Blue Nine Virus


 Virus Name:  Blue Nine 
 Aliases:     Blue Nine.925.A 
 V Status:    New 
 Discovery:   January, 1996 
 Symptoms:    .COM file growth; file date/time seconds = "04"; 
              decrease in available free memory; 
              DOS CHKDSK file allocation errors; 
              unexpected system reboots 
 Origin:      Unknown 
 Eff Length:  925 Bytes 
 Type Code:   PRhCK - Parasitic Resident .COM Infector 
 Detection Method:  F-Prot, AVTK, IBMAV, ViruScan, NAV, NAVDX, PCScan, 
                    ChAV, 
                    AVTK/N, IBMAV/N, NShld, NAV/N, Innoc 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Blue Nine or Blue Nine.925.A virus was received in January, 
       1996.  Its origin or point of isolation is unknown.  Blue Nine 
       is a memory resident stealth type virus which infects .COM files, 
       including COMMAND.COM.  It does not infect very small .COM files. 
 
       When the first Blue Nine infected program is executed, this virus 
       will install itself memory resident at the top of system memory but 
       below the 640K DOS boundary, without changing the memory size 
       returned by interrupt 12. 
       Available free memory, as indicated by the DOS CHKDSK program from 
       DOS 5.0, will have decreased by 960 bytes.  Interrupt 21 will be 
       hooked by the virus in memory. 
 
       Once memory resident, the Blue Nine virus will infect .COM files, 
       including COMMAND.COM, when they are executed.  Infected files will 
       have a file length increase of 925 bytes, though this file length 
       increase will be hidden when the virus is memory resident.  The 
       virus will be located at the end of the file.  The program's date 
       and time in the DOS disk directory listing will not appear to be 
       altered, though the seconds field will have been set to "04", the 
       infection marker for the virus.  The following text string is 
       visible within the viral code: 
 
           "-  Blue Nine Virus by Conzouler 1994  -" 
 
       The virus is not visible within infected files when this virus is 
       memory resident as the virus disinfects the program as it is read 
       into memory, thus its classification as a stealth virus. 
 
       The DOS CHKDSK program will indicate file allocation errors on all 
       infected files when this virus is memory resident.  Blue Nine.925.A 
       will also set the file date/time seconds to "04" on any .COM file, 
       even the very small .COM files it does not infect.  As a result, 
       some .COM files may appear to have drastically increased in size or 
       be 925 bytes smaller in the DOS disk directory listing when the virus 
       is memory resident. 
 
       Known variant(s) of Blue Nine are: 
       Blue Nine.925.B: Also received in January, 1996, this is a 
           very minor variant, and is functionally similar to the original 
           virus. 
           Origin:  Unknown  January, 1996. 
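
The indicators described above (seconds field "04", a 925-byte body at the end of the file, the visible text string) can be combined into a triage check. The following is an added example, not part of the original entry or of any scanner it lists. It assumes raw FAT directory entries and file contents read after booting from clean media, so the resident stealth code is not active, and that the quoted string is stored unencrypted; the function names and sample data are constructed for illustration.

```python
import struct

VIRUS_LEN = 925          # "Eff Length" given in the entry
MARKER_SECONDS = 4       # seconds field set to "04" (infection marker)
SIGNATURE = b"Blue Nine Virus by Conzouler 1994"   # text string quoted in the entry

def make_entry(name, ext, hh, mm, ss, size):
    """Build a constructed 32-byte FAT short-name directory entry for testing."""
    entry = bytearray(32)
    entry[0:8] = name.ljust(8).encode("ascii")
    entry[8:11] = ext.ljust(3).encode("ascii")
    struct.pack_into("<H", entry, 22, (hh << 11) | (mm << 5) | (ss // 2))
    struct.pack_into("<I", entry, 28, size)
    return bytes(entry)

def parse_entry(entry):
    """Return (name, ext, seconds, size) from a raw FAT directory entry."""
    name = entry[0:8].decode("ascii", "replace").rstrip()
    ext = entry[8:11].decode("ascii", "replace").rstrip()
    (time_word,) = struct.unpack_from("<H", entry, 22)
    (size,) = struct.unpack_from("<I", entry, 28)
    return name, ext, (time_word & 0x1F) * 2, size   # FAT stores seconds / 2

def triage(entry, content):
    """Classify one file read from a clean boot (no resident stealth code)."""
    name, ext, seconds, size = parse_entry(entry)
    if ext != "COM":
        return "skip"
    marked = seconds == MARKER_SECONDS
    tail = content[-VIRUS_LEN:] if size > VIRUS_LEN else b""
    if SIGNATURE in tail:
        return "infected" if marked else "signature-no-marker"
    # The entry notes the marker is also set on small .COM files that are not infected.
    return "marker-only" if marked else "clean"

# Constructed sample data, not real virus code: filler bytes plus the quoted string.
HOST = b"\x90" * 2000
FAKE_TAIL = (b"\x00" * 100 + SIGNATURE).ljust(VIRUS_LEN, b"\x00")
SAMPLES = {
    "infected": (make_entry("EDIT", "COM", 12, 30, 4, 2925), HOST + FAKE_TAIL),
    "marker-only": (make_entry("TINY", "COM", 9, 15, 4, 200), b"\xc3" * 200),
    "clean": (make_entry("MORE", "COM", 9, 15, 10, 2000), HOST),
    "skip": (make_entry("SETUP", "EXE", 9, 15, 4, 2000), HOST),
}

if __name__ == "__main__":
    for expected, (entry, data) in SAMPLES.items():
        print(expected, "->", triage(entry, data))
```

A "marker-only" result is not proof of infection, since a legitimate file can carry a 04-second timestamp by coincidence.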
