Bow Virus
Virus Name: Bow
Aliases: 5856
V Status: Rare
Discovery: May, 1992
Symptoms: .COM & .EXE file growth; file time altered; decrease in total
system & available free memory
Origin: Unknown
Eff Length: 5,856 Bytes
Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector
Detection Method: Sweep, IBMAV, AVTK, F-Prot, ViruScan, NAV,
NAVDX, VAlert, PCScan, ChAV,
Sweep/N, AVTK/N, LProt, NProt, IBMAV/N, NAV/N, NShld
Removal Instructions: Delete infected files
General Comments:
The Bow, or 5856, virus was received in May, 1992 from an unknown
origin. This virus is a memory resident infector of .COM and .EXE
programs, including COMMAND.COM.
The first time a Bow infected program is executed, the Bow virus will
install itself memory resident at the top of system memory but below
the 640K DOS boundary, without changing the value returned by interrupt 12. Total
system and available free memory, as measured by the DOS CHKDSK
program, will have decreased by 5,888 bytes. The Bow virus will
have hooked interrupts 1C and 21.
Once the Bow virus is memory resident, it will infect .COM and .EXE
programs when they are executed, as well as occasionally when a
program is opened. Infected programs will have a file length
increase of 5,856 bytes with the virus being located at the end of
the file. The program's date in the DOS disk directory listing will
not be altered, but the program's time may be altered to a different
value. Two text strings are visible in the viral code in Bow
infected programs:
"TRUS"
"bow!"
It is unknown if the Bow virus does anything besides replicate.
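A triage check built from the indicators above (5,856 bytes appended at the end of .COM and .EXE files, with the strings "TRUS" and "bow!" visible in the viral code), given here as an added example and not as the signature any of the listed scanners use. The function names, verdict labels and the optional table of known-good sizes are assumptions of the example; two four-byte strings are a weak indicator on their own, so a hit means the file needs a real scanner, not that it is confirmed infected.

```python
import os

VIRUS_LEN = 5856              # file growth given in the entry
MARKERS = (b"TRUS", b"bow!")  # strings the entry says are visible in the viral code
EXTENSIONS = (".com", ".exe")  # file types the entry says are infected


def tail_has_markers(tail: bytes) -> bool:
    """True only if every marker string occurs in the given bytes."""
    return all(marker in tail for marker in MARKERS)


def classify(path, baseline_size=None):
    """Return 'no-match', 'suspect' (both markers in the last VIRUS_LEN bytes)
    or 'likely' (markers plus growth of exactly VIRUS_LEN over a known-good size)."""
    size = os.path.getsize(path)
    if size <= VIRUS_LEN:     # host program plus appended code is always longer
        return "no-match"
    with open(path, "rb") as fh:
        fh.seek(size - VIRUS_LEN)   # the entry places the virus at the end of the file
        tail = fh.read(VIRUS_LEN)
    if not tail_has_markers(tail):
        return "no-match"
    if baseline_size is not None and size - baseline_size == VIRUS_LEN:
        return "likely"
    return "suspect"


def scan_tree(root, baseline=None):
    """Walk root and return {path: verdict} for every file that is not 'no-match'.
    baseline (an assumption of this example) maps upper-case file names to
    known-good sizes, e.g. taken from clean installation media."""
    baseline = baseline or {}
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            try:
                verdict = classify(path, baseline.get(name.upper()))
            except OSError:   # unreadable file: skip it, keep scanning
                continue
            if verdict != "no-match":
                findings[path] = verdict
    return findings
```

Run it against a mounted disk image or a copy of the files, since the entry describes the resident virus as infecting programs when they are executed and sometimes when they are opened.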