Bubonic Virus


 Virus Name:  Bubonic 
 Aliases:    
 V Status:    Rare 
 Discovery:   May, 1993 
 Symptoms:    .COM & .EXE growth; DOS CHKDSK file allocation errors; 
              decrease in total system & available free memory; 
              sluggish DOS DIR commands 
 Origin:      Unknown 
 Eff Length:  2,181 - 2,193 Bytes 
 Type Code:   PRhAK - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  ViruScan, F-Prot, Sweep, AVTK, NAVDX, 
                    VAlert, NAV, IBMAV, PCScan, ChAV, 
                    NShld, NProt, Sweep/N, AVTK/N, Innoc, NAV/N, IBMAV/N 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Bubonic virus was received in May, 1993.  Its origin or point of 
       isolation is unknown.  Bubonic is a memory resident, fast infecting 
       virus which infects .COM and .EXE programs, including COMMAND.COM. 
       It is a size stealthing virus, hiding the file length increase on 
       infected files when they virus is memory resident. 
 
       When the first Bubonic infected program is executed, the Bubonic 
       virus will install itself memory resident at the top of system 
       memory but below the 640K DOS boundary, hooking interrupt 6B.  Total 
       system and available free memory, as indicated by the DOS CHKDSK 
       program, will have decreased by 2,592 bytes.  Interrupt 12's return 
       will not be moved. 
 
       Once memory resident, the Bubonic virus will infect .COM and .EXE 
       programs, including COMMAND.COM, when they are executed.  Infected 
       .COM programs will have a file length increase of 2,181 bytes. 
       .EXE programs infected with Bubonic will have a file length increase 
       of 2,181 to 2,193 bytes, though occassionally one may increase in 
       size by up to 2,254 bytes.  In both cases, the file length increase 
       is hidden when the virus is memory resident, and the virus is 
       located at the end of the file.  The program's date and time in the 
       DOS disk directory listing will not be altered.  The following text 
       strings are visible within the viral code in all Bubonic infected 
       programs: 
 
               "Bubonic[BBP],alpha.02a,fixedFCBbug.Soon:tightercode," 
               "anti-(debug,heuristics),norunifanti-virusprog.running 
                (FSP,etc.)bettermemorystealth" 
               "NEW!genetic,algorithmicdarwin-encryptionandadrop 
                libraryofmanyvirii,alllessthan6k!" 
               "Ooops, Sorry..." 
 
       Systems infected with the Bubonic virus will experience sluggish 
       DOS DIR command output.  The DOS CHKDSK program, when executed with 
       the Bubonic virus in memory, will detect file allocation errors on 
       all infected files.

Show viruses from discovered during that infect .

Main Page