Burglar Virus
Virus Name: Burglar
Aliases: Burglar.1150
V Status: New
Discovery: January, 1996
Symptoms: .EXE file growth; decrease in available free memory;
file date/time seconds = "58";
DOS CHKDSK file allocation errors
Origin: Unknown
Eff Length: 1,150 Bytes
Type Code: PRhE - Parasitic Resident .EXE Infector
Detection Method: ViruScan, NAV, NAVDX, AVTK, IBMAV, F-Prot, PCScan,
ChAV, NShld, NAV/N, AVTK/N, IBMAV/N, Innoc
Removal Instructions: Delete infected files
General Comments:
The Burglar or Burglar.1150 virus was received in January, 1996, and
is reported to be in the wild in North America. Burglar is a memory
resident infector of .EXE files which exhibits some stealth
characteristics.
When the first Burglar-infected program is executed, the virus
installs itself memory resident at the top of system memory but below
the 640K DOS boundary, without changing the value returned by
interrupt 12. Available free memory, as indicated by the DOS CHKDSK
program from DOS 5.0, will have decreased by 1,376 bytes. Interrupt 21
will be hooked by the virus in memory.
Once the Burglar virus is memory resident, it may infect .EXE files
when they are executed, opened, or copied, though it does not infect
all .EXE files. Programs infected with the Burglar virus will have
a file length increase of 1,150 bytes, though this file length
increase will be hidden when the virus is memory resident. The
file's date and time in the DOS disk directory listing will not
appear to be altered, though the seconds field will have been set to
"58". The following text strings are visible within the viral code
in all infected files:
"AT THE GRAVE OF GRANDMA...."
"CLHWTBF-WCTK"
"Burglar/H*.*"
The DOS CHKDSK program will indicate file allocation errors on all
infected files when this virus is memory resident.
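The indicators listed above (seconds field of "58", the three text strings, .EXE files only) can be combined into a simple triage check. The following is an added example, not part of the original entry or of any listed scanner; it assumes the standard 32-byte FAT directory entry layout, and the function names and sample data are constructed for illustration.

```python
import struct

# Text strings the entry lists as visible in all infected files.
BURGLAR_STRINGS = (b"AT THE GRAVE OF GRANDMA....", b"CLHWTBF-WCTK", b"Burglar/H*.*")
MARKER_SECONDS = 58  # seconds value the entry reports on infected files


def fat_time_seconds(dir_entry: bytes) -> int:
    """Seconds of the last-write time in a 32-byte FAT directory entry."""
    if len(dir_entry) != 32:
        raise ValueError("FAT directory entry must be 32 bytes")
    (raw_time,) = struct.unpack_from("<H", dir_entry, 22)
    return (raw_time & 0x1F) * 2  # low 5 bits store seconds / 2


def burglar_indicators(dir_entry: bytes, data: bytes) -> dict:
    """Check one file against the indicators; 'suspect' needs all of them."""
    found = [s.decode("ascii") for s in BURGLAR_STRINGS if s in data]
    result = {
        "is_exe": dir_entry[8:11] == b"EXE" and data[:2] == b"MZ",
        "seconds_58": fat_time_seconds(dir_entry) == MARKER_SECONDS,
        "strings": found,
    }
    # Seconds == 58 alone matches roughly 1 in 30 ordinary files, so require the strings too.
    result["suspect"] = (result["is_exe"] and result["seconds_58"]
                         and len(found) == len(BURGLAR_STRINGS))
    return result


def make_entry(name: str, ext: str, hh: int, mm: int, ss: int, size: int) -> bytes:
    """Build a constructed directory entry (sample input, dated 1996-01-01)."""
    entry = bytearray(32)
    entry[0:8] = name.ljust(8).encode("ascii")
    entry[8:11] = ext.ljust(3).encode("ascii")
    entry[11] = 0x20  # archive attribute
    raw_time = (hh << 11) | (mm << 5) | (ss // 2)
    struct.pack_into("<HHHI", entry, 22, raw_time, 0x2021, 2, size)
    return bytes(entry)


if __name__ == "__main__":
    # Constructed, inert sample data: an MZ stub with and without the strings.
    clean = b"MZ" + bytes(510)
    marked = clean + b"".join(BURGLAR_STRINGS)
    print(burglar_indicators(make_entry("CLEAN", "EXE", 12, 30, 58, 512), clean))
    print(burglar_indicators(make_entry("MARKED", "EXE", 12, 30, 58, len(marked)), marked))
```

Run a check like this against a disk image or after booting from clean media, since the entry notes that the file length increase is hidden while the virus is memory resident.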