Cece Virus
Virus Name: Cece
Aliases: Cece.1994
V Status: New
Discovery: July, 1995
Symptoms: .COM & .EXE growth; decrease in available free memory; file date/time year altered; system hangs
Origin: Unknown
Eff Length: 1,994 Bytes
Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector
Detection Method: VAlert, AVTK, NAV, NAVDX, IBMAV, ViruScan, ChAV, AVTK/N, NAV/N, IBMAV/N, NShld, Innoc
Removal Instructions: Delete infected files
General Comments:
The Cece virus was received in July, 1995. Its origin or point of
isolation is unknown. Cece is a memory resident infector of .COM
and .EXE files, including COMMAND.COM.

When the first Cece infected program is executed, the virus will
install itself memory resident at the top of system memory but
below the 640K DOS boundary, hooking interrupts 01, 21, and 24.
Available free memory, as indicated by the DOS CHKDSK program from
DOS 5.0, will have decreased by 5,120 bytes. Interrupt 12's return
will not have been moved.

Once the Cece virus is memory resident, it will infect .COM and
.EXE files when they are executed or opened, but not on copy.
Infected programs will have a file length increase of 1,994 bytes
with the virus being located at the end of the file. The file's
date and time in the DOS disk directory listing will not appear to
be altered, though the year field may appear to have 36 years
added to the file date. The following text strings are encrypted
within the viral code:

"Welcome to presentation of new program, named Ce-Ce!!!"
"Can you recognize what does it mean?"
"1. Do you know the fly living in the Africa?"
"2. Do you know int3 command opcode?"
"3. Do you know that 0CCh is equal to 204?"
"4. Do you know that CC is Computer Center abriviature?"
"5. Do you know the name of main hero in Santa Barbara?"
"Do you know ..."

System hangs may occur when some programs are executed.