Che Gueva Virus
Virus Name: Che Gueva
Aliases: Che Gueva.1918
V Status: New
Discovery: July, 1996
Symptoms: .COM & .EXE file growth; decrease in available free memory
Origin: Spain
Eff Length: 1,918 - 1,934 Bytes
Type Code: PRhA - Parasitic Resident .COM & .EXE Infector
Detection Method: NAV, NAVDX, ViruScan, AVTK 7.68+, NAV/N, NShld 2.33+, AVTK/N 7.68+
Removal Instructions: Delete infected files
General Comments:
The Che Gueva virus was received in July, 1996. It is from Spain,
and may be "in the wild" in that country. Che Gueva is a memory
resident infector of .COM and .EXE files, but not COMMAND.COM. It
does not infect small .COM and .EXE files.

When the first Che Gueva infected program is executed, the virus
will install itself memory resident at the top of system memory
but below the 640K DOS boundary, without changing the value returned
by interrupt 12. Available free memory, as indicated by the DOS CHKDSK
program from DOS 5.0, will have decreased by 2,400 bytes. Interrupt 21
will be hooked by the virus in memory.

Once the Che Gueva virus is memory resident, it will infect .COM
and .EXE files, other than small ones and COMMAND.COM, when they
are executed. Infected .COM files will have a file length increase
of 1,918 bytes while .EXE files increase in size by 1,918 to 1,934
bytes. In both cases, the virus will be located at the end of the
file. The program's date and time in the DOS disk directory listing
will not be altered. The following text strings are visible within
the viral code:
"VHR?"
"K\*LVY[_OKNY"
"*K*M_LK"
"KWZYMY**********"
"PSX*NOV*LVY[_OY*K*M_**"
"EHC"
It is unknown what this virus may do besides replicate.
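
The file-growth symptoms described above can be checked against a known-good file listing. The following is an added example, not part of the original entry: it assumes a baseline manifest of name, size and directory date/time was recorded before infection, and the Entry type, function name and sample listings are constructed for illustration.

```python
from dataclasses import dataclass

COM_GROWTH = 1918               # .COM growth stated in the entry
EXE_GROWTH = range(1918, 1935)  # .EXE growth: 1,918 to 1,934 bytes


@dataclass(frozen=True)
class Entry:                    # hypothetical manifest record
    name: str                   # DOS file name
    size: int                   # length in bytes
    stamp: str                  # directory date/time as recorded


def suspicious_growth(baseline, current):
    """Return names whose size change matches the growth profile in the entry."""
    before = {e.name.upper(): e for e in baseline}
    hits = []
    for cur in current:
        name = cur.name.upper()
        old = before.get(name)
        if old is None or name == "COMMAND.COM":
            continue            # the entry states COMMAND.COM is not infected
        delta = cur.size - old.size
        if name.endswith(".COM"):
            match = delta == COM_GROWTH
        elif name.endswith(".EXE"):
            match = delta in EXE_GROWTH
        else:
            match = False
        # The entry states the directory date/time is not altered, so the
        # signal is matching growth together with an unchanged stamp.
        if match and cur.stamp == old.stamp:
            hits.append(cur.name)
    return hits


# Constructed sample listings (not real data).
BASELINE = [
    Entry("EDIT.COM", 12000, "1995-03-10 06:22"),
    Entry("FORMAT.EXE", 30000, "1995-03-10 06:22"),
    Entry("CHKDSK.EXE", 16200, "1995-03-10 06:22"),
    Entry("COMMAND.COM", 47845, "1995-03-10 06:22"),
    Entry("MORE.COM", 2618, "1995-03-10 06:22"),
]
CURRENT = [
    Entry("EDIT.COM", 13918, "1995-03-10 06:22"),    # +1,918, same stamp
    Entry("FORMAT.EXE", 31925, "1995-03-10 06:22"),  # +1,925, same stamp
    Entry("CHKDSK.EXE", 18118, "1996-08-01 12:00"),  # +1,918, stamp changed
    Entry("COMMAND.COM", 49763, "1995-03-10 06:22"),
    Entry("MORE.COM", 2718, "1995-03-10 06:22"),     # +100, not a match
]
```

A match is only an indicator that the file should be scanned with one of the listed detection tools; a legitimate update can coincidentally produce the same growth.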