Cholera Virus

Virus Name: Cholera Aliases: Cholera.1497, Cholera.1497.A V Status: New Discovery: July, 1995 Symptoms: .COM & .EXE growth; decrease in available free memory Origin: Unknown Eff Length: 1,497 - 2,064 Bytes Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector Detection Method: F-Prot, AVTK, VAlert, Sweep, IBMAV, NAV, NAVDX, ViruScan, ChAV, Sweep/N, AVTK/N, IBMAV/N, NAV/N, NProt, NShld, Innoc Removal Instructions: Delete infected files General Comments: The Cholera, Cholera.1497 or Cholera.1497.A, virus was received in July, 1995. Its origin or point of isolation is unknown. Cholera is a memory resident infector of .COM and .EXE files, including COMMAND.COM. When the first Cholera infected program is executed, this virus will install itself memory resident at the top of system memory but below the 640K DOS boundary, not moving interrupt 12's return. Available free memory, as indicated by the DOS CHKDSK program from DOS 5.0, will have decreased by 2,048 bytes. Interrupts 08 and 21 will be hooked by the virus in memory. Once the Cholera virus is memory resident, it will infect .COM and .EXE files, including COMMAND.COM, when they are executed. Infected .COM files will have a file length increase of 1,497 bytes while .EXE files will increase in size bye 2,052 to 2,064 bytes. In both cases, the virus will be located at the end of the file. The program's date and time in the DOS disk directory listing will not be altered. The following text string is visible within the viral code in all infected programs: "Cholera v1.0 by dr Hellraiser 94-02-03" It is unknown what the Cholera virus may do besides replicating. Known variant(s) of Cholera are: Cholera.1497.B: Also received in July, 1995, this is a minor variant of the Cholera virus described above. It contains the following text string: "Cholera v2.0 by dr Fleischman 93-12-29" System hangs may occur when infected programs are executed. Origin: Unknown July, 1995.