Conjurer Virus
Virus Name: Conjurer
Aliases: Conjurer.181
V Status: New
Discovery: January, 1996
Symptoms: .COM file growth; file date/time changes
Origin: Unknown
Eff Length: 181 Bytes
Type Code: PNCK - Parasitic Non-Resident .COM Infector
Detection Method: NAV, NAVDX, IBMAV, PCScan, AVTK, ViruScan, F-Prot,
ChAV,
NAV/N, IBMAV/N, AVTK/N, LProt, NShld, Innoc 4.0+
Removal Instructions: Delete infected files
General Comments:
The Conjurer or Conjurer.181 virus was received with several variants
in January, 1996. Their origin or point of isolation is unknown.
Conjurer.181 is a non-resident, direct action infector of .COM
files, including COMMAND.COM.
When a program infected with the Conjurer.181 virus is executed,
this virus will infected up to five .COM files located in the
current directory. Infected .COM files will have a file length
increase of 181 bytes with the virus being located at the end of the
file. The file's date and time in the DOS disk directory listing
will have been updated to the current system date and time when
infection occurred. The following text string is visible within
the viral code in all infected programs:
"*.COM"
Additionally, the text string "GN" can be found starting in the
fourth byte and at the very end of all infected files.
Known variant(s) of Conjurer are:
Conjurer.265: Also received in January, 1996, this is a 265 byte
variant of the Conjurer virus described above. It infects the
first five .COM files in the current directory if they were not
previously infected by this variant. It does not infect past
the first five .COM files in any directory. Infected files will
have a file length increase of 265 bytes with the virus being
located at the end of the file. The program's date and time in
the DOS disk directory listing will have been updated to the
current system date and time when infection occurred. The
following text strings are visible within the viral code:
"z.com"
"iMMoRTaL.263!!"
This variant displays the last text string indicated above as
a message when an infected program is executed. System hangs
may occur when infected programs are executed.
Origin: Unknown January, 1996.
Conjurer.270: Also received in January, 1996, this is a 270 byte
variant of the Conjurer virus described above. It infects the
first five .COM files in the current directory if they were not
previously infected by this variant. It does not infect past
the first five .COM files in any directory. Infected files will
have a file length increase of 270 bytes with the virus being
located at the end of the file. The program's date and time in
the DOS disk directory listing will have been updated to the
current system date and time when infection occurred. The
following text strings are visible within the viral code:
"CoNJuReR.BSC!"
"*.com"
This variant displays the first text string indicated above as
a message when an infected program is executed. System hangs
may occur when infected programs are executed.
Origin: Unknown January, 1996.
Conjurer.277: Also received in January, 1996, this is a 277 byte
variant of the Conjurer virus described above. It infects the
first five .COM files in the current directory if they were not
previously infected by this variant. It does not infect past
the first five .COM files in any directory. Infected files will
have a file length increase of 277 bytes with the virus being
located at the end of the file. The program's date and time in
the DOS disk directory listing will have been updated to the
current system date and time when infection occurred. The
following text strings are visible within the viral code:
"*.COM"
"Dismezzie iz printed by:"
"CoNJuReR.TNG (The Next Generation!)"
The text string "GN" can be found starting in the fourth byte of
all infected files. This variant may display the last two text
strings indicated above as a message when an infected program is
executed. System hangs may occur when infected programs are
executed.
Origin: Unknown January, 1996.
Conjurer.300: Also received in January, 1996, this is a 300 byte
variant of the Conjurer virus described above. It infects up to
five .COM files in the current directory when an infected program
is executed. Infected files will have a file length increase of
300 bytes with the virus being located at the end of the file.
The program's date and time in the DOS disk directory listing
will have been updated to the current system date and time when
infection occurred. The following text strings are encrypted
within the viral code:
"*.com"
"CoNJuReR.300!"
This variant may display the last text string indicated above as
a message when an infected program is executed. System hangs may
occur when infected programs are executed.
Origin: Unknown January, 1996.
Conjurer.312: Also received in January, 1996, this is a 312 byte
variant of the Conjurer virus described above. It infects up to
five .COM files in the current directory when an infected program
is executed. Infected files will have a file length increase of
312 bytes with the virus being located at the end of the file.
The program's date and time in the DOS disk directory listing
will have been updated to the current system date and time when
infection occurred. The following text strings are encrypted
within the viral code:
"*.COM"
"GN"
"Diz mezzie iz printed by:"
"CoNJuReR.TNG"
"CoNJuReR.TNG (The Next Generation!)"
The unencrypted text string "GN" can be found starting in the
fourth byte of all infected files. This variant may display the
following message when an infected program is executed:
"Diz mezzie iz printed by:
CoNJuReR.TNG! (The Next Generation!)"
System hangs may occur when infected programs are executed.
Origin: Unknown January, 1996.
Conjurer.353: Also received in January, 1996, this is a 353 byte
variant of the Conjurer virus described above. It infects up to
five .COM files in the current directory when an infected program
is executed. Infected files will have a file length increase of
353 bytes with the virus being located at the end of the file.
The program's date and time in the DOS disk directory listing
will have been updated to the current system date and time when
infection occurred. The following text strings is visible within
the viral code:
"z.com"
The following text string may be encrypted or unencrypted within
viral code in all infected programs:
"iMMoRTaL.358!!"
This variant may display the last text string indicated above as
a message when an infected program is executed, in either
encrypted or unencrypted form. System hangs may occur when
infected programs are executed.
Origin: Unknown January, 1996.
Conjurer.377: Also received in January, 1996, this is a 377 byte
variant of the Conjurer virus described above. It infects up to
five .COM files in the current directory when an infected program
is executed. Infected files will have a file length increase of
377 bytes with the virus being located at the end of the file.
The program's date and time in the DOS disk directory listing
will have been updated to the current system date and time when
infection occurred. The following text strings are encrypted
within the viral code:
"z.com"
"iMMoRTaL.377 {Encrypted!!}"
This variant may display the last text string indicated above as
a message when an infected program is executed. System hangs
may occur when infected programs are executed.
Origin: Unknown January, 1996.
Conjurer.408: Also received in January, 1996, this is a 408 byte
variant of the Conjurer virus described above. It infects up to
five .COM files in the current directory when an infected program
is executed. Infected files will have a file length increase of
408 bytes with the virus being located at the end of the file.
The program's date and time in the DOS disk directory listing
will have been updated to the current system date and time when
infection occurred. The following text strings are encrypted
within the viral code:
"DEBUGGING IS VERY ILLEGAL (NOT!)"
"Test Virus #2 Hacking Hell I-EAS Virus Creation Centre v0.19"
"[T2] [HH] [IE-VCC v0.19]"
"COM"
This variant does not display any messages, and system hangs do
not occur.
Origin: Unknown January, 1996.
Conjurer.433: Also received in January, 1996, this is a 433 byte
variant of the Conjurer virus described above. It infects up to
five .COM files in the current directory when an infected program
is executed. Infected files will have a file length increase of
433 bytes with the virus being located at the end of the file.
The program's date and time in the DOS disk directory listing
will have been updated to the current system date and time when
infection occurred. The following text strings are encrypted
within the viral code:
"*.com"
"Ajax is kampioen, Ajax blift kampioen,
er is nog geen club die daar iets aan kan doen!
CoNJuReR.AJAX Rulez! [iMMoRTaL EAS]
Ajax won UEFA-Cup 1995!!!"
This variant displays the last text string indicated above as a
message whenever an infected program is executed.
Origin: Unknown January, 1996.
Conjurer.506: Also received in January, 1996, this is a 506 byte
variant of the Conjurer virus described above. It infects all of
the .COM files in the current directory when an infected program
is executed. Infected files will have a file length increase of
506 bytes with the virus being located at the end of the file.
The program's date and time in the DOS disk directory listing
will have been updated to the current system date and time when
infection occurred. The following text strings are encrypted
within the viral code:
"DEBUGGING IS VERY ILLEGAL (NOT!)"
"Mega Destruct Hacking Hell I-EAS Virus Creation Centre v0.19"
"[MD] [HH] [IE-VCC v0.19]
"COM"
This variant displays the following message whenever an infected
program is executed:
"You computher is now infected with:
MEGA-DESTRUCTION
The Conjurers...."
Origin: Unknown January, 1996.
Conjurer.510: Also received in January, 1996, this is a 510 byte
variant of the Conjurer virus described above. It infects up to
five .COM files in the current directory when an infected program
is executed. Infected files will have a file length increase of
510 bytes with the virus being located at the end of the file.
The program's date and time in the DOS disk directory listing
will have been updated to the current system date and time when
infection occurred. The following text strings are encrypted
within the viral code:
"iMMoRTaL.510 {Encrypted!!}"
"*.com"
This variant may display the first text string indicated above as
a message when an infected program is executed. System hangs
may occur when infected programs are executed.
Origin: Unknown January, 1996.
Conjurer.550: Also received in January, 1996, this is a 550 byte
variant of the Conjurer virus described above. It infects up to
five .COM files in the current directory when an infected program
is executed. Infected files will have a file length increase of
550 bytes with the virus being located at the end of the file.
The program's date and time in the DOS disk directory listing
will have been updated to the current system date and time when
infection occurred. The following text strings are visible
within the viral code:
"z.com"
"anti-vir.dat"
"c:\dos\keyb.com"
"c:\dos\doskey.com"
"c:\run-me.com"
This variant also infects the copies of KEYB.COM and DOSKEY.COM
located in the C: drive DOS directory, as well as creating a 31
byte file with the current system date and time in the C: drive
root directory. Once all of the .COM files in the current
directory have been infected by the virus, it will display the
following message:
"iMMoRTaL.550!!"
System hangs may occur when infected programs are executed.
Origin: Unknown January, 1996.
Conjurer.586: Also received in January, 1996, this is a 586 byte
variant of the Conjurer virus described above. It infects up to
five .COM files in the current directory when an infected program
is executed. Infected files will have a file length increase of
586 bytes with the virus being located at the end of the file.
The program's date and time in the DOS disk directory listing
will have been updated to the current system date and time when
infection occurred. The following text strings are encrypted
within the viral code:
"DEBUGGING IS VERY ILLEGAL (NOT!)"
"Test Virus #3 Hacking Hell I-EAS Virus Creation Centre v0.19"
"[T3] [HH] [IE-VCC v0.19]"
"COM"
This variant corrupts CMOS by uninstalling all drives and resets
the system date and time to Saturday, August 07, 1909.
Origin: Unknown January, 1996.
Conjurer.886: Also received in January, 1996, this is an 886 byte
variant of the Conjurer virus described above. It infects up to
five .COM files in the current directory when an infected program
is executed. Infected files will have a file length increase of
886 bytes with the virus being located at the end of the file.
The program's date and time in the DOS disk directory listing
will have been updated to the current system date and time when
infection occurred. The following text strings maybe visible
or encrypted within the viral code:
"DEBUGGING IS VERY ILLEGAL (NOT!)"
"????????SYS"
"I am an assasin, I want to and shall kill you!"
"I also hate Aladdin and will also kill it!"
"I will eliminate you with the touch of just one finger"
"Look at my revenge! Crying wont help you!"
"I am a dangerous virus, I live! I am created by:"
"The [HACKING HELL] !!!!"
"Fear me! I am more powerfull than GOD!"
"Aladdin Killer #1 Hacking Hell"
"I-EAS Virus Creation Centre v0.19"
"[AK]"
"[HH]"
"[IE-VCC v0.19"
"XXX-Rated$+.COM"
Origin: Unknown January, 1996.