Crucifix Virus

Virus Name: Crucifix Aliases: Crucifix.2916 V Status: New Discovery: February, 1995 Symptoms: .COM file growth; decrease in available free memory Origin: Unknown Eff Length: 2,916 Bytes Type Code: PRhCK - Parasitic Resident .COM Infector Detection Method: F-Prot, NAV, AVTK, Sweep, IBMAV, NAVDX, VAlert, ViruScan, PCScan, ChAV, Sweep/N, NProt, AVTK/N, IBMAV/N, NAV/N, NShld, LProt, Innoc 4.0+ Removal Instructions: Delete infected files General Comments: The Crucifix or Crucifix.2916 virus was received in February, 1995. Its origin or point of isolation is unknown. Crucifix is a memory resident infector of .COM files, including COMMAND.COM. When the first Crucifix infected program is executed, this virus will install itself memory resident at the top of system memory but below the 640K DOS boundary, not moving interrupt 12's return. Total available free memory, as indicated by the DOS 5.0 CHKDSK program, will have decreased by 2,928 bytes. Interrupts 09 and 21 will be hooked by the virus in memory. Some memory mapping programs will indicate that the owner or program which is resident is "JeSuS". Once the Crucifix virus is memory resident, it will infect .COM files only when they are copied. Both the target and the source file will be infected by the virus. Programs infected with the Crucifix.2916 virus will have a file length increase of 2,916 bytes with the virus being located at the end of the file. The file's date and time in the DOS disk directory listing will not be altered. The following text strings are visible within the viral code: "If you're the Messiah and you know it," "Clap your hands!" "Then your face will surely show it," "(rucifixion Virus 1.0 (c) 1994, by Jesus of The Trinity" It is unknown what the Crucifix virus does besides replicate.