Crusher Virus


 Virus Name:  Crusher 
 Aliases:    
 V Status:    Rare 
 Discovery:   November, 1992 
 Symptoms:    .EXE file growth; master boot sector altered; decrease in 
              total system & available free memory; cross-linking of files; 
              message 
 Origin:      The Netherlands 
 Eff Length:  2,048 Bytes 
 Type Code:   PRhEX - Parasitic Resident .EXE & Master Boot Sector Infector 
 Detection Method:  ViruScan, Sweep, AVTK, NAV, NAVDX, VAlert, PCScan, 
                    ChAV, 
                    NShld, Sweep/N, AVTK/N, NAV/N, Innoc 4.0+ 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Crusher virus was submitted in November, 1992.  It is from The 
       Netherlands.  Crusher is a memory resident infector of the hard 
       disk master boot sector (partition table) and .EXE programs.  It 
       employs some stealth techniques to avoid detection. 
 
       The first time a program infected with the Crusher virus is executed, 
       the Crusher virus will infect the system hard disk master boot 
       sector.  It writes an unencrypted copy of the viral code to Side 0, 
       Cylinder 0, sectors 2 thru 5, and then alters the hard disk master 
       boot sector so that this code will be executed the next time the 
       system is booted from the hard disk.  It does not become memory 
       resident at this time. 
 
       The next time the system is booted from the system hard disk, the 
       Crusher virus will become memory resident at the top of system memory 
       but below the 640K DOS boundary.  Total system and available free 
       memory, as indicated by the DOS CHKDSK program, will have decreased 
       by 2,064 bytes.  Interrupt 21 will be hooked by Crusher in memory. 
 
       Once the Crusher virus is memory resident, it will infect .EXE 
       programs when they are executed.  Infected programs will have a file 
       length increase of 2,048 bytes, though the file length increase will 
       be hidden when the virus is active in memory.  The file's date and 
       time in the DOS disk directory listing will not be altered.  The 
       following text strings are encrypted within the viral code: 
 
               "Crusher" 
               "You are damned" 
               "Bit Addict / Trident" 
 
       The Crusher virus will occassionally display the above text when 
       it is memory resident.  Infected systems will also experience 
       cross-linking of files.

Show viruses from discovered during that infect .

Main Page