Devils & Evangels Virus
Virus Name: Devils & Evangels
Aliases: Devils & Evangels.1456
V Status: New
Discovered: August, 1994
Symptoms: .COM & .EXE growth; DOS CHKDSK file allocation errors;
System hangs; scrolling of system display;
file date/time seconds = "62"
Origin: Unknown
Eff Length: 1,456 Bytes
Type Code: PRTA - Parasitic Resident .COM & .EXE Infector
Detection Method: AVTK, Sweep, IBMAV, ViruScan, NAV,
NAVDX, VAlert, PCScan, ChAV,
Sweep/N, AVTK/N, IBMAV/N, NShld, NAV/N, LProt, Innoc 4.0+
Removal Instructions: Delete infected files after clean cold boot
General Comments:
The Devils & Evangels or Devils & Evangels.1456 virus was received
in August, 1994. Its origin or point of isolation is unknown. This
virus was received with three variants; all four viruses are stealth
viruses which infect .COM and .EXE programs, but not COMMAND.COM.
When the first Devils & Evangels infected program is executed, this
virus will install itself memory resident at the top of system memory
but below the 640K DOS boundary, changing interrupt 12's return value. Total
system and available free memory, as indicated by the DOS CHKDSK
program, will have decreased by 2,976 bytes. Interrupt 21 will be
hooked by the virus in memory.
Once the Devils & Evangels virus is memory resident, it will infect
.COM and .EXE programs, other than COMMAND.COM, when they are
executed. Infected programs will have a file length increase of
1,456 bytes, though the file length increase will be hidden when the
virus is memory resident. The virus will be located at the end of the
file, though it cannot be found within the file with the virus memory
resident as the virus disinfects files as they are read into memory.
The program's date and time in the DOS disk directory listing will not
appear to be altered, though the seconds field will have been set to
"62". The following text string is encrypted within the viral code:
"Devils & Evangels, Inc."
System hangs may occur when infected programs are executed. Also,
the system display may be scrolled upwards accompanied by a system
hang.
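
The seconds = "62" symptom above can be checked offline against raw directory data. The following is an added example, not part of the original entry: it assumes the standard 32-byte FAT12/16 directory entry layout and directory bytes read from a disk image or after a clean boot, and the function names and sample entries are constructed for illustration.

```python
import struct

MARKER_SECONDS = 62            # seconds value the entry reports for infected files
TARGET_EXTS = {b"COM", b"EXE"}

def decode_dos_time(raw):
    """Split a 16-bit FAT time word into (hours, minutes, seconds)."""
    # Bits 15-11 hours, 10-5 minutes, 4-0 seconds/2. A real clock only
    # produces 0-29 in the low field, so 31 (= 62 s) never occurs naturally.
    return (raw >> 11) & 0x1F, (raw >> 5) & 0x3F, (raw & 0x1F) * 2

def scan_directory(data):
    """Return [(filename, h, m, s)] for .COM/.EXE entries stamped with 62 s."""
    hits = []
    for off in range(0, len(data) - 31, 32):
        entry = data[off:off + 32]
        if entry[0] == 0x00:          # end-of-directory marker
            break
        if entry[0] == 0xE5:          # deleted entry
            continue
        if entry[11] & 0x18:          # volume label or subdirectory
            continue
        ext = entry[8:11].rstrip(b" ")
        if ext not in TARGET_EXTS:
            continue
        (raw_time,) = struct.unpack_from("<H", entry, 22)
        h, m, s = decode_dos_time(raw_time)
        if s == MARKER_SECONDS:
            name = entry[0:8].rstrip(b" ").decode("ascii", "replace")
            hits.append((name + "." + ext.decode("ascii"), h, m, s))
    return hits

def make_entry(name, ext, h, m, s, size):
    """Build one constructed 32-byte directory entry for the sample below."""
    raw_time = (h << 11) | (m << 5) | (s // 2)
    raw_date = ((1994 - 1980) << 9) | (8 << 5) | 15
    return struct.pack("<8s3sB10sHHHI", name.ljust(8).encode(),
                       ext.ljust(3).encode(), 0x20, b"\0" * 10,
                       raw_time, raw_date, 2, size)

# Constructed sample directory, not taken from a real disk.
SAMPLE_DIR = b"".join([
    make_entry("COMMAND", "COM", 5, 0, 0, 47845),
    make_entry("EDIT", "COM", 9, 15, 30, 413),
    make_entry("GAME", "EXE", 12, 30, 62, 21456),
    make_entry("NOTES", "TXT", 8, 0, 62, 100),
]) + b"\0" * 32

if __name__ == "__main__":
    for hit in scan_directory(SAMPLE_DIR):
        print("seconds=62 marker:", hit)
```

A hit is only an indicator for the 1,456-byte virus; the variants listed below are described as leaving the seconds field unaltered.
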
Known variant(s) of Devils & Evangels are:
Devils & Evangels.1526: A 1,526 byte variant of the Devils &
Evangels virus described above. Its size in memory is
3,104 bytes, hooking interrupt 21. It adds 1,526 bytes to
the .COM and .EXE programs it infects, though the file length
increase will not be visible when the virus is memory
resident. The file's date and time, including the seconds
field, will not be altered. The following text string is
encrypted within the viral code:
"Devils & Evangels, Inc."
The variant has symptoms of infection similar to the virus
described above.
Origin: Unknown August, 1994.
Devils & Evangels.1634: A 1,634 byte variant of the Devils &
Evangels virus described above. Its size in memory is
3,328 bytes, hooking interrupt 21. It adds 1,634 bytes to
the .COM and .EXE programs it infects upon execution, open,
or copy, though the file length increase will not be visible
when the virus is memory resident. The file's date and time,
including the seconds field, will not be altered. The
following text string is encrypted within the viral code:
"Devils & Evangels, Inc."
The variant has symptoms of infection similar to the virus
described above, though system hangs do not frequently occur.
Origin: Unknown August, 1994.
Devils & Evangels.1792: A 1,792 byte variant of the Devils &
Evangels virus described above. Its size in memory is
3,648 bytes, hooking interrupts 21, 24, and 48. It adds 1,792
bytes to the .COM and .EXE programs it infects upon execution,
open, or copy, though the file length increase will not be
visible when the virus is memory resident. The file's date
and time, including the seconds field, will not be altered.
The following text string is encrypted within the viral code:
"Devils & Evangels, Inc. [DEI] MnemoniX $ v2.00"
The variant has symptoms of infection similar to the virus
described above.
Origin: Unknown August, 1994.
Devils & Evangels.1948: A 1,948 byte variant of the Devils &
Evangels virus described above. Its size in memory is
4,032 bytes, hooking interrupts 21 and 24. It adds 1,948
bytes to the .COM and .EXE programs it infects upon execution,
open, or copy, though the file length increase will not be
visible when the virus is memory resident. The file's date
and time, including the seconds field, will not be altered.
The following text strings are encrypted within the viral
code:
"Devils & Evangels, Inc. [DEI] MnemoniX"
"v2.50 ANTI-VIR.DAT C:\COMMAND.COM \DEI.COM"
Origin: Unknown February, 1995.