1253 Virus
Virus Name: 1253
Aliases: Anticad, V-1, Thanksgiving
V Status: Rare
Discovery: August, 1990
Symptoms: TSR; BSC; COMMAND.COM & .COM file growth; partition table change
Origin: Austria
Eff Length: 1,253 Bytes
Type Code: PRsBCKX - Parasitic Resident .COM & Partition Table Infector
Detection Method: ViruScan, NAV, AVTK, F-Prot, Sweep, IBMAV, NAVDX, VAlert, PCScan, ChAV, NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, NAV/N, IBMAV/N
Removal Instructions: NAV or delete infected files and replace partition table/boot sector
General Comments:
The 1253 virus was submitted in August 1990. It is believed to have
originated in (or at least to have been first isolated in) Austria.
1253 is a generic infector of .COM files, including COMMAND.COM. It
also infects the boot sector of diskettes and the partition table of
hard disks.
The first time a program infected with the 1253 virus is executed,
the virus will install itself memory resident as a low system memory
TSR. The TSR will be 2,128 bytes in length, hooking interrupts 08,
13, 21, and 60. Total system memory will remain unchanged, and free
memory will decrease by 2,128 bytes. At this time, the partition
table of the system's hard disk is infected with the 1253 virus. If
the infected program was executed from a diskette, the diskette's
boot sector will also be infected.
Each time a .COM file is executed with the virus resident in memory,
the .COM file will be infected if it hasn't previously been
infected. The 1253 virus appends its viral code to the end of the
.COM file, and then changes the first few bytes of the program to
be a jump to the appended code. Infected files increase in length
by 1,253 bytes, and the virus makes no attempt to hide the increase
when the directory is displayed. Infected files will also have
their fourth through sixth bytes set to "V-1" (hex 56 2D 31).
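A defender-side check for the on-disk infection marker described above, written as an added example and not taken from this listing or any scanner named in it. It assumes the entry-point jump is a 3-byte near JMP (opcode E9); the listing only says the first bytes become a jump, so that part is a heuristic, while the "V-1" marker and the 1,253-byte growth come straight from the text.

```python
import os
import sys

# Documented marker: bytes 4-6 of an infected .COM file are "V-1" (hex 56 2D 31)
# and the file grows by exactly 1,253 bytes (the appended viral code).
MARKER = b"V-1"
MARKER_OFFSET = 3
VIRUS_LENGTH = 1253
NEAR_JMP = 0xE9  # assumption: the patched entry is a near JMP rel16


def is_1253_infected(data: bytes) -> bool:
    """True if a .COM image carries the "V-1" marker at bytes 4-6 and is
    large enough to hold a 1,253-byte appended body plus a host."""
    if len(data) <= VIRUS_LENGTH:
        return False
    return data[MARKER_OFFSET:MARKER_OFFSET + len(MARKER)] == MARKER


def jump_looks_patched(data: bytes) -> bool:
    """Heuristic: first byte is a near JMP whose target lands inside the
    last 1,253 bytes of the image, i.e. in the appended code."""
    if len(data) <= VIRUS_LENGTH or data[0] != NEAR_JMP:
        return False
    rel = int.from_bytes(data[1:3], "little", signed=True)
    target = 0x100 + 3 + rel            # .COM loads at CS:0100; JMP is 3 bytes
    body_start = 0x100 + len(data) - VIRUS_LENGTH
    return body_start <= target < 0x100 + len(data)


def scan_directory(root: str) -> list:
    """Walk root and return the .COM files that carry the marker."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.upper().endswith(".COM"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    if is_1253_infected(fh.read()):
                        hits.append(path)
    return hits


if __name__ == "__main__":
    for hit in scan_directory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("1253 marker found:", hit)
```

A marker hit alone is enough to quarantine; the jump heuristic is a second, independent signal for triage of files where the marker bytes could be coincidental.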
Any diskettes which are accessed while the virus is present in
memory will have their boot sector infected with this virus.
Newly formatted diskettes, likewise, will be infected immediately.
The 1253 virus is destructive when it activates. The author of this
listing was able to get it to activate by setting the system date to
December 24th and then executing an infected program on drive A:.
The virus promptly went and overwrote the entire diskette in drive
A: with a pattern of 9 sectors of what appears to be a program
fragment. Once the virus has started to overwrite a diskette, the
only way to stop the disk activity is to power off the system.
The virus in the partition table and/or diskette boot sector is of
special note. When the system is booted from the hard disk or
diskette with the virus in the partition table or boot sector, the
virus will install itself memory resident. At this time, the virus
resides above the top of system memory but below the 640K DOS
boundary. The change in total system memory and available free
memory will be 77,840 bytes. It can be seen with the CHKDSK
command. At this time, any .COM program executed will be infected
with the 1253 virus, even though no programs on the hard disk may
contain this virus before the system boot occurred.
One effect of this virus once the system has been booted from an
infected hard drive or floppy is that the FORMAT command may result
in unexpected disk activity to inactive drives. For example, on the
author's system, when formatting a diskette in drive A: with the
current drive being drive C:, there was always disk activity to
drive B:.
Disinfecting the 1253 virus requires that, besides disinfecting or
deleting infected .COM programs, the hard disk's partition table and
the boot sector of any diskettes exposed to the infected system must
be disinfected. If the partition table and diskette boot sectors are
not disinfected, the system will promptly experience reinfection of
.COM files with the virus following a system boot from the hard disk
or diskette. Disinfecting the partition table and boot sectors, when
done properly, will also result in the system's full memory again
being available.
It is unknown if there are other activation dates for this virus, or
if it will overwrite the hard disk if an infected program is
executed on December 24th from the hard disk.