Discom Virus

Virus Name: Discom Aliases: V Status: Rare Discovered: November, 1990 Symptoms: TSR; .COM & .EXE growth Origin: Unknown Eff Length: 2,053 Bytes Type Code: PRsA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan, AVTK, F-Prot, Sweep, ChAV, IBMAV, NAV, NAVDX, VAlert, PCScan, NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, NAV/N, IBMAV/N Removal Instructions: Delete infected files General Comments: The Discom virus was submitted in November, 1990. The location where the sample was isolated is unknown. Discom is a memory resident infector of .COM and .EXE files, and will not infect COMMAND.COM. This virus is based on the Jerusalem virus, and also contains some code from the Sunday virus. As such, some anti-viral utilities may identify files infected with this virus as containing both Jerusalem and Sunday. This virus does not exhibit symptoms or the activation of either the Jerusalem or Sunday viruses. The first time a program infected with the Discom virus is executed, the virus will install itself memory resident as a 2,304 byte low system memory TSR. Interrupts 08 and 21 will be hooked by the virus. Once memory resident, the virus will infect .COM and .EXE files when they are executed. Infected .COM files will increase in length by 2,053 bytes and have the virus located at the beginning of the infected file. Infected .EXE files will increase in length by 2,059 to 2,068 bytes with the virus being located at the end of the file. All infected files will end with the following hex character string: 11121704D0. Unlike many Jerusalem Variants, this virus does not exhibit a system slowdown after being memory resident for 30 minutes, and no "black window" appears. Discom will, at random intervals, send random characters to the system COM ports, as well as write portions of itself to random sectors on the system hard drive.