1385 Virus

Virus Name: 1385 Aliases: Disk Plus 1 V Status: Rare Discovery: February, 1992 Symptoms: .COM file growth; TSR; system hangs Origin: Unknown Eff Length: 1,385 Bytes Type Code: PRsCK - Parasitic Resident .COM Infector Detection Method: AVTK, ViruScan, F-Prot, Sweep, ChAV, NAV, IBMAV, NAVDX, VAlert, PCScan, NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, NAV/N, IBMAV/N Removal Instructions: Delete infected files General Comments: The 1385 virus was submitted in February, 1992. Its origin or point of isolation are unknown. 1385 is a memory resident infector of .COM programs, including COMMAND.COM. It does not, however, infect very small .COM programs. The first time a program infected with the 1385 virus is executed, the 1385 virus will install itself memory resident as a low system memory TSR of 3,376 bytes. Interrupts 13, 21, CC, and F8 will be hooked by the 1385 virus in memory. Also at this time, the virus will infect C:\COMMAND.COM if it was not previously infected, and one .COM program located in the current drive and directory. Once the 1385 virus is memory resident, it will infect .COM programs as they are executed, plus one additional .COM program in the current directory. This mechanism allows the virus to spread very quickly. Programs infected with the 1385 virus will have a file length increase of 1,385 bytes with the virus being located at the beginning of the program. The file's date and time in the DOS disk directory listing will not have been altered. Two text strings occur in the viral code in infected programs: "c:\COMMAND.COM" "PATH=" Systems infected with the 1385 virus may experience system hangs when .COM programs are executed. It is unknown if 1385 does anything besides replicate.