Ebola Virus
Virus Name: Ebola
Aliases: Ebola.313, Eb.313
V Status: New
Discovered: January, 1996
Symptoms: .COM files altered
Origin: Unknown
Eff Length: 313 Bytes OW
Type Code: ORaCK - Overwriting Resident .COM Infector
Detection Method: AVTK, ViruScan, NAV, NAVDX, F-Prot, IBMAV, PCScan, ChAV,
AVTK/N, NAV/N, NShld, IBMAV/N, Innoc
Removal Instructions: Delete infected files
General Comments:
The Ebola virus, also known as Eb.313 or Ebola.313, was received in January, 1996.
Its origin or point of isolation is unknown. Ebola is a memory
resident infector of .COM files, including COMMAND.COM. It only
infects programs in subdirectories.
When the first Ebola infected program is executed, this virus will
install itself memory resident in allocated system memory, hooking
interrupt 21. Total system and available free memory, as indicated
with the DOS CHKDSK program from DOS 5.0, will not be altered.
Once the Ebola virus is memory resident, it will infect .COM programs
as they are executed, but only if the program contains at least 313
bytes of hex "00" characters. In that case it infects the program by
overwriting 313 bytes of the hex "00" characters and adding a jump to
this code at the beginning of the file. The file's length and file
date/time in the DOS disk directory listing will not be altered. The
following text string is visible within the viral code in all Ebola
infected programs:
"Ebola #2"
Programs infected with the Ebola virus will usually function
properly as this virus does not overwrite any of the program's
actual code.
Known variant(s) of Ebola are:
Ebola.378: Also known as Eb.378, this is a 378 byte variant of
the Ebola virus described above. It contains the following
text string:
"Ebola #1"
Origin: Unknown January, 1996.
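
Because the file length and date/time do not change, a directory listing cannot reveal an infection; the file content has to be inspected. The following detection sketch is an added example, not part of the original entry or of any listed scanner: it looks for the two text strings quoted above and checks whether the file starts with a jump that lands near the string. The E9/EB jump encodings, the function names and the sample images are assumptions constructed for illustration.

```python
import struct

# Text strings quoted in this entry, mapped to variant name and body length.
MARKERS = {b"Ebola #2": ("Ebola.313", 313), b"Ebola #1": ("Ebola.378", 378)}

def entry_jump_offset(image):
    """File offset reached by a JMP at the start of a .COM image, else None.

    Assumption: the jump is an x86 near (E9 rel16) or short (EB rel8) JMP.
    """
    if len(image) >= 3 and image[0] == 0xE9:
        offset = 3 + struct.unpack_from("<h", image, 1)[0]
    elif len(image) >= 2 and image[0] == 0xEB:
        offset = 2 + struct.unpack_from("<b", image, 1)[0]
    else:
        return None
    return offset if 0 <= offset < len(image) else None

def scan_com(image):
    """Return (variant, evidence) for a suspected infection, or None."""
    target = entry_jump_offset(image)
    for marker, (variant, body_len) in MARKERS.items():
        pos = image.find(marker)
        if pos < 0:
            continue
        # The marker sits inside the viral body, so a jump into that body
        # must land within body_len bytes of it.
        if target is not None and abs(pos - target) < body_len:
            return variant, "marker+entry-jump"
        return variant, "marker-only"
    return None

def make_samples():
    """Constructed images; the 'infected' one holds NOP filler, no viral code."""
    clean = b"\xb4\x4c\xcd\x21" + bytes(400) + b"DATA"
    body = (b"\x90" * 100 + b"Ebola #2").ljust(313, b"\x90")
    # Jump from offset 0 to the former zero run at offset 4 (rel16 = 4 - 3).
    mock = b"\xe9\x01\x00" + clean[3:4] + body + clean[4 + 313:]
    return clean, mock

if __name__ == "__main__":
    clean, mock = make_samples()
    print(len(clean) == len(mock))  # length unchanged, as the entry describes
    print(scan_com(clean), scan_com(mock))
```

A "marker-only" result means the string is present without a matching entry jump, which can also occur in a text or document that merely quotes the string.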