Edcl Virus


 Virus Name:  Edcl 
 Aliases:     Edct 
 V Status:    Rare 
 Discovered:  April, 1992 
 Symptoms:    .COM & .EXE file growth; decrease in total system and 
              available free memory 
 Origin:      Unknown 
 Eff Length:  1,600 - 1,615 Bytes 
 Type Code:   PRhAK - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  F-Prot, AVTK, NAV, IBMAV, ViruScan, Sweep, PCScan, 
                    NAVDX, VAlert, ChAV, 
                    NShld, Sweep/N, Innoc, NProt, AVTK/N, NAV/N, IBMAV/N, 
                    LProt 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Edcl virus was submitted in April, 1992.  It is originally from 
       Bulgaria, and is related to the CB-1530 virus.  Edcl is a memory 
       resident infector of .COM and .EXE programs, including COMMAND.COM, 
       and employs some stealth techniques to avoid detection. 
 
       When the first Edcl infected program is executed, the Edcl virus 
       will install itself memory resident at the top of system memory 
       but below the 640K DOS boundary.  Total system and available free 
       memory, as indicated by the DOS CHKDSK program, will have 
       decreased by 2,048 bytes.  Interrupt 12's return will not have 
       been moved.  Interrupts 09, 13, and 21 will be hooked by Edcl in 
       memory.  Also at this time the Edcl virus will infect COMMAND.COM 
       if it was not previously infected. 
 
       Once the Edcl virus is memory resident, it will infect .COM and 
       .EXE programs, other than very small ones, when the programs are 
       opened or executed.  Infected programs will have a file length 
       increase of 1,600 to 1,615 bytes with the virus being located 
       at the end of the program.  The file's date and time in the 
       DOS disk directory listing will not be altered.  One text string 
       can be found in the viral code in infected programs: 
 
               "EDCL" 
 
       The following text strings are also contained within the Edcl 
       virus, though they are encrypted so they will not appear in 
       infected files: 
 
               "COMEXEBACKUP.COM" 
               "Hi to Eastern Digital." 
               "Greetings to Mister L." 
               "Megafuck to Mihai Sirbu -- MicroTimSoft." 
 
       Attempts to execute some anti-viral scanners with the Edcl virus 
       memory resident will result in the virus being noticed on .COM 
       files, but not on .EXE files.  .EXE files may appear to be 
       uninfected, though if scanned with the virus non-resident, the 
       same utility will be able to detect the virus.  The virus may also 
       interfere with the operation of the BACKUP.COM program. 
 
       Known variant(s) of Edcl are: 
       Edcl-B: Functionally equivalent to the Edcl virus described 
             above, Edcl-B is a minor variant.  It has 21 bytes which 
             differ from the original virus. 
             Origin:  Unknown  October, 1992. 
       Edct: Similar to the Edcl virus described above, this variant 
             does not hook interrupt 13.  Like Edcl, it adds 1,600 to 
             1,615 bytes to the .COM and .EXE programs it infects on 
             execution and file open.  Two text strings are encrypted 
             within the viral code: 
             "COMEXEBACKUP.COM" 
             "Megafuck from Eastern Digital" 
             The "EDCL" text string found within the original virus has 
             been changed to "edct". 
             Origin:  Bulgaria  June, 1992. 
 
       See:   CB-1530 
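
Added example (not part of the original entry, and not the method of any scanner listed in it): a Python triage check for the file-level traits described above, namely the marker string "EDCL" or "edct" within the last 1,615 bytes of a .COM or .EXE file. The function names are assumptions; a hit is only a lead to confirm with a real scanner, and per the entry the files should be read with the virus not resident in memory.

```python
"""Triage .COM/.EXE files for the appended-marker traits this entry lists."""
import os
import sys

# From the entry: the virus sits at the end of the host, adds 1,600 to 1,615
# bytes, and carries "EDCL" (Edcl) or "edct" (Edct variant) unencrypted.
MIN_GROWTH = 1600
MAX_GROWTH = 1615
MARKERS = {b"EDCL": "Edcl", b"edct": "Edct"}
EXTENSIONS = (".com", ".exe")


def check_tail(tail):
    """Return the variant whose marker occurs in these bytes, else None."""
    for marker, variant in MARKERS.items():
        if marker in tail:
            return variant
    return None


def check_file(path):
    """Inspect only the last MAX_GROWTH bytes, where appended code would be."""
    size = os.path.getsize(path)
    if size <= MIN_GROWTH:  # too small to be a host plus 1,600 added bytes
        return None
    with open(path, "rb") as handle:
        handle.seek(max(0, size - MAX_GROWTH))
        return check_tail(handle.read())


def scan_tree(root):
    """Walk root and return (path, variant) for every flagged program file."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in sorted(files):
            if name.lower().endswith(EXTENSIONS):
                path = os.path.join(folder, name)
                variant = check_file(path)
                if variant:
                    hits.append((path, variant))
    return hits


if __name__ == "__main__":
    for found, which in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{found}: marker of {which} in final {MAX_GROWTH} bytes")
```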
