Enemy Within Virus

Virus Name: Enemy Within Aliases: Keeper.Enemy V Status: Rare Discovered: February, 1994 Symptoms: .EXE file growth; .COM files may appear to be 644 bytes too short; decrease in total system and available free memory Origin: Canada Eff Length: 644 Bytes Type Code: PRhE - Parasitic Resident .EXE Infector Detection Method: ViruScan, AVTK, F-Prot, Sweep, IBMAV, NAV, NAVDX, VAlert, PCScan, NShld, NProt, AVTK/N, Sweep/N, IBMAV/N, NAV/N, LProt Removal Instructions: Delete infected files General Comments: The Enemy Within virus was received in February, 1994. It appears to be from Canada. Enemy Within is a memory resident infector of .EXE programs. It is a fast infector, as well as a size stealth virus. The first time an Enemy Within infected program is executed, this virus will install itself memory resident at the top of system memory but below the 640K DOS boundary. Total system and available free memory, as indicated by the DOS CHKDSK program, will have decreased by 1,040 bytes. Interrupt 21 will be hooked by the viris in memory. After the virus has become memory resident, it will infect .EXE programs when they are executed, opened, or copied. Programs infected with the Enemy Within virus will have a file length increase of 644 bytes with the virus being located at the end of the file. The file length increase, however, will be hidden by the virus when it is memory resident. The file's date and time in the DOS disk directory listing will not have been altered. The following text string is encrypted within the Enemy Within viral code: "[Enemy Within] Crypt Keeper - Phalcon/Skism" Users of systems infected with the Enemy Within virus may notice that .COM programs will appear to be 644 bytes shorter than normal in a DOS directory listing when the virus is memory resident. This effect is due to a bug in the virus. See: Keeper