Fairz Virus

Virus Name: Fairz Aliases: Khobar V Status: Rare Discovered: October, 1993 Symptoms: .COM & .EXE growth; file date/time changes; Decrease in total system & available free memory Origin: Unknown Eff Length: 2,088 - 2,102 Bytes Type Code: PRhA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan, IBMAV, Sweep, AVTK, F-Prot, NAV, NAVDX, VAlert, PCScan, ChAV, NShld, Sweep/N, NProt, NAV/N, AVTK/N, IBMAV/N, Innoc, LProt Removal Instructions: Delete infected files General Comments: The Fairz, or Khobar, virus was submitted in October, 1993. Its origin or point of isolation is unknown. Fairz is a memory resident infector of .COM and .EXE programs, but not COMMAND.COM. When the first Fairz infected program is executed, this virus will install itself memory resident at the top of system memory but below the 640K DOS boundary, not moving interrupt 12's return. Total system and available free memory, as indicated by the DOS CHKDSK program, will have decreased by 2,096 bytes. Interrupt 21 will be hooked by Fairz in memory. Once the Fairz virus is memory resident, it will infect .COM and .EXE programs when they are executed or opened, but not when they are copied. Infected programs will have a file length increase of approximately 2,088 to 2,102 bytes with the virus being located at the end of the file. The program's date and time in the DOS disk directory listing will have been updated to the current system date and time when infection occurred. The following text strings are encrypted within the Fairz viral code: "COM" "This is an [ illegal copy ] of Keypress virus remover" "System Halted." "Eternal Fair" It is unknown what Fairz does besides replicate.