Father Virus

Virus Name: Father Aliases: V Status: Rare Discovered: July, 1992 Symptoms: .COM & .EXE growth; decrease in total system & available free memory; file date/time changed to 11-08-91 4:15p Origin: Unknown Eff Length: 1,449 - 1,463 Bytes Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan, AVTK, Sweep, F-Prot, IBMAV, NAV, NAVDX, VAlert, PCScan, ChAV, NShld, Sweep/N, NProt, AVTK/N, NAV/N, IBMAV/N, Innoc, LProt Removal Instructions: Delete infected files General Comments: The Father virus was received in July, 1992. Its origin or point of isolation is unknown. Father is a memory resident infector of .COM and .EXE programs. It is based on the Dark Avenger virus. When the first Father infected program is executed, the Father virus will install itself memory resident at the top of system memory but below the 640K DOS boundary. It does not move interrupt 12's return. Total system and available free memory, as indicated by the DOS CHKDSK program, will have decreased by 1,616 bytes. Interrupts 1C, 21, and 27 will be hooked by the virus. Also at this time, Father will infect COMMAND.COM if it was not previously infected. Once the Father virus is memory resident, it will infect .COM and .EXE programs when they are opened or executed. Infected .COM programs will have a file length increase of 1,449 bytes. Infected .EXE program will have a file length increase of 1,449 to 1,463 bytes. In both cases the virus will be located at the end of the program. The infected file's date and time in the DOS disk directory listing will have been changed to 11-08-91 4:15p. The following text strings can be found within the viral code in Father infected programs: "In memory of my father." "(C)Nduk '91" It is unknown what Father may do besides replicate. See: CB-1530 Dark Avenger