Father_Mac Virus
Virus Name: Father_Mac
Aliases: Father_Mac.269
V Status: New
Discovered: July, 1995
Symptoms: .COM file growth
Origin: Unknown
Eff Length: 269 Bytes
Type Code: PNCK - Parasitic Non-Resident .COM Infector
Detection Method: F-Prot, AVTK, VAlert, Sweep, ViruScan, IBMAV,
NAV, NAVDX, PCScan, ChAV,
AVTK/N, Sweep/N, NShld, IBMAV/N, NAV/N, NProt, Innoc
Removal Instructions: Delete infected files
General Comments:
The Father_Mac or Father_Mac.269 virus was received in July, 1995.
Its origin or point of isolation is unknown. Father_Mac is a non-
resident, direct action infector of .COM files, including
COMMAND.COM.
When a program infected with the Father_Mac virus is executed, this
virus will infect one .COM file located in the current directory.
Infected files will have a file length increase of 269 bytes with
the virus being located at the end of the file. The program's date
and time in the DOS disk directory listing will not be altered. The
following text strings are visible within the viral code:
"*.com"
"dratboy"
"????????COM?"
It is unknown what the Father_Mac virus may do besides replicate.
Known variant(s) of Father_Mac are:
Father_Mac.269.B: Also received in July, 1995, Father_Mac.269.B
is a minor variant of the Father_Mac virus described above. It
also adds 269 bytes to the .COM files it infects. The following
text strings are visible within the viral code:
"*.com RATBOY"
"????????COM?"
Origin: Unknown July, 1995.
Father_Mac.289: Received in July, 1995, this is a 289 byte
variant of the Father_Mac virus described above. It infects
the first .COM file in the current directory when an infected
program is executed, adding 289 bytes to the file's length.
The program's date and time in the DOS disk directory listing
will not be altered. The following text string is encrypted
within the viral code:
"TCP1/X"
Characters from memory are displayed accompanied by a system
hang when infected .COM files are executed.
Origin: Unknown July, 1995.
Father_Mac.303: Received in July, 1995, this is a 303 byte
variant of the Father_Mac virus described above. It infects
three .COM files in the current directory when an infected
program is executed. Infected files will have a file length
increase of 303 bytes with the virus being located at the end
of the file. The program's date and time in the DOS disk
directory listing will not be altered. The following text
strings are encrypted within the viral code:
"*.com"
"To My Wife, Love Ratboy"
"????????COM?"
"TCP1/X"
Origin: Unknown July, 1995.
Father_Mac.306.A: Received in December, 1996, this is a 306 byte
version of the Father_Mac.303 variant. It infects three .COM
files in the current directory when an infected program is
executed, adding 306 bytes to the file's length. The virus
will be located at the end of the file. The program's date and
time in the DOS disk directory listing will not be altered. It
contains the following encrypted text strings:
"To My Wife, Love Ratboy"
"????????COM?"
Origin: Unknown December, 1996.
Father_Mac.306.B: Received in July, 1995, this is a 306 byte
version of the Father_Mac.303 variant. It infects three .COM
files in the current directory when an infected program is
executed, adding 306 bytes to the file's length. The virus
will be located at the end of the file. The program's date and
time in the DOS disk directory listing will not be altered. It
contains the same encrypted text strings as Father_Mac.303.
Origin: Unknown July, 1995.
Father_Mac.789: Received in July, 1995, this is a memory resident
variant of the Father_Mac virus described above. It becomes
memory resident as a low system memory TSR of 2,048 bytes,
hooking interrupt 21. Once resident, it infects .COM programs,
including COMMAND.COM, when they are executed or opened. Files
infected with this variant will have a file length increase of
789 bytes with the virus being located at the end of the file.
The program's date and time in the DOS disk directory listing
will not be altered. The following text strings are encrypted
within the viral code:
"[LAVI 1.0] (c)1994 FaTHer MaC"
"Poner aca el texto deseado"
Origin: Unknown July, 1995.
Father_Mac.836: Received in July, 1995, this is a memory resident
variant of the Father_Mac virus described above. It becomes
memory resident as a low system memory TSR of 2,048 bytes,
hooking interrupt 21. Once resident, it infects .COM programs,
but not COMMAND.COM, when they are executed or opened. Files
infected with this variant will have a file length increase of
836 bytes with the virus being located at the end of the file.
The program's date and time in the DOS disk directory listing
will not be altered. The following text string is encrypted
within the viral code:
"[LAVI 1.0] (c)1994 FaTHer MaC"
Origin: Unknown July, 1995.
Father_Mac.1360: Received in July, 1995, this is a memory
resident variant of the Father_Mac virus described above. It
becomes memory resident as a low system memory TSR of 2,048
bytes, hooking interrupt 21. Once resident, it infects .COM
programs, including COMMAND.COM, when they are executed or
opened. Files infected with this variant will have a file length
increase of 1,360 bytes with the virus being located at the end
of the file. The program's date and time in the DOS disk
directory listing will not be altered. The following text string
is encrypted within the viral code:
"[LAVI 1.0] (c)1994 FaTHer MaC"
Origin: Unknown July, 1995.
Father_Mac.1445: Received in July, 1995, this is a memory
resident variant of the Father_Mac virus described above. It
becomes memory resident as a low system memory TSR of 2,048
bytes, hooking interrupt 21. Once resident, it infects .COM
programs, including COMMAND.COM, when they are executed or
opened. Files infected with this variant will have a file length
increase of 1,445 bytes with the virus being located at the end
of the file. The program's date and time in the DOS disk
directory listing will not be altered. The following text
strings are encrypted within the viral code:
"LASNEEZE SNEEZE SNEEZE SNEEZE"
"Cough Cough Cough Cough"
Origin: Unknown July, 1995.
Father_Mac.1470: Received in July, 1995, this is a memory
resident variant of the Father_Mac virus described above. It
becomes memory resident as a low system memory TSR of 2,048
bytes, hooking interrupt 21. Once resident, it infects .COM
programs, including COMMAND.COM, when they are executed or
opened. Files infected with this variant will have a file length
increase of 1,470 bytes with the virus being located at the end
of the file. The program's date and time in the DOS disk
directory listing will not be altered. The following text
strings are encrypted within the viral code:
"[LAVI 1.0] (c)1994 FaTHer MaC"
"Poner aca el texto deseado"
This variant will sometimes emit a beep on the system speaker
and display some characters from memory when programs are
executed.
Origin: Unknown July, 1995.
Father_Mac.1495: Received in July, 1995, this is a memory
resident variant of the Father_Mac virus described above. It
becomes memory resident as a low system memory TSR of 2,048
bytes, hooking interrupt 21. Once resident, it infects .COM
programs, including COMMAND.COM, when they are executed or
opened. Files infected with this variant will have a file length
increase of 1,495 bytes with the virus being located at the end
of the file. The program's date and time in the DOS disk
directory listing will not be altered. The following text
strings are encrypted within the viral code:
"[LABARF BARF BARF BARF BARF HI"
"Cough Cough Cough Ch"
Origin: Unknown July, 1995.
Father_Mac.1496: Received in July, 1995, this is a memory
resident variant of the Father_Mac virus described above. It
becomes memory resident as a low system memory TSR of 2,048
bytes, hooking interrupt 21. Once resident, it infects .COM
programs, but not COMMAND.COM, when they are executed or
opened. Files infected with this variant will have a file length
increase of 1,496 bytes with the virus being located at the end
of the file. The program's date and time in the DOS disk
directory listing will not be altered. The following text
string is encrypted within the viral code:
"[LAVI 1.0] (c)1994 FaTHer MaC"
The following text strings are unencrypted within the viral code:
"lavi"
"fAthER mAc"
This variant may emit a shooting sound, either quick or slow,
from the system speaker when a program is infected by the virus.
Origin: Unknown July, 1995.
Father_Mac.1536: Received in July, 1995, this is a memory
resident variant of the Father_Mac virus described above. It
becomes memory resident as a low system memory TSR of 2,048
bytes, hooking interrupt 21. Once resident, it infects .COM
programs, but not COMMAND.COM, when they are executed or
opened. Files infected with this variant will have a file length
increase of 1,536 bytes with the virus being located at the end
of the file. The program's date and time in the DOS disk
directory listing will not be altered. The following text
strings are encrypted within the viral code:
"[LAVI 1.0] (c)1994 FaTHer MaC"
"TE GUSTA TU NEUVO BOOT RECORD??, CORTESIA DE ANTI-RAQPR"
"c:\RA\RA*.*"
Origin: Unknown July, 1995.
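
Added example (not part of the original entry): a baseline integrity check built on the symptoms described above, flagging .COM files that grew by exactly one of the listed variant lengths, noting whether the date and time stayed unchanged, and searching the appended bytes for the strings the entry lists as visible. The baseline manifest format and the names check, scan and demo are assumptions made for this illustration; the sample files are constructed from inert filler bytes.

```python
import os, tempfile

# File-length increases per variant, as listed in the descriptions above.
GROWTH = {
    269: "Father_Mac.269 or .269.B", 289: "Father_Mac.289",
    303: "Father_Mac.303", 306: "Father_Mac.306.A or .306.B",
    789: "Father_Mac.789", 836: "Father_Mac.836",
    1360: "Father_Mac.1360", 1445: "Father_Mac.1445",
    1470: "Father_Mac.1470", 1495: "Father_Mac.1495",
    1496: "Father_Mac.1496", 1536: "Father_Mac.1536",
}
# Strings the entry lists as visible (unencrypted); encrypted ones cannot be matched.
MARKERS = {269: [b"dratboy", b"RATBOY"], 1496: [b"lavi", b"fAthER mAc"]}

def check(path, base_size, base_mtime):
    """Compare one file with its recorded baseline; return a finding or None."""
    st = os.stat(path)
    delta = st.st_size - base_size
    if delta not in GROWTH:
        return None
    with open(path, "rb") as f:
        f.seek(-delta, os.SEEK_END)   # the appended region sits at the end of the file
        tail = f.read()
    return {
        "file": os.path.basename(path),
        "candidate": GROWTH[delta],
        "timestamp_unchanged": int(st.st_mtime) == int(base_mtime),
        "markers": [m.decode() for m in MARKERS.get(delta, []) if m in tail],
    }

def scan(directory, baseline):
    """baseline: {filename: (size, mtime)} recorded while the system was known clean."""
    names = sorted(n for n in os.listdir(directory) if n.upper().endswith(".COM") and n in baseline)
    hits = (check(os.path.join(directory, n), *baseline[n]) for n in names)
    return [h for h in hits if h]

def demo():
    """Constructed sample: inert filler bytes only, no viral code."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("A.COM", "B.COM"):
            with open(os.path.join(d, name), "wb") as f:
                f.write(b"\x00" * 1000)
        with open(os.path.join(d, "A.COM"), "ab") as f:
            f.write(b"*.com\x00dratboy\x00".ljust(269, b"\x00"))
        for name in ("A.COM", "B.COM"):   # mimic the unaltered date and time
            os.utime(os.path.join(d, name), (800000000, 800000000))
        return scan(d, {"A.COM": (1000, 800000000), "B.COM": (1000, 800000000)})
```

A size match alone is only a lead, since a legitimate update can add the same number of bytes; growth with an unchanged timestamp, or a marker hit, is the stronger signal.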