FCB Virus


 Virus Name:  FCB 
 Aliases:     384 
 V Status:    Viron 
 Discovered:  September, 1992 
 Symptoms:    .COM & .EXE programs overwritten; program corruption; 
              file date/time changes 
 Origin:      Bulgaria 
 Eff Length:  384 Bytes 
 Type Code:   ONAK - Overwriting Non-Resident .COM & .EXE Infector 
 Detection Method:  F-Prot, Sweep, ViruScan, AVTK, IBMAV, 
                    NAV, NAVDX, VAlert, PCScan, ChAV, 
                    NShld, Sweep/N, Innoc, NProt, AVTK/N, LProt, IBMAV/N, 
                    NAV/N 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The FCB, or 384, virus was received in September, 1992.  It is 
       originally from Bulgaria.  This virus is a non-resident, direct 
       action infector of .COM and .EXE programs, including COMMAND.COM. 
       It is unusual in that it uses file control blocks (FCBs) instead 
       of file handles in the process of infecting files. 
 
       When a program infected with the FCB virus is executed, this virus 
       will infect one program located in the current directory.  The 
       virus will select .COM files before .EXE files for infection, and 
       if COMMAND.COM is located in this directory, it may become infected. 
 
       Programs infected with the FCB virus will have the first 384 bytes 
       of the host program overwritten with the FCB virus' code.  The 
       file's date and time in the DOS disk directory will have been 
       updated to the current system date and time when infection occurred. 
       Infected programs will contain the following text strings: 
 
               "401 File Virus" 
               "Infects any .COM or .EXE file on any writeable Device" 
 
       The FCB virus doesn't do anything besides replicate, though infected 
       programs are permanently corrupted and must be replaced from clean, 
       backup copies.

Show viruses from discovered during that infect .

Main Page