Fich Virus
Virus Name: Fich
Aliases: FichV, CHV 2.1, 903
V Status: Common
Discovery: January, 1991
Symptoms: .COM file growth; TSR; system hangs; overwrites disk
Origin: France
Eff Length: 903 Bytes
Type Code: PRsCK - Parasitic Resident COM Infector
Detection Method: ViruScan, AVTK, F-Prot, NAV, Sweep,
IBMAV, NAVDX, VAlert, PCScan, ChAV,
NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, NAV/N,
IBMAV/N
Removal Instructions: Delete infected files
General Comments:
The Fich virus was discovered France in January, 1991. This virus
is not a particularly viable virus since replicated samples will not
further replicate. It is possible that the original sample is
corrupted. This virus infects .COM program, including COMMAND.COM.
When the original sample of Fich is executed, this virus will install
itself memory resident as a 1,216 byte low system memory TSR. It
will hook interrupt 21. At that time, it will infect COMMAND.COM,
adding 903 bytes to the beginning of the program. The following
message is then displayed:
"Fichier introuvable"
Once memory resident, this virus will infect up to three .COM
programs in the current directory if the original sample is again
executed. Later execution of infected files (other than the
original) will not result in the virus spreading to other files.
The virus will also infect files when the DOS COPY command is
used, but only if the source and target files are in the current
directory.
Infected .COM programs will have a file size increase of 903 bytes,
the virus will be located at the beginning of the infected program.
The file date and time in the disk directory will not be altered by
the virus.
If Fich becomes memory resident from other than the original sample,
it will not replicate to other .COM programs. The "Fichier
introuvable" message is not displayed with other than the original
sample.
Some programs may hang when they are executed on infected systems.
The Fich virus activates during the month of March, at which time it
may overwrite the first six sectors of each track of the current
drive with the following text string:
"CHV 2.1 vous a eu"
This string translates from French to English as "CHV 2.1 got you".
Known variant(s) of Fich are:
Fich-B: Similar to the original Fich virus, will infect 3 files
each time an infected program is executed, including when the
virus becomes memory resident. The message from the original
virus is never displayed. It has six bytes which are
different from the original virus.
Fich-C: Similar to Fich-B, this variant was submitted as an
unencrypted variant of Fich-B. Replicated samples of this
variant are, however, encrypted. The other difference from
the Fich-B variant is that interrupt 3 will be hooked by the
virus in memory.
Origin: France, September 1991
Fich-897: Based on the Fich virus, this variant differs in that
it only infects .EXE programs. Its memory resident TSR is
2,256 bytes, hooking interrupts 21 and 24. It infects one
.EXE program in the current directory each time any program
is executed, and well as the target file when .EXE programs
are copied. It adds 897 bytes to the .EXE programs it
infects, with the virus being located at the end of the
file. The program's date and time in the DOS disk directory
listing will not be altered. The following text string is
encrypted within the viral code:
"*.exe **FEXE 1.0 vous a eu **"
Origin: France, December 1992
See: Fichv-896