1689 Stealth Virus


 Virus Name:  1689 Stealth 
 Aliases:    
 V Status:    Rare 
 Discovery:   March, 1993 
 Symptoms:    .COM & .EXE file growth; file allocation errors; 
              decrease in total system & available free memory 
 Origin:      Unknown 
 Eff Length:  1,689 Bytes 
 Type Code:   PRhAK - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  F-Prot, Sweep, AVTK, ViruScan, IBMAV, ChAV, 
                    NAV, NAVDX, VAlert, PCScan, 
                    Sweep/N, NShld, NProt, AVTK/N, NAV/N, IBMAV/N, Innoc, 
                    LProt 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The 1689 Stealth virus was submitted in March, 1993.  Its origin or 
       point of isolation is unknown.  1689 Stealth is a memory resident 
       stealth virus which infects .COM and .EXE programs, including 
       COMMAND.COM. 
 
       When the first 1689 Stealth infected program is executed, this virus 
       will install itself memory resident at the top of system memory but 
       below the 640K DOS boundary, hooking interrupts 21, 22, and 2F. 
       Total system and available free memory, as indicated by the DOS 
       CHKDSK program, will have decreased by 1,728 bytes.  Interrupt 12's 
       return will not have been moved. 
 
       Once the 1689 Stealth virus is memory resident, it will infect .COM 
       and .EXE programs when they are executed.  Infected programs will 
       have increased in size by 1,689 bytes, but the file length increase 
       is hidden by the virus when it is memory resident.  The program's 
       date and time in the DOS disk directory listing will not be altered. 
       Two text strings are visible within the viral code in infected 
       programs: 
 
               "5V3" 
               "COMEXE" 
 
       The DOS CHKDSK program will return file allocation errors on all 
       infected programs when the virus is memory resident.  The virus 
       attempts to hide the file alterations, so some anti-viral utilities 
       which perform CRC or checksumming will not detect alterations on 
       infected programs while 1689 Stealth is active in memory. 
