Fil Virus

Virus Name: Fil Aliases: V Status: Rare Discovered: March, 1992 Symptoms: .COM file growth; decrease in total system & available free memory; corruption of data files Origin: Unknown Eff Length: 1,658 Bytes Type Code: PRhCK - Parasitic Resident .COM Infector Detection Method: ViruScan, AVTK, Sweep, F-Prot, IBMAV, NAV, NAVDX, VAlert, PCScan, ChAV, NShld, Sweep/N, LProt, Innoc, NProt, IBMAV/N, AVTK/N, NAV/N Removal Instructions: Delete infected files General Comments: The Fil virus was submitted in March, 1992. Its origin, or point of isolation, is unknown. Fil is a memory resident infector of .COM programs, including COMMAND.COM. When the first Fil infected program is executed, the Fil virus will install itself memory resident at the top of system memory but below the 640K DOS boundary. Total system and available free memory, as indicated by the DOS CHKDSK program, will have decreased by 4,112 bytes. Interrupts 09, 1C, and 21 will be hooked by the Fil virus in memory. COMMAND.COM will be infected at this time if it was not previously infected. Once the Fil virus is memory resident, it may infect .COM programs when they are executed. Data and overlay files may also become either infected or corrupted when they are accessed. The Fil virus adds 1,658 bytes to the .COM programs it infects. The virus will be located at the end of infected programs. These .COM programs may also become reinfected by the virus. There will be no change to the file's date and time in the DOS disk directory listing. The following text strings are contained in the Fil virus' viral code, though they are usually not visible as the virus encrypts them: "pCbYTE" "bANDIT" "dEMORALIZED yOUTH" "tHIS IS THY PRESENT WORLD" "SAID THE fLAME TO THE sPARK" "tHOU ART MYSELF" "MY IMAGE" "AND MY SHADOW" "i HAVE CLOTHED-*MYSELF IN THEE" "AND THOU ART MY VEHICLE TO THE DAY" "bE-*WITH US" "WHEN THOU SHALT RE" "BECOME MYSELF AND OTHERS" "THYSELF AND ME" The Fil virus may corrupt data files accessed with write intent on infected systems.