1720 Virus


 Virus Name:  1720 
 Aliases:     PSQR Virus 
 V Status:    Rare 
 Discovery:   March, 1990 
 Symptoms :   TSR; .COM & .EXE growth; partition table damage on 
              activation; programs on diskette deleted on Friday the 13th 
 Origin:      Spain 
 Eff Length:  1,719 - 1,733 Bytes 
 Type Code:   PRsA - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  ViruScan, F-Prot, AVTK, NAV, Sweep, 
                    IBMAV, NAVDX, VAlert, PCScan, ChAV, 
                    NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, 
                    NAV/N, IBMAV/N 
 Removal Instructions:  NAV, or delete infected files 
 
 General Comments: 
       The 1720, or PSQR virus, is a variant of the Jerusalem virus which 
       was first isolated in Barcelona, Spain, in March 1990.  This virus, 
       infects .COM and .EXE files, though unlike Jerusalem, it does not 
       infect overlay files.  COMMAND.COM will also not be infected. 
 
       The first time an infected file is executed, the virus will install 
       itself memory resident as a low system memory TSR of 2,048 bytes. 
       Interrupt 21 will be hooked by 1720 in memory. 
 
       Once the 1720 virus is memory resident, it will infect .COM and 
       .EXE programs as they are executed.  Infected .COM programs increase 
       in size by 1,720 bytes, and the virus will be located at the 
       beginning of the infected file.  Infected .EXE programs increase 
       in size by 1,719 to 1,733 bytes, and the virus will be located at 
       the end of the infected file.  In both cases, there will be no 
       change to the file's date and time in the DOS disk directory.  All 
       infected programs can be easily identified as they will end with 
       the text character string "PSQR", which is the infection marker for 
       this virus. 
 
       On Friday the 13th, the 1720 virus will activate the first time an 
       infected program is executed.  When the program is executed, it will 
       be deleted from disk.  More damaging, however, is that the 1720 
       virus will check to see if the system has a hard disk drive.  If a 
       hard disk drive is present, the virus will overwrite the boot sector 
       and partition table resulting in all data on the hard disk becoming 
       unavailable.  The system will also appear to hang. 
 
       Known variant(s) of 1720 are: 
       1720-B: Isolated in Spain in October, 1991, this variant is 
               functionally similar to the original virus.  The encryption 
               used within the virus has been slightly modified, though 
               most anti-virals will detect this variant without any 
               problem. 
 
       See:   PCBB   Jerusalem

Show viruses from discovered during that infect .

Main Page