Fisher Virus


 Virus Name:  Fisher 
 Aliases:     Fisher-1100 
 V Status:    Rare 
 Discovered:  March, 1993 
 Symptoms:    .COM file growth; DOS CHKDSK file allocation errors; 
              decrease in total system & available free memory 
 Origin:      Unknown 
 Eff Length:  1,100  Bytes 
 Type Code:   PRhCK - Parasitic Resident .COM Infector 
 Detection Method:  Sweep, AVTK, F-Prot, ViruScan, IBMAV, NAVDX, 
                    NAV, VAlert, PCScan, ChAV, 
                    Sweep/N, NShld, NProt, AVTK/N, NAV/N, IBMAV/N, Innoc, 
                    LProt 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Fisher, or Fisher-1100, virus was submitted in March, 1993. 
       Fisher is a memory resident infector of .COM programs, including 
       COMMAND.COM, which should be considered a stealth virus. 
 
       When the first Fisher infected program is executed, this virus will 
       install itself memory resident at the top of system memory but below 
       the 640K DOS boundary, not moving interrupt 12's return.  Total 
       system and available free memory, as indicated by the DOS CHKDSK 
       program, will have decreased by 2,208 bytes.  Interrupt 21 will be 
       hooked by Fisher in memory.  COMMAND.COM will also be infected by the 
       virus at this time if it was not previously infected. 
 
       Once Fisher is memory resident, it will infect .COM programs when 
       they are executed or opened for any reason.  Infected programs will 
       have a file length increase of 1,100 bytes, though the file length 
       increase will be hidden when the virus is memory resident.  The 
       virus is located in the middle of infected files.  The program's date 
       and time in the DOS disk directory listing will not appear to be 
       altered, though the seconds field will have been set to "62".  The 
       following text strings are visible within the viral code in all 
       Fisher infected programs: 
 
               "comCOM" 
               "(c) Copyright 1992 by Fisher. Version 3.0" 
               "PUNK-ROCK & BEER FOREVER !" 
 
       Systems infected with the Fisher virus will experience the DOS 
       CHKDSK program detecting file allocation errors on all infected 
       files when the virus is memory resident. 
 
       Known variant(s) of Fisher are: 
       Fisher-2420: Possibly an earlier version of the Fisher virus, 
                    this variant will also infect .EXE programs when they 
                    are executed or opened.  Its size in memory is 2,432 
                    bytes, hooking interrupts 17 and 21.  Infected files 
                    will have a file length increase of 2,420 bytes, though 
                    the file length increase is hidden when Fisher-2420 is 
                    memory resident.  The virus will be located at the end 
                    of the file.  The following text strings are visible 
                    within the viral code in all Fisher-2420 infected 
                    programs: 
                    "comCOMexeEXE" 
                    "(c) Copyright 1991-92 by Fisher. Version 2.0" 
                    Origin:  Unknown  March, 1993.

Show viruses from discovered during that infect .

Main Page