Flip Virus


 Virus Name:  Flip 
 Aliases:     Flip-2343 
 V Status:    Common 
 Discovered:  July 1990 
 Isolated:    West Germany 
 Symptoms:    .COM & .EXE growth; decrease in system and free memory; 
              boot sector and master boot sector altered; file allocation 
              errors; possible hard disk corruption 
 Origin:      Switzerland 
 Eff Length:  2,343  Bytes 
 Type Code:   PRhABKX - Parasitic Resident .COM, .EXE, Master Boot Sector 
                        Infector 
 Detection Method:  ViruScan, F-Prot, NAV, AVTK, Sweep, 
                    IBMAV, NAVDX, VAlert, PCScan, ChAV, 
                    NShld, LProt, Sweep/N, NProt, AVTK/N, NAV/N, IBMAV/N, 
                    Innoc 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Flip, or Flip-2343, virus was discovered in West Germany in 
       July 1990.  It is a generic file infector, and will infect .COM, 
       .EXE, and overlay files.  This virus will also infect COMMAND.COM, 
       as well as alter the master boot sector (partition table) and boot 
       sector of hard disks.  It is important to note that the Flip virus 
       is not infective from .COM files or boot sectors. 
 
       The first time an .EXE program infected with the Flip virus is 
       executed, it installs itself memory resident in high memory.  System 
       memory as reported by the CHKDSK command as well as free memory will 
       have decreased by 3,064 bytes.  At this time, the copy of 
       COMMAND.COM located in the C: drive root directory will be infected, 
       though no file length change will be apparent with the virus in 
       memory.  The system's hard disk master boot sector and boot sector 
       will also be slightly modified.  If the infected program was executed 
       from a floppy, COMMAND.COM on the floppy will be infected, though 
       the size change will be noticeable. 
 
       After Flip becomes memory resident, any .COM or .EXE files executed 
       will become infected.  Infected programs will show a file length 
       increase of 2,343 bytes.  If a program is executed which uses an 
       overlay file, the overlay file will also become infected. 
 
       Systems infected with Flip may experience file allocation errors 
       resulting in file linkage errors.  Some data files may become 
       corrupted. 
 
       On the second of any month, systems which were booted from an 
       infected hard disk and have an EGA or VGA capable display adapter 
       may experience the display on the system monitor being horizontally 
       "flipped" between 16:00 and 16:59. 
 
       Systems with hard disks which have been allocated with partitions 
       greater than 32 megabytes in size may experience corruption of the 
       hard disk logical partitioning.  When this occurs, a partition 
       larger than 32 megabytes may be altered to be slightly less than 
       32 megabytes in size. 
 
       Flip can only be passed between systems on infected .EXE files. 
       Infected .COM files, and altered floppy boot sectors do not transfer 
       the virus. 
 
       Known variant(s) of Flip are: 
       Flip-2153: Similar to the original Flip virus, this variant has 
               an effective length of 2,153 bytes.  Its memory resident 
               portion at the top of system memory is 2,672 bytes.  The 
               major difference between this variant and the original virus 
               is that Flip-2153 can infect programs from the hard disk 
               master boot sector infection. 
               Origin:  Unknown  January, 1991. 
       Flip-2153B: Similar to Flip-2153, this variant's major change 
               is that the virus can now infect programs after becoming 
               memory resident from an infected .COM program. 
               Origin:  United States  October, 1991. 
       Flip-2153C: Functionally similar to Flip-2153B, this variant 
               has been altered to avoid detection by some anti-viral 
               utilities. 
               Origin:  Unknown  February, 1992. 
       Flip-2343B: Functionally similar to the original Flip virus, 
               this variant's size in memory is 2,864 bytes, hooking 
               interrupt 21.  Once the virus has become memory resident 
               from an infected file, it is able to infect programs from 
               both .COM and .EXE files without the system needing to be 
               rebooted from the infected hard disk. 
               Origin:  Unknown  September, 1992. 
       Prism: Functionally similar to Flip-2153, this variant was 
               altered to avoid detection by most anti-viral utilities 
               which were aware of the Flip virus.  Like Flip-2153, it 
               adds 2,153 bytes to the .COM and .EXE programs it infects 
               when they are executed.  As with other members of this 
               family, it also infects the hard disk master boot sector 
               when the first infected program is executed. 
               Origin:  Unknown  January, 1992. 
       Raistlin: Functionally similar to Flip-2153B, this variant 
               has been altered to avoid detection by some anti-viral 
               utilities.  Like Flip-2153B, it adds 2,153 bytes to the .COM 
               and .EXE programs it infects on execution.  The following text 
               strings are encrypted within the viral code: 
               "RAISTLIN I from Spain" 
               "MADRID a favor del consumo de costo!" 
               As with other Flip variants, this variant also infects the 
               system hard disk master boot sector (which contains the hard 
               disk partition table). 
               Origin:  Spain  February, 1994.

Show viruses from discovered during that infect .

Main Page