Foetus 1.1 Virus


 Virus Name:  Foetus 1.1 
 Aliases:    
 V Status:    Rare 
 Discovered:  November, 1993 
 Symptoms:    .COM & .EXE growth; system hangs; 
              decrease in total system & available free memory 
 Origin:      Greece 
 Eff Length:  1,561 Bytes 
 Type Code:   PRhAK - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  ViruScan, AVTK, Sweep, IBMAV, F-Prot, NAVDX, VAlert, 
                    NAV, PCScan, ChAV, 
                    NShld, Sweep/N, IBMAV/N, AVTK/N, NProt, NAV/N, Innoc 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Foetus 1.1 virus was received in November, 1993.  It is from 
       Greece and appears to be related to the  Athens  virus and its 
       Trojector variant.  Foetus 1.1 is a memory resident stealth virus 
       which infects .COM and .EXE programs, including COMMAND.COM. 
 
       When the first Foetus 1.1 infected program is executed, this virus 
       will install itself memory resident at the top of system memory but 
       below the 640K DOS boundary, not moving interrupt 12's return.  Total 
       system and available free memory, as indicated by the DOS CHKDSK 
       program, will have decreased by 3,776 bytes.  Interrupt 21 will be 
       hooked by the Foetus 1.1 virus in memory. 
 
       Once Foetus 1.1 is memory resident, it will infect .COM and .EXE 
       programs, including COMMAND.COM, when they are executed or opened 
       for any reason.  Infected programs will increase in size by 1,561 
       bytes, though the file length increase will not be visible when the 
       virus is memory resident.  The virus will be located at the end of 
       infected files.  The program's date and time in the DOS disk directory 
       listing will not be altered.  The following text string is encrypted 
       within the viral code in all Foetus 1.1 infected programs: 
 
               "FOETUS Version 1.1 Athens 1993" 
 
       The Foetus 1.1 virus, when memory resident, will not allow the viral 
       code to be viewed in infected files.  Attempts to view or list a file 
       will result in the virus substituting hex 00 characters for the viral 
       code.  Additionally, attempts to execute some anti-viral utilities 
       with the virus memory resident will result in a system hang.  The 
       DOS CHKDSK program will not return any indication of file allocation 
       errors on infected programs when the virus is memory resident.

Show viruses from discovered during that infect .

Main Page