Forger Virus
Virus Name: Forger
Aliases:
V Status: Rare
Discovered: April, 1992
Symptoms: .EXE file growth; TSR
Origin: Unknown
Eff Length: 1,000 Bytes
Type Code: PRsE - Parasitic Resident .EXE Infector
Detection Method: Sweep, AVTK, F-Prot, IBMAV, PCScan, ViruScan, NAV, NAVDX, VAlert, ChAV, NShld, Sweep/N, LProt, Innoc, NProt, AVTK/N, NAV/N, IBMAV/N
Removal Instructions: Delete infected files
General Comments:

The Forger virus was received in April, 1992. Its origin is
unknown. Forger is a memory resident infector of .EXE programs.

When the first Forger-infected program is executed, the Forger
virus will install itself memory resident as a low system memory
TSR of 3,376 bytes. It will have hooked interrupts 13, 21, and
CC. At this time, it will also search the current directory to
locate two previously uninfected .EXE programs, and then infect
them.

Once the Forger virus is memory resident, it will infect .EXE
programs when they are executed. It will also infect one .EXE
program each time a .COM program is executed. After the Forger
virus has infected all .EXE programs on the current drive, it
will start infecting programs on the C: drive.

Programs infected with the Forger virus will have a file length
increase of 1,000 bytes. The virus will be located at the end
of the infected program. There will be no change to the file's
date and time in the DOS disk directory listing.

Forger is an encrypted virus. One text string is visible within
the viral code in infected programs:

"*.exe"

The following text strings are encrypted within the viral code:

"????????EXE"
"Socha dsk"

It is unknown what Forger does besides replicate.
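
The file-level symptoms described above (a 1,000-byte length increase, an unchanged date and time, and the visible "*.exe" string in the code appended to the end of the file) can be checked against a previously recorded size and timestamp baseline. The following is an added example, not part of the original entry: the baseline format, the function names and the sample files are assumptions constructed for illustration, and a match is a heuristic flag for closer inspection, not an identification.

```python
import os
import tempfile

GROWTH = 1000      # file length increase reported in this entry
MARKER = b"*.exe"  # the one string the entry says is visible in infected files

def find_suspect_exes(baseline, root):
    """baseline maps relative path -> (size, mtime_ns); assumed format."""
    suspects = []
    for rel, (old_size, old_mtime) in baseline.items():
        if not rel.lower().endswith(".exe"):
            continue
        path = os.path.join(root, rel)
        try:
            st = os.stat(path)
            # Exactly 1,000 bytes longer, yet the timestamp has not moved.
            if st.st_size - old_size != GROWTH or st.st_mtime_ns != old_mtime:
                continue
            with open(path, "rb") as fh:
                fh.seek(-GROWTH, os.SEEK_END)
                tail = fh.read(GROWTH)  # the appended region
        except OSError:
            continue  # missing or unreadable: nothing to compare
        if MARKER in tail:
            suspects.append(rel)
    return sorted(suspects)


def run_demo():
    """Run the check over constructed sample files (not real samples)."""
    added = b"\x00" * 400 + MARKER + b"\x00" * 595  # 1,000 constructed bytes
    with tempfile.TemporaryDirectory() as root:
        baseline = {}
        for name in ("CLEAN.EXE", "GROWN.EXE", "UPDATED.EXE"):
            path = os.path.join(root, name)
            with open(path, "wb") as fh:
                fh.write(b"MZ" + b"\x00" * 510)
            st = os.stat(path)
            baseline[name] = (st.st_size, st.st_mtime_ns)
            if name != "CLEAN.EXE":
                with open(path, "ab") as fh:
                    fh.write(added)
                # GROWN keeps its old timestamp; UPDATED gets a later one.
                shift = 0 if name == "GROWN.EXE" else 60 * 10**9
                os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns + shift))
        return find_suspect_exes(baseline, root)

if __name__ == "__main__":
    print(run_demo())
```

Only the file that grew by 1,000 bytes while keeping its original timestamp is flagged; the file whose timestamp moved with its growth is treated as an ordinary update.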