Friday 13th Virus
Virus Name: Friday 13th
Aliases: Friday The 13th COM, South African, Virus B
V Status: Rare
Discovered: November, 1987
Symptoms: .COM growth; floppy disk access; file deletion
Origin: Republic of South Africa
Eff Length: 512 Bytes
Type Code: PNC - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan, F-Prot, AVTK, NAV, Sweep,
IBMAV, NAVDX, VAlert, PCScan, ChAV,
NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N,
NAV/N, IBMAV/N
Removal Instructions: F-Prot, NAV, or delete infected files
General Comments:
The original Friday 13th COM virus first appeared in South
Africa in 1987. Unlike the Jerusalem (Friday the 13th) viruses, it
is not memory resident, nor does it hook any interrupts. This virus
infects only .COM files, and does not infect COMMAND.COM. On each
execution of an infected file, the virus looks for two other .COM
files on the C: drive and one on the A: drive; any that are found
are infected. This virus is extremely fast, and the only indication
that propagation is occurring is the access light being on for the
A: drive, if the current default drive is C:. The virus will only
infect a .COM file once. The files, after infection, must be less
than 64K in length. On every Friday the 13th, if the host program is
executed, the host program is deleted.
Known variant(s) of Friday 13th COM are:
Edge: Functionally similar to the QFresh virus described below,
Edge has three bytes which differ. It contains the text:
"v w x".
Origin: Unknown December, 1992.
Friday 13th-540C: Received in November, 1993, Friday 13th-540C
is a modified version of the Virus-B variant described below.
It has been altered to avoid being detected by a specific
anti-viral utility, and is not believed to be in the public
domain.
Origin: Unknown November, 1993.
Friday 13th-978: Received in November, 1993, Friday 13th-978
is a modified version of the Virus-B variant described below.
It has been altered to avoid being detected by a specific
anti-viral utility, and is not believed to be in the public
domain. Friday 13th-978 adds 978 bytes to .COM files with
each infection.
Origin: Unknown November, 1993.
Friday 13th-B: same as the original virus, except that it will
infect every file in the current subdirectory or in the system path
if the infected .COM program is in the system path.
Friday 13th-C: same as Friday 13th-B, except that the
message "We hope we haven't inconvenienced you"
is displayed whenever the virus activates.
Friday 13th-D: Friday 13th-D was received in September,
1991 from the NCSA. This variant adds 418 to
432 bytes to programs it infects. It will infect
all .COM programs, except COMMAND.COM, located in
the current directory whenever an infected .COM
program is executed. Infected programs will
have had their date and time in the disk directory
updated to the current system date and time when
infection occurred. The virus will be
located at the end of the infected file. On
Friday The 13ths, the virus will delete any
infected program the user attempts to execute.
Friday 13th-NZ: Received from Dr. Henry Wolfe of New Zealand
in October, 1991, Friday 13th-NZ is a minor
variant of the Friday 13th virus. It infects all
.COM files in the current directory when an infected
program is executed, adding 623 to 634 bytes to the
file length. The actual length of the viral code,
however, is 350 bytes. The virus will be located at
the end of the infected file. It does not delete
programs on Friday The 13ths.
QFresh: Received from Sweden in June, 1992, QFresh is a 615 byte
variant of the Friday 13th virus. It infects all .COM files
in the current directory when an infected program is
executed. Infected programs will have a file length increase
of 615 to 628 bytes with the virus being located at the end
of the infected file. The program's date and time in the DOS
disk directory listing will not be altered. Infected
programs will contain the following text strings within the
QFresh viral code:
"ENET_INF"
"*.COM"
"????????COM"
Origin: Sweden June, 1992.
Virus-B: A 542 byte variant of Friday 13th, Virus-B infects all
of the .COM programs in the current directory, other than
COMMAND.COM, each time an infected program is executed, along
with displaying the following message:
"WARNING!!!! THIS PROGRAM IS INFECTED WITH VIRUS-B!
IT WILL INFECT EVERY .COM FILE IN THE CURRENT SUBDIRECTORY!"
Infected programs will have a file length increase of 542 to
555 bytes with the virus being located at the end of the
file. The program's date and time in the DOS disk directory
listing will not be altered. Besides the above message, the
following text strings can be found within the viral code in
Virus-B infected programs:
"*.COM"
"????????COM"
"COMMAND.COM"
Origin: United States 1988.
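
The text strings and length increases listed above for Virus-B and QFresh can be combined into a first-pass triage check on .COM files. The Python sketch below is an added example, not part of the original entry: the function names and rule layout are assumptions, as is the requirement that every string fall within the last bytes of the file (taken from the entry's statement that the virus is located at the end of the infected file).

```python
import sys
from pathlib import Path

MAX_COM_SIZE = 64 * 1024  # the entry: infected files must be less than 64K

# (variant, maximum length increase from the entry, strings quoted in the entry)
# Assumption: because the entry places the virus at the end of the file, every
# string must fall inside the last <maximum increase> bytes. Generic strings
# such as "*.COM" are never used on their own. Edge is left out: its only
# quoted text, "v w x", is too short to key on.
RULES = [
    ("Virus-B", 555, (b"INFECTED WITH VIRUS-B", b"*.COM", b"????????COM", b"COMMAND.COM")),
    ("QFresh", 628, (b"ENET_INF", b"*.COM", b"????????COM")),
]


def classify(data):
    """Return the variant whose strings all occur in the file tail, else None."""
    if len(data) >= MAX_COM_SIZE:
        return None
    for name, growth, needles in RULES:
        if len(data) <= growth:
            continue  # file is smaller than the appended code would be
        tail = data[-growth:]
        if all(needle in tail for needle in needles):
            return name
    return None


def scan_tree(root):
    """Map each matching .COM file under root to the variant it matched."""
    hits = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() != ".com":
            continue
        if path.stat().st_size >= MAX_COM_SIZE:
            continue
        variant = classify(path.read_bytes())
        if variant:
            hits[str(path)] = variant
    return hits


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, variant in sorted(scan_tree(root).items()):
        print(f"{path}: text strings match {variant}")
```

A match is an indicator only; confirm it with one of the scanners named under Detection Method before deleting or disinfecting a file.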