Friends Virus

Virus Name: Friends Aliases: V Status: Rare Discovered: April, 1992 Symptoms: .EXE file growth; decrease in total system and available free memory Origin: Unknown Eff Length: 1,362 - 1,377 Bytes Type Code: PRtE - Parasitic Resident .EXE Infector Detection Method: F-Prot, ViruScan, AVTK, Sweep, NAV, IBMAV, NAVDX, VAlert, PCScan, ChAV, NShld, Sweep/N, LProt, Innoc, NProt, IBMAV/N, AVTK/N, NAV/N Removal Instructions: Delete infected files General Comments: The Friends virus was submitted in April, 1992. Its origin or point of isolation is unknown. Friends is a memory resident infector of .EXE programs and spreads very quickly. When the first Friends infected program is executed, this virus will install itself memory resident at the top of system memory but below the 640K DOS boundary, moving interrupt 12's return. Total system and available free memory, as indicated by the DOS CHKDSK program, will have decreased by 2,096 bytes. Interrupts 21 and 24 will be hooked by Friends in memory. Also at this time, the Friends virus will infect one .EXE program located in the current directory. Once the Friends virus is memory resident, it will infect one .EXE program each time any program or batch file is executed, a DIR command is performed, or when .EXE programs are opened for any reason. In the case of the DOS COPY command, the target file will become infected if it is an .EXE program. Programs infected with the Friends virus will have a file length increase of 1,362 to 1,377 bytes. The virus will be located at the end of the program. The file's date and time in the DOS disk directory listing will not be altered. Three text strings occur within the viral code in Friends infected programs: "GSJFOET!PG!NBJT!boe!DMBVEJB!TDIJGGFS" "????????EXE" "EXE \" The first of these text strings is encrypted, but unencrypted is the following message from which the virus gets its name: "FRIENDS!OF!MAIS!and!CLAUDIA!SAHIFFER" It is unknown if Friends does anything besides replicate. See: Cossiga