G2 Virus


 Virus Name:  G2 
 Aliases: 
 V Status:    Rare 
 Discovery:   1993 
 Symptoms:    Depends on virus present 
 Origin:      United States 
 Eff Length:  Depends on virus present 
 Type Code:   PONRAK - Parasitic &/or Overwriting .COM & .EXE Infector 
 Detection Method:  AVTK, F-Prot, IBMAV, Sweep, NAV, ViruScan, 
                    NAVDX, VAlert, PCScan, 
                    AVTK/N, Sweep/N, NShld, NAV/N, NProt, IBMAV/N, LProt 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The G2 virus is not actually a virus, but rather a group or family 
       of viruses which were generated with the G2 virus generator.  This 
       particular virus generator is a modified version of the PS-MPC 
       virus generator, the major change being in the encryption mechanism. 
 
       The viruses listed below are G2 generated viruses.  Anti-viral 
       programs using virus scanning technologies may identify them as 
       G2, PS-MPC, or by the actual virus name. 
 
       Known G2 generated virus(es) are: 
       G2-A429: The G2-A429 virus was received in August, 1993.  It is 
                a non-resident, direct action infector of .COM programs, 
                but not COMMAND.COM.  It infects some .COM files in the 
                current directory when an infected program is executed. 
                Infected programs will have a file length increase of 429 
                bytes with the virus being located at the end of the file. 
                The program's date and time in the DOS disk directory 
                listing will not be altered.  The following text string is 
                encrypted within the G2-A429 viral code: 
                 "[PS/G²] Testing [G2 A] *.COM .." 
                Systems with advanced infections of G2-A429 may find that 
                .EXE programs appear to "disappear" from the disk 
                directory. 
                Origin:  Unknown  August, 1993. 
       G2-A438: The G2-A438 virus was received in August, 1993.  It is 
                a memory resident infector of .EXE programs.  When the first 
                G2-A438 infected program is executed, this virus will 
                become memory resident in 2,480 bytes of memory at the top 
                of system memory but below the 640K DOS boundary, hooking 
                interrupt 21.  Once resident, it will infect .EXE programs 
                when they are executed.  Infected programs will have a file 
                length increase of 438 bytes with the virus being located 
                at the end of the file.  The program's date and time in the 
                DOS disk directory listing will not be altered.  The 
                following text string is visible within the viral code in 
                all infected programs: 
                 "[PS/G²] Testing [G2 A2]" 
                Origin:  Unknown  August, 1993. 
       G2-A615: The G2-A615 virus was received in August, 1993.  It is 
                a non-resident, direct action infector of .COM and .EXE 
                programs, including COMMAND.COM.  It infects all of the 
                .COM and .EXE files in the current directory when an 
                infected program is executed.  Infected programs will have 
                a file length increase of 615 bytes with the virus being 
                located at the end of the file.  The program's date and time 
                in the DOS disk directory listing will not be altered.  The 
                following text string is encrypted within the G2-A615 viral 
                code: 
                 "[PS/G²] Testing [G2 A] *.EXE *.COM .." 
                System hangs frequently occur when infected programs are 
                executed. 
                Origin:  Unknown  August, 1993. 
       G2-Celeste: The G2-Celeste virus was received in August, 1993. 
                It is a non-resident, direct action infector of .COM 
                programs, but not COMMAND.COM.  It infects up to five .COM 
                files in the current directory when an infected program is 
                executed.  Infected programs will have a file length 
                increase of 310 bytes with the virus being located at the 
                end of the file.  The program's date and time in the DOS 
                disk directory listing will not be altered.  The following 
                text string can be found within the viral code in all 
                G2-Celeste infected programs: 
                 "[PS/G²] Straylight ][ Celeste Virus A *.COM .." 
                Origin:  Unknown  August, 1993. 
       G2-D598: The G2-D598 virus was received in August, 1993.  It is 
                a memory resident infector of .COM and .EXE programs, 
                including COMMAND.COM.  When the first G2-D598 infected 
                program is executed, this virus will become memory resident 
                in 9,984 bytes of memory at the top of system memory but 
                below the 640K DOS boundary, hooking interrupt 21.  Once 
                resident, it will infect .COM and .EXE programs when they 
                are executed.  Infected programs will have a file length 
                increase of 598 bytes with the virus being located 
                at the end of the file.  The program's date and time in the 
                DOS disk directory listing will not be altered.  The 
                following text string is encrypted within the viral code in 
                all infected programs: 
                 "[PS/G²] Captain [G2 D]" 
                Origin:  Unknown  August, 1993. 
       G2-E513: The G2-E513 virus was received in August, 1993.  It is a 
                non-resident, direct action infector of .EXE programs.  It 
                infects up to five .EXE files in the current directory when 
                an infected program is executed.  Infected programs will 
                have a file length increase of 513 bytes with the virus 
                being located at the end of the file.  The program's date 
                and time in the DOS disk directory listing will not be 
                altered.  The following text string is encrypted within 
                the viral code in all G2-E513 infected programs: 
                 "[PS/G²] Captain [G2 E] *.EXE .." 
                Origin:  Unknown  August, 1993. 
       G2-Mudshark: The G2-Mudshark virus was received in January, 1994. 
                It is a non-resident, direct action infector of .COM programs, 
                including COMMAND.COM.  It infects one .COM file in the 
                current directory when an infected program is executed. 
                Infected programs will have a file length increase of 314 
                bytes with the virus being located at the end of the file. 
                The program's date and time in the DOS disk directory listing 
                will not be altered.  The following text string is visible 
                within the viral code in all G2-Mudshark infected programs: 
                 "[PS/G²] pentagrame mudshark *.COM .." 
                Origin:  Unknown  January, 1994. 
       G2.Punisher: The G2.Punisher virus was received in February, 1994. 
                It is a memory resident infector of .COM and .EXE programs, 
                including COMMAND.COM.  When the first G2.Punisher infected 
                program is executed, this virus will install itself memory 
                resident at the top of system memory but below the 640K 
                DOS boundary, hooking interrupt 21.  Total system and 
                available free memory, as indicated by the DOS CHKDSK 
                program, will have decreased by 1.2K.  The virus contains a 
                bug, so it will reinfect memory in increments of 1.2K as 
                well.  Once resident, it infects programs when they are 
                executed.  Infected programs will have a file length 
                increase of 602 bytes with the virus being located at the end 
                of the file.  The program's date and time in the DOS disk 
                directory listing will not be altered.  The following text 
                string is encrypted within the G2.Punisher viral code: 
                 "[PS/G²] Punisher Death Destruction Mayhem" 
                Origin:  United States  February, 1994. 
       G2.Puppet: The G2.Puppet virus was received in May, 1995.  It is 
                a memory resident infector of .COM programs.  When the first 
                G2.Puppet infected program is executed, this virus will 
                install itself memory resident at the top of system memory 
                but below the 640K DOS boundary, hooking interrupt 21.  Total 
                available free memory, as indicated by the DOS 5.0 CHKDSK 
                program, will have decreased by 1,088 bytes.  Once resident, 
                 it infects some .COM files when they are executed. 
                Infected programs will have a file length increase of 478 
                bytes with the virus being located at the end of the file. 
                The program's date and time in the DOS disk directory 
                listing will not be altered.  The following text string is 
                encrypted within the G2.Puppet viral code: 
                 "[PS/G²] eMpIrE-X" 
                 "[G² Puppet Masters 1 Virus]" 
                Origin:  Unknown  May, 1995. 
 
       See:   PS-MPC 
