Gippo Virus
Virus Name: Gippo
Aliases:
V Status: Rare
Discovered: October, 1993
Symptoms: .EXE file growth; beep emitted from system speaker
Origin: Unknown
Eff Length: 661 - 671 Bytes
Type Code: PNE - Parasitic Non-Resident .EXE Infector
Detection Method: ViruScan, AVTK, F-Prot, Sweep, IBMAV, NAV,
NAVDX, VAlert, PCScan, ChAV,
NShld, AVTK/N, NProt, Sweep/N, IBMAV/N, NAV/N, Innoc
Removal Instructions: Delete infected files
General Comments:
The Gippo virus was submitted in October, 1993. Its origin or point
of isolation is unknown. Gippo is a non-resident, direct action
infector of .EXE programs.
When a program infected with the Gippo virus is executed, the Gippo
virus may infect one .EXE file in the current drive's root directory.
Infections usually only occur when an infected program is executed
from a sub-directory, though they will occur from the root directory
in very advanced cases.
Programs infected with the Gippo virus will have a file length
increase of 661 to 671 bytes with the virus being located at the
end of the file. The program's date and time in the DOS disk
directory listing will not be altered. The following text strings
are visible within the viral code in all Gippo infected programs:
"BABE BABE"
"G.I.P.P.O. is here!"
"*.* *.EXE"
A beep may be emitted from the system speaker when infected programs
are executed.
Known variant(s) of Gippo are:
Gippo.Bumpy: Received in July, 1994, Gippo.Bumpy is a 1,045 byte
memory resident variant of the Gippo virus described above.
Its size in memory is 1,200 bytes, hooking interrupt 21 at
the top of system memory but below the 640K DOS boundary.
Once memory resident, it infects .EXE programs when they are
executed. Infected programs will have a file length increase
of 1,045 to 1,055 bytes with the virus being located at the
end of the file. The program's date and time in the DOS disk
directory listing will appear to be unaltered, though the
seconds field will have been set to "02". The following text
strings are encrypted within the viral code in all infected
programs:
"Bumpy (R) Ghost Player"
Origin: Italy July, 1994.
Gippo.Earthquake: Received in March, 1994, Gippo.Earthquake is a
883 byte variant of the Gippo virus described above. It
infects one .EXE program in the current directory when an
infected program is executed. Infected programs will have a
file length increase of 883 to 893 bytes with the virus
being located at the end of the file. The program's date and
time in the DOS disk directory listing will have been altered
so that the file time is set to 4:08AM. The following text
strings are visible within the viral code in all infected
programs:
"Earthquake"
"*.e?e"
"*.*"
It is unknown what Gippo.Earthquake may do besides replicate.
Origin: Bologna, Italy March, 1994.
Gippo.JumpingJack: Received in May, 1994, Gippo.JumpingJack is a
907 byte variant of the Gippo virus described above. It
infects one .EXE program in the current directory when an
infected program is executed. Infected programs will have a
file length increase of 907 to 917 bytes with the virus
being located at the end of the file. The program's date and
time in the DOS disk directory listing will have been altered
so that the file time is set to 4:08AM. The following text
strings are visible within the viral code in all infected
programs:
"JumpingJack"
"*.e?e \"
"G *.* smartc*.cps"
It is unknown what Gippo.JumpingJack may do besides
replicate.
Origin: Italy May, 1994.
Sunrise: Received in January, 1994, Sunrise is a 1,036 byte
variant of the Gippo virus described above. It infects one
.EXE program in the current directory when an infected
program is executed. Sunrise infected programs will have a
file length increase of 1,036 to 1,046 bytes with the virus
being located at the end of the file. The program's date and
time in the DOS disk directory listing will not be altered.
The following text strings are visible within the viral code
in all Sunrise infected programs:
"* Sunrise * EpidemicWare"
"G.I.P.Po. oct-93"
"sunrise"
"*.exe \ *.* smartc*.cp?"
Sunrise may interfer with the functioning of some versions
of the CPAV and MSAV anti-viral programs.
Origin: Unknown January, 1994.
Gippo.Stunning: Received in March, 1994, Gippo.Stunning is a
1,240 byte memory resident variant of the Gippo virus
described above. Its size in memory is 1,392 bytes, hooking
interrupt 21 at the top of system memory but below the 640K
DOS boundary. Once memory resident, it infects .EXE programs
when they are executed, opened, or copied. Infected programs
will have a file length increase of 1,240 to 1,250 bytes with
the virus being located at the end of the file. The
program's date and time in the DOS disk directory listing
will appear to be unaltered, though the seconds field will
have been set to "02". The following text strings are
encrypted within the viral code in all infected programs:
"Stunning Blow (R) Ghost Player Italy"
"*.CPS"
This virus may interfer with the functioning of some versions
of the CPAV and MSAV anti-viral programs.
Origin: Italy March, 1994.
Gippo.Stunning.B: Received in February, 1995, Gippo.Stunning.B
is based on the Gippo.Stunning variant described above. It
also adds 1,240 to 1,250 bytes to the .EXE files it infects.
The following text strings are encrypted within the viral
code in all infected programs:
"Stunning Blow ... Running Ghost (R) v00"
Origin: Unknown February, 1995.