Got-You Virus


 Virus Name:  Got-You 
 Aliases: 
 V Status:    Rare 
 Discovered:  September, 1991 
 Symptoms:    .EXE growth; hidden files created; changes printer setup; 
              cancels network printer redirection; unexpected printing of 
              display contents; last disk drive can't be accessed 
 Origin:      Belgium 
 Eff Length:  3,052 - 3,067 Bytes 
 Type Code:   PNE - Parasitic Non-Resident .EXE Infector 
 Detection Method:  ViruScan, Sweep, AVTK, F-Prot, IBMAV, PCScan, 
                    NAV, NAVDX, VAlert, ChAV, 
                    LProt, Sweep/N, NShld, Innoc, NProt, AVTK/N, 
                    NAV/N, IBMAV/N 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Got-You virus was submitted in September, 1991, from Belgium. 
       Got-You is a non-resident, direct action infector of .EXE files 
       that only replicates on drives C: through Z: during the first half 
       of the year.  During the second half of the year, it activates. 
 
       When a program infected with Got-You is executed, the virus will
       check the system date to determine what the current month is.  If
       the current month is January through June, the virus will randomly
       select a hard disk drive from C: through Z: where it will search for
       an .EXE program to infect.  The virus searches down through the
       directory structure, and infects the first uninfected .EXE program
       it locates.
 
       Programs infected with Got-You will increase in size by 3,052 to 
       3,067 bytes, with the virus being located at the end of the infected 
       file.  The file's date and time in the disk directory will not be 
       altered.  Infected files will contain the following text string: 
 
               "G OT YOU" 
 
       From July through December, Got-You will not replicate.  During this 
       period, the virus activates, performing any one of five different 
       behaviors.  Which of these behaviors occurs is randomly selected by 
       the virus.  The five behaviors are: 
 
       1. The virus will check to see if the computer is on a network and
          has access to a network printer.  If the computer has access to
          the network printer, the virus will change the printer's setup.
       2. The virus will check to see if the computer is on a network, and 
          will cancel any redirection which allows access to a network 
          printer. 
       3. The virus will print the computer's display contents to the 
          printer, similar to the user having pressed the print screen 
          key. 
       4. The virus will determine what drives are available by using the 
          DOS list of lists information, and disable the last drive so it 
          is not accessible. 
       5. The virus will create a hidden, 10,240 byte file on a randomly 
          selected drive.  This file will be named "G OT YOU. x ", and will 
          contain random data from memory. 
 
       Some code exists in the virus for deleting files, though it is not 
       called within the virus. 
 
       Got-You contains code to check if anti-viral monitoring packages are
       memory resident, and will not replicate if it thinks one is present.
       To do this, the virus checks whether the interrupts commonly
       monitored by such packages are in the same segment of memory.  It
       also contains code to try to determine if a debugger is being used,
       and if one is found, will not replicate.  Lastly, there is timer
       code to keep the virus from searching too long for a file to infect.
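
An added triage example (not part of the original entry, and not the method of any scanner listed above): it flags .EXE files whose final 3,067 bytes contain the text string quoted above, and files that match the 10,240-byte activation file by size and name prefix. The marker bytes are taken exactly as printed on this page, the function names and the sample files built in `demo()` are constructed for illustration, and a hit is only a lead for a real scanner.

```python
import os
import tempfile

MARKER = b"G OT YOU"   # text string exactly as printed in this entry (assumed on-disk form)
MAX_VIRUS_LEN = 3067   # upper bound of the effective length given above
DROP_SIZE = 10240      # size of the hidden file created on activation

def exe_tail_has_marker(path, marker=MARKER, window=MAX_VIRUS_LEN):
    """True if path is an MZ .EXE whose last `window` bytes contain marker."""
    size = os.path.getsize(path)
    with open(path, "rb") as f:
        if f.read(2) not in (b"MZ", b"ZM"):  # not a DOS .EXE image
            return False
        f.seek(max(0, size - window))        # virus body sits at the end of the file
        return marker in f.read(window)

def looks_like_drop_file(path, marker=MARKER, size=DROP_SIZE):
    """True if the file has the activation file's size and name prefix."""
    name = os.path.basename(path).upper().encode("ascii", "replace")
    return os.path.getsize(path) == size and name.startswith(marker)

def triage(root):
    """Walk root and return (suspect_exes, suspect_drop_files), each sorted."""
    exes, drops = [], []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            try:
                if fn.upper().endswith(".EXE") and exe_tail_has_marker(p):
                    exes.append(p)
                elif looks_like_drop_file(p):
                    drops.append(p)
            except OSError:
                continue  # unreadable file: skip it, do not abort the sweep
    return sorted(exes), sorted(drops)

def demo():
    """Constructed sample tree: a clean EXE, a marked EXE, a drop-sized file."""
    with tempfile.TemporaryDirectory() as d:
        host = b"MZ" + bytes(4000)
        samples = {"CLEAN.EXE": host,
                   "SUSPECT.EXE": host + bytes(1000) + MARKER + bytes(2044),
                   "G OT YOU.X": bytes(DROP_SIZE)}
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        exes, drops = triage(d)
        return [os.path.basename(p) for p in exes + drops]
```

Because the entry says the file's date and time are not altered, timestamps are deliberately not used as a signal here.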
