GT-Spoof Virus
Virus Name: GT-Spoof
Aliases: GoodTimes, GT-Spoof.1246
V Status: New
Discovery: January, 1996
Symptoms: .COM & .EXE growth; decrease in available free memory
Origin: Australia
Eff Length: 1,246 - 1,459 Bytes (approx)
Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector
Detection Method: IBMAV, NAV, NAVDX, ViruScan, ChAV, IBMAV/N, NAV/N, Innoc 4.0+, NShld 2.33+
Removal Instructions: Delete infected files
General Comments:
The GT-Spoof virus, also known as GoodTimes or GT-Spoof.1246, was
received in January 1996 and appears to be from Australia. It is a
memory-resident polymorphic infector of .COM and .EXE files,
including COMMAND.COM.

When the first GT-Spoof infected program is executed, the virus
installs itself memory resident at the top of system memory but
below the 640K DOS boundary, without changing the memory size
returned by interrupt 12. Available free memory, as indicated by the
DOS CHKDSK program from DOS 5.0, will have decreased by 2,800 bytes.
The virus hooks interrupt 21 in memory.

Once the GT-Spoof virus is memory resident, it will infect .COM and
.EXE programs, including COMMAND.COM, when they are executed or
opened, but not when copied. Infected programs will have a file
length increase of 1,246 to approximately 1,459 bytes with the
viral code being located at the end of the file. The file's date
and time in the DOS disk directory listing will not be altered. The
following text string is encrypted within the viral code:

"Good Times by Qark/VLAD"

Unlike most viruses, this virus does not alter the beginning of the
host program's executable code with a jump to execute the viral
code, but places the jump to the viral code elsewhere within the host
program.
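
The file symptoms described above (a length increase of 1,246 to
approximately 1,459 bytes on .COM and .EXE files, with the directory
date and time unchanged) can be checked against a saved directory
baseline. The Python below is an added example, not part of the
original entry; the Entry record, the function name and the sample
listings are constructed for illustration.

```python
from dataclasses import dataclass

# Length increase reported in the entry; the upper bound is approximate.
GROWTH_MIN, GROWTH_MAX = 1246, 1459
TARGET_EXTS = (".COM", ".EXE")


@dataclass(frozen=True)
class Entry:               # hypothetical record of one directory entry
    name: str
    size: int              # file length in bytes
    stamp: str             # directory date and time, as listed


def suspicious_growth(baseline, current):
    """Return (name, growth) for .COM/.EXE files that grew by the reported
    amount while their directory date and time stayed the same."""
    old_by_name = {e.name.upper(): e for e in baseline}
    hits = []
    for cur in current:
        name = cur.name.upper()
        old = old_by_name.get(name)
        if old is None or not name.endswith(TARGET_EXTS):
            continue       # new file, or not an infection target
        growth = cur.size - old.size
        if GROWTH_MIN <= growth <= GROWTH_MAX and cur.stamp == old.stamp:
            hits.append((name, growth))
    return hits


# Constructed sample listings (not taken from a real system).
BASELINE = [
    Entry("COMMAND.COM", 47845, "1991-04-09 05:00"),
    Entry("EDIT.EXE", 20000, "1991-04-09 05:00"),
    Entry("README.TXT", 500, "1995-11-02 10:15"),
    Entry("GAME.EXE", 30000, "1994-06-01 12:00"),
]
CURRENT = [
    Entry("COMMAND.COM", 49145, "1991-04-09 05:00"),  # +1,300, same stamp
    Entry("EDIT.EXE", 21246, "1996-01-20 09:30"),     # +1,246, stamp changed
    Entry("README.TXT", 1800, "1995-11-02 10:15"),    # not .COM/.EXE
    Entry("GAME.EXE", 30000, "1994-06-01 12:00"),     # unchanged
]

if __name__ == "__main__":
    for name, growth in suspicious_growth(BASELINE, CURRENT):
        print(f"{name}: +{growth} bytes, date/time unchanged")
```

A match only narrows down candidates; confirmation still comes from
one of the scanners listed under Detection Method.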