Gynx Virus

Virus Name: Gynx Aliases: Gynx.1000 V Status: New Discovered: January, 1996 Symptoms: .COM file growth; file date/time seconds = "08"; decrease in available free memory Origin: Unknown Eff Length: 1,000 Bytes Type Code: PRhCK - Parasitic Resident .COM Infector Detection Method: F-Prot, IBMAV, ViruScan, AVTK, NAV, NAVDX, ChAV, IBMAV/N, NShld, NAV/N, AVTK/N, Innoc 4.0+ Removal Instructions: F-Prot, or Delete infected files General Comments: The Gynx or Gynx.1000 virus was received in January, 1996. Its origin or point of isolation is unknown. Gynx is a memory resident infector of .COM files, including COMMAND.COM. When the first Gynx infected program is executed, this virus will install itself memory resident at the top of system memory but below the 640K DOS boundary, not moving interrupt 12's return. Available free memory, as indicated by the DOS CHKDSK program from DOS 5.0, will have decreased by 1,264 bytes. Interrupt 21 will be hooked by the virus in memory. Also at this time, the virus will infect the copies of MODE.COM and KEYB.COM located in the C:\DOS directory if they were not previously infected by the virus. Once the Gynx virus is memory resident, it will infect .COM files, including COMMAND.COM, when they are executed or opened. Infected .COM files will have a file length increase of 1,000 bytes with the virus being located at the end of the file. The program's date and time in the DOS disk directory listing will not appear to be altered, though the seconds field will have been set to "08". The following text strings are encrypted within the viral code: "GYNX" "C:\DOS\MODE.COM" "C:\DOS\KEYB.COM" "I walked in the jungle with my M-60,and what did I see.A big fat nigger sitting in a tree.I was going to shoot him when he started to pee!" It is unknown what the Gynx virus may do besides replicate.