Gyro Virus

Virus Name: Gyro Aliases: V Status: Viron Discovered: December, 1992 Symptoms: .COM files overwritten; program corruption; boot failure Origin: Unknown Eff Length: 512 Bytes OW Type Code: ONCK - Non-Resident Overwriting .COM Infector Detection Method: Sweep, AVTK, F-Prot, ViruScan, IBMAV, NAVDX, NAV, VAlert, PCScan, ChAV, Sweep/N, NShld, Innoc, NProt, AVTK/N, LProt, IBMAV/N, NAV/N Removal Instructions: Delete infected files General Comments: The Gyro virus was submitted in December, 1992. Gyro is a non- resident, direct action overwriting virus which infects .COM programs, including COMMAND.COM. When a program infected with the Gyro virus is executed, the Gyro virus will infect one previously uninfected .COM program. The virus will search the current drive, the system hard disk C: drive, and then the B: diskette drive looking for a program to infect. Once it has infected a .COM program, it will either return the user to the DOS prompt or display the following message, returning the user to the DOS prompt: "Bad command or file name" Programs infected with the Gyro virus will have the first 512 bytes of the host program overwritten by the Gyro viral code. The host program is permanently corrupted as the virus does not save the original first 512 bytes of the program. There will be no file length increase unless the host program was originally smaller than 512 bytes in length, in which case the program's length will become 512 bytes in length. The program's date and time in the DOS disk directory listing will not be altered. Besides the above message, the following text strings are encrypted within the viral code: "*.com *" "GYROzs" Once COMMAND.COM becomes infected by the Gyro virus, boot failures will occur on infected systems.