3040 Stealth Virus

Virus Name: 3040 Stealth Aliases: 3040 V Status: Rare Discovery: October, 1992 Symptoms: .COM & .EXE growth; file date/time changes Origin: Unknown Eff Length: 3,040 - 3,183 Bytes Type Code: PRaA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan, AVTK, F-Prot, Sweep, IBMAV, NAV, NAVDX, VAlert, PCScan, ChAV, NShld, Sweep/N, AVTK/N, NAV/N, NProt, IBMAV/N, Innoc Removal Instructions: Delete infected files General Comments: The 3040 Stealth virus was received in October, 1992. Its origin or point of isolation is unknown. 3040 Stealth is a memory resident infector of .COM and .EXE programs, but not COMMAND.COM. It uses some stealth techniques to avoid detection. The first time a program infected with the 3040 Stealth virus is executed, this virus will install itself memory resident at the top of system memory but below the 640K DOS boundary. There will be no change to total system and available free memory as the virus does not properly allocate the memory where it resides. Interrupt FC will point to the virus in memory. Once the 3040 Stealth virus is memory resident, it may infect all of the .COM and .EXE programs located in the current directory when an infected program is executed. Infected programs will have a file length increase of 3,040 to 3,183 bytes with the virus being located at the beginning of the file. The program's date and time in the DOS disk directory listing will have been updated to the current system date and time when infection occurred. No text strings are visible within the viral code. The memory resident portion of the virus performs the stealth function to avoid the detection of infected programs. It effectively disinfects programs on the fly when they are read into memory, thus avoiding anti-viral programs locating the file changes due to infection.