Helicopter Virus
Virus Name: Helicopter
Aliases: Helicopter.777
V Status: New
Discovered: January, 1995
Symptoms: .COM files altered; decrease in available free memory
Origin: Unknown
Eff Length: 777 Bytes
Type Code: ORhCK - Overwriting Resident .COM Infector
Detection Method: F-Prot, AVTK, IBMAV, Sweep, NAV, NAVDX, VAlert,
                  ViruScan, PCScan, ChAV, AVTK/N, IBMAV/N, Sweep/N,
                  NProt, NAV/N, NShld, Innoc 4.0+
Removal Instructions: Delete infected files
General Comments:
The Helicopter virus was received in January, 1995. Its origin
or point of isolation is unknown. Helicopter is a memory-resident
overwriting virus which selectively infects .COM files, including
COMMAND.COM.

When the first Helicopter-infected program is executed, the virus
will install itself memory resident at the top of system memory
but below the 640K DOS boundary, without changing the value returned
by interrupt 12. Available free memory, as indicated by the DOS 5.0
CHKDSK program, will have decreased by approximately 1,296 bytes.
Interrupts 10, 21, and 24 will be hooked by the virus in memory.

Once the Helicopter virus is memory resident, it will infect .COM
programs when they are executed, provided the file has at least
777 bytes of continuous binary zeros. Infected files will have 777
bytes of the binary zero area overwritten by the viral code, and the
beginning of the file will be altered to point to this area.
The file's date and time in the DOS disk directory listing will not
be altered. No text strings are visible within the viral code.

It is unknown what the Helicopter virus does besides replicate.
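
Because the file's date and time are left untouched, an integrity check for this behaviour has to compare file contents against a known-clean baseline. The following is an added example, not part of the original entry: the function names and sample bytes are constructed, and it assumes (an inference from the description, not stated above) that overwriting the zero area leaves the file length unchanged.

```python
import hashlib
import re

CAVITY = 777  # bytes of binary zeros the entry says an infectable file must contain


def longest_zero_run(data):
    """Return (offset, length) of the longest run of 0x00 bytes, or (-1, 0)."""
    best = max(re.finditer(rb"\x00+", data),
               key=lambda m: m.end() - m.start(), default=None)
    return (best.start(), best.end() - best.start()) if best else (-1, 0)


def baseline(data):
    """Record what a later audit needs; taken from a known-clean copy."""
    off, length = longest_zero_run(data)
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest(),
            "zero_off": off, "zero_len": length, "at_risk": length >= CAVITY}


def audit(base, data):
    """Compare current file bytes with the baseline and classify the change."""
    if hashlib.sha256(data).hexdigest() == base["sha256"]:
        return "unchanged"
    if len(data) != base["size"]:
        return "modified (size changed)"
    # Same size, different content: count bytes written into the old zero area.
    region = data[base["zero_off"]:base["zero_off"] + base["zero_len"]] if base["zero_len"] else b""
    filled = sum(1 for b in region if b != 0)
    if base["at_risk"] and filled >= CAVITY:
        return "in-place overwrite: %d bytes of the zero area replaced" % filled
    return "modified in place"


# Constructed sample: a tiny .COM-style image with a 1000-byte zero area.
CLEAN = b"\xb4\x4c\xcd\x21" + bytes(1000) + b"END"
# Constructed altered copy: placeholder bytes only (0x90 / 0xAA), same length.
ALTERED = bytearray(CLEAN)
ALTERED[0:3] = b"\x90\x90\x90"
ALTERED[4:4 + CAVITY] = b"\xaa" * CAVITY
ALTERED = bytes(ALTERED)

if __name__ == "__main__":
    base = baseline(CLEAN)
    print(base["at_risk"], audit(base, CLEAN), "|", audit(base, ALTERED))
```

The `at_risk` flag in the baseline marks which .COM files meet the 777-byte condition and are therefore worth re-auditing first.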