3445-Stealth Virus
Virus Name: 3445-Stealth
Aliases: 3445
V Status: Rare
Discovery: November, 1990
Symptoms: .COM & .EXE growth; decrease in system & available free memory; file allocation errors; system hangs
Origin: Unknown
Eff Length: 3,445 Bytes
Type Code: PRhA - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan, Sweep, AVTK, F-Prot, IBMAV, NAV, NAVDX, VAlert, PCScan, ChAV, LProt, Sweep/N, Innoc, NProt, NShld, AVTK/N, NAV/N, IBMAV/N
Removal Instructions: Delete infected files
General Comments:
The 3445-Stealth, or 3445, virus was originally received in
November, 1990. Its origin is unknown. 3445-Stealth does not
replicate on all system configurations, and on most systems
execution of an infected program will result in a system hang. It
is a memory resident infector of .COM & .EXE programs which employs
stealth techniques to avoid detection.

The first time a program infected with the 3445-Stealth virus is
executed, one of two things will happen. On most systems, the
system will be hung, and the user will have to reboot the system.
On other systems, the virus will become memory resident. When the
3445-Stealth virus is memory resident, it will be located at the
top of system memory but below the 640K DOS boundary. Total system
and available free memory, as indicated by the DOS CHKDSK program,
will have decreased by 3,488 bytes. Interrupt 12's return will not
have been moved. The 3445-Stealth virus will have hooked interrupt
21 at the top of memory and interrupt 01 in low available system
memory.

Once the 3445-Stealth virus is memory resident, it will infect .COM
and .EXE programs, but not COMMAND.COM, when they are executed or
copied. In the case of copying, both the source and target files
will become infected.

Programs infected with the 3445-Stealth virus will have a file
length increase of 3,445 bytes, though the file length increase will
not be visible in the DOS disk directory listing if the virus is
memory resident. The virus will be located at the end of the
infected program. The file's date and time in the DOS disk
directory listing will not have been altered.

Symptoms of a 3445-Stealth infection are that the DOS CHKDSK program
will indicate file allocation errors on all infected programs when
the virus is memory resident. Additionally, execution of some
infected programs will result in a system hang.
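
The CHKDSK symptom above can be turned into a triage check. The following is an added example, not part of the original entry: it assumes the allocation errors arise because the file size reported while the virus is resident is smaller than the file's FAT cluster chain implies. The directory entries, FAT contents and 1,024-byte cluster size are constructed sample data.

```python
import math

VIRUS_LEN = 3445  # effective length given in the entry


def chain_length(fat, start):
    """Count clusters in a FAT chain. fat maps cluster -> next cluster (None = end)."""
    seen, cur = set(), start
    while cur is not None:
        if cur in seen:
            raise ValueError("loop in FAT chain at cluster %d" % cur)
        seen.add(cur)
        cur = fat[cur]
    return len(seen)


def audit(entries, fat, cluster_size):
    """Flag .COM/.EXE files whose chain holds more clusters than the reported size needs.

    Returns (name, hidden_min, hidden_max, fits_3445): the range of hidden bytes the
    extra clusters allow, and whether a 3,445-byte growth falls inside that range.
    """
    findings = []
    for name, reported_size, start in entries:
        if not name.upper().endswith((".COM", ".EXE")):
            continue
        allocated = chain_length(fat, start)
        needed = math.ceil(reported_size / cluster_size)
        if allocated <= needed:
            continue  # size and chain agree, CHKDSK would not complain
        lo = (allocated - 1) * cluster_size + 1 - reported_size
        hi = allocated * cluster_size - reported_size
        findings.append((name, lo, hi, lo <= VIRUS_LEN <= hi))
    return findings


# Constructed sample: (name, size as reported in the directory listing, first cluster)
SAMPLE_ENTRIES = [("FORMAT.COM", 2000, 2), ("CLEAN.EXE", 3000, 8),
                  ("OTHER.EXE", 1000, 11), ("README.TXT", 100, 13)]
SAMPLE_FAT = {2: 3, 3: 4, 4: 5, 5: 6, 6: 7, 7: None, 8: 9, 9: 10, 10: None,
              11: 12, 12: None, 13: None}
CLUSTER_SIZE = 1024

if __name__ == "__main__":
    for name, lo, hi, fits in audit(SAMPLE_ENTRIES, SAMPLE_FAT, CLUSTER_SIZE):
        verdict = "consistent with 3,445-byte growth" if fits else "other mismatch"
        print("%-12s hidden bytes %d..%d  %s" % (name, lo, hi, verdict))
```

A mismatch that cannot hold 3,445 hidden bytes points to ordinary file-system damage or a different cause, so only files flagged as consistent warrant comparison against a known-clean copy.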