Horror Virus
Virus Name: Horror
Aliases:
V Status: Rare
Discovered: June, 1992
Symptoms: .COM & .EXE file growth; decrease in total system & available
free memory; system hangs
Origin: Unknown
Eff Length: 2,319 Bytes
Type Code: PRsAK - Parasitic Resident .COM & .EXE Infector
Detection Method: F-Prot, Sweep, NAV, AVTK, IBMAV, ChAV, ViruScan,
NAVDX, VAlert, PCScan, NShld, Sweep/N, Innoc, NProt, AVTK/N,
NAV/N, IBMAV/N, LProt
Removal Instructions: Delete infected files
General Comments:
The Horror virus was received in June, 1992. Its origin or point
of isolation is unknown. Horror is a memory resident infector of
.COM and .EXE programs, including COMMAND.COM.
The first time a program infected with the Horror virus is executed,
the Horror virus will install itself memory resident at the top of
system memory but below the 640K DOS boundary. Total system and
available free memory, as indicated by the DOS CHKDSK program, will
have decreased by 3,744 bytes. Interrupt 12's return will not be
moved. Interrupts 13 and 21 will be hooked by the Horror virus
in memory. Also at this time, the Horror virus will infect
the copy of COMMAND.COM pointed to by the COMSPEC environment
variable if it was not previously infected.
Once the Horror virus is memory resident, it will infect .COM and
.EXE programs when they are executed. Infected programs will have
a file length increase of 2,319 bytes with the virus being located
at the end of the file. The file's date and time in the DOS disk
directory listing will not be altered. The Horror virus is
unable to determine if it has previously infected a program, so
the virus will reinfect previously infected programs, adding an
additional 2,319 bytes with each reinfection.
Horror is an encrypted virus. It contains the following text
strings within its viral code, but because the code is encrypted
they cannot be viewed in infected programs:
"This is HORROR !"
"COMSPECS"
It is unknown what Horror does besides replicate, though users of
infected systems may experience frequent system hangs when programs
are executed with the virus memory resident.
Known variant(s) of Horror are:
Horror-1112: Based on the Horror virus described above, this
variant adds 1,112 bytes to the .COM and .EXE programs
it infects on execution, with the virus being located at
the end of the file. It does not reinfect programs. Its
size in memory is 1,792 bytes, hooking interrupts 13 and
21. The system keyboard may occasionally become locked
out when the virus is memory resident. The encrypted
text strings found within the original virus are also
found in this variant.
Origin: Unknown December, 1992.
Horror-1137: Based on the Horror virus described above, this
variant adds 1,137 bytes to the .COM and .EXE programs
it infects on execution, with the virus being located at
the end of the file. It does not reinfect programs. Its
size in memory is 1,856 bytes, hooking interrupt 21. The
system keyboard may occasionally become locked out
when the virus is memory resident. The encrypted
text strings found within the original virus are also
found in this variant.
Origin: Unknown July, 1992.
Horror-1137B: Functionally equivalent to Horror-1137, this is a
very minor variant.
Origin: Unknown December, 1992.
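Because the strings are encrypted and the file date and time are left untouched, file growth is the most direct symptom listed in this entry. The following is an added example, not part of the original entry: a size-baseline triage that flags .COM and .EXE files whose growth matches the lengths given above, including stacked reinfections by the original virus. The snapshot format (name mapped to size and timestamp) and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Infection lengths as stated in the entry above (bytes appended per infection).
HORROR_LEN = 2319  # original virus; it reinfects, so growth stacks in multiples
VARIANT_LENS = {1112: "Horror-1112", 1137: "Horror-1137/1137B"}
TARGET_EXTS = (".COM", ".EXE")


@dataclass
class Finding:
    name: str
    suspect: str
    generations: int           # number of times the length was appended
    timestamp_unchanged: bool  # growth with no date/time change is the red flag


def triage(baseline, current):
    """Compare {name: (size, mtime)} snapshots and flag Horror-sized growth.

    A size match is a triage signal only; it does not confirm infection.
    """
    findings = []
    for name, (size, mtime) in sorted(current.items()):
        if name not in baseline or not name.upper().endswith(TARGET_EXTS):
            continue
        base_size, base_mtime = baseline[name]
        delta = size - base_size
        if delta <= 0:
            continue
        if delta % HORROR_LEN == 0:
            suspect, gens = "Horror", delta // HORROR_LEN
        elif delta in VARIANT_LENS:
            suspect, gens = VARIANT_LENS[delta], 1
        else:
            continue  # growth that matches none of the listed lengths
        findings.append(Finding(name, suspect, gens, mtime == base_mtime))
    return findings


# Constructed sample snapshots: names, sizes and timestamps are made up.
BASELINE = {"COMMAND.COM": (47845, 100), "EDIT.EXE": (20000, 200),
            "SORT.EXE": (6938, 300), "NOTES.TXT": (500, 400),
            "FORMAT.COM": (11000, 500)}
CURRENT = {"COMMAND.COM": (50164, 100), "EDIT.EXE": (26957, 200),
           "SORT.EXE": (8075, 300), "NOTES.TXT": (2819, 400),
           "FORMAT.COM": (11900, 650)}

if __name__ == "__main__":
    for finding in triage(BASELINE, CURRENT):
        print(finding)
```

The baseline must be taken from known-clean media, and any flagged file still needs confirmation with a scanner before it is deleted and restored.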