Hybryd Virus

Virus Name: Hybryd Aliases: Hybrid V Status: Rare Discovered: January, 1991 Symptoms: .COM growth Origin: Poland Eff Length: 1,306 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan, AVTK, F-Prot, NAV, Sweep, IBMAV, NAVDX, VAlert, PCScan, ChAV, NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, NAV/N, IBMAV/N Removal Instructions: Delete infected files General Comments: The Hybryd virus was submitted in January, 1991, and is from Poland. This virus is a non-resident direct action infector of .COM files, including COMMAND.COM. When a program infected with Hybryd is executed, the virus will look for an uninfected .COM program in the current directory. If an uninfected program is found, the virus will infect it. Infected .COM programs will have a file length increase of 1,306 bytes, the virus will be located at the end of the infected program. This virus alters the file time so that the seconds field in the file time is 62, the indicator that the file is infected. Just viewing the directory, though, it appears that the file date and time has not been altered. The following text strings are contained within the Hybryd virus, though they cannot be viewed in infected files as they are encrypted: "(C) Hybryd Soft Specjalne podziekowania dla Andrzeja Kadlofa i Mariusza Deca za artykuly w Komputerze 11/88" In the submitted sample, the one text string that is not encrypted is the following, which is also found in replicated samples: "Copyright IBM Corp 1981,1987 Licensed Material - Program Property of IBM" This string should not be taken to indicate that IBM necessarily had anything to do with the creation of this virus. On Friday the 13th starting in 1992, this virus will overwrite the current drive's boot sector when an infected program is executed. It may also corrupt program files at that time when they are executed.