Hypervisor Virus


 Virus Name:  Hypervisor 
 Aliases:     Hypervisor.3120 
 V Status:    New 
 Discovered:  July, 1995 
 Symptoms:    .COM & .EXE growth; file date/time seconds = "62"; 
              decrease in system and available free memory; 
              DOS CHKDSK file allocation errors 
 Origin:      Unknown 
 Eff Length:  3,120 Bytes 
 Type Code:   PRtAK - Parasitic Resident .COM & .EXE Infector 
 Detection Method: AVTK, NAV, NAVDX, IBMAV, ViruScan, PCScan, F-Prot, ChAV,
                   AVTK/N, NAV/N, IBMAV/N, NShld, NProt, Innoc 4.0+
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Hypervisor or Hypervisor.3120 virus was received in July, 1995, 
       with one variant, Hypervisor.3128.  Their origin or point of 
       isolation is unknown.  Hypervisor is a memory resident stealth 
       virus which infects .COM and .EXE files, including COMMAND.COM. 
 
       When the first Hypervisor infected program is executed, this virus
       will install itself memory resident at the top of system memory but
       below the 640K DOS boundary, lowering the memory size returned by
       interrupt 12.  Total system and available free memory, as indicated
       by the DOS CHKDSK program from DOS 5.0, will have decreased by
       4,096 bytes.  Interrupts 21, 25, and 26 will be hooked by the virus
       in memory.
 
       Once the Hypervisor virus is memory resident, it will infect .COM 
       and .EXE files when they are executed or opened, but not on copy. 
       Infected programs will have a file length increase of 3,120 bytes, 
       though this file length increase will be hidden by the virus when 
       it is memory resident.  The virus will be located at the end of the 
       host program.  The file's date and time in the DOS disk directory 
       listing will not appear to be altered, though the seconds field will 
       have been set to "62", the infection marker for the virus.  The 
       following text strings are encrypted within the viral code: 
 
           "HYPERVISOR 2" 
           "HYPERVISOR 9" 
           "HYPERVISOR" 
           "SECURITY_EQUALS+ A" 
           "HYPERVISOR" 
           "HYPERVISOR" 
           "GROUPS_I'M_IN" 
           "PASSWORD 9" 
           "HYPERVISOR IDENTIFICATION." 
           "IDENTIFICATIONThe Hypervisor 9" 
           "HYPERVISSOR  LOGIN_CONTROL" 
           "HYPERVISOR LOGIN_CONTROL_" 
           "SUPERVISOR" 
           "HYPERVISORCOMEXE" 
 
       The DOS CHKDSK program will indicate file allocation errors on 
       all infected files when the virus is memory resident. 
 
       Known variant(s) of Hypervisor are: 
       Hypervisor.3128: Also received in July, 1995, this is a 3,128 
           byte variant of the Hypervisor virus described above.  Its size 
           in memory is also 4,096 bytes, hooking interrupts 21, 25, and 
           26.  It adds 3,128 bytes to the .COM and .EXE files it infects 
           on execution and open, though this file length increase will 
           be hidden when the virus is memory resident.  The virus will be 
           located at the end of the file.  The following text strings are 
           encrypted within the viral code: 
           "SYS:SYSTEM/SYS:LOGIN/NET$BIND.SYS NET$BVAL.SYS NET$OBJ.SYS 
            NET$PROP.SYS NET$VAL.SYS" 
           "SECURITY_EQUALS% AC" 
           "SECURITY_EQUALS" 
           "SUPERVISOR" 
           "GROUPS_I'M_IN!!" 
           "PASSWORD" 
           "IDENTIFICATION" 
           "IDENTIFICATIONThe" 
           "LOGIN_CONTROL" 
           "COMEXE" 
           The DOS CHKDSK program will indicate file allocation errors on 
           all infected files when the virus is memory resident. 
           Origin:  Unknown  July, 1995. 
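
The seconds marker noted under General Comments can be checked in raw FAT directory entries, where the time word stores seconds in 2-second units, so a raw value of 31 decodes to 62. The following Python code is an added example, not part of the original entry; it scans a constructed directory buffer (the sample names, sizes and dates are made up) and reports .COM and .EXE entries carrying that marker. It assumes the entries are read from a disk image on a clean system, since the description says the virus hides its changes while memory resident.

```python
import struct

MARKER_SECONDS = 62   # infection marker given in the description above
ENTRY_SIZE = 32       # size of one FAT directory entry

def decode_dos_time(raw):
    """Split a 16-bit FAT time word into (hours, minutes, seconds)."""
    return raw >> 11, (raw >> 5) & 0x3F, (raw & 0x1F) * 2

def suspicious_entries(directory):
    """Return (name, size, time) for .COM/.EXE entries whose seconds field is 62."""
    hits = []
    for off in range(0, len(directory) - ENTRY_SIZE + 1, ENTRY_SIZE):
        entry = directory[off:off + ENTRY_SIZE]
        if entry[0] == 0x00:                  # end-of-directory marker
            break
        attr = entry[11]
        # 0xE5 = deleted entry; 0x18 covers volume labels, long-name slots, subdirectories
        if entry[0] == 0xE5 or attr & 0x18:
            continue
        ext = entry[8:11].decode("ascii", "replace").rstrip()
        if ext not in ("COM", "EXE"):
            continue
        # offsets 22..31: write time, write date, first cluster, file size
        raw_time, _date, _cluster, size = struct.unpack_from("<HHHI", entry, 22)
        h, m, s = decode_dos_time(raw_time)
        if s == MARKER_SECONDS:
            name = entry[0:8].decode("ascii", "replace").rstrip()
            hits.append((f"{name}.{ext}", size, f"{h:02}:{m:02}:{s:02}"))
    return hits

def make_entry(name, ext, h, m, s, size, attr=0x20):
    """Build one constructed 32-byte directory entry for the sample below."""
    raw_time = (h << 11) | (m << 5) | (s // 2)
    raw_date = ((1995 - 1980) << 9) | (7 << 5) | 14   # constructed date
    return struct.pack("<8s3sB10xHHHI", name.ljust(8).encode(),
                       ext.ljust(3).encode(), attr, raw_time, raw_date, 2, size)

# Constructed sample directory (not taken from a real disk).
SAMPLE_DIR = b"".join([
    make_entry("COMMAND", "COM", 5, 0, 62, 50965),    # marker present
    make_entry("EDIT", "EXE", 12, 30, 58, 413),       # ordinary timestamp
    make_entry("README", "TXT", 9, 15, 62, 1200),     # not a .COM/.EXE file
    make_entry("TOOLS", "", 9, 15, 62, 0, attr=0x10), # subdirectory
]) + bytes(ENTRY_SIZE)

if __name__ == "__main__":
    for name, size, stamp in suspicious_entries(SAMPLE_DIR):
        print(f"{name:12} {size:>8} bytes  written {stamp}  <- seconds field is 62")
```

A seconds value of 62 cannot come from a normal clock, but other programs can also write out-of-range timestamps, so a hit is a lead to confirm with a scanner rather than proof of infection.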
