Incest Virus

Virus Name: Incest Aliases: Daddy.1117, Incest.1117 V Status: New Discovered: September, 1994 Symptoms: .COM & .EXE growth; DOS CHKDSK file allocation errors; decrease in total system & available free memory; file time changes Origin: Queensland, Australia Eff Length: 1,117 Bytes Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector Detection Method: AVTK, IBMAV, ViruScan, Sweep, F-Prot, NAV, NAVDX, VAlert, ChAV, IBMAV/N, NShld, AVTK/N, Sweep/N, NAV/N, Innoc 4.0+ Removal Instructions: Delete infected files General Comments: The Incest virus was submitted in September, 1994, after its isolation in Australia. Incest is a memory resident stealth-type virus which infects .COM and .EXE programs, including COMMAND.COM. When the first Incest infected program is executed, this virus will install itself memory resident at the top of system memory but below the 640K DOS boundary, not moving interrupt 12's return. Total system and available free memory will have decreased by 2,400 bytes, and interrupt 21 will be hooked by the virus is memory. Once the Incest virus is memory resident, it will infect .COM and .EXE programs, including COMMAND.COM, when they are executed, opened, or copied. Infected programs will have a file length increase of 1,117 bytes, though the file length increase will be hidden when the virus is memory resident. The virus will be located at the end of the file. The file's date in the DOS disk directory listing will not be altered, however, the time field will have been altered. The following text strings are encrypted within the viral code: "[Incest Daddy] by VLAD - Brisbane, OZ" "ANTI-VIR.DAT MSAV.CHK CHKLIST.CPS CHKLIST.MS" This virus interfers with the Microsoft Anti-Virus and Central Point Anti-Virus programs, deleting the above indicated files which the programs require in order to be able to detect viral infections.