Invader Virus
Virus Name: Invader
Aliases: Plastique Boot, Anticad 4
V Status: Common
Discovered: September, 1990
Symptoms: TSR; .COM & .EXE growth; BSC; music; track 1 of hard disk
may be overwritten
Origin: Taiwan/China
Eff Length: 4,096 Bytes
Type Code: PRsAB - Parasitic Resident .COM, .EXE, & Boot Sector Infector
Detection Method: ViruScan, AVTK, F-Prot, NAV, Sweep, IBMAV, NAVDX, VAlert,
PCScan, ChAV, NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N,
NAV/N, IBMAV/N
Removal Instructions: Delete infected files
General Comments:
The Invader virus was isolated in September, 1990 in China. This
virus is a later version of the Plastique-B or Plastique 5.21
virus. It is a memory resident infector of .COM and .EXE files, but
not COMMAND.COM. It also infects boot sectors. In September 1990,
many reports of infections by this virus were received; it
appears to have spread very rapidly.
The first time a program infected with the Invader virus is
executed, the virus will install itself memory resident as a low
system memory TSR. The TSR is 5,120 bytes and interrupts 08, 09,
13, and 21 will be hooked.
At this time, the virus will also infect the boot sector of the
drive where the infected program was executed. The new boot sector
is an MS-DOS 3.30 boot sector, and can be easily identified because
the normal DOS error messages found in the boot sector are now at
the beginning of the boot sector instead of the end.
After the virus has become memory resident, any .COM or .EXE file
(with the exception of COMMAND.COM) opened will be infected by the
virus. Infected .COM files will increase in length by 4,096 bytes
with the viral code being located at the beginning of the infected
file. .EXE files will increase in length between 4,096 and 4,110
bytes with the viral code being located at the end of the infected
file.
Additionally, any non-write protected diskettes which are exposed to
the infected system will have their boot sectors infected.
The Invader virus activates after being memory resident for 30
minutes. At that time, a melody may be played on the system
speaker. On systems which play the melody, it will continue until
the system is rebooted. If the user presses CTRL-ALT-DEL to reboot
the system, the first track of the system's hard disk will be
overwritten with an unencrypted copy of the virus. The melody
isn't played on all systems as it is configuration dependent. The
melody was originally composed by Mozart.
Known variant(s) of Invader are:
Chinese Invader: A variant of the Invader virus, this version is
from China. It contains the text string "PC Tools"
in the viral code. It is unknown what music, if
any, this version plays.
Origin: China November, 1991.
Danube: A variant of the Invader virus, this variant adds 4,096
bytes to the .COM programs it infects, and 4,096 - 5,111
bytes to .EXE programs, with the virus being located at the
end of the file. Like other members of the Invader family,
this variant also infects diskette boot sectors. It contains
the following text strings within the viral code:
"ACAD.EXECOMMAND.COM.COM.EXE"
"by Invader, Feng Chia U., Warning: Don't run ACAD.EXE!"
Origin: Unknown October, 1992.
Mozart: Playing the same melody as the Invader virus described
above, this variant does not continue to play the melody
until the system is rebooted, but only continues for a
few minutes.
Sledge Hammer: Similar to the original Invader described above,
this variant was isolated in Morgan Hill, California
in July, 1991. Its major change from the original
virus is that it plays a different melody after
being resident for 30 minutes. The tune is the
theme song to the television program Sledge Hammer.
See: Plastique, Plastique-B
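
The indicators listed in this entry (file growth, the Danube text strings, and boot-sector error messages moved to the start of the sector) can be checked against a known-good baseline. The Python code below is an added example, not part of the original entry; the function names, the sample data, the "Non-System disk" marker text and the 256-byte threshold are assumptions.

```python
import os

# Growth ranges in bytes (name, low, high), taken from the entry above.
GROWTH = {
    ".COM": [("Invader/Danube", 4096, 4096)],
    ".EXE": [("Invader", 4096, 4110), ("Danube", 4096, 5111)],
}
# Text strings the entry quotes from the Danube variant's code.
DANUBE_STRINGS = [
    b"ACAD.EXECOMMAND.COM.COM.EXE",
    b"by Invader, Feng Chia U., Warning: Don't run ACAD.EXE!",
]
# Assumption: a standard DOS boot-sector error message used as the marker.
BOOT_MSG = b"Non-System disk"


def triage_file(name, baseline_size, data):
    """Return findings for one file, given its known-good size and contents."""
    findings = []
    ext = os.path.splitext(name.upper())[1]
    growth = len(data) - baseline_size
    for label, low, high in GROWTH.get(ext, []):
        if low <= growth <= high:
            findings.append(f"growth {growth} matches {label}")
    if any(s in data for s in DANUBE_STRINGS):
        findings.append("Danube text string present")
    return findings


def boot_sector_suspicious(sector):
    """Flag a 512-byte boot sector whose error text sits in the first half.
    The halfway threshold is an assumption; the entry only says 'beginning'."""
    pos = sector[:512].find(BOOT_MSG)
    return 0 <= pos < 256


# Constructed sample data: (baseline size, current contents). No virus bytes.
CLEAN = b"\x90" * 1000
SAMPLES = {
    "EDIT.COM": (1000, b"\x00" * 4096 + CLEAN),
    "CALC.EXE": (1000, CLEAN + b"\x00" * 4100),
    "DRAW.EXE": (1000, CLEAN + b"\x00" * 4900 + DANUBE_STRINGS[0]),
    "NOTE.COM": (1000, CLEAN),
}

if __name__ == "__main__":
    for fname, (size, data) in SAMPLES.items():
        print(fname, triage_file(fname, size, data) or "no indicators")
```

A growth match alone is only a lead, since the Invader and Danube .EXE ranges overlap and unrelated updates can change file sizes; confirm with one of the scanners listed under Detection Method.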