Invol Virus


 Virus Name:  Invol 
 Aliases:    
 V Status:    Common 
 Discovered:  October, 1991 
 Symptoms:    .EXE & .SYS growth; decrease in available free memory; 
              write protect errors when executing .EXE files from write- 
              protected diskettes; file date/time changes 
 Origin:      United States 
 Eff Length:  1,409 - 1,421 Bytes (.EXE); 2,832 Bytes (.SYS) 
 Type Code:   PRsE - Parasitic Resident .EXE & .SYS Infector 
 Detection Method:  ViruScan, AVTK, F-Prot, IBMAV, ChAV, 
                    NAV, NAVDX, VAlert, PCScan, 
                    Innoc, NShld, AVTK/N, Sweep/N, IBMAV/N, NAV/N, LProt 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Invol virus was received in October, 1991.  Its original point 
       of isolation was in the United States. Invol is a memory resident 
       infector of .EXE and .SYS files. 
 
       The Invol virus becomes memory resident when the first program 
       infected by the Invol virus is executed.  This program may be a .SYS 
       file which has a device entry in the CONFIG.SYS file, or an .EXE 
       file executed after the system boot has completed.  In either case, 
       if the DOS CHKDSK program is executed, it will indicate that the 
       system has 2,832 bytes less free memory than is expected.  Interrupt 
       21 will have been hooked by the virus in memory.  Memory mapping 
       utilities will most likely indicate that the system's config.sys has 
       increased in size by 2,832 bytes. 
 
       Once Invol is memory resident, it will attempt to infect the first 
       .SYS program indicated in the system's CONFIG.SYS file.  The .SYS 
       program will have a file size increase of 2,832 bytes with the 
       virus being located at the beginning of the file.  The file's date 
       and time in the DOS disk directory will have been updated to the 
       current system date and time.  The following text messages can be 
       found in infected .SYS files: 
 
               "You have helped spread this virus. 
                This is a message from your friendly 
                neighborhood infection service. 
                Thank you for your involuntary cooperation." 
               "c:\config.sys EVICE C:\vansi.sys device=vansi.sys" 
 
       .EXE programs will also be infected by the Invol virus once it is 
       memory resident.  In the case of .EXE programs, they will have a 
       file length increase of 1,409 to 1,421 bytes with the virus being 
       located at the end of the infected file.  The program's date and 
       time will have been updated to the system date and time when 
       infection occurred.  The above text messages will not be visible in 
       infected .EXE files as they are encrypted. 
 
       It is unknown what Invol does besides replicate. 
 
       Invol-B: Discovered in the United States in May, 1992, Invol-B 
                is a smaller version of the Invol virus described above. 
                Its encryption has been altered to avoid detection.  It 
                adds 2,720 bytes to the .SYS files it infects, and 1,348 
                to 1,365 bytes to .EXE files.  The last text string 
                indicated above in the original virus has been changed to: 
                "c:\config.sys EVICE C:\vansi.sys       vansi" 
                Origin:  United States  May, 1992.

Show viruses from discovered during that infect .

Main Page