Iranian Virus

Virus Name: Iranian Aliases: V Status: Rare Discovered: January, 1993 Symptoms: .COM & .EXE growth; decrease in total system & available free memory Origin: Unknown Eff Length: 1,320 Bytes Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan, F-Prot, AVTK, IBMAV, Sweep, NAV, NAVDX, VAlert, PCScan, ChAV, NShld, AVTK/N, Sweep/N, NAV/N, IBMAV/N, Innoc Removal Instructions: Delete infected files General Comments: The Iranian virus was submitted in January, 1993. Its origin or point of isolation is unknown. Iranian is a memory resident infector of .COM and .EXE programs, including COMMAND.COM. When the first Iranian infected program is executed, the Iranian virus will install itself memory resident at the top of system memory but below the 640K DOS boundary, hooking interrupts 09 and 21. Total system and available free memory, as indicated by the DOS CHKDSK program, will have decreased by 1,328 bytes. Interrupt 12's return will not be moved. Once the Iranian virus is memory resident, it will infect .COM and .EXE programs, including COMMAND.COM, when they are executed. Infected programs will have a file length increase of 1,320 bytes with the virus being located at the end of the file. The program's date and time in the DOS disk directory listing will not be altered. The following text strings are encrypted within the Iranian virus' code and are thus not visible within infected programs: "IRANIAN VIRUS W.by ABBAS KUHKAN ALIABADI" "ANTI VIRUS Writen By ABBAS KUKAN" "Virus Found" It is unknown what Iranian does besides replicate.