Online VSUM - Abraxas 5 Virus

Abraxas 5 Virus

Virus Name: Abraxas 5 Aliases: V Status: Viron Discovery: April, 1993 Symptoms: .COM & .EXE programs overwritten; programs fail to execute; graphic "ABRAXAS" and noise on system speaker; file date/time changes; C:\DOS\DOSSHELL.COM created Origin: Unknown Eff Length: 1,171 Bytes Type Code: ONA - Overwriting Non-Resident .COM & .EXE Infector Detection Method: AVTK, F-Prot, NAV, Sweep, ViruScan, IBMAV, NAVDX, VAlert, PCScan, ChAV, NShld, AVTK/N, NAV/N, Sweep/N, NProt, IBMAV/N, Innoc, LProt Removal Instructions: Delete infected files General Comments: The Abraxas 5 virus was submitted in April, 1993. Its origin is unknown. Abraxas 5 is a non-resident, direct action overwriting virus which infects .COM and .EXE programs, but not COMMAND.COM. When a program infected with the Abraxas 5 virus is executed, this virus infect the copy of DOSSHELL.COM located in the C:\DOS directory (creating the file if it doesn't exist), as well as one .EXE program located in the current directory. Due to a bug in the virus, only the first .EXE program in any directory will be infected by the Abraxas 5 virus. Programs infected with the Abraxas 5 virus will become 1,171 bytes in length, and will contain the Abraxas 5 viral code. The file's date and time in the DOS disk directory listing will be set to the system date and time when infection occurred. The following text strings can be found within the viral code in all Abraxas 5 infected programs: "*.exe c:\dos\dosshell.com .. MS-DOS (c)1992" "->>ABRAXAS-5<<--" "...For he is not of this day" "...Nor he of this mind" Execution of programs infected with the Abraxas 5 virus will also result in the display of a graphic "ABRAXAS" on the system display, accompanied by an ascending scale being played on the system speaker. Known variant(s) of Abraxas 5 are: Abraxas.1508: Received in July, 1994, Abraxas.1508 is a 1,508 byte variant which infects .EXE programs. When an infected program is executed, the virus will infect the first .EXE program located in the current directory, if it was not previously infected, as well as create a 1,508 byte file named "ROMMAND.COM". Infected .EXE programs will have a file length of 1,508 bytes and will contain a copy of the viral code. The original .EXE program is not saved by the virus, and hence is not recoverable other than from backups. Infected programs, as well as the ROMMAND.COM file, will have the file date and time in the DOS disk directory set to the current system date and time when infection occurred. The following text strings are visible within the viral code: "*.exe" "rommand.com" "Darkest Avenger" "CES (c) Controlled Environment Simulator" "Edwin Cleton 1993 VirSoft (c)" "h! Get a ROD just thinking about it!" The Abraxas.1508 virus also will display the following message when an infected program is executed: "I AM THE EDWIN CLETON VIRUS... AND I LOVE A GOOD HARD DRIVE ...Ahhhh! Get a ROD just thinking about it!" The message text prior to the "...Ahhhh!" text will be in line graphic characters. Origin: Unknown July, 1994.