Keyboard Bug Virus


 Virus Name:  Keyboard Bug 
 Aliases:     Keyboard Bug-1596, Kbug 
 V Status:    Rare 
 Discovered:  January, 1992 
 Symptoms:    .COM & .EXE growth; decrease in total system & available 
              free memory; system hangs; keyboard interference 
 Origin:      Unknown 
 Eff Length:  1,598 - 1,620 Bytes 
 Type Code:   PRhA - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  Sweep, ViruScan, F-Prot, AVTK, ChAV, 
                    IBMAV, NAV, NAVDX, VAlert, PCScan, 
                    NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, 
                    NAV/N, IBMAV/N 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Keyboard Bug, or Keyboard Bug-1596, virus was submitted in 
       January, 1992.  Its origin is unknown.  Keyboard Bug is a memory 
       resident infector of .COM and .EXE programs, but does not infect 
       COMMAND.COM. 
 
       The first time a program infected with Keyboard Bug is executed, 
       the Keyboard Bug virus will install itself memory resident at the 
       top of system memory but below the 640K DOS boundary.  Interrupt 
       12's return will not have been moved.  Total system and available 
       free memory, as indicated by the DOS CHKDSK program, will have 
       decreased by 1,616 bytes.  Interrupts 01, 03, 1C, and AC will 
       be hooked by the virus in memory. 
 
       Once the Keyboard Bug virus is memory resident, it will infect 
       .COM and .EXE programs, other than COMMAND.COM, when they are 
       executed.  .COM files will have a file length increase of 1,620 
       bytes.  .EXE files will have a file length increase of 1,598 to 
       1,612 bytes in length.  In both cases, the virus will be located 
       at the end of the infected program.  The file's date and time in 
       the DOS disk directory listing will not have been altered. 
 
       Systems infected with the Keyboard Bug virus will experience 
       intermittent interference with keyboard input due to the virus 
       adding bursts of random characters to the keyboard buffer.  System 
       hangs may also occur, in particular if the user attempts to copy 
       programs using the DOS COPY command. 
 
       Known variant(s) of Keyboard Bug are: 
       Keyboard Bug-914: A 914 byte variant of the Keyboard Bug virus, 
                  this variant will be memory resident in 1,328 bytes 
                  at the top of system memory but below the 640K DOS 
                  boundary, hooking interrupts 08, 1C, AA, and AC.  Keyboard  
                  Bug-914 infects .COM programs, other than COMMAND.COM, 
                  when they are executed.  Infected .COM programs will have 
                  a file length increase of 914 bytes with the virus being 
                  located at the end of the file.  The program's date and 
                  time in the DOS disk directory listing will not be 
                  altered.  One text string is encrypted within the viral 
                  code: 
                  "COMMAND" 
                  Origin:  Unknown  March, 1993. 
       Keyboard Bug.1268: Received in July, 1995, this is a 1,268 byte 
                  non-resident version of the Keyboard virus described 
                  above.  It infects one .COM file located in the current 
                  directory, bypassing COMMAND.COM, when an infected 
                  program is executed.  It will then starting accessing 
                  alternatingly drives A: and B:.  Beeping may also occur. 
                  Programs infected with this variant will have a file 
                  length increase of 1,268 to 1,284 bytes with the virus 
                  being located at the end of the file.  The program's 
                  date and time in the DOS disk directory listing will 
                  not be altered.  The following text strings are visible 
                  within the viral code: 
                  "????????COM" 
                  "*.com * \  \" 
                  "COMMAND.COM KeyBoard Error ..." 
                  "UFO" 
                  System hangs frequently occur when infected programs 
                  are executed.  The text string "KeyBoard Error ..." may 
                  also be displayed as a message on the system monitor. 
                  Origin:  Unknown  July, 1995. 
       Keyboard Bug-1720: A larger version of the Keyboard Bug virus, 
                  this variant will be memory resident in 1,728 bytes 
                  at the top of system memory but below the 640K DOS 
                  boundary, as well as have a 448 byte TSR.  Interrupts 
                  01, 03, 1C, and AC will be hooked in high memory, and 
                  interrupt 21 will be hooked by the TSR.  Infected .COM 
                  programs will have a file length increase of 1,744 
                  bytes.  .EXE programs will have a file length increase of 
                  1,722 to 1,734 bytes. 
       Keyboard Bug-1724: Another variant of the Keyboard Bug virus, 
                  this variant is somewhat similar to Keyboard Bug-1720. 
                  It infects .COM and .EXE programs when they are executed, 
                  adding 1,724 to 1,759 bytes to their length.  The virus 
                  is located at the end of infected files. 
                  Origin:  Unknown  October, 1992.

Show viruses from discovered during that infect .

Main Page