Kthulhu Virus

Virus Name: Kthulhu Aliases: V Status: Rare Discovered: December, 1992 Symptoms: .COM file growth; message displayed; system hangs; write protect errors on diskettes Origin: Poland Eff Length: 512 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan, AVTK, F-Prot, Sweep, IBMAV, NAV, NAVDX, VAlert, PCScan, ChAV, NShld, Sweep/N, NProt, AVTK/N, LProt, NAV/N, IBMAV/N, Innoc Removal Instructions: Delete infected programs General Comments: The Kthulhu virus was submitted in December, 1992. It is originally from Poland. Kthulhu is a non-resident, direct action infector of .COM programs, including COMMAND.COM. When a program infected with the Kthulhu virus is executed, the Kthulhu virus will infect all of the .COM programs located in the current directory. Infected programs will have a file length increase of 512 bytes with the virus being located at the beginning of the file. The program's date and time in the DOS disk directory listing will not be altered. The following text strings can be found within the viral code in all Kthulhu infected programs: "KTHULHU Today is my birthday." "IT $is coming." "$has gone." "*.COM" "????????COM?" The Kthulhu virus activates when an infected program is executed during the month of May of any year, displaying a message. A system hang also occurs. The text of the message depends on what the day of the month is set to in the system time. From the 1st of May thru May 19th, the message displayed is: "IT is coming." On May 20th, it displays the message: "Today is my birthday." From May 21st thru May 31st, it displays the message: "IT has gone. An additional symptom of a Kthulhu infection is that attempts to execute programs on write protected diskettes will result in a write protect error.