Leningrad II Virus

Virus Name: Leningrad II Aliases: Leningrad II.2000.A V Status: Rare Discovered: April, 1994 Symptoms: .COM file growth; decrease in total system & available free memory Origin: USSR Eff Length: 2,000 Bytes Type Code: PRhCK - Parasitic Resident .COM Infector Detection Method: F-Prot, Sweep, IBMAV, AVTK, ViruScan, NAV, NAVDX, VAlert, ChAV, PCScan, AVTK/N, Sweep/N, IBMAV/N, Innoc, NProt, NShld, NAV/N, LProt Removal Instructions: Delete infected files General Comments: The Leningrad II virus was submitted in April, 1994, and appears to be from the USSR. Leningrad II is a memory resident infector of .COM programs, including COMMAND.COM. When the first Leningrad II infected program is executed, this virus will install itself memory resident at the top of system memory but below the 640K DOS boundary, not moving interrupt 12's return. Total system and available free memory, as indicated by the DOS CHKDSK program, will have decreased by 4,096 bytes. Interrupts 1C and 21 will be hooked by the virus in memory. Once memory resident, the Leningrad II virus will infect .COM programs when they are executed. Infected programs will have a file length increase of 2,000 bytes with the virus being located at the end of the file. The program's date and time in the DOS disk directory listing will not be altered. The following text string is repeated many times within the viral code: "Leningrad" It is unknown what Leningrad II does besides replicate. Known variant(s) of Leningrad II are: Leningrad II.2000.B: Received in January, 1996, this is a minor variant of the Leningrad II virus described above. It will occassionally play a tune when the virus is memory resident. Origin: Unknown January, 1996. See: Sov