Liberty-1172 Virus
Virus Name: Liberty-1172
Aliases: Lib1172
V Status: Rare
Discovered: December, 1991
Symptoms: .COM file growth; file date/time change; decrease in total
system and available free memory
Origin: Unknown
Eff Length: 1,172 - 1,186 Bytes
Type Code: PRhCK - Parasitic Resident .COM Infector
Detection Method: ViruScan, Sweep, AVTK, F-Prot, ChAV,
IBMAV, NAV, NAVDX, VAlert, PCScan,
NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N,
NAV/N, IBMAV/N
Removal Instructions: Delete infected files
General Comments:
The Liberty-1172 virus was received in December, 1991. Its origin
is unknown. Liberty-1172 is a memory resident infector of .COM
programs, including COMMAND.COM.

When the first Liberty-1172 virus-infected program is executed, the
Liberty-1172 virus will install itself memory resident at the top
of system memory but below the 640K DOS boundary. Total system
and available free memory, as indicated by the DOS CHKDSK program,
will have decreased by 1,568 bytes. Interrupt 12's return will
not have been moved. Interrupts 09 and 21 will be hooked by
Liberty-1172 in high system memory.

After Liberty-1172 has become memory resident, it will infect .COM
programs, including COMMAND.COM, when they are executed. Infected
programs will have a file length increase of 1,172 to 1,186 bytes.
The virus will be located at the end of the file. The program's
date and time in the DOS disk directory listing will have been
updated to the system date and time when infection occurred. One
text string can be found within the viral code in infected files:

    "Liberty"

This text string will also be found near the beginning of the file,
which is how Liberty-1172 marks the file as being infected.

It is unknown if Liberty-1172 does anything besides replicate.
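
Added example (not part of the original entry): a triage heuristic for archived .COM images, built only on the two "Liberty" markers and the 1,172 to 1,186 byte appended length described above. The 64-byte head window, the verdict names and the function names are assumptions made for illustration, and a match is a reason to run one of the listed scanners, not a confirmation.

```python
"""Triage heuristic for the two 'Liberty' markers described in the entry."""
from pathlib import Path

MARKER = b"Liberty"                      # text string named in the entry
MIN_GROWTH, MAX_GROWTH = 1172, 1186      # appended length range from the entry
HEAD_WINDOW = 64                         # assumption: what "near the beginning" means


def triage_com_image(data: bytes) -> str:
    """Return 'suspect', 'marker-only' or 'clean' for one .COM file image."""
    head = data[:HEAD_WINDOW].find(MARKER)
    # The appended body occupies at most the last MAX_GROWTH bytes of the file.
    tail_start = max(0, len(data) - MAX_GROWTH)
    if head >= 0:
        # On small files the windows overlap; do not count one marker twice.
        tail_start = max(tail_start, head + len(MARKER))
    tail = data.find(MARKER, tail_start)
    if head >= 0 and tail >= 0 and len(data) > MIN_GROWTH:
        return "suspect"
    if MARKER in data:
        return "marker-only"             # e.g. ordinary program text
    return "clean"


def scan_tree(root: str) -> dict:
    """Triage every *.com file under root (case-insensitive extension)."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() == ".com":
            results[str(path)] = triage_com_image(path.read_bytes())
    return results


def _constructed_samples() -> dict:
    """Constructed byte strings only; none contains real program or virus code."""
    filler = b"\x90" * 400
    return {
        "clean": b"\xe9\x00\x00" + filler,
        "both_markers": b"\xe9\x10\x00" + MARKER + filler + b"\x00" * 500 + MARKER + b"\x00" * 665,
        "text_only": b"\xe9\x00\x00" + filler + b"Statue of Liberty" + filler * 4,
        "tiny": b"\xe9\x00\x00" + MARKER,
    }


if __name__ == "__main__":
    for name, image in _constructed_samples().items():
        print(f"{name:13s} {triage_com_image(image)}")
```

Because infection also resets the file date and time, the directory timestamp of a "suspect" file is worth recording alongside the verdict.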