Little Brother Virus
Virus Name: Little Brother
Aliases:
V Status: Rare
Discovered: October, 1991
Symptoms: 307 byte .COM files
Origin: The Netherlands
Eff Length: 307 Bytes
Type Code: SRCE - Spawning Resident .EXE Infector
Detection Method: F-Prot, ViruScan, AVTK, Sweep, IBMAV,
NAV, NAVDX, VAlert, PCScan, ChAV,
NShld, Sweep/N, LProt, Innoc, NProt, AVTK/N, IBMAV/N,
NAV/N
Removal Instructions: Delete infected .COM programs
General Comments:
The Little Brother virus was submitted from the Netherlands in
October, 1991. This virus is a spawning virus similar in technique
to the Aids 2 and Twin-351 viruses.
The first time a program infected with Little Brother is executed,
Little Brother will become memory resident in a "hole" in low
system memory in the system data area, hooking interrupt 21. There
will be no change in total system or available free memory.
Once resident, the Little Brother virus will infect .EXE programs
when they are executed. The .EXE program itself will not be
altered, but a corresponding .COM program will be created by the
virus of 307 bytes. This corresponding .COM program will contain
pure virus code and have a date/time stamp in the DOS directory
of when it was created. The following text strings can be found
in the 307 byte .COM files:
"Little Brother"
"EXE COM"
Since DOS will execute .COM programs before .EXE programs, whenever
the user attempts to execute a .EXE program, the corresponding
.COM program will be executed first. The .COM program, when finished
will then start the .EXE program the user was attempting to
execute.
Known variant(s) of Little Brother are:
Little Brother.276: Functionally similar to the original
Little Brother virus, this variant creates
.COM files of 276 bytes for each .EXE program
which is executed. The same text strings found
in the original virus are contained in this
variant.
Origin: Unknown January, 1996.
Little Brother-299: Functionally similar to the original
Little Brother virus, this variant creates
.COM files of 299 bytes for each .EXE program
which is executed. The same text strings found
in the original virus are contained in this
variant.
Origin: Unknown November, 1992.
Little Brother-300: Functionally similar to the original
Little Brother virus, this variant creates
.COM files of 300 bytes for each .EXE program
which is executed. The same text strings found
in the original virus are contained in this
variant.
Origin: Unknown December, 1992.
Little Brother.301: Functionally similar to the original
Little Brother virus, this variant creates
.COM files of 301 bytes for each .EXE program
which is executed. The same text strings found
in the original virus are contained in this
variant.
Origin: Unknown January, 1996.
Little Brother-321: Functionally similar to the original
Little Brother virus, this variant creates
.COM files of 321 bytes for each .EXE program
which is executed.
Origin: The Netherlands May, 1992.
Little Brother-349: Little Brother-349 is a 349 byte variant
of the Little Brother virus. It creates 349
byte companion files when an .EXE program is
executed after the virus becomes memory resident.
The companion files have the attributes system,
read-only, and hidden set so that the file will
not be visible in the DOS disk directory listing.
Little Brother-349 activates on the first
Tuesday in November, the day when major elections
are held in the United States, displaying the
following message with a beep multiple times:
"DID YOU VOTE, SHITHEAD??"
This message can be found in the companion files,
along with the following text string:
"EXE COM"
Origin: United States October, 1992.
Little Brother-361: Little Brother-361 is a 361 byte variant of
the Little Brother virus. It creates 361 byte
companion files when an .EXE program is executed
after the virus is memory resident. The
companion file will have the attributes system,
read-only, and hidden set so that the file will
not be visible in the DOS disk directory listing.
One text string can be found in the hidden .COM
files:
"EXE COM *.*"
Origin: United States October, 1992.