Little Red Virus


 Virus Name:  Little Red 
 Aliases:    
 V Status:    Common 
 Discovered:  September, 1994 
 Symptoms:    .COM & .EXE growth; DOS CHKDSK file allocation errors; 
              decrease in total system & available free memory; 
              sluggish DOS DIR command output; system hangs 
 Origin:      Unknown 
 Eff Length:  1,465 Bytes 
 Type Code:   PRhAK - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  F-Prot, AVTK, IBMAV, ViruScan, NAV, Sweep, NAVDX, 
                    VAlert, PCScan, ChAV, 
                    NProt, AVTK/N, NShld, NAV/N, Sweep/N, IBMAV/N, Innoc, 
                    LProt 
 Removal Instructions:  F-Prot, or delete infected programs 
 
 General Comments: 
       The Little Red virus was received in September, 1994.  Its origin is 
       unknown, though the sample received was from an "in the wild" 
       infection in the United States.  Little Red is a memory resident 
       stealth-type virus which infects .COM and .EXE programs, including 
       COMMAND.COM. 
 
       When the first Little Red infected program is executed, this virus 
       will install itself memory resident at the top of system memory but 
       below the 640K DOS boundary, not moving interrupt 12's return.  Total 
       system and available free memory, as indicated by the DOS CHKDSK 
       program, will have decreased by 1,744 bytes.  Interrupts 1C and 21 
       will be hooked in memory.  Also at this time, the virus will infect 
       the copy of COMMAND.COM located in the C: drive root directory if it 
       was not previously infected. 
 
       Once the Little Red virus is memory resident, it will infect .COM and 
       .EXE programs, including COMMAND.COM, when they are executed, copied, 
       or a DOS DIR command is issued.  In the case of the DOS DIR command, 
       both the source and target files are infected by the virus.  Infected 
       programs will have a file length increase of 1,465 bytes, though the 
       file length increase will be hidden when the virus is memory resident. 
       The virus will be located at the end of the file.  The program's date 
       and time in the DOS disk directory listing will not be altered.  The 
       following text strings are encrypted within the viral code: 
 
               "C:\COMMAND.COM" 
 
       The DOS CHKDSK program will indicate file allocation errors on all 
       infected files when the virus is memory resident.  Output from the 
       DOS DIR command will be sluggish or delayed.  Some programs may 
       hang the system when they are executed.

Show viruses from discovered during that infect .

Main Page