Lost_Friend Virus

Virus Name: Lost_Friend Aliases: Lost_Friend.882 V Status: New Discovered: January, 1996 Symptoms: .EXE file growth; decrease in available free memory; system hangs Origin: Unknown Eff Length: 882 Bytes Type Code: PRhE - Parasitic Resident .EXE Infector Detection Method: NAV, NAVDX, IBMAV, ViruScan, AVTK, F-Prot, ChAV, NAV/N, IBMAV/N, AVTK/N, NShld, Innoc 4.0+ Removal Instructions: Delete infected files General Comments: The Lost_Friend virus was received in January, 1996. Its origin or point of isolation is unknown. Lost_Friend is a memory resident infector of .EXE files. When the first Lost_Friend infected program is executed, this virus will install itself memory resident at the top of system memory but below the 640K DOS boundary, not moving interrupt 12's return. Available free memory, as indicated by the DOS CHKDSK program from DOS 5.0, will have decreased by 1,168 bytes. Interrupt 21 will be hooked by the virus in memory. Once the Lost_Friend virus is memory resident, it will infect .EXE files when they are executed. Infected .EXE files will have a file length increase of 882 bytes with the virus being located at the end of the file. The program's date and time in the DOS disk directory listing will not be altered. The following text strings are encrypted within the viral code: "Daniel, why did you have to die so young ? I will never forget you my friend!" "Your ashes in the wind, free to travel anywhere, a soul out of a dead body like a bird rising so high away reaching the blue sky, to a place called paradise, your first step to eternity, leaving behind pain and misery. [LOST FRIEND] 1995 by CoKe To LYNN, my love, and to MANDY, a true friend !" System hangs frequently occur when infected programs are executed.