Minsk Ghost Virus

Virus Name: Minsk Ghost Aliases: V Status: Rare Discovered: October, 1992 Symptoms: .COM & .EXE growth; decrease in total system & available free memory; file date set to 13-07-82 Origin: USSR Eff Length: 1,450 - 1,478 Bytes Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector Detection Method: Sweep, ViruScan, IBMAV, AVTK, F-Prot, NAVDX, NAV, VAlert, PCScan, ChAV, NShld, Sweep/N, Innoc, NProt, AVTK/N, LProt, IBMAV/N, NAV/N Removal Instructions: Delete infected files General Comments: The Minsk Ghost virus was submitted in October, 1992. It is originally from the USSR. Minsk Ghost is a memory resident infector of .COM and .EXE programs. It employs some stealth techniques to hide infections and spreads quickly on infected systems. The first time a program with the Minsk Ghost virus is executed, this virus will install itself memory resident at the top of system memory but below the 640K DOS boundary. Total system and available free memory, as indicated by the DOS CHKDSK program, will have decreased by 1,536 bytes. Interrupt 1A will be hooked by the virus. Also at this time, Minsk Ghost will infect COMMAND.COM if it was not previously infected. Once the Minsk Ghost is memory resident, it will infect .COM and .EXE programs when they are executed or opened for any reason. Infected programs will have a file length increase of 1,450 to 1,478 bytes with the virus being located at the end of the file. The Minsk Ghost may reinfect previously infected programs, adding an additional 1,450 bytes. However, all but 3 to 31 bytes of the file length increase will be hidden by the virus when it is resident in memory. The file's date in the DOS disk directory listing will have been altered to 13-07-82. The following text string is visible within the viral code in all Minsk Ghost infected programs: "MINSK GHOST,1991" It is unknown what Minsk Ghost may do besides replicate.