Akuku Virus
Virus Name: Akuku
Aliases:
V Status: Rare
Discovery: January, 1991
Symptoms: .COM & .EXE growth; "Error in EXE file" message;
Unexpected drive accesses
Origin: USSR
Eff Length: 891 Bytes
Type Code: PNAK - Parasitic Non-Resident .COM & .EXE Infector
Detection Method: F-Prot, ViruScan, Sweep, NAVDX, VAlert,
AVTK, NAV, IBMAV, PCScan, ChAV,
NShld, Sweep/N, Innoc, NProt, AVTK/N, LProt, NAV/N,
IBMAV/N
Removal Instructions: Delete infected files
General Comments:
The Akuku virus was isolated in January, 1991, and comes from the
USSR. This virus is a non-resident direct action infector of .COM
and .EXE files, including COMMAND.COM.
When a program infected with Akuku is executed, the virus will
infect three programs in the current directory. If three uninfected
programs cannot be found in the current directory, the virus will
search the disk directory of the current drive, as well as the C:
drive. Both .COM and .EXE programs may become infected, as well as
COMMAND.COM. Programs smaller than 1K will not be infected by this
virus. Infected programs will increase in length by 891 to 907
bytes, with the virus located at the end of the infected file.
The file date and time in the disk directory will not be altered by
the virus.
The following text string is contained within the viral code, and
can be found in all infected programs:
"A kuku, Nastepny komornik !!!"
Some .EXE programs will fail to execute properly after infection by
the Akuku virus. These programs may display an "Error in EXE file"
message and terminate when the user attempts to execute them.
Known variant(s) of Akuku are:
Akuku-3: Functionally equivalent to the original Akuku virus,
this variant has three bytes which differ. It does not
switch to the C: drive to infect files after all the
candidate files on the current drive have been infected.
Origin: Unknown January, 1992
Columbus: Based on the Akuku virus, Columbus is another variant
of the virus. It will infect one .COM program located in the
current directory each time an infected program is executed,
including COMMAND.COM. Columbus infected programs will have
a file length increase of 512 bytes with the virus being
located at the end of the file. On October 12th, execution
of an infected program will result in the following message
being repeatedly displayed on the system monitor while the
virus reads the entire system hard disk:
"Columbus Raped America. Now I Rape your Hard Disk."
The message is not visible in infected files as it is
encrypted within the viral code. The following additional
text strings are also encrypted within the viral code:
"*.COM Berlin, Md"
"NOT!! The procedure is a bit off. Hehe"
Origin: Maryland, United States November, 1992.
Cop-Mpl: Cop-Mpl is a variant of the Akuku virus described
above. It will infect three .COM or .EXE programs each
time an infected program is executed. If the virus does
not find three programs to infect on the current drive, it
will search and infect programs in the C: drive's directory
structure. Programs infected with Cop-Mpl will have a file
size increase of 1,113 to 1,128 bytes with the virus being
located at the end of the file. The following text string
can be found within the viral code:
"Sorry, I'm copmpletly dead."
Systems infected with Cop-Mpl may experience very long
program loads, or the current drive may be changed
unexpectedly to the C: drive.
Origin: Unknown November, 1991.
Metal Thunder: Metal Thunder was submitted from Europe in
May, 1991. This variant is from Italy. Programs infected
with this variant will increase in size by 892 to 908 bytes.
Unlike the original virus, Metal Thunder will infect only one
program in the current directory when an infected program is
executed. The text string has been changed to:
"(c) by Metal Thunder IVRL MI"
Systems infected with the Metal Thunder variant may
experience frequent system hangs.
Origin: Italy May, 1991
Wilbur: Based on the Akuku virus, Wilbur is another variant of
the virus. It will infect one .COM program located in the
current directory each time an infected program is executed.
It will not infect COMMAND.COM. Wilbur infected programs
will have a file length increase of 512 bytes with the virus
being located at the end of the file. Systems infected with
Wilbur will occasionally have the following message
displayed when an infected program is executed:
"Wilbur sez Hi!"
The message is not visible in infected files as it is
encrypted.
Origin: Unknown May, 1992.
Wilbur-B: Based on the Wilbur variant described above, this is a
very minor variant. The following text strings are encrypted
within the viral code:
"*.COM"
"Wilbur sez Hi!"
"Origin: Berlin, Maryland 7Apr92"
"????????COM"
"COMMAND.COM"
Origin: Maryland, United States November, 1992.
Wilbur-C: Based on the Wilbur variant described above, this
variant has been altered to avoid detection. The following
text strings are encrypted within the viral code:
"*.COM"
"Wilbur sez Hi!"
"Origin: Berlin, Maryland 7Apr92"
Origin: Maryland, United States November, 1992.
Wilbur 2: Based on the Wilbur-C variant, this variant of Wilbur
also adds 512 bytes to the .COM programs it infects. There
are two distinct versions of the virus which may be
replicated from a Wilbur 2 sample. The first version will
occasionally display the following message:
"Wilbur sez Hi!"
The second version will occasionally display one of the
following messages:
"I am not an Animal. I am a Human Being!"
"I am not an Animal. I am Wilbur!"
"I am not Akuku. I am a Human Being!"
"I am not Akuku. I am Wilbur!"
The following text strings are encrypted within the viral
code in infected programs:
"I am not"
"I am"
"Wilbur sez Hi!"
"Akuku."
"an Animal."
"Wilbur!"
"a Human Being!"
Origin: Maryland, United States November, 1992.
Wilbur 3: Based on the Wilbur 2 variant described above, this
variant activates in the Spring of any year, primarily during
the month of April. In April, execution of an infected
program may result in the following message being displayed
repeatedly, scrolling down the screen, while the virus
accesses the system hard disk:
"Wilbur sez: Formatting your disk. Please stand by."
The virus doesn't actually format the system hard disk in
the sample tested. The message is not visible in infected
programs as it is encrypted.
Origin: Maryland, United States November, 1992.
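
Added example (not part of the original entry, and not code from any scanner listed above): a tail-of-file check for the three text strings this entry describes as readable in infected programs (Akuku, Metal Thunder, Cop-Mpl). The labels, function names and sample data are this example's own; the Columbus and Wilbur strings are encrypted in infected files, so this check does not cover them.

```python
import os

# Strings the entry lists as readable (not encrypted) in infected files.
# The labels are this example's own names, not official scanner names.
MARKERS = {
    "Akuku": b"A kuku, Nastepny komornik !!!",
    "Metal Thunder": b"(c) by Metal Thunder IVRL MI",
    "Cop-Mpl": b"Sorry, I'm copmpletly dead.",
}
# The virus sits at the end of the host; the largest growth the entry gives
# for these three is 1,128 bytes (Cop-Mpl), so only that tail is examined.
TAIL_WINDOW = 1128
TARGET_EXTENSIONS = (".com", ".exe")


def scan_bytes(data):
    """Return the labels of every marker present in the tail of data."""
    tail = data[-TAIL_WINDOW:]
    return sorted(name for name, sig in MARKERS.items() if sig in tail)


def scan_tree(root):
    """Map each .COM/.EXE path under root to its marker hits (hits only)."""
    findings = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(TARGET_EXTENSIONS):
                continue
            path = os.path.join(folder, name)
            with open(path, "rb") as handle:
                # Seek to the tail so large programs are not read in full.
                size = handle.seek(0, os.SEEK_END)
                handle.seek(max(0, size - TAIL_WINDOW))
                hits = scan_bytes(handle.read())
            if hits:
                findings[path] = hits
    return findings


def constructed_sample(marker, growth=891, host_size=2048):
    """Constructed test data: dummy host bytes plus filler holding marker."""
    body = marker + b"\x00" * (growth - len(marker))
    return b"\x90" * host_size + body


if __name__ == "__main__":
    print(scan_bytes(constructed_sample(MARKERS["Akuku"])))
    print(scan_tree("."))
```

Because the entry notes that the directory date and time are not altered, file timestamps are no help here; the string match and the growth in length are the usable indicators.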