More-649 Virus
Virus Name: More-649
Aliases:
V Status: Rare
Discovered: March, 1993
Symptoms: .COM file growth; decrease in total system & available free
memory; file date/time seconds set to "60"
Origin: England
Eff Length: 649 Bytes
Type Code: PRhCK - Parasitic Resident .COM Infector
Detection Method: Sweep, AVTK, F-Prot, ViruScan, IBMAV, ChAV, NAV, NAVDX,
VAlert, PCScan, Sweep/N, NShld, AVTK/N, NProt, IBMAV/N, Innoc, NAV/N, LProt
Removal Instructions: Delete infected files
General Comments:

The More-649 virus was submitted in March, 1993, and is from
England. More-649 is a memory resident fast infector of .COM
programs, including COMMAND.COM.

When the first More-649 infected program is executed, the More-649
virus will install itself memory resident at the top of system
memory but below the 640K DOS boundary, hooking interrupt 21. Total
system and available free memory, as indicated by the DOS CHKDSK
program, will have decreased by 2,048 bytes. Interrupt 12's return
will not have been moved.

Once the More-649 virus is memory resident, it will infect .COM
programs when they are executed or opened for any reason. Infected
programs will have a file length increase of 649 bytes with the
virus being located at the end of the file. The file's date and
time in the DOS disk directory listing will not appear to be
altered, though the seconds field will have been set to "60". The
More-649 virus is unable to determine when it has previously
infected a file, so it will reinfect already infected programs,
adding an additional 649 bytes with each reinfection.
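
The seconds marker does not show in a directory listing, but it is visible in the raw FAT directory entry, where the low five bits of the time word hold seconds in 2-second units. The following is an added example, not part of the original entry: it scans raw 32-byte directory entries for .COM files whose seconds decode to 60 and, given a known-clean size, counts the 649-byte reinfections. The function names, the sample directory and the baseline size are constructed for illustration.

```python
import struct

VIRUS_LEN = 649       # growth per infection, from the entry
MARKER_SECONDS = 60   # seconds value the entry reports on infected files

def dos_time(h, m, s):
    """Pack a DOS time word: hours<<11 | minutes<<5 | seconds/2."""
    return (h << 11) | (m << 5) | (s // 2)

def make_entry(name, ext, time_word, size):
    """Build a constructed 32-byte FAT directory entry (test data only)."""
    head = name.ljust(8).encode("ascii") + ext.ljust(3).encode("ascii")
    # attribute 0x20 (archive), 10 reserved bytes, then time, date, cluster, size
    return head + bytes([0x20]) + bytes(10) + struct.pack("<HHHI", time_word, 0x1A6F, 2, size)

def scan_directory(directory, baseline=None):
    """Return [(filename, seconds, infections)] for .COM entries carrying the marker.

    baseline is an optional {filename: known-clean size}; infections is None
    when no baseline is known or the growth is not a multiple of 649.
    """
    baseline = baseline or {}
    hits = []
    for off in range(0, len(directory) - 31, 32):
        entry = directory[off:off + 32]
        if entry[0] == 0x00:                       # end of directory
            break
        if entry[0] == 0xE5 or entry[11] & 0x18:   # deleted, volume label or subdirectory
            continue
        name = entry[0:8].decode("ascii", "replace").rstrip()
        ext = entry[8:11].decode("ascii", "replace").rstrip()
        time_word = struct.unpack_from("<H", entry, 22)[0]
        size = struct.unpack_from("<I", entry, 28)[0]
        seconds = (time_word & 0x1F) * 2           # 5-bit field; 0-58 is the valid range
        if ext != "COM" or seconds != MARKER_SECONDS:
            continue
        growth = size - baseline.get(f"{name}.{ext}", size)
        infections = growth // VIRUS_LEN if growth > 0 and growth % VIRUS_LEN == 0 else None
        hits.append((f"{name}.{ext}", seconds, infections))
    return hits

# Constructed sample: a clean .COM, a twice-infected .COM, and a non-.COM file.
SAMPLE = b"".join([
    make_entry("EDIT", "COM", dos_time(12, 0, 30), 413),
    make_entry("FORMAT", "COM", dos_time(5, 0, 60), 22717 + 2 * VIRUS_LEN),
    make_entry("NOTES", "TXT", dos_time(9, 15, 60), 100),
]) + bytes(32)

if __name__ == "__main__":
    print(scan_directory(SAMPLE, {"FORMAT.COM": 22717}))
```
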

The following text strings are encrypted within the More-649 viral
code:

"OH NO NOT MORE ARCV."
"[MoRE] ICE-9"

It is unknown what More-649 may do besides replicate.