Mr_Gu Virus
Virus Name: Mr_Gu
Aliases: Mr_Gu.545
V Status: New
Discovered: July, 1995
Symptoms: .COM file growth; decrease in available free memory
Origin: Unknown
Eff Length: 545 Bytes
Type Code: PRhCK - Parasitic Resident .COM Infector
Detection Method: NAV, NAVDX, IBMAV, VAlert, AVTK, ViruScan, ChAV, F-Prot, PCScan, NAV/N, IBMAV/N, AVTK/N, NProt, NShld, Innoc
Removal Instructions: Delete infected files
General Comments:
The Mr_Gu virus was received in July, 1995. Its origin or point
of isolation is unknown. Mr_Gu is a memory resident infector of
.COM files, including COMMAND.COM.
When the first Mr_Gu infected program is executed, the virus will
install itself memory resident at the top of system memory but below
the 640K DOS boundary, without changing the memory size returned by
interrupt 12. Available free memory, as indicated by the DOS CHKDSK
program from DOS 5.0, will have decreased by 1,616 bytes. Interrupt 21
will be hooked by the virus in memory.
Once the Mr_Gu virus is memory resident, this virus will infect all
of the .COM files in the current directory when a DOS COPY command
is executed. Infected files will have a file length increase of
545 bytes with the virus being located at the end of the file. The
program's date and time in the DOS disk directory listing will not
be altered. The following text strings are visible within the viral
code:
"*.com"
"Mr.Gu"
Known variant(s) of Mr_Gu are:
Mr_Gu.635: Received in January, 1996, this is a 635 byte version
of the Mr_Gu virus described above. Its size in memory is also
1,616 bytes, hooking interrupt 21. It infects .COM files, but
not COMMAND.COM, when they are executed, opened, or copied.
Infected files will have a file length increase of 635 bytes with
the virus being located at the end of the file. The program's
date and time in the DOS disk directory listing will not be
altered. The following text strings are encrypted within the
viral code:
"*.com"
"COMMAND.COM"
"Mr.Gu"
Origin: Unknown January, 1996.
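
The on-disk traits listed above for the 545-byte Mr_Gu (a 545-byte growth, the virus at the end of the file, the visible strings "*.com" and "Mr.Gu", and an unchanged date and time) can be turned into a triage check for a directory of .COM files. This is an added example, not part of the original entry and not the signature of any product named under Detection Method; the function names and the baseline size manifest are assumptions, and the string check does not apply to Mr_Gu.635, whose strings are encrypted.

```python
import os

VIRUS_LEN = 545                  # file length increase stated in the entry
MARKERS = (b"*.com", b"Mr.Gu")   # strings the entry says are visible in the code

def tail_markers(data):
    """Markers present in the last VIRUS_LEN bytes, where the entry places the virus."""
    if len(data) <= VIRUS_LEN:   # too small to hold a host program plus the appended body
        return []
    tail = data[-VIRUS_LEN:]
    return [m for m in MARKERS if m in tail]

def triage(data, baseline_size=None):
    """'suspect' if every marker is in the tail; 'review' if only some are,
    or if the file grew by exactly VIRUS_LEN over a known-good size; else 'clean'."""
    found = tail_markers(data)
    grew = baseline_size is not None and len(data) - baseline_size == VIRUS_LEN
    if len(found) == len(MARKERS):
        return "suspect"
    if grew or found:
        return "review"
    return "clean"

def scan_dir(root, baseline=None):
    """Triage every .COM file under root. baseline (hypothetical manifest) maps
    upper-case file names to known-good sizes; the entry says the directory date
    and time are not altered, so size is compared instead of timestamps."""
    baseline = baseline or {}
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(".com"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                verdict = triage(fh.read(), baseline.get(name.upper()))
            if verdict != "clean":
                report[path] = verdict
    return report

if __name__ == "__main__":
    # Constructed samples: filler bytes only, no viral code.
    host = b"\x90" * 1000
    fake_tail = (b"*.com" + b"\x00" * 20 + b"Mr.Gu").ljust(VIRUS_LEN, b"\x00")
    print(triage(host))                                # clean
    print(triage(host + fake_tail, 1000))              # suspect
    print(triage(host + b"\x00" * VIRUS_LEN, 1000))    # review
```

A "suspect" or "review" result is a reason to check the file with a scanner that detects Mr_Gu, not a confirmed detection.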