Alexander Virus


 Virus Name:  Alexander 
 Aliases:    
 V Status:    Rare 
 Discovery:   October, 1992 
 Symptoms:    .COM & .EXE file growth; decrease in total system & available 
              free memory 
 Origin:      Romania 
 Eff Length:  1,951 - 1,965 Bytes 
 Type Code:   PRhAK - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  ViruScan, Sweep, IBMAV, AVTK, F-Prot, 
                    NAV, NAVDX, VAlert, PCScan, ChAV, 
                    NShld, Sweep/N, LProt, AVTK/N, NProt, NAV/N, Innoc, 
                    IBMAV/N 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Alexander virus was received in October, 1992.  It appears to 
       be from Romania.  Alexander is a memory resident infector of .COM 
       and .EXE programs, including COMMAND.COM. 
 
       The first time a program infected with the Alexander virus is 
       executed, the Alexander virus will install itself memory resident 
       at the top of system memory but below the 640K DOS boundary.  Total 
       system and available free memory, as indicated by the DOS CHKDSK 
       program, will have decreased by 3,088 bytes.  Interrupts 08, 21 
       and 27 will be hooked by Alexander in memory. 
 
       Once the Alexander virus is memory resident, it will infect .COM 
       and .EXE programs, including COMMAND.COM, when they are executed, 
       copied, or opened for any reason.  Infected .COM programs will 
       increase in size by 1,951 bytes.  Infected .EXE programs will 
       increase in size by 1,951 to 1,965 bytes.  In both cases the virus 
       will be located at the end of the file.  The program's date and 
       time in the DOS disk directory listing will not be altered.  The 
       following text strings are visible in the viral code in all 
       infected programs: 
 
               "ALEX0302" 
               "COMMAND.COM" 
 
       The following additional text is encrypted within the viral, and 
       hence not visible within infected programs: 
 
               "Apa depistata in microprocesor 
                Functionarea poate fi compromisa 
                Se recomanda oprirea calculatorului 
                citeva ore pentru uscare" 
               "Alexander" 
               "Constanata" 
               "Romania" 
 
       It is unknown what Alexander does besides replicate. 
 
       Known variant(s) of Alexander are: 
       Alexander.2104: Received in July, 1994, Alexander.2104 is a 2,104 
                byte variant of the Alexander virus described above.  Like 
                the original virus, it infects .COM and .EXE programs, 
                including COMMAND.COM, when they are executed, opened, or 
                copied.  Infected .COM files increase in size by 2,104 bytes 
                while .EXE programs increase in size by 2,104 to 2,118 bytes. 
                In both cases, the virus will be located at the end of the 
                file and the program's date and time in the DOS disk 
                directory listing will not be altered.  The following text 
                string is visible within the viral code: 
                "COMMAND.COM !!" 
                Origin:  Unknown  July, 1994. 
 
       See:   CB-1530   Dark Avenger

Show viruses from discovered during that infect .

Main Page