November 17th Virus
Virus Name: November 17th
Aliases: 855, Nov 17
V Status: Rare
Discovered: January, 1992
Symptoms: .COM & .EXE growth; decrease in total system & available free
memory
Origin: Italy
Eff Length: 855 Bytes
Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan, F-Prot, Sweep, AVTK, NAV,
IBMAV, NAVDX, VAlert, PCScan, ChAV,
NShld, Sweep/N, Innoc, NProt, AVTK/N, LProt, NAV/N,
IBMAV/N
Removal Instructions: Delete infected files
General Comments:
The November 17th virus was received in January, 1992. Its origin
or point of original isolation was originally unknown, but it has
since been reported as being widespread in Rome, Italy, in December,
1991. November 17th is a memory resident infector of .COM and .EXE
programs, including COMMAND.COM.
The first time a program infected with November 17th is executed,
this virus will install itself memory resident at the top of system
memory but below the 640K DOS boundary. Total system and available
free memory, as indicated by the DOS CHKDSK program, will have
decreased by 896 bytes. Interrupt 12's return will not have been
moved. Interrupts 09 and 21 will be hooked.
Once the November 17th virus is memory resident, it will infect
.COM and .EXE programs, including COMMAND.COM, when they are
opened or executed. Infected programs will have a file length
increase of 855 bytes with the virus being located at the end of
the infected file. There will be no visible change to the file's
date and time in a DOS disk directory listing. One text string can
be found within the viral code of all November 17th infected
programs:
"SCAN.CLEAN.COMEXE"
The November 17th virus overwrites the system hard disk when it
activates on November 17th of any year.
Known variant(s) of November 17th are:
Nov 17.522: A 522 byte variant of the November 17th virus,
this virus decreases available free memory, as indicated
by the DOS CHKDSK program from DOS 5.0, by 896 bytes. It
hooks interrupts 13 and 21. Infected .COM programs will
have a file length increase of 522 to 536 bytes with the
virus being located at the end of the file. The
program's date and time in the DOS disk directory listing
will not be altered. The following text string is
visible within the viral code:
"COM"
Origin: Unknown July, 1995.
Nov 17-768: A 768 byte variant of the November 17th virus,
this virus decreases total system and available free
memory by 800 bytes when it is memory resident. It
does not hook interrupt 09. Infected programs will
have a file length increase of 768 bytes with the
virus being located at the end of the infected file.
Origin: Unknown May, 1992.
Nov 17.800.C: An 800 byte variant of the November 17th virus,
this virus decreases available free memory, as indicated
by the DOS CHKDSK program from DOS 5.0, by 832 bytes. It
does not hook interrupt 09. Infected .COM and .EXE files
will have a file length increase of 800 bytes with the
virus being located at the end of the infected file.
The following text string is visible within the viral
code:
"CHK SCAN.CLEAN.COMEXE"
Origin: Unknown July, 1995.
Nov 17-880: An 880 byte variant of the November 17th virus,
this variant decreases total system and available free
memory by 928 bytes when it is memory resident. It
hooks interrupts 09 and 21. Infected programs will have
a file length increase of 880 bytes with the virus being
located at the end of the file. The following text
string is contained within the viral code:
"SCAN.CLEAN.COMEXEAMZ"
Nov 17-880 activates from November 17th thru December
31st of any year, at which time is will trash the
current drive and the C: drive.
Origin: Unknown November, 1992.
Nov 17.900.B: A 900 byte variant of the November 17th virus,
this virus decreases available free memory, as indicated
by the DOS CHKDSK program from DOS 5.0, by 1,024 bytes,
hooking interrupt 21. Infected .EXE files will have a
file length increase of 900 bytes with the virus being
located at the end of the infected file. The file's date
and time in the DOS disk directory listing will have been
updated to the current system date and time when
infection occurred. The following text strings are
encrypted within the viral code:
"SCANCLEAVIRSF-PRCPAV"
"Press a key to go on"
Origin: Unknown July, 1995.
Nov 17.900.C: Received in July, 1995, this variant is similar
to Nov 17.900.B. It contains the following encrypted
text string:
"SCANCLEAVIRSF-PRCPAV"
Origin: Unknown July, 1995.
Nov 17.1061: Received in January, 1996, this is a 1,061 byte
variant of the November 17th virus. Its size in memory
is 1,136 bytes, hooking interrupts 09 and 21. It
infects .COM and .EXE files, including COMMAND.COM, when
they are executed or opened, but not when copied.
Infected files will have a file length increase of 1,061
bytes with the virus being located at the end of the
file. The program's date and time in the DOS disk
directory listing will not be altered. The following
text string is encrypted within the viral code:
"SCAN.CLEAN.COMEXE"
This variant will not infect files named SCAN or CLEAN.
Origin: Unknown January, 1996.
November 17th-B: Based on the original November 17th virus,
this variant also adds 855 bytes to the .COM and .EXE
programs it infects. Infected .EXE programs will
usually hang the system, though infected .COM programs
will function properly.
Origin: Unknown September, 1992.