Alfa Virus


 Virus Name:  Alfa 
 Aliases:    
 V Status:    Rare 
 Discovery:   November, 1991 
 Symptoms:    .COM & .EXE growth; decrease in total system & available free 
              memory 
 Origin:      USSR (for some variants) 
 Eff Length:  Varies (see below) 
 Type Code:   PRhAK - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  ViruScan, Sweep, AVTK, F-Prot, 
                    IBMAV, NAV, NAVDX, VAlert, PCScan, ChAV, 
                    NShld, Sweep/N, Innoc, NProt, AVTK/N, NAV/N, IBMAV/N, 
                    LProt 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Alfa virus is actually two closely related viruses with many 
       similiar characteristics.  The two viruses, Alfa-1150 and Alfa-1202, 
       will be described together with their differences pointed out below 
       under the "variants" section.  Both viruses were received in 
       November, 1991, and their origin is unknown. 
 
       The first time an Alfa virus is executed, it will install itself 
       memory resident at the top of system memory but below the 640K DOS 
       boundary.  Depending on which virus is present, total system and 
       available free memory, as determined by the DOS CHKDSK program, will 
       decrease by either 1,280 or 1,344 bytes.  Interrupt 21 will be 
       hooked by the virus at the top of system memory, as well as interrupt 
       01 being hooked in graphic card memory. 
 
       After an Alfa virus has become memory resident, it will infect .COM 
       and .EXE programs when they are executed, though it will not infect 
       small .COM files.  The file length increases are given below for 
       each of the viruses.  In the case of both viruses, the virus will 
       be located at the end of the infected file.  There will be no 
       change to the file's date and time in a DOS disk directory listing. 
       No text strings are visible within the viral code in infected 
       programs. 
 
       It is unknown if Alfa does anything besides replicate. 
 
       Known variant(s) of Alfa are: 
       Alfa-1150: Alfa-1150, or Yankee Doodle-1150, is the earlier 
                  variant of the Alfa virus.  It adds 1,150 to 1,165 
                  bytes to infected files.  .EXE files will be 
                  reinfected by the virus, adding an additional 1,152 
                  bytes with each reinfection.  Size in memory is 
                  1,280 bytes. 
                  Origin:  Unknown  November, 1991. 
       Alfa-1202: Alfa-1202, or Yankee Doodle-1202, is the later 
                  variant of the Alfa virus.  Unlike Alfa-1150, it does 
                  not reinfect .EXE files.  It adds 1,202 to 1,217 bytes 
                  to infected files.  Size in memory is 1,344 bytes. 
       Alfa-1712: Alfa-1712 is another variant of the Alfa virus. 
                  It becomes memory resident at the top of system memory 
                  but below the 640K DOS boundary, not moving interrupt 12's 
                  return, when the first infected program is executed. 
                  Total system and available free memory will have decreased 
                  by 3,008 bytes, and interrupt 21 will be hooked.  Once 
                  resident, it will infect .COM and .EXE programs when 
                  executed, adding 1,712 to 1,731 bytes to their length. 
                  The virus will be located at the end of the file.  The 
                  program's date and time in the DOS disk directory listing 
                  will have been changed to 14-25-12 12:01a. 
                  Origin:  USSR  July, 1992. 
       Alfa-Tired: The Alfa-Tired, or Tired, virus is another variant 
                  of the Alfa virus.  It becomes memory resident at the top 
                  of system memory but below the 640K DOS boundary, not 
                  moving interrupt 12's return, when the first infected 
                  program is executed.  Total system and available free 
                  memory will have decreased by 3,760 bytes, and interrupt 
                  21 will be hooked.  Once resident, it will infect .COM and 
                  .EXE programs when they are executed, adding 1,748 to 
                  1,766 bytes to their length.  The virus will be located at 
                  the end of the file.  The program's date and time in the 
                  DOS disk directory listing will not be altered. 
                  Origin:  USSR  July, 1992. 
       Rust: The Rust virus was received in October, 1992.  It becomes 
             memory resident when the first infected program is executed. 
             Total system and available free memory, as indicated by the DOS 
             CHKDSK program, will have decreased by 2,048 bytes, and 
             interrupt 03 will be hooked by the virus.  Interrupt 21 will 
             also be used by the virus, but will not be mapped by most 
             memory mapping utilities.  Once resident, Rust infects .COM and 
             .EXE programs when they are executed, adding 1,710 to 1,725 
             bytes to the file length.  The virus will be located at the end 
             of the file.  The programs date and time in the DOS disk 
             directory listing will not be altered.  Rust plays a three note 
             melody each time the user executes a program with the virus 
             memory resident. 
             Origin:  Unknown  October, 1992. 
            
 
       See:   Ah     Damage   Gremlin   Lucifer   Newcom   USSR 1049 
              V651   V1024

Show viruses from discovered during that infect .

Main Page