Offspring Virus
Virus Name: Offspring
Aliases: Offspring v.07
V Status: Rare
Discovered: June, 1993
Symptoms: .COM file growth; hidden .COM files created; system hangs;
decrease in total system & available free memory
Origin: Unknown
Eff Length: 1,294 Bytes
Type Code: PSRhA - Parasitic & Spawning Resident .COM & .EXE Infector
Detection Method: F-Prot, AVTK, Sweep, IBMAV, ViruScan, NAV,
NAVDX, VAlert, PCScan, ChAV,
NShld, AVTK/N, Sweep/N, IBMAV/N, Innoc, NAV/N, LProt
Removal Instructions: Delete infected files
General Comments:
The Offspring virus was submitted in June, 1993. Its origin or
point of isolation is unknown. Offspring is a memory resident
infector of .COM and .EXE programs, though the mechanism it uses
to infect the different file types is distinct for each. It does
not infect COMMAND.COM.

When the first Offspring infected program is executed, the Offspring
virus will become memory resident at the top of system memory but
below the 640K DOS boundary, hooking interrupt 21. Total system and
available free memory, as indicated by the DOS CHKDSK program, will
have decreased by 3,048 bytes. Interrupt 12's return will not be
moved.

Once the Offspring virus is memory resident, it will infect .COM
programs when they are executed, or up to five .COM files in the
current directory when a DOS DIR command is issued. Infected .COM
files will have a file length increase of 1,294 bytes with the
virus being located at the end of the file. The .COM program's
date and time in the DOS disk directory listing will not be altered.

When the Offspring virus is memory resident, it will infect up to
five .EXE files located in the current directory whenever the user
changes drives or directories. .EXE files are infected by the
virus creating a 1,294 byte companion .COM file with the same base
file name. These companion files will have the current system date
and time when they were created, and the read-only and hidden
attributes set. The .EXE files themselves will not be altered.

The following text strings are encrypted within the Offspring
viral code:

"COMMAND.COM"
"(c)1993 negoriV"
"* Thank you for providing me and my offspring with a
safe place to live *"
"* Offspring I v0.07. *"
"*.EXE *.COM"

System hangs may frequently occur when the Offspring virus is
memory resident.

Known variant(s) of Offspring are:
Offspring v.05: An earlier version of the Offspring virus
described above, this variant also is memory
resident, hooking interrupt 21. Its size in memory
is 2,096 bytes, as a TSR. It infects all of the
.EXE files in the current directory when a DOS DIR
command is issued. It also will infect .EXE files
when they are copied. In both cases, the infection
mechanism is to create a hidden companion .COM file
of 711 bytes with the same base file name. These
files have the read-only and hidden attributes set,
and the current system date and time when infection
occurred. The following text strings are encrypted
within the viral code:
"(c)1993 VG Enterprises"
"* Congratulations, You have recieved the privelge
of being infected by the"
"Offspring I v0.05."
"*.EXE \"
System hangs frequently occur when the virus is
memory resident, though primarily when a DOS DIR
command is performed.
Origin: Unknown August, 1993.
Offspring v.81: A later version of the Offspring virus described
above, this variant also is memory resident, hooking
interrupt 21. It infects up to five programs in
the current directory when any program is executed.
It first infects .EXE files, creating a hidden
companion .COM file of 1,127 to 1,177 bytes with
the same base file name. These files have the
read-only and hidden attributes set. After all of the .EXE
files are infected, it will infect .COM files with a
parasitic infection of the virus. Infected .COM
files increase in size by 1,127 to 1,177 bytes with
the virus being located at the end of the file. The
program's date and time in the DOS disk directory
listing will not be altered. The following text
strings are encrypted within the viral code:
"COMMAND.COM"
"G(c)1993 negoriV"
"OFFSPRING V0.81"
"*.EXE *.COM"
Execution of infected programs will result in the
display of the following message, although the disk's
file allocation table is not corrupted:
"File allocation table bad"
Origin: Unknown July, 1993.
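
A defender-side check for the file-system indicators described in this entry, as an added example that is not part of the original entry: it flags hidden, read-only .COM files that share a base name with an .EXE, and .COM files that grew by a reported length against a known-good baseline. The Entry record, the function names and the sample listing are assumptions constructed for illustration; the attribute bits follow the FAT directory entry format.

```python
from collections import namedtuple

# Hypothetical record for one directory entry taken from a FAT volume listing.
Entry = namedtuple("Entry", "name size attr")

ATTR_READONLY = 0x01  # FAT directory-entry attribute bits
ATTR_HIDDEN = 0x02

# Companion-file / growth sizes in bytes, as reported in this entry.
VARIANT_SIZES = {
    "Offspring v.07": range(1294, 1295),
    "Offspring v.05": range(711, 712),
    "Offspring v.81": range(1127, 1178),
}
# Variants the entry describes as appending to .COM files (v.05 only spawns).
PARASITIC = ("Offspring v.07", "Offspring v.81")

def match_variant(size):
    """Name of the variant whose reported size covers `size`, else None."""
    return next((v for v, r in VARIANT_SIZES.items() if size in r), None)

def find_companions(entries):
    """Hidden, read-only .COM files that share a base name with an .EXE."""
    by_name = {e.name.upper(): e for e in entries}
    wanted = ATTR_READONLY | ATTR_HIDDEN
    hits = []
    for name, entry in sorted(by_name.items()):
        base, dot, ext = name.rpartition(".")
        if not dot or ext != "COM" or base + ".EXE" not in by_name:
            continue
        if (entry.attr & wanted) == wanted:
            # Variant is None when the size matches no reported length.
            hits.append((name, match_variant(entry.size)))
    return hits

def find_grown_com(baseline, entries):
    """.COM files that grew by a reported length versus a known-good baseline.
    Size is compared because the directory date and time are left unchanged."""
    hits = []
    for entry in entries:
        name = entry.name.upper()
        if name.endswith(".COM") and name in baseline:
            variant = match_variant(entry.size - baseline[name])
            if variant in PARASITIC:
                hits.append((name, variant))
    return hits

# Constructed sample listing and baseline (not taken from a real system).
SAMPLE = [Entry("EDIT.EXE", 40000, 0x20), Entry("EDIT.COM", 1294, 0x23),
          Entry("GAME.EXE", 52000, 0x20), Entry("GAME.COM", 1150, 0x03),
          Entry("TOOL.EXE", 9000, 0x20), Entry("TOOL.COM", 3000, 0x20),
          Entry("FORMAT.COM", 12294, 0x20)]
BASELINE = {"FORMAT.COM": 11000, "TOOL.COM": 3000}
```

A size match alone is weak evidence; the pairing of base name, hidden and read-only attributes, and reported length is what narrows a hit to this family.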