Virus Name: Pathhunt
V Status: Rare
Discovered: September, 1991
Symptoms: .COM & .EXE growth; .DBF file corruption; "Path not found" errors; program corruption
Origin: Republic of South Africa
Eff Length: 1,231 Bytes
Type Code: PNA - Parasitic Non-Resident .COM & .EXE Infector
Detection Method: ViruScan, AVTK, F-Prot, Sweep, NAV, IBMAV, NAVDX, VAlert, PCScan, ChAV, NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N,
Removal Instructions: Delete infected files

The Pathhunt Virus was discovered in the Republic of South Africa
in September, 1991 by Oliver Steudler. Pathhunt is a non-resident
direct action infector of .COM and .EXE files. It may also
corrupt .DBF files on systems with advanced infections.

When a program infected with Pathhunt is executed, Pathhunt will
search the current directory structure for three .COM programs to
infect which do not start with a JMP instruction (E9h or EBh). If
the three .COM programs are not found, it will then search the
system path looking for files to infect. If three uninfected
candidate .COM programs still have not been found, it will infect
up to three .EXE programs. Once all of the .EXE programs have
become infected, it will infect .DBF files, permanently corrupting
these data files. Additionally, Pathhunt does not always infect
programs correctly, so some programs will become corrupted and no
longer function properly.

Programs, both .COM and .EXE, infected with Pathhunt will increase
in length by 1,231 bytes with the virus being located at the end
of the infected file. There will be no change in the file's date
and time in the DOS disk directory.
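
The infection traits described above (growth of exactly 1,231 bytes with an unchanged directory date and time, and .COM files that began with E9h or EBh being passed over) can be checked against a baseline file manifest. This Python example is added here and is not part of the original entry; the manifest layout and the names `Entry`, `snapshot` and `suspect_files` are assumptions made for illustration.

```python
import os
from typing import NamedTuple

PATHHUNT_GROWTH = 1231          # effective length stated in the entry
TARGET_EXTS = (".COM", ".EXE")  # program types the entry says are infected
JMP_OPCODES = (0xE9, 0xEB)      # .COM files starting with these are passed over

class Entry(NamedTuple):        # assumed manifest record, not a real tool's format
    size: int
    mtime: int
    first_byte: int             # -1 for an empty file

def snapshot(root):
    """Record size, mtime and first byte of every .COM/.EXE file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.upper().endswith(TARGET_EXTS):
                continue
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            with open(path, "rb") as fh:
                head = fh.read(1)
            manifest[os.path.relpath(path, root)] = Entry(
                st.st_size, int(st.st_mtime), head[0] if head else -1)
    return manifest

def suspect_files(baseline, current):
    """Return paths whose change since the baseline matches the entry."""
    hits = []
    for path, old in baseline.items():
        new = current.get(path)
        if new is None:
            continue
        grew = new.size - old.size == PATHHUNT_GROWTH
        same_stamp = new.mtime == old.mtime   # date/time left unchanged
        # A .COM that started with JMP in the baseline is not a candidate
        # according to the entry, so growth there points to something else.
        passed_over = (path.upper().endswith(".COM")
                       and old.first_byte in JMP_OPCODES)
        if grew and same_stamp and not passed_over:
            hits.append(path)
    return sorted(hits)
```

Take the baseline with `snapshot()` on a known-clean system and compare it with a later snapshot; a size-only check would miss nothing here, but the timestamp condition separates this pattern from ordinary program updates.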

The Pathhunt virus' name comes from the behavior of the virus when
it infects files. Once a candidate program has been located, the
virus renames the program to PATHHUNT, infects it, and then renames
it back to its original name.