Paturuzu Virus


 Virus Name:  Paturuzu 
 Aliases:     Paturuzu.1024 
 V Status:    Rare 
 Discovered:  April, 1994 
 Symptoms:    .COM file growth; TSR 
 Origin:      Argentina 
 Eff Length:  1,024 Bytes 
 Type Code:   PRsC - Parasitic Resident .COM Infector 
 Detection Method:  ViruScan, F-Prot, IBMAV, Sweep, AVTK, 
                    NAV, NAVDX, VAlert, PCScan, ChAV, 
                    AVTK/N, NProt, NShld, Sweep/N, IBMAV/N, NAV/N, LProt, 
                    Innoc 4.0+ 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Paturuzu or Paturuzu.1024 virus was received from Argentina in 
       April, 1994.  It is a memory resident infector of .COM programs, 
       but not COMMAND.COM. 
 
       When the first Paturuzu infected program is executed, this virus will 
       install itself memory resident as a low system memory TSR of 1,360 
       bytes, hooking interrupts 13 and 21. 
 
       Once the virus is memory resident, it will infect .COM programs when 
       they are executed.  Infected programs will have a file length increase 
       of 1,024 bytes with the virus being located at the beginning of the 
       file.  The program's date and time in the DOS disk directory listing 
       will not be altered.  The following text string is visible within the 
       viral code: 
 
               "NTOMY" 
 
       Known variant(s) of Paturuzu are: 
       Paturuzu.931: A later version of the Paturuzu virus described 
                above, this variant becomes memory resident at the top of 
                system memory but below the 640K DOS boundary when the first 
                infected program is executed.  Total system and available 
                free memory will have decreased by 1,920 bytes, and interrupt 
                21 will be hooked by the virus.  Also at this time, the 
                virus will infect the copy of COMMAND.COM located in the C: 
                drive root directory if it wasn't previously infected.  Once 
                resident, the virus infects .COM programs when they are 
                executed.  Infected programs will have a file length increase 
                of 931 bytes, though the file length increase will not be 
                visible when the virus is memory resident.  The file's date 
                and time in the DOS disk directory listing may disappear, and 
                the seconds field will have been set to "58".  The following 
                text strings are encrypted within the viral code: 
                "Huijaaa!! La proxima vez sera tarde..." 
                "Si sos MENEMISTA reza por tus discos." 
                ">> Virus PatoruzU 2.0 - Argentina <<" 
                "C:\COMMAND.COM" 
                When the virus is memory resident, the DOS CHKDSK program 
                will detect file allocation errors on all infected files. 
                Origin:  Argentina  May, 1994.

Show viruses from discovered during that infect .

Main Page