Virus Name: Paturuzu
V Status: Rare
Discovered: April, 1994
Symptoms: .COM file growth; TSR
Eff Length: 1,024 Bytes
Type Code: PRsC - Parasitic Resident .COM Infector
Detection Method: ViruScan, F-Prot, IBMAV, Sweep, AVTK,
NAV, NAVDX, VAlert, PCScan, ChAV,
AVTK/N, NProt, NShld, Sweep/N, IBMAV/N, NAV/N, LProt,
Removal Instructions: Delete infected files
The Paturuzu or Paturuzu.1024 virus was received from Argentina in
April, 1994. It is a memory resident infector of .COM programs,
but not COMMAND.COM.
When the first Paturuzu infected program is executed, this virus will
install itself memory resident as a low system memory TSR of 1,360
bytes, hooking interrupts 13 and 21.
Once the virus is memory resident, it will infect .COM programs when
they are executed. Infected programs will have a file length increase
of 1,024 bytes with the virus being located at the beginning of the
file. The program's date and time in the DOS disk directory listing
will not be altered. The following text string is visible within the
Known variant(s) of Paturuzu are:
Paturuzu.931: A later version of the Paturuzu virus described
above, this variant becomes memory resident at the top of
system memory but below the 640K DOS boundary when the first
infected program is executed. Total system and available
free memory will have decreased by 1,920 bytes, and interrupt
21 will be hooked by the virus. Also at this time, the
virus will infect the copy of COMMAND.COM located in the C:
drive root directory if it wasn't previously infected. Once
resident, the virus infects .COM programs when they are
executed. Infected programs will have a file length increase
of 931 bytes, though the file length increase will not be
visible when the virus is memory resident. The file's date
and time in the DOS disk directory listing may disappear, and
the seconds field will have been set to "58". The following
text strings are encrypted within the viral code:
"Huijaaa!! La proxima vez sera tarde..."
"Si sos MENEMISTA reza por tus discos."
">> Virus PatoruzU 2.0 - Argentina <<"
When the virus is memory resident, the DOS CHKDSK program
will detect file allocation errors on all infected files.
Origin: Argentina May, 1994.