PC Flu-2 Virus
Virus Name: PC Flu-2
Aliases: Flu-2
V Status: Rare
Discovered: January, 1992
Symptoms: .COM & .EXE growth; TSR; possible system hangs; keyboard
input omissions
Origin: Poland
Eff Length: 2,112 - 2,126 Bytes
Type Code: PRsAK - Parasitic Resident .COM Infector
Detection Method: ViruScan, AVTK, F-Prot, Sweep, NAV, PCScan,
IBMAV, NAVDX, VAlert, ChAV,
NShld, Sweep/N, Innoc, AVTK/N, NAV/N, IBMAV/N, NProt,
LProt
Removal Instructions: Delete infected files
General Comments:
The PC Flu-2 virus was received in January, 1992. Its origin is
Poland. PC Flu-2 is a memory resident infector of .COM and .EXE
programs, including COMMAND.COM. This virus does not function
properly on 386 computers, and execution of infected files on those
systems will result in a system hang.
The first time a program infected with PC Flu-2 is executed, the
PC Flu-2 virus will install itself memory resident as a low system
memory TSR of 6,192 bytes. Interrupts 21 and 27 will be hooked by
the PC Flu-2 virus in memory.
Once the PC Flu-2 virus is memory resident, it will infect .COM and
.EXE programs, including COMMAND.COM, when they are executed or
opened for any reason. Infected .COM files will have a file length
increase of 2,112 bytes with the virus being located at the
beginning of the infected file. Infected .EXE programs will have a
file length increase of 2,112 to 2,126 bytes with the virus being
located at the end of the infected file. In either case, the file's
date and time in the DOS disk directory listing will not have been
updated by the PC Flu-2 virus.
PC Flu-2 is an encrypted virus and no text strings will be visible
within the viral code in infected programs.
It is unknown what PC Flu-2 does besides replicate.
Known variants of PC Flu-2 are:
PC Flu-2B: A 2,141 byte variant of the PC Flu-2 virus, this
variant adds 2,141 to 2,157 bytes to the .EXE programs
it infects. In addition to the 6,192 byte TSR installed
by the virus, there is a small portion of the virus
placed in high system memory which hooks interrupts 08
and 09. This variant interfers with keyboard input so
that characters typed on the system keyboard may not
appear. The following text string is encrypted within
the virus:
"PC-FLU Mk II by Wizard 1991"
Origin: Poland April, 1992.
PC Flu-2D: A later version of PC Flu-2B, this variant adds
2,134 to 2,148 bytes to the .EXE programs it infects.
It contains the same encrypted text string as PC Flu-2B,
and also interfers with keyboard input.
Origin: Poland April, 1992.
PC Flu-2E: Similar to PC Flu-2D, this variant also adds 2,134 to
2,148 bytes to the .EXE programs it infects. It is
different in that it only infects .EXE programs when they
are executed. It contains three text strings which are
encrypted within the viral code:
"PC-FLU Mk II by Wizard 1991"
"-FLU Mk II by Wizard 1991"
"Incorrect DOS Version"
Origin: Poland April, 1992.
PC Flu-2F: A 2,156 byte variant of PC Flu-2, this variant
infects .COM and .EXE programs, including COMMAND.COM,
when they are opened or executed. Infected .COM
programs will have a file length increase of 2,156 bytes
with the virus being located at the beginning of the
file. Infected .EXE programs will increase in size by
2,156 to 2,170 bytes with the virus being located at the
end of the infected file. This variant does not interfer
with keyboard input.
Origin: Poland April, 1992.
See: PC Flu