Perfume Virus


 Virus Name:  Perfume 
 Aliases:     765, 4711, G-Virus 
 V Status:    Common 
 Discovered:  December, 1989 
 Symptoms:    .COM growth; decrease in total system & available free 
              memory; messages 
 Origin:      Germany 
 Eff Length:  765 Bytes 
 Type Code:   PRhCK - Parasitic Resident .COM Infector 
 Detection Method:  ViruScan, F-Prot, AVTK, NAV, Sweep, IBMAV, 
                    NAVDX, VAlert, PCScan, ChAV, 
                    NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, NAV/N, 
                    IBMAV/N 
 Removal Instructions:  F-Prot, NAV, or delete infected files 
 
 General Comments: 
       The Perfume virus is of German origin, and has also been isolated 
       in Poland in December, 1989.  This virus infects .COM files, 
       including COMMAND.COM. 
 
       The first time a program infected with the Perfume virus is executed, 
       the Perfume virus will install itself memory resident at the top of 
       system memory but below the 640K DOS boundary.  Total system and 
       available free memory, as indicated by the DOS CHKDSK program, will 
       have decreased by 1,024 bytes.  Interrupt 21 will be hooked by the 
       virus in memory.  Also at this time, the Perfume virus will infect 
       COMMAND.COM if it was not previously infected. 
 
       Once the Perfume virus is memory resident, it will infect .COM 
       programs when they are executed.  Infected programs will have a 
       file length increase of 765 bytes with the virus being located at 
       the end of the file.  The program's date and time in the DOS disk 
       directory listing will not be altered.  One text string is visible 
       in all infected files is: 
 
               "\COMMAND.COM" 
   
       The virus will sometimes ask the system user a question, and then 
       not run the infected program unless the system user responds by 
       typing 4711, the name of a German perfume.  In the most common 
       variant of this virus, however, the questions have been overwritten 
       with miscellaneous characters. 
 
       Known variant(s) of Perfume are: 
       G-Virus 1.2: A later version of the Perfume virus described 
                    above, this variant's size in memory is also 1,024 
                    bytes, hooking interrupt 21.  As with the original 
                    virus, it infects COMMAND.COM when it becomes memory 
                    resident if it was not previously infected.  G-Virus 
                    1.2 infects .COM programs when they are executed, adding 
                    653 bytes to their length.  The virus will be located 
                    at the end of the file, and the file's date and time 
                    in the DOS disk directory listing will not be altered. 
                    The following text strings are visible within the viral 
                    code in all G-Virus 1.2 infected files: 
                    "G-VIRUS V1.2" 
                    "Schon mal was von G-Virus geh”rt ?" 
                    "\COMMAND.COM" 
                    G-Virus V1.2 will display the second line of text above 
                    as a message on the system display each time an infected 
                    program is executed. 
                    Origin:  Unknown  April, 1993. 
 
       See:   Sorry

Show viruses from discovered during that infect .

Main Page