Plovdiv 1.1 Virus
Virus Name: Plovdiv 1.1
V Status: Rare
Discovered: November, 1991
Symptoms: .COM file growth; file allocation errors; program error
Eff Length: 800 Bytes
Type Code: PRCK - Parasitic Resident .COM Infector
Detection Method: ViruScan, Sweep, AVTK, F-Prot, ChAV,
NAV, IBMAV, NAVDX, VAlert, PCScan,
NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N,
Removal Instructions: Delete infected files
The Plovdiv 1.1 virus was received in November, 1991. It is
originally from Poland. Plovdiv 1.1 is a memory resident infector
of .COM files, including COMMAND.COM.
The first time a program infected with Plovdiv 1.1 is executed,
Plovdiv 1.1 will install itself memory resident in the DOS System
Data area in memory. It will hook interrupts 1E, 21, and 22.
There will be no change in total system and available free
memory as indicated by the DOS CHKDSK program.
After the Plovdiv 1.1 virus has become memory resident, it will
infect one .COM file in the current directory each time any
program is executed, a DIR command is performed, or a .BAT file
is executed. It will also infect .COM files if they are opened
for any reason.
Programs infected with Plovdiv 1.1 will have a file length increase
of 800 bytes, though the file length increase will be hidden when
the virus is memory resident. The virus will be located at the
beginning of infected files. There will be no change to the
file's date and time in a DOS directory listing. The following
text strings will appear within the viral code in infected files:
"(C)Damage inc.Ver 1.1,Plovdiv,1991"
Symptoms of a Plovdiv 1.1 infection are that the DOS CHKDSK program
will indicate file allocation errors on all infected files if it
is executed with the virus memory resident. Programs which expect
command line input may also return error messages and fail to
It is unknown if Plovdiv 1.1 does anything besides replicate.
See: Plovdiv 1.3