Plovdiv 1.3 Virus
Virus Name: Plovdiv 1.3
V Status: Rare
Discovered: November, 1991
Symptoms: .COM & .EXE growth; file allocation errors; program error
messages; decrease in total system and available free
Eff Length: 1,000 Bytes
Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan, AVTK, Sweep, F-Prot, PCScan,
NAV, IBMAV, NAVDX, VAlert, ChAV,
NShld, Sweep/N, Innoc, NProt, AVTK/N, NAV/N, IBMAV/N,
Removal Instructions: Delete infected files
The Plovdiv 1.3 virus was received in November, 1991. It is
originally from Poland. Plovdiv 1.3 is a memory resident infector
of .COM and .EXE files, including COMMAND.COM.
The first time a program infected with Plovdiv 1.3 is executed,
Plovdiv 1.3 will install itself memory resident at the top of system
memory but below the 640K DOS boundary. Interrupts 21 and 22 will
be hooked. Total system and available free memory, as indicated
by the DOS CHKDSK program, will have decreased by 1,344 bytes.
Interrupt 12's return will not have been moved. Plovdiv 1.3 will
also infect COMMAND.COM at this time, if it was not previously
After the Plovdiv 1.3 virus has become memory resident, it will
infect one .COM or .EXE file in the current directory each time
any program or .BAT file is executed, a DIR command is performed,
as well as when program files are opened for any reason.
Programs infected with Plovdiv 1.3 will have a file length increase
of 1,000 bytes, though the file length increase will be hidden when
the virus is memory resident. The virus will be located at the
end of infected files. There will be no change to the file's date
and time in a DOS directory listing. The following text strings
will appear within the viral code in infected files:
"(C)Damage inc. Ver 1.3 1991 Plovdiv S.A."
Symptoms of a Plovdiv 1.3 infection are that the DOS CHKDSK program
will indicate file allocation errors on all infected files if it
is executed with the virus memory resident. Programs which expect
command line input may also return error messages and fail to
It is unknown if Plovdiv 1.3 does anything besides replicate.
Known variant(s) of Plovdiv 1.3 are:
Plovdiv 1.3B: Based on Plovdiv 1.3, this variant uses 1,840
bytes of memory, hooking interrupts 21 and 22. Like
Plovdiv 1.3, it infects .COM and .EXE programs when
programs are executed, DOS DIR command issued, or a .BAT
file is executed. Once it completes infecting all of
the programs in the current directory, it will start
infecting the C: drive. The following text string can
be found within the viral code in infected programs:
"(c)Damage inc. S.A. Ver 1.3B IX.91 Plovdiv".
Origin: Poland May, 1992.
See: Plovdiv 1.1