Plovdiv 1.3 Virus


 Virus Name:  Plovdiv 1.3 
 Aliases:     Plov 
 V Status:    Rare 
 Discovered:  November, 1991 
 Symptoms:    .COM & .EXE growth; file allocation errors; program error 
              messages; decrease in total system and available free 
              memory 
 Origin:      Poland 
 Eff Length:  1,000 Bytes 
 Type Code:   PRhAK - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  ViruScan, AVTK, Sweep, F-Prot, PCScan, 
                    NAV, IBMAV, NAVDX, VAlert, ChAV, 
                    NShld, Sweep/N, Innoc, NProt, AVTK/N, NAV/N, IBMAV/N, 
                    LProt 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Plovdiv 1.3 virus was received in November, 1991.  It is 
       originally from Poland.  Plovdiv 1.3 is a memory resident infector 
       of .COM and .EXE files, including COMMAND.COM. 
 
       The first time a program infected with Plovdiv 1.3 is executed, 
       Plovdiv 1.3 will install itself memory resident at the top of system 
       memory but below the 640K DOS boundary.  Interrupts 21 and 22 will 
       be hooked.  Total system and available free memory, as indicated 
       by the DOS CHKDSK program, will have decreased by 1,344 bytes. 
       Interrupt 12's return will not have been moved.  Plovdiv 1.3 will 
       also infect COMMAND.COM at this time, if it was not previously 
       infected. 
 
       After the Plovdiv 1.3 virus has become memory resident, it will 
       infect one .COM or .EXE file in the current directory each time 
       any program or .BAT file is executed, a DIR command is performed, 
       as well as when program files are opened for any reason. 
 
       Programs infected with Plovdiv 1.3 will have a file length increase 
       of 1,000 bytes, though the file length increase will be hidden when 
       the virus is memory resident.  The virus will be located at the 
       end of infected files.  There will be no change to the file's date 
       and time in a DOS directory listing.  The following text strings 
       will appear within the viral code in infected files: 
 
               "*.*" 
               "(C)Damage inc. Ver 1.3 1991 Plovdiv S.A." 
 
       Symptoms of a Plovdiv 1.3 infection are that the DOS CHKDSK program 
       will indicate file allocation errors on all infected files if it 
       is executed with the virus memory resident.  Programs which expect 
       command line input may also return error messages and fail to 
       function properly. 
 
       It is unknown if Plovdiv 1.3 does anything besides replicate. 
 
       Known variant(s) of Plovdiv 1.3 are: 
       Plovdiv 1.3B: Based on Plovdiv 1.3, this variant uses 1,840 
                 bytes of memory, hooking interrupts 21 and 22.  Like 
                 Plovdiv 1.3, it infects .COM and .EXE programs when 
                 programs are executed, DOS DIR command issued, or a .BAT 
                 file is executed.  Once it completes infecting all of 
                 the programs in the current directory, it will start 
                 infecting the C: drive.  The following text string can 
                 be found within the viral code in infected programs: 
                 "(c)Damage inc. S.A. Ver 1.3B IX.91 Plovdiv". 
                 Origin: Poland  May, 1992. 
 
       See:   Plovdiv 1.1 

Show viruses from discovered during that infect .

Main Page