Possessed Virus
Virus Name: Possessed
Aliases: Possessed-2443, Possessed 1.03A, Possessed 1.03B,
Possessed 1.07, Possessed 1.07B, Possessed 1.08
V Status: Rare
Discovered: June, 1991
Symptoms: .COM & .EXE growth; TSR; programs disappear; write fault
errors on COM1
Origin: Australia
Eff Length: 2,446 - 2,460 Bytes
Type Code: PRsAK - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan, F-Prot, Sweep, AVTK, NAV,
IBMAV, NAVDX, VAlert, PCScan, ChAV,
Sweep/N, LProt, NShld, Innoc, NProt, IBMAV/N,
AVTK/N, NAV/N
Removal Instructions: Delete infected files
General Comments:
The Possessed virus was isolated in June, 1991, in Australia.
Possessed is a memory resident infector of .COM and .EXE programs,
including COMMAND.COM.
When the first Possessed infected program is executed, Possessed
will become memory resident as a low system memory TSR of 3,008
bytes. Interrupts 08, 21, and 24 will be hooked by the virus in
memory. COMMAND.COM will be infected at this time, if it was not
previously infected.
After Possessed is memory resident, it will infect .COM and .EXE
programs as they are executed. Possessed will be located at the
end of all infected programs. .COM programs, with the exception
of COMMAND.COM, will increase in size by 2,446 bytes. .EXE
programs will increase in size by 2,446 to 2,460 bytes. In the
case of COMMAND.COM, there will be no file length increase when
it is infected. All infected programs will have no change in their
date and time in the disk directory.
Programs infected with Possessed will contain the following text
strings:
"POSSESSED! Bwa! ha! ha! ha! ha!
Author: JonJon Gumba of AdU"
After Possessed has been memory resident for approximately 15 to
20 minutes, it will occasionally erase a program when the system
user attempts to execute it. Additionally, attempts to copy
programs may result in the user receiving a "Write fault error
writing device COM1", even though the source and target of the
operation were disk drives.
Known variant(s) of Possessed are:
Possessed 1.03A: Possessed 1.03A is a variant of the Possessed
virus described above. This variant's TSR will be
2,912 bytes in size, hooking interrupts 08, 21, and
24. It infects COMMAND.COM when the first program
is executed after becoming memory resident, and
then infects .COM and .EXE programs when they are
executed. .COM files, other than COMMAND.COM,
increase in size by 2,367 bytes. .EXE files increase
in size by 2,367 to 2,381 bytes. COMMAND.COM will
not change in size. In all cases, the virus will be
located at the end of the infected file. Besides
the text strings indicated above for the original
virus, the text string "COMMAND.COM" will also
appear in the viral code.
Origin: Unknown January, 1992.
Possessed 1.03B: Similar to Possessed 1.03A, Possessed 1.03B's
major characteristic change is that its TSR is now
2,928 bytes in size.
Origin: Unknown January, 1992.
Possessed 1.07: Similar to the original Possessed virus, this
variant also adds 2,446 bytes to .COM files, other
than COMMAND.COM, and 2,446 to 2,460 bytes to .EXE
files. COMMAND.COM will have no change in file
length when it becomes infected when the first
program is executed after the virus becomes memory
resident. Its in-memory TSR is 2,992 bytes, hooking
interrupts 08, 21, and 24. Besides the text strings
found in the viral code in programs infected with
the original virus, two additional text strings can
be found: "*.COM" and "*.EXE".
Origin: Unknown January, 1992.
Possessed 1.07B: Similar to Possessed-2443 and Possessed 1.07,
this variant's memory resident TSR is 3,008 bytes
in length. Infected .COM files, other than
COMMAND.COM, increase in size by 2,443 bytes.
Infected .EXE files increase in size by 2,443 to
2,457 bytes. COMMAND.COM does not change in length
when it becomes infected. This variant has 17
bytes which differ from Possessed-2443.
Origin: Unknown May, 1992.
Possessed 1.08: Similar to Possessed 1.07, this variant's major
difference is that it contains one additional
text string: "Fucker".
Origin: Unknown January, 1992.
Possessed.2167: Received in February, 1995, Possessed.2167 is a
2,167 byte variant of the Possessed virus described
above. Its size in memory is 2,672 bytes, hooking
interrupts 08, 21, and 24. It infects .COM and .EXE
files, including COMMAND.COM, when they are executed.
Infected .COM files increase in size by 2,193 bytes
while .EXE files increase in size by 2,167 to 2,181
bytes. The virus will be located at the beginning of
infected .COM files, and the end of infected .EXE
files. The file's date and time in the DOS disk
directory listing will not be altered. The following
text strings are visible within the viral code in all
infected programs:
"POSSESSED! Bwa! ha! ha! ha! ha!"
"Author: JonJon Gumba of AdU"
Origin: Unknown February, 1995.
Possessed-2443: Three bytes smaller than the Possessed virus,
Possessed-2443 was received in September, 1991. Its
memory resident TSR is 2,992 bytes in length, with
interrupts 08, 21, and 24 hooked. Infected .COM
files, other than COMMAND.COM, increase in size by
2,443 bytes. Infected .EXE files increase in size
by 2,443 to 2,457 bytes. COMMAND.COM does not change
in length when it becomes infected. Possessed-2443
contains the text strings found in the original
Possessed virus.
Origin: Unknown September, 1991.