Virus Name: Protipus
V Status: Rare
Discovery: September, 1993
Symptoms: .EXE files of 5,472 bytes; Hidden .EXE files;
file date/time changes
Eff Length: 5,472 Bytes
Type Code: SNE - Spawning or Companion .EXE Infector
Detection Method: F-Prot, ViruScan, IBMAV, Sweep, AVTK, NAV,
NShld, Sweep/N, NProt, AVTK/N, IBMAV/N, NAV/N
Removal Instructions: Delete infected files
The Protipus virus was submitted in September, 1993. Protipus is
a non-resident, direct action infector of .EXE files which uses a
technique similar to spawning or companion viruses.
When a program infected with the Protipus virus is executed, this
virus will infect one .EXE file located in the current directory.
First, the virus renames the original .EXE file so that the last
character of the base file name is now a "V". The hidden attribute
is then set so that the altered file name will not appear in a DOS
disk directory listing. The virus then creates a 5,472 byte .EXE
file with the original .EXE's file name. This 5,472 byte file
contains the Protipus viral code and will have the current system
date and time. The following text strings can be found within the
5,472 byte Protipus .EXE files:
"Sei stato contagiato dal Protipus virex!!!!"
"Conficius said: 'Arrangietes'"
Disinfection of the Protipus virus from infected systems is fairly
straight-forward. The system user should match the hidden original
.EXE files which have altered file names to the 5,472 byte .EXE
files. The 5,472 byte viral files should then be deleted, and then
the original .EXE file renamed to the correct name. Lastly, the
hidden attribute should be reset so that the file appears in the
DOS disk directory listing.