Proud Virus
Virus Name: Proud
Aliases: V1302, P1 Related
V Status: Rare
Discovery: August, 1990
Symptoms: .COM growth; decrease in total system and available memory;
FAT entry corruption
Origin: Bulgaria
Eff Length: 1,302 Bytes
Type Code: PRtCK - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan, AVTK, F-Prot, NAV, Sweep, IBMAV, NAVDX, VAlert,
PCScan, ChAV, NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, NAV/N, IBMAV/N
Removal Instructions: Delete infected files
General Comments:
The Proud, or V1302, virus was isolated in August of 1990 in
Bulgaria by Vesselin Bontchev. Proud is a memory resident infector
of .COM files, including COMMAND.COM.
The first time a program infected with Proud is executed, the virus
checks to determine if interrupt 13 is in use by another program,
and if it is, the virus will hang the system. If interrupt 13 is
not in use by another program, Proud will install itself memory
resident at the top of system memory, but below the 640K DOS
boundary. Total system memory and free available memory will
decrease by 8,192 bytes. Interrupt 2A will be replaced by the virus.
Once the virus is memory resident, it will infect .COM files within
certain candidate length ranges when they are opened for any
reason. The candidate file length ranges are:

    2,048 - 14,335 bytes
    16,384 - 30,719 bytes
    32,768 - 47,103 bytes
    49,152 - 63,487 bytes

Proud is an encrypted virus, and is unusual in that it "splits" the
.COM file being infected into two parts, placing the viral code
between the two sections. Proud also is unable to distinguish when
a file has been previously infected, so .COM files can become
infected multiple times. Each infection, with the exception of
COMMAND.COM, will add 1,302 bytes to the file length. Infected
COMMAND.COM files generally don't increase in length on the first
infection as the virus will overwrite part of the 00h area of
COMMAND.COM with the viral code.
Proud can be a damaging virus: with a probability of 1 out of 256,
it may swap entries in the file allocation table.
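
The growth figures above are enough for a size-based triage of a .COM inventory against known-clean lengths. The following is an added example, not part of the original entry or of any listed scanner; the function names and the sample inventory are constructed for illustration. It accepts a growth as Proud-consistent only when it is a whole multiple of 1,302 bytes and the file was inside a candidate range before every successive infection.

```python
# Added example: size-based triage for the Proud (V1302) growth pattern.
INFECTION_GROWTH = 1302  # bytes added per infection (from the entry)
CANDIDATE_RANGES = [     # .COM lengths the entry lists as infectable
    (2048, 14335), (16384, 30719), (32768, 47103), (49152, 63487),
]

def is_candidate(size):
    """True if a .COM file of this length falls in a listed range."""
    return any(lo <= size <= hi for lo, hi in CANDIDATE_RANGES)

def infection_count(baseline, current):
    """Number of infections that explains the growth, or 0 if none does.

    Growth must be a whole multiple of 1,302 bytes, and the file must have
    been inside a candidate range before each successive infection.
    """
    growth = current - baseline
    if growth <= 0 or growth % INFECTION_GROWTH:
        return 0
    n = growth // INFECTION_GROWTH
    sizes_before = (baseline + k * INFECTION_GROWTH for k in range(n))
    return n if all(is_candidate(s) for s in sizes_before) else 0

def triage(name, baseline, current):
    """Classify one file from its known-clean and current lengths."""
    if name.upper() == "COMMAND.COM" and current == baseline:
        # First infection may not change the length: size proves nothing.
        return "compare-contents"
    n = infection_count(baseline, current)
    if n:
        return "suspect x%d" % n
    return "changed" if current != baseline else "unchanged"

# Constructed sample inventory: (name, known-clean length, current length)
SAMPLE = [
    ("EDIT.COM", 4096, 4096 + 1302),
    ("SORT.COM", 13000, 13000 + 2 * 1302),
    ("TINY.COM", 1500, 1500 + 1302),
    ("COMMAND.COM", 25307, 25307),
]

if __name__ == "__main__":
    for name, base, cur in SAMPLE:
        print("%-12s %s" % (name, triage(name, base, cur)))
```

A "suspect" result is only a lead for a scanner or a byte-level comparison, and an unchanged COMMAND.COM length rules nothing out, so that file is always sent for a content comparison against a clean copy.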