Quango Virus


 Virus Name:  Quango 
 Aliases:     Quango.3000 
 V Status:    New 
 Discovery:   July, 1995 
 Symptoms:    .COM file growth; file date/time seconds = "62" 
 Origin:      Unknown 
 Eff Length:  3,000 Bytes 
 Type Code:   PRhCK - Parasitic Resident .COM Infector 
 Detection Method: VAlert, AVTK, NAV, NAVDX, IBMAV, ViruScan, PCScan, 
                   F-Prot, ChAV, 
                   NAV/N, IBMAV/N, NShld, AVTK/N, NProt, LProt, Innoc 4.0+ 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Quango virus was received in July, 1995.  Its origin or point 
       of isolation is unknown.  Quango is a memory resident infector of 
       .COM files, including COMMAND.COM. 
 
       When the first Quango infected program is executed, this virus will 
       install itself memory resident at the top of system memory but below 
       the 640K DOS boundary, not moving interrupt 12's return.  Available 
       free memory, as indicated by the DOS CHKDSK program from DOS 5.0, 
       will have decreased by 4,064 bytes.  Interrupt 21 will be hooked by 
       the virus in memory. 
 
       Once the Quango virus is memory resident, it will infect up to three 
       .COM files when a DOS DIR command is issued, as well as infect 
       up to three .COM files when a program is executed.  Programs infected 
       with the Quango virus will have a file length increase of 3,000 bytes 
       with the virus being located at the end of the file.  The file's 
       date and time in the DOS disk directory listing will not appear to 
       be altered, though the seconds field will have been set to "62".  The 
       following text strings are visible within the viral code: 
 
           "*.COM" 
           "????????COM" 
           "COMSPEC=C:\COMMAND.COM PROMPT=$p$g LISPHEAP=40000 
            LISPSTACK=5000 CLIPPER=F35;R70; AC=ac BC=bc" 
           "PATH=C:\NU;C:\NU;D:\CLIP;D:\FOX;C:\MZ;D:\TC;D:\TC\LIB; 
            D:\TC\HEADER;C:\VIRUS;C:\DOS;C:\ACAD;D:\NU;C:\ACAD\SHADE;" 
 
       Additionally, the following text strings from the Turbo-C compiler 
       used by the author of this virus also appear in the viral code: 
 
           "Turbo-C - Copyright (c) 1988 Borland Intl. Divide error" 
           "Abnormal program termination" 
 
       It is unknown what Quango may do besides replicate. 

Show viruses from discovered during that infect .

Main Page