Annres Virus
Virus Name: Annres
Aliases: Annres.553
V Status: New
Discovery: January, 1996
Symptoms: .COM file growth; decrease in available free memory
Origin: Unknown
Eff Length: 553 Bytes
Type Code: PRhCK - Parasitic Resident .COM Infector
Detection Method: ChAV, F-Prot, AVTK, IBMAV, ViruScan, PCScan, NAV, NAVDX, Innoc, AVTK/N, IBMAV/N, NShld, NAV/N 2.0 9612+
Removal Instructions: Delete infected files
General Comments:
The Annres or Annres.553 virus was received in January, 1996,
along with two variants. Their origin or point of isolation
is unknown. Annres is a memory resident infector of .COM files,
including COMMAND.COM. It does not infect very small .COM files.
When the first Annres infected program is executed, this virus
will install itself memory resident at the top of system memory
but below the 640K DOS boundary, not moving interrupt 12's
return. Available free memory, as indicated by the DOS CHKDSK
program from DOS 5.0, will have decreased by 1,168 bytes.
Interrupt 21 will be hooked by the virus in memory.
Once this virus is memory resident, it will infect .COM files
when they are executed. Infected files will have a file length
increase of 553 bytes with the virus being located at the end
of the file. The program's date and time in the DOS disk
directory listing will not be altered. The following text
string is encrypted within the viral code:
"Greetings to TRON, Sirius and MAN on the Moon!
[Mem-Annihilator II-*-v1.00-*-1994]"
It is unknown what this virus may do besides replicate.
Known variant(s) of Annres are:
Annres.1052: Received in January, 1996, this is a 1,052 byte
variant of the Annres virus described above. Its size in
memory is 2,160 bytes, hooking interrupt 21. It infects .COM
files when they are executed, adding 1,052 bytes to the file's
length. The virus will be located at the end of the file. The
program's date and time in the DOS disk directory listing will
not be altered. The following text string is encrypted within
the viral code:
"Greetings to TRON, Sirius and Man on the Moon!"
"THANX to Dark Angel and PS"
"Your harddisk has been infected with Mem-Annihilator II-*-v1.02-*-1994"
"Greetings to all virus writers elsewhere!"
Origin: Unknown January, 1996.