Revelation Virus

Virus Name: Revelation Aliases: V Status: Rare Discovery: August, 1993 Symptoms: .COM file growth; file allocation errors; decrease in total system & available free memory Origin: Unknown Eff Length: 4,096 Bytes Type Code: PRhCK - Parasitic Resident .COM Infector Detection Method: ViruScan, NAV, NAVDX, AVTK 7.68+, NShld, NAV/N, AVTK/N 7.68+ Removal Instructions: Delete infected files General Comments: The Revelation virus was received in August, 1993. Its origin or point of isolation is unknown. Revelation is a memory resident stealth virus which infects .COM programs, including COMMAND.COM. It employs an encryption mechanism similar to that used by the "Fish" virus. When the first Revelation infected program is executed, this virus will install itself memory resident at the top of system memory but below the 640K DOS boundary, not moving interrupt 12's return. Total system and available free memory, as indicated by the DOS CHKDSK program, will have decreased by 32,768 bytes. Interrupts 21 and 22 will be hooked by Revelation in memory. Once memory resident, Revelation infects .COM programs over 4,096 bytes in size when a DOS DIR command is executed. The virus does not always infect the .COM files it encounters, sometimes it will just add 10 bytes to the end of the file. Programs infected with the 4096 virus will have a file length increase of 4,096 bytes, though 4,086 bytes of this file length increase will be hidden by the virus when it is memory resident. The virus will be located at the end of the file, and the file's date and time in the DOS disk directory listing will not be altered. The following text strings are encrypted within the Revelation viral code: "Genesis" "Revelation Virus Alpha" "COMMAND.COM" "Exodus" "Copyright (c) 1991 by Transvisionary" Systems infected with the Revelation virus will experience the DOS CHKDSK program indicating file allocation errors on all infected files when the virus is memory resident. See: Fish