Virus Name: Revelation
V Status: Rare
Discovery: August, 1993
Symptoms: .COM file growth; file allocation errors;
decrease in total system & available free memory
Eff Length: 4,096 Bytes
Type Code: PRhCK - Parasitic Resident .COM Infector
Detection Method: ViruScan, NAV, NAVDX, AVTK 7.68+,
NShld, NAV/N, AVTK/N 7.68+
Removal Instructions: Delete infected files
The Revelation virus was received in August, 1993. Its origin or
point of isolation is unknown. Revelation is a memory resident
stealth virus which infects .COM programs, including COMMAND.COM.
It employs an encryption mechanism similar to that used by the
When the first Revelation infected program is executed, this virus
will install itself memory resident at the top of system memory
but below the 640K DOS boundary, not moving interrupt 12's return.
Total system and available free memory, as indicated by the DOS
CHKDSK program, will have decreased by 32,768 bytes. Interrupts
21 and 22 will be hooked by Revelation in memory.
Once memory resident, Revelation infects .COM programs over 4,096
bytes in size when a DOS DIR command is executed. The virus does
not always infect the .COM files it encounters, sometimes it will
just add 10 bytes to the end of the file. Programs infected with
the 4096 virus will have a file length increase of 4,096 bytes,
though 4,086 bytes of this file length increase will be hidden by
the virus when it is memory resident. The virus will be located
at the end of the file, and the file's date and time in the DOS
disk directory listing will not be altered. The following text
strings are encrypted within the Revelation viral code:
"Revelation Virus Alpha"
"Copyright (c) 1991 by Transvisionary"
Systems infected with the Revelation virus will experience the
DOS CHKDSK program indicating file allocation errors on all
infected files when the virus is memory resident.