Revenge Attacker Virus
Virus Name: Revenge Attacker
Aliases: 777, Revenge
V Status: Rare
Discovery: June, 1991
Symptoms: .COM file growth; DIR command problems; system hang;
hard disk format
Eff Length: 1,127 Bytes
Type Code: PRsCK - Parasitic Resident .COM Infector
Detection Method: ViruScan, F-Prot, Sweep, AVTK, NAV,
IBMAV, NAVDX, VAlert, PCScan, ChAV,
NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N,
Removal Instructions: Delete infected files
The Revenge Attacker, or 777, virus was received in June, 1991.
It originated in the Philipines. Revenge Attacker is a memory
resident generic infector of .COM programs, including COMMAND.COM.
It is a very destructive virus when it activates.
The first time a program infected with Revenge Attacker is executed,
the virus will install itself memory resident as a low system memory
TSR of 1,392 bytes. Interrupt 21 will be hooked by the virus.
COMMAND.COM will also be infected by the virus at this time.
Once Revenge Attacker is memory resident, it will infect one .COM
program each time an infected program is executed. Infected
programs will increase in size by 1,127 bytes with the virus being
located at the end of the infected program. Infected programs
will also have their date and time in the disk directory updated to
the system date and time when infection occurred.
Infected programs will be marked by the virus with the text string
"777" being found in the fourth through sixth bytes of infected
files. There are two other text strings which appear in infected
"*** 777 - Revenge Attacker V1.01 ***"
Revenge Attacker's low system memory TSR is not used for file
infection, but will interfer with system operation when some DOS
internal commands are issued. For example, issuing a DIR command
when Revenge Attacker is memory resident will result in a directory
display with the first directory entry repeated in place of each
actual directory entry. After a DIR command, the system will hang.
After all .COM programs in the current directory are infected,
Revenge Attacker will activate. At this time it will display the
first text string indicated above, followed by repeated 7's across
the screen. While it is displaying the message and writing the 7's
to the screen, it will overwrite the system hard disk starting with
Side 0, Cylinder 1, Sector 0. Fat corruption, directory
corruption, and file loss may result even if the user turns off
the computer immediately when the message is displayed.