Virus Name: Scramble
V Status: New
Discovered: January, 1995
Symptoms: .COM file growth; slow output to DOS DIR command;
decrease in total system & available free memory
Eff Length: 1,253 Bytes
Type Code: PRhCK - Parasitic Resident .COM Infector
Detection Method: AVTK, IBMAV, ViruScan, Sweep, F-Prot, NAVDX, VAlert,
NAV, PCScan, ChAV,
AVTK/N, NShld, Sweep/N, IBMAV/N, NAV/N, NProt, LProt,
Removal Instructions: Delete infected files
The Scramble or Scramble.1253 virus was received in December, 1994.
Its origin or point of isolation is unknown. Scramble is a memory
resident infector of .COM files, including COMMAND.COM. It may
be based on either the Flip or Tequila viruses.
When the first Scramble infected program is executed, this virus
will install itself memory resident at the top of system memory but
below the 640K DOS boundary, not moving interupt 12's return. The
virus will be located at address 9F00 in memory. It prevents some
memory mapping utilities from functioning properly, including some
versions of the DOS CHKDSK program.
Once the Scramble virus is memory resident, it will infect .COM
programs when they are executed or when a DOS DIR command is
issued. Infected .COM files will have a file length increase of
1,253 bytes, though this file length increase will be hidden when
the virus is memory resident. The virus will be located at the
end of all infected files. The program's date and time in the DOS
disk directory listing will not be altered. The following text
strings are encrypted within the viral code:
"BEER and TEQUILA forever !"
"[Scramble] By Nikademus"
"Read CRYPT Today!."
The DOS DIR command will be sluggish on all infected systems.