Scramble Virus

Virus Name: Scramble Aliases: Scramble.1253 V Status: New Discovered: January, 1995 Symptoms: .COM file growth; slow output to DOS DIR command; decrease in total system & available free memory Origin: Unknown Eff Length: 1,253 Bytes Type Code: PRhCK - Parasitic Resident .COM Infector Detection Method: AVTK, IBMAV, ViruScan, Sweep, F-Prot, NAVDX, VAlert, NAV, PCScan, ChAV, AVTK/N, NShld, Sweep/N, IBMAV/N, NAV/N, NProt, LProt, Innoc 4.0+ Removal Instructions: Delete infected files General Comments: The Scramble or Scramble.1253 virus was received in December, 1994. Its origin or point of isolation is unknown. Scramble is a memory resident infector of .COM files, including COMMAND.COM. It may be based on either the Flip or Tequila viruses. When the first Scramble infected program is executed, this virus will install itself memory resident at the top of system memory but below the 640K DOS boundary, not moving interupt 12's return. The virus will be located at address 9F00 in memory. It prevents some memory mapping utilities from functioning properly, including some versions of the DOS CHKDSK program. Once the Scramble virus is memory resident, it will infect .COM programs when they are executed or when a DOS DIR command is issued. Infected .COM files will have a file length increase of 1,253 bytes, though this file length increase will be hidden when the virus is memory resident. The virus will be located at the end of all infected files. The program's date and time in the DOS disk directory listing will not be altered. The following text strings are encrypted within the viral code: "BEER and TEQUILA forever !" "[Scramble] By Nikademus" "Read CRYPT Today!." The DOS DIR command will be sluggish on all infected systems.