Virus Name: Scroll
V Status: Rare
Discovered: October, 1992
Symptoms: .COM file growth; file time seconds set to "62"; decrease
in total system & available free memory; file allocation
error; .BAT files overwritten
Eff Length: 795 - 1,306 Bytes
Type Code: PRhCK - Parasitic Resident .COM Infector
Detection Method: ViruScan, AVTK, F-Prot, Sweep, IBMAV, NAVDX,
NAV, VAlert, PCScan, ChAV,
NShld, LProt, Sweep/N, Innoc, AVTK/N, NAV/N, IBMAV/N,
Removal Instructions: Delete infected files
The Scroll virus was received from Manchester, England in October,
1992. Scroll is a memory resident infector of .COM programs,
including COMMAND.COM. It employs some stealth techniques to
avoid the user noticing the file infections.
The first time a program infected by the Scroll virus is executed,
the Scroll virus will install itself memory resident at the top of
system memory but below the 640K DOS boundary. Total system and
available free memory, as indicated by the DOS CHKDSK program, will
have decreased by 3,008 bytes. Interrupt 21 will be hooked by
Scroll in memory.
Once memory resident, the Scroll virus will infect .COM programs,
including COMMAND.COM, when they are executed or opened for any
reason. Infected programs will have a file length increase of
795 to 1,306 bytes which the virus will hide when it is memory
resident. The Scroll virus will be located at the end of infected
programs. The seconds field in the file's date and time in the DOS
disk directory will have been set to "62", the infection marker for
the virus. The following text strings are encrypted within the
"[SCROLL] ICE-9 ARcV"
Systems infected with the Scroll virus may notice that the DOS
CHKDSK program will detect file allocation errors when the Scroll
virus is memory resident. It will also occassionally overwrite
.BAT files, permanently corrupting them.
Known variant(s) of Scroll are:
Scroll.600: Received in January, 1996, this is a 600 byte
non-resident variant of Scroll. It infects all of the .COM
files in the current directory, except very small ones and
COMMAND.COM, when an infected program is executed. Infected
programs will have a file length increase of 600 bytes with
the virus being located at the end of the file. The program's
date and time in the DOS disk directory listing will not
appear to be altered, though the seconds field will have been
changed to "52". The following text strings are visible within
the viral code:
".. *.* *.COM"
Origin: Unknown January, 1996.