Scroll Virus


 Virus Name:  Scroll 
 Aliases:     Scroll.795 
 V Status:    Rare 
 Discovered:  October, 1992 
 Symptoms:    .COM file growth; file time seconds set to "62"; decrease 
              in total system & available free memory; file allocation 
              error; .BAT files overwritten 
 Origin:      England 
 Eff Length:  795 - 1,306 Bytes 
 Type Code:   PRhCK - Parasitic Resident .COM Infector 
 Detection Method:  ViruScan, AVTK, F-Prot, Sweep, IBMAV, NAVDX, 
                    NAV, VAlert, PCScan, ChAV, 
                    NShld, LProt, Sweep/N, Innoc, AVTK/N, NAV/N, IBMAV/N, 
                    NProt 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Scroll virus was received from Manchester, England in October, 
       1992.  Scroll is a memory resident infector of .COM programs, 
       including COMMAND.COM.  It employs some stealth techniques to 
       avoid the user noticing the file infections. 
 
       The first time a program infected by the Scroll virus is executed, 
       the Scroll virus will install itself memory resident at the top of 
       system memory but below the 640K DOS boundary.  Total system and 
       available free memory, as indicated by the DOS CHKDSK program, will 
       have decreased by 3,008 bytes.  Interrupt 21 will be hooked by 
       Scroll in memory. 
 
       Once memory resident, the Scroll virus will infect .COM programs, 
       including COMMAND.COM, when they are executed or opened for any 
       reason.  Infected programs will have a file length increase of 
       795 to 1,306 bytes which the virus will hide when it is memory 
       resident.  The Scroll virus will be located at the end of infected 
       programs.  The seconds field in the file's date and time in the DOS 
       disk directory will have been set to "62", the infection marker for 
       the virus.  The following text strings are encrypted within the 
       viral code:  
  
               "[SCROLL] ICE-9 ARcV" 
               "\COMMAND.COM 
 
       Systems infected with the Scroll virus may notice that the DOS 
       CHKDSK program will detect file allocation errors when the Scroll 
       virus is memory resident.  It will also occassionally overwrite 
       .BAT files, permanently corrupting them. 
 
       Known variant(s) of Scroll are: 
       Scroll.600: Received in January, 1996, this is a 600 byte 
           non-resident variant of Scroll.  It infects all of the .COM 
           files in the current directory, except very small ones and 
           COMMAND.COM, when an infected program is executed.  Infected 
           programs will have a file length increase of 600 bytes with 
           the virus being located at the end of the file.  The program's 
           date and time in the DOS disk directory listing will not 
           appear to be altered, though the seconds field will have been 
           changed to "52".  The following text strings are visible within 
           the viral code: 
           ".. *.* *.COM" 
           "Scroll v1.0" 
           Origin:  Unknown  January, 1996.

Show viruses from discovered during that infect .

Main Page