Scythe Virus


 Virus Name:  Scythe 
 Aliases:    
 V Status:    Rare 
 Discovered:  October, 1992 
 Symptoms:    .COM file growth; file date/time change; decrease in total 
              system & available free memory; file allocation errors 
 Origin:      England 
 Eff Length:  1,208 Bytes 
 Type Code:   PRCK - Parasitic Resident .COM Infector 
 Detection Method:  ViruScan, AVTK, F-Prot, Sweep, IBMAV, 
                    NAV, NAVDX, VAlert, PCScan, 
                    NShld, Sweep/N, AVTK/N, NAV/N, NProt, IBMAV/N, LProt 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Scythe virus was received from Manchester, England in October, 
       1992.  Scythe is a memory resident infector of .COM programs, 
       including COMMAND.COM.  It employs some stealth techniques to 
       avoid the user noticing the file infections, and is a fast file 
       infector. 
 
       The first time a program infected by the Scythe virus is executed, 
       the Scythe virus will install itself memory resident at the top of 
       system memory but below the 640K DOS boundary.  Total system and 
       available free memory, as indicated by the DOS CHKDSK program, will 
       have decreased by 3,008 bytes.  Interrupt 21 will be hooked by 
       Scythe in memory. 
 
       Once memory resident, the Scythe virus will infect .COM programs, 
       including COMMAND.COM, when they are executed or opened for any 
       reason.  Infected programs will have a file length increase of 
       1,208 bytes which the virus will usually hide when it is memory 
       resident (note: it doesn't always do this).  The Scythe virus will 
       be located at the end of infected programs.  The file's date and 
       time in the DOS disk directory listing will have been altered.  The 
       date will be different, and the time will be set to 10:56.18.  The 
       following text strings are encrypted within the viral code:  
  
               "This is the Scythe for Reaper Man." 
               "Beware I`m Sharp!" 
               "Made in England by Apache Warrior, ARCV Pres." 
               "Scythe Ver. 1.01 (c) Apache Warrior 92." 
               "Reaper Man Swung The SCYTHE and the PC Died!" 
               "[SCYTHE] Apache Warrior, ARCV Pres." 
 
       Systems infected with the Scythe virus may notice that the DOS 
       CHKDSK program will detect file allocation errors when the Scythe 
       virus is memory resident. 
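
The timestamp indicator described above can be checked offline against raw FAT directory records, where a resident Interrupt 21 hook cannot alter what is read. The following is an added example, not part of the original entry: it assumes "10:56.18" means 10:56:18, the function names are hypothetical, and the sample records are constructed. A match is a candidate for further scanning, since a clean file can carry the same time by coincidence.

```python
import struct

# Indicator from the entry above: infected .COM files get the time 10:56.18,
# read here as 10:56:18 (assumption about the notation).
MARK = (10, 56, 18)

def decode_fat_time(t):
    """Decode a 16-bit FAT time word: 5 bits hour, 6 bits minute, 5 bits seconds/2."""
    return (t >> 11) & 0x1F, (t >> 5) & 0x3F, (t & 0x1F) * 2

def scan_directory(raw):
    """Return [(name, size)] for .COM entries stamped with MARK in raw 32-byte records."""
    hits = []
    for off in range(0, len(raw) - 31, 32):
        entry = raw[off:off + 32]
        if entry[0] == 0x00:        # end-of-directory marker
            break
        if entry[0] == 0xE5:        # deleted entry
            continue
        if entry[11] & 0x18:        # volume label, subdirectory or long-name slot
            continue
        name = entry[0:8].decode("ascii", "replace").rstrip()
        ext = entry[8:11].decode("ascii", "replace").rstrip()
        ftime = struct.unpack_from("<H", entry, 22)[0]
        size = struct.unpack_from("<I", entry, 28)[0]
        if ext == "COM" and decode_fat_time(ftime) == MARK:
            hits.append((f"{name}.{ext}", size))
    return hits

def _entry(name, ext, attr, hms, size):
    """Build one constructed directory record for the sample below."""
    h, m, s = hms
    ftime = (h << 11) | (m << 5) | (s // 2)
    fdate = ((1992 - 1980) << 9) | (10 << 5) | 1     # constructed date
    return struct.pack("<8s3sB10xHHHI", name.ljust(8).encode(),
                       ext.ljust(3).encode(), attr, ftime, fdate, 2, size)

# Constructed sample directory (names and sizes are made up).
SAMPLE = b"".join([
    _entry("GAME", "COM", 0x20, (10, 56, 18), 5208),
    _entry("EDIT", "COM", 0x20, (9, 30, 0), 4000),
    _entry("NOTES", "TXT", 0x20, (10, 56, 18), 120),
    _entry("OLDCOM", "COM", 0x10, (10, 56, 18), 0),   # subdirectory, skipped
    bytes(32),                                        # end of directory
    _entry("STALE", "COM", 0x20, (10, 56, 18), 999),  # past the end marker
])

if __name__ == "__main__":
    for name, size in scan_directory(SAMPLE):
        print(f"candidate: {name} ({size} bytes)")
```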
