Virus Name: Scythe
V Status: Rare
Discovered: October, 1992
Symptoms: .COM file growth; file date/time change; decrease in total
system & available free memory; file allocation errors
Eff Length: 1,208 Bytes
Type Code: PRCK - Parasitic Resident .COM Infector
Detection Method: ViruScan, AVTK, F-Prot, Sweep, IBMAV,
NAV, NAVDX, VAlert, PCScan,
NShld, Sweep/N, AVTK/N, NAV/N, NProt, IBMAV/N, LProt
Removal Instructions: Delete infected files
The Scythe virus was received from Manchester, England in October,
1992. Scythe is a memory resident infector of .COM programs,
including COMMAND.COM. It employs some stealth techniques to
avoid the user noticing the file infections, and is a fast file
The first time a program infected by the Scythe virus is executed,
the Scythe virus will install itself memory resident at the top of
system memory but below the 640K DOS boundary. Total system and
available free memory, as indicated by the DOS CHKDSK program, will
have decreased by 3,008 bytes. Interrupt 21 will be hooked by
Scythe in memory.
Once memory resident, the Scythe virus will infect .COM programs,
including COMMAND.COM, when they are executed or opened for any
reason. Infected programs will have a file length increase of
1,208 bytes which the virus will usually hide when it is memory
resident (note: it doesn't always do this). The Scythe virus will
be located at the end of infected programs. The file's date and
time in the DOS disk directory listing will have been altered. The
date will be different, and the time will be set to 10:56.18. The
following text strings are encrypted within the viral code:
"This is the Scythe for Reaper Man."
"Beware I`m Sharp!"
"Made in England by Apache Warrior, ARCV Pres."
"Scythe Ver. 1.01 (c) Apache Warrior 92."
"Reaper Man Swung The SCYTHE and the PC Died!"
"[SCYTHE] Apache Warrior, ARCV Pres."
Systems infected with the Scythe virus may notice that the DOS
CHKDSK program will detect file allocation errors when the Scythe
virus is memory resident.