Semtex Virus


 Virus Name:  Semtex 
 Aliases:   
 V Status:    Rare 
 Discovered:  September, 1991 
 Symptoms:    .COM file growth; decrease in total system and available free 
              memory; screen display 
 Origin:      Czechoslovakia 
 Eff Length:  1,000 Bytes 
 Type Code:   PRhCK - Parasitic Resident .COM Infector 
 Detection Method:  Sweep, AVTK, F-Prot, NAVDX, VAlert, 
                    IBMAV, NAV, ViruScan, PCScan, ChAV, 
                    LProt, Sweep/N, NShld, Innoc, NProt, AVTK/N, NAV/N, 
                    IBMAV/N 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Semtex virus was discovered in September, 1991.  It is originally 
       from Czechoslovakia.  Semtex is a memory resident infector of .COM 
       files, including COMMAND.COM. 
 
       When the first Semtex infected program is executed on a system, 
       Semtex will install itself memory resident at the top of system 
       memory but below the 640K DOS boundary.  Total system and available 
       free memory, as indicated by the DOS CHKDSK program, will decrease 
       by 4,080 bytes.  The memory size returned by interrupt 12 will not be changed.  Semtex 
       will hook interrupts 8 and 21.  Also at this time, Semtex will 
       infect COMMAND.COM. 
 
       Once Semtex is memory resident, it will infect .COM programs when 
       they are executed or opened for any reason.  In the case of copying 
       programs from one directory to another, both the source and target 
       copy of the .COM program will be infected. 
 
       Programs infected with Semtex will increase in size by 1,000 bytes. 
       The virus will be located at the end of infected files.  There will 
       be no visible change to the file's date and time in the DOS disk 
       directory listing.  The following text string can be found within 
       the viral code in infected programs: 
 
               "S E M T E X  by Dusan Toman, CZECHOSLOVAKIA 
                (7)213-040 or (804)213-23" 
  
       This string is not displayed by the virus. 
 
       After Semtex has been memory resident for 60 minutes, it will 
       produce a screen display.  Each cursor position on the screen display 
       will be changed to contain a colored background and an ASCII 
       character.  The effect is a multi-color flashing screen of very 
       small rectangles.  The user can return the screen to normal by 
       pressing a key on the keyboard. 
 
       Known variant(s) of Semtex are: 
       Semtex-B: A 1,000 byte variant of the Semtex virus, this 
                 variant's size in memory is 4,080 bytes, hooking 
                 interrupt 21.  It infects .COM programs when they are 
                 executed or opened for any reason.  Infected programs 
                 will have a file length increase of 1,000 bytes with the 
                 virus being located at the end of the file.  The file 
                 length increase is not hidden when the virus is memory 
                 resident.  The program's date and time in the DOS disk 
                 directory listing will not be altered.  The following text 
                 string is visible within the viral code in all Semtex-B 
                 infected programs: 
                 "S E M T E X  by Dusan Toman, CZECHOSLOVAKIA 
                  ***  Have a nice day  ***" 
                 System hangs may occur when infected programs are executed. 
                 Origin:  Czechoslovakia  December, 1992. 
       Semtex-C: A 619 byte variant of the Semtex virus, this variant's 
                 size in memory is 4,080 bytes, hooking interrupts 08 and 
                 21.  It infects .COM programs when they are executed or 
                 opened for any reason.  Infected programs will have a 
                 file length increase of 619 bytes with the virus being 
                 located at the end of the file.  The file length increase 
                 is not hidden when the virus is memory resident.  The 
                 program's date and time in the DOS disk directory listing 
                 will not be altered.  The following text string is visible 
                 within the viral code in all Semtex-C infected programs: 
                 "S E M T E X  by Dusan Toman, CZECHOSLOVAKIA 
                 (7)213-040 or (804)213-23" 
                 System hangs may occur when infected programs are 
                 executed. 
                 Origin:  Czechoslovakia  December, 1992. 
       Semtex-D: A 1,000 byte variant of the Semtex virus, this 
                 variant's size in memory is 4,080 bytes, hooking 
                 interrupts 08 and 21.  It infects .COM programs when they 
                 are executed or opened for any reason.  Infected programs 
                 will have a file length increase of 1,000 bytes with the 
                 virus being located at the end of the file.  The file 
                 length increase is not hidden when the virus is memory 
                 resident.  The program's date and time in the DOS disk 
                 directory listing will not be altered.  The following text 
                 string is visible within the viral code in all Semtex-D 
                 infected programs: 
                 "S E M T E X  by Dusan Toman, CZECHOSLOVAKIA 
                 (7)213-040 or (804)213-23" 
                 System hangs may occur when infected programs are executed. 
                 Origin:  Czechoslovakia  December, 1992. 
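
A file-level check built from the characteristics listed above (virus appended at the end of the file, at most 1,000 bytes long, text string present in the viral code). This is an added example, not part of the original entry or of any scanner named in it. The function names and the filler sample bytes are constructed for illustration, and it assumes the text is stored as plain ASCII.

```python
import re
import sys
from typing import Optional

# Largest infection length the entry lists (1,000 bytes; Semtex-C is 619).
# The entry places the virus at the end of the file, so only the tail is searched.
TAIL_WINDOW = 1000

# Assumption: the text is stored as plain ASCII. Whitespace is matched loosely
# because the entry's spacing and line breaks may not match the bytes on disk.
CREDIT = re.compile(rb"S\s*E\s*M\s*T\s*E\s*X\s+by\s+Dusan\s+Toman,\s*CZECHOSLOVAKIA")
SECOND_LINE = (
    ("Semtex-B", re.compile(rb"\*\*\*\s+Have\s+a\s+nice\s+day\s+\*\*\*")),
    ("Semtex, Semtex-C or Semtex-D",
     re.compile(rb"\(7\)213-040\s+or\s+\(804\)213-23")),
)


def classify_com_image(data: bytes) -> Optional[str]:
    """Return a variant label if the Semtex text sits in the file's tail."""
    tail = data[-TAIL_WINDOW:]
    credit = CREDIT.search(tail)
    if credit is None:
        return None
    rest = tail[credit.end():]
    for label, pattern in SECOND_LINE:
        if pattern.search(rest):
            return label
    return "Semtex text, second line not as listed"


def constructed_sample(second_line: bytes, body_len: int) -> bytes:
    """Constructed test input: filler host + filler 'body' holding only the text."""
    text = b"S E M T E X  by Dusan Toman, CZECHOSLOVAKIA\r\n" + second_line
    body = text + b"\x00" * (body_len - len(text))
    return b"\x90" * 3000 + body


if __name__ == "__main__":
    # Usage: python semtex_check.py FILE.COM [FILE.COM ...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, classify_com_image(fh.read()) or "no Semtex text in tail")
```

A match only shows that the entry's text string is present near the end of the file. It cannot separate Semtex, Semtex-C and Semtex-D, which the entry distinguishes by length (619 versus 1,000 bytes) rather than by text.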
