Virus Name: ShadowByte
Aliases: Shadow, Shadow-2
V Status: Rare
Discovered: May, 1991
Symptoms: .COM file growth
Eff Length: 713 Bytes
Type Code: PNCK - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan, F-Prot, Sweep, AVTK, IBMAV, NAV,
NAVDX, VAlert, PCScan, ChAV,
NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N,
Removal Instructions: Delete infected files
The ShadowByte, or Shadow, virus was isolated in May, 1991. Its
origin is unknown. ShadowByte is a non-resident generic infector of
.COM programs, it will infect COMMAND.COM.
When a program infected with ShadowByte is executed, it will infect
one program in the current directory. If COMMAND.COM is in the
current directory, it may become infected.
.COM programs, other than COMMAND.COM, will increase in length by
713 bytes when they are infected by ShadowByte. COMMAND.COM will
increase in size by 723 bytes if it becomes infected. In both
cases, the virus will be located at the end of the infected
program. There will be no change to the file date and time in the
Programs infected with ShadowByte will contain two text strings:
The virus' name comes from the first string above, which when
reversed says "Shadowbyte Lives!".
It is unknown if ShadowByte does anything besides replicate.
Known variant(s) of ShadowByte are:
Shadow-2: A smaller version of the Shadow virus, Shadow-2 adds
635 bytes to infected files. The following text strings
can be found in infected files:
"!sevil etybwodahS*.COM ????????."
Origin: Unknown November, 1991.