Shanghai Virus


 Virus Name:  Shanghai 
 Aliases:    
 V Status:    Rare 
 Discovered:  May, 1993 
 Symptoms:    .COM file growth; file date/time seconds = "62" 
              decrease in total system & available free memory 
 Origin:      China 
 Eff Length:  848 Bytes 
 Type Code:   PRhCK - Parasitic Resident .COM Infector 
 Detection Method:  ViruScan, F-Prot, AVTK, NAV, Sweep, 
                    IBMAV, NAVDX, VAlert, PCScan, ChAV, 
                    NShld, Sweep/N, NAV/N, AVTK/N, NProt, IBMAV/N, Innoc, 
                    LProt 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Shanghai virus was submitted in May, 1993, and is originally 
       from China.  Shanghai is a memory resident infector of .COM 
       programs, including COMMAND.COM. 
 
       When the first Shanghai-infected program is executed, the Shanghai 
       virus will install itself memory resident at the top of system 
       memory but below the 640K DOS boundary, without changing the value 
       returned by interrupt 12.  Total system and available free memory, 
       as indicated by the DOS CHKDSK program, will have decreased by 
       2,048 bytes.  Interrupt 21 will be hooked by Shanghai in memory. 
 
       Once memory resident, the Shanghai virus will infect three .COM 
       programs in the current directory each time a DOS DIR command is 
       issued.  Shanghai does not infect programs when they are executed. 
  
       Programs infected with the Shanghai virus will have a file length 
       increase of 848 bytes with the virus being located at the end of 
       the file.  The program's date and time in the DOS disk directory 
       listing will appear to be unaltered, but the seconds field will 
       have been set to "62".  The following text strings can be 
       found within the viral code in all Shanghai-infected programs: 
 
               "????????COM" 
               "*.COM" 
               "ShangHai Railway Institute" 
 
       It is unknown what Shanghai may do besides replicate. 
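
The two on-disk symptoms above (seconds field of "62" and the strings in the last 848 bytes) can be checked mechanically. The following is an added example, not part of the original entry: it decodes raw 32-byte FAT directory entries, where seconds are stored in 2-second units so a raw value of 31 reads as 62, and it assumes the strings appear as plain ASCII in the appended code. All function names and sample entries are constructed for illustration.

```python
import struct

VIRUS_LEN = 848  # effective length from the entry
MARKERS = (b"????????COM", b"*.COM", b"ShangHai Railway Institute")

def decode_dos_time(word):
    """Split a 16-bit FAT time word into (hour, minute, second)."""
    # Seconds occupy 5 bits in 2-second units, so raw 31 decodes to the
    # impossible "62" that the entry lists as a symptom.
    return (word >> 11) & 0x1F, (word >> 5) & 0x3F, (word & 0x1F) * 2

def parse_dir_entry(entry):
    """Parse a 32-byte FAT directory entry; None for unused or non-file slots."""
    if len(entry) != 32:
        raise ValueError("a FAT directory entry is exactly 32 bytes")
    name, ext, attr, time_w, _date, _clus, size = struct.unpack("<8s3sB10xHHHI", entry)
    if name[0] in (0x00, 0xE5) or attr & 0x18:  # free, deleted, label or directory
        return None
    return {"name": name.decode("ascii", "replace").rstrip(),
            "ext": ext.decode("ascii", "replace").rstrip(),
            "time": decode_dos_time(time_w), "size": size}

def has_seconds_marker(entry):
    """True for a .COM file whose seconds field reads 62."""
    info = parse_dir_entry(entry)
    return bool(info) and info["ext"] == "COM" and info["time"][2] == 62

def tail_has_strings(data):
    """True if all three strings sit in the last 848 bytes of a file image."""
    if len(data) <= VIRUS_LEN:
        return False
    tail = data[-VIRUS_LEN:]
    return all(m in tail for m in MARKERS)

def make_entry(name, ext, hour, minute, raw_sec, size):
    """Build a constructed directory entry (sample data for the demo)."""
    time_w = (hour << 11) | (minute << 5) | raw_sec
    return struct.pack("<8s3sB10xHHHI", name.ljust(8).encode(),
                       ext.ljust(3).encode(), 0x20, time_w, 0x1A21, 2, size)

if __name__ == "__main__":
    # Constructed entries, not taken from a real disk.
    clean = make_entry("EDIT", "COM", 12, 30, 15, 4096)
    marked = make_entry("FORMAT", "COM", 12, 30, 31, 4096 + VIRUS_LEN)
    for e in (clean, marked):
        print(parse_dir_entry(e), has_seconds_marker(e))
```

A seconds value of 62 only flags a candidate file; the string check on the file's last 848 bytes is what ties it to the description in this entry.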
