Shifter Virus

Virus Name: Shifter Aliases: V Status: Rare Discovered: February, 1993 Symptoms: .EXE file growth; Master Boot Sector Altered; decrease in total system & available free memory Origin: Unknown Eff Length: 6,672 Bytes Type Code: PRtEX - Parasitic Resident .EXE & Master Boot Sector Infector Detection Method: AVTK, Sweep, ViruScan, NAV, IBMAV, NAVDX, F-Prot, VAlert, PCScan, ChAV, LProt, Sweep/N, NShld, AVTK/N, NAV/N, IBMAV/N, Innoc Removal Instructions: Delete infected files & Replace Master Boot Sector General Comments: The Shifter virus was submitted in February, 1993. Its origin or point of isolation is unknown. Shifter is a memory resident infector of the hard disk master boot sector (partition table sector) and .EXE programs. When the first Shifter infected program is executed, the Shifter virus will infect the system hard disk's master boot sector, the sector containing the hard disk partitioning information. The virus does not become memory resident at this time, and will not start infecting files. The next time the system is booted from the system hard disk, the Shifter virus will become memory resident at the top of system memory but below the 640K DOS boundary, moving interrupt 12's return. Total system and available free memory, as indicated by the DOS CHKDSK program, will have decreased by 7,168 bytes. Once the Shifter virus is memory resident, it will infect .EXE programs when they are executed. Infected programs will have a file length increase of 6,672 bytes with the virus being located at the end of the file. The file's date and time in the DOS disk directory listing will not be altered. No text strings are visible within the Shifter viral code. It is unknown what Shifter does besides replicate.