Anti-Pascal Virus


 Virus Name:  Anti-Pascal 
 Aliases:     Anti-Pascal 605 Virus, AP, AP-605, C-605, V605 
 V Status:    Research 
 Discovery:   June, 1990 
 Symptoms:    .COM growth; .BAK and .PAS file corruption 
 Origin:      Bulgaria 
 Isolated:    Sofia, Bulgaria 
 Eff Length:  605 Bytes 
 Type Code:   PNCK - Parasitic Non-Resident .COM Infector 
 Detection Method:  ViruScan, NAV, F-Prot, AVTK, Sweep, 
                    IBMAV, NAVDX, VAlert, PCScan, ChAV, 
                    NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, 
                    NAV/N, IBMAV/N 
 Removal Instructions:  NAV, or delete infected files 
 
 General Comments: 
       The Anti-Pascal virus, V605 or C-605, was isolated in Sofia, 
       Bulgaria in June 1990 by Vesselin Bontchev.  Originally, it was 
       thought that the Anti-Pascal virus was from the USSR or Poland, but 
       it has since been determined to have been a research virus written 
       in Bulgaria over one year before it was isolated.  The author was 
       not aware that it had "escaped" until July, 1990. 
 
       The Anti-Pascal virus is a generic infector of .COM files, 
       including COMMAND.COM.  The virus is not memory resident, but while 
       it is in the process of infecting files, interrupt 24 is hooked. 
 
       When a program infected with the Anti-Pascal virus is executed, the 
       virus will attempt to infect two other .COM files on the current 
       drive or on drive D: which are between 605 and 64,930 bytes in 
       length.  These files must not have the read-only attribute set.  If 
       an uninfected .COM file meeting the virus's selection criteria is 
       found, the first 605 bytes of the program are overwritten with the 
       viral code.  The original 605 bytes of the program are then appended 
       to the end of the infected file.  Infected files will have increased 
       in length by 605 bytes, and they will also begin with the text 
       string "PQVWS" as well as contain the string "combakpas???exe" at 
       offset 0x17.  Infected files will also have had their file date/time 
       stamps in the directory updated to the date/time that the infection 
       occurred. 
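
The layout described above (605 bytes of viral code at the start, the host's original first 605 bytes moved to the end) gives both an indicator check and a way to rebuild the host. The following is an added example, not part of the original entry: the function names are hypothetical, the string "combakpas???exe" is assumed to be literal bytes, and the sample input is constructed inert filler.

```python
# Added example: indicator check and repair for the 605-byte Anti-Pascal layout
# as described in this entry. Not taken from any scanner or from the virus itself.
VIRUS_LEN = 605
HEAD_MARK = b"PQVWS"              # infected files begin with this text
BODY_MARK = b"combakpas???exe"    # assumed to be literal bytes, at offset 0x17
BODY_OFF = 0x17
MIN_ORIG, MAX_ORIG = 605, 64930   # size range of the .COM files the virus selects


def looks_infected(data: bytes) -> bool:
    """True if the buffer has both markers and a plausible infected size."""
    if not (MIN_ORIG + VIRUS_LEN <= len(data) <= MAX_ORIG + VIRUS_LEN):
        return False
    return (data.startswith(HEAD_MARK)
            and data[BODY_OFF:BODY_OFF + len(BODY_MARK)] == BODY_MARK)


def restore(data: bytes) -> bytes:
    """Rebuild the host: saved first 605 bytes (held at the tail) + untouched middle."""
    if not looks_infected(data):
        raise ValueError("buffer does not match the Anti-Pascal 605 layout")
    return data[-VIRUS_LEN:] + data[VIRUS_LEN:-VIRUS_LEN]


def make_sample(host: bytes) -> bytes:
    """Constructed test input: zero filler carrying the two markers, no viral code."""
    stub = bytearray(VIRUS_LEN)
    stub[:len(HEAD_MARK)] = HEAD_MARK
    stub[BODY_OFF:BODY_OFF + len(BODY_MARK)] = BODY_MARK
    return bytes(stub) + host[VIRUS_LEN:] + host[:VIRUS_LEN]


if __name__ == "__main__":
    host = bytes(range(256)) * 4   # constructed 1,024-byte stand-in for a .COM file
    sample = make_sample(host)
    print(len(sample) - len(host), looks_infected(sample), restore(sample) == host)
```

The repair restores file contents only; the original directory date/time stamp is not recoverable from the file itself, and the result should be compared against a known-good copy where one exists.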
 
       If the Anti-Pascal virus cannot find two .COM files to infect, it 
       will check the current drive and directory for .BAK and .PAS files. 
       If these files exist, they will be overwritten with the virus's 
       code.  If the overwritten files were .PAS files, the system's user 
       has now lost some of their Pascal source code. After overwriting 
       .BAK and .PAS files, the virus will attempt to rename them to .COM 
       files, or .EXE files if a .COM file already exists.  This renaming 
       does not work due to a bug in the virus. 
 
       Known variant(s) of Anti-Pascal are: 
       AP-529: Similar to the 605 byte Anti-Pascal virus.  The major 
               differences are that AP-529 will only infect .COM files over 
               2,048 bytes in length.  Infected files increase in length by 
               529 bytes.  Additionally, instead of overwriting the .BAK 
               and .PAS files, one .BAK and .PAS file will be deleted if 
               there are no uninfected .COM files with a length of at least 
               2,048 bytes on the current drive.  .COM files on the C: 
               drive root directory may also be infected by AP-529 when it 
               is executed from the A: or B: drive.  This variant should be 
               considered a "Research Virus", as it is not believed to have 
               been publicly released. 
 
       See:   Anti-Pascal II 
