Sirius Virus


 Virus Name:  Sirius 
 Aliases:     Sirius.400, Hello, Hello.400 
 V Status:    New 
 Discovered:  July, 1995 
 Symptoms:    .COM file growth; file date/time seconds = "06" 
 Origin:      Unknown 
 Eff Length:  400 Bytes 
 Type Code:   PNCK - Parasitic Non-Resident .COM Infector 
 Detection Method: F-Prot, AVTK, VAlert, ViruScan, Sweep, NAVDX, NAV, 
                   IBMAV, PCScan, ChAV, 
                   NShld, Sweep/N, NAV/N, IBMAV/N, AVTK/N, NProt, Innoc 4.0+ 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Sirius, Sirius.400, or Hello.400, virus was received in July, 
       1995, along with one variant, Sirius.720.  Their origin or point of 
       isolation is unknown.  Sirius is a non-resident, direct action 
       infector of .COM files, including COMMAND.COM. 
 
       When a program infected with the Sirius virus is executed, this 
       virus will infect one .COM file located in the current directory 
       on the C: drive.  It does not infect files located on other drives. 
       Programs infected with the Sirius virus will have a file length 
       of 400 bytes with the virus being located at the end of the file. 
       The program's date and time in the DOS disk directory listing will 
       not appear to be altered, though the seconds field will have been 
       set to a value of "06".  The following text string is encrypted 
       within the viral code: 
 
           "DK*.COM << Ebbelwoi >> by ()SiRiUS 10-93 D-63225B" 
 
       It is unknown what the Sirius virus does besides replicate. 
 
       Known variant(s) of Sirius are: 
       Sirius.720: Also received in July, 1995, Sirius.720 or Hello.720 
           is a 720 byte variant of the Sirius virus described above.  It 
           infects one .COM file located in the current directory when an 
           infected program is executed, provided that the current directory 
           is not a root directory of any drive.  Programs infected with 
           this variant will have a file length increase of 720 bytes with 
           the virus being located at the end of the file.  The program's 
           date and time in the DOS disk directory listing will not appear 
           to be altered, though the seconds field will have been set to 
           "06".  The following text strings are encrypted within the viral 
           code: 
           "*.CoM t* * \" 
           "<> EBBELWOI v33m BY ()SiRiUS 12-93 D-63225 IAMQVE OPVS EXEGI 
            QVOD NEC IOVIS IRA NEC IGNIS NEC POTERIT FERRVM NEC EDAX 
            ABOLERE VETVSTAS 9" 
           Origin:  Unknown  July, 1995. 
       Sirius.1068: Also received in July, 1995, this is a 1,068 byte 
           memory resident variant of the Sirius virus described above.  It 
           becomes memory resident at the top of system memory but below 
           the 640K DOS boundary, hooking interrupt 21.  Available free 
           memory, as indicated by the DOS CHKDSK program from DOS 5.0, 
           will have decreased by 5,376 bytes.  Once resident, it infects 
           .COM files when they are executed.  Infected .COM files will 
           have a file length increase of 1,068 bytes with the virus being 
           located at the end of the file.  The program's date and time in 
           the DOS disk directory listing will not appear to be altered, 
           though the seconds field will have been set to "06".  The 
           following text string is encrypted within the viral code: 
           "[EBBELWOI] Version QUX-7 3/94 Sirius" 
           This variant attempts to hide the file length increase when 
           the virus is memory resident, however due to a bug within the 
           viral code, most infected files will appear to have a 24 byte 
           reduction in size when the virus is memory resident.  Some 
           .COM files will hang the system when infected by the virus. 
           Origin:  Unknown  July, 1995. 

Show viruses from discovered during that infect .

Main Page