Virus Name: Skull
V Status: Rare
Discovered: January, 1993
Symptoms: .COM file growth; .EXE file corruption; graphic display
Origin: United States
Eff Length: 666 Bytes
Type Code: PNCK - Parasitic Non-Resident .COM Infector
Detection Method: AVTK, Sweep, ViruScan, F-Prot, NAVDX, VAlert,
IBMAV, NAV, PCScan, ChAV,
Sweep/N, NShld, Innoc, NProt, AVTK/N, IBMAV/N, NAV/N,
Removal Instructions: Delete infected files

The Skull, or Necro, virus was submitted in January, 1993, and is
from the State of Pennsylvania in the United States. Skull is a
non-resident, direct action infector of .COM programs, including
COMMAND.COM. It will also "drop" a second virus, the Skull EXE
virus, described below under variant(s). Since the Skull EXE virus
also replicates, it is listed as a variant rather than as part of
the base Skull virus.

When a program infected with the Skull virus is executed, the Skull
virus will infect one .COM file located in the current directory.
If it cannot find a .COM program to infect, it will instead "drop"
the Skull EXE virus indicated below by overwriting the beginning of
an .EXE file.

Programs infected with the Skull virus will have a file length
increase of 666 bytes with the virus being located at the end of
the file. The program's date and time in the DOS disk directory
listing will not be altered. The following text strings are
visible within the Skull viral code in infected .COM files:

The Skull virus doesn't do anything besides replicate and drop the
Skull EXE virus indicated below. The Skull EXE virus displays a
message when it is executed.

Known variant(s) of Skull are:

Skull EXE: Skull EXE is the overwriting virus which is dropped
by the Skull virus indicated above. When a program
infected by the Skull EXE virus is executed, the Skull
EXE virus will infect one .EXE file located in the
current directory, overwriting the first 466 bytes of
the host file. Infected programs will not increase in
size. The Skull EXE virus will then display a graphic
"skull" on the system display, with the following message:
"You cant execute this file:
Its already dead!"
This message is encrypted within the viral code. The
following text string is unencrypted within the Skull EXE
Origin: Pennsylvania, USA January, 1993.
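
An added example (not part of the original entry): a baseline comparison in Python that flags the two file changes this entry describes, a .COM file that grew by 666 bytes with its timestamp unchanged, and an .EXE file of unchanged length whose first 466 bytes differ. The function names, finding labels and baseline record layout are assumptions made for this illustration.

```python
import hashlib
import os

# Illustrative helper; names and record layout are assumptions, not from the entry.
COM_GROWTH = 666       # file growth the entry gives for infected .COM files
EXE_OVERWRITE = 466    # leading bytes the entry says Skull EXE overwrites


def _sha(data):
    return hashlib.sha256(data).hexdigest()


def snapshot(directory):
    """Record size, mtime and head/tail hashes for each .COM and .EXE file."""
    base = {}
    for name in sorted(os.listdir(directory)):
        if not name.upper().endswith((".COM", ".EXE")):
            continue
        path = os.path.join(directory, name)
        with open(path, "rb") as fh:
            data = fh.read()
        base[name] = {
            "size": len(data),
            "mtime": os.stat(path).st_mtime_ns,
            "head": _sha(data[:EXE_OVERWRITE]),
            "tail": _sha(data[EXE_OVERWRITE:]),
        }
    return base


def compare(baseline, current):
    """Return {name: finding} for files whose change fits the description."""
    findings = {}
    for name, old in baseline.items():
        new = current.get(name)
        if new is None:
            continue
        grew = new["size"] - old["size"]
        if name.upper().endswith(".COM"):
            # Appended body with the directory timestamp left as it was.
            if grew == COM_GROWTH and new["mtime"] == old["mtime"]:
                findings[name] = "com-grew-666-same-timestamp"
        elif grew == 0 and new["head"] != old["head"] and new["tail"] == old["tail"]:
            # Same length, only the first 466 bytes differ.
            findings[name] = "exe-head-overwritten"
    return findings
```

Take the snapshot from a known-clean state and store it off the machine being checked; a match is a lead for further inspection, since unrelated changes can produce the same size difference.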