Virus Name: Appelscha
V Status: New
Discovery: July, 1994
Symptoms: .COM & .EXE growth; system hangs;
possible file date/time changes;
decrease in total system & available free memory
Eff Length: 2,161 Bytes
Type Code: PRtA - Parasitic Resident .COM & .EXE Infector
Detection Method: F-Prot, IBMAV, AVTK, ViruScan, Sweep,
NAVDX, VAlert, NAV,
AVTK/N, Sweep/N, IBMAV/N, NShld, NAV/N
Removal Instructions: Delete infected files
The Appelscha virus was submitted in July, 1994. Its origin or point
of isolation is unknown. Appelscha is a memory resident infector of
.COM and .EXE files, but not COMMAND.COM.
When the first Appelscha infected program is executed, this virus
will install itself memory resident at the top of system memory but
below the 640K DOS boundary, moving interrupt 12's return. Total
system and available free memory, as indicated by the DOS CHKDSK
program, will have decreased by 2,480 bytes. Interrupt 21 will be
hooked by the virus in memory.
Once the Appelscha virus is memory resident, it will infect .COM and
.EXE files when they are executed. Infected files will have a file
length increase of 2,161 bytes with the virus being located at the
end of the file. The program's date and time in the DOS disk
directory listing will not be altered. The following text string is
encrypted within the viral code:
The Appelscha virus will occassionally reinfect a previously infected
file, adding an additional 2,161 bytes to the file's length.
System hangs may occur when infected programs are executed. The
virus will also occassionally change the file date and time in the
DOS disk directory listing when it infects or reinfects files.