Virus Name: Soldier
Aliases: Soldier.1480, Macaroni
V Status: New
Discovered: January, 1996
Symptoms: .COM & .EXE growth; file date/time seconds = "28";
decrease in available free memory
Eff Length: 1,480 Bytes
Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector
Detection Method: IBMAV, ViruScan, NAV, F-Prot, NAVDX, AVTK, PCScan,
IBMAV/N, NShld, NAV/N, AVTK/N, Innoc
Removal Instructions: Delete infected files

The Soldier virus, also known as Soldier.1480 or Macaroni, was
received in January, 1996. Its origin is unknown, though it may be
from Sweden. Soldier is a memory resident stealth virus which infects
.COM and .EXE files, including COMMAND.COM.

When the first Soldier-infected program is executed, the virus
will install itself memory resident at the top of system memory
but below the 640K DOS boundary, not moving interrupt 12's return.
Available free memory, as indicated by the DOS CHKDSK program from
DOS 5.0, will have decreased by 1,536 bytes. Interrupts 1C and 21
will be hooked by the virus in memory.

Once the Soldier virus is memory resident, it will infect .COM and
.EXE files, other than extremely small ones, when they are executed
or opened, but not when they are copied. It will also infect one file in
the target directory whenever a DOS DIR command is issued. Files
infected with the Soldier virus will have a file length increase of
1,480 bytes, though this file length increase will be hidden when
the virus is memory resident. The program's date and time in the
DOS disk directory listing will not appear to be altered, though the
seconds field will have been set to "28". The following text
strings are visible within the viral code:
"Soldier BOB - (c)jan-94 by A:N:O:I"
"Programmed by Macaroni Ted"
"Soldier BOB - Made in Sweden."
Within the viral code, infected programs will also contain a list
of the executable .COM and .EXE files that were in the directory at
the time of infection.

When the Soldier virus is memory resident, extremely small .COM
and .EXE files may appear to have grown to almost 64K bytes. This
occurs because the virus sets the seconds field to "28" on these
files, but doesn't actually infect them.
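
The seconds marker described above can be checked offline against a raw FAT directory image, where the resident virus cannot hide the real file size. The following is an added example, not part of the original entry: it assumes "28" is the decoded seconds value (stored as 14 in the directory's 2-second units), and the function names and sample entries are constructed for illustration.

```python
import struct

MARKER_SECONDS = 28   # seconds value this entry reports (assumed to be the decoded value)
VIRUS_LENGTH = 1480   # file growth this entry reports, in bytes
TARGET_EXTS = {"COM", "EXE"}

def parse_dir_entries(raw):
    """Yield (base, ext, seconds, size) for live file entries in a raw FAT directory."""
    for off in range(0, len(raw) - 31, 32):
        entry = raw[off:off + 32]
        if entry[0] == 0x00:                      # end-of-directory marker
            break
        if entry[0] == 0xE5 or entry[11] & 0x18:  # deleted, volume label or subdirectory
            continue
        base = entry[0:8].decode("ascii", "replace").rstrip()
        ext = entry[8:11].decode("ascii", "replace").rstrip()
        time_word, _date, _cluster, size = struct.unpack_from("<HHHI", entry, 22)
        yield base, ext, (time_word & 0x1F) * 2, size  # seconds stored in 2-second units

def suspicious(raw):
    """Return (filename, size, note) for .COM/.EXE entries carrying the seconds marker."""
    hits = []
    for base, ext, seconds, size in parse_dir_entries(raw):
        if ext in TARGET_EXTS and seconds == MARKER_SECONDS:
            # A file no larger than the virus cannot hold host code plus 1,480 bytes.
            note = "marker only" if size <= VIRUS_LENGTH else "inspect"
            hits.append((f"{base}.{ext}", size, note))
    return hits

def make_entry(base, ext, h, m, s, size, attr=0x20):
    """Build one constructed 32-byte directory entry dated 1996-01-01."""
    time_word = (h << 11) | (m << 5) | (s // 2)
    return (base.ljust(8).encode() + ext.ljust(3).encode() + bytes([attr])
            + bytes(10) + struct.pack("<HHHI", time_word, 0x2021, 2, size))

# Constructed sample directory, not taken from a real disk.
SAMPLE_DIR = b"".join([
    make_entry("GAME", "EXE", 10, 15, 28, 21480),
    make_entry("TINY", "COM", 9, 0, 28, 300),
    make_entry("NOTES", "TXT", 9, 0, 28, 512),
    make_entry("TOOL", "COM", 14, 30, 30, 9000),
    b"\xe5" + make_entry("OLD", "COM", 8, 0, 28, 4000)[1:],
    bytes(32),
])

if __name__ == "__main__":
    for name, size, note in suspicious(SAMPLE_DIR):
        print(f"{name:12} {size:6} {note}")
```

A seconds value of 28 also occurs on clean files, so a hit is a lead for scanning with one of the listed detection products, not a verdict.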