Tabulero Virus

 Virus Name:  Tabulero 
 V Status:    Common - South America 
 Discovered:  September, 1992 
 Symptoms:    .EXE file growth; TSR 
 Origin:      Venezuela 
 Isolated:    Argentina 
 Eff Length:  2,048 - 2,062 Bytes 
 Type Code:   PRsE - Parasitic Resident .EXE Infector 
 Detection Method:  F-Prot, ViruScan, Sweep, IBMAV, AVTK, 
                    NAV, NAVDX, VAlert, PCScan, ChAV, 
                    NShld, Sweep/N, NAV/N, IBMAV/N, LProt, AVTK/N, Innoc 
 Removal Instructions:  Delete infected files 
 General Comments: 
       The Tabulero virus was received in September, 1992.  It is from 
       Venezuela, though it was isolated in Argentina.  Tabulero is a 
       memory resident infector of .EXE programs.  It is based on the 
       Jerusalem virus. 
       When the first Tabulero infected program is executed, the virus
       installs itself in low system memory as a memory resident TSR of
       2,048 bytes.  It hooks interrupts 09 and 21.
       Once the Tabulero virus is memory resident, it will infect .EXE 
       programs when they are executed.  Tabulero cannot recognize previous 
       infections on files, so it will also reinfect previously infected 
       programs.  Programs infected with the Tabulero virus will have a 
       file length increase of 2,048 to 2,062 bytes with the first infection 
       of the file, and 2,048 bytes with each reinfection.  The virus will 
       be located at the end of the file.  The program's date and time in 
       the DOS disk directory listing will not be altered.  The following 
       text strings can be found in all Tabulero infected programs: 
               "pTpApBpUpLpEpRpOp pI.U.P.L.C.M Wilmer C  G" 
       Tabulero may display the text "TABULERO" on the system display 
       after it has been memory resident for some period of time. 
       Known variant(s) of Tabulero are: 
       Tabulero-B: A later variant of the Tabulero virus described
                   above.  It does not reinfect .EXE programs.  The text
                   strings found in this variant are: 
                   "pTpApBpUpLpEpRpOp p" 
                   "ODALUBAT atse CP us, otreum ah LEMRAC" 
                   "--IUP LUIS CABALLERO MEJIAS--" 
                   Origin:  Unknown  September, 1992. 
       Tabulero 2: Another variant of the Tabulero virus.  This variant
                   does not reinfect previously infected files.  The text
                   strings contained within the viral code are: 
                   "ODALUBAT atse CP us, otreum ah LEMRAC" 
                   "--IUP LUIS CABALLERO MEJIAS--" 
                   "Wilmer 86-Phonix (R) Rescue antivirus version 2.1" 
                   "Copyright (C) Phonix Corp 1987-1990. 
                    All right reserved." 
                   "No path especifed or no found" 
                   "Example RESCUE A:" 
                   "pTpApBpUpLpEpRpOp p" 
                   Origin:  Unknown  January, 1993. 
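
The traits described above (virus body appended to the end of .EXE files, fixed text strings, and reinfection by the original strain only) can be turned into a simple file check. The sketch below is an added example, not part of the original entry or of any listed scanner; it assumes the quoted strings are stored as plain ASCII exactly as printed, and the names scan_exe, demo and MAX_COPIES are hypothetical.

```python
import os
import tempfile

# Text strings quoted in the entry. Assumption: they appear in infected
# files as plain ASCII bytes exactly as printed there.
FAMILY = b"pTpApBpUpLpEpRpOp p"               # present in all three listings
VARIANT = (b"ODALUBAT atse CP us, otreum ah LEMRAC",
           b"--IUP LUIS CABALLERO MEJIAS--")  # Tabulero-B and Tabulero 2
TABULERO_2 = b"Wilmer 86-Phonix (R) Rescue antivirus version 2.1"
COPY_MAX = 2062    # largest first-infection growth given in the entry
MAX_COPIES = 16    # hypothetical cap on how many appended copies to inspect

def scan_exe(path):
    """Return None for non-.EXE content, else (verdict, copies_found)."""
    size = os.path.getsize(path)
    with open(path, "rb") as f:
        if f.read(2) not in (b"MZ", b"ZM"):   # DOS .EXE signature
            return None
        window = min(size, COPY_MAX * MAX_COPIES)
        f.seek(size - window)                 # virus body sits at end of file
        tail = f.read(window)
    copies = tail.count(FAMILY)               # one marker per appended copy
    if copies == 0:
        return ("no markers", 0)
    if TABULERO_2 in tail:
        return ("Tabulero 2", copies)
    if any(s in tail for s in VARIANT):
        return ("Tabulero-B", copies)
    return ("Tabulero", copies)               # only this strain reinfects

def demo():
    """Scan constructed stand-in files (marker text only, no viral code)."""
    host = b"MZ" + bytes(4000)
    pad = lambda s: s.ljust(2048, b"\x00")    # mimic a 2,048-byte appended block
    samples = {
        "clean.exe": host,
        "twice.exe": host + pad(FAMILY + b"I.U.P.L.C.M Wilmer C  G") * 2,
        "varb.exe": host + pad(FAMILY + VARIANT[0] + VARIANT[1]),
        "note.txt": b"not an executable",
    }
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(data)
            results[name] = scan_exe(p)
    return results
```

A copies value above 1 points to the original strain, since the entry states that both variants do not reinfect.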

