Tao Cheng Virus
Virus Name: Tao Cheng
V Status: Rare
Discovered: January, 1993.
Symptoms: .COM & .EXE growth; decrease in total system & available free
memory; system hangs; video mode altered; boot failure;
garbage characters written to system display;
unexpected system reboots
Eff Length: 1,295 Bytes
Type Code: PRtAK - Parasitic Resident .COM & .EXE Infector
Detection Method: AVTK, F-Prot, Sweep, ViruScan, IBMAV, NAV,
NAVDX, VAlert, PCScan, ChAV,
Sweep/N, NShld, NProt, AVTK/N, NAV/N, IBMAV/N, Innoc
Removal Instructions: Delete infected files
The Tao Cheng virus was submitted in January, 1993. Its origin or
point of isolation is unknown. Tao Cheng is a memory resident
infector of .COM and .EXE programs, including COMMAND.COM.
When the first Tao Cheng infected program is executed, the Tao Cheng
virus will install itself memory resident at the top of system
memory but below the 640K DOS boundary, moving interrupt 12's return.
Total system and available free memory, as indicated by the DOS
CHKDSK program, will have decreased by 3,072 bytes. Interrupt 21
will be hooked by the Tao Cheng virus is memory.
Once the Tao Cheng virus is memory resident, it will infect .COM
and .EXE programs when they are executed. Infected programs will
have a file length increase of 1,295 bytes with the virus being
located at the end of the file. The program's date and time in
the DOS disk directory listing will not be altered. The following
text strings are encrypted within the Tao Cheng viral code:
"TheDraw COM file Screen Save"
"Unsupported Video Mode"
"[Tao Cheng] Tommy Chong"
The author of the "TheDraw" program had nothing to do with the
creation of this virus. The first two strings above are in the
virus due to use of TheDraw to create part of the viral display.
Systems infected with the Tao Cheng virus will experience a number
of symptoms. Frequent system hangs will occur when programs are
executed. These hangs may be accompanied with the display of
colored squares containing random characters on the system monitor.
The system video mode may be switched. Unexpected system reboots
may occur, as well as boot failures once the boot copy of COMMAND.COM
becomes infected. Memory allocation errors may also occur,
accompanied by a message that COMMAND cannot be loaded, and the
system has been halted.