Virus Name: Telecom
Aliases: Telefonica, Telecom File, Spanish Telecom-2
V Status: Common
Discovered: June, 1991
Symptoms: .COM file growth; decrease in total system and available
memory; hard disk formatted
Eff Length: 3,700 Bytes
Type Code: PRhC - Parasitic Resident .COM Infector
Detection Method: ViruScan, F-Prot, Sweep, AVTK, NAV, IBMAV,
NAVDX, VAlert, PCScan, ChAV,
NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N,
Removal Instructions: Delete infected files
The Telecom, Telefonica, or Telecom File virus was first reported
in December, 1990, in Spain. Though several samples of Telecom
were received in early 1991, the first replicable sample arrived
in June, 1991. This sample is also from Spain. Telecom is a
memory resident infector of .COM programs. It also carries a
variant of the Anti-Tel virus which it will install on the hard
disk master boot sector (partition table). Telecom was written by
the same individual as the Anti-Tel and Holocaust viruses. All of
these viruses are encrypted viruses.
When a program infected with Telecom is executed, Telecom will
install itself memory resident at the top of system memory but
below the 640K DOS boundary, interrupt 12's return will not be
moved. Total system and available free memory, as measured by
the DOS CHKDSK program, will have decreased by 3,984 bytes.
Interrupt 21 will be hooked by the Telecom virus in memory.
Once Telecom is memory resident, it will infect .COM programs
larger than approximately 1K in size when they are executed.
Infected .COM programs increase in size by 3,700 bytes, though
the file length increase cannot be seen in the disk directory
listing as the virus hides it. The virus alters the file's date
in the directory by adding 100 to the year, this is also not
readily apparent. The date alteration is how Telecom determines
if the file is already infected.
With Telecom memory resident, it will infect the hard disk master
boot sector with a variant of the Anti-Tel virus when the user
accesses a file or program on the hard disk. See the description
for Anti-Tel for information on the master boot sector infection.
The master boot sector infection does not contain a complete copy
of the Telecom virus, so it by itself cannot infect files.
The file infector portion of Telecom does not contain an activation
mechanism per say, the activation mechanism is in the master boot
sector infection. After 400 system boots from an infected disk, the
virus will overwrite the system hard drives.
See: Anti-Tel Holocaust