Tolbuhin Virus


 Virus Name:  Tolbuhin 
 Aliases:     Sk1, Tolbuhin-1147 
 V Status:    Rare 
 Discovery:   August, 1992 
 Symptoms:    .COM file growth; file date/time changes; system hangs 
 Origin:      Unknown 
 Eff Length:  1,147 Bytes 
 Type Code:   PRhC - Parasitic Resident .COM Infector 
 Detection Method:  ViruScan, AVTK, Sweep, IBMAV, F-Prot, 
                    NAV, NAVDX, VAlert, PCScan, ChAV, 
                    NShld, Sweep/N, LProt, Innoc, NProt, IBMAV/N, 
                    AVTK/N, NAV/N 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Tolbuhin, or Sk1, virus was received in August, 1992.  Its 
       origin or point of isolation is unknown.  Tolbuhin is a memory 
       resident infector of .COM programs, but not COMMAND.COM. 
 
       When the first Tolbuhin infected program is executed, the 
       Tolbuhin virus will become memory resident at the top of system 
       memory but below the 640K DOS boundary.  Total system and available 
       free memory, as indicated by the DOS CHKDSK program, will have 
       decreased by 2,048 bytes.  Interrupts 20 and 21 will be hooked by 
       Tolbuhin.  The virus may also infect one .COM program located in the 
       current directory at this time. 
 
       Once Tolbuhin is memory resident, it will infect .COM programs 
       when they are executed.  Infected programs will have a file 
       length increase of 1,147 bytes with the virus being located at 
       the end of the file.  The program's date and time in the DOS disk 
       directory listing will have been updated to the current system 
       date and time when infection occurred.  The following text 
       strings can be found in all programs infected with the Tolbuhin 
       virus: 
 
               "Virus in memory !!!" 
               "Created 21.I.1990 - PMG\OTME - Tolbuhin" 
               "*.com" 
               "????????COM" 
               "COMMAND" 
 
       System hangs frequently occur when the virus infects programs.  It 
       also contains some destructive code. 
 
       Known variant(s) of Tolbuhin are: 
       Tolbuhin-626: Based on the Tolbuhin virus, this variant's size 
                     in memory is also 2,048 bytes.  It hooks interrupts 
                     13 and 21.  Infected programs will have a file 
                     length increase of 626 bytes with the virus being 
                     located at the end of the file.  The program's date 
                     and time in the DOS disk directory listing will have 
                     been updated to the current system date and time 
                     when infection occurred.  The following text strings 
                     can be found within the viral code in infected files: 
                     "Virus in memory !!!" 
                     "*.com" 
                     "SK9" 
                     The text string "SK" will also be found starting in the 
                     fourth byte of all infected programs. 
                     Origin:  Unknown  August, 1993. 
       Tolbuhin-992: Based on the Tolbuhin virus, this variant's size 
                     in memory is also 2,048 bytes.  It hooks interrupts 
                     13, 20, and 21.  Infected programs will have a file 
                     length increase of 992 bytes with the virus being 
                     located at the end of the file.  The program's date 
                     and time in the DOS disk directory listing will have 
                     been updated to the current system date and time 
                     when infection occurred.  The following text strings 
                     can be found within the viral code in infected files: 
                     "Virus in memory !!!" 
                     "Created 21.I.1990 - PMG\OTME - Tolbuhin" 
                     "*.com" 
                     "COMMAND" 
                     Origin:  Bulgaria  November, 1992. 
       Tolbuhin-1004: Based on the Tolbuhin virus, this variant's size 
                     in memory is also 2,048 bytes.  It hooks interrupts 
                     13, 20, and 21.  Infected programs will have a file 
                     length increase of 1,004 bytes with the virus being 
                     located at the end of the file.  The program's date 
                     and time in the DOS disk directory listing will have 
                     been updated to the current system date and time 
                     when infection occurred.  The following text strings 
                     can be found within the viral code in infected files: 
                     "*.com" 
                     "COMMAND" 
                     Origin:  Bulgaria  November, 1992. 
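
The indicators listed above (file growth, text strings, and the "SK" marker in the fourth byte) can be turned into a simple triage check for .COM images. This is an added example, not part of the original entry; the names triage and constructed_sample are hypothetical, and it assumes the strings are stored as plain ASCII in the case printed here.

```python
# Indicators transcribed from this entry: (file growth in bytes, strings in the viral code).
# Assumption: the strings appear as plain ASCII, in the case printed in the entry.
MEM = b"Virus in memory !!!"
SIG = b"Created 21.I.1990 - PMG\\OTME - Tolbuhin"
VARIANTS = {
    "Tolbuhin":      (1147, [MEM, SIG, b"*.com", b"????????COM", b"COMMAND"]),
    "Tolbuhin-626":  (626,  [MEM, b"*.com", b"SK9"]),
    "Tolbuhin-992":  (992,  [MEM, SIG, b"*.com", b"COMMAND"]),
    "Tolbuhin-1004": (1004, [b"*.com", b"COMMAND"]),
}
DISTINCTIVE = (MEM, SIG)  # the remaining strings also occur in ordinary DOS utilities


def triage(image: bytes) -> list[tuple[str, str]]:
    """Return (variant, confidence) pairs whose listed strings all appear in
    the appended region of the file, most indicators first."""
    hits = []
    for name, (growth, strings) in VARIANTS.items():
        if len(image) <= growth:      # no room for a host plus the appended code
            continue
        tail = image[-growth:]        # the entry places the viral code at the end of the file
        if not all(s in tail for s in strings):
            continue
        if name == "Tolbuhin-626" and image[3:5] != b"SK":
            continue                  # "SK" starts in the fourth byte (offset 3)
        strong = any(s in DISTINCTIVE for s in strings)
        hits.append((len(strings), name, "strong" if strong else "weak"))
    return [(n, c) for _, n, c in sorted(hits, reverse=True)]


def constructed_sample(name: str) -> bytes:
    """Constructed stand-in: filler host bytes plus a zero-filled tail that
    carries only the listed strings (no viral code)."""
    growth, strings = VARIANTS[name]
    host = bytearray(b"\x90" * 300)
    if name == "Tolbuhin-626":
        host[3:5] = b"SK"
    tail = b"\x00".join(strings).ljust(growth, b"\x00")
    return bytes(host) + tail


if __name__ == "__main__":
    for v in VARIANTS:
        print(v, "->", triage(constructed_sample(v)))
    print("clean ->", triage(b"\x90" * 4096))
```

A "weak" result rests only on "*.com" and "COMMAND", which legitimate programs also contain, so it should be confirmed with one of the scanners named under Detection Method.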
