Tormentor Virus
Virus Name: Tormentor
Aliases:
V Status: Rare
Discovery: December, 1991
Symptoms: .EXE file growth; .PAS files disappear; decrease in total
system and available free memory; system hangs
Origin: Sweden
Eff Length: 1,024 Bytes
Type Code: PRhE - Parasitic Resident .EXE Infector
Detection Method: Sweep, ViruScan, AVTK, F-Prot, PCScan,
NAV, IBMAV, NAVDX, VAlert, ChAV,
NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N,
NAV/N, IBMAV/N
Removal Instructions: Delete infected files
General Comments:
The Tormentor virus was received from Mikael Larssen of the Virus
Help Center, Sweden, in December, 1991. Tormentor is a memory
resident infector of .EXE programs.
The first time a program infected with Tormentor is executed, the
Tormentor virus will install itself memory resident at the top of
system memory but below the 640K DOS boundary. Total system and
available free memory, as indicated by the DOS CHKDSK program, will
have decreased by 1,056 bytes. Interrupt 21 will be hooked by the
virus in memory. Interrupt 12's return will not have been moved.
Once Tormentor is memory resident, it will infect .EXE programs
over approximately 3K in size when they are executed. Infected .EXE
programs will have a file length increase of 1,024 bytes with the
virus being located at the end of the infected file. The file's
date and time in the DOS disk directory listing will not have been
altered. The following two text strings can be found in Tormentor
infected programs:
"*.PAS"
"TORMENTOR!"
The Tormentor virus will occasionally delete .PAS files located in
the current directory when a Tormentor infected .EXE program is
executed. System hangs may also be experienced when attempting to
execute some programs.
Known variant(s) of Tormentor are:
Tormentor-1040: Received in July, 1992, Tormentor-1040 is a
1,040 byte variant of the Tormentor virus. Its
size in memory is 1,072 bytes, and like the original
virus it hooks interrupt 21. Programs infected
with Tormentor-1040 will have a file length
increase of 1,040 bytes with the virus being
located at the end of the file. No text strings
are visible within the viral code.
Origin: Sweden July, 1992.
Tormentor-1072: Based on the Tormentor virus described above,
Tormentor-1072 is a 1,072 byte variant which
infects .COM and .EXE programs, but not COMMAND.COM.
Its size in memory is 1,104 bytes, and it hooks
interrupt 21. Once it is memory resident, it will
infect .COM and .EXE programs larger than
approximately 3K when they are executed. Infected
programs increase in size by 1,072 bytes with the
virus being located at the end of the file. The
file's date and time in the DOS disk directory
will have been updated, though it will not
reflect the current system date and time when
infection occurred. The following text strings
can be found in all infected programs:
"NUKE!"
"TORMENTOR,soldier of -=DY=-"
"[Thanks DAv!] DEMORALIZED YOUTH!"
Unlike Tormentor, this virus does not delete
.PAS files. System hangs may occur when infected
programs are executed.
Origin: Sweden December, 1991.
Tormentor-1072B: Functionally equivalent to the Tormentor-1072
described above, the text strings in this variant
are:
"NUKE!"
"THOMASC. KILLER !!! -=SY=-"
"[Thanks DAv!] DEMORALIZED YOUTH!"
Tormentor-1072C: Functionally equivalent to the Tormentor-1072
described above, this variant has a few bytes which
differ.
Tormentor-1072D: This variant is also functionally equivalent
to the original Tormentor-1072, with minor byte
changes.
Nuke: Based on the Tormentor-1072 virus, Nuke also adds 1,072
bytes to the .EXE files it infects. The Nuke virus will only
infect .EXE files, not .COM files as other members of the
Tormentor group do. The text strings found within the Nuke
virus are:
"NUKE!"
"[Thanks DAv!] DEMORALIZED YOUTH!"
Nuke activates on the second day of any month. At that time,
it will overwrite the first sectors of each hard disk on the
system, from C: through Z:.
Origin: Unknown January, 1992.
Nuke Dropper: A small .COM program which was originally received
with the Nuke virus. The program is not a natural infection,
and serves no purpose except to release or drop the Nuke
virus.
Origin: Unknown January, 1992.
Lixo Nuke: Similar to the Nuke virus, this variant will
reformat the system hard disk on the 31st of any month.
After becoming memory resident, it will infect .EXE programs
when they are copied. Both the source and target files will
be infected. Infected programs will have a file length
increase of 1,072 bytes with the virus at the end of the
file. The following text strings can be found in the Lixo
Nuke viral code in infected programs:
"NUKE!"
"TORMENTOR,soldier of -=DY=-"
"[Thanks DAv!]"
"DEMORALIZED YOUTH!"
Origin: Sweden July, 1992.
Lixo Nuke Dropper: A small .COM program which was originally
received with the Lixo Nuke virus. The program is not a
natural infection, and serves no purpose except to release
or drop the Lixo Nuke virus.
Origin: Sweden July, 1992.
See: Murphy
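
Added example (not part of the original entry): a Python triage check that looks for the text strings quoted above in the last 1,024 or 1,072 bytes of a file, where the entry says the virus is located. The function names, the rule for which strings must occur together, and the sample images are assumptions of this example; the samples are constructed filler containing only the ASCII markers.

```python
import sys

# Marker strings and appended lengths are the ones quoted in the entry above.
# Which strings must co-occur is this example's own assumption.
# Not covered: Tormentor-1040 (no visible strings), -1072C and -1072D (no strings listed).
T1024 = [b"*.PAS", b"TORMENTOR!"]
T1072 = [b"NUKE!", b"DEMORALIZED YOUTH!"]        # common to every listed 1,072-byte variant
SOLDIER = b"TORMENTOR,soldier of -=DY=-"
KILLER = b"THOMASC. KILLER !!! -=SY=-"


def in_tail(data: bytes, added: int, strings) -> bool:
    """True if the file is longer than `added` and every string sits in its last `added` bytes."""
    tail = data[-added:]
    return len(data) > added and all(s in tail for s in strings)


def classify(data: bytes):
    """Return (name, appended_length) for a file image, or None when no rule matches."""
    is_exe = data[:2] in (b"MZ", b"ZM")           # DOS .EXE header signature
    if is_exe and in_tail(data, 1024, T1024):     # original Tormentor infects .EXE only
        return ("Tormentor", 1024)
    if in_tail(data, 1072, T1072):                # this group is seen in .COM and .EXE files
        if KILLER in data[-1072:]:
            return ("Tormentor-1072B", 1072)
        if SOLDIER in data[-1072:]:
            return ("Tormentor-1072 or Lixo Nuke", 1072)
        return ("Nuke", 1072)
    return None


def make_sample(magic: bytes, strings, added: int) -> bytes:
    """Constructed image: filler host plus a filler tail holding only the ASCII markers."""
    body = b"\x00".join(strings)
    return magic + b"\x00" * 4000 + body + b"\x90" * (added - len(body))


if __name__ == "__main__":
    for path in sys.argv[1:]:                     # e.g. files copied off a disk image
        with open(path, "rb") as fh:
            print(path, classify(fh.read()))
```

A match is a lead to confirm with one of the scanners listed under Detection Method; any file that happens to end with these strings, such as a text copy of this entry, matches the 1,072-byte rule as well.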