Virus Name: Arusiek
V Status: Rare
Discovery: May, 1993
Symptoms: .COM & .EXE growth;
decrease in total system & available free memory
Eff Length: 817 Bytes
Type Code: PRhA - Parasitic Resident .COM & .EXE Infector
Detection Method: IBMAV, ViruScan, AVTK, F-Prot, Sweep,
NAV, NAVDX, VAlert, ChAV,
Sweep/N, NShld, AVTK/N, NProt, NAV/N, IBMAV/N, Innoc,
Removal Instructions: Delete infected files
The Arusiek virus was received in May, 1993, and is from Morocco.
Arusiek is a memory resident infector of .COM and .EXE programs,
but not COMMAND.COM.
When the first Arusiek infected program is executed, the Arusiek
virus will install itself memory resident at the top of system
memory but below the 640K DOS boundary, hooking interrupt 21.
Total system and available free memory, as indicated by the
DOS CHKDSK program, will have decreased by 1,088 bytes. Interrupt
12's return will not be moved.
Once the Arusiek virus is memory resident, it will infect .COM and
.EXE programs when they are executed or opened for any reason.
Infected programs will have a file length increase of 817 bytes with
the virus being located at the end of the file. The program's date
and time in the DOS disk directory listing will not be altered.
The following text strings are visible within the viral code in all
Arusiek infected programs:
It is unknown what Arusiek does besides replicate.
Known variant(s) of Arusiek are:
Arusiek.692: Received in January, 1995, Arusiek.692 is a 692
byte variant of the Arusiek virus described above. Its
size in memory is approximately 800 bytes, hooking interrupt
21. Like the original virus, it infects .COM and .EXE files
when they are executed, opened, or copied. Infected files
have a file length increase of 692 bytes with the virus
being located at the end of the file. The program's date
and time in the DOS disk directory listing will not be
altered. The following text string can be found within the
viral code in all Arusiek.692 infected programs:
Origin: Unknown January, 1995.