Virus Name: Trakia
V Status: New
Discovered: February, 1995
Symptoms: .COM & .EXE growth; decrease in available free memory
Eff Length: 561 - 577 Bytes
Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector
Detection Method: F-Prot, ViruScan, AVTK, Sweep, IBMAV,
NAV, NAVDX, VAlert, PCScan, ChAV,
NShld, Innoc, NProt, IBMAV/N, AVTK/N, Sweep/N, NAV/N,
Removal Instructions: Delete infected files
The Trakia virus was received in February, 1995. Its origin or
point of isolation is unknown. Trakia is a memory resident infector
of .COM and .EXE files, including COMMAND.COM.
When the first Trakia infected program is executed, this virus will
install itself memory resident at the top of system memory but below
the 640K DOS boundary, not moving interrupt 12's return. Available
free memory, as indicated by the DOS CHKDSK program from DOS 5.0,
will have decreased by approximately 928 bytes. Interrupt 21 will
be hooked by the virus in memory.
Once the Trakia virus is memory resident, it will infect .COM and
.EXE files, including COMMAND.COM, when they are executed. Infected
.COM files will have a file length increase of 561 bytes while .EXE
files will increase in size by 561 to 577 bytes. In both cases, the
virus will be located at the end of the file. The program's date
and time in the DOS disk directory listing will not be altered. No
text strings are visible within the viral code in infected files.
It is unknown what the Trakia virus does besides replicate.
Known variant(s) of Trakia include:
Trakia.570: Also received in February, 1995, Trakia.570 is a
570 byte version of the Trakia virus described above. Its
size in memory is approximately 944 bytes. It addes 570
bytes to the .COM files it infects, and 570 to 586 bytes to
.EXE files. In both cases, the virus will be located at the
end of the file. The file's date and time in the DOS disk
directory listing may appear to be blank, it has actually
been set to "0/0/80 12:00:00 AM". No text strings are
visible within the viral code.
Origin: Unknown February, 1995.
Trakia.1070: Received in July, 1996, this 1,070 byte variant has
been reported to be "in the wild". Its size in memory is
1,360 bytes, hooking interrupt 21. It infects .COM and .EXE
files, including COMMAND.COM, when they are executed, as well
as infecting on .EXE file in the current directory when an
infected program is executed. .COM files will have a file
length increase of 1,070 bytes while .EXE files increase in
size by 1,070 to 1,086 bytes. In both cases, the virus will
be located at the end of the file. The file's date and time
in the DOS disk directory listing will not be altered. One
text string is visible within the viral code:
Origin: Unknown July, 1996.