Trakia Virus


 Virus Name:  Trakia 
 Aliases:     Trakia.561 
 V Status:    New 
 Discovered:  February, 1995 
 Symptoms:    .COM & .EXE growth; decrease in available free memory 
 Origin:      Unknown 
 Eff Length:  561 - 577 Bytes 
 Type Code:   PRhAK - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  F-Prot, ViruScan, AVTK, Sweep, IBMAV, 
                    NAV, NAVDX, VAlert, PCScan, ChAV, 
                    NShld, Innoc, NProt, IBMAV/N, AVTK/N, Sweep/N, NAV/N, 
                    LProt 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Trakia virus was received in February, 1995.  Its origin or 
       point of isolation is unknown.  Trakia is a memory resident infector 
       of .COM and .EXE files, including COMMAND.COM. 
 
       When the first Trakia infected program is executed, this virus will 
       install itself memory resident at the top of system memory but below 
       the 640K DOS boundary, not moving interrupt 12's return.  Available 
       free memory, as indicated by the DOS CHKDSK program from DOS 5.0, 
       will have decreased by approximately 928 bytes.  Interrupt 21 will 
       be hooked by the virus in memory. 
 
       Once the Trakia virus is memory resident, it will infect .COM and 
       .EXE files, including COMMAND.COM, when they are executed.  Infected 
       .COM files will have a file length increase of 561 bytes while .EXE 
       files will increase in size by 561 to 577 bytes.  In both cases, the 
       virus will be located at the end of the file.  The program's date 
       and time in the DOS disk directory listing will not be altered.  No 
       text strings are visible within the viral code in infected files. 
 
       It is unknown what the Trakia virus does besides replicate. 
 
       Known variant(s) of Trakia include: 
       Trakia.570: Also received in February, 1995, Trakia.570 is a 
               570 byte version of the Trakia virus described above.  Its 
               size in memory is approximately 944 bytes.  It addes 570 
               bytes to the .COM files it infects, and 570 to 586 bytes to 
               .EXE files.  In both cases, the virus will be located at the 
               end of the file.  The file's date and time in the DOS disk 
               directory listing may appear to be blank, it has actually 
               been set to "0/0/80 12:00:00 AM".  No text strings are 
               visible within the viral code. 
               Origin:  Unknown  February, 1995. 
       Trakia.1070: Received in July, 1996, this 1,070 byte variant has 
               been reported to be "in the wild".  Its size in memory is 
               1,360 bytes, hooking interrupt 21.  It infects .COM and .EXE 
               files, including COMMAND.COM, when they are executed, as well 
               as infecting on .EXE file in the current directory when an 
               infected program is executed.  .COM files will have a file 
               length increase of 1,070 bytes while .EXE files increase in 
               size by 1,070 to 1,086 bytes.  In both cases, the virus will 
               be located at the end of the file.  The file's date and time 
               in the DOS disk directory listing will not be altered. One 
               text string is visible within the viral code: 
               "*.EXE" 
               Origin:  Unknown  July, 1996.

Show viruses from discovered during that infect .

Main Page