Trooper Virus
Virus Name: Trooper
Aliases: Trooper.2259
V Status: New
Discovered: December, 1996
Symptoms: .COM & .EXE growth; file date time decades = "5";
decrease in available free memory;
DOS CHKDSK "Invalid drive specification" error
Origin: Hungary
Eff Length: 2,259 - 2,273 Bytes
Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector
Detection Method: NAV, NAVDX, AVTK, ViruScan 3.02+,
NAV/N, AVTK/N
Removal Instructions: Delete infected files
General Comments:
The Trooper virus was received in December, 1996, and is originally
from Hungary. The virus is a memory resident infector of .COM and
.EXE files, including COMMAND.COM.

When the first Trooper infected program is executed, this virus will
install itself memory resident at the top of system memory but below
the 640K DOS boundary, not moving interrupt 12's return. Available
free memory will have decreased by approximately 3,408 bytes.
Interrupt 21 will be hooked by the virus in memory.

Once the Trooper virus is memory resident, it will infect .COM and
.EXE files, including COMMAND.COM, when they are executed. Infected
programs will have a file length increase of 2,259 to 2,273 bytes
with the virus being located at the end of the file. The file's
date and time in the DOS disk directory listing will have been
altered so that the decades field of the year will be "5". The
following text strings are visible within the viral code:
"TROOPER V1.0 Hungary-7500EXECOMCLIPPERCOMSPEC"
"<=>?BEFKNOW"

This virus will interfere with the execution of the DOS CHKDSK
program from DOS 5.0. Attempts to run CHKDSK with the virus
memory resident will result in an "Invalid drive specification"
error message being displayed.
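
The indicators above (visible text, code located at the end of the file, altered year) combined into a triage check. This is an added example, not part of the original entry or of any scanner it names; the marker prefix, the reading of "decades field" as the tens digit of the year, and all file names, sample bytes and years are assumptions constructed for illustration.

```python
# Added example (not from the original entry): triage check built from the
# indicators listed above. File names, sample bytes and years are constructed.
from pathlib import Path

# Assumption: the leading part of the first quoted string is used as the
# marker, in case the quoted run is several adjacent strings in the code.
MARKER = b"TROOPER V1.0"
MAX_GROWTH = 2273            # upper bound of the stated length increase
TARGET_EXTS = {".com", ".exe"}

def marker_in_tail(data: bytes) -> bool:
    """True if the marker lies inside the last MAX_GROWTH bytes, where the
    entry says the appended code sits."""
    return MARKER in data[-MAX_GROWTH:]

def decade_digit_is_5(year: int) -> bool:
    """True if the tens digit of the directory-entry year is 5 (assumed reading)."""
    return (year // 10) % 10 == 5

def assess(name: str, data: bytes, year: int) -> str:
    """Classify one file from its name, contents and directory-entry year."""
    if Path(name).suffix.lower() not in TARGET_EXTS:
        return "skipped"
    if marker_in_tail(data):
        return "suspect: marker+date" if decade_digit_is_5(year) else "suspect: marker"
    if MARKER in data:
        # e.g. a scanner's own signature table; not an appended body
        return "review: marker outside tail"
    return "clean"

def build_samples():
    """Constructed samples: only the quoted text plus zero padding."""
    text = b"TROOPER V1.0 Hungary-7500EXECOMCLIPPERCOMSPEC"
    host = b"\xE9" + bytes(4999)
    tail = bytes(300) + text + bytes(2259 - 300 - len(text))
    return {
        "GAME.COM": (host + tail, 2056),
        "EDIT.EXE": (host + tail, 1996),
        "SCANNER.EXE": (text + bytes(9000), 1996),
        "CLEAN.COM": (host, 1995),
        "NOTES.TXT": (text, 1996),
    }

if __name__ == "__main__":
    for name, (data, year) in build_samples().items():
        print(f"{name:12} {assess(name, data, year)}")
```

A marker found outside the last 2,273 bytes is reported separately because it does not match the appended placement the entry describes.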