Virus Name: Trooper
V Status: New
Discovered: December, 1996
Symptoms: .COM & .EXE growth; file date time decades = "5";
decrease in available free memory;
DOS CHKDSK "Invalid drive specification" error
Eff Length: 2,259 - 2,273 Bytes
Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector
Detection Method: NAV, NAVDX, AVTK, ViruScan 3.02+,
Removal Instructions: Delete infected files
The Trooper virus was received in December, 1996, and is originally
from Hungary. The virus is a memory resident infector of .COM and
.EXE files, including COMMAND.COM.
When the first Trooper infected program is executed, this virus will
install itself memory resident at the top of system memory but below
the 640K DOS boundary, not moving interrupt 12's return. Available
free memory will have decreased by approximately 3,408 bytes.
Interrupt 21 will be hooked by the virus in memory.
Once the Trooper virus is memory resident, it will infect .COM and
.EXE files, including COMMAND.COM, when they are executed. Infected
programs will have a file length increase of 2,259 to 2,273 bytes
with the virus being located at the end of the file. The file's
date and time in the DOS disk directory listing will have been
altered so that the decades field of the year will be "5". The
following text strings are visible within the viral code:
"TROOPER V1.0 Hungary-7500EXECOMCLIPPERCOMSPEC"
This virus will interfer with the execution of the DOS CHKDSK
program from DOS 5.0. Attempts to run CHKDSK with the virus
memory resident will result in an "Invalid drive specification"
error message being displayed.