Tula Virus


 Virus Name:  Tula 
 Aliases:     Tula-419 
 V Status:    Rare 
 Discovered:  April, 1992 
 Symptoms:    .COM file growth; decrease in total system and available 
              memory; file date/time changes 
 Origin:      USSR 
 Eff Length:  419 Bytes 
 Type Code:   PRtCK - Parasitic Resident .COM Infector 
 Detection Method:  AVTK, F-Prot, ViruScan, IBMAV, PCScan, 
                    Sweep, NAV, NAVDX, VAlert, ChAV, 
                    NShld, Sweep/N, Innoc, NProt, AVTK/N, NAV/N, IBMAV/N, 
                    LProt 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Tula, or Tula-419, virus was received in April, 1992.  It is 
       originally from the USSR.  Tula is a memory resident infector of 
       .COM programs, including COMMAND.COM.  It does not replicate on 
       all systems. 
 
       The first time a program infected with the Tula virus is executed, 
       Tula will install itself memory resident at the top of system memory 
       but below the 640K DOS boundary.  The memory size returned by 
       Interrupt 12 will be lowered.  Total system and available free 
       memory, as indicated by the DOS CHKDSK program, will have decreased 
       by 1,024 bytes.  Interrupts 21 and 22 will be hooked by Tula in 
       memory. 
 
       Once the Tula virus is memory resident, it will infect .COM files 
       larger than approximately 2K when they are executed.  Infected 
       programs will have a file length increase of 419 bytes with the 
       virus being located at the beginning of the infected program.  The 
       file's date and time in the DOS disk directory listing will have 
       been updated to the current system date and time. 
 
       One text string is visible within the Tula viral code in infected 
       programs: 
 
               "Tula 1990.Sat" 
 
       Known variant(s) of Tula are: 
       Tula-417: Also known as the F-Word or F-You virus, this virus 
                 is an earlier version of the Tula virus described above. 
                 Its size in memory is 1,024 bytes, hooking interrupts 
                 08 and 21.  Once resident, Tula-417 will infect .COM 
                 programs, including COMMAND.COM, when they are executed. 
                 Infected programs will increase in size by 417 bytes with 
                 the virus being located at the end of the file.  The 
                 program's date and time in the DOS disk directory listing 
                 will have been updated to the current system date and 
                 time when infection occurred.  The following text string 
                 can be found in all infected files: 
                 "Fuck You!" 
                 Systems infected with Tula-417 may experience difficulties 
                 executing .COM programs, such as EDLIN.COM, which require 
                 command line input. 
                 Origin:  USSR  December, 1990. 
       Tula-593: The Tula-593 virus is a 593 byte variant of the Tula 
                 virus described above.  Its size in memory is 1,024 bytes, 
                 hooking interrupts 08 and 21.  Once resident, Tula-593 will 
                 infect .COM and .EXE programs, including COMMAND.COM, when 
                 they are executed.  Infected programs will increase in size 
                 by 593 bytes with the virus being located at the end of the 
                 file.  The program's date and time in the DOS disk directory 
                 listing will not be altered.  One text string can be found 
                 at the end of files infected with Tula-593: 
                 "TR" 
                 Systems infected with Tula-593 may experience difficulties 
                 executing .COM programs, such as EDLIN.COM, which require 
                 command line input. 
                 Origin:  USSR  October, 1992. 
       Tula-635: The Tula-635 virus is a 635 byte variant of the Tula 
                 virus described above.  Its size in memory is 1,024 bytes, 
                 hooking interrupts 08 and 21.  Once resident, Tula-635 will 
                 infect .COM and .EXE programs, including COMMAND.COM, when 
                 they are executed.  Infected programs will increase in size 
                 by 635 bytes with the virus being located at the end of the 
                 file.  The program's date and time in the DOS disk directory 
                 listing will not be altered.  No text strings are visible 
                 within the viral code in infected programs.  Systems 
                 infected with Tula-635 may experience difficulties executing 
                 .COM programs, such as EDLIN.COM, which require command line 
                 input. 
                 Origin:  USSR  October, 1992. 
       Tula-1480: The Tula-1480 virus is a 1,480 byte variant of the Tula 
                 virus described above.  Its size in memory is 2,048 bytes, 
                 hooking interrupts 03 and 21.  Once resident, Tula-1480 will 
                 infect .COM and .EXE programs, including COMMAND.COM, when 
                 they are executed or opened for any reason.  Infected .COM 
                 programs will increase in size by 1,480 bytes.  Infected 
                 .EXE programs will increase in size by 1,480 to 1,494 bytes. 
                 In either case, the virus will be located at the end of the 
                 file.  The program's date and time in the DOS disk directory 
                 listing will not be altered.  No text strings are visible 
                 within the viral code in infected programs. 
                 Origin:  USSR  October, 1992. 
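
The size, placement and text-string traits listed above can be combined into a simple triage check. The following is an added example, not part of the original entry: the function names are hypothetical, and it assumes a trusted record of each program's original size is available for comparison.

```python
"""Triage DOS executables against the Tula family traits listed in this entry."""
import os

# name, body prepended?, visible string (None where the entry lists none),
# and size growth in bytes per file extension -- all taken from the entry.
VARIANTS = [
    ("Tula-419", True, b"Tula 1990.Sat", {".COM": (419, 419)}),
    ("Tula-417", False, b"Fuck You!", {".COM": (417, 417)}),
    ("Tula-593", False, b"TR", {".COM": (593, 593), ".EXE": (593, 593)}),
    ("Tula-635", False, None, {".COM": (635, 635), ".EXE": (635, 635)}),
    ("Tula-1480", False, None, {".COM": (1480, 1480), ".EXE": (1480, 1494)}),
]


def triage(filename, baseline_size, data):
    """Compare a file with its trusted baseline size; return [(variant, evidence)]."""
    ext = os.path.splitext(filename)[1].upper()
    delta = len(data) - baseline_size
    hits = []
    for name, prepended, marker, growth in VARIANTS:
        lo, hi = growth.get(ext, (None, None))
        if lo is None or not lo <= delta <= hi:
            continue
        # Search only the bytes the entry says were added to the host program.
        added = data[:delta] if prepended else data[-delta:]
        if marker is None:
            hits.append((name, "size-only"))      # no string to confirm with
        elif marker in added:
            hits.append((name, "size+string"))
    return hits


def make_sample(host, body_len, marker=b"", prepended=False):
    """Constructed input: inert zero filler stands in for the viral body."""
    body = b"\x00" * (body_len - len(marker)) + marker
    return body + host if prepended else host + body


if __name__ == "__main__":
    host = b"\x90" * 3000  # constructed 3,000-byte stand-in for a clean program
    print(triage("A.COM", 3000, make_sample(host, 419, b"Tula 1990.Sat", True)))
    print(triage("B.EXE", 3000, make_sample(host, 1490)))
    print(triage("C.COM", 3000, host))
```

A "size-only" result is weak evidence, since Tula-635 and Tula-1480 carry no visible string; treat it as a prompt to scan the file with one of the listed detection products.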
