Ultimation Virus


 Virus Name:  Ultimation 
 Aliases:    
 V Status:    New 
 Discovered:  March, 1993 
 Symptoms:    .EXE file corruption; file date/time changes; hidden files 
              starting with "_" created; message displayed; system hangs 
 Origin:      Unknown 
 Eff Length:  23,802 Bytes Overwriting 
 Type Code:   ONE - Overwriting Non-Resident .EXE Infector 
 Detection Method:  Sweep, F-Prot, AVTK, IBMAV, ViruScan, NAV, 
                    NAVDX, VAlert, ChAV, 
                    Sweep/N, NShld, AVTK/N, NProt, Innoc, NAV/N, 
                    IBMAV/N 
 Removal Instructions:  Delete infected Files 
 
 General Comments: 
       The Ultimation virus was submitted in March, 1993.  Ultimation is 
       a non-resident direct action overwriting virus which infects .EXE 
       files.  Unlike most overwriting viruses, this one saves a copy of 
       the original, uninfected .EXE file. 
 
       When a program infected with the Ultimation virus is executed, the 
       Ultimation virus will infect one .EXE file located in the current 
       directory.  The virus first makes a copy of the original .EXE file 
       with the first character of the base file name changed to "_", and 
       sets the hidden attribute.  The virus then overwrites the first 
       23,802 bytes of the host file with its viral code.  .EXE files 
       larger than 23,802 bytes will have no file length increase, while 
       those originally smaller than 23,802 bytes will become 23,802 bytes 
       in size.  The file's date and time in the DOS disk directory will 
       have been altered to some other value.  The following text strings 
       can be found within the viral code in Ultimation infected programs: 
 
               "PATH *.EXE" 
               "I'm bored." 
               "Screw you." 
               "Life is a drag." 
               "kufc fof." 
               "Ouch! Don't hit me so hard." 
               "Floppy drive A: is flooded. Please insert J cloth." 
               "Murderer." 
               "You have been infected by ULTIMATION corp." 
               "Go directly to jail. Do not pass go. Do not collect $200." 
               "Ah ha! Caught you." 
               "Copy protection error 23. Please re-install from master." 
 
       Other than the first text string indicated above, one of the other 
       text strings may be displayed as a message, possibly accompanied by 
       a system hang, when an infected program is executed. 
 
       To disinfect an infection of the Ultimation virus, delete the 
       infected .EXE programs, and then remove the hidden attribute from 
       the .EXE file copies which start with the "_" character.  The files 
       will then need to be renamed so that the first character of the 
       file name is restored to its original value.

Show viruses from discovered during that infect .

Main Page