Virus Name: Ultimation
V Status: New
Discovered: March, 1993
Symptoms: .EXE file corruption; file date/time changes; hidden files
          starting with "_" created; message displayed; system hangs
Eff Length: 23,802 Bytes Overwriting
Type Code: ONE - Overwriting Non-Resident .EXE Infector
Detection Method: Sweep, F-Prot, AVTK, IBMAV, ViruScan, NAV,
                  NAVDX, VAlert, ChAV,
                  Sweep/N, NShld, AVTK/N, NProt, Innoc, NAV/N,
Removal Instructions: Delete infected Files

The Ultimation virus was submitted in March, 1993. Ultimation is
a non-resident, direct-action overwriting virus that infects .EXE
files. Unlike most overwriting viruses, this one saves a copy of
the original, uninfected .EXE file.

When a program infected with the Ultimation virus is executed, the
virus will infect one .EXE file located in the current directory.
The virus first makes a copy of the original .EXE file with the
first character of the base file name changed to "_", and sets the
hidden attribute on that copy. The virus then overwrites the first
23,802 bytes of the host file with its viral code. .EXE files
larger than 23,802 bytes will have no file length increase, while
those originally smaller than 23,802 bytes will become 23,802 bytes
in size. The file's date and time in the DOS disk directory will
have been altered to some other value. The following text strings
can be found within the viral code in Ultimation-infected programs:

    "Life is a drag."
    "Ouch! Don't hit me so hard."
    "Floppy drive A: is flooded. Please insert J cloth."
    "You have been infected by ULTIMATION corp."
    "Go directly to jail. Do not pass go. Do not collect $200."
    "Ah ha! Caught you."
    "Copy protection error 23. Please re-install from master."

When an infected program is executed, one of these text strings,
other than the first, may be displayed as a message, possibly
accompanied by a system hang.

To remove an Ultimation infection, delete the infected .EXE
programs, and then remove the hidden attribute from the .EXE file
copies which start with the "_" character. The files will then need
to be renamed so that the first character of the file name is
restored to its original value.
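
The removal steps above leave one thing to work out by hand: which
"_" copy belongs to which infected program. The following is an added
example, not part of the original entry, that plans the recovery
without changing any file. It assumes the strings listed above appear
unmodified in the first 23,802 bytes; the function names are
illustrative.

```python
import os
import sys

VIRAL_LEN = 23802  # bytes overwritten at the start of the host, per the entry
MARKERS = (b"You have been infected by ULTIMATION corp.",
           b"Life is a drag.")  # two of the strings listed in the entry


def looks_infected(path):
    """True if a listed string occurs within the first VIRAL_LEN bytes."""
    with open(path, "rb") as fh:
        head = fh.read(VIRAL_LEN)
    return any(marker in head for marker in MARKERS)


def plan_recovery(directory):
    """Return (infected_file, backup_or_None) pairs. Nothing is modified."""
    exes = sorted(n for n in os.listdir(directory)
                  if n.upper().endswith(".EXE"))
    infected = [n for n in exes
                if looks_infected(os.path.join(directory, n))]
    plan = []
    for host in infected:
        # The saved copy keeps every character of the name except the first.
        wanted = "_" + host[1:].upper()
        backups = [n for n in exes
                   if n.upper() == wanted and n not in infected]
        # Two infected files that differ only in their first character
        # would share one "_" name, so that pairing is left for manual review.
        rivals = [n for n in infected
                  if n != host and n[1:].upper() == host[1:].upper()]
        plan.append((host, backups[0] if backups and not rivals else None))
    return plan


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for host, backup in plan_recovery(target):
        if backup:
            print(f"{host}: delete, then unhide {backup} and rename it to {host}")
        else:
            print(f"{host}: infected, no unambiguous '_' copy found")
```

A pair reported as None needs manual review: either no saved copy
exists, or more than one infected file could own it.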