Uruguay Virus
Virus Name: Uruguay
Aliases: Uruguay 3
V Status: Rare
Discovered: December, 1992
Symptoms: .COM & .EXE growth; decrease in total system & available free
memory; system hangs; music; message displayed
Origin: Uruguay
Eff Length: 2,552 - 2,637 Bytes
Type Code: PRhA - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan, Sweep, AVTK, NAV, NAVDX, VAlert, PCScan, ChAV,
Sweep/N, AVTK/N, NShld, NAV/N, LProt, IBMAV/N, Innoc 4.0+
Removal Instructions: Delete infected Files
General Comments:
The Uruguay, or Uruguay 3, virus was submitted in December, 1992,
and is from Uruguay. Uruguay 3 is a memory resident infector of
.COM and .EXE programs, but not COMMAND.COM. Uruguay 3 and the
later versions of this virus are polymorphic, using a complex
encryption mechanism to make detection more difficult for
anti-viral products employing scanning technology. An algorithmic
approach is required to detect these viruses.
When a program infected with the Uruguay 3 virus is executed, the
Uruguay 3 virus will install itself memory resident at the top of
system memory but below the 640K DOS boundary. Total system and
available free memory, as indicated by the DOS CHKDSK program, will
have decreased by 5,120 bytes. Interrupt mapping programs will not
indicate that the virus has hooked any interrupts, though the virus
will use both interrupt 13 and 21 via a tunnelling technique.
Once the Uruguay 3 virus is memory resident, it will infect .COM
and .EXE programs when they are executed. Infected programs will
have a file length increase of 2,552 - 2,637 bytes with the virus
being located at the end of the file. The program's date and time
in the DOS disk directory listing will not be altered. The following
text string is encrypted within the viral code:
"COMMAND.COM.EXE"
Users of systems infected with Uruguay 3 will notice slow response to
execution of programs and commands. The following message will also
sometimes be displayed when an infected program is executed,
accompanied by tones on the system speaker:
"'Uruguay-#3' Virus
Programmed in Montevideo (URUGUAY) by F3161. 06/92
This is a research virus - DO NOT DISTRIBUTE"
This message is not visible within infected files as it is encrypted.
Known variant(s) of Uruguay are:
Uruguay 4: Based on the Uruguay 3 virus described above,
Uruguay 4's size in memory is 5,456 bytes. It adds
2,718 to 2,859 bytes to the .COM and .EXE programs it
infects on execution and file open for read-only. The
message displayed by the virus accompanied by a tune on
the system speaker is:
"'Uruguay-#4' Virus
Programmed in Montevideo (URUGUAY) by F3161. 07/92
This is a research virus - DO NOT DISTRIBUTE"
Origin: Uruguay December, 1992.
Uruguay 5: Based on the Uruguay 4 variant, Uruguay 5's size in
memory is 8,352 bytes. This variant of Uruguay does not
replicate at all, but stays memory resident and displays
the following message when the user presses CTRL-ALT-DEL:
"'Uruguay-#5' Virus
Programmed in Montevideo (URUGUAY) by F3161. 08/92
This is a research virus - DO NOT DISTRIBUTE"
As Uruguay 5 does not replicate, it is only included
here for informational purposes, and is not used for
anti-viral product testing.
Origin: Uruguay December, 1992.
Uruguay 6: Based on the Uruguay 5 virus described above,
Uruguay 6's size in memory is 9,504 bytes. It adds
4,879 bytes to the .COM and .EXE programs it infects on
execution and file open for read-only. The file length
increase is hidden when Uruguay 6 is memory resident. The
DOS CHKDSK program will detect file allocation errors on
all infected programs when Uruguay 6 is in memory. The
message displayed by the virus accompanied by a tune on
the system speaker is:
"'Uruguay-#6' Virus
Programmed in Montevideo (URUGUAY) by F3161. 11/92
This is a research virus - DO NOT DISTRIBUTE"
Origin: Uruguay December, 1992.
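
Added example, not part of the original entry: a baseline comparison that flags .COM and .EXE files whose growth falls in the ranges listed above for Uruguay 3, 4 and 6. File names, sizes and the FileRecord layout are constructed for illustration, and it assumes both listings are taken while the virus is not memory resident, since the entry notes that Uruguay 6 hides the length increase when it is.

```python
from typing import NamedTuple

# Growth in bytes per infected file, from this entry (Uruguay 5 does not replicate).
GROWTH_RANGES = {
    "Uruguay 3": (2552, 2637),
    "Uruguay 4": (2718, 2859),
    "Uruguay 6": (4879, 4879),
}

class FileRecord(NamedTuple):
    name: str   # DOS file name
    size: int   # length in bytes
    stamp: str  # directory date and time

def match_variant(growth):
    """Return the variant whose documented growth range contains `growth`."""
    for variant, (low, high) in GROWTH_RANGES.items():
        if low <= growth <= high:
            return variant
    return None

def suspicious_growth(baseline, current):
    """Compare two listings; return (name, growth, variant, stamp_unchanged)."""
    known = {rec.name.upper(): rec for rec in baseline}
    findings = []
    for rec in current:
        name = rec.name.upper()
        old = known.get(name)
        # Per the entry, only .COM and .EXE programs are infected, never COMMAND.COM.
        if old is None or not name.endswith((".COM", ".EXE")) or name == "COMMAND.COM":
            continue
        growth = rec.size - old.size
        variant = match_variant(growth)
        if variant:
            # The entry says Uruguay 3 leaves the directory date/time unaltered.
            findings.append((rec.name, growth, variant, rec.stamp == old.stamp))
    return findings

# Constructed sample listings (hypothetical file names, sizes and stamps).
BASELINE = [
    FileRecord("COMMAND.COM", 47845, "1991-04-09 05:00"),
    FileRecord("EDIT.COM", 413, "1991-04-09 05:00"),
    FileRecord("XCOPY.EXE", 15804, "1991-04-09 05:00"),
]
CURRENT = [
    FileRecord("COMMAND.COM", 47845, "1991-04-09 05:00"),
    FileRecord("EDIT.COM", 413 + 2600, "1991-04-09 05:00"),
    FileRecord("XCOPY.EXE", 15804 + 4879, "1991-04-09 05:00"),
]
```

Growth between the listed ranges, such as 2,700 bytes, matches no variant, so an ordinary program update is not reported unless its size change happens to land in one of the ranges.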