Uruk-hai Virus
Virus Name: Uruk-hai
Aliases:
V Status: New
Discovered: February, 1993
Symptoms: .COM file growth; file date/time changes
Origin: USSR
Eff Length: 394 Bytes
Type Code: PRxCK - Parasitic Resident .COM Infector
Detection Method: Sweep, AVTK, F-Prot, IBMAV, ChAV, ViruScan, NAV, NAVDX,
VAlert, Sweep/N, AVTK/N, NShld, NProt, IBMAV/N, Innoc, NAV/N, LProt
Removal Instructions: Delete infected Files
General Comments:
The Uruk-hai virus was submitted in February, 1993, and is from the
USSR. Uruk-hai is a memory resident infector of .COM programs,
including COMMAND.COM.
When the first Uruk-hai infected program is executed, this virus
will install itself memory resident in a "hole" in low allocated
system memory, hooking interrupt 21. Total system and available
free memory, as indicated by the DOS CHKDSK program, will not be
altered.
Once the Uruk-hai virus is memory resident, it will infect .COM
programs when they are executed. If COMMAND.COM is executed, it
will become infected. Programs infected with the Uruk-hai virus
will have a file length increase of 394 bytes with the virus being
located at the end of the file. The program's date and time in the
DOS disk directory listing will have been updated to the current
system date and time when infection occurred. The following text
string can be found within the viral code in all Uruk-hai infected
programs:
"V 1.0 Igor,1992 The Uruk-hai are upon you!"
Known variant(s) of Uruk-hai are:
Uruk-hai 300: A 300 byte variant of the Uruk-hai virus
described above, this variant also resides in a "hole"
in allocated memory, hooking interrupt 21. It
infects .COM programs when they are executed, adding
300 bytes to their length. The virus is located at
the end of the file. The program's date and time in
the DOS disk directory listing will have been updated
to the current system date and time when infection
occurred. The following text string can be found
within the viral code in all Uruk-hai 300 infected
files:
"Igor 1992 v.2.0 The Uruk-hai and winged Nazgul
strikes again!"
Origin: USSR June, 1993.
Uruk-hai 361: A 361 byte variant of the Uruk-hai virus
described above, this variant becomes memory resident
at the top of system memory but below the 640K DOS
boundary, moving interrupt 12's return. Total system
and available free memory, as indicated by the DOS
CHKDSK program, will have decreased by 1,024 bytes.
Interrupt 21 will be hooked by the virus in memory. It
infects .COM programs when they are executed, adding
361 bytes to their length. The virus is located at
the end of the file. The program's date and time in
the DOS disk directory listing will have been updated
to the current system date and time when infection
occurred. The following text string can be found
within the viral code in all Uruk-hai 361 infected
files:
"Igor 1992 v.3.0 It was last assault of the Uruk-hai...
We shall meet in Valhalla!"
Origin: USSR June, 1993.
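
The two indicators given above for each variant (the number of bytes added at the end of the file and the embedded text string) can be combined into a simple file check. The following is an added example, not part of the original entry and not any listed scanner's method. It assumes the strings are stored as plain ASCII and matches only a fragment of each string that sits on a single line of the entry; the sample files it writes are constructed filler bytes.

```python
import os
import tempfile

# (variant, bytes appended, marker) taken from the entry above. Each marker is
# a fragment of the quoted string that sits on one line of the entry.
VARIANTS = [
    ("Uruk-hai", 394, b"The Uruk-hai are upon you!"),
    ("Uruk-hai 300", 300, b"Igor 1992 v.2.0"),
    ("Uruk-hai 361", 361, b"Igor 1992 v.3.0"),
]
MAX_TAIL = max(length for _, length, _ in VARIANTS)

def check_file(path):
    """Return (variant, file length before growth) for one file, or None."""
    with open(path, "rb") as fh:
        size = fh.seek(0, os.SEEK_END)
        fh.seek(max(0, size - MAX_TAIL))
        tail = fh.read()
    for name, length, marker in VARIANTS:
        # The entry places the added bytes at the end of the file, so the
        # marker only counts when it lies inside the last `length` bytes.
        if size > length and marker in tail[-length:]:
            return name, size - length
    return None

def scan_tree(root):
    """Walk root and return {path: (variant, host length)} for flagged .COM files."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            result = fn.upper().endswith(".COM") and check_file(path)
            if result:
                hits[path] = result
    return hits

def build_samples(root):
    """Write constructed sample files: filler bytes plus the marker text only."""
    host = b"\x90" * 1000
    grown = host + (b"\x00" * 100 + VARIANTS[0][2]).ljust(394, b"\x00")
    samples = {"CLEAN.COM": host, "GROWN.COM": grown, "NOTE.COM": VARIANTS[1][2] + host}
    for fn, data in samples.items():
        with open(os.path.join(root, fn), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_samples(tmp)
        print(scan_tree(tmp))
```

NOTE.COM carries a marker at the start of the file rather than in the appended tail, so it is not flagged; the reported host length is the file size minus the variant's stated growth.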