USSR 1049 Virus
Virus Name: USSR 1049
Aliases: RCE-1049, 1049
V Status: Rare
Discovered: December, 1990
Symptoms: .COM & .EXE growth; system hangs; decrease in total system
and available free memory
Eff Length: 1,049 Bytes
Type Code: PRhA - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan, AVTK, F-Prot, Sweep, ChAV,
NAV, IBMAV, NAVDX, VAlert, PCScan,
NShld, LProt, Sweep/N, Innoc, AVTK/N, IBMAV/N, NAV/N,
Removal Instructions: Delete infected files
The USSR 1049 virus was received in December, 1990. It originated
in the USSR. This virus is a memory resident infector of .COM and
.EXE files, and does not infect COMMAND.COM.
When the first program infected with USSR 1049 is executed, the
virus will install itself memory resident at the top of system
memory but below the 640K DOS boundary. This memory will be 1,056
bytes in size and is reserved. The interrupt 12 return is not
moved. Interrupt 21 will be hooked by the virus.
After USSR 1049 is memory resident, the virus will infect .COM and
.EXE files when they are executed. The virus, however, will not
infect very small .EXE files. Infected files will increase in size
by 1,051 to 1,064 bytes, the virus will be located at the end of
the infected program.
USSR 1049 is unusual in that it contains some code to support a
deactivation code via a special interrupt 21 call that will stop
the virus from infecting files. This code may have been used by
the author when developing the virus to stop it from infecting
Systems infected with the USSR 1049 virus may experience system
hangs when attempting to execute .EXE programs. These hangs
occasionally occur when the virus infects .EXE program, though the
program being infected will actually be infected.
USSR 1049 does not do anything besides replicate.