V800 Virus


 Virus Name:  V800 
 Aliases:     Live after Death Virus 
 V Status:    Rare 
 Discovered:  May, 1990 
 Symptoms:    .COM growth; decrease in total system and available memory 
 Origin:      Bulgaria 
 Eff Length:  800 Bytes 
 Type Code:   PRC - Parasitic Resident .COM Infector 
 Detection Method:  ViruScan, F-Prot, NAV, AVTK, Sweep, IBMAV, 
                    NAVDX, VAlert, PCScan, ChAV, 
                    NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, IBMAV/N, 
                    NAV/N 
 Removal Instructions:  F-Prot, or delete infected files 
 
 General Comments: 
       The V800, or Live after Death, virus was isolated in Bulgaria by 
       Vesselin Bontchev in May, 1990.  The V800 is a self-encrypting 
       memory resident .COM infector, and it does not infect COMMAND.COM. 
       This virus is thought to have been written by the same person as 
       the Dark Avenger virus since many of the same techniques are used. 
 
       The virus has received an alias of the Live after Death virus as 
       the virus contains the "Live after Death" string, though it cannot 
       be seen in infected files as the virus is encrypted. 
 
       The first time an infected program is run on a system, the V800 
       virus will install itself memory resident.  In the process of 
       installing itself resident, it will decrease available system 
       memory by 16K, using 8,192 bytes for itself in the top of available 
       free memory.  It will also hook interrupt 2A. 
 
       Once in memory, every time a .COM file is attempted to be executed, 
       the virus will check to see if it is a candidate for infection. 
       Whether the file will be infected depends on the size of the .COM 
       file when it is attempted to be executed.  In no event is a .COM 
       file smaller than 1024 bytes infected, but not all .COM files over 
       1024 bytes are infected either. 
 
       The V800 virus will reinfect .COM files, with the file's size 
       increasing by 800 bytes with each infection.  It does not, however, 
       infect .COM files more than eight times. 
 
       Known variant(s) of V800 are: 
       V800M: Very similar to V800, the major difference is that V800M 
              will infect files on both file open and file execute, 
              putting this variant into the "Stealth" virus category. When 
              the virus becomes memory resident, total system and free 
              memory will decrease by only 8,192 bytes.  This variant does 
              not have the "Live after Death" string in it.

Show viruses from discovered during that infect .

Main Page