V2000 Virus


 Virus Name:  V2000 
 Aliases:     Dark Avenger II, Stealth Virus, Travel Virus, Eddie 2000, 
              Apocalypse II 
 V Status:    Rare 
 Discovered:  1989 
 Symptoms:    TSR; .COM, .EXE, .OV? growth (see text); crashes; 
              cross-linked files following CHKDSK. 
 Origin:      Bulgaria 
 Eff Length:  2,000 Bytes 
 Type Code:   PRA - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  ViruScan, AVTK, NAV, F-Prot, Sweep, IBMAV, 
                    NAVDX, VAlert, PCScan, ChAV, 
                    NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, 
                    NAV/N, IBMAV/N 
 Removal Instructions:  NAV, or delete infected files 
 
 General Comments: 
       The V2000, or Dark Avenger II, virus is a memory resident generic 
       file infector.  The first isolated samples of this virus were 
       received from Bulgaria, where it was isolated by Daniel Kalchev and 
       Niki Spahiev. 
 
       V2000 will infect .COM, .EXE, and Overlay files, as well as 
       COMMAND.COM.  When the first infected file is executed, the virus 
       installs itself memory resident, and then infected COMMAND.COM if 
       it has not already been infected.  Then, when an executable file is 
       opened for any reason, it is infected if it hasn't been previously 
       infected. 
 
       Increased file lengths will not be shown if the V2000 virus is 
       present in memory when a DIR command is issued.  Issuing a CHKDSK 
       /F command on infected systems may result in cross-linking of files 
       since the directory information may not appear to match the entries 
       in the file allocation table (FAT). 
 
       Systems infected with the V2000 virus will experience unexpected 
       system crashes, resulting in lost data.  Some systems may also 
       become unbootable due to the modification of COMMAND.COM or the 
       hidden system files. 
 
       One of the following two text strings will appear in the viral code 
       in infected files, thus accounting for the alias of Travel virus 
       used in Bulgaria: 
 
              "Zopy me - I want to travel" 
              "Copy me - I want to travel" 
 
       There are reports from Bulgaria that the V2000 virus looks for and 
       hangs the system if programs written by Vesselin Bontchev are 
       attempted to be executed.  This would explain the presence of the 
       following copyright notice within the viral code: 
 
              "(c) 1989 by Vesselin Bontchev" 
 
       Known variant(s) of V2000 are: 
       V2000-B: (Die Young) Similar to the V2000 virus, the main 
                difference is that the text string "Zopy me - I want to 
                travel" is now "Only the Good die young..." or "Mnly the 
                Good die young..." and the encryption used by the virus is 
                different.  This variant is actually the original virus, 
                predating V2000. 
       Apocalypse II: Apocalypse II was received from Europe in May, 
                      1991.  It is similar to V2000 and V2000-B, the 
                      major change being that it no longer crashes 
                      the system, and the text string "Zopy me - I want 
                      to travel" is now "Apocalypse II begin!!".  This 
                      variant also modifies the boot sector, but not with 
                      an infectious copy of the virus. 
 
       See:   Dark Avenger   V651   V1024

Show viruses from discovered during that infect .

Main Page