Atas II Virus
Virus Name: Atas II
V Status: Rare
Discovery: January, 1993
Symptoms: .COM file growth; decrease in total system & available free
memory; file allocation errors; system hangs
Eff Length: 3,321 Bytes
Type Code: PRtCK - Parasitic Resident .COM Infector
Detection Method: AVTK, Sweep, F-Prot, ViruScan, NAVDX, VAlert,
IBMAV, NAV, PCScan, ChAV,
Sweep/N, Innoc, NShld, AVTK/N, IBMAV/N, NAV/N, LProt
Removal Instructions: Delete infected files
The Atas II, or Atas-3321, virus was submitted in January, 1993, and
is originally from Poland. Atas II is a memory resident infector of
.COM programs, including COMMAND.COM. It is a semi-stealth virus as
it hides the file length increase on infected programs when the virus
is memory resident.
When the first Atas II infected program is executed, the Atas II
virus will install itself memory resident at the top of system memory
but below the 640K DOS boundary, moving interrupt 12's return. Total
system and available free memory, as indicated by the DOS CHKDSK
program, will have decreased by 10,240 bytes. Interrupts 08, 10,
16, 1C, and 21 will be hooked by Atas II in memory.
Once the Atas II virus is memory resident, it will infect .COM
programs, including COMMAND.COM, when they are executed. Infected
programs will have a file length increase of 3,321 bytes, though the
file length increase will be hidden when the virus is resident in
memory. The virus will be located at the end of infected files, and
the program's date and time in the DOS disk directory listing will
not be altered. The following text strings are encrypted within the
Atas II viral code:
"bye <ò> music"
"ATAS Corporation.(B)1992,V1 Created in the Kiev by ATAS."
Systems infected with the Atas II will experience file allocation
errors being detected on all infected programs by the DOS CHKDSK
program when it is executed with the virus memory resident. It is
unknown what else Atas may do.