Atas II Virus


 Virus Name:  Atas II 
 Aliases:     Atas-3321 
 V Status:    Rare 
 Discovery:   January, 1993 
 Symptoms:    .COM file growth; decrease in total system & available free 
              memory; file allocation errors; system hangs 
 Origin:      Poland 
 Eff Length:  3,321 Bytes 
 Type Code:   PRtCK - Parasitic Resident .COM Infector 
 Detection Method:  AVTK, Sweep, F-Prot, ViruScan, NAVDX, VAlert, 
                    IBMAV, NAV, PCScan, ChAV, 
                    Sweep/N, Innoc, NShld, AVTK/N, IBMAV/N, NAV/N, LProt 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Atas II, or Atas-3321, virus was submitted in January, 1993, and 
       is originally from Poland.  Atas II is a memory resident infector of 
       .COM programs, including COMMAND.COM.  It is a semi-stealth virus as 
       it hides the file length increase on infected programs when the virus 
       is memory resident. 
 
       When the first Atas II infected program is executed, the Atas II 
       virus will install itself memory resident at the top of system memory 
       but below the 640K DOS boundary, moving interrupt 12's return.  Total 
       system and available free memory, as indicated by the DOS CHKDSK 
       program, will have decreased by 10,240 bytes.  Interrupts 08, 10, 
       16, 1C, and 21 will be hooked by Atas II in memory. 
 
       Once the Atas II virus is memory resident, it will infect .COM 
       programs, including COMMAND.COM, when they are executed.  Infected 
       programs will have a file length increase of 3,321 bytes, though the 
       file length increase will be hidden when the virus is resident in 
       memory.  The virus will be located at the end of infected files, and 
       the program's date and time in the DOS disk directory listing will 
       not be altered.  The following text strings are encrypted within the 
       Atas II viral code: 
 
               "bye <> music" 
               "letters" 
               "display Bye-Bye" 
               "========.===" 
               "ATAS Corporation.(B)1992,V1 Created in the Kiev by ATAS." 
 
       Systems infected with the Atas II will experience file allocation 
       errors being detected on all infected programs by the DOS CHKDSK 
       program when it is executed with the virus memory resident.  It is 
       unknown what else Atas may do. 
 
       See:   Atas 

Show viruses from discovered during that infect .

Main Page