VFSI Virus

 Virus Name:  VFSI 
 Aliases:     437, Happy Day, VFSI.437 
 V Status:    Rare 
 Discovered:  September, 1990 
 Symptoms:    .COM growth; message 
 Origin:      Bulgaria 
 Eff Length:  437 Bytes 
 Type Code:   PNCK - Parasitic Non-Resident .COM Infector 
 Detection Method:  ViruScan, AVTK, F-Prot, NAV, Sweep, IBMAV, 
                    NAVDX, VAlert, PCScan, ChAV, 
                    NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, 
                    NAV/N, IBMAV/N 
 Removal Instructions:  Delete infected files 
 General Comments: 
       The VFSI virus was isolated in September, 1990 at VFSI (the Higher 
       Institute of Financial Management) located in Svistov, a town on 
       the Danube.  VFSI is a non-resident, direct action, infector of 
       .COM files, including COMMAND.COM. 
       When a program infected with the VFSI virus is executed, it will 
       infect one other .COM file located in the current directory. 
       Candidate files to be infected are first aligned to be a multiple 
       of 16, and then the viral code is added.  Infected files will 
       increase in length by between 437 and 452 bytes, with the viral 
       code being located at the end of infected files. 
       Infected files can be easily identified as they will always contain 
       the following hex string: 3A483F244B6F636E706C74. 
       On approximately one out of five executions of an infected program, 
       the program will flash the following message on the screen: 
               "HELLO!!! HAPPY DAY and SUCCESS 
                  from virus 1.1 VFSI-Svistov" 
       This message is encrypted in the viral code, so it is not visible 
       in infected files. 
       Known variant(s) of VFSI are: 
       VFSI.427: Received in January, 1996, this is a 427 byte variant 
           of the VFSI virus described above.  It adds 427 to 443 bytes to 
           the .COM files it infects.  This variant will occassionally 
           display a message, "HAPPY BIRTHDAY VIRUS", when an infected 
           program is executed.  The following text string can be found 
           within the viral code in all infected programs: 
           Origin:  Unknown  January, 1996. 

Show viruses from discovered during that infect .

Main Page