Virus Name: VFSI
Aliases: 437, Happy Day, VFSI.437
V Status: Rare
Discovered: September, 1990
Symptoms: .COM growth; message
Eff Length: 437 Bytes
Type Code: PNCK - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan, AVTK, F-Prot, NAV, Sweep, IBMAV,
NAVDX, VAlert, PCScan, ChAV,
NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N,
Removal Instructions: Delete infected files
The VFSI virus was isolated in September, 1990 at VFSI (the Higher
Institute of Financial Management) located in Svistov, a town on
the Danube. VFSI is a non-resident, direct action, infector of
.COM files, including COMMAND.COM.
When a program infected with the VFSI virus is executed, it will
infect one other .COM file located in the current directory.
Candidate files to be infected are first aligned to be a multiple
of 16, and then the viral code is added. Infected files will
increase in length by between 437 and 452 bytes, with the viral
code being located at the end of infected files.
Infected files can be easily identified as they will always contain
the following hex string: 3A483F244B6F636E706C74.
On approximately one out of five executions of an infected program,
the program will flash the following message on the screen:
"HELLO!!! HAPPY DAY and SUCCESS
from virus 1.1 VFSI-Svistov"
This message is encrypted in the viral code, so it is not visible
in infected files.
Known variant(s) of VFSI are:
VFSI.427: Received in January, 1996, this is a 427 byte variant
of the VFSI virus described above. It adds 427 to 443 bytes to
the .COM files it infects. This variant will occassionally
display a message, "HAPPY BIRTHDAY VIRUS", when an infected
program is executed. The following text string can be found
within the viral code in all infected programs:
Origin: Unknown January, 1996.