VFSI Virus

Virus Name: VFSI Aliases: 437, Happy Day, VFSI.437 V Status: Rare Discovered: September, 1990 Symptoms: .COM growth; message Origin: Bulgaria Eff Length: 437 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan, AVTK, F-Prot, NAV, Sweep, IBMAV, NAVDX, VAlert, PCScan, ChAV, NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, NAV/N, IBMAV/N Removal Instructions: Delete infected files General Comments: The VFSI virus was isolated in September, 1990 at VFSI (the Higher Institute of Financial Management) located in Svistov, a town on the Danube. VFSI is a non-resident, direct action, infector of .COM files, including COMMAND.COM. When a program infected with the VFSI virus is executed, it will infect one other .COM file located in the current directory. Candidate files to be infected are first aligned to be a multiple of 16, and then the viral code is added. Infected files will increase in length by between 437 and 452 bytes, with the viral code being located at the end of infected files. Infected files can be easily identified as they will always contain the following hex string: 3A483F244B6F636E706C74. On approximately one out of five executions of an infected program, the program will flash the following message on the screen: "HELLO!!! HAPPY DAY and SUCCESS from virus 1.1 VFSI-Svistov" This message is encrypted in the viral code, so it is not visible in infected files. Known variant(s) of VFSI are: VFSI.427: Received in January, 1996, this is a 427 byte variant of the VFSI virus described above. It adds 427 to 443 bytes to the .COM files it infects. This variant will occassionally display a message, "HAPPY BIRTHDAY VIRUS", when an infected program is executed. The following text string can be found within the viral code in all infected programs: "*.COM" Origin: Unknown January, 1996.