Virus Name: Athens
V Status: Rare
Discovery: May, 1992
Symptoms: .COM & .EXE growth; "General Failure error reading drive"
Origin: Athens, Greece
Eff Length: 1,463 Bytes
Type Code: PRfAK - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan, F-Prot, Sweep, NAV, IBMAV, AVTK,
NAVDX, VAlert, PCScan, ChAV,
NShld, Sweep/N, Innoc, NProt, AVTK/N, LProt, NAV/N,
Removal Instructions: Delete infected files
The Athens virus was discovered in Athens, Greece, in May, 1992.
This virus is a memory resident stealth virus which infects .COM
and .EXE programs, including COMMAND.COM.
When the first program infected with the Athens virus is executed,
this virus will install itself memory resident at the top of system
memory but below the 640K DOS boundary, though the memory is not
reserved. Total system and available free memory will not be
altered. If COMMAND.COM was not previously infected, it will
be infected at this time. No change in file length will be visible.
Once the Athens virus is memory resident, it will infect .COM and
.EXE programs when they are executed or opened for any reason.
Infected programs will have a file length increase of 1,463 bytes,
with the virus being located at the end of the infected file. The
file length increase will be hidden by the virus when it is
memory resident. The file's date and time in the DOS disk directory
listing will not be altered.
The following text string is encrypted within the viral code in
"TROJECTOR II,(c) Armagedon Utilities, Athens 1992"
Systems infected with the Athens virus may experience general
failure errors when attempting to execute programs on diskettes,
requiring an Abort, Retry, Ignore, or Fail response.
It is unknown if Athens does anything besides replicate.
Trojector: Probably an earlier version of the Athens virus
described above, Trojector's size in memory is
3,776 bytes, hooking interrupt 21. It infects .COM and
.EXE programs, including COMMAND.COM, when they are
executed or opened with the virus memory resident.
Infected programs will have a file length increase of
1,561 bytes, though the length increase will not be
visible when Trojector is memory resident. The virus
will be located at the end of the infected program.
The following text strings are encrypted within the
"TROJECTOR ]I[,(c) Armagedon Utilities, Athens 1992,"
"Greetings to Vesselin"
Systems infected with Trojector may experience system
hangs when infected .COM programs are executed, as well
as the DOS CHKDSK program indicating errors on disks
regardless of whether the virus is memory resident.
Origin: Greece August, 1992.
Trojector-B: Similar to Trojector, Trojector-B has been altered
to avoid detection by some anti-viral scanning programs.
Origin: Unknown January, 1994.