Atomic 1 Virus


 Virus Name:  Atomic 1 
 Aliases:     Atomic 1A 
 V Status:    Viron 
 Discovery:   May, 1993 
 Symptoms:    .COM file corruption; program execution failure; 
              "Bad command or file name" message on program execution 
 Origin:      Canada 
 Eff Length:  371 Bytes Overwriting 
 Type Code:   ONCK - Overwriting Non-Resident .COM Infector 
 Detection Method:  F-Prot, AVTK, ViruScan, IBMAV, NAV, NAVDX, Sweep, 
                    VAlert, PCScan, ChAV, 
                    NShld, NProt, AVTK/N, IBMAV/N, Sweep/N, NAV/N, Innoc, 
                    LProt 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Atomic 1, or Atomic 1A, virus was submitted in May, 1993, and
       is from Canada.  Atomic 1 is a non-resident, direct action
       overwriting virus.  It permanently corrupts the .COM programs it
       infects.
 
       When a program infected with the Atomic 1 virus is executed, the 
       Atomic 1 virus will infect the first two .COM files located in the 
       current directory, and then the following message will be displayed: 
  
               "Bad command or file name" 
 
       The user is then returned to the DOS prompt. 
 
       Programs infected with the Atomic 1 virus will have the first 371 
       bytes overwritten by the Atomic 1 viral code.  Since the virus does 
       not check to see if the programs it is infecting were previously 
       infected, it will not spread past the first two .COM files in any 
       directory.  The program's date and time in the DOS disk directory 
       listing will not be altered.  The following text strings are visible 
       within the viral code in all Atomic 1 infected programs: 
 
               "[TAD1A] Memory Lapse -- Toronto, CANADA" 
               "The Atomic Dustbin 1A -- This is just the first step" 
               "Bad command or file name" 
               "*.COM .. c Dustbin 1A -- This is just the first step" 
 
       Known variant(s) of Atomic 1 are: 
       Atomic 1B: A 480 byte variant of the virus described above, it 
                  infects the first two .COM files in the current directory 
                  when an infected program is executed, and then displays 
                  the following message: 
                  "Program execution terminated" 
                  The following text strings are visible within the viral 
                  code in all Atomic 1B infected programs: 
                  "[TAD1B] Memory Lapse -- Toronto, CANADA" 
                  "The Atomic Dustbin 1B -- This is almost the second step" 
                  "Program execution terminated" 
                  "The Atomic Dustbin - YOUR PHUCKED!" 
                  "*.COM .." 
                  Origin:  Canada  May, 1993. 
       Atomic.425: Received in May, 1996, this is a 425 byte companion 
           virus version of the Atomic 1 virus described above.  It becomes 
           memory resident as a low system memory TSR of 992 bytes, hooking 
           interrupt 21.  Once resident, it creates a 425 byte companion 
           .COM file for each .EXE file which the user executes or opens. 
           The companion files will have the current system date and time 
           when they were created, as well as having the hidden attribute 
           set.  The following text strings are visible within the viral 
           code: 
           "Atomic v1.00" 
           "by MnemoniX" 
           Origin:  Unknown  May, 1996. 
             
       See:   Atomic 2 
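
       Added example (not part of the original entry): a read-only Python
       check that matches file bytes against the text strings and lengths
       listed above.  Function names and sample bytes are constructed; it
       assumes Atomic 1B overwrites the first 480 bytes the same way.

```python
# Added example: read-only triage built from the strings and lengths in this entry.
# Function names and all sample bytes are constructed for illustration.

# variant -> (bytes overwritten at file start, strings visible in that region)
OVERWRITERS = {
    "Atomic 1 (1A)": (371, (b"[TAD1A] Memory Lapse -- Toronto, CANADA",
                            b"Bad command or file name")),
    "Atomic 1B": (480, (b"[TAD1B] Memory Lapse -- Toronto, CANADA",
                        b"Program execution terminated")),
}
COMPANION_SIZE = 425
COMPANION_MARKERS = (b"Atomic v1.00", b"by MnemoniX")


def classify_com(data):
    """Name the overwriting variant whose strings all lie in the overwritten prefix."""
    for name, (length, markers) in OVERWRITERS.items():
        head = data[:length]
        # Require every marker: the displayed message alone is too generic.
        if all(m in head for m in markers):
            return name
    return None


def find_companions(entries):
    """entries maps filename -> (data, hidden). Return hidden 425-byte .COM
    files carrying the Atomic.425 strings that shadow an .EXE of the same name."""
    names = {n.upper() for n in entries}
    hits = []
    for name, (data, hidden) in entries.items():
        stem, _, ext = name.upper().rpartition(".")
        if (ext == "COM" and hidden and len(data) == COMPANION_SIZE
                and stem + ".EXE" in names
                and all(m in data for m in COMPANION_MARKERS)):
            hits.append(name)
    return sorted(hits)


def _sample(markers, size, tail=b""):
    """Constructed test bytes: markers, zero padding up to size, then tail."""
    body = b"".join(markers)
    return body + b"\x00" * (size - len(body)) + tail


if __name__ == "__main__":
    infected = _sample(OVERWRITERS["Atomic 1 (1A)"][1], 371, b"host remainder")
    print(classify_com(infected))
    listing = {"EDIT.EXE": (b"MZ" + b"\x00" * 98, False),
               "EDIT.COM": (_sample(COMPANION_MARKERS, 425), True)}
    print(find_companions(listing))
```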
