Vlad Virus
Virus Name: Vlad
Aliases: Vlad.653
V Status: New
Discovered: July, 1995
Symptoms: .EXE file growth; decrease in available free memory;
.EXE file corruption; system hangs
Origin: Unknown
Eff Length: 653 Bytes
Type Code: PRhE - Parasitic Resident .EXE Infector
Detection Method: F-Prot, AVTK, VAlert, Sweep, IBMAV,
ViruScan, NAV, NAVDX, ChAV,
Sweep/N, IBMAV/N, AVTK/N, NShld, NAV/N, Innoc
Removal Instructions: Delete infected files
General Comments:
The Vlad or Vlad.653 virus was received in July, 1995. Its origin
or point of isolation is unknown. Vlad is a memory resident
infector of .EXE files.
When the first Vlad infected program is executed, this virus
will become memory resident at the top of system memory but below
the 640K DOS boundary, without changing the value returned by interrupt 12. Available
system memory will have decreased by approximately 768 bytes. The
virus will have hooked interrupt 21.
Once the Vlad virus is memory resident, it will either corrupt or
infect .EXE files when they are executed or opened, but not when
copied. In either case, the .EXE file will have a file length
increase of 653 bytes with the virus being located at the end of
the file. The program's date and time in the DOS disk directory
listing will not be altered. The following text string is visible
within the viral code:
"[VLAD-DIR] [Darkman/VLAD]"
System hangs frequently occur when .EXE programs are executed.
Known variant(s) of Vlad are:
Vlad.651: Received in January, 1996, this is a 651 byte variant
of the Vlad virus described above. It infects all of the .EXE
files in the current directory when a DOS DIR command is issued
with the virus memory resident. Infected files will have a file
length increase of 651 bytes with the virus being located at the
end of the file. The program's date in the DOS directory
listing will have been changed to "01-02-80"; the time will not
be altered. The following text strings are visible within the
viral code:
"*.EXE"
"[Replicator]"
"[Darkman/VLAD]"
Origin: Australia January, 1996.
Vlad.655: Received in January, 1996, this is a 655 byte variant
of the Vlad virus described above. It infects all of the .EXE
files in the current directory when .EXE files are executed,
opened, or located in a directory which is the target of a DOS DIR
command. Infected files will have a file length increase of 655
bytes with the virus being located at the end of the file. The
program's date in the DOS directory listing will have been
changed to "01-02-80"; the time will not be altered. The
following text strings are visible within the viral code:
"*.EXE"
"[Replicator]"
"[Darkman/VLAD]"
Origin: Australia January, 1996.
Vlad.692: Received in January, 1996, this is a 692 byte variant
of the Vlad virus described above. Its size in memory is 1,408
bytes, hooking interrupt 21. This variant infects .COM and .EXE
files, including COMMAND.COM, when they are executed. Infected
files will have a file length increase of 692 bytes with the
virus being located at the end of the file. The program's date
and time in the DOS directory listing will not be altered. The
following text string is encrypted within the viral code:
"[DOS Idle] [Darkman/VLAD]"
Origin: Australia January, 1996.
Vlad.696: Received in January, 1996, this is a 696 byte variant
of the Vlad virus described above. Its size in memory is 1,424
bytes, hooking interrupt 21. This variant infects .COM and .EXE
files, including COMMAND.COM, when they are executed. Infected
files will have a file length increase of 696 bytes with the
virus being located at the end of the file. The program's date
and time in the DOS directory listing will not be altered. The
following text string is encrypted within the viral code:
"[DOS Idle] [Darkman/VLAD]"
Origin: Australia January, 1996.
Vlad.1066: Received in December, 1996, this is a 1,066 byte virus
written by the same author as the Vlad virus group. It becomes
memory resident at the top of system memory but below the 640K
DOS boundary, hooking interrupt 21. Available free memory will
have decreased by approximately 2,320 bytes. Once resident, it
infects .COM and .EXE files, including COMMAND.COM, when they are
executed, opened, or copied. Infected programs will have a file
length increase of 1,066 bytes with the virus being located in
the middle of the file. The program's date and time in the DOS
disk directory listing will not be altered. The following text
string is within the viral code:
"[Mon ami la pendule] - Metabolis/VLAD"
Origin: Australia December, 1996.
Vlad.2352: Received in December, 1996, this is a 2,352 byte virus
written by the same author as the Vlad virus group. It becomes
memory resident at the top of system memory but below the 640K
DOS boundary, hooking interrupt 21. Available free memory will
have decreased by approximately 4,720 bytes. Once resident, it
infects .COM files when they are executed, increasing their size
by 2,352 bytes. The virus will be located at the end of the file.
The program's date and time in the DOS disk directory listing will
not be altered. The following text strings are visible within
the viral code:
"[Midnight] by Antigen/VLAD"
"Hi Zvi!! Thanks for inspiring the idea :)"
Beeping and system hangs may occur when programs are executed with
this virus memory resident.
Origin: Australia December, 1996.
See: PH33R
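Added example (not part of the original entry and not code from any of the scanners it lists): a Python triage check that looks for the text strings the entry gives as visible in the viral code, in the part of the file where the entry says each variant sits, and separately flags the "01-02-80" date stamp of Vlad.651 and Vlad.655. The names MARKERS, DATE_STAMP, triage and demo, the MM-DD-YY reading of the date, and the sample files built in demo() are assumptions made for illustration.

```python
import datetime, os, tempfile

# Per variant: (file growth in bytes, appended at end of file?, visible strings).
# Vlad.692 and Vlad.696 are omitted: the entry says their string is encrypted.
MARKERS = {
    "Vlad.653":  (653,  True,  [b"[VLAD-DIR] [Darkman/VLAD]"]),
    "Vlad.651":  (651,  True,  [b"*.EXE", b"[Replicator]", b"[Darkman/VLAD]"]),
    "Vlad.655":  (655,  True,  [b"*.EXE", b"[Replicator]", b"[Darkman/VLAD]"]),
    "Vlad.1066": (1066, False, [b"[Mon ami la pendule] - Metabolis/VLAD"]),
    "Vlad.2352": (2352, True,  [b"[Midnight] by Antigen/VLAD",
                                b"Hi Zvi!! Thanks for inspiring the idea :)"]),
}
# Assumption: "01-02-80" is MM-DD-YY, i.e. 2 January 1980.
DATE_STAMP = datetime.date(1980, 1, 2)

def triage(path):
    """Return (candidate variants, True if the file date is the 651/655 stamp)."""
    with open(path, "rb") as fh:
        data = fh.read()
    hits = []
    for name, (growth, at_end, strings) in MARKERS.items():
        # Appended variants: every string must lie in the last `growth` bytes.
        region = data[-growth:] if at_end else data
        if all(s in region for s in strings):
            hits.append(name)
    stamped = datetime.date.fromtimestamp(os.path.getmtime(path)) == DATE_STAMP
    return hits, stamped

def demo():
    """Triage constructed files: inert filler plus marker text, no viral code."""
    body = b"MZ" + b"\x00" * 4000
    tail = b"*.EXE\x00[Replicator]\x00[Darkman/VLAD]".ljust(651, b"\x00")
    samples = {
        "clean.exe": body,
        "tail.exe": body + tail,
        # Marker near the start only: not consistent with an appended variant.
        "early.exe": b"[VLAD-DIR] [Darkman/VLAD]" + body,
    }
    noon = datetime.datetime(1980, 1, 2, 12).timestamp()
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, blob in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(blob)
            if name == "tail.exe":  # give it the constructed 1980 date stamp
                os.utime(path, (noon, noon))
            results[name] = triage(path)
    return results
```

Vlad.651 and Vlad.655 carry the same strings, so a string match reports both as candidates; the 651 versus 655 byte growth is what tells them apart.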