Voronezh-Chemist Virus


 Virus Name:  Voronezh-Chemist 
 Aliases:     Chemist, Video Mode, Voronezh-650 
 V Status:    Rare 
 Discovered:  January, 1992 
 Symptoms:    .COM file growth; decrease in total system & available free 
              memory 
 Origin:      Unknown 
 Eff Length:  650 Bytes 
 Type Code:   PRhCK - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  Sweep, ViruScan, F-Prot, AVTK, IBMAV, 
                    NAV, NAVDX, VAlert, PCScan, ChAV, 
                    NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, 
                    NAV/N, IBMAV/N 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Voronezh-Chemist, or Chemist, virus was submitted in January, 
       1992.  Its origin is unknown, though it is related to the Voronezh 
       and Voronezh-370 viruses.  Voronezh-Chemist is a memory resident 
       infector of .COM programs, including COMMAND.COM. 
 
       The first time a program infected with the Voronezh-Chemist virus 
       is executed, this virus will install itself memory resident at the 
       top of system memory but below the 640K DOS boundary.  Total system 
       and available free memory will have decreased by 2,048 bytes. 
       Interrupt 12's return will not have been moved.  Interrupts 21 and 
       24 will be hooked by the virus. 
 
       Once Voronezh-Chemist is memory resident, it will infect .COM 
       programs when they are executed.  Infected programs will have a 
       file length increase of 650 bytes with the virus being located at 
       the beginning of the infected file.  The file's date and time in 
       the DOS disk directory listing will not have been altered. 
 
       The following text strings can be found within the viral code in 
       all Voronezh-Chemist infected programs: 
 
               "Video mode 80x25 not supported" 
               "16.01.91, v1.00" 
 
       It is unknown if Voronezh-Chemist does anything besides replicate. 
 
       Known variant(s) of Voronezh-Chemist are: 
       Voronezh-650: Functionally similar to the Voronezh-Chemist 
                 virus described above, this variant has three bytes which 
                 differ. 
                 Origin:  USSR  December, 1992. 
 
       See:   Voronezh   Voronezh-370 
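
A triage check built from the indicators in this entry (the 650-byte body at the start of the file and the two embedded text strings), as an added example that is not part of the original entry or of any scanner listed above. The function names, the three-way result and the constructed sample images are assumptions of this example, as is reading the quotation marks as not being part of the strings.

```python
from pathlib import Path

# Indicators taken from the entry above.
VIRUS_LEN = 650  # effective length; the virus body sits at the start of the file
# Assumption: the quotation marks in the entry are not part of the strings.
MARKERS = (b"Video mode 80x25 not supported", b"16.01.91, v1.00")

def check_image(data: bytes) -> str:
    """Classify a .COM image as 'match', 'review' or 'clean'."""
    if len(data) < VIRUS_LEN:
        return "clean"  # too short to hold the 650-byte body
    head = data[:VIRUS_LEN]
    hits = sum(m in head for m in MARKERS)
    if hits == len(MARKERS):
        return "match"  # both strings inside the first 650 bytes
    if hits or any(m in data for m in MARKERS):
        return "review"  # lone marker, or markers outside the expected region
    return "clean"

def scan_tree(root: str) -> dict:
    """Classify every .COM file under root (extension match is case-insensitive)."""
    return {
        str(p): check_image(p.read_bytes())
        for p in sorted(Path(root).rglob("*"))
        if p.is_file() and p.suffix.lower() == ".com"
    }

def constructed_samples() -> dict:
    """Constructed images: filler bytes plus the marker strings, no virus code."""
    host = b"\x90" * 300 + b"\xcd\x20"  # stand-in for a host program
    body = b"\x00" * 100 + MARKERS[0] + b"\x00" * 50 + MARKERS[1]
    body = body.ljust(VIRUS_LEN, b"\x00")
    return {
        "infected.com": body + host,
        "clean.com": host * 4,
        "strings_elsewhere.com": host * 4 + MARKERS[0] + MARKERS[1],
    }

if __name__ == "__main__":
    for name, image in constructed_samples().items():
        print(f"{name}: {check_image(image)}")
```

A "match" marks a file for follow-up with one of the listed scanners; any file that carries both strings in its first 650 bytes will match.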
