Virus Name: VS-2790
V Status: New
Discovered: November, 1993
Symptoms: .COM & .EXE growth; DOS CHKDSK file allocation errors;
decrease in total system & available free memory
Eff Length: 2,790 Bytes
Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan, Sweep, AVTK, F-Prot, NAV, IBMAV, ChAV,
NAVDX, VAlert, PCScan,
Sweep/N, NShld, AVTK/N, IBMAV/N, Innoc, NProt, NAV/N,
Removal Instructions: Delete infected files
The VS-2790 virus was received in November, 1993. It's origin or
point of isolation is unknown. VS-2790 is a memory resident infector
of .COM and .EXE programs, but not COMMAND.COM.
When the first VS-2790 infected program is executed, this virus will
install itself memory resident at the top of system memory but below
the 640K DOS boundary, not moving interrupt 12's return. Total system
and available free memory, as indicated by the DOS CHKDSK program,
will have decreased by 2,832 bytes. Interrupts 1C and 21 will be
hooked by the virus.
Once VS-2790 is memory resident, it will infect .COM and .EXE
programs when they are executed or opened, but not when they are
copied. Infected programs will have a file length increase of 2,790
bytes with the virus being located being located at the end of the
file. This file length increase, however, will not be visible in the
DOS disk directory listing when the virus is memory resident. The
file's date and time in the DOS disk directory listing will not be
altered. The following text string can be found within the viral code
in all VS-2790 infected programs:
'VS-061-"STEALTHIE".(C) 1993, ViruSystems inc.$VS'
When VS-2790 is memory resident, the DOS CHKDSK program will return
file allocation errors on all infected files. It is unknown what
VS-2790 does besides replicate.