VS-2790 Virus

Virus Name: VS-2790 Aliases: V Status: New Discovered: November, 1993 Symptoms: .COM & .EXE growth; DOS CHKDSK file allocation errors; decrease in total system & available free memory Origin: USSR Eff Length: 2,790 Bytes Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan, Sweep, AVTK, F-Prot, NAV, IBMAV, ChAV, NAVDX, VAlert, PCScan, Sweep/N, NShld, AVTK/N, IBMAV/N, Innoc, NProt, NAV/N, LProt Removal Instructions: Delete infected files General Comments: The VS-2790 virus was received in November, 1993. It's origin or point of isolation is unknown. VS-2790 is a memory resident infector of .COM and .EXE programs, but not COMMAND.COM. When the first VS-2790 infected program is executed, this virus will install itself memory resident at the top of system memory but below the 640K DOS boundary, not moving interrupt 12's return. Total system and available free memory, as indicated by the DOS CHKDSK program, will have decreased by 2,832 bytes. Interrupts 1C and 21 will be hooked by the virus. Once VS-2790 is memory resident, it will infect .COM and .EXE programs when they are executed or opened, but not when they are copied. Infected programs will have a file length increase of 2,790 bytes with the virus being located being located at the end of the file. This file length increase, however, will not be visible in the DOS disk directory listing when the virus is memory resident. The file's date and time in the DOS disk directory listing will not be altered. The following text string can be found within the viral code in all VS-2790 infected programs: 'VS-061-"STEALTHIE".(C) 1993, ViruSystems inc.$VS' When VS-2790 is memory resident, the DOS CHKDSK program will return file allocation errors on all infected files. It is unknown what VS-2790 does besides replicate.