Virus Name: BGU
V Status: New
Discovery: January, 1996
Symptoms: .COM & .EXE growth; file date/time seconds = "32";
decrease in available free memory;
DOS CHKDSK file allocation errors
Eff Length: 1,295 Bytes
Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector
Detection Method: ChAV, AVTK, ViruScan, NAV 3.10 9612+, NAVBoot 2.0 9612+,
Innoc, AVTK/N, NShld, NAV/N 2.0 9612+
Removal Instructions: Delete infected files
The BGU or BGU.1295 virus was received in January, 1996, along with
one variant. Their origin or point of isolation is unknown. BGU
is a memory resident fast infector size stealthing virus which
infects .COM and .EXE files, including COMMAND.COM.
When the first BGU infected program is executed, this virus will
install itself memory resident at the top of system memory but
below the 640K DOS boundary, not moving interrupt 12's return.
Available free memory, as indicated by the DOS CHKDSK program
from DOS 5.0, will have decreased by 2,048 bytes. Interrupts 21
and 28 will be hooked by the virus in memory.
Once this virus is memory resident, it will infect .COM and .EXE
files, including COMMAND.COM, when they are executed or opened,
but not when copied. Infected files will have a file length increase
of 1,295 bytes, though this file length increase will be hidden
when the virus is memory resident. The virus will be located at
the end of the file. The program's date and time in the DOS disk
directory listing will not appear to be altered, though the
seconds field will have been set to "32". The following text
strings are visible within the viral code:
The DOS CHKDSK program will indicate file allocation erros on all
infected files when this virus is memory resident.
Known variant(s) of BGU are:
BGU.1298: Also received in January, 1996, this 1,298 byte
variant's size in memory is also 2,048 bytes, hooking interrupts
21 and 28. It is similar to the original virus described above,
with the exceptions that it adds 1,298 bytes to the files it
infects, and set the seconds field to "42" instead of "32". It
contains the same text strings as the original virus.
Origin: Unknown January, 1996.