BGU Virus


 Virus Name:  BGU 
 Aliases:     BGU.1295 
 V Status:    New 
 Discovery:   January, 1996 
 Symptoms:    .COM & .EXE growth; file date/time seconds = "32"; 
              decrease in available free memory; 
              DOS CHKDSK file allocation errors 
 Origin:      Unknown 
 Eff Length:  1,295 Bytes 
 Type Code:   PRhAK - Parasitic Resident .COM & .EXE Infector 
 Detection Method: ChAV, AVTK, ViruScan, NAV 3.10 9612+, NAVBoot 2.0 9612+, 
                   Innoc, AVTK/N, NShld, NAV/N 2.0 9612+ 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The BGU or BGU.1295 virus was received in January, 1996, along with 
       one variant.  Their origin or point of isolation is unknown.  BGU 
       is a memory resident, size stealthing fast infector virus which 
       infects .COM and .EXE files, including COMMAND.COM. 
 
       When the first BGU infected program is executed, this virus will 
       install itself memory resident at the top of system memory but 
       below the 640K DOS boundary, without changing the value returned 
       by interrupt 12. 
       Available free memory, as indicated by the DOS CHKDSK program 
       from DOS 5.0, will have decreased by 2,048 bytes.  Interrupts 21 
       and 28 will be hooked by the virus in memory. 
 
       Once this virus is memory resident, it will infect .COM and .EXE 
       files, including COMMAND.COM, when they are executed or opened, 
       but not when copied.  Infected files will have a file length increase 
       of 1,295 bytes, though this file length increase will be hidden 
       when the virus is memory resident.  The virus will be located at 
       the end of the file.  The program's date and time in the DOS disk 
       directory listing will not appear to be altered, though the 
       seconds field will have been set to "32".  The following text 
       strings are visible within the viral code: 
 
           "BGU 1992" 
           "COMEXE" 
 
       The DOS CHKDSK program will indicate file allocation errors on all 
       infected files when this virus is memory resident. 
 
       Known variant(s) of BGU are: 
       BGU.1298: Also received in January, 1996, this 1,298 byte 
           variant's size in memory is also 2,048 bytes, hooking interrupts 
           21 and 28.  It is similar to the original virus described above, 
           with the exceptions that it adds 1,298 bytes to the files it 
           infects, and sets the seconds field to "42" instead of "32".  It 
           contains the same text strings as the original virus. 
           Origin:  Unknown  January, 1996. 
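
The indicators listed in this entry (appended length at end of file, seconds marker, and the two text strings) combined into a file triage check. This is an added example, not code from the original entry or from any anti-virus product; the function names and sample data are constructed, and it assumes the file and its raw FAT directory entry are read while the virus is not resident.

```python
import struct

# Per-variant indicators stated in this entry: (appended bytes, seconds marker)
VARIANTS = {"BGU.1295": (1295, 32), "BGU.1298": (1298, 42)}
# Text strings the entry says are visible within the viral code
STRINGS = (b"BGU 1992", b"COMEXE")


def dirent_seconds(entry):
    """Seconds of last write from a raw 32-byte FAT directory entry.

    The time word sits at offset 0x16; bits 0-4 store seconds / 2.
    """
    if len(entry) != 32:
        raise ValueError("FAT directory entry must be 32 bytes")
    (time_word,) = struct.unpack_from("<H", entry, 0x16)
    return (time_word & 0x1F) * 2


def triage(data, seconds):
    """Return the variant names whose indicators all match this file."""
    hits = []
    for name, (growth, marker) in VARIANTS.items():
        # Seconds 32/42 are legal timestamps, so never flag on time alone.
        if seconds != marker or len(data) <= growth:
            continue
        tail = data[-growth:]  # the entry places the virus at end of file
        if all(s in tail for s in STRINGS):
            hits.append(name)
    return hits


def make_sample(growth, hh, mm, ss):
    """Constructed test data: inert filler, not real viral code."""
    body = (b"BGU 1992" + b"COMEXE").ljust(growth, b"\x00")
    data = b"\x90" * 100 + body
    entry = bytearray(32)
    entry[0:11] = b"SAMPLE  COM"
    struct.pack_into("<H", entry, 0x16, (hh << 11) | (mm << 5) | (ss // 2))
    struct.pack_into("<I", entry, 0x1C, len(data))
    return data, bytes(entry)


if __name__ == "__main__":
    data, entry = make_sample(1295, 12, 0, 32)
    print(triage(data, dirent_seconds(entry)))
```

A match is a reason to scan the file with one of the detection products listed above, not a verdict on its own.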
