Virus Name: Blinker
Aliases: Blinker-496, Prague.Blinker
V Status: Rare
Discovery: November, 1991
Symptoms: .COM file growth; decrease in total system and available
free memory; spurious error messages
Origin: Prague, Czechoslovakia
Eff Length: 512 Bytes
Type Code: PRhCK - Parasitic Resident .COM Infector
Detection Method: ViruScan, Sweep, AVTK, F-Prot, ChAV,
NAV, IBMAV, NAVDX, VAlert, PCScan,
NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N,
Removal Instructions: Delete infected files
The Blinker virus was submitted in November, 1991. It originated in
Prague, Czechoslovakia. Blinker is a memory resident infector of
.COM programs, including COMMAND.COM. It is based on the BackTime
virus, and anti-viral programs may identify it as such.
The first time a program infected with Blinker is executed, the
Blinker virus will install itself memory resident at the top of
system memory but below the 640K DOS boundary. Total system and
available free memory, as indicated by the DOS CHKDSK program, will
have decreased by 528 bytes. Interrupts 08 and 21 will be hooked
by Blinker in memory. Interrupt 12's return will not have been
After Blinker is memory resident, it will infect any .COM program
which is executed. If COMMAND.COM is executed, it will become
infected as well. Blinker infected programs will have a file
length increase of 512 bytes. The virus will be located at the
end of the infected file. There will be no change to the file's
date and time in the DOS disk directory.
It is unknown what Blinker does besides replicate.
Known variant(s) of Blinker are:
Blinker-496: Blinker-496 is a 496 byte variant of the Blinker
virus described above. It contains the text string "Joker".
Systems infected with this variant may receive the following
error meesages for no apparent reason when the virus is
memory resident, both of which require a response from the
system user to abort, retry, ignore, or fail:
"Bad command error reading device CON"
"Bad command error writing device CON"
See: BackTime Shaker