Boys Virus


 Virus Name:  Boys 
 Aliases: 
 V Status:    Rare 
 Discovery:   May, 1991 
 Symptoms:    .COM file growth; .EXE programs disappear; file creation 
              errors 
 Origin:      Bulgaria 
 Eff Length:  500 Bytes 
 Type Code:   PRCK - Parasitic Resident .COM Infector 
 Detection Method:  ViruScan, F-Prot, Sweep, AVTK, NAV, IBMAV, 
                    NAVDX, VAlert, PCScan, ChAV, 
                    NShld, LProt, Sweep/N, Innoc, AVTK/N, NAV/N, IBMAV/N 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Boys virus was received in May, 1991.  This virus is from 
       Bulgaria.  It is a memory resident infector of .COM programs, 
       and will infect COMMAND.COM. 
 
       The first time a program infected with the Boys virus is executed, 
       Boys will install itself memory resident.  Unlike most memory 
       resident viruses, there will be no change in total system or 
       available free memory.  Memory mapping utilities will not indicate 
       that the virus is in memory as no interrupts are directly hooked. 
 
       Once Boys is memory resident, any .COM program executed which is 
       larger than 500 bytes will become infected.  Infected programs will 
       increase in length by 500 bytes with the virus being located at the 
       end of infected files.  The following text strings can be found in 
       programs infected with Boys: 
 
               "The good and the bad boy." 
               "*.EXE" 
               "????????COM" 
 
       The first of these strings will be located at the end of infected 
       programs. 
 
       Boys is a malicious virus.  Besides infecting .COM programs when 
       executed, it will alter the attribute bytes of .EXE programs by 
       setting the system attribute.  The .EXE programs will then not 
       appear when the user lists the disk directory.  If the user attempts 
       to copy back the missing .EXE programs, a "File creation error" will 
       occur since the files still exist.  The .EXE programs which the 
       virus has hidden can be recovered by removing the system attribute. 
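
       The indicators described above (the three text strings in the
       appended 500 bytes, and .EXE files carrying the system attribute)
       can be checked with a short triage script.  This is an added
       example, not part of the original entry; it assumes the strings
       all sit inside the final 500 bytes and that the directory is
       available as raw 32-byte FAT entries, and its sample data is
       constructed.

```python
# Added example: triage for the indicators listed in the Boys entry.
MARKER = b"The good and the bad boy."
OTHER_STRINGS = (b"*.EXE", b"????????COM")
VIRUS_LEN = 500        # effective length given in the entry
ATTR_SYSTEM = 0x04     # FAT attribute bits
ATTR_VOLUME = 0x08
ATTR_DIRECTORY = 0x10


def boys_indicators(com_image: bytes) -> dict:
    """Look for the entry's strings in the appended 500-byte tail of a .COM file."""
    tail = com_image[-VIRUS_LEN:]  # assumption: all strings lie in the tail
    result = {
        # Only hosts larger than 500 bytes are infected, so an infected
        # file is larger than 1000 bytes.
        "size_plausible": len(com_image) > 2 * VIRUS_LEN,
        "marker_in_tail": MARKER in tail,
        "other_strings_in_tail": all(s in tail for s in OTHER_STRINGS),
    }
    result["match"] = all(result.values())
    return result


def system_flagged_exes(directory: bytes) -> list:
    """Names of .EXE entries in a raw FAT directory that carry the system bit."""
    names = []
    for off in range(0, len(directory) - 31, 32):
        entry = directory[off:off + 32]
        if entry[0] == 0x00:          # end-of-directory marker
            break
        attr = entry[11]
        if entry[0] == 0xE5 or attr & (ATTR_VOLUME | ATTR_DIRECTORY):
            continue                  # deleted entry, label or subdirectory
        if entry[8:11] == b"EXE" and attr & ATTR_SYSTEM:
            names.append(entry[:8].decode("ascii", "replace").rstrip() + ".EXE")
    return names


def _entry(name: str, ext: str, attr: int) -> bytes:
    """Build one constructed 32-byte directory entry for the sample below."""
    return name.ljust(8).encode() + ext.encode() + bytes([attr]) + bytes(20)


# Constructed, inert sample data (zero filler, no real code).
_strings = b"*.EXE\x00????????COM"
SAMPLE_COM = bytes(700) + _strings + bytes(VIRUS_LEN - len(_strings) - len(MARKER)) + MARKER
SAMPLE_DIR = (_entry("COMMAND", "COM", 0x20) + _entry("EDIT", "EXE", 0x24)
              + _entry("CHKDSK", "EXE", 0x20) + bytes(32))
```

       A string match is only a triage hint; confirm with one of the
       scanners listed under Detection Method before deleting files.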
 
       Known variant(s) of Boys are: 
       Boys 2: Based on the Boys virus, Boys 2 is a non-resident, 
               direct action infector of .COM programs, including 
               COMMAND.COM.  When a program infected with Boys 2 is 
               executed, Boys 2 will search the current directory for an 
               infected .COM program to infect.  If one is found, it will 
               be infected, and then the virus will delete one .EXE file 
               from the directory.  Boys 2 infected programs will have 
               a file length increase of 500 bytes with the virus being 
               located at the end of the program.  The following text 
               strings can be found within the viral code in infected 
               programs: 
               "The good and the bad boy." 
               "*.EXE" 
               "????????COM" 
               Origin:  Unknown  August, 1991. 
 
       See:   Bad Boy 
