Virus Name: Capitall
V Status: Rare
Discovery: July, 1992
Symptoms: .COM file growth; TSR
Eff Length: 927 Bytes
Type Code: PRsCK - Parasitic Resident .COM Infector
Detection Method: F-Prot, Sweep, ViruScan, IBMAV, AVTK, NAV, NAVDX,
VAlert, PCScan, ChAV,
NShld, Sweep/N, Innoc, NProt, AVTK/N, NAV/N, IBMAV/N,
Removal Instructions: Delete infected files
The Capitall virus was received from Poland in July, 1992. This
virus is a memory resident infector of .COM programs, including
COMMAND.COM. It uses an encryption mechanism similar to that
used by the Cascade virus, so it is possible some anti-viral
utilities will identify it as Cascade.
When a program infected with the Capitall virus is executed, this
virus will install itself memory resident as a low system memory
TSR of approximately 1,952 bytes. Interrupts 1C, 21, and 28 will be
hooked by Capitall in memory.
Once the Capitall virus is memory resident, it will infect .COM
programs when they are executed. If COMMAND.COM is executed, it
will become infected. Programs infected with the Capitall virus
will have a file length increase of 927 bytes with the virus being
located at the end of the infected file. The program's date and
time in the DOS disk directory listing will not be altered.
It is unknown what Capitall may do besides replicate.