Cara Virus

Virus Name: Cara Aliases: V Status: Rare Discovery: August, 1991 Symptoms: .COM growth; TSR; boot sector altered; decrease in total system and available free memory Origin: Spain Eff Length: 1,025 Bytes Type Code: PRsCK - Parasitic Resident .COM Infector Detection Method: ViruScan, Sweep, AVTK, NAV, IBMAV, F-Prot, NAVDX, VAlert, PCScan, ChAV, NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, NAV/N, IBMAV/N Removal Instructions: Delete infected files General Comments: The Cara virus was received in September, 1991. It is originally from Spain. Cara is a memory resident infector of .COM files, including COMMAND.COM. It also alters boot sectors, though the boot sectors do not contain a live virus. The first time a program infected with Cara is executed, Cara will become memory resident at the top of system memory but below the 640K DOS boundary. Total system and available free memory will decrease by 3,048 bytes. Interrupts 13 and 21 will be hooked by the Cara virus in memory. At this time, Cara will also infect COMMAND.COM if it was not previously infected, and alter the current drive's boot sector by overwriting it. Once Cara is memory resident, it will infect .COM files when they are opened or executed. Infected .COM files increase in length by 1,025 bytes with the virus being located at the end of infected files. There will be no change in the file's date and time in the DOS disk directory. Programs infected with Cara will have the text string "CARA" located in the fifth thru eighth bytes of the infected files. This string is the marker used by the virus to determine if the file is already infected. Other text strings which can be found near the end of infected files are: "Virus es en memoria! Disco es infectado. Reemplaza "Boot". Clandestino Auto- Reproductivo Anti-virus CARA" CARA's overwriting of the disk boot sector is an attempt to disinfect boot sector viruses by providing a new boot sector.