Virus Name: Cara
V Status: Rare
Discovery: August, 1991
Symptoms: .COM growth; TSR; boot sector altered; decrease in total
system and available free memory
Eff Length: 1,025 Bytes
Type Code: PRsCK - Parasitic Resident .COM Infector
Detection Method: ViruScan, Sweep, AVTK, NAV, IBMAV,
F-Prot, NAVDX, VAlert, PCScan, ChAV,
NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N,
Removal Instructions: Delete infected files
The Cara virus was received in September, 1991. It is originally
from Spain. Cara is a memory resident infector of .COM files,
including COMMAND.COM. It also alters boot sectors, though the
boot sectors do not contain a live virus.
The first time a program infected with Cara is executed, Cara will
become memory resident at the top of system memory but below the
640K DOS boundary. Total system and available free memory will
decrease by 3,048 bytes. Interrupts 13 and 21 will be hooked by
the Cara virus in memory. At this time, Cara will also infect
COMMAND.COM if it was not previously infected, and alter the
current drive's boot sector by overwriting it.
Once Cara is memory resident, it will infect .COM files when they
are opened or executed. Infected .COM files increase in length
by 1,025 bytes with the virus being located at the end of infected
files. There will be no change in the file's date and time in the
DOS disk directory.
Programs infected with Cara will have the text string "CARA" located
in the fifth thru eighth bytes of the infected files. This string
is the marker used by the virus to determine if the file is
already infected. Other text strings which can be found near the
end of infected files are:
"Virus es en memoria!
Disco es infectado. Reemplaza "Boot".
CARA's overwriting of the disk boot sector is an attempt to
disinfect boot sector viruses by providing a new boot sector.