Career Of Evil Virus
Virus Name: Career Of Evil
Aliases: Career Of Evil-446
V Status: Rare
Discovery: July, 1993
Symptoms: .COM & .SYS file growth; DOS CHKDSK file allocation errors
decrease in total system and available free memory
Eff Length: 446 Bytes
Type Code: PRhCK - Parasitic Resident .COM Infector
Detection Method: AVTK, NAV, ViruScan, IBMAV, F-Prot, NAVDX,
VAlert, PCScan, ChAV,
NShld, NProt, Sweep/N, NAV/N, AVTK/N, IBMAV/N, Innoc,
Removal Instructions: Delete infected files
The Career Of Evil, or Career Of Evil-446, virus was received in
July, 1993. Its origin or point of isolation is unknown. Career
Of Evil is a memory resident virus which uses some stealth
techniques to avoid detection and spread quickly to files. It
infects .COM programs, including COMMAND.COM, as well as .SYS files.
When the first Career of Evil infected program is executed, this
virus will install itself memory resident at the top of system
memory but below the 640K DOS boundary, hooking interrupt 21.
Total system and available free memory, as indicated by the DOS
CHKDSK program, will have decreased by 704 bytes. Interrupt 12's
return will not be moved.
Once the Career of Evil virus is memory resident, it will infect
.COM and .SYS programs when they are executed or opened for any
reason. Infected programs will have a file length increase of
446 bytes with the virus being located at the end of the file.
The file length increase, however, will be hidden when the virus
is memory resident. The program's date and time in the DOS disk
directory listing will not be altered. The text string "UK" can be
found starting in the fourth byte of all infected programs. The
following text string is visible within the viral code located at
the end of infected programs:
"tenUKCareer of Evil"
When the Career Of Evil virus is memory resident, the DOS CHKDSK
program will return file allocation errors on all infected programs.
Known variant(s) of Career of Evil are:
Career Of Evil-697: A 697 byte variant of the Career Of Evil
virus described above, this variant's size in memory is
960 bytes, hooking interrupt 21. It infects .COM and .SYS
files when they are executed or opened for any reason.
Infected programs will have a file length increase of 697
bytes though this file length increase will be hidden when
the virus is memory resident. The virus will be located
at the end of the file. The program's date and time in the
DOS disk directory listing will not be altered. The same
text strings appear in this variant as the original virus.
DOS CHKDSK file allocation errors will also occur on
infected programs when the virus is memory resident.
Origin: Unknown July, 1993