Cartuja Virus

Virus Name: Cartuja Aliases: V Status: Rare Discovery: June, 1993 Symptoms: .COM & .EXE growth; system hangs; decrease in total system & available free memory Origin: Unknown Eff Length: 1,568 - 1,600 Bytes Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan, F-Prot, IBMAV, Sweep, AVTK, NAV, NAVDX, VAlert, ChAV, NShld, NProt, Sweep/N, AVTK/N, IBMAV/N, NAV/N, Innoc Removal Instructions: Delete infected files General Comments: The Cartuja virus was submitted in June, 1993. Its origin or point of isolation is unknown. Cartuja is a memory resident infector of .COM and .EXE programs, including COMMAND.COM. When the first Cartuja infected program is executed, the Cartuja virus will install itself memory resident at the top of system memory but below the 640K DOS boundary, hooking interrupt 21. Total system and available free memory, as indicated by the DOS CHKDSK program, will have decreased by 60,704 bytes. Interrupt 12's return will not have been moved. Once the Cartuja virus is memory resident, it may infect .COM and .EXE programs when they are executed, though it doesn't always infect the file. As a result, it may take several executions of a particular .COM or .EXE program before the file becomes infected. Programs infected with the Cartuja virus will have a file length increase of 1,568 to 1,600 bytes with the virus being located at the end of the file. The program's date and time in the DOS disk directory listing will not be altered. The following text string appears within the viral code in all Cartuja infected programs: "Frz G" Frequent system hangs may occur when Cartuja infected programs are executed. The damage potential for this virus is unknown. See: Estepa