Virus Name: Cartuja
V Status: Rare
Discovery: June, 1993
Symptoms: .COM & .EXE growth; system hangs; decrease in total system & available free memory
Eff Length: 1,568 - 1,600 Bytes
Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan, F-Prot, IBMAV, Sweep, AVTK, NAV, NAVDX, VAlert, ChAV, NShld, NProt, Sweep/N, AVTK/N, IBMAV/N, NAV/N, Innoc
Removal Instructions: Delete infected files

The Cartuja virus was submitted in June, 1993. Its origin or point
of isolation is unknown. Cartuja is a memory resident infector of
.COM and .EXE programs, including COMMAND.COM.

When the first Cartuja infected program is executed, the Cartuja
virus will install itself memory resident at the top of system
memory but below the 640K DOS boundary, hooking interrupt 21. Total
system and available free memory, as indicated by the DOS CHKDSK
program, will have decreased by 60,704 bytes. Interrupt 12's return
will not have been moved.

Once the Cartuja virus is memory resident, it may infect .COM and
.EXE programs when they are executed, though it doesn't always
infect the file. As a result, it may take several executions of a
particular .COM or .EXE program before the file becomes infected.

Programs infected with the Cartuja virus will have a file length
increase of 1,568 to 1,600 bytes with the virus being located at the
end of the file. The program's date and time in the DOS disk
directory listing will not be altered. The following text string
appears within the viral code in all Cartuja infected programs:

Frequent system hangs may occur when Cartuja infected programs are
executed. The damage potential for this virus is unknown.