Chang Virus


 Virus Name:  Chang 
 Aliases:    
 V Status:    Rare 
 Discovery:   July, 1992 
 Symptoms:    .COM & .EXE growth; decrease in total system & available 
              free memory 
 Origin:      Unknown 
 Eff Length:  1,701 - 1,773 Bytes 
 Type Code:   PRhAK - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  ViruScan, Sweep, F-Prot, AVTK, ChAV, 
                    IBMAV, NAV, NAVDX, VAlert, PCScan, 
                    NShld, Sweep/N, NProt, AVTK/N, IBMAV/N, NAV/N, Innoc, 
                    LProt 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Chang virus was submitted in July, 1992.  Its origin or point 
       of isolation is unknown.  Chang is a memory resident infector 
       of .COM and .EXE programs, including COMMAND.COM. 
 
       When the first program infected with the Chang virus is executed, 
       the Chang virus will install itself memory resident at the top 
       of system memory but below the 640K DOS boundary.  It does not 
       move interrupt 12's return.  Total system and available free 
       memory, as indicated by the DOS CHKDSK program, will have decreased 
       by 1,760 bytes.  Interrupt 21 will be hooked by Chang in memory. 
 
       Once the Chang virus is memory resident, it will infect .COM and 
       .EXE programs when they are executed.  If COMMAND.COM is executed, 
       it will become infected.  Infected programs will have a file 
       length increase of 1,701 to 1,773 bytes with the virus being 
       located at the end of the file.  The program's date and time in 
       the DOS disk directory listing will not be altered. 
 
       The following text strings can be found within the viral code in 
       all Chang infected programs: 
 
               "YOU CAN CHANG SOMETHING OF THE PROGRAM 
                I HAVE GIVEN UP MY COPYRIGHT, AND I HAVE 
                LEFT SOME SPACE FOR YOU. 
                THANKS!TOO MANY WRITE PROTECT!!!" 
 
       It is unknown what Chang may do besides replicate. 
 
       Known variant(s) of Chang are: 
       Chang-B: Functionally equivalent to the original virus, this 
                variant is slightly modified. 
                Origin:  Unknown  June, 1992. 
       Chang 007: Behaviourly similar to the original Chang virus, 
                Chang 007's size in memory is 23,312 bytes, hooking 
                interrupt 21.  It adds 23,310 - 23,325 bytes to the 
                .COM, .EXE, and COMMAND.COM programs it infects.  Its 
                position in the file and visible text strings are the 
                same as for the original virus.  Most of the 23,310 plus 
                bytes this variant adds to infected files consists of 
                hex zero characters. 
                Origin:  Canada  August, 1992.

Show viruses from discovered during that infect .

Main Page