Virus Name: Chang
V Status: Rare
Discovery: July, 1992
Symptoms: .COM & .EXE growth; decrease in total system & available
Eff Length: 1,701 - 1,773 Bytes
Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan, Sweep, F-Prot, AVTK, ChAV,
IBMAV, NAV, NAVDX, VAlert, PCScan,
NShld, Sweep/N, NProt, AVTK/N, IBMAV/N, NAV/N, Innoc,
Removal Instructions: Delete infected files
The Chang virus was submitted in July, 1992. Its origin or point
of isolation is unknown. Chang is a memory resident infector
of .COM and .EXE programs, including COMMAND.COM.
When the first program infected with the Chang virus is executed,
the Chang virus will install itself memory resident at the top
of system memory but below the 640K DOS boundary. It does not
move interrupt 12's return. Total system and available free
memory, as indicated by the DOS CHKDSK program, will have decreased
by 1,760 bytes. Interrupt 21 will be hooked by Chang in memory.
Once the Chang virus is memory resident, it will infect .COM and
.EXE programs when they are executed. If COMMAND.COM is executed,
it will become infected. Infected programs will have a file
length increase of 1,701 to 1,773 bytes with the virus being
located at the end of the file. The program's date and time in
the DOS disk directory listing will not be altered.
The following text strings can be found within the viral code in
all Chang infected programs:
"YOU CAN CHANG SOMETHING OF THE PROGRAM
I HAVE GIVEN UP MY COPYRIGHT, AND I HAVE
LEFT SOME SPACE FOR YOU.
THANKS!TOO MANY WRITE PROTECT!!!"
It is unknown what Chang may do besides replicate.
Known variant(s) of Chang are:
Chang-B: Functionally equivalent to the original virus, this
variant is slightly modified.
Origin: Unknown June, 1992.
Chang 007: Behaviourly similar to the original Chang virus,
Chang 007's size in memory is 23,312 bytes, hooking
interrupt 21. It adds 23,310 - 23,325 bytes to the
.COM, .EXE, and COMMAND.COM programs it infects. Its
position in the file and visible text strings are the
same as for the original virus. Most of the 23,310 plus
bytes this variant adds to infected files consists of
hex zero characters.
Origin: Canada August, 1992.