Virus Name: Changsha
V Status: Rare
Discovery: December, 1992
Symptoms: .COM & .EXE growth; Master boot sector altered; TSR
Eff Length: 3,072 - 3,104 Bytes
Type Code: PRsAKX - Parasitic Resident .COM, .EXE, & Master Boot Sector
Detection Method: AVTK, ViruScan, F-Prot, Sweep, NAV,
IBMAV, NAVDX, VAlert, PCScan, ChAV,
LProt, NShld, AVTK/N, Sweep/N, NAV/N, IBMAV/N,
Innoc, NProt, LProt
Removal Instructions: Delete infected files
The Changsha virus was submitted in December, 1992. It is originally
from China. Changsha is a memory resident infector of .COM and .EXE
programs, including COMMAND.COM. It also infects the system hard
disk master boot sector (partition table).
When the first Changsha infected program is executed, the Changsha
virus will install itself memory resident as a low system memory
TSR of 3,392 bytes, hooking interrupts 08, 13, and 21. Also at this
time, it will infect the hard disk master boot sector if it was not
Once the Changsha virus is memory resident, it will infect .COM and
.EXE programs when they are executed or opened for any reason.
Infected .COM programs will have a file length increase of 3,072
bytes. Infected .EXE programs will have a file length increase of
3,091 to 3,104 bytes. In both cases, the virus will be located at
the end of the file. The program's date and time in the DOS disk
directory listing will not be altered. The following text strings
can be found within the viral code in all Changsha infected programs:
"Auto-Copy Deluxe R3.0"
"(C)Copyright 1991. Mr. YaQi. Changsha China"
"No one can Beyond me!"
"Invalid Partition Table"
"Error Loading Operating System"
"Missing Operating System"
"New Century of Computer Now!"
It is unknown what Changsha does besides replicate.