Changsha Virus

Virus Name: Changsha Aliases: V Status: Rare Discovery: December, 1992 Symptoms: .COM & .EXE growth; Master boot sector altered; TSR Origin: China Eff Length: 3,072 - 3,104 Bytes Type Code: PRsAKX - Parasitic Resident .COM, .EXE, & Master Boot Sector Infector Detection Method: AVTK, ViruScan, F-Prot, Sweep, NAV, IBMAV, NAVDX, VAlert, PCScan, ChAV, LProt, NShld, AVTK/N, Sweep/N, NAV/N, IBMAV/N, Innoc, NProt, LProt Removal Instructions: Delete infected files General Comments: The Changsha virus was submitted in December, 1992. It is originally from China. Changsha is a memory resident infector of .COM and .EXE programs, including COMMAND.COM. It also infects the system hard disk master boot sector (partition table). When the first Changsha infected program is executed, the Changsha virus will install itself memory resident as a low system memory TSR of 3,392 bytes, hooking interrupts 08, 13, and 21. Also at this time, it will infect the hard disk master boot sector if it was not previously infected. Once the Changsha virus is memory resident, it will infect .COM and .EXE programs when they are executed or opened for any reason. Infected .COM programs will have a file length increase of 3,072 bytes. Infected .EXE programs will have a file length increase of 3,091 to 3,104 bytes. In both cases, the virus will be located at the end of the file. The program's date and time in the DOS disk directory listing will not be altered. The following text strings can be found within the viral code in all Changsha infected programs: "Welcome!" "Auto-Copy Deluxe R3.0" "(C)Copyright 1991. Mr. YaQi. Changsha China" "No one can Beyond me!" "Invalid Partition Table" "Error Loading Operating System" "Missing Operating System" "New Century of Computer Now!" It is unknown what Changsha does besides replicate.