Virus Name: CHR-869
V Status: Rare
Discovery: March, 1993
Symptoms: .COM & .EXE growth; file date/time changes; "#" character
displayed; decrease in total system & available free memory;
program execution failure
Eff Length: 869 - 1,348 Bytes
Type Code: PRhA - Parasitic Resident .COM & .EXE Infector
Detection Method: Sweep, AVTK, F-Prot, IBMAV, ViruScan,
NAV, NAVDX, VAlert, PCScan, ChAV,
Sweep/N, NShld, AVTK/N, NProt, IBMAV/N, Innoc, NAV/N,
Removal Instructions: Delete infected files

The CHR-869 virus was submitted in March, 1993. Its origin or point
of isolation is unknown. CHR-869 is a memory resident infector of
.COM & .EXE programs, but not COMMAND.COM.

When the first CHR-869 infected program is executed, the CHR-869
virus will install itself memory resident at the top of system
memory but below the 640K DOS boundary, hooking interrupt 21. Total
system and available free memory, as indicated by the DOS CHKDSK
program, will have decreased by 3,120 bytes. Interrupt 12's return
will not be moved.

Once memory resident, the CHR-869 virus will infect .COM and .EXE
programs, other than COMMAND.COM, when they are executed. Infected
.COM programs will have a file length increase of 869 bytes.
Infected .EXE programs will have a file length increase of up to
1,348 bytes. In both cases, the virus will be located at the end of
the infected file. The program's date and time in the DOS disk
directory listing will have been updated to the current system date
and time when infection occurred. No text strings are visible within
the CHR-869 viral code in infected programs.

On systems infected with the CHR-869 virus, a "#" character will be
displayed on the system monitor whenever a program is executed while
the virus is memory resident.