Close Virus

Virus Name: Close Aliases: V Status: Rare Discovery: April, 1992 Symptoms: .EXE file growth; decrease in total system and available free memory; message; boot failure on C: drive Origin: Unknown Eff Length: 662 - 672 Bytes Type Code: PRhE - Parasitic Resident .EXE Infector Detection Method: ViruScan, F-Prot, AVTK, Sweep, IBMAV, NAV, NAVDX, VAlert, ChAV, PCScan, NShld, Sweep/N, LProt, Innoc, NProt, IBMAV/N, AVTK/N, NAV/N Removal Instructions: Delete infected files General Comments: The Close virus was submitted in April, 1992. Its origin is unknown. Close is a memory resident infector of .EXE programs which will eventually corrupt one of the system files required to boot the system from the C: drive. The first time a program infected with the Close virus is executed, Close will install itself memory resident at the top of system memory but below the 640K DOS boundary. Total system and available free memory, as indicated by the DOS CHKDSK program, will have decreased by 784 bytes. Interrupt 21 will be hooked. Once the Close virus is memory resident, it will infect .EXE programs when they are executed. Infected programs will have a file length increase of 662 to 672 bytes with the virus being located at the end of the infected file. The program's date and time in the DOS disk directory listing will not be altered. Two text strings are visible within the Close virus' code in infected programs: "C:\IO.SYS C:\IBMBIO.COM" "Close .." The Close virus was intermittently activate, at which time it will display the message "Close .." on the system screen and then corrupt either C:\IO.SYS or C:\IBMBIO.COM. The system will then be hung. Attempts to reboot the system from the C: drive will fail as one of the hidden system files is corrupted. After disinfecting or replacing all programs infected with the Close virus, the user should replace the hidden system files on the C: drive using the DOS SYS program.