Cosenza Virus
Virus Name: Cosenza
Aliases:
V Status: In The Wild
Discovery: July, 1996
Symptoms: .COM & .EXE growth; decrease in available free memory
Origin: Unknown
Eff Length: 3,205 - 3,236 Bytes
Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector
Detection Method: AVTK, NAV, NAVDX, PCScan, ChAV, ViruScan 2.54+,
Innoc, NAV/N, AVTK/N, NShld 2.33+
Removal Instructions: Delete infected files
General Comments:
The Cosenza virus was received in July, 1996. Its origin or point
of isolation is unknown, though it has been reported to be "in the
wild". Cosenza is a memory resident infector of .COM and .EXE
files, including COMMAND.COM.

When the first Cosenza-infected program is executed, the virus
installs itself memory resident at the top of system memory but
below the 640K DOS boundary, without changing the memory size
returned by interrupt 12. Available free memory, as indicated by
the DOS CHKDSK program from DOS 5.0, will have decreased by
4,176 bytes. Interrupt 21 will be hooked by the virus in memory.

Once the Cosenza virus is memory resident, it will infect .COM and
.EXE files, including COMMAND.COM, when they are executed. Infected
.COM files will have a file length increase of 3,205 to 3,215 bytes
while .EXE files will increase in size by 3,224 to 3,236 bytes. In
both cases, the virus will be located at the end of the file. The
program's date and time in the DOS disk directory listing will not
be altered. The following text strings are encrypted within the
viral code:
"TBAVTBSCTBCLTBDRF-PRF-TEVIRSSCANCLEAVSHIMSAVVSAFCPAVVWATIBMANAV
.FINDTOOLAVSCDISKDE.EDEBUTD.E"
"[C*O*S*E*N*Z*A] Virus!"
"QUESTO ViRuS e STATO DISTRIBUITO DA:"
"(COMPUTER POINT <-> COSENZA,c.so d'Italia,0984/48166"
"(CALIO'"
"<-> COSENZA,via N. Serra ,0984/38861 )"
"(COMPUTER DISCOUNT <-> COSENZA,via Rodota 15,0984/71230 )"
"Advanced Semi-Stealth Virus with