Crazy Eddie Virus
Virus Name: Crazy Eddie
V Status: Rare
Symptoms: .COM & .EXE growth; master boot sector altered; decrease in
total system and available free memory; hard disk corruption;
file allocation errors
Eff Length: 2,600 - 2,715 Bytes
Type Code: PRtAKX - Parasitic Resident .COM, .EXE, & Master Boot Sector
Detection Method: ViruScan, AVTK, F-Prot, Sweep, NAV, IBMAV, ChAV,
NAVDX, VAlert, PCScan,
NShld, Sweep/N, NProt, AVTK/N, NAV/N, IBMAV/N, LProt
Removal Instructions: Delete infected files
The Crazy Eddie virus was originally received in 1991 from England.
Crazy Eddie is a memory resident multi-partite virus which infects
the hard disk master boot sector (partition table), COMMAND.COM,
.COM, and .EXE programs.
The first time a program infected with the Crazy Eddie virus is
executed, this virus will infect the hard disk master boot sector if
it was not previously infected. The virus locates a copy of
its viral code on the cylinder 0, side 0, sectors 2-4, and then
alters the master boot sector. The virus doesn't become memory
resident at this time, and will not infect programs.
Once the master boot sector has been infected, the Crazy Eddie virus
will become memory resident when the user boots the system from
the system hard disk. At this time, Crazy Eddie will install
itself memory resident at the top of system memory but below the
640K DOS boundary, moving interrupt 12's return. Total system
and available free memory, as indicated by the DOS CHKDSK program,
will have decreased by 17,408 bytes. Interrupts 00, 10, 14, and
17 will be hooked by the virus.
When Crazy Eddie is memory resident, it will infect .COM and .EXE
programs, including COMMAND.COM, when they are opened or executed.
It will also infect one program in the current directory each time
a DOS DIR command is performed.
Programs infected with Crazy Eddie will have a file length increase
of 2,600 to 2,715 bytes with the virus being located at the end of
the infected program. The file's date and time in the DOS disk
directory listing will not have been altered. One text string can
be found within the viral code in all infected programs:
Crazy Eddie is a destructive virus which activates on Monday The
28ths as well as on June 28th. On these dates, it will corrupt
the system hard disk by overwriting it with characters from memory
when the system is booted.