Crazy Eddie Virus


 Virus Name:  Crazy Eddie 
 Aliases:     England 
 V Status:    Rare 
 Discovery:   1991 
 Symptoms:    .COM & .EXE growth; master boot sector altered; decrease in 
              total system and available free memory; hard disk corruption; 
              file allocation errors 
 Origin:      England 
 Eff Length:  2,600 - 2,715 Bytes 
 Type Code:   PRtAKX - Parasitic Resident .COM, .EXE, & Master Boot Sector 
                       Infector 
 Detection Method:  ViruScan, AVTK, F-Prot, Sweep, NAV, IBMAV, ChAV, 
                    NAVDX, VAlert, PCScan, 
                    NShld, Sweep/N, NProt, AVTK/N, NAV/N, IBMAV/N, LProt 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Crazy Eddie virus was originally received in 1991 from England. 
       Crazy Eddie is a memory resident multi-partite virus which infects 
       the hard disk master boot sector (partition table), COMMAND.COM, 
       .COM, and .EXE programs. 
 
       The first time a program infected with the Crazy Eddie virus is 
       executed, this virus will infect the hard disk master boot sector if 
       it was not previously infected.  The virus locates a copy of 
       its viral code on the cylinder 0, side 0, sectors 2-4, and then 
       alters the master boot sector.  The virus doesn't become memory 
       resident at this time, and will not infect programs. 
 
       Once the master boot sector has been infected, the Crazy Eddie virus 
       will become memory resident when the user boots the system from 
       the system hard disk.  At this time, Crazy Eddie will install 
       itself memory resident at the top of system memory but below the 
       640K DOS boundary, moving interrupt 12's return.  Total system 
       and available free memory, as indicated by the DOS CHKDSK program, 
       will have decreased by 17,408 bytes.  Interrupts 00, 10, 14, and 
       17 will be hooked by the virus. 
 
       When Crazy Eddie is memory resident, it will infect .COM and .EXE 
       programs, including COMMAND.COM, when they are opened or executed. 
       It will also infect one program in the current directory each time 
       a DOS DIR command is performed. 
 
       Programs infected with Crazy Eddie will have a file length increase 
       of 2,600 to 2,715 bytes with the virus being located at the end of 
       the infected program.  The file's date and time in the DOS disk 
       directory listing will not have been altered.  One text string can 
       be found within the viral code in all infected programs: 
 
               "Crazy Eddie" 
 
       Crazy Eddie is a destructive virus which activates on Monday The 
       28ths as well as on June 28th.  On these dates, it will corrupt 
       the system hard disk by overwriting it with characters from memory 
       when the system is booted.

Show viruses from discovered during that infect .

Main Page