Crazy Frog Virus
Virus Name: Crazy Frog
Aliases: Crazy Frog.1477
V Status: New
Discovery: May, 1996
Symptoms: .COM & .EXE growth; DOS CHKDSK file allocation errors;
decrease in available free memory;
file date/time seconds = "30" or "62"
Eff Length: 1,477 Bytes
Type Code: PRhA - Parasitic Resident .COM & .EXE Infector
Detection Method: F-Prot, AVTK, IBMAV, NAV, NAVDX, ViruScan, ChAV,
AVTK/N, IBMAV/N, NAV/N, NShld 2.32 9607+,
Removal Instructions: Delete infected files
The Crazy Frog virus was received in May, 1996. Its origin or
point of isolation is unknown. Crazy Frog is a memory resident
fast infector of .COM and .EXE files which is also a size stealthing
virus. It does not infect COMMAND.COM.
When the first Crazy Frog infected program is executed, this virus
will install itself memory resident at the top of system memory but
below the 640K DOS boundary, hooking interrupts 21 and 24. Available
free memory, as indicated by the DOS CHKDSK program from DOS 5.0,
will have decreased by 1,504 bytes. Interrupt 12's return will not
have been moved.
Once the Crazy Frog virus is memory resident, it will infect .COM
and .EXE files, other than COMMAND.COM, when they are executed,
opened, or copied. Infected files will have a file length increase
of 1,477 bytes, though this file length increase will be hidden when
the virus is memory resident. The virus will be located at the end
of the file. The program's date and time in the DOS disk directory
listing will not appear to be altered, though the seconds field will
have been altered to either "30" or "62". The following text string
is encrypted within the viral code:
"cRaZy fRoG, (c)95 bY iRASCiBLE"
The DOS CHKDSK program will indicate file allocation errors on all
infected files when this virus is memory resident.