Crazy Frog Virus

Virus Name: Crazy Frog Aliases: Crazy Frog.1477 V Status: New Discovery: May, 1996 Symptoms: .COM & .EXE growth; DOS CHKDSK file allocation errors; decrease in available free memory; file date/time seconds = "30" or "62" Origin: Unknown Eff Length: 1,477 Bytes Type Code: PRhA - Parasitic Resident .COM & .EXE Infector Detection Method: F-Prot, AVTK, IBMAV, NAV, NAVDX, ViruScan, ChAV, PCScan, AVTK/N, IBMAV/N, NAV/N, NShld 2.32 9607+, Innoc 4.0+ Removal Instructions: Delete infected files General Comments: The Crazy Frog virus was received in May, 1996. Its origin or point of isolation is unknown. Crazy Frog is a memory resident fast infector of .COM and .EXE files which is also a size stealthing virus. It does not infect COMMAND.COM. When the first Crazy Frog infected program is executed, this virus will install itself memory resident at the top of system memory but below the 640K DOS boundary, hooking interrupts 21 and 24. Available free memory, as indicated by the DOS CHKDSK program from DOS 5.0, will have decreased by 1,504 bytes. Interrupt 12's return will not have been moved. Once the Crazy Frog virus is memory resident, it will infect .COM and .EXE files, other than COMMAND.COM, when they are executed, opened, or copied. Infected files will have a file length increase of 1,477 bytes, though this file length increase will be hidden when the virus is memory resident. The virus will be located at the end of the file. The program's date and time in the DOS disk directory listing will not appear to be altered, though the seconds field will have been altered to either "30" or "62". The following text string is encrypted within the viral code: "cRaZy fRoG, (c)95 bY iRASCiBLE" The DOS CHKDSK program will indicate file allocation errors on all infected files when this virus is memory resident.