Virus Name: Crucifix
V Status: New
Discovery: February, 1995
Symptoms: .COM file growth; decrease in available free memory
Eff Length: 2,916 Bytes
Type Code: PRhCK - Parasitic Resident .COM Infector
Detection Method: F-Prot, NAV, AVTK, Sweep, IBMAV, NAVDX, VAlert,
ViruScan, PCScan, ChAV,
Sweep/N, NProt, AVTK/N, IBMAV/N, NAV/N, NShld, LProt,
Removal Instructions: Delete infected files
The Crucifix or Crucifix.2916 virus was received in February, 1995.
Its origin or point of isolation is unknown. Crucifix is a memory
resident infector of .COM files, including COMMAND.COM.
When the first Crucifix infected program is executed, this virus
will install itself memory resident at the top of system memory but
below the 640K DOS boundary, not moving interrupt 12's return.
Total available free memory, as indicated by the DOS 5.0 CHKDSK
program, will have decreased by 2,928 bytes. Interrupts 09 and 21
will be hooked by the virus in memory. Some memory mapping programs
will indicate that the owner or program which is resident is "JeSuS".
Once the Crucifix virus is memory resident, it will infect .COM files
only when they are copied. Both the target and the source file will
be infected by the virus. Programs infected with the Crucifix.2916
virus will have a file length increase of 2,916 bytes with the virus
being located at the end of the file. The file's date and time in
the DOS disk directory listing will not be altered. The following
text strings are visible within the viral code:
"If you're the Messiah and you know it,"
"Clap your hands!"
"Then your face will surely show it,"
"(rucifixion Virus 1.0 (c) 1994, by Jesus of The Trinity"
It is unknown what the Crucifix virus does besides replicate.