Cruncher Virus


 Virus Name:  Cruncher 
 Aliases:     Cruncher 1.0 
 V Status:    Rare 
 Discovery:   June, 1993 
 Symptoms:    .COM files decrease in size; 
              decrease in total system & available free memory 
 Origin:      The Netherlands 
 Eff Length:  N/A Bytes 
 Type Code:   !RhC - Compressing Resident .COM Infector 
 Detection Method:  VAlert, IBMAV, AVTK, ViruScan, NAV, NAVDX, 
                    IBMAV/N, AVTK/N, NAV/N 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Cruncher, or Cruncher 1.0, virus was submitted in June, 1993, 
       and is from The Netherlands.  Cruncher is a memory resident virus 
       which compresses the files it infects.  As a result, most infected 
       files will have decreased in size, depending on the file content and 
       size before the compression was applied by the virus. 
 
       When the first Cruncher infected program is executed, the Cruncher 
       virus will install itself memory resident at the top of system 
       memory but below the 640K DOS boundary, hooking interrupt 21.  Total 
       system and available free memory, as indicated by the DOS CHKDSK 
       program, will have decreased by 2,352 bytes.  Interrupt 12's return 
       will not have been moved. 
 
       Once the Cruncher virus is memory resident, it will infect .COM 
       programs, other than COMMAND.COM and very small .COM programs, when 
       they are executed.  Infected programs will usually decrease in size, 
       though .COM programs which were originally smaller than approximately 
       3K may show a slight increase in size.  The program's date and time 
       in the DOS disk directory listing will not be altered.  The following 
       text strings are contained within the viral code in the Cruncher 
       infected files, and are not visible since the viral code is 
       compressed along with the host file: 
 
               "[ MK / Trident ]" 
               "Cruncher V1.0" 
 
       Cruncher doesn't appear to do anything besides compress .COM files, 
       though its presence may result in some programs not functioning 
       properly. 
 
       Known variant(s) of Cruncher are: 
       Cruncher 2.0: Based on the Cruncher virus described above, 
                     Cruncher 2.0 is a later version of the virus which 
                     will infect and compress .EXE programs as well as 
                     .COM programs.  Its size in memory is 4,256 bytes, 
                     hooking interrupt 21.  It contains the following 
                     text strings, though they are not visible within 
                     infected files: 
                     "*** CRUNCHER V2.0 ***   Automatic file compression 
                      utility" 
                     "Written by Masud Khafir of the TridenT group  (c) 
                      31/12/92" 
                     "Greetings to Fred Cohen, Light Avenger, and 
                      Teddy Matsumoto" 
                     Origin:  The Netherlands  June, 1993. 
       Cruncher 2.1: Based on the Cruncher 2.0 variant described above, 
                     Cruncher 2.1 asks the user's permission to install 
                     itself memory resident and start compressing files.  Its 
                     Its size in memory is 5,056 bytes, hooking interrupt 21. 
                     It contains the following text strings, though they are 
                     not visible within infected files: 
                     "*** CRUNCHER V2.1 ***   Automatic file compression 
                      utility" 
                     "Written by Masud Khafir of the TridenT group  (c) 
                      23/8/93" 
                     "Greetings to Fred Cohen, Light Avenger, and 
                      Teddy Matsumoto" 
                     Origin:  The Netherlands  October, 1993. 

Show viruses from discovered during that infect .

Main Page