Virus Name: 1067
V Status: Rare
Discovery: January, 1991
Symptoms: .COM file growth; decrease in total system & available free
memory; TSR; error messages
Eff Length: 1,067 Bytes
Type Code: PRhCK - Parasitic Resident .COM Infector
Detection Method: ViruScan, NAV, AVTK, Sweep, ChAV,
F-Prot, IBMAV, NAVDX, VAlert, PCScan,
NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N,
Removal Instructions: Delete infected files
The 1067 virus was originally received in January, 1991. 1067 is
a memory resident infector of .COM programs, including COMMAND.COM.
It is originally from Europe.
The first time a 1067 infected program is executed, the 1067 virus
will install itself memory resident as a low system memory TSR of
1,808 or 1,856 bytes. Interrupt 21 will be hooked by the virus in
memory. Unlike most viruses which are TSRs, the infection of the
virus in memory will also result in a decrease in total system and
available free memory in increments of 64K. The additional decrease
in total system and available free memory may be mapped by some
utilities as an increase in the size of the in memory command
Once the 1067 virus is memory resident, it will infect one .COM
program over approximately 3K in size located in the current
directory each time any program is executed. If COMMAND.COM is
located in this directory, it may become infected.
1067 virus infected programs will have a file length increase of
1,067 bytes. The virus will be located at the end of the infected
program. The file's date and time in the DOS disk directory
listing will not have been altered. There are no text strings
visible within the viral code in infected programs.
A symptom of a 1067 infection is that attempts to execute large
.EXE programs may fail due to the virus' allocation of large
amounts of memory. These large .EXE programs may receive the
following error message when the user attempts to execute them:
"Program too big to fit in memory"
1067 doesn't appear to do anything besides replicate.