Cybercide Virus


 Virus Name:  Cybercide 
 Aliases:     Cybercide-2299 
 V Status:    Rare 
 Discovery:   September, 1993 
 Symptoms:    .COM file growth; DOS CHKDSK file allocation errors; 
              decrease in total system & available free memory; 
              DOS DIR command performance slowed 
 Origin:      Unknown 
 Eff Length:  2,299 Bytes 
 Type Code:   PRhCK - Parasitic Resident .COM Infector 
 Detection Method:  F-Prot, ViruScan, IBMAV, AVTK, Sweep, NAV, 
                    NAVDX, VAlert, PCScan, ChAV, 
                    NShld, Sweep/N, AVTK/N, IBMAV/N, NAV/N, LProt, 
                    Innoc 4.0+ 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Cybercide virus was submitted in September, 1993.  Its origin or 
       point of isolation is unknown.  Cybercide is a memory resident 
       stealth virus which infects .COM programs, including COMMAND.COM. 
 
       When the first Cybercide infected program is executed, the Cybercide 
       virus will install itself memory resident at the top of system 
       memory but below the 640K DOS boundary, not moving interrupt 12's 
       return.  Total system and available free memory, as indicated by the 
       DOS CHKDSK program, will have decreased by 4,800 bytes.  Interrupts 
       09, 1C, and 21 will be hooked by Cybercide in memory. 
 
       Once the Cybercide virus is memory resident, it will infect .COM 
       programs when they are executed or opened, as well as when they are 
       included as a part of the target of a DOS DIR command.  Programs 
       infected with the Cybercide virus will have a file length increase 
       of 2,299 bytes, though this file length increase will be hidden when 
       the virus is memory resident.  The virus will be located at the end 
       of infected files.  The program's date and time in the DOS disk 
       directory listing will not be altered.  The following text strings 
       can be found within the viral code in all Cybercide infected programs: 
 
               "... I SHALL FEAR NO EVIL ..." 
               ">>>  A.N.O.I  <<<" 
               "**CYBERCIDE** -- FLOATING THROUGH THE VOID" 
               "iS AROUND!" 
               "* *I* *h*e*r*e*b*y* *p*r*o*c*l*a*i*m* *t*h*i*s* 
                *c*o*m*p*u*t*e*r* *a*s* *t*h*e* *p*r*o*p*e*r*t*y* *o*f* 
                *A*.*N*.*O*.*I*" 
               "*!*!* *A*L*L* *H*A*I*L* *D*A*R*T*H* *V*A*D*E*R*!*!*" 
               "-=CYBERCIDE=- 01-30-1993 * COPYRIGHT (C) 1992-93 
                A.N.O.I DEVELOPMENT" 
 
       The asterisks (*) in the fifth and sixth messages are actually a  
       character, or hex 0F. 
 
       Users of systems infected with Cybercide may notice that the 
       performance of the DOS DIR command is sluggish due to the virus 
       infecting .COM files included in the command output.  Additionally, 
       the DOS CHKDSK program will return file allocation errors on all 
       infected files when Cybercide is memory resident. 
 
       Known variant(s) of Cybercide are: 
       Cybercide-2299B: Received in April, 1994, Cybercide-2299B is 
                 functionally similar to the Cybercide virus described above. 
                 The text strings within the virus have been changed to the 
                 following: 
                 "... I SHALL FEAR NO EVIL ..." 
                 ">>>  A.N.O.I  <<<" 
                 "**CYBERCIDE** -- FLOATING THROUGH THE VOID" 
                 "iS AROUND!" 
                 "* *I* *h*e*r*e*b*y* *p*r*o*c*l*a*i*m* *t*h*i*s* 
                  *c*o*m*p*u*t*e*r* *a*s* *t*h*e* *p*r*o*p*e*r*t*y* *o*f* 
                  *N*A*Z*I*S*.* *" 
                 "*H*E*I*L* *H*I*T*L*E*R* *!*!*!*" 
                 "COPYRIGHT (C) 1992-93  A.N.O.I DEVELOPMENT" 
                 The asterisks (*) in the fifth and sixth messages are 
                 actually a  character, or hex 0F. 
                 Programs infected with Cybercide-2299B will have the file 
                 date/time seconds field in the DOS disk directory listing 
                 changed to "24". 
                 Origin:  Sweden  November, 1993. 
       MLP-1321: Received in November, 1993, MLP-1321 is based on the 
                 Cybercide virus described above.  MLP-1321's size in memory 
                 is 1,600 bytes, hooking interrupt 21.  Once memory resident, 
                 it infects .COM programs, including COMMAND.COM, when they 
                 are executed or opened for any reason.  Infected programs 
                 increase in size by 1,321 bytes, though the file length 
                 increase will be hidden when the virus is memory resident. 
                 The virus is located at the end of all infected programs. 
                 The program's date and time in the DOS disk directory 
                 listing will have been updated to the current system date 
                 and time when infection occurred.  The following text is 
                 encrypted within the MLP-1321 viral code: 
                 "simple simon met a pieman going to the fair 
                  said simple simon to the pieman let me take your ware" 
                 "- my little pony - copyright(c) 1993 Cruel Entity and 
                  A.N.O.I. -" 
                 ">>> A.N.O.I <<<" 
                 As with the original virus, the DOS CHKDSK program will 
                 return file allocation errors on all infected programs 
                 when the virus is memory resident.  Execution of infected 
                 programs may result in a system hang. 
                 Origin:  Sweden  November, 1993. 
 
       See:  DNR

Show viruses from discovered during that infect .

Main Page