Dalian Virus
Virus Name: Dalian
Aliases: Dalian.1367
V Status: In the wild
Discovery: July, 1996
Symptoms: .EXE file growth; sluggish DOS DIR commands;
decrease in available free memory
Origin: China
Eff Length: 1,367 - 1,382 Bytes
Type Code: PRhE - Parasitic Resident .EXE Infector
Detection Method: F-Prot, AVTK 7.61+, IBMAV, ViruScan 2.51+, PCScan 5.02+,
NAV 3.09 9608+, NAVBoot 0.A 9608+, ChAV,
Innoc 4.0+, NProt, AVTK/N 7.61+, IBMAV/N,
NShld 2.32 9607+, LProt, NAV 2.0 9608+
Removal Instructions: Delete infected files
General Comments:
The Dalian virus was received in July, 1996, and is reported to
be "in the wild". It appears to be from China. Dalian is a
fast infector of .EXE files.
When the first Dalian-infected program is executed, the virus
installs itself memory resident at the top of system memory but
below the 640K DOS boundary, without changing interrupt 12's return.
Available free memory, as indicated by the DOS CHKDSK program from
DOS 5.0, will have decreased by 1,632 bytes. Interrupts 1C and 21
will be hooked by the virus in memory.
Once the Dalian virus is memory resident, it will infect all of the
.EXE files in a directory when a DOS DIR command is issued, as well
as the target file when an .EXE file is copied. Programs infected with
this virus will have a file length increase of 1,367 to 1,382 bytes
with the virus being located at the end of the file. The program's
date and time in the DOS disk directory listing will not be altered.
The following text strings are visible within the viral code:
"Gene_1991_in DUT (Dalian China)"
"GFoundHookedFoundBased"
The DOS DIR command will appear to function sluggishly when this
virus is infecting files.
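
The check below is an added example, not part of the original entry or of any listed scanner. It compares two DIR-style listings for .EXE files that grew by 1,367 to 1,382 bytes with an unchanged date and time, and looks for the quoted strings in the appended tail of a file. The listing layout, file names, sizes and function names are constructed for illustration.

```python
# Added example: growth and string checks taken from the Dalian description.
DALIAN_GROWTH = range(1367, 1383)   # 1,367 to 1,382 bytes, per the entry
DALIAN_STRINGS = (b"Gene_1991_in DUT (Dalian China)", b"GFoundHookedFoundBased")

# Constructed sample listings: NAME EXT SIZE DATE TIME
BASELINE = """\
EDIT     EXE     10000 04-09-91   5:00a
CHKDSK   EXE     16200 04-09-91   5:00a
FORMAT   COM     32911 04-09-91   5:00a
TOOL     EXE      5000 01-02-95  10:15a
"""
CURRENT = """\
EDIT     EXE     11367 04-09-91   5:00a
CHKDSK   EXE     17582 04-09-91   5:00a
FORMAT   COM     34278 04-09-91   5:00a
TOOL     EXE      6400 07-20-96   3:30p
"""

def parse_dir(listing):
    """Parse 'NAME EXT SIZE DATE TIME' lines into {name: (size, stamp)}."""
    entries = {}
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[2].replace(",", "").isdigit():
            continue  # skip headers, <DIR> entries and summary lines
        name = f"{parts[0]}.{parts[1]}".upper()
        entries[name] = (int(parts[2].replace(",", "")), (parts[3], parts[4]))
    return entries

def growth_suspects(baseline, current):
    """Return (name, growth) for .EXE files that grew in range, stamp unchanged."""
    before, after = parse_dir(baseline), parse_dir(current)
    hits = []
    for name, (size, stamp) in sorted(after.items()):
        if not name.endswith(".EXE") or name not in before:
            continue  # the entry describes an .EXE infector only
        old_size, old_stamp = before[name]
        if size - old_size in DALIAN_GROWTH and stamp == old_stamp:
            hits.append((name, size - old_size))
    return hits

def tail_has_strings(data, window=1382):
    """True if a quoted string occurs in the last `window` bytes of the file."""
    tail = data[-window:]   # the virus body sits at the end of the file
    return any(s in tail for s in DALIAN_STRINGS)

if __name__ == "__main__":
    print(growth_suspects(BASELINE, CURRENT))
```

The listings should be taken after booting from a known-clean, write-protected system diskette, since the resident virus infects files whenever DIR is issued.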