Virus Name: Dalian
V Status: In the wild
Discovery: July, 1996
Symptoms: .EXE file growth; sluggish DOS DIR commands
decrease in available free memory
Eff Length: 1,367 - 1,382 Bytes
Type Code: PRhE - Parasitic Resident .EXE Infector
Detection Method: F-Prot, AVTK 7.61+, IBMAV, ViruScan 2.51+, PCScan 5.02+,
NAV 3.09 9608+, NAVBoot 0.A 9608+, ChAV,
Innoc 4.0+, NProt, AVTK/N 7.61+, IBMAV/N,
NShld 2.32 9607+, LProt, NAV 2.0 9608+
Removal Instructions: Delete infected files
The Dalian virus was received in July, 1996, and is reported to
be "in the wild". It appears to be from China. Dalian is a
fast infector of .EXE files.
When the first Dalian infected program is executed, this virus
will install itself memory resident at the top of system memory
but below the 640K DOS boundary, not moving interrupt 12's return.
Available free memory, as indicated by the DOS CHKDSK program from
DOS 5.0, will have decreased by 1,632 bytes. Interrupts 1C and 21
will be hooked by the virus in memory.
Once the Dalian virus is memory resident, it will infect all of the
.EXE files in a directory when a DOS DIR command is issued, as well
as the target file when they are copied. Programs infected with
this virus will have a file length increase of 1,367 to 1,382 bytes
with the virus being located at the end of the file. The program's
date and time in the DOS disk directory listing will not be altered.
The following text strings are visible within the viral code:
"Gene_1991_in DUT (Dalian China)"
The DOS DIR command will appear to function sluggishly when this
virus is infecting files.