1226 Virus
Virus Name: 1226
Aliases: V1226
V Status: Rare
Discovery: July 1990
Symptoms: .COM growth; decrease in system and free memory; system
hangs; spurious characters displayed in place of program
executing; disk drive spinning
Origin: Bulgaria
Eff Length: 1,226 Bytes
Type Code: PRhC - Parasitic Resident .COM Infector
Detection Method: ViruScan, AVTK, F-Prot, NAV, Sweep,
IBMAV, NAVDX, VAlert, PCScan,
NShld, Sweep/N, LProt, Innoc, NProt, NAV/N,
AVTK/N, IBMAV/N
Removal Instructions: Delete infected files
General Comments:
The 1226 virus was isolated in Bulgaria in July 1990 by Vesselin
Bontchev. This virus is a memory resident generic .COM infector,
though it does not infect COMMAND.COM. The 1226 virus is a
self-encrypting virus, and simple search string algorithms will not
work to detect its presence on a system.
The first time a program infected with the 1226 virus is executed,
the virus will install itself memory resident, reserving 8,192 bytes
of memory at the top of free memory. Interrupt 2A will be hooked.
Once 1226 is memory resident, the virus will attempt to infect any
.COM file that is executed that is at least 1,226 bytes in length
before infection. The virus is rather "buggy" and the infection
process is not always entirely successful. Successfully infected
files will increase in length by 1,226 bytes.
This virus will infect .COM files multiple times; it is unable to
determine that the file is already infected. Each time the file is
infected it will grow in length by another 1,226 bytes. Eventually,
the .COM files will grow too large to fit into memory.
Systems infected with the 1226 virus may experience unexpected
system hangs when attempting to execute programs. Another effect
is that instead of a program executing, a line or two of spurious
characters will appear on the system display. Lastly, infected
systems will always indicate that they have 8,192 fewer bytes of
total system and free memory available than is actually on the
machine.
Known variant(s) of 1226 are:
1226-B: Received in January, 1992 from an unknown origin, 1226-B
is a bug-fixed version of the 1226 virus described above.
It does not have the bugs present in the earlier version
which cause system hangs or displaying of spurious characters.
It does still reinfect already infected files until they
become too large to fit into memory. It is fairly
similar to 1226D.
Origin: Unknown January, 1992.
1226-B Dropper: Received in January, 1992, this is an .EXE file
that drops the 1226-B virus, which infects only .COM files.
Origin: Unknown January, 1992.
1226D: Based on the 1226 virus, this variant does not experience
the system hangs and the display of spurious characters which
are common with the original virus. 1226D will infect .COM
files over 1,226 bytes in length when they are opened, copied,
or executed.
Origin: Bulgaria July, 1990.
1226M: (V1226M) Similar to the 1226D virus, except that files
are not infected on file open, only when they are executed.
Origin: Bulgaria July, 1990.