Dex Virus

Virus Name: Dex Aliases: Dex.1356 V Status: New Discovered: January, 1996 Symptoms: .COM & .EXE growth; file date/time seconds = "62"; decrease in available free memory; DOS CHKDSK file allocation errors Origin: Unknown Eff Length: 1,356 Bytes Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector Detection Method: IBMAV, NAV, NAVDX, AVTK, ViruScan, F-Prot, ChAV, IBMAV/N, NAV/N, AVTK/N, NShld 2.32 9606+, Innoc 4.0+ Removal Instructions: Delete infected files General Comments: The Dex virus was received in January, 1996. Its origin or point of isolation is unknown. Dex is a memory resident stealth virus which infects .COM and .EXE files, including COMMAND.COM. It is a fast file infector, quickly spreading on infected systems. When the first Dex infected program is executed, this virus will install itself memory resident at the top of system memory but below the 640K DOS boundary, not moving interrupt 12's return. Available free memory, as indicated by the DOS CHKDSK program from DOS 5.0, will have decreased by 2,656 bytes. Interrupt 21 will be hooked by the virus in memory. Once the Dex virus is memory resident, it will infect .COM and .EXE files, including COMMAND.COM, when they are executed, opened, or copied. Infected files will have a file length increase of 1,356 bytes, though this file length increase will be hidden by the virus when it is memory resident. The virus will be located at the end of the file. The program's date and time in the DOS disk directory listing will not appear to be altered, though the seconds field will have been set to "62". The following text strings are visible within the viral code: ".COM.EXEv08" "PKZIP.EXELHA.EXEARJ.EXE" "dex" This virus disinfects programs as they are read into memory, so any attempt to view these strings or the viral code with the virus memory resident will not be successful. An uninfected copy of the program will be shown to the user.