1253 Virus


 Virus Name:  1253 
 Aliases:     Anticad, V-1, Thanksgiving 
 V Status:    Rare 
 Discovery:   August, 1990 
 Symptoms:    TSR; BSC; COMMAND.COM & .COM file growth; partition table 
              change 
 Origin:      Austria 
 Eff Length:  1,253 Bytes 
 Type Code:   PRsBCKX - Parasitic Resident .COM & Partition Table Infector 
 Detection Method:  ViruScan, NAV, AVTK, F-Prot, Sweep, 
                    IBMAV, NAVDX, VAlert, PCScan, ChAV, 
                    NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, 
                    NAV/N, IBMAV/N 
 Removal Instructions:  NAV or delete infected files and replace partition 
                        table/boot sector 
 General Comments: 
       The 1253 virus was submitted in August 1990.  It is believed to have 
       originated in (or at least to have been first isolated in) Austria. 
       1253 is a generic infector of .COM files, including COMMAND.COM. It 
       also infects the boot sector of diskettes and the partition table of 
       hard disks. 
 
       The first time a program infected with the 1253 virus is executed, 
       the virus will install itself memory resident as a low system memory 
       TSR.  The TSR will be 2,128 bytes in length, hooking interrupts 08, 
       13, 21, and 60.  Total system memory will remain unchanged, and free 
       memory will decrease by 2,128 bytes.  At this time, the partition 
       table of the system's hard disk is infected with the 1253 virus.  If 
       the infected program was executed from a diskette, the diskette's 
       boot sector will also be infected. 
 
       Each time a .COM file is executed with the virus resident in memory, 
       the .COM file will be infected if it hasn't previously been 
       infected. The 1253 virus appends its viral code to the end of the 
       .COM file, and then changes the first few bytes of the program to 
       be a jump to the appended code.  Infected files increase in length 
       by 1,253 bytes, and the virus makes no attempt to hide the increase 
       when the directory is displayed.  Infected files will also have 
       their fourth through sixth bytes set to "V-1" (hex 56 2D 31). 
 
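The file-level indicators above (the "V-1" bytes at positions four through six and the 1,253-byte appended body) can be checked mechanically. The following is an added example, not part of the original listing: `check_com` and `build_sample` are hypothetical names, the sample is constructed from zero filler bytes, and the assumptions are that the patched entry is a near JMP (opcode E9) and that it lands inside the appended 1,253 bytes.

```python
import struct

VIRUS_LEN = 1253      # effective length stated in the listing
MARKER = b"V-1"       # bytes 4-6 of an infected file (hex 56 2D 31)
LOAD_BASE = 0x100     # DOS loads a .COM image at offset 100h


def check_com(data: bytes) -> str:
    """Classify a .COM image: 'clean', 'marker-only' or 'likely-1253'."""
    if len(data) < 6 or data[3:6] != MARKER:
        return "clean"
    # A three-byte marker can occur by coincidence, so corroborate it.
    # An infected file grew by VIRUS_LEN, so it must be longer than that.
    if len(data) <= VIRUS_LEN:
        return "marker-only"
    # Assumption: the rewritten entry is a near JMP (E9 + 16-bit offset).
    if data[0] != 0xE9:
        return "marker-only"
    (disp,) = struct.unpack_from("<H", data, 1)
    # The displacement is relative to the instruction after the 3-byte JMP.
    target_ip = (LOAD_BASE + 3 + disp) & 0xFFFF
    target = target_ip - LOAD_BASE          # back to a file offset
    body_start = len(data) - VIRUS_LEN      # where appended code would begin
    # Assumption: the jump lands somewhere inside the appended body.
    if body_start <= target < len(data):
        return "likely-1253"
    return "marker-only"


def build_sample(host: bytes) -> bytes:
    """Constructed test image with the same layout; filler is inert zeros."""
    jump = b"\xE9" + struct.pack("<H", len(host) - 3)
    return jump + MARKER + host[6:] + bytes(VIRUS_LEN)


if __name__ == "__main__":
    host = bytes(500)                       # constructed 500-byte host
    print(check_com(host), check_com(build_sample(host)))
```

A "marker-only" result still warrants a second look with a scanner; the file check says nothing about the partition table or boot sector.
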
       Any diskettes which are accessed while the virus is present in 
       memory will have their boot sector infected with this virus. 
       Newly formatted diskettes, likewise, will be infected immediately. 
 
       The 1253 virus is destructive when it activates.  The author of this 
       listing was able to get it to activate by setting the system date to 
       December 24th and then executing an infected program on drive A:. 
       The virus promptly went and overwrote the entire diskette in drive 
       A: with a pattern of 9 sectors of what appears to be a program 
       fragment.  Once the virus has started to overwrite a diskette, the 
       only way to stop the disk activity is to power off the system. 
 
       The virus in the partition table and/or diskette boot sector is of 
       special note.  When the system is booted from the hard disk or 
       diskette with the virus in the partition table or boot sector, the 
       virus will install itself memory resident.  At this time, the virus 
       resides above the top of system memory but below the 640K DOS 
       boundary.  The change in total system memory and available free 
       memory will be 77,840 bytes. It can be seen with the CHKDSK 
       command.  At this time, any .COM program executed will be infected 
       with the 1253 virus, even if no program on the hard disk contained 
       the virus before the system was booted. 
 
       One effect of this virus once the system has been booted from an 
       infected hard drive or floppy is that the FORMAT command may result 
       in unexpected disk activity to inactive drives.  For example, on the 
       author's system, when formatting a diskette in drive A: with the 
       current drive being drive C:, there was always disk activity to 
       drive B:. 
 
       Disinfecting the 1253 virus requires, besides disinfecting or 
       deleting infected .COM programs, that the hard disk's partition 
       table and the boot sector of any diskettes exposed to the infected 
       system be disinfected.  If the partition table and diskette boot sectors are 
       not disinfected, the system will promptly experience reinfection of 
       .COM files with the virus following a system boot from the hard disk 
       or diskette.  Disinfecting the partition table and boot sectors, when 
       done properly, will also result in the system's full memory again 
       being available. 
 
       It is unknown if there are other activation dates for this virus, or 
       if it will overwrite the hard disk if an infected program is 
       executed on December 24th from the hard disk. 
