Virus Name: DSU
V Status: New
Discovered: July, 1995
Symptoms: .COM & .EXE growth; decrease in available free memory;
DOS CHKDSK file allocation errors
Eff Length: 1,414 Bytes
Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector
Detection Method: F-Prot, AVTK, VAlert, ViruScan, Sweep, NAV, NAVDX,
AVTK/N, Sweep/N, NShld, NAV/N, IBMAV/N, NProt, Innoc 4.0+
Removal Instructions: Delete infected files
The DSU or DSU.1414 virus was received in July, 1995. Its origin
or point of isolation is unknown. DSU is a memory resident stealth
virus which infects .COM and .EXE files, including COMMAND.COM. It
is unkown what it may do besides replicate.
When the first DSU infected program is executed, this virus will
install itself memory reisdent at the top of system memory but
below the 640K DOS boundary, not moving interrupt 12's return.
Available free memory, as indicated by the DOS CHKDSK program from
DOS 5.0, will have decreased by 1,600 bytes. Interrupts 17 and 21
will be hooked by the virus in memory.
Once the DSU virus is memory resident, it will infect .COM and .EXE
files when they are executed or opened, but not on copy. Infected
files will have a file length increase of 1,414 bytes, though this
file length increase will be hidden when the virus is memory
resident. The virus will be located at the end of the file. The
following text string is encrypted within the viral code:
"(c) 1994 DSU RadioFuckPR"
The DOS CHKDSK program will indicate file allocation errors on all
infected files when the DSU virus is memory resident.
Known variant(s) of DSU are:
DSU.1422: Also received in July, 1995, this is a 1,422 byte
variant of the DSU virus described above. Its size in memory
is 3,144 bytes, hooking interrupt 21. This variant infects
.COM and .EXE files, but not COMMAND.COM, when they are executed.
Infected files will have a file length increase of 1,422 to
1,436 bytes with the virus being located at the end of the file,
though this file length increase will be hidden when the virus
is memory resident. The file's date and time in the DOS disk
directory listing will not be altered. The following text
strings are encrypted within the viral code:
"Happy New Year !!!"
The DOS CHKDSK program will return file allocation errors on
all infected files when the virus is memory resident.
Origin: Unknown July, 1995.