DSU Virus


 Virus Name:  DSU 
 Aliases:     DSU.1414 
 V Status:    New 
 Discovered:  July, 1995 
 Symptoms:    .COM & .EXE growth; decrease in available free memory; 
              DOS CHKDSK file allocation errors 
 Origin:      Unknown 
 Eff Length:  1,414 Bytes 
 Type Code:   PRhAK - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  F-Prot, AVTK, VAlert, ViruScan, Sweep, NAV, NAVDX, 
                    IBMAV, ChAV, 
                    AVTK/N, Sweep/N, NShld, NAV/N, IBMAV/N, NProt, Innoc 4.0+ 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The DSU or DSU.1414 virus was received in July, 1995.  Its origin 
       or point of isolation is unknown.  DSU is a memory resident stealth 
       virus which infects .COM and .EXE files, including COMMAND.COM.  It 
       is unkown what it may do besides replicate. 
 
       When the first DSU infected program is executed, this virus will 
       install itself memory reisdent at the top of system memory but 
       below the 640K DOS boundary, not moving interrupt 12's return. 
       Available free memory, as indicated by the DOS CHKDSK program from 
       DOS 5.0, will have decreased by 1,600 bytes.  Interrupts 17 and 21 
       will be hooked by the virus in memory. 
 
       Once the DSU virus is memory resident, it will infect .COM and .EXE 
       files when they are executed or opened, but not on copy.  Infected 
       files will have a file length increase of 1,414 bytes, though this 
       file length increase will be hidden when the virus is memory 
       resident.  The virus will be located at the end of the file.  The 
       following text string is encrypted within the viral code: 
 
           "(c) 1994 DSU RadioFuckPR" 
 
       The DOS CHKDSK program will indicate file allocation errors on all 
       infected files when the DSU virus is memory resident. 
 
       Known variant(s) of DSU are: 
       DSU.1422: Also received in July, 1995, this is a 1,422 byte 
           variant of the DSU virus described above.  Its size in memory 
           is 3,144 bytes, hooking interrupt 21.  This variant infects 
           .COM and .EXE files, but not COMMAND.COM, when they are executed. 
           Infected files will have a file length increase of 1,422 to 
           1,436 bytes with the virus being located at the end of the file, 
           though this file length increase will be hidden when the virus 
           is memory resident.  The file's date and time in the DOS disk 
           directory listing will not be altered.  The following text 
           strings are encrypted within the viral code: 
           "DSU RFF" 
           "Happy New Year !!!" 
           "Dark Angel" 
           The DOS CHKDSK program will return file allocation errors on 
           all infected files when the virus is memory resident. 
           Origin:  Unknown  July, 1995.

Show viruses from discovered during that infect .

Main Page