Virus Name: Ebola
Aliases: Ebola.313, Eb.313
V Status: New
Discovered: January, 1996
Symptoms: .COM files altered
Eff Length: 313 Bytes OW
Type Code: ORaCK - Overwriting Resident .COM Infector
Detection Method: AVTK, ViruScan, NAV, NAVDX, F-Prot, IBMAV, PCScan,
AVTK/N, NAV/N, NShld, IBMAV/N, Innoc
Removal Instructions: Delete infected files
The Ebola, Eb.313 or Ebola.313, virus was received in January, 1996.
Its origin or point of isolation is unknown. Ebola is a memory
resident infector of .COM files, including COMMAND.COM. It only
infects programs in subdirectories.
When the first Ebola infected program is executed, this virus will
install itself memory resident in allocated system memory, hooking
interrupt 21. Total system and available free memory, as indicated
with the DOS CHKDSK program from DOS 5.0, will not be altered.
Once the Ebola virus is memory resident, it will infect .COM programs
which are executed only if the .COM programs contains at least 313
bytes of hex "00" characters, in which case it will infect the
program by overwriting 313 bytes of the hex "00" characters and
adding a jump to this code at the beginning of the file. The file's
length and file date/time in the DOS disk directory listing will not
be altered. The following text string is visible within the viral
code in all Ebola infected programs:
Programs infected with the Ebola virus will usually function
properly as this virus does not overwrite any of the program's
Known variant(s) of Ebola are:
Ebola.378: Also known as Eb.378, this is a 378 byte variant of
the Ebola virus described above. It contains the following
Origin: Unknown January, 1996.