Virus Name: Edcl
V Status: Rare
Discovered: April, 1992
Symptoms: .COM & .EXE file growth; decrease in total system and
available free memory
Eff Length: 1,600 - 1,615 Bytes
Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector
Detection Method: F-Prot, AVTK, NAV, IBMAV, ViruScan, Sweep, PCScan,
NAVDX, VAlert, ChAV,
NShld, Sweep/N, Innoc, NProt, AVTK/N, NAV/N, IBMAV/N,
Removal Instructions: Delete infected files
The Edcl virus was submitted in April, 1992. It is originally from
Bulgaria, and is related to the CB-1530 virus. Edcl is a memory
resident infector of .COM and .EXE programs, including COMMAND.COM,
and employs some stealth techniques to avoid detection.
When the first Edcl infected program is executed, the Edcl virus
will install itself memory resident at the top of system memory
but below the 640K DOS boundary. Total system and available free
memory, as indicated by the DOS CHKDSK program, will have
decreased by 2,048 bytes. Interrupt 12's return will not have
been moved. Interrupts 09, 13, and 21 will be hooked by Edcl in
memory. Also at this time the Edcl virus will infect COMMAND.COM
if it was not previously infected.
Once the Edcl virus is memory resident, it will infect .COM and
.EXE programs, other than very small ones, when the programs are
opened or executed. Infected programs will have a file length
increase of 1,600 to 1,615 bytes with the virus being located
at the end of the program. The file's date and time in the
DOS disk directory listing will not be altered. One text string
can be found in the viral code in infected programs:
The following text strings are also contained within the Edcl
virus, though they are encrypted so they will not appear in
"Hi to Eastern Digital."
"Greetings to Mister L."
"Megafuck to Mihai Sirbu -- MicroTimSoft."
Attempts to execute some anti-viral scanners with the Edcl virus
memory resident will result in the virus being noticed on .COM
files, but not on .EXE files. .EXE files may appear to be
uninfected, though if scanned with the virus non-resident, the
same utility will be able to detect the virus. The virus may also
interfer with the operation of the BACKUP.COM program.
Known variant(s) of Edcl are:
Edcl-B: Functionally equivalent to the Edcl virus described
above, Edcl-B is a minor variant. It has 21 bytes which
differ from the original virus.
Origin: Unknown October, 1992.
Edct: Similar to the Edcl virus described above, this variant
does not hook interrupt 13. Like Edcl, it adds 1,600 to
1,615 bytes to the .COM and .EXE programs it infects on
execution and file open. Two text strings are encrypted
within the viral code:
"Megafuck from Eastern Digital"
The "EDCL" text string found within the original virus has
been changed to "edct".
Origin: Bulgaria June, 1992.