Virus Name: Enemy
V Status: Rare
Discovered: March, 1992
Symptoms: .COM & .EXE growth; decrease in total system and available
Eff Length: 712 - 1,396 Bytes
Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan, F-Prot, AVTK, Sweep, IBMAV,
NAV, NAVDX, VAlert, PCScan, ChAV,
NShld, Sweep/N, LProt, Innoc, NProt, AVTK/N, IBMAV/N,
Removal Instructions: Delete infected files
The Enemy virus was received in March, 1992. Its origin is
unknown. Enemy is a memory resident infector of .COM and .EXE
programs, including COMMAND.COM.
The first time an Enemy infected program is executed, the Enemy
virus will install itself memory resident at the top of system
memory but below the 640K DOS boundary. Total system and
available free memory, as indicated by the DOS CHKDSK program,
will have decreased by 2,048 bytes. Interrupt 21 will be hooked
by Enemy in memory. Also at this time, the Enemy virus will
infect COMMAND.COM located on the current drive and C: drive if it
was not previously infected.
After the Enemy virus has become memory resident, it will infect
.COM and .EXE programs when they are executed or opened. Programs
infected with the Enemy virus will have a file length increase of
712 - 1,396 bytes with the virus being located at the end of the
file. The file's date and time in the DOS disk directory listing
will not have been altered.
The Enemy virus is an encrypted virus, but the following text
string can be found unencrypted near the end of the viral code
in some infected programs:
It is unknown if Enemy does anything besides replicate.
Known variant(s) of Enemy are:
Stranger: Functionally similar to the Enemy virus described
above, the Stranger virus adds 746 - 1,435 bytes to the
.COM and .EXE programs it infects. The following text
strings are encrypted within the Stranger viral code
in infected programs:
"I am a stranger in a strange land..."
The following text string can be found unencrypted near
the end of the viral code in infected programs:
Origin: Unknown July, 1992.