Virus Name: Estepa
V Status: Rare
Discovered: August, 1993
Symptoms: .COM & .EXE file growth;
          decrease in total system & available free memory
Eff Length: 2,004 - 2,034 Bytes
Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector
Detection Method: F-Prot, NAV, NAVDX, ViruScan, ChAV, AVTK 7.68+,
                  NShld, NProt, NAV/N, Innoc, AVTK/N 7.68+
Removal Instructions: Delete infected files

The Estepa virus was submitted in August, 1993. Its origin or point
of isolation is unknown. Estepa is a memory resident infector of
.COM and .EXE programs, including COMMAND.COM. It appears to be
based on the Cartuja virus.

When the first Estepa-infected program is executed, the Estepa virus
will install itself memory resident at the top of system memory but
below the 640K DOS boundary, without changing the value returned by
interrupt 12. Total system and available free memory, as indicated by
the DOS CHKDSK program, will have decreased by 61,856 bytes. Interrupt
21 will be hooked by Estepa in memory.

Once the Estepa virus is memory resident, it will infect .COM and
.EXE programs, including COMMAND.COM, when they are executed.
Infected programs will have a file length increase of 2,004 to
2,034 bytes, with the virus being located at the end of the file.
The program's date and time in the DOS disk directory listing will
not be altered. No text strings are visible within the viral code
in Estepa-infected programs.

It is unknown what Estepa does besides replicate.
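
Because the directory date and time are preserved, a change check based on timestamps misses the file growth described above, while a size comparison against a known-clean baseline catches it. The following is an added example, not part of the original entry or of any listed scanner: a heuristic that flags .COM and .EXE files that grew by 2,004 to 2,034 bytes with an unchanged timestamp, as candidates for scanning rather than as a positive identification. The FileRecord type, the function names and the sample listings are constructed for illustration.

```python
from dataclasses import dataclass

# Growth range and target extensions are taken from the entry above.
GROWTH_MIN, GROWTH_MAX = 2004, 2034
TARGET_EXTS = (".COM", ".EXE")

@dataclass(frozen=True)
class FileRecord:          # hypothetical record of one directory entry
    path: str
    size: int              # file length in bytes
    mtime: int             # directory date/time as epoch seconds

def estepa_suspects(baseline, current):
    """Return (path, growth) for executables whose growth falls in the
    entry's range while the directory timestamp is unchanged."""
    known = {r.path.upper(): r for r in baseline}
    hits = []
    for rec in current:
        old = known.get(rec.path.upper())
        if old is None or not rec.path.upper().endswith(TARGET_EXTS):
            continue
        growth = rec.size - old.size
        if GROWTH_MIN <= growth <= GROWTH_MAX and rec.mtime == old.mtime:
            hits.append((rec.path, growth))
    return hits

def timestamp_changed(baseline, current):
    """Naive check for comparison: paths whose timestamp differs."""
    known = {r.path.upper(): r for r in baseline}
    return [r.path for r in current
            if r.path.upper() in known and known[r.path.upper()].mtime != r.mtime]

# Constructed sample listings (sizes and times are made up).
BASELINE = [
    FileRecord(r"C:\COMMAND.COM", 47845, 700000000),
    FileRecord(r"C:\DOS\CHKDSK.EXE", 12241, 700000000),
    FileRecord(r"C:\DOS\EDIT.COM", 413, 700000000),
    FileRecord(r"C:\AUTOEXEC.BAT", 120, 700000000),
]
CURRENT = [
    FileRecord(r"C:\COMMAND.COM", 47845 + 2004, 700000000),    # grew, same time
    FileRecord(r"C:\DOS\CHKDSK.EXE", 12241 + 2034, 700000000), # grew, same time
    FileRecord(r"C:\DOS\EDIT.COM", 5413, 710000000),           # ordinary update
    FileRecord(r"C:\AUTOEXEC.BAT", 120 + 2010, 700000000),     # not .COM/.EXE
]

if __name__ == "__main__":
    print("size-delta suspects:", estepa_suspects(BASELINE, CURRENT))
    print("timestamp changes:  ", timestamp_changed(BASELINE, CURRENT))
```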