Virus Name: Fairz
V Status: Rare
Discovered: October, 1993
Symptoms: .COM & .EXE growth; file date/time changes;
Decrease in total system & available free memory
Eff Length: 2,088 - 2,102 Bytes
Type Code: PRhA - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan, IBMAV, Sweep, AVTK, F-Prot, NAV,
NAVDX, VAlert, PCScan, ChAV,
NShld, Sweep/N, NProt, NAV/N, AVTK/N, IBMAV/N, Innoc,
Removal Instructions: Delete infected files
The Fairz, or Khobar, virus was submitted in October, 1993. Its
origin or point of isolation is unknown. Fairz is a memory resident
infector of .COM and .EXE programs, but not COMMAND.COM.
When the first Fairz infected program is executed, this virus will
install itself memory resident at the top of system memory but below
the 640K DOS boundary, not moving interrupt 12's return. Total
system and available free memory, as indicated by the DOS CHKDSK
program, will have decreased by 2,096 bytes. Interrupt 21 will be
hooked by Fairz in memory.
Once the Fairz virus is memory resident, it will infect .COM and
.EXE programs when they are executed or opened, but not when they
are copied. Infected programs will have a file length increase of
approximately 2,088 to 2,102 bytes with the virus being located at
the end of the file. The program's date and time in the DOS disk
directory listing will have been updated to the current system date
and time when infection occurred. The following text strings are
encrypted within the Fairz viral code:
"This is an [ illegal copy ] of Keypress virus remover"
It is unknown what Fairz does besides replicate.