Virus Name: FCB
V Status: Viron
Discovered: September, 1992
Symptoms: .COM & .EXE programs overwritten; program corruption;
file date/time changes
Eff Length: 384 Bytes
Type Code: ONAK - Overwriting Non-Resident .COM & .EXE Infector
Detection Method: F-Prot, Sweep, ViruScan, AVTK, IBMAV,
NAV, NAVDX, VAlert, PCScan, ChAV,
NShld, Sweep/N, Innoc, NProt, AVTK/N, LProt, IBMAV/N,
Removal Instructions: Delete infected files
The FCB, or 384, virus was received in September, 1992. It is
originally from Bulgaria. This virus is a non-resident, direct
action infector of .COM and .EXE programs, including COMMAND.COM.
It is unusual in that it uses file control blocks (FCBs) instead
of file handles in the process of infecting files.
When a program infected with the FCB virus is executed, this virus
will infect one program located in the current directory. The
virus will select .COM files before .EXE files for infection, and
if COMMAND.COM is located in this directory, it may become infected.
Programs infected with the FCB virus will have the first 384 bytes
of the host program overwritten with the FCB virus' code. The
file's date and time in the DOS disk directory will have been
updated to the current system date and time when infection occurred.
Infected programs will contain the following text strings:
"401 File Virus"
"Infects any .COM or .EXE file on any writeable Device"
The FCB virus doesn't do anything besides replicate, though infected
programs are permanently corrupted and must be replaced from clean,