1689 Stealth Virus
Virus Name: 1689 Stealth
V Status: Rare
Discovery: March, 1993
Symptoms: .COM & .EXE file growth; file allocation errors;
decrease in total system & available free memory
Eff Length: 1,689 Bytes
Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector
Detection Method: F-Prot, Sweep, AVTK, ViruScan, IBMAV, ChAV,
NAV, NAVDX, VAlert, PCScan,
Sweep/N, NShld, NProt, AVTK/N, NAV/N, IBMAV/N, Innoc,
Removal Instructions: Delete infected files
The 1689 Stealth virus was submitted in March, 1993. Its origin or
point of isolation is unknown. 1689 Stealth is a memory resident
stealth virus which infects .COM and .EXE programs, including
When the first 1689 Stealth infected program is executed, this virus
will install itself memory resident at the top of system memory but
below the 640K DOS boundary, hooking interrupts 21, 22, and 2F.
Total system and available free memory, as indicated by the DOS
CHKDSK program, will have decreased by 1,728 bytes. Interrupt 12's
return will not have been moved.
Once the 1689 Stealth virus is memory resident, it will infect .COM
and .EXE programs when they are executed. Infected programs will
have increased in size by 1,689 bytes, but the file length increase
is hidden by the virus when it is memory resident. The program's
date and time in the DOS disk directory listing will not be altered.
Two text strings are visible within the viral code in infected
The DOS CHKDSK program will return file allocation errors on all
infected programs when the virus is memory resident. The virus does
attempt to hide the file alterations so some anti-viral utilities
which perform CRC or checksumming will not detect alterations on
infected programs when 1689 Stealth is active in memory.