1689 Stealth Virus

 Virus Name:  1689 Stealth 
 V Status:    Rare 
 Discovery:   March, 1993 
 Symptoms:    .COM & .EXE file growth; file allocation errors; 
              decrease in total system & available free memory 
 Origin:      Unknown 
 Eff Length:  1,689 Bytes 
 Type Code:   PRhAK - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  F-Prot, Sweep, AVTK, ViruScan, IBMAV, ChAV, 
                    NAV, NAVDX, VAlert, PCScan, 
                    Sweep/N, NShld, NProt, AVTK/N, NAV/N, IBMAV/N, Innoc, 
 Removal Instructions:  Delete infected files 
 General Comments: 
       The 1689 Stealth virus was submitted in March, 1993.  Its origin or 
       point of isolation is unknown.  1689 Stealth is a memory resident 
       stealth virus which infects .COM and .EXE programs, including 
       When the first 1689 Stealth infected program is executed, this virus 
       will install itself memory resident at the top of system memory but 
       below the 640K DOS boundary, hooking interrupts 21, 22, and 2F. 
       Total system and available free memory, as indicated by the DOS 
       CHKDSK program, will have decreased by 1,728 bytes.  Interrupt 12's 
       return will not have been moved. 
       Once the 1689 Stealth virus is memory resident, it will infect .COM 
       and .EXE programs when they are executed.  Infected programs will 
       have increased in size by 1,689 bytes, but the file length increase 
       is hidden by the virus when it is memory resident.  The program's 
       date and time in the DOS disk directory listing will not be altered. 
       Two text strings are visible within the viral code in infected 
       The DOS CHKDSK program will return file allocation errors on all 
       infected programs when the virus is memory resident.  The virus does 
       attempt to hide the file alterations so some anti-viral utilities 
       which perform CRC or checksumming will not detect alterations on 
       infected programs when 1689 Stealth is active in memory. 

Show viruses from discovered during that infect .

Main Page