FireFly Virus


 Virus Name:  FireFly 
 Aliases:    
 V Status:    Rare 
 Discovered:  January, 1994 
 Symptoms:    .COM file growth; Some Anti-Viral programs are deleted; 
              VSAFE disabled in memory; 
              flashing of NumLock, CapsLock, and ScrollLock Keys; 
              decrease in total system and available free memory 
 Origin:      Unknown 
 Eff Length:  1,106 Bytes 
 Type Code:   PRhCK - Parasitic Resident .COM Infector 
 Detection Method:  AVTK, ViruScan, Sweep, F-Prot, IBMAV, NAV, 
                    NAVDX, VAlert, PCScan, ChAV, 
                    AVTK/N, Sweep/N, NShld, NProt, IBMAV/N, NAV/N, LProt, 
                    Innoc 4.0+ 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The FireFly virus was received in January, 1994.  Its origin or 
       point of isolation is unknown.  FireFly is a memory resident infector 
       of .COM programs, including COMMAND.COM. 
 
       When the first FireFly infected program is executed, the virus will 
       check to determine if VSAFE from some versions of Central Point 
       Software's CPAV and Microsoft Anti-Virus programs is active in memory. 
       If VSAFE is active, the virus will disable it in memory.  The virus 
       then becomes memory resident at the top of system memory but below the 
       640K DOS boundary, hooking interrupts 1C and 21.  Total system and 
       available free memory will decrease by approximately 4K. 
 
       Once the FireFly virus is memory resident, it will infect .COM 
       programs when they are executed.  Infected programs will have a file 
       length increase of 1,106 bytes with the virus being located at the 
       end of the file.  The program's date and time in the DOS disk 
       directory listing will not be altered.  The following text strings 
       are encrypted within the viral code in all FireFly infected programs: 
 
               "By Nikademus" 
               "Greetings to Urnst Kouch and the CRYPT staff." 
               "Psalm 69" 
               "Every day is Halloween" 
               "Happiness is Slavery" 
               "The land of Rape and Honey" 
               "Its Dead Jim" 
 
       The FireFly virus will delete some selected anti-viral utilities if 
       the user attempts to execute them with the virus memory resident. 
       The more noticeable effect of the virus, however, is that it will 
       toggle the settings of the NumLock, CapsLock, and ScrollLock keys 
       every few seconds resulting in a flashing effect on the keyboard. 
 
       Known variant(s) of FireFly are: 
       FireFly.1087: Received in July, 1994, FireFly.1087 is a 1,087 
                byte version of the FireFly virus described above.  Its size 
                in memory is 1,087 bytes, hooking interrupts 1C and 21.  Once 
                resident, it infects .COM programs when they are executed. 
                Infected programs will have a file length increase of 1,087 
                bytes with the virus being located at the end of the file. 
                The program's date and time in the DOS disk directory listing 
                will not be altered.  The following text strings are 
                encrypted within the viral code: 
                "[FireFly] By Nikademus" 
                "Greetings to Urnst Kouch and the CRYPT staff." 
                "American Jesus" 
                "Dont Pray On Me" 
                "Recipe for HAte" 
                "Atomic Garden" 
                "Its Dead Jim" 
                Symptoms/system effects of infection are similar to the 
                original virus. 
                Origin:  Sweden  July, 1994. 
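
The file-level symptoms described above (growth of 1,106 or 1,087 bytes in .COM files with the directory date and time left unaltered) can be checked against a saved size baseline. The sketch below is an added example, not part of the original entry or of any listed scanner. The manifest layout, the names Entry and suspicious_growth, and all sample data are assumptions made for illustration. A size match is only a heuristic lead for follow-up with a scanner.

```python
from dataclasses import dataclass

# Growth lengths in bytes, taken from this entry.
KNOWN_GROWTH = {1106: "FireFly", 1087: "FireFly.1087"}

@dataclass(frozen=True)
class Entry:
    size: int   # file length in bytes
    stamp: str  # directory date/time as recorded in the manifest

def suspicious_growth(baseline, current):
    """List .COM files that grew while their directory date/time stayed
    the same, labelled when the growth equals a length from this entry."""
    hits = []
    for name in sorted(baseline):
        old, new = baseline[name], current.get(name)
        if new is None or not name.upper().endswith(".COM"):
            continue
        delta = new.size - old.size
        # A legitimate replacement normally carries a new date/time, so
        # growth behind an unchanged stamp is the anomaly to report.
        if delta > 0 and new.stamp == old.stamp:
            hits.append((name, delta, KNOWN_GROWTH.get(delta, "unmatched")))
    return hits

# Constructed sample manifests (file names, sizes and stamps are made up).
BASELINE = {
    "COMMAND.COM": Entry(54619, "1993-09-30 06:20"),
    "EDIT.COM":    Entry(413,   "1993-09-30 06:20"),
    "CHKDSK.COM":  Entry(12241, "1993-09-30 06:20"),
    "FORMAT.COM":  Entry(22717, "1993-09-30 06:20"),
    "MORE.COM":    Entry(2618,  "1993-09-30 06:20"),
    "README.TXT":  Entry(900,   "1993-09-30 06:20"),
}
CURRENT = {
    "COMMAND.COM": Entry(55725, "1993-09-30 06:20"),  # +1106, same stamp
    "EDIT.COM":    Entry(1500,  "1993-09-30 06:20"),  # +1087, same stamp
    "CHKDSK.COM":  Entry(12441, "1993-09-30 06:20"),  # +200, same stamp
    "FORMAT.COM":  Entry(23823, "1994-05-31 06:22"),  # +1106, new stamp
    "MORE.COM":    Entry(2618,  "1993-09-30 06:20"),  # unchanged
    "README.TXT":  Entry(2006,  "1993-09-30 06:20"),  # +1106, not a .COM
}

if __name__ == "__main__":
    for name, delta, label in suspicious_growth(BASELINE, CURRENT):
        print(f"{name}: +{delta} bytes, date/time unchanged -> {label}")
```

Because the date and time are preserved on infection, a check that relies on timestamps alone would miss every flagged file here; the comparison has to include file length.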
