Virus Name: Forger
V Status: Rare
Discovered: April, 1992
Symptoms: .EXE file growth; TSR
Eff Length: 1,000 Bytes
Type Code: PRsE - Parasitic Resident .EXE Infector
Detection Method: Sweep, AVTK, F-Prot, IBMAV, PCScan,
ViruScan, NAV, NAVDX, VAlert, ChAV,
NShld, Sweep/N, LProt, Innoc, NProt, AVTK/N,
Removal Instructions: Delete infected files
The Forger virus was received in April, 1992. Its origin is
unknown. Forger is a memory resident infector of .EXE programs.
When the first Forger infected program is executed, the Forger
virus will install itself memory resident as a low system memory
TSR of 3,376 bytes. It will have hooked interrupts 13, 21, and
CC. At this time, it will also search the current directory to
locate two previously uninfected .EXE programs, and then infect
Once the Forger virus is memory resident, it will infect .EXE
programs when they are executed. It will also infect one .EXE
program each time a .COM program is executed. After the Forger
virus has infected all .EXE programs on the current drive, it
will start infecting programs on the C: drive.
Programs infected with the Forger virus will have a file length
increase of 1,000 bytes. The virus will be located at the end
of the infected program. There will be no change to the file's
date and time in the DOS disk directory listing.
Forger is an encrypted virus. One text string is visible within
the viral code in infected programs:
The following text strings are encrypted within the viral code:
It is unknown what Forger does besides replicate.