Forger Virus


 Virus Name:  Forger 
 Aliases:    
 V Status:    Rare 
 Discovered:  April, 1992 
 Symptoms:    .EXE file growth; TSR 
 Origin:      Unknown 
 Eff Length:  1,000  Bytes 
 Type Code:   PRsE - Parasitic Resident .EXE Infector 
 Detection Method:  Sweep, AVTK, F-Prot, IBMAV, PCScan, 
                    ViruScan, NAV, NAVDX, VAlert, ChAV, 
                    NShld, Sweep/N, LProt, Innoc, NProt, AVTK/N, 
                    NAV/N, IBMAV/N 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Forger virus was received in April, 1992.  Its origin is 
       unknown.  Forger is a memory resident infector of .EXE programs. 
 
       When the first Forger infected program is executed, the Forger 
       virus will install itself memory resident as a low system memory 
       TSR of 3,376 bytes.  It will have hooked interrupts 13, 21, and 
       CC.  At this time, it will also search the current directory to 
       locate two previously uninfected .EXE programs, and then infect 
       them. 
 
       Once the Forger virus is memory resident, it will infect .EXE 
       programs when they are executed.  It will also infect one .EXE 
       program each time a .COM program is executed.  After the Forger 
       virus has infected all .EXE programs on the current drive, it 
       will start infecting programs on the C: drive. 
 
       Programs infected with the Forger virus will have a file length 
       increase of 1,000 bytes.  The virus will be located at the end 
       of the infected program.  There will be no change to the file's 
       date and time in the DOS disk directory listing. 
 
       Forger is an encrypted virus.  One text string is visible within 
       the viral code in infected programs: 
 
               "*.exe" 
 
       The following text strings are encrypted within the viral code: 
 
               "????????EXE" 
               "Socha dsk" 
 
       It is unknown what Forger does besides replicate. 
       

Show viruses from discovered during that infect .

Main Page