Fratricide Virus

Virus Name: Fratricide Aliases: V Status: Viron Discovered: February, 1993 Symptoms: .COM & .EXE file corruption; programs fail to execute; message Origin: North America Eff Length: 647 Bytes OW Type Code: ONA - Overwriting Non-Resident .COM & .EXE Infector Detection Method: F-Prot, NAV, ViruScan, Sweep, IBMAV, AVTK, NAVDX, VAlert, PCScan, ChAV, NShld, NProt, Sweep/N, NAV/N, AVTK/N, IBMAV/N, Innoc, LProt Removal Instructions: Delete infected files General Comments: The Fratricide virus was submitted in February, 1993, and appears to be from North America. Fratricide is a non-resident, direct action overwriting virus. It permanently corrupts the .COM and .EXE programs it infects. When a program infected with the Fratricide virus is executed, the Fratricide virus will infect four .EXE or .COM programs located in the current directory, with preference for .EXE files. It does not infect COMMAND.COM. Once it has completed infecting four files, the user will either be returned to the DOS prompt, or the following message may be displayed: "Program too big to fit in memory" Programs infected with the Fratricide virus will have the first 647 bytes of the host file overwritten by the virus, permanently corrupting the program since the beginning of the file is not saved by the virus. The file's date and time in the DOS disk directory listing will not be altered. Besides the above message, the following text strings are encrypted within the viral code: "Oh, life. I apologize for this terrible thing." "It is time for a chance. I'm a person with a message." "Fratricide - Murders a brother," "-- By Cone -- be ready to see more" "*.EXE *.COM .." Under some conditions, the first four text strings indicated above may be displayed as a message by the virus.