Virus Name: Fratricide
V Status: Viron
Discovered: February, 1993
Symptoms: .COM & .EXE file corruption; programs fail to execute;
Origin: North America
Eff Length: 647 Bytes OW
Type Code: ONA - Overwriting Non-Resident .COM & .EXE Infector
Detection Method: F-Prot, NAV, ViruScan, Sweep, IBMAV, AVTK,
NAVDX, VAlert, PCScan, ChAV,
NShld, NProt, Sweep/N, NAV/N, AVTK/N, IBMAV/N, Innoc,
Removal Instructions: Delete infected files
The Fratricide virus was submitted in February, 1993, and appears
to be from North America. Fratricide is a non-resident, direct
action overwriting virus. It permanently corrupts the .COM and
.EXE programs it infects.
When a program infected with the Fratricide virus is executed, the
Fratricide virus will infect four .EXE or .COM programs located
in the current directory, with preference for .EXE files. It does
not infect COMMAND.COM. Once it has completed infecting four files,
the user will either be returned to the DOS prompt, or the following
message may be displayed:
"Program too big to fit in memory"
Programs infected with the Fratricide virus will have the first 647
bytes of the host file overwritten by the virus, permanently
corrupting the program since the beginning of the file is not saved
by the virus. The file's date and time in the DOS disk directory
listing will not be altered. Besides the above message, the
following text strings are encrypted within the viral code:
"Oh, life. I apologize for this terrible thing."
"It is time for a chance. I'm a person with a message."
"Fratricide - Murders a brother,"
"-- By Cone -- be ready to see more"
"*.EXE *.COM .."
Under some conditions, the first four text strings indicated above
may be displayed as a message by the virus.