Friends Virus


 Virus Name:  Friends 
 Aliases:    
 V Status:    Rare 
 Discovered:  April, 1992 
 Symptoms:    .EXE file growth; decrease in total system and available free 
              memory 
 Origin:      Unknown 
 Eff Length:  1,362 - 1,377 Bytes 
 Type Code:   PRtE - Parasitic Resident .EXE Infector 
 Detection Method:  F-Prot, ViruScan, AVTK, Sweep, NAV, IBMAV, 
                    NAVDX, VAlert, PCScan, ChAV, 
                    NShld, Sweep/N, LProt, Innoc, NProt, IBMAV/N, 
                    AVTK/N, NAV/N 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Friends virus was submitted in April, 1992.  Its origin or 
       point of isolation is unknown.  Friends is a memory resident 
       infector of .EXE programs and spreads very quickly. 
 
       When the first Friends-infected program is executed, this virus 
       will install itself memory resident at the top of system memory 
       but below the 640K DOS boundary, lowering interrupt 12's return. 
       Total system and available free memory, as indicated by the DOS 
       CHKDSK program, will have decreased by 2,096 bytes.  Interrupts 
       21 and 24 will be hooked by Friends in memory.  Also at this 
       time, the Friends virus will infect one .EXE program located 
       in the current directory. 
 
       Once the Friends virus is memory resident, it will infect one 
       .EXE program each time any program or batch file is executed, 
       a DIR command is performed, or when .EXE programs are opened for 
       any reason.  In the case of the DOS COPY command, the target file 
       will become infected if it is an .EXE program. 
 
       Programs infected with the Friends virus will have a file length 
       increase of 1,362 to 1,377 bytes.  The virus will be located at 
       the end of the program.  The file's date and time in the DOS disk 
       directory listing will not be altered.  Three text strings occur 
       within the viral code in Friends-infected programs: 
 
               "GSJFOET!PG!NBJT!boe!DMBVEJB!TDIJGGFS" 
               "????????EXE" 
               "EXE \" 
 
       The first of these text strings is encrypted; decrypted, it is 
       the following message, from which the virus gets its name: 
 
               "FRIENDS!OF!MAIS!and!CLAUDIA!SAHIFFER" 
 
       It is unknown if Friends does anything besides replicate. 
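
An analyst's triage of the strings quoted above, as an added example that is not part of the original entry or of any scanner it lists. It assumes the "encrypted" string is a single-byte additive shift (the entry does not name the scheme) and that the quoted bytes appear verbatim in the appended code; all helper names are hypothetical.

```python
# Added example: helper names are hypothetical, not taken from any scanner.
import string

# The three strings exactly as the entry quotes them.
ENCODED = b"GSJFOET!PG!NBJT!boe!DMBVEJB!TDIJGGFS"
MARKERS = (ENCODED, b"????????EXE", b"EXE \\")
MAX_GROWTH = 1377  # upper bound of the effective length given in the entry

# Bytes expected in a plain-text message: letters and the space character.
_TEXT = frozenset((string.ascii_letters + " ").encode())


def shift_decode(data: bytes, key: int) -> bytes:
    """Subtract key from every byte, modulo 256."""
    return bytes((b - key) % 256 for b in data)


def best_shift(data: bytes) -> tuple[int, bytes]:
    """Try all 256 additive keys; keep the one yielding the most letters/spaces."""
    def score(key: int) -> int:
        return sum(b in _TEXT for b in shift_decode(data, key))
    key = max(range(256), key=score)
    return key, shift_decode(data, key)


def tail_markers(image: bytes) -> list[bytes]:
    """Return the quoted strings found in the last MAX_GROWTH bytes of a file image.

    Only the tail is searched because the entry places the virus at the end
    of the program, so a match elsewhere in the file is not reported.
    """
    tail = image[-MAX_GROWTH:]
    return [m for m in MARKERS if m in tail]


if __name__ == "__main__":
    # Constructed buffer, not a real sample: filler, then a tail holding two markers.
    fake = b"MZ" + b"\x00" * 4000 + b"\x90" * 300 + ENCODED + b"\x00????????EXE\x00"
    print(tail_markers(fake))
    print(best_shift(ENCODED))
```

Run on the quoted string, the search settles on a shift of 1 and returns `FRIENDS OF MAIS and CLAUDIA SCHIFFER`, with spaces where the listing above prints "!".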
 
       See:   Cossiga        
