Virus Name: Gnose
Aliases: Irish3, V-20
V Status: Rare
Discovered: May, 1992
Symptoms: .COM file growth; hidden .COM files; write protect errors
on write protected diskettes; TSR
Eff Length: 1,164 Bytes
Type Code: SPRsAK - Parasitic & Spawning Resident .COM & .EXE Infector
Detection Method: AVTK, Sweep, NAV, F-Prot, ViruScan, ChAV,
IBMAV, NAVDX, VAlert, PCScan,
NShld, Sweep/N, AVTK/N, NAV/N, NProt, IBMAV/N, Innoc,
Removal Instructions: Delete infected files
The Gnose, Irish3, or V-20, virus was discovered in Ireland in May,
1992. This virus is a memory resident infector of .COM and .EXE
programs which uses two different mechanisms to infect files. It
is both parasitic and spawning.
The first time a program infected with the Gnose virus is executed,
this virus will install itself memory resident as a low system
memory TSR of 2,608 bytes. It will have hooked interrupts 03, 1C,
and 21. Also at this time, it will infect one .COM program located
in the current directory.
Once the Gnose virus is memory resident, it will infect .COM and
.EXE files when they are executed. .COM files will also be infected
when they are opened.
.COM programs are infected in a parasitic manner by the Gnose virus.
They will have a file length increase of 1,164 bytes with the virus
being located at the beginning of the file. The program's date and
time in the DOS disk directory listing will not be altered.
.EXE programs are infected in a spawning manner, with companion
hidden .COM files created by the virus. The companion .COM files
will be 1,164 bytes in length and have the same base file name as
the .EXE program. The companion file's date and time will be the
system date and time when infection of the .EXE program occurred.
The companion, hidden .COM files contain a copy of the Gnose viral
Gnose is an encrypted virus, and no text strings are visible within
the viral code in infected files. The following text strings are
contained within the virus:
"Virus V2.0 [FrIEND]S"
Systems infected with the Gnose virus may notice that they receive
write protect errors when attempting to execute programs on write-