Gnose Virus


 Virus Name:  Gnose 
 Aliases:     Irish3, V-20 
 V Status:    Rare 
 Discovered:  May, 1992 
 Symptoms:    .COM file growth; hidden .COM files; write protect errors 
              on write protected diskettes; TSR 
 Origin:      Ireland 
 Eff Length:  1,164 Bytes 
 Type Code:   SPRsAK - Parasitic & Spawning Resident .COM & .EXE Infector 
 Detection Method:  AVTK, Sweep, NAV, F-Prot, ViruScan, ChAV, 
                    IBMAV, NAVDX, VAlert, PCScan, 
                    NShld, Sweep/N, AVTK/N, NAV/N, NProt, IBMAV/N, Innoc, 
                    LProt 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Gnose, Irish3, or V-20, virus was discovered in Ireland in May, 
       1992.  This virus is a memory resident infector of .COM and .EXE 
       programs which uses two different mechanisms to infect files.  It 
       is both parasitic and spawning. 
 
       The first time a program infected with the Gnose virus is executed, 
       this virus will install itself memory resident as a low system 
       memory TSR of 2,608 bytes.  It will have hooked interrupts 03, 1C, 
       and 21.  Also at this time, it will infect one .COM program located 
       in the current directory. 
 
       Once the Gnose virus is memory resident, it will infect .COM and 
       .EXE files when they are executed.  .COM files will also be infected 
       when they are opened. 
 
       .COM programs are infected in a parasitic manner by the Gnose virus. 
       They will have a file length increase of 1,164 bytes with the virus 
       being located at the beginning of the file.  The program's date and 
       time in the DOS disk directory listing will not be altered. 
 
       .EXE programs are infected in a spawning manner, with companion 
       hidden .COM files created by the virus.  The companion .COM files 
       will be 1,164 bytes in length and have the same base file name as 
       the .EXE program.  The companion file's date and time will be the 
       system date and time when infection of the .EXE program occurred. 
       The companion, hidden .COM files contain a copy of the Gnose viral 
       code. 
 
       Gnose is an encrypted virus, and no text strings are visible within 
       the viral code in infected files.  The following text strings are 
       contained within the virus: 
 
               "GNOSE.EXE exe" 
               "Virus V2.0 [FrIEND]S" 
 
       On systems infected with the Gnose virus, write protect errors may 
       occur when attempting to execute programs on write-protected 
       diskettes. 
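
The file-level symptoms above (a 1,164-byte .COM sharing an .EXE's base name, or a .COM that grew by exactly 1,164 bytes) can be checked with a short script. This is an added example, not part of the original entry or of any scanner it lists; the function names, the baseline format and the sample tree are assumptions made for illustration. It matches on name and size only, so a hit is a lead for a real scanner rather than a verdict.

```python
import os
import stat
import tempfile
from pathlib import Path

GNOSE_LEN = 1164  # effective length given in the entry above

def is_hidden(path):
    # DOS/Windows hidden attribute; platforms that do not expose it report False.
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)

def scan(root, baseline=None):
    """Return sorted (kind, relative path) findings under root.

    baseline (assumed format): {upper-case relative path: known-good size}.
    """
    baseline = baseline or {}
    root = Path(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        exe_bases = {Path(f).stem.upper() for f in files if f.upper().endswith(".EXE")}
        for name in files:
            if not name.upper().endswith(".COM"):
                continue
            path = Path(dirpath) / name
            size = path.stat().st_size
            rel = path.relative_to(root).as_posix().upper()
            # Spawning infection: 1,164-byte .COM with the same base name as an .EXE.
            if Path(name).stem.upper() in exe_bases and size == GNOSE_LEN:
                kind = "companion-hidden" if is_hidden(path) else "companion"
                findings.append((kind, rel))
            # Parasitic infection: the date stamp is unchanged, so compare sizes.
            elif rel in baseline and size - baseline[rel] == GNOSE_LEN:
                findings.append(("com-growth", rel))
    return sorted(findings)

def demo():
    # Constructed sample tree; contents are filler bytes, not viral code.
    with tempfile.TemporaryDirectory() as d:
        for name, size in [("EDIT.EXE", 5000), ("EDIT.COM", 1164),
                           ("FORMAT.COM", 3164), ("MORE.COM", 1164),
                           ("CHKDSK.EXE", 900), ("CHKDSK.COM", 700)]:
            (Path(d) / name).write_bytes(b"\x00" * size)
        return scan(d, baseline={"FORMAT.COM": 2000, "MORE.COM": 1164})

if __name__ == "__main__":
    for kind, rel in demo():
        print(f"{kind:18} {rel}")
```
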
