Gotcha Virus


 Virus Name:  Gotcha 
 Aliases:    
 V Status:    Rare 
 Discovered:  July, 1991 
 Symptoms:    .COM & .EXE growth; decrease in total system and available 
              memory; write protect errors on diskettes 
 Origin:      The Netherlands 
 Eff Length:  879 Bytes 
 Type Code:   PRhAK - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  ViruScan, Sweep, AVTK, F-Prot, ChAV, 
                    IBMAV, NAV, NAVDX, VAlert, PCScan, 
                    NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, 
                    NAV/N, IBMAV/N 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Gotcha virus was received in July, 1991 from The Netherlands. 
       Gotcha is a memory resident infector of .COM and .EXE files, 
       including COMMAND.COM. 
 
       The first time a program infected with Gotcha is executed, Gotcha 
       will install itself memory resident at the top of system memory but 
       below the 640K DOS boundary.  Total system and available free 
       memory will decrease by 1,136 bytes.  Interrupt 21 will be hooked 
       by the virus. 
 
       Once Gotcha is memory resident, it will infect .COM and .EXE 
       programs, other than very small ones, when they are executed or 
       opened.  Programs infected by Gotcha will increase in size by 
       879 bytes, and will have the virus located at the end of the 
       infected file. 
 
       The following text strings can be found in all files infected with 
       the Gotcha virus: 
 
               "GOTCHA!" 
               "ANEXECOM" 
 
       It is unknown if Gotcha does anything besides replicate. 
 
       Known variants of Gotcha are: 
       Gotcha-627: Gotcha-627 is a 627 byte variant of the Gotcha virus. 
                   It adds 627 bytes to infected programs.  The virus will 
                   be located at the end of the infected file.  The memory 
                   resident portion of Gotcha-627 requires 912 bytes of 
                   memory which will be located at the top of system memory 
                   but below the 640K DOS boundary.  Total system and 
                   available free memory, as indicated by the DOS CHKDSK 
                   program, will have decreased by this amount. 
       Gotcha-732: Gotcha-732 is a 732 byte variant of the Gotcha virus. 
                   It adds 732 bytes to the .COM programs it infects.  The 
                   virus will be located at the end of the infected file. 
                   The memory resident portion of Gotcha-732 requires 992 
                   bytes of memory which will be located at the top of 
                   system memory but below the 640K DOS boundary.  Total 
                   system and available free memory, as indicated by the 
                   DOS CHKDSK program, will have decreased by this amount, 
                   and interrupt 21 will be hooked.  The text string 
                   "GOTCHA!" can be found at the end of all infected 
                   programs. 
                   Origin:  Unknown  November, 1992. 
       Gotcha-906: Gotcha-906 is a 906 byte variant of Gotcha, adding 
                   906 bytes to infected files.  The virus will be located 
                   at the end of infected files.  This variant uses 1,168 
                   bytes of memory located at the top of system memory but 
                   below the 640K DOS boundary.  One additional symptom 
                   of Gotcha found with this variant is that programs will 
                   become corrupted when the virus attempts to infect 
                   files if there is no space available on the disk.  
       Gotcha-A2: Functionally equivalent to the original virus, this 
                  variant has two bytes which differ.  Like the original, 
                  it adds 879 bytes to infected files.  The virus will 
                  be located at the end of infected files.  Gotcha-A2 
                  infected systems will experience write protect errors 
                  when attempting to execute programs from write protected 
                  diskettes. 
       Gotcha-B: Gotcha-B is an 881 byte variant of Gotcha, adding 881 
                 bytes to infected files.  As with the original virus, 
                 it will be located at the end of infected programs.  This 
                 variant doesn't experience write protect errors when 
                 accessing programs on write protected diskettes. 
       Gotcha-E: Gotcha-E is a 607 byte variant of the Gotcha virus.  It 
                 adds 607 bytes to the .COM programs it infects.  The text 
                 string "GOTCHA!" can be found at the end of all infected 
                 files.  Gotcha-E contains hex character strings from 
                 several viruses, including Datacrime, Datacrime II-B, 
                 Yankee 2, Syslock, and Tiny.  These hex strings are 
                 included within the virus for the purpose of confusing 
                 various scanners as to which virus is present on the 
                 system by having the scanner detect infections on some 
                 infected programs while missing the virus entirely on 
                 other infected programs. 
                 Origin:  Unknown  May, 1992. 
       Gotcha-Mut1: Gotcha-Mut1 is a 459 byte variant of the Gotcha 
                   virus.  It adds 459 bytes to infected programs.  The 
                   virus will be located at the end of the infected file. 
                   The memory resident portion of Gotcha-Mut1 requires 1,024 
                   bytes of memory which will be located at the top of 
                   system memory but below the 640K DOS boundary.  Total 
                   system and available free memory, as indicated by the 
                   DOS CHKDSK program, will have decreased by this amount. 
                   The following text string is visible within the viral 
                   code in all Gotcha-Mut1 infected programs: 
                   "MUTAtOR (C) Mutation Inc." 
                   Origin:  Unknown  May, 1993. 
       Gotcha-Mut2: Gotcha-Mut2 is a 307 byte variant of the Gotcha 
                   virus.  It adds 307 bytes to the .COM and .EXE programs 
                   it infects.  The virus will be located at the end of the 
                   infected file.  The program's date and time in the DOS 
                   disk directory listing will have been updated to the 
                   current system date and time when infection occurred. 
                   The memory resident portion of Gotcha-Mut2 requires 
                   1,024 bytes of memory which will be located at the top of 
                   system memory but below the 640K DOS boundary.  Total 
                   system and available free memory, as indicated by the 
                   DOS CHKDSK program, will have decreased by this amount. 
                   The following text string is visible within the viral 
                   code in all Gotcha-Mut2 infected programs: 
                   "Mutator v2.0b" 
                   Origin:  Unknown  May, 1993. 
       Gotcha-Mut3: Gotcha-Mut3 is a 304 byte variant of the Gotcha 
                   virus.  It adds 304 bytes to the .COM and .EXE programs 
                   it infects.  The virus will be located at the end of the 
                   infected file.  The program's date and time in the DOS 
                   disk directory listing will not be altered.  The memory 
                   resident portion of Gotcha-Mut3 requires 1,024 bytes of 
                   memory which will be located at the top of system memory 
                   but below the 640K DOS boundary.  Total system and 
                   available free memory, as indicated by the DOS CHKDSK 
                   program, will have decreased by this amount.  No text 
                   strings are visible within the Gotcha-Mut3 viral code. 
                   Gotcha-Mut3 will usually hang the system when infected 
                   programs are executed.  Due to a serious bug in the 
                   virus, this virus will never become a major problem. 
                   Origin:  Unknown  May, 1993. 
       Gotcha-Mut4: Gotcha-Mut4 is a 780 byte variant of the Gotcha 
                   virus.  It adds 780 bytes to infected .COM programs. 
                   The virus will be located at the end of the infected 
                   file.  The program's date and time will not be altered. 
                   The memory resident portion of Gotcha-Mut4 requires 1,024 
                   bytes of memory which will be located at the top of 
                   system memory but below the 640K DOS boundary.  Total 
                   system and available free memory, as indicated by the 
                   DOS CHKDSK program, will have decreased by this amount. 
                   The following text strings are encrypted within the 
                   Gotcha-Mut4 viral code: 
                   "Fuck you, asshole!!! You're using a Debugger!!!" 
                   "Hey! Holloween almost here!" 
                   "Better be good, or the demon's will get you!" 
                   "[Mutator] C/B: MainFrame [Mutation INc." 
                   The second and third text strings above will be displayed 
                   after the virus becomes memory resident on October 30th 
                   of any year when programs are executed.  Infected 
                   programs may also hang the system when they are executed. 
                   Origin:  Unknown  May, 1993. 
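 
       A tail-marker check built from the lengths and plain-text strings
       listed above, as an added example that is not part of the original
       entry or of any scanner it names.  It assumes the strings are stored
       as plain ASCII exactly as quoted; because several variants share
       "GOTCHA!", it reports candidate variants rather than one identification.

```python
from pathlib import Path

# (variant, appended length in bytes, plain-text markers) as given in this entry.
# Variants with no documented plain-text string (627, 906, A2, B, Mut3) and
# Mut4, whose strings are encrypted, cannot be checked this way and are omitted.
SIGNATURES = [
    ("Gotcha",      879, (b"GOTCHA!", b"ANEXECOM")),
    ("Gotcha-732",  732, (b"GOTCHA!",)),
    ("Gotcha-E",    607, (b"GOTCHA!",)),
    ("Gotcha-Mut1", 459, (b"MUTAtOR (C) Mutation Inc.",)),
    ("Gotcha-Mut2", 307, (b"Mutator v2.0b",)),
]

def candidates(data: bytes) -> list[str]:
    """Return variants whose markers all lie in the last <length> bytes."""
    hits = []
    for name, length, markers in SIGNATURES:
        if len(data) <= length:   # host program plus virus must exceed virus size
            continue
        tail = data[-length:]     # the virus is appended at the end of the file
        if all(m in tail for m in markers):
            hits.append(name)
    return hits

def scan_tree(root: str) -> dict[str, list[str]]:
    """Check every .COM/.EXE file under root; map path -> candidate variants."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in (".com", ".exe"):
            found = candidates(path.read_bytes())
            if found:
                report[str(path)] = found
    return report

# Constructed sample data (not real virus code): filler with markers in the tail.
CLEAN = b"\x90" * 2000
FAKE_ORIGINAL = b"\x90" * 2000 + b"\x00" * 800 + b"GOTCHA!" + b"ANEXECOM" + b"\x00" * 64
FAKE_MUT2 = b"\x90" * 2000 + b"\x00" * 200 + b"Mutator v2.0b" + b"\x00" * 94
MARKER_IN_BODY = b"GOTCHA!" + b"\x90" * 2000   # string outside the tail: no hit

if __name__ == "__main__":
    for label, blob in [("clean", CLEAN), ("original", FAKE_ORIGINAL),
                        ("mut2", FAKE_MUT2), ("body-only", MARKER_IN_BODY)]:
        print(label, candidates(blob))
```

       A hit is a lead for a full scanner pass, not a diagnosis: the same
       strings can occur in files that are not infected.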
 
       See:   Legalize   Tchantches 
