Virus Name: Guppy
V Status: Rare
Discovered: October, 1990
Symptoms: TSR; .COM growth; error messages; disk boot failures
Origin: United States
Eff Length: 152 Bytes
Type Code: PRsCK - Resident Parasitic .COM &.EXE Infector
Detection Method: ViruScan, AVTK, F-Prot, NAV, Sweep, IBMAV,
NAVDX, VAlert, PCScan, ChAV,
NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N,
Removal Instructions: Delete infected files
The Guppy virus was submitted in late October, 1990 by Paul Ferguson
of Washington, DC. Guppy is a memory resident infector of .COM
files, including COMMAND.COM.
The first time a program infected with the Guppy virus is executed,
the virus will install itself memory resident as a low system memory
TSR with interrupt 21 hooked. Available free memory will decrease
by 720 bytes.
After the virus is memory resident, any .COM file with a file length
of at least 100 bytes (approximately) that is executed will become
infected with Guppy. Infected files will increase in length by 152
bytes, with two bytes added to the beginning of the .COM file, and
150 bytes added to the end of the file. Infected files will also
have their date/time stamps in the directory updated to the system
date and time when the infection occurred.
If COMMAND.COM is executed with Guppy memory resident, it will
become infected. If the system is later booted from a disk with a
Guppy infected COMMAND.COM, the boot will fail and a "Bad or Missing
Command Interpreter" message will be displayed.
Some programs will also fail to execute properly once infected with
Guppy. For example, attempts to execute EDLIN.COM after it was
executed on my system resulted in a consistent "Invalid drive or
file name" message, and EDLIN ending execution.
Infected files can be identified as they will end with the following
hex character string: 3ECD211F5A5B58EA
Known variant(s) of Guppy are:
Guppy-B: Almost identical to Guppy, there are a few bytes which have
been altered in this variant.