Guppy Virus

Virus Name: Guppy Aliases: V Status: Rare Discovered: October, 1990 Symptoms: TSR; .COM growth; error messages; disk boot failures Origin: United States Eff Length: 152 Bytes Type Code: PRsCK - Resident Parasitic .COM &.EXE Infector Detection Method: ViruScan, AVTK, F-Prot, NAV, Sweep, IBMAV, NAVDX, VAlert, PCScan, ChAV, NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, NAV/N, IBMAV/N Removal Instructions: Delete infected files General Comments: The Guppy virus was submitted in late October, 1990 by Paul Ferguson of Washington, DC. Guppy is a memory resident infector of .COM files, including COMMAND.COM. The first time a program infected with the Guppy virus is executed, the virus will install itself memory resident as a low system memory TSR with interrupt 21 hooked. Available free memory will decrease by 720 bytes. After the virus is memory resident, any .COM file with a file length of at least 100 bytes (approximately) that is executed will become infected with Guppy. Infected files will increase in length by 152 bytes, with two bytes added to the beginning of the .COM file, and 150 bytes added to the end of the file. Infected files will also have their date/time stamps in the directory updated to the system date and time when the infection occurred. If COMMAND.COM is executed with Guppy memory resident, it will become infected. If the system is later booted from a disk with a Guppy infected COMMAND.COM, the boot will fail and a "Bad or Missing Command Interpreter" message will be displayed. Some programs will also fail to execute properly once infected with Guppy. For example, attempts to execute EDLIN.COM after it was executed on my system resulted in a consistent "Invalid drive or file name" message, and EDLIN ending execution. Infected files can be identified as they will end with the following hex character string: 3ECD211F5A5B58EA Known variant(s) of Guppy are: Guppy-B: Almost identical to Guppy, there are a few bytes which have been altered in this variant.