2560 Virus
Virus Name: 2560
Aliases: Magnitogorsk
V Status: Rare
Discovery: April, 1991
Symptoms: .COM & .EXE growth; decrease in system & available memory
Origin: USSR
Eff Length: 2,560 Bytes
Type Code: PRhA - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan, AVTK, F-Prot, Sweep, NAV,
IBMAV, NAVDX, VAlert, PCScan, ChAV,
NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N,
NAV/N, IBMAV/N
Removal Instructions: Delete infected files
General Comments:
The 2560 virus was received in April, 1991. It is from the USSR.
This virus is a memory resident infector of .COM and .EXE files; it
does not infect COMMAND.COM.
The first time a program infected with the 2560 virus is executed,
2560 will install itself memory resident at the top of system memory
but below the 640K DOS boundary. Interrupt 12's return is not
moved. Interrupts 08, 13, 21, and 22 will be hooked by the virus.
Total system and available free memory, as measured by the DOS
CHKDSK program, will decrease by 5,184 bytes.
After becoming memory resident, 2560 will infect .COM and .EXE
programs over approximately 3K in length when they are executed or
opened for any reason. Infected programs will have a file length
increase of 2,560 bytes with the virus being located at the end of
the file. The date and time in the DOS disk directory will not be
altered.
The DOS EDLIN program will fail to function properly once infected
with 2560. Attempts to execute EDLIN will result in the message
"Invalid drive or file name" being displayed, and then EDLIN will
terminate leaving the user at a DOS prompt.
2560 is a stealth virus. While it does not hide its file length
increase, it does actively employ stealth techniques in order to
avoid anti-viral utilities which are unaware of it.
It is unknown what 2560 does besides replicate.
Known variant(s) of 2560 are:
2560-B: Submitted in May, 1991 from Europe, 2560-B's major
difference from 2560 is that the virus will now infect
COMMAND.COM the first time an infected program is executed.
Infected COMMAND.COM programs will not have a file length
increase, regardless of whether the virus is memory
resident.
2560-C: Also received in May, 1991 from Europe, 2560-C is
very similar to 2560-B.
Magnito-3000: Based on the 2560-C virus, Magnito-3000 is a
3,000 byte variant of the virus. Its size in memory is
6,064 bytes, hooking interrupts 08, 13, 21, and 22. It
infects .COM and .EXE programs, including COMMAND.COM, when
they are executed, copied, or opened for any reason.
Infected files will have a file length increase of 3,000
bytes, though the file length increase will be hidden when
the virus is memory resident. The virus is located at the
beginning of infected programs. The file's date and time
in the DOS disk directory listing will not be altered. The
following text strings are encrypted within the viral code:
"COMMAND"
"EEEE.EXE"
"AND"
Origin: USSR October, 1992.
Magnum: Based on the 2560-C virus, Magnum has been altered to
avoid being detected by some anti-viral programs. It
will reset the system date to 1-03-1988 when it is memory
resident. The following text strings are encrypted within
the viral code:
"Mr. Lozinsky
Just read document on your AIDSTEST
(1-Jan-91 version) we release new
virus. (C) USSR TeleFucks, Ltd......"
Origin: USSR July, 1992.
See: Magnitogorsk 2048