Happy New Year Virus
Virus Name: Happy New Year
Aliases: Happy N.Y., V1600, 1600, Dear Nina
V Status: Rare
Discovered: December, 1989
Symptoms: TSR; .COM & .EXE growth; floppy boot sector altered;
          boot failures; bad or missing command interpreter message
Eff Length: 1,600 Bytes
Type Code: PRsAK - Resident Parasitic .COM & .EXE Infector
Detection Method: ViruScan, AVTK, F-Prot, NAV, Sweep,
                  IBMAV, NAVDX, VAlert, PCScan, ChAV,
                  NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N,
Removal Instructions: Delete infected files
The Happy New Year, or V1600, virus was submitted in December, 1990.
This virus is originally from Bulgaria, and is a memory resident
infector of .COM and .EXE files. It will infect COMMAND.COM.
The first time a program infected with the Happy New Year virus is
executed, the virus will install itself memory resident as a 2,432-byte
low system memory TSR. Interrupt 21 will be hooked by the
virus. At this time, the virus will also make a slight alteration
to the floppy boot sector, and infect COMMAND.COM. Infected
COMMAND.COM files will not show a file length increase as the virus
will overwrite a portion of the hex 00 section of the file. The
altered floppy boot sector does not contain a copy of the virus, and
is not infectious.
Once Happy New Year is memory resident, it will infect .COM and .EXE
programs as they are executed. Infected programs will increase in
length by 1,600 bytes and have the virus located at the end of the
The following text message can be found in infected programs:
"Dear Nina, you make me write this virus; Happy new year!"
This message is not displayed by the virus.
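A triage check built from the indicators above, as an added example that is not part of the original entry: it looks for the quoted text in .COM and .EXE files and reports whether the hit lies in the last 1,600 bytes (the appended case) or elsewhere (the COMMAND.COM case, where the file does not grow). The function names and verdict labels are hypothetical, and it assumes the text is stored as plain ASCII as quoted.

```python
import os
import sys

# Text the entry quotes from infected programs. Assumption: it is stored as
# plain ASCII as quoted; matching is case-insensitive to allow for
# differences in how the text was transcribed.
MARKER = b"dear nina, you make me write this virus; happy new year!"
VIRUS_LEN = 1600              # growth of infected .COM/.EXE files per the entry
TARGET_EXTS = (".com", ".exe")


def classify(name, data):
    """Classify one file image by where the quoted text appears."""
    if not name.lower().endswith(TARGET_EXTS):
        return "not-scanned"
    pos = data.lower().find(MARKER)
    if pos < 0:
        return "no-marker"
    # Appended infections put the virus in the last 1,600 bytes of the file.
    if pos >= len(data) - VIRUS_LEN:
        return "marker-in-tail"
    # Anywhere else fits the COMMAND.COM case, where the virus overwrites
    # part of the file's hex 00 area and the length does not change.
    return "marker-in-body"


def scan_tree(root):
    """Return {path: verdict} for every .COM/.EXE under root with a hit."""
    hits = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            try:
                with open(path, "rb") as fh:
                    verdict = classify(name, fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if verdict.startswith("marker"):
                hits[path] = verdict
    return hits


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, verdict in sorted(scan_tree(root).items()):
        print(f"{verdict:15} {path}")
```

A hit is an indicator for closer inspection, and a file without the text is not thereby shown to be clean.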
Systems infected with the Happy New Year virus may fail to boot,
receiving a "Bad or missing command interpreter" message if
COMMAND.COM is infected on the boot diskette or hard drive.
It is unknown if Happy New Year carries any destructive capabilities.
Known variant(s) of Happy New Year are:
Happy New Year B: Similar to Happy New Year, this variant has five
bytes which differ from the original virus. Unlike
Happy New Year, COMMAND.COM will only be infected
if it is executed for some reason.