Virus Name: Helicopter
V Status: New
Discovered: January, 1995
Symptoms: .COM files altered; decrease in available free memory
Eff Length: 777 Bytes
Type Code: ORhCK - Overwriting Resident .COM Infector
Detection Method: F-Prot, AVTK, IBMAV, Sweep, NAV, NAVDX, VAlert,
ViruScan, PCScan, ChAV,
AVTK/N, IBMAV/N, Sweep/N, NProt, NAV/N, NShld, Innoc 4.0+
Removal Instructions: Delete infected files
The Helicopter virus was received in January, 1995. Its origin
or point of isolation is unknown. Helicopter is a memory resident
overwriting virus which selectively infects .COM files, including
When the first Helicopter infected program is executed, this virus
will install itself memory resident at the top of system memory
but below the 640K DOS boundary, not moving interrupt 12's return.
Available free memory, as indicated by the DOS 5.0 CHKDSK program,
will have decreased by approximately 1,296 bytes. Interrupts 10,
21, and 24 will be hooked by the virus in memory.
Once the Helicopter virus is memory resident, it will infect .COM
programs when they are executed, providing the file has at least
777 bytes of continuous binary zeros. Infected files will have 777
bytes of the binary zero area overwritten by the viral code, along
with the beginning of the file being altered to point to this area.
The file's date and time in the DOS disk directory listing will not
be altered. No text strings are visible within the viral code.
It is unknown what the Helicopter virus does besides replicate.