Highlander Virus


 Virus Name:  Highlander 
 Aliases:     Highlander.477 
 V Status:    Rare 
 Discovered:  October, 1992 
 Symptoms:    .COM file growth; TSR 
 Origin:      United States 
 Eff Length:  477 Bytes 
 Type Code:   PRsC - Parasitic Resident .COM Infector 
 Detection Method:  Sweep, ViruScan, AVTK, F-Prot, IBMAV, NAV, NAVDX, 
                    VAlert, PCScan, ChAV, NShld, Sweep/N, LProt, Innoc, 
                    NProt, AVTK/N, IBMAV/N, NAV/N 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Highlander virus was submitted in October, 1992.  It is 
       originally from the United States, and is by the same author as 
       the Geek virus.  Highlander is a memory resident infector of .COM 
       programs, but not COMMAND.COM. 
 
       When the first Highlander infected program is executed, the 
       Highlander virus will become memory resident as a low system 
       memory TSR of 1,280 bytes.  It hooks interrupts 21 and 22. 
 
       Once memory resident, the Highlander virus will infect .COM 
       programs other than COMMAND.COM when they are executed.  Infected 
       programs will have a file length increase of 477 bytes with the 
       virus being located at the beginning of the file.  The program's 
       date and time in the DOS disk directory listing will not be altered. 
       The following text strings are visible within the viral code in 
       all Highlander infected programs: 
 
               "COM" 
               "Highlander 1 RULES!" 
               "v05" 
 
       Highlander activates on the 29th day of any month, at which time 
       it will display the "Highlander 1 RULES!" message 21 times and 
       hang the system. 
 
       Known variant(s) of Highlander are: 
       Highlander.478: Received in July, 1995, this is a 478 byte 
           variant of the Highlander virus described above.  Its memory 
           resident TSR is 1,264 bytes, hooking interrupts 21 and 22. 
           It infects .COM files, but not COMMAND.COM, when they are 
           executed.  Infected files will have a file length increase of 
           478 bytes with the virus being located at the beginning of the 
           file.  The file's date and time in the DOS disk directory 
           listing will not appear to be altered, though the seconds field 
           will have been set to "40".  The following text strings are 
           visible within the viral code: 
 
                "COM" 
                "Highlander 1 RULES!" 
 
           Origin:  Unknown  July, 1995. 
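
The indicators described above (477 or 478 bytes at the start of a .COM file, the visible text strings, COMMAND.COM never infected) can be combined into a simple triage check. This is an added example, not code from the original entry or from any scanner it lists; the function names are hypothetical, and it assumes the listed strings are stored as plain ASCII.

```python
import os

MARKER = b"Highlander 1 RULES!"  # string the entry lists for both variants
V05 = b"v05"                     # string the entry lists only for the 477-byte original
BODY_LENGTHS = {"Highlander.477": 477, "Highlander.478": 478}


def classify_com(name, data):
    """Return the variant label `data` is consistent with, or None.

    Assumption: the listed strings appear as plain ASCII, which is what
    "visible within the viral code" suggests.
    """
    base = os.path.basename(name).upper()
    # The entry says only .COM programs other than COMMAND.COM are infected.
    if not base.endswith(".COM") or base == "COMMAND.COM":
        return None
    # The virus is located at the beginning of the file, so only the first
    # 478 bytes (the longer documented body) are searched.
    head = data[:max(BODY_LENGTHS.values())]
    if MARKER not in head:
        return None
    label = "Highlander.477" if V05 in head[:477] else "Highlander.478"
    # A file shorter than the documented body cannot hold the whole virus.
    if len(data) < BODY_LENGTHS[label]:
        return None
    return label


def scan_dir(root):
    """Walk `root` and return sorted (path, label) pairs for matching files."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(folder, fname)
            with open(path, "rb") as fh:
                label = classify_com(fname, fh.read(4096))
            if label:
                hits.append((path, label))
    return sorted(hits)
```

A match only means the file is consistent with the description in this entry; the seconds-field change reported for Highlander.478 is not checked here.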
      
