Hitchcock Virus
Virus Name: Hitchcock
Aliases:
V Status: Rare
Discovered: July, 1991
Symptoms: .COM file growth; TSR; I/O error F0 messages; music; decrease in total system and available memory
Origin: Unknown
Eff Length: 1,247 Bytes
Type Code: PRsCK - Parasitic Resident .COM Infector
Detection Method: ViruScan, AVTK, Sweep, F-Prot, ChAV, NAV, IBMAV, NAVDX, VAlert, PCScan, NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, NAV/N, IBMAV/N
Removal Instructions: Delete infected files
General Comments:
The Hitchcock virus was received in July, 1991. Its origin is
unknown. Hitchcock is a memory resident infector of .COM files,
including COMMAND.COM.

The first time a program infected with Hitchcock is executed,
Hitchcock will install itself memory resident as a low system
memory TSR of 4,196 bytes. Some memory mapping utilities will
not show the TSR, but will instead show that the in-memory command
interpreter is 4,196 bytes larger than expected. Interrupt 21 will
be hooked by the virus at this time.

After becoming memory resident, Hitchcock will infect .COM files
over approximately 3K in size when they are executed. If
COMMAND.COM is executed, it will become infected. Infected .COM
files will be 1,247 bytes larger than their pre-infection file size.
The virus will be located at the end of the infected program.

Attempts to execute programs from write-protected diskettes will
result in a DOS "Write protect error writing drive x" message.
Hitchcock does not trap this error.

Once COMMAND.COM becomes infected by being executed, later booting
from the infected COMMAND.COM will result in Hitchcock becoming
memory resident at the top of system memory but below the 640K
DOS boundary. Total system and available free memory will have
decreased by 4,096 bytes. Interrupts 1C and 21 will now be
hooked. Execution of programs on the system may now get the
following error message, "I/O error F0, PC=3FAB", and the program
will be aborted.

Approximately five to ten minutes after booting the system from
a Hitchcock-infected COMMAND.COM, the virus will play music on
the system speaker. The music is the theme song from the Alfred
Hitchcock television program, and will continue to play at
intervals until the system is rebooted.

Known variant(s) of Hitchcock are:
Hitchcock-1238: Received in November, 1993, Hitchcock-1238 is
a 1,238 byte variant of the Hitchcock virus described
above. Its size in memory is 4,112 bytes, hooking
interrupts 1C and 21. It adds 1,238 bytes to the
.COM programs it infects. The virus will be located
at the end of the file. The program's date and time
in the DOS disk directory listing will not be altered.
Systems infected with Hitchcock-1238 will experience
the theme song from the Alfred Hitchcock television
program being played on the system speaker. As with
the original virus, the tune will be played at
intervals until the system is rebooted.
Origin: Unknown November, 1993.
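
The file growth figures above (1,247 bytes for Hitchcock, 1,238 bytes for Hitchcock-1238) can be checked against a saved directory baseline. The following is an added example, not part of the original entry; the manifest format ("NAME SIZE DATE TIME") and the sample file listings are constructed assumptions.

```python
"""Flag .COM files whose growth matches the lengths this entry reports."""
from datetime import datetime

# Effective lengths taken from this entry (bytes appended to the host file).
KNOWN_GROWTH = {1247: "Hitchcock", 1238: "Hitchcock-1238"}


def parse_manifest(text):
    """Parse 'NAME SIZE YYYY-MM-DD HH:MM' lines (assumed format) into a dict."""
    entries = {}
    for line in text.strip().splitlines():
        name, size, date, time = line.split()
        stamp = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M")
        entries[name.upper()] = (int(size), stamp)
    return entries


def triage(baseline_text, current_text):
    """Return (name, variant, timestamp_unchanged) for each suspicious file."""
    baseline = parse_manifest(baseline_text)
    findings = []
    for name, (size, stamp) in sorted(parse_manifest(current_text).items()):
        if not name.endswith(".COM") or name not in baseline:
            continue
        old_size, old_stamp = baseline[name]
        variant = KNOWN_GROWTH.get(size - old_size)
        if variant:
            # A size change with an untouched directory timestamp is what
            # the entry describes for Hitchcock-1238.
            findings.append((name, variant, stamp == old_stamp))
    return findings


# Constructed sample manifests (not real system data).
BASELINE = """
COMMAND.COM 47845 1991-04-09 05:00
EDIT.COM 4130 1991-04-09 05:00
MORE.COM 2618 1991-04-09 05:00
"""
CURRENT = """
COMMAND.COM 49092 1991-04-09 05:00
EDIT.COM 5368 1991-04-09 05:00
MORE.COM 2700 1991-08-01 12:30
"""

if __name__ == "__main__":
    for name, variant, same_stamp in triage(BASELINE, CURRENT):
        print(f"{name}: grew by a {variant} length, timestamp unchanged={same_stamp}")
```

A matching length is only a lead, since unrelated updates can change a file by the same amount; confirm a hit with one of the scanners listed under Detection Method.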