Virus Name: Holocaust
Aliases: Stealth, Holo
V Status: Rare
Discovered: December, 1990
Symptoms: Decrease in system & available memory; file allocation errors
Origin: Barcelona, Spain
Eff Length: 3,784 Bytes
Type Code: PRhCK - Resident Parasitic .COM Infector
Detection Method: ViruScan, F-Prot, AVTK, Sweep, ChAV,
NAV, IBMAV, NAVDX, VAlert, PCScan,
LProt, Sweep/N, Innoc, NShld, NProt, AVTK/N,
Removal Instructions: Delete infected files
The Holocaust virus was submitted in December, 1990 by David Llamas
of Barcelona, Spain. Holocaust is a self-encrypting memory resident
infector of .COM files, including COMMAND.COM. This virus is
qualifies as a Stealth virus as it hides the file length increase on
infected files as well as infecting on file open and execution.
The first time a program infected with the Holocaust virus is
executed, the virus will install itself memory resident. It will
reserve 4,080 bytes of high system memory below the 640K DOS
boundary. This memory will be marked as Command Data, and interrupt
21 will be hooked. Some memory mapping utilities will show the
memory resident command interpreter to have grown by the 4,080
bytes, though it is actually in high memory instead of low memory.
Once Holocaust is memory resident, it will infect .COM programs
which are executed or opened for any reason. This virus, however,
will not infect very small .COM files of less than 1K in size.
Infected .COM programs will increase in size by 3,784 bytes, though
this file size increase will not be seen in a directory listing if
the virus is memory resident. The viral code will be located at
the end of infected files.
If the Holocaust virus is memory resident and the DOS CHKDSK command
is executed, infected files will be indicated as having a file
allocation error. Execution of the command with the /F parameter on
systems with the virus memory resident will result in the infected
files becoming damaged. The file allocation errors do not occur if
the virus is not in memory since at that time the directory size
will match the file allocation in the FAT.
The Holocaust virus is a self-encrypting virus, and will
occasionally produce an infected file which is encrypted differently
from its original encryption mechanism. Some infected files will
contain the following text at the end of the program, while other
samples will have this text encrypted:
"Virus Anti - C.T.N.E. v2.10a. (c)1990 Grupo Holokausto.
Kampanya Anti-Telefonica. Menos tarifas y mas servicio.
Programmed in Barcelona (Spain). 23-8-90.
- 666 -"
Holocaust is reported by David Llamas to be widespread in Barcelona
as of December, 1990. It is not known if this virus activates, and
what it does on activation.