Holocaust Virus

 Virus Name:  Holocaust 
 Aliases:     Stealth, Holo 
 V Status:    Rare 
 Discovered:  December, 1990 
 Symptoms:    Decrease in system & available memory; file allocation errors 
 Origin:      Barcelona, Spain 
 Eff Length:  3,784 Bytes 
 Type Code:   PRhCK - Resident Parasitic .COM Infector 
 Detection Method:  ViruScan, F-Prot, AVTK, Sweep, ChAV, 
                    NAV, IBMAV, NAVDX, VAlert, PCScan, 
                    LProt, Sweep/N, Innoc, NShld, NProt, AVTK/N, 
                    NAV/N, IBMAV/N 
 Removal Instructions:  Delete infected files 
 General Comments: 
       The Holocaust virus was submitted in December, 1990 by David Llamas 
       of Barcelona, Spain.  Holocaust is a self-encrypting memory resident 
       infector of .COM files, including COMMAND.COM.  This virus
       qualifies as a Stealth virus as it hides the file length increase on
       infected files as well as infecting on file open and execution.
       The first time a program infected with the Holocaust virus is 
       executed, the virus will install itself memory resident.  It will 
       reserve 4,080 bytes of high system memory below the 640K DOS 
       boundary. This memory will be marked as Command Data, and interrupt 
       21 will be hooked.  Some memory mapping utilities will show the 
       memory resident command interpreter to have grown by the 4,080 
       bytes, though it is actually in high memory instead of low memory. 
       Once Holocaust is memory resident, it will infect .COM programs 
       which are executed or opened for any reason.  This virus, however, 
       will not infect very small .COM files of less than 1K in size. 
       Infected .COM programs will increase in size by 3,784 bytes, though 
       this file size increase will not be seen in a directory listing if 
       the virus is memory resident.   The viral code will be located at 
       the end of infected files. 
       If the Holocaust virus is memory resident and the DOS CHKDSK command 
       is executed, infected files will be indicated as having a file 
       allocation error.  Execution of the command with the /F parameter on 
       systems with the virus memory resident will result in the infected 
       files becoming damaged.  The file allocation errors do not occur if 
       the virus is not in memory since at that time the directory size 
       will match the file allocation in the FAT. 
       The Holocaust virus is a self-encrypting virus, and will 
       occasionally produce an infected file which is encrypted differently 
       from its original encryption mechanism.  Some infected files will 
       contain the following text at the end of the program, while other 
       samples will have this text encrypted: 
               "Virus Anti - C.T.N.E. v2.10a. (c)1990 Grupo Holokausto. 
                Kampanya Anti-Telefonica. Menos tarifas y mas servicio. 
                Programmed in Barcelona (Spain). 23-8-90. 
                - 666 -" 
       Holocaust is reported by David Llamas to be widespread in Barcelona 
       as of December, 1990.  It is not known if this virus activates, and 
       what it does on activation. 
       See:   Telecom 
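
The CHKDSK symptom described above comes from comparing the size in the directory entry with the length of the file's cluster chain in the FAT. The following is an added example, not part of the original entry or of any scanner: a simplified FAT16-style model in which the cluster sizes, host file sizes, cluster numbers and function names are constructed assumptions.

```python
# Added illustration: the size-versus-chain comparison behind the CHKDSK symptom.
# Simplified FAT16-style model; all sizes and cluster numbers are constructed.
EOC = 0xFFF8          # FAT16 values >= 0xFFF8 mark end of chain
VIRUS_LEN = 3784      # effective length given in this entry


def chain_length(fat, start):
    """Count clusters in the chain beginning at `start`, refusing loops."""
    seen, cluster = set(), start
    while cluster < EOC:
        if cluster in seen or cluster not in fat:
            raise ValueError("corrupt chain at cluster %d" % cluster)
        seen.add(cluster)
        cluster = fat[cluster]
    return len(seen)


def clusters_needed(size, cluster_bytes):
    """Clusters required to hold `size` bytes (ceiling division)."""
    return -(-size // cluster_bytes)


def allocation_check(reported_size, fat, start, cluster_bytes):
    """Return (expected, actual, surplus); surplus > 0 is the symptom."""
    expected = clusters_needed(reported_size, cluster_bytes)
    actual = chain_length(fat, start)
    return expected, actual, actual - expected


def build_chain(start, count):
    """Constructed helper: a contiguous chain of `count` clusters."""
    fat = {c: c + 1 for c in range(start, start + count - 1)}
    fat[start + count - 1] = 0xFFFF
    return fat


def demo(host_size, cluster_bytes, resident):
    """Model one infected file; `resident` selects which size DOS reports."""
    true_size = host_size + VIRUS_LEN
    fat = build_chain(2, clusters_needed(true_size, cluster_bytes))
    reported = host_size if resident else true_size
    return allocation_check(reported, fat, 2, cluster_bytes)


if __name__ == "__main__":
    print(demo(10000, 2048, resident=True))    # size hidden: chain too long
    print(demo(10000, 2048, resident=False))   # true size: consistent
    print(demo(1100, 8192, resident=True))     # growth fits in cluster slack
```

In this model a surplus of clusters is what a repair pass would cut from the chain, which matches the damage the entry reports for CHKDSK /F. The third case shows that, under these assumptions, a mismatch only appears when the hidden 3,784 bytes cross a cluster boundary.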

