Virus Name: Incest
Aliases: Daddy.1117, Incest.1117
V Status: New
Discovered: September, 1994
Symptoms: .COM & .EXE growth; DOS CHKDSK file allocation errors;
decrease in total system & available free memory;
file time changes
Origin: Queensland, Australia
Eff Length: 1,117 Bytes
Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector
Detection Method: AVTK, IBMAV, ViruScan, Sweep, F-Prot, NAV,
NAVDX, VAlert, ChAV,
IBMAV/N, NShld, AVTK/N, Sweep/N, NAV/N, Innoc 4.0+
Removal Instructions: Delete infected files
The Incest virus was submitted in September, 1994, after its isolation
in Australia. Incest is a memory resident stealth-type virus which
infects .COM and .EXE programs, including COMMAND.COM.
When the first Incest infected program is executed, this virus will
install itself memory resident at the top of system memory but below
the 640K DOS boundary, not moving interrupt 12's return. Total system
and available free memory will have decreased by 2,400 bytes, and
interrupt 21 will be hooked by the virus is memory.
Once the Incest virus is memory resident, it will infect .COM and .EXE
programs, including COMMAND.COM, when they are executed, opened, or
copied. Infected programs will have a file length increase of 1,117
bytes, though the file length increase will be hidden when the virus
is memory resident. The virus will be located at the end of the file.
The file's date in the DOS disk directory listing will not be altered,
however, the time field will have been altered. The following text
strings are encrypted within the viral code:
"[Incest Daddy] by VLAD - Brisbane, OZ"
"ANTI-VIR.DAT MSAV.CHK CHKLIST.CPS CHKLIST.MS"
This virus interfers with the Microsoft Anti-Virus and Central
Point Anti-Virus programs, deleting the above indicated files which
the programs require in order to be able to detect viral infections.