Virus Name: Invol
V Status: Common
Discovered: October, 1991
Symptoms: .EXE & .SYS growth; decrease in available free memory;
write protect errors when executing .EXE files from write-
protected diskettes; file date/time changes
Origin: United States
Eff Length: 1,409 - 1,421 Bytes (.EXE); 2,832 Bytes (.SYS)
Type Code: PRsE - Parasitic Resident .EXE & .SYS Infector
Detection Method: ViruScan, AVTK, F-Prot, IBMAV, ChAV,
NAV, NAVDX, VAlert, PCScan,
Innoc, NShld, AVTK/N, Sweep/N, IBMAV/N, NAV/N, LProt
Removal Instructions: Delete infected files
The Invol virus was received in October, 1991. Its original point
of isolation was in the United States. Invol is a memory resident
infector of .EXE and .SYS files.
The Invol virus becomes memory resident when the first program
infected by the Invol virus is executed. This program may be a .SYS
file which has a device entry in the CONFIG.SYS file, or an .EXE
file executed after the system boot has completed. In either case,
if the DOS CHKDSK program is executed, it will indicate that the
system has 2,832 bytes less free memory than is expected. Interrupt
21 will have been hooked by the virus in memory. Memory mapping
utilities will most likely indicate that the system's config.sys has
increased in size by 2,832 bytes.
Once Invol is memory resident, it will attempt to infect the first
.SYS program indicated in the system's CONFIG.SYS file. The .SYS
program will have a file size increase of 2,832 bytes with the
virus being located at the beginning of the file. The file's date
and time in the DOS disk directory will have been updated to the
current system date and time. The following text messages can be
found in infected .SYS files:
"You have helped spread this virus.
This is a message from your friendly
neighborhood infection service.
Thank you for your involuntary cooperation."
"c:\config.sys EVICE C:\vansi.sys device=vansi.sys"
.EXE programs will also be infected by the Invol virus once it is
memory resident. In the case of .EXE programs, they will have a
file length increase of 1,409 to 1,421 bytes with the virus being
located at the end of the infected file. The program's date and
time will have been updated to the system date and time when
infection occurred. The above text messages will not be visible in
infected .EXE files as they are encrypted.
It is unknown what Invol does besides replicate.
Invol-B: Discovered in the United States in May, 1992, Invol-B
is a smaller version of the Invol virus described above.
Its encryption has been altered to avoid detection. It
adds 2,720 bytes to the .SYS files it infects, and 1,348
to 1,365 bytes to .EXE files. The last text string
indicated above in the original virus has been changed to:
"c:\config.sys EVICE C:\vansi.sys vansi"
Origin: United States May, 1992.