Virus Name: A-Bomb
V Status: New
Discovery: July, 1994
Symptoms: .COM file growth; DOS CHKDSK file allocation errors;
decrease in total system & available free memory;
file date/time seconds = "62"
Eff Length: 878 Bytes
Type Code: PRhCK - Parasitic Resident .COM Infector
Detection Method: AVTK, IBMAV, Sweep, F-Prot, ViruScan,
NAV, NAVDX, VAlert, PCScan, ChAV,
Sweep/N, AVTK/N, NProt, NShld, IBMAV/N, NAV/N, LProt,
Removal Instructions: Delete infected files
The A-Bomb virus was received in July, 1994. Its origin or point of
isolation is unknown. A-Bomb is a memory resident stealth virus
which infects .COM files, including COMMAND.COM.
When the first A-Bomb infected program is executed, this virus will
install itself memory resident at the top of system memory but below
the 640K DOS boundary, not moving interrupt 12's return. Total system
and available free memory, as indicated by the DOS CHKDSK program,
will have decreased by 1,808 bytes. Interrupt 21 will be hooked by
the virus in memory. The virus also infects COMMAND.COM at this
time if it was not previously infected.
Once the A-Bomb virus is memory resident, it will infect .COM files
when they are executed or opened for any reason. Infected programs
will have a file length increase of 878 bytes, though the file
length increase will be hidden when the virus is memory resident. The
virus will be located at the end of the infected file. The program's
date and time in the DOS disk directory listing will not appear to be
altered, though the seconds field will have been set to "62". The
following text string is encrypted within the A-Bomb viral code:
"[A-BOMB V1.0á] By Mnemonix 1994"
Users of systems infected with the A-Bomb virus may notice that some
programs or batch files may execute twice when the user runs them.
The DOS CHKDSK program will return file allocation errors on all
infected files when the virus is memory resident. This virus may
also interfer with the functioning of some anti-viral utilities when
it is memory resident.