ABC Virus


 Virus Name:  ABC 
 Aliases:    
 V Status:    Rare 
 Discovery:   October, 1992 
 Symptoms:    .COM & .EXE file growth; decrease in available free memory; 
              keystrokes repeated; file date/time changes; system hangs 
 Origin:      USSR 
 Eff Length:  2,952 - 2,972 Bytes 
 Type Code:   PRhE - Parasitic Resident .EXE Infector 
 Detection Method:  ViruScan, Sweep, AVTK, F-Prot, NAV, 
                    IBMAV, NAVDX, VAlert, PCScan, 
                    NShld, Sweep/N, AVTK/N, NProt, NAV/N, IBMAV/N, LProt 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The ABC virus was received in October, 1992.  It is originally from 
       the USSR.  ABC is a memory resident infector of .EXE programs, though 
       it does also alter .COM files. 
 
       The first time a program infected with the ABC virus is executed, the 
       ABC virus will install itself memory resident at the top of system 
       memory but below the 640K DOS boundary, hooking interrupts 16 and 1C. 
       Total system memory, as measured by the DOS CHKDSK program, will not 
       be altered, but available free memory will have decreased by 
       approximately 8,960 bytes.  The copy of COMMAND.COM pointed to by 
       the COMSPEC environmental variable may also be altered at this time. 
 
       Once the ABC virus is memory resident, it will infect or alter .COM 
       and .EXE programs when they are executed.  .COM programs are not 
       infected by the virus, but may be altered, adding 4 to 30 bytes to 
       their length.  .EXE programs may be infected by the virus, adding 
       2,952 to 2,972 bytes to their length with the virus being located at 
       the end of the file.  .EXE programs which are not infected may be 
       altered, adding 4 to 30 bytes to their length.  The file's date and 
       time in the DOS disk directory listing may have been updated to the 
       current system date and time when the file was altered/infected. 
       No text strings are visible within the viral code in infected .EXE 
       programs, but the following text strings are encrypted within the 
       virus: 
 
               "ABC_FFEA" 
               "Minsk 8.01.92" 
               "ABC" 
 
       Systems infected with the ABC virus may experience keystrokes on the 
       system keyboard are frequently repeated, as well as system hangs 
       occurring when some programs are executed. 
 
       Known variant(s) of ABC are: 
       ABC-2918: A stealth variant of ABC, this variant's size in memory 
                 is 8,960 bytes, hooking interrupts 16, 1C, and 60.  It 
                 infects .EXE programs when they are executed or opened, 
                 adding 2,918 to 2,927 bytes to their length.  The virus 
                 will be located at the end of the file.  The program's date 
                 and time in the DOS disk directory listing will have been 
                 updated to the current system date and time when infection 
                 occurred.  Like the original virus, this variant also 
                 alters .COM programs, adding 4 to 16 bytes to their length. 
                 The same text strings encrypted within the original virus 
                 are encrypted in this variant. 
                 Origin:  USSR  October, 1992. 
       ABC-2918B: Functionally similar to ABC-2918, ABC-2918B is a 
                 very minor variant. 
                 Origin:  USSR  October, 1992.

Show viruses from discovered during that infect .

Main Page