Virus Name: ABC
V Status: Rare
Discovery: October, 1992
Symptoms: .COM & .EXE file growth; decrease in available free memory;
keystrokes repeated; file date/time changes; system hangs
Eff Length: 2,952 - 2,972 Bytes
Type Code: PRhE - Parasitic Resident .EXE Infector
Detection Method: ViruScan, Sweep, AVTK, F-Prot, NAV,
IBMAV, NAVDX, VAlert, PCScan,
NShld, Sweep/N, AVTK/N, NProt, NAV/N, IBMAV/N, LProt
Removal Instructions: Delete infected files
The ABC virus was received in October, 1992. It is originally from
the USSR. ABC is a memory resident infector of .EXE programs, though
it does also alter .COM files.
The first time a program infected with the ABC virus is executed, the
ABC virus will install itself memory resident at the top of system
memory but below the 640K DOS boundary, hooking interrupts 16 and 1C.
Total system memory, as measured by the DOS CHKDSK program, will not
be altered, but available free memory will have decreased by
approximately 8,960 bytes. The copy of COMMAND.COM pointed to by
the COMSPEC environmental variable may also be altered at this time.
Once the ABC virus is memory resident, it will infect or alter .COM
and .EXE programs when they are executed. .COM programs are not
infected by the virus, but may be altered, adding 4 to 30 bytes to
their length. .EXE programs may be infected by the virus, adding
2,952 to 2,972 bytes to their length with the virus being located at
the end of the file. .EXE programs which are not infected may be
altered, adding 4 to 30 bytes to their length. The file's date and
time in the DOS disk directory listing may have been updated to the
current system date and time when the file was altered/infected.
No text strings are visible within the viral code in infected .EXE
programs, but the following text strings are encrypted within the
Systems infected with the ABC virus may experience keystrokes on the
system keyboard are frequently repeated, as well as system hangs
occurring when some programs are executed.
Known variant(s) of ABC are:
ABC-2918: A stealth variant of ABC, this variant's size in memory
is 8,960 bytes, hooking interrupts 16, 1C, and 60. It
infects .EXE programs when they are executed or opened,
adding 2,918 to 2,927 bytes to their length. The virus
will be located at the end of the file. The program's date
and time in the DOS disk directory listing will have been
updated to the current system date and time when infection
occurred. Like the original virus, this variant also
alters .COM programs, adding 4 to 16 bytes to their length.
The same text strings encrypted within the original virus
are encrypted in this variant.
Origin: USSR October, 1992.
ABC-2918B: Functionally similar to ABC-2918, ABC-2918B is a
very minor variant.
Origin: USSR October, 1992.