Joanna Virus
Virus Name: Joanna
Aliases:
V Status: Rare
Discovered: September, 1992
Symptoms: .COM file growth; decrease in total system and available free
memory; message display
Origin: England
Eff Length: 986 Bytes
Type Code: PRhCK - Parasitic Resident .COM Infector
Detection Method: ViruScan, AVTK, F-Prot, Sweep, IBMAV, NAV,
NAVDX, VAlert, PCScan, ChAV,
NShld, Sweep/N, AVTK/N, NAV/N, NProt, IBMAV/N, Innoc,
LProt
Removal Instructions: Delete infected files
General Comments:
The Joanna virus was discovered in Lancs, England, in September,
1992. Joanna is a memory resident infector of .COM programs,
including COMMAND.COM.
When the first Joanna infected program is executed, the Joanna
virus will install itself memory resident at the top of system
memory but below the 640K DOS boundary. Total system and available
free memory, as indicated by the DOS CHKDSK program, will have
decreased by 3,008 bytes. Interrupt 21 will be hooked by the
virus in memory. Also at this time, the Joanna virus will infect
COMMAND.COM if it was not previously infected.
Once the Joanna virus is memory resident, it will infect .COM
programs when they are executed or opened for any reason. Infected
programs will have a file length increase of 986 bytes with the
virus being located at the end of the file. The program's date
and time in the DOS disk directory listing will not be altered.
Hidden files, however, will have had the hidden attribute removed.
The following text strings are encrypted within the Joanna virus,
and are not visible in infected programs:
"This is Dedicated To the Girl I Love, Joanna Dicks."
"Made in England by Apache Warrior, ARCV Pres."
"Jo Ver. 1.01 (c) Apache Warrior 92"
"I Love You Joanna, Apache.."
"[JO] By Apache Warrior, ARCV Pres."
Some of the above lines of text will occassionally be displayed
by the virus while it is in memory.
Known variant(s) of Joanna are:
Joanna 1.11: Received from Manchester, England in October, 1992,
Joanna 1.11 is a 916 byte variant of the Joanna virus.
Its size in memory, and use of interrupts, is the same
as the original virus. Joanna 1.11 infects .COM
programs, other than COMMAND.COM, when they are
executed. Infected programs will have a file length
increase of 916 bytes with the virus being located at
the end of the file. There will be no change to the
file's date and time in the DOS disk directory listing.
The following text strings are encrypted within the
viral code:
"Looking Good Slimline Joanna."
"Made in England by Apache Warrior, ARCV Pres."
"Jo Ver. 1.11 (c) Apache Warrior 92."
"I Love You Joanna, Apache..."
"[JO] By Apache Warrior, ARCV Pres."
Origin: Manchester, England October, 1992.
Joanna-911: A 911 byte variant of Joanna, this variant is very
similar to Joanna 1.11. Its size in memory is 3,018
bytes, hooking interrupt 21. Once resident, Joanna-911
infects .COM programs when they are executed or opened.
Infected programs will have a file length increase of 911
bytes with the virus being located at the end of the
file. The program's date and time in the DOS disk
directory listing will not be altered. The following
text strings are encrypted within the Joanna-911 viral
code:
"Looking Good Slimline Joanna"
"Made in England by Apache Warrior, ARCV Pres."
"Jo Ver. 1.11 (c) Apache Warrior 92"
"I Love You Joanna, Apache."
"[JO]"
"Apache Warrior, ARCV Pres"
Joanna-911 contains destructive code which may result
in directory and file allocation table corruption.
Origin: England January, 1993.
Joanna-911B: Based on the Joanna-911 variant, this variant's
size in memory is 3,008 bytes, hooking interrupt 21.
Like the Joanna-911 variant, it infects .COM programs
other than COMMAND.COM when they are executed or opened.
It is unable to distinquish when the virus has previously
infected a program, so programs will be repeatedly
infected. Each infection of the file adds 911 bytes with
the virus being located at the end of the file. This
variant will hide the file length increase with the first
infection of the file, but not with reinfections. The
seconds field in the file date/time in the DOS disk
directory listing will be set to 54 on all infected
files. The same text strings encrypted within the
Joanna-911 variant are encrypted within this variant.
When the virus is memory resident, the DOS CHKDSK program
will return file allocation errors on infected .COM
programs, plus .BAT and data files, but not .EXE or .SYS
files.
Origin: England March, 1993.
Jo EXE: Received from England in November, 1992, Jo EXE is a
916 byte variant of Joanna which infects .EXE files. Its
size in memory, and use of interrupts, is the same as the
original virus. Jo EXE infects .EXE programs when they
are executed or opened for any reason. Infected programs
will have a file length increase of 916 bytes, though the
file length increase will be hidden when the virus is
memory resident. The Jo EXE virus will be located at the
end of the file. The program's date and time in the DOS
disk directory listing will not be altered. The following
text strings are encrypted within the viral code:
"Jo Exersiser Virus. Apache Warrior, ARCV Pres. [JOEXE]"
"EXE"
The DOS CHKDSK program will return file allocation errors
on infected programs, as well as some data files, when
the Jo EXE virus is memory resident.
Origin: England November, 1992.