Joker 2 Virus

Virus Name: Joker 2 Aliases: Joker-01 V Status: Rare Discovered: May, 1991 Symptoms: .COM & .EXE growth; TSR; system hangs Origin: Unknown Eff Length: 29,233 Bytes Type Code: PRsA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan, F-Prot, Sweep, AVTK, NAV, IBMAV, NAVDX, VAlert, PCScan, ChAV, NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, NAV/N, IBMAV/N Removal Instructions: Delete infected files General Comments: The Joker 2, or Joker-01, virus was submitted in May, 1991, by the PCVRF. Its origin is unknown. This virus is a memory resident infector of .COM and .EXE programs, and will not infect COMMAND.COM. The first time a program infected with Joker 2 is executed, Joker 2 will install itself memory resident as a low system memory TSR of 29, 568 bytes. Interrupts hooked by the virus include 09, 1C, and 21. After becoming memory resident, Joker 2 will infect .COM and .EXE files whose original program length was less than approximately 9K, when they are executed. Programs larger than 9K are never infected. Infected .COM programs always increase in size by 29,233 bytes. .EXE programs increase in size by 29,233 to 29,372 bytes. In both cases the virus will be located at the end of the infected program. The text string "JOKER-01" can be found in all infected files. Systems infected with Joker 2 may experience the system display being cleared, followed by a system hang occurring. When this happens, a few spurious characters may appear on the display as well. If ANSI.SYS is loaded before Joker 2 becomes resident, no screen effect will be produced. Joker 2 may be an incomplete virus, there is a large area of 00h characters within the virus code, implying that something else may be added later.