Joker 2 Virus
Virus Name: Joker 2
V Status: Rare
Discovered: May, 1991
Symptoms: .COM & .EXE growth; TSR; system hangs
Eff Length: 29,233 Bytes
Type Code: PRsA - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan, F-Prot, Sweep, AVTK, NAV,
IBMAV, NAVDX, VAlert, PCScan, ChAV,
NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N,
Removal Instructions: Delete infected files
The Joker 2, or Joker-01, virus was submitted in May, 1991, by the
PCVRF. Its origin is unknown. This virus is a memory resident
infector of .COM and .EXE programs, and will not infect COMMAND.COM.
The first time a program infected with Joker 2 is executed, Joker 2
will install itself memory resident as a low system memory TSR of 29,
568 bytes. Interrupts hooked by the virus include 09, 1C, and 21.
After becoming memory resident, Joker 2 will infect .COM and .EXE
files whose original program length was less than approximately 9K,
when they are executed. Programs larger than 9K are never infected.
Infected .COM programs always increase in size by 29,233 bytes.
.EXE programs increase in size by 29,233 to 29,372 bytes. In both
cases the virus will be located at the end of the infected program.
The text string "JOKER-01" can be found in all infected files.
Systems infected with Joker 2 may experience the system display
being cleared, followed by a system hang occurring. When this
happens, a few spurious characters may appear on the display as
well. If ANSI.SYS is loaded before Joker 2 becomes resident, no
screen effect will be produced.
Joker 2 may be an incomplete virus, there is a large area of 00h
characters within the virus code, implying that something else may
be added later.