 
Abraxas 5 Virus 
 
 Virus Name:  Abraxas 5 
 Aliases:    
 V Status:    Viron 
 Discovery:   April, 1993 
 Symptoms:    .COM & .EXE programs overwritten; programs fail to execute; 
              graphic "ABRAXAS" and noise on system speaker; 
              file date/time changes; C:\DOS\DOSSHELL.COM created 
 Origin:      Unknown 
 Eff Length:  1,171 Bytes 
 Type Code:   ONA - Overwriting Non-Resident .COM & .EXE Infector 
 Detection Method:  AVTK, F-Prot, NAV, Sweep, ViruScan, IBMAV, NAVDX, 
                    VAlert, PCScan, ChAV, 
                    NShld, AVTK/N, NAV/N, Sweep/N, NProt, IBMAV/N, Innoc, 
                    LProt 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Abraxas 5 virus was submitted in April, 1993.  Its origin is 
       unknown.  Abraxas 5 is a non-resident, direct action overwriting 
       virus which infects .COM and .EXE programs, but not COMMAND.COM. 
 
       When a program infected with the Abraxas 5 virus is executed, the
       virus infects the copy of DOSSHELL.COM located in the C:\DOS
       directory (creating the file if it doesn't exist), as well as one 
       .EXE program located in the current directory.  Due to a bug in the 
       virus, only the first .EXE program in any directory will be infected 
       by the Abraxas 5 virus.  Programs infected with the Abraxas 5 virus 
       will become 1,171 bytes in length, and will contain the Abraxas 5 
       viral code.  The file's date and time in the DOS disk directory 
       listing will be set to the system date and time when infection 
       occurred. 
 
       The following text strings can be found within the viral code in all 
       Abraxas 5 infected programs: 
 
               "*.exe c:\dos\dosshell.com .. MS-DOS (c)1992" 
               "->>ABRAXAS-5<<--" 
               "...For he is not of this day" 
               "...Nor he of this mind" 
 
       Execution of programs infected with the Abraxas 5 virus will also 
       result in the display of a graphic "ABRAXAS" on the system display, 
       accompanied by an ascending scale being played on the system speaker. 
 
       Known variant(s) of Abraxas 5 are: 
       Abraxas.1508: Received in July, 1994, Abraxas.1508 is a 1,508 
                     byte variant which infects .EXE programs.  When an 
                     infected program is executed, the virus will infect the 
                     first .EXE program located in the current directory, if 
                     it was not previously infected, as well as create a 
                     1,508 byte file named "ROMMAND.COM".  Infected .EXE 
                     programs will have a file length of 1,508 bytes and will 
                     contain a copy of the viral code.  The original .EXE 
                     program is not saved by the virus, and hence is not 
                     recoverable other than from backups.  Infected programs, 
                     as well as the ROMMAND.COM file, will have the file date 
                     and time in the DOS disk directory set to the current 
                     system date and time when infection occurred.  The 
                     following text strings are visible within the viral 
                     code: 
                     "*.exe" 
                     "rommand.com" 
                     "Darkest Avenger" 
                     "CES (c) Controlled Environment Simulator" 
                     "Edwin Cleton 1993 VirSoft (c)" 
                     "h! Get a ROD just thinking about it!" 
                     The Abraxas.1508 virus also will display the following 
                     message when an infected program is executed: 
                     "I AM THE 
                      EDWIN CLETON 
                      VIRUS... 
                      AND I LOVE A 
                      GOOD HARD 
                      DRIVE ...Ahhhh!  Get a ROD just thinking about it!" 
                     The message text prior to the "...Ahhhh!" text will be 
                     in line graphic characters. 
                     Origin:  Unknown  July, 1994.
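
 Detection sketch: the entry gives two static indicators per variant, an exact infected-file length and text fragments visible in the viral code. The Python below is an added example, not part of the original entry or of any scanner listed under Detection Method; it flags .COM/.EXE files where both indicators agree. Case-insensitive ASCII matching, the two-fragment threshold, and the names classify, scan and make_sample are assumptions of this example.

```python
import os

# Indicators from the entry above: exact infected-file length plus text
# fragments visible in the viral code. Case-insensitive ASCII matching and
# the two-fragment threshold are assumptions of this example.
VARIANTS = {
    "Abraxas 5": (1171, [b"abraxas-5", b"c:\\dos\\dosshell.com",
                         b"for he is not of this day", b"nor he of this mind"]),
    "Abraxas.1508": (1508, [b"rommand.com", b"darkest avenger",
                            b"edwin cleton 1993 virsoft (c)",
                            b"controlled environment simulator"]),
}
MIN_HITS = 2


def classify(data: bytes):
    """Return the variant name if length and fragments both match, else None."""
    lowered = data.lower()
    for name, (length, fragments) in VARIANTS.items():
        hits = sum(frag in lowered for frag in fragments)
        if len(data) == length and hits >= MIN_HITS:
            return name
    return None


def scan(root: str):
    """Walk root and return [(path, variant)] for matching .COM/.EXE files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith((".com", ".exe")):
                continue
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(4096)  # infected files are under 2 KB
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            variant = classify(data)
            if variant:
                findings.append((path, variant))
    return findings


def make_sample(length: int, fragments) -> bytes:
    """Constructed, inert test input: listed fragments padded with zeros."""
    body = b"\x00".join(fragments)
    return body + b"\x00" * (length - len(body))
```

 Because the virus overwrites its host, a match means the original program is gone; per the removal instructions above, the file is deleted and restored from backup.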