Leningrad II Virus
Virus Name: Leningrad II
Aliases: Leningrad II.2000.A
V Status: Rare
Discovered: April, 1994
Symptoms: .COM file growth;
decrease in total system & available free memory
Eff Length: 2,000 Bytes
Type Code: PRhCK - Parasitic Resident .COM Infector
Detection Method: F-Prot, Sweep, IBMAV, AVTK, ViruScan, NAV,
NAVDX, VAlert, ChAV, PCScan,
AVTK/N, Sweep/N, IBMAV/N, Innoc, NProt, NShld, NAV/N,
Removal Instructions: Delete infected files
The Leningrad II virus was submitted in April, 1994, and appears to
be from the USSR. Leningrad II is a memory resident infector of
.COM programs, including COMMAND.COM.
When the first Leningrad II infected program is executed, this virus
will install itself memory resident at the top of system memory but
below the 640K DOS boundary, not moving interrupt 12's return. Total
system and available free memory, as indicated by the DOS CHKDSK
program, will have decreased by 4,096 bytes. Interrupts 1C and 21
will be hooked by the virus in memory.
Once memory resident, the Leningrad II virus will infect .COM
programs when they are executed. Infected programs will have a file
length increase of 2,000 bytes with the virus being located at the
end of the file. The program's date and time in the DOS disk
directory listing will not be altered. The following text string is
repeated many times within the viral code:
It is unknown what Leningrad II does besides replicate.
Known variant(s) of Leningrad II are:
Leningrad II.2000.B: Received in January, 1996, this is a minor
variant of the Leningrad II virus described above. It will
occassionally play a tune when the virus is memory resident.
Origin: Unknown January, 1996.