Liberty Virus


 Virus Name:  Liberty 
 Aliases:     Liberty-A, Liberty-B, Liberty-C, Liberty-D, Liberty-E, 
              Liberty-F, Liberty-G, Liberty-H, Liberty-I, Liberty-J 
 V Status:    Common 
 Discovered:  May, 1990 
 Symptoms:    .COM, .EXE, and .OVL growth; BSC; file date and time changes; 
              decrease in total system and available free memory 
 Origin:      Sydney, Australia 
 Eff Length:  2,859 - 2,873 Bytes 
 Type Code:   PRfAK - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  ViruScan, F-Prot, NAV, AVTK, Sweep, IBMAV, 
                    NAVDX, VAlert, PCScan, ChAV, 
                    NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, 
                    NAV/N, IBMAV/N 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Liberty virus was isolated in Sydney, Australia in May, 1990. 
       Liberty is a memory resident generic file infector, infecting .COM, 
       .EXE, and overlay files.  COMMAND.COM may also become infected.  In 
       advanced infections, the virus may also infect boot sectors. 
 
       The Liberty virus gets its name from the text string "Liberty" 
       which will appear in all infected files.  In .EXE files, it will be 
       located in the last 3K of the file.  In .COM files, it will appear 
       near the very beginning of the program, as well as within the last 
       3K of the infected file. 
 
       The first time a file infected with the Liberty virus is executed, 
       the virus will become memory resident.  Liberty installs itself 
       resident at the top of system memory but below the 640K DOS boundary. 
       Total system and available free memory will decrease by 8,496 bytes. 
       Interrupts 21 and 24 will be hooked by the virus in memory, as well 
       as interrupt 62 which will map to free available memory. 
 
       After becoming memory resident, programs which are executed may be 
       infected by the virus.  All .EXE files will be infected, but only 
       .COM files over 2K in length will become infected.  Overlay files 
       will also become infected.  Infected files will increase in size 
       between 2,859 and 2,873 bytes, and will end with the hex character 
       string: 80722D80FA81772880.  The main body of the virus will be 
       located at the end of all infected files.  Infected files will have 
       had their file date and time in the DOS disk directory updated to 
       the current system date and time when infection occurred. 
 
       Infected .COM files can also be identified by the following text 
       string which will appear near the beginning of the infected program: 
 
               "- M Y S T I C - COPYRIGHT (C) 1989-2000, by SsAsMsUsEsL" 
 
       This string does not appear in infected .EXE files, the area where 
       this string would have appeared in infected .EXE files will be 00h 
       characters. 
 
       Liberty is a self-encrypting virus.  It is not yet known if it is 
       destructive. 
 
       Known variant(s) of Liberty are: 
       Liberty-B: Isolated in November, 1990, this strain is functionally 
                  similar to the original Liberty virus.  The string which 
                  occurs at the end of all infected files has been changed 
                  to: C8004C40464842020EB.  The word "MAGIC" will also be 
                  found repeated together many times in infected files.  The 
                  file date and time in the DOS disk directory will also 
                  have been altered in Liberty-B infected files to the 
                  system date and time when infection occurred. 
       Liberty-C: Isolated in January, 1991, this variant is very similar 
                  to Liberty-B, there are 16 bytes which have been 
                  changed.  Like Liberty-B, the word "MAGIC" will be found 
                  repeated together many times in infected files.  The 
                  string which occurs at the end of all infected files has 
                  been changed to: C8004C404648422020E9.  File date and time 
                  change to system date and time when infection occurred 
                  is also experienced with this variant. 
       Liberty-D: Functionally equivalent to Liberty, this variant has 
                  the "MAGIC" text string repeated many times. 
       Liberty-E: Functionally equivalent to Liberty, this variant does 
                  not contain the "MAGIC" text string at all. 
       Liberty-F: Liberty-F is almost identical to Liberty-D, it has 
                  two bytes which differ in the viral code. 
       Liberty-G: Liberty-G is almost identical to Liberty-E, it has 
                  two bytes which differ within it's viral code. 
       Liberty-H: Liberty-H is almost identical to Liberty-D and 
                  Liberty-F, differing by two bytes within the viral code. 
                  It also has 13 bytes which differ from Liberty-C, and 
                  seven bytes which differ from Liberty-B. 
       Liberty-I: Liberty-I is almost identical to Liberty-E and 
                  Liberty-G, it has two bytes within the viral code which 
                  differ. 
       Liberty-J: Liberty-J is almost identical to Liberty-H, there are 
                  three bytes within the viral code which differ. 
 
       See:   Liberty-2

Show viruses from discovered during that infect .

Main Page