Ah Virus


 Virus Name:  Ah 
 Aliases:     Tuesday, David-1173 
 V Status:    Research 
 Discovery:   May, 1991 
 Symptoms:    .COM file growth; decrease in total system & available free 
              memory; system hangs; hard disk format; message 
 Origin:      Italy 
 Eff Length:  1,173 Bytes 
 Type Code:   PRhC - Parasitic Resident .COM Infector 
 Detection Method:  ViruScan, F-Prot, Sweep, AVTK, NAV, NAVDX, IBMAV, 
                    VAlert, PCScan, ChAV, 
                    NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, 
                    NAV/N, IBMAV/N 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Ah, or Tuesday, Virus was received in May, 1991.  Ah is based on 
       the V1024 virus, its origin is Italy.  Ah is a very buggy virus 
       which infects .COM programs. 
 
       When the first program infected with Ah is executed, Ah will install 
       itself memory resident at the top of system memory, but below the 
       640K DOS boundary.  Total system and available free memory, as 
       indicated by the DOS CHKDSK program, will decrease by 1,216 bytes. 
       Interrupts 08 and 21 will be hooked by the virus. 
 
       After Ah is memory resident, it will infect .COM programs over 1K 
       in length when they are executed.  Infected programs will increase 
       in size by 1,173 bytes, though the file length increase will be 
       hidden if Ah is resident.  Their date and time in the DOS directory 
       will appear to be unaltered, though if the program's original time 
       was 12:00a, it will now be blank.  The virus will be located at the 
       beginning of infected programs. 
 
       Systems infected with Ah will experience frequent system hangs. 
       These hangs occur when the user attempts to execute a .COM program 
       which is infected with Ah.  They may also occur when the virus 
       attempts to infect an uninfected program.  System hangs occur so 
       frequently with Ah that the virus is very noticeable. 
 
       The Ah virus activates on Tuesdays, at which time it will attempt 
       to format the first few tracks of the system hard disk. 
 
       Programs infected with Ah can be easily identified as they will 
       contain the following text strings: 
 
               "(C) David Grant Virus Research 1991 PCVRF 
                Disribuite this virus freely!!! 
                ...ah...John...Fuck You!" 
 
       Ah is believe to have been created by the same person as several 
       other viruses from Italy, including Smack and Enigma.  David Grant 
       and the PCVRF had nothing to do with its creation. 
 
       Known variant(s) of Ah are: 
       Ah-B: Similar to the original virus, this variant will 
             occassionally infect an .EXE program.  It contains the same 
             text strings as the original virus. 
             Origin:  Unknown  October, 1992. 
 
       See:   Alfa   V1024

Show viruses from discovered during that infect .

Main Page