Virus Name: Malaise
V Status: Rare
Discovered: June, 1992
Symptoms: .COM & .EXE growth; decrease in total system & available free
Eff Length: 1,357 - 1,371 Bytes
Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan, NAV, Sweep, AVTK, F-Prot, IBMAV,
NAVDX, VAlert, PCScan, ChAV,
NShld, Sweep/N, NProt, AVTK/N, LProt, IBMAV/N,
Removal Instructions: Delete infected files
The Malaise virus was discovered in France in June, 1992. Malaise
is a memory resident infector of .COM and .EXE programs, including
The first time a program infected with the Malaise virus is
executed, the Malaise virus will install itself memory resident at
the top of system memory but below the 640K DOS boundary. It does
not move interrupt 12's return. Total system and available free
memory, as measured by the DOS CHKDSK program, will have decreased
by 4,096 bytes. Interrupt 21 will be hooked by Malaise in memory.
Once the Malaise virus is memory resident, it will infect .COM and
.EXE programs when they are executed. Infected programs will
increase in size by 1,357 to 1,371 bytes with the virus being
located at the end of the infected file. The program's date and
time in the DOS disk directory listing will not be altered.
Several text strings can be found within the viral code in Malaise
"Welcome into the virus"
"(c) 1990 by InfoViruses"
"( COM & EXE )"
"To inactivate me,just set to "*" the byte"
"Next time, be more prudent !"
Malaise doesn't appear to do anything besides replicate.
Known variant(s) of Malaise are:
Malaise-524: Based on the Malaise virus, this variant may also
be known by the name Locks. Malaise-524 is a 524 byte,
memory resident infector of .COM programs, including
COMMAND.COM. Its size in memory is 1,024 bytes, hooking
interrupts 1C and 21. Once resident, it will infect .COM
programs when executed, increasing their size by 524
bytes. The file's date and time in the DOS disk directory
listing will have been updated to the current system date
and time. The following text string can be found within
the viral code in all Malaise-524 infected programs:
The virus will be located at the end of the file.
Origin: France May, 1993.
Malaise-1743: Based on the Malaise virus described above, this
variant's size in memory is 2,000 bytes, hooking interrupt
21. When it becomes memory resident, it will also
infect the copy of COMMAND.COM located in the C: drive
root directory if it was not previously infected.
Malaise-1743 infects one .COM or .EXE program in the
current directory each time a DOS DIR command is issued.
Infected programs will have a file length increase of
1,743 to 1,757 bytes with the virus being located at the
end of the file, however the file length increase will be
hidden when the virus is memory resident. The program's
date and time in the DOS disk directory listing will not
be altered. No text strings are visible within the viral
code. Systems infected with Malaise-1743 will experience
a sluggish response to DOS DIR command, and the DOS CHKDSK
program will return file allocation errors on infected
files when the virus is memory resident. This variant
is also sometimes referred to as the HideNowT virus.
Origin: France April, 1993.
Malaise-B: Functionally similar to the original virus, this
variant has had the text string "[#]" changed to "[*]".
Origin: France June, 1992.