Malaise Virus
Virus Name: Malaise
Aliases: V-IVL110
V Status: Rare
Discovered: June, 1992
Symptoms: .COM & .EXE growth; decrease in total system & available free memory
Origin: France
Eff Length: 1,357 - 1,371 Bytes
Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan, NAV, Sweep, AVTK, F-Prot, IBMAV, NAVDX, VAlert, PCScan, ChAV, NShld, Sweep/N, NProt, AVTK/N, LProt, IBMAV/N, NAV/N, Innoc
Removal Instructions: Delete infected files
General Comments:

The Malaise virus was discovered in France in June, 1992. Malaise
is a memory resident infector of .COM and .EXE programs, including
COMMAND.COM.

The first time a program infected with the Malaise virus is
executed, the Malaise virus will install itself memory resident at
the top of system memory but below the 640K DOS boundary. It does
not change the memory size returned by interrupt 12. Total system
and available free memory, as measured by the DOS CHKDSK program,
will have decreased by 4,096 bytes. Interrupt 21 will be hooked by
Malaise in memory.

Once the Malaise virus is memory resident, it will infect .COM and
.EXE programs when they are executed. Infected programs will
increase in size by 1,357 to 1,371 bytes with the virus being
located at the end of the infected file. The program's date and
time in the DOS disk directory listing will not be altered.

Several text strings can be found within the viral code in
Malaise-infected programs:

    "----------------"
    "Welcome into the virus"
    "(c) 1990 by InfoViruses"
    "Laboratoyr"
    "V-IVL110"
    "( COM & EXE )"
    "To inactivate me,just set to "*" the byte"
    "in brackets:"
    "[#]"
    "Next time, be more prudent !"

Malaise doesn't appear to do anything besides replicate.

Known variant(s) of Malaise are:

Malaise-524: Based on the Malaise virus, this variant may also
    be known by the name Locks. Malaise-524 is a 524 byte,
    memory resident infector of .COM programs, including
    COMMAND.COM. Its size in memory is 1,024 bytes, hooking
    interrupts 1C and 21. Once resident, it will infect .COM
    programs when executed, increasing their size by 524
    bytes. The file's date and time in the DOS disk directory
    listing will have been updated to the current system date
    and time. The following text string can be found within
    the viral code in all Malaise-524 infected programs:
        "COMcom"
    The virus will be located at the end of the file.
    Origin: France, May 1993.

Malaise-1743: Based on the Malaise virus described above, this
    variant's size in memory is 2,000 bytes, hooking interrupt
    21. When it becomes memory resident, it will also
    infect the copy of COMMAND.COM located in the C: drive
    root directory if it was not previously infected.
    Malaise-1743 infects one .COM or .EXE program in the
    current directory each time a DOS DIR command is issued.
    Infected programs will have a file length increase of
    1,743 to 1,757 bytes with the virus being located at the
    end of the file; however, the file length increase will be
    hidden when the virus is memory resident. The program's
    date and time in the DOS disk directory listing will not
    be altered. No text strings are visible within the viral
    code. Systems infected with Malaise-1743 will experience
    a sluggish response to the DOS DIR command, and the DOS
    CHKDSK program will return file allocation errors on
    infected files when the virus is memory resident. This
    variant is also sometimes referred to as the HideNowT virus.
    Origin: France, April 1993.

Malaise-B: Functionally similar to the original virus, this
    variant has had the text string "[#]" changed to "[*]".
    Origin: France, June 1992.
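
The check below is an added example, not part of the original entry or of any scanner named in it. It looks for the text strings listed above in the last 1,371 bytes of a .COM or .EXE image, since the entry places the virus at the end of the file. It assumes the strings are stored unencoded; the function names and the sample images are constructed for illustration.

```python
import os

MAX_GROWTH = 1371  # upper bound of the size increase stated in the entry
# Text strings copied from the entry; assumed to be stored unencoded in the file.
MARKERS = (b"Welcome into the virus", b"(c) 1990 by InfoViruses", b"V-IVL110")
BRACKETS = (b"[#]", b"[*]")  # "[#]" in the original, "[*]" listed for Malaise-B

def scan_bytes(data, min_hits=2):
    """Look for the listed strings in the last MAX_GROWTH bytes of a file image."""
    tail = data[-MAX_GROWTH:]           # the entry places the virus at end of file
    hits = [m.decode("ascii") for m in MARKERS if m in tail]
    suspicious = len(hits) >= min_hits  # one short string alone is weak evidence
    bracket = None
    if suspicious:                      # only read the bracket byte on a real match
        bracket = next((b.decode("ascii") for b in BRACKETS if b in tail), None)
    return {"suspicious": suspicious, "hits": hits, "bracket": bracket}

def scan_tree(root):
    """Return {path: result} for suspicious .COM/.EXE files under root."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".com", ".exe")):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    result = scan_bytes(fh.read())
                if result["suspicious"]:
                    found[path] = result
    return found

def constructed_sample(bracket):
    """Constructed test image: filler host bytes plus a tail carrying the strings."""
    host = b"\x00" * 3000
    tail = (b"\x00" * 900 + b"Welcome into the virus\r\n(c) 1990 by InfoViruses\r\n"
            b"V-IVL110\r\nin brackets:" + bracket + b"\r\n").ljust(1357, b"\x00")
    return host + tail

if __name__ == "__main__":
    print(scan_bytes(constructed_sample(b"[#]")))
    print(scan_bytes(b"MZ" + b"\x00" * 5000))  # clean constructed image
```

This check will not flag Malaise-1743, which the entry says carries no visible text strings, and it does not look for the "COMcom" string of Malaise-524.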