Virus Name: Air_Raid
V Status: New
Discovery: January, 1996
Symptoms: .COM file growth; decrease in available free memory
Eff Length: 330 Bytes
Type Code: PRhCK - Parasitic Resident .COM Infector
Detection Method: NAV, NAVDX, ViruScan, AVTK, F-Prot, IBMAV, ChAV,
NAV/N, AVTK/N, NShld, IBMAV/N, Innoc
Removal Instructions: Delete corresponding .COM files
The Air_Raid virus was received in January, 1996. Its origin or
point of isolation is unknown. Air_Raid is a memory resident
infector of .COM files, including COMMAND.COM.
When the first Air_Raid infected program is executed, this virus
will install itself memory resident at the top of system memory
but below the 640K DOS boundary, not moving interrupt 12's return.
Available free memory, as indicated by the DOS CHKDSK program from
DOS 5.0, will have decreased by 416 bytes. Interrupt 21 will be
hooked by the virus in memory.
Once the Air_Raid virus is memory resident, it will infect .COM
files when they are executed. Infected .COM files will have a file
length increase of 330 bytes with the virus being located at the end
of the file. The program's date and time in the DOS disk directory
listing will not be altered. The following text strings are visible
within the viral code:
The "AR" text string can also be found starting in the fourth
byte of all infected files. The "Air Raid" text string will be
located at the very end of all infected files.