Minsk Ghost Virus


 Virus Name:  Minsk Ghost 
 Aliases:    
 V Status:    Rare 
 Discovered:  October, 1992 
 Symptoms:    .COM & .EXE growth; decrease in total system & available free 
              memory; file date set to 13-07-82 
 Origin:      USSR 
 Eff Length:  1,450 - 1,478 Bytes 
 Type Code:   PRhAK - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  Sweep, ViruScan, IBMAV, AVTK, F-Prot, NAVDX, NAV, 
                    VAlert, PCScan, ChAV, NShld, Sweep/N, Innoc, NProt, 
                    AVTK/N, LProt, IBMAV/N, NAV/N 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Minsk Ghost virus was submitted in October, 1992.  It is 
       originally from the USSR.  Minsk Ghost is a memory resident 
       infector of .COM and .EXE programs.  It employs some stealth 
       techniques to hide infections and spreads quickly on infected 
       systems. 
 
       The first time a program with the Minsk Ghost virus is executed, 
       this virus will install itself memory resident at the top of 
       system memory but below the 640K DOS boundary.  Total system and 
       available free memory, as indicated by the DOS CHKDSK program, 
       will have decreased by 1,536 bytes.  Interrupt 1A will be hooked 
       by the virus.  Also at this time, Minsk Ghost will infect 
       COMMAND.COM if it was not previously infected. 
 
       Once the Minsk Ghost is memory resident, it will infect .COM and 
       .EXE programs when they are executed or opened for any reason. 
       Infected programs will have a file length increase of 1,450 to 
       1,478 bytes with the virus being located at the end of the file. 
       The Minsk Ghost may reinfect previously infected programs, adding 
       an additional 1,450 bytes.  However, all but 3 to 31 bytes of the 
       file length increase will be hidden by the virus when it is resident 
       in memory.  The file's date in the DOS disk directory listing will 
       have been altered to 13-07-82.  The following text string is 
       visible within the viral code in all Minsk Ghost infected programs: 
 
               "MINSK GHOST,1991" 
 
       It is unknown what Minsk Ghost may do besides replicate. 
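
A triage check built from the file-level indicators described above (the text string, placement of the virus at the end of the file, and the 13-07-82 directory date), as an added example that is not part of the original entry or of any scanner it lists. The function names, the verdict labels, the DD-MM-YY reading of the date and the one-string-per-copy count are assumptions, and the sample files are constructed from inert padding. Because the entry says the resident virus hides most of the length increase, the check is meant for files copied to a system where the virus is not resident.

```python
import os
import tempfile
from datetime import date, datetime

MARKER = b"MINSK GHOST,1991"   # text string quoted in the entry
MAX_GROWTH = 1478              # upper bound of the reported file growth, in bytes
STAMP = date(1982, 7, 13)      # directory date 13-07-82, read as DD-MM-YY (assumption)

def triage(path):
    """Check one .COM/.EXE file against the entry's file-level indicators."""
    with open(path, "rb") as fh:
        data = fh.read()       # DOS-era programs are small enough to read whole
    in_tail = MARKER in data[-MAX_GROWTH:]   # the virus sits at the end of the file
    copies = data.count(MARKER)              # assumption: one string per appended copy
    stamped = date.fromtimestamp(os.path.getmtime(path)) == STAMP
    if in_tail:
        verdict = "infected"
    elif copies or stamped:
        verdict = "suspicious"               # one weak indicator only
    else:
        verdict = "clean"
    return {"verdict": verdict, "copies": copies, "date_match": stamped}

def make_sample(folder, name, copies=0, stamp=False):
    """Write a constructed test file: inert padding only, no viral code."""
    path = os.path.join(folder, name)
    with open(path, "wb") as fh:
        fh.write(b"\xc3" * 300)                          # stand-in host program
        fh.write(MARKER.ljust(1450, b"\x00") * copies)   # 1,450 bytes per "infection"
    if stamp:
        ts = datetime(1982, 7, 13, 12, 0).timestamp()
        os.utime(path, (ts, ts))                         # set the altered file date
    return path

def demo():
    """Run triage over four constructed samples and return the results by name."""
    with tempfile.TemporaryDirectory() as folder:
        samples = [
            make_sample(folder, "CLEAN.COM"),
            make_sample(folder, "ONCE.COM", copies=1, stamp=True),
            make_sample(folder, "TWICE.EXE", copies=2, stamp=True),
            make_sample(folder, "DATED.COM", stamp=True),
        ]
        return {os.path.basename(p): triage(p) for p in samples}

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

A copy count above one corresponds to the reinfection behaviour the entry describes; a date match with no string is reported only as suspicious, since a file date alone is weak evidence.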
