Alabama Virus


 Virus Name:  Alabama 
 Aliases:     Ala 
 V Status:    Endangered 
 Discovery:   October, 1989 
 Symptoms:    .EXE growth; resident (see text); message; FAT corruption 
 Origin:      Israel     
 Eff Length:  1,560 bytes 
 Type Code:   PRfET - Parasitic Resident .EXE infector 
 Detection Method:  ViruScan, F-Prot, AVTK, NAV, Sweep, 
                    IBMAV, NAVDX, VAlert, PCScan, ChAV, 
                    NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, 
                    NAV/N, IBMAV/N 
 Removal Instructions:  F-Prot, or delete infected files 
 
 General Comments: 
       The Alabama virus was first isolated at Hebrew University in Israel 
       by Ysrael Radai in October, 1989.  Its first known activation was on 
       October 13, 1989.  The Alabama virus will infect .EXE files, 
       increasing their size by 1,560 bytes.  It installs itself memory 
       resident when the first program infected with the virus is executed; 
       however, it doesn't use the normal TSR function.  Instead, this 
       virus hooks interrupts 09 and 21 in available free memory. 
       When a CTL-ALT-DEL combination is detected, the virus causes an 
       apparent boot, but remains in RAM.  The virus loads itself 30K under 
       the highest memory location reported by DOS, and does not lower the 
       amount of memory reported by the BIOS or by DOS. 
 
       After the virus has been memory resident for one hour, the following 
       message will appear in a flashing box: 
 
       "SOFTWARE COPIES PROHIBITED BY INTERNATIONAL LAW.............. 
        Box 1055 Tuscambia ALABAMA USA." 
 
       The Alabama virus uses a complex mechanism to determine whether or 
       not to infect the current file.  First, it checks to see if there is 
       an uninfected file in the current directory, if there is one it 
       infects it.  Only if there are no uninfected files in the current 
       directory is the program being executed infected.  However, 
       sometimes instead of infecting the uninfected candidate file, it 
       will instead manipulate the FATs to exchange the uninfected 
       candidate file with the currently executed file without renaming it, 
       so the user ends up thinking he is executing one file when in effect 
       he is actually executing another one.  The end result is that files 
       are slowly lost on infected systems.  This file swapping occurs when 
       the virus activates on ANY Friday.

Show viruses from discovered during that infect .

Main Page