Virus Name: More-649
V Status: Rare
Discovered: March, 1993
Symptoms: .COM file growth; decrease in total system & available free
memory; file date/time seconds set to "60"
Eff Length: 649 Bytes
Type Code: PRhCK - Parasitic Resident .COM Infector
Detection Method: Sweep, AVTK, F-Prot, ViruScan, IBMAV, ChAV,
NAV, NAVDX, VAlert, PCScan,
Sweep/N, NShld, AVTK/N, NProt, IBMAV/N, Innoc, NAV/N,
Removal Instructions: Delete infected files
The More-649 virus was submitted in March, 1993, and is from
England. More-649 is a memory resident fast infector of .COM
programs, including COMMAND.COM.
When the first More-649 infected program is executed, the More-649
virus will install itself memory resident at the top of system
memory but below the 640K DOS boundary, hooking interrupt 21. Total
system and available free memory, as indicated by the DOS CHKDSK
program, will have decreased by 2,048 bytes. Interrupts 12's return
will not have been moved.
Once the More-649 virus is memory resident, it will infect .COM
programs when they are executed or opened for any reason. Infected
programs will have a file length increase of 649 bytes with the
virus being located at the end of the file. The file's date and
time in the DOS disk directory listing will not appear to be
altered, though the seconds field will have been set to "60". The
More-649 virus is unable to determine when it has previously
infected a file, so it will reinfect already infected programs,
adding an additional 649 bytes with each reinfection.
The following text strings are encrypted within the More-649 viral
"OH NO NOT MORE ARCV."
It is unknown what More-649 may do besides replicate.