Albanian Virus

Virus Name: Albanian Aliases: V Status: Rare Discovery: May, 1992 Symptoms: .COM & .EXE file growth; file date/time altered; decrease in total system and available free memory Origin: Unknown Eff Length: 1,991 Bytes Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan, AVTK, Sweep, F-Prot, IBMAV, NAV, NAVDX, VAlert, PCScan, ChAV, NShld, Sweep/N, AVTK/N, NProt, NAV/N, IBMAV/N, Innoc, LProt Removal Instructions: Delete infected files General Comments: The Albanian virus was received in May, 1991. Its origin is unknown. Albanian is a memory resident infector of .COM and .EXE programs, including COMMAND.COM. When the first program infected with the Albanian virus is executed, the Albanian virus will install itself memory resident at the top of system memory but below the 640K DOS boundary. It does not move interrupt 12's return. Total system and available free memory, as measured by the DOS CHKDSK program, will have decreased by 2,000 bytes. Interrupts 08, 17, and 21 will be hooked by Albanian in memory. Also at this time, the virus will infect COMMAND.COM if it was not previously infected. Once the Albanian virus is memory resident, it will infect .COM and .EXE programs when they are executed or opened for any reason. Infected programs will have a file length increase of 1,991 bytes with the virus being located at the end of the file. The program's date and time in the DOS disk directory listing will have been updated to 12/17/89 7:21p. The following text strings can be found within the viral code in infected programs: "C:\COMMAND.COM" "*.COM" It is unknown what Albanian does besides replicate.