Virus Name: Albanian
V Status: Rare
Discovery: May, 1992
Symptoms: .COM & .EXE file growth; file date/time altered; decrease in
total system and available free memory
Eff Length: 1,991 Bytes
Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan, AVTK, Sweep, F-Prot, IBMAV,
NAV, NAVDX, VAlert, PCScan, ChAV,
NShld, Sweep/N, AVTK/N, NProt, NAV/N, IBMAV/N, Innoc,
Removal Instructions: Delete infected files

The Albanian virus was received in May, 1991. Its origin is
unknown. Albanian is a memory resident infector of .COM and .EXE
programs, including COMMAND.COM.

When the first program infected with the Albanian virus is executed,
the Albanian virus will install itself memory resident at the top of
system memory but below the 640K DOS boundary. It does not move
interrupt 12's return. Total system and available free memory, as
measured by the DOS CHKDSK program, will have decreased by 2,000
bytes. Interrupts 08, 17, and 21 will be hooked by Albanian in
memory. Also at this time, the virus will infect COMMAND.COM if it
was not previously infected.

Once the Albanian virus is memory resident, it will infect .COM and
.EXE programs when they are executed or opened for any reason.
Infected programs will have a file length increase of 1,991 bytes
with the virus being located at the end of the file. The program's
date and time in the DOS disk directory listing will have been
updated to 12/17/89 7:21p. The following text strings can be
found within the viral code in infected programs:

It is unknown what Albanian does besides replicate.
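
Added example (not part of the original entry): a triage check that applies the two file-level symptoms above, the 1,991-byte growth and the 12/17/89 7:21p directory timestamp, to raw FAT directory entries. The function names, the sample directory and the baseline sizes are constructed for illustration; the seconds field is ignored because the entry gives the time only to the minute.

```python
import struct

# Indicators taken from the entry above.
GROWTH = 1991                    # bytes appended to each infected file
STAMP = (1989, 12, 17, 19, 21)   # 12/17/89 7:21p (seconds not stated)
TARGET_EXTS = {"COM", "EXE"}

def parse_dir_entries(raw):
    """Yield (name, ext, size, (y, m, d, hh, mm)) per live 32-byte FAT entry."""
    for off in range(0, len(raw) - 31, 32):
        ent = raw[off:off + 32]
        if ent[0] == 0x00:                      # end-of-directory marker
            break
        if ent[0] == 0xE5 or ent[11] & 0x08:    # deleted entry or volume label
            continue
        base = ent[0:8].decode("ascii", "replace").rstrip()
        ext = ent[8:11].decode("ascii", "replace").rstrip()
        time, date, _cluster, size = struct.unpack_from("<HHHI", ent, 22)
        stamp = (1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
                 time >> 11, (time >> 5) & 0x3F)
        yield (base + "." + ext if ext else base), ext, size, stamp

def triage(raw, baseline):
    """Return {name: [reasons]} for .COM/.EXE entries matching an indicator."""
    hits = {}
    for name, ext, size, stamp in parse_dir_entries(raw):
        if ext not in TARGET_EXTS:
            continue
        reasons = []
        if stamp == STAMP:
            reasons.append("timestamp")
        if name in baseline and size - baseline[name] == GROWTH:
            reasons.append("growth")
        if reasons:
            hits[name] = reasons
    return hits

def make_entry(name, ext, size, y, mo, d, hh, mm):
    """Build one constructed directory entry for the sample below."""
    date = ((y - 1980) << 9) | (mo << 5) | d
    time = (hh << 11) | (mm << 5)
    return (name.ljust(8).encode() + ext.ljust(3).encode() + bytes([0x20])
            + bytes(10) + struct.pack("<HHHI", time, date, 2, size))

# Constructed sample directory and known-good sizes (not from a real disk).
SAMPLE = (make_entry("COMMAND", "COM", 49836, 1989, 12, 17, 19, 21)
          + make_entry("EDIT", "COM", 413, 1991, 4, 9, 5, 0)
          + make_entry("README", "TXT", 900, 1989, 12, 17, 19, 21))
BASELINE = {"COMMAND.COM": 47845, "EDIT.COM": 413}
```

A timestamp match alone is only a lead, since a clean file can carry the same date; the growth match against a trusted baseline is the stronger of the two signals.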