Virus Name: Alexander
V Status: Rare
Discovery: October, 1992
Symptoms: .COM & .EXE file growth; decrease in total system & available
Eff Length: 1,951 - 1,965 Bytes
Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan, Sweep, IBMAV, AVTK, F-Prot,
NAV, NAVDX, VAlert, PCScan, ChAV,
NShld, Sweep/N, LProt, AVTK/N, NProt, NAV/N, Innoc,
Removal Instructions: Delete infected files
The Alexander virus was received in October, 1992. It appears to
be from Romania. Alexander is a memory resident infector of .COM
and .EXE programs, including COMMAND.COM.
The first time a program infected with the Alexander virus is
executed, the Alexander virus will install itself memory resident
at the top of system memory but below the 640K DOS boundary. Total
system and available free memory, as indicated by the DOS CHKDSK
program, will have decreased by 3,088 bytes. Interrupts 08, 21
and 27 will be hooked by Alexander in memory.
Once the Alexander virus is memory resident, it will infect .COM
and .EXE programs, including COMMAND.COM, when they are executed,
copied, or opened for any reason. Infected .COM programs will
increase in size by 1,951 bytes. Infected .EXE programs will
increase in size by 1,951 to 1,965 bytes. In both cases the virus
will be located at the end of the file. The program's date and
time in the DOS disk directory listing will not be altered. The
following text strings are visible in the viral code in all
The following additional text is encrypted within the viral, and
hence not visible within infected programs:
"Apa depistata in microprocesor
Functionarea poate fi compromisa
Se recomanda oprirea calculatorului
citeva ore pentru uscare"
It is unknown what Alexander does besides replicate.
Known variant(s) of Alexander are:
Alexander.2104: Received in July, 1994, Alexander.2104 is a 2,104
byte variant of the Alexander virus described above. Like
the original virus, it infects .COM and .EXE programs,
including COMMAND.COM, when they are executed, opened, or
copied. Infected .COM files increase in size by 2,104 bytes
while .EXE programs increase in size by 2,104 to 2,118 bytes.
In both cases, the virus will be located at the end of the
file and the program's date and time in the DOS disk
directory listing will not be altered. The following text
string is visible within the viral code:
Origin: Unknown July, 1994.
See: CB-1530 Dark Avenger