Grog 3.1 Virus
Virus Name: Grog 3.1
Aliases:
V Status: Rare
Discovered: April, 1993
Symptoms: .COM file growth;
decrease in total system & available free memory
Origin: Italy
Eff Length: 1,200 Bytes
Type Code: PRhCK - Parasitic Resident .COM Infector
Detection Method: F-Prot, Sweep, AVTK, ViruScan, IBMAV, NAV,
NAVDX, VAlert, PCScan,
Sweep/N, AVTK/N, IBMAV/N, NShld, NProt, NAV/N
Removal Instructions: Delete infected files
General Comments:
The Grog 3.1 virus was submitted in April, 1993, and is from Italy.
Grog 3.1 is a memory resident infector of .COM programs, including
COMMAND.COM, but does not infect .COM files smaller than
approximately 2K.
When the first Grog 3.1 infected program is executed, the Grog 3.1
virus will install itself memory resident at the top of system
memory but below the 640K DOS boundary, hooking interrupt 21. Total
system and available free memory, as indicated by the DOS CHKDSK
program, will have decreased by 4,800 bytes. Interrupt 12's return
will not have been moved. Also at this time, the virus will infect
the copy of COMMAND.COM located in the C: drive root directory if it
was not previously infected.
Once the Grog 3.1 virus is memory resident, it will infect .COM
programs larger than approximately 2K in size when they are executed
or opened for any reason. Infected programs will have a file length
increase of 1,200 bytes with the virus being located at the beginning
of the file. The program's date and time in the DOS disk directory
listing will not be altered. The following text strings are
encrypted within the Grog 3.1 viral code:
"GROG 4EVER!"
"GROG v3.1 (C) '93 by GROG - Italy"
"Microsoft C:\COMMAND.COM"
It is unknown what Grog 3.1 does besides replicate.
Known variant(s) of Grog 3.1 are:
E-Riluttanza: E-Riluttanza was submitted in September, 1993, and
is a non-resident, direct action infector of .COM programs,
including COMMAND.COM. It infects all of the .COM programs
in the current directory when an infected program is executed.
Infected programs will have a file length increase of 689
bytes with the virus being located at the end of the file.
The program's date and time in the DOS disk directory listing
will not be altered. The following text strings are visible
within the viral code in all E-Riluttanza infected programs:
"*.COM .."
"E-RILUTTANZA (C) '92 by GROG - Italy"
"Sebbene suo marito andasse spesso in viaggio per affari,
ella odiava star sola."
""Ho risolto il nostro problema", disse egli."
""Ti ho comprato un San Bernardo.
Si chiama Estrema Riluttanza.""
""Adesso, quando vado via,
sai che ti lascio con Estreme Riluttanza!"
"Ella lo colpi' con un mestolo."
It is unknown what E-Riluttanza does besides replicate.
Origin: Italy September, 1993.
Grog 3.0: An earlier version of Grog 3.1 described above, this
variant's size in memory is 3,952 bytes, hooking interrupt 21.
It infects .COM programs when they are opened or executed,
as well as COMMAND.COM located in the C: drive root directory
when the first infected program is executed. Infected programs
have a file length increase of 990 bytes with the virus being
located at the end of the file. The program's date and time
in the DOS disk directory listing will not be altered. The
following text strings are encrypted within the Grog 3.0
viral code:
"GROG 4EVER!"
"GROG v3.0 (C) '93 by GROG - Italy"
"Microsoft C:\COMMAND.COM"
Origin: Italy September, 1993.
Grog.202: The Grog.202 variant was submitted in July, 1994, and is
a non-resident, direct action overwriting virus. It infects
the first two .COM files in the current directory when an
infected program is executed. Infected programs have the first
202 bytes overwritten by the viral code. The file's date and
time in the DOS disk directory listing will not be altered.
The following text strings are visible within the viral code in
all infected programs:
"*.COM"
"TRUMPERY (c) '93 by GROG"
"ATD02000000"
Origin: Italy July, 1994
Grog.324: The Grog.324 variant was submitted in July, 1994, and is
a non-resident, direct action parasitic virus. It infects one
.COM file in the current directory when an infected program is
executed. Infected programs will have a file length increase
of 324 bytes with the virus being located at the end of the
file. The program's date and time in the DOS disk directory
listing will have been updated to the current system date and
time when infection occurred. The following text strings are
visible within the viral code in all infected programs:
"Vi E' Mai Venuto In Mente Che Potreste Aver Torto ?"
"[ Aver torto (C) '93 by Grog - Italy ]"
"*.?O?"
Execution of infected programs may result in a system hang or
other failure of the program to execute.
Origin: Italy July, 1994
Grog.377: The Grog.377 variant was submitted in July, 1994, and is
a non-resident, direct action overwriting virus. It infects
zero to many .COM files in the current directory when an
infected program is executed. Infected programs have the first
377 bytes overwritten by the viral code. The file's date and
time in the DOS disk directory listing will not be altered. The
following message is displayed when an infected program is
executed:
""Il nostro amore durera' per sempre", disse lui.
"Oh, si, si, si", esclamo 'lei.
"Intendendo 'sempre' in senso relativo, pero'", disse lui.
Lei lo colpi' con una racchetta da sci."
The above text strings, along with the text string below, are
contained within the viral code in all infected programs:
"Sempre_(C)_'93_by_Grog_Italy_"
System hangs may occur when infected programs are executed.
Origin: Italy July, 1994
Grog.566: The Grog.566 variant was submitted in July, 1994, and is
a non-resident, direct action parasitic virus. It infects all
of the .COM files in the current directory when an infected
program is executed. Infected programs will have a file length
increase of 566 bytes with the virus being located at the end
of the file. The program's date and time in the DOS disk
directory listing will have been updated to the current system
date and time when infection occurred. The following text
strings are visible within the viral code in all infected
programs:
"*.cOm"
"}}}- LaTraviata (C) '93 by GROG - Italy -{{{"
"Il suo vero nome era Lavinia Traviata"
"Ma tutti i suoi amici la chaimavano "La""
"Per cui, spesso veniva indicata come "La Traviata""
Origin: Italy July, 1994
Grog.798: The Grog.798 variant was submitted in July, 1994, and is
a non-resident, direct action parasitic virus. It infects all
of the .COM files in the current directory when an infected
program is executed. Infected programs will have a file length
increase of 798 bytes with the virus being located at the end
of the file. The program's date and time in the DOS disk
directory listing will have been updated to the current system
date and time when infection occurred. The following text
strings are visible within the viral code in all infected
programs:
"[ WE ARE BACK! ]"
"[o1/o3]"
"Grog4Ever"
"Grog.Crackers.Wild_Cards (c) 1993 by GROG"
"*.?Om"
Origin: Italy July, 1994
Grog.800: The Grog.800 variant was submitted in July, 1994, and is
a non-resident, direct action parasitic virus. It infects all
of the .COM files in the current directory when an infected
program is executed. Infected programs will have a file length
increase of 800 bytes with the virus being located at the end
of the file. The program's date and time in the DOS disk
directory listing will have been updated to the current system
date and time when infection occurred. The following text
strings are visible within the viral code in all infected
programs:
"Grog4Ever"
"Grog.Crackers.Public_Enemy (c) 1993 by GROG"
"*.?Om"
Origin: Italy July, 1994
Grog.801: The Grog.801 variant was submitted in July, 1994, and is
a non-resident, direct action parasitic virus. It infects all
of the .COM files in the current directory when an infected
program is executed. Infected programs will have a file length
increase of 801 bytes with the virus being located at the end
of the file. The program's date and time in the DOS disk
directory listing will have been updated to the current system
date and time when infection occurred. The following text
strings are visible within the viral code in all infected
programs:
"Grog4Ever"
"Grog.Crackers.Razor (c) 1993 by GROG"
"*.?Om"
Origin: Italy July, 1994
Grog.903: Grog.903 was submitted in June, 1994, and is a
non-resident, direct action infector of .COM programs,
including COMMAND.COM. It infects all of the .COM programs
in the current directory, as well as the C: drive root
directory, when an infected program is executed. Infected
programs will have a file length increase of 903 bytes with
the virus being located at the end of the file. The program's
date and time in the DOS disk directory listing will have been
updated to the current system date and time when infection
occurred. The following text strings are visible within the
viral code in all Grog.903 infected programs:
"TorneoDiGolf (C) '93 by GROG - Italy"
"*.COM *.DL"
"Subito dopo aver vinto il torneo di golf, egli fu
intervistato alla TV."
""Questo e'' il momento piu'' emozionante della mia
vita!", disse."
""Ti ho visto in TV", gli disse sua moglie"
""Credevo che il momento piu'' emozionante della tua vita fosse
stato quando ci"
"siamo sposati.""
"Al torneo successivo, egli non riusci'' a qualificarsi."
It is unknown what Grog.903 does besides replicate.
Origin: Italy June, 1994.
Grog.926: Grog.926 was submitted in July, 1994, and is a
non-resident, direct action infector of .COM programs,
including COMMAND.COM. It infects all of the .COM programs
in the current directory, as well as the C: drive root
directory, when an infected program is executed. Infected
programs will have a file length increase of 926 bytes with
the virus being located at the end of the file. The program's
date and time in the DOS disk directory listing will have been
updated to the current system date and time when infection
occurred. The following text strings are encrypted within the
viral code in all Grog.926 infected programs:
"Mi Ami (C) '93 by GROG - iTALY"
"*.?OM"
""Mi ami?" chiese lei."
""Ma certo", rispose lui."
""Mi ami davvero?" chiese lei."
""Ma certo", rispose lui."
""Mi ami davvero davvero?" chiese lei."
""No", rispose lui."
""Mi ami?" chiese lei."
""Ma certo", rispose lui."
""lei non chiese piu" altro."
"GPE#02"
"FGHKIJMu"
It is unknown what Grog.926 does besides replicate.
Origin: Italy July, 1994.
Grog.2825: Received in July, 1994, Grog.2825 is a later version
of the Grog 3.1 virus. It is a memory resident stealth variant
which infects .COM and .EXE programs, including COMMAND.COM,
when they are executed or opened for any reason. This variant
hides the file length increase when the virus is memory
resident. Its size in memory is 5,712 bytes, hooking
interrupts 20 and 21. At the time it becomes resident, it will
infect the copies of COMMAND.COM located in the C: drive root
and \DOS directories if they were not previously infected.
Infected .COM programs will have a file length increase of
2,825 bytes with the virus being located at the beginning of
the file. .EXE programs will have a file length increase of
3,097 bytes with the virus being located at the end of the
file. The program's date and time in the DOS disk directory
listing will not appear to be altered, but the seconds field
will have been set to 34. The following text strings are
encrypted within the viral code:
"GROG v5.0 (C) '93 by GROG - Italy"
"C:\COMMAND.COM C:\DOS\COMMAND.COM *.*"
"IBMBIOIBMDOSSCAN CLEAN F-PROTCPAV MSAV NAV"
"ANTI-VIR.DAT CHKLIST.* \NAV_._NO"
Some anti-viral programs may fail to function properly when
the virus is memory resident.
Origin: Italy July, 1994.
Grog.Dream: The Grog.Dream variant was submitted in July, 1994,
and is a non-resident, direct action parasitic virus. It
infects all of the .COM files in the current directory when an
infected program is executed. Infected programs will have a
file length increase of 757 bytes with the virus being located
at the end of the file. The program's date and time in the DOS
disk directory listing will have been updated to the current
system date and time when infection occurred. The following
text strings are visible within the viral code:
"THE"
"TEAM"
"Grog4Ever"
"Grog.Crackers.The_Dream_Team (c) 1993 by GROG"
"*.?Om"
Origin: Italy July, 1994
Grog.Gonfie: The Grog.Gonfie variant was submitted in July, 1994.
It is a memory resident .COM infector. This variant's size in
memory is 928 bytes, hooking interrupt 21. It infects .COM
programs when they are executed, opened or copied. Infected programs
have a file length increase of 902 bytes with the virus being
located at the end of the file. The program's date and time in
the DOS disk directory listing will not be altered. The
following text strings are visible within the viral code:
".oO( GonfieVele (C) '93 by GROG - Italy )Oo."
"Sua moglie aveva sempre odiato il lavoro di lui."
""Non farai mai soldi costruendo modellini di velieri", si
lagnava."
""Al contrario", dichiaro' lui."
"I miei affari vanno a gonfie vele!"
"Lei lo inceneri' col tostapane elettrico."
"80?86 only!"
Origin: Italy July, 1994.
Grog.Hop: The Grog.Hop variant was submitted in July, 1994, and is
a non-resident, direct action overwriting virus. It may infect
one .COM and .EXE program in the current directory when an
infected program is executed. Infected programs have 480 bytes
located near the end of the file overwritten by the viral code.
The file's date and time in the DOS disk directory listing will
not be altered. The following text strings are visible
within the viral code:
"HopHopHop (c) '93 By GROG - Italy"
"*.COM"
""Guida alla Corsa""
"Capitolo primo"
"Come correre al modo dei conigli."
"Hop Hop Hop"
"Hop Hop Hop"
Infected programs may take an extended time to issue output,
and often hang the system.
Origin: Italy July, 1994.
Grog.Il_Mostro: The Grog.Il_Mostro variant was submitted in
July, 1994, and is a non-resident, direct action parasitic
virus. It may infect one .COM file in the current directory
when an infected program is executed. Infected programs will
have a file length increase of 330 bytes with the virus being
located at the end of the file. The program's date and time in
the DOS disk directory listing will have been updated to the
current system date and time when infection occurred. The
following text strings are visible within the viral code:
"Il Mostro e i Coniglietti"
"Storia di terrore e di ansia"
""Boo!", disse il Mostro."
"-=< Il Mostro (C) '93 by Grog - Italy >=-"
"*.??M"
Programs infected with this variant will usually hang the system
when they are executed.
Origin: Italy July, 1994
Grog.IlCuoco: The Grog.IlCuoco variant was submitted in July,
1994. It is a memory resident .EXE infector. Its size in
memory is 2,208 bytes, hooking interrupt 21. It may infect
.EXE files when they are executed. Infected programs will have
a file length increase of 1,007 bytes with the virus being
located at the end of the file. The program's date and time in
the DOS disk directory listing will have been updated to the
current system date and time when infection occurred. The
following text strings are visible within the viral code:
"Il·Cuoco·(C)·'93·by·GROG"
"Il Cuoco, vedendosi scoperto, impallidi'."
""Siete in arrosto", intimo' il poliziotto."
"Ho un mandato di cottura!"
"Il·Cuoco·(C)·'93·by·GROG"
"MSAVF-PRCPAVSCANCLEA"
"Il Cuoco (C) '93 by GROG - Italy"
"GROG·4·EVER"
Grog.IlCuoco does not infect very small .EXE files.
Origin: Italy July, 1994.
Grog.Inc: The Grog.Inc variant was submitted in July, 1994, and is
a non-resident, direct action parasitic virus. It will infect
the first .COM file in the current directory when an infected
program is executed. If the first .COM file was previously
infected, a system hang may occur. Infected programs will
have a file length increase of 774 bytes with the virus being
located at the end of the file. The program's date and time in
the DOS disk directory listing will have been updated to the
current system date and time when infection occurred. The
following text strings are visible within the viral code:
"inc"
"Grog4Ever"
"Grog.Crackers.INC (c) 1993 by GROG"
"*.?Om"
Origin: Italy July, 1994
Grog.Noncemale: Grog.Noncemale was submitted in July, 1994, and is
a non-resident, direct action parasitic virus. It infects two
.COM files in the current directory when an infected program is
executed. It will also create the file "KEYB.COM" in the C:
drive root directory containing a copy of the virus. Infected
programs will have a file length increase of 796 bytes with the
virus being located at the end of the file. The program's date
and time in the DOS disk directory listing will not be altered.
The following text strings are visible within the viral code:
"????????COM"
"/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\"
"\ "Non so dirti quanto tiamo", disse lui. /"
"/ "Prova", disse lei." \"
"\ "Ti voglio molto bene", disse lui." /"
"/ "Non c' e' male", disse lei. \"
"\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/"
"*.COm"
"<-> NonCEMale (C) '93 by GROG - Iltay <->"
Origin: Italy July, 1994
Grog.NTA: The Grog.NTA variant was submitted in July, 1994, and is
a non-resident, direct action parasitic virus. It infects all
of the .COM files in the current directory when an infected
program is executed. Infected programs will have a file length
increase of 1,016 bytes with the virus being located at the end
of the file. The program's date and time in the DOS disk
directory listing will have been updated to the current system
date and time when infection occurred. The following text
strings are visible within the viral code in all infected
programs:
"$*BR*$"
"The Nokturnal"
"Trading Alliance"
"Grog4Ever"
"Grog.Crackers.NTA (c) 1993 by GROG"
"*.?Om"
Origin: Italy July, 1994
Grog.Ovile: The Grog.Ovile variant was submitted in July, 1994.
It is a memory resident .COM and .EXE infector. This variant's
size in memory is 1,440 bytes, hooking interrupt 21. It
infects .COM and .EXE programs when they are executed or
opened. Infected programs have a file length increase of 1,417
bytes with the virus being located at the end of the file. The
program's date and time in the DOS disk directory listing will
not be altered. The following text strings are visible within
the viral code:
"OVILE"
"Grog"
"GROG4EVER"
">-> Ovile (C) '93 by GROG - Italy <-<"
"C'erano una volta due topi che vivevano in un museo."
"Una sera, dopo la chiusura, il primo topo si infilo' nella
vetrina contenente"
"le uova di uccelli rari."
"Prima di accorgersene, si era gia' perso."
""Aiuto!", grido' al suo amico."
""Aiutami a uscire dall'ovile!""
Origin: Italy July, 1994.
GSav 1.0: GSav 1.0 was submitted in September, 1993, and is a
non-resident, direct action infector of .COM programs,
including COMMAND.COM. It infects all of the .COM programs in
the current directory when an infected program is executed.
Infected programs will have a file length increase of 794
bytes with the virus being located at the end of the file.
The program's date and time in the DOS disk directory listing
will not be altered. The following text strings are visible
within the viral code in all GSav 1.0 infected programs:
"G*SAV v1.0 (C) '93 by GROG - Italy"
"*.*"
"Grog*Soft Anti-Virus v1.0 (C) '93 by GROG - Italy"
"Self Integrity Check warning - File was changed!"
"Chose an option:"
"[R] Self Reconstruction."
"[C] Continue execution."
"[E] Exit to DOS"
"Press R, C, or E:"
Origin: Italy September, 1993.
GSav 1.1: GSav 1.1 was submitted in September, 1993, and is a
non-resident, direct action infector of .COM and .EXE programs,
including COMMAND.COM. It infects all of the .COM and .EXE
programs in the current directory when an infected program is
executed. Infected .COM programs will have a file length
increase of 1,082 bytes while .EXE programs increase in size by
1,215 bytes. In both cases, the virus will be located at the
end of the file. The program's date and time in the DOS disk
directory listing will not be altered. The following text
strings are visible within the viral code in all GSav 1.1
infected programs:
"G*SAV v1.1 (C) '93 by GROG - Italy"
"*.*"
"Grog*Soft Anti-Virus v1.1 (C) '93 by GROG - Italy"
"Self Integrity Check warning - File was changed!"
"Chose an option:"
"[R] Self Reconstruction."
"[C] Continue execution."
"[E] Exit to DOS"
"Press R, C, or E:"
Some anti-viral scanning programs may detect this variant as
a variant of Vacsina since it uses Vacsina's technique to
convert .EXE programs to .COM file structures before their
infection.
Origin: Italy September, 1993.
Lor: The most advanced member of the Grog family as of September,
1993, Lor was received in September, 1993. Unlike other Grog
family viruses, this variant hides the file length increase
when the virus is memory resident. Its size in memory is
704 bytes, hooking interrupt 21. It infects .COM and .EXE
programs when they are executed. Infected programs have a
file length increase of 666 bytes with the virus being
located at the end of the file. The program's date and time
in the DOS disk directory listing will not appear to be
altered, but the seconds field will have been set to 60. The
following text strings are visible within the Lor viral code:
"LOR·(C)·'93·by·GROG·Italy"
"!GROG·4·EVER!"
Origin: Italy September, 1993.
Mila: The Mila variant was submitted in September, 1993, and is
a non-resident, direct action overwriting virus. It infects
all of the .COM and .EXE programs in the current directory
when an infected program is executed. Infected programs have
the first 557 bytes overwritten by the Mila viral code. The
file's date and time in the DOS disk directory listing will
have been updated to the current system date and time when
infection occurred. The following text strings are visible
within the viral code in all Mila infected programs:
">>1/92<<"
"MILA (c) 1992 by GROG - Italy"
"*.COM COM" -or- "*.COM EXE"
Origin: Italy September, 1993
Mormorio: The Mormorio variant was submitted in September, 1993,
and is a non-resident, direct action overwriting virus. It
infects all of the .COM programs in the current directory
when an infected program is executed. Infected programs have
the first 456 bytes overwritten by the Mormorio viral code.
The file's date and time in the DOS disk directory listing will
have been updated to the current system date and time when
infection occurred. The virus will occasionally display the
following message, with five to seven beeps, when an infected
program is executed:
"Joe Mormorio e i suoi fratelli erano borsaioli.
Battevano tutte le fiere della contea.
Come faceva la gente a accorgersi di essere stata borseggoata?
Quando un Mormorio correva tra la folla."
When this message is displayed, a system hang may also occur.
The following text strings are visible within the viral code in
all Mormorio infected programs, as are the text strings
comprising the message above:
"Mormorio (C) '92 by GROG - Italy"
"GROG"
"GROG*.com GROG"
Origin: Italy September, 1993
Nocciola: Nocciola was submitted in September, 1993, and is a
non-resident, direct action infector of .COM programs,
including COMMAND.COM. It infects all of the .COM programs in
the current directory when an infected program is executed.
Infected programs will have a file length increase of 283
bytes with the virus being located at the beginning of the
file. The program's date and time in the DOS disk directory
listing will not be altered. The following text strings are
visible within the viral code in all Nocciola 1.0 infected
programs:
"*.COM"
"Nocciola Vildibranda Crapomena"
"NOCCIOLA (C) '93 by Grog - Italy"
Origin: Italy September, 1993.
Woodstock: The Woodstock variant was submitted in September, 1993,
and is a memory resident .EXE infector. This variant's size in
memory is 1,248 bytes, hooking interrupt 21. It infects .EXE
programs when they are opened or executed. Infected programs
have a file length increase of 1,219 bytes with the virus being
located at the end of the file. The program's date and time
in the DOS disk directory listing will not be altered. The
following text string is visible within the Woodstock
viral code:
"Provero Woodstock... Se vola piu' alto di tre metri,
gli esce sangue dal becco."
The following text strings are encrypted within the viral code:
"|---------|---|---|--|----|-----|"
"|Woodstock|(C)|'93|by|GROG|Italy|"
"|---------|---|---|--|----|-----|"
"*.HLP"
Origin: Italy September, 1993.
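
A triage sketch for the seconds-field markers described above for Grog.2825 (seconds set to 34) and Lor (seconds set to 60), added here as an illustration and not part of the original entry. It assumes raw FAT12/16 directory bytes are available, for example from a disk image; the sample directory, helper names and confidence labels are constructed for the example.

```python
import struct

# 32-byte FAT12/16 directory entry: name, ext, attr, reserved,
# time, date, start cluster, size (all little-endian).
ENTRY = struct.Struct("<8s3sB10sHHHI")

# Seconds values reported on this page -> variant that sets them.
MARKERS = {34: "Grog.2825", 60: "Lor"}
TARGET_EXTS = {"COM", "EXE"}          # both variants infect .COM and .EXE


def decode_time(word):
    """Split a 16-bit DOS time word into (hours, minutes, seconds).
    Seconds are stored halved in 5 bits, so a raw 30 reads as 60."""
    return (word >> 11) & 0x1F, (word >> 5) & 0x3F, (word & 0x1F) * 2


def parse_directory(raw):
    """Return the live file entries found in raw directory bytes."""
    entries = []
    for off in range(0, len(raw) - len(raw) % ENTRY.size, ENTRY.size):
        name, ext, attr, _, time, _date, _clus, size = ENTRY.unpack_from(raw, off)
        if name[0] == 0x00:            # end-of-directory marker
            break
        if name[0] == 0xE5:            # deleted entry
            continue
        if attr & 0x18:                # volume label, LFN slot or subdirectory
            continue
        entries.append({
            "name": name.decode("cp437").rstrip(),
            "ext": ext.decode("cp437").rstrip(),
            "time": time,
            "size": size,
        })
    return entries


def triage(entries):
    """Flag .COM/.EXE entries whose seconds field matches a marker.
    A value above 58 cannot come from a normal clock reading, so it is a
    strong indicator; 34 is a legal value and only a weak one by itself."""
    findings = []
    for e in entries:
        if e["ext"] not in TARGET_EXTS:
            continue
        seconds = decode_time(e["time"])[2]
        if seconds > 58:
            confidence = "strong"
        elif seconds in MARKERS:
            confidence = "weak"
        else:
            continue
        variant = MARKERS.get(seconds, "no variant on this page")
        findings.append((e["name"] + "." + e["ext"], seconds, variant, confidence))
    return findings


def _entry(name, ext, hms, size, attr=0x20):
    """Build one constructed directory entry for the sample below."""
    h, m, s = hms
    time = (h << 11) | (m << 5) | (s // 2)
    date = ((1994 - 1980) << 9) | (7 << 5) | 15
    return ENTRY.pack(name.ljust(8), ext.ljust(3), attr, bytes(10), time, date, 2, size)


# Constructed sample directory, not data from a real disk.
SAMPLE_DIR = b"".join([
    _entry(b"COMMAND", b"COM", (6, 0, 34), 57_694),
    _entry(b"CHKDSK", b"EXE", (6, 0, 12), 12_241),
    _entry(b"EDIT", b"EXE", (9, 30, 60), 14_000),
    _entry(b"README", b"TXT", (9, 30, 60), 900),      # not a target type
    _entry(b"\xe5LD", b"COM", (9, 30, 60), 3_000),    # deleted entry
]) + bytes(32)

if __name__ == "__main__":
    for finding in triage(parse_directory(SAMPLE_DIR)):
        print(finding)
```

Read the directory from an image or after a clean boot, since both variants hide the file length increase while resident, and note that the DOS directory listing never shows the seconds value.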