Invader

Type: Virus
SubType: Multi-Partite
Discovery Date: 09/01/1990
Length: 4,096 Bytes
Minimum DAT: 4002 (12/02/1998)
Updated DAT: 4002 (12/02/1998)
Minimum Engine: 5.1.00
Description Added: 09/15/1990
Description Modified: 09/15/1990 12:00 AM (PT)

Risk Assessment

  • Corporate User: Low
  • Home User: Low

Characteristics

Invader is a later version of the Plastique-B virus. It is a memory resident, multi-partite virus that infects .COM and .EXE files, although it does not infect COMMAND.COM. It also infects boot sectors.

Upon infection, the virus becomes memory resident as a low system memory Terminate-and-Stay Resident (TSR). The TSR is 5,120 bytes and interrupts 08, 09, 13, and 21 are hooked.

At this time, the virus also infects the boot sector of the drive where the infected file was executed. The new boot sector is an MS-DOS 3.30 boot sector, and can be easily identified because the normal DOS error messages found in the boot sector are now at the beginning of the boot sector instead of the end.

Once the virus has become memory resident, any .COM or .EXE file opened is infected by the virus.

Additionally, any non-write protected diskettes which are exposed to the infected system will have their boot sectors infected.

Additional Comments:
The Invader virus was isolated in September 1990 in China. This virus is a later version of the Plastique-B or Plastique 5.21 virus. It is a memory resident infector of .COM and .EXE files, but not COMMAND.COM. It also infects boot sectors. In September 1990, many reports of infections of this virus were received; it appears to have spread very rapidly.

The first time a program infected with the Invader virus is executed, the virus will install itself memory resident as a low system memory TSR. The TSR is 5,120 bytes and interrupts 08, 09, 13, and 21 will be hooked. At this time, the virus will also infect the boot sector of the drive where the infected program was executed. The new boot sector is an MS-DOS 3.30 boot sector, and can be easily identified because the normal DOS error messages found in the boot sector are now at the beginning of the boot sector instead of the end.

After the virus has become memory resident, any .COM or .EXE file (with the exception of COMMAND.COM) opened will be infected by the virus. Infected .COM files will increase in length by 4,096 bytes with the viral code being located at the beginning of the infected file. .EXE files will increase in length between 4,096 and 4,110 bytes with the viral code being located at the end of the infected file. Additionally, any non-write protected diskettes which are exposed to the infected system will have their boot sectors infected.

The Invader virus activates after being memory resident for 30 minutes. At that time, a melody may be played on the system speaker. On systems which play the melody, it will continue until the system is rebooted. If the user presses CTL-ALT-DEL to reboot the system, the first track of the system's hard disk will be overwritten with an unencrypted copy of the virus. The melody isn't played on all systems as it is configuration dependent. The melody was originally composed by Mozart. Known variant(s) of Invader are:

Symptoms

The Invader virus activates after being memory resident for 30 minutes. At that time, a melody may be played on the system speaker. On systems which play the melody, it continues until the system is rebooted. If the user presses CTL-ALT-DEL to reboot the system, the first track of the system's hard disk is overwritten with an unencrypted copy of the virus. The melody is not played on all systems as it is configuration dependent. The melody was originally composed by Mozart.

Infected .COM files increase in length by 4,096 bytes. The viral code is located at the beginning of the infected file. Infected .EXE files increase in length between 4,096 and 4,110 bytes. The viral code is located at the end of the infected file.
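The two static indicators given in this description (file growth of 4,096 bytes for .COM and 4,096 to 4,110 bytes for .EXE, and DOS error messages at the start of the boot sector) can be checked against a file-size baseline and a boot sector read from a disk image. The following is an added example, not part of the original description or of any scanner; the marker strings, the "first half of the sector" threshold, and all sample names and sizes are assumptions constructed for illustration.

```python
SECTOR_SIZE = 512
COM_GROWTH = 4096               # .COM files grow by exactly 4,096 bytes
EXE_GROWTH = range(4096, 4111)  # .EXE files grow by 4,096 to 4,110 bytes
# Assumed marker strings for the DOS error text in a boot sector.
DOS_MESSAGES = (b"non-system disk or disk error", b"replace and press any key")

# Constructed listings: file name -> size in bytes, before and after.
BASELINE = {"EDIT.COM": 1000, "COMMAND.COM": 25307,
            "CHKDSK.EXE": 9850, "FORMAT.EXE": 11616}
CURRENT = {"EDIT.COM": 5096, "COMMAND.COM": 29403,
           "CHKDSK.EXE": 13955, "FORMAT.EXE": 16616}


def size_growth_matches(path, baseline_size, current_size):
    """True when growth since the baseline fits the lengths given in the text."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].upper()
    if name == "COMMAND.COM":  # described as never infected
        return False
    growth = current_size - baseline_size
    if name.endswith(".COM"):
        return growth == COM_GROWTH
    return name.endswith(".EXE") and growth in EXE_GROWTH


def triage_sizes(baseline, current):
    """Names present in both listings whose growth matches the description."""
    return sorted(n for n, size in current.items()
                  if n in baseline and size_growth_matches(n, baseline[n], size))


def boot_messages_at_start(sector):
    """True when DOS error text is found in the first half of the sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected one 512-byte sector")
    lowered = sector.lower()
    hits = [pos for pos in (lowered.find(m) for m in DOS_MESSAGES) if pos >= 0]
    return bool(hits) and min(hits) < SECTOR_SIZE // 2


def sample_sector(message_offset):
    """Constructed sector: zero fill, DOS text at the offset, 55 AA signature."""
    text = b"\r\nNon-System disk or disk error\r\n"
    sector = bytearray(SECTOR_SIZE)
    sector[message_offset:message_offset + len(text)] = text
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)
```

A size match alone is only a reason to look closer, since unrelated updates can change a file by the same amount; both checks should be run from a clean boot, because the resident virus hooks interrupts 13 and 21.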

Method of Infection

Multi-partite viruses have two main routes of infection: as a Master Boot Record/Boot Sector virus or as a file-infecting virus.

Most infections occur when a computer attempts to boot from an infected floppy diskette. The boot sector of the diskette has the code to determine if the diskette is bootable, and to display the "Non-system disk or disk error" message. It is this code that harbors the infection. By the time the non-system disk error message comes up, the infection has occurred.

Once the virus is executed, it will infect the hard drive's MBR and may become memory resident. With every subsequent boot, the virus will be loaded into memory and will attempt to infect floppy diskettes accessed by the machine.

The second route of infection is by receiving an infected file through a multitude of sources including: floppy diskettes, downloads through an online service, network, modem connections, etc. Once the infected file is executed, the virus may activate.

Variants

  • ChineseInvader
  • Danube
  • Mozart
  • SledgeHammer

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Anticad.4096.Mozart
  • Anticad4
  • PlastiqueBoot
