McAfee > Theat Center > Virus Detail Page

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• InvisibleManI

Characteristics

Invisible Man is a memory resident, multi-partite virus. It infects .COM and .EXE files, including COMMAND.COM, and also infects the system hard disk MBR. It is a fast infector, infecting files as they are accessed.

Upon infection, the Invisible Man virus infects the system hard disk MBR, and also becomes memory resident. Interrupt 12's return is not moved. Interrupt 21 is hooked.

Once the Invisible Man virus is memory resident, it infects .COM and .EXE files as they are executed or accessed.

It is not known what Invisible Man does besides replicate.

Additional Comments:
The Invisible Man virus was submitted in May, 1993, and is from Italy. Invisible Man is a memory resident infector of .COM and .EXE programs, including COMMAND.COM, and also infects the system hard disk master boot sector (partition table sector). It is a fast infector, infecting programs when they are accessed for any reason. When the first Invisible Man infected program is executed, the Invisible Man virus will infect the system hard disk master boot sector (partition table sector), and also become memory resident. Total system and available free memory, as indicated by the DOS CHKDSK program, will have decreased by 3,456 bytes, and interrupt 21 will be hooked. Interrupt 12's return will not be moved. Once the Invisible Man virus is memory resident, it will infect .COM and .EXE programs when they are executed or accessed for any reason. Infected programs will have a file length increase of 2,926 bytes with the virus being located at the end of the file. The program's date and time in the DOS disk directory listing will not be altered. The following text strings are encrypted within the Invisible Man viral code, and are not visible within infected files: "The Invisible Man - Written in SALERNO (ITALY), October 1992." "Dedicated to Ester:" "I don't know either how or when, but I will hold you in my arms again." It is unknown what Invisible Man does besides replicate. Known variant(s) of Invisible Man are:

Symptoms

The following text strings are encrypted within the Invisible Man viral code:

"The Invisible Man - Written in SALERNO (ITALY), October 1992."
"Dedicated to Ester:"
"I don't know either how or when, but I will hold you in my arms again."

Total system and available free memory decreases by 3,456 bytes. Infected files have a file length increase of 2,926 bytes. The virus is located at the end of the file. The file's date and time in the DOS disk directory listing are not altered.

Method of Infection

Multi-partite viruses have two main routes of infection; either as a Master Boot Record/Boot Sector Virus or as a File Infecting Virus.

Most infections occur when a computer attempts to boot from an infected floppy diskette. The boot sector of the diskette has the code to determine if the diskette is bootable, and to display the "Non-system disk or disk error" message. It is this code that harbors the infection. By the time the non-system disk error message comes up, the infection has occurred.

Once the virus is executed, it will infect the hard drive's MBR and may become memory resident. With every subsequent boot, the virus will be loaded into memory and will attempt to infect floppy diskettes accessed by the machine.

The second route of infection is by receiving an infected file through a multitude of sources including: floppy diskettes, downloads through an online service, network, modem connections, etc. Once the infected file is executed, the virus may activate.

Removal

-

Variants

Variants

• InvisibleManII

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• InvisibleManI

Characteristics

Characteristics -

Invisible Man is a memory resident, multi-partite virus. It infects .COM and .EXE files, including COMMAND.COM, and also infects the system hard disk MBR. It is a fast infector, infecting files as they are accessed.

Upon infection, the Invisible Man virus infects the system hard disk MBR, and also becomes memory resident. Interrupt 12's return is not moved. Interrupt 21 is hooked.

Once the Invisible Man virus is memory resident, it infects .COM and .EXE files as they are executed or accessed.

It is not known what Invisible Man does besides replicate.

Additional Comments:
The Invisible Man virus was submitted in May, 1993, and is from Italy. Invisible Man is a memory resident infector of .COM and .EXE programs, including COMMAND.COM, and also infects the system hard disk master boot sector (partition table sector). It is a fast infector, infecting programs when they are accessed for any reason. When the first Invisible Man infected program is executed, the Invisible Man virus will infect the system hard disk master boot sector (partition table sector), and also become memory resident. Total system and available free memory, as indicated by the DOS CHKDSK program, will have decreased by 3,456 bytes, and interrupt 21 will be hooked. Interrupt 12's return will not be moved. Once the Invisible Man virus is memory resident, it will infect .COM and .EXE programs when they are executed or accessed for any reason. Infected programs will have a file length increase of 2,926 bytes with the virus being located at the end of the file. The program's date and time in the DOS disk directory listing will not be altered. The following text strings are encrypted within the Invisible Man viral code, and are not visible within infected files: "The Invisible Man - Written in SALERNO (ITALY), October 1992." "Dedicated to Ester:" "I don't know either how or when, but I will hold you in my arms again." It is unknown what Invisible Man does besides replicate. Known variant(s) of Invisible Man are:

Symptoms

Symptoms -

The following text strings are encrypted within the Invisible Man viral code:

"The Invisible Man - Written in SALERNO (ITALY), October 1992."
"Dedicated to Ester:"
"I don't know either how or when, but I will hold you in my arms again."

Total system and available free memory decreases by 3,456 bytes. Infected files have a file length increase of 2,926 bytes. The virus is located at the end of the file. The file's date and time in the DOS disk directory listing are not altered.

Method of Infection

Method of Infection -

Multi-partite viruses have two main routes of infection; either as a Master Boot Record/Boot Sector Virus or as a File Infecting Virus.

Most infections occur when a computer attempts to boot from an infected floppy diskette. The boot sector of the diskette has the code to determine if the diskette is bootable, and to display the "Non-system disk or disk error" message. It is this code that harbors the infection. By the time the non-system disk error message comes up, the infection has occurred.

Once the virus is executed, it will infect the hard drive's MBR and may become memory resident. With every subsequent boot, the virus will be loaded into memory and will attempt to infect floppy diskettes accessed by the machine.

The second route of infection is by receiving an infected file through a multitude of sources including: floppy diskettes, downloads through an online service, network, modem connections, etc. Once the infected file is executed, the virus may activate.

Removal -

Removal -

-

Variants

Variants -

• InvisibleManII