Content
June 12TH
- Type
- Virus
- SubType
- File Infector
- Discovery Date
- 09/01/1993
- Length
- 2,660-2,687 Bytes
- Minimum DAT
- 4002 (12/02/1998)
- Updated DAT
- 4002 (12/02/1998)
- Minimum Engine
- 5.1.00
- Description Added
- 09/15/1993
- Description Modified
- 09/15/1993 12:00 AM (PT)
Tab Navigation
Characteristics
June 12TH is a memory resident, file infecting virus. It infects .COM and .EXE files. Although it does not infect COMMAND.COM. It activates on June 12th of any year.
Upon infection, the June 12TH virus becomes memory resident as a low system memory Terminate-and-Stay Resident (TSR) of 2,672 bytes. Interrupt 21 is hooked by June 12TH in memory.
Once the June 12TH virus is memory resident, it infects .COM and .EXE files, as they are executed or opened.
Additional Comments:
The June 12TH virus was submitted in September, 1993. It appears to
be from The Philipines. June 12TH is a memory resident infector of
.COM and .EXE programs, but not COMMAND.COM. It activates on June
12th of any year.
When a program infected with the June 12TH virus is executed, the
June 12TH virus will install itself memory resident as a low system
memory TSR of 2,672 bytes. Interrupt 21 will be hooked by June 12TH
in memory.
Once the June 12TH virus is memory resident, it will infect .COM and
.EXE programs, other than COMMAND.COM, when they are executed or
opened for any reason. Infected .COM files will increase in size by
2,675 to 2,687 bytes, while .EXE files will increase by 2,660 to
2,674 bytes. In both cases the virus will be located at the end of
the file. The program's date and time in the DOS disk directory
listing will not be altered. The following text string can be found
within the viral code in all June 12TH infected programs:
"VDSFSCAN"
The June 12TH virus activates once it has become memory resident on
June 12th of any year. Once resident, it will display the following
three lines of text on the system display, with a graphic of the
Philipine flag after the first line of text, and before the second
line:
"June 12 - the Independence Day of the Philippines."
"MABUHAY ANG PILIPINAS!"
"Dedicated to Manong Eddie."
A song is played on the system speaker while the text and flag
appear. At the completion of the song, the screen is cleared and
the program the user was attempting to execute will run.
The text strings from the graphic display are encrypted within the
virus and are not visible within infected programs.
Symptoms
The following text string is found within the viral code in all June 12TH infected files:
"VDSFSCAN"
The June 12TH virus activates once it has become memory resident on June 12th of any year. Once resident, it displays the following three lines of text on the system display, with a graphic of the Philippine flag after the first line of text, and before the second line:
"June 12 - the Independence Day of the Philippines."
"MABUHAY ANG PILIPINAS!"
"Dedicated to Manong Eddie."
A song is played on the system speaker while the text and flag appear. At the completion of the song, the screen is cleared and the file the user was attempting to execute runs.
Infected .COM files increase in size by 2,675 to 2,687 bytes. Infected .EXE files increase by 2,660 to 2,674 bytes. In both cases the virus is located at the end of the file. The file's date and time in the DOS disk directory listing are not altered.
Method of Infection
The only way to infect a computer with a file infecting virus is to execute an infected file on the computer. The infected file may come from a multitude of sources including: floppy diskettes, downloads through an online service, network, etc. Once the infected file is executed, the virus may activate.
Removal
All Users :
Script,Batch,Macro and non memory-resident:
Use current engine and DAT files for detection and removal.
PE,Trojan,Internet Worm and memory resident :
Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use a boot diskette and use the command line scanner:
Additional Windows ME/XP removal considerations
Users should not trust file icons, particularly when receiving files from others via P2P clients, IRC, email or other mediums where users can share files.
AVERT Recommended Updates :
* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch )
* scriptlet.typelib/Eyedog vulnerability patch
* Outlook as an email attachment security update
* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield
For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link .
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information .
It is very common for macro viruses to disable options within Office applications for example in Word, the macro protection warning commonly is disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.
Variants
Variants
N/A
All Information
Overview -
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Characteristics
Characteristics -
June 12TH is a memory resident, file infecting virus. It infects .COM and .EXE files. Although it does not infect COMMAND.COM. It activates on June 12th of any year.
Upon infection, the June 12TH virus becomes memory resident as a low system memory Terminate-and-Stay Resident (TSR) of 2,672 bytes. Interrupt 21 is hooked by June 12TH in memory.
Once the June 12TH virus is memory resident, it infects .COM and .EXE files, as they are executed or opened.
Additional Comments:
The June 12TH virus was submitted in September, 1993. It appears to
be from The Philipines. June 12TH is a memory resident infector of
.COM and .EXE programs, but not COMMAND.COM. It activates on June
12th of any year.
When a program infected with the June 12TH virus is executed, the
June 12TH virus will install itself memory resident as a low system
memory TSR of 2,672 bytes. Interrupt 21 will be hooked by June 12TH
in memory.
Once the June 12TH virus is memory resident, it will infect .COM and
.EXE programs, other than COMMAND.COM, when they are executed or
opened for any reason. Infected .COM files will increase in size by
2,675 to 2,687 bytes, while .EXE files will increase by 2,660 to
2,674 bytes. In both cases the virus will be located at the end of
the file. The program's date and time in the DOS disk directory
listing will not be altered. The following text string can be found
within the viral code in all June 12TH infected programs:
"VDSFSCAN"
The June 12TH virus activates once it has become memory resident on
June 12th of any year. Once resident, it will display the following
three lines of text on the system display, with a graphic of the
Philipine flag after the first line of text, and before the second
line:
"June 12 - the Independence Day of the Philippines."
"MABUHAY ANG PILIPINAS!"
"Dedicated to Manong Eddie."
A song is played on the system speaker while the text and flag
appear. At the completion of the song, the screen is cleared and
the program the user was attempting to execute will run.
The text strings from the graphic display are encrypted within the
virus and are not visible within infected programs.
Symptoms
Symptoms -
The following text string is found within the viral code in all June 12TH infected files:
"VDSFSCAN"
The June 12TH virus activates once it has become memory resident on June 12th of any year. Once resident, it displays the following three lines of text on the system display, with a graphic of the Philippine flag after the first line of text, and before the second line:
"June 12 - the Independence Day of the Philippines."
"MABUHAY ANG PILIPINAS!"
"Dedicated to Manong Eddie."
A song is played on the system speaker while the text and flag appear. At the completion of the song, the screen is cleared and the file the user was attempting to execute runs.
Infected .COM files increase in size by 2,675 to 2,687 bytes. Infected .EXE files increase by 2,660 to 2,674 bytes. In both cases the virus is located at the end of the file. The file's date and time in the DOS disk directory listing are not altered.
Method of Infection
Method of Infection -
The only way to infect a computer with a file infecting virus is to execute an infected file on the computer. The infected file may come from a multitude of sources including: floppy diskettes, downloads through an online service, network, etc. Once the infected file is executed, the virus may activate.
Removal -
Removal -
All Users :
Script,Batch,Macro and non memory-resident:
Use current engine and DAT files for detection and removal.
PE,Trojan,Internet Worm and memory resident :
Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use a boot diskette and use the command line scanner:
Additional Windows ME/XP removal considerations
Users should not trust file icons, particularly when receiving files from others via P2P clients, IRC, email or other mediums where users can share files.
AVERT Recommended Updates :
* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch )
* scriptlet.typelib/Eyedog vulnerability patch
* Outlook as an email attachment security update
* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield
For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link .
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information .
It is very common for macro viruses to disable options within Office applications for example in Word, the macro protection warning commonly is disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.
Variants
Variants -
N/A
