McAfee > Theat Center > Virus Detail Page

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• ABC-2378

• ABC.2378

• ABC.2905

Characteristics

ABC is a memory resident, file infecting virus. It infects .EXE files, and it also alters .COM files.

Upon infection, the ABC virus becomes memory resident at the top of system memory but below the 640K DOS boundary. It hooks interrupts 16 and 1C. The copy of COMMAND.COM pointed to by the COMSPEC environmental variable may also be altered at this time.

Once the ABC virus is memory resident, it infects or alters .COM and .EXE files as they are executed.

Additional Comments:
The ABC virus was received in October, 1992. It is originally from the USSR. ABC is a memory resident infector of .EXE programs, though it does also alter .COM files. The first time a program infected with the ABC virus is executed, the ABC virus will install itself memory resident at the top of system memory but below the 640K DOS boundary, hooking interrupts 16 and 1C. Total system memory, as measured by the DOS CHKDSK program, will not be altered, but available free memory will have decreased by approximately 8,960 bytes. The copy of COMMAND.COM pointed to by the COMSPEC environmental variable may also be altered at this time. Once the ABC virus is memory resident, it will infect or alter .COM and .EXE programs when they are executed. .COM programs are not infected by the virus, but may be altered, adding 4 to 30 bytes to their length. .EXE programs may be infected by the virus, adding 2,952 to 2,972 bytes to their length with the virus being located at the end of the file. .EXE programs which are not infected may be altered, adding 4 to 30 bytes to their length. The file's date and time in the DOS disk directory listing may have been updated to the current system date and time when the file was altered/infected. No text strings are visible within the viral code in infected .EXE programs, but the following text strings are encrypted within the virus: "ABC_FFEA" "Minsk 8.01.92" "ABC" Systems infected with the ABC virus may experience keystrokes on the system keyboard are frequently repeated, as well as system hangs occurring when some programs are executed. Known variant(s) of ABC are:

Symptoms

No text strings are visible within the viral code in infected .EXE files, although the following text strings are encrypted within the virus:

"ABC_FFEA"
"Minsk 8.01.92"
"ABC"

Systems infected with the ABC virus may experience keystrokes on the system keyboard frequently repeated, as well as system hangs occurring when some files are executed.

Total system memory, as measured by the DOS CHKDSK program, is not altered, but available free memory decreases by approximately 8,960 bytes. .COM files are not infected by the virus, but may be altered, adding 4 to 30 bytes to their length. Infected .EXE files have a file length increase of 2,952 to 2,972 bytes. The virus is located at the end of the file. .EXE files which are not infected may be altered, adding 4 to 30 bytes to their length. The file's date and time in the DOS disk directory listing may have been updated to the current system date and time when the file was altered/infected.

Method of Infection

The only way to infect a computer with a file infecting virus is to execute an infected file on the computer. The infected file may come from a multitude of sources including: floppy diskettes, downloads through an online service, network, etc. Once the infected file is executed, the virus may activate.

Removal

All Users :
Script,Batch,Macro and non memory-resident:
Use current engine and DAT files for detection and removal.

PE,Trojan,Internet Worm and memory resident :
Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use a boot diskette and use the command line scanner:

Additional Windows ME/XP removal considerations

Users should not trust file icons, particularly when receiving files from others via P2P clients, IRC, email or other mediums where users can share files.

AVERT Recommended Updates :

* Office2000 Updates

* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch )

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link .
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information .

It is very common for macro viruses to disable options within Office applications for example in Word, the macro protection warning commonly is disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.

Variants

Variants

• ABC-2918
• ABC-2918B

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• ABC-2378

• ABC.2378

• ABC.2905

Characteristics

Characteristics -

ABC is a memory resident, file infecting virus. It infects .EXE files, and it also alters .COM files.

Upon infection, the ABC virus becomes memory resident at the top of system memory but below the 640K DOS boundary. It hooks interrupts 16 and 1C. The copy of COMMAND.COM pointed to by the COMSPEC environmental variable may also be altered at this time.

Once the ABC virus is memory resident, it infects or alters .COM and .EXE files as they are executed.

Additional Comments:
The ABC virus was received in October, 1992. It is originally from the USSR. ABC is a memory resident infector of .EXE programs, though it does also alter .COM files. The first time a program infected with the ABC virus is executed, the ABC virus will install itself memory resident at the top of system memory but below the 640K DOS boundary, hooking interrupts 16 and 1C. Total system memory, as measured by the DOS CHKDSK program, will not be altered, but available free memory will have decreased by approximately 8,960 bytes. The copy of COMMAND.COM pointed to by the COMSPEC environmental variable may also be altered at this time. Once the ABC virus is memory resident, it will infect or alter .COM and .EXE programs when they are executed. .COM programs are not infected by the virus, but may be altered, adding 4 to 30 bytes to their length. .EXE programs may be infected by the virus, adding 2,952 to 2,972 bytes to their length with the virus being located at the end of the file. .EXE programs which are not infected may be altered, adding 4 to 30 bytes to their length. The file's date and time in the DOS disk directory listing may have been updated to the current system date and time when the file was altered/infected. No text strings are visible within the viral code in infected .EXE programs, but the following text strings are encrypted within the virus: "ABC_FFEA" "Minsk 8.01.92" "ABC" Systems infected with the ABC virus may experience keystrokes on the system keyboard are frequently repeated, as well as system hangs occurring when some programs are executed. Known variant(s) of ABC are:

Symptoms

Symptoms -

No text strings are visible within the viral code in infected .EXE files, although the following text strings are encrypted within the virus:

"ABC_FFEA"
"Minsk 8.01.92"
"ABC"

Systems infected with the ABC virus may experience keystrokes on the system keyboard frequently repeated, as well as system hangs occurring when some files are executed.

Total system memory, as measured by the DOS CHKDSK program, is not altered, but available free memory decreases by approximately 8,960 bytes. .COM files are not infected by the virus, but may be altered, adding 4 to 30 bytes to their length. Infected .EXE files have a file length increase of 2,952 to 2,972 bytes. The virus is located at the end of the file. .EXE files which are not infected may be altered, adding 4 to 30 bytes to their length. The file's date and time in the DOS disk directory listing may have been updated to the current system date and time when the file was altered/infected.

Method of Infection

Method of Infection -

The only way to infect a computer with a file infecting virus is to execute an infected file on the computer. The infected file may come from a multitude of sources including: floppy diskettes, downloads through an online service, network, etc. Once the infected file is executed, the virus may activate.

Removal -

Removal -

All Users :
Script,Batch,Macro and non memory-resident:
Use current engine and DAT files for detection and removal.

PE,Trojan,Internet Worm and memory resident :
Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use a boot diskette and use the command line scanner:

Additional Windows ME/XP removal considerations

Users should not trust file icons, particularly when receiving files from others via P2P clients, IRC, email or other mediums where users can share files.

AVERT Recommended Updates :

* Office2000 Updates

* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch )

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link .
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information .

It is very common for macro viruses to disable options within Office applications for example in Word, the macro protection warning commonly is disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.

Variants

Variants -

• ABC-2918
• ABC-2918B