Anti-Pascal

Type: Virus
SubType: File Infector
Discovery Date: 06/01/1990
Length: 605 Bytes
Minimum DAT: 4002 (12/02/1998)
Updated DAT: 4289 (08/27/2003)
Minimum Engine: 5.1.00
Description Added: 06/15/1990
Description Modified: 06/15/1990 12:00 AM (PT)
Risk Assessment:
  Corporate User: Low
  Home User: Low

Characteristics

Anti-Pascal is a file infecting virus. It infects .COM files, including COMMAND.COM. While this virus does not become memory resident, when it is in the process of infecting files, interrupt 24 is hooked.

Each time a file infected with the Anti-Pascal virus is executed, the virus attempts to infect two other .COM files on the current drive or on drive D: which are between 605 and 64,930 bytes in length. These files must not have the read-only attribute set. If an uninfected .COM file meeting the virus's selection criteria is found, the first 605 bytes of the file are overwritten with the viral code.

If the Anti-Pascal virus cannot find two .COM files to infect, it checks the current drive and directory for .BAK and .PAS files. If these files exist, they are overwritten with the virus's code. If the overwritten files were .PAS files, the system's user has now lost some of their Pascal source code. After overwriting .BAK and .PAS files, the virus attempts to rename them to .COM files, or .EXE files if a .COM file already exists. This renaming does not work due to a bug in the virus.

Additional Comments:
The Anti-Pascal virus, V605 or C-605, was isolated in Sofia, Bulgaria in June 1990 by Vesselin Bontchev. Originally, it was thought that the Anti-Pascal virus was from the USSR or Poland, but it has since been determined to have been a research virus written in Bulgaria over one year before it was isolated. The author was not aware that it had "escaped" until July, 1990.

The Anti-Pascal virus is a generic .COM file infector, including COMMAND.COM. While this virus is not memory resident, when it is in the process of infecting files, interrupt 24 will be hooked.

When a program infected with the Anti-Pascal virus is executed, the virus will attempt to infect two other .COM files on the current drive or on drive D: which are between 605 and 64,930 bytes in length. These files must not have the read-only attribute set. If an uninfected .COM file meeting the virus's selection criteria is found, the first 605 bytes of the program are overwritten with the viral code. The original 605 bytes of the program are then appended to the end of the infected file. Infected files will have increased in length by 605 bytes, and they will also begin with the text string "PQVWS" as well as contain the string "combakpas???exe" at offset 0x17. Infected files will also have had their file date/time stamps in the directory updated to the date/time that the infection occurred.

If the Anti-Pascal virus cannot find two .COM files to infect, it will check the current drive and directory for .BAK and .PAS files. If these files exist, they will be overwritten with the virus's code. If the overwritten files were .PAS files, the system's user has now lost some of their Pascal source code. After overwriting .BAK and .PAS files, the virus will attempt to rename them to .COM files, or .EXE files if a .COM file already exists. This renaming does not work due to a bug in the virus.

Known variant(s) Anti-Pascal are:

Symptoms

Infected files increase in length by 605 bytes. They begin with the text string "PQVWS" and contain the string "combakpas???exe" at offset 0x17. Their file date/time stamps in the directory are updated to the date/time that the infection occurred.
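The two strings above are enough for a triage check, and the layout given under Additional Comments (viral code in the first 605 bytes, the original 605 bytes appended at the end) allows an infected .COM image to be rebuilt. The following is an added example, not vendor code; the function names are hypothetical, the "?" characters in the marker are assumed to be literal bytes, and the sample data is constructed with zero padding in place of any viral code.

```python
import os

VIRUS_LEN = 605                    # bytes of viral code, per the description
PREFIX = b"PQVWS"                  # text string at the start of an infected file
MARKER = b"combakpas???exe"        # string at 0x17; '?' read as literal bytes (assumption)
MARKER_OFF = 0x17
HOST_MIN, HOST_MAX = 605, 64930    # host sizes the virus selects

def has_signature(data: bytes) -> bool:
    """True if the buffer carries both strings listed under Symptoms."""
    end = MARKER_OFF + len(MARKER)
    return data.startswith(PREFIX) and data[MARKER_OFF:end] == MARKER

def restore_com(data: bytes) -> bytes:
    """Rebuild the original .COM image from an infected one."""
    host_len = len(data) - VIRUS_LEN
    if not has_signature(data) or not HOST_MIN <= host_len <= HOST_MAX:
        raise ValueError("not an Anti-Pascal infected .COM image")
    # Layout: [605 viral bytes][host[605:]][host[:605] appended at the end]
    return data[-VIRUS_LEN:] + data[VIRUS_LEN:-VIRUS_LEN]

def scan(root: str):
    """Yield paths under root whose first bytes match the signature."""
    for folder, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(folder, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(MARKER_OFF + len(MARKER))
            except OSError:
                continue               # unreadable file: skip it
            if has_signature(head):
                yield path

# Constructed sample: zero padding stands in for the viral code.
SAMPLE_HOST = bytes(range(256)) * 4    # 1024-byte stand-in for a clean .COM
_stub = (PREFIX.ljust(MARKER_OFF, b"\0") + MARKER).ljust(VIRUS_LEN, b"\0")
SAMPLE_INFECTED = _stub + SAMPLE_HOST[VIRUS_LEN:] + SAMPLE_HOST[:VIRUS_LEN]

if __name__ == "__main__":
    print(has_signature(SAMPLE_INFECTED),
          restore_com(SAMPLE_INFECTED) == SAMPLE_HOST)
```

restore_com applies only to infected .COM hosts and should be run on a copy of the file; overwritten .BAK and .PAS files match the same signature but their original content is lost.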

Method of Infection

The only way to infect a computer with a file infecting virus is to execute an infected file on the computer. The infected file may come from a multitude of sources including: floppy diskettes, downloads through an online service, network, etc. Once the infected file is executed, the virus may activate.

Removal

All Users:
Script, Batch, Macro and non memory-resident:
Use current engine and DAT files for detection and removal.

PE, Trojan, Internet Worm and memory resident:
Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use a boot diskette and use the command line scanner:

SCANPM /ADL /CLEAN /ALL

Users should not trust file icons, particularly when receiving files from others via P2P clients, IRC, email or other mediums where users can share files.

AVERT Recommended Updates :

* Office2000 Updates

* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch)

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link.
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information.

It is very common for macro viruses to disable options within Office applications; for example, in Word the macro protection warning is commonly disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.

Variants

  • AP-529
  • Anti Pascal.407
  • Anti Pascal.440.A
  • Anti Pascal.480.A
  • Anti Pascal.440.B
  • Anti Pascal.480.B

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Anti-Pascal 605 Virus
  • AP
  • AP-605
  • C-605
  • V605
