Anti-Pascal 605 Virus (12-Feb-1991)

Entry................ Anti-Pascal 605 Virus
Alias(es)............ AP-605, V605, C-605 Virus
Virus Strain......... Anti-Pascal strain
Virus detected when.. June 1990
              where.. Sofia
Classification....... Program Virus extending .COM, direct action
Length of Virus...... 605 Bytes
--------------------- Preconditions ----------------------------------
Operating System(s).. MS-DOS, PC-DOS
Version/Release...... 2.1x upward
Computer models...... IBM PC/XT/AT and compatibles
--------------------- Attributes -------------------------------------
Easy identification.. Infected files begin with "PQVWS". They also
                      contain the string "combakpas???exe" at offset
                      0x17.
Self identification.. Files are considered infected if the word at
                      offset 7 contains 0x10C.
VIRSCAN string....... BF00018B360C0103F7B95D021E07EA00, scan COM
                      files only.
Type of infection.... Extends .COM files. The virus overwrites the
                      first 605 bytes of the file. The original 605
                      bytes are moved after the end of the file.
Infection Trigger.... Execution of an infected file.
Storage Media affected Infects .COM files on the current drive and on
                      disk D:.
Interrupts hooked.... INT 24h during infection.
Damage............... transient: ---
                      permanent: may overwrite .BAK and .PAS files.
Damage trigger....... If less than two files in the current directory
                      can be infected, a .BAK or .PAS file is selected
                      and overwritten with the virus body. The virus
                      then tries to rename the file with a .COM or (if
                      the rename is unsuccessful) .EXE extension, but
                      due to a bug this never succeeds.
Infective range...... Only files with length 605 to 64930 bytes are
                      infected.
Particularities...... 1. Files larger than 64674 bytes are no longer
                         loadable after infection.
                      2. If the Archive attribute of the file is
                         reset, the virus sets it after infection.
                      3. If the ReadOnly attribute of the file is set,
                         the virus is not able to infect it.
                      4. File date is modified.
Similarities......... ---
--------------------- Agents -----------------------------------------
Countermeasures...... Category 1: Monitoring files
                      Category 2: Alteration detection
                      Category 3: Eradication
-ditto- successful... Category 1: FluShot+, Anti4us
                      Category 2: Sentry
                      Category 3: V605Clr.Com
Standard means....... Setting the attributes of the .COM files to
                      ReadOnly effectively prevents this virus from
                      infecting/spreading.
--------------------- Acknowledgement --------------------------------
Location............. Bulgarian Academy of Sciences, Sofia
Classification by.... Vesselin Bontchev
Documentation by .... Vesselin Bontchev
Date................. June 7, 1990
Information Source... ---
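
The identification markers and the file layout given under "Attributes" are enough to check a .COM image and rebuild the host from it. The following is an added example, not part of the original entry and not the code of V605Clr.Com; it assumes the self-identification word is stored little-endian and that the saved 605 bytes are the last 605 bytes of the file, and all function names are hypothetical.

```python
import struct

VIRUS_LEN = 605                      # "Length of Virus" from the entry
PREFIX = b"PQVWS"                    # "Easy identification" marker
SELF_ID_OFFSET, SELF_ID = 7, 0x10C   # "Self identification" word
MIN_INFECTED = 605 + VIRUS_LEN       # smallest host in the infective range, plus the virus
MAX_INFECTED = 64930 + VIRUS_LEN     # largest host in the infective range, plus the virus


def looks_infected(data: bytes) -> bool:
    """True if data carries both markers and a plausible infected size."""
    if not MIN_INFECTED <= len(data) <= MAX_INFECTED:
        return False
    if not data.startswith(PREFIX):
        return False
    # Assumption: the self-identification word is stored little-endian.
    (word,) = struct.unpack_from("<H", data, SELF_ID_OFFSET)
    return word == SELF_ID


def restore(data: bytes) -> bytes:
    """Rebuild the host: saved first 605 bytes from the tail, then the untouched rest."""
    if not looks_infected(data):
        raise ValueError("Anti-Pascal 605 markers not found")
    return data[-VIRUS_LEN:] + data[VIRUS_LEN:-VIRUS_LEN]


def make_sample(host: bytes) -> bytes:
    """Constructed test input: marker bytes plus zero padding, no virus code."""
    body = bytearray(VIRUS_LEN)
    body[:5] = PREFIX
    struct.pack_into("<H", body, SELF_ID_OFFSET, SELF_ID)
    return bytes(body) + host[VIRUS_LEN:] + host[:VIRUS_LEN]


if __name__ == "__main__":
    host = bytes(range(256)) * 4     # constructed 1024-byte stand-in for a .COM file
    sample = make_sample(host)
    print(looks_infected(host), looks_infected(sample), restore(sample) == host)
```

Work on a copy of the file: the two markers are a heuristic, and the restore recovers only the file contents, not the modified file date or Archive attribute.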