ABC (computer virus)

Last updated
ABC
Common nameABC
Technical nameABC
AliasesABC-2378, ABC.2378, ABC.2905, with variants ABC-2918, ABC-2918B
FamilyN/A
Classification Virus
Type DOS
Subtype COM and EXE corrupter, other nuisance behaviors
Isolation1992 [1]
Point of isolationUnknown
Point of origin USSR
Author(s)Unknown

ABC, discovered in October 1992, is a memory-resident, file-infecting computer virus which infects EXE files and may alter both COM and EXE files. ABC activates on the 13th day of every month.

Upon infection, ABC becomes memory-resident at the top of system memory but below the 640K DOS boundary and hooks interrupts 16 and 1C. The copy of command.com pointed to by the COMSPEC environment variable may also be altered. ABC infects/alters COM and EXE files as they are executed.

After infection, total system memory, as measured by the DOS CHKDSK program, will not be altered, but available free memory will have decreased by approximately 8,960 bytes. Altered, but not infected, COM or EXE files will have 4 to 30 bytes added to their length. Infected EXE files (COM files are never infected) have a file length increase of 2,952 to 2,972 bytes, and ABC is located at the end of the infected EXE. An altered/infected file's date and time in the DOS disk directory listing may have been updated to the current system date and time when the file was altered/infected.

No text strings are visible within the viral code in infected EXE files, but the following text strings are encrypted within the initial copy of the ABC virus:

ABC_FFEA
Minsk 8.01.92
ABC

ABC causes keystrokes on the compromised machine to be repeated. It seems double-letter combinations trigger this behavior, e.g. "book" becomes "boook[ sic ]". System hangs may also occur when some programs are executed, a likely side effect of ABC-induced corruption.

The ABC virus is not to be confused with the ABC keylogger trojan, written in 2004 by Jan ten Hove.

Related Research Articles

COM file file format

A COM file is a type of simple executable file. On the Digital Equipment operating systems of the 1970s, .COM was used as a filename extension for text files containing commands to be issued to the operating system. With the introduction of CP/M, the type of files commonly associated with COM extension changed to that of executable files. This convention was later carried over to DOS. Even when complemented by the more general EXE file format for executables, the compact COM files remained viable and frequently used under DOS.

Abraxas, also known as Abraxas5, discovered in April 1993, is an encrypted, overwriting, file infecting computer virus which infects .COM and .EXE files, although it does not infect command.com. It does not become memory resident. Each time an infected file is executed, Abraxas infects the copy of dosshell.com located in the C:\DOS directory, as well as one EXE file in the current directory. Due to a bug in the virus, only the first EXE file in any directory is infected.

Acid is a computer virus which infects .COM and .EXE files including command.com. Each time an infected file is executed, Acid infects all of the .EXE files in the current directory. Later, if an infected file is executed, it infects the .COM files in the current directory. Programs infected with Acid will have had the first 792 bytes of the host program overwritten with Acid's own code. There will be no file length increase unless the original host program was smaller than 792 bytes, in which case it will become 792 bytes in length. The program's date and time in the DOS disk directory listing will not be altered.

Ada is a computer virus that can affect any of the DOS operating systems. Ada was first discovered in 1991.

AI is a computer virus which infects .EXE files. The virus is loaded into memory by executing an infected program and then affects the computer's run time operation and corrupts program or overlay files. It does not appear to work with all .EXE files but does infect standard DOS files easily. AI adds meaningless garbage bytes to the end of the host file.

AIDS (computer virus) computer virus

AIDS is a computer virus written in Turbo Pascal 3.01a which overwrites COM files. AIDS is the first virus known to exploit the MS-DOS "corresponding file" vulnerability. In MS-DOS, if both foo.com and foo.exe exist, then foo.com will always be executed first. Thus, by creating infected com files, AIDS code will always be executed before the intended exe code.

Jerusalem is a logic bomb DOS virus first detected at Hebrew University of Jerusalem, in October 1987. On infection, the Jerusalem virus becomes memory resident, and then infects every executable file run, except for COMMAND.COM. COM files grow by 1,813 bytes when infected by Jerusalem and are not re-infected. Executable files grow by 1,808 to 1,823 bytes each time they are infected, and are then re-infected each time the files are loaded until they are too large to load into memory. Some .EXE files are infected but do not grow because several overlays follow the genuine .EXE file in the same file. Sometimes .EXE files are incorrectly infected, causing the program to fail to run as soon as it is executed.

Westwood is a computer virus, a variant of the Jerusalem family, discovered August 1990, in Westwood, Los Angeles, California. The virus was isolated by a UCLA engineering student who discovered it in a copy of the "speed.com" program distributed with a new motherboard. Viral infection was first indicated when an early version of Microsoft Word reported internal checksum failure and failed to run.

Scott's Valley [sic] is a computer virus, a member of the Slow virus family and distantly related to the Jerusalem virus family. It was discovered in September 1990 in Scotts Valley, California.

Sunday is a computer virus, a member of the Jerusalem virus family. It was discovered in November 1989 after a number of simultaneous reports from Seattle, Washington, United States, and surrounding areas. Several other Seattle outbreaks, including AirCop, were later traced to Asia.

Alabama is a computer virus, discovered October 1989 on the campus of Hebrew University in Jerusalem.

This article contains all the viruses of Ontario family.

Bomber is a DOS polymorphic memory resident computer virus, known for its technique of "patchy infection". This method of infection is very similar to that which is utilised by the OneHalf computer virus.


The Vundo Trojan is either a Trojan horse or a computer worm that is known to cause popups and advertising for rogue antispyware programs, and sporadically other misbehavior including performance degradation and denial of service with some websites including Google and Facebook. It also is used to deliver other malware to its host computers. Later versions include rootkits and ransomware.

Eliza is a computer virus discovered in December 1991. It infects COM files including Command.com. It has been reported that it is defective, yet destroys the .EXE files it creates. The .COM files do not get deleted. The date of the file will not be altered by the infection to avoid detection, infected files increase in length by 1,193 or 1,194 bytes. Eliza is also found in later versions of Windows.

5lo is a computer virus that increases file size and does little more than replicate. Size: 1,032 bytes

Computer virus computer program that can replicate itself and spread from one computer to another

A computer virus is a type of computer program that, when executed, replicates itself by modifying other computer programs and inserting its own code. When this replication succeeds, the affected areas are then said to be "infected" with a computer virus.

The Fun.Exe virus is of the w32.Assarm family of computer viruses. According to Symantec it registers itself as a Windows system process then periodically sends mail with spreading attachments as a response to any unopened emails in Outlook Express. This virus first appeared in early 2008 and is now recognized by most anti virus programs.

Sality is the classification for a family of malicious software (malware), which infects files on Microsoft Windows systems. Sality was first discovered in 2003 and has advanced over the years to become a dynamic, enduring and full-featured form of malicious code. Systems infected with Sality may communicate over a peer-to-peer (P2P) network to form a botnet for the purpose of relaying spam, proxying of communications, exfiltrating sensitive data, compromising web servers and/or coordinating distributed computing tasks for the purpose of processing intensive tasks. Since 2010, certain variants of Sality have also incorporated the use of rootkit functions as part of an ongoing evolution of the malware family. Because of its continued development and capabilities, Sality is considered to be one of the most complex and formidable forms of malware to date.

References

  1. "ABC Virus". VSUM. Retrieved 12 February 2013.