ABC (computer virus)
ABC, discovered in October 1992, is a memory-resident, file-infecting computer virus which infects EXE files and may alter both COM and EXE files. ABC activates on the 13th day of every month.

Upon infection, ABC becomes memory-resident at the top of system memory but below the 640K DOS boundary and hooks interrupts 16 and 1C. The copy of command.com pointed to by the COMSPEC environment variable may also be altered. ABC infects/alters COM and EXE files as they are executed.

After infection, total system memory, as measured by the DOS CHKDSK program, will not be altered, but available free memory will have decreased by approximately 8,960 bytes. Altered, but not infected, COM or EXE files will have 4 to 30 bytes added to their length. Infected EXE files (COM files are never infected) have a file length increase of 2,952 to 2,972 bytes, and ABC is located at the end of the infected EXE. An altered/infected file's date and time in the DOS disk directory listing may have been updated to the current system date and time when the file was altered/infected.
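
The size figures above can be checked against a known-good baseline of file lengths. The following Python sketch is an added example, not part of the original article; the manifest format (`NAME SIZE DATE TIME`), the function names and the sample listings are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Growth ranges taken from the article text (bytes added to file length).
ALTERED_GROWTH = range(4, 31)         # altered, not infected: COM or EXE
INFECTED_GROWTH = range(2952, 2973)   # infected: EXE only

@dataclass(frozen=True)
class Entry:
    name: str
    size: int
    stamp: str   # directory date and time, kept as text

def parse_manifest(text):
    """Parse 'NAME SIZE DATE TIME' lines into a dict keyed by upper-case name."""
    entries = {}
    for line in text.strip().splitlines():
        name, size, stamp = line.split(maxsplit=2)
        entries[name.upper()] = Entry(name.upper(), int(size), stamp)
    return entries

def triage(baseline, current):
    """Return (name, verdict, growth, restamped) for each changed COM/EXE file."""
    findings = []
    for name, new in sorted(current.items()):
        old = baseline.get(name)
        if old is None or not name.endswith((".COM", ".EXE")):
            continue
        growth = new.size - old.size
        if growth == 0:
            continue
        if name.endswith(".EXE") and growth in INFECTED_GROWTH:
            verdict = "matches-infected-exe"
        elif growth in ALTERED_GROWTH:
            verdict = "matches-altered"
        else:
            verdict = "changed-other"   # e.g. a COM file, which ABC never infects
        findings.append((name, verdict, growth, new.stamp != old.stamp))
    return findings

# Constructed sample listings (hypothetical sizes and dates, not from a real system).
BASELINE = """COMMAND.COM 47845 04-09-91 05:00
EDIT.COM 413 04-09-91 05:00
CHKDSK.EXE 16200 04-09-91 05:00
FORMAT.COM 32911 04-09-91 05:00"""
CURRENT = """COMMAND.COM 47857 11-02-92 09:14
EDIT.COM 413 04-09-91 05:00
CHKDSK.EXE 19160 11-02-92 09:15
FORMAT.COM 35870 11-02-92 09:16"""

if __name__ == "__main__":
    for finding in triage(parse_manifest(BASELINE), parse_manifest(CURRENT)):
        print(*finding)
```

A match on length alone is only a triage signal; the baseline must come from media known to be clean.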

No text strings are visible within the viral code in infected EXE files, but the following text strings are encrypted within the initial copy of the ABC virus:
ABC_FFEA
Minsk 8.01.92
ABC


ABC causes keystrokes on the compromised machine to be repeated. It seems double-letter combinations trigger this behavior, e.g. "book" becomes "". System hangs may also occur when some programs are executed, a likely side effect of ABC-induced corruption.

The ABC virus is not to be confused with the ABC keylogger trojan, written in 2004 by Jan ten Hove.

The source of this article is Wikipedia, the free encyclopedia. The text of this article is licensed under the GFDL.