Revenge.1122

This page shows details and results of our analysis of the malware Revenge.1122.

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.


Minimum DAT: 4002 (1998-12-02)

Updated DAT: 4002 (1998-12-02)

Minimum Engine: 5.1.00

File Length: 1,127 Bytes

Description Added: 1991-06-15

Description Modified: 1991-06-15

Malware Proliferation

Characteristics

Revenge.1127 is a memory resident, file infecting virus. It infects .COM files, including COMMAND.COM. It is destructive when it activates.

Upon infection, the virus becomes memory resident as a low system memory Terminate-and-Stay Resident (TSR) of 1,392 bytes. Interrupt 21 is hooked by the virus. COMMAND.COM is also infected by the virus at this time.

Once Revenge Attacker is memory resident, it infects one .COM file each time an infected file is executed.

Additional Comments:

The Revenge Attacker, or 777, virus was received in June 1991. It originated in the Philippines. Revenge Attacker is a memory resident generic infector of .COM programs, including COMMAND.COM. It is a very destructive virus when it activates.

The first time a program infected with Revenge Attacker is executed, the virus will install itself memory resident as a low system memory TSR of 1,392 bytes. Interrupt 21 will be hooked by the virus. COMMAND.COM will also be infected by the virus at this time. Once Revenge Attacker is memory resident, it will infect one .COM program each time an infected program is executed. Infected programs will increase in size by 1,127 bytes, with the virus being located at the end of the infected program. Infected programs will also have their date and time in the disk directory updated to the system date and time when infection occurred.

Infected programs will be marked by the virus with the text string "777" being found in the fourth through sixth bytes of infected files. There are two other text strings which appear in infected programs:

"*** 777 - Revenge Attacker V1.01 ***"
"*.COM"

Revenge Attacker's low system memory TSR is not used for file infection, but will interfere with system operation when some DOS internal commands are issued. For example, issuing a DIR command when Revenge Attacker is memory resident will result in a directory display with the first directory entry repeated in place of each actual directory entry. After a DIR command, the system will hang.

After all .COM programs in the current directory are infected, Revenge Attacker will activate. At this time it will display the first text string indicated above, followed by repeated 7's across the screen. While it is displaying the message and writing the 7's to the screen, it will overwrite the system hard disk starting with Side 0, Cylinder 1, Sector 0. FAT corruption, directory corruption, and file loss may result even if the user turns off the computer immediately when the message is displayed.

Symptoms

Infected files are marked by the virus with the text string "777" being found in the fourth through sixth bytes of infected files. There are two other text strings which appear in infected files:

"*** 777 - Revenge Attacker V1.01 ***"
"*.COM"

Revenge.1127's low system memory TSR is not used for file infection, but interferes with system operation when some DOS internal commands are issued. For example, issuing a DIR command when Revenge.1127 is memory resident results in a directory display with the first directory entry repeated in place of each actual directory entry. After a DIR command, the system hangs.

After all .COM files in the current directory are infected, Revenge.1127 activates. At this time it displays the first text string indicated above, followed by repeated 7's across the screen. While it is displaying the message and writing the 7's to the screen, it overwrites the system hard disk starting with Side 0, Cylinder 1, Sector 0. FAT corruption, directory corruption, and file loss may result even if the user turns the computer off immediately when the message is displayed.

Infected files increase in size by 1,127 bytes. The virus is located at the end of the infected file. Infected files have their date and time in the disk directory updated to the system date and time of infection.
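As an added defender-side example (not code from the original description), the following Python checks a .COM image for the indicators listed above: the "777" marker in the fourth through sixth bytes, the two text strings in the appended 1,127-byte tail, and a whole-directory sweep. The jump-placeholder layout used by build_sample() is an assumption made only to construct test data, not a description of the virus's own file layout.

```python
"""Added example: scan .COM files for the Revenge.1127 / Revenge Attacker markers.
Indicators are taken from the description above; build_sample() produces
constructed test data, not a reproduction of a real infected file."""
from pathlib import Path

MARKER = b"777"
MARKER_OFFSET = 3          # fourth byte of the file, zero-indexed
VIRUS_LENGTH = 1127        # size increase of an infected .COM file
STRINGS = (b"*** 777 - Revenge Attacker V1.01 ***", b"*.COM")


def scan_com_image(data: bytes) -> dict:
    """Report which indicators a .COM image carries; marker plus both strings => infected."""
    has_marker = data[MARKER_OFFSET:MARKER_OFFSET + len(MARKER)] == MARKER
    # The virus body is appended, so the strings should sit in the trailing 1,127 bytes.
    tail = data[-VIRUS_LENGTH:]
    found = [s.decode() for s in STRINGS if s in tail]
    return {
        "marker": has_marker,
        "strings": found,
        "infected": has_marker and len(found) == len(STRINGS),
    }


def scan_directory(directory: str) -> list:
    """Return (path, result) for every *.COM file in the directory that matches."""
    hits = []
    for path in sorted(Path(directory).glob("*.[Cc][Oo][Mm]")):
        result = scan_com_image(path.read_bytes())
        if result["infected"]:
            hits.append((str(path), result))
    return hits


def build_sample(clean: bytes) -> bytes:
    """Constructed sample used only to exercise the scanner.

    Assumed layout (not stated on the page): a 3-byte jump placeholder, the
    "777" marker, the remaining original bytes, then a 1,127-byte tail that
    holds the two strings. Real infected files preserve the original program
    differently; this only checks that the indicator logic fires.
    """
    tail = bytearray(VIRUS_LENGTH)
    tail[0:len(STRINGS[0])] = STRINGS[0]
    tail[64:64 + len(STRINGS[1])] = STRINGS[1]
    return b"\xe9\x00\x00" + MARKER + clean[6:] + bytes(tail)
```

Because the "777" marker is the only cheap, fixed-offset check, a scan of a whole directory keys on it first and then confirms with the strings, which keeps false positives from files that merely contain "*.COM".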

Method of Infection

The only way to infect a computer with a file infecting virus is to execute an infected file on the computer. The infected file may come from a multitude of sources including: floppy diskettes, downloads through an online service, network, etc. Once the infected file is executed, the virus may activate.

Removal

All Users:
Script, Batch, Macro and non memory-resident:
Use current engine and DAT files for detection and removal.

PE, Trojan, Internet Worm and memory resident:
Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use a boot diskette and use the command line scanner:

SCANPM /ADL /CLEAN /ALL

Additional Windows ME/XP removal considerations


Users should not trust file icons, particularly when receiving files from others via P2P clients, IRC, email or other mediums where users can share files.

AVERT Recommended Updates:

* Office2000 Updates

* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch)

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link.
Additionally, Network Administrators can configure this update using an available tool; visit this link for more information.

It is very common for macro viruses to disable options within Office applications; for example, in Word the macro protection warning is commonly disabled. After cleaning macro viruses, ensure that your previously set options are enabled again.

Variants