Virus.DOS.Alabama

Technical Details

It is a very dangerous resident virus. It affects .EXE-files in the current

disk directory, where a file is being run from or opened in. An infected file

is being searched by the FindFirst and FindNext functions and not necessarily

coincides with a file being opened or executed. On infecting, “Alabama” uses

FCB-functions for work with files, appends to the file end; incorrect

infection is possible. In an infected file the time of last modification is

set to 62 seconds.

This infector tries to “survive” a reboot – for this purpose it sets INT 9h

(keyboard), hooks the Alt-Ctrl-Del combination, then turns off the screen and

calls the boot procedure (INT 19h). During this operation the codes of the

virus are not erased.

Depending on the current time “Alabama” might displays the messages:

+—————————————————–+
? SOFTWARE COPIES ARE PROHIBITED BY INTERNATIONAL LAW ?
?                                                     ?
?          Box 1055 Tuscambia ALABAMA                 ?
+—————————————————–+

The virus hooks INT 9, 21h, contains the text string “????????EXE” and

doesn’t have destructive functions. But it works incorrectly with files and

the memory – might hang up the system.