%%File: VIRS0212.TXT %%Name/Aliases: Carbuncle %%Platform: PC/MS-DOS %%Type: Companion program., %%Disk Location: EXE application., Directory. %%Features: Stealth, Direct acting. , Triggering mechanism that corrupts 5 files each time. %%Damage: Renames files., When triggered, It overwrites the virus code in 5 files with , *.CRP extension. %%Size: Adds a File called carbuncle.com which is 622 bytes long. , The *.EXE file renamed to *.CRP and creates a , companion batch file *.BAT. %%See Also: %%Notes: 1. The virus spreads via an infected file, and as time go on the whole directory will be infected. 2. The infection routine creates a file called " CARBUNCLE.COM " which has the attributes of read _only and hidden. 3. The virus searches for any file with *.EXE. It renames the file to *.CRP and creates a companion batch file as *.BAT. When the user execute an infected file, the companion *.BAT is executed, since *.EXE files are no longer their . The *.BAT has the following lines: @ECHO OFF CARBUNCLE RENAME ....*.CRP .....*.EXE .....*.EXE RENAME ....*.EXE ....*.CRP CARBUNCLE The method of infection and operation is quit clear from the above lines.The ECHO OFF command prevents the user from detecting any foul play in the system. The second line results in executing the various code and eventually more files are infected. The executable functions normally most of the time with a few error messages are issued. 4. The trigger routine is system time dependent. If the system time has a seconds field value less than 17, then the virus code is overwritten into 5 files with the extension of CRP. These files are damages and executing them will result in spreading the virus. 5. The virus is easy to detect and remove. Delete all BAT files and CARBUNCLE.COM file. Then, rename the CRP files to EXE . Some of the EXE files may contain the virus code which can be identified it contains the text string " PC CARBUNCLE:Crypt Newsletter 14 ".