For Home

Virus Profile: Terminator-3549

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 12/1/1992
Date Added: 12/15/1992
Origin: N/A
Length: 3,549 Bytes
Type: Virus
Subtype: File Infector
DAT Required: 4002
Removal Instructions
   
 
 
   

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

The following text strings are visible within the viral code in Terminator-3549 infected files:

"*.exe"
"$456789:;=>?u"

Execution of infected files may result in the following message being displayed on the system monitor:

"Divide overflow"

Files infected with the Terminator-3549 virus have the first 3,549 bytes overwritten by the viral code. Unless the .EXE file was originally smaller than 3,549 bytes, there is no file length increase. Files smaller than 3,549 bytes in size before infection become 3,549 bytes in length after infection. The file's date and time in the DOS disk directory listing are updated to the current system date and time of infection.

Methods of Infection

The only way to infect a computer with a file infecting virus is to execute an infected file on the computer. The infected file may come from a multitude of sources including: floppy diskettes, downloads through an online service, network, etc. Once the infected file is executed, the virus may activate.
   

Virus Characteristics

Terminator-3549 is an overwriting, file infecting virus. It does not become memory resident. It infects .EXE files. It permanently damages the files it infects.

Each time an infected file is executed, the Terminator-3549 virus infects one .EXE file located on the C: drive. The virus infects .EXE files in the C: drive's root directory, and slowly works down the directory structure.

Additional Comments:
The Terminator-3549 virus was submitted in December, 1992. It is originally from The Netherlands. Terminator-3549 is a non-resident direct action overwriting virus which infects .EXE programs. It permanently damages the programs it infects. When a program infected with the Terminator-3549 virus is executed, the Terminator-3549 virus will infect one .EXE program located on the C: drive. The virus starting infecting .EXE programs in the C: drive's root directory, and will slowly work down the directory structure. Programs infected with the Terminator-3549 virus will have the first 3,549 bytes of the host program overwritten by the viral code. Unless the .EXE file was originally smaller than 3,549 bytes, there will be no file length increase. Programs smaller than 3,549 bytes in size before infection will become 3,549 bytes in length after infection. The program's date and time in the DOS disk directory listing will have been updated to the current system date and time when infection occurred. The following text strings are visible within the viral code in Terminator-3549 infected programs: "*.exe" "$456789:;=>?u" Execution of infected programs may result in the following message being displayed on the system monitor: "Divide overflow"

   
All Users :
Script,Batch,Macro and non memory-resident:
Use current engine and DAT files for detection and removal.

PE,Trojan,Internet Worm and memory resident :
Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use a boot diskette and use the command line scanner:

SCANPM /ADL /CLEAN /ALL

Additional Windows ME/XP removal considerations


Users should not trust file icons, particularly when receiving files from others via P2P clients, IRC, email or other mediums where users can share files.

AVERT Recommended Updates :

* Office2000 Updates

* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch )

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link .
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information .

It is very common for macro viruses to disable options within Office applications for example in Word, the macro protection warning commonly is disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.