Intruder
Type: File virus
Creator: Mark Ludwig
Date Discovered: 1991
Place of Origin: United States
Source Language: Assembly
Platform: DOS
File Type(s): .exe
Infection Length: 1,319 - 1,333 bytes

Intruder is a DOS virus first featured in the "Little Black Book of Computer Viruses" by Mark Ludwig. In the book, it is used as a demonstration of a DOS .exe infector. Intruder.B, functionally similar to the original, was the actual version featured in the Black Book.

Behavior

When an Intruder-infected file is executed, it will search for a suitable file in the current working directory. Such a file must have "MZ" at the beginning, be specifically a DOS .exe (not Windows or OS/2), have an overlay number of "0" and have room in its relocation pointer table for two more pointers. It also checks for previous infections by looking for its marker, an initial IP of 0057h, and skips any file in which it finds that marker.

It appends itself to the file and returns control to the host program. Though infected files will show a size increase, the date and time in the DOS directory listing will not be altered. Some systems may hang when an infected file is executed.
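The header conditions described above can be read straight out of the 28-byte DOS EXE header, which makes the marker usable as a quick triage check. The following is an added example, not code from the book or from any antivirus product: the function names, result labels and sample headers are constructed here, and treating a relocation table offset of 40h or more as "not a plain DOS .exe" is an assumption about how that distinction is made.

```python
import struct

MZ_HEADER = struct.Struct("<2s13H")   # 28-byte DOS EXE header, little-endian
INTRUDER_MARKER_IP = 0x0057           # initial IP value the page names as the marker

def parse_mz(data):
    """Return the DOS header fields as a dict, or None if this is not an MZ file."""
    if len(data) < MZ_HEADER.size:
        return None
    names = ("magic", "cblp", "cp", "crlc", "cparhdr", "minalloc", "maxalloc",
             "ss", "sp", "csum", "ip", "cs", "lfarlc", "ovno")
    hdr = dict(zip(names, MZ_HEADER.unpack_from(data)))
    return hdr if hdr["magic"] == b"MZ" else None

def triage(data):
    """Classify a file image against the header conditions described above."""
    hdr = parse_mz(data)
    if hdr is None:
        return "not-mz"
    # Assumption: a relocation table offset of 0x40 or more signals a
    # new-style (Windows or OS/2) executable rather than a plain DOS one.
    if hdr["lfarlc"] >= 0x40:
        return "not-plain-dos"
    if hdr["ovno"] != 0:
        return "overlay"
    if hdr["ip"] == INTRUDER_MARKER_IP:
        return "marker-present"   # heuristic hit only; confirm with a signature scan
    return "clean-header"

def sample_header(ip, lfarlc=0x1C, ovno=0):
    """Build a constructed header (not taken from a real file) for demonstration."""
    return MZ_HEADER.pack(b"MZ", 0x50, 3, 1, 2, 0, 0xFFFF, 0, 0x100, 0,
                          ip, 0, lfarlc, ovno) + bytes(36)

if __name__ == "__main__":
    for label, img in [("marked", sample_header(0x0057)),
                       ("ordinary", sample_header(0x0000)),
                       ("windows-style", sample_header(0x0057, lfarlc=0x40)),
                       ("text", b"hello world, not an executable......")]:
        print(label, "->", triage(img))
```

An initial IP of 0057h can also occur in an uninfected program, so a "marker-present" result is a reason to scan the file further, not proof of infection.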

Variants

Intruder developed into a decent-sized virus family with close to 30 variants. Most were functionally similar to the original, though varying in size from 1,319 bytes to 2,336 bytes. All were produced in the early and mid-1990s, with the latest known one, Intruder.2051, having been discovered in January of 1996.

Intruder.1440

This variant is one of the few that seems to have an intentional (though still non-destructive) payload that activates after three or four programs have been infected by a particular file. It can simply produce the system hang produced by other variants, or it can produce a warbling sound through the speakers, followed by a system hang. It appeared in November of 1992.

Intruder.1988

This variant is very similar to Intruder.1440 and may be a correction of this virus, possibly by the same coder. Instead of a warbling sound, it plays a melody after three or four infections. It was also first discovered in November of 1992.

Other Variants

  • Intruder.1326 - This variant, discovered in December of 1992, may corrupt .exe files instead of infecting them.
  • Intruder.Bell - Appearing in April of 1993, this variant was altered enough to avoid detection by antivirus programs familiar with the original.
  • Intruder.1336 - This variant was discovered in July of 1995 and contains the text string "Anti-Print II".
  • Intruder.1353 - Also discovered in July of 1995, this variant has a couple of interesting text strings, including "Product of Wolters Kluwer Peter Martin." and "SAMPLE XE".

Effects

The virus was extremely rare in the wild. This, in addition to its having no intentionally destructive payload, likely means the level of damage it ever caused was negligible. The original Intruder was discovered in the wild in March of 1992.

Sources

Mark Ludwig. The Giant Black Book of Computer Viruses, Second Edition, Chapter 7: Infecting EXE Files. American Eagle Publications, Show Low, Arizona, 1998, pp. 71-80. ISBN 0-929408-23-3.

Patricia Hoffman. Online VSUM, Intruder Virus.
