This article has multiple issues. Please help improve it or discuss these issues on the talk page. (Learn how and when to remove these messages)
|
Alabama | |
---|---|
Technical name | Alabama |
Alias | Ala |
Type | DOS |
Subtype | DOS file infector |
Classification | Virus |
Family | Alabama |
Origin | Israel |
Authors | Ysrael Radai |
Alabama is a computer virus, discovered in October 1989 on the campus of the Hebrew University of Jerusalem.
Infection
Alabama is a fairly standard file infector outside its odd behaviour of deciding what files to infect. When an infected file is executed, Alabama goes memory resident. Whenever a .EXE file is executed from this point on, Alabama will search out for another file to infect. This is probably intended to place blame on the file that is being executed instead of the virus itself. Files infected by Alabama increase in size by 1,560 bytes.
Symptoms
A number of symptoms are associated with Alabama:
- EXE files will increase by 1,560 bytes in size upon infection.
- On Fridays, Alabama will begin to modify the File Allocation Table. As a result, when a file is executed, another may appear in its place. This is potentially dangerous. For more information, see the payload section.
- One hour after an infected program is run, Alabama will bring up a flashing box with the text: SOFTWARE COPIES PROHIBITED BY INTERNATIONAL LAW..............Box 1055 Tuscambia ALABAMA USA.
The third symptom is by far the clearest indication of an Alabama infection. It is unknown what the PO Box address in the virus refers to. However, the implication of the message is that Alabama was released in an attempt to curb software piracy. Similar motivations led to the creation of the first known PC virus, Brain. This message also suggests that the PO Box may very well not belong to the author: the author clearly meant Tuscumbia, Alabama, as Tuscambia is not a city. This supports the theory that the virus originated in Israel.
Payload
On Fridays, Alabama will begin to modify the File Allocation Table in an odd way. Instead of searching for a file to infect, Alabama searches for a file to cross-reference. The virus modifies the FAT entry so that when the user executes one file, another will appear. For instance, on a machine where Alabama is resident, executing PROGRAM1.EXE on a Friday may cause the virus to search for another program and find PROGRAM2.EXE. Alabama will then modify the FAT so that whenever PROGRAM1.EXE is executed, PROGRAM2.EXE displays instead. This certainly can result in confusion, and may result in programs being lost or incorrectly deleted.
Prevalence
The WildList Archived 2016-12-01 at the Wayback Machine, an organisation tracking computer viruses, never reported Alabama as being in the field. It was isolated spreading in Israel, but this may have been a limited local outbreak.
Since the advent of Windows, even successful DOS viruses have become increasingly rare. As such, Alabama can be considered obsolete.
Variants
There is one known variant of Alabama. Alabama.B was distributed as a modified SDIR.COM. SDIR.COM was a program created to replace the DOS DIR command. Like the original Alabama, the "B" variant does not infect .COM files. The modified SDIR.COM is simply used as a dropper.
References
- "Alabama Virus". Informatik.uni-hamburg. Retrieved 15 February 2013.
- "Alabama Virus". VSUM. Retrieved 15 February 2013.