Zaragosa Virus


 Virus Name:  Zaragosa 
 Aliases:     Caz-1159 
 V Status:    Rare 
 Discovered:  January, 1992 
 Symptoms:    .COM & .EXE growth; decrease in total system & available free 
              memory; disk allocation errors; system hang 
 Origin:      Unknown 
 Eff Length:  1,159 Bytes 
 Type Code:   PRhAK - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  Viruscan, AVTK, F-Prot, Sweep, NAV, 
                    IBMAV, NAVDX, VAlert, PCScan, ChAV, 
                    NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, 
                    NAV/N, IBMAV/N 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Zaragosa virus was submitted in January, 1992.  Its origin 
       or point of isolation is unknown.  Zaragosa is a memory resident 
       infector of .COM and .EXE programs, including COMMAND.COM.  It 
       employs some stealth techniques. 
 
       The first time a program infected with the Zaragosa virus is 
       executed on a system, the Zaragosa virus will infect the copy of 
       COMMAND.COM located in the C: drive root directory.  A system 
       hang will then occur.  When the user reboots the system from the 
       system hard disk, or a diskette with an infected copy of COMMAND.COM, 
       the Zaragosa virus will become memory resident at the top of system 
       memory but below the 640K DOS boundary.  Interrupt 12's return 
       will not have been moved.  Total system and available free memory, 
       as indicated by the DOS CHKDSK program, will have decreased by 
       2,048 bytes.  Interrupts 21 and 2F will be hooked. 
 
       Once the Zaragosa virus is memory resident, it will infect .COM 
       and .EXE programs when they are opened or executed.  Infected 
       programs will have a file length increase of 1,159 bytes, though 
       the file length increase will not be visible if the Zaragosa virus 
       is memory resident.  The Zaragosa virus will be located at the end 
       of the infected program.  The file's date and time in the DOS disk 
       directory listing will not have been altered. 
 
       The following text strings can be found within the viral code in 
       Zaragosa infected programs: 
 
               "EXECOMC:\COMMAND.COM" 
               "CLEAN." 
 
       Execution of the DOS CHKDSK program with Zaragosa memory resident 
       will result in the utility indicating that all Zaragosa infected 
       programs have a file allocation error. 
 
       It is unknown if Zaragosa does anything besides replicate. 
 
       Known variant(s) of Zaragosa are: 
       Caz-1159: Functionally equivalent to the Zaragosa virus 
                 described above, this variant has three bytes which 
                 differ. 
                 Origin:  Unknown  April, 1992. 
 
       See:   Caz 
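
A defender-side check built from the indicators in this entry, added here as an example and not taken from any of the scanners listed above: it flags .COM and .EXE files whose final 1,159 bytes contain both listed text strings. It assumes the files are read from an offline copy or after a clean boot, since the entry notes that the resident virus hides the length increase, and that the strings sit unencoded in the appended region; the function names and sample bytes are constructed for illustration.

```python
import os

VIRUS_LEN = 1159  # "Eff Length" given in the entry
MARKERS = (b"EXECOMC:\\COMMAND.COM", b"CLEAN.")  # strings listed in the entry


def tail_matches(tail: bytes) -> bool:
    """Both listed strings must appear in the appended region."""
    return all(marker in tail for marker in MARKERS)


def scan_file(path: str) -> bool:
    """Check the last VIRUS_LEN bytes of one file read from an offline copy."""
    size = os.path.getsize(path)
    if size <= VIRUS_LEN:  # too small to hold a host plus the appended body
        return False
    with open(path, "rb") as fh:
        fh.seek(size - VIRUS_LEN)
        return tail_matches(fh.read(VIRUS_LEN))


def scan_tree(root: str) -> list:
    """Return sorted paths of .COM/.EXE files whose tail carries both strings."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.upper().endswith((".COM", ".EXE")):
                path = os.path.join(dirpath, name)
                if scan_file(path):
                    hits.append(path)
    return sorted(hits)


def constructed_sample(flagged: bool) -> bytes:
    """Constructed test bytes: filler plus the two strings, no viral code."""
    host = b"\x90" * 300
    if not flagged:
        return host + b"\x00" * VIRUS_LEN
    body = MARKERS[0] + b"\x00" * 16 + MARKERS[1]
    return host + body.ljust(VIRUS_LEN, b"\x00")


if __name__ == "__main__":
    import sys
    for hit in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("possible Zaragosa tail:", hit)
```

A hit is a lead for confirmation with one of the listed scanners, not a verdict; the entry does not say which three bytes differ in the Caz-1159 variant, so a miss does not rule that variant out.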
