Zherkov Virus
Virus Name: Zherkov
Aliases: Zherkov-1882, ZRK
V Status: Rare
Discovered: February, 1992
Symptoms: .COM & .EXE growth; decrease in total system & available free
memory; graphic (larger variants only)
Origin: USSR
Eff Length: 1,882 - 1,896 Bytes
Type Code: PRtAK - Parasitic Resident .COM & .EXE Infector
Detection Method: Sweep, ViruScan, F-Prot, AVTK, ChAV,
NAV, IBMAV, NAVDX, VAlert, PCScan,
NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N,
NAV/N, IBMAV/N
Removal Instructions: Delete infected files
General Comments:
The Zherkov, or Zherkov-1882, virus was received in February, 1992.
This virus and its variants are from the USSR. It is based on the
earlier Lozinsky virus. Zherkov is a memory resident infector of
.COM and .EXE programs, including COMMAND.COM.
The first time a program infected with the Zherkov virus is executed,
this virus will install itself memory resident at the top of system
memory but below the 640K DOS boundary, moving interrupt 12's return.
Total system and available free memory, as indicated by the DOS
CHKDSK program, will have decreased by 4,096 bytes. Interrupts 13
and 21 will be hooked by Zherkov. If not previously infected,
COMMAND.COM will be infected at this time.
After the Zherkov virus is memory resident, it will infect .COM and
.EXE programs when they are executed or opened. Infected .COM
programs will have a file length increase of 1,882 bytes. Infected
.EXE programs will increase in size by 1,882 to 1,896 bytes. In
both cases, the virus will be located at the end of the infected
program. The file's date and time in the DOS disk directory listing
will not have been altered.
It is unknown if Zherkov does anything besides replicate.
Known variant(s) of Zherkov are:
Zherkov.1922: Zherkov.1922 is a 1,922 byte variant of Zherkov.
It adds 1,922 bytes to the .COM programs it infects,
and 1,922 to 1,938 bytes to .EXE programs on infection.
When it is memory resident, total system and available
free memory, as indicated by the DOS CHKDSK program,
will have decreased by 5,120 bytes. Interrupt 12's
return will have been moved. Interrupts 01 and 21
are hooked by the virus in memory. The following
text string is encrypted within the viral code:
".EXE .COM COMMAND.COM AIDSTEST.EXE"
Origin: Unknown July, 1995.
Zherkov-1940: Zherkov-1940 is a 1,940 byte variant of Zherkov.
It adds 1,940 bytes to the .COM programs it infects,
and 1,940 to 1,956 bytes to .EXE programs on infection.
When it is memory resident, total system and available
free memory, as indicated by the DOS CHKDSK program,
will have decreased by 5,360 bytes. Interrupt 12's
return will not have been moved. Interrupts 01 and 21
are hooked by Zherkov-1940 in memory. The following
text string is encrypted within the viral code:
".EXE .COM COMMAND.COM AIDSTEST.EXE"
Origin: USSR June, 1993.
Zherkov-1958: Zherkov-1958 is a 1,958 byte variant of Zherkov.
It adds 1,958 bytes to the .COM programs it infects,
and 1,958 to 1,970 bytes to .EXE programs on infection.
When it is memory resident, total system and available
free memory, as indicated by the DOS CHKDSK program,
will have decreased by 5,360 bytes. Interrupt 12's
return will not have been moved. Interrupts 01, 1C,
and 21 are hooked by Zherkov-1958 in memory.
Origin: USSR February, 1992.
Zherkov.2269: Zherkov.2269 is a 2,269 byte variant of Zherkov.
It adds 2,269 bytes to the .COM and .EXE programs it
infects, hiding the file length increase when the virus
is memory resident. When it is memory resident, total
available free memory, as indicated by the DOS CHKDSK
program from DOS 5.0, will have decreased by 4,608
bytes. Interrupts 01, 1C and 21 are hooked by the
virus in memory. The following text string is
encrypted within the viral code:
".EXE .COM COMMAND.COM AIDSTEST.EXE"
The DOS CHKDSK program will indicate file allocation
errors on all infected files when the virus is memory
resident.
Origin: Unknown July, 1995.
Zherkov-2435: Zherkov-2435 is a 2,435 byte variant of Zherkov.
It adds 2,435 bytes to the .COM programs it infects,
and 2,435 to 2,449 bytes to .EXE programs on infection.
When it is memory resident, total system and available
free memory, as indicated by the DOS CHKDSK program,
will have decreased by 4,880 bytes. Interrupt 12's
return will have been moved to 9ECF. Interrupts 01, 08,
and 21 are hooked by Zherkov-2435 in memory.
Origin: USSR September, 1993.
Zherkov-2968: Based on Zherkov, this variant adds 2,968 bytes
to the .COM programs it infects, and 2,968 to 2,982
bytes to .EXE programs. Total system and available
free memory, as indicated by the DOS CHKDSK program,
will have decreased by 10,000 bytes when the virus
is memory resident. Interrupts 01, 09, 1C, and 21
will be hooked, and interrupt 12's return will have
been moved. On systems infected with Zherkov-2968, a
graphic saying "Aidstest topaywka" will be displayed on
the system monitor every few minutes while the virus is
memory resident. When this occurs, pressing a key on the
system keyboard will restore the display to its original
contents.
Origin: USSR February, 1992.
Zherkov-2970: Very similar to Zherkov-2968, this variant is two
bytes larger. It adds 2,970 bytes to the .COM programs
it infects, and 2,970 to 2,984 bytes to .EXE programs.
Its usage of memory is the same as Zherkov-2968, and
like Zherkov-2968, it will display the graphic
"Aidstest topaywka" every few minutes.
Origin: USSR February, 1992.
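The file-length increases listed above are the practical detection handle for a site without a current scanner: an appended parasitic infector grows each host by a known delta while, as the entry notes, the DOS date/time stays untouched. The following integrity check is an added example written for this entry, not code from VSUM or from any scanner named above. It compares a previously recorded inventory of .COM/.EXE sizes and timestamps against the current state, reports growth that falls inside a Zherkov variant's range (COM growth is a fixed delta, EXE growth a min/max range), and notes when the timestamp is unchanged. The inventory records are constructed sample data; the variant table is transcribed from the sizes given in this entry.

```python
"""Baseline-vs-current integrity check for Zherkov-style file growth.

Added example, not part of the VSUM entry. Inventory records below are
constructed sample data; the size table is copied from the entry text.
"""
from dataclasses import dataclass

# (COM delta, EXE delta min, EXE delta max), as stated per variant above.
ZHERKOV_VARIANTS = {
    "Zherkov-1882": (1882, 1882, 1896),
    "Zherkov.1922": (1922, 1922, 1938),
    "Zherkov-1940": (1940, 1940, 1956),
    "Zherkov-1958": (1958, 1958, 1970),
    "Zherkov.2269": (2269, 2269, 2269),  # fixed delta for .COM and .EXE
    "Zherkov-2435": (2435, 2435, 2449),
    "Zherkov-2968": (2968, 2968, 2982),
    "Zherkov-2970": (2970, 2970, 2984),
}


@dataclass(frozen=True)
class Entry:
    """One directory record: file length plus DOS packed date/time."""
    size: int
    mtime: int  # packed DOS date/time word pair, treated as opaque


def match_variants(name, delta):
    """Return the variants whose documented growth matches this file's delta."""
    ext = name.upper().rsplit(".", 1)[-1]
    hits = []
    for variant, (com_delta, exe_lo, exe_hi) in ZHERKOV_VARIANTS.items():
        if ext == "COM" and delta == com_delta:
            hits.append(variant)
        elif ext == "EXE" and exe_lo <= delta <= exe_hi:
            hits.append(variant)
    return hits


def compare(baseline, current):
    """Flag files that grew by a Zherkov-sized delta.

    Each finding is (name, delta, matching variants, timestamp_unchanged).
    An unchanged timestamp with a size change is the tell-tale described
    in the entry: the virus does not touch the directory date/time.
    """
    findings = []
    for name, old in baseline.items():
        new = current.get(name)
        if new is None or new.size <= old.size:
            continue
        delta = new.size - old.size
        hits = match_variants(name, delta)
        if hits:
            findings.append((name, delta, hits, new.mtime == old.mtime))
    return findings


# Constructed sample inventories (hypothetical sizes and timestamps).
BASELINE = {
    "COMMAND.COM": Entry(47845, 0x1A2B3C4D),
    "FORMAT.EXE": Entry(33087, 0x1A2B3C4D),
    "EDIT.COM": Entry(413, 0x1A2B3C4D),
    "SCAN.EXE": Entry(120000, 0x1A2B3C4D),
}
CURRENT = {
    "COMMAND.COM": Entry(47845 + 1882, 0x1A2B3C4D),  # COM growth, same stamp
    "FORMAT.EXE": Entry(33087 + 1890, 0x1A2B3C4D),   # EXE growth in 1882-1896
    "EDIT.COM": Entry(423, 0x1A2B3C4E),              # +10 bytes, new stamp
    "SCAN.EXE": Entry(122000, 0x1B000000),           # legitimate upgrade
}


def run_demo():
    """Run the check over the constructed inventories."""
    return compare(BASELINE, CURRENT)


if __name__ == "__main__":
    for name, delta, hits, same_stamp in run_demo():
        stamp = "timestamp unchanged" if same_stamp else "timestamp changed"
        print(f"{name}: +{delta} bytes, matches {hits}, {stamp}")
```

Take the baseline and the current inventory after booting from a known-clean, write-protected DOS diskette. Zherkov.2269 hides the file-length increase while it is resident, so a comparison made with the virus in memory will miss it entirely; the other variants show their growth but the resident copy will infect any scanner or utility you run. A match on a single delta is circumstantial on its own, which is why the unchanged timestamp is reported alongside it rather than folded into the verdict.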
See: Lozinsky