ZigZag Virus


 Virus Name:  ZigZag 
 Aliases:    
 V Status:    Viron 
 Discovered:  May, 1993 
 Symptoms:    .COM files overwritten; programs fail to function properly; 
              display output shown diagonally down screen 
 Origin:      Unknown 
 Eff Length:  127 Bytes (Overwriting) 
 Type Code:   ONCK - Overwriting Non-Resident .COM Infector 
 Detection Method:  ViruScan, F-Prot, AVTK, Sweep, IBMAV, PCScan, 
                    NAV, NAVDX, VAlert, ChAV, 
                    NShld, Sweep/N, NProt, AVTK/N, IBMAV/N, Innoc, NAV/N, 
                    LProt 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The ZigZag virus was submitted in May, 1993.  Its origin or point 
       of isolation is unknown.  ZigZag is a non-resident, direct action 
       overwriting virus which corrupts the .COM programs it infects. 
 
       When a program infected with the ZigZag virus is executed, the 
       ZigZag virus will infect one .COM program located in the current 
       directory.  The user will then be returned to the DOS prompt. 
       Infected programs will have the first 127 bytes of the host 
       program overwritten by the ZigZag virus' viral code.  The file's 
       date and time in the DOS disk directory listing will not be 
       altered.  The following text string is visible within the viral 
       code in all ZigZag infected programs: 
 
               "*.COM *ZZ* v 1.0 DOS" 
 
       The ZigZag virus activates when an infected program is executed 
       after all of the .COM programs in the current directory have been 
       infected.  At this time, the virus will alter the system video 
       characteristics so that any output sent to the system display will 
       be scrolled diagonally down the screen.  This effect continues 
       until the system is reset or rebooted. 
 
       Known variant(s) of ZigZag are: 
       ZigZag.232: Received in January, 1995, ZigZag.232 is a 232 
             byte variant of the ZigZag virus described above.  It infects 
             the first two .COM programs in the current directory each time 
             an infected program is executed.  The execution of the program 
             will then end with the following message being displayed: 
             "Bad command or file name" 
             Infected programs will have the first 232 bytes overwritten 
             by the viral code.  The file's date and time in the DOS 
             disk directory listing will not be altered.  The following 
             text strings are visible within the viral code: 
             "The Tricky Dicky Virus" 
             "*.COM [TrickyDicky] Created in the city of Toronto" 
             "Bad command or file name" 
             "Fail on INT 24 .. NOT!!" 
             Origin:  Unknown  January 1995.

Show viruses from discovered during that infect .

Main Page