ZK900 Virus

Virus Name: ZK900 Aliases: Pray, 900 V Status: Rare Discovered: April, 1991 Symptoms: .COM & .EXE growth; decrease in total system & available memory; music Origin: United States Eff Length: 900 Bytes Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan, F-Prot, NAV, Sweep, AVTK, PCScan, IBMAV, NAVDX, VAlert, ChAV, NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, NAV/N, IBMAV/N Removal Instructions: Delete infected files General Comments: The ZK900 virus was received in April, 1991, from David Chess of IBM. ZK900 is a memory resident .COM and .EXE infector, and will infect COMMAND.COM. The first time a program infected with ZK900 is executed, the virus will install itself memory resident at the top of system memory but below the 640K DOS boundary. Total system and available free memory, as indicated by the DOS CHKDSK program, will have decreased by 960 bytes. Interrupts 1C and 21 will be hooked by the virus. After becoming memory resident, ZK900 will infect .COM and .EXE programs as they are executed. If COMMAND.COM is executed, it will become infected. Infected programs will increase in size by 900 bytes with the virus being located at the end of the file. The program's date and time in the disk directory will not be altered by the virus. Infected programs will end with the text characters "zx". Systems infected with ZK900 may experience a tune being played every three to five minutes on the system speaker. The tune is the children's rhyme "Pray for the dead, and the dead will pray for you". Known variant(s) of ZK900 are: ZK900-B: Based on the ZK900 virus, this variant doesn't play music three to five minutes after becoming memory resident. Interference with the lower portion of the system display may occur approximately 10 minutes after it becomes memory resident. Seven bytes differ from the original virus. Origin: Unknown December, 1992.