ZMT Virus
Virus Name: ZMT
Aliases: 262
V Status: Rare
Discovered: January, 1992
Symptoms: .COM file growth; system hangs; file date/time changes
Origin: Unknown
Eff Length: 262 Bytes
Type Code: PRCK - Parasitic Resident .COM Infector
Detection Method: Sweep, ViruScan, F-Prot, AVTK, ChAV,
NAV, IBMAV, NAVDX, VAlert, PCScan,
NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N,
NAV/N, IBMAV/N
Removal Instructions: Delete infected files
General Comments:
The ZMT, ZMT-262, or 262, virus was received in January, 1992. Its
origin is unknown. ZMT is a memory resident infector of .COM
programs, including COMMAND.COM.
The first time a program infected with the ZMT virus is executed,
the ZMT virus will install itself memory resident, hooking interrupt
21.
Once the ZMT virus is memory resident, it will infect .COM programs
when they are executed. Infected programs will have a file length
increase of 262 bytes with the virus being located at the beginning
of the infected file. The file's date and time in the DOS disk
directory listing will have been updated to the current system date
and time. One text string can be found in ZMT infected programs:
"ZMt93"
Systems infected with the ZMT virus will experience frequent system
hangs when .COM programs are executed. These hangs occur when
infected programs are executed, as well as when the virus infects
files. Occasionally, data from system memory will also be written
to the system display. Boot failures will occur if the user attempts
to boot the system from an infected copy of COMMAND.COM.
Known variant(s) of ZMT are:
ZMT-252: Similar to ZMT, this variant adds 252 bytes to the
.COM files it infects. The file's date and time in the
DOS disk directory listing will not be altered. This
variant becomes memory resident as a low system memory
TSR of 880 bytes, hooking interrupts 21 and F8. It
also allocates an additional block of memory which is
3,552 bytes in size. One text string is found in this
variant: "ZMt5".
Origin: Unknown February, 1992.
ZMT-365: Similar to ZMT, this variant adds 365 bytes to the
.COM files it infects. The file's date and time in the
DOS disk directory listing will not have been altered.
The one text string found in this variant is: "ZMt8".
Origin: Unknown January, 1992.
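
Added example (not part of the original entry and not taken from any of the scanners listed above): a triage sweep that flags .COM files carrying the text strings and length constraints this entry gives for ZMT and its two variants. It assumes the variants' markers may sit anywhere in the file, since the entry only states a location for the base virus; the function names and sample images are constructed for illustration, and a match on so short a string is a lead for further checking, not a verdict.

```python
import os
import sys

# Marker strings and added lengths exactly as listed in the entry. The entry
# places the base virus at the start of the host file; it gives no location
# for the variants, so those are searched file-wide (assumption of this example).
MARKERS = [
    # (variant, marker, bytes added, search only the leading virus body?)
    ("ZMT", b"ZMt93", 262, True),
    ("ZMT-252", b"ZMt5", 252, False),
    ("ZMT-365", b"ZMt8", 365, False),
]

# Constructed sample images (filler bytes plus a marker, no virus code).
SAMPLE_BASE = b"\x90" * 100 + b"ZMt93" + b"\x90" * 157 + b"\xc3"
SAMPLE_CLEAN = b"\x90" * 400 + b"\xc3"

def classify(data):
    """Return the variants whose marker string is present in a .COM image."""
    hits = []
    for name, marker, added, head_only in MARKERS:
        if len(data) < added:
            continue  # smaller than the virus itself, cannot be host + virus
        window = data[:added] if head_only else data
        if marker in window:  # case-sensitive byte match
            hits.append(name)
    return hits

def scan_tree(root):
    """Walk root and return {path: [variants]} for flagged .COM files."""
    flagged = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(".com"):
                continue
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(65536)  # a .COM image fits in one 64 KB segment
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            hits = classify(data)
            if hits:
                flagged[path] = hits
    return flagged

if __name__ == "__main__":
    for path, hits in sorted(scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        print(f"{path}: marker for {', '.join(hits)}")
```

Run the sweep from clean boot media so that a resident copy of the virus is not active while files are being read.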