Zombie Virus
Virus Name: Zombie
Aliases:
V Status: New
Discovered: July, 1993
Symptoms: .COM file growth; possible hard disk corruption; decrease in total system & available free memory
Origin: Denmark
Eff Length: 747 Bytes
Type Code: PRhC - Parasitic Resident .COM Infector
Detection Method: ViruScan, AVTK, F-Prot, IBMAV, Sweep, NAVDX, NAV, VAlert, PCScan, NShld, AVTK/N, NProt, Sweep/N, IBMAV/N, NAV/N, Innoc
Removal Instructions: Delete infected files
General Comments:
The Zombie virus was received in July, 1993. It is originally from
Denmark. Zombie is a memory resident infector of .COM programs, but
not COMMAND.COM. In advanced infections, hard disk corruption may
occur.

When the first Zombie infected program is executed, this virus will
install itself memory resident at the top of system memory but below
the 640K DOS boundary, not moving interrupt 12's return. Total
system and available free memory, as indicated by the DOS CHKDSK
program, will have decreased by 768 bytes. Interrupt 21 will be
hooked by the virus in memory.

Once the Zombie virus is memory resident, it will infect .COM
programs, other than those with an "M" as the 3rd or 4th character
of the file name, when they are executed. Infected programs will
have a file length increase of 747 bytes with the virus being
located at the end of the program. The file's date and time in the
DOS disk directory listing will not be altered. The following text
string is visible within the viral code in all Zombie infected
programs:
"Zombie - Danish woodoo hackers (14AUG91)"

After the 16th generation of the Zombie virus, this virus will
write to the system hard disk, possibly resulting in hard disk
corruption. The sectors overwritten are Side 0, Cylinder 0,
Sectors 2 through 4.
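
The file traits described above (747 bytes appended to the end of a .COM program, with the quoted text string visible inside the appended code) can be checked on disk images or archived files. The following is an added example, not part of the original entry or any listed scanner; it assumes the string is stored as plain ASCII exactly as quoted, and the function names and the sample image are constructed for illustration.

```python
"""Triage .COM images for the Zombie traits listed in this entry (added example)."""
import sys
from pathlib import Path

MARKER = b"Zombie - Danish woodoo hackers (14AUG91)"  # text string quoted in the entry
GROWTH = 747  # file length increase stated in the entry

def check_image(data: bytes) -> dict:
    """Classify one file image by where the marker string sits."""
    pos = data.rfind(MARKER)
    if pos < 0:
        return {"verdict": "clean", "marker_offset": None, "host_length": None}
    # The entry places the virus at the end of the program, so a real
    # infection has the marker inside the final 747 bytes of the file.
    in_tail = len(data) > GROWTH and pos >= len(data) - GROWTH
    return {
        # A marker elsewhere is more likely a text file or signature
        # database quoting the string than an infected program.
        "verdict": "suspect-infected" if in_tail else "marker-outside-tail",
        "marker_offset": pos,
        # Inferred pre-infection length, for comparison with backups.
        "host_length": len(data) - GROWTH if in_tail else None,
    }

def skipped_by_name(filename: str) -> bool:
    """Entry: names with 'M' as the 3rd or 4th character are not infected."""
    return "M" in Path(filename).stem.upper()[2:4]

def constructed_sample(host_len: int = 1000, marker_at: int = 300) -> bytes:
    """Constructed test image: zero filler plus the marker, no viral code."""
    tail = bytearray(GROWTH)
    tail[marker_at:marker_at + len(MARKER)] = MARKER
    return bytes(host_len) + bytes(tail)

def scan_tree(root: str):
    """Yield (path, result) for every .COM file under root."""
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.upper() == ".COM":
            yield path, check_image(path.read_bytes())

if __name__ == "__main__":
    for path, result in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        if result["verdict"] != "clean":
            note = " (name matches the skip rule)" if skipped_by_name(path.name) else ""
            print(f"{path}: {result['verdict']}, "
                  f"inferred original length {result['host_length']}{note}")
```

Because the entry states that the file date and time are not altered, timestamps cannot be used for triage; compare the inferred original length against a known-good copy instead.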