Caz Virus


 Virus Name:  Caz 
 Aliases:    
 V Status:    Rare 
 Discovery:   September, 1991 
 Symptoms:    .COM & .EXE growth; decrease in total system & available free 
              memory, system hangs, file allocation errors 
 Origin:      Spain 
 Eff Length:  1,204 Bytes 
 Type Code:   PRhAK - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  ViruScan, AVTK, Sweep, F-Prot, NAV, IBMAV, 
                    NAVDX, VAlert, PCScan, ChAV, 
                    NShld, Sweep/N, Innoc, NProt, AVTK/N, NAV/N, IBMAV/N, 
                    LProt 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Caz virus was isolated in Spain in September, 1991.  Caz is a 
       memory resident infector of .COM and .EXE files, including 
       COMMAND.COM. 
 
       When the first Caz infected program is executed on a system, the 
       Caz virus will become memory resident at the top of system memory 
       but below the 640K DOS boundary.  Total system and available free 
       memory, as indicated by the DOS CHKDSK program, will decrease by 
       2,048 bytes. Interrupts 08, 21, and 2F will be hooked by the 
       virus.  At this time, the virus will check the copy of COMMAND.COM 
       located in the C: drive root directory, and if not already infected, 
       the virus will infect it. 
 
       Once Caz is memory resident, it will infect programs as they are 
       opened or executed.  Infected programs will increase in size by 
       1,204 bytes, though the file size increase will not be able to be 
       seen in directory listings if the virus is memory resident.  Caz 
       will be located at the end of infected files.  The following text 
       string can be found in infected programs: 
 
               "EXECOMC:\COMMAND.COM CLEAN." 
 
       Systems infected with Caz will may experience system hangs when 
       attempting to execute some programs which allocate all available 
       system memory, such as anti-viral utilities.  Other programs may 
       experience unexpected stack overflow errors, though they may 
       successfully execute at a later time.  An additional symptom of 
       Caz infections is that if the virus is memory resident, the DOS 
       CHKDSK program will indicate file allocation errors on all 
       infected programs.   
 
       It is unknown what Caz does when it activates, though it is 
       probably time related. 
 
       Known variant(s) of Caz are: 
       Caz-B: Received in February, 1992, Caz-B is functionally 
              equivalent to the Caz virus described above.  It has two 
              bytes which differ from the original virus. 
              Origin:  Spain  February, 1992. 
 
       See:   Zaragosa

Show viruses from discovered during that infect .

Main Page