Doctor Qumak 2 Virus


 Virus Name:  Doctor Qumak 2 
 Aliases:     Dr Qumak 2 
 V Status:    Rare 
 Discovered:  October, 1992 
 Symptoms:    .COM file growth; decrease in total system & available free 
              memory; disk corruption; "Write protect error" messages 
 Origin:      Krakow, Poland 
 Eff Length:  1,079 Bytes 
 Type Code:   PRtCK - Parasitic Resident .COM Infector 
 Detection Method:  AVTK, F-Prot, Sweep, ViruScan, IBMAV, ChAV, 
                    NAV, NAVDX, VAlert, PCScan 5.02+, 
                    Sweep/N, NShld, Innoc, AVTK/N, NAV/N, IBMAV/N 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Doctor Qumak 2 virus was submitted in October, 1992.  It is 
       originally from Krakow, Poland.  Doctor Qumak 2 is a memory resident 
       infector of .COM programs, including COMMAND.COM.  It is a 
       destructive virus. 
 
       The first time a program infected with the Doctor Qumak 2 virus is 
       executed, this virus will install itself memory resident at the top 
       of system memory but below the 640K DOS boundary, changing the 
       memory size returned by interrupt 12.  Total system and available 
       free memory, as indicated 
       by the DOS CHKDSK program, will have decreased by 2,064 bytes. 
       Interrupts 12, 13, and 21 will be hooked by Doctor Qumak 2 in memory. 
 
       Once the Doctor Qumak 2 virus is memory resident, it will infect 
       .COM programs when they are executed or opened for any reason. 
       Infected programs will have a file length increase of 1,079 bytes 
       with the virus being located at the end of the file.  The program's 
       date and time in the DOS disk directory listing will not be altered. 
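
A baseline comparison for the symptom described above, as an added example (not part of the original entry or of any scanner it lists): it flags .COM files that grew by exactly 1,079 bytes while their timestamp stayed the same. The `snapshot` and `compare` helpers and the sample listings are constructed for illustration, and the check assumes a snapshot was taken while the system was known clean.

```python
import os

VIRUS_GROWTH = 1079  # effective length given in the entry above

def snapshot(root):
    """Map each .COM file under root to (size, mtime). Take one on a known-clean system."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.upper().endswith(".COM"):
                path = os.path.join(dirpath, name)
                st = os.stat(path)
                files[os.path.relpath(path, root).upper()] = (st.st_size, int(st.st_mtime))
    return files

def compare(baseline, current, growth=VIRUS_GROWTH):
    """Return (suspect, changed): files matching the described symptom, and other changes."""
    suspect, changed = [], []
    for path, (old_size, old_mtime) in sorted(baseline.items()):
        if path not in current:
            continue  # deleted files are not the symptom checked here
        new_size, new_mtime = current[path]
        if new_size - old_size == growth and new_mtime == old_mtime:
            suspect.append(path)   # grew by exactly 1,079 bytes, timestamp untouched
        elif (new_size, new_mtime) != (old_size, old_mtime):
            changed.append(path)   # changed for some other reason; review separately
    return suspect, changed

# Constructed sample listings (sizes and timestamps are made up for illustration).
BASELINE = {
    "COMMAND.COM": (47845, 686793600),
    "FORMAT.COM": (22717, 686793600),
    "EDIT.COM": (413, 686793600),
    "MORE.COM": (2618, 686793600),
}
CURRENT = {
    "COMMAND.COM": (47845 + 1079, 686793600),  # symptom: +1,079, same timestamp
    "FORMAT.COM": (22717, 686793600),          # untouched
    "EDIT.COM": (413 + 1079, 700000000),       # grew, but timestamp changed too
    "MORE.COM": (2618 + 1079, 686793600),      # symptom
}

if __name__ == "__main__":
    suspect, changed = compare(BASELINE, CURRENT)
    print("match described infection pattern:", suspect)
    print("changed otherwise:", changed)
```

A size and timestamp match is only a heuristic; confirm any flagged file with one of the scanners listed under Detection Method.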
 
       The Doctor Qumak 2 virus activates under two conditions, the first 
       condition being very destructive, slowly corrupting files on 
       infected systems.  The virus keeps track of how many disk write 
       operations have occurred since it became memory resident.  After 
       100 write operations have occurred, the virus will modify three 
       bytes in the next sector written to disk.  After it has modified 
       50 sectors in this manner, it will display the following message: 
 
          "The famous cooperation strikes again: IT IS DOCTOR QUMAK II! 
            Watch out for the next virus from Kraków, Poland!" 
 
       This message is not visible within infected programs as it is 
       encrypted within the viral code. 
 
       The second condition under which Doctor Qumak 2 will activate is 
       during the months of April through December of any year.  During these 
       months, on Sundays after the 9th of the month, the virus will 
       simulate a "Write protect error" when the user attempts to write 
       to a diskette. 
