Kaczor Virus


 Virus Name:  Kaczor 
 Aliases:     Kaczor.4444 
 V Status:    In the wild 
 Discovered:  July, 1996 
 Symptoms:    .EXE file growth; file date/time seconds = "62"; 
              decrease in available free memory; master boot sector altered; 
              DOS CHKDSK file allocation errors 
 Origin:      Poland 
 Eff Length:  4,444 Bytes 
 Type Code:   PRhEX - Parasitic Resident .EXE & MBR Infector 
 Detection Method:  F-Prot, AVTK, IBMAV, ViruScan, NAV, NAVDX, ChAV, 
                    Innoc, AVTK/N, IBMAV/N, NShld, NAV/N 
 Removal Instructions:  Delete infected files & Replace MBR 
 
 General Comments: 
       The Kaczor virus was received in July, 1996, and is reported to be 
       "in the wild".  It appears to be from Poland.  Kaczor is a memory 
       resident stealth, multi-partite virus which infected the system 
       hard disk master boot sector as well as .EXE files.  It appears to 
       be at least slightly polymorphic as well. 
 
       When the first Kaczor infected program is executed, this virus will 
       become memory resident at the top of system memory but below the 
       640K DOS boundary, not moving interrupt 12's return.  Available 
       free memory, as indicated by the DOS CHKDSK program from DOS 5.0, 
       will have decreased by 6,144 bytes.  Interrupts 13 and 21 will be 
       hooked by the virus in memory.  Also at this time, the virus will 
       infect the system hard disk master boot sector if it was not 
       previously infected, resulting in any boot of the system from the 
       system hard disk making the virus memory resident. 
 
       Once the Kaczor virus is memory resident, it will infect .EXE files 
       when they are executed, opened, or copied.  Infected files will 
       have a file length increase of 4,444 bytes, though this file length 
       increase will be hidden by the virus when it is memory resident. 
       The viral code will be located at the end of the file.  The program's 
       date and time in the DOS disk directory listing will not appear to 
       be altered, though the seconds field will have been set to "62". 
       The following text strings are encrypted within the viral code: 
 
           "Zrobione." 
           "Wersja" 
           "Kodowanie" 
           "Licznik HD" 
           "K a c.z,o r!!t e s t" 
 
       The DOS CHKDSK program will indicate file allocation errors on all 
       infected files when this virus is memory resident.

Show viruses from discovered during that infect .

Main Page