Katvir Virus

Virus Name: Katvir Aliases: Katvir.623 V Status: New Discovered: January, 1996 Symptoms: .COM file growth; file date/time changes; message displayed; decrease in available free memory Origin: Unknown Eff Length: 623 Bytes Type Code: PRhCK - Parasitic Resident .COM Infector Detection Method: F-Prot, AVTK, IBMAV, NAV, NAVDX, ChAV, ViruScan, Innoc, AVTK/N, IBMAV/N, NAV/N, NShld Removal Instructions: Delete infected files General Comments: The Katvir virus was received in January, 1996. Its origin or point of isolation is unknown. It is a memory resident infector of .COM files, including COMMAND.COM. When the first Katvir infected program is executed, this virus will install itself memory resident at the top of system memory but below the 640K DOS boundary, not moving interrupt 12's return. Total available free memory, as indicated by the DOS CHKDSK program from DOS 5.0, will have decreased by approximately 9,216 bytes. Interrupt 21 will be hooked by the virus in memory. Once the Katvir virus is memory resident, it will infect .COM files when they are executed. Infected files will have a file length increase of 623 bytes with the virus being located at the end of the file. The program's date and time in the DOS disk directory listing will have been updated to the current system date and time when infection occurred. The following text strings are visible within the viral code in all infected programs: "Dzieciatka wylewaja niewinnie lzy" "bo czuja nieszczescie" "choc go nie pojmuja... - KatVir by Warlock from III LO in Olkusz!" "KAT" The last text string indicated above can be found at the very end of all infected files. This virus may display characters from system memory including the above text strings when infections occur.