Khizhnjak Virus


 Virus Name:  Khizhnjak 
 Aliases:     Khizhnjak.491 
 V Status:    New 
 Discovered:  July, 1995 
 Symptoms:    .COM file growth; TSR; file date/time changes 
 Origin:      Unknown 
 Eff Length:  491 - 499 Bytes 
 Type Code:   PRsC - Parasitic Resident .COM Infector 
 Detection Method:  F-Prot, AVTK, VAlert, ViruScan, NAV, NAVDX, Sweep, 
                    IBMAV, ChAV, PCScan, 
                    AVTK/N, NShld, Sweep/N, NAV/N, IBMAV/N, NProt, Innoc 4.0+ 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Khizhnjak, or Khizhnjak.491, virus was received in July, 1995. 
       Its origin or point of isolation is unknown.  Khizhnjak is a memory 
       resident infector of .COM files, but not COMMAND.COM. 
 
       When the first Khizhnjak infected program is executed, this virus 
       will install itself memory resident as a low system memory TSR of 
       800 bytes.  Interrupts 21 and 22 will be hooked by the virus in 
       memory. 
 
       Once the Khizhnjak virus is memory resident, it will infect .COM 
       programs, other than COMMAND.COM and very small .COM files, when 
       they are executed.  Infected .COM files will have a file length 
       increase of 491 to 499 bytes with the virus being located at the 
       end of the file.  The program's date and time in the DOS disk 
       directory listing will have been updated to the current system date 
       and time when infection occurred.  The following text string is 
       visible within the viral code in all infected programs: 
 
           ".EXE COMMAND.COM" 
 
       This virus may alter the cursor position or cursor character on the 
       system monitor. 
 
       Known variant(s) of Khizhnjak are: 
       Khizhnjak.306: Received in January, 1996, this is a 306 byte 
           variant of the Khizhnjak virus described above.  It infects one 
           .COM file in the current directory when an infected program is 
           executed.  Infected files will have a file length increase 
           of 306 to 317 bytes with the virus being located at the end of 
           the file.  The program's date and time in the DOS disk directory 
           listing will not be altered.  The following text string is 
           visible within the viral code: 
           "*.COM" 
           Origin:  Unknown  January, 1996. 
       Khizhnjak.419: Received in January, 1996, this is a 419 byte 
           variant of the Khizhnjak virus described above.  It infects one 
           .COM file in the current directory when an infected program is 
           executed.  Files are infected in a manner like that employed by 
           Khizhnjak.509.  Infected files will have a file length increase 
           of 419 to 435 bytes with the virus being located at the end of 
           the file.  The program's date and time in the DOS disk directory 
           listing will have been updated to the current system date and 
           time when infection occurred.  The following text strings are 
           visible within the viral code: 
           "*.COM" 
           ".COM" 
           Origin:  Unknown  January, 1996. 
       Khizhnjak.509: Also received in July, 1995, this is a 509 byte 
           variant of the Khizhnjak virus described above.  It infects the 
           first .COM file in the current directory when an infected 
           program is executed by first adding bytes to the file to bring 
           the file length to a multiple of 16, and then adding 509 bytes 
           of viral code.  As such, the file length increase will be 
           509 to 524 bytes with the virus being located at the end of the 
           file.  The program's date and time in the DOS disk directory 
           listing will have been updated to the current system date and 
           time when infection occurred.  The following text strings are 
           visible within the viral code: 
           "Fox" 
           "*.com" 
           System hangs frequently occur when infected programs are 
           executed.  This virus will usually only infect one .COM file 
           in a given directory. 
           Origin:  Unknown  July, 1995. 
       Khizhnjak.515: Also received in July, 1995, this is a 515 byte 
           variant of the Khizhnjak virus described above.  It infects one 
           .COM file in the current directory when an infected program is 
           executed.  Files are infected in a manner like that employed by 
           Khizhnjak.509.  Infected files will have a file length increase 
           of 515 to 530 bytes with the virus being located at the end of 
           the file.  The program's date and time in the DOS disk directory 
           listing will have been updated to the current system date and 
           time when infection occurred.  No text strings are visible within 
           the viral code.  System hangs frequently occur when infected 
           programs are executed. 
           Origin:  Unknown  July, 1995. 
       Khizhnjak.560: Also received in January, 1996, this is a 560 byte 
           variant of the Khizhnjak virus described above.  It infects up to 
           seven .COM files in the current directory of the C: drive when an 
           infected program is executed.  Files are infected in a manner like 
           that employed by Khizhnjak.509.  Infected files will have a file 
           length increase of 560 to 575 bytes with the virus being located 
           at the end of the file.  The program's date and time in the DOS 
           disk directory listing will not be altered.  The following 
           text strings are visible within the viral code: 
           "*.COM" 
           "Killer-94!!" 
           Origin:  Unknown  January, 1996. 
       Khizhnjak.565: Also received in July, 1995, this is a 565 byte 
           variant of the Khizhnjak virus described above.  It infects one 
           .COM file in the current directory of the C: drive when an 
           infected program is executed.  Files are infected in a manner like 
           that employed by Khizhnjak.509.  Infected files will have a file 
           length increase of 565 to 580 bytes with the virus being located 
           at the end of the file.  The program's date and time in the DOS 
           disk directory listing will not be altered.  The following 
           text strings are visible within the viral code: 
           "*.COM" 
           "Killer-94!!" 
           System hangs frequently occur when infected programs are 
           executed. 
           Origin:  Unknown  July, 1995. 
       Khizhnjak.586: Also received in January, 1996, this is a 586 byte 
           variant of the Khizhnjak virus described above.  It infects one 
           .COM file in the current directory when an infected program is 
           executed.  Infected files will have a file length increase of 586 
           to 597 bytes with the virus being located at the end of the file. 
           The program's date and time in the DOS disk directory listing will 
           have been updated to the current system date and time when 
           infection occurred.  The following text strings are visible 
           within the viral code: 
           "*.COM" 
           ".com" 
           "m.com" 
           "/noexp$" 
           Origin:  Unknown  January, 1996. 
       Khizhnjak.692.B: Also received in July, 1995, this is a 692 byte 
           variant of the Khizhnjak virus described above.  It infects one 
           .COM file in the current directory when an infected program is 
           executed.  Files are infected in a manner like that employed by 
           Khizhnjak.509.  Infected files will have a file length increase 
           of 692 to 707 bytes with the virus being located at the end of 
           the file.  The program's date and time in the DOS disk directory 
           listing will have been updated to the current system date and 
           time when infection occurred.  The following text strings are 
           visible within the viral code: 
           "*.com" 
           ".com" 
           "command.com" 
           Origin:  Unknown  July, 1995. 
       Khizhnjak.696: Received in January, 1996, this is a 696 byte 
           variant of the Khizhnjak virus described above.  It infects one 
           .COM file in the current directory when an infected program is 
           executed.  Files are infected in a manner like that employed by 
           Khizhnjak.509.  Infected files will have a file length increase 
           of 696 to 711 bytes with the virus being located at the end of 
           the file.  The program's date and time in the DOS disk directory 
           listing will have been updated to the current system date and 
           time when infection occurred.  The following text strings are 
           visible within the viral code: 
           "*.COM" 
           ".COM" 
           "command.com" 
           System hangs frequently occur when infected programs are 
           executed.  Once the boot copy of COMMAND.COM becomes infected, 
           the system will fail to boot. 
           Origin:  Unknown  January, 1996. 
       Khizhnjak.719: Also received in July, 1995, this is a 719 byte 
           variant of the Khizhnjak virus described above.  It infects one 
           .COM file in the current directory when an infected program is 
           executed.  Files are infected in a manner like that employed by 
           Khizhnjak.509.  Infected files will have a file length increase 
           of 719 to 734 bytes with the virus being located at the end of 
           the file.  The program's date and time in the DOS disk directory 
           listing will have been updated to "9-13-81 12:01a".  The 
           following text strings are visible within the viral code: 
           "*.com" 
           ".com" 
           "comm" 
           This variant corrupts the system CMOS, resulting in all hard 
           drives being uninstalled, the system date being reset to January 
           01, 1980, and the time being reset to 00:00:00.  All devices 
           are uninstalled other than the system keyboard. 
           Origin:  Unknown  July, 1995. 
       Khizhnjak.731: Also received in July, 1995, this is a 731 byte 
           variant of the Khizhnjak virus described above.  It infects one 
           .COM file in the current directory when an infected program is 
           executed.  Files are infected in a manner like that employed by 
           Khizhnjak.509.  Infected files will have a file length increase 
           of 731 to 746 bytes with the virus being located at the end of 
           the file.  The program's date and time in the DOS disk directory 
           listing will have been updated to the current system date and 
           time when infection occurred.  The following text strings are 
           visible within the viral code: 
           "*.COM" 
           ".com" 
           "command.com" 
           "Fucking bug !!" 
           The last text string above is displayed on the system monitor 
           as a message each time an infected program is executed. 
           Origin:  Unknown  July, 1995. 
       Khizhnjak.735: Also received in January, 1996, this is a 735 byte 
           variant of the Khizhnjak virus described above.  It infects one 
           .COM file in the current directory when an infected program is 
           executed.  Files are infected in a manner like that employed by 
           Khizhnjak.509.  Infected files will have a file length increase 
           of 735 to 750 bytes with the virus being located at the end of 
           the file.  The program's date and time in the DOS disk directory 
           listing will have been updated to the current system date and 
           time when infection occurred.  The following text strings are 
           visible within the viral code: 
           "*.com" 
           ".com" 
           "(C)KosKon.MREI.1.93." 
           System hangs frequently occur when infected programs are 
           executed. 
           Origin:  Unknown  January, 1996. 
       Khizhnjak.749: Also received in July, 1995, this is a 749 byte 
           variant of the Khizhnjak virus described above.  It infects all 
           of the .COM files in the current directory when an infected 
           program is executed.  Files are infected in a manner like that 
           employed by Khizhnjak.509.  Infected files will have a file 
           length increase of 749 to 764 bytes with the virus being located 
           at the end of the file.  The program's date and time in the DOS 
           disk directory listing will have been updated to the current 
           system date and time when infection occurred.  The following text 
           strings are visible within the viral code: 
           "*.com" 
           "I /M" 
           "command.com" 
           This variant will display flashing colors on the system monitor 
           for about three seconds when an infected program is executed. 
           Origin:  Unknown  July, 1995. 
       Khizhnjak.761: Also received in January, 1996, this is a 761 byte 
           variant of the Khizhnjak virus described above.  It infects one 
           .COM file in the current directory when an infected program is 
           executed.  Files are infected in a manner like that employed by 
           Khizhnjak.509.  Infected files will have a file length increase 
           of 761 to 776 bytes with the virus being located at the end of 
           the file.  The program's date and time in the DOS disk directory 
           listing will have been updated to the current system date and 
           time when infection occurred.  The following text string is 
           visible within the viral code: 
           "OKN COMPANY MINSK 15.12.1993.HELLO .*.COM" 
           System hangs frequently occur when infected programs are 
           executed. 
           Origin:  Unknown  January, 1996. 
       Khizhnjak.823: Also received in July, 1995, this is an 823 byte 
           variant of the Khizhnjak virus described above.  It infects one 
           .COM file in the current directory when an infected program is 
           executed.  Files are infected in a manner like that employed by 
           Khizhnjak.509.  Infected files will have a file length increase 
           of 823 to 838 bytes with the virus being located at the end of 
           the file.  The program's date and time in the DOS disk directory 
           listing will have been updated to the current system date and 
           time when infection occurred.  The following text strings are 
           visible within the viral code: 
           "*.com" 
           "command.com" 
           "   MGUL   " 
           Origin:  Unknown  July, 1995. 
       Khizhnjak.875: Also received in July, 1995, this is an 875 byte 
           variant of the Khizhnjak virus described above.  It infects one 
           .COM file in the current directory when an infected program is 
           executed.  Files are infected in a manner like that employed by 
           Khizhnjak.509.  Infected files will have a file length increase 
           of 875 to 890 bytes with the virus being located at the end of 
           the file.  The program's date and time in the DOS disk directory 
           listing will have been updated to the current system date and 
           time when infection occurred.  The following text strings are 
           visible within the viral code: 
           "*.COM" 
           ".com" 
           "command.com" 
           "Sveta Ltd.(c) 1993.All rights reserved!" 
           This variant will display the last text string indicated above 
           as a message on the system monitor when an infected program is 
           executed. 
           Origin:  Unknown  July, 1995. 
       Khizhnjak.1011: Also received in July, 1995, this is a 1,011 byte 
           variant of the Khizhnjak virus described above.  It infects all 
           of the .COM files in the current directory when an infected 
           program is executed.  Files are infected in a manner like that 
           employed by Khizhnjak.509.  Infected files will have a file 
           length increase of 1,011 to 1,026 bytes with the virus being 
           located at the end of the file.  The program's date and time in 
           the DOS disk directory listing will have been updated to the 
           current system date and time when infection occurred.  The 
           following text strings are visible within the viral code: 
           "I /M" 
           "command.com" 
           "*.COM" 
           "MSTU proudly presents in 1994" 
           "(C)Copyleft IU7-42   Send your special thanks to FREZER" 
           The last two text strings indicated above are displayed as a 
           message on the system monitor when an infected program is 
           executed. 
           Origin:  Unknown  July, 1995. 
       Khizhnjak.1269: Also received in July, 1995, this is a 1,269 byte 
           variant of the Khizhnjak virus described above.  It infects two 
           of the .COM files in the current directory when an infected 
           program is executed.  Files are infected in a manner like that 
           employed by Khizhnjak.509.  Infected files will have a file 
           length increase of 1,269 to 1,283 bytes with the virus being 
           located at the end of the file.  The program's date and time in 
           the DOS disk directory listing will have the file date year 
           changed to "99" (or it will appear as "0107" in a DOS 3.3 DIR 
           directory listing).  The following text strings are visible 
           within the viral code: 
           "RETAL" 
           "*.com" 
           "PATH=C:\NC  ITY" 
           "command.com" 
           "BADWARE FROM OREL" 
           System hangs frequently occur when infected programs are 
           executed. 
           Origin:  Unknown  July, 1995. 
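
The size figures above support a simple integrity-check triage: compare a .COM file with its known-good size and see which variants the growth fits, including the pad-to-16 arithmetic described for Khizhnjak.509. The Python below is an added example, not part of the original entry; the name triage, the table layout and the sample bytes are assumptions constructed here, and some marker strings are shortened forms of the strings quoted above.

```python
# Added example: size-growth triage built from the figures in this entry.
# Row: (variant, min growth, max growth, padded, marker string or None)
# "padded" is True where the entry says the host is first padded to a
# multiple of 16 (Khizhnjak.509 and variants infected "in a manner like" it).
VARIANTS = [
    ("Khizhnjak.491",   491,  499, False, b".EXE COMMAND.COM"),
    ("Khizhnjak.306",   306,  317, False, None),
    ("Khizhnjak.419",   419,  435, True,  None),
    ("Khizhnjak.509",   509,  524, True,  b"Fox"),
    ("Khizhnjak.515",   515,  530, True,  None),
    ("Khizhnjak.560",   560,  575, True,  b"Killer-94!!"),
    ("Khizhnjak.565",   565,  580, True,  b"Killer-94!!"),
    ("Khizhnjak.586",   586,  597, False, b"/noexp$"),
    ("Khizhnjak.692.B", 692,  707, True,  b"command.com"),
    ("Khizhnjak.696",   696,  711, True,  b"command.com"),
    ("Khizhnjak.719",   719,  734, True,  b"comm"),
    ("Khizhnjak.731",   731,  746, True,  b"Fucking bug !!"),
    ("Khizhnjak.735",   735,  750, True,  b"(C)KosKon.MREI.1.93."),
    ("Khizhnjak.749",   749,  764, True,  b"I /M"),
    ("Khizhnjak.761",   761,  776, True,  b"OKN COMPANY MINSK"),
    ("Khizhnjak.823",   823,  838, True,  b"MGUL"),
    ("Khizhnjak.875",   875,  890, True,  b"Sveta Ltd.(c) 1993."),
    ("Khizhnjak.1011", 1011, 1026, True,  b"MSTU proudly presents in 1994"),
    ("Khizhnjak.1269", 1269, 1283, True,  b"BADWARE FROM OREL"),
]

def triage(baseline_size, current):
    """Return [(variant, exact_padding_match, marker_found)] for a .COM file
    whose known-good size was baseline_size and whose bytes are now current."""
    growth = len(current) - baseline_size
    tail = current[baseline_size:]      # bytes appended since the baseline
    pad = -baseline_size % 16           # filler needed to reach a multiple of 16
    hits = []
    for name, lo, hi, padded, marker in VARIANTS:
        if not lo <= growth <= hi:
            continue                    # growth outside this variant's range
        exact = padded and growth == lo + pad
        found = marker is not None and marker in tail
        hits.append((name, exact, found))
    # Strongest evidence first: marker string, then exact padding arithmetic.
    return sorted(hits, key=lambda h: (not h[2], not h[1]))

# Constructed sample (inert filler, not viral code): a 1000-byte host, 8 pad
# bytes to reach 1008, then a 565-byte stand-in body carrying two of the
# strings listed for Khizhnjak.565.
HOST = b"\x90" * 1000
SAMPLE = HOST + b"\x00" * 8 + b"*.COM\x00Killer-94!!".ljust(565, b"\x00")

if __name__ == "__main__":
    for hit in triage(len(HOST), SAMPLE):
        print(hit)
```

A growth of 573 bytes falls inside the ranges of both Khizhnjak.560 and Khizhnjak.565; only the padding arithmetic separates them, which is why the baseline size matters and not just the difference.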
