Knight Virus

Virus Name: Knight Aliases: Knight.1944 V Status: New Discovered: July, 1995 Symptoms: .COM & .EXE growth; file date/time seconds = "62"; decrease in available free memory; DOS CHKDSK file allocation errors Origin: Unknown Eff Length: 1,944 - 1,948 Bytes Type Code: PRhA - Parasitic Resident .COM & .EXE Infector Detection Method: AVTK, VAlert, NAV, NAVDX, IBMAV, ViruScan, F-Prot, ChAV, AVTK/N, NAV/N, IBMAV/N, NShld, Innoc 4.0+ Removal Instructions: Delete infected files General Comments: The Knight or Knight.1944 virus was received in July, 1995. Its origin or point of isolation is unknown. Knight is a memory resident stealth type virus which infects .COM and .EXE files, but not COMMAND.COM. When the first Knight infected program is executed, this virus will install itself memory resident at the top of system memory but below the 640K DOS boundary, not moving interrupt 12's return. Available free memory, as indicated by the DOS CHKDSK program from DOS 5.0, will have decreased by 2,560 bytes. Interrupts 20, 21, 27, 28, 2A, and 2F will be hooked by the virus in memory. Once the Knight virus is memory resident, it will infect .COM and .EXE files, but not COMMAND.COM, when they are executed or opened, but not on copy. Infected .COM files will have a file length increase of 1,948 bytes while .EXE files will have increased in size by 1,944 bytes. The Knight virus, however, hides this file length increase when the virus is memory resident. The viral code will be located at the end of the file. The program's date and time in the DOS disk directory listing will not appear to be altered, though the seconds field will have been set to "62". The following text string is visible within the viral code in all infected programs: "Night Knight!PSS" The DOS CHKDSK program will indicate file allocation errors on all infected programs when this virus is memory resident.