Kolumna Virus


 Virus Name:  Kolumna 
 Aliases:     Kolumna.2048 
 V Status:    New 
 Discovered:  January, 1995 
 Symptoms:    .COM & .EXE growth; beeping; system hangs; 
              decrease in available free memory; 
              file date/time seconds = "62" 
 Origin:      Unknown 
 Eff Length:  2,048 Bytes 
 Type Code:   PRhA - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  F-Prot, IBMAV, AVTK, Sweep, ViruScan, NAVDX, 
                    VAlert, NAV, ChAV, PCScan, 
                    NProt, IBMAV/N, AVTK/N, Sweep/N, NShld, NAV/N, Innoc 4.0+ 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Kolumna virus was received in January, 1995.  Its origin or point 
       of isolation is unknown.  Kolumna is a memory resident infector of 
       .COM and .EXE files, but not COMMAND.COM. It does not infect small 
       .COM and .EXE files. 
 
       When the first Kolumna infected program is executed, this virus will 
       install itself memory resident at the top of system memory but below 
       the 640K DOS boundary, hooking interrupt 21.  Available free memory, 
       as indicated by the DOS CHKDSK program from DOS 5.0, will have 
       decreased by approximately 4,576 bytes.  Once memory resident, any 
       keystrokes on the system keyboard will be accompanied by a beep being 
       emitted on the system speaker. 
 
       Once the Kolumna virus is memory resident, it will infect .COM and 
       .EXE files when they are executed.  Infected programs will have a 
       file length increase of 2,048 bytes with the virus being located at 
       the end of the file.  The program's date and time in the DOS disk 
       directory listing will not appear to be altered, though the seconds 
       field will have been set to "62".  The following text strings are 
       encrypted within the viral code: 
 
               "ZAKAZ FOTOGRAFOWANIA!" 
               "I co teraz doktorku ?" 
               "Schklist.ms" 
               "Robal to ja !" 
               "Uprasza sie o niegrzebanie w cudzych wirusach." 
               "!! KOPIOWANIE ZABRONIONE !!" 
               "PLEASE DO NOT MAKE ILLEGAL COPIES OF THIS SOFTWARE" 
               "(...) Kolumna prochu nad pochodem." 
               "Rozstapi si posffuszne morze" 
               "Ze jdziemy nisko do czeluptci" 
               "Do pustych piekieff, oraz wy ej" 
               "Nieba sprawdzamy nieprawdziwo" 
               "I wyzwolony od przestrachu" 
               "W piasek si& zamieni caffy pochod" 
               "niesiony przez szyderczy wiatr." 
               "I tak ostatnie echo przejdzie" 
               "Po nieposffusznej pleptni ziemi" 
               "Zostanie tylko b&ben (...)." 
               "Wskoczcie do klozetu i stancie na glowie" 
               "ja zyje, a wyscie umarli panowie !" 
 
       When the Kolumna virus is memory resident, batch files may fail to 
       function properly.  Frequent system hangs also occur when the user 
       attempt to enter commands or execute programs on the system 
       keyboard. 
 
       Known variant(s) of Kolumna are: 
       Kolumna.1100: Received in January, 1996, this is a 1,100 byte 
           variant of the Kolumna virus described above.  Its size in 
           memory is 2,416 bytes, hooking interrupt 21.  It infects .COM 
           and .EXE files, though not small ones nor COMMAND.COM, when 
           they are executed.  Infected files will have a file length 
           increase of 1,100 bytes with the virus being located at the 
           end of the file.  The program's date and time in the DOS disk 
           directory listing will not be altered.  The following text 
           strings are encrypted within the viral code: 
           "I co sie tak gapisz wypierdku ?" 
           "chklist.ms" 
           Origin:  Unknown  January, 1996.

Show viruses from discovered during that infect .

Main Page