Krivmous Virus
Virus Name: Krivmous
Aliases:
V Status: Rare
Discovered: June, 1992
Symptoms: .COM & .EXE growth; message displayed; system hang
Origin: Bulgaria
Eff Length: 972 - 993 Bytes
Type Code: PNA - Parasitic Non-Resident .COM & .EXE Infector
Detection Method: ViruScan, AVTK, Sweep, F-Prot, IBMAV,
NAV, NAVDX, VAlert, PCScan, ChAV,
NShld, Sweep/N, Innoc, AVTK/N, LProt, NAV/N, IBMAV/N
Removal Instructions: Delete infected programs
General Comments:
The Krivmous virus was received in June 1992. It is originally from
Bulgaria. Krivmous is a non-resident direct action infector of
.COM and .EXE programs, but not COMMAND.COM. It will occasionally
display a message and have the system appear to be hung when an
infected program is executed.
When a program infected with the Krivmous virus is executed, this
virus will search the current directory to determine if there is
an uninfected .EXE program which the virus can infect. If an
uninfected .EXE program is found, the virus will infect it and
then the program the user was attempting to execute will run. If
an uninfected .EXE program is not found, the virus will then check
the current directory to determine if an uninfected .COM file can
be found, and infect it.
.COM programs infected by the Krivmous virus will have a file
length increase of 979 bytes with the virus being located at the
beginning of the file. .EXE programs will have a file length
increase of 972 to 993 bytes with the virus being located at the
end of the file. The program's date and time in the DOS disk
directory listing will not be altered.
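An added example (not part of the original entry, and not code from any
scanner listed above): a baseline comparison that flags files matching the
growth profile described here, which is needed because the unchanged date
and time mean the directory listing alone will not show the change. The
file names, sizes and timestamps are constructed, and the function name is
hypothetical.

```python
# Added example: compare a stored (size, timestamp) baseline with the
# current directory state and flag files that match the Krivmous profile.

COM_GROWTH = 979             # .COM growth stated in this entry
EXE_GROWTH = (972, 993)      # .EXE growth range stated in this entry


def krivmous_suspects(baseline, current):
    """Both arguments map file name -> (size_in_bytes, timestamp).

    Returns the sorted names whose size grew by the amounts given in this
    entry while the directory timestamp stayed the same.
    """
    suspects = []
    for name, (size, stamp) in current.items():
        if name not in baseline:
            continue                      # new file: nothing to compare
        old_size, old_stamp = baseline[name]
        upper = name.upper()
        if upper == "COMMAND.COM":
            continue                      # entry: COMMAND.COM is not infected
        delta = size - old_size
        if upper.endswith(".COM"):
            grew = delta == COM_GROWTH
        elif upper.endswith(".EXE"):
            grew = EXE_GROWTH[0] <= delta <= EXE_GROWTH[1]
        else:
            grew = False
        # Entry: date and time in the directory listing are not altered.
        if grew and stamp == old_stamp:
            suspects.append(name)
    return sorted(suspects)


# Constructed sample data (not taken from any real system).
T1, T2, T3 = "1991-04-09 05:00", "1991-11-11 05:00", "1992-07-01 09:30"
BASELINE = {"EDIT.COM": (413, T1), "FORMAT.COM": (22923, T1),
            "CHKDSK.EXE": (16200, T2), "COMMAND.COM": (47845, T1),
            "MORE.COM": (2618, T1), "SORT.EXE": (6938, T2)}
CURRENT = {"EDIT.COM": (1392, T1),       # +979, same timestamp
           "FORMAT.COM": (22923, T1),    # unchanged
           "CHKDSK.EXE": (17185, T2),    # +985, same timestamp
           "COMMAND.COM": (48824, T1),   # +979, but excluded by name
           "MORE.COM": (3597, T3),       # +979, timestamp changed
           "SORT.EXE": (8138, T2)}       # +1200, outside the range

if __name__ == "__main__":
    print(krivmous_suspects(BASELINE, CURRENT))
```

Files that grew but fall outside this profile, such as COMMAND.COM in the
sample data, still warrant a separate look; they simply do not match what
this entry describes.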
The Krivmous virus will occasionally display the following poem
when the user executes an infected program. The system will then
appear to be hung, though pressing Ctrl-C will usually return the
user to the DOS prompt:
"There was a crooked man, and he went a crooked mile,
He found a crooked sixpence against a crooked stile,
He bought a crooked cat, which caught a crooked mouse,
And they all lived together in a little crooked house."
The above message is not visible within infected programs as it
is encrypted within the virus.
Known variant(s) of Krivmous are:
Krivmous-B: Functionally equivalent to the Krivmous virus
described above, this variant has five bytes which
differ.
Origin: Bulgaria June, 1992