CheckSum Virus


 Virus Name:  CheckSum 
 Aliases:     CheckSum 1.00, CkSum 
 V Status:    Rare 
 Discovery:   January, 1992 
 Symptoms:    .COM file growth; decrease in total system & available free 
              memory; system hangs 
 Origin:      Poland 
 Eff Length:  1,233 Bytes 
 Type Code:   PRhCK - Parasitic Resident .COM Infector 
 Detection Method:  Sweep, F-Prot, ViruScan, AVTK, ChAV, 
                    NAV, IBMAV, NAVDX, VAlert, PCScan, 
                    NShld, Sweep/N, Innoc, NProt, AVTK/N, NAV/N, IBMAV/N, 
                    LProt 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The CheckSum virus was submitted in January, 1992.  It is originally 
       from Poland.  CheckSum is a memory resident infector of .COM 
       programs, including COMMAND.COM. 
 
       The first time a program infected with the CheckSum virus is 
       executed, the CheckSum virus will install itself memory resident 
       at the top of system memory but below the 640K DOS boundary. 
       Interrupt 12's return will not have been moved.  Total system and 
       available free memory, as measured by the DOS CHKDSK program, will 
       have decreased by 1,264 bytes.  Interrupt 21 will be hooked by the 
       virus in memory. 
 
       Once the CheckSum virus is memory resident, it will infect .COM 
       programs, including COMMAND.COM, when they are executed.  Programs 
       infected with the CheckSum virus will have a file length increase 
       of 1,233 bytes with the virus being located at the end of the 
       infected file.  There will be no change to the file's date and time 
       in the DOS disk directory listing. 
 
       Systems infected with the CheckSum virus may experience frequent 
       system hangs.  These hangs sometimes occur when the virus attempts 
       to infect a program, and later when the user attempts to execute 
       the program again. 
 
       Known variant(s) of CheckSum are: 
       CheckSum 1.01: Similar to the original CheckSum virus, this 
                 is one byte shorter, adding 1,232 bytes to the .COM 
                 programs it infects. 
                 Origin:  Poland  January, 1992. 
       CheckSum 1.01B: Functionally similar to CheckSum 1.01B, this 
                 variant has six bytes which differ. 
                 Origin:  Poland  August, 1992. 
       CheckSum-1569: Based on the CheckSum virus, this variant has 
                 been updated so that it can also infect .EXE programs. 
                 Its size in memory is 1,600 bytes, hooking interrupt 21. 
                 It infects .COM and .EXE programs when they are executed, 
                 adding 1,569 bytes to the file length.  The virus will 
                 be located at the end of the file.  Most infected .EXE 
                 programs will not execute properly, resulting in a 
                 "Divide overflow" error and the user being returned to the 
                 DOS prompt. 
                 Origin:  Unknown  November, 1992.

Show viruses from discovered during that infect .

Main Page