Virus Name: CheckSum
Aliases: CheckSum 1.00, CkSum
V Status: Rare
Discovery: January, 1992
Symptoms: .COM file growth; decrease in total system & available free
memory; system hangs
Eff Length: 1,233 Bytes
Type Code: PRhCK - Parasitic Resident .COM Infector
Detection Method: Sweep, F-Prot, ViruScan, AVTK, ChAV,
NAV, IBMAV, NAVDX, VAlert, PCScan,
NShld, Sweep/N, Innoc, NProt, AVTK/N, NAV/N, IBMAV/N,
Removal Instructions: Delete infected files
The CheckSum virus was submitted in January, 1992. It is originally
from Poland. CheckSum is a memory resident infector of .COM
programs, including COMMAND.COM.
The first time a program infected with the CheckSum virus is
executed, the CheckSum virus will install itself memory resident
at the top of system memory but below the 640K DOS boundary.
Interrupt 12's return will not have been moved. Total system and
available free memory, as measured by the DOS CHKDSK program, will
have decreased by 1,264 bytes. Interrupt 21 will be hooked by the
virus in memory.
Once the CheckSum virus is memory resident, it will infect .COM
programs, including COMMAND.COM, when they are executed. Programs
infected with the CheckSum virus will have a file length increase
of 1,233 bytes with the virus being located at the end of the
infected file. There will be no change to the file's date and time
in the DOS disk directory listing.
Systems infected with the CheckSum virus may experience frequent
system hangs. These hangs sometimes occur when the virus attempts
to infect a program, and later when the user attempts to execute
the program again.
Known variant(s) of CheckSum are:
CheckSum 1.01: Similar to the original CheckSum virus, this
is one byte shorter, adding 1,232 bytes to the .COM
programs it infects.
Origin: Poland January, 1992.
CheckSum 1.01B: Functionally similar to CheckSum 1.01B, this
variant has six bytes which differ.
Origin: Poland August, 1992.
CheckSum-1569: Based on the CheckSum virus, this variant has
been updated so that it can also infect .EXE programs.
Its size in memory is 1,600 bytes, hooking interrupt 21.
It infects .COM and .EXE programs when they are executed,
adding 1,569 bytes to the file length. The virus will
be located at the end of the file. Most infected .EXE
programs will not execute properly, resulting in a
"Divide overflow" error and the user being returned to the
Origin: Unknown November, 1992.