Virus Name: EVCZ
V Status: New
Discovered: February, 1995
Symptoms: .COM & .EXE file corruption; file date/time changes
Eff Length: 161 Bytes (Overwriting)
Type Code: ORsAK - Overwriting Resident .COM & .EXE Infector
Detection Method: F-Prot, AVTK, Sweep, ViruScan, NAVDX, VAlert, NAV,
IBMAV, PCScan, ChAV,
NProt, AVTK/N, Sweep/N, NShld, NAV/N, IBMAV/N, LProt
Removal Instructions: Delete infected files
The EVCZ virus was received in February, 1995. Its origin or point
of isolation is unknown. EVCZ is a memory resident overwriting
virus which infects .COM and .EXE files, including COMMAND.COM. It
permanently corrupts the programs it infects.
When the first EVCZ infected program is executed, this virus will
install itself memory resident as a low system memory TSR. Interrupt
21 will be hooked by the virus in memory.
Once the EVCZ virus is memory resident, it will infect .COM and .EXE
files, including COMMAND.COM, when they are executed. Infected
programs will have the first 161 bytes overwritten by the viral
code. The program's date and time in the DOS disk directory listing
will have been updated to the current system date and time when
infection occurred. The following text strings are visible within
the viral code in all infected programs:
"MaKe ViRii oUT T aSS"
Programs infected with the EVCZ virus will not function properly,
usually returning the user to the system prompt when executed. Once
COMMAND.COM becomes infected, boot failures may occur.