Virus Name: Kaczor
V Status: In the wild
Discovered: July, 1996
Symptoms: .EXE file growth; file date/time seconds = "62";
decrease in available free memory; master boot sector altered;
DOS CHKDSK file allocation errors
Eff Length: 4,444 Bytes
Type Code: PRhEX - Parasitic Resident .EXE & MBR Infector
Detection Method: F-Prot, AVTK, IBMAV, ViruScan, NAV, NAVDX, ChAV,
Innoc, AVTK/N, IBMAV/N, NShld, NAV/N
Removal Instructions: Delete infected files & Replace MBR
The Kaczor virus was received in July, 1996, and is reported to be
"in the wild". It appears to be from Poland. Kaczor is a memory
resident stealth, multi-partite virus which infected the system
hard disk master boot sector as well as .EXE files. It appears to
be at least slightly polymorphic as well.
When the first Kaczor infected program is executed, this virus will
become memory resident at the top of system memory but below the
640K DOS boundary, not moving interrupt 12's return. Available
free memory, as indicated by the DOS CHKDSK program from DOS 5.0,
will have decreased by 6,144 bytes. Interrupts 13 and 21 will be
hooked by the virus in memory. Also at this time, the virus will
infect the system hard disk master boot sector if it was not
previously infected, resulting in any boot of the system from the
system hard disk making the virus memory resident.
Once the Kaczor virus is memory resident, it will infect .EXE files
when they are executed, opened, or copied. Infected files will
have a file length increase of 4,444 bytes, though this file length
increase will be hidden by the virus when it is memory resident.
The viral code will be located at the end of the file. The program's
date and time in the DOS disk directory listing will not appear to
be altered, though the seconds field will have been set to "62".
The following text strings are encrypted within the viral code:
"K a c.z,o r!!t e s t"
The DOS CHKDSK program will indicate file allocation errors on all
infected files when this virus is memory resident.