Virus Name: Katvir
V Status: New
Discovered: January, 1996
Symptoms: .COM file growth; file date/time changes; message displayed;
decrease in available free memory
Eff Length: 623 Bytes
Type Code: PRhCK - Parasitic Resident .COM Infector
Detection Method: F-Prot, AVTK, IBMAV, NAV, NAVDX, ChAV, ViruScan,
Innoc, AVTK/N, IBMAV/N, NAV/N, NShld
Removal Instructions: Delete infected files
The Katvir virus was received in January, 1996. Its origin or point
of isolation is unknown. It is a memory resident infector of .COM
files, including COMMAND.COM.
When the first Katvir infected program is executed, this virus will
install itself memory resident at the top of system memory but below
the 640K DOS boundary, not moving interrupt 12's return. Total
available free memory, as indicated by the DOS CHKDSK program from
DOS 5.0, will have decreased by approximately 9,216 bytes.
Interrupt 21 will be hooked by the virus in memory.
Once the Katvir virus is memory resident, it will infect .COM files
when they are executed. Infected files will have a file length
increase of 623 bytes with the virus being located at the end of
the file. The program's date and time in the DOS disk directory
listing will have been updated to the current system date and time
when infection occurred. The following text strings are visible
within the viral code in all infected programs:
"Dzieciatka wylewaja niewinnie lzy"
"bo czuja nieszczescie"
"choc go nie pojmuja... - KatVir by Warlock from III LO in
The last text string indicated above can be found at the very end
of all infected files.
This virus may display characters from system memory including the
above text strings when infections occur.