Kiev 2049 Virus
Virus Name: Kiev 2049
V Status: Rare
Discovered: December, 1992
Symptoms: .EXE file growth; decrease in available free memory; C: drive
boot sector altered; lost cluster or '.SYS file in C:\
Eff Length: 2,049 Bytes
Type Code: PRsEB - Parasitic Resident .EXE & Hard Disk Boot Sector
Detection Method: AVTK, ViruScan, NAV, NAVDX, PCScan, ChAV,
Sweep/N, AVTK/N, NShld, Innoc, NAV/N, LProt
Removal Instructions: Delete infected files & DOS SYS on C: drive

The Kiev 2049 virus was submitted in December, 1992. It is from the
USSR. Kiev 2049 is a memory resident infector of the C: drive boot
sector and .EXE files.

When the first Kiev 2049 infected program is executed, the Kiev 2049
virus will install itself on the C: drive boot sector, and create
a file named '.SYS in the C: drive root directory. This file will
not usually appear in the directory, but will be a lost cluster on
the drive. The file or lost cluster will contain a pure copy of the
Kiev 2049 viral code. The virus will not be memory resident at this
time, and will not start infecting .EXE files.

The next time the system is booted from the system hard disk, the
Kiev 2049 virus will become memory resident as a device driver in
low system memory. The device driver is 3,152 bytes, hooking
interrupt 21, and will be labelled with the name "NUL".

Once the Kiev 2049 virus is memory resident, it may infect .EXE
programs when they are executed, though it is somewhat sporadic about
when it will infect programs. Infected programs will have a file
length increase of 2,051 to 2,064 bytes with the virus being
located at the end of the file. The program's date and time in the
DOS disk directory listing will not be altered. The following text
strings are visible within the viral code in all Kiev 2049 infected

"SYS CONFIG SYS"
"Non-System disk. Replace and press key"

The last three text strings are contained in the boot sector
embedded within the viral code.

It is unknown what Kiev 2049 does besides replicate.