Kiev 2049 Virus


 Virus Name:  Kiev 2049 
 Aliases:    
 V Status:    Rare 
 Discovered:  December, 1992 
 Symptoms:    .EXE file growth; decrease in available free memory; C: drive 
              boot sector altered; lost cluster or '.SYS file in C:\ 
 Origin:      USSR 
 Eff Length:  2,049 Bytes 
 Type Code:   PRsEB - Parasitic Resident .EXE & Hard Disk Boot Sector 
              Infector 
 Detection Method:  AVTK, ViruScan, NAV, NAVDX, PCScan, ChAV, 
                    Sweep/N, AVTK/N, NShld, Innoc, NAV/N, LProt 
 Removal Instructions:  Delete infected files & DOS SYS on C: drive 
 
 General Comments: 
       The Kiev 2049 virus was submitted in December, 1992.  It is from the 
       USSR.  Kiev 2049 is a memory resident infector of the C: drive boot 
       sector and .EXE files. 
 
       When the first Kiev 2049 infected program is executed, the Kiev 2049 
       virus will install itself on the C: drive boot sector, and create 
       a file named '.SYS in the C: drive root directory.  This file will 
       not usually appear in the directory, but will be a lost cluster on 
       the drive.  The file or lost cluster will contain a pure copy of the 
       Kiev 2049 viral code.  The virus will not be memory resident at this 
       time, and will not start infecting .EXE files. 
 
       The next time the system is booted from the system hard disk, the 
       Kiev 2049 virus will become memory resident as a device driver in 
       low system memory.  The device driver is 3,152 bytes, hooking 
       interrupt 21, and will be labelled with the name "NUL". 
 
       Once the Kiev 2049 virus is memory resident, it may infect .EXE 
       programs when they are executed, though it is somewhat sporadic about 
       when it will infect programs.  Infected programs will have a file 
       length increase of 2,051 to 2,064 bytes with the virus being 
       located at the end of the file.  The program's date and time in the 
       DOS disk directory listing will not be altered.  The following text 
       strings are visible within the viral code in all Kiev 2049 infected 
       programs: 
 
               "KIEV" 
               "c:\'.sys" 
               "SYS CONFIG  SYS" 
               "IBM  3.2" 
               "CONFIG  SYS3" 
               "Non-System disk. Replace and press key" 
 
       The last three text strings are contained in the boot sector 
       embedded within the viral code. 
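
A heuristic check built from the strings and file growth listed above, as an added example that is not part of the original entry or of any listed scanner. The names `scan_exe` and `constructed_samples` and the verdict labels are hypothetical, and matching on these strings alone is an assumption, not a confirmed signature.

```python
import re

TAIL_WINDOW = 2064  # largest file growth given in the entry; the code sits at end of file
# Marker strings as printed in the entry. Runs of spaces may not have survived
# transcription exactly, so each run is matched as "one or more spaces" (assumption).
MARKERS = ["KIEV", "c:\\'.sys", "SYS CONFIG  SYS",
           "IBM  3.2", "CONFIG  SYS3", "Non-System disk. Replace and press key"]

def _pattern(text):
    words = [re.escape(w).encode("ascii") for w in text.split()]
    return re.compile(b" +".join(words))

PATTERNS = {m: _pattern(m) for m in MARKERS}

def scan_exe(data):
    """Look for the entry's marker strings in the tail of a DOS .EXE image."""
    if data[:2] not in (b"MZ", b"ZM"):      # DOS accepts either signature
        return {"verdict": "not-exe", "found": []}
    tail = data[-TAIL_WINDOW:]
    found = [m for m, rx in PATTERNS.items() if rx.search(tail)]
    if len(found) == len(MARKERS):
        verdict = "all-markers"
    elif found:
        verdict = "partial"                  # worth a manual look, not proof
    else:
        verdict = "no-markers"
    return {"verdict": verdict, "found": found}

def constructed_samples():
    """Constructed test data: a dummy MZ file, and the same file with only the
    marker strings (no viral code) appended in a 2,049-byte tail."""
    host = b"MZ" + bytes(510)
    tail = b"\x00".join(m.encode("ascii") for m in MARKERS).ljust(2049, b"\x00")
    return host, host + tail

if __name__ == "__main__":
    clean, marked = constructed_samples()
    for name, blob in (("clean", clean), ("marked", marked)):
        print(name, scan_exe(blob))
```

Only the last 2,064 bytes are searched, so a marker string that appears earlier in a large program is not reported.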
 
       It is unknown what Kiev 2049 does besides replicate. 
      
