Virus Name: Legozz
V Status: New
Discovered: July, 1995
Symptoms: .COM & .EXE growth; decrease in available free memory
Eff Length: 1,000 Bytes
Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector
Detection Method: F-Prot, AVTK, Sweep, NAV, NAVDX, ViruScan, IBMAV,
Sweep/N, NAV/N, AVTK/N, NProt, IBMAV/N, NShld, Innoc 4.0+
Removal Instructions: Delete infected files
The Legozz virus was received in July, 1995. Its origin or point of
isolation is unknown. Legozz is a memory resident infector of .COM
and .EXE files, including COMMAND.COM.
When the first Legozz infected program is executed, this virus will
install itself memory resident at the top of system memory but
below the 640K DOS boundary, not moving interrupt 12's return.
Available free memory, as indicated by the DOS CHKDSK program from
DOS 5.0, will have decreased by 5,632 bytes. Interrupt 21 will be
hooked by the virus in memory.
Once the Legozz virus is memory resident, it will infect .COM and
.EXE files, including COMMAND.COM, when they are executed. Infected
programs will have a file length increase of 1,000 bytes with the
virus being located at the end of the file. The program's date and
time in the DOS disk directory listing will not be altered. The
following text strings are encrypted within the viral code:
"Szetszedtem a geped! Rakd ossze, LEGO-zz!"
"MESTER (C) 1995"
It is unknown what the Legozz virus may do besides replicate.