Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Zaraza

This is a memory resident, multi-partite, encrypted and to some extend polymorphic virus with the code length of 1024 bytes. It consists of two, in fact independent parts. The virus attacks boot sector of diskettes and it is unique by infecting the files of DOS core (IO.SYS or IBMIO.SYS). When system is loaded from an infected diskette the virus tries to attack the first item of the root directory. It infects only disks that use 16 bites FAT. If there is not enough room for the copy of the system file at the end of the firs partition the infection does not take place. In the opposite case the virus makes a copy of the first item, copies its allocation string FAT and writes the changes into the FAT. After completing the infection the virus sets this item the attribute “Volume label” which serves as an indication of infected file. The infection is sometimes connected with the loss of an item of the root directory. The virus copies the original file IO.SYS or IBMIO.SYS to the end of the first partition. When the system is loaded next time the infected copy of the system file takes over the control. It decreases the amount of usable memory for DOS by 2 Kb, takes over service of the interrupt INT 13h and gives control to the original file IO.SYS or IBMIO.SYS. When the virus is active in the memory it infects diskettes in the drives. In the boot sector of the infected diskette the encrypted part of the virus ensuring infection of the hard disk is stored. The original boot sector and the part of the virus containing the code for infection of diskettes are stored in the last two sectors of the root directory. In August, upon loading the system the virus writes the following text on the screen:

B BOOT CEKTOPE - 3APA3A!

The text in the virus is not visible as it is encrypted. The text in Russian language informs that the boot sector is infected.

© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.