Virus Database


Trojan.PKZ300b

Description Trojan.PKZ300b

PKZIP300 is distributed as a self-extracting archive named PKZ300B.EXE, 178981 bytes in length.
The archive contains five files. After extraction they are:
filename      len     what's that?
------------  ------  ------------
PKZINST.EXE   5328    this is the real trojan program
WHATSNEW.300  2417    WhatsNew from PkZip 2.04c, with 2.04c replaced by 3.0
COMPRESS.000  124005  ARJ 2.41, plus extra bytes
COMPRESS.001  116260  ARJ 2.41
FILE_ID.DIZ   101     DOC file, announces the package as Pkzip 3.0b

Only one of these files is the trojan: PKZINST.EXE. It was written in Turbo Pascal. When executed, it displays the message:
PKZIP (R) Install Utility Version 3.00b 4-05-950
Copr. 1989-1995 Pkware Inc. All Rights Reserved.
Pkzip Reg. U.S. Pat. and Tm. Off.
Initializing, this may take a few minutesall.

and executes two commands:
COMMAND.COM /C Format c: > NULL
COMMAND.COM /C deltree /y c: > NULL

Fortunately, the author of the trojan did not have enough computer knowledge, and the first command just waits for DOS confirmation:
WARNING: ALL DATA ON NON-REMOVABLE DISK
DRIVE C: WILL BE LOST!
Proceed with Format (Y/N)?

This request may be terminated either with a reset or with Ctrl-C/Break. In both cases the trojan is terminated without any harm to data. In the case of Ctrl-C it just informs the user:
Thanks for waiting, moron. You shouldn't have fucked with us.

and returns to DOS.
There is one more bug in the trojan: the redirection "> NULL" creates a file named NULL in the current directory. To suppress all messages, the author should have written "> NUL".
I see that the virus author learns DOS page by page in alphabetical order: he knows how to use the commands that start with "D" and "F", but he still hasn't reached the "N" (Null) instructions while reading his DOS User's Guide.
AVP detects this trojan under the name "Trojan.PKZ300b" in the extracted executable file, as well as in the self-extracting archive.


Muminki.902

Description Muminki.902

This is a non-dangerous, non-memory-resident, encrypted parasitic virus. It searches for COM files in the current directory, then in the C: and C:DOS directories, and writes itself to the end of each file. Depending on the system timer, the virus displays one of the following messages and returns control to DOS:
IZK=Muminki
;-)) Big smile for Guciu,Ganz,MadMi,Toros etc.$
Out of memory

The virus also contains the text string:
*.com C:*.com C:DOS*.com COMMAND.COM

Mummy family

Description Mummy family

These are very dangerous memory resident parasitic viruses. They hook INT 21h and write themselves to the end of EXE files that are executed or opened. Sometimes they erase the FAT of the current drive. The viruses contain the encrypted texts:
"Mummy.1353":
Mummy Version 1.0
Kaohsiung Senior School
Tzeng Jau Ming presents

"Mummy.1364":
PC Virus Mummy Ver. 2.1
Kaohsiung Senior School
Tzeng Jau Ming presents

"Mummy.1399":
Mummy Version 1.2
Kaohsiung Senior School
Tzeng Jau Ming presents
Series Number = [xxxxx]

"Mummy.1489":
>Mummy Version 1.00.00<
Kaohsiung Senior School
Tzeng Jau Ming presents
Series Number = [xxxxx]

    Copyright © 2005 Virus-Database.com