Zerobug
Zerobug
Type File virus
Creator
Date Discovered 1989.09
Place of Origin The Netherlands
Source Language
Platform DOS
File Type(s) .com
Infection Length 1,536 bytes
Reported Costs

Zerobug is a 1989 DOS virus from the Netherlands. It has a small similarity to Vienna.

Behavior

When a file infected with Zerobug is executed, the virus uses the COSMPEC variable to look for COMMAND.COM. If it finds COMMAND.COM, it will infect files from directly from there. If not, the virus becomes memory resident. The virus prepends its 1,536 bytes to every .com file run. In a manner similar to Vienna, the virus marks infected files with the number 62 in the seconds field of the file's timestamp.

After a certain amount of time, the virus will replace any "0" displayed on the screen will be replaced by an ASCII smiley face (ASCII character 01).

The "DIR" command shows the infected files with their original sizes.

Variant

Zerobug.B is 1,840 bytes long. It does not use COSMPEC to infect COMMAND.COM. This variant will only infect .com files that are copied.

Name

Zerobug gets its name from the fact that it replaces all "0"'s with an ASCII smiley face. With antivirus vendors, it is almost universally known as "Zerobug', with a few very minor differences (some have a space between "Zero" and "bug").

Other Facts

In spite of the fact that the virus sets an infected file's seconds timestamp to 62, it is in nearly every other way different from Vienna. Some virus researchers have remarked that the virus was poorly coded.

Sources

F-Secure Antivirus, F-Secure Virus Descriptions : Zero Bug.

Securelist.com, Virus.DOS.Zerobug.1536.a.

Patricia Hoffman. VSUM, Zero Bug Virus.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License