Zerobug | |
---|---|
Type | File virus |
Creator | |
Date Discovered | 1989.09 |
Place of Origin | The Netherlands |
Source Language | |
Platform | DOS |
File Type(s) | .com |
Infection Length | 1,536 bytes |
Reported Costs |
Zerobug is a 1989 DOS virus from the Netherlands. It has a small similarity to Vienna.
Behavior
When a file infected with Zerobug is executed, the virus uses the COSMPEC variable to look for COMMAND.COM. If it finds COMMAND.COM, it will infect files from directly from there. If not, the virus becomes memory resident. The virus prepends its 1,536 bytes to every .com file run. In a manner similar to Vienna, the virus marks infected files with the number 62 in the seconds field of the file's timestamp.
After a certain amount of time, the virus will replace any "0" displayed on the screen will be replaced by an ASCII smiley face (ASCII character 01).
The "DIR" command shows the infected files with their original sizes.
Variant
Zerobug.B is 1,840 bytes long. It does not use COSMPEC to infect COMMAND.COM. This variant will only infect .com files that are copied.
Name
Zerobug gets its name from the fact that it replaces all "0"'s with an ASCII smiley face. With antivirus vendors, it is almost universally known as "Zerobug', with a few very minor differences (some have a space between "Zero" and "bug").
Other Facts
In spite of the fact that the virus sets an infected file's seconds timestamp to 62, it is in nearly every other way different from Vienna. Some virus researchers have remarked that the virus was poorly coded.
Sources
F-Secure Antivirus, F-Secure Virus Descriptions : Zero Bug.
Securelist.com, Virus.DOS.Zerobug.1536.a.
Patricia Hoffman. VSUM, Zero Bug Virus.