The first discovery of this virus was made in late October, 1992.
The virus increases file size with approx. 1000-1100 bytes. A typical
value for this is 1032 bytes. Directly at the end of a infected file is
found the string "92.05.24.5lo.2.23MZ". This is the reason for the odd
name of this virus. Also, the virus carries the name of the infected
file within itself. Strings "????????.EXE" and "*.EXE" are visible
inside the virus code as well.
The virus stays resident and infects only EXE files. Whenever a EXE file
is ran the virus infects it and also one other EXE file. The virus
leaves its infection date and time into the directory entry, which makes
it easier to trace the virus path of infections.
The virus increases a counter within itself after every infection. The
counter is never checked, so the virus never activates. It is well
written and contains code which makes it impossible to dissassemble
automatically with programs such as Sourcer and DIS-DOC. This slows down
the examination of the code a bit.
The virus appends its code at the end of all infected files. It
recognises infected files by changing the field 0Ch in the EXE header
(maximum paragraphs to allocate in addition to executable's size) to
value of FFAAh. Also, the virus identifies itself from memory by using
an interrupt call of INT 21, AX=3521h which it has hooked. All the
checks work correctly and the virus won't infect files multiple times
and it installs itself to memory only once.
When the virus is active in the memory it is not discoverable by using
the command MEM /C. This is because the virus installs itself seemingly
to be part of the operating system. Free memory decreases by approx. two