There are two variants, which go by different names:
When the virus is loaded into memory, it hooks INT 21h and writes itself to the beginning of DOS executables that are accessed with the FindFirst (AH=4Eh) function. It avoids COMMAND.COM.
The virus stores the filename of the program to be infected in its code when appending itself to the file.
This is the initial release. Most programs infected by this virus fail to work and cause a system hang.
This is the bug-fix release. It has the same infection behavior and payload; the only difference is that programs infected by this variant may function properly.
The following table shows the memory usage of the variants.
|Variant|Memory usage in bytes|
You can obtain information by checking the MD5 hash codes.
When an infected program is run on the 1st of any month, the virus displays an ASCII-art message on a blue background:
毋忘我 KWOK'S VIRUS III
Translation (from Chinese):
Don't Forget Me
Plus the following message:
Made in Hong Kong (Shatin)
It also hangs the system.
Shatin.1637 has been identified as Kwok.1637 by some antivirus products.
The virus contains the internal text string:
DOS 1.12, DOS 1.10.2, DOS 2.0