There are 5 variants in 3 versions, represented by the following:
The virus first checks the version of the operating system; if it is later than 5.0, the virus simply exits and nothing is installed or infected.
When the virus is loaded into memory, it hooks INT 21h and writes itself to the end of executables that are run.
The virus does not infect files whose filenames contain any of these substrings:
TB AV SC IV
The virus hides its TSR code when MEM.EXE is run, so the program reports only 48 bytes less free system memory. If MEM is renamed to another filename and run, the actual memory usage is shown.
The virus removes itself from memory when WIN.EXE is run.
The virus uses a fairly complex method to obtain the original address of the INT 21h handler: it disassembles the code of the INT 21h handlers up to the original handler in the DOS kernel.
The following table shows the memory usage of the variants.
|Variant||Memory usage in bytes|
This variant does not manifest itself.
Zohra.4382, 4488, 4516 and 4525
On April 14th, if the virus is already in memory, it waits for a program to be executed; when triggered, it quickly shifts the characters on screen. After a while the virus clears the screen line by line from the top and bottom toward the center of the screen, then displays the message in green and hangs the system.
Zohra Crack (c) SunSoft
Zohra.4488, 4516 and 4525:
Zohra will live forever ! Necromancy with her...
This family has 5 variants in total:
Zohra.4160 and 4382 belong to other creator(s).
Zohra.4382 contains the encrypted internal text strings:
[Zohra] Crack (c) SunSoft Ralph Roth
Zohra.4488, 4516 and 4525 contain the encrypted internal text strings:
[Zohra] virus by Wintermute/29A, dedicated to the best Necromancer of the Forgotten Realms,... I assure you will live forever, my love... ;)