San Lorenzo Virus
Virus Name: San Lorenzo
Aliases: San Lorenzo.1025
V Status: New
Discovery: June, 1996
Symptoms: .COM file growth; decrease in available free memory;
file date/time seconds = "58"; message displayed;
DOS CHKDSK file allocation errors
Origin: Unknown
Eff Length: 1,025 Bytes
Type Code: PRhCL - Parasitic Resident .COM Infector
Detection Method: ChAV, NAV, NAVDX, AVTK 7.68+, ViruScan 2.54+,
Innoc, NAV/N, AVTK/N 7.68+, NShld 2.33+
Removal Instructions: Delete & replace infected files after booting
from uninfected system diskette
General Comments:
The San Lorenzo virus was received in June, 1996. Its origin or
point of isolation is unknown. San Lorenzo is a memory-resident,
size-stealthing virus which infects .COM files, including
COMMAND.COM.
When the first San Lorenzo infected program is executed, this
virus will become memory resident at the top of system memory but
below the 640K DOS boundary, not moving interrupt 12's return.
Available free memory, as indicated by the DOS CHKDSK program from
DOS 5.0, will have decreased by 1,056 bytes. Interrupt 21
will be hooked by the virus in memory. The following message
will be displayed on the system monitor:
"Globo no existis. En el Bajo Flores vas a morir, sucio !
SAN LORENZO CAMPEON 1995
by Mantis King"
Once the San Lorenzo virus is memory resident, it will infect .COM
programs, including COMMAND.COM, when they are executed. Programs
infected with the San Lorenzo virus will have a file length increase
of 1,025 bytes with the virus being located at the end of the file,
though this file length increase will be hidden when the virus is
memory resident. The program's date and time in the DOS disk
directory listing will not appear to be altered, but the seconds
field will have been set to "58". The following text strings are
encrypted within the viral code:
"chklist.ms anti-vir.dat tbcheck"
"SAN LORENZO CAMPEON 1995"
"by Mantis King"
"El Ciclon de Boedo se la banca, tiene aguante !"
"Boca sos puto, policia y cagon !"
"Abuelo Comisario"
"Globo no existis. En el Bajo Flores vas a morir, sucio !"
The DOS CHKDSK program will indicate file allocation errors on all
infected files when the virus is memory resident. Execution of
.COM files will result in the above message being displayed.
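
Added example (not part of the original entry): DIR does not display the seconds field, so the "58" stamp described above only shows up when the raw 32-byte FAT directory entries are decoded. This sketch does that and flags .COM files that carry the stamp and are larger than 1,025 bytes. The function names and the sample directory are constructed for illustration.

```python
import struct

VIRUS_LENGTH = 1025    # effective length given in the entry
MARKER_SECONDS = 58    # seconds value the entry reports on infected files
ATTR_VOLUME, ATTR_DIR, ATTR_LFN = 0x08, 0x10, 0x0F

def parse_entries(raw):
    """Yield (name, ext, seconds, size) for live files in a raw FAT directory."""
    for off in range(0, len(raw) - 31, 32):
        entry = raw[off:off + 32]
        if entry[0] == 0x00:                 # end-of-directory marker
            break
        attr = entry[11]
        if entry[0] == 0xE5 or attr == ATTR_LFN or attr & (ATTR_VOLUME | ATTR_DIR):
            continue                         # deleted, long-name, label, subdir
        time_word, = struct.unpack_from("<H", entry, 22)
        size, = struct.unpack_from("<I", entry, 28)
        seconds = (time_word & 0x1F) * 2     # FAT keeps seconds in 2-second units
        name = entry[0:8].decode("ascii", "replace").rstrip()
        ext = entry[8:11].decode("ascii", "replace").rstrip()
        yield name, ext, seconds, size

def suspects(raw):
    """Return .COM files carrying the 58-second stamp that are big enough
    to hold a host plus the 1,025-byte virus body."""
    return [f"{name}.{ext}" for name, ext, seconds, size in parse_entries(raw)
            if ext == "COM" and seconds == MARKER_SECONDS and size > VIRUS_LENGTH]

def make_entry(name, ext, hour, minute, second, size, attr=0x20):
    """Build one constructed 32-byte directory entry for the sample data."""
    time_word = (hour << 11) | (minute << 5) | (second // 2)
    return struct.pack("<8s3sB10xHHHI", name.ljust(8).encode(),
                       ext.ljust(3).encode(), attr, time_word, 0x20C1, 2, size)

# Constructed sample directory (names, times and sizes are made up).
SAMPLE = b"".join([
    make_entry("COMMAND", "COM", 5, 0, 58, 48870),   # stamp + plausible size
    make_entry("EDIT", "COM", 5, 0, 0, 413),         # ordinary timestamp
    make_entry("NOTES", "TXT", 9, 30, 58, 2000),     # 58 s but not a .COM
    make_entry("TINY", "COM", 1, 2, 58, 900),        # too small to be infected
    b"\xe5" + make_entry("OLD", "COM", 1, 2, 58, 5000)[1:],  # deleted entry
    bytes(32),                                       # end-of-directory marker
])

if __name__ == "__main__":
    for hit in suspects(SAMPLE):
        print("check with a scanner:", hit)
```

A 58-second stamp also occurs on clean files, so hits are candidates for scanning rather than confirmed infections. Because the length increase is hidden while the virus is resident, read the directory after booting from an uninfected system diskette.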