Sarov Virus
Virus Name: Sarov
Aliases: Sarov.1000
V Status: New
Discovery: January, 1996
Symptoms: .COM file growth; file date/time seconds = "60"; decrease in available free memory; system hangs; DOS CHKDSK file allocation errors
Origin: Unknown
Eff Length: 1,000 Bytes
Type Code: PRhCK - Parasitic Resident .COM Infector
Detection Method: IBMAV, ViruScan, NAV, NAVDX, AVTK, F-Prot, PCScan, ChAV, IBMAV/N, NShld, NAV/N, AVTK/N, Innoc
Removal Instructions: Delete infected files
General Comments:
The Sarov or Sarov.1000 virus was received in January, 1996. Its
origin or point of isolation is unknown. Sarov is a memory resident
stealth type virus which infects .COM files, including COMMAND.COM.
It is a fast infector, quickly spreading on infected systems.
When the first Sarov infected program is executed, this virus will
install itself memory resident at the top of system memory but below
the 640K DOS boundary, without adjusting the memory size returned by
interrupt 12. Available free memory, as indicated by the DOS CHKDSK
program from DOS 5.0, will have decreased by 2,080 bytes. Interrupts
01, 08, 09 and 21 will be hooked by the virus in memory.
Once the Sarov virus is memory resident, it will infect .COM files
including COMMAND.COM, when they are executed or opened, but not
when copied. It does not infect small .COM files. Programs
infected with the Sarov virus will have a file length increase of
1,000 bytes, though this file length increase will be hidden when
the virus is memory resident. The virus will be located at the
end of the file. The program's date and time in the DOS disk
directory listing will not appear to be altered, though the seconds
field will have been set to "60". Sarov is an encrypted virus and
no text strings are visible within the viral code in infected
programs.
Systems infected with the Sarov virus may experience system hangs
when programs are executed, or possibly when a DOS DIR command is
issued. System hangs also occur if the user attempts to view the
viral code in memory or within infected programs. The DOS CHKDSK
program will indicate file allocation errors on all infected files
when the virus is memory resident.
Known variant(s) of Sarov are:
Sarov.1200.B: Also received in January, 1996, this is a 1,200
byte variant of the Sarov virus described above. Its size in
memory is 2,480 bytes, also hooking interrupts 01, 08, 09, and
21. It adds 1,200 bytes to the .COM files it infects, though
this file length increase will be hidden when the virus is
memory resident. The virus will be located at the end of the
file, and the program's date and time in the DOS disk directory
listing will have had the seconds field set to "60". The
following text string is encrypted within the viral code:
"BIL_92_Sarov"
System hangs and DOS CHKDSK file allocation errors may be
noted on infected systems, as with the Sarov virus above.
Origin: Unknown. Received January, 1996.
Sarov.1400: Also received in January, 1996, this is a 1,400
byte variant of the Sarov virus described above. Its size in
memory is 2,368 bytes, also hooking interrupts 01, 08, 09, and
21. It adds 1,400 bytes to the .COM files it infects, though
this file length increase will be hidden when the virus is
memory resident. The virus will be located at the end of the
file, and the program's date and time in the DOS disk directory
listing will have had the seconds field set to "60". The
following text string is encrypted within the viral code:
"BIL_92_Sarov"
System hangs and DOS CHKDSK file allocation errors may be
noted on infected systems, as with the Sarov virus above.
Origin: Unknown. Received January, 1996.
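The seconds = "60" marker shared by Sarov and both variants above is detectable because FAT stores seconds in a 5-bit field as seconds / 2, so a legitimate entry never decodes beyond 58. The following is an added example, not part of this VSUM entry, that decodes packed DOS times from directory entries, flags .COM files carrying the marker, and names the variant from the 1,000 / 1,200 / 1,400 byte growth against a known-clean size table; the DirEntry records, sizes and baseline are constructed for illustration.

```python
from typing import Dict, List, NamedTuple, Optional, Tuple

class DirEntry(NamedTuple):
    """One DOS directory entry: name, byte size, 16-bit FAT time."""
    name: str
    size: int
    packed_time: int  # bits 15-11 hours, 10-5 minutes, 4-0 seconds/2

def decode_dos_time(packed: int) -> Tuple[int, int, int]:
    """Unpack a FAT time word into (hours, minutes, seconds)."""
    hours = (packed >> 11) & 0x1F
    minutes = (packed >> 5) & 0x3F
    seconds = (packed & 0x1F) * 2  # 5-bit field stores seconds / 2
    return hours, minutes, seconds

def has_sarov_marker(entry: DirEntry) -> bool:
    """A real DOS timestamp never exceeds 58 seconds (field value 29);
    Sarov writes field value 30, which decodes to the impossible 60."""
    return decode_dos_time(entry.packed_time)[2] == 60

# Appended length of each variant described in the entry.
SAROV_GROWTH = {1000: "Sarov.1000", 1200: "Sarov.1200.B", 1400: "Sarov.1400"}

def classify_growth(entry: DirEntry, clean_sizes: Dict[str, int]) -> Optional[str]:
    """Name the variant whose appended length matches the growth over a
    known-clean baseline size; None when there is no baseline or no match."""
    base = clean_sizes.get(entry.name.upper())
    if base is None:
        return None
    return SAROV_GROWTH.get(entry.size - base)

def scan(entries: List[DirEntry], clean_sizes: Dict[str, int]) -> List[Tuple[str, str]]:
    """Report .COM files carrying the seconds=60 marker. Sizes are only
    trustworthy when read after a clean boot, since the resident virus
    hides the length increase; DIR never displays seconds, so the marker
    goes unnoticed in an ordinary listing."""
    findings = []
    for e in entries:
        if e.name.upper().endswith(".COM") and has_sarov_marker(e):
            label = classify_growth(e, clean_sizes) or "seconds=60 marker"
            findings.append((e.name, label))
    return findings

# Constructed sample listing and baseline (not real infected files).
MARKED = (10 << 11) | (30 << 5) | 30   # 10:30:60, the marker value
CLEAN = (10 << 11) | (30 << 5) | 14    # 10:30:28, a normal timestamp
SAMPLE = [DirEntry("COMMAND.COM", 47845 + 1000, MARKED),
          DirEntry("UTIL.COM", 8192 + 1200, MARKED),
          DirEntry("MORE.COM", 2546, CLEAN),
          DirEntry("README.TXT", 1200, MARKED)]
BASELINE = {"COMMAND.COM": 47845, "MORE.COM": 2546}
```

Running scan(SAMPLE, BASELINE) names COMMAND.COM as Sarov.1000 from its growth and reports UTIL.COM by marker only, since it has no baseline size; the non-.COM file is ignored even though it carries the marker value.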