Sentinel Virus
Virus Name: Sentinel
Aliases: Sentinel-3, Sentinel-5, BC
V Status: Rare
Discovered: January, 1991
Symptoms: .COM & .EXE growth; decrease in available free memory;
system hangs; "Keyboard stuck key failure" message
Origin: Bulgaria
Eff Length: 4,625 Bytes
Type Code: PRHAK - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan, AVTK, F-Prot, Sweep, NAV, VAlert, IBMAV, NAVDX,
PCScan, ChAV, NShld, LProt, Sweep/N, Innoc, AVTK/N, NAV/N, IBMAV/N, NProt
Removal Instructions: Delete infected files
General Comments:
The Sentinel virus was submitted in January, 1991, and is from
Bulgaria. This virus is a memory resident infector of .COM and
.EXE files, and will infect COMMAND.COM. Unlike most viruses, this
virus was received with its original Turbo Pascal source code. It
may be purely a research virus at this time.
When the first program infected with Sentinel is executed, the
virus will install itself memory resident at the top of system
memory, but below the 640K DOS boundary. Interrupt 12's return is
not moved by the virus. Interrupt 21 will be hooked by the virus
in memory. COMMAND.COM, if not previously infected, will be
infected by Sentinel at this time as well.
After Sentinel is memory resident, it will infect .COM and .EXE
programs larger than 1K as they are opened or executed. Infected
programs will have a file length increase of 4,625 bytes, with the
virus located at the end of the file. This virus makes no
attempt to hide the file length increase. File date and time in
the disk directory are not altered by the virus.
The following text strings can be found at the very end of programs
infected with Sentinel:
"You won't hear me, but you'll feel me....
(c) 1990 by Sentinel.
With thanks to Borland."
Sentinel does not appear to do anything besides replicate.
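
The indicators given above for the original Sentinel (trailing text strings, 4,625 byte growth, hosts larger than 1K) can be turned into a simple file check. The following is an added example, not part of the original entry or of any listed scanner; the tail window size, the line separator in the sample and the sample file names are assumptions. It does not cover Sentinel-3 or Sentinel-5, which the entry says carry no readable strings.

```python
import os

# Values taken from the entry above.
GROWTH = 4625        # bytes appended by the original Sentinel
MIN_HOST = 1024      # only programs larger than 1K are infected
MARKERS = (
    b"You won't hear me, but you'll feel me",
    b"(c) 1990 by Sentinel.",
    b"With thanks to Borland.",
)
TAIL_WINDOW = 256    # assumption: how far back "the very end" extends


def check_sentinel(name, data):
    """Classify one file image as 'not-target', 'clean', 'suspicious'
    (some markers or implausible size) or 'match' (all markers, size fits)."""
    ext = os.path.splitext(name)[1].upper()
    if ext not in (".COM", ".EXE"):
        return "not-target"
    tail = data[-TAIL_WINDOW:]
    hits = sum(1 for m in MARKERS if m in tail)
    if hits == 0:
        return "clean"
    # An infected file is a host of more than 1K plus 4,625 bytes of virus.
    size_ok = len(data) > MIN_HOST + GROWTH
    return "match" if hits == len(MARKERS) and size_ok else "suspicious"


def scan(files):
    """files maps name -> bytes; returns only the names needing attention."""
    results = {}
    for name, data in files.items():
        verdict = check_sentinel(name, data)
        if verdict in ("match", "suspicious"):
            results[name] = verdict
    return results


# Constructed sample images: filler bytes only, no virus code.
TAIL = b"\r\n".join(MARKERS)          # separator is an assumption
SAMPLES = {
    "EDIT.COM": b"\x90" * 2000 + b"\x00" * (GROWTH - len(TAIL)) + TAIL,
    "SORT.EXE": b"MZ" + b"\x00" * 3000,
    "README.TXT": TAIL,
    "TINY.COM": b"\x90" * 100 + MARKERS[1],
}

if __name__ == "__main__":
    print(scan(SAMPLES))
```
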
Known variant(s) of Sentinel are:
Sentinel-3: Sentinel-3 is a 5,173 byte variant of the Sentinel
virus. Unlike Sentinel, though, it will hide the file
length increase on infected programs if it is memory
resident. Sentinel-3's size in memory is 5,328 bytes.
There are no recognizable text strings visible in
infected programs. Systems infected with Sentinel-3
will notice file allocation errors when executing the
DOS CHKDSK command when the virus is memory resident.
These errors do not occur with the original Sentinel
virus since it didn't attempt to hide the infected
program's file length increase.
Origin: Bulgaria May 1991
Sentinel-5: Sentinel-5 is a 5,402 byte variant of Sentinel-3.
When Sentinel-5 is memory resident, it will hide the
file length increase on infected programs. Like
Sentinel-3, executing the DOS CHKDSK program will
uncover file allocation errors when the virus is
memory resident. Sentinel-5 will not infect programs
smaller than 2K in size. Attempts to boot from an
infected COMMAND.COM program may result in the message
"Keyboard stuck key failure", though this does not
always occur. System hangs will occur if the user
attempts to view infected programs with a file editor
when Sentinel-5 is resident. Sentinel-5's size in
memory is 5,568 bytes. There are no readable text
strings within the viral code in Sentinel-5 infected
programs.
Origin: Bulgaria May 1991