Sofia Term Virus
Virus Name: Sofia Term
Aliases: Sofia Term.839
V Status: New
Discovered: July, 1994
Symptoms: .COM file growth; decrease in total system and available free memory
Origin: Unknown
Eff Length: 839 Bytes
Type Code: PRhCK - Resident Parasitic .COM Infector
Detection Method: F-Prot, AVTK, IBMAV, ViruScan, Sweep, NAV, NAVDX, VAlert, ChAV, NProt, AVTK/N, Sweep/N, IBMAV/N, NShld, NAV/N, Innoc 4.0+
Removal Instructions: Delete infected files
General Comments:
The Sofia Term, or Sofia Term.839, virus was received in July, 1994.
Its origin, or point of isolation, is unknown. Sofia Term is a
memory resident infector of .COM files, including COMMAND.COM.
When the first Sofia Term infected program is executed, this virus
will install itself memory resident at the top of system memory but
below the 640K DOS boundary, without changing the value returned by interrupt 12. Total
system and available free memory, as indicated by the DOS CHKDSK
program, will have decreased by 3,072 bytes. Interrupt 21 will be
hooked by the virus in memory. COMMAND.COM will also be infected at
this time if it was not previously infected.
Once this virus is memory resident, it will infect .COM files when
they are opened or executed. Programs infected with Sofia Term will
have a file length increase of 839 bytes with the virus being located
at the end of the file. Their date and time in the DOS disk directory
listing will not be altered. The following text string is visible within the
viral code in all infected programs:
"Sofia 1993 by TERMINATOR"
It is unknown what Sofia Term may do besides replicate.
Known variant(s) of Sofia Term are:
Sofia Term.887: Also received in July, 1994, Sofia Term.887 is
a later version of the Sofia Term virus described above.
Its size in memory is 8,192 bytes, hooking interrupt 21.
It infects .COM programs when they are executed, opened, or
copied. Infected programs, other than COMMAND.COM, will
have a file length increase of 887 bytes. In the case of
COMMAND.COM, there will be no file length increase as the
virus will overwrite 887 bytes of the slack (hex '00') area
at the end of the program. The infected program's date and
time in the DOS disk directory listing will not be altered.
The same text string as occurs in the original virus can be
found within this variant.
Origin: Unknown July, 1994.
Sofia Term.899: Received in July, 1995, this is an 899 byte
variant of the Sofia Term virus described above. Its size
in memory is 2,048 bytes, hooking interrupt 21. It infects
.COM files, other than COMMAND.COM, when they are executed
or opened, adding 899 bytes to the file's length. In the
case of COMMAND.COM, it infects the file when the virus
becomes memory resident, placing the virus in the last 899
bytes of hex "00" characters at the end of the file. The
file's date and time in the DOS disk directory listing will
not be altered. The text string from the original virus
also occurs in this variant.
Origin: Unknown July, 1995.
Sofia Term.1369: Received in January, 1996, this is a 1,369
byte variant of the Sofia Term virus described above. Its
size in memory is 3,072 bytes, hooking interrupt 21. It
infects .COM and .EXE files, but not COMMAND.COM, when they
are executed, opened, or copied, adding 1,369 bytes to the
file's length. In the case of COMMAND.COM, it infects the
file when the virus becomes memory resident, placing the
virus in the last 1,369 bytes of hex "00" characters at the
end of the file. The file's date and time in the DOS disk
directory listing will not appear to be altered, though the
seconds field will have been set to "62". The following
text string is visible within the viral code:
"Sofia 1994 by TERMINATOR"
This variant hides the file length increase on infected
files when it is memory resident. It also disinfects
programs as they are read into memory with the virus
memory resident. It does not infect very small .COM and
.EXE files.
Origin: Unknown January, 1996.
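
The indicators listed in this entry (the visible text string, the virus body located at the end of the file, and the "62" seconds field of Sofia Term.1369) can be combined into a simple static triage check. The following is an added example, not code from the original entry or from any of the listed products; the function names and sample data are constructed for illustration, and the time word is assumed to be the 16-bit value from the file's FAT directory entry.

```python
# Added example: static triage for the indicators this entry lists.
# Names (triage, dos_seconds, SAMPLE_*) are illustrative, not from any AV product.

# Marker text from the entry -> effective lengths of the variants that carry it.
MARKERS = {
    b"Sofia 1993 by TERMINATOR": (839, 887, 899),
    b"Sofia 1994 by TERMINATOR": (1369,),
}


def dos_seconds(time_word):
    """Seconds encoded in a 16-bit FAT directory time word (low 5 bits, 2 s units)."""
    return (time_word & 0x1F) * 2


def triage(data, time_word=None):
    """Report which of the entry's indicators a file image matches."""
    result = {"marker": None, "candidates": [], "seconds_62": False}
    for marker, lengths in MARKERS.items():
        pos = data.rfind(marker)
        if pos == -1:
            continue
        result["marker"] = marker.decode("ascii")
        # The viral code sits at the end of the file, so a real hit lies
        # within <variant length> bytes of EOF. A marker further from EOF
        # is more likely a document or signature file quoting the string.
        distance = len(data) - pos
        result["candidates"] = [n for n in lengths if distance <= n]
        break
    if time_word is not None:
        # 62 is not a valid clock value; raw field 31 decodes to it.
        result["seconds_62"] = dos_seconds(time_word) == 62
    return result


# Constructed samples (no viral code): filler bytes plus the marker text only.
_HOST = b"\x90" * 200 + b"\xc3"
SAMPLE_TAIL_839 = _HOST + b"\x00" * 100 + b"Sofia 1993 by TERMINATOR" + b"\x00" * 715
SAMPLE_QUOTED = b"text: Sofia 1994 by TERMINATOR " + b"x" * 4000
SAMPLE_TIME_62 = (12 << 11) | (30 << 5) | 31   # 12:30:62 as stored on disk

if __name__ == "__main__":
    print(triage(SAMPLE_TAIL_839))
    print(triage(SAMPLE_QUOTED, SAMPLE_TIME_62))
```

Because Sofia Term.1369 hides the length increase and disinfects programs as they are read while it is memory resident, a check like this is only meaningful when the disk is examined from a clean boot.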