Sorlec Virus


 Virus Name:  Sorlec 
 Aliases:     Sorlec 3 
 V Status:    Rare 
 Discovered:  February, 1993 
 Symptoms:    .COM &.EXE file growth; system hangs; decrease in total 
              system & available free memory 
 Origin:      Unknown 
 Eff Length:  597 Bytes 
 Type Code:   PRhAK - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  AVTK, F-Prot, ViruScan, Sweep, NAV, IBMAV, PCScan, 
                    NAVDX, VAlert, ChAV, 
                    NShld, AVTK/N, Sweep/N, NAV/N, IBMAV/N, LProt, Innoc 4.0+ 
 Removal Instructions:  Delete infected files 
  
 General Comments: 
       The Sorlec, or Sorlec 3, virus was submitted in February, 1993.  Its 
       origin or point of isolation is unknown.  Sorlec is a memory resident 
       infector of .COM and .EXE programs, including COMMAND.COM. 
 
       When a program infected with the Sorlec virus is executed, the 
       Sorlec virus will install itself memory resident at the top of system 
       memory but below the 640K DOS boundary.  Interrupt 21 will have been 
       hooked by the virus in memory. 
 
       Once the Sorlec virus is memory resident, it will infect .COM and 
       .EXE programs, including COMMAND.COM, when they are executed. 
       Infected programs will have a file length increase of 597 bytes with 
       the virus being located at the end of the file.  The program's date 
       and time in the DOS disk directory listing will not be altered.  The 
       following text strings can be found within the viral code in all 
       Sorlec infected programs: 
 
               "CLtV" 
               "Sorlec 3 - Virus Detonaton!" 
 
       System hangs frequently occur on system infected with the Sorlec 
       virus. 
 
       Known variant(s) of Sorlec are: 
       Sorlec 4: Received in February, 1993, Sorlec 4 is a later 
                 version of the Sorlec virus described above.  This 
                 variant's size in memory is 10,240 bytes, hooking 
                 interrupt 21.  It infects .EXE programs when they are 
                 executed, adding 553 bytes to the file's length.  The 
                 program's date and time in the DOS disk directory listing 
                 will not be altered.  The following text strings are 
                 encrypted within the viral code: 
                 "MSDOS.SYS" 
                 "Sorlec 4" 
                 Origin:  Unknown  February, 1993. 
       Sorlec 5: Also received in February, 1993, Sorlec 5 is a non- 
                 resident version of the Sorlec virus.  It infects all of 
                 the .EXE files in the current directory when an infected 
                 program is executed.  Infected programs will have a file 
                 length increase of 535 bytes with the virus being located 
                 at the end of the file.  The program's date and time in 
                 the DOS disk directory listing will not be altered.  The 
                 following text string is encrypted within the viral code: 
                 "Sorlec 5 *.EXE .." 
                 Origin:  Unknown  February, 1993. 
       Sorlec 6: Received in November, 1993, Sorlec 6 is a non-resident 
                 version of the Sorlec virus.  It infects all of the .COM 
                 and .EXE files in the current directory when an infected 
                 program is executed.  Infected programs will have a file 
                 length increase of 565 bytes with the virus being located 
                 at the end of the file.  The program's date and time in 
                 the DOS disk directory listing will not be altered.  The 
                 following text string is encrypted within the viral code: 
                 "..1... ... 1 *.EXE *.COM .." 
                 Infected programs will usually not function properly, 
                 resulting in a system hang. 
                 Origin:  Unknown  November, 1993.

Show viruses from discovered during that infect .

Main Page