Sov Virus
Virus Name: Sov
Aliases: Leningrad, Sov-545, Sov-602
V Status: Rare
Discovered: December, 1991
Symptoms: .COM file growth
Origin: Unknown
Eff Length: See Below
Type Code: PNCK - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan, Sweep, AVTK, PCScan, ChAV,
F-Prot, NAV, IBMAV, NAVDX, VAlert,
NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N,
NAV/N, IBMAV/N
Removal Instructions: Delete infected files
General Comments:
The Sov virus is actually two viruses received in December, 1991.
Their origin is unknown. Both viruses are non-resident, direct-action
infectors of .COM programs, including COMMAND.COM. Since
their characteristics are similar, they will be described jointly
as Sov, with their differences noted under variants below.

When a Sov-infected program is executed, the Sov virus will infect
one .COM file located in the current directory. If COMMAND.COM
is located in this directory, it may become infected. Sov-infected
programs will have a file length increase which depends on which
of the viruses is present (see below). The virus will be located
at the end of the file. There will be no change to the file's
date and time in the DOS disk directory listing.

It is unknown if the Sov viruses do anything besides replicate.

Known Sov viruses are:
Sov-545: One of the two Sov viruses received in December, 1991,
         this variant adds 545 to 599 bytes to the files it
         infects. The following text strings will be found in the
         viral code in infected files:
             "*.COM"
             "PATH="
             "That could be a crash, crash, crash"

Sov-602: One of the two Sov viruses received in December, 1991,
         this variant adds 602 to 616 bytes to the files it
         infects. The following text strings will be found in the
         viral code in infected files:
             "*.COM"
             "PATH="

See: Leningrad II
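
Added example (not part of the original entry or of any scanner it lists): a Python triage heuristic built only from the traits given above, namely code appended at the end of a .COM file, the stated growth ranges, and the listed text strings. It assumes the strings are stored as plain ASCII; the function names and the sample bytes are constructed for illustration.

```python
import os
from typing import Iterator, Optional, Tuple

# Traits copied from the entry: (variant, min/max bytes added, listed strings).
# Most specific variant first, because Sov-602's strings are a subset of Sov-545's.
VARIANTS = [
    ("Sov-545", 545, 599, (b"*.COM", b"PATH=", b"That could be a crash, crash, crash")),
    ("Sov-602", 602, 616, (b"*.COM", b"PATH=")),
]

def classify_com(data: bytes) -> Optional[str]:
    """Return the variant whose listed strings all sit in the file's tail, else None."""
    for name, min_growth, max_growth, markers in VARIANTS:
        if len(data) <= min_growth:   # host plus appended code must exceed the growth
            continue
        tail = data[-max_growth:]     # the entry places the virus at the end of the file
        if all(m in tail for m in markers):
            return name
    return None

def scan_directory(path: str) -> Iterator[Tuple[str, str]]:
    """Yield (file name, variant) for every .COM file in `path` that matches."""
    for entry in sorted(os.listdir(path)):
        full = os.path.join(path, entry)
        if entry.upper().endswith(".COM") and os.path.isfile(full):
            with open(full, "rb") as fh:
                hit = classify_com(fh.read())
            if hit:
                yield entry, hit

def constructed_sample(host_len: int, growth: int, markers) -> bytes:
    """Constructed test data: filler bytes plus the listed strings, no viral code."""
    body = b"".join(markers)
    return b"\x00" * host_len + body + b"\x00" * (growth - len(body))

if __name__ == "__main__":
    samples = {
        "clean": b"\x00" * 2000,
        "sov545-like": constructed_sample(2000, 545, VARIANTS[0][3]),
        "sov602-like": constructed_sample(2000, 602, VARIANTS[1][3]),
    }
    for label, blob in samples.items():
        print(label, "->", classify_com(blob))
```

A Sov-602 match rests on two strings that clean DOS programs can also contain, so treat it as a lead to confirm with one of the scanners listed under Detection Method rather than as a verdict.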