SVC 6.0 Virus


 Virus Name:  SVC 6.0 
 Aliases:    
 V Status:    Common 
 Discovered:  October, 1991 
 Isolated:    United States 
 Symptoms:    .COM & .EXE growth; decrease in total system and available 
              memory; Master boot sector altered 
 Origin:      USSR 
 Eff Length:  4,644 Bytes 
 Type Code:   PRhAX - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  ViruScan, Sweep, AVTK, F-Prot, PCScan, 
                    IBMAV, NAV, NAVDX, VAlert, ChAV, 
                    NShld, Sweep/N, NProt, AVTK/N, NAV/N, IBMAV/N, Innoc, 
                    LProt 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The SVC 6.0 virus was discovered in the United States in October, 
       1991.  It is originally from the USSR.  SVC 6.0 is a memory 
       resident stealth virus which infects .COM and .EXE programs.  It 
       does not infect COMMAND.COM. 
 
       The first time a program infected with SVC 6.0 is executed, the 
       virus will become memory resident at the top of system memory but 
       below the 640K DOS boundary.  Total system and available free 
       memory, as measured by the DOS CHKDSK program, will have decreased 
       by 4,672 bytes.  Interrupts 08 and 21 will be hooked by the virus, 
       and interrupt 12's return will not have been moved.  The SVC 6.0 
       virus has actually allocated 68K of memory, though it only uses the 
       4,672 bytes. 
 
       If the first SVC 6.0 infected program was executed from the system 
       hard disk, the virus will have also infected the hard disk master 
       boot sector by altering three bytes.  The virus is then written 
       to the hard disk starting at side 0, cylinder 0, sector 2.  The 
       altered three bytes cause the virus to be executed when the system 
       is booted from the hard disk. 
 
       Once SVC 6.0 is memory resident, it will infect .COM and .EXE 
       programs when they are opened or executed.  Infected programs will 
       have a file size increase of 4,644 bytes, though the file size 
       increase will be hidden by the virus when it is memory resident. 
       SVC 6.0 will be located at the end of infected programs.  There 
       will be no change in the file's date and time in the DOS disk 
       directory. 
 
       SVC 6.0 is a true stealth virus.  When programs are read into 
       memory, it "disinfects" them, so a clean copy will be in memory. 
       As such, if SVC 6.0 is memory resident, anti-viral utilities may not 
       be able to detect the virus in the infected files. 
 
       Three text strings will be able to be found within infected programs 
       if the virus is not memory resident: 
 
               "(c) 1990-91 by SVC, Vers. 6.0" 
               "AIDSTEST.C" 
               "SVC 6.0" 
 
       It is unknown what SVC 6.0 does besides replicate. 
 
       Known variant(s) of SVC 6.0 are: 
       SVC 6.0-4677: A later version of SVC 6.0, this variant's size 
                 in memory is 4,704 bytes.  Like the SVC 6.0, it hooks 
                 interrupts 08 and 21.  Once memory resident, SVC 6.0-4677 
                 will infect .COM and .EXE programs when they are executed 
                 or opened for any reason.  Infected programs will have 
                 a file length increase of 4,677 bytes with the virus 
                 being located at the end of the file.  The file length 
                 increase is not visible when SVC 6.0-4677 is memory 
                 resident.  The infected program's date and time in the 
                 DOS disk directory listing will not be altered.  The 
                 following text strings are visible within the SVC 6.0-4677 
                 viral code: 
                 "/* (c) 1990-91 by Moscow SVC, Vers. 6.0 */" 
                 "AIDSTEST.C" 
                 "SVC 6.0" 
                 Like SVC 6.0, SVC 6.0-4677 is a full stealth virus. 
                 Origin:  USSR  October, 1992. 
       SVC 6.01: A later version of SVC 6.0, this variant's size in 
                 memory is 4,688 bytes.  Like the SVC 6.0, it hooks 
                 interrupts 08 and 21.  Once memory resident, SVC 6.01 
                 will infect .COM and .EXE programs when they are executed 
                 or opened for any reason.  Infected programs will have 
                 a file length increase of 4,661 bytes with the virus 
                 being located at the end of the file.  The file length 
                 increase is not visible when SVC 6.01 is memory resident. 
                 The infected program's date and time in the DOS disk 
                 directory listing will not be altered.  The following 
                 text strings are visible within the SVC 6.01 viral code: 
                 "/* (c) 1990 -91 by Moscow SVC, Vers. 6.0 */" 
                 "AIDSTEST.EXE" 
                 "Moscow SVC 6.01" 
                 Like SVC 6.0, SVC 6.01 is a full stealth virus. 
                 Origin:  USSR  July, 1992. 
       SVC 6.01-B: Functionally similar to the SVC 6.01 variant 
                 described above, this is a minor variant.  The text 
                 strings in this variant are: 
                 "/* (c) 1990-91 by Moscow SVC, Vers. 6.0 */" 
                 "AIDSTEST.EXE" 
                 "Moscow SVC 6.01" 
                 Origin:  USSR  October, 1992. 
 
       See:   SVC 3.1    SVC 4.0   SVC 5.0   SVC-2936   SVC.3241

Show viruses from discovered during that infect .

Main Page