Syrian Virus


 Virus Name:  Syrian 
 Aliases:     Syrian.241 
 V Status:    New 
 Discovered:  January, 1995 
 Symptoms:    .COM & .EXE files overwritten; program corruption; 
              file date/time changes 
 Origin:      Unknown 
 Eff Length:  241 Bytes Overwriting 
 Type Code:   ORsAK - Overwriting Resident .COM & .EXE Infector 
 Detection Method:  F-Prot, AVTK, IBMAV, ViruScan, Sweep, NAV, 
                    NAVDX, VAlert, PCScan, ChAV, 
                    AVTK/N, IBMAV/N, NShld, Sweep/N, NProt, NAV/N, Innoc 4.0+ 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Syrian or Syrian.241 virus was received in January, 1995.  Its 
       origin or point of isolation is unknown.  Syrian is a memory 
       resident overwriting virus which infects .COM and .EXE files, 
       including COMMAND.COM.  It permanently corrupts the programs it 
       infects. 
 
       When the first Syrian infected program is executed, this virus will 
       install itself memory resident as a low system memory TSR.  Interrupt 
       21 wil be hooked by the virus in memory. 
 
       Once the Syrian virus is memory resident, it will infect .COM and 
       .EXE files, including COMMAND.COM, when they are executed.  Infected 
       programs will have the first 241 bytes overwritten by the viral 
       code.  The program's date and time in the DOS disk directory listing 
       will have been updated to the current system date and time when 
       infection occurred.  The following text strings are visible within 
       the viral code in all infected programs: 
 
               "Syrian Brain II" 
               "Bad command or filename" 
               "MS-DOS v4.22" 
               "Volume label for drive Z is Infected!" 
 
       Programs infected with the Syrian virus cannot be disinfected. 
       They must be deleted or erased and replaced within uninfected 
       copies. 
 
       Known variant(s) of Syrian are: 
       Syrian.412: Also received in January, 1995, this is a 412 byte 
             variant of the Syrian virus described above.  It overwrites 
             the first 412 bytes of the programs it infects.  This variant 
             contains the text strings: 
             "Syrian Brain II" 
             "Bad command or filename" 
             "C:\SYRIAN??.II? C:\*.BAT C:\*.SYS C:\*.COM C:\*.EXE 
              C:\AUTOEXEC.* C:\CONFIG.* C:\The C:\Syrian C:\Brain C:\II 
              C:\Has C:\Struck" 
             System hangs frequently occur when infected programs are 
             executed. 
             Origin:  Unknown  January, 1995.

Show viruses from discovered during that infect .

Main Page