SysLock Virus

Virus Name: SysLock Aliases: 3551, 3555 V Status: Endangered Discovered: November, 1988 Symptoms: .COM & .EXE growth; data file corruption Origin: Eff Length: 3,551 Bytes Type Code: PNA - Encrypting Non-Resident .COM & .EXE Infector Detection Method: ViruScan, F-Prot, AVTK, NAV, Sweep, IBMAV, NAVDX, VAlert, PCScan, ChAV, NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, NAV/N, IBMAV/N Removal Instructions: F-Prot, or delete infected files General Comments: The SysLock virus is a parasitic encrypting virus which infects both .COM and .EXE files, as well as damaging some data files on infected systems. This virus does not install itself memory resident, but instead searches through the .COM and .EXE files and subdirectories on the current disk, picking one executable file at random to infect. The infected file will have its length increased by approximately 3,551 bytes, though it may vary slightly depending on file infected. The SysLock virus will damage files by searching for the word "Microsoft" in any combination of upper and lower case characters, and when found replace the word with "MACROSOFT". If the SysLock virus finds that an environment variable "SYSLOCK" exists in the system and has been set to "@" (hex 40), the virus will not infect any programs or perform string replacements, but will instead pass control to its host immediately. Known variant(s) of SysLock are: Advent: Reported to be a SysLock variant, the sample of this virus received by the author does not replicate. All known samples of this virus available from anti-viral researchers also do not replicate. Fridrik Skulason of Iceland has indicated that this virus will only replicate it is on an infected .EXE file, and then it will only infect .COM files. This variant is thought to be extinct. Advent-B: Received from the NCSA is September, 1991, Advent-B is a bug fixed version of the Advent variant. Advent-B may infect one .COM or .EXE program in the current directory each time an infected program is executed. It will, however, only infect the first few files in the current directory. Infected files will increase in size by 2,768 to 2,783 bytes with the virus being located at the end of the infected program. The program's date and time in the disk directory will not be altered. Like Advent, Advent-B will activate in December, at which time it will randomly activate, displaying four candles and playing "On Tannenbaum" on the system speaker. Cookie: Based on the SysLock virus, Cookie is a variant which is considerably shorter in length. It is a non-resident, direct action infector of .COM and .EXE programs, including COMMAND.COM. It infects one .COM or .EXE program located in the current directory each time an infected program is executed. Infected programs will have a file length increase of 2,232 to 2,251 bytes with the virus being located at the end of the file. The file's date and time in the DOS disk directory listing. Systems infected with Cookie may experience system hangs when some infected programs are executed. In some cases, the infected program will stop functioning properly after a number of executions. This virus has been reported to display the message "I want a COOKIE!", though the sample received doesn't exhibit this behavior. Origin: Europe January, 1991. Macho-A: same as the SysLock virus, except that "Microsoft" is replaced with "MACHOSOFT".