San Lorenzo Virus


 Virus Name:  San Lorenzo 
 Aliases:     San Lorenzo.1025 
 V Status:    New 
 Discovery:   June, 1996 
 Symptoms:    .COM file growth; decrease in available free memory; 
              file date/time seconds = "58"; message displayed; 
              DOS CHKDSK file allocation errors 
 Origin:      Unknown 
 Eff Length:  1,025 Bytes 
 Type Code:   PRhCL - Parasitic Resident .COM Infector 
 Detection Method:  ChAV, NAV, NAVDX, AVTK 7.68+, ViruScan 2.54+, 
                    Innoc, NAV/N, AVTK/N 7.68+, NShld 2.33+ 
 Removal Instructions:  Delete & replace infected files after booting 
                        from uninfected system diskette 
 General Comments: 
       The San Lorenzo virus was received in June, 1996.  Its origin or 
       point of isolation is unknown.  San Lorenzo is a memory resident 
       size stealthing virus which infects .COM files, including 
       COMMAND.COM. 
 
       When the first San Lorenzo infected program is executed, this 
       virus will become memory resident at the top of system memory but 
       below the 640K DOS boundary, not moving interrupt 12's return. 
       Available free memory, as indicated by the DOS CHKDSK program from 
       DOS 5.0, will have decreased by 1,056 bytes.  Interrupt 21 
       will be hooked by the virus in memory.   The following message 
       will be displayed on the system monitor: 
 
          "Globo no existis. En el Bajo Flores vas a morir, sucio ! 
 
           SAN LORENZO CAMPEON 1995 
                                          by Mantis King" 
 
       Once the San Lorenzo virus is memory resident, it will infect .COM 
       programs, including COMMAND.COM, when they are executed.  Programs 
       infected with the San Lorenzo virus will have a file length increase 
       of 1,025 bytes with the virus being located at the end of the file, 
       though this file length increase will be hidden when the virus is 
       memory resident.  The program's date and time in the DOS disk 
       directory listing will not appear to be altered, but the seconds 
       field will have been set to "58".  The following text strings are 
       encrypted within the viral code: 
 
           "chklist.ms  anti-vir.dat tbcheck" 
           "SAN LORENZO CAMPEON 1995" 
           "by Mantis King" 
           "El Ciclon de Boedo se la banca, tiene aguante !" 
           "Boca sos puto, policia y cagon !" 
           "Abuelo Comisario" 
           "Globo no existis. En el Bajo Flores vas a morir, sucio !" 
 
       The DOS CHKDSK program will indicate file allocation errors on all 
       infected files when the virus is memory resident.  Execution of 
       .COM files will result in the above message being displayed. 
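
       Added example, not part of the original entry: a triage check for the
       seconds = "58" marker described above, reading raw FAT12/16 directory
       entries (as from a disk examined after a clean boot) so the resident
       size stealthing does not apply. The function names, the size
       threshold and the sample directory are assumptions made for
       illustration; a hit is only an indicator, since an uninfected file
       can also carry a seconds value of 58.

```python
import struct

ENTRY_SIZE = 32        # one FAT12/16 directory entry
MARKER_SECONDS = 58    # seconds value the entry reports on infected files
VIRUS_LENGTH = 1025    # effective length given in the entry

def decode_dos_time(raw):
    """Split the 16-bit DOS time word into (hour, minute, second)."""
    # bits 15-11 hour, 10-5 minute, 4-0 seconds in 2-second units
    return (raw >> 11) & 0x1F, (raw >> 5) & 0x3F, (raw & 0x1F) * 2

def scan_directory(raw_dir):
    """Return (name, size, time) for .COM entries stamped with seconds 58."""
    hits = []
    for off in range(0, len(raw_dir) - ENTRY_SIZE + 1, ENTRY_SIZE):
        entry = raw_dir[off:off + ENTRY_SIZE]
        if entry[0] == 0x00:            # end-of-directory marker
            break
        if entry[0] == 0xE5:            # deleted entry
            continue
        attr = entry[11]
        if attr == 0x0F or attr & 0x18: # long-name slot, volume label, subdirectory
            continue
        if entry[8:11] != b"COM":
            continue
        dos_time, = struct.unpack_from("<H", entry, 22)
        size, = struct.unpack_from("<I", entry, 28)
        h, m, s = decode_dos_time(dos_time)
        # Assumption: a file no larger than the virus body cannot hold host + virus.
        if s == MARKER_SECONDS and size > VIRUS_LENGTH:
            name = entry[0:8].decode("ascii", "replace").rstrip()
            hits.append((name + ".COM", size, "%02d:%02d:%02d" % (h, m, s)))
    return hits

def make_entry(name, ext, attr, hms, size):
    """Build one constructed 32-byte entry for the sample below."""
    t = (hms[0] << 11) | (hms[1] << 5) | (hms[2] // 2)
    return struct.pack("<8s3sB10xHHHI", name.ljust(8).encode(), ext.encode(),
                       attr, t, 0x20C1, 2, size)

# Constructed sample directory, not taken from a real disk.
SAMPLE = b"".join([
    make_entry("COMMAND", "COM", 0x20, (5, 0, 58), 48870),
    make_entry("FORMAT", "COM", 0x20, (5, 0, 0), 22974),
    make_entry("README", "TXT", 0x20, (9, 30, 58), 4096),
    make_entry("TINY", "COM", 0x20, (12, 1, 58), 900),
]) + bytes(ENTRY_SIZE)

if __name__ == "__main__":
    print(scan_directory(SAMPLE))
```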
