Sarampo Virus
Virus Name: Sarampo
Aliases: Sarampo.A
V Status: New
Discovery: July, 1995
Symptoms: .COM & .EXE growth; file time set to 1:13:00pm;
decrease in available free memory; system hangs
Origin: Unknown
Eff Length: 1,371 Bytes
Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector
Detection Method: F-Prot, AVTK, VAlert, ViruScan, Sweep, NAVDX, NAV,
IBMAV, PCScan, ChAV, NShld, Sweep/N, NAV/N, IBMAV, AVTK/N, NProt,
Innoc 4.0+
Removal Instructions: Delete infected files
General Comments:
The Sarampo or Sarampo.A virus was received in July, 1995, along
with one variant, Sarampo.B. Their origin or point of isolation is
unknown. Sarampo is a memory resident infector of .COM and .EXE
files, including COMMAND.COM.
When the first Sarampo-infected .EXE program is executed, this virus
will install itself memory resident at the top of system memory but
below the 640K DOS boundary, hooking interrupt 21. Available free
memory, as indicated by the DOS CHKDSK program from DOS 5.0, will
have decreased by a minimum of 1,648 bytes, the size of the virus
in memory. The actual decrease in available free memory may be
much larger as the infection proceeds.
Once the virus is memory resident, it will infect .COM and .EXE
files when they are executed, though it does not infect all of
them. Infected programs will have a file length increase of 1,371
bytes with the virus being located at the end of the file. The
program's date and time in the DOS disk directory listing will have
been altered so that the time is set to "1:13:00pm". It will also
set the file time to this value on the .COM and .EXE files which
have been executed with the virus memory resident but were not
infected.
The following text strings can be found within the viral code in all
Sarampo-infected programs:
"c:\command.com"
"Do you like this Screen Saver ? I hope so"
"Created by Sarampo virus."
System hangs may occur when some infected .COM files are executed.
This virus appears to only infect COMMAND.COM if it is located in
the C: drive root directory.
Known variant(s) of Sarampo are:
Sarampo.B: Also received in July, 1995, this is a later variant
of the Sarampo virus described above. It occupies 1,664 bytes
in memory and hooks interrupt 21. It infects .COM and .EXE
files on a consistent basis when they are executed with the
virus memory resident. Infected files will have a file length
increase of 1,371 bytes with the virus being located at the
end of the files. The time field of the file date/time in the
DOS disk directory listing will have been set to 1:13:00pm. It
contains the same text strings as the original virus.
Origin: Unknown July, 1995.
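A file-triage check built from the indicators in this entry (the three text strings, the 1,371-byte appended tail, and the 1:13:00pm time stamp), as an added example that is not part of the original entry. It assumes the strings are stored unencoded exactly as printed above and that file times are read as local time; all function names are hypothetical, and the sample bytes are constructed and inert.

```python
import os
import time

# Indicators taken from the entry above.
VIRUS_LEN = 1371                      # bytes appended to the end of the host
MARKER_TIME = (13, 13, 0)             # directory time 1:13:00pm
STRINGS = (
    b"c:\\command.com",
    b"Do you like this Screen Saver ? I hope so",
    b"Created by Sarampo virus.",
)

def tail_strings(data):
    """Return the listed strings present in the last VIRUS_LEN bytes."""
    tail = data[-VIRUS_LEN:]
    return [s for s in STRINGS if s in tail]

def has_marker_time(mtime):
    """True if the modification time (epoch seconds, local time) is 13:13:00."""
    t = time.localtime(mtime)
    return (t.tm_hour, t.tm_min, t.tm_sec) == MARKER_TIME

def classify(data, mtime):
    """Combine both indicators into a triage verdict for one file."""
    if len(data) > VIRUS_LEN and len(tail_strings(data)) == len(STRINGS):
        return "suspect-infected"
    if has_marker_time(mtime):
        # The entry says executed-but-uninfected files also get this time.
        return "time-marker-only"
    return "no-indicators"

def scan_tree(root):
    """Yield (path, verdict) for .COM/.EXE files under root with any indicator."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".com", ".exe")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            verdict = classify(data, os.path.getmtime(path))
            if verdict != "no-indicators":
                yield path, verdict

def constructed_sample():
    """Inert test bytes: dummy 200-byte host plus a zero-filled tail holding only the strings."""
    body = b"\x00".join(STRINGS)
    return b"\x90" * 200 + body + b"\x00" * (VIRUS_LEN - len(body))
```

A "time-marker-only" verdict does not show that the file itself is infected; per the entry it indicates the file was executed while the virus was memory resident.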