Virus Name: Sentinel
Aliases: Sentinel-3, Sentinel-5, BC
V Status: Rare
Discovered: January, 1991
Symptoms: .COM & .EXE growth; decrease in available free memory;
system hangs; "Keyboard stuck key failure" message
Eff Length: 4,625 Bytes
Type Code: PRHAK - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan, AVTK, F-Prot, Sweep, NAV, VAlert,
IBMAV, NAVDX, PCScan, ChAV,
NShld, LProt, Sweep/N, Innoc, AVTK/N, NAV/N, IBMAV/N,
Removal Instructions: Delete infected files
The Sentinel virus was submitted in January, 1991, and is from
Bulgaria. This virus is a memory resident infector of .COM and
.EXE files, and will infect COMMAND.COM. Unlike most viruses, this
virus was received with its original Turbo Pascal source code. It
may be purely a research virus at this time.
When the first program infected with Sentinel is executed, the
virus will install itself memory resident at the top of system
memory, but below the 640K DOS boundary. Interrupt 12's return is
not moved by the virus. Interrupt 21 will be hooked by the virus
in memory. COMMAND.COM, if not previously infected, will be
infected by Sentinel at this time as well.
After Sentinel is memory resident, it will infect .COM and .EXE
programs larger than 1K as they are opened or executed. Infected
programs will have a file length increase of 4,625 bytes, the virus
will be located at the end of the file. This virus makes no
attempt to hide the file length increase. File date and time in
the disk directory is not altered by the virus.
The following text strings can be found at the very end of programs
infected with Sentinel:
"You won't hear me, but you'll feel me....
(c) 1990 by Sentinel.
With thanks to Borland."
Sentinel does not appear to do anything besides replicate.
Known variant(s) of Sentinel are:
Sentinel-3: Sentinel-3 is a 5,173 byte variant of the Sentinel
virus. Unlike Sentinel, though, it will hide the file
length increase on infected programs if it is memory
resident. Sentinel-3's size in memory is 5,328 bytes.
There are no recognizable text strings visable in
infected programs. Systems infected with Sentinel-3
will notice file allocation errors when executing the
DOS CHKDSK command when the virus is memory resident.
These errors do not occur with the original Sentinel
virus since it didn't attempt to hide the infected
program's file length increase.
Origin: Bulgaria May 1991
Sentinel-5: Sentinel-5 is a 5,402 byte variant of Sentinel-3.
When Sentinel-5 is memory resident, it will hide the
file length increase on infected programs. Like
Sentinel-3, executing the DOS CHKDSK program will
uncover file allocation errors when the virus is
memory resident. Sentinel-5 will not infect programs
smaller than 2K in size. Attempts to boot from an
infected COMMAND.COM program may result in the message
"Keyboard stuck key failure", though this does not
always occur. System hangs will occur if the user
attempts to view infected programs with a file editor
when Sentinel-5 is resident. Sentinel-5's size in
memory is 5,568 bytes. There are no readable text
strings within the viral code in Sentinel-5 infected
Origin: Bulgaria May 1991