Socha Virus

Virus Name: Socha Aliases: V Status: Rare Discovered: November, 1991 Symptoms: .COM file growth; decrease in total system and available free memory; file date/time changes Origin: Unknown Eff Length: 753 Bytes Type Code: PRhCK - Resident Parasitic .COM Infector Detection Method: ViruScan, AVTK, Sweep, F-Prot, PCScan, NAV, IBMAV, NAVDX, VAlert, ChAV, NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, NAV/N, IBMAV/N Removal Instructions: Delete infected files General Comments: The Socha virus was received in November, 1991. Its origin, or point of isolation, are unknown. Socha is a memory resident infector of .COM files, including COMMAND.COM. It should be noted that the Socha files only infects programs when the system date has been set so that the year is 1981. The first time a program infected with Socha is executed, the Socha virus will install itself memory resident at the top of system memory but below the 640K DOS boundary. Total system and available free memory, as indicated by the DOS CHKDSK program, will have decreased by 3,008 bytes. Interrupt 21 will be hooked by the virus. COMMAND.COM will also be infected at this time if the year of the system date is 1981. Once Socha is memory resident, it will infect .COM files when they are opened if the system date's year is 1981. In other years, the virus in its current form will not replicate. Programs infected with Socha will have a file length increase of 753 bytes. Their date and time in the DOS disk directory will have been updated to the system date and time when infection occurred. The Socha virus will be located at the end of infected programs. The following text strings can be found near the end of Socha infected files: "Socha" "C:\m_edit\me$.ovl comCOM" Socha does not appear to do anything besides replicate.