Virus Name: Socha
V Status: Rare
Discovered: November, 1991
Symptoms: .COM file growth; decrease in total system and available free
memory; file date/time changes
Eff Length: 753 Bytes
Type Code: PRhCK - Resident Parasitic .COM Infector
Detection Method: ViruScan, AVTK, Sweep, F-Prot, PCScan,
NAV, IBMAV, NAVDX, VAlert, ChAV,
NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, NAV/N,
Removal Instructions: Delete infected files
The Socha virus was received in November, 1991. Its origin, or point
of isolation, are unknown. Socha is a memory resident infector of
.COM files, including COMMAND.COM. It should be noted that the
Socha files only infects programs when the system date has been set
so that the year is 1981.
The first time a program infected with Socha is executed, the Socha
virus will install itself memory resident at the top of system
memory but below the 640K DOS boundary. Total system and available
free memory, as indicated by the DOS CHKDSK program, will have
decreased by 3,008 bytes. Interrupt 21 will be hooked by the
virus. COMMAND.COM will also be infected at this time if the year
of the system date is 1981.
Once Socha is memory resident, it will infect .COM files when they
are opened if the system date's year is 1981. In other years, the
virus in its current form will not replicate.
Programs infected with Socha will have a file length increase of
753 bytes. Their date and time in the DOS disk directory will
have been updated to the system date and time when infection
occurred. The Socha virus will be located at the end of infected
programs. The following text strings can be found near the end
of Socha infected files:
Socha does not appear to do anything besides replicate.