Virus Name: Sno
Aliases: Sno.1015, Sno.1015.A
V Status: New
Discovered: January, 1996
Symptoms: .COM file growth; decrease in available free memory
Eff Length: 1,015 Bytes
Type Code: PRhCK - Parasitic Resident .COM Infector
Detection Method: AVTK, NAV, NAVDX, ViruScan, F-Prot, IBMAV, ChAV,
AVTK/N, NAV/N, IBMAV/N, NShld, Innoc
Removal Instructions: Delete infected files

The Sno virus, also known as Sno.1015 or Sno.1015.A, was received in
January, 1996. Its origin or point of isolation is unknown. Sno is a
memory resident fast infector of .COM files, including COMMAND.COM.

When the first Sno infected program is executed, the virus will
install itself memory resident at the top of system memory but below
the 640K DOS boundary, without changing the value returned by
interrupt 12. Available free memory, as indicated by the DOS CHKDSK
program from DOS 5.0, will have decreased by 1,792 bytes. Interrupts
08 and 21 will be hooked by the virus in memory.

Once the Sno virus is memory resident, it will infect .COM files,
including COMMAND.COM, when they are executed or opened, but not on
copy. Infected programs will have a file length increase of 1,015
bytes with the virus being located at the end of the file. The
program's date and time in the DOS disk directory listing will not
be altered. No text strings are visible within the viral code.

It is unknown what the Sno virus may do besides replicate.

Known variant(s) of Sno are:

Sno.1015.B: Also received in January, 1996, this is a minor
variant of the Sno virus described above. Its size in memory
is 1,824 bytes, and it also hooks interrupts 08 and 21. Once
resident, it infects .COM files when they are executed or opened,
but not when copied. Infected programs will have a file length
increase of 1,015 bytes with the virus being located at the end of
the file. The program's date and time in the DOS disk directory
listing will have been updated to the current system date and
time when infection occurred. No text strings are visible within
the viral code.
Origin: Unknown, January, 1996.
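
An added example, not part of the original entry: a baseline check that
compares two snapshots of .COM files and flags the symptoms described
above, growth of exactly 1,015 bytes with the directory timestamp kept
(Sno.1015.A) or updated (Sno.1015.B). The function names and the sample
sizes and timestamps are assumptions constructed for illustration; a
match is only a lead to confirm with one of the scanners listed above.

```python
import os

SNO_GROWTH = 1015  # infected-file growth in bytes, as stated in the entry
PATTERN_A = "grew 1,015 bytes, timestamp kept (consistent with Sno.1015.A)"
PATTERN_B = "grew 1,015 bytes, timestamp updated (consistent with Sno.1015.B)"


def snapshot(root):
    """Record (size, mtime) for every .COM file under root."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.upper().endswith(".COM"):
                path = os.path.join(dirpath, name)
                st = os.stat(path)
                files[os.path.relpath(path, root)] = (st.st_size, int(st.st_mtime))
    return files


def audit(baseline, current):
    """Compare two snapshots; return {path: verdict} for files that changed."""
    findings = {}
    for path, (old_size, old_mtime) in baseline.items():
        if path not in current:
            findings[path] = "missing"
            continue
        new_size, new_mtime = current[path]
        if new_size - old_size == SNO_GROWTH:
            # Same growth for both variants; the timestamp tells them apart.
            findings[path] = PATTERN_A if new_mtime == old_mtime else PATTERN_B
        elif (new_size, new_mtime) != (old_size, old_mtime):
            findings[path] = "changed (does not match the 1,015-byte pattern)"
    return findings


if __name__ == "__main__":
    # Constructed sample snapshots, not data from a real system.
    before = {"COMMAND.COM": (47845, 689000000), "EDIT.COM": (413, 689000000),
              "MORE.COM": (2618, 689000000)}
    after = {"COMMAND.COM": (48860, 689000000), "EDIT.COM": (1428, 822000000),
             "MORE.COM": (2618, 689000000)}
    for path, verdict in sorted(audit(before, after).items()):
        print(f"{path}: {verdict}")
```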