Sno Virus


 Virus Name:  Sno 
 Aliases:     Sno.1015, Sno.1015.A 
 V Status:    New 
 Discovered:  January, 1996 
 Symptoms:    .COM file growth; decrease in available free memory 
 Origin:      Unknown 
 Eff Length:  1,015 Bytes 
 Type Code:   PRhCK - Parasitic Resident .COM Infector 
 Detection Method:  AVTK, NAV, NAVDX, ViruScan, F-Prot, IBMAV, ChAV, 
                    AVTK/N, NAV/N, IBMAV/N, NShld, Innoc 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Sno, Sno.1015, or Sno.1015.A, virus was received in January, 
       1996.  Its origin or point of isolation is unknown.  Sno is a 
       memory resident fast infector of .COM files, including COMMAND.COM. 
 
       When the first Sno infected program is executed, this virus will 
       install itself memory resident at the top of system memory but below 
       the 640K DOS boundary, not moving interrupt 12's return.  Available 
       free memory, as indicated by the DOS CHKDSK program from DOS 5.0, 
       will have decreased by 1,792 bytes.  Interrupts 08 and 21 will be 
       hooked by the virus in memory. 
 
       Once the Sno virus is memory resident, it will infect .COM files, 
       including COMMAND.COM, when they are executed or opened, but not on 
       copy.  Infected programs will have a file length increase of 1,015 
       bytes with the virus being located at the end of the file.  The 
       program's date and time in the DOS disk directory listing will not 
       be altered.  No text strings are visible within the viral code. 
 
       It is unknown what the Sno virus may do besides replicate. 
 
       Known variant(s) of Sno are: 
       Sno.1015.B: Also received in January, 1996, this is a minor 
           variant of the Sno virus described above.  Its size in memory 
           is 1,824 bytes, also hooking interrupts 08 and 21.  Once resident, 
           it infects .COM file when they are executed or opened, but not 
           when copied.  Infected programs will have a file length increase 
           of 1,015 bytes with the virus being located at the end of the 
           file.  The program's date and time in the DOS disk directory 
           listing will have been updated to the current system date and 
           time when infection occurred.  No text strings are visible within 
           the viral code. 
           Origin:  Unknown  January, 1996. 

Show viruses from discovered during that infect .

Main Page