Virus Name: Sofia
V Status: New
Discovered: July, 1995
Symptoms: .COM file growth; DOS CHKDSK file allocation errors;
hidden file "SOFIA" on disk; file date/time seconds = "58"
Eff Length: 528 Bytes
Type Code: PRaCK - Resident Parasitic .COM Infector
Detection Method: AVTK, Sweep, IBMAV, ViruScan, NAV, NAVDX, F-Prot,
AVTK/N, Sweep/N, IBMAV/N, NAV/N, LProt, NShld, Innoc 4.0+
Removal Instructions: Delete infected files

The Sofia or Sofia.528 virus was received in July, 1995. Its origin
or point of isolation is unknown, though it may be from Sweden.

Sofia.528 is a memory resident infector of .COM files, including

When the first Sofia infected program is executed, this virus will
install itself memory resident in allocated system memory, hooking
interrupt 21. Total system and available free memory, as indicated
by the DOS CHKDSK program, will not be altered.

Once the Sofia virus is memory resident, it will infect .COM files
when they are executed. Infected .COM files will have a file length
increase of 528 bytes, though the file length increase will be
hidden when the virus is memory resident. The virus will be located
at the end of the file. The file's date and time in the DOS disk
directory listing will not appear to be altered, though the seconds
field will have been set to "58". The following text strings are
visible within the viral code in all infected programs:
"This Virus is named after a very nice, clever and cute girl,

The DOS CHKDSK program will indicate file allocation errors on all
infected programs when the virus is memory resident. Infected disks
will contain a seven byte file named "SOFIA" which will have the
read-only, system, and hidden attributes set. This file will
contain the following hex string: "B8BEBECD21C303".

Known variant(s) of Sofia are:
Sofia.432: Also received in July, 1995, this is a 432 byte
variant of the Sofia virus described above. It contains the
same text strings. This variant does not hide the 432 byte
file length increase on infected files when the virus is
memory resident, nor does it set the file date/time seconds
field to any specific value. It creates a hidden file named
"SOFIA" like the Sofia virus described above, containing the

Origin: Unknown July, 1995.
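The on-disk indicators listed in this entry can be checked against raw FAT directory entries, where the seconds field that a normal directory listing does not show is visible. The following is an added example, not part of the original entry: it assumes 32-byte FAT directory entries read from a disk image, and every file name in the sample other than "SOFIA" is constructed.

```python
import struct

MARKER_NAME = b"SOFIA   "   # 8.3 name field, space padded
MARKER_BYTES = bytes.fromhex("B8BEBECD21C303")  # hex string quoted in the entry
RO, HIDDEN, SYSTEM, VOLUME, SUBDIR = 0x01, 0x02, 0x04, 0x08, 0x10
WANTED = RO | HIDDEN | SYSTEM

def parse_entries(raw):
    """Yield (name, ext, attr, seconds, size) for each live 32-byte FAT entry."""
    for off in range(0, len(raw) - 31, 32):
        e = raw[off:off + 32]
        if e[0] == 0x00:                                  # end of directory
            break
        if e[0] == 0xE5 or e[11] & (VOLUME | SUBDIR):     # deleted, label, LFN, subdir
            continue
        time_word, size = struct.unpack_from("<H", e, 22)[0], struct.unpack_from("<I", e, 28)[0]
        yield e[0:8], e[8:11], e[11], (time_word & 0x1F) * 2, size  # 2-second units

def scan_directory(raw):
    """Return (file name, indicator) pairs for the indicators this entry lists."""
    findings = []
    for name, ext, attr, seconds, size in parse_entries(raw):
        label = (name.rstrip() + (b"." + ext.rstrip() if ext.strip() else b"")).decode("ascii", "replace")
        if name == MARKER_NAME and not ext.strip() and size == 7 and (attr & WANTED) == WANTED:
            findings.append((label, "marker-file"))
        elif ext == b"COM" and seconds == 58:
            # Weak on its own: clean files can carry 58 seconds, and Sofia.432 does not set it.
            findings.append((label, "seconds-58"))
    return findings

def is_marker_content(data):
    """True if a file's bytes equal the seven-byte string the entry quotes."""
    return data == MARKER_BYTES

def make_entry(name, ext, attr, h, m, s, size):
    """Build one constructed directory entry (dated 1995-07-01) for the sample."""
    t = (h << 11) | (m << 5) | (s // 2)
    return struct.pack("<8s3sB10sHHHI", name.ljust(8), ext.ljust(3), attr, b"\0" * 10, t, 0x1EE1, 2, size)

SAMPLE = b"".join([                      # constructed sample directory
    make_entry(b"EDIT", b"COM", 0x20, 12, 30, 58, 1528),
    make_entry(b"TOOL", b"COM", 0x20, 9, 15, 12, 4096),
    make_entry(b"SOFIA", b"", 0x07, 12, 31, 0, 7),
    make_entry(b"NOTES", b"TXT", 0x20, 8, 0, 58, 300),
])

if __name__ == "__main__":
    for finding in scan_directory(SAMPLE):
        print(finding)
```

A "seconds-58" hit alone only marks a .COM file for closer inspection; the marker file with matching attributes, size and content is the stronger indicator.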