Sofia Virus


 Virus Name:  Sofia 
 Aliases:     Sofia.528 
 V Status:    New 
 Discovered:  July, 1995 
 Symptoms:    .COM file growth; DOS CHKDSK file allocation errors; 
              hidden file "SOFIA" on disk; file date/time seconds = "58" 
 Origin:      Unknown 
 Eff Length:  528 Bytes 
 Type Code:   PRaCK - Resident Parasitic .COM Infector 
 Detection Method: AVTK, Sweep, IBMAV, ViruScan, NAV, NAVDX, F-Prot, ChAV,
                   AVTK/N, Sweep/N, IBMAV/N, NAV/N, LProt, NShld, Innoc 4.0+
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Sofia or Sofia.528 virus was received in July, 1995.  Its origin 
       or point of isolation is unknown, though it may be from Sweden. 
       Sofia.528 is a memory resident infector of .COM files, including 
       COMMAND.COM. 
 
       When the first Sofia infected program is executed, this virus will 
       install itself memory resident in allocated system memory, hooking 
       interrupt 21.  Total system and available free memory, as indicated 
       by the DOS CHKDSK program, will not be altered. 
 
       Once the Sofia virus is memory resident, it will infect .COM files 
       when they are executed.  Infected .COM files will have a file length 
       increase of 528 bytes, though the file length increase will be 
       hidden when the virus is memory resident.  The virus will be located 
       at the end of the file.  The file's date and time in the DOS disk 
       directory listing will not appear to be altered, though the seconds 
       field will have been set to "58".  The following text strings are 
       visible within the viral code in all infected programs: 
 
           "This Virus is named after a very nice, clever and cute girl, 
            Sofia" 
           "Sweden" 
           "LoRD Zeré" 
 
       The DOS CHKDSK program will indicate file allocation errors on all 
       infected programs when the virus is memory resident.  Infected disks 
       will contain a seven byte file named "SOFIA" which will have the 
       read-only, system, and hidden attributes set.  This file will 
       contain the following hex string: "B8BEBECD21C303". 
 
       Known variant(s) of Sofia are: 
       Sofia.432: Also received in July, 1995, this is a 432 byte 
           variant of the Sofia virus described above.  It contains the 
           same text strings.  This variant does not hide the 432 byte 
           file length increase on infected files when the virus is 
           memory resident, nor does it set the file date/time seconds 
           field to any specific value.  It creates a hidden file named 
           "SOFIA" like the Sofia virus described above, containing the 
           same value. 
           Origin:  Unknown  July, 1995. 
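
The on-disk indicators listed in this entry (the seconds field of "58" on infected .COM files and the hidden seven byte "SOFIA" file) can be checked from raw FAT directory entries, as in this added example, which is not part of the original entry. The function names and the sample directory are constructed for illustration, and the input is assumed to be 32-byte directory entries read from a disk image or a clean-booted system, since the resident virus hides the file length increase.

```python
import struct

# Indicators taken from the entry above.
MARKER_NAME = b"SOFIA      "                   # 8.3 name + extension, space padded
MARKER_BODY = bytes.fromhex("B8BEBECD21C303")  # seven-byte marker contents
MARKER_ATTRS = 0x01 | 0x02 | 0x04              # read-only | hidden | system

def parse_entry(raw):
    """Decode a 32-byte FAT directory entry; None for unused, label or directory slots."""
    if len(raw) != 32 or raw[0] in (0x00, 0xE5) or raw[11] & 0x18:
        return None
    dos_time, size = struct.unpack_from("<H4xI", raw, 22)
    # The low five bits of the time word hold seconds / 2, so 58 is stored as 29.
    return {"name": bytes(raw[:11]), "attrs": raw[11],
            "seconds": (dos_time & 0x1F) * 2, "size": size}

def triage(entries, contents=None):
    """Return (8.3 name, finding) pairs; contents optionally maps name to file bytes."""
    findings = []
    for raw in entries:
        e = parse_entry(raw)
        if e is None:
            continue
        name = e["name"].decode("ascii", "replace")
        if (e["name"] == MARKER_NAME and e["size"] == len(MARKER_BODY)
                and (e["attrs"] & MARKER_ATTRS) == MARKER_ATTRS):
            match = (contents or {}).get(e["name"]) == MARKER_BODY
            findings.append((name, "marker file, contents match" if match
                             else "marker file, metadata only"))
        elif e["name"][8:] == b"COM" and e["seconds"] == 58:
            # 58 is also a legitimate timestamp value, so this is only a hint.
            findings.append((name, "COM file stamped :58, inspect further"))
    return findings

def make_entry(name, attrs, h, m, s, size):
    """Build a constructed directory entry for the demo (date and cluster left zero)."""
    raw = bytearray(32)
    raw[:12] = name + bytes([attrs])
    struct.pack_into("<H4xI", raw, 22, (h << 11) | (m << 5) | (s // 2), size)
    return bytes(raw)

SAMPLE = [  # constructed sample directory, not taken from a real disk
    make_entry(b"COMMAND COM", 0x20, 6, 0, 58, 55000),
    make_entry(b"EDIT    COM", 0x20, 9, 30, 12, 413),
    make_entry(b"SOFIA      ", 0x07, 12, 0, 0, 7),
]

if __name__ == "__main__":
    print(triage(SAMPLE, {MARKER_NAME: MARKER_BODY}))
```

The marker file check applies to Sofia.432 as well, but the seconds check does not, because that variant does not set the seconds field.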
