Solano 2000 Virus
Virus Name: Solano 2000
Aliases: Dyslexia 2.01, Solano
V Status: Rare
Discovered: March, 1990
Symptoms: .COM growth; TSR; unusual file errors
Origin: California, United States
Eff Length: 2,000 Bytes
Type Code: PRsC - Resident Parasitic .COM Infector
Detection Method: ViruScan, F-Prot, AVTK, Sweep, IBMAV, PCScan, NAV,
NAVDX, VAlert, ChAV, NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N,
NAV/N, IBMAV/N
Removal Instructions: Delete infected files
General Comments:
The Solano 2000 virus was first isolated in Solano County,
California in mid-March 1990 by Edward Winters. The virus may also
be known by the name Dyslexia virus V2.01, a string which can be
produced by negating some null-terminated bytes within the viral
code. Using the same technique, what appears to be the creation
date of the virus, 08FEB90, can be produced. The information
produced by negating these bytes was determined by Jay Parangalan
of Solano County.
The Solano 2000 virus is a generic .COM file infector. The first
time an infected .COM file is executed on the system, the virus
installs itself memory resident, then proceeds to infect every
.COM file that is executed. Infected programs can be manually
identified by using a sector editor to view the file. Bytes 1168
through 1952 will consist of '(' or 28h characters.
Some programs, such as DISKCOPY.COM which is included on all DOS
diskettes, will not run after being infected with this virus;
instead, an "invalid drive specification" message will be
displayed. This message is not in the viral code, but results from
an error condition induced by the virus's presence. The
virus-induced error occurring with the DiskCopy program was how the
virus was first spotted and eventually isolated.
When Solano is memory resident, it will take up 3K of RAM.
The Solano 2000 virus does no apparent system damage; however, it
does check the video buffer occasionally, and may transpose numbers
if they are found in certain locations. This effect, however, was
not experienced on the author's system in researching this virus.
There have also been reports that instead of transposing numeric
characters, the Solano virus may change color attributes on the
display screen when it is active in memory.
Known variant(s) of Solano 2000 are:
Dyslexia 2.00: Same as Solano 2000, except that the 28h characters
    are now binary zeros. The attempted transposing of numeric
    characters in video memory has also been slowed down. The
    creation date appears to be 22JAN90 instead of 08FEB90.
Solano 2000-B: Same as Solano 2000, except the 28h characters have
    been changed to DAh characters, and are located in bytes 1168
    through 1912 in infected files.
Solano D: Similar to the original Solano, this variant has had its
    encryption slightly altered in order to avoid detection. The
    28h characters have also been changed to 00h characters.
Subliminal 1.10: A very early version of the Solano 2000 virus,
    this variant infects any .COM programs which are executed after
    the virus has become memory resident. Infected programs will
    have a file length increase of 1,496 bytes. With the virus
    memory resident, the system monitor will appear to flicker.
    What is occurring is that the virus is attempting to flash the
    message "LOVE, REMEMBER?" in the lower left portion of the
    display for a subliminal duration. The actual amount of time
    the message displays on the screen varies due to CPU speed
    differences.
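The manual sector-editor check described in the General Comments
(a run of filler bytes at a fixed position in an infected .COM file)
and the filler values listed for the variants can be automated. The
following Python is an added example, not part of the original entry
or of any scanner named in it. It assumes the byte numbers are
decimal offsets from the start of the file; the names SIGNATURES,
classify and scan_tree are hypothetical.

```python
from pathlib import Path

# (label, filler byte, first byte, last byte), taken from the entry's text.
# Assumption: byte numbers are decimal offsets from the start of the file.
SIGNATURES = [
    ("Solano 2000", 0x28, 1168, 1952),
    ("Solano 2000-B", 0xDA, 1168, 1912),
    ("Dyslexia 2.00 / Solano D", 0x00, 1168, 1952),
]


def classify(data: bytes):
    """Return (label, strength) if a filler run matches, else None."""
    for label, filler, first, last in SIGNATURES:
        # The entry does not say whether bytes are counted from 0 or 1,
        # so test only the offsets common to both readings.
        lo, hi = first, last - 1
        if len(data) <= hi:
            continue  # file too short to hold this run
        run = data[lo:hi + 1]
        if run == bytes([filler]) * len(run):
            # Zero-filled regions are common in clean files, so a 00h
            # match is only a weak indicator.
            return label, ("weak" if filler == 0x00 else "strong")
    return None


def scan_tree(root):
    """Map each matching .COM file under root to its classification."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() == ".com":
            verdict = classify(path.read_bytes())
            if verdict:
                hits[str(path)] = verdict
    return hits


if __name__ == "__main__":
    # Constructed sample: NOP padding with a 28h run at bytes 1168-1952.
    sample = bytearray(b"\x90" * 4000)
    sample[1168:1953] = b"\x28" * 785
    print(classify(bytes(sample)))
```

A match is an indicator to confirm with one of the scanners listed
under Detection Method. Subliminal 1.10 is not covered, because the
entry gives no filler pattern for it.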