Suriv 4.02 Virus
Virus Name: Suriv 4.02
V Status: Rare
Discovered: September, 1991
Symptoms: .COM file growth; TSR; programs return user to DOS prompt;
boot failures; message
Eff Length: 897 Bytes
Type Code: PRsC - Parasitic Resident .COM Infector
Detection Method: ViruScan, Sweep, NAV, AVTK, ChAV,
F-Prot, IBMAV, NAVDX, VAlert, PCScan,
NShld, LProt, Sweep/N, NProt, AVTK/N, NAV/N, IBMAV/N,
Removal Instructions: Delete infected files
The Suriv 4.02 virus was received from Ireland in September, 1991.
Suriv 4.02 is a memory resident infector of .COM files, but not
COMMAND.COM. It activates on April 1st.
The first time a program infected with Suriv 4.02 is executed, the
virus will install itself memory resident as a low system memory
Once Suriv 4.02 is memory resident, it will infect .COM programs
when they are executed. If COMMAND.COM is executed, it will also
become infected. Infected .COM files increase in size by 897 bytes
with the virus being located at the beginning of the infected file.
The following text strings can be found in all infected files:
"$$TMP.COM APRIL 1ST"
The first of these strings, "Suriv 4.02", is the infection marker
the virus uses to determine if the file is already infected. It
is located in the fourth through thirteenth bytes of infected
Programs infected with Suriv 4.02 will not execute properly. If
the user attempts to execute them, or execute a non infected .COM
program with the virus memory resident, the user will be returned
to the DOS prompt. Attempts to boot from disks with an infected
COMMAND.COM will result in a boot failure.
Suriv 4.02 activates on April 1st, at which time it will display
the text string "APRIL 1ST" followed by blanks when the next program
is executed after the virus goes memory resident. A system hang
will then occur, requiring the user to reboot the system.
See: Suriv 1.01