Suriv 4.02 Virus

Virus Name: Suriv 4.02 Aliases: V Status: Rare Discovered: September, 1991 Symptoms: .COM file growth; TSR; programs return user to DOS prompt; boot failures; message Origin: Ireland Eff Length: 897 Bytes Type Code: PRsC - Parasitic Resident .COM Infector Detection Method: ViruScan, Sweep, NAV, AVTK, ChAV, F-Prot, IBMAV, NAVDX, VAlert, PCScan, NShld, LProt, Sweep/N, NProt, AVTK/N, NAV/N, IBMAV/N, Innoc 4.0+ Removal Instructions: Delete infected files General Comments: The Suriv 4.02 virus was received from Ireland in September, 1991. Suriv 4.02 is a memory resident infector of .COM files, but not COMMAND.COM. It activates on April 1st. The first time a program infected with Suriv 4.02 is executed, the virus will install itself memory resident as a low system memory TSR. Once Suriv 4.02 is memory resident, it will infect .COM programs when they are executed. If COMMAND.COM is executed, it will also become infected. Infected .COM files increase in size by 897 bytes with the virus being located at the beginning of the infected file. The following text strings can be found in all infected files: "Suriv 4.02" "COMMANDCOM" "$$TMP.COM APRIL 1ST" The first of these strings, "Suriv 4.02", is the infection marker the virus uses to determine if the file is already infected. It is located in the fourth through thirteenth bytes of infected files. Programs infected with Suriv 4.02 will not execute properly. If the user attempts to execute them, or execute a non infected .COM program with the virus memory resident, the user will be returned to the DOS prompt. Attempts to boot from disks with an infected COMMAND.COM will result in a boot failure. Suriv 4.02 activates on April 1st, at which time it will display the text string "APRIL 1ST" followed by blanks when the next program is executed after the virus goes memory resident. A system hang will then occur, requiring the user to reboot the system. See: Suriv 1.01