Sverdlov Virus


 Virus Name:  Sverdlov 
 Aliases:     Hymn-2 
 V Status:    Rare 
 Discovered:  December, 1990 
 Symptoms:    .COM & .EXE growth; decrease in total system and available 
              memory 
 Origin:      USSR 
 Eff Length:  1,962 Bytes 
 Type Code:   PRhAK - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  ViruScan, AVTK, F-Prot, NAV, Sweep, IBMAV, 
                    NAVDX, VAlert, PCScan, ChAV, 
                    NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, 
                    NAV/N, IBMAV/N 
 Removal Instructions:  Delete infected programs 
 
 General Comments: 
       The Sverdlov virus was submitted in December, 1990.  This virus is 
       believed to have originated in the USSR.  Sverdlov is a memory 
       resident infector of .COM and .EXE files, and will infect 
       COMMAND.COM.  This virus is also encrypted. 
 
       The first time a program infected with the Sverdlov virus is 
       executed, the virus will install itself memory resident at the top 
       of system memory but below the DOS 640K boundary.  4,080 bytes of 
       memory will have been reserved, and the interrupt 12 return is not 
       altered by the virus.  The DOS CHKDSK program will indicate that 
       total system memory and available free memory are 4,080 bytes less
       than expected. COMMAND.COM will also be infected at this time if it 
       was not already infected. 
 
       Once Sverdlov is memory resident, any .COM or .EXE file over 2K in 
       length will become infected if it is executed or opened for any 
       reason. Infected .COM files have a file length increase of 1,962 
       bytes. Infected .EXE files will have a file length increase of
       1,962 to 1,977 bytes.  In both cases, the virus will be
       located at the end of infected programs. 
 
       It is unknown if Sverdlov does anything besides replicate. 
 
       Known variant(s) of Sverdlov are: 
       Sverdlov-B: Very similar to the original Sverdlov virus, this 
                   variant has one basic change in behavior.  It will only 
                   infect .COM and .EXE files over 3K in length before 
                   infection. Otherwise, the virus code is very similar. 
                   This variant may have been altered to avoid detection, 
                   and some anti-viral programs may identify it as Hymn-2. 
