Sverdlov Virus
Virus Name: Sverdlov
Aliases: Hymn-2
V Status: Rare
Discovered: December, 1990
Symptoms: .COM & .EXE growth; decrease in total system and available memory
Origin: USSR
Eff Length: 1,962 Bytes
Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan, AVTK, F-Prot, NAV, Sweep, IBMAV, NAVDX, VAlert,
    PCScan, ChAV, NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, NAV/N, IBMAV/N
Removal Instructions: Delete infected programs
General Comments:
The Sverdlov virus was submitted in December, 1990. This virus is
believed to have originated in the USSR. Sverdlov is a memory
resident infector of .COM and .EXE files, and will infect
COMMAND.COM. This virus is also encrypted.

The first time a program infected with the Sverdlov virus is
executed, the virus will install itself memory resident at the top
of system memory but below the DOS 640K boundary. 4,080 bytes of
memory will have been reserved, and the interrupt 12 return is not
altered by the virus. The DOS CHKDSK program will indicate that
total system memory and available free memory are 4,080 bytes less
than expected. COMMAND.COM will also be infected at this time if it
was not already infected.

Once Sverdlov is memory resident, any .COM or .EXE file over 2K in
length will become infected if it is executed or opened for any
reason. Infected .COM files have a file length increase of 1,962
bytes. Infected .EXE files will have a file length increase of
1,962 to 1,977 bytes. In both cases, the virus will be
located at the end of infected programs.

It is unknown if Sverdlov does anything besides replicate.

Known variant(s) of Sverdlov are:
Sverdlov-B: Very similar to the original Sverdlov virus, this
    variant has one basic change in behavior. It will only
    infect .COM and .EXE files over 3K in length before
    infection. Otherwise, the virus code is very similar.
    This variant may have been altered to avoid detection,
    and some anti-viral programs may identify it as Hymn-2.