Virus Name: Sverdlov
V Status: Rare
Discovered: December, 1990
Symptoms: .COM & .EXE growth; decrease in total system and available
Eff Length: 1,962 Bytes
Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan, AVTK, F-Prot, NAV, Sweep, IBMAV,
NAVDX, VAlert, PCScan, ChAV,
NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N,
Removal Instructions: Delete infected programs
The Sverdlov virus was submitted in December, 1990. This virus is
believed to have originated in the USSR. Sverdlov is a memory
resident infector of .COM and .EXE files, and will infect
COMMAND.COM. This virus is also encrypted.
The first time a program infected with the Sverdlov virus is
executed, the virus will install itself memory resident at the top
of system memory but below the DOS 640K boundary. 4,080 bytes of
memory will have been reserved, and the interrupt 12 return is not
altered by the virus. The DOS CHKDSK program will indicate that
total system memory and available free memory is 4,080 bytes less
than expected. COMMAND.COM will also be infected at this time if it
was not already infected.
Once Sverdlov is memory resident, any .COM or .EXE file over 2K in
length will become infected if it is executed or opened for any
reason. Infected .COM files have a file length increase of 1,962
bytes. Infected .EXE files will have a file length increase of
1,962 to 1,977 bytes in length. In both cases, the virus will be
located at the end of infected programs.
It is unknown if Sverdlov does anything besides replicate.
Known variant(s) of Sverdlov are:
Sverdlov-B: Very similar to the original Sverdlov virus, this
variant has one basic change in behavior. It will only
infect .COM and .EXE files over 3K in length before
infection. Otherwise, the virus code is very similar.
This variant may have been altered to avoid detection,
and some anti-viral programs may identify it as Hymn-2.