Svetlana Virus
Virus Name: Svetlana
Aliases: Svetlana.1110
V Status: New
Discovered: January, 1996
Symptoms: .COM & .EXE growth; file date/time seconds = "60";
decrease in available free memory
Origin: Unknown
Eff Length: 1,110 Bytes
Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector
Detection Method: ChAV, F-Prot, AVTK, IBMAV, ViruScan, NAV, NAVDX,
Innoc, AVTK/N, IBMAV/N, NShld, NAV/N
Removal Instructions: Delete infected programs
General Comments:
The Svetlana or Svetlana.1110 virus was received in January, 1996,
along with several variants. Svetlana is a memory resident
infector of .COM and .EXE files, including COMMAND.COM.
When the first Svetlana-infected program is executed, the virus
installs itself memory resident at the top of system memory but
below the 640K DOS boundary, without changing the memory size
returned by interrupt 12.
Available free memory, as indicated by the DOS CHKDSK program from
DOS 5.0, will have decreased by 1,120 bytes. Interrupt 21 will
be hooked by the virus in memory.
Once the Svetlana virus is memory resident, it will infect .COM
and .EXE files, including COMMAND.COM, when they are executed.
Infected files will have a file length increase of 1,110 bytes
with the virus being located at the end of the file. The program's
date and time in the DOS disk directory listing will not appear to
be altered, though the seconds field will have been set to "60".
The following text string is visible within the viral code:
"Svetlana v. 1.0"
Known variant(s) of Svetlana are:
Svetlana.2060: Also received in January, 1996, this is a
2,060 byte variant. Its size in memory is 2,112 bytes, hooking
interrupts 08, 09, and 21. Once resident, it infects .COM
and .EXE files when they are executed, adding 2,060 bytes to
the file's length. The virus will be located at the end of
the file. The program's date and time in the DOS disk directory
listing will not appear to be altered, though the seconds field
will have been set to "60". The following text string is
visible within the viral code:
"Svetlana v 1.1"
This variant may slowly scroll the contents of the system
display from right to left when a key is pressed, then after
a few moments, pressing the escape key or a control-c will
result in the user being returned to DOS.
Origin: Unknown January, 1996.
Svetlana.3410: Also received in January, 1996, this is a
3,410 byte variant. Its size in memory is 3,440 bytes, hooking
interrupts 01, 03, 08, 09, and 21. Once resident, it infects
.COM and .EXE files when they are executed, adding 3,410 bytes
to the file's length. The virus will be located at the end of
the file. The program's date and time in the DOS disk directory
listing will not appear to be altered, though the seconds field
will have been set to "60". The following text string is
visible within the viral code:
"Svetlana v 1.2"
This variant may slowly scroll the contents of the system
display from right to left when a key is pressed, then after
a few moments, pressing the escape key or a control-c will
usually result in a system hang.
Origin: Unknown January, 1996.
Svetlana.4734: Also received in January, 1996, this is a
4,734 byte variant. Its size in memory is 4,784 bytes, hooking
interrupts 01, 03, 1C, and 21. Once resident, it infects
.COM and .EXE files when they are executed, adding 4,734 bytes
to the file's length, though this file length increase will
be hidden by the virus when it is memory resident. The virus
will be located at the end of the file. The program's date and
time in the DOS disk directory listing will not appear to be
altered, though the seconds field will have been set to "60".
The following text string is visible within the viral code:
"Svetlana v 1.3"
This variant will disinfect programs as they are read into
memory, thus avoiding detection by anti-viral scanners unaware
of this variant. System hangs may occur when programs are
executed with the virus memory resident.
Origin: Unknown January, 1996.
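The seconds-field marker described above for Svetlana and its variants, as an added example that is not part of the original entry: a Python check that walks raw 32-byte FAT directory entries and reports .COM and .EXE files whose time stamp decodes to 60 seconds. It assumes the "60" corresponds to the raw value 30 in the directory entry's 2-second field; the directory contents, file names and sizes are constructed sample data, and make_entry and scan_directory are illustrative names.

```python
import struct

ENTRY = "<8s3sB10sHHHI"              # name, ext, attr, reserved, time, date, cluster, size
ENTRY_SIZE = struct.calcsize(ENTRY)  # 32 bytes per FAT directory entry
MARKER_SECONDS = 60                  # seconds value the entry above reports
TARGET_EXTS = {"COM", "EXE"}         # file types the entry says are infected

def decode_fat_time(raw):
    """Split a 16-bit FAT time word into (hours, minutes, seconds).
    Seconds are stored in 2-second units, so raw 30 decodes to 60
    (assumption: this is the "60" the entry describes)."""
    return (raw >> 11) & 0x1F, (raw >> 5) & 0x3F, (raw & 0x1F) * 2

def make_entry(name, ext, hms, size):
    """Build one constructed directory entry for the sample data below."""
    h, m, s = hms
    time_word = (h << 11) | (m << 5) | (s // 2)
    date_word = ((1996 - 1980) << 9) | (1 << 5) | 15   # 1996-01-15
    return struct.pack(ENTRY, name.ljust(8).encode(), ext.ljust(3).encode(),
                       0x20, b"", time_word, date_word, 2, size)

def scan_directory(buf):
    """Return (filename, size, time) for .COM/.EXE entries stamped with 60 seconds."""
    hits = []
    for off in range(0, len(buf) - ENTRY_SIZE + 1, ENTRY_SIZE):
        entry = buf[off:off + ENTRY_SIZE]
        if entry[0] == 0x00:                       # end-of-directory marker
            break
        if entry[0] == 0xE5 or entry[11] & 0x18:   # deleted, volume label or subdirectory
            continue
        name, ext, _attr, _res, t, _d, _cl, size = struct.unpack(ENTRY, entry)
        name = name.decode("ascii", "replace").strip()
        ext = ext.decode("ascii", "replace").strip()
        h, m, s = decode_fat_time(t)
        if ext in TARGET_EXTS and s == MARKER_SECONDS:
            hits.append((name + "." + ext, size, "%02d:%02d:%02d" % (h, m, s)))
    return hits

# Constructed sample directory: two marked programs, one clean program, one text file.
SAMPLE_DIR = (make_entry("COMMAND", "COM", (5, 0, 60), 47845 + 1110)
              + make_entry("EDIT", "COM", (5, 0, 58), 413)
              + make_entry("README", "TXT", (12, 30, 60), 2048)
              + make_entry("CHKDSK", "EXE", (5, 0, 60), 16200 + 1110)
              + b"\x00" * ENTRY_SIZE)

if __name__ == "__main__":
    for filename, size, stamp in scan_directory(SAMPLE_DIR):
        print(filename, size, stamp)
```

A hit is a lead to follow up with one of the scanners listed above, not proof of infection. Because Svetlana.4734 hides the length increase while resident, read the entries from a disk image rather than through a running system.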