Virus Name: Gorlovka
V Status: Rare
Discovered: March, 1993
Symptoms: .COM & .EXE growth; program corruption;
decrease in total system & available free memory
Eff Length: 1,022 - 1,038 Bytes
Type Code: PRhA - Parasitic Resident .COM & .EXE Infector
Detection Method: Sweep, AVTK, F-Prot, IBMAV, ViruScan, NAV,
NAVDX, VAlert, PCScan, ChAV,
Sweep/N, NShld, AVTK/N, NAV/N, NProt, IBMAV/N, Innoc,
Removal Instructions: Delete infected files
The Gorlovka virus was submitted in March, 1993. Its origin or
point of isolation is unknown. Gorlovka is a memory resident
fast infector of .COM and .EXE programs, but not COMMAND.COM. It
will sometimes corrupt the programs it infects.
When the first Gorlovka infected program is executed, the Gorlovka
virus will install itself memory resident at the top of system
memory but below the 640K DOS boundary. It does not move interrupt
12's return. Total system and available free memory, as indicated by
the DOS CHKDSK program, will have decreased by 3,008 bytes.
Interrupt 21 will be hooked by Gorlovka in memory.
Once memory resident, the Gorlovka virus will infect .COM and .EXE
programs when they are executed or opened for any reason. Infected
.COM programs will have a file length increase of 1,022 bytes. .EXE
programs will have a file length increase of 1,024 to 1,038 bytes.
In both cases, the virus will be located at the end of the file and
the file date and time in the DOS disk directory listing will not
be altered. Sometimes, Gorlovka will overwrite a portion of the
host program when it attempts to infect a program. In these cases,
there will be no file length increase and the program will be
corrupted, thus not functioning properly.
The following text strings are visible within the viral code in
Gorlovka infected programs: