Gorlovka Virus

Virus Name: Gorlovka Aliases: V Status: Rare Discovered: March, 1993 Symptoms: .COM & .EXE growth; program corruption; decrease in total system & available free memory Origin: Unknown Eff Length: 1,022 - 1,038 Bytes Type Code: PRhA - Parasitic Resident .COM & .EXE Infector Detection Method: Sweep, AVTK, F-Prot, IBMAV, ViruScan, NAV, NAVDX, VAlert, PCScan, ChAV, Sweep/N, NShld, AVTK/N, NAV/N, NProt, IBMAV/N, Innoc, LProt Removal Instructions: Delete infected files General Comments: The Gorlovka virus was submitted in March, 1993. Its origin or point of isolation is unknown. Gorlovka is a memory resident fast infector of .COM and .EXE programs, but not COMMAND.COM. It will sometimes corrupt the programs it infects. When the first Gorlovka infected program is executed, the Gorlovka virus will install itself memory resident at the top of system memory but below the 640K DOS boundary. It does not move interrupt 12's return. Total system and available free memory, as indicated by the DOS CHKDSK program, will have decreased by 3,008 bytes. Interrupt 21 will be hooked by Gorlovka in memory. Once memory resident, the Gorlovka virus will infect .COM and .EXE programs when they are executed or opened for any reason. Infected .COM programs will have a file length increase of 1,022 bytes. .EXE programs will have a file length increase of 1,024 to 1,038 bytes. In both cases, the virus will be located at the end of the file and the file date and time in the DOS disk directory listing will not be altered. Sometimes, Gorlovka will overwrite a portion of the host program when it attempts to infect a program. In these cases, there will be no file length increase and the program will be corrupted, thus not functioning properly. The following text strings are visible within the viral code in Gorlovka infected programs: "EeCcXxOoEeMm" "9101"