Selected viruses, spyware, and other threats: sorted alphabetically
SVL 1.0, SVL 1.1, SVL 1.2
The common feature of all members of this virus family is the length of the added code: 3584 bytes. They take 4 KB of memory by decreasing the length of the MCB of the program they parasitize. At the same time they also decrease the BIOS variable at address 0:413h by 4 KB, but only if the victim's MCB is the last one in the MCB chain. They are resident, encrypted, polymorphic COM and EXE infectors. If the virus is active in memory, its simple stealth technique conceals the change in the length of infected files. These viruses are quite "demanding": they require at least DOS 4.0 and a 286 or higher CPU. They manifest themselves by displaying the following text from August 1st to 4th:
I'am SLOVAKIA virus Version 1.0 Copyright (c) 26.1.1994 SVL
I'am SLOVAKIA virus Version 1.1 Copyright (c) 29.1.1994 SVL
Version SVL 1.2 displays the following from January 1st to 3rd:
I'am SLOVAKIA virus Version 1.2 Copyright (c) 1994 SVL
All of these viruses use the polymorphic library Mdevice v. 1.0. They attack only files on the hard disk. They hook interrupt INT 21h. They do not attack scan, avg, viruscan, astu, alika, rexa, msav, cpav, nod, clean, f-prot, tbav, tbutil, avast, nav, vshield, dizz and vsafe. Moreover, if any of the above-mentioned programs is active, the viruses do not attack files and do not conceal the increased file length. The viruses delete the files of integrity-checking programs (chklist.ms, chklist.cps and smartchk.cps) and switch off the Vsafe resident protection. The viruses contain a fragment of a text string of varying length:
(C) 26.1.1994 SVL Technické paramete MENO: Slovakia v.1.0. TYP: Rezidentny COM&EXE infektor. KRYPTOVANIE: Koduje sa instr. XOR,SUB,ADD. GENERATOR: Mdevice=(Generator dekoderov (c) SVL v.1.0.). OBSADENA PAMET: 4 kB. BUFFER: 512 Byte pracovny buffer. PRIDANY KOD: 3,5 kB. PRESM. PRERUSENIE: 21h. STEALTH TECHNOLOGIA: Pouzita. Nevidno predlzenie suborov INFIKOVANIE: Pri spusteni suboru. NEINFIKUJE: Avir. programy. Ak je aktivny Avir. proces.
(Meaning: (C) 26.1.1994 SVL Technical parameters NAME: Slovakia v.1.0. TYPE: Resident COM&EXE infector. ENCRYPTION: Encoded with the instr. XOR,SUB,ADD. GENERATOR: Mdevice=(Generator of decoders (c) SVL v.1.0.). OCCUPIED MEMORY: 4 kB. BUFFER: 512 Byte working buffer. ADDED CODE: 3.5 kB. REDIRECTED INTERRUPT: 21h. STEALTH TECHNOLOGY: Used. File lengthening is not visible. INFECTION: On file execution. DOES NOT INFECT: Avir. programs. If an Avir. process is active.)
The string above applies to version 1.0. Version 1.1 contains the date 29.1.1994 at the beginning of the string, and the name is changed to Slovakia v.1.1. The beginning of the string is different in version SVL 1.2:
(C) SVL MENO: Slovakia v.1.2. TYP: Rezidentny COM&EXE infektor. KRYPTOVANIE: Koduje sa instr. XOR,SUB,ADD. GENERATOR DEKODEROV: Mdevice (c) SVL v.1.0.). ALOKOVANA
(Meaning: (C) SVL NAME: Slovakia v.1.2. TYPE: Resident COM&EXE infector. ENCRYPTION: Encoded with the instr. XOR,SUB,ADD. GENERATOR OF DECODERS: Mdevice (c) SVL v.1.0.). ALLOCATED)
This version has all the characteristics of its predecessors, with one exception: while all the other versions are harmless, this one overwrites a random sector on the disk when it activates between October 1st and 10th. The virus body contains the following text:
SLOVAKIA virus Kill Version Copyright (c) 1994 SVL
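As an added example (not part of the original entry and not ESET code), the following walks the MCB chain in a real-mode memory image and compares its end and the 0:413h word with the installed base memory, which is where the 4 KB taken by these viruses shows up. The memory image, the first-MCB segment 0800h, the owner values and all function names are constructed for illustration.

```python
import struct

PARA = 16           # bytes per real-mode paragraph
FIRST_SEG = 0x0800  # assumed segment of the first MCB in the constructed image

def build_image(blocks, bios_kb):
    """Constructed 640 KB image: MCB chain from (owner, size_paragraphs) pairs."""
    mem = bytearray(640 * 1024)
    struct.pack_into("<H", mem, 0x413, bios_kb)       # BIOS base-memory word (KB)
    seg = FIRST_SEG
    for i, (owner, size) in enumerate(blocks):
        sig = b"Z" if i == len(blocks) - 1 else b"M"  # 'Z' marks the last block
        struct.pack_into("<cHH", mem, seg * PARA, sig, owner, size)
        seg += size + 1                               # header takes one paragraph
    return mem

def walk_mcb_chain(mem, first_seg):
    """Return [(segment, owner, size_paragraphs)] for every MCB in the chain."""
    chain, seg = [], first_seg
    while True:
        off = seg * PARA
        if off + 5 > len(mem):
            raise ValueError(f"MCB chain runs past the image at {seg:04X}h")
        sig, owner, size = struct.unpack_from("<cHH", mem, off)
        if sig not in (b"M", b"Z"):
            raise ValueError(f"bad MCB signature at {seg:04X}h")
        chain.append((seg, owner, size))
        if sig == b"Z":
            return chain
        seg += size + 1

def base_memory_report(mem, first_seg, installed_kb=640):
    """Compare the MCB chain end and the 0:413h word with installed memory."""
    seg, _, size = walk_mcb_chain(mem, first_seg)[-1]
    chain_end_kb = (seg + size + 1) * PARA // 1024
    bios_kb = struct.unpack_from("<H", mem, 0x413)[0]
    # An EBDA legitimately lowers 0:413h (often by 1 KB): a gap is a lead, not proof.
    return {"bios_kb": bios_kb, "chain_end_kb": chain_end_kb,
            "missing_kb": installed_kb - min(bios_kb, chain_end_kb)}

if __name__ == "__main__":
    clean = build_image([(0x0008, 0x07FF), (0x1001, 0x8FFF)], bios_kb=640)
    # Last block shortened by 100h paragraphs (4 KB) and 0:413h lowered by 4,
    # matching the footprint this entry describes when the host MCB is the last one.
    shrunk = build_image([(0x0008, 0x07FF), (0x1001, 0x8EFF)], bios_kb=636)
    print(base_memory_report(clean, FIRST_SEG))
    print(base_memory_report(shrunk, FIRST_SEG))
```

On a live DOS system the first MCB segment is not fixed; it has to be obtained from DOS rather than assumed as it is here.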
© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.