5lo
Encyclopedia
5lo is a computer virus
that increases file size and does little more than replicate. Size: 1,032 bytes
files only. When it infects a file, it increases the file size by about 1000-1100 bytes (though a typical value is 1032 bytes.) At the file's direct end, this message can be found (resulting in the virus's name):
Other strings can be found in the virus's code:
5lo stays resident. Whenever a .EXE file is run, 5lo will infect it (and another .EXE file). The virus also changes the file's timestamp to the date and time of infection. After these infections, a counter within the virus starts. However, this counter is never checked, so the virus doesn't activate. 5lo appends its code into infected files. It also changes the field 0Ch in the .EXE file's header to FFAAh. The virus identifies itself from memory by using the interrupt INT 21, AX=3521h which it has hooked. All the checks work correctly and the virus won't infect files multiple times and it installs itself to memory only once.
When 5lo is running in memory, it isn't discoverable by typing in MEM /C. This is because when the virus installs, it ties itself to the operating system. Free memory decreases by about 2 KB
.
Computer virus
A computer virus is a computer program that can replicate itself and spread from one computer to another. The term "virus" is also commonly but erroneously used to refer to other types of malware, including but not limited to adware and spyware programs that do not have the reproductive ability...
that increases file size and does little more than replicate. Size: 1,032 bytes
Infection
5lo infects resident .EXEEXE
EXE is the common filename extension denoting an executable file in the DOS, OpenVMS, Microsoft Windows, Symbian, and OS/2 operating systems....
files only. When it infects a file, it increases the file size by about 1000-1100 bytes (though a typical value is 1032 bytes.) At the file's direct end, this message can be found (resulting in the virus's name):
92.05.24.5lo.2.23MZ
Other strings can be found in the virus's code:
????????.EXE and *.EXE
5lo stays resident. Whenever a .EXE file is run, 5lo will infect it (and another .EXE file). The virus also changes the file's timestamp to the date and time of infection. After these infections, a counter within the virus starts. However, this counter is never checked, so the virus doesn't activate. 5lo appends its code into infected files. It also changes the field 0Ch in the .EXE file's header to FFAAh. The virus identifies itself from memory by using the interrupt INT 21, AX=3521h which it has hooked. All the checks work correctly and the virus won't infect files multiple times and it installs itself to memory only once.
When 5lo is running in memory, it isn't discoverable by typing in MEM /C. This is because when the virus installs, it ties itself to the operating system. Free memory decreases by about 2 KB
Kilobyte
The kilobyte is a multiple of the unit byte for digital information. Although the prefix kilo- means 1000, the term kilobyte and symbol KB have historically been used to refer to either 1024 bytes or 1000 bytes, dependent upon context, in the fields of computer science and information...
.