128:
5lo appends its code into infected files. It also changes the field 0Ch in the .EXE file's header to FFAAh. The virus identifies itself from memory by using the interrupt INT 21, AX=3521h which it has hooked. All the checks work correctly and the virus won't infect files multiple times and it installs itself to memory only once.
127:
5lo stays resident. Whenever a .EXE file is run, 5lo will infect it (and another .EXE file). The virus also changes the file's timestamp to the date and time of infection. After these infections, a counter within the virus starts. However, this counter is never checked, so the virus doesn't activate.
110:
files only. When it infects a file, it increases the file size by about 1000-1100 bytes (though a typical value is 1032 bytes.) At the file's direct end, this message can be found (resulting in the virus's name):
131:
When 5lo is running in memory, it isn't discoverable by typing in MEM /C. This is because when the virus installs, it ties itself to the operating system. Free memory decreases by about 2
190:
162:
166:
205:
95:
199:
98:
that increases file size and does little more than replicate. Size: 1,032 bytes
150:
132:
59:
107:
49:
38:
81:
73:
65:
55:
44:
34:
26:
21:
119:Other strings can be found in the virus's code:
151:F-Secure Computer Virus Information Pages: 5lo
8:
143:
18:
7:
14:
1:
222:
165:. Symantec. Archived from
123:????????.EXE and *.EXE
191:Symantec's page on 5lo
125:
117:
106:5lo infects resident .
121:
115:92.05.24.5lo.2.23MZ
113:
89:
88:
213:
206:DOS file viruses
179:
178:
176:
174:
159:
153:
148:
19:
221:
220:
216:
215:
214:
212:
211:
210:
196:
195:
187:
182:
172:
170:
169:on June 7, 2011
161:
160:
156:
149:
145:
141:
104:
17:
12:
11:
5:
219:
217:
209:
208:
198:
197:
194:
193:
186:
185:External links
183:
181:
180:
154:
142:
140:
137:
103:
100:
96:computer virus
87:
86:
83:
79:
78:
75:
71:
70:
67:
63:
62:
57:
56:Classification
53:
52:
46:
42:
41:
36:
32:
31:
28:
27:Technical name
24:
23:
16:Computer virus
15:
13:
10:
9:
6:
4:
3:
2:
218:
207:
204:
203:
201:
192:
189:
188:
184:
168:
164:
158:
155:
152:
147:
144:
138:
136:
134:
129:
124:
120:
116:
112:
109:
101:
99:
97:
93:
84:
80:
76:
72:
68:
64:
61:
58:
54:
51:
47:
43:
40:
37:
33:
29:
25:
20:
171:. Retrieved
167:the original
157:
146:
130:
126:
122:
118:
114:
105:
91:
90:
173:10 February
139:References
102:Infection
48:Resident
200:Category
85:Unknown
82:Authors
77:Unknown
45:Subtype
74:Origin
66:Family
163:"5Lo"
94:is a
60:Virus
175:2013
35:Type
108:EXE
92:5lo
69:N/A
50:EXE
39:DOS
30:5lo
22:5lo
202::
135:.
133:KB
177:.
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.