Type File virus
Date Discovered 1988.11
Place of Origin
Source Language
Platform DOS
File Type(s) .com, .exe
Infection Length 3,551 Bytes
Reported Costs

Syslock is an encrypted virus from 1988. It is a simple direct action infector of both .com and .exe files that replaces instances of the string "Microsoft" with "Macrosoft".


When Syslock is executed, it searches the entire hard disk for .com and .exe files and appends itself to one random file. It searches for the string "microsoft" in any combination of upper or lower case characters and replaces it with "MACROSOFT". The virus will not infect files if it finds an environment variable named "SYSLOCK" set to the "@" character.



The first subvariant only replicates if it is on a .exe file and only infects .com files. These infected .com files will not produce a new virus when executed.

Advent.B fixes this problem. It is between 2,768 and 2,783 bytes. In December it will display four candles and play "Oh Tannenbaum" on the system speaker.


This variant is 2,232 to 2,251 bytes long and originated in Europe in January of 1991. Systems infected with this variant may experience system hangs. It may also display the message "I want a COOKIE!".


This variant is almost entirely similar to the original, except that it replaces "microsoft" with "MACHOSOFT".


Patricia Hoffman. Online VSUM, "SysLock".

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License