
036/109 24 Sep 89 15:00:00
From: Samson Luk
To: All
Subj: Viruses Pattern Update
Following is a list of KNOWN viruses affecting IBM PCs and compatibles,
including XTs, ATs and PS/2. The hexadecimal pattern can be used to
detect the presence of the virus by using any pattern searching software
such as Norton Utilities.

Additions to the table this time are Datacrime II and a new variant of
Icelandic (listed last time as Saratoga with (1) and (2) in reverse
order). There is also a new "REPORTED" section added at the end of this
message, in which most of the viruses listed are not yet disassembled.

- Seen and disassembled viruses

Name             Aliases /       Type  Offset  Hexadecimal
                 Infective                     Pattern

405              0               POC   00AH    26 A2 49 02 26 A2 4B 02 26 A2
Brain            Pakistani       BF    15EH    8B 0E 07 7C 89 0E 0A 7C E8 57
Cascade (1)      Fall,1701,1704  PRC   01BH    31 34 31 24 46 4C 75 F8
Cascade (2)      1704            PRC   01BH    31 34 31 24 46 4C 77 F8
Datacrime        1280 or 1168    PNC   000H    2E 8B 36 01 01 83 EE 03 8B C6
Datacrime II     1514            PNA   022H    2E 8A 07 2E C6 05 22 32 C2 D0
Den Zuk          Search          BF    03EH    BB 90 7C 53 C3 B9 B0 7C 51 C3
Fu Manchu        2086(COM),      PRA   1EEH    FC B4 E1 CD 21 80 FC E1 73 16
Icelandic (1)    Saratoga,656    PRE   0C6H    2E C6 06 87 02 0A 90 50 53 51
Icelandic (2)    Saratoga,642    PRE   0B8H    2E C6 06 79 02 02 90 50 53 51
Icelandic (3)    Saratoga,632    PRE   106H    2E C6 06 6F 02 0A 90 50 53 51
Italian          Pingpong        BD    07CH    C7 06 4C 00 D0 7C 8C 0E 4E 00
Jerusalem        PLO, Israeli,   PRA   095H    FC B4 E0 CD 21 80 FC E0 73 16
                 Friday 13th
Lehigh           0               PRO   01CH    B4 19 CD 44 04 61 1E 51 52 57
New Zealand (1)  Stoned,         BM    045H    B8 01 02 0E 07 BB 00 02 B9 01
New Zealand (2)  Marijuana       BM    043H    B8 01 02 0E 07 BB 00 02 33 C9
Pentagon                         BF    03EH    8E D8 FB BD 44 7C 81 76 06
Suriv 1.01       Israeli, 897    PRC   30AH    81 F9 C4 07 72 1B 81 FA 01 04
Suriv 2.01       Israeli, 1488   PRE   05EH    81 F9 C4 07 72 28 81 FA 01 04
Suriv 3.00       Israeli,        PRA   099H    FC B4 E0 CD 21 80 FC E0 73 16
Traceback        3066            PRA   108H    89 B4 51 01 81 84 51 01 84 08
Vienna (1)       Austrian, 648   PNC   005H    8B F2 83 C6 0A 90 BF 00 01 B9
Vienna (2)       Unesco 648      PNC   005H    8B F2 81 C6 0A 00 BF 00 01 B9
Yale             Alameda,        BF    00EH    A1 13 00 F7 E3 2D E0 07

- Description for Newly Added:

Datacrime II - Virus is encrypted. Infects a COM or EXE file each time an
               infected program is run. Will infect COMMAND.COM. Formats
               part of hard disk on any date up to and including 12 October
               (any year) except on Sunday.

Icelandic    - Memory resident copy infects one in ten (or one in two for
               the Saratoga variant) EXE files executed. Date and time are
               changed. Clusters are flagged as bad on hard disk. There is
               a variant which does not flag clusters.

- Reported only

Name      Aliases      Type  Description

2730                   B
Agiplan                PRC   Infective length 1536, attaches to beginning
                             of COM file.
Dbase                  PRA   Transposes random bytes in dBase files
                             (.DBF). Trashes disk after 90 days.
Missouri               ?
Mistake                ?     Exchanges letters for phonetically similar
                             ones (ie 'C' and 'K') while they are being
                             output to the printer.
Nichols                B
Oropax    Music virus  PRC   Infected files increase by between 2756 &
                             2806 bytes. Total length becomes divisible
                             by 51. Plays three different tunes with a
                             seven minute interval.
Screen                 PRC   Infects all COM files in current directory,
                             including any already infected, before
                             going resident. Every few minutes it
                             transposes two digits in any block of four
                             on the screen.
Swap                   BF    Does not infect until ten minutes after
                             boot. One bad cluster on track 39, sector 6
                             & 7 (head unspecified). Uses 2K of RAM.

Type Code:
A = Infects all program files (COM & EXE)
B = Boot virus
C = Infects COM files only
D = Infects DOS boot sector on hard disk
E = Infects EXE files only
F = Floppy (360K) only
M = Infects Master boot sector on hard disk
N = Non-resident (in memory)
O = Overwriting
P = Parasitic virus
R = Resident (in memory)
--- FD 2.00
* Origin: TAIC OPUS - HONG KONG, WOCing through the Blazer at 19.2K (3:700/1)
SEEN-BY: 1/2 3 5 28/6 105/3 4 10 15 16 21 42 68 103 300 301 306 469 496
SEEN-BY: 105/502 622 124/4115 138/108 152/17 204/557 869 280/16 343/6
SEEN-BY: 700/1
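
Added example, not part of the original message: a minimal byte-pattern scanner of the kind the message describes, loaded with a few rows copied from the table, which also shows that Jerusalem and Suriv 3.00 share one pattern and so are always reported together. The row format, function names and test buffers are constructed for illustration, and comparing the match position with the table's Offset column is an assumption, since the message does not say what the offset is measured from.

```python
# Rows copied from the table above as name|type|offset (hex)|pattern.
SIGNATURES = """\
Brain|BF|15E|8B 0E 07 7C 89 0E 0A 7C E8 57
Den Zuk|BF|03E|BB 90 7C 53 C3 B9 B0 7C 51 C3
Jerusalem|PRA|095|FC B4 E0 CD 21 80 FC E0 73 16
Suriv 3.00|PRA|099|FC B4 E0 CD 21 80 FC E0 73 16
Fu Manchu|PRA|1EE|FC B4 E1 CD 21 80 FC E1 73 16
Cascade (1)|PRC|01B|31 34 31 24 46 4C 75 F8
Cascade (2)|PRC|01B|31 34 31 24 46 4C 77 F8
"""

def load_signatures(text):
    """Parse 'name|type|offset|hex bytes' rows into dicts."""
    sigs = []
    for row in text.strip().splitlines():
        name, vtype, offset, pattern = row.split("|")
        sigs.append({"name": name, "type": vtype,
                     "offset": int(offset, 16),
                     "pattern": bytes.fromhex(pattern)})
    return sigs

def scan(data, sigs):
    """Return (name, position, at_listed_offset) for every pattern occurrence.

    at_listed_offset assumes the Offset column counts from the start of the
    scanned buffer (an assumption of this example, not stated in the message).
    """
    hits = []
    for sig in sigs:
        pos = data.find(sig["pattern"])
        while pos != -1:
            hits.append((sig["name"], pos, pos == sig["offset"]))
            pos = data.find(sig["pattern"], pos + 1)
    return hits

def make_sample(offset, pattern, size=512):
    """Constructed test buffer: zero bytes with one pattern planted at offset."""
    buf = bytearray(size)
    buf[offset:offset + len(pattern)] = pattern
    return bytes(buf)

SIGS = load_signatures(SIGNATURES)
# Constructed inputs, not real samples.
BOOT_SAMPLE = make_sample(0x15E, bytes.fromhex("8B0E077C890E0A7CE857"))
FILE_SAMPLE = make_sample(0x200, bytes.fromhex("FCB4E0CD2180FCE07316"), size=2048)
CLEAN_SAMPLE = bytes(512)

if __name__ == "__main__":
    for label, data in [("boot", BOOT_SAMPLE), ("file", FILE_SAMPLE), ("clean", CLEAN_SAMPLE)]:
        print(label, scan(data, SIGS))
```

A hit whose position differs from the listed offset is still reported, so a match in the middle of a larger file is not silently dropped.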