textfiles/virus/samson.vir

036/109 24 Sep 89 15:00:00
From:   Samson Luk
To:     All
Subj:   Viruses Pattern Update
Attr:   
------------------------------------------------
 Follow is a list of KNOWN virus affecting IBM PCs and compatibles,
 including XTs, ATs and PS/2. The hexadecimal pattern can be used to
 detect the presence of the virus by using any pattern searching software
 such as Norton Utilities.

 Additions to the table this time are Datacrime II and a new variant of
 Icelandic(listed last time as Saratoga with (1) and (2) in reverse
 order). There is also a new "REPORTED" section added at the end of this
 message which most of the viruses list there are not yet disassemble.

 - Seen and disassembled viruses

 Name            Aliases /      Type    Offset Hexadecimal
                 Infective                     Pattern
                 Lenght

 405             0              POC     00AH   26 A2 49 02 26 A2 4B 02 26 A2
 Brain           Pakistani      BF      15EH   8B 0E 07 7C 89 0E 0A 7C E8 57
 Cascade (1)     Fall,1701,1704 PRC     01BH   31 34 31 24 46 4C 75 F8
 Cascade (2)     1704           PRC     01BH   31 34 31 24 46 4C 77 F8
 Datacrime       1280 or 1168   PNC     000H   2E 8B 36 01 01 83 EE 03 8B C6
 Datacrime II    1514           PNA     022H   2E 8A 07 2E C6 05 22 32 C2 D0
 Den Zuk         Search         BF      03EH   BB 90 7C 53 C3 B9 B0 7C 51 C3
 Fu Manchu       2086(COM),     PRA     1EEH   FC B4 E1 CD 21 80 FC E1 73 16
                 2080(EXE)
 Icelandic (1)   Saratoga,656   PRE     0C6H   2E C6 06 87 02 0A 90 50 53 51
 Icelandic (2)   Saratoga,642   PRE     0B8H   2E C6 06 79 02 02 90 50 53 51
 Icelandic (3)   Saratoga,632   PRE     106H   2E C6 06 6F 02 0A 90 50 53 51
 Italian         Pingpong       BD      07CH   C7 06 4C 00 D0 7C 8C 0E 4E 00
 Jerusalem       PLO, Israeli,  PRA     095H   FC B4 E0 CD 21 80 FC E0 73 16
                 Friday 13th
                 1813(COM),
                 1808(EXE)
 Lehigh          0              PRO     01CH   B4 19 CD 44 04 61 1E 51 52 57
 New Zealand (1) Stoned,        BM      045H   B8 01 02 0E 07 BB 00 02 B9 01
 New Zealand (2) Marijuana      BM      043H   B8 01 02 0E 07 BB 00 02 33 C9
 Pentagon                       BF      03EH   8E D8 FB BD 44 7C 81 76 06
 Suriv 1.01      Israeli, 897   PRC     30AH   81 F9 C4 07 72 1B 81 FA 01 04
 Suriv 2.01      Israeli, 1488  PRE     05EH   81 F9 C4 07 72 28 81 FA 01 04
 Suriv 3.00      Israeli,       PRA     099H   FC B4 E0 CD 21 80 FC E0 73 16
                 1813(COM)
                 1808(EXE)
 Traceback       3066           PRA     108H   89 B4 51 01 81 84 51 01 84 08
 Vienna (1)      Austrian, 648  PNC     005H   8B F2 83 C6 0A 90 BF 00 01 B9
 Vienna (2)      Unesco    648  PNC     005H   8B F2 81 C6 0A 00 BF 00 01 B9
 Yale            Alameda,       BF      00EH   A1 13 00 F7 E3 2D E0 07
                 Merritt

 - Description for New Added:

 Datacrime II - Virus is encrypted. Infected a COM or EXE file each time an
                infected program is run. Will infect COMMAND.COM. Formats
                part of hard disk on any date up to and including 12 October
                (any year) except on Sunday.

 Icelandic    - Momory resident copy infect once in ten (or one in two for
                the Saratoga variant) EXE files executed. Date and time are
                changed. Clusters are flagged as bad on hard disk. There is
                a variant which does not flag clusters.

 - Reported only

 Name        Aliases        Type  Description

 2730                       B
 Agiplan                    PRC   Infective length 1536, attachs to beginning
                                  of COM file.
 Dbase                      PRA   Transposes random bytes in dBase files
                                  (.DBF). Trashes disk after 90 days.
 Missouri                   ?
 Mistake                    ?     Exchanges letters for phonetically similar
                                  once (ie 'C' and 'K') while they are being
                                  output to the printer.
 Nichols                    B
 Oropax      Music virus    PRC   Infected files increase by between 2756 &
                                  2806 bytes. Total length becomes divisible
                                  by 51. Plays three different tunes with a
                                  seven minute interval.
 Screen                     PRC   Infect all COM files in current directory,
                                  including any already infected, before
                                  going resident. Every few minutes it
                                  transposes two digits in any block of four
                                  on the screen.
 Swap                       BF    Does not infect until ten minutes after
                                  boot. One bad culster on track 39, sector 6
                                  & 7 (head unspecified). Uses 2K of RAM.

 Type Code:

 A = Infects all program files (COM & EXE)
 B = Boot virus
 C = Infects COM files only
 D = Infects DOS boot sector on hard disk
 E = Infects EXE files only
 F = Floppy (360K) only
 M = Infects Master boot sector on hard disk
 N = Non-resident (in memory)
 O = Overwriting
 P = Parasitic virus
 R = Resident (in memory)

--- FD 2.00
 * Origin: TAIC OPUS - HONG KONG, WOCing through the Blazer at 19.2K (3:700/1)
SEEN-BY: 1/2 3 5 28/6 105/3 4 10 15 16 21 42 68 103 300 301 306 469 496
SEEN-BY: 105/502 622 124/4115 138/108 152/17 204/557 869 280/16 343/6
SEEN-BY: 700/1