informis
/
textfiles
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
textfiles/virus/virussum.txt

12867 lines
593 KiB
Plaintext
Raw Permalink Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

VIRUS INFORMATION SUMMARY LIST
April 20, 1991
Copyright (C) 1990-1991 by Patricia M. Hoffman. All Rights Reserved.
This document contains the compiled information from a continuing
research effort by the author into the identification, detection and
removal of MS-DOS Computer Viruses. Hopefully, this listing will
provide some assistance to those who wish to know more about a particular
computer virus. It is not intended to provide a very detailed technical
description, but to allow the reader to understand what a virus
generally does, how it activates, what it is doing to their system, and
most importantly, how to get rid of it.
The user of this listing needs to keep in mind that the
information provided is up-to-date only to the date of the listing
itself. If the listing is one month old, some items may not be
accurate. Also, with the wide dispersion of researchers and the
various names that the same virus may be known by, some of the
information may not be entirely accurate. Lastly, as new variants
of known viruses are isolated, some of the characteristics of the
variant may be different.
There are five sections to the listing. The first section is
an introduction which explains the format of the information in
the listing and includes the code information used in some fields.
The second section is the actual virus information listing.
The third section is a cross-reference of common names for MS-DOS
computer viruses and indicates what name to use for the virus in the
second section. The fourth section, added with the July 1990 release
and in the works for many months, is a chart showing relationships
between various viruses and variants. Lastly, there is a fifth section
which is a revision history of the listing.
Anti-Viral products mentioned in the listing are either commonly
available shareware or public domain programs, or they are commercial
products which have been submitted for evaluation and review by the product's
author with "no strings attached". All Anti-Viral products are reviewed at
the most recent release level available to the author. In some cases, this
may not be the most recent release. All testing is done against the author's
virus collection, results using a different collection of viruses and
variants may differ.
Special thanks go to John McAfee for reviewing the listing before
it is distributed, and to numerous others who have sent their comments,
suggestions, and encouraging support.
The Virus Information Summary List may not be used in a business,
corporation, organization, government, or agency environment without
a negotiated site license. While this document may be referenced in the
documentation for some anti-viral products, the document is not to be
construed as being included in any site license not negotiated with
the author, Patricia M. Hoffman, or an authorized agent of the author.
Licensing information for the Virus Information Summary List can be
requested from the author via US Mail from the address, or by voice or FAX
at the phone numbers below:
Patricia M. Hoffman
1556 Halford Avenue, #127
Santa Clara, CA 95051
Voice: 1-408-246-3915
FAX : 1-408-246-3915
The VSUMAGTS.TXT file included with the Virus Information Summary List
contains a complete listing of domestic and international agents whom have
been authorized to provide sales, service, and support of this listing.
I can also be reached through my Bulletin Board System, Excalibur! BBS,
at 1-408-244-0813. Future versions of this listing may also be obtained
through Excalibur!.
Patricia M. Hoffman
-------------------------------------------------------------------------------
Virus Information Summary List
Introduction & Entry Format
Each of the entries in the list consists of several fields.
Below is a brief description of what is indicated in each of the
fields. For fields where codes may appear, the meaning of each
code in indicated.
Virus Name: Field contains one of the more common names for the
virus. The listing is alphabetized based on this
field.
Aliases: Other names that the same virus may be referred to by.
These names are aliases or A.K.A.'s.
V Status: This field contains one of the following values which indicate
how common the virus is in the public domain.
Common: The virus is one of the most common viruses reported to
various groups which gather virus infection statistics.
Most of these groups are in the United States. Where a
virus has had many reports from a specific geographic area,
the V Status field will contain "Common - xxxxxxxxx" where
xxxxxxxxx is an indicator of geographic location.
Endangered: The "Endangered" classification of viruses are
viruses that are very uncommon and were fairly recently
discovered or isolated. Due to some characteristics of
these viruses, it is highly unlikely that they will ever
become a widespread problem. It doesn't mean that they
don't exist, just that the probability of someone getting
these viruses is fairly low.
Extinct: The "Extinct" classification is for viruses which at
one time may have been widespread (ie. they are not a
research virus which was never released into the public
domain), but have not had a reported infection in at least
one year. "Extinct" viruses will also include "viruses"
which were submitted which actually don't replicate due to
a flaw in their viral code, but if the flaw were corrected
they might be successful. It is still possible that someone
could become infected with one of these viruses, but the
probability is extremely low.
Myth: "Myth" viruses are viruses which have been discussed among
various groups for some time (in excess of one year), but are
not known to actually exist as either a public domain or
research virus. Probably the best case of a "Myth" virus
is the Nichols Virus.
Rare: "Rare" viruses are viruses which were recently (within the
last year) isolated but which do not appear to be widespread.
These viruses, as a general rule, will be viruses which
have characteristics that would make them a possible
future problem. "Rare" viruses have a higher probability
of someone becoming infected than Endangered or Extinct
viruses, but are much less likely to be found than a
"Common" virus.
Research: A "Research" virus is a virus which was originally
received by at least one anti-viral researcher directly
from its source or author. These viruses are not known
to have been released into the public domain, so they are
highly unlikely to be detected on computer systems other
than researchers.
Rumored: The "Rumored" virus classification are for viruses
which the author has received information about, but that
no sample of the virus has been made available for analysis.
Any viruses in this classification should be considered with
a grain of salt, they may not actually exist.
Unknown: The "Unknown" classification is for those viruses where
the original submission of the virus to anti-viral researchers
is suspect for any number of reasons, or that there is
very little information known about the origin of the
virus.
New: The "New" category is for viruses which were recently
received by the author but cannot at the present time be
researched in depth. Instead of leaving these viruses out
of the listing all together, they will be listed but with
a "New" status.
Discovery: First recorded discovery date.
Origin: Author/country of origin
Symptoms: Changes to system that may be noticed by users: messages,
growth in files, TSRs/ Resident TOM (change in CHKDSK
return), BSC - boot sector change (may require cold boot
from known-good protected floppy to find), corruption of
system or files, frequent re-boots, slowdowns.
Origin: Either credited or assumed to be in country of discovery.
Eff Length: The length of the viral code after it has infected
a program or system component. For boot-sector infectors,
the length is indicated as N/A, for not applicable.
Type Code: The type codes indicated for a virus indicate general
behavior characteristics. Following the type code(s) is
a brief text description. The type codes used are:
A = Infects all program files (COM & EXE)
B = Boot virus
C = Infects COM files only
D = Infects DOS boot sector on hard disk
E = Infects EXE files only
F = Floppy (360K) only
K = Infects COMMAND.COM
M = Infects Master boot sector on hard disk
N = Non-resident (in memory)
O = Overwriting virus
P = Parasitic virus
R = Resident (in memory)
(below 640k - segment A000)
a - in unused portion of allocated memory
(does not change free memory, such as virus resident
in CLI stack space or unused system memory)
Example: LeHigh
f - in free (user) memory below TOM
(does not prevent overwriting)
Example: Icelandic
h - in high memory but below TOM
(Resides in high system memory, right below TOM.
Memory is allocated so it won't be accidently
overwritten.)
Example: Flash
s - in low (system/TSR) memory
(reduces free memory, typically uses a normal
Int 21/Int 28 TSR)
Example: Jerusalem
t - above TOM but below 640k (moves Int 12 return)
(Reduces total memory size and free memory)
Example: Pakistani Brain
(above 640k)
b - in BIOS/Video/Shadow RAM area (segment A000 - FFFF)
e - in extended/expanded memory (above 1 Meg)
S = Spawning or companion file virus
(This type of virus creates another file on the disk which
contains the actual viral code. Example: Aids II)
T = Manipulation of the File Allocation Table (FAT)
X = Manipulation/Infection of the Partition Table
Detection Method:
This entry indicates how to determine if a program or
system has been infected by the virus. Where the virus
can be detected with a shareware, public domain, or
readily available commercial program, it is indicated.
Note that a "+" after the anti-viral product's version number
indicates that versions of the product from the indicated version
forward are applicable.
Programs referenced in the listing are:
AVTK - Dr. Solomon's Anti-Virus Toolkit <commercial>
F-PROT - Fridrik Skulason's F-Prot detector/disinfector
IBM Scan - IBM's Virus Scanning Program <commercial>
NAV - Norton AntiVirus <commercial>
Pro-Scan - McAfee Associates' Pro-Scan Program <commercial>
VirexPC - MicroCom's VirexPC Program <commercial>
VirHunt - Digital Dispatch Inc's VirHunt Program <commercial>
ViruScan - McAfee Associates' ViruScan Program
ViruScan/X- McAfee Associates' ViruScan Program with /X switch
Removal Instructions:
Brief instructions on how to remove the virus. Where
a shareware, public domain, or readily available
commercial program is available which will remove the
virus, it is indicated. Programs referenced in the
listing are:
AntiCrim - Jan Terpstra's AntiCrime program
CleanUp - John McAfee's CleanUp universal virus
disinfector.
Note: CleanUp is only indicated for a virus
if it will disinfect the file, rather than
delete the infected file.
DOS COPY - Use the DOS COPY command to copy files from
infected non-bootable disks to newly formatted,
uninfected disks. Note: do NOT use the
DOS DISKCOPY command on boot sector infected
disks, or the new disk will also be infected!
DOS SYS - Use the DOS SYS command to overwrite the boot
sector on infected hard disks or diskettes.
Be sure you power down the system first, and
boot from a write protected master diskette,
or the SYS command will copy the infected
boot sector.
F-PROT - Fridrik Skulason's F-Prot detector/disinfector,
Version 1.07.
M-3066 - Traceback virus disinfector.
MDisk - MD Boot Virus Disinfector. Be sure to use the
program which corresponds to your DOS release.
NAV - Norton AntiVirus
Pro-Scan - Pro-Scan Virus Identifier/Disinfector.
Saturday - European generic Jerusalem virus disinfector.
Scan/D - ViruScan run with the /D option.
Scan/D/A - ViruScan run with the /D /A options.
Scan/D/X - ViruScan run with the /D /X options.
UnVirus - Yuval Rakavy's disinfector for Brain, Jerusalem,
Ping Pong, Ping Pong-B, Typo Boot, Suriv 1.01,
Suriv 2.01, and Suriv 3.00 viruses.
VirexPC - MicroCom's VirexPC Detector/Disinfector
Note: VirexPC is only indicated if it will actually
disinfect the virus, not just delete the infected
file.
VirHunt - Digital Dispatch Inc's VirHunt Detector/Disinfector
Note: VirHunt is only indicated if it will actually
disinfect the virus on all major variants.
Virus Buster - Yuval Tal's Virus Buster Detector/Disinfector
General Comments:
This field includes other information about the virus,
including but not limited to: historical information,
possible origin, possible damage the virus may cause,
and activation criteria.
-------------------------------------------------------------------------------
Virus Information Summary List
MS-DOS Virus Information
Virus Name: 382 Recovery Virus
Aliases: 382
V Status: Rare
Discovery: July, 1990
Symptoms: first 382 bytes of .COM files overwritten, system hangs,
spurious characters on system display, disk drive spinning
Origin: Taiwan
Eff Length: N/A
Type Code: ONAK - Overwriting Non-Resident .COM & .EXE Infector
Detection Method: ViruScan V66+, Pro-Scan 2.01+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The 382 Recovery Virus was isolated in July 1990 in Taiwan. It is
a non-resident generic infector of .COM and .EXE files, including
COMMAND.COM.
Each time a program infected with the 382 Recovery Virus is executed,
the virus will check the current directory for a .COM files that has
not been infected with the virus. If it finds an uninfected .COM
file, it will infect it. If the original file was less than 382 bytes
in length, the infected file will now be 382 bytes in length. Files
which were originally greater than 382 bytes in length will not show
any increase in length. Infected files always have the first 382
bytes of the file overwritten to contain the virus's code.
Once all .COM files in the current directory are infected, the next
time an infected .COM file is executed the virus will rename all .EXE
files to .COM files. These renamed files, however, may or may not
later become infected.
Symptoms of the 382 Recovery Virus being present on a file are that
the program will not execute properly. In some cases, the program will
hang upon execution requiring the system to be rebooted. In other
cases, spurious characters will appear on the system display and the
program will not run. Lastly, the system may do nothing but leave the
disk drive spinning, requiring the system to be powered off and
rebooted.
Since the first 382 bytes of infected files have been overwritten,
the infected files cannot be recovered. The original 382 bytes of
the file are permanently lost. Infected files should be deleted or
erased and replaced with backup copies known to be free of infection.
Virus Name: 405
Aliases: Hammelburg
V Status: Extinct
Discovery: 1987
Symptoms: .COM files fail to run, first 405 bytes of .COM files
overwritten
Origin: Austria or Germany
Eff Length: N/A
Type Code: ONC - Overwriting Non-Resident .COM Infector
Detection Method: ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan 1.4+,
VirexPC 1.1+, VirHunt 2.0+, NAV
Removal Instructions: Scan/D/X, F-Prot, NAV, or delete infected files
General Comments:
The 405 virus is an overwriting virus which infects only .COM
files in the current directory. If the length of the .COM file
was originally less than 405 bytes, the resulting infected file
will have a length of 405 bytes. This virus currently cannot
recognize .COM files that are already infected, so it will
attempt to infect them again.
The 405 Virus doesn't carry an activation date, and doesn't do
anything but replicate in the current directory. However, since
it overwrites the first 405 bytes of .COM files, infected files
are not recoverable except by replacing them from uninfected
backups or master distribution disks.
Virus Name: 512
Aliases: 512-A, Number of the Beast Virus, Stealth Virus
V Status: Rare
Discovery: November, 1989
Origin: Bulgaria
Symptoms: Program crashes, system hangs, TSR.
Eff Length: 512 Bytes
Type Code: PRCK - Parasitic Resident .COM Infector
Detection Method: ViruScan V58+, VirexPC 1.1+
Removal Instructions: CleanUp V58+
General Comments:
The 512 virus is not the same as the Original Friday The 13th COM
virus. The 512 virus was originally isolated in Bulgaria in
November, 1989, by Vesselin Bontchev. It infects .COM files,
including COMMAND.COM, installing itself memory resident when the
first infected program is run. After becoming memory resident, any
.COM file openned for any reason will become infected if its
uninfected length is at least 512 bytes.
Systems infected with the 512 virus may experience program crashes
due to unexpected errors, as well as system hangs. Damage may occur
to infected files if the system user runs CHKDSK with the /F
parameter as the length of the program in the directory entry will not
match the actual disk space used. CHKDSK will then adjust the file
allocation resulting in damaged files.
The virus's alias of "Number of the Beast" Virus is because the
author of the virus used a signature of text 666 near the end of the
virus to determine if the file is already infected. Since 512 adds
its viral code to the end of infected files, it is easy to verify
that a file is infected by the 512 virus by checking for this
signature.
Known variant(s) of the 512 Virus are:
512-B : Similar to the 512 Variant, except that the DOS version check
in the original virus has been omitted. The author's
signature of '666' has been omitted.
512-C : Similar to the 512-B Variant, minor code changes.
512-D : Similar to the 512-C Variant, except that the virus no longer
checks to see if a file has the System Attribute on it before
infecting it.
512-E : Similar to the other 512 viruses, this variant will use some
memory about 640K, such as memory on video cards. Infected
systems will have a 55,104 byte decrease in total system and
available free memory as indicated by the DOS ChkDsk program.
This variant does not use the text 666 signature to designate
infected files.
512-F : Similar to other variants, the DOS ChkDsk program will not show
any decrease in system or available memory when the virus is
resident. The "666" text signature can be found in infected
files as offset 1FD.
Virus Name: 646
Aliases: Vienna C
V Status: Rare
Discovery: October, 1990
Symptoms: COMMAND.COM & .COM growth
Origin: Unknown
Eff Length: 646 Bytes
Type Code: PNCK - Parasitic Non-Resident COM Infector
Detection Method: ViruScan V71+, Pro-Scan 2.01+
Removal Instructions: Pro-Scan 2.01+, Scan/D, or Delete infected files
General Comments:
The 646 Virus was discovered in October, 1990. Its origin is unknown.
This virus is a non-resident infector of .COM files, including
COMMAND.COM.
When a file infected with the 646 Virus is executed, the virus will
infect one other .COM file in the current directory. Infected files
will increase in size by 646 bytes, with the virus being located at
the end of the infected file.
Infected files can be easily identified as they will always end with
the hex string: "EAF0FFFFFF".
This virus appears to do nothing except replicate.
Virus Name: 834 Virus
Aliases: Arab
V Status: Rare
Discovery: February, 1991
Symptoms: .COM file growth; TSR; Partition Table altered;
Unexpected disk accesses to hard disk;
Attempts to boot system from hard disk may hang
Origin: Unknown
Eff Length: 834 Bytes
Type Code: PRsC - Parasitic Resident COM Infector
Detection Method: ViruScan V76+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The 834 Virus was received in February, 1991. Its origin is unknown.
This virus is a memory resident infector of .COM files, but not
COMMAND.COM.
The first time a program infected with the 834 Virus is executed, the
virus will install itself memory resident as a low system memory TSR
of 1,808 bytes. Interrupt 21 will be hooked by the virus as well. At
this time, the virus will access the hard disk partition table, altering
it.
After the 834 Virus is memory resident, it will infect .COM files of
a length greater than 4K in length as they are executed. COMMAND.COM,
however, will not be infected. Infected files will increase in length
by 834 bytes, the virus will be located at the end of the infected
program. The file date and time in the disk directory is not altered
by the virus.
Systems infected with the 834 Virus may notice unexpected accesses to
the system hard disk when executing programs from a diskette. These
accesses are the virus accessing the hard disk partition table each
time an infected program is executed, or a program is infected by the
virus. The system's hard disk partition table does not contain an
infectious copy of the virus, but has been altered so that later
attempts to boot the system from the system hard disk may result in a
system hang occurring during the boot process.
Known variant(s) of 834 include:
834-B/Arab: Similar to the original virus, this variant will infect
.COM files other than COMMAND.COM which are greater than 1K in
length before infection. Two text strings occur within this
variant's code: "nsed Materi" and "COMMAND.COM". Low system
memory TSR is 1,792 bytes in length.
Virus Name: 903
Aliases:
V Status: Rare
Discovery: January, 1991
Symptoms: .COM file growth; TSR; System hangs
Origin: France
Eff Length: 903 Bytes
Type Code: PRsCK - Parasitic Resident COM Infector
Detection Method: ViruScan V74+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The 903 Virus was discovered France in January, 1991. This virus is
not a particularly viable virus since replicated samples will not
further replicate. It is possible that the original sample is
corrupted. This virus infects .COM program, including COMMAND.COM.
When the original sample of 903 is executed, this virus will install
itself memory resident as a 1,216 byte low system memory TSR. It will
hook interrupt 21. At that time, it will infect COMMAND.COM, adding
903 bytes to the beginning of the program. The following message is
then displayed:
"Fichier introuvable"
Once memory resident, this virus will infect up to three .COM programs
in the current directory if the original sample is again executed.
Later execution of infected files (other than the original) will not
result in the virus spreading to other files. The virus will also
infect files when the DOS Copy command is used, but only if the source
and target files are in the current directory.
Infected .COM programs will have a file size increase of 903 bytes,
the virus will be located at the beginning of the infected program.
The file date and time in the disk directory will not be altered by
the virus.
If 903 becomes memory resident from other than the original sample, it
will not replicate to other .COM programs. The "Fichier introuvable"
message is not displayed with other than the original sample.
Some programs may hang when they are executed on infected systems.
It is unknown if 903 does anything destructive.
Virus Name: 1008
Aliases: Suomi, Oulu
V Status: Rare
Discovery: June, 1990
Symptoms: COMMAND.COM growth, Internal Stack Errors,
System Halt on Boot
Origin: Helsinki, Finland
Eff Length: 1,008 Bytes
Type Code: PRCK - Parasitic Resident COM Infector
Detection Method: ViruScan V64+, F-Prot 1.12+, Pro-Scan 2.01+, NAV
Removal Instructions: Scan/D, F-Prot 1.12+, Pro-Scan 2.01+, NAV,
or delete infected files
General Comments:
The 1008 Virus was discovered in June, 1990 by Petteri Jarvinen of
Helsinki, Finland. It is a memory resident .COM infector, and will
infect COMMAND.COM. This virus is also sometimes referred to as
the Suomi Virus.
The first time a program infected with the 1008 virus is executed,
the virus will install itself memory resident. COMMAND.COM is also
infected at this time, resulting in its length increasing by 1,008
Bytes. The increase in file size of COMMAND.COM cannot be seen by
doing a directory listing if the virus is present in memory.
Booting a system with an infected copy of COMMAND.COM may result in
an internal stack error, and the system being halted. This effect
was noted on the author's test machine which is a 640K XT-clone
running Microsoft MS-DOS Version 3.30.
After the virus is memory resident, it will infect any .COM file which
is executed, adding 1,008 bytes to the file length. The file length
increase cannot be seen by doing a directory listing if the virus is
present in memory.
Virus Name: 1210
Aliases: Prudents Virus
V Status: Rare
Discovery: December, 1989
Symptoms: .EXE growth, disk write failure, TSR
Origin: Spain
Eff Length: 1,210 Bytes
Type Code: PRE - Parasitic Resident .EXE Infector
Detection Method: ViruScan V61+, Pro-Scan 1.4+, F-Prot 1.12+, VirHunt 2.0+,
NAV
Removal Instructions: Scan/D, F-Prot 1.12+, VirHunt 2.0+, NAV,
or delete infected files
General Comments:
The 1210, or Prudents Virus, was first isolated in Barcelona, Spain,
in December 1989. The 1210 is a memory resident virus, infecting
.EXE files when they are executed.
This virus activates between May 1st and May 4th of any year,
causing disk writes to be changed to disk verifies, so writes to
the disk never occur between these dates.
Virus Name: 1226
Aliases: V1226
V Status: Rare
Discovery: July 1990
Symptoms: .COM growth, decrease in system and free memory, system hangs,
spurious characters displayed in place of program executing,
disk drive spinning
Origin: Bulgaria
Eff Length: 1,226 Bytes
Type Code: PRhC - Parasitic Resident .COM Infector
Detection Method: ViruScan V66+, Pro-Scan 2.01+
Removal Instructions: Scan/D, or delete infected files
General Comments:
The 1226 Virus was isolated in Bulgaria in July 1990 by Vesselin
Bontchev. This virus is a memory resident generic .COM infector,
though it does not infect COMMAND.COM. The 1226 Virus is a self-
encrypting virus, and simple search string algorithms will not work
to detect its presence on a system.
The first time a program infected with the 1226 virus is executed,
the virus will install itself memory resident, reserving 8,192 bytes
of memory at the top of free memory. Interrupt 2A will be hooked.
Once 1226 is memory resident, the virus will attempt to infect any
.COM file that is executed that is at least 1,226 bytes in length
before infection. The virus is rather "buggy" and the infection
process is not always entirely successful. Successfully infected
files will increase in length by 1,226 bytes.
This virus will infect .COM files multiple times, it is unable to
determine that the file is already infected. Each time the file
is infected it will grow in length by another 1,226 bytes. Eventually,
the .COM files will grow too large to fit into memory.
Systems infected with the 1226 virus may experience unexpected system
hangs when attempting to execute programs. Another affect is that
instead of a program executing, a line or two of spurious characters
will appear on the system display. Lastly, infected systems will always
indicate that they have 8,192 less bytes of total system and free
memory available than is actually on the machine.
There are two later versions of this virus, 1226D and 1226M, which are
much better replicators than the original 1226 virus. These two
variants are documented as 1226D in this document due to their
different characteristics.
Also see: 1226D
Virus Name: 1226D
Aliases: V1226D
V Status: Rare
Discovery: July 1990
Symptoms: .COM growth, decrease in system and free memory
Origin: Bulgaria
Eff Length: 1,226 Bytes
Type Code: PRhC - Parasitic Resident .COM Infector
Detection Method: ViruScan V66+, Pro-Scan 2.01+, NAV
Removal Instructions: Scan/D, or delete infected files
General Comments:
The 1226D Virus was isolated in Bulgaria in July 1990 by Vesselin
Bontchev. This virus is a memory resident generic .COM infector,
though it does not infect COMMAND.COM. The 1226D Virus is a self-
encrypting virus, and simple search string algorithms will not work
to detect its presence on a system.
The 1226D Virus is based on the 1226 Virus, in fact it is a decrypted
version of the 1226 Virus. It is a better replicator, infecting
successfully on file opens as well as when .COM files are executed.
The first time a program infected with the 1226 virus is executed,
the virus will install itself memory resident, reserving 8,192 bytes
of memory at the top of free memory. Total system and free memory
are decreased by 8,192 bytes. Interrupt 2A will be hooked.
Once 1226 is memory resident, the virus will attempt to infect any
.COM file that is executed that is at least 1,226 bytes in length
before infection. Infected files will increase in length by 1,226
bytes. As with the original 1226 Virus, a .COM file may be infected
multiple times by the 1226D Virus as the virus is unable to determine
that the file was previously infected. Each infection will result in
another 1,226 bytes being added to the infected file's length.
Eventually, the .COM files will grow too large to fit into memory.
In addition to infecting .COM files when they are executed, the 1226D
Virus will infect .COM files with a length of at least 1,226 bytes
when they are openned for any reason. The simple act of copying a
.COM file with the virus memory resident will result in both the
source and target files being infected.
Unlike the 1226 Virus, systems infected with the 1226D virus will not
experience the system hangs or spurious characters symptomatic of the
1226 virus. Infected system will still indicate that they have 8,192
bytes less of total system memory than is installed on the machine.
Known variant(s) of 1226D are:
1226M/V1226M : Similar to the 1226D virus, except that files are not
infected on file open, only when they are executed.
Also see: 1226
Virus Name: 1253
Aliases: AntiCad, V-1
V Status: Rare
Discovery: August, 1990
Symptoms: TSR; BSC; COMMAND.COM & .COM file growth; partition table change
Origin: Austria
Eff Length: 1,253 Bytes
Type Code: PRsBCKX - Parasitic Resident .COM & Partition Table Infector
Detection Method: ViruScan V66+, Pro-Scan 2.01+, NAV
Removal Instructions: Pro-Scan 2.01+, NAV, Scan/D plus MDisk/P
General Comments:
The 1253 Virus was submitted in August 1990. It is believed to have
originated in (or at least to have been first isolated in) Austria.
1253 is a generic infector of .COM files, including COMMAND.COM.
It also infects the boot sector of diskettes and the partition table
of hard disks.
The first time a program infected with the 1253 Virus is executed, the
virus will install itself memory resident as a low system memory TSR.
The TSR will be 2,128 bytes in length, hooking interrupts 08, 13, 21,
and 60. Total system memory will remain unchanged, and free memory
will decrease by 2,128 bytes. At this time, the partition table of
the system's hard disk is infected with the 1253 virus. If the
infected program was executed from a diskette, the diskette's boot
sector will also be infected.
Each time a .COM file is executed with the virus resident in memory,
the .COM file will be infected if it hasn't previously been infected.
The 1253 Virus appends its viral code to the end of the .COM file, and
then changes the first few bytes of the program to be a jump to the
appended code. Infected files increase in length by 1,253 bytes, and
the virus makes no attempt to hide the increase when the directory
is displayed. Infected files will also have their fourth thru sixth
bytes set to "V-1" (hex 562D31).
Any diskettes which are accessed while the virus is present in memory
will have their boot sector infected with this virus. Newly formatted
diskettes, likewise, will be infected immediately.
The 1253 virus is destructive when it activates. The author of this
listing was able to get it to activate by setting the system date to
December 24 and then executing an infected program on drive A:. The
virus promptly went and overwrote the entire diskette in drive
A: with a pattern of 9 sectors of what appears to be a program
fragment. Once the virus has started to overwrite a diskette, the
only way to stop the disk activity is to power off the system.
The virus in the partition table and/or diskette boot sector is of
special note. When the system is booted from the hard disk or diskette
with the virus in the partition table or boot sector, the virus will
install itself memory resident. At this time, the virus resides above
the top of system memory but below the 640K DOS boundary. The change
in total system memory and available free memory will be 77,840 bytes.
It can be seen with the CHKDSK command. At this time, any .COM program
executed will be infected with the 1253 virus, even though no programs
on the hard disk may contain this virus before the system boot occurred.
One effect of this virus, once the system has been booted from an
infected hard drive or floppy is that the FORMAT command may result
in unexpected disk activity to inactive drives. For example, on the
author's system, when formatting a diskette in drive A: with the
current drive being drive C:, there was always disk activity to drive
B:.
Disinfecting the 1253 virus required that besides disinfecting or
deleting infected .COM programs, the hard disks partition table and the
boot sector of any diskettes exposed to the infected system must be
disinfected. The virus can be removed safely from the partition table
and diskette boot sectors by using MDisk with the /P option after
powering off the system and rebooting from a write-protected uninfected
boot diskette. If the partition table and diskette boot sectors are
not disinfected, the system will promptly experience reinfection of
.COM files with the virus following a system boot from the hard disk
or diskette. Disinfecting the partition table and boot sectors, when
done properly, will also result in the system's full memory again being
available.
It is unknown if there are other activation dates for this virus, or
if it will overwrite the hard disk if an infected program is executed
on December 24 from the hard disk.
Virus Name: 1260
Aliases: V2P1
V Status: Research
Discovery: January, 1990
Symptoms: .COM file growth
Origin: Minnesota, USA
Eff Length: 1,260 Bytes
Type Code: PNC - Parasitic Encrypting Non-Resident .COM Infector
Detection Method: ViruScan V57+, IBM Scan, Pro-Scan 1.4+, F-Prot 1.12+,
AVTK 3.5+, VirHunt 2.0+, NAV
Removal Instructions: CleanUp V57+, Pro-Scan 1.4+, F-Prot 1.12+, VirHunt 2.0+
General Comments:
The 1260 virus was first isolated in January, 1990. This
virus does not install itself resident in memory, but is it
extremely virulent at infecting .COM files. Infected files
will have their length increased by 1,260 bytes, and the
resulting file will be encrypted. The encryption key changes
with each infection which occurs.
The 1260 virus is derived from the original Vienna Virus, though
it is highly modified.
This virus was developed as a research virus by Mark Washburn, who
wished to show the anti-viral community why identification string
scanners do not work in all cases. The encryption used in 1260 is
one of many possible cases of the encryption which may occur with
Washburn's later research virus, V2P2.
Also see: V2P2, V2P6, V2P6Z
Virus Name: 1381 Virus
Aliases: Internal
V Status: Rare
Discovery: June, 1990
Symptoms: .EXE growth
Origin:
Eff Length: 1,381 Bytes
Type Code: PNE - Parasitic Non-Resident .EXE Infector
Detection Method: ViruScan V64+, Pro-Scan 2.01+, NAV
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The 1381 Virus was isolated in June, 1990. It is a non-resident
generic .EXE infector.
Each time a program infected with the 1381 Virus is executed, the
virus will attempt to infect one other .EXE file on the current
drive. An .EXE file will only be infected if it is greater than
1,300 bytes in length before infection. After infection, files
will have increased in length by between 1,381 and 1,389 bytes.
The virus can be found at the end of infected files. Infected
files will also contain the following text strings:
"INTERNAL ERROR 02CH.
PLEASE CONTACT YOUR HARDWARE MANUFACTURER IMMEDIATELY !
DO NOT FORGET TO REPORT THE ERROR CODE !"
It is currently unknown what the 1381 Virus does, or what prompts
it to display the above message.
Known variant(s) of 1381 include:
1381-B/Internal: Similar to the original 1381 virus, this variant is
very similar. The major change is that it does not always
infect a .EXE file each time an infected program is executed.
The increase in file length on infected files will 1,381 to
1,395 bytes, and the virus will be located at the end of the
infected file. The message text indicated above for the
original virus will be displayed if the year is 1991 or greater.
When the message is displayed, the program that was being
executed will be disinfected by the virus.
Virus Name: 1392
Aliases: Amoeba Virus
V Status: Rare
Discovery: March, 1990
Symptoms: TSR, .COM & .EXE growth, dates modified
Origin: Indonesia
Eff Length: 1,392 Bytes
Type Code: PRA - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan V61+, VirexPC 1.1+, F-Prot 1.12+, VirHunt 2.0+,
NAV
Removal Instructions: Scan/D, F-Prot 1.12+, VirHunt 2.0+, NAV,
or delete infected files
General Comments:
The 1392, or Amoeba, Virus was first isolated in Indonesia in
March 1990. The 1392 virus is a memory resident virus that infects
.COM and .EXE files, including COMMAND.COM. As files are infected,
their creation/modification date is changed to the date the files
were infected.
This virus does not appear to cause any destructive damage.
The following message appears in the virus, which is where its
alias of Amoeba was derived from:
"SMA KHETAPUNK - Nouvel Band A.M.O.E.B.A"
Virus Name: 1554
Aliases: Ten Bytes, 9800:0000 Virus, V-Alert, 1559
V Status: Rare
Discovery: February, 1990
Symptoms: .COM & .EXE growth, TSR, linkage corruption, system hang
Origin:
Eff Length: 1,554 Bytes
Type Code: PRfAK - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan V58+, IBM Scan, Pro-Scan 1.4+, VirexPC 1.1+,
AVTK 3.5+, F-Prot 1.12+, VirHunt 2.0+, NAV
Removal Instructions: Scan/D, F-Prot 1.12+, VirHunt 2.0+, Pro-Scan 2.01+
General Comments:
The 1554 virus was accidently sent out over the VALERT-L network
on February 13, 1990 to approximately 600 subscribers. When a
program is executed that is infected with the 1554 virus, the
virus installs itself memory resident. It will then proceed to
infect .COM over 1000 bytes in length and .EXE files over 1024 bytes
in length, including COMMAND.COM, increasing their length after
infection by 1,554 to 1,569 bytes.
The 1554 virus activates in September, October, November, or
December of any year. Upon activation, any files which are written
will be missing the first ten bytes. At the end of these files,
ten bytes of miscellaneous characters will appear. In effect, both
programs and data files will be corrupted.
If the 1554 Virus is executed on a system with less than 640K of
system memory, the virus will hang the system.
Virus Name: 1575
Aliases: 1577, 1591
V Status: Common
Discovery: January, 1991
Symptoms: .COM & .EXE growth; decrease in total system & available memory;
Sluggishness of DIR commands; file date/time changes
Origin: Taiwan
Isolated: Ontario, Canada
Eff Length: 1,575 Bytes
Type Code: PRfAk - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan V74+
Removal Instructions: Scan/D, Clean-Up V74+, or Delete infected files
General Comments:
The 1575 virus was first isolated in Ontario, Canada, in January, 1991.
This virus has been widely reported, and is believed to be from the Far
East, probably Taiwan. It is a memory resident infector of .COM and
.EXE files, and will infect COMMAND.COM.
When the first program infected with the 1575 Virus is executed, the
virus will install itself memory resident in 1,760 to 1,840 bytes at
the top of system memory, but below the 640K DOS boundary. This
memory is not reserved, and may be overwritten later by another
program. Interrupt 21 will be hooked by the virus. COMMAND.COM on
the system C: drive root directory will also be infected at this
time.
Once the 1575 Virus is memory resident, it will infect one .COM and
one .EXE program on the current drive whenever a DOS Dir or Copy
command is executed. This virus does not spread when programs are
executed.
Infected files will have their file date and time in the DOS directory
updated to the system date and time when the infection occurred.
Their file lengths will also show an increase of between 1,577 and
1,591 bytes. This virus will be located at the end of infected files.
It is not know if 1575 does anything besides replicate.
Known variant(s) of the 1575 Virus are:
1575-B : This variant is functionally similar to the 1575 Virus
described above. The major difference is that this variant
reserves the memory it occupies at the top of system memory,
though the interrupt 12 return is not moved.
1575-C : Similar to the 1575-B, this variant will infect files as they
are executed in addition to when a DOS Dir or Copy command
is issued. System may hang when this variant infects
COMMAND.COM.
Virus Name: 1605
Aliases: 1605-B, Solomon, Tel Aviv
V Status: Rare
Discovery: September, 1990
Symptoms: .COM & .EXE growth; TSR; system slowdown
Origin: Unknown
Eff Length: 1,605 Bytes
Type Code: PRsA - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan V67+, Pro-Scan 2.01+, NAV
Removal Instructions: NAV, Scan/D, or Delete infected files
General Comments:
The 1605 Virus was uploaded to John McAfee's Homebase BBS by an
anonymous user in September, 1990. The origin of this virus is
unknown. The 1605 Virus is a memory resident infector of .COM
and .EXE files, and it does not infect COMMAND.COM. It is based
roughly on the Jerusalem B Virus.
The first time a program infected with the 1605 Virus is executed,
the virus will install itself memory resident as a low system memory
TSR of 1,728 bytes. Interrupts 13 and 21 will be hooked by the
virus. At this time, the system will slowdown by approximately
15-20%.
After becoming memory resident, any .COM or .EXE file executed will
be infected by the virus. .COM files will increase in size by
1,605 bytes in all cases with the virus's code being located at the
beginning of the file. .EXE files will increase in size by between
1,601 and 1,610 bytes with the virus's code being located at the
end of the infected file.
Other than replicating, it is unknown if this virus carries any
damage potential.
Known variant(s) of the 1605 Virus are:
1605-B : This variant was received by MicroCom in London, England in
March 1991 in a plain envelope with a London postmark. The
label on the diskette read "Solomon Virus", though the virus
is not related in any way to Dr. Solomon. This variant is
very similar to the 1605 virus described above, the major
difference is that infected .EXE files will increase in size
by 1,605 to 1,619 bytes.
Virus Name: 1704 Format
Aliases:
V Status: Rare
Discovery: January, 1989
Symptoms: TSR, Falling letters, .COM growth, formatted disk
Origin:
Eff Length: 1,704 Bytes
Type Code: PRC - Parasitic Encrypting Resident .COM Infector
Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC,
AVKT 3.5+, VirHunt 2.0+, NAV
Removal Instructions: CleanUp, Scan/D, F-Prot, Pro-Scan, VirexPC, VirHunt 2.0+
General Comments:
Like the Cascade Virus, but the disk is formatted when the
virus activates. Activation occurs during the months of
October, November, and December of any year except 1993.
Virus Name: 1720
Aliases: PSQR Virus
V Status: Rare
Discovery: March, 1990
Symptoms : TSR, .COM & .EXE growth, partition table damage on activation,
programs on diskette deleted on Friday The 13ths
Origin: Spain
Eff Length: 1,720 Bytes
Type Code: PRsA - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan V61+, VirexPC 1.1+, F-Prot 1.12+, VirHunt 2.0+,
Pro-Scan 2.01+, NAV
Removal Instructions: NAV, Scan /D, VirHunt 2.0+, or delete infected files
General Comments:
The 1720, or PSQR Virus, is a variant of the Jerusalem Virus which
was first isolated in Barcelona, Spain, in March 1990. This virus,
infects .COM and .EXE files, though unlike Jerusalem, it does not
infect Overlay files. COMMAND.COM will also not be infected.
The first time an infected file is executed, the virus will install
itself memory resident, and then infect each executable file as it
is run.
On Friday The 13ths, the 1720 Virus will activate the first time an
infected program is executed. When the program is executed, it will
be deleted from disk. More damaging, however, is that the 1720 virus
will check to see if the system has a hard disk drive. If a hard
disk drive is present, the virus will overwrite the boot sector and
partition table resulting in all data on the hard disk becoming
unavailable. The system will also appear to hang.
Virus Name: 4096
Aliases: Century Virus, FroDo, IDF Virus, Stealth Virus, 100 Years Virus
V Status: Common
Discovery: January, 1990
Symptoms: .COM, .EXE, & overlay file growth; TSR hides growth; crosslinks;
corruption of data files
Origin: Israel
Eff Length: 4,096 Bytes
Type Code: PRsA - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan V53+, F-Prot, IBM Scan, Pro-Scan, VirexPC 1.1+,
AVTK 3.5+, VirHunt 2.0+, NAV
Removal Instructions: CleanUp V62+, Pro-Scan 1.4+, F-Prot, VirHunt 2.0+,
NAV, or see note below
General Comments:
The 4096 virus was first isolated in January, 1990. This virus
is considered a Stealth virus in that it is almost invisible
to the system user.
The 4096 virus infects .COM, .EXE, and Overlay files, adding
4,096 bytes to their length. Once the virus is resident in
system memory, the increase in length will not appear in a
directory listing. Once this virus has installed itself into
memory, it will infect any executable file that is opened,
including if it is opened with the COPY or XCOPY command.
This virus is destructive to both data files and executable
files, as it very slowly crosslinks files on the system's
disk. The crosslinking occurs so slowly that it appears there
is a hardware problem, the virus being almost invisible. The
crosslinking of files is the result of the virus manipulating
the FATs, changing the number of available sectors, as well as
the user issuing CHKDSK/F commands which will think that the
files have lost sectors or crosslinking if the virus is in
memory.
As a side note, if the virus is present in memory and you
attempt to copy infected files, the new copy of the file will
not be infected with the virus if the new copy does not have
an executable file extension. Thus, one way to disinfect
a system is to copy off all the infected files to diskettes with a
non-executable file extension (ie. don't use .EXE, .COM, .SYS, etc)
while the virus is active in memory, then power off the system
and reboot from a write protected (uninfected) system disk.
Once rebooted and the virus is not in memory, delete the
infected files and copy back the files from the diskettes to the
original executable file names and extensions.
The above will disinfect the system, if done correctly, but
will still leave the problem of cross-linked files which are
permanently damaged.
On or after September 22 of any year, the 4096 virus will hang
infected systems. This appears to be a "bug" in the virus in that
it goes into a time consuming loop.
The 4096 virus also contains a boot-sector within its code, however,
it is never written out to the disk's boot sector. Moving this
boot sector to the boot sector of a diskette and rebooting the
system will result in the message "FRODO LIVES" being displayed.
September 22 is Bilbo and Frodo Baggin's birthday in the Lord Of
The Rings trilogy.
An important note on the 4096 virus: this virus will also infect some
data files. When this occurs, the data files will appear to be fine
on infected systems. However, after the system is later disinfected,
these files will now be corrupted and unpredictable results may occur.
Known variant(s) of the 4096 virus include:
4096-B : Similar to the 4096 virus, the main change is that the
encryption mechanism has been changed in order to avoid
detection.
4096-C : Isolated in January, 1991, this variant of 4096 is similar
to the original virus. The major difference is that the
DOS ChkDsk command will not show any cross-linking of files
or lost clusters. A symptom of infection by this variant
is that the disk space available according to a DIR command
will be more than the disk space available according to the
DOS ChkDsk program.
Virus Name: 4870 Overwriting
Aliases:
V Status: Rare
Discovery: February, 1991
Origin: Unknown
Symptoms: Programs fail to execute; Program corruption
Eff Length: 4,870 Bytes
Type Code: ONAK - Overwriting Non-Resident .COM & .EXE Infector
Detection Method:
Removal Instructions: Delete infected files
General Comments:
The 4870 Overwriting Virus was isolated in February, 1991. It's origin
or isolation point is not known. This virus is a non-resident direct
action virus that infects .COM and .EXE programs, including
COMMAND.COM.
When a program infected with the 4870 Overwriting Virus is executed,
the virus will search the current directory for an uninfected .COM or
.EXE file. The first such uninfected file located will be infected
by the virus. Infected programs will have the first 4,870 bytes of
the candidate program overwritten by the virus. If the program's
original length was 4,870 bytes or more, there will be no increase in
the file length in the DOS directory. If the program's original
length was less than 4,870 bytes, then the program's length in the DOS
directory will now be 4,870 bytes. The file's date and time in the
directory will not be altered.
Programs infected with the 4870 Overwriting Virus will not execute
properly. Once the virus checked for a program to infect, and infected
the candidate program if one was found, the virus will terminate and
return the user to a DOS prompt.
A side note on this virus: the virus itself is compressed with the
LZEXE utility, which accounts for much of the 4,870 bytes of viral code.
Programs infected with this virus will have the markers of LZEXE version
.91 found in the first 4,870 bytes of the infected program.
It is not possible to disinfect programs infected with the 4870
Overwriting Virus as the first 4,870 bytes of the original program
are lost. Infected programs must be deleted or erased, then replaced
with clean copies.
Virus Name: 5120
Aliases: VBasic Virus, Basic Virus
V Status: Rare
Discovery: May, 1990
Origin: West Germany
Symptoms: .COM & .EXE growth, file corruption, unexpected disk activity
Eff Length: 5,120 Bytes
Type Code: PNAK - Parasitic Non-Resident .COM & .EXE Infector
Detection Method: ViruScan/X V67+, Pro-Scan 1.4+, F-Prot 1.12+
Removal Instructions: Scan/D/X, Pro-Scan 1.4+, F-Prot 1.12+, Pro-Scan 2.01+,
or Delete infected files
General Comments:
The 5120 Virus was first isolated in May, 1990. It is a non-
resident generic file infector, infecting .COM and .EXE files,
including COMMAND.COM. This virus is was written in compiled Turbo
Basic with some assembly language.
When an infected file is executed, the 5120 virus will infect one
.COM and one .EXE file on the current drive and directory, followed
by attempting to infect one randomly selected .COM or .EXE file in
each directory on the system's C: drive. Infected .COM files increase
in length by 5,120 bytes. .EXE files infected by the 5120 Virus will
increase in length by between 5,120 and 5,135 bytes.
Unlike most of the MS-DOS viruses, the 5120 Virus does not intercept
disk write errors when attempting to infect programs. Thus, infected
systems may notice disk write error messages when no access should be
occurring for a drive, such as the C: hard disk partition.
Data files may become corrupted on infected systems, as well as
crosslinking of files may occur.
The following text strings can be found in files infected with the
5120 virus. These strings will appear near the end of the file:
"BASRUN"
"BRUN"
"IBMBIO.COM"
"IBMDOS.COM"
"COMMAND.COM"
"Access denied"
There is one variant of the 5120 Virus which does not contain the
above strings, but behaves in a very similar manner. This second
variant is not indicated here as the author does not have a copy.
Virus Name: AIDS
Aliases: Hahaha, Taunt, VGA2CGA
V Status: Endangered
Discovery: 1989
Symptoms: Message, .COM file corruption
Origin:
Eff Length: N/A
Type Code: ONC - Overwriting Non-Resident .COM Infector
Detection Method: ViruScan/X V67+, Pro-Scan, VirexPC 1.1+, AVTK 3.5+
Removal Instructions: Scan/D/X, or delete infected .COM files
General Comments:
The AIDS virus, also known as the Hahaha virus in Europe and
referred to as the Taunt virus by IBM, is a generic .COM and
.EXE file infector. When the virus activates, it displays the
message "Your computer now has AIDS", with AIDS covering
about half of the screen. The system is then halted, and
must be powered down and rebooted to restart it. Since this
virus overwrites the first 13,952 bytes of the executable program, the
files must be deleted and replaced with clean copies in order
to remove the virus. It is not possible to recover the
overwritten portion of the program.
Note: this is NOT the Aids Info Disk/PC Cyborg Trojan.
Known variant(s) of Aids are:
Aids B : Very similar to the original Aids Virus, this variant is also
13,952 bytes in length. Unlike the original virus, it will
only infect .COM files, as well as COMMAND.COM, and does not
activate as the original virus did. Instead, this variant
will occasionally issue the following error message:
"I/O error 99, PC=2EFD
Program aborted".
This variant was received in January, 1991, origin unknown.
Virus Name: Aids II Virus
Aliases: Companion Virus
V Status: Endangered
Discovery: April, 1990
Symptoms: Creates .COM files, melody, message
Origin:
Eff Length: 8,064 Bytes
Type Code: SNA - Spawning Non-Resident .COM & .EXE Infector
Detection Method: ViruScan/X V67+, Pro-Scan 1.4+, NAV
Removal Instructions: Scan/D/X, or delete corresponding .COM files
General Comments:
The Aids II Virus, or Companion Virus, was isolated for the first
time in April 1990. Unlike other generic file infectors, the
Aids II Virus is the first known virus to employ what could be
termed a "corresponding file technique" of infection so that the
original target .EXE file is never changed. The virus takes
advantage of the DOS feature where if a program exists in both
.COM and .EXE form, the .COM file will be executed.
The Aids II Virus does not directly infect .EXE files, instead it
stores a copy of the virus in a corresponding .COM file which will
be executed when the user tries to execute one of his .COM files.
The .EXE file, and the .COM file containing the viral code will
both have the same base file name.
The method of infection is as follows: when an "infected"
program is executed, since a corresponding .COM file exists, the
.COM file containing the viral code is executed. The virus
first locates an uninfected .EXE file in the current directory and
creates a corresponding (or companion) .COM file with the viral
code. These .COM files will always be 8,064 Bytes in length with
a file date/time of the date/time of infection. The .EXE file is
not altered at all. After creating the new .COM file, the virus
then plays a melody and displays the following message, the "*"
indicated below actually being ansi heart characters:
"Your computer is infected with ...
* Aids Virus II *
- Signed WOP & PGT of DutchCrack -"
The Aids II Virus then spawns to the .EXE file that was attempting
to be executed, and the program runs without problem. After
completion of the program, control returns to the Aids II Virus.
The melody is played again with the following message displayed:
"Getting used to me?
Next time, use a Condom ....."
Since the original .EXE file remains unaltered, CRC checking
programs cannot detect this virus having infected a system.
One way to manually remove the Aids II Virus is to check the
disk for programs which have both a .EXE and a .COM file, with
the .COM file having a length of 8,064 bytes. The .COM files
thus identified should be erased.
The displayed text strings do not appear in the viral code.
Virus Name: AirCop
Aliases:
V Status: Rare
Discovery: July, 1990
Isolated: Washington, USA
Symptoms: BSC; System Halt; Message; decrease in system and free memory
Origin: Taiwan
Eff Length: N/A
Type Code: FR - Resident Floppy Boot Sector Infector
Detection Method: ViruScan V66+, Pro-Scan 2.01+
Removal Instructions: MDisk or DOS SYS command
General Comments:
The AirCop Virus was discovered in the State of Washington in the
United States in July, 1990. Some early infections of this virus,
however, have been traced back to Taiwan, and Taiwan is probably where
it originated. AirCop is a boot sector infector, and it will only
infect 360K 5.25" floppy diskettes.
When a system is booted from a diskette which is infected with the
AirCop virus, the virus will install itself memory resident. The
AirCop Virus installs itself memory resident at the top of high system
memory. The system memory size and available free memory will
decrease by 1,024 bytes when the AirCop virus is memory resident.
AirCop hooks interrupt 13.
Once AirCop is memory resident, any non-write protected diskettes
which are then accessed will have their boot sector infected with
the AirCop virus. AirCop will copy the original disk boot sector
to sector 719 (Side 1, Cyl 39, Sector 9 on a normal 360K 5.25"
diskette) and then replace the boot sector at sector 0 with a copy
of the virus. If a boot sector of a diskette infected with the
AirCop virus is viewed, it will be missing almost all of the messages
which normally appear in a normal boot sector. The only message
remaining will be:
"Non-system..."
This will be located just before the end of the boot sector.
The AirCop Virus will do one of two things on infected systems,
depending on how compatible the system's software and hardware is
with the virus. On most systems, the virus will display the following
message at random intervals:
"Red State, Germ Offensive.
AIRCOP."
On other systems, the virus being present will result in the system
receiving a Stack Overflow Error and the system being halted. In this
case, you must power off the system in order to be able to reboot.
AirCop currently does not infect hard disk boot sectors or partition
tables.
AirCop can be removed from infected diskettes by first powering
off the system and rebooting from a known clean write protected
DOS master diskette. The DOS SYS command should then be used to
replace the infected diskette's boot sector. Alternately, MDisk
can be used following the power-down and reboot.
Virus Name: Akuku
Aliases:
V Status: Rare
Discovery: January, 1991
Symptoms: .COM & .EXE growth; "Error in EXE file" message;
Unexpected drive accesses
Origin: USSR
Eff Length: 891 Bytes
Type Code: PNAK - Parasitic Non-Resident .COM & .EXE Infector
Detection Method: ViruScan V74+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The Akuku Virus was isolated in January, 1991, and comes from the
USSR. This virus is a non-resident direct action infector of .COM and
.EXE files, including COMMAND.COM.
When a program infected with Akuku is executed, the virus will infect
three programs in the current directory. If three uninfected programs
cannot be found in the current directory, the virus will search the
disk directory of the current drive, as well as of the C: drive.
Both .COM and .EXE programs may become infected, as well as COMMAND.COM.
Programs smaller than 1K will not be infected by this virus. Infected
programs will increase in length by 891 to 907 bytes, the virus will be
located at the end of the infected file. The file date and time in the
disk directory will not be altered by the virus.
The following text string is contained within the virus's code, and
can be found in all infected programs:
"A kuku, Nastepny komornik !!!"
Some .EXE programs will fail to execute properly after infection by the
Akuku Virus. These programs may display an "Error in EXE file"
message and terminate when the user attempts to execute them.
Virus Name: Alabama
Aliases:
V Status: Endangered
Discovery: October, 1989
Symptoms: .EXE growth, Resident (see text), message, FAT corruption
Origin: Israel
Eff Length: 1,560 bytes
Type Code: PRfET - Parasitic Resident .EXE infector
Detection Method: ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, AVTK 3.5+,
VirHunt 2.0+, NAV
Removal Instructions: CleanUp, F-Prot, Pro-Scan 1.4+, Scan/D/X, VirHunt 2.0+,
or delete infected files
General Comments:
The Alabama virus was first isolated at Hebrew University in
Israel by Ysrael Radai in October, 1989. Its first known
activation was on October 13, 1989. The Alabama virus will
infect .EXE files, increasing their size by 1,560 bytes. It
installs itself memory resident when the first program infected
with the virus is executed, however it doesn't use the normal
TSR function. Instead, this virus hooks Int 9 as well as making
use of IN and OUT commands. When a CTL-ALT-DEL combination is
detected, the virus causes an apparent boot but remains in RAM.
The virus loads itself 30K under the highest memory location
reported by DOS, and does not lower the amount of memory
reported by BIOS or DOS.
After the virus has been memory resident for one hour, the
following message will appear in a flashing box:
"SOFTWARE COPIES PROHIBITED BY INTERNATIONAL LAW..............
Box 1055 Tuscambia ALABAMA USA."
The Alabama virus uses a complex mechanism to determine whether
or not to infect the current file. First, it checks to see if
there is an uninfected file in the current directory, if there
is one it infects it. Only if there are no uninfected files
in the current directory is the program being executed
infected. However, sometimes instead of infecting the
uninfected candidate file, it will instead manipulate the FATs
to exchange the uninfected candidate file with the currently
executed file without renaming it, so the user ends up thinking
he is executing one file when in effect he is actually
executing another one. The end result is that files are
slowly lost on infected systems. This file swapping occurs
when the virus activates on ANY Friday.
Virus Name: Alameda
Aliases: Merritt, Peking, Seoul, Yale
V Status: Rare
Discovery: 1987
Symptoms: Floppy boot failures, Resident-TOM, BSC
Origin: California, USA
Eff Length: N/A
Type Code: RtF - Resident Floppy Boot Sector Infector
Detection Method: ViruScan, F-Prot, IBM Scan, AVTK 3.5+, VirHunt 2.0+, NAV
Removal Instructions: MDisk, CleanUp, F-Prot, NAV, or DOS SYS
General Comments:
The Alameda virus was first discovered at Merritt college in
Alameda, California in 1987. The original version of this virus
caused no intentional damage, though there is now at least 1
variant of this virus that now causes floppy disks to become
unbootable after a counter has reached its limit (Alameda-C
virus).
The Alameda virus, and its variants, all replicate when the
system is booted with a CTL-ALT-DEL and infect only 5 1/4"
360K diskettes. These viruses do stay in memory thru a warm
reboot, and will infect both system and non-system disks.
System memory can be infected on a warm boot even if Basic is
loaded instead of DOS.
The virus saves the real boot sector at track 39, sector 8,
head 0. The original version of the Alameda virus would only
run on a 8086/8088 machine, though later versions can now run
on 80286 systems.
Also see: Golden Gate, SF Virus
Virus Name: Ambulance Car Virus
Aliases: RedX
V Status: Rare
Discovery: June, 1990
Symptoms: .COM growth, graphic display & sound
Origin: West Germany
Eff Length: 796 Bytes
Type Code: PNC - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan V64+, F-Prot 1.12+, Pro-Scan 2.01+, NAV
Removal Instructions: Scan/D, Pro-Scan 2.01+, NAV, or Delete infected files
General Comments:
The Ambulance Car Virus was isolated in West Germany in June, 1990.
This virus is a non-resident .COM infector.
When a program infected with the Ambulance Car Virus is executed,
the virus will attempt to infect one .COM file. The .COM file to
be infected will be located on the C: drive. This virus only infects
one .COM file in any directory, and never the first .COM file in
the directory. It avoids infecting COMMAND.COM as that file is
normally the first .COM file in the root directory.
On a random basis, when an infected file is executed it will
have the affect of a graphics display of an ASCII block drawing of
an ambulance moving across the bottom of the system display. This
graphics display will be accompanied with the sound of a siren
played on the system's speaker. Both of these effects only occur
on systems with a graphics capable display adapter.
Virus Name: Amstrad
Aliases: Amstrad 2, S-847, Pixel, Pixel 2
V Status: Endangered
Discovery: November, 1989
Symptoms: .COM growth, message
Origin: Portugal
Eff Length: 847 Bytes
Type Code: PNC - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, VirexPC 1.1+,
AVTK 3.5+, VirHunt 2.0+, NAV
Removal Instructions: Scan/D/X, F-Prot, Pro-Scan 1.4+, or
delete infected files
General Comments:
The Amstrad virus was first reported in November, 1989, by
Jean Luz of Portugal, however it has been known of in Spain
and Portugal for a year prior to that. The virus is a generic
.COM infector, but is not memory resident nor does it infect
COMMAND.COM.
The virus carries a fake advertisement for the Amstrad computer.
The Amstrad virus appears to cause no other damage to the
system other than replicating and infecting files.
Known variants of the Amstrad Virus are:
Pixel/V-345 - Similar to the Amstrad virus described above, except
that the virus is 345 Bytes in length, can now infect
COMMAND.COM, and contains the message:
"=!= Program sick error:Call doctor or by PIXEL for
cure description". This message is not displayed.
The Pixel virus was originally distributed in Greece
by Pixel magazine. The Pixel Virus can only infect
programs in the current directory. This variant may
in fact be the original virus in this family, it is
rumored that it was released one year before the
appearance of the virus in Portugal.
Origin: Greece
Pixel 2 - Similar to other members of this family, this variant was
submitted in March 1991 from Europe. Infected files will
increase in size by 850 bytes, with the virus being
located at the beginning of the infected program. This
variant contains the same message as Pixel indicated
above.
S-847 - S-847 is the original "dropper" file of the Pixel 2 virus.
This program is 384 bytes in length, and when executed
will infect all .COM files in the current directory with
Pixel 2.
V-277 - Similar to the Pixel/V-345 virus described above, except
that the virus is now 277 Bytes in length, and does not
contain any message text. The original message text
has been replaced with code to produce a parity error
approximately 50% of the time when an infected program
is executed.
Origin: Bulgaria
V-299 - Similar to Pixel, except that the length of the virus
is 299 Bytes.
Origin: Bulgaria
V-847 - Similar to Pixel, except that the length of the virus
is 847 Bytes.
Origin: Bulgaria
V-847B - Similar to V-847, except that the message in the virus
is now in Spanish and is:
"=!= En tu PC hay un virus RV1, y esta es su quinta
generacion".
This variant was originally distributed by a magazine
in Spain in file NOCARGAR.COM.
Origin: Spain
V-852 - Similar to the V-847 variant, this variant does not
contain any message. It infects all .COM files in the
current directory whenever an infected program is
executed. If the current directory contains COMMAND.COM,
it will be infected as well. The original sample of this
variant received by the author did not contain any text,
however after replicating on a test system, all infected
files then contained text from the video buffer, which
implies the submitted sample was the original distribution
of the virus. This variant checks byte 4 of .COM files
to determine if the file was previously infected, if
bytes 4-5 are 'SS', the virus assumes the file is already
infected. All infected programs will start with the
following hex string, with the nn indicated being a
generation number:
"EB14905353nn2A2E434F4D004F040000"
Origin: Bulgaria
Virus Name: Anthrax
Aliases:
V Status: Rare
Discovery: July, 1990
Symptoms: .COM & .EXE growth
Origin: Bulgaria
Isolated: Netherlands
Eff Length: 1040 - 1279 Bytes
Type Code: PRAKX - Parasitic Resident .COM, .EXE, & Partition Table Infector
Detection Method: ViruScan V66+, Pro-Scan 2.01+
Removal Instructions: Scan/D + MDisk/P, Pro-Scan 2.01+
General Comments:
The Anthrax Virus was isolated in July 1990 in the Netherlands after
it was uploaded onto several BBSes in a trojan anti-viral program,
USCAN.ZIP. It is the second virus to be found in a copy of UScan
during July 1990, the first virus being V2100. Anthrax is a memory
resident generic infector of .COM and .EXE files, including
COMMAND.COM.
The first time a program infected with the Anthrax virus is executed
on the system's hard disk, the virus will infect the hard disk's
partition table. At this point, the virus is not memory resident. It
will also write a copy of itself on the last few sectors of the
system's hard disk. If data existed on those last few sectors of the
hard disk, it will be destroyed.
When the system is booted from the hard disk, the Anthrax virus
will install itself memory resident. It will remain memory resident
until the first program is executed. At that time, it will deinstall
itself from being resident and infect one .COM or .EXE file. This
virus does not infect files in the current directory first, but
instead starts to infect files at the lowest level of the disk's
directory tree.
Later, when an infected program is executed, Anthrax will infect one
.COM or .EXE file, searching the directory structure from the lowest
level of the directory tree. If the executed infected program
was located on the floppy drive, a .COM or .EXE file may or may not
be infected.
The Anthrax Virus's code is 1,024 bytes long, but infected programs
will increase in length by 1,040 to 1,279 bytes. On the author's test
system, the largest increase in length experienced was 1,232 bytes.
Infected files will always have an infected file length that is a
multiple of 16.
The following text strings can be found in files infected with the
Anthrax virus:
"(c)Damage, Inc."
"ANTHRAX"
A third text string occurs in the viral code, but it is in Cyrillics.
Per Vesselin Bontchev, this third string translates to: "Sofia 1990".
Since Anthrax infects the hard disk partition tables, infected systems
must have the partition table disinfected or rebuilt in order to
remove the virus. This disinfection can be done with either a low-
level format or use of the MDisk/P program for the correct DOS
version after powering off and rebooting from a write-protected boot
diskette for the system. Any .COM or .EXE files infected with
Anthrax must also be disinfected or erased. Since a copy of the virus
will exist on the last few sectors of the drive, these must also be
located and overwritten.
Anthrax interacts with another virus: V2100. If a system which was
previously infected with Anthrax should become infected with the V2100
virus, the V2100 virus will check the last few sectors of the hard
disk for the spare copy of Anthrax. If the spare copy is found, then
Anthrax will be copied to the hard disk's partition table.
It is not known if Anthrax carries any destructive capabilities or
trigger/activation dates.
Virus Name: Anti-Pascal
Aliases: Anti-Pascal 605 Virus, AP-605, C-605, V605
V Status: Research
Discovery: June, 1990
Symptoms: .COM growth, .BAK and .PAS file corruption
Origin: Bulgaria
Isolated: Sofia, Bulgaria
Eff Length: 605 Bytes
Type Code: PNCK - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan/X V67+, Pro-Scan 2.01+, NAV
Removal Instructions: Pro-Scan 2.01+, Scan/D/X, NAV, or delete infected files
General Comments:
The Anti-Pascal Virus, V605 or C-605, was isolated in Sofia,
Bulgaria in June 1990 by Vesselin Bontchev. Originally, it was
thought that the Anti-Pascal virus was from the USSR or Poland,
but it has since been determined to have been a research virus
written in Bulgaria over one year before it was isolated. The
author was not aware that it had "escaped" until July, 1990.
The Anti-Pascal Virus is a generic .COM file infector, including
COMMAND.COM. While this virus is not memory resident, when it is
in the process of infecting files, interrupt 24 will be hooked.
When a program infected with the Anti-Pascal virus is executed,
the virus will attempt to infect two other .COM files on the
current drive or on drive D: which are between 605 and 64,930
bytes in length. These files must not have the read only
attribute set. If an uninfected .COM file meeting the virus's
selection criteria is found, the first 605 bytes of the program
is overwritten with the viral code. The original 605 bytes of
the program is then appended to the end of the infected file.
Infected files will have increased in length by 605 bytes, and
they will also begin with the text string "PQVWS" as well as
contain the string "combakpas???exe" at offset 0x17. Infected
files will also have had their file date/time stamps in the
directory updated to the date/time that the infection occurred.
If the Anti-Pascal Virus cannot find two .COM files to infect,
it will check the current drive and directory for .BAK and .PAS
files. If these files exist, they will be overwritten with the
virus's code. If the overwritten files were .PAS files, the
system's user has now lost some of their Pascal source code.
After overwriting .BAK and .PAS files, the virus will attempt to
rename them to .COM files, or .EXE files if a .COM file already
exists. This rename does not work due to a bug in the virus.
Known variant(s) of the Anti-Pascal Virus are:
AP-529 : Similar to the 605 byte Anti-Pascal Virus, the major
differences are that AP-529 will only infect .COM files
over 2,048 bytes in length. Infected files increase in
length by 529 bytes. Additionally, instead of overwriting
the .BAK and .PAS files, one .BAK and .PAS file will be
deleted if there are no uninfected .COM files with a
length of at least 2,048 bytes on the current drive.
.COM files on the C: drive root directory may also be
infected by AP-529 when it is executed from the A: or B:
drive. This variant should be considered a "Research
Virus", it is not believed to have been publicly
released.
Also see: Anti-Pascal II
Virus Name: Anti-Pascal II
Aliases: Anti-Pascal 400, AP-400
V Status: Research
Discovery: June, 1990
Symptoms: .COM growth; .BAK, .BAT and .PAS file deletion, boot sector
alteration on hard disk
Origin: Bulgaria
Isolated: Sofia, Bulgaria
Eff Length: 400 Bytes
Type Code: PNCK - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan/X V67+, Pro-Scan 2.01+, NAV
Removal Instructions: Pro-Scan 2.01+, Scan/D/X, or delete infected files
General Comments:
The Anti-Pascal II Virus, or AP-400, was isolated in Sofia,
Bulgaria in June 1990 by Vesselin Bontchev. It is one of five
viruses/variants in the Anti-Pascal family. Two of the earlier
variants, Anti-Pascal/AP-605 and AP-529, are documented under
the name "Anti-Pascal". The variants listed under Anti-Pascal II
have been separated due to some of their characteristics differing
from the 605 byte and 529 byte viruses.
The Anti-Pascal II Virus is a generic .COM file infector, including
COMMAND.COM. While this virus is not memory resident, when it is
in the process of infecting files, interrupt 21 will be hooked.
The first time a program infected with the Anti-Pascal II virus is
executed on a system, the virus will attempt to infect one (1)
.COM file in the root directory of each drive accessible on the
system. Files are only infected if their length is at least 2,048
bytes, and the resulting infected file will be less than 64K in
length. Since COMMAND.COM is usually the first .COM file on a
drive, it will immediately become infected. One additional .COM
file will also be infected on the current drive. The mechanism used
to infect the file is to write the virus's code to the end of the
file. A jump is used to execute the virus's code before the original
program is executed. Infected files do not have their date/time
stamps in the directory updated to the system date and time when the
infection occurred.
If the Anti-Pascal Virus cannot find a .COM file to infect on a
given drive, or two .COM files to infect on the current drive,
it will check for the existence of .BAK, .PAS, or .BAT files. If
found, these files will be deleted. These deletions only occur in
root directories and on the current drive's current directory. Since
each root directory (as well as the current directory) will typically
not have all of its .COM files infected at the same time, the deletes
will occur on different drives and directories at different times.
Symptoms of infection of the Anti-Pascal II Virus include file length
increases of 400 bytes, unexpected disk access to drives other than
the current drive, and disappearing .BAK, .PAS, and .BAT files. One
other symptom of an Anti-Pascal II infection is that the hard disk's
boot sector will be slightly altered by the virus. Anti-viral programs
which CRC-check the boot sector will indicate that a boot sector
infection may have occurred. The boot sector alteration does not
contain a live virus, but will throw the system user off into thinking
their problem is from a boot sector virus instead of a file infector,
and if the disk as a bootable disk, it will not be unbootable.
The Anti-Pascal II Virus and its variants indicated below are not
believed to have been publicly released. As such, they have been
classified as "Research Viruses".
Known variant(s) of the Anti-Pascal II Virus are:
AP-440 : Very similar to the 400 byte version of the Anti-Pascal II
Virus, the major characteristic change is that this
variant has a length of 440 bytes. The boot sector is no
longer altered by the virus. This variant is an
intermediary between AP-480 and the 400 byte version
documented above.
AP-480 : Similar to the Anti-Pascal II virus, this variant is the
version which is 480 bytes in length. It does not
delete .BAT files, but only .BAK and .PAS. This variant
is the latest variant of the Anti-Pascal II grouping.
Also see: Anti-Pascal
Virus Name: AntiChrist
Aliases:
V Status: New
Discovery: March, 1991
Symptoms: .EXE growth; decrease in total system and available free memory
Origin: USA
Eff Length: 1,008 Bytes
Type Code: PRhE - Parasitic Resident .EXE Infector
Detection Method: ViruScan V76+
Removal Instructions: Scan/D, or Delete Infected Files
General Comments:
The AntiChrist Virus was submitted in March, 1991, by David Grant of the
United States. This virus is a memory resident infector of .EXE files,
and is related to the Murphy Virus from Bulgaria.
The first time a program infected with AntiChrist is executed, the
virus will install itself memory resident at the top of system memory
but below the 640K DOS boundary. Interrupt 12's return is not moved.
Total system memory, and available free memory, as indicated by the
DOS ChkDsk program will decrease by 1,040 bytes. Interrupt 21 is
hooked by the virus.
After AntiChrist is memory resident, it will infect .EXE programs
greater than 1K in length when they are executed or openned for any
reason. Infected programs will have a file length increase of 1,008
bytes, the virus will be located at the end of the infected file. The
disk directory date and time will not be altered.
Of the two samples submitted, one was not a natural infection of
AntiChrist as it was on a .COM program. This virus may be a research
virus and not in the public domain at the time it was submitted.
Also see: Murphy
Virus Name: Arf
Aliases: Rigor Mortis, Thor
V Status: Rare
Discovery: March, 1991
Symptoms: .COM growth; Messages
Origin: United States
Eff Length: 1,000 Bytes
Type Code: PNCK - Parasitic Non-Resident .COM Infector
Detection Method: Scan V75+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The Arf, Thor, or Rigor Mortis Virus was submitted in March, 1991 from
the United States. This virus is a non-resident infector of .COM
files, including COMMAND.COM. Arf is based on the Vienna Virus, and
some anti-viral programs may identify it as Vienna.
When a program infected with Arf is executed, the virus will check to
see if COMMAND.COM has been previously infected. If it is not infected,
the virus will infect it and display the message:
"Rigor Mortis !!!
I am Hi.pas"
After checking (and possibly infecting) COMMAND.COM, the virus will
search the current directory for one .COM program to infect. If an
uninfected .COM program is found, it will be infected with the following
message being displayed:
"Arf krad krad krad
krad krad kr"
The virus will then proceed to check the B: drive for a file to infect.
Files infected with the Arf virus will have a file length increase of
1,000 bytes. The virus will be located at the end of the infected
program. The above text messages can be found within the infected
files.
The Arf Virus may not be in the public domain, the original sample
submitted is not a natural infection of the virus. Its name is due to
the "Arf" string displayed when files other than COMMAND.COM are
infected. Its alias of Thor is because it is believed to have been
written by a group calling itself Thor.
Note: the original sample of this virus was on an .EXE file, and is
not a natural infection. This virus may be a research virus and not
in the public domain.
Virus Name: Armagedon
Aliases: Armagedon The First, Armagedon The Greek
V Status: Rare
Discovery: June, 1990
Symptoms: text string intermittently sent to COM ports
Origin: Athens, Greece
Eff Length: 1,079 Bytes
Type Code: PRC - Parasitic Resident .COM Infector
Detection Method: ViruScan V64+, F-Prot 1.12+, Pro-Scan 2.01+, NAV
Removal Instructions: Scan/D, F-Prot 1.12+, or Delete infected files
General Comments:
The Armagedon virus was isolated on June 2, 1990, by George
Spiliotis of Athens, Greece. Armagedon is a memory resident
virus which infects .COM files, increasing their length by 1,079
bytes.
The first time an infected program is executed on a system, the
virus installs itself memory resident, hooking interrupts 8 and 21.
Any .COM files which are later executed are then infected by the
resident virus.
Infected systems will experience the text string "Armagedon the GREEK"
being sent to COM ports 1 - 4 at time intervals. Between 5:00 and
7:00, the virus will attempt to use the system's COM ports to make
a phone call to Local Time Information in Crete, Greece. If a
connection is made, the phone line will remain open until the user
notices that the phone line is in use. (Needless to say, this
doesn't work if the system is located outside of Greece as dialing
codes are considerably different between countries.)
This virus otherwise is not destructive.
Virus Name: Ashar
Aliases: Shoe_Virus, UIUC Virus
V Status: Common
Discovery:
Symptoms: BSC, Resident TOM
Origin:
Eff Length: N/A
Type Code: BRt - Resident Boot Sector Infector
Detection Method: ViruScan V41+, F-Prot, IBM Scan, Pro-Scan 1.4+, AVTK 3.5+,
VirHunt 2.0+, NAV
Removal Instructions: MDisk, CleanUp, Pro-Scan 1.4+, F-Prot, NAV, or
DOS SYS command
General Comments:
The Ashar virus is a resident boot sector infector which is
a variant of the Brain virus. It differs from the Brain
virus in that it can infect both floppies and hard disk, and
the message in the virus has been modified to be:
"VIRUS_SHOE RECORD, v9.0. Dedicated to the dynamic
memories of millions of virus who are no longer with us
today".
However, the above message is never displayed. The
identification string "ashar" is normally found at offset
04a6 hex in the virus.
A variant of the Ashar virus exists, Ashar-B or Shoe_Virus-B,
which has been modified so that it can no longer infect hard
drives. The v9.0 in the message has also been altered to v9.1.
Also see: Brain
Virus Name: Attention!
Aliases: USSR 394
V Status: Rare
Discovery: December, 1990
Symptoms: .COM file growth; decrease in system and available memory;
clicking emitted from system speaker on keypress; file date/time
changes
Origin: USSR
Eff Length: 394 Bytes
Type Code: PRhCK - Parasitic Resident .COM Infector
Detection Method: ViruScan V74+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The Attention! Virus was submitted in December, 1990 and was originally
isolated in the USSR. This virus is a memory resident infector of COM
files, including COMMAND.COM.
The first time a program infected with the Attention! Virus is executed,
the virus will reserve 416 bytes at the top of system memory but below
the 640K DOS boundary. The virus becomes memory resident in this area,
and hooks interrupt 21. Total system memory and available free memory
returned by the DOS ChkDsk command will decrease by 416 bytes. The
interrupt 12 return is not moved.
After the virus is memory resident, a clicking sound will be emitted
by the system speaker each time a key is pressed on the keyboard. Some
programs, such as the Edlin program supplied with MS-DOS, will receive
an "Invalid drive or file name" message when they are attempted to be
executed.
Attention! will infect COM files, including COMMAND.COM, when they are
executed. The exception is that very small COM files will not become
infected. Infected files will increase in length by 394 bytes with the
virus being located at the end of the file. Infected programs will also
contain the text string: "ATTENTION !" near the beginning of the
program.
Virus Name: Australian 403
Aliases:
V Status: Rare
Discovery: February, 1991
Symptoms: .COM files become 403 bytes in length; TSR;
File date/time changes; .COM files do not function properly
Origin: Australia
Eff Length: 403 Bytes
Type Code: PRsCK - Parasitic Resident .COM Infector
Detection Method:
Removal Instructions: Delete infected files
General Comments:
The Australian 403 Virus was submitted in February, 1991 by Colin Keeble
of Australia. This virus is a memory resident infector of .COM files,
including COMMAND.COM.
The first time a program infected with the Australian 403 Virus is
executed, the virus will install itself memory resident as a low system
memory TSR of 720 bytes. The virus will hook interrupt 21.
Once the virus is memory resident, the virus will replace two .COM
programs in the current directory with a copy of the virus each time
any program is executed. The replaced programs will have a file length
of 403 bytes, and their date and time in the disk directory will have
been altered to the system date and time when infection occurred.
Needless to say, the replaced programs will not execute properly since
they now only contain the virus's code.
This virus does not do anything besides replicate.
Virus Name: Azusa
Aliases:
V Status: Rare
Discovery: February, 1991
Symptoms: BSR; Decrease in total system and available free memory;
LPT1 & COM1 ports may be disabled
Origin: USA
Eff Length: N/A
Type Code: BRtX - Resident Boot Sector & Partition Table Infector
Detection Method: ViruScan V75+
Removal Instructions: Clean-Up V75+
General Comments:
The Azusa Virus was received in February, 1991. Its origin is unknown.
This virus is a memory resident infector of diskette boot sectors and
the hard disk partition table.
The first time the system is booted from a diskette infected with the
Azusa Virus, the virus will become memory resident at the top of
system memory, but below the 640K DOS boundary. The virus moves the
Interrupt 12 return so that the system will report 1,024 Bytes less
memory than is installed on the system. At this time, the virus will
infect the system's hard disk partition table, overwriting the
partition table with a copy of the Azusa virus. A copy of the original
partition table is not stored by the virus.
Once Azusa is memory resident, it will infect diskettes when they are
accessed on the system with write intent (ie: a file is openned as
output, or with read/write intent) or when attempting to reboot the
system from a diskette via CTL-ALT-DEL. Diskettes are infected by
copying the original diskette boot sector to track 40 sector 8, and
then writing a copy of itself to the diskette's boot sector. On
diskettes other than 360K 5.25" diskettes, the original boot sector
will end up in the middle of the disk, possibly corrupting files.
The Azusa Virus keeps track of how many times the system has been
booted from an infected diskette. After 32 boots, the virus will
disable the COM1 and LPT1 ports on the system, and reset its counter.
A later boot will result in the ports functioning properly again.
Virus Name: Best Wishes
Aliases: Best Wish
V Status: Rare
Discovery: December, 1990
Symptoms: .COM file growth; decrease in system and available free memory;
system hangs; file date/time changes; file not found errors;
boot sector modification
Origin: USSR
Eff Length: 970 Bytes
Type Code: PRtCK - Parasitic Resident .COM Infector
Detection Method: ViruScan V74+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The Best Wishes Virus was submitted in December, 1990 and is believed
to be from the USSR. Best Wishes is a memory resident infector of
COM files, including COMMAND.COM. There is a variant of this virus,
Best Wishes B, which is 1,024 bytes in length.
The first time a program infected with the Best Wishes Virus is
executed, the virus will install itself memory resident in system high
memory, but below the 640K DOS boundary. The interrupt 12 return will
be moved. Total system memory will decrease by 61,440 bytes, available
free memory will decrease by 61,360 bytes. COMMAND.COM will become
infected at this time, and the disk's boot sector will also be modified.
Disks with the boot sector modification and infected COMMAND.COM will
still boot properly.
After Best Wishes is resident, the virus will infect COM files as they
are executed with a probability of 50%. Infected COM files will
increase in length by 970 bytes with the virus being located at the
end of the infected file. Infected programs will also have the following
text string located near the end of the file:
"This programm ... With Best Wishes!"
Best Wishes does not restore the original file date and time in the
directory when it infects programs, so all infected programs will have
their date/time stamps set to the system date and time when infection
occurred.
Two additional symptoms of a Best Wishes infection are that the user
may experience "File not found" errors when the file is actually on
disk, as well as system hangs on every fourth program execution.
Known variant(s) of Best Wishes are:
Best Wishes B - An earlier version of Best Wishes, this variant is
1,024 bytes in length. The major differences are that infected
disks will not boot if COMMAND.COM has been modified. Execution
of a COM program once the virus is memory resident will result in
the program most likely being infected, but the system will also
become hung.
Virus Name: Black Monday
Aliases:
V Status: Rare
Discovery: September, 1990
Symptoms: .COM & .EXE file growth; TSR; file timestamp changes
Origin: Kuala Lumpur, Malaysia
Eff Length: 1,055 Bytes
Type Code: PRsAK - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan V67+, Pro-Scan 2.01+, NAV
Removal Instructions: Pro-Scan 2.01+, Scan/D, or Delete infected files
General Comments:
The Black Monday Virus was isolated in Fiji in September, 1990. It
is reported to be widespread in Fiji and other locations in the Far
East and Asia. This virus is a memory resident generic infector of
.COM and .EXE files, including COMMAND.COM.
The first time a program infected with the Black Monday Virus is
executed, the virus will install itself memory resident as a low
system memory TSR of 2,048 bytes. Interrupt 21 will be hooked by
the virus.
Once the virus is memory resident, any program which is executed
will become infected with the Black Monday Virus. .COM files will
increase in length by 1,055 bytes with the virus's code located at
the end of the infected files. .EXE files will also increase in
length by 1,055 bytes with the virus's code added to the end of
the file. This virus does not infect .EXE files multiple times.
The virus does not hide the change in file length when the directory
is displayed, though a directory display will indicated that the
infected file's date/timestamp have been updated to the system date
and time when the file was infected.
The following text string can be found in all infected files near
the beginning of the virus's code:
"Black Monday 2/3/90 KV KL MAL"
It is unknown when Black Monday activates, or what it does at
activation.
Virus Name: Blood
Aliases: Blood2
V Status: Rare
Discovery: August, 1990
Symptoms: .COM file length increase, system reboots and/or hangs,
cascading screen effect
Origin: Natal, Republic of South Africa
Eff Length: 418 Bytes
Type Code: PNCK - Parasitic Non-Resident .COM Infector
Detection Method: Pro-Scan 2.0+, ViruScan V75+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The Blood Virus was submitted by Fridrik Skulason in August, 1990.
It was originally isolated in Natal, Republic of South Africa. There
are two variants of this virus, Blood and Blood2. This virus is a
non-resident infector of .COM files, including COMMAND.COM.
When a program infected with the Blood virus is executed, it will
infect one .COM file located in the C: drive root directory. The
newly infected file will have increased in length by 418 bytes. If
the program just infected is COMMAND.COM, a system reboot will
occur. Following the system reboot, executing an infected program
will result in a cascading effect of the cursor down the screen. The
next .COM file executed will then result in the hard disk being
accessed followed by the system hanging. Spurious characters from
memory may also appear on the screen on the line below the command
line.
After August 15, execution of an infected program will result in a
system hang.
Known variant(s) of Blood are:
Blood2 : Similar to Blood, with the major difference being that
system reboots, system hangs, and the cascading cursor
effect no longer occur. This variant also does not hang
the system after August 15.
Virus Name: Bloody!
Aliases:
V Status: Rare
Discovery: December, 1990
Symptoms: Extended boot time; decrease in system & available memory;
message on boot; boot sector & partition table changes
Origin: Taiwan
Eff Length: N/A
Type Code: BRtX - Resident Boot Sector & Partition Table Infector
Detection Method: ViruScan V72+
Removal Instructions: See below
General Comments:
The Bloody! Virus was submitted in December 1990, and infection
reports were received from Europe, Taiwan, and the United States. This
virus is a memory resident infector of floppy diskette boot sectors as
well as the hard disk partition table.
When a system is booted from a floppy or hard disk infected with the
Bloody! Virus, the virus will install itself memory resident at the
top of system memory but below the 640K DOS boundary. Total system
memory and available free memory will decrease by 2,048 bytes. The
interrupt 12 return will be moved. The system boot will also take
much longer than expected. The system's hard disk's partition table
will become infected immediately if it was not the source of the
system boot.
At the time of system boot, the virus also maintains a counter of how
many times the infected diskette or hard drive has been booted. Once
128 boots have occurred, the virus will display the following message
during the boot:
"Bloody! Jun. 4, 1989"
June 4, 1989 is the date of the the confrontation in Beijing, China
between Chinese students and the Chinese Army in which many students
were killed.
This message will later be displayed on every sixth boot once the
128 boot limit has been reached. The text message is encrypted within
the viral code, so it is not visible in the boot sector.
Once Bloody! is memory resident, the virus will infect any diskette
or hard disk when a file or program is accessed. Listing a disk
directory will not be enough to cause the virus to infect the disk.
Infected diskette boot sectors will be missing all of the normal
DOS error messages which are normally found in the boot sector. The
original boot sector will have been moved to sector 11 on 360K diskettes,
a part of the root directory. If there were previously root directory
entries in that sector, those files will be lost.
On the hard disk, the original partition table will have been moved
to side 0, cylinder 0, sector 6.
For floppies of other sizes then 360K, they may become unusable or
corrupted as the virus does not take into account the existence of these
disk types.
For diskettes, Bloody! can be removed by powering the system off and
then booting from a known-clean, write protected original DOS diskette.
The DOS SYS command should then be executed on each of the infected
diskettes.
To remove the Bloody! Virus from the hard disk's partition table, the
original partition table should be located and then copied back to
its original position. The other option is to backup the files on
the hard disk and low level format the drive.
Virus Name: Brain
Aliases: Pakistani, Pakistani Brain
V Status: Common
Discovery: 1986
Symptoms: Extended boot time, Volume label change, Resident TOM,
Three contiguous bad sectors (floppy only), BSC
Origin: Pakistan
Eff Length: N/A
Type Code: BRt - Resident Boot Sector Infector
Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, AVTK 3.5+,
VirHunt 2.0+, NAV
Removal Instructions: MDisk, CleanUp, F-Prot, Pro-Scan, NAV, or
DOS SYS command
General Comments:
The Pakistani Brain virus originated in Lahore, Pakistan and
infects disk boot sectors by moving the original contents of the
boot sector to another location on the disk, marking those 3
clusters (6 sectors) bad in the FAT, and then writing the virus
code in the disk boot sector.
One sign of a disk having been infected, at least with the
original virus, is that the volume label will be changed
to "(c) Brain". Another sign is that the label "(c) Brain" can
be found in sector 0 (the boot sector) on an infected disk.
This virus does install itself resident on infected systems,
taking up between 3K and 7K of RAM. The Brain virus is able to
hide from detection by intercepting any interrupt that might
interrogate the boot sector and redirecting the read to the
original boot sector located elsewhere on the disk, thus some
programs will be unable to see the virus.
The original Brain virus only infected floppies, however variants
to the virus can now infect hard disks. Also, some variants
have had the "(c) Brain" label removed to make them harder to
detect.
Known variants of the Brain virus include:
Brain-B/Hard Disk Brain/Houston Virus - hard disk version.
Brain-C - Brain-B with the "(c) Brain" label removed.
Clone Virus - Brain-C but restores original boot copyright label.
Clone-B - Clone Virus modified to destroy the FAT after 5/5/92.
Also see: Ashar
Virus Name: Burger
Aliases: 541, 909090h, CIA
V Status: Extinct
Discovery: 1986
Symptoms: Programs will not run after infection
Origin: West Germany
Eff Length: 560 Bytes
Type Code: ONAK - Overwriting Non-Resident .COM & .EXE Infector
Detection Method: ViruScan V67+, Pro-Scan 2.01+, NAV
Removal Instructions: Scan /D, or delete infected files
General Comments:
The Burger, or 909090h, Virus was written and copyrighted in 1986 by
Ralf Burger of West Germany. This virus is extinct in the "public
domain". This virus is a non-resident overwriting virus, infecting
.COM and .EXE files, including COMMAND.COM.
When a program infected with the Burger Virus is executed, the virus
will attempt to infect one previously uninfected .COM file located in
the C: drive root directory. To determine if the program was previously
infected, the virus checks to see if the first three bytes of the .COM
file are three NOP instructions (909090h). If the first three bytes are
the NOP instructions, the virus goes on checking until it finds an
uninfected .COM file. If no uninfected .COM file exists, the virus
then renames all the .EXE files in the root directory to .COM files and
checks those files. Once it finds a .COM file to infect, it overwrites
the first 560 bytes of the uninfected program with the virus code. At
this point, the program the user was attempting to run will either
end or hang the system. Infected programs will never execute properly
as the first portion of the program has been destroyed.
Systems which have been infected with the Burger Virus will fail to
boot once the virus has infected the hard disk boot partition's
COMMAND.COM, or the copy of COMMAND.COM on their boot diskette.
Infected files can be easily identified by the "909090B8000026A245"
hex sequence located in the first nine bytes of all infected files.
Infected files cannot be disinfected, they must be replaced from a
clean source.
Known variant(s) of the Burger virus include:
CIA : Discovered in the United States in October, 1990, this virus
is similar to the Burger Virus described above. The first
nine bytes of all infected files in hex will be:
"909090B8000026A3A5". The actual length of this variant
is 541 bytes, though the first 560 bytes of infected programs
are overwritten.
505 : Similar to the Burger virus, this variant's actual code length
is 505 bytes, though the first 560 bytes of infected files
will be overwritten. Infected files will have their first
nine bytes contain the hex string: "909090B8000026A3A0".
509 : Similar to the Burger virus, this variant's actual code length
is 509 bytes, though the first 560 bytes of infected files
will be overwritten. Infected files will have their first
nine bytes contain the hex string: "909090B8000026A3A4".
541 : Similar to the Burger virus, this variant overwrites the
first 560 bytes of infected programs, though the virus's
length is actually 541 bytes. Infected programs will start
with the hex sequence: "909090B8000026A3A4".
Also see: VirDem
Virus Name: Carioca
Aliases:
V Status: Rare
Discovery: November, 1990
Symptoms: TSR; .COM growth
Origin:
Eff Length: 951 Bytes
Type Code: PRsC - Parasitic Resident .COM Infector
Detection Method: ViruScan V71+, Pro-Scan 2.01+
Removal Instructions: Scan/D, Pro-Scan 2.01+, or Delete Infected Files
General Comments:
The Carioca Virus was submitted in November, 1990. This virus is a
memory resident infector of .COM files, it does not infect COMMAND.COM.
The first time a program infected with the Carioca Virus is executed,
the virus will install itself memory resident as a 1,280 byte low
system memory TSR. Interrupt 21 will be hooked by the virus. The
system's available free memory will decrease by 1,312 bytes.
After the virus is memory resident, any .COM file executed (with the
exception of COMMAND.COM) will become infected with the Carioca
Virus. Infected .COM files will show an increase in size of 951 bytes
with the virus being located at the end of the infected file. Infected
files will have the following hex character string located at the
very end of the file: "2EFF1E1A010203CD21".
It is unknown if Carioca contains any damage potential.
Virus Name: Cascade
Aliases: Fall, Falling Letters, 1701, 1704
V Status: Common
Discovery: October, 1987
Symptoms: TSR, Falling letters, .COM file growth
Origin: Germany
Eff Length: 1,701 or 1,704 bytes
Type Code: PRsC - Parasitic Resident Encrypting .COM Infector
Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+,
VirHunt 2.0+, NAV
Removal Instructions: CleanUp, F-Prot, VirexPC, VirHunt 2.0+, Pro-Scan 2.01+
General Comments:
Originally, this virus was a trojan horse which was disguised
as a program which was supposed to turn off the number-lock
light when the system was booted. The trojan horse instead
caused all the characters on the screen to fall into a pile
at the bottom of the screen. In late 1987, the trojan horse
was changed by someone into a memory resident .COM virus.
While the original virus had a length of 1,701 bytes and would
infect both true IBM PCs and clones, a variation exists of
this virus which is 3 bytes longer than the original virus
and does not infect true IBM PCs. Both viruses are
functionally identical in all other respects.
Both of the viruses have some fairly unique qualities: Both
use an encryption algorithm to avoid detection and complicate
any attempted analysis of them. The activation mechanisms
are based on a sophisticated randomization algorithm
incorporating machine checks, monitor types, presence or
absence of a clock card, and the time or season of the year.
The viruses will activate on any machine with a CGA or VGA
monitor in the months of September, October, November, or
December in the years 1980 and 1988.
Known variants of the Cascade virus are:
1701-B : Same as 1701, except that it can activate in the
fall of any year.
1704-D : Same as the 1704, except that the IBM selection
has been disabled so that it can infect true IBM
PCs.
17Y4 : Similar to the Cascade 1704 virus, the only difference is
one byte in the virus which has been altered.
Cunning: Based on the Cascade virus, a major change to the virus
is that it now plays music.
Also see: 1704 Format
Virus Name: Cascade-B
Aliases: Blackjack, 1704-B
V Status: Common
Discovery:
Symptoms: .COM file growth, TSR, random reboots
Origin: Germany
Eff Length: 1,704 bytes
Type Code: PRsC - Parasitic Resident Encrypting .COM Infector
Detection Method: ViruScan, F-Prot, IBM Scan, VirexPC, AVTK 3.5+, Pro-Scan,
VirHunt 2.0+, NAV
Removal Instructions: CleanUp, F-Prot, VirexPC, VirHunt 2.0+
General Comments:
The Cascade-B virus is similar to the Cascade virus, except
that the cascading display has been replaced with a system
reboot which will occur at random time intervals after the
virus activates.
Other variation(s) which have been documented are:
1704-C : Same as 1704-B except that the virus can activate in
December of any year.
Virus Name: Casino
Aliases:
V Status: New
Discovery: April, 1991
Symptoms: .COM growth; decrease in total system & available free memory;
File allocation errors
Origin: Unknown
Eff Length: 2,330 bytes
Type Code: PRhCK - Parasitic Resident .COM Infector
Detection Method:
Removal Instructions: Delete infected files
General Comments:
The Casino Virus was submitted in April, 1991 by David Chess of IBM.
This virus is a memory resident infector of .COM files, including
COMMAND.COM.
The first time a program infected with Casino is executed, Casino will
install itself memory resident at the top of system memory. Total
system and available free memory, as indicated by the DOS ChkDsk
program will decrease by 37,568 to 37,632 bytes. 3,152 bytes in low
system memory will also be used by the virus, and interrupts 00, 23,
and 30 will point to this area. After Casino is resident, it will
then immediately infect COMMAND.COM located in the C: drive root
directory.
After Casino is memory resident, it will infect .COM programs when
any of three events occur. If the system user issues a DIR command,
or a program does an internal DIR command, one .COM file in the
current directory will be infected. Additionally, if the system user
executes an infected program, a .COM program will become infected.
Lastly, Casino will infect .COM programs that are openned by another
program for any reason.
Programs infected with Casino will have a file length increase of
2,332 to 2,346 bytes. The file length increase, however, is mostly
hidden if the virus is memory resident. With the virus memory resident,
infected files will have a file length increase of 1 to 16 bytes, but
occasionally one may show a file length increase of up to 48 bytes.
The virus does not alter the file date and time in the disk directory.
If Casino is memory resident and the DOS ChkDsk program is executed,
file allocation errors will be returned for each infected program. If
the ChkDsk /F option is used, program corruption will occur.
It is unknown if Casino does anything besides replicate.
Virus Name: Casper
Aliases:
V Status: Rare
Discovery: August, 1990
Symptoms: .COM file growth, April 1st disk corruption (see below)
Origin:
Eff Length: 1,200 bytes
Type Code: PNCK - Parasitic Non-Resident Encrypting .COM Infector
Detection Method: ViruScan V67+, Pro-Scan 2.01+, NAV
Removal Instructions: Scan/D, NAV, or Delete infected files
General Comments:
The Casper Virus was isolated in August, 1990 by Fridrik Skulason of
Iceland. The origin of this virus is unknown at this time. Casper
is a non-resident generic infector of .COM files, including COMMAND.COM.
When a program infected with the Casper Virus is executed, the virus
will attempt to infect one .COM program located in the current drive
and directory. Infected files will increase in length by 1,200 bytes,
with the virus's code being located at the end of the .COM file.
The Casper Virus contains the following message, though this message
cannot be seen in infected program as Casper uses a complex self-
encryption mechanism:
"Hi! I'm Casper The Virus, And On April 1st I'm Gonna
Fuck Up Your Hard Disk REAL BAD! In Fact It Might Just
Be Impossible To Recover! How's That Grab Ya! <GRIN>"
On April 1st, when an infected program is executed, this virus will
overwrite the first track of the drive where the infected program was
executed from. Later attempts to access the drive will result in
"Sector not found" errors occurring.
The Casper Virus is based on the Vienna virus. Unlike Vienna, it is
self-encrypting. The self-encryption mechanism employed is similar
to the encryption mechanism used in the V2P6 virus, and requires an
algorithmic approach in order to identify it as there are not any
identifying strings located in the encrypted virus.
Virus Name: Chaos
Aliases:
V Status: Rare
Discovery: December, 1989
Symptoms: Message, TSR, Bad sectors, BSC
Origin: England
Eff Length: N/A
Type Code: BR - Resident Boot Sector Infector
Detection Method: ViruScan V53+
Removal Instructions: MDisk, CleanUp, or DOS SYS Command
General Comments:
First reported in December, 1989 by James Berry of Kent,
England, the Chaos virus is a memory resident boot sector
infector of floppy and hard disks.
When the Chaos virus infects a boot sector, it overwrites the
original boot sector without copying it to another location
on the disk. Infected boot sectors will contain the
following messages:
"Welcome to the New Dungeon"
"Chaos"
"Letz be cool guys"
The Chaos virus will flag the disk as being full of bad
sectors upon activation, though most of the supposed bad
sectors are still readable. It is unknown what the
activation criteria is.
Virus Name: Christmas In Japan
Aliases: Xmas In Japan
V Status: Rare
Discovery: September, 1990
Symptoms: .COM file growth; Message
Origin: Taiwan
Eff Length: 600 Bytes
Type Code: PNCK - Resident Non-Resident .COM Infector
Detection Method: ViruScan V67+, Pro-Scan 2.01+
Removal Instructions: Scan/D, Pro-Scan 2.01+, or Delete infected files
General Comments:
The Christmas In Japan Virus was isolated in Taiwan in late September,
1990. As of early October, it is reported to be widespread in Japan.
This virus is a 600 byte non-resident generic infector of .COM files.
It will infect COMMAND.COM.
When a program infected with the Christmas In Japan Virus is executed,
the virus will infect zero to one other .COM file in the current
directory. If a file is infected, it will increase in length by
600 bytes, with the virus being located at the end of the infected
file.
On December 25, if an infected file is executed, the following message
will be displayed in the center of the screen:
"A merry christmas to you"
The message will flash and will be underlined for approximately half
the time it is displayed. If left alone, the message will go away
after a little while and the program will execute normally, but the
message will return when another infected .COM file is executed.
This virus does not appear to do any malicious damage.
Virus Name: Christmas Virus
Aliases: Tannenbaum, XA1, 1539
V Status: Endangered
Discovery: March, 1990
Symptoms: .COM file growth, display, Partition table destruction
Origin: Germany
Eff Length: 1,539 Bytes
Type Code: PNCX - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan V61+, VirexPC, VirHunt 2.0+, Pro-Scan 2.01+, NAV
Removal Instructions: Scan/D, VirHunt 2.0+, Pro-Scan 2.01+, NAV,
or delete infected files
General Comments:
The Christmas Tree, or XA1, Virus was first isolated in March 1990
by Christoff Fischer of West Germany. This virus is an encrypting
virus which will only infect .COM files.
On April 1st of any year, the Christmas Tree virus will activate,
destroying the partition table of infected hard disks the first
time an infected program is executed. During the period from
December 24 until January 1st of any year, when an infected
program is executed, the virus will display a full screen picture
of a christmas tree.
Virus Name: Cookie
Aliases:
V Status: Rare
Discovery: January, 1991
Symptoms: .COM & .EXE growth; system hangs
Origin: Unknown/Europe
Eff Length: 2,232 bytes
Type Code: PNAK - Parasitic Non-Resident .COM & .EXE Infector
Detection Method: ViruScan, F-Prot, VirexPC, NAV
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The Cookie Virus was received in January, 1991, it is believed to have
originated in Europe. This virus is based on the SysLock Virus, though
it is considerably shorted in length. Some anti-viral utilities will
identify this virus as SysLock, though it is listed here separately
due to its differences in characteristics. It is a non-resident direct
action virus which infects .COM and .EXE files, including COMMAND.COM.
When a program infected with the Cookie Virus is executed, the virus
will search the current drive and directory for a file to infect. The
virus first looks for a .COM file to infect. If an uninfected .COM
file is located, it will become infected. If an uninfected .COM file
is not found, the virus will then look for an uninfected .EXE file to
infect. In other words, all the .COM files in the directory will become
infected before any of the .EXE files in that directory are infected.
Infected files will show a file length increase of between 2,232 and
2,251 bytes in length. The virus will be located at the end of the
infected file. Infected files will not have their date and time in
the disk directory altered.
Systems infected with the Cookie Virus may experience system hangs
when some infected programs are executed. In some cases, the
infected program will stop functioning properly after a number of
executions, though this does not always occur.
This virus has also been reported to possibly display the message
"I want a COOKIE!", though the sample received doesn't exhibit this
behavior.
Also see: SysLock
Virus Name: Crash
Aliases: 1075
V Status: Rumored
Discovery: December, 1991
Symptoms:
Origin: USSR
Eff Length: 1,075 bytes
Type Code:
Detection Method: ViruScan V76+
Removal Instructions: Delete infected files
General Comments:
The Crash or 1075 Virus has had many samples submitted over the last
few months. The original samples were from the USSR in December, 1990.
All submitted samples of this "virus" do not replicate on an XT or 386
based personal computer. Instead, the system crashes when the sample
file is executed. It may replicate under some other system
configurations.
Virus Name: Crew-2480
Aliases: 2480
V Status: Rare
Discovery: February, 1991
Symptoms: .COM growth; File date/time changes; System hangs; System reboots
Origin: Unknown
Eff Length: 2,480 bytes
Type Code: PNCK - Parasitic Non-Resident .COM Infector
Detection Method:
Removal Instructions: Delete infected files
General Comments:
The Crew-2480 Virus was submitted in February, 1991. Its origin, or
isolation point is unknown. This virus is a non-memory resident
infector of .COM programs over 10K in size. It will infect COMMAND.COM.
When a program infected with the Crew-2480 Virus is executed, the virus
may infect one .COM file over 10K in size. When COMMAND.COM is infected
by the virus, the system will reboot. Infected .COM programs will
increase in size by 2,480 bytes with the virus being located at the
end of the infected program. The file's date and time in the disk
directory will have been updated to the system date and time when
infection occurred.
Besides the symptoms indicated above which occur when files are infected,
systems with a Crew-2480 infection may also experience system hangs
when the user attempts to execute infected programs. Later execution
of the same program may be successful. This virus may also display
a formatted message on some systems in place of the system hang which
occurs on monochrome systems.
Virus Name: Dark Avenger
Aliases: Black Avenger, Eddie, Diana
V Status: Common
Discovery: September, 1989
Symptoms: TSR; .COM, .EXE, .SYS file growth; File/Disk Corruption
Origin: Bulgaria
Isolated: Davis, California, USA
Eff Length: 1,800 bytes
Type Code: PRsAK - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan V36+, F-Prot, IBM Scan, Pro-Scan, AVTK 3.5+,
VirHunt 2.0+, NAV
Removal Instructions: CleanUp, Pro-Scan 1.4+, F-Prot, VirHunt 2.0+, NAV
General Comments:
Dark Avenger was first isolated in the United States at the University
of California at Davis. It infects .COM, .EXE, and overlay files,
including COMMAND.COM. The virus will install itself into system
memory, becoming resident, and is extremely prolific at infecting
any executable files that are openned for any reason. This includes
using the DOS COPY and XCOPY commands to copy uninfected files, both
the source and the target files will end up being infected. Infected
files will have their lengths increased by 1,800 bytes.
The Dark Avenger Virus does perform malicious damage. The virus
maintains a counter in the disk's boot sector. After each sixteenth
file is infected, the virus will randomly overwrite a sector on the
disk with a copy of the disk's boot sector. If the randomly
selected sector is a portion of a program or data file, the program
or data file will be corrupted. Programs and data files which have
been corrupted by a sector being overwritten are permanently
damaged and cannot be repaired since the original sector is lost.
If you are infected with Dark Avenger, shutdown your computer
and reboot from a Write Protected boot diskette for the system,
then carefully use a disinfector, following all instructions.
Be sure to re-scan the system for infection once you have finished
disinfecting it.
The Dark Avenger virus contains the words: "The Dark Avenger,
copyright 1988, 1989", as well as the message: "This program
was written in the city of Sofia. Eddie lives.... Somewhere in
Time!".
This virus bears no resemblance or similarity to the Jerusalem
viruses, even though they are similar in size.
Known variant(s) of Dark Avenger are:
Dark Avenger-B : Very similar to the Dark Avenger virus, the major
difference is that .COM files will be reinfected, adding
1,800 bytes to the file length with each infection. This
variant also becomes memory resident in high system memory
instead of being a low system memory TSR. Text strings
found in the virus's code include:
"Eddie lives...somewhere in time!"
"Diana P."
"This program was written in the city of Sofia"
"(C)1988-1989 Dark Avenger"
Also see: V2000, V1024, V651
Virus Name: Datacrime
Aliases: 1168, Columbus Day
V Status: Extinct
Discovery: April, 1989
Symptoms: .COM file growth, floppy disk access; formats
hard disk, message any day from Oct 13 to Dec 31.
Origin: Holland
Eff Length: 1,168 bytes
Type Code: PNC - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, VirexPC,
AVTK 3.5+, VirHunt 2.0+, NAV
Removal Instructions: AntiCrim, Scan/D/X, Pro-Scan 1.4+, VirexPC, F-Prot,
VirHunt 2.0+, NAV
General Comments:
The Datacrime virus is a parasitic virus, and is also known as
the 1168 virus. The Datacrime virus is a non-resident
virus, infecting .COM files. The virus was originally
discovered in Europe shortly after its release in March, 1989.
The virus will attach itself to the end of a .COM file, increasing
the file's length by 1168 bytes. The first 5 bytes of the host
program are stored off in the virus's code and then replaced by
a branch instruction so that the virus code will be executed
before the host program. In order to propagate, the virus
searches thru directories for .COM files, other than
COMMAND.COM and attaches to any found .COM files (except for
where the 7th letter is a D). Hard drive partitions are
searched before the floppy drives are checked. The virus will
continue to propagate until the date is after October 12 of any
year, then when it is executed it will display a message. The
decrypted message is something like:
"DATACRIME VIRUS"
"RELEASED: 1 MARCH 1989".
Note: only this ASCII message is encrypted in this version.
A low-level format of the hard disk is then done.
Errors in the code will make .COM file infection appear random
and will often make the system crash following infection.
Unlike the other variants of Datacrime, the original Datacrime
virus does not replicate, or infect files, until after April 1
of any year.
Lastly, if the computer system is using an RLL, SCSI, or PC/AT
type hard disk controller, all variants of the Datacrime virus
are not able to successfully format the hard disk, according
to Jan Terpstra of the Netherlands.
Also see: Datacrime II, Datacrime IIB, Datacrime-B
Virus Name: Datacrime II
Aliases: 1514, Columbus Day
V Status: Endangered
Discovered: September, 1989
Symptoms: .EXE & .COM file growth, formats disk
Origin: Netherlands
Eff Length: 1,514 bytes
Type Code: PNAK - Non-Resident Encrypting .COM & .EXE Infector
Detection Method: ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, VirexPC,
AVTK 3.5+, VirHunt 2.0+, NAV
Removal Instructions: AntiCrim, Scan/D/X, Pro-Scan 1.4+, VirexPC, F-Prot,
VirHunt 2.0+
General Comments:
The Datacrime II virus is a variant of the Datacrime virus, the
major characteristic changes are that the effective length of
the virus is 1,514 bytes, and that it can now infect both
.COM and .EXE files, including COMMAND.COM. There is also an
encryption mechanism in the Datacrime II virus.
The Datacrime II virus will not format disks on Mondays.
Also see: Datacrime, Datacrime IIB, Datacrime-B
Virus Name: Datacrime IIB
Aliases: 1917, Columbus Day
V Status: Endangered
Discovered: November, 1989
Symptoms: .EXE & .COM growth, formats disk, floppy disk access.
Origin: Netherlands
Eff Length: 1,917 bytes
Type Code: PNAK - Non-Resident Encrypting .COM & .EXE Infector
Detection Method: ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, VirexPC,
VirHunt 2.0+, NAV
Removal Instructions: AntiCrim, Scan/D/X, F-Prot, VirexPC, VirHunt 2.0
General Comments:
The Datacrime IIB virus is a variant of the Datacrime II virus,
and was isolated by Jan Terpstra of the Netherlands in
November, 1989. This virus, as with Datacrime II, infects
generic .COM & .EXE files, including COMMAND.COM, adding 1,917
bytes to the file length. The virus differs from Datacrime II
in that the encryption method used by the virus to avoid
detection has been changed.
The Datacrime IIB virus will not format disks on Mondays.
Also see: Datacrime, Datacrime II, Datacrime-B
Virus Name: Datacrime-B
Aliases: 1280, Columbus Day
V Status: Extinct
Discovered: April, 1989
Symptoms: .EXE file growth, formats MFM/RLL hard drives, odd
floppy disk access.
Origin: Netherlands
Eff Length: 1,280 bytes
Type Code: PNE - Parasitic Non-Resident Generic .EXE Infector
Detection Method: ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, VirexPC,
AVTK 3.5+, VirHunt 2.0+, NAV
Removal Instructions: AntiCrim, Scan/D/X, VirexPC, Pro-Scan 1.4+, F-Prot,
VirHunt 2.0, NAV
General Comments:
The Datacrime-B virus is a variant of the Datacrime virus, the
differences being that the effective length of the virus is
1,280 bytes, and instead of infecting .COM files, .EXE files
are infected.
Also see: Datacrime, Datacrime II, Datacrime II-B
Virus Name: DataLock
Aliases: DataLock 1.00, V920
V Status: Common
Discovered: November, 1990
Symptoms: .EXE & COMMAND.COM file growth; decrease in system and available
memory; file date/time changes
Origin: USA
Eff Length: 920 bytes
Type Code: PRtEK - Parasitic Resident .EXE and COMMAND.COM Infector
Detection Method: ViruScan V71+, Pro-Scan 2.01+
Removal Instructions: Clean-Up V71+, or Delete infected files
General Comments:
The DataLock, or V920, Virus was isolated in many locations in the
United States starting on November 1, 1990. This virus is a generic
memory resident infector of .EXE files, but it will also infect
COMMAND.COM if it is executed.
The first time a program infected with the DataLock Virus is executed,
the virus will install itself memory resident at the top of free memory,
but below the 640K DOS boundary. Infected systems will find that total
system memory and available free memory will be 2,048 bytes less than
is expected. Interrupt 21 will be hooked by the virus.
After the virus is memory resident, any .EXE file that is executed will
be infected by the virus. Infected files will have a file length
increase of 920 bytes, and their date/time indicated in the disk
directory will have been changed to the system date and time when the
infection occurred. The virus is located at the end of infected files.
The following text, indicating the virus's name, can be found at the
end of all infected files:
"DataLock version 1.00"
It is unknown if DataLock carries an activation date, or its potential
for damage.
Virus Name: dBASE
Aliases: DBF Virus
V Status: Extinct
Discovered: September, 1988
Symptoms: .COM & .OVL file growth, corrupt .DBF files, TSR, FAT and root
directory overwritten
Origin: New York, USA
Eff Length: 1,864 bytes
Type Code: PRC - Parasitic Resident .COM and Overlay Infector
Detection Method: ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, VirexPC,
AVTK 3.5+, VirHunt 2.0+, NAV
Removal Instructions: Scan/D/X, Pro-Scan 1.4+, F-Prot, VirHunt 2.0+, NAV
General Comments:
The dBASE virus was discovered by Ross Greenberg of New York.
This virus infects .COM & .OVL files, and will corrupt data in
.DBF files by randomly transposing bytes in any open .DBF file.
It keeps track of which files and bytes were transposed in a
hidden file (BUG.DAT) in the same directory as the .DBF file(s).
The virus restores these bytes if the file is read, so it
appears that nothing is wrong. Once the BUG.DAT file is 90
days old or more, the virus will overwrite the FAT and root
directory on the disk.
After this virus has been detected, if you remove the infected
dBASE program and replace it with a clean copy, your DBF files
that were openned during the period that you were infected
will be useless since they are garbled on the disk even
though they would be displayed as expected by the infected
dBASE program.
Virus Name: Deicide
Aliases: Glenn
V Status: Rare
Discovered: February, 1991
Symptoms: .COM files overwritten; Message; FAT Corruption; System hang
Origin: Netherlands
Eff Length: 666 Bytes
Type Code: ONC - Overwriting Non-Resident .COM Infector
Detection Method:
Removal Instructions: Delete Infected Programs
General Comments:
The Deicide Virus was received in February, 1991 from the Netherlands.
This virus is a non-resident overwriting virus which infects .COM files,
but not COMMAND.COM.
When a program infected with Deicide is executed, the virus will
search the current directory for an uninfected .COM program. If an
uninfected .COM program is found, the virus will infect it, overwriting
the first 666 bytes of the program with the virus. If the newly
infected program's original file length was 666 bytes or more, then no
file length change will show in the disk directory. If originally the
program was smaller than 666 bytes, its length will now be 666 bytes.
The following message may be displayed by the virus after infecting
a file:
"File corruption error."
If the virus does not find an uninfected .COM program in the current
directory, it will display the following message double spaced, and
overwrite the first 80 sectors of the system hard disk:
"DEICIDE!
Glenn (666) says : BYE BYE HARDDISK!!
Next time be carufull with illegal stuff"
The above messages can be found in all infected files, along with the
following message which is not displayed:
"This experimental virus was written by Glenn Benton
to see if I can make a virus while learning machinecode
for 2,5 months. (C) 10-23-1990 by Glenn.
I keep on going making virusses."
Virus Name: Den Zuk
Aliases: Search, Venezuelan
V Status: Common
Discovered: September, 1988
Symptoms: Message, floppy format, TSR, BSC
Origin: Indonesia
Eff Length: N/A
Type Code: RtF - Resident Floppy Boot Sector Infector
Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+,
VirHunt 2.0+, NAV
Removal Instructions: MDisk, CleanUp, F-Prot, Pro-Scan 1.4+, NAV,
or DOS SYS command
General Comments:
The Den Zuk virus is a memory-resident, boot sector infector of
360K 5 1/4" diskettes. The virus can infect any diskette
in a floppy drive that is accessed, even if the diskette is
not bootable. If an attempt is made to boot the system with an
infected non-system disk, Den Zuk will install itself into
memory even though the boot failed. After the system is booted
with an infected diskette, a purple "DEN ZUK" graphic will appear
after a CTL-ALT-DEL is performed if the system has a CGA, EGA, or
VGA monitor. While the original Den Zuk virus did not cause any
damage to the system, some variants maintain a counter of how
many times the system has been rebooted, and after the counter
reaches its limit, the floppy in the disk drive is reformatted.
The counter in these variants of the virus is usually in the
range of 5 to 10.
The following text strings can be found in the viral code on
diskettes which have been infected with the Den Zuk virus:
"Welcome to the
C l u b
--The HackerS--
Hackin'
All The Time
The HackerS"
The diskette volume label of infected diskettes may be changed
to Y.C.1.E.R.P., though this change only occurs if the Den Zuk
virus removed a Pakistani Brain infection before infecting the
diskette with Den Zuk. The Den Zuk virus will also remove
an Ohio virus infection before infecting the diskette with
Den Zuk.
The Den Zuk virus is thought to be written by the same person
or persons as the Ohio virus. The "Y.C.1.E.R.P." string is
found in the Ohio virus, and the viral code is similar in
many respects.
Also see: Ohio
Virus Name: Destructor V4.00
Aliases: Destructor
V Status: Rare
Discovered: December, 1990
Symptoms: .COM & .EXE growth; decrease in system and available free memory
Origin: Bulgaria
Eff Length: 1,150 Bytes
Type Code: PRtAK - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan V74+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The Destructor V4.00 Virus was received in December, 1990. This virus
is from Bulgaria, and is a memory resident infector of .COM and .EXE
files, including COMMAND.COM.
When the first program infected with the Destructor V4.00 Virus is
executed, the virus will install itself memory resident at the top of
system memory but below the 640K DOS boundary. Interrupt 12's return
is moved. Total system memory and available free memory will be
1,216 bytes less than what is expected on the infected system. At this
time, the virus will also infect COMMAND.COM if it is not already
infected.
Once Destructor V4.00 is memory resident, it will infect programs as
they are openned or executed.
Infected .COM programs will have increased in size by 1,150 bytes.
.EXE programs will have increased in size by 1,154 to 1,162 bytes.
In both cases, the virus will be located at the end of the infected
file. This virus does not alter the file's date/time in the disk
directory, and it also makes no attempt to hide the file length increase
on infected programs.
The following text string can be found in files infected with this
virus:
"DESTRUCTOR V4.00 (c) 1990 by ATA
It is unknown what Destructor V4.00 does, if anything, besides
replicate.
Virus Name: Devil's Dance
Aliases: Mexican
V Status: Rare
Discovered: December, 1989
Symptoms: Message, .COM growth, FAT corruption, TSR
Origin: Mexico
Eff Length: 941 Bytes
Type Code: PRCT - Parasitic Resident .COM Infector
Detection Method: ViruScan V52+, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+,
VirHunt 2.0+, NAV
Removal Instructions: Scan/D, Pro-Scan 1.4+, VirHunt 2.0+, NAV,
or delete infected files
General Comments:
The Devil's Dance virus was first isolated in December, 1989,
by Mao Fragoso of Mexico City. The Devil's Dance virus
increases the size of infected .COM files by 941 bytes, and
will infect a file multiple times until the file becomes too
large to fit in available system memory.
Once an infected program has been run, any subsequent warm-
reboot (CTL-ALT-DEL) will result in the following message
being displayed:
"DID YOU EVER DANCE WITH THE DEVIL IN THE WEAK MOONLIGHT?
PRAY FOR YOUR DISKS!!
The Joker"
The Devil's Dance virus is destructive. After the first 2,000
keystrokes, the virus starts changing the colors of any text
displayed on the system monitor. After the first 5,000
keystrokes, the virus erases the first copy of the FAT. At
this point, when the system is rebooted, it will display the
message above and again destroy the first copy of the FAT, then
allow the boot to proceed.
Virus Name: Dir Virus
Aliases:
V Status: Rare
Discovered: January, 1991
Symptoms: .COM growth; TSR; Sluggishness of DIR commands;
File allocation errors
Origin: USSR
Eff Length: 691 Bytes
Type Code: PRsCK - Parasitic Resident .COM Infector
Detection Method: ViruScan V74+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The Dir Virus was submitted in January, 1991. It originated in the
USSR. The Dir Virus is a memory resident infector of .COM programs,
including COMMAND.COM.
The first time a program infected with the Dir Virus is executed, the
virus will install itself memory resident as a low system memory TSR
of 1,008 bytes. Interrupt 21 will be hooked by the virus. If
COMMAND.COM is not already infected, it will become infected at this
time.
After the Dir Virus is memory resident, it will only infect .COM
programs when a DOS Dir command is performed. It does not infect
programs on execution, or when .COM files are openned. When a Dir
command is performed, the first uninfected .COM program that is found
in the directory will become infected. When the virus infects a .COM
file, there will be a pause in the output of the dir command while the
program is being infected, then the output will continue.
Infected programs will increase in size by 691 bytes, though the file
length increase cannot be seen when a directory command is performed if
the virus is memory resident. The virus will be located at the end of
infected programs. Infected programs will not have their date and time
altered by the virus.
Systems infected with the Dir Virus will receive file allocation errors
when the DOS ChkDsk program is executed on a drive containing infected
programs. If the virus is not memory resident, these errors will not
be found. Execution of the DOS ChkDsk program with the /F option when
the virus is memory resident will result in corruption of the infected
programs.
This virus does not appear to contain any activation mechanism.
Virus Name: Discom
Aliases:
V Status: Rare
Discovered: November, 1990
Symptoms: TSR; .COM & .EXE growth
Origin: Unknown
Eff Length: 2,053 Bytes
Type Code: PRsA - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan V76+
Removal Instructions: CleanUp V75+, or Delete infected files
General Comments:
The Discom Virus was submitted in November, 1990. The location where
the sample was isolated is unknown. Discom is a memory resident
infector of .COM and .EXE files, and will not infect COMMAND.COM.
This virus is based on the Jerusalem Virus, and also contains some code
from the Sunday Virus. As such, some anti-viral utilities may identify
files infected with this virus as containing both Jerusalem and Sunday.
This virus does not exhibit symptoms or the activation of either the
Jerusalem or Sunday viruses.
The first time a program infected with the Discom Virus is executed,
the virus will install itself memory resident as a 2,304 byte low
system memory TSR. Interrupts 08 and 21 will be hooked by the virus.
Once memory resident, the virus will infect .COM and .EXE files when
they are executed. Infected .COM files will increase in length by
2,053 bytes and have the virus located at the beginning of the infected
file. Infected .EXE files will increase in length by 2,059 to 2,068
bytes with the virus being located at the end of the file. All infected
files will end with the following hex character string: 11121704D0.
Unlike many Jerusalem Variants, this virus does not exhibit a system
slowdown after being memory resident for 30 minutes, and no "black
window" appears.
Virus Name: Disk Killer
Aliases: Computer Ogre, Disk Ogre, Ogre
V Status: Common
Discovered: April, 1989
Symptoms: Bad blocks, message, BSC, TSR, encryption of disk
Origin: Taiwan
Isolated: Milpitas, California, USA
Eff Length: N/A
Type Code: BRtT - Resident Boot Sector Infector
Detection Method: ViruScan V39+, F-Prot, IBM Scan, Pro-Scan, VirexPC,
AVTK 3.5+, VirHunt 2.0+, NAV
Removal Instructions: MDisk, CleanUp, Pro-Scan 1.4+, F-Prot, NAV, or
DOS COPY & SYS
General Comments:
The Disk Killer virus is a boot sector infector that spreads by
writing copies of itself to 3 blocks on either a floppy or
hard disk. The virus does not care if these blocks are in use
by another program or are part of a file. These blocks will then
be marked as bad in the FAT so that they cannot be overwritten.
The boot sector is patched so that when the system is booted, the
virus code will be executed and it can attempt to infect any new
disks exposed to the system.
The virus keeps track of the elapsed disk usage time since initial
infection, and does no harm until it has reached a predetermined
limit. The predetermined limit is approximately 48 hours. (On
most systems, Disk Killer will reach its limit within 1 - 6
weeks of its initial hard disk infection.)
When the limit is reached or exceeded and the system is rebooted,
a message is displayed identifying COMPUTER OGRE and a date of
April 1. It then says to leave alone and proceeds to encrypt the
disk by alternately XORing sectors with 0AAAAh and 05555h,
effectively destroying the information on the disk. The only recourse
after Disk Killer has activated and encrypted the entire disk is to
reformat.
The message text that is displayed upon activation, and can be found
in the viral code is:
"Disk Killer -- Version 1.00 by COMPUTER OGRE 04/01/89
Warning!!
Don't turn off the power or remove the diskette while Disk Killer is
Processing!
PROCESSING
Now you can turn off the power. I wish you Luck!"
It is important to note that when the message is displayed, if the
system is turned off immediately it may be possible to salvage
some files on the disk using various utility programs as this
virus first destroys the boot, FAT, and directory blocks.
Disk Killer can be removed by using McAfee Associate's MDisk or
CleanUp utility, or the DOS SYS command, to overwrite the boot
sector on hard disks or bootable floppies. On non-system floppies,
files can be copied to non-infected floppies, followed by reformatting
the infected floppies. Be sure to reboot the system from a
write protected master diskette before attempting to remove the
virus first or you will be reinfected by the virus in memory.
Note: Disk Killer may have damaged one or more files on the disk
when it wrote a portion of its viral code to 3 blocks on the disk.
Once the boot sector has been disinfected as indicated above, these
corrupted files cannot reinfect the system, however they should be
replaced with backup copies since the 3 blocks were overwritten.
Note: Do not use the DOS DiskCopy program to backup infected
diskettes as the new backup diskettes will contain the virus
as well.
Virus Name: Do-Nothing Virus
Aliases: The Stupid Virus
V Status: Extinct
Discovered: October, 1989
Symptoms: .COM file growth, TSR (see text)
Origin: Israel
Eff Length: 608 Bytes
Type Code: PRfC - Parasitic Resident .COM Infector
Detection Method: ViruScan/X V67+, F-Prot, Pro-Scan, VirexPC, AVTK 3.5+,
NAV
Removal Instructions: Scan/D/X, Pro-Scan 1.4+, F-Prot, or NAV
General Comments:
This virus was first reported by Yuval Tal of Israel in
October, 1989. The virus will infect .COM files, but only the
first one in the current directory, whether it was previously
infected or not. The Do-Nothing virus is also memory
resident, always installing itself to memory address
9800:100h, and can only infect systems with 640K of memory.
The virus does not protect this area of memory in any way,
and other programs which use this area will overwrite it in
memory, removing the program from being memory resident.
The Do-Nothing virus does no apparent damage, nor does it
affect operation of the system in any observable way, thus
its name.
Also see: Saddam
Virus Name: Dot Killer
Aliases: 944, Point Killer
V Status: Rare
Discovered: October, 1990
Symptoms: .COM growth; removal of all dots (.) from display
Origin: Koszalin, Poland
Eff Length: 944
Type Code: PNCK - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan V72+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The Dot Killer Virus was isolated in Koszalin, Poland in October, 1990.
It is a non-resident infector of .COM files, including COMMAND.COM.
When a program infected with the Dot Killer Virus is executed, the
virus will infect one other .COM file in the current directory.
Infected .COM files will increase in length by 944 bytes. The virus
will be located at the end of infected files.
While the Dot Killer Virus contains code to attempt to avoid infecting
the program pointed to by the COMSPEC environmental parameter, this
logic contains a bug and does not function properly. If COMMAND.COM,
or the program pointed to by COMSPEC, is located in the current
directory it will become infected just like any other .COM program.
When the Dot Killer Virus activates, it will remove all dots (.) from
the system display.
Virus Name: Dutch 555
Aliases: 555
V Status: Rare
Discovered: November, 1990
Symptoms: .COM & .EXE growth; Decrease in system and available memory
Origin: Netherlands
Eff Length: 555 Bytes
Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan V75+
Removal Instructions: Scan/D, or Delete Infected Files
General Comments:
The Dutch 555 Virus was received in February 1991 from Righard
Zwienenberg of the Netherlands. This virus was accidently released
into the public domain by its author in November, 1990. It is a
memory resident infector of .COM and .EXE files, including COMMAND.COM.
The first time a program infected with the Dutch 555 Virus is executed,
the virus will install itself memory resident at the top of system
memory, but below the 640K DOS boundary. The interrupt 12 return is
not moved, though the DOS ChkDsk program will show a decrease in total
system and available free memory of 560 bytes. Interrupt 21 will be
hooked by the virus.
Once the Dutch 555 Virus is memory resident, it will infect .COM and
.EXE files, including COMMAND.COM, as they are executed. Infected files
will increase in size by 555 bytes, with the virus being located at the
end of the infected file.
This virus does not do anything besides replicate.
Virus Name: EDV
Aliases: Cursy, Stealth Virus
V Status: Rare
Discovered: 1988
Symptoms: BSC; partition table corruption; unusual system crashes
Origin: France
Eff Length: N/A
Type Code: BRX - Resident Boot Sector/Partition Table Infector
Detection Method: ViruScan V58+, IBM Scan, Pro-Scan 1.4+, VirHunt 2.0+, NAV
Removal Instructions: MDisk/P, CleanUp V67+, Pro-Scan 1.4+, or NAV
General Comments:
The EDV, or Cursy, Virus was first discovered in Le Havre, France in
1988 by Jean-Luc Nail. At that time, it was named the Cursy Virus.
Later, in January 1990, it was isolated separately and named the
EDV virus. This virus is a memory resident infector of floppy
diskette boot sectors and hard disk partition tables.
When a system is booted from a diskette infected with the EDV virus,
the virus will install itself memory resident at the top of high
system memory. The value returned by interrupt 12 will be decreased.
Once the virus is memory resident, and disk accessed by the system
will become infected. When the virus infects a diskette, it moves
the original boot sector to side 1, track 39, sector 8. After
moving the original boot sector, it then copies the virus's code
to absolute sector 0, the boot sector of the diskette.
EDV will also infect hard disk drives when they are accessed. In the
case of hard disks, the virus will move absolute sector 0 (the
partition table) to side 1, track 39, sector 8 as though it were a
360K 5.25" floppy diskette. After moving the partition table, it will
then overwrite the partition table with the viral code.
Once the virus has infected six disks with the virus in memory, the
EDV virus will activate. Upon activation, the virus access the
keyboard interrupt to disable the keyboard and then will overwrite
the first 3 tracks of each disk on the system, starting with the
hard disks. After overwriting the disks, it will then display the
following message:
"That rings a bell, no? From Cursy"
Upon activation, the user must power off the machine and reboot from
a system diskette in order to regain any control over the machine.
The following identification string appears at the very end of the
boot sector on infected floppy disks and the partition table of
infected hard drives, though it cannot be seen if the virus is
in memory:
"MSDOS Vers. E.D.V."
Jean-Luc Nail has indicated that the EDV or Cursy virus is quiet
common in the Le Havre area of France, although it is rare outside
of France.
Virus Name: Eight Tunes
Aliases: 1971
V Status: Rare
Discovered: April, 1990
Symptoms: file growth, music, decrease in available memory
Origin: West Germany
Eff Length: 1,971 Bytes
Type Code: PRsA - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan V62+, Pro-Scan 1.4+, VirexPC, AVTK 3.5+,
VirHunt 2.0+, NAV
Removal Instructions: Scan/D, VirHunt 2.0+, NAV, or delete infected files
General Comments:
The Eight Tunes, or 1971, Virus was originally isolated in April
1990 by Fridrik Skulason of Iceland. This virus is a memory resident
generic file infector of .COM, .EXE, and overlay files. The virus will
not infect COMMAND.COM, or .COM files which are smaller than 8K.
After the virus is memory resident, programs are infected as they
are executed. Infected files will increase in length by between
1,971 - 1,985 bytes.
Available memory will decrease by 1,984 bytes when the virus is
present.
This virus does not cause system damage, however it is disruptive.
When the virus is memory resident, it will play 8 German folk songs
at random intervals thirty minutes after the virus becomes memory
resident.
Virus Name: Enigma
Aliases: Cracker Jack
V Status: Rare
Discovered: February, 1991
Symptoms: .EXE growth
Origin: Italy
Eff Length: 1,755 Bytes
Type Code: PNE - Parasitic Non-Resident .EXE Infector
Detection Method: ViruScan V76+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The Enigma Virus was submitted in February, 1991, by Alberto Colusa of
Italy. This virus is a non-resident infector of .EXE files. The
original submitted sample of this virus was not a natural infection of
the virus, being on a .COM file, so the virus may actually be a
research virus.
When a program infected with Enigma is executed, one .EXE program in
the current directory will be infected by the virus. Infected .EXE
programs will increase in length by 1,755 bytes. The virus will be
located at the end of infected programs. Infected programs will also
contain the following text strings:
"This is the voice of the Enigma virus......
the spirits of the hell are coming back!"
"(C) 1991 by Cracker Jack * Italy * *.exe"
"newenigmavir"
It is not known if Enigma does anything besides replicate.
Also see: Yankee 2
Virus Name: Evil
Aliases: P1, V1701New
V Status: Rare
Discovered: July, 1990
Symptoms: .COM growth, system reboots, CHKDSK program failure,
COMMAND.COM header change
Origin: Bulgaria
Eff Length: 1,701 Bytes
Type Code: PRhCK - Parasitic Resident .COM Infector
Detection Method: ViruScan V66+, NAV
Removal Instructions: Scan/D, NAV, or delete infected files
General Comments:
The Evil Virus is of Bulgarian origin, and was submitted to
the author of this document in July, 1990 by Vesselin Bontchev.
This virus is one of a family of three (3) viruses which may be
referred to as the P1 or Phoenix Family. Each of these viruses is
being documented separately due to their varying characteristics.
The Evil virus is a memory resident, generic infector of .COM
files, and will infect COMMAND.COM. It is the most advanced of the
three viruses in the Phoenix Family.
The Evil, or V1701New, Virus is a later version of the PhoenixD virus.
The first time a program infected with the Evil virus is executed,
the virus will install itself memory resident in free high memory,
reserving 8,192 bytes. Interrupt 2A will be hooked by the virus.
System total memory and free memory will decrease by 8,192 bytes.
Evil will then check to see if the current drive's root directory
contains a copy of COMMAND.COM. If a copy of COMMAND.COM is found,
it will be infected by Evil by overwriting part of the binary zero
portion of the program, and changing the program's header information.
COMMAND.COM will not change in file length. The virus will then
similarly infect COMMAND.COM residing in the C: drive root directory.
After becoming memory resident, the virus will attempt to infect any
.COM file executed. Evil is a better replicator than either the
original Phoenix Virus or PhoenixD, and was successful in infecting
.COM files in all cases on the author's system. Infected files will
increase in size by 1,701 bytes.
Evil is not able to recognize when it has previously infected a
file, so it may reinfect .COM files several times. Each infection will
result in another 1,701 bytes of viral code being appended to the
file.
Like PhoenixD, Evil will infect files when they are openned for
any reason in addition to when they are executed. The simple act of
copying a .COM file will result in both the source and target .COM
files being infected.
Systems infected with the Evil virus will experience problems with
executing CHKDSK.COM. Attempts to execute this program with Evil
memory resident will result in a warm reboot of the system occurring.
The system, however, will not perform either a RAM memory check or
request Date and Time if an autoexec.bat file is not present.
This virus is not related to the Cascade (1701/1704) virus.
The Evil Virus employs a complex encryption mechanism, and virus
scanners which are only able to look for simple hex strings will not
be able to detect it. There is no simple hex string in this virus
that is common to all infected samples.
Known variant(s) of Evil are:
Evil-B : This is a earlier version of Evil, and is a rather
poor replicator. It also has not to viable as infected
programs will hang when they are executed, with the
exception of the Runme.Exe file which the author
received. The Runme.Exe file was probably the original
release file distributed by the virus's author.
(Originally listed in VSUM9008 as V1701New-B)
Also see: Phoenix, PhoenixD
Virus Name: F-Word Virus
Aliases: Fuck You
V Status: Rare
Discovered: December, 1990
Symptoms: .COM growth; decrease in system and available free memory;
file date/time changes
Origin: USSR
Eff Length: 417 Bytes
Type Code: PRtCK - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan V74+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The F-Word, or Fuck You, Virus was submitted in December, 1990 and
is from the USSR. This virus is a memory resident infector of COM
files, including COMMAND.COM.
The first time a program infected with the F-Word Virus is executed
the virus will install itself memory resident at the top of system
memory but below the 640K DOS boundary. Interrupt 12's return will
be moved. Total system memory and available free memory will decrease
by 1,024 bytes. Interrupts 08 and 21 will be hooked by the virus.
After F-Word is memory resident, it will infect COM files over
approximately 2K in length when they are executed. Infected files will
have a length increase of 417 bytes with the virus being located at the
end of the program. The file's date and time in the directory will also
have been changed to the system date and time when infection occurred.
Attempts to executed the DOS Edlin program will result in a
"Invalid drive of file name" message being displayed, and the program
terminated.
The text string "Fuck You!" can be found in all infected files.
Virus Name: Father Christmas
Aliases: Choinka
V Status: Rare
Discovered: November, 1990
Symptoms: .COM growth; lost cluster; cross-linking of files;
graphic and message displayed on activation
Origin: Poland
Eff Length: 1,881 Bytes
Type Code: PNCK - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan V71+
Removal Instructions: Scan/D, or delete infected files
General Comments:
The Father Christmas, or Choinka, Virus was discovered in Poland in
November, 1990. This virus is based on the Vienna Virus, and is a
non-resident infector of .COM files, including COMMAND.COM.
When a program infected with the Father Christmas Virus is executed,
the virus will infect one other .COM file in the current directory.
If no uninfected .COM files exist in the current directory, the virus
will follow the system path to find an uninfected program. Infected
files will increase in length by 1,881 bytes with the virus being
located at the end of the infected program.
Systems infected with the Father Christmas Virus may notice crosslinking
of files and lost clusters.
During the period from December 19 - December 31 of any year, this
virus will activate. On these dates, when infected programs are
executed a christmas trees graphic is displayed on the system monitor
with the following message:
Merry Christmas
&
a Happy New Year
for all my lovely friends
from
FATHER CHRISTMAS
If the graphic is displayed, the user must strike a key in order to
have the program being executed finish running.
Virus Name: Fellowship
Aliases: 1022
V Status: Rare
Discovered: July, 1990
Isolated: Australia
Symptoms: TSR, .COM & .EXE file growth
Origin: Malaysia
Eff Length: 1,022 Bytes
Type Code: PRsE - Parasitic Resident .EXE Infector
Detection Method: ViruScan V66+, F-Prot 1.12+, Pro-Scan 2.01+, NAV
Removal Instructions: Scan/D, F-Prot 1.12+, NAV, or delete infected files
General Comments:
The Fellowship or 1022 Virus was isolated in Australia in July 1990.
Fellowship is a memory resident generic infector of .EXE files. It
does not infect .COM or overlay files.
The first time a program infected with the Fellowship Virus is
executed, the virus will install itself memory resident as a 2,048
byte TSR in low system memory. Available free memory will be decreased
by a corresponding 2,048 bytes. Interrupt 21 will also now be
controlled by the virus.
After the virus is memory resident, the virus will infect .EXE files
when they are executed. Infected .EXE files will increase in size
by between 1,019 and 1,027 bytes. The virus's code will be located
at the end of infected files.
Infected files will contain the following text strings very close to
the end of the file:
"This message is dedicated to
all fellow PC users on Earth
Toward A Better Tomorrow
And a better Place To Live In"
"03/03/90 KV KL MAL"
This virus is believed to have originated in Kuala Lumpur, Malaysia.
Virus Name: Fish Virus
Aliases: European Fish Viruses, Fish 6, Stealth Virus
V Status: Rare
Discovered: May 1990
Symptoms: .COM & .EXE growth, monitor/display flickering, system
memory decrease
Origin: West Germany
Eff Length: 3,584 Bytes
Type Code: PRsAK - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan V63+, Pro-Scan 1.4+, VirexPC, F-Prot 1.12+,
VirHunt 2.0+, NAV
Removal Instructions: Scan/D, CleanUp V66+, Pro-Scan 1.4+, VirHunt 2.0+,
NAV, or delete infected files
General Comments:
The Fish Virus was isolated in May 1990. At the time of isolation,
it was reported to be widespread in Europe, and it is thought to
have originated in West Germany. It is a generic resident .COM
and .EXE infector, and will infect COMMAND.COM. This virus will
remain memory resident thru a warm reboot, or Ctrl-Alt-Del. The
virus is encrypted, though infected programs can be found by
searching for the text string "FISH FI" appearing near the end of
the program. The "FISH FI" string may later disappear from the
program.
The first time a program infected with the Fish Virus is executed,
the virus will go memory resident, installing itself into the low
available free memory. If interrupt 13 has not been hooked by
another program, it will hook interrupt 13. If it can hook
interrupt 13, it will take up 8,192 bytes in memory. If the virus
cannot hook interrupt 13 because another program is already using it,
it will be 4,096 bytes in memory.
When interrupt 13 is not hooked, and the virus is memory resident,
the virus will cause a random warm reboot, thus allowing it to
infect COMMAND.COM and hook interrupt 13. Warm reboots do not
appear to randomly occur after interrupt 13 has been hooked.
After the virus is memory resident, all .COM and .EXE programs which
are openned for any reason will be infected. Infected programs
increase in length by 3,584 bytes. The increase in program size
cannot be seen by listing the disk directory if the virus is in
memory. Also, if a CHKDSK command is run on an infected system,
it will detect file allocation errors on infected files. If CHKDSK
is run with the /F option, it will result in lost clusters and
cross-linking of files.
The virus slows down video writes, and flickering of the monitor
display can be noticed on an infected system.
Anti-viral programs which perform CRC checking cannot detect the
infection of the program by the Fish Virus if the virus is memory
resident. This virus can also bypass software write protect
mechanisms used to protect a hard drive.
The Fish Virus is a modified version of the 4096 Virus, though it is
more sophisticated in that it constantly re-encrypts itself in
system memory. Viewing system memory with the virus resident will
show that the names of several fish are present.
It is unknown what the Fish virus does when it activates, though it
does appear to check to determine if the year of the system time is
1991.
Virus Name: Flash
Aliases:
V Status: Rare
Discovered: July 1990
Symptoms: .COM & .EXE growth, decrease in available free memory,
video screen flicker
Origin: West Germany
Eff Length: 688 Bytes
Type Code: PRfA - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan V64+, Pro-Scan 2.01+, NAV
Removal Instructions: Scan/D, Pro-Scan 2.01+, NAV, or Delete infected files
General Comments:
The Flash Virus was discovered in July 1990 in West Germany. Flash
is a memory resident generic file infector, and will infect .COM and
.EXE files, but not COMMAND.COM.
The first time a program infected with the Flash Virus is executed,
the virus will install itself memory resident. 976 bytes will be
allocated in high memory, and available free memory will decrease by
a corresponding 976 bytes. A mapping of memory will also indicate
that when Flash is resident in memory, interrupts 00, 23, 24, 30,
ED, F5, and FB are now in free memory. Total system memory reported
by DOS, as well as low memory used by the operating system and TSRs
will not have changed.
Once Flash is memory resident, each time a .COM or .EXE program is
executed it is a candidate for infection. An uninfected .EXE program
will always be infected upon execution. Uninfected .COM files are
only infected if they are greater than approximately 500 bytes in
length. Infected files will always increase in length by 688 bytes.
After June of 1990, systems with a graphics capable monitor may notice
a screen flicker occurring at approximately seven minute intervals.
The virus causes this effect by manipulating some screen blanking bits
every seven minutes.
Virus Name: Flip
Aliases:
V Status: Rare
Discovered: July 1990
Symptoms: .COM & .EXE growth; decrease in system and free memory;
boot sector and partition table altered; file allocation errors
Origin: West Germany
Eff Length: 2,343 Bytes
Type Code: PRhABKX - Parasitic Resident .COM, .EXE, Partition Table Infector
Detection Method: ViruScan V66+, F-Prot 1.12+, Pro-Scan 2.01+, NAV
Removal Instructions: Clean-Up V71+, Scan/D, or Delete infected files
General Comments:
The Flip Virus was discovered in West Germany in July 1990. It is
a generic file infector, and will infect .COM, .EXE, and overlay files.
This virus will also infect COMMAND.COM, as well as alter the partition
table and boot sector of hard disks. It is important to note that the
Flip virus is not infective from .COM files or boot sectors.
The first time an EXE program infected with the Flip Virus is executed,
it installs itself memory resident in high memory. System memory as
reported by the CHKDSK command as well as free memory will have
decreased by 3,064 bytes. At this time, the copy of COMMAND.COM
located in the C: drive root directory will be infected, though no
file length change will be apparent with the virus in memory. The
system's hard disk partition table and boot sector will also be
slightly modified. If the infected program was executed from a
floppy, COMMAND.COM on the floppy will be infected, though the size
change will be noticeable.
After Flip becomes memory resident, any .COM or .EXE files executed
will become infected. Infected programs will show a file length
increase of 2,343 bytes. If a program is executed which uses an
overlay file, the overlay file will also become infected.
Systems infected Flip may experience file allocation errors resulting
in file linkage errors. Some data files may become corrupted.
On the second of any month, systems which were booted from an infected
hard disk and have an EGA or VGA capable display adapter may experience
the display on the system monitor being horizontally "flipped" between
16:00 and 16:59.
Flip can only be passed between systems on infected .EXE files.
Infected .COM files, and altered floppy boot sectors do not transfer
the virus.
Known variant(s) of Flip include:
Flip B : Similar to the original Flip Virus, this variant has an
effective length of 2,153 bytes. Its memory resident portion
at the top of system memory is 2,672 bytes. The major
difference between this variant and the original virus is
that Flip B can infect programs from the hard disk partition
table infection.
Isolated: January, 1991. Origin: Unknown.
Virus Name: FORM-Virus
Aliases: Form, Form Boot
V Status: Rare
Discovered: June 1990
Symptoms: BSC, clicking noise from system speaker
Origin: Switzerland
Eff Length: N/A
Type Code: BR - Resident Boot Sector Infector
Detection Method: ViruScan V64+, F-Prot 1.12+, VirHunt 2.0+, NAV
Removal Instructions: MDisk, NAV, or DOS SYS command
General Comments:
The Form, or Form Boot, Virus is a memory resident infector of
floppy and hard disk boot sectors. It was originally isolated in
Switzerland.
When a system is first booted with a diskette infected with the
Form Boot virus, the virus will infect system memory as well as
seek out and infect the system's hard disk. The floppy boot may
or may not be successful, on the author's test system, a boot
from floppy diskette infected with Form Boot never succeeded,
instead the system would hang. It should be noted that the virus
was received by the author of this document as a binary file, and
it may have been damaged in some way.
The following text message is contained in the Form Boot virus binary
code as received by the author of this document:
"The FORM-Virus sends greetings to everyone who's reading
this text.FORM doesn't destroy data! Don't panic! Fuckings
go to Corinne."
These messages, however, may not appear in all cases. For example,
I did not find these messages anywhere on a hard disk infected with
Form Boot.
Systems infected with the FORM-Virus in memory may notice that a
clicking noise may be emitted from the system speaker on the 24th
day of any month.
This virus can be removed with the same technique as used with many
boot sector infectors. First, power off the system and then boot
from a known clean write-protected boot diskette. The DOS SYS
command can then be used to recreate the boot sector. Alternately,
MDisk from McAfee Associates may be used to recreate the boot
sector.
Virus Name: Frere Jacques
Aliases: Frere Virus
V Status: Rare
Discovered: May 1990
Symptoms: .COM & .EXE growth, available memory decreases, system hangs,
music (Frere Jacques) on Fridays
Origin: California, USA
Eff Length: 1,808 Bytes
Type Code: PRA - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan V63+, Pro-Scan 1.4+, F-Prot 1.12+, NAV
Removal Instructions: Scan/D, Pro-Scan 1.4+, NAV, or Delete infected files
General Comments:
The Frere Jacques Virus was isolated in May, 1990. It is a memory
resident generic file infector, infecting .COM, .EXE, and Overlay
files. It does not infect COMMAND.COM. This virus is based on
the Jerusalem B Virus.
The first time an infected program is executed, the virus will
install itself memory resident in low available free memory.
The memory resident virus occupies 2,064 bytes, and attaches itself
to interrupt 21. After becoming memory resident, Frere Jacques will
infect any program which is then executed. Infected programs will
increase in size by between 1,808 bytes and 1,819 bytes, though
.COM files always increase in size by 1,813 bytes.
Systems infected with Frere Jacques will experience a decrease in
available free memory, as well as executable files increasing in
size. System hangs will also intermittently occur when the virus
attempts to infect programs, thus resulting in the possible loss
of system data.
On Fridays, the Frere Jacques virus activates, and will play the
tune Frere Jacques on the system speaker.
Also see: Jerusalem B
Virus Name: Friday The 13th COM Virus
Aliases: COM Virus, Miami, Munich, South African, 512 Virus, Virus B
V Status: Extinct
Discovered: November, 1987
Symptoms: .COM growth, floppy disk access, file deletion
Origin: Republic of South Africa
Eff Length: 512 Bytes
Type Code: PNC - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, AVTK 3.5+,
VirHunt 2.0+, NAV
Removal Instructions: Scan/D/X, Pro-Scan 1.4+, VirHunt 2.0+, F-Prot, or NAV
General Comments:
The original Friday The 13th COM virus first appeared in
South Africa in 1987. Unlike the Jerusalem (Friday The 13th)
viruses, it is not memory resident, nor does it hook any
interrupts. This virus only infects .COM files, but not
COMMAND.COM. On each execution of an infected file, the
virus looks for two other .COM files on the C drive and 1
on the A drive, if found they are infected. This virus is
extremely fast, and the only indication of propagation occurring
is the access light being on for the A drive, if the current
default drive is C. The virus will only infect a .COM file
once. The files, after infection, must be less than 64K in
length.
On every Friday the 13th, if the host program is executed, it
is deleted.
Known variants of the Friday The 13th COM virus are:
Friday The 13th-B: same, except that it will infect every
file in the current subdirectory or in the system path if
the infected .COM program is in the system path.
Friday The 13th-C: same as Friday The 13th-B, except that the
message "We hope we haven't inconvenienced you" is
displayed whenever the virus activates.
Author's note: All samples of this virus that are available were
created by reassembling a disassembly of this virus. These viruses
may not actually exist "in the wild".
Virus Name: Frog's Alley
Aliases: Frog
V Status: New
Discovered: March, 1991
Symptoms: .COM growth; Message; FAT & Directory damage; programs disappear;
Disk Volume Label change; long disk access times
Origin: USA
Eff Length: 1,500 Bytes
Type Code: PRCK - Parasitic Resident .COM Infector
Detection Method: ViruScan V76+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The Frog's Alley Virus was submitted in March, 1991 by David Grant of
the United States. This virus is a memory resident infector of .COM
files, including COMMAND.COM.
When the first program infected with Frog's Alley is executed, this
virus will install itself memory resident in low, unreserved system
memory. Interrupts 09, 20, 21, and 2F will be hooked by the virus.
At this time, Frog's Alley will also infect COMMAND.COM and one other
.COM file in the current directory.
After becoming memory resident, Frog's Alley will infect 1 .COM file
each time an infected program is executed or a DIR command is
performed. In either case, long disk accesses will be noticable either
when an infected .COM program is executed, or as the DIR command
completes. .COM files are only infected if their original file length
was 1,500 or more bytes.
Programs infected with Frog's Alley will have a file size increase of
1,500 bytes, and the file's date and time in the disk directory will
have been updated to the system date and time when the infection
occurred. The virus will be located at the beginning of infected
programs.
Frog's Alley activates on the 5th day of any month. When an infected
program is executed on the 5th, the following message will be displayed:
(V) AIDS R.2A - Welcome to Frog's Alley !, (c) STPII Laboratory - Jan 1990
This message will again be displayed whenever a DIR command is
performed. The first time the message is displayed, the virus will
remove the system files and COMMAND.COM from the disk. Other programs
will still be accessible until they are also removed, or the virus is
no longer in memory. Once the virus is no longer in memory, the disk
will display the volume label "s Alley !" and have no files found when
a DIR command is performed. The disk's FAT and root directory will have
been overwritten with the above message multiple times.
Other symptom's of Frog's Alley are long disk access times when
executing programs or performing DIR commands, as well as occassional
unexpected accesses to the B: disk drive. Some memory intensive
applications will hang when Frog's Alley is active in memory.
Virus Name: Fu Manchu
Aliases: 2080, 2086
V Status: Rare
Discovered: March, 1988
Symptoms: .SYS, .BIN, .COM & .EXE growth, messages
Origin:
Eff Length: 2,086 (COM files) & 2,080 (EXE files) bytes
Type Code: PRsA - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+,
VirHunt 2.0+, NAV
Removal Instructions: Scan/D, F-Prot, Pro-Scan 1.4+, VirHunt 2.0+, VirexPC,
NAV
General Comments:
The Fu Manchu virus attaches itself to the beginning of .COM
files or the end of .EXE files. This virus will infect any
executable program, including overlay, .SYS, and .BIN files
as well. It appears to be a rewritten version of the Jerusalem
virus, with a possible creation date of 3/10/88.
A marker or id string usually found in this virus is
'sAXrEMHOr', though the virus only uses the 'rEMHOr' portion
of the string to identify infected files.
One out of sixteen infections will result in a timer being
installed, and after a random amount of time, the message
"The world will hear from me again!" is displayed and
the system reboots. This message will also be displayed on
an infected system after a warm reboot, though the virus doesn't
survive in memory.
After August 1, 1989, the virus will monitor the keyboard buffer,
and will add derogatory comments to the names of various
politicians. These comments go to the keyboard buffer, so
their effect is not limited to the display. The messages within
the virus are encrypted.
This virus is very rare in the United States.
Also see: Jerusalem B, Taiwan 3
Virus Name: Ghostballs
Aliases: Ghost Boot, Ghost COM
V Status: Extinct
Discovered: October, 1989
Symptoms: moving graphic display, .COM file growth, file corruption, BSC.
Origin: Iceland
Eff Length: 2,351 bytes
Type Code: PNCB - Parasitic Non-Resident .COM & Boot Sector Infector
Detection Method: ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, VirexPC,
AVTK 3.5+, VirHunt 2.0+, NAV
Removal Instructions: MDisk or DOS SYS and erase infected .COM files,
or CleanUp, F-Prot, Pro-Scan 1.4+, VirexPC, Scan/D/X, VirHunt 2.0+, NAV
General Comments:
The Ghostball virus (Ghost Boot and Ghost COM) were discovered in
October, 1989 by Fridrik Skulason of Iceland. The Ghostballs Virus
virus infects generic .COM files, increasing the file size by
2,351 bytes. It also alters the disk boot sector, replacing it
with viral code similar to the Ping Pong virus. This altered
boot sector, however, will not replicate.
Symptoms of this virus are very similar to the Ping Pong
virus, and random file corruption may occur on infected
systems.
The Ghostballs virus was the first known virus that could infect
both files (.COM files in this case) and disk boot sectors.
After the boot sector is infected, the system experiences the
bouncing ball effect of the Ping Pong virus. If the boot sector
is overwritten to remove the boot viral infection, it will again
become corrupted the next time an infected .COM file is executed.
The Ghostballs Virus is based on the code of two other viruses.
The .COM infector portion consists of a modified version of the
Vienna virus. The boot sector portion of the virus is based on
the Ping Pong virus.
To remove this virus, turn off the computer and reboot from
a write protected master diskette for the system. Then
use either MDisk or the DOS SYS command to replace the boot
sector on the infected disk. Any infected .COM files must
also be erased and deleted, then replaced with clean copies
from your original distribution diskettes.
Virus Name: Golden Gate
Aliases: Mazatlan, 500 Virus
V Status: Extinct
Discovered: 1988
Symptoms: BSC, disk format, Resident TOM
Origin: California, USA
Eff Length: N/A
Type Code: BRt - Resident Boot Sector Infector
Detection Method: ViruScan (identifies as Alameda)
Removal Instructions: MDisk, F-Prot, or DOS SYS command
General Comments:
The Golden Gate virus is a modified version of the Alameda virus
which activates when the counter in the virus has determined
that it is infected 500 diskettes. The virus replicates when
a CTL-ALT-DEL is performed, infecting any diskette in the floppy
drive. Upon activation, the C: drive is formatted. The
counter in the virus is reset on each new floppy or hard drive
infected.
Known Variants of this virus are:
Golden Gate-B: same as Golden Gate, except that the counter
has been changed from 500 to 30 infections before
activation, and only diskettes are infected.
Golden Gate-C: same as Golden Gate-B, except that the hard
drive can also be infected. This variant is also known
as the Mazatlan Virus, and is the most dangerous of the
Golden Gate viruses.
Also see: Alameda
Virus Name: Grither
Aliases:
V Status: Rare
Discovered: January, 1991
Symptoms: .COM growth; C: & D: drive disk corruption
Origin: United States
Eff Length: 774 Bytes
Type Code: PNCK - Parasitic Non-Resident .COM & .EXE Infector
Detection Method: ViruScan V72+
Removal Instructions: Scan/D, Delete infected files
General Comments:
The Grither Virus was submitted in January, 1991, by Paul Ferguson
of the United States. This virus is a non-resident direct action
infector of .COM files, including COMMAND.COM.
When a program infected with Grither is executed, the virus will infect
one .COM file in the current directory. COMMAND.COM may become
infected if it exists in the current directory.
.COM programs infected with Grither will increase in length by 774
bytes, the virus will be located at the end of the infected file. The
file's date and time in the disk directory will not be altered by the
virus.
The Grither Virus can be extremely destructive. With a probability of
approximately one out of every eight times an infected program is
executed, the virus may activate. On activation, Grither will overwrite
the beginning of the C: and D: drives of the system's hard disk.
Effectively, this corrupts the disk's boot sector, file allocation
tables, and directory, as well as the system files.
Grither is roughly based on the Vienna and Violator viruses.
ViruScan V72 will identify Grither infected files as Vienna B, though
it may also identify them as Violator in rare circumstances.
Virus Name: Groen Links
Aliases: Green Left
V Status: Rare
Discovered: March, 1990
Symptoms: .COM & .EXE growth; TSR; Music
Origin: Amsterdam, Holland
Eff Length: 1,888 Bytes
Type Code: PRsA - Resident Parasitic .COM &.EXE Infector
Detection Method: ViruScan V67+, Pro-Scan 2.01+
Removal Instructions: Scan/D, Pro-Scan 2.01+, or Delete infected files
General Comments:
The Groen Links Virus was originally reported in Amsterdam, Holland,
in March 1990. This virus is a memory resident infector of .COM and
.EXE files. It does not infect COMMAND.COM. It is a variant of the
Jerusalem B virus, though is listed separately here as it is a different
length and exhibits different characteristics.
The first time a program infected with the Groen Links Virus is
executed, the virus will install itself memory resident as a low
system memory TSR of 1,872 bytes. Interrupts 21 and CE will be hooked
by the virus.
After the virus is memory resident, it will infect .COM and .EXE files
as they are executed. Infected .COM files will increase in length
by 1,893 bytes with the virus being located at the beginning of the
file. .EXE files will increase in length by 1,888 to 1,902 bytes with
the virus located at the end of infected files. As with many of the
Jerusalem variants, this virus will reinfect .EXE files. After the
first infection, .EXE files will increase by 1,888 bytes on subsequent
infections. Infected files will contain the text string: "GRLKDOS".
After the virus has been resident for 30 minutes, it may play
"Stem op Groen Links" every 30 minutes. The name of the tune translates
to "Vote Green Left", Green Left being a political party in Holland.
Virus Name: Guppy
Aliases:
V Status: Rare
Discovered: October, 1990
Symptoms: TSR, .COM growth, error messages, disk boot failures
Origin: United States
Eff Length: 152 Bytes
Type Code: PRsCK - Resident Parasitic .COM &.EXE Infector
Detection Method: Pro-Scan 2.01+, ViruScan V76+
Removal Instructions: Pro-Scan 2.01+, or Delete infected files
General Comments:
The Guppy Virus was submitted in late October, 1990 by Paul Ferguson
of Washington, DC. Guppy is a memory resident infector of .COM files,
including COMMAND.COM.
The first time a program infected with the Guppy Virus is executed, the
virus will install itself memory resident as a low system memory TSR
with interrupt 21 hooked. Available free memory will decrease by
720 bytes.
After the virus is memory resident, any .COM file with a file length of
at least 100 bytes (approximately) that is executed will become infected
with Guppy. Infected files will increase in length by 152 bytes, with
two bytes added to the beginning of the .COM file, and 150 bytes added
to the end of the file. Infected files will also have their date/time
stamps in the directory updated to the system date and time when the
infection occurred.
If COMMAND.COM is executed with Guppy memory resident, it will become
infected. If the system is later booted from a disk with a Guppy
infected COMMAND.COM, the boot will fail and a "Bad or Missing Command
Interpreter" message will be displayed.
Some programs will also fail to execute properly once infected with
Guppy. For example, attempts to execute EDLIN.COM after it was
executed on my system resulted in a consistent "Invalid drive or
file name" message, and EDLIN ending execution.
Infected files can be identified as they will end with the following
hex character string: 3ECD211F5A5B58EA
Known variant(s) of Guppy include:
Guppy-B: Almost identical to Guppy, there are a few bytes which have
been altered in this variant.
Virus Name: Halloechen
Aliases:
V Status: Rare
Discovered: October, 1989
Symptoms: TSR, .COM & .EXE growth, garbled keyboard input.
Origin: West Germany
Eff Length: 2,011 Bytes
Type Code: PRsA - Resident Parasitic .COM &.EXE Infector
Detection Method: ViruScan V57+, Pro-Scan 1.4+, VirexPC, AVTK 3.5+,
VirHunt 2.0+, NAV
Removal Instructions: VirHunt 2.0+, Scan/D, NAV, or delete infected files
General Comments:
The Halloechen virus was reported by Christoff Fischer of
the University of Karlsruhe in West Germany. The virus is
a memory resident generic .COM & .EXE file infector which is
reported to be widespread in West Germany.
The Halloechen virus installs itself memory resident when the
first infected program is executed. Thereafter, the virus will
infect any .EXE or .COM file which is run unless the resulting
infected file would be greater than 64K in size, or the file's
date falls within the system date's current month and year.
Once a file has been determined to be a candidate for infection,
and is less than approximately 62K in size as well as having a
date outside of the current month and year, it is infected.
In the process of infecting the file, the files size is first
increased so that it is a multiple of 16 (ends on a paragraph
boundary), then the 2,011 bytes of viral code are added.
When infected files are run, input from the keyboard is garbled.
Virus Name: Happy New Year
Aliases: Happy N.Y., V1600
V Status: Rare
Discovered: December, 1989
Symptoms: TSR; .COM & .EXE Growth; Floppy Boot Sector altered;
Boot failures; Bad or missing command interpretor message
Origin: Bulgaria
Eff Length: 1,600 Bytes
Type Code: PRsAK - Resident Parasitic .COM & .EXE Infector
Detection Method: ViruScan V74+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The Happy New Year, or V1600, Virus was submitted in December, 1990.
This virus is originally from Bulgaria, and is a memory resident
infector of .COM and .EXE files. It will infect COMMAND.COM.
The first time a program infected with the Happy New Year Virus is
executed, the virus will install itself memory resident as a 2,432
bytes low system memory TSR. Interrupt 21 will be hooked by the
virus. At this time, the virus will also make a slight alteration
to the floppy boot sector, and infect COMMAND.COM. Infected
COMMAND.COM files will not show a file length increase as the virus
will overwrite a portion of the hex 00 section of the file. The
altered floppy boot sector does not contain a copy of the virus, and
is not infectious.
Once Happy New Year is memory resident, it will infect .COM and .EXE
programs as they are executed. Infected programs will increase in
length by 1,600 bytes and have the virus located at the end of the
infected file.
The following text message can be found in infected programs:
"Dear Nina, you make me write this virus; Happy new year!"
"1989"
This message is not displayed by the virus.
Systems infected with the Happy New Year Virus may fail to boot,
receiving a "Bad or missing command interpretor" message if COMMAND.COM
is infected on the boot diskette or hard drive.
It is unknown if Happy New Year carries any destructive capabilities.
Known variant(s) of Happy New Year are:
Happy New Year B : Similar to Happy New Year, this variant has five
bytes which differ from the original virus. Unlike Happy
New Year, COMMAND.COM will only be infected if it is executed
for some reason.
Virus Name: HIV
Aliases:
V Status: New
Discovered: March, 1991
Symptoms: .COM & .EXE growth; decrease in total system & available memory
Origin: USA
Eff Length: 1,614 Bytes
Type Code: PRhAK - Resident Parasitic .COM & .EXE Infector
Detection Method: ViruScan V76+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The HIV Virus was submitted in March, 1991, by David Grant of the
United States. This virus is based on the Murphy Virus, and is a
memory resident infector of .COM and .EXE files, as well as COMMAND.COM.
When a program infected with HIV is executed, HIV will check to see if
it is already present in memory. If it is not already memory resident,
it will install itself at the top of system memory but below the 640K
DOS boundary. Interrupt 21 will be hooked by the virus, and total
system memory and available free memory as measured by the DOS ChkDsk
program will decrease by 1,632 bytes.
After becoming memory resident, HIV will infect .COM and .EXE files
when they are executed or openned for any reason. Infected programs
will increase in size by 1,614 bytes with the virus being located at
the end of infected files. The file date and time in the disk
directory will not be altered.
Programs infected with HIV will contain the following text strings:
"HIV Virus - Release 1.0
Created by Cracker Jack
(C) 1991 Italian Virus Laboratory"
It is not known what HIV does besides replicate. This virus may also
be a research virus and not in the public domain since the original
sample submitted is not a natural infection of the virus.
Also see: Murphy
Virus Name: Holland Girl
Aliases: Sylvia
V Status: Rare
Discovered: December, 1989
Symptoms: .COM growth, TSR
Origin: Netherlands
Eff Length: 1,332 Bytes
Type Code: PRsC - Resident Parasitic .COM Infector
Detection Method: ViruScan V50+, F-Prot, IBM Scan, Pro-Scan, VirexPC,
AVTK 3.5+, VirHunt 2.0+, NAV
Removal Instructions: F-Prot, Pro-Scan 1.4+, VirHunt 2.0+, or Scan/D
General Comments:
The Holland Girl or Sylvia Virus was first reported by Jan
Terpstra of the Netherlands. This virus is memory resident
and infects only .COM files, increasing their size by 1,332
bytes. The virus apparently does no other damage, and
does not infect COMMAND.COM.
The virus's name is due to the fact that the virus code
contains the name and phone number of a girl named Sylvia
in Holland, along with her address, requesting that post cards
be sent to her. The virus is believed to have been written
by her ex-boyfriend.
Also see: Holland Girl 2
Virus Name: Holland Girl 2
Aliases: Sylvia 2
V Status: Rare
Discovered: January, 1991
Symptoms: .COM growth
Origin: New Brunswick, Canada
Eff Length: 1,332 Bytes
Type Code: PNC - Resident Parasitic .COM Infector
Detection Method: ViruScan V76+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The Holland Girl 2, or Sylvia 2, Virus was discovered in New Brunswick,
Canada in January 1991. This virus is similar to the Holland Girl
Virus, though it has been altered significantly. This virus is a non-
resident infector of .COM files, including COMMAND.COM.
When a program infected with the Holland Girl 2 Virus is executed, the
virus will infect up to four .COM files. It first checks the C: drive
root directory to look for candidate files, then the current drive and
current directory.
.COM Programs infected with the Holland Girl 2 Virus will increase in
length by 1,332 bytes with the virus being located at the beginning of
the infected program. Infected programs will also contain the following
text:
"This program is infected by a HARMLESS Text-Virus V2.1"
"Send a FUNNY postcard to : Sylvia"
"You might get an ANTIVIRUS program....."
Sylvia's last name, and full address are in the virus in plain text,
and are not repeated here for privacy reasons.
Also see: Holland Girl
Virus Name: Holocaust
Aliases: Stealth, Holo
V Status: Rare
Discovered: December, 1990
Symptoms: decrease in system & available memory; file allocation errors
Origin: Barcelona, Spain
Eff Length: 3,784 Bytes
Type Code: PRhCK - Resident Parasitic .COM Infector
Detection Method: ViruScan V74+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The Holocaust Virus was submitted in December, 1990 by David Llamas of
Barcelona, Spain. Holocaust is a self-encrypting memory resident
infector of .COM files, including COMMAND.COM. This virus is qualifies
as a Stealth virus as it hides the file length increase on infected
files as well as infecting on file open and execution.
The first time a program infected with the Holocaust Virus is
executed, the virus will install itself memory resident. It will
reserve 4,080 bytes of high system memory below the 640K DOS boundary.
This memory will be marked as Command Data, and interrupt 21 will be
hooked. Some memory mapping utilities will show the memory resident
command interpretor to have grown by the 4,080 bytes, though it is
actually in high memory instead of low memory.
Once Holocaust is memory resident, it will infect COM programs which
are executed or openned for any reason. This virus, however, will not
infect very small COM files of less than 1K in size. Infected COM
programs will increase in size by 3,784 bytes, though this file size
increase will not be seen in a directory listing if the virus is
memory resident. The viral code will be located at the end of
infected files.
If the Holocaust Virus is memory resident and the DOS ChkDsk command
is executed, infected files will be indicated as having a file
allocation error. Execution of the command with the /F parameter on
systems with the virus memory resident will result in the infected
files becoming damaged. The file allocation errors do not occur if
the virus is not in memory since at that time the directory size will
match the file allocation in the FAT.
The Holocaust Virus is a self-encrypting virus, and will occasionally
produce an infected file which is encrypted differently from its
original encryption mechanism. Some infected files will contain the
following text at the end of the program, while other samples will have
this text encrypted:
"Virus Anti - C.T.N.E. v2.10a. (c)1990 Grupo Holokausto.
Kampanya Anti-Telefonica. Menos tarifas y mas servicio.
Programmed in Barcelona (Spain). 23-8-90.
- 666 -"
Holocaust is reported by David Llamas to be widespread in Barcelona
as of December, 1990. It is not known if this virus activates, and
what it does on activation. It does not match a similar virus
reported by Jim Bates of the United Kingdom named Spanish Telecom.
Virus Name: Hybryd
Aliases: Hybrid
V Status: Rare
Discovered: January, 1991
Symptoms: .COM growth
Origin: Poland
Eff Length: 1,306 Bytes
Type Code: PRhA - Resident Parasitic .COM & .EXE Infector
Detection Method: ViruScan V74+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The Hybryd Virus was submitted in January, 1991, and is from Poland.
This virus is a non-resident direct action infector of .COM files,
including COMMAND.COM.
When a program infected with Hybryd is executed, the virus will
look for an uninfected .COM program in the current directory. If an
uninfected program is found, the virus will infect it. Infected
.COM programs will have a file length increase of 1,306 bytes, the
virus will be located at the end of the infected program. This virus
alters the file time so that the seconds field in the file time is 62,
the indicator that the file is infected. Just viewing the directory,
though, it appears that the file date and time has not been altered.
The following text strings are contained within the Hybryd Virus, though
they cannot be viewed in infected files as they are encrypted:
"(C) Hybryd Soft
Specjalne podziekowania dla
Andrzeja Kadlofa i Mariusza Deca
za artykuly w Komputerze 11/88"
In the submitted sample, the one text string that is not encrypted is
the following, which is also found in replicated samples:
"Copyright IBM Corp 1981,1987
Licensed Material - Program Property of IBM"
This string should not be taken to indicate that IBM necessarily had
anything to do with the creation of this virus.
On Friday The 13ths starting in 1992, this virus will overwrite the
current drive's boot sector when an infected program is executed. It
may also corrupt program files at that time when they are executed.
Virus Name: Hymn
Aliases:
V Status: Rare
Discovered: December, 1990
Symptoms: .COM & .EXE growth; decrease in system and available free memory
Origin: USSR
Eff Length: 1,865 Bytes
Type Code: PRhA - Resident Parasitic .COM & .EXE Infector
Detection Method: ViruScan V74+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The Hymn Virus was submitted in December, 1990, and originated in the
USSR. This virus is a memory resident infector of .COM and .EXE files,
and will infect COMMAND.COM.
The first time a program infected with the Hymn Virus is executed, the
virus will install itself memory resident at the top of system memory
but below the 640K DOS boundary. The DOS ChkDsk program will show that
total system memory and available free memory have decreased by 3,712
bytes. This virus does not move the interrupt 12 return. COMMAND.COM
will also become infected at this time.
Once Hymn is memory resident, it will infect .COM and .EXE files which
are over approximately 2K in length when they are executed or openned
for any reason. Infected .COM files will increase in length by
1,865 bytes. Infected .EXE files will have a file length increase of
1,869 to 1,883 bytes. In both cases the virus will be located at the
end of the infected file.
Infected programs will contain two text strings within the viral code:
"ibm@SNS"
"@ussr@"
It is not known what Hymn does when it activates, but it is assumed
from the name that under some conditions it may play music.
Virus Name: Icelandic
Aliases: 656, One In Ten, Disk Crunching Virus, Saratoga 2
V Status: Extinct
Discovered: June, 1989
Symptoms: .EXE growth, Resident TOM, bad sectors, FAT corruption
Origin: Iceland
Eff Length: 656 bytes
Type Code: PRfE - Resident Parasitic .EXE Infector
Detection Method: ViruScan/X V67+, F-Prot, Pro-Scan, VirexPC, AVTK 3.5+
VirHunt 2.0+, NAV
Removal Instructions: Scan/D/X, Pro-Scan 1.4+, VirexPC 1.1B, F-Prot,
VirHunt 2.0+, NAV
General Comments:
The Icelandic, or "Disk Crunching Virus", was originally
isolated in Iceland in June 1989. This virus only infects
.EXE files, with infected files growing in length between
656 and 671 bytes. File lengths after infection will always
be a multiple of 16. The virus attaches itself to the end
of the programs it infects, and infected files will always
end with hex '4418,5F19'.
The Icelandic virus will copy itself to the top of free memory
the first time an infected program is executed. Once in high
memory, it hides from memory mapping programs. If a program
later tries to write to this area of memory, the computer will
crash. If the virus finds that some other program has "hooked"
Interrupt 13, it will not proceed to infect programs. If
Interrupt 13 has not been "hooked", it will attempt to infect
every 10th program executed.
On systems with only floppy drives, or 10 MB hard disks, the
virus will not cause any damage. However, on systems with
hard disks larger than 10 MB, the virus will select one unused
FAT entry and mark the entry as a bad sector each time it
infects a program.
Also see: Icelandic-II, Icelandic-III, Mix/1, Saratoga
Virus Name: Icelandic-II
Aliases: System Virus, One In Ten
V Status: Extinct
Discovered: July, 1989
Symptoms: .EXE growth, Resident TOM, FAT corruption
date changes, loss of Read-Only
Origin: Iceland
Eff Length: 632 Bytes
Type Code: PRfE - Parasitic Resident .EXE Infector
Detection Method: ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, VirexPC,
AVTK 3.5+, VirHunt 2.0+, NAV
Removal Instructions: Scan/D/X, Pro-Scan 1.4+, VirexPC 1.1B, F-Prot,
VirHunt 2.0+, NAV
General Comments:
The Icelandic-II Virus is a modified version of the Icelandic
Virus, and was isolated for the first time in July 1989 in
Iceland. These two viruses are very similar, so only the
changes to this variant are indicated here, refer to Icelandic
for the base virus information.
Each time the Icelandic-II virus infects a program, it will
modify the file's date, thus making it fairly obvious that
the program has been changed. The virus will also remove
the read-only attribute from files, but does not restore it
after infecting the program.
The Icelandic-II virus can infect programs even if the system
is running an anti-viral TSR that monitors interrupt 21, such
as FluShot+.
On hard disks larger than 10 MB, there are no bad sectors
marked in the FAT as there is with the Icelandic virus.
Also see: Icelandic, Icelandic-III, Mix/1, Saratoga
Virus Name: Icelandic-III
Aliases: December 24th
V Status: Endangered
Discovered: December, 1989
Symptoms: .EXE growth, Resident TOM, bad sectors, FAT corruption,
Dec 24 message.
Origin: Iceland
Eff Length: 853 Bytes
Type Code: PRfE - Parasitic Resident .EXE Infector
Detection Method: ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, VirexPC,
AVTK 3.5+, VirHunt 2.0+, NAV
Removal Instructions: F-Prot, Scan/D/X, Pro-Scan 1.4+, VirexPC 1.1B,
VirHunt 2.0+, NAV, or delete infected files
General Comments:
The Icelandic-III Virus is a modified version of the Icelandic
Virus, and was isolated for the first time in December 1989 in
Iceland. These two viruses are very similar, so only the
changes to this variant are indicated here, refer to Icelandic
for the base virus information.
The Icelandic-III virus's id string in the last 2 words of the
program is hex '1844,195F', the bytes in each word being
reversed from the id string ending the Icelandic and
Icelandic-II viruses. There are also other minor changes to
the virus from the previous Icelandic viruses, including the
addition of several NOP instructions.
Before the virus will infect a program, it checks to see if the
program has been previously infected with Icelandic or
Icelandic-II, if it has, it does not infect the program.
Files infected with the Icelandic-III virus will have their
length increased by between 848 and 863 bytes.
If an infected program is run on December 24th of any year,
programs subsequently run will be stopped, later displaying
the message "Gledileg jol" ("Merry Christmas" in Icelandic)
instead.
Also see: Icelandic, Icelandic-II, Mix/1, Saratoga
Virus Name: IKV 528
Aliases:
V Status: Rare
Discovered: January, 1991
Symptoms: .COM & .EXE growth
Origin: Unknown
Eff Length: 528 Bytes
Type Code: PNCK - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan V74+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The IKV 528 Virus was submitted in January, 1991, its origin and
isolation point are unknown. This virus is a non-resident infector
of .COM files. It will infect COMMAND.COM.
When a program infected with IKV 528 is executed, the virus will
infect two .COM programs in the current directory. .COM programs which
are smaller than 520 bytes will not be infected. Infected .COM
programs will increase in length by 528 bytes. The virus will be
located at the end of infected programs. The file date and time in the
disk directory will not be altered by the virus.
This virus does not do anything besides replicate.
Virus Name: Invader
Aliases: Plastique Boot
V Status: Common
Discovered: September, 1990
Symptoms: TSR; .COM & .EXE growth; BSC; music
Origin: Taiwan/China
Eff Length: 4,096 Bytes
Type Code: PRsAB - Parasitic Resident .COM, .EXE, & Boot Sector Infector
Detection Method: ViruScan V67+, Pro-Scan 2.01+
Removal Instructions: Scan/D, CleanUp V67+, or Delete infected files
General Comments:
The Invader Virus was isolated in September, 1990 in China.
This virus is a later version of the Plastique-B or Plastique 5.21
Virus. It is a memory resident infector of .COM and .EXE files,
but not COMMAND.COM. It also infects boot sectors. In September
1990, many reports of infections of this virus have been received,
it appears to have spread very rapidly.
The first time a program infected with the Invader virus is
executed, the virus will install itself memory resident as a low
system memory TSR. The TSR is 5,120 Bytes and interrupts 08, 09,
13, and 21 will be hooked.
At this time, the virus will also infect the boot sector of the drive
where the infected program was executed. The new boot sector is an
MSDOS 3.30 boot sector, and can be easily identified because the
normal DOS error messages found in the boot sector are now at the
beginning of the boot sector instead of the end.
After the virus has become memory resident, any .COM or .EXE file
(with the exception of COMMAND.COM) openned will be infected by the
virus. Infected .COM files will increase in length by 4,096 bytes
with the viral code being located at the beginning of the infected
file. .EXE files will increase in length between 4,096 and 4,110
bytes with the viral code being located at the end of the infected
file.
Additionally, any non-write protected diskettes which are exposed to
the infected system will have their boot sectors infected.
The Invader Virus activates after being memory resident for
30 minutes. At that time, a melody may be played on the system
speaker. On systems which play the melody, it will continue until
the system is rebooted. The melody isn't played on 286 based systems,
but is noticeable on the author's 386SX test machine.
Also see: Plastique, Plastique-B
Virus Name: Iraqui Warrior
Aliases: Iraqui
V Status: Rare
Discovered: January, 1991
Symptoms: .COM growth; Closely spaced beeps from system speaker;
system hangs; boot failures
Origin: USA
Eff Length: 777 Bytes
Type Code: PNCK - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan V74+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The Iraqui Warrior Virus was isolated on January 17, 1991 in the
United States. This virus is a non-memory resident infector of .COM
files, including COMMAND.COM. It is based on the Vienna Virus.
When a program infected with the Iraqui Warrior Virus is executed, the
virus will infect one of the first four .COM files located on the
current drive and current directory. Infected .COM files will have
a file length increase of 777 bytes with the virus being located at the
end of the file.
The following text strings can be found in infected files, the first
two occurring near the beginning of the virus, and the last being
located very near the end of the infected file:
"I come to you from The Ayatollah!"
"(c)1990, VirusMasters"
"An Iraqui Warrior is in your computer..."
None of these messages are displayed by the virus.
Systems infected with the Iraqui Warrior virus may occassionally
experience the system speaker issuing a series of closely spaced beeps
when an infected program is executed. When this occurs, the system
will hang and have to be rebooted. The beeps continue until the reboot
occurs.
Booting from a disk where COMMAND.COM has been infected will result in
a "Memory allocation error, Cannot start COMMAND, exiting" message
appearing.
The Iraqui Warrior does not appear to do anything else besides the
above.
Virus Name: Italian 803
Aliases:
V Status: New
Discovered: March, 1991
Symptoms: .COM & .EXE growth
Origin: Italy
Eff Length: 803 Bytes
Type Code: PNAK - Parasitic Non-Resident .COM & .EXE Infector
Detection Method:
Removal Instructions: Delete infected files
General Comments:
The Italian 803 Virus was submitted in March, 1991. This virus is a
non-resident direct action infector of .COM and .EXE files. It will
infect COMMAND.COM.
When a program infected with Italian 803 is executed, the virus will
look for an uninfected .EXE file in the current directory to infect.
If one is found, it will become infected. If an uninfected .EXE file
does not exist in the current directory, the virus will then look for
an uninfected .COM file in the current directory. If an uninfected
.COM file is found, it will then be infected.
Programs infected with Italian 803 will have a file length increase
of 803 to 817 bytes with the virus being located at the end of the
infected file. This virus does not alter the file date and time in the
disk directory.
The Italian 803 Virus may reinfect programs already infected with this
virus. The reinfection only occurs when an infected program is copied,
and then another infected program is executed. Reinfections of Italian
803 will result in an additional 816 bytes being added to the file.
Italian 803 does not do anything besides replicate.
Known variant(s) of Italian 803 include:
Italian 803-B: Similar to Italian 803, this variant differs by only
1 byte.
Virus Name: Itavir
Aliases: 3880
V Status: Endangered
Discovered: March, 1990
Symptoms: .EXE growth, COMMAND.COM file, Boot sector corruption
Origin: Italy
Eff Length: 3,880 Bytes
Type Code: PNE - Parasitic Non-Resident .EXE Infector
Detection Method: ViruScan V60+, Pro-Scan 1.4+
Removal Instructions: Scan/D, or delete infected files
General Comments:
The Itavir virus was isolated in March 1990 by a group of
students at the Milan Politechnic in Milan, Italy. The Itavir
virus is a non-resident generic .EXE Infector. Infected files
will increase in length by 3,880 bytes. Infected systems,
besides having files which have increased in length, will
usually have a file with the name COMMAND.COM somewhere on
the disk. The first character of this file name is an
unprintable character. The COMMAND.COM file contains the
pure virus code and is used for appending to files as they
are infected.
The Itavir virus activates at some time period after the system
has been running for more than 24 hours. When it activates, the
boot sector is corrupted, rendering the system unbootable. The
virus also displays a message in Italian and writes ansi values
from 0 thru 255 to all available I/O ports, thus confusing any
attached peripheral devices. Some monitors may show a flickering
effect when this occurs, while some VGA monitors may actually
"hiss".
Virus Name: Jeff
Aliases:
V Status: Rare
Discovered: December, 1990
Symptoms: .COM growth; overwritten sectors on hard disk
Origin: USA
Eff Length: 814 Bytes
Type Code: PNCK - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan V72+, Pro-Scan 2.01+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The Jeff Virus was isolated in the United States in December, 1990.
This virus is a non-resident infector of .COM files, including
COMMAND.COM.
When a program infected with the Jeff Virus is executed, the virus
will attempt to infect one .COM file on the C: drive, starting in
the root directory. Infected .COM files will increase in size by
814 to 828 bytes, with the virus being located at the end of the
infected program.
The Jeff Virus received its name from the following text string which
is encrypted in the viral code:
"Jeff is visiting your hard disk"
While Jeff is visiting your hard disk, it will occasionally write
some sectors of random memory contents to the hard disk. If these
sectors are written to the boot sector, partition table, or FAT, the
contents of the disk may become inaccessible or produce unexpected
results.
Virus Name: Jerk
Aliases: Talentless Jerk, SuperHacker
V Status: Rare
Discovered: March, 1991
Symptoms: .COM & .EXE growth; Message; Unexpected access to C: drive
Origin: Unknown
Eff Length: 1,077 Bytes
Type Code: PNAK - Parasitic Non-Resident .COM & .EXE Infector
Detection Method:
Removal Instructions: Delete infected programs
General Comments:
The Jerk, Talentless Jerk, or SuperHacker Virus was submitted in
March, 1991. Its origin is unknown. This virus is a non-memory
resident infector of .COM and .EXE programs, and it will infect
COMMAND.COM.
When a program is executed which is infected with the Jerk Virus, it
will search the directory structure of the C: drive to find a program
to infect. If the user executed the infected program from a diskette,
an unexpected access to the system hard disk will occur. Once the
virus has selected a .COM or .EXE program to infect, it will alter the
first nine bytes of the candidate file, and then append the virus to the
end of the newly infected program. The following message may also be
displayed on the system monitor, though this does not always occur:
"Craig Murphy calls himself SUPERHACKER but he's just a talentless jerk!"
This message cannot be seen within infected programs as it is
encrypted within the virus.
Programs infected with the Jerk Virus will have a file length increase
of 1,077 bytes. The text string "MURPHY" will also be found starting
at the fourth byte of the infected file. The other text string which
can be found in infected files is:
"COMMAND.COM *.COM *.EXE Bad command or file name"
The Jerk Virus does not do anything besides replicate.
Virus Name: Jerusalem
Aliases: PLO, Israeli, Friday 13th, Russian, 1813(COM), 1808(EXE)
V Status: Common
Discovered: October, 1987
Symptoms: TSR, .EXE & .COM growth, system slowdown, deleted files
on Friday 13th, "Black WIndow"
Origin: Israel
Eff Length: 1,813 (COM files) & 1,808 (EXE files) bytes
Type Code: PRsA - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC 1.1+,
AVTK 3.5+, VirHunt 2.0+, NAV
Removal Instructions: Scan/D/A, Saturday, CleanUp, UnVirus, F-Prot,
VirexPC 1.1+, Pro-Scan 1.4+, NAV
General Comments:
The Jerusalem Virus was originally isolated at Hebrew
University in Israel in the Fall of 1987. Jerusalem is a memory
resident infector of .COM and .EXE files, with .EXE file being
reinfected each time they are executed due to a bug in the
virus.
This virus redirects interrupt 8, and 1/2 hour after execution
of an infected program the system will slow down by a factor
of 10. Additionally, some Jerusalem Virus variants will have a
"Black Window" or "Black Box" appear on the lower left side of
the screen which will scroll up the screen as the screen scrolls.
On Friday The 13ths, after the virus is installed in memory,
every program executed will be deleted from disk.
The identifier for some strains is "sUMsDos", however,
this identifier is usually not found in the newer variants of
Jerusalem.
The Jerusalem Virus is thought to have been based on the Suriv 3.00
Virus, though the Suriv 3.00 Virus was isolated after the Jerusalem
Virus.
Also see: Jerusalem B, New Jerusalem, Payday, Suriv 3.00
Virus Name: Jerusalem B
Aliases: Arab Star, Black Box, Black Window, Hebrew University
V Status: Common
Discovered: January, 1988
Symptoms: TSR, .EXE & .COM growth, system slowdown, deleted files
on Friday 13th, "Black WIndow"
Origin: Israel
Eff Length: 1,813 (.COM files) & 1,808 (.EXE files) bytes
Type Code: PRsA - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC 1.1+,
AVTK 3.5+, VirHunt 2.0+, NAV
Removal Instructions: F-Prot, Saturday, CleanUp, UnVirus, VirexPC 1.1+
Pro-Scan 1.4+, NAV
General Comments:
Identical to the Jerusalem virus, except that in some cases
it does not reinfect .EXE files. Jerusalem B is the most
common of all PC viruses, and can infect .SYS and program
overlay files in addition to .COM and .EXE files.
Not all variants of the Jerusalem B virus slow down the
system after an infection has occurred.
Also, it should be noted that Jerusalem viruses will only activate
if they actually become memory resident on their activation date. If
the system clock rolls over to the activation date and the virus is
already memory resident, they will not typically activate and perform
any destructive behavior they may be intended to perform.
Known variants of Jerusalem B are:
A-204 : Jerusalem B with the sUMsDos text string changed to
*A-204*, and a couple of instructions changed in order to
avoid detection. This variant will slow down the system
after being memory resident for 30 minutes, as well as having
a black box appear at that time.
Origin: Delft, The Netherlands
Anarkia : Jerusalem B with the timer delay set to slow
down the system to a greater degree, though this effect
doesn't show until a much longer time has elapsed. No
Black Box is never displayed. The sUMsDos id-string has
been changed to ANARKIA. Lastly, the virus's activation
date has been changed to Tuesday The 13ths, instead of
Friday The 13ths. Origin: Spain
Anarkia-B : Similar to Anarkia, with the exception that the
virus now activates on any October 12th instead of on
Tuesday The 13ths.
Jerusalem-C: Jerusalem B without the timer delay to slow
down the processor.
Jerusalem-D: Jerusalem C which will destroy both copies of
the FAT on any Friday The 13th after 1990.
Jerusalem-E: Jerusalem D but the activation is in 1992.
Mendoza : Based on the Jerusalem B virus, this variant does
not reinfect .EXE files. It is also missing the black box
effect. Mendoza activates in the second half of the year
(July - December), at which time any day will have a 10%
chance of having all programs executed deleted.
Origin: Argentina
Park ESS: Isolated in October, 1990 in Happy Camp, California, this
variant is very similar to other Jerusalem viruses. Infected
.COM files increase in length by 1,813 bytes, and infected .EXE
files will increase in length by 1,808 to 1,822 bytes with the
first infection, and 1,808 on later subsequent infections. This
variant will also infect COMMAND.COM. The other major difference
from the "normal" Jerusalem is that the sUMsDos string has been
replaced. The string PARK ESS can be found in the viral code
within all infected files. This variant slows down the system
by approximately 20 percent and a "black window" will appear after
the virus has been memory resident for 30 minutes.
Puerto : Isolated in June, 1990 in Puerto Rico, this variant is
very similar to the Mendoza variant, the virus contains the
sUMsDos id-string. .EXE files may be infected multiple times.
Skism-1 : Isolated in December, 1990 in New York State, this variant
is similar to many other Jerusalems except with regards to when
and what it does upon activation. Rather than activate on
Friday The 13ths and delete files, this variant activates in the
years 1991 and later on any Friday which occurs after the 15th of
the month. On activation, it truncates any file which is attempted
to be executed to zero bytes. COM files will increase in size
upon infection by 1,808 bytes, EXE files will increase by 1,808 to
1,822 bytes. EXE files will be reinfected by the virus. The
sUMsDos string in the virus is now SKISM-1. Like Jerusalem, this
variant produces a "black window" 30 minutes after becoming
memory resident, and also slows down the system.
Spanish JB : Similar to Jerusalem, it reinfects .EXE files.
The increased file size on .COM files is always 1,808
bytes. On .EXE files, the increased file size may be
either 1,808 or 1,813, with reinfections always adding
1,808 bytes to the already infected file. No "Black
Box" appears. The characteristic sUMsDos id-string does
not appear in the viral code. This variant is also sometimes
identified as Jerusalem E2. Origin: Spain
Jerusalem DC: Similar to Jerusalem B, this variant has the sUMsDos
text string changed to 00h characters. After being memory resident
for 30 minutes, the system will slow down by 30% and the common
"black window" will appear on the lower left side of the screen.
Like Jerusalem, it will infect .EXE files multiple times. This
variant does not carry an activation date when it will delete
files, it appears for all intents to be "defanged".
Origin: Washington, DC, USA
Captain Trips: The Captain Trips variant was submitted in March, 1991,
and is from the United States. Its name comes from the text string
"Captain Trips X." which occurs within the viral code. Unlike
most Jerusalem B variants, this variant does not display a black
window after being memory resident for 30 minutes, nor does it
slow down the system. On Friday The 13th, it does not delete
programs. The text string "MsDos" does not occur in infected
programs. .COM programs will increase in size by 1,813 bytes.
.EXE programs will increase in size by 1,808 to 1,822 bytes with
the first infection of the file, and then by 1,808 bytes with
subsequent infections.
Swiss 1813 : Submitted in February, 1991, from Switzerland, this
Jerusalem variant does not exihibit the "black window" after being
memory resident for 30 minutes, nor does it slow down the system.
It also does not delete programs on Friday The 13th, or any other
Friday. The sUMsDos text string has been changed to binary zeros.
Also see: Jerusalem, Frere Jacques, New Jerusalem, Payday,
Suriv 3.00, Westwood
Virus Name: JoJo
Aliases:
V Status: Rare
Discovered: May, 1990
Symptoms: .COM growth, system hangs
Origin: Israel
Eff Length: 1,701 Bytes
Type Code: PRaC - Parasitic Resident .COM Infector
Detection Method: ViruScan V63+, Pro-Scan 1.4+, VirexPC, F-Prot 1.12+, NAV
Removal Instructions: Scan/D, F-Prot 1.12+, Pro-Scan 2.01+
General Comments:
The JoJo virus was discovered in Israel in May, 1990. The virus'
name comes from a message within the viral code:
"Welcome to the JOJO Virus."
One other message appears within the virus, indicating that it was
written in 1990. This message is: "Fuck the system (c) - 1990".
Both messages within the viral code are never displayed.
When the first file infected with the JoJo Virus is executed on a
system, the virus will install itself memory resident. The
method used is to alter the Command Interpreter in memory,
expanding its size. As an example, on my test system, the
Command Interpreter in memory increased in size from 3,536 bytes
to 5,504 bytes. One block of 48 bytes is also reserved in
available free memory. The change in free memory will
be a net decrease of 2,048 bytes.
The JoJo Virus will not infect files if interrupt 13 is in use
by any other program. Instead the virus will clear the screen,
and the system will be hung. If the user performs a warm reboot
(Ctrl-Alt-Del), the virus will remain in memory.
Once the virus is able to become memory resident with interrupt 13
hooked, any .COM file executed will be infected by the virus.
Infected files will increase in length by 1,701 bytes.
While this virus has the same length as the Cascade/1701 Virus, it
is not a variant of Cascade.
Also see: JoJo 2
Virus Name: JoJo 2
Aliases:
V Status: Rare
Discovered: January, 1991
Symptoms: .COM growth; Message; "Not enough memory" errors; system hangs;
cursor position off 1 character
Origin: United States
Eff Length: 1,703 Bytes
Type Code: PRaCK - Parasitic Resident .COM Infector
Detection Method:
Removal Instructions: Delete infected files
General Comments:
The JoJo 2 Virus was submitted in January, 1991, by David Grant of the
United States. This virus is based on the JoJo Virus as well as
containing part of the decryption string for the Cascade Virus. It is
a memory resident infector of .COM files, including COMMAND.COM.
The first time a program infected with the JoJo 2 Virus is executed,
the virus will install itself memory resident by altering the command
interpretor in memory. The command interpretor in memory will have a
size increase of 1,904 bytes. There is an additional 48 bytes which is
reserved by the virus as well, similar to JoJo.
Once the virus is memory resident, it will infect .COM files as they
are executed. If COMMAND.COM is executed for any reason, it will become
infected. Infected .COM programs will have a file size increase of
1,703 bytes with the virus being located at the end of the infected
file.
Text strings which can be found in files infected with the JoJo 2 Virus
are:
"The JOJO virus strikes again.xxxxxxxxxxxx zzz"
"Fuck the system 1990 - (c)"
"141$FLu"
Systems infected with the JoJo 2 virus may experience system hangs
when some infected programs are executed. Infected programs may also
display the "Fuck the system 1990 - (c)" string, or a string of garbage
characters from memory. Attempts to execute some programs may also
fail due to "Not enough memory" errors. Lastly, after the virus has
been resident for awhile, the user may notice that the cursor on the
system monitor is off by one position to the right from where it should
be.
JoJo 2 may be detected by some anti-viral utilities as an infection
of JoJo and Cascade/1701/1704.
Also see: JoJo
Virus Name: Joker
Aliases: Jocker
V Status: Extinct
Discovered: December, 1989
Symptoms: Messages, .EXE/.DBF growth
Origin: Poland
Eff Length: ??? Bytes
Type Code: PNE - Parasitic Non-Resident .EXE Infector
Detection Method: ViruScan/X V67+, Pro-Scan, VirexPC
Removal Instructions: Scan/D/X, or delete infected files
General Comments:
The Joker Virus was isolated in Poland in December, 1989.
This virus is a generic .EXE file infector, and is a poor
replicator (ie. it does not quickly infect other files).
Programs which are infected with the Joker virus will
display bogus error messages and comments. These messages
and comments can be found in the infected files at the
beginning of the viral code. Here are some of the
messages and comments that may be displayed:
"Incorrect DOS version"
"Invalid Volume ID Format failure"
"Please put a new disk into drive A:"
"End of input file"
"END OF WORKTIME. TURN SYSTEM OFF!"
"Divide Overflow"
"Water detect in Co-processor"
"I am hungry! Insert HAMBURGER into drive A:"
"NO SMOKING, PLEASE!"
" Thanks."
"Don't beat me !!"
"Don't drink and drive."
"Another cup of cofee ?"
" OH, YES!"
"Hard Disk head has been destroyed. Can you borow me your one?"
"Missing light magenta ribbon in printer!"
"In case mistake, call GHOST BUSTERS"
"Insert tractor toilet paper into printer."
This virus may also alter .DBF files, adding messages to
them.
The sample in the author of this listing possession does not
replicate on an 8088 based system. This entry has been included
since the sample may have been damaged before its receipt by
the author. At best, there is a serious bug in the replication
portion of this virus which prevents it from replicating.
Virus Name: Joshi
Aliases: Happy Birthday Joshi, Stealth Virus
V Status: Common
Discovered: June, 1990
Symptoms: BSC, machine hangs and message
Origin: India
Eff Length: N/A
Type Code: BRX - Resident Boot Sector/Partition Table Infector
Detection Method: ViruScan V64+, Pro-Scan 1.4+, NAV
Removal Instructions: CleanUp V66+, Pro-Scan 1.4+, RmJoshi, NAV
or Low-Level Format Harddisk and DOS SYS floppies
General Comments:
The Joshi Virus was isolated in India in June 1990. At the time it was
isolated, it was reported to be widespread in India as well as
portions of the continent of Africa. Joshi is a memory resident
boot sector infector of 5.25" diskettes. It will also infect
hard disks, though in the case of hard disks it infects the partition
table or master boot sector rather than the boot sector (sector 0).
After a system has been booted from a Joshi-infected diskette, the
virus will be resident in memory. Joshi takes up approximately
6K of system memory, and infected systems will show that total
system memory is 6K less than is installed if the DOS CHKDSK program
is run.
Joshi has some similarities to two other boot sector infectors.
Like the Stoned virus, it infects the partition table of hard disks.
Similar to the Brain virus's method of redirecting all attempts to
read the boot sector to the original boot sector, Joshi does this with
the partition table.
On January 5th of any year, the Joshi virus activates. At that
time, the virus will hang the system while displaying the message:
"type Happy Birthday Joshi"
If the system user then types "Happy Birthday Joshi", the system
will again be usable.
This virus may be recognized on infected systems by powering off
the system and then booting from a known-clean write-protected
DOS diskette. Using a sector editor or viewer to look at the
boot sector of suspect diskettes, if the first two bytes of the
boot sector are hex EB 1F, then the disk is infected. The EB 1F
is a jump instruction to the rest of the viral code. The remainder
of the virus is stored on track 41, sectors 1 thru 5 on 360K
5.25 inch Diskettes. For 1.2M 5.25 inch diskettes, the viral code
is located at track 81, sectors 1 thru 5.
To determine if a system's hard disk is infected, you must look at
the hard disk's partition table. If the first two bytes of the
partition table are EB 1F hex, then the hard disk is infected. The
remainder of the virus can be found at track 0, sectors 2 thru 6.
The original partition table will be a track 0, sector 9.
The Joshi virus can be removed from an infected system by first
powering off the system, and then booting from a known-clean, write-
protected master DOS diskette. If the system has a hard disk, the
hard disk should have data and program files backed up, and the
disk must be low-level formatted. As of July 15, 1990, there are
no known utilities which can disinfect the partition table of the
hard disk when it is infected with Joshi. Diskettes are easier to
remove Joshi from, the DOS SYS command can be used, or a program
such as MDisk from McAfee Associates, though this will leave the
viral code in an inexecutable state on track 41.
Virus Name: July 13TH
Aliases:
V Status: Endangered
Discovered: April, 1990
Symptoms: .EXE file growth, screen effects on July 13
Origin: Madrid, Spain
Eff Length: 1,201 Bytes
Type Code: PNE - Parasitic Non-Resident .EXE Infector
Detection Method: ViruScan V64+, VirexPC, F-Prot 1.12+, NAV
Removal Instructions: Scan/D, F-Prot 1.12+, or delete infected files
General Comments:
The July 13TH Virus was isolated in Madrid, Spain, in April 1990
by Guillermo Gonzalez Garcia. This virus is a generic .EXE file
infector, and is not memory resident.
When a program infected with the July 13TH Virus is executed, the
virus will attempt to infect a .EXE file. Files are only infected
if they are greater in length than 1,201 bytes. Infected files
increase in size by 1,201 to 1,209 bytes.
The July 13TH Virus activates on July 13th of any year. At that
time, a bouncing ball effect occurs on the system monitor's screen
similar to the bouncing ball effect of the Ping Pong virus. While
this virus is disruptive, it does not cause any overt damage to
files other than infecting them. The bouncing ball effect created
by this virus will occasionally leave dots on the screen where
it was passing if the screen has been scrolled for any reason.
Virus Name: June 16TH
Aliases: Pretoria
V Status: Endangered
Discovered: April, 1990
Symptoms: .COM file growth, long disk accesses, June 16th FAT alteration
Origin: Republic of South Africa
Eff Length: 879 Bytes
Type Code: PNC - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan V62+, Pro-Scan 1.4+, VirexPC, AVTK 3.5+,
F-Prot 1.12+, VirHunt 2.0+, NAV
Removal Instructions: VirHunt 2.0+, Scan/D, Pro-Scan 2.01+, NAV
General Comments:
The June 16TH, or Pretoria, virus was discovered in April 1990.
This virus is a non-resident generic .COM file infector, and is
encrypted. The first time an infected file is executed, the virus
will search the current drive (all directories) and infect all
.COM files found. The search period can be quite long, and it is
very obvious on hard disk based systems that the program is taking
too long to load.
On June 16TH of any year, the first time an infected file is
executed the virus will activate. On activation, the virus will
change all entries in the root directory and the file allocation
table to "ZAPPED".
The June 16TH virus is thought to have originated in South
Africa.
Virus Name: Kamasya
Aliases:
V Status: New
Discovered: March, 1991
Symptoms: .EXE growth; decrease in total system & available memory
Origin: USA
Eff Length: 1,098 Bytes
Type Code: PRE - Parasitic Resident .EXE Infector
Detection Method: ViruScan V76+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The Kamasya Virus was submitted by David Grant of the United States in
March, 1991. The Kamasya Virus is based on the Murphy Virus from
Bulgaria. It is a memory resident infector of .EXE files.
When a program infected with the Kamasya Virus is executed, the virus
will check if it is already memory resident. If it isn't already
memory resident, it will install itself memory resident at the top
of system memory but below the 640K DOS boundary. A portion of the
virus will also be in low system memory. Interrupt 21 will be hooked
by the virus in high system memory, and interrupt 00 in low system
memory. Total system and available free memory, as indicated by the
DOS ChkDsk program, will decrease by 1,120 bytes.
Once Kamasya is memory resident, it will infect .EXE programs over 1K
in length when they are executed or openned for any reason. Infected
programs will increase in size by 1,098 bytes with the virus being
located at the end of the infected program. The program's date and
time in the DOS disk directory will not be altered.
Programs infected with Kamasya will contain the following text strings:
"Kamasya nendriya pritir
labho jiveta yavata
jivasya tattva jijnasa
nartho ya ceha karmabhih"
It is unknown if Kamasya does anything besides replicate.
This virus may be a research virus and not in the public domain. The
original sample submitted is not a natural infection of the virus.
Also see: Murphy
Virus Name: Kamikazi
Aliases:
V Status: Endangered
Discovered: August, 1990
Symptoms: program corruption, system hangs, system reboots
Origin: Bulgaria
Eff Length: 4,031 Bytes
Type Code: ONE - Overwriting Non-Resident .EXE Infector
Detection Method: Pro-Scan 2.01+
Removal Instructions: Delete infected files
General Comments:
The Kamikazi Virus was submitted by Vesselin Bontchev of Bulgaria in
August, 1990. This virus is a non-resident overwriting virus, and
infects .EXE files.
When a program infected with the Kamikazi virus is executed, the virus
will infect another .EXE file in the current directory if the .EXE
file's length is greater than 4,031 bytes. Kamikazi simply overwrites
the first 4,031 bytes of the candidate program with its viral code,
thus permanently damaging the candidate program being infected. The
original 4,031 bytes of code is not stored at any other location.
Infected files do not change in length.
After infecting another .EXE program, the virus will then change the
first 8 bytes of the infected program that was executed to
"kamikazi", thus the virus's name. At this point, one of several
symptoms may appear: the system may be rebooted by the virus, some
of the contents of memory may get displayed on the screen, or the
program may complete execution having appeared to have done nothing
at all. In any event, the original executed program will never run
successfully, doing what the user expects.
If the infected program is executed a second time, it will hang the
system since it is no longer an executable program. The .EXE header
has been permanently damaged due to the first 8 characters having been
changed to "kamikazi" by the virus when it was first executed.
Virus Name: Kemerovo
Aliases: USSR 257, Kemerovo-B
V Status: Rare
Discovered: December, 1990
Symptoms: .COM growth; ????????COM Path not found." message;
file date/time changes
Origin: USSR
Eff Length: 257 Bytes
Type Code: PNCK - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan V74+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The Kemerovo Virus was submitted in December, 1990 and is from the
USSR. This virus is a non-resident direct action infector of .COM
files, including COMMAND.COM.
When a program infected with the Kemerovo Virus is executed, the virus
will search the current drive and directory for a .COM program to
infect. If an uninfected COM program is found, the virus will infect
it, adding its viral code to the end of the original program. The
newly infected program's date and time in the disk directory will also
be updated to the current system date and time of infection. Infected
programs will increase in length by 257 bytes.
If an uninfected .COM file was not found in the current directory, the
message "????????COM Path not found" may be displayed and the program
the user is attempting to execute will be terminated.
Kemerovo does not do anything besides replicate.
Known variant(s) of Kemerovo include:
Kemerovo-B : Similar to Kemerovo, this variant is from the United States
and has been altered to avoid detection by some anti-viral
programs. Its major distinction from the original virus is
that it will infect five .COM programs in the current directory.
Virus Name: Kennedy
Aliases: Dead Kennedy, 333
V Status: Endangered
Discovered: April, 1990
Symptoms: .COM growth, message on trigger dates (see text),
crosslinking of files, lost clusters, FAT corruption
Origin: Denmark
Eff Length: 333 Bytes
Type Code: PNCKF - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan V62+, Pro-Scan 1.4+, VirexPC, F-Prot 1.12+,
VirHunt 2.0+, NAV
Removal Instructions: Scan/D, F-Prot 1.12+, VirHunt 2.0+,
or delete infected files
General Comments:
The Kennedy Virus was isolated in April 1990. It is a generic
infector of .COM files, including COMMAND.COM.
This virus has three activation dates: June 6 (assassination of
Robert Kennedy 1968), November 18 (death of Joseph Kennedy 1969),
and November 22 (assassination of John F. Kennedy 1963) of any
year. On activation, the virus will display a message the following
message:
"Kennedy is dead - long live 'The Dead Kennedys'"
The following text strings can be found in the viral code:
"\command.com"
"The Dead Kennedys"
Systems infected with the Kennedy Virus will experience
crosslinking of files, lost clusters, and file allocation table
errors (including messages that the file allocation table is
bad).
Virus Name: Keypress
Aliases:
V Status: Common
Discovered: October, 1990
Symptoms: .COM & .EXE growth; decrease in available free memory;
keystrokes repeated unexpectedly
Origin: USA
Eff Length: 1,232 Bytes
Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan V71+, Pro-Scan 2.01+
Removal Instructions: Clean-Up V71+, or Delete infected files
General Comments:
The Keypress Virus was reported and isolated in many locations in the
United States in late October, 1990. This virus is a memory resident
infector of .COM and .EXE files, including COMMAND.COM.
The first time a program infected with the Keypress Virus is executed,
the virus will install itself memory resident at the top of free
available memory, but below the 640K DOS boundary. Interrupts 1C and
21 will be hooked by the virus. Available free memory on the system
will have decreased by 1,232 bytes.
After the virus is memory resident, any file executed may become
infected by the virus. In the case of .COM files, they are only
infected if their original file length was greater than 1,232 bytes.
.EXE files of any length will be infected, as will COMMAND.COM if it
is executed. Infected programs will have their directory date/time
changed to the system date and time when they were infected by this
virus. .COM files will increase in length by between 1,234 and
1,248 bytes upon infection. .EXE files will increase by 1,472 to
1,486 bytes upon infection. In either case, the virus will be located
at the end of the infected file.
The Keypress Virus activates after being memory resident for 30 minutes.
Upon activation, the virus may interfer with keyboard input by repeating
keystrokes. For example, if "a" is entered on the keyboard, it may be
changed to "aaaaaa" by the virus.
Infected files can be identified by containing the following hex string
near the end of the infected program: 4333C98E1E2901CD21.
Virus Name: Korea
Aliases: LBC Boot
V Status: Common - Korea
Discovered: March, 1990
Symptoms: BSC - 360k disks
Origin: Seoul, Korea
Eff Length: N/A
Type Code: RF - Resident Floppy Boot Sector Infector
Detection Method: ViruScan V61+, VirHunt 2.0+
Removal Instructions: M-Disk, or DOS SYS Command
General Comments:
The Korea, or LBC Boot, Virus was isolated in March 1990 in
Seoul, Korea. This virus is a memory resident boot sector
infector for 5.25" 360K diskettes.
The Korea virus is not intentionally destructive, it does nothing
in its current form except for replicating. In some instances,
when Korea infects a diskette it will damage the root directory as
it moves the original boot sector to sector 11, the last sector of
the root directory. If sector 11 previously contained directory
entries, they will be lost.
Virus Name: Lazy
Aliases:
V Status: Rare
Discovered: February, 1991
Symptoms: .COM & .EXE growth; System slowdown; Slow screen writes;
System hangs
Origin: Unknown
Eff Length: 720 Bytes
Type Code: PRxCK - Parasitic Resident .COM Infector
Detection Method: ViruScan V75+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The Lazy Virus was isolated in February, 1991, and its origin is
unknown. This virus is a memory resident infector of .COM files,
including COMMAND.COM.
The first time a program infected with the Lazy Virus is executed on
a system, the virus will install itself memory resident in unreserved
low system memory hooking interrupts 10 and 21. The system processor
will be significantly slowed down, resulting in very slow screen
writes occurring.
After Lazy is memory resident, it will infect .COM programs as they
are executed. Infected .COM programs will increase in size by 720
bytes with the virus being located at the end of the infected file.
The program's date and time in the disk directory will be updated to
the current system date and time when infection occurred. Infected
programs can be identified by the text string "lazy" which will occur
near the end of all infected programs.
Systems infected with the Lazy Virus may experience unexpected system
hangs. These hangs occur when some programs are executed which allocate
and overwrite the memory where the Lazy Virus resides in memory. For
example, ViruScan will hang when it checks memory if Lazy is currently
resident.
Virus Name: Lehigh
Aliases: Lehigh University
V Status: Rare
Discovered: November, 1987
Symptoms: Corrupts boot sector & FAT
Origin: Pennsylvania, USA
Eff Length: N/A
Type Code: ORaKT - Overwriting Resident COMMAND.COM Infector
Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+,
VirHunt 2.0+, NAV
Removal Instructions: MDisk & replace COMMAND.COM with clean copy, or
F-Prot, NAV
General Comments:
The Lehigh virus infects only the COMMAND.COM file on both
floppies and hard drives. The infection mechanism is to over-
write the stack space. When a disk which contains an
uninfected copy of COMMAND.COM is accessed, that disk is then
infected. A infection count is kept in each copy of the virus,
and after 4 infections, the virus overwrites the boot sector and
FATs.
A variation of the Lehigh virus, Lehigh-2, exists which
maintains its infection counter in RAM and corrupts the boot
sector and FATs after 10 infections.
Known variants of the Lehigh virus are:
Lehigh-2 : Similar to Lehigh, but the infection counter is maintained
in RAM, and the corruption of the boot sector and FATs
occurs after 10 infections.
Lehigh-B : Similar to Lehigh, the virus has been modified to
avoid detection.
Virus Name: Leprosy
Aliases: Leprosy 1.00, News Flash
V Status: Rare
Discovered: August, 1990
Symptoms: unusual messages; program corruption
Origin: California, USA
Eff Length: 666 Bytes
Type Code: ONAK - Overwriting Non-Resident .COM & .EXE Infector
Detection Method: ViruScan/X V67+, NAV
Removal Instructions: Scan/D/X, or Delete infected files
General Comments:
The Leprosy Virus was discovered in the San Francisco Bay Area of
California on August 1, 1990. This virus is a non-resident
overwriting virus infecting .COM and .EXE files, including
COMMAND.COM. Its original carrier file is suspected to be a file
called 486COMP.ZIP which was uploaded to several BBSes.
When you execute a program infected with the Leprosy virus, the virus
will overwrite the first 666 bytes of all .COM and .EXE files in
the directory one level up from the current directory. If the
current directory is the root directory, all programs in the root
directory will be infected. If COMMAND.COM is located in the directory
being infected, it will also be overwritten. Infected files will show
no file length increase unless they were originally less than 666
bytes in length, in which case their length will become 666 bytes.
After the virus has infected the .COM and .EXE files, it will display
a message. The message will be either:
"Program to big to fit in memory"
or:
"NEWS FLASH!! Your system has been infected with the
incurable decay of LEPROSY 1.00, a virus invented by
PCM2 in June of 1990. Good luck!"
The second message will only be displayed by one out of every seven
.COM and .EXE files that the program infects.
Since Leprosy is an overwriting virus, the programs which are
infected with it will not function properly. In fact, once they are
infected with this virus they will run for awhile (while the virus is
infecting other files) and then display one of the two messages. The
program execution will then end.
If the system is booted from a diskette or hard drive that has Leprosy
in its COMMAND.COM file, one of the above two messages will be
displayed followed by:
"Bad or missing Command Interpreter"
This boot problem occurs because COMMAND.COM is no longer really
COMMAND.COM. The boot will not proceed until a system boot diskette
is inserted into the system and another boot is attempted.
While Leprosy's messages are encrypted in the virus, infected files
can be found by checking for the following hex string near the
beginning of the file:
740AE8510046FE06F002EB08
Infected files must be deleted and replaced with clean, uninfected
copies. There is no way to disinfect this virus since the first 666
bytes of the file have been overwritten, the virus does not store
those bytes anywhere else.
Known variant(s) of the Leprosy virus are:
Leprosy-B : The major differences between the Leprosy and Leprosy-B
virus are that Leprosy-B uses a slightly different encryption
method, thus allowing it to avoid detection once Leprosy was
isolated. Additionally, instead of infecting all programs in
the directory selected for infection, Leprosy-B will infect
four programs in the current directory each time an infected
program is executed. If four non-infected files do not exist
in the current directory, it will move up one level in the
directory structure and infect up to four files in that
directory. Like Leprosy, it overwrites the first 666 bytes
of infected files. The Leprosy message has been replaced
with the following message:
"ATTENTION! Your computer has been afflicted with
the incurable decay that is the fate wrought by
Leprosy Strain B, a virus employing Cybernetic
Mutation Technology (tm) and invented by PCM2 08/90."
Virus Name: Liberty
Aliases:
V Status: Common
Discovered: May, 1990
Symptoms: .COM, .EXE, .OVL growth
Origin: Sydney, Australia
Eff Length: 2,862 Bytes
Type Code: PRfAK - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan V63+, Pro-Scan 1.4+, VirexPC, F-Prot 1.12+,
VirHunt 2.0+, NAV
Removal Instructions: VirHunt 2.0+, Clean-Up V72+, or Delete infected files
General Comments:
The Liberty Virus was isolated in Sydney, Australia in May, 1990.
Liberty is a memory resident generic file infector, infecting
.COM, .EXE, and overlay files. COMMAND.COM may also become
infected.
The Liberty Virus gets its name from the text string "Liberty"
which will appear in all infected files. In .EXE files, it will
be located in the last 3K of the file. In .COM files, it will
appear near the very beginning of the program, as well as within the
last 3K of the infected file.
The first time a file infected with the Liberty Virus is executed,
the virus will become memory resident. Liberty installs itself
resident in high free memory, resulting in a decrease of 8,496 bytes
of available free memory. It also directly changes the interrupt
map page in memory so that interrupts 21 and 24 will put the virus in
control. Total system memory does not change.
After becoming memory resident, programs which are executed may
be infected by the virus. All .EXE files will be infected, but
only .COM files over 2K in length will become infected. Overlay
files will also become infected. Infected files will increase
in size between 2,862 and 2,887 bytes, and will end with the hex
character string: 80722D80FA81772880. The main body of the virus will
be located at the end of all infected files.
Infected .COM files can also be identified by the following text
string which will appear near the beginning of the infected program:
"- M Y S T I C - COPYRIGHT (C) 1989-2000, by SsAsMsUsEsL"
This string does not appear in infected .EXE files, the area where
this string would have appeared in infected .EXE files will be 00h
characters.
Liberty is a self-encrypting virus. It is not yet known if it
is destructive.
Known variant(s) of Liberty are:
Liberty-B : Isolated in November, 1990, this strain is functionally
similar to the original Liberty Virus. The string which
occurs at the end of all infected files has been changed
to: C8004C40464842020EB. The word "MAGIC" will also be found
repeated together many times in infected files.
Liberty-C : Isolated in January, 1991, this variant is very similar to
Liberty-B, there are 16 bytes which have been changed. Like
Liberty-B, the word "MAGIC" will be found repeated together
many times in infected files. The string which occurs at the
end of all infected files has been changed to:
C8004C404648422020E9.
Virus Name: Lisbon
Aliases:
V Status: Rare
Discovered: November, 1989
Symptoms: .COM growth, Unusable files (see text)
Origin: Lisbon, Portugal
Eff Length: 648 bytes
Type Code: PNC - Parasitic Non-Resident COM Infector
Detection Method: ViruScan V49+, F-Prot, IBM Scan, Pro-Scan, AVTK 3.5+,
VirHunt 2.0+, NAV
Removal Instructions: Scan/D, Pro-Scan 1.4+, VirexPC, F-Prot, VirHunt 2.0+,
NAV
General Comments:
The Lisbon virus is a strain of the Vienna virus first
isolated by Jean Luz in Portugal in November, 1989. The virus
is very similar to Vienna, except that almost every word in
the virus has been shifted 1-2 bytes in order to avoid virus
identification/detection programs which could identify the
Vienna virus.
1 out of every 8 infected files will have the 1st 5 bytes of
the 1st sector changed to "@AIDS", thus rendering the
program unusable.
Also see: Vienna
Virus Name: Little Pieces
Aliases: 1374
V Status: Rare
Discovered: January, 1991
Symptoms: .COM & .EXE growth; decrease in available free memory; message;
system hangs; unexpected screen clears
Origin: Italy
Eff Length: 1,374 Bytes
Type Code: PRaE - Parasitic Resident .EXE Infector
Detection Method: ViruScan V74+
Removal Instructions: Scan/D, or Delete infected programs
General Comments:
The Little Pieces Virus was isolated in January, 1991, in Italy. This
virus is a 1,374 byte memory resident infector of .EXE files.
The first time a program infected with Little Pieces is executed, the
virus will install itself memory resident. The area where it is memory
resident is 1,392 bytes long and labelled COMMAND Data in low system
memory. Some memory mapping utilities will combine this area with the
command interpretor, so the command interpretor will appear to be 1,392
bytes longer than expected. Interrupts 13, 16, and 21 are hooked by
the Little Pieces Virus.
Once Little Pieces is memory resident, it will infect .EXE programs
as they are executed. Infected .EXE programs will increase in size by
1,374 bytes and have the virus located at the end of the infected
file. Infected files will not have their date and time in the disk
directory altered.
Systems infected with the Little Pieces Virus may experience the system
display being cleared unexpectedly after a key is pressed on the
keyboard. The following message is usually displayed after the
screen is cleared, though not always:
"One of these days I'm going to cut you into little pieces"
This message cannot be viewed in infected files as it is encrypted
within the virus.
Infected system may also experience unexpected system hangs occurring,
requiring the system to be rebooted. These hangs sometimes occur after
the above message is displayed.
Virus Name: Lozinsky
Aliases:
V Status: Rare
Discovered: December, 1990
Symptoms: .COM file growth; file date/time changes;
decrease in total system and available free memory
Origin: USSR
Eff Length: 1,023 Bytes
Type Code: PRtCK - Parasitic Resident .COM Infector
Detection Method: ViruScan V74+
Removal Instructions: Scan/D, or Delete infected programs
General Comments:
The Lozinsky Virus was submitted in December, 1990 from the USSR.
Lozinsky is a memory resident infector of .COM files, including
COMMAND.COM.
When the first program infected with Lozinsky is executed, the virus
will install itself memory resident at the top of system memory but
below the 640K DOS boundary. Interrupt 12's return will be moved so
that the system will report 2,048 bytes of memory less than what is
actually installed. Interrupts 13 and 21 will be hooked by the virus.
COMMAND.COM will also become infected at this time.
After Lozinsky is memory resident, it will infect .COM files which are
executed or openned for any reason. Infected programs will show a file
length increase of 1,023 bytes and have the virus located at the end
of the program. Their date and time in the disk directory will also
have been updated to the system date and time when the program was
infected by Lozinsky.
It is unknown if Lozinsky does anything besides replicate.
Virus Name: Mardi Bros
Aliases:
V Status: Rare
Discovered: July, 1990
Symptoms: BSC; volume label change; decrease in system and free memory
Origin: France
Eff Length: N/A
Type Code: FR - Floppy Boot Sector Infector
Detection Method: ViruScan V66+
Removal Instructions: M-Disk, or DOS SYS Command
General Comments:
The Mardi Bros Virus was isolated in July 1990 in France. This virus
is a memory resident infector of floppy disk boot sectors. It does
not infect hard disk boot sectors or partition tables.
When a system is booted from a diskette infected with the Mardi Bros
Virus, the virus will install itself memory resident. It resides in
7,168 bytes above the top of memory, but below the 640K DOS Boundary.
The decrease in system and free memory can be seen using the DOS
CHKDSK command, or several other memory mapping utilities.
Mardi Bros will infect any non-write protected diskette which is
exposed to the system. Infected diskettes can be easily identified
as their volume label will be changed to "Mardi Bros". The CHKDSK
program will show the following for the diskette's Volume label
information:
"Volume Mardi Bros created ira 0, 1980 12:00a"
While the infected boot sector on the diskette will have the DOS
messages still remaining, it will also include the following phrase
near the end:
"Sudah ada vaksin"
It is unknown if Mardi Bros is destructive, it appears to do nothing
but spread.
Mardi Bros can be removed from infected diskettes by first powering
off the system and rebooting from a known clean write protected
DOS master diskette. The DOS SYS command should then be used to
replace the infected diskette's boot sector. Alternately, MDisk
can be used following the power-down and reboot.
Virus Name: MG
Aliases:
V Status: Rare
Discovered: September, 1990
Symptoms: .COM file growth; DIR command may not function properly;
File allocation errors; System hangs
Origin: Bulgaria
Eff Length: 500 Bytes
Type Code: PRCK - Parasitic Resident .COM Infector
Detection Method: ViruScan V74+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The MG Virus was submitted in January, 1991, though it has been
mentioned by Bulgarian researchers several times since September, 1990.
This virus is named MG as it was originally isolated at
Matematicheska Gimnazia, a school in Varna, Bulgaria. It is a memory
resident infector of .COM files, including COMMAND.COM.
The first time a program infected with MG is executed, the virus will
install itself memory resident in a portion of the interrupt table in
memory. Interrupt 24 is hooked by the virus, as are several other
interrupts.
After MG is memory resident, it will infect programs when one of two
things occurs: either the user attempts to execute any program, or a
Dir command is performed. In the case of a program being executed, the
virus will infect one program in the current directory, though not
necessarily the program being executed. When a Dir command is executed,
one program in the current directory will be infected as well.
.COM programs infected with MG will increase in length by 500 bytes,
though the file length increase will not be visible in a dir listing
if the virus is memory resident. File date and time in the disk
directory are also not altered. The virus will be located at the end
of infected programs.
Symptoms of a MG infection are that the DOS Chkdsk program will show
File allocation errors on all infected .COM programs if the virus is
present in memory. The DOS Dir command may also not function properly,
for example DIR A:*.COM will yield "File not found" even though .COM
files exist on the A: drive. At other times, pauses will occur in the
disk directory being displayed by the Dir command. Another symptom is
that unexpected system hangs may occur due to the interrupt table being
infected in memory.
Also see: MG-2
Virus Name: MG-2
Aliases:
V Status: Rare
Discovered: December, 1990
Symptoms: .COM file growth; File Allocation Errors;
Dir command may not function properly
Origin: Bulgaria
Eff Length: 500 Bytes
Type Code: PRsCK - Parasitic Resident .COM Infector
Detection Method: ViruScan V74+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The MG-2 Virus was received in December, 1990, and is believed to have
originated in Bulgaria. This virus is a direct action, memory resident
infector of .COM programs, including COMMAND.COM.
When a program infected with the MG-2 Virus is first executed, the
virus will install itself memory resident. The DOS ChkDsk command,
when executed on an infected system, will indicate that total system
memory and available free memory have decreased by 55,104 bytes. This
virus remaps many interrupts, including interrupt 24. A portion of the
virus will also be resident above 640K if memory is available.
After the MG-2 Virus is memory resident, it will infect one .COM
program in the current directory each time an infected .COM program is
executed. Infected .COM programs will not show a file length increase
if the virus is memory resident. With the virus memory resident, the
DOS ChkDsk command will indicate a file allocation error for all
infected files. Infected files actually increase 500 bytes in length
and have the virus located at the end of the infected file.
Systems infected with the MG-2 Virus may notice that the DOS Dir
command does not always return the results expected. For example,
issuing a "DIR C:\DOS" command may result in the C: drive root directory
being displayed instead of the C:\DOS directory. Another case is that
issuing the command "DIR A:*.COM" will result in "File not found" though
.COM files exist on that drive.
Known variant(s) of MG-2 are:
MG-3 : Functionally similar to MG-2, this variant has been altered
to avoid detection. It is also 500 bytes in length.
Also see: MG
Virus Name: MGTU
Aliases:
V Status: Rare
Discovered: December, 1990
Symptoms: .COM file growth; excessive disk activity; file date/time changes;
"????????COM Path not found." message
Origin: USSR
Eff Length: 273 Bytes
Type Code: PNCK - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan V74+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The MGTU Virus was submitted in December, 1990 and came from the USSR.
This virus is a non-resident direct action infector of .COM files,
including COMMAND.COM.
When a program infected with the MGTU Virus is executed, the virus will
search the current drive and directory for uninfected .COM programs.
All uninfected .COM programs will become infected with the virus.
Infected .COM programs will have a file length increase of 273 bytes
with the virus being located at the end of the file. Their date and
time in the disk directory will also have been updated to the system
date and time when infection occurred.
Infected systems will display excessive disk activity each time an
infected program is executed. This activity occurs because the virus
is checking all of the .COM programs in the current directory to
determine if they are already infected, or if they need to be infected.
Infected systems may also experience the following message being
displayed for no apparent reason:
"????????COM Path not found."
MGTU does not do anything besides replicate.
Virus Name: Microbes
Aliases:
V Status: Common - India
Discovered: June, 1990
Symptoms: BSR
Origin: Bombay, India
Eff Length: N/A
Type Code: BR - Floppy and Hard Disk Boot Sector Infector
Detection Method: ViruScan V64+, Pro-Scan 1.4+
Removal Instructions: M-Disk, Pro-Scan 1.4+, or DOS SYS Command
General Comments:
The Microbes virus was isolated in June, 1990 in India. It is a
memory resident boot sector infector of both floppy diskettes and
hard disks.
The Microbes virus becomes memory resident when a system is booted
from a disk infected with the Microbes virus. The system may hang
on this boot, and inserted a diskette to boot from will result in
this new diskette becoming infected. At least on the author's XT
test system, the system could not successfully boot with the
Microbes virus present without powering off the system and rebooting
from a write protected master boot diskette.
As with other boot sector infectors, Microbes can be disinfected
from diskettes and hard drives by powering off the system and
booting from a known clean write protected master boot diskette
for the system. The DOS SYS command can then be used to recreate
the boot sector on the diskette.
Virus Name: Migram
Aliases:
V Status: New
Discovered: March, 1991
Symptoms: .EXE growth; decrease in total system & available free memory
Origin: USA
Eff Length: 1,221 Bytes
Type Code: PRhE - Parasitic Resident .EXE Infector
Detection Method: ViruScan V76+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The Migram Virus was submitted in March, 1991, by David Grant of the
United States. This virus is a memory resident infector of .EXE files
and is based on the Murphy Virus from Bulgaria.
When a program infected with the Migram Virus is executed, the virus
will check to see if it is already memory resident. If the virus is
not resident, the virus will install itself resident at the top of
system memory, but below the 640K DOS boundary. The interrupt 12
return is not moved. Interrupt 21 is hooked by the virus. Total
system memory and available free memory, as indicated by the DOS ChkDsk
program, will decrease by 1,248 bytes.
Once Migram is memory resident, it will infect .EXE files over 1K in
length when they are executed or openned for any reason. Infected
programs will increase in length by 1,221 bytes with the virus being
located at the end of the infected file. The file's date and time in
the disk directory will not be altered.
Programs infected with Migram will contain the following text strings:
"MIGRAM VIRUS 1.0
(C) 1991 IVL"
It is unknown what Migram does besides replicate.
The original sample of this virus is not a natural infection of the
virus, so it is possible this virus is a research virus and not in the
public domain as of March, 1991.
Also see: Murphy
Virus Name: Mirror
Aliases:
V Status: Rare
Discovered: October, 1990
Symptoms: .EXE growth; decrease in available free memory; mirror effect
of display on activation
Origin: Unknown
Eff Length: 927 Bytes
Type Code: PRhE - Parasitic Resident .EXE Infector
Detection Method: ViruScan V67+, Pro-Scan 2.01+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The Mirror Virus was discovered in October, 1990. This virus is a
memory resident direct action infector of .EXE files.
The first time a program infected with the Mirror Virus is executed,
the virus will install itself memory resident at the top of free
available memory. Free available memory will decrease by 928 bytes,
and the virus will hook interrupt 21. At this time, the virus will
also infect all other .EXE programs located in the current directory.
Infected programs will increase in length by 927 to 940 bytes, with
the virus being located at the end of the infected file. Infected
programs will also always end with the two text characters "IH".
The Mirror Virus gets its name from its behavior. Every once in awhile
it will change the system's video display so that a mirror image of
what was previously on the display appears.
Virus Name: MIX/1
Aliases: MIX1, Mix1
V Status: Rare
Discovered: August, 1989
Symptoms: TSR, .EXE growth, location 0:33C = 77h, garbled output
Origin: Israel
Eff Length: 1,618 Bytes
Type Code: PRsE - Parasitic Resident .EXE Infector
Detection Method: ViruScan V37+, F-Prot, IBM Scan, Pro-Scan, VirexPC,
AVTK 3.5+, VirHunt 2.0+, NAV
Removal Instructions: Scan/D, Virus Buster, Pro-Scan 1.4+, VirexPC 1.1B+,
F-Prot, VirHunt 2.0+
General Comments:
The MIX1 Virus was originally isolated on August 22, 1989, on
several BBSs in Israel. This virus is a parasitic memory-
resident .EXE file infector. Once an infected program has been
executed, the virus will take up 2,048 bytes in RAM. Each
.EXE file then executed will grow in length between 1,618 and
1,634 bytes, depending on the original file size. The virus
will not, however, infect files of less than 8K in size.
Infected files can be manually identified by a characteristic
"MIX1" always being the last 4 bytes of an infected file.
Using Debug, if byte 0:33C equals 77h, then the MIX1 virus is
in memory.
This virus will cause garbled output on both serial and
parallel devices, as well as the num-lock being constantly
on. After the 6th infection, booting the system will crash
the system due to a bug in the code, and a ball will start
bouncing on the system monitor.
There is a variant of this virus which does not have the
problem of system crashes occurring, and will only infect files
that are greater than 16K in length.
Mix/1 has several code similarities to Icelandic, which it may
have been derived from.
Also see: Icelandic, Mix2
Virus Name: Mix2
Aliases:
V Status: New
Discovered: March, 1991
Symptoms: .COM & .EXE growth; system hangs;
Decrease in total system and available free memory
Origin: Europe
Eff Length: 2,287 Bytes
Type Code: PRhA - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan V76+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The Mix2 Virus was submitted in March, 1991. Original reports of this
virus were received from Europe. Mix2 is based on the Mix1 virus, and
is a memory resident infector of .COM and .EXE files. It does not
infect COMMAND.COM
When the first program infected with Mix2 is executed, Mix2 will install
itself memory resident at the top of system memory, but below the 640K
DOS boundary. It will mark this area of reserved memory "COMMAND Data"
and will hook interrupt 21. Total system and available free memory, as
indicated by the DOS ChkDsk program, will decrease by 3,040 bytes.
Interrupt 12's return will not be moved.
Once Mix2 is memory resident, it will infect .COM and .EXE programs over
9K in length when they are executed. Infected programs will increase
in length by 2,287 to 2,294 bytes with the virus being located at the
end of the infected file. This virus does not alter the file date and
time in the disk directory.
Some programs which are memory intensive, or which allocate all
available memory will hang when executed with Mix2 memory resident.
It is unknown what Mix2 does besides replicate.
Also see: Mix1
Virus Name: Monxla
Aliases: Time Virus
V Status: Rare
Discovered: November, 1990
Symptoms: .COM growth; system hangs and/or reboots; program execution
failures
Origin: Hungary
Eff Length: 939 Bytes
Type Code: PRfCK - Parasitic Resident .COM Infector
Detection Method: ViruScan V71+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The Monxla, or Time, Virus was discovered in November, 1990 in Hungary.
This virus is a memory resident direct action infector of .COM files,
including COMMAND.COM.
When a program infected with the Monxla Virus is executed, the virus
will check the current system time. If the system time's current
seconds is greater than 32/100's of a second, the virus will install
a very small portion of itself memory resident at the top of free
memory but below the 640K DOS boundary. The virus allocates 80 bytes,
and will hook interrupts 20 and F2. The F2 interrupt is later used to
determine if the virus is in memory, thus avoiding multiple memory
allocations. The memory resident portion of the virus is not used to
infect files.
Each time a program infected with the Monxla Virus is executed, the
virus will search for one uninfected .COM file with a length between
3,840 and 64,000 bytes to infect. The current directory is searched
first, and then the directories along the system path. Once an
uninfected .COM file is found that satisfies the length requirement,
the virus will infect it. On other than the 13th day of any month,
the virus will add its viral code to the end of the candidate file,
increasing the file's length by 939 bytes.
On the 13th day of any month, the virus activates. The activation
involves damaging the files that it infects based on the current
seconds in the system time. At the time the virus attempts to infect
another .COM file, the virus will damage the file in one of three
ways. If the current seconds was greater than 60/100's, 4 HLTs followed
by a random interrupt will be placed at the beginning of the file
being infected. Later when the program is executed, it may perform
rather strangely be destructive. It depends on what the random interrupt
was. If the current seconds was greater than 30/100's, but less than
60/100's, two INT 19 calls are placed at the beginning of the file.
Later when the program is executed, it will attempt to perform a warm
reboot preserving the current interrupt vectors. This, however, will
result in a system hang if any interrupt between 00h and 1Ch was
previously hooked. If the current seconds was greater than 00/100's
but less than 30/100's, a INT 20 call is placed at the beginning of
the program being infected, thus resulting in it immediately terminating
when later executed.
Virus Name: Monxla B
Aliases: Time B
V Status: Rare
Discovered: January, 1991
Symptoms: .COM growth; File corruption
Origin: Hungary
Eff Length: 535 Bytes
Type Code: PNCK - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan V74+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The Monxla B Virus was isolated in January, 1991 in Hungary. This virus
is a non-resident direct action infector of .COM files, including
COMMAND.COM.
When a program infected with Monxla B is executed, the virus will check
the seconds portion of the system time. Depending on the value found,
either one .COM program in the current directory will be infected, or
one .COM program in the current directory will be corrupted.
If the seconds portion of the system time is equal 0 or a multiple of 8,
one .COM program in the current directory, or on the system path, will
be corrupted by the first five characters of the selected .COM program
being changed to the hex string: 004D004F4D, or " M OM" in text.
Corrupted programs will not have a file length increase. Later
execution of these corrupted programs will usually result in the
system being hung, requiring a reboot.
If the seconds portion of the system time was not 0 or a multiple of 8,
a .COM program in the current directory will be infected with Monxla B.
If no programs exist in the current directory which are neither
corrupted or infected, the virus will follow the system path to find a
candidate program to infect.
Infected .COM programs will increase in length by 535 bytes, the virus
will be located at the end of infected programs. The virus will also
have changed the seconds in the file time in the disk directory to 58
so that the virus can later tell that the file is infected.
Virus Name: Murphy
Aliases: Murphy-1, V1277, Stealth Virus
V Status: Common - Bulgaria
Discovered: April, 1990
Symptoms: .COM & .EXE growth, system hangs, speaker noise,
possible bouncing ball effect (see Murphy-2 below)
Origin: Sofia, Bulgaria
Eff Length: 1,277 Bytes
Type Code: PRA - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan V63+, Pro-Scan 1.4+, F-Prot 1.12+, NAV
Removal Instructions: Scan/D, Pro-Scan 1.4+, NAV, or Delete infected files
General Comments:
The Murphy Virus was isolated in Bulgaria in April, 1990. It is
a memory resident generic .COM & .EXE infector, and will infect
COMMAND.COM.
The first time an infected program is executed on a system, the
virus installs itself memory resident. After it is memory resident,
if a file is executed, or openned for any reason, it is infected by
the Murphy Virus. When the first non-infected program is executed
with the virus in memory, the virus will attempt to infect
COMMAND.COM. The program being executed will also be infected at
that time. Infected programs will increase in length by
1,277 Bytes. Programs which are less than 1,277 Bytes in length
will not be infected.
The Murphy Virus watches the system time. When the system time is
between 10AM and 11AM, the virus will turn on the system speaker
and send a 61h to it. At any other time, the virus will not
attempt to use the system speaker.
The following text message is contained within the Murphy Virus,
giving an idea of when it was written and by whom, though they are
not displayed:
"Hello, I'm Murphy. Nice to meet you friend.
I'm written since Nov/Dec.
Copywrite (c)1989 by Lubo & Ian, Sofia, USM Laboratory."
Systems infected by the Murphy Virus may also experience system
hangs when the virus attempts to infect .EXE files.
Known variant(s) of the Murphy Virus are:
Murphy-2 or V1521 - Similar to the Murphy Virus, its length is 1,521
Bytes. The non-displayed messages in the virus are now:
"It's me - Murphy.
Copywrite (c)1990 by Lubo & Ian, Sofia, USM Laboratory."
The Murphy-2 will infect any .EXE file, as well as any .COM
file over 900 Bytes. Instead of turning the system speaker
on between 10AM and 11AM, this variant waits for the system
time to have the minutes set to 00, then it may have a
"bouncing ball" effect similar to several other viruses.
This effect does not, however, occur on all systems.
Also see: AntiChrist, HIV, Kamasya, Migram
Virus Name: MusicBug
Aliases: Music Boot, Music Bug
V Status: Common
Discovered: December, 1990
Symptoms: decrease in total system and available free memory; clicking;
music randomly played on system speaker; lost clusters
Origin: Taiwan
Eff Length: N/A
Type Code: BRtX - Resident Boot Sector & Partition Table Infector
Detection Method: ViruScan V72+
Removal Instructions: Clean-Up V74+, or see below
General Comments:
The MusicBug Virus is a memory resident boot sector and partition table
infector discovered in December, 1990. It originated in Taiwan.
When a system is booted from a diskette infected with the MusicBug
Virus, the virus will install itself memory resident at the top of
system memory but below the 640K DOS boundary. The interrupt 12 return
will be moved, so 640K systems will now report 638K of installed
system memory. Clicking may be heard for a short time from the system
speaker before the boot proceeds, but more likely a section of a tune
will be played. The boot will then proceed.
Once MusicBug is memory resident, it will periodically play another
portion of the same tune when disk accesses occur. It is thus rather
disruptive.
When MusicBug is memory resident, any disk accessed (including the
system hard disk) will become infected with the virus. In the case
of hard disks, MusicBug infects the hard disk partition table and boot
sector.
Infected disks will have 4K in lost clusters which will contain the
virus's code as well as a copy of the disk's original boot sector.
The following text strings can also be found in these lost clusters:
"MusicBug v1.06. MacroSoft Corp."
"Made in Taiwan"
Diskettes infected with the MusicBug Virus can be disinfected after
powering off the system and booting from a write protected system
diskette, then using the DOS SYS command. The lost clusters can then
be removed by using the ChkDsk command with the /F parameter.
Hard disks, however, cannot be disinfected in the same way. While
the DOS SYS command will remove the virus from the hard disk's boot
sector, and the lost clusters can be recovered, the hard disk will
remain an unbootable non-system disk until a low-level format is
performed.
Virus Name: New Jerusalem
Aliases:
V Status: Rare
Discovered: October, 1989
Symptoms: TSR; .EXE, .COM, etc. (see below) growth; system slowdown;
deleted files on Friday 13th
Origin: Holland
Eff Length: 1,813 Bytes (.COM) & 1,808 Bytes (.EXE)
Type Code: PRsA - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan V45+, F-Prot, Pro-Scan 1.4+
Removal Instructions: Saturday, CleanUp, F-Prot, Pro-Scan 1.4+
General Comments:
New Jerusalem is a variation of the original Jerusalem virus
which has been modified to be undetectable by ViruScan versions
prior to V45 as well as IBM's VIRSCAN product as of October 20,
1989. The virus was first detected when it was uploaded to
several BBSs in Holland beginning on October 14, 1989. It
infects both .EXE and .COM files and activates on any Friday The
13th, deleting infected programs when they are attempted to be
run.
This virus is memory resident, and as with other Jerusalem
viruses, may infect overlay, .SYS, .BIN, and .PIF files.
Also see: Jerusalem, Jerusalem B, Payday, Suriv 3.00
Virus Name: Nina
Aliases:
V Status: Rare
Discovered: December, 1990
Symptoms: .COM growth; decrease in total system and available free memory;
Origin: Bulgaria
Eff Length: 256 Bytes
Type Code: PRhCK - Parasitic Resident .COM & Infector
Detection Method: ViruScan V74+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The Nina Virus was received in December, 1990, and is from Bulgaria.
This virus is a memory resident infector of .COM files, including
COMMAND.COM.
When the first program infected with the Nina Virus is executed, Nina
will install itself memory resident at the top of system memory but
below the 640K DOS boundary. Total system memory and available free
memory will decrease by 1,024 bytes as shown by the DOS ChkDsk command.
Interrupt 21 will be hooked by the virus.
After Nina is memory resident, it will infect .COM programs that are
greater than 256 bytes in length as they are executed. If COMMAND.COM
is executed, it will become infected. Infected .COM programs increase
in length by 256 bytes, and will have the virus located at the beginning
of the infected file.
The Nina Virus is named Nina because the virus contains the text
string "Nina" within the viral code.
This virus does not do anything besides replicate.
Virus Name: Nomenklatura
Aliases: Nomenclature, 1024-B
V Status: Rare
Discovered: August, 1990
Symptoms: .EXE, .COM growth; decrease in available free memory;
"sector not found" messages on diskettes;
Origin: Netherlands
Eff Length: 1,024 Bytes
Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan V67+, Pro-Scan 2.01+, NAV
Removal Instructions: Scan/D or Delete infected files
General Comments:
The Nomenklatura Virus was isolated in August, 1990 in the
Netherlands. This virus is a memory resident infector of .COM and
.EXE files, including COMMAND.COM. It is not related to the V1024
virus, though it is the same length.
The first time a program infected with the Nomenklatura Virus is
executed on a system, the virus installs itself memory resident at
the top of available system memory, but below the 640K DOS boundary.
Available system memory will decrease by 1,024 bytes, and interrupt
21 will be hooked by the virus.
When the virus is memory resident, any .COM or .EXE program greater in
length then approximately 1,023 bytes that is executed or openned
for any reason will be infected by the Nomenklatura virus. Infected
files will have their file lengths increased by 1,024 bytes. The
virus does not hide the increase in file length when the disk directory
is displayed.
Attempts to execute uninfected programs from a write-protected diskette
with the virus in memory will result in a "Sector not found error"
message being displayed, and the program not being executed.
The Nomenklatura Virus is destructive to the contents of diskettes
exposed to infected systems. File corruption will randomly occur,
with the frequency increasing as the disk becomes more filled with data.
The file errors may occur on data files as well program files. This
file corruption occurs due to the virus occassionally swapping a pair of
words in the sector buffer. It may also do this to critical system
areas such as the FAT, boot sector, or directories since it may occur
to any clusters on the disk. If a file or critical system area was
residing in a corrupted cluster, it will be corrupted. As such, systems
which has been exposed to the Nomenklatura Virus must be carefully
checked as the integrity of non-infected programs and any datafiles
should be considered suspect.
The virus has been named Nomenklatura as this text string appears in
all programs infected with this virus.
Virus Name: Number One
Aliases: Number 1
V Status: Extinct
Discovered: 1987 (see below)
Symptoms: .COM files fail to function; <Smile> displayed
Origin: West Germany
Eff Length: 12,032 Bytes
Type Code: ONC - Overwriting Non-Resident .COM Infector
Detection Method:
Removal Instructions: Scan/D or Delete infected files
General Comments:
The Number One Virus was submitted for inclusion in this listing in
September, 1990. This virus, however, is not a new virus but is an
extinct rather "old" virus. The Number One Virus was written in
October, 1987, by M. Vallen using Turbo Pascal 3.01A. It is
documented, complete with source, in a book by Ralf Burger. This
virus is an non-resident overwriting virus which infects .COM files.
When a program infected with the Number One Virus is executed, the virus
will infect the first uninfected .COM file it finds in the current
directory. If the .COM file was originally less than 12,032 bytes in
length, it will now have a 12,032 bytes. Infected files will also have
their date/timestamps in the directory changed to reflect the time of
infection. After Number One has finished infecting a .COM file, it will
display the message:
"This File Has Been Infected by Number One!
XXXXXXXX.COMinfected."
The XXXXXXXX is the name of the .COM file that has just been infected
by the virus. When there are no more .COM files for Number One to
infect in the current directory, it will display the following
message:
"This File Has Been Infected by Number One!
<Smile>"
Number One will not infect any files which have the Read Only Attribute
set.
Since Number One is an overwriting virus, it is not possible to
remove the virus from infected files and repair the damage. Infected
files should be erased and replaced with clean copies.
Virus Name: Ohio
Aliases:
V Status: Common
Discovered: June, 1988
Symptoms: BSC, Resident TOM
Origin: Indonesia
Eff Length: N/A
Type Code: RtF - Resident Floppy Boot Sector Infector
Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+,
VirHunt 2.0+
Removal Instructions: MDisk, F-Prot, VirexPC, Pro-Scan 1.4+,
or DOS SYS Command
General Comments:
The Ohio virus is a memory resident boot sector infector, only
infecting 360K floppy disks. The Ohio virus is similar in
many respects to the Den Zuk virus, and is believed to possibly
be the earlier version of Den Zuk. A diskette infected with
Ohio will be immune to infection by the Pakistani Brain virus.
The following text strings appear in the Ohio virus:
"V I R U S
b y
The Hackers
Y C 1 E R P
D E N Z U K 0
Bandung 40254
Indonesia
(C) 1988, The Hackers Team...."
Also see: Den Zuk
Virus Name: Ontario
Aliases:
V Status: Rare
Discovered: July, 1990
Symptoms: .COM & .EXE growth; decrease in system and free memory;
hard disk errors in the case of extreme infections
Origin: Ontario, Canada
Eff Length: 512 Bytes
Type Code: PRtAK - Parasitic Encrypted Resident .COM & .EXE Infector
Detection Method: ViruScan V66+, Pro-Scan 2.01+, NAV
Removal Instructions: SCAN /D, or Delete infected files
General Comments:
The Ontario Virus was isolated by Mike Shields in Ontario, Canada
in July, 1990. The Ontario virus is a memory resident infector of
.COM, .EXE, and overlay files. It will infect COMMAND.COM.
The first time a program infected with the Ontario Virus is executed,
it will install itself memory resident above the top of system memory
but below the 640K DOS boundary. Total system memory and free memory
will be decreased by 2,048 bytes. At this time, the virus will
infect COMMAND.COM on the C: drive, increasing its length by 512 bytes.
Each time an uninfected program is executed on the system with the
virus memory resident, the program will become infected with the viral
code located at the end of the file. For .COM files, they will
increase by 512 bytes in all cases. For .EXE and overlay files, the
file length increase will be 512 - 1023 bytes. The difference in
length for .EXE and overlay files is because the virus will fill out
the unused space at the end of the last sector of the uninfected file
with random data (usually a portion of the directory) and then append
itself to the end of the file at the next sector. Systems using
a sector size of more than 512 bytes may notice larger file increases
for infected files. Infected files will always have a file length
that is a multiple of the sector size on the disk.
In the case of extreme infections of the Ontario Virus, hard disk
errors may be noticed.
Ontario uses a complex encryption routine, and a simple identification
string will not identify this virus.
Virus Name: Oropax
Aliases: Music Virus, Musician
V Status: Rare
Discovered: December, 1989
Symptoms: .COM growth, tunes
Origin:
Eff Length: 2,756 - 2,806 bytes, but usually 2,773 bytes
Type Code: PRC - Parasitic Resident .COM Infector
Detection Method: ViruScan V53+, F-Prot, IBM Scan, Pro-Scan, VirexPC,
AVTK 3.5+, VirHunt 2.0+, NAV
Removal Instructions: SCAN /D, F-Prot, VirexPC, Pro-Scan 1.4+, VirHunt 2.0+
or delete infected files
General Comments:
The Oropax virus has had several reports, but wasn't first isolated
until December 1989. It infects .COM files, increasing their length
by between 2,756 bytes and 2,806 bytes. Infected files will always
have a length divisible by 51. The virus may become active (on a
random basis) five minutes after infection of a file, playing three
different tunes with a seven minute interval in between.
One variant recently reported in Europe plays six different
tunes at seven minute intervals.
Virus Name: Paris
Aliases:
V Status: Rare
Discovery: August, 1990
Symptoms: .COM & .EXE file growth; slow program loads upon execution;
Diskette corruption after diskette boot
Origin: Paris, France
Eff Length: 4,909 Bytes
Type Code: PNAK - Parasitic Non-Resident .COM & .EXE Infector
Detection Method: ViruScan V66+, Pro-Scan 2.01+, NAV
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The Paris Virus was isolated in Paris, France, in early August, 1990.
This virus is a generic infector of .COM, .EXE and overlay files,
and will infect COMMAND.COM. It is not memory resident.
When a program infected with the Paris Virus is executed, the virus
will infect all .COM, .EXE and overlay files on the current drive
and directory, with the exception of very small .COM files. It will
also check to see if COMMAND.COM on the C: drive is uninfected, if it
has not previously been infected it will become infected. Infected
files will increase in length by between 4,909 - 4, 25 bytes, with the
virus located at the end of the infected file.
The Paris Virus can be destructive in some instances, resulting in
diskettes becoming corrupted if the system is booted from a diskette
with a Paris infected COMMAND.COM program.
Virus Name: Parity
Aliases:
V Status: Rare
Discovered: December, 1990
Symptoms: .COM file growth; long .COM program loads;
possibly intermittent parity errors
Origin: Bulgaria
Eff Length: 441 Bytes
Type Code: PNCK - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan V74+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The Parity Virus was received in December, 1990, and originated in
Bulgaria. This virus is a non-memory resident infector of .COM files,
and will infect COMMAND.COM.
When a program infected with the Parity Virus is executed, the virus
will infect all .COM files in the current directory. If COMMAND.COM
is in the current directory, it will become infected.
Infected .COM programs will increase in length by 441 bytes, the virus
being located at the end of the infected program. The program's date
and time in the disk directory will not be altered by the virus.
The major symptom of a Parity Virus infection is that it will take
significantly longer to load and execute infected .COM files. The
increase in time is due to the virus searching the current drive for
.COM files to infect.
This virus may also display a message "PARITY CHECK 2" at times, and
halt the system.
Virus Name: Payday
Aliases:
V Status: Rare
Discovered: November, 1989
Symptoms: TSR, .EXE & .COM growth, system slowdown, deleted files
on Friday EXCEPT 13th, "Black WIndow"
Origin: Netherlands
Eff Length: 1,808 Bytes (.EXE) & 1,813 Bytes (.COM)
Type Code: PRA - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan V51+, F-Prot, Pro-Scan 1.4+, AVTK 3.5+,
VirHunt 2.0+, NAV
Removal Instructions: UnVirus, Saturday, CleanUp, F-Prot, Pro-Scan 1.4+,
NAV
General Comments:
The Payday virus was isolated by Jan Terpstra of the Netherlands
in November, 1989. It is a variant of the Jerusalem B virus,
the major difference being that the activation criteria to
delete files has been changed from every Friday The 13th to
any Friday but Friday The 13ths.
Also see: Jerusalem, Jerusalem B, New Jerusalem, Suriv 3.00
Virus Name: Pentagon
Aliases:
V Status: Extinct
Discovered: January, 1988
Symptoms: TSR, BSC 360k floppies, file (see text)
Origin: USA
Eff Length: N/A
Type Code: RF - Resident Floppy Boot Sector Infector
Detection Method: ViruScan, F-Prot, VirexPC
Removal Instructions: MDisk, CleanUp, or DOS SYS Command
General Comments:
The Pentagon virus consists of a normal MS-DOS 3.20 boot
sector where the name 'IBM' has been replaced by 'HAL', along
with two files. The first file has a name of the hex
character 0F9H, and contains the portion of the virus code
which would not fit into the boot sector, as well as the
original boot sector of the infected disk. The second file
is named PENTAGON.TXT and does not appear to be used or contain
any data. The 0F9H file is accessed by its absolute storage
address. Portions of this virus are encrypted.
The Pentagon virus only infects 360K floppies, and will look
for and remove the Brain virus from any disk that it infects.
It is memory resident, occupying 5K of RAM, and can survive
a warm reboot or CTL-ALT-DEL.
Virus Name: Perfume
Aliases: 765, 4711
V Status: Endangered
Discovered: December, 1989
Symptoms: .COM growth, messages
Origin: Germany
Eff Length: 765 Bytes
Type Code: PNCK - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, VirexPC,
AVTK 3.5+, VirHunt 2.0+, NAV
Removal Instructions: Scan/D/X, F-Prot, Pro-Scan 1.4+, VirHunt 2.0+, NAV,
or delete infected files
General Comments:
The Perfume virus is of German origin, and has also been
isolated in Poland in December, 1989. This virus infects
.COM files, and will look for COMMAND.COM and infect it if
it isn't already infected. Infected files always grow in
length by 765 bytes.
The virus will sometimes ask the system user a question,
and then not run the infected program unless the system
user responds by typing 4711, the name of a German perfume.
In the most common variant of this virus, however, the
questions have been overwritten with miscellaneous
characters.
Also see: Sorry
Virus Name: Phantom
Aliases:
V Status: Rare
Discovered: January, 1991
Symptoms: .COM growth; Message; Shift of System Display;
Decrease in total system and available memory
Origin: Hungary
Eff Length: 2,274 Bytes
Type Code: PRhC - Parasitic Resident .COM Infector
Detection Method: ViruScan V75+
Removal Instructions: Scan/D, or delete infected files
General Comments:
The Phantom Virus was isolated in Hungary in January, 1991, by Dr.
Szegedi Imre. This virus is a memory resident infector of .COM files,
but not COMMAND.COM.
The first time a program infected with the Phantom Virus is executed,
the Phantom Virus will install itself memory resident at the top of
system memory but below the 640K DOS boundary. Infected systems will
have interrupts 20 and 21 hooked by the virus, and the DOS ChkDsk
program will report total system and available memory as 2,704 bytes
less than expected.
After becoming memory resident, the Phantom Virus will infect .COM
programs as they are executed or openned if the original file length
is greater than 2K. Infected programs will increase in size by 2,274
bytes with the virus being located at the end of infected programs.
Systems infected with the Phantom Virus will experience the following
message being displayed intermittently when programs are executed:
"HI ROOKIE!
I`m a THESEASE! I live in YOUR computer - sorry...
Thanks to Brains in the Computer Siences!"
This message, as with the following text strings which also occur in
the virus's code, cannot be seen in infected programs as they are
encrypted. The other text strings which are encrypted in the viral
code are:
"The PHANTOM Was HERE - SORRY"
"(c) PHANTOM - This virus was designed in the HUNGARIAN
VIRUS DEVELOPING LABORATORY. (H.V.D.L.) v1.0"
Another symptom of the Phantom Virus is that it will occasionally
alter the system display so that what should start on the left side of
the screen starts in the middle (it is shifted 50% with wrap around on
the same line).
Virus Name: Phoenix
Aliases: P1
V Status: Rare
Discovered: July, 1990
Symptoms: .COM growth, system reboots, CHKDSK program failure,
COMMAND.COM header change
Origin: Bulgaria
Eff Length: 1,704 Bytes
Type Code: PRhCK - Parasitic Resident .COM Infector
Detection Method: ViruScan V66+, Pro-Scan 2.01+, NAV
Removal Instructions: Scan/D, or delete infected files
General Comments:
The Phoenix virus is of Bulgarian origin, and was submitted to
the author of this document in July, 1990 by Vesselin Bontchev.
This virus is one of a family of three (3) viruses which may be
referred to as the P1 or Phoenix Family. Each of these viruses is
being documented separately due to their varying characteristics.
The Phoenix virus is a memory resident, generic infector of .COM
files, and will infect COMMAND.COM.
The first time a program infected with the Phoenix virus is executed,
the virus will install itself memory resident in free high memory,
reserving 8,192 bytes. Interrupt 2A will be hooked by the virus.
System total memory and free memory will decrease by 8,192 bytes.
If the program was executed from a floppy drive, and COMMAND.COM was
not present on the diskette, the virus will request that a diskette
with \COMMAND.COM present be inserted in the drive. Phoenix will
immediately infect COMMAND.COM by overwriting part of the binary zero
portion of the program, and changing the program's header information.
COMMAND.COM will not change in file length. The virus will then
similarly infect COMMAND.COM residing in the C: drive root directory.
After becoming memory resident, the virus will attempt to infect any
.COM file executed. Most of its attempts, however, will not result in
a file being infected. Phoenix is a fairly poor replicator. If the
virus is successful in infecting the file, it will append its viral
code to the end of the file, increasing the file's length by 1,704
bytes.
Phoenix is not able to recognize when it has previously infected a file,
so it may reinfect .COM files several times. Each infection will
result in another 1,704 bytes of viral code being appended to the
file.
Systems infected with the Phoenix virus will experience problems with
executing CHKDSK.COM. Attempts to execute this program with Phoenix
memory resident will result in a warm reboot of the system occurring,
however the memory resident version of Phoenix will not survive the
reboot. If an autoexec.bat file is not present on the drive being
booted from, the system will prompt for the user to enter Date and
Time.
The Phoenix Virus employs a complex encryption mechanism, and virus
scanners which are only able to look for simple hex strings will not
be able to detect it. There is no simple hex string in this virus
that is common to all infected samples.
This virus is not related to the Cascade (1701/1704) Virus.
Also see: Evil, PhoenixD
Virus Name: PhoenixD
Aliases: P1
V Status: Rare
Discovered: July, 1990
Symptoms: .COM growth, system reboots, CHKDSK program failure,
COMMAND.COM header change
Origin: Bulgaria
Eff Length: 1,704 Bytes
Type Code: PRhCK - Parasitic Resident .COM Infector
Detection Method: ViruScan V66+, Pro-Scan 2.01+, NAV
Removal Instructions: Scan/D, or delete infected files
General Comments:
The PhoenixD virus is of Bulgarian origin, and was submitted to
the author of this document in July, 1990 by Vesselin Bontchev.
This virus is one of a family of three (3) viruses which may be
referred to as the P1 or Phoenix Family. Each of these viruses is
being documented separately due to their varying characteristics.
The PhoenixD virus is a memory resident, generic infector of .COM
files, and will infect COMMAND.COM.
The PhoenixD Virus is a "bug fixed" version of the Phoenix virus.
The first time a program infected with the PhoenixD virus is executed,
the virus will install itself memory resident in free high memory,
reserving 8,192 bytes. Interrupt 2A will be hooked by the virus.
System total memory and free memory will decrease by 8,192 bytes.
PhoenixD will then check to see if the current drive's root directory
contains a copy of COMMAND.COM. If a copy of COMMAND.COM is found,
it will be infected by PhoenixD by overwriting part of the binary zero
portion of the program, and changing the program's header information.
COMMAND.COM will not change in file length. The virus will then
similarly infect COMMAND.COM residing in the C: drive root directory.
After becoming memory resident, the virus will attempt to infect any
.COM file executed. PhoenixD is a much better replicator than the
original Phoenix Virus, and is usually able to infect files. Infected
files will increase in length by 1,704 bytes.
PhoenixD is not able to recognize when it has previously infected a
file, so it may reinfect .COM files several times. Each infection will
result in another 1,704 bytes of viral code being appended to the
file.
A characteristic present in the PhoenixD Virus which is not found in
the original Phoenix Virus is that in addition to it infecting .COM
files as they are executed, .COM files will be infected when they
are opened for any reason. The simple act of copying a .COM file
with PhoenixD present in memory will result in both the source and
target files being infected.
Systems infected with the PhoenixD virus will experience problems with
executing CHKDSK.COM. Attempts to execute this program with Phoenix
memory resident will result in a warm reboot of the system occurring.
If an autoexec.bat file is not present on the drive being booted from,
the system will prompt for the user to enter Date and Time.
The PhoenixD Virus employs a complex encryption mechanism, and virus
scanners which are only able to look for simple hex strings will not
be able to detect it. There is no simple hex string in this virus
that is common to all infected samples.
This virus is not related to the Cascade (1701/1704) virus.
Also see: Evil, Phoenix
Virus Name: Ping Pong
Aliases: Bouncing Ball, Bouncing Dot, Italian, Vera Cruz
V Status: Extinct
Discovered: March, 1988
Symptoms: Graphic display (see text), TSR, BSC
Origin:
Eff Length: N/A
Type Code: RsF - Resident Floppy Boot Sector Infector
Detection Method: ViruScan, F-Prot, IBM Scan, VirexPC, Pro-Scan,
AVTK 3.5+, VirHunt 2.0+, NAV
Removal Instructions: MDisk, CleanUp, F-Prot, Pro-Scan 1.4+, VirexPC, NAV,
or DOS SYS command
General Comments:
The Ping Pong virus is a boot sector virus which was first
reported in March 1988. The original Ping Pong virus only
infects Floppy Disks.
When the virus activates, which is on a random basis, a
bouncing ball or dot appears on the screen. This display
can only be stopped thru a system reboot. No other damage
is apparently done.
The Ping Pong Virus is extinct, though the hard disk variant,
Ping Pong-B listed below, is one of the most common MS-DOS
viruses.
Virus Name: Ping Pong-B
Aliases: Bouncing Ball Boot, Italian-A
V Status: Common
Discovered: May, 1988
Symptoms: Graphic display (see text), TSR, BSC
Origin:
Eff Length: N/A
Type Code: BRs - Resident Boot Sector Infector
Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC,
AVTK 3.5+, VirHunt 2.0+, NAV
Removal Instructions: CleanUp, MDisk, Pro-Scan 1.4+, F-Prot, VirexPC, NAV,
or DOS SYS Command
General Comments:
The Ping Pong-B virus is a variant of the Ping Pong virus. The
major difference is that Ping Pong-B can infect hard disks as
well as floppies.
Known variants of Ping Pong-B include:
Ping Pong-C : Similar to Ping Pong-B, though this variant does
not have the bouncing ball screen effect.
Origin: Argentina, June 1990.
Virus Name: Plastique
Aliases: Plastic Bomb, Plastique 3012, Plastique 1
V Status: Rare
Discovered: July, 1990
Symptoms: TSR; .COM & .EXE growth; possible system slowdown or bomb
noises after September 20
Origin: Taiwan
Eff Length: 3,012 Bytes
Type Code: PRsA - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan V66+, Pro-Scan 2.01+
Removal Instructions: Clean-Up V72+, Pro-Scan 2.01+, or Delete infected files
General Comments:
The Plastique, or Plastic Bomb, Virus was submitted in July 1990, it
comes to us from Taiwan. Plastique is a memory resident generic
infector of .COM and .EXE files, though it does not infect
COMMAND.COM. Unlike the Plastique-B Virus listed below, this virus
does not infect floppy disk boot sectors.
The first time a program infected with Plastique is executed, the
virus will install itself memory resident as a TSR in low system
memory. The TSR is 3,264 bytes in length, and hooks interrupt 21.
After the virus is memory resident, it will attempt to infect any
.COM or .EXE file which is executed. This virus is rather "buggy",
and it is not always successful in infecting files when they are
executed. When it is successful infecting the file, the file's
length will increase. For infected .COM files, the length will
increase by 3,012 bytes. For infected .EXE files, their length
will increase between 3,012 and 3,020 bytes.
Plastique will also attempt to infect files when they are opened for
any reason, though again, it is not always successful.
After September 20th of any year, the Plastique Virus activates. At
that time, it will do either of two things. It will either
progressively slowdown the system, or it will intermittently emit
"bomb" noises from the system speaker.
Known variant(s) of Plastique are:
HM2 : The earliest known version of this virus, it does
not replicate. Executing an infected file results
in the system hanging requiring a reboot.
Origin: Taiwan, May 1990.
Plastique 4.51 : A variant of the Plastique virus described above,
the only real difference is that the encryption
of the virus is slightly different. Otherwise it
behaves exactly the same as Plastique.
Origin: Taiwan, July 1990.
Plastique COBOL: A variant of the Plastique virus described above, this
version is 3,004 bytes in length, and its memory
resident TSR is 3,248 bytes in length. The only text
character string which can be found in this variant is
"COBOL". This string does not occur in other variants
of the Plastique Virus, or related viruses. Infected
.COM programs will increase in size by 3,004 bytes,
.EXE files by 3,004 to 3,019 bytes. COMMAND.COM will
not become infected. Activation of the virus has also
been altered. Between January 1 and September 21, the
virus will progressively slowdown the system. After 20
minutes, the system will execute at approximately 50%
of its original speed. After 30 minutes, the virus
may lockout the system keyboard, as well as corrupt
the system's CMOS configuration. Between September 22
and December 31, the virus does not activate, and no
system slowdown or CMOS corruption will occur.
Also see: Invader, Plastique-B
Virus Name: Plastique-B
Aliases: Plastic Bomb, Plastique 5.21, Plastique 2
V Status: Rare
Discovered: July, 1990
Symptoms: TSR, .COM & .EXE file growth; BSC;
Origin: Taiwan
Eff Length: 4,096 Bytes
Type Code: PRsAB - Parasitic Resident .COM & .EXE, & Boot Sector Infector
Detection Method: ViruScan V66+, Pro-Scan 2.01+
Removal Instructions: Clean-Up V72+, Pro-Scan 2.01+, or Delete Infected Files
General Comments:
The Plastique-B, or Plastique 5.21, virus is a later version of
the Plastique virus. Like Plastique, it is a memory resident
generic infector of .COM and .EXE files. This version will also
infect diskette boot sectors. It does not infect COMMAND.COM.
If the system date is before September 20th, the first time a program
infected with Plastique-B is executed, the virus will install itself
memory resident as a TSR in low system memory. The TSR is 5,120 bytes
in length. Interrupts 08, 09, 13, 21, and ED are hooked by the virus.
If the system date is after September 20th, the virus will install
itself memory resident in high system memory but below the 640K DOS
boundary. The same interrupts will be hooked by the virus.
After the virus is memory resident, it will attempt to infect any
.COM or .EXE file which is executed or opened for any reason. It
has had many of the "bugs" fixed that were in Plastique, and is
usually successful in infecting files. Infected .COM and .EXE files
will increase in length by 4,096 bytes.
Plastique-B will also infect the boot sector of any diskettes accessed
on an infected system.
After September 20th, 1990, the Plastique-B virus activates. It
will either progressively slowdown the system or cause "bomb" noises
to be emitted periodically from the system speaker. It may also
overwrite the contents of all drives after this date, depending on if
a predetermined limit in the virus has been reached.
Also see: Plastique, Invader
Virus Name: Polimer
Aliases: Polimer Tapeworm
V Status: Rare
Discovered: November, 1990
Symptoms: .COM growth; Message
Origin: Hungary
Eff Length: 512 Bytes
Type Code: PNCK - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan V71+, Pro-Scan 2.01+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The Polimer Virus was discovered in Hungary in November, 1990. This
virus is a non-resident infector of .COM files, including COMMAND.COM.
When a program infected with the Polimer Virus is executed, the
following message will be displayed:
"A le' jobb kazetta a POLIMER kazetta ! Vegye ezt !"
This message can be found near the beginning of all infected files.
After the message is displayed, the virus will attempt to infect one
.COM file on the current drive and directory, and one .COM file on the
C: drive's current directory. This virus will only infect .COM files
which are between 512 and 64,758 bytes in length. If the .COM file it
attempts to infect has the Read-Only attribute, it will not be infected,
and the message $ERROR will be displayed.
Although this virus is actually 456 bytes in length, infected .COM files
will increase in size by 512 bytes with the virus's code being located
at the beginning of the file.
This virus does not appear to do anything besides replicating.
Virus Name: Polish 217
Aliases: 217, Polish Stupid
V Status: Rare
Discovered: October, 1990
Symptoms: .COM growth; system reboot
Origin: Koszalin, Poland
Eff Length: 217 Bytes
Type Code: PNCK - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan V71+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The Polish 217, or Polish Stupid, Virus was discovered in Koszalin,
Poland, in October, 1990. This virus is a non-resident infector of
.COM files, including COMMAND.COM.
When a program infected with the Polish Stupid Virus is executed, the
virus will infect the first uninfected .COM file found in the current
directory. Infected .COM files will increase in length by 217 bytes
with the virus's code being located at the end of the file. Infected
files will also end with the hex string 5757h. The file's date and
time in the disk directory is not altered.
A side note on this virus: when the copy of COMMAND.COM pointed to by
the COMSPEC environmental variable is infected by the virus, the system
will experience a warm reboot.
This virus does nothing besides replicating in its current version.
Known variant(s) of Polish 217 are:
Polish 217 B : The Polish 217 B variant's major difference is that
when COMMAND.COM is infected, a warm reboot does not occur.
Execution of COMMAND.COM will result in the error message:
"Specified COMMAND search directory bad". Execution of
infected programs may also result in the following message
being displayed and the program terminated:
"????????COM
Path not found."
Programs which can detect Polish 217 may not be able to detect
Polish 217 B as it has been altered. Scan V72 and below will
not detect it.
Virus Name: Polish 529
Aliases: 529
V Status: Rare
Discovered: September, 1990
Symptoms: .COM growth; TSR
Origin: Poland
Eff Length: 529 Bytes
Type Code: PRsCK - Parasitic Resident .COM Infector
Detection Method: ViruScan V71+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The Polish 529 Virus was isolated in September, 1990 in Poland. This
virus is a memory resident infector of .COM files. It will infect
COMMAND.COM if it is executed with the virus in memory.
The first time a program infected with the Polish 529 Virus is executed,
the virus will install itself memory resident as a low system memory
TSR of 1,664 bytes. Interrupt 21 will be hooked by the virus.
Once the virus is memory resident, any .COM file over approximately
1600 bytes in length will be infected by the virus. Infected .COM
files will show a file length increase of 529 bytes and have the
virus's code located at the beginning of the file.
This virus does not appear to do anything but replicate.
Virus Name: Polish 583
Aliases:
V Status: Rare
Discovered: December, 1990
Symptoms: .COM file growth
Origin: Poland
Eff Length: 583 Bytes
Type Code: PNCK - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan V74+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The Polish 583 Virus originated in Poland and was submitted in
December, 1990. This virus is a non-resident, direct action infector
of .COM files, including COMMAND.COM.
When a program infected with Polish 583 is executed, the virus will
infect one other .COM file on the current drive and directory. The
newly infected program will increase in length by 583 bytes with the
virus's code being located at the end of the infected program. The
program's date and time in the disk directory is not altered.
This virus does not do anything besides replicate.
Virus Name: Print Screen
Aliases: EB 21, 8290, PRTSC Virus
V Status: Rare
Discovered: November, 1989
Symptoms: BSC, hard disk access slowdown
Origin: Bombay, India
Eff Length: N/A
Type Code: BR - Resident Boot Sector Infector
Detection Method: ViruScan V64+, Pro-Scan 1.4+, VirexPC, F-Prot 1.12+,
VirHunt 2.0+, NAV
Removal Instructions: M-Disk, Pro-Scan 1.4+, NAV, or DOS SYS Command
General Comments:
The Print Screen Virus was isolated in Bombay, India in November, 1989
by Neville Bulsara. It is the first virus to have originated in
India. There are two versions of Print Screen, the later version
having had some bugs fixed.
When a system is booted from a Print Screen infected diskette or
hard drive, the virus will install itself memory resident in the
top of memory. The virus then adjusts the amount of memory DOS
thinks is installed. Infected systems will show that total system
memory is 2K less than is installed. On floppy disks, the original
boot sector of the diskette will be copied to sector 11.
After becoming memory resident, the virus will infect any hard
disk or floppy diskette which is accessed by the system.
Infected system users will notice that hard disk accesses done for
any reason will be much slower than expected. In some cases,
listing the root directory will show apparently garbage entries in
it. These entries are actually part of the virus's code.
The first version of the Print Screen virus is buggy, and as such
it doesn't actually accomplish anything having to do with printing
screens.
This virus appears to have been based on the Ping Pong Virus, and
some anti-viral programs will identify it as such.
Known variant(s) of Print Screen are:
Print Screen-2: Print Screen-2 is the later, bug fixed version of
the Print Screen Virus. This version will attempt to perform
a screen print or dump to the system's printer after every
255 disk I/Os have occurred.
Virus Name: Proud
Aliases: V1302, P1 Related
V Status: Rare
Discovery: August, 1990
Symptoms: .COM growth; decrease in total system and available memory;
FAT entry corruption
Origin: Bulgaria
Eff Length: 1,302 Bytes
Type Code: PRtCK - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan V71+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The Proud, or V1302, Virus was isolated in August of 1990 in Bulgaria
by Vesselin Bontchev. Proud is a memory resident infector of .COM
files, including COMMAND.COM.
The first time a program infected with Proud is executed, the virus
checks to determine if interrupt 13 is in use by another program, and
if it is, the virus will hang the system. If interrupt 13 is not in
use by another program, Proud will install itself memory resident at
the top of system memory, but below the 640K DOS boundary. Total
system memory and free available memory will decrease by 8,192 bytes.
Interrupt 2A will be replaced by the virus.
Once the virus is memory resident, it will infect .COM files within
certain candidate length ranges whend they are openned for any reason.
The candidate file length ranges are:
2,048 - 14,335 bytes
16,384 - 30,719 bytes
32,768 - 47,103 bytes
49,152 - 63,487 bytes
Proud is an encrypted virus, and is unusual in that it "splits"
the .COM file being infected into two parts, placing the viral code
between the two sections. Proud also is unable to distinguish when
a file has been previously infected, so .COM files can become infected
multiple times. Each infection, with the exception of COMMAND.COM,
will add 1,302 bytes to the file length. Infected COMMAND.COM files
generally don't increase in length on the first infection as the virus
will overwrite part of the 00h area of COMMAND.COM with the viral code.
Proud can be a damaging virus, with a probability of 1 out of 256, it
may swap entries in the file allocation table.
Virus Name: RaubKopie
Aliases:
V Status: New
Discovery: March, 1991
Symptoms: .COM & .EXE growth; Messages
Origin: Germany
Eff Length: 2,219 Bytes
Type Code: PNAK - Parasitic Non-Resident .COM & .EXE Infector
Detection Method: ViruScan V76+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The RaubKopie Virus was submitted in March, 1991 by Jan Terpstra of
the Netherlands. It is originally from Germany. Raubkopie is a
non-resident direct action infector of .COM and .EXE files. It will
infect COMMAND.COM.
When a program infected with RaubKopie is executed, the virus will
infect up to five .COM programs in the currect directory. If less than
five uninfected .COM programs existed in the current directory, it will
then infect .EXE files until the total number of programs it has
infected on this execution totals five.
.COM programs infected with Raubkopie will increase in size by 2,219
bytes with the virus being located at the beginning of the infected
file. The program's date and time in the disk directory will not be
altered.
.EXE programs infected with Raubkopie will increase in size by 2,475
to 2,491 bytes with the virus being located at the end of the file.
The larger file size increase with .EXE files is due to a different
mechanism being used to infect the programs. With .EXE files, the
virus will first add up to 16 bytes to the candidate .EXE file so that
the program's length is now divisible by 16. After adding the
additional bytes, it then adds 256 bytes of hex 00's and appends the
Raubkopie code to the end of the program. The program's date and
time in the disk directory will not be altered.
The RaubKopie Virus will occassionally display messages and require
a response when an infected program is invoked. The messages displayed
cannot be seen within infected programs, they are encrypted. The
first message displayed when the messages occur is:
" A C H T U N G
---------------------------
Die Benutzung einer RAUBKOPIE ist strafbar!
Nur wer Original-Disketten, Handbucher,
oder PD-Lizenzen besitzt, darf Kopien verwenden.
Programmierung is muhevolle Detailarbeit:
Wer Raubkopien verwendet, betrugt
Programmierer un den Lohn ihrer Arbeit.
--------------------------- "
A pause will then occur, and the following question will be displayed:
"Bist Du sauber ? (J/N) "
Entering "J" for yes will result in the following message being
displayed and the program which the user was attempting to execute
will proceed to execute:
"Ich will glauben, was Du sagst ..... "
Entering "N" for no will result in the following messages, the second
of which is garbled, and the program the user was attempting to execute
will be terminated:
"CPU-ID wird gespeichert...
**** LO<garbled> "
The last garbled message in original samples of this virus is:
"**** Losche dieses Programm ****".
There is also code within the RaubKopie virus to format the boot
sector of the system hard disk if the system date is greater than the
12th of the month, or the hour is above 17:00 (5:00 PM). This code,
however, does not function properly due to a bug within the RaubKopie
Virus.
Besides the messages and file growth, infected systems may have some
of the directories containing RaubKopie infected programs sorted so
that .COM files appear at the beginning of the directory listing.
Virus Name: Red Diavolyata
Aliases: USSR 830
V Status: Rare
Discovery: December, 1990
Symptoms: .COM growth; decrease in system and available memory;
file date/time changes
Origin: USSR
Eff Length: 830 Bytes
Type Code: PRhCK - Parasitic Resident .COM Infector
Detection Method: ViruScan V74+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The Red Diavolyata Virus is an 830 byte memory resident infector of
.COM files, including COMMAND.COM. It was submitted in December, 1990,
and originated in the USSR.
The first time a program infected with Red Diavolyata is executed, the
virus will install itself memory resident at the top of system memory
but below the 640K DOS boundary. The interrupt 12 return is not moved.
The DOS ChkDsk command will indicate that total system memory and
available free memory have decreased by 960 bytes. Interrupt 21 will
be hooked by the virus.
Once Red Diavolyata is memory resident, any .COM program executed will
become infected by the virus. If COMMAND.COM is executed, it will be
infected.
Infected .COM programs will have their file length increased by 830
bytes, and their date and time in the disk directory will have been
altered to the system date and time when infection occurred. The virus
will be located at the end of the infected program.
The following text strings can be found at the end of infected
programs:
"Eddie die somewhere in time"
"This programm was written in the city of Prostokwashino"
"(C) 1990 RED DIAVOLYATA"
"Hello! MLTI!"
Additionally, the text string "MLTI!COMMAND" can be found within
infected files.
It is unknown if Red Diavolyata does anything besides replicate.
Virus Name: RPVS
Aliases: 453
V Status: Endangered
Discovery: August, 1990
Symptoms: .COM growth
Origin: West Germany
Eff Length: 453 Bytes
Type Code: PNC - Parasitic Non-Resident .COM Infector
Detection Method: Pro-Scan 2.01+, ViruScan V76+
Removal Instructions: Pro-Scan 2.01+, or Delete infected files
General Comments:
The RPVS, or 453, Virus was discovered in West Germany in early
August, 1990. This virus is a non-resident infector of .COM files.
The RPVS is named for an unusual string that appears in a file
dump of the virus - "TUQ.RPVS" - this in not really a text string,
but a series of PUSH instructions.
The RPVS Virus is rather unsophisticated virus. Whenever a .COM
program infected with the RPVS or 453 virus is executed, the virus
will look for an uninfected .COM file in the current directory. The
virus determines if the .COM file has been previously infected by
checking to see if the last two bytes of the file are 9090h. If the
last two bytes are not 9090h, the file will be infected, appending
453 bytes of viral code to the end of the file. One .COM file is
infected each time an infected program is executed. COMMAND.COM
will not normally be infected.
This virus does not contain any logic to activate and cause damage
in its current state. It does contain many NOP instructions and odd
jumps which leave plenty of space for later additions.
Known variant(s) of RPVS are:
RPVS-B : The RPVS virus after additional bytes have been added to the
end of an infected program. When this occurs, the virus
will act differently. It will not be able to determine that
it has already infected a .COM file, so it will reinfect
the first .COM file it finds in the current directory over
and over again.
Virus Name: Saddam
Aliases:
V Status: Rare
Discovery: January, 1991
Symptoms: .COM growth; Message; Disk boot failures; I/O error message;
"Insufficient memory" message when attempting to run .BAT files;
Dir command errors; System hangs
Origin: France (reported September, 1990)
Isolated: Israel
Eff Length: 919 Bytes
Type Code: PRsCK - Resident Parasitic .COM Infector
Detection Method: ViruScan V74+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The Saddam Virus was first reported in France in September, 1990. In
January, 1991, the first sample of this virus was actually received, its
isolation point was Israel. Saddam is a memory resident infector of
.COM files, including COMMAND.COM. It is based on the Do-Nothing virus.
The first time a program infected with the Saddam Virus is executed,
the virus will install itself memory resident in low system memory,
though not as a TSR. Interrupts 21 and 22 will be hooked by the virus.
COMMAND.COM will be infected at this time if it has not previously
been infected.
Once Saddam is memory resident, it will infect .COM programs as they
are executed or openned. Infected .COM files will have a file length
increase of 919 bytes, the virus will be located at the end of
infected programs. Programs infected with this virus will not have
their file date and time altered upon infection.
There are several symptoms which may be experienced on systems infected
with the Saddam Virus. The most obvious symptom is that the following
message will occasionally be displayed:
"HEY SADAM
LEAVE QUEIT BEFORE I COME"
This message cannot be seen in infected files, it is encrypted.
Other symptoms are that attempts to execute .BAT files will result in
an insufficient memory message. Attempts to boot from a disk with a
Saddam infected COMMAND.COM will fail, the system will hang. Execution
of some infected programs will result in an I/O error and the program
aborting execution. The DOS Directory command may also not function
properly. Lastly, infected systems may experience frequent system
hangs requiring the user to reboot the system.
Also see: Do-Nothing
Virus Name: Saratoga
Aliases: 642, One In Two
V Status: Extinct
Discovery: July, 1989
Symptoms: .EXE growth, Resident, bad sectors, FAT corruption
Origin: California, USA
Eff Length: 642 Bytes
Type Code: PRsE - Resident Parasitic .EXE Infector
Detection Method: ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan 1.4+, VirexPC,
VirHunt 2.0+, NAV
Removal Instructions: Scan/D/X, F-Prot, VirexPC, Pro-Scan 1.4+, VirexPC 1.1B+,
VirHunt 2.0+, NAV, or delete infected files
General Comments:
The Saratoga Virus was first isolated in California in July 1989.
This virus is very similar to the Icelandic and Icelandic-II
viruses, so only the differences from the Icelandic viruses
are indicated here. Please refer back to the description of
the Icelandic virus for the base information.
The Saratoga virus's main difference from the Icelandic virus
is that when it copies itself to memory, it modifies the memory
block so that it appears to belong to the operating system,
thus avoiding another program reusing the block.
Similar to the Icelandic-II virus, the Saratoga can infect
programs even if the system has installed an anti-viral TSR
which "hooks" interrupt 21, such as FluShot+. Also like
Icelandic-II is that this virus can infect programs which have
been marked Read-Only, though it does not restore the Read-Only
attribute to the file afterwards.
Also see: Icelandic, Icelandic-II
Virus Name: Saturday The 14TH
Aliases: Durban
V Status: Rare
Discovered: March, 1990
Symptoms: TSR;.COM, .EXE, .OV? growth; corrupts boot sector,
FAT. & partition table on Saturday 14th
Origin: Republic of South Africa
Eff Length: 685 Bytes
Type Code: PRA - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan V61+, Pro-Scan 1.4+, VirexPC, AVTK 3.5+,
VirHunt 2.0+, NAV
Removal Instructions: Scan/D, VirHunt 2.0+, Pro-Scan 2.01+
General Comments:
The first reports of the Saturday The 14TH virus came from
South Africa in March 1990. The Saturday The 14TH, or Durban
Virus, is a memory resident generic file infector, infecting
.COM, .EXE, and overlay files, but not COMMAND.COM. Infected
files will increase in length by between 669 and 684 bytes.
The Saturday The 14TH virus activates on any Saturday that falls
on the 14TH of any month, at which time it will overwrite the
first 100 logical sectors of the C: drive, B: drive, and A:
drive. In effect, on drive C:, the virus destroys the hard
disk boot sector, partition table, and file allocation table (FAT).
Virus Name: Scott's Valley
Aliases: 2131
V Status: Rare
Discovered: September, 1990
Symptoms: TSR; .COM and .EXE growth
Origin: Scott's Valley, California, USA
Eff Length: 2,131 Bytes
Type Code: PRsA - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan V67+, Pro-Scan 2.01+
Removal Instructions: Scan/D, or delete infected files
General Comments:
The Scott's Valley Virus was discovered in September, 1990 in
Scott's Valley, California. This virus is a memory resident generic
infector of .COM and .EXE files, and does not infect COMMAND.COM.
The first time a program infected with the Scott's Valley Virus is
executed, the virus installs itself memory resident as a low system
memory TSR of 2,384 bytes. Interrupt 21 is hooked by the virus.
After the virus is memory resident, any .COM or .EXE file executed
will be infected with the virus. .COM files will increase in length
by 2,131 bytes. .EXE files will increase in length between 2,131
and 2,140 bytes.
Infected programs will contain the following hex string in the virus's
code: 5E8BDE909081C63200B912082E.
It is unknown if this virus is malicious.
Virus Name: Sentinel
Aliases:
V Status: Rare
Discovered: January, 1991
Symptoms: .COM & .EXE growth; decrease in available free memory
Origin: Bulgaria
Eff Length: 4,625 Bytes
Type Code: PRHAK - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan V74+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The Sentinel Virus was submitted in January, 1991, and is from
Bulgaria. This virus is a memory resident infector of .COM and .EXE
files, and will infect COMMAND.COM. Unlike most viruses, this virus
was received with its original Turbo Pascal source code. It may be
purely a research virus at this time.
When the first program infected with Sentinel is executed, the virus
will install itself memory resident at the top of system memory, but
below the 640K DOS boundary. Interrupt 12's return is not moved by
the virus. Interrupt 21 will be hooked by the virus in memory.
COMMAND.COM, if not previously infected, will be infected by Sentinel
at this time as well.
After Sentinel is memory resident, it will infect .COM and .EXE
programs larger than 1K as they are openned or executed. Infected
programs will have a file length increase of 4,625 bytes, the virus
will be located at the end of the file. This virus makes no attempt
to hide the file length increase. File date and time in the disk
directory is not altered by the virus.
The following text strings can be found at the very end of programs
infected with Sentinel:
"You won't hear me, but you'll feel me....
(c) 1990 by Sentinel.
With thanks to Borland."
Sentinel does not appear to do anything besides replicate.
Virus Name: SF Virus
Aliases:
V Status: Extinct
Discovered: December, 1987
Symptoms: BSC 360k floppies, Resident TOM, formatted disks
Origin: California, USA
Eff Length: N/A
Type Code: RtF - Resident Floppy Boot Sector Infector
Detection Method: ViruScan (identifies as Alameda)
Removal Instructions: MDisk, CleanUp, F-Prot, or DOS SYS command
General Comments:
The SF Virus is a modified version of the Alameda virus
which activates when the counter in the virus has determined
that it is infected 100 diskettes. The virus replicates when
a CTL-ALT-DEL is performed, infecting the disk in the floppy
drive. Upon activation, the diskette in the floppy drive is
reformatted. The SF Virus only infects 5 1/4" 360K floppies.
Also see: Alameda
Virus Name: Shake Virus
Aliases:
V Status: Rare
Discovered: May, 1990
Symptoms: .COM growth, message, change in COMMAND.COM memory allocation
Origin: Bulgaria
Eff Length: 476 Bytes
Type Code: PRCK - Resident Parasitic .COM Infector
Detection Method: ViruScan V63+, Pro-Scan 1.4+, VirexPC, F-Prot 1.12+,
VirHunt 2.0+, NAV
Removal Instructions: Scan/D, Pro-Scan 2.01+, or Delete Infected Files
General Comments:
The Shake Virus was first isolated in Bulgaria in May, 1990 by
Daniel Kalchev. It is a memory resident generic .COM infector, and
will infect COMMAND.COM.
The first time an infected program is executed, the Shake Virus will
install itself memory resident, altering the image of COMMAND.COM in
memory.
The Shake Virus infects .COM files, infecting them as they are
accessed. Infected files increase in size by 476 Bytes, though the
size increase cannot be seen using a DIR (list directory) command
if the virus is memory resident.
While the virus is not destructive, it will occasionally
display the message: "Shake well before use !" when an infected
file is attempted to be run. When this message is displayed, the
program terminates rather than executes. A second attempt to run
the same program result in it running successfully.
Virus Name: Slayer Family
Aliases: Brain Slayer, Slayer, Yankee Doodle Dropper
V Status: New
Discovered: March, 1991
Symptoms: .COM & .EXE growth; Long disk accesses; Disk directory altered;
Disk accesses to unexpected drives
Origin: USA
Eff Length: 5,120 Bytes
Type Code: PNA - Resident Non-Parasitic .COM & .EXE Infector
Detection Method: ViruScan V76+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The Slayer Family of Viruses was discovered in March, 1991. This
group of viruses currently consists of five known variants which were
submitted from different locations at approximately the same time. All
of the variants are non-resident direct action infectors of .COM and
.EXE files. They do not infect COMMAND.COM.
Below is a generic description of the viruses in this family. Specifics
for each variant are listed under "Known variants" at the end of this
entry. In some cases, the only difference between the variants is a
few bytes.
When a program infected with a Slayer Family virus is executed, it will
infect all .COM and .EXE programs in the current directory on the
current drive. Additionally, depending on the variant, it may infect
some programs on other drives as well.
Programs infected with a Slayer Family virus will increase in size
between 5,120 and 5,135 bytes with the virus being located at the end
of the infected file. The program's date and time in the disk directory
will not be altered.
Symptoms of Slayer Family viruses include long disk accesses when
attempting to execute an infected program, and possibly disk accesses
to unexpected drives. The order of the disk directory on infected
systems may also be altered so that .COM programs appear first in the
directory.
At least one member of this family, Slayer-E or Yankee Doodle Dropper,
carries the Yankee Doodle Virus which it will later release on infected
systems. This Yankee Doodle is the TP45VIR variant.
Known variant(s) of Slayer include:
Slayer-A : Slayer-A will infect up to nine programs in a directory,
other than the root directory, on the system C: drive in
addition to programs on the current drive when an infected
program is executed.
Slayer-B : Similar to Slayer-A, this variant will infect programs
located in the C: drive root directory in addition to those
located on the current drive and directory.
Slayer-C : Similar to Slayer-A and Slayer-B, Slayer-C will infect all
programs located on the current drive and all programs
located on the C: drive. The following text strings can be
found in samples of Slayer-C:
"KEYB*.COM KEYB*.EXE BASRUN BRUN COBRUN NET$OS *.COM"
"IBMBIO.COM"
"IBMDOS.COM COMMAND.COM *.* .. \ .. *.EXE"
"Access denied."
Slayer-D : Slayer-D is similar to Slayer-C, the major difference being
that while it accesses the C: drive when an infected program
is executed, it will not infect any programs on the C: drive
unless the infected program was being executed from C:.
The text strings indicated for Slayer-C also occur for this
variant.
Slayer-E : Slayer-E is also known as the Yankee Doodle Dropper. When
an infected program is executed, it will infect all the
programs on the current drive and directory, and then infect
a few programs on the C: drive. After some period of time
has elasped since the original infection, this variant will
release the Yankee Doodle Virus onto the system, resulting
in an active Yankee Doodle infection. If the system user
successfully removes Yankee Doodle, but doesn't remove the
Slayer-E infection, Yankee Doodle will promptly reinfect the
system from the Slayer-E infected programs which remain.
This variant is known to be in the public domain.
Virus Name: Slow
Aliases: Slowdown
V Status: Common
Discovered: May, 1990
Symptoms: .COM & .EXE growth
Origin: Australia
Eff Length: 1,701 Bytes
Type Code: PRsA - Resident Parasitic .COM & .EXE Infector
Detection Method: ViruScan V63+, Pro-Scan 1.4+, NAV
Removal Instructions: CleanUp V67+, Scan/D, Pro-Scan 2.01+, NAV
General Comments:
The Slow Virus was discovered in Australia in May 1990. It is
a memory resident generic file infector, infected .COM, .EXE, and
overlay files. COMMAND.COM is not infected by this virus.
The first time an infected file is executed on a system, the virus
installs itself memory resident as a low system memory TSR, taking up
1,984 bytes of free memory. Interrupt 21 will be hooked by the virus.
Later, as programs are executed, they will be infected by the Slow
Virus. While the Slow Virus's viral code is actually 1,701 bytes in
length, infected files will increase by more than this amount. Infected
.COM files will increase in length by 1,721 bytes with the virus
located at the beginning of the infected program. .EXE files will
increase in length by 1,716 to 1,728 bytes with the virus located at
the end of the infected program.
In the process of infecting some .EXE files, the virus may hang the
system, causing the user to have to reboot.
The Slow Virus is based on the Jerusalem B virus.
It is unknown what else the Slow virus does.
Virus Name: Solano 2000
Aliases: Dyslexia 2.01
V Status: Rare
Discovered: March, 1990
Symptoms: .COM growth, TSR, unusual file errors
Origin: California, USA
Eff Length: 2,000 Bytes
Type Code: PRsC - Resident Parasitic .COM Infector
Detection Method: ViruScan V60+, Pro-Scan 1.4+, VirexPC, F-Prot 1.12+,
VirHunt 2.0+, NAV
Removal Instructions: Scan/D, Pro-Scan 2.01+, or Delete Infected Files
General Comments:
The Solano 2000 Virus was first isolated in Solano County,
California in mid-March 1990 by Edward Winters. The virus may
also be known by the name Dyslexia Virus V2.01, which can be
produced by negating some null terminated bytes within the
viral code. Using the same technique, what appears to be the
creation date of the virus, 08FEB90, can be produced. The
information regarding the information produced by negation of
bytes was determined by Jay Parangalan of Solano County.
The Solano 2000 Virus is a generic .COM file infector. The first
time an infected .COM file is executed on the system, the virus
installs itself memory resident, then proceeds to infect every
.COM file that is executed. Infected programs can be manually
identified by using a sector editor to view the file. Bytes
1168 thru 1952 will consist of '(' or 28h characters.
Some programs, such as DiskCopy.COM which is included on all
DOS diskettes, will not run after being infected with this virus,
instead an "invalid drive specification" message will be
displayed. This message is not in the viral code, but is due
to an error condition being induced due to the virus's presence.
The virus-induced error occurring with the DiskCopy program was how
the virus was first spotted and eventually isolated.
This particular virus, in its current state, does not survive a
system warm reboot (CTL-ALT-DEL). When it is memory resident, it
takes up 3K bytes of RAM.
The Solano 2000 Virus does no apparent system damage, however it
does check the video buffer occasionally, and may transpose
numbers if they are found in certain locations. This effect,
however, was not experienced on the author's system in researching
this virus. There have also been reports that instead of transposing
numeric characters, the Solano virus may change color attributes on
the display screen when it is active in memory.
Known variants of the Solano 2000 virus:
Solano 2000-B: same as Solano 2000, except the 28h characters
have been changed to DAh characters, and are located in
bytes 1168 thru 1912 in infected files.
Dyslexia 2.00: same as Solano 2000, except that the 28h characters
are now binary zeros. The attempted transposing of numeric
characters in video memory has also been slowed down. The
creation date appears to be 22JAN90 instead of 08FEB90.
Also see: Subliminal 1.10
Virus Name: Sorry
Aliases: G-Virus V1.3
V Status: Rare
Discovered: June, 1990
Symptoms: .COM growth, decrease in system and free memory
Origin:
Eff Length: 731 Bytes
Type Code: PRNCK - Parasitic Resident .COM Infector
Detection Method: ViruScan V64+, F-Prot, Pro-Scan 2.01+, NAV
Removal Instructions: Scan/D, Pro-Scan 2.01+, NAV, or delete infected files
General Comments:
The Sorry Virus was isolated in June, 1990. Its name comes from
a german phrase in the virus: "Tut mir Leid !". This
virus is based on the Perfume Virus from West Germany, and some
anti-viral programs will identify it as Perfume or 4711.
The first time a program infected with the Sorry Virus is executed,
the virus will install itself memory resident in high memory. Total
system memory and free memory will both decrease by 1,024 bytes.
Interrupt 21 will be hooked by the virus. COMMAND.COM is immediately
infected by the virus, thus insuring on later system boots that the
virus becomes memory resident immediately.
After the virus is memory resident, it will infect any .COM file
which is executed, increasing the file's length by 731 bytes. The
viral code is located at the end of infected files.
The Sorry Virus contains the following text strings:
"G-VIRUS V1.3"
"Bitte gebe den G-Virus Code ein"
"Tut mir Leid !"
It is unknown what the Sorry Virus does when it activates.
Also see: Perfume
Virus Name: Sparse
Aliases:
V Status: New
Discovered: April, 1991
Symptoms: TSR; .COM growth
Origin: Unknown
Eff Length: 3,840 Bytes
Type Code: PRsCK - Parasitic Resident .COM Infector
Detection Method:
Removal Instructions: Delete infected files
General Comments:
The Sparse Virus was received in April, 1991. Sparse is a memory
resident infector of .COM files, including COMMAND.COM.
The first time a program infected with Sparse is executed, the virus
will install itself memory resident as a low system memory TSR of
3,872 bytes. Interrupts 21, D1 and D3 will be hooked by the virus.
Once Sparse is memory resident, it will infect .COM programs, including
COMMAND.COM, when they are executed. Infected .COM programs will
increase in size by 3,840 bytes with the virus being located at the
beginning of the infected file. The infected file's date and time in
the disk directory will also be updated to the system date and time
when infection occurred.
Programs infected with Sparse will have the ASCII characters "UK" as
the second and third bytes of the executable program. They will also
contain the text string SHELLC, and contain the name of the program
that originally resulted in the virus becoming memory resident. (If
the first infected program executed was "sparse.com", then "sparse.com"
will be found in all later infected programs as long as the virus was
memory resident.)
It is not known if Sparse does anything besides replicate.
Virus Name: Spyer
Aliases:
V Status: Rare
Discovered: November, 1990
Symptoms: TSR; .COM & .EXE growth; system hangs
Origin: Taiwan
Eff Length: 1,181 Bytes
Type Code: PRsA - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan V71+
Removal Instructions: Scan/D or Delete infected files
General Comments:
The Spyer Virus was isolated in November, 1990 in Taiwan. This virus
is a memory resident infector of .COM and .EXE files. It does not
infect COMMAND.COM.
The first time a program infected with the Spyer Virus is executed,
the Spyer Virus will install itself memory resident as a 1,760 byte
low system memory TSR. Interrupts 21 and 22 will be hooked by the
virus.
Once the virus is memory resident, the virus will attempt to infect
the next program that is executed. If the program is already infected
with the Spyer Virus, the system will become hung. If the program was
not already infected, Spyer will infect it and then hang the system.
Infected .COM files will always increase in length by 1,181 bytes.
.EXE files infected with Spyer will have a file length increase between
1,181 and 1,195 bytes. In both cases, the virus will be located at
the end of the infected file. Infected files will also always have the
following hex character sequence at the end of file: "CBDFD9DE848484".
The Spyer Virus, in its present form, is not expected to ever be a
serious problem. Since it always hangs the system when the next program
is executed after becoming memory resident, it is simply too obvious
that something is wrong.
Virus Name: Staf
Aliases: Staff
V Status: New
Discovered: April, 1991
Symptoms: .COM growth; Messages; Programs may fail to execute
Origin: Unknown
Eff Length: 2,083 Bytes
Type Code: PNCK - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan V76+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The Staf Virus was received in April, 1991. Its origin is unknown, but
first reports of it were out of Europe. This virus is a non-resident
direct action .COM file infector. It will infect COMMAND.COM.
When a program infected with the Staf Virus is executed, the virus will
display the following message:
"This program has been infected by:
Virus Demo Ver.: 1.1 - Handle with care!
By STAF (Tel.: (819) 595-0787)
Generation #n
Infecting: xxxxxxxx.COM
Press any key to execute original program..."
The "n" following the pound sign above will be replaced with the
generation number of the virus. The "xxxxxxxx.COM" will contain the
name of the .COM program in the current directory which the virus has
just infected. If no uninfected .COM file existed in the current
directory when an infected program is executed, the "Infecting:"
portion of the message will be replaced with:
"I have infected all your files in the current directory!
Have a nice day!"
Programs infected with Staf may also fail to execute, with the
following message being displayed:
"VIRUS ERROR #nn - Aborting process."
Programs infected with Staf have a file size increase of 2,083 bytes
with the virus being located at the beginning of the infected file.
The virus does not alter the file date and time in the disk directory
at the time a program is infected.
Staf does not do anything besides replicate.
Virus Name: StarDot 600
Aliases:
V Status: New
Discovered: April, 1991
Symptoms: .EXE growth
Origin: Unknown
Eff Length: 600 Bytes
Type Code: PNE - Parasitic Non-Resident .EXE Infector
Detection Method:
Removal Instructions: Delete infected files
General Comments:
The StarDot 600 Virus was submitted in April, 1991. Its origin is
unknown. This virus is a non-resident infector of .EXE programs.
When a program infected with StarDot 600 is executed, StarDot 600 will
infect one .EXE program in the current directory. Programs infected
with StarDot 600 will increase in length by 604 to 616 bytes with the
virus being located at the end of the newly infected file. The file's
date and time in the disk directory will not be altered.
StarDot 600 does not do anything besides replicate.
Virus Name: StarDot 801
Aliases:
V Status: New
Discovered: April, 1991
Symptoms: .COM & .EXE growth; System hangs
Origin: Unknown
Eff Length: 801 Bytes
Type Code: PNAK - Parasitic Non-Resident .COM & .EXE Infector
Detection Method:
Removal Instructions: Delete infected files
General Comments:
The StarDot 801 Virus was submitted in April, 1991. Its origin is
unknown, though it is very similar to the Italian 803 virus, so it
may also be from Italy. StarDot 801 is a non-resident, direct action
infector of .COM and .EXE programs. It will infect COMMAND.COM.
When a program infected with StarDot 801 is executed, the virus will
look for an uninfected .EXE program in the current directory to infect.
If an uninfected .EXE program does not exist in the current directory,
it will then look for an uninfected .COM program to infect. Once an
uninfected program is selected, the virus will infect it, adding the
viral code to the end of the program.
Programs infected with StarDot 801 will increase in size by 804 to
817 bytes. Their date and time in the disk directory will not be
altered.
StarDot 801 does not appear to do anything besides replicate. System
hangs, however, may occur when some infected programs are executed.
Virus Name: Stone`90
Aliases: Polish 961, Stone-90
V Status: Rare
Discovered: December, 1990
Symptoms: .COM file growth
Origin: Poland
Eff Length: 961 Bytes
Type Code: PNCK - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan V74+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The Stone`90 Virus, or Polish 961, is a non-resident direct action
infector of .COM programs, including COMMAND.COM. It was submitted
in December, 1990, and is from Poland.
When a program infected with the Stone`90 Virus is executed, the virus
will look for one .COM program on the current drive and in the current
directory to infect. If one is found, the virus will infected it.
The newly infected .COM program will increase in length by 961 bytes,
and have the virus's code located at the end of the program.
The following text strings can be found in infected files:
"Sorry, I`m INFECTED!"
"I`m already NOT infected!"
"(C) Stone`90"
Stone`90 does not appear to do anything besides replicate.
Virus Name: Stoned
Aliases: Donald Duck, Hawaii, Marijuana, New Zealand, Rostov, San Diego,
Sex Revolution, Smithsonian, Stoned II
V Status: Common
Discovered: February, 1988
Symptoms: BSC, TSR, messages, RLL controller hangs
Origin: New Zealand
Eff Length: N/A
Type Code: BRtX - Resident Boot Sector & Partition Table Infector
Detection Method: ViruScan, CleanUp, F-Prot, IBM Scan, Pro-Scan, VirexPC,
AVTK 3.5+, VirHunt 2.0+, NAV
Removal Instructions: CleanUp, MDisk, F-Prot, Pro-Scan 1.4+, NAV
General Comments:
The Stoned virus was first reported in Wellington, New Zealand in
early 1988. The original virus only infected 360KB 5 1/4" diskettes,
doing no overt damage. The original diskette-only infector is extinct,
however, and all known variants of this virus are capable of infecting
the hard disk partition table as well as may damage directory or FAT
information. Most variants of this virus have only minor modifications,
usually in what the message is that the virus may display on boot.
When a computer system is booted with a Stoned infected disk, this
virus will install itself memory resident at the top of system memory.
The interrupt 12 return will be moved, and ChkDsk will indicate that the
computer system as 2K less total memory than what is installed. If the
system boot was from a diskette, the virus will also attempt to infect
the hard disk partition table, if it was not previously infected.
During the boot process, the Stoned Virus may display a message. The
message is displayed more or less on a random basis. The most common
text for the message is:
"Your computer is now stoned."
Or:
"Your PC is now Stoned!"
After Stoned is memory resident, it will infect diskettes as they are
accessed on the system. When Stoned infects a diskette, it moves the
original boot sector (sector 0) to sector 11. The Stoned Virus then
copies itself into sector 0. Since sector 11 is normally part of the
diskette root directory on 360K 5.25" diskettes, any files which had
their directory entries located in this sector will be lost. Some
versions of DOS have sector 11 as part of the File Allocation Table,
which may also result in the disk's FAT being corrupted.
When Stoned infects that system hard disk, it copies the hard disk's
original partition table to side 0, cyl 0, sector 7. A copy of the
Stoned Virus is then placed at side 0, cyl 0, sector 1, the original
location of the hard disk partition table. If the hard disk was
formatted with software which starts the boot sector, file allocation
table, or disk directory on side 0, cyl 0 right after the partition
table, the hard disk may be corrupted as well.
In order to disinfect a system infected with the Stoned Virus, the
system must be powered off and booted with an uninfected, write-
protected boot diskette. If this is not done, the virus may reinfect
diskettes as soon as they are disinfected.
There are many programs which can disinfect Stoned infected diskettes
and hard disks. To successfully use one of these, follow the
instructions with the program.
To remove Stoned manually, the DOS SYS command can be used on 5.25"
360K diskettes. On the hard disk, the original partition table must
be copied back to side 0, cyl 0, sector 1. This can be performed with
Norton Utilities, or other sector editors.
Known variants of the Stoned Virus are:
Stoned-A : Same as Stoned above, but does not infect the system hard
disk. This is the original virus and is now extinct. The
text found in the boot sector of infected diskettes is:
"Your computer is now stoned. Legalize Marijuana".
The "Legalize Marijuana" portion of the text is not
displayed.
Stoned-B : Same as Stoned indicated above. Systems with RLL controllers
may experience frequent system hangs. Text typically found
in this variant is:
"Your computer is now stoned. Legalise Marijuana".
The "Legalise Marijuana" may also be in capital letters, or
may be partially overwritten. It is not displayed.
Stoned-C : same as Stoned, except that the message has been
removed.
Stoned-D : same as Stoned, with the exception that this variant
can infect high density 3.5" and 5.25" diskettes.
Stoned II: Based on Stoned-B, this variant has been modified to
avoid detection by anti-viral utilities. Since its
isolation in June, 1990, most utilities can now detect
this variant. Text in the virus has been changed to:
"Your PC is now Stoned! Version 2"
Or:
"Donald Duck is a lie."
The "Version 2" portion of the text may be corrupted as well.
Rostov : Similar to Stoned-B, this variant does not display any
message. It contains the text:
"Non-system disk" and "Replace and strike".
Submitted in December, 1990, origin unknown.
Sex Revolution V1.1 :
Submitted in December, 1990, this variant is similar to
Stoned-B. This variant may display the following message:
"EXPORT OF SEX REVOLUTION ver. 1.1"
Sex Revolution V2.0 :
Similar to Sex Revolution V1.1, the message has been changed
to:
"EXPORT OF SEX REVOLUTION ver. 2.0"
Stoned-E : Similar to Stoned-B, this variant now emits a "beep" thru
the system speaker when the following message is displayed:
"Your PC is now Stoned!"
The text "LEGALISE MARIJUANA!" can also be found in the
boot sector and system partition table.
Stoned-F : Similar to Stoned-E, this variant also emits a "beep" thru
the system speaker when its message is displayed. The
displayed message is:
"Twoj PC jest teraz be!"
The text "LEGALISE MARIJUANA?" can also be found in the
boot sector and system partition table.
Virus Name: Striker #1
Aliases:
V Status: Rare
Discovered: March, 1991
Symptoms: .COM growth
Origin: United States
Eff Length: 461 Bytes
Type Code: PNC - Non-Resident Parasitic .COM Infector
Detection Method: ViruScan V76+
Removal Instructions: Delete Infected Files
General Comments:
The Striker #1 Virus was isolated in the Eastern United States in
March, 1991. This virus is a non-resident, direct action infector of
.COM programs, including COMMAND.COM.
When a program infected with Striker #1 is executed, the virus will
infect one .COM program. Infected .COM programs will have the first
thirteen bytes altered, and then the body of the virus appended to the
end of the program. Infected programs will show a file length increase
of 461 bytes in the disk directory, file date and times are not altered.
Infected programs can be easily identified as the text string
"Striker #1" will appear in the fourth thru thirteenth bytes of all
infected programs. This string also appears near the end of infected
programs.
Striker #1 does not appear to do anything besides replicate.
Virus Name: Subliminal 1.10
Aliases:
V Status: Rare
Discovered: May, 1990
Symptoms: .COM growth, TSR, unusual file errors, video display flicker
Origin: California, USA
Eff Length: 1,496 Bytes
Type Code: PRsC - Resident Parasitic .COM Infector
Detection Method: ViruScan V64+, Pro-Scan 1.4+, NAV
Removal Instructions: Scan/D, Pro-Scan 1.4+, or Delete Infected Files
General Comments:
The Subliminal 1.10 Virus was first isolated in Solano County,
California in May 1990 by Jay Parangalan. The name of the
virus can be produced by negating (XORing with FF) some null
terminated bytes in the viral code. Using this technique, the
creation date of the virus appears to be 02OCT89. The
Subliminal 1.10 Virus appears to be a very early version of the
Solano 2000 Virus, and has only been reported at Solano
Community College.
The first time a program infected with the Subliminal 1.10 Virus
is executed, the virus installs itself memory resident. Any
.COM files which are then executed are infected. Infected
programs will increase in length by 1,496 bytes.
With the virus memory resident, the system monitor will appear to
flicker. What is occurring is that the virus is attempting to
flash the message "LOVE, REMEMBER?" in the lower left portion of
the display for a subliminal duration. The actual amount of time
the message displays on the screen varies between systems due to
CPU speed.
Also see: Solano 2000
Virus Name: Sunday
Aliases:
V Status: Common
Discovered: November, 1989
Symptoms: TSR, executable file growth, messages, FAT corruption
Origin: Washington (state), USA
Eff Length: 1,636 Bytes
Type Code: PRsAT - Parasitic Resident .COM, .EXE. & .OV? Infector
Detection Method: ViruScan V49+, F-Prot, IBM Scan, Pro-Scan, VirexPC 1.1+,
AVTK 3.5+, VirHunt 2.0+, NAV
Removal Instructions: CleanUp, Scan/D, F-Prot, Pro-Scan 1.4+, VirexPC,
VirHunt 2.0+, NAV
General Comments:
The Sunday virus was discovered by many users in the Seattle,
Washington area in November, 1989. This virus activates on
any Sunday, displaying the message:
"Today is Sunday! Why do you work so hard?
All work and no play make you a dull boy!
Come on! Let's go out and have some fun!"
The Sunday virus appears to have been derived from the
Jerusalem virus, the viral code being similar in many
respects.
Damage to the file allocation table or FAT has been reported
from a number of infected users.
Known variants of the Sunday Virus are:
Sunday-B : Similar to the Sunday Virus, this variant does not activate
on any day of the week due to an error in the day of the
week checking routine. The message in the virus is never
displayed, and no damage is done to the file allocation
table.
Sunday-C : Similar to Sunday-B, this variant also never activates. It
has, however, been modified so that it differs from both
the Sunday and Sunday-B viruses. Functionally, it is the
same as Sunday-B.
Virus Name: Suriv 1.01
Aliases: April 1st, Israeli, Suriv01
V Status: Extinct
Discovered: April, 1987
Symptoms: TSR, .COM growth, messages, system lock April 1st
Origin: Israel
Eff Length: 897 bytes
Type Code: PRsC - Parasitic Resident .COM Infector
Detection Method: ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, VirexPC,
AVTK 3.5+, VirHunt 2.0+, NAV
Removal Instructions: Scan/D/X, F-Prot, VirHunt 2.0+, or UnVirus
General Comments:
The Suriv 1.01 virus is a memory resident .COM infector. It
will activate on April 1st after memory is infected by running
an infected file and then a uninfected .COM file is executed.
On activation, it will display the message:
"APRIL 1ST HA HA HA YOU HAVE A VIRUS".
The system will then lock up, requiring it to be powered off and
then back on.
The text "sURIV 1.01" can be found in the viral code.
Virus Name: Suriv 2.01
Aliases: April 1st-B, Israeli, Suriv02
V Status: Extinct
Discovered: 1987
Symptoms: TSR, .EXE growth, messages, system lock April 1st
Origin: Israel
Eff Length: 1,488 bytes
Type Code: PRsE - Parasitic Resident .EXE Infector
Detection Method: ViruScan/X V67+, F-Prot, IBM Scan, VirexPC, Pro-Scan,
AVTK 3.5+, VirHunt 2.0+, NAV
Removal Instructions: Scan/D/X, F-Prot, UnVirus, VirHunt 2.0+
General Comments:
The Suriv 2.01 virus is a memory resident .EXE infector. It
will activate on April 1st after memory is infected by running
an infected file, displaying the same message as Suriv 1.01
and locking up the system. The virus will cause a similar
lockup, though no message, 1 hour after an infected .EXE file
is executed on any day on which the system default date of
01-01-80 is used. The virus will only infect the file once.
Virus Name: Suriv 3.00
Aliases: Israeli, Suriv03
V Status: Extinct
Discovered: 1988
Symptoms: TSR, .COM, .EXE, & .SYS growth; Black Window; system slowdown
Origin: Israel
Eff Length: 1,813 (COM files) & 1,808 (EXE files) bytes
Type Code: PRsA - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan/X V67+, F-Prot, Pro-Scan, VirexPC, AVTK 3.5+,
VirHunt 2.0+, NAV
Removal Instructions: CleanUp, Scan/D/X, F-Prot, Unvirus, VirHunt 2.0+
General Comments:
May be a variant of the Jerusalem virus. The string "sUMsDos"
has been changed to "sURIV 3.00". The Suriv 3.00 virus
activates on Friday The 13ths when an infected program is
run or if it is already present in system memory, however
files are not deleted due to a bug in the viral code.
Other than on Friday The 13ths, after the virus is memory
resident for 30 seconds, an area of the screen is turned into
a "black window" and a time wasting loop is executed with
each timer interrupt.
As with the Jerusalem B viruses, this virus can also infect
overlay, .SYS, and other executable files besides .EXE and
.COM files, though it does not infect COMMAND.COM itself.
Also see: Jerusalem, Jerusalem B
Virus Name: Sverdlov
Aliases: Hymn-2
V Status: Rare
Discovered: December, 1990
Symptoms: .COM & .EXE growth; decrease in total system and available memory
Origin: USSR
Eff Length: 1,962 Bytes
Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan V74+
Removal Instructions: Scan/D, or Delete infected programs
General Comments:
The Sverdlov Virus was submitted in December, 1990. This virus is
believed to have originated in the USSR. Sverdlov is a memory resident
infector of .COM and .EXE files, and will infect COMMAND.COM. This
virus is also encrypted.
The first time a program infected with the Sverdlov Virus is executed,
the virus will install itself memory resident at the top of system
memory but below the DOS 640K boundary. 4,080 bytes of memory will
have been reserved, and the interrupt 12 return is not altered by the
virus. The DOS ChkDsk program will indicate that total system memory
and available free memory is 4,080 bytes less than expected.
COMMAND.COM will also be infected at this time if it was not already
infected.
Once Sverdlov is memory resident, any .COM or .EXE file over 2K in
length will become infected if it is executed or openned for any reason.
Infected .COM files have a file length increase of 1,962 bytes.
Infected .EXE files will have a file length increase of 1,962 to
1,977 bytes in length. In both cases, the virus will be located at the
end of infected programs.
It is unknown if Sverdlov does anything besides replicate.
Known variant(s) of Sverdlov include:
Sverdlov-B : Very similar to the original Sverdlov Virus, this variant
has one basic change in behavior. It will only infect
.COM and .EXE files over 3K in length before infection.
Otherwise, the virus code is very similar. This variant
may have been altered to avoid detection, and some
anti-viral programs may identify it as Hymn-2.
Virus Name: SVir
Aliases:
V Status: Endangered
Discovered: 1990
Symptoms: .EXE growth; file date/time changes; system hangs
Origin: Poland
Eff Length: 512 Bytes
Type Code: PNE - Parasitic Non-Resident .EXE Infector
Detection Method: ViruScan V76+, NAV
Removal Instructions: Scan/D, or Delete infected programs
General Comments:
The SVir Virus was originally isolated in Poland early in 1990. The
original virus which was isolated had a fatal flaw in its code which
prevented it from executing. In August, 1990, a sample was obtained
from Fridrik Skulason which now does replicate. This second sample,
identified as SVir-B, is a non-resident infector of .EXE files. A
third variant was received in April, 1991.
Each time a program infected with the SVir-B Virus is executed, the
virus will infect one .EXE file. Infected files will increase in
length between 516 and 526 bytes with the virus's code appended to the
end of the file. If the virus could not find an .EXE file to infect,
it will leave the drive "spinning" as it will be in an endless loop
looking for a file to infect.
Interestingly enough, this virus will only infect files located on the
A: drive.
Infected files will also have their date/time in the disk directory
changed to the date and time when the infection occurred.
SVir, at least in the three known variants, does not do anything
malicious, it simply replicates.
Known variants of SVir are:
SVir-A : The original "virus" from Poland in early 1990 which did not
replicate.
SVir-B : A variant isolated in August, 1990 which has the bug in SVir-A
fixed so that it will now replicate.
SVir-0 : A variant received in April, 1991, this variant is very
similar to SVir-B. When an infected program is executed, the
virus may infect either 1 or 2 previously uninfected .EXE
files in the current directory. Execution of some infected
programs may result in a system hang.
Virus Name: Swap
Aliases: Falling Letters Boot, Israeli Boot
V Status: Rare
Discovered: August, 1989
Symptoms: Graphic display, BSC (floppy only), TSR, bad cluster,
Origin: Israel
Eff Length: N/A
Type Code: RsF - Resident Floppy Boot Sector Infector
Detection Method: ViruScan, F-Prot, IBM Scan, VirexPC, VirHunt 2.0+
Removal Instructions: MDisk, CleanUp, F-Prot, or DOS SYS Command
General Comments:
The Swap Virus, or Israeli Boot Virus, was first reported in
August 1989. This virus is a memory resident boot sector
infector that only infects floppies. The floppy's boot
sector is infected the first time it is accessed. One bad
cluster will be written on track 39, sectors 6 and 7 with the
head unspecified. If track 39, sectors 6 and 7, are not
empty, the virus will not infect the disk. Once the virus
is memory resident, it uses 2K or RAM. The actual length of
the viral code is 740 bytes.
The Swap virus activates after being memory resident for 10
minutes. A cascading effect of letters and characters on the
system monitor is then seen, similar to the cascading effect
of the Cascade and Traceback viruses.
The virus was named the Swap virus because the first isolated
case had the following phrase located at bytes 00B7-00E4 on
track 39, sector 7:
"The Swapping-Virus. (C) June, 1989 by the CIA"
However, this phrase is not found on diskettes which have been
freshly infected by the Swap virus.
A diskette infected with the Swap virus can be easily identified
by looking at the boot sector with a sector editor, such as
Norton Utilities. The error messages which normally occur at
the end of the boot sector will not be there, instead the start
of the virus code is present. The remainder of the viral code
is located on track 39, sectors 6 and 7.
Virus Name: Swedish Disaster
Aliases:
V Status: Rare
Discovered: January, 1991
Symptoms: BSC; Partition Table Altered;
Decrease in system and available free memory
Origin: Sweden
Eff Length: N/A
Type Code: BRhX - Resident Boot Sector & Partition Table Infector
Detection Method: ViruScan V74+
Removal Instructions: MDisk/P
General Comments:
The Swedish Disaster was isolated in January, 1991. This virus appears
to be from Sweden. It is a memory resident infector of floppy boot
sectors and the hard disk partition table.
When the system is booted from a diskette whose boot sector is infected
with the Swedish Disaster Virus, the virus will infect the system
hard disk's partition table, with the original hard disk partition
table moved to side 0, cylinder 0, sector 6. The virus will also
install itself memory resident at the top of system memory but below
the 640K DOS boundary. Total system memory will decrease by 2,048
bytes, available free memory will be 6,944 bytes less than what is
expected by the user. Interrupt 12's return will have been moved by
the virus.
After Swedish Disaster is memory resident, the virus will infect all
non-write protected diskettes which are accessed on the system. On
360K 5.25" diskettes, the original boot sector will have been moved
to sector 11, which is normally a part of the root directory. This
means that if the disk originally had directory entries in that sector,
they will be lost.
The following text string can be found at the end of the boot sector
of infected diskettes, as well as within the partition table on infected
hard disks:
"The Swedish Disaster"
Diskettes infected with the Swedish Disaster can be disinfected by
powering off the system and rebooting from a write-protected original
DOS diskette. The DOS Sys command can then be used to replace the
boot sector on infected diskettes. For hard disks, the MDisk/P program
will remove this virus, though the above text string will remain in
the partition table.
Virus Name: Swiss 143
Aliases:
V Status: Rare
Discovered: January, 1991
Symptoms: .COM growth; File date/time changes
Origin: Switzerland
Eff Length: 143 Bytes
Type Code: PNCK - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan V74+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The Swiss 143 Virus was submitted in January, 1991, by Dany Schoch of
Hagendern, Switzerland. This virus is a non-memory resident infector
of .COM files, including COMMAND.COM.
When a program infected with Swiss 143 is executed, the virus will
infect all .COM files in the current directory. Infected programs
will increase in length by 143 bytes, the virus will be located at the
end of the infected program. The disk directory date and time will also
be altered to the current system date and time when the programs were
infected.
This virus does not do anything besides replicate.
Virus Name: SysLock
Aliases: 3551, 3555
V Status: Endangered
Discovered: November, 1988
Symptoms: .COM & .EXE growth, data file corruption
Origin:
Eff Length: 3,551 Bytes
Type Code: PNA - Encrypting Non-Resident .COM & .EXE Infector
Detection Method: ViruScan, F-Prot, Pro-Scan, AVTK 3.5+, VirHunt 2.0+, NAV
Removal Instructions: Scan/D, or F-Prot
General Comments:
The SysLock virus is a parasitic encrypting virus which
infects both .COM and .EXE files, as well as damaging some
data files on infected systems. This virus does not install
itself memory resident, but instead searches through the
.COM and .EXE files and subdirectories on the current disk,
picking one executable file at random to infect. The
infected file will have its length increased by approximately
3,551 bytes, though it may vary slightly depending on file
infected.
The SysLock virus will damage files by searching for the word
"Microsoft" in any combination of upper and lower case
characters, and when found replace the word with "MACROSOFT".
If the SysLock virus finds that an environment variable
"SYSLOCK" exists in the system and has been set to "@" (hex 40),
the virus will not infect any programs or perform string
replacements, but will instead pass control to its host
immediately.
Known variant(s) of SysLock are:
Advent : Reported to be a Syslock variant, the sample of this virus
received by the author does not replicate. All known
samples of this virus available from anti-viral researchers
also do not replicate. Fridrik Skulason of Iceland has
indicated that this virus will only replicate it is on an
infected .EXE file, and then it will only infect .COM
files. This variant is thought to be extinct.
Macho-A : same as the SysLock virus, except that "Microsoft"
is replaced with "MACHOSOFT".
Also see: Cookie
Virus Name: Taiwan
Aliases: Taiwan 2, Taiwan-B
V Status: Endangered
Discovered: January, 1990
Symptoms: .COM growth, 8th day any month corrupts BOOT, FAT,
& Partition tables.
Origin: Taiwan
Eff Length: 743 Bytes
Type Code: PNCK - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan V56+, F-Prot, Pro-Scan 1.4+, VirexPC, NAV
Removal Instructions: Scan/D, F-Prot 1.12+, NAV, or delete infected files
General Comments:
The Taiwan virus was first isolated in January, 1990 in
Taiwan, R.O.C. This virus infects .COM files, including
COMMAND.COM, and does not install itself into system memory.
Each time a program infected with the Taiwan virus is executed, the
virus will attempt to infect up to 3 .COM files. The current
default directory is not first infected, instead the virus will
start its search for candidate files in the C: drive root directory.
Once an uninfected .COM file is located, the virus infects the file
by copying the viral code to the first 743 bytes of the file, the
original first 743 bytes of the file is relocated to the end of the
.COM file. A bug exists in this virus, if the uninfected .COM file
is less than 743 bytes in length, the resulting infected .COM file
will always be 1,486 bytes in length. This effect is due to the
virus not checking to see if it read less than 743 bytes of the
original file before infecting it.
The Taiwan virus is destructive. On the 8th day of any month, when
an infected program is run the virus will perform an absolute disk
write for 160 sectors starting at logical sector 0 on the C: and
D: drives. In effect, this logical write will result in the FATs
and root directory being overwritten.
Known variant(s) of Taiwan include:
Taiwan-B : Apparently an earlier version of the Taiwan virus, this
variant will hang the system when infected files are
executed, but after it has infected another file using
the selection mechanism indicated for the Taiwan virus.
Virus Name: Taiwan 3
Aliases:
V Status: Rare
Discovered: June, 1990
Symptoms: .COM & .EXE growth, decrease in available free memory,
system hangs
Origin: Taiwan
Eff Length: 2,900 Bytes
Type Code: PRA - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan V64+, Pro-Scan 2.01+
Removal Instructions: Clean-Up V71+, Scan/D, or delete infected files
General Comments:
The Taiwan 3 Virus was isolated in June, 1990 in Taiwan, R.O.C. It
was dubbed the Taiwan 3 Virus by John McAfee because it is the third
virus from Taiwan, the other two are Taiwan and Disk Killer. This
virus is not related to either of these two viruses.
The first time a program infected with the Taiwan 3 Virus is executed
on a system, the virus will install itself memory resident in low
system free memory. Available free memory will decrease by 3,152
bytes. The virus hooks interrupt 21.
After becoming memory resident, Taiwan 3 will infect any program
which is executed. .COM files will increase in length by 2,900
bytes, .EXE files will increase by between 2,900 and 2,908 bytes.
Overlay files may also become infected as well.
It is unknown what the activation criteria is for this virus, or
what it does besides spreading.
Also see: Fu Manchu
Virus Name: Taiwan 4
Aliases: 2576
V Status: Common
Discovered: October, 1990
Symptoms: TSR; .COM & .EXE file growth; system slowdown
Isolated: USA and Thailand
Origin: Taiwan
Eff Length: 2,576 Bytes
Type Code: PRsA - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan V71+, Pro-Scan 2.01+
Removal Instructions: Clean-Up V71+, Pro-Scan 2.01+, or Delete infected files
General Comments:
The Taiwan 4, or 2576, Virus was isolated in October, 1990. While one
copy of this virus was submitted by a user of Excalibur! who indicated
that it had been received from a download of AutoCad from another BBS,
a second copy was submitted to John McAfee from Thailand on
approximately the same date. This virus appears to have originated in
Taiwan, and is based on the Taiwan 3 virus. It is a memory resident
infector of .COM and .EXE files, but will not infect COMMAND.COM.
When a program infected with the Taiwan 4 Virus is executed, the virus
will check to see if it is already memory resident. If the virus isn't
already in memory, the virus will install itself memory resident as a
low system memory TSR of 2,832 bytes. Interrupts 08 and 21 will be
hooked by the virus.
After the virus is resident, the virus will start to slow down the
system gradually. After approximately 30 minutes, it will have slowed
the system down by approximately 30 percent.
Any .COM or .EXE file executed with Taiwan 4 active in memory will
become infected. Infected programs will have their file length
increased by 2,576 bytes for .COM files, and 2,576 - 2,590 bytes for
.EXE files. The virus is located at the beginning of .COM files, and
the end of .EXE files. The following text message can be found in all
infected programs:
"To Whom see this: Shit! As you can see this document,
you may know what this program is. But I must tell you:
DO NOT TRY to WRITE ANY ANTI-PROGRAM to THIS VIRUS.
This is a test-program, the real dangerous code will
implement on November. I use MASM to generate varius
virus easily and you must use DEBUG against my virus
hardly, this is foolish. Save your time until next month.
OK? Your Sincerely, ABT Group., Oct 13th, 1989 at FCU."
Another text string that can be found in all infected programs is:
"ACAD.EXECOMMAND.COM".
Virus Name: Tester
Aliases: TestVir
V Status: New
Discovered: April, 1991
Symptoms: .COM growth; Messages
Origin: United States
Eff Length: 1,000 Bytes
Type Code: PNCK - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan V76+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The Tester, or TestVir, Virus was received in April, 1991. Its origin
is unknown. This virus is a non-resident infector of .COM files. It
will infect COMMAND.COM.
When a program infected with Tester is executed, the virus will display
the following messages, requiring a response by the system user:
"This is TESTVIRUS B V1.4 !
1 = infect COM-files of this directory + run orig. prog.
5 = run only orig. program
9 = abort"
If a "1" is entered by the system user, the virus will then infect all
of the .COM programs in the current directory, and then execute the
original program. When Tester infects .COM programs, it will display
one of the following two lines, indicating which .COM program it is
currently processing. The first line is displayed for the program if
it was previously infected, the second line only if it is currently
infecting the program:
"Already infected: xxxxxxxx.COM"
"INFECTED: ------> xxxxxxxx.COM"
Entering a "5" will result in no additional programs being infected, and
the original program is executed. Finally, entering a "9" will result
in the program terminating and the user being returned to a DOS prompt.
Programs infected with Tester will increase in size by 1,000 bytes, the
virus will be located at the beginning of the infected file. The
program's date and time in the DOS disk directory will have also been
updated to the date and time when infection occurred.
Virus Name: The Plague
Aliases:
V Status: Rare
Discovered: January, 1991
Symptoms: "Program too big to fit in memory" message;
Programs do not execute properly; Long disk accesses;
Message and disk overwrite
Origin: United States
Eff Length: 590 Bytes
Type Code: ONAK - Overwriting Non-Resident .COM & .EXE Infector
Detection Method:
Removal Instructions: Delete infected files
General Comments:
The Plague Virus was isolated in January, 1991 in the United States.
This virus is a non-memory resident infector of .COM and .EXE files,
including COMMAND.COM.
When a program infected with The Plague is executed, the virus will
attempt to infect up to three programs on the current drive, starting
in the current directory. Infected programs can be either .COM or
.EXE files, and COMMAND.COM can become infected. This virus is an
overwriting virus. It replaces the first 590 bytes of the program
being infected with a copy of itself. The file date and time in the
disk directory are not altered.
Programs infected with The Plague will not function properly. For .EXE
files, the following message will usually be displayed upon program
execution:
"Program too big to fit in memory"
This message may also occur for some .COM programs, but not usually.
The Plague activates when an infected program is executed and it can
not find an uninfected program to infect, though there is some
randomness to whether or not the activation will actually occur.
When this virus activates, the following message is displayed:
"Autopsy indicates the cause of
death was THE PLAGUE
Dedicated to the dudes at SHHS
VIVE LE SHE-MAN!"
While the message is being displayed, the disk in the current drive
will be overwritten with garbage characters, rendering it unrecoverable.
Programs infected with The Plague cannot be disinfected since the
first 590 bytes of the program no longer exists. The programs must
be deleted and replaced with clean copies.
Virus Name: Tiny Family
Aliases: Tiny-133, Tiny-134, Tiny-138, Tiny-143, Tiny-154, Tiny-156,
Tiny-158, Tiny-159, Tiny-160, Tiny-167, Tiny-198
V Status: Rare
Discovery: July, 1990
Symptoms: .COM file growth
Origin: Bulgaria
Eff Length: 133 - 198 Bytes (see below)
Type Code: PRC - Parasitic Resident .COM Infector
Detection Method: ViruScan V66+, Pro-Scan 2.01+ (larger variants only)
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The Tiny Family of Viruses was received by the author in July 1990
from Vesselin Bontchev of Bulgaria. All the viruses in this grouping
share the same characteristics, with the only real difference is the
effective length of the viral code. There were five (5) viruses
included in the "family" as of July, 1990: Tiny-158, Tiny-159,
Tiny-160, Tiny-167, and Tiny-198. In October 1990, five (5)
additional viruses in this family were received from Vesselin
Bontchev: Tiny-134, Tiny-138, Tiny-143, Tiny-154, and Tiny-156.
In December 1990, an eleventh member was added to this family:
Tiny-133.
The first time a file infected with one of the Tiny Family viruses
is executed on a system, the virus will install itself memory resident
at memory segment 60h. This area of memory is normally only used by
DOS when the system is booted, after that it is never used or
referenced. Interrupt 21 will be hooked by the virus.
After the virus is memory resident, the virus will infect any .COM
program that is executed. Infected programs will have a file length
increase of between 134 - 198 bytes, depending on which variant is
present on the system. The file's date and time in the directory will
also have been updated to the system date and time when the infection
occurred.
The Tiny Family of Viruses currently does not do anything but
replicate.
The viruses in this "family" are not related to the Tiny Virus
documented below.
Known members of the Tiny Family are:
Tiny-133 : Similar to Tiny-134, this variant's effective length is
133 bytes. The bugs in Tiny-134 have been fixed, this
virus is an excellent replicator. This variant has also
been altered so that it cannot be detected by anti-viral
utilities which were aware of other members of this family.
Tiny-134 : This variant's effective length is 134 bytes. This
variant is the only member of this family which is not
a very viable virus, it will usually hang the system
when it attempts to infect .COM files.
Tiny-138 : Same as above, effective length is 138 bytes.
Tiny-143 : Same as above, effective length is 143 bytes.
Tiny-154 : Same as above, effective length is 154 bytes.
Tiny-156 : Same as above, effective length is 156 bytes.
Tiny-158 : Same as above, effective length is 158 bytes.
Tiny-159 : Same as above, effective length is 159 bytes.
Tiny-160 : Same as above, effective length is 160 bytes.
Tiny-167 : Same as above, effective length is 167 bytes.
Tiny-198 : Same as above, effective length is 198 bytes.
Also see: Tiny Virus
Virus Name: Tiny Virus
Aliases: 163 COM Virus, Tiny 163 Virus
V Status: Rare
Discovery: June, 1990
Symptoms: COMMAND.COM & .COM file growth
Origin: Denmark
Eff Length: 163 Bytes
Type Code: PNCK - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan V64+, VirexPC, F-Prot 1.12+, NAV
Removal Instructions: Scan/D, F-Prot 1.12+, or Delete infected files
General Comments:
The 163 COM Virus, or Tiny Virus, was isolated by Fridrik Skulason
of Iceland in June 1990. This virus is a non-resident generic
.COM file infector, and it will infect COMMAND.COM.
The first time a file infected with the 163 COM Virus is executed,
the virus will attempt to infect the first .COM file in the
current directory. On bootable diskettes, this file will normally
be COMMAND.COM. After the first .COM file is infected, each time
an infected program is executed another .COM file will attempt to
be infected. Files are infected only if their original length is
greater than approximately 1K bytes.
Infected .COM files will increase in length by 163 bytes, and have
date/time stamps in the directory changed to the date/time the
infection occurred. Infected files will also always end with this
hex string: '2A2E434F4D00'.
This virus currently does nothing but replicate, and is the
smallest MS-DOS virus known as of its isolation date.
The Tiny Virus may or may not be related to the Tiny Family documented
elsewhere in this listing.
Also see: Tiny Family
Virus Name: Traceback
Aliases: 3066
V Status: Extinct
Discovered: October, 1988
Symptoms: .COM & .EXE growth, TSR, graphic display 1 hour after boot
Origin:
Eff Length: 3,066 bytes
Type Code: PRsA - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, VirexPC,
AVTK 3.5+, VirHunt 2.0+, NAV
Removal Instructions: M-3066, VirClean, F-Prot, VirexPC, Pro-Scan 1.4+,
VirHunt 2.0+, NAV, or delete infected files
General Comments:
The Traceback virus infects both .COM and .EXE files, adding
3,066 bytes to the length of the file. After an infected
program is executed, it will install itself memory resident
and infect other programs that are opened. Additionally, if
the system date is after December 5, 1988, it will attempt to
infect one additional .COM or .EXE file in the current
directory. If an uninfected file doesn't exist in the current
directory, it will search the entire disk, starting at the
root directory, looking for a candidate. This search
process terminates if it encounters an infected file before
finding a candidate non-infected file.
This virus derives its name from two characteristics. First,
infected files contain the directory path of the file causing
the infection within the viral code, thus is it possible
to "trace back" the infection through a number of files. Second,
when it succeeds in infected another file, the virus will
attempt to access the on-disk copy of the program that the
copy of the virus in memory was loaded from so that it can
update a counter in the virus. The virus takes over disk
error handling while trying to update the original infected
program, so if it can't infect it, the user will be unaware
that an error occurred.
The primary symptom of the Traceback virus having infected
the system is that if the system date is after December 28,
1988, the memory resident virus will produce a screen display
with a cascading effect similar to the Cascade/1701/1704
virus. The cascading display occurs one hour after system
memory is infected. If a keystroke is entered from the key-
board during this display, a system lockup will occur. After
one minute, the display will restore itself, with the characters
returning to their original positions. This cascade and
restore display are repeated by the virus at one hour
intervals.
Known variant(s) of the Traceback virus are:
Traceback-B : Similar to the Traceback virus, the major differences
are that Traceback-B will infect COMMAND.COM and there
is no cascading display effect after the virus has
been resident for one (1) hour. Infected files will
also not contain the name of the file from which the
virus originally became memory resident, but instead
the name of the current file. A text string:
"MICRODIC MSG" can be found in files infected with
Traceback-B. If the system is booted from a diskette
whose copy of COMMAND.COM is infected, attempting to
execute any program will result in a memory allocation
error and the system being halted.
Origin: Spain, March 1990.
Traceback-B2: Similar to Traceback-B2, this variant has the cascading
display effect after the virus has been resident in
memory for one (1) hour. The text string " XPO DAD "
replaces the "MICRODIS MSG" text string in Traceback-B.
Origin: Spain, May 1990.
Also see: Traceback II
Virus Name: Traceback II
Aliases: 2930
V Status: Extinct
Discovered: October, 1988
Symptoms: .COM & .EXE growth, TSR, graphic display 1 hour after boot
Origin:
Eff Length: 2,930 Bytes
Type Code: PRA - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, VirexPC,
AVTK 3.5+, VirHunt 2.0+, NAV
Removal Instructions: Scan/D/X, F-Prot, VirexPC, Pro-Scan 1.4+, VirHunt 2.0+,
NAV, or delete infected files.
General Comments:
The Traceback II virus is a variant of the Traceback (3066)
virus. It is believed that Traceback II predates the
Traceback virus, however the Traceback virus was isolated
and reported first. As with the Traceback virus, the
Traceback II virus is memory resident and infects both .COM
& .EXE files.
The comments indicated for the Traceback virus generally
apply to the Traceback II virus, with the exception that the
file length increase is 2,930 bytes instead of 3,066 bytes.
Known variant(s) of the Traceback II Virus are:
Traceback II-B: Similar to Traceback II, this variant will infect
COMMAND.COM. When the cascading effect occurs, the
screen will not be restored, instead the system will
be hung requiring it to be powered off and rebooted.
Also see: Traceback
Virus Name: Turbo 448
Aliases: @ Virus, Turbo @, Polish-2
V Status: Rare
Discovered: November, 1990
Symptoms: .COM growth; File not found errors with some utilities.
Origin: Hungary
Eff Length: 448 Bytes
Type Code: PRCK - Parasitic Resident .COM Infector
Detection Method: ViruScan V71+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The Turbo 448, or @ Virus, was discovered in Hungary in November, 1990.
This virus is a memory resident infector of .COM files, including
COMMAND.COM.
The first time a program infected with the Turbo 448 Virus is executed,
the virus will install itself memory resident at the end of the
Command Interpretor in memory. Total system memory and available free
memory will not decrease. Interrupt 21 will be hooked by the virus.
The Turbo 448 Virus is unusual in that it does not infect programs when
they are executed. Instead, it infects .COM files when they are openned
for some other reason besides execution. For example, if the virus is
memory resident a program A.COM is copied to B.COM, both programs will
become infected by the virus.
Infected files will increase in length by 448 bytes, with the virus
being located at the end of the file. The program's date and time in
the disk directory will also have been updated to the system date and
time when the file was infected. The following text string can be
found at the end of all infected programs:
"Udv minden nagytudasunak! Turbo @"
Another interesting behavior of this virus is that when the virus is
memory resident, anti-viral products which are unaware of the Turbo 448's
presence in memory will not function properly. After the third file is
read, the program may fail due to a "file not found" error being received
when it attempts to open the fourth program.
Also see: Turbo Kukac 9.9
Virus Name: Turbo Kukac
Aliases: Kukac, Turbo Kukac 9.9, Polish-2
V Status: Rare
Discovered: November, 1990
Symptoms: .COM growth; Decrease in total system and free available memory;
File not found errors with some utilities.
Origin: Hungary
Eff Length: 512 Bytes
Type Code: PRCK - Parasitic Resident .COM Infector
Detection Method: ViruScan V71+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The Turbo Kukac, or Kukac, Virus was discovered in Hungary in November,
1990. This virus is a memory resident infector of .COM files, including
COMMAND.COM. It is very similar to the Turbo 448 Virus.
The first time a program infected with the Turbo Kukac Virus is executed,
the virus will install itself memory resident following the Command
Interpretor and any previously loaded TSRs. Total system memory and
available free memory will decrease by 1,040 bytes. Interrupts 05 and
21 will be hooked by the virus. Note that this virus does not use a low
system memory TSR, but instead creates a sort of "hole" in memory for
its usage.
Like the Turbo 448 Virus, this virus does not infect program when
they are executed. Instead, it infects .COM files when they are openned
for some other reason besides execution. For example, if the virus is
memory resident a program A.COM is copied to B.COM, both programs will
become infected by the virus.
Infected files will increase in length by 512 bytes with the virus being
located at the end of the file. The program's date and time in the
directory will also have been updated to the system date and time when
the file was infected. The following text string can be found at the
end of all infected programs:
"Turbo Kukac 9.9 $"
An interesting behavior of this virus is that when the virus is
memory resident, anti-viral products which are unaware of the Turbo
Kukac's presence in memory will not function properly. After the
fourth file is read, the program may fail due to a "file not found"
error being received when it attempts to open the fifth program.
Also see: Turbo 448
Virus Name: Typo Boot
Aliases: Mistake
V Status: Rare
Discovered: June, 1989
Symptoms: BSC, Resident TOM, garbled printout.
Origin: Israel
Eff Length: N/A
Type Code: BRt - Resident Boot Sector Infector
Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, AVTK 3.5+,
VirHunt 2.0+, NAV
Removal Instructions: MDisk, Pro-Scan 1.4+, F-Prot, NAV, or DOS SYS Command
General Comments:
The Typo Boot virus was first isolated in Israel by Y. Radai
in June, 1989. This virus is a memory resident boot sector
infector, taking up 2K at the upper end of system memory once
it has installed itself memory resident.
The major symptom that will be noticed on systems infected
with the Typo Boot virus is that certain characters in
printouts are always replaced with other phonetically
similar characters. Since the virus also substitutes hebrew
letters for other hebrew letters, the virus was most likely
written by someone in Israel. Digits in numbers may also
be transposed or replaced with other numbers. The substitutions
impact printouts only, the screen display and data in files are
not affected.
The Typo Boot virus is similar structurally to the Ping Pong
virus, and may be a variant of Ping Pong. It can be removed
from a disk by using MDisk, CleanUp, DOS SYS command, or
just about any Ping Pong disinfector.
Virus Name: Typo COM
Aliases: Fumble, 867
V Status: Extinct
Discovered: November, 1989
Symptoms: .COM growth, Resident TOM, garbled printout (see text).
Origin: England
Eff Length: 867 Bytes
Type Code: PRtC - Parasitic Resident .COM Infector
Detection Method: ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, AVTK 3.5+,
VirHunt 2.0+, NAV
Removal Instructions: Scan/D/X, F-Prot, Pro-Scan 1.4+, VirHunt 2.0+,
or delete infected files
General Comments:
The Typo COM virus is similar to the Typo Boot virus in that
it will garble data that is sent to the parallel port once it
has activated. Unlike the Boot virus, the COM virus infects
generic .COM files. This virus was first reported by Joe
Hirst of Brighton, UK, in November, 1989.
The Typo COM virus only infects .COM files on even-numbered
days.
Virus Name: USSR
Aliases:
V Status: Rare
Discovered: October, 1990
Symptoms: .EXE growth; hard disk boot sector and partition table damage;
system hangs; long program load times
Origin: USSR
Eff Length: 576 Bytes
Type Code: PNE - Parasitic Non-Resident .EXE Infector
Detection Method: ViruScan V71+, Pro-Scan 2.01+
Removal Instructions: Scan/D, or Delete infected Files
General Comments:
The USSR Virus was discovered in October, 1990 in the USSR. It is
an encrypted, non-resident generic infector of .EXE files.
Each time a program infected with the USSR Virus is executed, it will
search the currect directory for the first uninfected .EXE file. If
it finds one, it will attempt to infect it. Sometimes when the virus
attempts to infect a file, it will hang the system leaving the drive
light on, however most of the time the virus is successful. Infected
files will increase in length by 576 to 586 bytes, with the virus
located at the end of the file.
Systems infected with this virus may go to boot their system from its
hard disk only to find that the hard disk's boot sector has been
removed, and the partition table has been damaged, thus rendering the
hard disk inaccessible. This damage can be repaired using Norton
Disk Doctor, or MDisk with the /P option.
Infected systems will also experience longer than normal load times
when infected programs are executed. The longer than normal load time
is due to the virus searching for a file to infect, and then infecting
the candidate file if one was found.
Virus Name: USSR 311
Aliases: V-311
V Status: Rare
Discovered: January, 1991
Symptoms: .COM growth; COMMAND.COM renamed to COMMAND.CON
Origin: USSR
Eff Length: 311 Bytes
Type Code: PNCK - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan V74+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The USSR 311, or V-311, Virus was submitted in January, 1991. It
originated in the USSR. This virus is a non-resident infector of .COM
programs, including COMMAND.COM.
When a program infected with USSR 311 is executed, the virus will check
the system time to see if the seconds value is equal to one of 16
values. If it was equal to one of those 16 values, COMMAND.COM will be
renamed to COMMAND.CON. Whether or not the rename of COMMAND.COM
occurred, the virus will then infect one .COM program in the current
directory.
Infected .COM programs will increase in length by 311 bytes, the virus
will be located at the end of the infected file. The file's time in
the disk directory will also be modified to be 11:19:32, the infection
marker for this virus. The file date in the directory is not altered.
USSR 3111 will also alter the file attributes for the file in the
directory. In particular, bits 8 thru 15 will be reset, which may
produce unexpected results in environments that make use of these
bits.
Virus Name: USSR 492
Aliases:
V Status: Rare
Discovered: December, 1990
Symptoms: .COM file growth; File date/time changes
Origin: USSR
Eff Length: 495 - 508 Bytes
Type Code: PRfCK - Parasitic Resident .COM Infector
Detection Method: ViruScan V74+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The USSR 492 Virus was submitted in December, 1990 and is from the
USSR. This virus is a memory resident .COM file infector, it will
infect COMMAND.COM.
When the first program infected with USSR 492 is executed, the virus
will install itself memory resident in high system memory, but below
the 640K DOS boundary. This memory is not reserved by the virus.
Interrupt 21 will be hooked by the virus. At the time of going memory
resident, the virus will check to determine if COMMAND.COM on the C:
drive is infected, if it isn't, then the virus will infect it.
Once USSR 492 is memory resident, it will infect any .COM program which
is executed. Execution of COMMAND.COM on the A: drive is the only way
to infect COMMAND.COM on A:.
Programs infected with USSR 492 will have a file length increase of
495 to 508 bytes. The virus will be located at the end of infected
programs. Infected programs will also have their date and time in the
disk directory changed to the system date and time when infection
occurred.
USSR 492 does not appear to do anything besides replicate.
Virus Name: USSR 516
Aliases: Leapfrog
V Status: Rare
Discovered: December, 1990
Symptoms: .COM file growth
Origin: USSR
Eff Length: 516 Bytes
Type Code: PRCK - Parasitic Resident .COM Infector
Detection Method: ViruScan V74+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The USSR 516 Virus was submitted in December, 1990. It is from the
USSR. This virus is a memory resident infector of .COM programs,
including COMMAND.COM. It infects on file execution.
The first time a program infected with the USSR 516 Virus is executed,
the virus will install itself memory resident in a "hole in memory"
between MSDOS and the DOS Stacks. This area will be labelled
DOS Data. Interrupt 21 will be hooked by the virus. There will be
no change in total system memory or available free memory.
After the virus is memory resident, it will infect .COM programs which
are executed that had an uninfected file length which was greater than
512 bytes. Infected .COM programs will have their length increased
by 516 bytes, the virus will be located at the end of the program.
USSR 516 does not appear to do anything besides replicate. The original
submitted sample was not a natural infection of this virus, so this may
be a research virus.
Virus Name: USSR 600
Aliases:
V Status: Rare
Discovered: December, 1990
Symptoms: .COM file growth
Origin: USSR
Eff Length: 600 Bytes
Type Code: PRhCK - Parasitic Resident .COM Infector
Detection Method: ViruScan V74+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The USSR 600 Virus was submitted in December, 1990, and is from the
USSR. This virus is a memory resident infector of .COM programs,
including COMMAND.COM.
When the first program infected with USSR 600 is executed, the virus
will install itself memory resident at the top of system memory but
below the 640K DOS boundary. The DOS ChkDsk program will indicate
that total system memory and available free memory are 2,048 bytes
less than expected. This virus does not move the interrupt 12
return. USSR 600 uses interrupts 21 and 24.
Once USSR 600 is memory resident, it will infect .COM programs which
are executed if they have an original file length of at least 600
bytes. Infected files will increase in size by 600 bytes, and the
virus's code will be located at the beginning of the infected program.
It is unknown if this virus does anything besides replicate.
Virus Name: USSR 707
Aliases:
V Status: Rare
Discovered: December, 1990
Symptoms: .COM file growth; decrease in total system and available memory
Origin: USSR
Eff Length: 707 Bytes
Type Code: PRtCK - Parasitic Resident .COM Infector
Detection Method: ViruScan V74+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The USSR 707 Virus was submitted in December, 1990. It is from the
USSR. This virus is a memory resident infector of .COM programs,
including COMMAND.COM.
When the first program infected with the USSR 707 Virus is executed,
this virus will install itself memory resident at the top of system
memory but below the 640K DOS boundary. It will move the interrupt 12
return so that the virus in memory cannot be overwritten. USSR 707
makes use of interrupt 21, which will now map to the virus in high
system memory. Total system memory and available free memory will
be 720 bytes less than expected.
After USSR 707 is memory resident, any .COM program executed will
become infected by the virus. Infected .COM programs will have a
file length increase of 707 bytes, the virus will be located at the
end of the file. If COMMAND.COM is executed, it will be infected.
It is unknown if USSR 707 does anything besides replicate.
Virus Name: USSR 711
Aliases:
V Status: Rare
Discovered: December, 1990
Symptoms: .COM file growth; system hangs;
decrease in total system and available memory
Origin: USSR
Eff Length: 711 Bytes
Type Code: PRhC - Parasitic Resident .COM Infector
Detection Method: ViruScan V74+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The USSR 711 Virus was submitted in December, 1990, and comes from the
USSR. This virus is a memory resident infector of .COM files. It does
not infect COMMAND.COM.
When the first program infected with USSR 711 is executed, the virus
will install itself memory resident at the top of system memory but
below the 640K DOS boundary. This memory is reserved. The virus also
hooks interrupts 08, 13, and 21. The DOS ChkDsk program will indicate
that total system memory and available free memory is 704 bytes less
than what the user expects. The interrupt 12 return is not altered
by this virus.
After USSR 711 is memory resident, any .COM file which is executed that
had an original file length of at least 1600 bytes will be infected by
the virus. Infected .COM files will increase in size by 705 to 717
bytes, and the virus will be located at the end of the infected file.
Systems infected with USSR 711 may notice occasional system hangs which
may occur when this virus attempts to infect .COM programs.
It is unknown if USSR 711 does anything besides replicate and
occasionally hang the system when infecting files.
Virus Name: USSR 948
Aliases:
V Status: Rare
Discovered: December, 1990
Symptoms: .COM & .EXE growth; decrease in total system and available memory
Origin: USSR
Eff Length: 948 Bytes
Type Code: PRhA - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan V74+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The USSR 948 Virus was received in December, 1990, and originated in
the USSR. This virus is a memory resident infector of .COM and .EXE
files, and will also infect COMMAND.COM.
When the first program infected with USSR 948 is executed, this virus
will install itself memory resident at the top of system memory but
below the 640K DOS boundary. The interrupt 12 return will not be
altered, although the memory in use by the virus is reserved.
Interrupts 1C and 21 will be hooked by the virus.
After USSR 948 is memory resident, and .COM or .EXE program which is
executed or openned for any reason will become infected by the virus.
Infected programs, with the exception of COMMAND.COM, will increase
in size by between 950 to 963 bytes. In the case of COMMAND.COM, the
virus will overwrite a portion of the stack space located in the file,
so the file will not have a length change. In all cases, the file
date and times in the disk directory are not altered. Infected
programs will have the virus located at the end of the file.
It is unknown if USSR 948 does anything besides replicate.
Virus Name: USSR 1049
Aliases:
V Status: Rare
Discovered: December, 1990
Symptoms: .COM & .EXE growth; system hangs;
decrease in total system and available free memory
Origin: USSR
Eff Length: 1,049 Bytes
Type Code: PRhA - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan V74+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The USSR 1049 virus was received in December, 1990. It originated in
the USSR. This virus is a memory resident infector of .COM and .EXE
files, and does not infect COMMAND.COM.
When the first program infected with USSR 1049 is executed, the virus
will install itself memory resident at the top of system memory but
below the 640K DOS boundary. This memory will be 1,056 bytes in
size and is reserved. The interrupt 12 return is not moved. Interrupt
21 will be hooked by the virus.
After USSR 1049 is memory resident, the virus will infect .COM and
.EXE files when they are executed. The virus, however, will not infect
very small .EXE files. Infected files will increase in size by
1,051 to 1,064 bytes, the virus will be located at the end of the
infected program.
Systems infected with the USSR 1049 Virus may experience system hangs
when attempting to execute .EXE programs. These hangs occassionally
occur when the virus infects .EXE program, though the program being
infected will actually be infected.
It is unknown if USSR 1049 does anything besides replicate.
Virus Name: USSR 1689
Aliases: SVC V4.00
V Status: Rare
Discovered: December, 1990
Symptoms: .COM & .EXE growth; system hangs
Origin: USSR
Eff Length: 1,689 Bytes
Type Code: PRA - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan V74+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The USSR 1689 Virus was received in December, 1990. It is from the
USSR. This virus is not a very viable virus, though it does infect
both .COM and .EXE programs.
When the first program infected with USSR 1689 is executed, this virus
will install itself memory resident in the in-memory command
interpretor.
After the virus is memory resident, the virus will infect the next
.COM or .EXE program executed, though a system hang will also occur.
Infected programs will increase in size by 1,689 bytes, though on files
larger than 1,689 bytes, the virus will hide the file length increase
if the virus is already in memory. Files originally smaller than 1,689
bytes will indicate a file size increase in the DOS directory when the
virus is resident. In all cases, the virus will be located at the end
of infected programs.
With the system hang which occurs each time a program is infected by
this virus, it is not a very viable virus, and should not be considered
a threat in its current state.
Virus Name: USSR 2144
Aliases:
V Status: Rare
Discovered: December, 1990
Symptoms: .COM & .EXE growth; decrease in total system and available memory
Origin: USSR
Eff Length: 2,144 Bytes
Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan V74+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The USSR 2144 Virus was submitted in December, 1990, and is from the
USSR. This virus is a memory resident infector of .COM and .EXE files,
including COMMAND.COM.
When the first program infected with the USSR 2144 Virus is executed,
the virus will install itself memory resident at the top of system
memory but below the 640K DOS boundary. The DOS ChkDsk program will
indicate memory values that show 4,608 bytes less total system memory
and available free memory than expected. This virus does not move
the interrupt 12 return. The virus also directly alters the interrupt
page in memory so that some interrupts will now execute the virus's
code.
After USSR 2144 is memory resident, and program which was originally
greater in length than 2K that is executed or openned for reason will
become infected by the virus. Infected .COM programs will increase in
length by 2,144 bytes. .EXE programs will increase in length by 2,144
to 2,59 bytes. In both cases, the virus will be located at the end
of infected files. Infected files will not have their date and time in
the disk directory altered, and this virus does not hide the change in
file length of infected files.
It is unknown if USSR 2144 does anything besides replicate.
Virus Name: V651
Aliases: Eddie 3, Stealth Virus
V Status: Rare
Discovered: April, 1990
Symptoms: .COM & .EXE growth, decrease in system and free memory,
file allocation errors
Origin: Sofia, Bulgaria
Eff Length: 651 Bytes
Type Code: PRtA - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan V66+, VirHunt 2.0+
Removal Instructions: Scan/D, VirHunt 2.0+, or Delete infected files
General Comments:
The V651, or Eddie 3, Virus was isolated in Sofia, Bulgaria in
April 1990 by Vesselin Bontchev. V651 is believed to have been
written by the same author as Dark Avenger, V1024, and V2000.
This virus is a generic infector for .COM and .EXE files.
The first time a program infected with V651 is executed, the virus
will install itself memory resident. Using the DOS CHKDSK program,
total system memory, as well as available free memory, will be
decreased by 688 bytes.
Later, as programs with a length of 651 bytes or greater are executed,
they will be infected by the virus. Infected files increase in length
by 651 bytes, though the increase in file length will not be seen by
performing a directory command with the virus present in memory. The
total available disk space will also be adjusted by the virus so that
the decrease in available disk space due to the virus's activities
cannot be seen. Powering off the system and booting from a known
clean boot diskette, followed by issuing a directory command will
result in the correct infected file lengths being displayed as well
as the actual available space on the disk.
Infected files can be easily identified as the text string "Eddie
Lives." appears near the end of the infected file. These files will
also be 651 bytes longer than expected when the virus is not
present in memory.
A side effect of the V651 virus is that lost clusters may occur on
infected systems if the CHKDSK /F command is used. While this does
not occur for all infected files, the number of errors reported by
CHKDSK will be much higher statistically when V651 is present.
Unlike Dark Avenger and V2000, this virus does not infect
files on any file open. It only infects when programs are executed.
Also see: Dark Avenger, V1024, V2000
Virus Name: V800
Aliases: Live after Death Virus, Stealth Virus
V Status: Rare
Discovered: May, 1990
Symptoms: .COM growth, decrease in total system and available memory
Origin: Bulgaria
Eff Length: 800 Bytes
Type Code: PRC - Parasitic Resident .COM Infector
Detection Method: ViruScan V63+, Pro-Scan 1.4+, F-Prot 1.12+, NAV
Removal Instructions: CleanUp V64+, Scan/D, F-Prot 1.12+, or
delete infected files
General Comments:
The V800, or Live after Death, Virus was isolated in Bulgaria by
Vesselin Bontchev in May, 1990. The V800 is a self-encrypting
memory resident .COM infector, and it does not infect COMMAND.COM.
This virus is thought to have been written by the same person as
the Dark Avenger virus since many of the same techniques are
used.
The virus has received an alias of the Live after Death Virus as
the virus contains the "Live after Death" string, though it
cannot be seen in infected files as the virus is encrypted.
The first time an infected program is run on a system, the V800
Virus will install itself memory resident. In the process of
installing itself resident, it will decrease available system
memory by 16K, using 8,192 Bytes for itself in the top of
available free memory. It will also hook interrupt 2A.
Once in memory, every time a .COM file is attempted to be
executed, the virus will check to see if it is a candidate for
infection. Whether the file will be infected depends on the
size of the .COM file when it is attempted to be executed. In
no event is a .COM file smaller than 1024 bytes infected, but
not all .COM files over 1024 bytes are infected either.
The V800 Virus will reinfect .COM files, with the file's size
increasing by 800 bytes with each infection. It does not,
however, infect .COM files more than eight times.
Known variant(s) of the V800 Virus include:
V800M : Very similar to V800, the major difference is that V800M
will infect files on both file open and file execute,
putting this variant into the "Stealth" virus category.
When the virus becomes memory resident, total system and free
memory will decrease by only 8,192 bytes. This variant
does not have the "Live after Death" string in it.
Virus Name: V801
Aliases: V791
V Status: New
Discovered: March, 1991
Symptoms: .COM & .EXE growth; System hangs
Origin: USA
Eff Length: 791 Bytes
Type Code: PNAK - Parasitic Non-Resident .COM & .EXE Infector
Detection Method: ViruScan V76+
Removal Instructions: Scan/D/A, or Delete infected files
General Comments:
The V801 Virus was received in March, 1991 from the United States.
This virus is a non-resident, direct action infector of .COM and .EXE
programs. It will infect COMMAND.COM.
When a program infected with V801 is executed, the virus will search
the current directory for an uninfected .EXE program. If one is found,
it will infect the program. If an uninfected .EXE program is not found,
the virus will then search for an uninfected .COM program in the
current directory, and infect it.
Programs infected with V801 will increase in size by 791 to 808 bytes.
.COM programs will have the virus located at their beginning. .EXE
programs will have the virus located at the end of the infected file.
The program's date and time in the disk directory will not be altered.
Some infected programs may cause a system hang when they are attempted
to be executed.
V801 doesn't appear to do anything besides replicate.
Virus Name: V1024
Aliases: Dark Avenger III, Stealth Virus, Diamond
V Status: Rare
Discovered: May, 1990
Symptoms: TSR; decrease in available free memory
Origin: Bulgaria
Eff Length: 1,024 Bytes
Type Code: PRA - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan V64+, NAV
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The V1024, or Dark Avenger III, Virus was discovered in Bulgaria in
April 1990 by Daniel Kalchev. V1024 is a memory resident generic
infector of .COM and .EXE files. It is believed to have been written
by the same person that wrote Dark Avenger and V2000. This virus may
actually be an earlier version of the Dark Avenger virus, it has many
of the same characteristics, though it does not infect all files when
they are opened for any reason.
The first time a program infected with V1024 is executed, the virus
will install itself memory resident. At this time, it checks to see
if several interrupts are being monitored, including interrupts 1
and 3. If interrupts 1 and 3 are monitored, V1024 allow the current
program to run, but any subsequent program executed will hang the
system and V1024 will not replicate. When V1024 is memory resident,
infected systems will experience a decrease in free memory by 1,072
bytes. Total system memory will not have changed. The virus will
have remapped several interrupts by altering their location in the
interrupt map page in memory. These interrupts will now be controlled
by V1024.
After V1024 becomes memory resident, the virus will infect any
program executed which is greater in length than 1,024 bytes. Both
.COM and .EXE files are infected, COMMAND.COM is not infected.
Infected files increase in length by 1,024 bytes, though this increase
will not appear if the virus is present in memory and a DIR listing
is done.
V1024 infected files can be identified by a text string which
appears very close to the end of infected files. The text string is:
'7106286813'.
V1024 does not appear contain any activation date.
Known variant(s) of V1024 include:
Diamond : Similar to V1024, Diamond's main difference is that it
becomes memory resident at the top of system memory but
below the 640K DOS boundary. Total system memory, and
available free memory, as measured by the DOS ChkDsk
program will decrease by 1,072 bytes. Interrupts 08 and
21 will be hooked by the virus.
Diamond-B : Similar to Diamond, this variant has been slightly altered
to avoid detection by some anti-viral programs.
Also see: Dark Avenger, V2000, V651
Virus Name: V2000
Aliases: Dark Avenger II, Stealth Virus, Travel Virus
V Status: Rare
Discovered: 1989
Symptoms: TSR; .COM, .EXE, .OV? growth (see text); crashes;
crosslinked files following CHKDSK.
Origin: Bulgaria
Eff Length: 2,000 Bytes
Type Code: PRA - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan V59+, Pro-Scan 1.4+, AVTK 3.5+, VirHunt 2.0+,
NAV
Removal Instructions: Scan/D, Pro-Scan 1.4+, NAV, or delete infected files
General Comments:
The V2000, or Dark Avenger II, virus is a memory resident generic
file infector. The first isolated samples of this virus were
received from Bulgaria, where it was isolated by Daniel Kalchev
and Niki Spahiev.
V2000 will infect .COM, .EXE, and Overlay files, as well as
COMMAND.COM. When the first infected file is executed, the virus
installs itself memory resident, and then infected COMMAND.COM if
it has not already been infected. Then, when an executable file
is opened for any reason, it is infected if it hasn't been
previously infected.
Increased file lengths will not be shown if the V2000 virus is
present in memory when a DIR command is issued. Issuing a
CHKDSK /F command on infected systems may result in crosslinking
of files since the directory information may not appear to match
the entries in the file allocation table (FAT).
Systems infected with the V2000 virus will experience unexpected
system crashes, resulting in lost data. Some systems may also
become unbootable due to the modification of COMMAND.COM or the
hidden system files.
One of the following two text strings will appear in the viral code
in infected files, thus accounting for the alias of Travel Virus used in
Bulgaria:
"Zopy me - I want to travel"
"Copy me - I want to travel"
There are reports from Bulgaria that the V2000 virus looks for and
hangs the system if programs written by Vesselin Bontchev are
attempted to be executed. This would explain the presence of the
following copyright notice within the viral code:
"(c) 1989 by Vesselin Bontchev"
Known variants of the V2000 virus include:
V2000-B/Die Young : Similar to the V2000 virus, the main difference is
that the text string "Zopy me - I want to travel" is now
"Only the Good die young..." or "Mnly the Good die young..."
and the encryption used by the virus is different. This
variant is actually the original virus, predating V2000.
Also see: Dark Avenger, V1024, V651
Virus Name: V2100
Aliases: 2100, Stealth Virus, UScan Virus
V Status: Rare
Discovered: July, 1990
Symptoms: file allocation errors, decrease in system and free memory
Origin: Bulgaria
Eff Length: 2,100 Bytes
Type Code: PRtA - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan V66+, NAV
Removal Instructions: Scan/D, NAV, or delete infected files
General Comments:
The V2100, or 2100, Virus was first isolated in Sofia, Bulgaria by
Vesselin Bontchev in July 1990. It is a resident generic infector
of .COM, .EXE, and overlay files. It will also infect COMMAND.COM.
This virus appears to have been originally released into the public
domain on an anti-viral program named UScan which was uploaded to
a BBS in Europe. While not all copies of UScan are carriers
of this virus, there was one version which exists that has the virus
embedded in its program code. The virus cannot be detected on this
trojan version using search algorithms for this virus. V2100 is
believed to have been written by the author of Dark Avenger.
The first time a program infected with V2100 is executed, the virus
will install itself memory resident above top of memory but below
the 640K boundary. The top of memory returned by interrupt 12 will
be lower than expected by 4,288 bytes. Likewise, free memory will
have decreased by 4,288 bytes. At this same point, V2100 will infect
COMMAND.COM though the change in file length will be hidden by the
virus.
Once the virus is memory resident, it will infect any .COM, .EXE, or
overlay file with a file length of at least 2100 bytes that is
executed or opened for any reason. The simple act of copying an
executable file will result in both the source and target files
becoming infected. Infected files will be 2,100 bytes longer,
though the virus will hide the change in file length so that
it isn't noticeable when directories are listed. In some cases,
infected files will appear to be 2,100 bytes smaller than expected
if the virus is present in memory.
Systems infected with the V2100 virus will notice file allocation
errors occurring, along with crosslinking of files. Due to these
errors, some files may become corrupted. These file allocation
errors are truly errors, they exist whether or not the virus is
present in memory.
A side note on the V2100 Virus: if the system had previously been
infected with the Anthrax virus, V2100's introduction will result
in the Anthrax virus again being present in the hard disk partition
table. This effect occurs because Anthrax stores a copy of itself
on the last sectors of the hard disk. When V2100 becomes resident,
it searches the last 16 cylinders of the hard disk for a copy of
Anthrax. If V2100 finds the hidden copy of Anthrax, it copies it
into the hard disk's partition table. On the next system boot from
the hard disk, Anthrax will once again be active on the system.
Virus Name: V2P2
Aliases:
V Status: Research
Discovered: June, 1990
Symptoms: .COM file growth
Origin: Minnesota, USA
Eff Length: 1,426 - 2,157 Bytes
Type Code: PNCK - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan/X V67+, Pro-Scan 2.01+, NAV
Removal Instructions: Scan/D/X, or delete infected files
General Comments:
The V2P2 Virus is a research virus written by Mark Washburn and
distributed to some anti-viral program authors in June of 1990.
This virus, according to its author, has not been released. This
virus is a non-resident generic infector of .COM files.
When a program infected with the V2P2 virus is executed, it will
infect the first .COM file it finds in the current directory which
is not infected with the virus. The virus adds its code to the
end of the file, and the infected file's length will increase
between 1,426 and 2,157 bytes.
Like the 1260 virus, this virus uses a complex encryption method.
In fact, the encryption used with the 1260 virus is one of several
possible encryptions that V2P2 may produce. As a result, virus
scanning software will often identify the 1260 virus in a file as
being both 1260 and V2P2. This identification is entirely valid
as 1260 is a special case of V2P2.
Also see: 1260, V2P6, V2P6Z
Virus Name: V2P6
Aliases:
V Status: Research
Discovered: July, 1990
Symptoms: .COM file growth
Origin: Minnesota, USA
Eff Length: 1,946 - 2,111 Bytes
Type Code: PNCK - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan/X V67+, Pro-Scan 2.01+, NAV
Removal Instructions: Scan/D/X, NAV, or delete infected files
General Comments:
The V2P6 Virus is a research virus written by Mark Washburn and
distributed to some anti-viral program authors in July of 1990.
This virus, according to its author, has not been released. This
virus is a non-resident generic infector of .COM files similar to
the 1260, V2P2, and V2P6Z viruses.
When a program infected with the V2P6 virus is executed, it will
infect the first .COM file it finds in the current directory which
is not infected with the virus. The virus adds its code to the
end of the file, and the infected file's length will increase
between 1,946 and 2,111 bytes.
Like the 1260 and other viruses by Mark Washburn, this virus uses
a complex encryption method. The encryption method used by V2P6 is
more complex than that used in V2P2, but less complex than that used
in the last known virus in this family, V2P6Z. Like V2P2, an
algorithmic approach must be used to identify this virus.
Known variant(s) of V2P6 include:
V2P6-B : Similar to V2P6 in behavior, programs infected with this
variant will increase in size by 1,990 to 2,261 bytes.
Also see: 1260, V2P2, V2P6Z
Virus Name: V2P6Z
Aliases:
V Status: Research
Discovered: August, 1990
Symptoms: .COM file growth
Origin: Minnesota, USA
Eff Length: 2,076 - 2,364 Bytes
Type Code: PNCK - Parasitic Non-Resident .COM Infector
Detection Method: NAV
Removal Instructions: NAV, or Delete infected files
General Comments:
The V2P6Z Virus is a research virus written by Mark Washburn and
distributed to some anti-viral program authors in August, 1990.
This virus, according to its author, has not been released. This
virus is a non-resident generic infector of .COM files similar to
the 1260, V2P2, and V2P6 viruses.
When a program infected with the V2P6Z virus is executed, it will
infect the first .COM file it finds in the current directory which
is not infected with the virus. The virus adds its code to the
end of the file, and the infected file's length will increase
between 2,076 and 2,364 bytes.
Like the 1260 and other viruses by Mark Washburn, this virus uses
a complex encryption method. The encryption method used by V2P6Z is
the most complex of the encryption methods employed by the viruses in
this family of viruses. Like V2P2 and V2P6, an algorithmic approach
must be used to identify this virus as there is no possible
identification string within the encrypted viral code.
Also see: 1260, V2P2, V2P6
Virus Name: Vacsina
Aliases:
V Status: Endangered
Discovered: November, 1989
Symptoms: TSR; .COM, .EXE, .BIN, & .SYS growth; "beeps"
Origin: Bulgaria
Eff Length: 1,206 bytes
Type Code: PRsA - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan, F-Prot, Pro-Scan 1.4+, VirexPC, AVTK 3.5+,
VirHunt 2.0+, NAV
Removal Instructions: CleanUp V64+, Scan/D/A, F-Prot, VirHunt 2.0+,
or delete infected files
General Comments:
The Vacsina virus is approximately 1200 bytes in length and can
be found in memory on infected systems. There are at least 48
variants of the Vacsina virus, also known as the TP virus
family, though not all of them have been isolated. Later versions
of this virus are included in this listing under the name
"Yankee Doodle".
Generally, the Vacsina Virus infects both .COM and .EXE files,
as well as .SYS and .BIN files. This virus, when infecting a .EXE
file, will first convert it into .COM format by changing the MZ
or ZM identifier in the first two bytes of the file to a JMP
instruction and then adding a small piece of relocator code, so
that the .EXE file can be infected as though it were originally a
.COM file.
One sign of a Vacsina infection is that programs which have been
infected may "beep" when executed. Infected programs will also
have their date/time in the disk directory changed to the date and
time they were infected.
Known Vacsina Variants Include:
TP04VIR - Infects .EXE files, changing them internally into .COM
files. Infected programs may beep when executed, and
may be identified by searching for the text string
"VACSINA" along with the second byte from the end of
the file containing a 04h. This version of Vacsina is
a poor replicator, and while it will always convert a
.EXE file to .COM file format, adding 132 bytes, it does
not always infect executed files.
TP05VIR - Similar to TP04VIR, except that the second to the last
byte in the file is now a 05h. System hangs may also
be experienced.
TP06VIR - Similar to TP05VIR, except the second to the last byte in
the file is now a 06h.
TP16VIR - Similar to TP06VIR, the second to the last byte in the
infected file is now 10h.
TP23VIR - Similar to TP16VIR, the second to the last byte in the
infected file is now 17h. The text "VACSINA" no longer
appears in the virus.
TP24VIR - Similar to TP23VIR, the second to the last byte in the
infected file is now 18h.
TP25VIR - Similar to TP24VIR, the second to the last byte in the
infected file is now 19h.
Also see: Yankee Doodle
Virus Name: VComm
Aliases: 637
V Status: Rare
Discovered: December, 1989
Symptoms: .EXE growth, TSR, write failures
Origin: Poland
Eff Length: 637 Bytes
Type Code: PRaE - Parasitic Resident .EXE Infector
Detection Method: F-Prot, ViruScan V60+, IBM Scan, Pro-Scan, VirexPC,
AVTK 3.5+, VirHunt 2.0+, NAV
Removal Instructions: F-Prot, Scan/D, VirexPC, or delete infected files
General Comments:
The Vcomm virus is of Polish origin, first isolated in
December, 1989. The virus is a .EXE file infector. When an
infected file is run, the virus will attempt to infect one
.EXE file in the current directory. It will also infect the
memory resident version of the system's command interpreter.
When Vcomm infects a file, it first pads the file so that the
files length is a multiple of 512 bytes, then it adds its
637 bytes of virus code to the end of the file.
The memory resident portion of the virus intercepts any
disk writes that are attempted, and changes them into disk
reads.
Virus Name: VFSI
Aliases: 437, Happy Day
V Status: Rare
Discovered: September, 1990
Symptoms: .COM growth; message
Origin: Bulgaria
Eff Length: 437 Bytes
Type Code: PNCK - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan V71+, Pro-Scan 2.01+
Removal Instructions: Scan/D, Pro-Scan 2.01+, or Delete infected files
General Comments:
The VFSI Virus was isolated in September, 1990 at VFSI (the Higher
Institute of Financial Management) located in Svistov, a town on the
Danube. VFSI is a non-resident, direct action, infector of .COM files,
including COMMAND.COM.
When a program infected with the VFSI virus is executed, it will infect
one other .COM file located in the current directory. Candidate files
to be infected are first aligned to be a multiple of 16, and then the
viral code is added. Infected files will increase in length by between
437 and 452 bytes, with the viral code being located at the end of
infected files.
Infected files can be easily identified as they will always contain the
following hex string: 3A483F244B6F636E706C74.
On approximately one out of five executions of an infected program, the
program will flash the following message on the screen:
"HELLO!!! HAPPY DAY and SUCCESS
from virus 1.1 VFSI-Svistov"
This message is encrypted in the viral code, so it is not visible in
infected files.
Virus Name: VHP
Aliases: VHP-348, VHP-353, VHP-367, VHP-435
V Status: Research
Discovered: July 1989
Symptoms: .COM growth, system hangs
Origin: Bulgaria
Eff Length: 348 - 435 Bytes
Type Code: PNC - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan V64+, AVTK 3.5+, F-Prot 1.12+, Pro-Scan 2.01+,
NAV
Removal Instructions: Scan/D, F-Prot 1.12+, or Delete infected files
General Comments:
The VHP Virus is actually a small group or "family" of viruses that
was discovered in Bulgaria in early 1990. There are currently four
identified variants to the VHP Virus, with the VHP-435 variant being
the one with the most potential for spreading. These viruses were
originally based on the Vienna virus. The progression of the
variants shows each variant to be a slightly better replicator.
The VHP Viruses are:
VHP-348 : This variant does not replicate due to bugs in the
virus code. If it did replicate, it would infect
.COM files. The virus's effective length is 348 bytes.
VHP-353 : VHP-348 fixed so that it will infected COMMAND.COM,
increasing its size by 353 bytes. It does not infect
other .COM files. This variant is still buggy, and it
will occasionally hang systems when attempting to find
a .COM file to infect.
VHP-367 : VHP-353 which will now infect .COM files besides
COMMAND.COM. Infected files increase in size by 367
bytes. Very rarely, this virus will reinfect an infected
.COM file. VHP-353 does not always infect a .COM file
when an infected program is executed, it will sometimes
not infect any .COM file, though it has in effect
immunized the file from infection. This effect is
probably a bug in this variant.
VHP-435 : Isolated in July, 1989, this variant is 435 bytes in
length and is not destructive, all it does is spread.
VHP-435 will attempt to infect 1 file each time an
infected program is executed. COMMAND.COM and .EXE
files are not infected. After infecting all of the
.COM files on the current drive and directory, it will
attempt to infect drive C:. VHP-435 is the VHP-367
virus with some modifications to make it less likely to
be noticed.
Also see: Vienna, VHP2
Virus Name: VHP2
Aliases: 623, VHP-623
V Status: Research
Discovered: March, 1990
Symptoms: .COM growth, reboots or system hangs
Origin: Bulgaria
Eff Length: 623 bytes
Type Code: PNC - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan V64+, Pro-Scan 1.4+, AVTK 3.5+, F-Prot 1.12+,
VirHunt 2.0+, NAV
Removal Instructions: Scan/D, Pro-Scan 1.4+, F-Prot 1.12+, or
Delete infected files
General Comments:
The VHP2 Virus was isolated in Bulgaria in March, 1990. This virus
is based on the Vienna Virus, and has many of the same characteristics
of the VHP-435 variant of the VHP virus. It's major difference is that
of effective length, and that 1 of every 8 infected programs will
perform a system warm reboot.
VHP2 is 623 bytes long, infecting only .COM files but not COMMAND.COM.
Known variants of the Vienna Virus include:
VHP-627 : Similar to VHP-623, except that its length is 627 bytes.
Also see: VHP, Vienna
Virus Name: Victor
Aliases:
V Status: Rare
Discovered: May, 1990
Symptoms: .COM &.EXE growth, data file corruption, file linkage errors,
and unexpected system reboots
Origin: USSR
Eff Length: 2,458 bytes
Type Code: PRAK - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan V63+, Pro-Scan 1.4+, VirexPC, F-Prot 1.12+, NAV
Removal Instructions: Scan/D, Pro-Scan 1.4+, F-Prot 1.12+, NAV, or
Delete infected files
General Comments:
The Victor Virus was first isolated in May, 1990. It is believed
to have originated in the USSR due to messages which appear within
the viral code:
"Victor V1.0 The Incredible High Performance Virus
Enhanced versions available soon.
This program was imported from USSR.
Thanks to Ivan."
The above message can be found at the end of infected files, but
does not appear to ever be displayed.
The first time a program infected with the Victor Virus is executed,
the virus will install itself memory resident, occupying 3,072 bytes
at the top of free memory. Interrupt 21 will be intercepted by
the virus. After becoming memory resident, Victor will then
seek out and infect COMMAND.COM.
Victor is a very slow file infector, only infected approximately
1 in every 10 programs executed after it becomes memory resident.
Infected programs will increase in length by between 2,443 and
2,458 bytes. The increase in file size is not hidden by the
virus.
Occasionally in the process of infecting a file, the virus will
hang the system, which may result in data file corruption.
Overlay files may also be infected, resulting in file linkage
errors.
Virus Name: Vienna
Aliases: Austrian, Unesco, DOS-62, DOS-68, 1-in-8, 648
V Status: Rare
Discovered: April, 1988
Symptoms: .COM growth; System reboots; System hangs
Origin: Austria
Eff Length: 648 bytes
Type Code: PNC - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+,
VirHunt 2.0+, NAV
Removal Instructions: CleanUp V66+, VirClean, F-Prot, VirHunt 2.0+,
Pro-Scan 1.4+, VirexPC, or NAV
General Comments:
The Vienna virus was first isolated in April, 1988, in Moscow at
a UNESCO children's computer summer camp. The Vienna virus is a
non-resident, direct action infector of .COM programs, including
COMMAND.COM.
When a program infected with the Vienna Virus is executed, the virus
will select a .COM program in the current directory which as previously
not been modified by the virus. Usually, the Vienna Virus will infect
this file and set the seconds in the file's time in the disk directory
to 62. Infected programs will have a file length increase of 648
bytes with the virus being located at the end of the infected program.
One out of every six programs which Vienna selects will not be actively
infected by the virus. Instead, the first five bytes of the selected
.COM program will be changed to the hex character string "EAF0FF00F0",
and the seconds field in the file time will be set to 62. When these
programs are later executed, a system warm boot may occur. Since these
corrupted programs do not actually contain the Vienna Virus, and most
anti-viral programs cannot detect them, systems which have been infected
by Vienna will continue to experience unexpected reboots until all of
the corrupted .COM programs have been replaced with clean copies.
Some programs will hang upon execution after they have been infected
by the Vienna virus.
The Vienna virus was written by a high school student in Vienna
Austria as an experiment. Its large number of variants, as well as
other viruses which are in part based on Vienna code, can be
accounted for as its source code has been published many times.
Due to the large number of variants, Vienna infections may not exhibit
exactly the symptoms indicated above.
Known variants of the Vienna Virus include:
Vienna-B : Similar to Vienna, except that instead of a warm reboot,
the program being executed will be deleted.
Vienna-B 645 : Similar to the Vienna-B variant, this variant's
effective length is 645 bytes. It does not perform either
a warm reboot or delete executed programs. It does,
however, infect COMMAND.COM
Origin: United States
Vien6 : Similar to Vienna, except that the warm reboot has been
removed. Effective length of the virus is still 648 bytes.
After 7 files have become infected on the current drive,
the virus will then start infecting .COM files on drive C:.
Also see: 1260, Arf, Ghostballs, Grither, Lisbon, W13, VHP, VHP-2,
Violator
Virus Name: Violator
Aliases: Violator Strain B
V Status: Endangered
Discovered: August, 1990
Symptoms: .COM growth, Sector not found error on drive B:
Origin: USA
Eff Length: 1,055 Bytes
Type Code: PNCK - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan V67+, Pro-Scan 2.01+, NAV
Removal Instructions: Clean-Up V71+, Scan/D, or Delete infected files
General Comments:
The Violator Virus was submitted in August, 1990 by an anonymous
user of Homebase BBS. This virus is a non-resident parasitic
virus which infects .COM files, including COMMAND.COM.
When a program infected with the Violator Virus is executed, what
happens depends on what the system date is set to. If the date is
prior to August 15, 1990, the virus will infect 1 .COM file located
in the current directory, adding 1,055 bytes to the program. If the
date is August 15, 1990 or after, the virus will not infect any files.
Symptoms of an infection of the Violator Virus include unexpected
attempts to access drive B:. If there is no diskette in drive B:,
or the diskette in drive B: is write-protected, a Sector not found
error will result.
The following message appears in the viral code located in infected
programs:
"TransMogrified (TM) 1990 by
RABID N'tnl Development Corp
Copyright (c) 1990 RABID!
Activation Date: 08/15/90
- Violator Strain B -
! (Field Demo Test Version) !
! * NOT TO BE DISTRIBUTED * !"
Also see: Vienna, Violator B4
Virus Name: Violator B4
Aliases: Christmas Violator, Violator Strain B4
V Status: Rare
Discovered: December, 1990
Symptoms: .COM growth on 8088 based system;
Hard Disk Corruption on 80286 & 80386 based systems
Origin: United States
Eff Length: 5,302 Bytes
Type Code: PNCK - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan V74+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The Violator B4 Virus was isolated in December, 1990 in the United
States. This virus was originally released into the public domain
on a trojan version of DSZ (DSZ1203). It is a non-resident infector
of .COM files, including COMMAND.COM.
What Violator B4 does depends on what processor is in the personal
computer it is being executed on. On 80286 and above processors, the
virus will activate immediately, overwriting the beginning portion of
the system hard disk. It will also attempt to display a Christmas
greeting at that time, but the greeting display will be garbled if
Ansi.Sys is not loaded. Damage caused by Violator B4 at activation
can be repaired using Norton Disk Doctor.
On an 8088 based system, Violator B4 will do nothing but replicate.
Each time an infected program is executed, the virus will infect one
other .COM program in the current directory. Violator B4 infected
files will have a file length increase of 5,302 bytes. The file's
date and time in the disk directory will not be altered. The virus
will be located at the end of the infected file.
The following text message is contained within the Violator B4 virus,
though it is never displayed:
"Violator Strain B4 - Written by RABID Nat'nl Development Corp.
RABID would like to take this opportunity to extend it's sincerest
holiday wishes to all Pir8 lamers around the world! If you are
reading this, then you are lame!!!
Anyway, to John McAffe! Have a Merry Christmas and a virus filled
new year. Go ahead! Make our day!
Remember! In the festive season, Say No to drugs!!! They suck shit!
(Bah! We make a virus this large, might as well have
something positive!)"
Virus Name: VirDem
Aliases: VirDem 2
V Status: Endangered
Discovered: 1986-1987
Symptoms: .COM growth, Messages
Origin: Germany
Eff Length: 1,236 Bytes
Type Code: PNC - Parasitic Non-Resident .COM Infector
Detection Method: VirexPC, AVTK 3.5+, F-Prot 1.12+, ViruScan V71+,
VirHunt 2.0+, Pro-Scan 2.01+, NAV
Removal Instructions: F-Prot 1.12+, Scan/D, or Delete infected files
General Comments:
The VirDem Virus was written in 1986-1987 by Ralf Burger of Germany.
The virus was originally distributed in Europe as a demonstration
virus, to assist computer users in understanding how a computer
virus operates.
The VirDem virus is not memory resident, and only infects .COM files
on the A: drive. It will always skip the first .COM file in the
root directory, so normally it will not infect COMMAND.COM. It will
also not infect .COM files past the second subdirectory on the disk.
Infected files that were originally less than approximately 1,500
bytes will be 2,616 bytes after infection. .COM files which were
greater than 1,500 bytes will increase in size by approximately
1,236 bytes.
When an infected program is executed, VirDem will infect the next
candidate .COM file. Infected files will contain the viral code,
followed by the original program. After infecting the .COM file,
the virus will play a "game" with you, starting with the following
text being displayed:
" VirDem Ver.: 1.06 (Generation #) aktive.
Copyright by R.Burger 1986,1987
Phone.: D - xxxxx/xxxx
This is a demoprogram for
computerviruses. Please put in a
number now.
If you're right, you'll be
able to continue.
The number is between
0 and # "
(Note: I have removed the phone number here, but it
appears where xxxxx/xxxx is above. Where # is, the
virus's generation number appears.)
At this point, you must guess the correct number and enter it. If
you put in the wrong number, you get the following message and
your program is not run:
" Sorry, you're wrong
More luck at next try .... "
If you guess the correct number, you receive the following message
and your program then executes:
" Famous. You're right.
You'll be able to continue. "
Finally, after all the candidate .COM files on the A: drive are
infected, the following message is displayed:
" All your programs are
struck by VIRDEM.COM now."
VIRDEM.COM was the original distribution file containing the virus,
and had a VIRDEM.DOC file included with it. VirDem is not widespread,
and is not destructive.
Known variant(s) of VirDem include:
VirDem 2 : Similar to the virus described above, the major difference
is that the text messages have been translated to German.
Also see: Burger
Virus Name: Virus-90
Aliases:
V Status: Research
Discovered: December, 1989
Symptoms: .COM growth, TSR
Origin: District of Columbia, USA
Eff Length: 857 bytes
Type Code: PRC - Parasitic Resident .COM Infector
Detection Method: ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan 1.4+, VirexPC,
AVTK 3.5+, NAV
Removal Instructions: Scan/D/X, F-Prot, Pro-Scan 1.4+,
or delete infected files
General Comments:
The Virus-90 virus was originally distributed in December, 1989
by Patrick Toulme as an "educational tool", with the virus
source also available for sale. In January, 1990, the
author contacted the sites where he had uploaded the virus
requesting that they remove it from their systems, his having
decided a live virus was not a "good idea" for an educational
tool after being contacted by several viral authorities.
The following description was submitted by Patrick Toulme in
November 1990 for inclusion in this listing:
"This educational, research virus was written by Patrick Toulme
to aid developers in understanding direct-virus action and in
creating virus-resistant software. This virus is a simple COM
infector that will not infect a hard drive and advises the user
when a file on a floppy disk is to be infected. Of course, no
damage occurs from the virus and all infected files advise the
user of the infection upon execution. The safeguards provided by
the author prevent accidental infection and the dis-assembly of the
code is extremely difficult. Upon request from the anti-viral
community, Virus-90 is now only available to approved anti-virus
researchers."
Also see: Virus101
Virus Name: Virus101
Aliases:
V Status: Research
Discovered: January, 1990
Symptoms: TSR, BSC, .COM growth (floppy only)
Origin: District of Columbia, USA
Eff Length: 2,560 Bytes
Type Code: PRAFK - Parasitic Resident Infector
Detection Method: ViruScan/X V67+, Pro-Scan 1.4+, F-Prot 1.12+, VirHunt 2.0+,
NAV
Removal Instructions: Scan/D/X or delete infected files
General Comments:
The Virus101 is the "big brother" of Virus-90, also written by
Patrick Toulme as an "educational tool" in January 1990.
This virus is memory resident, and employs an encryption scheme
to avoid detection on files. It infects COMMAND.COM, and all
other executable file types. Once it has infected all the
files on a diskette, it will infect the diskette's boot
sector. It only infects floppy diskettes in its current
version.
The following description was submitted by Patrick Toulme for
inclusion in this listing in November 1990:
"Virus-101 is a sophisticated, continually encrypting, research
virus written by Patrick Toulme, author of Virus-90. Virus-101
infects both COM and EXE files and will evade most anti-virus
software and will continually encrypt itself to prevent
non-algorithmic search scans. This virus is not available to the
general public and is presently used by government agencies and
corporate security departments to test anti-virus software and
hardware devices."
Also see: Virus-90
Virus Name: Voronezh
Aliases:
V Status: Rare
Discovered: December 1990
Symptoms: .COM & .EXE growth; decrease in total system and available memory
Origin: USSR
Eff Length: 1,600 Bytes
Type Code: PRhA - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan V74+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The Voronezh Virus was received in December, 1990. It is originally
from the USSR. Voronezh is a memory resident infector of .COM and
.EXE files, and does not infect COMMAND.COM.
The first time a program infected with Voronezh is executed the virus
will install itself memory resident. This virus will be resident at
the top of system memory but below the 640K DOS boundary. While the
virus reserves 3,744 bytes of memory for itself, it does not move the
interrupt 12 return. Interrupt 21 will be hooked by the virus. This
virus may also reserve 24 bytes of display memory on the display
adapter card.
After Voronezh is memory resident, .COM and .EXE files will be
infected when they are executed. Infected files will increase in
length by 1,600 bytes, the virus will be located at the end of
infected programs. Infected programs will also contain the
text string:
"Voronezh,1990 2.01".
It is unknown if this virus does anything besides replicate.
Known variant(s) of Voronezh are:
Voronezh B: Similar to the Voronezh Virus described above, the major
difference with Voronezh B is that Voronezh B will infect files
when they are executed or openned for any reason. The original
virus did not infect on file open. The text string indicated
for Voronezh is also found in this variant.
Virus Name: VP
Aliases:
V Status: Rare
Discovered: May 1990
Symptoms: COMMAND.COM & .COM file growth, system slowdown
Origin: England
Eff Length: 913 Bytes
Type Code: PNCK - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan V64+, Pro-Scan 1.4+, AVTK 3.5+, F-Prot 1.12+,
VirHunt 2.0+, NAV
Removal Instructions: Scan/D, Pro-Scan 1.4+, F-Prot 1.12+, VirHunt 2.0+, or
Delete infected files
General Comments:
The VP Virus was first isolated in May, 1990. It is a non-resident
generic .COM infector, and will infect COMMAND.COM. When an
infected program is run, the virus will attempt to locate and
infect another .COM file. In some cases, such as COMMAND.COM, the
virus will display the contents of the program being infected. In
other cases, the virus may attempt to execute the program being
infected. Infected files increase in length by 913 bytes, and
can be identified as the following hex string will appear near both
the beginning and the end of an infected program: '4503EB1808655650'.
Virus Name: W13
Aliases: Toothless Virus, W13-A
V Status: Endangered
Discovered: December, 1989
Symptoms: .COM growth
Origin: Poland
Eff Length: 534 Bytes
Type Code: PNC - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan V63+, F-Prot, IBM Scan, Pro-Scan 1.4+, VirexPC,
AVTK 3.5+, VirHunt 2.0+, NAV
Removal Instructions: Scan/D, F-Prot, Pro-Scan 1.4+, VirHunt 2.0+, NAV,
or delete infected files
General Comments:
The W13 virus is a .COM file infector that doesn't do much
except for infect files. The virus was isolated in December
1989 in Poland.
While W13 is based on the Vienna virus, it does not damage files
or have some of the other side effects of the Vienna virus. It
contains a number of bugs which prevent it from being a good
replicator.
Known variant(s) of W13 include:
W13-B : The original W13 Virus with several bugs fixed. This
variants length is 507 bytes instead of 534 bytes.
Virus Name: Westwood
Aliases:
V Status: Rare
Discovered: August, 1990
Symptoms: .COM & .EXE growth; TSR; system slowdown; black window;
file deletion on Friday The 13ths
Origin: Westwood, California, USA
Eff Length: 1,819 - 1,829 Bytes
Type Code: PRsA - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan V67+, F-Prot 1.12+, Pro-Scan 2.01+, NAV
Removal Instructions: Scan/D, CleanUp, NAV, or Delete infected files
General Comments:
The Westwood Virus was isolated in August, 1990 in Westwood, California.
This virus is a substantially altered variant of the Jerusalem B virus,
enough so that all anti-virals tested which could detect Jerusalem B
were unable to identify it. Like Jerusalem, it infects .COM, .EXE, and
overlay files, but not COMMAND.COM.
The first time a program infected with the Westwood virus is executed,
the virus will install itself memory resident as a low system memory
TSR of 1,808 bytes. Interrupts 8 and 21 will be hooked. If the
system date happens to be a Friday The 13th, interrupt 22 will also
be hooked.
After the virus is memory resident, any program which is executed
will become infected with the Westwood virus. .COM files will
increase by 1,829 bytes with the virus's code located at the beginning
of the infected program. .EXE files and overlay files are infected
with the virus's code added to the end of the program. .EXE files
increase in length by between 1,819 and 1,829 bytes. Unlike most
variants of the Jerusalem virus, Westwood does not reinfect .EXE files.
Infected systems will experience a system slowdown occurring after
the virus has been memory resident for 30 minutes. At this time, the
"black window" or "black box" common to the Jerusalem virus will
appear on the lower left hand side of the system display. Screen
contain around the area of the "box" may be corrupted if screen writes
happened to be occurring when the box appeared.
On Friday The 13ths, the Westwood Virus will delete any programs that
are executed once the virus becomes memory resident.
Also see: Jerusalem B
Virus Name: Whale
Aliases: Mother Fish, Stealth Virus, Z The Whale
V Status: Research
Discovered: August, 1990
Symptoms: .COM & .EXE growth; decrease in available memory;
system slowdown; video flicker; slow screen writes;
file allocation errors; simulated system reboot
Origin: Hamburg, West Germany
Eff Length: 9,216 Bytes
Type Code: PRhA - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan V67+, Pro-Scan 2.01+, NAV
Removal Instructions: Scan/D, CleanUp V67+, Pro-Scan 2.01+,
or Delete infected files
General Comments:
The Whale Virus was submitted in early September, 1990. This virus
had been rumored to exist since the isolation of the Fish 6 Virus in
June, 1990. It has been referred to by several names besides Whale,
including Mother Fish and Z The Whale. The origin of this virus is
subject to some speculation, though it is probably from Hamburg,
West Germany due to a reference within the viral code once it is
decrypted.
The first time a program infected with the Whale Virus is executed,
the Whale will install itself memory resident in high system memory
but below the 640K DOS boundary. On the author's XT clone, the
virus always starts at address 9D90. Available free memory will
be decreased by 9,984 bytes. Most utilities which display memory
usage will also indicate a value for total system memory which is
9,984 bytes less than what is actually installed.
The following text string can be found in memory on systems
infected with the Whale virus:
"Z THE WHALE".
Immediately upon becoming memory resident, the system user will
experience the system slowing down. Noticeable effects of the
system slowdown include video flicker to extremely slow screen
writes. Some programs may appear to "hang", though they will
eventually execute properly in most cases since the "hang" is due
to the slowing of the system.
When a program is executed with the Whale memory resident, the virus
will infect the program. Infected programs increase in length, the
actual change in length is usually 9,216 bytes. Note the "usually":
this virus does occasionally infect a program with a "mutant" which
will be a different length. If the file length increase is exactly
9,216 bytes, the Whale will hide the change in file length when a
disk directory command is executed. If the file length of the viral
code added to the program is other than 9,216 bytes, the file length
displayed with the directory command will either the actual infected
file length, or the actual infected file length minus 9,216 bytes.
Executing the DOS CHKDSK program on infected systems will result in
file allocation errors being reported. If CHKDSK /F is executed,
file damage will result.
The Whale also alters the program's date/time in the directory when
the file is executed, though it is not set to the system date/time
of infection. Occasionally, Whale will alter the directory entry
for the program it is infecting improperly, resulting in the directory
entry becoming invalid. These programs with invalid directory
entries will appear when the directory is listed, but some disk
utilities will not allow access to the program. In these cases, the
directory entry can be fixed with Norton Utilities FD command to
reset the file date.
The Whale occasionally will change its behavior while it is memory
resident. While most of the time it only infects files when
executed, there are periods of time when it will infect any file
opened for any reason. It will also, at times, disinfect files
when they are copied with the DOS copy command, at other times it
will not "disinfect on the fly".
Occasionally, the Whale Virus will simulate what appears to be a
system reboot. While this doesn't always occur, when it does occur
the Break key is disabled so that the user cannot exit unexpectedly
from the execution of the system's AutoExec.Bat file. If the
AutoExec.Bat file contained any software which does file opens of
other executable programs, those opened executable programs will
be infected at that time if they were not previously infected.
Typically, files infected in this manner will increase by 9,216
bytes though it will not be shown in a directory listing.
A hidden file may be found in the root directory of drive C: on
infected files. This file is not always present, the virus will
sometimes remove it, only to recreate it again at a later time.
The name of this hidden file is FISH-#9.TBL, it contains an
image of the hard disk's partition table along with the following
message:
"Fish Virus #9
A Whale is no Fish!
Mind her Mutant Fish
and the hidden Fish Eggs
for they are damaging.
The sixth Fish mutates
only if the Whale is in
her Cave."
After the discovery of this hidden file, the author of this
document made several attempt to have the Fish 6 Virus mutate
by introducing it and Whale into a system. Under no circumstances
did a mutation of either virus result, the resultant files were
infected with both an identifiable Fish 6 infection and a Whale
infection.
Whale is hostile to debuggers and contains many traps to prevent
successful decryption of the virus. One of its "traps" is to lock
out the keyboard if it determines a debugger is in use.
Virus Name: Wisconsin
Aliases: Death To Pascal
V Status: Rare
Discovered: September, 1990
Symptoms: .COM growth; Message; Write Protect Errors; .PAS files
disappear; file date/time changes
Origin: Wisconsin, USA
Eff Length: 825 Bytes
Type Code: PNC - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan V67+, Pro-Scan 2.01+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The Wisconsin Virus was received in September, 1990. The origin of
the sample was Wisconsin, which is where its name came from. It is
also reported to have been isolated at about this same time in
California. Wisconsin is a non-resident infector of .COM files, but
it does not infect COMMAND.COM.
When a program infected with the Wisconsin Virus is executed, the virus
will alter the date and time of the program being executed to the
current system date and time. The Wisconsin Virus will then infect
one other .COM file in the current directory. Infected files will
increase in length by 825 bytes, with the viral code located at the
beginning of the file.
If an attempt is made to execute a program infected with the Wisconsin
virus from a write-protected diskette, a write protect error will
occur. This virus does not intercept this error.
Infected programs may display the following message:
"Death to Pascal."
When this message is displayed, any .PAS files located in the
current directory will be deleted. This message cannot be seen in
infected files as it is encrypted.
Virus Name: Wolfman
Aliases:
V Status: Rare
Discovered: July, 1990
Symptoms: TSR; .COM & .EXE growth
Origin: Taiwan
Eff Length: 2,064 Bytes
Type Code: PRsA - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan V66+, Pro-Scan 2.01+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The Wolfman Virus was discovered in Taiwan in July, 1990. It is a
memory resident generic infector of .COM and .EXE files, but not
COMMAND.COM.
The first time a program infected with the Wolfman Virus is executed,
the virus will install itself memory resident as a TSR with 2 blocks
of memory reserved. The first block of memory reserved is 68,032
bytes in length, the second block of reserved memory is 4,544 bytes
in length. The total 72,640 bytes of memory is in low system memory,
and available free memory is decreased by a corresponding amount.
The virus hooks interrupts 09, 10, 16, 21, 2F, ED, and F5.
Once the virus is memory resident, the virus will infect any .COM or
.EXE file which is executed if the pre-infection file length is
greater than or equal to 2,064 bytes. Infected files increase in
length by 2,064 bytes. .COM files which are infected will have the
virus's code located at the beginning of the .COM file, .EXE files
will have the virus located at the end. Infected files will have
their date and time in the disk directory altered to the system
date and time when infection occurred.
It is unknown when Wolfman activates, or if it is destructive.
Known variant(s) of Wolfman include:
Wolfman 2: This variant is fairly similar to the Wolfman Virus. Its
memory resident TSR is 67,984 bytes, and it hooks interrupts
09, 10, 16, 21, CF, D1, D3, and several others. Files
smaller than 5,120 bytes will not be infected by the virus.
Infected .EXE files will contain the text string "WOlf_mAN",
though this string cannot be found in infected .COM programs
as it will be encrypted.
Virus Name: Yankee Doodle
Aliases: TP44VIR, Five O'clock Virus
V Status: Common - Europe
Discovered: September, 1989
Symptoms: .COM & .EXE growth, melody @ 5 p.m.
Origin: Austria or Bulgaria
Eff Length: 2,885 or 2,899 Bytes
Type Code: PRsA - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan V42+, F-Prot, IBM Scan, Pro-Scan, VirexPC,
AVTK 3.5+, VirHunt 2.0+, NAV
Removal Instructions: CleanUp V64+, Scan/D, VirClean, F-Prot, NAV, or
delete infected files
General Comments:
The Yankee Doodle virus was isolated by Alexander Holy of
the North Atlantic Project in Vienna, Austria, on
September 30, 1989. It was also isolated in Bulgaria shortly
thereafter, where it is known as TP44VIR.
This virus is a parasitic virus which infects both .COM and .EXE
files, and installs itself memory resident. After installing itself
memory resident, it will play Yankee Doodle on the system speaker at
17:00. Infected programs will be increased in length by 2,899 bytes.
Other than being disruptive by playing Yankee Doodle, this
virus currently does nothing else harmful besides infecting
files.
As a side note, some variants of the Yankee Doodle Virus will seek
out and modify Ping Pong viruses, changing them so that they self-
destruct after 100 infections.
Known variants of the Yankee Doodle Virus are:
TP33VIR - This variant disables interrupts 1 and 3, thus interfering
with using debuggers to isolate it. The behavior of the
virus also has been changed so that it infected programs
will play Yankee Doodle at 5PM. The second to the last
byte in infected files is the virus's "version number",
in the case of TP33VIR, it is 21h (33 in hex).
TP34VIR - Similar to TP33VIR, except that this variant is memory
resident, and infects programs as they are executed.
The second to the last byte in infected files is 22h.
TP38VIR - Similar to TP34VIR, except that .COM and .EXE files are
handled in a different way, and this variant will
disinfect itself if it is loaded with CodeView active in
memory. The second to the last byte in infected files
is 26h. TP38VIR was first isolated in Bulgaria in
July 1988, and is the oldest virus known in Bulgaria.
TP41VIR - Similar to TP38VIR, except the second to the last byte
in infected files is 29h.
TP42VIR - This variant of Vacsina tests to determine if the system
is infected with the Ping Pong virus, and if it is, will
attempt to disable the Ping Pong virus by modifying it.
The second to the last byte in infected files is now 2Ah.
TP44VIR - Similar to TP42VIR, the second to the last byte of infected
files is 2Ch.
TP45VIR - Similar to TP44VIR, the second to the last byte of infected
files is 2Dh.
TP46VIR - Similar to TP45VIR, except that this variant can detect
and kill the Cascade (1701) Virus. The second to the last
byte of infected files is now 2Eh.
Yankee Doodle-B: Very similar to the Yankee Doodle virus, except
the length of the viral code is 2,772 bytes.
Also see: Vacsina
Virus Name: Yankee 2
Aliases: Yankee Virus, Yankee-go-Home, 1961
V Status: Endangered
Discovered: September, 1989
Symptoms: .EXE growth, Yankee Doodle
Origin: Bulgaria
Eff Length: 1,961 Bytes
Type Code: PNE - Parasitic Non-Resident .EXE Infector
Detection Method: ViruScan V62+, Virex PC, AVTK 3.5+, VirHunt 2.0+, NAV
Removal Instructions: Scan/D, or delete infected files
General Comments:
The Yankee 2, or Yankee Virus, was isolated in Bulgaria
in 1989. Unlike the Yankee Doodle Virus, the Yankee 2
Virus is not memory resident. It also only infects .EXE files,
adding 1,961 bytes to their length. The virus will attempt to
infect an .EXE file in the current directory whenever an
infected program is executed. If it is successful in locating
an uninfected .EXE file, and infects it, Yankee Doodle will be
played on the system speaker. Infected files will have the
hex string '6D6F746865726675636B6572' at the end.
The Yankee 2 Virus will not infect CodeView.
Known variant(s) of the Yankee 2 virus are:
1624 - This variant is similar to Yankee 2 in function, the major
change is that its effective length is 1,624 bytes.
Also see: Enigma
Virus Name: Yap Virus
Aliases:
V Status: New
Discovered: March, 1991
Symptoms: .COM growth; TSR; "Bugs" may appear in screen;
Decrease in available free memory
Origin: USA
Eff Length: 6,258 Bytes
Type Code: PRsCK - Parasitic Resident .COM Infector
Detection Method: ViruScan V75+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The Yap Virus was discovered in March, 1991, in the United States.
Yap is a memory resident .COM file infector. It will infect
COMMAND.COM.
The first time a program infected with the Yap Virus is executed, the
virus will install itself memory resident as a low system memory TSR
of 11,344 bytes. Interrupts 09 and 21 will be hooked by the virus.
After Yap is memory resident, it will infect .COM programs as they
are executed. If COMMAND.COM is executed, it will become infected.
.COM Programs infected with Yap will increase in size by 6,258 bytes.
The virus will be located at the end of infected programs. The file's
date and time in the disk directory will not be altered.
With the Yap Virus memory resident, if the system user holds down the
ALT key, or presses the ALT key and another key in combination,
numerous graphic "bugs" will appear on the screen which will eat the
contents of the system display. Pressing the ALT key, or ALT key
combination, again will result in the system's display being restored.
Yap is an encrypted virus, using encryption very similar to that
employed by the Cascade Virus and its variants.
Virus Name: Yukon Overwriting
Aliases:
V Status: Rare
Discovered: January, 1991
Symptoms: Divide Overflow errors; Beginning of Programs Overwritten
Origin: Canada
Eff Length: 151 Bytes
Type Code: ONCK - Overwriting Non-Resident .COM Infector
Detection Method:
Removal Instructions: Delete infected files
General Comments:
The Yukon Overwriting Virus was isolated in January, 1991 in Canada.
This virus is a non-resident overwriting virus that infects .COM files,
including COMMAND.COM.
When a program infected with the Yukon Overwriting Virus is executed,
the virus will infect all .COM programs in the current directory.
Infected programs will have the first 151 bytes of the program
overwritten with the virus. Their date and time in the disk directory
will not be altered in the process of infection.
After infecting all of the .COM files in the current directory, the
program the user was attempting to execute will fail with a Divide
Overflow error.
Infected programs can be easily identified because the text string
Divide Overflow$ will be located beginning at offset 87h within the
infected program.
Programs infected with the Yukon Overwriting Virus cannot be
disinfected as the portion overwritten by the virus is not stored.
Infected programs must be deleted and replaced with uninfected copies.
Virus Name: Zero Bug
Aliases: Palette, 1536
V Status: Endangered
Discovered: September, 1989
Symptoms: .COM growth (see text), TSR, graphics display
Origin: Netherlands
Eff Length: 1,536 bytes
Type Code: PRsC - Parasitic Resident .COM Infector
Detection Method: Viruscan/X V67+, F-Prot, Pro-Scan 1.4+, VirexPC, AVTK 3.5+,
VirHunt 2.0+, NAV
Removal Instructions: Scan/D/X, CleanUp V66+, F-Prot, Pro-Scan 1.4+,
VirHunt 2.0+, or delete infected files
General Comments:
The Zero Bug virus was first isolated in the Netherlands by
Jan Terpstra in September, 1989. This virus is a memory
resident .COM file infector. Infected .COM files will
increase in size by 1,536 bytes, however the increase in file
length will not show up when the disk directory is displayed.
The virus's main objective is to infect the copy of
COMMAND.COM indicated by the environment variable COMSPEC.
If COMSPEC doesn't point to anything, the Zero Bug virus will
install itself memory resident using INT 21h.
After the virus has either infected COMMAND.COM or become
memory resident, it will infect all .COM files that are
accessed, including those accessed by actions such as COPY or
XCOPY. Any .COM file created on an infected system will also
be infected.
If the currently loaded COMMAND.COM is infected, the virus
will hook into the timer interrupt 1Ch, and after a certain
amount of time has past, a smiley face character (ASCII 01)
will appear and eat all the zeros it can find on the screen.
The virus does not delete files or format disks in its present
form.
Virus Name: ZeroHunt
Aliases: Minnow, Stealth
V Status: Research
Discovered: December, 1990
Symptoms: Internal changes to COM files
Origin: USA
Eff Length: 416 Bytes
Type Code: PRCK - Parasitic Overwriting .COM Infector
Detection Method: Viruscan V72+, Pro-Scan 2.01+
Removal Instructions: Scan/D, Pro-Scan 2.01+, or Delete infected files
General Comments:
The ZeroHunt, or Minnow, Virus was submitted in December, 1990 by
Paul Ferguson of Washington, DC. ZeroHunt is a memory resident
overwriting infector of COM files, including COMMAND.COM. This virus
is classified as a Stealth Virus.
When the first program infected with the ZeroHunt Virus is executed,
the virus will install itself memory resident in the command environment
area. It occupies approximately 200 bytes of memory and hooks a number
of interrupts, including interrupt 21 by remapping.
Once ZeroHunt is memory resident, it waits for a COM file to be openned
or executed which contains 416 or more bytes of 00h characters. These
characters usually are stack space in the file, and most commonly occur
in EXE files which have been converted to COM files. If the candidate
COM file contains enough 00h characters, ZeroHunt will infect the file
by writing its viral code over the first 416 bytes of the 00h characters.
ZeroHunt then alters the first four bytes of the newly infected file so
that upon execution its viral code will execute first.
Like other Stealth class viruses, ZeroHunt will disinfect the file on
the fly, so that the virus cannot be detected in files if it is memory
resident. Since infected files have been infected internally by over-
writing stack space, there will be no change in infected file length.
ZeroHunt carries no activation criteria at the present time, it just
replicates.
Known variant(s) of ZeroHunt include:
ZeroHunt B: Based on the ZeroHunt virus, this variant becomes memory
resident in 1,408 bytes of reserved low system memory. It
hooks interrupts 21, 25, 26, and several others. It
infects .COM programs when they are executed provided that
a block of at least 411 bytes of binary zeros can be found
within the candidate program. If the block is found, then
the virus will overwrite the last 411 bytes of binary
zeros in the block, and alter the first four characters of
the program so that the viral code will be executed first.
Virus Name: ZK900
Aliases: Pray
V Status: New
Discovered: April, 1991
Symptoms: .COM & .EXE growth; Decrease in total system & available memory;
Music
Origin: USA
Eff Length: 900 Bytes
Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector
Detection Method:
Removal Instructions: Delete infected files
General Comments:
The ZK900 Virus was received in April, 1991, from David Chess of IBM.
ZK900 is a memory resident .COM and .EXE infector, and will infect
COMMAND.COM.
The first time a program infected with ZK900 is executed, the virus
will install itself memory resident at the top of system memory but
below the 640K DOS boundary. Interrupts 1C and 21 will be hooked by
the virus.
After becoming memory resident, ZK900 will infect .COM and .EXE
programs as they are executed. If COMMAND.COM is executed, it will
become infected. Infected programs will increase in size by 900 bytes
with the virus being located at the end of the file. The program's
date and time in the disk directory will not be altered by the virus.
Infected programs will end with the text characters "zx".
Systems infected with ZK900 may experience a tune being played every
three to five minutes on the system speaker. The tune is the children's
rhyme "Pray for the dead, and the dead will pray for you".
-------------------------------------------------------------------------------
Virus Information Summary List
Virus Common Name Cross-Reference
The following is a cross-reference of common virus names back to
the name they are listed by in the virus information section.
Hopefully, this cross-reference will alleviate some confusion when
different anti-viral software packages refer to different names for
the same virus.
Virus Name Refer To Virus(es) In VirusSum.Doc:
---------------------- -----------------------------------------------
@ Virus Turbo 448
62-B Vienna
100 Years Virus 4096
163 COM Virus Tiny Virus
217 Polish 217
333 Kennedy
382 382 Recovery Virus
382 Recovery Virus 382 Recovery Virus
405 405
437 VFSI
453 RPVS
500 Virus Golden Gate
505 Burger
509 Burger
512 512
512-A 512
512-B 512
512-C 512
512-D 512
512-E 512
512-F 512
512 Virus Friday The 13th COM Virus
529 Polish 529
541 Burger
555 Dutch 555
623 VHP2
632 Saratoga
637 Vcomm
642 Icelandic
646 646
648 Vienna
765 Perfume
834 Virus 834 Virus
834-B 834 Virus
867 Typo COM
903 903
944 Dot Killer
1008 1008
1022 Fellowship
1024-B Nomenklatura
1075 Crash
1168 Datacrime-B
1210 1210
1226 1226
1226D 1226D
1226M 1226D
1253 1253
1260 1260
1280 Datacrime
1374 Little Pieces
1381 Virus 1381 Virus
1381-B 1381 Virus
1392 1392
1514 Datacrime II
1536 Zero Bug
1539 Christmas Virus
1554 1554
1559 1554
1575 1575
1575-B 1575
1575-C 1575
1577 1575
1591 1575
1605 1605
1605-B 1605
1624 Yankee 2
1701 Cascade
1704 Cascade, Cascade-B
1704 Format 1704 Format
1704-B Cascade B
1720 1720
17Y4 Cascade
1808 Jerusalem
1813 Jerusalem
1917 Datacrime IIB
1961 Yankee 2
1971 Eight Tunes
2080 Fu Manchu
2086 Fu Manchu
2100 V2100
2131 2131
2480 Crew-2480
2576 Taiwan 4
2930 Traceback II
2930-B Traceback II
3012 Plastique
3066 Traceback
3066-B Traceback
3066-B2 Traceback
3551 SysLock
3555 SysLock
3880 Itavir
4096 4096
4096-B 4096
4096-C 4096
4711 Perfume
4870 Overwriting 4870 Overwriting
5120 5120
8920 Print Screen
909090h Virus Burger
9800:0000 Virus 1554
A-204 Jerusalem B
Advent Syslock
Arf Arf
AIDS AIDS
AIDS II AIDS II
AirCop AirCop
Akuku Akuku
Alabama Alabama
Alameda Alameda
Ambulance Car Ambulance Car
Amoeba Virus 1392
Amstrad Amstrad
Anarkia Jerusalem B
Anarkia-B Jerusalem B
Anthrax Anthrax
AntiCad 1253
Anti-Pascal Anti-Pascal
Anti-Pascal 400 Anti-Pascal II
Anti-Pascal 440 Anti-Pascal II
Anti-Pascal 480 Anti-Pascal II
Anti-Pascal 529 Anti-Pascal
Anti-Pascal 605 Anti-Pascal
Anti-Pascal II Anti-Pascal II
AntiChrist AntiChrist
AP-400 Anti-Pascal II
AP-440 Anti-Pascal II
AP-480 Anti-Pascal II
AP-529 Anti-Pascal
AP-605 Anti-Pascal
April 1st Suriv 1.01
April 1st-B Suriv 2.01
Arab 834 Virus
Arab Star Jerusalem B
Armagedon Armagedon
Armagedon The First Armagedon
Armagedon The Greek Armagedon
Ashar Ashar
Attention! Attention!
Australian 403 Australian 403
Austrian Vienna
Azusa Azusa
Basic Virus 5120
Best Wish Best Wishes
Best Wishes Best Wishes
Best Wishes B Best Wishes
Black Avenger Dark Avenger
Black Friday Jerusalem
Black Monday Black Monday
Blackjack Cascade-B
Blood Blood
Blood 2 Blood
Bloody! Bloody!
Boot Ping Pong-B
Bouncing Ball Ping Pong
Bouncing Dot Ping Pong
Brain Brain
Brain Slayer Slayer Family
Burger Burger
C-605 Anti-Pascal
Captain Trips Jerusalem B
Carioca Carioca
Cascade Cascade
Cascade-B Cascade-B
Casino Casino
Casper Casper
Century Virus 4096
Chaos Chaos
Choinka Father Christmas
Christmas In Japan Christmas In Japan
Christmas Violator Violator B4
Christmas Virus Christmas Virus
CIA Burger
Columbus Day Datacrime, Datacrime II, Datacrime IIB, Datacrime-B
COM Virus Friday The 13th COM Virus
Computer Ogre Disk Killer
Cookie Cookie
Cracker Jack Enigma
Crash Crash
Crew-2480 Crew-2480
Cunning Cascade
Cursy Cursy
Dark Avenger Dark Avenger
Dark Avenger-B Dark Avenger
Dark Avenger II V2000
Dark Avenger III V1024
Datacrime Datacrime
Datacrime II Datacrime II
Datacrime IIB Datacrime IIB
Datacrime-B Datacrime-B
DataLock DataLock
DataLock 1.00 DataLock
DBase DBase
DBF Virus DBase
Dead Kennedy Kennedy
Death To Pascal Wisconsin
December 24th Icelandic-III
Deicide Deicide
Den Zuk Den Zuk
Destructor Destructor V4.00
Destructor V4.00 Destructor V4.00
Devil's Dance Devil's Dance
Diamond V1024
Diamond-B V1024
Diana Dark Avenger
Die Young Virus V2000
Dir Virus Dir Virus
Discom Discom
Disk Crunching Virus Icelandic, Saratoga
Disk Killer Disk Killer
Disk Ogre Disk Killer
Do-Nothing Virus Do-Nothing Virus
Donald Duck Stoned
DOS-62 Vienna
DOS-68 Vienna
Durban Saturday The 14TH
Dutch 555 Dutch 555
Dyslexia Solano 2000
Dyslexia 2.00 Solano 2000
Dyslexia 2.01 Solano 2000
EB 21 Print Screen
Eddie Dark Avenger
Eddie Virus Dark Avenger
Eddie 3 V651
EDV EDV
Eight Tunes Eight Tunes
Enigma Enigma
European Fish Viruses Fish Virus
Evil Evil
Evil-B Evil
F-Word Virus F-Word Virus
Fall Cascade
Falling Letters Cascade, Ping Pong-B
Falling Letters Boot Swap Boot
Father Christmas Father Christmas
Fellowship Fellowship
Fish 6 Fish Virus
Fish Virus Fish Virus
Five O'Clock Virus Yankee Doodle
Flash Flash
Flip Flip
Flip B Flip
Form FORM-Virus
Form Boot FORM-Virus
FORM-Virus FORM-Virus
Frere Virus Frere Jacques
Frere Jacques Frere Jacques
Friday 13th Jerusalem
Friday 13th COM Virus Friday The 13th COM Virus
Friday 13th-B Friday The 13th COM Virus
Friday 13th-C Friday The 13th COM Virus
FroDo 4096
Frog Frog's Alley
Frog's Alley Frog's Alley
Fu Manchu Fu Manchu
Fuck You F-Word
Fumble Typo COM
G-Virus V1.3 Sorry
Ghost Boot Ghostballs
Ghost COM Ghostballs
Ghostballs Ghostballs
Glenn Deicide
Golden Gate Golden Gate
Grither Grither
Green Left Virus Groen Links
Groen Links Groen Links
Guppy Guppy
Guppy-B Guppy
Hahaha AIDS
Halloechen Halloechen
Hammelburg 405
Happy Birthday Joshi Joshi
Happy N.Y. Happy New Year, Happy New Year B
Happy New Year Happy New Year
Happy New Year Happy New Year B
Hawaii Stoned
Hebrew University Jerusalem B
Hemp Virus Stoned
HIV HIV
HM2 Plastique
Holland Girl Holland Girl
Holland Girl 2 Holland Girl 2
Holo Holocaust
Holocaust Holocaust
Hybrid Hybryd
Hybryd Hybryd
Hymn Hymn
Hymn-2 Sverdlov
Icelandic Icelandic
Icelandic-II Icelandic-II
Icelandic-III Icelandic-III
Ick IKV 528
IDF Virus 4096
IKV 528 IKV 528
Internal 1381 Virus
Invader Invader
Iraqui Iraqui Warrior
Iraqui Warrior Iraqui Warrior
Israeli Jerusalem, Suriv 1.01, Suriv 2.01, Suriv 3.00
Israeli Boot Swap
Italian Ping Pong
Italian 803 Italian 803
Italian 803-B Italian 803
Italian-A Ping Pong, Ping Pong B
Itavir Itavir
Jeff Jeff
Jerk Jerk
Jerusalem Jerusalem
Jerusalem A Jerusalem
Jerusalem B Jerusalem B
Jerusalem C Jerusalem B
Jerusalem D Jerusalem B
Jerusalem DC Jerusalem B
Jerusalem E Jerusalem B
Jerusalem E2 Jerusalem B
Jocker Joker
JoJo JoJo
JoJo 2 JoJo 2
Joker Joker
Joshi Joshi
July 13TH July 13TH
June 16TH June 16TH
Kamasya Kamasya
Kamikazi Kamikazi
Kemerovo Kemerovo
Kemerovo Kemerovo-B
Kennedy Kennedy
Keypress Keypress
Korea Korea
Kukac Turbo Kukac
Lazy Lazy
LBC Boot Korea
Leapfrog USSR 516
Lehigh Lehigh
Lehigh University Lehigh
Lehigh-2 Lehigh
Lehigh-B Lehigh
Leprosy Leprosy
Leprosy 1.00 Leprosy
Leprosy-B Leprosy
Liberty Liberty
Liberty-B Liberty
Liberty-C Liberty
Lisbon Lisbon
Little Pieces Little Pieces
Live after Death Virus V800
Lozinsky Lozinsky
Mardi Bros Mardi Bros
Marijuana Stoned
Mazatlan Golden Gate
Merritt Alameda
Mendoza Jerusalem B
Mexican Devil's Dance
MG MG
MG-2 MG-2
MG-3 MG-2
MGTU MGTU
Miami Friday The 13th
Microbes Microbes
Migram Migram
Minnow ZeroHunt
Mirror Mirror
Mistake Typo Boot
MIX1 MIX1
MIX2 MIX2
MIX/1 MIX1
Mix1 MIX1
Mix2 MIX2
Monxla Monxla
Monxla B Monxla B
Mother Fish Whale
Munich Friday The 13th COM Virus
Murphy Murphy, AntiChrist, HIV, Kamaysa, Migram
Murphy-1 Murphy
Murphy-2 Murphy
Music Boot MusicBug
Music Bug MusicBug
Music Virus Oropax
MusicBug MusicBug
Musician Oropax
New Jerusalem New Jerusalem
New Zealand Stoned
News Flash Leprosy
Nina Nina
Nomenclature Nomenklatura
Nomenklatura Nomenklatura
Number 1 Number One
Number of the Beast 512 Virus
Number One Number One
Ogre Disk Killer
Ohio Ohio
One In Eight Vienna
One In Ten Icelandic, Icelandic-II
One In Two Saratoga
Ontario Ontario
Oropax Oropax
Oulu 1008
P1 Evil, Phoenix, PhoenixD, Proud
Pakistani Brain
Pakistani Brain Brain
Palette Zero Bug
Paris Paris
Parity Parity
Park ESS Jerusalem B
Payday Payday
Peking Alameda
Pentagon Pentagon
Perfume Perfume
Phantom Phantom
Phoenix Phoenix
PhoenixD PhoenixD
Ping Pong Ping Pong
Ping Pong-B Ping Pong-B
Ping Pong-C Ping Pong-C
Pixel Amstrad
Pixel 2 Amstrad
Plastique Plastique
Plastique 1 Plastique
Plastique 2 Plastique-B
Plastique 4.51 Plastique
Plastique 5.21 Plastique-B
Plastique Boot Invader
Plastique-B Plastique-B
PLO Jerusalem
Point Killer Dot Killer
Polimer Polimer
Polimer Tapeworm Polimer
Polish 217 Polish 217
Polish 217 B Polish 217
Polish 529 Polish 529
Polish 583 Polish 583
Polish 961 Stone`90
Polish Stupid Polish 217
Polish-2 Turbo 448, Turbo Kukac
Pray ZK900
Pretoria June 16TH
Print Screen Print Screen
Print Screen-2 Print Screen
Proud Proud
PRTSC Virus Print Screen
Prudents Virus 1210
PSQR Virus 1720
Puerto Jerusalem B
RaubKopie RaubKopie
Red Diavolyata Red Diavolyata
RedX Ambulance Car
Rigor Mortis Arf
Rostov Stoned
RPVS RPVS
RPVS-B RPVS
Russian Jerusalem
S-847 Amstrad
Saddam Saddam
San Diego Stoned
Saturday The 14th Saturday The 14th
Saratoga Saratoga
Saratoga 2 Icelandic
Scott's Valley Scott's Valley
Seoul Alameda
Sentinel Sentinel
Sex Revolution v1.1 Stoned
Sex Revolution v2.0 Stoned
SF Virus SF Virus
Shake Virus Shake Virus
Shoe_Virus Ashar
Shoe_Virus-B Ashar-B
Skism-1 Jerusalem B
Slayer Slayer Family
Slayer Family Slayer Family
Slayer-A Slayer Family
Slayer-B Slayer Family
Slayer-C Slayer Family
Slayer-D Slayer Family
Slayer-E Slayer Family
Slow Slow
Slowdown Slow
Smithsonian Stoned
Solano 2000 Solano 2000
Solomon 1605
Sorry Sorry
South African Friday The 13th COM Virus
Sparse Sparse
Spyer Spyer
Staf Staf
Staff Staf
StarDot StarDot 600, StarDot 801
StarDot 600 StarDot 600
StarDot 801 StarDot 801
Stealth Viruses EDV, Fish, Holocaust, Joshi, Murphy, V651, V800, V1024,
V2000, V2100, ZeroHunt, 512, 4096
Stone`90 Stone`90
Stone-90 Stone`90
Stoned Stoned
Stoned II Stoned
Stoned-B Stoned
Stoned-C Stoned
Stoned-D Stoned
Stoned-E Stoned
Stoned-F Stoned
Striker #1 Striker #1
Stupid Virus Do-Nothing
Subliminal 1.10 Subliminal 1.10
Sunday Sunday
Sunday-B Sunday
Sunday-C Sunday
Suomi 1008
SuperHacker Jerk
Suriv 1.01 Suriv 1.01
Suriv 2.01 Suriv 2.01
Suriv 3.00 Suriv 3.00
Suriv A Suriv 1.01, Suriv 2.01
Suriv B Suriv 3.00
Suriv01 Suriv 1.01
Suriv02 Suriv 2.01
Suriv03 Suriv 3.00
SVC V4.00 USSR 1689
Sverdlov Sverdlov
Sverdlov-B Sverdlov
SVir SVir
SVir_0 SVir
SVir-A SVir
SVir-B SVir
Swap Swap
Swedish Disaster Swedish Disaster
Swiss 143 Swiss 143
Swiss 1813 Jerusalem B
Sylvia Holland Girl
Sylvia 2 Holland Girl 2
SysLock Syslock
System Virus Icelandic-II
Taiwan Taiwan
Taiwan 2 Taiwan
Taiwan 3 Taiwan 3
Taiwan 4 Taiwan 4
Taiwan-B Taiwan
Talentless Jerk Jerk
Tannenbaum Christmas Virus
Taunt AIDS
Tel Aviv 1605
Ten Bytes 1554
Tester Tester
TestVir Tester
The Plague The Plague
Thor Arf
Time Monxla
Time B Monxla B
Tiny Family Tiny Family
Tiny Virus Tiny Virus
Tiny 134 Virus Tiny Family
Tiny 138 Virus Tiny Family
Tiny 143 Virus Tiny Family
Tiny 154 Virus Tiny Family
Tiny 156 Virus Tiny Family
Tiny 158 Virus Tiny Family
Tiny 159 Virus Tiny Family
Tiny 160 Virus Tiny Family
Tiny 163 Virus Tiny Virus
Tiny 169 Virus Tiny Family
Tiny 198 Virus Tiny Family
Toothless Virus W13
TP04VIR Virus Vacsina
TP05VIR Virus Vacsina
TP06VIR Virus Vacsina
TP16VIR Virus Vacsina
TP23VIR Virus Vacsina
TP24VIR Virus Vacsina
TP25VIR Virus Vacsina
TP33VIR Virus Yankee Doodle
TP34VIR Virus Yankee Doodle
TP38VIR Virus Yankee Doodle
TP41VIR Virus Yankee Doodle
TP42VIR Virus Yankee Doodle
TP44VIR Virus Yankee Doodle
TP45VIR Virus Yankee Doodle
TP46VIR Virus Yankee Doodle
Traceback Traceback
Traceback II Traceback II
Traceback II-B Traceback II
Traceback-B Traceback
Traceback-B2 Traceback
Travel Virus V2000
Turbo @ Turbo 448
Turbo 448 Turbo 448
Turbo Kukac Turbo Kukac
Turbo Kukac 9.9 Turbo Kukac
Typo Boot Typo Boot
Typo COM Typo COM
UIUC Virus Ashar
UIUC Virus-B Ashar
Unesco Vienna
UScan Virus V2100
USSR USSR
USSR 257 Kemerovo
USSR 311 USSR 311
USSR 394 Attention!
USSR 492 USSR 492
USSR 516 USSR 516
USSR 600 USSR 600
USSR 707 USSR 707
USSR 711 USSR 711
USSR 830 Red Diavolyata
USSR 948 USSR 948
USSR 1049 USSR 1049
USSR 1689 USSR 1689
USSR 2144 USSR 2144
V-1 1253
V-277 Amstrad
V-299 Amstrad
V-311 USSR 311
V-345 Amstrad
V-847 Amstrad
V-847B Amstrad
V-852 Amstrad
V-Alert 1554
V605 Anti-Pascal
V651 V651
V791 V801
V800 V800
V800M V800
V801 V801
V920 DataLock
V1024 V1024
V1226 1226
V1226D 1226D
V1226M 1226D
V1277 Murphy
V1302 Proud
V1521 Murphy
V1600 Happy New Year
V1701New Evil
V1701New-B Evil
V2000 V2000
V2000-B V2000
V2100 V2100
V2P1 1260
V2P2 V2P2
V2P6 V2P6
V2P6-B V2P6
V2P6Z V2P6Z
Vacsina Vacsina
VBasic Virus 5120
Vcomm Vcomm
Vera Cruz Ping Pong
VFSI VFSI
VGA2CGA AIDS
VHP VHP
VHP2 VHP2
VHP-348 VHP
VHP-353 VHP
VHP-367 VHP
VHP-435 VHP
VHP-623 VHP2
VHP-627 VHP2
Victor Victor
Vien6 Vienna
Vienna Vienna
Vienna C 646
Vienna-B Vienna
Vienna-B 645 Vienna
Violator Violator
Violator B4 Violator B4
Violator Strain B Violator
Violator Strain B4 Violator B4
VirDem VirDem
VirDem 2 VirDem
Virus-90 Virus-90
Virus-B Friday The 13th COM Virus
Virus101 Virus101
Voronezh Voronezh
Voronezh B Voronezh
VP VP
W13 W13
W13-A W13
W13-B W13
Westwood Westwood
Whale Whale
Wisconsin Wisconsin
Wolfman Wolfman
Wolfman 2 Wolfman
XA1 Christmas Tree
Xmas In Japan Christmas In Japan
Yale Alameda
Yankee 2 Yankee 2
Yankee Doodle Yankee Doodle
Yankee Doodle Dropper Slayer Family
Yankee Virus Yankee 2
Yankee-go-Home Yankee 2
Yap Yap
Yukon Overwriting Yukon Overwriting
Z The Whale Whale
Zero Bug Zero Bug
ZeroHunt ZeroHunt
ZeroHunt B ZeroHunt
ZK900 ZK900
-------------------------------------------------------------------------------
Virus Information Summary List
Virus Relationship Chart
512 Virus --> 512-B --> 512-C --> 512-D
--> 512-E
--> 512-F
834 --> 834-B/Arab
1226 --> 1226M --> 1226D
4096 --> 4096-B --> 4096-C
--> Fish --> Whale
Alameda --> Alameda-2
--> Golden Gate --> Golden Gate-B --> Golden Gate-C
--> SF Virus
Anti-Pascal --> AP-529 --> AP-400 --> AP-440 --> AP-480
Note: AP-480, AP-440, and AP-400 are grouped together in the listing
as Anti-Pascal II
Blood --> Blood2
Brain --> Ashar
--> Clone
--> Chaos
--> EDV
Cascade/1701 --> 1701-B
--> 1704 --> 1704 Format
--> 1704-B
--> 17Y4
--> Cunning
Datacrime --> Datacrime-B
--> Datacrime II --> Datacrime IIB
Do-Nothing --> Saddam
Fri 13th COM --> Fri 13th-B --> Fri 13th-C
--> Virus-B
Happy New Year --> Happy New Year B
HM2 --: --> Plastique COBOL
--> Plastique --> Plastique 4.21 --> Plastique 5.21
Jerusalem B --: :
V
Invader
Holland Girl --> Holland Girl 2
Icelandic --> Saratoga
--> Iceland II --> Icelandic III
--> Dec 24th
--> Mix1 --> Mix1-B
--> Mix2
JoJo --> JoJo 2
Kemerovo --> Kemerovo-B
Kennedy --> Tiny 163
Leprosy --> Leprosy-B --> The Plague
MG --> MG-2 --> MG-3
Murphy-1 --> Murphy-2
--> AntiChrist
--> HIV
--> Kamasya
--> Migram
Ohio --> Den Zuk
Perfume --> Sorry
Phoenix --> PhoenixD
--> Evil-B --> Evil
Ping Pong --> Ping Pong-B --> Ping Pong-C
--> Big Italian
--> Typo
--> Print Screen --> Print Screen-2
--> Ghostballs
Pixel --> Amstrad --> V-847B
--> V-852
--> V-345 --> V-299 --> V-277
--> S-847 --> Pixel 2
Polish 217 --> Polish 217 B
Stoned --> Stoned-B --> Rostov
--> Sex Revolution v1.1 --> Sex Revolution v2.0
--> Stoned-C
--> Stoned-D
--> Stoned-E
--> Stoned-F
--> Stoned II
--> Swedish Disaster
Suriv 3.00 --> Jerusalem --> Fu Manchu --> Taiwan 3
--> Jerusalem B --> New Jerusalem
--> Payday
--> Sunday --> Sunday-B
--> Sunday-C
--> Jerusalem C
--> Jerusalem D
--> Jerusalem E
--> Jerusalem F (Spanish)
--> 1720/PSQR
--> 1210/Prudents
--> Frere Jacques
--> Anarkia --> Anarkia-B
--> Slow
--> Westwood
--> 1605 --> 1605-B
--> Park ESS
--> Skism-1
--> (also see HM2 above)
--> Discom
--> Captain Trips
--> Swiss 1813
Sverdlov --> Sverdlov-B
Syslock --> Macho --> Macho-B
--> Advent
--> Cookie
Tiny-198 --> Tiny-167
--> Tiny-160
--> Tiny-159
--> Tiny-158
--> Tiny-156
--> Tiny-154
--> Tiny-143
--> Tiny-138
--> Tiny-134
--> Tiny-133
Note: The Tiny-nnn Viruses indicated above are grouped together in
the listing as "Tiny Family". The Tiny-163 virus is not
related to the above group of viruses.
Traceback II --> Traceback --> Traceback-B --> Traceback-B2
--> Traceback II-B
V1024 --> Dark Avenger --> V651
--> V800 --> V800M
--> V2000 --> V2000-B
--> V2100
Vienna --> Father Christmas
--> Lisbon
--> Ghostballs
--> 1260 --> V2P2 --> Casper
--> V2P6 --> V2P6Z
--> W13/V-534 --> W13-B/V-507
--> Wien (Poland)
--> Vien6
--> Vienna-B --> Vienna-B 645
--> Violator --> Violator B4
--> Grither
--> VHP-348 --> VHP-353 --> VHP-367 --> VHP-435
--> VHP-623 --> VHP-627
--> Iraqui Warrior
--> Arf
Note: VHP-348, VHP-353, VHP-367, and VHP-435 are listed as VHP.
VHP-623 and VHP-627 are listed as VHP2.
Virus-90 --> Virus101
Wolfman --> Wolfman 2
Yankee 2 --> Enigma
ZeroHunt --> ZeroHunt B
-------------------------------------------------------------------------------
Virus Information Summary List
Revision History
20 April, 1991 - VSUM9104.ZIP
The following virus descriptions have been updated, or new variants
added:
405 - Hammelburg Alias Added
512 - V512-E Variant
- V512-F Variant
834 - Arab Alias Added
- 834-B Variant
1381 - Internal Alias Added
- 1381-B Variant
1605 - Tel Aviv Alias Added
Amstrad - Pixel, Pixel 2, and S-847 Aliases Added
- Pixel 2 Variant
- S-847 Variant
Enigma - Reference to Yankee 2
Friday The 13th COM
- Virus B Alias Added
Guppy - Guppy-B Variant
Mix1 - Reference to Mix2
Murphy - References to AntiChrist, HIV, Kamasya, Migram
Ping Pong B - Italian-A Alias Added
Sverdlov - Hymn-2 Alias Added
- Sverdlov-B Variant
SVir - SVir_0 Variant
V1024 - Diamond Alias Added
- Diamond Variant
- Diamond-B Variant
V2P6 - V2P6-B Variant
Yankee 2 - Reference to Enigma
The following new viruses have been added to the listing:
AntiChrist
Casino
Crash/1075
Frog's Alley
HIV
Italian 803 - Italian 803
- Italian 803-B
Kamasya
Migram
Mix2
Raubkopie
Slayer Family - Slayer-A
- Slayer-B
- Slayer-C
- Slayer-D
- Slayer-E
Sparse
Staf
StarDot 600
StarDot 801
Tester/TestVir
V801/V791
Yap Virus
ZK900/Pray
Information for the following anti-viral products has been added or
updated:
NAV - Norton AntiVirus, Version 1.00
ViruScan - updated for version V76
17 March, 1991 - VSUM9103.ZIP
The following virus descriptions have been updated, or new variants
added:
1575 - 1575-C Variant
1605 - 1605-B/Solomon Variant
Jerusalem B - Captain Trips Variant
- Swiss 1813 Variant
Kemerovo - Kemerovo-B Variant
Vienna - Description Updated
Wolfman - Wolfman 2 Variant
ZeroHunt - ZeroHunt B Variant
The following new viruses have been added to the listing:
834 Virus
Arf Virus
Australian 403
Azusa
Crew-2480
Deicide
Dutch 555
Enigma
Jerk
Lazy
Phantom
Striker #1
Information for the following anti-viral products has been added or
updated:
Clean-Up - updated for version V75
ViruScan - updated for version V75
14 February, 1991 - VSUM9102.ZIP
The following virus descriptions have been updated, or new variants
added:
4096 - 4096-C Variant
Aids - Aids B Variant
Flip - Flip B Variant
Liberty - Clarificiation to entry, change to Liberty B
identification string for use with Scan.
- Liberty B Variant
Paris - Update to description
Plastique - Plastique COBOL Variant
Polish 217 - Polish 217 B Variant
Stoned - rewrote entry & merged in Stoned II entry
- Rostov Variant
- Sex Revolution v1.1 Variant
- Sex Revolution v2.0 Variant
- Stoned E Variant
- Stoned F Variant
USSR 1689 - Added SVC V4.00 alias
The following new viruses have been added to the listing:
903
1575 - 1575 Virus
- 1575-B Variant
4870 Overwriting
Akuku
Cookie
Destructor V4.00
Dir Virus
Discom
Grither
Happy New Year - Happy New Year
- Happy New Year B Variant
Holland Girl 2
Hybryd
IKV 528
Iraqui Warrior
JoJo 2
Little Pieces/1374
MG
MG-2 - MG-2
- MG-3 Variant
Monxla B
Nina
Parity
Saddam
Sentinel
Swedish Disaster
Swiss 143
The Plague
USSR 311
USSR 492
Violator B4
Yukon Overwriting
Information for the following anti-viral products has been added
or updated:
Pro-Scan - additional disinfection updates for version 2.01
Clean-Up - updated for version V74
ViruScan - updated for version V74
08 January, 1991 - VSUM9101.ZIP
The following virus descriptions have been updated, or new variants
added:
4096 - additional information added
Flip - additional information added
Invader - correction to Type Code
Jerusalem B - Skism-1 Variant
Nomenklatura - additional damage information added
Plastique - additional information, activation data
Plastique B - additional information, activation data
Tiny Family - Tiny 133 Variant
The following new viruses have been added to the listing:
Attention!
Best Wishes - Best Wishes
- Best Wishes B
Bloody!
F-Word Virus
Holocaust
Hymn
Jeff
Kemerovo
Lozinsky
MGTU
MusicBug
Polish 583
Red Diavolyata
Stone`90/Polish 961
Sverdlov
USSR 516
USSR 600
USSR 707
USSR 711
USSR 948
USSR 1049
USSR 1689
USSR 2144
Voronezh - Voronezh
- Voronezh B
ZeroHunt
Information for the following anti-viral products has been added or
updated:
Clean-Up - updated for version V72
Pro-Scan - updated for version 2.01
ViruScan - updated for version V72
03 December, 1990 - VSUM9013.ZIP (Not publicly distributed.)
Pro-Scan Version 2.0 has not been added to the listing.
02 December, 1990 - VSUM9012.ZIP
The following virus descriptions have been updated, or new variants
added:
Burger - 505 Variant
- 509 Variant
- 541 Variant
- CIA Variant
Christmas - Tannenbaum alias added
Kennedy - 333 alias added
Leprosy - News Flash alias added
Liberty - Liberty-B Variant
Slow - Updated for file length increases,
Slowdown alias added
Wisconsin - Updated for file date/time change
VirDem - VirDem 2 Variant
Virus-90 - Added description submitted by P. Toulme
Virus101 - Added description submitted by P. Toulme
Yankee 2 - Yankee-go-Home alias added
- 1624 variant added
The following new viruses have been added to the listing:
646
Carioca
DataLock
Dot Killer
Father Christmas
Groen Links
Keypress
Mirror
Monxla
Polimer
Polish 217
Polish 529
Spyer
Taiwan 4/2576
Turbo 448
Turbo Kukac
USSR
Information for the following anti-viral products/programs have been
added/updated with this release:
Clean-Up - McAfee Associates' Clean-Up Disinfector, Vers V71
Pro-Scan - McAfee Associates' Pro-Scan Anti-Viral, Vers. 2.0
VirHunt - Digital Dispatch, Inc.'s VirHunt Anti-Viral, Vers 2.0
Note: boot sector disinfection not tested
ViruScan - McAfee Associates' ViruScan Detector, Vers V71
Removed the following anti-viral products for the reason indicated:
M-1704 - replaced by McAfee Associates' Clean-Up
M-1704C - replaced by McAfee Associates' Clean-Up
M-DAV - replaced by McAfee Associates' Clean-Up
M-JRUSLM - replaced by McAfee Associates' Clean-Up
M-Vienna - replaced by McAfee Associates' Clean-Up
02 November, 1990 - VSUM9011.ZIP
The following virus descriptions have been updated, or new variants
added:
Amstrad - V852 Variant
Anthrax - Updated information
Jerusalem B - Park ESS Variant
Tiny Family - Tiny 134 Variant
- Tiny 138 Variant
- Tiny 143 Variant
- Tiny 154 Variant
- Tiny 156 Variant
V2100 - Updated information
The following new viruses have been added to the listing:
Guppy
Proud/V1302
VFSI
05 October, 1990 - VSUM9010.ZIP
[Note: There was no VSUM9009 release.]
The following virus descriptions have been updated, or new variants
added:
512 - Clarification of why file damage may occur
1008 - Origin information, Suomi alias
4096 - FroDo alias
Anti-Pascal - correction to indicated text string
Cascade - 17Y4 Variant
Dark Avenger- Dark Avenger-B Variant
EDV - Added Cursy alias and activation information
Evil - previously in VSUM9008 as V1701New and V1701New-B
Flash - Symptom and activation information
FORM-Virus - Activation information
Jerusalem B - Jerusalem DC Variant
Leprosy - Leprosy-B Variant
Paris - rename of virus listed as TCC in VSUM9008
Syslock - Advent Variant
Taiwan - Taiwan-B Variant
Tiny Virus - Origin information
The following new viruses have been added to the listing:
1605
Black Monday
Blood - Blood Variant
- Blood2 Variant
Burger
Casper
Christmas In Japan
Invader
Kamikazi
Nomenklatura
Number One
Scott's Valley
Stoned II
SVir - SVir-A Variant
- SVir-B Variant
Westwood
Whale
V2P2
V2P6
V2P6Z
Violator
Wisconsin
The following entries in the cross-reference have been corrected:
1226D - incorrectly pointed to V1226D instead of 1226D
1226M - incorrectly pointed to V1226D instead of 1226D
Brain - missing from VSUM9008 cross-reference
Information for the following anti-viral products/programs have been
added/updated with this release:
CleanUp - McAfee Associates' CleanUp Disinfector, Version V67
AVTK - Dr. Solomon's Anti-Viral Toolkit, Version 3.5
F-Prot - Fridrik Skulason's F-Prot, Version 1.12
VirexPC - MicroCom's Virex PC, Version 1.10B
ViruScan - McAfee Associates' ViruScan Detector, Version V67
[Note: For ViruScan, as of version V67, any viruses which now
require the /X command line parameter to be used have been
indicated under Detection Method.]
The following viruses have not been added to the listing at this time
for the reason indicated:
Big Italian - No Sample Available
TP43Vir - Sample does not replicate.
Doom2 - Unable to get samples to replicate.
10 August, 1990 - VSUM9008.ZIP
The following virus descriptions have been updated, or new variants
added:
1720 - Activation information added
Anti-Pascal - Anti-Pascal 529/AP-529 Variant
Sunday - Sunday-B Variant
- Sunday-C Variant
Tiny Virus - previously in VSUM9007 as 163 COM Virus
Traceback - Traceback-B Variant
- Traceback-B2 Variant
Traceback II
- Traceback II-B Variant
V800 - V800M Variant
Vienna - Vienna-B 645 Variant
The following new viruses have been added to the listing:
382 Recovery Virus
1226 - 1226 Virus
1226D - 1226D Variant
- 1226M Variant
1253/V-1
AirCop
Anthrax
Anti-Pascal II
- Anti-Pascal 400/AP-400
- Anti-Pascal 440/AP-440
- Anti-Pascal 480/AP-480
Fellowship
Flip
Leprosy
Mardi Bros
Ontario
Phoenix/P1
PhoenixD/P1
Plastique - HM2
- Plastique
- Plastique 4.51
Plastique-B - Plastique 5.21
RPVS/453 - RPVS
- RPVS-B Variant
TCC
Tiny Family - Tiny 158 Virus
- Tiny 159 Virus
- Tiny 160 Virus
- Tiny 167 Virus
- Tiny 198 Virus
V1701New/P1 - V1701New
- V1701New-B (earlier version)
V2100
Wolfman
Information on the following anti-viral products was updated or added
to this release:
CleanUp - Version V66
Pro-Scan - Version 1.4
VirexPC - Version 1.1
ViruScan - Version V66
The following viruses have not been included in the listing at this
time, for the reason indicated:
Advent - No Sample Available
Big Italian - No Sample Available
Stoned II - No Sample Available
15 July, 1990 - VSUM9007.ZIP
Added Virus Relationship Chart section to document, as well as new
data field "V Status" to all entries (see introduction and format
information for description).
The following viruses have been updated, or new variants added:
1554
Amstrad
Cascade - Cunning Variant
Disk Killer
Ghostballs - combined Ghost COM and Ghost Boot
Jerusalem B - Puerto Variant
Kennedy
Lehigh - Lehigh-B Variant
Vienna - VHP-627 Variant
- Vien6 Variant
W13
The following new viruses were added to the listing:
1008 Virus
1381 Virus
Ambulance Car
Anti-Pascal Virus
Armagedon
Flash
FORM-Virus
Joshi
July 13th
Microbes
Print Screen
Print Screen - Print Screen-2 Variant
Sorry
Taiwan 3
V651/Eddie 3
V1024/Dark Avenger 3
VHP - VHP-348 Variant
- VHP-353 Variant
- VHP-367 Variant
- VHP-435 Variant
VHP2 - VHP-623 Variant
- VHP-627 Variant
15 June, 1990 - VSUM9006.ZIP
Many viruses had their descriptions updated, the ones listed below
receiving updates for variants or major changes:
163 COM Virus
512 - 512-B Variant
- 512-C Variant
- 512-D Variant
1554 Virus
4096 - 4096-B Variant
Amstrad - Pixel/V-345 Variant
- V-277 Variant
- V-299 Variant
- V-847 Variant
- V-847B Variant
Jerusalem B - A-204 Variant
- Anarkia Variant
- Anarkia-B Variant
- Mendoza Variant
Ping Pong-B - Ping Pong-C Variant
Solano 2000 - Dyslexia 2.01 Variant
V2000 - V2000-B/Die Young Variant
Vacsina - TP04VIR Variant
- TP05VIR Variant
- TP06VIR Variant
- TP16VIR Variant
- TP23VIR Variant
- TP24VIR Variant
- TP25VIR Variant
Yankee Doodle
- TP33VIR Variant
- TP34VIR Variant
- TP38VIR Variant
- TP41VIR Variant
- TP42VIR Variant
- TP44VIR Variant
- TP45VIR Variant
- TP46VIR Variant
Vienna - VHP-435
- VHP-623
The Vienna-B variant has been moved under the Vienna entry.
The following new viruses were added to the listing:
5120
Eight Tunes
Fish Virus
Frere Jacques
JoJo
Liberty
Murphy - 2 variants (Murphy-1 and Murphy-2)
Shake Virus
Slow
Subliminal 1.10
V800
Victor
VirDem
VP
Yankee 2
4 May, 1990 - VSUM9005.ZIP (Not publicly distributed.)
Added listings for Discovered, Symptoms, Origin, Subdivided
memory-resident classes, Aligned data entry blocks, placed files
in ASCII order, placed revision history in descending order.
Information on the following virii was updated:
1168/Datacrime
1280/Datacrime
Kennedy
18 April, 1990 - VSUM9004.ZIP
Information on the following viruses was updated:
Friday The 13th Original COM Virus
Halloechen
Jerusalem
Jerusalem B
Stoned
Sunday
VComm
4096
The 1559 virus has been renamed to the 1554 virus in order to
accurately reflect the virus's effective length.
The following new viruses were added to the listing:
AIDS II
Anarkia (see Jerusalem B)
Christmas Virus
Itavir
June 16TH
Kennedy
Korea
Saturday The 14th
Solano 2000
Spanish Jerusalem B (see Jerusalem B)
V2000
1210
1392
1720
McAfee Associates' PRO-SCAN commercial anti-viral program, has
been added, as well as the information for IBM's VirScan program
updated to reflect IBM's March 1990 program release.
22 February, 1990 - Not publicly distributed.
Information on the following viruses was updated:
Disk Killer
The following new viruses were added to the listing:
EDV
512
1559
18 February, 1990 - VSUM9003.ZIP
Change to Copyright notice to reflect author's full name.
Information on the following viruses has been updated:
Taiwan
4096
04 February, 1990 - VSUM9002.ZIP
Second release of listing, which now includes updated information
for the following viruses:
Alabama
Chaos
Den Zuk
Datacrime II, Datacrime IIB
Do-Nothing
Icelandic, Icelandic-II
Ohio
Saratoga
Stoned
Swap
SysLock
Traceback, Traceback II (was 2930 in previous release)
Typo Boot
The following new Ms-Dos computer viruses were added to the
listing:
Halloechen
Icelandic-III
Joker
Perfume
Vcomm
Virus101
W13
1260
15 January, 1990 - VSUM9001.ZIP
First release of listing, which contained 52 of 61 known Ms-Dos
computer viruses. Of the 9 known viruses which were not
completed, they contained very basic information, though no
detailed description, those viruses were:
Chaos Swap
Icelandic Taiwan
Icelandic-II Typo Boot
Ohio 2930
Saratoga

Reference in New Issue View Git Blame Copy Permalink