home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Vectronix 2
/
VECTRONIX2.iso
/
FILES_07
/
UVK_6_1.ZIP
/
DOX
/
VIRUSES.TXT
< prev
Wrap
Text File
|
1994-01-09
|
71KB
|
1,753 lines
THE KNOWN VIRUSES ON THE ST AND THEIR SYMPTOMS
This is a systematic description of all viruses that are
recognized by the "Ultimate Virus Killer". It is rather technical
by nature; in case you are interested but you don't know what to do
with all the various phrases you get hurled at you, please refer to
other books on the subject.
Name: Official name of the virus. When several different versions
of one virus exist, their difference is indicated by one additional
character - "A" for the earliest or most widely spread version, "B"
for the next, etc.
Type: The description of the virus fitting the most common virus
classification.
Discovery date: The date when the virus was earliest reported to
be seen. If the discoverer is known, his/her name is added between
brackets.
Virus can copy to drive(s): This indicates to which drives the
virus can copy itself. "Current drive" implies that the virus
copies to the drive that is currently in use of the ones listed.
Virus attaches itself to: Here it is mentioned which system
vector(s) the virus attaches itself to. When indicated to be
'undocumented reset-proof', this refers to the undocumented method
for programs to become reset-resistant through the $12123456
method.
Disks can be immunized against it: Informs of whether a virus
cannot be immunized against, or whether it can be immunized
against. In the latter case, it is indicated how one can immunize
against it. The format of the immunization method is: Offset
(hexadecimal), Byte/Word/Longword, and the hexadecimal value
expected at that offset.
Disks can be immunized with UVK: Indicates whether or not a
particular virus' immunization was capable of being including in
the "Ultimate Virus Killer" advanced immunization method.
What can happen: Lists the effect that the virus is programmed to
cause to occur.
When does that happen: Specifies when the above will happen
(ahem).
Reset-proof: Tells you whether or not the virus can survive a warm
reset.
Can copy to hard disk: Tells you...er...well...this is pretty
obvious, actually.
Remarks: Here all the other things worth mentioning are summed up.
BOOTSECTOR VIRUSES
Virus #1
Name: Signum/BPL Virus A.
Type: Memory-resident bootsector virus.
Discovery date: November 22nd 1987 (Klaus Seligmann).
Virus can copy to drive(s): A or B (current drive).
Virus attaches itself to: Hdv_bpb vector.
Disks can be immunized against it: Yes (0.W $6038).
Immunizable with UVK: Yes.
What can happen: Not known.
When does that happen: When key is found on other disks (this has
never been found - yet).
Reset-proof: No.
Can copy to hard disk: No.
Remark: This is the most widely spread virus; an approximate
estimate brings it to at least 1.5 million copies worldwide!
Virus #2
Name: Mad Virus A.
Type: Memory-resident bootsector virus.
Discovery date: March 26th 1988 (Eerk Hofmeester).
Virus can copy to drive(s): A or B (current drive).
Virus attaches itself to: Hdv_rw vector.
Disks can be immunized against it: Yes (0.B $60).
Immunizable with UVK: Yes.
What can happen: Fools around with screen or bleeps with the sound
chip.
When does that happen: After it makes five copies of itself, and
then at every disk access.
Reset-proof: No.
Can copy to hard disk: No.
Remark: A relatively harmless virus, therefore also sometimes
referred to as 'FUN Virus'. This is improper, however, as there
already is a virus sometimes called 'Fun Virus', too (the Merlin
Mad Virus, #60). For more remarks on the 'Mad Virus', see Mad
Virus B (#49).
Virus #3
Name: Signum/BPL Virus B.
Discovery date: Summer 1988 (Anton Raves).
Symptoms: Disk on which the virus is present is unreadable due to
a damaged BPB.
Remark: This is no true other virus, but a virus that was
corrupted while active in the system. For more info see the
Signum/BPL Virus A.
Virus #4
Name: ACA Virus.
Type: Reset-proof memory-resident bootsector virus.
Discovery date: June 29th 1988 (Little Joe).
Virus can copy to drive(s): Boot device.
Virus attaches itself to: Undocumented RESET-resistant.
Disks can be immunized against it: Yes (0.B $60 or 4.W $4143)
Immunizable with UVK: Yes.
What can happen: Track 0 is cleared (BPB, bootsector and FAT).
Data is then irretrievably lost.
When does that happen: After it has made 10 copies of itself.
This is done each time you press reset.
Reset-proof: Yes.
Can copy to hard disk: No.
Remark: This virus is made by the ACA crew (ACA stands for Anti
Copyright Association) from Sweden. In April 1990 it became known
that this ACA crew also made a virus killer (with lotsa graphics
and a scroller in the lower border). This killer could allegedly
also SPREAD viruses when you pressed a certain key combination! In
a 1988 issue of the German "ST Magazin" an interview with ACA was
published, in which they stated to have written (but not spread)
even worse viruses.
Virus #5
Name: Freeze Virus.
Type: Memory-resident bootsector virus.
Discovery date: July 12th 1988 (Carsten Frischkorn).
Virus can copy to drive(s): A or B (current drive).
Virus attaches itself to: Hdv_rw vector; also installs MFP
interrupt.
Disks can be immunized against it: Yes (0.B $60).
Immunizable with UVK: Yes.
What can happen: The system slows down more and more, until it
freezes.
When does that happen: Right from the beginning on, increasing at
every access of logical sector 11 (directory).
Reset-proof: No.
Can copy to hard disk: No.
Virus #6
Name: Screen Virus.
Type: Memory-resident bootsector virus.
Discovery date: July 12th 1988 (Carsten Frischkorn).
Virus can copy to drive(s): A.
Virus attaches itself to: Hdv_bpb vector; 200 Hz System Clock
vector; Etv_critic vector.
Disks can be immunized against it: Yes (executable).
Immunizable with UVK: Yes.
What can happen: Screen is blackened.
When does that happen: 54 minutes after virus installation.
Reset-proof: No.
Can copy to hard disk: No.
Remark: Only works on 02.06.1986 ROMs (German pre-blitter TOS).
Virus #7
Name: C'T Virus.
Type: Reset-proof memory-resident bootsector virus.
Discovery date: Summer 1988 (Wim Nottroth).
Virus can copy to drive(s): Any (including hard disk).
Virus attaches itself to: Undocumented RESET resistant.
Disks can be immunized against it: Yes (executable).
Immunizable with UVK: Yes.
What can happen: Deletes FAT of floppy-and hard disk (all data
irretrievably lost).
When does that happen: If date stamp is 1987.
Reset-proof: Yes.
Can copy to hard disk: Yes.
Remark: This virus was featured in a German magazine called
"Computer & Technik". The author claims he 'found it' on one
of his disks. A listing was included, so that people could
reproduce and adapt the virus with ease. It writes the message
"ARRRGGGHHH Diskvirus hat wieder zugeschlagen" on the screen
when it is activated. Due to the fact that it forgets to check
whether or not the device is higher than "B", it can also copy
itself to hard disk.
Virus #8
Name: Maulwurf I Virus B (English TOS version).
Type: Reset-proof memory-resident bootsector virus.
Discovery date: September 3rd 1988 (Joerg Kruse).
Virus can copy to drive(s): A of B (current drive).
Virus attaches itself to: Reset vector, Hdv_bpb vector and VBL
vector (this virus operates out of the VBL!).
Disks can be immunized against it: Yes (0.W $601C or 2.W $001C,
AND must be executable).
Immunizable with UVK: Yes.
What can happen: Message on screen "Maulwurf I - SSG (Subversive
Software Group)" and computer locks up.
When does that happen: If original Hdv_bpb vector is re-
installed, or when someone changes the Hz200 counter.
Reset-proof: Yes.
Can copy to hard disk: No.
Remark: This virus was made by the Subversive Software Group in
Germany. It is also called "Caterpillar Virus", as that is its
name in English.
Virus #9
Name: Bayerische Hacker Post (BHP) Virus.
Type: Memory-resident bootsector virus.
Discovery date: September 10th 1988 (Henrik Alt).
Virus can copy to drive(s): A or B (current drive)
Virus attaches itself to: Hdv_bpb vector
Disks can be immunized against it: Yes (ANY value on 0.W)
Immunizable with UVK: Yes
What can happen: Nothing. It only copies itself
When does that happen: Never (how could it?)
Reset-proof: No
Can copy to hard disk: No
Remark: Made by the Bayerische Hacker Post. This is a small
computer user's group in Germany that also publishes a small club
magazine. In that magazine, the virus was said to reset- proof,
and that it would 'write through the write-protect notch'
(haha!). None if this is true. It checks the WP notch, however, in
a way that only works successfully on pre-blitter TOS versions
(i.e. TOS version before 1.02). The Bayerische Hacker Post
address: c/o BASIS, Adalbertstra₧e. 41b, D-8000 München 40,
Germany.
Virus #10
Name: Lab-Virus.
Type: Memory-resident bootsector virus.
Discovery date: September 10th 1988 (Henrik Alt).
Virus can copy to drive(s): A or B (current drive).
Virus attaches itself to: Hdv_bpb vector.
Disks can be immunized against it: No.
Immunizable with UVK: No.
What can happen: Screen is made entirely black.
When does that happen: After copying itself 10 times.
Reset-proof: No.
Can copy to hard disk: No.
Remark: Checks the write-protect status address in an illegal way,
and will therefore not work correctly on any TOS version above
1.04. This virus seems to be an adapted version of the BHP virus.
Virus #11
Name: FAT-Virus.
Type: Reset-proof memory-resident bootsector call virus.
Discovery date: May 1st 1988 (Stephen E. Schneider).
Virus can copy to drive(s): A.
Virus attaches itself to: Hdv_bpb and reset vector.
Disks can be immunized against it: Yes (executable).
Immunizable with UVK: Yes.
What can happen: Random memory accesses, resulting in blots
appearing on the screen and current programme running crashing.
When does that happen: After three hours, and then at the first
time $114 is changed from its original value (this is the MFP
Interrupt 5 vector).
Reset-proof: Yes.
Can copy to hard disk: No.
Remark: Only works on 02-06-1986 ROMs (German TOS 1.00). It uses
time delays to make it more difficult to detect. This virus
spreads easily and rapidly. It is bigger than just one bootsector
and also uses the last FAT sector to write itself on. It is
probably made in Switzerland, and is also called "Swiss"-or
"Blot"-virus.
Virus #12
Name: Ghost Virus A.
Type: Reset-proof memory-resident bootsector virus.
Discovery date: November 20th 1988 (Carmen Brunner).
Virus can copy to drive(s): A or B (current drive).
Virus attaches itself to: Hdv_bpb and resvector; it is also non-
documented reset-resistant.
Disks can be immunized against it: No.
Immunizable with UVK: No.
What can happen: Mouse Y directions are inverted.
When does that happen: After copying itself 10 times.
Reset-proof: Yes.
Can copy to hard disk: No.
Remark: RUMOURED to be made by someone called Pash in Doncaster,
England. It is very widely spread (England, Holland, Sweden and
West Germany in particular). It is also called "Mouse" virus.
Virus #13
Name: 5th Generation Virus.
Type: Memory-resident bootsector virus.
Discovery date: December 6th 1988.
Virus can copy to drive(s): A.
Virus attaches itself to: Trap #13 vector.
Disks can be immunized against it: Yes (executable).
Immunizable with UVK: Yes.
What can happen: Writes trash in the first 34 sectors of a disk,
lethally corrupting the bootsector, FAT, and directory.
When does that happen: When the virus has reached its fifth
generation.
Reset-proof: No.
Can copy to hard disk: No.
Virus #14
Name: OLI Virus.
Type: Reset-proof memory-resident bootsector virus.
Discovery date: December 10th 1988.
Virus can copy to drive(s): Boot device.
Virus attaches itself to: Hdv_rw and trap #14 vector; also non-
documented reset-resistant.
Disks can be immunized against it: No.
Immunizable with UVK: No.
What can happen: The text "OLI-VIRUS installed ." appears on the
screen. Then, it starts slowing down the ST by hooking itself on
an interrupt vector. In certain cases, it can also corrupt disk
data.
When does that happen: After having made 20 copies of itself.
Reset-proof: Yes.
Can copy to hard disk: No.
Virus #15
Name: Maulwurf I Virus A (German TOS version).
Discovery date: January 1st 1989.
Symptoms and remark: See virus #8. Only three branch addresses
are different, so as to work on German instead of English TOS.
Virus #16
Name: Kobold #2 Virus.
Type: Reset-proof memory-resident bootsector virus.
Discovery date: January 2nd 1989.
Virus can copy to drive(s): A (?).
Virus attaches itself to: Hdv_bpb and resvector; Vbl_queue; also
undocumented reset-resistant.
Disks can be immunized against it: No.
Immunizable with UVK: No.
What can happen: The mouse X-direction will be slightly distorted,
resulting in the user slowly moving it off the desk. It might do
something more, but it is not known WHAT.
When does that happen: ?.
Reset-proof: Yes.
Can copy to hard disk: No.
Remark: This is the toughest virus yet. Not many statements can be
made about it with certainty. It installs itself in memory on
booting, and only after ANOTHER reset will it install the vectors
mentioned above. Then, it will also print the text "KOBOLD#2
AKTIV!" (this leads to the belief that the virus is German). What
it can actually do more (besides copying itself and that mouse
stuff), and when it does that, is unknown (but at least it does
not do anything with disk data).
Virus #17
Name: Mad Virus C.
Discovery date: January 1989 (Frits Couwenberg).
Symptoms: See virus #2.
Remark: Some of the last screen fiddle/sound routines in this
virus have been corrupted by alien code. It will therefore crash
when these routines are executed.
Virus #18
Name: Mutant Antivirus #1 A.
Discovery date: January 28th 1989.
Symptoms: Copies itself to other disks (except when they're
executable). Some of the latter half of its code is corrupted by
alien code, however, and may/will result in a system crash.
Remark: Read further for more info about anti-viruses.
Virus #19
Name: Goblin Virus.
Type: Reset-proof memory-resident bootsector virus.
Discovery date: April 3rd 1989 (Clive Duberley).
Virus can copy to drive(s): A or B (drive used by disk access
call).
Virus attaches itself to: Hdv_bpb and resvector; also non-
documented reset-resistant.
Disks can be immunized against it: Yes (1A2.L $27182818).
Immunizable with UVK: Yes.
What can happen: It puts the message "The Green Goblins Strike
Again" on the screen; it can also mess up the display.
When does that happen: The message appears after 128 copies of
itself have been made; the messing up of the display is done after
16 copies of itself have been made.
Reset-proof: Yes.
Can copy to hard disk: No.
Remark: Probably made in England.
Virus #20
Name: Mutant Antivirus #1 B.
Discovery Date: March 6th 1989 (Thomas Gathen).
Symptoms: System crashes, mainly. This is just a gigantically
busted AntiVirus #1, and really can't do anything decent. Most
probably doesn't even multiply...
Virus #21
Name: Counter Virus.
Tyoe: Memory-resident bootsector virus.
Discovery Date: May 1989.
Virus can copy to drive(s): A or B (current drive).
Virus attaches itself to: ?.
Disks can be immunized against it: ?.
Immunizable with UVK: ?.
What can happen: Nothing.
When does that happen: Never (would it?).
Reset-proof: No.
Can copy to hard disk: No.
Symptoms: This virus keeps a generation counter, but doesn't do
anything more.
Virus #22
Name: Help Virus.
Type: Memory-resident bootsector virus.
Discovery date: September 1988.
Virus can copy to drive(s): None.
Virus attaches itself to: ?.
Disks can be immunized against it: ?.
Immunizable with UVK: ?.
What can happen: Screen is filled with bombs.
When does that happen: At booting.
Reset-proof: No.
Can copy to hard disk: No.
Remark: No real virus, because it actually cannot multiply without
external help. Since it resides in the bootsector, since another
virus killer classified it as a 'virus' and since it does
something a computer user would not like, it is still listed here
as a 'virus'.
Virus #23
Name: Exception Virus.
Type: Reset-proof memory-resident bootsector virus.
Discovery date: September 1988.
Virus can copy to drive(s): A or B (current drive).
Virus attaches itself to: Hdv_bpb vector, undocumented reset-
resistant.
Disks can be immunized against it: No.
Immunizable with UVK: No.
What can happen: System crashes due to random values written to
random memory locations.
When does that happen: About 22 minutes after a vbl routine is
installed, which happens after accessing a non-write protected
disk in drive A or B.
Reset-proof: Yes.
Can copy to hard disk: No.
Remark: Does not work when Hdv_bpb points at an address below $FFFF
(generally this is the case when a hard disk is installed). It was
previously also known as Random virus, and it only works on TOS
1.00 and 1.02.
Virus #24
Name: Gauweiler Virus.
Type: Reset-proof memory-resident bootsector virus.
Discovery date: July 12th 1989 (Harald Wend).
Virus can copy to drive(s): A or B (current drive).
Virus attaches itself to: Hdv_bpb; undocumented reset-resistant.
Disks can be immunized against it: No.
Immunizable with UVK: No.
What can happen: Writes "AIDS?" on the screen and zeroes track 1 of
a floppy disk (irretrievably destroying bootsector, FAT, and
directory).
When does that happen: After the first reset after booting it.
Reset-proof: Yes.
Can copy to hard disk: No.
Remark: Version 3.0 of this virus (version number contained in boot
code) is supposed to be programmed on July 7th 1988 (also
contained in boot code). So it was almost exactly one year old
when it was discovered...
Virus #25
Name: Evil Virus.
Type: Reset-proof memory-resident bootsector virus.
Discovery date: May 23rd 1989 (Jeremy Hughes).
Virus can copy to drive(s): A or B (current drive).
Virus attaches itself to: Resetvector and Hdv_bpb.
Disks can be immunized against it: Yes (0.L $60380666).
Immunizable with UVK: No.
What can happen: Screen colours inverted.
When does that happen: After 100 copies of itself are made.
Reset-proof: Yes.
Can copy to hard disk: No.
Remarks: Contains the text " EVIL ! - A Gift from Old Nick". It is
written in England. Obviously, the author acquired a copy of an
earlier version of the "Ultimate Virus Killer" - he made sure the
virus was recognized to be an Atari system disk! Very cleverly
done, by using the recognition bytes somewhere in the virus code.
I am glad to say that we're now at least ONE step ahead of this
guy!
This virus is very often found in Scandinavian countries.
Virus #26
Name: P.M.S. Virus.
Type: Reset-proof memory-resident bootsector virus.
Discovery date: May 20th 1989 (Chris Dudley).
Virus can copy to drive(s): A.
Virus attaches itself to: XBIOS trap vector and reset vector.
Disks can be immunized against it: Yes (1B4.L $2A2A2A20).
Immunizable with UVK: Yes.
What can happen: Text "*** The Pirate Trap ***, * Youre being
watched *, *** (C) P.M.S. 1987 ***" (sic) appears on the screen.
When does that happen: At each fiftieth copy of itself that is
made.
Reset-proof: Yes.
Can copy to hard disk: No.
Remark: Contains a copyright message for 1987 (!). This virus
might thus be VERY old and it is a miracle that is had slipped
through the attention of ALL virus killers thus far. It is
thought to be made by a software vendor to prevent people from
copying software in his shop. Due to obvious reasons, it is also
called "Pirate Trap Virus".
This virus patched the XBIOS vector in such an effective way that,
once the virus is in memory, it even patches bootsector reads to
hide its presence. It copies itself at each use of Floprd (XBIOS
8)!
Virus #27
Name: Ghost Virus B.
Discovery date: June 15th 1989 (R. de Groen).
Symptoms: See Virus #12 (Ghost Virus). This virus has a few
damaged bytes and will therefore crash easily.
Virus #28
Name: Arnold/Rambo Virus.
Type: Memory-resident bootsector virus.
Discovery date: November 1989.
Virus can copy to drive(s): A or B (current drive).
Virus attaches itself to: Hdv_bpb vector.
Disks can be immunized against it: Yes (0.B $60).
Immunizable with UVK: Yes.
What can happen: Nothing.
When does that happen: After five copies were made.
Reset-proof: No.
Can copy to hard disk: No.
Remark: This virus was actually designed to have precisely the
same effects as the Mad virus, but due to a wrong branch and a
non-working counter this does not work.
Virus #29
Name: Monitor Virus.
Type: Reset-proof memory-resident bootsector virus.
Discovery date: November 1989.
Virus can copy to drive(s): A or B.
Virus attaches itself to: ?.
Disks can be immunized against it: ?.
What can happen: Random lines are put on the screen.
When does that happen: ?.
Reset-proof: Yes.
Can copy to hard disk: No.
Symptoms: Some random lines are put on the screen, which are
probably meant to hint at a busted monitor. Of course, this virus
doesn't harm the monitor at all.
Virus #30
Name: Anti-ACA Virus.
Type: Memory-resident bootsector virus.
Discovery date: December 28th 1989.
Virus can copy to drive(s): A or B (current drive).
Virus attaches itself to: GEMDOS trap vector.
Disks can be immunized against it: Yes (0.W $601C).
Immunizable with UVK: No.
What can happen: Text "GREETINGS TO ACA, THE FIRST GROUP TO BE
GREETED IN A VIRUS! (AND THEY ARE THE GUYS WHO MADE THE 1ST ST
VIRUS" on screen, followed by the computer crashing.
When does that happen: After four copies of itself are made.
Reset-proof: No.
Can copy to hard disk: No.
Remarks: This virus was written in Norway by someone called himself
The Lazy Lion (as were viruses 31-36!). Actually, unlike this
virus claims, the first virus on the ST was not that of the ACA
(but who cares).
All these viruses patch the GEMDOS trap vector, and will get
active and/or copy themselves at any Fopen or Fsfirst GEMDOS call.
Virus #31
Name: Chopin Virus.
Type: Memory-resident bootsector virus.
Discovery date: December 28th 1989.
Virus can copy to drive(s): A.
Virus attaches itself to: GEMDOS trap vector.
Disks can be immunized against it: No.
Immunizable with UVK: No.
What can happen: Music of Chopin's Death March start playing
endlessly and system freezes to a halt. At each music end, it also
prints the message "FUCK! YOU'VE GOT A VIRUS!" on the screen.
When does that happen: After 26 copies of itself are made.
Reset-proof: No.
Can copy to hard disk: No.
Virus #32
Name: Cookie Monster Virus A.
Type: Memory-resident bootsector virus.
Discovery date: December 28th 1989.
Virus can copy to drive(s): A.
Virus attaches itself to: GEMDOS trap vector.
Disks can be immunized against it: No.
Immunizable with UVK: No.
What can happen: Writes "YOU KNOW WHAT? I WANT A COOKIE!" on the
screen, and then waits for the user to type COOKIE. After having
done this, it will enable the user to continue whatever he was
doing. After each 20 further copies, it appears again.
When does that happen: After 30 copies of itself are made.
Reset-proof: No.
Can copy to hard disk: No.
Virus #33
Name: Cookie Monster Virus B.
Type: Reset-proof memory-resident bootsector virus.
Discovery date: December 28th 1989.
Virus can copy to drive(s): A.
Virus attaches itself to: GEMDOS trap vector and resvector.
Disks can be immunized against it: No.
Immunizable with UVK: No.
What can happen: See virus #32.
When does that happen: See virus #32.
Reset-proof: Yes.
Can copy to hard disk: No.
Remark: The only difference with virus #32 is that it is reset-
proof.
Virus #34
Name: Puke Virus A.
Type: Memory-resident bootsector virus.
Discovery date: December 28th 1989.
Virus can copy to drive(s): A or B (current drive).
Virus attaches itself to: GEMDOS trap vector.
Disks can be immunized against it: Yes (0.W $601C).
Immunizable with UVK: No.
What can happen: First file deleted from current floppy drive.
When does that happen: After five copies of itself are made.
Reset-proof: No.
Can copy to hard disk: No.
Remark: The boot code also includes the address of a well known
member of the ST society, who was supposed to be blackmailed using
this virus (but who did NOT write it!).
Virus #35
Name: Puke Virus B.
Type: Memory-resident bootsector virus.
Discovery date: December 28th 1989.
Virus can copy to drive(s): A or B (current drive).
Virus attaches itself to: XBIOS trap vector.
Disks can be immunized against it: Yes (19E.L $70756B65).
Immunizable with UVK: Yes.
What can happen: Track 1 gets the memory contents of $78000 (screen
memory on half meg machines) written on it (irretrievably
corrupting bootsector, FAT and directory sectors).
When does that happen: After making five copies of itself, and
then after each second copy.
Reset-proof: No.
Can copy to hard disk: No.
Remark: See virus #34.
Virus #36
Name: Upside Down Virus.
Type: Memory-resident bootsector virus.
Discovery date: December 28th 1989.
Virus can copy to drive(s): A or B (current drive).
Virus attaches itself to: GEMDOS trap vector.
Disks can be immunized against it: Yes (0.W $601C).
Immunizable with UVK: No.
What can happen: Screen turns upside down.
When does that happen: After four copies of itself are made, and
then after each second copy.
Reset-proof: No.
Can copy to hard disk: No.
Remark: Due to a small bug, it seems to write only non- executable
copies of itself?
Virus #37
Name: Mutant Antivirus #4.
Discovery date: Autumn 1989.
Symptoms: As this is an anti-virus with almost 50 percent of its
code destroyed, it probably only crashes the system on boot-up.
Virus #38
Name: G-DATA Virus.
Type: Memory-resident bootsector virus.
Discovery date: May 5th 1990.
Virus can copy to drive(s): A or B (current drive).
Virus attaches itself to: Hdv_bpb vector.
Disks can be immunized against it: Yes (0.B $60).
Immunizable with UVK: Yes.
What can happen: Nothing.
Reset-proof: No.
Can copy to hard disk: No.
Remark: This virus was not written by G-Data (which is a German
company that has also made a virus killer), but owes its name to
the fact that it contains the message "ANTI-VIREN KIT 3KEIN VIRUS
IM BOOTSECTOR" (translation: "ANTI-VIREN KIT 3NO VIRUS IN THE
BOOTSECTOR"), suggesting that it is a disk immunized by the G-Data
virus killer (which, of course, it isn't). It's based on the
Exception Virus.
Virus #39
Name: Media Change Virus.
Type: Reset-proof memory-resident bootsector viruses.
Discovery date: October 27th 1989.
Virus can copy to drive(s): All boot devices.
Virus attaches itself to: Mediach (Media Change) vector, and
undocumented reset-resistant.
Disks can be immunized against it: Yes (executable).
Immunizable with UVK: Yes.
What can happen: Text turns to screen colour.
When does that happen: Every fifth copy.
Reset-proof: Yes.
Can copy to hard disk: Yes.
Remark: Since it does not check for drives higher than B, and
since it uses the BIOS Rwabs call, it can also copy to hard disk
when you have booted from that!
Virus #40
Name: Ghost Virus C.
Discovery date: March 9th 1990.
Remark: A version of the original Ghost Virus in which three bytes
have been corrupted, causing the branch to be (non-fatally) misled
and the mouse reversion routine to malfunction. It copies without
any problems, though, and is indeed reset-proof.
Virus #41
Name: Bat Virus.
Type: Non-executable reset-proof memory-resident bootsector call
virus.
Discovery date: March 17th 1990 (George Woodside).
Virus can copy to drive(s): Current drive.
Virus attaches itself to: Hdv_bpb vector, timer vectors, reset
vector. Also undocumented reset-resistant.
Disks can be immunized against it: No.
Immunizable with UVK: No.
What can happen: Last sectors of directory can be destroyed if the
directory is very long. The mouse pointer will turn into a batman
logo.
When does that happen: The directory bit can happen each time it
copies itself; the mouse pointer will change after one hour.
Reset-proof: Yes.
Can copy to hard disk: ?.
Remark: Written by some kid for a French journalist. He's an author
who has e.g. written articles about viruses, and he has probably
done this virus to check how fast they can multiply and to check
how good virus killers are. Previously, this virus was considered
to be 100% safe by ALL virus killers, as the bootsector is NOT
executable - yet it is a bootsector virus! It is really a very
ingenious viruses, but the "Ultimate Virus Killer" is ahead of its
prey!
Virus #42
Name: Grim Reaper Virus.
Type: Memory-resident bootsector virus.
Discovery date: May 9th 1990 (John).
Virus can copy to drive(s): Drive A only.
Virus attaches itself to: Hdv_bpb vector.
Disks can be immunized against it: Yes (0.W $6A38, 3A.W $41FA).
Immunizable with UVK: No.
What can happen: De-installs itself, screws up the screen, prints
garbage on the screen and writes to contents of memory at $78000
(screen address on half megabyte machines) to the first 20 sectors
of a disk, lethally corrupting bootsector, FAT and directory.
When does that happen: After 47 copies of itself are made.
Reset-proof: No.
Can copy to hard disk: No.
Remark: A nasty one, this virus. Its installation structure is
identical with George Woodside's Antivirus "VKill Guard". The
bootsector also contains the text " -= The Jumper strikes again =-
Pirates, the grim reaper draws near ".
Virus #43
Name: Megacunt V2.0 virus.
Type: Memory-resident bootsector virus.
Discovery date: December 1989 (Dave Moss).
Virus can copy to drive(s): Current drive (floppy only), and only
to immunized disks.
Virus attaches itself to: Hdv_bpb vector.
Disks can be immunized against it: No.
Immunizable with UVK: No.
What can happen: Acid-colours will be on the background screen
colour, done by the level 4 interrupt.
When does that happen: After 20 copies of itself are made.
Reset-proof: No.
Can copy to hard disk: No.
Remark: Written by a chap calling himself Alcoholica, and only
copies to immunized disks (!crikey!). Several other versions of
this virus are believed to exist, but none have been sighted.
Virus #44
Name: Horror Virus.
Type: Non-executable reset-proof memory-resident bootsector call
virus.
Discovery date: August 23rd 1990.
Virus can copy to drive(s): Drive A.
Virus attaches itself to: Hdv_bpb vector, timer C vector. Also
undocumented reset-resistant.
Disks can be immunized against it: No.
Immunizable with UVK: No.
What can happen: Screen will switch colours, sound will be heard.
When does that happen: At a certain time after copying itself
five times.
Reset-proof: Yes.
Can copy to hard disk: No.
Remark: Written by a member of ULM from Luxemburg, for test
purposes. He did this early spring 1990. It has never been spread,
but he gave it to me 'just in case'. Previously, this virus was
considered to be 100% safe by ALL virus killers, as the bootsector
is NOT executable - yet it is a bootsector virus (see 'Batman
Virus')!
Virus #45
Name: DJA Virus.
Type: Memory-resident bootsector virus.
Discovery date: Summer 1990.
Virus can copy to drive(s): Current drive.
Virus attaches itself to: Hdv_bpb vector.
Disks can be immunized against it: Yes (0.W $6038).
Immunizable with UVK: Yes.
What can happen: Message will be displayed on screen ("Du ar
smetted av DJA viruset Generatio....(generation number)") and
system will lock up.
When does that happen: After a fourth disk is found with the virus
on it (or any disk starting with $6038 - including immunized
ones!).
Reset-proof: No.
Can copy to hard disk: Yes.
Remark: Written in Norway or Denmark, as the text it prints means
"You are infected by the DJA virus" in one of these languages). A
good thing is that it does not copy to immunized disks - but
unfortunately these immunized disks DO trigger the 'destruction'
routine!
Virus #46
Name: TOI Virus.
Type: Reset-proof memory-resident bootsector virus.
Discovery date: November 10th 1990 (George Woodside).
Virus can copy to drive(s): Current drive.
Virus attaches itself to: Hdv_bpb and resvector; it is also non-
documented reset-resistant.
Disks can be immunized against it: No.
Immunizable with UVK: No.
What can happen: Inverts the vertical mouse movements (just like
the "Ghost" virus which is it's previrus). After that, it also
toggles the bits of a random memory location (this leads to
unpredictable crashes and small things going wrong).
When does that happen: After five copies of itself have been made.
Reset-proof: Yes.
Can copy to hard disk: No.
Remark: An adapted versions of the "Ghost" virus. The name comes
from the TOI programming group in Denver, Colorado, USA, who are
reported to be be responsible for this one.
Virus #47
Name: Flying Chimp Virus.
Type: Memory-resident bootsector virus.
Discovery date: December 15th 1990 (Les Neidig).
Virus can copy to drive(s): Drive A.
Virus attaches itself to: Hdv_bpb vector.
Disks can be immunized against it: No.
Immunizable with UVK: No.
What can happen: Message will be displayed on screen ("Zapped by
Waldo the Flying Chimp!").
When does that happen: After it has multiplied itself five times,
or when it has had 20 bootsector accesses.
Reset-proof: No.
Can copy to hard disk: No.
Remark: Thought to have been written in the USA. Also known as the
"Waldo Virus".
Virus #48
Name: Reset Virus.
Type: Memory-resident bootsector virus.
Discovery date: Summer 1988 (Volker Söhnitz).
Virus can copy to drive(s): ?.
Virus attaches itself to: Hdv_bpb, Hdv_rw and Hdv_mediach vectors.
Disks can be immunized against it: No.
Immunizable with UVK: No.
What can happen: It writes a message "Ihr Rechner hat Aids" (German
for "Your computer has AIDS") on the screen and then freezes the
system.
When does that happen: Three hours after booting.
Reset-proof: No.
Can copy to hard disk: No.
Remark: Strangely enough, this virus will not copy itself when
you've got a cartridge installed with the word "Dent" at address
$FA0066.
Virus #49
Name: MAD Virus B.
Discovery date: December 1987 (Volker Söhnitz).
Symptoms: See virus #2.
Remark: Published in a magazine called "Atari Spezial" (German),
and therefore also known under the name "Atari Spezial Virus".
This is the original MAD virus, which is exactly the same as MAD
virus A (which was spread the most) except for the offset of most
code. It was written by J. Schuppener, and it was published
towards the end of the year 1987 in the mentioned magazine. The
magazine now seems to be defunct, but the publisher used to be
CAV-GmbH, He₧stra₧e 90, D-8000 München, Germany.
Virus #50
Name: Ghost Virus D.
Discovery date: February 17th 1990.
Symptoms: See Virus #12 (Ghost Virus). This virus has a few
damaged bytes and will not work properly - may even crash.
Virus #51
Name: Ghost Virus E.
Discovery date: April 1991.
Symptoms: Principally it's the same as the Ghost Virus (#12), but
the symptoms are different. It does something with the vertical
blank queue and leaves the mouse alone. Unfortunately the precise
symptoms are unknown as the copies of this virus that were found
were both damaged.
Virus #52
Name: Ghost virus F.
Discovery date: April 1991.
Symptoms: See virus #12 (Ghost Virus), Unfortunately, there is some
corrupted code in the virus copy routine so that it can cause a
disk to be corrupted (the bootsector can be written wrongly, not
corrupting the actual data but making it inaccessible).
Virus #53
Name: Megaguru & Argo 2 Virus.
Type: Memory-resident bootsector virus.
Discovery date: June 22nd 1991 (Paolo Munarin).
Virus can copy to drive(s): A or B (current drive).
Virus attaches itself to: Hdv_bpb vector.
Disks can be immunized against it: No.
Immunizable with UVK: No.
What can happen: At booting, writes the text "* MEGAGURU & ARGO 2
001 * ANTEPRIME ATARI E AMIGA PRESENTANO :" on the screen. When
things go 'wrong' the screen inverts and a bleep sounds.
When does that happen: At each disk with an executable bootsector
that is accessed - with the exception of disks that have the virus
on them.
Reset-proof: No.
Can copy to hard disk: No.
Remark: This virus is from Italy. It was found on a disk which
contained a text file from a hacker called Megaguru, who (quote)
"would like to swap Amiga and ST software". Even his phone number
was on it!
Virus #54
Name: Ghost virus G.
Discovery date: June 1991 (Kai Holst).
Symptoms: See virus #12 (Ghost Virus). This seems to be an adapted
version of the Ghost Virus, and the pre-virus to most recent
mutant Ghost Viruses (of which there are rather an absurd lot).
Virus #55
Name: Finland Virus.
Type: Memory-resident reset-proof bootsector virus.
Discovery date: Early July 1991 (Steffen Fischer).
Virus can copy to drive(s): A.
Virus attaches itself to: Hdv_bpb vector, resvector. Also
undocumented reset-resistant.
Disks can be immunized against it: Yes (executable).
Immunizable with UVK: Yes.
What can happen: Fiddling with the screen colours (this comes down
to the green and white colours of the desktop being reversed when
in colour mode).
When does that happen: After is has done each 12th copy of itself.
The virus only copies to non-executable disks, or executable disks
that have viral symptoms (i.e. other viruses and itself) or that
have the word 'Boot' contained at hexadecimal offset $82 (any disk
'protected' by the boot program of the German PD virus killer
"Sagrotan" has the word 'Boot' at this offset!).
Reset-proof: Yes.
Can copy to hard disk: No.
Remark: This virus was coded by a chap called Toubab, on August
30th 1990. It got sent to me by two people almost at the same time
after the virus was almost one year old! Both occurrences,
however, were in Scandinavia (i.e. disks from Finland and Norway)
so this leads me to believe it was written in Scandinavia. It was
a real pain in the posterior, as it started with a longword
'00000000' value, that lead the "Ultimate Virus Killer" to not
finding it suspect!
Virus #56
Name: Ghost virus H.
Discovery date: August 5th 1991 (Harald Uenzelmann).
Symptoms: See virus #12 (Ghost Virus). This is principally exactly
the same as the standard Ghost Virus, but someone apparently found
it necessary to change the Branch into BLS instead of BRA - which
has the same result when executed but which effectively caused it
not to be recognized.
Virus #57
Name: Signum virus C.
Discovery date: September 25th 1991 (Darren Laidler).
Symptoms: See virus #1 (Signum virus A). This is exactly the same
with regard to symptoms and the way it works. The only reason why
it is basically different is that someone (probably someone in
England) optimized it a bit, and some machine code instructions
have been replaced by others.
Virus #58
Name: Joe Virus.
Type: Memory-resident bootsector virus.
Discovery date: November 25th 1991 (ACN).
Virus can copy to drive(s): Current floppy drive (A or B).
Virus attaches itself to: Hdv_bpb vector.
Disks can be immunized against it: Yes (0.W $4E71).
Immunizable with UVK: No.
What can happen: When it finds itself with a specific value in the
fourth and fifth byte, it will execute itself again, probably
cluttering up the system.
When does that happen: When it finds itself again, and then every
second time.
Reset-proof: No.
Can copy to hard disk: No.
Remark: As this virus has no particular characteristics, it was
called "Joe Virus" as I was listening to Jimi Hendrix' "Hey Joe"
when I disassembled it.
Virus #59
Name: Directory Waster Virus.
Type: Reset-proof memory-resident bootsector virus.
Discovery date: Unknown (Michael Schussler).
Virus can copy to drive(s): Current floppy drive (A or B).
Virus attaches itself to: Hdv_bpb vector, resvector; also
undocumented reset-resistant.
Disks can be immunized against it: No.
Immunizable with UVK: No.
What can happen: First twenty tracks of your disk get destroyed
(both side 0 and side 1!) When does that happen: After each
twentieth copy it made of itself.
Reset-proof: Yes.
Can copy to hard disk: No.
Remark: The name is quite improper, as it destroys about 25% of a
disk and not just the directory. Initially, this virus only
installs itself on the standard reset vector. After the first
reset, it bends the hdv_bpb vector and becomes reset-resistant in
the undocumented way.
Virus #60
Name: Merlin's Mad Virus.
Type: Memory-resident bootsector programme.
Discovery date: Unknown (Mike Mee).
Virus can copy to drive(s): Not at all.
Virus attaches itself to: Nowhere.
Disks can be immunized against it: No need to immunize.
Immunizable with UVK: Not applicable.
What can happen: See the Mad Virus - it does the same things with
the screen and/or makes a sound.
When does that happen: When booting with a disk containing this
'virus'.
Reset-proof: Not applicable (i.e. "no").
Can copy to hard disk: Not applicable.
Remark: This is no virus at all, but it has been classified here as
Mike Mee sent it to me who classifies it as a virus in his
"Professional Virus Killer" programme. It was written by Merlin
the Welsh Wizard, and it's TOTALLY HARMLESS. It can not copy
itself, and only fiddles around with the screen in the same
fashion as the "MAD Virus" after which it is called.
Virus #61
Name: Wolf Virus.
Type: Memory-resident bootsector virus.
Discovery date: February 4th 1991 (Carsten Frischkorn).
Virus can copy to drive(s): Current floppy drive (A or B).
Virus attaches itself to: BIOS vector.
Disks can be immunized against it: Yes (0.W $EB34).
Immunizable with UVK: No.
What can happen: RAM memory amount it halved (this does not imply
you actually LOSE RAM, it just means that it makes the computer
THINK it has less RAM!).
When does that happen: After the eighth generation is found.
Reset-proof: No.
Can copy to hard disk: No.
Remark: A rather nasty virus. For starters, it starts off with the
bytes you'd normally find on an MS-DOS disk, i.e. all virus
killers think it's an MS-DOS bootsector. Second, it fools the user
by putting the message "Kein Virus im bootsector!" on the screen
at booting. This is the boot message of the virus-free bootsector
of the German virus killer "Sagrotan". It de-installs itself after
three infections (i.e. your computer will think you've got 1/8th
of your actual amount of RAM memory by then!).
Virus #62
Name: Ghost virus I.
Discovery date: October 5th 1991 (Frank Jonkers).
Symptoms: See virus #12 (Ghost Virus), Unfortunately, there is some
corrupted code in the virus copy routine so that it can cause a
disk to be corrupted (the bootsector can be written wrongly, not
corrupting the actual data but making it inaccessible).
Virus #63
Name: Menace Virus.
Type: Reset-proof memory-resident bootsector call virus.
Discovery date: Spring 1992 (David of H-Street).
Virus can copy to drive(s): Current floppy drive (A or B).
Virus attaches itself to: Xbios vector, Hdv_bpb vector and
interrupt level 4 interrupt; also undocumented reset-resistant.
Disks can be immunized against it: No.
Immunizable with UVK: No.
What can happen: Overwrites the bootsector of your floppy disk
with a message in an Elfish language (Tolkien).
When does that happen: After having made ten copies ot itself.
Resetproof: Yes.
Can copy to harddisk: No.
Remark: This virus uses TWO sectors on disk, sector 1 and 10. It's
rather cleverly written and thought to come from Malta. Several
versions are believed to exist.
Virus #64
Name: Ashton Nirvana Virus.
Type: Reset-proof memory-resident bootsector virus.
Discovery date: Spring 1992 (David of H-Street).
Virus can copy to drive(s): Current floppy drive (A or B).
Virus attaches itself to: Hdv_bpb vector; also undocumented
reset-resistant.
Disks can be immunized against it: No.
Immunizable with UVK: No.
What can happen: Random sectors will be read from the current drive
(including hard disk!) and written back with the word "ASHTON" in
it. This obviously corrupts your media, at one sector per Hdv_bpb
use.
When does that happen: Each time a floppy/hard disk is read from
or written to.
Resetproof: Yes.
Can copy to harddisk: No.
Remark: Perhaps this virus was written by the same person as the
"Menace" virus. It's a nasty one as it can corrupt hard disks as
well!
Virus #65
Name: Lietuva Virus.
Type: Reset-proof memory-resident bootsector virus.
Discovery date: Spring 1992 (Paragraph Headquarters).
Virus can copy to drive(s): Current floppy drive (A or B).
Virus attaches itself to: Vbl queue, resetvector; also
undocumented reset-resistant.
Disks can be immunized against it: No.
Immunizable with UVK: No.
What can happen: Bootsector will be zeroed.
When does that happen: After the first eight copies of itself are
made, and every six copies afterwards. A copy is made every time a
disk's bootsector is read/written.
Resetproof: Yes.
Can copy to harddisk: No.
Remark: Written by a chap in the former U.S.S.R. who now lives in
Lithuania. It does not bend any actual system variable which makes
it rather revolutionary.
Virus #66
Name: Signum virus D.
Discovery date: March 25th 1992 (Volker Söhnitz).
Remark: This is an optimized version of the original Signum A
virus, which is also somewhat smaller in size. It is no longer
immunizable with the standard Signum immunization (0.W $6038) but
instead requires to be immunized with 2.W $07C4. This effectively
makes it impossible to immunize it with the "Ultimate Virus
Killer"...
Virus #67
Name: Zorro Virus A.
Type: Reset-proof memory-resident bootsector virus.
Discovery date: June 1992 (P. van Zanten)
Virus can copy to drive(s): Current floppy drive (A or B).
Virus attaches itself to: Hdv_rw, Hdv_bpb, resvector and also
undocumented reset-resistant.
Disks can be immunized against it: No.
Immunizable with UVK: No.
What can happen: System will lock itself.
When does that happen: After a specific number of copies are made.
Resetproof: Yes.
Can copy to harddisk: No.
Remark: A very complex virus that evaded virus killers previously
by being recognized as an MS-DOS bootsector. It's heavily coded
and installs itself in memory in a very complex way. On top of
that it seems capable of installing differently coded versions of
itself so that per definition each copy of this virus differs from
all other copies of it.
Virus #68
Name: Zoch Virus.
Type: Memory-resident bootsector virus.
Discovery date: December 1992.
Virus can copy to drive(s): Current floppy drive (A or B).
Virus attaches itself to: Hdv_bpb.
Disks can be immunized against it: Yes (0.L $5A4F4348, "ZOCH").
Immunizable with UVK: No.
What can happen: Text on screen (The Night Force Virus Breaker by
Zoch), and copies itself.
When does that happen: Text appears on installation. It copies
itself to all disk it is not on already.
Resetproof: No.
Can copy to harddisk: No.
Remark: To all intent and purpose this virus was written as an
antivirus. Unfortunately it copies itself across ALL bootsectors
it finds with the exception of ones it finds itself on. This
means that it will destroy any previous program in the bootsector,
whether needed or virus!
Virus #69
Name: Macumba 3.3 Virus.
Type: Reset-proof memory-resident bootsector virus.
Discovery date: February 1993 (Chris Brookes).
Virus can copy to drive(s): Current floppy drive (A or B).
Virus attaches itself to: Hdv_bpb, undocumented reset-resistant.
Disks can be immunized against it: No.
Immunizable with UVK: No.
What can happen: The system freezes totally and abruptly.
When does that happen: After a specific number of copies have been
made of itself.
Resetproof: Yes.
Can copy to harddisk: No.
Remark: This virus also codes itself and also fakes to be an MS-DOS
disk (just like the Zorro Virus). Quite naughty.
Virus #70
Name: Zorro Virus B.
Discovery date: February 17th 1993 (Kenneth Elofsson)
Remark: Virtually identical to Zorro Virus A, so refer to
information given there. Only a few bytes have been changed.
Virus #71
Name: Beilstein Virus.
Type: Reset-proof memory-resident bootsector call virus.
Discovery date: March 16th 1993 (Volker Söhnitz).
Virus can copy to drive(s): Current floppy drive (A or B).
Virus attaches itself to: Hdv_bpb, Vbl_queue, Hdv_rw, Hdv_boot,
Gemdos, Xbios, regularly reset-resistant AND undocumented reset-
resistant.
Disks can be immunized against it: No.
Immunizable with UVK: No.
What can happen, and when: 1) It can delete specific files when
these are loaded by the user. These files are 'SAGROTAN', 'MDISK',
'FCOPYIII', 'FCOPY3??', 'DISKUS', 'DISKDEMO', 'TED_???' and
'G_COPY', 2) It can clear partition "C" of your hard disk when the
virus in memory discovers that you are trying to trace it (trace
bit set, for example in a debugger), 3) It can create garbage on
your screen, 4) Keyboard, mouse and joystick can be disabled, 5)
Mouse movements can be inverted (like with the "Ghost Virus"), 6)
Printer output can be corrupted, 7) Modem output can be corrupted,
8) A bomb error can be created, 9) The system can be frozen until
you enter the password "Apokalypse", 10) Memory can be cleared,
followed by a reset, 11) The first hundred sectors of a floppy
disk can be cleared, and 12) It can delete a folder. These are
quite an amount of things that can go wrong!
Resetproof: Yes.
Can copy to harddisk: No.
Remarks: This virus also codes itself and also fakes to be an MS-
DOS disk (just like the Zorro Virus). On top of that it uses an
ingenious system where bits of its code are swapped around and
where different bootsector offsets are used to make things extra
difficult. Even when not yet coded, there are at least 10
different versions that this virus can generate of itself. With
coding added, over 650,000 versions of this virus can exist. But
that's not everything: The bootsector that was on the disk before
it got infected (e.g. a virus free disk) is stored somewhere else
and executed after the virus installs itself. This means that the
message "this is a virus free disk" will STILL appear even after
the disk has been infected! It is a very complex virus that, apart
from the bootsector, uses four other sectors on disk that are
marked BAD in the FAT to make sure they're not overwritten. The
use of these four extra sectors enable the virus to be bigger
(hence the many different destruction routines) and also allow it
to buffer the original bootsector previously present on the disk.
The last naughty bit about this virus is that, when it bends
system variables, it supplies regular XBRA ID codes of popular
harmless applications to itself (for example HABO, VREP, VIRA,
CB2K, SBTS and WINZ). The "Ultimate Virus Killer" correctly
recognizes it anyway!
This is without a doubt the most nasty virus yet. It was written
by a student from Beilstein, a town in South Germany (hence its
name). It has only been supplied to specific virus killer
programmers and has so far not actually been spread as such. Let's
hope it will stay that way!
Virus #72
Name: Temporary Madness Virus.
Type: Reset-proof memory-resident bootsector virus.
Discovery date: March 16th 1993 (Volker Söhnitz).
Virus can copy to drive(s): Current floppy drive (A or B).
Virus attaches itself to: Hdv_bpb, undocumented reset-resistant.
Disks can be immunized against it: No.
Immunizable with UVK: No.
What can happen, and when: Every 65536 vertical blanks (on colour
that means about every 22 minutes) the mouse movement is inverted
for about 10 seconds.
Resetproof: Yes.
Can copy to harddisk: No.
Remark: In Germany, this virus is known as the "Mouse Coordinate"
virus.
Virus #73
Name: Darkness Virus (Nightmare of Brooklyn #2 'Darkness').
Type: Reset-proof memory-resident bootsector virus.
Discovery date: July 17th 1993 (Piotr Kowalczyk).
Virus can copy to drive(s): Current floppy drive (A or B).
Virus attaches itself to: Hdv_bpb, undocumented reset-resistant,
resvector, vbl_queue.
Disks can be immunized against it: No.
Immunizable with UVK: No.
What can happen: It can write garbage on the first 9 sectors of a
random track between 1 and 79. The first of those sectors will
then contain the text between quotes mentioned above with 'Name'.
Additionally, the virus can screen black.
When does that happen: The disk track garbage writing happens every
other 8 copies that it writes of itself. The screen blackening
happens every 32768 vertical blanks (i.e. after about 11 minutes
on colour monitors, about 7.5 minutes on monochrome).
Resetproof: Yes.
Can copy to harddisk: No.
Remark: First discovered in Poland. This virus uses an intricate
coding method which, like other recent viruses, allows it to
create hundreds of differently recognizable versions of itself.
Virus #74
Name: Small Virus.
Type: Memory-resident bootsector virus.
Discovery date: Autumn 1993 (Chris Brookes).
Virus can copy to drive(s): Current floppy drive (A or B).
Virus attaches itself to: Hdv_bpb.
Disks can be immunized against it: No.
Immunizable with UVK: No.
What can happen: Nothing harmful actually. It has no destruction
routine nor a trigger routine.
When does that happen: Never.
Resetproof: No.
Can copy to harddisk: No.
Remark: Named after the fact that it is very small, less than half
the bootsector size. Only copies itself. Nothing else.
Virus #75
Name: Ghost Virus J.
Type: Reset-proof memory-resident bootsector virus.
Discovery date: Autumn 1993 (ORQ Computer Group).
Virus can copy to drive(s): Current floppy drive (A or B).
Virus attaches itself to: Hdv_bpb and resvector; it is also non-
documented reset-resistant.
Disks can be immunized against it: No.
Immunizable with UVK: No.
What can happen: Most likely nothing. It is changed (or has
mutated) so that it manipulated a wrong memory value. The mouse
pointer Y direction is NOT inverted.
When does that happen: After copying itself 10 times.
Resetproof: Yes.
Can copy to harddisk: No.
Remark: It is almost identical to "Ghost Virus A", much more than
the other variants. It was discovered in Australia, and also known
as "Silent Virus".
Virus #76
Name: Zorro Virus C.
Type: Reset-proof memory-resident bootsector virus.
Discovery date: November 2nd 1993 (Piotr Kowalczyk).
Virus can copy to drive(s): Current floppy drive (A or B).
Virus attaches itself to: Hdv_rw, Hdv_bpb, resvector and also
undocumented reset-resistant.
Disks can be immunized against it: No.
Immunizable with UVK: No.
What can happen: System will lock itself.
When does that happen: After a specific number of copies are made.
Resetproof: Yes.
Can copy to harddisk: No.
Remark: Although it does almost exactly the same as Zorro Virus A,
it is much more different from it than Zorro Virus B. For starters
all its individual routines are interchanged, causing the uncoded
virus start to be quite different too. It also installs itself on
a different location in memory. This virus is believed to have
been done in Poland, which seems to indicate that all Zorro
viruses were coded there. It also goes by the name of "Wredniak"
(which is Polish for "Nasty Virus").
LINK VIRUSES
Virus #1
Name: Milzbrand.
Type: Non-resident non-overwriting link virus.
Discovery date: Spring 1988 (Wim Nottroth).
Symptoms: When the date stamp is set to 1987, it clears track 0 of
your floppy disk, destroying all FAT data and filling the
bootsector with a message "Dies ist ein Virus!" ("This is a
virus!"). Symptoms can vary because the virus was offered as a,
fully documented, type-in-listing (!) in the German mag "Computer
& Technik" and the reader could easily adapt the routines
himself.
Remark: This virus was written by Eckhard Krabel, who lives in
Berlin, Germany. The editorial address of C'T Magazine is Verlag
Heinz Heise GmbH, Helstorfer Str. 7, Postfach 61 04 07, D-3000
Hannover 61, West Germany. Telephone (Germany) (0)511/5352-0. It's
also called "Anthrax Virus" (which is English for the original
name in German).
Virus #2
Name: Virus Construction Set Part II.
Type: Non-resident non-overwriting link virus.
Discovery date: September 4th 1988 (Frank Lemmen).
Symptoms: These vary from the message "You have ten seconds to find
out how to prevent a reset" (after which a countdown follows and
a reset) to routines that can be written by the user himself -
the "Virus Construction Set" is a programme with which the user
can create his own viruses! Symptoms are therefore without limit!
Remark: The "Virus Construction Set Part II" was published by GFE
R. Becker KG, Königsteiner Str. 76, D-6232 Bad Soden am Taunus,
West Germany. It used to be for sale at 80 German Marks, but isn't
any more.
Virus #3
Name: Uluru.
Type: Memory-resident non-overwriting link virus.
Discovery date: November 1988.
Symptoms: Installs itself in memory but is not reset-resistant. It
infects every programme that will be started once an infected
programme has caused it to be installed, and only does this on
drive A or B, and on files that are at least 10,000 bytes in size.
After a certain time, it writes a dummy text file on disk when
infecting a file. This text file contains the sentence 'MAD
Zimmermann will be watching you'.
Remark: Also called "Mad Zimmermann Virus", for obvious reasons.
Virus #4
Name: Papa & Garfield.
Type: Memory-resistant reset-proof non-overwriting link virus.
Discovery date: November 1988.
Symptoms: This is a reset-proof virus, that installs itself in
memory when an infected programme is loaded. After that, every
other programme that is loaded into memory is infected. It can be
recognized by a flashing pixel in the left top corner of the
screen and the message "Garfield and Papa was here", preceded by
a bleep sound.
Remark: Probably only works on one megabyte machines (or higher)
since it uses the absolute screen address $F8000.
Virus #5
Name: Crash.
Type: Memory-resident reset-proof non-overwriting link virus.
Discovery Date: March 20th 1989 (Claus-Peter Moeller).
Symptoms: A reset-proof virus, that also installs itself in your
system and then infects every programme you load in afterwards. Is
only active on the current drive, but can copy itself into any
folder. It can even infect files that have been immunized with the
"Ultimate Virus Killer".
Remark: Probably programmed in Switzerland.
ANTI-VIRUSES
An Anti-virus is a small programme that works just like a virus,
but that doesn't format your disk, clear FAT sectors, lock up the
system or do anything of the kind. Instead of doing evil things, it
e.g. warns you when it finds an executable disk in the drive (it
can then for example start bleeping and flashing). This is a good
way to find out if a disk has an executable bootsector or not
(which does not mean that it has or hasn't a virus!). For First Aid
help, anti-viruses are quite neat. They also copy themselves to
other disks (not to hard disk), except when these already contain
an executable bootsector (in which case they warn you).
Anti-virus #1
Name: AntiVirus.
Remark: There are sixteen different versions of this AntiVirus,
which were all written by Helmut Neunkirchen. The following table
includes them all. They are all recognized by the UVK, and the
English versions of 5.1 can be written using the 'REPAIR DISK'
option. The texts vary slightly and are not specified here. None
of them copy to hard disk, and none of them are reset-proof.
* Version 3.0GB
Discovery date: August 8th 1988.
Written on May 3rd 1988.
Symptoms: On system boot-up, a message appears on your screen:
"This Anti-virus beeps and flashes if the actual bootsector is
executable then that might be a virus! Remove this Anti-virus by
reset!" It multiplies itself to other, non-executable floppy
disks.
* Version 3.0NL
Remark: This was a simple translation job by yours truly.
* Version 4.0
Written on August 21st 1988.
* Version 4.1
Written on September 21st 1988.
Remark: Also recognizes IBM disks on which it does not copy
itself.
* Version 4.2
Written on September 21st 1988.
Remark: A version of 4.2 that does not copy itself to other disks.
* Version 4.5
Written on October 18th 1988.
Remark: There are German and English versions of this AntiVirus.
* Version 4.6
Written on October 18th 1988.
Remark: A version of 4.5 that does not copy itself to other disks.
* Version 4.8
Written on December 5th 1988.
Remark: Uses XBRA structures, completely reprogrammed.
* Version 4.10
Written on May 19th 1989.
Remark: Calls itself 'VirusLähmer'.
* Version 4.11
Written on June 24th 1989.
Remark: A version of 4.10 that does not copy itself to other
disks.
* Version 5.0
Written on May 12th 1989.
Remark: This was a version released by mistake, and actually older
than 4.11.
* Version 5.1
Written on April 23rd 1990.
Remark: There are cloning and non-cloning versions of this
AntiVirus, each in in a German and an English version. Recognizes
mutation, and recognizes disks that are immunized using the UVK.
* Version 5.2
Written on ?
Remark: Helmut has in the mean time stopped developing the
AntiVirus.
Anti-virus #2
Name: Antivirus #2.
Discovery date: September 10th 1988.
Symptoms: On system boot-up, a message appears on your screen at
the top line: "ANTI-VIRUS". It multiplies itself to other non-
executable disks, except when it's already present on them. When
an executable bootsector is found, it inverts all colours and
bleeps.
Anti-virus #3
Name: Antivirus User V1.4.
Discovery date: May 30th 1989 (Carmen Brunner).
Symptoms: Installs itself in memory and warns you when it finds
certain disks: RED = Virus 1 (Signum Virus), PURPLE = Virus 2 (Mad
Virus), BLUE = Bootsector, WHITE = Nothing. It multiplies itself
to WHITE disks on drive A only. Its virus recognition is very
bad, and many other disks are also suspected of being RED or
PURPLE - including perfectly harmless ones.
Remark: Written by someone called Le Fele.
Anti-virus #4
Name: Antivirus #4.
Discovery date: June 28th 1989 (Wim Maarse).
Symptoms: This antivirus is reset-proof. It probably only works on
German Blitter TOS (TOS 1.02 version from 22.04.87), since it uses
an absolute ROM jump address to the Get_BPB routine of that TOS.
It copies to other disks.
Anti-virus #5
Name: Terminator V1.0.
Discovery date: March 1990.
Symptoms: Does not copy itself, and is reset-proof. Automatically
checks disks for executable bootsectors, and checks memory for
resident programmes.
Remark: Written by Claus-Georg Frein for a commercial copy
programme called "Turbobooster".
Anti-virus #6
Name: Pashley Antivirus.
Discovery date: January 18th 1990 (Terry Simmons).
Symptoms: Copies itself to other disks, and will flash the screen
and beep when an executable bootsector is found.
Remark: Written by Simeon Pashley.
Anti-virus #7
Name: Powell Antivirus.
Discovery date: July 30th 1989 (George Woodside).
Symptoms: Does not copy itself to other disks. Will bleep and
flash the screen when an executable bootsector is found.
Remark: Written by virus killer programmer Mark S. Powell.
Anti-virus #8
Name: The Killer V2.0.
Discovery date: March 18th 1990 (George Woodside).
Symptoms: Does not copy itself. Gives out messages in French when
executable bootsector is found.
Remark: Written by Emmanuel Collignon/Omikron France.
Anti-virus #9
Name: VKill Guard.
Discovery date: May 14th 1990.
Symptoms: Does not copy itself, yet installs itself in memory and
flashes and beeps when executable bootsectors are found. Its sign-
on message is 'This Guard remains active until reset. If it
detects an executable bootsector, it will beep and flash the
screen.'
Remark: Written by George Woodside for his programme "VKill".
Anti-virus #10
Name: New Order Antivirus 1.02.
Discovery date: May 22nd 1990 (Glenn Robison).
Symptoms: Prints message and locks up the computer when a virus is
found to bend a bector. It checks the following vectors: Hdv_init,
Hdv_bpb, Hdv_rw, Hdv_boot, Hdv_mediach, BIOS and XBIOS.
Anti-virus #11
Name: Floppyshop Antivirus.
Disovery date: April 29th 1990 (Kevin Brown).
Symptoms: Beeps and flashes the screen when an executable
bootsector is found that doesn't contain itself. Doesn't multiply.
Anti-virus #12
Name: Protector II Antivirus.
Anti-virus #13
Name: Incoder Antivirus.
Discovery date: July 1990.
Symptoms: Checks the bootsector for the occurrence of the Hdv_bpb
address ($472). Checks if Hdv_bpb points at $FCxxxx or not (will
therefore imply something is wrong when you work on an STE, ST
Book or when you use a hard disk). If things are wrong, it colours
the screen and locks the system. If things are OK it will print
"The Incoders - safe boot" and flash one colour.
Anti-virus #14
Name: Auntie-Virus.
Discovery date: Summer 1990 (David Heiland).
Symptoms: Same as Anti-virus #1. Only the texts have been changed.
Remark: Probably made in England.
Anti-virus #15
Name: Shadow Antivirus.
Discovery date: July 1990.
Symptoms: Checks the system for reset-resistant programmes in
memory on boot-up. Not resident, does not copy itself.
Remark: Written by the Shadow of the Dynamic Duo, England.
Anti-virus #16
Name: Fury Antivirus.
Discovery date: August 24th 1990.
Symptoms: Same at Antivirus #13, of which it is an adapted
version.
Remark: Made by Fury of Legacy (ex-Replicants).
Anti-virus #17
Name: Unicorn Anti-Virus-Reset Antivirus.
Discovery date: December 11th 1990.
Symptoms: It is a resident programme that will clear all reset
vectors upon reset.
Remark: Probably written in Holland.
Anti-virus #18
Name: Zarko Berberski Antivirus.
Discovery date: Unknown (Mike Mee).
Symptoms: There are two different versions of this. One copies
itself and one doesn't. They both have the additional ability to
wait 'x' seconds until the hard disk has finished booting.
Remark: Written by Zarko Berberski from what used to be
Jugoslavia.
Anti-virus #19
Name: Odie Antivirus.
Discovery date: Unknown (Mike Mee).
Symptoms: Puts a picture of Odie (dog character in Garfield
cartoons) on the screen. Is resident, and checks for executable
disks. It will copy itself on non-executable disks, and it will
warn when it finds an executable disk that does not have itself on
it (the screen is turned red).
Remark: Uses the XBRA protocol.
Anti-virus #20
Name: TDT 4.0 Antighost.
Discovery date: June 1992.
Symptoms: Is a resident antivirus that copies itself across a
bootsector that it finds the Ghost virus on.
Remark: Written by Altair in France.
Anti-virus #21
Name: Caledonia Exorcist 2.0.
Discovery date: December 1992.
Symptoms: At startup it will put the message "Caledonia Exorcist
2.0" on the screen. Whenever an executable bootsector is found
during it being resident in memory, it will warn you. At any time
you can press ALT-HELP to have this antivirus install itself on
the current disk. It will not copy itself without you wanting it
to.
Remark: Written for/by the Caledonia PD library. The copy routine
crashes on my system. Not to be confused with some virus free
disks of the same name made by some French hackers.
Anti-virus #22
Name: Agrajag Boot 2.
Discovery date: July 1993.
Symptoms: At startup it will put the message "AGRABOOT 2" on the
screen. Whenever an executable bootsector is found while it is
present in memory, the screen will flash. It will flash RED when
such a bootsector is suspicious. Upon starting it will also find
reset-proof programs and the like. It will not copy itself to any
other disks of its own accord.
Remark: Written by Michael James from Glasgow, autumn 1992. Quite a
good Anti-virus actually.