DOS/V Power Report 2001 January

home *** CD-ROM | disk | FTP | other *** search

/ DOS/V Power Report 2001 January / VPR0101A.BIN / ANTI_VIR / NAV2001_2000 / navtrnt2k.exe / VirusDef / VIRSCAN.INF < prev next >

Wrap

INI File | 2000-07-13 | 355KB | 66 lines

The Norton AntiVirus Information File Copyright Symantec Corp. 1993-98 All Rights Reserved Version #9609 ﾘt====================================================uｰ-'ﾓyﾓyﾓy&4&47Y ｴｴ5Uu>e･･ﾎ' ' C ｢ hｰｰﾑﾑﾅﾛu00aaaaaaaaｳｳｳ(B__{ｮﾍﾍ, e e ｮｮｮｮｮﾇﾚ !R!r!!!"O"O"a"a"t""##5#5#5#5#5#5#5#5#5#5#5#5#5#5#5#K#$,$R$｡$s$s$｡$｡$｡$｡$｡$｡$｡$ﾉ$ﾉ$ﾉ$$%%.%5%G%k%%/&/&L&[&[&[&&''E''ｶ''J(~(((ﾑ((())O)O)O)O)f)t)')')+*D*D*l*l************ﾇ**+++G+]+]+]+,?,?,?,?,?,?,?,+++ｯ+ｯ+ｯ+ｯ+ｯ+ｯ+ｯ+ｯ+ｯ+ｯ+ｯ+ｯ+++ﾏ+ﾏ+ﾏ+ﾏ+++++++++++,,,,, ----<-h--,.,.ｦ.ｦ.ｦ.ｦ.. /r/r///ｯ////////ﾋ/ﾋ//// 0^0^0~0~0ｩ0ｩ0ｩ0ｩ0ｩ0ｩ0ｩ0ｩ0ｩ0/1p1p1p1p1p1ｽ11122 3ﾓ2211L蛩3}3}3}3ｼ3ﾒ3ﾒ33334G4i4黏黏4 5 5*55556E677*7*7*7*7*77ｼ7ｼ7ｼ7788ｱ8ｱ8ｱ8ﾅ8ﾚ8899+9+9:B9B9B9i9i9i9i9i9ｨ9ｼ9{:ｨ:ｨ:ｨ:"ﾇ:ﾇ:ﾇ:ﾇ:ﾇ:;;;D;l;l;l;l;;;ｿ;D<D<D<D<D<"=?=f==!>c>c>c>c>c>c>)>>ﾁ>ﾁ>"?3?j?ｸ??,@6@6@6@6@H@｡@ﾋ@%D%D%DAAABQBsBﾊBCCCC5C5CNCeC{C櫃ﾉCEE~E~E~E~E~E｢E｢E｢E｢E｢E｢E｢E｢E蹙FF$F$F$F$F$F$F$F$F$FEFEFEF彦彦彦彦彦彦彦彦彦鵰鵰HHH9HUHpHwHwHIIII0IｵIｵI瓷瓷瓷瓷 J J4J4JNJGKZKZKZK}K｡K｡KﾚKﾚKﾚKﾚKﾚKLLLLL/L/L/L/L/L/L/L/L/L/L/L/L/L/L/L/L/L/L/L/L/L/L^L^L^L^L^L^L^L^L^L^L^L^L^L^L/L/L/L/L/L/L/L/L/L/L/L/LnLnLnLnLnLnL/L/L/L/L/L/L/L/L/L/L/L/L/L/L/L/L/L/L/L/L/L/L/L/L/L/L/L/L/L/L/L/LL&&&&&&&&&&&&&&&&&&&&&&LLLLLLLLLLL朖朖朖朖朖LLLLLLLLLLLLLLLLLLﾌLﾌLLLLLLLLMMLLLLLLCMkMkMkMkMkMkMｨMｨMﾆMﾆMﾆMLLLL膊膊膊膊膊LLN(NCN}NO8OUO飽躇躇P#P#P#P#P`P弃ｭPｭPｭPｭPPﾌPﾌPPPPPPPPPPPP%Q%Q%Q%QIQｱQﾕQ鷁RRRR$R3R>RTRヽヽｰR甁甁RRSS+SXS|S抓抓澳澳澳澳澳澳澳澳澳澳澳澳澳澳澳澳澳澳澳澳澳澳TT"TFTMTMTMTMTMTMT･TｵTｵT覽覽覽覽覽覽vUvU散俵甼V$VlVｧVWWWNWaW{W｣W｣W｣WｱWｸWﾈWﾈWﾈWﾈWﾈWﾈWﾈWﾈWﾈWﾈWWX5X5XoXoX｣XｭXｿXｿXｿX濆偀偀偀Y0YKYZZZZZZZZZZ1Z=ZdZdZdZ技抻ｭZｿZﾕZ[$[_[ゼゼﾜ[ﾜ[ﾜ[ﾜ[ﾜ[犱 \ \ \:\:\ｩ\ｩ\ｽ\ｽ\ｽ\ｽ\ｽ\ｽ\ｽ\ｽ\ｽ\ｽ\ｽ\ｽ\ｽ\ｽ\ｽ\ｽ\?]h]脳ｽ]ｽ]ｽ]ｽ]ｽ]ｽ]ｽ]ｽ]ｽ]ｽ]ｽ]ｽ]ｽ]ｽ]ｽ]ｽ]ｽ]ｽ]ｽ]ｽ]ｽ]ｽ]ｽ]ｽ]ｽ]ｽ]ﾘ]ｽ]ｽ]ｽ]饐饐^=^ﾌ^ﾌ^ﾝ^(_(_(_:_K_K_兩兩ｵ_ﾐ_ﾝ_ﾝ_ﾝ_ﾝ_ﾝ_ﾝ_ﾝ_ﾝ_ﾝ_`6`6`6`6`6`6`6`6``````````ｫ`ｫ`ｫ`aaaaaaaaa%aFaca彗彗ｶaｶaﾃaﾒa藺藺a+b+bZb}b}b獣]czc喞喞喞ｫcｫcｫcｫcｫcｫcｻcｻcｻcｻcｻcｻccc)dCdZdZdsd‘‘‘‘‘‘Af鞠fｯfｯfｯfｯfｯfｯfｯfｯfｯfｯfｯfｯfｯfｯfｯfｯfｯfｯfｯfｯfｯfｯfｯfｯfｯfｯfｯfｯfｯfｯfｯfｯfｯfｯf瀁gg=gDgwgwgwgwgwgwgwg組枠ｱg馮馮馮馮馮 h h h<hThghuh紘ﾄhﾔhi5i5i5i{i{i{i{i彿彿ｼi詈jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj_jqｨqｺqｺqrr.r.r^r^rssDs^s5t?tot|tｷtﾃtﾃtﾃtﾊtﾊtRucuｹuｹuﾕuxaﾜu黏黏黏黏黏黏黏黏黏vvavavavavＷＷＷＷＷＷＷﾇvﾔvﾔv縋wwww?w?wgwuw毆ﾌwﾓwﾓwﾓwﾓwﾓwﾓwﾓw縢縢縢縢x^x警警警｢xﾂxﾙx1yoyyｵyz7zDzTzTzTzTzzｵz{{{{{{G{b{$BBBBｬﾐﾐ4PPPvv摩ｱｱｱｱｱｱﾌﾌﾌﾌﾌﾌﾌﾌﾌ【【【【※※∈れｋｋがのゑゑゑゑクドュュ.666ш}66666666ЁЁЁЁЁЁЁЭь┷┷┷┷┷┷┷ﾘﾘ Ysss遵遵遵ｳ*^^lｆ｡ｬｬｬｬﾆﾓ瘋㌣㈹㈹㈹㈹㈹㈹㈹ｶﾚ奣奣奣gyyyyyy宙宙宙宙宙宙宙宙宙宙宙宙宙宙宙宙宙宙宙宙宙ｺ絢伊伊伊伊伊韻云云艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶艶俺俺俺俺俺俺俺俺俺俺俺艶歌歌歌歌歌歌歌歌歌歌歌歌歌歌歌歌歌歌歌歌歌歌峨廻廻0外外寄 $+++++:犠犠丘亨欣.結拳拳拳拳拳拳拳拳拳拳拳拳拳拳拳拳拳拳拳拳拳拳拳拳拳拳拳拳拳拳拳拳拳拳拳拳拳拳拳後後%ﾖ9ﾖ\ﾖrﾖω曼ｴﾖﾝﾖﾝﾖﾝﾖﾝﾖﾝﾖﾝﾖﾝﾖﾝﾖﾝﾖﾗﾗﾗﾗ;ﾗPﾗPﾗdﾗｧﾗﾊﾗﾊﾗﾊﾗﾊﾗﾊﾗﾊﾗﾊﾗﾊﾗﾊﾗﾊﾗﾊﾗﾊﾗﾊﾗﾊﾗﾊﾗﾊﾗﾊﾗﾊﾗﾊﾗﾊﾗﾊﾗﾊﾗﾊﾗﾊﾗﾊﾗﾊﾗﾊﾗﾊﾗﾊﾗﾊﾗﾊﾗﾊﾗﾊﾗﾊﾗﾊﾗﾊﾗﾊﾗﾊﾗﾊﾗﾊﾗﾊﾗﾘDﾘYﾘYﾘYﾘvﾘvﾘvﾘﾘﾕﾘﾕﾘ靼ﾙVﾙVﾙVﾙVﾙVﾙVﾙVﾙ{ﾙ異#Pddﾔ･ﾀ{4"}#>/Z/ﾚ0ﾚ03ﾑ{8&i9ﾘ9*{ﾌE&ｬﾙ顥ﾚﾚMT|FﾚfﾚxﾚP|Z/詳ｩﾚﾝﾚﾚﾛ>ﾛ||Xﾛvﾛ｢ﾛ錞[[[[[>/ 黏<ﾅ8')w w ++,,NC｢Ew+wwww ｬ(++,>/[[[[[?w貸"6r蚪{&鮏|ｲﾟOﾜﾂ|ﾔ|"6"6"6"6ｯﾜ&ｴ{ｴ{Fﾝ]ﾝ:貸蛞ﾃﾝﾖﾝｦ!9杰ｲﾟｬﾙ>ﾛ.}bﾊ}ｪ{Oﾜﾖﾜ|ｿj/jjjjjjjjwjj'|+nLnL$[馮馮H@H@H@ｽ]宙#w,c>ww?ｻc縋kMwh-$FLD -i9,?yｻcｿ;wDﾘ??w[,ｦ:w=?ｩ0wｰ1::｡<ｼ3X宙L蜈22tFtFtF6`五ｻc五%%ｶ {:{:{:{:靴ﾝﾝｱｱﾝaﾞ謹+ﾞ~ﾞ<-滿類;ﾞO3O3ﾘｳ}州.}.}.}.}.}.}ｽ\ｽ\ｽ\ｽ\ｽ\ ｽ\ｽ\ｽ\ Ｖｽ\ｽ\ ｽ\ｽ\ｽ\ｽ\ｽ\ｽ\ｽ\ｽ\ｽ\X;q･ﾛ0ﾃ*Vｸ7ｾ![ﾝﾝK{Pｱｬｦ9ｧ}3?,?,?,B9|+|+|+ｼE'c>f@.r?E'>>>>｢EﾜＶＶＶＶＶＶＶＶＶＶＶw11熏11|+|+1>ｲe瀑瀑瀑瀑瀑伶ｫｴ&勲83ｼ3jDc>#(ﾁtF?,翠翠翠g宙翠翠翠翠翠翠翠翠翠e炸ﾀﾀ!!8;疔疔甎癘:j瘠jｯfzcﾀ瓲'??/L #W#''11}3;7ﾎﾞN､Kﾟﾟﾟﾟ9ﾟcﾟ凩｣}sﾟ已･ﾟP?UﾟUﾟ1C<?,Yeや鯛壺ｪ筱笘?5#ﾈ[&;:'ﾎ)"}ﾅ#裘裘裘}T5##ｱ.ｱ.1絮P|､?]?]]ﾏE'ﾎ)ﾎ)++ﾁ>?,｡@｡@|+444&4&424ｼ3ｦ.'E''>>jjjjjjj/ ~ｰ~j√上}}}}}}}}}ﾒ3-xUx yotot}ototototot}}ﾆ`}技Tz{{/&/&8I $%罌ｺﾈ_~ｰｰ##LL6"65#W#>ｼ3U2膓ゥゥゥﾁ~ﾁ~GDp舊舊艫DC~僴ﾏ蓖Cﾞ~B)B)B)B)B)B)\'\'ﾜ葆臀'\'8}31'*ｴｴ1A h5|+E6:>>>>LLLu>>CCeCF>?,<-#ﾚ06a1,.,.E'jD ｰ##( _ 0 0｡$ ||5#>>>ﾎ)ｽ1<--+p&p&p&p&p&p&p&p&p&+jD5C5C}3;: /"jDﾎ"茶eﾇ-廷R塚,_kv｡<#ﾈ衒#E#E韃韃(-[咲﨓[[[T餤餤T餤餤55琺｣琺}8U皜絈 ｦ Y}ﾅ5W(W(智智匁G.黎1摠;釦釦釦i<%D吩吩吩_k鸙c.ﾂ'sj0j鷭硤r ﾇtFw_k_kﾌﾌﾌe ｦﾟqﾌq_k_k;VﾘoｰOｱﾖ笠eef\[}[}ﾂｹ%_k_k]\6>Y^ﾁ6@UU&\Dvﾟ`l@o\6lAKl==ﾒ=>Re ｽcJ>ﾌdﾉ? LｩkBkBkBkBkBkBkBkBkｹUAUAAAﾙ#ﾃkﾟｴ&rｴﾔﾋﾍe］*ﾂZEt｢琺UﾉﾔPｱﾁｯ籠R戟ﾇ&ﾈ屬走崧nnﾝｴﾝｴ走nnﾁ｡走ﾁ｡ﾁ｡鬩ﾁｯnｪｳﾍｳ崧籠籠3333nﾅｨﾍｳ走走走3ﾁｯﾝｴ3ｬ凵ﾇ3ﾟ凵ﾇ走崧崧崧ﾁｯ走3ﾇ3ﾇ3ﾇ3ﾇ3ﾇ3ﾇ3ﾇ3ﾇ3ﾇ3ﾇ3ﾇﾍｳ走3ﾝｴ籠ｬ凵ﾇ走3Iｵﾟ凵ﾇ3 9ｧ3nｬｦPｱ軈軈軈軈軈軈軈軈軈軈軈軈軈軈軈軈軈軈ｼﾞｼﾞｼﾞ.}/[7[7[7[7[7ｪ)+N:+**ﾝ*ﾝ｣裘ﾝｮKtndｩ籠籖2Bﾁｯ崧Uﾉ3T籠籠籠nﾂｧ走ﾈ驕ﾇ籠崧nｦﾜﾝｴ籠走升f｡n籠籠籠n3ﾂ香ﾇ>,.?ｰC>>>>>>>>>>>`Oｦ.ｦ.jDjDjDjDjDjDjDjDjDjDjDjDjDｼ7&ﾏO3 jD$F ･'6ｰa"I｣#｣#｣#9ｧｬｦPｱ晁ﾌﾇ鸚k_k_k_k_k_k_k_k_kｦAyuT^JRY圭<ｵ2ﾏΦ-ｯDﾌAｬA2ｶ賢賢:dｯｫ%eﾍｦﾛ7e ?U糯璧F]ﾖ橈rｮ艇ｸU璧璧穿tｭｭ胯ｭｭbN-\i槙烙烙娉娉･cﾋ歟bﾃbﾃbﾓbﾃbﾃbﾓb~痿痿'c晁ﾎ" a ﾎ -LcﾃﾕﾖjQ2b"@@_ksﾃ廐ﾜｱﾕﾂｹｹﾕﾕSS7ﾃRｨbｬ5侔@oｹｹｹｹa:瀅ｰe,ﾃe,ﾓR_ﾓRN[xV#:@oﾒKZ|Z2・ﾕﾕl誾ｶ9-0ｹ4PgPgPgPg??????*2\6@oBkBkuLｩﾓｿ､ｸs孕ﾛBﾌA裘ﾘ･･ﾈOｸﾜlg8俘,徇Rn}mbmvG0ｮJp^㎝aｨ卿教ｳﾉJKKKpﾊ涇ｴ託ｬｹSIｻnﾊ'ozﾐ<mｰgUｲｭ.eﾗYﾗYｧQｧQ3ｱeff#8N菱]l､|ｺp縣qP8+8zUﾆ蹈{n奣溟周ｿoxnf蓐_kｰ[k<TGox.}ｬ{{/0c>c>c>c>c>jD,E'~(~(ｯ+?, d5;7ｰjD裘｡$ｼ7uｼ7;7jDｯ+｡$C#j?>ｼ7ｼ7ｼ7ｼ7ｰ/&CxPﾟ?75#P? ｢E/&R!R!R!-'ｼ7K_K_K_L&L& ｢E:ｼ3c>((ｰｹ+i9i9,:"++ >>ujDｰW#44444c>c>>>>>>>>>>>K_<-P ﾚzｾwwpJ%鏸kﾗ7嫐E!%ﾖ繰'G<fhis Worm uses Ou"ook to send itself tThis is a trojan horse that creates a network security hole unto your system. It needs to be deleted.h鮏甁Rｳ訒_kf｡Pｱﾄ｣Gｰθｱﾁｯﾘ澈ｲ翰PｱPｱ3走nn走走ﾄ｣些ｨ&vｼｴｬﾁｯｲ斡斡些ﾎｼ羹rｰPｱ些走ﾟ&氏ﾇ羹ｰﾟ走些nﾂ歳ｼﾎｼｰﾄ｣羹nﾄ｣Uﾉnnnｰｰﾟ听听听听3羹羹ｨ/0ｨﾟ听听听听听冢ｰ些Sｧvｼθuｯﾟ听3ﾟ听听ｰｰｷｩｨｦｰｨ&釈听3nｱｱｱｱｱｱﾝｴﾝｴﾝｴ羹ｷｩﾎｼWﾇｰｨﾂﾟ听听听听3nﾁｯﾝｴﾝｴﾝｴﾝｴﾝｴｲ鈊ﾓｪ皋ｷｩY､ﾝｴ33ﾟｿｫ遶ﾟ听卍在ｴﾝｴ走3種ｱGｰ&走走走走走走走33333333ﾟ冢9ｦ愷ﾝｴｲﾝｴ羹ﾟｲﾝｴvｼﾝｴｰ/ﾁﾁｯﾁｯﾟ听/ﾁﾟ!ｳﾟ/ﾁﾟ/ﾁﾁｯGｰ/ﾁ/ﾁﾄ｣ﾝｴ/ﾁGｰﾟ劍ｱｱｱｱｱｱｱ走走nnnnﾃVﾆgnVI桑走走走走33nﾂｧ鬩cｯﾁｯｰｰIｲﾎｼ^ﾇ走ﾝｴ走3nﾁｯﾟ剔桝ﾁｯﾁｯﾝｴﾝｴﾟｱｱ走ﾝｴ33Pｱ/ﾁ3ﾝｴﾝｴﾍｳ/ﾁﾝｴ/ﾁﾟ听听听凵ﾇ3ﾁｯ3ﾝｴﾝｴﾝｴﾝｴ走ｨ3鬩n崧ﾂｧﾒ｢[ﾋ走/ﾁnnn'ﾅﾁｯﾟ走走ﾝｴﾝｴn走ﾝｴﾂ債国3走ﾝｴﾝｴﾁｯ/ﾁ33f｡走3ﾟ听/ﾁﾝｴ走33ｰnnｱ3走ﾁｯUﾉｱﾓｪ3ﾝｴﾁｯｱnnﾓｪ籠ﾝｴ走ﾝｴﾝｴﾝｴﾝｴﾓｪGｰﾟ吽ｴ羹/ﾁﾍｳ33ﾟｱｱｱｱｱｱｱｱｱｱﾝｴｱﾝｴ｣團走nｰｰｰ走ｪｳﾍｳﾂﾝｴｪｳﾍｳ3患/ﾁﾓｪﾝｴﾝｴ33走333ﾝｴﾝｴｧｧｧ33ﾓｪﾝｴ33ｷｩﾓｪ{ｻ走3n籠ｱ33ｱｿｫYｰnｪｳﾍｳnﾝｴ33nﾝｴﾝｴ33走3走崧ﾝｴｼﾝｴｲｱﾍｳｿｫﾝｴﾝｴﾝｴﾝｴﾝｴﾝｴﾝｴﾝｴ33ﾎｼｷｴﾝｴｱﾁｯﾁｯﾁｯ3n走ﾝｴ3ﾟ走ﾝｴﾝｴﾟnﾁｯ崧ﾝｴﾝｴ3KK/致ﾄ｣ｰｰｰｰｰｰｰｱｱPｱｷｴ羹ｨﾎｼhﾌﾁｯｨｨｯｨｨｨﾟ听听听ﾎｼﾍ寂ﾄﾎｼﾁｯﾌ籠1ﾍﾇｴﾍ氏ﾇｦｰn堽vｼ`ｪ`ｪﾎｼﾂｧﾂｧﾛﾓ愬ｦｰ斡ｬ勳卉ｯﾁｯﾁｯﾁｯﾁｯﾅﾁPｱDｲ%%}ｱ些些Mnnnnﾟ･ｬｦｧ.ｧぉ奨uｯﾁｯ隸aｴWﾅ走n_k値Uﾉ析翰]Yﾆﾐｰﾒﾅ翰Uﾉp冢ﾟaﾍ値値値値ｴ#ﾎ蠻ﾂｱﾁｯ斡uｰ#ﾎﾖ｢ｯｼ_kﾎ値ﾁｯ値Iﾌﾄf｡愬ｮﾎ6｢}ﾅ翰ﾄｨｼﾆUﾉUﾉ斡翰翰翰?U?UﾁｯﾄﾍﾁｯﾏSﾎ錝ｴ翰値ﾀﾈ=ﾏnﾏﾟ*｡5ｻﾄﾍﾁｯ斡(ﾆ2ﾕZﾁ5ｻ羹ｱﾏ羹#ﾌ斡Wｼﾀﾈ斡Dｼﾁｯｨﾋp6籠~單Uﾉ|ﾟﾏﾎnﾏﾐﾄEﾔaｴﾁｯ=ﾏﾁｯ:oｨｴ緩BﾐｮqHﾟﾐH'値紹 oｨ;fj緩癖Pｱｬｦ9ｦHXｫｬｦjﾁ緩:m 緩ｸ Bﾐｲﾐ:｢]m V ｪ;ﾆn ﾂﾓ L /Pｱ斡@o@oqoｨoZﾁﾘooo*ｫBﾐnﾏ奣5ｴ紹ｷｴ兵ﾒﾐRYzYzYBﾐY卉Iｲcｫ｡咼ﾔoｨ尢eﾐﾅ紹Bﾐ5ｻ斡斡紹5ｻn ﾄ5ｻ~嘸咯+ﾋjﾁｳ-ｳ-ｾﾉ籠Y摠5ｴﾟUﾉ緩ｾﾉ翰ｼﾋ[ﾋ$$$航航ﾁｯ{ｻﾀﾈ5ｻ5ｻ5ｻ粧KﾀYｳｺﾆJWfxｭｷﾒ挧｡摠5ｻ5ｻ!o`$｡嗹ﾀwﾀwﾀｿ謀魂5ｻ5ｻEﾋ^･ｲ･ｱﾕｱﾕﾕqyﾔﾔ8ﾀ8ﾀﾁﾁﾍﾊ淕 Bﾐﾂﾎ問弡FｨNﾁV ､G緩^･ﾈ!^ｰｽrnﾏｲﾐ紹Vﾂ%ﾑ紹紹SﾎeﾐﾔﾕFｨBﾐnﾏ'ﾔ3ｯG哥ﾑFｨ逡恫*ｫ|ﾑ瞋棡dｻｬｱｯﾑﾓﾔｲﾐﾁ惺ｴ3ｯ｡ｦ魂ｦｱﾉ28ﾀwﾀjﾁR彳ﾕｫｻ｡亅ｿ愷ﾒｲﾐｽｿ耗Jｵｸ9ｸqﾂqﾂqｸvｼｱﾕ失ﾏﾇｫｬｱ,ﾉｸ"ｹvｼyｹｰﾀｬｱｫwﾀ凍ﾎ~｣ｬｱqﾂｦﾁｯﾒXｫUﾉ|ﾑ'Nｨ7k｣ｰｰｰﾇｺﾇｺ坎｡噤ﾇﾁ浜ﾁ蔽ﾂyﾔｬﾚﾀH｣9ｸp弡駐ﾁ罰ﾕｪｸｸ･ﾏｸﾁ列ﾐzﾒ&k1ｪｾﾉｾﾉ坎緩%ﾃ緩ﾅｱﾕｱﾕｱﾕ<ｬﾖ懽ｬｭﾓqﾂﾁ篇ﾌ纏ｬqﾂ牀ｮhｮ動ﾉｮ諶s､;･9ｸ|ｲ8ﾀoｨｯﾑ_ﾈｩｼﾖb#ﾊzｽ&ﾓ凌ﾟｹ:ｹﾜ淺迷ｽ9ｸ.ｾ~ｾNｮﾍｾﾗ嗜認ｾﾖ:ｹ9ｸZ覗ｺQ:賭ｵ;9ｸﾌｵﾃYQ[$迩韮矢ｵzQｶ閉ｽ成ﾀﾃｺｻlｪｵO1容ｲﾐEﾆﾄ栃ｨTｶｱ｣ｾ亊ｮ岻､ｻｿ･)ｫ勇ｻzｶﾞｲｻk攜ｳDﾞｲE.歎Toﾇｶｪｴ漸#=ｭqL庄轟攜挂Lﾊ#洫鐘敕絶"ｴｾW`fQ浙販少ｺ愡b昶ｾｻ)ｲ鮓8掫嶼岨棯ｬｪｵd4n椶ｲK檀=盾常竦0ｿ竦ﾌｵL匝荘Dｷfｷﾙｷﾃ｣ｾZｽﾄq府.竦ﾄThis ｰﾒcro virus replicessing "normal.dﾑﾒ It dispwﾓys "TﾆA INFOTECH ONLINThis is a Worm that uses Outlook to send itself to everyone in the Address Book. It copies itself in Windows system directory and into the root directory of all mapped drives as "KIUYCV5.VBS".versions of Word.銧ｩfff菶*的ﾒ4pｵfffｻ9ｸﾐ dﾂ Xｦｱ,b厨n致#(ｳ-ｳ-Sf膊[7 NNNU1,掬ﾖvqﾙFｯFo>o>宙宙ｷラ9lﾞｧa.ﾟﾗﾟﾗﾟﾗﾟﾗ裘;値ﾙﾌG踪Vqﾌm&n^pﾛ挧Q,裘裘裘挧up翠p6ｷYｷYｬWidowmakeFis a twice encrypted polymorphic.le infector. It will randomly destroy your data by copying it' 昱ode over your File Allocation Table and other areas.>ﾁH 沌ｬ軒軒軒xVj哢W･I 7B=ｭｨﾔろi^ﾚ!1111ﾀNo additional information.The virus creates a "companion" .COM file for .EXE programs. DOS chooses to execute COM files where both COM and EXEs exist. Thus the viral file gets executed instead of the expected file. Delete files of this type.This is a little COM virus not really doing much of anything This is a damaged version of the original virus.This is not a virus. It is a program designed to release a virus on your system. You should delete this file.This is a first generation sample of the virus. A first generation sample is one where all the second generation viruses are the same but differ from the first generation virus sample.This is a harmless joke program. Delete if found.This virus loads itself into memory and infects files as they are run. It contains the text "Kiev '95" once it has decrypted itself into memory. This virus can be repaired.This virus infects EXE files on the current directory. It corrupts EXE files that have debugging information in it. It has text "I am Jonny5"This is not a virus. It is a Trojan Horse program. It does malicious activity like deleting file. You must delete this file to prevent any damage. See "Trojan" in the Glossary section of your manual.When executed it will display a question for you to choose a number. If you choose 3 it won't infect your system. If you choose any other number it will delete "system.ini", "win.ini", "win.com", "command.com" and "io.sys".This trojan horse program attempts to dial 911 through COM1. You must delete this file. This is not a virus. It is a Trojan Horse program. You should delete this file to prevent any damage. This is not a virus. It is a Trojan Horse program. You should delete this file to prevent any damage. This document, when opened, will delete win.com, user.dat, system.dat, *.ini.This trojan drops attempts to run the file \windows\winupdate.exe which it drops by modifying the registry at HKLM\Software\Microsoft\Windows\CurrentVersion\Run and RunServices. This file is corrupted and does not run. This is not a virus. It is a Trojan Horse program. You should delete this file to prevent any damage.This trojan horse creates a "RUNDLL.VBS" in "Windows\System" directory. That file should be deleted. This trojan horse also adds a path to the registry.This script Worm uses Outlook to e-mail the first 60 entries in the address book. The e-mail has an executable file called "Irok.exe" attached to it.This virus when executed, infects ".com" and ".exe" files. It drops a "irokrun.vbs" in the "startup" folder of Windows. It also drops "Winrde.dll" and "irok.exe" in "C:\Windows\System".This virus is a variant of "Irok.Trojan.Worm". It has similar behavior. The infected size of this virus is 7876 bytes.This trojan drops a "Wbdbs32i.dll" in the current directory, deletes ".xls" & ".doc" files in "C:\My Documents", files in "C:\LOTUS\Work\123\", "C:\LOTUS\Work\123W\", "C:\LOTUS\Work\Wordpro\", and a few other directories.This WORM drops "Win.js" into the windows directory and adds an entry in the system registry to load itself up automatically. This J Script also drops "default.ini" and "default2.ini" in "C:\". You should delete this files.This is not a virus. It is a Trojan Horse program. This file is a simple program which when executed drops several trojan files onto your system.This is not a virus. It is a dangerous trojan horse program that tries to delete all the files on your harddrive and format it using installed batch files that invoked by C:\AUTOEXEC.BAT.748, Tea Time, ThereseBetween 3:10pm and 3:13pm every day, the virus interferes with keyboard input.A large portion of the body of the virus is dedicated solely to encrypted text. One of many encrypted phrases inside the virus body reads: "Hullo ! Welcome to 2UP virus. Don't try so hard!Advertised as the installation program for PKZIP version 3.00b, this trojan will attempt to utilize the FORMAT and DELTREE commands. Delete if found.Infected boot sectors begin with 3 NOP (no operation) instructions. These appear as "".4870 OverwritingThe virus destroys program files by overwriting the first 4870 bytes with its viral code.The virus changes an infected program's date and time stamp.A&AThe virus changes an infected program's date and time stamp. When activated, the virus clears and reprints blocks of the screen.The virus changes an infected program's date and time stamp. It activates on the 13th of each month. When double letters are typed it triples the letter. For example, "book" becomes "boook".This is a Boot Sector virus. The virus will infect between the hard drive and floppy drive boot sectors.This program attempts to change the security level of the user to any security level such as the Administrator. This program only works under Windows NT.This is a Master Boot Sector virus. The virus will infect between the hard drive and floppy drive boot sectors.The virus produces a slow clicking sound. The virus targets the antivirus package PC-cillin. It contains the text "HATI-HATI !! ADA VIRUS DISINI !!" Note: Erases boot sectors and FAT on 1st HD if PCCILLIN.COM is found.Adolf HitlerThe virus changes an infected program's date and time stamp. Contains the text "Adolph Hitler".The virus may display the message "Your computer is infected with" and "AIDS VIRUS II" and play music. As a companion virus, simply delete all infected files.After a computer boots from an infected floppy disk, the message "RED STATE, Germ offensive--AIRCOP" appears.The infected program stops after displaying the message "A kuku, Nastepny komornik!!".A variant of the Akuku virus containing the text "Sorry, I'm copmpletly dead". Note that "completely" is misspelled.AlaOne hour after the virus is activated, the following message appears: "SOFTWARE COPIES PROHIBITED BY INTERNATIONAL LAW..."The virus only spreads when Ctrl+Alt+Del is pressed. The virus writes to the last sectors of the diskette and may corrupt data.The virus changes an infected program's date and time stamp. Infected programs contain the text "Albania".The virus changes an infected program's date and time stamp to 17DEC89 7:21pm. Infected programs contain the text "C:\COMMAND.COM" and "*.COM".The virus changes an infected program's date and time stamp. Contains the text "One Night Virus (C) Alex Hacker" and "*.COM".The virus changes an infected program's date and time stamp. Contains the text "The Kite Virus (C) Alex Hacker" and "*.EXE".The virus occasionally displays a boxed text and plays a tune. The text is encrypted and says, in part, "Alexander - Constanta, Romania".Red-X, Ambulance CarThe virus may display a moving ambulance while emitting the sound of a siren.Randomly displays one of these messages: "ZAGZIG UNIV", "HELLO SHSHTAY", or "GODBYE AMIN". The messages are encrypted in the virus. The string "COMexecomEXE" is visible in infected files.1392The virus overwrites a program's first 1089 bytes with viral code, placing the original code at the end, and then adds 303 more bytes to the end of the file. Infected programs contain the text "... Nouvel Band A.M.O.E.B.A".Contains the messages "-< The Andromeda Strain >- Version 1.00 By : Crypt Keeper" and "Mission Complete... Have fun with your virus(es).AndreIn addition to infecting programs when they are accessed or run, the virus infects programs that are copied or accessed, using the DOS DIR command.The virus changes an infected program's date and time stamp. Infected programs contain the text "*.COM".The virus changes an infected program's date and time stamp. The virus infects one additional COM program each time an infected program is run.Infected programs contain the text "Anthrax" and "Damage, Inc". The virus writes a copy of itself to the last few sectors of the hard disk. Any data located there is destroyed.Jerusalem.AntiCAD, Plastique, HM2The virus targets the AutoCAD program when ACAD.EXE is run or Ctrl+Alt+Del is pressed. The virus overwrites data on floppy disks and hard disks and garbles the CMOS information.Jerusalem.AntiCAD.4096, InvaderMay play music and display the message "by Invader, Feng Chia U., Warning: Don't run AC".Jerusalem.AntiCAD, Taiwan, PlastiqueThe virus targets the AutoCAD program. It activates when ACAD.EXE is running or when Ctrl+Alt+Del is pressed. The virus overwrites data on floppy disks and hard disks and garbles the CMOS information.This virus infects the master boot record and boot record of floppy disks. Bootup from infected floppies often causes system hangsLenartThis virus contains the text, "I am Li Xibin!". Bootup from infected floppies often causes system hangsCMOS4, D3, NewBugThis virus contains code to corrupt a specific .EXE program of 200,256 bytes (the specific file is unknown). AntiEXE will overwrite the MBR without saving a copy first.SuxInfected programs contain the text "[Anti-MIT]". When active on December 1st, the virus destroys all of the data on the hard disk and displays "MIT Sux!"PandaFluRunning an infected program causes all COM programs located in the C: drive root directory to be infected. Infected programs contain the text "FLUSHOT3.COM" and "C:\PANDA\MONITOR.COM..."The virus changes an infected program's date and time stamp. Files with .PAS and .BAK extension are deleted.AP-400/-440/-480, AntiPascal IIIf the virus cannot locate a program to infect, it deletes files with .BAK, .PAS, or .BAT extensions.Standard boot virus. Infects MBR and floppies.This AOL4Free trojan horse program searches for the DOS program DELTREE.EXE in various directories, and then uses DELTREE.EXE to delete all files from C drive. You should delete this file.834The virus alters the hard disk in a way that causes an incomplete boot up.After September 1, this virus will cause the beeper to emit a continuous tone and place messages on the screen. But it will not be spreading while the tone is being emitted. Before September, it just spreads.These are not dangerous viruses. They search for COM- and EXE-files and infect them by a standard manner. Some of the "Arcv" viruses use polymorphic algorithms and some variants has encrypted message in it.These are typically hacked versions of Bleem that may compromise computer security, or perform other malicious activity.BIOSPASSThis program lets other who runs it know the Password to your System BIOS. That will allow someone to change the BIOS setting.Upon loading from infected floppy, this virus overwrites boot sector of C: drive. It does not save original boot sector and tries load DOS by itself. The infected file must be deleted immediately.Fair.2102(x), Fair.1936, Fair.1936(x)This memory resident encrypted virus hooks INT 21h and infects COM and EXE files that are accessed. It sometimes displays the message "This is an [ illegal copy ] of KeyPress virus remover ..."This is not a dangerous memory resident virus. It hooks INT 21h and write itself to the end of COM and EXE files that are executed. This variant just "shifts" a screen to the right.This is a memory resident virus. It overwrites any EXE file that is being executed. The infected file size remains unchanged. The infected must be deleted or replaced with a clean copy.This virus prepends itself to all the COM and EXE files and drops a file named "kasienka.exe" in the current directory.This virus simply attaches itself to the end of all COM files in the current directory.This is a dangerous memory resident encrypted multipartite virus. It writes itself to the end of COM files and infects the MBR of the hard drive and boot sector of floppy disks. The virus also corruptedly infects Windows's COMMAND.COMKuSuMah.4268This virus is not a dangerous memory resident. It infects all the COM and EXE files in the current directory that are executed.This virus destroys the MBR and Boot record and make it unrepairable.This is not a dangerous memory resident virus. It simply appends itself to the end of EXE files when they are executed.This is not a virus. It is a worm that renames your files and subdirectories inside of the C:\WINDOWS directory to invalid names. This cause the operating system to be inoperable.This virus searches for the .COM and .EXE files and overwrites them with with the virus body and them unrepairable.November 17.880 (x)This virus infects standard executable COM and EXE files. It is memory-resident and does not attempt to encrypt itself. It only spreads through files and does not infect boot records.This virus infects standard executable COM files. The virus goes memory-resident after being executed and will infect any COM file that is run thereafter.This WORM drops AVM.VBS into the windows directory and added an entry in the system registry to load itself up automatically. This VB Script sends out itself using MS Outlook. You should delete the above files.This trojan will delete all ".vbs" and ".js" files in the current directory.This trojan will infect only those who have IRC. It drop "default.ini" where "mirc.ini" file is. Also modifies mirc.ini file.This Worm is dropped by JS.Aphex. It uses mIRC channels to spread. It should delete this file.This Worm drops "Story.vbs" in "Windows" directory and in "My Documents". It adds an entry in the system registry to load itself up automatically. It also creates a file "script.ini" in "mirc" directory.This virus notifies the creator when the infected user logs into IRC. Additionally, it modifies the registry and writes a temporary batch file (c:\temp.bat) to facilitate replication.BubbleBoyThis WORM uses ActiveX to drop UPDATE.HTA into the windows program startup menu. This HTA Script sends out the worm email message using MS Outlook. You should delete the above file.This worm uses mIRC and Outlook to send itself to others. This worm will disable your desktop (this prevents any icons from appearing) and enable itself at startup by modifying the registry.This virus uses mIRC to replicate. It modifies the registry and drops a copy of the trojan program Backdoor.TheThing.c. It overwrites .VBS files in several directories. Additionally, on December 31 it overwrites autoexec.bat.This virus uses mIRC to replicate. In several directories, it overwrites and creates .VBS files with its viral code.This trojan attempts to connect to several FTP sites and download replacements for selected Windows system files.This polymorphic .VBS worm spreads using Outlook and mIRC. The name of the .VBS file changes on each new infection. On Jun 20, a message box is displayed announcing the infection and the keyboard and mouse are disabled.When opened, this html page displays a message to distract the user's attention while infecting the computer. It changes the registry, overwrites mirc.ini (IRC script file) and attempts to spread by e-mail using Outlook.This trojan overwrites "autoexec.bat" and drops "winstart.bat" into "c:\windows" directory. These batch files will contain instructions to delete system files.This Worm spreads using mIRC. It Creates a file "script.ini" in "mirc" directory and uses that ini file to send other users. It also modifies the registry and drops many files with .vbs extension.This virus creates three files "MyPicture.bmp.vbs" and one "RunDLL.vbs" in several directories in "C" drive. It overwrites ".VBS" files also.This Worm copies it self in Windows Startup folder as "RunDLL.vbs" and copies in Windows "System", "My Documents", and in "C:\" as "mynewpicture.jpg.vbs". It also overwrites ".VBS" files in some directories.This .VBS trojan deletes all .DLL and .EXE files and renames all remaining files with a .VBS extension. This file must be deleted.This .VBS worm replicates by mapping to shared network drives and copying itself. It keeps a logfile in the root of C:\ named NETWORK.LOG.This .VBS worm replicates by mapping to shared network drives and copying itself. This worm also drops a Dial-up networking password stealer. The worm keeps a logfile in the root of C:\ named NETWORK.LOG.This .VBS worm replicates by mapping to shared network drives and copying itself. This worm also drops a hacked version of the distributed.net client. The worm keeps a logfile in the root of C:\ named NETWORK.LOG.This virus will copy itself over all files in the current directory. On certain occasions it will display a message box. It creates an internet shortcut to the virus writers homepage that gets loaded when the script is executed.This polymorphic .VBS worm spreads using Outlook and mIRC. The subject on the email is "Check this out, it's funny!". When executed, it sends an EXE file that is polymorphic.This VBScript virus uses Outlook, mIRC, and Pirch to replicate. It modifies the registry to run at startup, and drops copies of itself in several locations (including network drives).This is a boot virus. It infects the MBR and the FLOPPY upon accessing. The virus overwrites the FLOPPY, but it saves the MBR of the hard-disk making the FLOPPY unrepairable.This is a memory resident virus. Upon executing, the virus goes resident and will infect any COM or EXE files that are being run.JoanneContains an encrypted message dedicating the virus to a girl named Joanne.Evul.805Another virus from ARCV. This one goes resident and infects EXE on execution. It's buggy and often crashes program upon execution. It has an encrypted message dedicating the virus to a girl named Connie.Evul.805.drThis is a dropper of ARCV.Evul.805.Greek, ArmaWhen active between 5 and 7 P.M., the virus attempts to use the local COM ports to make a phone call to local time information in Crete, Greece.1590On November 20th the virus prints a long message in Spanish, which includes the phrase "Spain Jaws && Sharks" in English.The virus changes an infected program's date and time stamp.Writes random information to the disk on the 11th of any month.The virus corrupts data files by deleting 700 bytes from them. Infected programs contain the text "(C) AsTrA, 1991..."On the 1st of any month, it encrypts the MBR.The virus changes date and time stamp of infected programs. The virus infects programs only on AT286 computers or better.The message "OK" or "I like to travel" appears when infected programs are run. The virus changes an infected program's date and time stamp. It contains the text "ATAS(Kiev)" and a version number.The virus contains the encrypted text "ATAS Corporation (C)1992" and a version number.An encrypted virus that immediately infects other EXE files when executed.USSRWhen a key is pressed, a click sound is emitted. When some infected programs are run, the message "Invalid drive or file name" appears.Infects programs when they are run or opened. Contains the text "Ava."Each variant has a different string but they all claim to be written in Argentina.Stoned.Azusa, Hong KongThe virus overwrites parts of the hard disk's master boot record with viral code. The virus may interfere with printer port activities.This trojan horse must be deleted. It opens numerous ports and mails out information about the infected system. It modifies WIN.INI, SYSTEM.INI and the registry with the filename WINCMP32.EXE to run at startup.This is a trojan horse that must be deleted. It opens numerous ports for listening. It modifies SYSTEM.INI so that ATAPI.EXE runs at startup.This is a type trojan program which can be used to allow unauthorized access to your computer. It adds itself under the following registry key: HKLM/Software/Microsoft/Windows/CurrentVersion/Run. You should delete this file.This is a type trojan program which can be used to allow unauthorized access to your computer. It adds itself under the following registry key: HKLM/Software/Microsoft/Windows/CurrentVersion/Run. You should delete this file.This is a type trojan program which can be used to allow unauthorized access to your computer. It adds itself under the following registry key: HKLM/Software/Microsoft/Windows/CurrentVersion/Run. You should delete this file.This is a type trojan program which can be used to allow unauthorized access to your computer. It adds itself under the following registry key: HKLM/Software/Microsoft/Windows/CurrentVersion/Run. You should delete this file.This is a type trojan program which can be used to allow unauthorized access to your computer. It will not allow the user to restart the computer.This is a type trojan program which can be used to allow unauthorized access to your computer. Please delete this fileThis is a type trojan program which can be used to allow unauthorized access to your computer.This is a type trojan program which can be used to allow unauthorized access to your computer.This is dropped by the "Backdoor.DGS". You must delete this file.This is a trojan horse program and not a virus. This program can be used to allow unauthorized access to your computer. You must delete this file.This trojan horse allows unauthorized access to your system. It creates another file within the same directory called ddick.exe. You must delete both of these files.This is a trojan horse program and not a virus. This program can be used to allow unauthorized access to your computer. You must delete this file.This trojan drops "intld.vxd", "nmiopl.exe" and "tsdm.dat" files in "windows\system\" directory. It also adds a folder in the registry "HKLM\system\CurrentControlSet\Services\VxD\INTLD".This trojan copies itself as \WINDOWS\SYSTEM\RMAAPP.EXE. It modifies the registry key HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN to enable itself at startup. This trojan allows unauthorized access to your system.This is a trojan horse program and not a virus. This program can be used to allow unauthorized access to your computer. You must delete this file.This is a trojan horse program and not a virus. This program can be used to allow unauthorized access to your computer. You must delete this file.This backdoor trojan drops 3 files: Kernel32.exe and Sysexplr.exe in the \Windows\Sytem, and Psw.tmp in \Windows\temp; it adds itself in the registry HKLM\Software\Microsoft\Windows\CurrentVersion\Run & RunServices.This is a trojan horse program and not a virus. This program can be used to allow unauthorized access to your computer. You must delete this file.This is a trojan horse program and not a virus. It is a backdoor type trojan program which can be used to allow unauthorized access to your computer. You must delete this file.This is a trojan horse program and not a virus. It is a backdoor type trojan program which can be used to allow unauthorized access to your computer. You must delete this file. It disguises itself as a Y2K system updater.This polymorphic backdoor trojan allows unauthorized access to your computer. It drops an EXE file in Windows folder that contains garbage characters, and adds itself to HKLM/Software/Microsoft/Windows/CurrentVersion/Run.This is a polymorphic backdoor type trojan horse which can be used to allow unauthorized access to your computer. The names of two files it drops in Windows folder, are random characters. The size of the dropped files are 10K and 373K.This is dropped by the "Backdoor.Poly" or "Backdoor.SubSeven". You must delete this file.This is a Client program to access the Backdoor Trojan Backdoor.Rat.This backdoor trojan allows unauthorized access to your computer. It drops itself in Windows directory as "msgsrv36.exe", and adds a key in HKLM/Software/Microsoft/Windows/CurrentVersion/Run as "msgsrv36.exe".This is a backdoor type trojan horse which can be used to allow unauthorized access to your computer. It drops it self in Windows directory as "sxplorer.exe" and replaces "C:\Windows\win.com" with its own version.This backdoor trojan allows unauthorized access to your computer. It adds itself to HKLM/Software/Microsoft/Windows/CurrentVersion/Run as Explorer32 with a value of "C:\WIN95\Expl32.exe". You must delete this file.This is a trojan horse program and not a virus. This program can be used to allow unauthorized access to your computer. You must delete this file. This program requires ICQ and a file "Packet32.dll"This is a trojan horse program and not a virus. This program can be used to allow unauthorized access to your computer. You must delete this file.This is a trojan horse program and not a virus. This program can be used to allow unauthorized access to your computer. You must delete this file.This is a trojan horse program and not a virus. This program can be used to allow unauthorized access to your computer. You must delete this file.This backdoor trojan allows unauthorized access to your computer. It adds itself to HKLM/Software/Microsoft/Windows/CurrentVersion/Run. You must delete this file.This is a backdoor type trojan horse program and not a virus. It can be used to allow unauthorized access to your computer. You must delete this file.This is not a virus BUT a Trojan Horse program. You must DELETE this file. It drops the file KeyHook.DLL into the windows directory You also need to remove its REGISTRY entry.Client program to access Backdoor.Netbus.clifile dropped by Backdoor.Netbus.svr. You must DELETE this file.This is a trojan horse program and not a virus. This program can be used to allow unauthorized access to your computer. You must delete this file.This is a trojan horse program and not a virus. This program will add itself to the registry key: HKLM/Software/Microsoft/Windows/CurrentVersion/Run. You must delete this file.This is a trojan horse program and not a virus. This program can be used to allow unauthorized access to your computer. You must delete this file.This is a trojan horse program and not a virus. This program can be used to allow unauthorized access to your computer. It also logs keystrokes to the file, "C:\iosubnet.sys" You must delete this file.This is a trojan horse program and not a virus. This program can be used to allow unauthorized access to your computer. You must delete this file.This is a trojan horse program and not a virus. This program can be used to allow unauthorized access to your computer. You must delete this file.This is a trojan horse program and not a virus. This program can be used to allow unauthorized access to your computer. You must delete this any files associated with this name.This backdoor trojan allows unauthorized access to your computer, deletes "C:\windows\Netstate.exe", copies itself into "C:\Windows\system" as different name, and adds HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices.This is a trojan horse program and not a virus. This program can be used to allow unauthorized access to your computer. You must delete this any files associated with this name.This backdoor trojan allows unauthorized access to your computer, adds itself to the registry key: HKLM/Software/Microsoft/Windows/CurrentVersion/Run You need to delete this file.This is a backdoor type trojan program which can be used to allow unauthorized access to your computer.This backdoor trojan modifies the registry to execute when the machine is started. It drops the files RSRCLOAD.EXE, MGADESKDLL.EXE, and CMSCTRL32.EXE.This is a backdoor type trojan program which can be used to allow unauthorized access to your computer and passwords.This is a backdoor type trojan program which can be used to allow unauthorized access to your computer.This is a trojan horse program and not a virus. This program can be used to allow unauthorized access to your computer. You must delete this file.This is a trojan horse program that can be used to allow unauthorized access to your computer. Delete C:\Windows\System\tskmngr.exe and HKLM\Software\ Microsoft\Windows\CurrentVersion\Run\Task Manager="tskmngr.exe".This is a trojan horse program and not a virus. This program can be used to allow unauthorized access to your computer. You must delete this file.This is a backdoor type trojan program which can be used to allow unauthorized access to your computer.This is a backdoor type trojan program which can be used to allow unauthorized access to your computer.This is a backdoor type trojan program which can be used to allow unauthorized access to your computer. It requires the MSVBVM60.DLL file for execution. You must delete this file.This is a backdoor type trojan program which can be used to allow unauthorized access to your computer. It requires the MSVBVM50.DLL file for execution. You must delete this file.This is a backdoor type trojan program which can be used to allow unauthorized access to your computer.This is a trojan program which can allow unauthorized access to your computer. It modifies the registry, your SYSTEM.INI and drops some files which need to be deleted (ms097.exe and winspc13.exe).This backdoor trojan loads by adding to the line shell=explorer.exe in the SYSTEM.INI file. To clean, replace that line and delete the corresponding file from the C:\WINDOWS directory.This is a backdoor type trojan program which can be used to allow unauthorized access to your computer.This is a backdoor type trojan program which can be used to allow unauthorized access to your computer.This is a Client program to access the Backdoor Trojan Backdoor.WinMap.905, BadsecWhen the virus is active, the fonts on EGA and VGA monitors are changed. A cold boot may be required after running an infected program.BackFormat.A, .2345, .2381This group of viruses causes unusual side effects while resident; most commonly, printing of random characters to the console.BackForm.2000This virus infects COMMAND.COM (before Win95) without increasing its size. It also infects COM and EXE file. The payload destroy some sectors on floppy. This virus is memory resident and infects EXE and COM files. This virus also claims to infect Macintosh files under certain conditions. It may display a poem on July 26th. It may corrupt files.Cawber, T4, GriffeContains encrypted text saying it was produced at "BACTERIOPHAGE LABS".Infected programs contain the text "The bad boy halt your system..." A cold boot may be required after running an infected program.BBInfected programs may not run properly.The virus changes an infected program's date and time stamp.When the virus is active on January 5th, it erases the MBR, and displays flashing vertical bars and the message "Virus BARROTES por OSoft".Barrotes.1310.E, GalizaThis virus destroys the MBR on January 5th of any year. It contains the text, "Galiza Xakobeo". It often disrupts the functioning of pipes in DOS.This virus destroys the MBR on July 20th of any year.This virus destroys the MBR on September 23rd of any year. It contains the text, "Sta Tecla (MAD1)"This virus destroys the MBR on January 5th of any year.USSRInfected programs simply stop after emitting a clicking noise. The virus may display a box with the phrase "Skagi 'bebe' >" and when the user types "bebe" the virus prints "Fig Tebe !"439Infected programs' size increases by 439 bytes.Beer-2794When active, the virus plays a tune, and a message in Russian appears.WishesIf COMMAND.COM is infected, it does not function properly. Infected programs contain the text "This program ... With Best Wishes!"MudThe virus plays tricks with the screen. Contains the text "Mexican Mud (c)1992 MaZ" and "+Sweden+".Death RattleThe virus plays tricks with the screen. Contains the text "DEATH RATTLE V1.00" and "+S+W+E+D+E+N+".FellowshipInfected programs contain the text "This message is dedicated to all fellow PC users on Earth..."Monday the 1stWhen the virus is active on any Monday the 1st, the boot record of any floppy disk in drive A: is overwritten. Contains the text "BEWARE ME - 0.01, Copr (c) DarkGraveSoft - Moscow 1990".The following messages appear: "At last ... ALIVE!!!!!" and "I guess your computer is infected by the Big Joke Virus..."NedWhen an infected COMMAND.COM runs, the virus reboots your computer continuously. Contains the text "KMIT-NB Date 12/28/1990 BIOS".Infected programs contain the text "BIT ADDICT..."BljecThe virus changes an infected program's date and time stamp. This virus infects by adding itself to the start of the host file. This family of viruses often hang the infected machine.Digital F/XThe virus changes an infected program's date and time stamp. Contains the text "Digital F/X" at the beginning of the virus code. When the virus runs, this text is executed as code and will hang pre-80286 computers.SadThe virus changes an infected program's date and time stamp. If active in September the virus destroys data and prints the text "Sad virus - 24/8/91".The virus destroys COM and EXE programs by overwriting them. Prints the message "The Eternal Blaze Virus has been unleashed...Beware!"Black Monday Borderline, MondayInfected programs contain the text "Black Monday 2/3/9KV KL MAL".Blood 2The message "File infected by BLOOD VIRUS version 1.20" appears.Trivial-Blood LustInfected programs contain the text "Hi! This is the virus Bloodlust striking!..."This is a standard polymorphic virus.This is a plugin to the Back Orifice Trojan that broadcasts the IP address of the computer to a remote server.V-5792, 5792, PaThe virus infects three EXE programs, displays the error message "Error in *.EXE file", and then returns to the DOS prompt. When infected program is running, the message "Pa,pa slodki bobasku..." appears.Malanesian BomberWhen the virus is active on August 31st, a beep is emitted and the message "! I AM STEALTH BOMBER !" appears.Infected programs' size increases between 340 and 350 bytes.BFD-451When active, the virus overwrites the boot record of floppy disks. The virus locates itself in the unused header space of EXE programs.This virus does little but replicate. Note that Boot-437 does not infect the MBR of the hard drive; it infects only the Boot Sector.BAT.506This virus does little but replicate by adding itself to the top of BATCH files *.BAT in the same directory.This is a Internet worm that uses .bat files to search through a range of IP addresses of known ISPs to find an accessible computer. If an accessible computer shares its C drive, it copies its files onto the other computer.The virus starts deleting EXE programs when it runs out of COM programs to infect.Pakistani, AsharThe virus changes the infected disk's volume label to either "(c) Brain" or "(c) ashar".WarriorA cold boot may be required after running an infected program.ShieldThe message "I greet you user. I am COM-CHILD..." sometimes appears.When active on Fridays before 3:00 P.M., the virus changes files to read-only. Contains the text "BRYANSK 1992, BITE 0.01 (C)".Big Caibua, Butthead, Vienna.BUAFirst distributed over the Internet. Between 3pm and 7pm it displays a phallus. After 2296 file infections, it will delete files in the current directory and overwrite parts of the system area.These are dangerous viruses. On February, 2th they write to the files the command INT 20h (return to DOS). They contain the text: "[Marauder] 1992 Hellraiser - Phalcon/Skism..."The virus damages infected programs by overwriting them with viral code. Contains the text 'FLOW LIKE A RIVER - STRIKE LIKE A THUNDER".TravellerContains the message "Traveller (C) BUPT IE 1991.4 Don't panic, I'm harmless!"Burger is a family of overwriting viruses based on source code published in a book.Infected programs contain the text "GS/02".TempestContains the message "[Tempest - `] Rangon, Burma."This is a backdoor type trojan program which can be used to allow unauthorized access to your computer. This is a standard virus that appends itself to EXE files. This is a standard virus that appends itself to COM and EXE files.DIR.BywayByway creates a file called CHKLIST.MS in the root directory. DO NOT delete this file, as you will lose original file data!This virus appears to have a piece of a Commodore 64 emulator in it. It contains the text, "Scelestos V0.1 Preversion to test sth" among other things.After a computer boots from an infected floppy disk, the message "Hey man, I don't wanna work..." appears.Infected programs' size increases by 927 bytes. The virus uses the encryption system from the Cascade virus family, but is internally quite different.The virus overwrites a disk's boot record in an attempt to eliminate boot sector viruses. Infected programs contain the text "Virus Es en memoria!".When the virus is active in November or December after the 14th, the virus halts the computer. Contains the text "COMMAND.COM".BlackJack, Falling LettersWhen the virus is active from September through December of the years 1980 - 1988, the characters displayed fall into a pile at the bottom of the screen.17Y4, Jo-Jo, YapThe original 1701 and 1704 versions of this virus are widespread, therefore many minor variants exist. They differ little from the originals.FAT ChanceWhen active on January 15, April 15, and August 15, the virus plays a slot machine game and the message "CASINO DE MALTE JACKPOT..." appears. If you lose, your file allocation table is lost.Contains the text "Cry Havoc, and let slip the Dogs of War! [Catphish] FirstStrike Kraft!"Infected programs contain the text "EXECOMC:\COMMAND.COM CLEAN".Corrupted directory entries may occur.No information available.Infected programs contain the text "***CCCP-75!***" and "DoomsDay".When the virus is active, a picture of a dog's head may be displayed in the upper left half of the screen, which eats its way to the right.The virus may disable extended memory, print the message "Sorry. I need MHz today! (CFSK)" and hang the machine.The virus changes an infected program's date and time stamp to 00-00-80 00:00. It may print a picture of a cartoon character peering over a wall with the text "WOT!! No Anti - Virus Software..."This Boot virus puts 2 extra sectors of its code at the end of the Hard Drive. If these sectors are overwritten accidentally by a file, the system will not boot from the HD.Contains the phrase "YOU CAN CHANG SOMETHING OF THE PROGRAM" in clear text near the end of an infected program.CentryThe virus contains the following text strings: "(c)Copyright 1991. Mr. YaQi. Changsha China" and "New Century of Computer Now!" Changsha does little more than replicate.Faust, SpyerInfected boot records contain the text "Welcome to the New Dungeon", "Chaos", and "Letz be cool guys".Infected programs contain the text "COMEXESYSBAT ChCC".Checksum 1.00, CkSumA cold boot may be required after running an infected program.Files with COM extensions are infected when they are copied. Contains the text "CHEEBA Makes Ya High Harmlessly" and some profanity.This is a memory-resident virus that infects .EXE files (as well as .COM files with an internal .EXE format) when they are executed.Chill TouchContains the encrypted message "[CHiLL TOUCH] You cannot touch these phantoms". Will corrupt .COM files over 64k. The virus contains code to format tracks on the hard drive, but the code is disabled.Fish BootDisplays the message "Hello! I am FISH, please don't kill me..." May wipe out CMOS information.Contains the message "[Chromosome Glitch] v1.0 Copyright (c) 1993 Memory Lapse."When the virus is active, a hidden program named CINDEREL.LA is created, after a certain number of key presses. The virus can infect programs with or without file extensions.Proto-TInfected programs contain the text "Civil War, (c) 1992 Dark Helmet" and "*.COM".Execution of an infected file will infect the MBR. Viral code is then removed from the infected file. This "self cleaning" mechanism is an attempt to hide the origin of the infection.TrekWarContains a poem about an astronaut and the text "[TrekWar]". When an infected program is run, the message "EXEC failure" appears and then the DOS prompt returns.Infected programs contain the text "C:\IO.SYS C:\IBMBIO.COM" and "Close..."This is a direct file infector. It infects EXE files in the current directory when the virus is executed.When the virus is active, the computer's screen clears unexpectedly.This is a Joke program and not a virus. It shows weird characters on screen when computer is infected. This does not infect other files on the system. Delete if found.TS.1418 Rusty.1423This virus loads itself into memory, infecting COM and EXE files as they are executed or accessed, and may also corrupt disk sectors.Infected programs' size increases by 572 bytes.This virus traces past 256 instructions of the original host and places a small piece of code there that decrypts the virus and calls the main virus body.VCLIf the virus cannot infect more files, the message "**CODE ZERO**" appears.Infected programs contain the text "Coffeeshop".ASP-472Infected programs contain the text "ASP".BomberThe virus builds a complex path of execution to its own code in order to avoid detection. Although polymorphic, the virus is not encrypted.Como-LakeInfected programs contain the text "...by a software group resident near Como Lake (North Italy)..."The virus creates a COM program with the same file name as an EXE program. The COM program is hidden from a normal directory listing.Syslock, 3551, 3555When the virus is active, the message "I want a COOKIE" sometimes appears.1193, 1205A false copyright message appears. The virus changes an infected program's date and time stamp.This virus appears to do nothing but replicate.When a program is successfully infected, the message "COSSIGA ?! NO GRAZIE!..." appears.Infected programs contain the text "COSTEAU End.MZ".Chile, CPW.1459Contains the text "Esta programa fue hecho en Chile en 1992 por CPW". It avoids infecting, and may delete, specific antivirus products. A cold boot may be required after running an infected program.Chile, CPW.1527Contains the texts "CPW fue hecho en Chile en 1992" and "VIVA CHILE" in an encrypted form. Targets several antivirus programs.Contains , "WARNING !! THIS IS A VIRUS !! RESEARCH ONLY !!" as well as a few other strings at the end of infected files.The virus creates COM files with the text "The Creepy Crawly."This trojan when executed will display black screen with a message. it will try to delete the "himem.sys", "win.ini" and "system.ini" from Windows directory. Then it crashes Windows.Displays a message after 8995 disk reads. After the message is displayed, the computer will hang.CrayzedWhen active on Mondays the 28th and January 28th, the virus overwrites the hard disk with characters. Infected programs contain the text "Crazy Eddie."Crazy, ImpThe virus removes itself from infected programs when it is read into memory.Creeper TormentorThe virus searches for the text "Tormentor" in memory.2480, V2480, Crew-2480The message "European Cracking Crew" appears. The virus infects programs that have a date stamp of January through May, are larger than 10,240 bytes, and have COM extensions.The virus monitors for specific letters in the command line. If found it renames all files in the directory to "CRIMINAL" and prints a message calling the user a criminal guilty of software piracy.Krivmous, OnlyInfected programs contain the text "Only God knows!" The poem "There was a crooked man" may appear.MicroElephantWhen an infected program is run, the message "Bad Command or file name" appears and then the DOS prompt returns. Infected programs contain the text "Microelephant V4" and "by CSL".When the virus is active, the message "This file infected with COMVIRUS 1.0" appears.Nowhere Man, VMessiahWhen an infected program is run, the message "Out of memory" appears and then the DOS prompt returns.This is a group of viruses calling themselves the "Cybertech Virus".Dark AvengerA variant of the original Dark Avenger.1800 based on the author's source code, which he released in January of 1990.V-1800, Eddie, Dark AvengerThe virus contains the message "Eddie Lives...somewhere in time". Randomly overwrites disk sectors.V2000, Traveller, Dark AvengerInfected programs contain the text "Copy me - I want to travel".V-2100, Dark AvengerInfected programs contain the text "Eddie Lives".This infects the boot record and floppy disk boot records. The viral code is resident in interrupt vector 87.Infected programs contain the text "da,da". Infected programs over 65536 bytes in size do not run properly.This virus infects EXE files in the current directory.Kennedy, Dead KennedyWhen active, the virus displays varying messages. This virus goes memory resident, then infects .com files that are executed.This virus infects COM and EXE files in the current, root and DOS directories. It appends its encrypted code to the end of the file.When the virus is active on October 15th, the computer's screen clears if not in graphics mode, and data on drive C: is corrupted. Contains the text "(c) Dark End".This virus infects COM files, as well as any file with an extension that begins with ".C". When an infected file is executed on a particular minute of the hour, the virus will display a flaming background.Programs with COM extensions are infected only when they are copied. Infected programs do not run properly. Contains the text "Darth Vader".Infected programs' size increases by 1876 bytes.Columbus DayWhen the virus is active between October 13th and the end of the year, the messages "DATACRIME VIRUS" and "RELEASED: 1 MARCH 1989" appear.Datalock 1.00, V920, Datalock-1043Infected programs contain the text "DataLock version 1.00". If the date is after August 1990, the virus locks files with the .DBF extension.SYPIf the virus is active on a date divisible by 10, the data on the hard disk is destroyed.The virus corrupts data in files with the DBF extension. The FAT and root directory on drives D: through Z: are damaged when attempts are made to write to a DBF file that is more than three months old.Dead.1373, Dead.1373 (x)There are many variants of the Dead virus Family. Most infect both EXE and COM files. They simply append their viral code to the end of the file. Some variants attempt to delete your hard drive on the 256th generation of the virus.This virus infects COM and EXE files. The virus overwrites the first 4 bytes of COM files, but only saves the first 3 bytes correctly. Because of this, infected COM files may not run properly, even after disinfection.The virus overwrites the first 80 sectors on drive C: and the message "DEICIDE! BYE BYE HEN" appears.DNA.1206 Evolution.1206This virus infects files across directories. It contains the string "DNA = Evolution"A 1128 byte resident COM and EXE infector. It will randomly corrput the CMOS settings of the computer on which it is run. Trojan.delpartThis trojan horse type program will delete the partition table from the hard drive. This program should be deleted if found.Infected programs contain obscene text.On December 26, the virus occasionally scrolls the top line off the screen. It appears to contain code to interfere with Windows, and avoids programs starting with "SC" or "VI". It contains the text, "DELWIN."On the 17th of any month, the virus replaces the master boot sector code so the message "DEMOLITION is here!" prints on the next boot up.When an infected program is run on Tuesdays, the message "Error eating drive C:" appears, and then the virus overwrites 160 sectors of the hard disk. The virus changes an infected program's date and time stamp.Den ZukWhen Ctrl+Alt+Del is pressed, the message "DEN ZUKO" appears. The virus destroys data on floppy disks.Den Zuk, Hacker, OhioThe virus searches for the "Brain" virus and removes it if it is found.Infected programs contain the text "DESTRUCTOR V4.00..."Mexican, Devil's Dance-BWhen the virus is active, screen colors may change after 2000 keystrokes. After 5000 keystrokes, the message "Have you ever danced with the devil..." appears.Kewl DewdzThe message "Kewl Dewdz!" appears. A cold boot may be required after running an infected program.1024When the virus is active on the hour, diamonds explode and bounce around the screen.A variant of the Diamond virus based on printed source code.OZ, Die Hard.II, Die-Hard.4000.dInfected programs have the word "OZ" near the end of the file.Programs with COM and EXE extensions are overwritten with other code and do not function properly. Infected programs contain the text "C) DIGGER".Digital.3547 Digi.3547On May 28th, this polymorphic virus overwrites the first 20 cylinders of HD starting from the MBR with "DIGI POWER", displays a message, a flag, and plays music.When the virus is active at 9 P.M. the message "9pm" appears. A cold boot may be required after running an infected program.DirVirPrograms with COM extensions are infected when the DOS DIR command is used. The DOS CHKDSK program reports file allocation errors on a drive with infected programs.Creeping DeathChanges directory entries to point to itself. Using the "CHKDSK /F" command will destroy all program file linkage. To repair infected systems, you must use the DOS version of NAV.Computer Ogre, Disk Ogre, OgreAfter an infected computer has been on for 48 hours, the message "Disk Killer--Version 1.00..." appears. The virus then encrypts the entire hard drive.V-1385A cold boot may be required after running an infected program.1308When the virus infects files, lost clusters may occur on infected diskettes.The original sample contains a message from the author, "Annihilator" in Sweden. Later generations do not contain the message.This is a trojan program that may allow unauthorized access to your computer. This program cannot be repaired, it must be deleted.A cold boot may be required after running an infected program. Infected programs contain the text "(C)1990 DM".This family of viruses contain the text "Drive Not Ready."These viruses contain the message "DOOM II (C) Dr. Jones, NCU..." A cold boot may be required after running an infected program.Null Set, ScionThe virus may encrypt sectors on the current disk and display the message "Your disk is dead! Long live DOOMSDAY 1.0". The virus also contains a poem and says it was written in Orlando, Florida (USA) on 13MAY91.Contains the text "DOS-1".Contains messages indicating that it is DOS 7 and contains negative messages about DOS 6's antivirus.B3When active on June 26th, the virus overwrites data on the hard disk.HLLC.Dosinfo.52480This worm copies itself to the \DOS directory if .BAT file is present there. It also adds a call to the worm inside of the .BAT file.This worm copies itself to \Windows\Command under 8-byte random with COM extension. It also modifies SYS.COM and renames it to SYS.OLD. It then creates a SYS.BAT as a companion and use it to spread itself.This is a standard virus that appends itself to EXE and COM files.Dot Killer, 944, Point KillerWhen the virus is active, any period (.) entered from the keyboard is erased from the screen.This virus is 1206 bytes long and infects executable files. The virus will append 1206 bytes to the end of the fileVienna, DOS-62, UnescoInfected programs contain the text "(C) DOCTOR QUMAK". A cold boot may be required after running an infected program.Dr WThe virus creates a file called C:\DRWATSON.COM and adds the line "@drwatson" to C:\AUTOEXEC.BAT. May display the message "Tracing mode has been destroyed."The virus changes an infected program's date and time stamp. Letters on the screen may drop.The virus writes its code to the middle of the host file. An infected system runs slowly.GaneauThe virus will trigger only on March 20, 1994. It prints the message "Beware of the BUG !!!" and hangs the machine. It avoids infecting some anti-virus software and QBASIC.EXE.When the virus is active, running programs from a write-protected disk results in the "write protect error".CursyThe virus moves the original boot record to the last track of floppy disks. The text "EV" is written at the end of the boot record.When an infected program is run, questions about the anatomy of the human ear appear.A virus based on Ear, but without the anatomy quiz. An MBR and Boot Sector infector, this virus stores the original MBR and BS somewhere out on the infected HD.Infected programs contain obscene text.V-651The virus changes the seconds field in an infected program's time stamp to "62". Contains the text "Eddie lives".1971, 8_TUNESWhen the virus is active, it plays one of eight different tunes. It does not infect programs smaller than 8192 bytes.The virus only infects programs when they are copied. The virus changes the seconds field in an infected program's time stamp to "62".If a program with an EXE file extension is infected, the program is irreparably damaged. May format the drive and display the message "++ Hi! I am Eliza. Good Luck! ++".When the virus is active, characters entered from the keyboard are sometimes repeated. Contains the text "My name is Emmie, I am Eddie's sister."This virus infects COM and EXE files, MBR and boot records. It is memory resident, encrypted and polymorphic. Infected hard drives and floppy disks cannot be accessed unless the virus is running.The virus infects programs when the DOS DIR command is used. The text "end of" will be found at the end of infected files.Contains the text "Enola Gay is now flying to SoftPanorama!" A cold boot may be required after running an infected program.The virus changes an infected program's date and time stamp. Running an infected program results in the error message "Exec failure" or "Bad command or file name".This virus occasionally prevents the computer from booting.Riot.Eternity.565This is a direct file infector. When executed, it infects all EXE files in the current directory.E.T.C.The virus changes an infected program's date and time stamp. Infected programs contain the text "E.T.C. VIRUS, Version 3.0, Copyright (c) 1989 by E.T.C. Co".This virus infects all EXE file in the current, parent, and c:\windows\command directory when run.On March 28th between 10am and 12am, if an infected program is run the virus prints out a message in Spanish. This virus is very particular about files that it infects.Dutch 424When the is virus active in the year 1992, the message "Europe/92 4EVER!" appears.The virus places itself into the free space in EXE headers so infected files do not increase in size.CMOS KillerThis family of viruses attempts to modify CMOS information. EXE files are overwritten by virus code turning them into droppers.Experiments-755Infected programs contain the text "----Small experiments path 2.1----".W32.Net666 W32.Semisoft.B/C/59392It drops WINIPX.EXE, WINIPXA.EXE, NOTEPAD.EXE in \WINDOWS directory. Simply delete all detected files. To restore NOTEPAD.EXE, rename \WINDOWS\NOTEPADX.EXE into NOTEPAD.EXE.This is a Denial-of-Service type program. They are meant to run unobserved on many machines until they are signaled to flood a specified internet site with data, thus shutting the site down.W32.Net666 W32.Semisoft.59392It drops WINIPX.EXE, WINIPXA.EXE, NOTEPAD.EXE in \WINDOWS directory. Some files may be too large to repair.Explosion Explosion.1000Explosion is a memory resident virus that infects DOS COM and EXE files. It appends 1000 bytes of viral code to the end of the file.V337Infected programs' size increases by 337 bytes.Frodo SoftInfected programs contain the text "(c) Frodo Soft".F-WordThe virus changes an infected program's date and time stamp.WTFContains a message made of letters and extended character that asks what this world if coming to and says "SMAUG LIVES."Fairzh, Khobar, Eternal, Fair.1936Contains the encrypted messages "This is an [ illegal copy ] of KeyPress virus remover", "System Halted" and "Eternal Fair".This virus a typical prepender that infects only COM files. It will infects files in c:\windows\command directory and the current directory if c:\windows\command directory is not found. This virus will also reset the CMOSTopo, Pisello, MosquitoThe virus infects all programs, except those run from drive A:. Function keys may not work properly. Contains encrypted text.384The virus uses the early DOS FCB methods of handling files. The virus changes an infected program's date and time stamp.Contains an apology for the Proto-T.Ritzen viruses.The virus changes an infected program's date and time stamp. Infected programs contain the text "R.Feist".This is a simple boot infector. This virus affects hard drive MBRs and floppy boot sectors. It is usually dropped by the program FEC.Dropper.This program drops the boot virus FEC(b) on your computer. This file should be deleted.This is a trojan and must be deleted. It shows an image while it deletes system files (win.com, system.dat, user.dat, etc.). It displays messages regarding rebooting your machine.On Infected computers, the clock may return to a default date. Infected programs contain the text "PSQRVW".903, Fich, CHV 2.1Infected programs contain the text "FICHV 2.1 vous a Eu".The virus changes an infected program's date and time stamp to "8-17-88 2:08a".789When active on Friday, the virus hides files.No information available.The virus formats an extra track on the floppy disk and places itself in that space. Corrupts FAT. Displays a message in Swedish.Swedish 709Infected programs' size increases by 709 bytes.Displays a message to send your artwork via Fax.May attempt to print the message "Copyright 1992 by Fisher . PUNK-ROCK && BEER FOREVER".The virus only infects programs that are larger than 500 bytes. When the virus is active after June 1990, the screen flickers at seven-minute intervals.OmicronWhen the virus is active between 16:00 and 16:59 on the second of any month, the screen may be "flipped" upside down.This virus becomes memory resident and infects .com and .exe files. It also corrupts boot sectors and partition tables.880When the virus is active on November 11th, the message "FLOWER..." appears.Infected programs contain the text "*.exe". The virus sometimes corrupts the data as it is written to disk.On the 18th of any month, the virus plays a clicking sound whenever a key is pressed. The virus contains the text: "The FORM-Virus sends greetings to everyone who's reading this text. FORM doesn't destroy data! Don't panic!"Form II, Form.StirThis Form virus variant contains the text "STIR!"This virus appends its encrypted code to the end of COM and EXE files. It is memory resident.Disables LPT1-LPT4 between October and December of any year after 1991.The virus zeros out the partition information in the master boot sector and stores the original sector in an encrypted form. Using FDISK /MBR will leave the hard drive corrupted.Infected programs contain the text "Freddy Krg". Infects COMMAND.COM in a way similar to the Lehigh virus.Infects files recursively in all directories, starting with the root.Freew-692When the virus is active in 1993, the message "Program terminated normally" appears. Contains the text "Freew".South African, Virus BWhen the virus is active on Friday the 13th, an infected program is deleted when it runs.European Fish, StealthThe virus causes flickering of the screen. When the virus is resident, the computer's memory contains names of fish.4096, 4K, Century, Stealth, IDFWhen the virus is active on Sept. 22, the message "FRODO LIVES" appears. A cold boot may be required after running an infected program. Can corrupt data files. The virus does not function with DOS 4 or higher.Frog's AlleyWhen the virus is active on the 5th day of any month, the message "(V) AIDS R.2A-Welcome to Frog's Alley!,(c)STPII Laboratory-Jan1990" appears.TypoThe virus inserts typos that appear in the printout, but it does not affect the screen or data files.ZK 900, Death MarchThe virus plays a funeral march and then causes the computer to reboot. The virus changes an infected program's date and time stamp.Infects EXE files on execution. Infected files grow by 813 bytes.When active on the 29th of any month, the virus overwrites a sector on the current drive. Infected programs contain the text "GEEK".This program installs itself in the Windows registry. It changes the caption in each open window. There is no repair for this file. It must be deleted. The entry in the registry must also be removed.Nuke.1680, NGV.1216, NUKEGVThis virus infects the first uninfected COM file in the current directory. The virus overwrites all or part of the original file, rendering it unrepairable.The virus reinfects previously infected programs and destroys programs smaller than itself. The virus changes an infected program's date and time stamp.Polymorphic memory resident virus. Fast infector that will infect files greater than 1000 bytes.This is a memory resident virus. This virus infects EXE files. The virus is 792 bytes long and appends to files.Bad Seed,Gingerbread,Gingerbread ManThe following text strings can be found in the virus body on Side 0, Track 0, Sector 2 on the hard drive: "PTT (You can't catch the Gingerbread Man!)" "Bad Seed - Made in OZ!" Ginger does little more than replicate.Bad Seed,Gingerbread,Gingerbread ManInfects the hard disk boot sector by changing partition table. It has one flaw in that at assumes the clean boot sector is always at Head 0, Cylinder 0, Sector 1, so if it isn't the virus may make the drive unrepairable.Prints "Runtime error 213" and hangs the computer. Contains several file names and the text "users.bbsfiles.bbs."The virus displays the names of the programs it has infected. May print a long message in German that starts "Dies ist ein Demonstrations-Computervirus !"A cold boot may be required after running an infected program. Infected programs contain the text "Glo" and "Virus 3 M.00".Grand YorkThe virus damages the sectors in boot and partition records.Win.Gollum GollumIIInfected DOS EXE drops a file called GOLLUM.386 in C:\windows\system directory and adds DEVICE=GOLLUM.386 in [386ENH] section of C:\WINDOWS\SYSTEM.INI file. You need to delete GOLLUM386 and edit SYSTEM.INI file.Win.Gollum GollumIIThis is the GOLLUM.386 file that Gollum.7167 drops in C:\windows\system directory You need to delete GOLLUM386 and edit SYSTEM.INI file to remove the DEVICE=GOLLUM.386 line.This is NOT a virus. It is a trojan horse that allow malicious users to have unauthorized access to your computer.Contains a message in Russian.When the virus is active from January through June, it just spreads. From July through December, it interferes with printing functions, sends the contents of the screen to the printer, and creates a hidden file named "G OT YOU".Infected programs contain the text "GOTCHA!" This virus loads itself into memory, then infects .com and .exe files when they are executed. Infected files contain the text: [School.1st_grade] by [LittleJ], (R) 1996..Dedicated to JohnyDutch 1039, 1012+27, 1039A cold boot may be required after running an infected program. Sometimes the message "GRAPJE!" appears.1575, 1577, 1591, FindAbout two months after initial infection, a green caterpillar may appear and move across the screen. The program's time and date stamp are changed.Flashes the "subliminal" messages "grog4ever" and "razor" on the screen.The virus contains message "GROG 4EVER! GROG v3.1 (C) '93 by GROG - Italy"Contains the text "OUTWIT" and "(C) '93 by GROG - Italy S."267+The virus increases file size by one byte with each infection.The virus corrupts data files. Contains encrypted text in German, including the phrase "Grune Partei der Schweiz".Contains the encrypted text "+ALLERBMU NORI+ (C)1991 by SMAUG" and says it was programmed in Germany.The virus changes an infected program's date and time stamp. When COMMAND.COM is infected, the computer will fail to boot. The message "Bad or Missing Command Interpreter" appears.When infected files are executed, a worm goes across the screen, and the text, "BUEN DIA!!! Yo Soy un GUSANO" is displayed.When COMMAND.COM is infected the computer will fail to boot. When the virus is active, the message "Bad command or file name" appears, and then the DOS prompt returns.When the virus is active, the message "HA!" appears in large characters.This is a trojan horse program that attempts to gain access to other system. You must delete this file. You may also have to remove its entry in the Windows Registry. This is similar to NetBus and BackOrifice.The virus overwrites the hard disk.HafenInfects EXE files and "drops" the Ambulance virus into COM files.The virus changes an infected program's date and time stamp. Infected programs contain the text "HAIFA VIRUS V1.12".The virus changes an infected program's date and time stamp. This is a variant of the Haifa virus.This boot sector virus infects Master Boot Record (MBR) and Floppy Boot Record. It sometimes prints "HAL 3001" message while booting.HalloThe virus infects programs larger than 5120 bytes. It does not infect programs with a date other than the current month or year. Keyboard input appears garbled.Happy HalloweenWhen active on October 31st, the virus creates a 10,000 byte file with no file name. The error message "Runtime error 150 at 0000:0AC8" appears.When the virus is active, the message "Thank you for running the Happy virus..." appears. The virus changes an infected program's date and time stamp.I-Worm.HappyThis worm modifies WSOCK32.DLL to send itself as attachment when a posting is made to USENET or MAIL. Delete SKA.EXE and SKA.DLL in WINDOWS\SYSTEM folder and replace WSOCK32.DLL with WSOCK32.SKA in WINDOWS\SYSTEM folder.Worm.BadassThis worm displays an insulting message box while sending itself using MS Outlook in the background. The message box has an unclickable NO button that moves around when clicked.Worm.PassionThis worm is similar to W32.Badass.24576 and W32.MyPics.Worm. It usually comes as ICQ_GREETINGS.EXE It uses MS Outlook to email itself out.Worm.VideoThis worm is similar to W32.Passion.27648. It usually comes as VIDEO.EXE It uses MS Outlook to email itself out.Worm.NewaptThis worm uses MS Outlook Express or Netscape Mail to mail itself out. It uses several names for the attachment.Nina-2Fails to correctly infect COMMAND.COM in some DOS versions causing boot failures. Contains the message "Dear Nina, you make me write this virus; Happy new year!"When the virus is active, the message "Your PC is alive and infected with the Harakiri virus!" appears. This virus will infect the master boot record and floppy boot records. It is polymorphic and will also infect files.HaryWhen the virus is active, the message "WeLcOmE tO hArY aNtO" appears. The virus changes an infected program's date and time stamp.KlaerenThe virus cannot infect files larger than 4096 bytes. Infected programs contain the text "Klaeren..."This Trojan writes a boot sector that checks the date in CMOS. After 5 months there is a 1 in 4 chance on each boot that 128 sectors of the hard drive will be overwritten and the CMOS zeroed out. The Trojan also modifies FORMAT.COM.May type the message "Headcrash Industries celebrate 001F hex". This is a direct infector of COM files. On the first of each month, it displays graphics and text on the screen, and beeps. It sometimes corrupts files.1376Infected programs contain the text "HELLWEEN???!!"When the virus is active, programs smaller than 65536 bytes return to the DOS prompt. The message "Program too big to fit in memory" appears.923When the virus is active, the message "Hey, YOU!!..." appears, and then the DOS prompt returns.Gomb, GMBInfected programs contain the encrypted text "HARD HIT && HEAVY HATE the HUMANS".The virus changes an infected program's date and time stamp. Contains the text "Hi."The message "Hi! boy. Do you know 'hide-and-seek'?..." appears.Infected files contain the text "sDos" near the start of the virus code.When the virus is active on the 29th of any month, the message "Highlander 1 RULES!" appears 21 times. A cold boot may be required after running an infected program.When the virus infects COMMAND.COM, the theme song from the Hitchcock TV program is played five to ten minutes after the computer starts up.This virus is erratic. Infections (companion .EXE files) contain code for the virus, but also contain random code at the end. As a companion virus, simply delete all infected files.When active, the virus emits beeps.The virus creates a COM program with the same file name as an EXE program. The COM program is hidden from a normal directory listing.Sauna.EXE files are usually hidden by an attribute change, but a bug in the virus code will sometimes cause this attribute change to fail.This virus was written in a high level language. It spreads by overwriting the target program.Execution of an infected file will first infect other files, and then overwrite itself with the text: "Dangerous Messanger was here!". The overwritten file is then deleted.HTML.InternalThis virus attempts to infect HTML files. The virus must be viewed by a VBScript capable browser locally and will only infect local *.HTM and *.HTML files. The virus prepends its VBScript code to HTML files.This virus infects HTML files. The virus must be viewed by a VBScript capable browser locally and will only infect local *.HTM, *.ASP, *.HTT and *.HTML files. The virus drops files buz.dll and microbuz.com.No information available.This is a DOS virus. The virus loads itself into memory and infects COMMAND.COM. This allows the virus to infect files when they are executed. Infected files contain the string "I'm very sorry, today is my holiday."A Prepending 4676 byte virus that was written in a High Level language. The virus encrypts the original host with a very complex algorithm.May display the message "This is HORROR!" and erase sectors on the hard drive. A cold boot may be required after running an infected program.Naughty HackerThe virus scrolls the screen and emits a buzzing noise. Pressing keys produces a clicking noise. Contains the text "Sophia" and "(c) Naughty Hacker."The virus moves a floppy disk's original boot record to the last sector. Any data located there is lost.Infected programs do not function properly and then the DOS prompt returns. Infected programs contain the text "*HOUSEVIRUS*."When the virus is active on November 7th, the message "Format ..." appears, and then the hard disk is formatted.The message "HYDRA..." appears. The virus changes an infected program's date and time stamp. May delete COMMAND.COM or EXE files.When the month and day number are the same (1/1, 2/2, etc) the virus destroys the hard drive boot sector, plays music, and displays boxes with the message "USSR ViruSoft (c) v1. 1990."The first time an infected file is run the virus moves itself into memory. From memory the virus infects programs as they are run.1 in 10When the virus infects a program on a 10MB hard drive, it marks one unused FAT entry as bad.This trojan sends users to a web page,http://download-icq2000.hypermart.net/, and sends mail to people on the users icq contact list directing them there as well.This is a Trojan Horse type program designed to steal passwords used with the ICQ program. If found, it should be deleted.This is a an ICQ password stealer. It needs to be deleted. To clean, delete the file C:\WINDOWS\WINRSX.EXE and remove C:\WINDOWS\WINRSX.EXE from the C:\WINDOWS\WINSTART.BAT file.This is a an ICQ password stealer. You should delete this file and "C:\WINDOWS\WINSTART.BAT" that it drops.This trojan will drop itself in Windows directory. Then it will modifies the "win.ini" and the registry HKLM\Software\Microsoft\Windows\CurrentVersion\Run to run the dropped file at Windows startup.This is a an ICQ password stealer. It needs to be deleted. To clean, delete C:\WINDOWS\WIN32S.EXE, and remove any occurrences of win32s.exe from the registry, WIN.INI SYSTEM.INI.This file creates a copy of itself named SYSTEM32.EXE, places it in the WINDOWS\SYSTEM directory, and modifies the registry to launch it file upon startup.This file creates a copy of itself named IEXPAND.EXE, places it in the WINDOWS\SYSTEM directory, and deletes the original executable. It then runs as a service until the machine is rebooted.IerThe virus changes an infected program's date and time stamp. The message "Mulier pulchra est... St. Ieronim" appears.The virus changes an infected program's date and time stamp. The message "Mulier pulchra est... St. Ieronim" appears.When the virus is active, the message "DON'T COPY IT and now ... I AM ILL!!" appears and beeps are emitted.The virus changes an infected program's date and time stamp. Infected programs contain the text "INCOM".No information available.Every third infection displays a message in Russian. A cold boot may be required after running an infected program.This "Backdoor"-type trojan listens for incoming connections on TCP Port 146. This program may allow unauthorized access to your computer and should therefore be deleted.This virus loads itself into memory and infects other files when they are run. Once decrypted, it contains the text "Inferno is unleashed Goodluck!" Installs the file info.com (which is actually a windows PE-type EXE file) in c:\windows and sets it up to execute when the system is booted.No information available.Infected programs' size increases by 160 bytes.The virus will infect only under DOS 3.3. Corrupts COMMAND.COM.LabelThe virus infects programs with the COM extension when they are accessed using the DOS DIR command. Infected programs contain the text "Int 13".This is a boot sector virus which infects floppy disk boot sectors and the master boot record of your hard drive. Floppy diskettes which are infected may hang the computer when used as a boot disk.This is only and intended virus and not an active one. The code does not execute properly which prevents it from replicating. Files detected as such will still run properly.1381, Internal ErrorWhen the virus is active 90 days after the original infection date, the screen information is garbled and the message "INTERNAL ERROR 02CH..." appears.Searches directory trees on all logical drives for EXE files to infect. Contains the text "\*.EXE". A cold boot may be required after running an infected program.Invol, vansiOn the 19th of any month, the virus will destroy the FAT on the C: drive and display a message thanking the user for his or her "involuntary cooperation."Ionki 231The virus changes an infected program's date and time stamp. May print a message in Russian.Infected programs contain the text "????????COM" and "IPER".This file is an INI file used by mIRC. This file can spread to other IRC users and contains malicious code. This file is only active when using mIRC. This file should be deleted.This worm will send it self to other users in IRC.This trojan performs some IRC functions, drops itself in "c:\windows\system\srvcp.exe", and adds itself in the registry "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"This file is an INI file used by mIRC. The file executes its instructions when connecting to mIRC and sends a trojan horse program to other users. You must delete this file.August 16thInfected programs contain the text "=!= IRON MAIDEN". After August 16th, 1990 the virus may erase two random disk sectors.Istanbul.1367 Istanbul.1349This virus loads itself into memory once it is executed. It infects other files once they are run. It contains the text "Written in the city of Istanbul".3880After being active for 24 hours, the virus overwrites the boot record.Itti-AThe message "EXEC failure" appears, and then the DOS prompt returns. A cold boot may be required after running an infected program.BubblesThe messages "Bubbles Virus" and "[IVP]" appear.A big picture of a car with the letters HI appear. This infects COM and EXE filesJW2The message "BEWARE THE JABBERWOCKY!" appears.This virus modifies the partition table to point to the virus sectors on track 0. These virus sectors then load the original boot sector after they've gone memory resident.Christmas in JapanWhen the virus is active on December 25th, the message "A merry christmas to you" appears.The virus changes an infected program's date and time stamp.June 7Infected programs contain the text "Jeff is visiting your hard disk."The non-standard Jerusalem viruses are resident infectors of COM and EXE programs.PLO, Israeli, Friday 13th, 1813When the virus is active on Friday the 13th, running programs are deleted. After 30 minutes the computer slows down and the screen scrolls up two lines.Captain TripsThe virus plays tricks with the screen display.Frere JacquesWhen the virus attempts to infect programs, the computer simply stops and data is lost. When the virus is active on Friday the 13th, the virus plays the "Frere Jacques" tune.2080, 2086, Fu ManchuWhen the virus is active and you press Ctrl+Alt+Del, the message "The world will hear from me again!" teletypes across the screen before the computer reboots.Moctezumas Revenge, CiudadoWhen COMMAND.COM is infected, boot failures occur. The virus may infect DOS hidden system files.MummyVariants contain a version number and the encrypted text "Kaohsiung Senior School Tzeng Jao Ming presents". A cold boot may be required after running an infected program.PcVrsDs, PCVWhen the virus is active on Monday the 23rd of any month, the virus formats the beginning of the hard disk and deletes programs when they are accessed.Jerusalem.SundayInfected programs contain the text "Today is SunDay! Why do you work so hard?..." This message is never displayed due to a bug in the virus.Argentina, Suriv 1, April 1.COMWhen the virus is active on April 1st, the message "APRIL 1ST HA HA HA YOU HAVE A VIRUS" appears.The Jerusalem.Suriv1 family infects only COM files while most Jerusalem viruses infect both COM and EXE files.April 1.EXE, Suriv 2When the virus is active on April 1st, the message "APRIL 1ST HA HA HA YOU HAVE A VIRUS" appears.Jerusalem, Israeli, SurivWhen an infected program is run on Friday the 13th, a black window appears within 30 seconds.Slow, Jerusalem.1716.A (x)May cause the system to slow down. A cold boot may be required after running an infected program.Something, Water, 621When the virus is active on Friday the 13th, the message "Something wonderful has happened, your PC is alive..." appears.WabikThe virus overwrites EXE programs, and silly messages like "Water detect in Co-processor..." appear.Joker 2The virus infects programs smaller than 9000 bytes. A cold boot may be required after running an infected program.This virus goes memory-resident, and then infects by appending itself to EXE programs when they are run.Infected programs contain the text "Release date 12-22-1990..." The virus only infects programs when they are run.788 byte direct action infector. The text in the virus claims that you must restore your files from backup, but this is not true. The virus can be repaired.This password stealer trojan drops "C:\Windows\System\sysed.exe", modifies the win.ini, system.ini and the "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" registry key to run "sysed.exe" at Windows startup.This is a polymorphic virus that infects only *.COM files. It will target files in the c:\dos directory as well as others.The virus infects programs larger than 1201 bytes. When the virus is active on July 13th of any year, a bouncing ball appears.Pretoria, JuneWhen the virus is active on June 16th, the virus changes all the root directory entries to "ZAPPED".Infected programs contain the text "Jr".Panic.398It infects one COM file in current directory at a time. When no more COM file left uninfected, the virus erases random disk sectors. It displays "Don't panic it ! It is just a virus exist in your system!"Contains the text "AND JUSTICE FOR ALL" A cold boot may be required after running an infected program.Drops TEMP$01.EXE in \Windows and \Windows\System. It also drops TEMP#01.EXE in \Windows. These files should be deleted, as well as the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"TEMP$01.task"When the virus is active, the message "VDV 91" appears. Infected programs contain the text "I don't like mondays..."KamikazeInfected programs contain the text "kamikaze". A cold boot may be required after running an infected program.Anti-Tel, Campana, Spanish TelecomAfter 401 boots, the virus overwrites all sectors on the first and second hard disks with garbage as it displays the message "Campana Anti-TELEFONICA (Barcelona)." The file virus drops the Kampana boot virus.RedstarWhen the virus is active on October 23rd, the message "Karin hat GERBURTSTAG" appears.Once executed, the virus gets loaded into memory. It infects other files when they are run. Files infected with this virus can be repaired.May print a garbled message ending with the clear text "- 4 KELA".USSR, V257The virus changes an infected program's date and time stamp. The message "????????COM Path not found" appears.Turku, TwinsAfter the virus is active for 30 minutes, keystrokes are repeated. The text "OOOOOOOOOOOOOOOO" appears and beeps are emitted.Turku, Samsoft, Saddam, MubarkAfter the virus is active for 30 minutes, keystrokes are repeated. The text "OOOOOOOOOOOOOOOO" appears and beeps are emitted. Variants of the original contain various text messages.Keyboard Bug, KBD Bug, KeyBug 1596The virus interferes with keyboard input. A cold boot may be required after the DOS COPY command is used.483, Keiv 483Infected programs contain the text "Kiev 1990".This trojan is distributed through illegal copies of Windows 98 and activates its destructive payload starting January 1st, 2000.This trojan drops a file named C:\Windows\WINDOWN.EXE and modifies C:\Windows\SYSTEM.INI to load itself during the boot process.Standard encrypted resident EXE and COM virusStandard encrypted resident EXE virus.When the virus is active on Friday the 11th, the message "Sam Kinnison 1954-1992..." appears. The virus interferes with keyboard functions.Infected programs contain the text "Copyright 1991-1999.KIT VIRUS (version 2.0)".Kiwi 550Infected programs contain the text "I'm KIWI-586.(C) Vegetable-Soft.DOS AIDSTESTP".KLF-356Infected programs contain the text "KLF" and "The KLF3".May corrupt COM files it tries to infect. Contains the text "Ko".The message "-=+ Kode4 +=-, The one and ONLY!" appears.An overwriting version ot the Kode4 virus.Dr Qumak IIContains an encrypted message, including the text "IT IS DOCTOR QUMAK II!"Attempts to run programs from a write-protected disk result in write protect errors. When the virus is active on May 20th of any year, the message "Today is my birthday" appears.TurboThe virus changes an infected program's date and time stamp. Infected COMMAND.COMs will not function. When the "Print Screen" key is pressed it displays the message "Turbo Kukac".Kuku-448The message "Kuku!" appears in colorful boxes all over the screen.Prepending memory resident virus that only infects .COM files.This virus infects SYS files. It appends itself to the end of SYS files when device drivers are loaded.Infected programs contain the text "Larry on a Screen".No information available.The virus changes an infected program's date and time stamp. A cold boot may be required after running an infected program. Contains the text "[ lazy ]".USSR-516Infected programs' size increases by 516 bytes. The virus does not modify the host file beginning as other viruses do. It redirects execution to itself later in the host.Leech2, ToplerThe virus infects programs larger than 10240 bytes. When it infects programs with a time stamp of 12:00, the time disappears.Lehigh UniversityThe virus only infects COMMAND.COM. After four infections, it overwrites the first 32 sectors of the hard disk.SovWhen the virus is active on Friday the 13th, the message "That could be a crash, crash, crash!" appears.This virus loads itself into memory and appends its code to COM and EXE files that are executed. It contains the text "(c) Leonard. Constanta, Romania"News Flash, Leprosy 1.00When the virus is active, the following message appears "NEWS FLASH!! ...infected with LEPROSY 1.00..."The virus changes an infected program's date and time stamp. The error messages "Exec failure" and "Too many files open" appear.Tormentor 205The virus changes an infected program's date and time stamp. The error messages "Exec failure" and "Too many files open" appear.No information available.MysticThe virus changes an infected program's date and time stamp. Infected programs contain the text "-MYSTIS-COPYRIGHT (C) 1989-2000..." and "SsAsMsUsEsL".This is a polymorphic boot virus. In some cases, it will print out a poem upon hitting PrintScreen key. The virus is stored in more than one sector on the hard drive or floppy diskette.Infected programs contain the text "(C)Rom1Soft(LipPI)1991".Little GirlSometimes the following message appears: "File was destroyed by virus Little girl ver 2.00". Attempts to run programs from a write-protected disk may result in write protect errors.Infected programs contain the text "Little Brother" and "EXE COM".Little PiecesWhen the virus is active, the following message appears: "One of these days I'm going to cut you into little pieces".VCL.Gabber.7428 CodeRed.7428It searches for all COM files in the drive and infects them. Encrypted message: "The Code_Red Virus Has Stopped Your System"Infected EXE's drop a file called LZD.VXD in C:\windows\system\iosubsys When Windows 95 loads, LZD.VXD goes resident and attempts to infect other EXE files. LZD.VXD should be deleted from the ...\iosubsys directory.MerdeA cold boot may be required after running an infected program. Contains the text "Loki".No information available.Reboot PatcherThe time stamp on some infected programs disappears. The virus may modify programs so that they reboot the system when run.This is a polymorphic virus that infects COM and EXE files. The virus places the text "Lord of the Dance" and a message in German at the end of infected files.The virus may modify EXE programs in such a way that running them will erase sectors on the hard drive. Contains the text "LoveChild in reward for software sealing". Note that "stealing" is misspelled.Lowercase, LCVInfected programs' size increases by 864 bytes.The virus changes an infected program's date and time stamp. It interferes with printing.This is a Trojan Horse program which creates lots of file in the windows system folder \WINDOWS\SYSTEM\. These files are based on "?hp???b.dll" naming pattern, where "?" represent any character.Infected programs contain the text "*.COM".This virus infects the MBR on the hard drive, boot sector on floppy, and DOS EXE files. Sometimes it displays the text message on the screen: "hello! This is <Lung-Hua 1.0> virus....."The virus only infects COMMAND.COM and changes the program's date and time stamp. May play a series of beeps.This is a boot sector virus. It will copy over the master boot record and boot records of floppy disks. You may experience the inability to access your hard drive.This is a direct infector that seaches and infects all COM and EXE files in all drives.Lycee, LyceumThe time stamp on some infected programs disappears or is changed to 00.Lycee, LyceumThe time stamp on some infected programs disappears or is changed to 00. After a period of no keyboard activity the virus a red box on the screen with a Russian message that ends "133-20-60".When the virus is active, the message "MacedoniaToTheMacedonians" appears.334The virus changes an infected program's date and time stamp. Contains the text "Made in England".The virus infects all programs with the EXE extension. The message "Madismo Strikes Again!" appears and the virus changes the program's date and time stamp.Infected programs' size increases by 323 to 491 bytes.No information available.2560Infected programs' size increases by 2048 to 2560 bytes.MagnitogorskInfected programs contain a derogatory message to a known antivirus writer. The virus infects programs larger than 2048 bytes.In addition to infecting programs when they are accessed or run, this virus infects programs when they are accessed using the DOS DIR command.Infected programs contain the text "Welcome into the virus..."This virus writes over portions of an infected file, rendering it unrepairable.Malign-575In addition to infecting programs when they are accessed or run, this virus infects files when they are accessed using the DOS DIR command. The virus changes the seconds field in an infected program's time stamp to "01".Maltese AmoebaWhen the virus is active on March 15th and November 1st, the first four records of the hard drive are overwritten. Infected programs contain a poem and a message about the University of Malta.The virus interferes with printing.Infected programs contain the text "Soy un Manuel Virus de tipo C".When active on February 2nd, the virus overwrites all programs in the current directory the with the text "= [Marauder] 1992..."Infected programs contain the text "MATURA '92".Jews2When active, the virus emits a static-like sound. At 30 seconds to the hour, it plays music and beeps. Contains the text "Jews-2 Virus. MSU 1991".An infected program's time stamp disappears. A cold boot may be required after running an infected program.GuruInfected programs contain the text "Software Failure. Task Held. Guru Meditation #456789:#34567?????"No information available. Meth.1536, Bap.1536This program will drop a virus (See TD.1536). This virus infects files and the MBR. Since, this file is a dropper, it should be deleted. Meth.1536, Bap.1536This virus infects files and the MBR. This virus goes resident and also attempts to infect c:\windows\win.com. This virus will attmpt to delete c:\windows\system\iosubsys\hsflop.pdr which may disable your floppy drive. TD.1536.2 (b)This virus infects files, MBR and floppy disks. This virus goes resident and infects files that are executed.This virus infects files, MBR and floppy disks. This virus goes resident and infects files that are executed.This is a trojan horse type program and should be deleted.A cold boot may be required after running an infected program.The virus changes an infected program's date and time stamp. Sometimes the message "????????COM Path not found" appears.The virus sometimes displays a bouncing ball.The virus changes an infected program's date and time stamp. It remains resident in the first memory segment, so total available memory is not affected.Infected programs contain text saying the virus was written by Cracker Jack, in Milan, Italy.This virus is a direct infector. It infects COM files.TrivialThe virus changes an infected program's date and time stamp.The virus changes an infected program's date and time stamp.The virus may corrupt the data in dBase files with the extension DBF.Occasionally the virus displays a mirror image of what was previously on the screen.LockUp, LK, Mithrandir IIIThe virus changes an infected program's date and time stamp to 24MAR23 2:17a.The virus alters output to the printer and the NumLock key, and may display a bouncing ball.Ghost-1447The virus changes an infected program's date stamp to 13JUL82. Contains the text "MINSK GHOST,1991".08/15, Many FingersWhen the virus is active after November 11th, 1990, the following message appears: "CRITICAL ERROR 08/15: TOO MANY FINGERS ON THE KEYBOARD ERROR".Windows PE EXE worm that copies itself to the \WINDOWS directory.1063On computers with monochrome monitors that have 80-column and 25-line displays, the virus deletes files when infected programs are run.Agiplan, Agi-planThe virus starts corrupting data after being active for several months. May display the message "Load error" and contains code to erase data on all disk drives.Morphine.AThis polymorphic virus will randomly display an inverted cross with blood running down the screen. The infected computer will have to be rebooted at this point.The virus changes an infected program's date and time stamp. Infected programs contain the text "(C) MPS-OPC 1991 v#.#".Infected programs contain the text "Mr.Virus Ver. 1.10".The virus changes an infected program's date and time stamp. The virus causes reboots.PalestinianThe virus changes an infected program's date and time stamp. Contains a political message.Overwrites all EXE files in the current directory and may corrupt the C: drive. Displays the message "The Midnight Serial Killer is roaming in your computer...Beware! [JD]".Overwrites the first found COM file in the current and parent directory. Overwritten programs contain the text "mainman" in the beginning of the file.Appends virus to the first found COM file in the current and parent directory. Increases filesize by 213 bytes.Infected programs contain the text "This program was written in MSTUm 1990".Mutation Engine, DAMEThe MtE (Mutation Engine) is an encryption technique used by virus writers to make a virus polymorphic. Polymorphic viruses make detection more difficult.This virus corrupts the boot sector in unrepairable way. Some times if the corruption is not too much the virus can be removed by using SYS.COM file under C:\DOS or C:\WINDOWS\COMMAND.Face, MFaceThis virus infects the first .SYS file associated with a DEVICE= line in your CONFIG.SYS. Subsequent bootup starts infecting executables.Face, MFaceAttempts to run programs from a write-protected disk result in write protect errors. When the virus is active, multiple smiley faces sometimes appear.The virus contains two of the Tiny viruses and may release them. Contains the text "MultiVirus(R), Release 1.0". The virus changes an infected program's date and time stamp.When active, the virus displays multiple messages. A cold boot may be required after running an infected program. Infected computers may experience boot failures.A group of viruses based on released source code. Most variants contain messages and some display them.PatriciaContains a message to virus researcher Patricia Hoffman.Arka, ArkanoidA cold boot may be required after running an infected program. Infected programs contain the text "THE MVF-FILEVIRUS..." It is detected as Cascade in memory, having similar characteristics.Contains the text "MX".Contains the text "*.COM Nazgul". A cold boot may be required after running an infected program.The virus changes an infected program's date and time stamp. The message "PARITY ERROR ADDR (HEX)..." appears. A cold boot may be required after running an infected program.This trojan horse uses NetSphereClient.exe. The server program is called nssx.exe and is placed in the c:\windows\system directory. A value named "NSSX" is added to the Run registry that launches the server.B1NYB is a fairly generic MBR and Floppy Boot Sector Infector. It goes resident, but does not destroy anything intentionally. However, some floppies have been reported as corrupted.1963, OverwriteInfected programs' size increases by 1963 bytes.GnoseWhen active on November 21st, the virus beeps and displays a message. The message includes the phrase "Happy Birthday, Necros!"Raadioga.1000This is a fast infector that infects *.EXE on currect directory. On March 10th, it displays "HAIGUSTE RAVI KONTROLLITUD VAIKUSE PIMEDUSE JA RAADIOGA"The virus interferes with printing by changing 0 to 9, 8 to 1, etc.Infected programs contain the text "Mutant Ninja Version 2.0..."A cold boot may be required after running an infected program. In addition to infecting programs when they are accessed or run, this virus infects files when they are accessed using the DOS DIR command.Oi DudleyThis virus contains the following encrypted text string in its viral code: "<[Oi Dudley!][PuKE]>"1024-B, NomenThe virus corrupts data and programs by swapping FAT entries. Contains the word "Nomenklatura".Milous, CadkillAt noon the virus beeps 6 times. Contains the text "byMH&&MHsoftware" in an encrypted form.Infected programs' size increases by 586 bytes.855, November 17thInfected programs contain the text "SCAN.CLEAN.COMEXE". When the virus is active on November 17th, the virus overwrites the hard disk.440When the virus is active between January 01, 1980 and September 30, 1980, the message "No Bock today error. System halted" appears. A cold boot may be required after running an infected program.Evil GeniusWhen the virus is active on the 18th of any month, the hard disk is overwritten. Contains the text "Evil Genius V2.0".This is a trojan program that seems to be used with a program named NETSPY.EXE When executed, it can be used to allow unauthorized access to your computer. Please delete this file.The virus changes an infected program's date and time stamp. The message "This file Has Been Infected by Number One! XXXXXXXX.COMinfected" appears.The virus changes an infected program's date and time stamp. Contains the encrypted text "(c)Nygus v2.0".The virus changes an infected program's date and time stamp. This is a much smaller, unencrypted version from the Nygus family.Text message, encrypted within Neuroquila's virus body: "GRIPPED-BY-FEAR-UNTIL-DEATH-DO-US-PART."V-512, 666Infected programs contain the text "666".1961, Yankee 2, BanditzThe virus plays the "Yankee Doodle" tune after infecting a program.Reset, Friday-13th-440When the virus is active on Friday the 13th, an omega symbol appears, and then the hard disk is overwritten.4915A cold boot may be required after running an infected program. Infected programs contain the text "ondra.dat".Attempts to avoid detection by toggling a bit in the decryptor on each infection.SBCInfected programs' size increases by 1024 bytes. The virus is based on the Ontario.512 virus, but with full stealth and polymorphism added.Infected programs' size increases by 696.This is a trojan horse type program and should be deleted.Infected programs contain the text "Orion System".MusicSometimes the virus plays three melodies repeatedly.When the virus is active on Friday the 13th, running programs are deleted.Otto6Infected programs contain the text "OTTO6 VIRUS..."May print a message in Russian.Infected programs' size increases by 1589 bytes. There is a large block of zero byte "padding" near the end of the virus.Memory resident virus which appends to the end of files.TCCThe virus may modify the starting cluster on files, making them useless. An infected COMMAND.COM may not run. Contains the text "IBMBIO COMIBMDOS COMAUTOEXECBATCOMMAND COMSYSEXECOM".Generic 1When the virus is active, the message "PARITY CHECK 2" appears. A cold boot may be required after running an infected program.Pascal 3072Infected programs' size increases by 3072 to 3199 bytes.Pascal 7808Infected programs' size increases by 7808 bytes.This virus infects all the EXE and COM files in the current directory. It also deletes and replaces the WIN.COM file in WINDOWS directoryThis virus is memory resident and infects EXE and COM files.This virus is memory resident and infects EXE and COM files. If banner.exe is detected, it must be deleted.Worm.DmSetup.EThis virus creates numerous directories that contains non-English like characters in C: folder. It also modifies the C:\Autoexec.bat to invoke itself when windows start up to reduce the system's performance.This virus overwrites the .COM files in the current directory and also displays a message saying "Incorrect DOS version" when executed. You should either delete the infected files or replace them with new copies.VHP-547, Vienna-547A cold boot may be required after running an infected program. Random characters may appear.The virus finds a program, renames it to PATHHUNT, infects it, and then returns the original file name. May damage DBF files.FluA cold boot may be required after an infected program is run.Flu-2There are a group of polymorphic viruses based on PC-FLU.1677, Plaice, PC Byte BanditThe virus changes an infected program's date and time stamp. Infected programs contain the text "PCBB". A cold boot may be required after running an infected program.The virus attacks the Central Point AntiVirus product by deleting a critical file. Sometimes a reboot occurs.Pemp.1943When an infected file is executed, this file loads itself into memory, infecting any .EXE file that is subsequently run.Sorry, G-VirusThe virus may ask a question, and if the answer is not "4711", the program will not run.Sorry, G-VirusInfected programs from the Perfume.Sorry variant contain the text "G-Virus".Beta, CloudInfected programs' size increases by 1117 to 1168 bytes. Contains an encrypted poem.When the virus is active, the message "The PHANTOM Was HERE-Sorry..." appears. The virus may shift the image to the middle of the screen.Win32.PhaseThis is a hacker's remote administration utility similar to BackOrifice. It allows someone to administrate the affected computers from remote console, to steal files, to damage installed software, etc.W32.PrettyParkThis worm comes as "Pretty Park.EXE" in email. You need to restore a registry entry as shown in: http://www.symantec.com/avcenter/venc/data/prettypark.worm.htmlWorm.ExploreZip(pack)This worm usually comes "Explore.EXE" in email. When executed, it gives out a fake error message that the ZIP file is invalid. See http://www.symantec.com/avcenter for detail info on this worm.This trojan is intended to corrupt files on your hard drive. It contains text suggesting the user's only option is to reformat their system.ProMailThis is a trojanized email client. It is a fully functional POP email client, but it has a hidden feature that sends your email account information to an anonymous email address.Live After DeathOne out of 256 infections that result in FAT entries being swapped.This program is just a spam demo of what Trojan programs can do. This file may be safely deleted. This .PIF file worm spreads using mIRC. It modifies C:\mirc\script.ini and will attempt to send itself to other IRC users from the infected users machine. This file should be deleted. This .PIF file worm spreads using mIRC. It modifies C:\mirc\script.ini and will attempt to send itself to other IRC users from the infected users machine. This file should be deleted. This .PIF file worm spreads using mIRC. It modifies C:\mirc\script.ini and will attempt to send itself to other IRC users from the infected users machine. This file should be deleted.Infected programs contain the text "PIF-PAF B v1.0 Nincs kegyelem!"This virus infects files with a .COM extension in the current directory, as well as the root directory.Infected programs' size increases by 4010 to 4200 bytes. Contains the strings "CHKLIST.MS" and "ANTI-VIR.DAT".After the virus is active for 15 to 30 minutes, a high-pitched noise is emitted.Polish 529Infected programs' size increases by 529 bytes.Amstrad, Cancer, Polish PixelThe virus changes an infected program's date and time stamp. Infected programs contain the text "=!= Program sick error:Call doctor or buy Pixel cure description".Play TetrisInfected programs contain the text "PLAY TETRIS, HI-HI-HI..."New 800The DOS CHKDSK program reports file allocation errors on all infected programs. Infected programs contain the text "(c) Damage inc. Ver #.#,Plovdiv,1991".Polish TinyAfter the virus infects a program, the DOS prompt returns. The virus changes an infected program's date and time stamp.No information available.Infected programs contain the text "pLuTto_B".This trojan attempts to steal PWL and ICQ passwords from the user's system. An animated program is executed to appear as if nothing harmful is happening.Infected programs' size increases by 1,919 bytes.Infected programs' size increases by 4,028 bytes.No information available.When the virus is active, the message "A le' jobb kazetta a POLIMER kazetta! Vegye ezt!" appears.Polish TinyAfter the virus infects a program, the DOS prompt returns. The virusThis virus will infect EXE and COM programs. The file size will increase by 513 bytes Infected programs contain the text "STRONG.POPPY"After the virus is active for 15 to 20 minutes, a program may be erased when run. Infected programs contain the text "POSSESSED!This companion virus copies itself into DOS\POWER.EXE, then searches for .EXE files and creates companion .COM files. The companion COM files executes POWER.EXE and then executes the host program.The Backtime virus causes the computer clock to run backwards. Contains the text "BackTime".The Blinker virus causes the screen to blink. Contains the text "Joker".A variant of BackTime that contains the text "Joker".Sometimes the Shaker virus causes the screen display to "shake". Contains the text "Shaker".When the virus is active on Fridays between 10:00am and 11:00am, the virus changes file names to 'PREGNANT' if they are accessed using the DOS DIR command. Infected programs with the time stamp of 12:00a are erased.When the virus is active, the message "Press any key" appears.When an infected program is run, a reboot occurs. Infected programs contain the text "Prime Evil! (C) Spellbound, Line Noise 1992".This trojan modifies registry entries to ensure execution at startup. It adds entries to WIN.INI and SYSTEM.INI and drops WIN32S.EXE in the \Windows folder.The virus interferes with printing. Infected programs contain the text "PrintMonster30".In addition to infecting programs when they are accessed or run, this virus infects files when they are copied. Contains the text "THIS IS YOUR PROBLEM !"Very simple direct-acting virus that appends itself to COM files. Contains the text "This file is infected with Project".Contains the text "File protection". May disable the mouse driver. A cold boot may be required after running an infected program.Infected programs contain the text "[PROTO-T by Dumbco, INC.]". A cold boot may be required after running an infected program.1024PrScr, Print ScreenWhen the virus is active, pressing the PrtScr key displays CMOS information on the screen instead of sending the screen display to the printer.1210When the virus is active on May 1st through May 4th, the virus interferes with disk writes, so that data is not saved to the disk.The PS-MPC family of viruses are generated by a virus production utility.Along with file infections this virus will also infect system's partition table.This virus will display following message when infected system is booted up between June 2nd and June 14th. "Un regalito para el JUAN XXIII y el CHICHE Viegas" and then the system hangs.No information available.This is not a virus but a Trojan Horse program. You must DELETE this file. This program targets Windows 95/NT users. It takes a user's password for their Internet Service Provider, and e-mails it to the trojan author.BackOrifice, Orifice.drThis is NOT a virus but a Trojan Horse program that may jeopardize your system's security. If a firewall is being used, your system should remain secured. Delete this file and its Win95 registry entry.This is NOT a virus but a Poland Trojan Horse program that may jeopardize your system's security. If a firewall is being used, your system should remain secured. Delete this file and its Win95 registry entry.BackOrifice 2000This is NOT a virus but a Trojan Horse program that may jeopardize your system's security. If a firewall is being used, your system should remain secured. Delete this file and its Win95 registry entry.BackOrifice 2000 InstallerThis is NOT a virus but an installer for BackOrifice2K.Trojan. See BackOrifice2K.Trojan.AOL Password Stealer PWSteal.Trojan.BThis is not a virus BUT a Trojan Horse program. DELETE this file! This program will send your password via email to its author. It is loaded via the WIN.INI [LOAD] or [RUN] line, or Windows Registry.This is a password stealer trojan. You should delete this file. Also delete it's dropped files "pvdslg.dll" and "pvdsdll.dll" from Windows\System directory.This is a password stealer trojan. You should delete this file. Also delete it's dropped files "winupdate.exe" Windows directory.This is a Trojan Horse program. This program will send your AOL password via email to its author. When executed this trojan will copy it self to "C:\aim.exe", "C:\Windows\temp\pkg####" and "office.exe" in the startup folder.IE0199 trojanThis is not a virus BUT a Trojan Horse program. DELETE this file! This program will install its DLL and program as MPREXE.DLL and SNDVOL.EXE in WINDOWS\SYSTEM directory.Backdoor.SPingThis is not a virus BUT a Trojan Horse program. DELETE this file!Backdoor.NoteThis is not a virus BUT a Trojan Horse program. DELETE this file! This program will send your AOL user info via email to its author. It is loaded via the WIN.INI [RUN] line as NOTE.EXE.This is not a virus BUT a Trojan Horse program. You must DELETE this file. This program may delete files or try to get your America Online account information.Drops C:\Autoexec.exe and adds "Eugenic"="C:\Autoexec.exe" to the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\RunThis trojan horse adds scanregw.exe/.dll/.dl to your WINDOWS\SYSTEM directory. It modifies the registry to load itself when the system starts. Delete the occurence of scanregw from your registry.This trojan horse drops winprotecte.exe, temp#01.exe and temp$01.exe into the \Windows directory, and adds a "Winprotect System" entry in the registry to load itself on startup.This is a trojan horse program that allows you to create a batch file which can be used to remap keys on the keyboard. You should delete this file.This is not a virus but a Trojan Horse program. When executed, the program drops wincore.exe, temp#01.exe and temp$01.exe into the \Windows directory. It also adds a "Wincore" entry in the registry to load itself on startup.This Trojan Horse simulates the installation of a virus which intends to delete the hard drive. "Hard Drive Deleted" flashes on the screen and a reboot is required to exit the program.This is Trojan Horse program. You must DELETE this file. When run, it will run hidden in the background, and may cause harm to your system.This is a Trojan Horse program. You must delete this file. When run it will pop up a window called unlock. It is actually just modifying the file "Autoexec.bat" to format the c drive and to run deltree on c:\.This Trojan Horse copies itself as \Windows\MSREXE.EXE, adds msrexe.exe to the "shell=" line in \windows\system.ini. You should delete the word msrexe.exe from this line.This Trojan Horse copies itself as \Windows\MSREXE.EXE, adds msrexe.exe to the "run=" line in \windows\win.ini, and modifies the registry to run itself each time the computer boots.This is Trojan Horse program. You must DELETE this file. When run, it modifies the file "autoexec.bat" to format the C drive the next time the computer boots. Upon closing the dialog box that pops up, the computer is shut down.This trojan horse attempts to connect to a large number of internet addresses. It loads itself at startup by modifying the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run.This trojan horse removes all entries from WIN.INI. It also deletes COMMAND.COM from the root directory. You need to delete this file.This is not a virus BUT a Trojan Horse program. You must DELETE this file.This is not a virus BUT a Trojan Horse program. You must DELETE this file. If run, this file renames root directory files.This is not a virus BUT a Trojan Horse program. You must DELETE this file. It jeopardizes your network security the way BackOrifice.Trojan does. You also need to remove its Win95 REGISTRY entry.This is not a virus BUT a Trojan Horse program. You must DELETE this file.This is a Trojan Horse type program. It installs itself in the \windows directory and runs in the background. You should DELETE this file.This is not a virus BUT a Trojan Horse program. You must DELETE this file. The program copies itself as rsrcload.exe in \windows, and as csmctrl32.exe and mgadeskdll.exe in \windows\system.This is not a virus BUT a Trojan Horse program. You must DELETE this file.This is not a virus BUT a Trojan Horse program. You must DELETE this file.This is not a virus BUT a Trojan Horse program. You must DELETE this file.This Trojan Horse creates many (over a thousand) directories which cannot be deleted without the aid of a disk utility, and modifies autoexec.bat to run itself at startup. It also tries to spread using the mIRC chat program.This is a trojan horse program and not a virus. You must delete this file.Trojan.Win32.AlephThis is a potentially harmful program. It should be deleted if found.This is a potentially harmful program. It should be deleted if found.This trojan horse modifies the registry to disable the Find, Run, and ShutDown options from the Start Menu, and hides your desktop and inserts a text message prior to login about the human era ending.This is not a virus. It is a Trojan Horse program. This prgram may allow unathorized users to access information on your computer. You should delete this file.This is not a virus. It is a Trojan Horse program. This prgram may allow unathorized users to access information on your computer. You should delete this file.This is not a virus. It is a Trojan Horse program. This prgram may allow unathorized users to access information on your computer. You should delete this file.QQ-1513The virus changes an infected program's date and time stamp. Infected programs contain the text "Bad command or file name".This is a Trojan Horse program which causes the letters on the DOS screen to fall to the bottom of the screen periodically.This is a Trojan Horse program which you should DELETE.The virus causes the screen display to "shake".The infection size grows depending upon the time since the virus was first launched.Infected programs contain the text "t=1024 /write=off /win /quiet".Dutch 555The virus changes an infected program's date and time stamp.On May 2nd this virus destroys the hard disk by writing random data to it.On February 7th this virus destroys the hard disk by writing random data to it.The message "Pray for death-RABID '91" appears.R10When the virus is active, the hard drive is overwritten with 0FFh bytes starting at sector 0. The DOS CHKDSK program reports file allocation errors on all infected programs.Zodiac, R11, LOLWhen the virus is active, the hard drive is overwritten with 0FFh bytes starting at sector 0. The DOS CHKDSK program reports file allocation errors on all infected programs.When the virus is active after the 12th of the month and the time is 5 P.M., sometimes the hard drive boot record is formatted and messages in German appear.DodgyThe virus infects the partition table of the hard drive and boot record of floppy disks. If the file RAV*.* is run, there is a 1 in 256 chance it will write over the hard disk with garbage rendering it useless.This virus infects EXE and COM files. This virus is polymorphic and encyrpted This virus may modify your AUTOEXEC.BAT file. Also, this virus may drop a KEYB.SYS file in your root directory, dos directory, and windows directory.A cold boot may be required after running an infected program. Infected programs contain the text "891221".The virus displays a message in Polish.Fake VirXWhen the virus is active on Friday the 13th, the message "VirX 3/90" appears. A cold boot may be required after running an infected program.Joe's Demise, LaterInfected programs contain the text "This program requires MS-DOS 3.00 or later".777, Revenge AttackerWhen the virus is active after all files in the current directory have been infected, the virus overwrites the hard drive and displays 7's on the screen. Infected programs contain the text "777- Revenge Attacker V1.01".This trojan program acts as an FTP server that can be accessed by any FTP client. This file should be deleted.RingZero.gen TrojanThis trojan uses the internet to send and receive data on the victim's system. It creates ITS.DAT and RING0.VXD file in the \WINDOWS\SYSTEM directory. These files as well as the trojan should be deleted.A cold boot may be required after running an infected program. After infecting other programs this virus creates zero-byte files in the current directory.This is a boot sector virus which infects floppy disk boot sectors and the master boot record of your hard drive.When active, the virus emits beeps.Beeper, Russian Mirror, USSRThe virus overwrites the hard disk in a way that causes an "Invalid drive specification" error message. When infected programs are run, a beep noise is emitted.The virus infects programs when they are copied.Infected programs' size increases by 1710 to 1725 bytes. Contains the text "(C) Dialogue, Rust. 1990".An improved over writting virus that encrypts the original hosts code. This virus is very similar to the various strains of Weed.Infected programs contain the text "!!RYAZAN."No information available.MLTIThe virus changes an infected program's date and time stamp. Infected programs contain the text "(C) 1990 RED DIAVOLYATA".This virus has a large number of NOP instructions (90h) throughout it's code. It has some bugs and my corrupt files when infecting them. These corrupted files need to be restored from backups.This virus infects EXE files accessed on floppy disks. When an infected file is executed, the virus installs itself in memory. Infected files do not grow in size because the viral code is inserted into the PE header.Infected programs contain the text "CopyRight by Vadim V.N.1989."A cold boot may be required after running an infected program. Sometimes the error message "Too many files open" appears.The virus adds about 3480 bytes to infected files plus a polymorphic decryption routine that ranges in length from about 350 to 1500 bytes. Adds 100 years to file date. Contains the encrypted text "Satan Bug virus".When the virus is active on Saturday the 14th, the virus overwrites the C: drive, B: drive, and the A: drive.No information available.V-1014Infected programs' size increases by 1014 bytes.Infected programs contain the text "Screaming Fist".V-948The virus overwrites COMMAND.COM when infecting it, making it invalid.The virus changes an infected program's date and time stamp.The virus changes an infected program's date and time stamp. The virus cannot infect files smaller than itself, but the data in these files can be corrupted.It directly infects COM files and has a message "In member to Selina, RIP in peace girl, (c) 1998 by Dr.Fanatic"When the virus is active for 60 minutes, a multi-colored screen is displayed. Infected programs contain the text "S E M T E X..."Infected programs contain the text "...(c) 1990 by Sentinel".Serbu.3322A memory-resident virus that infects files as they are executed copied. Files with COM, EXE, JPG or GIF files will be infected. Infected files contain the unencrupted text string: ">> BL-93115 <<"Infected programs contain the text "[Shadow]..."Infected programs contain the text "!seviL etybwodahS".Infected programs simply stop after displaying the message "Shake well before use !"When the virus is active, the message "...SHHS The BOOT SECTOR Infector..." appears.Infected programs contain the text "IWANTSHIRLEY..."This virus infects COM and EXE files. It is memory resident. It loads into the memory and infects when COM or EXE files are executed.The virus often corrupts the files it infects. Contains code that will not run on older microprocessors. This virus infects COM files and is memory resident.Infected programs contain the text "Signs Of Life".The virus clears the monitor, draws a face and causes the message "Hello, I'm Silly Willy!-..." or "ERROR: No SYSTEM found!" to appear.No information available.The infected program simply stops after displaying the message "ALIVE...Your system is infected by the SIMULATION virus..." This virus contains messages from four other viruses.No information available.A cold boot may be required after running an infected program.The virus causes a bouncing ball to appear when some programs or BAT files run. A cold boot may be required after running an infected program. Contains the text "Sistor && Co".The virus changes an infected program's date and time stamp. When active, the virus moves text around the screen.Originating from the SKEW family of viruses, this virus does not have the screen effects. It attempts to overwrite disks < 32Meg, but may or may not succeed.Contains the text "Sleepwalker".NV71Once the virus is active, it plays the "Silent Night" tune.A size-stealth polymorphic virus that infects COM and EXE files. Contains the text "SLOVAKIA virus version 1.#"The following message appears "SLOVAKIA virus version #.##...type the word SLOVAKIA:".When the virus is active, smiley faces appear and bounce around the screen. Contains the text "OVFyANKEE Doodle#and VACsin."The virus changes an infected program's date and time stamp. Contains the text "Socha".When the virus is active on Friday the 13th, the message "Something wonderful has happened, your PC is alive" appears.An infected program's time stamp is missing when the file is accessed using the DOS DIR command. Infected programs contain the text "INFECTED! *SPANZ*".Contains the string "Aren't you glad you ran me first? SPARKLING CYANIDE"The virus changes an infected program's date and time stamp.The trojan deletes a variety of files in c:\Windows, c:\trumpet, c:\winword, and files in root directory. It also creates directories called Sh*T and LamMaH??. Delete this file.Contains the text "Nguyen Van Cuong". Infected programs' size increases by 852 bytes.When the virus is active, the program SCAN.EXE is run, the program is erased and the DOS prompt returns. The virus changes an infected program's date and time stamp. The virus also squeaks.Tiny HunterWhen the virus is active, programs that contain more than 340 bytes of hex "00" characters are reinfected.7th SonThe virus changes an infected program's date and time stamp. Infected programs contain the text "Seventh Son of a seventh son" and "*.COM".7th SonThe virus changes an infected program's date and time stamp. Infected programs contain the text "Fight Fire With Fire" and "*.COM".When infected programs run, the following message appears: "The program has been infected by:...By STAF..."Infected programs contain the text "Ich bin da!"A cold boot may be required after running an infected program.When the virus is active on February 13th at 1 P.M. or later, random data is written to all drives (starting with drive Z:), and the last two bytes in the file are "*.".The virus modifies the partition table in the master boot sector. It infects COM and EXE files. May beep continuously while replacing characters on the screen with dots. Contains the encrypted text >STARSHIP_1<".When the virus is active, the seconds field in an infected program's time stamp is changed to "42". The message "Stasi is watching you" appears.This virus infects the master boot record and boot record of floppy disks. Bootup from infected floppies often causes system hangsThis virus was discovered in IsraelContains the string "STERCULIUS".The virus only activates on 286 computers and above. May display a message containing the word "StinkFoot".GullionThe virus damages the file allocation table. An infected floppy disk's programs and data files are damaged.TatouWhen the virus is active, the seconds field in an infected program's time stamp is changed to "62".QD335Infected programs contain the text "Striker #1".MonkeyThis virus encrypts the partition table, moves it to a different locale on the hard drive and then takes the place of the real one. In order to read the real partition (and see the drive), the virus must be active in memory.Contains the encrypted text "dinamo".This is a member of the Stoned.Empire virus family, which were reportedly produced at the University of Alberta.Evil EmpireThe boot record of an infected disk contains a message about Desert Storm. The virus overwrites sector 10 of the floppy disk directory, destroying any data located there.Bloody!After the 128th time a computer boots from an infected disk, the message "Bloody! June 4, 1989" appears.MichelangeloIf an infected system is booted any time on March 6th, the virus will silently overwrite the first 17 Sectors of the first 256 Cylinders of the hard drive with random information from memory.Bloomington,Stoned.No_Int,New ZealandThe virus overwrites the root directory on floppy disks. Any data located there is lost. Booting from an infected floppy disk displays the error message: "Disk boot failure."Deunis, Marijuana, New ZealandThere is a 1 in 8 chance that the virus will beep and display its message on startup: "Your PC is now stoned! LEGALIZE MARIJUANA!" The virus is extremely common and many other viruses have been based on it.Monitoba, StonhengeThe virus is a modification of the Stoned virus.Stoned.Whit, LzrwThe virus is a modification of the Stoned virus.AngelinaContains the text "Greetings for ANGELINA !!!/by Garfield/Zielona Gora".The virus is a modification of the Stoned virus.Brunswick, Stoned 3This variant of Stoned stores the original master boot sector on physical sector 16.BravoThis virus can corrupt some disk's MBR.Natas, SatanA highly polymorphic multi-partite virus that infects everything. It is most prevalent in Mexico, though originally written in San Diego by the author of SatanBug.Shrapnel (b), Shrapnel.6067A multi-partite virus that infects floppy, MBR and executable files. The infected files drop the virus into MBR. It contains encrypted string "Shrapnel v 1.0"This is a simple virus that does nothing but replicate.ICE-9Contains the text "[224] ICE-9".SimpContains the encrypted text "STIMP-VIRUS made in Poland."Contains the encrypted text "Produced by Mr.Watshira Sae-eu KMIT-NB Date 12/28/1990 BIOS".Ibex, 7-BootOn the seventh of any month, the virus will overwrite the first hard drive with garbage. A bug in the virus may make floppy boot sectors appear to be invalid under some versions of BIOS.This virus appears to do nothing but replicate.Contains the phrase "SATYRICON ays status of programs, ..."Randomly shifts letters on the screen to be one higher. "E" becomes "F", "S" becomes "T", etc. For COMMAND.COM, it stores itself in unused space (no size increase).Terribly buggy. Tries to add an infinite loop to your autoexec.bat which would print "Looking for Sibylle".69On 30NOV, will show a message on the screen. Encrypted within the multi-sectored virus is "S A M P O" and proclaiming itself from the Phillipines. In the wild in Asia, Europe, and the US.This is a memory resident virus that infects the boot sectors of floppies and the master boot records of hard drives. The virus hides itself by presenting a fake boot sector on read attempts.Sword is a typical appending infector. At the end of all infected files is the text: "The POWER of my SWORD!!!"Infections will occur upon file creation and after issuing a DIR command.This trojan horse program that allows a remote user to control a victim's computer through a network connection. The server program must be running on the victim's computer.No additional information.The virus infects all programs with the COM extension in the root directory of the C: drive. Contains the text "STSV".Do Nothing, SadamThe computer halts when the virus attempts to infect it. May overwrite sectors on the hard drive.This virus infects SYS files. It appends itself to the end of SYS files when device drivers are loaded.This program drops a copy of Backdoor.Subseven on the user's computer.1008Infects COMMAND.COM immediately and other files randomly. The computer may halt if booted from an infected COMMAND.COM.JerkThe virus infects programs with EXE extensions that are smaller than 65536 bytes. The message "...calls himself SUPERHACKER..." appears.JewsInfected programs contain the text "Jews NEVER surrender!"May delete a file rather than infect it. Contains the text "Susan".A cold boot may be required after running an infected program. Infected programs contain the text "(c) 1990 by SVC, Vers.#".The virus changes an infected program's date and time stamp. The virus only infects files on the A: drive. Contains the text "a:*.*".When the virus is active on December 25th, the following message appears: "TERMINATOR 1991. Made by SVS-009".Why Windows, Data Molester, HeadacheWhen the virus is active in February, it attempts to delete AUTOEXEC.BAT and CONFIG.SYS and corrupt the hard disk.The DOS CHKDSK program reports file allocation errors on all infected programs. Infected programs contain the text "Phnix".The virus changes an infected program's date and time stamp. Files smaller than the virus are corrupted.Holland GirlInfected programs contain the text "This program is infected by a HARMLESS text-Virus V2.1..."The virus will not infect programs if the environment contains "SYSLOCK=@".This is an encrypted memory-resident virus that infects COM and EXE programs.Sometimes the message "TABULERO" appears. Infected programs contain the text "pTpApBpUpLpEpRpOp..."The message "Hello, I am virus" appears. A cold boot may be required after running an infected program. The virus corrupts the infected file.This virus is polymorphic, encrypted and memory resident. It infects COM and EXE files.Doom II Death, Doom2The string "Your version of DOOM2.EXE matches the illegal RAZOR release of DOOM2" is located near the end of the file. Does nothing of what it claims to be capable of.When the virus is active on the 8th day of any month, the virus overwrites the first 160 sectors of drives C: and D:, resulting in the loss of the boot record and root directory.The virus avoids the system COM files. Contains the text "Tankard".May display the word "TECHNO" repeatedly across the screen while playing a tune. If a key is pressed the phrase "Don't touch the keyboard" is displayed and the virus goes back to printing "TECHNO".Valert (1554)When the virus is activated from September through December, the first ten characters written to disk are replaced with garbage characters.StealthAfter initial infection of the hard drive, it only infects files for the first 4 months. From then on, every 4-month anniversary of the infection, it displays a message. If the instructions are followed, "author credits" are displayed.HLLP.Termite.5000/7800/9100This is an improved prepending virus that encrypts part of the files. Those with Win32 NAV products should use NAVDX to repair this virus. For more information, look up Termite at http://www.symantec.com/avcenter/1501, 918Infected programs contain the text "Terminator Attack Now". May display this message and overwrite disk sectors.2294Infected programs contain the encrypted text "TERMINATOR". May display this message and erase the CMOS and overwrite disk sectors.526The virus changes an infected program's date and time stamp. On December 25th it displays the text "TERMINATOR 1991. Made by SVS-009."Infected programs contain the text "Terror".The virus changes an infected program's date and time stamp. The virus displays a message requiring a response.When active, the virus overwrites programs. Contains the text "The Rat, Sophia".13 MinutesThis virus may attach garbage bytes to infected programs. A cold boot may be required after running an infected program.1253, V-1When the virus is active on December 24th, it overwrites floppy disks with program fragments.CDWhen the virus is active on Thursday the 12th, a window appears warning that the next day is Friday the 13th.Infected programs' size increases by 109 bytes.On November 6th, or when booting on the 6th of any month between 3:00 and 4:00 PM, the Master Boot Record of the hard drive will be overwritten.This is a Trojan Horse type program which sets the system time to 11:59pm, December 31, 1999.This virus is a direct infector. This virus infect COM files in the current directory and parent directories. This virus attempts to delete anti-virus datafiles and directories.Infected programs' size increases by 1062 to 1098 bytes.Many variants of the virus have appeared based on published source code. When booted from an infected COMMAND.COM, the computer may halt.2330No information available.The virus changes an infected program's date and time stamp.When COMMAND.COM is infected, boot failures occur. Infected programs contain the text "*.com".Infected programs' size increases by 129 bytes.May display the message "I think you're tired to the bone. You'd better go home." Infected programs' size increases by 1740 to 1771 bytes.1993Infected programs contain the text "COMSPEC=(C)Todor..."Contains the text "I am the virus x". A cold boot may be required after running an infected program.The virus changes an infected program's date and time stamp. The computer halts when the virus attempts to infect a program.On the first day of any month, programs having names that begin with "B" are infected. On the second day programs having names that begin with "C" are infected and so on until the end of the month.Coffee shop, Girafe, T4EXEThe TPE (Trident Polymorphic Engine) is not a virus, but an object file that virus authors can link to their own code, making the new virus polymorphic.Multipartite virus infects COM and EXE files, as well as MBR's. "Taiwan Power Virus Organization" appears in the body of the virus.The virus changes an infected program's date and time stamp. Sometimes the message "Find me!" appears.After the virus is active for one hour, it produces a cascading text effect. This virus is reported from ItalySignedMay overwrite disk sectors and display "ThereCanBeOnlyOne .....Signed -Traveling Jack-E", the "J" in jack being a square root symbol.Sometimes the screen is cleared, then the following message appears: "-=>T.R.E.M.O.R was done by NEUROBASHER...", and then everything returns to normal. The virus disables the antivirus program that is included with MS-DOS 6.Zit.###, MinimalInfected programs are overwritten with viral code.Trivial.ow.i, TrivialThis virus infects files in the \WINDOWS\COMMAND directory. It overwrites the first 15360 bytes in the file. There is no repair available for this virus.When the virus is active, sometimes characters typed from the keyboard do not appear on the screen. Files for output to disk may not get written to disk. Infected programs contain the text "The Troi Virus".Infected programs contain the text ">>>Troi Two-->".The virus infects programs larger than 8k. Infected programs contain the word "Tu".Tula-419The virus changes an infected program's date and time stamp. Infected programs contain the text "Tula 1990.Sat".Infected programs contain obscene text.The virus can produce graphics and music. The virus changes an infected program's date and time stamp.RPVSInfected programs contain the text "TUQRPVS".Ontario-730Infected programs contain the text "!=TVu."The virus creates hidden COM files. When active, the virus further "hides" these infected files from utilities that can display hidden files.Infected programs contain the text "*.com". May erase FAT on the current disk.The virus changes an infected program's date and time stamp. Infected programs contain the text "Come On, no. 51, You Time is up" and "Ungame(C)Dr".This virus places itself in memory, and infects DOS executables when they are run. It adds itself to the end of the executable files, increasing their size by 1909 bytes.A cold boot may be required after running an infected program. Infected programs contain the text "C:SYSTEM\COMMAND.COMMMAND.COM".Uruguay is a family of highly polymorphic "test" viruses. When the viruses are active sometimes the message "'Uruguay #' Virus..." appears and then tones are emitted.A cold boot may be required after running an infected program. Infected programs contain the text "V 1.0 Igor,1992 The Uruk-hai are upon you!"Infected programs' size increases by 707 bytes. Works only under DOS 3.30.1260, CasperInfected programs contain code to prevent detection. V2PX are polymorphic Vienna viruses.1260, CasperThe virus contains code to prevent detection.TP##VIRIf the virus finds an old version of itself, it reinfects the program with the newer version. The virus changes an infected program's date and time stamp. The virus version number is found at the end of the infected file.Standard encrypted EXE infector. Deletes files in \Windows directory on Valentine's Day.May play a tune. Contains the text "GCSBRO" and "ROMANIAN VAMPIRUS".SlayerThe virus is written in compiled BASIC. The text "BASRUN" and "BRUN..." appear in the virus.VCL is a group of simple viruses created with a menu-based program called the Virus Construction Lab. Of the samples that come with the lab, only one works.Polish 637The virus changes a disk write to a disk read.MantaThe VCS viruses are mediocre infectors of COM programs created with a program called the Virus Construction Set. The viruses delete the AUTOEXEC.BAT and the CONFIG.SYS files.The VCS viruses are mediocre infectors of COM programs created with a program called the Virus Construction Set. Some variants infect COMMAND.COM also.The virus changes the seconds field in an infected program's time stamp to "56". Infected programs contain the text "***Vengeance is ours!***".Happy DayThe following message appears "HELLO!!! HAPPY DAY and SUCCESS from virus 1.1 VFSI-Svistov".When the virus is active on Wednesdays, all programs with COM and EXE extensions are infected at the same time. Infected programs contain the text "Victor V1.0 The incredible High Performance Virus".VHP, WienThe virus changes the seconds field in an infected program's time stamp to "62". Many variants exist due to published source code.ViolatorInfected programs contain the text "Activation Date: 08/15/90-Violator Strain B..."ToothlessThe virus changes the month field in an infected program's date stamp to "13".CrossInfected programs contain the text "V*I*N*D*I*C*A*T*O*R*1".If a program's size before infection is less than 3840 bytes, its size after infection is 7678. Infected programs contain the text "VIOLETTA".The virus displays several messages beginning with "VirDem Ver.:1.06 (Generation #) aktive..."The message "Infected" appears when an infected program is run. The virus only infects programs on the A: and B: drives.The virus infects COMMAND.COM as the Lehigh virus does. Contains encrypted text that the virus checks for modifications.Only COM files are infected. The virus is written in the empty spaces of the file or appended to the end, increasing the files size between 0 and 691 bytes.Only COM files are infected. The virus appends itself to the end of the file, or puts itself in unused buffers inside the host. This may cause it to corrupt the host file.This is a direct file infector. Once executed, it infects EXE files in the current, \DOS, \WINDOWS, and \WINDOWS\COMMAND directories. Once decrypted it contains the text "Viva Mexico".Does not function on most machines. When Ctrl+Alt+Del is pressed it displays a message in Russian.ACDC, PoemWhen the virus is active on December 21st, a poem appears, and the C: drive is overwritten.No information available.Infected programs contain the text "Voronezh,1990 2.01".When the virus is active, the computer halts when a BAT file or DOS command is run. The virus displays a message telling the user to vote.The hex string '4503EB1808655650' appears near the beginning and the end of infected programs.The virus displays "Something's coming up...", then a high-pitched noise is emitted and the following message appears: "Vriest of g greets Vic ear Moeli".Infected programs contain the text "VVF 3.4".This virus is a direct file infector. It will only infect other files once an infected program is executed. NAV repairs cases of infection in both EXE and COM files.When the virus is active, a graphic man walks across the screen, and keyboard input is halted until he disappears. Infected programs contain the text "WALKER V1.00..."This is intended to infect systems with a virus, but it hangs the computer instead. You should DELETE this file.Infected programs contain the text "And the alone warrior is warrior..."VulnerA cold boot may be required after running an infected program. Infected programs contain the text >"Et tu vulneratus es sicut et nos..."An improved overwriting virus that encryptes the original host. If the host is less than 3263 bytes it will be padded out to 3263 before infection. Files that were originally smaller than 3263 will be 3263 bytes after repair.The message "Were Here" appears when infected programs run in 1992.Whale is a huge full stealth virus that seldom activates.This virus has trigger to go off on 3/21,12/1,12/07.When the virus is active, the message "Wilbur sez HI!" appears. WizKid.RaDD (Gen1) When infected files are executed, they infect .com files on the A: drive. The infection works by overwriting the first 559 bytes of the file, so repair is impossible.AccessiV JETDB JERK1NThis is MS Access macro virus. It uses an "autoexec" macro and VBA module named "Virus". It is a direct action virus that searches for MDB files in the current directory to infect.This is MS Access macro trojan.JaringThis is an intended MS Access macro virus. It does NOT work!ToxThis is an MS Access database (MDB) macro virus.WM.ABCThis macro virus is very similar to WM.Concept. When executing FileSaveAs, there is 25% chance that it will modify the FileSummaryInfo and displays a message "I am happy; are you too?"This is a Word 95 macro virus. It works only in French version of Word.WM.AlienThis macro virus removes Macro & Customize item from Tools menu. It shows "Another Year of Survival" on Aug 1; "It's Sunday & I intend to relax" every Sunday; and other "Alien" messages at random.WM.AllianceThis macro virus puts "You Have Been Infected by the Alliance" in Subject of FileSumarryInfo. It only infects new or opened documents on the 2nd, 7th, 11th and 12th of the month.WM.Anak FamilyThis macro virus removes Customize item from Tools menu; Templates item from File menu; Macro item from both menu. It edits Registry and creates a NORMAL.DOT w/ "introducing anakSMU Semarang, March 1997"Anarchy.6093This is a combo of macro virus and DOS virus. The Macro part drops and runs a DOS program that goes resident. Intercepting DOS file-open, it puts a macro to DOC files. It corrupts some DOC files, especiall Word97 files.FunYour NTTHNTA Wazzu Colors.AEOpening infected document for the 20th time, some variants of WM.Appder delete C:\DOC\*.EXE, C:\DOC\*.COM, C:\WINDOWS\*.EXE, C:\WINDOWS\SYSTEM\*.TTF and C:\WINDOWS\SYSTEM\*.FOTFunYour NTTHNTAUnlike WM.Appder.A and other variants, this one doesn't have the destructive payload. The payload has been removed.This macro virus attempts to delete c:\*.* on Oct., Nov., and Dec. on any day after the 14th. However, due to a bug in the macro code this virus does not work properly.This macro infects Normal.dot and displays message boxes.This macro infects Normal.dot and drop "C:\FF.SYS" which contains the viral code.This macro infects Normal.dot and modifies MS WORD settingsThis macro infects Normal.dot and modifies MS WORD settings such that the menu bar disappears. It also attemps to copy the file ipid.exe in the windows directory. If this file exists, it should be deleted.This macro trojan saves the active document as "c:\windows\command.com", "c:\windows\win.com", "c:\windows\win.ini" and "c:\mydocuments\cat.doc"The virus besides replicating, it creates a new document in the current folder with the same name of the infected document concatenated 3 times.This virus infects the "normal.dot". It also creates a file in "C:\" named "ffastun.drv". If it exists, delete that file.This Word 97 macro virus infects the "normal.dot" when opened.This Word 97 macro virus infects the "normal.dot" when opened. Also changes some option settings and tries to delete "ntoskrnl.exe" from c:\winnt\system32\" on a NT system.This is a Word 97 macro virus. On every Friday when the Day is the 1-st or the 22-nd, it tries to run the payload. It never gets a chance because of a syntax error in the module.This virus infects when opened. It also appends some empty bytes to "MAJORANA.E" file in "C:\Windows" folder. Delete that file if exists.This Word 97 macro virus has a password protection lock when you try to see its macros under Tools|Macros. It drops \windows\mlc32v5.drv. On a certain day and month, it deletes everything from C drive.This is a polymorphic macro virus. On May 5-th it writes "Is it not a Camel?" in your document.This is a Word 97 macro virus. It creates a text file in the current directory. The text files names start with "CMC".This is a Word 97 macro virus. After June of year 2000, it creates ".doc" files in "Windows" directory 999999991 times. The file names start with "Aa".This is a Word 97 macro virus does noting but replicate. It infects when the document is closed.This is a Word 97 macro virus that infects Word97 documents and templates. On certain days and month, it triggers a message and imports a file saved as "bdoc2.txt".This macro virus infects "Normal.dot". If you open any document, while the infected normal template is in your default tempate directory, then this file will become infected.This polymorphic macro virus infects "Normal.dot" and modifies MS WORD virus protection settings.This macro virus infects both MS EXCEL and WORD documents. It infects "Normal.dot" and drops infected "cs.xls" into EXCEL start directory.W97M.Titch.CA Word 97 macro virus. It infects when closed. It also drops a file in "C:\" named "arbind2000.tmp". Delete it if it's there.This is a Word 97 macro virus. It infects when closing the file. It also drops a file in "C:\" named "arbind2000.tmp". Delete it if it's there.This is a Word 97 macro virus. It spreads when an infected file is opened, closed, or saved and also when exiting from Word. The virus disables the VB editor by requiring a password to access it.This virus infects when opened. Also on certain date 11/10 or 7/1 if opened, it changes the options of MS-Word.This virus infects when opened. It changes options of the MS-Word. Also, if the file is opened after a june of the each year following 2000, the file will replicate it-self 999999991 times.This virus infects when opened. It changes options of the MS-Word. Also, if the file is opened after a june of the each year following 2000, the file will replicate it-self 999999991 times.This virus infects Word97 documents when opened. Also, if an infected document is opened on July 1 the virus will attempt to open all documents on the C: drive, infect them, and set the password to "xyz"This virus infects Word97 documents when opened. Also, if an infected document is opened on July 7 or November 10 the virus will attempt to open all documents on the C: drive and infect them.This macro virus creates SNRML.DOT and SNRML.SRC in the MSOffice STARTUP directory. You must delete SNRML.SRC. It also changes the path of the template directory.Blindlove, BlindThis macro virus creates BLIND.DOT and BLIND.SRC in the MSOffice STARTUP directory. You should delete BLIND.SRC. It also changes the path of the template directory.This macro virus creates MAMM.DOT and MAMM.SRC in the MSOffice STARTUP directory. You should delete these files. It also changes the path of the template directory.Macro.Word97.Trojan.BotschafterThis macro is not viral. It adds an entry to the RunServices directory of the Windows registry. The entry attempts to delete all files on the c: drive upon startup.Macro Word97 "CAPUT"This macro virus creates a file "system.drv" in "C:\" directory. Under "properties->summary->comments" displays "JU$t bEEn CAPuted!" message.WM.Adult WM.AtomicSome variants of this macro virus delete all files in current directory on December 13. Doing File|SaveAs on the 13th seconds of the time will set document password to ATOM#1, or ADULTSEX#1.This macro virus drops a file "C:\system.dos" to write the path of the active document. When "system.dos" file becomes larger than 1024 bytes, the virus will try to delete all files in the path of "system.dos" contents.This Chinese language virus pops up a message box at certain trigger times. This macro virus infects the normal template and any Word documents that are opened or closed. This version of the virus does not carry any destructive payload.This Word 97 macro will, on document open or close add random shapes/lines only on the 23rd of each month.This Russian macro virus does little but replicateThis Word 97 macro attempts to infect HTML files. It also attempts to infect Word documents.Hubad GandaThis polymorphic Word 97 macro inserts an ASCII-picture when printing an infect Word documents. W97M.Junefill.AThis Word 97 macro triggers July, 2000, and continually saves the currently infected document to c:\windows as random file names. It is also inserts the user name/address/initials into the code. W97M.Marker.CE W97M.Marker.CSThis Word 97 macro is a June/July Variant. It infects the Normal.dot and any active documents and saves them as AA and AA.doc.This is polymorphic macro virus. This virus creates a "EmailMe.html" in the Windows directory. You should delete this file.This is polymorphic macro virus. This virus creates a "EmailMe.html" in the Windows directory. You should delete this file.When the document is opened or closed On 3/11, this macro virus will display "Happy Birthday". It will try to delete "*.sys" files from "C:\". It will also delete some words in the document.This Word 97 Macro virus adds a password of 8941 to all documents. One would need to first disable the password before attempting to repair with NAV.W97M.PSDAt certain time of the day, it will add colorful AutoShape objects to the current document when opening or closing the document.Doing "File Save" and "File Save As" on August 30th will cause this macro virus to display message box. Also user would need to enter correct password to continue editing this document. The password is "WM.MALAYSIA 1998".This is a basic Word97 macro virus. It replicates it's infection when an infected document is closed.This is a macro virus that infects Word97 documents and templates only. This macro virus is stealth and uses anti-debugging techniques. This macro virus may prevent you from opening documents on Sunday.WM.Jakarta WM.KacawThe original variant deletes all files but C:\WINDOWS, C:\WINWORD, C:\WINWORD6 everyday after the 19th when starting Word after 11am. It drops a "PESAN.TXT" text file. Most variants are by corruption.W32.Beast W32.Beast.56230/41472This virus uses macro and EXE to spread. Infected document carries an embedded EXE object that gets activated by the AutoOpen macro in the document. The EXE goes resident and infects other opened documents in MS Word.This Word macro virus is dangerous. It tries to add few lines in your "C:\Autoexec.bat" file which is "Deltree c:\*.* /y". You should delete that line if it is there.Beast.A.Trojan CDtray.Trojan BeastThis is the EXE part of W97M/W32.Beast. See W97M.Beast for description.This macro virus attaches itself into a template in an attempt to clean WM.Concept infection.This macro virus does not replicate, but will do 3 different renamings: command.com->berau.com on the 1st of the month; win.ini->berau1.ini system.ini->berau2.ini on the 10th; config.sys to berau.sys on the 20th.A Word97 macro virus that creates \windows\system\microsof.386 file and uses it for infecting other documents. Removal of this file is recommended.W97M.AntiSocialThis encrypted Word97 macro virus replaces the content of the document with "Antisocial..." when closing the document on the 59th minute of the hour, or drops an AUTORUN.INF with DELTREE command to erase C: drive.On 10/11 displays the message "OCT11-80/LYS is BLISS" and terminates leaving the source decrypted and preventing further infections. Resumes normal behavior on the following day.User should delete both files in the root of C: named ####.sys and ####.vba - where #### is between 1 and 9999. Also search registry and delete any entries containing the text "Nachfolgerin".ArmagidonThis simple macro virus adds ARMAGIDON module in Global Template. On May 8, it adds a red-cross cursor. On printing, it may replace some character.On November 11 and July 1 scans all subdirectories on C: for *.doc files and password protects the files with "xyz".This Word97 macro virus copies NORMAL.DOT into MS Office directory as WINDOT.DLL and WININF.DLL. It changes The Assistant animation, displays messages "AAARGHH", and intercepts Tools-Macro to display a message.A Word97 macro virus that has any one of these macros: AutoOpen, AutoSave, FileSave, FileSaveAs, and BIO_M9. Standard infection routine, exports code to c:\bio_m9.drv. Nothing malicious.This Word97 macro virus does little but replicate. Once infected, selecting Tools>Options diplays a form with an Indonesian flag and some (ovbiously Indonesian) text. Clicking the okay button hides the form.After the year 2000, this macro virus sets the computer date to 1/1/80, creates the file C:\SYSBOOT.BIN, and password protect your document with a random password. On Friday's a message box will be displayed.A Word97 macro virus that has any one of these macros: AutoOpen, AutoClose, ToolsMacro, ToolsOption, HelpAbout, FileTemplates, AutoExit, AutoExec, ViewVBCode, or VicodinES.W97M.ElfThis Word 97 macro virus does little but replicate.This Chinese macro virus creates C:\WINDOWS\TWNOS1\LA.WAV and C:\DOS\BBB.COM which drops One Half MBR virus. Deleting both files is advised. Other payloads formats HD & prints messages while printing.WM.Cap FamilyThis macro virus removes Macro & Customize item from Tools menu. It deletes all existing macros before infection. Saving into RTF file actually creates an infected Word Document w/ RTF extension.This is a remnant of WM.Cap virus. If NORMAL.DOT is infected or an infected document is opened, MS Word fails to execute FileOpen, FileSave, FileSaveAs or FileClose and gives "WordBasic Err" message.W97M.CaliGula.AThis macro virus uses temporary text file C:\IO.VXD while infecting. It display a message on the 31st of the month. If you have PGP installed, it tries to find SECRING.SKR and upload it to an ftp site.This macro virus removes Macro from Tools menu. It displays a picture when Help|About is accessed or when exiting from Word97 on Friday.Class.Poppy, WoobieThis is a polymorphic Word97 macro virus. Some variants display insulting messages like telling user "is a jerk", etc. Some variants quietly do their infections on opening and closing documents.MV Version 1eThis W97M.Class variant uses C:\SYSTEM.SYS as a temporary text file. It display the following message for Tools-Macro menu: "This program has performed an illegal operation and will shut down."Polymorphic Word 97 macro virus. Infects the normal template.Polymorphic Word 97 macro virus. This virus drops files "CV.SYS" and "CV.HTM" in "C:\". It those files exist, than delete it.This macro infects MS Excel spreadsheets and MS Word Normal.dot. It drops "c:\cross.sys" file and modifies the Regestry.This macro does little but replicatesThis Excel 97 virus drops "Books.xls" in the XLstart directory. When opened a message box pops up displaying unreadable characters.This Excel 97 virus drops "Books.xls" in the XLstart directory. It then uses that dropped file to replicate.This Word 97 virus infects normal template.This macro virus does little but replicate.This macro virus is polymorphic. It infects "Normal.dot". It also uses Aplication.UserName to name a ".tmp" file created in the "c:\windows\temp" directory and containing the source code of the virus.W97M.Chack.VariantThis is a generic Word97 macro virus. It infects documents by using the Normal Template on opening, closing, and as well as most of the other commands available through word menu.W97M.Zippy Class.ZippyThis polymorphic macro virus remove the Macro and Options from Tools menu. It prints the active document on the 10, 15, 20, 25 everytime the infected document is opened or close.This polymorphic macro virus removes the Macro and Options items from the Tools menu. It also prints the active document on the 13th during the months of August through December.W97M.Zippy Class.Zippy FurbyThis polymorphic macro virus uses OFFICE.DLL in MS Office directory as a temporary text file.Class.TNTThis polymorphic macro virus display messages on Dec 23 and 24. On Dec 25, it password protects the infected document with "TNT"Class.InsertThis macro virus display message "1nternal / Class.Insert" on Oct 16.This macro virus infects the global template Normal.dot to spread. The virus diplays a message and beeps 100 times if excuted anytime before 9:00 PM on Fridays and Sundays. It also modifies several menu commands and dialog boxes.This macro virus infects the global template Normal.dot to spread. It displays Input Box with a title "AV MACRO", when selecting the "Visual Basic Editor".This virus diplays a message and beeps 100 times if excuted anytime before 9:00 PM on Fridays and Sundays. It also modifies several menu commands and dialog boxes.This virus diplays a message and beeps 100 times if excuted anytime before 9:00 PM on Fridays and Sundays. It also modifies several menu commands and dialog boxes.This virus diplays a message and beeps 100 times if excuted anytime before 9:00 PM on Fridays and Sundays. It also modifies several menu commands and dialog boxes.This virus diplays a message and beeps 100 times if excuted anytime before 9:00 PM on Fridays and Sundays. It also modifies several menu commands and dialog boxes.This virus diplays a message and beeps 100 times if excuted anytime before 9:00 PM on Fridays and Sundays. It also modifies several menu commands and dialog boxes.This virus diplays a message and beeps 100 times if excuted anytime before 9:00 PM on Fridays and Sundays. It also modifies several menu commands and dialog boxes.This macro virus infects the global template Normal.dot to spread. The virus diplays a message and beeps 100 times if excuted anytime before 9:00 PM on Fridays and Sundays. It also modifies several menu commands and dialog boxes.This macro virus infects the global template Normal.dot to spread. The virus diplays a message and beeps 100 times if excuted anytime before 9:00 PM on Fridays and Sundays. It also modifies several menu commands and dialog boxes.This macro virus infects the global template Normal.dot to spread. The virus diplays a message if excuted anytime before 9:00 PM on Fridays and Sundays. It also modifies several menu commands and dialog boxes.This macro virus drops infected "START12.XLS" into Microsoft Excel startup directory ("C:\Program Files\Microsoft Office\Office\Xlstart").This macro virus drops infected "START17.XLS" into Microsoft Excel startup directory ("C:\Program Files\Microsoft Office\Office\Xlstart").This virus works only in Chinese version of Word 97. It randomly generates a number 1-12. If the number is the same month number of today's Date, it changes some font settings.This Word97 macro virus contains a module called Claudio that infects during the closing of the document. Another infectious module called Modulo1 is called during the opening of new documents.This is a macro virus that infects Word97 documents and templates. It contains a module called Modulo1 that infects during the Open of the document.This is a macro virus that infects Word97 documents and templates. It contains a module called Modulo1 that infects when documents are opened.This is a macro virus that infects Word97 documents and templates. It contains a module called Claudio2. On 11/10 and 7/1, it will search your entire C drive for "*.doc" files and change some option settings.This German macro virus may display current time on the 25th of a month when starting MS Word, and every 2 minute after that. It may also flip SaveAs & Open on FILE menu while saving a file.WM.Colors Family, RainbowThis macro virus maintains a counter in INI file. After a certain number of accesses, it modifies WIN.INI to change the Windows desktop color settings. It is known to snatch AutoOpen and various FILE macros.Prank, Concept.A, B:Fr, C, H, O, P, QThis macro virus is one of the first in the wild. It infects using File|SaveAs. It displays "1" upon infection. Some variants may have destructive payload or corrupted/snatched macros.WM.HahaWhen doing File|SaveAs, this Concept Variant changes text color to white and inserts "i said: say goodbye to all your stuff (look at that hard drive spin!)" to the document while saving the file 100 times.When doing File|SaveAs, this Concept Variant tries to save a copy of the document in "T:\VIR\." It displays "1" upon infection.WM.ParasiteThis Concept variant has several payload: replace "and" w/ "not"; '.' w/ ','; 'a' w/ 'e' in the document; and displays "Parasite virus 1.0" Variants are by corruption.WM.Concept.CJThis Concept variant has several payload: It sometimes replaces "." with "," and "$" with "S" or password protect a document with "FrazzleFuck_100" or destroy C:\COMMAND.COM, C:\AUTOEXEC.BAT, C:\CONFIG.SYS and C:\MSDOS.SYS.This Italian Concept variant infects while closing document or Tools|Spelling. It displays "1" upon infection. Variants are by corruption or snatched/lost macros.WM.Pheew:NlThis Dutch Concept Variant displays "STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC Final Warning!" Clicking "NO" button will delete files in C:\ & C:\DOS making the system unbootable.WM.BlastCThis Concept Variant shows a welcome message when opening document & "Uh Ohhh. NORMAL.DOT just got infected" when infecting NORMAL.DOT. Variant L tries to delete C:\DELETEME on the 24th.This Concept Variant is an intended virus that spreads manually when user runs the macros XutoOpen.This Concept Variant uses "lev0l0r" instead of Payload. After 117 times opening infected documents, it minimize MS Word. The counter is stored in file C:\BOOT.DA0ConceptWhen infecting a document, this variant of the WM.Concept macro virus family randomly password-protects it with random numbers between 1-100. The password is three characters long and uses leading spaces to make up the three characters.WM.DiamondSutraThis variant of WM.Concept redefines AutoCorrect of "teh" into "Shoshi in 1983 is the Sun" It displays message boxes referring to "CTF."WM.MicroSlothThis variant of WM.Concept at random displays "Microsloth - Who do you want to own today?" message box; open 20 new documents; open or delete all all files in current directory; or format disk in drive A.This variant of WM.Concept creates a file C:\foodies.txt which contains useless data. This file should be deleted.This variant of WM.Concept add an advertisement to the end of C:\AUTOEXEC.BAT file. It also creates a C:\WINDOWS\FIREFOX.INI file.WM.Concept VariantA non-infectious copy of Concept.A due to some improper "removal" of the Concept.A infection. The macros may have been renamed or even changed improperly. It is NOT infectious but is an inconvenience.When the day of the month equals the minute, this virus will attempt to delete all files on the C: drive upon opening, printing or saving a file. "Macros..." or "Visual Basic Editor" will do the same (on any date).This macro virus infects Word 95 and Word 97 documents. It does not always infect other documents correctly.WM.Concept VariantThis is a partial copy of the Concept macro virus. These do not infect other documents, but may be detected as a partial infection of WM.Concept.WM.Concept.BBThis macro virus is a sub-family of WM.Concept. Its infection mechanism is similar to Concept's. Some variants display a message box when opening document. Others simply have corrupted/snatched macros.W97M.Concept.BBThis macro virus is an upconvert of a sub-family of WM.Concept. It is very similar to Concept's. Some variants display a message box when opening document. Others simply have corrupted/snatched/empty macros.This macro virus is a macro virus that only infect Normal.dot. Prints "your computer infected by a virs .his name bad boyyou are a donkey" to Normal.dotThis virus copies all macro in the template along with it whether they are part of the virus or not.W97M.CobraThis Word97 macro virus has payloads that adds macro to display message box on File-Exit and one that deletes all files from C: drive on File-New. Different variants of this macro virus triggers on different date.W97M.Cobra.KThis Word97 macro virus when opened has payloads that replicates itself to the Normal.dot and any other files that are currently open under Word. This virus is polymorphic and triggers during certain days of the year.This is a Word 97 macro virus. This virus changes some ofthe captions of the Menu items. For example it changes the "Macro" item from the "Tools" Menu to "Makmu, Cok.....!!!!".W97M.Cobra.LThis Word97 macro virus has Melissa-like payload. Besides that, it infects Normal.dot and any other files that are open, saved, or exiting Word.ComboThis Word97 macro virus has Melissa-like payload. It also maintain a counter from 100 to prompt "Is the man the virus of the planet"This Word97 macro virus has payloads that only work in Windows 98. One of the payload sends an email to the editor of Virus Bulletin.W97M.Ethan.BThis Word97 macro virus uses ETHAN.___ temporary text file while infecting, removes the C:\Class.sys temporary text file that W97M.Class uses, and changes the File Summary Information.W97M.BrendaThis Word97 macro virus modifies Win95 registry entries, notably Nico Mak's WinZip utility. It also modifies the icon and title of "My Computer" to "Little Miss Nick"This macro virus maintains a counter, but its payload never gets executed.This macrovirus replicates via AutoOpen and FileSave.If MS Word Global template is infected, opening a document between 08/27/1998 and 09/03/1998 after 7.30pm will trigger the virus to replace lines with "Se fodeu. HaHaHaHaHa!!!" and displays a message before it closes MS Word.This macro virus pretends to be disinfector of WM.Concept. It infects during file-open and filesave-as. It intercepts Tools-Macro to display a dialog box asking for a password.This is a polymorphic macro virus - the names of the macros change with each infection.Macro.Word97.AljadezzThis is a polymorphic macro virus. When printing an infected document, the virus will print "-=$$DERRCOHE$$=-". It will also look for and delete anti-virus files.Winword.DMVWritten and published as a research virus in December of 1994. Not intended to be released, however after the paper's publication, modified versions of DMV were soon found in the general population.LoopHoleThis is a modified version of WM.DMV claiming to point out loopholes in systems and not as a destructive virus.WM.CKE:TwWord macro virus that infects only under Chinese versions of Word and Windows. Creates a document called CKE.DOT in the startup directory instead of infecting NORMAL.DOT.This macro virus contains a macro "AAAAA"Winword.FormatCThis is a trojan which attempts to format drive C: when an infected document is opened.Word macro virus. It is corrupted, hence the payload can not be triggered. It attempts to add a call to a batch file in AUTOEXEC.BAT to delete GIF, BMP, and JPG files on the computer.This macro virus contains a corrupted macro "WORM"This macro virus drops a GSIS.DOT into MS-Word's Startup directory. The next time MS-Word starts, GSIS.DOT infects the global template NORMAL.DOT. It inserts "Natural & Gnomo are back" while printing.A macro virus that is known to pop up dialog box when opening/closing document. It requires an input of ""fishfood","worms","worm","pryme", or "core" to close the dialog box.This virus is very similar to Concept. In fact the creators claim that they were the ones who wrote Concept. The virus adds a new section in the help menu which exclaims their accomplishments.GoodNightThis virus infects MS Word Documents using the Word Basic Macro language. 18 minutes after an infected document is opened Word will be exited.W97M.FootPrintIt uses FOOTPRINT.$$$ and FOOTPRINT.$$1 as temporary file while infecting. It also adds "FootPrint1" custom document property to mark its infection.Groovie, IPAttackIt creates DATA.DOT in MS Word startup directory. It is recommended to delete this DATA.DOT file along with C:\groovie.sys, c:\script.sys and c:\ip.txt if they exist.It creates DATA.DOT in MS Word startup directory. It is recommended to delete this DATA.DOT file along with C:\info.sys, c:\script.sys and c:\ip.txt if they exist.It creates DATA.DOT in MS Word startup folder. It is recommended to delete this DATA.DOT file along with C:\NEW_IMPROVED.sys file if they exist.This virus infects MS Word Documents using the Word Basic Macro language. It has two macros: HarkOne, and either AutoOpen or AutoClose.Win95/W97M.Heathen.12288.AThis Win95+W97M macro virus drops HEATHEN.VDO and HEATHEN.VDL and modifies EXPLORER.EXE in Windows directory. HEATHEN.VDL and HEATHEN.VDO needs to be deleted. EXPLORER.EXE needs to be restored from clean copy.Win95/W97M.Heathen.12288.AThis Win95+W97M macro virus drops HEATHEN.VDO and HEATHEN.VDL and modifies EXPLORER.EXE in Windows directory. HEATHEN.VDL and HEATHEN.VDO needs to be deleted. EXPLORER.EXE needs to be restored from clean copy.WM.HelpEvery 100 days, WM.Helper is known to encrypt the documents on your hard drive with the password "help". To restore these documents, use Word to remove the password and re-save.WM.Hybrid familyThe original Hybrid removed the Concept virus. This variant is corrupted. It will spread to the normal template and any document that is open, but will not remove Concept anymore.A macro virus that shows "DMV" (A,B,D variant), "WORMY-1 by NAENBGOURSG" (E), or no message at all (C variant) in the status bar when infecting the GLOBAL Template.A macro virus that replaces the ToolsMacro and ToolsCustomize with a message stating the file FORMATER.DLL is missing.A macro virus that creates "India ########.txt" in the current directory for every infection. Text files contain the following string: "Kashmir is an integral part of INDIA. JAI HIND"WM.FluA macro virus that replace the ToolsMacro with a message "You cannot create, edit or delete your macro right now!.." Starting MS-Word on Sep 9 or April 16 will trigger a message "Don't work too hard...It's your birthday!"W97M.IRCJack.BIn addition to infecting documents, STORY.DOC is added to C:\WINDOWS, and SCRIPT.INI is added to C:\MIRC if C:\MIRC\MIRC32.EXE is installed. The script will copy itself to C:\WINDOWS\SCRIPT1.INI when executed.The macro virus will change the Windows colors setting and set the screen saver to the Marquee with "Happy Saint Patties Day". It targets the registry in 32-bit Windows systems to change these settings.This macro virus creates STARTUP.DOT in the MSOFFICE STARTUP directory. It also creates STARTUP.DOT and DEFAULT.DOT when you save a file.It switches BOLD and UNDERLINE formating. On the 13th, it adds text to the end. On July 4, it adds "Ivana" to the end of the document and password protect the document with "Ivana"W97M.JediMOn Exit, it shows a message box.This macro virus infects Word 97 NORMAL.DOT templates. The virus does not always infect all Word documents.On Exit, it shows a message box "I love you *.*".IRCWorm.Jim.AThis is a macro virus which turns on file server functionality in mIRC and utilizes Pegasus Mail to propagate itself. This virus drops multiple non-viral text files in the C:\ directory.Variant of WM.Johnny that has some corrupted or empty macros. FileSave command may give an error, but the virus still spreads through the FileSaveAs command.This is the same as WM.Johnny.A, except one of the macros is corrupted, requiring a new detection.W97M.AutoExecIt adds a viral C:\AUTOEXEC.DOT as a startup template & infects all opened docs. On July, it shows a Chinese input box. Changing the default input three times trigger the payload: replacing AUTOEXEC.BAT w/ DELTREE command.This is a macro virus. It spreads by copying its macros to the Normal.dot template located in C:\MsOffice\Templates.This is a Russian macro virus. On May 11 and Aug 3, it will display a message box. It will also start deleting .BAT and .SYS files in C:\, .DLL and .EXE c:\WINDOWS, and .COM, .EXE, and .VXD in c:\WINDOWS\SYSTEM.On certain date of a month, this macro virus replaces the Footer and Header of the infected document.On certain day of a month and certain month of the year this macro virus writes junk characters into the document with "SK" at the end. If day divided by month is equal zero then it inserts the junk characters.This is a self modifying macro virus. It infects when document is opened.This is a macro virus. It spreads by exporting/importing its code to/from the file "c:\ZX_SOMEBODY_POP_JAMES_BRANNON.sys" on August 3rd.This is a macro virus. It spreads by using the most common method of copying itself to the excel default startup directory and rename it to "C B I.XLS"This macro virus creats a file in your "XLSTART" folder called "Manalo.xls". You should delete this file.This macro virus creats a file in your "XLSTART" folder called "Manalo.xls". You should delete this file.This macro virus creats "Personal.xls" in Excel Startup directory, "c:\permanent.sys", "c:\windows\<username>.xlb. You should delete these files.This macro virus creats a file in your "XLSTART" folder called "Shn.xls". You should delete this file.This Excel macro virus drops HJB.XLS into XLSTART directory. On April 24th, when the hour is 14:00 the victim is given 2 chances to answer questions or the file gets deleted. The macro doesn't actually delete the file.This is a macro virus. It spreads by using the most common method of copying its viral code to the excel default startup directory as "personal.xls". The virus sometimes modifies C:\Autoexec.batThis is a Excel macro virus. It drops "personal.xls" in the Excel default startup directory. It also drops "sys32.reg", "sys32.bat" and "cate.sys". The virus sometimes modifies C:\Autoexec.batThis is a macro virus. It spreads by copying itself into other excel workbooks when they are saved.This is a macro virus. It spreads by using the most common method of exporting its viral code to C:\System.dat and use it to import/infect the global template Normal.dotThis is a macro worm. It does not spreads like other macro viruses, instead it uses word application files to trigger malicious attacks to the computer. It tries to deletes files with EXE COM TTF FOT extensions.This is a macro worm. It infects the global template Normal.dot on opening an infected document. The virus also drops MAMM.dot and MAMM.src into the Office startup folder.W97M.ThusThis is a macro virus. It infects the global template Normal.dot on opening or closing an infected document.This is a macro virus. It spreads by opening and closing documents. It will attempt to delete files from your hard driveThis macro virus changes the company name in the user profile to "Hyder". Periodically, the virus will print the time with the message: "I think works is enought" "You should back home!"This is a modified version of Kompu.A. There is no payload to trigger.This is a modified version of Kompu.A. The trigger check looks for Day to return either 66 or 68, which is wrong. If it were to trigger it would ask for "komm" to be entered.This virus is similar to both WM.Kompu and WM.Concept. It has two macros: AutoOpen and AutoClose. The virus is harmless.This is a corrupted / modified variant of WM.MDMA. MS Word may displays error messages while closing a document because of the corruption / modification.It may password-protect document with "Voce Gay por acaso??" On May 19, it adds a line into Autoexec.bat to format the HD. Then, it displays a message box "Alevirus labs..."WM.MuckThis is a simple macro virus that occasionally displays a message box that says 'Muck'. Other than that this virus does nothing but replicating. It is known to snatch user's AUTONEW macro.This is a version of the WM.Niceday macro virus, but with a corrupted or missing macro.This is a version of the WM.Niceday macro virus, but with a corrupted or missing macro.This is a version of the WM.Niceday macro virus, but with a different, harmless payload macro.This is a version of the WM.Niceday macro virus, but with a different, payload macro named PLAY.This macro virus attempts to drop a picture file to replace Win95 wallpaper. It drops a file C:\Windows\Command\evah.nik and creates a hidden directory C:\EvaHzg2.This macro virus displays a message box "Nova Votima" while exiting from MS Word. It infects on closing a document.This macro virus displays a message box on July 28th while exiting from MS Word. It infects on closing a document.Word Macrovirus that prints "IMPORTAT NOTTICE!" on Dec 13Npad macro virus variant whose AUTOOPEN macro is partially corrupted. As Npad maintains a counter in WIN.INI file, it may generate an error message after 23 execution when it tries to display a scrolling message.Winword.NuclearOn April 5th, it tries to overwrite system file IO.SYS, MSDOS.SYS & COMMAND.COM Printing within 5 seconds of a minute will insert at the end: "STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC". It also tries to drop a DOS virus.It intercepts Tools-Macro to display "1997 Master of Infection" message. It infects on opening document and File-save-as.W97M.Opey.B, W97M.Opey.CStandard macrovirus. On certain holidays, it appends a greeting to C:\autoexec.bat. It changes various name setting to "Opey"Standard macrovirus. On certain holidays, it appends a greeting to C:\autoexec.bat. It also changes various name setting.This Word 97 macro virus spreads its infection on all file access commands within Word: open, close, save, saveas and exit. It changes the user information, and removes any macros (good or bad) when it infects documents.This virus spreads its infection when opened. It drops a file called "FF.sys" in "C:\" directory. You can delete this file.At trigger date 10, 13, or 25, opening a document will replace its content with "Say goodbye to your data" 95 times followed by "(c) 96 Bandung" It also removes existing macros when opening a template.This is a Word macro virus. This virus infects NORMAL.DOT. It infects documents when they are opened. There is no payload contained in this virus.W97M.System.AThis virus is polymorphic. It will try to send it's self to everyone in the address book. It randomly picks string to place in the subject of email. Strings: (1)"version finale" or (2)"Un peu d aide..." or (3)"suggestion..."This is a Word macro virus. It infects when opened.On the 25th of the month, it will display a message box in Indonesian asking if you have pick up your paycheck. Tools|Macro is replaced with an error message "Internal error was occured in module UNIDRV.DLL"WM.UbahFile.AThis macro virus carries a destructive function that creates in C:\DOS batch files correspond to DOS command ChkDsk, Format, DeFrag & ScanDisk. Executing these DOS command will delete all directories from C:\.WM.AgentThis slow-polymorphic macro virus carries an unusual payload: at random time it tries to post the current document into USENET Newsgroup, provided Forte Agent Newsreader is installed.This is another damaged version of the Rapi macro virus. Unlike the others This does not degenerate into two lesser forms.Word Macro Virus. This is the second degenerate form, as the original RAPI will infect documents, but loses FileOpen macro along the way.Word Macro Virus. This is the lowest degenerate form, as the original RAPI will infect documents, but does not copy all macros from parent. It evolves on each infection until it reaches this version.Word Macro Virus, with 3 macros: AutoOpen, WINUPDATE, WORDSYSTEM. normal.dot has 2 additional: FileSave, FileSaveAs. Keeps a counter in winword6.ini; when Counter reaches 100, attempts to delete command.comMacro.Word.MessaAfter saving an infected file three times, it tries to delete all files in drive A (floppy drive) while saving the file. Its variants have corrupted macro(s).BigJohnsonAfter 5/28/98, it announces itself as "Big Johnson virus" and offers to remove itself. It also changes several spelling, like School => Schoo.Anti-virus-virusThis macro virus removes some well known macro virus family before infecting, stores variables in WIN.INI & WINWORD.INI, and drops an INLAY.DOT in WINWORD\STARTUP folder.AlarmIt uses AutoOpen to infect global template and document. Every five minutes, it runs AutoOpen again. Variants are by corruption or minor changes.Most variant of this macro virus has corrupted or others' AutoExec as it's SHOW/AUTOEXEC macro. Despite this, the spread occurs since the corrupted macro is not the one which copies the virus to other documents.ShareTheFunIf MS Mail is running on an infected system, this virus will use it to send mail to three random adressees. The message has the subject "You have GOT to read this!" and has an infected document attached.This Word97 macro virus intercepts Tools|Macro and File|templates to display message box "Word Basic Err =7" and replaced "Walkerden" with "Walkonair".This Word97 macro virus creates a hidden, system file c:\surround.key which should be deleted. On the 21st of any month the system will beep when NORMAL.DOT is being infected. On 12/29 the virus will delete C:\WIN*\win.com.This is a Word97 macro virus. This virus spreads its infection when a document is open or closed or when a new document is created.This is a Word97 macro virus. This virus spreads its infection when a document is closed or saved or when a new document is created.This is a Word97 macro virus. This virus spreads its infection when a document is closed or saved or when a new document is created.This is a Word97 macro virus. This virus spreads its infection when a document is open or closed or when a new document is created.This is a Word97 macro virus. This virus spreads its infection when a document is open or closed or when a new document is created.W97M.Thus.KThis is a Word97 macro virus. This virus spreads its infection when a document is opened or closed and when a new document is created.This is a Word97 macro virus. This virus spreads its infection when a document is opened or closed and when a new document is created.This Word97 macro virus spreads when a document is opened, closed, or newly created. When triggered, it opens up a new text file and outputting TestMakro Thus_100.This is a Word97 macro virus. This virus spreads its infection when a document is open or closed and when a new document is created.This is a Word97 macro virus. This virus spreads its infection when opened. On Dec 13 it searches the entire "C:" drive which does nothing but search for files.This is a Word97 macro virus. On March 11 it tries to delete all "*.sys" files from "C:\". It also displays a message "Happy Birthday". When pressed OK, it will delete all text from the document.This is a Word97 macro virus. This virus spreads its infection when a document is open or closed and when a new document is created.This is a Word97 macro virus. This virus spreads its infection when a document is open or closed and when a new document is created.This is a Word97 macro virus. On Dec. 13 of any year, it will delete all files from "C:" drive.This is a Word97 macro virus. This virus spreads its infection when a document is open or closed and when a new document is created. It also will create random documents using existing filenames throughout the computer.This is a Word97 macro virus. It infects normal template and drops infected template into the MS Office start up directory. It will execute its payload in the year 2002.W97M.JoyThis Word97 macro virus is a polymorphic virus. It infects the global template with AutoOpen and generates random comment lines within macros. It also display MessageBox and set passwords once awhile.W97M.AlejaThis Word97 macro virus infects the global template so that any document can be infected when it closes. The virus removes the Macro popup from the Tool menu and shows a Spanish virus message through the HeaderThis German Word 95/97 macro virus infects the global template. It only infects the German version of Word 95/97.This macro virus infects the normal template by using the attachment of an external template, i.e., the URL.This Excel95 macro virus drops Personal.xls into the excel startup directory so that it can infect other excel spreadsheets when they are opened.This Excel97 macro virus removes many menu-items menu-bar. It also drops N-E-G.XLM into the excel startup directory so that it can infect other excel spreadsheets when they are activated.This Word95 macro virus infects the global template Normal.dot with AUTOOPEN, AUTOCLOSE, FILEOPEN, FILECLOSE, FILESAVE, and FILESAVEAS.This Word97 macro virus infects the global template Normal.dot with FileSave and FileClose.This macro virus drops its code into the file c:\G00ber.sys which can be deleted. It replaces all occurrences of "the" with "shithe!", it tries to disable F-prot and older versions of NAV if present and it changes the document summary information.This Word97 macro virus infects the global template Normal.dot with AutoOpen, but all it does is spreading. It does not have any payload.This Word97 macro virus infects the global template Normal.dot. It drops a file "config.win" in "C:\" which is the viral code encrypted. You should delete this file.This Word97 macro virus modifies uses the assistant to wish Happy Birthday to the user on June 14.This Word97 macro virus will randomly replace lines of text of within the document. It also creates a copy of the viral code in the file c:\ﾉtudiant.cfg, which can be deleted.This Word97 macro virus creates a file c:\renegade.386. It also uses the assistant on the 5th of every month to inform the user the file is infected.This macro virus replicates using the "normal.dot". If the time is 8:45, it will show the Assistant with a message "Baby[Bench]Millenium". Then the text in the document will go blur.This Word97 macro virus adds a text footer of ####@hnet.pen to the active document when opened on Wednesday. Also, on the 1st of January, renames win.ini to a number based on a value (seqnum) within the macro.W97M.SolarThis Word97 macro virus has a payload triggered on the 30th of the month. The payload adds an infinite-loop into AUTOEXEC.BAT to display a message announcing its infection as "WM97.Solar"W97M.Steak.A, W97M.Steak.BThis macro virus affects Word 97 documents, and contains no payload. Copies of the viral code used are stored in C:\A1.sys and C:\A1.inf. These files can be deleted, but are harmless by themselves.A Word97 macro virus. It infects when you open or close the document.SkylineA Word97 macro virus. It infects when you open it. It drops a file "ascii.vxd" in "C:\" directory. That file can be safely deleted.W97M.VMPCK1.GenInfects by exporting INJEKT module as "c:\startup.log", and then importing into new documents. Changes volume label to "testicle". It also display various message boxes..W97M.SatteliteThis polymorphic Word97 macro virus also encrypts part of its viral body.It shows a scrolling message "Lontong Micro Device (c) 1993 By ICE-Man" It intercept Tools|Macro and File|Templates to display "Sorry" message box. It infects through AutoOpen and FileSaveAsThis virus disables the Tools:Macro submenu, and turns off macro protection, confirm conversion at Open, and prompt to save Normal. The names of two documents will be swapped unless PROTECT.SYS is in the root directory.When running MS-Word at exact minute, this macro virus tries to delete Access, Excel, Program Groups & Help files and replace text in document. It shows a fake error message when doing ToolsMacro.WM.Skam.AThis may set the File Summary Info to claim that the Green Bay Packers are champions of the 31st superbowl. It has a macro Skammy. Some variants of it has only AutoOpen macro.WM.SkammyBecause this WM.Swlabs has improper FileOpen, AutoClose, AutoExit, AutoNew, FileClose macros, MS Word does not respond when trying to Open, close, create new or exit from an infected file.These are modification of macro viruses generated from Swlabs generator. Some of the variants are improperly modified that MS Word will generate Word Basic Err message while opening any document.These are modification of macro viruses generated from Swlabs generator. Infects from normal.dot to new documents only on days 2,7,11,12 of the month.This do-nothing macro virus spreads on opening and saving MS Word Documents. Some variants have corrupted macros that make MS Word display "Word Basic Err" or "Out of Memory" error message.This is a word macro virus that spreads to documents and the normal.dot file. The virus produces a visual basic syntax error.This is a word macro virus that spreads to documents and the normal.dot file. The virus inserts three macros into the normal template, TH41, AutoExec, and FileOpen. It also creates random module names for the infected document modules.This Word 97 macro virus infects the normal.dot. It drops "Shabari.sys" in "C:\" directory. You should delete "Shabari.sys".This non-destructive macro virus infects normal.dot and creates a module called 'NOTHINGTOLOSE' in the document.This encrypted polymorphic macro virus temporarily creates a file in the root of c:\ called "flitnic.bat". This file is automatically deleted after infection.This non-destructive polymorphic macro virus creates the following files in the \windows\system folder: vnames.cpl export.sys pmf1199.cpl as well as two randomly named .cpl files. These files should be deleted.This macro virus infects Word97 files. It modifies the registry such the Internet explorer default start page is www.escalix.com/freepage/angel. Payload on thurs is to ask the user a riddle who's answer is Drawbridge.On the 17th day of any month, this virus appends it's destructive payload to c:\autoexec.bat.If this macro is executed on or after July 1, 2000, it will save the Active document up to 999999991 times into the C:\windows\ folder as AA#AA.doc (where # is between 1 and 999999991).Basic Macro virus. No Payload.This non-destructive macro virus displays a graphic form on Saturdays. The text of the form reads "Destro EXl - Silent Warrior 1998 - Tama Na!!!"This virus replicates when you open, close or create new document.This is a Word 97 macro virus. When opened or closed a message box pops displaying "CISI-LUPI".This virus employs several stealting techniques. It modifies c:\himem.sys and c:\windows\win.ini. It also creates a Visual Basic script that is executed from win.ini on the next restart of windows.This virus employs several stealting techniques. It also creates a Visual Basic script that is executed from win.ini on the next restart of windows. It is possibly related to the W97M.OverlordThis virus infects the normal.dot and deletes "C:\config.sys". In the document it displays "Foster" three times.This is a polymorphic macro virus. It tries to add a string in "autoexec.bat" file to delete all the files from "c","d" and "e" drive by using deltree command. It also drops "kill.bat", "autoexec.kil" and "stand.log" files in "C:\".When closing the infected document, it will create "C:\My Documents\粳砒饅" and copy the infected document in the new created document.This encrypted macro virus can infect both Excel 97 and Word 97 files.This polymorphic macro virus infects both Excel 97 and Word 97 files. Variant A displays a message on the 14th after May "I think USER is a a big stupid jerk". Variant B displays encrypted message.This virus infects both the MS-Word and Excel. It drops a file called "Word8.dot" in the "Office\Startup" folder or in "C:\". It infects the "normal.dot" also. In Excel it creats a file called "Personal.xls" in the "Office/XlStart" folder. It also creats 4 files in "C\". "sentry.sys", "ShThis macro virus can infect Excel 97, Word 97, and PowerPoint 97 files.W97M.StrangeDays W97M.TeoCatlThis macro virus can infect both Excel 97 and Word 97 files. It also tries to delete files from the current directory on the 26th of the month.W97M.Shiver X97M.ShiverThis macro virus can infect both Excel 97 and Word 97 files. At random, it modifies the caption of MS Word command bar or displays a nasty message. In Excel, it adds comment to randomly selected cells.W97M.Shiver X97M.ShiverThis virus creates files on the hard drive. You must delete them. The files are \SHIVER.SYS and \SENTRY.SYS. Please refer to O97M.Shiver.W97M.Shiver X97M.ShiverIt creates files that you must delete: \SHIVER.SYS, \SENTRY.SYS, \o6.reg, and \o6.bat. It also add HKEY_CURRENT_USER\Software\VB and VBA Program Settings key to the registry.PowerPoint 97 virusThis macro virus infects PowerPoint files. See WHATSNEW.TXT to find instruction on how to turn on PowerPoint scanning.WM.TwoLines WM.MsRun familyThe original WM.TwoLines has a timer to insert "~~" at certain interval of time. It infects when opening, closing and doing save-as a document.Standard macrovirus spreads via AutoOpen, AutoNew, AutoClose.Most variant of this macro virus family has destructive payload, like deleting files at random while closing an infected document. This family of macro virus is usually found in Taiwan.This virus is of the macro virus family. This virus will attempt to delete files in Word's graphics-filter, text-converter, and style-gallery-template default directories.Accessing Tools|Macro menu will password-protect the current document with "VHDL" as the password. It also tries to remove Tools|Option, Macro, and Customize, and File|Templates menu.W97M.DBThis is a Word 97 macro virus. On 11/6/2000 or after, it opens 21 documents if you open the infected document. Also closing the infected document, it open another 21.W97M.VMPCK1.GenThis VMPCK1 generated macro virus infects Word97 files. On February 29, it replaces all "year" to "fear" in the document. On exiting MS Word, it searches and infects DOC files in current directory.W97M.VMPCK1.GenThis VMPCK1 generated macro virus infects Word97 files. It may change the desktop color.W97M.VMPCK1.BH/BI/BJ W97M.AKRNLThis VMPCK1 generated macro virus infects Word97 files. It adds AKRNL macro module to infected Word document.This VMPCK1 generated macro virus infects Word97 files. It adds AKRNL macro module to infected Word document. It also exports the akrnl module to the file c:\ﾉtudiant.cfg.This VMPCK1 generated macro virus infects Word97 files. It adds XIX macro module to infected Word document. On a certain date, it will start replacing text and modify the EDIT menu/toolbar.It uses QUEEG_7450LX macro module, uses c:\queeg_7450lx.sys temporary text file, randomly changes disk drive's icon, and creates a file ("porno.doc", "readme!.doc",or "sex.doc") in P:, >R:, and s: drives.This macro virus is similar to W97M.VMPCK1.BM with HUM0_SUM0_1234 module. In addition, It will display a message "Happy Birthday Jesus!" on Dec 25 and run a program. Delete c:\start.scr or c:\start.exe if found.It creates DATA.DOT in MS Word startup directory. It is recommended to delete this DATA.DOT file along with C:\calvert.sys, c:\script.sys and c:\ip.txt if they exist.W97M.VMPCK1C.GenThis VMPCK1 generated macro virus infects Word97 files. It drops c:\sajoo.sys and C:\Program Files\Microsoft Office\Office\STARTUP\data.doc upon infection. It also changes the volume label of the C:\ drive to Sajoo.This VMPCK1 generated macro virus infects Word97 files. It adds AKRNL macro module to infected Word document. It also exports the akrnl module to the file c:\ﾉtudiant.cfg.This VMPCK1 generated macro virus infects Word97 files. It adds AKRNL macro module to infected Word document. It also exports the akrnl module to the file c:\ﾉtudiant.cfg.This macro virus infects Word97 NORMAL TEMPLATE and documents. It drops "c:\swinger.sys" containing a VBA code. In addition it drops "info.dot" infected template into MS Office start up directory.This macro virus infects Word97 NORMAL TEMPLATE and all open documents. It disables virus protection, macro VBA editor and spell checking tools. In addition, it deletes "c:\*.sys" on march 11th and deletes content of the active document.This macro virus replicates using "normal.dot". The payload is triggered after the month May, which will delete all files in "C:\" directory.WazzuThis virus is one of the most prevalent macro viruses in the wild. It has two payloads: 1) It can move up to 3 words to a random document location and 2) It can insert "Wazzu" or "" into the document.WazzuUnlike other Wazzu variants, this one does not have payload.WazzuWhen opening a document, this variant of the WM.Wazzu macro virus family randomly password-protects it with random numbers or inserts "Only Lucky ONE gets Mad Cow." into the document.WazzuWhen opening a document, this WM.Wazzu at random insert " BIG FUCK TO LAVOISIER LYCEE DE MERDE " into the document and delete words at random.WazzuUnlike other Wazzu variants, this one infects on closing a document. This virus attempts to remove the Concept virus.WazzuWhen opening a document, this WM.Wazzu variant moves words around or password-protects the document using the filename as the password if the document has more than 2000 words or it is the 15th of the month.WazzuUnlike other Wazzu variants, this one infects on closing a document.WM.AntiNS W97M.AntiNS.ASimilar to Wazzu.X. For more detail information, please visit http://www.symantec.com/avcenter/venc/data/w97m.wazzu.du.htmlWazzuWazzu variant with only an AutoOpen macro. Attempts to delete c:\windows\system\*.* on the 13th of the month.WazzuUnlike other Wazzu variants, this one infects on closing a document.WazzuThis is a Wm.Wazzu variant. This variant will change the attribute of the file making your document read only.It displays a message box "Microsoft AntiVirus Protection Version 1.0". It also removes macros while infecting, notably FileOpen, AutoOpen, FileSaveAs, AutoExec, etc.It replaces words at random, deletes c:\config.sys and c:\autoexec.bat on March 31, and shows a message in German saying "Hello, I'm the Easter Bunny telling you not to use computer on Easter Day, Easter Bunny Police"W97M.Worldcup98On the 12th or at 12th hour, it either displays a rotating text "World Cup 98" or a "form" titled "Virus WorldCup98" in French. Wrongly answering the form may trigger its destructive payload: deleting files/document content.Members of this virus family infect MS Word documents and templates. They use the WordBasic programming language to infect and trasmit to opened documents. They will transmit among various PC platforms including DOS, Mac, Windows and NT.This appears to be an unknown variant of a macro virus. Please submit this sample to the Symantec AntiVirus Research Center for analysis, as described in your manual.This file possibly contains viral macros from one or more sets of known macro viruses. Repairing will remove all of these viral macros.This virus infects MS Word Documents using the Macro language. It is most often transmitted via .DOC and .DOT files.BoliersThis Excel macro virus infects all currently opened spreadsheets and files in "C:\mes documents" directory. It also tries to add internet shortcut and bookmark to a www.groupeblier.chXM.BuletThis Japanese Excel macro virus infects opened spreadsheets. After an infected file is opened it tries to delete the file.XM.CauliflowerThis Excel macro virus infects opened spreadsheets that haven't been saved. After 1/1/1999, it displays a message: "Are you depressed" Answering YES will display "Depression hurts. PROZAC can help"DeltaThis virus infects MS Excel Spreadsheets using the MS Visual Basic Macro language. On the 5th of any month after January the virus tries to delete all *.ini files in the C:\WINDOWS directory and all files on the A: dirve.DiablosThis virus infects MS Excel Spreadsheets using the VBA language. It adds a hidden DIABLOS sheet into the Spreadsheet and drops PERSONAL.XLS in XLSTART directory. Scanning XLSTART directory is recommended.This virus infects MS Excel Spreadsheets using the VBA language. It drops an infectious Excel document "OFF97COM.XLA", or "Office 97 Compatibility" in LIBRARY directory.This virus infects MS Excel Spreadsheets using the VBA language. It drops EXTRAS.XLS, "Windows Extras.XLS", or "Macintosh Extras" in XLSTART directory. The module name is a random 25 characters, changing with each infection.This almost-intended macro virus drops AUTOSAVES.XLA in MS EXcel templates directory and deletes all files in XLSTART directory. It displays a fake error message "This program has performed illegal ..."This virus infect Excel spreadsheets and enables password protection in infected files. The password is GTHOMSON197168 or a number between 197 and 365 inclusive.LarouxThis virus infects MS Excel Spreadsheets using the VBA language. It adds a hidden LAROUX sheet into the Spreadsheet and drops PERSONAL.XLS in XLSTART directory. Scanning XLSTART directory is recommended.XM.LarouxThis virus infects MS Excel Spreadsheets using the VBA language. It adds a hidden LAROUX sheet into the Spreadsheet and drops a file in XLSTART directory. Scanning XLSTART directory is recommended.XM.LarouxThis virus infects MS Excel Spreadsheets using the VBA language. It adds a hidden sheet into the Spreadsheet and drops PERSONAL.XLS in XLSTART directory. Scanning XLSTART directory is recommended.This virus infects MS Excel Spreadsheets using the VBA language. It adds a hidden sheet into the Spreadsheet and drops KKKKK.XLS in XLSTART directory. Scanning XLSTART directory is recommended.Base5874This virus infects MS Excel 97 Spreadsheets using the VBA language. It adds a BASE5874.XLS In XLSTART directory. Removal of BASE5874.XLS is recommended.Base5874This virus infects MS Excel 97 Spreadsheets.It adds a "BASE5874.XLS" in XLSTART directory. Removal of "BASE5874.XLS" is recommended.This is an Excel macro virus. It copies itself into the XLSTART directory to be loaded each time Excel is opened. On June 1 a message box opens wishing a happy birthday to someone.XF.BlackFriday XF.SemanggiThis virus infects MS Excel Spreadsheets using Excel formulas (instead of macros). On the 13th of the month, it may displays messages about "Semanggi Clash"XF.Tjoro#2This virus infects MS Excel Spreadsheets using Excel formulas (instead of macros). It drops a file XL5GLRY. in XLSTART directory. Removing "XL5GLRY." is recommended.PaixThis virus infects MS Excel Spreadsheets using Excel formulas (instead of macros). It drops a file XLSHEET.XLA into the XLSTART or WINDOWS directory. Scanning for XLSHEET.XLA is recommended.Paix DamagedThis is a variant of the XF.Paix.A macro virus but it is corrupted and does not replicate.SicThis virus infects MS Excel Spreadsheets using Excel formulas (instead of macros).Laroux.CThis virus infects MS Excel Spreadsheets using the VBA language. It is transmitted via .XLS files. It drops a BINV.XLS in XLSTART directory. Removal of BINV.XLS is recommended.XM.PLDTThis virus infects MS Excel Spreadsheets using the VBA language. It adds a hidden PLDT sheet into the Spreadsheet and drops PLDT.XLS in XLSTART directory. Removal of PLDT.XLS is recommended.XM.PLDT XM.Laroux.EThis virus infects MS Excel Spreadsheets using the VBA language. It adds a hidden PLDT sheet into the Spreadsheet and drops a file in XLSTART directory. Scanning XLSTART directory is recommended.XM.LarouxThis virus infects MS Excel Spreadsheets using the VBA language. It adds a hidden sheet into the Spreadsheet and drops PLDT.XLS in XLSTART directory. Removal of PLDT.XLS is recommended.XM.Laroux damagedThis is a remnant of XM.Laroux.E that infects one time only. It PLDT.XLS in XLSTART directory. Removal of PLDT.XLS is recommended.XM.PLDTThis is a MAC version of XM.Laroux.E. See XM.Laroux.E for more details. You also need to scan the XLSTART folder.Laroux.AA LarouxThis virus infects MS Excel Spreadsheets using the VBA language. It is transmitted via .XLS files. It drops a PERSON2.XLS in XLSTART directory. Removal of PERSON2.XLS is recommended.LarouxThis virus infects MS Excel Spreadsheets using the VBA language. It is transmitted via .XLS files. It drops a A-A.XLS in XLSTART directory and creates hidden VIRUS-EDY sheet. Removal of A-A.XLS is recommended.LarouxThis virus infects all MS Excel Spreadsheets that is opened at the time. It drops the module CMDBUTTON to all the opened spreadsheets and add an icon next to the File menu.Laroux Laroux.ABThis virus infects MS Excel Spreadsheets using the VBA language. It is transmitted via .XLS files. It drops a PERSONAL2.XLS in XLSTART directory. Removal of PERSONAL2.XLS is recommended.LarouxThis virus infects MS Excel Spreadsheets using the VBA language. It is transmitted via .XLS files. It drops a VACATION.XLS in XLSTART directory. Removal of VACATION.XLS is recommended.LarouxThis virus infects MS Excel Spreadsheets using the VBA language. It is transmitted via .XLS files. It drops MERALCO.XLS in XLSTART directory. Removal of MERALCO.XLS is recommended.LarouxThis virus infects MS Excel Spreadsheets using the VBA language. It is transmitted via .XLS files. It drops a BOOK1.XLS in XLSTART directory. Removal of BOOKn.XLS is recommended (where n = number).LarouxThis virus infects MS Excel Spreadsheets using the VBA language. It is transmitted via .XLS files. It drops CECILIA.XLS in XLSTART directory. Removal of CECILIA.XLS is recommended.LarouxThis virus infects MS Excel Spreadsheets using the VBA language. It is transmitted via .XLS files. It drops a TAYASHIN.XLS in XLSTART directory. Removal of TAYASHIN.XLS is recommended.LarouxThis virus infects MS Excel Spreadsheets using the VBA language. It is transmitted via .XLS files. It drops a HOMGRID.XLS in XLSTART directory. Removal of HOMGRID.XLS is recommended.LarouxThis virus infects MS Excel Spreadsheets using the VBA language. It is transmitted via .XLS files. It drops GAY.XLS in XLSTART directory. Removal of GAY.XLS is recommended.LarouxThis virus infects MS Excel Spreadsheets using the VBA language. It is transmitted via .XLS files. It drops a CAR.XLS in XLSTART directory. Removal of CAR.XLS is recommended.LarouxThis virus infects MS Excel Spreadsheets using the VBA language. It is transmitted via .XLS files. It drops 1.XLS in XLSTART directory. Removal of 1.XLS is recommended.XM.NOCALThis virus infects MS Excel 97 and 95 Spreadsheets using the VBA language. It also copy itself into MS Excel startup directory the way XM.Laroux does, but as NOCAL.XLS. Removal of NOCAL.XLS is recommended.LarouxThis virus infects MS Excel Spreadsheets using the VBA language. It is transmitted via .XLS files. It drops SGV.XLS in XLSTART directory. Removal of SGV.XLS is recommended.LarouxThis virus infects MS Excel Spreadsheets using the VBA language. It is transmitted via .XLS files. It drops WINDOS.XLS in C:\WINDOS directory. Scanning C:\WINDOS directory is recommended.Laroux FOXZThis LAROUX variant uses FOXZ module sheet and drops NEGS.XLS in XLSTART directory. Removal of NEGS.XLS is recommended.LarouxThis LAROUX variant uses VIRUS module sheet and drops CREATIVE.XLS in XLSTART directory. Removal of CREATIVE.XLS is recommended.LarouxThis virus infects MS Excel Spreadsheets using the VBA language. It is transmitted via .XLS files. It drops SING.XLS in XLSTART directory. Removal of SING.XLS is recommended.JuniorThis Laroux variant uses JUNIOR module sheet. It drops MAIN.XLS in XLSTART directory. Removal of MAIN.XLS is recommended.LarouxThis Laroux variant uses PLDT module sheet. It drops PLDT.XLS in XLSTART directory. Removal of PLDT.XLS is recommended.LarouxThis Laroux variant uses ME module sheet. It drops INFECTED.XLS in XLSTART directory. Removal of INFECTED.XLS is recommended.Laroux, XM.LocasThis Laroux variant uses LOCAS module sheet. It drops VERA.XLS in XLSTART directory. Removal of VERA.XLS is recommended.Laroux.EO Laroux.GE GuyanThis XM.Laroux variant uses GUYAN module sheet. It drops PERSONAL.XLS in XLSTART directory. Scan and repair of PERSONAL.XLS is recommended.Laroux.DRThis Laroux variant uses RESULTS module sheet. It drops RESULTS.XLS in XLSTART directory. Removal of RESULTS.XLS is recommended.This Laroux variant uses the MONCI module sheet and drops DIMON.XLS in XLSTART directory. Removal of DIMON.XLS is recommended.This Laroux variant uses the SGV module sheet. It drops SGV.XLS in XLSTART directory. Removal of SGV.XLS is recommended.This Laroux variant uses SIEMENS module sheet & drops SIEMENS.XLS in XLSTART directory. Removal of SIEMENS.XLS is recommended. At 10am, 12pm, 2pm 3pm and 8pm, it moves cell around and changes cell format.This Laroux variant uses the LAWSON module sheet. It drops D-CVS.XLS in XLSTART directory. Removal of D-CVS.XLS is recommended.XM.BayantelThis virus infects MS Excel Spreadsheets using the VBA language. It adds a hidden BAYANTEL sheet into the Spreadsheet and drops BAYANTEL.XLS in XLSTART directory. Removal of BAYANTEL.XLS is recommended.This virus infects MS Excel Spreadsheets using the VBA language. It adds a hidden MARS sheet into the Spreadsheet and drops PERSONAL.XLS in XLSTART directory. Scanning of PERSONAL.XLS is recommended.This virus infects MS Excel Spreadsheets using the VBA language. It adds a hidden AOLA sheet into the Spreadsheet and drops PERSON.XLS in XLSTART directory. Removal of PERSON.XLS is recommended.This virus infects MS Excel Spreadsheets using the VBA language. It adds a hidden VIRUS sheet into the Spreadsheet and drops VIRUS.XLS in XLSTART directory. Removal of VIRUS.XLS is recommended.X97M.PTHThis virus infects MS Excel Spreadsheets using the VBA language. It adds a hidden PTH sheet into the Spreadsheet and drops PERSONAL.XLS in XLSTART directory. Scanning and repairing PERSONAL.XLS is recommended.This virus infects MS Excel Spreadsheets using the VBA language. It adds a hidden MARS sheet into the Spreadsheet and drops TRIAL.XLS in XLSTART directory. Scanning of TRIAL.XLS is recommended.This Laroux variant uses VODAFONE module sheet & drops PERSONAL.XLS in XLSTART directory. Scanning PERSONAL.XLS is recommended. It adds a footer and change the username to "free Kevin" referring to Kevin MitnickThis Laroux variant uses PA and CLASS1 modules. It drops PERSONAL.XLS in XLSTART directory. Scanning PERSONAL.XLS is recommended.This Laroux variant uses "BLEQQQ" module. It drops Auto2000.xls in XLSTART directory. Scanning Auto2000.xls is recommended.MajoduckThis Laroux variant uses MAJODUCK_SK_1 module sheet & drops OFFICE_.XLS in XLSTART directory. Deleting OFFICE_.XLS is recommended. At random, it deletes *.B*, *.C*, *.DLL, *.HLP from current directory.This virus infects MS Excel Spreadsheets using the VBA language. It adds a hidden sheet into the Spreadsheet and drops TMN.XLS in XLSTART directory. Scanning XLSTART directory is recommended.This Laroux variant uses "MARS" module. It drops "Personal.xls" in XLSTART directory. Scanning "Personal.xls" is recommended.This virus infects MS Excel Spreadsheets using the VBA language. It adds a hidden sheet into the Spreadsheet and drops PERSONAL.XLS in XLSTART directory. Scanning XLSTART directory is recommended.This virus infects MS Excel Spreadsheets using the VBA language. It adds a hidden sheet into the Spreadsheet and drops BAYANTEL.XLS in XLSTART directory. Scanning XLSTART directory is recommended.It drops a NINJA.XLS into XLSTART directory/folder and creates a hidden module sheet NINJA in infected spreadsheet. It doesn't infect spreadsheet whose name starts with "BOOK"MicrosofaThis virus infects MS Excel Spreadsheets using the MS Visual Basic Macro language. The virus changes the caption from "Microsoft Excel" to "Microsofa Excel". The virus is known to create buggy infections that cannot be repaired.This is a polymorphic direct infecting Excel macro virus. It infects any XLS file in the current directory with 25% chance. If the current directory is on A drive, it scrolls the caption when closing a file.Sugar.Poppy.A XM.SugarThis Excel macro virus infects all worksheets (including ThisWorkbook) in all open workbooks. It drops a "BOOK1" file in XLSTART.Sugar.Poppy.BThis Excel macro virus infects all worksheets (including ThisWorkbook) in all open workbooks. It drops a "BOOK1" file in XLSTART, and adds "AutoExec" subfunction in MS Word's NORMAL.DOT.Sugar.PoppyThis VBA module has Auto_Close subfunction added by X97M.Sugar. This Auto_Close will try to re-infect the file. The repair will remove this VBA Module including your own code in the module.Sugar.Poppy.PayloadThis is the AUtoExec subfunction that X97M.Sugar.B adds into MS Word's NORMAL.DOT. This is not a virus, but it should be repaired or deleted nonetheless.This virus infects MS Excel Spreadsheets using the VBA language. It attempts to clear your worksheet if you open it on a weekend, producing the message: "Today is rest day! Why do you work so hard?"This Excel macro virus drops a TDK-MAC.XLS in XLSTART directory and adds " A-TDK " viral-module-sheet. Depending on a marker in the Sheet1, it may password protect some worksheets with "uedasan"This Excel macro virus drops a #1SLIDER.XLA in XLSTART directory and adds " A-TPC " viral-module-sheet.X97M.XLScan X97M.OverKill VCX.VariantThis variant of X97M.VCX drops a XLSCAN.XLS in XLSTART directory and XLSCAN.386 in \WINDOWS\SYSTEM directory. It also generates many files with VCX or INF extensions in \WINDOWS\SYSTEM directory.X97M.XLScan X97M.VCX.VariantThis Excel macro virus drops a XLSCAN.XLS in XLSTART directory & MSOFFICE8.386 in \WINDOWS\SYSTEM directory. It also generates up to 12 files with VCX or INF extensions in \WINDOWS\SYSTEM directory. Winvir 1.4Infected programs contain the text "Virus_for_Windows v1.4" "MK92".Death to PascalWhen the virus is active, the message "Death to Pascal" appears, and all .PAS files in the current directory are erased.The infected program simply stops after the message "IT'S WITCHING HOUR..." appears.Different messages appear, based on how the virus is activated.The message "I'm WIZARD 3.0" appears one character at a time, and beeps are emitted.No information available.Boot virus that stores itself in the last four sectors of floppy or hard disk.The virus destroys the programs it infects. An infected program's date and time stamp are changed. A cold boot may be required after running an infected program.WordsWhen programs are written to disk, the virus swaps words within the file.Infected programs' size increases by 217 bytes.Probably meant to spread the WW-217 virus, this program instead causes the computer to hang, requiring a reboot.A cold boot may be required after running an infected program. The virus changes an infected program's date and time stamp.When the virus is active on March 5th, the message "...The ARcV [X-1]..." appears.FungusInfected programs contain the text "X-Fungus by...Nugga! Greets SCP..."Christmas Tree, Apr. 1st, TannenbaumWhen active on April 1st, the virus destroys the hard disk master boot record. From December 21st through January 1st, a Christmas Tree is displayed.Direct action EXE infector that will infect file all around your hard drive.Mog, MacabiThe message "Maccabi Yafo Alufa !!!" appears. The virus changes an infected program's date and time stamp to 15FEB91 12:00a.TP##VIRThe virus plays the "Yankee Doodle" tune each time it infects a program.Yankee.44.A Yankee.44.BThe virus goes memory resident and infects exe and com programs when they are run. Repaired files may be slightly larger than uninfected files, because of harmless padding bytes at the end of the file.Wench, June 17thWhen active on June 17th, the virus displays two hearts that outline the screen and meet in the center, types "Yaunch && Wench" and frames the text in hearts.EUPM, AprilaprilWhen the virus is active in 1992, the hard drive is overwritten.When the virus is active on March 23rd, the following message appears: "Be Careful. YEKE Controls Your Computer".Infected programs contain the text "McAfee, geht nach Hause!..."When the virus is active, the message "Divide overflow" appears.This is a trojan and must be deleted. This program pretends to be a Y2K compatibility checking program when in actuality it is corrupting all files on your system. The only repair available is to restore your system from backup copies.MinnowThe virus places its code in unused areas of the infected program.Zero-to-0The virus infects two programs at a time by overwriting them with viral code. These infected programs no longer run properly. Changes zeroes on the screen to capitol O's. Contains the text "ScUD 1991!".PaletteThe virus changes the seconds field in an infected program's time stamp to "62". After the virus infects COMMAND.COM and a certain amount of time has passed, a smiley face appears and deletes all 0's on the screen.LozinskiWhen the virus is active, sometimes the message "Aidstest topaywka" appears. The virus changes an infected program's date and time stamp.Has a video effect. Contains the text "comexe".The virus changes an infected program's date and time stamp. When the virus is active, sometimes the message "ZZ Top is the best!!!" appears.Happy Birthday Joshi, Stealth VirusIf the computer is booted on Jan. 5th of any year, the virus displays the message: "type Happy Birthday Joshi" and halt the computer. If the user responds appropriately the system continues normally. If not, the system hangs.The virus drops a character to make it appear that a keystroke was missed.KoreaThe virus moves the original boot record to the last sector of the root directory. Any data located there is lost.Thailand, Loa DoungThe virus plays a tune on each 128th disk access. The virus infects floppy disks when they are accessed using the DOS DIR command.The virus may cause the computer to halt when it starts. Booting from a new floppy disk causes that disk to become infected.Mistake, TypoThe virus inserts typos in all text going to the printer.After the virus is active for four months, it plays a tune when a floppy disk is accessed.Bouncing Ball, ItalianWhen the virus is active, a small ball appears and bounces around the screen.Bouncing Ball, Italian BWhen the virus is active, a small ball appears and bounces around the screen. This virus can infect the hard disk boot records. The virus functions only on 8086 and 8088 processors.India, PrtScThe virus moves the original boot record to the last sector of the root directory. Any data located there is lost.QueenslandWhen the virus triggers the MBR is erased and the message "Unauthorized Access - Micro Cop" flashes on the screen.Smiley WormThe virus changes the computer's time stamp to zeros. It hides the infected boot record on floppies to avoid detection.Telefonica, Anti-tel, CampanaThis boot sector virus is spread by the Kampana family of file viruses.SwapAfter the virus is active for 10 minutes, the characters displayed fall into a pile at the bottom of the screen.The virus overwrites the root directory on floppy disks. Any data located there is lost. Booting from an infected floppy disk displays the error message "Disk boot failure".The virus copies the hard disk's C: drive boot record to the last sector on the hard disk, and then infects the C: drive's boot record.AthensThis is a fairly generic file infector. It goes resident, but does little more than replicate. The following text string is encrypted within the viral code: TROJECTOR II,(c) Armagedon Utilities, Athens 1992When a write-protected floppy disk is accessed, a slash / character or a flashing box appears as the virus attempts to infect the disk.The virus infects when programs are run or DOS "dir" command is used. After 20 infections it formats the first track on C:, A:, and B: and displays: "Your disk is formated by the LOREN virus."AMSES, NOPS, STB, StelbooThe virus is based on published code from a virus tutorial. It does not contain any intentionally damaging code. Starting Windows with the virus resident will dump you to a DOS prompt and leave the system unstable.January 1This variant of the November 17 virus triggers on January 1st of any year by overwritting critical sectors on the current drive.Quarry, QueryAn infected boot sector contains the string "QRry". If the month is December of any year, the virus overwrites portions of the current drive.This virus steals 4K from top of memory. On 21OCT, it prints "Leandro and Kelly ! GV-MG-Brazil" and the date of first infection.The MBR component of this virus slowly encrypts the harddisk. Infected files can be deleted.Contains the text "M a d e i n C h e n g d e n" and the lyrics to the Michael Jackson song Thriller.Red BookCode in the virus to seek host files is visible as the text strings: "=EXt", "=COu", "MuZ", and "EuN".The virus contains the text "A pretty girl came into the world on 1-9-1968 I love her".Jack the RipperWhen active in memory, Ripper will randomly corrupt disk writes. Approximately 1 in every 1,000 disk writes will be affected. The virus contains the encrypted message: "(C) 1992 Jack Ripper"Cansu, SigalitThis virus displays a large red "V" on the screen and halts the computer after it infects 64 diskettes. The virus tries to locate and remove the Stoned virus, but fails due to a bug.Swiss ArmyContains a message in German about disbanding the Swiss army.MISiS, NIKAContains messages in Cyrillic text.2448Often partially infects files by adding code to the end of the file but failing to modify the file header.Lycee, LyceumThe time stamp on infected programs is changed to 00. The program avoids infecting an eight-letter program that starts with "AI" and any program with "SCAN" in it.1784, 3-Tunes, PinchinchaRandomly plays one of three tunes.This companion virus spreads in a compressed form. It creates .COM file to hide .EXE from operating system. You can avoid that by deleting this virus.LapseContains the phrase "Memory Lapse".This virus goes memory resident and infects exe files that users run.Infected files contain the phrase "sayha watpu".Infected files end with the phrase "Wildfire".Contains an encrypted poem.Contains the text "peace man, peace" and displays a visual graphic of a face and two hands giving the peace sign.Pathogen, Queeg, ResultThese viruses contain the SMEG mutation engine.Infected files end with the text "Turbo Hamster Virus!"James BondInfected files have the text "James Bond is alive!" at the end of the file.Contains the encrypted text "You have the Joker ]I[ virus by Crypt Keeper" and several "joke" error messages.Contains the text "MUTAtOR (C) Mutation Inc."BootacheContains the encrypted message "*YAM*. Your PC has a bootache! - Get some medicine! Ontario-3 by Death Angel."512Contains the encrypted texts "Virus", "INFECTED", "RB91", and "G2".Contains messages asking for money.We Are PROContains the encrypted message "We are PRO".ARCV-4Contains the text "[ARCV-4] Apache Warrier, ARCV Pres."Infected files end with the text "[LockUp] VCL".Contains the encrypted messages "Wild Thing" and "It's Friday... Enjoy the weekend with your computer."Contains the text "WILLOW come in."ZZInfected files end with the text "*ZZ* v 1.0".Generic-1The virus checks to see if it has infected a diskette every hour. If it has not infected a diskette in that time, it prints the message "PARITY CHECK" to the screen and hangs the computer. This virus can survive a warm boot.This DOS virus hooks INT 21 and infects both EXE and COM files upon execution.TrackerModifies CMOS hour alarm field and may modify data written to disk.Contains the encrypted messages "Sweden 1994" and "The Junkie Virus - Written in Malmo". The virus contains no intentionally damaging code, but will corrupt .COM files over 64k. It disables the antivirus included with MS-DOS 6.James Bond The message "James Bond is Alive!" can be seen at the end of infected files.This family of viruses contain the text "Viking#", where "#" is the version number, which is visible at the end of infected files.Dec3This variant of the Viking family appears to be in the wild.Contains encrypted text calling it the "YB" virus.Contains encrypted text calling it the "K-4C Virus".The text "Junior" is visible at the end of infected files.The virus infects one .COM and one .EXE file in the current PATH when an infected file is executed. If the PATH variable is not set, the virus may hang the system. The message "KAOS4 / Khntark" is visible near the end of infected files.These viruses contain the names of characters from an old television show.The virus often hangs the system. It may occasionally play music.RitzenContains a dedication to a Minister of Education and Science and complains about budget cuts.At 11:00 am on any Friday it may print the message "Runtime error 412".Prints the message "Nice to meet you! Copyright(c) 1-10-1993 By Ming. From Tuen Mun, Hong Kong Version 1.00"These viruses contain the encrypted text "RuBBit RuBBIt" and a version number.Contains the text "[Whisper presenterar Tai-Pan]".The virus infects by recursively searching the directory structure. It randomly writes garbage to files. Contains encrypted messages including "A teraz maly test ... Hi,hi. Piotr Panek Corp 1992 version v1.4".The virus disinfects an infected file when it is executed and infects another file in the same directory. Contains the text "Magyar V ndor '92 V rMiki. Ez a program fert z tt (volt)! Most Megyek, cs!"Contains the text "Old Scribe by Nostradamus [NuKE'94]". Interferes with screen output.Contains the text "Kaakon and Kristin Blew It Up Again". Overwrites hard disk.Infected files grow between 654 and 669 bytes. Repaired files may have extra bytes attached as a result. But the virus will be gone. This one only infects EXE files while the other Trakias also infect COMs. Discovered in Turkey.Often clears the screen and displays garbage.Prints the message "You shouldn't use your computer so much, its bad for you and your computer." each Christmas.This virus contains the text, "Tony" and "SSI v . 1.00"Contains text of heavy metal songsPrints the text, "T-1000" after an infected file is executedPrints the text, "------------------------ Hello, I am virus ! ------------------" when an infected file is executed.Contains, "Tempest - Of Luxemburg". On the 30th of any month after 1992, it destroys partitions less than 32MB. Marzia.C (x), Marzia.2048.ww.c, MarziThis virus appears to have no triggers. When it infects the MBR, it's location is stored based on the geometry of the disk.On 1st and 2nd of each month it displays messages and gives credit to the author_1099This virus appears to do nothing but replicate.Contains the text, "-=*@DIE_LAMER@*=-" and "VLamiX-1". It is often necessary to copy and infected file to another name/file and then repair the copied file. Once repaired, copy the repaired file back over the infected one.7%, Seven PercentA PS-MPC creation. It can zero CMOS and wipe out drives less than 32Meg.ShawareContains the phrase "This virus is shaware!"ShinyA PS-MPC creation. Contains the phrase "Shiny Happy Virus".The strings "Welcome" and "BUPT" exist near the end of infected files. Believed to come from China.A family of viruses created by a virus creation tool.JIMIIn the wild in Europe.Peter IIOn 27FEB, will scramble the hard disk and ask music questions. "Correct" answers are 4,4,2. Will unscamble only if supplied the "correct" answers. DO NOT TURN OFF THE MACHINE DURING THIS STAGE! In the wild in Japan and US.Upon infection, the following text is printed: "The Rise and Fall of ThunderBye-1994-Australia. You Will Never Trust Anti-Virus Software Again!! [LEMMING]Renegade.1176Part of the infection process of the Renegade virus is to modify the time stamp of the file, changing the seconds field to 62 (a system impossibility). This is the means by which it verifies if it has already infected a given file.Term3291Creates a hidden system file named VMEM.SYS and then includes a device line in the CONFIG.SYS. Once the system boots, this virus will go memory resident.This is a trojan horse written in Visual Basic 5.0. It will delete many important system files in the windows directory and random files on your disk. It may also drop a file called bye.bat. Delete this file.This virus appears to do nothing but replicate.This virus uses a primitive method of polymorphism to avoid detection.2kb, French Boot, Neuville, ToucheThis virus goes resident, but does not destroy anything intentionally. It is highly prolific in Europe.1813, Friday 13th, IsraeliThe virus goes active on Friday the 13th of any month. Once active, any program run on that day is deleted. 30 minutes after the first deletion, the computer slows down and the screen scrolls up two lines.Oi DudleyThis is a fairly generic file infector (appending). It contains the following encrypted text string in the viral code: "[Oi Dudley!][PuKE]"Stealth 2This is a fairly generic Floppy Boot Sector and MBR infector. It goes resident, but does not destroy anything intentionally. When resident, it will attempt to infect any disk accessed.Urkel has no known intentional destructive abilities. It does, however, trigger on the hour and print the following text to the screen: "Urkel"A bug in the virus will cause irreparable damage to files that are originally less than 400 bytes or greater than 63000 bytes.Happy Days TrojanAttempts to delete DLL, INI, GRP, DRV, COM, and EXE files from the WINDOWS and DOS directory. Also attempts to overwrite AUTOEXEC.BAT with its own version. Delete infected files.BizatchDirect action infector of Windows 95 Portable Executable (PE) files. Due to bugs in Boza, infected files may be corrupted. On the 30th of any month, a dialog box displaying: "The taste of fame just got tastier" is displayed to the screen.NAV Test FileThis is a sample text file for which a unique definition exists in NAV. Its purpose is to demonstrate NAV virus file detection without the use of an actual virus file. Use the DOS command TYPE to read the file for more information.Fated TrojanThis is a simple batch file trojan that enters multiple directories on the C drive and deletes many of the files. Delete this if found.Deleting this definition from the set will cause NAV for NetWare to create a new def file. Its automated update capability will then update all other NLMs with new defs. If you are updating your NLM with this new set, delete this def now.The virus is actually a "stub" that the Virus Creation Lab (VCL) adds subroutines to in order to create viruses. This stub is not viral, but reboots the machine. This may also detect viruses created by VCL.The virus prints a message on August 1st, and hangs the machine with a tone coming out of the speaker. It frequently overwrites files with zeros, or mangles them so they don't run.This does not infect other files, but gets a user's password and user ID and e-mails it to a 3rd party, who then uses it unlawfully. Contact AOL if this trojan is found. Delete the infected file.This does not infect other files, but gets a user's password and user ID and e-mails it to a 3rd party, who then uses it unlawfully. Contact AOL if this trojan is found. Delete the infected file.Stoned.Empire.DamagedThis is a remnant of Stoned.Empire.Monkey.C after FDISK has been run on an infected MBR. This is almost always found on the 2nd physical hard drive.THIS IS NOT A VIRUS. The EICAR Test File is an internationally recognized, non-virus code string included for analysis purposes only. Again, THIS IS NOT A VIRUS.THIS IS NOT A VIRUS. This is a test file for LANdesk Virus Protect, NOT A VIRUS.The routines that infect EXE files in this virus are buggy. "Infected" EXE files will not run, nor are they repairable.In rare cases the virus will fail to save the original code segment of the uninfected host. No repair is possible for these files. If a file that was repaired no longer runs properly it should be deleted.Pinworm.2585, Pinworm.2371This occasionally corrupts files it infects. These "infected" files will not run, nor are they repairable.This is not a dangerous nonmemory resident parasitic virus. It searches for .COM files and writes itself to the end of the file. It blinks with NumLock/CapsLock/ScrollLock indicators.Simple companion virus. Erase the detected file. Original files will be renamed. For example, LIST.EXE becomes LIST .EXE (the extra unviewable character is the alt+255 character.)This appends itself onto EXE files, but does not change any of the program's instructions. The virus code is never executed in EXE files, and thus is not infectious. COM files are infected in a typical manner, and easily detected.This infects COM and EXE files, but is also easily repaired. It is very unremarkable, and not appear to do any damage.Blah.3379, Blah.3385This infects AUTOEXEC.BAT with commands to infect the boot record of the boot drive. Drives with infected boot records will not boot due to a bug in the virus code.On December 4th of every year, this prints a birthday greeting to a tennis player, and says how old the player is on that day.This forces the computer to constantly reboot on July 27, rendering it inoperable. The string "Ugly Jo's birthday" is present on infected disks.On April 21st of every year, a message box appears giving credit to the author of this virus.Compback.3783This is a very stealthy virus which infects files and MBRs. On occaision, it will modify the header of a file, but not append the virus, leaving it unrepairably damaged.This is a simple memory-resident file infector. It is different from other viruses because it contains code to avoid infecting well-known anti-virus programs.This virus will attempt to corrupt the A:, B:, and C: drives on May 4th, with a great risk of data loss. Infected files contain the strings '(C) May 4th 1993' and 'Indonesia'.Makes copies of original files as hidden files in the root directory. Check the root directory for hidden files after infection is detected to retrieve disk spaces. Hidden files are clean. Triggers if hundredths timer is 9 or less.Infects EXE files, sometimes inserting itself into the middle of the file, instead of appending to the end. This is buggy, and often corrupts its hosts.File infector. Display a string about the virus being for those that died for Madrid. Infects only COM files.ElviraPolymorphic file infector based on date. It contains text in french. Infected COMS are converted to EXE's.COM file infector. Easily repaired. A generic virus. Seems to have been created just to spread. No payload found.BigCaibua.2262,Vienna-Drp,MCA.BUAThis infects other files with Vien.Bua.2263. Delete the (Gen1) versions of this if found. Other infections can be easily repaired.Weed v1.1This infects other files directly as soon as it runs. It infects multiple files at once everytime it is run. It turns files into an EXE regardless if the original was a COM or EXE. Encrypts using WORD encryption.This trojan drops a filed called Rfpmgrtoet.exe in c:\windows directory and adds a call for that file in win.ini and system.ini. It adds itself under the following registry key: HKLM/Software/Microsoft/Windows/CurrentVersion/RunServices. You shouldUnashamed NakedBuggy boot sector virus that can corrupt the system if infected more than once. In these cases NAV may not be able to repair and you must use a rescue diskApocolypticMemory resident COM and EXE infector. It uses three layers of encryption.This is a generic file infector. Infected files will display the banner ChEaPeXe v2.0 Virus if it is the 4, 12, 17, or 25 of the month. It infects COMs and EXEs.A boot infector. A machine with an infected hard disk will infect and unprotected floppy disks that is used in the machine. It is encrypted and hides itself from disk reads.This is a Floppy infector. Booting from a floppy infects the harddrive by changing the partition table. The system unable to clean-boot with MS-DOS 5.0 Use a clean MS-DOS 3 and run NAV. After 120 boots, it writes HD randomly.Any unprotected floppy disk will be infected. It infects MBR of Hard Drive such that the HD is unreadable. Based on the current time, it trashes HD & displays "INTERNET esta' restringido."Similar to Rotceh, any unprotected disk will be infected. It infects MBR such that the HD is unreadable. Based on the current time, it trashes HD & displays "Claudia H.E. Quisiera poder no sentir, lo que ahora quisiera poder alvidar"Third version of this file infector. It infects a set number of files in the current directory, but now goes to other drives to infect as well. When the payload triggers, a space-like screen will appear.A highly encrypted file infecting virus that will randomly print out the message: "I'm the XUXA 2.1 virus... everybody is happy."Will infect the first 3 uninfected files it can find. The infection will trigger on a random Month/Day pair and attempt to destroy the hard drive and any disks in the floppy drives.Simple file infector that infects COM and EXE files.This attempts to steal a user's password for their on-line service, and e-mail it to someone else. Delete if found.This is an encrypted file-infecting virus. Only files in EXE format are infected. Files with *.COM names will be infected if they are internally formatted like EXE files.A simple file infector. It appends itself to COM and EXE files. It may corrupt the host file and render it useless before and after it is repaired. ContainsDelta Forever X.A simple file infector. It appends itself to COM files. After infecting a few files, the machine will crash.This trojan intercepts passwords and e-mails them to an unknown user. It infects by adding a line to WIN.INI. A message box with the title "HaVoK Password" appears when windows is started. Delete if found.A multipartite file infector. Will infect the hard drive and any disk accessed by an infected machine. Infected COM files will infect other machines when executed.If the Norton AntiVirus reports this infection in a file, this means the Bloodhound (TM) system has analyzed and determined the file exhibits virus- like behavior (i.e. it may contain a new/unknown virus).If the Norton AntiVirus reports this infection in a file, this means the Bloodhound (TM) system has analyzed and determined the file contains some viral signature (i.e. it may contain a virus).If the Norton AntiVirus reports this infection in a Word file, this means the Bloodhound (TM) system has analyzed and determined the file exhibits virus- like behavior (i.e. it may contain a new/unknown macro virus).If the Norton AntiVirus reports this infection in an Excel file, this means the Bloodhound (TM) system has analyzed and determined the file exhibits virus- like behavior (i.e. it may contain a new/unknown macro virus).If the Norton AntiVirus reports this infection on a disk, this means the Bloodhound (TM) system has analyzed and determined the disk exhibits virus- like behavior (i.e. it may contain a new/unknown boot virus).If the Norton AntiVirus reports this infection on a disk, this means the Bloodhound (TM) system has analyzed and determined the disk contains some viral signature (i.e. it may contain a boot virus).Will appened itself to a number of files when an infected file is exectued. Does not infect all files at once however. Virus will infect over itself.File virus which goes memory resident. Adds some padding bytes to infected files, hence after repair, extra bytes may remain on file.Boot infector. Will overwrite the boot sector code with it's own, but retains BPB. TSR's should not function properly since it make INT 12 always return 639k bytes free.It will hook the infection routine to interrrupt 8, then restore it after it hooks interrupt 21. No clean as it doesn't save original file date. Delete infected files.On the 19th of January, this virus will corrupt the hard drive's file allocation table, making it almost totally unusable.This is a file appender infecting COM and EXE files. It contains the string "I love you" and it's maker. It adds padding, but the infection size is constant.A polymorphic file infector targeting EXE files. The decryption is very basic despite being a polymorphic virus. Only the decrypting code is polymorphic.Anxiety.PoppyThis virus infects 32-bit Windows programs. Infected files can easily be identified by the string "Anxiety.Poppy.95 by Vicodin" found near the end of the file.Anxiety.Poppy.IIThis virus infects 32-bit Windows programs. Infected files can easily be identified by the string "Anxiety.Poppy.II by VicodinES" followed by a poem found near the end of the file.This is a stealthing, encrypted file infector. This will destroy the user's hard disk on the 25th of November every year.This infects 16-bit Windows executables. Infected files contain the string "Poppy by VicodinES and the Narkotic Crew".This infects 16-bit Windows executables. Infected files contain the string "Skim.Poppy by VicodinES".DelTree Trojan #2This invokes the deltree command to delete the user's hard disk. If the deltree command is not valid, an error message will result. Delete if found.It invokes the deltree command either directly or by adding it into AutoExec.BAT to delete the user's hard disk. Delete if found.This is a simple boot sector virus that infects the boot sector on hard drives also.This is a slightly corrupted version of WM.Cap.A. Files that are infected by this will be detected and repaired as WM.Cap Family.The original variant of this macro virus contains the text "I love you, Roberta" in Italian. It infects documents when they are closed.WM.VNo1This virus originated in Japan in early 1998. It replicates easily, and on the 13th of every month, displays several messages in Japanese, and makes many changes to the user's document.Vice5.3952This is a polymorphic virus that infects files as they are opened, not as they are run.Lizard.W95This is a dropper that puts the file LZD.VXD in the IOSUBSYS directory of a Windows95 system, and adds an entry to it in the SYSTEM.INI file.This is a VXD that is dropped by Lizard.2633 into the IOSUBSYS directory of a Windows95 system. It does not do anything, but will replace itself if deleted. It can be deleted manually after booting into 'safe mode'.This is a dropper that puts the file DZL.386 in the SYSTEM directory of a computer running the Windows OS, and makes a reference to the file in SYSTEM.INI.This is a device driver file that crashes the system when loaded at boot-up. To remove, delete the file from the SYSTEM directory, and delete the reference to in in SYSTEM.INI.This trojan appears to be deleting all the files on the user's hard disk when it runs, but actually does nothing. It was written as a lesson to unsuspecting users. Delete if found.W32.ApathyW32.Apathy is a memory resident virus that infects Windows PE executables. It delays before infecting files.W32/ASpam, TROJ_ASPAM.A, Aspam.TrojanW32.ASpam.Trojan is a remote access trojan that may allow unauthorized users to access files on your PC. You should delete the file C:\WINDOWS\SYSTEM\ AMCIS32.DLL from your computer.W32.ASpam.Trojan.B is a remote access trojan that may allow unauthorized users to access files on your PC. You should delete the file C:\WINDOWS\SYSTEM\ DRVMAN32.DLL from your computer.This is an internet worm. The original version is infected with the W32.CTX virus with the file name of SETUP.EXE. It copies itself as RPCSRV.EXE.W32.CTX is a direct infector of Windows executables. Due to the complex nature of this virus, NAV may take a few minutes to detect a file infected with this virus. The repair can also take a minute or two.This is a direct infector of Windows PE executables. It displays message boxes on Sep 24, 1999 - "This >TOTILIX< Virus was assembled at the city of Oporto Portugal! gas_par@hotmail.com (c) 1999 G@SP@R aka Sexus".This is not a dangerous nonmemory resident parasitic virus. It searches for new EXE files in current and C:/WINDOWS directories, then writes itself to the end of the file. While infecting the virus creates temporary C:\TENTACLE.W32.CabanasThis virus infects Win 95 EXE files in the current directory, as well as the \Windows and \Windows\System directories.Win32.Champ.5447.bThis virus is a direct infector of Win 95 EXE files. During some infections the virus corrupts the file.Chernobyl CIH_SpaceFiller PE_CIHThis virus infects Win 95 EXE files. The virus may cause damage to the user's computer on the 26th of the month. The virus hides itself in unused portions of the host, so the host file size does not change.This Windows virus becomes memory resident and infects files that are accessed. To clean this virus, one must first boot clean so that the antivirus program does not become infected.This virus is a direct infector of PE EXE files. It only replicates when run under DOS. It writes the viral code into 300h from the top of the file if the byte at 300h is zero.This virus infects Windows PE EXE files. It renames the original file with a .BIN extension. It copies the viral code to the original filename with the .EXE extension. To fix your files, rename the .BIN back to .EXE.This virus infects PE EXE files. The virus is memory resident and infects KERNEL32.DLL. The next time Windows is rebooted, the virus infects files that are executed.This virus infects PE EXE files. The virus is memory resident. It drops a DLL file in the WINDOWS/SYSTEM directory.This virus infects Win 95 EXE files. The virus will sometimes destroy parts of the orignal host so infected files must be replaced.This virus drops three files to windows system directory and temp directories which should be deleted. Those three files are named DISCV.DLL, LCV_SYS.EXE and TCV.EXEW95.HPS infects Windows 95 EXE files. Running an infected program will cause the virus to go memory resident. The virus will then infect any program that is run subsequently.El IncaThis is the file FONO98.VXD that W95.Fono drops in \Windows\System. The virus also adds "device=c:\windows\system\fono98.vxd" to SYSTEM.INI. This line should be deleted from the SYSTEM.INI file, and FONO98.VXD should be deleted.El IncaW95.Fono first drops FONO98.VXD in \Windows\System. The next time that the user boots up the system, the virus goes memory resident and attempts to infect Windows95 executable files when they are run.W95.Kenston infects Windows 95 EXE files. Running an infected program will cause the virus to go memory resident. The virus will then infect any program that is run subsequently.MrKlunkyThis is a Win95 virus that infects using a MrKlunky.VxD file hidden in \WINDOWS\SYSTEM or \WINDOWS directory. Please scan those directory or delete the files manually.MrKlunky DamagedThis file is probably damaged/corrupted by W95.Klunky virus. Please restore from backup.MrKlunkyThis is a Win95 VXD (MrKlunky.VxD) file dropped by W95.Klunky virus. This VxD file must be deleted, and Win95 registy entry that loads it needs to be removed.Win32.Kriz.3740This virus infects Windows PE EXE files. It has a payload that gets triggered on Dec 25. It will erase the CMOS, attempt to kill the Flash BIOS and overwrite all files on all drives.This virus infects Windows PE EXE files. It is a direct infector. For EXPLORER.EXE, it only appends 8233 bytes to the end of the file but does not change the entry point.This Win95 virus modifies KERNEL32.DLL & saves it in the WINDOWS directory. The virus infects all .EXE files that are accessed. The infected KERNEL32.DLL in the WINDOWS directory must be deleted.W95.Lud.Jadis is a direct infector that infects Windows PE executables. The virus infects files in the current directory and its subdirectories.W95.Lud.Jez is a direct infector that infects Windows PE executables. The virus infects files in the current directory and its subdirectories.W95.Marburg infects Windows 95 EXE files. It infects files in the \Windows and \Windows\System directories. The virus is polymorphic. Infected files are padded so that the filesize will be divisible by 101.W95.MarkJ infects Windows 95 EXE files. Running an infected program will cause the virus to go memory resident. The virus will then infect any program that is run subsequently.W95.Maya is a direct infector that infects Windows PE executables. The virus infects files in the current and Windows directories.W95.Memorial infects Windows 95 EXE files, as well as DOS executable files (COM and EXE). The virus drops CLINT.VXD in the root directory, and uses it to infect other files. The file CLINT.VXD should be deleted.W31.NEHeader is a direct infector of NE EXE files. It only replicates when run under DOS.W32.Niko is a memory resident virus. It infects Windows PE files. The viral code is encrypted.W95.Obsolete is a direct infector of PE EXE files that have DUM as the first three letters in the filename. It infects files in the current, WINDOWS and WINDOWS\SYSTEM directories.W95.Padania infects Windows 95 EXE files by going memory resident, and then infecting any other files that are run. The virus usually overwrites part of the host, making a complete repair impossible.This virus infects Windows PE EXE files. It is a memory resident virus. Infected files grow by 2048 bytes.W32.Redemption is a memory resident virus that infects all EXE files (PE, NE and DOS) in the WINDOWS, WINDOWS/SYSTEM and current directory. It only replicates under Win32.W95.Regswap infects Windows EXE files in the current directory. Some infected files may be corrupted.W95.Rinim.431 infects Windows EXE files in the current directory. It copies itself to the gap in the PE header. So infected files do not grow in size.W32.Ruff is a memory resident virus. It infects Windows PE files that are executed.W32.Savior.1832 is a direct infector. It infects Windows PE EXE and SCR files in the current directory.W95.Sexy is a direct infector. It infects all executable files with a PE header (e.g., .EXE, .DLL, .DRV, .CPL, etc.). It attempts to infect files in all directories on the hard drive.This is a worm. When executed, the program copies itself to the root directory as smile.exe. It adds the key: Vic ""c:\smile.exe"" to the registry, in HKEY_USERS\Default\Software\Microsoft\Windows\CurrentVersion\Run to run itselfThis is a worm. When executed, the program copies itself to the root directory as dat0.exe. It adds the key: Vic ""c:\dat0.exe"" to the registry, in HKEY_USERS\Default\Software\Microsoft\Windows\CurrentVersion\Run to run itselfThis is a memory resident Dos virus. It stays in memory when executed. Then when you run another program, it infects it.W95.Tentacle.2048 is a memory resident virus. It infects Windows PE EXE files.W95.Uwaga is a direct infector. It infects Windows PE EXE files in the current directory.W32.HLLP.VB.14336.A is a direct infector. It infects Windows PE EXE files in the current directory.This virus infects Windows PE EXE files. It is a memory resident virus. The virus searches through WINDOWS, PROGRAM FILES and their subdirectories to append itself to the end of files.As part of its infection routine, W32.Weird drops a randomly named file with a size of 10,240 bytes. This file may be safely deleted.W95.Yabran is a memory resident infector. It infects Windows PE executables.W95.Zerg is a memory resident infector. It infects Windows PE executables that are accessed.Win.Red TeamThis infects 16-bit Windows applications, and attempts to send itself to other computers via e-mail. The e-mail attachment sent must be executed by the recipient in order to spread the virus.W32.IE403rThis Win32 virus spreads through WinNT network if it's introduced into the network using administrator account with the necessary privileges. It creates "Remote Explorer" service running IE403R.SYS and TASKMGR.SYS.This claims to be a virus that corrupts files. It does not appear to replicate, but does occaisionally corrupt files. The only way to fix this corruption is to restore the file from a backup or the original media.IdeaThis is a triple-encrypted polymorphic virus. If it is between 30 minutes and 30 minutes, 15 seconds after the hour, the words "Warning! Strong Encryption Inside" will appear spinning on the screen.RaidKrile variants are unrepairable by the NAVIEG and NAVFW scanners as the virus uses the filedate and time in its encryption. As there is no date and time information sent with the file, the decryption key is impossible to recover.This virus is unrepairable by the NAVIEG and NAVFW scanners as the virus uses the filedate and time in its encryption. As there is no date and time information sent with the file, the decryption key is impossible to recover.This is a trojan horse program that deletes a popular multi-player game from the user's hard drive. It claims to help train the user to play in multi- player mode. Delete if found.This is a macro virus from Brazil. This displays an image of a worm using text characters.This macro virus attempts to change the user's wallpaper to a skull and crossbones by altering the registry.This moves words randomly, and there is a 1% chance the document will be password-protected with the password "HI" each time the macro is run.This is a macro virus presumably written in South America. Some of it's macros are corrupted.This is a spreadsheet macro virus that uses macros with 25-character random names.FistThis encrypted virus only replicates and infects COM files.This is another variant of the DMV macro virus. It contains a message criticizing a school, but it is never displayed.2001This prints the message "2001 ~ a viral Oddessy" on the screen, along with a rainbow graphic. Note that 'Oddessy' is misspelled. Files infected with this virus are unrepairable.On the 9th of August, this macro virus will delete all the user's worksheets in the current file, and then save the worksheet, effectively deleting their work.This is a simple macro virus that is believed to have originated from Indonesia.This is a trojan horse that corrupts many files on a Windows 95 system. Delete if found.This trojan corrupts the user's screen display. Delete if found.This trojan horse program utilizes many features of Internet Relay Chat (IRC) to crash other computers. Delete if found.This trojan horse program utilizes Internet Relay Chat (IRC). Delete if found.This is a simple macro virus that replicates easily. On occaision, this will fill the screen with numbers or beep the speaker endlessly if the user tries to print.This checks the system date, and if the current year is 1999 or later, the main menu bar gets rearranged.The AutoClose macro in this virus attempts to create a file named login.sys the root directory of the C: drive, but fails because the macro is corrupted.This macro virus spreads itself through E-mail. While replicating it sends the opened (infected) document to everyone in the user's address book. It also sends the user's address book to chainnail@hotmail.com.This virus spreads when the infected document opens. The virus removes itself after April 1, 1999 and it does not replicate after this date.This virus infects documents when they are opened. It spreads by exporting temporary files (temp.dat, moody.dat, and f[word].txt) on C:\ and silently delete them when it finishes.This virus has some buggy code in it that generates VB errors under certain conditions.This virus has some buggy code in it that generates VB errors under certain conditions. It infectes Normal.dot and drops log.drv into C:\WINDOWS\SYSYTEM.This virus infects documents using AutoOpen or AutoClose. It will disable all your toolbars, requiring a reinstall of Microsoft Office.This virus infects documents when they are opened. It contains to macros AUTOOPEN and TOOLSMACRO. It infects using the AUTOOPEN only and the TOOLSMACRO gives a silly error message saying "Internal Error"This virus infects workbooks that are activate and deactivate. The nice thing about this virus is it doesn't have any payload.This is a Word 97 macro virus. It infects the "normal.dot" and uses that file to replicate.This is a polymorphic macro virus and it infects the global normal template when the infected document opens and this is how it spreads.This is a Excel 97 macro virus. It creates a file in the "Office\XLSTART" folder called "Base5874.xls". It then uses that file to replicate.X97M.TrackerThis is a Excel 97 macro virus. It creates a file in the "Office\XLSTART" folder called "Base5874.xls". It adds entries to the dialog File->Properties->CustomThis is a Excel 97 macro virus. It creates a file in the "Office\XLSTART" folder called "874.xls". It then uses that file to replicate.This is a Excel 97 macro virus. It creates a file in the "Office\XLSTART" folder called "HI.xls". It then uses that file to replicate.This Excel macro virus infects all currently opened spreadsheets. Its payload is that of deleting command.com if it is the 15th of any month. It will also disable random menu options in Microsoft Excel.This is a Word 97 macro virus. It changes the Application User Name to "sherl0ck". It also changes some Option Settings in Word.XM.Trasher.Enigma, XM.Trasher.FreezerThis virus infects excel spreadsheets 95/97. It spreads when the infected document opens. Depends on the version, this virus try to delete files on C:\ using the DELTREE command with different methods.The AutoClose macro in this virus is corrupted, but replicates this virus. This is very similar to other MDMA strains.This virus doesn't replicate well, and is prone to errors. It only replicates.This is a joke program that appears to delete the user's system files, but is actually an advertisment for a "virus game". It is harmless. You may delete this file.This Java applet crashes Netscape Communicator 4.xThis Java applet creates files to fill up the Harddrive.This Java applet demo the potential security problem with Java Wallet.This ActiveX control renames c:\windows to c:\windows.activex. This could potentially crashes Win95 due to registry not found.This ActiveX control demos how possible it is to send your file to someone else.This ActiveX control shuts down Win95.This ActiveX control demos the execution of another program from ActiveX control. It only runs COMMAND.COMThis ActiveX control demos the potential problem of deleting files. It creates a new directory; copy files to that directory, and delete them.This is a corrupted version of WM.Panjang.A that only reproduces. Because of its macro corruption, an "out of memory" error may be displayed.This virus appears in the "THISDOCUMENT" macro. On the 14th of any month after May, a message box appears insulting the user.This virus will delete the entire contents of the document if the Tools/Macro menu item is selected, and replace it with a link to a web page about a popular cartoon series.VBS.Chantal BAT.ChantalThis macro virus also drops a BAT and VBS script. It uses January 1, 2000 as a trigger date to delete all files in C:\ The VBS script is used to reinfect MS Word global template.This Word 97 macro virus modifies VBA settins in registry and inserts and deletes code from the infected file.CyberShadow, PolymacThis polymorphic and encrypted macro virus creates infected documents in MS Office template folder. Infected documents often crash MS Word upon closing them.W97M.DWMVCK1/ZMK.GenThis virus is a Word97 macro virus that infects Word97 documents. This virus was created by macro virus generator.W97M.Ozwer W97M.ZMK.PThis macro virus tries to be stealthy by displaying a fake Tools-Macro dialog box.This virus is a Word97 macro virus that infects Word97 documents. This macro virus disables some items from Tools menu.This infects EXE files across many directories on the user's hard disk. It only appears to replicate.Tonya.819This virus contains text which refers to a well-known figure skater.This virus creates magrip.sys and WinMG32.sys in the root directory, Word8.dot in the StartUp directory Please do the following: COPY \PERK.BAT \AUTOEXEC.BAT DEL PERK.BATThis Word97 macro virus keeps a log of time of infection, name and address as set in Word97. This log is then uploaded to codebreakers.org ftp site.It drops the file "Nie.html" into your system directory (\Windows) which contains a poem from the author. This gets set to run every time you boot until 12th day of the month.This modified W97M.Marker variant keeps a log of its infections. It drops the file "jon.html" into your system directory (\Windows) which contains a poem from the author. This gets set as your wallpaper on the 1st day of the week.W97M.ShankarThis modified W97M.Marker variant has many message boxes triggered on the birthday of a person name "Shankar".W97M.ShankarThis modified W97M.Marker variant and will be triggered on a certain day and year. When triggered, it will save files as "AAxxxAA.doc".This modified W97M.Marker variant will delete files in the current directory and display the message: "That's right. It's Murder" continuously on Feb 22.This modified W97M.Marker variant has W97M.Ethan routine that changes the author to Ethan FromeW97M.Mailissa.AThis Word97 macro virus tries to email a copy of the infected document using MS Outlook. It tries to send to everyone in MS Outlook address book. In MS Word 2000, it turns security level to low.W97M.MelissaSister W97M.Melissa.CThis is a modified variant of W97M.Melissa.A. The macro module is named MELISSASLITTLESISTER. It also tries to use MS Outlook the way W97M.Melissa.A does.W97M.Mailissa.BGThis Word97 macro virus tries to email a copy of the infected document using MS Outlook. It tries to send to everyone in MS Outlook address book. On closure of the document it deletes C:\*.* along with many others.This modified variant of W97M.Melissa fails to infect other documents because of the modification. Unfortunately, the mass email payload still works.MelissaFXThis modified variant of W97M.Melissa uses a random subject line in the email address. It mails between 30% and 60% of the number of entry in MS Outlook email address book. It also sets the shared property of C drive.Melissa variant w/o the email part, but if McAfee Vshield is installed it copies the file c:\windows\system\vshield.exe to a:\msdos.bak. Otherwise, it overwrites the vshield.exe file with a:\msdos.bak.Melissa variant that tries to e-mail using MS Outlook with the infected document attached. If the virus is executed on Dec. 25, it modifies the AUTOEXEC.BAT file to format the C: drive.This one mails the first 100 entries in the global address book with Subject: "Duhalde Presidente" + username and Body: "Programa de gobierno 1999 - 2004." Also, if activated when Day+1=Minute+2, replaces selection text with " ".This macro virus tries to email a copy of the infected document using MS Outlook. It also modifies the registry.It doesn't replicate, but it is destructive. On the 4th or 20th day of the month or, if the hour is 12 or 1, it appends its destructive payload to autoexec.bat.MYNAMEISVIRUSThis non-destructive macro virus infects THISDOCUMENT module.A harmless macro virus that may disable Word's built-in macro protection, and spreads when a file is created or opened.W97M.Project1This macro virus infects THISDOCUMENT module. Its payload is similar to the payload of W97M.Melissa.A. It increases the limit to 69 addressbook entry in mass-emailing the infected document.MadCow VeronicaThis macro virus infects THISDOCUMENT module. Its payload is similar to the payload of W97M.Melissa.A. It limits the mass-email to 20 addressbook entry in mass-emailing the infected document.This is a macro virus. If executed on Feb. 25 the virus payload is added to c:\autoexec.bat to move the progra~1 and windows directories to tempt1 and tempt2. It will also display a dialog box which cycles through messages from the virus writer.This macro virus has a payload that deletes EXE and DLL files from \Windows and \Windows\System directories.This macro virus utilizes the Windows Scripting Host. The virus creates SYS, DLL, and VBS files under the \WINDOWS\SYSTEM directory and write to the registry. Files will be infected when opened after windows restartThis HTML worm uses mIRC to send itself to other users. It modifies the registry and drops c:\windows\system\win95dll.vbs to run at Windows startup.This macro virus displays chinese character strings with a chance of 1 out of 12.This macro virus infects THISDOCUMENT module. It doesn't have any payload.W97M.ACMThis macro virus tries to email a copy of the infected file using the default MAPI email client.Melissa ExcelThis Excel97 macro virus tries to email a copy of the infected file using MS Outlook. It tries to send to people listed in MS Outlook address book.W97M.Koyaanisqatsi OpicThis Word97 macro virus adds its viral code into ThisDocument module. It also "ping" four internet site continuously.W97M.ReplicatorThis virus only replicates using the AutoClose macro. It is harmless.This trojan horse copies itself to the Windows directory on the user's system, and renames itself to SHELL32.EXE. It contains apparently obscene references in an eastern European language. Delete this file.This virus only replicates with Asian versions of a well-known word- processing application.This virus replicates very quickly, but only infects EXE files. It was first discovered to be in the wild in August 1998.Once a system is infected with this boot virus, any hard drives or floppies accessed will become infected. This virus only replicates, however.This macro virus is named because it contains the string "I love my kitty". When run there is a chance that a batch file that deletes the contents of the template directory will be placed in the Windows Startup directory.This contains infected AUTOOPEN macro.W97M.Nottice.KThis macro virus only replicates, unlike other members of the WM.Nottice family.The name of this macro virus is derived from references within its code - it is not misspelled. On August 20th of each year, it displays a message box saying "I'm x years old.", where x is the number of years since 1998.This is a simple virus that infects only COM files. The string "[FLEX]" appears at the end of infected files.This is a strain of the NOP macro virus that doesn't reproduce.This is a program that attempts to infect, or 'drop' the Cannabis.C virus on the boot sector of a system that runs this. It usually crashes when run.This is a polymorphic virus that infects both COM and EXE files. The size of the virus varies with each infection.This is a variant of the CopyCap macro virus. It does not reproduce because it is corrupted.HellforiaThis is a large, simplistic virus that overwrites EXE files in the current directory. Infections are easily spotted because they are 117,115 bytes in size.This virus is similar to WM.Cap. It disables the Tools\Macro and Tools\Customize menu items. It removes all existing macros before infecting.This virus does not appear to infect other files, due to a bug. It contains the text 'TopWall Copyright (C) 1996-1997'.This is very similar to other BW-type viruses. No samples of this particular strain have been found that successfully infect other files.This is a polymorphic virus that only infects files larger than 10k. If this virus is resident in memory, it will hide that file size increase on infected files.This virus jumps to other directories and infects COM files.This virus overwrites 159 bytes over COM and EXE files, thus making repair impossible.This virus is memory resident, and appends at least 692 bytes to the host.This virus directly infects EXE files in the local directory.This is a virus simulator that can generate the following: companion COM files that remove themselves after an hour, COM/EXE files and boot image that simply print a message, and a memory strain that flashes a message.Some variants of this virus might be memory resident. Sometimes it overwrites the .COM and .EXE files and make them unrepairable.This is a virus that has a generic encryption. It's a direct COM infector.This is a direct COM overwriter, so it destroys part of the host.This virus appends approximately 2109 bytes to COM files and EXE files.This virus appends 421 decimal bytes to the host. It is a memory resident virus.This is a memory resident virus. It infects DOS SYS, EXE and COM files. The viral code is encrypted.This virus appends 1361 decimal bytes to the host. It is polymorphic. It uses generic encryption. It goes memory resident.This virus appends 1513 decimal bytes to the host. It goes memory resident.This virus appends a variable number of static bytes to the host. It is a memory resident virus that deletes the infected program on Friday.This virus infect EXE's as well as COM files. It encrypts its host body. its test says, "Is it me or does that Make no sense at all? [IVP]"This polymorphic COM virus encrypts its host body. It infect up to 5 files infected file and searches in the current directory, c:\dos directory.This virus appends 1210 bytes to other host files. It goes memory resident, and infects most COM/EXE files that the user executes afterwards. It is NOT polymorphic.This virus overwrites 12301 bytes on COM files, thus making those files unrepairable. It is not polymorphic.This virus overwrites 5743 bytes on EXE files, thus making those files unrepairable. It is not polymorphic.This virus is encypted and polymorphic. It appends 1906 bytes to the host. It only infects COM files. It is memory resident.AOL Password Stealer, Buddy List TrojaIn WIN.INI, remove c:\...\RegistryReminder.exe from RUN= ; c:\...\BuddyList.exe from LOAD=. In SYSTEM.INI, remove SCRNSAVE.EXE=c:\...\WinSaver.exe Use REGEDIT to search & remove "WinProfile"="C:\Command.exe" from Registry.This is a memory resident virus that appends to the end of COM files.When the virus is active on March 1st or on September 13th at 10 AM, random data is written to all drives (starting with drive Z:).Information on this Windows virus will be available soon.This virus prepends 674 bytes and appends 5 bytes on the host files that it infects. It only infects COM files, and it is memory resident.W97M.Suppl.16384.A W95.Suppl.16384.A(DThis worm rename the original WSOCK32.DLL to WSOCK33.DLL and drops its own WSOCK32.DLL which needs to be deleted. Rename WSOCK33.DLL back to WSOCK32.DLL after deleting the detected WSOCK32.DLL.This boot virus revectors INT 13h and INT 9h, goes memory resident and infects other floppy boot records and master boot records. In some circumstances, it deletes floppy disk sectors.chode foreskin NineOneOneThis batch file worm searches for accessible computer in well known ISP network. On the 19th of the month, it deletes system files. You need to delete this file.This trojan installes DUMMR32.EXE to be run as a service.This trojan is a batch file which deletes all files on your C: drive. You must delete this file.This batch file works only on a French operating system. It will format your C drive automatically when run.This trojan is a batch file which formats your C: drive. You must delete this file.This trojan is a batch file which deletes essential Windows files, among these are critical Norton AntiVirus files. The trojan also creates a number of empty directories.This trojan deletes the text "Explorer.exe" from the right-side of "shell=" inside the file SYSTEM.INI.SubSeven Server 2.1, Backdoor.SubSevenThis is a backdoor trojan that creates a security hole unto your system.W32.FunLove.4099 is a new virus that replicates under Windows 95 and Windows NT systems and infects applications with EXE, SCR or OCX extensions.VBS.BubbleBoy is a worm that works under Windows 98 and Windows 2000. The worm will also work under Windows 95 only if the Windows Scripting Host is installed.Drops Freelove.vbs in C:\windows and C:\. Mails a copy of itself to entire Outlook address book with Subject "Important Notice From (username)" and body "Heya, check out the attachment attached to this email asap!"This Worm uses Outlook to send it self to everyone in the Address Book. It also infects the "normal.dot" to delete all files in the "C:\" directory, if month is after May._Loc] = #0 [Header_Length] = #0 [Book_Mark_Loc] = #0 [Book_Mark] = 0x0000 [DEFEND] ;************************************************************************* [CommentBegin] Virus Name : TRASHSOF Def Author W32.Mypics.Worm.36352This is a dangerous worm program that spams itself to many people. On year 2000, it will zero out the high byte of your CMOS checksum, and it will try to reformat drive c and drive d.This is a harmless joke program that will cycle through 59 fake Windows error messages. It edits your WIN.INI file so that the program will load each time Windows is started. Simply remove winerror.exe from the "load=" line in WIN.INI.This is a Windows NT Worm. Please refer to our write-up for more information about this virus.This is a virus that infects Windows PE files and Windows Help files. Please refer to our write-up for more information about this virus.This is a macro virus that may only infect via IRC.This is a Windows PE infecting virus. It is a direct infector. The viral code is encrypted and is located in the last section of the file. The virus adds this new section when it infects.It copies itself to the root directory of all drives as well as the windows system directory. When executed in January or on the 10th or 15th of any month, it attempts to delete all files on the C: drive.This variant of W97M.Thus infects all open documents as well as the Normal.DOT file. On December 13th, W97M.Thus.O counts all files that are located on the C: drive.When closing the infected document, this macro virus inserts the text "CIAO!!!". When creating a new document, the text "Microsoft vous souhaite la bienvenue !!!" is inserted.This program attempts to change the scanning options in Norton AntiVirus so that it does not scan EXE files anymore.This program changes the desktop settings without changing it back again. After changing the desktop settings, it displays a taunting message.The Word macro part infects Normal.dot and all active documents. It also creates the file W32Coke.exe. The Windows executable part drops an infected Normal.dot and sends e-mail with an infected file attached.This trojan places "c:\con\con" in the following registry key: HKLM\Software\CLASSES\exefile\shell\open\commandThis stealthing virus infects active documents and the Normal.Dot template. It keeps a log file (C:\systemDos) with the directories to all infected documents. When the file size exceeds 1024 characters this virus deletes all files in those directories.This stealthing virus infects MS Word 97 documents. When the time at document open or close is between XX:30 and XX:40 or between XX:40 and XX:60 one of two possible messages is displayed.This virus infects active documents and the Normal.Dot template.This virus infects active documents and the Normal.Dot template. It drops it's code in C:\Surround.key and may have a payload to delete the WIN.COM file.This virus only infects the Normal.Dot template file.This virus infects the active workbook and drops an infected Normal.XLS in the Excel startup folder.This is a backdoor trojan that creates a security hole unto your system. This file should be deleted.This worm uses Outlook to e-mail itself out to all address book entries. The e-mail message speaks of free MP3 files. It also copies itself to all connected network drives.ANTI-AngeThe virus infects application and application-like files, spreading only under System 6 Finder configurations. If you are running MultiFinder or System 7, Anti can infect one file only, but cannot spread.The virus infects application and application-like files, spreading only under System 6 Finder configurations. If you are running MultiFinder or System 7, Anti can infect one file only, but cannot spread.The virus infects only desktop files (invisible files used by the Finder). As with most desktop viruses, System 7 is immune to the CDEF virus. Though CDEF can attach to desktop files, it will not damage the system.When active between June 6th and December 31st, the message "You have a virus..." appears, it deletes viral code from system file and current application. Between Jan 1st and June 5th after 1991 the just virus spreads.The virus affects HyperCard stacks only. When active, the message "Dukakis for President" appears then deletes itself.Virus draws a bomb icon. The message "Frankie says No more piracy!" then appears and the computer stops. Frankie only infects application files (including Finder), and spreads under System 6 Finder on Aladdin emulator systems.This Boot Sector virus infects hard disk boot sectors by changing the information in the partition table to point to a different boot sector.The virus only infects HyperCard stacks. When active, the message "Hey, what are you doing?" appears. It plays a couple of folk songs, displays pop-up menus and after 15 minutes, the message "Don't panic" appears.INIT 17 activates on startup after October 31, 1993. The virus causes a message to display one time only. It infects System and application files and may cause crashes on the Plus, SE and Classic Macintosh CPUs.The virus activates on startup on any Friday the 13th (1991 or later). The virus changes Finder type and creator file information, renames files, or even may even delete them from your disks.Only infected system files or applications can spread this virus, infecting infecting any and all files that contain resource forks. INIT 29 attempts to infect floppy disks.INIT M can actively reproduce at any time. The virus does its damage on Friday the 13th by changing names, types and creator Finder information. It only affects Mac running System 7.0 or above.This virus infects the system file by adding an 'INIT' resource. When an infected system is started on March 2, 1988, the virus displays a peace message and deletes itself from the system file.The MBDF A/B infects applications and System files and spreads rapidly. The virus can cause systems to crash, particularly when commands are selected from menus when running System 7.0.1.Garfield, Top CatThe virus only infects application software, sparing system files and other documents. Some strains attempt to bypass early virus detection software.MDEF D only infects application software, sparing system files and other documents. Some strains attempt to bypass early virus detection software.MerryXmas affects only HyperCard stacks, from Home stack to other stacks. Due to an error in HyperCard program code, an error message will be displayed on every new infection.This was probably intended to be a dropper for Stoned.Empire.Monkey. In reality all it does is hang the computer, requiring a reboot.The virus is the most prolific of all known Macintosh viruses with two basic strains and nine variants. nVIR first infects an active System file then becomes memory resident, infecting all files it comes in contact with.Scores infects System, notebook, and Scrapbook files. Icons of the latter two become generic document icons. It creates 2 invisible files. 4 to 7 days later, frequent system error messages will start occurring.T4-A, T4-B, T4-CThe T4 virus infects applications, the Finder and attempts to modify the System file startup (or boot) code and interferes with the loading of system extensions.CPro,FntFnder,Mosaic,4-cycle,VInfoThese Trojan horses secretly install viruses on your Macintosh. Some will attempt to format disks that are currently mounted. Others will erase the directory of your hard disk. Delete if found.The virus masquerades as a female voice sound driver that is MacinTalk compatible (Macintalk is a software-based speech synthesizer). It is actually a system extension that erases hard disks. Delete if found.The virus causes beeping and frequent system crashes. Fonts may become corrupted and improperly displayed. WDEF spreads rapidly, copying itself from desktop to desktop usually through the sharing of software and disks.On December 28th, it will crash the system by destroying important system information.ZUC B, ZUC CThe virus only infects application software, but can transmit and spread across a network. While running infected apps the cursor may move across the screen in a diagonal motion or "jumping" has also been observed.This trojan deletes files from c:\dos and c:\windows directory and creates lots of empty directories. You should delete this file.zhitomir FICTDos virus that infects only EXE files in the current directory.The virus spreads only under Italian versions of the Macintosh operating system. It infects finder and selected applications. Upon triggering, it attempts to destroy the startup hard drive.It triggers on October 31 to rename your hard disk to "Trent Saburo." It infects System files and many applications files as they are run. It only infects files with jump table entry in 'CODE' 0 points to 'CODE' 1.This WORM drops MONOPOLY.WSH, MONOPOLY.VBE & MONOPOLY.JPG. This VB Script sends out itself using MS Outlook. You should delete the above files.This WORM creates c:\windows\links.vbs and c:\windows\system\rundll.vbs. It is written in VB script and user must delete these files.This WORM uses OutLook to send it self to all the addresses in the address entry book. It drops C:\windows\system\rundll.vbs and C:\windows\system\links.vbs files.This script works if you have the Gnutella program.