Text File | 1989-10-21 | 22KB | 530 lines
PC VIRUS LISTING
By Jim Goodwin
This document is copyrighted, 1989, by Jim Goodwin. It
may be freely distributed provided no changes,
additions or deletions are made, and providing this
copyright notice accompanies all copies. I would like
to thank John McAfee and the entire HomeBase users
group for providing the raw materials for this
document.
It is difficult to name, identify and classify PC viruses.
Everyone who first discovers a virus will name it and describe
what they think of it. In most cases, the virus is not new and
has been named and described dozens of times before. None of the
names and few of the descriptions will match. While I'm writing
this, for example, I feel certain that someone, somewhere has
just been infected by the Jerusalem virus and they are telling
their co-workers and friends about it as if it were newborn - and
for them perhaps it is. It will be impossible to verify the
strain and variety of the infection, however, unless we can get a
living sample of the virus to analyze and compare with other
strains of this same virus. So problem number one is filtering
the reports of infection and collecting samples that can be
placed under the knife.
Problem number two is - where do you draw the line between
an original virus and a true variation of the virus? The
original Brain virus, for example, could only infect a floppy
diskette. Do the varieties of the Brain that can infect hard
disks (but in every other respect are identical) deserve to be
called new viruses, or are they still the Brain? What about
further modifications that destroy data? Is this now a new
virus? What if someone extracts a segment of the Brain code and
uses it as a basis for a new virus? What if nothing changes but
the imbedded text data, so that the virus is in every way
functionally identical, but the volume label changes to "SMURF"
instead of BRAIN? All of these modifications to the Brain have
been discovered and logged. How do we deal with them?
I choose to deal with these modifications in the simplest
way I know. If the virus differs in any way from the original
(assuming that the "original" can in fact be identified), then I
log it as a new strain. This relieves me from having to make
decisions. Those of you who see the world differently can merely
take this listing and lump together all of the different strains
that you like. That way we'll all be happy.
This will be, by the way, my last virus document. I have
worked double time for the past eighteen months helping John
McAfee and his Homebase folks and, while I have thoroughly
enjoyed myself, I have finally burned out. It has been great fun
and I've learned a lot, and hopefully some of my works, like the
product review with Sankary and Marsh, will end up being somehow
useful to the world. But now I have the irresistible urge to go
fishing, and, perhaps afterwards, to contemplate my navel for a
few years. In-between times I intend to write a book on the
craziness in this industry and about the unique personalities
I've had the pleasure to work with in the Virus Marine Corps.
It's been quite an adventure. Thank you all.
Jim Goodwin From the Homebase BBS 408 988 4004

THE VIRUSES

I have arranged these viruses so that similar varieties are
described in the sequence in which they appeared within the virus
sub-group (to the best of my knowledge). Not everyone agrees
with my groupings. Many people believe, for instance, that the
Golden Gate-C (Mazatlan Virus) is a distinctly original virus and
is not a variation of the Alameda. I think differently and have
endeavored to show how the Golden Gate evolved from the Alameda,
through each precursor virus. I cannot prove, of course, that
the sequence of appearances is the correct sequence, and in many
cases I have had to guess. If anyone wishes to re-order
these viruses, I will not be offended.
I have not included any of the specific application trojans
in this list. There has been a lot of discussion about the Lotus
123 and DBASE "viruses", for example. These are not replicating
programs and I do not classify them as viruses. I had originally
intended a separate list to include these non-replicating trojans
but Time caught up with me.
1. ALAMEDA VIRUS
(Also called: Yale; Merritt; Pecking; Seoul)
This is a boot sector infector. First discovered at Merritt
college in California (1987). Original version caused no
intentional damage. Replicates at boot time <ctrl>-<alt>-
<del> and infects only 5 1/4" 360KB floppies. It saves the
real boot sector at track 39, sector 8, head 0. Contains a
count of the number of times it has infected other
diskettes, although it is referenced for write only and is
not used as part of an activation algorithm. The virus
remains resident at all times after it is booted, even if no
floppy is booted and BASIC is loaded. Contains a rare POP
CS instruction that makes it incapable of infecting 286
systems.
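
An added example (not part of the original listing): a Python check over a flat 360KB floppy image that converts the track 39, head 0, sector 8 location given above into a byte offset and flags the image when that sector looks like a boot sector and differs from sector 0. The boot-sector heuristic, the function names and the sample sectors are assumptions constructed for illustration.

```python
SECTOR = 512
TRACKS, HEADS, SPT = 40, 2, 9               # 5 1/4" 360KB geometry
IMAGE_SIZE = TRACKS * HEADS * SPT * SECTOR  # 368640 bytes
STASH_CHS = (39, 0, 8)                      # track, head, sector from the listing


def chs_to_offset(track, head, sector):
    """Byte offset of a CHS address in a flat image (sectors are 1-based)."""
    if not (0 <= track < TRACKS and 0 <= head < HEADS and 1 <= sector <= SPT):
        raise ValueError("CHS address outside 360KB geometry")
    return ((track * HEADS + head) * SPT + (sector - 1)) * SECTOR


def looks_like_boot_sector(data):
    """Heuristic (assumption): x86 jump opcode at byte 0 and a BPB
    bytes-per-sector field (offset 11) equal to 512."""
    return (len(data) == SECTOR and data[0] in (0xEB, 0xE9)
            and int.from_bytes(data[11:13], "little") == SECTOR)


def check_image(image):
    """Report whether the stash location holds a second, different boot sector."""
    if len(image) != IMAGE_SIZE:
        raise ValueError("not a 360KB image")
    boot = image[:SECTOR]
    off = chs_to_offset(*STASH_CHS)
    stash = image[off:off + SECTOR]
    return {"offset": off,
            "relocated_boot_sector": looks_like_boot_sector(stash) and stash != boot}


def make_image(boot, stash=None):
    """Constructed test image: filler bytes plus the given sectors."""
    img = bytearray(b"\xf6" * IMAGE_SIZE)
    img[:SECTOR] = boot
    if stash is not None:
        off = chs_to_offset(*STASH_CHS)
        img[off:off + SECTOR] = stash
    return bytes(img)


# Constructed sample sectors; not taken from any real disk or virus.
DOS_BOOT = b"\xeb\x34\x90" + b"SAMPLE  " + (512).to_bytes(2, "little") + bytes(499)
REPLACED = bytes(SECTOR)   # stand-in for a sector 0 that is no longer DOS code

CLEAN = make_image(DOS_BOOT)
SUSPECT = make_image(REPLACED, stash=DOS_BOOT)

if __name__ == "__main__":
    for name, img in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(name, check_image(img))
```

A positive result only means the sector deserves a closer look; a data file that happens to begin with a jump opcode at that location would also match.
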
2. ALAMEDA-B
(Also called Sacramento Virus)
This is the original Alameda Virus that has the POP CS
removed. Relocation is accomplished through a long jump
instruction. All other characteristics are identical. This
version runs OK on a 286.
3. ALAMEDA-C
This is the Alameda-B virus that has been modified to
disable the boot function after 100 infections. The
counter in the original Alameda virus has been re-activated
and is interrogated at each bootup. When it reaches 100 the
virus disconnects from the original boot sector (control is
no longer passed) and the diskette will no longer boot. At
infection time, the counter is zeroed on the host diskette.
4. SF VIRUS
This is the Alameda-C that has been modified to format the
boot diskette when the counter runs out.
5. GOLDEN GATE VIRUS
(Also called The 500 Virus)
This is the SF Virus that has been modified to format the C
drive when the counter runs out. The activation occurs
after 500 infections, instead of 100 infections. Note that
in all three of these strains, the counter is zeroed on the
host diskette at infection time. Thus, the activation
period on this virus will on the average stretch into many
years. No corruption will occur until 500 new diskettes
have been infected from within a given machine. Since the
infection can only occur when the system is booted with a
new diskette, infection is not frequent with this virus. I
expect that the overwhelming majority of infections will
never activate. The IBM PC will have long since been
supplanted by another architecture in most environments.
6. GOLDEN GATE-B
This virus is the Golden Gate virus that has had the
activation delay reset to 30 infections. This virus should
activate within a couple of years in most environments.
7. GOLDEN GATE-C
(Also called the Mazatlan Virus)
This virus is the Golden Gate virus that is able to infect a
hard disk. It is a nasty virus, since it has more of an
opportunity to do damage than previous versions. Prior
versions were limited since systems with hard disks are only
infrequently booted from floppy and booting from hard disk
overwrote earlier versions.
8. GOLDEN GATE-D
This virus is identical to number 7, except the counter has
been disabled (similar to original Alameda).
9. THE BRAIN
(Also called, Pakistani Brain; Basit Virus)
This virus originated in January, 1986, in Lahore, Pakistan.
It is the only virus yet discovered that includes the valid
names, address and phone numbers of the original
perpetrators. The Brain is a boot sector infector,
approximately 3K in length, that infects 5 1/4" floppies.
It c