home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Night Owl 6
/
Night Owl's Shareware - PDSI-006 - Night Owl Corp (1990).iso
/
030a
/
ibmvirus.zip
/
VIRSCAN.DOC
< prev
next >
Wrap
Text File
|
1991-08-08
|
104KB
|
2,415 lines
The IBM Anti-Virus Product Version 2.1.2
Copyright (c) IBM Corporation 1989, 1990, 1991. All rights reserved.
1.0 TABLE OF CONTENTS
______________________
2.0 INTRODUCTION TO THE IBM VIRUS SCANNING PROGRAM
2.1 How to Use the IBM Virus Scanning Program
2.2 The IBM Virus Scanning Program: Capabilities and Limitations
2.3 Files Associated with the IBM Anti-Virus Product
3.0 SAFE USE OF THE IBM VIRUS SCANNING PROGRAM
3.1 Safely Using the IBM Virus Scanning Program
3.2 Safely Creating a Bootable Diskette
3.3 Safely Copying the IBM Virus Scanning Program
3.4 Examples of Output from the IBM Virus Scanning Program
3.4.1 Scanning an Uninfected System
3.4.2 Scanning an Infected System
3.4.3 If VIRSCAN.EXE Has Been Accidentally Modified
3.4.4 If VIRSIG.LST Has Been Accidentally Modified
3.4.5 If VIRSCAN.MSG Has Been Accidentally Modified
4.0 TECHNICAL DETAILS
4.1 Operating Systems
4.2 What The IBM Virus Scanning Program Checks
4.3 The Format of the Signature Files
4.3.1 Scanning Files
4.3.2 Scanning Boot Records
4.4 Adding More Virus Signatures
4.5 Command-Line Options
4.6 Values of ERRORLEVEL Returned
4.7 Limitations
4.7.1 The IBM Virus Scanning Program Is Not a Cure-All
4.7.2 The IBM Virus Scanning Program Does Not Remove Viruses
4.7.3 The IBM Virus Scanning Program May Not Find Viruses in Archives
4.7.4 Scanning Boot Sectors
4.8 Common Problems
4.8.1 Systems With Damaged Directory Trees
4.8.2 Incompatible Versions of PC-DOS and COMMAND.COM
4.8.3 Limitation When Scanning Boot Records of Network Drives
4.8.4 False Alarms When Scanning Memory
5.0 VIRUSES DETECTED BY THE IBM VIRUS SCANNING PROGRAM
5.1 Virus List and Characteristics
5.2 Cross-Reference of Common Virus Names
2.0 INTRODUCTION TO THE IBM VIRUS SCANNING PROGRAM
___________________________________________________
This document describes the IBM Virus Scanning Program version 2.1.2,
which is part of the IBM Anti-Virus Product version 2.1.2. This
section provides an introduction to using the program. Later sections
describe further technical details.
2.1 HOW TO USE THE IBM VIRUS SCANNING PROGRAM
______________________________________________
The IBM Virus Scanning Program can be used to test files and boot
sectors on disks for patterns that are found in some common PC-DOS
computer viruses. To scan for these viruses on the C: drive, for
instance, type the following at the DOS or OS/2 command prompt:
VIRSCAN C:
To scan a diskette in the A: drive, for instance, type the following:
VIRSCAN A:
For further instruction on the program, and to view the on-line help,
simply type VIRSCAN without any arguments. Type VIRSCAN ? for a short
description of the available command line options. Type VIRSCAN ??
for some usage examples.
We recommend that the IBM Virus Scanning Program be run only after
cold-booting your system from a write-protected diskette. This is the
safest way to ensure that a virus infection does not interfere with
the scan. See "Safely Using the IBM Virus Scanning Program" for
further details.
2.2 THE IBM VIRUS SCANNING PROGRAM: CAPABILITIES AND LIMITATIONS
_________________________________________________________________
This program is designed to detect many common PC-DOS computer
viruses. It is used internally by IBM to detect computer viruses. It
scans boot records and executable files, looking for signatures of
viruses known to IBM when this version of the program was made
available. A signature is a bit pattern that is found in a particular
virus. The virus signatures were obtained by performing "reverse
engineering" on virus samples. The files that are scanned by this
program must be in their native executable form (e.g., not encrypted
and not packed) in order for the signatures to be found. The IBM
Virus Scanning Program does *not* remove viruses, inhibit virus
propagation, or recover from any damage caused by viruses to programs
or data. It simply scans files looking for bit patterns matching the
virus signatures. There may be viruses that currently exist, or that
will exist in the future, that this program will not detect. We know
of no available, guaranteed solution to the computer virus problem.
For this reason, we recommend that you continue to perform regular
backups of your data, and exercise caution in acquiring and using
software.
2.3 FILES ASSOCIATED WITH THE IBM ANTI-VIRUS PRODUCT
_____________________________________________________
There are five files distributed with the IBM Anti-Virus Product. You
should verify that each one has the length stated below, and not use
the IBM Anti-Virus Product if any are different.
VIRSCAN.EXE This is the executable file for the IBM Virus Scanning
Program. It is 74,863 bytes long.
VIRSIG.LST This file contains signatures for viruses. These are
viruses of which IBM was aware at the time the program
was distributed. This file must be located in the same
directory as VIRSCAN.EXE. It is 68,411 bytes long.
VIRSCAN.MSG This file contains message text used by VIRSCAN. This
file must be located in the same directory as
VIRSCAN.EXE. It is 23,034 bytes long.
READ.ME This file contains the IBM License Agreement for the IBM
Anti-Virus Product. It is 6,876 bytes long.
VIRSCAN.DOC This is the document you are currently reading. It is
104,485 bytes long.
In addition, you may create two other files which can be used by
VIRSCAN. The file ADDENDA.LST can contain signatures for additional
viruses. See "Adding More Virus Signatures" (below) for more details
on this file. The file LOCAL.MSG can contain a message (up to 10
lines long) that will be displayed at program termination if any virus
signatures were found. See "Scanning an Infected System" (below) for
more details on this file.
3.0 SAFE USE OF THE IBM VIRUS SCANNING PROGRAM
_______________________________________________
You should be careful when copying and using the IBM Virus Scanning
Program. The procedures in this section will help you create
diskettes containing the IBM Virus Scanning Program, minimizing the
chance of contaminating them with viruses. This section will also
help you use the IBM Virus Scanning Program most effectively.
3.1 SAFELY USING THE IBM VIRUS SCANNING PROGRAM
________________________________________________
We recommend running the IBM Virus Scanning Program only after
cold-booting your PC or PS/2 from a write-protected diskette that is
known to be virus-free. It is possible to use the IBM Virus Scanning
Program without cold-booting your system from a virus-free diskette.
If this is done, however, it is possible for a virus to be active in
your system during the scan. This could potentially cause the IBM
Virus Scanning Program to miss the presence of a virus in your system.
It is also possible to run the IBM Virus Scanning Program from a hard
disk rather than a write-protected floppy diskette. If this is done,
however, it is possible for the IBM Virus Scanning Program itself to
become infected with a virus. While there are features in the IBM
Virus Scanning Program to help detect these conditions, it is always
safest to cold-boot your system from a virus-free diskette.
The procedure for cold-booting your system from a diskette containing
the IBM Virus Scanning Program, and scanning the C: drive (for
instance), is as follows.
1. Cold-boot your system from your write-protected, virus-free
diskette containing the IBM Virus Scanning Program.
a. Turn your PC or PS/2 off.
b. Insert your write-protected, bootable diskette containing the
IBM Virus Scanning Program. (See "Safely Creating a Bootable
Diskette" for instructions on creating this virus-free
diskette.)
c. Turn your PC or PS/2 on and let it boot from the A: drive.
2. Scan any hard disks or floppy diskettes that you wish to check by
typing (for instance):
VIRSCAN C:
3.2 SAFELY CREATING A BOOTABLE DISKETTE
________________________________________
We recommend running the IBM Virus Scanning Program only after
cold-booting your PC or PS/2 from a diskette is known to be
virus-free; this procedure is for creating such a virus-free bootable
diskette.
We assume here that you will be formatting your new diskette in the A:
drive. If not, you should modify the "FORMAT" step (2) that follows.
We also assume that you either have a non-bootable diskette in the B:
drive containing all of the files necessary to run the IBM Virus
Scanning Program, or have downloaded all of these files (and only
these files) into the directory C:\VIRSCAN. If you have put these
files elsewhere, you should modify the "COPY" step (3) that follows.
1. Cold-boot your system. This is important to ensure that no virus
is active when you copy the IBM Virus Scanning Program.
a. Turn your PC or PS/2 off.
b. Insert your original manufacturer's write-protected PC-DOS
diskette into the A: drive. If you are using DOS 4.0, use the
"install" diskette.
c. Turn your PC or PS/2 on and let it boot from the A: drive. If
you are using DOS 4.0 from the "install" diskette, press the
"Esc" key and then the "F3" key to end the install process.
2. At the DOS prompt, type:
FORMAT A: /S
and follow the prompts to format a new diskette.
Note: If you are using DOS 4.0, you may wish to create an
AUTOEXEC.BAT file that automatically installs the SHARE program
when a PC or PS/2 is booted from this diskette. If you are
planning to use the diskette to scan disk partitions that are
greater than 32 megabytes in size, then you *must* use DOS 4.0 and
SHARE.EXE. Refer to your PC-DOS manual for further instructions.
3. Copy the files necessary to run the IBM Virus Scanning Program to
the A: diskette.
o If these files are on a diskette in the B: drive, type the
following at the DOS prompt:
COPY B:\*.* A:\
and follow the prompts on the screen to copy the contents of
the diskette containing the IBM Virus Scanning Program to the
A: diskette.
o If you have downloaded these files to the directory
C:\VIRSCAN, type the following at the DOS prompt:
COPY C:\VIRSCAN\*.* A:\
and follow the prompts on the screen to copy the contents of
the subdirectory containing the IBM Virus Scanning Program to
the A: diskette.
4. Remove the new diskette and write-protect it with a write-protect
tab (on a 5.25" diskette) or by moving the write protect switch
(on a 3.5" diskette) so that you can see through the hole located
in the bottom right while looking at the back of the diskette. We
recommend leaving this diskette write-protected at all times.
This is important to prevent the diskette from becoming infected
with a virus at a later time.
5. To test your new, bootable diskette, turn your PC or PS/2 off,
insert your new, bootable diskette in the A: drive, turn your PC
or PS/2 on and let it boot from the A: drive. At the DOS prompt,
type:
VIRSCAN A:
6. If the IBM Virus Scanning Program tells you that a virus is
present on the A: drive, or that any of the files have been
modified, do *not* use the diskette!! The files may not have been
installed correctly on the diskette, or it may be infected with a
virus. Go back to the beginning of this procedure and follow the
steps very carefully to install the files on your diskette. If,
after repeated attempts, the IBM Virus Scanning Program continues
to tell you that something is wrong with the diskette, contact
competent technical personnel for help.
3.3 SAFELY COPYING THE IBM VIRUS SCANNING PROGRAM
__________________________________________________
The following procedure is for making a copy of a bootable diskette
containing the IBM Virus Scanning Program.
1. Cold-boot your system. This is important to ensure that no virus
is active when you copy the IBM Virus Scanning Program.
a. Turn your PC or PS/2 off.
b. Insert your original manufacturer's write-protected PC-DOS
diskette into the A: drive. If you are using DOS 4.0, use the
"install" diskette.
c. Turn your PC or PS/2 on and let it boot from the A: drive. If
you are using DOS 4.0 from the "install" diskette, press the
"Esc" key and then the "F3" key to end the install process.
2. At the DOS prompt, type:
DISKCOPY A: B:
and follow the prompts on the screen to copy the contents of the
original the IBM Virus Scanning Program diskette (the source
diskette) to a new diskette (the target diskette).
3. Remove the new diskette and write-protect it with a write-protect
tab (on a 5.25" diskette) or by moving the write protect switch
(on a 3.5" diskette) so that you can see through the hole located
in the bottom right while looking at the back of the diskette.
This is important to prevent the diskette from becoming infected
with a virus at a later time. We recommend leaving this diskette
write-protected at all times. This is important to prevent the
diskette from becoming infected with a virus at a later time.
4. Scan the new diskette by reinserting it into the A: drive and
typing at the DOS prompt:
VIRSCAN A:
5. If the IBM Virus Scanning Program tells you that a virus is
present on the A: drive, or that any of the files have been
modified, do *not* use the diskette!! The files may not have been
copied correctly to the diskette, or it may be infected with a
virus. Go back to the beginning of this procedure and follow the
steps very carefully to copy the diskette. If, after repeated
attempts, the IBM Virus Scanning Program continues to tell you
that something is wrong with the diskette, contact competent
technical personnel for help.
3.4 EXAMPLES OF OUTPUT FROM THE IBM VIRUS SCANNING PROGRAM
___________________________________________________________
The IBM Virus Scanning Program always displays the following banner
when it scans for viruses.
----------------------------------------------------------------------
The IBM Virus Scanning Program Version 2.1.2
(c) Copyright International Business Machines Corporation 1989, 1990, 1991
Licensed Material - Program Property of IBM, All Rights Reserved.
NOTICE TO USERS
For users in the United States and Puerto Rico:
THE IBM VIRUS SCANNING PROGRAM IS LICENSED "AS IS." Your use of this program
is subject to the IBM Program License Agreement for the IBM Virus Scanning
Program, which is set out in the "READ.ME" file distributed with this program.
For users outside the United States and Puerto Rico:
See your IBM representative or IBM authorized supplier for contract terms.
Press Y to accept the license agreement, or press any other key to exit.
----------------------------------------------------------------------
3.4.1 SCANNING AN UNINFECTED SYSTEM
____________________________________
When you use the IBM Virus Scanning Program to scan a disk or diskette
that does not contain viruses, it will display the banner, then
something similar to the following.
----------------------------------------------------------------------
Starting virus scan on Thu Feb 08 09:18:43 1991
Scan completed.
24 files were scanned.
1 system boot sector was scanned.
1 master boot record was scanned.
System memory was scanned for dangerous and/or well hidden resident viruses.
Total bytes scanned = 2661470, in 26 seconds.
No viruses listed in the signature files were found.
----------------------------------------------------------------------
This indicates that none of the scanned files or boot records
contained any of the virus signatures listed in the signature files.
3.4.2 SCANNING AN INFECTED SYSTEM
__________________________________
If the IBM Virus Scanning Program finds any of the signatures listed
in the signature files, it will display the name of the files or boot
sectors in which they were found, as well as the signatures found and
the name of the viruses to which they correspond. The total number of
viral signatures that were found is displayed when the program exits.
Here is a sample run, where the IBM Virus Scanning Program found a
virus signature.
----------------------------------------------------------------------
Starting virus scan on Thu Feb 08 09:18:43 1991
Found signature in (C:\UTIL\PAPAYA.COM)
This file may be infected with the 1813 virus.
(Continuing Scan)
Scan completed.
24 files were scanned.
1 system boot sector was scanned.
1 master boot record was scanned.
System memory was scanned for dangerous and/or well hidden resident viruses.
Total bytes scanned = 2661470, in 26 seconds.
1 Viral signature found in 1 object.
----------------------------------------------------------------------
After all other messages are displayed, if the IBM Virus Scanning
Program can find a file called "LOCAL.MSG", in the same directory as
"VIRSCAN.EXE", it will display lines from that file, up to a maximum
of 10 lines.
If the IBM Virus Scanning Program finds signatures of any viruses, it
is very likely that the indicated objects are infected with those
viruses. You should get expert technical help immediately, to clean
up the infection.
3.4.3 IF VIRSCAN.EXE HAS BEEN ACCIDENTALLY MODIFIED
____________________________________________________
The IBM Virus Scanning Program checks the program file VIRSCAN.EXE to
verify that it has not been modified. (This may happen accidentally,
or it may indicate that VIRSCAN.EXE has been infected with a virus.)
If it has been modified for any reason, the IBM Virus Scanning Program
will display the following message:
----------------------------------------------------------------------
The program (A:\VIRSCAN.EXE) has been modified.
This may be due to a virus, or to other causes.
Scan terminated early due to error
----------------------------------------------------------------------
In this event, an original (unmodified) copy of VIRSCAN.EXE should be
used to replace the modified copy. If, after it is replaced, the IBM
Virus Scanning Program continues to tell you that something is wrong,
it is possible that your original copy of VIRSCAN.EXE was damaged.
Contact competent technical personnel for help.
3.4.4 IF VIRSIG.LST HAS BEEN ACCIDENTALLY MODIFIED
___________________________________________________
The IBM Virus Scanning Program also checks the file VIRSIG.LST to
verify that it has not been modified. If it has been modified for any
reason, the IBM Virus Scanning Program will inform you, then it will
terminate. If VIRSIG.LST has been modified, a message similar to the
following will be displayed.
----------------------------------------------------------------------
Starting virus scan
The file (A:\VIRSIG.LST) has been modified.
Scan terminated early due to error
----------------------------------------------------------------------
If the signature file has been modified, it should be replaced with an
original (unmodified) copy. If, after it is replaced, the IBM Virus
Scanning Program continues to tell you that something is wrong, it is
possible that your original copy of the signature file was damaged.
Contact competent technical personnel for help.
3.4.5 IF VIRSCAN.MSG HAS BEEN ACCIDENTALLY MODIFIED
____________________________________________________
The IBM Virus Scanning Program also checks the file VIRSCAN.MSG to
verify that it has not been modified. If it has been modified for any
reason, the IBM Virus Scanning Program will inform you, then it will
terminate. If VIRSCAN.MSG has been modified, a message similar to the
following will be displayed.
----------------------------------------------------------------------
The file (A:\VIRSCAN.MSG) has been modified.
Scan terminated early due to error
----------------------------------------------------------------------
If the message file has been modified, it should be replaced with an
original (unmodified) copy. If, after it is replaced, the IBM Virus
Scanning Program continues to tell you that something is wrong, it is
possible that your original copy of the message file was damaged.
Contact competent technical personnel for help.
4.0 TECHNICAL DETAILS
______________________
This section describes further technical details of the IBM Virus
Scanning Program. While it is not necessary to read this section to
use the program in simple situations, we recommend that you
familiarize yourself with it, so that you understand the operation of
the program more completely.
4.1 OPERATING SYSTEMS
______________________
The IBM Virus Scanning Program will run in the following operating
systems:
o PC-DOS versions 2.0, 2.1, 3.0, 3.1, 3.2, 3.3, 4.0 and 5.0.
o OS/2, both Standard Edition and Extended Edition, versions 1.0,
1.1, 1.2, and 1.3. It supports both the DOS ("FAT") file system
and OS/2's High Performance File System. It will run in an OS/2
Presentation Manager window and in OS/2's DOS compatibility box.
4.2 WHAT THE IBM VIRUS SCANNING PROGRAM CHECKS
_______________________________________________
The IBM Virus Scanning Program checks to make sure that it is
operating properly, and then checks for viruses. Specifically, it
checks your system in the following sequence (though there are
command-line options that can alter this):
1. The executable file VIRSCAN.EXE is checked to ensure that it has
not been modified. If it has been modified, it may indicate that
it has been accidentally changed, or that it has been infected by
a virus. The program will not continue if it has been modified.
2. The file VIRSCAN.MSG is checked to ensure that it has not been
modified. (Precisely, this step actually occurs when the first
message is displayed.) If VIRSCAN.MSG has been modified, the IBM
Virus Scanning Program will not continue.
3. The file VIRSIG.LST is checked to ensure that it has not been
modified. If VIRSIG.LST has been modified, the IBM Virus Scanning
Program will not continue.
4. When run under PC-DOS (or in the DOS compatibility box of OS/2),
system memory is scanned for resident viruses.
5. Files are scanned for viruses. The default is to scan EXE, COM,
OV?, INI, SYS, and BIN files. Boot records are scanned for
viruses. The default is to scan the system boot sector of any
specified drives, and the master boot record of the first hard
drive if any drive letter C: or higher is specified. These
defaults can be changed by command-line options.
4.3 THE FORMAT OF THE SIGNATURE FILES
______________________________________
The IBM Virus Scanning Program uses the signatures found in the file
VIRSIG.LST. and (if it is present) ADDENDA.LST to scan for viruses.
Both of these files must be in the same directory as VIRSCAN.EXE.
Both of these files has the same basic format:
o Comment lines have an asterisk ("*") as their first character.
The IBM Virus Scanning Program does not use these lines in its
virus scan. (The entire contents of VIRSIG.LST, including comment
lines, is checked during self-test to ensure that it has not been
modified. The file ADDENDA.LST is not checked.) Comment lines
are used to give additional, human-readable comments about the
information in the signature files.
o One of the comment lines at the beginning of the file VIRSIG.LST
contains the string "CRCVMARK" followed by eight hexadecimal
digits. This line is used by the IBM Virus Scanning Program to
ensure that these files have not been modified. This line is not
used in ADDENDA.LST.
o The body of the file consists of entries that tell the IBM Virus
Scanning Program what to do for each virus. Each entry is made up
of three lines:
1. A hexadecimal string, which is the string that the IBM Virus
Scanning Program looks for in order to determine that this
particular virus is contained in the file. We recommend that
you use at least 24 hexadecimal digits (that is, at least 12
bytes) in any signature that you add to ADDENDA.LST, and more
whenever possible. Shorter signatures have a larger chance of
being found in normal programs which are not infected with any
virus, leading to false reports of viruses. The signature
should be taken from a code area of the virus, rather than a
data area, to minimize the possibility of false alarms. We
also recommend that you test any new signatures against a
number of programs before using them widely, to ensure that no
common programs give false alarms for the signature.
Two question mark characters ("??") may be used in place of a
pair of hexadecimal characters representing a signature byte.
This indicates that the specified byte position in the
signature string may have any value. Don't count these "don't
care" bytes when following the signature length guidelines in
the previous paragraph. If a signature string has any "??"
substrings in it, no scan for variations on the signature will
be performed, even if the "-m" command line option is used.
If a signature string has any "??" strings in it, any "FF"
values in the signature string will be treated as "don't care"
bytes.
A "%N" sequence, where 'N' is a single hexadecimal digit, may
also be used in place of a pair of hexadecimal characters
representing a signature byte. This tells virscan that 0 to N
arbitrary filler bytes may be at that position in a real
virus, and that they should be ignored. For example,
"ABCD77%4888C5A31663499001277" tells virscan that it should
search for the hex string "ABCD77", followed by zero to 4
arbitrary bytes, followed by the rest of the search string.
Don't count these "don't care" bytes when following the
signature length guidelines. If a signature string has any
"%" characters in it, no scan for variations on the signature
will be performed, even if the "-m" command line option is
used. If a signature string has any "%" characters in it, any
"FE" values in the signature string will be treated as "don't
care" bytes.
2. A message that is displayed if the string is found in the
specified files, to indicate that the virus was found. The
text of this message can be in either upper or lower case. If
the message contains a %s, the %s will be replaced with a
message appropriate for the object in which the virus
signature was found. For instance, if the virus signature was
found in a file, the %s would be replaced with "This file may
be infected with".
3. A line containing one or more strings which indicate what the
IBM Virus Scanning Program should do if the signature is
found.
COM Used to tell the IBM Virus Scanning Program
that it should expect to find this signature
in COM files. (Currently this string is not
used, and the IBM Virus Scanning Program will
display the indicated message if the signature
is found in any file or boot sector.)
EXE Used to tell the IBM Virus Scanning Program
that it should display the indicated message
if the signature is found in a file which has
an EXE header. The IBM Virus Scanning Program
will not display messages for signatures found
in files with EXE headers unless the "EXE"
string is specified. The IBM Virus Scanning
Program does not rely on the filetype being
.EXE to determine this. Instead, it checks to
see if the file's first two bytes are
hexadecimal 4D and 5A, which are the first two
bytes of an EXE header. (If the "-G" option
is specified on the command line, the
indicated message will be displayed no matter
where the signature is found.)
Offset The next string after "Offset" (delimited by
blanks) must be a numeric string, and is used
as an integer offset into the object (file or
boot sector) at which the virus signature is
expected to be found. If the signature is
found elsewhere, the indicated message will
not be displayed. (If the "-G" option is
specified, the indicated message will be
displayed no matter where the signature is
found.)
Boot Used to tell the IBM Virus Scanning Program
that it should expect to find this signature
in boot records. By default, the IBM Virus
Scanning Program won't display messages for
"boot" signatures found in files unless the
"COM" or "EXE" keywords are used (on the same
line as "Boot"). (If the "-G" option is
specified on the command line, the indicated
message will be displayed no matter where the
signature is found.)
Pause if found Used to tell the IBM Virus Scanning Program
to pause with a dire warning the first time
during a scan that the signature is found in
system memory, or if the system memory scan
has been bypassed using option "-nms", the
first time that the signature is found in a
file. If you encounter this warning, you
should make very certain that you are
executing the IBM Virus Scanning Program after
having cold-booted from a write-protected DOS
diskette containing the IBM Virus Scanning
Program, which has been certified to be free
of viruses. Otherwise, the dire warning
indicates that continuing the scan may result
in corruption of other files by a virus. (No
pause will occur if the IBM Virus Scanning
Program is run in an OS/2 protect mode
session.)
Scan memory This tells the IBM Virus Scanning Program to
report any instances of this virus that it
finds as it scans system memory. It is used
for viruses which can cause significant
problems if they are resident in system memory
when the IBM Virus Scanning Program is
executed. (If the "-G" option is specified,
the indicated message will be displayed if
*any* of the signatures is found in system
memory. This is not done as the default
behavior because signatures can be left in
system memory by other programs, particularly
other virus scanners, even though no viruses
are resident.)
No mutants This tells the IBM Virus Scanning Program to
not search for variations on this virus even
when the "-M" option is used. If a signature
is found to be prone to false alarms (most
likely when the "-M" option is used), this
keyphrase will eliminate these false alarms.
For example, suppose that you discover a new virus, which you call the
"Purple Virus." You have determined that the string
EA6061626364786566676869716A6B6C6D6E516FC0C1C8C958D6F1 appears in
every copy of the virus, that the virus infects boot sectors, and that
the virus installs a resident extension that tries to hide the
infection from virus detectors. You could add the following lines to
your ADDENDA.LST file to scan for this virus: (Naturally, this is
just an example, not a real virus. Please don't use this signature or
entry.)
----------------------------------------------------------------------
*
* Entry for the non-existent Purple virus (just an example).
*
EA6061626364786566676869716A6B6C6D6E516FC0C1C8C958D6F1
A boot record of this disk may have the Purple virus.
(Boot records, Scan memory.)
----------------------------------------------------------------------
To view VIRSIG.LST, use the TYPE command to display the file on your
monitor, or use the PRINT command to print it on your printer. If you
wish to view VIRSIG.LST with an editor, make a copy of the file and
edit the copy. Some editors make subtle changes to files. The IBM
Virus Scanning Program will detect changes in VIRSIG.LST, and refuse
to run if it is changed.
4.3.1 SCANNING FILES
_____________________
VIRSIG.LST contains the virus signatures, including signatures for
viruses that can infect executable files. Its format is described in
the preceding section entitled "The Format of the Signature Files".
By default, the IBM Virus Scanning Program scans files of type .EXE,
.COM, .OV?, .INI, .BIN, and .SYS. This can be changed with command
line options.
4.3.2 SCANNING BOOT RECORDS
____________________________
VIRSIG.LST also contains signatures for viruses that can infect boot
records of diskettes and hard disks, and for viruses that can infect
both files and boot records. The IBM Virus Scanning Program will test
system boot sectors of any drives that are specified, and will test
the master boot record of the first hard drive if a drive letter C: or
higher is specified. There are also command line options to scan any
particular drive for boot sector viruses. System boot sectors are
sometimes known as partition boot sectors or DOS boot sectors. The
master boot record contains the partition table for a physical hard
disk.
Reference "Limitations" for further technical details about scanning
boot sectors.
4.4 ADDING MORE VIRUS SIGNATURES
_________________________________
If you want the IBM Virus Scanning Program to scan for signatures
other than those in VIRSIG.LST, you should create a file called
ADDENDA.LST and put the new signatures in this file. ADDENDA.LST must
be placed in the same directory as VIRSCAN.EXE in order for the IBM
Virus Scanning Program to find it. If the IBM Virus Scanning Program
can find an ADDENDA.LST file, it will load it along with VIRSIG.LST.
You can use the "-V" option to verify that the IBM Virus Scanning
Program is loading your ADDENDA.LST file correctly. ADDENDA.LST (if
it exists) has the same format as VIRSIG.LST. ADDENDA.LST is not
checked for modifications.
4.5 COMMAND-LINE OPTIONS
_________________________
Options to the IBM Virus Scanning Program may be specified on the
command line as follows:
VIRSCAN [options]
[options] may be specified in any order, in upper or lower case, and
may consist of one or more of the following.
-A Scan all files on the indicated drives. This is useful when you
are cleaning up after a virus infection, to check absolutely
every file on a drive for the presence of viruses. (See the
"-G" option, which is also useful during cleanup.)
The following will scan all files on the C: and D: drives:
VIRSCAN C: D: -A
By default, the IBM Virus Scanning Program only scans files of
type EXE and COM, and boot sectors, on specified disks.
-B Scan a boot sector. If a logical drive letter is specified
(e.g. -BC:), then the system boot sector of the drive is
scanned. If a physical drive number is specified (e.g. -B80),
then the master boot record of the drive is scanned.
The following scans only the system boot sector of the C: drive:
VIRSCAN -BC:
The following scans only the master boot record of physical
drive 80, which is the first physical hard disk.
VIRSCAN -B80
By default, the IBM Virus Scanning Program scans the system boot
sector of specified drives (see the description of the "path"
that follows), and the master boot record of the first hard
drive if drive C: or above is specified.
-C Continue scan if there is an error opening a file for scanning.
In some operating environments, a few files may be locked for
some reason. If the IBM Virus Scanning Program is failing
because it can't open such a file, use this option to force the
IBM Virus Scanning Program to continue the scan.
-CAD Continue if access denied. If this option is used, the IBM
Virus Scanning Program will continue the scan even if it is
unable to scan a particular subdirectory tree because access was
denied.
-E Do not scan boot sectors unless explicitly specified with the -B
option. This is useful if there is a problem scanning the boot
sector of a drive (for instance, a network drive). If this
option is used, the IBM Virus Scanning Program will not find
boot sector viruses unless the -B option is used.
-G The Guru option, for use primarily by technically inclined
users. By default, the IBM Virus Scanning Program only reports
signatures found in places where it expects them. For instance,
signatures that are not specified as EXE file signatures in the
signature file are not reported if they are found in EXE-type
files (that is, files that have EXE headers). If an offset for
a signature is specified in the signature file, it will not be
reported if it is found at another location. If the "Scan
memory" keyphrase is not specified in the signature file, the
signature will not be reported if it is found in memory. The
Guru option tells the IBM Virus Scanning Program to report a
signature no matter where it is found. This is useful in
cleaning up after a virus infection, to make sure that you have
scanned absolutely everything that could be harboring a copy of
the virus. It can cause false alarms, though, for instance when
remnants of infected files remain in memory even though they are
not dangerous. (See the "-A" option, which is also useful
during cleanup.)
-H Help. A brief summary of the command-line options is displayed.
-L Scan the files listed in the specified file for viral
signatures. The specified file should contain one filename per
line. The files to be scanned may be specified relative to the
current drive and directory, or may be given fully qualified
pathnames.
The following scans the files listed in FILES.DAT for viral
signatures:
VIRSCAN -LFILES.DAT
-M Maybe detect mutants. This tells the IBM Virus Scanning Program
to try to detect small variations on the viruses listed in the
signature files. Virus signatures are broken into random
fragments, and the IBM Virus Scanning Program will scan for the
fragments as well as for the original signatures. Additionally,
this option tells the IBM Virus Scanning Program to report *all*
signatures that are partially matched. the IBM Virus Scanning
Program doesn't require that all bytes in a a long signature be
matched; the number of mismatched bytes allowed is a function of
the length of a signature; the longer the signature, the more
mismatched bytes are allowed. By default, if the IBM Virus
Scanning Program finds one or more partial match (and no
complete matches) it will report the closest partial match. If
this option is used, the IBM Virus Scanning Program will report
*all* partial matches. There is a small possibility of false
alarms if this option is used, since short fragments may be
found in files which do not contain viruses. So, use this
option with care, and be prepared to investigate in more detail
any reports of signatures found. By default, the IBM Virus
Scanning Program uses the entire signature string in the scan.
-MEM Scan system memory By default, the IBM Virus Scanning Program
will scan memory before it scans anything else. The -mem switch
tells the IBM Virus Scanning Program to scan memory even if it
scans nothing else. Switches -nhms, -g and -m all modify the
behavior of the memory scan. By default, the IBM Virus Scanning
Program will only scan memory for certain viruses; if the -g
switch is used, when the IBM Virus Scanning Program scans memory
for viruses, it will scan for all of the viruses that it knows
about.
-NB No beep. By default, the IBM Virus Scanning Program will beep
when a virus signature is found. This switch turns off the
beep. If the both the -NB and -Z switch are used, -NB will not
turn off the beeps at program termination; only the beeps issued
when a virus signature is found are disabled.
-NMBRS No master boot record scan. Do not scan the master boot record
of the first hard drive unless explicitly specified with the -b
option. This is useful if there is a problem scanning the
master boot record for some reason, but other boot sectors can
be scanned. If this option is used, the IBM Virus Scanning
Program won't find master boot record viruses (such as the
Stoned virus) on the first hard drive unless the -B option is
used. (-B80 tells the IBM Virus Scanning Program to scan the
master boot record of the first hard drive.)
-NLA Do not display the banner containing the copyright notice and
license agreement when scanning for viruses, and do not require
the user to type "Y" before starting the scan. This is useful
when running the IBM Virus Scanning Program from a BAT or CMD
file that should not require user interaction. Your use of the
IBM Virus Scanning Program is still subject to the terms and
conditions set out in the license agreement for this program.
(For users in the United States and Puerto Rico, these are set
out in the READ.ME file distributed with this program. For
users in other locations, see your IBM representative or IBM
authorized supplier for contract terms.) See the "-Q" and "-QQ"
options for related functions.
-NHMS No high memory scan. Under PC-DOS, the IBM Virus Scanning
Program scans system memory for indications of some resident
viruses. This is because it is important for your system to be
free of certain resident viruses when the IBM Virus Scanning
Program is executed. This option disables the memory scan above
absolute address A0000. That means that the first 640K will be
scanned, but not the memory between 640K and 1MB. Most memory
resident viruses install themselves in the first 640K. This
option can be useful if you are having trouble with the memory
scan, but we do not recommend its use in general. This option
is slightly risky, because it may miss viruses installed in
memory higher than the first 640K.
-NMS No memory scan. Under PC-DOS, the IBM Virus Scanning Program
scans system memory for indications of some resident viruses.
This is because it is important for your system to be free of
resident viruses when the IBM Virus Scanning Program is
executed. This option disables the memory scan completely. It
can be useful if you are having trouble with the memory scan,
but we do not recommend its use in general. If you are having
trouble with the memory scan, we suggest that you try "-nhms"
first. Use this option at your own risk!
-NMUT No mutant detection. By default, if the IBM Virus Scanning
Program finds one or more partially matched signature strings
(and no complete matches) it will report the closest partial
match. If this option is used, the IBM Virus Scanning Program
will not report partial matches. This is useful if false alarms
are being encountered with the default mutant detection.
-NP No progress indicator. By default, the IBM Virus Scanning
Program displays the name of each file or boot sector as it is
scanned, to give you an indication of what it is doing. This
option tells the IBM Virus Scanning Program not to display these
names. (It will continue to display the names of files or boot
sectors containing any of the virus signatures.) This is useful
if you are redirecting the output of the IBM Virus Scanning
Program to a file and only want the summary of the scan.
The following will produce a summary of a scan of the C: drive
in the file VIRSCAN.OUT in the current directory, without the
long list of all files that were scanned:
VIRSCAN C: -NP > VIRSCAN.OUT
-NST No self-test. By default, the IBM Virus Scanning Program
verifies that VIRSCAN.EXE, VIRSIG.LST and VIRSCAN.MSG have not
been modified, either accidentally or by a virus. This option
disables the test. While the self-test takes a little time, it
is an important aid in maintaining the integrity of the program
and the signature files. Use this option at your own risk!
-P Build a list of files that tested positive. This is useful if
you want to have a list of infected files for use in a cleanup
process. If no filename is specified, the default output file
POSITIVE.VIR in the current directory will be used. The file
will not be created unless one or more virus signatures are
found.
The following will scan the C: and E: drives, and put the names
of any infected files into the file POSITIVE.VIR in the current
directory:
VIRSCAN E: C: -P
The following will scan D:\MANGO and its subdirectories, and put
the names of any infected files into the file C:\INFECTED.LST:
VIRSCAN D:\MANGO -PC:\INFECTED.LST
path Scan a PC-DOS or OS/2 logical drive or directory. (Also
available as -Dpath) This is the most common option to specify
to the IBM Virus Scanning Program. If you specify only a drive
letter, the IBM Virus Scanning Program will scan the system boot
sector of that drive, and all subdirectories on the drive. If
you specify a path, the IBM Virus Scanning Program will scan the
directory specified by that path, and all of its subdirectories.
If a drive letter is given as part of the path specification,
its system boot sector will be scanned as well. If drive C: or
above is specified (e.g. C:, D:, E:, etc.), the master boot
record of the first hard drive will be scanned.
The following two commands are equivalent, and will scan the
master boot record on physical drive 80, the system boot sector
on the C: drive, and all subdirectories on the C: drive:
VIRSCAN C:
VIRSCAN -DC:
The following scans the subdirectory \LIME\GUAVA on drive D:,
all of its subdirectories, as well as the master boot record of
physical drive 80 and the system boot sector of drive D:
VIRSCAN D:\LIME\GUAVA
The following scans the subdirectory GUAVA under the current
directory of the current drive, and all of its subdirectories:
VIRSCAN .\GUAVA
Note that it does not scan the boot sectors of the current
drive, since no drive letter was specified.
-Q Quiet output. Do not display the banner containing the
copyright information for this program. The only messages that
will be displayed are those that indicate that a viral signature
has been found, error messages, and warnings if particularly
troublesome viruses are found (as indicated by "Pause if found"
in the signature files). This is useful when executing the IBM
Virus Scanning Program from a BAT or CMD file that checks the
error level and takes its own action if a virus is found.
Your use of the IBM Virus Scanning Program is still subject to
the terms and conditions set out in the license agreement for
this program. (For users in the United States and Puerto Rico,
these are set out in the READ.ME file distributed with this
program. For users in other locations, see your IBM
representative or IBM authorized supplier for contract terms.)
"-QQ" option for similar function. See the"-NLA" and "-QQ"
options for similar functions.
-QQ Very quiet output. Do not display the banner containing the
copyright information for this program. Also disable display of
any other messages, except for fatal error messages and warnings
if particularly troublesome viruses are found. (The latter is
indicated by "Pause if found" in the signature files.) The only
indication that viral signatures have been found is the error
level returned by the IBM Virus Scanning Program. This is
useful when executing the IBM Virus Scanning Program from a BAT
or CMD file that checks the error level and takes its own action
if a virus is found.
Your use of the IBM Virus Scanning Program is still subject to
the terms and conditions set out in the license agreement for
this program. (For users in the United States and Puerto Rico,
these are set out in the READ.ME file distributed with this
program. For users in other locations, see your IBM
representative or IBM authorized supplier for contract terms.)
"-QQ" option for similar function. See the"-NLA" and "-QQ"
options for similar functions.
-R Removable media support. This indicates that a given drive has
removable media, such as floppy diskettes. If that drive is
then specified as a drive to be scanned, The IBM Virus Scanning
Program will prompt the user to insert additional diskettes to
be scanned in that drive. This is useful when you are scanning
a number of floppy diskettes, which is a common thing to do when
first scanning a system, or when cleaning up after an infection.
The following will let you scan every diskette in a box of
diskettes in the A: drive:
VIRSCAN -RA: A:
Note that the "-RA:" option just tells the IBM Virus Scanning
Program that drive A: has removable media. The separate "A:"
option tells the IBM Virus Scanning Program to scan the A:
drive.
-S Use a non-default signature file for this scan. By default, the
IBM Virus Scanning Program uses the signatures in the files
VIRSIG.LST, and (if it is present) ADDENDA.LST for its scan.
This option allows you to use other files instead.
If this option is used, the default signature file isn't used,
unless it is also specified explicitly with the "-S" option.
For this reason, you should use this option with care, and at
your own risk!
The following scans the C: drive using the signatures in the
file MYSIG.DAT, as well as the file VIRSIG.LST. in the current
directory.
VIRSCAN C: -SVIRSIG.LST -SMYSIG.DAT
The following scans the D: drive using only the signatures in
the file C:\UTIL\MYSIG.DAT. It does *not* use the signatures in
VIRSIG.LST.
VIRSCAN D: -SC:\UTIL\MYSIG.DAT
-T Scan a single, specified file for viral signatures.
The following scans the file PRUNE.OVL in the current directory:
VIRSCAN -TPRUNE.OVL
The following scans the file C:\UTIL\PLUM\PRUNE.OVL:
VIRSCAN -TC:\UTIL\PLUM\PRUNE.OVL
-V Verbose output. This displays a list of files and boot sectors
as they are scanned, and in general forces the IBM Virus
Scanning Program to display more information than normal. It
forces the IBM Virus Scanning Program to do a hexadecimal
display of any virus signatures that are found. It is very
helpful to use this option to help diagnose the problem if a
scan terminates early due to error. It is also useful if you
are experimenting with command line options, to verify that what
you think you specified is what you specified. Note: If you use
the "-V" option, you should specify it on the command line
before any other options.
-VV Very verbose output. This is similar to the "-V" option, except
that a hexadecimal dump of boot sectors is also displayed. This
is useful when diagnosing problems with scanning boot sectors.
Note: If you use the "-VV" option, you should specify it on the
command line before any other options.
-VL Create a log file. This tells virscan to create a log of the
virus scan. The default log file name is "virscan.lgf", in the
current directory. A file name may also be specified explicitly.
The following scans the C: drive and creates the log file
"virus.log" in the root directory of the C: drive.
VIRSCAN C: -VLC:\VIRUS.LOG
-W Wildcard file specification. By default, the IBM Virus Scanning
Program only scans files of type EXE, COM, OV?, INI, and SYS.
(and boot sectors, of course). This option can be used to
specify arbitrary file types to scan.
The following will scan files of type OVL and MEM on the C: and
D: drives:
VIRSCAN C: D: -W*.OVL,*.MEM
The following will scan all files with file name KIWI on the E:
drive:
VIRSCAN E: -WKIWI.*
-Z Pause with beeps if any virus signatures were found. When the
scan finishes, if any virus signatures were found, this switch
will force the IBM Virus Scanning Program to beep once per
second and wait for the user to press a key.
* Scan all fixed disks. (Not supported under DOS 2.0 or 2.1) This
option tells virscan to scan all of the system's local
non-removable disks. For example, if the system has 2 fixed
disks partitioned into 3 disk partitions "C:", "D:", and "E:",
and a virtual disk "F:"
VIRSCAN *
is equivalent to
VIRSCAN C: D: E: F:
Similarly, all network drives can be scanned with
VIRSCAN *n
and all network and local non-removable drives can be scanned
with
VIRSCAN *fn
? Help. A brief summary of the command line options is displayed.
?? Usage examples. Examples are given showing how to use the IBM
Virus Scanning Program in some of the most common circumstances.
4.6 VALUES OF ERRORLEVEL RETURNED
__________________________________
The IBM Virus Scanning Program sets the DOS or OS/2 error level upon
exit to one of several values, depending upon what it found.
0 No virus signatures were found, and no other fatal errors
occurred.
1 No virus signatures were found, but the program terminated
with some other error before the scan was complete.
2 One or more virus signatures were found.
These error levels can be used within BAT and CMD files that execute
the IBM Virus Scanning Program, to respond differently to what the
program finds.
4.7 LIMITATIONS
________________
While the IBM Virus Scanning Program can help you detect the presence
of many viruses, it does have its limitations. It is important to
understand what these are, and how to use the IBM Virus Scanning
Program properly, in order to best protect your system.
4.7.1 THE IBM VIRUS SCANNING PROGRAM IS NOT A CURE-ALL
_______________________________________________________
In typical computing systems, it is not possible for any program to
detect all possible viruses that may exist in the future. The IBM
Virus Scanning Program is designed to help you detect the presence of
many of the viruses that we already know about. It does this by
scanning for the signatures found in the file VIRSIG.LST, and
ADDENDA.LST if it is present. Viruses whose signatures are not
contained in these files will probably not be detected.
4.7.2 THE IBM VIRUS SCANNING PROGRAM DOES NOT REMOVE VIRUSES
_____________________________________________________________
The IBM Virus Scanning Program does not attempt to remove viral
infections from a system. If you discover that your system is
infected with a virus, you should seek competent technical assistance
to prevent the infection from spreading to other systems, and to clean
up the infection safely.
4.7.3 THE IBM VIRUS SCANNING PROGRAM MAY NOT FIND VIRUSES IN ARCHIVES
______________________________________________________________________
The IBM Virus Scanning Program cannot find virus signatures in files
that are compressed or encrypted. This includes files that have been
compressed by archiving programs.
To scan such files, unpack them first, and then scan their constituent
files.
Self-extracting archives are programs (typically files of type EXE)
that are compressed, but decompress themselves into their constituent
files when they are executed. Some viruses can infect the
decompression part of these programs, and the IBM Virus Scanning
Program will detect them. It is also possible for the compressed
programs stored within these files to be infected. The IBM Virus
Scanning Program will not detect this while they are compressed.
4.7.4 SCANNING BOOT SECTORS
____________________________
When the IBM Virus Scanning Program is run in an OS/2 protect mode
session, it cannot scan the master boot record of the hard disk. As a
result, it cannot find master-boot-record viruses (such as the Stoned
virus) on hard disks, when it is executed under OS/2. The master boot
record is scanned when the IBM Virus Scanning Program is executed
under PC-DOS, including the DOS Compatibility Box of OS/2.
When the IBM Virus Scanning Program is asked to scan any drive with a
drive letter of C: or greater, it scans the partition boot sector of
each requested drive, and the master boot record of the physical hard
disk 80, which is the first physical hard disk. This is usually
sufficient, since most systems only use this master boot record. If
you want to scan the master boot record of any other physical hard
disk, you must specify it explicitly. For instance, the following
will scan the master boot record of physical disk 81, which is
typically the second physical disk:
VIRSCAN -B81
4.8 COMMON PROBLEMS
____________________
There are a few circumstances in which users have difficulties with
the IBM Virus Scanning Program. This section discusses the most
common problems and tells you what to do about them.
4.8.1 SYSTEMS WITH DAMAGED DIRECTORY TREES
___________________________________________
On some systems, the IBM Virus Scanning Program will terminate with an
error (usually "run-time error 6000"). This is often due to the
system having a damaged directory tree, in which one part of the tree
appears to contain the entire directory all over again. While this
condition is not caused by the IBM Virus Scanning Program, it will
prevent the IBM Virus Scanning Program from scanning the disk
correctly.
You should run the CHKDSK program to diagnose any such problems. If
CHKDSK reports errors, refer to your PC-DOS or OS/2 manuals for
instructions on correcting them.
4.8.2 INCOMPATIBLE VERSIONS OF PC-DOS AND COMMAND.COM
______________________________________________________
Occasionally, users will have a version of COMMAND.COM which is not
compatible with the version of PC-DOS that they are using. This may
happen when PC-DOS is updated, but the user forgets to update
COMMAND.COM. It causes the following message when attempting to
execute the IBM Virus Scanning Program: "SYS2090: The system is
unable to load the program." While this is not caused by the IBM Virus
Scanning Program, it will prevent the IBM Virus Scanning Program from
executing.
If you encounter this error, type VER to determine which version of
the operating system you are using. Then replace all copies of
COMMAND.COM with the version contained on the manufacturer's original,
write-protected diskette for the correct version of the operating
system. Reboot the system and try running the IBM Virus Scanning
Program again.
4.8.3 LIMITATION WHEN SCANNING BOOT RECORDS OF NETWORK DRIVES
______________________________________________________________
Some local area network programs allow you to access a disk drive on a
remote system as if it were one of your own local drives. The IBM
Virus Scanning Program sometimes cannot scan the boot sectors of these
drives, due to limitations in the local area network software. In
these cases, it will display a message similar to the following.
----------------------------------------------------------------------
There was an error reading system boot sector for drive G:, INT 25 rc=000D
Error scanning system boot sector of drive G:
(This is normal if drive G: is a network drive.)
(Continuing Scan)
----------------------------------------------------------------------
This indicates that the IBM Virus Scanning Program could not scan the
boot sector of that drive, but that the scan continued normally. This
is not a fatal error.
4.8.4 FALSE ALARMS WHEN SCANNING MEMORY
________________________________________
When the IBM Virus Scanning Program scans system memory, it will
occasionally find remnants of virus signatures left over from programs
that had been run previously. In particular, some other virus
scanning programs will leave remnants of the signatures they use in
memory. (This includes the IBM Virus Scanning Program version 1.0.)
This can cause the IBM Virus Scanning Program to report the possible
presence of a virus in memory when there is none. This is most likely
to happen when the "-G" option is used, which asks the IBM Virus
Scanning Program to report any signatures found, regardless of where
they are found.
If this problem is suspected, cold-boot the system from a virus-free,
write-protected floppy diskette (see "Safely Using the IBM Virus
Scanning Program" for details), and run the IBM Virus Scanning Program
again. This will ensure that there are no remnants of previous
programs in memory when the IBM Virus Scanning Program executes.
5.0 VIRUSES DETECTED BY THE IBM VIRUS SCANNING PROGRAM
_______________________________________________________
This section describes the viruses scanned for by this version of the
IBM Virus Scanning Program.
5.1 VIRUS LIST AND CHARACTERISTICS
___________________________________
The following table summarizes the characteristics of the PC-DOS
viruses that the IBM Virus Scanning Program version 2.1.2 scans for.
The meaning of the columns is as follows.
o Infects COM. The virus infects COM files.
o Infects EXE. The virus infects EXE files.
o Uses "MZ" for criterion. The virus looks for an EXE header,
rather than a file type of EXE, in order to determine which files
to infect. An EXE header has the ASCII characters MZ (hexadecimal
4A and 5D) as the first two bytes of the file. If it finds these
two bytes, the virus will infect that file. Viruses that use this
infection criterion can infect files of any type, as long as the
files have an EXE header. (This is the same criterion used by the
DOS loader to decide if a file has an EXE format.)
o Infects diskette boot. The virus infects the boot sectors of
floppy diskettes and will become active in a system which is
booted from an infected floppy diskette.
o Infects HD system boot. The virus infects the system boot sector
of hard disks and will become active in a system which is booted
from an infected hard disk.
o Infects HD master boot. The virus infects the master boot record
of hard disks and will become active in a system which is booted
from an infected hard disk.
o Resident. The virus installs itself as a
terminate-and-stay-resident (TSR) extension to DOS when it is run.
This TSR is then used to spread the infection. The virus will
remain active in a system even after the infected program has
finished running. Some of these viruses will remain active even
if the system is rebooted using Ctl-Alt-Del. They will not remain
active if the system is cold-booted from a disk or diskette that
is known to be free of viruses.
An "x" is placed in a column if a virus possesses that characteristic.
A "." is placed in the column if it does not.
New or name changed with this release---+
Resident------------------------------+ |
Infects HD master boot--------------+ | |
Infects HD system boot------------+ | | |
Infects diskette boot-----------+ | | | |
Uses "MZ" for criterion-------+ | | | | |
Infects EXE-----------------+ | | | | | |
Infects COM---------------+ | | | | | | |
| | | | | | | |
Virus V V V V V V V V Notes
---------------------------------------- ----------------------------------
1067 x . . . . . x .
1253 x . . x . x x .
1381 . x ? . . . x .
1392 x x x . . . x .
1536 x . x . . . x .
1575 x x . . . . x .
1624 . x x . . . . .
1701 x . x . . . x .
1701-Jojo x . x . . . x .
1704 x . x . . . x .
1704-B x . x . . . x .
1704-C x . x . . . x .
1704-Format x . x . . . x .
1704-Y x . x . . . x .
1813 x x . . . . x .
1813-00 x x . . . . x . Minor variant, virscan says "1813".
1813-1605 x x . . . . x .
1813-ANARKIA x x . . . . x .
1813-Discom x x . . . . x .
1813-Groen Links x x . . . . x .
1813-Not-13 x x . . . . x .
1813-Puerto x x . . . . x .
1813-Swiss x x . . . . x .
1813-Westwood x x . . . . x .
2086 x x . . . . x .
3445 x x . . . x x x Infects MBR with Campana virus.
382 x . . . . . . x
4096 x x x . . . x .
453 x . . . . . . .
5120 x x ? ? ? ? ? .
555 x x x . . . x .
637 . x x . . . . .
9800:0000 x x x . . . x .
Agiplan x x ? ? ? ? ? .
Aircop . . . x . . x .
Alabama . x . . . . x .
Ambulance x . . . . . . .
ANTHRAX x x ? ? ? x ? .
AntiPascal-400 x . . . . . . .
AntiPascal-440 x . . . . . . .
AntiPascal-480 x . . . . . . .
AntiPascal-529 x . . . . . . .
AntiPascal-605 x . . . . . . .
April 1st COM x . . . . . x .
April 1st EXE . x . . . . x .
Armagedon x ? ? ? ? ? ? .
Azusa . . . x . x x .
Black Monday x x . . . . x .
Blood x . . . . . . .
Bloody! . . . x . x x .
Bouncing Ball . . . x x . x .
Bouncing Ball/286 . . . x x . x .
Brain . . . x . . x .
Brain-Ashar . . . x . . x .
Brain-Shoe . . . x . . x .
Brunswick . . . x . x x .
Burger-405 x . . . . . . .
Burger-537 x x . . . . . .
Burger-541 x x . . . . . .
Burger-542 x x . . . . . .
Burger-560 x . . . . . . .
Campana . . . x . x x .
CARA x . . . . . x .
Carioca x ? ? ? ? ? ? .
Casino x . . . . . x .
CHV 2.1 x . . . . . x .
Crash-1075 x x . . . . x .
Crazy Eddie x x ? ? ? x ? .
Crew-2480 x . . . . . . .
CSSR-528 x . . . . . . .
Dark Avenger x x x . . . x .
Dark Avenger-2100 x x x . . . x .
DataCrime II x x x . . . . .
DataCrime II-B x x x . . . . .
DataCrime-1168 x . . . . . . .
DataCrime-1280 x . . . . . . .
DataLock x x x . . . x .
DBF x . . . . . x .
December 24th . x x . . . x .
DEICIDE x . . . . . . .
Den Zuk . . . x . . x .
Devil's Dance-941 x . . . . . x .
DIRVIR x ? ? ? ? ? x .
Disk Killer . . . x x . x .
Doom 2 x x . . . . x x
Do-Nothing x . . . . . x .
Do-Nothing 2 x . . . . . x .
Eddie-651 x x x . . . x .
EDV . . . x . x x .
Eight Tunes-1971 x x x . . . x .
Evil Empire . . . x . x x .
Evil Empire-B . . . x . x x .
Falling Letters Boot . . . x . . x .
Fellowship x x . . . . x .
FILLER . . . ? ? ? ? .
Fish 6 x x x . . . x .
FLASH x x . . . . x .
Flip-2153 x x x . . x x . Also changes 1 byte HD system boot
Flip-2343 x x x . . x x . Also changes 1 byte HD system boot
FORM . . . x x . x .
Friday the 13th COM x . . . . . . .
Fumble-867 x . . . . . . . Has a non-viral resident extension
Guppy x . x . . . x .
Halloechen x x x . . . x .
Happy Day x . . . . . . .
Iceland II . x . . . . x .
ITAVIR . x x . . . . .
Japanese Christmas x . ? ? ? ? ? .
Jeff x . x . . . . .
Joshi . . . x . x x .
July 13th . x ? ? ? ? ? .
June 16th x . . . . . . .
Kamikaze x x x . . . x .
Kennedy-163 x . . . . . . .
Kennedy-333 x . . . . . . .
KeyPress x x ? ? ? ? x .
Klaeren x x . . . . x .
LAO DOUNG . . . x x . x x
LBC . . . x . . x .
Lehigh I x . . . . . x . Only infects COMMAND.COM
Leprosy x . . . . . . .
Leprosy-B x . . . . . . .
Liberty x x x . . . x .
Mardi Bros ? ? ? ? ? ? ? . Infects boot records for sure.
MG1 x ? ? ? ? ? ? .
MG3 x ? ? ? ? ? ? .
Michelangelo . . . x . x x .
MICROBE . . . x . . x .
Mirror x x . . . . x .
MIX1 . x . . . . x .
MIX1-B . x . . . . x .
Murphy 1 x x ? ? ? ? x .
Murphy 2 x x ? ? ? ? x .
MusicBug . . . x ? ? x .
Nobock x . . . . . . .
Noint . . . x . x x .
Nomenklatura x x x . . . x .
Ohio . . . x . . x .
Ohio0 . . . x . . x .
Ontario x x x . . . x x
OROPAX x . . . . . x .
Pentagon . . . x . . x .
Perfume-765 x . . . . . x .
Pixel-277 x . . . . . . .
Pixel-299 x . . . . . . .
Pixel-345 x . . . . . . .
Pixel-740 x . . . . . . .
Pixel-847 x . . . . . . .
Pixel-852 x . . . . . . .
Plastique 4.51 x x ? . . . ? .
Plastique 5.21 x x ? x ? x x .
Plastique-2576 x x ? ? ? ? ? .
Plastique-2900 x x ? ? ? ? ? .
Plastique-Invader x x . x . x x .
POLIMER x . ? . . . . .
PrtSc . . . x . x x .
Prudents-1210 . x x . . . . .
PSQR-1720 x x . . . . x .
Raubkopi x x x . . . . .
SADAM x . . . . . x .
Saratoga 1 . x . . . . x .
Saratoga 2 . x . . . . x .
Saturday 14th x x x . . . x .
Shake x . . . . . x .
Slow x x x . . . x .
Slow-2131 x x ? ? ? ? x .
Smiley Worm . . . x x . x x
Solano x . x . . . x .
Sparse x . . . . . x .
STAF x . . . . . . .
Stardot-600 x . x . . . . .
Stardot-789 x x x . . . . x
Stardot-801 x x x . . . . .
Stoned . . . x . x x .
Stoned 2 . . . x . x x .
Stoned-Alberta . . . x . x x .
Stoned-ZAPPED . . . x . x x .
Sunday x x . . . . x .
Sunday 2 x x . . . . x .
Suomi x . ? ? ? ? . .
sURIV 3.00 x x . . . . x .
SVIR . x . . . . . .
Swedish Disaster . . . x . x x .
Sylvia x . . . . . . .
SYSLOCK x x x . . . . .
Taiwan x . . . . . . .
Taiwan 2 x . . . . . . .
Talentless Jerk x . . . . . . .
Tequila . x . . . x x .
Telecom x . . . . x x x Infects MBR with Campana virus
Tiny-134 x . x . . . x .
Tiny-138 x . x . . . x .
Tiny-143 x . x . . . x .
Tiny-154 x . x . . . x .
Tiny-156 x . x . . . x .
Tiny-158 x . x . . . x .
Tiny-159 x . x . . . x .
Tiny-160 x . x . . . x .
Tiny-167 x . x . . . x .
Tiny-198 x . x . . . x .
TP06VIR x ? ? ? ? ? x . Relatives of the 2885 and VACSINA
TP16VIR x ? ? ? ? ? x .
TP23VIR x ? ? ? ? ? x .
TP24VIR x ? ? ? ? ? x .
TP25VIR x ? ? ? ? ? x .
TP33VIR x ? ? ? ? ? x .
TP34VIR x ? ? ? ? ? x .
TP41VIR x ? ? ? ? ? x .
TP42VIR x ? ? ? ? ? x .
TP45VIR x ? ? ? ? ? x .
TP46VIR x ? ? ? ? ? x .
Traceback-2930 x x x . . . x .
Traceback-3066 x x x . . . x .
Turbo-448 x . ? . . . x .
Turbo-Kukac x . ? . . . x .
Typo Boot . . . x x . x .
V1024 x x x . . . x .
V2000 x x x . . . x .
V512 x . . . . . x .
V512-B x . . . . . x .
V512-C x . . . . . x .
V512-D x . . . . . x .
V800 x x ? ? ? ? ? .
VACSINA x . x . . . x . Changes EXE files to COM files
VCS 1.0 x . . . . . . .
VHP-348 x . . . . . . .
VHP-353 x . . . . . . .
VHP-367 x . . . . . . .
VHP-435 x . . . . . . .
VHP-623 x . . . . . . .
VHP-627 x . . . . . . .
Victor x x ? ? ? ? x .
Vienna-535 x . . . . . . .
Vienna-646 x . . . . . . .
Vienna-648 x . . . . . . . Puts reboot code in COM files
Vienna-Choinka x . . . . . . .
Vienna-Ghost x . . . . . . . Puts non-viral code in boot sectors
Vienna-Ira x . . . . . . .
Vienna-Lisbon x . . . . . . . Puts the string "@AIDS" in COM files
Vienna-Monxla x . ? . . . . . Sometimes installs non-viral int hdlr
Vienna-Viola x . . . . . . .
Vienna-Viola B4 x . . . . . . .
VIRDEM x . . . . . . .
VIRDEM 2 x . . . . . . .
VIRUS-90 x . x . . . . .
VP x . . . . . . .
Vriest x . . . . . x .
W13-A x . . . . . . .
W13-B x . . . . . . .
Washburn-1260 x . . . . . . .
Washburn-Casper x . . . . . . .
Washburn-V2P2 x . . . . . . .
Whale x x ? ? ? ? x .
Whale-B x x ? ? ? ? x .
Wisconsin x . ? ? ? ? . .
XA1 x . . . . . . . Overwrites boot records on April 1
Yale . . . x . . x .
Yankee Doodle-2772 x x x . . . x .
Yankee Doodle-2885 x x x . . . x .
Yankee-1961 . x x . . . . .
Yaunch . x . . . . . x
Zero Hunt x . x . . . x .
Zero Hunt-B x . x . . . x .
ZK-900 x x x . . . x .
5.2 CROSS-REFERENCE OF COMMON VIRUS NAMES
__________________________________________
Computer viruses are called by a variety of names. Sometimes,
different people refer to the same virus by different names, or to
different viruses by the same name. This table attempts to translate
some of the more common names into the name used by the IBM Virus
Scanning Program. Since these names are used differently by different
people, the entries in this table may not reflect every use of these
names by others. Sometimes different people use the same name, but it
differs in capitalization (e.g. ANTHRAX v.s. Anthrax). In such
cases, this table only includes an entry for our capitalization.
Nickname Name Used By the IBM Virus Scanning Program
100 Years 4096
1008 Suomi
1022 Fellowship
1024 V1024
1168 DataCrime-1168
1210 Prudents-1210
1253 1253
1260 Washburn-1260, Washburn-V2P2 or Washburn-Casper
1260-Casper Washburn-1260, Washburn-V2P2 or Washburn-Casper
1280 DataCrime-1280
1381 1381
1392 1392
1392 (Amoeba) 1392
1514 DataCrime II
1536 1536
1536 (Zero Bug) 1536
1539 XA1
1554 9800:0000
1559 9800:0000
1575 1575
1605 1813-1605
1624 1624
1701 1701
1701-Jojo 1701-Jojo
1701-Jojo 1701-Jojo
1701/1704 - Version B 1701, 1704, 1704-B, 1704-C, 1704-Format, 1704-Y
1704 1704
1704 Format 1704-Format
1704-B 1704-B
1704-C 1704-C
1704-Format 1704-Format
1704-Y 1704-Y
170X 1701, 1704, 1704-B, 1704-C, 1704-Format, 1704-Y
1720 PQSR
17XX 1701, 1704, 1704-B, 1704-C, 1704-Format, 1704-Y
17Y4 1704-Y
1808(EXE) 1813
1813 1813
1813(COM) 1813
1813-00 1813
1813-1605 1813-1605
1813-ANARKIA 1813-ANARKIA
1813-Mendoza 1813 (Not differentiated by VIRSCAN)
1813-not-13 1813-not-13
1813-Puerto 1813-Puerto
1813-Swiss 1813-Swiss
1813-Tuesday-1st 1813 (Not differentiated by VIRSCAN)
1813-Westwood 1813-Westwood
1917 DataCrime II-B
1961 (Yankee) Yankee-1961
1971 Eight Tunes-1971
1971(Eight Tunes) Eight Tunes-1971
2086 2086
2131 Slow-2131
2153 (Flip) Flip-2153
2343 (Flip) Flip-2343
2772 Yankee Doodle-2772
2885 Yankee Doodle-2885
2930 Traceback-2930
3066 Traceback-3066
3066/2930 Traceback Traceback-2930, Traceback-3066
333 Kennedy-333
3445 3445
3551 SYSLOCK
3551 (Syslock) SYSLOCK
3555 SYSLOCK
382 382
3880 ITAVIR
405 Burger-405
4096 4096
453 453
4711 Perfume-765
512 V512
5120 5120
537 Burger-537
541 Burger-541
555 555
560 Burger-560
637 637
640k Do Nothing
648 Vienna-648
648-Lisbon Vienna-Lisbon
651 Eddie-651
688 FLASH
765 Perfume-765
847 Pixel-847
867 Fumble-867
903 CHV 2.1
941 Devil's Dance-941
9800:0000 9800:0000
Agiplan Agiplan
Aircop Aircop
Alabama Alabama
Alameda Yale
Ambulance Ambulance
Ambulance Car Ambulance
AMOEBA 1392
Amstrad Pixel-847
ANARKIA 1813-ANARKIA
ANTHRAX ANTHRAX
AntiCad 1253
AntiCad 4.Mozart Plastique-Invader
AntiCad 5 Plastique-2576
Anticad 3.a Plastique 4.51
Anticad 1.a Plastique 5.21
AntiPascal-400 AntiPascal-400
AntiPascal-440 AntiPascal-440
AntiPascal-480 AntiPascal-480
AntiPascal-529 AntiPascal-529
AntiPascal-605 AntiPascal-605
April 1st April 1st COM, April 1st EXE, Suriv 1.01
April 1st COM April 1st COM
April 1st EXE April 1st EXE
Arab Star 1813
Armagedon Armagedon
Armagedon the First Armagedon
Armagedon the GREEK Armagedon
Ashar Brain-Ashar
Austrian Vienna-648
Austrian 2 1701, 1704
Autocad 2 Plastique-2900
Autumn 1701, 1704
Autumn Leaves 1701, 1704
Azusa Azusa
BASIC 5120
Better world Fellowship
Black Avenger Dark Avenger
Black Friday 1813
Black Hole 1813
Black Monday Black Monday
Black Window 1813
Blackjack 1704B
Blood Blood
Bloody Bloody!
Bloody! Bloody!
Bouncing Ball Bouncing Ball
Bouncing Ball/286 Bouncing Ball/286
Bouncing Dot Bouncing Ball
Brain Brain
Brain-Ashar Brain-Ashar
Brain-Shoe Brain-Shoe
Brunswick Brunswick
Burger-405 Burger-405
Burger-537 Burger-537
Burger-541 Burger-541
Burger-542 Burger-542
Burger-560 Burger-560
Campana Campana
CARA CARA
Carioca Carioca
Cascade 1701, 1704
Cascade-B 1704-B
Casino Casino
Casper Washburn-1260, Washburn-V2P2 or Washburn-Casper
Chameleon Washburn-1260
Choinka Vienna-Choinka
Christmas in Japan Japanese Christmas
CHV 2.1 CHV 2.1
Columbus Day DataCrime-1280, DataCrime-1168, DataCrime II, DataCrime II B
COM Friday the 13th COM
Computer Ogre Disk Killer
Crash-1075 Crash-1075
Crazy Eddie Crazy Eddie
Crew-2480 Crew-2480
CSSR CSSR-528
CSSR-528 CSSR-528
Cursey EDV
Dark Avenger Dark Avenger
Dark Avenger 2 Eddie-651
Dark Avenger II V2000
Dark Avenger III V1024
Dark Avenger-2100 Dark Avenger-2100
DataCrime DataCrime-1280, DataCrime-1168
DataCrime B DataCrime-1168
DataCrime II DataCrime II
DataCrime II B DataCrime II-B
DataCrime II b DataCrime II-B
DataCrime II-B DataCrime II-B
DataCrime-1168 DataCrime-1168
DataCrime-1280 DataCrime-1280
DataCrime-2 DataCrime II
DataLock DataLock
DBASE DBF
DBase DBF
DBF DBF
Dead Kennedy Kennedy-333
Dead Kennedys Kennedy-333
Death to Pascal Wisconsin
December 24th December 24th
DEICIDE DEICIDE
Den Zuk Den Zuk
DENZUKO Den Zuk
Devil Devil's Dance-941
Devil's Dance Devil's Dance-941
Devil's Dance-941 Devil's Dance-941
Diamond V1024
Diana Dark Avenger
DIRVIR DIRVIR
Discom Discom
Disk Crunching Icelandic II, Saratoga 1, Saratoga 2, December 24th
Disk Killer Disk Killer
Disk Ogre Disk Killer
Do Nothing Do-Nothing, Do-Nothing 2
Do Nothing 2 Do-Nothing 2
Donald Duck Stoned 2
Doom 2 Doom 2
DOS-62 Vienna-648
DOS-68 Vienna-648
Durban Saturday 14th
EB 21 PrtSc
Eddie Dark Avenger
Eddie 2 Eddie-651
Eddie 3 Eddie-651
Eddie-651 Eddie-651
EDV EDV
Eight Tunes Eight Tunes-1971
Eight Tunes-1971 Eight Tunes-1971
European Fish Viruses Fish 6
Evil Empire Evil Empire
Evil Empire-B Evil Empire-B
Fall 1701, 1704
Falling Letters Boot Falling Letters Boot
Falling Tears 1701, 1704
Father Christmas Vienna-Choinka
Fellowship Fellowship
FILLER FILLER
First Austrian Vienna-648
Fish Fish 6
Fish 6 Fish 6
FLASH FLASH
Flip Flip-2343, Flip-2153
Flip-2153 Flip-2153
Flip-2343 Flip-2343
FORM FORM
Form Boot FORM
FORM-Virus FORM
Friday 13th Friday the 13th COM
Friday the 13th Friday the 13th COM
Friday the 13th COM Friday the 13th COM
Frodo 4096
Fu Manchu 2086
Fu Manchu - Version A 2086
Fumble Fumble-867
Fumble-867 Fumble-867
Ghost Vienna-Ghost
Ghost Boot Vienna-Ghost
Ghost COM Vienna-Ghost
Ghost Version of DOS 62 Vienna-Ghost
Ghostballs Vienna-Ghost
Guppy Guppy
Hacker Ohio
Halloechen Halloechen
Happy Birthday Joshi Joshi
Happy Day Happy Day
Hawaii Stoned
Hebrew University 1813
Hello (1A) Halloechen
Hemp Stoned
Herbst 1701, 1704
Holland Sylvia
Holland Girl Sylvia
Iceland Iceland II, Saratoga 1, Saratoga 2, December 24th
Iceland I Saratoga 2
Iceland II Iceland II
Icelandic Iceland II, Saratoga 1, Saratoga 2, December 24th
Icelandic II Iceland II
Icelandic III December 24th
Icelandic-3 December 24th
IDF 4096
Invader Plastique-Invader
Ira Vienna-Ira
Israeli 1813
Israeli Boot Falling Letters Boot
Israeli Defense Forces 4096
Italian Bouncing Ball
ITAVIR ITAVIR
Japanese Christmas Japanese Christmas
Japanese-Xmas Japanese Christmas
Jeff Jeff
Jeru-Discom 1813-Discom
Jeru.Swiss 1813-Swiss
Jeru-Sunday Sunday
Jeru-Sunday2 Sunday 2
Jerusalem 1813
Jerusalem Strain B 1813, 1813-ANARKIA, 1813-not-13, 1813-Swiss
Jerusalem-B 1813
Jerusalem-E sURIV 3.00
Jerusalem.Not13 1813-not-13
JOJO 1701-Jojo
Joshi Joshi
July 13th July 13th
June 16th June 16th
June-the-16th June 16th
JUNE16 June 16th
JV 1813
Kamikaze Kamikaze
Kennedy Kennedy-333
Kennedy-163 Kennedy-163
Kennedy-333 Kennedy-333
KeyPress KeyPress
KHETAPUNK 1392
Klaeren Klaeren
Korea LBC
Kukac-2 Turbo-Kukac
LBC LBC
LBC Boot LBC
Lehigh Lehigh I
Lehigh I Lehigh I
Leprosy Leprosy
Leprosy 1.00 Leprosy
Leprosy-B Leprosy-B
Liberty Liberty
Lisbon Vienna-Lisbon
Live After Death V800
MACROSOFT SYSLOCK
Mardi Bros Mardi Bros
Marijuana Stoned
Marti Brothers Mardi Bros
Mendoza 1813 (Not differentiated by VIRSCAN)
Merritt Yale
Mexican Devil's Dance
MG1 MG1
MG3 MG3
Miami Friday the 13th COM
Michelangelo Michelangelo
MICROBE MICROBE
Mirror Mirror
Mistake Fumble-867, Typo Boot
MIX1 MIX1, MIX1-B
MIX1-B MIX1-B
MIX1/Icelandic Saratoga 1, Saratoga 2, Iceland II
Mixer1 MIX1
Monxla Vienna-Monxla
Morbus Waiblingen 1813
Mother Fish Whale
Munich Friday the 13th COM
Murphy Murphy 1
Murphy 1 Murphy 1
Murphy 2 Murphy 2
Murphy-1 Murphy 1
Murphy-2 Murphy 2
Music OROPAX
MusicBug MusicBug
Musician OROPAX
MYSTIK Liberty
New Zealand Stoned
Nobock Nobock
Noint Noint
Nomenclature Nomenklatura
Nomenklatura Nomenklatura
Number of the Beast V512
Ogre Disk Killer
Ohio Ohio
Ohio0 Ohio0
Old Yankee-1 Yankee-1961
Omicron Flip-2343, Flip-2153
OMICRON Psychoblaster Flip-2343, Flip-2153
Ontario Ontario
One-In-Eight Vienna-648
OROPAX OROPAX
Pakistani Brain
Pakistani Brain Brain
Palette 1536
Payday 1813-not-13
Peking Yale
Pentagon Pentagon
Perfume Perfume-765
Perfume-765 Perfume-765
Ping Pong-B Bouncing Ball
Ping-Pong Bouncing Ball
Pixel Pixel-847
Pixel-277 Pixel-277
Pixel-299 Pixel-299
Pixel-345 Pixel-345
Pixel-740 Pixel-740
Pixel-847 Pixel-847
Pixel-852 Pixel-852
Plastique 4.51 Plastique 4.51
Plastique 5.21 Plastique 5.21
Plastique Boot Plastique-Invader
Plastique-2576 Plastique-2576
Plastique-2900 Plastique-2900
Plastique-Invader Plastique-Invader
PLO 1813
POLIMER POLIMER
Polimer-2 POLIMER
Pretoria JUNE16
Print Screen PrtSc
PrtSc PrtSc
Prudents Prudents-1210
Prudents-1210 Prudents-1210
PSQR PSQR-1720
PSQR-1720 PSQR-1720
Raubkopi Raubkopi
Red X Ambulance
RPVS 453
Russian 1813
SADAM SADAM
San Diego Stoned
Saratoga Iceland II, Saratoga 1, Saratoga 2, December 24th
Saratoga 1 Saratoga 1
Saratoga 2 Saratoga 2
Saratoga 3 Iceland II
SAT14 Saturday 14th
Saturday 14th Saturday 14th
Saturday-the-14th Saturday 14th
Scott's Valley Slow-2131
Search Den Zuk
Second Austrian 1704
Seoul Yale
Shake Shake
Shoe Brain-Shoe
Shoe_Virus Brain-Shoe
Slow Slow
Slow-2131 Slow-2131
Smiley Worm Smiley Worm
Smithsonian Stoned
Solano Solano
South African Friday the 13th COM
Sparse Sparse
STAF STAF
Stardot-600 Stardot-600
Stardot-789 Stardot-789
Stardot-801 Stardot-801
Stealth 4096, EDV, Fish 6, Joshi, Murphy 1
Stoned Stoned
Stoned 2 Stoned 2
Stoned-Alberta Stoned-Alberta
Stoned-ZAPPED Stoned-ZAPPED
Stupid Do-Nothing
Stupid-2 Do-Nothing 2
sUMsDos 1813
Sunday Sunday,Sunday 2
Sunday 2 Sunday 2
Suomi Suomi
SuperHacker Talentless Jerk
sURIV 1.01 April 1st COM
sURIV 2.01 April 1st EXE
sURIV 3.00 sURIV 3.00
Suriv A April 1st COM, April 1st EXE
Suriv B sURIV 3.0
SURIV01 April 1st COM
SURIV02 April 1st EXE
SURIV03 sURIV 3.00
SVIR SVIR
Swap Falling Letters Boot
Swedish Disaster Swedish Disaster
Sylvia Sylvia
SYSLOCK SYSLOCK
System Iceland II
T1 1813 (Not differentiated by VIRSCAN)
Taiwan 1 Taiwan
Taiwan Taiwan, Taiwan 2
Taiwan 2 Taiwan 2
Taiwan 3 Plastique-2900
Taiwan 4 Plastique-2576
Talentless Jerk Talentless Jerk
Telecom Telecom
TELEFONICA Campana
Ten Bytes 9800:0000
TenBytes 9800:0000
Tequila Tequila
Thanksgiving 1253
Tiny-134 Tiny-134
Tiny-138 Tiny-138
Tiny-143 Tiny-143
Tiny-154 Tiny-154
Tiny-156 Tiny-156
Tiny-158 Tiny-158
Tiny-159 Tiny-159
Tiny-160 Tiny-160
Tiny-163 Kennedy-163
Tiny-167 Tiny-167
Tiny-198 Tiny-198
Toothless W13-A, W13-B
TP06VIR TP06VIR
TP16VIR TP16VIR
TP23VIR TP23VIR
TP24VIR TP24VIR
TP25VIR TP25VIR
TP33VIR TP33VIR
TP34VIR TP34VIR
TP39VIR Yankee Doodle-2772
TP41VIR TP41VIR
TP42VIR TP42VIR
TP44VIR Yankee Doodle-2885
TP45VIR TP45VIR
TP46VIR TP46VIR
Traceback Traceback-2930, Traceback-3066
Traceback II Traceback-2930
Traceback-2930 Traceback-2930
Traceback-3066 Traceback-3066
TUQ 453
Turbo-448 Turbo-448
Turbo-Kukac Turbo-Kukak
Turin Bouncing Ball
Typo Fumble-867, Typo Boot
Typo Boot Typo Boot
Typo COM Fumble-867
UIUC Brain-Ashar
UIUC Brain-Shoe
Unesco Vienna-648
V-277 Pixel-277
V-299 Pixel-299
V-345 Pixel-345
V-Alert 9800:0000
V1024 V1024
V1277 Murphy 1
V1539 XA1
V2000 V2000
V2100 Dark Avenger-2100
V2P1 Washburn-1260, Washburn-V2P2 or Washburn-Casper
V2P2 Washburn-1260, Washburn-V2P2 or Washburn-Casper
V512 V512
V512-B V512-B
V512-C V512-C
V512-D V512-D
V651 Eddie-651
V800 V800
VACSINA VACSINA
Vacsina-39 virus Yankee Doodle-2772
Vacsina-44 virus Yankee Doodle-2885
VBASIC 5120
VCOMM 637
VCS 1.0 VCS 1.0
Venezuelan Den Zuk
Vera Cruz Bouncing Ball
VHP-348 VHP-348
VHP-353 VHP-353
VHP-367 VHP-367
VHP-435 VHP-435
VHP-623 VHP-623
VHP-627 VHP-627
Victor Victor
Vienna Vienna-648
Vienna (DOS62) Version B Vienna-648
Vienna-535 Vienna-535
Vienna-646 Vienna-646
Vienna-648 Vienna-648
Vienna-Choinka Vienna-Choinka
Vienna-Ghost Vienna-Ghost
Vienna-Ira Vienna-Ira
Vienna-Lisbon Vienna-Lisbon
Vienna-Monxla Vienna-Monxla
Vienna-Viola Vienna-Viola
Vienna-Viola B4 Vienna-Viola B4
Viola Vienna-Viola
Viola B4 Vienna-Viola B4
Violator Vienna-Viola
VIR13J July 13th
VIRDEM VIRDEM
VIRDEM 2 VIRDEM 2
VIRUS-90 VIRUS-90
Virus-B Friday the 13th COM
VP VP
Vriest Vriest
W13 W13-A, W13-B
W13-A W13-A
W13-B W13-B
Washburn-Casper Washburn-1260, Washburn-V2P2 or Washburn-Casper
Weinacht XA1
Westwood 1813-Westwood
Whale Whale
Whale-B Whale-B
Wisconsin Wisconsin
XA1 XA1
XA1 (1539) Christmas XA1
Yale Yale
Yale Boot Yale
Yankee 2 Yankee-1961
Yankee Doodle Yankee Doodle-2885, Yankee Doodle-2772
Yankee Doodle-2772 Yankee Doodle-2772
Yankee Doodle-2885 Yankee Doodle-2885
Yankee-1961 Yankee-1961
Yaunch Yaunch
Z the Whale Whale
ZAPPER Stoned-ZAPPED
ZBug 1536
Zero Bug 1536
Zero Hunt Zero Hunt
Zero Hunt-B Zero Hunt-B
Zerotime SLOW
ZK-900 ZK-900