Night Owl 6

home *** CD-ROM | disk | FTP | other *** search

/ Night Owl 6 / Night Owl's Shareware - PDSI-006 - Night Owl Corp (1990).iso / 030a / ibmvirus.zip / VIRSCAN.DOC < prev next >

Wrap

Text File | 1991-08-08 | 104KB | 2,415 lines

The IBM Anti-Virus Product Version 2.1.2 Copyright (c) IBM Corporation 1989, 1990, 1991. All rights reserved. 1.0 TABLE OF CONTENTS ______________________ 2.0 INTRODUCTION TO THE IBM VIRUS SCANNING PROGRAM 2.1 How to Use the IBM Virus Scanning Program 2.2 The IBM Virus Scanning Program: Capabilities and Limitations 2.3 Files Associated with the IBM Anti-Virus Product 3.0 SAFE USE OF THE IBM VIRUS SCANNING PROGRAM 3.1 Safely Using the IBM Virus Scanning Program 3.2 Safely Creating a Bootable Diskette 3.3 Safely Copying the IBM Virus Scanning Program 3.4 Examples of Output from the IBM Virus Scanning Program 3.4.1 Scanning an Uninfected System 3.4.2 Scanning an Infected System 3.4.3 If VIRSCAN.EXE Has Been Accidentally Modified 3.4.4 If VIRSIG.LST Has Been Accidentally Modified 3.4.5 If VIRSCAN.MSG Has Been Accidentally Modified 4.0 TECHNICAL DETAILS 4.1 Operating Systems 4.2 What The IBM Virus Scanning Program Checks 4.3 The Format of the Signature Files 4.3.1 Scanning Files 4.3.2 Scanning Boot Records 4.4 Adding More Virus Signatures 4.5 Command-Line Options 4.6 Values of ERRORLEVEL Returned 4.7 Limitations 4.7.1 The IBM Virus Scanning Program Is Not a Cure-All 4.7.2 The IBM Virus Scanning Program Does Not Remove Viruses 4.7.3 The IBM Virus Scanning Program May Not Find Viruses in Archives 4.7.4 Scanning Boot Sectors 4.8 Common Problems 4.8.1 Systems With Damaged Directory Trees 4.8.2 Incompatible Versions of PC-DOS and COMMAND.COM 4.8.3 Limitation When Scanning Boot Records of Network Drives 4.8.4 False Alarms When Scanning Memory 5.0 VIRUSES DETECTED BY THE IBM VIRUS SCANNING PROGRAM 5.1 Virus List and Characteristics 5.2 Cross-Reference of Common Virus Names 2.0 INTRODUCTION TO THE IBM VIRUS SCANNING PROGRAM ___________________________________________________ This document describes the IBM Virus Scanning Program version 2.1.2, which is part of the IBM Anti-Virus Product version 2.1.2. This section provides an introduction to using the program. Later sections describe further technical details. 2.1 HOW TO USE THE IBM VIRUS SCANNING PROGRAM ______________________________________________ The IBM Virus Scanning Program can be used to test files and boot sectors on disks for patterns that are found in some common PC-DOS computer viruses. To scan for these viruses on the C: drive, for instance, type the following at the DOS or OS/2 command prompt: VIRSCAN C: To scan a diskette in the A: drive, for instance, type the following: VIRSCAN A: For further instruction on the program, and to view the on-line help, simply type VIRSCAN without any arguments. Type VIRSCAN ? for a short description of the available command line options. Type VIRSCAN ?? for some usage examples. We recommend that the IBM Virus Scanning Program be run only after cold-booting your system from a write-protected diskette. This is the safest way to ensure that a virus infection does not interfere with the scan. See "Safely Using the IBM Virus Scanning Program" for further details. 2.2 THE IBM VIRUS SCANNING PROGRAM: CAPABILITIES AND LIMITATIONS _________________________________________________________________ This program is designed to detect many common PC-DOS computer viruses. It is used internally by IBM to detect computer viruses. It scans boot records and executable files, looking for signatures of viruses known to IBM when this version of the program was made available. A signature is a bit pattern that is found in a particular virus. The virus signatures were obtained by performing "reverse engineering" on virus samples. The files that are scanned by this program must be in their native executable form (e.g., not encrypted and not packed) in order for the signatures to be found. The IBM Virus Scanning Program does *not* remove viruses, inhibit virus propagation, or recover from any damage caused by viruses to programs or data. It simply scans files looking for bit patterns matching the virus signatures. There may be viruses that currently exist, or that will exist in the future, that this program will not detect. We know of no available, guaranteed solution to the computer virus problem. For this reason, we recommend that you continue to perform regular backups of your data, and exercise caution in acquiring and using software. 2.3 FILES ASSOCIATED WITH THE IBM ANTI-VIRUS PRODUCT _____________________________________________________ There are five files distributed with the IBM Anti-Virus Product. You should verify that each one has the length stated below, and not use the IBM Anti-Virus Product if any are different. VIRSCAN.EXE This is the executable file for the IBM Virus Scanning Program. It is 74,863 bytes long. VIRSIG.LST This file contains signatures for viruses. These are viruses of which IBM was aware at the time the program was distributed. This file must be located in the same directory as VIRSCAN.EXE. It is 68,411 bytes long. VIRSCAN.MSG This file contains message text used by VIRSCAN. This file must be located in the same directory as VIRSCAN.EXE. It is 23,034 bytes long. READ.ME This file contains the IBM License Agreement for the IBM Anti-Virus Product. It is 6,876 bytes long. VIRSCAN.DOC This is the document you are currently reading. It is 104,485 bytes long. In addition, you may create two other files which can be used by VIRSCAN. The file ADDENDA.LST can contain signatures for additional viruses. See "Adding More Virus Signatures" (below) for more details on this file. The file LOCAL.MSG can contain a message (up to 10 lines long) that will be displayed at program termination if any virus signatures were found. See "Scanning an Infected System" (below) for more details on this file. 3.0 SAFE USE OF THE IBM VIRUS SCANNING PROGRAM _______________________________________________ You should be careful when copying and using the IBM Virus Scanning Program. The procedures in this section will help you create diskettes containing the IBM Virus Scanning Program, minimizing the chance of contaminating them with viruses. This section will also help you use the IBM Virus Scanning Program most effectively. 3.1 SAFELY USING THE IBM VIRUS SCANNING PROGRAM ________________________________________________ We recommend running the IBM Virus Scanning Program only after cold-booting your PC or PS/2 from a write-protected diskette that is known to be virus-free. It is possible to use the IBM Virus Scanning Program without cold-booting your system from a virus-free diskette. If this is done, however, it is possible for a virus to be active in your system during the scan. This could potentially cause the IBM Virus Scanning Program to miss the presence of a virus in your system. It is also possible to run the IBM Virus Scanning Program from a hard disk rather than a write-protected floppy diskette. If this is done, however, it is possible for the IBM Virus Scanning Program itself to become infected with a virus. While there are features in the IBM Virus Scanning Program to help detect these conditions, it is always safest to cold-boot your system from a virus-free diskette. The procedure for cold-booting your system from a diskette containing the IBM Virus Scanning Program, and scanning the C: drive (for instance), is as follows. 1. Cold-boot your system from your write-protected, virus-free diskette containing the IBM Virus Scanning Program. a. Turn your PC or PS/2 off. b. Insert your write-protected, bootable diskette containing the IBM Virus Scanning Program. (See "Safely Creating a Bootable Diskette" for instructions on creating this virus-free diskette.) c. Turn your PC or PS/2 on and let it boot from the A: drive. 2. Scan any hard disks or floppy diskettes that you wish to check by typing (for instance): VIRSCAN C: 3.2 SAFELY CREATING A BOOTABLE DISKETTE ________________________________________ We recommend running the IBM Virus Scanning Program only after cold-booting your PC or PS/2 from a diskette is known to be virus-free; this procedure is for creating such a virus-free bootable diskette. We assume here that you will be formatting your new diskette in the A: drive. If not, you should modify the "FORMAT" step (2) that follows. We also assume that you either have a non-bootable diskette in the B: drive containing all of the files necessary to run the IBM Virus Scanning Program, or have downloaded all of these files (and only these files) into the directory C:\VIRSCAN. If you have put these files elsewhere, you should modify the "COPY" step (3) that follows. 1. Cold-boot your system. This is important to ensure that no virus is active when you copy the IBM Virus Scanning Program. a. Turn your PC or PS/2 off. b. Insert your original manufacturer's write-protected PC-DOS diskette into the A: drive. If you are using DOS 4.0, use the "install" diskette. c. Turn your PC or PS/2 on and let it boot from the A: drive. If you are using DOS 4.0 from the "install" diskette, press the "Esc" key and then the "F3" key to end the install process. 2. At the DOS prompt, type: FORMAT A: /S and follow the prompts to format a new diskette. Note: If you are using DOS 4.0, you may wish to create an AUTOEXEC.BAT file that automatically installs the SHARE program when a PC or PS/2 is booted from this diskette. If you are planning to use the diskette to scan disk partitions that are greater than 32 megabytes in size, then you *must* use DOS 4.0 and SHARE.EXE. Refer to your PC-DOS manual for further instructions. 3. Copy the files necessary to run the IBM Virus Scanning Program to the A: diskette. o If these files are on a diskette in the B: drive, type the following at the DOS prompt: COPY B:\*.* A:\ and follow the prompts on the screen to copy the contents of the diskette containing the IBM Virus Scanning Program to the A: diskette. o If you have downloaded these files to the directory C:\VIRSCAN, type the following at the DOS prompt: COPY C:\VIRSCAN\*.* A:\ and follow the prompts on the screen to copy the contents of the subdirectory containing the IBM Virus Scanning Program to the A: diskette. 4. Remove the new diskette and write-protect it with a write-protect tab (on a 5.25" diskette) or by moving the write protect switch (on a 3.5" diskette) so that you can see through the hole located in the bottom right while looking at the back of the diskette. We recommend leaving this diskette write-protected at all times. This is important to prevent the diskette from becoming infected with a virus at a later time. 5. To test your new, bootable diskette, turn your PC or PS/2 off, insert your new, bootable diskette in the A: drive, turn your PC or PS/2 on and let it boot from the A: drive. At the DOS prompt, type: VIRSCAN A: 6. If the IBM Virus Scanning Program tells you that a virus is present on the A: drive, or that any of the files have been modified, do *not* use the diskette!! The files may not have been installed correctly on the diskette, or it may be infected with a virus. Go back to the beginning of this procedure and follow the steps very carefully to install the files on your diskette. If, after repeated attempts, the IBM Virus Scanning Program continues to tell you that something is wrong with the diskette, contact competent technical personnel for help. 3.3 SAFELY COPYING THE IBM VIRUS SCANNING PROGRAM __________________________________________________ The following procedure is for making a copy of a bootable diskette containing the IBM Virus Scanning Program. 1. Cold-boot your system. This is important to ensure that no virus is active when you copy the IBM Virus Scanning Program. a. Turn your PC or PS/2 off. b. Insert your original manufacturer's write-protected PC-DOS diskette into the A: drive. If you are using DOS 4.0, use the "install" diskette. c. Turn your PC or PS/2 on and let it boot from the A: drive. If you are using DOS 4.0 from the "install" diskette, press the "Esc" key and then the "F3" key to end the install process. 2. At the DOS prompt, type: DISKCOPY A: B: and follow the prompts on the screen to copy the contents of the original the IBM Virus Scanning Program diskette (the source diskette) to a new diskette (the target diskette). 3. Remove the new diskette and write-protect it with a write-protect tab (on a 5.25" diskette) or by moving the write protect switch (on a 3.5" diskette) so that you can see through the hole located in the bottom right while looking at the back of the diskette. This is important to prevent the diskette from becoming infected with a virus at a later time. We recommend leaving this diskette write-protected at all times. This is important to prevent the diskette from becoming infected with a virus at a later time. 4. Scan the new diskette by reinserting it into the A: drive and typing at the DOS prompt: VIRSCAN A: 5. If the IBM Virus Scanning Program tells you that a virus is present on the A: drive, or that any of the files have been modified, do *not* use the diskette!! The files may not have been copied correctly to the diskette, or it may be infected with a virus. Go back to the beginning of this procedure and follow the steps very carefully to copy the diskette. If, after repeated attempts, the IBM Virus Scanning Program continues to tell you that something is wrong with the diskette, contact competent technical personnel for help. 3.4 EXAMPLES OF OUTPUT FROM THE IBM VIRUS SCANNING PROGRAM ___________________________________________________________ The IBM Virus Scanning Program always displays the following banner when it scans for viruses. ---------------------------------------------------------------------- The IBM Virus Scanning Program Version 2.1.2 (c) Copyright International Business Machines Corporation 1989, 1990, 1991 Licensed Material - Program Property of IBM, All Rights Reserved. NOTICE TO USERS For users in the United States and Puerto Rico: THE IBM VIRUS SCANNING PROGRAM IS LICENSED "AS IS." Your use of this program is subject to the IBM Program License Agreement for the IBM Virus Scanning Program, which is set out in the "READ.ME" file distributed with this program. For users outside the United States and Puerto Rico: See your IBM representative or IBM authorized supplier for contract terms. Press Y to accept the license agreement, or press any other key to exit. ---------------------------------------------------------------------- 3.4.1 SCANNING AN UNINFECTED SYSTEM ____________________________________ When you use the IBM Virus Scanning Program to scan a disk or diskette that does not contain viruses, it will display the banner, then something similar to the following. ---------------------------------------------------------------------- Starting virus scan on Thu Feb 08 09:18:43 1991 Scan completed. 24 files were scanned. 1 system boot sector was scanned. 1 master boot record was scanned. System memory was scanned for dangerous and/or well hidden resident viruses. Total bytes scanned = 2661470, in 26 seconds. No viruses listed in the signature files were found. ---------------------------------------------------------------------- This indicates that none of the scanned files or boot records contained any of the virus signatures listed in the signature files. 3.4.2 SCANNING AN INFECTED SYSTEM __________________________________ If the IBM Virus Scanning Program finds any of the signatures listed in the signature files, it will display the name of the files or boot sectors in which they were found, as well as the signatures found and the name of the viruses to which they correspond. The total number of viral signatures that were found is displayed when the program exits. Here is a sample run, where the IBM Virus Scanning Program found a virus signature. ---------------------------------------------------------------------- Starting virus scan on Thu Feb 08 09:18:43 1991 Found signature in (C:\UTIL\PAPAYA.COM) This file may be infected with the 1813 virus. (Continuing Scan) Scan completed. 24 files were scanned. 1 system boot sector was scanned. 1 master boot record was scanned. System memory was scanned for dangerous and/or well hidden resident viruses. Total bytes scanned = 2661470, in 26 seconds. 1 Viral signature found in 1 object. ---------------------------------------------------------------------- After all other messages are displayed, if the IBM Virus Scanning Program can find a file called "LOCAL.MSG", in the same directory as "VIRSCAN.EXE", it will display lines from that file, up to a maximum of 10 lines. If the IBM Virus Scanning Program finds signatures of any viruses, it is very likely that the indicated objects are infected with those viruses. You should get expert technical help immediately, to clean up the infection. 3.4.3 IF VIRSCAN.EXE HAS BEEN ACCIDENTALLY MODIFIED ____________________________________________________ The IBM Virus Scanning Program checks the program file VIRSCAN.EXE to verify that it has not been modified. (This may happen accidentally, or it may indicate that VIRSCAN.EXE has been infected with a virus.) If it has been modified for any reason, the IBM Virus Scanning Program will display the following message: ---------------------------------------------------------------------- The program (A:\VIRSCAN.EXE) has been modified. This may be due to a virus, or to other causes. Scan terminated early due to error ---------------------------------------------------------------------- In this event, an original (unmodified) copy of VIRSCAN.EXE should be used to replace the modified copy. If, after it is replaced, the IBM Virus Scanning Program continues to tell you that something is wrong, it is possible that your original copy of VIRSCAN.EXE was damaged. Contact competent technical personnel for help. 3.4.4 IF VIRSIG.LST HAS BEEN ACCIDENTALLY MODIFIED ___________________________________________________ The IBM Virus Scanning Program also checks the file VIRSIG.LST to verify that it has not been modified. If it has been modified for any reason, the IBM Virus Scanning Program will inform you, then it will terminate. If VIRSIG.LST has been modified, a message similar to the following will be displayed. ---------------------------------------------------------------------- Starting virus scan The file (A:\VIRSIG.LST) has been modified. Scan terminated early due to error ---------------------------------------------------------------------- If the signature file has been modified, it should be replaced with an original (unmodified) copy. If, after it is replaced, the IBM Virus Scanning Program continues to tell you that something is wrong, it is possible that your original copy of the signature file was damaged. Contact competent technical personnel for help. 3.4.5 IF VIRSCAN.MSG HAS BEEN ACCIDENTALLY MODIFIED ____________________________________________________ The IBM Virus Scanning Program also checks the file VIRSCAN.MSG to verify that it has not been modified. If it has been modified for any reason, the IBM Virus Scanning Program will inform you, then it will terminate. If VIRSCAN.MSG has been modified, a message similar to the following will be displayed. ---------------------------------------------------------------------- The file (A:\VIRSCAN.MSG) has been modified. Scan terminated early due to error ---------------------------------------------------------------------- If the message file has been modified, it should be replaced with an original (unmodified) copy. If, after it is replaced, the IBM Virus Scanning Program continues to tell you that something is wrong, it is possible that your original copy of the message file was damaged. Contact competent technical personnel for help. 4.0 TECHNICAL DETAILS ______________________ This section describes further technical details of the IBM Virus Scanning Program. While it is not necessary to read this section to use the program in simple situations, we recommend that you familiarize yourself with it, so that you understand the operation of the program more completely. 4.1 OPERATING SYSTEMS ______________________ The IBM Virus Scanning Program will run in the following operating systems: o PC-DOS versions 2.0, 2.1, 3.0, 3.1, 3.2, 3.3, 4.0 and 5.0. o OS/2, both Standard Edition and Extended Edition, versions 1.0, 1.1, 1.2, and 1.3. It supports both the DOS ("FAT") file system and OS/2's High Performance File System. It will run in an OS/2 Presentation Manager window and in OS/2's DOS compatibility box. 4.2 WHAT THE IBM VIRUS SCANNING PROGRAM CHECKS _______________________________________________ The IBM Virus Scanning Program checks to make sure that it is operating properly, and then checks for viruses. Specifically, it checks your system in the following sequence (though there are command-line options that can alter this): 1. The executable file VIRSCAN.EXE is checked to ensure that it has not been modified. If it has been modified, it may indicate that it has been accidentally changed, or that it has been infected by a virus. The program will not continue if it has been modified. 2. The file VIRSCAN.MSG is checked to ensure that it has not been modified. (Precisely, this step actually occurs when the first message is displayed.) If VIRSCAN.MSG has been modified, the IBM Virus Scanning Program will not continue. 3. The file VIRSIG.LST is checked to ensure that it has not been modified. If VIRSIG.LST has been modified, the IBM Virus Scanning Program will not continue. 4. When run under PC-DOS (or in the DOS compatibility box of OS/2), system memory is scanned for resident viruses. 5. Files are scanned for viruses. The default is to scan EXE, COM, OV?, INI, SYS, and BIN files. Boot records are scanned for viruses. The default is to scan the system boot sector of any specified drives, and the master boot record of the first hard drive if any drive letter C: or higher is specified. These defaults can be changed by command-line options. 4.3 THE FORMAT OF THE SIGNATURE FILES ______________________________________ The IBM Virus Scanning Program uses the signatures found in the file VIRSIG.LST. and (if it is present) ADDENDA.LST to scan for viruses. Both of these files must be in the same directory as VIRSCAN.EXE. Both of these files has the same basic format: o Comment lines have an asterisk ("*") as their first character. The IBM Virus Scanning Program does not use these lines in its virus scan. (The entire contents of VIRSIG.LST, including comment lines, is checked during self-test to ensure that it has not been modified. The file ADDENDA.LST is not checked.) Comment lines are used to give additional, human-readable comments about the information in the signature files. o One of the comment lines at the beginning of the file VIRSIG.LST contains the string "CRCVMARK" followed by eight hexadecimal digits. This line is used by the IBM Virus Scanning Program to ensure that these files have not been modified. This line is not used in ADDENDA.LST. o The body of the file consists of entries that tell the IBM Virus Scanning Program what to do for each virus. Each entry is made up of three lines: 1. A hexadecimal string, which is the string that the IBM Virus Scanning Program looks for in order to determine that this particular virus is contained in the file. We recommend that you use at least 24 hexadecimal digits (that is, at least 12 bytes) in any signature that you add to ADDENDA.LST, and more whenever possible. Shorter signatures have a larger chance of being found in normal programs which are not infected with any virus, leading to false reports of viruses. The signature should be taken from a code area of the virus, rather than a data area, to minimize the possibility of false alarms. We also recommend that you test any new signatures against a number of programs before using them widely, to ensure that no common programs give false alarms for the signature. Two question mark characters ("??") may be used in place of a pair of hexadecimal characters representing a signature byte. This indicates that the specified byte position in the signature string may have any value. Don't count these "don't care" bytes when following the signature length guidelines in the previous paragraph. If a signature string has any "??" substrings in it, no scan for variations on the signature will be performed, even if the "-m" command line option is used. If a signature string has any "??" strings in it, any "FF" values in the signature string will be treated as "don't care" bytes. A "%N" sequence, where 'N' is a single hexadecimal digit, may also be used in place of a pair of hexadecimal characters representing a signature byte. This tells virscan that 0 to N arbitrary filler bytes may be at that position in a real virus, and that they should be ignored. For example, "ABCD77%4888C5A31663499001277" tells virscan that it should search for the hex string "ABCD77", followed by zero to 4 arbitrary bytes, followed by the rest of the search string. Don't count these "don't care" bytes when following the signature length guidelines. If a signature string has any "%" characters in it, no scan for variations on the signature will be performed, even if the "-m" command line option is used. If a signature string has any "%" characters in it, any "FE" values in the signature string will be treated as "don't care" bytes. 2. A message that is displayed if the string is found in the specified files, to indicate that the virus was found. The text of this message can be in either upper or lower case. If the message contains a %s, the %s will be replaced with a message appropriate for the object in which the virus signature was found. For instance, if the virus signature was found in a file, the %s would be replaced with "This file may be infected with". 3. A line containing one or more strings which indicate what the IBM Virus Scanning Program should do if the signature is found. COM Used to tell the IBM Virus Scanning Program that it should expect to find this signature in COM files. (Currently this string is not used, and the IBM Virus Scanning Program will display the indicated message if the signature is found in any file or boot sector.) EXE Used to tell the IBM Virus Scanning Program that it should display the indicated message if the signature is found in a file which has an EXE header. The IBM Virus Scanning Program will not display messages for signatures found in files with EXE headers unless the "EXE" string is specified. The IBM Virus Scanning Program does not rely on the filetype being .EXE to determine this. Instead, it checks to see if the file's first two bytes are hexadecimal 4D and 5A, which are the first two bytes of an EXE header. (If the "-G" option is specified on the command line, the indicated message will be displayed no matter where the signature is found.) Offset The next string after "Offset" (delimited by blanks) must be a numeric string, and is used as an integer offset into the object (file or boot sector) at which the virus signature is expected to be found. If the signature is found elsewhere, the indicated message will not be displayed. (If the "-G" option is specified, the indicated message will be displayed no matter where the signature is found.) Boot Used to tell the IBM Virus Scanning Program that it should expect to find this signature in boot records. By default, the IBM Virus Scanning Program won't display messages for "boot" signatures found in files unless the "COM" or "EXE" keywords are used (on the same line as "Boot"). (If the "-G" option is specified on the command line, the indicated message will be displayed no matter where the signature is found.) Pause if found Used to tell the IBM Virus Scanning Program to pause with a dire warning the first time during a scan that the signature is found in system memory, or if the system memory scan has been bypassed using option "-nms", the first time that the signature is found in a file. If you encounter this warning, you should make very certain that you are executing the IBM Virus Scanning Program after having cold-booted from a write-protected DOS diskette containing the IBM Virus Scanning Program, which has been certified to be free of viruses. Otherwise, the dire warning indicates that continuing the scan may result in corruption of other files by a virus. (No pause will occur if the IBM Virus Scanning Program is run in an OS/2 protect mode session.) Scan memory This tells the IBM Virus Scanning Program to report any instances of this virus that it finds as it scans system memory. It is used for viruses which can cause significant problems if they are resident in system memory when the IBM Virus Scanning Program is executed. (If the "-G" option is specified, the indicated message will be displayed if *any* of the signatures is found in system memory. This is not done as the default behavior because signatures can be left in system memory by other programs, particularly other virus scanners, even though no viruses are resident.) No mutants This tells the IBM Virus Scanning Program to not search for variations on this virus even when the "-M" option is used. If a signature is found to be prone to false alarms (most likely when the "-M" option is used), this keyphrase will eliminate these false alarms. For example, suppose that you discover a new virus, which you call the "Purple Virus." You have determined that the string EA6061626364786566676869716A6B6C6D6E516FC0C1C8C958D6F1 appears in every copy of the virus, that the virus infects boot sectors, and that the virus installs a resident extension that tries to hide the infection from virus detectors. You could add the following lines to your ADDENDA.LST file to scan for this virus: (Naturally, this is just an example, not a real virus. Please don't use this signature or entry.) ---------------------------------------------------------------------- * * Entry for the non-existent Purple virus (just an example). * EA6061626364786566676869716A6B6C6D6E516FC0C1C8C958D6F1 A boot record of this disk may have the Purple virus. (Boot records, Scan memory.) ---------------------------------------------------------------------- To view VIRSIG.LST, use the TYPE command to display the file on your monitor, or use the PRINT command to print it on your printer. If you wish to view VIRSIG.LST with an editor, make a copy of the file and edit the copy. Some editors make subtle changes to files. The IBM Virus Scanning Program will detect changes in VIRSIG.LST, and refuse to run if it is changed. 4.3.1 SCANNING FILES _____________________ VIRSIG.LST contains the virus signatures, including signatures for viruses that can infect executable files. Its format is described in the preceding section entitled "The Format of the Signature Files". By default, the IBM Virus Scanning Program scans files of type .EXE, .COM, .OV?, .INI, .BIN, and .SYS. This can be changed with command line options. 4.3.2 SCANNING BOOT RECORDS ____________________________ VIRSIG.LST also contains signatures for viruses that can infect boot records of diskettes and hard disks, and for viruses that can infect both files and boot records. The IBM Virus Scanning Program will test system boot sectors of any drives that are specified, and will test the master boot record of the first hard drive if a drive letter C: or higher is specified. There are also command line options to scan any particular drive for boot sector viruses. System boot sectors are sometimes known as partition boot sectors or DOS boot sectors. The master boot record contains the partition table for a physical hard disk. Reference "Limitations" for further technical details about scanning boot sectors. 4.4 ADDING MORE VIRUS SIGNATURES _________________________________ If you want the IBM Virus Scanning Program to scan for signatures other than those in VIRSIG.LST, you should create a file called ADDENDA.LST and put the new signatures in this file. ADDENDA.LST must be placed in the same directory as VIRSCAN.EXE in order for the IBM Virus Scanning Program to find it. If the IBM Virus Scanning Program can find an ADDENDA.LST file, it will load it along with VIRSIG.LST. You can use the "-V" option to verify that the IBM Virus Scanning Program is loading your ADDENDA.LST file correctly. ADDENDA.LST (if it exists) has the same format as VIRSIG.LST. ADDENDA.LST is not checked for modifications. 4.5 COMMAND-LINE OPTIONS _________________________ Options to the IBM Virus Scanning Program may be specified on the command line as follows: VIRSCAN [options] [options] may be specified in any order, in upper or lower case, and may consist of one or more of the following. -A Scan all files on the indicated drives. This is useful when you are cleaning up after a virus infection, to check absolutely every file on a drive for the presence of viruses. (See the "-G" option, which is also useful during cleanup.) The following will scan all files on the C: and D: drives: VIRSCAN C: D: -A By default, the IBM Virus Scanning Program only scans files of type EXE and COM, and boot sectors, on specified disks. -B Scan a boot sector. If a logical drive letter is specified (e.g. -BC:), then the system boot sector of the drive is scanned. If a physical drive number is specified (e.g. -B80), then the master boot record of the drive is scanned. The following scans only the system boot sector of the C: drive: VIRSCAN -BC: The following scans only the master boot record of physical drive 80, which is the first physical hard disk. VIRSCAN -B80 By default, the IBM Virus Scanning Program scans the system boot sector of specified drives (see the description of the "path" that follows), and the master boot record of the first hard drive if drive C: or above is specified. -C Continue scan if there is an error opening a file for scanning. In some operating environments, a few files may be locked for some reason. If the IBM Virus Scanning Program is failing because it can't open such a file, use this option to force the IBM Virus Scanning Program to continue the scan. -CAD Continue if access denied. If this option is used, the IBM Virus Scanning Program will continue the scan even if it is unable to scan a particular subdirectory tree because access was denied. -E Do not scan boot sectors unless explicitly specified with the -B option. This is useful if there is a problem scanning the boot sector of a drive (for instance, a network drive). If this option is used, the IBM Virus Scanning Program will not find boot sector viruses unless the -B option is used. -G The Guru option, for use primarily by technically inclined users. By default, the IBM Virus Scanning Program only reports signatures found in places where it expects them. For instance, signatures that are not specified as EXE file signatures in the signature file are not reported if they are found in EXE-type files (that is, files that have EXE headers). If an offset for a signature is specified in the signature file, it will not be reported if it is found at another location. If the "Scan memory" keyphrase is not specified in the signature file, the signature will not be reported if it is found in memory. The Guru option tells the IBM Virus Scanning Program to report a signature no matter where it is found. This is useful in cleaning up after a virus infection, to make sure that you have scanned absolutely everything that could be harboring a copy of the virus. It can cause false alarms, though, for instance when remnants of infected files remain in memory even though they are not dangerous. (See the "-A" option, which is also useful during cleanup.) -H Help. A brief summary of the command-line options is displayed. -L Scan the files listed in the specified file for viral signatures. The specified file should contain one filename per line. The files to be scanned may be specified relative to the current drive and directory, or may be given fully qualified pathnames. The following scans the files listed in FILES.DAT for viral signatures: VIRSCAN -LFILES.DAT -M Maybe detect mutants. This tells the IBM Virus Scanning Program to try to detect small variations on the viruses listed in the signature files. Virus signatures are broken into random fragments, and the IBM Virus Scanning Program will scan for the fragments as well as for the original signatures. Additionally, this option tells the IBM Virus Scanning Program to report *all* signatures that are partially matched. the IBM Virus Scanning Program doesn't require that all bytes in a a long signature be matched; the number of mismatched bytes allowed is a function of the length of a signature; the longer the signature, the more mismatched bytes are allowed. By default, if the IBM Virus Scanning Program finds one or more partial match (and no complete matches) it will report the closest partial match. If this option is used, the IBM Virus Scanning Program will report *all* partial matches. There is a small possibility of false alarms if this option is used, since short fragments may be found in files which do not contain viruses. So, use this option with care, and be prepared to investigate in more detail any reports of signatures found. By default, the IBM Virus Scanning Program uses the entire signature string in the scan. -MEM Scan system memory By default, the IBM Virus Scanning Program will scan memory before it scans anything else. The -mem switch tells the IBM Virus Scanning Program to scan memory even if it scans nothing else. Switches -nhms, -g and -m all modify the behavior of the memory scan. By default, the IBM Virus Scanning Program will only scan memory for certain viruses; if the -g switch is used, when the IBM Virus Scanning Program scans memory for viruses, it will scan for all of the viruses that it knows about. -NB No beep. By default, the IBM Virus Scanning Program will beep when a virus signature is found. This switch turns off the beep. If the both the -NB and -Z switch are used, -NB will not turn off the beeps at program termination; only the beeps issued when a virus signature is found are disabled. -NMBRS No master boot record scan. Do not scan the master boot record of the first hard drive unless explicitly specified with the -b option. This is useful if there is a problem scanning the master boot record for some reason, but other boot sectors can be scanned. If this option is used, the IBM Virus Scanning Program won't find master boot record viruses (such as the Stoned virus) on the first hard drive unless the -B option is used. (-B80 tells the IBM Virus Scanning Program to scan the master boot record of the first hard drive.) -NLA Do not display the banner containing the copyright notice and license agreement when scanning for viruses, and do not require the user to type "Y" before starting the scan. This is useful when running the IBM Virus Scanning Program from a BAT or CMD file that should not require user interaction. Your use of the IBM Virus Scanning Program is still subject to the terms and conditions set out in the license agreement for this program. (For users in the United States and Puerto Rico, these are set out in the READ.ME file distributed with this program. For users in other locations, see your IBM representative or IBM authorized supplier for contract terms.) See the "-Q" and "-QQ" options for related functions. -NHMS No high memory scan. Under PC-DOS, the IBM Virus Scanning Program scans system memory for indications of some resident viruses. This is because it is important for your system to be free of certain resident viruses when the IBM Virus Scanning Program is executed. This option disables the memory scan above absolute address A0000. That means that the first 640K will be scanned, but not the memory between 640K and 1MB. Most memory resident viruses install themselves in the first 640K. This option can be useful if you are having trouble with the memory scan, but we do not recommend its use in general. This option is slightly risky, because it may miss viruses installed in memory higher than the first 640K. -NMS No memory scan. Under PC-DOS, the IBM Virus Scanning Program scans system memory for indications of some resident viruses. This is because it is important for your system to be free of resident viruses when the IBM Virus Scanning Program is executed. This option disables the memory scan completely. It can be useful if you are having trouble with the memory scan, but we do not recommend its use in general. If you are having trouble with the memory scan, we suggest that you try "-nhms" first. Use this option at your own risk! -NMUT No mutant detection. By default, if the IBM Virus Scanning Program finds one or more partially matched signature strings (and no complete matches) it will report the closest partial match. If this option is used, the IBM Virus Scanning Program will not report partial matches. This is useful if false alarms are being encountered with the default mutant detection. -NP No progress indicator. By default, the IBM Virus Scanning Program displays the name of each file or boot sector as it is scanned, to give you an indication of what it is doing. This option tells the IBM Virus Scanning Program not to display these names. (It will continue to display the names of files or boot sectors containing any of the virus signatures.) This is useful if you are redirecting the output of the IBM Virus Scanning Program to a file and only want the summary of the scan. The following will produce a summary of a scan of the C: drive in the file VIRSCAN.OUT in the current directory, without the long list of all files that were scanned: VIRSCAN C: -NP > VIRSCAN.OUT -NST No self-test. By default, the IBM Virus Scanning Program verifies that VIRSCAN.EXE, VIRSIG.LST and VIRSCAN.MSG have not been modified, either accidentally or by a virus. This option disables the test. While the self-test takes a little time, it is an important aid in maintaining the integrity of the program and the signature files. Use this option at your own risk! -P Build a list of files that tested positive. This is useful if you want to have a list of infected files for use in a cleanup process. If no filename is specified, the default output file POSITIVE.VIR in the current directory will be used. The file will not be created unless one or more virus signatures are found. The following will scan the C: and E: drives, and put the names of any infected files into the file POSITIVE.VIR in the current directory: VIRSCAN E: C: -P The following will scan D:\MANGO and its subdirectories, and put the names of any infected files into the file C:\INFECTED.LST: VIRSCAN D:\MANGO -PC:\INFECTED.LST path Scan a PC-DOS or OS/2 logical drive or directory. (Also available as -Dpath) This is the most common option to specify to the IBM Virus Scanning Program. If you specify only a drive letter, the IBM Virus Scanning Program will scan the system boot sector of that drive, and all subdirectories on the drive. If you specify a path, the IBM Virus Scanning Program will scan the directory specified by that path, and all of its subdirectories. If a drive letter is given as part of the path specification, its system boot sector will be scanned as well. If drive C: or above is specified (e.g. C:, D:, E:, etc.), the master boot record of the first hard drive will be scanned. The following two commands are equivalent, and will scan the master boot record on physical drive 80, the system boot sector on the C: drive, and all subdirectories on the C: drive: VIRSCAN C: VIRSCAN -DC: The following scans the subdirectory \LIME\GUAVA on drive D:, all of its subdirectories, as well as the master boot record of physical drive 80 and the system boot sector of drive D: VIRSCAN D:\LIME\GUAVA The following scans the subdirectory GUAVA under the current directory of the current drive, and all of its subdirectories: VIRSCAN .\GUAVA Note that it does not scan the boot sectors of the current drive, since no drive letter was specified. -Q Quiet output. Do not display the banner containing the copyright information for this program. The only messages that will be displayed are those that indicate that a viral signature has been found, error messages, and warnings if particularly troublesome viruses are found (as indicated by "Pause if found" in the signature files). This is useful when executing the IBM Virus Scanning Program from a BAT or CMD file that checks the error level and takes its own action if a virus is found. Your use of the IBM Virus Scanning Program is still subject to the terms and conditions set out in the license agreement for this program. (For users in the United States and Puerto Rico, these are set out in the READ.ME file distributed with this program. For users in other locations, see your IBM representative or IBM authorized supplier for contract terms.) "-QQ" option for similar function. See the"-NLA" and "-QQ" options for similar functions. -QQ Very quiet output. Do not display the banner containing the copyright information for this program. Also disable display of any other messages, except for fatal error messages and warnings if particularly troublesome viruses are found. (The latter is indicated by "Pause if found" in the signature files.) The only indication that viral signatures have been found is the error level returned by the IBM Virus Scanning Program. This is useful when executing the IBM Virus Scanning Program from a BAT or CMD file that checks the error level and takes its own action if a virus is found. Your use of the IBM Virus Scanning Program is still subject to the terms and conditions set out in the license agreement for this program. (For users in the United States and Puerto Rico, these are set out in the READ.ME file distributed with this program. For users in other locations, see your IBM representative or IBM authorized supplier for contract terms.) "-QQ" option for similar function. See the"-NLA" and "-QQ" options for similar functions. -R Removable media support. This indicates that a given drive has removable media, such as floppy diskettes. If that drive is then specified as a drive to be scanned, The IBM Virus Scanning Program will prompt the user to insert additional diskettes to be scanned in that drive. This is useful when you are scanning a number of floppy diskettes, which is a common thing to do when first scanning a system, or when cleaning up after an infection. The following will let you scan every diskette in a box of diskettes in the A: drive: VIRSCAN -RA: A: Note that the "-RA:" option just tells the IBM Virus Scanning Program that drive A: has removable media. The separate "A:" option tells the IBM Virus Scanning Program to scan the A: drive. -S Use a non-default signature file for this scan. By default, the IBM Virus Scanning Program uses the signatures in the files VIRSIG.LST, and (if it is present) ADDENDA.LST for its scan. This option allows you to use other files instead. If this option is used, the default signature file isn't used, unless it is also specified explicitly with the "-S" option. For this reason, you should use this option with care, and at your own risk! The following scans the C: drive using the signatures in the file MYSIG.DAT, as well as the file VIRSIG.LST. in the current directory. VIRSCAN C: -SVIRSIG.LST -SMYSIG.DAT The following scans the D: drive using only the signatures in the file C:\UTIL\MYSIG.DAT. It does *not* use the signatures in VIRSIG.LST. VIRSCAN D: -SC:\UTIL\MYSIG.DAT -T Scan a single, specified file for viral signatures. The following scans the file PRUNE.OVL in the current directory: VIRSCAN -TPRUNE.OVL The following scans the file C:\UTIL\PLUM\PRUNE.OVL: VIRSCAN -TC:\UTIL\PLUM\PRUNE.OVL -V Verbose output. This displays a list of files and boot sectors as they are scanned, and in general forces the IBM Virus Scanning Program to display more information than normal. It forces the IBM Virus Scanning Program to do a hexadecimal display of any virus signatures that are found. It is very helpful to use this option to help diagnose the problem if a scan terminates early due to error. It is also useful if you are experimenting with command line options, to verify that what you think you specified is what you specified. Note: If you use the "-V" option, you should specify it on the command line before any other options. -VV Very verbose output. This is similar to the "-V" option, except that a hexadecimal dump of boot sectors is also displayed. This is useful when diagnosing problems with scanning boot sectors. Note: If you use the "-VV" option, you should specify it on the command line before any other options. -VL Create a log file. This tells virscan to create a log of the virus scan. The default log file name is "virscan.lgf", in the current directory. A file name may also be specified explicitly. The following scans the C: drive and creates the log file "virus.log" in the root directory of the C: drive. VIRSCAN C: -VLC:\VIRUS.LOG -W Wildcard file specification. By default, the IBM Virus Scanning Program only scans files of type EXE, COM, OV?, INI, and SYS. (and boot sectors, of course). This option can be used to specify arbitrary file types to scan. The following will scan files of type OVL and MEM on the C: and D: drives: VIRSCAN C: D: -W*.OVL,*.MEM The following will scan all files with file name KIWI on the E: drive: VIRSCAN E: -WKIWI.* -Z Pause with beeps if any virus signatures were found. When the scan finishes, if any virus signatures were found, this switch will force the IBM Virus Scanning Program to beep once per second and wait for the user to press a key. * Scan all fixed disks. (Not supported under DOS 2.0 or 2.1) This option tells virscan to scan all of the system's local non-removable disks. For example, if the system has 2 fixed disks partitioned into 3 disk partitions "C:", "D:", and "E:", and a virtual disk "F:" VIRSCAN * is equivalent to VIRSCAN C: D: E: F: Similarly, all network drives can be scanned with VIRSCAN *n and all network and local non-removable drives can be scanned with VIRSCAN *fn ? Help. A brief summary of the command line options is displayed. ?? Usage examples. Examples are given showing how to use the IBM Virus Scanning Program in some of the most common circumstances. 4.6 VALUES OF ERRORLEVEL RETURNED __________________________________ The IBM Virus Scanning Program sets the DOS or OS/2 error level upon exit to one of several values, depending upon what it found. 0 No virus signatures were found, and no other fatal errors occurred. 1 No virus signatures were found, but the program terminated with some other error before the scan was complete. 2 One or more virus signatures were found. These error levels can be used within BAT and CMD files that execute the IBM Virus Scanning Program, to respond differently to what the program finds. 4.7 LIMITATIONS ________________ While the IBM Virus Scanning Program can help you detect the presence of many viruses, it does have its limitations. It is important to understand what these are, and how to use the IBM Virus Scanning Program properly, in order to best protect your system. 4.7.1 THE IBM VIRUS SCANNING PROGRAM IS NOT A CURE-ALL _______________________________________________________ In typical computing systems, it is not possible for any program to detect all possible viruses that may exist in the future. The IBM Virus Scanning Program is designed to help you detect the presence of many of the viruses that we already know about. It does this by scanning for the signatures found in the file VIRSIG.LST, and ADDENDA.LST if it is present. Viruses whose signatures are not contained in these files will probably not be detected. 4.7.2 THE IBM VIRUS SCANNING PROGRAM DOES NOT REMOVE VIRUSES _____________________________________________________________ The IBM Virus Scanning Program does not attempt to remove viral infections from a system. If you discover that your system is infected with a virus, you should seek competent technical assistance to prevent the infection from spreading to other systems, and to clean up the infection safely. 4.7.3 THE IBM VIRUS SCANNING PROGRAM MAY NOT FIND VIRUSES IN ARCHIVES ______________________________________________________________________ The IBM Virus Scanning Program cannot find virus signatures in files that are compressed or encrypted. This includes files that have been compressed by archiving programs. To scan such files, unpack them first, and then scan their constituent files. Self-extracting archives are programs (typically files of type EXE) that are compressed, but decompress themselves into their constituent files when they are executed. Some viruses can infect the decompression part of these programs, and the IBM Virus Scanning Program will detect them. It is also possible for the compressed programs stored within these files to be infected. The IBM Virus Scanning Program will not detect this while they are compressed. 4.7.4 SCANNING BOOT SECTORS ____________________________ When the IBM Virus Scanning Program is run in an OS/2 protect mode session, it cannot scan the master boot record of the hard disk. As a result, it cannot find master-boot-record viruses (such as the Stoned virus) on hard disks, when it is executed under OS/2. The master boot record is scanned when the IBM Virus Scanning Program is executed under PC-DOS, including the DOS Compatibility Box of OS/2. When the IBM Virus Scanning Program is asked to scan any drive with a drive letter of C: or greater, it scans the partition boot sector of each requested drive, and the master boot record of the physical hard disk 80, which is the first physical hard disk. This is usually sufficient, since most systems only use this master boot record. If you want to scan the master boot record of any other physical hard disk, you must specify it explicitly. For instance, the following will scan the master boot record of physical disk 81, which is typically the second physical disk: VIRSCAN -B81 4.8 COMMON PROBLEMS ____________________ There are a few circumstances in which users have difficulties with the IBM Virus Scanning Program. This section discusses the most common problems and tells you what to do about them. 4.8.1 SYSTEMS WITH DAMAGED DIRECTORY TREES ___________________________________________ On some systems, the IBM Virus Scanning Program will terminate with an error (usually "run-time error 6000"). This is often due to the system having a damaged directory tree, in which one part of the tree appears to contain the entire directory all over again. While this condition is not caused by the IBM Virus Scanning Program, it will prevent the IBM Virus Scanning Program from scanning the disk correctly. You should run the CHKDSK program to diagnose any such problems. If CHKDSK reports errors, refer to your PC-DOS or OS/2 manuals for instructions on correcting them. 4.8.2 INCOMPATIBLE VERSIONS OF PC-DOS AND COMMAND.COM ______________________________________________________ Occasionally, users will have a version of COMMAND.COM which is not compatible with the version of PC-DOS that they are using. This may happen when PC-DOS is updated, but the user forgets to update COMMAND.COM. It causes the following message when attempting to execute the IBM Virus Scanning Program: "SYS2090: The system is unable to load the program." While this is not caused by the IBM Virus Scanning Program, it will prevent the IBM Virus Scanning Program from executing. If you encounter this error, type VER to determine which version of the operating system you are using. Then replace all copies of COMMAND.COM with the version contained on the manufacturer's original, write-protected diskette for the correct version of the operating system. Reboot the system and try running the IBM Virus Scanning Program again. 4.8.3 LIMITATION WHEN SCANNING BOOT RECORDS OF NETWORK DRIVES ______________________________________________________________ Some local area network programs allow you to access a disk drive on a remote system as if it were one of your own local drives. The IBM Virus Scanning Program sometimes cannot scan the boot sectors of these drives, due to limitations in the local area network software. In these cases, it will display a message similar to the following. ---------------------------------------------------------------------- There was an error reading system boot sector for drive G:, INT 25 rc=000D Error scanning system boot sector of drive G: (This is normal if drive G: is a network drive.) (Continuing Scan) ---------------------------------------------------------------------- This indicates that the IBM Virus Scanning Program could not scan the boot sector of that drive, but that the scan continued normally. This is not a fatal error. 4.8.4 FALSE ALARMS WHEN SCANNING MEMORY ________________________________________ When the IBM Virus Scanning Program scans system memory, it will occasionally find remnants of virus signatures left over from programs that had been run previously. In particular, some other virus scanning programs will leave remnants of the signatures they use in memory. (This includes the IBM Virus Scanning Program version 1.0.) This can cause the IBM Virus Scanning Program to report the possible presence of a virus in memory when there is none. This is most likely to happen when the "-G" option is used, which asks the IBM Virus Scanning Program to report any signatures found, regardless of where they are found. If this problem is suspected, cold-boot the system from a virus-free, write-protected floppy diskette (see "Safely Using the IBM Virus Scanning Program" for details), and run the IBM Virus Scanning Program again. This will ensure that there are no remnants of previous programs in memory when the IBM Virus Scanning Program executes. 5.0 VIRUSES DETECTED BY THE IBM VIRUS SCANNING PROGRAM _______________________________________________________ This section describes the viruses scanned for by this version of the IBM Virus Scanning Program. 5.1 VIRUS LIST AND CHARACTERISTICS ___________________________________ The following table summarizes the characteristics of the PC-DOS viruses that the IBM Virus Scanning Program version 2.1.2 scans for. The meaning of the columns is as follows. o Infects COM. The virus infects COM files. o Infects EXE. The virus infects EXE files. o Uses "MZ" for criterion. The virus looks for an EXE header, rather than a file type of EXE, in order to determine which files to infect. An EXE header has the ASCII characters MZ (hexadecimal 4A and 5D) as the first two bytes of the file. If it finds these two bytes, the virus will infect that file. Viruses that use this infection criterion can infect files of any type, as long as the files have an EXE header. (This is the same criterion used by the DOS loader to decide if a file has an EXE format.) o Infects diskette boot. The virus infects the boot sectors of floppy diskettes and will become active in a system which is booted from an infected floppy diskette. o Infects HD system boot. The virus infects the system boot sector of hard disks and will become active in a system which is booted from an infected hard disk. o Infects HD master boot. The virus infects the master boot record of hard disks and will become active in a system which is booted from an infected hard disk. o Resident. The virus installs itself as a terminate-and-stay-resident (TSR) extension to DOS when it is run. This TSR is then used to spread the infection. The virus will remain active in a system even after the infected program has finished running. Some of these viruses will remain active even if the system is rebooted using Ctl-Alt-Del. They will not remain active if the system is cold-booted from a disk or diskette that is known to be free of viruses. An "x" is placed in a column if a virus possesses that characteristic. A "." is placed in the column if it does not. New or name changed with this release---+ Resident------------------------------+ | Infects HD master boot--------------+ | | Infects HD system boot------------+ | | | Infects diskette boot-----------+ | | | | Uses "MZ" for criterion-------+ | | | | | Infects EXE-----------------+ | | | | | | Infects COM---------------+ | | | | | | | | | | | | | | | Virus V V V V V V V V Notes ---------------------------------------- ---------------------------------- 1067 x . . . . . x . 1253 x . . x . x x . 1381 . x ? . . . x . 1392 x x x . . . x . 1536 x . x . . . x . 1575 x x . . . . x . 1624 . x x . . . . . 1701 x . x . . . x . 1701-Jojo x . x . . . x . 1704 x . x . . . x . 1704-B x . x . . . x . 1704-C x . x . . . x . 1704-Format x . x . . . x . 1704-Y x . x . . . x . 1813 x x . . . . x . 1813-00 x x . . . . x . Minor variant, virscan says "1813". 1813-1605 x x . . . . x . 1813-ANARKIA x x . . . . x . 1813-Discom x x . . . . x . 1813-Groen Links x x . . . . x . 1813-Not-13 x x . . . . x . 1813-Puerto x x . . . . x . 1813-Swiss x x . . . . x . 1813-Westwood x x . . . . x . 2086 x x . . . . x . 3445 x x . . . x x x Infects MBR with Campana virus. 382 x . . . . . . x 4096 x x x . . . x . 453 x . . . . . . . 5120 x x ? ? ? ? ? . 555 x x x . . . x . 637 . x x . . . . . 9800:0000 x x x . . . x . Agiplan x x ? ? ? ? ? . Aircop . . . x . . x . Alabama . x . . . . x . Ambulance x . . . . . . . ANTHRAX x x ? ? ? x ? . AntiPascal-400 x . . . . . . . AntiPascal-440 x . . . . . . . AntiPascal-480 x . . . . . . . AntiPascal-529 x . . . . . . . AntiPascal-605 x . . . . . . . April 1st COM x . . . . . x . April 1st EXE . x . . . . x . Armagedon x ? ? ? ? ? ? . Azusa . . . x . x x . Black Monday x x . . . . x . Blood x . . . . . . . Bloody! . . . x . x x . Bouncing Ball . . . x x . x . Bouncing Ball/286 . . . x x . x . Brain . . . x . . x . Brain-Ashar . . . x . . x . Brain-Shoe . . . x . . x . Brunswick . . . x . x x . Burger-405 x . . . . . . . Burger-537 x x . . . . . . Burger-541 x x . . . . . . Burger-542 x x . . . . . . Burger-560 x . . . . . . . Campana . . . x . x x . CARA x . . . . . x . Carioca x ? ? ? ? ? ? . Casino x . . . . . x . CHV 2.1 x . . . . . x . Crash-1075 x x . . . . x . Crazy Eddie x x ? ? ? x ? . Crew-2480 x . . . . . . . CSSR-528 x . . . . . . . Dark Avenger x x x . . . x . Dark Avenger-2100 x x x . . . x . DataCrime II x x x . . . . . DataCrime II-B x x x . . . . . DataCrime-1168 x . . . . . . . DataCrime-1280 x . . . . . . . DataLock x x x . . . x . DBF x . . . . . x . December 24th . x x . . . x . DEICIDE x . . . . . . . Den Zuk . . . x . . x . Devil's Dance-941 x . . . . . x . DIRVIR x ? ? ? ? ? x . Disk Killer . . . x x . x . Doom 2 x x . . . . x x Do-Nothing x . . . . . x . Do-Nothing 2 x . . . . . x . Eddie-651 x x x . . . x . EDV . . . x . x x . Eight Tunes-1971 x x x . . . x . Evil Empire . . . x . x x . Evil Empire-B . . . x . x x . Falling Letters Boot . . . x . . x . Fellowship x x . . . . x . FILLER . . . ? ? ? ? . Fish 6 x x x . . . x . FLASH x x . . . . x . Flip-2153 x x x . . x x . Also changes 1 byte HD system boot Flip-2343 x x x . . x x . Also changes 1 byte HD system boot FORM . . . x x . x . Friday the 13th COM x . . . . . . . Fumble-867 x . . . . . . . Has a non-viral resident extension Guppy x . x . . . x . Halloechen x x x . . . x . Happy Day x . . . . . . . Iceland II . x . . . . x . ITAVIR . x x . . . . . Japanese Christmas x . ? ? ? ? ? . Jeff x . x . . . . . Joshi . . . x . x x . July 13th . x ? ? ? ? ? . June 16th x . . . . . . . Kamikaze x x x . . . x . Kennedy-163 x . . . . . . . Kennedy-333 x . . . . . . . KeyPress x x ? ? ? ? x . Klaeren x x . . . . x . LAO DOUNG . . . x x . x x LBC . . . x . . x . Lehigh I x . . . . . x . Only infects COMMAND.COM Leprosy x . . . . . . . Leprosy-B x . . . . . . . Liberty x x x . . . x . Mardi Bros ? ? ? ? ? ? ? . Infects boot records for sure. MG1 x ? ? ? ? ? ? . MG3 x ? ? ? ? ? ? . Michelangelo . . . x . x x . MICROBE . . . x . . x . Mirror x x . . . . x . MIX1 . x . . . . x . MIX1-B . x . . . . x . Murphy 1 x x ? ? ? ? x . Murphy 2 x x ? ? ? ? x . MusicBug . . . x ? ? x . Nobock x . . . . . . . Noint . . . x . x x . Nomenklatura x x x . . . x . Ohio . . . x . . x . Ohio0 . . . x . . x . Ontario x x x . . . x x OROPAX x . . . . . x . Pentagon . . . x . . x . Perfume-765 x . . . . . x . Pixel-277 x . . . . . . . Pixel-299 x . . . . . . . Pixel-345 x . . . . . . . Pixel-740 x . . . . . . . Pixel-847 x . . . . . . . Pixel-852 x . . . . . . . Plastique 4.51 x x ? . . . ? . Plastique 5.21 x x ? x ? x x . Plastique-2576 x x ? ? ? ? ? . Plastique-2900 x x ? ? ? ? ? . Plastique-Invader x x . x . x x . POLIMER x . ? . . . . . PrtSc . . . x . x x . Prudents-1210 . x x . . . . . PSQR-1720 x x . . . . x . Raubkopi x x x . . . . . SADAM x . . . . . x . Saratoga 1 . x . . . . x . Saratoga 2 . x . . . . x . Saturday 14th x x x . . . x . Shake x . . . . . x . Slow x x x . . . x . Slow-2131 x x ? ? ? ? x . Smiley Worm . . . x x . x x Solano x . x . . . x . Sparse x . . . . . x . STAF x . . . . . . . Stardot-600 x . x . . . . . Stardot-789 x x x . . . . x Stardot-801 x x x . . . . . Stoned . . . x . x x . Stoned 2 . . . x . x x . Stoned-Alberta . . . x . x x . Stoned-ZAPPED . . . x . x x . Sunday x x . . . . x . Sunday 2 x x . . . . x . Suomi x . ? ? ? ? . . sURIV 3.00 x x . . . . x . SVIR . x . . . . . . Swedish Disaster . . . x . x x . Sylvia x . . . . . . . SYSLOCK x x x . . . . . Taiwan x . . . . . . . Taiwan 2 x . . . . . . . Talentless Jerk x . . . . . . . Tequila . x . . . x x . Telecom x . . . . x x x Infects MBR with Campana virus Tiny-134 x . x . . . x . Tiny-138 x . x . . . x . Tiny-143 x . x . . . x . Tiny-154 x . x . . . x . Tiny-156 x . x . . . x . Tiny-158 x . x . . . x . Tiny-159 x . x . . . x . Tiny-160 x . x . . . x . Tiny-167 x . x . . . x . Tiny-198 x . x . . . x . TP06VIR x ? ? ? ? ? x . Relatives of the 2885 and VACSINA TP16VIR x ? ? ? ? ? x . TP23VIR x ? ? ? ? ? x . TP24VIR x ? ? ? ? ? x . TP25VIR x ? ? ? ? ? x . TP33VIR x ? ? ? ? ? x . TP34VIR x ? ? ? ? ? x . TP41VIR x ? ? ? ? ? x . TP42VIR x ? ? ? ? ? x . TP45VIR x ? ? ? ? ? x . TP46VIR x ? ? ? ? ? x . Traceback-2930 x x x . . . x . Traceback-3066 x x x . . . x . Turbo-448 x . ? . . . x . Turbo-Kukac x . ? . . . x . Typo Boot . . . x x . x . V1024 x x x . . . x . V2000 x x x . . . x . V512 x . . . . . x . V512-B x . . . . . x . V512-C x . . . . . x . V512-D x . . . . . x . V800 x x ? ? ? ? ? . VACSINA x . x . . . x . Changes EXE files to COM files VCS 1.0 x . . . . . . . VHP-348 x . . . . . . . VHP-353 x . . . . . . . VHP-367 x . . . . . . . VHP-435 x . . . . . . . VHP-623 x . . . . . . . VHP-627 x . . . . . . . Victor x x ? ? ? ? x . Vienna-535 x . . . . . . . Vienna-646 x . . . . . . . Vienna-648 x . . . . . . . Puts reboot code in COM files Vienna-Choinka x . . . . . . . Vienna-Ghost x . . . . . . . Puts non-viral code in boot sectors Vienna-Ira x . . . . . . . Vienna-Lisbon x . . . . . . . Puts the string "@AIDS" in COM files Vienna-Monxla x . ? . . . . . Sometimes installs non-viral int hdlr Vienna-Viola x . . . . . . . Vienna-Viola B4 x . . . . . . . VIRDEM x . . . . . . . VIRDEM 2 x . . . . . . . VIRUS-90 x . x . . . . . VP x . . . . . . . Vriest x . . . . . x . W13-A x . . . . . . . W13-B x . . . . . . . Washburn-1260 x . . . . . . . Washburn-Casper x . . . . . . . Washburn-V2P2 x . . . . . . . Whale x x ? ? ? ? x . Whale-B x x ? ? ? ? x . Wisconsin x . ? ? ? ? . . XA1 x . . . . . . . Overwrites boot records on April 1 Yale . . . x . . x . Yankee Doodle-2772 x x x . . . x . Yankee Doodle-2885 x x x . . . x . Yankee-1961 . x x . . . . . Yaunch . x . . . . . x Zero Hunt x . x . . . x . Zero Hunt-B x . x . . . x . ZK-900 x x x . . . x . 5.2 CROSS-REFERENCE OF COMMON VIRUS NAMES __________________________________________ Computer viruses are called by a variety of names. Sometimes, different people refer to the same virus by different names, or to different viruses by the same name. This table attempts to translate some of the more common names into the name used by the IBM Virus Scanning Program. Since these names are used differently by different people, the entries in this table may not reflect every use of these names by others. Sometimes different people use the same name, but it differs in capitalization (e.g. ANTHRAX v.s. Anthrax). In such cases, this table only includes an entry for our capitalization. Nickname Name Used By the IBM Virus Scanning Program 100 Years 4096 1008 Suomi 1022 Fellowship 1024 V1024 1168 DataCrime-1168 1210 Prudents-1210 1253 1253 1260 Washburn-1260, Washburn-V2P2 or Washburn-Casper 1260-Casper Washburn-1260, Washburn-V2P2 or Washburn-Casper 1280 DataCrime-1280 1381 1381 1392 1392 1392 (Amoeba) 1392 1514 DataCrime II 1536 1536 1536 (Zero Bug) 1536 1539 XA1 1554 9800:0000 1559 9800:0000 1575 1575 1605 1813-1605 1624 1624 1701 1701 1701-Jojo 1701-Jojo 1701-Jojo 1701-Jojo 1701/1704 - Version B 1701, 1704, 1704-B, 1704-C, 1704-Format, 1704-Y 1704 1704 1704 Format 1704-Format 1704-B 1704-B 1704-C 1704-C 1704-Format 1704-Format 1704-Y 1704-Y 170X 1701, 1704, 1704-B, 1704-C, 1704-Format, 1704-Y 1720 PQSR 17XX 1701, 1704, 1704-B, 1704-C, 1704-Format, 1704-Y 17Y4 1704-Y 1808(EXE) 1813 1813 1813 1813(COM) 1813 1813-00 1813 1813-1605 1813-1605 1813-ANARKIA 1813-ANARKIA 1813-Mendoza 1813 (Not differentiated by VIRSCAN) 1813-not-13 1813-not-13 1813-Puerto 1813-Puerto 1813-Swiss 1813-Swiss 1813-Tuesday-1st 1813 (Not differentiated by VIRSCAN) 1813-Westwood 1813-Westwood 1917 DataCrime II-B 1961 (Yankee) Yankee-1961 1971 Eight Tunes-1971 1971(Eight Tunes) Eight Tunes-1971 2086 2086 2131 Slow-2131 2153 (Flip) Flip-2153 2343 (Flip) Flip-2343 2772 Yankee Doodle-2772 2885 Yankee Doodle-2885 2930 Traceback-2930 3066 Traceback-3066 3066/2930 Traceback Traceback-2930, Traceback-3066 333 Kennedy-333 3445 3445 3551 SYSLOCK 3551 (Syslock) SYSLOCK 3555 SYSLOCK 382 382 3880 ITAVIR 405 Burger-405 4096 4096 453 453 4711 Perfume-765 512 V512 5120 5120 537 Burger-537 541 Burger-541 555 555 560 Burger-560 637 637 640k Do Nothing 648 Vienna-648 648-Lisbon Vienna-Lisbon 651 Eddie-651 688 FLASH 765 Perfume-765 847 Pixel-847 867 Fumble-867 903 CHV 2.1 941 Devil's Dance-941 9800:0000 9800:0000 Agiplan Agiplan Aircop Aircop Alabama Alabama Alameda Yale Ambulance Ambulance Ambulance Car Ambulance AMOEBA 1392 Amstrad Pixel-847 ANARKIA 1813-ANARKIA ANTHRAX ANTHRAX AntiCad 1253 AntiCad 4.Mozart Plastique-Invader AntiCad 5 Plastique-2576 Anticad 3.a Plastique 4.51 Anticad 1.a Plastique 5.21 AntiPascal-400 AntiPascal-400 AntiPascal-440 AntiPascal-440 AntiPascal-480 AntiPascal-480 AntiPascal-529 AntiPascal-529 AntiPascal-605 AntiPascal-605 April 1st April 1st COM, April 1st EXE, Suriv 1.01 April 1st COM April 1st COM April 1st EXE April 1st EXE Arab Star 1813 Armagedon Armagedon Armagedon the First Armagedon Armagedon the GREEK Armagedon Ashar Brain-Ashar Austrian Vienna-648 Austrian 2 1701, 1704 Autocad 2 Plastique-2900 Autumn 1701, 1704 Autumn Leaves 1701, 1704 Azusa Azusa BASIC 5120 Better world Fellowship Black Avenger Dark Avenger Black Friday 1813 Black Hole 1813 Black Monday Black Monday Black Window 1813 Blackjack 1704B Blood Blood Bloody Bloody! Bloody! Bloody! Bouncing Ball Bouncing Ball Bouncing Ball/286 Bouncing Ball/286 Bouncing Dot Bouncing Ball Brain Brain Brain-Ashar Brain-Ashar Brain-Shoe Brain-Shoe Brunswick Brunswick Burger-405 Burger-405 Burger-537 Burger-537 Burger-541 Burger-541 Burger-542 Burger-542 Burger-560 Burger-560 Campana Campana CARA CARA Carioca Carioca Cascade 1701, 1704 Cascade-B 1704-B Casino Casino Casper Washburn-1260, Washburn-V2P2 or Washburn-Casper Chameleon Washburn-1260 Choinka Vienna-Choinka Christmas in Japan Japanese Christmas CHV 2.1 CHV 2.1 Columbus Day DataCrime-1280, DataCrime-1168, DataCrime II, DataCrime II B COM Friday the 13th COM Computer Ogre Disk Killer Crash-1075 Crash-1075 Crazy Eddie Crazy Eddie Crew-2480 Crew-2480 CSSR CSSR-528 CSSR-528 CSSR-528 Cursey EDV Dark Avenger Dark Avenger Dark Avenger 2 Eddie-651 Dark Avenger II V2000 Dark Avenger III V1024 Dark Avenger-2100 Dark Avenger-2100 DataCrime DataCrime-1280, DataCrime-1168 DataCrime B DataCrime-1168 DataCrime II DataCrime II DataCrime II B DataCrime II-B DataCrime II b DataCrime II-B DataCrime II-B DataCrime II-B DataCrime-1168 DataCrime-1168 DataCrime-1280 DataCrime-1280 DataCrime-2 DataCrime II DataLock DataLock DBASE DBF DBase DBF DBF DBF Dead Kennedy Kennedy-333 Dead Kennedys Kennedy-333 Death to Pascal Wisconsin December 24th December 24th DEICIDE DEICIDE Den Zuk Den Zuk DENZUKO Den Zuk Devil Devil's Dance-941 Devil's Dance Devil's Dance-941 Devil's Dance-941 Devil's Dance-941 Diamond V1024 Diana Dark Avenger DIRVIR DIRVIR Discom Discom Disk Crunching Icelandic II, Saratoga 1, Saratoga 2, December 24th Disk Killer Disk Killer Disk Ogre Disk Killer Do Nothing Do-Nothing, Do-Nothing 2 Do Nothing 2 Do-Nothing 2 Donald Duck Stoned 2 Doom 2 Doom 2 DOS-62 Vienna-648 DOS-68 Vienna-648 Durban Saturday 14th EB 21 PrtSc Eddie Dark Avenger Eddie 2 Eddie-651 Eddie 3 Eddie-651 Eddie-651 Eddie-651 EDV EDV Eight Tunes Eight Tunes-1971 Eight Tunes-1971 Eight Tunes-1971 European Fish Viruses Fish 6 Evil Empire Evil Empire Evil Empire-B Evil Empire-B Fall 1701, 1704 Falling Letters Boot Falling Letters Boot Falling Tears 1701, 1704 Father Christmas Vienna-Choinka Fellowship Fellowship FILLER FILLER First Austrian Vienna-648 Fish Fish 6 Fish 6 Fish 6 FLASH FLASH Flip Flip-2343, Flip-2153 Flip-2153 Flip-2153 Flip-2343 Flip-2343 FORM FORM Form Boot FORM FORM-Virus FORM Friday 13th Friday the 13th COM Friday the 13th Friday the 13th COM Friday the 13th COM Friday the 13th COM Frodo 4096 Fu Manchu 2086 Fu Manchu - Version A 2086 Fumble Fumble-867 Fumble-867 Fumble-867 Ghost Vienna-Ghost Ghost Boot Vienna-Ghost Ghost COM Vienna-Ghost Ghost Version of DOS 62 Vienna-Ghost Ghostballs Vienna-Ghost Guppy Guppy Hacker Ohio Halloechen Halloechen Happy Birthday Joshi Joshi Happy Day Happy Day Hawaii Stoned Hebrew University 1813 Hello (1A) Halloechen Hemp Stoned Herbst 1701, 1704 Holland Sylvia Holland Girl Sylvia Iceland Iceland II, Saratoga 1, Saratoga 2, December 24th Iceland I Saratoga 2 Iceland II Iceland II Icelandic Iceland II, Saratoga 1, Saratoga 2, December 24th Icelandic II Iceland II Icelandic III December 24th Icelandic-3 December 24th IDF 4096 Invader Plastique-Invader Ira Vienna-Ira Israeli 1813 Israeli Boot Falling Letters Boot Israeli Defense Forces 4096 Italian Bouncing Ball ITAVIR ITAVIR Japanese Christmas Japanese Christmas Japanese-Xmas Japanese Christmas Jeff Jeff Jeru-Discom 1813-Discom Jeru.Swiss 1813-Swiss Jeru-Sunday Sunday Jeru-Sunday2 Sunday 2 Jerusalem 1813 Jerusalem Strain B 1813, 1813-ANARKIA, 1813-not-13, 1813-Swiss Jerusalem-B 1813 Jerusalem-E sURIV 3.00 Jerusalem.Not13 1813-not-13 JOJO 1701-Jojo Joshi Joshi July 13th July 13th June 16th June 16th June-the-16th June 16th JUNE16 June 16th JV 1813 Kamikaze Kamikaze Kennedy Kennedy-333 Kennedy-163 Kennedy-163 Kennedy-333 Kennedy-333 KeyPress KeyPress KHETAPUNK 1392 Klaeren Klaeren Korea LBC Kukac-2 Turbo-Kukac LBC LBC LBC Boot LBC Lehigh Lehigh I Lehigh I Lehigh I Leprosy Leprosy Leprosy 1.00 Leprosy Leprosy-B Leprosy-B Liberty Liberty Lisbon Vienna-Lisbon Live After Death V800 MACROSOFT SYSLOCK Mardi Bros Mardi Bros Marijuana Stoned Marti Brothers Mardi Bros Mendoza 1813 (Not differentiated by VIRSCAN) Merritt Yale Mexican Devil's Dance MG1 MG1 MG3 MG3 Miami Friday the 13th COM Michelangelo Michelangelo MICROBE MICROBE Mirror Mirror Mistake Fumble-867, Typo Boot MIX1 MIX1, MIX1-B MIX1-B MIX1-B MIX1/Icelandic Saratoga 1, Saratoga 2, Iceland II Mixer1 MIX1 Monxla Vienna-Monxla Morbus Waiblingen 1813 Mother Fish Whale Munich Friday the 13th COM Murphy Murphy 1 Murphy 1 Murphy 1 Murphy 2 Murphy 2 Murphy-1 Murphy 1 Murphy-2 Murphy 2 Music OROPAX MusicBug MusicBug Musician OROPAX MYSTIK Liberty New Zealand Stoned Nobock Nobock Noint Noint Nomenclature Nomenklatura Nomenklatura Nomenklatura Number of the Beast V512 Ogre Disk Killer Ohio Ohio Ohio0 Ohio0 Old Yankee-1 Yankee-1961 Omicron Flip-2343, Flip-2153 OMICRON Psychoblaster Flip-2343, Flip-2153 Ontario Ontario One-In-Eight Vienna-648 OROPAX OROPAX Pakistani Brain Pakistani Brain Brain Palette 1536 Payday 1813-not-13 Peking Yale Pentagon Pentagon Perfume Perfume-765 Perfume-765 Perfume-765 Ping Pong-B Bouncing Ball Ping-Pong Bouncing Ball Pixel Pixel-847 Pixel-277 Pixel-277 Pixel-299 Pixel-299 Pixel-345 Pixel-345 Pixel-740 Pixel-740 Pixel-847 Pixel-847 Pixel-852 Pixel-852 Plastique 4.51 Plastique 4.51 Plastique 5.21 Plastique 5.21 Plastique Boot Plastique-Invader Plastique-2576 Plastique-2576 Plastique-2900 Plastique-2900 Plastique-Invader Plastique-Invader PLO 1813 POLIMER POLIMER Polimer-2 POLIMER Pretoria JUNE16 Print Screen PrtSc PrtSc PrtSc Prudents Prudents-1210 Prudents-1210 Prudents-1210 PSQR PSQR-1720 PSQR-1720 PSQR-1720 Raubkopi Raubkopi Red X Ambulance RPVS 453 Russian 1813 SADAM SADAM San Diego Stoned Saratoga Iceland II, Saratoga 1, Saratoga 2, December 24th Saratoga 1 Saratoga 1 Saratoga 2 Saratoga 2 Saratoga 3 Iceland II SAT14 Saturday 14th Saturday 14th Saturday 14th Saturday-the-14th Saturday 14th Scott's Valley Slow-2131 Search Den Zuk Second Austrian 1704 Seoul Yale Shake Shake Shoe Brain-Shoe Shoe_Virus Brain-Shoe Slow Slow Slow-2131 Slow-2131 Smiley Worm Smiley Worm Smithsonian Stoned Solano Solano South African Friday the 13th COM Sparse Sparse STAF STAF Stardot-600 Stardot-600 Stardot-789 Stardot-789 Stardot-801 Stardot-801 Stealth 4096, EDV, Fish 6, Joshi, Murphy 1 Stoned Stoned Stoned 2 Stoned 2 Stoned-Alberta Stoned-Alberta Stoned-ZAPPED Stoned-ZAPPED Stupid Do-Nothing Stupid-2 Do-Nothing 2 sUMsDos 1813 Sunday Sunday,Sunday 2 Sunday 2 Sunday 2 Suomi Suomi SuperHacker Talentless Jerk sURIV 1.01 April 1st COM sURIV 2.01 April 1st EXE sURIV 3.00 sURIV 3.00 Suriv A April 1st COM, April 1st EXE Suriv B sURIV 3.0 SURIV01 April 1st COM SURIV02 April 1st EXE SURIV03 sURIV 3.00 SVIR SVIR Swap Falling Letters Boot Swedish Disaster Swedish Disaster Sylvia Sylvia SYSLOCK SYSLOCK System Iceland II T1 1813 (Not differentiated by VIRSCAN) Taiwan 1 Taiwan Taiwan Taiwan, Taiwan 2 Taiwan 2 Taiwan 2 Taiwan 3 Plastique-2900 Taiwan 4 Plastique-2576 Talentless Jerk Talentless Jerk Telecom Telecom TELEFONICA Campana Ten Bytes 9800:0000 TenBytes 9800:0000 Tequila Tequila Thanksgiving 1253 Tiny-134 Tiny-134 Tiny-138 Tiny-138 Tiny-143 Tiny-143 Tiny-154 Tiny-154 Tiny-156 Tiny-156 Tiny-158 Tiny-158 Tiny-159 Tiny-159 Tiny-160 Tiny-160 Tiny-163 Kennedy-163 Tiny-167 Tiny-167 Tiny-198 Tiny-198 Toothless W13-A, W13-B TP06VIR TP06VIR TP16VIR TP16VIR TP23VIR TP23VIR TP24VIR TP24VIR TP25VIR TP25VIR TP33VIR TP33VIR TP34VIR TP34VIR TP39VIR Yankee Doodle-2772 TP41VIR TP41VIR TP42VIR TP42VIR TP44VIR Yankee Doodle-2885 TP45VIR TP45VIR TP46VIR TP46VIR Traceback Traceback-2930, Traceback-3066 Traceback II Traceback-2930 Traceback-2930 Traceback-2930 Traceback-3066 Traceback-3066 TUQ 453 Turbo-448 Turbo-448 Turbo-Kukac Turbo-Kukak Turin Bouncing Ball Typo Fumble-867, Typo Boot Typo Boot Typo Boot Typo COM Fumble-867 UIUC Brain-Ashar UIUC Brain-Shoe Unesco Vienna-648 V-277 Pixel-277 V-299 Pixel-299 V-345 Pixel-345 V-Alert 9800:0000 V1024 V1024 V1277 Murphy 1 V1539 XA1 V2000 V2000 V2100 Dark Avenger-2100 V2P1 Washburn-1260, Washburn-V2P2 or Washburn-Casper V2P2 Washburn-1260, Washburn-V2P2 or Washburn-Casper V512 V512 V512-B V512-B V512-C V512-C V512-D V512-D V651 Eddie-651 V800 V800 VACSINA VACSINA Vacsina-39 virus Yankee Doodle-2772 Vacsina-44 virus Yankee Doodle-2885 VBASIC 5120 VCOMM 637 VCS 1.0 VCS 1.0 Venezuelan Den Zuk Vera Cruz Bouncing Ball VHP-348 VHP-348 VHP-353 VHP-353 VHP-367 VHP-367 VHP-435 VHP-435 VHP-623 VHP-623 VHP-627 VHP-627 Victor Victor Vienna Vienna-648 Vienna (DOS62) Version B Vienna-648 Vienna-535 Vienna-535 Vienna-646 Vienna-646 Vienna-648 Vienna-648 Vienna-Choinka Vienna-Choinka Vienna-Ghost Vienna-Ghost Vienna-Ira Vienna-Ira Vienna-Lisbon Vienna-Lisbon Vienna-Monxla Vienna-Monxla Vienna-Viola Vienna-Viola Vienna-Viola B4 Vienna-Viola B4 Viola Vienna-Viola Viola B4 Vienna-Viola B4 Violator Vienna-Viola VIR13J July 13th VIRDEM VIRDEM VIRDEM 2 VIRDEM 2 VIRUS-90 VIRUS-90 Virus-B Friday the 13th COM VP VP Vriest Vriest W13 W13-A, W13-B W13-A W13-A W13-B W13-B Washburn-Casper Washburn-1260, Washburn-V2P2 or Washburn-Casper Weinacht XA1 Westwood 1813-Westwood Whale Whale Whale-B Whale-B Wisconsin Wisconsin XA1 XA1 XA1 (1539) Christmas XA1 Yale Yale Yale Boot Yale Yankee 2 Yankee-1961 Yankee Doodle Yankee Doodle-2885, Yankee Doodle-2772 Yankee Doodle-2772 Yankee Doodle-2772 Yankee Doodle-2885 Yankee Doodle-2885 Yankee-1961 Yankee-1961 Yaunch Yaunch Z the Whale Whale ZAPPER Stoned-ZAPPED ZBug 1536 Zero Bug 1536 Zero Hunt Zero Hunt Zero Hunt-B Zero Hunt-B Zerotime SLOW ZK-900 ZK-900