home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Shareware Overload
/
ShartewareOverload.cdr
/
virus
/
fprot114.zip
/
FILVIR-1.TXT
< prev
next >
Wrap
Text File
|
1991-01-21
|
39KB
|
998 lines
A description of PC viruses and their symptoms - Jan. '91
This document lists the file viruses recognized by F-PROT at the time of
writing. Since new viruses are continually appearing, this document will
never be completely up to date. A short description of the viruses follows,
but it is far from complete.
The .EXE and .COM infecting viruses known by F-PROT are:
217
405
417
440
492
512 --> Number of the beast
516
600 --> Voronezh
696
699
707
800
948
1024 --> Diamond
1049 --> Yankee
1067 --> Ambulance
1075
1226 --> Phoenix
1260
1392 --> Amoeba
1600
2144
2480
2930 --> Traceback
4096 --> Frodo
5120
8-tunes
A-204 --> Jerusalem
Advent --> Syslock
Agiplan
AIDS
AIDS-2
Alabama
Ambulance
Amoeba
Amstrad
Anarkia --> Jerusalem
AntiCAD --> Plastique
AntiPascal
AntiPascal-2
April 1st
Armagedon
Attention
Bebe
Best Wishes
Black Monday
Blood
Bulgarian Tiny
Burger
Cancer --> Amstrad
Carioca
Casper --> 1260
Cascade
Century --> Jerusalem
Choinka --> Vienna
Christmas in Japan
Cookie --> Syslock
Dark Avenger --> Eddie
DataCrime
DataCrime II
Datalock
dBase
December 24th
Destructor
Devil's Dance
Diamond
DIR
Do-Nothing --> Stupid
Doteater
Durban
Dyslexia
Eddie
Eddie II
Evil --> Phoenix
Father Christmas --> Vienna
Fellowship
Frere --> Jerusalem
Fish 6 --> Frodo
Flash
Flip
Frodo
Fuck You --> 417
Fumble
Fu Manchu
Ghost
Groen Links --> Jerusalem
Guppy
Hallöchen
Happy --> VFSI
Holland Girl --> Sylvia
Hymn --> Eddie
Icelandic
Icelandic II
IDF --> Frodo
Internal
Invader --> Plastique
Itavir
Jerusalem
Jo-Jo
Joker
Joker-01
July 13th
Kemerovo
Kennedy
Lehigh
Leprosy
Liberty
Lisbon --> Vienna
Lozinsky
Macho --> Syslock
Mendoza --> Jerusalem
MG
MG-3
MGTU
Minnow --> Zero Hunt
MIX1
MLTI
Monxla --> Vienna
Mother Fish -> Whale
Murphy
Mystic -> Liberty
New Jerusalem --> Jerusalem
New Vienna --> Vienna
Nina
Nomenklatura
Number of the Beast
Old Yankee
Oropax
Palette --> Zero Bug
Parity
Payday --> Jerusalem
Perfume
Phoenix
Piter
Pixel --> Amstrad
Plastique
Polimer
Pretoria
Proud
Prudents
PSQR (1720) --> Jerusalem
Puerto --> Jerusalem
Saddam --> Stupid
Saratoga --> Icelandic
Scottish Murphy --> Superhack
Scott's Valley --> Slow
Shake
Slow
Solano --> Dyslexia
South African "Friday 13."
Stupid
Sunday --> Jerusalem
Suomi
Superhack
SVC
Sverdlov
Svir
Sylvia
SysLock
Taiwan
Tenbyte
Time --> Vienna
Tiny --> Kennedy
Tiny Family --> Bulgarian Tiny
Traceback
TUQ
Turbo Kukac
V-1 --> see BOOTVIR.TXT for description
V2P2 --> 1260
V2P6 --> 1260
Vacsina
Vcomm
Victor
Vienna
Virdem
Virus-90
Virus-101 --> Virus-90
Virus-B --> South African
Voronezh
VP
W13
Westwood --> Jerusalem
Whale
Wisconsin
XA1
Yankee Doodle --> Vacsina
Zero Bug
Zero Hunt
In addition there may be some recently discovered viruses, which have not
yet become available to the author.
It must be noted here, that F-PROT will provide some protection against
viruses not yet written. The programs in the package will not, however,
be able to remove unknown viruses, unless they are minor variants of
known viruses.
Now, let's have a look at the viruses mentioned above. In some cases
the descriptions are very short, perhaps only a couple of lines. This
indicates a new virus, which has not yet been fully dissected. In those
cases the effects of the virus may be only partially known. The
description will be expanded as better information becomes available.
217
This is a small, not very interesting virus from Poland, which only
infects .COM files.
405
Unlike most other program viruses, this one will not increase the length
of infected programs (unless they are shorter than 405 bytes). It will
overwrite the first 405 bytes in the files it infects. As this primitive
method causes the destruction of many programs, the virus is easily found,
and therefore not a serious threat. The "405" virus will only infect .COM
files, but it it unable to recognize a file already infected.
417
This is a simple 417 byte virus from Eastern Europe. The only text
message inside the virus are the words "Fuck You". The virus has not
been fully analyzed yet.
440
A 440 byte, direct-action .COM infecting virus. Awaiting analysis.
492
This virus from eastern Europe would not be remarkable, if it was not for
the fact that it will not work on the 8088 or 8086 processor. The reason
is the use of an instruction (PUSH-immediate) which only exist of
later-generation processors. The virus only infects COM files.
516
This simple, Russian COM virus is interesting in one way - it is the
first virus which does not modify the beginning of the programs it
infects. The virus code is located at the end of infected programs, but
the jump to the virus is inside the program, not at the beginning, as is
usual.
696
This is a simple direct-action Russian COM virus, which has not been
analysed yet.
699
This virus adds 699 bytes to the files it infects, but in addition it may
add several "garbage" bytes. As a result disinfected files will often not
be of exactly the same length as the original file.
707
This a Russian, 707 byte COM virus, which is awaiting analysis.
948
This Russian virus seems related to the Yankee virus, or at least it is
identified as "Yankee" by F-DRIVER, although F-FCHK will identify and
remove it correctly. It infects EXE and COM files, including
COMMAND.COM, which is infected by overwriting, and should be replaced if
infected.
1075
This Russian virus does not seem to work on the 8088 IBM-PC I use for testing
viruses - infected programs simply hang the machine. The virus seems to
be able to infect EXE and COM files, but has not been analysed yet.
1260
This virus is based on the Vienna virus, but the author, Mark Washburn,
has made considerable modifications to it. The most significant change is
that the virus is now encrypted. As the name indicates, the virus adds
1260 bytes to the files it infects. The first 39 bytes contain a simple
decryption routine, similar to the one used by the Cascade virus. There
is one important difference, however. A variable number of short (1- or
2-byte) instructions are added between the decoding instructions. The
extra instructions do not affect the operation of the virus - they are
only placed there in an attempt to prevent virus scanners from using
identification strings. This makes it a little harder to detect the
virus, but F-FCHK is nevertheless able to do it. Another variant of the
virus exists. It is named Casper because of the following text which is
found inside the virus.
Hi! I'm Casper The Virus, And On April The 1st I'm Gonna
Fuck Up Your Hard Disk REAL BAD! In Fact It Might Just
Be Impossible To Recover! How's That Grab Ya! <GRIN>
The virus will indeed activate on April 1st and try to format the boot
sector, with incorrect parameters. The code seems to contain an error,
though.
The author of the 1260 virus, Mark Washburn, has also written and
distributed the V2P2 virus, which is somewhat longer than 1260 virus.
His last virus, V2P6 is still longer, and uses a much more complex
self-modifying encryption method. F-FCHK will detect the virus, but can
not remove it. If your system ever gets infected by this virus, I
suggest you contact the author and demand a disinfection program from
him. His address is:
Mark Washburn
4656 Polk Street NE
Coloumbia Heights, MN 55421
USA
1600
According to reports from Bulgaria, the author of this virus is the same
as the one who wrote the Nina virus, and inside the 1600 virus the
following message can be found:
Dear Nina, you make me write this virus; Happy new year!
The 1600 virus infects .EXE and .COM files, increasing their length by
1600 bytes, but COMMAND.COM is overwritten. At least some versions of
COMMAND.COM will not work if infected, and infected COMMAND.COM files
should be replaced, not disinfected.
2144
This Russian virus appears to be related to the Voronezh virus - perhaps
having the same author. It is an encrypted COM and EXE infector, which
has not been fully analyzed yet, but is reported to have a similar effect
as the Sverdlov virus.
2480
This virus is not a serious threat on most systems, as it only spreads if
the year is set to 1988. It was found in Finland, and has not yet been
reported elsewhere. It only infects .COM files, and as the name
indicates, it is 2480 bytes long.
5120
This is one of the largest viruses known, 5120 bytes. It will infect
both .COM and .EXE files, selecting one file of each type to infect,
when an infected program is run. Parts of the virus seem to have been
written in a high-level language, probably compiled BASIC, but the
initialization code is written in assembly language.
800
One of the Bulgarian viruses - 800 bytes long. It bears some resemblance
to the Dark Avenger. It seems to overwrite directories, but has not been
fully dissected yet.
8-tunes
Just as most other "music" viruses, this one is from Germany. It infects
.COM files as well as .EXE files. When it activates it will play one out
of 8 different tunes. The length of the virus code is 1971 bytes.
Agiplan
This virus was first reported in the German AGIPLAN company, put then it
disappeared for nearly two years, until a sample appeared in South
Africa. Structurally the virus is similar to the Zero Bug virus, as both
add 1536 bytes to the beginning of the programs they infect. The virus
will not have any serious effects until it has been active on an infected
machine for several months, but then it will start corrupting writes.
AIDS
This is a long virus, over 12K, written in Pascal, which overwrites the
files it infects. It is therefore easily detected, and not a serious
threat.
AIDS-2
This is a "companion" virus, in the form of a .COM file, which will
locate a .EXE file and create a corresponding .COM file, exploiting the
fact that DOS will first execute the .COM file, containing the virus.
The virus will then later execute the .EXE file.
Alabama
This virus was first reported in Israel, but a text string inside it says:
SOFTWARE COPIES PROHIBITED BY INTERNATIONAL LAW..............
Box 1055 Tuscambia ALABAMA USA.
This message will also appear on the screen in a box on the screen one
hour after an infected program is run.
Like a few other viruses this one cannot be removed from memory by
pressing Ctrl-Alt-Del. It will simply fake a "reboot" and remain in RAM.
Alabama will only infect .EXE files, increasing their size by 1560 bytes.
Unlike most other resident viruses, it will not automatically infect
every new program executed. When a program is run, Alabama will instead
search for some other program to infect - probably so the program being
executed will get the blame. It will only be infected if no uninfected
file is found in the current directory.
Every Friday the virus will do something odd. It searches for a file to
infect as described above, and executes it instead of the file the user was
planning to execute. A bit weird ...!
One variant of this virus, Alabama-B is also known. It has been
distributed in the form of a modified SDIR.COM file, but normally Alabama
will not infect .COM files.
Ambulance
As the name indicates, the ambulance virus displays an ambulance on the
screen. It is a 796 byte .COM infecting virus. A related virus, 1067
byte long is also known, but it has not been analyzed yet.
Amoeba
This is a 1392 byte .EXE and .COM infecting virus, but little is yet
known about it. It overwrites the first 1089 bytes of .COM files, placing
the original code at the end and then it appends another 303 bytes.
The name of the virus is derived from the following text found inside it.
SMA KHETAPUNK - Nouvel Band A.M.O.E.B.A
The virus was first reported in Indonesia.
Amstrad/Pixel
This virus is rather interesting. It is a direct-action virus, that will add
847 bytes to the front of any .COM file it finds in the current directory.
The virus code is only around 334 bytes, which made it for a while one of the
shortest PC virus known. The rest contains zeros and an advertisement
for Amstrad computers which is occasionally displayed. Until the virus
reaches the 5th generation, no effects are visible, but in generation 5
or later there is a 50% chance that the message will appear. In a
variant of the virus the message is different:
En tu PC hay un virus RV1, y ésta es su quinta generación.
It has been reported that this virus was also published in a Greek magazine
named "Pixel" in the form of a BASIC program that would create an infected
program when run. This program contained a different message:
"Program sick error: Call doctor or buy PIXEL for cure description"
A disinfection program, written by the virus author was then published in the
next issue of Pixel.
Five other variants of this virus are now known, all from Bulgaria. The
major difference is in the length - 852, 740, 345, 299 and 277 bytes. The
740 byte variant is also known as 'Cancer'. It seems that some virus
writers there are competing with each other to create the shortest
possible version of the virus. The shortest variant, with a length of 277
displays a different message, "PARITY ERROR", simulating a hardware
failure.
AntiPascal
Two viruses, probably from Bulgaria, 605 and 529 byt long, designed to
corrupt .PAS and .BAK files. They are said to have been written as a
revenge against a former employer of the virus author. The viruses are
added to the front of infected programs.
AntiPascal-2
A group of three viruses, 400, 440 and 480 bytes long, which are similar
to the AntiPascal viruses, but somewhat different structurally - for
example they add the virus code to the end of the programs they infect,
rather than the beginning.
April 1.
Here we actually have not one virus, but two different viruses, probably
written by the same author, somewhere in Israel. One of them infects .EXE
files, the other .COM files. The two viruses have the same effect, however.
On April 1st an infected computer will display the following message:
APRIL 1ST HA HA HA YOU HAVE A VIRUS.
The .COM virus is 897 bytes long, but the .EXE virus is a bit longer,
1488 bytes.
Those two viruses were later combined into one, called SURIV 3, which
evolved into the Jerusalem virus.
Armagedon
This virus originated in Greece. It is 1079 byte long, infects .COM files,
other than COMMAND.COM, by adding itself in front of the original program.
This virus has an interesting effect if a Hayes compatible modem is
installed in the computer, including dialing the number 081-141. This is
the number of the "speaking clock" on the island of Crete.
Attention
This 394 byte Russian virus gets its name from the string "ATTENTION"
which is written near the beginning of infected files. Like most of the
other recent Eastern Europe viruses it has not been analyzed yet.
Bebe
This Russian virus contains the following pieces of text:
VIRUS! Skagi "bebe" Fig Tebe !
A translation is not yet available. This is a 1004 byte virus, which
only infects COM files.
Best Wishes
A 1024 byte .COM infecting virus, containing the text
This programm ... With Best Wishes!
The virus has not been analyzed yet, but many programs, including
COMMAND.COM, will not work properly when infected.
Black Monday
The name of this virus is derived from a text string found inside it:
Black Monday 2/3/90 KV KL MAL
This is a 1055 byte virus, which will infect .EXE and .COM files. It is
not possible to restore infected .EXE files, as the virus may overwrite
some bytes at the end of the file.
Blood
A very simple 418 byte non-resident virus from Natal in South-Africa. It
was written by a student, who claims to have no knowledge of how it
"escaped". This virus, just like Kennedy, will only infect .COM files
starting with a JMP statement (E9). Infected programs may occasionally
display the following message when they are executed.
File infected by BLOOD VIRUS version 1.20
Reports of a Blood-2 virus are based on a misunderstanding.
Bulgarian Tiny
This family of viruses currently contains the smallest viruses known -
198, 167, 160, 159, 158, 156, 154, 143, 138, 134 and 133 byte long. They
do nothing of particular interest, but appear to be written in an
attempt to write the smallest virus possible.
Burger
This virus was written by R. Burger, author of the Virdem virus. The
virus is not a serious threat - a 560 byte destructive/overwriting virus,
which is easily noticed as infected programs will not run normally.
As with the 405 virus, disinfection is not possible. A few variants,
slightly modified, possibly in order to bypass some scanning program are
also known.
Carioca
This is a 951 byte .COM virus, which has not been analyzed yet.
Cascade
The Cascade virus, also known as 1701 or 1704, is probably one of the
most common viruses around. The problem is just that it is often not
detected, because it produces no obvious effects. In the original
version, the virus contained code that was set to "go off" between
Oct 1. and Dec 31. 1988, shortly after an infected program is run.
The effect is actually quite amusing - the characters on the screen fall
down and end in a heap on the bottom.
There is a bug in some versions of the virus - it seems that the author
intended the virus to infect all computers, except those from IBM.
However, it did not work as planned - the virus would also infect "true"
IBM machines.
There is one variant of this virus, reported as 17Y4, which is almost
identical to the most common 1704 variant. One byte has been changed,
probably due to a random "mutation". This, however, has resulted in a
"bug" in the virus. Another mutated variant is also known - it infects
the same file over and over.
Christmas in Japan
This is a 600 byte virus from Japan, reported to activate on Dec. 25.
It only infects .COM files, but has not been fully analyzed yet.
DataCrime
The DataCrime virus was probably written in W. Germany or the Netherlands.
It caused much panic around Oct. 13th 1989 when it was set to go off. Any
infected program run on Oct. 13 or later in the year would format the
first nine tracks of the hard disk and display the message
DATACRIME VIRUS RELEASED: 1 MARCH 1989
Since this virus is currently very rare, it is not a serious threat, but
it could become a problem in the future.
The two variants of this virus, 1280 and 1168 are practically equivalent,
but another virus, called "DataCrime II" exists as well. It infects .EXE
and .COM files, but the original "DataCrime" could only infect .COM files.
DataCrime 2 is also a bit larger, 1514 bytes long and more complicated
than the original virus. The latest variant, called DataCrime II-B is
very similar to DataCrime II, but is only 1480 bytes long.
Datalock
A new, 920 byte virus, which has not been fully analyzed yet. It will
infect .EXE files, but only some .COM files including COMMAND.COM.
dBase
The dBase virus is very rare, but rather curious. It is clearly intended
to garble dBase files, or rather any file with a name that ends in .DBF.
If the virus is active in memory when a program writes to a .DBF file, it
will garble all the outgoing data. However, when the data is read back
later, the virus will correct the garbled data.
There is just one problem. If the virus is detected and removed, the data
will be useless because the virus will not be present to "de-garble"
it when it is read back.
There is a more harmful side to this virus. If an attempt is made to
write to a .DBF file that is more that three months old, the virus will
try to destroy the FAT and root directory on drives D:, E: .... Z:
There is a bug in the code, however, so the destruction will be rather
unpredictable.
The dBase virus will only infect .COM files, increasing their size by
1864 bytes.
December 24th
This virus was discovered in Iceland on Dec. 24th 1989. Several computers
refused to run any programs at all on that date, but simply displayed the
message "Gledileg jol" ("Merry Christmas") instead. The virus is a variant
of the Icelandic-2 virus, but with several minor corrections and modifications.
One out of every ten programs run is checked to see if it is a non-infected
.EXE file. If so, the virus adds 848-863 bytes to the file.
Destructor
The name of this virus is derived from the following string which is
stored inside it:
DESTRUCTOR V4.00 (c) 1990 by ATA
This is a 1150 byte wirus, which infects COM as well as EXE files.
Devil's Dance
A .COM infector reported to have originated in Spain or Mexico. It adds
951 bytes to the end of any file it infects. It will infect the same file
over and over until it become too large to fit in memory. The virus traps
INT 9 (the keyboard interrupt) and when CTRL-ALT-DEL is pressed it will
display the message:
DID YOU EVER DANCE WITH THE DEVIL IN THE WEAK MOONLIGHT ?
PRAY FOR YOUR DISKS!!
The Joker
The virus also monitors any keystrokes, activating when 2000 are reached.
It will then change the colors of any text displayed on the screen. When
5000 keystrokes are reached the virus will trash the first copy of the
FAT.
Diamond
This is a 1024 byte virus from Bulgaria, which has been reported as
bearing some resemblance to the "Eddie" virus, possibly written by the
"Dark Avenger" as well. The virus makes some effort to disable any
debugger program used to monitor it, but does not seem to do anything of
particular interest.
DIR
This Bulgarian virus will infect files when the DIR command is given,
hence the name. It is 691 bytes long, and will only infect .COM files.
no destructive code has been found in the virus.
Doteater
A rather primitive 944 byte virus, probably written in Poland. It infects
only .COM files, and when it activates it will remove all dots (.) from
the screen.
Durban (Saturday the 14th)
This virus infects both .EXE and .COM files. It first adds 1-16 bytes to
the files it infects length, so they end on a paragraph boundary. Then 669
additional bytes, containing the virus itself are written to the end.
Durban is a resident virus, using a method similar to that used by Jerusalem
to check if it already installed.
On any Saturday the 14th, the first 100 logical sectors of drive C, then B,
then A are overwritten with rubbish.
Dyslexia
Another name for this virus is "Solano", indicating its origin in Solano
county in California. It is 2000 bytes long, adding 1991 bytes in front
of .COM files, and 9 bytes at the end. The virus may prevent the proper
execution of some programs, but does no serious damage. It is reported
to transpose adjacent characters on the screen. The name is hidden in
encrypted form inside the virus.
Eddie
This virus contains two interesting text strings:
"Eddie lives...somewhere in time"
and
"This program was written in the city of Sofia (C) 1988-89 Dark Avenger"
"Eddie" is probably the skeleton mascot of the heavy metal band "Iron Maiden".
This was the first virus reported to have originated in Bulgaria, but
it was soon followed by many other.
There is only one thing unusual about this virus. It remains resident,
just as many other viruses, but it will not only infect a program when it
is run, but also when the program file is read. This means that a harmless
program that opened each .EXE and .COM file in turn, for example to check
them for infection, could easily cause an "epidemic".
The virus will infect .EXE and .COM files, adding 1800 bytes to the
length. COMMAND.COM will be one of the first programs to become infected.
When an infected program is run, there is a 1-in-16 chance that the virus
will trash a random disk sector.
One 2000 byte variant is known. It is also from Bulgaria, probably
written by the same author as the original one. It has been improved a
bit - you won't see an increase in file length when you issue a DIR
command. The third known variant, also by "Dark Avenger" is 2100 bytes
long.
Inside the virus one finds the following string
Copy me - I want to travel
or, in some versions
Only the Good die young...
The virus author also included the following string in the virus:
Copyright (C) 1989 by Vesselin Bontchev
Vesselin Bontchev, however, is a Bulgarian author of anti-virus programs,
and has has nothing to do with the creation of the virus. The reason
this message appears is that the virus searches for it in every program
executed, and halts the computer when it is found.
The author of the virus - Dark Avenger - has distributed the source
and several new viruses can be expected in this family. One has appeared
in the Soviet Union. It is known as "Hymn" and is 1865 bytes long.
Eddie II
A fairly harmless virus from Bulgaria - called "Eddie II" because it
contains the string "Eddie lives". This string is similar to the string
contained in the original "Eddie" virus. Eddie II can infect .EXE files
as well as .COM files, but unlike most other .EXE infecting viruses, it
does not pad them so their length becomes a multiple of 16 bytes, before
they are infected. Infected files are marked with a value of 62 in the
"seconds" field of the timestamp, which makes them immune to infection by
Vienna or Zero Bug. Infected files grow by 651 bytes, but this increase
will not be seen if a "DIR" command is given, because the virus intercepts
the "find-first" and "find-next" functions, and if the "seconds" field
contains 62, the virus will decrement the file length by 651. Apart
from this the virus does nothing of interest.
Fellowship
The name of this virus is derived from the following text, which can be
found inside it:
This message is dedicated to
all fellow PC users on Earth
Towards A Better Tomorrow
And A Better Place To Live In
The virus is actually not very friendly - it attaches it to the end of
.EXE files, but may overwrite the last 20 bytes or so of the original
file. The virus itself is 1019 bytes long. It may cause further damage,
but it has not yet been analyzed.
Flash
This virus probably originated in Germany. It adds 688 bytes to any .COM
or .EXE file it infects. The virus is still awaiting full analysis.
Flip
The Flip virus is 2343 bytes long, and infects both .EXE and .COM files
as well as boot sectors of hard disks. When the virus activates on a
computer with an EGA or VGA display adapter, it will "flip" the screen
horizontally and switch to a special character set, which reverses each
character. This effect only happens on the second day of each month,
between 16:00 and 16:59. The method used to infect boot sector is
similar to that used by the V-1 virus, except the Flip virus will only
infect hard disks, not diskettes.
Frodo (4096, IDF)
The Frodo virus infects both .EXE and .COM files. It is very advanced in
some ways, being able to hide the infection by using a method similar to
that used by the "Zero Bug" virus. If the virus is active in memory and
you look at the directory, the virus will show you the original length of
any infected program. The virus seems to be able to cause damage to data,
as files may become crosslinked when it is active
It activates on Sept. 22. when it may attempt to place a Trojan on boot
sectors. This Trojan will display the message "FRODO LIVES" in large
letters on the screen, surrounded by a moving pattern. The code to write
the Trojan to the disk seems to be garbled in all known versions of the
virus and will probably "hang" the computer.
The length of infected files increases by 4096 bytes, but a variant "Fish 6",
3584 bytes long was recently reported. The effects of this variants are
not known yet.
Fu Manchu
The author of the Fu Manchu virus seems to have intended to write one of
the most humorous viruses around. He started with the Jerusalem virus,
removed the harmful part of it and added several new features:
The virus will censor the text the user types, deleting two four letter
words.
It will also take action if the user types "Thatcher", "Reagan", "Botha",
or "Waldheim". In those cases it will add comments to the text.
When Ctrl-Alt-Del is pressed, the virus will display the message
The world will hear from me again!
In other respects the virus is similar to the Jerusalem virus. It will
infect both .EXE and .COM files, making them grow by about 2086 bytes.
Fumble
The "Fumble" virus is a small, memory resident .COM infecting virus that
will generate typing errors, every now and then. That is, if you press
the "R" key for example, it will occasionally insert another letter like
"E" in the text instead. The only unusual feature of this virus is that it
will only infect programs on odd-numbered days.
Infected .COM files grow by 867 bytes.
GhostBalls
This virus was written in Iceland and first discovered there in October
1989. It contains the following text strings:
GhostBalls, Product of Iceland
Copyright (c) 1989, 4418 and 5F19
It will infect .COM files, making them grow in size by 2351 bytes.
Basically it is just the Vienna virus - the variant in the book by Ralf
Burger to be specific, with an extra twist. When an infected program is
run, the virus will search for other programs to infect, but also try to
place a modified copy of the Ping-Pong virus on the diskette in drive A,
provided it is a 360K diskette. This Ping-Pong variant has been changed,
so that it is not infectious, but it will also work on a '286 machine.
This modified boot sector is not a virus, but F-DISINF will remove it.
Guppy
This is simple, 152 byte virus, which only infects .COM files, and may
infect the same file over and over. Like the Kennedy virus, it will only
infect files starting with a JMP.
Hallöchen
This is a .COM and .EXE infector, probably written in W-Germany. It
contains two text strings:
Hallöchen !!!!!!, Here I'm..
Acrivate Level 1..
This virus is a bit unusual in some ways - for example it will not infect
"old" files. If the value of the "month" or "year" fields in the
timestamp is different from the current date, the file will not be
infected.
The virus does not modify the creation date when it infects the virus,
and like most other viruses it is easily able to defeat the read-only
attribute. It will only infect files larger than 5000 bytes, increasing
their length by 2011 bytes.
The major effect is reported to be garbling of keyboard input.
Icelandic
This virus was first found in Iceland in June '89. If only infects files
with names ending in .EXE. When an infected program is run, it will hide
in memory by directly manipulating the Memory Control Blocks. Programs
that watch out for any program "going TSR" will therefore not be able
to catch it.
This virus will mark one cluster on the hard disk as bad, every time it
infects a file.
A minor variant of this virus was later found in Saratoga, and a radically
modified version appeared in Iceland in July '89. This new version
(Icelandic-2) does not use INT 21 calls like the original, but instead
makes direct JMPs into the operating systems. This means that many
protection programs will be unable to catch it. Icelandic-1 is 656 bytes
long, Saratoga is 642 bytes but Icelandic-2 adds 632 bytes to any file it
infects. Actually the file may grow a bit more because all the viruses
will first pad the file so the length becomes a multiple of 16 bytes.
Internal
A 1381 byte .EXE-infecting virus, which may occasionally garble the
screen and display a fake error message.
Itavir
This is a fairly long, 3880 byte, Italian EXE file infector. The virus
is reported to activate after the system has been left running for at
least 24 hours It will then corrupt the boot sector, write out a message
in Italian, and start writing random values to all I/O ports. This is
reported to cause a "hissing" sound from some VGA monitors.
