Shareware Overload

home *** CD-ROM | disk | FTP | other *** search

/ Shareware Overload / ShartewareOverload.cdr / virus / vsum9102.zip / VIRUSSUM.DOC

Wrap

Text File | 1991-02-14 | 531KB | 11,266 lines

VIRUS INFORMATION SUMMARY LIST February 14, 1991 Copyright (C) 1990-1991 by Patricia M. Hoffman. All Rights Reserved. This document contains the compiled information from a continuing research effort by the author into the identification, detection and removal of MS-DOS Computer Viruses. Hopefully, this listing will provide some assistance to those who wish to know more about a particular computer virus. It is not intended to provide a very detailed technical description, but to allow the reader to understand what a virus generally does, how it activates, what it is doing to their system, and most importantly, how to get rid of it. The user of this listing needs to keep in mind that the information provided is up-to-date only to the date of the listing itself. If the listing is one month old, some items may not be accurate. Also, with the wide dispersion of researchers and the various names that the same virus may be known by, some of the information may not be entirely accurate. Lastly, as new variants of known viruses are isolated, some of the characteristics of the variant may be different. There are five sections to the listing. The first section is an introduction which explains the format of the information in the listing and includes the code information used in some fields. The second section is the actual virus information listing. The third section is a cross-reference of common names for MS-DOS computer viruses and indicates what name to use for the virus in the second section. The fourth section, added with the July 1990 release and in the works for many months, is a chart showing relationships between various viruses and variants. Lastly, there is a fifth section which is a revision history of the listing. Anti-Viral products mentioned in the listing are either commonly available shareware or public domain programs, or they are commercial products which have been submitted for evaluation and review by the product's author with "no strings attached". All Anti-Viral products are reviewed at the most recent release level available to the author. In some cases, this may not be the most recent release. All testing is done against the author's virus collection, results using a different collection of viruses and variants may differ. Special thanks go to John McAfee for reviewing the listing before it is distributed, and to numerous others who have sent their comments, suggestions, and encouraging support. The Virus Information Summary List may be freely distributed by non-commercial systems and non-profit organizations, as long as the distribution file is not altered, and no more than a reasonable cost-of-duplication fee is charged. The author of this document does not consider the United States Government or any of its numerous entities to be a "non-profit organization", therefore they are expressly prohibited from using or distributing this document without the author's permission. CompuServe, and Genie are also expressly permitted to carry this file for distribution purposes only, they are not to be construed as being licensed for internal use of the document. The Virus Information Summary List may not be used in a business, corporation, organization, government, or agency environment without a negotiated site license. While this document may be referenced in the documentation for some anti-viral products, the document is not to be construed as being included in any site license not negotiated with the author, Patricia M. Hoffman, or Roger Aucoin. Licensing information for the Virus Information Summary List can be requested from the author via US Mail from the address, or by voice or FAX at the phone numbers below: Patricia M. Hoffman 1556 Halford Avenue, #127 Santa Clara, CA 95051 Voice: 1-408-246-3915 FAX : 1-408-246-3915 Roger Aucoin can be contacted for United States and Canadian site licensing information via US Mail from the address, or by voice or FAX as indicated below: Roger Aucoin Vacci Virus 84 Hammond Street Waltham, MA 02154 Voice: 1-617-893-8282 FAX : 1-617-969-0385 For sites outside of the United States and Canada, or for information about becoming a VSUM agent, Jim Lynch should be contacted as indicated below: Jim Lynch, International Marketing Manager c/o Patricia M. Hoffman 1556 Halford Avenue, #127 Santa Clara, CA 95051 Direct Voice: 1-408-727-7966 Direct FAX : 1-408-727-7967 I can also be reached through my Bulletin Board System, Excalibur! BBS, at 1-408-244-0813. Future versions of this listing may also be obtained through Excalibur!. Patricia M. Hoffman ------------------------------------------------------------------------------- Virus Information Summary List Introduction & Entry Format Each of the entries in the list consists of several fields. Below is a brief description of what is indicated in each of the fields. For fields where codes may appear, the meaning of each code in indicated. Virus Name: Field contains one of the more common names for the virus. The listing is alphabetized based on this field. Aliases: Other names that the same virus may be referred to by. These names are aliases or A.K.A.'s. V Status: This field contains one of the following values which indicate how common the virus is in the public domain. Common: The virus is one of the most common viruses reported to various groups which gather virus infection statistics. Most of these groups are in the United States. Where a virus has had many reports from a specific geographic area, the V Status field will contain "Common - xxxxxxxxx" where xxxxxxxxx is an indicator of geographic location. Endangered: The "Endangered" classification of viruses are viruses that are very uncommon and were fairly recently discovered or isolated. Due to some characteristics of these viruses, it is highly unlikely that they will ever become a widespread problem. It doesn't mean that they don't exist, just that the probability of someone getting these viruses is fairly low. Extinct: The "Extinct" classification is for viruses which at one time may have been widespread (ie. they are not a research virus which was never released into the public domain), but have not had a reported infection in at least one year. "Extinct" viruses will also include "viruses" which were submitted which actually don't replicate due to a flaw in their viral code, but if the flaw were corrected they might be successful. It is still possible that someone could become infected with one of these viruses, but the probability is extremely low. Myth: "Myth" viruses are viruses which have been discussed among various groups for some time (in excess of one year), but are not known to actually exist as either a public domain or research virus. Probably the best case of a "Myth" virus is the Nichols Virus. Rare: "Rare" viruses are viruses which were recently (within the last year) isolated but which do not appear to be widespread. These viruses, as a general rule, will be viruses which have characteristics that would make them a possible future problem. "Rare" viruses have a higher probability of someone becoming infected than Endangered or Extinct viruses, but are much less likely to be found than a "Common" virus. Research: A "Research" virus is a virus which was originally received by at least one anti-viral researcher directly from its source or author. These viruses are not known to have been released into the public domain, so they are highly unlikely to be detected on computer systems other than researchers. Rumored: The "Rumored" virus classification are for viruses which the author has received information about, but that no sample of the virus has been made available for analysis. Any viruses in this classification should be considered with a grain of salt, they may not actually exist. Unknown: The "Unknown" classification is for those viruses where the original submission of the virus to anti-viral researchers is suspect for any number of reasons, or that there is very little information known about the origin of the virus. New: The "New" category is for viruses which were recently received by the author but cannot at the present time be researched in depth. Instead of leaving these viruses out of the listing all together, they will be listed but with a "New" status. Discovery: First recorded discovery date. Origin: Author/country of origin Symptoms: Changes to system that may be noticed by users: messages, growth in files, TSRs/ Resident TOM (change in CHKDSK return), BSC - boot sector change (may require cold boot from known-good protected floppy to find), corruption of system or files, frequent re-boots, slowdowns. Origin: Either credited or assumed to be in country of discovery. Eff Length: The length of the viral code after it has infected a program or system component. For boot-sector infectors, the length is indicated as N/A, for not applicable. Type Code: The type codes indicated for a virus indicate general behavior characteristics. Following the type code(s) is a brief text description. The type codes used are: A = Infects all program files (COM & EXE) B = Boot virus C = Infects COM files only D = Infects DOS boot sector on hard disk E = Infects EXE files only F = Floppy (360K) only K = Infects COMMAND.COM M = Infects Master boot sector on hard disk N = Non-resident (in memory) O = Overwriting virus P = Parasitic virus R = Resident (in memory) (below 640k - segment A000) a - in unused portion of allocated memory (does not change free memory, such as virus resident in CLI stack space or unused system memory) Example: LeHigh f - in free (user) memory below TOM (does not prevent overwriting) Example: Icelandic h - in high memory but below TOM (Resides in high system memory, right below TOM. Memory is allocated so it won't be accidently overwritten.) Example: Flash s - in low (system/TSR) memory (reduces free memory, typically uses a normal Int 21/Int 28 TSR) Example: Jerusalem t - above TOM but below 640k (moves Int 12 return) (Reduces total memory size and free memory) Example: Pakistani Brain (above 640k) b - in BIOS/Video/Shadow RAM area (segment A000 - FFFF) e - in extended/expanded memory (above 1 Meg) S = Spawning or companion file virus (This type of virus creates another file on the disk which contains the actual viral code. Example: Aids II) T = Manipulation of the File Allocation Table (FAT) X = Manipulation/Infection of the Partition Table Detection Method: This entry indicates how to determine if a program or system has been infected by the virus. Where the virus can be detected with a shareware, public domain, or readily available commercial program, it is indicated. Note that a "+" after the anti-viral product's version number indicates that versions of the product from the indicated version forward are applicable. Programs referenced in the listing are: AVTK - Dr. Solomon's Anti-Virus Toolkit <commercial> F-PROT - Fridrik Skulason's F-Prot detector/disinfector IBM Scan - IBM's Virus Scanning Program <commercial> Pro-Scan - McAfee Associates' Pro-Scan Program <commercial> VirexPC - MicroCom's VirexPC Program <commercial> VirHunt - Digital Dispatch Inc's VirHunt Program <commercial> ViruScan - McAfee Associates' ViruScan Program ViruScan/X- McAfee Associates' ViruScan Program with /X switch Removal Instructions: Brief instructions on how to remove the virus. Where a shareware, public domain, or readily available commercial program is available which will remove the virus, it is indicated. Programs referenced in the listing are: AntiCrim - Jan Terpstra's AntiCrime program CleanUp - John McAfee's CleanUp universal virus disinfector. Note: CleanUp is only indicated for a virus if it will disinfect the file, rather than delete the infected file. DOS COPY - Use the DOS COPY command to copy files from infected non-bootable disks to newly formatted, uninfected disks. Note: do NOT use the DOS DISKCOPY command on boot sector infected disks, or the new disk will also be infected! DOS SYS - Use the DOS SYS command to overwrite the boot sector on infected hard disks or diskettes. Be sure you power down the system first, and boot from a write protected master diskette, or the SYS command will copy the infected boot sector. F-PROT - Fridrik Skulason's F-Prot detector/disinfector, Version 1.07. M-3066 - Traceback virus disinfector. MDisk - MD Boot Virus Disinfector. Be sure to use the program which corresponds to your DOS release. Pro-Scan - Pro-Scan Virus Identifier/Disinfector <Commercial>. Saturday - European generic Jerusalem virus disinfector. Scan/D - ViruScan run with the /D option. Scan/D/A - ViruScan run with the /D /A options. Scan/D/X - ViruScan run with the /D /X options. UnVirus - Yuval Rakavy's disinfector for Brain, Jerusalem, Ping Pong, Ping Pong-B, Typo Boot, Suriv 1.01, Suriv 2.01, and Suriv 3.00 viruses. VirexPC - MicroCom's VirexPC Detector/Disinfector Note: VirexPC is only indicated if it will actually disinfect the virus, not just delete the infected file. VirHunt - Digital Dispatch Inc's VirHunt Detector/Disinfector Note: VirHunt is only indicated if it will actually disinfect the virus on all major variants. Virus Buster - Yuval Tal's Virus Buster Detector/Disinfector General Comments: This field includes other information about the virus, including but not limited to: historical information, possible origin, possible damage the virus may cause, and activation criteria. ------------------------------------------------------------------------------- Virus Information Summary List MS-DOS Virus Information Virus Name: 382 Recovery Virus Aliases: 382 V Status: Rare Discovery: July, 1990 Symptoms: first 382 bytes of .COM files overwritten, system hangs, spurious characters on system display, disk drive spinning Origin: Taiwan Eff Length: N/A Type Code: ONAK - Overwriting Non-Resident .COM & .EXE Infector Detection Method: ViruScan V66+, Pro-Scan 2.01+ Removal Instructions: Scan/D, or Delete infected files General Comments: The 382 Recovery Virus was isolated in July 1990 in Taiwan. It is a non-resident generic infector of .COM and .EXE files, including COMMAND.COM. Each time a program infected with the 382 Recovery Virus is executed, the virus will check the current directory for a .COM files that has not been infected with the virus. If it finds an uninfected .COM file, it will infect it. If the original file was less than 382 bytes in length, the infected file will now be 382 bytes in length. Files which were originally greater than 382 bytes in length will not show any increase in length. Infected files always have the first 382 bytes of the file overwritten to contain the virus's code. Once all .COM files in the current directory are infected, the next time an infected .COM file is executed the virus will rename all .EXE files to .COM files. These renamed files, however, may or may not later become infected. Symptoms of the 382 Recovery Virus being present on a file are that the program will not execute properly. In some cases, the program will hang upon execution requiring the system to be rebooted. In other cases, spurious characters will appear on the system display and the program will not run. Lastly, the system may do nothing but leave the disk drive spinning, requiring the system to be powered off and rebooted. Since the first 382 bytes of infected files have been overwritten, the infected files cannot be recovered. The original 382 bytes of the file are permanently lost. Infected files should be deleted or erased and replaced with backup copies known to be free of infection. Virus Name: 405 Aliases: V Status: Extinct Discovery: 1987 Symptoms: .COM files fail to run, first 405 bytes of .COM files overwritten Origin: Austria or Germany Eff Length: N/A Type Code: ONC - Overwriting Non-Resident .COM Infector Detection Method: ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan 1.4+, VirexPC 1.1+, VirHunt 2.0+ Removal Instructions: Scan/D/X, F-Prot, or delete infected files General Comments: The 405 virus is an overwriting virus which infects only .COM files in the current directory. If the length of the .COM file was originally less than 405 bytes, the resulting infected file will have a length of 405 bytes. This virus currently cannot recognize .COM files that are already infected, so it will attempt to infect them again. The 405 Virus doesn't carry an activation date, and doesn't do anything but replicate in the current directory. However, since it overwrites the first 405 bytes of .COM files, infected files are not recoverable except by replacing them from uninfected backups or master distribution disks. Virus Name: 512 Aliases: 512-A, Number of the Beast Virus, Stealth Virus V Status: Rare Discovery: November, 1989 Origin: Bulgaria Symptoms: Program crashes, system hangs, TSR. Eff Length: 512 Bytes Type Code: PRCK - Parasitic Resident .COM Infector Detection Method: ViruScan V58+, VirexPC 1.1+ Removal Instructions: CleanUp V58+ General Comments: The 512 virus is not the same as the Original Friday The 13th COM virus. The 512 virus was originally isolated in Bulgaria in November, 1989, by Vesselin Bontchev. It infects .COM files, including COMMAND.COM, installing itself memory resident when the first infected program is run. After becoming memory resident, any .COM file openned for any reason will become infected if its uninfected length is at least 512 bytes. Systems infected with the 512 virus may experience program crashes due to unexpected errors, as well as system hangs. Damage may occur to infected files if the system user runs CHKDSK with the /F parameter as the length of the program in the directory entry will not match the actual disk space used. CHKDSK will then adjust the file allocation resulting in damaged files. The virus's alias of "Number of the Beast" Virus is because the author of the virus used a signature of text 666 near the end of the virus to determine if the file is already infected. Since 512 adds its viral code to the end of infected files, it is easy to verify that a file is infected by the 512 virus by checking for this signature. Known variant(s) of the 512 Virus are: 512-B : Similar to the 512 Variant, except that the DOS version check in the original virus has been omitted. The author's signature of '666' has been omitted. 512-C : Similar to the 512-B Variant, minor code changes. 512-D : Similar to the 512-C Variant, except that the virus no longer checks to see if a file has the System Attribute on it before infecting it. Virus Name: 646 Aliases: Vienna C V Status: Rare Discovery: October, 1990 Symptoms: COMMAND.COM & .COM growth Origin: Unknown Eff Length: 646 Bytes Type Code: PNCK - Parasitic Non-Resident COM Infector Detection Method: ViruScan V71+, Pro-Scan 2.01+ Removal Instructions: Pro-Scan 2.01+, Scan/D, or Delete infected files General Comments: The 646 Virus was discovered in October, 1990. Its origin is unknown. This virus is a non-resident infector of .COM files, including COMMAND.COM. When a file infected with the 646 Virus is executed, the virus will infect one other .COM file in the current directory. Infected files will increase in size by 646 bytes, with the virus being located at the end of the infected file. Infected files can be easily identified as they will always end with the hex string: "EAF0FFFFFF". This virus appears to do nothing except replicate. Virus Name: 903 Aliases: V Status: New Discovery: January, 1991 Symptoms: .COM file growth; TSR; System hangs Origin: France Eff Length: 903 Bytes Type Code: PRsCK - Parasitic Resident COM Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The 903 Virus was discovered France in January, 1991. This virus is not a particularly viable virus since replicated samples will not further replicate. It is possible that the original sample is corrupted. This virus infects .COM program, including COMMAND.COM. When the original sample of 903 is executed, this virus will install itself memory resident as a 1,216 byte low system memory TSR. It will hook interrupt 21. At that time, it will infect COMMAND.COM, adding 903 bytes to the beginning of the program. The following message is then displayed: "Fichier introuvable" Once memory resident, this virus will infect up to three .COM programs in the current directory if the original sample is again executed. Later execution of infected files (other than the original) will not result in the virus spreading to other files. The virus will also infect files when the DOS Copy command is used, but only if the source and target files are in the current directory. Infected .COM programs will have a file size increase of 903 bytes, the virus will be located at the beginning of the infected program. The file date and time in the disk directory will not be altered by the virus. If 903 becomes memory resident from other than the original sample, it will not replicate to other .COM programs. The "Fichier introuvable" message is not displayed with other than the original sample. Some programs may hang when they are executed on infected systems. It is unknown if 903 does anything destructive. Virus Name: 1008 Aliases: Suomi, Oulu V Status: Rare Discovery: June, 1990 Symptoms: COMMAND.COM growth, Internal Stack Errors, System Halt on Boot Origin: Helsinki, Finland Eff Length: 1,008 Bytes Type Code: PRCK - Parasitic Resident COM Infector Detection Method: ViruScan V64+, F-Prot 1.12+, Pro-Scan 2.01+ Removal Instructions: Scan/D, F-Prot 1.12+, Pro-Scan 2.01+, or delete infected files General Comments: The 1008 Virus was discovered in June, 1990 by Petteri Jarvinen of Helsinki, Finland. It is a memory resident .COM infector, and will infect COMMAND.COM. This virus is also sometimes referred to as the Suomi Virus. The first time a program infected with the 1008 virus is executed, the virus will install itself memory resident. COMMAND.COM is also infected at this time, resulting in its length increasing by 1,008 Bytes. The increase in file size of COMMAND.COM cannot be seen by doing a directory listing if the virus is present in memory. Booting a system with an infected copy of COMMAND.COM may result in an internal stack error, and the system being halted. This effect was noted on the author's test machine which is a 640K XT-clone running Microsoft MS-DOS Version 3.30. After the virus is memory resident, it will infect any .COM file which is executed, adding 1,008 bytes to the file length. The file length increase cannot be seen by doing a directory listing if the virus is present in memory. Virus Name: 1210 Aliases: Prudents Virus V Status: Rare Discovery: December, 1989 Symptoms: .EXE growth, disk write failure, TSR Origin: Spain Eff Length: 1,210 Bytes Type Code: PRE - Parasitic Resident .EXE Infector Detection Method: ViruScan V61+, Pro-Scan 1.4+, F-Prot 1.12+, VirHunt 2.0+ Removal Instructions: Scan/D, F-Prot 1.12+, VirHunt 2.0+, or delete infected files General Comments: The 1210, or Prudents Virus, was first isolated in Barcelona, Spain, in December 1989. The 1210 is a memory resident virus, infecting .EXE files when they are executed. This virus activates between May 1st and May 4th of any year, causing disk writes to be changed to disk verifies, so writes to the disk never occur between these dates. Virus Name: 1226 Aliases: V1226 V Status: Rare Discovery: July 1990 Symptoms: .COM growth, decrease in system and free memory, system hangs, spurious characters displayed in place of program executing, disk drive spinning Origin: Bulgaria Eff Length: 1,226 Bytes Type Code: PRhC - Parasitic Resident .COM Infector Detection Method: ViruScan V66+, Pro-Scan 2.01+ Removal Instructions: Scan/D, or delete infected files General Comments: The 1226 Virus was isolated in Bulgaria in July 1990 by Vesselin Bontchev. This virus is a memory resident generic .COM infector, though it does not infect COMMAND.COM. The 1226 Virus is a self- encrypting virus, and simple search string algorithms will not work to detect its presence on a system. The first time a program infected with the 1226 virus is executed, the virus will install itself memory resident, reserving 8,192 bytes of memory at the top of free memory. Interrupt 2A will be hooked. Once 1226 is memory resident, the virus will attempt to infect any .COM file that is executed that is at least 1,226 bytes in length before infection. The virus is rather "buggy" and the infection process is not always entirely successful. Successfully infected files will increase in length by 1,226 bytes. This virus will infect .COM files multiple times, it is unable to determine that the file is already infected. Each time the file is infected it will grow in length by another 1,226 bytes. Eventually, the .COM files will grow too large to fit into memory. Systems infected with the 1226 virus may experience unexpected system hangs when attempting to execute programs. Another affect is that instead of a program executing, a line or two of spurious characters will appear on the system display. Lastly, infected systems will always indicate that they have 8,192 less bytes of total system and free memory available than is actually on the machine. There are two later versions of this virus, 1226D and 1226M, which are much better replicators than the original 1226 virus. These two variants are documented as 1226D in this document due to their different characteristics. Also see: 1226D Virus Name: 1226D Aliases: V1226D V Status: Rare Discovery: July 1990 Symptoms: .COM growth, decrease in system and free memory Origin: Bulgaria Eff Length: 1,226 Bytes Type Code: PRhC - Parasitic Resident .COM Infector Detection Method: ViruScan V66+, Pro-Scan 2.01+ Removal Instructions: Scan/D, or delete infected files General Comments: The 1226D Virus was isolated in Bulgaria in July 1990 by Vesselin Bontchev. This virus is a memory resident generic .COM infector, though it does not infect COMMAND.COM. The 1226D Virus is a self- encrypting virus, and simple search string algorithms will not work to detect its presence on a system. The 1226D Virus is based on the 1226 Virus, in fact it is a decrypted version of the 1226 Virus. It is a better replicator, infecting successfully on file opens as well as when .COM files are executed. The first time a program infected with the 1226 virus is executed, the virus will install itself memory resident, reserving 8,192 bytes of memory at the top of free memory. Total system and free memory are decreased by 8,192 bytes. Interrupt 2A will be hooked. Once 1226 is memory resident, the virus will attempt to infect any .COM file that is executed that is at least 1,226 bytes in length before infection. Infected files will increase in length by 1,226 bytes. As with the original 1226 Virus, a .COM file may be infected multiple times by the 1226D Virus as the virus is unable to determine that the file was previously infected. Each infection will result in another 1,226 bytes being added to the infected file's length. Eventually, the .COM files will grow too large to fit into memory. In addition to infecting .COM files when they are executed, the 1226D Virus will infect .COM files with a length of at least 1,226 bytes when they are openned for any reason. The simple act of copying a .COM file with the virus memory resident will result in both the source and target files being infected. Unlike the 1226 Virus, systems infected with the 1226D virus will not experience the system hangs or spurious characters symptomatic of the 1226 virus. Infected system will still indicate that they have 8,192 bytes less of total system memory than is installed on the machine. Known variant(s) of 1226D are: 1226M/V1226M : Similar to the 1226D virus, except that files are not infected on file open, only when they are executed. Also see: 1226 Virus Name: 1253 Aliases: AntiCad, V-1 V Status: Rare Discovery: August, 1990 Symptoms: TSR; BSC; COMMAND.COM & .COM file growth; partition table change Origin: Austria Eff Length: 1,253 Bytes Type Code: PRsBCKX - Parasitic Resident .COM & Partition Table Infector Detection Method: ViruScan V66+, Pro-Scan 2.01+ Removal Instructions: Pro-Scan 2.01+, Scan/D plus MDisk/P General Comments: The 1253 Virus was submitted in August 1990. It is believed to have originated in (or at least to have been first isolated in) Austria. 1253 is a generic infector of .COM files, including COMMAND.COM. It also infects the boot sector of diskettes and the partition table of hard disks. The first time a program infected with the 1253 Virus is executed, the virus will install itself memory resident as a low system memory TSR. The TSR will be 2,128 bytes in length, hooking interrupts 08, 13, 21, and 60. Total system memory will remain unchanged, and free memory will decrease by 2,128 bytes. At this time, the partition table of the system's hard disk is infected with the 1253 virus. If the infected program was executed from a diskette, the diskette's boot sector will also be infected. Each time a .COM file is executed with the virus resident in memory, the .COM file will be infected if it hasn't previously been infected. The 1253 Virus appends its viral code to the end of the .COM file, and then changes the first few bytes of the program to be a jump to the appended code. Infected files increase in length by 1,253 bytes, and the virus makes no attempt to hide the increase when the directory is displayed. Infected files will also have their fourth thru sixth bytes set to "V-1" (hex 562D31). Any diskettes which are accessed while the virus is present in memory will have their boot sector infected with this virus. Newly formatted diskettes, likewise, will be infected immediately. The 1253 virus is destructive when it activates. The author of this listing was able to get it to activate by setting the system date to December 24 and then executing an infected program on drive A:. The virus promptly went and overwrote the entire diskette in drive A: with a pattern of 9 sectors of what appears to be a program fragment. Once the virus has started to overwrite a diskette, the only way to stop the disk activity is to power off the system. The virus in the partition table and/or diskette boot sector is of special note. When the system is booted from the hard disk or diskette with the virus in the partition table or boot sector, the virus will install itself memory resident. At this time, the virus resides above the top of system memory but below the 640K DOS boundary. The change in total system memory and available free memory will be 77,840 bytes. It can be seen with the CHKDSK command. At this time, any .COM program executed will be infected with the 1253 virus, even though no programs on the hard disk may contain this virus before the system boot occurred. One effect of this virus, once the system has been booted from an infected hard drive or floppy is that the FORMAT command may result in unexpected disk activity to inactive drives. For example, on the author's system, when formatting a diskette in drive A: with the current drive being drive C:, there was always disk activity to drive B:. Disinfecting the 1253 virus required that besides disinfecting or deleting infected .COM programs, the hard disks partition table and the boot sector of any diskettes exposed to the infected system must be disinfected. The virus can be removed safely from the partition table and diskette boot sectors by using MDisk with the /P option after powering off the system and rebooting from a write-protected uninfected boot diskette. If the partition table and diskette boot sectors are not disinfected, the system will promptly experience reinfection of .COM files with the virus following a system boot from the hard disk or diskette. Disinfecting the partition table and boot sectors, when done properly, will also result in the system's full memory again being available. It is unknown if there are other activation dates for this virus, or if it will overwrite the hard disk if an infected program is executed on December 24 from the hard disk. Virus Name: 1260 Aliases: V2P1 V Status: Research Discovery: January, 1990 Symptoms: .COM file growth Origin: Minnesota, USA Eff Length: 1,260 Bytes Type Code: PNC - Parasitic Encrypting Non-Resident .COM Infector Detection Method: ViruScan V57+, IBM Scan, Pro-Scan 1.4+, F-Prot 1.12+, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: CleanUp V57+, Pro-Scan 1.4+, F-Prot 1.12+, VirHunt 2.0+ General Comments: The 1260 virus was first isolated in January, 1990. This virus does not install itself resident in memory, but is it extremely virulent at infecting .COM files. Infected files will have their length increased by 1,260 bytes, and the resulting file will be encrypted. The encryption key changes with each infection which occurs. The 1260 virus is derived from the original Vienna Virus, though it is highly modified. This virus was developed as a research virus by Mark Washburn, who wished to show the anti-viral community why identification string scanners do not work in all cases. The encryption used in 1260 is one of many possible cases of the encryption which may occur with Washburn's later research virus, V2P2. Also see: V2P2, V2P6, V2P6Z Virus Name: 1381 Virus Aliases: V Status: Rare Discovery: June, 1990 Symptoms: .EXE growth Origin: Eff Length: 1,381 Bytes Type Code: PNE - Parasitic Non-Resident .EXE Infector Detection Method: ViruScan V64+, Pro-Scan 2.01+ Removal Instructions: Scan/D, or Delete infected files General Comments: The 1381 Virus was isolated in June, 1990. It is a non-resident generic .EXE infector. Each time a program infected with the 1381 Virus is executed, the virus will attempt to infect one other .EXE file on the current drive. An .EXE file will only be infected if it is greater than 1,300 bytes in length before infection. After infection, files will have increased in length by between 1,381 and 1,389 bytes. The virus can be found at the end of infected files. Infected files will also contain the following text strings: "INTERNAL ERROR 02CH. PLEASE CONTACT YOUR HARDWARE MANUFACTURER IMMEDIATELY ! DO NOT FORGET TO REPORT THE ERROR CODE !" It is currently unknown what the 1381 Virus does, or what prompts it to display the above message. Virus Name: 1392 Aliases: Amoeba Virus V Status: Rare Discovery: March, 1990 Symptoms: TSR, .COM & .EXE growth, dates modified Origin: Indonesia Eff Length: 1,392 Bytes Type Code: PRA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V61+, VirexPC 1.1+, F-Prot 1.12+, VirHunt 2.0+ Removal Instructions: Scan/D, F-Prot 1.12+, VirHunt 2.0+, or delete infected files General Comments: The 1392, or Amoeba, Virus was first isolated in Indonesia in March 1990. The 1392 virus is a memory resident virus that infects .COM and .EXE files, including COMMAND.COM. As files are infected, their creation/modification date is changed to the date the files were infected. This virus does not appear to cause any destructive damage. The following message appears in the virus, which is where its alias of Amoeba was derived from: "SMA KHETAPUNK - Nouvel Band A.M.O.E.B.A" Virus Name: 1554 Aliases: Ten Bytes, 9800:0000 Virus, V-Alert, 1559 V Status: Rare Discovery: February, 1990 Symptoms: .COM & .EXE growth, TSR, linkage corruption, system hang Origin: Eff Length: 1,554 Bytes Type Code: PRfAK - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V58+, IBM Scan, Pro-Scan 1.4+, VirexPC 1.1+, AVTK 3.5+, F-Prot 1.12+, VirHunt 2.0+ Removal Instructions: Scan/D, F-Prot 1.12+, VirHunt 2.0+, Pro-Scan 2.01+ General Comments: The 1554 virus was accidently sent out over the VALERT-L network on February 13, 1990 to approximately 600 subscribers. When a program is executed that is infected with the 1554 virus, the virus installs itself memory resident. It will then proceed to infect .COM over 1000 bytes in length and .EXE files over 1024 bytes in length, including COMMAND.COM, increasing their length after infection by 1,554 to 1,569 bytes. The 1554 virus activates in September, October, November, or December of any year. Upon activation, any files which are written will be missing the first ten bytes. At the end of these files, ten bytes of miscellaneous characters will appear. In effect, both programs and data files will be corrupted. If the 1554 Virus is executed on a system with less than 640K of system memory, the virus will hang the system. Virus Name: 1575 Aliases: 1577, 1591 V Status: New Discovery: January, 1991 Symptoms: .COM & .EXE growth; decrease in total system & available memory; Sluggishness of DIR commands; file date/time changes Origin: Taiwan Isolated: Ontario, Canada Eff Length: 1,575 Bytes Type Code: PRfAk - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, Clean-Up V74+, or Delete infected files General Comments: The 1575 virus was first isolated in Ontario, Canada, in January, 1991. This virus has been widely reported, and is believed to be from the Far East, probably Taiwan. It is a memory resident infector of .COM and .EXE files, and will infect COMMAND.COM. When the first program infected with the 1575 Virus is executed, the virus will install itself memory resident in 1,760 to 1,840 bytes at the top of system memory, but below the 640K DOS boundary. This memory is not reserved, and may be overwritten later by another program. Interrupt 21 will be hooked by the virus. COMMAND.COM on the system C: drive root directory will also be infected at this time. Once the 1575 Virus is memory resident, it will infect one .COM and one .EXE program on the current drive whenever a DOS Dir or Copy command is executed. This virus does not spread when programs are executed. Infected files will have their file date and time in the DOS directory updated to the system date and time when the infection occurred. Their file lengths will also show an increase of between 1,577 and 1,591 bytes. This virus will be located at the end of infected files. It is not know if 1575 does anything besides replicate. Known variant(s) of the 1575 Virus are: 1575-B : This variant is functionally similar to the 1575 Virus described above. The major difference is that this variant reserves the memory it occupies at the top of system memory, though the interrupt 12 return is not moved. Virus Name: 1605 Aliases: V Status: Rare Discovery: September, 1990 Symptoms: .COM & .EXE growth; TSR; system slowdown Origin: Unknown Eff Length: 1,605 Bytes Type Code: PRsA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V67+, Pro-Scan 2.01+ Removal Instructions: Scan/D, or Delete infected files General Comments: The 1605 Virus was uploaded to John McAfee's Homebase BBS by an anonymous user in September, 1990. The origin of this virus is unknown. The 1605 Virus is a memory resident infector of .COM and .EXE files, and it does not infect COMMAND.COM. It is based roughly on the Jerusalem B Virus. The first time a program infected with the 1605 Virus is executed, the virus will install itself memory resident as a low system memory TSR of 1,728 bytes. Interrupts 13 and 21 will be hooked by the virus. At this time, the system will slowdown by approximately 15-20%. After becoming memory resident, any .COM or .EXE file executed will be infected by the virus. .COM files will increase in size by 1,605 bytes in all cases with the virus's code being located at the beginning of the file. .EXE files will increase in size by between 1,601 and 1,610 bytes with the virus's code being located at the end of the infected file. Other than replicating, it is unknown if this virus carries any damage potential. Virus Name: 1704 Format Aliases: V Status: Rare Discovery: January, 1989 Symptoms: TSR, Falling letters, .COM growth, formatted disk Origin: Eff Length: 1,704 Bytes Type Code: PRC - Parasitic Encrypting Resident .COM Infector Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC, AVKT 3.5+, VirHunt 2.0+ Removal Instructions: CleanUp, Scan/D, F-Prot, Pro-Scan, VirexPC, VirHunt 2.0+ General Comments: Like the Cascade Virus, but the disk is formatted when the virus activates. Activation occurs during the months of October, November, and December of any year except 1993. Virus Name: 1720 Aliases: PSQR Virus V Status: Rare Discovery: March, 1990 Symptoms : TSR, .COM & .EXE growth, partition table damage on activation, programs on diskette deleted on Friday The 13ths Origin: Spain Eff Length: 1,720 Bytes Type Code: PRsA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V61+, VirexPC 1.1+, F-Prot 1.12+, VirHunt 2.0+, Pro-Scan 2.01+ Removal Instructions: Scan /D, VirHunt 2.0+, or delete infected files General Comments: The 1720, or PSQR Virus, is a variant of the Jerusalem Virus which was first isolated in Barcelona, Spain, in March 1990. This virus, infects .COM and .EXE files, though unlike Jerusalem, it does not infect Overlay files. COMMAND.COM will also not be infected. The first time an infected file is executed, the virus will install itself memory resident, and then infect each executable file as it is run. On Friday The 13ths, the 1720 Virus will activate the first time an infected program is executed. When the program is executed, it will be deleted from disk. More damaging, however, is that the 1720 virus will check to see if the system has a hard disk drive. If a hard disk drive is present, the virus will overwrite the boot sector and partition table resulting in all data on the hard disk becoming unavailable. The system will also appear to hang. Virus Name: 4096 Aliases: Century Virus, FroDo, IDF Virus, Stealth Virus, 100 Years Virus V Status: Common Discovery: January, 1990 Symptoms: .COM, .EXE, & overlay file growth; TSR hides growth; crosslinks; corruption of data files Origin: Israel Eff Length: 4,096 Bytes Type Code: PRsA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V53+, F-Prot, IBM Scan, Pro-Scan, VirexPC 1.1+, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: CleanUp V62+, Pro-Scan 1.4+, F-Prot, VirHunt 2.0+, or see note below General Comments: The 4096 virus was first isolated in January, 1990. This virus is considered a Stealth virus in that it is almost invisible to the system user. The 4096 virus infects .COM, .EXE, and Overlay files, adding 4,096 bytes to their length. Once the virus is resident in system memory, the increase in length will not appear in a directory listing. Once this virus has installed itself into memory, it will infect any executable file that is opened, including if it is opened with the COPY or XCOPY command. This virus is destructive to both data files and executable files, as it very slowly crosslinks files on the system's disk. The crosslinking occurs so slowly that it appears there is a hardware problem, the virus being almost invisible. The crosslinking of files is the result of the virus manipulating the FATs, changing the number of available sectors, as well as the user issuing CHKDSK/F commands which will think that the files have lost sectors or crosslinking if the virus is in memory. As a side note, if the virus is present in memory and you attempt to copy infected files, the new copy of the file will not be infected with the virus if the new copy does not have an executable file extension. Thus, one way to disinfect a system is to copy off all the infected files to diskettes with a non-executable file extension (ie. don't use .EXE, .COM, .SYS, etc) while the virus is active in memory, then power off the system and reboot from a write protected (uninfected) system disk. Once rebooted and the virus is not in memory, delete the infected files and copy back the files from the diskettes to the original executable file names and extensions. The above will disinfect the system, if done correctly, but will still leave the problem of cross-linked files which are permanently damaged. On or after September 22 of any year, the 4096 virus will hang infected systems. This appears to be a "bug" in the virus in that it goes into a time consuming loop. The 4096 virus also contains a boot-sector within its code, however, it is never written out to the disk's boot sector. Moving this boot sector to the boot sector of a diskette and rebooting the system will result in the message "FRODO LIVES" being displayed. September 22 is Bilbo and Frodo Baggin's birthday in the Lord Of The Rings trilogy. An important note on the 4096 virus: this virus will also infect some data files. When this occurs, the data files will appear to be fine on infected systems. However, after the system is later disinfected, these files will now be corrupted and unpredictable results may occur. Known variant(s) of the 4096 virus include: 4096-B : Similar to the 4096 virus, the main change is that the encryption mechanism has been changed in order to avoid detection. 4096-C : Isolated in January, 1991, this variant of 4096 is similar to the original virus. The major difference is that the DOS ChkDsk command will not show any cross-linking of files or lost clusters. A symptom of infection by this variant is that the disk space available according to a DIR command will be more than the disk space available according to the DOS ChkDsk program. Virus Name: 4870 Overwriting Aliases: V Status: New Discovery: February, 1991 Origin: Unknown Symptoms: Programs fail to execute; Program corruption Eff Length: 4,870 Bytes Type Code: ONAK - Overwriting Non-Resident .COM & .EXE Infector Detection Method: Removal Instructions: Delete infected files General Comments: The 4870 Overwriting Virus was isolated in February, 1991. It's origin or isolation point is not known. This virus is a non-resident direct action virus that infects .COM and .EXE programs, including COMMAND.COM. When a program infected with the 4870 Overwriting Virus is executed, the virus will search the current directory for an uninfected .COM or .EXE file. The first such uninfected file located will be infected by the virus. Infected programs will have the first 4,870 bytes of the candidate program overwritten by the virus. If the program's original length was 4,870 bytes or more, there will be no increase in the file length in the DOS directory. If the program's original length was less than 4,870 bytes, then the program's length in the DOS directory will now be 4,870 bytes. The file's date and time in the directory will not be altered. Programs infected with the 4870 Overwriting Virus will not execute properly. Once the virus checked for a program to infect, and infected the candidate program if one was found, the virus will terminate and return the user to a DOS prompt. A side note on this virus: the virus itself is compressed with the LZEXE utility, which accounts for much of the 4,870 bytes of viral code. Programs infected with this virus will have the markers of LZEXE version .91 found in the first 4,870 bytes of the infected program. It is not possible to disinfect programs infected with the 4870 Overwriting Virus as the first 4,870 bytes of the original program are lost. Infected programs must be deleted or erased, then replaced with clean copies. Virus Name: 5120 Aliases: VBasic Virus, Basic Virus V Status: Rare Discovery: May, 1990 Origin: West Germany Symptoms: .COM & .EXE growth, file corruption, unexpected disk activity Eff Length: 5,120 Bytes Type Code: PNAK - Parasitic Non-Resident .COM & .EXE Infector Detection Method: ViruScan/X V67+, Pro-Scan 1.4+, F-Prot 1.12+ Removal Instructions: Scan/D/X, Pro-Scan 1.4+, F-Prot 1.12+, Pro-Scan 2.01+, or Delete infected files General Comments: The 5120 Virus was first isolated in May, 1990. It is a non- resident generic file infector, infecting .COM and .EXE files, including COMMAND.COM. This virus is was written in compiled Turbo Basic with some assembly language. When an infected file is executed, the 5120 virus will infect one .COM and one .EXE file on the current drive and directory, followed by attempting to infect one randomly selected .COM or .EXE file in each directory on the system's C: drive. Infected .COM files increase in length by 5,120 bytes. .EXE files infected by the 5120 Virus will increase in length by between 5,120 and 5,135 bytes. Unlike most of the MS-DOS viruses, the 5120 Virus does not intercept disk write errors when attempting to infect programs. Thus, infected systems may notice disk write error messages when no access should be occurring for a drive, such as the C: hard disk partition. Data files may become corrupted on infected systems, as well as crosslinking of files may occur. The following text strings can be found in files infected with the 5120 virus. These strings will appear near the end of the file: "BASRUN" "BRUN" "IBMBIO.COM" "IBMDOS.COM" "COMMAND.COM" "Access denied" There is one variant of the 5120 Virus which does not contain the above strings, but behaves in a very similar manner. This second variant is not indicated here as the author does not have a copy. Virus Name: AIDS Aliases: Hahaha, Taunt, VGA2CGA V Status: Endangered Discovery: 1989 Symptoms: Message, .COM file corruption Origin: Eff Length: N/A Type Code: ONC - Overwriting Non-Resident .COM Infector Detection Method: ViruScan/X V67+, Pro-Scan, VirexPC 1.1+, AVTK 3.5+ Removal Instructions: Scan/D/X, or delete infected .COM files General Comments: The AIDS virus, also known as the Hahaha virus in Europe and referred to as the Taunt virus by IBM, is a generic .COM and .EXE file infector. When the virus activates, it displays the message "Your computer now has AIDS", with AIDS covering about half of the screen. The system is then halted, and must be powered down and rebooted to restart it. Since this virus overwrites the first 13,952 bytes of the executable program, the files must be deleted and replaced with clean copies in order to remove the virus. It is not possible to recover the overwritten portion of the program. Note: this is NOT the Aids Info Disk/PC Cyborg Trojan. Known variant(s) of Aids are: Aids B : Very similar to the original Aids Virus, this variant is also 13,952 bytes in length. Unlike the original virus, it will only infect .COM files, as well as COMMAND.COM, and does not activate as the original virus did. Instead, this variant will occasionally issue the following error message: "I/O error 99, PC=2EFD Program aborted". This variant was received in January, 1991, origin unknown. Virus Name: Aids II Virus Aliases: Companion Virus V Status: Endangered Discovery: April, 1990 Symptoms: Creates .COM files, melody, message Origin: Eff Length: 8,064 Bytes Type Code: SNA - Spawning Non-Resident .COM & .EXE Infector Detection Method: ViruScan/X V67+, Pro-Scan 1.4+ Removal Instructions: Scan/D/X, or delete corresponding .COM files General Comments: The Aids II Virus, or Companion Virus, was isolated for the first time in April 1990. Unlike other generic file infectors, the Aids II Virus is the first known virus to employ what could be termed a "corresponding file technique" of infection so that the original target .EXE file is never changed. The virus takes advantage of the DOS feature where if a program exists in both .COM and .EXE form, the .COM file will be executed. The Aids II Virus does not directly infect .EXE files, instead it stores a copy of the virus in a corresponding .COM file which will be executed when the user tries to execute one of his .COM files. The .EXE file, and the .COM file containing the viral code will both have the same base file name. The method of infection is as follows: when an "infected" program is executed, since a corresponding .COM file exists, the .COM file containing the viral code is executed. The virus first locates an uninfected .EXE file in the current directory and creates a corresponding (or companion) .COM file with the viral code. These .COM files will always be 8,064 Bytes in length with a file date/time of the date/time of infection. The .EXE file is not altered at all. After creating the new .COM file, the virus then plays a melody and displays the following message, the "*" indicated below actually being ansi heart characters: "Your computer is infected with ... * Aids Virus II * - Signed WOP & PGT of DutchCrack -" The Aids II Virus then spawns to the .EXE file that was attempting to be executed, and the program runs without problem. After completion of the program, control returns to the Aids II Virus. The melody is played again with the following message displayed: "Getting used to me? Next time, use a Condom ....." Since the original .EXE file remains unaltered, CRC checking programs cannot detect this virus having infected a system. One way to manually remove the Aids II Virus is to check the disk for programs which have both a .EXE and a .COM file, with the .COM file having a length of 8,064 bytes. The .COM files thus identified should be erased. The displayed text strings do not appear in the viral code. Virus Name: AirCop Aliases: V Status: Rare Discovery: July, 1990 Isolated: Washington, USA Symptoms: BSC; System Halt; Message; decrease in system and free memory Origin: Taiwan Eff Length: N/A Type Code: FR - Resident Floppy Boot Sector Infector Detection Method: ViruScan V66+, Pro-Scan 2.01+ Removal Instructions: MDisk or DOS SYS command General Comments: The AirCop Virus was discovered in the State of Washington in the United States in July, 1990. Some early infections of this virus, however, have been traced back to Taiwan, and Taiwan is probably where it originated. AirCop is a boot sector infector, and it will only infect 360K 5.25" floppy diskettes. When a system is booted from a diskette which is infected with the AirCop virus, the virus will install itself memory resident. The AirCop Virus installs itself memory resident at the top of high system memory. The system memory size and available free memory will decrease by 1,024 bytes when the AirCop virus is memory resident. AirCop hooks interrupt 13. Once AirCop is memory resident, any non-write protected diskettes which are then accessed will have their boot sector infected with the AirCop virus. AirCop will copy the original disk boot sector to sector 719 (Side 1, Cyl 39, Sector 9 on a normal 360K 5.25" diskette) and then replace the boot sector at sector 0 with a copy of the virus. If a boot sector of a diskette infected with the AirCop virus is viewed, it will be missing almost all of the messages which normally appear in a normal boot sector. The only message remaining will be: "Non-system..." This will be located just before the end of the boot sector. The AirCop Virus will do one of two things on infected systems, depending on how compatible the system's software and hardware is with the virus. On most systems, the virus will display the following message at random intervals: "Red State, Germ Offensive. AIRCOP." On other systems, the virus being present will result in the system receiving a Stack Overflow Error and the system being halted. In this case, you must power off the system in order to be able to reboot. AirCop currently does not infect hard disk boot sectors or partition tables. AirCop can be removed from infected diskettes by first powering off the system and rebooting from a known clean write protected DOS master diskette. The DOS SYS command should then be used to replace the infected diskette's boot sector. Alternately, MDisk can be used following the power-down and reboot. Virus Name: Akuku Aliases: V Status: New Discovery: January, 1991 Symptoms: .COM & .EXE growth; "Error in EXE file" message; Unexpected drive accesses Origin: USSR Eff Length: 891 Bytes Type Code: PNAK - Parasitic Non-Resident .COM & .EXE Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Akuku Virus was isolated in January, 1991, and comes from the USSR. This virus is a non-resident direct action infector of .COM and .EXE files, including COMMAND.COM. When a program infected with Akuku is executed, the virus will infect three programs in the current directory. If three uninfected programs cannot be found in the current directory, the virus will search the disk directory of the current drive, as well as of the C: drive. Both .COM and .EXE programs may become infected, as well as COMMAND.COM. Programs smaller than 1K will not be infected by this virus. Infected programs will increase in length by 891 to 907 bytes, the virus will be located at the end of the infected file. The file date and time in the disk directory will not be altered by the virus. The following text string is contained within the virus's code, and can be found in all infected programs: "A kuku, Nastepny komornik !!!" Some .EXE programs will fail to execute properly after infection by the Akuku Virus. These programs may display an "Error in EXE file" message and terminate when the user attempts to execute them. Virus Name: Alabama Aliases: V Status: Endangered Discovery: October, 1989 Symptoms: .EXE growth, Resident (see text), message, FAT corruption Origin: Israel Eff Length: 1,560 bytes Type Code: PRfET - Parasitic Resident .EXE infector Detection Method: ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: CleanUp, F-Prot, Pro-Scan 1.4+, Scan/D/X, VirHunt 2.0+, or delete infected files General Comments: The Alabama virus was first isolated at Hebrew University in Israel by Ysrael Radai in October, 1989. Its first known activation was on October 13, 1989. The Alabama virus will infect .EXE files, increasing their size by 1,560 bytes. It installs itself memory resident when the first program infected with the virus is executed, however it doesn't use the normal TSR function. Instead, this virus hooks Int 9 as well as making use of IN and OUT commands. When a CTL-ALT-DEL combination is detected, the virus causes an apparent boot but remains in RAM. The virus loads itself 30K under the highest memory location reported by DOS, and does not lower the amount of memory reported by BIOS or DOS. After the virus has been memory resident for one hour, the following message will appear in a flashing box: "SOFTWARE COPIES PROHIBITED BY INTERNATIONAL LAW.............. Box 1055 Tuscambia ALABAMA USA." The Alabama virus uses a complex mechanism to determine whether or not to infect the current file. First, it checks to see if there is an uninfected file in the current directory, if there is one it infects it. Only if there are no uninfected files in the current directory is the program being executed infected. However, sometimes instead of infecting the uninfected candidate file, it will instead manipulate the FATs to exchange the uninfected candidate file with the currently executed file without renaming it, so the user ends up thinking he is executing one file when in effect he is actually executing another one. The end result is that files are slowly lost on infected systems. This file swapping occurs when the virus activates on ANY Friday. Virus Name: Alameda Aliases: Merritt, Peking, Seoul, Yale V Status: Rare Discovery: 1987 Symptoms: Floppy boot failures, Resident-TOM, BSC Origin: California, USA Eff Length: N/A Type Code: RtF - Resident Floppy Boot Sector Infector Detection Method: ViruScan, F-Prot, IBM Scan, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: MDisk, CleanUp, F-Prot, or DOS SYS General Comments: The Alameda virus was first discovered at Merritt college in Alameda, California in 1987. The original version of this virus caused no intentional damage, though there is now at least 1 variant of this virus that now causes floppy disks to become unbootable after a counter has reached its limit (Alameda-C virus). The Alameda virus, and its variants, all replicate when the system is booted with a CTL-ALT-DEL and infect only 5 1/4" 360K diskettes. These viruses do stay in memory thru a warm reboot, and will infect both system and non-system disks. System memory can be infected on a warm boot even if Basic is loaded instead of DOS. The virus saves the real boot sector at track 39, sector 8, head 0. The original version of the Alameda virus would only run on a 8086/8088 machine, though later versions can now run on 80286 systems. Also see: Golden Gate, SF Virus Virus Name: Ambulance Car Virus Aliases: RedX V Status: Rare Discovery: June, 1990 Symptoms: .COM growth, graphic display & sound Origin: West Germany Eff Length: 796 Bytes Type Code: PNC - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V64+, F-Prot 1.12+, Pro-Scan 2.01+ Removal Instructions: Scan/D, Pro-Scan 2.01+, or Delete infected files General Comments: The Ambulance Car Virus was isolated in West Germany in June, 1990. This virus is a non-resident .COM infector. When a program infected with the Ambulance Car Virus is executed, the virus will attempt to infect one .COM file. The .COM file to be infected will be located on the C: drive. This virus only infects one .COM file in any directory, and never the first .COM file in the directory. It avoids infecting COMMAND.COM as that file is normally the first .COM file in the root directory. On a random basis, when an infected file is executed it will have the affect of a graphics display of an ASCII block drawing of an ambulance moving across the bottom of the system display. This graphics display will be accompanied with the sound of a siren played on the system's speaker. Both of these effects only occur on systems with a graphics capable display adapter. Virus Name: Amstrad Aliases: V Status: Endangered Discovery: November, 1989 Symptoms: .COM growth, message Origin: Portugal Eff Length: 847 Bytes Type Code: PNC - Parasitic Non-Resident .COM Infector Detection Method: ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, VirexPC 1.1+, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: Scan/D/X, F-Prot, Pro-Scan 1.4+, or delete infected files General Comments: The Amstrad virus was first reported in November, 1989, by Jean Luz of Portugal, however it has been known of in Spain and Portugal for a year prior to that. The virus is a generic .COM infector, but is not memory resident nor does it infect COMMAND.COM. The virus carries a fake advertisement for the Amstrad computer. The Amstrad virus appears to cause no other damage to the system other than replicating and infecting files. Known variants of the Amstrad Virus are: Pixel/V-345 - Similar to the Amstrad virus described above, except that the virus is 345 Bytes in length, can now infect COMMAND.COM, and contains the message: "=!= Program sick error:Call doctor or by PIXEL for cure description". This message is not displayed. The Pixel virus was originally distributed in Greece by Pixel magazine. The Pixel Virus can only infect programs in the current directory. This variant may in fact be the original virus in this family, it is rumored that it was released one year before the appearance of the virus in Portugal. Origin: Greece V-277 - Similar to the Pixel/V-345 virus described above, except that the virus is now 277 Bytes in length, and does not contain any message text. The original message text has been replaced with code to produce a parity error approximately 50% of the time when an infected program is executed. Origin: Bulgaria V-299 - Similar to Pixel, except that the length of the virus is 299 Bytes. Origin: Bulgaria V-847 - Similar to Pixel, except that the length of the virus is 847 Bytes. Origin: Bulgaria V-847B - Similar to V-847, except that the message in the virus is now in Spanish and is: "=!= En tu PC hay un virus RV1, y esta es su quinta generacion". This variant was originally distributed by a magazine in Spain in file NOCARGAR.COM. Origin: Spain V-852 - Similar to the V-847 variant, this variant does not contain any message. It infects all .COM files in the current directory whenever an infected program is executed. If the current directory contains COMMAND.COM, it will be infected as well. The original sample of this variant received by the author did not contain any text, however after replicating on a test system, all infected files then contained text from the video buffer, which implies the submitted sample was the original distribution of the virus. This variant checks byte 4 of .COM files to determine if the file was previously infected, if bytes 4-5 are 'SS', the virus assumes the file is already infected. All infected programs will start with the following hex string, with the nn indicated being a generation number: "EB14905353nn2A2E434F4D004F040000" Origin: Bulgaria Virus Name: Anthrax Aliases: V Status: Rare Discovery: July, 1990 Symptoms: .COM & .EXE growth Origin: Bulgaria Isolated: Netherlands Eff Length: 1040 - 1279 Bytes Type Code: PRAKX - Parasitic Resident .COM, .EXE, & Partition Table Infector Detection Method: ViruScan V66+, Pro-Scan 2.01+ Removal Instructions: Scan/D + MDisk/P, Pro-Scan 2.01+ General Comments: The Anthrax Virus was isolated in July 1990 in the Netherlands after it was uploaded onto several BBSes in a trojan anti-viral program, USCAN.ZIP. It is the second virus to be found in a copy of UScan during July 1990, the first virus being V2100. Anthrax is a memory resident generic infector of .COM and .EXE files, including COMMAND.COM. The first time a program infected with the Anthrax virus is executed on the system's hard disk, the virus will infect the hard disk's partition table. At this point, the virus is not memory resident. It will also write a copy of itself on the last few sectors of the system's hard disk. If data existed on those last few sectors of the hard disk, it will be destroyed. When the system is booted from the hard disk, the Anthrax virus will install itself memory resident. It will remain memory resident until the first program is executed. At that time, it will deinstall itself from being resident and infect one .COM or .EXE file. This virus does not infect files in the current directory first, but instead starts to infect files at the lowest level of the disk's directory tree. Later, when an infected program is executed, Anthrax will infect one .COM or .EXE file, searching the directory structure from the lowest level of the directory tree. If the executed infected program was located on the floppy drive, a .COM or .EXE file may or may not be infected. The Anthrax Virus's code is 1,024 bytes long, but infected programs will increase in length by 1,040 to 1,279 bytes. On the author's test system, the largest increase in length experienced was 1,232 bytes. Infected files will always have an infected file length that is a multiple of 16. The following text strings can be found in files infected with the Anthrax virus: "(c)Damage, Inc." "ANTHRAX" A third text string occurs in the viral code, but it is in Cyrillics. Per Vesselin Bontchev, this third string translates to: "Sofia 1990". Since Anthrax infects the hard disk partition tables, infected systems must have the partition table disinfected or rebuilt in order to remove the virus. This disinfection can be done with either a low- level format or use of the MDisk/P program for the correct DOS version after powering off and rebooting from a write-protected boot diskette for the system. Any .COM or .EXE files infected with Anthrax must also be disinfected or erased. Since a copy of the virus will exist on the last few sectors of the drive, these must also be located and overwritten. Anthrax interacts with another virus: V2100. If a system which was previously infected with Anthrax should become infected with the V2100 virus, the V2100 virus will check the last few sectors of the hard disk for the spare copy of Anthrax. If the spare copy is found, then Anthrax will be copied to the hard disk's partition table. It is not known if Anthrax carries any destructive capabilities or trigger/activation dates. Virus Name: Anti-Pascal Aliases: Anti-Pascal 605 Virus, AP-605, C-605, V605 V Status: Research Discovery: June, 1990 Symptoms: .COM growth, .BAK and .PAS file corruption Origin: Bulgaria Isolated: Sofia, Bulgaria Eff Length: 605 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan/X V67+, Pro-Scan 2.01+ Removal Instructions: Pro-Scan 2.01+, Scan/D/X, or delete infected files General Comments: The Anti-Pascal Virus, V605 or C-605, was isolated in Sofia, Bulgaria in June 1990 by Vesselin Bontchev. Originally, it was thought that the Anti-Pascal virus was from the USSR or Poland, but it has since been determined to have been a research virus written in Bulgaria over one year before it was isolated. The author was not aware that it had "escaped" until July, 1990. The Anti-Pascal Virus is a generic .COM file infector, including COMMAND.COM. While this virus is not memory resident, when it is in the process of infecting files, interrupt 24 will be hooked. When a program infected with the Anti-Pascal virus is executed, the virus will attempt to infect two other .COM files on the current drive or on drive D: which are between 605 and 64,930 bytes in length. These files must not have the read only attribute set. If an uninfected .COM file meeting the virus's selection criteria is found, the first 605 bytes of the program is overwritten with the viral code. The original 605 bytes of the program is then appended to the end of the infected file. Infected files will have increased in length by 605 bytes, and they will also begin with the text string "PQVWS" as well as contain the string "combakpas???exe" at offset 0x17. Infected files will also have had their file date/time stamps in the directory updated to the date/time that the infection occurred. If the Anti-Pascal Virus cannot find two .COM files to infect, it will check the current drive and directory for .BAK and .PAS files. If these files exist, they will be overwritten with the virus's code. If the overwritten files were .PAS files, the system's user has now lost some of their Pascal source code. After overwriting .BAK and .PAS files, the virus will attempt to rename them to .COM files, or .EXE files if a .COM file already exists. This rename does not work due to a bug in the virus. Known variant(s) of the Anti-Pascal Virus are: AP-529 : Similar to the 605 byte Anti-Pascal Virus, the major differences are that AP-529 will only infect .COM files over 2,048 bytes in length. Infected files increase in length by 529 bytes. Additionally, instead of overwriting the .BAK and .PAS files, one .BAK and .PAS file will be deleted if there are no uninfected .COM files with a length of at least 2,048 bytes on the current drive. .COM files on the C: drive root directory may also be infected by AP-529 when it is executed from the A: or B: drive. This variant should be considered a "Research Virus", it is not believed to have been publicly released. Also see: Anti-Pascal II Virus Name: Anti-Pascal II Aliases: Anti-Pascal 400, AP-400 V Status: Research Discovery: June, 1990 Symptoms: .COM growth; .BAK, .BAT and .PAS file deletion, boot sector alteration on hard disk Origin: Bulgaria Isolated: Sofia, Bulgaria Eff Length: 400 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan/X V67+, Pro-Scan 2.01+ Removal Instructions: Pro-Scan 2.01+, Scan/D/X, or delete infected files General Comments: The Anti-Pascal II Virus, or AP-400, was isolated in Sofia, Bulgaria in June 1990 by Vesselin Bontchev. It is one of five viruses/variants in the Anti-Pascal family. Two of the earlier variants, Anti-Pascal/AP-605 and AP-529, are documented under the name "Anti-Pascal". The variants listed under Anti-Pascal II have been separated due to some of their characteristics differing from the 605 byte and 529 byte viruses. The Anti-Pascal II Virus is a generic .COM file infector, including COMMAND.COM. While this virus is not memory resident, when it is in the process of infecting files, interrupt 21 will be hooked. The first time a program infected with the Anti-Pascal II virus is executed on a system, the virus will attempt to infect one (1) .COM file in the root directory of each drive accessible on the system. Files are only infected if their length is at least 2,048 bytes, and the resulting infected file will be less than 64K in length. Since COMMAND.COM is usually the first .COM file on a drive, it will immediately become infected. One additional .COM file will also be infected on the current drive. The mechanism used to infect the file is to write the virus's code to the end of the file. A jump is used to execute the virus's code before the original program is executed. Infected files do not have their date/time stamps in the directory updated to the system date and time when the infection occurred. If the Anti-Pascal Virus cannot find a .COM file to infect on a given drive, or two .COM files to infect on the current drive, it will check for the existence of .BAK, .PAS, or .BAT files. If found, these files will be deleted. These deletions only occur in root directories and on the current drive's current directory. Since each root directory (as well as the current directory) will typically not have all of its .COM files infected at the same time, the deletes will occur on different drives and directories at different times. Symptoms of infection of the Anti-Pascal II Virus include file length increases of 400 bytes, unexpected disk access to drives other than the current drive, and disappearing .BAK, .PAS, and .BAT files. One other symptom of an Anti-Pascal II infection is that the hard disk's boot sector will be slightly altered by the virus. Anti-viral programs which CRC-check the boot sector will indicate that a boot sector infection may have occurred. The boot sector alteration does not contain a live virus, but will throw the system user off into thinking their problem is from a boot sector virus instead of a file infector, and if the disk as a bootable disk, it will not be unbootable. The Anti-Pascal II Virus and its variants indicated below are not believed to have been publicly released. As such, they have been classified as "Research Viruses". Known variant(s) of the Anti-Pascal II Virus are: AP-440 : Very similar to the 400 byte version of the Anti-Pascal II Virus, the major characteristic change is that this variant has a length of 440 bytes. The boot sector is no longer altered by the virus. This variant is an intermediary between AP-480 and the 400 byte version documented above. AP-480 : Similar to the Anti-Pascal II virus, this variant is the version which is 480 bytes in length. It does not delete .BAT files, but only .BAK and .PAS. This variant is the latest variant of the Anti-Pascal II grouping. Also see: Anti-Pascal Virus Name: Armagedon Aliases: Armagedon The First, Armagedon The Greek V Status: Rare Discovery: June, 1990 Symptoms: text string intermittently sent to COM ports Origin: Athens, Greece Eff Length: 1,079 Bytes Type Code: PRC - Parasitic Resident .COM Infector Detection Method: ViruScan V64+, F-Prot 1.12+, Pro-Scan 2.01+ Removal Instructions: Scan/D, F-Prot 1.12+, or Delete infected files General Comments: The Armagedon virus was isolated on June 2, 1990, by George Spiliotis of Athens, Greece. Armagedon is a memory resident virus which infects .COM files, increasing their length by 1,079 bytes. The first time an infected program is executed on a system, the virus installs itself memory resident, hooking interrupts 8 and 21. Any .COM files which are later executed are then infected by the resident virus. Infected systems will experience the text string "Armagedon the GREEK" being sent to COM ports 1 - 4 at time intervals. Between 5:00 and 7:00, the virus will attempt to use the system's COM ports to make a phone call to Local Time Information in Crete, Greece. If a connection is made, the phone line will remain open until the user notices that the phone line is in use. (Needless to say, this doesn't work if the system is located outside of Greece as dialing codes are considerably different between countries.) This virus otherwise is not destructive. Virus Name: Ashar Aliases: Shoe_Virus, UIUC Virus V Status: Common Discovery: Symptoms: BSC, Resident TOM Origin: Eff Length: N/A Type Code: BRt - Resident Boot Sector Infector Detection Method: ViruScan V41+, F-Prot, IBM Scan, Pro-Scan 1.4+, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: MDisk, CleanUp, Pro-Scan 1.4+, F-Prot or DOS SYS command General Comments: The Ashar virus is a resident boot sector infector which is a variant of the Brain virus. It differs from the Brain virus in that it can infect both floppies and hard disk, and the message in the virus has been modified to be: "VIRUS_SHOE RECORD, v9.0. Dedicated to the dynamic memories of millions of virus who are no longer with us today". However, the above message is never displayed. The identification string "ashar" is normally found at offset 04a6 hex in the virus. A variant of the Ashar virus exists, Ashar-B or Shoe_Virus-B, which has been modified so that it can no longer infect hard drives. The v9.0 in the message has also been altered to v9.1. Also see: Brain Virus Name: Attention! Aliases: USSR 394 V Status: Rare Discovery: December, 1990 Symptoms: .COM file growth; decrease in system and available memory; clicking emitted from system speaker on keypress; file date/time changes Origin: USSR Eff Length: 394 Bytes Type Code: PRhCK - Parasitic Resident .COM Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Attention! Virus was submitted in December, 1990 and was originally isolated in the USSR. This virus is a memory resident infector of COM files, including COMMAND.COM. The first time a program infected with the Attention! Virus is executed, the virus will reserve 416 bytes at the top of system memory but below the 640K DOS boundary. The virus becomes memory resident in this area, and hooks interrupt 21. Total system memory and available free memory returned by the DOS ChkDsk command will decrease by 416 bytes. The interrupt 12 return is not moved. After the virus is memory resident, a clicking sound will be emitted by the system speaker each time a key is pressed on the keyboard. Some programs, such as the Edlin program supplied with MS-DOS, will receive an "Invalid drive or file name" message when they are attempted to be executed. Attention! will infect COM files, including COMMAND.COM, when they are executed. The exception is that very small COM files will not become infected. Infected files will increase in length by 394 bytes with the virus being located at the end of the file. Infected programs will also contain the text string: "ATTENTION !" near the beginning of the program. Virus Name: Best Wishes Aliases: Best Wish V Status: Rare Discovery: December, 1990 Symptoms: .COM file growth; decrease in system and available free memory; system hangs; file date/time changes; file not found errors; boot sector modification Origin: USSR Eff Length: 970 Bytes Type Code: PRtCK - Parasitic Resident .COM Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Best Wishes Virus was submitted in December, 1990 and is believed to be from the USSR. Best Wishes is a memory resident infector of COM files, including COMMAND.COM. There is a variant of this virus, Best Wishes B, which is 1,024 bytes in length. The first time a program infected with the Best Wishes Virus is executed, the virus will install itself memory resident in system high memory, but below the 640K DOS boundary. The interrupt 12 return will be moved. Total system memory will decrease by 61,440 bytes, available free memory will decrease by 61,360 bytes. COMMAND.COM will become infected at this time, and the disk's boot sector will also be modified. Disks with the boot sector modification and infected COMMAND.COM will still boot properly. After Best Wishes is resident, the virus will infect COM files as they are executed with a probability of 50%. Infected COM files will increase in length by 970 bytes with the virus being located at the end of the infected file. Infected programs will also have the following text string located near the end of the file: "This programm ... With Best Wishes!" Best Wishes does not restore the original file date and time in the directory when it infects programs, so all infected programs will have their date/time stamps set to the system date and time when infection occurred. Two additional symptoms of a Best Wishes infection are that the user may experience "File not found" errors when the file is actually on disk, as well as system hangs on every fourth program execution. Known variant(s) of Best Wishes are: Best Wishes B - An earlier version of Best Wishes, this variant is 1,024 bytes in length. The major differences are that infected disks will not boot if COMMAND.COM has been modified. Execution of a COM program once the virus is memory resident will result in the program most likely being infected, but the system will also become hung. Virus Name: Black Monday Aliases: V Status: Rare Discovery: September, 1990 Symptoms: .COM & .EXE file growth; TSR; file timestamp changes Origin: Kuala Lumpur, Malaysia Eff Length: 1,055 Bytes Type Code: PRsAK - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V67+, Pro-Scan 2.01+ Removal Instructions: Pro-Scan 2.01+, Scan/D, or Delete infected files General Comments: The Black Monday Virus was isolated in Fiji in September, 1990. It is reported to be widespread in Fiji and other locations in the Far East and Asia. This virus is a memory resident generic infector of .COM and .EXE files, including COMMAND.COM. The first time a program infected with the Black Monday Virus is executed, the virus will install itself memory resident as a low system memory TSR of 2,048 bytes. Interrupt 21 will be hooked by the virus. Once the virus is memory resident, any program which is executed will become infected with the Black Monday Virus. .COM files will increase in length by 1,055 bytes with the virus's code located at the end of the infected files. .EXE files will also increase in length by 1,055 bytes with the virus's code added to the end of the file. This virus does not infect .EXE files multiple times. The virus does not hide the change in file length when the directory is displayed, though a directory display will indicated that the infected file's date/timestamp have been updated to the system date and time when the file was infected. The following text string can be found in all infected files near the beginning of the virus's code: "Black Monday 2/3/90 KV KL MAL" It is unknown when Black Monday activates, or what it does at activation. Virus Name: Blood Aliases: Blood2 V Status: Rare Discovery: August, 1990 Symptoms: .COM file length increase, system reboots and/or hangs, cascading screen effect Origin: Natal, Republic of South Africa Eff Length: 418 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: Pro-Scan 2.0+ Removal Instructions: Delete infected files General Comments: The Blood Virus was submitted by Fridrik Skulason in August, 1990. It was originally isolated in Natal, Republic of South Africa. There are two variants of this virus, Blood and Blood2. This virus is a non-resident infector of .COM files, including COMMAND.COM. When a program infected with the Blood virus is executed, it will infect one .COM file located in the C: drive root directory. The newly infected file will have increased in length by 418 bytes. If the program just infected is COMMAND.COM, a system reboot will occur. Following the system reboot, executing an infected program will result in a cascading effect of the cursor down the screen. The next .COM file executed will then result in the hard disk being accessed followed by the system hanging. Spurious characters from memory may also appear on the screen on the line below the command line. After August 15, execution of an infected program will result in a system hang. Known variant(s) of Blood are: Blood2 : Similar to Blood, with the major difference being that system reboots, system hangs, and the cascading cursor effect no longer occur. This variant also does not hang the system after August 15. Virus Name: Bloody! Aliases: V Status: Rare Discovery: December, 1990 Symptoms: Extended boot time; decrease in system & available memory; message on boot; boot sector & partition table changes Origin: Taiwan Eff Length: N/A Type Code: BRtX - Resident Boot Sector & Partition Table Infector Detection Method: ViruScan V72+ Removal Instructions: See below General Comments: The Bloody! Virus was submitted in December 1990, and infection reports were received from Europe, Taiwan, and the United States. This virus is a memory resident infector of floppy diskette boot sectors as well as the hard disk partition table. When a system is booted from a floppy or hard disk infected with the Bloody! Virus, the virus will install itself memory resident at the top of system memory but below the 640K DOS boundary. Total system memory and available free memory will decrease by 2,048 bytes. The interrupt 12 return will be moved. The system boot will also take much longer than expected. The system's hard disk's partition table will become infected immediately if it was not the source of the system boot. At the time of system boot, the virus also maintains a counter of how many times the infected diskette or hard drive has been booted. Once 128 boots have occurred, the virus will display the following message during the boot: "Bloody! Jun. 4, 1989" June 4, 1989 is the date of the the confrontation in Beijing, China between Chinese students and the Chinese Army in which many students were killed. This message will later be displayed on every sixth boot once the 128 boot limit has been reached. The text message is encrypted within the viral code, so it is not visible in the boot sector. Once Bloody! is memory resident, the virus will infect any diskette or hard disk when a file or program is accessed. Listing a disk directory will not be enough to cause the virus to infect the disk. Infected diskette boot sectors will be missing all of the normal DOS error messages which are normally found in the boot sector. The original boot sector will have been moved to sector 11 on 360K diskettes, a part of the root directory. If there were previously root directory entries in that sector, those files will be lost. On the hard disk, the original partition table will have been moved to side 0, cylinder 0, sector 6. For floppies of other sizes then 360K, they may become unusable or corrupted as the virus does not take into account the existence of these disk types. For diskettes, Bloody! can be removed by powering the system off and then booting from a known-clean, write protected original DOS diskette. The DOS SYS command should then be executed on each of the infected diskettes. To remove the Bloody! Virus from the hard disk's partition table, the original partition table should be located and then copied back to its original position. The other option is to backup the files on the hard disk and low level format the drive. Virus Name: Brain Aliases: Pakistani, Pakistani Brain V Status: Common Discovery: 1986 Symptoms: Extended boot time, Volume label change, Resident TOM, Three contiguous bad sectors (floppy only), BSC Origin: Pakistan Eff Length: N/A Type Code: BRt - Resident Boot Sector Infector Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: MDisk, CleanUp, F-Prot, Pro-Scan, or DOS SYS command General Comments: The Pakistani Brain virus originated in Lahore, Pakistan and infects disk boot sectors by moving the original contents of the boot sector to another location on the disk, marking those 3 clusters (6 sectors) bad in the FAT, and then writing the virus code in the disk boot sector. One sign of a disk having been infected, at least with the original virus, is that the volume label will be changed to "(c) Brain". Another sign is that the label "(c) Brain" can be found in sector 0 (the boot sector) on an infected disk. This virus does install itself resident on infected systems, taking up between 3K and 7K of RAM. The Brain virus is able to hide from detection by intercepting any interrupt that might interrogate the boot sector and redirecting the read to the original boot sector located elsewhere on the disk, thus some programs will be unable to see the virus. The original Brain virus only infected floppies, however variants to the virus can now infect hard disks. Also, some variants have had the "(c) Brain" label removed to make them harder to detect. Known variants of the Brain virus include: Brain-B/Hard Disk Brain/Houston Virus - hard disk version. Brain-C - Brain-B with the "(c) Brain" label removed. Clone Virus - Brain-C but restores original boot copyright label. Clone-B - Clone Virus modified to destroy the FAT after 5/5/92. Also see: Ashar Virus Name: Burger Aliases: 541, 909090h, CIA V Status: Extinct Discovery: 1986 Symptoms: Programs will not run after infection Origin: West Germany Eff Length: 560 Bytes Type Code: ONAK - Overwriting Non-Resident .COM & .EXE Infector Detection Method: ViruScan V67+, Pro-Scan 2.01+ Removal Instructions: Scan /D, or delete infected files General Comments: The Burger, or 909090h, Virus was written and copyrighted in 1986 by Ralf Burger of West Germany. This virus is extinct in the "public domain". This virus is a non-resident overwriting virus, infecting .COM and .EXE files, including COMMAND.COM. When a program infected with the Burger Virus is executed, the virus will attempt to infect one previously uninfected .COM file located in the C: drive root directory. To determine if the program was previously infected, the virus checks to see if the first three bytes of the .COM file are three NOP instructions (909090h). If the first three bytes are the NOP instructions, the virus goes on checking until it finds an uninfected .COM file. If no uninfected .COM file exists, the virus then renames all the .EXE files in the root directory to .COM files and checks those files. Once it finds a .COM file to infect, it overwrites the first 560 bytes of the uninfected program with the virus code. At this point, the program the user was attempting to run will either end or hang the system. Infected programs will never execute properly as the first portion of the program has been destroyed. Systems which have been infected with the Burger Virus will fail to boot once the virus has infected the hard disk boot partition's COMMAND.COM, or the copy of COMMAND.COM on their boot diskette. Infected files can be easily identified by the "909090B8000026A245" hex sequence located in the first nine bytes of all infected files. Infected files cannot be disinfected, they must be replaced from a clean source. Known variant(s) of the Burger virus include: CIA : Discovered in the United States in October, 1990, this virus is similar to the Burger Virus described above. The first nine bytes of all infected files in hex will be: "909090B8000026A3A5". The actual length of this variant is 541 bytes, though the first 560 bytes of infected programs are overwritten. 505 : Similar to the Burger virus, this variant's actual code length is 505 bytes, though the first 560 bytes of infected files will be overwritten. Infected files will have their first nine bytes contain the hex string: "909090B8000026A3A0". 509 : Similar to the Burger virus, this variant's actual code length is 509 bytes, though the first 560 bytes of infected files will be overwritten. Infected files will have their first nine bytes contain the hex string: "909090B8000026A3A4". 541 : Similar to the Burger virus, this variant overwrites the first 560 bytes of infected programs, though the virus's length is actually 541 bytes. Infected programs will start with the hex sequence: "909090B8000026A3A4". Also see: VirDem Virus Name: Carioca Aliases: V Status: Rare Discovery: November, 1990 Symptoms: TSR; .COM growth Origin: Eff Length: 951 Bytes Type Code: PRsC - Parasitic Resident .COM Infector Detection Method: ViruScan V71+, Pro-Scan 2.01+ Removal Instructions: Scan/D, Pro-Scan 2.01+, or Delete Infected Files General Comments: The Carioca Virus was submitted in November, 1990. This virus is a memory resident infector of .COM files, it does not infect COMMAND.COM. The first time a program infected with the Carioca Virus is executed, the virus will install itself memory resident as a 1,280 byte low system memory TSR. Interrupt 21 will be hooked by the virus. The system's available free memory will decrease by 1,312 bytes. After the virus is memory resident, any .COM file executed (with the exception of COMMAND.COM) will become infected with the Carioca Virus. Infected .COM files will show an increase in size of 951 bytes with the virus being located at the end of the infected file. Infected files will have the following hex character string located at the very end of the file: "2EFF1E1A010203CD21". It is unknown if Carioca contains any damage potential. Virus Name: Cascade Aliases: Fall, Falling Letters, 1701, 1704 V Status: Common Discovery: October, 1987 Symptoms: TSR, Falling letters, .COM file growth Origin: Germany Eff Length: 1,701 or 1,704 bytes Type Code: PRsC - Parasitic Resident Encrypting .COM Infector Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: CleanUp, F-Prot, VirexPC, VirHunt 2.0+, Pro-Scan 2.01+ General Comments: Originally, this virus was a trojan horse which was disguised as a program which was supposed to turn off the number-lock light when the system was booted. The trojan horse instead caused all the characters on the screen to fall into a pile at the bottom of the screen. In late 1987, the trojan horse was changed by someone into a memory resident .COM virus. While the original virus had a length of 1,701 bytes and would infect both true IBM PCs and clones, a variation exists of this virus which is 3 bytes longer than the original virus and does not infect true IBM PCs. Both viruses are functionally identical in all other respects. Both of the viruses have some fairly unique qualities: Both use an encryption algorithm to avoid detection and complicate any attempted analysis of them. The activation mechanisms are based on a sophisticated randomization algorithm incorporating machine checks, monitor types, presence or absence of a clock card, and the time or season of the year. The viruses will activate on any machine with a CGA or VGA monitor in the months of September, October, November, or December in the years 1980 and 1988. Known variants of the Cascade virus are: 1701-B : Same as 1701, except that it can activate in the fall of any year. 1704-D : Same as the 1704, except that the IBM selection has been disabled so that it can infect true IBM PCs. 17Y4 : Similar to the Cascade 1704 virus, the only difference is one byte in the virus which has been altered. Cunning: Based on the Cascade virus, a major change to the virus is that it now plays music. Also see: 1704 Format Virus Name: Cascade-B Aliases: Blackjack, 1704-B V Status: Common Discovery: Symptoms: .COM file growth, TSR, random reboots Origin: Germany Eff Length: 1,704 bytes Type Code: PRsC - Parasitic Resident Encrypting .COM Infector Detection Method: ViruScan, F-Prot, IBM Scan, VirexPC, AVTK 3.5+, Pro-Scan, VirHunt 2.0+ Removal Instructions: CleanUp, F-Prot, VirexPC, VirHunt 2.0+ General Comments: The Cascade-B virus is similar to the Cascade virus, except that the cascading display has been replaced with a system reboot which will occur at random time intervals after the virus activates. Other variation(s) which have been documented are: 1704-C : Same as 1704-B except that the virus can activate in December of any year. Virus Name: Casper Aliases: V Status: Rare Discovery: August, 1990 Symptoms: .COM file growth, April 1st disk corruption (see below) Origin: Eff Length: 1,200 bytes Type Code: PNCK - Parasitic Non-Resident Encrypting .COM Infector Detection Method: ViruScan V67+, Pro-Scan 2.01+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Casper Virus was isolated in August, 1990 by Fridrik Skulason of Iceland. The origin of this virus is unknown at this time. Casper is a non-resident generic infector of .COM files, including COMMAND.COM. When a program infected with the Casper Virus is executed, the virus will attempt to infect one .COM program located in the current drive and directory. Infected files will increase in length by 1,200 bytes, with the virus's code being located at the end of the .COM file. The Casper Virus contains the following message, though this message cannot be seen in infected program as Casper uses a complex self- encryption mechanism: "Hi! I'm Casper The Virus, And On April 1st I'm Gonna Fuck Up Your Hard Disk REAL BAD! In Fact It Might Just Be Impossible To Recover! How's That Grab Ya! <GRIN>" On April 1st, when an infected program is executed, this virus will overwrite the first track of the drive where the infected program was executed from. Later attempts to access the drive will result in "Sector not found" errors occurring. The Casper Virus is based on the Vienna virus. Unlike Vienna, it is self-encrypting. The self-encryption mechanism employed is similar to the encryption mechanism used in the V2P6 virus, and requires an algorithmic approach in order to identify it as there are not any identifying strings located in the encrypted virus. Virus Name: Chaos Aliases: V Status: Rare Discovery: December, 1989 Symptoms: Message, TSR, Bad sectors, BSC Origin: England Eff Length: N/A Type Code: BR - Resident Boot Sector Infector Detection Method: ViruScan V53+ Removal Instructions: MDisk, CleanUp, or DOS SYS Command General Comments: First reported in December, 1989 by James Berry of Kent, England, the Chaos virus is a memory resident boot sector infector of floppy and hard disks. When the Chaos virus infects a boot sector, it overwrites the original boot sector without copying it to another location on the disk. Infected boot sectors will contain the following messages: "Welcome to the New Dungeon" "Chaos" "Letz be cool guys" The Chaos virus will flag the disk as being full of bad sectors upon activation, though most of the supposed bad sectors are still readable. It is unknown what the activation criteria is. Virus Name: Christmas In Japan Aliases: Xmas In Japan V Status: Rare Discovery: September, 1990 Symptoms: .COM file growth; Message Origin: Taiwan Eff Length: 600 Bytes Type Code: PNCK - Resident Non-Resident .COM Infector Detection Method: ViruScan V67+, Pro-Scan 2.01+ Removal Instructions: Scan/D, Pro-Scan 2.01+, or Delete infected files General Comments: The Christmas In Japan Virus was isolated in Taiwan in late September, 1990. As of early October, it is reported to be widespread in Japan. This virus is a 600 byte non-resident generic infector of .COM files. It will infect COMMAND.COM. When a program infected with the Christmas In Japan Virus is executed, the virus will infect zero to one other .COM file in the current directory. If a file is infected, it will increase in length by 600 bytes, with the virus being located at the end of the infected file. On December 25, if an infected file is executed, the following message will be displayed in the center of the screen: "A merry christmas to you" The message will flash and will be underlined for approximately half the time it is displayed. If left alone, the message will go away after a little while and the program will execute normally, but the message will return when another infected .COM file is executed. This virus does not appear to do any malicious damage. Virus Name: Christmas Virus Aliases: Tannenbaum, XA1, 1539 V Status: Endangered Discovery: March, 1990 Symptoms: .COM file growth, display, Partition table destruction Origin: Germany Eff Length: 1,539 Bytes Type Code: PNCX - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V61+, VirexPC, VirHunt 2.0+, Pro-Scan 2.01+ Removal Instructions: Scan/D, VirHunt 2.0+, Pro-Scan 2.01+, or delete infected files General Comments: The Christmas Tree, or XA1, Virus was first isolated in March 1990 by Christoff Fischer of West Germany. This virus is an encrypting virus which will only infect .COM files. On April 1st of any year, the Christmas Tree virus will activate, destroying the partition table of infected hard disks the first time an infected program is executed. During the period from December 24 until January 1st of any year, when an infected program is executed, the virus will display a full screen picture of a christmas tree. Virus Name: Cookie Aliases: V Status: New Discovery: January, 1991 Symptoms: .COM & .EXE growth; system hangs Origin: Unknown/Europe Eff Length: 2,232 bytes Type Code: PNAK - Parasitic Non-Resident .COM & .EXE Infector Detection Method: ViruScan, F-Prot, VirexPC Removal Instructions: Scan/D, or Delete infected files General Comments: The Cookie Virus was received in January, 1991, it is believed to have originated in Europe. This virus is based on the SysLock Virus, though it is considerably shorted in length. Some anti-viral utilities will identify this virus as SysLock, though it is listed here separately due to its differences in characteristics. It is a non-resident direct action virus which infects .COM and .EXE files, including COMMAND.COM. When a program infected with the Cookie Virus is executed, the virus will search the current drive and directory for a file to infect. The virus first looks for a .COM file to infect. If an uninfected .COM file is located, it will become infected. If an uninfected .COM file is not found, the virus will then look for an uninfected .EXE file to infect. In other words, all the .COM files in the directory will become infected before any of the .EXE files in that directory are infected. Infected files will show a file length increase of between 2,232 and 2,251 bytes in length. The virus will be located at the end of the infected file. Infected files will not have their date and time in the disk directory altered. Systems infected with the Cookie Virus may experience system hangs when some infected programs are executed. In some cases, the infected program will stop functioning properly after a number of executions, though this does not always occur. This virus has also been reported to possibly display the message "I want a COOKIE!", though the sample received doesn't exhibit this behavior. Also see: SysLock Virus Name: Dark Avenger Aliases: Black Avenger, Eddie, Diana V Status: Common Discovery: September, 1989 Symptoms: TSR; .COM, .EXE, .SYS file growth; File/Disk Corruption Origin: Bulgaria Isolated: Davis, California, USA Eff Length: 1,800 bytes Type Code: PRsAK - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V36+, F-Prot, IBM Scan, Pro-Scan, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: CleanUp, Pro-Scan 1.4+, F-Prot, VirHunt 2.0+ General Comments: Dark Avenger was first isolated in the United States at the University of California at Davis. It infects .COM, .EXE, and overlay files, including COMMAND.COM. The virus will install itself into system memory, becoming resident, and is extremely prolific at infecting any executable files that are openned for any reason. This includes using the DOS COPY and XCOPY commands to copy uninfected files, both the source and the target files will end up being infected. Infected files will have their lengths increased by 1,800 bytes. The Dark Avenger Virus does perform malicious damage. The virus maintains a counter in the disk's boot sector. After each sixteenth file is infected, the virus will randomly overwrite a sector on the disk with a copy of the disk's boot sector. If the randomly selected sector is a portion of a program or data file, the program or data file will be corrupted. Programs and data files which have been corrupted by a sector being overwritten are permanently damaged and cannot be repaired since the original sector is lost. If you are infected with Dark Avenger, shutdown your computer and reboot from a Write Protected boot diskette for the system, then carefully use a disinfector, following all instructions. Be sure to re-scan the system for infection once you have finished disinfecting it. The Dark Avenger virus contains the words: "The Dark Avenger, copyright 1988, 1989", as well as the message: "This program was written in the city of Sofia. Eddie lives.... Somewhere in Time!". This virus bears no resemblance or similarity to the Jerusalem viruses, even though they are similar in size. Known variant(s) of Dark Avenger are: Dark Avenger-B : Very similar to the Dark Avenger virus, the major difference is that .COM files will be reinfected, adding 1,800 bytes to the file length with each infection. This variant also becomes memory resident in high system memory instead of being a low system memory TSR. Text strings found in the virus's code include: "Eddie lives...somewhere in time!" "Diana P." "This program was written in the city of Sofia" "(C)1988-1989 Dark Avenger" Also see: V2000, V1024, V651 Virus Name: Datacrime Aliases: 1168, Columbus Day V Status: Extinct Discovery: April, 1989 Symptoms: .COM file growth, floppy disk access; formats hard disk, message any day from Oct 13 to Dec 31. Origin: Holland Eff Length: 1,168 bytes Type Code: PNC - Parasitic Non-Resident .COM Infector Detection Method: ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: AntiCrim, Scan/D/X, Pro-Scan 1.4+, VirexPC, F-Prot, VirHunt 2.0+ General Comments: The Datacrime virus is a parasitic virus, and is also known as the 1168 virus. The Datacrime virus is a non-resident virus, infecting .COM files. The virus was originally discovered in Europe shortly after its release in March, 1989. The virus will attach itself to the end of a .COM file, increasing the file's length by 1168 bytes. The first 5 bytes of the host program are stored off in the virus's code and then replaced by a branch instruction so that the virus code will be executed before the host program. In order to propagate, the virus searches thru directories for .COM files, other than COMMAND.COM and attaches to any found .COM files (except for where the 7th letter is a D). Hard drive partitions are searched before the floppy drives are checked. The virus will continue to propagate until the date is after October 12 of any year, then when it is executed it will display a message. The decrypted message is something like: "DATACRIME VIRUS" "RELEASED: 1 MARCH 1989". Note: only this ASCII message is encrypted in this version. A low-level format of the hard disk is then done. Errors in the code will make .COM file infection appear random and will often make the system crash following infection. Unlike the other variants of Datacrime, the original Datacrime virus does not replicate, or infect files, until after April 1 of any year. Lastly, if the computer system is using an RLL, SCSI, or PC/AT type hard disk controller, all variants of the Datacrime virus are not able to successfully format the hard disk, according to Jan Terpstra of the Netherlands. Also see: Datacrime II, Datacrime IIB, Datacrime-B Virus Name: Datacrime II Aliases: 1514, Columbus Day V Status: Endangered Discovered: September, 1989 Symptoms: .EXE & .COM file growth, formats disk Origin: Netherlands Eff Length: 1,514 bytes Type Code: PNAK - Non-Resident Encrypting .COM & .EXE Infector Detection Method: ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: AntiCrim, Scan/D/X, Pro-Scan 1.4+, VirexPC, F-Prot, VirHunt 2.0+ General Comments: The Datacrime II virus is a variant of the Datacrime virus, the major characteristic changes are that the effective length of the virus is 1,514 bytes, and that it can now infect both .COM and .EXE files, including COMMAND.COM. There is also an encryption mechanism in the Datacrime II virus. The Datacrime II virus will not format disks on Mondays. Also see: Datacrime, Datacrime IIB, Datacrime-B Virus Name: Datacrime IIB Aliases: 1917, Columbus Day V Status: Endangered Discovered: November, 1989 Symptoms: .EXE & .COM growth, formats disk, floppy disk access. Origin: Netherlands Eff Length: 1,917 bytes Type Code: PNAK - Non-Resident Encrypting .COM & .EXE Infector Detection Method: ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, VirexPC, VirHunt 2.0+ Removal Instructions: AntiCrim, Scan/D/X, F-Prot, VirexPC, VirHunt 2.0 General Comments: The Datacrime IIB virus is a variant of the Datacrime II virus, and was isolated by Jan Terpstra of the Netherlands in November, 1989. This virus, as with Datacrime II, infects generic .COM & .EXE files, including COMMAND.COM, adding 1,917 bytes to the file length. The virus differs from Datacrime II in that the encryption method used by the virus to avoid detection has been changed. The Datacrime IIB virus will not format disks on Mondays. Also see: Datacrime, Datacrime II, Datacrime-B Virus Name: Datacrime-B Aliases: 1280, Columbus Day V Status: Extinct Discovered: April, 1989 Symptoms: .EXE file growth, formats MFM/RLL hard drives, odd floppy disk access. Origin: Netherlands Eff Length: 1,280 bytes Type Code: PNE - Parasitic Non-Resident Generic .EXE Infector Detection Method: ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: AntiCrim, Scan/D/X, VirexPC, Pro-Scan 1.4+, F-Prot, VirHunt 2.0 General Comments: The Datacrime-B virus is a variant of the Datacrime virus, the differences being that the effective length of the virus is 1,280 bytes, and instead of infecting .COM files, .EXE files are infected. Also see: Datacrime, Datacrime II, Datacrime II-B Virus Name: DataLock Aliases: DataLock 1.00, V920 V Status: Common Discovered: November, 1990 Symptoms: .EXE & COMMAND.COM file growth; decrease in system and available memory; file date/time changes Origin: USA Eff Length: 920 bytes Type Code: PRtEK - Parasitic Resident .EXE and COMMAND.COM Infector Detection Method: ViruScan V71+, Pro-Scan 2.01+ Removal Instructions: Clean-Up V71+, or Delete infected files General Comments: The DataLock, or V920, Virus was isolated in many locations in the United States starting on November 1, 1990. This virus is a generic memory resident infector of .EXE files, but it will also infect COMMAND.COM if it is executed. The first time a program infected with the DataLock Virus is executed, the virus will install itself memory resident at the top of free memory, but below the 640K DOS boundary. Infected systems will find that total system memory and available free memory will be 2,048 bytes less than is expected. Interrupt 21 will be hooked by the virus. After the virus is memory resident, any .EXE file that is executed will be infected by the virus. Infected files will have a file length increase of 920 bytes, and their date/time indicated in the disk directory will have been changed to the system date and time when the infection occurred. The virus is located at the end of infected files. The following text, indicating the virus's name, can be found at the end of all infected files: "DataLock version 1.00" It is unknown if DataLock carries an activation date, or its potential for damage. Virus Name: dBASE Aliases: DBF Virus V Status: Extinct Discovered: September, 1988 Symptoms: .COM & .OVL file growth, corrupt .DBF files, TSR, FAT and root directory overwritten Origin: New York, USA Eff Length: 1,864 bytes Type Code: PRC - Parasitic Resident .COM and Overlay Infector Detection Method: ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: Scan/D/X, Pro-Scan 1.4+, F-Prot, VirHunt 2.0+ General Comments: The dBASE virus was discovered by Ross Greenberg of New York. This virus infects .COM & .OVL files, and will corrupt data in .DBF files by randomly transposing bytes in any open .DBF file. It keeps track of which files and bytes were transposed in a hidden file (BUG.DAT) in the same directory as the .DBF file(s). The virus restores these bytes if the file is read, so it appears that nothing is wrong. Once the BUG.DAT file is 90 days old or more, the virus will overwrite the FAT and root directory on the disk. After this virus has been detected, if you remove the infected dBASE program and replace it with a clean copy, your DBF files that were openned during the period that you were infected will be useless since they are garbled on the disk even though they would be displayed as expected by the infected dBASE program. Virus Name: Den Zuk Aliases: Search, Venezuelan V Status: Common Discovered: September, 1988 Symptoms: Message, floppy format, TSR, BSC Origin: Indonesia Eff Length: N/A Type Code: RtF - Resident Floppy Boot Sector Infector Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: MDisk, CleanUp, F-Prot, Pro-Scan 1.4+, or DOS SYS command General Comments: The Den Zuk virus is a memory-resident, boot sector infector of 360K 5 1/4" diskettes. The virus can infect any diskette in a floppy drive that is accessed, even if the diskette is not bootable. If an attempt is made to boot the system with an infected non-system disk, Den Zuk will install itself into memory even though the boot failed. After the system is booted with an infected diskette, a purple "DEN ZUK" graphic will appear after a CTL-ALT-DEL is performed if the system has a CGA, EGA, or VGA monitor. While the original Den Zuk virus did not cause any damage to the system, some variants maintain a counter of how many times the system has been rebooted, and after the counter reaches its limit, the floppy in the disk drive is reformatted. The counter in these variants of the virus is usually in the range of 5 to 10. The following text strings can be found in the viral code on diskettes which have been infected with the Den Zuk virus: "Welcome to the C l u b --The HackerS-- Hackin' All The Time The HackerS" The diskette volume label of infected diskettes may be changed to Y.C.1.E.R.P., though this change only occurs if the Den Zuk virus removed a Pakistani Brain infection before infecting the diskette with Den Zuk. The Den Zuk virus will also remove an Ohio virus infection before infecting the diskette with Den Zuk. The Den Zuk virus is thought to be written by the same person or persons as the Ohio virus. The "Y.C.1.E.R.P." string is found in the Ohio virus, and the viral code is similar in many respects. Also see: Ohio Virus Name: Destructor V4.00 Aliases: Destructor V Status: New Discovered: December, 1990 Symptoms: .COM & .EXE growth; decrease in system and available free memory Origin: Bulgaria Eff Length: 1,150 Bytes Type Code: PRtAK - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Destructor V4.00 Virus was received in December, 1990. This virus is from Bulgaria, and is a memory resident infector of .COM and .EXE files, including COMMAND.COM. When the first program infected with the Destructor V4.00 Virus is executed, the virus will install itself memory resident at the top of system memory but below the 640K DOS boundary. Interrupt 12's return is moved. Total system memory and available free memory will be 1,216 bytes less than what is expected on the infected system. At this time, the virus will also infect COMMAND.COM if it is not already infected. Once Destructor V4.00 is memory resident, it will infect programs as they are openned or executed. Infected .COM programs will have increased in size by 1,150 bytes. .EXE programs will have increased in size by 1,154 to 1,162 bytes. In both cases, the virus will be located at the end of the infected file. This virus does not alter the file's date/time in the disk directory, and it also makes no attempt to hide the file length increase on infected programs. The following text string can be found in files infected with this virus: "DESTRUCTOR V4.00 (c) 1990 by ATA It is unknown what Destructor V4.00 does, if anything, besides replicate. Virus Name: Devil's Dance Aliases: Mexican V Status: Rare Discovered: December, 1989 Symptoms: Message, .COM growth, FAT corruption, TSR Origin: Mexico Eff Length: 941 Bytes Type Code: PRCT - Parasitic Resident .COM Infector Detection Method: ViruScan V52+, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: Scan/D, Pro-Scan 1.4+, VirHunt 2.0+, or delete infected files General Comments: The Devil's Dance virus was first isolated in December, 1989, by Mao Fragoso of Mexico City. The Devil's Dance virus increases the size of infected .COM files by 941 bytes, and will infect a file multiple times until the file becomes too large to fit in available system memory. Once an infected program has been run, any subsequent warm- reboot (CTL-ALT-DEL) will result in the following message being displayed: "DID YOU EVER DANCE WITH THE DEVIL IN THE WEAK MOONLIGHT? PRAY FOR YOUR DISKS!! The Joker" The Devil's Dance virus is destructive. After the first 2,000 keystrokes, the virus starts changing the colors of any text displayed on the system monitor. After the first 5,000 keystrokes, the virus erases the first copy of the FAT. At this point, when the system is rebooted, it will display the message above and again destroy the first copy of the FAT, then allow the boot to proceed. Virus Name: Dir Virus Aliases: V Status: New Discovered: January, 1991 Symptoms: .COM growth; TSR; Sluggishness of DIR commands; File allocation errors Origin: USSR Eff Length: 691 Bytes Type Code: PRsCK - Parasitic Resident .COM Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Dir Virus was submitted in January, 1991. It originated in the USSR. The Dir Virus is a memory resident infector of .COM programs, including COMMAND.COM. The first time a program infected with the Dir Virus is executed, the virus will install itself memory resident as a low system memory TSR of 1,008 bytes. Interrupt 21 will be hooked by the virus. If COMMAND.COM is not already infected, it will become infected at this time. After the Dir Virus is memory resident, it will only infect .COM programs when a DOS Dir command is performed. It does not infect programs on execution, or when .COM files are openned. When a Dir command is performed, the first uninfected .COM program that is found in the directory will become infected. When the virus infects a .COM file, there will be a pause in the output of the dir command while the program is being infected, then the output will continue. Infected programs will increase in size by 691 bytes, though the file length increase cannot be seen when a directory command is performed if the virus is memory resident. The virus will be located at the end of infected programs. Infected programs will not have their date and time altered by the virus. Systems infected with the Dir Virus will receive file allocation errors when the DOS ChkDsk program is executed on a drive containing infected programs. If the virus is not memory resident, these errors will not be found. Execution of the DOS ChkDsk program with the /F option when the virus is memory resident will result in corruption of the infected programs. This virus does not appear to contain any activation mechanism. Virus Name: Discom Aliases: V Status: New Discovered: November, 1990 Symptoms: TSR; .COM & .EXE growth Origin: Unknown Eff Length: 2,053 Bytes Type Code: PRsA - Parasitic Resident .COM & .EXE Infector Detection Method: Removal Instructions: Delete infected files General Comments: The Discom Virus was submitted in November, 1990. The location where the sample was isolated is unknown. Discom is a memory resident infector of .COM and .EXE files, and will not infect COMMAND.COM. This virus is based on the Jerusalem Virus, and also contains some code from the Sunday Virus. As such, some anti-viral utilities may identify files infected with this virus as containing both Jerusalem and Sunday. This virus does not exhibit symptoms or the activation of either the Jerusalem or Sunday viruses. The first time a program infected with the Discom Virus is executed, the virus will install itself memory resident as a 2,304 byte low system memory TSR. Interrupts 08 and 21 will be hooked by the virus. Once memory resident, the virus will infect .COM and .EXE files when they are executed. Infected .COM files will increase in length by 2,053 bytes and have the virus located at the beginning of the infected file. Infected .EXE files will increase in length by 2,059 to 2,068 bytes with the virus being located at the end of the file. All infected files will end with the following hex character string: 11121704D0. Unlike many Jerusalem Variants, this virus does not exhibit a system slowdown after being memory resident for 30 minutes, and no "black window" appears. Virus Name: Disk Killer Aliases: Computer Ogre, Disk Ogre, Ogre V Status: Common Discovered: April, 1989 Symptoms: Bad blocks, message, BSC, TSR, encryption of disk Origin: Taiwan Isolated: Milpitas, California, USA Eff Length: N/A Type Code: BRtT - Resident Boot Sector Infector Detection Method: ViruScan V39+, F-Prot, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: MDisk, CleanUp, Pro-Scan 1.4+, F-Prot, or DOS COPY & SYS General Comments: The Disk Killer virus is a boot sector infector that spreads by writing copies of itself to 3 blocks on either a floppy or hard disk. The virus does not care if these blocks are in use by another program or are part of a file. These blocks will then be marked as bad in the FAT so that they cannot be overwritten. The boot sector is patched so that when the system is booted, the virus code will be executed and it can attempt to infect any new disks exposed to the system. The virus keeps track of the elapsed disk usage time since initial infection, and does no harm until it has reached a predetermined limit. The predetermined limit is approximately 48 hours. (On most systems, Disk Killer will reach its limit within 1 - 6 weeks of its initial hard disk infection.) When the limit is reached or exceeded and the system is rebooted, a message is displayed identifying COMPUTER OGRE and a date of April 1. It then says to leave alone and proceeds to encrypt the disk by alternately XORing sectors with 0AAAAh and 05555h, effectively destroying the information on the disk. The only recourse after Disk Killer has activated and encrypted the entire disk is to reformat. The message text that is displayed upon activation, and can be found in the viral code is: "Disk Killer -- Version 1.00 by COMPUTER OGRE 04/01/89 Warning!! Don't turn off the power or remove the diskette while Disk Killer is Processing! PROCESSING Now you can turn off the power. I wish you Luck!" It is important to note that when the message is displayed, if the system is turned off immediately it may be possible to salvage some files on the disk using various utility programs as this virus first destroys the boot, FAT, and directory blocks. Disk Killer can be removed by using McAfee Associate's MDisk or CleanUp utility, or the DOS SYS command, to overwrite the boot sector on hard disks or bootable floppies. On non-system floppies, files can be copied to non-infected floppies, followed by reformatting the infected floppies. Be sure to reboot the system from a write protected master diskette before attempting to remove the virus first or you will be reinfected by the virus in memory. Note: Disk Killer may have damaged one or more files on the disk when it wrote a portion of its viral code to 3 blocks on the disk. Once the boot sector has been disinfected as indicated above, these corrupted files cannot reinfect the system, however they should be replaced with backup copies since the 3 blocks were overwritten. Note: Do not use the DOS DiskCopy program to backup infected diskettes as the new backup diskettes will contain the virus as well. Virus Name: Do-Nothing Virus Aliases: The Stupid Virus V Status: Extinct Discovered: October, 1989 Symptoms: .COM file growth, TSR (see text) Origin: Israel Eff Length: 608 Bytes Type Code: PRfC - Parasitic Resident .COM Infector Detection Method: ViruScan/X V67+, F-Prot, Pro-Scan, VirexPC, AVTK 3.5+ Removal Instructions: Scan/D/X, Pro-Scan 1.4+, or F-Prot General Comments: This virus was first reported by Yuval Tal of Israel in October, 1989. The virus will infect .COM files, but only the first one in the current directory, whether it was previously infected or not. The Do-Nothing virus is also memory resident, always installing itself to memory address 9800:100h, and can only infect systems with 640K of memory. The virus does not protect this area of memory in any way, and other programs which use this area will overwrite it in memory, removing the program from being memory resident. The Do-Nothing virus does no apparent damage, nor does it affect operation of the system in any observable way, thus its name. Also see: Saddam Virus Name: Dot Killer Aliases: 944, Point Killer V Status: Rare Discovered: October, 1990 Symptoms: .COM growth; removal of all dots (.) from display Origin: Koszalin, Poland Eff Length: 944 Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V72+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Dot Killer Virus was isolated in Koszalin, Poland in October, 1990. It is a non-resident infector of .COM files, including COMMAND.COM. When a program infected with the Dot Killer Virus is executed, the virus will infect one other .COM file in the current directory. Infected .COM files will increase in length by 944 bytes. The virus will be located at the end of infected files. While the Dot Killer Virus contains code to attempt to avoid infecting the program pointed to by the COMSPEC environmental parameter, this logic contains a bug and does not function properly. If COMMAND.COM, or the program pointed to by COMSPEC, is located in the current directory it will become infected just like any other .COM program. When the Dot Killer Virus activates, it will remove all dots (.) from the system display. Virus Name: EDV Aliases: Cursy, Stealth Virus V Status: Rare Discovered: 1988 Symptoms: BSC; partition table corruption; unusual system crashes Origin: France Eff Length: N/A Type Code: BRX - Resident Boot Sector/Partition Table Infector Detection Method: ViruScan V58+, IBM Scan, Pro-Scan 1.4+, VirHunt 2.0+ Removal Instructions: MDisk/P, CleanUp V67+, or Pro-Scan 1.4+ General Comments: The EDV, or Cursy, Virus was first discovered in Le Havre, France in 1988 by Jean-Luc Nail. At that time, it was named the Cursy Virus. Later, in January 1990, it was isolated separately and named the EDV virus. This virus is a memory resident infector of floppy diskette boot sectors and hard disk partition tables. When a system is booted from a diskette infected with the EDV virus, the virus will install itself memory resident at the top of high system memory. The value returned by interrupt 12 will be decreased. Once the virus is memory resident, and disk accessed by the system will become infected. When the virus infects a diskette, it moves the original boot sector to side 1, track 39, sector 8. After moving the original boot sector, it then copies the virus's code to absolute sector 0, the boot sector of the diskette. EDV will also infect hard disk drives when they are accessed. In the case of hard disks, the virus will move absolute sector 0 (the partition table) to side 1, track 39, sector 8 as though it were a 360K 5.25" floppy diskette. After moving the partition table, it will then overwrite the partition table with the viral code. Once the virus has infected six disks with the virus in memory, the EDV virus will activate. Upon activation, the virus access the keyboard interrupt to disable the keyboard and then will overwrite the first 3 tracks of each disk on the system, starting with the hard disks. After overwriting the disks, it will then display the following message: "That rings a bell, no? From Cursy" Upon activation, the user must power off the machine and reboot from a system diskette in order to regain any control over the machine. The following identification string appears at the very end of the boot sector on infected floppy disks and the partition table of infected hard drives, though it cannot be seen if the virus is in memory: "MSDOS Vers. E.D.V." Jean-Luc Nail has indicated that the EDV or Cursy virus is quiet common in the Le Havre area of France, although it is rare outside of France. Virus Name: Eight Tunes Aliases: 1971 V Status: Rare Discovered: April, 1990 Symptoms: file growth, music, decrease in available memory Origin: West Germany Eff Length: 1,971 Bytes Type Code: PRsA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V62+, Pro-Scan 1.4+, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: Scan/D, VirHunt 2.0+, or delete infected files General Comments: The Eight Tunes, or 1971, Virus was originally isolated in April 1990 by Fridrik Skulason of Iceland. This virus is a memory resident generic file infector of .COM, .EXE, and overlay files. The virus will not infect COMMAND.COM, or .COM files which are smaller than 8K. After the virus is memory resident, programs are infected as they are executed. Infected files will increase in length by between 1,971 - 1,985 bytes. Available memory will decrease by 1,984 bytes when the virus is present. This virus does not cause system damage, however it is disruptive. When the virus is memory resident, it will play 8 German folk songs at random intervals thirty minutes after the virus becomes memory resident. Virus Name: Evil Aliases: P1, V1701New V Status: Rare Discovered: July, 1990 Symptoms: .COM growth, system reboots, CHKDSK program failure, COMMAND.COM header change Origin: Bulgaria Eff Length: 1,701 Bytes Type Code: PRhCK - Parasitic Resident .COM Infector Detection Method: ViruScan V66+ Removal Instructions: Scan/D, or delete infected files General Comments: The Evil Virus is of Bulgarian origin, and was submitted to the author of this document in July, 1990 by Vesselin Bontchev. This virus is one of a family of three (3) viruses which may be referred to as the P1 or Phoenix Family. Each of these viruses is being documented separately due to their varying characteristics. The Evil virus is a memory resident, generic infector of .COM files, and will infect COMMAND.COM. It is the most advanced of the three viruses in the Phoenix Family. The Evil, or V1701New, Virus is a later version of the PhoenixD virus. The first time a program infected with the Evil virus is executed, the virus will install itself memory resident in free high memory, reserving 8,192 bytes. Interrupt 2A will be hooked by the virus. System total memory and free memory will decrease by 8,192 bytes. Evil will then check to see if the current drive's root directory contains a copy of COMMAND.COM. If a copy of COMMAND.COM is found, it will be infected by Evil by overwriting part of the binary zero portion of the program, and changing the program's header information. COMMAND.COM will not change in file length. The virus will then similarly infect COMMAND.COM residing in the C: drive root directory. After becoming memory resident, the virus will attempt to infect any .COM file executed. Evil is a better replicator than either the original Phoenix Virus or PhoenixD, and was successful in infecting .COM files in all cases on the author's system. Infected files will increase in size by 1,701 bytes. Evil is not able to recognize when it has previously infected a file, so it may reinfect .COM files several times. Each infection will result in another 1,701 bytes of viral code being appended to the file. Like PhoenixD, Evil will infect files when they are openned for any reason in addition to when they are executed. The simple act of copying a .COM file will result in both the source and target .COM files being infected. Systems infected with the Evil virus will experience problems with executing CHKDSK.COM. Attempts to execute this program with Evil memory resident will result in a warm reboot of the system occurring. The system, however, will not perform either a RAM memory check or request Date and Time if an autoexec.bat file is not present. This virus is not related to the Cascade (1701/1704) virus. The Evil Virus employs a complex encryption mechanism, and virus scanners which are only able to look for simple hex strings will not be able to detect it. There is no simple hex string in this virus that is common to all infected samples. Known variant(s) of Evil are: Evil-B : This is a earlier version of Evil, and is a rather poor replicator. It also has not to viable as infected programs will hang when they are executed, with the exception of the Runme.Exe file which the author received. The Runme.Exe file was probably the original release file distributed by the virus's author. (Originally listed in VSUM9008 as V1701New-B) Also see: Phoenix, PhoenixD Virus Name: F-Word Virus Aliases: Fuck You V Status: Rare Discovered: December, 1990 Symptoms: .COM growth; decrease in system and available free memory; file date/time changes Origin: USSR Eff Length: 417 Bytes Type Code: PRtCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The F-Word, or Fuck You, Virus was submitted in December, 1990 and is from the USSR. This virus is a memory resident infector of COM files, including COMMAND.COM. The first time a program infected with the F-Word Virus is executed the virus will install itself memory resident at the top of system memory but below the 640K DOS boundary. Interrupt 12's return will be moved. Total system memory and available free memory will decrease by 1,024 bytes. Interrupts 08 and 21 will be hooked by the virus. After F-Word is memory resident, it will infect COM files over approximately 2K in length when they are executed. Infected files will have a length increase of 417 bytes with the virus being located at the end of the program. The file's date and time in the directory will also have been changed to the system date and time when infection occurred. Attempts to executed the DOS Edlin program will result in a "Invalid drive of file name" message being displayed, and the program terminated. The text string "Fuck You!" can be found in all infected files. Virus Name: Father Christmas Aliases: Choinka V Status: Rare Discovered: November, 1990 Symptoms: .COM growth; lost cluster; cross-linking of files; graphic and message displayed on activation Origin: Poland Eff Length: 1,881 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V71+ Removal Instructions: Scan/D, or delete infected files General Comments: The Father Christmas, or Choinka, Virus was discovered in Poland in November, 1990. This virus is based on the Vienna Virus, and is a non-resident infector of .COM files, including COMMAND.COM. When a program infected with the Father Christmas Virus is executed, the virus will infect one other .COM file in the current directory. If no uninfected .COM files exist in the current directory, the virus will follow the system path to find an uninfected program. Infected files will increase in length by 1,881 bytes with the virus being located at the end of the infected program. Systems infected with the Father Christmas Virus may notice crosslinking of files and lost clusters. During the period from December 19 - December 31 of any year, this virus will activate. On these dates, when infected programs are executed a christmas trees graphic is displayed on the system monitor with the following message: Merry Christmas & a Happy New Year for all my lovely friends from FATHER CHRISTMAS If the graphic is displayed, the user must strike a key in order to have the program being executed finish running. Virus Name: Fellowship Aliases: 1022 V Status: Rare Discovered: July, 1990 Isolated: Australia Symptoms: TSR, .COM & .EXE file growth Origin: Malaysia Eff Length: 1,022 Bytes Type Code: PRsE - Parasitic Resident .EXE Infector Detection Method: ViruScan V66+, F-Prot 1.12+, Pro-Scan 2.01+ Removal Instructions: Scan/D, F-Prot 1.12+, or delete infected files General Comments: The Fellowship or 1022 Virus was isolated in Australia in July 1990. Fellowship is a memory resident generic infector of .EXE files. It does not infect .COM or overlay files. The first time a program infected with the Fellowship Virus is executed, the virus will install itself memory resident as a 2,048 byte TSR in low system memory. Available free memory will be decreased by a corresponding 2,048 bytes. Interrupt 21 will also now be controlled by the virus. After the virus is memory resident, the virus will infect .EXE files when they are executed. Infected .EXE files will increase in size by between 1,019 and 1,027 bytes. The virus's code will be located at the end of infected files. Infected files will contain the following text strings very close to the end of the file: "This message is dedicated to all fellow PC users on Earth Toward A Better Tomorrow And a better Place To Live In" "03/03/90 KV KL MAL" This virus is believed to have originated in Kuala Lumpur, Malaysia. Virus Name: Fish Virus Aliases: European Fish Viruses, Fish 6, Stealth Virus V Status: Rare Discovered: May 1990 Symptoms: .COM & .EXE growth, monitor/display flickering, system memory decrease Origin: West Germany Eff Length: 3,584 Bytes Type Code: PRsAK - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V63+, Pro-Scan 1.4+, VirexPC, F-Prot 1.12+, VirHunt 2.0+ Removal Instructions: Scan/D, CleanUp V66+, Pro-Scan 1.4+, VirHunt 2.0+, or delete infected files General Comments: The Fish Virus was isolated in May 1990. At the time of isolation, it was reported to be widespread in Europe, and it is thought to have originated in West Germany. It is a generic resident .COM and .EXE infector, and will infect COMMAND.COM. This virus will remain memory resident thru a warm reboot, or Ctrl-Alt-Del. The virus is encrypted, though infected programs can be found by searching for the text string "FISH FI" appearing near the end of the program. The "FISH FI" string may later disappear from the program. The first time a program infected with the Fish Virus is executed, the virus will go memory resident, installing itself into the low available free memory. If interrupt 13 has not been hooked by another program, it will hook interrupt 13. If it can hook interrupt 13, it will take up 8,192 bytes in memory. If the virus cannot hook interrupt 13 because another program is already using it, it will be 4,096 bytes in memory. When interrupt 13 is not hooked, and the virus is memory resident, the virus will cause a random warm reboot, thus allowing it to infect COMMAND.COM and hook interrupt 13. Warm reboots do not appear to randomly occur after interrupt 13 has been hooked. After the virus is memory resident, all .COM and .EXE programs which are openned for any reason will be infected. Infected programs increase in length by 3,584 bytes. The increase in program size cannot be seen by listing the disk directory if the virus is in memory. Also, if a CHKDSK command is run on an infected system, it will detect file allocation errors on infected files. If CHKDSK is run with the /F option, it will result in lost clusters and cross-linking of files. The virus slows down video writes, and flickering of the monitor display can be noticed on an infected system. Anti-viral programs which perform CRC checking cannot detect the infection of the program by the Fish Virus if the virus is memory resident. This virus can also bypass software write protect mechanisms used to protect a hard drive. The Fish Virus is a modified version of the 4096 Virus, though it is more sophisticated in that it constantly re-encrypts itself in system memory. Viewing system memory with the virus resident will show that the names of several fish are present. It is unknown what the Fish virus does when it activates, though it does appear to check to determine if the year of the system time is 1991. Virus Name: Flash Aliases: V Status: Rare Discovered: July 1990 Symptoms: .COM & .EXE growth, decrease in available free memory, video screen flicker Origin: West Germany Eff Length: 688 Bytes Type Code: PRfA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V64+, Pro-Scan 2.01+ Removal Instructions: Scan/D, Pro-Scan 2.01+, or Delete infected files General Comments: The Flash Virus was discovered in July 1990 in West Germany. Flash is a memory resident generic file infector, and will infect .COM and .EXE files, but not COMMAND.COM. The first time a program infected with the Flash Virus is executed, the virus will install itself memory resident. 976 bytes will be allocated in high memory, and available free memory will decrease by a corresponding 976 bytes. A mapping of memory will also indicate that when Flash is resident in memory, interrupts 00, 23, 24, 30, ED, F5, and FB are now in free memory. Total system memory reported by DOS, as well as low memory used by the operating system and TSRs will not have changed. Once Flash is memory resident, each time a .COM or .EXE program is executed it is a candidate for infection. An uninfected .EXE program will always be infected upon execution. Uninfected .COM files are only infected if they are greater than approximately 500 bytes in length. Infected files will always increase in length by 688 bytes. After June of 1990, systems with a graphics capable monitor may notice a screen flicker occurring at approximately seven minute intervals. The virus causes this effect by manipulating some screen blanking bits every seven minutes. Virus Name: Flip Aliases: V Status: Rare Discovered: July 1990 Symptoms: .COM & .EXE growth; decrease in system and free memory; boot sector and partition table altered; file allocation errors Origin: West Germany Eff Length: 2,343 Bytes Type Code: PRhABKX - Parasitic Resident .COM, .EXE, Partition Table Infector Detection Method: ViruScan V66+, F-Prot 1.12+, Pro-Scan 2.01+ Removal Instructions: Clean-Up V71+, Scan/D, or Delete infected files General Comments: The Flip Virus was discovered in West Germany in July 1990. It is a generic file infector, and will infect .COM, .EXE, and overlay files. This virus will also infect COMMAND.COM, as well as alter the partition table and boot sector of hard disks. It is important to note that the Flip virus is not infective from .COM files or boot sectors. The first time an EXE program infected with the Flip Virus is executed, it installs itself memory resident in high memory. System memory as reported by the CHKDSK command as well as free memory will have decreased by 3,064 bytes. At this time, the copy of COMMAND.COM located in the C: drive root directory will be infected, though no file length change will be apparent with the virus in memory. The system's hard disk partition table and boot sector will also be slightly modified. If the infected program was executed from a floppy, COMMAND.COM on the floppy will be infected, though the size change will be noticeable. After Flip becomes memory resident, any .COM or .EXE files executed will become infected. Infected programs will show a file length increase of 2,343 bytes. If a program is executed which uses an overlay file, the overlay file will also become infected. Systems infected Flip may experience file allocation errors resulting in file linkage errors. Some data files may become corrupted. On the second of any month, systems which were booted from an infected hard disk and have an EGA or VGA capable display adapter may experience the display on the system monitor being horizontally "flipped" between 16:00 and 16:59. Flip can only be passed between systems on infected .EXE files. Infected .COM files, and altered floppy boot sectors do not transfer the virus. Known variant(s) of Flip include: Flip B : Similar to the original Flip Virus, this variant has an effective length of 2,153 bytes. Its memory resident portion at the top of system memory is 2,672 bytes. The major difference between this variant and the original virus is that Flip B can infect programs from the hard disk partition table infection. Isolated: January, 1991. Origin: Unknown. Virus Name: FORM-Virus Aliases: Form, Form Boot V Status: Rare Discovered: June 1990 Symptoms: BSC, clicking noise from system speaker Origin: Switzerland Eff Length: N/A Type Code: BR - Resident Boot Sector Infector Detection Method: ViruScan V64+, F-Prot 1.12+, VirHunt 2.0+ Removal Instructions: MDisk, or DOS SYS command General Comments: The Form, or Form Boot, Virus is a memory resident infector of floppy and hard disk boot sectors. It was originally isolated in Switzerland. When a system is first booted with a diskette infected with the Form Boot virus, the virus will infect system memory as well as seek out and infect the system's hard disk. The floppy boot may or may not be successful, on the author's test system, a boot from floppy diskette infected with Form Boot never succeeded, instead the system would hang. It should be noted that the virus was received by the author of this document as a binary file, and it may have been damaged in some way. The following text message is contained in the Form Boot virus binary code as received by the author of this document: "The FORM-Virus sends greetings to everyone who's reading this text.FORM doesn't destroy data! Don't panic! Fuckings go to Corinne." These messages, however, may not appear in all cases. For example, I did not find these messages anywhere on a hard disk infected with Form Boot. Systems infected with the FORM-Virus in memory may notice that a clicking noise may be emitted from the system speaker on the 24th day of any month. This virus can be removed with the same technique as used with many boot sector infectors. First, power off the system and then boot from a known clean write-protected boot diskette. The DOS SYS command can then be used to recreate the boot sector. Alternately, MDisk from McAfee Associates may be used to recreate the boot sector. Virus Name: Frere Jacques Aliases: Frere Virus V Status: Rare Discovered: May 1990 Symptoms: .COM & .EXE growth, available memory decreases, system hangs, music (Frere Jacques) on Fridays Origin: California, USA Eff Length: 1,808 Bytes Type Code: PRA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V63+, Pro-Scan 1.4+, F-Prot 1.12+ Removal Instructions: Scan/D, Pro-Scan 1.4+, or Delete infected files General Comments: The Frere Jacques Virus was isolated in May, 1990. It is a memory resident generic file infector, infecting .COM, .EXE, and Overlay files. It does not infect COMMAND.COM. This virus is based on the Jerusalem B Virus. The first time an infected program is executed, the virus will install itself memory resident in low available free memory. The memory resident virus occupies 2,064 bytes, and attaches itself to interrupt 21. After becoming memory resident, Frere Jacques will infect any program which is then executed. Infected programs will increase in size by between 1,808 bytes and 1,819 bytes, though .COM files always increase in size by 1,813 bytes. Systems infected with Frere Jacques will experience a decrease in available free memory, as well as executable files increasing in size. System hangs will also intermittently occur when the virus attempts to infect programs, thus resulting in the possible loss of system data. On Fridays, the Frere Jacques virus activates, and will play the tune Frere Jacques on the system speaker. Also see: Jerusalem B Virus Name: Friday The 13th COM Virus Aliases: COM Virus, Miami, Munich, South African, 512 Virus V Status: Extinct Discovered: November, 1987 Symptoms: .COM growth, floppy disk access, file deletion Origin: Republic of South Africa Eff Length: 512 Bytes Type Code: PNC - Parasitic Non-Resident .COM Infector Detection Method: ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: Scan/D/X, Pro-Scan 1.4+, VirHunt 2.0+, or F-Prot General Comments: The original Friday The 13th COM virus first appeared in South Africa in 1987. Unlike the Jerusalem (Friday The 13th) viruses, it is not memory resident, nor does it hook any interrupts. This virus only infects .COM files, but not COMMAND.COM. On each execution of an infected file, the virus looks for two other .COM files on the C drive and 1 on the A drive, if found they are infected. This virus is extremely fast, and the only indication of propagation occurring is the access light being on for the A drive, if the current default drive is C. The virus will only infect a .COM file once. The files, after infection, must be less than 64K in length. On every Friday the 13th, if the host program is executed, it is deleted. Known variants of the Friday The 13th COM virus are: Friday The 13th-B: same, except that it will infect every file in the current subdirectory or in the system path if the infected .COM program is in the system path. Friday The 13th-C: same as Friday The 13th-B, except that the message "We hope we haven't inconvenienced you" is displayed whenever the virus activates. Author's note: All samples of this virus that are available were created by reassembling a disassembly of this virus. These viruses may not actually exist "in the wild". Virus Name: Fu Manchu Aliases: 2080, 2086 V Status: Rare Discovered: March, 1988 Symptoms: .SYS, .BIN, .COM & .EXE growth, messages Origin: Eff Length: 2,086 (COM files) & 2,080 (EXE files) bytes Type Code: PRsA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: Scan/D, F-Prot, Pro-Scan 1.4+, VirHunt 2.0+, VirexPC General Comments: The Fu Manchu virus attaches itself to the beginning of .COM files or the end of .EXE files. This virus will infect any executable program, including overlay, .SYS, and .BIN files as well. It appears to be a rewritten version of the Jerusalem virus, with a possible creation date of 3/10/88. A marker or id string usually found in this virus is 'sAXrEMHOr', though the virus only uses the 'rEMHOr' portion of the string to identify infected files. One out of sixteen infections will result in a timer being installed, and after a random amount of time, the message "The world will hear from me again!" is displayed and the system reboots. This message will also be displayed on an infected system after a warm reboot, though the virus doesn't survive in memory. After August 1, 1989, the virus will monitor the keyboard buffer, and will add derogatory comments to the names of various politicians. These comments go to the keyboard buffer, so their effect is not limited to the display. The messages within the virus are encrypted. This virus is very rare in the United States. Also see: Jerusalem B, Taiwan 3 Virus Name: Ghostballs Aliases: Ghost Boot, Ghost COM V Status: Extinct Discovered: October, 1989 Symptoms: moving graphic display, .COM file growth, file corruption, BSC. Origin: Iceland Eff Length: 2,351 bytes Type Code: PNCB - Parasitic Non-Resident .COM & Boot Sector Infector Detection Method: ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: MDisk or DOS SYS and erase infected .COM files, or CleanUp, F-Prot, Pro-Scan 1.4+, VirexPC, Scan/D/X, VirHunt 2.0+ General Comments: The Ghostball virus (Ghost Boot and Ghost COM) were discovered in October, 1989 by Fridrik Skulason of Iceland. The Ghostballs Virus virus infects generic .COM files, increasing the file size by 2,351 bytes. It also alters the disk boot sector, replacing it with viral code similar to the Ping Pong virus. This altered boot sector, however, will not replicate. Symptoms of this virus are very similar to the Ping Pong virus, and random file corruption may occur on infected systems. The Ghostballs virus was the first known virus that could infect both files (.COM files in this case) and disk boot sectors. After the boot sector is infected, the system experiences the bouncing ball effect of the Ping Pong virus. If the boot sector is overwritten to remove the boot viral infection, it will again become corrupted the next time an infected .COM file is executed. The Ghostballs Virus is based on the code of two other viruses. The .COM infector portion consists of a modified version of the Vienna virus. The boot sector portion of the virus is based on the Ping Pong virus. To remove this virus, turn off the computer and reboot from a write protected master diskette for the system. Then use either MDisk or the DOS SYS command to replace the boot sector on the infected disk. Any infected .COM files must also be erased and deleted, then replaced with clean copies from your original distribution diskettes. Virus Name: Golden Gate Aliases: Mazatlan, 500 Virus V Status: Extinct Discovered: 1988 Symptoms: BSC, disk format, Resident TOM Origin: California, USA Eff Length: N/A Type Code: BRt - Resident Boot Sector Infector Detection Method: ViruScan (identifies as Alameda) Removal Instructions: MDisk, F-Prot, or DOS SYS command General Comments: The Golden Gate virus is a modified version of the Alameda virus which activates when the counter in the virus has determined that it is infected 500 diskettes. The virus replicates when a CTL-ALT-DEL is performed, infecting any diskette in the floppy drive. Upon activation, the C: drive is formatted. The counter in the virus is reset on each new floppy or hard drive infected. Known Variants of this virus are: Golden Gate-B: same as Golden Gate, except that the counter has been changed from 500 to 30 infections before activation, and only diskettes are infected. Golden Gate-C: same as Golden Gate-B, except that the hard drive can also be infected. This variant is also known as the Mazatlan Virus, and is the most dangerous of the Golden Gate viruses. Also see: Alameda Virus Name: Grither Aliases: V Status: New Discovered: January, 1991 Symptoms: .COM growth; C: & D: drive disk corruption Origin: United States Eff Length: 774 Bytes Type Code: PNCK - Parasitic Non-Resident .COM & .EXE Infector Detection Method: ViruScan V72+ Removal Instructions: Scan/D, Delete infected files General Comments: The Grither Virus was submitted in January, 1991, by Paul Ferguson of the United States. This virus is a non-resident direct action infector of .COM files, including COMMAND.COM. When a program infected with Grither is executed, the virus will infect one .COM file in the current directory. COMMAND.COM may become infected if it exists in the current directory. .COM programs infected with Grither will increase in length by 774 bytes, the virus will be located at the end of the infected file. The file's date and time in the disk directory will not be altered by the virus. The Grither Virus can be extremely destructive. With a probability of approximately one out of every eight times an infected program is executed, the virus may activate. On activation, Grither will overwrite the beginning of the C: and D: drives of the system's hard disk. Effectively, this corrupts the disk's boot sector, file allocation tables, and directory, as well as the system files. Grither is roughly based on the Vienna and Violator viruses. ViruScan V72 will identify Grither infected files as Vienna B, though it may also identify them as Violator in rare circumstances. Virus Name: Groen Links Aliases: Green Left V Status: Rare Discovered: March, 1990 Symptoms: .COM & .EXE growth; TSR; Music Origin: Amsterdam, Holland Eff Length: 1,888 Bytes Type Code: PRsA - Resident Parasitic .COM &.EXE Infector Detection Method: ViruScan V67+, Pro-Scan 2.01+ Removal Instructions: Scan/D, Pro-Scan 2.01+, or Delete infected files General Comments: The Groen Links Virus was originally reported in Amsterdam, Holland, in March 1990. This virus is a memory resident infector of .COM and .EXE files. It does not infect COMMAND.COM. It is a variant of the Jerusalem B virus, though is listed separately here as it is a different length and exhibits different characteristics. The first time a program infected with the Groen Links Virus is executed, the virus will install itself memory resident as a low system memory TSR of 1,872 bytes. Interrupts 21 and CE will be hooked by the virus. After the virus is memory resident, it will infect .COM and .EXE files as they are executed. Infected .COM files will increase in length by 1,893 bytes with the virus being located at the beginning of the file. .EXE files will increase in length by 1,888 to 1,902 bytes with the virus located at the end of infected files. As with many of the Jerusalem variants, this virus will reinfect .EXE files. After the first infection, .EXE files will increase by 1,888 bytes on subsequent infections. Infected files will contain the text string: "GRLKDOS". After the virus has been resident for 30 minutes, it may play "Stem op Groen Links" every 30 minutes. The name of the tune translates to "Vote Green Left", Green Left being a political party in Holland. Virus Name: Guppy Aliases: V Status: Rare Discovered: October, 1990 Symptoms: TSR, .COM growth, error messages, disk boot failures Origin: United States Eff Length: 152 Bytes Type Code: PRsCK - Resident Parasitic .COM &.EXE Infector Detection Method: Pro-Scan 2.01+ Removal Instructions: Pro-Scan 2.01+, or Delete infected files General Comments: The Guppy Virus was submitted in late October, 1990 by Paul Ferguson of Washington, DC. Guppy is a memory resident infector of .COM files, including COMMAND.COM. The first time a program infected with the Guppy Virus is executed, the virus will install itself memory resident as a low system memory TSR with interrupt 21 hooked. Available free memory will decrease by 720 bytes. After the virus is memory resident, any .COM file with a file length of at least 100 bytes (approximately) that is executed will become infected with Guppy. Infected files will increase in length by 152 bytes, with two bytes added to the beginning of the .COM file, and 150 bytes added to the end of the file. Infected files will also have their date/time stamps in the directory updated to the system date and time when the infection occurred. If COMMAND.COM is executed with Guppy memory resident, it will become infected. If the system is later booted from a disk with a Guppy infected COMMAND.COM, the boot will fail and a "Bad or Missing Command Interpreter" message will be displayed. Some programs will also fail to execute properly once infected with Guppy. For example, attempts to execute EDLIN.COM after it was executed on my system resulted in a consistent "Invalid drive or file name" message, and EDLIN ending execution. Infected files can be identified as they will end with the following hex character string: 3ECD211F5A5B58EA Virus Name: Halloechen Aliases: V Status: Rare Discovered: October, 1989 Symptoms: TSR, .COM & .EXE growth, garbled keyboard input. Origin: West Germany Eff Length: 2,011 Bytes Type Code: PRsA - Resident Parasitic .COM &.EXE Infector Detection Method: ViruScan V57+, Pro-Scan 1.4+, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: VirHunt 2.0+, Scan/D or delete infected files General Comments: The Halloechen virus was reported by Christoff Fischer of the University of Karlsruhe in West Germany. The virus is a memory resident generic .COM & .EXE file infector which is reported to be widespread in West Germany. The Halloechen virus installs itself memory resident when the first infected program is executed. Thereafter, the virus will infect any .EXE or .COM file which is run unless the resulting infected file would be greater than 64K in size, or the file's date falls within the system date's current month and year. Once a file has been determined to be a candidate for infection, and is less than approximately 62K in size as well as having a date outside of the current month and year, it is infected. In the process of infecting the file, the files size is first increased so that it is a multiple of 16 (ends on a paragraph boundary), then the 2,011 bytes of viral code are added. When infected files are run, input from the keyboard is garbled. Virus Name: Happy New Year Aliases: Happy N.Y., V1600 V Status: New Discovered: December, 1989 Symptoms: TSR; .COM & .EXE Growth; Floppy Boot Sector altered; Boot failures; Bad or missing command interpretor message Origin: Bulgaria Eff Length: 1,600 Bytes Type Code: PRsAK - Resident Parasitic .COM & .EXE Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Happy New Year, or V1600, Virus was submitted in December, 1990. This virus is originally from Bulgaria, and is a memory resident infector of .COM and .EXE files. It will infect COMMAND.COM. The first time a program infected with the Happy New Year Virus is executed, the virus will install itself memory resident as a 2,432 bytes low system memory TSR. Interrupt 21 will be hooked by the virus. At this time, the virus will also make a slight alteration to the floppy boot sector, and infect COMMAND.COM. Infected COMMAND.COM files will not show a file length increase as the virus will overwrite a portion of the hex 00 section of the file. The altered floppy boot sector does not contain a copy of the virus, and is not infectious. Once Happy New Year is memory resident, it will infect .COM and .EXE programs as they are executed. Infected programs will increase in length by 1,600 bytes and have the virus located at the end of the infected file. The following text message can be found in infected programs: "Dear Nina, you make me write this virus; Happy new year!" "1989" This message is not displayed by the virus. Systems infected with the Happy New Year Virus may fail to boot, receiving a "Bad or missing command interpretor" message if COMMAND.COM is infected on the boot diskette or hard drive. It is unknown if Happy New Year carries any destructive capabilities. Known variant(s) of Happy New Year are: Happy New Year B : Similar to Happy New Year, this variant has five bytes which differ from the original virus. Unlike Happy New Year, COMMAND.COM will only be infected if it is executed for some reason. Virus Name: Holland Girl Aliases: Sylvia V Status: Rare Discovered: December, 1989 Symptoms: .COM growth, TSR Origin: Netherlands Eff Length: 1,332 Bytes Type Code: PRsC - Resident Parasitic .COM Infector Detection Method: ViruScan V50+, F-Prot, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: F-Prot, Pro-Scan 1.4+, VirHunt 2.0+, or Scan/D General Comments: The Holland Girl or Sylvia Virus was first reported by Jan Terpstra of the Netherlands. This virus is memory resident and infects only .COM files, increasing their size by 1,332 bytes. The virus apparently does no other damage, and does not infect COMMAND.COM. The virus's name is due to the fact that the virus code contains the name and phone number of a girl named Sylvia in Holland, along with her address, requesting that post cards be sent to her. The virus is believed to have been written by her ex-boyfriend. Also see: Holland Girl 2 Virus Name: Holland Girl 2 Aliases: Sylvia 2 V Status: New Discovered: January, 1991 Symptoms: .COM growth Origin: New Brunswick, Canada Eff Length: 1,332 Bytes Type Code: PNC - Resident Parasitic .COM Infector Detection Method: Removal Instructions: Delete infected files General Comments: The Holland Girl 2, or Sylvia 2, Virus was discovered in New Brunswick, Canada in January 1991. This virus is similar to the Holland Girl Virus, though it has been altered significantly. This virus is a non- resident infector of .COM files, including COMMAND.COM. When a program infected with the Holland Girl 2 Virus is executed, the virus will infect up to four .COM files. It first checks the C: drive root directory to look for candidate files, then the current drive and current directory. .COM Programs infected with the Holland Girl 2 Virus will increase in length by 1,332 bytes with the virus being located at the beginning of the infected program. Infected programs will also contain the following text: "This program is infected by a HARMLESS Text-Virus V2.1" "Send a FUNNY postcard to : Sylvia" "You might get an ANTIVIRUS program....." Sylvia's last name, and full address are in the virus in plain text, and are not repeated here for privacy reasons. Also see: Holland Girl Virus Name: Holocaust Aliases: Stealth, Holo V Status: Rare Discovered: December, 1990 Symptoms: decrease in system & available memory; file allocation errors Origin: Barcelona, Spain Eff Length: 3,784 Bytes Type Code: PRhCK - Resident Parasitic .COM Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Holocaust Virus was submitted in December, 1990 by David Llamas of Barcelona, Spain. Holocaust is a self-encrypting memory resident infector of .COM files, including COMMAND.COM. This virus is qualifies as a Stealth virus as it hides the file length increase on infected files as well as infecting on file open and execution. The first time a program infected with the Holocaust Virus is executed, the virus will install itself memory resident. It will reserve 4,080 bytes of high system memory below the 640K DOS boundary. This memory will be marked as Command Data, and interrupt 21 will be hooked. Some memory mapping utilities will show the memory resident command interpretor to have grown by the 4,080 bytes, though it is actually in high memory instead of low memory. Once Holocaust is memory resident, it will infect COM programs which are executed or openned for any reason. This virus, however, will not infect very small COM files of less than 1K in size. Infected COM programs will increase in size by 3,784 bytes, though this file size increase will not be seen in a directory listing if the virus is memory resident. The viral code will be located at the end of infected files. If the Holocaust Virus is memory resident and the DOS ChkDsk command is executed, infected files will be indicated as having a file allocation error. Execution of the command with the /F parameter on systems with the virus memory resident will result in the infected files becoming damaged. The file allocation errors do not occur if the virus is not in memory since at that time the directory size will match the file allocation in the FAT. The Holocaust Virus is a self-encrypting virus, and will occasionally produce an infected file which is encrypted differently from its original encryption mechanism. Some infected files will contain the following text at the end of the program, while other samples will have this text encrypted: "Virus Anti - C.T.N.E. v2.10a. (c)1990 Grupo Holokausto. Kampanya Anti-Telefonica. Menos tarifas y mas servicio. Programmed in Barcelona (Spain). 23-8-90. - 666 -" Holocaust is reported by David Llamas to be widespread in Barcelona as of December, 1990. It is not known if this virus activates, and what it does on activation. It does not match a similar virus reported by Jim Bates of the United Kingdom named Spanish Telecom. Virus Name: Hybryd Aliases: Hybrid V Status: New Discovered: January, 1991 Symptoms: .COM growth Origin: Poland Eff Length: 1,306 Bytes Type Code: PRhA - Resident Parasitic .COM & .EXE Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Hybryd Virus was submitted in January, 1991, and is from Poland. This virus is a non-resident direct action infector of .COM files, including COMMAND.COM. When a program infected with Hybryd is executed, the virus will look for an uninfected .COM program in the current directory. If an uninfected program is found, the virus will infect it. Infected .COM programs will have a file length increase of 1,306 bytes, the virus will be located at the end of the infected program. This virus alters the file time so that the seconds field in the file time is 62, the indicator that the file is infected. Just viewing the directory, though, it appears that the file date and time has not been altered. The following text strings are contained within the Hybryd Virus, though they cannot be viewed in infected files as they are encrypted: "(C) Hybryd Soft Specjalne podziekowania dla Andrzeja Kadlofa i Mariusza Deca za artykuly w Komputerze 11/88" In the submitted sample, the one text string that is not encrypted is the following, which is also found in replicated samples: "Copyright IBM Corp 1981,1987 Licensed Material - Program Property of IBM" This string should not be taken to indicate that IBM necessarily had anything to do with the creation of this virus. On Friday The 13ths starting in 1992, this virus will overwrite the current drive's boot sector when an infected program is executed. It may also corrupt program files at that time when they are executed. Virus Name: Hymn Aliases: V Status: Rare Discovered: December, 1990 Symptoms: .COM & .EXE growth; decrease in system and available free memory Origin: USSR Eff Length: 1,865 Bytes Type Code: PRhA - Resident Parasitic .COM & .EXE Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Hymn Virus was submitted in December, 1990, and originated in the USSR. This virus is a memory resident infector of .COM and .EXE files, and will infect COMMAND.COM. The first time a program infected with the Hymn Virus is executed, the virus will install itself memory resident at the top of system memory but below the 640K DOS boundary. The DOS ChkDsk program will show that total system memory and available free memory have decreased by 3,712 bytes. This virus does not move the interrupt 12 return. COMMAND.COM will also become infected at this time. Once Hymn is memory resident, it will infect .COM and .EXE files which are over approximately 2K in length when they are executed or openned for any reason. Infected .COM files will increase in length by 1,865 bytes. Infected .EXE files will have a file length increase of 1,869 to 1,883 bytes. In both cases the virus will be located at the end of the infected file. Infected programs will contain two text strings within the viral code: "ibm@SNS" "@ussr@" It is not known what Hymn does when it activates, but it is assumed from the name that under some conditions it may play music. Virus Name: Icelandic Aliases: 656, One In Ten, Disk Crunching Virus, Saratoga 2 V Status: Extinct Discovered: June, 1989 Symptoms: .EXE growth, Resident TOM, bad sectors, FAT corruption Origin: Iceland Eff Length: 656 bytes Type Code: PRfE - Resident Parasitic .EXE Infector Detection Method: ViruScan/X V67+, F-Prot, Pro-Scan, VirexPC, AVTK 3.5+ VirHunt 2.0+ Removal Instructions: Scan/D/X, Pro-Scan 1.4+, VirexPC 1.1B, F-Prot, VirHunt 2.0+ General Comments: The Icelandic, or "Disk Crunching Virus", was originally isolated in Iceland in June 1989. This virus only infects .EXE files, with infected files growing in length between 656 and 671 bytes. File lengths after infection will always be a multiple of 16. The virus attaches itself to the end of the programs it infects, and infected files will always end with hex '4418,5F19'. The Icelandic virus will copy itself to the top of free memory the first time an infected program is executed. Once in high memory, it hides from memory mapping programs. If a program later tries to write to this area of memory, the computer will crash. If the virus finds that some other program has "hooked" Interrupt 13, it will not proceed to infect programs. If Interrupt 13 has not been "hooked", it will attempt to infect every 10th program executed. On systems with only floppy drives, or 10 MB hard disks, the virus will not cause any damage. However, on systems with hard disks larger than 10 MB, the virus will select one unused FAT entry and mark the entry as a bad sector each time it infects a program. Also see: Icelandic-II, Icelandic-III, Mix/1, Saratoga Virus Name: Icelandic-II Aliases: System Virus, One In Ten V Status: Extinct Discovered: July, 1989 Symptoms: .EXE growth, Resident TOM, FAT corruption date changes, loss of Read-Only Origin: Iceland Eff Length: 632 Bytes Type Code: PRfE - Parasitic Resident .EXE Infector Detection Method: ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: Scan/D/X, Pro-Scan 1.4+, VirexPC 1.1B, F-Prot, VirHunt 2.0+ General Comments: The Icelandic-II Virus is a modified version of the Icelandic Virus, and was isolated for the first time in July 1989 in Iceland. These two viruses are very similar, so only the changes to this variant are indicated here, refer to Icelandic for the base virus information. Each time the Icelandic-II virus infects a program, it will modify the file's date, thus making it fairly obvious that the program has been changed. The virus will also remove the read-only attribute from files, but does not restore it after infecting the program. The Icelandic-II virus can infect programs even if the system is running an anti-viral TSR that monitors interrupt 21, such as FluShot+. On hard disks larger than 10 MB, there are no bad sectors marked in the FAT as there is with the Icelandic virus. Also see: Icelandic, Icelandic-III, Mix/1, Saratoga Virus Name: Icelandic-III Aliases: December 24th V Status: Endangered Discovered: December, 1989 Symptoms: .EXE growth, Resident TOM, bad sectors, FAT corruption, Dec 24 message. Origin: Iceland Eff Length: 853 Bytes Type Code: PRfE - Parasitic Resident .EXE Infector Detection Method: ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: F-Prot, Scan/D/X, Pro-Scan 1.4+, VirexPC 1.1B, VirHunt 2.0+, or delete infected files General Comments: The Icelandic-III Virus is a modified version of the Icelandic Virus, and was isolated for the first time in December 1989 in Iceland. These two viruses are very similar, so only the changes to this variant are indicated here, refer to Icelandic for the base virus information. The Icelandic-III virus's id string in the last 2 words of the program is hex '1844,195F', the bytes in each word being reversed from the id string ending the Icelandic and Icelandic-II viruses. There are also other minor changes to the virus from the previous Icelandic viruses, including the addition of several NOP instructions. Before the virus will infect a program, it checks to see if the program has been previously infected with Icelandic or Icelandic-II, if it has, it does not infect the program. Files infected with the Icelandic-III virus will have their length increased by between 848 and 863 bytes. If an infected program is run on December 24th of any year, programs subsequently run will be stopped, later displaying the message "Gledileg jol" ("Merry Christmas" in Icelandic) instead. Also see: Icelandic, Icelandic-II, Mix/1, Saratoga Virus Name: IKV 528 Aliases: V Status: New Discovered: January, 1991 Symptoms: .COM & .EXE growth Origin: Unknown Eff Length: 528 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The IKV 528 Virus was submitted in January, 1991, its origin and isolation point are unknown. This virus is a non-resident infector of .COM files. It will infect COMMAND.COM. When a program infected with IKV 528 is executed, the virus will infect two .COM programs in the current directory. .COM programs which are smaller than 520 bytes will not be infected. Infected .COM programs will increase in length by 528 bytes. The virus will be located at the end of infected programs. The file date and time in the disk directory will not be altered by the virus. This virus does not do anything besides replicate. Virus Name: Invader Aliases: Plastique Boot V Status: Common Discovered: September, 1990 Symptoms: TSR; .COM & .EXE growth; BSC; music Origin: Taiwan/China Eff Length: 4,096 Bytes Type Code: PRsAB - Parasitic Resident .COM, .EXE, & Boot Sector Infector Detection Method: ViruScan V67+, Pro-Scan 2.01+ Removal Instructions: Scan/D, CleanUp V67+, or Delete infected files General Comments: The Invader Virus was isolated in September, 1990 in China. This virus is a later version of the Plastique-B or Plastique 5.21 Virus. It is a memory resident infector of .COM and .EXE files, but not COMMAND.COM. It also infects boot sectors. In September 1990, many reports of infections of this virus have been received, it appears to have spread very rapidly. The first time a program infected with the Invader virus is executed, the virus will install itself memory resident as a low system memory TSR. The TSR is 5,120 Bytes and interrupts 08, 09, 13, and 21 will be hooked. At this time, the virus will also infect the boot sector of the drive where the infected program was executed. The new boot sector is an MSDOS 3.30 boot sector, and can be easily identified because the normal DOS error messages found in the boot sector are now at the beginning of the boot sector instead of the end. After the virus has become memory resident, any .COM or .EXE file (with the exception of COMMAND.COM) openned will be infected by the virus. Infected .COM files will increase in length by 4,096 bytes with the viral code being located at the beginning of the infected file. .EXE files will increase in length between 4,096 and 4,110 bytes with the viral code being located at the end of the infected file. Additionally, any non-write protected diskettes which are exposed to the infected system will have their boot sectors infected. The Invader Virus activates after being memory resident for 30 minutes. At that time, a melody may be played on the system speaker. On systems which play the melody, it will continue until the system is rebooted. The melody isn't played on 286 based systems, but is noticeable on the author's 386SX test machine. Also see: Plastique, Plastique-B Virus Name: Iraqui Warrior Aliases: Iraqui V Status: New Discovered: January, 1991 Symptoms: .COM growth; Closely spaced beeps from system speaker; system hangs; boot failures Origin: USA Eff Length: 777 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Iraqui Warrior Virus was isolated on January 17, 1991 in the United States. This virus is a non-memory resident infector of .COM files, including COMMAND.COM. It is based on the Vienna Virus. When a program infected with the Iraqui Warrior Virus is executed, the virus will infect one of the first four .COM files located on the current drive and current directory. Infected .COM files will have a file length increase of 777 bytes with the virus being located at the end of the file. The following text strings can be found in infected files, the first two occurring near the beginning of the virus, and the last being located very near the end of the infected file: "I come to you from The Ayatollah!" "(c)1990, VirusMasters" "An Iraqui Warrior is in your computer..." None of these messages are displayed by the virus. Systems infected with the Iraqui Warrior virus may occassionally experience the system speaker issuing a series of closely spaced beeps when an infected program is executed. When this occurs, the system will hang and have to be rebooted. The beeps continue until the reboot occurs. Booting from a disk where COMMAND.COM has been infected will result in a "Memory allocation error, Cannot start COMMAND, exiting" message appearing. The Iraqui Warrior does not appear to do anything else besides the above. Virus Name: Itavir Aliases: 3880 V Status: Endangered Discovered: March, 1990 Symptoms: .EXE growth, COMMAND.COM file, Boot sector corruption Origin: Italy Eff Length: 3,880 Bytes Type Code: PNE - Parasitic Non-Resident .EXE Infector Detection Method: ViruScan V60+, Pro-Scan 1.4+ Removal Instructions: Scan/D, or delete infected files General Comments: The Itavir virus was isolated in March 1990 by a group of students at the Milan Politechnic in Milan, Italy. The Itavir virus is a non-resident generic .EXE Infector. Infected files will increase in length by 3,880 bytes. Infected systems, besides having files which have increased in length, will usually have a file with the name COMMAND.COM somewhere on the disk. The first character of this file name is an unprintable character. The COMMAND.COM file contains the pure virus code and is used for appending to files as they are infected. The Itavir virus activates at some time period after the system has been running for more than 24 hours. When it activates, the boot sector is corrupted, rendering the system unbootable. The virus also displays a message in Italian and writes ansi values from 0 thru 255 to all available I/O ports, thus confusing any attached peripheral devices. Some monitors may show a flickering effect when this occurs, while some VGA monitors may actually "hiss". Virus Name: Jeff Aliases: V Status: Rare Discovered: December, 1990 Symptoms: .COM growth; overwritten sectors on hard disk Origin: USA Eff Length: 814 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V72+, Pro-Scan 2.01+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Jeff Virus was isolated in the United States in December, 1990. This virus is a non-resident infector of .COM files, including COMMAND.COM. When a program infected with the Jeff Virus is executed, the virus will attempt to infect one .COM file on the C: drive, starting in the root directory. Infected .COM files will increase in size by 814 to 828 bytes, with the virus being located at the end of the infected program. The Jeff Virus received its name from the following text string which is encrypted in the viral code: "Jeff is visiting your hard disk" While Jeff is visiting your hard disk, it will occasionally write some sectors of random memory contents to the hard disk. If these sectors are written to the boot sector, partition table, or FAT, the contents of the disk may become inaccessible or produce unexpected results. Virus Name: Jerusalem Aliases: PLO, Israeli, Friday 13th, Russian, 1813(COM), 1808(EXE) V Status: Common Discovered: October, 1987 Symptoms: TSR, .EXE & .COM growth, system slowdown, deleted files on Friday 13th, "Black WIndow" Origin: Israel Eff Length: 1,813 (COM files) & 1,808 (EXE files) bytes Type Code: PRsA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC 1.1+, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: Scan/D/A, Saturday, CleanUp, UnVirus, F-Prot, VirexPC 1.1+, Pro-Scan 1.4+ General Comments: The Jerusalem Virus was originally isolated at Hebrew University in Israel in the Fall of 1987. Jerusalem is a memory resident infector of .COM and .EXE files, with .EXE file being reinfected each time they are executed due to a bug in the virus. This virus redirects interrupt 8, and 1/2 hour after execution of an infected program the system will slow down by a factor of 10. Additionally, some Jerusalem Virus variants will have a "Black Window" or "Black Box" appear on the lower left side of the screen which will scroll up the screen as the screen scrolls. On Friday The 13ths, after the virus is installed in memory, every program executed will be deleted from disk. The identifier for some strains is "sUMsDos", however, this identifier is usually not found in the newer variants of Jerusalem. The Jerusalem Virus is thought to have been based on the Suriv 3.00 Virus, though the Suriv 3.00 Virus was isolated after the Jerusalem Virus. Also see: Jerusalem B, New Jerusalem, Payday, Suriv 3.00 Virus Name: Jerusalem B Aliases: Arab Star, Black Box, Black Window, Hebrew University V Status: Common Discovered: January, 1988 Symptoms: TSR, .EXE & .COM growth, system slowdown, deleted files on Friday 13th, "Black WIndow" Origin: Israel Eff Length: 1,813 (.COM files) & 1,808 (.EXE files) bytes Type Code: PRsA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC 1.1+, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: F-Prot, Saturday, CleanUp, UnVirus, VirexPC 1.1+ Pro-Scan 1.4+ General Comments: Identical to the Jerusalem virus, except that in some cases it does not reinfect .EXE files. Jerusalem B is the most common of all PC viruses, and can infect .SYS and program overlay files in addition to .COM and .EXE files. Not all variants of the Jerusalem B virus slow down the system after an infection has occurred. Also, it should be noted that Jerusalem viruses will only activate if they actually become memory resident on their activation date. If the system clock rolls over to the activation date and the virus is already memory resident, they will not typically activate and perform any destructive behavior they may be intended to perform. Known variants of Jerusalem B are: A-204 : Jerusalem B with the sUMsDos text string changed to *A-204*, and a couple of instructions changed in order to avoid detection. This variant will slow down the system after being memory resident for 30 minutes, as well as having a black box appear at that time. Origin: Delft, The Netherlands Anarkia : Jerusalem B with the timer delay set to slow down the system to a greater degree, though this effect doesn't show until a much longer time has elapsed. No Black Box is never displayed. The sUMsDos id-string has been changed to ANARKIA. Lastly, the virus's activation date has been changed to Tuesday The 13ths, instead of Friday The 13ths. Origin: Spain Anarkia-B : Similar to Anarkia, with the exception that the virus now activates on any October 12th instead of on Tuesday The 13ths. Jerusalem-C: Jerusalem B without the timer delay to slow down the processor. Jerusalem-D: Jerusalem C which will destroy both copies of the FAT on any Friday The 13th after 1990. Jerusalem-E: Jerusalem D but the activation is in 1992. Mendoza : Based on the Jerusalem B virus, this variant does not reinfect .EXE files. It is also missing the black box effect. Mendoza activates in the second half of the year (July - December), at which time any day will have a 10% chance of having all programs executed deleted. Origin: Argentina Park ESS: Isolated in October, 1990 in Happy Camp, California, this variant is very similar to other Jerusalem viruses. Infected .COM files increase in length by 1,813 bytes, and infected .EXE files will increase in length by 1,808 to 1,822 bytes with the first infection, and 1,808 on later subsequent infections. This variant will also infect COMMAND.COM. The other major difference from the "normal" Jerusalem is that the sUMsDos string has been replaced. The string PARK ESS can be found in the viral code within all infected files. This variant slows down the system by approximately 20 percent and a "black window" will appear after the virus has been memory resident for 30 minutes. Puerto : Isolated in June, 1990 in Puerto Rico, this variant is very similar to the Mendoza variant, the virus contains the sUMsDos id-string. .EXE files may be infected multiple times. Skism-1 : Isolated in December, 1990 in New York State, this variant is similar to many other Jerusalems except with regards to when and what it does upon activation. Rather than activate on Friday The 13ths and delete files, this variant activates in the years 1991 and later on any Friday which occurs after the 15th of the month. On activation, it truncates any file which is attempted to be executed to zero bytes. COM files will increase in size upon infection by 1,808 bytes, EXE files will increase by 1,808 to 1,822 bytes. EXE files will be reinfected by the virus. The sUMsDos string in the virus is now SKISM-1. Like Jerusalem, this variant produces a "black window" 30 minutes after becoming memory resident, and also slows down the system. Spanish JB : Similar to Jerusalem, it reinfects .EXE files. The increased file size on .COM files is always 1,808 bytes. On .EXE files, the increased file size may be either 1,808 or 1,813, with reinfections always adding 1,808 bytes to the already infected file. No "Black Box" appears. The characteristic sUMsDos id-string does not appear in the viral code. This variant is also sometimes identified as Jerusalem E2. Origin: Spain Jerusalem DC: Similar to Jerusalem B, this variant has the sUMsDos text string changed to 00h characters. After being memory resident for 30 minutes, the system will slow down by 30% and the common "black window" will appear on the lower left side of the screen. Like Jerusalem, it will infect .EXE files multiple times. This variant does not carry an activation date when it will delete files, it appears for all intents to be "defanged". Origin: Washington, DC, USA Also see: Jerusalem, Frere Jacques, New Jerusalem, Payday, Suriv 3.00, Westwood Virus Name: JoJo Aliases: V Status: Rare Discovered: May, 1990 Symptoms: .COM growth, system hangs Origin: Israel Eff Length: 1,701 Bytes Type Code: PRaC - Parasitic Resident .COM Infector Detection Method: ViruScan V63+, Pro-Scan 1.4+, VirexPC, F-Prot 1.12+ Removal Instructions: Scan/D, F-Prot 1.12+, Pro-Scan 2.01+ General Comments: The JoJo virus was discovered in Israel in May, 1990. The virus' name comes from a message within the viral code: "Welcome to the JOJO Virus." One other message appears within the virus, indicating that it was written in 1990. This message is: "Fuck the system (c) - 1990". Both messages within the viral code are never displayed. When the first file infected with the JoJo Virus is executed on a system, the virus will install itself memory resident. The method used is to alter the Command Interpreter in memory, expanding its size. As an example, on my test system, the Command Interpreter in memory increased in size from 3,536 bytes to 5,504 bytes. One block of 48 bytes is also reserved in available free memory. The change in free memory will be a net decrease of 2,048 bytes. The JoJo Virus will not infect files if interrupt 13 is in use by any other program. Instead the virus will clear the screen, and the system will be hung. If the user performs a warm reboot (Ctrl-Alt-Del), the virus will remain in memory. Once the virus is able to become memory resident with interrupt 13 hooked, any .COM file executed will be infected by the virus. Infected files will increase in length by 1,701 bytes. While this virus has the same length as the Cascade/1701 Virus, it is not a variant of Cascade. Also see: JoJo 2 Virus Name: JoJo 2 Aliases: V Status: New Discovered: January, 1991 Symptoms: .COM growth; Message; "Not enough memory" errors; system hangs; cursor position off 1 character Origin: United States Eff Length: 1,703 Bytes Type Code: PRaCK - Parasitic Resident .COM Infector Detection Method: Removal Instructions: Delete infected files General Comments: The JoJo 2 Virus was submitted in January, 1991, by David Grant of the United States. This virus is based on the JoJo Virus as well as containing part of the decryption string for the Cascade Virus. It is a memory resident infector of .COM files, including COMMAND.COM. The first time a program infected with the JoJo 2 Virus is executed, the virus will install itself memory resident by altering the command interpretor in memory. The command interpretor in memory will have a size increase of 1,904 bytes. There is an additional 48 bytes which is reserved by the virus as well, similar to JoJo. Once the virus is memory resident, it will infect .COM files as they are executed. If COMMAND.COM is executed for any reason, it will become infected. Infected .COM programs will have a file size increase of 1,703 bytes with the virus being located at the end of the infected file. Text strings which can be found in files infected with the JoJo 2 Virus are: "The JOJO virus strikes again.xxxxxxxxxxxx zzz" "Fuck the system 1990 - (c)" "141$FLu" Systems infected with the JoJo 2 virus may experience system hangs when some infected programs are executed. Infected programs may also display the "Fuck the system 1990 - (c)" string, or a string of garbage characters from memory. Attempts to execute some programs may also fail due to "Not enough memory" errors. Lastly, after the virus has been resident for awhile, the user may notice that the cursor on the system monitor is off by one position to the right from where it should be. JoJo 2 may be detected by some anti-viral utilities as an infection of JoJo and Cascade/1701/1704. Also see: JoJo Virus Name: Joker Aliases: Jocker V Status: Extinct Discovered: December, 1989 Symptoms: Messages, .EXE/.DBF growth Origin: Poland Eff Length: ??? Bytes Type Code: PNE - Parasitic Non-Resident .EXE Infector Detection Method: ViruScan/X V67+, Pro-Scan, VirexPC Removal Instructions: Scan/D/X, or delete infected files General Comments: The Joker Virus was isolated in Poland in December, 1989. This virus is a generic .EXE file infector, and is a poor replicator (ie. it does not quickly infect other files). Programs which are infected with the Joker virus will display bogus error messages and comments. These messages and comments can be found in the infected files at the beginning of the viral code. Here are some of the messages and comments that may be displayed: "Incorrect DOS version" "Invalid Volume ID Format failure" "Please put a new disk into drive A:" "End of input file" "END OF WORKTIME. TURN SYSTEM OFF!" "Divide Overflow" "Water detect in Co-processor" "I am hungry! Insert HAMBURGER into drive A:" "NO SMOKING, PLEASE!" " Thanks." "Don't beat me !!" "Don't drink and drive." "Another cup of cofee ?" " OH, YES!" "Hard Disk head has been destroyed. Can you borow me your one?" "Missing light magenta ribbon in printer!" "In case mistake, call GHOST BUSTERS" "Insert tractor toilet paper into printer." This virus may also alter .DBF files, adding messages to them. The sample in the author of this listing possession does not replicate on an 8088 based system. This entry has been included since the sample may have been damaged before its receipt by the author. At best, there is a serious bug in the replication portion of this virus which prevents it from replicating. Virus Name: Joshi Aliases: Happy Birthday Joshi, Stealth Virus V Status: Common Discovered: June, 1990 Symptoms: BSC, machine hangs and message Origin: India Eff Length: N/A Type Code: BRX - Resident Boot Sector/Partition Table Infector Detection Method: ViruScan V64+, Pro-Scan 1.4+ Removal Instructions: CleanUp V66+, Pro-Scan 1.4+, RmJoshi, or Low-Level Format Harddisk and DOS SYS floppies General Comments: The Joshi Virus was isolated in India in June 1990. At the time it was isolated, it was reported to be widespread in India as well as portions of the continent of Africa. Joshi is a memory resident boot sector infector of 5.25" diskettes. It will also infect hard disks, though in the case of hard disks it infects the partition table or master boot sector rather than the boot sector (sector 0). After a system has been booted from a Joshi-infected diskette, the virus will be resident in memory. Joshi takes up approximately 6K of system memory, and infected systems will show that total system memory is 6K less than is installed if the DOS CHKDSK program is run. Joshi has some similarities to two other boot sector infectors. Like the Stoned virus, it infects the partition table of hard disks. Similar to the Brain virus's method of redirecting all attempts to read the boot sector to the original boot sector, Joshi does this with the partition table. On January 5th of any year, the Joshi virus activates. At that time, the virus will hang the system while displaying the message: "type Happy Birthday Joshi" If the system user then types "Happy Birthday Joshi", the system will again be usable. This virus may be recognized on infected systems by powering off the system and then booting from a known-clean write-protected DOS diskette. Using a sector editor or viewer to look at the boot sector of suspect diskettes, if the first two bytes of the boot sector are hex EB 1F, then the disk is infected. The EB 1F is a jump instruction to the rest of the viral code. The remainder of the virus is stored on track 41, sectors 1 thru 5 on 360K 5.25 inch Diskettes. For 1.2M 5.25 inch diskettes, the viral code is located at track 81, sectors 1 thru 5. To determine if a system's hard disk is infected, you must look at the hard disk's partition table. If the first two bytes of the partition table are EB 1F hex, then the hard disk is infected. The remainder of the virus can be found at track 0, sectors 2 thru 6. The original partition table will be a track 0, sector 9. The Joshi virus can be removed from an infected system by first powering off the system, and then booting from a known-clean, write- protected master DOS diskette. If the system has a hard disk, the hard disk should have data and program files backed up, and the disk must be low-level formatted. As of July 15, 1990, there are no known utilities which can disinfect the partition table of the hard disk when it is infected with Joshi. Diskettes are easier to remove Joshi from, the DOS SYS command can be used, or a program such as MDisk from McAfee Associates, though this will leave the viral code in an inexecutable state on track 41. Virus Name: July 13TH Aliases: V Status: Endangered Discovered: April, 1990 Symptoms: .EXE file growth, screen effects on July 13 Origin: Madrid, Spain Eff Length: 1,201 Bytes Type Code: PNE - Parasitic Non-Resident .EXE Infector Detection Method: ViruScan V64+, VirexPC, F-Prot 1.12+ Removal Instructions: Scan/D, F-Prot 1.12+, or delete infected files General Comments: The July 13TH Virus was isolated in Madrid, Spain, in April 1990 by Guillermo Gonzalez Garcia. This virus is a generic .EXE file infector, and is not memory resident. When a program infected with the July 13TH Virus is executed, the virus will attempt to infect a .EXE file. Files are only infected if they are greater in length than 1,201 bytes. Infected files increase in size by 1,201 to 1,209 bytes. The July 13TH Virus activates on July 13th of any year. At that time, a bouncing ball effect occurs on the system monitor's screen similar to the bouncing ball effect of the Ping Pong virus. While this virus is disruptive, it does not cause any overt damage to files other than infecting them. The bouncing ball effect created by this virus will occasionally leave dots on the screen where it was passing if the screen has been scrolled for any reason. Virus Name: June 16TH Aliases: Pretoria V Status: Endangered Discovered: April, 1990 Symptoms: .COM file growth, long disk accesses, June 16th FAT alteration Origin: Republic of South Africa Eff Length: 879 Bytes Type Code: PNC - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V62+, Pro-Scan 1.4+, VirexPC, AVTK 3.5+, F-Prot 1.12+, VirHunt 2.0+ Removal Instructions: VirHunt 2.0+, Scan/D, Pro-Scan 2.01+ General Comments: The June 16TH, or Pretoria, virus was discovered in April 1990. This virus is a non-resident generic .COM file infector, and is encrypted. The first time an infected file is executed, the virus will search the current drive (all directories) and infect all .COM files found. The search period can be quite long, and it is very obvious on hard disk based systems that the program is taking too long to load. On June 16TH of any year, the first time an infected file is executed the virus will activate. On activation, the virus will change all entries in the root directory and the file allocation table to "ZAPPED". The June 16TH virus is thought to have originated in South Africa. Virus Name: Kamikazi Aliases: V Status: Endangered Discovered: August, 1990 Symptoms: program corruption, system hangs, system reboots Origin: Bulgaria Eff Length: 4,031 Bytes Type Code: ONE - Overwriting Non-Resident .EXE Infector Detection Method: Pro-Scan 2.01+ Removal Instructions: Delete infected files General Comments: The Kamikazi Virus was submitted by Vesselin Bontchev of Bulgaria in August, 1990. This virus is a non-resident overwriting virus, and infects .EXE files. When a program infected with the Kamikazi virus is executed, the virus will infect another .EXE file in the current directory if the .EXE file's length is greater than 4,031 bytes. Kamikazi simply overwrites the first 4,031 bytes of the candidate program with its viral code, thus permanently damaging the candidate program being infected. The original 4,031 bytes of code is not stored at any other location. Infected files do not change in length. After infecting another .EXE program, the virus will then change the first 8 bytes of the infected program that was executed to "kamikazi", thus the virus's name. At this point, one of several symptoms may appear: the system may be rebooted by the virus, some of the contents of memory may get displayed on the screen, or the program may complete execution having appeared to have done nothing at all. In any event, the original executed program will never run successfully, doing what the user expects. If the infected program is executed a second time, it will hang the system since it is no longer an executable program. The .EXE header has been permanently damaged due to the first 8 characters having been changed to "kamikazi" by the virus when it was first executed. Virus Name: Kemerovo Aliases: USSR 257 V Status: Rare Discovered: December, 1990 Symptoms: .COM growth; ????????COM Path not found." message; file date/time changes Origin: USSR Eff Length: 257 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Kemerovo Virus was submitted in December, 1990 and is from the USSR. This virus is a non-resident direct action infector of .COM files, including COMMAND.COM. When a program infected with the Kemerovo Virus is executed, the virus will search the current drive and directory for a .COM program to infect. If an uninfected COM program is found, the virus will infect it, adding its viral code to the end of the original program. The newly infected program's date and time in the disk directory will also be updated to the current system date and time of infection. Infected programs will increase in length by 257 bytes. If an uninfected .COM file was not found in the current directory, the message "????????COM Path not found" may be displayed and the program the user is attempting to execute will be terminated. Kemerovo does not do anything besides replicate. Virus Name: Kennedy Aliases: Dead Kennedy, 333 V Status: Endangered Discovered: April, 1990 Symptoms: .COM growth, message on trigger dates (see text), crosslinking of files, lost clusters, FAT corruption Origin: Denmark Eff Length: 333 Bytes Type Code: PNCKF - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V62+, Pro-Scan 1.4+, VirexPC, F-Prot 1.12+, VirHunt 2.0+ Removal Instructions: Scan/D, F-Prot 1.12+, VirHunt 2.0+, or delete infected files General Comments: The Kennedy Virus was isolated in April 1990. It is a generic infector of .COM files, including COMMAND.COM. This virus has three activation dates: June 6 (assassination of Robert Kennedy 1968), November 18 (death of Joseph Kennedy 1969), and November 22 (assassination of John F. Kennedy 1963) of any year. On activation, the virus will display a message the following message: "Kennedy is dead - long live 'The Dead Kennedys'" The following text strings can be found in the viral code: "\command.com" "The Dead Kennedys" Systems infected with the Kennedy Virus will experience crosslinking of files, lost clusters, and file allocation table errors (including messages that the file allocation table is bad). Virus Name: Keypress Aliases: V Status: Common Discovered: October, 1990 Symptoms: .COM & .EXE growth; decrease in available free memory; keystrokes repeated unexpectedly Origin: USA Eff Length: 1,232 Bytes Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V71+, Pro-Scan 2.01+ Removal Instructions: Clean-Up V71+, or Delete infected files General Comments: The Keypress Virus was reported and isolated in many locations in the United States in late October, 1990. This virus is a memory resident infector of .COM and .EXE files, including COMMAND.COM. The first time a program infected with the Keypress Virus is executed, the virus will install itself memory resident at the top of free available memory, but below the 640K DOS boundary. Interrupts 1C and 21 will be hooked by the virus. Available free memory on the system will have decreased by 1,232 bytes. After the virus is memory resident, any file executed may become infected by the virus. In the case of .COM files, they are only infected if their original file length was greater than 1,232 bytes. .EXE files of any length will be infected, as will COMMAND.COM if it is executed. Infected programs will have their directory date/time changed to the system date and time when they were infected by this virus. .COM files will increase in length by between 1,234 and 1,248 bytes upon infection. .EXE files will increase by 1,472 to 1,486 bytes upon infection. In either case, the virus will be located at the end of the infected file. The Keypress Virus activates after being memory resident for 30 minutes. Upon activation, the virus may interfer with keyboard input by repeating keystrokes. For example, if "a" is entered on the keyboard, it may be changed to "aaaaaa" by the virus. Infected files can be identified by containing the following hex string near the end of the infected program: 4333C98E1E2901CD21. Virus Name: Korea Aliases: LBC Boot V Status: Common - Korea Discovered: March, 1990 Symptoms: BSC - 360k disks Origin: Seoul, Korea Eff Length: N/A Type Code: RF - Resident Floppy Boot Sector Infector Detection Method: ViruScan V61+, VirHunt 2.0+ Removal Instructions: M-Disk, or DOS SYS Command General Comments: The Korea, or LBC Boot, Virus was isolated in March 1990 in Seoul, Korea. This virus is a memory resident boot sector infector for 5.25" 360K diskettes. The Korea virus is not intentionally destructive, it does nothing in its current form except for replicating. In some instances, when Korea infects a diskette it will damage the root directory as it moves the original boot sector to sector 11, the last sector of the root directory. If sector 11 previously contained directory entries, they will be lost. Virus Name: Lehigh Aliases: Lehigh University V Status: Rare Discovered: November, 1987 Symptoms: Corrupts boot sector & FAT Origin: Pennsylvania, USA Eff Length: N/A Type Code: ORaKT - Overwriting Resident COMMAND.COM Infector Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: MDisk & replace COMMAND.COM with clean copy, or F-Prot General Comments: The Lehigh virus infects only the COMMAND.COM file on both floppies and hard drives. The infection mechanism is to over- write the stack space. When a disk which contains an uninfected copy of COMMAND.COM is accessed, that disk is then infected. A infection count is kept in each copy of the virus, and after 4 infections, the virus overwrites the boot sector and FATs. A variation of the Lehigh virus, Lehigh-2, exists which maintains its infection counter in RAM and corrupts the boot sector and FATs after 10 infections. Known variants of the Lehigh virus are: Lehigh-2 : Similar to Lehigh, but the infection counter is maintained in RAM, and the corruption of the boot sector and FATs occurs after 10 infections. Lehigh-B : Similar to Lehigh, the virus has been modified to avoid detection. Virus Name: Leprosy Aliases: Leprosy 1.00, News Flash V Status: Rare Discovered: August, 1990 Symptoms: unusual messages; program corruption Origin: California, USA Eff Length: 666 Bytes Type Code: ONAK - Overwriting Non-Resident .COM & .EXE Infector Detection Method: ViruScan/X V67+ Removal Instructions: Scan/D/X, or Delete infected files General Comments: The Leprosy Virus was discovered in the San Francisco Bay Area of California on August 1, 1990. This virus is a non-resident overwriting virus infecting .COM and .EXE files, including COMMAND.COM. Its original carrier file is suspected to be a file called 486COMP.ZIP which was uploaded to several BBSes. When you execute a program infected with the Leprosy virus, the virus will overwrite the first 666 bytes of all .COM and .EXE files in the directory one level up from the current directory. If the current directory is the root directory, all programs in the root directory will be infected. If COMMAND.COM is located in the directory being infected, it will also be overwritten. Infected files will show no file length increase unless they were originally less than 666 bytes in length, in which case their length will become 666 bytes. After the virus has infected the .COM and .EXE files, it will display a message. The message will be either: "Program to big to fit in memory" or: "NEWS FLASH!! Your system has been infected with the incurable decay of LEPROSY 1.00, a virus invented by PCM2 in June of 1990. Good luck!" The second message will only be displayed by one out of every seven .COM and .EXE files that the program infects. Since Leprosy is an overwriting virus, the programs which are infected with it will not function properly. In fact, once they are infected with this virus they will run for awhile (while the virus is infecting other files) and then display one of the two messages. The program execution will then end. If the system is booted from a diskette or hard drive that has Leprosy in its COMMAND.COM file, one of the above two messages will be displayed followed by: "Bad or missing Command Interpreter" This boot problem occurs because COMMAND.COM is no longer really COMMAND.COM. The boot will not proceed until a system boot diskette is inserted into the system and another boot is attempted. While Leprosy's messages are encrypted in the virus, infected files can be found by checking for the following hex string near the beginning of the file: 740AE8510046FE06F002EB08 Infected files must be deleted and replaced with clean, uninfected copies. There is no way to disinfect this virus since the first 666 bytes of the file have been overwritten, the virus does not store those bytes anywhere else. Known variant(s) of the Leprosy virus are: Leprosy-B : The major differences between the Leprosy and Leprosy-B virus are that Leprosy-B uses a slightly different encryption method, thus allowing it to avoid detection once Leprosy was isolated. Additionally, instead of infecting all programs in the directory selected for infection, Leprosy-B will infect four programs in the current directory each time an infected program is executed. If four non-infected files do not exist in the current directory, it will move up one level in the directory structure and infect up to four files in that directory. Like Leprosy, it overwrites the first 666 bytes of infected files. The Leprosy message has been replaced with the following message: "ATTENTION! Your computer has been afflicted with the incurable decay that is the fate wrought by Leprosy Strain B, a virus employing Cybernetic Mutation Technology (tm) and invented by PCM2 08/90." Virus Name: Liberty Aliases: V Status: Common Discovered: May, 1990 Symptoms: .COM, .EXE, .OVL growth Origin: Sydney, Australia Eff Length: 2,862 Bytes Type Code: PRfAK - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V63+, Pro-Scan 1.4+, VirexPC, F-Prot 1.12+, VirHunt 2.0+ Removal Instructions: VirHunt 2.0+, Clean-Up V72+, or Delete infected files General Comments: The Liberty Virus was isolated in Sydney, Australia in May, 1990. Liberty is a memory resident generic file infector, infecting .COM, .EXE, and overlay files. COMMAND.COM may also become infected. The Liberty Virus gets its name from the text string "Liberty" which will appear in all infected files. In .EXE files, it will be located in the last 3K of the file. In .COM files, it will appear near the very beginning of the program, as well as within the last 3K of the infected file. The first time a file infected with the Liberty Virus is executed, the virus will become memory resident. Liberty installs itself resident in high free memory, resulting in a decrease of 8,496 bytes of available free memory. It also directly changes the interrupt map page in memory so that interrupts 21 and 24 will put the virus in control. Total system memory does not change. After becoming memory resident, programs which are executed may be infected by the virus. All .EXE files will be infected, but only .COM files over 2K in length will become infected. Overlay files will also become infected. Infected files will increase in size between 2,862 and 2,887 bytes, and will end with the hex character string: 80722D80FA81772880. The main body of the virus will be located at the end of all infected files. Infected .COM files can also be identified by the following text string which will appear near the beginning of the infected program: "- M Y S T I C - COPYRIGHT (C) 1989-2000, by SsAsMsUsEsL" This string does not appear in infected .EXE files, the area where this string would have appeared in infected .EXE files will be 00h characters. Liberty is a self-encrypting virus. It is not yet known if it is destructive. Known variant(s) of Liberty are: Liberty-B : Isolated in November, 1990, this strain is functionally similar to the original Liberty Virus. The string which occurs at the end of all infected files has been changed to: C8004C40464842020EB. The word "MAGIC" will also be found repeated together many times in infected files. Liberty-C : Isolated in January, 1991, this variant is very similar to Liberty-B, there are 16 bytes which have been changed. Like Liberty-B, the word "MAGIC" will be found repeated together many times in infected files. The string which occurs at the end of all infected files has been changed to: C8004C404648422020E9. Virus Name: Lisbon Aliases: V Status: Rare Discovered: November, 1989 Symptoms: .COM growth, Unusable files (see text) Origin: Lisbon, Portugal Eff Length: 648 bytes Type Code: PNC - Parasitic Non-Resident COM Infector Detection Method: ViruScan V49+, F-Prot, IBM Scan, Pro-Scan, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: Scan/D, Pro-Scan 1.4+, VirexPC, F-Prot, VirHunt 2.0+ General Comments: The Lisbon virus is a strain of the Vienna virus first isolated by Jean Luz in Portugal in November, 1989. The virus is very similar to Vienna, except that almost every word in the virus has been shifted 1-2 bytes in order to avoid virus identification/detection programs which could identify the Vienna virus. 1 out of every 8 infected files will have the 1st 5 bytes of the 1st sector changed to "@AIDS", thus rendering the program unusable. Also see: Vienna Virus Name: Little Pieces Aliases: 1374 V Status: New Discovered: January, 1991 Symptoms: .COM & .EXE growth; decrease in available free memory; message; system hangs; unexpected screen clears Origin: Italy Eff Length: 1,374 Bytes Type Code: PRaE - Parasitic Resident .EXE Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected programs General Comments: The Little Pieces Virus was isolated in January, 1991, in Italy. This virus is a 1,374 byte memory resident infector of .EXE files. The first time a program infected with Little Pieces is executed, the virus will install itself memory resident. The area where it is memory resident is 1,392 bytes long and labelled COMMAND Data in low system memory. Some memory mapping utilities will combine this area with the command interpretor, so the command interpretor will appear to be 1,392 bytes longer than expected. Interrupts 13, 16, and 21 are hooked by the Little Pieces Virus. Once Little Pieces is memory resident, it will infect .EXE programs as they are executed. Infected .EXE programs will increase in size by 1,374 bytes and have the virus located at the end of the infected file. Infected files will not have their date and time in the disk directory altered. Systems infected with the Little Pieces Virus may experience the system display being cleared unexpectedly after a key is pressed on the keyboard. The following message is usually displayed after the screen is cleared, though not always: "One of these days I'm going to cut you into little pieces" This message cannot be viewed in infected files as it is encrypted within the virus. Infected system may also experience unexpected system hangs occurring, requiring the system to be rebooted. These hangs sometimes occur after the above message is displayed. Virus Name: Lozinsky Aliases: V Status: Rare Discovered: December, 1990 Symptoms: .COM file growth; file date/time changes; decrease in total system and available free memory Origin: USSR Eff Length: 1,023 Bytes Type Code: PRtCK - Parasitic Resident .COM Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected programs General Comments: The Lozinsky Virus was submitted in December, 1990 from the USSR. Lozinsky is a memory resident infector of .COM files, including COMMAND.COM. When the first program infected with Lozinsky is executed, the virus will install itself memory resident at the top of system memory but below the 640K DOS boundary. Interrupt 12's return will be moved so that the system will report 2,048 bytes of memory less than what is actually installed. Interrupts 13 and 21 will be hooked by the virus. COMMAND.COM will also become infected at this time. After Lozinsky is memory resident, it will infect .COM files which are executed or openned for any reason. Infected programs will show a file length increase of 1,023 bytes and have the virus located at the end of the program. Their date and time in the disk directory will also have been updated to the system date and time when the program was infected by Lozinsky. It is unknown if Lozinsky does anything besides replicate. Virus Name: Mardi Bros Aliases: V Status: Rare Discovered: July, 1990 Symptoms: BSC; volume label change; decrease in system and free memory Origin: France Eff Length: N/A Type Code: FR - Floppy Boot Sector Infector Detection Method: ViruScan V66+ Removal Instructions: M-Disk, or DOS SYS Command General Comments: The Mardi Bros Virus was isolated in July 1990 in France. This virus is a memory resident infector of floppy disk boot sectors. It does not infect hard disk boot sectors or partition tables. When a system is booted from a diskette infected with the Mardi Bros Virus, the virus will install itself memory resident. It resides in 7,168 bytes above the top of memory, but below the 640K DOS Boundary. The decrease in system and free memory can be seen using the DOS CHKDSK command, or several other memory mapping utilities. Mardi Bros will infect any non-write protected diskette which is exposed to the system. Infected diskettes can be easily identified as their volume label will be changed to "Mardi Bros". The CHKDSK program will show the following for the diskette's Volume label information: "Volume Mardi Bros created ira 0, 1980 12:00a" While the infected boot sector on the diskette will have the DOS messages still remaining, it will also include the following phrase near the end: "Sudah ada vaksin" It is unknown if Mardi Bros is destructive, it appears to do nothing but spread. Mardi Bros can be removed from infected diskettes by first powering off the system and rebooting from a known clean write protected DOS master diskette. The DOS SYS command should then be used to replace the infected diskette's boot sector. Alternately, MDisk can be used following the power-down and reboot. Virus Name: MG Aliases: V Status: New Discovered: September, 1990 Symptoms: .COM file growth; DIR command may not function properly; File allocation errors; System hangs Origin: Bulgaria Eff Length: 500 Bytes Type Code: PRCK - Parasitic Resident .COM Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The MG Virus was submitted in January, 1991, though it has been mentioned by Bulgarian researchers several times since September, 1990. This virus is named MG as it was originally isolated at Matematicheska Gimnazia, a school in Varna, Bulgaria. It is a memory resident infector of .COM files, including COMMAND.COM. The first time a program infected with MG is executed, the virus will install itself memory resident in a portion of the interrupt table in memory. Interrupt 24 is hooked by the virus, as are several other interrupts. After MG is memory resident, it will infect programs when one of two things occurs: either the user attempts to execute any program, or a Dir command is performed. In the case of a program being executed, the virus will infect one program in the current directory, though not necessarily the program being executed. When a Dir command is executed, one program in the current directory will be infected as well. .COM programs infected with MG will increase in length by 500 bytes, though the file length increase will not be visible in a dir listing if the virus is memory resident. File date and time in the disk directory are also not altered. The virus will be located at the end of infected programs. Symptoms of a MG infection are that the DOS Chkdsk program will show File allocation errors on all infected .COM programs if the virus is present in memory. The DOS Dir command may also not function properly, for example DIR A:*.COM will yield "File not found" even though .COM files exist on the A: drive. At other times, pauses will occur in the disk directory being displayed by the Dir command. Another symptom is that unexpected system hangs may occur due to the interrupt table being infected in memory. Also see: MG-2 Virus Name: MG-2 Aliases: V Status: New Discovered: December, 1990 Symptoms: .COM file growth; File Allocation Errors; Dir command may not function properly Origin: Bulgaria Eff Length: 500 Bytes Type Code: PRsCK - Parasitic Resident .COM Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The MG-2 Virus was received in December, 1990, and is believed to have originated in Bulgaria. This virus is a direct action, memory resident infector of .COM programs, including COMMAND.COM. When a program infected with the MG-2 Virus is first executed, the virus will install itself memory resident. The DOS ChkDsk command, when executed on an infected system, will indicate that total system memory and available free memory have decreased by 55,104 bytes. This virus remaps many interrupts, including interrupt 24. A portion of the virus will also be resident above 640K if memory is available. After the MG-2 Virus is memory resident, it will infect one .COM program in the current directory each time an infected .COM program is executed. Infected .COM programs will not show a file length increase if the virus is memory resident. With the virus memory resident, the DOS ChkDsk command will indicate a file allocation error for all infected files. Infected files actually increase 500 bytes in length and have the virus located at the end of the infected file. Systems infected with the MG-2 Virus may notice that the DOS Dir command does not always return the results expected. For example, issuing a "DIR C:\DOS" command may result in the C: drive root directory being displayed instead of the C:\DOS directory. Another case is that issuing the command "DIR A:*.COM" will result in "File not found" though .COM files exist on that drive. Known variant(s) of MG-2 are: MG-3 : Functionally similar to MG-2, this variant has been altered to avoid detection. It is also 500 bytes in length. Also see: MG Virus Name: MGTU Aliases: V Status: Rare Discovered: December, 1990 Symptoms: .COM file growth; excessive disk activity; file date/time changes; "????????COM Path not found." message Origin: USSR Eff Length: 273 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The MGTU Virus was submitted in December, 1990 and came from the USSR. This virus is a non-resident direct action infector of .COM files, including COMMAND.COM. When a program infected with the MGTU Virus is executed, the virus will search the current drive and directory for uninfected .COM programs. All uninfected .COM programs will become infected with the virus. Infected .COM programs will have a file length increase of 273 bytes with the virus being located at the end of the file. Their date and time in the disk directory will also have been updated to the system date and time when infection occurred. Infected systems will display excessive disk activity each time an infected program is executed. This activity occurs because the virus is checking all of the .COM programs in the current directory to determine if they are already infected, or if they need to be infected. Infected systems may also experience the following message being displayed for no apparent reason: "????????COM Path not found." MGTU does not do anything besides replicate. Virus Name: Microbes Aliases: V Status: Common - India Discovered: June, 1990 Symptoms: BSR Origin: Bombay, India Eff Length: N/A Type Code: BR - Floppy and Hard Disk Boot Sector Infector Detection Method: ViruScan V64+, Pro-Scan 1.4+ Removal Instructions: M-Disk, Pro-Scan 1.4+, or DOS SYS Command General Comments: The Microbes virus was isolated in June, 1990 in India. It is a memory resident boot sector infector of both floppy diskettes and hard disks. The Microbes virus becomes memory resident when a system is booted from a disk infected with the Microbes virus. The system may hang on this boot, and inserted a diskette to boot from will result in this new diskette becoming infected. At least on the author's XT test system, the system could not successfully boot with the Microbes virus present without powering off the system and rebooting from a write protected master boot diskette. As with other boot sector infectors, Microbes can be disinfected from diskettes and hard drives by powering off the system and booting from a known clean write protected master boot diskette for the system. The DOS SYS command can then be used to recreate the boot sector on the diskette. Virus Name: Mirror Aliases: V Status: Rare Discovered: October, 1990 Symptoms: .EXE growth; decrease in available free memory; mirror effect of display on activation Origin: Unknown Eff Length: 927 Bytes Type Code: PRhE - Parasitic Resident .EXE Infector Detection Method: ViruScan V67+, Pro-Scan 2.01+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Mirror Virus was discovered in October, 1990. This virus is a memory resident direct action infector of .EXE files. The first time a program infected with the Mirror Virus is executed, the virus will install itself memory resident at the top of free available memory. Free available memory will decrease by 928 bytes, and the virus will hook interrupt 21. At this time, the virus will also infect all other .EXE programs located in the current directory. Infected programs will increase in length by 927 to 940 bytes, with the virus being located at the end of the infected file. Infected programs will also always end with the two text characters "IH". The Mirror Virus gets its name from its behavior. Every once in awhile it will change the system's video display so that a mirror image of what was previously on the display appears. Virus Name: MIX/1 Aliases: MIX1, Mix1 V Status: Rare Discovered: August, 1989 Symptoms: TSR, .EXE growth, location 0:33C = 77h, garbled output Origin: Israel Eff Length: 1,618 Bytes Type Code: PRsE - Parasitic Resident .EXE Infector Detection Method: ViruScan V37+, F-Prot, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: Scan/D, Virus Buster, Pro-Scan 1.4+, VirexPC 1.1B+, F-Prot, VirHunt 2.0+ General Comments: The MIX1 Virus was originally isolated on August 22, 1989, on several BBSs in Israel. This virus is a parasitic memory- resident .EXE file infector. Once an infected program has been executed, the virus will take up 2,048 bytes in RAM. Each .EXE file then executed will grow in length between 1,618 and 1,634 bytes, depending on the original file size. The virus will not, however, infect files of less than 8K in size. Infected files can be manually identified by a characteristic "MIX1" always being the last 4 bytes of an infected file. Using Debug, if byte 0:33C equals 77h, then the MIX1 virus is in memory. This virus will cause garbled output on both serial and parallel devices, as well as the num-lock being constantly on. After the 6th infection, booting the system will crash the system due to a bug in the code, and a ball will start bouncing on the system monitor. There is a variant of this virus which does not have the problem of system crashes occurring, and will only infect files that are greater than 16K in length. Mix/1 has several code similarities to Icelandic, which it may have been derived from. Also see: Icelandic Virus Name: Monxla Aliases: Time Virus V Status: Rare Discovered: November, 1990 Symptoms: .COM growth; system hangs and/or reboots; program execution failures Origin: Hungary Eff Length: 939 Bytes Type Code: PRfCK - Parasitic Resident .COM Infector Detection Method: ViruScan V71+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Monxla, or Time, Virus was discovered in November, 1990 in Hungary. This virus is a memory resident direct action infector of .COM files, including COMMAND.COM. When a program infected with the Monxla Virus is executed, the virus will check the current system time. If the system time's current seconds is greater than 32/100's of a second, the virus will install a very small portion of itself memory resident at the top of free memory but below the 640K DOS boundary. The virus allocates 80 bytes, and will hook interrupts 20 and F2. The F2 interrupt is later used to determine if the virus is in memory, thus avoiding multiple memory allocations. The memory resident portion of the virus is not used to infect files. Each time a program infected with the Monxla Virus is executed, the virus will search for one uninfected .COM file with a length between 3,840 and 64,000 bytes to infect. The current directory is searched first, and then the directories along the system path. Once an uninfected .COM file is found that satisfies the length requirement, the virus will infect it. On other than the 13th day of any month, the virus will add its viral code to the end of the candidate file, increasing the file's length by 939 bytes. On the 13th day of any month, the virus activates. The activation involves damaging the files that it infects based on the current seconds in the system time. At the time the virus attempts to infect another .COM file, the virus will damage the file in one of three ways. If the current seconds was greater than 60/100's, 4 HLTs followed by a random interrupt will be placed at the beginning of the file being infected. Later when the program is executed, it may perform rather strangely be destructive. It depends on what the random interrupt was. If the current seconds was greater than 30/100's, but less than 60/100's, two INT 19 calls are placed at the beginning of the file. Later when the program is executed, it will attempt to perform a warm reboot preserving the current interrupt vectors. This, however, will result in a system hang if any interrupt between 00h and 1Ch was previously hooked. If the current seconds was greater than 00/100's but less than 30/100's, a INT 20 call is placed at the beginning of the program being infected, thus resulting in it immediately terminating when later executed. Virus Name: Monxla B Aliases: Time B V Status: New Discovered: January, 1991 Symptoms: .COM growth; File corruption Origin: Hungary Eff Length: 535 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Monxla B Virus was isolated in January, 1991 in Hungary. This virus is a non-resident direct action infector of .COM files, including COMMAND.COM. When a program infected with Monxla B is executed, the virus will check the seconds portion of the system time. Depending on the value found, either one .COM program in the current directory will be infected, or one .COM program in the current directory will be corrupted. If the seconds portion of the system time is equal 0 or a multiple of 8, one .COM program in the current directory, or on the system path, will be corrupted by the first five characters of the selected .COM program being changed to the hex string: 004D004F4D, or " M OM" in text. Corrupted programs will not have a file length increase. Later execution of these corrupted programs will usually result in the system being hung, requiring a reboot. If the seconds portion of the system time was not 0 or a multiple of 8, a .COM program in the current directory will be infected with Monxla B. If no programs exist in the current directory which are neither corrupted or infected, the virus will follow the system path to find a candidate program to infect. Infected .COM programs will increase in length by 535 bytes, the virus will be located at the end of infected programs. The virus will also have changed the seconds in the file time in the disk directory to 58 so that the virus can later tell that the file is infected. Virus Name: Murphy Aliases: Murphy-1, V1277, Stealth Virus V Status: Common - Bulgaria Discovered: April, 1990 Symptoms: .COM & .EXE growth, system hangs, speaker noise, possible bouncing ball effect (see Murphy-2 below) Origin: Sofia, Bulgaria Eff Length: 1,277 Bytes Type Code: PRA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V63+, Pro-Scan 1.4+, F-Prot 1.12+ Removal Instructions: Scan/D, Pro-Scan 1.4+, or Delete infected files General Comments: The Murphy Virus was isolated in Bulgaria in April, 1990. It is a memory resident generic .COM & .EXE infector, and will infect COMMAND.COM. The first time an infected program is executed on a system, the virus installs itself memory resident. After it is memory resident, if a file is executed, or openned for any reason, it is infected by the Murphy Virus. When the first non-infected program is executed with the virus in memory, the virus will attempt to infect COMMAND.COM. The program being executed will also be infected at that time. Infected programs will increase in length by 1,277 Bytes. Programs which are less than 1,277 Bytes in length will not be infected. The Murphy Virus watches the system time. When the system time is between 10AM and 11AM, the virus will turn on the system speaker and send a 61h to it. At any other time, the virus will not attempt to use the system speaker. The following text message is contained within the Murphy Virus, giving an idea of when it was written and by whom, though they are not displayed: "Hello, I'm Murphy. Nice to meet you friend. I'm written since Nov/Dec. Copywrite (c)1989 by Lubo & Ian, Sofia, USM Laboratory." Systems infected by the Murphy Virus may also experience system hangs when the virus attempts to infect .EXE files. Known variant(s) of the Murphy Virus are: Murphy-2 or V1521 - Similar to the Murphy Virus, its length is 1,521 Bytes. The non-displayed messages in the virus are now: "It's me - Murphy. Copywrite (c)1990 by Lubo & Ian, Sofia, USM Laboratory." The Murphy-2 will infect any .EXE file, as well as any .COM file over 900 Bytes. Instead of turning the system speaker on between 10AM and 11AM, this variant waits for the system time to have the minutes set to 00, then it may have a "bouncing ball" effect similar to several other viruses. This effect does not, however, occur on all systems. Virus Name: MusicBug Aliases: Music Boot, Music Bug V Status: Common Discovered: December, 1990 Symptoms: decrease in total system and available free memory; clicking; music randomly played on system speaker; lost clusters Origin: Taiwan Eff Length: N/A Type Code: BRtX - Resident Boot Sector & Partition Table Infector Detection Method: ViruScan V72+ Removal Instructions: Clean-Up V74+, or see below General Comments: The MusicBug Virus is a memory resident boot sector and partition table infector discovered in December, 1990. It originated in Taiwan. When a system is booted from a diskette infected with the MusicBug Virus, the virus will install itself memory resident at the top of system memory but below the 640K DOS boundary. The interrupt 12 return will be moved, so 640K systems will now report 638K of installed system memory. Clicking may be heard for a short time from the system speaker before the boot proceeds, but more likely a section of a tune will be played. The boot will then proceed. Once MusicBug is memory resident, it will periodically play another portion of the same tune when disk accesses occur. It is thus rather disruptive. When MusicBug is memory resident, any disk accessed (including the system hard disk) will become infected with the virus. In the case of hard disks, MusicBug infects the hard disk partition table and boot sector. Infected disks will have 4K in lost clusters which will contain the virus's code as well as a copy of the disk's original boot sector. The following text strings can also be found in these lost clusters: "MusicBug v1.06. MacroSoft Corp." "Made in Taiwan" Diskettes infected with the MusicBug Virus can be disinfected after powering off the system and booting from a write protected system diskette, then using the DOS SYS command. The lost clusters can then be removed by using the ChkDsk command with the /F parameter. Hard disks, however, cannot be disinfected in the same way. While the DOS SYS command will remove the virus from the hard disk's boot sector, and the lost clusters can be recovered, the hard disk will remain an unbootable non-system disk until a low-level format is performed. Virus Name: New Jerusalem Aliases: V Status: Rare Discovered: October, 1989 Symptoms: TSR; .EXE, .COM, etc. (see below) growth; system slowdown; deleted files on Friday 13th Origin: Holland Eff Length: 1,813 Bytes (.COM) & 1,808 Bytes (.EXE) Type Code: PRsA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V45+, F-Prot, Pro-Scan 1.4+ Removal Instructions: Saturday, CleanUp, F-Prot, Pro-Scan 1.4+ General Comments: New Jerusalem is a variation of the original Jerusalem virus which has been modified to be undetectable by ViruScan versions prior to V45 as well as IBM's VIRSCAN product as of October 20, 1989. The virus was first detected when it was uploaded to several BBSs in Holland beginning on October 14, 1989. It infects both .EXE and .COM files and activates on any Friday The 13th, deleting infected programs when they are attempted to be run. This virus is memory resident, and as with other Jerusalem viruses, may infect overlay, .SYS, .BIN, and .PIF files. Also see: Jerusalem, Jerusalem B, Payday, Suriv 3.00 Virus Name: Nina Aliases: V Status: New Discovered: December, 1990 Symptoms: .COM growth; decrease in total system and available free memory; Origin: Bulgaria Eff Length: 256 Bytes Type Code: PRhCK - Parasitic Resident .COM & Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Nina Virus was received in December, 1990, and is from Bulgaria. This virus is a memory resident infector of .COM files, including COMMAND.COM. When the first program infected with the Nina Virus is executed, Nina will install itself memory resident at the top of system memory but below the 640K DOS boundary. Total system memory and available free memory will decrease by 1,024 bytes as shown by the DOS ChkDsk command. Interrupt 21 will be hooked by the virus. After Nina is memory resident, it will infect .COM programs that are greater than 256 bytes in length as they are executed. If COMMAND.COM is executed, it will become infected. Infected .COM programs increase in length by 256 bytes, and will have the virus located at the beginning of the infected file. The Nina Virus is named Nina because the virus contains the text string "Nina" within the viral code. This virus does not do anything besides replicate. Virus Name: Nomenklatura Aliases: Nomenclature, 1024-B V Status: Rare Discovered: August, 1990 Symptoms: .EXE, .COM growth; decrease in available free memory; "sector not found" messages on diskettes; Origin: Netherlands Eff Length: 1,024 Bytes Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V67+, Pro-Scan 2.01+ Removal Instructions: Scan/D or Delete infected files General Comments: The Nomenklatura Virus was isolated in August, 1990 in the Netherlands. This virus is a memory resident infector of .COM and .EXE files, including COMMAND.COM. It is not related to the V1024 virus, though it is the same length. The first time a program infected with the Nomenklatura Virus is executed on a system, the virus installs itself memory resident at the top of available system memory, but below the 640K DOS boundary. Available system memory will decrease by 1,024 bytes, and interrupt 21 will be hooked by the virus. When the virus is memory resident, any .COM or .EXE program greater in length then approximately 1,023 bytes that is executed or openned for any reason will be infected by the Nomenklatura virus. Infected files will have their file lengths increased by 1,024 bytes. The virus does not hide the increase in file length when the disk directory is displayed. Attempts to execute uninfected programs from a write-protected diskette with the virus in memory will result in a "Sector not found error" message being displayed, and the program not being executed. The Nomenklatura Virus is destructive to the contents of diskettes exposed to infected systems. File corruption will randomly occur, with the frequency increasing as the disk becomes more filled with data. The file errors may occur on data files as well program files. This file corruption occurs due to the virus occassionally swapping a pair of words in the sector buffer. It may also do this to critical system areas such as the FAT, boot sector, or directories since it may occur to any clusters on the disk. If a file or critical system area was residing in a corrupted cluster, it will be corrupted. As such, systems which has been exposed to the Nomenklatura Virus must be carefully checked as the integrity of non-infected programs and any datafiles should be considered suspect. The virus has been named Nomenklatura as this text string appears in all programs infected with this virus. Virus Name: Number One Aliases: Number 1 V Status: Extinct Discovered: 1987 (see below) Symptoms: .COM files fail to function; <Smile> displayed Origin: West Germany Eff Length: 12,032 Bytes Type Code: ONC - Overwriting Non-Resident .COM Infector Detection Method: Removal Instructions: Scan/D or Delete infected files General Comments: The Number One Virus was submitted for inclusion in this listing in September, 1990. This virus, however, is not a new virus but is an extinct rather "old" virus. The Number One Virus was written in October, 1987, by M. Vallen using Turbo Pascal 3.01A. It is documented, complete with source, in a book by Ralf Burger. This virus is an non-resident overwriting virus which infects .COM files. When a program infected with the Number One Virus is executed, the virus will infect the first uninfected .COM file it finds in the current directory. If the .COM file was originally less than 12,032 bytes in length, it will now have a 12,032 bytes. Infected files will also have their date/timestamps in the directory changed to reflect the time of infection. After Number One has finished infecting a .COM file, it will display the message: "This File Has Been Infected by Number One! XXXXXXXX.COMinfected." The XXXXXXXX is the name of the .COM file that has just been infected by the virus. When there are no more .COM files for Number One to infect in the current directory, it will display the following message: "This File Has Been Infected by Number One! <Smile>" Number One will not infect any files which have the Read Only Attribute set. Since Number One is an overwriting virus, it is not possible to remove the virus from infected files and repair the damage. Infected files should be erased and replaced with clean copies. Virus Name: Ohio Aliases: V Status: Common Discovered: June, 1988 Symptoms: BSC, Resident TOM Origin: Indonesia Eff Length: N/A Type Code: RtF - Resident Floppy Boot Sector Infector Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: MDisk, F-Prot, VirexPC, Pro-Scan 1.4+, or DOS SYS Command General Comments: The Ohio virus is a memory resident boot sector infector, only infecting 360K floppy disks. The Ohio virus is similar in many respects to the Den Zuk virus, and is believed to possibly be the earlier version of Den Zuk. A diskette infected with Ohio will be immune to infection by the Pakistani Brain virus. The following text strings appear in the Ohio virus: "V I R U S b y The Hackers Y C 1 E R P D E N Z U K 0 Bandung 40254 Indonesia (C) 1988, The Hackers Team...." Also see: Den Zuk Virus Name: Ontario Aliases: V Status: Rare Discovered: July, 1990 Symptoms: .COM & .EXE growth; decrease in system and free memory; hard disk errors in the case of extreme infections Origin: Ontario, Canada Eff Length: 512 Bytes Type Code: PRtAK - Parasitic Encrypted Resident .COM & .EXE Infector Detection Method: ViruScan V66+, Pro-Scan 2.01+ Removal Instructions: SCAN /D, or Delete infected files General Comments: The Ontario Virus was isolated by Mike Shields in Ontario, Canada in July, 1990. The Ontario virus is a memory resident infector of .COM, .EXE, and overlay files. It will infect COMMAND.COM. The first time a program infected with the Ontario Virus is executed, it will install itself memory resident above the top of system memory but below the 640K DOS boundary. Total system memory and free memory will be decreased by 2,048 bytes. At this time, the virus will infect COMMAND.COM on the C: drive, increasing its length by 512 bytes. Each time an uninfected program is executed on the system with the virus memory resident, the program will become infected with the viral code located at the end of the file. For .COM files, they will increase by 512 bytes in all cases. For .EXE and overlay files, the file length increase will be 512 - 1023 bytes. The difference in length for .EXE and overlay files is because the virus will fill out the unused space at the end of the last sector of the uninfected file with random data (usually a portion of the directory) and then append itself to the end of the file at the next sector. Systems using a sector size of more than 512 bytes may notice larger file increases for infected files. Infected files will always have a file length that is a multiple of the sector size on the disk. In the case of extreme infections of the Ontario Virus, hard disk errors may be noticed. Ontario uses a complex encryption routine, and a simple identification string will not identify this virus. Virus Name: Oropax Aliases: Music Virus, Musician V Status: Rare Discovered: December, 1989 Symptoms: .COM growth, tunes Origin: Eff Length: 2,756 - 2,806 bytes, but usually 2,773 bytes Type Code: PRC - Parasitic Resident .COM Infector Detection Method: ViruScan V53+, F-Prot, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: SCAN /D, F-Prot, VirexPC, Pro-Scan 1.4+, VirHunt 2.0+ or delete infected files General Comments: The Oropax virus has had several reports, but wasn't first isolated until December 1989. It infects .COM files, increasing their length by between 2,756 bytes and 2,806 bytes. Infected files will always have a length divisible by 51. The virus may become active (on a random basis) five minutes after infection of a file, playing three different tunes with a seven minute interval in between. One variant recently reported in Europe plays six different tunes at seven minute intervals. Virus Name: Paris Aliases: V Status: Rare Discovery: August, 1990 Symptoms: .COM & .EXE file growth; slow program loads upon execution; Diskette corruption after diskette boot Origin: Paris, France Eff Length: 4,909 Bytes Type Code: PNAK - Parasitic Non-Resident .COM & .EXE Infector Detection Method: ViruScan V66+, Pro-Scan 2.01+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Paris Virus was isolated in Paris, France, in early August, 1990. This virus is a generic infector of .COM, .EXE and overlay files, and will infect COMMAND.COM. It is not memory resident. When a program infected with the Paris Virus is executed, the virus will infect all .COM, .EXE and overlay files on the current drive and directory, with the exception of very small .COM files. It will also check to see if COMMAND.COM on the C: drive is uninfected, if it has not previously been infected it will become infected. Infected files will increase in length by between 4,909 - 4, 25 bytes, with the virus located at the end of the infected file. The Paris Virus can be destructive in some instances, resulting in diskettes becoming corrupted if the system is booted from a diskette with a Paris infected COMMAND.COM program. Virus Name: Parity Aliases: V Status: New Discovered: December, 1990 Symptoms: .COM file growth; long .COM program loads; possibly intermittent parity errors Origin: Bulgaria Eff Length: 441 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Parity Virus was received in December, 1990, and originated in Bulgaria. This virus is a non-memory resident infector of .COM files, and will infect COMMAND.COM. When a program infected with the Parity Virus is executed, the virus will infect all .COM files in the current directory. If COMMAND.COM is in the current directory, it will become infected. Infected .COM programs will increase in length by 441 bytes, the virus being located at the end of the infected program. The program's date and time in the disk directory will not be altered by the virus. The major symptom of a Parity Virus infection is that it will take significantly longer to load and execute infected .COM files. The increase in time is due to the virus searching the current drive for .COM files to infect. This virus may also display a message "PARITY CHECK 2" at times, and halt the system. Virus Name: Payday Aliases: V Status: Rare Discovered: November, 1989 Symptoms: TSR, .EXE & .COM growth, system slowdown, deleted files on Friday EXCEPT 13th, "Black WIndow" Origin: Netherlands Eff Length: 1,808 Bytes (.EXE) & 1,813 Bytes (.COM) Type Code: PRA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V51+, F-Prot, Pro-Scan 1.4+, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: UnVirus, Saturday, CleanUp, F-Prot, Pro-Scan 1.4+ General Comments: The Payday virus was isolated by Jan Terpstra of the Netherlands in November, 1989. It is a variant of the Jerusalem B virus, the major difference being that the activation criteria to delete files has been changed from every Friday The 13th to any Friday but Friday The 13ths. Also see: Jerusalem, Jerusalem B, New Jerusalem, Suriv 3.00 Virus Name: Pentagon Aliases: V Status: Extinct Discovered: January, 1988 Symptoms: TSR, BSC 360k floppies, file (see text) Origin: USA Eff Length: N/A Type Code: RF - Resident Floppy Boot Sector Infector Detection Method: ViruScan, F-Prot, VirexPC Removal Instructions: MDisk, CleanUp, or DOS SYS Command General Comments: The Pentagon virus consists of a normal MS-DOS 3.20 boot sector where the name 'IBM' has been replaced by 'HAL', along with two files. The first file has a name of the hex character 0F9H, and contains the portion of the virus code which would not fit into the boot sector, as well as the original boot sector of the infected disk. The second file is named PENTAGON.TXT and does not appear to be used or contain any data. The 0F9H file is accessed by its absolute storage address. Portions of this virus are encrypted. The Pentagon virus only infects 360K floppies, and will look for and remove the Brain virus from any disk that it infects. It is memory resident, occupying 5K of RAM, and can survive a warm reboot or CTL-ALT-DEL. Virus Name: Perfume Aliases: 765, 4711 V Status: Endangered Discovered: December, 1989 Symptoms: .COM growth, messages Origin: Germany Eff Length: 765 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: Scan/D/X, F-Prot, Pro-Scan 1.4+, VirHunt 2.0+, or delete infected files General Comments: The Perfume virus is of German origin, and has also been isolated in Poland in December, 1989. This virus infects .COM files, and will look for COMMAND.COM and infect it if it isn't already infected. Infected files always grow in length by 765 bytes. The virus will sometimes ask the system user a question, and then not run the infected program unless the system user responds by typing 4711, the name of a German perfume. In the most common variant of this virus, however, the questions have been overwritten with miscellaneous characters. Also see: Sorry Virus Name: Phoenix Aliases: P1 V Status: Rare Discovered: July, 1990 Symptoms: .COM growth, system reboots, CHKDSK program failure, COMMAND.COM header change Origin: Bulgaria Eff Length: 1,704 Bytes Type Code: PRhCK - Parasitic Resident .COM Infector Detection Method: ViruScan V66+, Pro-Scan 2.01+ Removal Instructions: Scan/D, or delete infected files General Comments: The Phoenix virus is of Bulgarian origin, and was submitted to the author of this document in July, 1990 by Vesselin Bontchev. This virus is one of a family of three (3) viruses which may be referred to as the P1 or Phoenix Family. Each of these viruses is being documented separately due to their varying characteristics. The Phoenix virus is a memory resident, generic infector of .COM files, and will infect COMMAND.COM. The first time a program infected with the Phoenix virus is executed, the virus will install itself memory resident in free high memory, reserving 8,192 bytes. Interrupt 2A will be hooked by the virus. System total memory and free memory will decrease by 8,192 bytes. If the program was executed from a floppy drive, and COMMAND.COM was not present on the diskette, the virus will request that a diskette with \COMMAND.COM present be inserted in the drive. Phoenix will immediately infect COMMAND.COM by overwriting part of the binary zero portion of the program, and changing the program's header information. COMMAND.COM will not change in file length. The virus will then similarly infect COMMAND.COM residing in the C: drive root directory. After becoming memory resident, the virus will attempt to infect any .COM file executed. Most of its attempts, however, will not result in a file being infected. Phoenix is a fairly poor replicator. If the virus is successful in infecting the file, it will append its viral code to the end of the file, increasing the file's length by 1,704 bytes. Phoenix is not able to recognize when it has previously infected a file, so it may reinfect .COM files several times. Each infection will result in another 1,704 bytes of viral code being appended to the file. Systems infected with the Phoenix virus will experience problems with executing CHKDSK.COM. Attempts to execute this program with Phoenix memory resident will result in a warm reboot of the system occurring, however the memory resident version of Phoenix will not survive the reboot. If an autoexec.bat file is not present on the drive being booted from, the system will prompt for the user to enter Date and Time. The Phoenix Virus employs a complex encryption mechanism, and virus scanners which are only able to look for simple hex strings will not be able to detect it. There is no simple hex string in this virus that is common to all infected samples. This virus is not related to the Cascade (1701/1704) Virus. Also see: Evil, PhoenixD Virus Name: PhoenixD Aliases: P1 V Status: Rare Discovered: July, 1990 Symptoms: .COM growth, system reboots, CHKDSK program failure, COMMAND.COM header change Origin: Bulgaria Eff Length: 1,704 Bytes Type Code: PRhCK - Parasitic Resident .COM Infector Detection Method: ViruScan V66+, Pro-Scan 2.01+ Removal Instructions: Scan/D, or delete infected files General Comments: The PhoenixD virus is of Bulgarian origin, and was submitted to the author of this document in July, 1990 by Vesselin Bontchev. This virus is one of a family of three (3) viruses which may be referred to as the P1 or Phoenix Family. Each of these viruses is being documented separately due to their varying characteristics. The PhoenixD virus is a memory resident, generic infector of .COM files, and will infect COMMAND.COM. The PhoenixD Virus is a "bug fixed" version of the Phoenix virus. The first time a program infected with the PhoenixD virus is executed, the virus will install itself memory resident in free high memory, reserving 8,192 bytes. Interrupt 2A will be hooked by the virus. System total memory and free memory will decrease by 8,192 bytes. PhoenixD will then check to see if the current drive's root directory contains a copy of COMMAND.COM. If a copy of COMMAND.COM is found, it will be infected by PhoenixD by overwriting part of the binary zero portion of the program, and changing the program's header information. COMMAND.COM will not change in file length. The virus will then similarly infect COMMAND.COM residing in the C: drive root directory. After becoming memory resident, the virus will attempt to infect any .COM file executed. PhoenixD is a much better replicator than the original Phoenix Virus, and is usually able to infect files. Infected files will increase in length by 1,704 bytes. PhoenixD is not able to recognize when it has previously infected a file, so it may reinfect .COM files several times. Each infection will result in another 1,704 bytes of viral code being appended to the file. A characteristic present in the PhoenixD Virus which is not found in the original Phoenix Virus is that in addition to it infecting .COM files as they are executed, .COM files will be infected when they are opened for any reason. The simple act of copying a .COM file with PhoenixD present in memory will result in both the source and target files being infected. Systems infected with the PhoenixD virus will experience problems with executing CHKDSK.COM. Attempts to execute this program with Phoenix memory resident will result in a warm reboot of the system occurring. If an autoexec.bat file is not present on the drive being booted from, the system will prompt for the user to enter Date and Time. The PhoenixD Virus employs a complex encryption mechanism, and virus scanners which are only able to look for simple hex strings will not be able to detect it. There is no simple hex string in this virus that is common to all infected samples. This virus is not related to the Cascade (1701/1704) virus. Also see: Evil, Phoenix Virus Name: Ping Pong Aliases: Bouncing Ball, Bouncing Dot, Italian, Vera Cruz V Status: Extinct Discovered: March, 1988 Symptoms: Graphic display (see text), TSR, BSC Origin: Eff Length: N/A Type Code: RsF - Resident Floppy Boot Sector Infector Detection Method: ViruScan, F-Prot, IBM Scan, VirexPC, Pro-Scan, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: MDisk, CleanUp, F-Prot, Pro-Scan 1.4+, VirexPC, or DOS SYS command General Comments: The Ping Pong virus is a boot sector virus which was first reported in March 1988. The original Ping Pong virus only infects Floppy Disks. When the virus activates, which is on a random basis, a bouncing ball or dot appears on the screen. This display can only be stopped thru a system reboot. No other damage is apparently done. The Ping Pong Virus is extinct, though the hard disk variant, Ping Pong-B listed below, is one of the most common MS-DOS viruses. Virus Name: Ping Pong-B Aliases: Bouncing Ball Boot V Status: Common Discovered: May, 1988 Symptoms: Graphic display (see text), TSR, BSC Origin: Eff Length: N/A Type Code: BRs - Resident Boot Sector Infector Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: CleanUp, MDisk, Pro-Scan 1.4+, F-Prot, VirexPC or DOS SYS Command General Comments: The Ping Pong-B virus is a variant of the Ping Pong virus. The major difference is that Ping Pong-B can infect hard disks as well as floppies. Known variants of Ping Pong-B include: Ping Pong-C : Similar to Ping Pong-B, though this variant does not have the bouncing ball screen effect. Origin: Argentina, June 1990. Virus Name: Plastique Aliases: Plastic Bomb, Plastique 3012, Plastique 1 V Status: Rare Discovered: July, 1990 Symptoms: TSR; .COM & .EXE growth; possible system slowdown or bomb noises after September 20 Origin: Taiwan Eff Length: 3,012 Bytes Type Code: PRsA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V66+, Pro-Scan 2.01+ Removal Instructions: Clean-Up V72+, Pro-Scan 2.01+, or Delete infected files General Comments: The Plastique, or Plastic Bomb, Virus was submitted in July 1990, it comes to us from Taiwan. Plastique is a memory resident generic infector of .COM and .EXE files, though it does not infect COMMAND.COM. Unlike the Plastique-B Virus listed below, this virus does not infect floppy disk boot sectors. The first time a program infected with Plastique is executed, the virus will install itself memory resident as a TSR in low system memory. The TSR is 3,264 bytes in length, and hooks interrupt 21. After the virus is memory resident, it will attempt to infect any .COM or .EXE file which is executed. This virus is rather "buggy", and it is not always successful in infecting files when they are executed. When it is successful infecting the file, the file's length will increase. For infected .COM files, the length will increase by 3,012 bytes. For infected .EXE files, their length will increase between 3,012 and 3,020 bytes. Plastique will also attempt to infect files when they are opened for any reason, though again, it is not always successful. After September 20th of any year, the Plastique Virus activates. At that time, it will do either of two things. It will either progressively slowdown the system, or it will intermittently emit "bomb" noises from the system speaker. Known variant(s) of Plastique are: HM2 : The earliest known version of this virus, it does not replicate. Executing an infected file results in the system hanging requiring a reboot. Origin: Taiwan, May 1990. Plastique 4.51 : A variant of the Plastique virus described above, the only real difference is that the encryption of the virus is slightly different. Otherwise it behaves exactly the same as Plastique. Origin: Taiwan, July 1990. Plastique COBOL: A variant of the Plastique virus described above, this version is 3,004 bytes in length, and its memory resident TSR is 3,248 bytes in length. The only text character string which can be found in this variant is "COBOL". This string does not occur in other variants of the Plastique Virus, or related viruses. Infected .COM programs will increase in size by 3,004 bytes, .EXE files by 3,004 to 3,019 bytes. COMMAND.COM will not become infected. Activation of the virus has also been altered. Between January 1 and September 21, the virus will progressively slowdown the system. After 20 minutes, the system will execute at approximately 50% of its original speed. After 30 minutes, the virus may lockout the system keyboard, as well as corrupt the system's CMOS configuration. Between September 22 and December 31, the virus does not activate, and no system slowdown or CMOS corruption will occur. Also see: Invader, Plastique-B Virus Name: Plastique-B Aliases: Plastic Bomb, Plastique 5.21, Plastique 2 V Status: Rare Discovered: July, 1990 Symptoms: TSR, .COM & .EXE file growth; BSC; Origin: Taiwan Eff Length: 4,096 Bytes Type Code: PRsAB - Parasitic Resident .COM & .EXE, & Boot Sector Infector Detection Method: ViruScan V66+, Pro-Scan 2.01+ Removal Instructions: Clean-Up V72+, Pro-Scan 2.01+, or Delete Infected Files General Comments: The Plastique-B, or Plastique 5.21, virus is a later version of the Plastique virus. Like Plastique, it is a memory resident generic infector of .COM and .EXE files. This version will also infect diskette boot sectors. It does not infect COMMAND.COM. If the system date is before September 20th, the first time a program infected with Plastique-B is executed, the virus will install itself memory resident as a TSR in low system memory. The TSR is 5,120 bytes in length. Interrupts 08, 09, 13, 21, and ED are hooked by the virus. If the system date is after September 20th, the virus will install itself memory resident in high system memory but below the 640K DOS boundary. The same interrupts will be hooked by the virus. After the virus is memory resident, it will attempt to infect any .COM or .EXE file which is executed or opened for any reason. It has had many of the "bugs" fixed that were in Plastique, and is usually successful in infecting files. Infected .COM and .EXE files will increase in length by 4,096 bytes. Plastique-B will also infect the boot sector of any diskettes accessed on an infected system. After September 20th, 1990, the Plastique-B virus activates. It will either progressively slowdown the system or cause "bomb" noises to be emitted periodically from the system speaker. It may also overwrite the contents of all drives after this date, depending on if a predetermined limit in the virus has been reached. Also see: Plastique, Invader Virus Name: Polimer Aliases: Polimer Tapeworm V Status: Rare Discovered: November, 1990 Symptoms: .COM growth; Message Origin: Hungary Eff Length: 512 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V71+, Pro-Scan 2.01+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Polimer Virus was discovered in Hungary in November, 1990. This virus is a non-resident infector of .COM files, including COMMAND.COM. When a program infected with the Polimer Virus is executed, the following message will be displayed: "A le' jobb kazetta a POLIMER kazetta ! Vegye ezt !" This message can be found near the beginning of all infected files. After the message is displayed, the virus will attempt to infect one .COM file on the current drive and directory, and one .COM file on the C: drive's current directory. This virus will only infect .COM files which are between 512 and 64,758 bytes in length. If the .COM file it attempts to infect has the Read-Only attribute, it will not be infected, and the message $ERROR will be displayed. Although this virus is actually 456 bytes in length, infected .COM files will increase in size by 512 bytes with the virus's code being located at the beginning of the file. This virus does not appear to do anything besides replicating. Virus Name: Polish 217 Aliases: 217, Polish Stupid V Status: Rare Discovered: October, 1990 Symptoms: .COM growth; system reboot Origin: Koszalin, Poland Eff Length: 217 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V71+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Polish 217, or Polish Stupid, Virus was discovered in Koszalin, Poland, in October, 1990. This virus is a non-resident infector of .COM files, including COMMAND.COM. When a program infected with the Polish Stupid Virus is executed, the virus will infect the first uninfected .COM file found in the current directory. Infected .COM files will increase in length by 217 bytes with the virus's code being located at the end of the file. Infected files will also end with the hex string 5757h. The file's date and time in the disk directory is not altered. A side note on this virus: when the copy of COMMAND.COM pointed to by the COMSPEC environmental variable is infected by the virus, the system will experience a warm reboot. This virus does nothing besides replicating in its current version. Known variant(s) of Polish 217 are: Polish 217 B : The Polish 217 B variant's major difference is that when COMMAND.COM is infected, a warm reboot does not occur. Execution of COMMAND.COM will result in the error message: "Specified COMMAND search directory bad". Execution of infected programs may also result in the following message being displayed and the program terminated: "????????COM Path not found." Programs which can detect Polish 217 may not be able to detect Polish 217 B as it has been altered. Scan V72 and below will not detect it. Virus Name: Polish 529 Aliases: 529 V Status: Rare Discovered: September, 1990 Symptoms: .COM growth; TSR Origin: Poland Eff Length: 529 Bytes Type Code: PRsCK - Parasitic Resident .COM Infector Detection Method: ViruScan V71+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Polish 529 Virus was isolated in September, 1990 in Poland. This virus is a memory resident infector of .COM files. It will infect COMMAND.COM if it is executed with the virus in memory. The first time a program infected with the Polish 529 Virus is executed, the virus will install itself memory resident as a low system memory TSR of 1,664 bytes. Interrupt 21 will be hooked by the virus. Once the virus is memory resident, any .COM file over approximately 1600 bytes in length will be infected by the virus. Infected .COM files will show a file length increase of 529 bytes and have the virus's code located at the beginning of the file. This virus does not appear to do anything but replicate. Virus Name: Polish 583 Aliases: V Status: Rare Discovered: December, 1990 Symptoms: .COM file growth Origin: Poland Eff Length: 583 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Polish 583 Virus originated in Poland and was submitted in December, 1990. This virus is a non-resident, direct action infector of .COM files, including COMMAND.COM. When a program infected with Polish 583 is executed, the virus will infect one other .COM file on the current drive and directory. The newly infected program will increase in length by 583 bytes with the virus's code being located at the end of the infected program. The program's date and time in the disk directory is not altered. This virus does not do anything besides replicate. Virus Name: Print Screen Aliases: EB 21, 8290, PRTSC Virus V Status: Rare Discovered: November, 1989 Symptoms: BSC, hard disk access slowdown Origin: Bombay, India Eff Length: N/A Type Code: BR - Resident Boot Sector Infector Detection Method: ViruScan V64+, Pro-Scan 1.4+, VirexPC, F-Prot 1.12+, VirHunt 2.0+ Removal Instructions: M-Disk, Pro-Scan 1.4+, or DOS SYS Command General Comments: The Print Screen Virus was isolated in Bombay, India in November, 1989 by Neville Bulsara. It is the first virus to have originated in India. There are two versions of Print Screen, the later version having had some bugs fixed. When a system is booted from a Print Screen infected diskette or hard drive, the virus will install itself memory resident in the top of memory. The virus then adjusts the amount of memory DOS thinks is installed. Infected systems will show that total system memory is 2K less than is installed. On floppy disks, the original boot sector of the diskette will be copied to sector 11. After becoming memory resident, the virus will infect any hard disk or floppy diskette which is accessed by the system. Infected system users will notice that hard disk accesses done for any reason will be much slower than expected. In some cases, listing the root directory will show apparently garbage entries in it. These entries are actually part of the virus's code. The first version of the Print Screen virus is buggy, and as such it doesn't actually accomplish anything having to do with printing screens. This virus appears to have been based on the Ping Pong Virus, and some anti-viral programs will identify it as such. Known variant(s) of Print Screen are: Print Screen-2: Print Screen-2 is the later, bug fixed version of the Print Screen Virus. This version will attempt to perform a screen print or dump to the system's printer after every 255 disk I/Os have occurred. Virus Name: Proud Aliases: V1302, P1 Related V Status: Rare Discovery: August, 1990 Symptoms: .COM growth; decrease in total system and available memory; FAT entry corruption Origin: Bulgaria Eff Length: 1,302 Bytes Type Code: PRtCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V71+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Proud, or V1302, Virus was isolated in August of 1990 in Bulgaria by Vesselin Bontchev. Proud is a memory resident infector of .COM files, including COMMAND.COM. The first time a program infected with Proud is executed, the virus checks to determine if interrupt 13 is in use by another program, and if it is, the virus will hang the system. If interrupt 13 is not in use by another program, Proud will install itself memory resident at the top of system memory, but below the 640K DOS boundary. Total system memory and free available memory will decrease by 8,192 bytes. Interrupt 2A will be replaced by the virus. Once the virus is memory resident, it will infect .COM files within certain candidate length ranges whend they are openned for any reason. The candidate file length ranges are: 2,048 - 14,335 bytes 16,384 - 30,719 bytes 32,768 - 47,103 bytes 49,152 - 63,487 bytes Proud is an encrypted virus, and is unusual in that it "splits" the .COM file being infected into two parts, placing the viral code between the two sections. Proud also is unable to distinguish when a file has been previously infected, so .COM files can become infected multiple times. Each infection, with the exception of COMMAND.COM, will add 1,302 bytes to the file length. Infected COMMAND.COM files generally don't increase in length on the first infection as the virus will overwrite part of the 00h area of COMMAND.COM with the viral code. Proud can be a damaging virus, with a probability of 1 out of 256, it may swap entries in the file allocation table. Virus Name: Red Diavolyata Aliases: USSR 830 V Status: Rare Discovery: December, 1990 Symptoms: .COM growth; decrease in system and available memory; file date/time changes Origin: USSR Eff Length: 830 Bytes Type Code: PRhCK - Parasitic Resident .COM Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Red Diavolyata Virus is an 830 byte memory resident infector of .COM files, including COMMAND.COM. It was submitted in December, 1990, and originated in the USSR. The first time a program infected with Red Diavolyata is executed, the virus will install itself memory resident at the top of system memory but below the 640K DOS boundary. The interrupt 12 return is not moved. The DOS ChkDsk command will indicate that total system memory and available free memory have decreased by 960 bytes. Interrupt 21 will be hooked by the virus. Once Red Diavolyata is memory resident, any .COM program executed will become infected by the virus. If COMMAND.COM is executed, it will be infected. Infected .COM programs will have their file length increased by 830 bytes, and their date and time in the disk directory will have been altered to the system date and time when infection occurred. The virus will be located at the end of the infected program. The following text strings can be found at the end of infected programs: "Eddie die somewhere in time" "This programm was written in the city of Prostokwashino" "(C) 1990 RED DIAVOLYATA" "Hello! MLTI!" Additionally, the text string "MLTI!COMMAND" can be found within infected files. It is unknown if Red Diavolyata does anything besides replicate. Virus Name: RPVS Aliases: 453 V Status: Endangered Discovery: August, 1990 Symptoms: .COM growth Origin: West Germany Eff Length: 453 Bytes Type Code: PNC - Parasitic Non-Resident .COM Infector Detection Method: Pro-Scan 2.01+ Removal Instructions: Pro-Scan 2.01+, or Delete infected files General Comments: The RPVS, or 453, Virus was discovered in West Germany in early August, 1990. This virus is a non-resident infector of .COM files. The RPVS is named for an unusual string that appears in a file dump of the virus - "TUQ.RPVS" - this in not really a text string, but a series of PUSH instructions. The RPVS Virus is rather unsophisticated virus. Whenever a .COM program infected with the RPVS or 453 virus is executed, the virus will look for an uninfected .COM file in the current directory. The virus determines if the .COM file has been previously infected by checking to see if the last two bytes of the file are 9090h. If the last two bytes are not 9090h, the file will be infected, appending 453 bytes of viral code to the end of the file. One .COM file is infected each time an infected program is executed. COMMAND.COM will not normally be infected. This virus does not contain any logic to activate and cause damage in its current state. It does contain many NOP instructions and odd jumps which leave plenty of space for later additions. Known variant(s) of RPVS are: RPVS-B : The RPVS virus after additional bytes have been added to the end of an infected program. When this occurs, the virus will act differently. It will not be able to determine that it has already infected a .COM file, so it will reinfect the first .COM file it finds in the current directory over and over again. Virus Name: Saddam Aliases: V Status: New Discovery: January, 1991 Symptoms: .COM growth; Message; Disk boot failures; I/O error message; "Insufficient memory" message when attempting to run .BAT files; Dir command errors; System hangs Origin: France (reported September, 1990) Isolated: Israel Eff Length: 919 Bytes Type Code: PRsCK - Resident Parasitic .COM Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Saddam Virus was first reported in France in September, 1990. In January, 1991, the first sample of this virus was actually received, its isolation point was Israel. Saddam is a memory resident infector of .COM files, including COMMAND.COM. It is based on the Do-Nothing virus. The first time a program infected with the Saddam Virus is executed, the virus will install itself memory resident in low system memory, though not as a TSR. Interrupts 21 and 22 will be hooked by the virus. COMMAND.COM will be infected at this time if it has not previously been infected. Once Saddam is memory resident, it will infect .COM programs as they are executed or openned. Infected .COM files will have a file length increase of 919 bytes, the virus will be located at the end of infected programs. Programs infected with this virus will not have their file date and time altered upon infection. There are several symptoms which may be experienced on systems infected with the Saddam Virus. The most obvious symptom is that the following message will occasionally be displayed: "HEY SADAM LEAVE QUEIT BEFORE I COME" This message cannot be seen in infected files, it is encrypted. Other symptoms are that attempts to execute .BAT files will result in an insufficient memory message. Attempts to boot from a disk with a Saddam infected COMMAND.COM will fail, the system will hang. Execution of some infected programs will result in an I/O error and the program aborting execution. The DOS Directory command may also not function properly. Lastly, infected systems may experience frequent system hangs requiring the user to reboot the system. Also see: Do-Nothing Virus Name: Saratoga Aliases: 642, One In Two V Status: Extinct Discovery: July, 1989 Symptoms: .EXE growth, Resident, bad sectors, FAT corruption Origin: California, USA Eff Length: 642 Bytes Type Code: PRsE - Resident Parasitic .EXE Infector Detection Method: ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan 1.4+, VirexPC, VirHunt 2.0+ Removal Instructions: Scan/D/X, F-Prot, VirexPC, Pro-Scan 1.4+, VirexPC 1.1B+, VirHunt 2.0+, or delete infected files General Comments: The Saratoga Virus was first isolated in California in July 1989. This virus is very similar to the Icelandic and Icelandic-II viruses, so only the differences from the Icelandic viruses are indicated here. Please refer back to the description of the Icelandic virus for the base information. The Saratoga virus's main difference from the Icelandic virus is that when it copies itself to memory, it modifies the memory block so that it appears to belong to the operating system, thus avoiding another program reusing the block. Similar to the Icelandic-II virus, the Saratoga can infect programs even if the system has installed an anti-viral TSR which "hooks" interrupt 21, such as FluShot+. Also like Icelandic-II is that this virus can infect programs which have been marked Read-Only, though it does not restore the Read-Only attribute to the file afterwards. Also see: Icelandic, Icelandic-II Virus Name: Saturday The 14TH Aliases: Durban V Status: Rare Discovered: March, 1990 Symptoms: TSR;.COM, .EXE, .OV? growth; corrupts boot sector, FAT. & partition table on Saturday 14th Origin: Republic of South Africa Eff Length: 685 Bytes Type Code: PRA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V61+, Pro-Scan 1.4+, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: Scan/D, VirHunt 2.0+, Pro-Scan 2.01+ General Comments: The first reports of the Saturday The 14TH virus came from South Africa in March 1990. The Saturday The 14TH, or Durban Virus, is a memory resident generic file infector, infecting .COM, .EXE, and overlay files, but not COMMAND.COM. Infected files will increase in length by between 669 and 684 bytes. The Saturday The 14TH virus activates on any Saturday that falls on the 14TH of any month, at which time it will overwrite the first 100 logical sectors of the C: drive, B: drive, and A: drive. In effect, on drive C:, the virus destroys the hard disk boot sector, partition table, and file allocation table (FAT). Virus Name: Scott's Valley Aliases: 2131 V Status: Rare Discovered: September, 1990 Symptoms: TSR; .COM and .EXE growth Origin: Scott's Valley, California, USA Eff Length: 2,131 Bytes Type Code: PRsA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V67+, Pro-Scan 2.01+ Removal Instructions: Scan/D, or delete infected files General Comments: The Scott's Valley Virus was discovered in September, 1990 in Scott's Valley, California. This virus is a memory resident generic infector of .COM and .EXE files, and does not infect COMMAND.COM. The first time a program infected with the Scott's Valley Virus is executed, the virus installs itself memory resident as a low system memory TSR of 2,384 bytes. Interrupt 21 is hooked by the virus. After the virus is memory resident, any .COM or .EXE file executed will be infected with the virus. .COM files will increase in length by 2,131 bytes. .EXE files will increase in length between 2,131 and 2,140 bytes. Infected programs will contain the following hex string in the virus's code: 5E8BDE909081C63200B912082E. It is unknown if this virus is malicious. Virus Name: Sentinel Aliases: V Status: New Discovered: January, 1991 Symptoms: .COM & .EXE growth; decrease in available free memory Origin: Bulgaria Eff Length: 4,625 Bytes Type Code: PRHAK - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Sentinel Virus was submitted in January, 1991, and is from Bulgaria. This virus is a memory resident infector of .COM and .EXE files, and will infect COMMAND.COM. Unlike most viruses, this virus was received with its original Turbo Pascal source code. It may be purely a research virus at this time. When the first program infected with Sentinel is executed, the virus will install itself memory resident at the top of system memory, but below the 640K DOS boundary. Interrupt 12's return is not moved by the virus. Interrupt 21 will be hooked by the virus in memory. COMMAND.COM, if not previously infected, will be infected by Sentinel at this time as well. After Sentinel is memory resident, it will infect .COM and .EXE programs larger than 1K as they are openned or executed. Infected programs will have a file length increase of 4,625 bytes, the virus will be located at the end of the file. This virus makes no attempt to hide the file length increase. File date and time in the disk directory is not altered by the virus. The following text strings can be found at the very end of programs infected with Sentinel: "You won't hear me, but you'll feel me.... (c) 1990 by Sentinel. With thanks to Borland." Sentinel does not appear to do anything besides replicate. Virus Name: SF Virus Aliases: V Status: Extinct Discovered: December, 1987 Symptoms: BSC 360k floppies, Resident TOM, formatted disks Origin: California, USA Eff Length: N/A Type Code: RtF - Resident Floppy Boot Sector Infector Detection Method: ViruScan (identifies as Alameda) Removal Instructions: MDisk, CleanUp, F-Prot, or DOS SYS command General Comments: The SF Virus is a modified version of the Alameda virus which activates when the counter in the virus has determined that it is infected 100 diskettes. The virus replicates when a CTL-ALT-DEL is performed, infecting the disk in the floppy drive. Upon activation, the diskette in the floppy drive is reformatted. The SF Virus only infects 5 1/4" 360K floppies. Also see: Alameda Virus Name: Shake Virus Aliases: V Status: Rare Discovered: May, 1990 Symptoms: .COM growth, message, change in COMMAND.COM memory allocation Origin: Bulgaria Eff Length: 476 Bytes Type Code: PRCK - Resident Parasitic .COM Infector Detection Method: ViruScan V63+, Pro-Scan 1.4+, VirexPC, F-Prot 1.12+, VirHunt 2.0+ Removal Instructions: Scan/D, Pro-Scan 2.01+, or Delete Infected Files General Comments: The Shake Virus was first isolated in Bulgaria in May, 1990 by Daniel Kalchev. It is a memory resident generic .COM infector, and will infect COMMAND.COM. The first time an infected program is executed, the Shake Virus will install itself memory resident, altering the image of COMMAND.COM in memory. The Shake Virus infects .COM files, infecting them as they are accessed. Infected files increase in size by 476 Bytes, though the size increase cannot be seen using a DIR (list directory) command if the virus is memory resident. While the virus is not destructive, it will occasionally display the message: "Shake well before use !" when an infected file is attempted to be run. When this message is displayed, the program terminates rather than executes. A second attempt to run the same program result in it running successfully. Virus Name: Slow Aliases: Slowdown V Status: Common Discovered: May, 1990 Symptoms: .COM & .EXE growth Origin: Australia Eff Length: 1,701 Bytes Type Code: PRsA - Resident Parasitic .COM & .EXE Infector Detection Method: ViruScan V63+, Pro-Scan 1.4+ Removal Instructions: CleanUp V67+, Scan/D, Pro-Scan 2.01+ General Comments: The Slow Virus was discovered in Australia in May 1990. It is a memory resident generic file infector, infected .COM, .EXE, and overlay files. COMMAND.COM is not infected by this virus. The first time an infected file is executed on a system, the virus installs itself memory resident as a low system memory TSR, taking up 1,984 bytes of free memory. Interrupt 21 will be hooked by the virus. Later, as programs are executed, they will be infected by the Slow Virus. While the Slow Virus's viral code is actually 1,701 bytes in length, infected files will increase by more than this amount. Infected .COM files will increase in length by 1,721 bytes with the virus located at the beginning of the infected program. .EXE files will increase in length by 1,716 to 1,728 bytes with the virus located at the end of the infected program. In the process of infecting some .EXE files, the virus may hang the system, causing the user to have to reboot. The Slow Virus is based on the Jerusalem B virus. It is unknown what else the Slow virus does. Virus Name: Solano 2000 Aliases: Dyslexia 2.01 V Status: Rare Discovered: March, 1990 Symptoms: .COM growth, TSR, unusual file errors Origin: California, USA Eff Length: 2,000 Bytes Type Code: PRsC - Resident Parasitic .COM Infector Detection Method: ViruScan V60+, Pro-Scan 1.4+, VirexPC, F-Prot 1.12+, VirHunt 2.0+ Removal Instructions: Scan/D, Pro-Scan 2.01+, or Delete Infected Files General Comments: The Solano 2000 Virus was first isolated in Solano County, California in mid-March 1990 by Edward Winters. The virus may also be known by the name Dyslexia Virus V2.01, which can be produced by negating some null terminated bytes within the viral code. Using the same technique, what appears to be the creation date of the virus, 08FEB90, can be produced. The information regarding the information produced by negation of bytes was determined by Jay Parangalan of Solano County. The Solano 2000 Virus is a generic .COM file infector. The first time an infected .COM file is executed on the system, the virus installs itself memory resident, then proceeds to infect every .COM file that is executed. Infected programs can be manually identified by using a sector editor to view the file. Bytes 1168 thru 1952 will consist of '(' or 28h characters. Some programs, such as DiskCopy.COM which is included on all DOS diskettes, will not run after being infected with this virus, instead an "invalid drive specification" message will be displayed. This message is not in the viral code, but is due to an error condition being induced due to the virus's presence. The virus-induced error occurring with the DiskCopy program was how the virus was first spotted and eventually isolated. This particular virus, in its current state, does not survive a system warm reboot (CTL-ALT-DEL). When it is memory resident, it takes up 3K bytes of RAM. The Solano 2000 Virus does no apparent system damage, however it does check the video buffer occasionally, and may transpose numbers if they are found in certain locations. This effect, however, was not experienced on the author's system in researching this virus. There have also been reports that instead of transposing numeric characters, the Solano virus may change color attributes on the display screen when it is active in memory. Known variants of the Solano 2000 virus: Solano 2000-B: same as Solano 2000, except the 28h characters have been changed to DAh characters, and are located in bytes 1168 thru 1912 in infected files. Dyslexia 2.00: same as Solano 2000, except that the 28h characters are now binary zeros. The attempted transposing of numeric characters in video memory has also been slowed down. The creation date appears to be 22JAN90 instead of 08FEB90. Also see: Subliminal 1.10 Virus Name: Sorry Aliases: G-Virus V1.3 V Status: Rare Discovered: June, 1990 Symptoms: .COM growth, decrease in system and free memory Origin: Eff Length: 731 Bytes Type Code: PRNCK - Parasitic Resident .COM Infector Detection Method: ViruScan V64+, F-Prot, Pro-Scan 2.01+ Removal Instructions: Scan/D, Pro-Scan 2.01+, or delete infected files General Comments: The Sorry Virus was isolated in June, 1990. Its name comes from a german phrase in the virus: "Tut mir Leid !". This virus is based on the Perfume Virus from West Germany, and some anti-viral programs will identify it as Perfume or 4711. The first time a program infected with the Sorry Virus is executed, the virus will install itself memory resident in high memory. Total system memory and free memory will both decrease by 1,024 bytes. Interrupt 21 will be hooked by the virus. COMMAND.COM is immediately infected by the virus, thus insuring on later system boots that the virus becomes memory resident immediately. After the virus is memory resident, it will infect any .COM file which is executed, increasing the file's length by 731 bytes. The viral code is located at the end of infected files. The Sorry Virus contains the following text strings: "G-VIRUS V1.3" "Bitte gebe den G-Virus Code ein" "Tut mir Leid !" It is unknown what the Sorry Virus does when it activates. Also see: Perfume Virus Name: Spyer Aliases: V Status: Rare Discovered: November, 1990 Symptoms: TSR; .COM & .EXE growth; system hangs Origin: Taiwan Eff Length: 1,181 Bytes Type Code: PRsA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V71+ Removal Instructions: Scan/D or Delete infected files General Comments: The Spyer Virus was isolated in November, 1990 in Taiwan. This virus is a memory resident infector of .COM and .EXE files. It does not infect COMMAND.COM. The first time a program infected with the Spyer Virus is executed, the Spyer Virus will install itself memory resident as a 1,760 byte low system memory TSR. Interrupts 21 and 22 will be hooked by the virus. Once the virus is memory resident, the virus will attempt to infect the next program that is executed. If the program is already infected with the Spyer Virus, the system will become hung. If the program was not already infected, Spyer will infect it and then hang the system. Infected .COM files will always increase in length by 1,181 bytes. .EXE files infected with Spyer will have a file length increase between 1,181 and 1,195 bytes. In both cases, the virus will be located at the end of the infected file. Infected files will also always have the following hex character sequence at the end of file: "CBDFD9DE848484". The Spyer Virus, in its present form, is not expected to ever be a serious problem. Since it always hangs the system when the next program is executed after becoming memory resident, it is simply too obvious that something is wrong. Virus Name: Stone`90 Aliases: Polish 961, Stone-90 V Status: Rare Discovered: December, 1990 Symptoms: .COM file growth Origin: Poland Eff Length: 961 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Stone`90 Virus, or Polish 961, is a non-resident direct action infector of .COM programs, including COMMAND.COM. It was submitted in December, 1990, and is from Poland. When a program infected with the Stone`90 Virus is executed, the virus will look for one .COM program on the current drive and in the current directory to infect. If one is found, the virus will infected it. The newly infected .COM program will increase in length by 961 bytes, and have the virus's code located at the end of the program. The following text strings can be found in infected files: "Sorry, I`m INFECTED!" "I`m already NOT infected!" "(C) Stone`90" Stone`90 does not appear to do anything besides replicate. Virus Name: Stoned Aliases: Donald Duck, Hawaii, Marijuana, New Zealand, Rostov, San Diego, Sex Revolution, Smithsonian, Stoned II V Status: Common Discovered: February, 1988 Symptoms: BSC, TSR, messages, RLL controller hangs Origin: New Zealand Eff Length: N/A Type Code: BRtX - Resident Boot Sector & Partition Table Infector Detection Method: ViruScan, CleanUp, F-Prot, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: CleanUp, MDisk, F-Prot, Pro-Scan 1.4+ General Comments: The Stoned virus was first reported in Wellington, New Zealand in early 1988. The original virus only infected 360KB 5 1/4" diskettes, doing no overt damage. The original diskette-only infector is extinct, however, and all known variants of this virus are capable of infecting the hard disk partition table as well as may damage directory or FAT information. Most variants of this virus have only minor modifications, usually in what the message is that the virus may display on boot. When a computer system is booted with a Stoned infected disk, this virus will install itself memory resident at the top of system memory. The interrupt 12 return will be moved, and ChkDsk will indicate that the computer system as 2K less total memory than what is installed. If the system boot was from a diskette, the virus will also attempt to infect the hard disk partition table, if it was not previously infected. During the boot process, the Stoned Virus may display a message. The message is displayed more or less on a random basis. The most common text for the message is: "Your computer is now stoned." Or: "Your PC is now Stoned!" After Stoned is memory resident, it will infect diskettes as they are accessed on the system. When Stoned infects a diskette, it moves the original boot sector (sector 0) to sector 11. The Stoned Virus then copies itself into sector 0. Since sector 11 is normally part of the diskette root directory on 360K 5.25" diskettes, any files which had their directory entries located in this sector will be lost. Some versions of DOS have sector 11 as part of the File Allocation Table, which may also result in the disk's FAT being corrupted. When Stoned infects that system hard disk, it copies the hard disk's original partition table to side 0, cyl 0, sector 7. A copy of the Stoned Virus is then placed at side 0, cyl 0, sector 1, the original location of the hard disk partition table. If the hard disk was formatted with software which starts the boot sector, file allocation table, or disk directory on side 0, cyl 0 right after the partition table, the hard disk may be corrupted as well. In order to disinfect a system infected with the Stoned Virus, the system must be powered off and booted with an uninfected, write- protected boot diskette. If this is not done, the virus may reinfect diskettes as soon as they are disinfected. There are many programs which can disinfect Stoned infected diskettes and hard disks. To successfully use one of these, follow the instructions with the program. To remove Stoned manually, the DOS SYS command can be used on 5.25" 360K diskettes. On the hard disk, the original partition table must be copied back to side 0, cyl 0, sector 1. This can be performed with Norton Utilities, or other sector editors. Known variants of the Stoned Virus are: Stoned-A : Same as Stoned above, but does not infect the system hard disk. This is the original virus and is now extinct. The text found in the boot sector of infected diskettes is: "Your computer is now stoned. Legalize Marijuana". The "Legalize Marijuana" portion of the text is not displayed. Stoned-B : Same as Stoned indicated above. Systems with RLL controllers may experience frequent system hangs. Text typically found in this variant is: "Your computer is now stoned. Legalise Marijuana". The "Legalise Marijuana" may also be in capital letters, or may be partially overwritten. It is not displayed. Stoned-C : same as Stoned, except that the message has been removed. Stoned-D : same as Stoned, with the exception that this variant can infect high density 3.5" and 5.25" diskettes. Stoned II: Based on Stoned-B, this variant has been modified to avoid detection by anti-viral utilities. Since its isolation in June, 1990, most utilities can now detect this variant. Text in the virus has been changed to: "Your PC is now Stoned! Version 2" Or: "Donald Duck is a lie." The "Version 2" portion of the text may be corrupted as well. Rostov : Similar to Stoned-B, this variant does not display any message. It contains the text: "Non-system disk" and "Replace and strike". Submitted in December, 1990, origin unknown. Sex Revolution V1.1 : Submitted in December, 1990, this variant is similar to Stoned-B. This variant may display the following message: "EXPORT OF SEX REVOLUTION ver. 1.1" Sex Revolution V2.0 : Similar to Sex Revolution V1.1, the message has been changed to: "EXPORT OF SEX REVOLUTION ver. 2.0" Stoned-E : Similar to Stoned-B, this variant now emits a "beep" thru the system speaker when the following message is displayed: "Your PC is now Stoned!" The text "LEGALISE MARIJUANA!" can also be found in the boot sector and system partition table. Stoned-F : Similar to Stoned-E, this variant also emits a "beep" thru the system speaker when its message is displayed. The displayed message is: "Twoj PC jest teraz be!" The text "LEGALISE MARIJUANA?" can also be found in the boot sector and system partition table. Virus Name: Subliminal 1.10 Aliases: V Status: Rare Discovered: May, 1990 Symptoms: .COM growth, TSR, unusual file errors, video display flicker Origin: California, USA Eff Length: 1,496 Bytes Type Code: PRsC - Resident Parasitic .COM Infector Detection Method: ViruScan V64+, Pro-Scan 1.4+ Removal Instructions: Scan/D, Pro-Scan 1.4+, or Delete Infected Files General Comments: The Subliminal 1.10 Virus was first isolated in Solano County, California in May 1990 by Jay Parangalan. The name of the virus can be produced by negating (XORing with FF) some null terminated bytes in the viral code. Using this technique, the creation date of the virus appears to be 02OCT89. The Subliminal 1.10 Virus appears to be a very early version of the Solano 2000 Virus, and has only been reported at Solano Community College. The first time a program infected with the Subliminal 1.10 Virus is executed, the virus installs itself memory resident. Any .COM files which are then executed are infected. Infected programs will increase in length by 1,496 bytes. With the virus memory resident, the system monitor will appear to flicker. What is occurring is that the virus is attempting to flash the message "LOVE, REMEMBER?" in the lower left portion of the display for a subliminal duration. The actual amount of time the message displays on the screen varies between systems due to CPU speed. Also see: Solano 2000 Virus Name: Sunday Aliases: V Status: Common Discovered: November, 1989 Symptoms: TSR, executable file growth, messages, FAT corruption Origin: Washington (state), USA Eff Length: 1,636 Bytes Type Code: PRsAT - Parasitic Resident .COM, .EXE. & .OV? Infector Detection Method: ViruScan V49+, F-Prot, IBM Scan, Pro-Scan, VirexPC 1.1+, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: CleanUp, Scan/D, F-Prot, Pro-Scan 1.4+, VirexPC, VirHunt 2.0+ General Comments: The Sunday virus was discovered by many users in the Seattle, Washington area in November, 1989. This virus activates on any Sunday, displaying the message: "Today is Sunday! Why do you work so hard? All work and no play make you a dull boy! Come on! Let's go out and have some fun!" The Sunday virus appears to have been derived from the Jerusalem virus, the viral code being similar in many respects. Damage to the file allocation table or FAT has been reported from a number of infected users. Known variants of the Sunday Virus are: Sunday-B : Similar to the Sunday Virus, this variant does not activate on any day of the week due to an error in the day of the week checking routine. The message in the virus is never displayed, and no damage is done to the file allocation table. Sunday-C : Similar to Sunday-B, this variant also never activates. It has, however, been modified so that it differs from both the Sunday and Sunday-B viruses. Functionally, it is the same as Sunday-B. Virus Name: Suriv 1.01 Aliases: April 1st, Israeli, Suriv01 V Status: Extinct Discovered: April, 1987 Symptoms: TSR, .COM growth, messages, system lock April 1st Origin: Israel Eff Length: 897 bytes Type Code: PRsC - Parasitic Resident .COM Infector Detection Method: ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: Scan/D/X, F-Prot, VirHunt 2.0+, or UnVirus General Comments: The Suriv 1.01 virus is a memory resident .COM infector. It will activate on April 1st after memory is infected by running an infected file and then a uninfected .COM file is executed. On activation, it will display the message: "APRIL 1ST HA HA HA YOU HAVE A VIRUS". The system will then lock up, requiring it to be powered off and then back on. The text "sURIV 1.01" can be found in the viral code. Virus Name: Suriv 2.01 Aliases: April 1st-B, Israeli, Suriv02 V Status: Extinct Discovered: 1987 Symptoms: TSR, .EXE growth, messages, system lock April 1st Origin: Israel Eff Length: 1,488 bytes Type Code: PRsE - Parasitic Resident .EXE Infector Detection Method: ViruScan/X V67+, F-Prot, IBM Scan, VirexPC, Pro-Scan, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: Scan/D/X, F-Prot, UnVirus, VirHunt 2.0+ General Comments: The Suriv 2.01 virus is a memory resident .EXE infector. It will activate on April 1st after memory is infected by running an infected file, displaying the same message as Suriv 1.01 and locking up the system. The virus will cause a similar lockup, though no message, 1 hour after an infected .EXE file is executed on any day on which the system default date of 01-01-80 is used. The virus will only infect the file once. Virus Name: Suriv 3.00 Aliases: Israeli, Suriv03 V Status: Extinct Discovered: 1988 Symptoms: TSR, .COM, .EXE, & .SYS growth; Black Window; system slowdown Origin: Israel Eff Length: 1,813 (COM files) & 1,808 (EXE files) bytes Type Code: PRsA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan/X V67+, F-Prot, Pro-Scan, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: CleanUp, Scan/D/X, F-Prot, Unvirus, VirHunt 2.0+ General Comments: May be a variant of the Jerusalem virus. The string "sUMsDos" has been changed to "sURIV 3.00". The Suriv 3.00 virus activates on Friday The 13ths when an infected program is run or if it is already present in system memory, however files are not deleted due to a bug in the viral code. Other than on Friday The 13ths, after the virus is memory resident for 30 seconds, an area of the screen is turned into a "black window" and a time wasting loop is executed with each timer interrupt. As with the Jerusalem B viruses, this virus can also infect overlay, .SYS, and other executable files besides .EXE and .COM files, though it does not infect COMMAND.COM itself. Also see: Jerusalem, Jerusalem B Virus Name: Sverdlov Aliases: V Status: Rare Discovered: December, 1990 Symptoms: .COM & .EXE growth; decrease in total system and available memory Origin: USSR Eff Length: 1,962 Bytes Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected programs General Comments: The Sverdlov Virus was submitted in December, 1990. This virus is believed to have originated in the USSR. Sverdlov is a memory resident infector of .COM and .EXE files, and will infect COMMAND.COM. This virus is also encrypted. The first time a program infected with the Sverdlov Virus is executed, the virus will install itself memory resident at the top of system memory but below the DOS 640K boundary. 4,080 bytes of memory will have been reserved, and the interrupt 12 return is not altered by the virus. The DOS ChkDsk program will indicate that total system memory and available free memory is 4,080 bytes less than expected. COMMAND.COM will also be infected at this time if it was not already infected. Once Sverdlov is memory resident, any .COM or .EXE file over 2K in length will become infected if it is executed or openned for any reason. Infected .COM files have a file length increase of 1,962 bytes. Infected .EXE files will have a file length increase of 1,962 to 1,977 bytes in length. In both cases, the virus will be located at the end of infected programs. It is unknown if Sverdlov does anything besides replicate. Virus Name: SVir Aliases: V Status: Endangered Discovered: 1990 Symptoms: .EXE growth; file date/time changes; system hangs Origin: Poland Eff Length: 512 Bytes Type Code: PNE - Parasitic Non-Resident .EXE Infector Detection Method: Removal Instructions: Delete infected programs General Comments: The SVir Virus was originally isolated in Poland early in 1990. The original virus which was isolated had a fatal flaw in its code which prevented it from executing. In August, 1990, a sample was obtained from Fridrik Skulason which now does replicate. This second sample, identified as SVir-B, is a non-resident infector of .EXE files. Each time a program infected with the SVir-B Virus is executed, the virus will infect one .EXE file. Infected files will increase in length between 516 and 526 bytes with the virus's code appended to the end of the file. If the virus could not find an .EXE file to infect, it will leave the drive "spinning" as it will be in an endless loop looking for a file to infect. Interestingly enough, this virus will only infect files located on the A: drive. Infected files will also have their date/time in the disk directory changed to the date and time when the infection occurred. SVir, at least in the two known variants, does not do anything malicious, it simply replicates. Known variants of SVir are: SVir-A : The original "virus" from Poland in early 1990 which did not replicate. SVir-B : A variant isolated in August, 1990 which has the bug in SVir-A fixed so that it will now replicate. Virus Name: Swap Aliases: Falling Letters Boot, Israeli Boot V Status: Rare Discovered: August, 1989 Symptoms: Graphic display, BSC (floppy only), TSR, bad cluster, Origin: Israel Eff Length: N/A Type Code: RsF - Resident Floppy Boot Sector Infector Detection Method: ViruScan, F-Prot, IBM Scan, VirexPC, VirHunt 2.0+ Removal Instructions: MDisk, CleanUp, F-Prot, or DOS SYS Command General Comments: The Swap Virus, or Israeli Boot Virus, was first reported in August 1989. This virus is a memory resident boot sector infector that only infects floppies. The floppy's boot sector is infected the first time it is accessed. One bad cluster will be written on track 39, sectors 6 and 7 with the head unspecified. If track 39, sectors 6 and 7, are not empty, the virus will not infect the disk. Once the virus is memory resident, it uses 2K or RAM. The actual length of the viral code is 740 bytes. The Swap virus activates after being memory resident for 10 minutes. A cascading effect of letters and characters on the system monitor is then seen, similar to the cascading effect of the Cascade and Traceback viruses. The virus was named the Swap virus because the first isolated case had the following phrase located at bytes 00B7-00E4 on track 39, sector 7: "The Swapping-Virus. (C) June, 1989 by the CIA" However, this phrase is not found on diskettes which have been freshly infected by the Swap virus. A diskette infected with the Swap virus can be easily identified by looking at the boot sector with a sector editor, such as Norton Utilities. The error messages which normally occur at the end of the boot sector will not be there, instead the start of the virus code is present. The remainder of the viral code is located on track 39, sectors 6 and 7. Virus Name: Swedish Disaster Aliases: V Status: New Discovered: January, 1991 Symptoms: BSC; Partition Table Altered; Decrease in system and available free memory Origin: Sweden Eff Length: N/A Type Code: BRhX - Resident Boot Sector & Partition Table Infector Detection Method: ViruScan V74+ Removal Instructions: MDisk/P General Comments: The Swedish Disaster was isolated in January, 1991. This virus appears to be from Sweden. It is a memory resident infector of floppy boot sectors and the hard disk partition table. When the system is booted from a diskette whose boot sector is infected with the Swedish Disaster Virus, the virus will infect the system hard disk's partition table, with the original hard disk partition table moved to side 0, cylinder 0, sector 6. The virus will also install itself memory resident at the top of system memory but below the 640K DOS boundary. Total system memory will decrease by 2,048 bytes, available free memory will be 6,944 bytes less than what is expected by the user. Interrupt 12's return will have been moved by the virus. After Swedish Disaster is memory resident, the virus will infect all non-write protected diskettes which are accessed on the system. On 360K 5.25" diskettes, the original boot sector will have been moved to sector 11, which is normally a part of the root directory. This means that if the disk originally had directory entries in that sector, they will be lost. The following text string can be found at the end of the boot sector of infected diskettes, as well as within the partition table on infected hard disks: "The Swedish Disaster" Diskettes infected with the Swedish Disaster can be disinfected by powering off the system and rebooting from a write-protected original DOS diskette. The DOS Sys command can then be used to replace the boot sector on infected diskettes. For hard disks, the MDisk/P program will remove this virus, though the above text string will remain in the partition table. Virus Name: Swiss 143 Aliases: V Status: New Discovered: January, 1991 Symptoms: .COM growth; File date/time changes Origin: Switzerland Eff Length: 143 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Swiss 143 Virus was submitted in January, 1991, by Dany Schoch of Hagendern, Switzerland. This virus is a non-memory resident infector of .COM files, including COMMAND.COM. When a program infected with Swiss 143 is executed, the virus will infect all .COM files in the current directory. Infected programs will increase in length by 143 bytes, the virus will be located at the end of the infected program. The disk directory date and time will also be altered to the current system date and time when the programs were infected. This virus does not do anything besides replicate. Virus Name: SysLock Aliases: 3551, 3555 V Status: Endangered Discovered: November, 1988 Symptoms: .COM & .EXE growth, data file corruption Origin: Eff Length: 3,551 Bytes Type Code: PNA - Encrypting Non-Resident .COM & .EXE Infector Detection Method: ViruScan, F-Prot, Pro-Scan, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: Scan/D, or F-Prot General Comments: The SysLock virus is a parasitic encrypting virus which infects both .COM and .EXE files, as well as damaging some data files on infected systems. This virus does not install itself memory resident, but instead searches through the .COM and .EXE files and subdirectories on the current disk, picking one executable file at random to infect. The infected file will have its length increased by approximately 3,551 bytes, though it may vary slightly depending on file infected. The SysLock virus will damage files by searching for the word "Microsoft" in any combination of upper and lower case characters, and when found replace the word with "MACROSOFT". If the SysLock virus finds that an environment variable "SYSLOCK" exists in the system and has been set to "@" (hex 40), the virus will not infect any programs or perform string replacements, but will instead pass control to its host immediately. Known variant(s) of SysLock are: Advent : Reported to be a Syslock variant, the sample of this virus received by the author does not replicate. All known samples of this virus available from anti-viral researchers also do not replicate. Fridrik Skulason of Iceland has indicated that this virus will only replicate it is on an infected .EXE file, and then it will only infect .COM files. This variant is thought to be extinct. Macho-A : same as the SysLock virus, except that "Microsoft" is replaced with "MACHOSOFT". Also see: Cookie Virus Name: Taiwan Aliases: Taiwan 2, Taiwan-B V Status: Endangered Discovered: January, 1990 Symptoms: .COM growth, 8th day any month corrupts BOOT, FAT, & Partition tables. Origin: Taiwan Eff Length: 743 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V56+, F-Prot, Pro-Scan 1.4+, VirexPC Removal Instructions: Scan/D, F-Prot 1.12+, or delete infected files General Comments: The Taiwan virus was first isolated in January, 1990 in Taiwan, R.O.C. This virus infects .COM files, including COMMAND.COM, and does not install itself into system memory. Each time a program infected with the Taiwan virus is executed, the virus will attempt to infect up to 3 .COM files. The current default directory is not first infected, instead the virus will start its search for candidate files in the C: drive root directory. Once an uninfected .COM file is located, the virus infects the file by copying the viral code to the first 743 bytes of the file, the original first 743 bytes of the file is relocated to the end of the .COM file. A bug exists in this virus, if the uninfected .COM file is less than 743 bytes in length, the resulting infected .COM file will always be 1,486 bytes in length. This effect is due to the virus not checking to see if it read less than 743 bytes of the original file before infecting it. The Taiwan virus is destructive. On the 8th day of any month, when an infected program is run the virus will perform an absolute disk write for 160 sectors starting at logical sector 0 on the C: and D: drives. In effect, this logical write will result in the FATs and root directory being overwritten. Known variant(s) of Taiwan include: Taiwan-B : Apparently an earlier version of the Taiwan virus, this variant will hang the system when infected files are executed, but after it has infected another file using the selection mechanism indicated for the Taiwan virus. Virus Name: Taiwan 3 Aliases: V Status: Rare Discovered: June, 1990 Symptoms: .COM & .EXE growth, decrease in available free memory, system hangs Origin: Taiwan Eff Length: 2,900 Bytes Type Code: PRA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V64+, Pro-Scan 2.01+ Removal Instructions: Clean-Up V71+, Scan/D, or delete infected files General Comments: The Taiwan 3 Virus was isolated in June, 1990 in Taiwan, R.O.C. It was dubbed the Taiwan 3 Virus by John McAfee because it is the third virus from Taiwan, the other two are Taiwan and Disk Killer. This virus is not related to either of these two viruses. The first time a program infected with the Taiwan 3 Virus is executed on a system, the virus will install itself memory resident in low system free memory. Available free memory will decrease by 3,152 bytes. The virus hooks interrupt 21. After becoming memory resident, Taiwan 3 will infect any program which is executed. .COM files will increase in length by 2,900 bytes, .EXE files will increase by between 2,900 and 2,908 bytes. Overlay files may also become infected as well. It is unknown what the activation criteria is for this virus, or what it does besides spreading. Also see: Fu Manchu Virus Name: Taiwan 4 Aliases: 2576 V Status: Common Discovered: October, 1990 Symptoms: TSR; .COM & .EXE file growth; system slowdown Isolated: USA and Thailand Origin: Taiwan Eff Length: 2,576 Bytes Type Code: PRsA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V71+, Pro-Scan 2.01+ Removal Instructions: Clean-Up V71+, Pro-Scan 2.01+, or Delete infected files General Comments: The Taiwan 4, or 2576, Virus was isolated in October, 1990. While one copy of this virus was submitted by a user of Excalibur! who indicated that it had been received from a download of AutoCad from another BBS, a second copy was submitted to John McAfee from Thailand on approximately the same date. This virus appears to have originated in Taiwan, and is based on the Taiwan 3 virus. It is a memory resident infector of .COM and .EXE files, but will not infect COMMAND.COM. When a program infected with the Taiwan 4 Virus is executed, the virus will check to see if it is already memory resident. If the virus isn't already in memory, the virus will install itself memory resident as a low system memory TSR of 2,832 bytes. Interrupts 08 and 21 will be hooked by the virus. After the virus is resident, the virus will start to slow down the system gradually. After approximately 30 minutes, it will have slowed the system down by approximately 30 percent. Any .COM or .EXE file executed with Taiwan 4 active in memory will become infected. Infected programs will have their file length increased by 2,576 bytes for .COM files, and 2,576 - 2,590 bytes for .EXE files. The virus is located at the beginning of .COM files, and the end of .EXE files. The following text message can be found in all infected programs: "To Whom see this: Shit! As you can see this document, you may know what this program is. But I must tell you: DO NOT TRY to WRITE ANY ANTI-PROGRAM to THIS VIRUS. This is a test-program, the real dangerous code will implement on November. I use MASM to generate varius virus easily and you must use DEBUG against my virus hardly, this is foolish. Save your time until next month. OK? Your Sincerely, ABT Group., Oct 13th, 1989 at FCU." Another text string that can be found in all infected programs is: "ACAD.EXECOMMAND.COM". Virus Name: The Plague Aliases: V Status: New Discovered: January, 1991 Symptoms: "Program too big to fit in memory" message; Programs do not execute properly; Long disk accesses; Message and disk overwrite Origin: United States Eff Length: 590 Bytes Type Code: ONAK - Overwriting Non-Resident .COM & .EXE Infector Detection Method: Removal Instructions: Delete infected files General Comments: The Plague Virus was isolated in January, 1991 in the United States. This virus is a non-memory resident infector of .COM and .EXE files, including COMMAND.COM. When a program infected with The Plague is executed, the virus will attempt to infect up to three programs on the current drive, starting in the current directory. Infected programs can be either .COM or .EXE files, and COMMAND.COM can become infected. This virus is an overwriting virus. It replaces the first 590 bytes of the program being infected with a copy of itself. The file date and time in the disk directory are not altered. Programs infected with The Plague will not function properly. For .EXE files, the following message will usually be displayed upon program execution: "Program too big to fit in memory" This message may also occur for some .COM programs, but not usually. The Plague activates when an infected program is executed and it can not find an uninfected program to infect, though there is some randomness to whether or not the activation will actually occur. When this virus activates, the following message is displayed: "Autopsy indicates the cause of death was THE PLAGUE Dedicated to the dudes at SHHS VIVE LE SHE-MAN!" While the message is being displayed, the disk in the current drive will be overwritten with garbage characters, rendering it unrecoverable. Programs infected with The Plague cannot be disinfected since the first 590 bytes of the program no longer exists. The programs must be deleted and replaced with clean copies. Virus Name: Tiny Family Aliases: Tiny-133, Tiny-134, Tiny-138, Tiny-143, Tiny-154, Tiny-156, Tiny-158, Tiny-159, Tiny-160, Tiny-167, Tiny-198 V Status: Rare Discovery: July, 1990 Symptoms: .COM file growth Origin: Bulgaria Eff Length: 133 - 198 Bytes (see below) Type Code: PRC - Parasitic Resident .COM Infector Detection Method: ViruScan V66+, Pro-Scan 2.01+ (larger variants only) Removal Instructions: Scan/D, or Delete infected files General Comments: The Tiny Family of Viruses was received by the author in July 1990 from Vesselin Bontchev of Bulgaria. All the viruses in this grouping share the same characteristics, with the only real difference is the effective length of the viral code. There were five (5) viruses included in the "family" as of July, 1990: Tiny-158, Tiny-159, Tiny-160, Tiny-167, and Tiny-198. In October 1990, five (5) additional viruses in this family were received from Vesselin Bontchev: Tiny-134, Tiny-138, Tiny-143, Tiny-154, and Tiny-156. In December 1990, an eleventh member was added to this family: Tiny-133. The first time a file infected with one of the Tiny Family viruses is executed on a system, the virus will install itself memory resident at memory segment 60h. This area of memory is normally only used by DOS when the system is booted, after that it is never used or referenced. Interrupt 21 will be hooked by the virus. After the virus is memory resident, the virus will infect any .COM program that is executed. Infected programs will have a file length increase of between 134 - 198 bytes, depending on which variant is present on the system. The file's date and time in the directory will also have been updated to the system date and time when the infection occurred. The Tiny Family of Viruses currently does not do anything but replicate. The viruses in this "family" are not related to the Tiny Virus documented below. Known members of the Tiny Family are: Tiny-133 : Similar to Tiny-134, this variant's effective length is 133 bytes. The bugs in Tiny-134 have been fixed, this virus is an excellent replicator. This variant has also been altered so that it cannot be detected by anti-viral utilities which were aware of other members of this family. Tiny-134 : This variant's effective length is 134 bytes. This variant is the only member of this family which is not a very viable virus, it will usually hang the system when it attempts to infect .COM files. Tiny-138 : Same as above, effective length is 138 bytes. Tiny-143 : Same as above, effective length is 143 bytes. Tiny-154 : Same as above, effective length is 154 bytes. Tiny-156 : Same as above, effective length is 156 bytes. Tiny-158 : Same as above, effective length is 158 bytes. Tiny-159 : Same as above, effective length is 159 bytes. Tiny-160 : Same as above, effective length is 160 bytes. Tiny-167 : Same as above, effective length is 167 bytes. Tiny-198 : Same as above, effective length is 198 bytes. Also see: Tiny Virus Virus Name: Tiny Virus Aliases: 163 COM Virus, Tiny 163 Virus V Status: Rare Discovery: June, 1990 Symptoms: COMMAND.COM & .COM file growth Origin: Denmark Eff Length: 163 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V64+, VirexPC, F-Prot 1.12+ Removal Instructions: Scan/D, F-Prot 1.12+, or Delete infected files General Comments: The 163 COM Virus, or Tiny Virus, was isolated by Fridrik Skulason of Iceland in June 1990. This virus is a non-resident generic .COM file infector, and it will infect COMMAND.COM. The first time a file infected with the 163 COM Virus is executed, the virus will attempt to infect the first .COM file in the current directory. On bootable diskettes, this file will normally be COMMAND.COM. After the first .COM file is infected, each time an infected program is executed another .COM file will attempt to be infected. Files are infected only if their original length is greater than approximately 1K bytes. Infected .COM files will increase in length by 163 bytes, and have date/time stamps in the directory changed to the date/time the infection occurred. Infected files will also always end with this hex string: '2A2E434F4D00'. This virus currently does nothing but replicate, and is the smallest MS-DOS virus known as of its isolation date. The Tiny Virus may or may not be related to the Tiny Family documented elsewhere in this listing. Also see: Tiny Family Virus Name: Traceback Aliases: 3066 V Status: Extinct Discovered: October, 1988 Symptoms: .COM & .EXE growth, TSR, graphic display 1 hour after boot Origin: Eff Length: 3,066 bytes Type Code: PRsA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: M-3066, VirClean, F-Prot, VirexPC, Pro-Scan 1.4+, VirHunt 2.0+ or delete infected files General Comments: The Traceback virus infects both .COM and .EXE files, adding 3,066 bytes to the length of the file. After an infected program is executed, it will install itself memory resident and infect other programs that are opened. Additionally, if the system date is after December 5, 1988, it will attempt to infect one additional .COM or .EXE file in the current directory. If an uninfected file doesn't exist in the current directory, it will search the entire disk, starting at the root directory, looking for a candidate. This search process terminates if it encounters an infected file before finding a candidate non-infected file. This virus derives its name from two characteristics. First, infected files contain the directory path of the file causing the infection within the viral code, thus is it possible to "trace back" the infection through a number of files. Second, when it succeeds in infected another file, the virus will attempt to access the on-disk copy of the program that the copy of the virus in memory was loaded from so that it can update a counter in the virus. The virus takes over disk error handling while trying to update the original infected program, so if it can't infect it, the user will be unaware that an error occurred. The primary symptom of the Traceback virus having infected the system is that if the system date is after December 28, 1988, the memory resident virus will produce a screen display with a cascading effect similar to the Cascade/1701/1704 virus. The cascading display occurs one hour after system memory is infected. If a keystroke is entered from the key- board during this display, a system lockup will occur. After one minute, the display will restore itself, with the characters returning to their original positions. This cascade and restore display are repeated by the virus at one hour intervals. Known variant(s) of the Traceback virus are: Traceback-B : Similar to the Traceback virus, the major differences are that Traceback-B will infect COMMAND.COM and there is no cascading display effect after the virus has been resident for one (1) hour. Infected files will also not contain the name of the file from which the virus originally became memory resident, but instead the name of the current file. A text string: "MICRODIC MSG" can be found in files infected with Traceback-B. If the system is booted from a diskette whose copy of COMMAND.COM is infected, attempting to execute any program will result in a memory allocation error and the system being halted. Origin: Spain, March 1990. Traceback-B2: Similar to Traceback-B2, this variant has the cascading display effect after the virus has been resident in memory for one (1) hour. The text string " XPO DAD " replaces the "MICRODIS MSG" text string in Traceback-B. Origin: Spain, May 1990. Also see: Traceback II Virus Name: Traceback II Aliases: 2930 V Status: Extinct Discovered: October, 1988 Symptoms: .COM & .EXE growth, TSR, graphic display 1 hour after boot Origin: Eff Length: 2,930 Bytes Type Code: PRA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: Scan/D/X, F-Prot, VirexPC, Pro-Scan 1.4+, VirHunt 2.0+, or delete infected files. General Comments: The Traceback II virus is a variant of the Traceback (3066) virus. It is believed that Traceback II predates the Traceback virus, however the Traceback virus was isolated and reported first. As with the Traceback virus, the Traceback II virus is memory resident and infects both .COM & .EXE files. The comments indicated for the Traceback virus generally apply to the Traceback II virus, with the exception that the file length increase is 2,930 bytes instead of 3,066 bytes. Known variant(s) of the Traceback II Virus are: Traceback II-B: Similar to Traceback II, this variant will infect COMMAND.COM. When the cascading effect occurs, the screen will not be restored, instead the system will be hung requiring it to be powered off and rebooted. Also see: Traceback Virus Name: Turbo 448 Aliases: @ Virus, Turbo @, Polish-2 V Status: Rare Discovered: November, 1990 Symptoms: .COM growth; File not found errors with some utilities. Origin: Hungary Eff Length: 448 Bytes Type Code: PRCK - Parasitic Resident .COM Infector Detection Method: ViruScan V71+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Turbo 448, or @ Virus, was discovered in Hungary in November, 1990. This virus is a memory resident infector of .COM files, including COMMAND.COM. The first time a program infected with the Turbo 448 Virus is executed, the virus will install itself memory resident at the end of the Command Interpretor in memory. Total system memory and available free memory will not decrease. Interrupt 21 will be hooked by the virus. The Turbo 448 Virus is unusual in that it does not infect programs when they are executed. Instead, it infects .COM files when they are openned for some other reason besides execution. For example, if the virus is memory resident a program A.COM is copied to B.COM, both programs will become infected by the virus. Infected files will increase in length by 448 bytes, with the virus being located at the end of the file. The program's date and time in the disk directory will also have been updated to the system date and time when the file was infected. The following text string can be found at the end of all infected programs: "Udv minden nagytudasunak! Turbo @" Another interesting behavior of this virus is that when the virus is memory resident, anti-viral products which are unaware of the Turbo 448's presence in memory will not function properly. After the third file is read, the program may fail due to a "file not found" error being received when it attempts to open the fourth program. Also see: Turbo Kukac 9.9 Virus Name: Turbo Kukac Aliases: Kukac, Turbo Kukac 9.9, Polish-2 V Status: Rare Discovered: November, 1990 Symptoms: .COM growth; Decrease in total system and free available memory; File not found errors with some utilities. Origin: Hungary Eff Length: 512 Bytes Type Code: PRCK - Parasitic Resident .COM Infector Detection Method: ViruScan V71+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Turbo Kukac, or Kukac, Virus was discovered in Hungary in November, 1990. This virus is a memory resident infector of .COM files, including COMMAND.COM. It is very similar to the Turbo 448 Virus. The first time a program infected with the Turbo Kukac Virus is executed, the virus will install itself memory resident following the Command Interpretor and any previously loaded TSRs. Total system memory and available free memory will decrease by 1,040 bytes. Interrupts 05 and 21 will be hooked by the virus. Note that this virus does not use a low system memory TSR, but instead creates a sort of "hole" in memory for its usage. Like the Turbo 448 Virus, this virus does not infect program when they are executed. Instead, it infects .COM files when they are openned for some other reason besides execution. For example, if the virus is memory resident a program A.COM is copied to B.COM, both programs will become infected by the virus. Infected files will increase in length by 512 bytes with the virus being located at the end of the file. The program's date and time in the directory will also have been updated to the system date and time when the file was infected. The following text string can be found at the end of all infected programs: "Turbo Kukac 9.9 $" An interesting behavior of this virus is that when the virus is memory resident, anti-viral products which are unaware of the Turbo Kukac's presence in memory will not function properly. After the fourth file is read, the program may fail due to a "file not found" error being received when it attempts to open the fifth program. Also see: Turbo 448 Virus Name: Typo Boot Aliases: Mistake V Status: Rare Discovered: June, 1989 Symptoms: BSC, Resident TOM, garbled printout. Origin: Israel Eff Length: N/A Type Code: BRt - Resident Boot Sector Infector Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: MDisk, Pro-Scan 1.4+, F-Prot, or DOS SYS Command General Comments: The Typo Boot virus was first isolated in Israel by Y. Radai in June, 1989. This virus is a memory resident boot sector infector, taking up 2K at the upper end of system memory once it has installed itself memory resident. The major symptom that will be noticed on systems infected with the Typo Boot virus is that certain characters in printouts are always replaced with other phonetically similar characters. Since the virus also substitutes hebrew letters for other hebrew letters, the virus was most likely written by someone in Israel. Digits in numbers may also be transposed or replaced with other numbers. The substitutions impact printouts only, the screen display and data in files are not affected. The Typo Boot virus is similar structurally to the Ping Pong virus, and may be a variant of Ping Pong. It can be removed from a disk by using MDisk, CleanUp, DOS SYS command, or just about any Ping Pong disinfector. Virus Name: Typo COM Aliases: Fumble, 867 V Status: Extinct Discovered: November, 1989 Symptoms: .COM growth, Resident TOM, garbled printout (see text). Origin: England Eff Length: 867 Bytes Type Code: PRtC - Parasitic Resident .COM Infector Detection Method: ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: Scan/D/X, F-Prot, Pro-Scan 1.4+, VirHunt 2.0+, or delete infected files General Comments: The Typo COM virus is similar to the Typo Boot virus in that it will garble data that is sent to the parallel port once it has activated. Unlike the Boot virus, the COM virus infects generic .COM files. This virus was first reported by Joe Hirst of Brighton, UK, in November, 1989. The Typo COM virus only infects .COM files on even-numbered days. Virus Name: USSR Aliases: V Status: Rare Discovered: October, 1990 Symptoms: .EXE growth; hard disk boot sector and partition table damage; system hangs; long program load times Origin: USSR Eff Length: 576 Bytes Type Code: PNE - Parasitic Non-Resident .EXE Infector Detection Method: ViruScan V71+, Pro-Scan 2.01+ Removal Instructions: Scan/D, or Delete infected Files General Comments: The USSR Virus was discovered in October, 1990 in the USSR. It is an encrypted, non-resident generic infector of .EXE files. Each time a program infected with the USSR Virus is executed, it will search the currect directory for the first uninfected .EXE file. If it finds one, it will attempt to infect it. Sometimes when the virus attempts to infect a file, it will hang the system leaving the drive light on, however most of the time the virus is successful. Infected files will increase in length by 576 to 586 bytes, with the virus located at the end of the file. Systems infected with this virus may go to boot their system from its hard disk only to find that the hard disk's boot sector has been removed, and the partition table has been damaged, thus rendering the hard disk inaccessible. This damage can be repaired using Norton Disk Doctor, or MDisk with the /P option. Infected systems will also experience longer than normal load times when infected programs are executed. The longer than normal load time is due to the virus searching for a file to infect, and then infecting the candidate file if one was found. Virus Name: USSR 311 Aliases: V-311 V Status: New Discovered: January, 1991 Symptoms: .COM growth; COMMAND.COM renamed to COMMAND.CON Origin: USSR Eff Length: 311 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The USSR 311, or V-311, Virus was submitted in January, 1991. It originated in the USSR. This virus is a non-resident infector of .COM programs, including COMMAND.COM. When a program infected with USSR 311 is executed, the virus will check the system time to see if the seconds value is equal to one of 16 values. If it was equal to one of those 16 values, COMMAND.COM will be renamed to COMMAND.CON. Whether or not the rename of COMMAND.COM occurred, the virus will then infect one .COM program in the current directory. Infected .COM programs will increase in length by 311 bytes, the virus will be located at the end of the infected file. The file's time in the disk directory will also be modified to be 11:19:32, the infection marker for this virus. The file date in the directory is not altered. USSR 3111 will also alter the file attributes for the file in the directory. In particular, bits 8 thru 15 will be reset, which may produce unexpected results in environments that make use of these bits. Virus Name: USSR 492 Aliases: V Status: New Discovered: December, 1990 Symptoms: .COM file growth; File date/time changes Origin: USSR Eff Length: 495 - 508 Bytes Type Code: PRfCK - Parasitic Resident .COM Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The USSR 492 Virus was submitted in December, 1990 and is from the USSR. This virus is a memory resident .COM file infector, it will infect COMMAND.COM. When the first program infected with USSR 492 is executed, the virus will install itself memory resident in high system memory, but below the 640K DOS boundary. This memory is not reserved by the virus. Interrupt 21 will be hooked by the virus. At the time of going memory resident, the virus will check to determine if COMMAND.COM on the C: drive is infected, if it isn't, then the virus will infect it. Once USSR 492 is memory resident, it will infect any .COM program which is executed. Execution of COMMAND.COM on the A: drive is the only way to infect COMMAND.COM on A:. Programs infected with USSR 492 will have a file length increase of 495 to 508 bytes. The virus will be located at the end of infected programs. Infected programs will also have their date and time in the disk directory changed to the system date and time when infection occurred. USSR 492 does not appear to do anything besides replicate. Virus Name: USSR 516 Aliases: Leapfrog V Status: Rare Discovered: December, 1990 Symptoms: .COM file growth Origin: USSR Eff Length: 516 Bytes Type Code: PRCK - Parasitic Resident .COM Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The USSR 516 Virus was submitted in December, 1990. It is from the USSR. This virus is a memory resident infector of .COM programs, including COMMAND.COM. It infects on file execution. The first time a program infected with the USSR 516 Virus is executed, the virus will install itself memory resident in a "hole in memory" between MSDOS and the DOS Stacks. This area will be labelled DOS Data. Interrupt 21 will be hooked by the virus. There will be no change in total system memory or available free memory. After the virus is memory resident, it will infect .COM programs which are executed that had an uninfected file length which was greater than 512 bytes. Infected .COM programs will have their length increased by 516 bytes, the virus will be located at the end of the program. USSR 516 does not appear to do anything besides replicate. The original submitted sample was not a natural infection of this virus, so this may be a research virus. Virus Name: USSR 600 Aliases: V Status: Rare Discovered: December, 1990 Symptoms: .COM file growth Origin: USSR Eff Length: 600 Bytes Type Code: PRhCK - Parasitic Resident .COM Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The USSR 600 Virus was submitted in December, 1990, and is from the USSR. This virus is a memory resident infector of .COM programs, including COMMAND.COM. When the first program infected with USSR 600 is executed, the virus will install itself memory resident at the top of system memory but below the 640K DOS boundary. The DOS ChkDsk program will indicate that total system memory and available free memory are 2,048 bytes less than expected. This virus does not move the interrupt 12 return. USSR 600 uses interrupts 21 and 24. Once USSR 600 is memory resident, it will infect .COM programs which are executed if they have an original file length of at least 600 bytes. Infected files will increase in size by 600 bytes, and the virus's code will be located at the beginning of the infected program. It is unknown if this virus does anything besides replicate. Virus Name: USSR 707 Aliases: V Status: Rare Discovered: December, 1990 Symptoms: .COM file growth; decrease in total system and available memory Origin: USSR Eff Length: 707 Bytes Type Code: PRtCK - Parasitic Resident .COM Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The USSR 707 Virus was submitted in December, 1990. It is from the USSR. This virus is a memory resident infector of .COM programs, including COMMAND.COM. When the first program infected with the USSR 707 Virus is executed, this virus will install itself memory resident at the top of system memory but below the 640K DOS boundary. It will move the interrupt 12 return so that the virus in memory cannot be overwritten. USSR 707 makes use of interrupt 21, which will now map to the virus in high system memory. Total system memory and available free memory will be 720 bytes less than expected. After USSR 707 is memory resident, any .COM program executed will become infected by the virus. Infected .COM programs will have a file length increase of 707 bytes, the virus will be located at the end of the file. If COMMAND.COM is executed, it will be infected. It is unknown if USSR 707 does anything besides replicate. Virus Name: USSR 711 Aliases: V Status: Rare Discovered: December, 1990 Symptoms: .COM file growth; system hangs; decrease in total system and available memory Origin: USSR Eff Length: 711 Bytes Type Code: PRhC - Parasitic Resident .COM Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The USSR 711 Virus was submitted in December, 1990, and comes from the USSR. This virus is a memory resident infector of .COM files. It does not infect COMMAND.COM. When the first program infected with USSR 711 is executed, the virus will install itself memory resident at the top of system memory but below the 640K DOS boundary. This memory is reserved. The virus also hooks interrupts 08, 13, and 21. The DOS ChkDsk program will indicate that total system memory and available free memory is 704 bytes less than what the user expects. The interrupt 12 return is not altered by this virus. After USSR 711 is memory resident, any .COM file which is executed that had an original file length of at least 1600 bytes will be infected by the virus. Infected .COM files will increase in size by 705 to 717 bytes, and the virus will be located at the end of the infected file. Systems infected with USSR 711 may notice occasional system hangs which may occur when this virus attempts to infect .COM programs. It is unknown if USSR 711 does anything besides replicate and occasionally hang the system when infecting files. Virus Name: USSR 948 Aliases: V Status: Rare Discovered: December, 1990 Symptoms: .COM & .EXE growth; decrease in total system and available memory Origin: USSR Eff Length: 948 Bytes Type Code: PRhA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The USSR 948 Virus was received in December, 1990, and originated in the USSR. This virus is a memory resident infector of .COM and .EXE files, and will also infect COMMAND.COM. When the first program infected with USSR 948 is executed, this virus will install itself memory resident at the top of system memory but below the 640K DOS boundary. The interrupt 12 return will not be altered, although the memory in use by the virus is reserved. Interrupts 1C and 21 will be hooked by the virus. After USSR 948 is memory resident, and .COM or .EXE program which is executed or openned for any reason will become infected by the virus. Infected programs, with the exception of COMMAND.COM, will increase in size by between 950 to 963 bytes. In the case of COMMAND.COM, the virus will overwrite a portion of the stack space located in the file, so the file will not have a length change. In all cases, the file date and times in the disk directory are not altered. Infected programs will have the virus located at the end of the file. It is unknown if USSR 948 does anything besides replicate. Virus Name: USSR 1049 Aliases: V Status: Rare Discovered: December, 1990 Symptoms: .COM & .EXE growth; system hangs; decrease in total system and available free memory Origin: USSR Eff Length: 1,049 Bytes Type Code: PRhA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The USSR 1049 virus was received in December, 1990. It originated in the USSR. This virus is a memory resident infector of .COM and .EXE files, and does not infect COMMAND.COM. When the first program infected with USSR 1049 is executed, the virus will install itself memory resident at the top of system memory but below the 640K DOS boundary. This memory will be 1,056 bytes in size and is reserved. The interrupt 12 return is not moved. Interrupt 21 will be hooked by the virus. After USSR 1049 is memory resident, the virus will infect .COM and .EXE files when they are executed. The virus, however, will not infect very small .EXE files. Infected files will increase in size by 1,051 to 1,064 bytes, the virus will be located at the end of the infected program. Systems infected with the USSR 1049 Virus may experience system hangs when attempting to execute .EXE programs. These hangs occassionally occur when the virus infects .EXE program, though the program being infected will actually be infected. It is unknown if USSR 1049 does anything besides replicate. Virus Name: USSR 1689 Aliases: SVC V4.00 V Status: Rare Discovered: December, 1990 Symptoms: .COM & .EXE growth; system hangs Origin: USSR Eff Length: 1,689 Bytes Type Code: PRA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The USSR 1689 Virus was received in December, 1990. It is from the USSR. This virus is not a very viable virus, though it does infect both .COM and .EXE programs. When the first program infected with USSR 1689 is executed, this virus will install itself memory resident in the in-memory command interpretor. After the virus is memory resident, the virus will infect the next .COM or .EXE program executed, though a system hang will also occur. Infected programs will increase in size by 1,689 bytes, though on files larger than 1,689 bytes, the virus will hide the file length increase if the virus is already in memory. Files originally smaller than 1,689 bytes will indicate a file size increase in the DOS directory when the virus is resident. In all cases, the virus will be located at the end of infected programs. With the system hang which occurs each time a program is infected by this virus, it is not a very viable virus, and should not be considered a threat in its current state. Virus Name: USSR 2144 Aliases: V Status: Rare Discovered: December, 1990 Symptoms: .COM & .EXE growth; decrease in total system and available memory Origin: USSR Eff Length: 2,144 Bytes Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The USSR 2144 Virus was submitted in December, 1990, and is from the USSR. This virus is a memory resident infector of .COM and .EXE files, including COMMAND.COM. When the first program infected with the USSR 2144 Virus is executed, the virus will install itself memory resident at the top of system memory but below the 640K DOS boundary. The DOS ChkDsk program will indicate memory values that show 4,608 bytes less total system memory and available free memory than expected. This virus does not move the interrupt 12 return. The virus also directly alters the interrupt page in memory so that some interrupts will now execute the virus's code. After USSR 2144 is memory resident, and program which was originally greater in length than 2K that is executed or openned for reason will become infected by the virus. Infected .COM programs will increase in length by 2,144 bytes. .EXE programs will increase in length by 2,144 to 2,59 bytes. In both cases, the virus will be located at the end of infected files. Infected files will not have their date and time in the disk directory altered, and this virus does not hide the change in file length of infected files. It is unknown if USSR 2144 does anything besides replicate. Virus Name: V651 Aliases: Eddie 3, Stealth Virus V Status: Rare Discovered: April, 1990 Symptoms: .COM & .EXE growth, decrease in system and free memory, file allocation errors Origin: Sofia, Bulgaria Eff Length: 651 Bytes Type Code: PRtA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V66+, VirHunt 2.0+ Removal Instructions: Scan/D, VirHunt 2.0+, or Delete infected files General Comments: The V651, or Eddie 3, Virus was isolated in Sofia, Bulgaria in April 1990 by Vesselin Bontchev. V651 is believed to have been written by the same author as Dark Avenger, V1024, and V2000. This virus is a generic infector for .COM and .EXE files. The first time a program infected with V651 is executed, the virus will install itself memory resident. Using the DOS CHKDSK program, total system memory, as well as available free memory, will be decreased by 688 bytes. Later, as programs with a length of 651 bytes or greater are executed, they will be infected by the virus. Infected files increase in length by 651 bytes, though the increase in file length will not be seen by performing a directory command with the virus present in memory. The total available disk space will also be adjusted by the virus so that the decrease in available disk space due to the virus's activities cannot be seen. Powering off the system and booting from a known clean boot diskette, followed by issuing a directory command will result in the correct infected file lengths being displayed as well as the actual available space on the disk. Infected files can be easily identified as the text string "Eddie Lives." appears near the end of the infected file. These files will also be 651 bytes longer than expected when the virus is not present in memory. A side effect of the V651 virus is that lost clusters may occur on infected systems if the CHKDSK /F command is used. While this does not occur for all infected files, the number of errors reported by CHKDSK will be much higher statistically when V651 is present. Unlike Dark Avenger and V2000, this virus does not infect files on any file open. It only infects when programs are executed. Also see: Dark Avenger, V1024, V2000 Virus Name: V800 Aliases: Live after Death Virus, Stealth Virus V Status: Rare Discovered: May, 1990 Symptoms: .COM growth, decrease in total system and available memory Origin: Bulgaria Eff Length: 800 Bytes Type Code: PRC - Parasitic Resident .COM Infector Detection Method: ViruScan V63+, Pro-Scan 1.4+, F-Prot 1.12+ Removal Instructions: CleanUp V64+, Scan/D, F-Prot 1.12+, or delete infected files General Comments: The V800, or Live after Death, Virus was isolated in Bulgaria by Vesselin Bontchev in May, 1990. The V800 is a self-encrypting memory resident .COM infector, and it does not infect COMMAND.COM. This virus is thought to have been written by the same person as the Dark Avenger virus since many of the same techniques are used. The virus has received an alias of the Live after Death Virus as the virus contains the "Live after Death" string, though it cannot be seen in infected files as the virus is encrypted. The first time an infected program is run on a system, the V800 Virus will install itself memory resident. In the process of installing itself resident, it will decrease available system memory by 16K, using 8,192 Bytes for itself in the top of available free memory. It will also hook interrupt 2A. Once in memory, every time a .COM file is attempted to be executed, the virus will check to see if it is a candidate for infection. Whether the file will be infected depends on the size of the .COM file when it is attempted to be executed. In no event is a .COM file smaller than 1024 bytes infected, but not all .COM files over 1024 bytes are infected either. The V800 Virus will reinfect .COM files, with the file's size increasing by 800 bytes with each infection. It does not, however, infect .COM files more than eight times. Known variant(s) of the V800 Virus include: V800M : Very similar to V800, the major difference is that V800M will infect files on both file open and file execute, putting this variant into the "Stealth" virus category. When the virus becomes memory resident, total system and free memory will decrease by only 8,192 bytes. This variant does not have the "Live after Death" string in it. Virus Name: V1024 Aliases: Dark Avenger III, Stealth Virus V Status: Rare Discovered: May, 1990 Symptoms: TSR; decrease in available free memory Origin: Bulgaria Eff Length: 1,024 Bytes Type Code: PRA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V64+ Removal Instructions: Scan/D, or Delete infected files General Comments: The V1024, or Dark Avenger III, Virus was discovered in Bulgaria in April 1990 by Daniel Kalchev. V1024 is a memory resident generic infector of .COM and .EXE files. It is believed to have been written by the same person that wrote Dark Avenger and V2000. This virus may actually be an earlier version of the Dark Avenger virus, it has many of the same characteristics, though it does not infect all files when they are opened for any reason. The first time a program infected with V1024 is executed, the virus will install itself memory resident. At this time, it checks to see if several interrupts are being monitored, including interrupts 1 and 3. If interrupts 1 and 3 are monitored, V1024 allow the current program to run, but any subsequent program executed will hang the system and V1024 will not replicate. When V1024 is memory resident, infected systems will experience a decrease in free memory by 1,072 bytes. Total system memory will not have changed. The virus will have remapped several interrupts by altering their location in the interrupt map page in memory. These interrupts will now be controlled by V1024. After V1024 becomes memory resident, the virus will infect any program executed which is greater in length than 1,024 bytes. Both .COM and .EXE files are infected, COMMAND.COM is not infected. Infected files increase in length by 1,024 bytes, though this increase will not appear if the virus is present in memory and a DIR listing is done. V1024 infected files can be identified by a text string which appears very close to the end of infected files. The text string is: '7106286813'. V1024 does not appear contain any activation date. Also see: Dark Avenger, V2000, V651 Virus Name: V2000 Aliases: Dark Avenger II, Stealth Virus, Travel Virus V Status: Rare Discovered: 1989 Symptoms: TSR; .COM, .EXE, .OV? growth (see text); crashes; crosslinked files following CHKDSK. Origin: Bulgaria Eff Length: 2,000 Bytes Type Code: PRA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V59+, Pro-Scan 1.4+, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: Scan/D, Pro-Scan 1.4+, or delete infected files General Comments: The V2000, or Dark Avenger II, virus is a memory resident generic file infector. The first isolated samples of this virus were received from Bulgaria, where it was isolated by Daniel Kalchev and Niki Spahiev. V2000 will infect .COM, .EXE, and Overlay files, as well as COMMAND.COM. When the first infected file is executed, the virus installs itself memory resident, and then infected COMMAND.COM if it has not already been infected. Then, when an executable file is opened for any reason, it is infected if it hasn't been previously infected. Increased file lengths will not be shown if the V2000 virus is present in memory when a DIR command is issued. Issuing a CHKDSK /F command on infected systems may result in crosslinking of files since the directory information may not appear to match the entries in the file allocation table (FAT). Systems infected with the V2000 virus will experience unexpected system crashes, resulting in lost data. Some systems may also become unbootable due to the modification of COMMAND.COM or the hidden system files. One of the following two text strings will appear in the viral code in infected files, thus accounting for the alias of Travel Virus used in Bulgaria: "Zopy me - I want to travel" "Copy me - I want to travel" There are reports from Bulgaria that the V2000 virus looks for and hangs the system if programs written by Vesselin Bontchev are attempted to be executed. This would explain the presence of the following copyright notice within the viral code: "(c) 1989 by Vesselin Bontchev" Known variants of the V2000 virus include: V2000-B/Die Young : Similar to the V2000 virus, the main difference is that the text string "Zopy me - I want to travel" is now "Only the Good die young..." or "Mnly the Good die young..." and the encryption used by the virus is different. This variant is actually the original virus, predating V2000. Also see: Dark Avenger, V1024, V651 Virus Name: V2100 Aliases: 2100, Stealth Virus, UScan Virus V Status: Rare Discovered: July, 1990 Symptoms: file allocation errors, decrease in system and free memory Origin: Bulgaria Eff Length: 2,100 Bytes Type Code: PRtA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V66+ Removal Instructions: Scan/D, or delete infected files General Comments: The V2100, or 2100, Virus was first isolated in Sofia, Bulgaria by Vesselin Bontchev in July 1990. It is a resident generic infector of .COM, .EXE, and overlay files. It will also infect COMMAND.COM. This virus appears to have been originally released into the public domain on an anti-viral program named UScan which was uploaded to a BBS in Europe. While not all copies of UScan are carriers of this virus, there was one version which exists that has the virus embedded in its program code. The virus cannot be detected on this trojan version using search algorithms for this virus. V2100 is believed to have been written by the author of Dark Avenger. The first time a program infected with V2100 is executed, the virus will install itself memory resident above top of memory but below the 640K boundary. The top of memory returned by interrupt 12 will be lower than expected by 4,288 bytes. Likewise, free memory will have decreased by 4,288 bytes. At this same point, V2100 will infect COMMAND.COM though the change in file length will be hidden by the virus. Once the virus is memory resident, it will infect any .COM, .EXE, or overlay file with a file length of at least 2100 bytes that is executed or opened for any reason. The simple act of copying an executable file will result in both the source and target files becoming infected. Infected files will be 2,100 bytes longer, though the virus will hide the change in file length so that it isn't noticeable when directories are listed. In some cases, infected files will appear to be 2,100 bytes smaller than expected if the virus is present in memory. Systems infected with the V2100 virus will notice file allocation errors occurring, along with crosslinking of files. Due to these errors, some files may become corrupted. These file allocation errors are truly errors, they exist whether or not the virus is present in memory. A side note on the V2100 Virus: if the system had previously been infected with the Anthrax virus, V2100's introduction will result in the Anthrax virus again being present in the hard disk partition table. This effect occurs because Anthrax stores a copy of itself on the last sectors of the hard disk. When V2100 becomes resident, it searches the last 16 cylinders of the hard disk for a copy of Anthrax. If V2100 finds the hidden copy of Anthrax, it copies it into the hard disk's partition table. On the next system boot from the hard disk, Anthrax will once again be active on the system. Virus Name: V2P2 Aliases: V Status: Research Discovered: June, 1990 Symptoms: .COM file growth Origin: Minnesota, USA Eff Length: 1,426 - 2,157 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan/X V67+, Pro-Scan 2.01+ Removal Instructions: Scan/D/X, or delete infected files General Comments: The V2P2 Virus is a research virus written by Mark Washburn and distributed to some anti-viral program authors in June of 1990. This virus, according to its author, has not been released. This virus is a non-resident generic infector of .COM files. When a program infected with the V2P2 virus is executed, it will infect the first .COM file it finds in the current directory which is not infected with the virus. The virus adds its code to the end of the file, and the infected file's length will increase between 1,426 and 2,157 bytes. Like the 1260 virus, this virus uses a complex encryption method. In fact, the encryption used with the 1260 virus is one of several possible encryptions that V2P2 may produce. As a result, virus scanning software will often identify the 1260 virus in a file as being both 1260 and V2P2. This identification is entirely valid as 1260 is a special case of V2P2. Also see: 1260, V2P6, V2P6Z Virus Name: V2P6 Aliases: V Status: Research Discovered: July, 1990 Symptoms: .COM file growth Origin: Minnesota, USA Eff Length: 1,946 - 2,111 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan/X V67+, Pro-Scan 2.01+ Removal Instructions: Scan/D/X, or delete infected files General Comments: The V2P6 Virus is a research virus written by Mark Washburn and distributed to some anti-viral program authors in July of 1990. This virus, according to its author, has not been released. This virus is a non-resident generic infector of .COM files similar to the 1260, V2P2, and V2P6Z viruses. When a program infected with the V2P6 virus is executed, it will infect the first .COM file it finds in the current directory which is not infected with the virus. The virus adds its code to the end of the file, and the infected file's length will increase between 1,946 and 2,111 bytes. Like the 1260 and other viruses by Mark Washburn, this virus uses a complex encryption method. The encryption method used by V2P6 is more complex than that used in V2P2, but less complex than that used in the last known virus in this family, V2P6Z. Like V2P2, an algorithmic approach must be used to identify this virus. Also see: 1260, V2P2, V2P6Z Virus Name: V2P6Z Aliases: V Status: Research Discovered: August, 1990 Symptoms: .COM file growth Origin: Minnesota, USA Eff Length: 2,076 - 2,364 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: Removal Instructions: Delete infected files General Comments: The V2P6Z Virus is a research virus written by Mark Washburn and distributed to some anti-viral program authors in August, 1990. This virus, according to its author, has not been released. This virus is a non-resident generic infector of .COM files similar to the 1260, V2P2, and V2P6 viruses. When a program infected with the V2P6Z virus is executed, it will infect the first .COM file it finds in the current directory which is not infected with the virus. The virus adds its code to the end of the file, and the infected file's length will increase between 2,076 and 2,364 bytes. Like the 1260 and other viruses by Mark Washburn, this virus uses a complex encryption method. The encryption method used by V2P6Z is the most complex of the encryption methods employed by the viruses in this family of viruses. Like V2P2 and V2P6, an algorithmic approach must be used to identify this virus as there is no possible identification string within the encrypted viral code. Also see: 1260, V2P2, V2P6 Virus Name: Vacsina Aliases: V Status: Endangered Discovered: November, 1989 Symptoms: TSR; .COM, .EXE, .BIN, & .SYS growth; "beeps" Origin: Bulgaria Eff Length: 1,206 bytes Type Code: PRsA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan, F-Prot, Pro-Scan 1.4+, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: CleanUp V64+, Scan/D/A, F-Prot, VirHunt 2.0+, or delete infected files General Comments: The Vacsina virus is approximately 1200 bytes in length and can be found in memory on infected systems. There are at least 48 variants of the Vacsina virus, also known as the TP virus family, though not all of them have been isolated. Later versions of this virus are included in this listing under the name "Yankee Doodle". Generally, the Vacsina Virus infects both .COM and .EXE files, as well as .SYS and .BIN files. This virus, when infecting a .EXE file, will first convert it into .COM format by changing the MZ or ZM identifier in the first two bytes of the file to a JMP instruction and then adding a small piece of relocator code, so that the .EXE file can be infected as though it were originally a .COM file. One sign of a Vacsina infection is that programs which have been infected may "beep" when executed. Infected programs will also have their date/time in the disk directory changed to the date and time they were infected. Known Vacsina Variants Include: TP04VIR - Infects .EXE files, changing them internally into .COM files. Infected programs may beep when executed, and may be identified by searching for the text string "VACSINA" along with the second byte from the end of the file containing a 04h. This version of Vacsina is a poor replicator, and while it will always convert a .EXE file to .COM file format, adding 132 bytes, it does not always infect executed files. TP05VIR - Similar to TP04VIR, except that the second to the last byte in the file is now a 05h. System hangs may also be experienced. TP06VIR - Similar to TP05VIR, except the second to the last byte in the file is now a 06h. TP16VIR - Similar to TP06VIR, the second to the last byte in the infected file is now 10h. TP23VIR - Similar to TP16VIR, the second to the last byte in the infected file is now 17h. The text "VACSINA" no longer appears in the virus. TP24VIR - Similar to TP23VIR, the second to the last byte in the infected file is now 18h. TP25VIR - Similar to TP24VIR, the second to the last byte in the infected file is now 19h. Also see: Yankee Doodle Virus Name: VComm Aliases: 637 V Status: Rare Discovered: December, 1989 Symptoms: .EXE growth, TSR, write failures Origin: Poland Eff Length: 637 Bytes Type Code: PRaE - Parasitic Resident .EXE Infector Detection Method: F-Prot, ViruScan V60+, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: F-Prot, Scan/D, VirexPC, or delete infected files General Comments: The Vcomm virus is of Polish origin, first isolated in December, 1989. The virus is a .EXE file infector. When an infected file is run, the virus will attempt to infect one .EXE file in the current directory. It will also infect the memory resident version of the system's command interpreter. When Vcomm infects a file, it first pads the file so that the files length is a multiple of 512 bytes, then it adds its 637 bytes of virus code to the end of the file. The memory resident portion of the virus intercepts any disk writes that are attempted, and changes them into disk reads. Virus Name: VFSI Aliases: 437, Happy Day V Status: Rare Discovered: September, 1990 Symptoms: .COM growth; message Origin: Bulgaria Eff Length: 437 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V71+, Pro-Scan 2.01+ Removal Instructions: Scan/D, Pro-Scan 2.01+, or Delete infected files General Comments: The VFSI Virus was isolated in September, 1990 at VFSI (the Higher Institute of Financial Management) located in Svistov, a town on the Danube. VFSI is a non-resident, direct action, infector of .COM files, including COMMAND.COM. When a program infected with the VFSI virus is executed, it will infect one other .COM file located in the current directory. Candidate files to be infected are first aligned to be a multiple of 16, and then the viral code is added. Infected files will increase in length by between 437 and 452 bytes, with the viral code being located at the end of infected files. Infected files can be easily identified as they will always contain the following hex string: 3A483F244B6F636E706C74. On approximately one out of five executions of an infected program, the program will flash the following message on the screen: "HELLO!!! HAPPY DAY and SUCCESS from virus 1.1 VFSI-Svistov" This message is encrypted in the viral code, so it is not visible in infected files. Virus Name: VHP Aliases: VHP-348, VHP-353, VHP-367, VHP-435 V Status: Research Discovered: July 1989 Symptoms: .COM growth, system hangs Origin: Bulgaria Eff Length: 348 - 435 Bytes Type Code: PNC - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V64+, AVTK 3.5+, F-Prot 1.12+, Pro-Scan 2.01+ Removal Instructions: Scan/D, F-Prot 1.12+, or Delete infected files General Comments: The VHP Virus is actually a small group or "family" of viruses that was discovered in Bulgaria in early 1990. There are currently four identified variants to the VHP Virus, with the VHP-435 variant being the one with the most potential for spreading. These viruses were originally based on the Vienna virus. The progression of the variants shows each variant to be a slightly better replicator. The VHP Viruses are: VHP-348 : This variant does not replicate due to bugs in the virus code. If it did replicate, it would infect .COM files. The virus's effective length is 348 bytes. VHP-353 : VHP-348 fixed so that it will infected COMMAND.COM, increasing its size by 353 bytes. It does not infect other .COM files. This variant is still buggy, and it will occasionally hang systems when attempting to find a .COM file to infect. VHP-367 : VHP-353 which will now infect .COM files besides COMMAND.COM. Infected files increase in size by 367 bytes. Very rarely, this virus will reinfect an infected .COM file. VHP-353 does not always infect a .COM file when an infected program is executed, it will sometimes not infect any .COM file, though it has in effect immunized the file from infection. This effect is probably a bug in this variant. VHP-435 : Isolated in July, 1989, this variant is 435 bytes in length and is not destructive, all it does is spread. VHP-435 will attempt to infect 1 file each time an infected program is executed. COMMAND.COM and .EXE files are not infected. After infecting all of the .COM files on the current drive and directory, it will attempt to infect drive C:. VHP-435 is the VHP-367 virus with some modifications to make it less likely to be noticed. Also see: Vienna, VHP2 Virus Name: VHP2 Aliases: 623, VHP-623 V Status: Research Discovered: March, 1990 Symptoms: .COM growth, reboots or system hangs Origin: Bulgaria Eff Length: 623 bytes Type Code: PNC - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V64+, Pro-Scan 1.4+, AVTK 3.5+, F-Prot 1.12+, VirHunt 2.0+ Removal Instructions: Scan/D, Pro-Scan 1.4+, F-Prot 1.12+, or Delete infected files General Comments: The VHP2 Virus was isolated in Bulgaria in March, 1990. This virus is based on the Vienna Virus, and has many of the same characteristics of the VHP-435 variant of the VHP virus. It's major difference is that of effective length, and that 1 of every 8 infected programs will perform a system warm reboot. VHP2 is 623 bytes long, infecting only .COM files but not COMMAND.COM. Known variants of the Vienna Virus include: VHP-627 : Similar to VHP-623, except that its length is 627 bytes. Also see: VHP, Vienna Virus Name: Victor Aliases: V Status: Rare Discovered: May, 1990 Symptoms: .COM &.EXE growth, data file corruption, file linkage errors, and unexpected system reboots Origin: USSR Eff Length: 2,458 bytes Type Code: PRAK - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V63+, Pro-Scan 1.4+, VirexPC, F-Prot 1.12+ Removal Instructions: Scan/D, Pro-Scan 1.4+, F-Prot 1.12+, or Delete infected files General Comments: The Victor Virus was first isolated in May, 1990. It is believed to have originated in the USSR due to messages which appear within the viral code: "Victor V1.0 The Incredible High Performance Virus Enhanced versions available soon. This program was imported from USSR. Thanks to Ivan." The above message can be found at the end of infected files, but does not appear to ever be displayed. The first time a program infected with the Victor Virus is executed, the virus will install itself memory resident, occupying 3,072 bytes at the top of free memory. Interrupt 21 will be intercepted by the virus. After becoming memory resident, Victor will then seek out and infect COMMAND.COM. Victor is a very slow file infector, only infected approximately 1 in every 10 programs executed after it becomes memory resident. Infected programs will increase in length by between 2,443 and 2,458 bytes. The increase in file size is not hidden by the virus. Occasionally in the process of infecting a file, the virus will hang the system, which may result in data file corruption. Overlay files may also be infected, resulting in file linkage errors. Virus Name: Vienna Aliases: Austrian, Unesco, DOS-62, DOS-68, 1-in-8, 648 V Status: Endangered Discovered: April, 1988 Symptoms: .COM growth, reboots or system hangs Origin: Austria Eff Length: 648 bytes Type Code: PNC - Parasitic Non-Resident .COM Infector Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: CleanUp V66+, VirClean, F-Prot, VirHunt 2.0+, Pro-Scan 1.4+, or VirexPC General Comments: The Vienna virus was first isolated in April, 1988, in Moscow at a UNESCO children's computer summer camp. The virus will infect 1 .COM file whenever a program infected with the virus is run. 1 in every 8 infected programs will perform a system warm reboot whenever the viral code is executed. Some .COM programs infected with this virus may not run. The Vienna virus was written by a high school student in Vienna Austria as an experiment. Its large number of variants can be accounted for as its source code has been published many times. Known variants of the Vienna Virus include: Vienna-B : Similar to Vienna, except that instead of a warm reboot, the program being executed will be deleted. Vienna-B 645 : Similar to the Vienna-B variant, this variant's effective length is 645 bytes. It does not perform either a warm reboot or delete executed programs. It does, however, infect COMMAND.COM Origin: United States Vien6 : Similar to Vienna, except that the warm reboot has been removed. Effective length of the virus is still 648 bytes. After 7 files have become infected on the current drive, the virus will then start infecting .COM files on drive C:. Also see: 1260, Ghostballs, Lisbon, W13, VHP, VHP-2 Virus Name: Violator Aliases: Violator Strain B V Status: Endangered Discovered: August, 1990 Symptoms: .COM growth, Sector not found error on drive B: Origin: USA Eff Length: 1,055 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V67+, Pro-Scan 2.01+ Removal Instructions: Clean-Up V71+, Scan/D, or Delete infected files General Comments: The Violator Virus was submitted in August, 1990 by an anonymous user of Homebase BBS. This virus is a non-resident parasitic virus which infects .COM files, including COMMAND.COM. When a program infected with the Violator Virus is executed, what happens depends on what the system date is set to. If the date is prior to August 15, 1990, the virus will infect 1 .COM file located in the current directory, adding 1,055 bytes to the program. If the date is August 15, 1990 or after, the virus will not infect any files. Symptoms of an infection of the Violator Virus include unexpected attempts to access drive B:. If there is no diskette in drive B:, or the diskette in drive B: is write-protected, a Sector not found error will result. The following message appears in the viral code located in infected programs: "TransMogrified (TM) 1990 by RABID N'tnl Development Corp Copyright (c) 1990 RABID! Activation Date: 08/15/90 - Violator Strain B - ! (Field Demo Test Version) ! ! * NOT TO BE DISTRIBUTED * !" Virus Name: Violator B4 Aliases: Christmas Violator, Violator Strain B4 V Status: New Discovered: December, 1990 Symptoms: .COM growth on 8088 based system; Hard Disk Corruption on 80286 & 80386 based systems Origin: United States Eff Length: 5,302 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Violator B4 Virus was isolated in December, 1990 in the United States. This virus was originally released into the public domain on a trojan version of DSZ (DSZ1203). It is a non-resident infector of .COM files, including COMMAND.COM. What Violator B4 does depends on what processor is in the personal computer it is being executed on. On 80286 and above processors, the virus will activate immediately, overwriting the beginning portion of the system hard disk. It will also attempt to display a Christmas greeting at that time, but the greeting display will be garbled if Ansi.Sys is not loaded. Damage caused by Violator B4 at activation can be repaired using Norton Disk Doctor. On an 8088 based system, Violator B4 will do nothing but replicate. Each time an infected program is executed, the virus will infect one other .COM program in the current directory. Violator B4 infected files will have a file length increase of 5,302 bytes. The file's date and time in the disk directory will not be altered. The virus will be located at the end of the infected file. The following text message is contained within the Violator B4 virus, though it is never displayed: "Violator Strain B4 - Written by RABID Nat'nl Development Corp. RABID would like to take this opportunity to extend it's sincerest holiday wishes to all Pir8 lamers around the world! If you are reading this, then you are lame!!! Anyway, to John McAffe! Have a Merry Christmas and a virus filled new year. Go ahead! Make our day! Remember! In the festive season, Say No to drugs!!! They suck shit! (Bah! We make a virus this large, might as well have something positive!)" Virus Name: VirDem Aliases: VirDem 2 V Status: Endangered Discovered: 1986-1987 Symptoms: .COM growth, Messages Origin: Germany Eff Length: 1,236 Bytes Type Code: PNC - Parasitic Non-Resident .COM Infector Detection Method: VirexPC, AVTK 3.5+, F-Prot 1.12+, ViruScan V71+, VirHunt 2.0+, Pro-Scan 2.01+ Removal Instructions: F-Prot 1.12+, Scan/D, or Delete infected files General Comments: The VirDem Virus was written in 1986-1987 by Ralf Burger of Germany. The virus was originally distributed in Europe as a demonstration virus, to assist computer users in understanding how a computer virus operates. The VirDem virus is not memory resident, and only infects .COM files on the A: drive. It will always skip the first .COM file in the root directory, so normally it will not infect COMMAND.COM. It will also not infect .COM files past the second subdirectory on the disk. Infected files that were originally less than approximately 1,500 bytes will be 2,616 bytes after infection. .COM files which were greater than 1,500 bytes will increase in size by approximately 1,236 bytes. When an infected program is executed, VirDem will infect the next candidate .COM file. Infected files will contain the viral code, followed by the original program. After infecting the .COM file, the virus will play a "game" with you, starting with the following text being displayed: " VirDem Ver.: 1.06 (Generation #) aktive. Copyright by R.Burger 1986,1987 Phone.: D - xxxxx/xxxx This is a demoprogram for computerviruses. Please put in a number now. If you're right, you'll be able to continue. The number is between 0 and # " (Note: I have removed the phone number here, but it appears where xxxxx/xxxx is above. Where # is, the virus's generation number appears.) At this point, you must guess the correct number and enter it. If you put in the wrong number, you get the following message and your program is not run: " Sorry, you're wrong More luck at next try .... " If you guess the correct number, you receive the following message and your program then executes: " Famous. You're right. You'll be able to continue. " Finally, after all the candidate .COM files on the A: drive are infected, the following message is displayed: " All your programs are struck by VIRDEM.COM now." VIRDEM.COM was the original distribution file containing the virus, and had a VIRDEM.DOC file included with it. VirDem is not widespread, and is not destructive. Known variant(s) of VirDem include: VirDem 2 : Similar to the virus described above, the major difference is that the text messages have been translated to German. Also see: Burger Virus Name: Virus-90 Aliases: V Status: Research Discovered: December, 1989 Symptoms: .COM growth, TSR Origin: District of Columbia, USA Eff Length: 857 bytes Type Code: PRC - Parasitic Resident .COM Infector Detection Method: ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan 1.4+, VirexPC, AVTK 3.5+ Removal Instructions: Scan/D/X, F-Prot, Pro-Scan 1.4+, or delete infected files General Comments: The Virus-90 virus was originally distributed in December, 1989 by Patrick Toulme as an "educational tool", with the virus source also available for sale. In January, 1990, the author contacted the sites where he had uploaded the virus requesting that they remove it from their systems, his having decided a live virus was not a "good idea" for an educational tool after being contacted by several viral authorities. The following description was submitted by Patrick Toulme in November 1990 for inclusion in this listing: "This educational, research virus was written by Patrick Toulme to aid developers in understanding direct-virus action and in creating virus-resistant software. This virus is a simple COM infector that will not infect a hard drive and advises the user when a file on a floppy disk is to be infected. Of course, no damage occurs from the virus and all infected files advise the user of the infection upon execution. The safeguards provided by the author prevent accidental infection and the dis-assembly of the code is extremely difficult. Upon request from the anti-viral community, Virus-90 is now only available to approved anti-virus researchers." Also see: Virus101 Virus Name: Virus101 Aliases: V Status: Research Discovered: January, 1990 Symptoms: TSR, BSC, .COM growth (floppy only) Origin: District of Columbia, USA Eff Length: 2,560 Bytes Type Code: PRAFK - Parasitic Resident Infector Detection Method: ViruScan/X V67+, Pro-Scan 1.4+, F-Prot 1.12+, VirHunt 2.0+ Removal Instructions: Scan/D/X or delete infected files General Comments: The Virus101 is the "big brother" of Virus-90, also written by Patrick Toulme as an "educational tool" in January 1990. This virus is memory resident, and employs an encryption scheme to avoid detection on files. It infects COMMAND.COM, and all other executable file types. Once it has infected all the files on a diskette, it will infect the diskette's boot sector. It only infects floppy diskettes in its current version. The following description was submitted by Patrick Toulme for inclusion in this listing in November 1990: "Virus-101 is a sophisticated, continually encrypting, research virus written by Patrick Toulme, author of Virus-90. Virus-101 infects both COM and EXE files and will evade most anti-virus software and will continually encrypt itself to prevent non-algorithmic search scans. This virus is not available to the general public and is presently used by government agencies and corporate security departments to test anti-virus software and hardware devices." Also see: Virus-90 Virus Name: Voronezh Aliases: V Status: Rare Discovered: December 1990 Symptoms: .COM & .EXE growth; decrease in total system and available memory Origin: USSR Eff Length: 1,600 Bytes Type Code: PRhA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Voronezh Virus was received in December, 1990. It is originally from the USSR. Voronezh is a memory resident infector of .COM and .EXE files, and does not infect COMMAND.COM. The first time a program infected with Voronezh is executed the virus will install itself memory resident. This virus will be resident at the top of system memory but below the 640K DOS boundary. While the virus reserves 3,744 bytes of memory for itself, it does not move the interrupt 12 return. Interrupt 21 will be hooked by the virus. This virus may also reserve 24 bytes of display memory on the display adapter card. After Voronezh is memory resident, .COM and .EXE files will be infected when they are executed. Infected files will increase in length by 1,600 bytes, the virus will be located at the end of infected programs. Infected programs will also contain the text string: "Voronezh,1990 2.01". It is unknown if this virus does anything besides replicate. Known variant(s) of Voronezh are: Voronezh B: Similar to the Voronezh Virus described above, the major difference with Voronezh B is that Voronezh B will infect files when they are executed or openned for any reason. The original virus did not infect on file open. The text string indicated for Voronezh is also found in this variant. Virus Name: VP Aliases: V Status: Rare Discovered: May 1990 Symptoms: COMMAND.COM & .COM file growth, system slowdown Origin: England Eff Length: 913 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V64+, Pro-Scan 1.4+, AVTK 3.5+, F-Prot 1.12+, VirHunt 2.0+ Removal Instructions: Scan/D, Pro-Scan 1.4+, F-Prot 1.12+, VirHunt 2.0+, or Delete infected files General Comments: The VP Virus was first isolated in May, 1990. It is a non-resident generic .COM infector, and will infect COMMAND.COM. When an infected program is run, the virus will attempt to locate and infect another .COM file. In some cases, such as COMMAND.COM, the virus will display the contents of the program being infected. In other cases, the virus may attempt to execute the program being infected. Infected files increase in length by 913 bytes, and can be identified as the following hex string will appear near both the beginning and the end of an infected program: '4503EB1808655650'. Virus Name: W13 Aliases: Toothless Virus, W13-A V Status: Endangered Discovered: December, 1989 Symptoms: .COM growth Origin: Poland Eff Length: 534 Bytes Type Code: PNC - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V63+, F-Prot, IBM Scan, Pro-Scan 1.4+, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: Scan/D, F-Prot, Pro-Scan 1.4+, VirHunt 2.0+ or delete infected files General Comments: The W13 virus is a .COM file infector that doesn't do much except for infect files. The virus was isolated in December 1989 in Poland. While W13 is based on the Vienna virus, it does not damage files or have some of the other side effects of the Vienna virus. It contains a number of bugs which prevent it from being a good replicator. Known variant(s) of W13 include: W13-B : The original W13 Virus with several bugs fixed. This variants length is 507 bytes instead of 534 bytes. Virus Name: Westwood Aliases: V Status: Rare Discovered: August, 1990 Symptoms: .COM & .EXE growth; TSR; system slowdown; black window; file deletion on Friday The 13ths Origin: Westwood, California, USA Eff Length: 1,819 - 1,829 Bytes Type Code: PRsA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V67+, F-Prot 1.12+, Pro-Scan 2.01+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Westwood Virus was isolated in August, 1990 in Westwood, California. This virus is a substantially altered variant of the Jerusalem B virus, enough so that all anti-virals tested which could detect Jerusalem B were unable to identify it. Like Jerusalem, it infects .COM, .EXE, and overlay files, but not COMMAND.COM. The first time a program infected with the Westwood virus is executed, the virus will install itself memory resident as a low system memory TSR of 1,808 bytes. Interrupts 8 and 21 will be hooked. If the system date happens to be a Friday The 13th, interrupt 22 will also be hooked. After the virus is memory resident, any program which is executed will become infected with the Westwood virus. .COM files will increase by 1,829 bytes with the virus's code located at the beginning of the infected program. .EXE files and overlay files are infected with the virus's code added to the end of the program. .EXE files increase in length by between 1,819 and 1,829 bytes. Unlike most variants of the Jerusalem virus, Westwood does not reinfect .EXE files. Infected systems will experience a system slowdown occurring after the virus has been memory resident for 30 minutes. At this time, the "black window" or "black box" common to the Jerusalem virus will appear on the lower left hand side of the system display. Screen contain around the area of the "box" may be corrupted if screen writes happened to be occurring when the box appeared. On Friday The 13ths, the Westwood Virus will delete any programs that are executed once the virus becomes memory resident. Also see: Jerusalem B Virus Name: Whale Aliases: Mother Fish, Stealth Virus, Z The Whale V Status: Research Discovered: August, 1990 Symptoms: .COM & .EXE growth; decrease in available memory; system slowdown; video flicker; slow screen writes; file allocation errors; simulated system reboot Origin: Hamburg, West Germany Eff Length: 9,216 Bytes Type Code: PRhA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V67+, Pro-Scan 2.01+ Removal Instructions: Scan/D, CleanUp V67+, Pro-Scan 2.01+, or Delete infected files General Comments: The Whale Virus was submitted in early September, 1990. This virus had been rumored to exist since the isolation of the Fish 6 Virus in June, 1990. It has been referred to by several names besides Whale, including Mother Fish and Z The Whale. The origin of this virus is subject to some speculation, though it is probably from Hamburg, West Germany due to a reference within the viral code once it is decrypted. The first time a program infected with the Whale Virus is executed, the Whale will install itself memory resident in high system memory but below the 640K DOS boundary. On the author's XT clone, the virus always starts at address 9D90. Available free memory will be decreased by 9,984 bytes. Most utilities which display memory usage will also indicate a value for total system memory which is 9,984 bytes less than what is actually installed. The following text string can be found in memory on systems infected with the Whale virus: "Z THE WHALE". Immediately upon becoming memory resident, the system user will experience the system slowing down. Noticeable effects of the system slowdown include video flicker to extremely slow screen writes. Some programs may appear to "hang", though they will eventually execute properly in most cases since the "hang" is due to the slowing of the system. When a program is executed with the Whale memory resident, the virus will infect the program. Infected programs increase in length, the actual change in length is usually 9,216 bytes. Note the "usually": this virus does occasionally infect a program with a "mutant" which will be a different length. If the file length increase is exactly 9,216 bytes, the Whale will hide the change in file length when a disk directory command is executed. If the file length of the viral code added to the program is other than 9,216 bytes, the file length displayed with the directory command will either the actual infected file length, or the actual infected file length minus 9,216 bytes. Executing the DOS CHKDSK program on infected systems will result in file allocation errors being reported. If CHKDSK /F is executed, file damage will result. The Whale also alters the program's date/time in the directory when the file is executed, though it is not set to the system date/time of infection. Occasionally, Whale will alter the directory entry for the program it is infecting improperly, resulting in the directory entry becoming invalid. These programs with invalid directory entries will appear when the directory is listed, but some disk utilities will not allow access to the program. In these cases, the directory entry can be fixed with Norton Utilities FD command to reset the file date. The Whale occasionally will change its behavior while it is memory resident. While most of the time it only infects files when executed, there are periods of time when it will infect any file opened for any reason. It will also, at times, disinfect files when they are copied with the DOS copy command, at other times it will not "disinfect on the fly". Occasionally, the Whale Virus will simulate what appears to be a system reboot. While this doesn't always occur, when it does occur the Break key is disabled so that the user cannot exit unexpectedly from the execution of the system's AutoExec.Bat file. If the AutoExec.Bat file contained any software which does file opens of other executable programs, those opened executable programs will be infected at that time if they were not previously infected. Typically, files infected in this manner will increase by 9,216 bytes though it will not be shown in a directory listing. A hidden file may be found in the root directory of drive C: on infected files. This file is not always present, the virus will sometimes remove it, only to recreate it again at a later time. The name of this hidden file is FISH-#9.TBL, it contains an image of the hard disk's partition table along with the following message: "Fish Virus #9 A Whale is no Fish! Mind her Mutant Fish and the hidden Fish Eggs for they are damaging. The sixth Fish mutates only if the Whale is in her Cave." After the discovery of this hidden file, the author of this document made several attempt to have the Fish 6 Virus mutate by introducing it and Whale into a system. Under no circumstances did a mutation of either virus result, the resultant files were infected with both an identifiable Fish 6 infection and a Whale infection. Whale is hostile to debuggers and contains many traps to prevent successful decryption of the virus. One of its "traps" is to lock out the keyboard if it determines a debugger is in use. Virus Name: Wisconsin Aliases: Death To Pascal V Status: Rare Discovered: September, 1990 Symptoms: .COM growth; Message; Write Protect Errors; .PAS files disappear; file date/time changes Origin: Wisconsin, USA Eff Length: 825 Bytes Type Code: PNC - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V67+, Pro-Scan 2.01+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Wisconsin Virus was received in September, 1990. The origin of the sample was Wisconsin, which is where its name came from. It is also reported to have been isolated at about this same time in California. Wisconsin is a non-resident infector of .COM files, but it does not infect COMMAND.COM. When a program infected with the Wisconsin Virus is executed, the virus will alter the date and time of the program being executed to the current system date and time. The Wisconsin Virus will then infect one other .COM file in the current directory. Infected files will increase in length by 825 bytes, with the viral code located at the beginning of the file. If an attempt is made to execute a program infected with the Wisconsin virus from a write-protected diskette, a write protect error will occur. This virus does not intercept this error. Infected programs may display the following message: "Death to Pascal." When this message is displayed, any .PAS files located in the current directory will be deleted. This message cannot be seen in infected files as it is encrypted. Virus Name: Wolfman Aliases: V Status: Rare Discovered: July, 1990 Symptoms: TSR; .COM & .EXE growth Origin: Taiwan Eff Length: 2,064 Bytes Type Code: PRsAK - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V66+, Pro-Scan 2.01+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Wolfman Virus was discovered in Taiwan in July, 1990. It is a memory resident generic infector of .COM and .EXE files, including COMMAND.COM. The first time a program infected with the Wolfman Virus is executed, the virus will install itself memory resident as a TSR with 2 blocks of memory reserved. The first block of memory reserved is 68,032 bytes in length, the second block of reserved memory is 4,544 bytes in length. The total 72,640 bytes of memory is in low system memory, and available free memory is decreased by a corresponding amount. The virus hooks interrupts 09, 10, 16, 21, 2F, ED, and F5. Once the virus is memory resident, the virus will infect any .COM or .EXE file which is executed if the pre-infection file length is greater than or equal to 2,064 bytes. Infected files increase in length by 2,064 bytes. .COM files which are infected will have the virus's code located at the beginning of the .COM file, .EXE files will have the virus located at the end. It is unknown when Wolfman activates, or if it is destructive. Virus Name: Yankee Doodle Aliases: TP44VIR, Five O'clock Virus V Status: Common - Europe Discovered: September, 1989 Symptoms: .COM & .EXE growth, melody @ 5 p.m. Origin: Austria or Bulgaria Eff Length: 2,885 or 2,899 Bytes Type Code: PRsA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V42+, F-Prot, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: CleanUp V64+, Scan/D, VirClean, F-Prot, or delete infected files General Comments: The Yankee Doodle virus was isolated by Alexander Holy of the North Atlantic Project in Vienna, Austria, on September 30, 1989. It was also isolated in Bulgaria shortly thereafter, where it is known as TP44VIR. This virus is a parasitic virus which infects both .COM and .EXE files, and installs itself memory resident. After installing itself memory resident, it will play Yankee Doodle on the system speaker at 17:00. Infected programs will be increased in length by 2,899 bytes. Other than being disruptive by playing Yankee Doodle, this virus currently does nothing else harmful besides infecting files. As a side note, some variants of the Yankee Doodle Virus will seek out and modify Ping Pong viruses, changing them so that they self- destruct after 100 infections. Known variants of the Yankee Doodle Virus are: TP33VIR - This variant disables interrupts 1 and 3, thus interfering with using debuggers to isolate it. The behavior of the virus also has been changed so that it infected programs will play Yankee Doodle at 5PM. The second to the last byte in infected files is the virus's "version number", in the case of TP33VIR, it is 21h (33 in hex). TP34VIR - Similar to TP33VIR, except that this variant is memory resident, and infects programs as they are executed. The second to the last byte in infected files is 22h. TP38VIR - Similar to TP34VIR, except that .COM and .EXE files are handled in a different way, and this variant will disinfect itself if it is loaded with CodeView active in memory. The second to the last byte in infected files is 26h. TP38VIR was first isolated in Bulgaria in July 1988, and is the oldest virus known in Bulgaria. TP41VIR - Similar to TP38VIR, except the second to the last byte in infected files is 29h. TP42VIR - This variant of Vacsina tests to determine if the system is infected with the Ping Pong virus, and if it is, will attempt to disable the Ping Pong virus by modifying it. The second to the last byte in infected files is now 2Ah. TP44VIR - Similar to TP42VIR, the second to the last byte of infected files is 2Ch. TP45VIR - Similar to TP44VIR, the second to the last byte of infected files is 2Dh. TP46VIR - Similar to TP45VIR, except that this variant can detect and kill the Cascade (1701) Virus. The second to the last byte of infected files is now 2Eh. Yankee Doodle-B: Very similar to the Yankee Doodle virus, except the length of the viral code is 2,772 bytes. Also see: Vacsina Virus Name: Yankee 2 Aliases: Yankee Virus, Yankee-go-Home, 1961 V Status: Endangered Discovered: September, 1989 Symptoms: .EXE growth, Yankee Doodle Origin: Bulgaria Eff Length: 1,961 Bytes Type Code: PNE - Parasitic Non-Resident .EXE Infector Detection Method: ViruScan V62+, Virex PC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: Scan/D, or delete infected files General Comments: The Yankee 2, or Yankee Virus, was isolated in Bulgaria in 1989. Unlike the Yankee Doodle Virus, the Yankee 2 Virus is not memory resident. It also only infects .EXE files, adding 1,961 bytes to their length. The virus will attempt to infect an .EXE file in the current directory whenever an infected program is executed. If it is successful in locating an uninfected .EXE file, and infects it, Yankee Doodle will be played on the system speaker. Infected files will have the hex string '6D6F746865726675636B6572' at the end. The Yankee 2 Virus will not infect CodeView. Known variant(s) of the Yankee 2 virus are: 1624 - This variant is similar to Yankee 2 in function, the major change is that its effective length is 1,624 bytes. Virus Name: Yukon Overwriting Aliases: V Status: New Discovered: January, 1991 Symptoms: Divide Overflow errors; Beginning of Programs Overwritten Origin: Canada Eff Length: 151 Bytes Type Code: ONCK - Overwriting Non-Resident .COM Infector Detection Method: Removal Instructions: Delete infected files General Comments: The Yukon Overwriting Virus was isolated in January, 1991 in Canada. This virus is a non-resident overwriting virus that infects .COM files, including COMMAND.COM. When a program infected with the Yukon Overwriting Virus is executed, the virus will infect all .COM programs in the current directory. Infected programs will have the first 151 bytes of the program overwritten with the virus. Their date and time in the disk directory will not be altered in the process of infection. After infecting all of the .COM files in the current directory, the program the user was attempting to execute will fail with a Divide Overflow error. Infected programs can be easily identified because the text string Divide Overflow$ will be located beginning at offset 87h within the infected program. Programs infected with the Yukon Overwriting Virus cannot be disinfected as the portion overwritten by the virus is not stored. Infected programs must be deleted and replaced with uninfected copies. Virus Name: Zero Bug Aliases: Palette, 1536 V Status: Endangered Discovered: September, 1989 Symptoms: .COM growth (see text), TSR, graphics display Origin: Netherlands Eff Length: 1,536 bytes Type Code: PRsC - Parasitic Resident .COM Infector Detection Method: Viruscan/X V67+, F-Prot, Pro-Scan 1.4+, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: Scan/D/X, CleanUp V66+, F-Prot, Pro-Scan 1.4+, VirHunt 2.0+, or delete infected files General Comments: The Zero Bug virus was first isolated in the Netherlands by Jan Terpstra in September, 1989. This virus is a memory resident .COM file infector. Infected .COM files will increase in size by 1,536 bytes, however the increase in file length will not show up when the disk directory is displayed. The virus's main objective is to infect the copy of COMMAND.COM indicated by the environment variable COMSPEC. If COMSPEC doesn't point to anything, the Zero Bug virus will install itself memory resident using INT 21h. After the virus has either infected COMMAND.COM or become memory resident, it will infect all .COM files that are accessed, including those accessed by actions such as COPY or XCOPY. Any .COM file created on an infected system will also be infected. If the currently loaded COMMAND.COM is infected, the virus will hook into the timer interrupt 1Ch, and after a certain amount of time has past, a smiley face character (ASCII 01) will appear and eat all the zeros it can find on the screen. The virus does not delete files or format disks in its present form. Virus Name: ZeroHunt Aliases: Minnow, Stealth V Status: Research Discovered: December, 1990 Symptoms: Internal changes to COM files Origin: USA Eff Length: 416 Bytes Type Code: PRCK - Parasitic Overwriting .COM Infector Detection Method: Viruscan V72+, Pro-Scan 2.01+ Removal Instructions: Scan/D, Pro-Scan 2.01+, or Delete infected files General Comments: The ZeroHunt, or Minnow, Virus was submitted in December, 1990 by Paul Ferguson of Washington, DC. ZeroHunt is a memory resident overwriting infector of COM files, including COMMAND.COM. This virus is classified as a Stealth Virus. When the first program infected with the ZeroHunt Virus is executed, the virus will install itself memory resident in the command environment area. It occupies approximately 200 bytes of memory and hooks a number of interrupts, including interrupt 21 by remapping. Once ZeroHunt is memory resident, it waits for a COM file to be openned or executed which contains 416 or more bytes of 00h characters. These characters usually are stack space in the file, and most commonly occur in EXE files which have been converted to COM files. If the candidate COM file contains enough 00h characters, ZeroHunt will infect the file by writing its viral code over the first 416 bytes of the 00h characters. ZeroHunt then alters the first four bytes of the newly infected file so that upon execution its viral code will execute first. Like other Stealth class viruses, ZeroHunt will disinfect the file on the fly, so that the virus cannot be detected in files if it is memory resident. Since infected files have been infected internally by over- writing stack space, there will be no change in infected file length. ZeroHunt carries no activation criteria at the present time, it just replicates. ------------------------------------------------------------------------------- Virus Information Summary List Virus Common Name Cross-Reference The following is a cross-reference of common virus names back to the name they are listed by in the virus information section. Hopefully, this cross-reference will alleviate some confusion when different anti-viral software packages refer to different names for the same virus. Virus Name Refer To Virus(es) In VirusSum.Doc: ---------------------- ----------------------------------------------- @ Virus Turbo 448 62-B Vienna 100 Years Virus 4096 163 COM Virus Tiny Virus 217 Polish 217 333 Kennedy 382 382 Recovery Virus 382 Recovery Virus 382 Recovery Virus 405 405 437 VFSI 453 RPVS 500 Virus Golden Gate 505 Burger 509 Burger 512 512 512-A 512 512-B 512 512-C 512 512-D 512 512 Virus Friday The 13th COM Virus 529 Polish 529 541 Burger 623 VHP2 632 Saratoga 637 Vcomm 642 Icelandic 646 646 648 Vienna 765 Perfume 867 Typo COM 903 903 944 Dot Killer 1008 1008 1022 Fellowship 1024-B Nomenklatura 1168 Datacrime-B 1210 1210 1226 1226 1226D 1226D 1226M 1226D 1253 1253 1260 1260 1280 Datacrime 1374 Little Pieces 1381 Virus 1381 Virus 1392 1392 1514 Datacrime II 1536 Zero Bug 1539 Christmas Virus 1554 1554 1559 1554 1575 1575 1575-B 1575 1577 1575 1591 1575 1605 1605 1624 Yankee 2 1701 Cascade 1704 Cascade, Cascade-B 1704 Format 1704 Format 1704-B Cascade B 1720 1720 17Y4 Cascade 1808 Jerusalem 1813 Jerusalem 1917 Datacrime IIB 1961 Yankee 2 1971 Eight Tunes 2080 Fu Manchu 2086 Fu Manchu 2100 V2100 2131 2131 2576 Taiwan 4 2930 Traceback II 2930-B Traceback II 3012 Plastique 3066 Traceback 3066-B Traceback 3066-B2 Traceback 3551 SysLock 3555 SysLock 3880 Itavir 4096 4096 4096-B 4096 4096-C 4096 4711 Perfume 4870 Overwriting 4870 Overwriting 5120 5120 8920 Print Screen 909090h Virus Burger 9800:0000 Virus 1554 A-204 Jerusalem B Advent Syslock AIDS AIDS AIDS II AIDS II AirCop AirCop Akuku Akuku Alabama Alabama Alameda Alameda Ambulance Car Ambulance Car Amoeba Virus 1392 Amstrad Amstrad Anarkia Jerusalem B Anarkia-B Jerusalem B Anthrax Anthrax AntiCad 1253 Anti-Pascal Anti-Pascal Anti-Pascal 400 Anti-Pascal II Anti-Pascal 440 Anti-Pascal II Anti-Pascal 480 Anti-Pascal II Anti-Pascal 529 Anti-Pascal Anti-Pascal 605 Anti-Pascal Anti-Pascal II Anti-Pascal II AP-400 Anti-Pascal II AP-440 Anti-Pascal II AP-480 Anti-Pascal II AP-529 Anti-Pascal AP-605 Anti-Pascal April 1st Suriv 1.01 April 1st-B Suriv 2.01 Arab Star Jerusalem B Armagedon Armagedon Armagedon The First Armagedon Armagedon The Greek Armagedon Ashar Ashar Attention! Attention! Austrian Vienna Basic Virus 5120 Best Wish Best Wishes Best Wishes Best Wishes Best Wishes B Best Wishes Black Avenger Dark Avenger Black Friday Jerusalem Black Monday Black Monday Blackjack Cascade-B Blood Blood Blood 2 Blood Bloody! Bloody! Boot Ping Pong-B Bouncing Ball Ping Pong Bouncing Dot Ping Pong Brain Brain Burger Burger C-605 Anti-Pascal Carioca Carioca Cascade Cascade Cascade-B Cascade-B Casper Casper Century Virus 4096 Chaos Chaos Choinka Father Christmas Christmas In Japan Christmas In Japan Christmas Violator Violator B4 Christmas Virus Christmas Virus CIA Burger Columbus Day Datacrime, Datacrime II, Datacrime IIB, Datacrime-B COM Virus Friday The 13th COM Virus Computer Ogre Disk Killer Cookie Cookie Cunning Cascade Cursy Cursy Dark Avenger Dark Avenger Dark Avenger-B Dark Avenger Dark Avenger II V2000 Dark Avenger III V1024 Datacrime Datacrime Datacrime II Datacrime II Datacrime IIB Datacrime IIB Datacrime-B Datacrime-B DataLock DataLock DataLock 1.00 DataLock DBase DBase DBF Virus DBase Dead Kennedy Kennedy Death To Pascal Wisconsin December 24th Icelandic-III Den Zuk Den Zuk Destructor Destructor V4.00 Destructor V4.00 Destructor V4.00 Devil's Dance Devil's Dance Diana Dark Avenger Die Young Virus V2000 Dir Virus Dir Virus Discom Discom Disk Crunching Virus Icelandic, Saratoga Disk Killer Disk Killer Disk Ogre Disk Killer Do-Nothing Virus Do-Nothing Virus Donald Duck Stoned DOS-62 Vienna DOS-68 Vienna Durban Saturday The 14TH Dyslexia Solano 2000 Dyslexia 2.00 Solano 2000 Dyslexia 2.01 Solano 2000 EB 21 Print Screen Eddie Dark Avenger Eddie Virus Dark Avenger Eddie 3 V651 EDV EDV Eight Tunes Eight Tunes European Fish Viruses Fish Virus Evil Evil Evil-B Evil F-Word Virus F-Word Virus Fall Cascade Falling Letters Cascade, Ping Pong-B Falling Letters Boot Swap Boot Father Christmas Father Christmas Fellowship Fellowship Fish 6 Fish Virus Fish Virus Fish Virus Five O'Clock Virus Yankee Doodle Flash Flash Flip Flip Flip B Flip Form FORM-Virus Form Boot FORM-Virus FORM-Virus FORM-Virus Frere Virus Frere Jacques Frere Jacques Frere Jacques Friday 13th Jerusalem Friday 13th COM Virus Friday The 13th COM Virus Friday 13th-B Friday The 13th COM Virus Friday 13th-C Friday The 13th COM Virus FroDo 4096 Fu Manchu Fu Manchu Fuck You F-Word Fumble Typo COM G-Virus V1.3 Sorry Ghost Boot Ghostballs Ghost COM Ghostballs Ghostballs Ghostballs Golden Gate Golden Gate Grither Grither Green Left Virus Groen Links Groen Links Groen Links Guppy Guppy Hahaha AIDS Halloechen Halloechen Happy Birthday Joshi Joshi Happy N.Y. Happy New Year, Happy New Year B Happy New Year Happy New Year Happy New Year Happy New Year B Hawaii Stoned Hebrew University Jerusalem B Hemp Virus Stoned HM2 Plastique Holland Girl Holland Girl Holland Girl 2 Holland Girl 2 Holo Holocaust Holocaust Holocaust Hybrid Hybryd Hybryd Hybryd Hymn Hymn Icelandic Icelandic Icelandic-II Icelandic-II Icelandic-III Icelandic-III Ick IKV 528 IDF Virus 4096 IKV 528 IKV 528 Invader Invader Iraqui Iraqui Warrior Iraqui Warrior Iraqui Warrior Israeli Jerusalem, Suriv 1.01, Suriv 2.01, Suriv 3.00 Israeli Boot Swap Italian Ping Pong Itavir Itavir Jeff Jeff Jerusalem Jerusalem Jerusalem A Jerusalem Jerusalem B Jerusalem B Jerusalem C Jerusalem B Jerusalem D Jerusalem B Jerusalem DC Jerusalem B Jerusalem E Jerusalem B Jerusalem E2 Jerusalem B Jocker Joker JoJo JoJo JoJo 2 JoJo 2 Joker Joker Joshi Joshi July 13TH July 13TH June 16TH June 16TH Kamikazi Kamikazi Kemerovo Kemerovo Kennedy Kennedy Keypress Keypress Korea Korea Kukac Turbo Kukac LBC Boot Korea Leapfrog USSR 516 Lehigh Lehigh Lehigh University Lehigh Lehigh-2 Lehigh Lehigh-B Lehigh Leprosy Leprosy Leprosy 1.00 Leprosy Leprosy-B Leprosy Liberty Liberty Liberty-B Liberty Liberty-C Liberty Lisbon Lisbon Little Pieces Little Pieces Live after Death Virus V800 Lozinsky Lozinsky Mardi Bros Mardi Bros Marijuana Stoned Mazatlan Golden Gate Merritt Alameda Mendoza Jerusalem B Mexican Devil's Dance MG MG MG-2 MG-2 MG-3 MG-2 MGTU MGTU Miami Friday The 13th Microbes Microbes Minnow ZeroHunt Mirror Mirror Mistake Typo Boot MIX1 MIX1 MIX/1 MIX1 Mix1 MIX1 Monxla Monxla Monxla B Monxla B Mother Fish Whale Munich Friday The 13th COM Virus Murphy Murphy Murphy-1 Murphy Murphy-2 Murphy Music Boot MusicBug Music Bug MusicBug Music Virus Oropax MusicBug MusicBug Musician Oropax New Jerusalem New Jerusalem New Zealand Stoned News Flash Leprosy Nina Nina Nomenclature Nomenklatura Nomenklatura Nomenklatura Number 1 Number One Number of the Beast 512 Virus Number One Number One Ogre Disk Killer Ohio Ohio One In Eight Vienna One In Ten Icelandic, Icelandic-II One In Two Saratoga Ontario Ontario Oropax Oropax Oulu 1008 P1 Evil, Phoenix, PhoenixD, Proud Pakistani Brain Pakistani Brain Brain Palette Zero Bug Paris Paris Parity Parity Park ESS Jerusalem B Payday Payday Peking Alameda Pentagon Pentagon Perfume Perfume Phoenix Phoenix PhoenixD PhoenixD Ping Pong Ping Pong Ping Pong-B Ping Pong-B Ping Pong-C Ping Pong-C Pixel Amstrad Plastique Plastique Plastique 1 Plastique Plastique 2 Plastique-B Plastique 4.51 Plastique Plastique 5.21 Plastique-B Plastique Boot Invader Plastique-B Plastique-B PLO Jerusalem Point Killer Dot Killer Polimer Polimer Polimer Tapeworm Polimer Polish 217 Polish 217 Polish 217 B Polish 217 Polish 529 Polish 529 Polish 583 Polish 583 Polish 961 Stone`90 Polish Stupid Polish 217 Polish-2 Turbo 448, Turbo Kukac Pretoria June 16TH Print Screen Print Screen Print Screen-2 Print Screen Proud Proud PRTSC Virus Print Screen Prudents Virus 1210 PSQR Virus 1720 Puerto Jerusalem B Red Diavolyata Red Diavolyata RedX Ambulance Car Rostov Stoned RPVS RPVS RPVS-B RPVS Russian Jerusalem Saddam Saddam San Diego Stoned Saturday The 14th Saturday The 14th Saratoga Saratoga Saratoga 2 Icelandic Scott's Valley Scott's Valley Seoul Alameda Sentinel Sentinel Sex Revolution v1.1 Stoned Sex Revolution v2.0 Stoned SF Virus SF Virus Shake Virus Shake Virus Shoe_Virus Ashar Shoe_Virus-B Ashar-B Skism-1 Jerusalem B Slow Slow Slowdown Slow Smithsonian Stoned Solano 2000 Solano 2000 Sorry Sorry South African Friday The 13th COM Virus Spyer Spyer Stealth Viruses EDV, Fish, Holocaust, Joshi, Murphy, V651, V800, V1024, V2000, V2100, ZeroHunt, 512, 4096 Stone`90 Stone`90 Stone-90 Stone`90 Stoned Stoned Stoned II Stoned Stoned-B Stoned Stoned-C Stoned Stoned-D Stoned Stoned-E Stoned Stoned-F Stoned Stupid Virus Do-Nothing Subliminal 1.10 Subliminal 1.10 Sunday Sunday Sunday-B Sunday Sunday-C Sunday Suomi 1008 Suriv 1.01 Suriv 1.01 Suriv 2.01 Suriv 2.01 Suriv 3.00 Suriv 3.00 Suriv A Suriv 1.01, Suriv 2.01 Suriv B Suriv 3.00 Suriv01 Suriv 1.01 Suriv02 Suriv 2.01 Suriv03 Suriv 3.00 SVC V4.00 USSR 1689 Sverdlov Sverdlov SVir SVir SVir-A SVir SVir-B SVir Swap Swap Swedish Disaster Swedish Disaster Swiss 143 Swiss 143 Sylvia Holland Girl Sylvia 2 Holland Girl 2 SysLock Syslock System Virus Icelandic-II Taiwan Taiwan Taiwan 2 Taiwan Taiwan 3 Taiwan 3 Taiwan 4 Taiwan 4 Taiwan-B Taiwan Tannenbaum Christmas Virus Taunt AIDS Ten Bytes 1554 The Plague The Plague Time Monxla Time B Monxla B Tiny Family Tiny Family Tiny Virus Tiny Virus Tiny 134 Virus Tiny Family Tiny 138 Virus Tiny Family Tiny 143 Virus Tiny Family Tiny 154 Virus Tiny Family Tiny 156 Virus Tiny Family Tiny 158 Virus Tiny Family Tiny 159 Virus Tiny Family Tiny 160 Virus Tiny Family Tiny 163 Virus Tiny Virus Tiny 169 Virus Tiny Family Tiny 198 Virus Tiny Family Toothless Virus W13 TP04VIR Virus Vacsina TP05VIR Virus Vacsina TP06VIR Virus Vacsina TP16VIR Virus Vacsina TP23VIR Virus Vacsina TP24VIR Virus Vacsina TP25VIR Virus Vacsina TP33VIR Virus Yankee Doodle TP34VIR Virus Yankee Doodle TP38VIR Virus Yankee Doodle TP41VIR Virus Yankee Doodle TP42VIR Virus Yankee Doodle TP44VIR Virus Yankee Doodle TP45VIR Virus Yankee Doodle TP46VIR Virus Yankee Doodle Traceback Traceback Traceback II Traceback II Traceback II-B Traceback II Traceback-B Traceback Traceback-B2 Traceback Travel Virus V2000 Turbo @ Turbo 448 Turbo 448 Turbo 448 Turbo Kukac Turbo Kukac Turbo Kukac 9.9 Turbo Kukac Typo Boot Typo Boot Typo COM Typo COM UIUC Virus Ashar UIUC Virus-B Ashar Unesco Vienna UScan Virus V2100 USSR USSR USSR 257 Kemerovo USSR 311 USSR 311 USSR 394 Attention! USSR 492 USSR 492 USSR 516 USSR 516 USSR 600 USSR 600 USSR 707 USSR 707 USSR 711 USSR 711 USSR 830 Red Diavolyata USSR 948 USSR 948 USSR 1049 USSR 1049 USSR 1689 USSR 1689 USSR 2144 USSR 2144 V-1 1253 V-277 Amstrad V-299 Amstrad V-311 USSR 311 V-345 Amstrad V-847 Amstrad V-847B Amstrad V-852 Amstrad V-Alert 1554 V605 Anti-Pascal V651 V651 V800 V800 V800M V800 V920 DataLock V1024 V1024 V1226 1226 V1226D 1226D V1226M 1226D V1277 Murphy V1302 Proud V1521 Murphy V1600 Happy New Year V1701New Evil V1701New-B Evil V2000 V2000 V2000-B V2000 V2100 V2100 V2P1 1260 V2P2 V2P2 V2P6 V2P6 V2P6Z V2P6Z Vacsina Vacsina VBasic Virus 5120 Vcomm Vcomm Vera Cruz Ping Pong VFSI VFSI VGA2CGA AIDS VHP VHP VHP2 VHP2 VHP-348 VHP VHP-353 VHP VHP-367 VHP VHP-435 VHP VHP-623 VHP2 VHP-627 VHP2 Victor Victor Vien6 Vienna Vienna Vienna Vienna C 646 Vienna-B Vienna Vienna-B 645 Vienna Violator Violator Violator B4 Violator B4 Violator Strain B Violator Violator Strain B4 Violator B4 VirDem VirDem VirDem 2 VirDem Virus-90 Virus-90 Virus-B Friday The 13th COM Virus Virus101 Virus101 Voronezh Voronezh Voronezh B Voronezh VP VP W13 W13 W13-A W13 W13-B W13 Westwood Westwood Whale Whale Wisconsin Wisconsin Wolfman Wolfman XA1 Christmas Tree Xmas In Japan Christmas In Japan Yale Alameda Yankee 2 Yankee 2 Yankee Doodle Yankee Doodle Yankee Virus Yankee 2 Yankee-go-Home Yankee 2 Yukon Overwriting Yukon Overwriting Z The Whale Whale Zero Bug Zero Bug ZeroHunt ZeroHunt ------------------------------------------------------------------------------- Virus Information Summary List Virus Relationship Chart 512 Virus --> 512-B --> 512-C --> 512-D 1226 --> 1226M --> 1226D 4096 --> 4096-B --> 4096-C --> Fish --> Whale Alameda --> Alameda-2 --> Golden Gate --> Golden Gate-B --> Golden Gate-C --> SF Virus Anti-Pascal --> AP-529 --> AP-400 --> AP-440 --> AP-480 Note: AP-480, AP-440, and AP-400 are grouped together in the listing as Anti-Pascal II Blood --> Blood2 Brain --> Ashar --> Clone --> Chaos --> EDV Cascade/1701 --> 1701-B --> 1704 --> 1704 Format --> 1704-B --> 17Y4 --> Cunning Datacrime --> Datacrime-B --> Datacrime II --> Datacrime IIB Do-Nothing --> Saddam Fri 13th COM --> Fri 13th-B --> Fri 13th-C --> Virus-B Happy New Year --> Happy New Year B HM2 --: --> Plastique COBOL --> Plastique --> Plastique 4.21 --> Plastique 5.21 Jerusalem B --: : V Invader Holland Girl --> Holland Girl 2 Icelandic --> Saratoga --> Iceland II --> Icelandic III --> Dec 24th --> Mix1 --> Mix1-B JoJo --> JoJo 2 Kennedy --> Tiny 163 Leprosy --> Leprosy-B --> The Plague MG --> MG-2 --> MG-3 Murphy-1 --> Murphy-2 Ohio --> Den Zuk Perfume --> Sorry Phoenix --> PhoenixD --> Evil-B --> Evil Ping Pong --> Ping Pong-B --> Ping Pong-C --> Big Italian --> Typo --> Print Screen --> Print Screen-2 --> Ghostballs Pixel --> Amstrad --> V-847B --> V-852 --> V-345 --> V-299 --> V-277 Polish 217 --> Polish 217 B Stoned --> Stoned-B --> Rostov --> Sex Revolution v1.1 --> Sex Revolution v2.0 --> Stoned-C --> Stoned-D --> Stoned-E --> Stoned-F --> Stoned II Suriv 3.00 --> Jerusalem --> Fu Manchu --> Taiwan 3 --> Jerusalem B --> New Jerusalem --> Payday --> Sunday --> Sunday-B --> Sunday-C --> Jerusalem C --> Jerusalem D --> Jerusalem E --> Jerusalem F (Spanish) --> 1720/PSQR --> 1210/Prudents --> Frere Jacques --> Anarkia --> Anarkia-B --> Slow --> Westwood --> 1605 --> Park ESS --> Skism-1 --> (also see HM2 above) --> Discom Syslock --> Macho --> Macho-B --> Advent --> Cookie Tiny-198 --> Tiny-167 --> Tiny-160 --> Tiny-159 --> Tiny-158 --> Tiny-156 --> Tiny-154 --> Tiny-143 --> Tiny-138 --> Tiny-134 --> Tiny-133 Note: The Tiny-nnn Viruses indicated above are grouped together in the listing as "Tiny Family". The Tiny-163 virus is not related to the above group of viruses. Traceback II --> Traceback --> Traceback-B --> Traceback-B2 --> Traceback II-B V1024 --> Dark Avenger --> V651 --> V800 --> V800M --> V2000 --> V2000-B --> V2100 Vienna --> Father Christmas --> Lisbon --> Ghostballs --> 1260 --> V2P2 --> Casper --> V2P6 --> V2P6Z --> W13/V-534 --> W13-B/V-507 --> Wien (Poland) --> Vien6 --> Vienna-B --> Vienna-B 645 --> Violator --> Violator B4 --> Grither --> VHP-348 --> VHP-353 --> VHP-367 --> VHP-435 --> VHP-623 --> VHP-627 --> Iraqui Warrior Note: VHP-348, VHP-353, VHP-367, and VHP-435 are listed as VHP. VHP-623 and VHP-627 are listed as VHP2. Virus-90 --> Virus101 ------------------------------------------------------------------------------- Virus Information Summary List Revision History 14 February, 1991 - VSUM9102.ZIP The following virus descriptions have been updated, or new variants added: 4096 - 4096-C Variant Aids - Aids B Variant Flip - Flip B Variant Liberty - Clarificiation to entry, change to Liberty B identification string for use with Scan. - Liberty B Variant Paris - Update to description Plastique - Plastique COBOL Variant Polish 217 - Polish 217 B Variant Stoned - rewrote entry & merged in Stoned II entry - Rostov Variant - Sex Revolution v1.1 Variant - Sex Revolution v2.0 Variant - Stoned E Variant - Stoned F Variant USSR 1689 - Added SVC V4.00 alias The following new viruses have been added to the listing: 903 1575 - 1575 Virus - 1575-B Variant 4870 Overwriting Akuku Cookie Destructor V4.00 Dir Virus Discom Grither Happy New Year - Happy New Year - Happy New Year B Variant Holland Girl 2 Hybryd IKV 528 Iraqui Warrior JoJo 2 Little Pieces/1374 MG MG-2 - MG-2 - MG-3 Variant Monxla B Nina Parity Saddam Sentinel Swedish Disaster Swiss 143 The Plague USSR 311 USSR 492 Violator B4 Yukon Overwriting Information for the following anti-viral products has been added or updated: Pro-Scan - additional disinfection updates for version 2.01 Clean-Up - updated for version V74 ViruScan - updated for version V74 08 January, 1991 - VSUM9101.ZIP The following virus descriptions have been updated, or new variants added: 4096 - additional information added Flip - additional information added Invader - correction to Type Code Jerusalem B - Skism-1 Variant Nomenklatura - additional damage information added Plastique - additional information, activation data Plastique B - additional information, activation data Tiny Family - Tiny 133 Variant The following new viruses have been added to the listing: Attention! Best Wishes - Best Wishes - Best Wishes B Bloody! F-Word Virus Holocaust Hymn Jeff Kemerovo Lozinsky MGTU MusicBug Polish 583 Red Diavolyata Stone`90/Polish 961 Sverdlov USSR 516 USSR 600 USSR 707 USSR 711 USSR 948 USSR 1049 USSR 1689 USSR 2144 Voronezh - Voronezh - Voronezh B ZeroHunt Information for the following anti-viral products has been added or updated: Clean-Up - updated for version V72 Pro-Scan - updated for version 2.01 ViruScan - updated for version V72 03 December, 1990 - VSUM9013.ZIP (Not publicly distributed.) Pro-Scan Version 2.0 has not been added to the listing. 02 December, 1990 - VSUM9012.ZIP The following virus descriptions have been updated, or new variants added: Burger - 505 Variant - 509 Variant - 541 Variant - CIA Variant Christmas - Tannenbaum alias added Kennedy - 333 alias added Leprosy - News Flash alias added Liberty - Liberty-B Variant Slow - Updated for file length increases, Slowdown alias added Wisconsin - Updated for file date/time change VirDem - VirDem 2 Variant Virus-90 - Added description submitted by P. Toulme Virus101 - Added description submitted by P. Toulme Yankee 2 - Yankee-go-Home alias added - 1624 variant added The following new viruses have been added to the listing: 646 Carioca DataLock Dot Killer Father Christmas Groen Links Keypress Mirror Monxla Polimer Polish 217 Polish 529 Spyer Taiwan 4/2576 Turbo 448 Turbo Kukac USSR Information for the following anti-viral products/programs have been added/updated with this release: Clean-Up - McAfee Associates' Clean-Up Disinfector, Vers V71 Pro-Scan - McAfee Associates' Pro-Scan Anti-Viral, Vers. 2.0 VirHunt - Digital Dispatch, Inc.'s VirHunt Anti-Viral, Vers 2.0 Note: boot sector disinfection not tested ViruScan - McAfee Associates' ViruScan Detector, Vers V71 Removed the following anti-viral products for the reason indicated: M-1704 - replaced by McAfee Associates' Clean-Up M-1704C - replaced by McAfee Associates' Clean-Up M-DAV - replaced by McAfee Associates' Clean-Up M-JRUSLM - replaced by McAfee Associates' Clean-Up M-Vienna - replaced by McAfee Associates' Clean-Up 02 November, 1990 - VSUM9011.ZIP The following virus descriptions have been updated, or new variants added: Amstrad - V852 Variant Anthrax - Updated information Jerusalem B - Park ESS Variant Tiny Family - Tiny 134 Variant - Tiny 138 Variant - Tiny 143 Variant - Tiny 154 Variant - Tiny 156 Variant V2100 - Updated information The following new viruses have been added to the listing: Guppy Proud/V1302 VFSI 05 October, 1990 - VSUM9010.ZIP [Note: There was no VSUM9009 release.] The following virus descriptions have been updated, or new variants added: 512 - Clarification of why file damage may occur 1008 - Origin information, Suomi alias 4096 - FroDo alias Anti-Pascal - correction to indicated text string Cascade - 17Y4 Variant Dark Avenger- Dark Avenger-B Variant EDV - Added Cursy alias and activation information Evil - previously in VSUM9008 as V1701New and V1701New-B Flash - Symptom and activation information FORM-Virus - Activation information Jerusalem B - Jerusalem DC Variant Leprosy - Leprosy-B Variant Paris - rename of virus listed as TCC in VSUM9008 Syslock - Advent Variant Taiwan - Taiwan-B Variant Tiny Virus - Origin information The following new viruses have been added to the listing: 1605 Black Monday Blood - Blood Variant - Blood2 Variant Burger Casper Christmas In Japan Invader Kamikazi Nomenklatura Number One Scott's Valley Stoned II SVir - SVir-A Variant - SVir-B Variant Westwood Whale V2P2 V2P6 V2P6Z Violator Wisconsin The following entries in the cross-reference have been corrected: 1226D - incorrectly pointed to V1226D instead of 1226D 1226M - incorrectly pointed to V1226D instead of 1226D Brain - missing from VSUM9008 cross-reference Information for the following anti-viral products/programs have been added/updated with this release: CleanUp - McAfee Associates' CleanUp Disinfector, Version V67 AVTK - Dr. Solomon's Anti-Viral Toolkit, Version 3.5 F-Prot - Fridrik Skulason's F-Prot, Version 1.12 VirexPC - MicroCom's Virex PC, Version 1.10B ViruScan - McAfee Associates' ViruScan Detector, Version V67 [Note: For ViruScan, as of version V67, any viruses which now require the /X command line parameter to be used have been indicated under Detection Method.] The following viruses have not been added to the listing at this time for the reason indicated: Big Italian - No Sample Available TP43Vir - Sample does not replicate. Doom2 - Unable to get samples to replicate. 10 August, 1990 - VSUM9008.ZIP The following virus descriptions have been updated, or new variants added: 1720 - Activation information added Anti-Pascal - Anti-Pascal 529/AP-529 Variant Sunday - Sunday-B Variant - Sunday-C Variant Tiny Virus - previously in VSUM9007 as 163 COM Virus Traceback - Traceback-B Variant - Traceback-B2 Variant Traceback II - Traceback II-B Variant V800 - V800M Variant Vienna - Vienna-B 645 Variant The following new viruses have been added to the listing: 382 Recovery Virus 1226 - 1226 Virus 1226D - 1226D Variant - 1226M Variant 1253/V-1 AirCop Anthrax Anti-Pascal II - Anti-Pascal 400/AP-400 - Anti-Pascal 440/AP-440 - Anti-Pascal 480/AP-480 Fellowship Flip Leprosy Mardi Bros Ontario Phoenix/P1 PhoenixD/P1 Plastique - HM2 - Plastique - Plastique 4.51 Plastique-B - Plastique 5.21 RPVS/453 - RPVS - RPVS-B Variant TCC Tiny Family - Tiny 158 Virus - Tiny 159 Virus - Tiny 160 Virus - Tiny 167 Virus - Tiny 198 Virus V1701New/P1 - V1701New - V1701New-B (earlier version) V2100 Wolfman Information on the following anti-viral products was updated or added to this release: CleanUp - Version V66 Pro-Scan - Version 1.4 VirexPC - Version 1.1 ViruScan - Version V66 The following viruses have not been included in the listing at this time, for the reason indicated: Advent - No Sample Available Big Italian - No Sample Available Stoned II - No Sample Available 15 July, 1990 - VSUM9007.ZIP Added Virus Relationship Chart section to document, as well as new data field "V Status" to all entries (see introduction and format information for description). The following viruses have been updated, or new variants added: 1554 Amstrad Cascade - Cunning Variant Disk Killer Ghostballs - combined Ghost COM and Ghost Boot Jerusalem B - Puerto Variant Kennedy Lehigh - Lehigh-B Variant Vienna - VHP-627 Variant - Vien6 Variant W13 The following new viruses were added to the listing: 1008 Virus 1381 Virus Ambulance Car Anti-Pascal Virus Armagedon Flash FORM-Virus Joshi July 13th Microbes Print Screen Print Screen - Print Screen-2 Variant Sorry Taiwan 3 V651/Eddie 3 V1024/Dark Avenger 3 VHP - VHP-348 Variant - VHP-353 Variant - VHP-367 Variant - VHP-435 Variant VHP2 - VHP-623 Variant - VHP-627 Variant 15 June, 1990 - VSUM9006.ZIP Many viruses had their descriptions updated, the ones listed below receiving updates for variants or major changes: 163 COM Virus 512 - 512-B Variant - 512-C Variant - 512-D Variant 1554 Virus 4096 - 4096-B Variant Amstrad - Pixel/V-345 Variant - V-277 Variant - V-299 Variant - V-847 Variant - V-847B Variant Jerusalem B - A-204 Variant - Anarkia Variant - Anarkia-B Variant - Mendoza Variant Ping Pong-B - Ping Pong-C Variant Solano 2000 - Dyslexia 2.01 Variant V2000 - V2000-B/Die Young Variant Vacsina - TP04VIR Variant - TP05VIR Variant - TP06VIR Variant - TP16VIR Variant - TP23VIR Variant - TP24VIR Variant - TP25VIR Variant Yankee Doodle - TP33VIR Variant - TP34VIR Variant - TP38VIR Variant - TP41VIR Variant - TP42VIR Variant - TP44VIR Variant - TP45VIR Variant - TP46VIR Variant Vienna - VHP-435 - VHP-623 The Vienna-B variant has been moved under the Vienna entry. The following new viruses were added to the listing: 5120 Eight Tunes Fish Virus Frere Jacques JoJo Liberty Murphy - 2 variants (Murphy-1 and Murphy-2) Shake Virus Slow Subliminal 1.10 V800 Victor VirDem VP Yankee 2 4 May, 1990 - VSUM9005.ZIP (Not publicly distributed.) Added listings for Discovered, Symptoms, Origin, Subdivided memory-resident classes, Aligned data entry blocks, placed files in ASCII order, placed revision history in descending order. Information on the following virii was updated: 1168/Datacrime 1280/Datacrime Kennedy 18 April, 1990 - VSUM9004.ZIP Information on the following viruses was updated: Friday The 13th Original COM Virus Halloechen Jerusalem Jerusalem B Stoned Sunday VComm 4096 The 1559 virus has been renamed to the 1554 virus in order to accurately reflect the virus's effective length. The following new viruses were added to the listing: AIDS II Anarkia (see Jerusalem B) Christmas Virus Itavir June 16TH Kennedy Korea Saturday The 14th Solano 2000 Spanish Jerusalem B (see Jerusalem B) V2000 1210 1392 1720 McAfee Associates' PRO-SCAN commercial anti-viral program, has been added, as well as the information for IBM's VirScan program updated to reflect IBM's March 1990 program release. 22 February, 1990 - Not publicly distributed. Information on the following viruses was updated: Disk Killer The following new viruses were added to the listing: EDV 512 1559 18 February, 1990 - VSUM9003.ZIP Change to Copyright notice to reflect author's full name. Information on the following viruses has been updated: Taiwan 4096 04 February, 1990 - VSUM9002.ZIP Second release of listing, which now includes updated information for the following viruses: Alabama Chaos Den Zuk Datacrime II, Datacrime IIB Do-Nothing Icelandic, Icelandic-II Ohio Saratoga Stoned Swap SysLock Traceback, Traceback II (was 2930 in previous release) Typo Boot The following new Ms-Dos computer viruses were added to the listing: Halloechen Icelandic-III Joker Perfume Vcomm Virus101 W13 1260 15 January, 1990 - VSUM9001.ZIP First release of listing, which contained 52 of 61 known Ms-Dos computer viruses. Of the 9 known viruses which were not completed, they contained very basic information, though no detailed description, those viruses were: Chaos Swap Icelandic Taiwan Icelandic-II Typo Boot Ohio 2930 Saratoga