IBM Aptiva Multimedia Exploration CD

home *** CD-ROM | disk | FTP | other *** search

/ IBM Aptiva Multimedia Exploration CD / Aptiva DEMO CD.iso / dos63 / virinfo.lst < prev next >

Wrap

File List | 1993-12-31 | 100KB | 2,233 lines

Descriptions of some known DOS viruses ______________________________________ This section briefly describes some of the DOS viruses analyzed by IBM. It includes all of the viruses that are widespread in the world as of this writing. It also includes many viruses that are not widespread, but that we have analyzed in order to help stay ahead of the problem. These descriptions are based on IBM's detailed analysis of the code of each virus. Each virus has been carefully tested to verify its actual behavior. All of these viruses can be detected when checking disks and diskettes. Viruses that are similar to these viruses will be detected as well. In many cases, even viruses that are not similar to these will be detected as "suspicious" by IBM AntiVirus/DOS. The Aircop Virus ________________ Name Aircop Alias(es) Virus Family Classification Diskette boot record infector Length of Virus Boot record and one additional hard disk or diskette sector Behavior Summary When booted from an infected diskette, the virus loads into memory and infects diskettes used in A: or B: later. Every eight or so times that it infects a new diskette, it displays the message "RED STATE, Germ offensing --Aircop" (presumably an attempt to say "Condition red, virus attack"). The April 1st COM Virus _______________________ Name April 1st COM Alias(es) April 1st, sURIV 1.01 Virus Family 1813 Classification Resident COM infector Length of Virus Approximately 381 bytes Behavior Summary When an infected program is run, the virus installs itself in memory and any COM files run later become infected. If the date is April 1st of any year, executing any program while the virus is in memory will display the message "APRIL 1ST HA HA HA YOU HAVE A VIRUS", and will hang the machine. If the date is after April 1st, 1988, the message "YOU HAVE A VIRUS" will be displayed whenever any program is executed Because infection is so obvious, this virus is probably extinct. The April 1st EXE Virus _______________________ Name April 1st EXE Alias(es) April 1st, sURIV 2, sURIV 2.01 Virus Family 1813 Classification Resident EXE infector Length of Virus 1488 bytes Behavior Summary This virus infects any EXE files that are run, prints a message on April 1st, and sometimes causes the system to hang on Wednesdays. The Azusa Virus _______________ Name Azusa Alias(es) Virus Family Classification Diskette and hard disk boot infector Length of Virus Boot record only Behavior Summary This virus infects diskette and hard disk master boot record. Sometimes the virus zeros out the BIOS tables for COM and printer ports, making printers and serial ports unavailable. The Bouncing Ball Virus _______________________ Name Bouncing Ball Alias(es) Bouncing Dot, Italian, Ping-Pong, Vera Cruz Virus Family Bouncing Ball Classification Diskette and hard disk boot infector Length of Virus Approximately 975 bytes Behavior Summary This virus infects diskettes and the hard disk partition (non-master) boot record. It sometimes produces a bouncing dot on the screen after booting. The Bouncing Ball / 286 Virus _____________________________ Name The Bouncing Ball / 286 Virus Alias(es) Virus Family Bouncing Ball Classification Diskette and hard-disk boot infector Length of Virus Approximately 975 bytes Behavior Summary This virus infects diskettes and the hard disk partition (non-master) boot record. It sometimes produces a bouncing dot on the screen after booting. The Brain Virus _______________ Name Brain Alias(es) Pakistani, Pakistani Brain, (c) Brain Virus Family Brain Classification Diskette boot infector Length of Virus Boot record and 6 additional sectors on hard disk or diskette Behavior Summary This virus changes some diskette volume labels to "(c) Brain" The Brunswick Virus ___________________ Name Brunswick Alias(es) Virus Family Classification Resident diskette and hard disk master boot infector Length of Virus Boot record and one additional hard disk or diskette sector Behavior Summary When you boot from an infected diskette, it infects the first physical hard disk in the system. When you boot from an infected hard disk or diskette, the virus loads into memory and infects diskettes used in drive A or B later. When booting from an infected hard disk, it sometimes overwrites the master boot record with useless data, rendering the disk unbootable. Also, the data becomes inaccessible without technical help. As well as the intentional damage, on some systems the virus overlays user data and possibly part of the file allocation table when it saves the original boot record in the data section of the hard disk. The Burger-405 Virus ____________________ Name Burger-405 Alias(es) 405 Virus Family Burger Classification COM overwriting virus for IBM DOS Length of Virus Overwrites first 405 bytes of victim Behavior Summary This virus is very buggy, apparently based on a published example. When an infected file is run it overlays the first 405 bytes of every file with an extension of COM in the current directory of various hard disks with a copy of itself. The original (pre infection) program does not run. Running an infected program often hangs the machine or otherwise malfunctions. The Campana Virus _________________ Name Campana Alias(es) Telefonica, Anti-Telefonica, Telefon, ANTI-CTNE Virus Family Campana Classification Resident infector of diskette boot records and hard disk master boot records Length of Virus Boot record and one additional hard disk or diskette sector Behavior Summary When a machine is booted from an infected hard disk or diskette, the virus loads itself into high memory and reduces available memory by 1024 bytes. The machine's hard disk (if any) and any diskettes used in drive A or B while the virus is in memory are infected. After a certain number of boots from an infected hard disk or diskette, the virus writes random data to the boot hard disk or diskette and other hard disks in the system and displays a message beginning with the word "Campana". While the virus is in memory, it intercepts most attempts to read the boot record and returns an image of an uninfected boot record to the program making the request. The Campana-B Virus ___________________ Name Campana-B Alias(es) Telefonica, Anti-Telefonica, Telefon, ANTI-CTNE Virus Family Campana Classification Resident infector of diskette boot records and hard disk master boot records Length of Virus Boot record and one additional hard disk or diskette sector Behavior Summary When a machine is booted from an infected hard disk or diskette, the virus loads itself into high memory and reduces available memory by 1024 bytes. The machine's hard disk (if any) and any diskettes used in drive A or B while the virus is in memory are infected (unless they are already infected with the Stoned virus). After a certain number of boots from an infected hard disk or diskette, the virus writes random data to the boot hard disk or diskette and other hard disks in the system and display a message beginning with the word "Campana". While the virus is in memory, it intercepts most attempts to read the hard disk boot record and returns an image of an uninfected boot record to the program making the request. The Cansu Virus _______________ Name Cansu Alias(es) V-Sign Virus Family Classification Resident diskette and hard disk master boot infector Length of Virus Boot record and 2 additional sectors on hard disk or diskette Behavior Summary When you boot from an infected hard disk or diskette, the virus loads into memory and infects diskettes used in drive A or B later; Also, it infects the first two physical hard disks in the system when they are used. In approximately one-in-eight-boots, the virus displays a V-shaped symbol on the display. The virus does no intentional damage; but, on some systems, it overlays your data and perhaps part of the file allocation table when it writes its two sectors to the data section of the hard disk. The Dark Avenger Virus ______________________ Name Dark Avenger Alias(es) Eddie Virus Family Classification Resident COM and EXE file virus for IBM DOS Length of Virus 1800 bytes in infected COM files; some additional padding bytes in infected EXE files. Behavior Summary When an infected program is run, the virus installs itself in memory. It might infect any EXE or COM file run, opened, renamed, or operated on in some way. So any operation that examines many files can spread the virus very quickly if it is active in memory at the time. Approximately every 16 times an infected program is run, it overwrites a random sector of the disk the program was run from with the string "Eddie lives...somewhere in time!" followed by part of the body of the virus. The DataCrime II Virus ______________________ Name DataCrime II Alias(es) 1514, Columbus Day Virus Family DataCrime Classification Non-resident COM and EXE infector for IBM DOS Length of Virus 1514 bytes in infected COM files; some additional padding bytes in infected EXE files. Behavior Summary This virus spreads between COM files. If an infected program is run between October 13th and December 31st, inclusive, in any year, it will display the message "* DATACRIME II VIRUS", and erase part of the hard disk, rendering data inaccessible. The DataCrime II B Virus ________________________ Name DataCrime II B Alias(es) 1480, Columbus Day Virus Family DataCrime Classification Non-resident COM and EXE infector for IBM DOS Length of Virus 1480 bytes in infected COM files; some additional padding bytes in infected EXE files. Behavior Summary This virus spreads between COM files. If an infected program is run between October 13th and December 31st, inclusive, in any year, it will display the message "* DATACRIME II VIRUS", and erase part of the hard disk, rendering data inaccessible. The DataCrime-1168 Virus ________________________ Name DataCrime-1168 Alias(es) 1168, Columbus Day, DataCrime, DataCrime I Virus Family DataCrime Classification Non-resident COM infector for IBM DOS Length of Virus 1168 bytes Behavior Summary This virus spreads between COM files. If an infected program is run between October 13th and December 31st, inclusive, in any year, it will display the message "DATACRIME VIRUS RELEASED: 1 MARCH 1989", and erase part of the hard disk, rendering data inaccessible. The DataCrime-1280 Virus ________________________ Name DataCrime-1280 Alias(es) 1280, Columbus Day, DataCrime, DataCrime I Virus Family DataCrime Classification Non-resident COM infector for IBM DOS Length of Virus 1280 bytes Behavior Summary This virus spreads between COM files. If an infected program is run between October 13th and December 31st, inclusive, in any year, it will display the message "DATACRIME VIRUS RELEASED: 1 MARCH 1989", and erase part of the hard disk, rendering data inaccessible. The December 24th Virus _______________________ Name December 24th Alias(es) Disk Crunching, Iceland, Iceland III, Icelandic, Saratoga Virus Family Iceland/Saratoga Classification Resident EXE infector Length of Virus Approximately 848 bytes Behavior Summary When an infected program is run, the virus installs itself in memory; later, if any file with an extension beginning with "EX" is run, it may be infected. Approximately every tenth file run is infected. The basic code of the virus is similar to the others in the family. This version infects every tenth file run and does not mark sectors as bad. If an infected file is run on December 24th, any attempt to run a program after that will print the message "Gledileg jol", (which is a Christmas greeting in Icelandic) rather than running the program. The Den Zuk Virus _________________ Name Den Zuk Alias(es) Den Zuko Virus Family Ohio Classification Diskette boot record infector Length of Virus Boot record and 8 additional sectors on hard disk or diskette Behavior Summary When you boot from an infected diskette, the virus loads into memory and infects diskettes used in drive A or B later. If the virus finds signs of the Brain virus on a diskette, it will remove the Brain infection before installing itself. If the virus is in memory and a color display is active when you press Ctrl+Alt+Del, the virus will sometimes display a moving graphic "logo" containing the letters "Den Zuk" and a sphere. The Devil Virus _______________ Name Devil's Dance-941 Alias(es) 941, Devil's Dance Virus Family Devil's Dance Classification Resident COM infector for IBM DOS Length of Virus 941 bytes Behavior Summary This virus infects all COM files in the current directory when first invoked. The virus's resident part then infects any file that is run whose extension begins with "C". Sometimes the virus changes the colors of characters typed on a color display. Also, when Ctrl+Alt+Del is pressed it sometimes displays the message "Have you ever danced with the devil under the weak light of the moon? Pray for your disk! The_Joker... Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha" Then the virus sometimes overlays the master boot record of the first hard disk with random data. The DIR II Virus ________________ Name DIR II Alias(es) DIR 2, Cluster Virus Family Classification Cluster virus; resident EXE and COM infector Length of Virus 1024 bytes (but see below) Behavior Summary When an infected program is run, the virus installs itself in the DOS device driver chain and infects any hard disk or diskette used later. When the virus infects a disk, it writes one copy of itself to a usually unused part of the disk and redirects the directory entries for all the programs on the disk to point to that copy. The virus does not appear to be destructive; but because it installs itself in the system at a very low level, it often interacts badly with other software, sometimes leading to malfunctions and data loss. The Disk Killer Virus _____________________ Name Disk Killer Alias(es) Computer Ogre, Disk Ogre, Ogre Virus Family Disk Killer Classification Diskette and hard -disk (DOS) boot infector Length of Virus Boot record and 4 additional sectors on hard disk or diskette Behavior Summary This virus infects diskette boot records and hard disk non-master (DOS) boot records. About 48 hours after booting from an infected hard disk or diskette, the message "Disk Killer -- Version 1.00 by COMPUTER OGRE 04/01/89 Warning!!! Don't turn off the power or remove the diskette while Disk Killer is Processing!" is displayed, and data on the disk booted from (or whatever disk is in the diskette you drive booted from) is scrambled. The EDV Virus _____________ Name EDV Alias(es) Virus Family Classification Diskette and fixed disk master boot infector Length of Virus Boot record and one additional hard disk or diskette sector Behavior Summary When booted from an infected disk or diskette, the virus loads into memory and infects any other disks or diskettes used later. When an internal counter reaches a threshold, the virus overwrite areas on various fixed disks and diskettes with random data. Due to bugs in the virus, and code that attempts to hang the machine when memory is scanned, infected machines sometimes malfunction (not boot, or hang sometime after booting). If a machine with an infected fixed disk is booted from a clean diskette, the fixed disk partitions will often be unreadable by DOS. The Flip-2153 Virus ___________________ Name Flip-2153 Alias(es) Flip 2, Omicron Virus Family Flip Classification IBM DOS EXE, COM, and master boot record infector Length of Virus Approximately 2153 bytes Behavior Summary When an infected file is executed on a machine with a hard disk, the hard disk's master boot record is altered to reinstall the virus in memory even if all infected files are removed. While the virus is in memory, any file executed becomes infected. On some second days of the month between 10:00 and 11:00 a.m., the screen (including the individual characters) turns upside-down if an EGA-compatible display is in use. The Flip-2343 Virus ___________________ Name Flip-2343 Alias(es) Flip 1, Flip Virus Family Flip Classification IBM DOS EXE, COM, and master boot record infector Length of Virus Approximately 2343 bytes Behavior Summary When an infected file is executed on a machine with a hard disk, the hard disk's master boot record is altered to re install the virus in memory even if all infected files are removed. When a system is booted from an infected hard disk, the next program executed (typically COMMAND.COM) is patched. In at least some versions of COMMAND.COM, the patch causes the DIR command to "lie" about the lengths of infected files. While the virus is in memory, any file executed becomes infected. On some second days of the month between 10:00 and 11:00 a.m., the screen (including the individual characters) turns upside-down if an EGA-compatible display is in use. The FORM Virus ______________ Name FORM Alias(es) Virus Family Classification Resident diskette and hard disk DOS boot infector Length of Virus Boot record and one additional hard disk or diskette sector Behavior Summary When you boot from an infected diskette or hard disk, the virus infects the bootable partition on the first hard disk if it exists and if is not already infected. Also, it writes part of itself to one additional sector marked "bad" in the File Allocation Table. The virus remains resident in memory and infects essentially any diskette used later. On the 18th of the month, in machines with a normal real time clock, the virus causes a slight clicking when keys are pressed which often goes unnoticed. If you boot an OS/2 system with HPFS on the boot drive from an infected diskette, some of the data can become corrupted and the system will no longer boot from the hard disk. The Friday the 13th COM Virus _____________________________ Name Friday the 13th COM Alias(es) COM, Friday the 13th, Miami, Munich, South African, Virus-B Virus Family Classification Non-resident COM infector Length of Virus Approximately 540 bytes Behavior Summary When an infected program is run, it infects all COM files in the current directory. On Friday the 13th, infected files attempt to erase themselves when executed. This virus has an indefinite history. It might have been written only as an experiment and not released "into the wild." The sample we have contains code that prints a warning message whenever an infected program is run. The Grain of Sand Virus _______________________ Name Grain of Sand Alias(es) Irish, Maltese Amoeba Virus Family Classification Resident EXE and COM infector Length of Virus Approximately 2520 bytes Behavior Summary When an infected program is executed, the virus installs itself in memory and infects files that are later executed or opened. When the date is November 1 or March 15, it also overwrites the boot areas of the first hard disk and any diskettes with a program that displays a poem (containing the words "grain of sand") instead of booting the machine. Data on infected disks and diskettes is not easy to recover. After it overwrites the boot areas, it hangs the machine, sometimes with a flashing screen-effect on the display. The virus is loosely related to the Casino virus, which does not install itself if the Grain of Sand is active. If the Grain of Sand finds the Casino present in memory, it will attempt to remove it. The Guppy Virus _______________ Name Guppy. Alias(es) None. Virus Family Tiny. Classification Resident COM and EXE file virus for PC DOS Length of Virus 152 bytes Behavior Summary When an infected program is executed, the virus loads into memory and infects COM files that are run later. The Haifa Virus _______________ Name Haifa Alias(es) Virus Family Haifa Classification Resident COM and EXE infector for IBM DOS Length of Virus Approximately 2350 bytes Behavior Summary When an infected file is run, the virus loads into memory and infects COM and EXE files found in directories that are used later. Also, it hangs the machine periodically, prints a message on August 24th and on April 8th, and inserts text strings into certain types of files found. It inserts a text string containing "mov dx,80h" into files with an extension of ASM. It inserts a text string containing "CONST VIRUS=" into files with an extension of PAS. It inserts a text string beginning "OOPS! Hope I" into files with an extension of DOC or TXT. The Haifa-Motzkin Virus _______________________ Name Haifa-Motzkin Alias(es) Motzkin, Mozkin Virus Family Haifa Classification Resident COM and EXE infector for IBM DOS Length of Virus Approximately 2350 bytes Behavior Summary When an infected file is run, the virus loads into memory, and infects COM and EXE files found in directories that are used later. Hangs the machine periodically, prints a message on May 7th, and inserts text strings into certain types of files found; it might also sometimes cause unexpected screen printing. It inserts a text string containing "What are backups" into files with an extension of BAK. It also inserts a text string containing "DES of USA" into files with an extension of ARJ. It also inserts a text string containing "Instead of reading this" into files with an extension of DOC or TXT. The Iceland II Virus ____________________ Name Iceland II Alias(es) Iceland, Icelandic, Icelandic II, Saratoga, Saratoga 3, System Virus Family Iceland/Saratoga Classification Resident EXE infector Length of Virus Approximately 632 bytes Behavior Summary When an infected program is run, the virus installs itself in memory; later, if any file with an extension beginning with "EX" is run it will be infected. This virus differs from the Saratoga 1 in that it does not mark sectors as bad. It avoids using INT 21 to call DOS by finding the "true" DOS function-request entry point and thereby avoiding detection by any anti-virus program that relies on intercepting INT 21. The Joshi Virus _______________ Name Joshi Alias(es) Virus Family Joshi Classification Resident diskette and hard disk master boot infector Length of Virus Boot record and 8 additional sectors on hard disk or diskette Behavior Summary On January 5th, infected machines display the message "Type Happy Birthday Joshi!", and freeze until "happy birthday joshi" is typed on the keyboard. When an infected hard disk or diskette is booted, the virus loads itself into high memory and intercepts the keyboard, timer, disk, and (a bit later) DOS service call vectors. The viral disk I/O handler infects the boot record of BIOS drives 00, 01, 80 and 81 (drives A, B, and the first two physical hard disks) when I/O is done to those drives. It also hides the viral boot record from normal reads, returning an image of the original boot record. The keyboard handler is used by the virus to remain in memory when a soft (Ctrl+Alt+Del) reboot is done. The DOS service call handler is used to choose a good time to activate if the date is January 5th. On infected diskettes, the virus resides in the boot record and in a specially formatted extra track that the virus creates. Using DISKCOPY or other normal disk-imaging or disk-copying tools does not make a true image of the infected diskette (most of the virus and the original boot record will be missing). Virus verification tools tell you that such a diskette is not infected with the normal Joshi virus. If a hard disk that was partitioned by a version of FDISK prior to DOS version 3.0 becomes infected, the virus will overwrite part of the File Allocation Table with part of itself. This is true regardless of the version of DOS actually installed on the disk at the time of infection. The only determining factor is the version of FDISK last used to partition the drive. When the disk is not very full, this does not cause noticeable symptoms for some time. When the disk is full, it causes extensive file cross-linking and corruption. The Joshi-00 Virus __________________ Name Joshi-00 Alias(es) Virus Family Joshi Classification Resident diskette and hard disk master boot infector Length of Virus Boot record and 8 additional sectors on hard disk or diskette Behavior Summary On January 5th, infected machines display the message "Type Happy Birthday Joshi!", and freeze until "happy birthday joshi" is typed on the keyboard. When an infected hard disk or diskette is booted, the virus loads itself into high memory and intercepts the keyboard, timer, disk, and (a bit later) DOS service call vectors. The viral disk I/O handler infects the boot record of BIOS drives 00, 01, 80 and 81 (drives A, B, and the first two physical hard disks) when I/O is done to those drives. It also hides the viral boot record from normal reads, returning an image of the original boot record. Although this version of the virus is slightly damaged and it might be possible to read the viral boot record with a clever use of VERIFY, this has not been tested. The keyboard handler is used by the virus to remain in memory when a soft (Ctrl+Alt+Del) reboot is done. The DOS service call handler is used to choose a good time to activate if the date is January 5th. On infected diskettes, the virus resides in the boot record and in a specially formatted extra track that the virus creates. Using DISKCOPY or other normal disk-imaging or disk-copying tools does not make a true image of the infected diskette (most of the virus and the original boot record will be missing). Virus verification tools tell you that such a diskette is not infected with the normal Joshi virus. If a hard disk that was partitioned by a version of FDISK prior to DOS version 3.0 becomes infected, the virus will overwrite part of the File Allocation Table with part of itself. This is true regardless of the version of DOS actually installed on the disk at the time of infection. The only determining factor is the version of FDISK last used to partition the drive. When the disk is not very full, this does not cause noticeable symptoms for some time. When the disk is full, it causes extensive file cross-linking and corruption. The Joshi-00 is a variant of the Joshi virus. One word has been overwritten with binary zeros, which has little or no effect on the function of the virus. The Kennedy-163 Virus _____________________ Name Kennedy-163 Alias(es) Tiny-163 Virus Family Kennedy Classification Non-resident COM file virus for IBM DOS Length of Virus 163 bytes Behavior Summary This virus does nothing except infect COM files. The Keypress Virus __________________ Name Keypress Alias(es) Turku Virus Family Classification Resident COM and EXE file virus for IBM DOS Length of Virus Approximately 1232 bytes Behavior Summary When an infected file is executed, the virus loads into memory. If the active version of DOS is 3.0 or later, it will infect all files executed later. If the active version of DOS is earlier than 3.0, it infects all files having an extension of COM or EXE that are opened, except system files. At intervals of 10 minutes, the virus causes spurious simulated keystrokes for a period of 2 seconds and causes the keyboard to appear "stuck". The Lao Doung Virus ___________________ Name Lao Doung Alias(es) Loa Doung, Lao Duong Virus Family Classification Resident diskette and hard disk system (non-master) boot infector Length of Virus Boot record and one additional hard disk or diskette sector Behavior Summary When an infected disk or diskette is booted, the virus installs itself in memory. When booted from diskette, it attempts to infect the boot record of the first partition on the first fixed disk. When the virus is in memory, it occasionally plays "music" through the PC speaker (our correspondants in Thailand tell us that the tune is an old folk song called Lao Doung Duen). Due to assumptions made about the setup of hard disks, the virus might fail to infect and/or might damage data on some hard disks. The Lehigh I Virus __________________ Name Lehigh I Alias(es) Virus Family Lehigh Classification Resident COMMAND.COM infector (IBM DOS) Length of Virus Approximately 530 bytes Behavior Summary This virus spreads between COMMAND.COM files. On the fourth infection, it writes random data to lower the 32 sectors of the disk, making files on them inaccessible. Infected COMMAND.COM files do not change in length because the virus writes itself over buffer space within the file. The Liberty Virus _________________ Name Liberty Alias(es) Mystic Virus Family Liberty Classification Resident COM, EXE, and diskette boot infector for IBM DOS Length of Virus Approximately 2857 bytes Behavior Summary When an infected file is run, the virus loads into memory and infects EXE and COM files that are later executed. Rarely does the virus also infect the boot record of a diskette. When you boot from an infected diskette the virus installs itself in memory to infect COM and EXE files, and also installs a number of "prank" routines that sometimes replace text sent to the screen, the printer, or the asynchronous communication ports with the word "MAGIC". Also on rare occasions displays "M A G I C ! ! !" on the first line of the screen momentarily. The Liberty-B Virus ___________________ Name Liberty-B Alias(es) Mystic Virus Family Liberty Classification Resident COM, EXE, and diskette boot infector for IBM DOS. Length of Virus Approximately 2867 bytes Behavior Summary When an infected file is run, the virus loads into memory and infects EXE and COM files that are later run. Rarely does the virus infect the boot record of a diskette. When you boot with an infected diskette, the virus installs itself in memory to infect COM and EXE files and also installs a number of "prank" routines. This is a slight, functionally identical variant of the Liberty virus. The Liberty-X Virus ___________________ Name Liberty-X Alias(es) Mystic Virus Family Liberty Classification Resident COM and EXE infector for IBM DOS Length of Virus Approximately 2857 bytes Behavior Summary When an infected file is run,the virus loads into memory and infects EXE and COM files that are later run. This is a damaged variant of the Liberty virus, which cannot infect diskettes, and does not contain the "prank" code from the Liberty virus. In circumstances where the Liberty would infect a diskette, the Liberty-X malfunctions, generally hanging the system. The Live After Death Virus __________________________ Name Live After Death Alias(es) V810 Virus Family V800 Classification Resident COM infector for IBM DOS Length of Virus 810 bytes Behavior Summary This virus infects only COM files of specific lengths. It attempts to intercept DOS requests at a low level in order to avoid detection by security programs. The Michelangelo Virus ______________________ Name Michelangelo Alias(es) Virus Family Classification Diskette and hard disk master boot-record infector Length of Virus Boot record and one additional hard disk or diskette sector Behavior Summary When booted from diskette, this virus infects the master boot record of the first hard disk (if any) and installs the virus in memory. When booted from an infected hard disk, it only installs the virus in memory. While the virus is in memory, diskettes used in drive A become infected. If the date is March 6th when you boot from an infected disk or diskette is the virus will overwrite parts of the boot disk with random data. The Microbe Virus _________________ Name Microbe Alias(es) Microbes Virus Family Classification Resident diskette boot infector Length of Virus Boot record and 8 additional sectors on hard disk or diskette Behavior Summary When you boot from an infected diskette, the virus installs itself in memory and infects any writeable diskette used in drives A or B later. If a diskette is infected with the Brain virus, it will remove the Brain infection before installing itself. While the virus is active in memory, attempts to read or write to an infected boot record are redirected to the saved original boot record instead. The virus uses eight sectors (four clusters) on diskette, which it marks as "bad" in the DOS File Allocation Table. If the virus has been booted a large number of times, it will display during the boot process a message that begins "This MICROBE is dedicated to...". The MIX1 Virus ______________ Name MIX1 Alias(es) Virus Family Iceland/Saratoga Classification Resident EXE infector Length of Virus Approximately 1618 bytes Behavior Summary When an infected program is run, the virus installs itself in memory; later, if any file with an extension beginning with "EX" is run, it will be infected. This virus differs from the Saratoga 1 in that it does not mark sectors as bad, and it contains code to cause errors (character substitutions) in serial and printer output using BIOS, and to cause a bouncing ball to appear on the screen in some conditions. The bouncing ball code appears to have a bug that sometimes hangs the machine. The MIX1-B Virus ________________ Name MIX1-B Alias(es) Virus Family Iceland/Saratoga Classification Resident EXE infector Length of Virus Approximately 1618 bytes Behavior Summary When an infected program is run, the virus installs itself in memory; later, if any file with an extension beginning with "EX" is run, it will be infected. The virus contains code to cause errors (character substitutions) in serial and printer output using BIOS and to cause a bouncing ball to appear on the screen in some conditions. Some of the errors in the MIX1 virus seem to be fixed in this variant. The Noint Virus _______________ Name Noint Alias(es) Virus Family Classification Diskette and hard disk master boot record infector. Length of Virus Approximately 420 bytes Behavior Summary When booted from diskette, the virus infects the master boot record of the first hard disk (if any) and installs the virus in memory. When booted from an infected hard disk, it only installs the virus in memory. While the virus is in memory, any (not write protected) diskettes read from become infected. If the virus is active in memory, attempts to read the infected boot record from the first hard disk will see the original uninfected boot record instead. The virus has no intentional side-effects, destructive or otherwise. The Ohio Virus ______________ Name Ohio Alias(es) Virus Family Ohio Classification Diskette boot record infector Length of Virus Boot record and 5 additional sectors on hard disk or diskette Behavior Summary When you boot from an infected diskette, the virus loads into memory and infects diskettes used in drive A or B later. If the virus finds signs of the Brain virus on a diskette, it will remove the Brain infection before installing itself. If the virus is in memory and a color display is active when the user presses Ctrl+Alt+Del, the virus will sometimes hang the machine. It seems to be designed to display a graphic, similar to the Den Zuk virus to which it is closely related. In all samples seen so far, the graphic code is missing and the system hangs. The OROPAX Virus ________________ Name OROPAX Alias(es) Virus Family Classification Resident COM infector for IBM DOS Length of Virus Approximately 2765 bytes Behavior Summary When an infected file is executed, the virus installs itself in memory. At certain times later (such as creation of a file or subdirectory. And renaming of a file), the virus infects one additional file having an extension of COM. Infected files can grow by as much as 2815 bytes. Under some circumstances, the virus causes music to play from the PC's speaker (although on some machines the music is never played, in spite of the infection). The Perfume-765 Virus _____________________ Name Perfume-765 Alias(es) 4711 Virus Family Classification Resident COM infector for IBM DOS Length of Virus Approximately 765 bytes Behavior Summary When an infected file is run, the virus installs itself in memory, and any file with an extension of COM that is run later is infected. After a certain number of files have been infected, running an infected program causes a message to be displayed, and execution continues only if you type "4711". In the sample of the virus we have, the message area has been overlayed with zeros and other binary values. There are text variants where the message says something intelligible. The Plastique-Danube Virus __________________________ Name Plastique-Danube Alias(es) Plastique, Invader, Anticad 4.Danube Virus Family Plastique, 1813 Classification Resident COM, EXE, diskette, and partition boot sector infector for IBM DOS Length of Virus Approximately 4096 bytes Behavior Summary When an infected file is run, the virus loads into memory and infects EXE and COM files that are later run or opened as read-only, and infects the partition (DOS) boot sector on diskettes and hard disks that are later read from. When the virus is active in memory, it sometimes slows down the machine, sometimes plays the Blue Danube Waltz through the PC speaker, and sometimes causes hard disk and diskette writes to fail (after a certain number of keystrokes without a hard disk or diskette write). Under various circumstances involving whether or not you have run ACAD.EXE, the number of keystrokes since the last hard disk write, and the user pressing Ctrl+Alt+Del, the virus hangs the system, sometimes after writing garbage to the first two diskettes or the first two physical hard disks. This virus is closely related to the other members of the Plastique family, especially the Plastique 5.21 and the Plastique-Invader viruses. The virus also removes the "Disk Killer" virus from hard disks and diskettes that it infects and attempts to disable that virus if it is resident in memory. The Plastique-Invader Virus ___________________________ Name Plastique-Invader Alias(es) Plastique, Invader, Anticad 4.Mozart Virus Family Plastique, 1813 Classification Resident COM, EXE, diskette, and partition boot sector infector for IBM DOS Length of Virus Approximately 4096 bytes Behavior Summary When an infected file is run, the virus loads into memory and infects EXE and COM files that are later run or opened as read-only, and infects the partition (DOS) boot sector on diskettes and hard disks that are later read from. When the virus is active in memory, it sometimes slows down the machine, sometimes plays the theme from the first movement of Mozart's 40th through the PC speaker, and sometimes causes hard disk or diskette writes to fail (after a certain number of keystrokes without a hard disk or diskette write). Under various circumstances involving whether or not you have run ACAD.EXE, the number of keystrokes since the last disk write, and wether you press Ctrl+Alt+Del, the virus hangs the system, sometimes after writing garbage to the first two diskettes or to the first two physical hard disks. This virus is closely related to the other members of the Plastique family, especially the Plastique 5.21 and the Plastique-Danube viruses. The virus also removes the "Disk Killer" virus from hard disks and diskettes that it infects and attempts to disable that virus if it is resident in memory. The Plastique-2576 Virus ________________________ Name Plastique-2576 Alias(es) Plastique, Anticad, Anticad 5, Taiwan 4 Virus Family Plastique, 1813 Classification Resident COM and EXE infector for IBM DOS Length of Virus Approximately 2576 bytes Behavior Summary When an infected file is run the virus loads into memory and infects EXE and COM files that are later run. When the virus is active in memory, it will sometimes slows down the machine, and sometimes plays music through the PC speaker. If you run a file called ACAD.EXE, it will be overwritten with garbage and erased instead. Much of the code in this virus is taken from the 1813 virus, but many of the 1813 virus's symptoms (such as EXE re-infection, file erasure on Friday the 13th, black boxes) have been removed. The Plastique-2900 Virus ________________________ Name Plastique-2900 Alias(es) Plastique, Anticad, Anticad 2, Taiwan 3 Virus Family Plastique, 1813 Classification Resident COM and EXE infector for IBM DOS Length of Virus Approximately 2900 bytes Behavior Summary When an infected file is run the virus loads into memory and infects EXE and COM files that are later run or opened as read-only. When the virus is active in memory, it sometimes slows down the machine, sometimes plays music through the PC speaker, and sometimes causes hard disk and diskette writes to fail (after a certain number of keystrokes without a hard disk and diskette write). If you execute a file called ACAD.EXE, or press Ctrl+Alt+Del under certain circumstances, the virus hangs the system, sometimes after writing garbage to the first two diskettes and the first two physical hard disks. Much of the code in this virus is taken from the Plastique-2576 virus. The Plastique 4.51 Virus ________________________ Name Plastique 4.51 Alias(es) Plastique, Anticad, Anticad 3.a Virus Family Plastique, 1813 Classification Resident COM and EXE infector for IBM DOS Length of Virus Approximately 3012 bytes Behavior Summary When an infected file is run, the virus loads into memory and infects EXE and COM files that are later run or open as read-only. When the virus is active in memory, it sometimes slows down the machine, sometimes plays music through the PC speaker, and sometimes causes hard disk and diskette writes to fail (after a certain number of keystrokes without a hard disk and diskette write). Under various circumstances involving whether or not you have run a file called ACAD.EXE, the number of keystrokes since the last disk write, and wether you press Ctrl+Alt+Del, the virus hangs the system, sometimes after writing garbage to the first two diskette or the first two physical hard disks. Much of the code in this virus is taken from the Plastique-2900 virus. The Plastique 4.51-b Virus __________________________ Name Plastique 4.51-b Alias(es) Plastique, Anticad, Anticad 3.b Virus Family Plastique, 1813 Classification Resident COM and EXE infector for IBM DOS Length of Virus Approximately 3004 bytes Behavior Summary When an infected file is run, the virus loads into memory and infects EXE and COM files that are later run or opened as read-only. When the virus is active in memory, it sometimes slows down the machine, sometimes plays music through the PC speaker, and sometimes causes hard disk and diskette writes to fail (after a certain number of keystrokes without a hard disk and diskette write). Under various circumstances involving whether or not you have run a file called ACAD.EXE, the number of keystrokes since the last hard disk write, and wether you press Ctrl+Alt+Del, the virus hangs the system, sometimes after writing garbage to the first two diskettes or the first two physical hard disks. This virus is nearly identical to the Plastique 4.51 virus. The Plastique 5.21 Virus ________________________ Name Plastique 5.21 Alias(es) Plastique, Anticad, Anticad 1.b Virus Family Plastique, 1813 Classification Resident COM, EXE, diskette, and partition boot sector infector for IBM DOS Length of Virus Approximately 4096 bytes Behavior Summary When an infected file is run, the virus loads into memory and infects EXE and COM files that are later run or opened as read-only, and the partition (DOS) boot sector on diskettes and hard disks that are later read from. When the virus is active in memory, it sometimes slows down the machine, sometimes plays music through the PC speaker, and sometimes causes hard disk and diskette writes to fail (after a certain number of keystrokes without a hard disk and diskette write). If the you run a program called ACAD.EXE, the virus will print a warning message. Under various circumstances involving whether or not you have run ACAD.EXE, the number of keystrokes since the last hard disk write, and wether you press Ctrl+Alt+Del, the virus hangs the system, sometimes after writing garbage to the first two diskettes or the first two physical hard disks. Much of the code in this virus is taken from the Plastique-2900 virus. The virus also removes the "Disk Killer" virus from hard disks and diskettes that it infects, and attempts to disable that virus if it is resident in memory. The PrtSc Virus _______________ Name PrtSc Alias(es) Print Screen Virus Family Classification Resident diskette and hard disk system (non-master) boot infector Length of Virus Boot record only Behavior Summary When you boot from an infected hard disk or diskette, the virus installs itself in memory and infects any diskette and the boot sector of the first partition of any hard disk read later. At intervals, the virus causes a false INT 5 that usually causes the contents of the screen to be printed on the local printer (the same as pressing the Print Screen key). Because of assumptions made about the setup of hard disks, the virus can fail to infect or damage data on some hard disks. The Saratoga 1 Virus ____________________ Name Saratoga 1 Alias(es) Disk Crunching, Iceland, Icelandic, Saratoga Virus Family Iceland/Saratoga Classification Resident EXE infector Length of Virus Approximately 642 bytes Behavior Summary When an infected program is run, the virus installs itself in memory; later, if any file with an extension beginning with "EX" is run it will be infected. On certain types of hard disks, randomly chosen sectors are marked gradually as "bad". The Saratoga 2 Virus ____________________ Name Saratoga 2 Alias(es) Disk Crunching, Iceland, Icelandic, Saratoga Virus Family Iceland/Saratoga Classification Resident EXE infector Length of Virus Approximately 656 bytes Behavior Summary When an infected program is run, the virus installs itself in memory; later, if any file with an extension beginning with "EX" is run it will be infected. On certain types of hard disks, randomly chosen sectors are marked gradually as "bad". This virus differs from the Saratoga 1 in that it does not install itself if any program has intercepted the BIOS disk I/O request. The SBC Virus _____________ Name SBC Alias(es) Virus Family Classification Resident EXE and COM infector Length of Virus Approximately 2845 bytes Behavior Summary When an infected program is executed, the virus installs itself in memory and infects files that are later executed or opened. The length changes caused by the virus are not obvious if the virus is active in memory. The output of the DIR command shows the original uninfected lengths. The Slow-1721 Virus ___________________ Name Slow-1721 Alias(es) Slow Virus Family Slow, 1813 Classification Resident COM and EXE infector for IBM DOS Length of Virus Approximately 1721 bytes Behavior Summary When an infected file is run, the virus loads into memory and infects files that are later run. On some Fridays, the virus sets to zero the timestamps of files written to. The Solano Virus ________________ Name Solano Alias(es) Dyslexia V2.01 Virus Family Classification Resident COM infector for IBM DOS Length of Virus 2000 bytes Behavior Summary When an infected file is run, the virus loads into memory and infects COM files (except COMMAND.COM) that are later run. While the virus is resident in memory, on rare occasions it swaps a pair of adjacent digits on the display screen. The StarDot-600 Virus _____________________ Name StarDot-600 Alias(es) Virus Family StarDot Classification Non-resident EXE infector for IBM DOS Length of Virus 600 bytes in infected COM files; some additional padding bytes in infected EXE files. Behavior Summary When an infected file is run, the virus chooses from the files on the default drive an uninfected EXE file with the "archive" bit on and infects that file. If the day of the week is equal to the value of an internal counter, the virus will also overwrite random areas on the current disk drive and will send random bytes to the I/O ports associated with system devices, such as printers and displays. The StarDot-789 Virus _____________________ Name StarDot-789 Alias(es) Virus Family StarDot Classification Non-resident COM and EXE infector for IBM DOS Length of Virus Approximately 789 bytes Behavior Summary When an infected file is run, the virus chooses from the files on the default drive an uninfected EXE or COM file with the "archive" bit on and infects that file. If the date is February 13th and the time is after 1 p.m. when an infected file is run, it will overwrite the beginning of every hard disk in the system starting with Z. This virus is functionally identical to the StarDot-801 virus. The StarDot-801 Virus _____________________ Name StarDot-801 Alias(es) Virus Family StarDot Classification Non-resident COM and EXE infector for IBM DOS Length of Virus Approximately 801 bytes Behavior Summary When an infected file is run, the virus chooses from the files on the default drive an uninfected EXE or COM file with the "archive" bit on and infects that file. If the date is February 13th and the time is after 1 p.m. when an infected file is run, it will overwrite the beginning of every hard disk in the system, starting with Z. This virus is functionally identical to the StarDot-789 virus. The Stoned Virus ________________ Name Stoned Alias(es) Hawaii, Marijuana, New Zealand, San Diego, Smithsonian Virus Family Classification Diskette and hard disk boot infector Length of Virus Boot record and one additional hard disk or diskette sector Behavior Summary When a computer is booted from an infected diskette, the virus infects the master boot record of the first physical hard disk, installs itself in memory, and sometimes displays the message "Your PC is now Stoned!" When a computer is booted from an infected hard disk, the virus also installs itself in memory but does not display the message. When the virus is in memory, any diskette used in drive A may become infected. The virus has no intentionally destructive features but causes FAT damage and possible data loss on hard disks partitioned in certain ways. The Stoned-C Virus __________________ Name Stoned-C Alias(es) Hawaii, Marijuana, New Zealand, San Diego, Smithsonian Virus Family Stoned Classification Diskette and hard-disk boot infector Length of Virus Boot record and one additional hard disk or diskette sector Behavior Summary This virus infects diskettes and hard disk master boot record. There are no obvious symptoms. This is a variant of the Stoned virus with the message removed. The Sunday Virus ________________ Name Sunday Alias(es) Virus Family 1813 Classification Resident COM and EXE file virus for IBM DOS Length of Virus 1636 bytes in infected COM files; some additional padding bytes in infected EXE files. Behavior Summary This virus is similar to the 1813 virus, except the file-erasing trick is done only on Sundays after 1989. The slow-down and box-scrolling are replaced with a routine that sometimes prints a message about going out and having some fun. This message is displayed only on Sundays after 1989. The Sunday 2 Virus __________________ Name Sunday 2 Alias(es) Virus Family 1813 Classification Resident COM and EXE file virus for IBM DOS Length of Virus 1733 bytes in infected COM files; some additional padding bytes in infected EXE files. Behavior Summary This virus is similar to the 1813 virus except the file-erasing trick is done only on Sundays after 1989. The slow-down and box-scrolling are replaced with a routine that sometimes prints a message about going out and having some fun. This message is displayed only on Sundays after 1989. Also, the virus sometimes writes the word "PLAY" in the upper-left corner of the display. The sURIV 3.00 Virus ____________________ Name sURIV 3.00 Alias(es) Jerusalem-2E Virus Family 1813 Classification Resident COM and EXE file virus for IBM DOS Length of Virus 1813 bytes in infected COM files; some additional padding bytes in infected EXE files. Behavior Summary This virus erases files executed on Fridays and causes some odd system behavior. It is similar to the 1813 virus. The Sylvia Virus ________________ Name Sylvia Alias(es) Holland Girl Virus Family Classification Non-resident COM infector for IBM DOS Length of Virus Approximately 1332 bytes Behavior Summary When an infected file is run, it infects up to 5 files with an extension of COM in the current directories on the current drive and on drive C. The virus has no known side effects. It gets its name from the presence of an unused text area containing a name and address of someone named Sylvia from the Netherlands plus a suggestion to send her a funny postcard. The SYSLOCK Virus _________________ Name Syslock Alias(es) Macho, Macho-A, 3551 Virus Family Syslock Classification Non-resident COM and EXE infector for IBM DOS Length of Virus 3551 bytes Behavior Summary When an infected file is run, the virus looks through the directory tree on the current drive and infects one EXE or COM file at random. Sometimes (approximately every fifth time it runs), it picks a random sector on the current disk and changes all occurrences of the string "Microsoft" to "MACROSOFT". Also a text variant exists that uses "MACHOSOFT" instead of "MACROSOFT." The Tequila Virus _________________ Name Tequila Alias(es) Virus Family Classification Resident EXE and hard disk master boot infector for IBM DOS Length of Virus Approximately 2470 bytes Behavior Summary When an infected file is run, it infects the master boot record of the first hard disk. When a system is booted from an infected hard disk, the virus loads into memory and infects any EXE files subsequently run. The virus displays a low-resolution Mandelbrot set (a vaguely circular pattern of colors) on the monitor. The virus has a number of complex, but basically uninteresting, features having to do with not infecting files with certain names, trying to escape detection by making each infected file slightly different, and so on. From your point of view, though, detection is not difficult. The TP16VIR Virus _________________ Name TP16VIR Alias(es) Virus Family TPxxVIR Classification Resident EXE-converter and COM infector for IBM DOS Length of Virus Approximately 1339 bytes Behavior Summary This virus converts EXE-formatted files to COM format and infects COM-formatted files. The virus becomes resident when the first infected file is run and converts or infects any files that are run later. This virus is similar to the VACSINA virus. The TP45VIR Virus _________________ Name TP45VIR Alias(es) Yankee Doodle, TP45 Virus Family Yankee Doodle (TPxxVIR) Classification Resident COM and EXE infector for IBM DOS Length of Virus Approximately 2901 bytes Behavior Summary When an infected program is run, this virus loads into memory and infects any program run later. At 5:00 p.m. infected systems sometimes play "Yankee Doodle" through the speaker. This virus also has complex (but basically uninteresting) interactions with previous viruses in the same family, and with the Bouncing Ball virus. From your point of view, this virus is essentially identical to the Yankee Doodle-2885 virus (and some other members of this family). The Traceback-2930 Virus ________________________ Name Traceback-2930 Alias(es) Traceback II Virus Family Traceback Classification Resident COM and EXE infector Length of Virus Approximately 2930 bytes Behavior Summary When an infected program is run, the virus installs itself in memory and also looks for a file to infect on the current disk. Any files executed later can also become infected. Approximately one hour after executing the first infected program, a "falling letters" display, similar to that produced by the 17xx family of viruses, will occur. At the first keystroke after the display, the screen returns to normal; this performance is repeated periodically. This virus is very similar to the 3066 virus. The Traceback-3066 Virus ________________________ Name Traceback-3066 Alias(es) Traceback Virus Family Traceback Classification Resident COM and EXE infector Length of Virus Approximately 3066 bytes Behavior Summary When an infected program is run, the virus installs itself in memory and also looks for a file to infect on the current disk. Any files run later can also become infected. Approximately one hour after running the first infected program, a "falling letters" display, similar to that produced by the 17xx family of viruses, occurs. At the first keystroke after the display, the screen returns to normal. This performance is repeated periodically. This virus is very similar to the 2930 virus. The VACSINA Virus _________________ Name VACSINA Alias(es) Virus Family TPxxVIR Classification Resident EXE-converter and COM infector for IBM DOS Length of Virus Approximately 1206 bytes Behavior Summary This virus converts EXE-formatted files to COM format, and infects COM-format files. The virus becomes resident when the first infected file is run and converts or infects any files that are run later. The system might "beep" when new files are infected. The Vienna-Ghost Virus ______________________ Name Vienna-Ghost Alias(es) Ghostballs Virus Family Vienna, Bouncing Ball Classification Non-resident COM infector / boot modifier Length of Virus 2351 bytes Behavior Summary This virus infects COM files exactly as the Vienna-648 virus does, except it does not do the file damage of the Vienna-648 virus. When an infected file is run, the virus (as well as spreading) writes to drive A a boot sector that resembles the Bouncing Ball/286 boot sector in all functions except spreading. That is, the new boot sector sometimes produces a bouncing ball on the screen after booting and is detected as infected by the Bouncing Ball virus by some detectors, but it will not spread itself to other diskettes (only COM files infected with the Ghost virus spread it). The Vienna-Lisbon Virus _______________________ Name Vienna-Lisbon Alias(es) Lisbon Virus Family Vienna Classification Non-resident COM file virus for IBM DOS Length of Virus 648 bytes Behavior Summary This virus overlays some COM files with the string "@AIDS", rendering them nonfunctional. The Vienna-648 Virus ____________________ Name Vienna-648 Alias(es) Austrian, DOS-62, DOS-68, One-In-Eight, Reboot, Unesco, Vienna Virus Family Vienna Classification Non-resident COM file virus for IBM DOS Length of Virus 648 bytes Behavior Summary When an infected program is run, this virus looks for one uninfected COM file along the DOS PATH and infects it. It overlays some COM files with code that reboots the machine. The W13-A Virus _______________ Name W13-A Alias(es) Polish Virus Family W13 Classification Non-resident COM file virus for IBM DOS Length of Virus 534 bytes Behavior Summary Infected COM files infect other COM files when they are run. No other effects. The W13-B Virus _______________ Name W13-B Alias(es) Polish Virus Family W13 Classification Non-resident COM file virus for IBM DOS Length of Virus 507 bytes Behavior Summary Infected COM files infect other COM files when they are run. No other effects. The Yale Virus ______________ Name Yale Alias(es) Alameda, Merritt, Peking, Seoul, Yale Boot Virus Family Yale Classification Diskette boot infector Length of Virus Boot record and one additional hard disk or diskette sector Behavior Summary This virus has no obvious damage or symptoms; spreads when Ctrl+Alt+Del is pressed in an infected machine with an uninfected diskette in drive A. The Yankee Doodle-2772 Virus ____________________________ Name Yankee Doodle-2772 Alias(es) Yankee Doodle, 2772, TP39VIR, Yankee Doodle-B Virus Family Yankee Doodle (TPxxVIR) Classification Resident COM and EXE infector for IBM DOS Length of Virus Approximately 2772 bytes Behavior Summary When an infected program is run, the virus loads into memory and infects any program run later. At 5:00 p.m. infected systems sometimes play "Yankee Doodle" through the speaker. This virus also has complex (but basically uninteresting) interactions with previous viruses in the same family and with the Bouncing Ball virus. From your point of view, this virus is essentially identical to the Yankee Doodle-2885 (and some other members of this family). The Yankee Doodle-2885 Virus ____________________________ Name Yankee Doodle-2885 Alias(es) Yankee Doodle, 2885, TP44VIR Virus Family Yankee Doodle (TPxxVIR) Classification Resident COM and EXE infector for IBM DOS Length of Virus Approximately 2885 bytes Behavior Summary When an infected program is run, the virus loads into memory and infects any program run later. At 5:00 p.m. infected systems sometimes play "Yankee Doodle" through the speaker. This virus also has complex (but basically uninteresting) interactions with previous viruses in the same family and with the Bouncing Ball virus. From your point of view, this virus is essentially identical to the Yankee Doodle-2772 (and some other members of this family). The 1381 Virus ______________ Name 1381 Alias(es) Internal Virus Family Classification Non-resident EXE infector for IBM DOS Length of Virus Approximately 1381 bytes Behavior Summary When an infected file is run, the virus looks for an uninfected file with an extension of EXE on the current disk (it looks randomly through subdirectories) and infects it. If an infected file is run more than about 90 days after it became infected, it will display random-looking characters across the screen, along with the message "INTERNAL ERROR 02CH. PLEASE CONTACT YOUR HARDWARE MANUFACTURER IMMEDIATELY ! DO NOT FORGET TO REPORT THE ERROR CODE !" The virus then removes itself from the infected file and you are returned to DOS. The 1392 Virus ______________ Name 1392 Alias(es) Amoeba, Khetapunk Virus Family Classification Resident COM and EXE infector for IBM DOS Length of Virus Approximately 1392 bytes Behavior Summary When an infected file is run, the virus installs itself in memory. While in memory, the virus attempts to infect files that are run, and COMMAND.COM files on any disk while a free-space check is made. The DIR command, for instance, does a free-space check. When the virus has gone about four minutes without infecting a file and the display is a CGA (in text mode), the virus talks to the CRT controller to create a 26th line on the display and writes the words "SMA KHETAPUNK - NOUVEL Band A.M.O.E.B.A. by PrimeSoft Inc" in yellow on purple background. The virus contains a serious bug that causes it to replicate imperfectly, and only early generations of the virus are likely to function. The 1536 Virus ______________ Name 1536 Alias(es) Zero Bug, Palette Virus Family Classification Resident COM infector for PC DOS Length of Virus 1536 bytes Behavior Summary This virus infects COMMAND.COM and other COM files that are copied. Under some conditions, a "face" appears on the screen, and "eats" displayed characters. The 1575 Virus ______________ Name 1575 Alias(es) Green Caterpillar Virus Family Classification Resident COM and EXE infector for IBM DOS Length of Virus Approximately 1575 bytes Behavior Summary When an infected file is run, it attempts to infect the COMMAND.COM file in the root directory of drive C and loads itself into memory if it is not already present. It then infects files with an extension of COM or EXE that are found by various file-search calls (a DIR, for instance, often causes files found to be infected). At times, the virus displays a small horizontal green caterpillar running across your color display, moving characters around on the screen and changing their color. The 1701 Virus ______________ Name 1701 Alias(es) 170x, 17xx, Austrian 2, Autumn, Blackjack, Cascade, Fall, Falling Tears Virus Family 17xx Classification Resident COM infector for IBM DOS Length of Virus 1701 bytes Behavior Summary When an infected program is run, the virus loads into memory and infects COM-formatted files run later. The virus occasionally causes letters on the screen to fall into a pile at the bottom of the display screen, while causing "clicks" on the speaker. Due to complex date interactions, it is possible to have an active 1701 infection without this symptom ever appearing. The 1701-NoDate Virus _____________________ Name 1701-NoDate Alias(es) Virus Family 17xx Classification Resident COM infector for IBM DOS Length of Virus 1701 bytes Behavior Summary This virus spreads between COM files in IBM DOS. Occasionally the virus causes letters on the screen to fall into a pile at the bottom of the screen. It is a minor variant of the 1701 virus. The 1704 Virus ______________ Name 1704 Alias(es) 170x, 17xx, Austrian 2, Autumn, Blackjack, Fall, Second Austrian Virus Family 17xx Classification Resident COM infector for IBM DOS Length of Virus 1704 bytes Behavior Summary This virus spreads among COM files in IBM DOS. Occasionally the virus causes letters on the screen to fall into a pile at the bottom. The 1704-B Virus ________________ Name 1704-B Alias(es) 170x, 17xx, Cascade-B Virus Family 17xx Classification Resident COM infector for IBM DOS Length of Virus 1704 bytes Behavior Summary This virus spreads among COM files in IBM DOS. Occasionally the virus causes letters on the screen to fall into a pile at the bottom. The 1704-C Virus ________________ Name 1704-C Alias(es) 170x, 17xx Virus Family 17xx Classification Resident COM infector for IBM DOS Length of Virus 1704 bytes Behavior Summary This virus spreads among COM files in IBM DOS. Occasionally this virus causes letters on the screen to fall into a pile at the bottom. The 1704-Format Virus _____________________ Name 1704-Format Alias(es) 170x, 17xx Virus Family 17xx Classification Resident COM infector for IBM DOS Length of Virus 1704 bytes Behavior Summary This virus spreads among COM files in IBM DOS. Under some conditions, the virus renders data on drive C unreadable. The 1704-Y Virus ________________ Name 1704-Y Alias(es) 170x, 17xx Virus Family 17xx Classification Resident COM infector for IBM DOS Length of Virus 1704 bytes Behavior Summary This virus spreads among COM files in IBM DOS. Occasionally this virus causes letters on the screen to fall into a pile at the bottom. Infected programs often malfunction. This is a damaged variant of the 1704 virus. The 1813 Virus ______________ Name 1813 Alias(es) Black Friday, Black Hole, Hebrew University, Israeli, Jerusalem, JV, Morbus Waiblingen, PLO, Russian, sUMsDos Virus Family 1813 Classification Resident COM and EXE file virus for IBM DOS Length of Virus 1813 bytes in infected COM files; some additional padding bytes in infected EXE files. Behavior Summary When an infected program is run, the virus loads into memory and infects any program run later. Because of a bug in the virus, EXE-formatted files are infected each time they are run. Frequently used files eventually become too large to run. Because of another bug, some files (including OS/2 and Windows EXE files and very large COM files) do not run correctly after being infected. The virus intentionaly causes slowing down of the machine at intervals. Also, causes the appearance of "black boxes" on the display, and erases any file executed on any Friday the 13th. The 1813-00 Virus _________________ Name 1813-00 Alias(es) Virus Family 1813 Classification Resident COM and EXE infector for IBM DOS Length of Virus 1813 bytes in infected COM files; some additional padding bytes in infected EXE files. Behavior Summary This virus is a "mutation" (either accidental or intentional) of the standard 1813 virus. One byte of the virus has been changed to a zero. The main effect is if an uninfected program is run from a write-protected diskette while the virus is active in memory, the program often does not run at all and simply exits back to the DOS command prompt. With this exception, the virus is almost identical to the standard 1813 virus. The 1813-ANARKIA Virus ______________________ Name 1813-ANARKIA Alias(es) Virus Family 1813 Classification Resident COM and EXE file virus for IBM DOS Length of Virus 1813 bytes in infected COM files; some additional padding bytes in infected EXE files. Behavior Summary This virus erases files run on Friday the 13th and causes some odd system behavior. This virus is a slight variant of the 1813 virus. It never causes the 1813 virus's "black box," and has a more drastic system slowdown at times. The 1813-Discom Virus _____________________ Name 1813-Discom Alias(es) Discom Virus Family 1813 Classification Resident COM and EXE infector for IBM DOS Length of Virus 2053 bytes in infected COM files; some additional padding bytes in infected EXE files. Behavior Summary Like the 1813 virus, the Discom virus loads into memory and infects COM and EXE files that are later run. But, unlike the 1813, it does not infect EXE files multiple times and will not infect files with names ending in the letters "acad". Rather than erasing files run on Friday the 13th, the Discom virus has a number of side effects, such as slowing down the system, sending random data out the serial I/O ports, and sometimes overlaying data on the hard drive. The 1813-Not-13 Virus _____________________ Name 1813-Not-13 Alias(es) Payday Virus Family 1813 Classification Resident COM and EXE file virus for IBM DOS Length of Virus 1813 bytes in infected COM files; some additional padding bytes in infected EXE files. Behavior Summary This virus erases files run on Fridays that are not the 13th of the month and causes some odd system behavior. This virus is an almost-identical variant of the 1813 virus. The 1813-Swiss Virus ____________________ Name 1813-Swiss Alias(es) Virus Family 1813 Classification Resident COM and EXE file virus for IBM DOS Length of Virus 1813 bytes in infected COM files; some additional padding bytes in infected EXE files. Behavior Summary This virus erases files run on Friday the 13th and causes some odd system behavior. This virus is a functionally identical code variant of the 1813 virus. The 1813-Tuesday-the-13th Virus _______________________________ Name 1813-Tuesday-the-13th Alias(es) Virus Family 1813 Classification Resident COM and EXE file virus for IBM DOS Length of Virus 1813 bytes in infected COM files; some additional padding bytes in infected EXE files. Behavior Summary This virus erases files executed on Tuesdays that are also the 13th of the month and causes some odd system behavior. It is an almost identical variant of the 1813 virus. The 2086 Virus ______________ Name 2086 Alias(es) Fu Manchu Virus Family 1813 Classification Resident COM and EXE file virus for IBM DOS Length of Virus 2086 bytes in infected COM files; some additional padding bytes in infected EXE files. (More precisely, 2080 bytes of code and 6 bytes of virus self-recognition string in COM files, and 0-15 bytes of padding followed by 2080 bytes of code in EXE files.) Behavior Summary This virus hooks the keyboard interrupts, waits for any of the names "Fu Manchu, Reagan, Thatcher, Botha, or Waldeim" to be typed in upper case or lower case letters followed by a space, and adds its own remarks about them in the keyboard buffer so they are entered as the rest of the text. Also this virus slowly displays a message when the system is restarted by pressing Ctrl+Alt+Del. The 4096 Virus ______________ Name 4096 Alias(es) Stealth, Century Virus Family Classification Resident EXE and COM infector for IBM DOS Length of Virus 4096 bytes Behavior Summary When an infected program is run, the virus becomes resident in memory and infects any files run and any executable files opened and closed later. If the date is between September 22 and December 31 of any year, the virus will generally hang the machine (due to bugs in code that seem to be intended to overwrite the boot record with a program to display the message "Frodo Lives" when the machine boots). The 555 Virus _____________ Name 555 Alias(es) QUIT1992 Virus Family 555 Classification Resident COM and EXE infector for IBM DOS Length of Virus 555 bytes in infected COM files; some additional padding bytes in infected EXE files. Behavior Summary When an infected file is run, the virus loads into memory and infects EXE and COM files that are later run. If the year is 1992 or greater when an infected file is executed, the virus will install itself and exit immediately to DOS, without running the original victim program. The 555-B Virus _______________ Name 555-B Alias(es) QUIT1992 Virus Family 555 Classification Resident COM and EXE infector for IBM DOS Length of Virus 555 bytes in infected COM files; some additional padding bytes in infected EXE files. Behavior Summary When an infected file is run, the virus loads into memory and infects EXE and COM files that are later run. If the year is 1992 or later when an infected file is run, the virus will install itself and will exit immediately to DOS, without running the original program. This virus is almost identical to the 555 virus.