Source: IBM Aptiva Multimedia Exploration CD / Aptiva DEMO CD.iso / dos63 / virinfo.lst
File date: 1993-12-31 | 100KB | 2,233 lines
Descriptions of some known DOS viruses
______________________________________
This section briefly describes some of the DOS viruses analyzed by IBM.
It includes all of the viruses that are widespread in the world as of
this writing. It also includes many viruses that are not widespread, but
that we have analyzed in order to help stay ahead of the problem.
These descriptions are based on IBM's detailed analysis of the code of
each virus. Each virus has been carefully tested to verify its actual
behavior.
All of these viruses can be detected when checking disks and diskettes.
Viruses that are similar to these viruses will be detected as well. In
many cases, even viruses that are not similar to these will be detected
as "suspicious" by IBM AntiVirus/DOS.
The Aircop Virus
________________
Name Aircop
Alias(es)
Virus Family
Classification Diskette boot record infector
Length of Virus Boot record and one additional hard disk or diskette
sector
Behavior Summary When booted from an infected diskette, the virus loads
into memory and infects diskettes used in A: or B:
later. Every eight or so times that it infects a new
diskette, it displays the message "RED STATE, Germ
offensing --Aircop" (presumably an attempt to say
"Condition red, virus attack").
The April 1st COM Virus
_______________________
Name April 1st COM
Alias(es) April 1st, sURIV 1.01
Virus Family 1813
Classification Resident COM infector
Length of Virus Approximately 381 bytes
Behavior Summary When an infected program is run, the virus installs
itself in memory and any COM files run later become
infected. If the date is April 1st of any year,
executing any program while the virus is in memory
will display the message "APRIL 1ST HA HA HA YOU HAVE
A VIRUS", and will hang the machine. If the date is
after April 1st, 1988, the message "YOU HAVE A VIRUS"
will be displayed whenever any program is executed.
Because infection is so obvious, this virus is
probably extinct.
The April 1st EXE Virus
_______________________
Name April 1st EXE
Alias(es) April 1st, sURIV 2, sURIV 2.01
Virus Family 1813
Classification Resident EXE infector
Length of Virus 1488 bytes
Behavior Summary This virus infects any EXE files that are run, prints
a message on April 1st, and sometimes causes the
system to hang on Wednesdays.
The Azusa Virus
_______________
Name Azusa
Alias(es)
Virus Family
Classification Diskette and hard disk boot infector
Length of Virus Boot record only
Behavior Summary This virus infects diskettes and the hard disk master boot
record. Sometimes the virus zeros out the BIOS tables
for COM and printer ports, making printers and serial
ports unavailable.
The Bouncing Ball Virus
_______________________
Name Bouncing Ball
Alias(es) Bouncing Dot, Italian, Ping-Pong, Vera Cruz
Virus Family Bouncing Ball
Classification Diskette and hard disk boot infector
Length of Virus Approximately 975 bytes
Behavior Summary This virus infects diskettes and the hard disk
partition (non-master) boot record. It sometimes
produces a bouncing dot on the screen after booting.
The Bouncing Ball / 286 Virus
_____________________________
Name The Bouncing Ball / 286 Virus
Alias(es)
Virus Family Bouncing Ball
Classification Diskette and hard-disk boot infector
Length of Virus Approximately 975 bytes
Behavior Summary This virus infects diskettes and the hard disk
partition (non-master) boot record. It sometimes
produces a bouncing dot on the screen after booting.
The Brain Virus
_______________
Name Brain
Alias(es) Pakistani, Pakistani Brain, (c) Brain
Virus Family Brain
Classification Diskette boot infector
Length of Virus Boot record and 6 additional sectors on hard disk or
diskette
Behavior Summary This virus changes some diskette volume labels to "(c)
Brain".
The Brunswick Virus
___________________
Name Brunswick
Alias(es)
Virus Family
Classification Resident diskette and hard disk master boot infector
Length of Virus Boot record and one additional hard disk or diskette
sector
Behavior Summary When you boot from an infected diskette, it infects
the first physical hard disk in the system. When you
boot from an infected hard disk or diskette, the virus
loads into memory and infects diskettes used in drive
A or B later. When booting from an infected hard disk,
it sometimes overwrites the master boot record with
useless data, rendering the disk unbootable. Also, the
data becomes inaccessible without technical help. As
well as the intentional damage, on some systems the
virus overlays user data and possibly part of the file
allocation table when it saves the original boot
record in the data section of the hard disk.
The Burger-405 Virus
____________________
Name Burger-405
Alias(es) 405
Virus Family Burger
Classification COM overwriting virus for IBM DOS
Length of Virus Overwrites first 405 bytes of victim
Behavior Summary This virus is very buggy, apparently based on a
published example. When an infected file is run it
overlays the first 405 bytes of every file with an
extension of COM in the current directory of various
hard disks with a copy of itself. The original
(pre-infection) program does not run. Running an infected
program often hangs the machine or otherwise
malfunctions.
The Campana Virus
_________________
Name Campana
Alias(es) Telefonica, Anti-Telefonica, Telefon, ANTI-CTNE
Virus Family Campana
Classification Resident infector of diskette boot records and hard
disk master boot records
Length of Virus Boot record and one additional hard disk or diskette
sector
Behavior Summary When a machine is booted from an infected hard disk or
diskette, the virus loads itself into high memory and
reduces available memory by 1024 bytes. The machine's
hard disk (if any) and any diskettes used in drive A
or B while the virus is in memory are infected. After
a certain number of boots from an infected hard disk
or diskette, the virus writes random data to the boot
hard disk or diskette and other hard disks in the
system and displays a message beginning with the word
"Campana". While the virus is in memory, it intercepts
most attempts to read the boot record and returns an
image of an uninfected boot record to the program
making the request.
The Campana-B Virus
___________________
Name Campana-B
Alias(es) Telefonica, Anti-Telefonica, Telefon, ANTI-CTNE
Virus Family Campana
Classification Resident infector of diskette boot records and hard
disk master boot records
Length of Virus Boot record and one additional hard disk or diskette
sector
Behavior Summary When a machine is booted from an infected hard disk or
diskette, the virus loads itself into high memory and
reduces available memory by 1024 bytes. The machine's
hard disk (if any) and any diskettes used in drive A
or B while the virus is in memory are infected (unless
they are already infected with the Stoned virus).
After a certain number of boots from an infected hard
disk or diskette, the virus writes random data to the
boot hard disk or diskette and other hard disks in the
system and displays a message beginning with the word
"Campana". While the virus is in memory, it intercepts
most attempts to read the hard disk boot record and
returns an image of an uninfected boot record to the
program making the request.
The Cansu Virus
_______________
Name Cansu
Alias(es) V-Sign
Virus Family
Classification Resident diskette and hard disk master boot infector
Length of Virus Boot record and 2 additional sectors on hard disk or
diskette
Behavior Summary When you boot from an infected hard disk or diskette,
the virus loads into memory and infects diskettes used
in drive A or B later. Also, it infects the first two
physical hard disks in the system when they are used.
In approximately one in eight boots, the virus
displays a V-shaped symbol on the display. The virus
does no intentional damage; but, on some systems, it
overlays your data and perhaps part of the file
allocation table when it writes its two sectors to the
data section of the hard disk.
The Dark Avenger Virus
______________________
Name Dark Avenger
Alias(es) Eddie
Virus Family
Classification Resident COM and EXE file virus for IBM DOS
Length of Virus 1800 bytes in infected COM files; some additional
padding bytes in infected EXE files.
Behavior Summary When an infected program is run, the virus installs
itself in memory. It might infect any EXE or COM
file run, opened, renamed, or operated on in some way.
So any operation that examines many files can spread
the virus very quickly if it is active in memory at
the time. Approximately every 16 times an infected
program is run, it overwrites a random sector of the
disk the program was run from with the string "Eddie
lives...somewhere in time!" followed by part of the
body of the virus.
The DataCrime II Virus
______________________
Name DataCrime II
Alias(es) 1514, Columbus Day
Virus Family DataCrime
Classification Non-resident COM and EXE infector for IBM DOS
Length of Virus 1514 bytes in infected COM files; some additional
padding bytes in infected EXE files.
Behavior Summary This virus spreads between COM files. If an infected
program is run between October 13th and December 31st,
inclusive, in any year, it will display the message "*
DATACRIME II VIRUS", and erase part of the hard disk,
rendering data inaccessible.
The DataCrime II B Virus
________________________
Name DataCrime II B
Alias(es) 1480, Columbus Day
Virus Family DataCrime
Classification Non-resident COM and EXE infector for IBM DOS
Length of Virus 1480 bytes in infected COM files; some additional
padding bytes in infected EXE files.
Behavior Summary This virus spreads between COM files. If an infected
program is run between October 13th and December 31st,
inclusive, in any year, it will display the message "*
DATACRIME II VIRUS", and erase part of the hard disk,
rendering data inaccessible.
The DataCrime-1168 Virus
________________________
Name DataCrime-1168
Alias(es) 1168, Columbus Day, DataCrime, DataCrime I
Virus Family DataCrime
Classification Non-resident COM infector for IBM DOS
Length of Virus 1168 bytes
Behavior Summary This virus spreads between COM files. If an infected
program is run between October 13th and December 31st,
inclusive, in any year, it will display the message
"DATACRIME VIRUS RELEASED: 1 MARCH 1989", and erase
part of the hard disk, rendering data inaccessible.
The DataCrime-1280 Virus
________________________
Name DataCrime-1280
Alias(es) 1280, Columbus Day, DataCrime, DataCrime I
Virus Family DataCrime
Classification Non-resident COM infector for IBM DOS
Length of Virus 1280 bytes
Behavior Summary This virus spreads between COM files. If an infected
program is run between October 13th and December 31st,
inclusive, in any year, it will display the message
"DATACRIME VIRUS RELEASED: 1 MARCH 1989", and erase
part of the hard disk, rendering data inaccessible.
The December 24th Virus
_______________________
Name December 24th
Alias(es) Disk Crunching, Iceland, Iceland III, Icelandic,
Saratoga
Virus Family Iceland/Saratoga
Classification Resident EXE infector
Length of Virus Approximately 848 bytes
Behavior Summary When an infected program is run, the virus installs
itself in memory; later, if any file with an extension
beginning with "EX" is run, it may be infected.
Approximately every tenth file run is infected. The
basic code of the virus is similar to the others in
the family. This version infects every tenth file run
and does not mark sectors as bad. If an infected file
is run on December 24th, any attempt to run a program
after that will print the message "Gledileg jol",
(which is a Christmas greeting in Icelandic) rather
than running the program.
The Den Zuk Virus
_________________
Name Den Zuk
Alias(es) Den Zuko
Virus Family Ohio
Classification Diskette boot record infector
Length of Virus Boot record and 8 additional sectors on hard disk or
diskette
Behavior Summary When you boot from an infected diskette, the virus
loads into memory and infects diskettes used in drive
A or B later. If the virus finds signs of the Brain
virus on a diskette, it will remove the Brain
infection before installing itself. If the virus is in
memory and a color display is active when you press
Ctrl+Alt+Del, the virus will sometimes display a
moving graphic "logo" containing the letters "Den Zuk"
and a sphere.
The Devil Virus
_______________
Name Devil's Dance-941
Alias(es) 941, Devil's Dance
Virus Family Devil's Dance
Classification Resident COM infector for IBM DOS
Length of Virus 941 bytes
Behavior Summary This virus infects all COM files in the current
directory when first invoked. The virus's resident
part then infects any file that is run whose extension
begins with "C". Sometimes the virus changes the
colors of characters typed on a color display. Also,
when Ctrl+Alt+Del is pressed it sometimes displays the
message "Have you ever danced with the devil under the
weak light of the moon? Pray for your disk!
The_Joker... Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha". Then the
virus sometimes overlays the master boot record of the
first hard disk with random data.
The DIR II Virus
________________
Name DIR II
Alias(es) DIR 2, Cluster
Virus Family
Classification Cluster virus; resident EXE and COM infector
Length of Virus 1024 bytes (but see below)
Behavior Summary When an infected program is run, the virus installs
itself in the DOS device driver chain and infects any
hard disk or diskette used later. When the virus
infects a disk, it writes one copy of itself to a
usually unused part of the disk and redirects the
directory entries for all the programs on the disk to
point to that copy. The virus does not appear to be
destructive; but because it installs itself in the
system at a very low level, it often interacts badly
with other software, sometimes leading to malfunctions
and data loss.
The Disk Killer Virus
_____________________
Name Disk Killer
Alias(es) Computer Ogre, Disk Ogre, Ogre
Virus Family Disk Killer
Classification Diskette and hard disk (DOS) boot infector
Length of Virus Boot record and 4 additional sectors on hard disk or
diskette
Behavior Summary This virus infects diskette boot records and hard disk
non-master (DOS) boot records. About 48 hours after
booting from an infected hard disk or diskette, the
message "Disk Killer -- Version 1.00 by COMPUTER OGRE
04/01/89 Warning!!! Don't turn off the power or
remove the diskette while Disk Killer is Processing!"
is displayed, and data on the disk booted from (or
whatever disk is in the diskette drive you booted
from) is scrambled.
The EDV Virus
_____________
Name EDV
Alias(es)
Virus Family
Classification Diskette and fixed disk master boot infector
Length of Virus Boot record and one additional hard disk or diskette
sector
Behavior Summary When booted from an infected disk or diskette, the
virus loads into memory and infects any other disks or
diskettes used later. When an internal counter reaches
a threshold, the virus overwrites areas on various
fixed disks and diskettes with random data. Due to
bugs in the virus, and code that attempts to hang the
machine when memory is scanned, infected machines
sometimes malfunction (not boot, or hang sometime
after booting). If a machine with an infected fixed
disk is booted from a clean diskette, the fixed disk
partitions will often be unreadable by DOS.
The Flip-2153 Virus
___________________
Name Flip-2153
Alias(es) Flip 2, Omicron
Virus Family Flip
Classification IBM DOS EXE, COM, and master boot record infector
Length of Virus Approximately 2153 bytes
Behavior Summary When an infected file is executed on a machine with a
hard disk, the hard disk's master boot record is
altered to reinstall the virus in memory even if all
infected files are removed. While the virus is in
memory, any file executed becomes infected. On some
second days of the month between 10:00 and 11:00 a.m.,
the screen (including the individual characters) turns
upside-down if an EGA-compatible display is in use.
The Flip-2343 Virus
___________________
Name Flip-2343
Alias(es) Flip 1, Flip
Virus Family Flip
Classification IBM DOS EXE, COM, and master boot record infector
Length of Virus Approximately 2343 bytes
Behavior Summary When an infected file is executed on a machine with a
hard disk, the hard disk's master boot record is
altered to reinstall the virus in memory even if all
infected files are removed. When a system is booted
from an infected hard disk, the next program executed
(typically COMMAND.COM) is patched. In at least some
versions of COMMAND.COM, the patch causes the DIR
command to "lie" about the lengths of infected files.
While the virus is in memory, any file executed
becomes infected. On some second days of the month
between 10:00 and 11:00 a.m., the screen (including
the individual characters) turns upside-down if an
EGA-compatible display is in use.
The FORM Virus
______________
Name FORM
Alias(es)
Virus Family
Classification Resident diskette and hard disk DOS boot infector
Length of Virus Boot record and one additional hard disk or diskette
sector
Behavior Summary When you boot from an infected diskette or hard disk,
the virus infects the bootable partition on the first
hard disk if it exists and if it is not already infected.
Also, it writes part of itself to one additional
sector marked "bad" in the File Allocation Table. The
virus remains resident in memory and infects
essentially any diskette used later. On the 18th of
the month, in machines with a normal real time clock,
the virus causes a slight clicking when keys are
pressed which often goes unnoticed.
If you boot an OS/2 system with HPFS on the boot drive
from an infected diskette, some of the data can become
corrupted and the system will no longer boot from the
hard disk.
The Friday the 13th COM Virus
_____________________________
Name Friday the 13th COM
Alias(es) COM, Friday the 13th, Miami, Munich, South African,
Virus-B
Virus Family
Classification Non-resident COM infector
Length of Virus Approximately 540 bytes
Behavior Summary When an infected program is run, it infects all COM
files in the current directory. On Friday the 13th,
infected files attempt to erase themselves when
executed. This virus has an indefinite history. It
might have been written only as an experiment and not
released "into the wild." The sample we have contains
code that prints a warning message whenever an
infected program is run.
The Grain of Sand Virus
_______________________
Name Grain of Sand
Alias(es) Irish, Maltese Amoeba
Virus Family
Classification Resident EXE and COM infector
Length of Virus Approximately 2520 bytes
Behavior Summary When an infected program is executed, the virus
installs itself in memory and infects files that are
later executed or opened. When the date is November 1
or March 15, it also overwrites the boot areas of the
first hard disk and any diskettes with a program that
displays a poem (containing the words "grain of sand")
instead of booting the machine. Data on infected disks
and diskettes is not easy to recover. After it
overwrites the boot areas, it hangs the machine,
sometimes with a flashing screen-effect on the
display. The virus is loosely related to the Casino
virus, which does not install itself if the Grain of
Sand is active. If the Grain of Sand finds the Casino
present in memory, it will attempt to remove it.
The Guppy Virus
_______________
Name Guppy
Alias(es) None
Virus Family Tiny
Classification Resident COM and EXE file virus for PC DOS
Length of Virus 152 bytes
Behavior Summary When an infected program is executed, the virus loads
into memory and infects COM files that are run later.
The Haifa Virus
_______________
Name Haifa
Alias(es)
Virus Family Haifa
Classification Resident COM and EXE infector for IBM DOS
Length of Virus Approximately 2350 bytes
Behavior Summary When an infected file is run, the virus loads into
memory and infects COM and EXE files found in
directories that are used later. Also, it hangs the
machine periodically, prints a message on August 24th
and on April 8th, and inserts text strings into
certain types of files found. It inserts a text string
containing "mov dx,80h" into files with an extension
of ASM. It inserts a text string containing "CONST
VIRUS=" into files with an extension of PAS. It
inserts a text string beginning "OOPS! Hope I" into
files with an extension of DOC or TXT.
The Haifa-Motzkin Virus
_______________________
Name Haifa-Motzkin
Alias(es) Motzkin, Mozkin
Virus Family Haifa
Classification Resident COM and EXE infector for IBM DOS
Length of Virus Approximately 2350 bytes
Behavior Summary When an infected file is run, the virus loads into
memory, and infects COM and EXE files found in
directories that are used later. It hangs the machine
periodically, prints a message on May 7th, and inserts
text strings into certain types of files found; it
might also sometimes cause unexpected screen printing.
It inserts a text string containing "What are backups"
into files with an extension of BAK. It also inserts a
text string containing "DES of USA" into files with an
extension of ARJ. It also inserts a text string
containing "Instead of reading this" into files with
an extension of DOC or TXT.
The Iceland II Virus
____________________
Name Iceland II
Alias(es) Iceland, Icelandic, Icelandic II, Saratoga, Saratoga
3, System
Virus Family Iceland/Saratoga
Classification Resident EXE infector
Length of Virus Approximately 632 bytes
Behavior Summary When an infected program is run, the virus installs
itself in memory; later, if any file with an extension
beginning with "EX" is run, it will be infected. This
virus differs from the Saratoga 1 in that it does not
mark sectors as bad. It avoids using INT 21 to call
DOS by finding the "true" DOS function-request entry
point and thereby avoiding detection by any anti-virus
program that relies on intercepting INT 21.
The Joshi Virus
_______________
Name Joshi
Alias(es)
Virus Family Joshi
Classification Resident diskette and hard disk master boot infector
Length of Virus Boot record and 8 additional sectors on hard disk or
diskette
Behavior Summary On January 5th, infected machines display the message
"Type Happy Birthday Joshi!", and freeze until "happy
birthday joshi" is typed on the keyboard. When an
infected hard disk or diskette is booted, the virus
loads itself into high memory and intercepts the
keyboard, timer, disk, and (a bit later) DOS service
call vectors. The viral disk I/O handler infects the
boot record of BIOS drives 00, 01, 80 and 81 (drives
A, B, and the first two physical hard disks) when I/O
is done to those drives. It also hides the viral boot
record from normal reads, returning an image of the
original boot record. The keyboard handler is used by
the virus to remain in memory when a soft
(Ctrl+Alt+Del) reboot is done. The DOS service call
handler is used to choose a good time to activate if
the date is January 5th.
On infected diskettes, the virus resides in the boot
record and in a specially formatted extra track that
the virus creates. Using DISKCOPY or other normal
disk-imaging or disk-copying tools does not make a
true image of the infected diskette (most of the virus
and the original boot record will be missing). Virus
verification tools tell you that such a diskette is
not infected with the normal Joshi virus.
If a hard disk that was partitioned by a version of
FDISK prior to DOS version 3.0 becomes infected, the
virus will overwrite part of the File Allocation Table
with part of itself. This is true regardless of the
version of DOS actually installed on the disk at the
time of infection. The only determining factor is the
version of FDISK last used to partition the drive.
When the disk is not very full, this does not cause
noticeable symptoms for some time. When the disk is
full, it causes extensive file cross-linking and
corruption.
The Joshi-00 Virus
__________________
Name Joshi-00
Alias(es)
Virus Family Joshi
Classification Resident diskette and hard disk master boot infector
Length of Virus Boot record and 8 additional sectors on hard disk or
diskette
Behavior Summary On January 5th, infected machines display the message
"Type Happy Birthday Joshi!", and freeze until "happy
birthday joshi" is typed on the keyboard. When an
infected hard disk or diskette is booted, the virus
loads itself into high memory and intercepts the
keyboard, timer, disk, and (a bit later) DOS service
call vectors. The viral disk I/O handler infects the
boot record of BIOS drives 00, 01, 80 and 81 (drives
A, B, and the first two physical hard disks) when I/O
is done to those drives. It also hides the viral boot
record from normal reads, returning an image of the
original boot record. Although this version of the
virus is slightly damaged and it might be possible to
read the viral boot record with a clever use of
VERIFY, this has not been tested. The keyboard handler
is used by the virus to remain in memory when a soft
(Ctrl+Alt+Del) reboot is done. The DOS service call
handler is used to choose a good time to activate if
the date is January 5th.
On infected diskettes, the virus resides in the boot
record and in a specially formatted extra track that
the virus creates. Using DISKCOPY or other normal
disk-imaging or disk-copying tools does not make a
true image of the infected diskette (most of the virus
and the original boot record will be missing). Virus
verification tools tell you that such a diskette is
not infected with the normal Joshi virus.
If a hard disk that was partitioned by a version of
FDISK prior to DOS version 3.0 becomes infected, the
virus will overwrite part of the File Allocation Table
with part of itself. This is true regardless of the
version of DOS actually installed on the disk at the
time of infection. The only determining factor is the
version of FDISK last used to partition the drive.
When the disk is not very full, this does not cause
noticeable symptoms for some time. When the disk is
full, it causes extensive file cross-linking and
corruption.
The Joshi-00 is a variant of the Joshi virus. One word
has been overwritten with binary zeros, which has
little or no effect on the function of the virus.
The Kennedy-163 Virus
_____________________
Name Kennedy-163
Alias(es) Tiny-163
Virus Family Kennedy
Classification Non-resident COM file virus for IBM DOS
Length of Virus 163 bytes
Behavior Summary This virus does nothing except infect COM files.
The Keypress Virus
__________________
Name Keypress
Alias(es) Turku
Virus Family
Classification Resident COM and EXE file virus for IBM DOS
Length of Virus Approximately 1232 bytes
Behavior Summary When an infected file is executed, the virus loads
into memory. If the active version of DOS is 3.0 or
later, it will infect all files executed later. If the
active version of DOS is earlier than 3.0, it infects
all files having an extension of COM or EXE that are
opened, except system files. At intervals of 10
minutes, the virus causes spurious simulated
keystrokes for a period of 2 seconds and causes the
keyboard to appear "stuck".
The Lao Doung Virus
___________________
Name Lao Doung
Alias(es) Loa Doung, Lao Duong
Virus Family
Classification Resident diskette and hard disk system (non-master)
boot infector
Length of Virus Boot record and one additional hard disk or diskette
sector
Behavior Summary When an infected disk or diskette is booted, the virus
installs itself in memory. When booted from diskette,
it attempts to infect the boot record of the first
partition on the first fixed disk. When the virus is
in memory, it occasionally plays "music" through the
PC speaker (our correspondents in Thailand tell us
that the tune is an old folk song called Lao Doung
Duen).
Due to assumptions made about the setup of hard disks,
the virus might fail to infect and/or might damage
data on some hard disks.
The Lehigh I Virus
__________________
Name Lehigh I
Alias(es)
Virus Family Lehigh
Classification Resident COMMAND.COM infector (IBM DOS)
Length of Virus Approximately 530 bytes
Behavior Summary This virus spreads between COMMAND.COM files. On the
fourth infection, it writes random data to the lower
32 sectors of the disk, making files on them
inaccessible. Infected COMMAND.COM files do not change
in length because the virus writes itself over buffer
space within the file.
The Liberty Virus
_________________
Name Liberty
Alias(es) Mystic
Virus Family Liberty
Classification Resident COM, EXE, and diskette boot infector for IBM
DOS
Length of Virus Approximately 2857 bytes
Behavior Summary When an infected file is run, the virus loads into
memory and infects EXE and COM files that are later
executed. Rarely, the virus also infects the boot
record of a diskette. When you boot from an infected
diskette the virus installs itself in memory to infect
COM and EXE files, and also installs a number of
"prank" routines that sometimes replace text sent to
the screen, the printer, or the asynchronous
communication ports with the word "MAGIC". Also, on
rare occasions, it displays "M A G I C ! ! !" on the first
line of the screen momentarily.
The Liberty-B Virus
___________________
Name Liberty-B
Alias(es) Mystic
Virus Family Liberty
Classification Resident COM, EXE, and diskette boot infector for IBM
DOS
Length of Virus Approximately 2867 bytes
Behavior Summary When an infected file is run, the virus loads into
memory and infects EXE and COM files that are later
run. Rarely, the virus infects the boot record of a
diskette. When you boot with an infected diskette, the
virus installs itself in memory to infect COM and EXE
files and also installs a number of "prank" routines.
This is a slight, functionally identical variant of
the Liberty virus.
The Liberty-X Virus
___________________
Name Liberty-X
Alias(es) Mystic
Virus Family Liberty
Classification Resident COM and EXE infector for IBM DOS
Length of Virus Approximately 2857 bytes
Behavior Summary When an infected file is run, the virus loads into
memory and infects EXE and COM files that are later
run. This is a damaged variant of the Liberty virus,
which cannot infect diskettes, and does not contain
the "prank" code from the Liberty virus. In
circumstances where the Liberty would infect a
diskette, the Liberty-X malfunctions, generally
hanging the system.
The Live After Death Virus
__________________________
Name Live After Death
Alias(es) V810
Virus Family V800
Classification Resident COM infector for IBM DOS
Length of Virus 810 bytes
Behavior Summary This virus infects only COM files of specific lengths.
It attempts to intercept DOS requests at a low level
in order to avoid detection by security programs.
The Michelangelo Virus
______________________
Name Michelangelo
Alias(es)
Virus Family
Classification Diskette and hard disk master boot-record infector
Length of Virus Boot record and one additional hard disk or diskette
sector
Behavior Summary When booted from diskette, this virus infects the
master boot record of the first hard disk (if any) and
installs the virus in memory. When booted from an
infected hard disk, it only installs the virus in
memory. While the virus is in memory, diskettes used
in drive A become infected. If the date is March 6th
when you boot from an infected disk or diskette, the
virus will overwrite parts of the boot disk with
random data.
The Microbe Virus
_________________
Name Microbe
Alias(es) Microbes
Virus Family
Classification Resident diskette boot infector
Length of Virus Boot record and 8 additional sectors on hard disk or
diskette
Behavior Summary When you boot from an infected diskette, the virus
installs itself in memory and infects any writeable
diskette used in drives A or B later. If a diskette is
infected with the Brain virus, it will remove the
Brain infection before installing itself. While the
virus is active in memory, attempts to read or write
to an infected boot record are redirected to the saved
original boot record instead. The virus uses eight
sectors (four clusters) on diskette, which it marks as
"bad" in the DOS File Allocation Table. If the virus
has been booted a large number of times, it will
display during the boot process a message that begins
"This MICROBE is dedicated to...".
The MIX1 Virus
______________
Name MIX1
Alias(es)
Virus Family Iceland/Saratoga
Classification Resident EXE infector
Length of Virus Approximately 1618 bytes
Behavior Summary When an infected program is run, the virus installs
itself in memory; later, if any file with an extension
beginning with "EX" is run, it will be infected. This
virus differs from the Saratoga 1 in that it does not
mark sectors as bad, and it contains code to cause
errors (character substitutions) in serial and printer
output using BIOS, and to cause a bouncing ball to
appear on the screen in some conditions. The bouncing
ball code appears to have a bug that sometimes hangs
the machine.
The MIX1-B Virus
________________
Name MIX1-B
Alias(es)
Virus Family Iceland/Saratoga
Classification Resident EXE infector
Length of Virus Approximately 1618 bytes
Behavior Summary When an infected program is run, the virus installs
itself in memory; later, if any file with an extension
beginning with "EX" is run, it will be infected. The
virus contains code to cause errors (character
substitutions) in serial and printer output using BIOS
and to cause a bouncing ball to appear on the screen
in some conditions. Some of the errors in the MIX1
virus seem to be fixed in this variant.
The Noint Virus
_______________
Name Noint
Alias(es)
Virus Family
Classification Diskette and hard disk master boot record infector.
Length of Virus Approximately 420 bytes
Behavior Summary When booted from diskette, the virus infects the
master boot record of the first hard disk (if any) and
installs the virus in memory. When booted from an
infected hard disk, it only installs the virus in
memory. While the virus is in memory, any diskettes read
from that are not write-protected become infected. If the
virus is active in memory, attempts to read the
infected boot record from the first hard disk will see
the original uninfected boot record instead. The virus
has no intentional side-effects, destructive or
otherwise.
The Ohio Virus
______________
Name Ohio
Alias(es)
Virus Family Ohio
Classification Diskette boot record infector
Length of Virus Boot record and 5 additional sectors on hard disk or
diskette
Behavior Summary When you boot from an infected diskette, the virus
loads into memory and infects diskettes used in drive
A or B later. If the virus finds signs of the Brain
virus on a diskette, it will remove the Brain
infection before installing itself. If the virus is in
memory and a color display is active when the user
presses Ctrl+Alt+Del, the virus will sometimes hang
the machine. It seems to be designed to display a
graphic, similar to the Den Zuk virus to which it is
closely related. In all samples seen so far, the
graphic code is missing and the system hangs.
The OROPAX Virus
________________
Name OROPAX
Alias(es)
Virus Family
Classification Resident COM infector for IBM DOS
Length of Virus Approximately 2765 bytes
Behavior Summary When an infected file is executed, the virus installs
itself in memory. At certain times later (such as
creation of a file or subdirectory, and renaming of a
file), the virus infects one additional file having an
extension of COM. Infected files can grow by as much
as 2815 bytes. Under some circumstances, the virus
causes music to play from the PC's speaker (although
on some machines the music is never played, in spite
of the infection).
The Perfume-765 Virus
_____________________
Name Perfume-765
Alias(es) 4711
Virus Family
Classification Resident COM infector for IBM DOS
Length of Virus Approximately 765 bytes
Behavior Summary When an infected file is run, the virus installs
itself in memory, and any file with an extension of
COM that is run later is infected. After a certain
number of files have been infected, running an
infected program causes a message to be displayed, and
execution continues only if you type "4711". In the
sample of the virus we have, the message area has been
overlaid with zeros and other binary values. There
are text variants where the message says something
intelligible.
The Plastique-Danube Virus
__________________________
Name Plastique-Danube
Alias(es) Plastique, Invader, Anticad 4.Danube
Virus Family Plastique, 1813
Classification Resident COM, EXE, diskette, and partition boot sector
infector for IBM DOS
Length of Virus Approximately 4096 bytes
Behavior Summary When an infected file is run, the virus loads into
memory and infects EXE and COM files that are later
run or opened as read-only, and infects the partition
(DOS) boot sector on diskettes and hard disks that are
later read from. When the virus is active in memory,
it sometimes slows down the machine, sometimes plays
the Blue Danube Waltz through the PC speaker, and
sometimes causes hard disk and diskette writes to fail
(after a certain number of keystrokes without a hard
disk or diskette write). Under various circumstances
involving whether or not you have run ACAD.EXE, the
number of keystrokes since the last hard disk write,
and the user pressing Ctrl+Alt+Del, the virus hangs
the system, sometimes after writing garbage to the
first two diskettes or the first two physical hard
disks. This virus is closely related to the other
members of the Plastique family, especially the
Plastique 5.21 and the Plastique-Invader viruses.
The virus also removes the "Disk Killer" virus from
hard disks and diskettes that it infects and attempts
to disable that virus if it is resident in memory.
The Plastique-Invader Virus
___________________________
Name Plastique-Invader
Alias(es) Plastique, Invader, Anticad 4.Mozart
Virus Family Plastique, 1813
Classification Resident COM, EXE, diskette, and partition boot sector
infector for IBM DOS
Length of Virus Approximately 4096 bytes
Behavior Summary When an infected file is run, the virus loads into
memory and infects EXE and COM files that are later
run or opened as read-only, and infects the partition
(DOS) boot sector on diskettes and hard disks that are
later read from. When the virus is active in memory,
it sometimes slows down the machine, sometimes plays
the theme from the first movement of Mozart's 40th
through the PC speaker, and sometimes causes hard disk
or diskette writes to fail (after a certain number of
keystrokes without a hard disk or diskette write).
Under various circumstances involving whether or not
you have run ACAD.EXE, the number of keystrokes since
the last disk write, and whether you press
Ctrl+Alt+Del, the virus hangs the system, sometimes
after writing garbage to the first two diskettes or to
the first two physical hard disks. This virus is
closely related to the other members of the Plastique
family, especially the Plastique 5.21 and the
Plastique-Danube viruses.
The virus also removes the "Disk Killer" virus from
hard disks and diskettes that it infects and attempts
to disable that virus if it is resident in memory.
The Plastique-2576 Virus
________________________
Name Plastique-2576
Alias(es) Plastique, Anticad, Anticad 5, Taiwan 4
Virus Family Plastique, 1813
Classification Resident COM and EXE infector for IBM DOS
Length of Virus Approximately 2576 bytes
Behavior Summary When an infected file is run, the virus loads into
memory and infects EXE and COM files that are later
run. When the virus is active in memory, it
sometimes slows down the machine, and sometimes plays
music through the PC speaker. If you run a file called
ACAD.EXE, it will be overwritten with garbage and
erased instead. Much of the code in this virus is
taken from the 1813 virus, but many of the 1813
virus's symptoms (such as EXE re-infection, file
erasure on Friday the 13th, black boxes) have been
removed.
The Plastique-2900 Virus
________________________
Name Plastique-2900
Alias(es) Plastique, Anticad, Anticad 2, Taiwan 3
Virus Family Plastique, 1813
Classification Resident COM and EXE infector for IBM DOS
Length of Virus Approximately 2900 bytes
Behavior Summary When an infected file is run, the virus loads into
memory and infects EXE and COM files that are later
run or opened as read-only. When the virus is active
in memory, it sometimes slows down the machine,
sometimes plays music through the PC speaker, and
sometimes causes hard disk and diskette writes to fail
(after a certain number of keystrokes without a hard
disk and diskette write). If you execute a file called
ACAD.EXE, or press Ctrl+Alt+Del under certain
circumstances, the virus hangs the system, sometimes
after writing garbage to the first two diskettes and
the first two physical hard disks. Much of the code in
this virus is taken from the Plastique-2576 virus.
The Plastique 4.51 Virus
________________________
Name Plastique 4.51
Alias(es) Plastique, Anticad, Anticad 3.a
Virus Family Plastique, 1813
Classification Resident COM and EXE infector for IBM DOS
Length of Virus Approximately 3012 bytes
Behavior Summary When an infected file is run, the virus loads into
memory and infects EXE and COM files that are later
run or opened as read-only. When the virus is active in
memory, it sometimes slows down the machine, sometimes
plays music through the PC speaker, and sometimes
causes hard disk and diskette writes to fail (after a
certain number of keystrokes without a hard disk and
diskette write). Under various circumstances involving
whether or not you have run a file called ACAD.EXE,
the number of keystrokes since the last disk write,
and whether you press Ctrl+Alt+Del, the virus hangs the
system, sometimes after writing garbage to the first
two diskettes or the first two physical hard disks.
Much of the code in this virus is taken from the
Plastique-2900 virus.
The Plastique 4.51-b Virus
__________________________
Name Plastique 4.51-b
Alias(es) Plastique, Anticad, Anticad 3.b
Virus Family Plastique, 1813
Classification Resident COM and EXE infector for IBM DOS
Length of Virus Approximately 3004 bytes
Behavior Summary When an infected file is run, the virus loads into
memory and infects EXE and COM files that are later
run or opened as read-only. When the virus is active
in memory, it sometimes slows down the machine,
sometimes plays music through the PC speaker, and
sometimes causes hard disk and diskette writes to fail
(after a certain number of keystrokes without a hard
disk and diskette write). Under various circumstances
involving whether or not you have run a file called
ACAD.EXE, the number of keystrokes since the last hard
disk write, and whether you press Ctrl+Alt+Del, the
virus hangs the system, sometimes after writing
garbage to the first two diskettes or the first two
physical hard disks. This virus is nearly identical to
the Plastique 4.51 virus.
The Plastique 5.21 Virus
________________________
Name Plastique 5.21
Alias(es) Plastique, Anticad, Anticad 1.b
Virus Family Plastique, 1813
Classification Resident COM, EXE, diskette, and partition boot sector
infector for IBM DOS
Length of Virus Approximately 4096 bytes
Behavior Summary When an infected file is run, the virus loads into
memory and infects EXE and COM files that are later
run or opened as read-only, and the partition (DOS)
boot sector on diskettes and hard disks that are later
read from. When the virus is active in memory, it
sometimes slows down the machine, sometimes plays
music through the PC speaker, and sometimes causes
hard disk and diskette writes to fail (after a certain
number of keystrokes without a hard disk and diskette
write). If you run a program called ACAD.EXE, the
virus will print a warning message. Under various
circumstances involving whether or not you have run
ACAD.EXE, the number of keystrokes since the last hard
disk write, and whether you press Ctrl+Alt+Del, the
virus hangs the system, sometimes after writing
garbage to the first two diskettes or the first two
physical hard disks. Much of the code in this virus is
taken from the Plastique-2900 virus.
The virus also removes the "Disk Killer" virus from
hard disks and diskettes that it infects, and attempts
to disable that virus if it is resident in memory.
The PrtSc Virus
_______________
Name PrtSc
Alias(es) Print Screen
Virus Family
Classification Resident diskette and hard disk system (non-master)
boot infector
Length of Virus Boot record only
Behavior Summary When you boot from an infected hard disk or diskette,
the virus installs itself in memory and infects any
diskette and the boot sector of the first partition of
any hard disk read later. At intervals, the virus
causes a false INT 5 that usually causes the contents
of the screen to be printed on the local printer (the
same as pressing the Print Screen key).
Because of assumptions made about the setup of hard
disks, the virus can fail to infect or damage data on
some hard disks.
The Saratoga 1 Virus
____________________
Name Saratoga 1
Alias(es) Disk Crunching, Iceland, Icelandic, Saratoga
Virus Family Iceland/Saratoga
Classification Resident EXE infector
Length of Virus Approximately 642 bytes
Behavior Summary When an infected program is run, the virus installs
itself in memory; later, if any file with an extension
beginning with "EX" is run, it will be infected. On
certain types of hard disks, randomly chosen sectors
are marked gradually as "bad".
The Saratoga 2 Virus
____________________
Name Saratoga 2
Alias(es) Disk Crunching, Iceland, Icelandic, Saratoga
Virus Family Iceland/Saratoga
Classification Resident EXE infector
Length of Virus Approximately 656 bytes
Behavior Summary When an infected program is run, the virus installs
itself in memory; later, if any file with an extension
beginning with "EX" is run, it will be infected. On
certain types of hard disks, randomly chosen sectors
are marked gradually as "bad". This virus differs from
the Saratoga 1 in that it does not install itself if
any program has intercepted the BIOS disk I/O request.
The SBC Virus
_____________
Name SBC
Alias(es)
Virus Family
Classification Resident EXE and COM infector
Length of Virus Approximately 2845 bytes
Behavior Summary When an infected program is executed, the virus
installs itself in memory and infects files that are
later executed or opened. The length changes caused by
the virus are not obvious if the virus is active in
memory. The output of the DIR command shows the
original uninfected lengths.
The Slow-1721 Virus
___________________
Name Slow-1721
Alias(es) Slow
Virus Family Slow, 1813
Classification Resident COM and EXE infector for IBM DOS
Length of Virus Approximately 1721 bytes
Behavior Summary When an infected file is run, the virus loads into
memory and infects files that are later run. On some
Fridays, the virus sets to zero the timestamps of
files written to.
The Solano Virus
________________
Name Solano
Alias(es) Dyslexia V2.01
Virus Family
Classification Resident COM infector for IBM DOS
Length of Virus 2000 bytes
Behavior Summary When an infected file is run, the virus loads into
memory and infects COM files (except COMMAND.COM) that
are later run. While the virus is resident in memory,
on rare occasions it swaps a pair of adjacent digits
on the display screen.
The StarDot-600 Virus
_____________________
Name StarDot-600
Alias(es)
Virus Family StarDot
Classification Non-resident EXE infector for IBM DOS
Length of Virus 600 bytes in infected COM files; some additional
padding bytes in infected EXE files.
Behavior Summary When an infected file is run, the virus chooses from
the files on the default drive an uninfected EXE file
with the "archive" bit on and infects that file. If
the day of the week is equal to the value of an
internal counter, the virus will also overwrite random
areas on the current disk drive and will send random
bytes to the I/O ports associated with system devices,
such as printers and displays.
The StarDot-789 Virus
_____________________
Name StarDot-789
Alias(es)
Virus Family StarDot
Classification Non-resident COM and EXE infector for IBM DOS
Length of Virus Approximately 789 bytes
Behavior Summary When an infected file is run, the virus chooses from
the files on the default drive an uninfected EXE or
COM file with the "archive" bit on and infects that
file. If the date is February 13th and the time is
after 1 p.m. when an infected file is run, it will
overwrite the beginning of every hard disk in the
system starting with Z. This virus is functionally
identical to the StarDot-801 virus.
The StarDot-801 Virus
_____________________
Name StarDot-801
Alias(es)
Virus Family StarDot
Classification Non-resident COM and EXE infector for IBM DOS
Length of Virus Approximately 801 bytes
Behavior Summary When an infected file is run, the virus chooses from
the files on the default drive an uninfected EXE or
COM file with the "archive" bit on and infects that
file. If the date is February 13th and the time is
after 1 p.m. when an infected file is run, it will
overwrite the beginning of every hard disk in the
system, starting with Z. This virus is functionally
identical to the StarDot-789 virus.
The Stoned Virus
________________
Name Stoned
Alias(es) Hawaii, Marijuana, New Zealand, San Diego, Smithsonian
Virus Family
Classification Diskette and hard disk boot infector
Length of Virus Boot record and one additional hard disk or diskette
sector
Behavior Summary When a computer is booted from an infected diskette,
the virus infects the master boot record of the first
physical hard disk, installs itself in memory, and
sometimes displays the message "Your PC is now
Stoned!" When a computer is booted from an infected
hard disk, the virus also installs itself in memory
but does not display the message. When the virus is in
memory, any diskette used in drive A may become
infected. The virus has no intentionally destructive
features but causes FAT damage and possible data loss
on hard disks partitioned in certain ways.
The Stoned-C Virus
__________________
Name Stoned-C
Alias(es) Hawaii, Marijuana, New Zealand, San Diego, Smithsonian
Virus Family Stoned
Classification Diskette and hard-disk boot infector
Length of Virus Boot record and one additional hard disk or diskette
sector
Behavior Summary This virus infects diskettes and the hard disk master
boot record. There are no obvious symptoms. This is a
variant of the Stoned virus with the message removed.
The Sunday Virus
________________
Name Sunday
Alias(es)
Virus Family 1813
Classification Resident COM and EXE file virus for IBM DOS
Length of Virus 1636 bytes in infected COM files; some additional
padding bytes in infected EXE files.
Behavior Summary This virus is similar to the 1813 virus, except the
file-erasing trick is done only on Sundays after 1989.
The slow-down and box-scrolling are replaced with a
routine that sometimes prints a message about going
out and having some fun. This message is displayed
only on Sundays after 1989.
The Sunday 2 Virus
__________________
Name Sunday 2
Alias(es)
Virus Family 1813
Classification Resident COM and EXE file virus for IBM DOS
Length of Virus 1733 bytes in infected COM files; some additional
padding bytes in infected EXE files.
Behavior Summary This virus is similar to the 1813 virus except the
file-erasing trick is done only on Sundays after 1989.
The slow-down and box-scrolling are replaced with a
routine that sometimes prints a message about going
out and having some fun. This message is displayed
only on Sundays after 1989. Also, the virus sometimes
writes the word "PLAY" in the upper-left corner of the
display.
The sURIV 3.00 Virus
____________________
Name sURIV 3.00
Alias(es) Jerusalem-2E
Virus Family 1813
Classification Resident COM and EXE file virus for IBM DOS
Length of Virus 1813 bytes in infected COM files; some additional
padding bytes in infected EXE files.
Behavior Summary This virus erases files executed on Fridays and causes
some odd system behavior. It is similar to the 1813
virus.
The Sylvia Virus
________________
Name Sylvia
Alias(es) Holland Girl
Virus Family
Classification Non-resident COM infector for IBM DOS
Length of Virus Approximately 1332 bytes
Behavior Summary When an infected file is run, it infects up to 5 files
with an extension of COM in the current directories on
the current drive and on drive C. The virus has no
known side effects. It gets its name from the presence
of an unused text area containing a name and address
of someone named Sylvia from the Netherlands plus a
suggestion to send her a funny postcard.
The SYSLOCK Virus
_________________
Name Syslock
Alias(es) Macho, Macho-A, 3551
Virus Family Syslock
Classification Non-resident COM and EXE infector for IBM DOS
Length of Virus 3551 bytes
Behavior Summary When an infected file is run, the virus looks through
the directory tree on the current drive and infects
one EXE or COM file at random. Sometimes
(approximately every fifth time it runs), it picks a
random sector on the current disk and changes all
occurrences of the string "Microsoft" to "MACROSOFT".
A text variant also exists that uses "MACHOSOFT"
instead of "MACROSOFT."
The Tequila Virus
_________________
Name Tequila
Alias(es)
Virus Family
Classification Resident EXE and hard disk master boot infector for
IBM DOS
Length of Virus Approximately 2470 bytes
Behavior Summary When an infected file is run, it infects the master
boot record of the first hard disk. When a system is
booted from an infected hard disk, the virus loads
into memory and infects any EXE files subsequently
run. The virus displays a low-resolution Mandelbrot
set (a vaguely circular pattern of colors) on the
monitor. The virus has a number of complex, but
basically uninteresting, features having to do with
not infecting files with certain names, trying to
escape detection by making each infected file slightly
different, and so on. From your point of view, though,
detection is not difficult.
The TP16VIR Virus
_________________
Name TP16VIR
Alias(es)
Virus Family TPxxVIR
Classification Resident EXE-converter and COM infector for IBM DOS
Length of Virus Approximately 1339 bytes
Behavior Summary This virus converts EXE-formatted files to COM format
and infects COM-formatted files. The virus becomes
resident when the first infected file is run and
converts or infects any files that are run later. This
virus is similar to the VACSINA virus.
The TP45VIR Virus
_________________
Name TP45VIR
Alias(es) Yankee Doodle, TP45
Virus Family Yankee Doodle (TPxxVIR)
Classification Resident COM and EXE infector for IBM DOS
Length of Virus Approximately 2901 bytes
Behavior Summary When an infected program is run, this virus loads into
memory and infects any program run later. At 5:00 p.m.
infected systems sometimes play "Yankee Doodle"
through the speaker. This virus also has complex (but
basically uninteresting) interactions with previous
viruses in the same family, and with the Bouncing Ball
virus. From your point of view, this virus is
essentially identical to the Yankee Doodle-2885 virus
(and some other members of this family).
The Traceback-2930 Virus
________________________
Name Traceback-2930
Alias(es) Traceback II
Virus Family Traceback
Classification Resident COM and EXE infector
Length of Virus Approximately 2930 bytes
Behavior Summary When an infected program is run, the virus installs
itself in memory and also looks for a file to infect
on the current disk. Any files executed later can also
become infected. Approximately one hour after
executing the first infected program, a "falling
letters" display, similar to that produced by the 17xx
family of viruses, will occur. At the first keystroke
after the display, the screen returns to normal; this
performance is repeated periodically. This virus is
very similar to the 3066 virus.
The Traceback-3066 Virus
________________________
Name Traceback-3066
Alias(es) Traceback
Virus Family Traceback
Classification Resident COM and EXE infector
Length of Virus Approximately 3066 bytes
Behavior Summary When an infected program is run, the virus installs
itself in memory and also looks for a file to infect
on the current disk. Any files run later can also
become infected. Approximately one hour after running
the first infected program, a "falling letters"
display, similar to that produced by the 17xx family
of viruses, occurs. At the first keystroke after the
display, the screen returns to normal. This
performance is repeated periodically. This virus is
very similar to the 2930 virus.
The VACSINA Virus
_________________
Name VACSINA
Alias(es)
Virus Family TPxxVIR
Classification Resident EXE-converter and COM infector for IBM DOS
Length of Virus Approximately 1206 bytes
Behavior Summary This virus converts EXE-formatted files to COM format,
and infects COM-format files. The virus becomes
resident when the first infected file is run and
converts or infects any files that are run later. The
system might "beep" when new files are infected.
The Vienna-Ghost Virus
______________________
Name Vienna-Ghost
Alias(es) Ghostballs
Virus Family Vienna, Bouncing Ball
Classification Non-resident COM infector / boot modifier
Length of Virus 2351 bytes
Behavior Summary This virus infects COM files exactly as the Vienna-648
virus does, except it does not do the file damage of
the Vienna-648 virus. When an infected file is run,
the virus (as well as spreading) writes to drive A a
boot sector that resembles the Bouncing Ball/286 boot
sector in all functions except spreading. That is, the
new boot sector sometimes produces a bouncing ball on
the screen after booting and is detected as infected
by the Bouncing Ball virus by some detectors, but it
will not spread itself to other diskettes (only COM
files infected with the Ghost virus spread it).
The Vienna-Lisbon Virus
_______________________
Name Vienna-Lisbon
Alias(es) Lisbon
Virus Family Vienna
Classification Non-resident COM file virus for IBM DOS
Length of Virus 648 bytes
Behavior Summary This virus overlays some COM files with the string
"@AIDS", rendering them nonfunctional.
The Vienna-648 Virus
____________________
Name Vienna-648
Alias(es) Austrian, DOS-62, DOS-68, One-In-Eight, Reboot,
Unesco, Vienna
Virus Family Vienna
Classification Non-resident COM file virus for IBM DOS
Length of Virus 648 bytes
Behavior Summary When an infected program is run, this virus looks for
one uninfected COM file along the DOS PATH and infects
it. It overlays some COM files with code that reboots
the machine.
The W13-A Virus
_______________
Name W13-A
Alias(es) Polish
Virus Family W13
Classification Non-resident COM file virus for IBM DOS
Length of Virus 534 bytes
Behavior Summary Infected COM files infect other COM files when they
are run. No other effects.
The W13-B Virus
_______________
Name W13-B
Alias(es) Polish
Virus Family W13
Classification Non-resident COM file virus for IBM DOS
Length of Virus 507 bytes
Behavior Summary Infected COM files infect other COM files when they
are run. No other effects.
The Yale Virus
______________
Name Yale
Alias(es) Alameda, Merritt, Peking, Seoul, Yale Boot
Virus Family Yale
Classification Diskette boot infector
Length of Virus Boot record and one additional hard disk or diskette
sector
Behavior Summary This virus has no obvious damage or symptoms; it spreads
when Ctrl+Alt+Del is pressed in an infected machine
with an uninfected diskette in drive A.
The Yankee Doodle-2772 Virus
____________________________
Name Yankee Doodle-2772
Alias(es) Yankee Doodle, 2772, TP39VIR, Yankee Doodle-B
Virus Family Yankee Doodle (TPxxVIR)
Classification Resident COM and EXE infector for IBM DOS
Length of Virus Approximately 2772 bytes
Behavior Summary When an infected program is run, the virus loads into
memory and infects any program run later. At 5:00 p.m.
infected systems sometimes play "Yankee Doodle"
through the speaker. This virus also has complex (but
basically uninteresting) interactions with previous
viruses in the same family and with the Bouncing Ball
virus. From your point of view, this virus is
essentially identical to the Yankee Doodle-2885 (and
some other members of this family).
The Yankee Doodle-2885 Virus
____________________________
Name Yankee Doodle-2885
Alias(es) Yankee Doodle, 2885, TP44VIR
Virus Family Yankee Doodle (TPxxVIR)
Classification Resident COM and EXE infector for IBM DOS
Length of Virus Approximately 2885 bytes
Behavior Summary When an infected program is run, the virus loads into
memory and infects any program run later. At 5:00 p.m.
infected systems sometimes play "Yankee Doodle"
through the speaker. This virus also has complex (but
basically uninteresting) interactions with previous
viruses in the same family and with the Bouncing Ball
virus. From your point of view, this virus is
essentially identical to the Yankee Doodle-2772 (and
some other members of this family).
The 1381 Virus
______________
Name 1381
Alias(es) Internal
Virus Family
Classification Non-resident EXE infector for IBM DOS
Length of Virus Approximately 1381 bytes
Behavior Summary When an infected file is run, the virus looks for an
uninfected file with an extension of EXE on the
current disk (it looks randomly through
subdirectories) and infects it. If an infected file is
run more than about 90 days after it became infected,
it will display random-looking characters across the
screen, along with the message "INTERNAL ERROR 02CH.
PLEASE CONTACT YOUR HARDWARE MANUFACTURER IMMEDIATELY
! DO NOT FORGET TO REPORT THE ERROR CODE !" The virus
then removes itself from the infected file and you are
returned to DOS.
The 1392 Virus
______________
Name 1392
Alias(es) Amoeba, Khetapunk
Virus Family
Classification Resident COM and EXE infector for IBM DOS
Length of Virus Approximately 1392 bytes
Behavior Summary When an infected file is run, the virus installs
itself in memory. While in memory, the virus attempts
to infect files that are run, and COMMAND.COM files on
any disk while a free-space check is made. The DIR
command, for instance, does a free-space check. When
the virus has gone about four minutes without
infecting a file and the display is a CGA (in text
mode), the virus talks to the CRT controller to create
a 26th line on the display and writes the words "SMA
KHETAPUNK - NOUVEL Band A.M.O.E.B.A. by PrimeSoft
Inc" in yellow on purple background.
The virus contains a serious bug that causes it to
replicate imperfectly, and only early generations of
the virus are likely to function.
The 1536 Virus
______________
Name 1536
Alias(es) Zero Bug, Palette
Virus Family
Classification Resident COM infector for PC DOS
Length of Virus 1536 bytes
Behavior Summary This virus infects COMMAND.COM and other COM files
that are copied. Under some conditions, a "face"
appears on the screen, and "eats" displayed
characters.
The 1575 Virus
______________
Name 1575
Alias(es) Green Caterpillar
Virus Family
Classification Resident COM and EXE infector for IBM DOS
Length of Virus Approximately 1575 bytes
Behavior Summary When an infected file is run, it attempts to infect
the COMMAND.COM file in the root directory of drive C
and loads itself into memory if it is not already
present. It then infects files with an extension of
COM or EXE that are found by various file-search calls
(a DIR, for instance, often causes files found to be
infected). At times, the virus displays a small
horizontal green caterpillar running across your color
display, moving characters around on the screen and
changing their color.
The 1701 Virus
______________
Name 1701
Alias(es) 170x, 17xx, Austrian 2, Autumn, Blackjack, Cascade,
Fall, Falling Tears
Virus Family 17xx
Classification Resident COM infector for IBM DOS
Length of Virus 1701 bytes
Behavior Summary When an infected program is run, the virus loads into
memory and infects COM-formatted files run later. The
virus occasionally causes letters on the screen to
fall into a pile at the bottom of the display screen,
while causing "clicks" on the speaker. Due to complex
date interactions, it is possible to have an active
1701 infection without this symptom ever appearing.
The 1701-NoDate Virus
_____________________
Name 1701-NoDate
Alias(es)
Virus Family 17xx
Classification Resident COM infector for IBM DOS
Length of Virus 1701 bytes
Behavior Summary This virus spreads between COM files in IBM DOS.
Occasionally the virus causes letters on the screen to
fall into a pile at the bottom of the screen. It is a
minor variant of the 1701 virus.
The 1704 Virus
______________
Name 1704
Alias(es) 170x, 17xx, Austrian 2, Autumn, Blackjack, Fall,
Second Austrian
Virus Family 17xx
Classification Resident COM infector for IBM DOS
Length of Virus 1704 bytes
Behavior Summary This virus spreads among COM files in IBM DOS.
Occasionally the virus causes letters on the screen to
fall into a pile at the bottom.
The 1704-B Virus
________________
Name 1704-B
Alias(es) 170x, 17xx, Cascade-B
Virus Family 17xx
Classification Resident COM infector for IBM DOS
Length of Virus 1704 bytes
Behavior Summary This virus spreads among COM files in IBM DOS.
Occasionally the virus causes letters on the screen to
fall into a pile at the bottom.
The 1704-C Virus
________________
Name 1704-C
Alias(es) 170x, 17xx
Virus Family 17xx
Classification Resident COM infector for IBM DOS
Length of Virus 1704 bytes
Behavior Summary This virus spreads among COM files in IBM DOS.
Occasionally this virus causes letters on the screen
to fall into a pile at the bottom.
The 1704-Format Virus
_____________________
Name 1704-Format
Alias(es) 170x, 17xx
Virus Family 17xx
Classification Resident COM infector for IBM DOS
Length of Virus 1704 bytes
Behavior Summary This virus spreads among COM files in IBM DOS. Under
some conditions, the virus renders data on drive C
unreadable.
The 1704-Y Virus
________________
Name 1704-Y
Alias(es) 170x, 17xx
Virus Family 17xx
Classification Resident COM infector for IBM DOS
Length of Virus 1704 bytes
Behavior Summary This virus spreads among COM files in IBM DOS.
Occasionally this virus causes letters on the screen
to fall into a pile at the bottom. Infected programs
often malfunction. This is a damaged variant of the
1704 virus.
The 1813 Virus
______________
Name 1813
Alias(es) Black Friday, Black Hole, Hebrew University, Israeli,
Jerusalem, JV, Morbus Waiblingen, PLO, Russian,
sUMsDos
Virus Family 1813
Classification Resident COM and EXE file virus for IBM DOS
Length of Virus 1813 bytes in infected COM files; some additional
padding bytes in infected EXE files.
Behavior Summary When an infected program is run, the virus loads into
memory and infects any program run later. Because of a
bug in the virus, EXE-formatted files are infected
each time they are run. Frequently used files
eventually become too large to run. Because of another
bug, some files (including OS/2 and Windows EXE files
and very large COM files) do not run correctly after
being infected. The virus intentionally slows down
the machine at intervals. It also causes "black boxes"
to appear on the display, and erases any file executed
on any Friday the 13th.
The 1813-00 Virus
_________________
Name 1813-00
Alias(es)
Virus Family 1813
Classification Resident COM and EXE infector for IBM DOS
Length of Virus 1813 bytes in infected COM files; some additional
padding bytes in infected EXE files.
Behavior Summary This virus is a "mutation" (either accidental or
intentional) of the standard 1813 virus. One byte of
the virus has been changed to a zero. The main effect
is that if an uninfected program is run from a
write-protected diskette while the virus is active in
memory, the program often does not run at all and
simply exits back to the DOS command prompt. With this
exception, the virus is almost identical to the
standard 1813 virus.
The 1813-ANARKIA Virus
______________________
Name 1813-ANARKIA
Alias(es)
Virus Family 1813
Classification Resident COM and EXE file virus for IBM DOS
Length of Virus 1813 bytes in infected COM files; some additional
padding bytes in infected EXE files.
Behavior Summary This virus erases files run on Friday the 13th and
causes some odd system behavior. This virus is a
slight variant of the 1813 virus. It never causes the
1813 virus's "black box," and has a more drastic
system slowdown at times.
The 1813-Discom Virus
_____________________
Name 1813-Discom
Alias(es) Discom
Virus Family 1813
Classification Resident COM and EXE infector for IBM DOS
Length of Virus 2053 bytes in infected COM files; some additional
padding bytes in infected EXE files.
Behavior Summary Like the 1813 virus, the Discom virus loads into
memory and infects COM and EXE files that are later
run. But, unlike the 1813, it does not infect EXE
files multiple times and will not infect files with
names ending in the letters "acad". Rather than
erasing files run on Friday the 13th, the Discom virus
has a number of side effects, such as slowing down the
system, sending random data out the serial I/O ports,
and sometimes overlaying data on the hard drive.
The 1813-Not-13 Virus
_____________________
Name 1813-Not-13
Alias(es) Payday
Virus Family 1813
Classification Resident COM and EXE file virus for IBM DOS
Length of Virus 1813 bytes in infected COM files; some additional
padding bytes in infected EXE files.
Behavior Summary This virus erases files run on Fridays that are not
the 13th of the month and causes some odd system
behavior. This virus is an almost-identical variant of
the 1813 virus.
The 1813-Swiss Virus
____________________
Name 1813-Swiss
Alias(es)
Virus Family 1813
Classification Resident COM and EXE file virus for IBM DOS
Length of Virus 1813 bytes in infected COM files; some additional
padding bytes in infected EXE files.
Behavior Summary This virus erases files run on Friday the 13th and
causes some odd system behavior. This virus is a
functionally identical code variant of the 1813 virus.
The 1813-Tuesday-the-13th Virus
_______________________________
Name 1813-Tuesday-the-13th
Alias(es)
Virus Family 1813
Classification Resident COM and EXE file virus for IBM DOS
Length of Virus 1813 bytes in infected COM files; some additional
padding bytes in infected EXE files.
Behavior Summary This virus erases files executed on Tuesdays that are
also the 13th of the month and causes some odd system
behavior. It is an almost identical variant of the
1813 virus.
The 2086 Virus
______________
Name 2086
Alias(es) Fu Manchu
Virus Family 1813
Classification Resident COM and EXE file virus for IBM DOS
Length of Virus 2086 bytes in infected COM files; some additional
padding bytes in infected EXE files. (More precisely,
2080 bytes of code and 6 bytes of virus
self-recognition string in COM files, and 0-15 bytes
of padding followed by 2080 bytes of code in EXE
files.)
Behavior Summary This virus hooks the keyboard interrupts, waits for
any of the names "Fu Manchu, Reagan, Thatcher, Botha,
or Waldeim" to be typed in upper case or lower case
letters followed by a space, and adds its own remarks
about them in the keyboard buffer so they are entered
as the rest of the text. This virus also slowly
displays a message when the system is restarted by
pressing Ctrl+Alt+Del.
The 4096 Virus
______________
Name 4096
Alias(es) Stealth, Century
Virus Family
Classification Resident EXE and COM infector for IBM DOS
Length of Virus 4096 bytes
Behavior Summary When an infected program is run, the virus becomes
resident in memory and infects any files run and any
executable files opened and closed later. If the date
is between September 22 and December 31 of any year,
the virus will generally hang the machine (due to bugs
in code that seem to be intended to overwrite the boot
record with a program to display the message "Frodo
Lives" when the machine boots).
The 555 Virus
_____________
Name 555
Alias(es) QUIT1992
Virus Family 555
Classification Resident COM and EXE infector for IBM DOS
Length of Virus 555 bytes in infected COM files; some additional
padding bytes in infected EXE files.
Behavior Summary When an infected file is run, the virus loads into
memory and infects EXE and COM files that are later
run. If the year is 1992 or greater when an infected
file is executed, the virus will install itself and
exit immediately to DOS, without running the original
victim program.
The 555-B Virus
_______________
Name 555-B
Alias(es) QUIT1992
Virus Family 555
Classification Resident COM and EXE infector for IBM DOS
Length of Virus 555 bytes in infected COM files; some additional
padding bytes in infected EXE files.
Behavior Summary When an infected file is run, the virus loads into
memory and infects EXE and COM files that are later
run. If the year is 1992 or later when an infected
file is run, the virus will install itself and will
exit immediately to DOS, without running the original
program. This virus is almost identical to the 555
virus.