home *** CD-ROM | disk | FTP | other *** search
-
- Please find enclosed a list of known viruses in the UK prepared by
- Joe Hirst of the BCVRC, he is happy that it be distributed as widely
- as possible.
-
- Of great interest is the new Fu Manchu variant of the Israeli virus,
- a virus with a slightly embarassing manipulation task!
-
- Ps. Joe doesn't have a mail box to date but I will relay any requests,
- comments or information you pass on.
-
- D.Ferbrache
- European co-ordinator
- Comp.Virus
-
- IMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM;
- : Joe Hirst British Computer Virus Research Centre :
- : 12 Guildford Street, Brighton, East Sussex, BN1 3LS, England :
- : Telephone: Domestic 0273-26105, International +44-273-26105 :
- : :
- : List of known PC viruses :
- : :
- : This list is intended to give enough information to identify a virus :
- : or a variant form of a virus. It is not intended by itself to supply :
- : enough information for a programmer to deal with a virus. If any virus :
- : is found which does not exactly match any of the following descriptions :
- : the Centre requests that a copy of the virus be sent to us, or to a :
- : local researcher known to be in contact with us. :
- HMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM<
-
- 1. 405
- Parasitic virus - overwriting
-
- Type description:
- Virus occurs overwriting the first 405 bytes of a COM file. The virus
- will attempt to infect one COM file on a different disk to the current
- one. If the length of the file to be infected is less than 405 bytes,
- the length will be increased to 405. Due to mistakes in the code it is
- not able to infect other than in the current directory, nor is it able
- to recognise an infected file.
-
- -----------
-
- 2. Brain
- Boot virus - floppy only
-
- Type description:
- This virus consists of a boot sector and three clusters (6 sectors)
- marked as bad in the FAT. The first of these sectors contains the
- original boot sector, and the rest contain the rest of the virus. It
- only infects 360K floppies, and it occupies 7K of memory. It creates a
- label on an infected disk of ' (c) Brain '. There are a number of
- unused character strings which can be used to identify it:
-
- Offset 0010H:
- ' Welcome to the Dungeon '
- ' (c) 1986 Basit & Amjad (pvt) Lt'
- 'd. BRAIN COMPUTER SERVICES..730 NI'
- 'ZAM BLOCK ALLAMA IQBAL TOWN LAHOR'
- 'E-PAKISTAN..PHONE :430791,443248,280530. '
- ' Beware of this VIRUS.....Contact us for vaccin'
- 'ation............... $#@%$@!! '
- Offset 0202H
- '(c) 1986 Basit & Amjads (pvt) Ltd '
- Offset 0355H
- ' (c) 1986 Basit & Amjads (pvt) Ltd'
- Offset 04A6H
- ' (c) Brain $'
-
- Variations:
- All the variations we have so far seen have only involved changes to
- these character strings.
-
- (1) Offset 0010H:
- 'Welcome to the Dungeon (c) 1986 D.C.L', 17H, '&'
- ' Amjads (pvt) Ltd VIRUS_SHOE RECORD v9.0 '
- 'Dedicated to the dynamic memories of millions of'
- ' virus who are no longer with us today - Thanks '
- 'GOODNESS!! BEWARE OF THE er..VIRUS : \thi'
- 's program is catching program follows after'
- ' these messeges..... $#@%$@!! '
- Offset 0202H
- '(c) 1986 Brain & Amjads (pvt) Ltd '
- Offset 0355H
- ' (c) 1986 Brain & Amjads (pvt) Ltd'
- Offset 04A6H
- ' (c) ashar $'
- (2) As variation 1 except 'D.C.L' is changed to 'Brain' in string at offset
- 0010H
- (3) As variation 2 except 'Brain' is changed to 'Jork ' in string at offset
- 0202H
-
- -----------
-
- 3. Cascade - AKA 1701, 1704
- Parasitic virus - resident
-
- Type description:
- The virus occurs attached to the end of a COM file. COM files increase
- in length by 1701 bytes. The first three bytes of the program are
- stored in the virus, and replaced by a branch to the beginning of the
- virus. The virus is encrypted (apart from the first 35 bytes) using an
- algorithm that includes the length of the host program, so every sample
- looks different. It becomes memory-resident when the first infected
- program is run, and it will then infect every COM file run (even if the
- file has an EXE extension). If the system date is between October and
- December 1988 the cascade display will be activated at random
- intervals. The virus tests the BIOS for the string 'COPR. IBM', and
- will not infect if it finds this - however there are errors in the code
- which prevent it from working. Because recognition depends on the
- length of the virus, it will infect programs already infected by
- variants with different lengths.
-
- Variations:
- (1) COM files increase in length by 1704 bytes. The only differences are
- the removal of a conditional jump (which would never have been taken),
- and some necessary segment overrides on the BIOS tests missing in the
- previous version. There is still a mistake preventing an IBM machine
- from being recognised.
-
- -----------
-
- 4. Datacrime - AKA 1168
- Parasitic virus - non-resident
-
- Type description:
- The virus occurs attached to the end of a COM file. COM files increase
- in length by 1168 bytes. The first three bytes of the program are
- stored in the virus, and replaced by a branch to the beginning of the
- virus. The virus will search through full directory structure of the
- disks (in the order C, D, A, B) for a COM file other than COMMAND.COM.
- It will also ignore any COM file if the 7th letter of the name is a D.
- If the date is after 12 October (any year) it will display the message:
- 'DATACRIME VIRUS'
- 'RELEASED: 1 MARCH 1989'
- and do a low level format on track zero, all heads, of the hard disk.
- Due to mistakes in the code the system is almost certain to crash the
- first time the critical error handler is invoked after the virus
- terminates.
-
- -----------
-
- 5. Dbase [report only - no sample]
- Parasitic virus - resident
-
- Type description:
- Infects COM and EXE files. Transposes random bytes of any open .DBF
- file, keeping a record of which bytes in a hidden file (BUG.DAT) in the
- same directory. The virus restores these bytes if the file is read.
- If the BUG.DAT file is 90 days old or more the FAT and root directory
- are overwritten.
-
- -----------
-
- 6. Den Zuk - AKA Search [report only - no sample]
- Boot virus - floppy only
-
- Type description:
- Graphics display of 'DEN ZUK', together with the AT&T logo, slides in
- from the sides of the screen on bootup. After five such bootups the
- disk is trashed - no details of how.
-
- -----------
-
- 7. Fu Manchu
- Parasitic virus - resident
-
- Type description:
- The virus occurs attached to the beginning of a COM file, or the end of
- an EXE file. It is a rewritten version of the Jerusalem virus, and
- most of what is said for that virus applies here with the following
- changes:
-
- a. The code to delete programs, slow down the machine, and display
- the black 'window' has been removed, as has the dead area at
- the end of the virus and some sections of unused code.
- b. The marker is now 'rEMHOr' (six bytes), and the preceeding 'sU'
- is now 'sAX' (Sax Rohmer - creator of Fu Manchu).
- c. COM files now increase in length by 2086 bytes & EXE files 2080
- bytes. EXE files are now only infected once.
- d. One in sixteen times on infection a timer is installed which
- runs for a random number of half-hours (maximum 7.5 hours). At
- the end of this time the message 'The world will hear from me
- again!' is displayed in the centre of the screen and the
- machine reboots. This message is also displayed every time
- Ctrl-Alt-Del is pressed on an infected machine, but the virus
- does not survive the reboot.
- e. There is further code which activates on or after the first of
- August 1989. This monitors the keyboard buffer, and makes
- derogatory additions to the names of politicians (Thatcher,
- Reagan, Botha & Waldheim), censors out two four-letter words,
- and to 'Fu Manchu ' adds 'virus 3/10/88 - latest in the new fun
- line!' All these additions go into the keyboard buffer, so
- their effect is not restricted to the VDU. All messages are
- encryted.
-
- -----------
-
- 8. Italian - AKA Pingpong
- Boot virus - DOS boot sector
-
- Type description:
- This virus consists of a boot sector and 1 cluster (2 sectors used)
- marked as bad in the first copy of the FAT. The first of these sectors
- contains the rest of the virus, and the second contains the original
- boot sector. It infects all disks which have at least two sectors per
- cluster, and it occupies 2K of memory. It displays a single character
- 'bouncing ball' which interacts with some characters on the screen. It
- will not run on an 80286 or an 80386 machine.
-
- -----------
-
- 9. Jerusalem - AKA 1813, Friday the 13th, PLO, Israeli
- Parasitic virus - resident
-
- Type description:
- The virus occurs attached to the beginning of a COM file, or the end of
- an EXE file. A COM file also has the five-byte 'marker' attached to
- the end. This marker is usually (but not always) 'MsDos', and is
- preceeded in the virus by 'sU'. COM files increase in length by 1813
- bytes. EXE files usually increase by 1808 bytes, but the displacement
- at which to write the virus is taken from the length in the EXE header
- and not the actual length. This means that part or all of this 1808
- bytes may be overwritten on the end of the host program. It becomes
- memory-resident when the first infected program is run, and it will
- then infect every program run except COMMAND.COM. COM files are
- infected once only, EXE files are re-infected each time they are run.
- After the system has been infected for thirty minutes an area of the
- screen from row 5 column 5 to row 16 column 16 is scrolled up two lines
- creating a black two line 'window'. From this point a time-wasting
- loop is executed with each timer interrupt. If the system was infected
- with a system date of Friday the thirteenth, every program run will be
- deleted instead. This will continue irrespective of the system date
- until the machine is rebooted. The end of the virus, from offset
- 0600H, is rubbish and will vary from sample to sample.
-
- Variations:
- (1) [report only - no sample]
- This is almost certainly an earlier variant. The string 'sUMsDos' in
- the type version is 'sURIV 3.00' in this version, the 30 minute delay
- is here 30 seconds, and there is a bug in the program delete.
-
- (2) [report only - no sample]
- This is probably the first version. Only COM files are infected, and
- the target date is 1st April. When target date is reached, the trojan
- element is triggered the first time an uninfected file is infected by
- the memory-resident virus. This produces the message 'APRIL 1ST HA HA
- HA YOU HAVE A VIRUS', and the machine locks. Identifying string is
- 'sURIV 1.01'.
-
- (3) [report only - no sample]
- As variation 2, but only infects EXE files. Trojan is triggered first
- time an infected file is run on 1st April. Additionally, machine locks
- one hour after infection if default date of 1-1-80 is used. Virus
- infects file only once. Identifying string is 'sURIV 2.01'.
-
- -----------
-
- 10. Lehigh [report only - no sample]
- Parasitic virus - overwriting
-
- Type description:
- Infects only COMMAND.COM, where it overwrites the stack space. If a
- disk which contains an uninfected copy of COMMAND.COM is accessed, that
- copy is also infected. A count of infections is kept within each copy
- of the virus, and when this count reaches 4 every disk (including hard
- disks) currently in the computer is trashed by overwriting the initial
- tracks (boot sector & FAT). Infection changes the date and time of the
- infected file. If a floppy with an uninfected COMMAND.COM is write-
- protected, there will be a 'WRITE PROTECT ERROR' message from DOS.
-
- -----------
-
- 11. New Zealand - AKA Stoned, Marijuana
- Boot virus - master boot sector
-
- Type description:
- This virus consists of a boot sector only. It infects all disks, and
- it occupies 1K of memory. The original boot sector is held in track
- zero, head one, sector three on a floppy disk, and track zero head
- zero, sector two on a hard disk. The boot sector contains two
- character strings: 'Your PC is now Stoned!' & 'LEGALISE MARIJUANA!'.
- The first of these is only displayed one in eight times when booting
- from an infected floppy, the second is unreferenced.
-
- Variations:
- (1) Much of the code has been reorganised. The only significant change is
- that the original boot sector is stored at track zero, head zero,
- sector seven on a hard disk. The second string is not transfered when
- infecting a hard disk.
-
- -----------
-
- 12. Oropax - AKA Music virus [report only - no sample]
- Parasitic virus - resident
-
- Type description:
- Infects COM files, length increases by 2756-2806 bytes, so that total
- length is divisible by 51. Becomes active (randomly) five minutes
- after infection, playing three different tunes with a seven minute
- interval.
-
- -----------
-
- 13. Pentagon
- Boot virus - floppy only
-
- Type description:
- Virus is possibly an honorary term, at least for this sample, as all
- attempts to run it have so far failed. The following describes what
- would happen if it did work (as future samples might).
- This virus consists of a boot sector and two files. The boot sector is
- a normal PCDOS 3.20 boot sector with three changes:
- 1. The OEM name 'IBM' has been changed to 'HAL'.
- 2. The first part of the virus code overwrites 036H to 0C5H.
- 3. 100H-122H has been overwritten by a character string.
- The name of the first file is the hex character 0F9H. This file
- contains the rest of the virus code followed by the original boot
- sector. The name of the second file is PENTAGON.TXT. This file does
- not appear to be used in any way or contain any meaningful data. Both
- files are created without the aid of DOS, and the first file is
- accessed by its stored absolute location. Four different sections of
- the virus are separately encrypted:
- 1. 004AH - 004BH, key 0ABCDH - load decryption key
- 2. 0059H - 00C4H, key 0FCH - rest of virus code in boot sector.
- 3. 0791H - 07DFH, key 0AAH - the file name and copyright message.
- 4. 0800H - 09FFH, key 0FCH - the original boot sector.
- The virus will survive a warm boot (Ctrl-Alt-Del). It only infects
- 360K floppies, and it will look for and remove Brain from any disk that
- it infects. It occupies 5K in memory.
-
- -----------
-
- 14. Vienna - AKA 648, Austrian, Unesco
- Parasitic virus - non-resident
-
- Type description:
- The virus occurs attached to the end of a COM file. COM files increase
- in length by 648 bytes. The first three bytes of the program are
- stored in the virus, and replaced by a branch to the beginning of the
- virus. The virus looks for, and infects, one COM file - either in the
- current directory or in one of the directories on the PATH. One in
- eight files 'infected' does not get a copy of the virus. Instead the
- first five bytes of the program are replaced by a far jump to the BIOS
- initialization routine.
-
- Variations:
- (1) This is the version published in Ralf Burger's book 'Computer Viruses:
- A High-Tech Disease'. An error has been introduced which disables the
- virus's ability to search through the PATH, and the far jump has been
- replaced by five spaces.
-
- -----------
-
- 15. Yale - AKA Alameda, Merritt
- Boot virus - floppy only
-
- Type description:
- This virus consists of a boot sector only. It infects floppies in the
- A-drive only and it occupies 1K of memory. The original boot sector is
- held in track thirty-nine, head zero, sector eight. It hooks into INT
- 9, and only infects when Ctrl-Alt-Del is pressed. It will not run on
- an 80286 or an 80386 machine, although it will infect on such a
- machine. It has been assembled using A86. It contains code to format
- track thirty-nine, head zero, but this has been disabled.
-
- -----------
-