Text File | 1995-07-21 | 66.1 KB | 2,152 lines |
-
- [DEFINE]
- Virus Name: Define-1
-
- Virus Type: File Infector Virus (infects .EXE &
- .COM files)
-
- Virus Length: No change
-
- PC Vectors Hooked: None
-
- Executing Procedure:
- 1) Searches for an .EXE or .COM file
- in the current directory.
- 2) Once it locates a file it checks
- whether it has been infected by
- Define-1. If "Yes", it continues
- to look for another uninfected
- .COM or .EXE file.
- 3) It infects only one file at a time.
-
- Damage: Overwrites original file, so the length
- of infected file won't increase.
-
- Note: 1) Doesn't stay resident in memory.
- 2) Define-1 doesn't hook INT 24h when
- infecting files. Error message occurs
- if there is an I/O error (such as write
- protect).
-
- [DISMEMBER]
- Virus Name: Dismember
-
- Virus Type: File Infector Virus (infects .COM
- files)
-
- Virus Length: 288 Bytes(COM)
-
- PC Vectors Hooked: None
-
- Executing Procedure:
- 1) Searches for a .COM file in the
- current directory.
- 2) Once it locates a .COM file it checks
- whether it has been infected by
- Dismember. If "Yes", it continues to
- search for an uninfected .COM file.
- 3) It then infects all .COM files in the
- directory.
- 4) Finally, it executes the originally
- called file.
-
- Damage: None
-
- Detecting Method: Infected files will increase by
- 288 Bytes.
-
-
- Note: 1) Doesn't stay resident in memory.
- 2) Dismember doesn't hook INT 24h when
- infecting files. Error message occurs
- if there is an I/O error (such as write
- protect).
-
- [TIMID]
- Virus Name: Timid
-
- Virus Type: File Infector Virus (infects .COM
- files)
-
- Virus Length: 306 Bytes(COM)
-
-
- PC Vectors Hooked: None
-
- Executing Procedure:
- 1) Searches for a .COM file in the
- current directory.
- 2) Once it locates a file it checks
- whether it has been infected by
- Timid. If "Yes", it continues to
- search for an uninfected .COM file.
- 3) It then infects one file at a time
- and displays the infected file name
- on the screen.
- 4) Once the file is executed the system
- will halt.
-
- Damage: Damages original file.
-
- Detecting Method: 1) Infected files will increase
- by 306 Bytes.
- 2) Other file names are shown
- on the screen.
-
- Note: 1) Doesn't stay resident in memory.
- 2) Timid doesn't hook INT 24h when
- infecting files. Error message occurs if
- there is an I/O error (such as write
- protect).
-
- [ITTI-A]
-
- Virus Name: Itti-A
-
- Virus Type: File Infector Virus (infects .COM
- files)
-
- Virus Length: No change
-
-
- PC Vectors Hooked: None
-
- Executing Procedure:
- 1) Searches for a .COM file in the
- current directory.
- 2) Once it locates a .COM file it checks
- whether it has been infected by
- ITTI-A. If "Yes", it continues to look
- for any uninfected .COM file.
- 3) It infects only one file at a time.
- Then when the file is executed the
- message "EXEC FAILURE" will show on
- the screen.
- 4) It will finally damage all data on
- current disk if no .COM file is
- infected.
-
- Damage: 1) Overwrites original file, so the
- length of infected file won't
- increase.
- 2) Damages all data on current disk if
- no .COM file is infected.
-
- Note: 1) Doesn't stay resident in memory.
- 2) ITTI-A doesn't hook INT 24h when
- infecting files. Error message occurs if
- there is an I/O error (such as write
- protect).
-
- [BURGER_560]
- Virus Name: Burger
-
- Virus Type: File Infector Virus (infects .COM
- files)
-
- Virus Length: No change
-
-
- PC Vectors Hooked: None
-
- Executing Procedure:
- 1) Searches for a .COM file in the current
- directory.
- 2) Checks whether it has been infected by
- Burger. If "Yes", it continues to look
- for an uninfected .COM file.
- 3) Infects only one uninfected file at a
- time.
- 4) Damages all data on the current disk if
- no .COM file is infected.
-
- Damage: 1) Overwrites the original file, so the
- length of the infected file won't increase.
- 2) Damages all data on the current disk if
- no .COM file is infected.
-
- Note: 1) Doesn't stay resident in memory.
- 2) Burger doesn't hook INT 24h when infecting
- files. Error message occurs if there is
- an I/O error (such as write protect).
-
- [WHY]
- Virus Name: Why
-
- Virus Type: File Infector Virus (infects .COM
- files)
-
- Virus Length: 457 Bytes(COM)
-
-
- PC Vectors Hooked: None
-
- Executing Procedure:
- 1) Searches for a .COM file in the
- current directory.
- 2) Once it locates a file it checks
- whether it has been infected by Why.
- If "Yes", it continues to look for
- any uninfected .COM file.
- 3) It will infect only one file at a
- time.
- 4) It then checks the system date. If
- the date is the 12th of May or the
- 25th of February, the virus will
- damage all files on the hard disk.
-
- Damage: If system date is May 12th or February
- 25th, the virus will damage all files on
- the hard disk.
-
- Detecting Method: 1) Infected files will increase
- by 457 Bytes.
-
-
- Note: 1) Doesn't stay resident in memory.
- 2) "Why" doesn't hook INT 24h when
- infecting files. Error message occurs
- if there is an I/O error (such as write
- protect).
-
- [BROTHERS-2]
- Virus Name: Brothers-2
-
- Virus Type: File Infector Virus (infects .COM
- files)
-
- Virus Length: 693 Bytes(COM)
-
-
- PC Vectors Hooked: None
-
- Executing Procedure:
- 1) Checks whether the system date is
- between the 11th and 25th, November
- or December. If "Yes", it shows the
- message: 'Brotherhood... I am seeking
- my brothers "DEICIDE" and "MORGOTH"',
- then executes the original file.
- 2) If "No", then it searches for a .COM
- file in the current directory.
- 3) Once it locates a file it checks
- whether it has been infected by
- Brothers-2. If "Yes", it continues to
- look for any uninfected .COM file.
- 4) It will check whether the second word
- of the .COM file is "0xADDE". If
- "Yes", it will show the message:
- 'Found my brother "MORGOTH"!!!', then
- execute the original file.
- 5) It will also check whether the second
- word of the .COM file is "0x0D90". If
- "Yes", it will show the message:
- 'Found my brother "DEIGOTH"!!!', then
- execute the original file.
- 6) If "No", then it will infect .COM
- files one at a time.
- 7) It will execute the original file.
-
- Damage: None
-
- Detecting Method: 1) Infected files will increase
- by 693 Bytes.
-
-
- Note: 1) Doesn't stay resident in memory.
- 2) Brothers-2 doesn't hook INT 24h when
- infecting files. Error message occurs
- if there is an I/O error (such as write
- protect).
-
-
- [DEST2]
- Virus Name: DEST2
-
- Virus Type: File Infector Virus (infects .COM
- files only)
-
- Virus Length: 478 Bytes
-
-
- PC Vectors Hooked: INT 24h
-
- Executing Procedure:
- 1) Searches for a COM file in the
- current directory.
- 2) It checks whether it has been
- infected by Dest2. If "Yes", it
- continues to look for an uninfected
- .COM file.
- 3) It then infects the .COM file.
- 4) It finally executes the original file.
-
- Damage: If kill-flag=-1, then deletes a file.
-
- Detecting Method: Infected files will increase
- by 478 Bytes.
-
-
- Note: 1) Doesn't stay resident in memory.
- 2) Dest2 hooks INT 24h when infecting files.
- Omits an I/O error (such as write
- protect).
-
- [AIRCOP]
- Virus Name: AIR-COP
-
- Virus Type: Boot Infector
-
- Virus Length: None
-
-
- PC Vectors Hooked: None
-
- Executing Procedure:
- When you execute the program, it will
- write the virus to boot sector of "A:"
-
- Damage: Overwrites boot sector of "A:".
-
- Detecting Method: None.
-
-
- [BURGER_560]
- Virus Name: BURGER_560-8
-
- Virus Type: File Infector Virus (infects .COM
- files)
-
- Virus Length: No change
-
-
- PC Vectors Hooked: None
-
- Executing Procedure:
- 1) Searches for a .COM file in "A:".
- 2) It checks whether it has been
- infected by Burger_560-8. If "Yes",
- it continues to look for an
- uninfected .COM file.
- 3) It then infects an uninfected file
- one at a time.
- 4) If no .COM file is infected, it will
- continue to look for an .EXE file in
- "A:".
- 5) It finally renames the .EXE file to
- .COM, then it infects the .COM file.
-
- Damage: Overwrites the original file, so the
- length of infected file won't increase.
-
- Detecting Method: 1) Changes .EXE file into a
- .COM file
-
- Note: 1) Doesn't stay resident in memory.
- 2) Burger_560-8 doesn't hook INT 24h when
- infecting files. Error message occurs
- if there is an I/O error (such as write
- protect).
-
-
- [BOYS]
- Virus Name: BOYS
-
- Virus Type: File Infector Virus (infects .COM
- files)
-
- Virus Length: 500 Bytes(COM)
-
-
- PC Vectors Hooked: None
-
- Executing Procedure:
- 1) It searches for an .EXE file, it
- then changes the attributes into
- "SYSTEM".
- 2) It searches for a .COM file in the
- current directory.
- 3) It then checks whether it has been
- infected by Boys. If "Yes", it
- continues to look for an uninfected
- .COM file.
- 4) It infects only an uninfected file
- at one time, and changes the
- attribute into "READ-ONLY".
- 5) Finally it executes the original
- file.
-
- Damage: None.
-
- Detecting Method: Infected files will increase by
- 500 Bytes.
-
-
- Note: 1) Doesn't stay resident in memory.
- 2) Boys doesn't hook INT 24h when infecting
- files. An error message occurs if there
- is an I/O error (such as write protect).
-
- [NULL]
- Virus Name: NULL
-
- Virus Type: File Infector Virus (infects .COM
- files)
-
- Virus Length: 733 Bytes(COM)
-
-
- PC Vectors Hooked: None
-
- Executing Procedure:
- 1) It first decodes.
- 2) Then it searches for a .COM file in
- the current directory.
- 3) It checks whether it has been
- infected by Null. If "Yes", it
- continues to look for an uninfected
- .COM file.
- 4) It infects only one file at a time.
- 5) It then executes the original file.
- 6) If it can not infect a .COM file,
- then it checks whether the DAY =30.
- If "yes", it destroys all the data on
- the disk, then shows the message:
- "Your disk is dead! long life
- doomsday 1.0 "
-
- Damage: IF DAY = 30 , then destroy all data on
- current disk.
-
- Detecting Method: Infected files will increase by
- 733 Bytes.
-
-
- Note: 1) Doesn't stay resident in memory.
- 2) Null doesn't hook INT 24h when infecting
- files. An error message occurs if there
- is an I/O error (such as write protect).
-
-
- [BIT_ADDICT]
- Virus Name: BIT-ADDICT
-
- Virus Type: Memory Resident, File Infector Virus
- (infects .COM files).
-
- Virus Length: 477 Bytes (COM)
-
- PC Vectors Hooked: INT 21h
-
- Infecting Procedure:
- 1) The virus checks whether it is
- already loaded resident in memory.
- If "No", it then loads itself into
- resident memory by hooking INT 21h.
- 2) It then executes the original file.
- 3) With itself loaded into resident
- memory it will infect any uninfected
- file that is executed.
- 4) It doesn't infect .EXE files.
-
- Damage: When the virus infects 100 files, it will
- destroy all data on the hard disk, then
- show the message: "BIT ADDICTMZ> .... The
- Bit Addict says: You have a good tasting
- hard disk, it was delicious !!!"
-
- Detecting Method: Infected files increase by 477
- Bytes.
-
- Note: The Bit-Addict virus doesn't hook INT 24h
- when infecting files. An error message
- occurs if there is an I/O error (such as
- write protect).
-
- [NOV17]
- Virus Name: NOV_17-1
-
- Virus Type: Highest Memory Resident, File
- Infector Virus (infects .COM &
- .EXE files).
-
- Virus Length: 768 Bytes (COM & EXE)
-
- PC Vectors Hooked: INT 21h (AX=4B00h) (execute
- program)
-
- Infecting Procedure:
- 1) The virus checks whether it is
- already loaded resident in memory.
- If "No", it then loads itself into
- resident memory by hooking INT 21h.
- 2) It then executes the original file.
- 3) With itself loaded into resident
- memory it will infect any uninfected
- file that is executed.
-
- Damage: None.
-
- Detecting Method: 1) Infected files increase by
- 768 Bytes.
-
- Note: The NOV_17-1 virus doesn't hook INT 24h when
- infecting files. An error message occurs if
- there is an I/O error (such as write protect).
-
-
- [SANDWICH]
- Virus Name: SANDWICH
-
- Virus Type: Highest Memory Resident, File Infector
- Virus (infects .COM files).
-
- Virus Length: 1172 Bytes (COM)
-
- PC Vectors Hooked: INT 21h (AX=4B00h) (execute
- program)
-
- Infecting Procedure:
- 1) The virus checks whether it is
- already loaded resident in memory.
- If "No", it then loads itself into
- resident memory by hooking INT 21h.
- 2) It then executes the original file.
- 3) With itself loaded into resident
- memory it will infect any uninfected
- file that is executed.
- 4) It doesn't infect .EXE files.
-
- Damage: None.
-
- Detecting Method: 1) Infected files increase by
- 1172 Bytes.
-
- Note: The Sandwich virus doesn't hook INT 24h when
- infecting files. An error message occurs if
- there is an I/O error (such as write
- protect).
-
- [GOTCHA]
- Virus Name: GOTCHA
-
- Virus Type: Highest Memory Resident, File Infector
- Virus (infects .COM & .EXE files).
-
- Virus Length: 906 Bytes (COM & EXE)
-
- PC Vectors Hooked: INT 21h (AX=4B00h) (execute
- program), INT 24h
-
- Infecting Procedure:
- 1) The virus checks whether it is
- already loaded resident in memory.
- If "No", it then loads itself into
- resident memory (highest memory) by
- hooking INT 21h.
- 2) It then executes the original file.
- 3) With itself loaded into resident
- memory it will infect any uninfected
- file that is executed.
- 4) It also infects when a file is
- renamed, when file attributes are
- set, when searching for a matching
- file, or when deleting a file.
-
- Damage: None.
-
- Detecting Method: Infected files increase by 906
- Bytes.
-
- Note: The Gotcha virus hooks INT 24h when
- infecting files. Omits I/O error (such as
- write protect).
-
- [PCBB]
- Virus Name: PCBB-B
-
- Virus Type: Highest Memory Resident, File Infector
- Virus (infects .COM & .EXE files).
-
- Virus Length: 3072 Bytes (COM & EXE)
-
- PC Vectors Hooked: INT 21h (AX=4B00h) (execute
- program), INT 24h
-
- Infecting Procedure:
- 1) The virus checks whether it is
- already loaded resident in memory.
- If "No", it then loads itself into
- resident memory (highest memory) by
- hooking INT 21h.
- 2) It then executes the original file.
- 3) With itself loaded into resident
- memory it will infect any uninfected
- file that is executed.
-
- Damage: None.
-
- Detecting Method: Infected files increase by 3072
- Bytes.
-
- Note: The PCBB virus hooks INT 24h when infecting
- files. It omits I/O errors (such as write
- protect).
-
- [CANNA615]
- Virus Name: CANNA615
-
- Virus Type: Highest Memory Resident, File Infector
- Virus (infects .COM & .EXE files).
-
- Virus Length: 1568 Bytes (COM & EXE)
-
- PC Vectors Hooked: INT 21h (AX=4B00h) (execute
- program), INT 24h
-
- Infecting Procedure:
- 1) The virus checks whether it is
- already loaded resident in memory.
- If "No", it then loads itself into
- resident memory by hooking INT 21h.
- 2) It then checks whether system date is
- Friday, and the seconds of the system
- time is zero, if "Yes", then a
- message and a picture appear on the
- screen: "LEGALIZE CANNA615" and a
- picture of a hemp leaf.
- 3) It then executes the original file.
- 4) With itself loaded into resident
- memory it will infect any uninfected
- file that is executed.
-
- Damage: None.
-
- Detecting Method: Infected files increase by 1568
- Bytes.
-
- Note: The Canna615 virus hooks INT 24h when
- infecting files. It omits I/O error (such as
- write protect).
-
- [BRAIN]
- Virus Name: BRAIN2
-
- Virus Type: Memory Resident, File Infector Virus
- (infects .COM & .EXE files).
-
- Virus Length: 1935 Bytes (COM & EXE)
-
- PC Vectors Hooked: INT 21h (AX=4B00h) (execute
- program), INT 24h, INT 1Ch
-
- Infecting Procedure:
- 1) It checks whether the system date is
- the 17th of November or the 6th of
- February, if "Yes", it will show some
- messages and play music.
- 2) The virus then checks whether it is
- already loaded resident in memory. If
- "No", it then loads itself into
- resident memory by hooking INT 21h.
- 3) It then executes the original file.
- 4) It then checks whether the system
- date is the 1st of February, July,
- September or December, If "yes", the
- virus will show a flash square by
- hooking INT 1Ch.
- 5) With itself loaded into resident
- memory it will infect any uninfected
- file that is executed.
-
- Damage: None.
-
- Detecting Method: Infected files increase by 1935
- Bytes.
-
- Note: The Brain2 virus hooks INT 24h when
- infecting files. It omits I/O errors (such
- as write protect).
-
-
- [FIRE]
- Virus Name: Fire
-
- Virus Type: Trojan
-
- Virus Length: 4304 Bytes
-
-
- PC Vectors Hooked: INT 24h
-
-
- Damage: Destroys all data on all disks if drives
- are ready, then it makes a sound.
-
- Detecting Method: Check whether there are files
- with 4304 Bytes.
-
- Note: 1) Doesn't stay resident in memory.
- 2) Doesn't infect any files or partition or
- boot sector.
- 3) The Fire virus hooks INT 24h when
- destroying; it omits I/O errors (such
- as write protect).
-
- [YONYU]
- Virus Name: YONYU
-
- Virus Type: Boot Sector and Partition Infector
-
- Virus Length: None.
-
-
- PC Vectors Hooked: INT 13h
-
- Executing Procedure:
- 1) A decrease of 1K Bytes in total
- system memory when the system is
- booted from an infected disk.
- 2) It will load itself in the last 1K
- bytes of resident memory.
- 3) It then hooks INT 13h.
- 4) When you boot the machine as usual
- and you "READ and WRITE" to a file
- the YONYU virus will hook INT 13H
- and infect the diskette.
-
- Damage: None.
-
- Detecting Method: Decreases total memory size, 1K
- Bytes.
-
-
- Note: 1) YONYU doesn't hook INT 24h when
- infecting files. It omits I/O errors (such
- as write protect).
-
- [Dir2_910]
- Virus Name: DIR2-910
-
- Virus Type: File Infector Virus (infects .COM &
- .EXE files)
-
- Virus Length: 1024 Bytes
-
-
- PC Vectors Hooked: None
-
- Executing Procedure:
- 1) When the virus loads itself resident
- in memory it will change the
- directory structure data, so that
- certain executable files are linked to
- itself.
- 2) As a result, when you execute a file
- that the DIR2-910 virus has linked
- to, the virus is executed as well.
- At this point it can begin
- to infect other files.
- 3) The virus stays resident in memory
- but doesn't hook any interrupts. It
- uses another function to infect files.
- It infects .COM & .EXE files when
- they are "READ & WRITE".
-
- Damage: When all the .COM & .EXE files have been
- infected on a disk, then it will not be
- possible to execute any files from the
- disk.
-
- Detecting Method: Check the disk by using
- "CHKDSK.EXE". If some files are
- cross-linked to the same
- position, then these files must
- be infected.
-
- Note: DIR2-910 doesn't hook INT 24h when infecting
- files. It omits I/O errors (such as write
- protect).
-
- [FLIP]
- Virus Name: FLIP
-
- Virus Type: Multi-partite. An infector of all
- programs being used, either .EXE or
- .COM, when the original .COM file length
- is not greater than 63,046 (F646h)
- bytes.
-
- Virus Length: 2672 bytes
-
- Interrupt Vectors Hooked: INT 21h
-
- Infection Process:
- This virus can be spread by executing an
- infected program or from booting the
- system with an infected disk. There are
- several methods of infection.
-
- 1) Infection of a clean system by an
- infected program.
-
- When an infected program is executed in
- a clean system, the virus will copy
- itself to the last side of the last
- cylinder, from the 5th last sector to
- the 1st last sector, and will subtract
- 6 from the value at offset 13h (number
- of logical sectors) of the DOS boot
- sector. Finally, the virus writes the
- virus body to the partition sector.
-
- 2) Spreading the infection through a
- disk that has been infected.
-
- If a PC is booted from an infected disk,
- the spreading of the infection is
- complete. The boot code, previously
- overwritten by the virus on the disk
- partition sector, reads the main core of
- the virus from the last 5 sectors to the
- last 1 sector, and loads it as a TSR in
- RAM, occupying 3 Kb of the higher part
- of system memory. As soon as it is
- installed as a TSR, the virus takes
- control of Int 1Ch (Timer Interrupt) to
- verify, with a frequency of 18.2 times
- per second, if the DOS COMMAND.COM is
- loaded. If DOS is present, the virus
- restores the timer and takes control of
- Int 21h.
-
- Damage: Loss of data stored in the 6th last to 1st
- last sectors of the disk. Virus also
- increases file sizes.
-
- Symptoms: Virus turns screen display upside down
- (rotates 180 degrees). File sizes
- increase by 2153 bytes
-
- Note: The virus uses a smart technique to avoid
- anti-virus detection programs. When
- modifying the partition sector, it hooks
- INT 01h and turns on the single-step flag
- to get the original DOS entry point of
- INT 13h. The virus will then move
- itself to the top of the MCB (memory control
- block), and decrease available memory in the
- MCB by 2672 (A70h) bytes. It will hook INT
- 21h with the same method as for INT 13h and
- then proceed to run the original program.
-
-
- [MULTI-2]
- Virus Name: Multi-2
-
- Virus Type: Partition table Infector and File
- Infector Virus (infects .COM & .EXE
- files)
-
- Virus Length: Not Applicable
-
-
- PC Vectors Hooked: INT 21h, INT 24h, INT 1Ch,
- INT 13h.
-
- Executing Procedure:
- 1) The Virus will decrease the total
- system memory by 3K Bytes when the
- system is booted from an infected
- disk.
- 2) It then checks whether it is
- loaded in resident memory. If "No",
- then it will load to the last 3K
- bytes of resident memory by hooking
- INT 21h and INT 1Ch.
- 3) It infects files when they are
- executed.
-
- Damage: None.
-
- Detecting Method: Infected files increase by 927-1000
- Bytes.
-
-
- Note: Multi-2 hooks INT 24h when infecting files.
- It omits I/O errors (such as write protect).
-
- [BOGUS]
- Virus Name: BOGUS
-
- Virus Type: Partition table Infector and File
- Infector Virus
-
- Virus Length: No change.
-
-
- PC Vectors Hooked: INT 21h, INT 24h, INT 13h.
-
- Executing Procedure:
- 1) The Virus decreases the total system
- memory by 4K Bytes, when the system
- is booted from an infected disk.
- 2) The virus loads itself in to the last
- 4K Bytes of resident memory.
- 3) It then hooks INT 13h.
- 4) It continues to infect any executed
- program.
-
- Damage: When the number of infected files is
- larger than 2710, then it destroys all the
- data on the hard disk.
-
- Detecting Method: Check whether the file head is
- INT 13h(AX=90 or 91).
-
- Note: 1) BOGUS hooks INT 24h when infecting files.
- It omits I/O errors (such as write
- protect).
- 2) If the computer is booted from a
- diskette, you will not be able to view
- the hard drive.
-
-
- [FRIDAY_13TH]
- Virus Name: Friday the 13th
-
- Other names: Virus 1813, Israelian, Jerusalem
-
- Virus Type: File Infector Virus
-
- Virus Length: Approx. 1813 bytes
-
- PC Vectors Hooked: Int 21
-
- Executing Procedure:
- 1) The virus checks whether it is
- already loaded resident in memory.
- If "No", it then loads itself into
- resident memory by hooking INT 21h.
- 2) It then executes the original file.
- 3) With itself loaded into resident
- memory it will infect any uninfected
- file that is executed.
-
- Damage: In the year 1987, the virus does no damage.
- It proceeds only to infect other files.
- Every Friday the 13th, excluding the year
- 1987, the virus deletes every executed program.
- All other days, excluding the year 1987,
- the virus spreads. About half an hour
- after the virus is installed in memory it
- scrolls up by two lines a small window with
- coordinates (5, 5), (16, 16) and slows
- down computer speed. Delay loop repeats
- 18.5 times per second.
-
- Detecting Method: Increases the file length by
- 1813 bytes
-
- Note: Loads itself resident in memory. An error
- message occurs if there is an I/O error
- (such as write protect).
-
- [DEVIL's DANCE]
- Virus Name: Devil's Dance
-
- Other names: Virus 941
-
- Virus Type: File Infector Virus
-
- Virus Length: 941 bytes
-
- PC Vectors Hooked: Int 21
-
- Executing Procedure:
- 1) The virus checks whether it is
- already loaded resident in memory.
- If "No", it then loads itself into
- resident memory by hooking INT 21h.
- 2) It then executes the original file.
- 3) With itself loaded into resident
- memory it will infect any uninfected
- file that is executed.
-
- Damage: The Devil's Dance virus monitors Int 9
- (keyboard). A routine for cursor
- manipulation is activated when 5 keys
- other than the Alt key have been depressed.
- Furthermore, if the "Alt" key is not
- depressed, attributes of the cursor in
- Video-RAM are changed after any other key
- is pressed. The new attributes are as
- follows: 09h (bright blue), 0ah (bright
- green), 0bh (bright cyan), 0ch (bright
- red), 0dh (bright violet), 0eh (bright
- yellow). If the above five keys are not
- pressed, the virus will not manifest
- itself. If "Del" is depressed, the virus
- will display characters using the color
- white. The virus displays the following
- message: "Have you ever danced with the
- devil under the weak light of the moon?
- .... Pray for your disk...The Joker
- HAHAHAHAHAHAHAHAHAHA."
-
- The virus will finally test whether any
- keys were pressed 2500 times. If yes, the
- virus overwrites the Disk Partition Table
- of the first hard disk and proceeds to
- crash the system.
-
- Note: Loads itself resident in memory. An error
- message occurs if there is an I/O error
- (such as write protect).
-
-
- [CHRISTMAS_TREE]
- Virus Name: Christmas
-
- Other names: Virus 600, Xmas In Japan, Japanese
- Christmas
-
- Virus Type: File Infector Virus
-
- Virus Length: 600 bytes.
-
- Damage: On December 25th, when an infected .COM
- file is executed, the following message
- will be displayed: "A Merry christmas to
- you" or "Jingo Bell, jingo bell, jingo all
- the way."
-
- Detecting Method: The COMMAND.COM file increases
- by 600 Bytes. Infected .COM
- files increase by 600 bytes.
-
- [DATA CRIME]
- Virus Name: Datacrime
-
- Other names: 1168, Columbus Day
-
- Virus Type: File Infector Virus
-
- Virus Length: 1168 bytes.
-
- Executing Procedure:
- 1) The virus checks whether it is
- already loaded resident in memory.
- If "No", it then loads itself into
- resident memory by hooking INT 21h.
- 2) It then executes the original file.
- 3) With itself loaded into resident
- memory it will infect any uninfected
- file that is executed.
- 4) It doesn't infect .EXE files.
-
- Damage: Virus will low-level format your hard disk
- after October 12th.
-
- Detecting Method: Virus infects all .COM files
- between April 1st-October 12th.
- After October 12th, it will
- display the following message:
- "DATACRIME VIRUS Released:1
- March 1989." And it will low
- level format your hard disk.
-
- Note: Loads itself resident in memory. An error
- message occurs if there is an I/O error
- (such as write protect).
-
- [SUNDAY]
- Virus Name: Sunday
-
- Other names: None
-
- Virus Type: Boot Strap Sector Virus (Memory
- Resident)
-
- Virus Length: 1636 bytes.
-
- Damage: On Sunday, the virus will prevent computer
- user.
-
- Detecting Method: On Sunday, the virus will
- display the following message:
- "Today is Sunday! Why do you
- work so hard? All work and no
- play makes you a dull boy! Come
- on! Let's go out and have some
- fun!"
-
- [MARAUDER]
- Virus Name: Marauder
-
- Other names: None
-
- Virus Type: File Infector Virus
-
- Virus Length: Increases .COM file by 860 bytes.
-
- Executing Procedure:
- 1) The virus searches the current
- directory for a .COM file. Once it
- locates a file it checks whether it
- is already infected by the Marauder
- virus. If "No", it then infects
- the file.
- 2) If "Yes" then it searches for another
- .COM file to infect.
- 3) It doesn't infect .EXE files.
- 4) It then executes the original file.
-
- Damage: The Marauder virus will overwrite your
- files, on every February 2nd with the
- string "=[Marauder] 1992 Hellraiser -
- Phalcon/Skism."
-
- Detecting Method: When the infected file is
- executed, the virus will infect
- the first uninfected .COM file
- in current directory. On every
- February 2nd, the virus will
- overwrite all executed files by
- following characters one by one
- "=[Marauder] 1992 Hellraiser -
- Phalcon/Skism."
-
-
- [OROPAX]
- Virus Name: Oropax
-
- Other names: None
-
- Virus Type: File Infector Virus
-
- Virus Length: 2756-2800 bytes
-
- Executing Procedure:
- 1) The virus checks whether it is
- already loaded resident in memory.
- If "No", it then loads itself into
- resident memory by hooking INT 21h.
- 2) It then executes the original file.
- 3) With itself loaded into resident
- memory it will infect any uninfected
- file that is executed.
- 4) It doesn't infect .EXE files.
-
- Damage: Infected .COM file sizes increase by 2756-2800
- bytes.
-
- Detecting Method: Virus will hook the interrupt
- 20h, 21h, 27h. If the system
- date is after May 1, 1987 and it
- is an IBM compatible computer,
- interrupt 8h will be hooked.
- When the virus is triggered, it
- will play the "Stars", "Blue"
- and "Forty" songs one by one
- every eight minutes.
-
- Note: Loads itself resident in memory. An error
- message occurs if there is an I/O error
- (such as write protect).
-
- [DBASE]
- Virus Name: dBASE
-
- Other names: None
-
- Virus Type: File Infector Virus
-
- Virus Length: 1864 bytes
-
- Executing Procedure:
- 1) The virus checks whether it is
- already loaded resident in memory.
- If "No", it then loads itself into
- resident memory by hooking INT 21h.
- 2) It then executes the original file.
- 3) With itself loaded into resident
- memory it will infect any uninfected
- file that is executed.
- 4) It doesn't infect .EXE files.
-
- Damage: Every executed .COM file increases by
- 1864 bytes. Virus will sometimes cause
- system to halt.
-
- Detecting Method: Virus will hook the interrupt
- 21h. When virus is activated, it
- will switch high-byte and
- low-byte of every opened .DBF
- data file. Virus will also create
- a hidden file - "BUG.DAT" in
- root directory to record every
- infected .DBF file's name.
-
- Note: Loads itself resident in memory. An error
- message occurs if there is an I/O error
- (such as write protect).
-
- [HOLLOWEEN]
- Virus Name: Halloween
-
- Other names: Happy Halloween
-
- Virus Type: File Infector Virus
-
- Virus Length: N/A
-
- Executing Procedure:
- 1) The virus checks whether it is
- already loaded resident in memory.
- If "No", it then loads itself into
- resident memory by hooking INT 21h.
- 2) It then executes the original file.
- 3) With itself loaded into resident
- memory it will infect any uninfected
- file that is executed.
-
- Damage: Virus finds an executable file (first .EXE
- file then .COM) in current directory and
- proceeds to infect it. It will display
- "Runtime error 002 at 0000:0511" on screen
- if no uninfected files are found.
-
- Detecting Method: On every Oct 31, virus will
- create a 10KB-long file and
- display "Runtime error 150 at
- 0000:0AC8."
-
- Note: 1) Loads itself resident in memory. An error
- message occurs if there is an I/O error
- (such as write protect).
-
- [TAIWAN]
- Virus Name: Taiwan
-
- Other names: None
-
- Virus Type: File Infector Virus
-
- Virus Length: .EXE 1300-1503 bytes
-
- Executing Procedure:
- 1) The virus checks whether it is
- already loaded resident in memory.
- If "No", it then loads itself into
- resident memory by hooking INT 21h.
- 2) It then executes the original file.
- 3) With itself loaded into resident
- memory it will infect any uninfected
- file that is executed.
-
- Damage: This virus has several variants. While
- some variants have no damage routine, some
- will slow down the system performance and
- variants of the Mummy virus will have a
- Random Number counter. When the counter
- reaches zero, virus will overwrite first
- part of hard disk and cause severe data
- loss.
-
- Detecting Method: Increases infected file size by
- 1300-1503 bytes. Virus
- occasionally hangs the system
- when the virus is resident in
- memory. Encrypted text strings
- inside the virus code as
- follows: "Mummy Version x.xxx",
- "Kaohsiung Senior School",
- "Tzeng Jau Ming presents",
- "Series Number=[xxxxx]."
-
- Note: 1) Loads itself resident in memory. An error
- message occurs if there is an I/O error
- (such as write protect).
-
- [JOSHI]
- Virus Name: Joshi
-
- Other names: Happy Birthday Joshi
-
- Virus Type: File Infector Virus
-
- Virus Length: N/A
-
- Executing Procedure:
- 1) The virus checks whether it is
- already loaded resident in memory.
- If "No", it then loads itself into
- resident memory by hooking INT 21h.
- 2) It then executes the original file.
- 3) With itself loaded into resident
- memory it will infect any uninfected
- file that is executed.
-
- Damage: Infects every executable file.
-
- Detecting Method: The first "Joshi" virus was
- found in India in June 1990.
- It is a very popular virus in
- India. Virus remains resident
- in boot sector or in FAT area.
- Every January 5, the virus
- displays: "Type Happy Birthday
- Joshi." All will return to
- normal if user types above
- message. System memory decreases
- by 6KB when virus is resident.
-
- Note: Loads itself resident in memory. An error
- message occurs if there is an I/O error
- (such as write protect).
-
- [NOV17]
- Virus Name: November 17th
-
- Other names: None
-
- Virus Type: Parasitic Virus
-
- Virus Length: 885 bytes
-
- Executing Procedure:
- 1) The virus checks whether it is
- already loaded resident in memory.
- If "No", it then loads itself into
- resident memory by hooking INT 21h.
- 2) It then executes the original file.
- 3) With itself loaded into resident
- memory it will infect any uninfected
- file that is executed.
-
- Damage: Infects every executable file.
-
- Detecting Method: It will be resident in memory,
- and infects all .COM files.
-
- Note: Loads itself resident in memory. An error
- message occurs if there is an I/O error
- (such as write protect).
-
- [PRUDENTS]
- Virus Name: Prudent
-
- Other names: 1210
-
- Virus Type: File Infector Virus
-
- Virus Length: .EXE 1210 bytes
-
- Executing Procedure:
- 1) The virus checks whether it is
- already loaded resident in memory.
- If "No", it then loads itself into
- resident memory by hooking INT 21h.
- 2) It then executes the original file.
- 3) With itself loaded into resident
- memory it will infect any uninfected
- file that is executed.
- 4) It doesn't infect .COM files.
-
- Damage: Overwrites the original file.
-
- Detecting Method: From May 1-4, virus will
- frequently check the disk.
-
- Note: 1) Loads itself resident in memory. An error
- message occurs if there is an I/O error
- (such as write protect).
-
- [LEHIGH]
- Virus Name: Lehigh
-
- Other names: None
-
- Virus Type: Parasitic Virus (infects COMMAND.COM
- only)
-
- Virus Length: 555 bytes
-
- Executing Procedure:
- 1) The virus checks whether it is
- already loaded resident in memory.
- If "No", it then loads itself into
- resident memory by hooking INT 21h.
- 2) Then, when a disk is accessed, if
- COMMAND.COM is uninfected it will
- immediately infect it, then execute
- the original file.
- 3) With itself loaded into resident
- memory it searches for and infects
- any uninfected file that is executed.
- 4) It doesn't infect .EXE files.
-
- Damage: 1) Infects the diskette COMMAND.COM file
- and increases it by 555 bytes.
- 2) After the infection count passes
- four, the current disk will be
- trashed.
-
- [GP1]
- Virus Name: Gp1
-
- Virus Type: Network Specific Virus
-
- Virus Length: .EXE 1557 bytes. .COM 1845 bytes.
-
- Executing Procedure:
- 1) The virus checks whether it is
- already loaded resident in memory.
- If "No", it then loads itself into
- resident memory by hooking INT 21h.
- 2) It then executes the original file.
- 3) With itself loaded into resident
- memory it will infect any uninfected
- file that is executed.
-
- Symptoms: If the virus is active in memory and if
- the first character on the command line
- is NOT the letter "i", the virus will
- remove itself from the operating memory
- (this will work only if the virus is the
- last TSR to change interrupt vector 21h).
- The virus even displays the message
- "GP1 Removed from memory."
-
- Damage: The virus is the only LAN virus to ever be
- discovered. This unique virus is a
- modification of the Jerusalem virus and
- was created for one special purpose: to
- penetrate Novell security features and
- to spread inside the network. The virus
- does not contain any manipulation (if we
- do not count the monitoring of Novell
- LOGIN and the attempts to break the
- Novell security features).
-
- [4096]
- Virus Name: Virus 4096
-
- Virus Type: File Infector Virus
-
- Virus Length: 4096 bytes
-
- Executing Procedure:
- A boot sector should be modified if the
- system date is greater than September
- 21. The text "FRODO LIVES" should then
- appear on the screen after booting from
- a modified disk. The virus code is
- corrupted, so when you run the infected
- file after September 21, the system
- areas will not be modified, but the
- virus will cause the system to crash.
-
- Damage: Virus infects .COM files which are shorter
- than 61440 bytes and .EXE files. As an
- infection flag, it takes the year in the
- file's time stamp and increases it by 100
- years. (DOS reports only the last two
- digits, so this is not easily noticed
- when, for example, the "DIR" command is
- executed.)
-
- Detection Method: The virus increases infected
- file size by 4096 bytes. The
- operating memory is decreased
- by about 6 KB.
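
The year-plus-100 flag described for Virus 4096 can be checked in a raw FAT directory, because the on-disk date word stores the full year even though DIR prints only two digits. The Python sketch below is an added example, not part of the original catalogue; the function names are hypothetical, the directory entries are constructed sample data, and the standard 32-byte FAT12/16 entry layout is assumed.

```python
import struct

# 32-byte FAT12/16 directory entry: name, ext, attr, reserved,
# time, date, first cluster, size (little-endian). Assumed layout.
DIRENT = struct.Struct("<8s3sB10sHHHI")
VIRUS_LEN = 4096           # size increase stated in the catalogue entry
YEAR_SHIFT = 100           # years added to the time stamp as the flag
ATTR_SKIP = 0x08 | 0x10    # volume label / long-name slots, subdirectories


def decode_fat_date(raw):
    """Split the 16-bit FAT date word into (year, month, day)."""
    return 1980 + (raw >> 9), (raw >> 5) & 0x0F, raw & 0x1F


def encode_fat_date(year, month, day):
    return ((year - 1980) << 9) | (month << 5) | day


def dir_year(year):
    """Two-digit year, as the DOS DIR command prints it."""
    return "%02d" % (year % 100)


def scan_directory(raw):
    """Return .COM/.EXE entries whose stored year carries the +100 flag."""
    findings = []
    for off in range(0, len(raw) - DIRENT.size + 1, DIRENT.size):
        name, ext, attr, _, _, date, _, size = DIRENT.unpack_from(raw, off)
        if name[0] == 0x00:                      # end-of-directory marker
            break
        if name[0] == 0xE5 or attr & ATTR_SKIP:  # deleted or not a file
            continue
        year, _, _ = decode_fat_date(date)
        flagged = year >= 1980 + YEAR_SHIFT      # FAT years start at 1980
        if ext in (b"COM", b"EXE") and flagged and size > VIRUS_LEN:
            findings.append({
                "name": name.decode("ascii", "replace").rstrip()
                        + "." + ext.decode("ascii").rstrip(),
                "stamped_year": year,
                "likely_year": year - YEAR_SHIFT,
                "dir_shows": dir_year(year),
                "clean_size": size - VIRUS_LEN,  # size before the increase
            })
    return findings


def make_entry(name, ext, date, size, attr=0x20):
    """Build one constructed directory entry for the sample below."""
    return DIRENT.pack(name.ljust(8).encode("ascii"),
                       ext.ljust(3).encode("ascii"),
                       attr, bytes(10), 0, encode_fat_date(*date), 2, size)


# Constructed sample directory (not taken from a real disk).
SAMPLE_DIR = b"".join([
    make_entry("FORMAT", "COM", (1991, 4, 9), 22717),
    make_entry("CHKDSK", "COM", (2091, 4, 9), 16200 + VIRUS_LEN),
    b"\xe5" + make_entry("OLD", "COM", (2090, 1, 1), 9000)[1:],  # deleted
    make_entry("NOTES", "TXT", (2091, 4, 9), 9000),   # not an executable
    make_entry("EDIT", "EXE", (1993, 3, 10), 413),
]) + bytes(DIRENT.size)                               # terminator entry

if __name__ == "__main__":
    for hit in scan_directory(SAMPLE_DIR):
        print(hit)
```

A hit is a heuristic only: any executable legitimately stamped 2080 or later is flagged as well, so treat matches as candidates for a closer look.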
-
- [USSR-516]
- Virus Name: USSR
-
- Other Names: 570, 8-17-88, 2:08a
-
- Virus Type: Parasitic Virus
-
- Virus Length: 570 bytes
-
- Symptom: Infects .EXE files. Increases file size
- by 570 to 585 (570+15) bytes. (The next
- multiple of 16 of the original file size
- plus 570). The date and time in the file's
- directory entry is set to 8-17-88 and
- 2:08a.
-
- Damage: Writes one sector to the boot sector of
- drive C: then halts the system.
-
- [Vienna]
- Virus Name: Vienna
-
- Other Names: 648, PC Boot, Austrian virus
-
- Virus Type: Parasitic Virus
-
- Virus Length: 648 bytes
-
- Symptoms: Increases infected file sizes by 648
- bytes; infected files contain the strings
- "*.COM" and "PATH=". Destroyed programs
- will cause computer to reboot while in
- operation.
-
- Damage: With a probability of 1:7 the virus will
- not infect other files. Virus writes the
- instruction JMP F000:FFF0 (computer reboot)
- at the start of such a program. Original
- content is destroyed, length of file is
- not changed, and destroyed program
- contains virus flag.
-
- [V2000]
- Virus Name: V2000
-
- Other Names: 21 century virus
-
- Virus Type: Parasitic Virus
-
- Virus Length: 2000 bytes
-
- Symptoms: Increases infected .COM and .EXE file
- sizes by 2000 bytes. Decreases size of
- free RAM memory by 4KB. Infected files
- contain the following string: "(C) 1989
- by Vesselin Bontchev".
-
- Damage: No damage.
-
- [Bur-560h]
- Virus Name: Bur-560h
-
- Virus Type: Parasitic Virus
-
- Virus Length: Infected COM files do not increase
- (Does not infect EXE files).
-
- PC Vectors Hooked: None
-
- Executing Procedure:
- 1) The virus searches for COM files
- through the current path.
- 2) The virus checks whether the file is
- infected. If the file has been
- infected, the virus continues to
- search till an uninfected file is
- found and then infects it (It infects
- only one file each time).
-
- Damage: The virus infects the files by covering up
- the original files, so the lengths of the
- files do not increase and the functions of
- the original files can not be executed.
-
- Remarks: 1) Non memory resident.
- 2) When infecting files, the virus does
- not hook INT 24h. An error message
- appears when I/O errors occur.
-
- [Dooms-715]
- Virus Name: Dooms-715
-
- Virus Type: Parasitic Virus
-
- Virus Length: Infected COM file sizes increase by
- 715 Bytes (Does not infect EXE
- files).
-
- PC Vectors Hooked: None
-
- Executing Procedure:
- 1) Searches for a COM file in the root
- directory.
- 2) Checks whether the file is infected.
- If yes, continues to search.
- 3) If an uninfected file is found,
- infects it (infects only one file
- each time).
-
- Damage: None
-
- Detecting Method: Detectable if the lengths of
- files increase by 715 Bytes.
-
- Remarks: 1) Non memory resident.
- 2) When infecting files, the virus does
- not hook INT 24h. Error message will
- appear when I/O errors occur.
-
- [JOKER]
- Virus Name: Joker3
-
- Virus Type: Parasitic Virus.
-
- Virus Length: Infected COM file sizes increase by
- 1084 bytes (Does not infect EXE
- files).
-
- PC Vectors Hooked: INT 21h
-
- Executing Procedure:
- 1) Checks if it resides in memory. If
- not, hooks INT 21h, installs itself
- as memory resident and then executes
- the host program.
- 2) If it already resides in memory,
- proceeds to execute the host program
- directly.
-
- Infecting Procedure: The virus infects files via
- INT 21h. When INT 21h is
- called, all the COM files
- in the current directory will
- be infected. When infecting
- files, the virus does not
- hook INT 24h. Error message
- will appear when I/O errors
- occur.
-
- Damage: None
-
- Detecting Method: Detectable if the files increase
- by 1084 bytes.
-
-
- [Friday_13th]
- Virus Name: Fri-13-D
-
- Virus Type: COM File infector
-
- Virus Length: 416 bytes
-
- Executing Procedure:
- When an infected program is executed,
- it will infect all COM files (except
- COMMAND.COM) in the current directory
- (it does not infect the same file
- again). It then checks whether the
- current day is the 13th and a Friday.
- If it is, it deletes itself and then
- goes back to the original routine.
-
- Damage: An infected program will delete itself
- when you run it on Friday the 13th.
-
- Detecting Method: 1) Date and time of infected
- files changed.
- 2) Infected files will increase
- by 416-431 bytes.
-
- [PCBB]
- Virus Name: Pcbb
-
- Virus Type: Memory resident, COM File infector
-
- Virus Length: 3+(1675-1687) bytes
-
- Executing Procedure:
- It will decode its latter half section
- first, then check whether it is already
- resident in memory. If not, it will move
- itself to high memory, then hook INT 21h,
- INT 09h, INT 1Ch and go back to run the
- original routine. Infection happens when
- executing a program, copying a file,
- changing a file's attribute, opening a
- file, closing a file, and renaming a file
- (AH=56h). When it infects a file, it
- first checks the current day of the week.
- There are seven encoding modes, selected
- according to that day. It does not infect
- the same file again, and the length of
- infectable files must be between 16 bytes
- and 61440 bytes.
-
- Symptom: When virus breaks out, the screen displays
- nothing every time the keystroke counter
- reaches 957. At that point, it resets the
- counter and continues counting. You can
- press Alt, Control and Shift (left &
- right) all together to make the screen
- display again.
-
- Damage: None
-
- Note: It stays resident in memory (It will take
- 4K bytes).
-
- Detecting Method: 1) Date and time of infected
- files changed.
- 2) Infected files will increase
- by 1675,1677,1679,1679,1680,
- 1683,1687 bytes according to
- the current day of the week
- (from Sunday to Saturday).
- 3) "PCBB" is attached to the end
- of infected file.
-
- [SILENT_LAMB]
- Virus Name: The Silence Of The Lamb!
-
- Virus Type: Memory resident, COM File infector
-
- Virus Length: 555 bytes
-
- Executing Procedure:
- 1) Checks whether it is still in the
- last memory block. If not, it will
- stay resident in high memory and
- returns to original routine. The
- method of infection is: First,
- encodes first 200h bytes of original
- file and attaches them and decoded
- codes to the end of the file. Then
- encodes virus code and writes them
- into first 200h bytes of the file.
-
- 2) Vectors hooked: Hooks INT 21H(AH=4Bh)
- to infect files. First, it will hook
- INT 24h to prevent divulging its
- trace when writing, then checks
- whether the program to be executed is
- an uninfected COM file (Length is
- between 0400h and FA00h bytes). If it
- is, it infects it. Finally, virus
- restores INT 24h.
-
- Damage: None
-
- Note: Date and time of infected files do not
- change.
-
- Detecting Method:
- 1) Call INT21h (AH=2Dh,CH=FFh,DH=FFh) to
- return value AH. If AH=00h, memory
- has been infected. If AH=FFh, memory
- has not been infected.
- 2) If word at address 0002 of COM file
- is 5944h, memory has been infected.
- After the virus code has been
- decoded, there is a text at addresses
- 01E6h to 01EFh. The text is "The
- Silence of The Lamb!$".
- 3) Total memory decreases by 1568 bytes.
-
- [WOLF_MAN]
- Virus Name: Wolf-Man
-
- Virus Type: Memory Resident, COM & EXE File
- infector
-
- Virus Length: 2064 bytes
-
- Executing Procedure:
- 1) Checks whether it remains resident in
- memory. If not, it will stay resident
- in memory. Then checks whether
- current calendar day is 15. If it is,
- virus will manifest itself. Otherwise,
- hooks INT 09H, INT 10H, INT 16H, INT
- 21H and goes back to the original
- routine.
-
- Vectors hooked: Hooks INT 21H to infect files. It
- will check whether the program to
- be executed is an infectable file
- (Except COMMAND.COM), and then
- proceeds to infect it (The
- infectable file length must be
- larger than 1400 bytes). Hooks INT
- 9h, INT 10h to check whether
- something in program has changed.
- If it has, virus will manifest
- itself.
-
- Symptoms: Displays a message. Overwrites current
- diskette with virus code until there is
- no more free space. Delays 30 seconds
- and proceeds to reboot system.
-
- Damage: Destroys all data on current diskette.
-
- Note: 1) Procedure for displaying the virus
- message is designed for Herc display
- card. Therefore, system halts if it is
- run on a color display card. This, in
- turn, can prevent destruction of the
- hard disk.
- 2) Virus procedure contains "WOLFMAN" text.
-
- Detecting Method:
- 1) Infected file sizes increase by 143
- bytes.
- 2) Checks whether an executed program
- remains resident in memory (it will
- occupy approx. 65.6K bytes) by using
- MEM.EXE program.
-
- [Story]
- Virus Name: Story-A
-
- Virus Type: COM File infector
-
- Virus Length: 1117 bytes
-
- Executing Procedure:
- 1) Searches from root directory and all
- subdirectory to find 3 uninfected COM
- (Except COMMAND.COM) files, and then
- infects them (It does not infect same
- file twice). Then holds the order of
- every infected file. Then checks if
- the order of current infected file is
- larger than 7, or if current date is
- July 9. If either of these two
- conditions is met, virus will be
- triggered.
-
- Vectors hooked: Hooks INT 08H to accumulate system
- time.
-
- Symptoms: Does not execute infection procedure,
- stays resident in memory. Then hooks INT
- 08h. 290 seconds later, a message
- displays in inverse mode repeatedly in
- 22-second cycles.
-
- Note: Date and time of infected files do not
- change.
-
- Detecting Method:
- 1) Memory: a) Total system memory
- decreases. b) Virus might be
- triggered if first 4 bytes of segment
- (Before free memory) are FFh,26h,04h,
- 01h.
- 2) File: a) Infected file sizes increase
- by 1117 bytes. b) First 4 bytes of
- infection are FFh,26h,04h,01h.
-
- [MS-DOS_3.00]
- Virus Name: Ms-Dos3.0
-
- Virus Type: COM File infector
-
- Virus Length: 953 bytes
-
- Executing Procedure:
- 1) Checks whether it has remained
- resident in memory. If not, it will
- stay resident in high memory. Then
- hooks INT 21h and returns to the
- original routine.
-
- Vectors hooked: Hooks INT 21H (AH=3Dh,AX=4B00h) to
- infect files. If the program to be
- executed or opened is an
- uninfected COM file (Except
- COMMAND.COM) and its length is not
- larger than FB00h, virus proceeds
- to infect it. The method of
- infection is: writes a total of
- 35Dh bytes (1Ch bytes are its head,
- first 3B9h bytes of file) to the
- end of file, then overwrites its
- first 3B9h bytes with virus codes.
- If the program to be executed or
- opened is an uninfected EXE file
- and its length is not larger than
- 4000h, virus infects it. The
- method of infection is: after
- filling the left bytes of segment,
- it will attach a total of 3F1h
- bytes (virus codes(3B9h)+data in
- original file(1Ch)+head of
- file(1Ch)) to the end of file,
- then changes the pointer in head
- to virus procedure.
-
- Damage: None
-
- Note: 1) Date and time of infected files do not
- change.
- 2) Stealth type virus: restores infected
- file information when virus is in system
- memory.
- Detecting Method:
- 1) Memory: a) Total system memory
- decreases by 7A0h bytes. b) Memory
- might be infected if AX=9051h (AX is
- a return value when INT 21h(AH=B3h)
- called).
- 2) File: a) Infected COM file sizes
- increase by 500 bytes. b) Infected
- EXE file sizes increase by 1009-1024
- bytes. c) Use DEBUG to load an
- infected file.
-
- [EVILGEN]
- Virus Name: Evilgen
-
- Virus Type: COM & EXE File infector
-
- Virus Length: 955 bytes(Version 1.1) , 963
- bytes(Version 2.0)
-
- Executing Procedure:
- 1) Checks whether it has remained
- resident in memory. If not, it will
- stay resident in high memory. Then
- hooks INT 21h, INT 09h and goes back
- to the original routine. It will
- check if current day is 24 and if the
- 'Del' key is being pushed down. If so,
- virus will be triggered.
-
- Vectors hooked: Hooks INT 21H(AX=4B00h) to infect
- files. If the program to be
- executed is an uninfected EXE or
- COM file, virus proceeds to infect
- it. Hooks INT 09h to check whether
- the 'Del' key is being pushed
- down.
-
- Symptom: Selects a sector, then formats the sector
- from head 0,track 0 to head 0, track 20h
- on C diskette.
-
- Damage: Virus will sometimes destroy C diskette.
-
- Note: 1) Date and time of infected files do not
- change.
- 2) While memory has been infected, typing
- "Dir" does not reveal changes in file
- length.
- Detecting Method:
- 1) Memory: a) Total system memory
- decreases. b) COMMAND.COM on root
- directory on C diskette has been
- infected if BX=9051h(BX is a return
- value when INT 21h(AX=7BCDh) called).
- c) The pointers of INT 21h and INT
- 09h are the same.
- 2) File: Infected file sizes increase by
- 955 bytes (Version 1.1) or 963 bytes
- (Version 2.0). Changes in file sizes
- are apparent only when memory has not
- been infected.
-
- [PCBB11]
- Virus Name: Pcbb11
-
- Virus Type: EXE & COM File infector
-
- Virus Length: 3052 bytes
-
- Executing Procedure:
- 1) Checks whether it has remained
- resident in memory. If not, it will
- stay resident in high memory. Then
- hooks INT 21h and goes back to
- original routine.
-
- Vectors hooked: Hooks INT 21H(AH=4Bh) to infect
- files. First, it will hook INT 24h
- to prevent divulging its trace
- when writing. If the program to be
- executed is an uninfected COM or
- EXE file, virus proceeds to infect
- it.
-
- Damage: ?
-
- Detecting Method: Infected file sizes increase by
- 3052 bytes.
-
-
- [PCBB-3072]
- Virus Name: Pcbb3072
-
- Virus Type: EXE & COM File infector
-
- Virus Length: 3072 bytes
-
- Executing Procedure:
- 1) Checks whether it has remained
- resident in memory. If not, it will
- stay resident in high memory. Then
- hooks INT 21h and goes back to
- original routine.
-
- Vectors hooked: Hooks INT 21H(AH=4Bh) to infect
- files. First, it will hook INT 24h
- to prevent divulging its trace
- when writing. If the program to be
- executed is an uninfected COM or
- EXE file, virus proceeds to infect
- it.
-
- Damage: ?
-
- Detecting Method: Infected file sizes increase by
- 3072 bytes.
-
-
- [INVISIBLE_MAN]
- Virus Name: INVISIBLE MAN
-
- Virus Type: Virus infects .COM and .EXE files,
- Partition record, and the Boot record.
- Virus is a Memory Block Resident.
-
- Virus Length: 2926 Bytes on file and D80h Bytes in
- memory.
-
- Interrupt Vectors Hooked: INT 21h
-
- Infection Process:
- This virus can spread by executing an
- infected program or by booting the
- system from an infected Disk. There
- are several different methods of
- infection:
-
- 1) When an INVISIBLE MAN infected
- program is executed it will:
-
- A. Infect the hard disk partition
- table:
-
- (i) Write the virus body to the last
- 7 sectors of the active hard disk.
-
- (ii) The ending location of the active
- hard disk will be decreased by 7
- sectors.
-
- (iii) Write the virus loader to the
- partition sector. This sector will
- be encrypted.
-
- B. Modify the boot sector: It will
- change the total sector numbers
- message, which will be seven less
- than the original figure.
-
-
- Damage: Virus displays message and plays music on
- system speaker.
-
- Symptoms: Loss of data stored in the last 7
- sectors of the hard disk; increased file
- sizes. File sizes increase by 2926 bytes.
- Virus displays the following message:
- "I'm the invisible man, I'm the
- invisible man, Incredible how you can
- See right through me." Virus also plays
- music on system speaker.
-
- Note:
-
-
- [Fish-1100]
- Virus Name: Fish-1100
-
- Virus Type: COM File infector
-
- Virus Length: 1100 bytes
-
- Executing Procedure:
- 1) Virus checks whether it has stayed
- resident in memory. If not, it will
- stay resident in high memory. Then
- hooks INT 21h and goes back to
- original routine.
-
- Vectors hooked: Hooks INT 21H(AH=4Bh) to infect
- files. First, it will hook INT 24h
- to prevent divulging its trace
- when writing. If the program to be
- executed is an uninfected COM file,
- virus proceeds to infect it.
-
- Damage: None
-
- Detecting Method: Infected file sizes increase by
- 1100 bytes.
-
- [Fish-2420]
- Virus Name: Fish-2420
-
- Virus Type: COM File infector
-
- Virus Length: 2420 bytes
-
- Executing Procedure:
- 1) Virus checks whether it has stayed
- resident in memory. If not, it will
- stay resident in high memory. Then
- hooks INT 21h and goes back to
- original routine.
-
- Vectors hooked: Hooks INT 21H(AH=4Bh) to infect
- files. First, it will hook INT 24h
- to prevent divulging its trace
- when writing. If the program to be
- executed is an uninfected COM file,
- virus proceeds to infect it.
-
- Damage: None
-
- Detecting Method: Infected file sizes increase by
- 2420 bytes.
-
- [JULY_4]
- Virus Name: July 4, Stupid 1
-
- Virus Type: COM File infector
-
- Virus Length: 743 bytes
-
- Executing Procedure:
- 1) If word at address 0000:01FEh is
- FFFFh, virus will not infect any
- file.
- 2) When virus infects files, it will
- infect all uninfected COM files in
- current directory. If the number of
- infections is less than 2, it will go
- on infecting all COM files in upper
- directory until the number is larger
- than 2 or it has reached root
- directory. It will check whether
- current date is July 4 and that
- current time is either 0:00am,
- 1:00am, 2:00am, 3:00am, 4:00am, or
- 5:00am. If any of these times is
- met, virus will proceed to destroy
- data on current diskette.
-
- Detecting Method:
- 1) Date and time of infected files
- changed.
- 2) Byte at 0003h of infected COM file
- is 1Ah.
- 3) Infected COM file displays the
- following message: "Abort, Retry,
- Ignore, Fail?", "Fail on INT 24"
- (2) - "Impotence error reading users
- disk" (0) - "Program too big to fit
- in memory" (1) - "Cannot load
- COMMAND, system halted" (3) "Joker!"
- and "*.com".
- 4) Virus will display the above message
- when executing an infected file.
-