PC World Komputer 1998 September

home *** CD-ROM | disk | FTP | other *** search

/ PC World Komputer 1998 September / PC_World-1998_09-CD2.iso / Win95adv / W95ADV.2 / COMMON.VIR < prev next >

Wrap

Text File | 1995-07-21 | 66.1 KB | 2,152 lines

[DEFINE] Virus Name: Define-1 Virus Type: File Infector Virus (infects .EXE & .COM files) Virus Length: No change PC Vectors Hooked: None Executing Procedure: 1) Searches for an .EXE or .COM file in the current directory. 2) Once it locates a file it checks whether it has been infected by Define-1. If "Yes", it continues to look for another uninfected .COM or .EXE file. 3) It infects only one file at a time. Damage: Overwrites original file, so the length of infected file won't increase. Note: 1) Doesn't stay resident in memory. 2) Define-1 doesn't hook INT 24h when infecting files. Error message occurs if there is an I/O error (such as write protect). [DISMEMBER] Virus Name: Dismember Virus Type: File Infector Virus (infects .COM files) Virus Length: 288 Bytes(COM) PC Vectors Hooked: None Executing Procedure: 1) Searches for a .COM file in the current directory. 2) Once it locates a .COM file it checks whether it has been infected by Dismember. If "Yes", it continues to search for an uninfected .COM file. 3) It then infects all .COM files in the directory. 4) Finally, it executes the originally called file. Damage: None Detecting Method: Infected files will increase by 288 Bytes. Note: 1) Doesn't stay resident in memory. 2) Dismember doesn't hook INT 24h when infecting files. Error message occurs if there is an I/O error (such as write protect). [TIMID] Virus Name: Timid Virus Type: File Infector Virus (infects .COM files) Virus Length: 306 Bytes(COM) PC Vectors Hooked: None Executing Procedure: 1) Searches for a .COM file in the current directory. 2) Once it locates a file it checks whether it has been infected by Timid. If "Yes", it continues to search for a uninfected .COM file. 3) It then infects one file at a time and displays the infected file name on the screen. 4) Once the file is executed the system will halt. Damage: Damages original file. Detecting Method: 1) Infected files will increase by 306 Bytes. 2) Other file names are shown on the screen. Note: 1) Doesn't stay resident in memory. 2) Timid doesn't hook INT 24h when infecting files. Error message occurs if there is an I/O error of (such as write protect). [ITTI-A] Virus Name: Itti-A Virus Type: File Infector Virus (infects .COM files) Virus Length: No change PC Vectors Hooked: None Executing Procedure: 1) Searches for a .COM file in the current directory. 2) Once it locates a .COM file it checks whether it has been infected by ITTI -A. If "Yes", it continues to look for any uninfected .COM file. 3) It infect only one file at a time. Then when the file is executed the message "EXEC FAILURE" will show on the screen. 4) It will finally damage all data on current disk if no .COM file is infected. Damage: 1) Overwrites original file, so the length of infected file won't increase. 2) Damages all data on current disk if no .COM file is infected. Note: 1) Doesn't stay resident in memory. 2) ITTI-A doesn't hook INT 24h when infecting files. Error message occurs if there is an I/O error (such as writing protect). [BURGER_560] Virus Name: Burger Virus Type: File Infector Virus (infects .COM files) Virus Length: No change PC Vectors Hooked: None Executing Procedure: 1) Search for a COM file in current directory. 2) Check whether it has been infected by Burger. If "Yes", continue to look for a uninfected com file. 3) Infect only an uninfected file at one time. 4) Damage all data of current disk if no com file is infected. Damage: 1) Overwrite original file, so the length of infected file won't increase. 2) Damage all data of current disk if no com file is infected. Note: 1) Don't stay resident in memory. 2) Burger don't hook INT 24h when infecting files. Error message occurs if there is an error of I/O(such as writing protect). [WHY] Virus Name: Why Virus Type: File Infector Virus (infects .COM files) Virus Length: 457 Bytes(COM) PC Vectors Hooked: None Executing Procedure: 1) Searches for a .COM file in the current directory. 2) Once it locates a file it checks whether it has been infected by Why. If "Yes", it continues to look for any uninfected .COM file. 3) It will infect only one file at a time. 4) It then checks the system date. If the date is the 12th of May or the 25th of February, the virus will damage all files on the hard disk. Damage: If system date is May 12th or February 25th,the virus will damage all files on the hard disk. Detecting Method: 1)Infected files will increase by 457 Bytes. Note: 1) Doesn't stay resident in memory. 2) "Why" doesn't hook INT 24h when infecting files. Error message occurs if there is an I/O error (such as write protect). [BROTHERS-2] Virus Name: Brothers-2 Virus Type: File Infector Virus (infects .COM files) Virus Length: 693 Bytes(COM) PC Vectors Hooked: None Executing Procedure: 1) Checks whether the system date is between the 11th and 25th, November or December, if "Yes", show the message: "Brotherhood... I am seeking my brothers "DEICIDE" and "MORGOTH", then execute original file. 2) If "NO', then it searches for a .COM file in the current directory. 3) Once it locates a file it checks whether it has been infected by Brothers-2. If "Yes", it continues to look for any uninfected .COM file. 4) It will check whether the second word of the .COM file is "0xADDE", if "yes", it will show such message: 'Found my brother "MORGOTH"!!!. then execute original file. 5) It will also check whether the second word of the .COM file is "0x0D90",if "yes", it will show such message: 'Found my brother "DEIGOTH"!!!. then execute original file. 5) If "NO", then it will infect .COM files one at a time. 6) It will execute original file. Damage: None Detecting Method: 1) Infected files will increase by 693 Bytes. Note: 1) Doesn't stay resident in memory. 2) Brothers-2 doesn't hook INT 24h when infecting files. Error message occurs if there is an I/O error (such as write protect). [DEST2] Virus Name: DEST2 Virus Type: File Infector Virus (infects .COM files only) Virus Length: 478 Bytes PC Vectors Hooked: INT 24h Executing Procedure: 1) Searches for a COM file in the current directory. 2) It checks whether it has been infected by Dest2. If "Yes", it continues to look for an uninfected .COM file. 3) It then infects the .COM file. 4)It finally executes the original file. Damage: If kill-flag=-1, then deletes a file. Detecting Method: Infected files will increase by 478 Bytes. Note: 1) Doesn't stay resident in memory. 2) Dest2 hook INT 24h when infecting files. Omits an I/O error (such as write protect). [AIRCOP] Virus Name: AIR-COP Virus Type: Boot Infector Virus Length: None PC Vectors Hooked: None Executing Procedure: When you execute the program, it will write the virus to boot sector of "A:" Damage: Overwrites boot sector of "A:". Detecting Method: None. [BURGER_560] Virus Name: BURGER_560-8 Virus Type: File Infector Virus (infects .COM files) Virus Length: No change PC Vectors Hooked: None Executing Procedure: 1) Searches for a .COM file in "A:". 2) It checks whether it has been infected by Burger_560-8. If "Yes", it continues to look for an uninfected .COM file. 3) It then infects an uninfected file one at a time. 4) If no .COM file is infected, it will continue to look for an .EXE file in "A:". 5) It finally rename the .EXE file to .COM , then it infects the .COM file. Damage: Overwrites the original file, so the length of infected file won't increase. Detecting Method: 1) Changes .EXE file into a .COM file Note: 1) Doesn't stay resident in memory. 2) Burger_560-8 don't hooks INT 24h when infecting files. Error message occurs if there is an I/O error (such as write protect). [BOYS] Virus Name: BOYS Virus Type: File Infector Virus (infects .COM files) Virus Length: 500 Bytes(COM) PC Vectors Hooked: None Executing Procedure: 1) It searches for an .EXE file, it then changes the attributes into "SYSTEM". 2) It searches for a .COM file in the current directory. 3) It then checks whether it has been infected by Boys. If "Yes", it continues to look for an uninfected .COM file. 4) It infects only an uninfected file at one time, and changes the attribute into "READ-ONLY". 5) Finally it executes the original file. Damage: None. Detecting Method: Infected files will increase by 500 Bytes. Note: 1) Doesn't stay resident in memory. 2) Boys doesn't hook INT 24h when infecting files. An error message occurs if there is an I/O error (such as write protect). [NULL] Virus Name: NULL Virus Type: File Infector Virus (infects .COM files) Virus Length: 733 Bytes(COM) PC Vectors Hooked: None Executing Procedure: 1) It first decodes. 2) Then it searches for a .COM file in the current directory. 3) It checks whether it has been infected by Null. If "Yes", it continues to look for an uninfected .COM file. 4) It infects only one file at a time. 5) It then executes the original file. 6) If it can not infect a .COM file, then it checks whether the DAY =30. If "yes", it destroys all the data on the disk, then shows the message: "Your disk is dead! long life doomsday 1.0 " Damage: IF DAY = 30 , then destroy all data on current disk. Detecting Method: Infected files will increase by 733 Bytes. Note: 1) Doesn't stay resident in memory. 2) Null doesn't hook INT 24h when infecting files. An error message occurs if there is an I/O error (such as write protect). [BIT_ADDICT] Virus Name: BIT-ADDICT Virus Type: Memory Resident, File Infector Virus (infects .COM files). Virus Length: 477 Bytes (COM) PC Vectors Hooked: INT 21h Infecting Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself into resident memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded into resident memory it will infect any uninfected file that is executed. 4) It doesn't infect .EXE files. Damage: When the virus infects 100 files, it will destroy all data on the hard disk, then show the message: "BIT ADDICTMZ> .... The Bit Addict says: You have a good tasting hard disk, it was delicious !!!" Detecting Method: Infected files increase by 477 Bytes. Note: The Bit-Addict virus doesn't hook INT 24h when infecting files. An error message occurs if there is an I/O error (such as write protect). [NOV17] Virus Name: NOV_17-1 Virus Type: Highest Memory Resident, File Infector Virus (infects .COM & .EXE files). Virus Length: 768 Bytes (COM & EXE) PC Vectors Hooked: INT 21h (AX=4B00h) (execute program) Infecting Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself into resident memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded into resident memory it will infect any uninfected file that is executed. Damage: None. Detecting Method: 1) Infected files increase by 768 Bytes. Note: The NOV_17-1 virus doesn't hook INT 24h when infecting files. An error message occurs if there isan I/O error (such as write protect). [SANDWICH] Virus Name: SANDWICH Virus Type: Highest Memory Resident, File Infector Virus (infects .COM files). Virus Length: 1172 Bytes (COM) PC Vectors Hooked: INT 21h (AX=4B00h) (execute program) Infecting Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself into resident memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded into resident memory it will infect any uninfected file that is executed. b) It doesn't infect .EXE files. Damage: None. Detecting Method: 1) Infected files increase by 1172 Bytes. Note: The Sandwich virus doesn't hook INT 24h when infecting files. An error message occurs if there is an I/O error (such as write protect ). [GOTCHA] Virus Name: GOTCHA Virus Type: Highest Memory Resident, File Infector Virus (infects .COM & .EXE files). Virus Length: 906 Bytes (COM & EXE) PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h Infecting Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself into resident memory (highest memory) by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded into resident memory it will infect any uninfected file that is executed. 4) It also infects when a file is renamed, file attributes are set, search for a matching file or deleting a file. Damage: None. Detecting Method: Infected files increase by 906 Bytes. Note: The Gotcha virus hooks INT 24h when infecting files. Omits I/O error (such as write protect). [PCBB] Virus Name: PCBB-B Virus Type: Highest Memory Resident, File Infector Virus (infects .COM & .EXE files). Virus Length: 3072 Bytes (COM & EXE) PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h Infecting Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself into resident memory (highest memory) by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded into resident memory it will infect any uninfected file that is executed. Damage: None. Detecting Method: Infected files increase by 3072 Bytes. Note: The PCBB virus hooks INT 24h when infecting files. It omits I/O errors (such as write protect). [CANNA615] Virus Name: CANNA615 Virus Type: Highest Memory Resident, File Infector Virus (infects .COM & .EXE files). Virus Length: 1568 Bytes (COM & EXE) PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h Infecting Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself into resident memory by hooking INT 21h. 2) It then checks whether system date is Friday, and the seconds of the system time is zero, if "Yes", then a message and a picture appear on the screen: "LEGALIZE CANNA615" and a picture of a hemp leaf. 3) It then executes the original file. 4) With itself loaded into resident memory it will infect any uninfected file that is executed. Damage: None. Detecting Method: Infected files increase by 1568 Bytes. Note: The Canna615 virus hooks INT 24h when infecting files. It omits I/O error (such as write protect). [BRAIN] Virus Name: BRAIN2 Virus Type: Memory Resident, File Infector Virus (infects .COM & .EXE files). Virus Length: 1935 Bytes (COM & EXE) PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h, INT 1Ch Infecting Procedure: 1) It checks whether the system date is the 17th of November or the 6th of February, if "Yes", it will show some messages and play music. 2) The virus then checks whether it is already loaded resident in memory. If "No", it then loads itself into resident memory by hooking INT 21h. 3) It then executes the original file. 4) It then checks whether the system date is the 1st of February, July, September or December, If "yes", the virus will show a flash square by hooking INT 1Ch.. 5) With itself loaded into resident memory it will infect any uninfected file that is executed. Damage: None. Detecting Method: Infected files increase by 1935 Bytes. Note: The Brain2 virus hooks INT 24h when infecting files. It omits I/O errors (such as write protect). [FIRE] Virus Name: Fire Virus Type: Trojan Virus Length: 4304 Bytes PC Vectors Hooked: INT 24h Damage: Destroys all data on all disks if drives are ready, then it makes a sound. Detecting Method: Check whether there are files with 4304 Bytes. Note: 1) Doesn't stay resident in memory. 2) Doesn't infect any files or partition or boot sector. 3) The Fire virus hooks INT 24h when destroying, it omits I/O errors ( such as write protect). [YONYU] Virus Name: YONYU Virus Type: Boot Sector and Partition Infector Virus Length: None. PC Vectors Hooked: INT 13h Executing Procedure: 1) A decrease of 1K Bytes in total system memory when the system is booted from an infected disk. 2) It will load itself in the last 1K bytes of resident memory. 3) It then hooks INT 13h. 4) When you boot the machine as usual and you READ and WRITE" to a file the YONYU virus will hook INT 13H and infect the diskette. Damage: None. Detecting Method: Decreases total memory size, 1K Bytes. Note: 1) YONYU doesn't hook INT 24h when infecting files. It omits I/O errors (such as write protect). [Dir2_910] Virus Name: DIR2-910 Virus Type: File Infector Virus (infects .COM & .EXE files) Virus Length: 1024 Bytes PC Vectors Hooked: None Executing Procedure: 1) When the virus loads itself resident in memory it will change the directory structure data, so that certain executable files are link to itself. 2) This makes it so that when you execute a file that the DIR2-910 virus has linked to it also is executed. At this point it can begin to infect other files. 3) The virus stays resident in memory but doesn't hook any interrupts. It uses another function to infect files . It infects .COM &.EXE files when they are "READ & WRITE". Damage: When all the .COM & .EXE files been infected on a disk, then it will not be possible to execute any files from the disk. Detecting Method: Check the disk by using "CHKDSK.EXE", if some files are crossed -- linked to the same position, then these files must be infected. Note: DIR2-910 doesn't hook INT 24h when infecting files. It omits I/O errors (such as write protect). [FLIP] Virus Name: FLIP Virus Type: Multi-partite. An infector of all programs being used, either .EXE or .COM., when .COM original file length is not greater than 63,046 (F646h) bytes. Virus Length: 2672 bytes Interrupt Vectors Hooked: INT 21h Infection Process: This virus can be spread by executing an infected program or from booting the system with an infected disk. There are several methods of infection. 1) Infection of a clean system by an infected program. When an infected program is executed in a clean system, the virus will copy itself in the last side of the last cylinder, beginning from the 5th last sector to the 1st last sector and the virus will subtract the DOS boot sector at offset 0x13h (Number of logical sectors )with 6. Finally, virus writes the virus body to partition sector. 2) Spreading the infection through a disk that has been infected. If a PC is booted from an infected disk, the spreading of the infection is complete. The boot code, previously overwritten by the virus on the disk partition sector, reads the main core of the virus from the last 5 sectors to the last 1 sector,and loads it as a TSR in RAM, occupying 3 Kb of the higher part of system memory. As soon as it is installed as a TSR, the virus takes control of Int 1Ch (Timer Interrupt) to verify, with a frequency of 18.2 times per second, if the DOS COMMAND.COM is loaded. If DOS is present, the virus restores the timer and takes control of Int 21h. Damage: Loss of data stored in the 6th last to 1st last sectors of the disk. Virus also increases file sizes. Symptoms: Virus turns screen display upside down (rotates 180 degrees). File sizes increase by 2153 bytes Note: The virus uses a smart technique to avoid anti-virus detection programs, when modifying the partition sector, that is hooking int 01h, it will turn on a single step flag to get the original entry of DOS hooked of INT 13h . The virus will then move itself to the top of the MCB (memory control block), and decrease available memory in the MCB by 2672 (A70h) bytes. It will hook Int 21h with the same method as for INT 13h and then proceeds to run the original program. [MULTI-2] Virus Name: Multi-2 Virus Type: Partition table Infector and File Infector Virus (infects .COM & .EXE files) Virus Length: Not Applicable PC Vectors Hooked: INT 21h, INT 24h, INT 1Ch, INT 13h. Executing Procedure: 1) The Virus will decrease the total system memory by 3K Bytes when the system is booted from an infected disk. 2) It then checks whether it has is loaded in resident memory, if "No", then it will load to the last 3K bytes of resident memory by hooking INT 21h and INT 1Ch. 3) It infects files when they are executed. Damage: None. Detecting Method: Infected files increase 927-- 1000 Bytes. Note: Multi-2 hooks INT 24h when infecting files. It omits I/O errors (such as write protect). [BOGUS] Virus Name: BOGUS Virus Type: Partition table Infector and File Infector Virus Virus Length: No change. PC Vectors Hooked: INT 21h, INT 24h, INT 13h. Executing Procedure: 1) The Virus decreases the total system memory by 4K Bytes, when the system is booted from an infected disk. 2) The virus loads itself in to the last 4K Bytes of resident memory. 3) It then hooks INT 13h. 4) It continues to infect any executed program. Damage: When the number of infected files is larger than 2710, then it destroys all the data on the hard disk. Detecting Method: Check whether the file head is INT 13h(AX=90 or 91). Note: 1) BOGUS hooks INT 24h when infecting files . It omits I/O errors (such as write protect). 2) If the computer is booted from a diskette, you will not be able to view the hard drive. [FRIDAY_13TH] Virus Name: Friday the 13th Other names: Virus 1813, Israelian, Jerusalem Virus Type: File Infector Virus Virus Length: Approx.1813 bytes PC Vectors Hooked: Int 21 Executing Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself into resident memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded into resident memory it will infect any uninfected file that is executed. Damage: In the year 1987, the virus does no damage . It proceeds only to infect other files. Every Friday the 13th, excluding the year 1987, virus deletes every executed program . All other days, excluding the year 1987, the virus spreads. About half an hour after the virus is installed in memory it scrolls up by two linesa small window with coordinates (5, 5), (16, 16) and slows down computer speed. Delay loop repeats 18.5 times per second. Detecting Method: Increases the file length by 1813 bytes Note: Loads itself resident in memory. An error message occurs if there is an I/O error (such as write protect). [DEVIL's DANCE] Virus Name: Devil's Dance Other names: Virus 941 Virus Type: File Infector Virus Virus Length: 941 bytes PC Vectors Hooked: Int 21 Executing Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself into resident memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded into resident memory it will infect any uninfected file that is executed. Damage: The DevilÆs Dance virus monitors the Int 9 (keyboard). A routine for cursor manipulation is activated when 5 keys other than the Alt key have been depressed . Furthermore, if the ôAlt" key is not depressed, attributes of the cursor in Video-RAM are changed after any other key is pressed. The new attributes are as follows: 09h (bright blue), 0ah (bright green), obh (bright cyan), 0ch (bright red), 0dh (bright violet), oeh (bright yellow). If the above five keys are not pressed, the virus will not manifest itself. If "Del" is depressed, the virus will display characters using the color white. The virus displays the following message: Have you ever danced with the devil under the weak light of the moon? .... Pray for your disk...The Joker HAHAHAHAHAHAHAHAHAHA." The virus will finally test whether any keys were pressed 2500 times. If yes, the virus overwrites the Disk Partition Table of the first hard disk and proceeds to crash the system. Note: Loads itself resident in memory. An error message occurs if there is an I/O error (such as write protect). [CHRISTMAS_TREE] Virus Name: Christmas Other names: Virus 600, Xmas In Japan, Japanese Christmas Virus Type:File Infector Virus Virus Length: 600 bytes. Damage: On December 25th, when an infected.COM file is executed, the following message will be displayed: "A Merry christmas to you" or "Jingo Bell, jingo bell, jingo all the way." Detecting Method: The COMMAND.COM file increases by 600 Bytes. Infected.COM files increase by 600 bytes. [DATA CRIME] Virus Name: Datacrime Other names: 1168, Columbus Day Virus Type: File Infector Virus Virus Length: 1168 bytes. Executing Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself into resident memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded into resident memory it will infect any uninfected file that is executed. 4) It doesn't infect .EXE files. Damage: Virus will lowlevel format your hard disk after October 12th. Detecting Method: Virus infects all .COM files between April 1st-October 12th. After October 12th, it willl display the following message: "DATACRIME VIRUS Released:1 March 1989." And it will low level format your hard disk. Note: Loads itself resident in memory. An error message occurs if there is an I/O error (such as write protect). [SUNDAY] Virus Name: Sunday Other names: None Virus Type: Boot Strap Sector Virus (Memory Resident) Virus Length: 1636 bytes. Damage: On Sunday, the virus will prevent computer user. Detecting Method: On Sunday, the virus will display the following message: "Today is Sunday! Why do you work so hard? All work and no play makes you a dull boy! Come on! Let's go out and have some fun!" [MARAUDER] Virus Name: Marauder Other names: None Virus Type: File Infector Virus Virus Length: Increases .COM file by 860 bytes. Executing Procedure: 1) The virus searches the current directory for a .COM file. Once it locates a file it checks whether it is already infected by the Marauder virus. If "No", it then it infects the file. 2) If "Yes" then it searches for another .COM file to infect. 3) It doesn't infect .EXE files. 4) It then executes the original file. Damage: The Marauder virus will overwrite your files, on every February 2nd with the string "=[Marauder] 1992 Hellraiser - Phalcon/Skism." Detecting Method: When the infected file is executed, the virus will infect the first uninfected .COM file in current directory. On every February 2nd, the virus will overwrite all executed files by following characters one by one "=[Aarauder] 1992 Hellraiser - Phalcon/skism." [OROPAX] Virus Name: Oropax Other names: None Virus Type: File Infector Virus Virus Length: 2756-2800 bytes Executing Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself into resident memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded into resident memory it will infect any uninfected file that is executed. 4) It doesn't infect .EXE files. Damage: Infected .COM file sizes increase by 2756 -2800 bytes. Detecting Method: Virus will hook the interrupt 20h, 21h, 27h. If the system date is after May 1, 1987 and it is an IBM compatible computer, interrupt 8h will be hooked. When the virus is triggered, it will play the "Stars", "Blue" and "Forty" songs one by one every eight minutes. Note: Loads itself resident in memory. An error message occurs if there is an I/O error (such as write protect). [DBASE] Virus Name: dBASE Other names: None Virus Type: File Infector Virus Virus Length: 1864 bytes Executing Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself into resident memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded into resident memory it will infect any uninfected file that is executed. 4) It doesn't infect .EXE files. Damage: Every executed .COM files increases by 1864 bytes. Virus will sometimes cause system to halt. Detecting Method: Virus will hook the interrupt 21h. When virus is actived, it will switch high-byte and low- byte of every opened .DBF data files. Virus will also create a hidden file - "BUG.DAT" in root directory to record very infected .DBF file's name. Note: Loads itself resident in memory. An error message occurs if there is an I/O error (such as write protect). [HOLLOWEEN] Virus Name: Halloween Other names: Happy Halloween Virus Type: File Infector Virus Virus Length: N/A Executing Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself into resident memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded into resident memory it will infect any uninfected file that is executed. Damage: Virus finds an executable file (first .EXE file then .COM) in current directory and proceeds to infect it. It will display "Runtime error 002 at 0000:0511" on screen if no uninfected files are found. Detecting Method: On every Oct 31, virus will create a 10KB-long file and display "Runtime error 150 at 0000:0AC8." Note: 1) Loads itself resident in memory. An error message occurs if there is an I/O error (such as write protect). [TAIWAN] Virus Name: Taiwan Other names: None Virus Type: File Infector Virus Virus Length: .EXE 1300-1503 bytes Executing Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself into resident memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded into resident memory it will infect any uninfected file that is executed. Damage: This virus has several variants. While some variants have no damage routine, some will slow down the system performance and variants of the Mummy virus will have a Random Number counter. When the counter reaches zero, virus will overwrite first part of hard disk and cause severe data loss. Detecting Method: Increases infected file size by 1300-1503 bytes. Virus ocassionally hangs the system when the virus is resident in memory. Encrypted text strings inside the virus code as follows: "Mummy Version x.xxx", "Kaohsiung Senior School", "Tzeng Jau Ming presents", "Series Number=[xxxxx]." Note: 1) Loads itself resident in memory. An error message occurs if there is an I/O error (such as write protect). [JOSHI] Virus Name: Joshi Other names: Happy Birthday Joshi Virus Type: File Infector Virus Virus Length: N/A Executing Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself into resident memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded into resident memory it will infect any uninfected file that is executed. Damage: Infects every executable files. Detecting Method: The first ôJoshi" virus was founded in India in June 1990. It is a very popular virus in India. Virus remains resident in boot sector or in FAT area. Every January 5, the virus displays: Type Happy Birthday Joshi." All will return to normal if user types above message. System memory decreases by 6KB when virus is resident. Note: Loads itself resident in memory. An error message occurs if there is an I/O error (such as write protect). [NOV17] Virus Name: November 17th Other names: None Virus Type: Parasitic Virus Virus Length: 885 bytes Executing Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself into resident memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded into resident memory it will infect any uninfected file that is executed. Damage: Infects every executable file. Detecting Method: It will be resident in memory , and infects all .COM files. Note: Loads itself resident in memory. An error message occurs if there is an I/O error (such as write protect). [PRUDENTS] Virus Name: Prudent Other names: 1210 Virus Type: File Infector Virus Virus Length: .EXE 1210 bytes Executing Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself into resident memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded into resident memory it will infect any uninfected file that is executed. 4) It doesn't infect .COM files. Damage: Overwrites the original file. Detecting Method: From May 1-4, virus will frequently check the disk. Note: 1) Loads itself resident in memory. An error message occurs if there is an I/O error (such as write protect). [LEHIGH] Virus Name: Lehigh Other names: None Virus Type: Parasitic Virus (infects COMMAND.COM only) Virus Length: 555 bytes Executing Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself into resident memory by hooking INT 21h. 2) Then when a disk is accessed if the COMMAND.COM is un-infected it will immediately infect it.then executes the original file. 3) With itself loaded into resident memory it searches for the infect any uninfected file that is executed. 4) It doesn't infect .EXE files. Damage: 1) Infects the diskette .COMMAND.COM file and increases it by 555 bytes. 2) After the count of infection passes over four times the current disk will be trashed. [GP1] Virus Name:Gp1 Virus Type: Network Specific Virus Virus Length: .EXE 1557 bytes. .COM 1845 bytes. Executing Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself into resident memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded into resident memory it will infect any uninfected file that is executed. Symptoms: If the virus is active in memory and if the first character on the command line is NOT the letter "i", the virus will remove itself from the operating memory (this will work only if the virus is the last TSR to change interrupt vector 21h) . The virus even displays the message "GP1 Removed from memory." Damage: The virus is the only LAN virus to ever be discovered. This unique virus is a modification of the Jerusalem virus and was created for one special purpose: to penetrate. Novell security features and to spread inside the network. The virus does not contain any manipulation (if we do not count the monitoring of Novell LOGIN and the attempts to break the Novell security features). [4096] Virus Name: Virus 4096 Virus Type: File Infector Virus Virus Length: 4096 bytes Executing Procedure: A boot sector should be modified if the system date is greater than September 21. The text "FRODO LIVES" should then appear on the screen after booting from a modified disk. The virus code is corrupted, so when you run the infected file after September 21, the system areas will not be modified, but the virus will cause the system to crash. Damage: Virus infects .COM files which are shorter than 61440 bytes and .EXE files. As a flag virus, it uses the year in the fileÆs time stamp and increases it by 100 years. (DOS reports only last two digits, so it can not be easily recognized when for example "DIR" command is executed). Detection Method: The virus Increases infected file size by 4096 bytes. The operating memory is decreased by about 6 KB. [USSR-516] Virus Name: USSR Other Names: 570, 8-17-88, 2:08a Virus Type: Parasitic Virus Virus Length: 570 bytes Symptom: Infects .EXE files. Increases file size by 570 to 585 (570+15) bytes. (The next multiple of 16 of the original file size plus 570). The date and time in the files directory entry is set to 8-17-88 and 2:08a. Damage: Writes one sector to the boot sector of driver C: then halts the system. [Vienna] Virus Name: Vienna Other Names: 648, PC Boot, Austrian virus Virus Type: Parasitic Virus Virus Length: 648 bytes Symptoms: Increases infected file sizes by 648 bytes and files containing string "*.COM" and "PATH=". Destroyed programs will cause computer to reboot while in operation. Damage: With the probability of 1:7 the virus will not infect other files. Virus writes the instruction JMP F000:FFF0 (computer reboot ) at the start of such a program. Original content is destroyed, length of file is not changed, and destroyed program contains virus flag. [V2000] Virus Name: V2000 Other Names: 21 century virus Virus Type: Parasitic Virus Virus Length: 2000 bytes Symptoms: Increases infected .COM and .EXE file sizes by 2000 bytes. Decreases size of free RAM memory by 4KB. Infected files contain the following strings: "(C) 1989 by Vesselin Bontchev". Damage: No damage. [Bur-560h] Virus Name: Bur-560h Virus Type: Parasitic Virus Virus Length: Infected COM files do not increase (Does not infect EXE files). PC Vectors Hooked: None Executing Procedure: 1) The virus searches for COM files through the current path. 2) The virus checks whether the file is infected. If the file has been infected, the virus continues to search till an uninfected file is found and then infects it (It infects only one file each time). Damage: The virus infects the files by covering up the original files, so the lengths of the files do not increase and the functions of the original files can not be executed. Remarks: 1) Non memory resident. 2) When infecting files, the virus does not hook INT 24h. And the error information appears when I/O errors occur. [Dooms-715] Virus Name: Dooms-715 Virus Type: Parasitic Virus Virus Length: Infected COM file sizes increase by 715 Bytes (Does not infect EXE files ). PC Vectors Hooked: None Executing Procedure: 1) Searches for a COM file in the root directory. 2) Checks whether the file is infected. If yes, continues to search. 3) If an uninfected file is found, infects it (infects only one file each time). Damage: None Detecting Method: Detectable if the lengths of files increase by 715 Bytes. Remarks: 1) Non memory resient. 2) When infecting files, the virus does not hook INT 24h. Error message will appear when I/O errors occur. [JOKER] Virus Name: Joker3 Virus Type: Parasitic Virus. Virus Length: Infected COM file sizes increase by 1084 bytes (Does not infect EXE files). PC Vectors Hooked: INT 21h Executing Procedure: 1) Checks if it resides in memory. If not, hooks INT 21h, installs itself as memory resident and then executes the host program. 2) If it already resides in memory, proceeds to execute the host program directly. Infecting Procedure: The virus infects files by INT 21h. When INT 21h is executed, all the COM files in the current directory will be infected. When infecting files, the virus does not hook INT 24h. Error message will appear when I/O errors occur. Damage: None Detecting Method: Detectable if the files increase by 1084 bytes. [Friday_13th] Virus Name: Fri-13-D Virus Type: COM File infector Virus Length: 416 bytes Executing Procedure: When an infected program executed, it will infect all COM files (except COMMAND.COM) on current directory (it does not infect same file again). Then check whether current day is 13 and it is Friday. If it is, delete itself and then go back to the original routine. Damage: An infected program will delete itself when you run it on 13th,Friday. Detecting Method: 1) Date and time of infected files changed. 2) Infected files will increase from 416-431 bytes. [PCBB] Virus Name: Pcbb Virus Type: Memory resident, COM File infector Virus Length: 3+(1675-1687) bytes Executing Procedure: It will decode its later half section first. Then check whether it has stayed in memory. If not, it will move itself to high memory. Then hook INT 21h,INT 09h,INT 1Ch and go back to run original routine. The infection happens when executing program, copying file, changing file's attribute, opening file, closing file, and renaming file(AH=56h). When it infects a file, it will check what day of the week is it today first. There are seven encoding modes according to the judgment. It does not infect same file again, and length of infectable files must between 16 bytes and 61440 bytes. Symptom: When virus breaks out, screens display nothing every time the counter of hitting keys is equal to 957. This time, it will reset the counter to count continually. You can press down all Alt, Control, Shift of left & right together to make screen displaying again. Damage: None Note: It stays resident in memory (It will take 4K bytes). Detecting Method: 1) Date and time of infected files changed. 2) Infected files will increase by 1675,1677,1679,1679,1680, 1683,1687 bytes according to what day of the week is it today (From Sunday to Saturday). 3) "PCBB" is attached to the end of infected file. [SILENT_LAMB] Virus Name: The Silence Of The Lamb! Virus Type: Memory resident, COM File infector Virus Length: 555 bytes Executing Procedure: 1) Checks whether it is still in the last memory block. If not, it will stay resident in high memory and returns to original routine. The method of infection is: First, encodes first 200h bytes of original file and attaches them and decoded codes to the end of the file. Then encodes virus code and writes them into first 200h bytes of the file. 2) Vectors hooked: Hooks INT 21H(AH=4Bh) to infect files. Firsts, it will hang INT 24h to prevent divulging its trace when writing, then checks whether the program to be executed is an uninfected COM file (Length is between 0400h and FA00h bytes). If it is, infect it. Finally, virus restores INT 24h. Damage: None Note: Date and time of infected files do not change. Detecting Method: 1) Call INT21h (AH=2Dh,CH=FFh,DH=FFh) to return value AH. If AH=00h, memory has been infected. If AH=FFh, memory has not been infected. 2) If word at address 0002 of COM file is 5944h, memory has been infected. After virus code have decoded, there is a text in address from 01E6h to 01EFh. The text is "The Silence of The Lamb!$". 3) Total memory decreases by 1568 bytes. [WOLF_MAN] Virus Name: Wolf-Man Virus Type: Memory Resident, COM & EXE File infector Virus Length: 2064 bytes Executing Procedure: 1) Checks whether it remains resident in memory. If not, it will stay resident in memory. Then checks whether current calendar day is 15. If it is, virus will manifest itself.Otherwise, hooks INT 09H, INT 10H, INT 16H, INT 21H and goes back to the original routine. Vectors hooked: Hooks INT 21H to infect files. It will check whether the program to be executed is an infectable file (Except COMMAND.COM), and then proceeds to infect it (The infectable file length must be larger than 1400 bytes). Hooks INT 9h, INT 10h to check whether something in program has changed. If it has, virus will manifest itself. Symptoms: Displays a message. Overwrites current diskette with virus code until there is no more free space. Delays 30 seconds and proceeds to reboot system. Damage: Destroys all data on current diskette. Note: 1) Procedure for displaying the virus message is designed for Herc display card. Therefore, system halts if is run on a color display card. This, in turn, can prevent destruction of the hard disk. 2) Virus procedure contains "WOLFMAN" text. Detecting Method: 1) Infected file sizes increase by 143 bytes. 2) Checks whether an executed program remains resident in memory (it will occupy approx. 65.6K bytes) by using MEM.EXE program. [Story] Virus Name: Story-A Virus Type: COM File infector Virus Length: 1117 bytes Executing Procedure: 1) Searches from root directory and all subdirectory to find 3 uninfected COM (Except COMMAND.COM) files, and then infects them (It does not infect same file twice). Then holds the order of every infected file. Then checks if the order of current infected file is larger than 7, or if current date is July 9. If either of these two conditions are met, virus will be triggered. Vectors hooked: Hooks INT 08H to accumulate system time. Symptoms: Does not execute infection procedure, stays resident in memory. Then hooks INT 08h. 290 seconds later, a message displays in inverse mode repeatedly in 22-second cycles. Note: Date and time of infected files do not change. Detecting Method: 1) Memory: a) Total system memory decreases. b) Virus might be triggered if first 4 bytes of segment (Before free memory) are FFh,26h,04h, 01h. 2) File: a) Infected file sizes increase by 1117 bytes. b) First 4 bytes of infection are FFh,26h,04h,01h. [MS-DOS_3.00] Virus Name: Ms-Dos3.0 Virus Type: COM File infector Virus Length: 953 bytes Executing Procedure: 1) Checks whether it has remained resident in memory. If not, it will stay resident in high memory. Then hooks INT 21h and returns to the original routine. Vectors hooked: Hooks INT 21H (AH=3Dh,AX=4B00h) to infect files. If the program to be executed or opened is an uninfected COM file (Except COMMAND.COM) and its length is not larger than FB00h, virus proceeds to infect it. The method of infection is: writes a total of 35Dh bytes (1Ch bytes are its head , first 3B9h bytes of file) to the end of file, then overwrites its first 3B9h bytes with virus codes. If the program to be executed or opened is an uninfected EXE file and its length is not larger than 4000h, virus infects it. The method of infection is: after filling the left bytes of segment, it will attach a total of 3F1h bytes (virus codes(3B9h)+data in original file(1Ch)+head of file(1Ch)) to the end of file, then changes the pointer in head to virus procedure. Damage: None Note: 1) Date and time of infected files do not change. 2) Stealth type virus: restores infected file information when virus is in system memory. Detecting Method: 1) Memory: a) Total system memory decreases by 7A0h bytes. b) Memory might be infected if AX=9051h (AX is a return value when INT 21h(AH=B3h) called). 2) File: a) Infected COM file sizes increase by 500 bytes. b) Infected EXE file sizes increase by 1009-1024 bytes. c) Use DEBUG to load an infected file. [EVILGEN] Virus Name: Evilgen Virus Type: COM & EXE File infector Virus Length: 955 bytes(Version 1.1) , 963 bytes(Version 2.0) Executing Procedure: 1) Checks whether it has remained resident in memory. If not, it will stay resident in high memory. Then hooks INT 21h, INT 09h and goes back to the original routine. It will check if current day is 24 and if the 'Del' key is being pushed down. If so, virus will be triggered. Vectors hooked: Hooks INT 21H(AX=4B00h) to infect files. If the program to be executed is an uninfected EXE or COM file, virus proceeds to infect it. Hooks INT 09h to check whether the 'Del' key is being pushing down. Symptom: Selects a sector, then formats the sector from head 0,track 0 to head 0, track 20h on C diskette. Damage: Virus will sometimes destroy C diskette. Note: 1) Date and time of infected files do not change. 2) While memory has been infected, typing "Dir" does not reveal changes in file length. Detecting Method: 1) Memory: a) Total system memory decreases. b) COMMAND.COM on root directory on C diskette has been infected if BX=9051h(BX is a return value when INT 21h(AX=7BCDh) called). c) The pointers of INT 21h and INT 09h are the same. 2) File: Infected file sizes increase by 955 bytes (Version 1.1) or 963 bytes (Version 2.0.) Changes in file sizes are apparent only when memory has not been infected. [PCBB11] Virus Name: Pcbb11 Virus Type: EXE & COM File infector Virus Length: 3052 bytes Executing Procedure: 1) Checks whether it has remained resident in memory. If not, it will stay resident in high memory. Then hooks INT 21h and goes back to original routine. Vectors hooked: Hooks INT 21H(AH=4Bh)to infect files. First, it will hang INT 24h to prevent divulging its trace when writing. If the program to be executed is an uninfected COM or EXE file, virus proceeds to infect it. Damage: ? Detecting Method: Infected file sizes increase by 3052 bytes. [PCBB-3072] Virus Name: Pcbb3072 Virus Type: EXE & COM File infector Virus Length: 3072 bytes Executing Procedure: 1) Checks whether it has remained resident in memory. If not, it will stay resident in high memory. Then hooks INT 21h and goes back to original routine. Vectors hooked: Hooks INT 21H(AH=4Bh)to infect files. First, it will hang INT 24h to prevent divulging its trace when writing. If the program to be executed is an uninfected COM or EXE file, virus proceeds to infect it. Damage: ? Detecting Method: Infected file sizes increase by 3072 bytes. [INVISIBLE_MAN] Virus Name: INVISIBLE MAN Virus Type: Virus infects .COM and .EXE files, Partition record, and the Boot record. Virus is a Memory Block Resident. Virus Length: 2926 Bytes on file and D80h Bytes in memory. Interrupt Vectors Hooked: INT 21h Infection Process: This virus can spread by executing an infected program or by booting the system from an infected Disk. There are several different methods of infection: 1) When an INVISIBLE MAN infected program is executed it will; A. Infect the hard disk partition table : (i) Write the virus body to the last 7 sectors of the active hard disk. (ii) The ending location of the active hard disk will be decreased by 7 sectors. (iii) Write the virus loader to the partiton sector. This sector will be encrypted. B. Modify the boot sector: It will change the total sector numbers message, which will be seven less than the original figure. Damage: Virus displays message and plays music on system speaker. Symptoms: Loss of data stored in the last 7 sectors of the hard disk; increased file sizes. File sizes increase by 2926 bytes . Virus displays the following message: "I'm the invisible man, I'm the invisible man, Incredible how you can See right through me." Virus also plays music on system speaker. Note: [Fish-1100] Virus Name: Fish-1100 Virus Type: COM File infector Virus Length: 1100 bytes Executing Procedure: 1) Virus checks whether it has stayed resident in memory. If not, it will stay resident in high memory. Then hooks INT 21h and goes back to original routine. Vectors hooked: Hooks INT 21H(AH=4Bh) to infect files. First, it will hang INT 24h to prevent divulging its trace when writing. If the program to be executed is an uninfected COM file , virus proceeds to infect it. Damage: None Detecting Method: Infected file sizes increase by 1100 bytes. [Fish-2420] Virus Name: Fish-2420 Virus Type: COM File infector Virus Length: 2420 bytes Executing Procedure: 1) Virus checks whether it has stayed resident in memory. If not, it will stay resident in high memory. Then hooks INT 21h and goes back to original routine. Vectors hooked: Hooks INT 21H(AH=4Bh) to infect files. First, it will hang INT 24h to prevent divulging its trace when writing. If the program to be executed is an uninfected COM file , virus proceeds to infect it. Damage: None Detecting Method: Infected file sizes increase by 2420 bytes. [JULY_4] Virus Name: July 4, Stupid 1 Virus Type: COM File infector Virus Length: 743 bytes Executing Procedure: 1) If word at address 0000:01FEh is FFFFh, virus will not infect any file. 2) When virus infects files, it will infect all uninfected COM files on current directory. If number of infection is less than 2, it will go on infecting all COM files on upper directory until the number is larger then 2 or it has reached root directory. It will check whether current date is July 4 and that current time is either 0:00am, 1:00am, 2:00am, 3:00am, 4:00am, or 5:00am. If any of these times are met, virus will proceed to destroy data on current diskette. Detecting Method: 1) Date and time of infected files changed. 2) Byte at 0003h of infected COM file is 1Ah. 3) Infected COM file displays the following message: "Abort, Retry, Ignore, Fail?" , "Fail on INT 24" (2) - "Impotence error reading users disk" (0) - "Program too big to fit in memory" (1) - "Cannot load COMMAND , system halted" (3)"Joker!" and "*.com." 4) Virus will display the above message when executing an infected file. 1) If word at address 0000:01FEh is FFFFh, virus will not infect any file.