Liren Large Software Subsidy 15

home *** CD-ROM | disk | FTP | other *** search

/ Liren Large Software Subsidy 15 / 15.iso / s / s045 / 3.img / VIRINFO.LS_ / VIRINFO.bin

Wrap

Text File | 1993-12-21 | 95.5 KB | 2,225 lines

Descriptions of some known DOS viruses _____________________________________ This section briefly describes some of the DOS viruses analyzedby IBM.It includes all of the viruses that are widespread inthe world as of this writing.It also includes many viruses that are not widespread,but that we have analyzed in order to help stay ahead of the problem. These descriptions are based on IBM's detailed analysis of thecode of each virus.Each virus has been carefully tested to verify its actual behavior. All of these viruses can be detected when checking disks and diskettes.Viruses that are similar to these viruses will be detected as well.In many cases, even viruses that are not similar to these willbe detected as "suspicious" by IBM AntiVirus/DOS. The Aircop Virus _______________ Name Aircop Alias(es) Virus Family Classification Diskette boot record infector Length of Virus Boot record and one additional hard disk or diskette sector Behavior Summary When booted from an infected diskette, the virus loads into memoryand infects diskettes used in A: or B: later.Every eight or so times that it infects a new diskette, itdisplays the message"RED STATE, Germ offensing --Aircop"(presumably an attempt to say "Condition red, virus attack"). The April 1st COM Virus ______________________ Name April 1st COM Alias(es) April 1st, sURIV 1.01 Virus Family 1813 Classification Resident COM infector Length of Virus Approximately 381 bytes Behavior Summary When an infected program is run, the virus installs itself inmemory and any COM files run later become infected.If the date is April 1st of any year, executing any program whilethe virus is in memory will display the message"APRIL 1ST HA HA HA YOU HAVE A VIRUS",and will hang the machine. If the date is after April 1st, 1988, the message"YOU HAVE A VIRUS"will be displayed whenever any program is executedBecause infection is so obvious, this virus is probably extinct. The April 1st EXE Virus ______________________ Name April 1st EXE Alias(es) April 1st, sURIV 2, sURIV 2.01 Virus Family 1813 Classification Resident EXE infector Length of Virus 1488 bytes Behavior Summary This virus infects any EXE files that are run, prints a message on April 1st,and sometimes causes the system to hang on Wednesdays. The Azusa Virus ______________ Name Azusa Alias(es) Virus Family Classification Diskette and hard disk boot infector Length of Virus Boot record only Behavior Summary This virus infects diskette and hard disk master boot record.Sometimes the virus zeros out the BIOS tables for COM and printer ports,making printers and serial ports unavailable. The Bouncing Ball Virus ______________________ Name Bouncing Ball Alias(es) Bouncing Dot, Italian, Ping-Pong, Vera Cruz Virus Family Bouncing Ball Classification Diskette and hard disk boot infector Length of Virus Approximately 975 bytes Behavior Summary This virus infects diskettes and the hard disk partition (non-master)boot record. It sometimes produces a bouncing dot on the screen afterbooting. The Bouncing Ball / 286 Virus ____________________________ Name The Bouncing Ball / 286 Virus Alias(es) Virus Family Bouncing Ball Classification Diskette and hard-disk boot infector Length of Virus Approximately 975 bytes Behavior Summary This virus infects diskettes and the hard disk partition (non-master)boot record. It sometimes produces a bouncing dot on the screen afterbooting. The Brain Virus ______________ Name Brain Alias(es) Pakistani, Pakistani Brain, (c) Brain Virus Family Brain Classification Diskette boot infector Length of Virus Boot record and 6 additional sectors on hard disk or diskette Behavior Summary This virus changes some diskette volume labels to"(c) Brain" The Brunswick Virus __________________ Name Brunswick Alias(es) Virus Family Classification Resident diskette and hard disk master boot infector Length of Virus Boot record and one additional hard disk or diskette sector Behavior Summary When you boot from an infected diskette, it infects the firstphysical hard disk in the system.When you boot from an infected hard disk or diskette, the virus loads intomemory and infects diskettes used in drive A or B later.When booting from an infected hard disk, it sometimesoverwrites the master boot record with useless data, renderingthe disk unbootable. Also, the data becomes inaccessible without technical help.As well as the intentional damage, on some systems the virusoverlays user data and possibly part of the file allocation tablewhen it saves the original boot record in the data section of the hard disk. The Burger-405 Virus ___________________ Name Burger-405 Alias(es) 405 Virus Family Burger Classification COM overwriting virus for IBM DOS Length of Virus Overwrites first 405 bytes of victim Behavior Summary This virus is very buggy, apparently based on a published example.When an infected file is run it overlays the first405 bytes of every file with an extension of COM in the current directoryof various hard disks with a copy of itself.The original (pre infection) program does not run.Running an infected program often hangs the machine orotherwise malfunctions. The Campana Virus ________________ Name Campana Alias(es) Telefonica, Anti-Telefonica, Telefon, ANTI-CTNE Virus Family Campana Classification Resident infector of diskette boot records and hard disk master boot records Length of Virus Boot record and one additional hard disk or diskette sector Behavior Summary When a machine is booted from an infected hard disk or diskette, the virusloads itself into high memory and reduces available memory by 1024 bytes.The machine's hard disk (if any) and any diskettes used in drive Aor B while the virus is in memory are infected.After a certain number of boots from an infected hard disk or diskette, thevirus writes random data to the boot hard disk or diskette and other hard disksin the system and displays a message beginning with the word "Campana".While the virus is in memory, it intercepts most attempts to read theboot record and returns an image of an uninfected boot record to theprogram making the request. The Campana-B Virus __________________ Name Campana-B Alias(es) Telefonica, Anti-Telefonica, Telefon, ANTI-CTNE Virus Family Campana Classification Resident infector of diskette boot records and hard disk master boot records Length of Virus Boot record and one additional hard disk or diskette sector Behavior Summary When a machine is booted from an infected hard disk or diskette, the virusloads itself into high memory and reduces available memory by 1024 bytes.The machine's hard disk (if any) and any diskettes used in drive Aor B while the virus is in memory are infected (unlessthey are already infected with the Stone d virus).After a certain number of boots from an infected hard disk or diskette, thevirus writes random data to the boot hard disk or diskette and other hard disksin the system and display a message beginning with the word "Campana".While the virus is in memory, it intercepts most attempts to read the harddisk boot record and returns an image of an uninfected boot record to theprogram making the request. The Cansu Virus ______________ Name Cansu Alias(es) V-Sign Virus Family Classification Resident diskette and hard disk master boot infector Length of Virus Boot record and 2 additional sectors on hard disk or diskette Behavior Summary When you boot from an infected hard disk or diskette, the virus loads intomemory and infects diskettes used in drive A or B later;Also, it infects the first two physical hard disks in the system when they areused.In approximately one-in-eight-boots, the virus displays a V-shaped symbolon the display.The virus does no intentional damage; but, on some systems, itoverlays your data and perhaps part of the file allocation tablewhen it writes its two sectors to the data section of the hard disk. The Dark Avenger Virus _____________________ Name Dark Avenger Alias(es) Eddie Virus Family Classification Resident COM and EXE file virus for IBM DOS Length of Virus 1800 bytes in infected COM files; some additional padding bytesin infected EXE files. Behavior Summary When an infected program is run, the virus installs itselfin memory. It might infect any EXE or COM file run, opened,renamed, or operated on in some way. So any operationthat examines many files can spread the virus very quickly if it isactive in memory at th e time.Approximately every 16 times an infected program is run,it overwrites a random sector of the disk the program was run fromwith the string"Eddie lives...somewhere in time!"followed by part of the body of the virus. The DataCrime II Virus _____________________ Name DataCrime II Alias(es) 1514, Columbus Day Virus Family DataCrime Classification Non-resident COM and EXE infector for IBM DOS Length of Virus 1514 bytes in infected COM files; some additional padding bytesin infected EXE files. Behavior Summary This virus spreads between COM files. If an infected program is runbetween October 13th and December 31st, inclusive, in any year,it will display the message"* DATACRIME II VIRUS",and erase part of the hard disk, renderingdata inaccessible. The DataCrime II B Virus _______________________ Name DataCrime II B Alias(es) 1480, Columbus Day Virus Family DataCrime Classification Non-resident COM and EXE infector for IBM DOS Length of Virus 1480 bytes in infected COM files; some additional padding bytesin infected EXE files. Behavior Summary This virus spreads between COM files. If an infected program is runbetween October 13th and December 31st, inclusive, in any year,it will display the message"* DATACRIME II VIRUS",and erase part of the hard disk, rendering data inaccessible. The DataCrime-1168 Virus _______________________ Name DataCrime-1168 Alias(es) 1168, Columbus Day, DataCrime, DataCrime I Virus Family DataCrime Classification Non-resident COM infector for IBM DOS Length of Virus 1168 bytes Behavior Summary This virus spreads between COM files. If an infected program is runbetween October 13th and December 31st, inclusive, in any year,it will display the message"DATACRIME VIRUS RELEASED: 1 MARCH 1989",and erase part of the hard disk, renderingdat a inaccessible. The DataCrime-1280 Virus _______________________ Name DataCrime-1280 Alias(es) 1280, Columbus Day, DataCrime, DataCrime I Virus Family DataCrime Classification Non-resident COM infector for IBM DOS Length of Virus 1280 bytes Behavior Summary This virus spreads between COM files. If an infected program is runbetween October 13th and December 31st, inclusive, in any year,it will display the message"DATACRIME VIRUS RELEASED: 1 MARCH 1989",and erase part of the hard disk, renderingdat a inaccessible. The December 24th Virus ______________________ Name December 24th Alias(es) Disk Crunching, Iceland, Iceland III, Icelandic, Saratoga Virus Family Iceland/Saratoga Classification Resident EXE infector Length of Virus Approximately 848 bytes Behavior Summary When an infected program is run, the virus installs itself inmemory; later, if any file with an extension beginning with "EX"is run, it may be infected. Approximately every tenth filerun is infected.The basic code of the virus is similar to the others in the family.This version infects every tenth file run and does not marksectors as bad. If an infected file is run on December 24th,any attempt to run a program after that will print the message"Gledileg jol",(which is a Christmas greeting in Icelandic) rather than runningthe program. The Den Zuk Virus ________________ Name Den Zuk Alias(es) Den Zuko Virus Family Ohio Classification Diskette boot record infector Length of Virus Boot record and 8 additional sectors on hard disk or diskette Behavior Summary When you boot from an infected diskette, the virus loads into memoryand infects diskettes used in drive A or B later.If the virus finds signs of the Brain virus on a diskette, it willremove the Brain infection before installing itself.If the virus is in memory and a color display is active when youpress Ctrl+Alt+Del, the virus will sometimes display a movinggraphic "logo" containing the letters "Den Zuk" and a sphere. The Devil Virus ______________ Name Devil's Dance-941 Alias(es) 941, Devil's Dance Virus Family Devil's Dance Classification Resident COM infector for IBM DOS Length of Virus 941 bytes Behavior Summary This virus infects all COM files in the current directory whenfirst invoked. The virus's resident part then infects any file thatis run whose extension begins with "C".Sometimes the virus changes the colors of characters typed on a colordisplay. Also, when Ctrl+Alt+Del is pressed it sometimes displaysthe message"Have you ever danced with the devil underthe weak light of the moon? Pray for your disk! The_Joker...Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha"Then the virus sometimes overlays themaster boot record of the first hard disk with random data. The DIR II Virus _______________ Name DIR II Alias(es) DIR 2, Cluster Virus Family Classification Cluster virus; resident EXE and COM infector Length of Virus 1024 bytes(but see below) Behavior Summary When an infected program is run, the virus installs itselfin the DOS device driver chain and infects any hard diskor diskette used later.When the virus infects a disk, it writes one copy of itself toa usually unused part of the disk and redirects the directoryentries for all the programs on the disk to point to that copy.The virus does not appear to be destructive; but because itinstalls itself in the system at a very low level, it ofteninteracts badly with other software, sometimes leading tomalfunctions and data loss. The Disk Killer Virus ____________________ Name Disk Killer Alias(es) Computer Ogre, Disk Ogre, Ogre Virus Family Disk Killer Classification Diskette and hard -disk (DOS) boot infector Length of Virus Boot record and 4 additional sectors on hard disk or diskette Behavior Summary This virus infects diskette boot records and hard disk non-master(DOS) boot records.About 48 hours after booting from an infected hard disk ordiskette, the message"Disk Killer -- Version 1.00 by COMPUTER OGRE04/01/89 Warning!!! Don't turn off the power or remove thediskette while Disk Killer is Processing!"is displayed, anddata on the disk booted from (or whatever disk is in thediskette you drive booted from) is scrambled. The EDV Virus ____________ Name EDV Alias(es) Virus Family Classification Diskette and fixed disk master boot infector Length of Virus Boot record and one additional hard disk or diskette sector Behavior Summary When booted from an infected disk or diskette, the virus loads intomemory and infects any other disks or diskettes used later.When an internal counter reaches a threshold, the virus overwriteareas on various fixed disks and diskettes with random data.Due to bugs in the virus, and code that attempts to hang the machinewhen memory is scanned, infected machines sometimes malfunction(not boot, or hang sometime after booting).If a machine with an infected fixed disk is booted from a cleandiskette, the fixed disk partitions will often be unreadable by DOS. The Flip-2153 Virus __________________ Name Flip-2153 Alias(es) Flip 2, Omicron Virus Family Flip Classification IBM DOS EXE, COM, and master boot record infector Length of Virus Approximately 2153 bytes Behavior Summary When an infected file is executed on a machine with a harddisk, the hard disk's master boot record is altered to reinstall thevirus in memory even if all infected files are removed.While the virus is i n memory, any file executed becomes infected.On some second days of the monthbetween 10:00 and 11:00 a.m., the screen (including theindividual characters) turns upside-down if an EGA-compatible displayis in use. The Flip-2343 Virus __________________ Name Flip-2343 Alias(es) Flip 1, Flip Virus Family Flip Classification IBM DOS EXE, COM, and master boot record infector Length of Virus Approximately 2343 bytes Behavior Summary When an infected file is executed on a machine with a harddisk, the hard disk's master boot record is altered to re install thevirus in memory even if all infected files are removed.When a system is booted from an infected hard disk, the nextprogram executed (typically COMMAND.COM) is patched.In at least some versions of COMMAND.COM, the patch causes theDIR command to "lie" about the lengths of infected files.While the virus is in memory, any file executed becomes infected.On some second days of the monthbetween 10:00 and 11:00 a.m., the screen (including theindividual characters) turns upside-down if an EGA-compatibledisplay is in use. The FORM Virus _____________ Name FORM Alias(es) Virus Family Classification Resident diskette and hard disk DOS boot infector Length of Virus Boot record and one additional hard disk or diskette sector Behavior Summary When you boot from an infected diskette or hard disk, the virusinfects the bootable partition on thefirst hard disk if it exists and if is not already infected. Also, itwrites part of itself to one additional sector marked "bad"in the File Allocation Table.The virus remains resident in memory and infects essentially anydiskette used later.On the 18th of the month, in machines with a normal real time clock,the virus causes a slight clicking when keys are pressed whichoften goes unnoticed. If you boot an OS/2 system with HPFS on the boot drive from aninfected diskette, some of the data can become corrupted andthe system will no longer boot from the hard disk. The Friday the 13th COM Virus ____________________________ Name Friday the 13th COM Alias(es) COM, Friday the 13th, Miami, Munich, South African, Virus-B Virus Family Classification Non-resident COM infector Length of Virus Approximately 540 bytes Behavior Summary When an infected program is run, it infects all COM files inthe current directory.On Friday the 13th, infected files attempt to erase themselveswhe n executed.This virus has an indefinite history. It might have been writtenonly as an experiment and not released "into the wild."The sample we have contains code that prints a warning messagewhenever an infected program is run. The Grain of Sand Virus ______________________ Name Grain of Sand Alias(es) Irish, Maltese Amoeba Virus Family Classification Resident EXE and COM infector Length of Virus Approximately 2520 bytes Behavior Summary When an infected program is executed, the virus installs itselfin memory and infects files that are later executed or opened.When the date is November 1 or March 15, it also overwrites the bootareas of the first hard disk and any diskettes with a programthat displays a poem (containing the words"grain of sand")instead of booting the machine.Data on infected disks and diskettes is not easy to recover.After it overwrites the boot areas, it hangs the machine, sometimeswith a flashing screen-effect on the display.The virus is loosely related to the Casino virus, whichdoes not install itself if the Grain of Sand is active. Ifthe Grain of Sand finds the Casino present in memory, it willattempt to remove it. The Guppy Virus ______________ Name Guppy. Alias(es) None. Virus Family Tiny. Classification Resident COM and EXE file virus for PC DOS Length of Virus 152 bytes Behavior Summary When an infected program is executed, the virus loads into memoryand infects COM files that are run later. The Haifa Virus ______________ Name Haifa Alias(es) Virus Family Haifa Classification Resident COM and EXE infector for IBM DOS Length of Virus Approximately 2350 bytes Behavior Summary When an infected file is run, the virus loads into memoryand infects COM and EXE files found in directories that are usedlater.Also, it hangs the machine periodically, prints a message on August 24thand on April 8th, and inserts text strings into certain types offiles found.It inserts a text string containing"mov dx,80h"into files with an extension of ASM. It inserts a text string containing"CONST VIRUS="into files with an extension of PAS. It inserts a text string beginning"OOPS! Hope I"into files with an extension of DOC or TXT. The Haifa-Motzkin Virus ______________________ Name Haifa-Motzkin Alias(es) Motzkin, Mozkin Virus Family Haifa Classification Resident COM and EXE infector for IBM DOS Length of Virus Approximately 2350 bytes Behavior Summary When an infected file is run, the virus loads into memory,and infects COM and EXE files found in directories that are usedlater.Hangs the machine periodically, prints a message on May 7th,and inserts text strings into certain types offiles found; it might also sometimes cause unexpected screen printing.It inserts a text string containing"What are backups"into files with an extension of BAK. It also inserts a text string containing"DES of USA"into files with an extension of ARJ. It also inserts a text string containing"Instead of reading this"into files with an extension of DOC or TXT. The Iceland II Virus ___________________ Name Iceland II Alias(es) Iceland, Icelandic, Icelandic II, Saratoga, Saratoga 3, System Virus Family Iceland/Saratoga Classification Resident EXE infector Length of Virus Approximately 632 bytes Behavior Summary When an infected program is run, the virus installs itself inmemory; later, if any file with an extension beginning with "EX"is run it will be infected.This virus differs from the Saratoga 1 in that it does not marksectors as bad. It avoids using INT 21 to call DOS by findingthe "true" DOS function-request entry point and therebyavoiding detection by any anti-virus program that relies onintercepting INT 21. The Joshi Virus ______________ Name Joshi Alias(es) Virus Family Joshi Classification Resident diskette and hard disk master boot infector Length of Virus Boot record and 8 additional sectors on hard disk or diskette Behavior Summary On January 5th, infected machinesdisplay the message"Type Happy Birthday Joshi!",and freeze until"happy birthday joshi"is typed on the keyboard.When an infected hard disk or diskette is booted, the virus loadsitself into high memory and intercepts the keyboard, timer, disk,and (a bit later) DOS service call vectors.The viral disk I/O handler infects the boot record ofBIOS drives 00, 01, 80 and 81 (drives A, B, and the first twophysical hard disks) when I/O is done to those drives.It also hides the viral boot record from normal reads,returning an image of the original boot record.The keyboard handler is used by the virus to remainin memory when a soft (Ctrl+Alt+Del) reboot is done.The DOS service call handler is used to choose a goodtime to activate if the date is January 5th. On infected diskettes, the virus resides in the bootrecord and in a specially formatted extra track that thevirus creates.Using DISKCOPY or other normal disk-imaging or disk-copyingtools does not make a true image of the infecteddiskette (most of the virus and the original boot recordwill be missing).Virus verification tools tell you that such a disketteis not infected with the normal Joshi virus. If a hard disk that was partitioned bya version of FDISK prior to DOS version 3.0 becomes infected, thevirus will overwrite part of the File Allocation Table with partof itself. This istrue regardless of the version of DOS actually installedon the disk at the time of infection. The only determiningfactor is the version of FDISK last used to partition the drive.When the disk is not very full, this does not cause noticeablesymptoms for some time. When the disk is full, it causesextensive file cross-linking and corruption. The Joshi-00 Virus _________________ Name Joshi-00 Alias(es) Virus Family Joshi Classification Resident diskette and hard disk master boot infector Length of Virus Boot record and 8 additional sectors on hard disk or diskette Behavior Summary On January 5th, infected machinesdisplay the message"Type Happy Birthday Joshi!",and freeze until"happy birthday joshi"is typed on the keyboard.When an infected hard disk or diskette is booted, the virus loadsitself into high memory and intercepts the keyboard, timer, disk,and (a bit later) DOS service call vectors.The viral disk I/O handler infects the boot record ofBIOS drives 00, 01, 80 and 81 (drives A, B, and the first twophysical hard disks) when I/O is done to those drives.It also hides the viral boot record from normal reads,returning an image of the original boot record.Although this version of the virus is slightly damagedand it might be possible to read the viral boot record witha clever use of VERIFY, this has not been tested.The keyboard handler is used by the virus to remainin memory when a soft (Ctrl+Alt+Del) reboot is done.The DOS service call handler is used to choose a goodtime to activate if the date is January 5th. On infected diskettes, the virus resides in the bootrecord and in a specially formatted extra track that thevirus creates.Using DISKCOPY or other normal disk-imaging or disk-copyingtools does not make a true image of the infecteddiskette (most of the virus and the original boot recordwill be missing).Virus verification tools tell you that such a disketteis not infected with the normal Joshi virus. If a hard disk that was partitioned bya version of FDISK prior to DOS version 3.0 becomes infected, thevirus will overwrite part of the File Allocation Table with partof itself. This istrue regardless of the version of DOS actually installedon the disk at the time of infection. The only determiningfactor is the version of FDISK last used to partition the drive.When the disk is not very full, this does not cause noticeablesymptoms for some time. When the disk is full, it causesextensive file cross-linking and corruption. The Joshi-00 is a variant of the Joshi virus. Oneword has been overwritten with binary zeros, whichhas little or no effect on the function of the virus. The Kennedy-163 Virus ____________________ Name Kennedy-163 Alias(es) Tiny-163 Virus Family Kennedy Classification Non-resident COM file virus for IBM DOS Length of Virus 163 bytes Behavior Summary This virus does nothing except infect COM files. The Keypress Virus _________________ Name Keypress Alias(es) Turku Virus Family Classification Resident COM and EXE file virus for IBM DOS Length of Virus Approximately 1232 bytes Behavior Summary When an infected file is executed, the virus loads into memory.If the active version of DOS is 3.0 or later, it will infect all filesexecuted later.If the active version of DOS is earlier than 3.0, it infects all fileshaving an extension of COM or EXE that are opened, except system files.At intervals of 10minutes, the virus causes spurious simulated keystrokesfor a period of 2 seconds and causes the keyboard to appear "stuck". The Lao Doung Virus __________________ Name Lao Doung Alias(es) Loa Doung, Lao Duong Virus Family Classification Resident diskette and hard disk system (non-master) boot infector Length of Virus Boot record and one additional hard disk or diskette sector Behavior Summary When an infected disk or diskette is booted, the virusinstalls itself in memory.When booted from diskette, itattempts to infect the boot record of thefirst partition on the first fixed disk.When the virus is in memory, it occasionally plays "music"through the PC speaker (our correspondants in Thailand tell usthat the tune is an old folk song called Lao Doung Duen). Due to assumptions made about the setup of hard disks,the virus might fail to infect and/or might damage data onsome hard disks. The Lehigh I Virus _________________ Name Lehigh I Alias(es) Virus Family Lehigh Classification Resident COMMAND.COM infector (IBM DOS) Length of Virus Approximately 530 bytes Behavior Summary This virus spreads between COMMAND.COM files. On the fourth infection,it writes random data to lower the 32 sectors of the disk, making fileson them inaccessible.Infected COMMAND.COM files do not change in length because thevirus writes itself over buffer space within the file. The Liberty Virus ________________ Name Liberty Alias(es) Mystic Virus Family Liberty Classification Resident COM, EXE, and diskette boot infector for IBM DOS Length of Virus Approximately 2857 bytes Behavior Summary When an infected file is run, the virus loads into memoryand infects EXE and COM files that are later executed.Rarely does the virus also infect the boot record of a diskette.When you boot from an infected diskette the virus installsitself in memory to infect COM and EXE files, and alsoinstalls a number of "prank" routines that sometimesreplace text sent to the screen, the printer, or the asynchronouscommunication ports with the word"MAGIC".Also on rare occasions displays"M A G I C ! ! !"on the first line of the screen momentarily. The Liberty-B Virus __________________ Name Liberty-B Alias(es) Mystic Virus Family Liberty Classification Resident COM, EXE, and diskette boot infector for IBM DOS. Length of Virus Approximately 2867 bytes Behavior Summary When an infected file is run, the virus loads into memoryand infects EXE and COM files that are later run.Rarely does the virus infect the boot record of a diskette.When you boot with an infected diskette, the virusinstalls itself in memory to infect COM and EXE files and alsoinstalls a number of "prank" routines.This is a slight, functionally identical variant of the Liberty virus. The Liberty-X Virus __________________ Name Liberty-X Alias(es) Mystic Virus Family Liberty Classification Resident COM and EXE infector for IBM DOS Length of Virus Approximately 2857 bytes Behavior Summary When an infected file is run,the virus loads into memoryand infects EXE and COM files that are later run.This is a damaged variant of the Liberty virus, which cannotinfect diskettes, and does not contain the "prank"code from the Liberty virus.In circumstances where the Liberty would infect a diskette,the Liberty-X malfunctions, generally hanging the system. The Live After Death Virus _________________________ Name Live After Death Alias(es) V810 Virus Family V800 Classification Resident COM infector for IBM DOS Length of Virus 810 bytes Behavior Summary This virus infects only COM files of specific lengths.It attempts to intercept DOS requests at a low level in orderto avoid detection by security programs. The Michelangelo Virus _____________________ Name Michelangelo Alias(es) Virus Family Classification Diskette and hard disk master boot-record infector Length of Virus Boot record and one additional hard disk or diskette sector Behavior Summary When booted from diskette, this virus infects the master boot recordof the first hard disk (if any) and installs the virus in memory.When booted from an infected hard disk, it only installs the viru s inmemory.While the virus is in memory, diskettes used in drive A becomeinfected.If the date is March 6th when you boot from an infected disk or diskette isthe virus will overwrite parts of the boot disk with random data. The Microbe Virus ________________ Name Microbe Alias(es) Microbes Virus Family Classification Resident diskette boot infector Length of Virus Boot record and 8 additional sectors on hard disk or diskette Behavior Summary When you boot from an infected diskette, the virusinstalls itself in memory and infects any writeable disketteused in drives A or B later.If a diskette is infected with the Brain virus, it will removethe Brain infection before installing itself.While the virus is active in memory, attempts to read or write toan infected boot record are redirected to the saved originalboot record instead.The virus uses eight sectors (four clusters) on diskette, whichit marks as "bad" in the DOS File Allocation Table.If the virus has been booted a large number of times,it will display during the boot process a message that begins"This MICROBE is dedicated to...". The MIX1 Virus _____________ Name MIX1 Alias(es) Virus Family Iceland/Saratoga Classification Resident EXE infector Length of Virus Approximately 1618 bytes Behavior Summary When an infected program is run, the virus installs itself inmemory; later, if any file with an extension beginning with "EX"is run, it will be infected.This virus differs from the Saratoga 1 in that it does not marksectors as bad, and it contains code to cause errors (charactersubstitutions) in serial and printer output using BIOS, and tocause a bouncing ball to appear on the screen in some conditions.The bouncing ball code appears to have a bug that sometimes hangs themachine. The MIX1-B Virus _______________ Name MIX1-B Alias(es) Virus Family Iceland/Saratoga Classification Resident EXE infector Length of Virus Approximately 1618 bytes Behavior Summary When an infected program is run, the virus installs itself inmemory; later, if any file with an extension beginning with "EX"is run, it will be infected.The virus contains code to cause errors (charactersubstitutions) in serial and printer output using BIOS and tocause a bouncing ball to appear on the screen in some conditions.Some of the errors in the MIX1 virus seem to be fixed in this variant. The Noint Virus ______________ Name Noint Alias(es) Virus Family Classification Diskette and hard disk master boot record infector. Length of Virus Approximately 420 bytes Behavior Summary When booted from diskette, the virus infects the master boot record of thefirst hard disk (if any) and installs the virus in memory.When booted from an infected hard disk, it only installs the viru s inmemory.While the virus is in memory, any (not write protected)diskettes read from become infected.If the virus is active in memory, attempts to read the infected bootrecord from the first hard disk will see the original uninfectedboot record instead.The virus has no intentional side-effects, destructive orotherwise. The Ohio Virus _____________ Name Ohio Alias(es) Virus Family Ohio Classification Diskette boot record infector Length of Virus Boot record and 5 additional sectors on hard disk or diskette Behavior Summary When you boot from an infected diskette, the virus loads into memoryand infects diskettes used in drive A or B later.If the virus finds signs of the Brain virus on a diskette, it willremove the Brain infection before installing itself.If the virus is in memory and a color display is active when the userpresses Ctrl+Alt+Del, the virus will sometimes hang th e machine.It seems to be designed to display a graphic, similar to the Den Zuk virus towhich it is closely related. In all samples seen so far, thegraphic code is missing and the system hangs. The OROPAX Virus _______________ Name OROPAX Alias(es) Virus Family Classification Resident COM infector for IBM DOS Length of Virus Approximately 2765 bytes Behavior Summary When an infected file is executed, the virus installs itselfin memory.At certain times later (such as creation of a file or subdirectory.And renaming of a file), the virus infects one additionalfile having an extension of COM.Infected files can grow by as much as 2815 bytes.Under some circumstances, the virus causes music to playfrom the PC's speaker (although on some machines the music isnever played, in spite of the infection). The Perfume-765 Virus ____________________ Name Perfume-765 Alias(es) 4711 Virus Family Classification Resident COM infector for IBM DOS Length of Virus Approximately 765 bytes Behavior Summary When an infected file is run, the virus installs itself in memory,and any file with an extension of COM that is run later is infected.After a certain number of files have been infected, running an infectedprogram causes a message to be displayed, and execution continuesonly if you type "4711".In the sample of the virus we have, the message area has been overlayedwith zeros and other binary values. There are text variants wherethe message says something intelligible. The Plastique-Danube Virus _________________________ Name Plastique-Danube Alias(es) Plastique, Invader, Anticad 4.Danube Virus Family Plastique, 1813 Classification Resident COM, EXE, diskette, and partition boot sector infector for IBM DOS Length of Virus Approximately 4096 bytes Behavior Summary When an infected file is run, the virus loads into memoryand infects EXE and COM files that are later run or opened as read-only,and infects the partition (DOS) boot sector on diskettes and hard disks thatare later read from.When the virus is active in memory, it sometimes slows down the machine,sometimes plays the Blue Danube Waltz through the PC speaker,and sometimes causes hard disk and diskette writes to fail(after a certain number of keystrokes without a hard disk or diskette write).Under various circumstances involving whether or not you haverun ACAD.EXE, the number of keystrokes sincethe last hard disk write, and the user pressing Ctrl+Alt+Del,the virus hangs the system, sometimes after writing garbageto the first two diskettes or the first two physical hard disks.This virus is closely related to the other members of the Plastiquefamily, especially the Plastique 5.21 and the Plastique-Invader viruses. The virus also removes the "Disk Killer" virus from hard disks anddiskettes that it infects and attempts to disable that virusif it is resident in memory. The Plastique-Invader Virus __________________________ Name Plastique-Invader Alias(es) Plastique, Invader, Anticad 4.Mozart Virus Family Plastique, 1813 Classification Resident COM, EXE, diskette, and partition boot sector infector for IBM DOS Length of Virus Approximately 4096 bytes Behavior Summary When an infected file is run, the virus loads into memoryand infects EXE and COM files that are later run or opened as read-only,and infects the partition (DOS) boot sector on diskettes and hard disks thatare later read from.When the virus is active in memory, it sometimes slows down the machine,sometimes plays the theme from the first movement of Mozart's 40ththrough the PC speaker,and sometimes causes hard disk or diskette writes to fail(after a certain number of keystrokes without a hard disk or diskette write).Under various circumstances involving whether or not you haverun ACAD.EXE, the number of keystrokes sincethe last disk write, and wether you press Ctrl+Alt+Del,the virus hangs the system, sometimes after writing garbageto the first two diskettes or to the first two physical hard disks.This virus is closely related to the other members of the Plastiquefamily, especially the Plastique 5.21 and the Plastique-Danube viruses. The virus also removes the "Disk Killer" virus from hard disks anddiskettes that it infects and attempts to disable that virusif it is resident in memory. The Plastique-2576 Virus _______________________ Name Plastique-2576 Alias(es) Plastique, Anticad, Anticad 5, Taiwan 4 Virus Family Plastique, 1813 Classification Resident COM and EXE infector for IBM DOS Length of Virus Approximately 2576 bytes Behavior Summary When an infected file is run the virus loads into memoryand infects EXE and COM files that are later run.When the virus is active in memory, it will sometimes slows down the machine,and sometimes plays music through the PC speaker.If you run a file called ACAD.EXE,it will be overwritten with garbage and erased instead.Much of the code in this virus is taken from the 1813 virus,but many of the 1813 virus's symptoms (such as EXE re-infection, file erasureon Friday the 13th, black boxes) have been removed. The Plastique-2900 Virus _______________________ Name Plastique-2900 Alias(es) Plastique, Anticad, Anticad 2, Taiwan 3 Virus Family Plastique, 1813 Classification Resident COM and EXE infector for IBM DOS Length of Virus Approximately 2900 bytes Behavior Summary When an infected file is run the virus loads into memoryand infects EXE and COM files that are later run or opened as read-only.When the virus is active in memory, it sometimes slows down the machine,sometimes plays music through the PC speaker,and sometimes causes hard disk and diskette writes to fail(after a certain number of keystrokes without a hard disk and diskette write).If you execute a file called ACAD.EXE,or press Ctrl+Alt+Del under certain circumstances,the virus hangs the system, sometimes after writing garbageto the first two diskettes and the first two physical hard disks.Much of the code in this virus is taken from the Plastique-2576 virus. The Plastique 4.51 Virus _______________________ Name Plastique 4.51 Alias(es) Plastique, Anticad, Anticad 3.a Virus Family Plastique, 1813 Classification Resident COM and EXE infector for IBM DOS Length of Virus Approximately 3012 bytes Behavior Summary When an infected file is run, the virus loads into memoryand infects EXE and COM files that are later run or open as read-only.When the virus is active i n memory, it sometimes slows down the machine,sometimes plays music through the PC speaker,and sometimes causes hard disk and diskette writes to fail(after a certain number of keystrokes without a hard disk and diskette write).Under various circumstances involving whether or not you haverun a file called ACAD.EXE, the number of keystrokes sincethe last disk write, and wether you press Ctrl+Alt+Del,the virus hangs the system, sometimes after writing garbageto the first two diskette or the first two physical hard disks.Much of the code in this virus is taken from the Plastique-2900 virus. The Plastique 4.51-b Virus _________________________ Name Plastique 4.51-b Alias(es) Plastique, Anticad, Anticad 3.b Virus Family Plastique, 1813 Classification Resident COM and EXE infector for IBM DOS Length of Virus Approximately 3004 bytes Behavior Summary When an infected file is run, the virus loads into memoryand infects EXE and COM files that are later run or opened as read-only.When the virus is active in memory, it sometimes slows down the machine,sometimes plays music through the PC speaker,and sometimes causes hard disk and diskette writes to fail(after a certain number of keystrokes without a hard disk and diskette write).Under various circumstances involving whether or not you haverun a file called ACAD.EXE, the number of keystrokes sincethe last hard disk write, and wether you press Ctrl+Alt+Del,the virus hangs the system, sometimes after writing garbageto the first two diskettes or the first two physical hard disks.This virus is nearly identical to the Plastiqu e 4.51 virus. The Plastique 5.21 Virus _______________________ Name Plastique 5.21 Alias(es) Plastique, Anticad, Anticad 1.b Virus Family Plastique, 1813 Classification Resident COM, EXE, diskette, and partition boot sector infector for IBM DOS Length of Virus Approximately 4096 bytes Behavior Summary When an infected file is run, the virus loads into memoryand infects EXE and COM files that are later run or opened as read-only,and the partition (DOS) boot sector on diskettes and hard disks thatare later read from.When the virus is active in memory, it sometimes slows down the machine,sometimes plays music through the PC speaker,and sometimes causes hard disk and diskette writes to fail(after a certain number of keystrokes without a hard disk and diskette write).If the you run a program called ACAD.EXE, the virus will printa warning message.Under various circumstances involving whether or not you haverun ACAD.EXE, the number of keystrokes sincethe last hard disk write, and wether you press Ctrl+Alt+Del,the virus hangs the system, sometimes after writing garbageto the first two diskettes or the first two physical hard disks.Much of the code in this virus is taken from the Plastique-2900 virus. The virus also removes the "Disk Killer" virus from hard disks anddiskettes that it infects, and attempts to disable that virusif it is resident in memory. The PrtSc Virus ______________ Name PrtSc Alias(es) Print Screen Virus Family Classification Resident diskette and hard disk system (non-master) boot infector Length of Virus Boot record only Behavior Summary When you boot from an infected hard disk or diskette, the virusinstalls itself in memory and infects any disketteand the boot sector of the first partition of any hard diskread later.At intervals, the virus causes a false INT 5 thatusually causes the contents of the screen to be printed on the localprinter (the same as pressing the Print Screen key). Because of assumptions made about the setup of hard disks,the virus can fail to infect or damage data onsome hard disks. The Saratoga 1 Virus ___________________ Name Saratoga 1 Alias(es) Disk Crunching, Iceland, Icelandic, Saratoga Virus Family Iceland/Saratoga Classification Resident EXE infector Length of Virus Approximately 642 bytes Behavior Summary When an infected program is run, the virus installs itself inmemory; later, if any file with an extension beginning with "EX"is run it will be infected.On certain types of hard disks, randomly chosen sectorsare marked gradually as "bad". The Saratoga 2 Virus ___________________ Name Saratoga 2 Alias(es) Disk Crunching, Iceland, Icelandic, Saratoga Virus Family Iceland/Saratoga Classification Resident EXE infector Length of Virus Approximately 656 bytes Behavior Summary When an infected program is run, the virus installs itself inmemory; later, if any file with an extension beginning with "EX"is run it will be infected.On certain types of hard disks, randomly chosen sectors aremarked gradually as "bad".This virus differs from the Saratoga 1 in that it does notinstall itself if any program has intercepted the BIOS disk I/Orequest. The SBC Virus ____________ Name SBC Alias(es) Virus Family Classification Resident EXE and COM infector Length of Virus Approximately 2845 bytes Behavior Summary When an infected program is executed, the virus installs itselfin memory and infects files that are later executed or opened.The length changes caused by the virus are not obvious if thevirus is active in memory. The output of the DIR command showsthe original uninfected lengths. The Slow-1721 Virus __________________ Name Slow-1721 Alias(es) Slow Virus Family Slow, 1813 Classification Resident COM and EXE infector for IBM DOS Length of Virus Approximately 1721 bytes Behavior Summary When an infected file is run, the virus loads into memory and infectsfiles that are later run.On some Fridays, the virus sets to zero the timestamps of fileswritten to. The Solano Virus _______________ Name Solano Alias(es) Dyslexia V2.01 Virus Family Classification Resident COM infector for IBM DOS Length of Virus 2000 bytes Behavior Summary When an infected file is run, the virus loads into memory and infectsCOM files (except COMMAND.COM) that are later run.While the virus is resident in memory, on rare occasions it swaps a pairof adjacent digits on the display screen. The StarDot-600 Virus ____________________ Name StarDot-600 Alias(es) Virus Family StarDot Classification Non-resident EXE infector for IBM DOS Length of Virus 600 bytes in infected COM files; some additional padding bytesin infected EXE files. Behavior Summary When an infected file is run, the virus chooses from the files on thedefault drive an uninfected EXE filewith the "archive" bit on and infects that file.If the day of the week is equal to the value of an internal counter, thevirus will also overwrite random areas on the current disk drive and willsend random bytes to the I/O ports associated with system devices,such as printers and displays. The StarDot-789 Virus ____________________ Name StarDot-789 Alias(es) Virus Family StarDot Classification Non-resident COM and EXE infector for IBM DOS Length of Virus Approximately 789 bytes Behavior Summary When an infected file is run, the virus chooses from the files on thedefault drive an uninfected EXE or COM filewith the "archive" bit on and infects that file.If the date is February 13th and the time is after 1 p.m. when an infected fileis run, it will overwrite the beginning of every hard disk in the systemstarting with Z.This virus is functionally identical to the StarDot-801 virus. The StarDot-801 Virus ____________________ Name StarDot-801 Alias(es) Virus Family StarDot Classification Non-resident COM and EXE infector for IBM DOS Length of Virus Approximately 801 bytes Behavior Summary When an infected file is run, the virus chooses from the files on thedefault drive an uninfected EXE or COM filewith the "archive" bit on and infects that file.If the date is February 13th and the time is after 1 p.m. when an infected fileis run, it will overwrite the beginning of every hard disk in the system,starting with Z.This virus is functionally identical to the StarDot-789 virus. The Stoned Virus _______________ Name Stoned Alias(es) Hawaii, Marijuana, New Zealand, San Diego, Smithsonian Virus Family Classification Diskette and hard disk boot infector Length of Virus Boot record and one additional hard disk or diskette sector Behavior Summary When a computer is booted from an infected diskette, thevirus infects the master boot record of the first physical hard disk,installs itself in memory, and sometimes displays the message"Your PC is now Stoned!"When a computer is booted from an infected hard disk, the virusalso installs itself in memory but does not display the message.When the virus is in memory, any diskette used in drive Amay becom e infected.The virus has no intentionally destructive features but causesFAT damage and possible data loss on hard disks partitioned incertain ways. The Stoned-C Virus _________________ Name Stoned-C Alias(es) Hawaii, Marijuana, New Zealand, San Diego, Smithsonian Virus Family Stoned Classification Diskette and hard-disk boot infector Length of Virus Boot record and one additional hard disk or diskette sector Behavior Summary This virus infects diskettes and hard disk master boot record.There are no obvious symptoms. This is a variant of the Stoned viruswith the message removed. The Sunday Virus _______________ Name Sunday Alias(es) Virus Family 1813 Classification Resident COM and EXE file virus for IBM DOS Length of Virus 1636 bytes in infected COM files; some additional padding bytesin infected EXE files. Behavior Summary This virus is similar to the 1813 virus, except the file-erasing trickis done only on Sundays after 1989. The slow-down and box-scrollingare replaced with a routine that sometimes prints a message aboutgoing out and having some fun. This message is displayed only on Sundaysafter 1989. The Sunday 2 Virus _________________ Name Sunday 2 Alias(es) Virus Family 1813 Classification Resident COM and EXE file virus for IBM DOS Length of Virus 1733 bytes in infected COM files; some additional padding bytesin infected EXE files. Behavior Summary This virus is similar to the 1813 virus except the file-erasing trickis done only on Sundays after 1989. The slow-down and box-scrollingare replaced with a routine that sometimes prints a message aboutgoing out and having some fun. This message is displayed only on Sundaysafter 1989. Also, the virus sometimes writes the word"PLAY"in the upper-left corner of the display. The sURIV 3.00 Virus ___________________ Name sURIV 3.00 Alias(es) Jerusalem-2E Virus Family 1813 Classification Resident COM and EXE file virus for IBM DOS Length of Virus 1813 bytes in infected COM files; some additional padding bytesin infected EXE files. Behavior Summary This virus erases files executed on Fridaysand causes some odd system behavior.It is similar to the 1813 virus. The Sylvia Virus _______________ Name Sylvia Alias(es) Holland Girl Virus Family Classification Non-resident COM infector for IBM DOS Length of Virus Approximately 1332 bytes Behavior Summary When an infected file is run, it infects up to 5 files with anextension of COM in the current directories on the current drive and ondrive C.The virus has no known side effects.It gets its name from the presence of an unused text area containinga name and address of someone named Sylvia from the Netherlands plusa suggestion to send her a funny postcard. The SYSLOCK Virus ________________ Name Syslock Alias(es) Macho, Macho-A, 3551 Virus Family Syslock Classification Non-resident COM and EXE infector for IBM DOS Length of Virus 3551 bytes Behavior Summary When an infected file is run, the virus looks through the directorytree on the current drive and infects one EXE or COM file at random.Sometimes (approximately every fifth time it runs), it picks arandom sector on the current disk and changes all occurrences ofthe string "Microsoft" to "MACROSOFT".Also a text variant exists that uses "MACHOSOFT" instead of "MACROSOFT." The Tequila Virus ________________ Name Tequila Alias(es) Virus Family Classification Resident EXE and hard disk master boot infector for IBM DOS Length of Virus Approximately 2470 bytes Behavior Summary When an infected file is run, it infects the master bootrecord of the first hard disk.When a system is booted from an infected hard disk, the virus loadsinto memory and infects any EXE files subsequently run.The virus displays a low-resolution Mandelbrot set(a vaguely circular pattern of colors) on the monitor.The virus has a number of complex, but basically uninteresting,features having to do with not infecting files with certain names,trying to escape detection by making each infected file slightlydifferent, and so on. From your point of view, though,detection is not difficult. The TP16VIR Virus ________________ Name TP16VIR Alias(es) Virus Family TPxxVIR Classification Resident EXE-converter and COM infector for IBM DOS Length of Virus Approximately 1339 bytes Behavior Summary This virus converts EXE-formatted files to COM format and infectsCOM-formatted files. The virus becomes resident when the first infectedfile is run and converts or infects any files that are run later.This virus is similar to the VACSINA virus. The TP45VIR Virus ________________ Name TP45VIR Alias(es) Yankee Doodle, TP45 Virus Family Yankee Doodle (TPxxVIR) Classification Resident COM and EXE infector for IBM DOS Length of Virus Approximately 2901 bytes Behavior Summary When an infected program is run, this virus loads into memory andinfects any program run later.At 5:00 p.m. infected systems sometimes play "Yankee Doodle"through the speaker.This virus also has complex (but basically uninteresting)interactions with previous viruses in the same family, andwith the Bouncing Ball virus.From your point of view, this virus is essentially identical tothe Yankee Doodle-2885 virus (and some other members of this family). The Traceback-2930 Virus _______________________ Name Traceback-2930 Alias(es) Traceback II Virus Family Traceback Classification Resident COM and EXE infector Length of Virus Approximately 2930 bytes Behavior Summary When an infected program is run, the virus installs itself inmemory and also looks for a file to infect on the current disk.Any files executed later can also become infected.Approximately one hour after executing the first infected program,a "falling letters" display, similar to that produced bythe 17xx family of viruses, will occur.At the first keystroke after the display, the screen returnsto normal; this performance is repeated periodically.This virus is very similar to the 3066 virus. The Traceback-3066 Virus _______________________ Name Traceback-3066 Alias(es) Traceback Virus Family Traceback Classification Resident COM and EXE infector Length of Virus Approximately 3066 bytes Behavior Summary When an infected program is run, the virus installs itself inmemory and also looks for a file to infect on the current disk.Any files run later can also become infected.Approximately one hour after running the first infected program,a "falling letters" display, similar to that produced bythe 17xx family of viruses, occurs.At the first keystroke after the display, the screen returnsto normal. This performance is repeated periodically.This virus is very similar to the 2930 virus. The VACSINA Virus ________________ Name VACSINA Alias(es) Virus Family TPxxVIR Classification Resident EXE-converter and COM infector for IBM DOS Length of Virus Approximately 1206 bytes Behavior Summary This virus converts EXE-formatted files to COM format,and infects COM-format files.The virus becomes resident when the first infected file is runand converts or infects any files that are run later.The system might "beep" when new files are infected. The Vienna-Ghost Virus _____________________ Name Vienna-Ghost Alias(es) Ghostballs Virus Family Vienna, Bouncing Ball Classification Non-resident COM infector / boot modifier Length of Virus 2351 bytes Behavior Summary This virus infects COM files exactly as the Vienna-648 virus does,except it does not do the file damage of the Vienna-648 virus.When an infected file is run, the virus (as well as spreading)writes to drive A a boot sector that resembles the Bouncing Ball/286boot sector in all functions except spreading.That is, the new boot sector sometimes produces a bouncing ballon the screen after booting and is detected as infected bythe Bouncing Ball virus by some detectors, but it will not spreaditself to other diskettes (only COM files infected with the Ghostvirus spread it). The Vienna-Lisbon Virus ______________________ Name Vienna-Lisbon Alias(es) Lisbon Virus Family Vienna Classification Non-resident COM file virus for IBM DOS Length of Virus 648 bytes Behavior Summary This virus overlays some COM files with the string "@AIDS",rendering them nonfunctional. The Vienna-648 Virus ___________________ Name Vienna-648 Alias(es) Austrian, DOS-62, DOS-68, One-In-Eight, Reboot, Unesco, Vienna Virus Family Vienna Classification Non-resident COM file virus for IBM DOS Length of Virus 648 bytes Behavior Summary When an infected program is run, this virus looks for one uninfectedCOM file along the DOS PATH and infects it.It overlays some COM files with code that reboots the machine. The W13-A Virus ______________ Name W13-A Alias(es) Polish Virus Family W13 Classification Non-resident COM file virus for IBM DOS Length of Virus 534 bytes Behavior Summary Infected COM files infect other COM files when they are run.No other effects. The W13-B Virus ______________ Name W13-B Alias(es) Polish Virus Family W13 Classification Non-resident COM file virus for IBM DOS Length of Virus 507 bytes Behavior Summary Infected COM files infect other COM files when they are run.No other effects. The Yale Virus _____________ Name Yale Alias(es) Alameda, Merritt, Peking, Seoul, Yale Boot Virus Family Yale Classification Diskette boot infector Length of Virus Boot record and one additional hard disk or diskette sector Behavior Summary This virus has no obvious damage or symptoms; spreads when Ctrl+Alt+Delis pressed in an infected machine with an uninfected diskette indrive A. The Yankee Doodle-2772 Virus ___________________________ Name Yankee Doodle-2772 Alias(es) Yankee Doodle, 2772, TP39VIR, Yankee Doodle-B Virus Family Yankee Doodle (TPxxVIR) Classification Resident COM and EXE infector for IBM DOS Length of Virus Approximately 2772 bytes Behavior Summary When an infected program is run, the virus loads into memory andinfects any program run later.At 5:00 p.m. infected systems sometimes play "Yankee Doodle"through the speaker.This virus also has complex (but basically uninteresting)interactions with previous viruses in the same family andwith the Bouncing Ball virus.From your point of view, this virus is essentially identical tothe Yankee Doodle-2885 (and some other members of this family). The Yankee Doodle-2885 Virus ___________________________ Name Yankee Doodle-2885 Alias(es) Yankee Doodle, 2885, TP44VIR Virus Family Yankee Doodle (TPxxVIR) Classification Resident COM and EXE infector for IBM DOS Length of Virus Approximately 2885 bytes Behavior Summary When an infected program is run, the virus loads into memory andinfects any program run later.At 5:00 p.m. infected systems sometimes play "Yankee Doodle"through the speaker.This virus also has complex (but basically uninteresting)interactions with previous viruses in the same family andwith the Bouncing Ball virus.From your point of view, this virus is essentially identical tothe Yankee Doodle-2772 (and some other members of this family). The 1381 Virus _____________ Name 1381 Alias(es) Internal Virus Family Classification Non-resident EXE infector for IBM DOS Length of Virus Approximately 1381 bytes Behavior Summary When an infected file is run, the virus looks for an uninfectedfile with an extension of EXE on the current disk (it looks randomly throughsubdirectories) and infects it.If an infected file is run more than about 90 days after itbecame infected, it will display random-looking charactersacross the screen, along with the message"INTERNAL ERROR 02CH.PLEASE CONTACT YOUR HARDWARE MANUFACTURER IMMEDIATELY ! DO NOT FORGETTO REPORT THE ERROR CODE !"The virus then removes itself from the infected file andyou are returned to DOS. The 1392 Virus _____________ Name 1392 Alias(es) Amoeba, Khetapunk Virus Family Classification Resident COM and EXE infector for IBM DOS Length of Virus Approximately 1392 bytes Behavior Summary When an infected file is run, the virus installs itselfin memory.While in memory, the virus attempts to infect files that arerun, and COMMAND.COM files on any disk while a free-spacecheck is made. The DIR command, for instance, does a free-space check.When the virus has gone about four minutes without infecting a fileand the display is a CGA (in text mode), the virus talks to the CRTcontroller to create a 26th line on the display and writes the words"SMA KHETAPUNK - NOUVEL Band A.M.O.E.B.A. by PrimeSoft Inc"in yellow on purple background. The virus contains a serious bug that causes it to replicate imperfectly,and only early generations of the virus are likely to function. The 1536 Virus _____________ Name 1536 Alias(es) Zero Bug, Palette Virus Family Classification Resident COM infector for PC DOS Length of Virus 1536 bytes Behavior Summary This virus infects COMMAND.COM and other COM files that arecopied. Under some conditions, a "face" appears on the screen,and "eats" displayed characters. The 1575 Virus _____________ Name 1575 Alias(es) Green Caterpillar Virus Family Classification Resident COM and EXE infector for IBM DOS Length of Virus Approximately 1575 bytes Behavior Summary When an infected file is run, it attempts to infectthe COMMAND.COM file in the root directory of drive Cand loads itself into memory if it is not already present.It then infects files with an extension of COM or EXE that are foundby various file-search calls (a DIR, for instance, often causesfiles found to be infected).At times, the virus displays a small horizontal green caterpillarrunning across your color display, moving characters around on thescreen and changing their color. The 1701 Virus _____________ Name 1701 Alias(es) 170x, 17xx, Austrian 2, Autumn, Blackjack, Cascade, Fall, Falling Tears Virus Family 17xx Classification Resident COM infector for IBM DOS Length of Virus 1701 bytes Behavior Summary When an infected program is run, the virus loadsinto memory and infects COM-formatted files run later.The virus occasionally causesletters on the screen to fall into a pile at the bottom of the display screen,while causing "clicks" on the speaker.Due to complex date interactions, it is possible to have an active1701 infection without this symptom ever appearing. The 1701-NoDate Virus ____________________ Name 1701-NoDate Alias(es) Virus Family 17xx Classification Resident COM infector for IBM DOS Length of Virus 1701 bytes Behavior Summary This virus spreads between COM files in IBM DOS. Occasionally the viruscauses letters on the screen to fall into a pile at the bottom of the screen.It is a minor variant of the 1701 virus. The 1704 Virus _____________ Name 1704 Alias(es) 170x, 17xx, Austrian 2, Autumn, Blackjack, Fall, Second Austrian Virus Family 17xx Classification Resident COM infector for IBM DOS Length of Virus 1704 bytes Behavior Summary This virus spreads among COM files in IBM DOS. Occasionally the viruscauses letters on the screen to fall into a pile at the bottom. The 1704-B Virus _______________ Name 1704-B Alias(es) 170x, 17xx, Cascade-B Virus Family 17xx Classification Resident COM infector for IBM DOS Length of Virus 1704 bytes Behavior Summary This virus spreads among COM files in IBM DOS. Occasionally the viruscauses letters on the screen to fall into a pile at the bottom. The 1704-C Virus _______________ Name 1704-C Alias(es) 170x, 17xx Virus Family 17xx Classification Resident COM infector for IBM DOS Length of Virus 1704 bytes Behavior Summary This virus spreads among COM files in IBM DOS. Occasionally this viruscauses letters on the screen to fall into a pile at the bottom. The 1704-Format Virus ____________________ Name 1704-Format Alias(es) 170x, 17xx Virus Family 17xx Classification Resident COM infector for IBM DOS Length of Virus 1704 bytes Behavior Summary This virus spreads among COM files in IBM DOS. Under some conditions,the virus renders data on drive C unreadable. The 1704-Y Virus _______________ Name 1704-Y Alias(es) 170x, 17xx Virus Family 17xx Classification Resident COM infector for IBM DOS Length of Virus 1704 bytes Behavior Summary This virus spreads among COM files in IBM DOS. Occasionally this viruscauses letters on the screen to fall into a pile at the bottom.Infected programs often malfunction.This is a damaged variant of the 170 4 virus. The 1813 Virus _____________ Name 1813 Alias(es) Black Friday, Black Hole, Hebrew University, Israeli, Jerusalem, JV,Morbus Waiblingen, PLO, Russian, sUMsDos Virus Family 1813 Classification Resident COM and EXE file virus for IBM DOS Length of Virus 1813 bytes in infected COM files; some additional padding bytesin infected EXE files. Behavior Summary When an infected program is run, the virus loadsinto memory and infects any program run later.Because of a bug in the virus, EXE-formatted files are infectedeach time they are run. Frequently used files eventuallybecome too large to run.Because of another bug, some files (including OS/2 and WindowsEXE files and very large COM files) do not run correctlyafter being infected.The virus intentionaly causes slowing down of themachine at intervals. Also, causes the appearance of "black boxes" onthe display, and erases any file executed on any Fridaythe 13th. The 1813-00 Virus ________________ Name 1813-00 Alias(es) Virus Family 1813 Classification Resident COM and EXE infector for IBM DOS Length of Virus 1813 bytes in infected COM files; some additional padding bytesin infected EXE files. Behavior Summary This virus is a "mutation" (either accidental or intentional) ofthe standard 1813 virus.One byte of the virus has been changed to a zero. The main effectis if an uninfected program is run from a write-protected diskettewhile the virus is active in memory, the program often does notrun at all and simply exits back to the DOS command prompt.With this exception, the virus is almost identical to the standard 1813virus. The 1813-ANARKIA Virus _____________________ Name 1813-ANARKIA Alias(es) Virus Family 1813 Classification Resident COM and EXE file virus for IBM DOS Length of Virus 1813 bytes in infected COM files; some additional padding bytesin infected EXE files. Behavior Summary This virus erases files run on Friday the 13th andcauses some odd system behavior.This virus is a slight variant of the 1813 virus. It never causes the 1813virus's "black box," and has a more drastic system slowdown at times. The 1813-Discom Virus ____________________ Name 1813-Discom Alias(es) Discom Virus Family 1813 Classification Resident COM and EXE infector for IBM DOS Length of Virus 2053 bytes in infected COM files; some additional padding bytesin infected EXE files. Behavior Summary Like the 1813 virus, the Discom virus loads into memory and infectsCOM and EXE files that are later run.But, unlike the 1813, it does not infect EXE files multiple timesand will not infect files with names ending in the letters "acad".Rather than erasing files run on Friday the 13th, theDiscom virus has a number of side effects, such as slowing downthe system, sending random data out the serial I/O ports,and sometimes overlaying data on the hard drive. The 1813-Not-13 Virus ____________________ Name 1813-Not-13 Alias(es) Payday Virus Family 1813 Classification Resident COM and EXE file virus for IBM DOS Length of Virus 1813 bytes in infected COM files; some additional padding bytesin infected EXE files. Behavior Summary This virus erases files run on Fridays that are not the 13th of the monthand causes some odd system behavior.This virus is an almost-identical variant of the 1813 virus. The 1813-Swiss Virus ___________________ Name 1813-Swiss Alias(es) Virus Family 1813 Classification Resident COM and EXE file virus for IBM DOS Length of Virus 1813 bytes in infected COM files; some additional padding bytesin infected EXE files. Behavior Summary This virus erases files run on Friday the 13thand causes some odd system behavior.This virus is a functionally identical code variant of the 1813 virus. The 1813-Tuesday-the-13th Virus ______________________________ Name 1813-Tuesday-the-13th Alias(es) Virus Family 1813 Classification Resident COM and EXE file virus for IBM DOS Length of Virus 1813 bytes in infected COM files; some additional padding bytesin infected EXE files. Behavior Summary This virus erases files executed on Tuesdays that are alsothe 13th of the month and causes some odd system behavior.It is an almost identical variant of the 1813 virus. The 2086 Virus _____________ Name 2086 Alias(es) Fu Manchu Virus Family 1813 Classification Resident COM and EXE file virus for IBM DOS Length of Virus 2086 bytes in infected COM files; some additional padding bytesin infected EXE files.(More precisely, 2080 bytes of code and 6 bytes of virusself-recognition string in COM files, and 0-15 bytes of paddingfollowed by 2080 bytes of code in EXE files.) Behavior Summary This virus hooks the keyboard interrupts, waits for any of the names"Fu Manchu, Reagan, Thatcher, Botha, or Waldeim"to be typed in upper case or lower case letters followed by a space,and adds its own remarks about them in the keyboard buffer so theyare entered as the rest of the text.Also this virus slowly displays a message when the systemis restarted by pressing Ctrl+Alt+Del. The 4096 Virus _____________ Name 4096 Alias(es) Stealth, Century Virus Family Classification Resident EXE and COM infector for IBM DOS Length of Virus 4096 bytes Behavior Summary When an infected program is run, the virus becomes residentin memory and infects any files run and any executable filesopened and closed later.If the date is between September 22 and December 31 of any year,the virus will generally hang the machine (due to bugs in codethat seem to be intended to overwrite the boot record with aprogram to display the message"Frodo Lives"when the machine boots). The 555 Virus ____________ Name 555 Alias(es) QUIT1992 Virus Family 555 Classification Resident COM and EXE infector for IBM DOS Length of Virus 555 bytes in infected COM files; some additional padding bytesin infected EXE files. Behavior Summary When an infected file is run, the virus loads into memoryand infects EXE and COM files that are later run.If the year is 1992 or greater when an infected file is executed,the virus will install itself and exit immediately to DOS, withoutrunning the original victim program. The 555-B Virus ______________ Name 555-B Alias(es) QUIT1992 Virus Family 555 Classification Resident COM and EXE infector for IBM DOS Length of Virus 555 bytes in infected COM files; some additional padding bytesin infected EXE files. Behavior Summary When an infected file is run, the virus loads into memoryand infects EXE and COM files that are later run.If the year is 1992 or later when an infected file is run,the virus will install itself and will exit immediately to DOS, withoutrunning the origina l program.This virus is almost identical to the 555 virus.