Liren Large Software Subsidy 16

home *** CD-ROM | disk | FTP | other *** search

/ Liren Large Software Subsidy 16 / 16.iso / t / t170 / 1.img / README.DOC < prev next >

Wrap

Text File | 1990-06-08 | 63.6 KB | 1,356 lines

────────────────────────────────────────────────────────────────────────────── CARMEL Software Engineering is proud to present: Turbo Anti-Virus v6.80A ────────────────────────────────────────────────────────────────────────────── New Features in Version 6.80A 1. At last, we have an INSTALL utility. It is VERY user friendly and does everything automatically for you. Just type INSTALL. 2. All executable files of Turbo Anti-Virus will check and validate themselves before running. But this is not all. In case of any virus infection - the files will cure and clean themselves. 3. New command line parameters were added to TSAFE: A. The '/Ax' parameter allows specification of the hot-key used to activate the control window. If TSAFE is activated, the hot key will be <Alt-x> instead of the default <Alt-T>. For example, To set the hot key to <Alt-S> type: TSAFE /AS B. The /X parameter will Disable / Enable the write protection of executable files (COM & EXE). This feature will warn the user of any attempt to change an executable file, (e.g. When a virus is trying to infect it). The default for this warning is ON. 4. A new option in the WARNING window of TSAFE allows the user to simulate an error and cause the operation to FAIL. For Example: If a virus tries to write to the boot sector - TSAFE will open the warning window. Pressing the 'F' key (FAIL) will cause the termination of the writing routine causing the virus to "think" that the disk is write protected (Smart ah...). 5. TSAFE will open a window after every program termination and prompt the user of the virus scan which has been carried out in the memory. 6. In TNTVIRUS, new options have been added to the Options menu and command line. A. The Check All Files option (/A from the command line) was added due to the fact that there are some new viruses (100 Years - 4096), which also infect data files. The virus can not be executed in data files but the file is corrupted after infection and Turbo Anti-Virus will rebuild it's original state. B. The Automatic Loop option (/L from the command line) will cause the automatic pilot to check more than one disk instead of checking once and then exiting to DOS - This is intended for use in checking several floppy disks. 7. Many more viruses are now identified and cleaned by Turbo Anti-Virus(tm). Just keep on reading to understand why it is so important to use Turbo Anti- Virus(tm). 8. The BOOTSAFE utility: CARMEL Software Engineering Turbo Anti-Virus software package The * BOOTSAFE * module The complete boot sector and partition table security system GENERAL DESCRIPTION ─────────────────────────────────────────────────────────────────────────── BOOTSAFE is a security utility for the boot sector and partition table of hard and floppy disks. This utility will create clean images of the boot sector and partition table of the drives requested. Before creating the images - BOOTSAFE will make sure that these areas are currently clean and free of any known viruses, and then it will create images of these boot areas. It will also enable the saving of the images to a floppy disk which can later be used in order to recover from a total loss of the disk boot areas. As soon as these images are created and saved, BOOTSAFE will be able to compare them to all boot areas currently being used. In case any difference is found between the images and the current boot areas - BOOTSAFE will report this, and will provide the opportunity to restore the original boot areas from the file images. This solution will actually solve two common problems: 1) ANY virus which attempts to place itself instead of, or together with the boot areas, will be found and eliminated. 2) ANY damage or changes will be fixed and the boot areas will be restored to their original form. It is most recommended to run BOOTSAFE from the AUTOEXEC.BAT file, since this method does not occupy space in the memory, and its execution-time is only a matter of seconds. BOOTSAFE will also check the memory for all known viruses, and eliminate any virus which is found - allowing for the continuation of work as if nothing had happened. HOW TO INSTALL BOOTSAFE IN THE AUTOEXEC.BAT FILE? ─────────────────────────────────────────────────────────────────────────── BOOTSAFE can be installed by the INSTALL utility contained in the original Turbo Anti-Virus package. While booting up the system, the INSTALL utility asks which drives to check. It then creates the images for these drives. BOOTSAFE can always be uninstalled by the same INSTALL utility. HOW TO RUN BOOTSAFE FROM THE DOS COMMAND LINE (INSTEAD OF THE AUTOEXEC)? ─────────────────────────────────────────────────────────────────────────── Very Simple! BOOTSAFE offers several options - the following is a description of each, and a few examples: In order to verify that the boot areas are OK: ─────────────────────────────────────────────────────────────────────────── Just type: BOOTSAFE and it will check the default drive boot areas. or BOOTSAFE D: and it will check the D drive boot areas. or BOOTSAFE C: D: and it will check both C & D drives boot areas. etc..... If BOOTSAFE finds any changes in the boot areas - it will enable restoration of the original boot areas from the images. In order to create new images for the boot areas... ─────────────────────────────────────────────────────────────────────────── The /M option is used: E.G. BOOTSAFE D:/M and it will generate a new image file for drive D boot areas. It will then provide the option to save the images on a seperate floppy disk. (This will be usefull in case of a total loss of the boot areas, for whatever reason.) In order to restore the boot areas from a floppy disk, the floppy disk containing the saved images is inserted to drive A and... ─────────────────────────────────────────────────────────────────────────── The /R option is used: E.G. BOOTSAFE D:/R and it will read the original boot areas of drive D which were previously saved as image files on drive A, and will copy them to drive D. By using BOOTSAFE, worry about boot sector viruses will be a thing of the past. ────────────────────────────────────────────────────────────────────────────── Description of Known Viruses Files Infecting Viruses The Friday 13th viruses (7 varieties). ────────────────────────────────────────────────────────────────────────────── *Also known as the Jerusalem B ,Israeli virus and PLO virus. *There are many variations of this virus: Jerusalem A,B,B (new),B-2,C,D, and E. *This type of virus was released in Israel and was first discovered by CARMEL Software Engineering in Kiryat Hamachshev LTD in July 1987, and 2 weeks later at the Hebrew University of Jerusalem (causing much panic). *The size of the virus is 1808 bytes, or 1813 bytes including the last 5 bytes, which are the signature of this infection, and it infects EXE, COM and some overlay files. *Due to a bug in the virus, when it infects EXE files it does not add it's signature at the end of the file, therefor the virus does not stop after the first infection but continues infecting further EXE files. *The Friday 13th is a resident virus and uses INT 21H function 31H in order to remain in the memory. Then it infects every COM or EXE file which is executed. The virus slows down the computer, black "boxes" appear on the screen and on any Friday which is the 13th of the month it will erase the files being executed. The Saturday 14th viruses (2 varieties). ────────────────────────────────────────────────────────────────────────────── *Also known as the Durban virus. *The size of the virus is 681 (+0-15 Bytes for Paragraph alignement). *Remains resident in Memory (not using Int 21H or 27H). *Infects EXE & COM files (excluding COMMAND.COM). *On every Saturday which falls on the 14th day of the month the virus will destroy the disk by writing to the first 100 sectors of the disk - eliminating the Boot sectors, FAT & Directory areas. The Tuesday 1st viruses (2 varieties). ────────────────────────────────────────────────────────────────────────────── * This virus is almost identical to the Friday 13th virus but with two major differences. * The activation date is every Tuesday which is the 1st day of the month. * The identification signature of the virus was changed from MsDos to MsDns. * This virus was sent to us by the virus hunter Mr. Szegedi Imre from Budapest, Hungary. The Friday 13th Destructive viruses (2 varieties). ────────────────────────────────────────────────────────────────────────────── * This virus is almost identical to the Friday 13th virus but with one major difference. * Infected files are not working after the infection took place and this makes reconstruction - impossible. * This virus was sent to us by the virus hunter Mr. Szegedi Imre from Budapest, Hungary. The Jerusalem 3 virus (2 varieties). ────────────────────────────────────────────────────────────────────────────── *Almost the same as the Friday 13th varieties with a few slight changes. The Suriv 3.00 viruses (2 varieties). ────────────────────────────────────────────────────────────────────────────── *Also known as a variety of the Jerusalem B/E or Israeli virus. *The size of the virus is 1813 bytes, including the last 5 bytes which are the signature of this infection, and it infects both EXE and COM files (SURIV). *The Suriv 3.00 is a resident virus and uses INT 21H function 31H in order to remain in the memory. Then it infects every COM or EXE file which is executed. *The virus slows down the computer, black "boxes" appear on the screen and on any Friday which is the 13th of the month it will erase the files being executed. The Sunday viruses (2 varieties). ────────────────────────────────────────────────────────────────────────────── *Also known as the 1636 virus. *The size of the virus is 1636 bytes including the last 5 bytes which are the signature of this infection and it infects both EXE and COM files. *The Sunday virus is a resident virus and uses INT 21H function 31H in order to remain in the memory. Then it infects every COM or EXE file which is executed. *Every Sunday the virus will print on the screen: Today is SunDay ! Why do you work so hard ? All work and no play make you a dull boy ! Come on ! Let's go out and have some fun ! *This virus also steals Int 8 and may corrupt the FAT. The April 1st viruses (Type A and B) (4 varieties). ────────────────────────────────────────────────────────────────────────────── *The April 1st virus is also known as the TSR virus and the SURIV 1 - it only infects COM files. *The size of the virus is 897 bytes. *Discovered in Israel in July 1987. *It will remain resident in the memory, like the Friday 13th virus, but will not infect EXE files. *The virus is very easy to identify and therefore it is not very widespread - evry time the virus infects a new file it writes on the screen: YOU HAVE A VIRUS. on April 1st it writes: HA HA HA IT'S APRIL 1ST - YOU HAVE A VIRUS. *There are two types of April 1st virus, with slight differences in their codes. The April 1st D viruses (SURIV 2 & 3) (2 varieties). ────────────────────────────────────────────────────────────────────────────── *The April 1st D virus is also known as the SURIV 2, SURIV 3 or Jerusalem D virus, and it infects only EXE files. *The size of the virus is 1488 bytes. *It does not remain resident in the memory, like the other April 1st viruses, but operates using MCB's (Memory Control Blocks). *There are two types of virus with only slight differences in the first 16 bytes of the virus: SURIV 2.01 or SURIV 3.00. The rest of the code is exactly the same. The Typo COM files virus (1 variety). ────────────────────────────────────────────────────────────────────────────── *The Typo virus infects only COM files. *The size of the virus is 867 bytes. *It will remain resident in the memory using INT 21 function 31. *When an infected file is executed, the virus will search through all COM files in the current directory and infect every clean file. *This virus will mix some keystrokes at random, replacing the original keystroke with that which is immediately adjacent to it on the right. E.g. ';' instead of 'l', 's' instead of 'a' etc... *Very annoying!.... The Amstrad COM files virus (1 variety). ────────────────────────────────────────────────────────────────────────────── The Amstrad virus infects only COM files. Size: 850 Bytes (including 3 null bytes at the end). It will not stay resident and will not infect COMMAND.COM. When an infected file is being executed, the virus will search through all COM files in the current directory and infect a clean file. Inside the virus code there is an advertisement for AMSTRAD computers but a few varieties which were sent to us contaid various messages. The Oropax virus (1 variety). ────────────────────────────────────────────────────────────────────────────── *Also called the Music virus. *The Oropax virus infects only COM files. *The sizeof the virus is 2756-2806 bytes. *Infected files will always be divisible by 51. *The virus will infect COM files which are not divisible by 51 - except COMMAND. COM. *It will remain resident in the memory, and will infect files in the default directory when Int 21 functions: 13H, 16H, 17H, 39H, 3AH, 3CH, 3DH, 41H, 43H, 46H are called up. *These functions are called up by standard DOS commands (COPY, RD, MD, DEL, REN). *After a few minutes, randomly, ("decided" by the virus) the virus will play 3 different melodies with a 7 minute delay between them. The 640K COM files virus (1 variety). ────────────────────────────────────────────────────────────────────────────── *The 640K virus infects only COM files. *Also called the Stupid virus and the Do-nothing virus. *The size of the virus is 583 bytes. *It will stay in the memory by copying itself at the location 9800:0000. *For this reason the virus works on 640K systems only. *When an infected file is executed, the virus will search through all COM files in the current directory and infect one clean file. *This virus causes no harm to the computer itself. The MIXER 1 viruses (A & B) (2 varieties). ────────────────────────────────────────────────────────────────────────────── *The size of the virus is 1615 bytes, version A, or 1635 bytes, version B, (plus 0-15 bytes for paragraph alignment). *The MIXER 1 virus was discovered in Israel in August 1989. The name probably indicates that there are more MIXER viruses to come. *CARMEL Software Engineering was the first to find a complete solution to this virus. The virus was written in Israel and was found on Bulletin Boards. *This virus infects only EXE files. *Unlike the April 1st and the Friday 13th viruses it does not uses the INT 21H function 31H to remain in the computer's memory. *When executing a program it will mix the information being transferred through the parallel and serial ports (e.g. Ç instead of Æ,[ instead of ]). *At the end of the infected file the string MIX1 can be found. *When the CHKDSK program is executed, if the virus is in the memory the amount of memory reported is 2K less than the actual amount. The Alabama virus (1 variety). ────────────────────────────────────────────────────────────────────────────── *Also known as the 1560 virus. *One of the smartest and most destructive file viruses. *Discovered in Israel by CARMEL Software Engineering in September 1989. *Infects EXE files only. *The size of the virus is 1560 bytes exactly. *Like the MIXER 1 it does not use INT 21H function 31H to load itself in the memory. *Unlike the MIXER 1 it loads itself 30K below the highest memory location reported by DOS, BUT IT DOES NOT LOWER THE AMOUNT OF MEMORY reported by BIOS or DOS (this may cause big problems). *This virus steals INT 9 and checks the keyboard for the RESET combination keys (CTRL + ALT + DEL). It uses IN and OUT commands so that only experienced programmers know how to deal with this virus. *When it identifies this combination it will boot the computer using the Bootstrap routine and will keep lurking in the computer's memory. *After an hour of operation (the virus checks the hour in every INT 9 or 21 call) the following flashing boxed message will appear: SOFTWARE COPIES PROHIBITED BY INTERNATIONAL LAW Box 1055 Tuscambia ALABAMA USA. *Now for the worst part. The infection system is one of the smartest of all. *This virus does not infect the file which is currently being executed. First it checks the current directory for other uninfected files. If it finds a clean file it will infect it. Then when no further clean files remain, it will infect the file that is being executed. *Sometimes, when the virus finds a clean file, instead of infecting it, it will exchange it for the file that is currently being executed, but will not rename it. For example, the user may think that he is executing a DISKCOPY program but instead he is executing a FORMAT program. The 100 Years virus (COM & EXE) (2 varieties). ────────────────────────────────────────────────────────────────────────────── * Also known as the 4K, 4096, Frodo, hiding, and Century virus. * The smartest file viruses. * Discovered in Israel by CARMEL Software Engineering in October 1989. * Infects COM, EXE, Overlay and DATA files as well as COMMAND.COM. * The size of the virus is exactly 4096 bytes. * It does not use INT 21H function 31H to load itself in the memory. * It loads itself into the highest memory location reported by DOS, BUT IT DOES NOT LOWER THE AMOUNT OF MEMORY reported by BIOS. DOS reports about 6K less than BIOS (try CHKDSK). * When the virus is loading itself into the memory it looks for COMMAND.COM in the COMSPEC PATH and infects it. * The virus reports the infected files as their original size (4K less than they are). * The header of the infected files is changed - but when the virus is in memory it will show you the original data which is actualy at the end of the file where the virus begins. * It adds 100 years to the year stored in the directory. This does not appear in the DOS dir which shows only the 2 last digits of the year. * In this way the virus "knows" which file is infected and will reduce its size by 4K when executing a DIR command and will show the original file header instead of the current header. * This "hiding" trick is very very smart and it makes all the Anti-Virus utilities which look for changes in the files worthless. * Interrupt stealing is very smart and cannot be detected by any mapping utility (SMAP, SNOOP, PCTOOLS etc.). This will also bypass any warning utility which checks the interrupts for illegal viral actions. * The virus makes a single step in order to find the lowest memory location and to put itself before any other programs which are hooked to the interrputs which are used by it.. * The virus is encrypted and smart anti-debugging tricks are used. * In order to avoid detection by resident warning utilities, it takes a single step through INT 21 and checks for the lowest memory location that the system calls. It then hooks itself to the original 21 Interrupt. (It didn't have much success trying to "fool" TSAFE). * This virus may cause serious damage to infected files. The problem is that due to a bug - sometimes the virus infects files but does not update the directory information - year, size etc. This causes DOS to report a message : ERROR in EXE File. * This problem can be solved only by running CHKDSK/F and then performing the Turbo Anti-Virus cleaning procedure. * This virus also infects Data files (Lotus 123 SET file, DBASE DBF files etc.) which can be restored by the regular cleaning procedure of Turbo Anti-Virus. Just use the /A option in order to check all files in your disks - also data files. * From September 22nd 1990 - all infected program will hang the computer immediatlly after loading into memory. The Vienna viruses (versions A, B, C & D) (4 varieties). ────────────────────────────────────────────────────────────────────────────── *Also known as the DOS 62 seconds virus and the 648 virus. *Discovered in Israel by CARMEL Software Engineering in November 1989. *Infects COM files only, including COMMAND.COM. *The size of the virus is 648 bytes. *Unlike other file viruses, this one will not load itself into the memory. *When an infected file is executed - the virus searches in the current PATH for a clean file and infects it. An infected file can be identified as the seconds are switched to 62. *This virus will destroy files randomly by removing the first 5 bytes, and replacing them with a jump which will reboot the computer. *This will happen whenever the 7 AND (assembler command) System time in seconds equals zero. The Lisbon virus (1 variety). ────────────────────────────────────────────────────────────────────────────── *Also known as the DOS 62 (Lisbon). *Infects COM files only, including COMMAND.COM. *The size of this virus is 648 bytes. *This virus is almost the same as the Vienna virus. The Pretoria virus (1 variety). ────────────────────────────────────────────────────────────────────────────── * Also known as the South Africa and the June 16th virus. * Infects COM files only, including COMMAND.COM and even IBMBIO.COM. * If the virus infect SYSTEM files such as the IBMBIO.COM the disk will no longer be bootble and it is necessery to run the SYS utility in order to fix the system files again. * The size of this virus is 879 bytes. * It will not load itself into the memory. * On June 16th all files in the ROOR directory will be renamed to ZAPPED. The Christmas virus (1 variety). ────────────────────────────────────────────────────────────────────────────── * Also known as the XA1 virus. * Infects COM files only. * The size of this virus is 1539 bytes. * It will not load itself into the memory. * On April 1st it will destroy the FAT. * From December 24th to January 1st it will draw a picture of a Christmas Tree. The Sylvia virus. (1 variety) ────────────────────────────────────────────────────────────────────────────── *Also known as the Netherlands Girl virus. *Infects COM files only (excluding COMMAND.COM). *The size of the virus is 1332/1301 bytes. *It loads itself into the memory with MCB's. *The virus changes the current drive to drive 'C:'.It infects all the files in the C root directory, current directory and files being executed. *Some of the files may be destroyed and only the virus program (1332 bytes) will remain in place of the lost file. *The virus will disable write-protect messages. *A girl's name (Sylvia) and her address are in the virus asking you to send a funny postcard and in return you will be sent an anti-virus (for this virus). *We didn't try - we didn't have to! The DataCrime A virus (1 variety). ────────────────────────────────────────────────────────────────────────────── *Also known as the 1168 virus and Columbus day virus. *Infects COM files only. *The size of the virus is 1168 bytes. *It loads itself into the memory with MCB's. *On October the 12th it will write on the screen: 1 MARCH 1989, DATACRIME VIRUS and then will format your hard disk (first track - that is enough!). *A very nasty virus which has caused much trouble and panic all over the world. The DataCrime B virus (1 variety). ────────────────────────────────────────────────────────────────────────────── *Also known as the 1280 virus and Columbus day virus. *Almost the same as DATACRIME A. *Beware of other anti-viruses which identify only the DATACRIME A, they might crash your files 'thinking' DATACRIME B is DATACRIME A. The DataCrime C virus (COM & EXE) (2 varieties). ────────────────────────────────────────────────────────────────────────────── *Also known as the Columbus day virus and DataCrime II-A. *Infects COM & EXE files. *The size of the virus is 1514 bytes. *This virus is encrypted, it will stick to any executable file (including COMMAND.COM) which is smaller than 60K (approx.). *It will infect files on drives A, B and C only; other drives are safe. *Every time an infected file is executed, the virus will look through all the directories for clean files in drives A, B and C and will infect the first clean file it finds. *When the virus infects a file it will perform a sector alignment - leaving garbage at the end of the file. *On October the 12th it will write on the screen: ┌───────────────────────────────┐ │ 1 MARCH 1989, DATACRIME VIRUS │ └───────────────────────────────┘ and then will format your hard disk (first track -that is enough!). *A very nasty virus which has caused much trouble and panic all over the world. The Syslock (COM) (1 variety). ────────────────────────────────────────────────────────────────────────────── *Also known as the 3551 virus. *Infects COM files. *The size of the virus is 3551 (+0-15 paragraph alignment) bytes. *This virus is encrypted, it will stick to any executable COM file (including COMMAND.COM). *It will not load into the memory. *It will infect files on the default drive only, other drives are safe. *Every time an infected file is executed, the virus will look through all the directories for clean files in the default drive and will infect a clean COM file, at random. *When the virus infects a file it will perform a paragraph alignment - leaving garbage at the end of the file. *At random it will cause a DOS error alarm: Error writing to device AUX The MachoSoft virus (COM) (1 variety). ────────────────────────────────────────────────────────────────────────────── *Infects COM files. *The size of the virus is 3551 (+0-15 paragraph alignment) bytes. *This virus is encrypted, it will stick to any executable COM file (including COMMAND.COM). *The structure and encryption method are the same as in the Syslock virus. *It will not load into the memory. *It will infect files on the default drive only, other drives are safe. *Executing the command VIRUS=OFF will stop the virus action and infection unless the COMMAND.COM file is infected. In this case every time the system boots and loads COMMAND.COM another file will be infected. *Every time an infected file is executed, the virus will look through all the directories for clean files in the default drive, and will infect a clean COM file at random. *When the virus infects a file it performs a paragraph alignment - leaving garbage at the end of the file. *The virus will create a "hidden/read only" file which is called IBMIONET.SYS. *When an infection takes place, the virus reads 20 sectors (using int 25) and stores the number of the last sector in the file. *Then it looks for the string "Microsoft" inside the sectors and changes the "Microsoft" into "Machosoft". After that it writes the 20 sectors back with the changes. *This virus has big problems with DOS 4. The Ghost File virus (1 variety). ────────────────────────────────────────────────────────────────────────────── *Also known as the 2351 virus. *Infects COM files only. *The size of the virus is 2351 bytes. *This virus will stick to any executable COM file (excluding COMMAND.COM). *The seconds in the time field of the file are changed to 62 as in the Vienna viruses. *Every 8th file will be permanently damaged. *Every time an infected file is executed, the virus will look for clean files in the default directory and will infect a clean COM file. *When an infected file is executed the virus will look for a 360K floppy in drive A and will infect the boot sector of this disk with a Boot virus which is very similar to the Ping-Pong virus but does not have an infection routine. The 1260 File virus (1 variety). ────────────────────────────────────────────────────────────────────────────── *Infects COM files only. *The size of this virus is 1260 bytes. *This virus is a variety of the Vienna (62 Seconds) virus. *It changes the seconds in the directory to 31 (instead of 62), in order to identify an infected file. Every file with 31 seconds in the directory time field will not become infected. *The virus looks for clean files to infect through the DOS PATH. *This virus does not remain in the memory. *This virus will stick to any executable COM file (excluding COMMAND.COM). *It is encrypted and the description routine is changed at random in order to confuse the search routines. (It didn't have any success with us,but it certainly gave us a good fight. We consider it the hardest virus to search for, since there is nothing constant in the virus code). *Simple Anti-Debugging tricks can be found but not as clever as we found in the 100 Years virus. The 2930 File virus (2 varieties). ────────────────────────────────────────────────────────────────────────────── *Also called the Spanish virus. *Infects COM & EXE files including COMMAND.COM. *The size of the virus is 2930 bytes. *Steals INT 24H in order to avoid READ\WRITE error reports. *Looks for one executable file, infects it and then remains in the memory using INT21H function 31H. *While in the memory it will infect any file being executed. *Uses simple Anti-Debugging tricks. The Traceback File virus (2 varieties). ────────────────────────────────────────────────────────────────────────────── *Also called the 3066. *Infects COM & EXE files including COMMAND.COM. *The size of the virus is 3066 bytes. *This virus is almost identical to the 2930 virus and one of them was probably based on the other. *It steals INT 24H in order to avoid Read \ Write error reports. *It looks for one executable file, infects it and then remains resident using INT 21H function 31H. *While in the memory, it will infect any file which is executed. *Uses simple Anti-Debugging tricks. The 1720 File virus (2 varieties). ────────────────────────────────────────────────────────────────────────────── *Also called the Spanish II virus. *Infects COM & EXE files excluding COMMAND.COM. *The size of the virus is 1720 bytes including a 5 byte signature. *Signature at the end of the file is: "=PSQR" *When the signature is present - file will not be infected. *It looks for one executable file, infects it and then remains resident using INT 21H function 31H. *While in the memory, it will infect any file which is executed. *EXE files may be damaged immediately after infection - last 30 bytes are totaly destroyed. The ZeroBug File virus (2 varieties). ────────────────────────────────────────────────────────────────────────────── *Also called the Pallete and the 1536 virus. *Infects COM & EXE files excluding COMMAND.COM. *The size of the virus is 1536 bytes. *While in the memory, it will infect any file which is executed. *While in memory - infected files size is shown to be 1536 bytes less - as it was before the infection. *After a while - a bug will apear on the screen and will start eating all the zero characters. Very funny... The JOJO File virus (1 variety). ────────────────────────────────────────────────────────────────────────────── * Infects COM files only including COMMAND.COM. * The size of the virus is 1701 bytes. * This virus will stick to any executable COM file (including COMMAND.COM) which is smaller than 63800 bytes. * This virus randomly destroys the first tracks of every drive which it infects. * The virus remains in the memory by using memory control blocks. * Inside the virus the following strings can be found: Welcome to the JOJO virus. and Fuck the system (c) - 1990 * This virus was sent to us by Eran Livne from Israel who won a Regsitered version of Turbo Anti-Virus. Thank you Eran... The 1701 File virus (1 variety). ────────────────────────────────────────────────────────────────────────────── *Also known as the Cascade, Falling tears, Herbist, Autumn leaves virus. *Infects COM files only. *The size of the virus is 1701 bytes. *This virus will stick to any executable COM file (including COMMAND.COM) which is smaller than 63800 bytes. *This virus was designed to operste on IBM PC clones only and on IBM PC original systems. *However there is a bug in the program which causes the virus to be activated on any system. *The virus remains in the memory by using memory control blocks. *It is activated randomly and only in the years 1980 and 1988 in September, October, November and December (Autumn). *When the virus is activated - the letters start falling to the bottom of the screen (CGA, EGA, VGA cards & monitors only). *The virus is encrypted. *This virus was sent to us by Yuval Tal from Israel who won a Regsitered version of Turbo Anti-Virus. Thank you Yuval... The 1704-A File virus (1 variety). ────────────────────────────────────────────────────────────────────────────── *Also known as the Cascade, Blackjack ,Falling tears, Autumn leaves virus. *Infects COM files only. *The size of the virus is 1704 bytes. *This virus will stick to any executable COM file (including COMMAND.COM) which is smaller than 63800 bytes. *The bug in the virus program (which causes it to be activated on any system) has been fixed. *The virus remains in the memory by using memory control blocks. *It is activated randomly and only in the years 1980 and 1988 in September, October, November and December (Autumn). *When the virus is activated - the letters start falling to the bottom of the screen (CGA, EGA, VGA cards & monitors only). *The virus is encrypted. The 1704-B File virus (1 variety). ────────────────────────────────────────────────────────────────────────────── *Also known as the Cascade, Falling tears, Autumn leaves virus. *Infects COM files only. *The size of the virus is 1704 bytes. *This virus will stick to any executable COM file (including COMMAND.COM) which is smaller than 63800 bytes. *The bug in the virus program (which causes it to be activated on any system) has been fixed. *The virus remains in the memory by using memory control blocks. *It is activated randomly and only in the years 1980 and 1988 in September, October, November and December (Autumn). *When it is activated - the letters start falling to the bottom of the screen (CGA, EGA, VGA cards & monitors only). *The virus is encrypted. The 1704-C File virus (1 variety). ────────────────────────────────────────────────────────────────────────────── *Also known as the Cascade, Falling tears, Autumn leaves virus. *Infects COM files only. *The size of the virus is 1704 bytes. *Almost the same as the 1704-A. The 1704-Format File virus (1 variety). ────────────────────────────────────────────────────────────────────────────── *Also known as the Cascade, Falling tears, Autumn leaves virus. *Infects COM files only. *The size of the virus is 1704 bytes. *Almost the same as the 1704-A. *This virus will also format hard disks - be careful. *The virus is encrypted. The 17Y4 File virus (1 variety). ────────────────────────────────────────────────────────────────────────────── *Also known as the Cascade, Falling tears, Autumn leaves virus. *Infects COM files only. *The size of the virus is 1704 bytes. *Almost the same as the 1704-A. The Dark Avenger virus (COM & EXE) (2 varieties). ────────────────────────────────────────────────────────────────────────────── *Infects COM & EXE files. *The size of the virus is 1805 bytes (+0-15 bytes for paragraph alignment). *It loads itself into the memory with MCB's. *The virus writes to the boot sector and does other bad things with the FAT. *Uses simple Anti-Debbuging tricks. *The virus contains the message: Eddie lives somewhere in time. The FU-Manchu A virus (COM & EXE) (2 varieties) ────────────────────────────────────────────────────────────────────────────── *Also called the 2086 virus. *Infects COM & EXE files. *The size of the virus is 2086 bytes. *It loads itself into the memory with MCB's. *The funniest virus we have ever received. *It steals interrupts 21 (DOS), 9 (Keyboard), and 16 (Keybard). *Int 16 will be installed only after August 1989. *This virus will do the following things: -When CTRL+ALT+DEL are pressed it will write the message: The World will hear from me again !!! -When you type : 'fuck' it will be erased. -When you type : 'waldheim' it will continue - 'is a nazi.' -When you type : 'thacher' it will continue - 'is a cunt.' -When you type : 'reagen' it will continue - 'is an arshole.' -When you type : 'FuManchu' it will continue - 'virus date:' etc... *As you can see, the author of the virus didn't know English very well. The Icelandic viruses (2 varieties). ────────────────────────────────────────────────────────────────────────────── *Infects EXE files only. *The size of the virus is 652 bytes (+0-15 bytes for paragraph alignment). *It loads itself into the memory with MCB's. *The virus infection system is very much like the MIXER's viruses and probably the MIXER's author copied it from this virus since it is older. *It will copy itself at the end of the memory and lower the amount of memory reported by DOS by 2K (CHKDSK). *The first version of this virus will infect every 10th file executed which is the reason why it is not very popular; the second version will infect any file, but this is the only difference between them. *The virus will mark one bad cluster in the FAT of the infected disk. The Icelandic II viruses (1 varieties). ────────────────────────────────────────────────────────────────────────────── *Infects EXE files only. *The size of the virus is 632 bytes (+0-15 bytes for paragraph alignment). *It loads itself into the memory with MCB's. *The virus infection system is very much like the MIXER's viruses and probably the MIXER's author copied it from this virus since it is older. *It will copy itself at the end of the memory and lower the amount of memory reported by DOS by 2K (CHKDSK). *The first version of this virus will infect every 10th file executed which is the reason why it is not very popular; the second version will infect any file, but this is the only difference between them. *The virus will mark one bad cluster in the FAT of the infected disk. The Saratoga virus (1 variety). ────────────────────────────────────────────────────────────────────────────── *Infects EXE files only. *The size of the virus is 640 bytes (+0-15 bytes for paragraph alignment). *It loads itself into the memory with MCB's. *This virus is almost identical to the Icelandic virus. *It will copy itself at the end of the memory and lower the amount of memory reported by DOS by 2K (CHKDSK). *This version of the virus will infect every 2nd file executed. *The virus will mark one bad cluster in the FAT of the infected disk. The 405 virus (1 variety). ────────────────────────────────────────────────────────────────────────────── *Infects / Overwrites COM files only. *This virus will destroy the infected file and will replace it by 405 bytes of code. *More of a Trojan horse than a virus... The 512 virus (1 variety). ────────────────────────────────────────────────────────────────────────────── *Infects / Destroys COM files only. *The size of the virus is 512 bytes (the file size will not grow). *Remains in the memory. *This virus will overwrite itself (512 bytes) at the beginning of the file, destroying the previous code which was there. *More of a Trojan horse than a virus... The Aids virus (1 variety). ────────────────────────────────────────────────────────────────────────────── *Also known as the Hahaha and Taunt virus. *Infects / Overwrites COM and EXE files. *When activated the virus displays the message: Your computer now has AIDS, and hangs the computer. (That's it, stuck dead.) *The virus overwrites the first 13K of the infected file - destroying the original data with no way to rebuild the file. The Perfume virus (1 variety). ────────────────────────────────────────────────────────────────────────────── Size: 768 bytes. It infects only COM files (excluding COMMAND.COM). Stays resident by replicating itself to the end of memory (1024 bytes). While in memory - infects every file which is being executed. This virus was sent to us by Mr. Arieh Goretsky from MacAffe Co USA. The Yankee Doodle 1 virus (2 varieties EXE & COM). ────────────────────────────────────────────────────────────────────────────── * Size: 2890 (+0-15 bytes for paragraph alignement) bytes. * It infects COM & EXE files (excluding COMMAND.COM). * Stays resident in memory using MCB's . * While in memory - infects every file which is being executed. * At 17:00, if the virus is in memory - It will start playing the Yankee Doodle melody. * Staels interrupts 1,3,1CH,21H and 24H (during infection only). * Virus uses Sinlge step in order to locate the original INT 21H address. * Virus can repair it self if it finds that an Anti-Virus tried to disable it in memory (Didn't help it self much when we aliminated it). * This virus is a part of the family of other Doodles and Vacisnas viruses which are capable of identifing each other and remove an older version of the virus before infecting it with a new version. the number of version cam be seen at the end of the file. * This virus was delivered to us at the CeBIT 90' fair by Pavel Baudis from CZECHOSLOVAKIA who won a Registered version of Turbo Anti-Virus. Thank you Pavel... The Yankee Doodle 2 virus (2 varieties EXE & COM). ────────────────────────────────────────────────────────────────────────────── * Size: 2940 (+0-15 bytes for paragraph alignement) bytes. * It infects COM & EXE files (excluding COMMAND.COM). * Stays resident in memory using MCB's . * While in memory - infects every file which is being executed. * At 17:00, if the virus is in memory - It will start playing the Yankee Doodle melody. * Almost the same as the other Yankee Doodle viruses. The Yankee Doodle 3 virus (2 varieties EXE & COM). ────────────────────────────────────────────────────────────────────────────── * Size: 2772 (+0-15 bytes for paragraph alignement) bytes. * It infects COM & EXE files (excluding COMMAND.COM). * Stays resident in memory using MCB's . * While in memory - infects every file which is being executed. * At 16:59:57, if the virus is in memory - It will start playing the Yankee Doodle melody. * Almost the same as the other Yankee Doodle viruses. * This virus was delivered to us at the CeBIT 90' fair by users from East Europe. The Haloechen virus (2 varieties EXE & COM). ────────────────────────────────────────────────────────────────────────────── * Size: 2011 (+0-15 bytes for paragraph alignement) bytes. * It infects COM & EXE files (excluding COMMAND.COM). * Stays resident in memory using MCB's (not with Int 21H or 27H). * While in memory - infects every file which is being executed. The Vacsina v5 virus (2 varieties EXE & COM). ────────────────────────────────────────────────────────────────────────────── * Size: 1217 bytes ,EXE file - 132 additional bytes. * It infects COM & EXE files (excluding COMMAND.COM). * Stays resident in memory using MCB's . * While in memory - infects every file which is being executed. * Infects EXE files with Entry point of 0000:0000. * It infects EXE files in 2 stages: 132 bytes and than 1217 bytes. * EXE file are infected by placing a jump at the head of the file instead of the 'MZ' EXE file identifier. * At the end of the virus there is a number which indicates the version of the virus. * New versions wii identify old versions and will replace them instead of infecting the file again. * This virus is a part of the family of other Doodles and Vacisnas viruses which are capable of identifing each other and remove an older version of the virus before infecting it with a new version. the number of version cam be seen at the end of the file. * This virus was delivered to us at the CeBIT 90' fair by users from East Europe. The Vacsina v16 virus (2 varieties EXE & COM). ────────────────────────────────────────────────────────────────────────────── * Size: 1350 bytes, EXE file - 132 additional bytes. * Almost the same as Vacsina v5. The Vacsina v24 virus (2 varieties EXE & COM). ────────────────────────────────────────────────────────────────────────────── * Size: 1760 bytes bytes. * It infects COM & EXE files (excluding COMMAND.COM). * Stays resident in memory using MCB's . * While in memory - infects every file which is being executed. * EXE files larger than 62K will not be infected. * EXE file are infected by placing a jump at the head of the file instead of the 'MZ' EXE file identifier. * At the end of the virus there is a number which indicates the version of the virus. * New versions will identify old versions and will replace them instead of infecting the file again. * This virus is a part of the family of other Doodles and Vacisnas viruses which are capable of identifing each other and remove an older version of the virus before infecting it with a new version. the number of version cam be seen at the end of the file. * This version of vacsina steals INT 9 (keyboard) and when the ALT-CTRL-DEL combination is pressed - it plays the Yankee Doodle melody. * This virus was sent to us by the virus hunter Mr. Szegedi Imre from Budapest, Hungary. The Aids Information Trojan (1 variety). ────────────────────────────────────────────────────────────────────────────── * This hard disk "eater" is not a virus but a Trojan. * It was released on December 1989 and was spread by an unknown company named Cyborg from Panama. This company invested 150,000 U.S.$. in order to send thousands copies of the disk which contained the Trojan. * The disk contains two files. The first one is the file AIDS.EXE which is a big database of information about the Aids virus (not the computer virus). The other file is an INSTALL utility which must be executed to install the AIDS file on a computer system which includes a Hard-Disk, otherwise the AIDS file will not run. * During the installation, the AUTOEXEC.BAT file is changed to AUTO.BAT file and a new AUTOEXEC.BAT file is written by the INSTALL utility. * After 90 reboots of the system - the disk is reformated by the program. The Taiwan virus (1 variety). ────────────────────────────────────────────────────────────────────────────── * Also known as the sunny virus. * Infects COM files only, including COMMAND.COM. * Size: 743 bytes. * This virus will not load itself into memory. When an infected file is being executed - the virus searches in C drive a clean file and then infects it. * It will place itself instead of the 743 first bytes of the file and the code which was there before will be transfered to the end of the file. The DBASE virus (1 variety). ────────────────────────────────────────────────────────────────────────────── Size: 768 bytes. It infects only COM files (excluding COMMAND.COM). Stays resident by replicating itself to the end of memory (1024 bytes). While in memory - infects every file which is being executed. This virus was sent to us by Mr. Arieh Goretsky from MacAffe Co USA. The V2000 virus (2 varieties). ────────────────────────────────────────────────────────────────────────────── Size: 2000 bytes. It infects COM & EXE files (excluding COMMAND.COM). Stays resident by replicating itself to memory without using INT 21H. While in memory - infects every file which is being executed. This virus was sent to us by the virus hunter Mr. Szegedi Imre from Budapest, Hungary. The Victor virus (2 varieties). ────────────────────────────────────────────────────────────────────────────── * Also called the Ivan virus. * Size: 2442 bytes. * It infects COM & EXE files (excluding COMMAND.COM). * Stays resident by replicating itself to memory without using INT 21H. * While in memory - infects every file which is being executed. * This virus was sent to us by the virus hunter Mr. Szegedi Imre from Budapest, Hungary. The Friday 13th 1 COM virus (1 variety). ────────────────────────────────────────────────────────────────────────────── * Also known as the South Africa 2 and virus-B. * Infects COM files only, including COMMAND.COM and even IBMBIO.COM. * The size of this virus is 425 bytes. * It will not load itself into the memory. * Infects all clean files in the current directory. The Friday 13th 2 COM virus (1 variety). ────────────────────────────────────────────────────────────────────────────── * Also known as the South Africa 2 and virus-B. * Infects COM files only, including COMMAND.COM and even IBMBIO.COM. * The size of this virus is 549 bytes. * It will not load itself into the memory. * Infects all clean files in the current directory. The VP virus (1 variety). ────────────────────────────────────────────────────────────────────────────── * Infects COM files only, including COMMAND.COM and even IBMBIO.COM. * The size of this virus is 904 bytes. * It will not load itself into the memory. * In the first 16 bytes of the infected file - the 2 letters VP can be found. * The virus writes to the boot sector of every drive in the system thses 2 bytes (VP). The Barcelona virus (1 variety). ────────────────────────────────────────────────────────────────────────────── * Infects EXE files only. * The size of this virus is 1157 (+0-15 bytes for paragraph alignement). * It will not load itself into the memory. * Infects one clean file in the current directory. * If infection fails - the virus will delete the file. * The virus is encrypted. * The word Barcelona can be found after the decription. The Lehigh viruses (2 varieties). ────────────────────────────────────────────────────────────────────────────── * One of the first viruses for PC computers working under DOS. * Detected for the first time at the Lehigh University. * Infects only, COMMAND.COM. * COMMAND.COM file will not grow. * Virus locate the stack area inside the COMMAND.COM and put itself inside avoiding by this the growing of the file. * Load itself into the memory and steals INT 21 (using INT 44 instead). * Will look for the COMMAND.COM file at the current drive ROOR directory. * Version #2 of this virus is known as a DISK formatter. The 5120 virus (2 varieties). ────────────────────────────────────────────────────────────────────────────── * Also called the BASIC virus. * Infects COM & EXE files - excluding COMMAND.COM. * The size of this virus is 5120 (+0-15 bytes for paragraph alignement). * It will not load itself into the memory. * Infects all clean file in the current directory and looks for clean files on drive C through all directories. This action takes a lot of time. * From April 1st 1992 - All infected files will stop running and the message : "Access Denied" will be displayed. * Inside the virus code - the word BASRUN can be found. * This virus was sent to us by Alfred Manthy Rojan from West Germany, who got a registered Turbo Anti-Virus package free of any charge. Thank you Alfred... The 8 Tunes virus (2 varieties). ────────────────────────────────────────────────────────────────────────────── * Infects COM & EXE files - excluding COMMAND.COM. * The size of this virus is 1971 (+0-15 bytes for paragraph alignement). * It willload itself into the memory. * Infects every clean file which is being executed. * When the day comes it will play one of the 8 Tunes which it "knows" ────────────────────────────────────────────────────────────────────────────── These are the 108 types of file viruses (identification and safe elimination). ────────────────────────────────────────────────────────────────────────────── Boot Infecting Viruses ──────────────────────── The Ping-Pong virus (A, B, C, D) (4 varieties). ────────────────────────────────────────────────────────────────────────────── *The first Boot Sector virus to be discovered in Israel. *It is also called the Bouncing Ball, and the Italian virus. *This is a "nice" virus (in comparison with the others), which infects the DOS boot sector of floppy and hard disks. *Every time the computer is booted from an infected diskette the memory will retain the virus. *While booting, the virus loads itself at the end of the memory (as reported by BIOS) and lowers the amount of reported memory by 2K. *After a while, a bouncing ball will appear on the screen and will not stop until the computer is rebooted. *The infection is very quick and by simply executing a DIR command on a clean diskette it will become infected. *When mapping an infected disk (e.g. with PCTOOLS) one cluster is marked as bad whereas actually the original boot sector was placed there by the virus program. *A new variety of the Ping-Pong virus was identified in March 1990. *This variety will not lower the memory size (BIOS) by 2K but will set the size to a constant value. The MisSpeller virus (1 variety). ────────────────────────────────────────────────────────────────────────────── *Also known as the Typo virus. *The MisSpeller virus is an Israeli mutation of the Ping-Pong virus. *90% of the boot system is exactly the same as the Ping-Pong, which caused some Anti-Virus programs to destroy disks because they identified the virus as the Ping- Pong. *However, Turbo Anti-Virus(tm) recognized that it was a new virus and did not destroy the disk, due to smart and careful virus elimination and data recovery techniques. *The MisSpeller also infects the DOS Boot sector and loads itself at the end of the memory during booting. *The amount of memory is lowered by 2K exactly as with the Ping-Pong virus. *This virus, however, will not simply bounce a "nice" ball on your screen. *The minute it loads itself, it will start mixing the data which is being transferred through the parallel port. *English, Hebrew and digits are mixed up in order to cause great confusion (V is mixed with W, C with K, J with G, Ç with Æ, ç with ï, etc..). The Disk Killer virus (1 variety). ────────────────────────────────────────────────────────────────────────────── Also known as the Ogre virus. The Disk Killer infects the DOS Boot sector and loads itself to the end of memory during boot. The amount of memory is lowered by 8K. The virus size is 3 clusters which are marked as BAD in the FAT. Due to a BUG in the virus code other clusters are incorrectly marked as BAD instead of the right ones. The virus may also put himself on top of a file - destroying it while it does so. A counter inside the virus checks for the number of disks which it has infected and than formats the Hard-Disk. A very destructive virus. The Stoned virus (version A and B) (3 varieties). ────────────────────────────────────────────────────────────────────────────── *The stoned virus was discovered in Israel by CARMEL Software Engineering in September 1989. *Also known as the Marijuana virus and the New-Zealand virus. *It is a very destructive virus which infects the Boot Sector. *No bad clusters are marked when this virus infects a disk. *When booting from an infected disk - it will sometimes display the message: Your PC is Stoned - LEGALIZE MARIJUANA. *This little virus loads itself, while booting, at the end of the memory and lowers the amount of memory reported by BIOS by 2K (like the PING-PONG and MisSpeller viruses). *It will save the original boot sector in TRACK 0, SIDE 1, SECTOR 3 on floppies, and in TRACK 0, SIDE 0, SECTOR 7 on hard disks. *This virus will not save the data which was in that sector before the infection, causing great damage to the directory and FAT. *There are at least 5 versions of the Marijuana\Stoned virus. The Yale virus (2 varieties). ────────────────────────────────────────────────────────────────────────────── *Also known as the Alameda and Merritt virus. *This virus will infect 360K floppy disks only (not hard disks). *When a clean diskette is inserted in the drive and the computer is booted using CTRL+ALT+DEL the virus will infect it. *The virus stores the original boot sector at track 39 sector 8 head 0, destroying the data which was there before the infection occurred. *The virus will not cause any other damage. The Ghost Boot virus (1 variety). ────────────────────────────────────────────────────────────────────────────── *This virus is not a regular one. Actually it is not a virus at all. *The Ghost Boot virus is planted by the Ghost file virus on a 360K floppy disk which is situated in drive A at the time of execution. *It is very much like the ping-pong virus but it does not have an infection routine and therefore it will only load into the memory and will not infect other disks. *This virus can be found in 360K floppies only (not in hard disks). *The virus stores the original boot sector at track 39 sector 9 head 1, destroying the data which was there before infection occurred. *The virus will not cause any other damage. The Den-Zuk virus (1 variety). ────────────────────────────────────────────────────────────────────────────── *The Den-Zuk virus infects 360K floppy disks only. *It loads itself at the end of the memory and lowers the amount of memory reported by BIOS by 7K. *The virus stores the original boot sector at track 40 head 0, which it formats in a non-standard format (sectors 33-42 instead of 1-9). *This virus looks for the Brain virus in the boot sector before infection takes place. If it finds the Brain virus - it will save the Boot sector which was saved by the Brain virus and not the current boot sector. *When the virus is in the memory - any clean floppy disk which is inserted in disk drive A or B will become infected. *The virus steals interrupts 13 (DISK I/O) and 9 (Keyboard). *When the ALT-CTRL-DEL keys are used to boot the system,the virus will show the Den-Zuk logo, on a graphic screen only (a nice picture!). *The virus will not cause any other damage. The Pakistani Brain viruses (regular, version 9.00 and Ashar) (3 varieties). ────────────────────────────────────────────────────────────────────────────── *This virus was the second boot-sector virus discovered in Israel (after the Ping-Pong virus). It is a little bigger, and uses some smart tricks. *Like all boot-sector viruses, the Brain virus infects a disk by changing the boot-sector, so that when the system is booted from an infected diskette, the virus is loaded into the memory, even before the system is operated. The virus itself is located in sectors marked as "bad sectors" on the disk, which take 3K bytes from the free sectors of the disk. *The Brain virus can be easily recognized because the boot-sector of an infected disk contains a message dedicating it to "all the viruses which are no longer with us". Some versions of the Brain virus even contain the address and phone number of the authors who wrote the virus! *One of the easiest ways to recognize this virus is that on an infected system disk, the volume label is changed to "Brain". (You can see it with a simple 'dir' command on the infected disk). *To make it harder to destroy the Brain virus uses a very smart trick - If the virus is in the computer's memory (after being booted from an infected disk), each time the computer tries to read or write to the boot sector - the virus uses the original boot sector! This means that you cannot just write a normal boot-sector on the infected disk in order to destroy the virus, because the virus will not allow this! (This method will work on the Ping- Pong virus, but then the bad sectors on the disk will be lost, so it is not recommended). *In order for the computer's memory to become infected, it has to be booted from an infected disk. However once the virus is in the memory -any diskette that is inserted in the disk drive will become infected! It is enough to type "A:" or "DIR A:" to infect the diskette in drive A. ────────────────────────────────────────────────────────────────────────────── These are the 16 types of Boot Sector / Partition table viruses. ────────────────────────────────────────────────────────────────────────────── Turbo Anti-Virus will also detect the following file viruses: * Doodle B * Kennedy * AIDS II * Amoeba 1392 * Agiplan * Eddie 2 (Dark Avenger 2) * Pixel 1 * Pixel 2 * Polish virus * 1210 virus * 1559 virus * VComm virus * ItaVir * Solano * 12 Tricks Trojan A * 12 Tricks Trojan B * Joker * Icelandic 3 * Virus-90 * Jerusalem 1 (Friday 13th variety). * Jerusalem 2 (Friday 13th variety). * Vacsina X. * Devil's Dance * DataCrime D COM (DataCrime II-B) ────────────────────────────────────────────────────────────────────────────── These are the 24 FILE-Infecting viruses (identification - no elimination). ────────────────────────────────────────────────────────────────────────────── Turbo Anti-Virus will also detect the following boot viruses: * Korea * EDV * Pentagon. * Ohio. * Falling letters / Israeli BOOT. * Chaos ────────────────────────────────────────────────────────────────────────────── These are the 6 BOOT viruses (identification - no elimination). ────────────────────────────────────────────────────────────────────────────── ┌────────────────────────────────────────────────────────┐ │ Send us new viruses (including those viruses which │ │ are only identified) and win a FREE registered version │ │ of Turbo Anti- Virus with 12 months guarantee. │ └────────────────────────────────────────────────────────┘ Total Viruses 108 File viruses Identification & Elimination. 16 Boot viruses Identification & Elimination. 24 File viruses Identification. 6 Boot viruses Identification. Total of 154 viruses ────────────────────────────────────────────────────────────────────────────── For more details, or to place an order, please ask your local software dealer about Turbo Anti-Virus(tm). or Contact us directly. USA Main Office: CARMEL Software Engineering 177 Palisade Av. Cliffside Park. New-Jersey 07010 USA. TEL: 201-945-5751 FAX: 201-945-9029 Eli Shapira & Yuval Sherman CARMEL Software Engineering - END -