The Hacker's Encyclopedia 1998

home *** CD-ROM | disk | FTP | other *** search

/ The Hacker's Encyclopedia 1998 / hackers_encyclopedia.iso / pc / virus / msdvir.192 < prev next >

Wrap

Text File | 2003-06-11 | 62.6 KB | 1,070 lines

======================================================================= == Computer Virus Catalog Index == == *** 99 MsDos Viruses *** == == *** 4 MsDos Trojans *** == ======================================================================= == Status: January 31, 1992 (Format 1.2) == == Classified:15 MSDOS-Viruses (MSDOSVIR.A89: 62kByte): Nov. 15,1989 == == +17 MSDOS-Viruses (MSDOSVIR.290: 54kByte): Feb. 15,1990 == == +24 MSDOS-Viruses (MSDOSVIR.690: 51kByte): June 20,1990 == == + 7 MSDOS-Viruses == == + 2 MSDOS Trojans (MSDOSVIR.790: 28kByte): July 20,1990 == == + 9 MSDOS-Viruses == == + 1 MSDOS Trojan (MSDOSVIR.291: 43kByte): Feb. 14,1991 == == +12 MSDOS-Viruses (MSDOSVIR.791: 71kByte): July 15,1991 == == + 1 MSDOS Trojan == == =NEW=> +15 MSDOS-Viruses (MSDOSVIR.192: 64kByte): Jan. 31,1992 == ======================================================================= == MsDos: 99 Viruses and 4 Trojans in Computer Virus Catalog: =Doc= == ---------------------------------------------------------- =---= == 1) Advent Virus (Syslock Strain)=290= == 2) AIDS = AIDS Info Disk = PC Cyborg Trojan =291= == 3) Ambulance Car = REDX Virus =790= == + 4) Amilia Virus (Murphy Strain)=192= == 5) Amstrad Virus (Amstrad Strain)=690= == + 6) AntiCAD-4096 = Invader Virus (Jerusalem/AntiCAD Strain)=192= == 7) Anti Pascal = AP-605 = V605 Virus (Anti-Pascal Strain)=690= == 8) Autumn Leaves=Herbst=1704=Cascade A Virus(Cascade Strain)=A89= == 9) Autumn Leaves B= "1701"=Cascade B Virus (Cascade Strain)=A89= == 10) AZUSA Virus =791= == 11) Bouncing Ball = Italian = Ping Pong= Turin Virus =A89= == 12) Cancer Virus (Amstrad Strain)=690= == 13) Dark Avenger Virus (Dark Avenger Strain)=290= == 14) Dark Avenger 3 Virus (Dark Avenger Strain)=291= == 15) DATACRIME Ia = "1168" Virus (Datacrime Strain)=290= == 16) DATACRIME Ib = "1280" Virus (Datacrime Strain)=290= == 17) dBase Virus =290= == + 18) Dedicated Virus =192= == 19) Den Zuk = "Search" = Venezuelan Virus (Den Zuk Strain)=290= == 20) Devils Dance = "941" Virus =690= == 21) Do Nothing = Stupid = 640k Virus =290= == 22) Empire A/B Virus (Stoned Strain)=791= == + 23) FEXE 1.0 Virus (FichV Strain)=291= == + 24) FichV 2.0 Virus (FichV Strain)=291= == + 25) FichV 2.1 = 903 Virus (FichV Strain)=291= == 26) Fingers = 08/15 Virus =791= == 27) Fish 6 Virus (4096 = FroDo Strain)=291= == 28) Flash = 688 Virus =790= == 29) Form Virus =690= == 30) Friday 13th = South African Virus (Friday 13th Strain)=A89= == 31) Fu Manchu Virus (Israeli Strain)=290= == 32) GhostBalls Virus (Icelandic Strain)=A89= == 33) Green Caterpillar =791= == 34) G&H = DemoVirus G&H =791= == + 35) Hafenstrasse Virus =192= == 36) Headcrash = 1067 Virus =791= == 37) Hello Virus =291= == 38) Icelandic#1=DiskCrunching=1-in-10 Virus(Icelandic Strain)=A89= == 39) Icelandic#2 Virus (Icelandic Strain)=A89= == 40) Israeli = Jerusalem A Virus (Israeli Strain)=A89= == 41) Lehigh Virus =290= == 42) Lisbon Virus (Vienna Strain)=690= == 43) LoveChild Trojan (LoveChild Strain)=791= == 44) LoveChild Virus (LoveChild Strain)=791= == 45) Keypress Virus =291= == 46) MachoSoft Virus (Syslock Strain)=A89= == 47) Marijuana = Stoned = New Zealand Virus (Stoned Strain)=290= == 48) Merritt = Alameda A = Yale Virus (Alameda/Yale Strain)=A89= == + 49) Michelangelo Virus =192= == 50) Mirror = Flip Clone Virus =291= == 51) MIX1 = Mixer1 Virus =290= == 52) Murphy 1 Virus (Murphy Strain)=690= == 53) Murphy 2 Virus (Murphy Strain)=690= == 54) Nomenklatura Virus =791= == 55) Number of the Beasts = 512 Virus (512 Strain)=690= == 56) Ogre = Disk Killer 1.00 Virus =290= == 57) Oropax = Music Virus =A89= == 58) PERFUME ="4711" = 765 Virus =790= == + 59) Plovdiv 1.3 Virus (Plovdic Strain)=192= == 60) RPVS = TUQ = 453 Virus =791= == 61) Sadam = Saddam Virus =291= == 62) Saratoga Virus (Icelandic Strain)=A89= == 63) Scrambler = KEYBGR Trojan =790= == + 64) Semtex = Screen Trasher Virus =291= == 65) SHOE-B v9.0 Virus (Brain=Pakistani Strain)=A89= == 66) SUNDAY A Virus (Israeli Strain) =690= == 67) SUNDAY B Virus (Israeli Strain) =690= == 68) SURIV 1.01 Viruses (Israeli Strain) =290= == 69) sURIV 2.01 = April 1st Virus (Israeli Strain) =690= == 70) sURIV 3.00 = Israeli #3 Virus (Israeli Strain) =690= == 71) Swap = Israeli Boot Virus =290= == + 72) Sverdlov = Hymn of USSR Virus =192= == 73) Sylvia (V 2.1) = Holland Girl Virus =690= == 74) SYSLOCK Virus (Syslock Strain)=789= == 75) Tequila Virus =791= == 76) Thursday-12 Virus =791= == 77) Tiny = V613 Virus =790= == 78) Traceback = "3066" Virus (Traceback Strain)=690= == 79) VACSINA Virus (TP Strain)=A89= == 80) Vienna = Austrian = "648" Virus (Vienna Strain)=A89= == 81) Vienna 348 = "348" Virus (Vienna Strain)=690= == 82) Vienna 353 = "353" Virus (Vienna Strain)=690= == 83) Vienna 367 = "367" Virus (Vienna Strain)=690= == 84) Vienna 435 = "435" Virus (Vienna Strain)=690= == 85) Vienna 623 = "623" Virus (Vienna Strain)=690= == 86) Vienna 627 = "627" Virus (Vienna Strain)=690= == + 87) Violetta Virus =192= == 88) V-277 Virus (Amstrad Strain)=690= == 89) V-299 Virus (Amstrad Strain)=690= == 90) V-345 Virus (Amstrad Strain)=690= == 91) XA1 = V1539 Virus =790= == 92) Zero Bug = ZBug = Palette Virus =290= == + 93) ZeroHunt-415 = Minnow Virus (ZeroHunt Strain)=192= == + 94) ZeroHunt-411 = Minnow-1 Virus (ZeroHunt Strain)=192= == 95) VCS 1.0 = Virus Construction Set = VDV Virus =791= == + 96) VDV-853 Virus =192= == 97) "8-Tunes" = 1971 Virus =690= == 98) "12-Tricks" Trojan =790= == 99) 512 Virus (512 Strain)=690= == 100) 982 (=Klaeren) Virus =791= == 101) 1260 Virus =291= == 102) 4096 = 4K = "100 Years" = IDF = Stealth Virus (4K Strain)=690= == 103) 5120 Virus =690= == == ======================================================================= ======== Computer Virus Catalog 1.2: Amilia Virus (25-Jan-1992) ====== Entry...............: Amilia Virus Alias(es)...........: --- Virus Strain........: Murphy Virus Strain Virus detected when.: January 1992 where.: Classification......: Program (appending) virus, resident Length of Virus.....: 1,164 Bytes --------------------- Preconditions ---------------------------------- Operating System(s).: MS-DOS Version/Release.....: 2.xx upward Computer model(s)...: IBM - PC, XT, AT, upward and compatibles --------------------- Attributes ------------------------------------- Easy Identification.: Infected files will contain the string "AmiLia I Virii - [NukE] i99i By Rock Steady/NukE" Type of infection...: All *.COM and *.EXE files that are executed or opened will be infected if the files are bigger than 1,614 bytes. COM files must also be smaller than 64,000 bytes. Infection Trigger...: Any of the following operations on any *.COM or *.EXE file:Load/Execute, Open, Extended Open. Infection targets:..: All *.COM files with 1614<=length<=64000 bytes; All *.EXE files with 1614<=length and old header. Interrupts hooked...: INT 1C, INT 24 Interrupts used.....: INT 13, INT 21, INT 40, INT 41 Damage..............: 1) On sundays, when executing or opening an *.EXE file, the following message is displayed: "AmiLiA I Virii - [NukE] Released Dec91 Montreal (C) NukE Development Software Inc" Thereafter, the program terminates. 2) Upon each INT 21 call, the virus also checks system tick count for being above equivalent of about 16 hours; if this amount of on-time is reached, a green smiley face on black back- ground moves diagonally around the screen bouncing at edges and characters. Damage Trigger......: 1) For the message: day of the week = Sunday; 2) For the smiley: 16 hours of power on time. Similarities........: --- Particularities.....: This virus carefully looks for the correct INT 13 entry to avoid being trapped by a guardian. --------------------- Agents ----------------------------------------- Countermeasures.....: - ditto - successful: Removal: Not always possible: a 'NE' type EXE will not work anymore. Standard means......: --------------------- Acknowledgement -------------------------------- Location............: Micro-BIT Virus Center, Univ Karlsruhe, Germany Classification by...: Christoph Fischer Documentation by....: Christoph Fischer Date................: January 25, 1992 ===================== End of Amilia Virus ============================ ===== Computer Virus Catalog 1.2: AntiCAD Virus (31-January-1992) ==== Entry...............: AntiCAD Virus Alias(es)...........: AntiCAD-4096 = Invader Virus Virus Strain........: Jerusalem Virus Strain, ANTICAD Substrain Variants............: AntiCAD-A; -B; -C; Chinese; Danube (Donau); Mozart Viruses Virus detected when.: August 1990 where.: Australia Classification......: Program (COM, EXE) & System (Boot, Master Boot) infector; memory resident Length of Virus.....: 1) Length on media: 4,096 bytes on COM & BOOT; 4,096-4,111 bytes on EXE 2) Length in memory: 5,120 bytes --------------------- Preconditions ---------------------------------- Operating System(s).: MS-DOS and compatible OS Version/Release.....: MS-DOS 3.0 and upwards Computer model(s)...: IBM and compatible PCs --------------------- Attributes ------------------------------------- Easy Identification.: Virus contains text: "NO SYSTEMDISK...PLEASE INSERT..." Type of infection...: Depending on type of victim: COM: Prepending but COMMAND.COM not infected; EXE: Appending but ACAD.EXE not infected; BOOT: any diskette without write protection; Master-BOOT: all HD-Drives. Infection Trigger...: Any Load/Execute operation Media affected......: All kinds (disks, any diskette) Interrupts hooked...: 08h (Timer), 09h (Keybord), 13h (Disk), 21h (DOS-Calls), 24h (error handler). Damage..............: Transient: the virus plays some music (variants may play noise), and system is slowed down. This routine activates Permanent: If CTRL-ALT-DEL is pressed while music is playing or ACAD is loaded, *all in- formation on all disks will be overwritten*. CMOS-entries will be deleted. Damage Trigger......: Transient damage: in original ANTICAD virus, transient damage (playing music, system slow- down) is activated 30 minutes after virus' activation. In ANTICAD variants, activation of transient damage (music/noise) may be de- layed between 7 and 30 days. Permanent damage: one of the following activi- ties will activate permanent damage (over- writing disk media, deleting CMOS entries): P1) pressing CTRL-ALT-DEL when music/noise is played; P2) execution of ACAD; P3) after about 4000 keystrokes. These effects may not be activated every time as activation also depends on several internal triggers. Particularities.....: --- Similarities........: Viruses in same (Jerusalem) strain, and esp. those in same (AntiCAD) substrain. --------------------- Agents ----------------------------------------- Countermeasures.....: According to their documentation, many antivirus products claim recognise and eradicate virus. -ditto- successful..: Tested: Dr.Solomon's Toolkit, Fridrik Skulason's F-PROT. Standard means......: 1) Reboot from clean bootdisk. 2) Delete all infected files. 3) Use SYS-Command to reinstall BOOT sector. 4) Use FDISK /MBR to reinstall Master-BOOT sector (MS-DOS 5.0 only). --------------------- Acknowledgement -------------------------------- Location............: Virus-Test-Center, University Hamburg, Germany Classification by...: Matthias Jaenichen Documentation by....: Matthias Jaenichen Date................: 31-January-1992 Information Source..: Disassembly, "PC Viruses" by A.Solomon, "VSUM" (P.Hofmann) ===================== End of ANTICAD Virus ============================ ==== Computer Virus Catalog 1.2: Dedicated Virus (31-January 1992) === Entry...............: Dedicated Virus Alias(es)...........: --- Virus Strain........: --- Polymorphism engine.: Mutating Engine (ME) 0.9 Virus detected when.: UK where.: January 1992 Classification......: Polymorphic encrypted program (COM) infector, non-resident Length of Virus.....: 3,5 kByte (including Mutating Engine) --------------------- Preconditions ---------------------------------- Operating System(s).: MS-DOS Version/Release.....: 2.xx upward Computer model(s)...: IBM - PCs, XT, AT, upward and compatibles --------------------- Attributes ------------------------------------- Easy Identification.: COM file growth (no other direct detection means are known as virus encrypts itself, and due to the installed mutation engine, all occu- rences of this virus differ widely) Type of infection...: COM file infector: all COM files in current directory on current drive (disk,diskette) are infected upon executing an infected file. Infection Trigger...: Execution of an infected COM file. Media affected......: Hard disk, any floppy disk Interrupts hooked...: --- Crypto method.....: The virus encrypts itself upon infecting a COM file using its own encryption routine; upon execution, the virus decrypts itself using its own small algorithm. Polymorphic method..: After decryption, the virus' envelope consisting of Mutating Engine 0.9 will widely vary the virus' coding before newly infecting another COM file. Due to this method, common pieces of code of more than three bytes (=signatures) of any two instances of this virus are highly improbable. Remark: Mutating Engine 0.9 very probably was developped by the Bulgarian virus writer "Dark Avenger"; such a program was announced early 1991 as permutating more than 4 billion times, and it appeared in October 1991 or before. The class of permutating viruses is named "polymorphic" to indicate the changing structure which may not be identified with contemporary means. To indicate the relation to such common engine, the term "Polymorhic engine (method)" has been introduced. ME 0.9 was distributed via several Virus Exchange Bulletin Boards, so it is possible that other ME 0.9 related viruses appear. According to (non-validated) information, an- other ME 0.9 based virus (Pogue?) has been detected in North America: COM file infector, memory resident, length about 3,7 kBytes. Damage..............: Virus overwrites at random times random sectors (one at a time) with garbage (INT 26 used). Damage Trigger......: Random time Similarities........: --- Particularities.....: The virus contains a text greeting a US based female hacker; this text is visible after decryption. --------------------- Agents ----------------------------------------- Countermeasures.....: Contemporarily, no automatic method for reliable identification of polymorphic viruses known. - ditto - successful: --- Standard means......: --- --------------------- Acknowledgement -------------------------------- Location............: Virus Test Center, University Hamburg, Germany Classification by...: Vesselin Bontchev, Klaus Brunnstein Documentation by....: Dr. Alan Solomon Date................: 31-January-1992 ===================== End of Dedicated Virus ========================= ====== Computer Virus Catalog 1.2: FEXE Virus (31-January-1992) ====== Entry...............: FEXE = FEXE 1.0 Virus Alias(es)...........: --- Virus Strain........: FICHV Virus Strain Virus detected when.: where.: Classification......: Program (EXE) infector, memory resident Length of Virus.....: 1. Length on media: 897 ($381) bytes; 2. Length in memory: 2,288 bytes. --------------------- Preconditions ----------------------------------- Operating System(s).: MS-DOS Version/Release.....: DOS 2 and upwards Computer model(s)...: IBM PC/AT & compatibles --------------------- Attributes -------------------------------------- Easy Identification.: Infected files are 897 bytes longer than clean EXE files. Free memory space was decreased by 2288 bytes. File time is set to 62 seconds. In memory, the text "** FEXE 1.0 vous a eu **" can be found (28 bytes below Int_21 entrypoint) Signature...........: AC 32 07 AA 43 3B DA 72 03 BB Remark: this string is a pert of the virus' decryption routine, but is rather unique due to its programming error. Type of infection...: The virus appends itself to the end of an EXE file and changes the EXE-header. Infection Trigger...: Whenever an infected file is executed, the virus will go resident and thereby infect the first uninfected EXE-file (found via "Search First", "Search Next"). Upon any "Execute" or "Open file" operation (INT 21, ah=$4B/$3D), virus will infect the first uninfected EXE-file in the same manner. Storage media affected: EXE files on any disk/diskette Interrupts hooked...: INT 21 (functions ah=$4B, ah=$3D) Damage..............: Virus will overwrite the first 6 sectors on both sides of each track, starting from track 0, with the text "** FEXE 1.0 vous a eu **". Damage Trigger......: Activating an infected file during April (any year). Particularities.....: Virus uses a simple self-encryption, which was possibly planned as a complex decryption, but due to a programming error operates only in a simple manner (XOR). It always uses standard INT 21 functions (including "Terminate/stay resident": ah=$31). Similarities........: FICHV viruses (which infect COM files only). --------------------- Agents ----------------------------------------- Countermeasures.....: No countermeasures known. Countermeasures successful: Dito. (Tested antivirus do not detect it) Standard means......: Delete infected EXE files & install clean ones. --------------------- Acknowledgement -------------------------------- Location............: Virus Test Center, University Hamburg, Germany Classification by...: Toralv Dirro Documentation by....: Toralv Dirro Date................: 31-January-1992 Information Source..: In-depth analysis of virus code ===================== End of FEXE Virus ============================== ==== Computer Virus Catalog 1.2: FICHV 2.0 Virus (31-January-1992) === Entry...............: FICHV 2.0 Virus Alias(es)...........: --- Virus Strain........: FICHV Virus Strain Virus detected when.: where.: Classification......: Program (COM) infector, memopry resident Length of Virus.....: 1. Length on media: 896 ($380) bytes; 2. Length in memory: 1,248 bytes. --------------------- Preconditions ---------------------------------- Operating System(s).: MS-DOS Version/Release.....: DOS 2 and upwards Computer model(s)...: IBM PC/AT & compatibles --------------------- Attributes ------------------------------------- Easy Identification.: Infected files are 896 bytes longer than clean COM files. The amount of free RAM is decreased by 1248 bytes. File time is set to 62 seconds. In memory,the text "****FICHV 2.0 vous a eu**" can be found (690 Bytes below Int 21 entry point). Signature...........: AC 32 07 AA 43 3B DA 72 03 BB Remark: this string is a pert of the virus' decryption routine, but is rather unique due to its programming error. Type of infection...: The virus appends the first 896 bytes of an in- fected program to the end of the COM file, then overwriting the first 896 bytes. Infection Trigger...: Whenever an infected file is executed, the virus will go resident and thereby infect the first uninfected EXE-file (found via "Search First", "Search Next"), if the free disk space is >3,000 bytes and the file is longer than 1,500 bytes. When the virus is resident, whenever INT 21 "Execute" ($4B) is called, the virus will infect the first uninfected COM-file. Storage media affected: COM files on any disk/diskette Interrupts hooked...: INT 21 (function ah=$4B). Damage..............: Virus will overwrite the first 6 sectors on both sides of each track, starting from track 0, with the text "****FICHV 2.0 vous a eu**". Damage Trigger......: Execution of an infected program during March (any year). Particularities.....: Virus uses a simple self-encryption, which was possibly planned as a complex decryption, but due to a programming error operates only in a simple manner (XOR). It always uses standard INT 21 functions (including "Terminate/stay resident": ah=$31). Side effect #1: The virus does not check if the file to be infected is smaller than 64,640 bytes; therefore, an infected COM file may grow larger than 65,535 bytes and then cannot be executed any longer. Side effect #2: Virus overrides memory at location 6000:0; therefore, conflicts (crash) with other TSR's are possible. Similarities........: FICHV 2.1, FEXE virus --------------------- Agents ----------------------------------------- Countermeasures.....: F-Prot 2.02 suspects that virus be a new variant of the FICHV-Virus. Countermeasures successful: None at classification time. Standard means......: Delete infected files. --------------------- Acknowledgement -------------------------------- Location............: Virus Test Center, University Hamburg, Germany Classification by...: Toralv Dirro Documentation by....: Toralv Dirro Date................: 31-January-1992 Information Source..: In-depth analysis of virus code ===================== End of FICHV 2.0 Virus ========================= ==== Computer Virus Catalog 1.2: FICHV 2.1 Virus (31-January-1992) === Entry...............: FICHV 2.1 Virus Alias(es)...........: 903 Virus Virus Strain........: FICHV Virus Strain Virus detected when.: where.: Classification......: Program (COM) infector, memopry resident Length of Virus.....: 1. Length on media: 903 ($387) bytes; 2. Length in memory: 1,264 bytes. Length of Virus.....: --------------------- Preconditions ---------------------------------- Operating System(s).: MS-DOS Version/Release.....: DOS 2 and upwards Computer model(s)...: IBM PC/AT & compatibles --------------------- Attributes ------------------------------------- Easy Identification.: Infected files are 903 bytes longer than clean COM files. The amount of free RAM is decreased by 1264 bytes. File time is set to 62 secons. In memory,the text "****FICHV 2.1 vous a eu**" can be found (693 Bytes below the Int 21 entry point). Signature...........: AC 32 07 AA 43 3B DA 72 03 BB Remark: this string is a pert of the virus' decryption routine, but is rather unique due to its programming error. Type of infection...: The virus appends the first 903 Bytes of an in- fected program to the end of the file, then overwriting the first 903 bytes. Infection Trigger...: Whenever an infected file is executed, the virus will go resident and thereby infect the first uninfected EXE-file (found via "Search First", "Search Next"), if the free disk space is >3,000 bytes and the file is longer than 1,500 bytes. When the virus is resident, whenever INT 21 "Execute" ($4B) or "Open a File" ($3D) is called, the virus will infect the first uninfected COM-file. Storage media affected: COM files on any disk/diskette. Interrupts hooked...: INT 21 (functions ah=$4B and ah=$3D). Damage..............: Virus will overwrite the first 6 sectors on both sides of each track, starting from track 0, with the text "****FICHV 2.1 vous a eu**". Damage Trigger......: Execution of an infected program during March (nay year). Particularities.....: Virus uses a simple self-encryption, which was possibly planned as a complex decryption, but due to a programming error operates only in a simple manner (XOR). It always uses standard INT 21 functions (including "Terminate/stay resident": ah=$31). Side effect #1: The virus does not check for a maximum length of the file to be infected, so the infected files might grow bigger than 65,535 bytes and then cannot be executed any longer. Side effect #2: Virus overrides memory at location 6000:0; therefore, conflicts (crash) with other TSR's are possible. Similarities........: FICHV 2.0, FEXE virus --------------------- Agents ----------------------------------------- Countermeasures.....: F-Prot v 2.02 recognizes the virus as "FICHV virus"; Scan v85 recognizes it as "903 virus". Countermeasures successful: Dito. Standard means......: Delete infected files. --------------------- Acknowledgement -------------------------------- Location............: Virus Test Center, University Hamburg, Germany Classification by...: Toralv Dirro Documentation by....: Toralv Dirro Date................: 31-January-1992 Information Source..: In-depth analysis of virus code ===================== End of FICHV 2.1 Virus ========================= ==== Computer Virus Catalog 1.2: Hafenstrasse Virus (20-Nov-1991) ==== Entry...............: Hafenstrasse Virus Alias(es)...........: --- Virus Strain........: --- Virus detected when.: 22-October-1991 where.: Hamburg, Germany Classification......: Program virus, non-resident, EXE-infector Length of Virus.....: 809 Bytes --------------------- Preconditions ---------------------------------- Operating System(s).: MS-DOS Version/Release.....: 2.xx upward Computer model(s)...: IBM - PC, XT, AT and compatibles --------------------- Attributes ------------------------------------- Easy Identification.: --- Type of infection...: The virus infects only EXE files. The virus is not memory-resident. Infection Trigger...: The virus infects in direct action; when an in- fected program is run, virus tries 5 times to find a file to infect, but will only in- fect one file at a time. Interrupts hooked...: --- Damage..............: The message "Hafenstrasse bleibt !" is written to a hidden file. The name of the file is composed of 4 randomly-chosen letters. Even though this seems to be fairly harmless, this will eventually fill the disk, or the capacity of the directory may be exceeded. Remark: the text "Hafenstrasse bleibt!" (=har- bour street remains) is a slogan which some inhabitants (belonging to an "alternative scene") of Hamburg's "harbour street" use to publicly withstand local government plans to replace their old houses by new ones. Damage Trigger......: A new file is created every time an infected file is run. Particularities.....: The text is encrypted (only the text). --------------------- Agents ----------------------------------------- Countermeasures.....: --- - ditto - successful: --- Standard means......: --- --------------------- Acknowledgement -------------------------------- Location............: Virus Test Center, University Hamburg, Germany Classification by...: Morton Swimmer Documentation by....: Morton Swimmer Date................: 20-November-1991 ===================== End of Hafenstrasse Virus ====================== == Computer Virus Catalog 1.2: Michelangelo Virus (31-January-1992) == Entry...............: Michelangelo Virus Alias(es)...........: Nina Turtle Virus (in Taiwan) Virus Strain........: Stoned Virus Strain Virus detected when.: Summer 1991 where.: Classification......: System virus (boot, partition table), resident Length of Virus.....: Fits well into code space of partition table Memory: 2,048 bytes just below end of DOS --------------------- Preconditions ---------------------------------- Operating System(s).: MS-DOS Version/Release.....: 2.xx upward Computer model(s)...: IBM - PC, XT, AT, upward and compatibles --------------------- Attributes ------------------------------------- Easy Identification.: --- Direct Detection....: Original partition table or original boot sector can be found in sector 7 of a hard disk and specific sectors of 5.25"/3.5" diskette. CHKDSK "total memory bytes" shows that available memory is reduced by 2,048 bytes. Type of infection...: Upon booting from an infected floppy, virus will make itself memory resident and infect par- tition table. Any INT13 is intercepted there- after. Any floppy A: operation will infect disk in drive A: provided the motor was off; this reduces excessive infection testing. Infection Trigger...: Booting from an infected disk will infect a com- puter. Usage of the floppy A: drive (read, write, or format) can cause an infection of that medium. Infection targets:..: Partition table of harddisks and bootsectors of floppy disks. Interrupts hooked...: INT 13 Damage..............: Data destruction by overwriting the medium, from which system was booted from: on harddisks, virus will overwrite sector 1-17 on head 0-3 of all tracks; on floppies, virus will over- write sector 1-9 or 1-14 (depending on FAT type) on both heads and all tracks. Damage Trigger......: Data destruction occurs when system's date equals March 6 of any year. This is birthdate of Michelangelo Buonarotti, Italian artist, architect and engineer (born March 6, 1475 in Caprese, died February 18, 1564 in Rome) Remark: there is *no evidence* in the virus that it's programmer related March 6 to Michelangelo B.; the name probably is the interpretation of the first person to (possibly partially) analyse this virus. Similarities........: Virus seems to be an enhanced Stoned virus Particularities.....: 1) Virus uses BIOS directly. 2) As virus overwrites hard disk sector 7, it may also affect other operating systems which use an infected disk. --------------------- Agents ----------------------------------------- Countermeasures.....: - ditto - successful: Fridrik Skulason's F-PROT and Dr. Solomon's FINDVIRU detect and eradicate this virus. Standard means......: Boot from a clean disk and move original sector to its proper location (sector 1, head 0, track 0). On systems where an early FDISK (no hidden sectors) was used to low-level format hard disk, FAT copy 1 might be damaged; an additional copying of FAT 2 onto FAT 1 might then be necessary. --------------------- Acknowledgement -------------------------------- Location............: Micro-BIT Virus Center, Univ.Karlsruhe, Germany Classification by...: Christoph Fischer Documentation by....: Christoph Fischer Date................: 17-September-1991 Update..............: Padgett Patterson, Orlando/Florida (31-Jan-1992) ===================== End of Michelangelo Virus ====================== ===== Computer Virus Catalog 1.2: Plovdiv 1.3 Virus (31-Jan-1992) ==== Entry...............: Plovdiv 1.3 Virus Alias(es)...........: Damage 1.3 Virus Virus Strain........: Damage Virus Strain Virus detected when.: September 1991 where.: Plovdiv, Bulgaria Classification......: Program virus, Extending, Resident Length of Virus.....: 1,000 in files, 1,328 bytes in memory --------------------- Preconditions ---------------------------------- Operating System(s).: MS-DOS Version/Release.....: 2.xx and upward, special support for 3.30 Computer model(s)...: IBM-PC, XT, AT and compatibles --------------------- Attributes ------------------------------------- Easy identification.: The virus contains the string "(c)Damage inc. Ver 1.3 1991 Plovdiv S.A.". Type of infection...: Self-Identification: The virus identifies infection by seconds field in file time. Executable Files: Size increased by 1,000 bytes. System infection: RAM-resident. Allocates a memory block at high end of memory by 1,344 bytes. If MS-DOS version is 3.30, virus finds original address of INT 21h and INT 13h handlers, thus bypassing active monitors. Infection Trigger...: Programs are infected at load time (using the function Load/Execute of MS-DOS), and when- ever a *.COM or *.EXE file is Opened. Media affected......: Any logical drive that is the "current" drive. Interrupts hooked...: INT 21h functions 4Bh, 3Dh are used to infect files. Functions 11h and 12h are used to hide virus infection in files. INT 24h and INT 13h are temporary captured to mask out errors. INT 32h contains original INT 21h handler. Damage..............: The virus formats all available tracks on the current drive. Damage trigger......: The virus carries an evolution counter that is decreased every time the virus is executed. Upon counter = 0, the virus reads the system timer. If the value of hundreds is greater than 50, the virus will format all available tracks on the current drive (effectively a 50% chance of destruction). "Current" drive is any logical drive on which file is opened, executed or searched thru FindFirst/FindNext. Particularities.....: The virus knocks out the transient part of COMMAND.COM forcing it to be reloaded and thereby infected. Similarities........: Damage 1.1 Virus --------------------- Agents ----------------------------------------- Countermeasures.....: VirusClinic 2.00.007+ (Ivan Trifonoff) Countermeasures successful: VirusClinic 2.00.007+ (Ivan Trifonoff) Standard means......: text search of string "Damage" --------------------- Acknowledgement -------------------------------- Location............: Laboratory of Computer Virology, Bulgarian Academy of Sciences, Sofia Classification by...: Ivan Trifonoff Documentation by....: Ivan Trifonoff Date................: 2-October-1991 Information Source..: --- ===================== End of Plovdiv 1.3 - Virus ===================== ======= Computer Virus Catalog 1.2: Semtex Virus (31-Jan-1992) ======= Entry...............: Semtex Virus Alias(es)...........: Screen Trasher Virus Virus Strain........: Virus detected when.: September 1991 where.: Germany Classification......: Program (appending) virus, resident Length of Virus.....: 1,000 Bytes --------------------- Preconditions ---------------------------------- Operating System(s).: MS-DOS Version/Release.....: 1.xx upward Computer model(s)...: IBM - PC, XT, AT, upward and compatibles --------------------- Attributes ------------------------------------- Direct Detection....: Every hour, the screen is overwritten by trash. Easy Identification.: Infected files will contain the string: " S E M T E X by Dusan Toman, CZECHOSLOVAKIA" " (7)213-040 or (804)212-23 " Type of infection...: All *.COM that are executed or opened will be infected if their length <= 61,000 Bytes. COMMAND.COM will also be infected; there is explicit code in the virus that exploits the comspec. Infection Trigger...: Any Load/Execute or Open of a *.COM file. Infection targets:..: All *.COM files with length <= 61,000 Bytes. Interrupts hooked...: INT 08 (hooked); INT 10, INT 21 (used); INT 61 (occupied) Damage..............: At an hourly intervall, virus will trash screen contents by overwriting with garbage. Damage Trigger......: A Counter that counts the timer tics. Similarities........: --- Particularities.....: 1) This virus does not intercept INT 24, so a write error will occur upon each infection attempt. 2) Windows 3.0 will not like what virus does to the memory allocation. 3) INT 61 usage will render the following pro- ducts inoperative: Atari Portfolio (system management) HP 95LX System (system management) JPI topspeed modula (procedure exit trap) FTP PC/TCP (function calls) Adaptec and Omti controller Banyan Vines (network) Sangoma CCIP (CCPOP3270) --------------------- Agents ----------------------------------------- Countermeasures.....: - ditto - successful: Standard means......: --------------------- Acknowledgement -------------------------------- Location............: Micro-BIT Virus Center, Univ Karlsruhe, Germany Classification by...: Christoph Fischer Documentation by....: Christoph Fischer Date................: 31-January-1992 ===================== End of Semtex Virus ============================ ==== Computer Virus Catalog 1.2: Sverdlov Virus (31-January-1992) ==== Entry................: Sverdlov Virus Alias(es)............: Hymn = Hymn of USSR Virus Virus Strain.........: 1990 Virus detected when..: USSR where..: September 1991 Classification.......: Program virus, postfix, memory resident Length of Virus......: On media: 1,974 bytes ---------------------- Preconditions --------------------------------- Operating System(s)..: MS-DOS and compatible Version/Release......: 3.0 and upwards Computer model(s)....: IBM and compatible PC/XT/AT upwards ---------------------- Attributes ------------------------------------ Easy Identification..: Infected files grows by 1,971 bytes. Type of infection....: Program infector: The virus will make itself memory-resident and infect infect every program which uses INT21 (functions 3c, 3d, 3e, 43, 4b) Infection Trigger....: At any time but not if system date's Day=Month Media affected.......: Any (hard disk, floppy disk) Interrupts hooked....: INT 21h, INT 1Ch, INT 24h Damage...............: Permanent: --- Transient: The virus shows a nice spectacle on the screen, in displaying a V-shaped window in different colors; inside the window you, the text is displayed: " USSR (c) 1991 ". Moreover, the national anthem of USSR is played. Damage Trigger.......: When becoming memory resident, virus sets a random number. When random number=1, damage is triggered. Particularities......: --- Similarities.........: --- --------------------- Agents ------------------------------------------ Countermeasures......: --- - dito - successful: Tested: Fridrik Skulason's F-PROT Standard means.......: --- --------------------- Acknowledgement --------------------------------- Location............: Virus Test Center, University Hamburg, Germany and Technical University Dresden, Germany Classification by...: Frank Schwarz Documentation by....: Frank Schwarz Date................: 31-January-1992 Information Source..: --- ===================== End of Sverdlov Virus ========================== ===== Computer Virus Catalog 1.2: VDV-853 Virus (31-January-1992) ==== Entry................. VDV-853 Virus (VDV = "Verband Deutscher Virenliebhaber"; = "community of German virus lovers") Alias(es)............. --- Strain................ VCS Virus Strain Detected: when........ December 1991 where....... Hamburg, Germany Classification........ Program (COM) infector, encrypted, appending, direct action; not memory resident Length of Virus....... on media: 853 bytes ---------------------- Preconditions --------------------------------- Operating System(s)... MS/PC-DOS 2.x upwards Computer models....... All IBM PC/AT compatibles with CPU > 8088. ---------------------- Attributes ------------------------------------ Easy identification... --- Signature............. Search string at offset 00h: E8 14 00 8A A4 4F 04 8D BC 20 01 B9 2F 03 89 FE Type of infection..... Self-identification: files containing C350h at offset 03h regarded as infected. EXE files: no infection. COM files: are infected only once. Files are randomly infected in the current directory or in root directory and below if word at offset 03h of file doesnot contain C350h. File size is increased by 853 bytes. Virus is not RAM resident; files can only be in- fected when an infected host is started. Infection trigger..... Any time an infected file is run, the virus infects up to 10 files, but only if the INT 26h (=absolute-disk-write-vector) is not hooked. Affected media........ Files on hard disk or any diskette. Interrupts hooked..... --- Damage................ Permanent damage: when triggered, all files in the root directory will be overwritten with 273 bytes of text including a Christmas tree and message (see Particularities). Transient Damage: when the file has been over- written, message (see: Particularities) will be displayed until a key is pressed. Damage trigger........ Permanent or transient damage is activated when month of system date = December and day of system date = 24, 25 or 26 (Christmas). Particularities....... 1) Virus is encrypted; upon each infection, en- cryption key is changed. 2) Virus uses opcode 68h (push constant on stack) which isnot defined on 8088 processors; so, virus will not work on such machines. 3) Files with ReadOnly attribute will not be infected. 4) VDV-853 virus was written by some "Verband Deutscher Virenliebhaber" (=community of German virus lovers). This virus is realated to VCS virus (see Catalog edition July 91) but may have been created before the release of the VCS 1.0. The following message can be found in over- written (damaged) files and will be display- ed under damage trigger conditions: "Froehliche Weihnachten wuenscht der Verband Deutscher Virenliebhaber Ach ja, und dann wuenschen wir auch noch viel Spasz beim Suchen nach den Daten von der Festplatte! gez. VDV, Dezember 1990." Translation: "Happy Christmas wishes the community of German virus lovers Oh yes, and then we wish you a lot of fun, by searching for your data on your harddisk!" Yours VDV, December 1990."; On the left side of the message, a stylized Christmas tree is displayed in textgraphic. Similarities........... 1) Virus is similar to VCS 1.0 virus and uses the same code, except that damage routine and some address functions are changed. 2) In distinction to VCS 1.0 virus, VDV-853 has no generation counter and a different damage routine. Probably, is was not created with Virus Construction Set 1.0 ---------------------- Agents ---------------------------------------- Countermeasures....... - ditto - successful. Solomon's Findviru V4.01 detects as VDV-853. Skulason's F-PROT V2.02 detects as VDV-853. Tode's NTI-VDV.EXE is an antivirus that only looks for VDV-853 virus, and if requested will restore the original file. - ditto - unsuccessful. McAfee's Scan version 86b and below Standard Means........ Notice file length. Use ReadOnly attribute. Or use FLU-Shot or another program, which monitors INT 26h. ---------------------- Acknowledgements ------------------------------ Location.............. Virus Test Center, University Hamburg, Germany Classification by..... Stefan Tode Documentation by...... Stefan Tode Date.................. 31-January-1992 Information source.... --- ====================== End of VDV-853 Virus ========================== ======= Computer Virus Catalog 1.2: Violetta Virus (25-Jan-1992) ===== Entry...............: Violetta Virus Alias(es)...........: --- Virus Strain........: --- Virus detected when.: January 1992 where.: Classification......: Program virus, resident Length of Virus.....: 3,840 Bytes --------------------- Preconditions ---------------------------------- Operating System(s).: MS-DOS Version/Release.....: 2.xx upward Computer model(s)...: IBM - PC, XT, AT, upward and compatibles --------------------- Attributes ------------------------------------- Easy Identification.: Infected files will contain the string "VIOLETTA" twice (offset 2H and 202H in file) Type of infection...: All *.COM files except COMMAND.COM when executed will be infected. The virus saves the first 3,840 bytes of the host to the end of the file and overwrites the first 3,840 bytes with the virus code. Files smaller than 3,840 bytes are first enlarged to 3,840 bytes. Infection Trigger...: Load and Execute of a *.COM file. Infection targets:..: All *.COM files except COMMAND.COM Interrupts hooked...: INT 21 Interrupts used.....: INT F1, INT FF both used, but not chained; this might cause trouble with Zenith Z100 warm boot procedure. Damage..............: No active payload Damage Trigger......: --- Similarities........: --- Particularities.....: Unusual coding, much dead code, several code sections overwritten with NOPs. --------------------- Agents ----------------------------------------- Countermeasures.....: - ditto - successful: Removal: Not always possible: correct size of files smaller than 3,840 cannot be restored. Standard means......: --------------------- Acknowledgement -------------------------------- Location............: Micro-BIT Virus Center, Univ Karlsruhe, Germany Classification by...: Christoph Fischer Documentation by....: Christoph Fischer Date................: January 25, 1992 ===================== End of Violetta Virus ========================== ==== Computer Virus Catalog 1.2: ZeroHunt Virus (31-January-1992) ==== Entry................. ZeroHunt Virus Clones................ ZeroHunt-415, ZeroHunt-411 (minor variations) Alias(es)............. Minnow, Minnow-1 Virus Strain................ Zero-Hunt Virus Strain Detected: when........ where....... Classification........ Program (COM) infector, but not increasing; stealth, indirect action, memory resident Length of Virus....... 1) Length on media: no increase in file length 2) Virus code in memory/inside file: Length (ZeroHunt-411) = 411 bytes; Length (ZeroHunt-415) = 415 bytes; ---------------------- Preconditions --------------------------------- Operating System(s)... MS/PC-DOS 2.x and upwards Computer models....... All IBM PC compatibles. ---------------------- Attributes ------------------------------------ Easy identification... --- Type of infection..... EXE files: not infected; COM files: are infected only once. Self-identification: files containing F5E9h at begin of file, and containing E8h at memory address 0:021Ch are regarded as infected. Virus searches for 411/415 bytes, depending on the clone, for 00h's; if found (typic- ally a buffer), virus copies itself into this part of file: therefore, size of in- fected files do not increase! Virus makes itself RAM resident and copies itself into the interrupt table (in low memory at location 0:021Ch, INT 87h). Files are infected when executed. Infection trigger..... Any file, which is executed via function 4B00h of INT 21h, will be infected, only if 1st byte of file is E9h and if 411/415 bytes containing 00h's are found. Interrupts hooked..... INT 21h (always pointing to 0:02D5h); INT 24h (during infection); INT 8Bh (points to EE83:019Bh for ZH-411 virus, and to EE83:019Fh for ZH-415 virus). Damage................ No intentional damage. Side effect: system or programs may hang, if they are using the interrupt table as a buffer or if they are using Interrupts > INT 87h (possibly BASIC or LAN Adapters). Moreover, files may get corrupted if one variant tries to infect a file while the other vari- ant is yet active in memory. If ZeroHunt-415 is active in memory, 4 bytes of a file in- fected with ZeroHunt-411 will be corrupted (4 bytes overwritten with 00h). Damage trigger........ --- Particularities....... Stealth method: Virus cannot be found in an infected file, because it monitors all DOS read access functions and may temper them (detail: INT 21h fct. 14h not monitored), thus removing itself from an infected file. Virus may also hook Interrupts > 87h (due to the location of virus). Similarities.......... ZeroHunt-411 is an optimized version of ZeroHunt-415; due to this optimization, some code/data differs. ---------------------- Agents ---------------------------------------- Countermeasures....... - ditto - successful.. McAfee's Scan version 85+ (both variants) Solomon's FindViru V4.01+ ( " " ) Skulasons F-PROT V.2.02 recognizes: ZeroHunt.415 correctly, disinfects wrongly; ZeroHunt.411 as new variant. Standard Means........ Easy disinfection (only if virus is active in memory): copy all *.COM files to different extension (maybe *.MOC), then reboot system from an clean disk and then rename all *.MOC files back to *.COM. ---------------------- Acknowledgements ------------------------------ Location.............. Virus Test Center, University Hamburg, Germany Classification by..... Stefan Tode Documentation by...... Stefan Tode Date.................. 31-January-1992 Information source.... Full reverse engineering of both viruses ====================== End of Zerohunt Virus ========================= ====================================================================== == Critical and constructive comments as well as additions are == == appreciated. Descriptions of new viruses are appreaciated. == ====================================================================== == The Computer Virus Catalog may be copied free of charges provided = == that the source is properly mentioned at any time and location == == of reference. == ====================================================================== == Editor: Virus Test Center, Faculty for Informatics == == University of Hamburg == == Vogt-Koelln-Str.30, D2000 Hamburg 54, FR Germany == == Prof. Dr. Klaus Brunnstein, Vesselin Bontchev, == == Simone Fischer-Huebner, Wolf-Dieter Jahn == == Tel: (+40) 54715-406 (KB), -225 (Bo/Ja), -405(Secr.) == == Fax: (+40) 54 715 - 226 == == Email (EAN/BITNET): brunnstein@rz.informatik.uni-hamburg.dbp.de == == bontchev@rz.informatik.uni-hamburg.de> == == FTP site: ftp.informatik.uni-hamburg.de == == Adress: 134.100.4.42 == == login anonymous; password: your-email-adress; == == directory: pub/virus/texts/catalog == ====================================================================== == End of MSDOSVIR.192 document == == (1,068 Lines, 64 kBytes) == ======================================================================