VIRUS INFORMATION SUMMARY LIST
February 14, 1991
Copyright (C) 1990-1991 by Patricia M. Hoffman. All Rights Reserved.
This document contains the compiled information from a continuing
research effort by the author into the identification, detection and
removal of MS-DOS Computer Viruses. Hopefully, this listing will
provide some assistance to those who wish to know more about a particular
computer virus. It is not intended to provide a very detailed technical
description, but to allow the reader to understand what a virus
generally does, how it activates, what it is doing to their system, and
most importantly, how to get rid of it.
The user of this listing needs to keep in mind that the
information provided is up-to-date only to the date of the listing
itself. If the listing is one month old, some items may not be
accurate. Also, with the wide dispersion of researchers and the
various names that the same virus may be known by, some of the
information may not be entirely accurate. Lastly, as new variants
of known viruses are isolated, some of the characteristics of the
variant may be different.
There are five sections to the listing. The first section is
an introduction which explains the format of the information in
the listing and includes the code information used in some fields.
The second section is the actual virus information listing.
The third section is a cross-reference of common names for MS-DOS
computer viruses and indicates what name to use for the virus in the
second section. The fourth section, added with the July 1990 release
and in the works for many months, is a chart showing relationships
between various viruses and variants. Lastly, there is a fifth section
which is a revision history of the listing.
Anti-Viral products mentioned in the listing are either commonly
available shareware or public domain programs, or they are commercial
products which have been submitted for evaluation and review by the product's
author with "no strings attached". All Anti-Viral products are reviewed at
the most recent release level available to the author. In some cases, this
may not be the most recent release. All testing is done against the author's
virus collection; results using a different collection of viruses and
variants may differ.
Special thanks go to John McAfee for reviewing the listing before
it is distributed, and to numerous others who have sent their comments,
suggestions, and encouraging support.
The Virus Information Summary List may be freely distributed by
non-commercial systems and non-profit organizations, as long as the
distribution file is not altered, and no more than a reasonable
cost-of-duplication fee is charged. The author of this document does not
consider the United States Government or any of its numerous entities to be
a "non-profit organization", therefore they are expressly prohibited from
using or distributing this document without the author's permission.
CompuServe and Genie are also expressly permitted to carry this file for
distribution purposes only; they are not to be construed as being licensed
for internal use of the document.
The Virus Information Summary List may not be used in a business,
corporation, organization, government, or agency environment without
a negotiated site license. While this document may be referenced in the
documentation for some anti-viral products, the document is not to be
construed as being included in any site license not negotiated with
the author, Patricia M. Hoffman, or Roger Aucoin.
Licensing information for the Virus Information Summary List can be
requested from the author via US Mail from the address, or by voice or FAX
at the phone numbers below:
Patricia M. Hoffman
1556 Halford Avenue, #127
Santa Clara, CA 95051
Voice: 1-408-246-3915
FAX : 1-408-246-3915
Roger Aucoin can be contacted for United States and Canadian site
licensing information via US Mail from the address, or by voice or FAX as
indicated below:
Roger Aucoin
Vacci Virus
84 Hammond Street
Waltham, MA 02154
Voice: 1-617-893-8282
FAX : 1-617-969-0385
For sites outside of the United States and Canada, or for information
about becoming a VSUM agent, Jim Lynch should be contacted as indicated
below:
Jim Lynch, International Marketing Manager
c/o Patricia M. Hoffman
1556 Halford Avenue, #127
Santa Clara, CA 95051
Direct Voice: 1-408-727-7966
Direct FAX : 1-408-727-7967
I can also be reached through my Bulletin Board System, Excalibur! BBS,
at 1-408-244-0813. Future versions of this listing may also be obtained
through Excalibur!.
Patricia M. Hoffman
-------------------------------------------------------------------------------
Virus Information Summary List
Introduction & Entry Format
Each of the entries in the list consists of several fields.
Below is a brief description of what is indicated in each of the
fields. For fields where codes may appear, the meaning of each
code is indicated.
Virus Name: Field contains one of the more common names for the
virus. The listing is alphabetized based on this
field.
Aliases: Other names that the same virus may be referred to by.
These names are aliases or A.K.A.'s.
V Status: This field contains one of the following values which indicate
how common the virus is in the public domain.
Common: The virus is one of the most common viruses reported to
various groups which gather virus infection statistics.
Most of these groups are in the United States. Where a
virus has had many reports from a specific geographic area,
the V Status field will contain "Common - xxxxxxxxx" where
xxxxxxxxx is an indicator of geographic location.
Endangered: The "Endangered" classification is for viruses
that are very uncommon and were fairly recently
discovered or isolated. Due to some characteristics of
these viruses, it is highly unlikely that they will ever
become a widespread problem. It doesn't mean that they
don't exist, just that the probability of someone getting
these viruses is fairly low.
Extinct: The "Extinct" classification is for viruses which at
one time may have been widespread (i.e., they are not a
research virus which was never released into the public
domain), but have not had a reported infection in at least
one year. "Extinct" viruses will also include "viruses"
which were submitted which actually don't replicate due to
a flaw in their viral code, but if the flaw were corrected
they might be successful. It is still possible that someone
could become infected with one of these viruses, but the
probability is extremely low.
Myth: "Myth" viruses are viruses which have been discussed among
various groups for some time (in excess of one year), but are
not known to actually exist as either a public domain or
research virus. Probably the best case of a "Myth" virus
is the Nichols Virus.
Rare: "Rare" viruses are viruses which were recently (within the
last year) isolated but which do not appear to be widespread.
These viruses, as a general rule, will be viruses which
have characteristics that would make them a possible
future problem. "Rare" viruses have a higher probability
of someone becoming infected than Endangered or Extinct
viruses, but are much less likely to be found than a
"Common" virus.
Research: A "Research" virus is a virus which was originally
received by at least one anti-viral researcher directly
from its source or author. These viruses are not known
to have been released into the public domain, so they are
highly unlikely to be detected on computer systems other
than researchers.
Rumored: The "Rumored" virus classification is for viruses
which the author has received information about, but for which
no sample of the virus has been made available for analysis.
Any viruses in this classification should be considered with
a grain of salt; they may not actually exist.
Unknown: The "Unknown" classification is for those viruses where
the original submission of the virus to anti-viral researchers
is suspect for any number of reasons, or that there is
very little information known about the origin of the
virus.
New: The "New" category is for viruses which were recently
received by the author but cannot at the present time be
researched in depth. Instead of leaving these viruses out
of the listing all together, they will be listed but with
a "New" status.
Discovery: First recorded discovery date.
Origin: Author/country of origin
Symptoms: Changes to system that may be noticed by users: messages,
growth in files, TSRs/ Resident TOM (change in CHKDSK
return), BSC - boot sector change (may require cold boot
from known-good protected floppy to find), corruption of
system or files, frequent re-boots, slowdowns.
Origin: Either credited or assumed to be in country of discovery.
Eff Length: The length of the viral code after it has infected
a program or system component. For boot-sector infectors,
the length is indicated as N/A, for not applicable.
Type Code: The type codes indicated for a virus indicate general
behavior characteristics. Following the type code(s) is
a brief text description. The type codes used are:
A = Infects all program files (COM & EXE)
B = Boot virus
C = Infects COM files only
D = Infects DOS boot sector on hard disk
E = Infects EXE files only
F = Floppy (360K) only
K = Infects COMMAND.COM
M = Infects Master boot sector on hard disk
N = Non-resident (in memory)
O = Overwriting virus
P = Parasitic virus
R = Resident (in memory)
    (below 640k - segment A000)
    a - in unused portion of allocated memory
        (does not change free memory, such as virus resident
        in CLI stack space or unused system memory)
        Example: LeHigh
    f - in free (user) memory below TOM
        (does not prevent overwriting)
        Example: Icelandic
    h - in high memory but below TOM
        (Resides in high system memory, right below TOM.
        Memory is allocated so it won't be accidentally
        overwritten.)
        Example: Flash
    s - in low (system/TSR) memory
        (reduces free memory, typically uses a normal
        Int 21/Int 28 TSR)
        Example: Jerusalem
    t - above TOM but below 640k (moves Int 12 return)
        (Reduces total memory size and free memory)
        Example: Pakistani Brain
    (above 640k)
    b - in BIOS/Video/Shadow RAM area (segment A000 - FFFF)
    e - in extended/expanded memory (above 1 Meg)
S = Spawning or companion file virus
(This type of virus creates another file on the disk which
contains the actual viral code. Example: Aids II)
T = Manipulation of the File Allocation Table (FAT)
X = Manipulation/Infection of the Partition Table
Detection Method:
This entry indicates how to determine if a program or
system has been infected by the virus. Where the virus
can be detected with a shareware, public domain, or
readily available commercial program, it is indicated.
Note that a "+" after the anti-viral product's version number
indicates that versions of the product from the indicated version
forward are applicable.
Programs referenced in the listing are:
AVTK - Dr. Solomon's Anti-Virus Toolkit <commercial>
F-PROT - Fridrik Skulason's F-Prot detector/disinfector
IBM Scan - IBM's Virus Scanning Program <commercial>
Pro-Scan - McAfee Associates' Pro-Scan Program <commercial>
VirexPC - MicroCom's VirexPC Program <commercial>
VirHunt - Digital Dispatch Inc's VirHunt Program <commercial>
ViruScan - McAfee Associates' ViruScan Program
ViruScan/X- McAfee Associates' ViruScan Program with /X switch
Removal Instructions:
Brief instructions on how to remove the virus. Where
a shareware, public domain, or readily available
commercial program is available which will remove the
virus, it is indicated. Programs referenced in the
listing are:
AntiCrim - Jan Terpstra's AntiCrime program
CleanUp - John McAfee's CleanUp universal virus
disinfector.
Note: CleanUp is only indicated for a virus
if it will disinfect the file, rather than
delete the infected file.
DOS COPY - Use the DOS COPY command to copy files from
infected non-bootable disks to newly formatted,
uninfected disks. Note: do NOT use the
DOS DISKCOPY command on boot sector infected
disks, or the new disk will also be infected!
DOS SYS - Use the DOS SYS command to overwrite the boot
sector on infected hard disks or diskettes.
Be sure you power down the system first, and
boot from a write protected master diskette,
or the SYS command will copy the infected
boot sector.
F-PROT - Fridrik Skulason's F-Prot detector/disinfector,
Version 1.07.
M-3066 - Traceback virus disinfector.
MDisk - MD Boot Virus Disinfector. Be sure to use the
program which corresponds to your DOS release.
Pro-Scan - Pro-Scan Virus Identifier/Disinfector <Commercial>.
Saturday - European generic Jerusalem virus disinfector.
Scan/D - ViruScan run with the /D option.
Scan/D/A - ViruScan run with the /D /A options.
Scan/D/X - ViruScan run with the /D /X options.
UnVirus - Yuval Rakavy's disinfector for Brain, Jerusalem,
Ping Pong, Ping Pong-B, Typo Boot, Suriv 1.01,
Suriv 2.01, and Suriv 3.00 viruses.
VirexPC - MicroCom's VirexPC Detector/Disinfector
Note: VirexPC is only indicated if it will actually
disinfect the virus, not just delete the infected
file.
VirHunt - Digital Dispatch Inc's VirHunt Detector/Disinfector
Note: VirHunt is only indicated if it will actually
disinfect the virus on all major variants.
Virus Buster - Yuval Tal's Virus Buster Detector/Disinfector
General Comments:
This field includes other information about the virus,
including but not limited to: historical information,
possible origin, possible damage the virus may cause,
and activation criteria.
-------------------------------------------------------------------------------
Virus Information Summary List
MS-DOS Virus Information
Virus Name: 382 Recovery Virus
Aliases: 382
V Status: Rare
Discovery: July, 1990
Symptoms: first 382 bytes of .COM files overwritten, system hangs,
spurious characters on system display, disk drive spinning
Origin: Taiwan
Eff Length: N/A
Type Code: ONAK - Overwriting Non-Resident .COM & .EXE Infector
Detection Method: ViruScan V66+, Pro-Scan 2.01+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The 382 Recovery Virus was isolated in July 1990 in Taiwan. It is
a non-resident generic infector of .COM and .EXE files, including
COMMAND.COM.
Each time a program infected with the 382 Recovery Virus is executed,
the virus will check the current directory for a .COM file that has
not been infected with the virus. If it finds an uninfected .COM
file, it will infect it. If the original file was less than 382 bytes
in length, the infected file will now be 382 bytes in length. Files
which were originally greater than 382 bytes in length will not show
any increase in length. Infected files always have the first 382
bytes of the file overwritten to contain the virus's code.
Once all .COM files in the current directory are infected, the next
time an infected .COM file is executed the virus will rename all .EXE
files to .COM files. These renamed files, however, may or may not
later become infected.
Symptoms of the 382 Recovery Virus being present on a file are that
the program will not execute properly. In some cases, the program will
hang upon execution requiring the system to be rebooted. In other
cases, spurious characters will appear on the system display and the
program will not run. Lastly, the system may do nothing but leave the
disk drive spinning, requiring the system to be powered off and
rebooted.
Since the first 382 bytes of infected files have been overwritten,
the infected files cannot be recovered. The original 382 bytes of
the file are permanently lost. Infected files should be deleted or
erased and replaced with backup copies known to be free of infection.
Virus Name: 405
Aliases:
V Status: Extinct
Discovery: 1987
Symptoms: .COM files fail to run, first 405 bytes of .COM files
overwritten
Origin: Austria or Germany
Eff Length: N/A
Type Code: ONC - Overwriting Non-Resident .COM Infector
Detection Method: ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan 1.4+,
VirexPC 1.1+, VirHunt 2.0+
Removal Instructions: Scan/D/X, F-Prot, or delete infected files
General Comments:
The 405 virus is an overwriting virus which infects only .COM
files in the current directory. If the length of the .COM file
was originally less than 405 bytes, the resulting infected file
will have a length of 405 bytes. This virus currently cannot
recognize .COM files that are already infected, so it will
attempt to infect them again.
The 405 Virus doesn't carry an activation date, and doesn't do
anything but replicate in the current directory. However, since
it overwrites the first 405 bytes of .COM files, infected files
are not recoverable except by replacing them from uninfected
backups or master distribution disks.
Virus Name: 512
Aliases: 512-A, Number of the Beast Virus, Stealth Virus
V Status: Rare
Discovery: November, 1989
Origin: Bulgaria
Symptoms: Program crashes, system hangs, TSR.
Eff Length: 512 Bytes
Type Code: PRCK - Parasitic Resident .COM Infector
Detection Method: ViruScan V58+, VirexPC 1.1+
Removal Instructions: CleanUp V58+
General Comments:
The 512 virus is not the same as the Original Friday The 13th COM
virus. The 512 virus was originally isolated in Bulgaria in
November, 1989, by Vesselin Bontchev. It infects .COM files,
including COMMAND.COM, installing itself memory resident when the
first infected program is run. After becoming memory resident, any
.COM file opened for any reason will become infected if its
uninfected length is at least 512 bytes.
Systems infected with the 512 virus may experience program crashes
due to unexpected errors, as well as system hangs. Damage may occur
to infected files if the system user runs CHKDSK with the /F
parameter as the length of the program in the directory entry will not
match the actual disk space used. CHKDSK will then adjust the file
allocation resulting in damaged files.
The virus's alias of "Number of the Beast" Virus is because the
author of the virus used a signature of text 666 near the end of the
virus to determine if the file is already infected. Since 512 adds
its viral code to the end of infected files, it is easy to verify
that a file is infected by the 512 virus by checking for this
signature.
Known variant(s) of the 512 Virus are:
512-B : Similar to the 512 Variant, except that the DOS version check
in the original virus has been omitted. The author's
signature of '666' has been omitted.
512-C : Similar to the 512-B Variant, minor code changes.
512-D : Similar to the 512-C Variant, except that the virus no longer
checks to see if a file has the System Attribute on it before
infecting it.
Virus Name: 646
Aliases: Vienna C
V Status: Rare
Discovery: October, 1990
Symptoms: COMMAND.COM & .COM growth
Origin: Unknown
Eff Length: 646 Bytes
Type Code: PNCK - Parasitic Non-Resident COM Infector
Detection Method: ViruScan V71+, Pro-Scan 2.01+
Removal Instructions: Pro-Scan 2.01+, Scan/D, or Delete infected files
General Comments:
The 646 Virus was discovered in October, 1990. Its origin is unknown.
This virus is a non-resident infector of .COM files, including
COMMAND.COM.
When a file infected with the 646 Virus is executed, the virus will
infect one other .COM file in the current directory. Infected files
will increase in size by 646 bytes, with the virus being located at
the end of the infected file.
Infected files can be easily identified as they will always end with
the hex string: "EAF0FFFFFF".
This virus appears to do nothing except replicate.
Virus Name: 903
Aliases:
V Status: New
Discovery: January, 1991
Symptoms: .COM file growth; TSR; System hangs
Origin: France
Eff Length: 903 Bytes
Type Code: PRsCK - Parasitic Resident COM Infector
Detection Method: ViruScan V74+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The 903 Virus was discovered in France in January, 1991. This virus is
not a particularly viable virus since replicated samples will not
further replicate. It is possible that the original sample is
corrupted. This virus infects .COM programs, including COMMAND.COM.
When the original sample of 903 is executed, this virus will install
itself memory resident as a 1,216 byte low system memory TSR. It will
hook interrupt 21. At that time, it will infect COMMAND.COM, adding
903 bytes to the beginning of the program. The following message is
then displayed:
"Fichier introuvable"
Once memory resident, this virus will infect up to three .COM programs
in the current directory if the original sample is again executed.
Later execution of infected files (other than the original) will not
result in the virus spreading to other files. The virus will also
infect files when the DOS Copy command is used, but only if the source
and target files are in the current directory.
Infected .COM programs will have a file size increase of 903 bytes,
the virus will be located at the beginning of the infected program.
The file date and time in the disk directory will not be altered by
the virus.
If 903 becomes memory resident from other than the original sample, it
will not replicate to other .COM programs. The "Fichier introuvable"
message is not displayed with other than the original sample.
Some programs may hang when they are executed on infected systems.
It is unknown if 903 does anything destructive.
Virus Name: 1008
Aliases: Suomi, Oulu
V Status: Rare
Discovery: June, 1990
Symptoms: COMMAND.COM growth, Internal Stack Errors,
System Halt on Boot
Origin: Helsinki, Finland
Eff Length: 1,008 Bytes
Type Code: PRCK - Parasitic Resident COM Infector
Detection Method: ViruScan V64+, F-Prot 1.12+, Pro-Scan 2.01+
Removal Instructions: Scan/D, F-Prot 1.12+, Pro-Scan 2.01+,
or delete infected files
General Comments:
The 1008 Virus was discovered in June, 1990 by Petteri Jarvinen of
Helsinki, Finland. It is a memory resident .COM infector, and will
infect COMMAND.COM. This virus is also sometimes referred to as
the Suomi Virus.
The first time a program infected with the 1008 virus is executed,
the virus will install itself memory resident. COMMAND.COM is also
infected at this time, resulting in its length increasing by 1,008
Bytes. The increase in file size of COMMAND.COM cannot be seen by
doing a directory listing if the virus is present in memory.
Booting a system with an infected copy of COMMAND.COM may result in
an internal stack error, and the system being halted. This effect
was noted on the author's test machine which is a 640K XT-clone
running Microsoft MS-DOS Version 3.30.
After the virus is memory resident, it will infect any .COM file which
is executed, adding 1,008 bytes to the file length. The file length
increase cannot be seen by doing a directory listing if the virus is
present in memory.
Virus Name: 1210
Aliases: Prudents Virus
V Status: Rare
Discovery: December, 1989
Symptoms: .EXE growth, disk write failure, TSR
Origin: Spain
Eff Length: 1,210 Bytes
Type Code: PRE - Parasitic Resident .EXE Infector
Detection Method: ViruScan V61+, Pro-Scan 1.4+, F-Prot 1.12+, VirHunt 2.0+
Removal Instructions: Scan/D, F-Prot 1.12+, VirHunt 2.0+,
or delete infected files
General Comments:
The 1210, or Prudents Virus, was first isolated in Barcelona, Spain,
in December 1989. The 1210 is a memory resident virus, infecting
.EXE files when they are executed.
This virus activates between May 1st and May 4th of any year,
causing disk writes to be changed to disk verifies, so writes to
the disk never occur between these dates.
Virus Name: 1226
Aliases: V1226
V Status: Rare
Discovery: July 1990
Symptoms: .COM growth, decrease in system and free memory, system hangs,
spurious characters displayed in place of program executing,
disk drive spinning
Origin: Bulgaria
Eff Length: 1,226 Bytes
Type Code: PRhC - Parasitic Resident .COM Infector
Detection Method: ViruScan V66+, Pro-Scan 2.01+
Removal Instructions: Scan/D, or delete infected files
General Comments:
The 1226 Virus was isolated in Bulgaria in July 1990 by Vesselin
Bontchev. This virus is a memory resident generic .COM infector,
though it does not infect COMMAND.COM. The 1226 Virus is a self-
encrypting virus, and simple search string algorithms will not work
to detect its presence on a system.
The first time a program infected with the 1226 virus is executed,
the virus will install itself memory resident, reserving 8,192 bytes
of memory at the top of free memory. Interrupt 2A will be hooked.
Once 1226 is memory resident, the virus will attempt to infect any
.COM file that is executed that is at least 1,226 bytes in length
before infection. The virus is rather "buggy" and the infection
process is not always entirely successful. Successfully infected
files will increase in length by 1,226 bytes.
This virus will infect .COM files multiple times, as it is unable to
determine that the file is already infected. Each time the file
is infected it will grow in length by another 1,226 bytes. Eventually,
the .COM files will grow too large to fit into memory.
Systems infected with the 1226 virus may experience unexpected system
hangs when attempting to execute programs. Another effect is that
instead of a program executing, a line or two of spurious characters
will appear on the system display. Lastly, infected systems will always
indicate that they have 8,192 less bytes of total system and free
memory available than is actually on the machine.
There are two later versions of this virus, 1226D and 1226M, which are
much better replicators than the original 1226 virus. These two
variants are documented as 1226D in this document due to their
different characteristics.
Also see: 1226D
Virus Name: 1226D
Aliases: V1226D
V Status: Rare
Discovery: July 1990
Symptoms: .COM growth, decrease in system and free memory
Origin: Bulgaria
Eff Length: 1,226 Bytes
Type Code: PRhC - Parasitic Resident .COM Infector
Detection Method: ViruScan V66+, Pro-Scan 2.01+
Removal Instructions: Scan/D, or delete infected files
General Comments:
The 1226D Virus was isolated in Bulgaria in July 1990 by Vesselin
Bontchev. This virus is a memory resident generic .COM infector,
though it does not infect COMMAND.COM. The 1226D Virus is a self-
encrypting virus, and simple search string algorithms will not work
to detect its presence on a system.
The 1226D Virus is based on the 1226 Virus; in fact, it is a decrypted
version of the 1226 Virus. It is a better replicator, infecting
successfully on file opens as well as when .COM files are executed.
The first time a program infected with the 1226 virus is executed,
the virus will install itself memory resident, reserving 8,192 bytes
of memory at the top of free memory. Total system and free memory
are decreased by 8,192 bytes. Interrupt 2A will be hooked.
Once 1226 is memory resident, the virus will attempt to infect any
.COM file that is executed that is at least 1,226 bytes in length
before infection. Infected files will increase in length by 1,226
bytes. As with the original 1226 Virus, a .COM file may be infected
multiple times by the 1226D Virus as the virus is unable to determine
that the file was previously infected. Each infection will result in
another 1,226 bytes being added to the infected file's length.
Eventually, the .COM files will grow too large to fit into memory.
In addition to infecting .COM files when they are executed, the 1226D
Virus will infect .COM files with a length of at least 1,226 bytes
when they are opened for any reason. The simple act of copying a
.COM file with the virus memory resident will result in both the
source and target files being infected.
Unlike the 1226 Virus, systems infected with the 1226D virus will not
experience the system hangs or spurious characters symptomatic of the
1226 virus. Infected systems will still indicate that they have 8,192
bytes less of total system memory than is installed on the machine.
Known variant(s) of 1226D are:
1226M/V1226M : Similar to the 1226D virus, except that files are not
infected on file open, only when they are executed.
Also see: 1226
Virus Name: 1253
Aliases: AntiCad, V-1
V Status: Rare
Discovery: August, 1990
Symptoms: TSR; BSC; COMMAND.COM & .COM file growth; partition table change
Origin: Austria
Eff Length: 1,253 Bytes
Type Code: PRsBCKX - Parasitic Resident .COM & Partition Table Infector
Detection Method: ViruScan V66+, Pro-Scan 2.01+
Removal Instructions: Pro-Scan 2.01+, Scan/D plus MDisk/P
General Comments:
The 1253 Virus was submitted in August 1990. It is believed to have
originated in (or at least to have been first isolated in) Austria.
1253 is a generic infector of .COM files, including COMMAND.COM.
It also infects the boot sector of diskettes and the partition table
of hard disks.
The first time a program infected with the 1253 Virus is executed, the
virus will install itself memory resident as a low system memory TSR.
The TSR will be 2,128 bytes in length, hooking interrupts 08, 13, 21,
and 60. Total system memory will remain unchanged, and free memory
will decrease by 2,128 bytes. At this time, the partition table of
the system's hard disk is infected with the 1253 virus. If the
infected program was executed from a diskette, the diskette's boot
sector will also be infected.
Each time a .COM file is executed with the virus resident in memory,
the .COM file will be infected if it hasn't previously been infected.
The 1253 Virus appends its viral code to the end of the .COM file, and
then changes the first few bytes of the program to be a jump to the
appended code. Infected files increase in length by 1,253 bytes, and
the virus makes no attempt to hide the increase when the directory
is displayed. Infected files will also have their fourth through sixth
bytes set to "V-1" (hex 562D31).
Any diskettes which are accessed while the virus is present in memory
will have their boot sector infected with this virus. Newly formatted
diskettes, likewise, will be infected immediately.
The 1253 virus is destructive when it activates. The author of this
listing was able to get it to activate by setting the system date to
December 24 and then executing an infected program on drive A:. The
virus promptly went and overwrote the entire diskette in drive
A: with a pattern of 9 sectors of what appears to be a program
fragment. Once the virus has started to overwrite a diskette, the
only way to stop the disk activity is to power off the system.
The virus in the partition table and/or diskette boot sector is of
special note. When the system is booted from the hard disk or diskette
with the virus in the partition table or boot sector, the virus will
install itself memory resident. At this time, the virus resides above
the top of system memory but below the 640K DOS boundary. The change
in total system memory and available free memory will be 77,840 bytes.
It can be seen with the CHKDSK command. At this time, any .COM program
executed will be infected with the 1253 virus, even though no programs
on the hard disk may contain this virus before the system boot occurred.
One effect of this virus, once the system has been booted from an
infected hard drive or floppy is that the FORMAT command may result
in unexpected disk activity to inactive drives. For example, on the
author's system, when formatting a diskette in drive A: with the
current drive being drive C:, there was always disk activity to drive
B:.
Disinfecting the 1253 virus requires that, besides disinfecting or
deleting infected .COM programs, the hard disk's partition table and the
boot sector of any diskettes exposed to the infected system must be
disinfected. The virus can be removed safely from the partition table
and diskette boot sectors by using MDisk with the /P option after
powering off the system and rebooting from a write-protected uninfected
boot diskette. If the partition table and diskette boot sectors are
not disinfected, the system will promptly experience reinfection of
.COM files with the virus following a system boot from the hard disk
or diskette. Disinfecting the partition table and boot sectors, when
done properly, will also result in the system's full memory again being
available.
It is unknown if there are other activation dates for this virus, or
if it will overwrite the hard disk if an infected program is executed
on December 24 from the hard disk.
Virus Name: 1260
Aliases: V2P1
V Status: Research
Discovery: January, 1990
Symptoms: .COM file growth
Origin: Minnesota, USA
Eff Length: 1,260 Bytes
Type Code: PNC - Parasitic Encrypting Non-Resident .COM Infector
Detection Method: ViruScan V57+, IBM Scan, Pro-Scan 1.4+, F-Prot 1.12+,
AVTK 3.5+, VirHunt 2.0+
Removal Instructions: CleanUp V57+, Pro-Scan 1.4+, F-Prot 1.12+, VirHunt 2.0+
General Comments:
The 1260 virus was first isolated in January, 1990. This
virus does not install itself resident in memory, but it is
extremely virulent at infecting .COM files. Infected files
will have their length increased by 1,260 bytes, and the
resulting file will be encrypted. The encryption key changes
with each infection which occurs.
The 1260 virus is derived from the original Vienna Virus, though
it is highly modified.
This virus was developed as a research virus by Mark Washburn, who
wished to show the anti-viral community why identification string
scanners do not work in all cases. The encryption used in 1260 is
one of many possible cases of the encryption which may occur with
Washburn's later research virus, V2P2.
Also see: V2P2, V2P6, V2P6Z
Virus Name: 1381 Virus
Aliases:
V Status: Rare
Discovery: June, 1990
Symptoms: .EXE growth
Origin:
Eff Length: 1,381 Bytes
Type Code: PNE - Parasitic Non-Resident .EXE Infector
Detection Method: ViruScan V64+, Pro-Scan 2.01+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The 1381 Virus was isolated in June, 1990. It is a non-resident
generic .EXE infector.
Each time a program infected with the 1381 Virus is executed, the
virus will attempt to infect one other .EXE file on the current
drive. An .EXE file will only be infected if it is greater than
1,300 bytes in length before infection. After infection, files
will have increased in length by between 1,381 and 1,389 bytes.
The virus can be found at the end of infected files. Infected
files will also contain the following text strings:
"INTERNAL ERROR 02CH.
PLEASE CONTACT YOUR HARDWARE MANUFACTURER IMMEDIATELY !
DO NOT FORGET TO REPORT THE ERROR CODE !"
It is currently unknown what the 1381 Virus does, or what prompts
it to display the above message.
Virus Name: 1392
Aliases: Amoeba Virus
V Status: Rare
Discovery: March, 1990
Symptoms: TSR, .COM & .EXE growth, dates modified
Origin: Indonesia
Eff Length: 1,392 Bytes
Type Code: PRA - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan V61+, VirexPC 1.1+, F-Prot 1.12+, VirHunt 2.0+
Removal Instructions: Scan/D, F-Prot 1.12+, VirHunt 2.0+,
or delete infected files
General Comments:
The 1392, or Amoeba, Virus was first isolated in Indonesia in
March 1990. The 1392 virus is a memory resident virus that infects
.COM and .EXE files, including COMMAND.COM. As files are infected,
their creation/modification date is changed to the date the files
were infected.
This virus does not appear to cause any destructive damage.
The following message appears in the virus, which is where its
alias of Amoeba was derived from:
"SMA KHETAPUNK - Nouvel Band A.M.O.E.B.A"
Virus Name: 1554
Aliases: Ten Bytes, 9800:0000 Virus, V-Alert, 1559
V Status: Rare
Discovery: February, 1990
Symptoms: .COM & .EXE growth, TSR, linkage corruption, system hang
Origin:
Eff Length: 1,554 Bytes
Type Code: PRfAK - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan V58+, IBM Scan, Pro-Scan 1.4+, VirexPC 1.1+,
AVTK 3.5+, F-Prot 1.12+, VirHunt 2.0+
Removal Instructions: Scan/D, F-Prot 1.12+, VirHunt 2.0+, Pro-Scan 2.01+
General Comments:
The 1554 virus was accidentally sent out over the VALERT-L network
on February 13, 1990 to approximately 600 subscribers. When a
program is executed that is infected with the 1554 virus, the
virus installs itself memory resident. It will then proceed to
infect .COM files over 1,000 bytes in length and .EXE files over 1,024 bytes
in length, including COMMAND.COM, increasing their length after
infection by 1,554 to 1,569 bytes.
The 1554 virus activates in September, October, November, or
December of any year. Upon activation, any files which are written
will be missing the first ten bytes. At the end of these files,
ten bytes of miscellaneous characters will appear. In effect, both
programs and data files will be corrupted.
If the 1554 Virus is executed on a system with less than 640K of
system memory, the virus will hang the system.
Virus Name: 1575
Aliases: 1577, 1591
V Status: New
Discovery: January, 1991
Symptoms: .COM & .EXE growth; decrease in total system & available memory;
Sluggishness of DIR commands; file date/time changes
Origin: Taiwan
Isolated: Ontario, Canada
Eff Length: 1,575 Bytes
Type Code: PRfAk - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan V74+
Removal Instructions: Scan/D, Clean-Up V74+, or Delete infected files
General Comments:
The 1575 virus was first isolated in Ontario, Canada, in January, 1991.
This virus has been widely reported, and is believed to be from the Far
East, probably Taiwan. It is a memory resident infector of .COM and
.EXE files, and will infect COMMAND.COM.
When the first program infected with the 1575 Virus is executed, the
virus will install itself memory resident in 1,760 to 1,840 bytes at
the top of system memory, but below the 640K DOS boundary. This
memory is not reserved, and may be overwritten later by another
program. Interrupt 21 will be hooked by the virus. COMMAND.COM on
the system C: drive root directory will also be infected at this
time.
Once the 1575 Virus is memory resident, it will infect one .COM and
one .EXE program on the current drive whenever a DOS Dir or Copy
command is executed. This virus does not spread when programs are
executed.
Infected files will have their file date and time in the DOS directory
updated to the system date and time when the infection occurred.
Their file lengths will also show an increase of between 1,577 and
1,591 bytes. This virus will be located at the end of infected files.
It is not known if 1575 does anything besides replicate.
Known variant(s) of the 1575 Virus are:
1575-B : This variant is functionally similar to the 1575 Virus
described above. The major difference is that this variant
reserves the memory it occupies at the top of system memory,
though the interrupt 12 return is not moved.
Virus Name: 1605
Aliases:
V Status: Rare
Discovery: September, 1990
Symptoms: .COM & .EXE growth; TSR; system slowdown
Origin: Unknown
Eff Length: 1,605 Bytes
Type Code: PRsA - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan V67+, Pro-Scan 2.01+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The 1605 Virus was uploaded to John McAfee's Homebase BBS by an
anonymous user in September, 1990. The origin of this virus is
unknown. The 1605 Virus is a memory resident infector of .COM
and .EXE files, and it does not infect COMMAND.COM. It is based
roughly on the Jerusalem B Virus.
The first time a program infected with the 1605 Virus is executed,
the virus will install itself memory resident as a low system memory
TSR of 1,728 bytes. Interrupts 13 and 21 will be hooked by the
virus. At this time, the system will slow down by approximately
15-20%.
After becoming memory resident, any .COM or .EXE file executed will
be infected by the virus. .COM files will increase in size by
1,605 bytes in all cases with the virus's code being located at the
beginning of the file. .EXE files will increase in size by between
1,601 and 1,610 bytes with the virus's code being located at the
end of the infected file.
Other than replicating, it is unknown if this virus carries any
damage potential.
Virus Name: 1704 Format
Aliases:
V Status: Rare
Discovery: January, 1989
Symptoms: TSR, Falling letters, .COM growth, formatted disk
Origin:
Eff Length: 1,704 Bytes
Type Code: PRC - Parasitic Encrypting Resident .COM Infector
Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC,
AVTK 3.5+, VirHunt 2.0+
Removal Instructions: CleanUp, Scan/D, F-Prot, Pro-Scan, VirexPC, VirHunt 2.0+
General Comments:
Like the Cascade Virus, but the disk is formatted when the
virus activates. Activation occurs during the months of
October, November, and December of any year except 1993.
Virus Name: 1720
Aliases: PSQR Virus
V Status: Rare
Discovery: March, 1990
Symptoms: TSR, .COM & .EXE growth, partition table damage on activation,
programs on diskette deleted on Friday The 13ths
Origin: Spain
Eff Length: 1,720 Bytes
Type Code: PRsA - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan V61+, VirexPC 1.1+, F-Prot 1.12+, VirHunt 2.0+,
Pro-Scan 2.01+
Removal Instructions: Scan /D, VirHunt 2.0+, or delete infected files
General Comments:
The 1720, or PSQR Virus, is a variant of the Jerusalem Virus which
was first isolated in Barcelona, Spain, in March 1990. This virus
infects .COM and .EXE files, though unlike Jerusalem, it does not
infect Overlay files. COMMAND.COM will also not be infected.
The first time an infected file is executed, the virus will install
itself memory resident, and then infect each executable file as it
is run.
On Friday The 13ths, the 1720 Virus will activate the first time an
infected program is executed. When the program is executed, it will
be deleted from disk. More damaging, however, is that the 1720 virus
will check to see if the system has a hard disk drive. If a hard
disk drive is present, the virus will overwrite the boot sector and
partition table resulting in all data on the hard disk becoming
unavailable. The system will also appear to hang.
Virus Name: 4096
Aliases: Century Virus, FroDo, IDF Virus, Stealth Virus, 100 Years Virus
V Status: Common
Discovery: January, 1990
Symptoms: .COM, .EXE, & overlay file growth; TSR hides growth; crosslinks;
corruption of data files
Origin: Israel
Eff Length: 4,096 Bytes
Type Code: PRsA - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan V53+, F-Prot, IBM Scan, Pro-Scan, VirexPC 1.1+,
AVTK 3.5+, VirHunt 2.0+
Removal Instructions: CleanUp V62+, Pro-Scan 1.4+, F-Prot, VirHunt 2.0+,
or see note below
General Comments:
The 4096 virus was first isolated in January, 1990. This virus
is considered a Stealth virus in that it is almost invisible
to the system user.
The 4096 virus infects .COM, .EXE, and Overlay files, adding
4,096 bytes to their length. Once the virus is resident in
system memory, the increase in length will not appear in a
directory listing. Once this virus has installed itself into
memory, it will infect any executable file that is opened,
including if it is opened with the COPY or XCOPY command.
This virus is destructive to both data files and executable
files, as it very slowly crosslinks files on the system's
disk. The crosslinking occurs so slowly that it appears there
is a hardware problem, the virus being almost invisible. The
crosslinking of files results from the virus manipulating
the FATs and changing the number of available sectors, and also
from the user running CHKDSK /F while the virus is in memory,
since CHKDSK will then believe that files have lost sectors or
are cross-linked.
As a side note, if the virus is present in memory and you
attempt to copy infected files, the new copy of the file will
not be infected with the virus if the new copy does not have
an executable file extension. Thus, one way to disinfect
a system is to copy off all the infected files to diskettes with a
non-executable file extension (i.e., do not use .EXE, .COM, .SYS, etc.)
while the virus is active in memory, then power off the system
and reboot from a write protected (uninfected) system disk.
Once rebooted and the virus is not in memory, delete the
infected files and copy back the files from the diskettes to the
original executable file names and extensions.
The above will disinfect the system, if done correctly, but
will still leave the problem of cross-linked files which are
permanently damaged.
On or after September 22 of any year, the 4096 virus will hang
infected systems. This appears to be a "bug" in the virus in that
it goes into a time consuming loop.
The 4096 virus also contains a boot-sector within its code, however,
it is never written out to the disk's boot sector. Moving this
boot sector to the boot sector of a diskette and rebooting the
system will result in the message "FRODO LIVES" being displayed.
September 22 is Bilbo and Frodo Baggins' birthday in the Lord Of
The Rings trilogy.
An important note on the 4096 virus: this virus will also infect some
data files. When this occurs, the data files will appear to be fine
on infected systems. However, after the system is later disinfected,
these files will now be corrupted and unpredictable results may occur.
Known variant(s) of the 4096 virus include:
4096-B : Similar to the 4096 virus, the main change is that the
encryption mechanism has been changed in order to avoid
detection.
4096-C : Isolated in January, 1991, this variant of 4096 is similar
to the original virus. The major difference is that the
DOS ChkDsk command will not show any cross-linking of files
or lost clusters. A symptom of infection by this variant
is that the disk space available according to a DIR command
will be more than the disk space available according to the
DOS ChkDsk program.
Virus Name: 4870 Overwriting
Aliases:
V Status: New
Discovery: February, 1991
Origin: Unknown
Symptoms: Programs fail to execute; Program corruption
Eff Length: 4,870 Bytes
Type Code: ONAK - Overwriting Non-Resident .COM & .EXE Infector
Detection Method:
Removal Instructions: Delete infected files
General Comments:
The 4870 Overwriting Virus was isolated in February, 1991. Its origin
or isolation point is not known. This virus is a non-resident direct
action virus that infects .COM and .EXE programs, including
COMMAND.COM.
When a program infected with the 4870 Overwriting Virus is executed,
the virus will search the current directory for an uninfected .COM or
.EXE file. The first such uninfected file located will be infected
by the virus. Infected programs will have the first 4,870 bytes of
the candidate program overwritten by the virus. If the program's
original length was 4,870 bytes or more, there will be no increase in
the file length in the DOS directory. If the program's original
length was less than 4,870 bytes, then the program's length in the DOS
directory will now be 4,870 bytes. The file's date and time in the
directory will not be altered.
Programs infected with the 4870 Overwriting Virus will not execute
properly. Once the virus has checked for a program to infect, and infected
the candidate program if one was found, the virus will terminate and
return the user to a DOS prompt.
A side note on this virus: the virus itself is compressed with the
LZEXE utility, which accounts for much of the 4,870 bytes of viral code.
Programs infected with this virus will have the markers of LZEXE version
.91 found in the first 4,870 bytes of the infected program.
It is not possible to disinfect programs infected with the 4870
Overwriting Virus as the first 4,870 bytes of the original program
are lost. Infected programs must be deleted or erased, then replaced
with clean copies.
Virus Name: 5120
Aliases: VBasic Virus, Basic Virus
V Status: Rare
Discovery: May, 1990
Origin: West Germany
Symptoms: .COM & .EXE growth, file corruption, unexpected disk activity
Eff Length: 5,120 Bytes
Type Code: PNAK - Parasitic Non-Resident .COM & .EXE Infector
Detection Method: ViruScan/X V67+, Pro-Scan 1.4+, F-Prot 1.12+
Removal Instructions: Scan/D/X, Pro-Scan 1.4+, F-Prot 1.12+, Pro-Scan 2.01+,
or Delete infected files
General Comments:
The 5120 Virus was first isolated in May, 1990. It is a non-
resident generic file infector, infecting .COM and .EXE files,
including COMMAND.COM. This virus was written in compiled Turbo
Basic with some assembly language.
When an infected file is executed, the 5120 virus will infect one
.COM and one .EXE file on the current drive and directory, followed
by attempting to infect one randomly selected .COM or .EXE file in
each directory on the system's C: drive. Infected .COM files increase
in length by 5,120 bytes. .EXE files infected by the 5120 Virus will
increase in length by between 5,120 and 5,135 bytes.
Unlike most of the MS-DOS viruses, the 5120 Virus does not intercept
disk write errors when attempting to infect programs. Thus, infected
systems may notice disk write error messages when no access should be
occurring for a drive, such as the C: hard disk partition.
Data files may become corrupted on infected systems, and
crosslinking of files may occur.
The following text strings can be found in files infected with the
5120 virus. These strings will appear near the end of the file:
"BASRUN"
"BRUN"
"IBMBIO.COM"
"IBMDOS.COM"
"COMMAND.COM"
"Access denied"
There is one variant of the 5120 Virus which does not contain the
above strings, but behaves in a very similar manner. This second
variant is not indicated here as the author does not have a copy.
Virus Name: AIDS
Aliases: Hahaha, Taunt, VGA2CGA
V Status: Endangered
Discovery: 1989
Symptoms: Message, .COM file corruption
Origin:
Eff Length: N/A
Type Code: ONC - Overwriting Non-Resident .COM Infector
Detection Method: ViruScan/X V67+, Pro-Scan, VirexPC 1.1+, AVTK 3.5+
Removal Instructions: Scan/D/X, or delete infected .COM files
General Comments:
The AIDS virus, also known as the Hahaha virus in Europe and
referred to as the Taunt virus by IBM, is a generic .COM and
.EXE file infector. When the virus activates, it displays the
message "Your computer now has AIDS", with AIDS covering
about half of the screen. The system is then halted, and
must be powered down and rebooted to restart it. Since this
virus overwrites the first 13,952 bytes of the executable program, the
files must be deleted and replaced with clean copies in order
to remove the virus. It is not possible to recover the
overwritten portion of the program.
Note: this is NOT the Aids Info Disk/PC Cyborg Trojan.
Known variant(s) of Aids are:
Aids B : Very similar to the original Aids Virus, this variant is also
13,952 bytes in length. Unlike the original virus, it will
only infect .COM files, as well as COMMAND.COM, and does not
activate as the original virus did. Instead, this variant
will occasionally issue the following error message:
"I/O error 99, PC=2EFD
Program aborted".
This variant was received in January, 1991, origin unknown.
Virus Name: Aids II Virus
Aliases: Companion Virus
V Status: Endangered
Discovery: April, 1990
Symptoms: Creates .COM files, melody, message
Origin:
Eff Length: 8,064 Bytes
Type Code: SNA - Spawning Non-Resident .COM & .EXE Infector
Detection Method: ViruScan/X V67+, Pro-Scan 1.4+
Removal Instructions: Scan/D/X, or delete corresponding .COM files
General Comments:
The Aids II Virus, or Companion Virus, was isolated for the first
time in April 1990. Unlike other generic file infectors, the
Aids II Virus is the first known virus to employ what could be
termed a "corresponding file technique" of infection so that the
original target .EXE file is never changed. The virus takes
advantage of the DOS feature where if a program exists in both
.COM and .EXE form, the .COM file will be executed.
The Aids II Virus does not directly infect .EXE files, instead it
stores a copy of the virus in a corresponding .COM file which will
be executed when the user tries to execute one of his .COM files.
The .EXE file, and the .COM file containing the viral code will
both have the same base file name.
The method of infection is as follows: when an "infected"
program is executed, since a corresponding .COM file exists, the
.COM file containing the viral code is executed. The virus
first locates an uninfected .EXE file in the current directory and
creates a corresponding (or companion) .COM file with the viral
code. These .COM files will always be 8,064 Bytes in length with
a file date/time of the date/time of infection. The .EXE file is
not altered at all. After creating the new .COM file, the virus
then plays a melody and displays the following message, the "*"
indicated below actually being ANSI heart characters:
"Your computer is infected with ...
* Aids Virus II *
- Signed WOP & PGT of DutchCrack -"
The Aids II Virus then spawns the .EXE file that the user was attempting
to execute, and the program runs without problem. After
completion of the program, control returns to the Aids II Virus.
The melody is played again with the following message displayed:
"Getting used to me?
Next time, use a Condom ....."
Since the original .EXE file remains unaltered, CRC checking
programs cannot detect this virus having infected a system.
One way to manually remove the Aids II Virus is to check the
disk for programs which have both a .EXE and a .COM file, with
the .COM file having a length of 8,064 bytes. The .COM files
thus identified should be erased.
The displayed text strings do not appear in the viral code.
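The manual removal check above (find every base name that has both a .EXE and a .COM, where the .COM is 8,064 bytes) is easy to automate, and is the right kind of check here because the .EXE itself is never modified, so a CRC of the .EXE alone shows nothing. The following Python script is an added example, not a tool from this listing or from any of the scanners it names; the function names, the sample directory listing and its file sizes (other than the 8,064-byte companion length) are constructed for illustration. It goes slightly beyond the entry by also listing every other .COM that shadows a same-named .EXE, since DOS will run that .COM first regardless of its size.

```python
"""Companion-file check for the Aids II (Companion) virus.

Added example, not a tool from the listing. It implements the manual removal
check described in the entry: look for base names that have both a .EXE and a
.COM in the same directory where the .COM is exactly 8,064 bytes. Other .COM
files that shadow a same-named .EXE are reported too, for manual review.
"""
import os
import tempfile
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

AIDS_II_COMPANION_SIZE = 8064  # length of every Aids II companion .COM (from the entry)

# (com_name, exe_name, com_size, size_matches_aids_ii)
Pair = Tuple[str, str, int, bool]


def find_companions(entries: Iterable[Tuple[str, int]],
                    companion_size: int = AIDS_II_COMPANION_SIZE) -> List[Pair]:
    """Given (file name, size) pairs from one directory, return every .COM that
    sits beside a same-named .EXE. The flag is True when the .COM has the
    Aids II companion length; other pairs are still listed for review."""
    by_stem: Dict[str, Dict[str, Tuple[str, int]]] = defaultdict(dict)
    for name, size in entries:
        stem, ext = os.path.splitext(name)
        ext = ext.lower()
        if ext in (".com", ".exe"):
            by_stem[stem.lower()][ext] = (name, size)
    pairs: List[Pair] = []
    for files in by_stem.values():
        if ".com" in files and ".exe" in files:
            com_name, com_size = files[".com"]
            exe_name, _ = files[".exe"]
            pairs.append((com_name, exe_name, com_size, com_size == companion_size))
    return sorted(pairs)


def companions_to_erase(entries: Iterable[Tuple[str, int]]) -> List[str]:
    """The .COM names the manual procedure says to erase: exact-length matches only."""
    return [com for com, _exe, _size, match in find_companions(entries) if match]


def scan_directory(path: str) -> List[Pair]:
    """Build the (name, size) listing of one directory and run the check on it."""
    with os.scandir(path) as it:
        entries = [(e.name, e.stat().st_size) for e in it if e.is_file()]
    return find_companions(entries)


# Constructed directory listing; sizes are made up except the 8,064-byte companions.
SAMPLE_LISTING = [
    ("WP.EXE", 120000), ("WP.COM", 8064),        # companion present
    ("EDIT.EXE", 50000), ("EDIT.COM", 8064),     # companion present
    ("LIST.EXE", 30000), ("LIST.COM", 4000),     # .COM shadows .EXE but is not Aids II length
    ("FORMAT.COM", 22923), ("README.TXT", 100),  # no same-named .EXE / not a program
]

if __name__ == "__main__":
    # Recreate the constructed listing on disk (zero-filled files of the right size) and scan it.
    with tempfile.TemporaryDirectory() as tmp:
        for name, size in SAMPLE_LISTING:
            with open(os.path.join(tmp, name), "wb") as f:
                f.write(b"\x00" * size)
        for com, exe, size, match in scan_directory(tmp):
            verdict = "Aids II companion length" if match else "review manually"
            print(f"{com:12s} beside {exe:12s} {size:6d} bytes  {verdict}")
        print("erase:", companions_to_erase(SAMPLE_LISTING))
```

The check is deliberately split into a pure function over a (name, size) listing and a thin directory walker, so the same logic can be run over a directory listing captured from an infected machine without mounting its disk.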
Virus Name: AirCop
Aliases:
V Status: Rare
Discovery: July, 1990
Isolated: Washington, USA
Symptoms: BSC; System Halt; Message; decrease in system and free memory
Origin: Taiwan
Eff Length: N/A
Type Code: FR - Resident Floppy Boot Sector Infector
Detection Method: ViruScan V66+, Pro-Scan 2.01+
Removal Instructions: MDisk or DOS SYS command
General Comments:
The AirCop Virus was discovered in the State of Washington in the
United States in July, 1990. Some early infections of this virus,
however, have been traced back to Taiwan, and Taiwan is probably where
it originated. AirCop is a boot sector infector, and it will only
infect 360K 5.25" floppy diskettes.
When a system is booted from a diskette which is infected with the
AirCop virus, the virus will install itself memory resident. The
AirCop Virus installs itself memory resident at the top of high system
memory. The system memory size and available free memory will
decrease by 1,024 bytes when the AirCop virus is memory resident.
AirCop hooks interrupt 13.
Once AirCop is memory resident, any non-write protected diskettes
which are then accessed will have their boot sector infected with
the AirCop virus. AirCop will copy the original disk boot sector
to sector 719 (Side 1, Cyl 39, Sector 9 on a normal 360K 5.25"
diskette) and then replace the boot sector at sector 0 with a copy
of the virus. If a boot sector of a diskette infected with the
AirCop virus is viewed, it will be missing almost all of the messages
which normally appear in a normal boot sector. The only message
remaining will be:
"Non-system..."
This will be located just before the end of the boot sector.
The AirCop Virus will do one of two things on infected systems,
depending on how compatible the system's software and hardware are
with the virus. On most systems, the virus will display the following
message at random intervals:
"Red State, Germ Offensive.
AIRCOP."
On other systems, the virus being present will result in the system
receiving a Stack Overflow Error and the system being halted. In this
case, you must power off the system in order to be able to reboot.
AirCop currently does not infect hard disk boot sectors or partition
tables.
AirCop can be removed from infected diskettes by first powering
off the system and rebooting from a known clean write protected
DOS master diskette. The DOS SYS command should then be used to
replace the infected diskette's boot sector. Alternately, MDisk
can be used following the power-down and reboot.
Virus Name: Akuku
Aliases:
V Status: New
Discovery: January, 1991
Symptoms: .COM & .EXE growth; "Error in EXE file" message;
Unexpected drive accesses
Origin: USSR
Eff Length: 891 Bytes
Type Code: PNAK - Parasitic Non-Resident .COM & .EXE Infector
Detection Method: ViruScan V74+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The Akuku Virus was isolated in January, 1991, and comes from the
USSR. This virus is a non-resident direct action infector of .COM and
.EXE files, including COMMAND.COM.
When a program infected with Akuku is executed, the virus will infect
three programs in the current directory. If three uninfected programs
cannot be found in the current directory, the virus will search the
disk directory of the current drive, as well as of the C: drive.
Both .COM and .EXE programs may become infected, as well as COMMAND.COM.
Programs smaller than 1K will not be infected by this virus. Infected
programs will increase in length by 891 to 907 bytes; the virus will be
located at the end of the infected file. The file date and time in the
disk directory will not be altered by the virus.
The following text string is contained within the virus's code, and
can be found in all infected programs:
"A kuku, Nastepny komornik !!!"
Some .EXE programs will fail to execute properly after infection by the
Akuku Virus. These programs may display an "Error in EXE file"
message and terminate when the user attempts to execute them.
Virus Name: Alabama
Aliases:
V Status: Endangered
Discovery: October, 1989
Symptoms: .EXE growth, Resident (see text), message, FAT corruption
Origin: Israel
Eff Length: 1,560 bytes
Type Code: PRfET - Parasitic Resident .EXE infector
Detection Method: ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, AVTK 3.5+,
VirHunt 2.0+
Removal Instructions: CleanUp, F-Prot, Pro-Scan 1.4+, Scan/D/X, VirHunt 2.0+,
or delete infected files
General Comments:
The Alabama virus was first isolated at Hebrew University in
Israel by Ysrael Radai in October, 1989. Its first known
activation was on October 13, 1989. The Alabama virus will
infect .EXE files, increasing their size by 1,560 bytes. It
installs itself memory resident when the first program infected
with the virus is executed, however it doesn't use the normal
TSR function. Instead, this virus hooks Int 9 as well as making
use of IN and OUT commands. When a CTL-ALT-DEL combination is
detected, the virus causes an apparent boot but remains in RAM.
The virus loads itself 30K under the highest memory location
reported by DOS, and does not lower the amount of memory
reported by BIOS or DOS.
After the virus has been memory resident for one hour, the
following message will appear in a flashing box:
"SOFTWARE COPIES PROHIBITED BY INTERNATIONAL LAW..............
Box 1055 Tuscambia ALABAMA USA."
The Alabama virus uses a complex mechanism to determine whether
or not to infect the current file. First, it checks to see if
there is an uninfected file in the current directory, if there
is one it infects it. Only if there are no uninfected files
in the current directory is the program being executed
infected. However, sometimes instead of infecting the
uninfected candidate file, it will instead manipulate the FATs
to exchange the uninfected candidate file with the currently
executed file without renaming it, so the user ends up thinking
he is executing one file when in effect he is actually
executing another one. The end result is that files are
slowly lost on infected systems. This file swapping occurs
when the virus activates on ANY Friday.
Virus Name: Alameda
Aliases: Merritt, Peking, Seoul, Yale
V Status: Rare
Discovery: 1987
Symptoms: Floppy boot failures, Resident-TOM, BSC
Origin: California, USA
Eff Length: N/A
Type Code: RtF - Resident Floppy Boot Sector Infector
Detection Method: ViruScan, F-Prot, IBM Scan, AVTK 3.5+, VirHunt 2.0+
Removal Instructions: MDisk, CleanUp, F-Prot, or DOS SYS
General Comments:
The Alameda virus was first discovered at Merritt college in
Alameda, California in 1987. The original version of this virus
caused no intentional damage, though there is now at least one
variant of this virus that causes floppy disks to become
unbootable after a counter has reached its limit (the Alameda-C
virus).
The Alameda virus, and its variants, all replicate when the
system is booted with a CTL-ALT-DEL and infect only 5 1/4"
360K diskettes. These viruses do stay in memory through a warm
reboot, and will infect both system and non-system disks.
System memory can be infected on a warm boot even if Basic is
loaded instead of DOS.
The virus saves the real boot sector at track 39, sector 8,
head 0. The original version of the Alameda virus would only
run on a 8086/8088 machine, though later versions can now run
on 80286 systems.
Also see: Golden Gate, SF Virus
Virus Name: Ambulance Car Virus
Aliases: RedX
V Status: Rare
Discovery: June, 1990
Symptoms: .COM growth, graphic display & sound
Origin: West Germany
Eff Length: 796 Bytes
Type Code: PNC - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan V64+, F-Prot 1.12+, Pro-Scan 2.01+
Removal Instructions: Scan/D, Pro-Scan 2.01+, or Delete infected files
General Comments:
The Ambulance Car Virus was isolated in West Germany in June, 1990.
This virus is a non-resident .COM infector.
When a program infected with the Ambulance Car Virus is executed,
the virus will attempt to infect one .COM file. The .COM file to
be infected will be located on the C: drive. This virus only infects
one .COM file in any directory, and never the first .COM file in
the directory. It avoids infecting COMMAND.COM as that file is
normally the first .COM file in the root directory.
On a random basis, when an infected file is executed it will
have the effect of displaying an ASCII block drawing of
an ambulance moving across the bottom of the system display. This
graphics display will be accompanied with the sound of a siren
played on the system's speaker. Both of these effects only occur
on systems with a graphics capable display adapter.
Virus Name: Amstrad
Aliases:
V Status: Endangered
Discovery: November, 1989
Symptoms: .COM growth, message
Origin: Portugal
Eff Length: 847 Bytes
Type Code: PNC - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, VirexPC 1.1+,
AVTK 3.5+, VirHunt 2.0+
Removal Instructions: Scan/D/X, F-Prot, Pro-Scan 1.4+, or
delete infected files
General Comments:
The Amstrad virus was first reported in November, 1989, by
Jean Luz of Portugal; however, it had been known in Spain
and Portugal for a year prior to that. The virus is a generic
.COM infector, but is not memory resident nor does it infect
COMMAND.COM.
The virus carries a fake advertisement for the Amstrad computer.
The Amstrad virus appears to cause no other damage to the
system other than replicating and infecting files.
Known variants of the Amstrad Virus are:
Pixel/V-345 - Similar to the Amstrad virus described above, except
that the virus is 345 Bytes in length, can now infect
COMMAND.COM, and contains the message:
"=!= Program sick error:Call doctor or by PIXEL for
cure description". This message is not displayed.
The Pixel virus was originally distributed in Greece
by Pixel magazine. The Pixel Virus can only infect
programs in the current directory. This variant may
in fact be the original virus in this family; it is
rumored that it was released one year before the
appearance of the virus in Portugal.
Origin: Greece
V-277 - Similar to the Pixel/V-345 virus described above, except
that the virus is now 277 Bytes in length, and does not
contain any message text. The original message text
has been replaced with code to produce a parity error
approximately 50% of the time when an infected program
is executed.
Origin: Bulgaria
V-299 - Similar to Pixel, except that the length of the virus
is 299 Bytes.
Origin: Bulgaria
V-847 - Similar to Pixel, except that the length of the virus
is 847 Bytes.
Origin: Bulgaria
V-847B - Similar to V-847, except that the message in the virus
is now in Spanish and is:
"=!= En tu PC hay un virus RV1, y esta es su quinta
generacion".
This variant was originally distributed by a magazine
in Spain in file NOCARGAR.COM.
Origin: Spain
V-852 - Similar to the V-847 variant, this variant does not
contain any message. It infects all .COM files in the
current directory whenever an infected program is
executed. If the current directory contains COMMAND.COM,
it will be infected as well. The original sample of this
variant received by the author did not contain any text;
however, after replicating on a test system, all infected
files contained text from the video buffer, which
implies the submitted sample was the original distribution
of the virus. This variant checks byte 4 of .COM files
to determine if the file was previously infected: if
bytes 4-5 are 'SS', the virus assumes the file is already
infected. All infected programs will start with the
following hex string, with the nn indicated being a
generation number:
"EB14905353nn2A2E434F4D004F040000"
Origin: Bulgaria
Virus Name: Anthrax
Aliases:
V Status: Rare
Discovery: July, 1990
Symptoms: .COM & .EXE growth
Origin: Bulgaria
Isolated: Netherlands
Eff Length: 1040 - 1279 Bytes
Type Code: PRAKX - Parasitic Resident .COM, .EXE, & Partition Table Infector
Detection Method: ViruScan V66+, Pro-Scan 2.01+
Removal Instructions: Scan/D + MDisk/P, Pro-Scan 2.01+
General Comments:
The Anthrax Virus was isolated in July 1990 in the Netherlands after
it was uploaded onto several BBSes in a trojan anti-viral program,
USCAN.ZIP. It is the second virus to be found in a copy of UScan
during July 1990, the first virus being V2100. Anthrax is a memory
resident generic infector of .COM and .EXE files, including
COMMAND.COM.
The first time a program infected with the Anthrax virus is executed
on the system's hard disk, the virus will infect the hard disk's
partition table. At this point, the virus is not memory resident. It
will also write a copy of itself on the last few sectors of the
system's hard disk. If data existed on those last few sectors of the
hard disk, it will be destroyed.
When the system is booted from the hard disk, the Anthrax virus
will install itself memory resident. It will remain memory resident
until the first program is executed. At that time, it will deinstall
itself from being resident and infect one .COM or .EXE file. This
virus does not infect files in the current directory first, but
instead starts to infect files at the lowest level of the disk's
directory tree.
Later, when an infected program is executed, Anthrax will infect one
.COM or .EXE file, searching the directory structure from the lowest
level of the directory tree. If the executed infected program
was located on the floppy drive, a .COM or .EXE file may or may not
be infected.
The Anthrax Virus's code is 1,024 bytes long, but infected programs
will increase in length by 1,040 to 1,279 bytes. On the author's test
system, the largest increase in length experienced was 1,232 bytes.
Infected files will always have a total length that is a
multiple of 16.
The following text strings can be found in files infected with the
Anthrax virus:
"©Damage, Inc."
"ANTHRAX"
A third text string occurs in the viral code, but it is in Cyrillic.
Per Vesselin Bontchev, this third string translates to: "Sofia 1990".
Since Anthrax infects the hard disk partition tables, infected systems
must have the partition table disinfected or rebuilt in order to
remove the virus. This disinfection can be done with either a low-
level format or use of the MDisk/P program for the correct DOS
version after powering off and rebooting from a write-protected boot
diskette for the system. Any .COM or .EXE files infected with
Anthrax must also be disinfected or erased. Since a copy of the virus
will exist on the last few sectors of the drive, these must also be
located and overwritten.
Anthrax interacts with another virus: V2100. If a system which was
previously infected with Anthrax should become infected with the V2100
virus, the V2100 virus will check the last few sectors of the hard
disk for the spare copy of Anthrax. If the spare copy is found, then
Anthrax will be copied to the hard disk's partition table.
It is not known if Anthrax carries any destructive capabilities or
trigger/activation dates.
Virus Name: Anti-Pascal
Aliases: Anti-Pascal 605 Virus, AP-605, C-605, V605
V Status: Research
Discovery: June, 1990
Symptoms: .COM growth, .BAK and .PAS file corruption
Origin: Bulgaria
Isolated: Sofia, Bulgaria
Eff Length: 605 Bytes
Type Code: PNCK - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan/X V67+, Pro-Scan 2.01+
Removal Instructions: Pro-Scan 2.01+, Scan/D/X, or delete infected files
General Comments:
The Anti-Pascal Virus, V605 or C-605, was isolated in Sofia,
Bulgaria in June 1990 by Vesselin Bontchev. Originally, it was
thought that the Anti-Pascal virus was from the USSR or Poland,
but it has since been determined to have been a research virus
written in Bulgaria over one year before it was isolated. The
virus's author was not aware that it had "escaped" until July, 1990.
The Anti-Pascal Virus is a generic .COM file infector, including
COMMAND.COM. While this virus is not memory resident, when it is
in the process of infecting files, interrupt 24 will be hooked.
When a program infected with the Anti-Pascal virus is executed,
the virus will attempt to infect two other .COM files on the
current drive or on drive D: which are between 605 and 64,930
bytes in length. These files must not have the read only
attribute set. If an uninfected .COM file meeting the virus's
selection criteria is found, the first 605 bytes of the program
are overwritten with the viral code. The original 605 bytes of
the program are then appended to the end of the infected file.
Infected files will have increased in length by 605 bytes, and
they will also begin with the text string "PQVWS" as well as
contain the string "combakpas???exe" at offset 0x17. Infected
files will also have had their file date/time stamps in the
directory updated to the date/time that the infection occurred.
If the Anti-Pascal Virus cannot find two .COM files to infect,
it will check the current drive and directory for .BAK and .PAS
files. If these files exist, they will be overwritten with the
virus's code. If the overwritten files were .PAS files, the
system's user has now lost some of their Pascal source code.
After overwriting .BAK and .PAS files, the virus will attempt to
rename them to .COM files, or .EXE files if a .COM file already
exists. This rename does not work due to a bug in the virus.
Known variant(s) of the Anti-Pascal Virus are:
AP-529 : Similar to the 605 byte Anti-Pascal Virus, the major
differences are that AP-529 will only infect .COM files
over 2,048 bytes in length. Infected files increase in
length by 529 bytes. Additionally, instead of overwriting
the .BAK and .PAS files, one .BAK and .PAS file will be
deleted if there are no uninfected .COM files with a
length of at least 2,048 bytes on the current drive.
.COM files on the C: drive root directory may also be
infected by AP-529 when it is executed from the A: or B:
drive. This variant should be considered a "Research
Virus"; it is not believed to have been publicly
released.
Also see: Anti-Pascal II
Virus Name: Anti-Pascal II
Aliases: Anti-Pascal 400, AP-400
V Status: Research
Discovery: June, 1990
Symptoms: .COM growth; .BAK, .BAT and .PAS file deletion, boot sector
alteration on hard disk
Origin: Bulgaria
Isolated: Sofia, Bulgaria
Eff Length: 400 Bytes
Type Code: PNCK - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan/X V67+, Pro-Scan 2.01+
Removal Instructions: Pro-Scan 2.01+, Scan/D/X, or delete infected files
General Comments:
The Anti-Pascal II Virus, or AP-400, was isolated in Sofia,
Bulgaria in June 1990 by Vesselin Bontchev. It is one of five
viruses/variants in the Anti-Pascal family. Two of the earlier
variants, Anti-Pascal/AP-605 and AP-529, are documented under
the name "Anti-Pascal". The variants listed under Anti-Pascal II
have been separated due to some of their characteristics differing
from the 605 byte and 529 byte viruses.
The Anti-Pascal II Virus is a generic .COM file infector, including
COMMAND.COM. While this virus is not memory resident, when it is
in the process of infecting files, interrupt 21 will be hooked.
The first time a program infected with the Anti-Pascal II virus is
executed on a system, the virus will attempt to infect one (1)
.COM file in the root directory of each drive accessible on the
system. Files are only infected if their length is at least 2,048
bytes, and the resulting infected file will be less than 64K in
length. Since COMMAND.COM is usually the first .COM file on a
drive, it will immediately become infected. One additional .COM
file will also be infected on the current drive. The mechanism used
to infect the file is to write the virus's code to the end of the
file. A jump is used to execute the virus's code before the original
program is executed. Infected files do not have their date/time
stamps in the directory updated to the system date and time when the
infection occurred.
If the Anti-Pascal Virus cannot find a .COM file to infect on a
given drive, or two .COM files to infect on the current drive,
it will check for the existence of .BAK, .PAS, or .BAT files. If
found, these files will be deleted. These deletions only occur in
root directories and on the current drive's current directory. Since
each root directory (as well as the current directory) will typically
not have all of its .COM files infected at the same time, the deletes
will occur on different drives and directories at different times.
Symptoms of infection of the Anti-Pascal II Virus include file length
increases of 400 bytes, unexpected disk access to drives other than
the current drive, and disappearing .BAK, .PAS, and .BAT files. One
other symptom of an Anti-Pascal II infection is that the hard disk's
boot sector will be slightly altered by the virus. Anti-viral programs
which CRC-check the boot sector will indicate that a boot sector
infection may have occurred. The boot sector alteration does not
contain a live virus, but it may mislead the system user into thinking
their problem is from a boot sector virus instead of a file infector;
if the disk was bootable, the alteration does not make it unbootable.
The Anti-Pascal II Virus and its variants indicated below are not
believed to have been publicly released. As such, they have been
classified as "Research Viruses".
Known variant(s) of the Anti-Pascal II Virus are:
AP-440 : Very similar to the 400 byte version of the Anti-Pascal II
Virus, the major characteristic change is that this
variant has a length of 440 bytes. The boot sector is no
longer altered by the virus. This variant is an
intermediary between AP-480 and the 400 byte version
documented above.
AP-480 : Similar to the Anti-Pascal II virus, this variant is the
version which is 480 bytes in length. It does not
delete .BAT files, but only .BAK and .PAS. This variant
is the latest variant of the Anti-Pascal II grouping.
Also see: Anti-Pascal
Virus Name: Armagedon
Aliases: Armagedon The First, Armagedon The Greek
V Status: Rare
Discovery: June, 1990
Symptoms: text string intermittently sent to COM ports
Origin: Athens, Greece
Eff Length: 1,079 Bytes
Type Code: PRC - Parasitic Resident .COM Infector
Detection Method: ViruScan V64+, F-Prot 1.12+, Pro-Scan 2.01+
Removal Instructions: Scan/D, F-Prot 1.12+, or Delete infected files
General Comments:
The Armagedon virus was isolated on June 2, 1990, by George
Spiliotis of Athens, Greece. Armagedon is a memory resident
virus which infects .COM files, increasing their length by 1,079
bytes.
The first time an infected program is executed on a system, the
virus installs itself memory resident, hooking interrupts 8 and 21.
Any .COM files which are later executed are then infected by the
resident virus.
Infected systems will experience the text string "Armagedon the GREEK"
being sent to COM ports 1 - 4 at time intervals. Between 5:00 and
7:00, the virus will attempt to use the system's COM ports to make
a phone call to Local Time Information in Crete, Greece. If a
connection is made, the phone line will remain open until the user
notices that the phone line is in use. (Needless to say, this
doesn't work if the system is located outside of Greece as dialing
codes are considerably different between countries.)
This virus otherwise is not destructive.
Virus Name: Ashar
Aliases: Shoe_Virus, UIUC Virus
V Status: Common
Discovery:
Symptoms: BSC, Resident TOM
Origin:
Eff Length: N/A
Type Code: BRt - Resident Boot Sector Infector
Detection Method: ViruScan V41+, F-Prot, IBM Scan, Pro-Scan 1.4+, AVTK 3.5+,
VirHunt 2.0+
Removal Instructions: MDisk, CleanUp, Pro-Scan 1.4+, F-Prot or
DOS SYS command
General Comments:
The Ashar virus is a resident boot sector infector which is
a variant of the Brain virus. It differs from the Brain
virus in that it can infect both floppies and hard disk, and
the message in the virus has been modified to be:
"VIRUS_SHOE RECORD, v9.0. Dedicated to the dynamic
memories of millions of virus who are no longer with us
today".
However, the above message is never displayed. The
identification string "ashar" is normally found at offset
04a6 hex in the virus.
A variant of the Ashar virus exists, Ashar-B or Shoe_Virus-B,
which has been modified so that it can no longer infect hard
drives. The v9.0 in the message has also been altered to v9.1.
Also see: Brain
Virus Name: Attention!
Aliases: USSR 394
V Status: Rare
Discovery: December, 1990
Symptoms: .COM file growth; decrease in system and available memory;
clicking emitted from system speaker on keypress; file date/time
changes
Origin: USSR
Eff Length: 394 Bytes
Type Code: PRhCK - Parasitic Resident .COM Infector
Detection Method: ViruScan V74+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The Attention! Virus was submitted in December, 1990 and was originally
isolated in the USSR. This virus is a memory resident infector of COM
files, including COMMAND.COM.
The first time a program infected with the Attention! Virus is executed,
the virus will reserve 416 bytes at the top of system memory but below
the 640K DOS boundary. The virus becomes memory resident in this area,
and hooks interrupt 21. Total system memory and available free memory
returned by the DOS ChkDsk command will decrease by 416 bytes. The
interrupt 12 return is not moved.
After the virus is memory resident, a clicking sound will be emitted
by the system speaker each time a key is pressed on the keyboard. Some
programs, such as the Edlin program supplied with MS-DOS, will receive
an "Invalid drive or file name" message when an attempt is made to
execute them.
Attention! will infect COM files, including COMMAND.COM, when they are
executed. The exception is that very small COM files will not become
infected. Infected files will increase in length by 394 bytes with the
virus being located at the end of the file. Infected programs will also
contain the text string: "ATTENTION !" near the beginning of the
program.
Virus Name: Best Wishes
Aliases: Best Wish
V Status: Rare
Discovery: December, 1990
Symptoms: .COM file growth; decrease in system and available free memory;
system hangs; file date/time changes; file not found errors;
boot sector modification
Origin: USSR
Eff Length: 970 Bytes
Type Code: PRtCK - Parasitic Resident .COM Infector
Detection Method: ViruScan V74+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The Best Wishes Virus was submitted in December, 1990 and is believed
to be from the USSR. Best Wishes is a memory resident infector of
COM files, including COMMAND.COM. There is a variant of this virus,
Best Wishes B, which is 1,024 bytes in length.
The first time a program infected with the Best Wishes Virus is
executed, the virus will install itself memory resident in system high
memory, but below the 640K DOS boundary. The interrupt 12 return will
be moved. Total system memory will decrease by 61,440 bytes, and available
free memory will decrease by 61,360 bytes. COMMAND.COM will become
infected at this time, and the disk's boot sector will also be modified.
Disks with the boot sector modification and infected COMMAND.COM will
still boot properly.
After Best Wishes is resident, the virus will infect COM files as they
are executed with a probability of 50%. Infected COM files will
increase in length by 970 bytes with the virus being located at the
end of the infected file. Infected programs will also have the following
text string located near the end of the file:
"This programm ... With Best Wishes!"
Best Wishes does not restore the original file date and time in the
directory when it infects programs, so all infected programs will have
their date/time stamps set to the system date and time when infection
occurred.
Two additional symptoms of a Best Wishes infection are that the user
may experience "File not found" errors when the file is actually on
disk, as well as system hangs on every fourth program execution.
Known variant(s) of Best Wishes are:
Best Wishes B - An earlier version of Best Wishes, this variant is
1,024 bytes in length. The major differences are that infected
disks will not boot if COMMAND.COM has been modified. Execution
of a COM program once the virus is memory resident will result in
the program most likely being infected, but the system will also
become hung.
Virus Name: Black Monday
Aliases:
V Status: Rare
Discovery: September, 1990
Symptoms: .COM & .EXE file growth; TSR; file timestamp changes
Origin: Kuala Lumpur, Malaysia
Eff Length: 1,055 Bytes
Type Code: PRsAK - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan V67+, Pro-Scan 2.01+
Removal Instructions: Pro-Scan 2.01+, Scan/D, or Delete infected files
General Comments:
The Black Monday Virus was isolated in Fiji in September, 1990. It
is reported to be widespread in Fiji and other locations in the Far
East and Asia. This virus is a memory resident generic infector of
.COM and .EXE files, including COMMAND.COM.
The first time a program infected with the Black Monday Virus is
executed, the virus will install itself memory resident as a low
system memory TSR of 2,048 bytes. Interrupt 21 will be hooked by
the virus.
Once the virus is memory resident, any program which is executed
will become infected with the Black Monday Virus. .COM files will
increase in length by 1,055 bytes with the virus's code located at
the end of the infected files. .EXE files will also increase in
length by 1,055 bytes with the virus's code added to the end of
the file. This virus does not infect .EXE files multiple times.
The virus does not hide the change in file length when the directory
is displayed, and a directory display will indicate that the
infected file's date/time stamp has been updated to the system date
and time when the file was infected.
The following text string can be found in all infected files near
the beginning of the virus's code:
"Black Monday 2/3/90 KV KL MAL"
It is unknown when Black Monday activates, or what it does at
activation.
Virus Name: Blood
Aliases: Blood2
V Status: Rare
Discovery: August, 1990
Symptoms: .COM file length increase, system reboots and/or hangs,
cascading screen effect
Origin: Natal, Republic of South Africa
Eff Length: 418 Bytes
Type Code: PNCK - Parasitic Non-Resident .COM Infector
Detection Method: Pro-Scan 2.0+
Removal Instructions: Delete infected files
General Comments:
The Blood Virus was submitted by Fridrik Skulason in August, 1990.
It was originally isolated in Natal, Republic of South Africa. There
are two variants of this virus, Blood and Blood2. This virus is a
non-resident infector of .COM files, including COMMAND.COM.
When a program infected with the Blood virus is executed, it will
infect one .COM file located in the C: drive root directory. The
newly infected file will have increased in length by 418 bytes. If
the program just infected is COMMAND.COM, a system reboot will
occur. Following the system reboot, executing an infected program
will result in a cascading effect of the cursor down the screen. The
next .COM file executed will then result in the hard disk being
accessed followed by the system hanging. Spurious characters from
memory may also appear on the screen on the line below the command
line.
After August 15, execution of an infected program will result in a
system hang.
Known variant(s) of Blood are:
Blood2 : Similar to Blood, with the major difference being that
system reboots, system hangs, and the cascading cursor
effect no longer occur. This variant also does not hang
the system after August 15.
Virus Name: Bloody!
Aliases:
V Status: Rare
Discovery: December, 1990
Symptoms: Extended boot time; decrease in system & available memory;
message on boot; boot sector & partition table changes
Origin: Taiwan
Eff Length: N/A
Type Code: BRtX - Resident Boot Sector & Partition Table Infector
Detection Method: ViruScan V72+
Removal Instructions: See below
General Comments:
The Bloody! Virus was submitted in December 1990, and infection
reports were received from Europe, Taiwan, and the United States. This
virus is a memory resident infector of floppy diskette boot sectors as
well as the hard disk partition table.
When a system is booted from a floppy or hard disk infected with the
Bloody! Virus, the virus will install itself memory resident at the
top of system memory but below the 640K DOS boundary. Total system
memory and available free memory will decrease by 2,048 bytes. The
interrupt 12 return will be moved. The system boot will also take
much longer than expected. The system's hard disk's partition table
will become infected immediately if it was not the source of the
system boot.
At the time of system boot, the virus also maintains a counter of how
many times the infected diskette or hard drive has been booted. Once
128 boots have occurred, the virus will display the following message
during the boot:
"Bloody! Jun. 4, 1989"
June 4, 1989 is the date of the confrontation in Beijing, China
between Chinese students and the Chinese Army in which many students
were killed.
This message will later be displayed on every sixth boot once the
128 boot limit has been reached. The text message is encrypted within
the viral code, so it is not visible in the boot sector.
Once Bloody! is memory resident, the virus will infect any diskette
or hard disk when a file or program is accessed. Listing a disk
directory will not be enough to cause the virus to infect the disk.
Infected diskette boot sectors will be missing all of the normal
DOS error messages which are normally found in the boot sector. The
original boot sector will have been moved to sector 11 on 360K diskettes,
a part of the root directory. If there were previously root directory
entries in that sector, those files will be lost.
On the hard disk, the original partition table will have been moved
to side 0, cylinder 0, sector 6.
Floppies of sizes other than 360K may become unusable or
corrupted, as the virus does not take into account the existence of these
disk types.
For diskettes, Bloody! can be removed by powering the system off and
then booting from a known-clean, write protected original DOS diskette.
The DOS SYS command should then be executed on each of the infected
diskettes.
To remove the Bloody! Virus from the hard disk's partition table, the
original partition table should be located and then copied back to
its original position. The other option is to backup the files on
the hard disk and low level format the drive.
Virus Name: Brain
Aliases: Pakistani, Pakistani Brain
V Status: Common
Discovery: 1986
Symptoms: Extended boot time, Volume label change, Resident TOM,
Three contiguous bad sectors (floppy only), BSC
Origin: Pakistan
Eff Length: N/A
Type Code: BRt - Resident Boot Sector Infector
Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, AVTK 3.5+,
VirHunt 2.0+
Removal Instructions: MDisk, CleanUp, F-Prot, Pro-Scan, or DOS SYS command
General Comments:
The Pakistani Brain virus originated in Lahore, Pakistan and
infects disk boot sectors by moving the original contents of the
boot sector to another location on the disk, marking those 3
clusters (6 sectors) bad in the FAT, and then writing the virus
code in the disk boot sector.
One sign of a disk having been infected, at least with the
original virus, is that the volume label will be changed
to "© Brain". Another sign is that the label "© Brain" can
be found in sector 0 (the boot sector) on an infected disk.
This virus does install itself resident on infected systems,
taking up between 3K and 7K of RAM. The Brain virus is able to
hide from detection by intercepting any interrupt that might
interrogate the boot sector and redirecting the read to the
original boot sector located elsewhere on the disk, thus some
programs will be unable to see the virus.
The original Brain virus only infected floppies, however variants
to the virus can now infect hard disks. Also, some variants
have had the "© Brain" label removed to make them harder to
detect.
Known variants of the Brain virus include:
Brain-B/Hard Disk Brain/Houston Virus - hard disk version.
Brain-C - Brain-B with the "© Brain" label removed.
Clone Virus - Brain-C but restores original boot copyright label.
Clone-B - Clone Virus modified to destroy the FAT after 5/5/92.
Also see: Ashar
Virus Name: Burger
Aliases: 541, 909090h, CIA
V Status: Extinct
Discovery: 1986
Symptoms: Programs will not run after infection
Origin: West Germany
Eff Length: 560 Bytes
Type Code: ONAK - Overwriting Non-Resident .COM & .EXE Infector
Detection Method: ViruScan V67+, Pro-Scan 2.01+
Removal Instructions: Scan /D, or delete infected files
General Comments:
The Burger, or 909090h, Virus was written and copyrighted in 1986 by
Ralf Burger of West Germany. This virus is extinct in the "public
domain". This virus is a non-resident overwriting virus, infecting
.COM and .EXE files, including COMMAND.COM.
When a program infected with the Burger Virus is executed, the virus
will attempt to infect one previously uninfected .COM file located in
the C: drive root directory. To determine if the program was previously
infected, the virus checks to see if the first three bytes of the .COM
file are three NOP instructions (909090h). If the first three bytes are
the NOP instructions, the virus goes on checking until it finds an
uninfected .COM file. If no uninfected .COM file exists, the virus
then renames all the .EXE files in the root directory to .COM files and
checks those files. Once it finds a .COM file to infect, it overwrites
the first 560 bytes of the uninfected program with the virus code. At
this point, the program the user was attempting to run will either
end or hang the system. Infected programs will never execute properly
as the first portion of the program has been destroyed.
Systems which have been infected with the Burger Virus will fail to
boot once the virus has infected the hard disk boot partition's
COMMAND.COM, or the copy of COMMAND.COM on their boot diskette.
Infected files can be easily identified by the "909090B8000026A245"
hex sequence located in the first nine bytes of all infected files.
Infected files cannot be disinfected; they must be replaced from a
clean source.
Known variant(s) of the Burger virus include:
CIA : Discovered in the United States in October, 1990, this virus
is similar to the Burger Virus described above. The first
nine bytes of all infected files in hex will be:
"909090B8000026A3A5". The actual length of this variant
is 541 bytes, though the first 560 bytes of infected programs
are overwritten.
505 : Similar to the Burger virus, this variant's actual code length
is 505 bytes, though the first 560 bytes of infected files
will be overwritten. Infected files will have their first
nine bytes contain the hex string: "909090B8000026A3A0".
509 : Similar to the Burger virus, this variant's actual code length
is 509 bytes, though the first 560 bytes of infected files
will be overwritten. Infected files will have their first
nine bytes contain the hex string: "909090B8000026A3A4".
541 : Similar to the Burger virus, this variant overwrites the
first 560 bytes of infected programs, though the virus's
length is actually 541 bytes. Infected programs will start
with the hex sequence: "909090B8000026A3A4".
Also see: VirDem
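The identification strings the list gives for the Amstrad V-852 variant (the "EB1490..." start-of-file string with its nn generation byte) and for the Burger family (the nine-byte prefixes) can be checked mechanically. The scanner below is an added example and is not part of the original list or any of the scanners it names; the sample images are constructed here and are not real samples, and the function names and the distinction between a virus's own "already infected" marker and a full signature are this example's own.

```python
import re
from pathlib import Path

# Identification strings quoted in the list above. 'nn' marks the one byte the
# list leaves variable (the V-852 generation counter). All are start-of-file
# strings, so matching is anchored at offset 0.
SIGNATURES = {
    "Amstrad V-852": "EB14905353nn2A2E434F4D004F040000",
    "Burger":        "909090B8000026A245",
    "Burger/CIA":    "909090B8000026A3A5",
    "Burger/505":    "909090B8000026A3A0",
    "Burger/509":    "909090B8000026A3A4",
    # The list gives 541 the same nine bytes as 509, so a prefix match cannot
    # tell the two apart; both names are reported for such a file.
    "Burger/541":    "909090B8000026A3A4",
}


def compile_signature(hex_pattern: str):
    """Turn a hex string with 'nn' wildcards into a bytes regex."""
    if len(hex_pattern) % 2:
        raise ValueError("hex signature must have an even number of digits")
    parts = []
    for i in range(0, len(hex_pattern), 2):
        pair = hex_pattern[i:i + 2]
        if pair.lower() == "nn":
            parts.append(b".")          # any single byte
        else:
            parts.append(re.escape(bytes.fromhex(pair)))
    # DOTALL so the wildcard also matches a 0x0A byte.
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: compile_signature(p) for name, p in SIGNATURES.items()}


def match_signatures(image: bytes) -> list:
    """Names of every signature whose bytes appear at the start of the image."""
    return [name for name, rx in COMPILED.items() if rx.match(image)]


def v852_generation(image: bytes):
    """Generation counter of a V-852 infected image, or None if not infected.

    The counter is the 'nn' byte, zero-based offset 5 of the signature.
    """
    return image[5] if COMPILED["Amstrad V-852"].match(image) else None


def has_v852_marker(image: bytes) -> bool:
    """V-852's own already-infected test: 'SS' at bytes 4-5 (counted from 1,
    as the list does; zero-based offsets 3-4)."""
    return image[3:5] == b"SS"


def has_burger_marker(image: bytes) -> bool:
    """Burger's own already-infected test: three leading NOPs (909090h).

    Any program that happens to start with NOPs passes this, so the marker
    alone is not evidence of infection; the nine-byte signature is.
    """
    return image[:3] == b"\x90\x90\x90"


def scan_directory(directory) -> dict:
    """Map each .COM file in a directory to the signature names it matches."""
    hits = {}
    for path in Path(directory).iterdir():
        if path.is_file() and path.suffix.lower() == ".com":
            found = match_signatures(path.read_bytes())
            if found:
                hits[path.name] = found
    return hits


# Constructed sample images (not real samples): only the leading bytes a
# scanner looks at, padded with NOPs. SAMPLE_V852 carries generation 5.
SAMPLE_V852 = bytes.fromhex("EB14905353052A2E434F4D004F040000") + b"\x90" * 16
SAMPLE_CIA = bytes.fromhex("909090B8000026A3A5") + b"\x90" * 8
SAMPLE_NOPS = b"\x90\x90\x90\xcd\x20"                     # harmless, starts with NOPs
SAMPLE_CLEAN = b"\xb4\x09\xba\x0e\x01\xcd\x21\xcd\x20"    # mov ah,9 / int 21h / int 20h

if __name__ == "__main__":
    for label, img in [("V-852", SAMPLE_V852), ("CIA", SAMPLE_CIA),
                       ("NOPs only", SAMPLE_NOPS), ("clean", SAMPLE_CLEAN)]:
        print(f"{label:10} signatures={match_signatures(img)} "
              f"burger_marker={has_burger_marker(img)} "
              f"v852_generation={v852_generation(img)}")
```

SAMPLE_NOPS shows why a scanner should not reuse the virus's own infection marker as its test: the three NOPs match, the Burger signature does not.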
Virus Name: Carioca
Aliases:
V Status: Rare
Discovery: November, 1990
Symptoms: TSR; .COM growth
Origin:
Eff Length: 951 Bytes
Type Code: PRsC - Parasitic Resident .COM Infector
Detection Method: ViruScan V71+, Pro-Scan 2.01+
Removal Instructions: Scan/D, Pro-Scan 2.01+, or Delete Infected Files
General Comments:
The Carioca Virus was submitted in November, 1990. This virus is a
memory resident infector of .COM files; it does not infect COMMAND.COM.
The first time a program infected with the Carioca Virus is executed,
the virus will install itself memory resident as a 1,280 byte low
system memory TSR. Interrupt 21 will be hooked by the virus. The
system's available free memory will decrease by 1,312 bytes.
After the virus is memory resident, any .COM file executed (with the
exception of COMMAND.COM) will become infected with the Carioca
Virus. Infected .COM files will show an increase in size of 951 bytes
with the virus being located at the end of the infected file. Infected
files will have the following hex character string located at the
very end of the file: "2EFF1E1A010203CD21".
It is unknown if Carioca contains any damage potential.
Virus Name: Cascade
Aliases: Fall, Falling Letters, 1701, 1704
V Status: Common
Discovery: October, 1987
Symptoms: TSR, Falling letters, .COM file growth
Origin: Germany
Eff Length: 1,701 or 1,704 bytes
Type Code: PRsC - Parasitic Resident Encrypting .COM Infector
Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+,
VirHunt 2.0+
Removal Instructions: CleanUp, F-Prot, VirexPC, VirHunt 2.0+, Pro-Scan 2.01+
General Comments:
Originally, this virus was a trojan horse which was disguised
as a program which was supposed to turn off the number-lock
light when the system was booted. The trojan horse instead
caused all the characters on the screen to fall into a pile
at the bottom of the screen. In late 1987, the trojan horse
was changed by someone into a memory resident .COM virus.
While the original virus had a length of 1,701 bytes and would
infect both true IBM PCs and clones, a variation exists of
this virus which is 3 bytes longer than the original virus
and does not infect true IBM PCs. Both viruses are
functionally identical in all other respects.
Both of the viruses have some fairly unique qualities: Both
use an encryption algorithm to avoid detection and complicate
any attempted analysis of them. The activation mechanisms
are based on a sophisticated randomization algorithm
incorporating machine checks, monitor types, presence or
absence of a clock card, and the time or season of the year.
The viruses will activate on any machine with a CGA or VGA
monitor in the months of September, October, November, or
December in the years 1980 and 1988.
Known variants of the Cascade virus are:
1701-B : Same as 1701, except that it can activate in the
fall of any year.
1704-D : Same as the 1704, except that the IBM selection
has been disabled so that it can infect true IBM
PCs.
17Y4 : Similar to the Cascade 1704 virus, the only difference is
one byte in the virus which has been altered.
Cunning: Based on the Cascade virus, a major change to the virus
is that it now plays music.
Also see: 1704 Format
Virus Name: Cascade-B
Aliases: Blackjack, 1704-B
V Status: Common
Discovery:
Symptoms: .COM file growth, TSR, random reboots
Origin: Germany
Eff Length: 1,704 bytes
Type Code: PRsC - Parasitic Resident Encrypting .COM Infector
Detection Method: ViruScan, F-Prot, IBM Scan, VirexPC, AVTK 3.5+, Pro-Scan,
VirHunt 2.0+
Removal Instructions: CleanUp, F-Prot, VirexPC, VirHunt 2.0+
General Comments:
The Cascade-B virus is similar to the Cascade virus, except
that the cascading display has been replaced with a system
reboot which will occur at random time intervals after the
virus activates.
Other variation(s) which have been documented are:
1704-C : Same as 1704-B except that the virus can activate in
December of any year.
Virus Name: Casper
Aliases:
V Status: Rare
Discovery: August, 1990
Symptoms: .COM file growth, April 1st disk corruption (see below)
Origin:
Eff Length: 1,200 bytes
Type Code: PNCK - Parasitic Non-Resident Encrypting .COM Infector
Detection Method: ViruScan V67+, Pro-Scan 2.01+
Removal Instructions: Scan/D, or Delete infected files
General Comments:
The Casper Virus was isolated in August, 1990 by Fridrik Skulason of
Iceland. The origin of this virus is unknown at this time. Casper
is |