VIRUS INFORMATION SUMMARY LIST August 10, 1990 Copyright (C) 1990 by Patricia M. Hoffman. All Rights Reserved. This document contains the compiled information from a continuing research effort by the author into the identification, detection and removal of MS-DOS Computer Viruses. Hopefully, this listing will provide some assistance to those who wish to know more about a particular computer virus. It is not intended to provide a very detailed technical description, but to allow the reader to understand what a virus generally does, how it activates, what it is doing to their system, and most importantly, how to get rid of it. The user of this listing needs to keep in mind that the information provided is up-to-date only to the date of the listing itself. If the listing is one month old, some items may not be accurate. Also, with the wide dispersion of researchers and the various names that the same virus may be known by, some of the information may not be entirely accurate. Lastly, as new variants of known viruses are isolated, some of the characteristics of the variant may be different. There are five sections to the listing. The first section is an introduction which explains the format of the information in the listing and includes the code information used in some fields. The second section is the actual virus information listing. The third section is a cross-reference of common names for MS-DOS computer viruses and indicates what name to use for the virus in the second section. The fourth section, added with the July 1990 release and in the works for many months, is a chart showing relationships between various viruses and variants. Lastly, there is a fifth section which is a revision history of the listing. Anti-Viral products mentioned in the listing are either commonly available shareware or public domain programs, or they are commercial products which have been submitted for evaluation and review by the product's author with "no strings attached". All Anti-Viral products are reviewed at the most recent release level available to the author. In some cases, this may not be the most recent release. All testing is done against the author's virus collection, results using a different collection of viruses and variants may differ. Special thanks go to John McAfee for reviewing the listing before it is distributed, as well Padgett Peterson of Orlando, Florida who volunteered several hours of his time to assist in formatting the listing and breaking out additional information. The Virus Information Summary List may be freely distributed by non-commercial systems and non-profit organizations, as long as the distribution file is not altered, and no more than a reasonable cost-of-duplication fee is charged. CompuServe, Genie, and the SIMTEL20 archives are also expressly permitted to carry this file for distribution purposes. The Virus Information Summary List may not be used in a business, corporation, organization, government, or agency environment without a negotiated site license. While this document may be referenced in the documentation for some anti-viral products, the document is not to be construed as being included in any site license not negotiated with the author, Patricia M. Hoffman. Licensing information for the Virus Information Summary List can be requested from the author via US Mail from the address below: Patricia M. Hoffman 1556 Halford Avenue, #127 Santa Clara, CA 95051 I can also be reached through my Bulletin Board System, Excalibur! BBS, at 1-408-244-0813. Future versions of this listing may also be obtained thru Excalibur!. Patricia M. Hoffman ------------------------------------------------------------------------------- Virus Information Summary List Introduction & Entry Format Each of the entries in the list consists of several fields. Below is a brief description of what is indicated in each of the fields. For fields where codes may appear, the meaning of each code in indicated. Virus Name: Field contains one of the more common names for the virus. The listing is alphabetized based on this field. Aliases: Other names that the same virus may be referred to by. These names are aliases or A.K.A.'s. V Status: This field contains one of the following values which indicate how common the virus is in the public domain. Common: The virus is one of the most common viruses reported to various groups which gather virus infection statistics. Most of these groups are in the United States. Where a virus has had many reports from a specific geographic area, the V Status field will contain "Common - xxxxxxxxx" where xxxxxxxxx is an indicator of geographic location. Endangered: The "Endangered" classification of viruses are viruses that are very uncommon and were fairly recently discovered or isolated. Due to some characteristics of these viruses, it is highly unlikely that they will ever become a widespread problem. It doesn't mean that they don't exist, just that the probability of someone getting these viruses is fairly low. Extinct: The "Extinct" classification is for viruses which at one time may have been widespread (ie. they are not a research virus which was never released into the public domain), but have not had a reported infection in at least one year. "Extinct" viruses will also include "viruses" which were submitted which actually don't replicate due to a flaw in their viral code, but if the flaw were corrected they might be successful. It is still possible that someone could become infected with one of these viruses, but the probability is extremely low. Myth: "Myth" viruses are viruses which have been discussed among various groups for some time (in excess of one year), but are not known to actually exist as either a public domain or research virus. Probably the best case of a "Myth" virus is the Nichols Virus. Rare: "Rare" viruses are viruses which were recently (within the last year) isolated but which do not appear to be widespread. These viruses, as a general rule, will be viruses which have characteristics that would make them a possible future problem. "Rare" viruses have a higher probability of someone becoming infected than Endangered or Extinct viruses, but are much less likely to be found than a "Common" virus. Research: A "Research" virus is a virus which was originally received by at least one anti-viral researcher directly from its source or author. These viruses are not known to have been released into the public domain, so they are highly unlikely to be detected on computer systems other than researchers. Rumored: The "Rumored" virus classification are for viruses which the author has received information about, but that no sample of the virus has been made available for analysis. Any viruses in this classification should be considered with a grain of salt, they may not actually exist. Unknown: The "Unknown" classification is for those viruses where the original submission of the virus to anti-viral researchers is suspect for any number of reasons, or that there is very little information known about the origin of the virus. New: The "New" category is for viruses which were recently received by the author but cannot at the present time be researched in depth. Instead of leaving these viruses out of the listing all together, they will be listed but with a "New" status. Discovery: First recorded discovery date. Origin: Author/country of origin Symptoms: Changes to system that may be noticed by users: messages, growth in files, TSRs/ Resident TOM (change in CHKDSK return), BSC - boot sector change (may require cold boot from known-good protected floppy to find), corruption of system or files, frequent re-boots, slowdowns. Origin: Either credited or assumed to be in country of discovery. Eff Length: The length of the viral code after it has infected a program or system component. For boot-sector infectors, the length is indicated as N/A, for not applicable. Type Code: The type codes indicated for a virus indicate general behavior characteristics. Following the type code(s) is a brief text description. The type codes used are: A = Infects all program files (COM & EXE) B = Boot virus C = Infects COM files only D = Infects DOS boot sector on hard disk E = Infects EXE files only F = Floppy (360K) only K = Infects COMMAND.COM M = Infects Master boot sector on hard disk N = Non-resident (in memory) O = Overwriting virus P = Parasitic virus R = Resident (in memory) (below 640k - segment A000) a - in unused portion of allocated memory (does not change free memory, such as virus resident in CLI stack space or unused system memory) Example: LeHigh f - in free (user) memory below TOM (does not prevent overwritting) Example: Icelandic h - in high memory but below TOM (Resides in high system memory, right below TOM. Memory is allocated so it won't be accidently overwritten.) Example: Flash s - in low (system/TSR) memory (reduces free memory, typically uses a normal Int 21/Int 28 TSR) Example: Jerusalem t - above TOM but below 640k (moves Int 12 return) (Reduces total memory size and free memory) Example: Pakistani Brain (above 640k) b - in BIOS/Video/Shadow RAM area (segment A000 - FFFF) e - in extended/expanded memory (above 1 Meg) S = Spawning virus T = Manipulation of the File Allocation Table (FAT) X = Manipulation/Infection of the Partition Table Detection Method: This entry indicates how to determine if a program or system has been infected by the virus. Where the virus can be detected with a shareware, public domain, or readily available commercial program, it is indicated. Programs referenced in the listing are: F-PROT - Fridrik Skulason's F-Prot detector/disinfector IBM Scan - IBM's Virus Scanning Program Pro-Scan - McAfee Associates' Pro-Scan Program VirexPC - MicroCom's VirexPC Program ViruScan - McAfee Associates' ViruScan Program Removal Instructions: Brief instructions on how to remove the virus. Where a shareware, public domain, or readily available commercial program is available which will remove the virus, it is indicated. Programs referenced in the listing are: AntiCrim - Jan Terpstra's AntiCrime program CleanUp - John McAfee's CleanUp universal virus disinfector. Note: CleanUp is only indicated for a virus if it will disinfect the file, rather than delete the infected file. DOS COPY - Use the DOS COPY command to copy files from infected non-bootable disks to newly formatted, uninfected disks. Note: do NOT use the DOS DISKCOPY command on boot sector infected disks, or the new disk will also be infected! DOS SYS - Use the DOS SYS command to overwrite the boot sector on infected hard disks or diskettes. Be sure you power down the system first, and boot from a write protected master diskette, or the SYS command will copy the infected boot sector. F-PROT - Fridrik Skulason's F-Prot detector/disinfector, Version 1.07. M-1704 - Cascade/Cascade-B disinfector. M-1704C - Cascade-C disinfector. M-3066 - Traceback virus disinfector. M-DAV - use Dark Avenger Disinfector M-DAV and follow instructions carefully, this virus is extremely prolific. M-JRUSLM - Jerusalem B disinfector. M-VIENNA - Vienna, Vienna B Virus disinfector. MDisk - MD Boot Virus Disinfector. Be sure to use the program which corresponds to your DOS release. Pro-Scan - Pro-Scan Virus Identifier/Disinfector . Saturday - European generic Jerusalem virus disinfector. Scan/D - ViruScan run with the /D option. Scan/D/A - ViruScan run with the /D /A options. UnVirus - Yuval Rakavy's disinfector for Brain, Jerusalem, Ping Pong, Ping Pong-B, Typo Boot, Suriv 1.01, Suriv 2.01, and Suriv 3.00 viruses. VirexPC - MicroCom's VirexPC Detector/Disinfector Note: VirexPC is only indicated if it will actually disinfect the virus, not just delete the infected file. Virus Buster - Yuval Tal's Virus Buster Detector/Disinfector General Comments: This field includes other information about the virus, including but not limited to: historical information, possible origin, possible damage the virus may cause, and activation criteria. ------------------------------------------------------------------------------- Virus Information Summary List MS-DOS Virus Information Virus Name: 382 Recovery Virus Aliases: 382 V Status: Rare Discovery: July, 1990 Symptoms: first 382 bytes of .COM files overwritten, system hangs, spurious characters on system display, disk drive spinning Origin: Taiwan Eff Length: N/A Type Code: ONAK - Overwriting Non-Resident .COM & .EXE Infector Detection Method: ViruScan V66+ Removal Instructions: Scan/D delete infected files General Comments: The 382 Recovery Virus was isolated in July 1990 in Taiwan. It is a non-resident generic infector of .COM and .EXE files, including COMMAND.COM. Each time a program infected with the 382 Recovery Virus is executed, the virus will check the current directory for a .COM files that has not been infected with the virus. If it finds an uninfected .COM file, it will infect it. If the original file was less than 382 bytes in length, the infected file will now be 382 bytes in length. Files which were originally greater than 382 bytes in length will not show any increase in length. Infected files always have the first 382 bytes of the file overwritten to contain the virus's code. Once all .COM files in the current directory are infected, the next time an infected .COM file is executed the virus will rename all .EXE files to .COM files. These renamed files, however, may or may not later become infected. Symptoms of the 382 Recovery Virus being present on a file are that the program will not execute properly. In some cases, the program will hang upon execution requiring the system to be rebooted. In other cases, spurious characters will appear on the system display and the program will not run. Lastly, the system may do nothing but leave the disk drive spinning, requiring the system to be powered off and rebooted. Since the first 382 bytes of infected files have been overwritten, the infected files cannot be recovered. The original 382 bytes of the file are permanently lost. Infected files should be deleted or erased and replaced with backup copies known to be free of infection. Virus Name: 405 Aliases: V Status: Extinct Discovery: 1987 Symptoms: .COM files fail to run, first 405 bytes of .COM files overwritten Origin: Austria or Germany Eff Length: N/A Type Code: ONC - Overwriting Non-Resident .COM Infector Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan 1.4+, VirexPC 1.1+ Removal Instructions: Scan/D, F-Prot, or delete infected files General Comments: The 405 virus is an overwriting virus which infects only .COM files in the current directory. If the length of the .COM file was originally less than 405 bytes, the resulting infected file will have a length of 405 bytes. This virus currently cannot recognize .COM files that are already infected, so it will attempt to infect them again. The 405 Virus doesn't carry an activation date, and doesn't do anything but replicate in the current directory. However, since it overwrites the first 405 bytes of .COM files, infected files are not recoverable except by replacing them from uninfected backups or master distribution disks. Virus Name: 512 Aliases: 512-A, Number of the Beast Virus, Stealth Virus V Status: Rare Discovery: November, 1989 Origin: Bulgaria Symptoms: Program crashes, system hangs, .COM file growth, TSR. Eff Length: 512 Bytes Type Code: PRCK - Parasitic Resident .COM Infector Detection Method: ViruScan V58+, Pro-Scan 1.4+, VirexPC 1.1+ Removal Instructions: CleanUp V58+, Pro-Scan 1.4+ General Comments: The 512 virus is not the same as the Original Friday The 13th COM virus. The 512 virus was originally isolated in Bulgaria in January, 1990, by Vesselin Bontchev. It infects .COM files, including COMMAND.COM, installing itself memory resident when the first infected program is run. After becoming memory resident, any .COM file openned for any reason will become infected if its uninfected length is at least 512 bytes. Systems infected with the 512 virus will experience program crashes due to unexpected errors, as well as system hangs. This virus also will destroy some file linkages when it infects files. The virus's alias of "Number of the Beast" Virus is because the author of the virus used a signature of text 666 near the end of the virus to determine if the file is already infected. Since 512 adds its viral code to the end of infected files, it is easy to verify that a file is infected by the 512 virus by checking for this signature. Known variant(s) of the 512 Virus are: 512-B : Similar to the 512 Variant, except that the DOS version check in the original virus has been omitted. The author's signature of '666' has been omitted. 512-C : Similar to the 512-B Variant, minor code changes. 512-D : Similar to the 512-C Variant, except that the virus no longer checks to see if a file has the System Attribute on it before infecting it. Author's signature is the hex string BE10 located at the end of infected files. Virus Name: 1008 Aliases: V Status: Rare Discovery: June, 1990 Symptoms: COMMAND.COM growth, Internal Stack Error and System Halt on Boot Origin: Eff Length: 1,008 Bytes Type Code: PRK - Parasitic Resident COMMAND.COM Infector Detection Method: ViruScan V64+ Removal Instructions: Scan/D, or delete infected files General Comments: The 1008 Virus was discovered in June, 1990. It is a memory resident COMMAND.COM infector. It does not infect other .COM files. The first time a program infected with the 1008 virus is executed, the virus will install itself memory resident. COMMAND.COM is also infected at this time, resulting in its length increasing by 1,008 Bytes. The increase in file size of COMMAND.COM cannot be seen by doing a directory listing if the virus is present in memory. Booting a system with an infected copy of COMMAND.COM may result in an internal stack error, and the system being halted. This effect was noted on the author's test machine which is a 640K XT-clone running Microsoft MS-DOS Version 3.30. Virus Name: 1210 Aliases: Prudents Virus V Status: Rare Discovery: December, 1989 Symptoms: .EXE growth, disk write failure, TSR Origin: Spain Eff Length: 1,210 Bytes Type Code: PRE - Parasitic Resident .EXE Infector Detection Method: ViruScan V61+, Pro-Scan 1.4+ Removal Instructions: Scan/D, or delete infected files General Comments: The 1210, or Prudents Virus, was first isolated in Barcelona, Spain, in December 1989. The 1210 is a memory resident virus, infecting .EXE files when they are executed. This virus activates between May 1st and May 4th of any year, causing disk writes to be changed to disk verifies, so writes to the disk never occur between these dates. Virus Name: 1226 Aliases: V1226 V Status: Rare Discovery: July 1990 Symptoms: .COM growth, decrease in system and free memory, system hangs, spurious characters displayed in place of program executing, disk drive spinning Origin: Bulgaria Eff Length: 1,226 Bytes Type Code: PRhC - Parasitic Resident .COM Infector Detection Method: ViruScan V66+ Removal Instructions: Scan/D, or delete infected files General Comments: The 1226 Virus was isolated in Bulgaria in July 1990 by Vesselin Bontchev. This virus is a memory resident generic .COM infector, though it does not infect COMMAND.COM. The 1226 Virus is a self- encrypting virus, and simple search string algorithms will not work to detect its presence on a system. The first time a program infected with the 1226 virus is executed, the virus will install itself memory resident, reserving 8,192 bytes of memory at the top of free memory. Interrupt 2A will be hooked. Once 1226 is memory resident, the virus will attempt to infect any .COM file that is executed that is at least 1,226 bytes in length before infection. The virus is rather "buggy" and the infection process is not always entirely successful. Successfully infected files will increase in length by 1,226 bytes. This virus will infect .COM files multiple times, it is unable to determine that the file is already infected. Each time the file is infected it will grow in length by another 1,226 bytes. Eventually, the .COM files will grow too large to fit into memory. Systems infected with the 1226 virus may experience unexpected system hangs when attempting to execute programs. Another affect is that instead of a program executing, a line or two of spurious characters will appear on the system display. Lastly, infected systems will always indicate that they have 8,192 less bytes of total system and free memory available than is actually on the machine. There are two later versions of this virus, 1226D and 1226M, which are much better replicators than the original 1226 virus. These two variants are documented as 1226D in this document due to their different characteristics. Also see: 1226D Virus Name: 1226D Aliases: V1226D V Status: Rare Discovery: July 1990 Symptoms: .COM growth, decrease in system and free memory Origin: Bulgaria Eff Length: 1,226 Bytes Type Code: PRhC - Parasitic Resident .COM Infector Detection Method: ViruScan V66+ Removal Instructions: Scan/D, or delete infected files General Comments: The 1226D Virus was isolated in Bulgaria in July 1990 by Vesselin Bontchev. This virus is a memory resident generic .COM infector, though it does not infect COMMAND.COM. The 1226D Virus is a self- encrypting virus, and simple search string algorithms will not work to detect its presence on a system. The 1226D Virus is based on the 1226 Virus, and has had several bugs in the 1226 Virus fixed. It is a much better replicator, infecting successfully on file opens as well as when .COM files are executed. The first time a program infected with the 1226 virus is executed, the virus will install itself memory resident, reserving 8,192 bytes of memory at the top of free memory. Total system and free memory are decreased by 8,192 bytes. Interrupt 2A will be hooked. Once 1226 is memory resident, the virus will attempt to infect any .COM file that is executed that is at least 1,226 bytes in length before infection. Infected files will increase in length by 1,226 bytes. As with the original 1226 Virus, a .COM file may be infected multiple times by the 1226D Virus as the virus is unable to determine that the file was previously infected. Each infection will result in another 1,226 bytes being added to the infected file's length. Eventually, the .COM files will grow too large to fit into memory. In addition to infecting .COM files when they are executed, the 1226D Virus will infect .COM files with a length of at least 1,226 bytes when they are openned for any reason. The simple act of copying a .COM file with the virus memory resident will result in both the source and target files being infected. Unlike the 1226 Virus, systems infected with the 1226D virus will not experience the system hangs or spurious characters symptomatic of the 1226 virus. Infected system will still indicate that they have 8,192 bytes less of total system memory than is installed on the machine. Known variant(s) of 1226D are: 1226M/V1226M : Similar to the 1226D virus, except that files are not infected on file open, only when they are executed. Also see: 1226 Virus Name: 1253 Aliases: AntiCad, V-1 V Status: New Discovey: August, 1990 Symptoms: TSR; BSC; COMMAND.COM & .COM file growth; partition table change Origin: Austria Eff Length: 1,253 Bytes Type Code: PRstBCKX - Parasitic Resident .COM & Partition Table Infector Detection Method: ViruScan V66+ Removal Instructions: Scan/D plus MDisk/P General Comments: The 1253 Virus was submitted in August 1990. It is believed to have originated in (or at least to have been first isolated in) Austria. 1253 is a generic infector of .COM files, including COMMAND.COM. It also infects the boot sector of diskettes and the partition table of hard disks. The first time a program infected with the 1253 Virus is executed, the virus will install itself memory resident as a low system memory TSR. The TSR will be 2,128 bytes in length, hooking interrupts 08, 13, 21, and 60. Total system memory will remain unchanged, and free memory will decrease by 2,128 bytes. At this time, the partition table of the system's hard disk is infected with the 1253 virus. If the infected program was executed from a diskette, the diskette's boot sector will also be infected. Each time a .COM file is executed with the virus resident in memory, the .COM file will be infected if it hasn't previously been infected. The 1253 Virus appends its viral code to the end of the .COM file, and then changes the first few bytes of the program to be a jump to the appended code. Infected files increase in length by 1,253 bytes, and the virus makes no attempt to hide the increase when the directory is displayed. Infected files will also have their fourth thru sixth bytes set to "V-1" (hex 562D31). Any diskettes which are accessed while the virus is present in memory will have their boot sector infected with this virus. Newly formatted diskettes, likewise, will be infected immediately. The 1253 virus is destructive when it activates. The author of this listing was able to get it to activate by setting the system date to December 24 and then executing an infected program on drive A:. The virus promptly went and overwrote the entire diskette in drive A: with a pattern of 9 sectors of what appears to be a program fragment. Once the virus has started to overwrite a diskette, the only way to stop the disk activity is to power off the system. The virus in the partition table and/or diskette boot sector is of special note. When the system is booted from the hard disk or diskette with the virus in the partition table or boot sector, the virus will install itself memory resident. At this time, the virus resides above the top of system memory but below the 640K DOS boundary. The change in total system memory and available free memory will be 77,840 bytes. It can be seen with the CHKDSK command. At this time, any .COM program executed will be infected with the 1253 virus, even though no programs on the hard disk may contain this virus before the system boot occurred. One effect of this virus, once the system has been booted from an infected hard drive or floppy is that the FORMAT command may result in unexpected disk activity to inactive drives. For example, on the author's system, when formatting a diskette in drive A: with the current drive being drive C:, there was always disk activity to drive B:. Disinfecting the 1253 virus required that besides disinfecting or deleting infected .COM programs, the hard disks partition table and the boot sector of any diskettes exposed to the infected system must be disinfected. The virus can be removed safely from the partition table and diskette boot sectors by using MDisk with the /P option after powering off the system and rebooting from a write-protected uninfected boot diskette. If the partition table and diskette boot sectors are not disinfected, the system will promptly experience reinfection of .COM files with the virus following a system boot from the hard disk or diskette. Disinfecting the partition table and boot sectors, when done properly, will also result in the system's full memory again being available. It is unknown if there are other activation dates for this virus, or if it will overwrite the hard disk if an infected program is executed on December 24 from the hard disk. Virus Name: 1260 Aliases: V Status: Research Discovey: January, 1990 Symptoms: .COM file growth Origin: Minnesota, USA Eff Length: 1,260 Bytes Type Code: PNC - Parasitic Encrypting Non-Resident .COM Infector Detection Method: ViruScan V57+, IBM Scan, Pro-Scan 1.4+ Removal Instructions: CleanUp V57+, Pro-Scan 1.4+ General Comments: The 1260 virus was first isolated in January, 1990. This virus does not install itself resident in memory, but is it extremely virulent at infecting .COM files. Infected files will have their length increased by 1,260 bytes, and the resulting file will be encrypted. The encryption key changes with each infection which occurs. The 1260 virus is derived from the original Vienna Virus, though it is highly modified. The 1260 virus can infect a local area network, including the file server and all workstations. Virus Name: 1381 Virus Aliases: V Status: Rare Discovery: June, 1990 Symptoms: .EXE growth Origin: Eff Length: 1,381 Bytes Type Code: PNE - Parasitic Non-Resident .EXE Infector Detection Method: ViruScan V64+ Removal Instructions: Scan/D, or Delete infected files General Comments: The 1381 Virus was isolated in June, 1990. It is a non-resident generic .EXE infector. Each time a program infected with the 1381 Virus is executed, the virus will attempt to infect one other .EXE file on the current drive. An .EXE file will only be infected if it is greater than 1,300 bytes in length before infection. After infection, files will have increased in length by between 1,381 and 1,389 bytes. The virus can be found at the end of infected files. Infected files will also contain the following text strings: "INTERNAL ERROR 02CH. PLEASE CONTACT YOUR HARDWARE MANUFACTURER IMMEDIATELY ! DO NOT FORGET TO REPORT THE ERROR CODE !" It is currently unknown what the 1381 Virus does, or what prompts it to display the above message. Virus Name: 1392 Aliases: Amoeba Virus V Status: Rare Discovery: March, 1990 Symptoms: TSR, .COM & .EXE growth, dates modified Origin: Indonesia Eff Length: 1,392 Bytes Type Code: PRA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V61+, VirexPC 1.1+ Removal Instructions: Scan/D, or delete infected files General Comments: The 1392, or Amoeba, Virus was first isolated in Indonesia in March 1990. The 1392 virus is a memory resident virus that infects .COM and .EXE files, including COMMAND.COM. As files are infected, their creation/modification date is changed to the date the files were infected. This virus does not appear to cause any destructive damage. The following message appears in the virus, which is where its alias of Amoeba was derived from: "SMA KHETAPUNK - Nouvel Band A.M.O.E.B.A" Virus Name: 1554 Aliases: Ten Bytes, 1559, 9800:0000 Virus, V-Alert V Status: Rare Discovery: February, 1990 Symptoms: .COM & .EXE growth, TSR, linkage corruption, system hang Origin: Eff Length: 1,554 Bytes Type Code: PRfAK - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V58+, IBM Scan, Pro-Scan 1.4+, VirexPC 1.1+ Removal Instructions: Scan/D General Comments: The 1554 virus was accidently sent out over the VALERT-L network on February 13, 1990 to approximately 600 subscribers. When a program is executed that is infected with the 1554 virus, the virus installs itself memory resident. It will then proceed to infect .COM over 1000 bytes in length and .EXE files over 1024 bytes in length, including COMMAND.COM, increasing their length after infection by 1,554 to 1,569 bytes. The 1554 virus activates in September, October, November, or December of any year. Upon activation, any files which are written will be missing the first ten bytes. At the end of these files, ten bytes of miscellaneous characters will appear. In effect, both programs and data files will be corrupted. If the 1554 Virus is executed on a system with less than 640K of system memory, the virus will hang the system. Virus Name: 1704 Format Aliases: V Status: Rare Discovery: January, 1989 Symptoms: TSR, Falling letters, .COM growth, formatted disk Origin: Eff Length: 1,704 Bytes Type Code: PRC - Parasitic Encrypting Resident .COM Infector Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC Removal Instructions: M-1704, CleanUp, Scan/D, F-Prot, VirexPC, Pro-Scan 1.4+ General Comments: Like the Cascade Virus, but the disk is formatted when the virus activates. Activation occurs during the months of October, November, and December of any year except 1993. Virus Name: 1720 Aliases: PSQR Virus V Status: Rare Discovery: March, 1990 Symptoms : TSR, .COM & .EXE growth, partition table damage on activation, programs on diskette deleted on Friday The 13ths Origin: Spain Eff Length: 1,720 Bytes Type Code: PRsA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V61+, VirexPC 1.1+ Removal Instructions: Scan /D, or delete infected files General Comments: The 1720, or PSQR Virus, is a variant of the Jerusalem Virus which was first isolated in Barcelona, Spain, in March 1990. This virus, infects .COM and .EXE files, though unlike Jerusalem, it does not infect Overlay files. COMMAND.COM will also not be infected. The first time an infected file is executed, the virus will install itself memory resident, and then infect each executable file as it is run. On Friday The 13ths, the 1720 Virus will activate the first time an infected program is executed. When the program is executed, it will be deleted from disk. More damaging, however, is that the 1720 virus will check to see if the system has a hard disk drive. If a hard disk drive is present, the virus will overwrite the boot sector and partition table resulting in all data on the hard disk becoming unavailable. The system will also appear to hang. Virus Name: 4096 Aliases: Century Virus, IDF Virus, Stealth Virus, 100 Years Virus V Status: Common Discovery: January, 1990 Symptoms: .COM, .EXE, & overlay file growth; TSR hides growth; crosslinks Origin: Israel Eff Length: 4,096 Bytes Type Code: PRsA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V53+, F-Prot, IBM Scan, Pro-Scan, VirexPC 1.1+ Removal Instructions: CleanUp V62+, Pro-Scan 1.4+, F-Prot, or see note below General Comments: The 4096 virus was first isolated in January, 1990. This virus is considered a "Phase II" virus in that it is almost invisible to the system user. The 4096 virus infects .COM, .EXE, and Overlay files, adding 4,096 bytes to their length. Once the virus is resident in system memory, the increase in length will not appear in a directory listing. Once this virus has installed itself into memory, it will infect any executable file that is opened, including if it is opened with the COPY or XCOPY command. This virus is destructive to both data files and executable files, as it very slowly crosslinks files on the system's disk. The crosslinking occurs so slowly that it appears there is a hardware problem, the virus being almost invisible. The crosslinking of files is the result of the virus manipulating the FATs, changing the number of available sectors, as well as the user issuing CHKDSK/F commands which will think that the files have lost sectors or crosslinking if the virus is in memory. As a side note, if the virus is present in memory and you attempt to copy infected files, the new copy of the file will not be infected with the virus if the new copy does not have an executable file extension. Thus, one way to disinfect a system is to copy off all the infected files to diskettes with a non-executable file extension (ie. don't use .EXE, .COM, .SYS, etc) while the virus is active in memory, then power off the system and reboot from a write protected (uninfected) system disk. Once rebooted and the virus is not in memory, delete the infected files and copy back the files from the diskettes to the original executable file names and extensions. The above will disinfect the system, if done correctly, but will still leave the problem of cross-linked files which are permanently damaged. On or after September 22 of any year, the 4096 virus will hang infected systems. This appears to be a "bug" in the virus in that it goes into a time consuming loop. The 4096 virus also contains a boot-sector within its code, however, it is never written out to the disk's boot sector. Moving this boot sector to the boot sector of a diskette and rebooting the system will result in the message "FRODO LIVES" being displayed. September 22 is Bilbo and Frodo Baggin's birthday in the Lord Of The Rings trilogy. Known variant(s) of the 4096 virus include: 4096-B : Similar to the 4096 virus, the main change is that the encryption mechanism has been changed in order to avoid detection. Virus Name: 5120 Aliases: VBasic Virus, Basic Virus V Status: Rare Discovery: May, 1990 Origin: West Germany Symptoms: .COM & .EXE growth, file corruption, unexpected disk activity Eff Length: 5,120 Bytes Type Code: PNAK - Parasitic Non-Resident .COM & .EXE Infector Detection Method: ViruScan V63+, Pro-Scan 1.4+ Removal Instructions: Scan/D, Pro-Scan 1.4+, or Delete infected files General Comments: The 5120 Virus was first isolated in May, 1990. It is a non- resident generic file infector, infecting .COM and .EXE files, including COMMAND.COM. This virus is was written in Turbo Basic. When an infected file is executed, the 5120 virus will infect one .COM and one .EXE file on the current drive and directory, followed by attempting to infect one randomly selected .COM or .EXE file in each directory on the system's C: drive. Infected .COM files increase in length by 5,120 bytes. .EXE files infected by the 5120 Virus will increase in length by between 5,120 and 5,135 bytes. Unlike most of the MS-DOS viruses, the 5120 Virus does not intercept disk write errors when attempting to infect programs. Thus, infected systems may notice disk write error messages when no access should be occurring for a drive, such as the C: hard disk partition. Data files may become corrupted on infected systems, as well as crosslinking of files may occur. The following text strings can be found in files infected with the 5120 virus. These strings will appear near the end of the file: "BASRUN" "BRUN" "IBMBIO.COM" "IBMDOS.COM" "COMMAND.COM" "Access denied" There is one variant of the 5120 Virus which does not contain the above strings, but behaves in a very similar manner. Virus Name: AIDS Aliases: Hahaha, Taunt, VGA2CGA V Status: Endangered Discovery: 1989 Symptoms: Message, .COM file corruption Origin: Eff Length: N/A Type Code: ONC - Overwriting Non-Resident .COM Infector Detection Method: ViruScan V40+, Pro-Scan, VirexPC 1.1+ Removal Instructions: Scan/D, or delete infected .COM files General Comments: The AIDS virus, also known as the Hahaha virus in Europe and referred to as the Taunt virus by IBM, is a generic .COM and .EXE file infector. When the virus activates, it displays the message "Your computer now has AIDS", with AIDS covering about half of the screen. The system is then halted, and must be powered down and rebooted to restart it. Since this virus overwrites the first 13K of the executable program, the files must be deleted and replaced with clean copies in order to remove the virus. It is not possible to recover the overwritten portion of the program. Note: this is NOT the Aids Info Disk/PC Cyborg Trojan. Virus Name: Aids II Virus Aliases: Companion Virus V Status: Endangered Discovery: April, 1990 Symptoms: Creates .COM files, melody, message Origin: Eff Length: 8,064 Bytes Type Code: SNA - Spawning Non-Resident .COM & .EXE Infector Detection Method: ViruScan V62+, Pro-Scan 1.4+ Removal Instructions: Scan/D, or delete corresponding .COM files General Comments: The Aids II Virus, or Companion Virus, was isolated for the first time in April 1990. Unlike other generic file infectors, the Aids II Virus is the first known virus to employ what could be termed a "corresponding file technique" of infection so that the original target .EXE file is never changed. The virus takes advantage of the DOS feature where if a program exists in both .COM and .EXE form, the .COM file will be executed. The Aids II Virus does not directly infect .EXE files, instead it stores a copy of the virus in a corresponding .COM file which will be executed when the user trys to execute one of his .COM files. The .EXE file, and the .COM file containing the viral code will both have the same base file name. The method of infection is as follows: when an "infected" program is executed, since a corresponding .COM file exists, the .COM file containing the viral code is executed. The virus first locates an uninfected .EXE file in the current directory and creates a corresponding (or companion) .COM file with the viral code. These .COM files will always be 8,064 Bytes in length with a file date/time of the date/time of infection. The .EXE file is not altered at all. After creating the new .COM file, the virus then plays a melody and displays the following message, the "*" indicated below actually being ansi heart characters: "Your computer is infected with ... * Aids Virus II * - Signed WOP & PGT of DutchCrack -" The Aids II Virus then spawns to the .EXE file that was attempting to be executed, and the program runs without problem. After completion of the program, control returns to the Aids II Virus. The melody is played again with the following message displayed: "Getting used to me? Next time, use a Condom ....." Since the original .EXE file remains unaltered, CRC checking programs cannot detect this virus having infected a system. One way to manually remove the Aids II Virus is to check the disk for programs which have both a .EXE and a .COM file, with the .COM file having a length of 8,064 bytes. The .COM files thus identified should be erased. The displayed text strings do not appear in the viral code. Virus Name: AirCop Aliases: V Status: New Discovery: July, 1990 Isolated: Washington, USA Symptoms: BSC; System Halt; Message; decrease in system and free memory Origin: Taiwan Eff Length: N/A Type Code: FR - Resident Floppy Boot Sector Infector Detection Method: ViruScan V66+ Removal Instructions: MDisk or DOS SYS command General Comments: The AirCop Virus was discovered in the State of Washington in the United States in July, 1990. Some early infections of this virus, however, have been traced back to Taiwan, and Taiwan is probably where it originated. AirCop is a boot sector infector, and it will only infect 360K 5.25" floppy diskettes. When a system is booted from a diskette which is infected with the AirCop virus, the virus will install itself memory resident. The AirCop Virus installs itself memory resident at the top of high system memory. The system memory size and available free memory will decrease by 1,024 bytes when the AirCop virus is memory resident. AirCop hooks interrupt 13. Once AirCop is memory resident, any non-write protected diskettes which are then accessed will have their boot sector infected with the AirCop virus. AirCop will copy the original disk boot sector to sector 719 (Side 1, Cyl 39, Sector 9 on a normal 360K 5.25" diskette) and then replace the boot sector at sector 0 with a copy of the virus. If a boot sector of a diskette infected with the AirCop virus is viewed, it will be missing almost all of the messages which normally appear in a normal boot sector. The only message remaining will be: "Non-system..." This will be located just before the end of the boot sector. The AirCop Virus will do one of two things on infected systems, depending on how compatible the system's software and hardware is with the virus. On most systems, the virus will display the following message at random intervals: "Red State, Germ Offensive. AIRCOP." On other systems, the virus being present will result in the system receiving a Stack Overflow Error and the system being halted. In this case, you must power off the system in order to be able to reboot. AirCop currently does not infect hard disk boot sectors or partition tables. AirCop can be removed from infected diskettes by first powering off the system and rebooting from a known clean write protected DOS master diskette. The DOS SYS command should then be used to replace the infected diskette's boot sector. Alternately, MDisk can be used following the power-down and reboot. Virus Name: Alabama Aliases: V Status: Rare Discovery: October, 1989 Symptoms: .EXE growth, Resident (see text), message, FAT corruption Origin: Israel Eff Length: 1,560 bytes Type Code: PRfET - Parasitic Resident .EXE infector Detection Method: ViruScan V43+, F-Prot, IBM Scan, Pro-Scan Removal Instructions: CleanUp, F-Prot, Pro-Scan 1.4+, delete infected files General Comments: The Alabama virus was first isolated at Hebrew University in Israel by Ysrael Radai in October, 1989. Its first known activation was on October 13, 1989. The Alabama virus will infect .EXE files, increasing their size by 1,560 bytes. It installs itself memory resident when the first program infected with the virus is executed, however it doesn't use the normal TSR function. Instead, this virus hooks Int 9 as well as IN and OUT commands. When a CTL-ALT-DEL combination is detected, the virus causes an apparent boot but remains in RAM. The virus loads itself 30K under the highest memory location reported by DOS, and does not lower the amount of memory reported by BIOS or DOS. After the virus has been memory resident for one hour, the following message will appear in a flashing box: "SOFTWARE COPIES PROHIBITED BY INTERNATIONAL LAW.............. Box 1055 Tuscambia ALABAMA USA." The Alabama virus uses a complex mechanism to determine whether or not to infect the current file. First, it checks to see if there is an uninfected file in the current directory, if there is one it infects it. Only if there are no uninfected files in the current directory is the program being executed infected. However, sometimes instead of infecting the uninfected candidate file, it will instead manipulate the FATs to exchange the uninfected candidate file with the currently executed file without renaming it, so the user ends up thinking he is executing one file when in effect he is actually executing another one. The end result is that files are slowly lost on infected systems. This file swapping occurs when the virus activates on ANY Friday. Virus Name: Alameda Aliases: Merritt, Peking, Seoul, Yale V Status: Rare Discovery: 1987 Symptoms: Floppy boot failures, Resident-TOM, BSC Origin: California, USA Eff Length: N/A Type Code: RtF - Resident Floppy Boot Sector Infector Detection Method: ViruScan, F-Prot, IBM Scan Removal Instructions: MDisk, CleanUp, F-Prot, or DOS SYS General Comments: The Alameda virus was first discovered at Merritt college in Alameda, California in 1987. The original version of this virus caused no intentional damage, though there is now at least 1 variant of this virus that now causes floppy disks to become unbootable after a counter has reached its limit (Alameda-C virus). The Alameda virus, and its variants, all replicate when the system is booted with a CTL-ATL-DEL and infect only 5 1/4" 360K diskettes. These viruses do stay in memory thru a warm reboot, and will infect both system and non-system disks. System memory can be infected on a warm boot even if Basic is loaded instead of DOS. The virus saves the real boot sector at track 39, sector 8, head 0. The original version of the Alameda virus would only run on a 8086/8088 machine, though later versions can now run on 80286 systems. Also see: Golden Gate, SF Virus Virus Name: Ambulance Car Virus Aliases: RedX V Status: Rare Discovery: June, 1990 Symptoms: .COM growth, graphic display & sound Origin: West Germany Eff Length: 796 Bytes Type Code: PNC - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V64+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Ambulance Car Virus was isolated in West Germany in June, 1990. This virus is a non-resident .COM infector. When a program infected with the Ambulance Car Virus is executed, the virus will attempt to infect one .COM file. The .COM file to be infected will be located on the C: drive. This virus only infects one .COM file in any directory, and never the first .COM file in the directory. It avoids infecting COMMAND.COM as that file is normally the first .COM file in the root directory. On a random basis, when an infected file is executed it will have the affect of a graphics display of an ASCII block drawing of an ambulance moving across the bottom of the system display. This graphics display will be accompanied with the sound of a siren played on the system's speaker. Both of these effects only occur on systems with a graphics capable display adapter. Virus Name: Amstrad Aliases: V Status: Rare Discovery: November, 1989 Symptoms: .COM growth, message Origin: Portugal Eff Length: 847 Bytes Type Code: PNC - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V51+, F-Prot, IBM Scan, Pro-Scan, VirexPC 1.1+ Removal Instructions: Scan/D, F-Prot, Pro-Scan 1.4+, or erase infected files General Comments: The Amstrad virus was first reported in November, 1989, by Jean Luz of Portugal, however it has been known of in Spain and Portugal for a year prior to that. The virus is a generic .COM infector, but is not memory resident nor does it infect COMMAND.COM. The virus carries a fake advertisement for the Amstrad computer. The Amstrad virus appears to cause no other damage to the system other than replicating and infecting files. Known variants of the Amstrad Virus are: Pixel/V-345 - Similar to the Amstrad virus described above, except that the virus is 345 Bytes in length, can now infect COMMAND.COM, and contains the message: "=!= Program sick error:Call doctor or by PIXEL for cure description". This message is not displayed. The Pixel virus was originally distributed in Greece by Pixel magazine. The Pixel Virus can only infect programs in the current directory. Origin: Greece V-277 - Similar to the Pixel/V-345 virus described above, except that the virus is now 277 Bytes in length, and does not contain any message text. The original message text has been replaced with code to produce a parity error approximately 50% of the time when an infected program is executed. Origin: Bulgaria V-299 - Similar to Pixel, except that the length of the virus is 299 Bytes. Origin: Bulgaria V-847 - Similar to Pixel, except that the length of the virus is 847 Bytes. Origin: Bulgaria V-847B - Similar to V-847, except that the message in the virus is now in Spanish and is: "=!= En tu PC hay un virus RV1, y esta es su quinta generacion". This variant was originally distributed by a magazine in Spain in file NOCARGAR.COM. Origin: Spain Virus Name: Anthrax Aliases: V Status: Rare Discovery: July, 1990 Symptoms: .COM & .EXE growth Origin: Eastern Europe Isolated: Netherlands Eff Length: 1040 - 1232 Bytes Type Code: PRAKX - Parasitic Resident .COM, .EXE, & Partition Table Infector Detection Method: ViruScan V66+ Removal Instructions: Scan/D + MDisk/P General Comments: The Anthrax Virus was isolated in July 1990 in the Netherlands after it was uploaded onto several BBSes in a trojan anti-viral program, USCAN.ZIP. It is the second virus to be found in a copy of UScan during July 1990, the first virus being V2100. Anthrax is a memory resident generic infector of .COM and .EXE files, including COMMAND.COM. The first time a program infected with the Anthrax virus is executed on the system's hard disk, the virus will infect the hard disk's partition table. At this time, it will also install itself memory resident. Anthrax does not start to infect files immediately. Instead it will sit in memory watching what is occurring on the system. After some pre-defined event occurs, it will then infect one .COM or .EXE file each time an infected program is executed. It appears that the pre-determined event is related to the number of keystrokes that occur on the system's keyboard. Programs are selected for infection by the virus by infecting the C: drive first, working its way thru the directory structure of the drive. Programs infected with Anthrax will increase in length by at least 1,040 bytes. On the author's test system, the largest increase in length experienced was 1,232 bytes. The following text strings can be found in files infected with the Anthrax virus: "(c)Damage, Inc." "ANTHRAX" It is not known if Anthrax carries any destructive capabilities or trigger/activation dates. Since Anthrax infects the hard disk partition tables, infected systems must have the partition table disinfected or rebuilt in order to remove the virus. This disinfection can be done with either a low- level format or use of the MDisk/P program for the correct DOS version after powering off and rebooting from a write-protected boot diskette for the system. Any .COM or .EXE files infected with Anthrax must also be disinfected or erased. Virus Name: Anti-Pascal Aliases: Anti-Pascal 605 Virus, AP-605, C-605, V605 V Status: Rare Discovery: June, 1990 Symptoms: .COM growth, .BAK and .PAS file corruption Origin: Bulgaria Isolated: Sofia, Bulgaria Eff Length: 605 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V66+ Removal Instructions: Scan/D, or delete infected files General Comments: The Anti-Pascal Virus, V605 or C-605, was isolated in Sofia, Bulgaria in June 1990 by Vesselin Bontchev. Originally, it was thought that the Anti-Pascal virus was from the USSR or Poland, but it has since been determined to have been a research virus written in Bulgaria over one year before it was isolated. The author was not aware that it had "escaped" until July, 1990. The Anti-Pascal Virus is a generic .COM file infector, including COMMAND.COM. While this virus is not memory resident, when it is in the process of infecting files, interrupt 21 will be hooked. When a program infected with the Anti-Pascal virus is executed, the virus will attempt to infect two other .COM files on the current drive or on drive D: which are between 605 and 64,930 bytes in length. These files must not have the read only attribute set. If an uninfected .COM file meeting the virus's selection criteria is found, the first 605 bytes of the program is overwritten with the viral code. The original 605 bytes of the program is then appended to the end of the infected file. Infected files will have increased in length by 605 bytes, and they will also begin with the text string "PQVWS" as well as contain the string "COMBAKPAS???EXE" at offset 0x17. Infected files will also have had their file date/time stamps in the directory updated to the date/time that the infection occurred. If the Anti-Pascal Virus cannot find two .COM files to infect, it will check the current drive and directory for .BAK and .PAS files. If these files exist, they will be overwritten with the virus's code. If the overwritten files were .PAS files, the system's user has now lost some of their Pascal source code. After overwriting .BAK and .PAS files, the virus will attempt to rename them to .COM files, or .EXE files if a .COM file already exists. This rename does not work due to a bug in the virus. Known variant(s) of the Anti-Pascal Virus are: AP-529 : Similar to the 605 byte Anti-Pascal Virus, the major differences are that AP-529 will only infect .COM files over 2,048 bytes in length. Infected files increase in length by 529 bytes. Additionally, instead of overwriting the .BAK and .PAS files, one .BAK and .PAS file will be deleted if there are no uninfected .COM files with a length of at least 2,048 bytes on the current drive. .COM files on the C: drive root directory may also be infected by AP-529 when it is executed from the A: or B: drive. This variant should be considered a "Research Virus", it is not believed to have been publicly released. Also see: Anti-Pascal II Virus Name: Anti-Pascal II Aliases: Anti-Pascal 400, AP-400 V Status: Research Discovery: June, 1990 Symptoms: .COM growth; .BAK, .BAT and .PAS file deletion, boot sector alteration on hard disk Origin: Bulgaria Isolated: Sofia, Bulgaria Eff Length: 400 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V66+ Removal Instructions: Scan/D, or delete infected files General Comments: The Anti-Pascal II Virus, or AP-400, was isolated in Sofia, Bulgaria in June 1990 by Vesselin Bontchev. It is one of five viruses/variants in the Anti-Pascal family. Two of the earlier variants, Anti-Pascal/AP-605 and AP-529, are documented under the name "Anti-Pascal". The variants listed under Anti-Pascal II have been separated due to some of their characteristics differing from the 605 byte and 529 byte viruses. The Anti-Pascal II Virus is a generic .COM file infector, including COMMAND.COM. While this virus is not memory resident, when it is in the process of infecting files, interrupt 21 will be hooked. The first time a program infected with the Anti-Pascal II virus is executed on a system, the virus will attempt to infect one (1) .COM file in the root directory of each drive accessible on the system. Files are only infected if their length is at least 2,048 bytes, and the resulting infected file will be less than 64K in length. Since COMMAND.COM is usually the first .COM file on a drive, it will immediately become infected. One additional .COM file will also be infected on the current drive. The mechanism used to infect the file is to write the virus's code to the end of the file. A jump is used to execute the virus's code before the original program is executed. Infected files do not have their date/time stamps in the directory updated to the system date and time when the infection occurred. If the Anti-Pascal Virus cannot find a .COM file to infect on a given drive, or two .COM files to infect on the current drive, it will check for the existance of .BAK, .PAS, or .BAT files. If found, these files will be deleted. These deletions only occur in root directories and on the current drive's current directory. Since each root directory (as well as the current directory) will typically not have all of its .COM files infected at the same time, the deletes will occur on different drives and directories at different times. Symptoms of infection of the Anti-Pascal II Virus include file length increases of 400 bytes, unexpected disk access to drives other than the current drive, and disappearing .BAK, .PAS, and .BAT files. One other symptom of an Anti-Pascal II infection is that the hard disk's boot sector will be slightly altered by the virus. Anti-viral programs which CRC-check the boot sector will indicate that a boot sector infection may have occurred. The boot sector alteration does not contain a live virus, but will throw the system user off into thinking their problem is from a boot sector virus instead of a file infector. The Anti-Pascal II Virus and its variants indicated below are not believed to have been publicly released. As such, they have been classified as "Research Viruses". Known variant(s) of the Anti-Pascal II Virus are: AP-440 : Very similar to the 400 byte version of the Anti-Pascal II Virus, the major characteristic change is that this variant has a length of 440 bytes. This variant is an intermediary between AP-480 and the 400 byte version documented above. AP-480 : Similar to the Anti-Pascal II virus, this variant is an earlier version which is 480 bytes in length. It does not delete .BAT files, but only .BAK and .PAS. This variant is the earliest variant of the Anti-Pascal II grouping. Also see: Anti-Pascal Virus Name: Armagedon Aliases: Armagedon The First, Armagedon The Greek V Status: Rare Discovery: June, 1990 Symptoms: text string intermittently sent to COM ports Origin: Athens, Greece Eff Length: 1,079 Bytes Type Code: PRC - Parasitic Resident .COM Infector Detection Method: ViruScan V64+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Armagedon virus was isolated on June 2, 1990, by George Spiliotis of Athens, Greece. Armagedon is a memory resident virus which infects .COM files, increasing their length by 1,079 bytes. The first time an infected program is executed on a system, the virus installs itself memory resident, hooking interrupts 8 and 21. Any .COM files which are later executed are then infected by the resident virus. Infected systems will experience the text string "Armagedon the GREEK" being sent to COM ports 1 - 4 at time intervals. Between 5:00 and 7:00, the virus will attempt to use the system's COM ports to make a phone call to Local Time Information in Crete, Greece. If a connection is made, the phone line will remain open until the user notices that the phone line is in use. (Needless to say, this doesn't work if the system is located outside of Greece as dialing codes are considerably different between countries.) This virus otherwise is not destructive. Virus Name: Ashar Aliases: Shoe_Virus, UIUC Virus V Status: Common Discovery: Symptoms: BSC, Resident TOM Origin: Eff Length: N/A Type Code: BRt - Resident Boot Sector Infector Detection Method: ViruScan V41+, F-Prot, IBM Scan, Pro-Scan 1.4+ Removal Instructions: MDisk, CleanUp, Pro-Scan 1.4+, F-Prot or DOS SYS command General Comments: The Ashar virus is a resident boot sector infector which is a variant of the Brain virus. It differs from the Brain virus in that it can infect both floppies and hard disk, and the message in the virus has been modified to be: "VIRUS_SHOE RECORD, v9.0. Dedicated to the dynamic memories of millions of virus who are no longer with us today". However, the above message is never displayed. The identification string "ashar" is normally found at offset 04a6 hex in the virus. A variant of the Ashar virus exists, Ashar-B or Shoe_Virus-B, which has been modified so that it can no longer infect hard drives. The v9.0 in the message has also been altered to v9.1. Also see: Brain Virus Name: Brain Aliases: Pakistani, Pakistani Brain V Status: Common Discovery: 1986 Symptoms: Extended boot time, Volume label change, Resident TOM, Three contiguous bad sectors (floppy only), BSC Origin: Pakistan Eff Length: N/A Type Code: BRt - Resident Boot Sector Infector Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan Removal Instructions: MDisk, CleanUp, F-Prot, Pro-Scan, or DOS SYS command General Comments: The Pakistani Brain virus originated in Lahore, Pakistan and infects disk boot sectors by moving the original contents of the boot sector to another location on the disk, marking those 3 clusters (6 sectors) bad in the FAT, and then writing the virus code in the disk boot sector. One sign of a disk having been infected, at least with the original virus, is that the volume label will will be changed to "(c) Brain". Another sign is that the label "(c) Brain" can be found in sector 0 (the boot sector) on an infected disk. This virus does install itself resident on infected systems, taking up between 3K and 7K of RAM. The Brain virus is able to hide from detection by intercepting any interrupt that might interrogate the boot sector and redirecting the read to the original boot sector located elsewhere on the disk, thus some programs will be unable to see the virus. The original Brain virus only infected floppies, however variants to the virus can now infect hard disks. Also, some variants have had the "(c) Brain" label removed to make them harder to detect. Known variants of the Brain virus include: Brain-B/Hard Disk Brain/Houston Virus - hard disk version. Brain-C - Brain-B with the "(c) Brain" label removed. Clone Virus - Brain-C but restores original boot copyright label. Clone-B - Clone Virus modified to destroy the FAT after 5/5/92. Also see: Ashar Virus Name: Cascade Aliases: Fall, Falling Letters, 1701, 1704 V Status: Common Discovery: October, 1987 Symptoms: TSR, Falling letters, .COM file growth Origin: Germany Eff Length: 1,701 or 1,704 bytes Type Code: PRsC - Parasitic Resident Encrypting .COM Infector Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC Removal Instructions: M-1704, CleanUp, F-Prot, Pro-Scan 1.4+, or VirexPC General Comments: Originally, this virus was a trojan horse which was disguised as a program which was supposed to turn off the number-lock light when the system was booted. The trojan horse instead caused all the characters on the screen to fall into a pile at the bottom of the screen. In late 1987, the trojan horse was changed by someone into a memory resident .COM virus. While the original virus had a length of 1,701 bytes and would infect both true IBM PCs and clones, a variation exists of this virus which is 3 bytes longer than the original virus and does not infect true IBM PCs. Both viruses are functionally identical in all other respects. Both of the viruses have some fairly unique qualities: Both use an encryption algorithm to avoid detection and complicate any attempted analysis of them. The activation mechanisms are based on a sophisticated randomization algorithm incorporating machine checks, monitor types, presence or absence of a clock card, and the time or season of the year. The viruses will activate on any machine with a CGA or VGA monitor in the months of September, October, November, or December in the years 1980 and 1988. Known variants of the Cascade virus are: 1701-B : Same as 1701, except that it can activate in the fall of any year. 1704-D : Same as the 1704, except that the IBM selection has been disabled so that it can infect true IBM PCs. Cunning: Based on the Cascade virus, a major change to the virus is that it now plays music. Also see: 1704 Format Virus Name: Cascade-B Aliases: Blackjack, 1704-B V Status: Common Discovery: Symptoms: .COM file growth, TSR, random reboots Origin: Germany Eff Length: 1,704 bytes Type Code: PRsC - Parasitic Resident Encrypting .COM Infector Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC Removal Instructions: M-1704, M-1704C, CleanUp, F-Prot, Pro-Scan 1.4+, VirexPC General Comments: The Cascade-B virus is similar to the Cascade virus, except that the cascading display has been replaced with a system reboot which will occur at random time intervals after the virus activates. Other variation(s) which have been documented are: 1704-C : Same as 1704-B except that the virus can activate in December of any year. (Note: the disinfector for 1704-C is M-1704C.) Virus Name: Chaos Aliases: V Status: Rare Discovery: December, 1989 Symptoms: Message, TSR, Bad sectors, BSC Origin: England Eff Length: N/A Type Code: BR - Resident Boot Sector Infector Detection Method: ViruScan V53+ Removal Instructions: MDisk, CleanUp, or DOS SYS Command General Comments: First reported in December, 1989 by James Berry of Kent, England, the Chaos virus is a memory resident boot sector infector of floppy and hard disks. When the Chaos virus infects a boot sector, it overwrites the original boot sector without copying it to another location on the disk. Infected boot sectors will contain the following messages: "Welcome to the New Dungeon" "Chaos" "Letz be cool guys" The Chaos virus will flag the disk as being full of bad sectors upon activation, though most of the supposed bad sectors are still readable. It is unknown what the activation criteria is. Virus Name: Christmas Virus Aliases: XA1, 1539 V Status: Endangered Discovery: March, 1990 Symptoms: .COM file growth, display, Partition table destruction Origin: Germany Eff Length: 1,539 Bytes Type Code: PNCX - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V61+, VirexPC Removal Instructions: Scan/D or delete infected files General Comments: The Christmas Tree, or XA1, Virus was first isolated in March 1990 by Christoff Fischer of West Germany. This virus is an encrypting virus which will only infect .COM files. On April 1st of any year, the Christmas Tree virus will activate, destroying the partition table of infected hard disks the first time an infected program is executed. During the period from December 24 until January 1st of any year, when an infected program is executed, the virus will display a full screen picture of a christmas tree. Virus Name: Dark Avenger Aliases: Black Avenger, Eddie, Diana V Status: Common Discovery: September, 1989 Symptoms: TSR; .COM, .EXE, .SYS file growth; File/Disk Corruption Origin: Bulgaria Isolated: Davis, California, USA Eff Length: 1,800 bytes Type Code: PRsAK - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V36+, F-Prot, IBM Scan, Pro-Scan Removal Instructions: M-DAV, CleanUp, Pro-Scan 1.4+, F-Prot General Comments: Dark Avenger was first isolated in the United States at the University of California at Davis. It infects .COM, .EXE, and overlay files, including COMMAND.COM. The virus will install itself into system memory, becoming resident, and is extremely prolific at infecting any executable files that are openned for any reason. This includes using the DOS COPY and XCOPY commands to copy uninfected files, both the source and the target files will end up being infected. Infected files will have their lengths increased by 1,800 bytes. The Dark Avenger Virus does perform malicious damage. The virus maintains a counter in the disk's boot sector. After each sixteenth file is infected, the virus will randomly overwrite a sector on the disk with a copy of the disk's boot sector. If the randomly selected sector is a portion of a program or datafile, the program or datafile will be corrupted. Programs and datafiles which have been corrupted by a sector being overwritten are permanently damaged and cannot be repaired since the original sector is lost. If you are infected with Dark Avenger, shutdown your computer and reboot from a Write Protected boot diskette for the system, then carefully use a disinfector, following all instructions. Be sure to rescan the system for infection once you have finished disinfecting it. The Dark Avenger virus contains the words: "The Dark Avenger, copyright 1988, 1989", as well as the message: "This program was written in the city of Sofia. Eddie lives.... Somewhere in Time!". This virus bears no resemblance or similarity to the Jerusalem viruses, even though they are similar in size. Also see: V2000, V1024, V651 Virus Name: Datacrime Aliases: 1168, Columbus Day V Status: Extinct Discovery: April, 1989 Symptoms: .COM file growth, floppy disk access; formats hard disk, message any day from Oct 13 to Dec 31. Origin: Holland Eff Length: 1,168 bytes Type Code: PNC - Parasitic Non-Resident .COM Infector Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC Removal Instructions: AntiCrim, Scan/D, Pro-Scan 1.4+, VirexPC, or F-Prot General Comments: The Datacrime virus is a parasitic virus, and is also known as the 1168 virus. The Datacrime virus is a non-resident virus, infecting .COM files. The virus was originally discovered in Europe shortly after its release in March, 1989. The virus will attach itself to the end of a .COM file, increasing the file's length by 1168 bytes. The first 5 bytes of the host program are stored off in the virus's code and then replaced by a branch instruction so that the virus code will be executed before the host program. In order to propagate, the virus searches thru directories for .COM files, other than COMMAND.COM and attaches to any found .COM files (except for where the 7th letter is a D). Hard drive partitions are searched before the floppy drives are checked. The virus will continue to propagate until the date is after October 12 of any year, then when it is executed it will display a message. The de-crypted message is something like: "DATACRIME VIRUS" "RELEASED: 1 MARCH 1989". Note: only this ASCII message is encrypted in this version. A low-level format of the hard disk is then done. Errors in the code will make .COM file infection appear random and will often make the system crash following infection. Unlike the other variants of Datacrime, the original Datacrime virus does not replicate, or infect files, until after April 1 of any year. Lastly, if the computer system is using an RLL, SCSI, or PC/AT type hard disk controller, all variants of the Datacrime virus are not able to successfully format the hard disk, according to Jan Terpstra of the Netherlands. Also see: Datacrime II, Datacrime IIB, Datacrime-B Virus Name: Datacrime II Aliases: 1514, Columbus Day V Status: Endangered Discovered: September, 1989 Symptoms: .EXE & .COM file growth, formats disk Origin: Netherlands Eff Length: 1,514 bytes Type Code: PNAK - Non-Resident Encrypting .COM & .EXE Infector Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC Removal Instructions: AntiCrim, Scan/D, Pro-Scan 1.4+, VirexPC, or F-Prot General Comments: The Datacrime II virus is a variant of the Datacrime virus, the major characteristic changes are that the effective length of the virus is 1,514 bytes, and that it can now infect both .COM and .EXE files, including COMMAND.COM. There is also an encryption mechanism in the Datacrime II virus. The Datacrime II virus will not format disks on Mondays. Also see: Datacrime, Datacrime IIB, Datacrime-B Virus Name: Datacrime IIB Aliases: 1917, Columbus Day V Status: Endangered Discovered: November, 1989 Symptoms: .EXE & .COM growth, formats disk, floppy disk access. Origin: Netherlands Eff Length: 1,917 bytes Type Code: PNAK - Non-Resident Encrypting .COM & .EXE Infector Detection Method: ViruScan V51+, F-Prot, IBM Scan, Pro-Scan, VirexPC Removal Instructions: AntiCrim, Scan/D, F-Prot, VirexPC General Comments: The Datacrime IIB virus is a variant of the Datacrime II virus, and was isolated by Jan Terpstra of the Netherlands in November, 1989. This virus, as with Datacrime II, infects generic .COM & .EXE files, including COMMAND.COM, adding 1,917 bytes to the file length. The virus differs from Datacrime II in that the encryption method used by the virus to avoid detection has been changed. The Datacrime IIB virus will not format disks on Mondays. Also see: Datacrime, Datacrime II, Datacrime-B Virus Name: Datacrime-B Aliases: 1280, Columbus Day V Status: Extinct Discovered: April, 1989 Symptoms: .EXE file growth, formats MFM/RLL hard drives, odd floppy disk access. Origin: Netherlands Eff Length: 1,280 bytes Type Code: PNE - Parasitic Non-Resident Generic .EXE Infector Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC Removal Instructions: AntiCrim, Scan/D, VirexPC, Pro-Scan 1.4+, or F-Prot General Comments: The Datacrime-B virus is a variant of the Datacrime virus, the differences being that the effective length of the virus is 1,280 bytes, and instead of infecting .COM files, .EXE files are infected. Also see: Datacrime, Datacrime II, Datacrime II-B Virus Name: dBASE Aliases: DBF Virus V Status: Endangered Discovered: September, 1988 Symptoms: .COM & .OVL file growth, corrupt .DBF files, TSR, FAT and root directory overwritten Origin: New York, USA Eff Length: 1,864 bytes Type Code: PRC - Parasitic Resident .COM and Overlay Infector Detection Method: ViruScan V47+, F-Prot, IBM Scan, Pro-Scan, VirexPC Removal Instructions: Scan/D, Pro-Scan 1.4+, or F-Prot General Comments: The dBASE virus was discovered by Ross Greenberg of New York. This virus infects .COM & .OVL files, and will corrupt data in .DBF files by randomly transposing bytes in any open .DBF file. It keeps track of which files and bytes were transposed in a hidden file (BUG.DAT) in the same directory as the .DBF file(s). The virus restores these bytes if the file is read, so it appears that nothing is wrong. Once the BUG.DAT file is 90 days old or more, the virus will overwrite the FAT and root directory on the disk. After this virus has been detected, if you remove the infected dBASE program and replace it with a clean copy, your DBF files that were openned during the period that you were infected will be useless since they are garbled on the disk even though they would be displayed as expected by the infected dBASE program. Virus Name: Den Zuk Aliases: Search, Venezuelan V Status: Common Discovered: September, 1988 Symptoms: Message, floppy format, TSR, BSC Origin: Indonesia Eff Length: N/A Type Code: RtF - Resident Floppy Boot Sector Infector Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC Removal Instructions: MDisk, CleanUp, F-Prot, Pro-Scan 1.4+, or DOS SYS command General Comments: The Den Zuk virus is a memory-resident, boot sector infector of 360K 5 1/4" diskettes. The virus can infect any diskette in a floppy drive that is accessed, even if the diskette is not bootable. If an attempt is made to boot the system with an infected non-system disk, Den Zuk will install itself into memory even though the boot failed. After the system is booted with an infected diskette, a purple "DEN ZUK" graphic will appear after a CTL-ALT-DEL is performed if the system has a CGA, EGA, or VGA monitor. While the original Den Zuk virus did not cause any damage to the system, some variants maintain a counter of how many times the system has been rebooted, and after the counter reaches its limit, the floppy in the disk drive is reformatted. The counter in these variants of the virus is usually in the range of 5 to 10. The following text strings can be found in the viral code on diskettes which have been infected with the Den Zuk virus: "Welcome to the C l u b --The HackerS-- Hackin' All The Time The HackerS" The diskette volume label of infected diskettes may be changed to Y.C.1.E.R.P., though this change only occurs if the Den Zuk virus removed a Pakistani Brain infection before infecting the diskette with Den Zuk. The Den Zuk virus will also remove an Ohio virus infection before infecting the diskette with Den Zuk. The Den Zuk virus is thought to be written by the same person or persons as the Ohio virus. The "Y.C.1.E.R.P." string is found in the Ohio virus, and the viral code is similar in many respects. Also see: Ohio Virus Name: Devil's Dance Aliases: Mexican V Status: Rare Discovered: December, 1989 Symptoms: Message, .COM growth, FAT corruption, TSR Origin: Mexico Eff Length: 941 Bytes Type Code: PRCT - Parasitic Resident .COM Infector Detection Method: ViruScan V52+, IBM Scan, Pro-Scan, VirexPC Removal Instructions: Scan/D, Pro-Scan 1.4+, or delete infected files General Comments: The Devil's Dance virus was first isolated in December, 1989, by Mao Fragoso of Mexico City. The Devil's Dance virus increases the size of infected .COM files by 941 bytes, and will infect a file multiple times until the file becomes too large to fit in available system memory. Once an infected program has been run, any subsequent warm- reboot (CTL-ALT-DEL) will result in the following message being displayed: "DID YOU EVER DANCE WITH THE DEVIL IN THE WEAK MOONLIGHT? PRAY FOR YOUR DISKS!! The Joker" The Devil's Dance virus is destructive. After the first 2,000 keystrokes, the virus starts changing the colors of any text displayed on the system monitor. After the first 5,000 keystrokes, the virus erases the first copy of the FAT. At this point, when the system is rebooted, it will display the message above and again destroy the first copy of the FAT, then allow the boot to proceed. Virus Name: Disk Killer Aliases: Computer Ogre, Disk Ogre, Ogre V Status: Common Discovered: April, 1989 Symptoms: Bad blocks, message, BSC, TSR, encryption of disk Origin: Taiwan Isolated: Milpitas, California, USA Eff Length: N/A Type Code: BRtT - Resident Boot Sector Infector Detection Method: ViruScan V39+, F-Prot, IBM Scan, Pro-Scan, VirexPC Removal Instructions: MDisk, CleanUp, Pro-Scan 1.4+, F-Prot, or DOS COPY & SYS General Comments: The Disk Killer virus is a boot sector infector that spreads by writing copies of itself to 3 blocks on either a floppy or hard disk. The virus does not care if these blocks are in use by another program or are part of a file. These blocks will then be marked as bad in the FAT so that they cannot be overwritten. The boot sector is patched so that when the system is booted, the virus code will be executed and it can attempt to infect any new disks exposed to the system. The virus keeps track of the elasped disk usage time since initial infection, and does no harm until it has reached a predetermined limit. The predetermined limit is approximately 48 hours. (On most systems, Disk Killer will reach its limit within 1 - 6 weeks of its initial hard disk infection.) When the limit is reached or exceeded and the system is rebooted, a message is displayed identifying COMPUTER OGRE and a date of April 1. It then says to leave alone and proceeds to encrypt the disk by alternately XORing sectors with 0AAAAh and 05555h, effectively destroying the information on the disk. The only recourse after Disk Killer has activated and encrypted the entire disk is to reformat. The message text that is displayed upon activation, and can be found in the viral code is: "Disk Killer -- Version 1.00 by COMPUTER OGRE 04/01/89 Warning!! Don't turn off the power or remove the diskette while Disk Killer is Processing! PROCESSING Now you can turn off the power. I wish you Luck!" It is important to note that when the message is displayed, if the system is turned off immediately it may be possible to salvage some files on the disk using various utility programs as this virus first destroys the boot, FAT, and directory blocks. Disk Killer can be removed by using McAfee Associate's MDisk or CleanUp utility, or the DOS SYS command, to overwrite the boot sector on hard disks or bootable floppies. On non-system floppies, files can be copied to non-infected floppies, followed by reformat- ting the infected floppies. Be sure to reboot the system from a write protected master diskette before attempting to remove the virus first or you will be reinfected by the virus in memory. Note: Disk Killer may have damaged one or more files on the disk when it wrote a portion of its viral code to 3 blocks on the disk. Once the boot sector has been disinfected as indicated above, these corrupted files cannot reinfect the system, however they should be replaced with backup copies since the 3 blocks were overwritten. Note: Do not use the DOS DiskCopy program to backup infected diskettes as the new backup diskettes will contain the virus as well. Virus Name: Do-Nothing Virus Aliases: The Stupid Virus V Status: Rare Discovered: October, 1989 Symptoms: .COM file growth, TSR (see text) Origin: Israel Eff Length: 608 Bytes Type Code: PRfC - Parasitic Resident .COM Infector Detection Method: ViruScan V49+, F-Prot, Pro-Scan, VirexPC Removal Instructions: Scan/D, Pro-Scan 1.4+, or F-Prot General Comments: This virus was first reported by Yuval Tal of Israel in October, 1989. The virus will infect .COM files, but only the first one in the current directory, whether it was previously infected or not. The Do-Nothing virus is also memory resident, always installing itself to memory address 9800:100h, and can only infect systems with 640K of memory. The virus does not protect this area of memory in any way, and other programs which use this area will overwrite it in memory, removing the program from being memory resident. The Do-Nothing virus does no apparent damage, nor does it affect operation of the system in any observable way, thus its name. Virus Name: EDV Aliases: Stealth Virus V Status: Rare Discovered: January, 1990 Symptoms: BSC, TSR, unusual crashes Origin: Eff Length: N/A Type Code: BRX - Resident Boot Sector/Partition Table Infector Detection Method: ViruScan V58+, IBM Scan, Pro-Scan 1.4+ Removal Instructions: MDisk/P, or Pro-Scan 1.4+ General Comments: The EDV virus first identified in January, 1990. This virus infects the boot sector of floppy diskettes, as well as the boot sector and partition table of hard disks. After a system is booted from an infected diskette or hard disk, the virus makes itself memory resident. The EDV virus will cause some programs to crash, as well as destroying some data. The following identification string appears at the very end of the boot sector on infected floppy disks: "MSDOS Vers. E.D.V." Virus Name: Eight Tunes Aliases: 1971 V Status: Rare Discovered: April, 1990 Symptoms: file growth, music, decrease in available memory Origin: West Germany Eff Length: 1,971 Bytes Type Code: PRsA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V62+, Pro-Scan 1.4+, VirexPC Removal Instructions: Scan/D, or delete infected files General Comments: The Eight Tunes, or 1971, Virus was originally isolated in April 1990 by Fridrik Skulason of Iceland. This virus is a memory resident generic file infector of .COM, .EXE, and overlay files. The virus will not infect COMMAND.COM, or .COM files which are smaller than 8K. After the virus is memory resident, programs are infected as they are executed. Infected files will increase in length by between 1,971 - 1,985 bytes. Available memory will decrease by 1,984 bytes when the virus is present. This virus does not cause system damage, however it is disruptive. When the virus is memory resident, it will play 8 German folk songs at random intervals thirty minutes after the virus becomes memory resident. Virus Name: Fellowship Aliases: 1022 V Status: New Discovered: July, 1990 Symptoms: TSR, .COM & .EXE file growth Origin: West Germany Eff Length: 1,022 Bytes Type Code: PRsE - Parasitic Resident .EXE Infector Detection Method: ViruScan V66+ Removal Instructions: Scan/D, or delete infected files General Comments: The Fellowship or 1022 Virus was isolated in Australia in July 1990. Fellowship is a memory resident generic infector of .EXE files. It does not infect .COM or overlay files. The first time a program infected with the Fellowship Virus is executed, the virus will install itself memory resident as a 2,048 byte TSR in low system memory. Available free memory will be decreased by a corresponding 2,048 bytes. Interrupt 21 will also now be controlled by the virus. After the virus is memory resident, the virus will infect .EXE files when they are executed. Infected .EXE files will increase in size by between 1,019 and 1,027 bytes. The virus's code will be located at the end of infected files. Infected files will contain the following text strings very close to the end of the file: "This message is dedicated to all fellow PC users on Earth Toward A Better Tomorrow And a better Place To Live In" "03/03/90 KV KL MAL" Virus Name: Fish Virus Aliases: European Fish Viruses, Fish 6, Stealth Virus V Status: Rare Discovered: May 1990 Symptoms: .COM & .EXE growth, monitor/display flickering, system memory decrease Origin: West Germany Eff Length: 3,584 Bytes Type Code: PRsAK - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V63+, Pro-Scan 1.4+, VirexPC Removal Instructions: Scan/D, CleanUp V66+, Pro-Scan 1.4+, or delete infected files General Comments: The Fish Virus was isolated in May 1990. At the time of isolation, it was reported to be widespread in Europe, and it is thought to have originated in West Germany. It is a generic resident .COM and .EXE infector, and will infect COMMAND.COM. This virus will remain memory resident thru a warm reboot, or Ctrl-Alt-Del. The virus is encrypted, though infected programs can be found by searching for the text string "FISH FI" appearing near the end of the program. The "FISH FI" string may later disappear from the program. The first time a program infected with the Fish Virus is executed, the virus will go memory resident, installing itself into the low available free memory. If interrupt 13 has not been hooked by another program, it will hook interrupt 13. If it can hook interrupt 13, it will take up 8,192 bytes in memory. If the virus cannot hook interrupt 13 because another program is already using it, it will be 4,096 bytes in memory. When interrupt 13 is not hooked, and the virus is memory resident, the virus will cause a random warm reboot, thus allowing it to infect COMMAND.COM and hook interrupt 13. Warm reboots do not appear to randomly occur after interrupt 13 has been hooked. After the virus is memory resident, all .COM and .EXE programs which are openned for any reason will be infected. Infected programs increase in length by 3,584 bytes. The increase in program size cannot be seen by listing the disk directory if the virus is in memory. Also, if a CHKDSK command is run on an infected system, it will detect file allocation errors on infected files. If CHKDSK is run with the /F option, it will result in lost clusters and cross-linking of files. The virus slows down video writes, and flickering of the monitor display can be noticed on an infected system. Anti-viral programs which perform CRC checking cannot detect the infection of the program by the Fish Virus if the virus is memory resident. This virus can also bypass software write protect mechanisms used to protect a hard drive. The Fish Virus is a modified version of the 4096 Virus, though it is more sophisticated in that it constantly re-encrypts itself in system memory. Viewing system memory with the virus resident will show that the names of several fish are present. It is unknown what the Fish virus does when it activates, though it does appear to check to determine if the year of the system time is 1991. Virus Name: Flash Aliases: V Status: Rare Discovered: July 1990 Symptoms: .COM & .EXE growth, decrease in available free memory Origin: Eff Length: 688 Bytes Type Code: PRfA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V64+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Flash Virus was discovered in July 1990 in West Germany. Flash is a memory resident generic file infector, and will infect .COM and .EXE files, but not COMMAND.COM. The first time a program infected with the Flash Virus is executed, the virus will install itself memory resident. 976 bytes will be allocated in high memory, and available free memory will decrease by a corresponding 976 bytes. A mapping of memory will also indicate that when Flash is resident in memory, interrupts 00, 23, 24, 30, ED, F5, and FB are now in free memory. Total system memory reported by DOS, as well as low memory used by the operating system and TSRs will not have changed. Once Flash is memory resident, each time a .COM or .EXE program is executed it is a candidate for infection. An uninfected .EXE program will always be infected upon execution. Uninfected .COM files are only infected if they are greater than approximately 500 bytes in length. Infected files will always increase in length by 688 bytes. Virus Name: Flip Aliases: V Status: New Discovered: July 1990 Symptoms: .COM & .EXE growth, decrease in system and free memory, boot sector and partition table altered, file allocation errors Origin: West Germany Eff Length: 2,343 Bytes Type Code: PRhA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V66+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Flip Virus was discovered in West Germany in July 1990. It is a generic file infector, and will infect .COM, .EXE, and overlay files. This virus will also infect COMMAND.COM, as well as alter the partition table and boot sector of hard disks. The first time a program infected with the Flip Virus is executed, it installs itself memory resident in high memory. System memory as reported by the CHKDSK command as well as free memory will have decreased by 3,064 bytes. At this time, the copy of COMMAND.COM located in the C: drive root directory will be infected, though no file length change will be apparent with the virus in memory. The system's hard disk partition table and boot sector will also be slightly modified. If the infected program was executed from a floppy, COMMAND.COM on the floppy will be infected, though the size change will be noticeable. After Flip becomes memory resident, any .COM or .EXE files executed will become infected. Infected programs will show a file length increase of 2,343 bytes. If a program is executed which uses an overlay file, the overlay file will also become infected. Systems infected Flip may experience file allocation errors resulting in file linkage errors. Some data files may become corrupted. Virus Name: FORM-Virus Aliases: Form, Form Boot V Status: Rare Discovered: June 1990 Symptoms: BSC Origin: Switzerland Eff Length: N/A Type Code: BR - Resident Boot Sector Infector Detection Method: ViruScan V64+ Removal Instructions: MDisk, or DOS SYS command General Comments: The Form, or Form Boot, Virus is a memory resident infector of floppy and hard disk boot sectors. It was originally isolated in Switzerland. When a system is first booted with a diskette infected with the Form Boot virus, the virus will infect system memory as well as seek out and infect the system's hard disk. The floppy boot may or may not be successful, on the author's test system, a boot from floppy diskette infected with Form Boot never succeeded, instead the system would hang. It should be noted that the virus was received by the author of this document as a binary file, and it may have been damaged in some way. The following text message is contained in the Form Boot virus binary code as received by the author of this document: "The FORM-Virus sends greetings to everyone who's reading this text.FORM doesn't destroy data! Don't panic! Fuckings go to Corinne." These messages, however, may not appear in all cases. For example, I did not find these messages anywhere on a hard disk infected with Form Boot. This virus can be removed with the same technique as used with many boot sector infectors. First, power off the system and then boot from a known clean write-protected boot diskette. The DOS SYS command can then be used to recreate the boot sector. Alternately, MDisk from McAfee Associates may be used to recreate the boot sector. Virus Name: Frere Jacques Aliases: Frere Virus V Status: Rare Discovered: May 1990 Symptoms: .COM & .EXE growth, available memory decreases, system hangs, music (Frere Jacques) on Fridays Origin: California, USA Eff Length: 1,808 Bytes Type Code: PRA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V63+, Pro-Scan 1.4+ Removal Instructions: Scan/D, Pro-Scan 1.4+, or Delete infected files General Comments: The Frere Jacques Virus was isolated in May, 1990. It is a memory resident generic file infector, infecting .COM, .EXE, and Overlay files. It does not infect COMMAND.COM. This virus is based on the Jerusalem B Virus. The first time an infected program is executed, the virus will install itself memory resident in low available free memory. The memory resident virus occupies 2,064 bytes, and attaches itself to interrupt 21. After becoming memory resident, Frere Jacques will infect any program which is then executed. Infected programs will increase in size by between 1,808 bytes and 1,819 bytes, though .COM files always increase in size by 1,813 bytes. Systems infected with Frere Jacques will experience a decrease in available free memory, as well as executable files increasing in size. System hangs will also intermittently occur when the virus attempts to infect programs, thus resulting in the possible loss of system data. On Fridays, the Frere Jacques virus activates, and will play the tune Frere Jacques on the system speaker. Also see: Jerusalem B Virus Name: Friday The 13th COM Virus Aliases: COM Virus, Miami, Munich, South African, 512 Virus V Status: Endangered Discovered: November, 1987 Symptoms: .COM growth, floppy disk access, file deletion Origin: Republic of South Africa Eff Length: 512 Bytes Type Code: PNC - Parasitic Non-Resident .COM Infector Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan Removal Instructions: Scan/D, Pro-Scan 1.4+, or F-Prot General Comments: The original Friday The 13th COM virus first appeared in South Africa in 1987. Unlike the Jerusalem (Friday The 13th) viruses, it is not memory resident, nor does it hook any interrupts. This virus only infects .COM files, but not COMMAND.COM. On each execution of an infected file, the virus looks for two other .COM files on the C drive and 1 on the A drive, if found they are infected. This virus is extremely fast, and the only indication of propagation occurring is the access light being on for the A drive, if the current default drive is C. The virus will only infect a .COM file once. The files, after infection, must be less than 64K in length. On every Friday the 13th, if the host program is executed, it is deleted. Known variants of the Friday The 13th COM virus are: Friday The 13th-B: same, except that it will infect every file in the current subdirectory or in the system path if the infected .COM program is in the system path. Friday The 13th-C: same as Friday The 13th-B, except that the message "We hope we haven't inconvenienced you" is displayed whenever the virus activates. Author's note: All samples of this virus that are available were created by reassembling a disassembly of this virus. These viruses may not actually exist "in the wild". Virus Name: Fu Manchu Aliases: 2080, 2086 V Status: Rare Discovered: March, 1988 Symptoms: .SYS, .BIN, .COM & .EXE growth, messages Origin: Eff Length: 2,086 (COM files) & 2,080 (EXE files) bytes Type Code: PRsA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC Removal Instructions: Scan/D, F-Prot, Pro-Scan 1.4+, VirexPC General Comments: The Fu Manchu virus attaches itself to the beginning of .COM files or the end of .EXE files. This virus will infect any executable program, including overlay, .SYS, and .BIN files as well. It appears to be a rewritten version of the Jerusalem virus, with a possible creation date of 3/10/88. A marker or id string usually found in this virus is 'sAXrEMHOr', though the virus only uses the 'rEMHOr' portion of the string to identify infected files. One out of sixteen infections will result in a timer being installed, and after a random amount of time, the message "The world will hear from me again!" is displayed and the system reboots. This message will also be displayed on an infected system after a warm reboot, though the virus doesn't survive in memory. After August 1, 1989, the virus will monitor the keyboard buffer, and will add derogatory comments to the names of various politicians. These comments go to the keyboard buffer, so their effect is not limited to the display. The messages within the virus are encrypted. This virus is very rare in the United States. Also see: Jerusalem B, Taiwan 3 Virus Name: Ghostballs Aliases: Ghost Boot, Ghost COM V Status: Rare Discovered: October, 1989 Symptoms: moving graphic display, .COM file growth, file corruption, BSC. Origin: Iceland Eff Length: 2,351 bytes Type Code: PNCB - Parasitic Non-Resident .COM & Boot Sector Infector Detection Method: ViruScan V46+, F-Prot, IBM Scan, Pro-Scan, VirexPC Removal Instructions: MDisk or DOS SYS and erase infected .COM files, or CleanUp, F-Prot, Pro-Scan 1.4+, VirexPC General Comments: The Ghostball virus (Ghost Boot and Ghost COM) were discovered in October, 1989 by Fridrik Skulason of Iceland. The Ghostballs Virus virus infects generic .COM files, increasing the file size by 2,351 bytes. It also alters the disk boot sector, replacing it with viral code similar to the Ping Pong virus. This altered boot sector, however, will not replicate. Symptoms of this virus are very similar to the Ping Pong virus, and random file corruption may occur on infected systems. The Ghostballs virus was the first known virus that could infect both files (.COM files in this case) and disk boot sectors. After the boot sector is infected, the system experiences the bouncing ball effect of the Ping Pong virus. If the boot sector is overwritten to remove the boot viral infection, it will again become corrupted the next time an infected .COM file is executed. The Ghostballs Virus is based on the code of two other viruses. The .COM infector portion consists of a modified version of the Vienna virus. The boot sector portion of the virus is based on the Ping Pong virus. To remove this virus, turn off the computer and reboot from a write protected master diskette for the system. Then use either MDisk or the DOS SYS command to replace the boot sector on the infected disk. Any infected .COM files must also be erased and deleted, then replaced with clean copies from your original distribution diskettes. Virus Name: Golden Gate Aliases: Mazatlan, 500 Virus V Status: Extinct Discovered: 1988 Symptoms: BSC, disk format, Resident TOM Origin: California, USA Eff Length: N/A Type Code: BRt - Resident Boot Sector Infector Detection Method: ViruScan (identifies as Alameda) Removal Instructions: MDisk, F-Prot, or DOS SYS command General Comments: The Golden Gate virus is a modified version of the Alameda virus which activates when the counter in the virus has determined that it is infected 500 diskettes. The virus replicates when a CTL-ALT-DEL is performed, infecting any diskette in the floppy drive. Upon activation, the C: drive is formatted. The counter in the virus is reset on each new floppy or hard drive infected. Known Variants of this virus are: Golden Gate-B: same as Golden Gate, except that the counter has been changed from 500 to 30 infections before activation, and only diskettes are infected. Golden Gate-C: same as Golden Gate-B, except that the hard drive can also be infected. This variant is also known as the Mazatlan Virus, and is the most dangerous of the Golden Gate viruses. Also see: Alameda Virus Name: Halloechen Aliases: V Status: Rare Discovered: October, 1989 Symptoms: TSR, .COM & .EXE growth, garbled keyboard input. Origin: West Germany Eff Length: 2,011 Bytes Type Code: PRsA - Resident Parasitic .COM &.EXE Infector Detection Method: ViruScan V57+, Pro-Scan 1.4+, VirexPC Removal Instructions: Scan/D or delete infected files General Comments: The Halloechen virus was reported by Christoff Fischer of the University of Karlsruhe in West Germany. The virus is a memory resident generic .COM & .EXE file infector which is reported to be widespread in West Germany. The Halloechen virus installs itself memory resident when the first infected program is executed. Thereafter, the virus will infect any .EXE or .COM file which is run unless the resulting infected file would be greater than 64K in size, or the file's date falls within the system date's current month and year. Once a file has been determined to be a candidate for infection, and is less than approximately 62K in size as well as having a date outside of the current month and year, it is infected. In the process of infecting the file, the files size is first increased so that it is a multiple of 16 (ends on a paragraph boundary), then the 2,011 bytes of viral code are added. When infected files are run, input from the keyboard is garbled. Virus Name: Holland Girl Aliases: Sylvia V Status: Rare Discovered: December, 1989 Symptoms: .COM growth, TSR Origin: Netherlands Eff Length: 1,332 Bytes Type Code: PRsC - Resident Parasitic .COM Infector Detection Method: ViruScan V50+, F-Prot, IBM Scan, Pro-Scan, VirexPC Removal Instructions: F-Prot, Pro-Scan 1.4+, or Scan/D General Comments: The Holland Girl or Sylvia Virus was first reported by Jan Terpstra of the Netherlands. This virus is memory resident and infects only .COM files, increasing their size by 1,332 bytes. The virus apparently does no other damage, and does not infect COMMAND.COM. The virus's name is due to the fact that the virus code contains the name and phone number of a girl named Sylvia in Holland, along with her address, requesting that post cards be sent to her. The virus is believed to have been written by her ex-boyfriend. Virus Name: Icelandic Aliases: 656, One In Ten, Disk Crunching Virus V Status: Extinct Discovered: June, 1989 Symptoms: .EXE growth, Resident TOM, bad sectors, FAT corruption Origin: Iceland Eff Length: 656 bytes Type Code: PRfE - Resident Parasitic .EXE Infector Detection Method: ViruScan, F-Prot, Pro-Scan, VirexPC Removal Instructions: Scan/D, Pro-Scan 1.4+, or F-Prot General Comments: The Icelandic, or "Disk Crunching Virus", was originally isolated in Iceland in June 1989. This virus only infects .EXE files, with infected files growing in length between 656 and 671 bytes. File lengths after infection will always be a multiple of 16. The virus attaches itself to the end of the programs it infects, and infected files will always end with hex '4418,5F19'. The Icelandic virus will copy itself to the top of free memory the first time an infected program is executed. Once in high memory, it hides from memory mapping programs. If a program later tries to write to this area of memory, the computer will crash. If the virus finds that some other program has "hooked" Interrupt 13, it will not proceed to infect programs. If Interrupt 13 has not been "hooked", it will attempt to infect every 10th program executed. On systems with only floppy drives, or 10 MB hard disks, the virus will not cause any damage. However, on systems with hard disks larger than 10 MB, the virus will select one unused FAT entry and mark the entry as a bad sector each time it infects a program. Also see: Icelandic-II, Icelandic-III, Mix/1, Saratoga Virus Name: Icelandic-II Aliases: System Virus, One In Ten V Status: Extinct Discovered: July, 1989 Symptoms: .EXE growth, Resident TOM, FAT corruption date changes, loss of Read-Only Origin: Iceland Eff Length: 632 Bytes Type Code: PRfE - Parasitic Resident .EXE Infector Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC Removal Instructions: Scan/D, Pro-Scan 1.4+, or F-Prot General Comments: The Icelandic-II Virus is a modified version of the Icelandic Virus, and was isolated for the first time in July 1989 in Iceland. These two viruses are very similar, so only the changes to this variant are indicated here, refer to Icelandic for the base virus information. Each time the Icelandic-II virus infects a program, it will modify the file's date, thus making it fairly obvious that the program has been changed. The virus will also remove the read-only attribute from files, but does not restore it after infecting the program. The Icelandic-II virus can infect programs even if the system is running an anti-viral TSR that monitors interrupt 21, such as FluShot+. On hard disks larger than 10 MB, there are no bad sectors marked in the FAT as there is with the Icelandic virus. Also see: Icelandic, Icelandic-III, Mix/1, Saratoga Virus Name: Icelandic-III Aliases: December 24th V Status: Rare Discovered: December, 1989 Symptoms: .EXE growth, Resident TOM, bad sectors, FAT corruption, Dec 24 message. Origin: Iceland Eff Length: 853 Bytes Type Code: PRfE - Parasitic Resident .EXE Infector Detection Method: ViruScan V57+, F-Prot, IBM Scan, Pro-Scan, VirexPC Removal Instructions: F-Prot, Scan/D, Pro-Scan 1.4+, or delete infected files General Comments: The Icelandic-III Virus is a modified version of the Icelandic Virus, and was isolated for the first time in December 1989 in Iceland. These two viruses are very similar, so only the changes to this variant are indicated here, refer to Icelandic for the base virus information. The Icelandic-III virus's id string in the last 2 words of the program is hex '1844,195F', the bytes in each word being reversed from the id string ending the Icelandic and Icelandic-II viruses. There are also other minor changes to the virus from the previous Icelandic viruses, including the addition of several NOP instructions. Before the virus will infect a program, it checks to see if the program has been previously infected with Icelandic or Icelandic-II, if it has, it does not infect the program. Files infected with the Icelandic-III virus will have their length increased by between 848 and 863 bytes. If an infected program is run on December 24th of any year, programs subsequently run will be stopped, later displaying the message "Gledileg jol" ("Merry Christmas" in Icelandic) instead. Also see: Icelandic, Icelandic-II, Mix/1, Saratoga Virus Name: Itavir Aliases: 3880 V Status: Endangered Discovered: March, 1990 Symptoms: .EXE growth, .OMMAND.COM file, Boot sector corruption Origin: Italy Eff Length: 3,880 Bytes Type Code: PNE - Parasitic Non-Resident .EXE Infector Detection Method: ViruScan V60+, Pro-Scan 1.4+ Removal Instructions: Scan/D, or delete infected files General Comments: The Itavir virus was isolated in March 1990 by a group of students at the Milan Politechnic in Milan, Italy. The Itavir virus is a non-resident generic .EXE Infector. Infected files will increase in length by 3,880 bytes. Infected systems, besides having files which have increased in length, will usually have a file with the name .OMMAND.COM somewhere on the disk. The first character of this file name is an unprintable character. The .OMMAND.COM file contains the pure virus code and is used for appending to files as they are infected. The Itavir virus activates at some time periood after the system has been running for more than 24 hours. When it activates, the boot sector is corrupted, rendering the system unbootable. The virus also displays a message in Italian and writes ansi values from 0 thru 255 to all available I/O ports, thus confusing any attached peripheral devices. Some monitors may show a flickering effect when this occurs, while some VGA monitors may actually "hiss". Virus Name: Jerusalem Aliases: PLO, Israeli, Friday 13th, Russian, 1813(COM), 1808(EXE) V Status: Common Discovered: October, 1987 Symptoms: TSR, .EXE & .COM growth, system slowdown, deleted files on Friday 13th, "Black WIndow" Origin: Israel Eff Length: 1,813 (COM files) & 1,808 (EXE files) bytes Type Code: PRsA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC 1.1+ Removal Instructions: Scan/D/A, Saturday, CleanUp, UnVirus, F-Prot, VirexPC 1.1+, Pro-Scan 1.4+ General Comments: The Jerusalem Virus was originally isolated at Hebrew University in Israel in the Fall of 1987. The virus is memory resident and can survive a warm reboot (CTL-ALT-DEL). .COM and .EXE files are infected, with .EXE files being reinfected each time they are executed due to a bug in the virus. This virus redirects interrupt 8, and 1/2 hour after execution of an infected program the system will slow down by a factor of 10. Additionally, some Jerusalem Virus variants will have a "Black Window" or "Black Box" appear on the lower left side of the screen which will scroll up the screen as the screen scrolls. On Friday The 13ths, after the virus is installed in memory, every program executed will be deleted from disk. The identifier for some strains is "sUMsDos", however, this identifier is usually not found in the newer variants of Jerusalem. The Jerusalem Virus is thought to have been based on the Suriv 3.00 Virus, though the Suriv 3.00 Virus was isolated after the Jerusalem Virus. Also see: Jerusalem B, New Jerusalem, Payday, Suriv 3.00 Virus Name: Jerusalem B Aliases: Arab Star, Black Box, Black Window, Hebrew University V Status: Common Discovered: January, 1988 Symptoms: TSR, .EXE & .COM growth, system slowdown, deleted files on Friday 13th, "Black WIndow" Origin: Israel Eff Length: 1,813 (.COM files) & 1,808 (.EXE files) bytes Type Code: PRsA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC 1.1+ Removal Instructions: F-Prot, Saturday, CleanUp, M-JRUSLM, UnVirus, VirexPC 1.1+, Pro-Scan 1.4+ General Comments: Identical to the Jerusalem virus, except that in some cases it does not reinfect .EXE files. Jerusalem B is the most common of all PC viruses, and can infect .SYS and program overlay files in addition to .COM and .EXE files. Not all variants of the Jerusalem B virus slow down the system after an infection has occurred. Known variants of Jerusalem B are: A-204 : Jerusalem B with the sUMsDos text string changed to *A-204*, and a couple of instructions changed in order to avoid detection. This variant will slow down the system after being memory resident for 30 minutes, as well as having a black box appear at that time. Origin: Delft, The Netherlands Anarkia : Jerusalem B with the timer delay set to slow down the system to a greater degree, though this effect doesn't show until a much longer time has elasped. No Black Box is never displayed. The sUMsDos id-string has been changed to ANARKIA. Lastly, the virus's activation date has been changed to Tuesday The 13ths, instead of Friday The 13ths. Origin: Spain Anarkia-B : Similar to Anarkia, with the exception that the virus now activates on any October 12th instead of on Tuesday The 13ths. Jerusalem-C: Jerusalem B without the timer delay to slow down the processor. Jerusalem-D: Jerusalem C which will destroy both copies of the FAT on any Friday The 13th after 1990. Jerusalem-E: Jerusalem D but the activation is in 1992. Mendoza : Based on the Jerusalem B virus, this variant does not reinfect .EXE files. It is also missing the black box effect. Mendoza activates in the second half of the year (July - December), at which time any day will have a 10% chance of having all programs executed deleted. Origin: Argentina Puerto : Isolated in June, 1990 in Puerto Rico, this variant is very similar to the Mendoza variant, the virus contains the sUMsDos id-string. .EXE files may be infected multiple times. Spanish JB : Similar to Jerusalem, it reinfects .EXE files. The increased file size on .COM files is always 1,808 bytes. On .EXE files, the increased file size may be either 1,808 or 1,813, with reinfections always adding 1,808 bytes to the already infected file. No "Black Box" appears. The characteristic sUMsDos id-string does not appear in the viral code. This variant is also sometimes identified as Jerusalem E2. Origin: Spain Also see: Jerusalem, Frere Jacques, New Jerusalem, Payday, Suriv 3.00 Virus Name: JoJo Aliases: V Status: Rare Discovered: May, 1990 Symptoms: .COM growth, system hangs Origin: Israel Eff Length: 1,701 Bytes Type Code: PRaC - Parasitic Resident .COM Infector Detection Method: ViruScan V63+, Pro-Scan 1.4+, VirexPC Removal Instructions: Scan/D, or delete infected files General Comments: The JoJo virus was discovered in Israel in May, 1990. The virus' name comes from a message within the viral code: "Welcome to the JOJO Virus." One other message appears within the virus, indicating that it was written in 1990. This message is: "Fuck the system (c) - 1990". Both messages within the viral code are never displayed. When the first file infected with the JoJo Virus is executed on a system, the virus will install itself memory resident. The method used is to alter the Command Interpreter in memory, expanding its size. As an example, on my test system, the Command Interpreter in memory increased in size from 3,536 bytes to 5,504 bytes. One block of 48 bytes is also reserved in available free memory. The change in free memory will be a net decrease of 2,048 bytes. The JoJo Virus will not infect files if interrupt 13 is in use by any other program. Instead the virus will clear the screen, and the system will be hung. If the user performs a warm reboot (Ctrl-Alt-Del), the virus will remain in memory. Once the virus is able to become memory resident with interrupt 13 hooked, any .COM file executed will be infected by the virus. Infected files will increase in length by 1,701 bytes. While this virus has the same length as the Cascade/1701 Virus, it is not a variant of Cascade. Virus Name: Joker Aliases: Jocker V Status: Rare Discovered: December, 1989 Symptoms: Messages, .EXE/.DBF growth Origin: Poland Eff Length: ??? Bytes Type Code: PNE - Parasitic Non-Resident .EXE Infector Detection Method: ViruScan V57+, Pro-Scan, VirexPC Removal Instructions: Scan/D, or delete infected files General Comments: The Joker Virus was isolated in Poland in December, 1989. This virus is a generic .EXE file infector, and is a poor replicator (ie. it does not quickly infect other files). Programs which are infected with the Joker virus will display bogus error messages and comments. These messages and comments can be found in the infected files at the beginning of the viral code. Here are some of the messages and comments that may be displayed: "Incorrect DOS version" "Invalid Volume ID Format failure" "Please put a new disk into drive A:" "End of input file" "END OF WORKTIME. TURN SYSTEM OFF!" "Divide Overflow" "Water detect in Co-processor" "I am hungry! Insert HAMBURGER into drive A:" "NO SMOKING, PLEASE!" " Thanks." "Don't beat me !!" "Don't drink and drive." "Another cup of cofee ?" " OH, YES!" "Hard Disk head has been destroyed. Can you borow me your one?" "Missing light magenta ribbon in printer!" "In case mistake, call GHOST BUSTERS" "Insert tractor toilet paper into printer." This virus may also alter .DBF files, adding messages to them. The sample in the author of this listing possession does not replicate on an 8088 based system. This entry has been included since the sample may have been damaged before its receipt by the author. At best, there is a serious bug in the replication portion of this virus which prevents it from replicating. Virus Name: Joshi Aliases: Happy Birthday Joshi, Stealth Virus V Status: Common Discovered: June, 1990 Symptoms: BSC, machine hangs and message Origin: India Eff Length: N/A Type Code: BRX - Resident Boot Sector/Partition Table Infector Detection Method: ViruScan V64+, Pro-Scan 1.4+ Removal Instructions: CleanUp V66+, Pro-Scan 1.4+, RmJoshi, or Low-Level Format Harddisk and DOS SYS floppies General Comments: The Joshi Virus was isolated in India in June 1990. At the time it was isolated, it was reported to be widespread in India as well as portions of the continent of Africa. Joshi is a memory resident boot sector infector of 5.25" diskettes. It will also infect hard disks, though in the case of hard disks it infects the partition table or master boot sector rather than the boot sector (sector 0). After a system has been booted from a Joshi-infected diskette, the virus will be resident in memory. Joshi takes up approximately 6K of system memory, and infected systems will show that total system memory is 6K less than is installed if the DOS CHKDSK program is run. Joshi has some similarities to two other boot sector infectors. Like the Stoned virus, it infects the partition table of hard disks. Similar to the Brain virus's method of redirecting all attempts to read the boot sector to the original bootsector, Joshi does this with the partition table. On January 5th of any year, the Joshi virus activates. At that time, the virus will hang the system while displaying the message: "type Happy Birthday Joshi" If the system user then types "Happy Birthday Joshi", the system will again be usable. This virus may be recognized on infected systems by powering off the system and then booting from a known-clean write-protected DOS diskette. Using a sector editor or viewer to look at the boot sector of suspect diskettes, if the first two bytes of the boot sector are hex EB 1F, then the disk is infected. The EB 1F is a jump instruction to the rest of the viral code. The remainder of the virus is stored on track 41, sectors 1 thru 5 on 360K 5.25 inch Diskettes. For 1.2M 5.25 inch diskettes, the viral code is located at track 81, sectors 1 thru 5. To determine if a system's hard disk is infected, you must look at the hard disk's partition table. If the first two bytes of the partition table are EB 1F hex, then the hard disk is infected. The remainder of the virus can be found at track 0, sectors 2 thru 6. The original partition table will be a track 0, sector 9. The Joshi virus can be removed from an infected system by first powering off the system, and then booting from a known-clean, write- protected master DOS diskette. If the system has a hard disk, the hard disk should have data and program files backed up, and the the disk must be low-level formatted. As of July 15, 1990, there are no known utilities which can disinfect the partition table of the hard disk when it is infected with Joshi. Diskettes are easier to remove Joshi from, the DOS SYS command can be used, or a program such as MDisk from McAfee Associates, though this will leave the viral code in an unexecutable state on track 41. Virus Name: July 13TH Aliases: V Status: Endangered Discovered: April, 1990 Symptoms: .EXE file growth, screen effects on July 13 Origin: Madrid, Spain Eff Length: 1,201 Bytes Type Code: PNE - Parasitic Non-Resident .EXE Infector Detection Method: ViruScan V64+, VirexPC Removal Instructions: Scan/D, or delete infected files General Comments: The July 13TH Virus was isolated in Madrid, Spain, in April 1990 by Guillermo Gonzalez Garcia. This virus is a generic .EXE file infector, and is not memory resident. When a program infected with the July 13TH Virus is executed, the virus will attempt to infect a .EXE file. Files are only infected if they are greater in length than 1,201 bytes. Infected files increase in size by 1,201 to 1,209 bytes. The July 13TH Virus activates on July 13th of any year. At that time, a bouncing ball effect occurs on the system monitor's screen similar to the bouncing ball effect of the Ping Pong virus. While this virus is disruptive, it does not cause any overt damage to files other than infecting them. The bouncing ball effect is buggy in this virus, it will occasionally leave dots on the screen where it was passing if the screen has been scrolled for any reason. Virus Name: June 16TH Aliases: Pretoria V Status: Endangered Discovered: April, 1990 Symptoms: .COM file growth, long disk accesses, June 16th FAT alteration Origin: Republic of South Africa Eff Length: 879 Bytes Type Code: PNC - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V62+, Pro-Scan 1.4+, VirexPC Removal Instructions: delete infected files General Comments: The June 16TH, or Pretoria, virus was discovered in April 1990. This virus is a non-resident generic .COM file infector, and is encrypted. The first time an infected file is executed, the virus will search the current drive (all directories) and infect all .COM files found. The search period can be quite long, and it is very obvious on hard disk based systems that the program is taking too long to load. On June 16TH of any year, the first time an infected file is executed the virus will activate. On activation, the virus will change all entries in the root directory and the file allocation table to "ZAPPED". The June 16TH virus is thought to have originated in South Africa. Virus Name: Kennedy Aliases: Dead Kennedy V Status: Endangered Discovered: April, 1990 Symptoms: .COM growth, message on trigger dates (see text), crosslinking of files, lost clusters, FAT corruption Origin: Denmark Eff Length: 333 Bytes Type Code: PNCKF - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V62+, Pro-Scan 1.4+, VirexPC Removal Instructions: delete infected files General Comments: The Kennedy Virus was isolated in April 1990. It is a generic infector of .COM files, including COMMAND.COM. This virus has three activation dates: June 6 (assasination of Robert Kennedy 1968), November 18 (death of Joseph Kennedy 1969), and November 22 (assasination of John F. Kennedy 1963) of any year. On activation, the virus will display a message the following message: "Kennedy is dead - long live 'The Dead Kennedys'" The following text strings can be found in the viral code: "\command.com" "The Dead Kennedys" Systems infected with the Kennedy Virus will experience crosslinking of files, lost clusters, and file allocation table errors (including messages that the file allocation table is bad). Virus Name: Korea Aliases: LBC Boot V Status: Common - Korea Discovered: March, 1990 Symptoms: BSC - 360k disks Origin: Seoul, Korea Eff Length: N/A Type Code: RF - Resident Floppy Boot Sector Infector Detection Method: ViruScan V61+ Removal Instructions: M-Disk, or DOS SYS Command General Comments: The Korea, or LBC Boot, Virus was isolated in March 1990 in Seoul, Korea. This virus is a memory resident boot sector infector for 5.25" 360K diskettes. The Korea virus is not intentionally destructive, it does nothing in its current form except for replicating. In some instances, when Korea infects a diskette it will damage the root directory as it moves the original boot sector to sector 11, the last sector of the root directory. If sector 11 previously contained directory entries, they will be lost. Virus Name: Lehigh Aliases: V Status: Rare Discovered: November, 1987 Symptoms: Corrupts boot sector & FAT Origin: Pennsylvania, USA Eff Length: N/A Type Code: ORaKT - Overwriting Resident COMMAND.COM Infector Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC Removal Instructions: MDisk & replace COMMAND.COM with clean copy, or F-Prot General Comments: The Lehigh virus infects only the COMMAND.COM file on both floppies and hard drives. The infection mechanism is to over- write the stack space. When a disk which contains an uninfected copy of COMMAND.COM is accessed, that disk is then infected. A infection count is kept in each copy of the virus, and after 4 infections, the virus overwrites the boot sector and FATs. A variation of the Lehigh virus, Lehigh-2, exists which maintains its infection counter in RAM and corrupts the boot sector and FATs after 10 infections. Known variants of the Lehigh virus are: Lehigh-2 : Similar to Lehigh, but the infection counter is maintained in RAM, and the corruption of the boot sector and FATs occurs after 10 infections. Lehigh-B : Similar to Lehigh, the virus has been modified to avoid detection. Virus Name: Leprosy Aliases: Leprosy 1.00 V Status: New Discovered: August, 1990 Symptoms: unusual messages; program corruption Origin: California, USA Eff Length: 666 Bytes Type Code: ONAK - Overwriting Non-Resident .COM & .EXE Infector Detection Method: ViruScan V66+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Leprosy Virus was discovered in the San Francisco Bay Area of California on August 1, 1990. This virus is a non-resident overwriting virus infecting .COM and .EXE files, including COMMAND.COM. Its original carrier file is suspected to be a file called 486COMP.ZIP which was uploaded to several BBSes. When you execute a program infected with the Leprosy virus, the virus will overwrite the first 666 bytes of all .COM and .EXE files in the current directory. If COMMAND.COM is located in the current director, it will also be overwritten. Infected files will show no file length increase unless they were originally less than 666 bytes in length, in which case their length will become 666 bytes. After the virus has infected the .COM and .EXE files, it will display a message. The message will be either: "Program to big to fit in memory" or: "NEWS FLASH!! Your system has been infected with the incurable decay of LEPROSY 1.00, a virus invented by PCM2 in June of 1990. Good luck!" The second message will only be displayed by one out of every seven .COM and .EXE files that the program infects. Since Leprosy is an overwriting virus, the programs which are infected with it will not function properly. In fact, once they are infected with this virus they will run for awhile (while the virus is infecting other files) and then display one of the two messages. The program execution will then end. If the system is booted from a diskette or hard drive that has Leprosy in its COMMAND.COM file, one of the above two messages will be displayed followed by: "Bad or missing Command Interpreter" This boot problem occurs because COMMAND.COM is no longer really COMMAND.COM. The boot will not proceed until a system boot diskette is inserted into the system and another boot is attempted. While Leprosy's messages are encrypted in the virus, infected files can be found by checking for the following hex string near the beginning of the file: 740AE8510046FE06F002EB08 Infected files must be deleted and replaced with clean, uninfected copies. There is no way to disinfect this virus since the first 666 bytes of the file have been overwritten, the virus does not store those bytes anywhere else. Virus Name: Liberty Aliases: V Status: Rare Discovered: May, 1989 Symptoms: .COM, .EXE, .OVL growth Origin: Sydney, Australia Eff Length: 2,862 Bytes Type Code: PRfAK - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V63+, Pro-Scan 1.4+, VirexPC Removal Instructions: Scan/D, or Delete infected files General Comments: The Liberty Virus was isolated in Sydney, Australia in May, 1990. Liberty is a memory resident generic file infector, infecting .COM, .EXE, and overlay files. COMMAND.COM may also become infected. The Liberty Virus gets its name from the text string "Liberty" which will appear in all infected files in the last 3K of the file. The first time a file infected with the Liberty Virus is executed, the virus will become memory resident. Liberty installs itself resident in high free memory, resulting in a decrease of 8K of available free memory. It also directly changes the interrupt map page in memory so that interrupt 21 will put the virus in control. Total system memory does not change. After becoming memory resident, programs which are executed may be infected by the virus. All .EXE files will be infected, but only .COM files over 2K in length will become infected. Overlay files will also become infected. Infected files will increase in size between 2,862 and 2,887 bytes. Liberty is a self-encrypting virus. It is not yet known if it is destructive. Virus Name: Lisbon Aliases: V Status: Rare Discovered: November, 1989 Symptoms: .COM growth, Unusable files (see text) Origin: Lisbon, Portugal Eff Length: 648 bytes Type Code: PNC - Parasitic Non-Resident COM Infector Detection Method: ViruScan V49+, F-Prot, IBM Scan, Pro-Scan Removal Instructions: Scan/D, Pro-Scan 1.4+, VirexPC, or F-Prot General Comments: The Lisbon virus is a strain of the Vienna virus first isolated by Jean Luz in Portugal in November, 1989. The virus is very similar to Vienna, except that almost every word in the virus has been shifted 1-2 bytes in order to avoid virus identification/detection programs which could identify the Vienna virus. 1 out of every 8 infected files will have the 1st 5 bytes of the 1st sector changed to "@AIDS", thus rendering the program unusable. Also see: Vienna Virus Name: Mardi Bros Aliases: V Status: New Discovered: July, 1990 Symptoms: BSC; volume label change; decrease in system and free memory Origin: France Eff Length: N/A Type Code: FR - Floppy Boot Sector Infector Detection Method: ViruScan V66+ Removal Instructions: M-Disk, or DOS SYS Command General Comments: The Mardi Bros Virus was isolated in July 1990 in France. This virus is a memory resident infector of floppy disk boot sectors. It does not infect hard disk boot sectors or partition tables. When a system is booted from a diskette infected with the Mardi Bros Virus, the virus will install itself memory resident. It resides in 7,168 bytes above the top of memory, but below the 640K DOS Boundary. The decrease in system and free memory can be seen using the DOS CHKDSK command, or several other memory mapping utilities. Mardi Bros will infect any non-write protected diskette which is exposed to the system. Infected diskettes can be easily identified as their volume label will be changed to "Mardi Bros". The CHKDSK program will show the following for the diskette's Volume label information: "Volume Mardi Bros created ira 0, 1980 12:00a" While the infected boot sector on the diskette will have the DOS messages still remaining, it will also include the following phrase near the end: "Sudah ada vaksin" It is unknown if Mardi Bros is destructive, it appears to do nothing but spread. Mardi Bros can be removed from infected diskettes by first powering off the system and rebooting from a known clean write protected DOS master diskette. The DOS SYS command should then be used to replace the infected diskette's boot sector. Alternately, MDisk can be used following the power-down and reboot. Virus Name: Microbes Aliases: V Status: Common - India Discovered: June, 1990 Symptoms: BSR Origin: Bombay, India Eff Length: N/A Type Code: BR - Floppy and Hard Disk Boot Sector Infector Detection Method: ViruScan V64+, Pro-Scan 1.4+ Removal Instructions: M-Disk, Pro-Scan 1.4+, or DOS SYS Command General Comments: The Microbes virus was isolated in June, 1990 in India. It is a memory resident boot sector infector of both floppy diskettes and hard disks. The Microbes virus becomes memory resident when a system is booted from a disk infected with the Microbes virus. The system may hang on this boot, and inserted a diskette to boot from will result in this new diskette becoming infected. At least on the author's XT test system, the system could not successfully boot with the Microbes virus present without powering off the system and rebooting from a write protected master boot diskette. As with other boot sector infectors, Microbes can be disinfected from diskettes and hard drives by powering off the system and booting from a known clean write protected master boot diskette for the system. The DOS SYS command can then be used to recreate the boot sector on the diskette. Virus Name: MIX/1 Aliases: MIX1 V Status: Rare Discovered: August, 1989 Symptoms: TSR, .EXE growth, location 0:33C = 77h, garbled output Origin: Israel Eff Length: 1,618 Bytes Type Code: PRsE - Parasitic Resident .EXE Infector Detection Method: ViruScan V37+, F-Prot, IBM Scan, Pro-Scan, VirexPC Removal Instructions: Scan/D, Virus Buster, Pro-Scan 1.4+, or F-Prot General Comments: The MIX1 Virus was originally isolated on August 22, 1989, on several BBSs in Israel. This virus is a parasitic memory- resident .EXE file infector. Once an infected program has been executed, the virus will take up 2,048 bytes in RAM. Each .EXE file then executed will grow in length between 1,618 and 1,634 bytes, depending on the original file size. The virus will not, however, infect files of less than 8K in size. Infected files can be manually identified by a characteristic "MIX1" always being the last 4 bytes of an infected file. Using Debug, if byte 0:33C equals 77h, then the MIX1 virus is in memory. This virus will cause garbled output on both serial and parallel devices, as well as the the num-lock being constantly on. After the 6th infection, booting the system will crash the system due to a bug in the code, and a ball will start bouncing on the system monitor. There is a variant of this virus which does not have the problem of system crashes occurring, and will only infect files that are greater than 16K in length. Mix/1 has several code similarilities to Icelandic, which it may have been derived from. Also see: Icelandic Virus Name: Murphy Aliases: Murphy-1, V1277, Stealth Virus V Status: Common - Bulgaria Discovered: April, 1990 Symptoms: .COM & .EXE growth, system hangs, speaker noise, system drops into ROM Basic on the hour (see Murphy-2 below) Origin: Sofia, Bulgaria Eff Length: 1,277 Bytes Type Code: PRA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V63+, Pro-Scan 1.4+ Removal Instructions: Scan/D, Pro-Scan 1.4+, or Delete infected files General Comments: The Murphy Virus was isolated in Bulgaria in April, 1990. It is a memory resident generic .COM & .EXE infector, and will infect COMMAND.COM. The first time an infected program is executed on a system, the virus installs itself memory resident. After it is memory resident, if a file is executed, or openned for any reason, it is infected by the Murphy Virus. When the first non-infected program is executed with the virus in memory, the virus will attempt to infect COMMAND.COM. The program being executed will also be infected at that time. Infected programs will increase in length by 1,277 Bytes. Programs which are less than 1,277 Bytes in length will not be infected. The Murphy Virus watchs the system time. When the system time is between 10AM and 11AM, the virus will turn on the system speaker and send a 61h to it. At any other time, the virus will not attempt to use the system speaker. The following text message is contained within the Murphy Virus, giving an idea of when it was written and by whom, though they are not displayed: "Hello, I'm Murphy. Nice to meet you friend. I'm written since Nov/Dec. Copywrite (c)1989 by Lubo & Ian, Sofia, USM Laboratory." Systems infected by the Murphy Virus may also experience system hangs when the virus attempts to infect .EXE files. Known variant(s) of the Murphy Virus are: Murphy-2 or V1521 - Similar to the Murphy Virus, its length is 1,521 Bytes. The non-displayed messages in the virus are now: "It's me - Murphy. Copywrite (c)1990 by Lubo & Ian, Sofia, USM Laboratory." The Murphy-2 will infect any .EXE file, as well as any .COM file over 900 Bytes. Instead of turning the system speaker on between 10AM and 11AM, this variant waits for the system time to have the minutes set to 00, then it will use int 18 to put the user into ROM Basic. Virus Name: New Jerusalem Aliases: V Status: Rare Discovered: October, 1989 Symptoms: TSR; .EXE, .COM, etc. (see below) growth; system slowdown; deleted files on Friday 13th Origin: Holland Eff Length: 1,813 Bytes (.COM) & 1,808 Bytes (.EXE) Type Code: PRsA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V45+, F-Prot, Pro-Scan 1.4+ Removal Instructions: Saturday, CleanUp, F-Prot, Pro-Scan 1.4+ General Comments: New Jerusalem is a variation of the original Jerusalem virus which has been modified to be undetectable by ViruScan versions prior to V45 as well as IBM's VIRSCAN product as of October 20, 1989. The virus was first detected when it was uploaded to several BBSs in Holland beginning on October 14, 1989. It infects both .EXE and .COM files and activates on any Friday The 13th, deleting infected programs when they are attempted to be run. This virus is memory resident, and as with other Jerusalem viruses, may infect overlay, .SYS, .BIN, and .PIF files. Also see: Jerusalem, Jerusalem B, Payday, Suriv 3.00 Virus Name: Ohio Aliases: V Status: Common Discovered: June, 1988 Symptoms: BSC, Resident TOM Origin: Indonesia Eff Length: N/A Type Code: RtF - Resident Floppy Boot Sector Infector Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC Removal Instructions: MDisk, F-Prot, VirexPC, Pro-Scan 1.4+, or DOS SYS Command General Comments: The Ohio virus is a memory resident boot sector infector, only infecting 360K floppy disks. The Ohio virus is similar in many respects to the Den Zuk virus, and is believed to possibly be the earlier version of Den Zuk. A diskette infected with Ohio will be immune to infection by the Pakistani Brain virus. The following text strings appear in the Ohio virus: "V I R U S b y The Hackers Y C 1 E R P D E N Z U K 0 Bandung 40254 Indonesia (C) 1988, The Hackers Team...." Also see: Den Zuk Virus Name: Ontario Aliases: V Status: New Discovered: July, 1990 Symptoms: .COM & .EXE growth; decrease in system and free memory; hard disk errors in the case of extreme infections Origin: Ontario, Canada Eff Length: 512 Bytes Type Code: PRtAK - Parasitic Encrypted Resident .COM & .EXE Infector Detection Method: ViruScan V66+ Removal Instructions: SCAN /D, or Delete infected files General Comments: The Ontario Virus was isolated by Mike Shields in Ontario, Canada in July, 1990. The Ontario virus is a memory resident infector of .COM, .EXE, and overlay files. It will infect COMMAND.COM. The first time a program infected with the Ontario Virus is executed, it will install itself memory resident above the top of system memory but below the 640K DOS boundary. Total system memory and free memory will be decreased by 2,048 bytes. At this time, the virus will infect COMMAND.COM on the C: drive, increasing its length by 512 bytes. Each time an uninfected program is executed on the system with the virus memory resident, the program will become infected with the viral code located at the end of the file. For .COM files, they will increase by 512 bytes in all cases. For .EXE and overlay files, the file length increase will be 512 - 1023 bytes. The difference in length for .EXE and overlay files is because the virus will fill out the unused space at the end of the last sector of the uninfected file with random data (usually a portion of the directory) and then append itself to the end of the file at the next sector. Systems using a sector size of more than 512 bytes may notice larger file increases for infected files. Infected files will always have a file length that is a multiple of the sector size on the disk. In the case of extreme infections of the Ontario Virus, hard disk errors may be noticed. Ontario uses a complex encryption routine, and a simple identification string will not identify this virus. Virus Name: Oropax Aliases: Music Virus, Musician V Status: Rare Discovered: December, 1989 Symptoms: .COM growth, tunes Origin: Eff Length: 2,756 - 2,806 bytes, but usually 2,773 bytes Type Code: PRC - Parasitic Resident .COM Infector Detection Method: ViruScan V53+, F-Prot, IBM Scan, Pro-Scan, VirexPC Removal Instructions: SCAN /D, F-Prot, VirexPC, Pro-Scan 1.4+, or delete infected files General Comments: The Oropax virus has had several reports, but wasn't first isolated until December 1989. It infects .COM files, increasing their length by between 2,756 bytes and 2,806 bytes. Infected files will always have a length divisible by 51. The virus may become active (on a random basis) five minutes after infection of a file, playing three different tunes with a seven minute interval in between. One variant recently reported in Europe plays six different tunes at seven minute intervals. Virus Name: Payday Aliases: V Status: Rare Discovered: November, 1989 Symptoms: TSR, .EXE & .COM growth, system slowdown, deleted files on Friday EXCEPT 13th, "Black WIndow" Origin: Netherlands Eff Length: 1,808 Bytes (.EXE) & 1,813 Bytes (.COM) Type Code: PRA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V51+, F-Prot, Pro-Scan 1.4+ Removal Instructions: M-JRUSLM, UnVirus, Saturday, CleanUp, F-Prot, Pro-Scan 1.4+ General Comments: The Payday virus was isolated by Jan Terpstra of the Netherlands in November, 1989. It is a variant of the Jerusalem B virus, the major difference being that the activation criteria to delete files has been changed from every Friday The 13th to any Friday but Friday The 13ths. Also see: Jerusalem, Jerusalem B, New Jerusalem, Suriv 3.00 Virus Name: Pentagon Aliases: V Status: Extinct Discovered: January, 1988 Symptoms: TSR, BSC 360k floppys, file (see text) Origin: USA Eff Length: N/A Type Code: RF - Resident Floppy Boot Sector Infector Detection Method: ViruScan, F-Prot, VirexPC Removal Instructions: MDisk, CleanUp, or DOS SYS Command General Comments: The Pentagon virus consists of a normal MS-DOS 3.20 boot sector where the name 'IBM' has been replaced by 'HAL', along with two files. The first file has a name of the hex character 0F9H, and contains the portion of the virus code which would not fit into the boot sector, as well as the original boot sector of the infected disk. The second file is named PENTAGON.TXT and does not appear to be used or contain any data. The 0F9H file is accessed by its absolute storage address. Portions of this virus are encrypted. The Pentagon virus only infects 360K floppies, and will look for and remove the Brain virus from any disk that it infects. It is memory resident, occupying 5K of RAM, and can survive a warm reboot or CTL-ALT-DEL. Virus Name: Perfume Aliases: 765, 4711 V Status: Endangered Discovered: December, 1989 Symptoms: .COM growth, messages Origin: Germany Eff Length: 765 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V57+, F-Prot, IBM Scan, Pro-Scan, VirexPC Removal Instructions: F-Prot, Pro-Scan 1.4+, or delete infected files General Comments: The Perfume virus is of German origin, and has also been isolated in Poland in December, 1989. This virus infects .COM files, and will look for COMMAND.COM and infect it if it isn't already infected. Infected files always grow in length by 765 bytes. The virus will sometimes ask the system user a question, and then not run the infected program unless the system user responds by typing 4711, the name of a German perfume. In the most common variant of this virus, however, the questions have been overwritten with miscellaneous characters. Also see: Sorry Virus Name: Phoenix Aliases: P1 V Status: Rare Discovered: July, 1990 Symptoms: .COM growth, system reboots, CHKDSK program failure, COMMAND.COM header change Origin: Bulgaria Eff Length: 1,704 Bytes Type Code: PRhCK - Parasitic Resident .COM Infector Detection Method: ViruScan V66+ Removal Instructions: Scan/D, or delete infected files General Comments: The Phoenix virus is of Bulgarian origin, and was submitted to the author of this document in July, 1990 by Vesselin Bontchev. This virus is one of a family of three (3) viruses which may be referred to as the P1 or Phoenix Family. Each of these viruses is being documented separately due to their varying characteristics. The Phoenix virus is a memory resident, generic infector of .COM files, and will infect COMMAND.COM. The first time a program infected with the Phoenix virus is executed, the virus will install itself memory resident in free high memory, reserving 8,192 bytes. Interrupt 2A will be hooked by the virus. System total memory and free memory will decrease by 8,192 bytes. If the program was executed from a floppy drive, and COMMAND.COM was not present on the diskette, the virus will request that a diskette with \COMMAND.COM present be inserted in the drive. Phoenix will immediately infect COMMAND.COM by overwriting part of the binary zero portion of the program, and changing the program's header information. COMMAND.COM will not change in file length. The virus will then similarly infect COMMAND.COM residing in the C: drive root directory. After becoming memory resident, the virus will attempt to infect any .COM file executed. Most of its attempts, however, will not result in a file being infected. Phoenix is a fairly poor replicator. If the virus is successful in infecting the file, it will append its viral code to the end of the file, increasing the file's length by 1,704 bytes. Phoenix is not able to recognize when it has previously infected a file, so it may reinfect .COM files several times. Each infection will result in another 1,704 bytes of viral code being appended to the file. Systems infected with the Phoenix virus will experience problems with executing CHKDSK.COM. Attempts to execute this program with Phoenix memory resident will result in a warm reboot of the system occurring, however the memory resident version of Phoenix will not survive the reboot. If an autoexec.bat file is not present on the drive being booted from, the system will prompt for the user to enter Date and Time. The Phoenix Virus employs a complex encryption mechanism, and virus scanners which are only able to look for simple hex strings will not be able to detect it. There is no simple hex string in this virus that is common to all infected samples. This virus is not related to the Cascade (1701/1704) Virus. Also see: PhoenixD, V1701New Virus Name: PhoenixD Aliases: P1 V Status: Rare Discovered: July, 1990 Symptoms: .COM growth, system reboots, CHKDSK program failure, COMMAND.COM header change Origin: Bulgaria Eff Length: 1,704 Bytes Type Code: PRhCK - Parasitic Resident .COM Infector Detection Method: ViruScan V66+ Removal Instructions: Scan/D, or delete infected files General Comments: The PhoenixD virus is of Bulgarian origin, and was submitted to the author of this document in July, 1990 by Vesselin Bontchev. This virus is one of a family of three (3) viruses which may be referred to as the P1 or Phoenix Family. Each of these viruses is being documented separately due to their varying characteristics. The PhoenixD virus is a memory resident, generic infector of .COM files, and will infect COMMAND.COM. The PhoenixD Virus is a "bug fixed" version of the Phoenix virus. The first time a program infected with the PhoenixD virus is executed, the virus will install itself memory resident in free high memory, reserving 8,192 bytes. Interrupt 2A will be hooked by the virus. System total memory and free memory will decrease by 8,192 bytes. PhoenixD will then check to see if the current drive's root directory contains a copy of COMMAND.COM. If a copy of COMMAND.COM is found, it will be infected by PhoenixD by overwriting part of the binary zero portion of the program, and changing the program's header information. COMMAND.COM will not change in file length. The virus will then similarly infect COMMAND.COM residing in the C: drive root directory. After becoming memory resident, the virus will attempt to infect any .COM file executed. PhoenixD is a much better replicator than the original Phoenix Virus, and is usually able to infect files. Infected files will increase in length by 1,704 bytes. PhoenixD is not able to recognize when it has previously infected a file, so it may reinfect .COM files several times. Each infection will result in another 1,704 bytes of viral code being appended to the file. A characteristic present in the PhoenixD Virus which is not found in the original Phoenix Virus is that in addition to it infecting .COM files as they are executed, .COM files will be infected when they are openned for any reason. The simple act of copying a .COM file with PhoenixD present in memory will result in both the source and target files being infected. Systems infected with the PhoenixD virus will experience problems with executing CHKDSK.COM. Attempts to execute this program with Phoenix memory resident will result in a warm reboot of the system occurring. If an autoexec.bat file is not present on the drive being booted from, the system will prompt for the user to enter Date and Time. The PhoenixD Virus employs a complex encryption mechanism, and virus scanners which are only able to look for simple hex strings will not be able to detect it. There is no simple hex string in this virus that is common to all infected samples. This virus is not related to the Cascade (1701/1704) virus. Also see: Phoenix, V1701New Virus Name: Ping Pong Aliases: Bouncing Ball, Bouncing Dot, Italian, Vera Cruz V Status: Extinct Discovered: March, 1988 Symptoms: Graphic display (see text), TSR, BSC Origin: Eff Length: N/A Type Code: RsF - Resident Floppy Boot Sector Infector Detection Method: ViruScan, F-Prot, IBM Scan, VirexPC, Pro-Scan Removal Instructions: MDisk, CleanUp, F-Prot, Pro-Scan 1.4+, VirexPC, or DOS SYS command General Comments: The Ping Pong virus is a boot sector virus which was first reported in March 1988. The original Ping Pong virus only infects Floppy Disks. When the virus activates, which is on a random basis, a bouncing ball or dot appears on the screen. This display can only be stopped thru a system reboot. No other damage is apparently done. The Ping Pong Virus is extinct, though the hard disk variant, Ping Pong-B listed below, is one of the most common MS-DOS viruses. Virus Name: Ping Pong-B Aliases: Bouncing Ball Boot V Status: Common Discovered: May, 1988 Symptoms: Graphic display (see text), TSR, BSC Origin: Eff Length: N/A Type Code: BRs - Resident Boot Sector Infector Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC Removal Instructions: CleanUp, MDisk, Pro-Scan 1.4+, F-Prot, VirexPC or DOS SYS Command General Comments: The Ping Pong-B virus is a variant of the Ping Pong virus. The major difference is that Ping Pong-B can infect hard disks as well as floppies. Known variants of Ping Pong-B include: Ping Pong-C : Similar to Ping Pong-B, though this variant does not have the bouncing ball screen effect. Origin: Argentina, June 1990. Virus Name: Plastique Aliases: Plastic Bomb, Plastique 3012 V Status: New Discovered: July, 1990 Symptoms: TSR, .COM & .EXE growth Origin: Taiwan Eff Length: 3,012 Bytes Type Code: PRsA - Parasitic Resident Boot Sector Infector Detection Method: ViruScan V66+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Plastique, or Plastic Bomb, Virus was submitted in July 1990, it comes to us from Taiwan. Plastique is a memory resident generic infector of .COM and .EXE files, though it does not infect COMMAND.COM. The first time a program infected with Plastique is executed, the virus will install itself memory resident as a TSR in low system memory. The TSR is 3,264 bytes in length, and hooks interrupt 21. After the virus is memory resident, it will attempt to infect any .COM or .EXE file which is executed. This virus is rather "buggy", and it is not always successful in infecting files when they are executed. When it is successful infecting the file, the file's length will increase. For infected .COM files, the length will increase by 3,012 bytes. For infected .EXE files, their length will increase between 3,012 and 3,020 bytes. Plastique will also attempt to infect files when they are openned for any reason, though again, it is not always successful. Known variant(s) of Plastique are: HM2 : The earliest known version of this virus, it does not replicate. Executing an "infected file results in the system hanging requiring a reboot. Origin: Taiwan, May 1990. Plastique 4.51 : A variant of the Plastique virus described above, the only real difference is that the encryption of the virus is slightly different. Otherwise it behaves exactly the same as Plastique. Origin: Taiwan, July 1990. Also see: Plastique-B Virus Name: Plastique-B Aliases: Plastic Bomb, Plastique 5.21 V Status: New Discovered: July, 1990 Symptoms: TSR, .COM & .EXE file growth Origin: Taiwan Eff Length: 4,096 Bytes Type Code: PRsA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V66+ Removal Instructions: Scan/D, or Delete Infected Files General Comments: The Plastique-B, or Plastique 5.21, virus is a later version of the Plastique virus. Like Plastique, it is a memory resident generic infector of .COM and .EXE files. It does not infect COMMAND.COM. The first time a program infected with Plastique-B is executed, the virus will install itself memory resident as a TSR in low system memory. The TSR is 5,120 bytes in length. Interrupts 08, 09, 13, 21, and ED are hooked by the virus. After the virus is memory resident, it will attempt to infect any .COM or .EXE file which is executed or openned for any reason. It has had many of the "bugs" fixed that were in Plastique, and is usually successful in infecting files. Infected .COM and .EXE files will increase in length by 4,096 bytes. It is not known what damage this virus may do, or if it carries an activation date. Also see: Plastique Virus Name: Print Screen Aliases: EB 21, 8290, PRTSC Virus V Status: Rare Discovered: November, 1989 Symptoms: BSC, hard disk access slowdown Origin: Bombay, India Eff Length: N/A Type Code: BR - Resident Boot Sector Infector Detection Method: ViruScan V64+, Pro-Scan 1.4+, VirexPC Removal Instructions: M-Disk, Pro-Scan 1.4+, or DOS SYS Command General Comments: The Print Screen Virus was isolated in Bombay, India in November, 1989 by Neville Bulsara. It is the first virus to have originated in India. There are two versions of Print Screen, the later version having had some bugs fixed. When a system is booted from a Print Screen infected diskette or hard drive, the virus will install itself memory resident in the top of memory. The virus then adjusts the amount of memory DOS thinks is installed. Infected systems will show that total system memory is 2K less than is installed. On floppy disks, the original boot sector of the diskette will be copied to sector 11. After becoming memory resident, the virus will infect any hard disk or floppy diskette which is accessed by the system. Infected system users will notice that hard disk accesses done for any reason will be much slower than expected. In some cases, listing the root directory will show apparently garbage entries in it. These entries are actually part of the virus's code. The first version of the Print Screen virus is buggy, and as such it doesn't actually accomplish anything having to do with printing screens. This virus appears to have been based on the Ping Pong Virus, and some anti-viral programs will identify it as such. Known variant(s) of Print Screen are: Print Screen-2: Print Screen-2 is the later, bug fixed version of the Print Screen Virus. This version will attempt to perform a screen print or dump to the system's printer after every 255 disk I/Os have occurred. Virus Name: RPVS Aliases: 453 V Status: New Discovery: August, 1990 Symptoms: .COM growth Origin: West Germany Eff Length: 453 Bytes Type Code: PNC - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V??+ Removal Instructions: Delete infected files General Comments: The RPVS, or 453, Virus was discovered in West Germany in early August, 1990. This virus is a non-resident infector of .COM files. The RPVS is named for an unusual string that appears in a file dump of the virus - "TUQ.RPVS" - this in not really a text string, but a series of PUSH instructions. The RPVS Virus is rather unsophisticated virus. Whenever a .COM program infected with the RPVS or 453 virus is executed, the virus will look for an uninfected .COM file in the current directory. The virus determines if the .COM file has been previously infected by checking to see if the last two bytes of the file are 9090h. If the last two bytes are not 9090h, the file will be infected, appending 453 bytes of viral code to the end of the file. One .COM file is infected each time an infected program is executed. COMMAND.COM will not normally be infected. This virus does not contain any logic to activate and cause damage in its current state. It does contain many NOP instructions and odd jumps which leave plenty of space for later additions. Known variant(s) of RPVS are: RPVS-B : The RPVS virus after additional bytes have been added to the end of an infected program. When this occurs, the virus will act differently. It will not be able to determine that it has already infected a .COM file, so it will reinfect the first .COM file it finds in the current directory over and over again. Virus Name: Saratoga Aliases: 642, One In Two V Status: Extinct Discovery: July, 1989 Symptoms: .EXE growth, Resident, bad sectors, FAT corruption Origin: California, USA Eff Length: 642 Bytes Type Code: PRsE - Resident Parasitic .EXE Infector Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan 1.4+, VirexPC Removal Instructions: Scan/D, F-Prot, VirexPC, Pro-Scan 1.4+, or delete infected files General Comments: The Saratoga Virus was first isolated in California in July 1989. This virus is very similar to the Icelandic and Icelandic-II viruses, so only the differences from the Icelandic viruses are indicated here. Please refer back to the description of the Icelandic virus for the base information. The Saratoga virus's main difference from the Icelandic virus is that when it copies itself to memory, it modifies the memory block so that it appears to belong to the operating system, thus avoiding another program reusing the block. Similar to the Icelandic-II virus, the Saratoga can infect programs even if the system has installed an anti-viral TSR which "hooks" interrupt 21, such as FluShot+. Also like Icelandic-II is that this virus can infect programs which have been marked Read-Only, though it does not restore the Read-Only attribute to the file afterwards. Also see: Icelandic, Icelandic-II Virus Name: Saturday The 14TH Aliases: Durban V Status: Rare Discovered: March, 1990 Symptoms: TSR;.COM, .EXE, .OV? growth; corrupts boot sector, FAT. & partition table on Saturday 14th Origin: Republic of South Africa Eff Length: 685 Bytes Type Code: PRA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V61+, Pro-Scan 1.4+, VirexPC Removal Instructions: Scan/D, or delete infected files General Comments: The first reports of the Saturday The 14TH virus came from South Africa in March 1990. The Saturday The 14TH, or Durban Virus, is a memory resident generic file infector, infecting .COM, .EXE, and overlay files, but not COMMAND.COM. Infected files will increase in length by between 669 and 684 bytes. The Saturday The 14TH virus activates on any Saturday that falls on the 14TH of any month, at which time it will overwrite the first 100 logical sectors of the C: drive, B: drive, and A: drive. In effect, on drive C:, the virus destroys the hard disk boot sector, partition table, and file allocation table (FAT). Virus Name: SF Virus Aliases: V Status: Extinct Discovered: December, 1987 Symptoms: BSC 360k floppys, Resident TOM, formatted disks Origin: California, USA Eff Length: N/A Type Code: RtF - Resident Floppy Boot Sector Infector Detection Method: ViruScan (identifies as Alameda) Removal Instructions: MDisk, CleanUp, F-Prot, or DOS SYS command General Comments: The SF Virus is a modified version of the Alameda virus which activates when the counter in the virus has determined that it is infected 100 diskettes. The virus replicates when a CTL-ALT-DEL is performed, infecting the disk in the floppy drive. Upon activation, the diskette in the floppy drive is reformatted. The SF Virus only infects 5 1/4" 360K floppies. Also see: Alameda Virus Name: Shake Virus Aliases: V Status: Rare Discovered: May, 1990 Symptoms: .COM growth, message, change in COMMAND.COM memory allocation Origin: Bulgaria Eff Length: 476 Bytes Type Code: PRCK - Resident Parasitic .COM Infector Detection Method: ViruScan V63+, Pro-Scan 1.4+, VirexPC Removal Instructions: Scan/D, or Delete Infected Files General Comments: The Shake Virus was first isolated in Bulgaria in May, 1990. It is a memory resident generic .COM infector, and will infect COMMAND.COM. The first time an infected program is executed, the Shake Virus will install itself memory resident, altering the image of COMMAND.COM in memory. The Shake Virus infects .COM files, infecting them as they are accessed. Infected files increase in size by 476 Bytes, though the size increase cannot be seen using a DIR (list directory) command if the virus is memory resident. While the virus is not destructive, it will occasionally display the message: "Shake well before use !" when an infected file is attempted to be run. When this message is displayed, the program terminates rather than executes. A second attempt to run the same program result in it running successfully. Virus Name: Slow Aliases: V Status: Rare Discovered: May, 1990 Symptoms: .COM & .EXE growth Origin: Australia Eff Length: 1,701 Bytes Type Code: PRsA - Resident Parasitic .COM & .EXE Infector Detection Method: ViruScan V63+, Pro-Scan 1.4+ Removal Instructions: Scan/D, or Delete Infected Files General Comments: The Slow Virus was discovered in Australia in May 1990. It is a memory resident generic file infector, infected .COM, .EXE, and overlay files. COMMAND.COM is not infected by this virus. The first time an infected file is executed on a system, the virus installs itself memory resident, taking up approximately 2K of free memory. Then, as executable programs are openned for any reason, they are infected with the virus. In the process of infecting some .EXE files, the virus may hang the system, causing the user to have to reboot. The Slow Virus is based on the Jerusalem B virus. It is unknown what else the Slow virus does. Virus Name: Solano 2000 Aliases: Dyslexia 2.01 V Status: Rare Discovered: March, 1990 Symptoms: .COM growth, TSR, unusual file errors Origin: California, USA Eff Length: 2,000 Bytes Type Code: PRsC - Resident Parasitic .COM Infector Detection Method: ViruScan V60+, Pro-Scan 1.4+, VirexPC Removal Instructions: Scan/D, or Delete Infected Files General Comments: The Solano 2000 Virus was first isolated in Solano County, California in mid-March 1990 by Edward Winters. The virus may also be known by the name Dyslexia Virus V2.01, which can be produced by negating some null terminated bytes within the viral code. Using the same technique, what appears to be the creation date of the virus, 08FEB90, can be produced. The information regarding the information produced by negation of bytes was determined by Jay Parangalan of Solano County. The Solano 2000 Virus is a generic .COM file infector. The first time an infected .COM file is executed on the system, the virus installs itself memory resident, then proceeds to infect every .COM file that is executed. Infected programs can be manually identified by using a sector editor to view the file. Bytes 1168 thru 1952 will consist of '(' or 28h characters. Some programs, such as DiskCopy.COM which is included on all DOS diskettes, will not run after being infected with this virus, instead an "invalid drive specification" message will be displayed. This message is not in the viral code, but is due to an error condition now existing in the DiskCopy program. The virus-induced error in the DiskCopy program was how the virus was first spotted. This particular virus, in its current state, does not survive a system warm reboot (CTL-ALT-DEL). When it is memory resident, it takes up 3K bytes of RAM. The Solano 2000 Virus does no apparent system damage, however it does check the video buffer occasionally, and may transpose numbers if they are found in certain locations. This effect, however, was not experienced on the author's system in researching this virus. There have also been reports that instead of transposing numeric characters, the Solano virus may change color attributes on the display screen when it is active in memory. Known variants of the Solano 2000 virus: Solano 2000-B: same as Solano 2000, except the 28h characters have been changed to DAh characters, and are located in bytes 1168 thru 1912 in infected files. Dyslexia 2.00: same as Solano 2000, except that the 28h characters are now binary zeros. The attempted transposing of numeric characters in video memory has also been slowed down. The creation date appears to be 22JAN90 instead of 08FEB90. Also see: Subliminal 1.10 Virus Name: Sorry Aliases: G-Virus V1.3 V Status: Rare Discovered: June, 1990 Symptoms: .COM growth, decrease in system and free memory Origin: Eff Length: 731 Bytes Type Code: PRNCK - Parasitic Resident .COM Infector Detection Method: ViruScan V64+, F-Prot Removal Instructions: Scan/D, or delete infected files General Comments: The Sorry Virus was isolated in June, 1990. Its name comes from a german phrase in the virus: "Tut mir Leid !". This virus is based on the Perfume Virus from West Germany, and some anti-viral programs will identify it as Perfume or 4711. The first time a program infected with the Sorry Virus is executed, the virus will install itself memory resident in high memory. Total system memory and free memory will both decrease by 1,024 bytes. Interrupt 21 will be hooked by the virus. COMMAND.COM is immediately infected by the virus, thus insuring on later system boots that the virus becomes memory resident immediately. After the virus is memory resident, it will infect any .COM file which is executed, increaseing the file's length by 731 bytes. The viral code is located at the end of infected files. The Sorry Virus contains the following text strings: "G-VIRUS V1.3" "Bitte gebe den G-Virus Code ein" "Tut mir Leid !" It is unknown what the Sorry Virus does when it activates. Also see: Perfume Virus Name: Stoned Aliases: Hawaii, Marijuana, New Zealand, San Diego, Smithsonian V Status: Common Discovered: February, 1988 Symptoms: BSC, TSR, messages, RLL controller hangs Origin: New Zealand Eff Length: N/A Type Code: BRX - Resident Boot Sector Infector Detection Method: ViruScan, CleanUp, F-Prot, IBM Scan, Pro-Scan, VirexPC Removal Instructions: CleanUp, MDisk, F-Prot, Pro-Scan 1.4+ General Comments: The Stoned virus was first reported in Wellington, New Zealand in early 1988. The original virus only infected 360KB 5 1/4" diskettes, doing no overt damage. There are, however, two known variants which can infect hard disks. This virus becomes memory resident following the system being booted from an infected disk. It will infect any diskette inserted into the system and accessed. On one out of every eight system bootup, the virus will display the message: "Your computer is now stoned. Legalize Marijuana" The Stoned virus can be removed from 360KB diskettes by using either the MDisk, CleanUp, or F-Prot programs. It can also be removed from diskettes by using the DOS SYS command. Known variants of the Stoned Virus are: Stoned-B : same as Stoned, but can also infect hard disks via the hard disk's partition table. Infected systems with RLL controllers will frequently hang. Stoned-C : same as Stoned, except that the message has been removed. Stoned-D : same as Stoned, with the exception that this variant can infect high density 3.5" and 5.25" diskettes. For variants Stoned-B and Stoned-C, removal instructions are the same for diskettes. However, an infected hard disk must be disinfected by using MDisk with the /P parameter or CleanUp. The reason for the different hard disk instructions is due to Stoned infecting the partition table on the hard disk. Virus Name: Subliminal 1.10 Aliases: V Status: Rare Discovered: May, 1990 Symptoms: .COM growth, TSR, unusual file errors, video display flicker Origin: California, USA Eff Length: 1,496 Bytes Type Code: PRsC - Resident Parasitic .COM Infector Detection Method: ViruScan V64+, Pro-Scan 1.4+ Removal Instructions: Scan/D, Pro-Scan 1.4+, or Delete Infected Files General Comments: The Subliminal 1.10 Virus was first isolated in Solano County, California in May 1990 by Jay Parangalan. The name of the virus can be produced by negating (XORing with FF) some null terminated bytes in the viral code. Using this technique, the creation date of the virus appears to be 02OCT89. The Subliminal 1.10 Virus appears to be a very early version of the Solano 2000 Virus, and has only been reported at Solano Community College. The first time a program infected with the Subliminal 1.10 Virus is executed, the virus installs itself memory resident. Any .COM files which are then executed are infected. Infected programs will increase in length by 1,496 bytes. With the virus memory resident, the system monitor will appear to flicker. What is occurring is that the virus is attempting to flash the message "LOVE, REMEMBER?" in the lower left portion of the display for a subliminal duration. The actual amount of time the message displays on the screen varies between systems due to CPU speed. Also see: Solano 2000 Virus Name: Sunday Aliases: V Status: Common Discovered: November, 1989 Symptoms: TSR, executable file growth, messages, FAT corruption Origin: Washington (state), USA Eff Length: 1,636 Bytes Type Code: PRsAT - Parasitic Resident .COM, .EXE. & .OV? Infector Detection Method: ViruScan V49+, F-Prot, IBM Scan, Pro-Scan, VirexPC 1.1+ Removal Instructions: CleanUp, Scan/D, F-Prot, Pro-Scan 1.4+, or VirexPC General Comments: The Sunday virus was discovered by many users in the Seattle, Washington area in November, 1989. This virus activates on any Sunday, displaying the message: "Today is Sunday! Why do you work so hard? All work and no play make you a dull boy! Come on! Let's go out and have some fun!" The Sunday virus appears to have been derived from the Jerusalem virus, the viral code being similar in many respects. Damage to the file allocation table or FAT has been reported from a number of infected users. Known variants of the Sunday Virus are: Sunday-B : Similar to the Sunday Virus, this variant does not activate on any day of the week due to an error in the day of the week checking routine. The message in the virus is never displayed, and no damage is done to the file allocation table. Sunday-C : Similar to Sunday-B, this variant also never activates. It has, however, been modified so that it differs from both the Sunday and Sunday-B viruses. Functionally, it is the same as Sunday-B. Virus Name: Suriv 1.01 Aliases: April 1st, Israeli, Suriv01 V Status: Extinct Discovered: April, 1987 Symptoms: TSR, .COM growth, messages, system lock April 1st Origin: Israel Eff Length: 897 bytes Type Code: PRsC - Parasitic Resident .COM Infector Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC Removal Instructions: Scan/D, F-Prot, Pro-Scan 1.4+, or UnVirus General Comments: The Suriv 1.01 virus is a memory resident .COM infector. It will activate on April 1st after memory is infected by running an infected file and then a uninfected .COM file is executed. On activation, it will display the message: "APRIL 1ST HA HA HA YOU HAVE A VIRUS". The system will then lock up, requiring it to be powered off and then back on. The text "sURIV 1.01" can be found in the viral code. Virus Name: Suriv 2.01 Aliases: April 1st-B, Israeli, Suriv02 V Status: Extinct Discovered: 1987 Symptoms: TSR, .EXE growth, messages, system lock April 1st Origin: Israel Eff Length: 1,488 bytes Type Code: PRsE - Parasitic Resident .EXE Infector Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC Removal Instructions: Scan/D, F-Prot, or UnVirus General Comments: The Suriv 2.01 virus is a memory resident .EXE infector. It will activate on April 1st after memory is infected by running an infected file, displaying the same message as Suriv 1.01 and locking up the system. The virus will cause a similar lockup, though no message, 1 hour after an infected .EXE file is executed on any day on which the system default date of 01-01-80 is used. The virus will only infect the file once. Virus Name: Suriv 3.00 Aliases: Israeli, Suriv03 V Status: Extinct Discovered: 1988 Symptoms: TSR, .COM, .EXE, & .SYS growth; Black Window; system slowdown Origin: Israel Eff Length: 1,813 (COM files) & 1,808 (EXE files) bytes Type Code: PRsA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan, F-Prot, Pro-Scan, VirexPC Removal Instructions: CleanUp, Scan/D, F-Prot, Pro-Scan 1.4+, or Unvirus General Comments: May be a variant of the Jerusalem virus. The string "sUMsDos" has been changed to "sURIV 3.00". The Suriv 3.00 virus activates on Friday The 13ths when an infected program is run or if it is already present in system memory, however files are not deleted due to a bug in the viral code. Other than on Friday The 13ths, after the virus is memory resident for 30 seconds, an area of the screen is turned into a "black window" and a time wasting loop is executed with each timer interrupt. As with the Jerusalem B viruses, this virus can also infect overlay, .SYS, and other executable files besides .EXE and .COM files, though it does not infect COMMAND.COM itself. Also see: Jerusalem, Jerusalem B Virus Name: Swap Aliases: Falling Letters Boot, Israeli Boot V Status: Rare Discovered: August, 1989 Symptoms: Graphic display, BSC (floppy only), TSR, bad cluster, Origin: Israel Eff Length: N/A Type Code: RsF - Resident Floppy Boot Sector Infector Detection Method: ViruScan, F-Prot, IBM Scan, VirexPC Removal Instructions: MDisk, CleanUp, F-Prot, or DOS SYS Command General Comments: The Swap Virus, or Israeli Boot Virus, was first reported in August 1989. This virus is a memory resident boot sector infector that only infects floppies. The floppy's boot sector is infected the first time it is accessed. One bad cluster will be written on track 39, sectors 6 and 7 with the head unspecified. If track 39, sectors 6 and 7, are not empty, the virus will not infect the disk. Once the virus is memory resident, it uses 2K or RAM. The actual length of the viral code is 740 bytes. The Swap virus activates after being memory resident for 10 minutes. A cascading effect of letters and characters on the system monitor is then seen, similar to the cascading effect of the Cascade and Traceback viruses. The virus was named the Swap virus because the first isolated case had the following phrase located at bytes 00B7-00E4 on track 39, sector 7: "The Swapping-Virus. (C) June, 1989 by the CIA" However, this phrase is not found on diskettes which have been freshly infected by the Swap virus. A diskette infected with the Swap virus can be easily identified by looking at the boot sector with a sector editor, such as Norton Utilities. The error messages which normally occur at the end of the boot sector will not be there, instead the start of the virus code is present. The remainder of the viral code is located on track 39, sectors 6 and 7. Virus Name: SysLock Aliases: 3551, 3555 V Status: Endangered Discovered: November, 1988 Symptoms: .COM & .EXE growth, data file corruption Origin: Eff Length: 3,551 Bytes Type Code: PNA - Encrypting Non-Resident .COM & .EXE Infector Detection Method: ViruScan, F-Prot, Pro-Scan Removal Instructions: Scan/D, or F-Prot General Comments: The SysLock virus is a parasitic encrypting virus which infects both .COM and .EXE files, as well as damaging some data files on infected systems. This virus does not install itself memory resident, but instead searches through the .COM and .EXE files and subdirectories on the current disk, picking one at executable file at random to infect. The infected file will have its length increased by approximately 3,551 bytes, though it may vary slightly depending on file infected. The SysLock virus will damage files by searching for the word "Microsoft" in any combination of upper and lower case characters, and when found replace the word with "MACROSOFT". If the SysLock virus finds that an environment variable "SYSLOCK" exists in the system and has been set to "@" (hex 40), the virus will not infect any programs or perform string replacements, but will instead pass control to its host immediately. Known variant(s) of SysLock are: Macho-A : same as the SysLock virus, except that "Microsoft" is replaced with "MACHOSOFT". Virus Name: Taiwan Aliases: Taiwan 2 V Status: Endangered Discovered: January, 1990 Symptoms: .COM growth, 8th day any month corrupts BOOT, FAT, & Partition tables. Origin: Taiwan Eff Length: 743 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V56+, F-Prot, Pro-Scan 1.4+, VirexPC Removal Instructions: Scan/D, or delete infected files General Comments: The Taiwan virus was first isolated in January, 1990 in Taiwan, R.O.C. This virus infects .COM files, including COMMAND.COM, and does not install itself into system memory. Each time a program infected with the Taiwan virus is executed, the virus will attempt to infect up to 3 .COM files. The current default directory is not first infected, instead the virus will start its search for candidate files in the C: drive root directory. Once an uninfected .COM file is located, the virus infects the file by copying the viral code to the first 743 bytes of the file, the original first 743 bytes of the file is relocated to the end of the .COM file. A bug exists in this virus, if the uninfected .COM file is less than 743 bytes in length, the resulting infected .COM file will always be 1,486 bytes in length. This effect is due to the virus not checking to see if it read less than 743 bytes of the original file before infecting it. The Taiwan virus is destructive. On the 8th day of any month, when an infected program is run the virus will perform an absolute disk write for 160 sectors starting at logical sector 0 on the C: and D: drives. In effect, this logical write will result in the FATs and root directory being overwritten. Virus Name: Taiwan 3 Aliases: V Status: Rare Discovered: June, 1990 Symptoms: .COM & .EXE growth, decrease in available free memory, system hangs Origin: Taiwan Eff Length: 2,900 Bytes Type Code: PRA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V64+ Removal Instructions: Scan/D, or delete infected files General Comments: The Taiwan 3 Virus was isolated in June, 1990 in Taiwan, R.O.C. It was dubbed the Taiwan 3 Virus by John McAfee because it is the third virus from Taiwan, the other two are Taiwan and Disk Killer. This virus is not related to either of these two viruses. The first time a program infected with the Taiwan 3 Virus is executed on a system, the virus will install itself memory resident in low system free memory. Available free memory will decrease by 3,152 bytes. The virus hooks interrupt 21. After becoming memory resident, Taiwan 3 will infect any program which is executed. .COM files will increase in length by 2,900 bytes, .EXE files will increase by between 2,900 and 2,908 bytes. Overlay files may also become infected as well. It is unknown what the activation criteria is for this virus, or what it does besides spreading. Also see: Fu Manchu Virus Name: TCC Aliases: V Status: New Discovery: August, 1990 Symptoms: .COM & .EXE file growth; slow program loads upon execution Origin: Paris, France Eff Length: 4,909 Bytes Type Code: PNAK - Parasitic Non-Resident .COM & .EXE Infector Detection Method: ViruScan V66+ Removal Instructions: Scan/D, or Delete infected files General Comments: The TCC Virus was isolated in Paris, France, in early August, 1990. This virus is a generic infector of .COM, .EXE and overlay files, and will infect COMMAND.COM. It is not memory resident. When a program infected with the TCC Virus is executed, the virus will infect all .COM, .EXE and overlay files on the current drive and directory, with the exception of very small .COM files. It will also check to see if COMMAND.COM on the C: drive is uninfected, if it has not previously been infected it will become infected. Infected files will increase in length by between 4,909 - 4, 25 bytes, with the virus located at the end of the infected file. It is unknown what this virus might do when and if it activates. Virus Name: Tiny Family Aliases: Tiny-158, Tiny-159, Tiny-160, Tiny-167, Tiny-198 V Status: Rare Discovery: July, 1990 Symptoms: .COM file growth Origin: Bulgaria Eff Length: 158 - 198 Bytes (see below) Type Code: PRC - Parasitic Resident .COM Infector Detection Method: ViruScan V66+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Tiny Family of Viruses was received by the author in July 1990 from Vesselin Bontchev of Bulgaria. All the viruses in this grouping share the same characteristics, with the only real difference is the effective length of the viral code. There are five (5) viruses included in the "family" at the present time: Tiny-158, Tiny-159, Tiny-160, Tiny-167, and Tiny-198. The first time a file infected with one of the Tiny Family viruses is executed on a system, the virus will install itself memory resident in system free memory. The memory used by the resident virus is not reserved, and may be overwritten later by another program. Interrupt 21 will be hooked by the virus. After the virus is memory resident, the virus will infect any .COM program that is executed. Infected programs will have a file length increase of between 158 - 198 bytes, depending on which variant is present on the system. The file's date and time in the directory will also have been updated to the system date and time when the infection occurred. The Tiny Family of Viruses currently does not do anything but replicate. The viruses in this "family" may or may not be related to the Tiny Virus documented below. Known members of the Tiny Family are: Tiny-158 : Same as above, effective length is 158 bytes. Tiny-159 : Same as above, effective length is 159 bytes. Tiny-160 : Same as above, effective length is 160 bytes. Tiny-167 : Same as above, effective length is 167 bytes. Tiny-198 : Same as above, effective length is 198 bytes. Also see: Tiny Virus Virus Name: Tiny Virus Aliases: 163 COM Virus, Tiny 163 Virus V Status: Rare Discovery: June, 1990 Symptoms: COMMAND.COM & .COM file growth Origin: Iceland Eff Length: 163 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V64+, VirexPC Removal Instructions: Scan/D, or Delete infected files General Comments: The 163 COM Virus, or Tiny Virus, was isolated by Fridrik Skulason of Iceland in June 1990. This virus is a non-resident generic .COM file infector, and it will infect COMMAND.COM. The first time a file infected with the 163 COM Virus is executed, the virus will attempt to infect the first .COM file in the current directory. On bootable diskettes, this file will normally be COMMAND.COM. After the first .COM file is infected, each time an infected program is executed another .COM file will attempt to be infected. Files are infected only if their original length is greater than approximately 1K bytes. Infected .COM files will increase in length by 163 bytes, and have date/time stamps in the directory changed to the date/time the infection occurred. Infected files will also always end with this hex string: '2A2E434F4D00'. This virus currently does nothing but replicate, and is the smallest MS-DOS virus known as of its isolation date. The Tiny Virus may or may not be related to the Tiny Family documented elsewhere in this listing. Also see: Tiny Family Virus Name: Traceback Aliases: 3066 V Status: Endangered Discovered: October, 1988 Symptoms: .COM & .EXE growth, TSR, graphic display 1 hour after boot Origin: Eff Length: 3,066 bytes Type Code: PRsA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC Removal Instructions: M-3066, VirClean, F-Prot, VirexPC, Pro-Scan 1.4+ or delete infected files General Comments: The Traceback virus infects both .COM and .EXE files, adding 3,066 bytes to the length of the file. After an infected program is executed, it will install itself memory resident and infect other programs that are opened. Additionally, if the system date is after December 5, 1988, it will attempt to infect one additional .COM or .EXE file in the current directory. If an uninfected file doesn't exist in the current directory, it will search the entire disk, starting at the root directory, looking for a candidate. This search process terminates if it encounters an infected file before finding a candidate non-infected file. This virus derives its name from two characteristics. First, infected files contain the directory path of the file causing the infection within the viral code, thus is it possible to "trace back" the infection thru a number of files. Second, when it succeeds in infected another file, the virus will attempt to access the on-disk copy of the program that the copy of the virus in memory was loaded from so that it can update a counter in the virus. The virus takes over disk error handling while trying to update the original infected program, so if it can't infect it, the user will be unaware that an error occurred. The primary symptom of the Traceback virus having infected the system is that if the system date is after December 28, 1988, the memory resident virus will produce a screen display with a cascading effect similar to the Cascade/1701/1704 virus. The cascading display occurs one hour after system memory is infected. If a keystroke is entered from the key- board during this display, a system lockup will occur. After one minute, the display will restore itself, with the characters returning to their original positions. This cascade and restore display are repeated by the virus at one hour intervals. Known variant(s) of the Traceback virus are: Traceback-B : Similar to the Traceback virus, the major differences are that Traceback-B will infect COMMAND.COM and there is no cascading display effect after the virus has been resident for one (1) hour. Infected files will also not contain the name of the file from which the virus originally became memory resident, but instead the name of the current file. A text string: "MICRODIC MSG" can be found in files infected with Traceback-B. If the system is booted from a diskette whose copy of COMMAND.COM is infected, attempting to execute any program will result in a memory allocation error and the system being halted. Origin: Spain, March 1990. Traceback-B2: Similar to Traceback-B2, this variant has the cascading display effect after the virus has been resident in memory for one (1) hour. The text string " XPO DAD " replaces the "MICRODIS MSG" text string in Traceback-B. Origin: Spain, May 1990. Also see: Traceback II Virus Name: Traceback II Aliases: 2930 V Status: Endangered Discovered: October, 1988 Symptoms: .COM & .EXE growth, TSR, graphic display 1 hour after boot Origin: Eff Length: 2,930 Bytes Type Code: PRA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V41+, F-Prot, IBM Scan, Pro-Scan, VirexPC Removal Instructions: Scan/D, F-Prot, VirexPC, Pro-Scan 1.4+, or delete infected files. General Comments: The Traceback II virus is a variant of the Traceback (3066) virus. It is believed that Traceback II predates the Traceback virus, however the Traceback virus was isolated and reported first. As with the Traceback virus, the Traceback II virus is memory resident and infects both .COM & .EXE files. The comments indicated for the Traceback virus generally apply to the Traceback II virus, with the exception that the file length increase is 2,930 bytes instead of 3,066 bytes. Known variant(s) of the Traceback II Virus are: Traceback II-B: Similar to Traceback II, this variant will infect COMMAND.COM. When the cascading effect occurs, the screen will not be restored, instead the system will be hung requiring it to be powered off and rebooted. Also see: Traceback Virus Name: Typo Boot Aliases: Mistake V Status: Rare Discovered: June, 1989 Symptoms: BSC, Resident TOM, garbled printout. Origin: Israel Eff Length: N/A Type Code: BRt - Resident Boot Sector Infector Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan Removal Instructions: MDisk, Pro-Scan 1.4+, F-Prot, or DOS SYS Command General Comments: The Typo Boot virus was first isolated in Israel by Y. Radai in June, 1989. This virus is a memory resident boot sector infector, taking up 2K at the upper end of system memory once it has installed itself memory resident. The major symptom that will be noticed on systems infected with the Typo Boot virus is that certain characters in printouts are always replaced with other phonetically similar characters. Since the virus also substitutes hebrew letters for other hebrew letters, the virus was most likely written by someone in Israel. Digits in numbers may also be transposed or replaced with other numbers. The substitutions impact printouts only, the screen display and data in files are not affected. The Typo Boot virus is similar structurally to the Ping Pong virus, and may be a variant of Ping Pong. It can be removed from a disk by using MDisk, CleanUp, DOS SYS command, or just about any Ping Pong disinfector. Virus Name: Typo COM Aliases: Fumble, 867 V Status: Rare Discovered: November, 1989 Symptoms: .COM growth, Resident TOM, garbled printout (see text). Origin: England Eff Length: 867 Bytes Type Code: PRtC - Parasitic Resident .COM Infector Detection Method: ViruScan V48+, F-Prot, IBM Scan, Pro-Scan Removal Instructions: Scan/D, F-Prot, Pro-Scan 1.4+, or delete infected files General Comments: The Typo COM virus is similar to the Typo Boot virus in that it will garble data that is sent to the parallel port once it has activated. Unlike the Boot virus, the COM virus infects generic .COM files. This virus was first reported by Joe Hirst of Brighton, UK, in November, 1989. The Typo COM virus only infects .COM files on even-numbered days. Virus Name: V651 Aliases: Eddie 3, Stealth Virus V Status: Rare Discovered: April, 1990 Symptoms: .COM & .EXE growth, decrease in system and free memory, file allocation errors Origin: Sofia, Bulgaria Eff Length: 651 Bytes Type Code: PRtA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V66+ Removal Instructions: Scan/D, Delete infected files General Comments: The V651, or Eddie 3, Virus was isolated in Sofia, Bulgaria in April 1990 by Vesselin Bontchev. V651 is believed to have been written by the same author as Dark Avenger, V1024, and V2000. This virus is a generic infector for .COM and .EXE files. The first time a program infected with V651 is executed, the virus will install itself memory resident. Using the DOS CHKDSK program, total system memory, as well as available free memory, will be decreased by 688 bytes. Later, as programs with a length of 651 bytes or greater are executed, they will be infected by the virus. Infected files increase in length by 651 bytes, though the increase in file length will not be seen by performing a directory command with the virus present in memory. The total available disk space will also be adjusted by the virus so that the decrease in available disk space due to the virus's activities cannot be seen. Powering off the system and booting from a known clean boot diskette, followed by issuing a directory command will result in the correct infected file lengths being displayed as well as the actual available space on the disk. Infected files can be easily identified as the text string "Eddie Lives." appears near the end of the infected file. These files will also be 651 bytes longer than expected when the virus is not present in memory. A side effect of the V651 virus is that lost clusters may occur on infected systems if the CHKDSK /F command is used. While this does not occur for all infected files, the number of errors reported by CHKDSK will be much higher statistically when V651 is present. Unlike Dark Avenger and V2000, this virus does not infect files on any file open. It only infects when programs are executed. Also see: Dark Avenger, V1024, V2000 Virus Name: V800 Aliases: Live after Death Virus, Stealth Virus V Status: Unknown - Eastern Block (Bulgaria) Discovered: May, 1990 Symptoms: .COM growth, decrease in total system and available memory Origin: Bulgaria Eff Length: 800 Bytes Type Code: PRC - Parasitic Resident .COM Infector Detection Method: ViruScan V63+ , Pro-Scan 1.4+ Removal Instructions: CleanUp V64+, Scan/D, or delete infected files General Comments: The V800, or Live after Death, Virus was isolated in Bulgaria by Vesselin Bontchev in May, 1990. The V800 is a self-encrypting memory resident .COM infector, and it does not infect COMMAND.COM. This virus is thought to have been written by the same person as the Dark Avenger virus since many of the same techniques are used. The virus has received an alias of the Live after Death Virus as the virus contains the "Live after Death" string, though it cannot be seen in infected files as the virus is encrypted. The first time an infected program is run on a system, the V800 Virus will install itself memory resident. In the process of installing itself resident, it will decrease available system memory by 16K, using 8,192 Bytes for itself in the top of available free memory. It will also hook interrupt 2A. Once in memory, every time a .COM file is attempted to be executed, the virus will check to see if it is a candidate for infection. Whether the file will be infected depends on the size of the .COM file when it is attempted to be executed. In no event is a .COM file smaller than 1024 bytes infected, but not all .COM files over 1024 bytes are infected either. The V800 Virus will reinfect .COM files, with the file's size increasing by 800 bytes with each infection. Known variant(s) of the V800 Virus include: V800M : Very similar to V800, the major difference is that V800M will infect files on both file open and file execute, putting this variant into the "Stealth" virus category. When the virus becomes memory resident, total system and free memory will decrease by only 8,192 bytes. This variant does not have the "Live after Death" string in it. Virus Name: V1024 Aliases: Dark Avenger III, Stealth Virus V Status: Rare Discovered: May, 1990 Symptoms: TSR; decrease in available free memory Origin: Bulgaria Eff Length: 1,024 Bytes Type Code: PRA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V64+ Removal Instructions: Scan/D, or Delete infected files General Comments: The V1024, or Dark Avenger III, Virus was discovered in Bulgaria in April 1990. V1024 is a memory resident generic infector of .COM and .EXE files. It is believed to have been written by the same person that wrote Dark Avenger and V2000. This virus may actually be an earlier version of the Dark Avenger virus, it has many of the same characteristics, though it does not infect all files when they are openned for any reason. The first time a program infected with V1024 is executed, the virus will install itself memory resident. At this time, it checks to see if several interrupts are being monitored, including interrupts 1 and 3. If interrupts 1 and 3 are monitored, V1024 allow the current program to run, but any subsequent program executed will hang the system and V1024 will not replicate. When V1024 is memory resident, infected systems will experience a decrease in free memory by 1,072 bytes. Total system memory will not have changed. The virus will have remapped several interrupts by altering their location in the interrupt map page in memory. These interrupts will now be controlled by V1024. After V1024 becomes memory resident, the virus will infect any program executed which is greater in length than 1,024 bytes. Both .COM and .EXE files are infected, COMMAND.COM is not infected. Infected files increase in length by 1,024 bytes, though this increase will not appear if the virus is present in memory and a DIR listing is done. V1024 infected files can be identified by a text string which appears very close to the end of infected files. The text string is: '7106286813'. V1024 does not appear contact any activation date. Also see: Dark Avenger, V2000, V651 Virus Name: V1701New Aliases: P1 V Status: Rare Discovered: July, 1990 Symptoms: .COM growth, system reboots, CHKDSK program failure, COMMAND.COM header change Origin: Bulgaria Eff Length: 1,701 Bytes Type Code: PRhCK - Parasitic Resident .COM Infector Detection Method: ViruScan V66+ Removal Instructions: Scan/D, or delete infected files General Comments: The V1701New virus is of Bulgarian origin, and was submitted to the author of this document in July, 1990 by Vesselin Bontchev. This virus is one of a family of three (3) viruses which may be referred to as the P1 or Phoenix Family. Each of these viruses is being documented separately due to their varying characteristics. The V1701New virus is a memory resident, generic infector of .COM files, and will infect COMMAND.COM. It is the most advanced of the three viruses in the Phoenix Family. The V1701New Virus is a later version of the PhoenixD virus. The first time a program infected with the V1701New virus is executed, the virus will install itself memory resident in free high memory, reserving 8,192 bytes. Interrupt 2A will be hooked by the virus. System total memory and free memory will decrease by 8,192 bytes. V1701New will then check to see if the current drive's root directory contains a copy of COMMAND.COM. If a copy of COMMAND.COM is found, it will be infected by V1701New by overwriting part of the binary zero portion of the program, and changing the program's header information. COMMAND.COM will not change in file length. The virus will then similarly infect COMMAND.COM residing in the C: drive root directory. After becoming memory resident, the virus will attempt to infect any .COM file executed. V1701New is a better replicator than either the original Phoenix Virus or PhoenixD, and was successful in infected .COM Infected files in all cases on the author's system. Infected files will increase in size by 1,701 bytes. V1701New is not able to recognize when it has previously infected a file, so it may reinfect .COM files several times. Each infection will result in another 1,701 bytes of viral code being appended to the file. Like PhoenixD, V1701New will infect files when they are openned for any reason in addition to when they are executed. The simple act of copying a .COM file will result in both the source and target .COM files being infected. Systems infected with the V1701New virus will experience problems with executing CHKDSK.COM. Attempts to execute this program with Phoenix memory resident will result in a warm reboot of the system occurring. The system, however, will not perform either a RAM memory check or request Date and Time if an autoexec.bat file is not present. This virus is not related to the Cascade (1701/1704) virus. The V1701New Virus employs a complex encryption mechanism, and virus scanners which are only able to look for simple hex strings will not be able to detect it. There is no simple hex string in this virus that is common to all infected samples. Known variant(s) of V1701New are: V1701New-B : This is a earlier version of V1701New, and is a rather poor replicator. It also has not to viable as infected programs will hang when they are executed, with the exception of the Runme.Exe file which the author received. The Runme.Exe file was probably the original release file distributed by the virus's author. Also see: Phoenix, PhoenixD Virus Name: V2000 Aliases: Dark Avenger II, Stealth Virus, Travel Virus V Status: Rare Discovered: 1989 Symptoms: TSR; .COM, .EXE, .OV? growth (see text); crashes; crosslinked files following CHKDSK. Origin: Bulgaria Eff Length: 2,000 Bytes Type Code: PRA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V59+, Pro-Scan 1.4+ Removal Instructions: Scan/D, Pro-Scan 1.4+, or delete infected files General Comments: The V2000, or Dark Avenger II, virus is a memory resident generic file infector. The first isolated samples of this virus were received from Bulgaria, where it is thought to have originated. V2000 will infect .COM, .EXE, and Overlay files, as well as COMMAND.COM. When the first infected file is executed, the virus installs itself memory resident, and then infected COMMAND.COM if it has not already been infected. Then, when an executable file is openned for any reason, it is infected if it hasn't been previously infected. Increased file lengths will not be shown if the V2000 virus is present in memory when a DIR command is issued. Issuing a CHKDSK /F command on infected systems may result in crosslinking of files since the directory information may not appear to match the entries in the file allocation table (FAT). Systems infected with the V2000 virus will experience unexpected system crashes, resulting in lost data. Some systems may also become unbootable due to the modification of COMMAND.COM or the hidden system files. One of the following two text strings will appear in the viral code in infected files, thus accounting for the alias of Travel Virus used in Bulgaria: "Zopy me - I want to travel" "Copy me - I want to travel" There are reports from Bulgaria that the V2000 virus looks for and hangs the system if programs written by Vesselin Bontchev are attempted to be executed. This would explain the presence of the following copyright notice within the viral code: "(c) 1989 by Vesselin Bontchev" Known variants of the V2000 virus include: V2000-B/Die Young : Similar to the V2000 virus, the main difference is that the text string "Zopy me - I want to travel" is now "Only the Good die young..." or "Mnly the Good die young..." and the encryption used by the virus is different. This variant is actually the original virus, predating V2000. Also see: Dark Avenger, V1024, V651 Virus Name: V2100 Aliases: 2100, Stealth Virus, UScan Virus V Status: New Discovered: July, 1990 Symptoms: file allocation errors, decrease in system and free memory Origin: Bulgaria Eff Length: 2,100 Bytes Type Code: PRtA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V66+ Removal Instructions: Scan/D, or delete infected files General Comments: The V2100, or 2100, Virus was first isolated in Sofia, Bulgaria by Vesselin Bontchev in July 1990. It is a resident generic infector of .COM, .EXE, and overlay files. It will also infect COMMAND.COM. This virus appears to have been originally released into the public domain on an anti-viral program named UScan which was uploaded to several BBSes in Europe. While not all copies of UScan are carriers of this virus, there was one version which exists that has the virus embedded in its program code. The virus cannot be detected on this trojan version using search algorithms for this virus. V2100 is believed to have been written by the author of Dark Avenger. The first time a program infected with V2100 is executed, the virus will install itself memory resident above top of memory but below the 640K boundary. The top of memory returned by interrupt 12 will be lower than expected by 4,288 bytes. Likewise, free memory will have decreased by 4,288 bytes. At this same point, V2100 will infect COMMAND.COM though the change in file length will be hidden by the virus. Once the virus is memory resident, it will infect any .COM, .EXE, or overlay file with a file length of at least 2100 bytes that is executed or openned for any reason. The simple act of copying an executable file will result in both the source and target files becoming infected. Infected files will be 2,100 bytes longer, though the virus will hide the change in file length so that it isn't noticeable when directories are listed. In some cases, infected files will appear to be 2,100 bytes smaller than expected if the virus is present in memory. Systems infected with the V2100 virus will notice file allocation errors occurring, along with crosslinking of files. Due to these errors, some files may become corrupted. These file allocation errors are truely errors, they exist whether or not the virus is present in memory. Virus Name: Vacsina Aliases: V Status: Endangered Discovered: November, 1989 Symptoms: TSR; .COM, .EXE, .BIN, & .SYS growth; "beeps" Origin: Bulgaria Eff Length: 1,206 bytes Type Code: PRsA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan, F-Prot, Pro-Scan 1.4+, VirexPC Removal Instructions: CleanUp V64+, Scan/D/A, F-Prot, or delete infected files General Comments: The Vacsina virus is approximately 1200 bytes in length and can be found in memory on infected systems. There are at least 48 variants of the Vacsina virus, also known as the TP virus family, though not all of them have been isolated. Later versions of this virus are included in this listing under the name "Yankee Doodle". Generally, the Vacsina Virus infects both .COM and .EXE files, as well as .SYS and .BIN files. This virus, when infecting a .EXE file, will first convert it into .COM format by changing the MZ or ZM identifier in the first two bytes of the file to a JMP instruction and then adding a small piece of relocator code, so that the .EXE file can be infected as though it were originally a .COM file. One sign of a Vacsina infection is that programs which have been infected may "beep" when executed. Infected programs will also have their date/time in the disk directory changed to the date and time they were infected. Known Vacsina Variants Include: TP04VIR - Infects .EXE files, changing them internally into .COM files. Infected programs may beep when executed, and may be identified by searching for the text string "VACSINA" along with the second byte from the end of the file containing a 04h. This version of Vacsina is a poor replicator, and while it will always convert a .EXE file to .COM file format, adding 132 bytes, it does not always infect executed files. TP05VIR - Similar to TP04VIR, except that the second to the last byte in the file is now a 05h. System hangs may also be experienced. TP06VIR - Similar to TP05VIR, except the second to the last byte in the file is now a 06h. TP16VIR - Similar to TP06VIR, the second to the last byte in the infected file is now 10h. TP23VIR - Similar to TP16VIR, the second to the last byte in the infected file is now 17h. The text "VACSINA" no longer appears in the virus. TP24VIR - Similar to TP23VIR, the second to the last byte in the infected file is now 18h. TP25VIR - Similar to TP24VIR, the second to the last byte in the infected file is now 19h. Also see: Yankee Doodle Virus Name: VComm Aliases: 637 V Status: Rare Discovered: December, 1989 Symptoms: .EXE growth, TSR, write failures Origin: Poland Eff Length: 637 Bytes Type Code: PRaE - Parasitic Resident .EXE Infector Detection Method: F-Prot, ViruScan V60+, IBM Scan, Pro-Scan, VirexPC Removal Instructions: F-Prot, Scan/D, VirexPC, or delete infected files General Comments: The Vcomm virus is of Polish origin, first isolated in December, 1989. The virus is a .EXE file infector. When an infected file is run, the virus will attempt to infect one .EXE file in the current directory. It will also infect the memory resident version of the system's command interpreter. When Vcomm infects a file, it first pads the file so that the files length is a multiple of 512 bytes, then it adds its 637 bytes of virus code to the end of the file. The memory resident portion of the virus intercepts any disk writes that are attempted, and changes them into disk reads. Virus Name: VHP Aliases: VHP-348, VHP-353, VHP-367, VHP-435 V Status: Endangered Discovered: July 1989 Symptoms: .COM growth, system hangs Origin: Bulgaria Eff Length: 348 - 435 Bytes Type Code: PNC - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V64+ Removal Instructions: Scan/D, or Delete infected files General Comments: The VHP Virus is actually a small group or "family" of viruses that was discovered in Bulgaria in early 1990. There are currently four identified variants to the VHP Virus, with the VHP-435 variant being the one with the most potential for spreading. These viruses were originally based on the Vienna virus. The progression of the variants shows each variant to be a slightly better replicator. The VHP Viruses are: VHP-348 : This variant does not replicate due to bugs in the virus code. If it did replicate, it would infect .COM files. The virus's effective length is 348 bytes. VHP-353 : VHP-348 fixed so that it will infected COMMAND.COM, increasing its size by 353 bytes. It does not infect other .COM files. This variant is still buggy, and it will occasionally hang systems when attempting to find a .COM file to infect. VHP-367 : VHP-353 which will now infect .COM files besides COMMAND.COM. Infected files increase in size by 367 bytes. Very rarely, this virus will reinfect an infected .COM file. VHP-353 does not always infect a .COM file when an infected program is executed, it will sometimes not infect any .COM file, though it has in effect immunized the file from infection. This effect is probably a bug in this variant. VHP-435 : Isolated in July, 1989, this variant is 435 bytes in length and is not destructive, all it does is spread. VHP-435 will attempt to infect 1 file each time an infected program is executed. COMMAND.COM and .EXE files are not infected. After infecting all of the .COM files on the current drive and directory, it will attempt to infect drive C:. VHP-435 is the VHP-367 virus with some modifications to make it less likely to be noticed. Also see: Vienna, VHP2 Virus Name: VHP2 Aliases: VHP-623 V Status: Endangered Discovered: March, 1990 Symptoms: .COM growth, reboots or system hangs Origin: Bulgaria Eff Length: 623 bytes Type Code: PNC - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V64+, Pro-Scan 1.4+ Removal Instructions: Scan/D, Pro-Scan 1.4+, or Delete infected files General Comments: The VHP2 Virus was isolated in Bulgaria in March, 1990. This virus is based on the Vienna Virus, and has many of the same characteristics of the VHP-435 variant of the VHP virus. It's major difference is that every 8 infected programs will perform a system warm reboot of effective length. VHP2 is 623 bytes long, infecting only .COM files but not COMMAND.COM. Known variants of the Vienna Virus include: VHP-627 : Similar to VHP-623, except that its length is 627 bytes. Also see: VHP, Vienna Virus Name: Victor Aliases: V Status: Rare Discovered: May, 1990 Symptoms: .COM &.EXE growth, data file corruption, file linkage errors, and unexpected system reboots Origin: USSR Eff Length: 2,458 bytes Type Code: PRAK - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V63+, Pro-Scan 1.4+, VirexPC Removal Instructions: Scan/D, Pro-Scan 1.4+, or Delete infected files General Comments: The Victor Virus was first isolated in May, 1990. It is believed to have originated in the USSR due to messages which appear within the viral code: "Victor V1.0 The Incredible High Performance Virus Enhanced versions available soon. This program was imported from USSR. Thanks to Ivan." The above message can be found at the end of infected files, but does not appear to ever be displayed. The first time a program infected with the Victor Virus is executed, the virus will install itself memory resident, occuping 3,072 bytes at the top of free memory. Interrupt 21 will be intercepted by the virus. After becoming memory resident, Victor will then seek out and infect COMMAND.COM. Victor is a very slow file infector, only infected approximately 1 in every 10 programs executed after it becomes memory resident. Infected programs will increase in length by between 2,443 and 2,458 bytes. The increase in file size is not hidden by the virus. Occasionally in the process of infecting a file, the virus will hang the system, which may result in data file corruption. Overlay files may also be infected, resulting in file linkage errors. Virus Name: Vienna Aliases: Austrian, Unesco, DOS-62, DOS-68, 1-in-8, 648 V Status: Endangered Discovered: April, 1988 Symptoms: .COM growth, reboots or system hangs Origin: Austria Eff Length: 648 bytes Type Code: PNC - Parasitic Non-Resident .COM Infector Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC Removal Instructions: M-Vienna, CleanUp V66+, VirClean, F-Prot, Pro-Scan 1.4+, or VirexPC General Comments: The Vienna virus was first isolated in April, 1988, in Moscow at a UNESCO children's computer summer camp. The virus will infect 1 .COM file whenever a program infected with the virus is run. 1 in every 8 infected programs will perform a system warm reboot whenever the viral code is executed. Some .COM programs infected with this virus may not run. The Vienna virus was written by a high school student in Vienna Austria as an experiment. Its large number of variants can be accounted for as its source code has been published many times. Known variants of the Vienna Virus include: Vienna-B : Similar to Vienna, except that instead of a warm reboot, the program being executed will be deleted. Vienna-B 645 : Similar to the Vienna-B variant, this variant's effective length is 645 bytes. It does not perform either a warm reboot or delete executed programs. It does, however, infect COMMAND.COM Origin: United States Vien6 : Similar to Vienna, except that the warm reboot has been removed. Effective length of the virus is still 648 bytes. After 7 files have become infected on the current drive, the virus will then start infecting .COM files on drive C:. Also see: 1260, Ghostballs, Lisbon, W13, VHP, VHP-2 Virus Name: VirDem Aliases: V Status: Endangered Discovered: 1986-1987 Symptoms: .COM growth, Messages Origin: Germany Eff Length: 1,236 Bytes Type Code: PNC - Parasitic Non-Resident .COM Infector Detection Method: VirexPC Removal Instructions: General Comments: The VirDem Virus was written in 1986-1987 by Ralf Burger of Germany. The virus was originally distributed in Europe as a demonstration virus, to assist computer users in understanding how a computer virus operates. The VirDem virus is not memory resident, and only infects .COM files on the A: drive. It will always skip the first .COM file in the root directory, so normally it will not infect COMMAND.COM. It will also not infect .COM files past the second subdirectory on the disk. Infected files that were originally less than approximately 1,500 bytes will be 2,616 bytes after infection. .COM files which were greater than 1,500 bytes will increase in size by approximately 1,236 bytes. When an infected program is executed, VirDem will infect the next candidate .COM file. Infected files will contain the viral code, followed by the original program. After infecting the .COM file, the virus will play a "game" with you, starting with the following text being displayed: " VirDem Ver.: 1.06 (Generation #) aktive. Copyright by R.Burger 1986,1987 Phone.: D - xxxxx/xxxx This is a demoprogram for computerviruses. Please put in a number now. If you're right, you'll be able to continue. The number is between 0 and # " (Note: I have removed the phone number here, but it appears where xxxxx/xxxx is above. Where # is, the virus's generation number appears.) At this point, you must guess the correct number and enter it. If you put in the wrong number, you get the following message and your program is not run: " Sorry, you're wrong More luck at next try .... " If you guess the correct number, you receive the following message and your program then executes: " Famous. You're right. You'll be able to continue. " Finally, after all the candidate .COM files on the A: drive are infected, the following message is displayed: " All your programs are struck by VIRDEM.COM now." VIRDEM.COM was the original distribution file containing the virus, and had a VIRDEM.DOC file included with it. VirDem is not widespread, and is not distructive. Virus Name: Virus-90 Aliases: V Status: Research Discovered: December, 1989 Symptoms: .COM growth, TSR Origin: District of Columbia, USA Eff Length: 857 bytes Type Code: PRC - Parasitic Resident .COM Infector Detection Method: ViruScan V53+, F-Prot, IBM Scan, Pro-Scan 1.4+, VirexPC Removal Instructions: Scan/D, F-Prot, Pro-Scan 1.4+, or delete infected files General Comments: The Virus-90 virus was originally distributed in December, 1989 by Patrick Toulme as an "educational tool", with the virus source also available for sale. In January, 1990, the author contacted the sites where he had uploaded the virus requesting that they remove it from their systems, his having decided a live virus was not a "good idea" for an educational tool after being contacted by several viral authorities. Also see: Virus101 Virus Name: Virus101 Aliases: V Status: Research Discovered: January, 1990 Symptoms: TSR, BSC, .COM growth (floppy only) Origin: District of Columbia, USA Eff Length: 2,560 Bytes Type Code: PRAFK - Parasitic Resident Infector Detection Method: ViruScan V57+, Pro-Scan 1.4+ Removal Instructions: Scan/D or delete infected files General Comments: The Virus101 is the "big brother" of Virus-90, also written by Patrick Toulme as an "educational tool" in January 1990. This virus is memory resident, and employs an encryption scheme to avoid detection on files. It infects COMMAND.COM, and all other executable file types. Once it has infected all the files on a diskette, it will infect the diskette's boot sector. It only infects floppy diskettes in its current version. Also see: Virus-90 Virus Name: VP Aliases: V Status: Rare Discovered: May 1990 Symptoms: COMMAND.COM & .COM file growth, system slowdown Origin: England Eff Length: 913 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V64+, Pro-Scan 1.4+ Removal Instructions: Scan/D, Pro-Scan 1.4+, or Delete infected files General Comments: The VP Virus was first isolated in May, 1990. It is a non-resident generic .COM infector, and will infect COMMAND.COM. When an infected program is run, the virus will attempt to locate and infect another .COM file. In some cases, such as COMMAND.COM, the virus will display the contents of the program being infected. In other cases, the virus may attempt to execute the program being infected. Infected files increase in length by 913 bytes, and can be identified as the following hex string will appear near both the beginning and the end of an infected program: '4503EB1808655650'. Virus Name: W13 Aliases: Toothless Virus, W13-A V Status: Endangered Discovered: December, 1989 Symptoms: .COM growth Origin: Poland Eff Length: 534 Bytes Type Code: PNC - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V63+, F-Prot, IBM Scan, Pro-Scan 1.4+, VirexPC Removal Instructions: Scan/D, F-Prot, Pro-Scan 1.4+, or delete infected files General Comments: The W13 virus is a .COM file infector that doesn't do much except for infect files. The virus was isolated in December 1989 in Poland. While W13 is based on the Vienna virus, it does not damage files or have some of the other side effects of the Vienna virus. It contains a number of bugs which prevent it from being a good replicator. Known variant(s) of W13 include: W13-B : The original W13 Virus with several bugs fixed. This variants length is 507 bytes instead of 534 bytes. Virus Name: Wolfman Aliases: V Status: New Discovered: July, 1990 Symptoms: TSR; .COM & .EXE growth Origin: Taiwan Eff Length: 2,064 Bytes Type Code: PRsAK - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V66+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Wolfman Virus was discovered in Taiwan in July, 1990. It is a memory resident generic infector of .COM and .EXE files, including COMMAND.COM. The first time a program infected with the Wolfman Virus is executed, the virus will install itself memory resident as a TSR with 2 blocks of memory reserved. The first block of memory reserved is 68,032 bytes in length, the second block of reserved memory is 4,544 bytes in length. The total 72,640 bytes of memory is in low system memory, and available free memory is decreased by a corresponding amount. The virus hooks interrupts 09, 10, 16, 21, 2F, ED, and F5. Once the virus is memory resident, the virus will infect any .COM or .EXE file which is executed if the pre-infection file length is greater than or equal to 2,064 bytes. Infected files increase in length by 2,064 bytes. .COM files which are infected will have the virus's code located at the beginning of the .COM file, .EXE files will have the virus located at the end. It is unknown when Wolfman activates, or if it is destructive. Virus Name: Yankee Doodle Aliases: TP44VIR, Five O'clock Virus V Status: Common - Europe Discovered: September, 1989 Symptoms: .COM & .EXE growth, melody @ 5 p.m. Origin: Austria or Bulgaria Eff Length: 2,885 or 2,899 Bytes Type Code: PRsA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V42+, F-Prot, IBM Scan, Pro-Scan, VirexPC Removal Instructions: CleanUp V64+, Scan/D, VirClean, F-Prot, or delete infected files General Comments: The Yankee Doodle virus was isolated by Alexander Holy of the North Atlantic Project in Vienna, Austria, on September 30, 1989. It was also isolated in Bulgaria shortly thereafter, where it is known as TP44VIR. This virus is a parasitic virus which infects both .COM and .EXE files, and installs itself memory resident. After installing itself memory resident, it will play Yankee Doodle on the system speaker at 17:00. Infected programs will be increased in length by 2,899 bytes. Other than being disruptive by playing Yankee Doodle, this virus currently does nothing else harmful besides infecting files. As a side note, some variants of the Yankee Doodle Virus will seek out and modify Ping Pong viruses, changing them so that they self- destruct after 100 infections. Known variants of the Yankee Doodle Virus are: TP33VIR - This variant disables interrupts 1 and 3, thus interfering with using debuggers to isolate it. The behavior of the virus also has been changed so that it infected programs will play Yankee Doodle at 5PM. The second to the last byte in infected files is the virus's "version number", in the case of TP33VIR, it is 21h (33 in hex). TP34VIR - Similar to TP33VIR, except that this variant is memory resident, and infects programs as they are executed. The second to the last byte in infected files is 22h. TP38VIR - Similar to TP34VIR, except that .COM and .EXE files are handled in a different way, and this variant will disinfect itself if it is loaded with CodeView active in memory. The second to the last byte in infected files is 26h. TP38VIR was first isolated in Bulgaria in July 1988, and is the oldest virus known in Bulgaria. TP41VIR - Similar to TP38VIR, except the second to the last byte in infected files is 29h. TP42VIR - This variant of Vacsina tests to determine if the system is infected with the Ping Pong virus, and if it is, will attempt to disable the Ping Pong virus by modifying it. The second to the last byte in infected files is now 2Ah. TP44VIR - Similar to TP42VIR, the second to the last byte of infected files is 2Ch. TP45VIR - Similar to TP44VIR, the second to the last byte of infected files is 2Dh. TP46VIR - Similar to TP45VIR, except that this variant can detect and kill the Cascade (1701) Virus. The second to the last byte of infected files is now 2Eh. Yankee Doodle-B: Very similar to the Yankee Doodle virus, except the length of the viral code is 2,772 bytes. Also see: Vacsina Virus Name: Yankee 2 Aliases: Yankee Virus, 1961 V Status: Endangered Discovered: September, 1989 Symptoms: .EXE growth, Yankee Doodle Origin: Bulgaria Eff Length: 1,961 Bytes Type Code: PNE - Parasitic Non-Resident .EXE Infector Detection Method: ViruScan V62+, Pro-Scan 1.4+, Virex PC Removal Instructions: Scan/D, or delete infected files General Comments: The Yankee 2, or Yankee Virus, was isolated in Bulgaria in 1989. Unlike the Yankee Doodle Virus, the Yankee 2 Virus is not memory resident. It also only infects .EXE files, adding 1,961 bytes to their length. The virus will attempt to infect an .EXE file in the current directory whenever an infected program is executed. If it is successful in locating an uninfected .EXE file, and infects it, Yankee Doodle will be played on the system speaker. Infected files will have the hex string '6D6F746865726675636B6572' at the end. The Yankee 2 Virus will not infect CodeView. Virus Name: Zero Bug Aliases: Palette, 1536 V Status: Rare Discovered: September, 1989 Symptoms: .COM growth (see text), TSR, graphics display Origin: Netherlands Eff Length: 1,536 bytes Type Code: PRsC - Parasitic Resident .COM Infector Detection Method: Viruscan V38+, F-Prot, Pro-Scan 1.4+, VirexPC Removal Instructions: Scan/D, CleanUp V66+, F-Prot, Pro-Scan 1.4+, or delete infected files General Comments: The Zero Bug virus was first isolated in the Netherlands by Jan Terpstra in September, 1989. This virus is a memory resident .COM file infector. Infected .COM files will increase in size by 1,536 bytes, however the increase in file length will not show up when the disk directory is displayed. The virus's main objective is to infect the copy of COMMAND.COM indicated by the environment variable COMSPEC. If COMSPEC doesn't point to anything, the Zero Bug virus will install itself memory resident using INT 21h. After the virus has either infected COMMAND.COM or become memory resident, it will infect all .COM files that are accessed, including those accessed by actions such as COPY or XCOPY. Any .COM file created on an infected system will also be infected. If the currently loaded COMMAND.COM is infected, the virus will hook into the timer interrupt 1Ch, and after a certain amount of time has past, a smiley face character (ASCII 01) will appear and eat all the zeros it can find on the screen. The virus does not delete files or format disks in its present form. ------------------------------------------------------------------------------- Virus Information Summary List Virus Common Name Cross-Reference The following is a cross-reference of common virus names back to the name they are listed by in the virus information section. Hopefully, this cross-reference will alleviate some confusion when different anti-viral software packages refer to different names for the same virus. Virus Name Refer To Virus(es) In VirusSum.Doc: ---------------------- ----------------------------------------------- 62-B Vienna 100 Years Virus 4096 163 COM Virus Tiny Virus 382 382 Recovery Virus 382 Recovery Virus 382 Recovery Virus 405 405 453 RPVS 500 Virus Golden Gate 512 512 512-A 512 512-B 512 512-C 512 512-D 512 512 Virus Friday The 13th COM Virus 632 Saratoga 637 Vcomm 642 Icelandic 648 Vienna 765 Perfume 867 Typo COM 1008 1008 1022 Fellowship 1168 Datacrime-B 1210 1210 1226 1226 1226D 1226D 1226M 1226D 1253 1253 1260 1260 1280 Datacrime 1381 Virus 1381 Virus 1392 1392 1514 Datacrime II 1536 Zero Bug 1539 Christmas Virus 1554 1554 1559 1554 1701 Cascade 1704 Cascade, Cascade-B 1704 Format 1704 Format 1704-B Cascade B 1720 1720 1808 Jerusalem 1813 Jerusalem 1917 Datacrime IIB 1961 Yankee 2 1971 Eight Tunes 2080 Fu Manchu 2086 Fu Manchu 2100 V2100 2930 Traceback II 2930-B Traceback II 3012 Plastique 3066 Traceback 3066-B Traceback 3066-B2 Traceback 3551 SysLock 3555 SysLock 3880 Itavir 4096 4096 4096-B 4096-B 4711 Perfume 5120 5120 8920 Print Screen 9800:0000 Virus 1554 A-204 Jerusalem B AIDS AIDS AIDS II AIDS II AirCop AirCop Alabama Alabama Alameda Alameda Ambulance Car Ambulance Car Amoeba Virus 1392 Amstrad Amstrad Anarkia Jerusalem B Anarkia-B Jerusalem B Anthrax Anthrax AntiCad 1253 Anti-Pascal Anti-Pascal Anti-Pascal 400 Anti-Pascal II Anti-Pascal 440 Anti-Pascal II Anti-Pascal 480 Anti-Pascal II Anti-Pascal 529 Anti-Pascal Anti-Pascal 605 Anti-Pascal Anti-Pascal II Anti-Pascal II AP-400 Anti-Pascal II AP-440 Anti-Pascal II AP-480 Anti-Pascal II AP-529 Anti-Pascal AP-605 Anti-Pascal April 1st Suriv 1.01 April 1st-B Suriv 2.01 Arab Star Jerusalem B Armagedon Armagedon Armagedon The First Armagedon Armagedon The Greek Armagedon Ashar Ashar Austrian Vienna Basic Virus 5120 Black Avenger Dark Avenger Black Friday Jerusalem Blackjack Cascade-B Boot Ping Pong-B Bouncing Ball Ping Pong Bouncing Dot Ping Pong C-605 Anti-Pascal Cascade Cascade Cascade-B Cascade-B Century Virus 4096 Chaos Chaos Christmas Virus Christmas Virus Columbus Day Datacrime, Datacrime II, Datacrime IIB, Datacrime-B COM Virus Friday The 13th COM Virus Computer Ogre Disk Killer Cunning Cascade Dark Avenger Dark Avenger Dark Avenger II V2000 Dark Avenger III V1024 Datacrime Datacrime Datacrime II Datacrime II Datacrime IIB Datacrime IIB Datacrime-B Datacrime-B DBase DBase DBF Virus DBase Dead Kennedy Kennedy December 24th Icelandic-III Den Zuk Den Zuk Devil's Dance Devil's Dance Diana Dark Avenger Die Young Virus V2000 Disk Crunching Virus Icelandic, Saratoga Disk Killer Disk Killer Disk Ogre Disk Killer Do-Nothing Virus Do-Nothing Virus DOS-62 Vienna DOS-68 Vienna Doom Doom II Doom II Doom II Durban Saturday The 14TH Dyslexia Solano 2000 Dyslexia 2.00 Solano 2000 Dyslexia 2.01 Solano 2000 EB 21 Print Screen Eddie Dark Avenger Eddie Virus Dark Avenger Eddie 3 V651 EDV EDV Eight Tunes Eight Tunes European Fish Viruses Fish Virus Fall Cascade Falling Letters Cascade, Ping Pong-B Falling Letters Boot Swap Boot Fellowship Fellowship Fish 6 Fish Virus Fish Virus Fish Virus Five O'Clock Virus Yankee Doodle Flash Flash Flip Flip Form FORM-Virus Form Boot FORM-Virus FORM-Virus FORM-Virus Frere Virus Frere Jacques Frere Jacques Frere Jacques Friday 13th Jerusalem Friday 13th COM Virus Friday The 13th COM Virus Friday 13th-B Friday The 13th COM Virus Friday 13th-C Friday The 13th COM Virus Fu Manchu Fu Manchu Fumble Typo COM G-Virus V1.3 Sorry Ghost Boot Ghostballs Ghost COM Ghostballs Ghostballs Ghostballs Golden Gate Golden Gate Hahaha AIDS Halloechen Halloechen Happy Birthday Joshi Joshi Hawaii Stoned Hebrew University Jerusalem B Hemp Virus Stoned HM2 Plastique Holland Girl Holland Girl Icelandic Icelandic Icelandic-II Icelandic-II Icelandic-III Icelandic-III IDF Virus 4096 Israeli Jerusalem, Suriv 1.01, Suriv 2.01, Suriv 3.00 Israeli Boot Swap Italian Ping Pong Itavir Itavir Jerusalem Jerusalem Jerusalem A Jerusalem Jerusalem B Jerusalem B Jerusalem C Jerusalem B Jerusalem D Jerusalem B Jerusalem E Jerusalem B Jerusalem E2 Jerusalem B Jocker Joker JoJo JoJo Joker Joker Joshi Joshi July 13TH July 13TH June 13TH July 13TH June 16TH June 16TH Kennedy Kennedy Korea Korea LBC Boot Korea Lehigh Lehigh Lehigh-2 Lehigh Lehigh-B Lehigh Leprosy Leprosy Leprosy 1.00 Leprosy Liberty Liberty Lisbon Lisbon Live after Death Virus V800 Mardi Bros Mardi Bros Marijuana Stoned Mazatlan Golden Gate Merritt Alameda Mendoza Jerusalem B Mexican Devil's Dance Miami Friday The 13th Microbes Microbes Mistake Typo Boot MIX1 MIX1 MIX/1 MIX1 Munich Friday The 13th COM Virus Murphy Murphy Murphy-1 Murphy Murphy-2 Murphy Music Virus Oropax Musician Oropax New Jerusalem New Jerusalem New Zealand Stoned Number of the Beast 512 Virus Ogre Disk Killer Ohio Ohio One In Eight Vienna One In Ten Icelandic, Icelandic-II One In Two Saratoga Ontario Ontario Oropax Oropax P1 Phoenix, PhoenixD, V1701New Pakistani Brain Pakistani Brain Brain Palette Zero Bug Payday Payday Peking Alameda Pentagon Pentagon Perfume Perfume Phoenix Phoenix PhoenixD PhoenixD Ping Pong Ping Pong Ping Pong-B Ping Pong-B Ping Pong-C Ping Pong-C Pixel Amstrad Plastique Plastique Plastique 4.51 Plastique Plastique 5.21 Plastique-B Plastique-B Plastique-B PLO Jerusalem Pretoria June 16TH Print Screen Print Screen Print Screen-2 Print Screen PRTSC Virus Print Screen Prudents Virus 1210 PSQR Virus 1720 Puerto Jerusalem B RedX Ambulance Car RPVS RPVS RPVS-B RPVS Russian Jerusalem San Diego Stoned Saturday The 14th Saturday The 14th Saratoga Saratoga Seoul Alameda SF Virus SF Virus Shake Virus Shake Virus Shoe_Virus Ashar Shoe_Virus-B Ashar-B Slow Slow Smithsonian Stoned Solano 2000 Solano 2000 Sorry Sorry South African Friday The 13th COM Virus Stoned Stoned Stealth Viruses EDV, Fish, Joshi, Murphy, V651, V800, V1024, V2000, V2100, 512, 4096 Stupid Virus Do-Nothing Subliminal 1.10 Subliminal 1.10 Sunday Sunday Sunday-B Sunday Sunday-C Sunday Suriv 1.01 Suriv 1.01 Suriv 2.01 Suriv 2.01 Suriv 3.00 Suriv 3.00 Suriv A Suriv 1.01, Suriv 2.01 Suriv B Suriv 3.00 Suriv01 Suriv 1.01 Suriv02 Suriv 2.01 Suriv03 Suriv 3.00 Swap Swap Sylvia Holland Girl SysLock Syslock System Virus Icelandic-II Taiwan Taiwan Taiwan 3 Taiwan 3 Taunt AIDS TCC TCC Ten Bytes 1554 Tiny Family Tiny Family Tiny Virus Tiny Virus Tiny 158 Virus Tiny Family Tiny 159 Virus Tiny Family Tiny 160 Virus Tiny Family Tiny 163 Virus Tiny Virus Tiny 169 Virus Tiny Family Tiny 198 Virus Tiny Family Toothless Virus W13 TP04VIR Virus Vacsina TP05VIR Virus Vacsina TP06VIR Virus Vacsina TP16VIR Virus Vacsina TP23VIR Virus Vacsina TP24VIR Virus Vacsina TP25VIR Virus Vacsina TP33VIR Virus Yankee Doodle TP34VIR Virus Yankee Doodle TP38VIR Virus Yankee Doodle TP41VIR Virus Yankee Doodle TP42VIR Virus Yankee Doodle TP44VIR Virus Yankee Doodle TP45VIR Virus Yankee Doodle TP46VIR Virus Yankee Doodle Traceback Traceback Traceback II Traceback II Traceback II-B Traceback II Traceback-B Traceback Traceback-B2 Traceback Travel Virus V2000 Typo Boot Typo Boot Typo COM Typo COM UIUC Virus Ashar UIUC Virus-B Ashar Unesco Vienna UScan Virus V2100 V-1 1253 V-277 Amstrad V-299 Amstrad V-345 Amstrad V-847 Amstrad V-847B Amstrad V-Alert 1554 V605 Anti-Pascal V651 V651 V800 V800 V800M V800 V1024 V1024 V1226 1226 V1226D V1226D V1226M V1226D V1277 Murphy V1521 Murphy V1701New V1701New V1701New-B V1701New V2000 V2000 V2000-B V2000 V2100 V2100 Vacsina Vacsina VBasic Virus 5120 Vcomm Vcomm Vera Cruz Ping Pong VGA2CGA AIDS VHP VHP VHP2 VHP2 VHP-348 VHP VHP-353 VHP VHP-367 VHP VHP-435 VHP VHP-623 VHP2 VHP-627 VHP2 Victor Victor Vien6 Vienna Vienna Vienna Vienna-B Vienna Vienna-B 645 Vienna VirDem VirDem Virus-90 Virus-90 Virus-B Friday The 13th COM Virus Virus101 Virus101 VP VP W13 W13 W13-A W13 W13-B W13 Wolfman Wolfman XA1 Christmas Tree Yale Alameda Yankee 2 Yankee 2 Yankee Doodle Yankee Doodle Yankee Virus Yankee 2 Zero Bug Zero Bug ------------------------------------------------------------------------------- Virus Information Summary List Virus Relationship Chart 512 Virus --> 512-B --> 512-C --> 512-D 1226 --> 1226M --> 1226D 4096 --> 4096-B --> Fish Alameda --> Alameda-2 --> Golden Gate --> Golden Gate-B --> Golden Gate-C --> SF Virus Anti-Pascal --> AP-529 --> AP-480 --> AP-440 --> AP-400 Note: AP-480, AP-440, and AP-400 are grouped together in the listing as Anti-Pascal II Brain --> Ashar --> Clone --> Chaos Cascade/1701 --> 1701-B --> 1704 --> 1704 Format --> 1704-B --> 17Y4 --> Cunning Datacrime --> Datacrime-B --> Datacrime II --> Datacrime IIB Fri 13th COM --> Fri 13th-B --> Fri 13th-C --> Virus-B HM2 --> Plastique --> Plastique 4.21 --> Plastique 5.21 Icelandic --> Saratoga --> Iceland II --> Icelandic III --> Dec 24th --> Mix1 --> Mix1-B Murphy-1 --> Murphy-2 Ohio --> Den Zuk Perfume --> Sorry Phoenix --> PhoenixD --> V1701New-B --> V1701New Ping Pong --> Ping Pong-B --> Ping Pong-C --> Big Italian --> Typo --> Print Screen --> Print Screen-2 --> Ghostballs Pixel --> Amstrad --> V-847B --> V-345 --> V-299 --> V-277 Stoned --> Stoned-B --> Stoned-C --> Stoned-D --> Stoned II Suriv 3.00 --> Jerusalem --> Fu Manchu --> Taiwan 3 --> Jerusalem B --> New Jerusalem --> Payday --> Sunday --> Sunday-B --> Sunday-C --> Jerusalem C --> Jerusalem D --> Jerusalem E --> Jerusalem F (Spanish) --> 1720/PSQR --> 1210/Prudents --> Frere Jacques --> Anarkia --> Anarkia-B --> Slow Syslock --> Macho --> Macho-B --> Advent Tiny-198 --> Tiny-167 --> Tiny-160 --> Tiny-159 --> Tiny-158 Note: The Tiny-nnn Viruses indicated above are grouped together in the listing as "Tiny Family". The Tiny-163 virus may or may not be related to the above. Traceback II --> Traceback --> Traceback-B --> Traceback-B2 --> Traceback II-B V1024 --> Dark Avenger --> V651 --> V800 --> V800M --> V2000 --> V2000-B --> V2100 Vienna --> Lisbon --> Ghostballs --> 1260 --> W13/V-534 --> W13-B/V-507 --> Wien (Poland) --> Vien6 --> Vienna-B --> Vienna-B 645 --> VHP-348 --> VHP-353 --> VHP-367 --> VHP-435 --> VHP-623 --> VHP-627 Note: VHP-348, VHP-353, VHP-367, and VHP-435 are listed as VHP. VHP-623 and VHP-627 are listed as VHP2. Virus-90 --> Virus101 ------------------------------------------------------------------------------- Virus Information Summary List Revision History 10 August, 1990 - VSUM9008.ZIP The following virus descriptions have been updated, or new variants added: 1720 - Activation information added Anti-Pascal - Anti-Pascal 529/AP-529 Variant Sunday - Sunday-B Variant - Sunday-C Variant Tiny Virus - previously in VSUM9007 as 163 COM Virus Traceback - Traceback-B Variant - Traceback-B2 Variant Traceback II - Traceback II-B Variant V800 - V800M Variant Vienna - Vienna-B 645 Variant The following new viruses have been added to the listing: 382 Recovery Virus 1226 - 1226 Virus 1226D - 1226D Variant - 1226M Variant 1253/V-1 AirCop Anthrax Anti-Pascal II - Anti-Pascal 400/AP-400 - Anti-Pascal 440/AP-440 - Anti-Pascal 480/AP-480 Fellowship Flip Leprosy Mardi Bros Ontario Phoenix/P1 PhoenixD/P1 Plastique - HM2 - Plastique - Plastique 4.51 Plastique-B - Plastique 5.21 RPVS/453 - RPVS - RPVS-B Variant TCC Tiny Family - Tiny 158 Virus - Tiny 159 Virus - Tiny 160 Virus - Tiny 167 Virus - Tiny 198 Virus V1701New/P1 - V1701New - V1701New-B (earlier version) V2100 Wolfman Information on the following anti-viral products was updated or added to this release: CleanUp - Version V66 Pro-Scan - Version 1.4 VirexPC - Version 1.1 ViruScan - Version V66 The following viruses have not been included in the listing at this time, for the reason indicated: Advent - No Sample Available Big Italian - No Sample Available Stoned II - No Sample Available 15 July, 1990 - VSUM9007.ZIP Added Virus Relationship Chart section to document, as well as new data field "V Status" to all entries (see introduction and format information for description). The following viruses have been updated, or new variants added: 1554 Amstrad Cascade - Cunning Variant Disk Killer Ghostballs - combined Ghost COM and Ghost Boot Jerusalem B - Puerto Variant Kennedy Lehigh - Lehigh-B Variant Vienna - VHP-627 Variant - Vien6 Variant W13 The following new viruses were added to the listing: 1008 Virus 1381 Virus Ambulance Car Anti-Pascal Virus Armagedon Flash FORM-Virus Joshi July 13th Microbes Print Screen Print Screen - Print Screen-2 Variant Sorry Taiwan 3 V651/Eddie 3 V1024/Dark Avenger 3 VHP - VHP-348 Variant - VHP-353 Variant - VHP-367 Variant - VHP-435 Variant VHP2 - VHP-623 Variant - VHP-627 Variant 15 June, 1990 - VSUM9006.ZIP Many viruses had their descriptions updated, the ones listed below receiving updates for variants or major changes: 163 COM Virus 512 - 512-B Variant - 512-C Variant - 512-D Variant 1554 Virus 4096 - 4096-B Variant Amstrad - Pixel/V-345 Variant - V-277 Variant - V-299 Variant - V-847 Variant - V-847B Variant Jerusalem B - A-204 Variant - Anarkia Variant - Anarkia-B Variant - Mendoza Variant Ping Pong-B - Ping Pong-C Variant Solano 2000 - Dyslexia 2.01 Variant V2000 - V2000-B/Die Young Variant Vacsina - TP04VIR Variant - TP05VIR Variant - TP06VIR Variant - TP16VIR Variant - TP23VIR Variant - TP24VIR Variant - TP25VIR Variant Yankee Doodle - TP33VIR Variant - TP34VIR Variant - TP38VIR Variant - TP41VIR Variant - TP42VIR Variant - TP44VIR Variant - TP45VIR Variant - TP46VIR Variant Vienna - VHP-435 - VHP-623 The Vienna-B variant has been moved under the Vienna entry. The following new viruses were added to the listing: 5120 Eight Tunes Fish Virus Frere Jacques JoJo Liberty Murphy - 2 variants (Murphy-1 and Murphy-2) Shake Virus Slow Subliminal 1.10 V800 Victor VirDem VP Yankee 2 4 May, 1990 - VSUM9005.ZIP (Not publicly distributed.) Added listings for Discovered, Symptoms, Origin, Subdivided memory-resident classe, Aligned data entry blocks, placed files in ASCII order, placed revision history in decending order. Information on the following virii was updated: 1168/Datacrime 1280/Datacrime Kennedy 18 April, 1990 - VSUM9004.ZIP Information on the following viruses was updated: Friday The 13th Original COM Virus Halloechen Jerusalem Jerusalem B Stoned Sunday VComm 4096 The 1559 virus has been renamed to the 1554 virus in order to accurately reflect the virus's effective length. The following new viruses were added to the listing: AIDS II Anarkia (see Jerusalem B) Christmas Virus Itavir June 16TH Kennedy Korea Saturday The 14th Solano 2000 Spanish Jerusalem B (see Jerusalem B) V2000 1210 1392 1720 McAfee Associates' PRO-SCAN commercial anti-viral program, has been added, as well as the information for IBM's VirScan program updated to reflect IBM's March 1990 program release. 22 February, 1990 - Not publicly distributed. Information on the following viruses was updated: Disk Killer The following new viruses were added to the listing: EDV 512 1559 18 February, 1990 - VSUM9003.ZIP Change to Copyright notice to reflect author's full name. Information on the following viruses has been updated: Taiwan 4096 04 February, 1990 - VSUM9002.ZIP Second release of listing, which now includes updated information for the following viruses: Alabama Chaos Den Zuk Datacrime II, Datacrime IIB Do-Nothing Icelandic, Icelandic-II Ohio Saratoga Stoned Swap SysLock Traceback, Traceback II (was 2930 in previous release) Typo Boot The following new Ms-Dos computer viruses were added to the listing: Halloechen Icelandic-III Joker Perfume Vcomm Virus101 W13 1260 15 January, 1990 - VSUM9001.ZIP First release of listing, which contained 52 of 61 known Ms-Dos computer viruses. Of the 9 known viruses which were not completed, they contained very basic information, though no detailed description, those viruses were: Chaos Swap Icelandic Taiwan Icelandic-II Typo Boot Ohio 2930 Saratoga