A description of PC viruses and their symptoms - June '90

This document lists the file viruses recognized by F-PROT at the time of writing. Since new viruses are continually appearing, this document will never be completely up to date. A short description of the viruses follows, but it is far from complete.

The .EXE and .COM infecting viruses known today are:

405
512 --> Number of the Beast
800
1260
1392 --> Amoeba
2930 --> Traceback
4096 --> Frodo
5120
8-tunes
A-204 --> Jerusalem
Advent --> Syslock
Agiplan
Alabama
Amoeba
Anarkia --> Jerusalem
Amstrad
April 1st
Armagedon
Cancer --> Amstrad
Cascade
Century --> Jerusalem
Dark Avenger --> Eddie
DataCrime
DataCrime II
dBase
December 24th
Devil's Dance
Do-Nothing --> Stupid
Durban
Eddie
Eddie II
Frere --> Jerusalem
Fish 6 --> Frodo
Frodo
Fumble
Fu Manchu
Ghost
Hallöchen
Holland Girl --> Sylvia
Icelandic
Icelandic II
Jerusalem
Jo-Jo
July 13th
Kennedy
Lehigh
Liberty
Lisbon --> Vienna
Macho --> Syslock
Mendoza --> Jerusalem
MIX1
Murphy
Mystic --> Liberty
New Jerusalem --> Jerusalem
New Vienna --> Vienna
Number of the Beast
Old Yankee
Oropax
Palette --> Zero Bug
Payday --> Jerusalem
Perfume
Pixel --> Amstrad
Pretoria
Prudents
PSQR (1720) --> Jerusalem
Saratoga --> Icelandic
Shake
South African "Friday 13."
Stupid
Sunday --> Jerusalem
Svir
Sylvia
SysLock
Taiwan
Tenbyte
Tiny --> Kennedy
Traceback
Vacsina
Vcomm
Victor
Vienna
Virdem
Virus-90
Virus-101 --> Virus-90
Virus-B --> South African
VP
W13
XA1
Yankee Doodle --> Vacsina
Zero Bug

A few additional viruses have been reported, but are not recognized by the F-PROT package. They are:

AIDS

AIDS and several other related Pascal viruses. These viruses are very rare and not a serious threat. They overwrite the programs they infect, so they simply are much too obvious. The AIDS virus is not to be confused with the AIDS Trojan, which is totally unrelated.

Jocker

This program may be a virus, but so far almost all virus-researchers have been unable to make it replicate.

Screen
A program virus that has been reported, but I have not yet been able to obtain a sample of it, as the person who reported it is not willing to give copies to other researchers.

It must be noted here that F-PROT will provide some protection against viruses not yet written. The programs in the package will not, however, be able to remove unknown viruses.

Now, let's have a look at the viruses mentioned above. In some cases the descriptions are very short, perhaps only a couple of lines. This indicates a new virus, which has not yet been fully dissected. In those cases the effects of the virus may be only partially known.

1260

This virus is based on the Vienna virus, but the author has made considerable modifications to it. The most significant change is that the virus is now encrypted. As the name indicates, the virus adds 1260 bytes to the files it infects. The first 39 bytes contain a simple decryption routine, similar to the one used by the Cascade virus. There is one important difference, however. A variable number of short (1- or 2-byte) instructions are added between the decoding instructions. The extra instructions do not affect the operation of the virus - they are only placed there in an attempt to prevent virus scanners from using identification strings. This makes it a little harder to detect the virus, but F-FCHK is nevertheless able to do it.

405

Unlike most other program viruses, this one will not increase the length of infected programs (unless they are shorter than 405 bytes). It will overwrite the first 405 bytes in the files it infects. As this primitive method causes the destruction of many programs, the virus is easily found, and therefore not a serious threat. The "405" virus will only infect .COM files, but it is unable to recognize a file already infected.

5120

This is one of the largest viruses known, 5120 bytes. It will infect both .COM and .EXE files, but its effects have not been fully determined yet. Parts of the virus seem to have been written in a high-level language, possibly compiled BASIC.

800

One of the Bulgarian viruses - 800 bytes long. It bears some resemblance to the Dark Avenger. It seems to overwrite directories, but has not been fully dissected yet.

8-tunes

Just as most other "music" viruses, this one is from Germany. It infects .COM files as well as .EXE files. When it activates it will play one out of 8 different tunes. The length of the virus code is 1971 bytes.

Agiplan

This virus has only been reported once. The person who reported it published a search string, but has not responded to requests for a sample of the virus. The report said that the Agiplan virus added 1536 bytes to the front of .COM files, just like the "Zero Bug" virus. The two viruses may be related, but it is not certain. Since I do not have a sample of the virus, I do not guarantee that the programs will be able to stop it or remove it, but they should be able to find it. If you ever find a program reported by F-FCHK to be infected with AGIPLAN, I would appreciate a copy of it.

Alabama

This virus was first reported in Israel, but a text string inside it says:

    SOFTWARE COPIES PROHIBITED BY INTERNATIONAL LAW..............
    Box 1055 Tuscambia ALABAMA USA.

This message will also appear in a box on the screen one hour after an infected program is run. Like a few other viruses this one cannot be removed from memory by pressing Ctrl-Alt-Del. It will simply fake a "reboot" and remain in RAM. Alabama will only infect .EXE files, increasing their size by 1560 bytes. Unlike most other resident viruses, it will not automatically infect every new program executed. When a program is run, Alabama will instead search for some other program to infect - probably so the program being executed will get the blame. It will only be infected if no uninfected file is found in the current directory. Occasionally it will do something odd. It will search for a file to infect as described above, and execute it instead of the file the user was planning to execute. A bit weird ...!

Amoeba

This is a 1392 byte .EXE and .COM infecting virus, but little is yet known about it.

Amstrad/Pixel

This virus is rather interesting. It is a direct-action virus that will add 847 bytes to the front of any .COM file it finds in the current directory. The virus code is only around 334 bytes, which makes this one of the shortest PC viruses known today. The rest contains zeros and an advertisement for Amstrad computers, which is occasionally displayed. Until the virus reaches the 5th generation, no effects are visible, but in generation 5 or later there is a 50% chance that the message will appear. It has been reported that this virus was also published in a Greek magazine named "Pixel" in the form of a BASIC program that would create an infected program when run. This program contained a different message:

    Program sick error: Call doctor or buy PIXEL for cure description

A disinfection program, written by the virus author, was then published in the next issue of Pixel. Four other variants of this virus are now known, all from Bulgaria. The major difference is in the length - 740, 345, 299 and 277 bytes. The 740 byte variant is also known as 'Cancer'. It seems that some virus writers there are competing with each other to create the shortest possible version of the virus. The shortest variant, with a length of 277 bytes, displays a different message, "PARITY ERROR", simulating a hardware failure.

April 1.

Here we actually have not one virus, but two different viruses, probably written by the same author, somewhere in Israel. One of them infects .EXE files, the other .COM files. The two viruses have the same effect, however. On April 1st an infected computer will display the following message:

    APRIL 1ST HA HA HA YOU HAVE A VIRUS.

The .COM virus is 897 bytes long, but the .EXE virus is a bit longer, 1488 bytes. Those two viruses were later combined into one, called SURIV 3, which evolved into the Jerusalem virus.

Armagedon

This virus originated in Greece. It is 1079 bytes long and infects .COM files other than COMMAND.COM, by adding itself in front of the original program. This virus has an interesting effect if a Hayes compatible modem is installed in the computer, including dialing the number 081-141. This is a number on the island of Crete, which gives the time of day when it is called. The virus has not been fully analyzed yet.

Cascade

The Cascade virus, also known as 1701 or 1704, is probably one of the most common viruses around. The problem is just that it is often not detected, because it produces no obvious effects. In the original version, the virus contained code that was set to "go off" between Oct 1. and Dec 31. 1988, shortly after an infected program is run. The effect is actually quite amusing - the characters on the screen fall down and end in a heap at the bottom. There is a bug in some versions of the virus - it seems that the author intended the virus to infect all computers, except those from IBM. However, it did not work as planned - the virus would also infect "true" IBM machines. There is one variant of this virus, reported as 17Y4, which is almost identical to the most common 1704 variant. One byte has been changed, probably due to a random "mutation". This, however, has resulted in a "bug" in the virus. Another mutated variant is also known - it infects the same file over and over.

DataCrime

The DataCrime virus was probably written in W. Germany or the Netherlands. It caused much panic around Oct. 13th 1989 when it was set to go off. Any infected program run on Oct. 13 or later in the year would format the first nine tracks of the hard disk and display the message

    DATACRIME VIRUS RELEASED: 1 MARCH 1989

Since this virus is currently very rare, it is not a serious threat, but it could become a problem in the future. The two variants of this virus, 1280 and 1168, were practically equivalent, but another virus, called "DataCrime II", also exists. It infects .EXE and .COM files, but the original "DataCrime" could only infect .COM files. DataCrime 2 is also a bit larger, 1514 bytes long, and more complicated than the original virus. The latest variant, called DataCrime II-B, is very similar to DataCrime II, but is only 1480 bytes long.

dBase

The dBase virus is very rare, but rather curious. It is clearly intended to garble dBase files, or rather any file with a name that ends in .DBF. If the virus is active in memory when a program writes to a .DBF file, it will garble all the outgoing data. However, when the data is read back later, the virus will correct the garbled data. There is just one problem. If the virus is detected and removed, the data will be useless because the virus will not be present to "de-garble" it when it is read back. There is a more harmful side to this virus. If an attempt is made to write to a .DBF file that is more than three months old, the virus will try to destroy the FAT and root directory on drives D:, E: .... Z:. There is a bug in the code, however, so the destruction will be rather unpredictable. The dBase virus will only infect .COM files, increasing their size by 1864 bytes.

December 24th

This virus was discovered in Iceland on Dec. 24th 1989. Several computers refused to run any programs at all on that date, but simply displayed the message "Gledileg jól" ("Merry Christmas") instead. The virus is a variant of the Icelandic-2 virus, but with several minor corrections and modifications. One out of every ten programs run is checked to see if it is a non-infected .EXE file. If so, the virus adds 848-863 bytes to the file.

Devil's Dance

A .COM infector reported to have originated in Spain or Mexico. It adds 951 bytes to the end of any file it infects. It will infect the same file over and over until it becomes too large to fit in memory. The virus traps INT 9 (the keyboard interrupt) and when CTRL-ALT-DEL is pressed it will display the message:

    DID YOU EVER DANCE WITH THE DEVIL IN THE WEAK MOONLIGHT ?
    PRAY FOR YOUR DISKS!!
    The Joker

The virus also monitors any keystrokes, activating when 2000 are reached. It will then change the colors of any text displayed on the screen. When 5000 keystrokes are reached the virus will trash the first copy of the FAT.

Durban (Saturday the 14th)

This virus infects both .EXE and .COM files. It first adds 1-16 bytes to the length of the files it infects, so they end on a paragraph boundary. Then 669 additional bytes, containing the virus itself, are written to the end. Durban is a resident virus, using a method similar to that used by Jerusalem to check if it is already installed. On any Saturday the 14th, the first 100 logical sectors of drive C, then B, then A are overwritten with rubbish.

Eddie

This virus contains two interesting text strings:

    "Eddie lives...somewhere in time"

and

    "This program was written in the city of Sofia (C) 1988-89 Dark Avenger"

"Eddie" is probably the skeleton mascot of the heavy metal band "Iron Maiden". This was the first virus reported to have originated in Bulgaria, but it was soon followed by many others. There is only one thing unusual about this virus. It remains resident, just as many other viruses, but it will not only infect a program when it is run, but also when the program file is read. This means that a harmless program that opened each .EXE and .COM file in turn, for example to check them for infection, could easily cause an "epidemic". The virus will infect .EXE and .COM files, adding 1800 bytes to the length. COMMAND.COM will be one of the first programs to become infected. When an infected program is run, there is a 1-in-16 chance that the virus will trash a random disk sector. One 2000 byte variant is known. It is also from Bulgaria, probably written by the same author as the original one.
It has been improved a bit - you won't see an increase in file length when you issue a DIR command. Inside the virus one finds the following string

    Copy me - I want to travel

or, in some versions

    Only the Good die young...

The virus author also included the following string in the virus:

    Copyright (C) 1989 by Vesselin Bontchev

Vesselin Bontchev, however, is a Bulgarian author of anti-virus programs, and has nothing to do with the creation of the virus. The reason this message appears is that the virus searches for it in every program executed, and halts the computer when it is found.

Eddie II

A fairly harmless virus from Bulgaria - called "Eddie II" because it contains the string "Eddie lives". This string is similar to the string contained in the original "Eddie" virus. Eddie II can infect .EXE files as well as .COM files, but unlike most other .EXE infecting viruses, it does not pad them so their length becomes a multiple of 16 bytes before they are infected. Infected files are marked with a value of 62 in the "seconds" field of the timestamp, which makes them immune to infection by Vienna or Zero Bug. Infected files grow by 651 bytes, but this increase will not be seen if a "DIR" command is given, because the virus intercepts the "find-first" and "find-next" functions, and if the "seconds" field contains 62, the virus will decrement the file length by 651. Apart from this the virus does nothing of interest.

Frodo (4096)

The Frodo virus infects both .EXE and .COM files. It is very advanced in some ways, being able to hide the infection by using a method similar to that used by the "Zero Bug" virus. If the virus is active in memory and you look at the directory, the virus will show you the original length of any infected program. The length of infected files increases by 4096 bytes. This virus is also known as "IDF" (Israeli Defense Forces). It activates on Sept. 22, when it may attempt to place a Trojan on boot sectors. This Trojan will display the message "FRODO LIVES" in large letters on the screen, surrounded by a moving pattern. The code to write the Trojan to the disk seems to be garbled in all known versions of the virus and will probably "hang" the computer. A variant, "Fish 6", 3584 bytes long, was recently reported.

Fu Manchu

The author of the Fu Manchu virus seems to have intended to write one of the most humorous viruses around. He started with the Jerusalem virus, removed the harmful part of it and added several new features: The virus will censor the text the user types, deleting two four-letter words. It will also take action if the user types "Thatcher", "Reagan", "Botha", or "Waldheim". In those cases it will add comments to the text. When Ctrl-Alt-Del is pressed, the virus will display the message

    The world will hear from me again!

In other respects the virus is similar to the Jerusalem virus. It will infect both .EXE and .COM files, making them grow by about 2086 bytes.

Fumble

The "Fumble" virus is a small, memory resident .COM infecting virus that will generate typing errors every now and then. That is, if you press the "R" key for example, it will occasionally insert another letter like "E" in the text instead. The only unusual feature of this virus is that it will only infect programs on odd-numbered days. Infected .COM files grow by 867 bytes.

GhostBalls

This virus was written in Iceland and first discovered there in October 1989. It contains the following text strings:

    GhostBalls, Product of Iceland
    Copyright (c) 1989, 4418 and 5F19

It will infect .COM files, making them grow in size by 2351 bytes. Basically it is just the Vienna virus - the variant in the book by Ralf Burger to be specific, with an extra twist. When an infected program is run, the virus will search for other programs to infect, but also try to place a modified copy of the Ping-Pong virus on the diskette in drive A, provided it is a 360K diskette. This Ping-Pong variant has been changed so that it is not infectious, but it will also work on a '286 machine. This modified boot sector is not a virus, but F-DISINF will remove it.

Hallöchen

This is a .COM and .EXE infector, probably written in W-Germany. It contains two text strings:

    Hallöchen !!!!!!, Here I'm..
    Acrivate Level 1..

This virus is a bit unusual in some ways - for example it will not infect "old" files. If the value of the "month" or "year" fields in the timestamp is different from the current date, the file will not be infected. The virus does not modify the creation date when it infects a file, and like most other viruses it is easily able to defeat the read-only attribute. It will only infect files larger than 5000 bytes, increasing their length by 2011 bytes.

Icelandic

This virus was first found in Iceland in June '89. It only infects files with names ending in .EXE. When an infected program is run, it will hide in memory by directly manipulating the Memory Control Blocks. Programs that watch out for any program "going TSR" will therefore not be able to catch it. This virus will mark one cluster on the hard disk as bad, every time it infects a file. A minor variant of this virus was later found in Saratoga, and a radically modified version appeared in Iceland in July '89. This new version (Icelandic-2) does not use INT 21 calls like the original, but instead makes direct JMPs into the operating system. This means that many protection programs will be unable to catch it. Icelandic-1 is 656 bytes long, Saratoga is 642 bytes, but Icelandic-2 adds 632 bytes to any file it infects. Actually the file may grow a bit more, because all the viruses will first pad the file so the length becomes a multiple of 16 bytes.

Jerusalem (Israeli "Friday 13.")

The Jerusalem virus is one of the oldest and most common viruses around. As a result there are numerous variants of it. It will infect both .EXE and .COM files, but the first version of the virus contained a bug, causing it to infect .EXE files over and over, until they became too large for the computer. Needless to say, this has been fixed in later releases, including one called "New Jerusalem". Infected files grow by 1808 bytes or so. The original Jerusalem virus would activate on every Friday the 13th, deleting programs run on that day. 30 minutes after an infected program is run, the virus will also cause a general slowdown of the computer and make a part of the screen scroll up two lines. This has been disabled in some variants of the virus, which makes them much harder to detect. The first variant of the virus (sURIV 3.00) produced the side-effects described above 30 seconds after an infected program was run. One variant, "Century", will become active on Jan 1. 2000. It will try to delete everything that can be deleted and then display the message

    Welcome to the 21st Century

The programmer does not seem to have known that the 21st century does not start until a year later. The "Sunday" virus is another variant of the Jerusalem virus. Instead of activating on Friday the 13th, it will activate if the current day of the week is Sunday and display the message:

    Today is SunDay! Why do you work so hard?
    All work and no play make you a dull boy!
    Come on! Let's go out and have some fun!

Apart from this the viruses are very similar. Other variants include Payday, Anarkia, PSQR, Mendoza and A-204. Perhaps the most unusual variant is "Frere", which is reported to play a tune when it activates.

Jo-Jo

This virus is a 1701 byte, memory resident .COM infector, which is basically a patched, non-encrypted variant of the Cascade virus. It is reported to have originated in Barcelona. It contains a check for the IBM copyright message at address F000:E008, just like Cascade. The virus contains two text strings:

    Welcome to the JOJO virus.
    Fuck the system (c) - 1990 xxxxxxxxxxxxxx zzz

July 13th

This virus is designed to activate on July 13th - as other "Friday the 13th" viruses do. It is a 1201 byte encrypted .EXE file infector, which has not been fully dissected yet.

Kennedy

A simple .COM infecting virus, probably from Denmark. When an infected file is run, it will infect a single .COM file in the current directory, adding 333 bytes to the end of the file. The virus activates on three dates - June 6th, November 18th and November 22nd. On those dates it will display the message:

    Kennedy er død - længe leve "The Dead Kennedys"

A variant, "Tiny", is also known - which is currently the shortest virus known - only 163 bytes long. This variant seems to do nothing but replicate.

Lehigh

The Lehigh virus is rather unusual in that it only infects one program, COMMAND.COM. It does not increase the size of the program, because it overwrites the stack space. This virus is rather badly written - it can be defeated by simply making COMMAND.COM read-only. It is, however, very destructive. "Lehigh" contains an infection counter, and when it has reached a specific number of infections it will trash the disk. This means that the virus never got a chance to spread much outside Lehigh University.

Liberty

Liberty originated in Indonesia. It is a resident .EXE and .COM infecting virus, 2857 bytes long. The virus code is placed at the end of the file, but the virus also overwrites the first 120 bytes with code and the following message:

    - M Y S T I C - COPYRIGHT (C) 1989-2000, by SsAsMsUsEsL

The effects of this virus are not fully known yet.

MIX1

MIX1 was probably written in Israel, but it is derived from the Icelandic virus. There are two versions known, MIX1 and MIX1-B, practically identical. MIX1 displays a bouncing ball on the screen, and garbles all output going to the printer. It will also disable the NumLock key. MIX1 is larger than the Icelandic virus - 1618 or 1636 bytes, depending on the version. One unusual "feature" of MIX1 is that it will only infect files 8192 bytes long or larger.

Murphy

The authors of this virus are known. They are Lubomir Mateev Mateev and Iani Lubomirov Brankov, both in Bulgaria. Murphy is a 1277 byte long, resident .COM and .EXE infecting virus. It is based on the Dark Avenger, but is not harmful. Inside it the following message can be found.

    Hello, I'm Murphy. Nice to meet you friend. I'm written since Nov/Dec.
    Copywrite (c)1989 by Lubo & Ian, Sofia, USM Laboratory.

Another variant is also known. It is a bit longer, 1521 bytes, and the message is different:

    It's me - Murphy. Copywrite (c)1990 by Lubo & Ian, Sofia, USM Laboratory.

This virus can cause loss of data, as it jumps into ROM BASIC every exact hour, possibly causing some clones to "hang".

Number of the Beast

Like quite a few other viruses, this one was first reported in Bulgaria. It is 512 bytes long, but the length of infected files does not appear to increase. This is because the virus overwrites the first 512 bytes of the programs it infects with itself, and stores the original 512 bytes in the unused space after the end of the file. This is possible because DOS allocates file space in "clusters", which are usually 1024 or 2048 bytes long. In addition, if a program attempts to read from an infected file while the virus is active in memory, the read operation will be intercepted and instead of finding the virus, the original code will be read instead. This means that the virus will be able to fool any checksum program, as well as any virus-scanning program, if it is active in memory when the program is run. It does not matter how sophisticated the checksum algorithm is - if the virus is active in memory, no infected program can be detected. F-DRIVER will, however, stop the virus. At the end of the virus code, the string "666" appears - hence the name. Several new variants are also known in Bulgaria, where this string is missing, but they are functionally identical.
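A detection check for the timestamp marker described in the Eddie II entry above (the same 62-second value that Vienna and Zero Bug use), added here as an example and not part of the F-PROT package: it decodes raw 32-byte FAT directory entries and flags files whose seconds field holds a value DOS itself can never write. The directory image below is constructed inline; on a real disk it would be read from the directory sectors after booting from a clean diskette, since a resident stealth virus falsifies what DOS reports.

```python
# Added example (not part of F-PROT): scan raw FAT directory entries for the
# "impossible" 62-second timestamp that Vienna, Zero Bug and Eddie II leave on
# the files they infect. The sample directory below is constructed inline.
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

ENTRY_SIZE = 32          # size of one FAT directory entry
ATTR_DIRECTORY = 0x10
MAX_VALID_SECONDS = 58   # the 5-bit field holds seconds/2, so 0..29 -> 0..58


@dataclass
class DirEntry:
    name: str        # "NAME.EXT" as DOS would print it
    attributes: int
    hours: int
    minutes: int
    seconds: int
    size: int


def decode_dos_time(t: int) -> Tuple[int, int, int]:
    """Split a 16-bit DOS time word into (hours, minutes, seconds)."""
    return (t >> 11) & 0x1F, (t >> 5) & 0x3F, (t & 0x1F) * 2


def encode_dos_time(hours: int, minutes: int, seconds: int) -> int:
    """Inverse of decode_dos_time; used only to build the sample directory."""
    return (hours << 11) | (minutes << 5) | (seconds // 2)


def parse_entry(raw: bytes) -> Optional[DirEntry]:
    """Decode one 32-byte entry; None for free or deleted slots."""
    if len(raw) != ENTRY_SIZE:
        raise ValueError("directory entries are exactly 32 bytes")
    if raw[0] in (0x00, 0xE5):          # 0x00 = never used, 0xE5 = deleted
        return None
    base = raw[0:8].decode("ascii", "replace").rstrip()
    ext = raw[8:11].decode("ascii", "replace").rstrip()
    name = f"{base}.{ext}" if ext else base
    # offset 22: last-write time, 24: last-write date, 26: first cluster, 28: size
    wtime, _wdate, _cluster, size = struct.unpack_from("<HHHI", raw, 22)
    hours, minutes, seconds = decode_dos_time(wtime)
    return DirEntry(name, raw[11], hours, minutes, seconds, size)


def scan_directory(raw_dir: bytes) -> List[Tuple[str, int]]:
    """Return (name, seconds) for every file whose timestamp cannot be legitimate."""
    suspicious = []
    for off in range(0, len(raw_dir), ENTRY_SIZE):
        chunk = raw_dir[off:off + ENTRY_SIZE]
        if len(chunk) < ENTRY_SIZE or chunk[0] == 0x00:   # end of directory
            break
        entry = parse_entry(chunk)
        if entry is None or entry.attributes & ATTR_DIRECTORY:
            continue
        if entry.seconds > MAX_VALID_SECONDS:
            suspicious.append((entry.name, entry.seconds))
    return suspicious


def make_entry(base: str, ext: str, attr: int, hms, size: int, first_byte=None) -> bytes:
    """Build a constructed 32-byte entry for the sample directory (date fixed at 1990-04-03)."""
    raw = bytearray(ENTRY_SIZE)
    raw[0:8] = base.ljust(8).encode("ascii")
    raw[8:11] = ext.ljust(3).encode("ascii")
    raw[11] = attr
    struct.pack_into("<HHHI", raw, 22, encode_dos_time(*hms), 0x1483, 2, size)
    if first_byte is not None:
        raw[0] = first_byte
    return bytes(raw)


# Constructed sample directory: a clean COMMAND.COM, a subdirectory, a deleted
# slot, and a file carrying the 62-second marker (the kind of entry left
# behind by Vienna, Zero Bug or Eddie II).
SAMPLE_DIRECTORY = (
    make_entry("COMMAND", "COM", 0x20, (12, 0, 0), 25307)
    + make_entry("DOS", "", ATTR_DIRECTORY, (9, 30, 0), 0)
    + make_entry("OLDFILE", "COM", 0x20, (8, 15, 62), 4096, first_byte=0xE5)
    + make_entry("EDIT", "COM", 0x20, (11, 45, 62), 12976)
    + bytes(ENTRY_SIZE)      # first byte 0x00: end of directory
)

if __name__ == "__main__":
    for name, secs in scan_directory(SAMPLE_DIRECTORY):
        print(f"{name}: seconds field = {secs} (impossible, maximum is 58)")
```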
Old Yankee There is some confusion regarding the various "Yankee Doodle" viruses. They all originated in Bulgaria and play the tune "Yankee Doodle", but their structure is different. This is the first one. It only infects .EXE files, increasing their length by 1961 bytes. When an infected program is run, the virus will search for a non-infected file. When it has been infected, the virus plays the melody, before the original program is executed. At the very end of the virus, the word "motherfucker" appears. Another version of the same virus is also known. The main difference is the length - the variant is only 1624 bytes long. Oropax This virus probably originated in W. Germany. It is not very harmful - when it activates it will just repeatedly play three melodies. The virus infects .COM files, other than COMMAND.COM. Infected files grow by 2756-2806 bytes, becoming a multiple of 51 bytes in length. This virus stays resident in memory, but it will not infect other programs when they are executed. Instead it will search for a file to infect when files are created or deleted, a subdirectory is created or the access mode of a file is changed. A few other functions may also trigger an infection. The virus uses a random number generator to decide when to become active, and if it does, it will start playing 5 minutes after an infected program is run. Perfume A .COM infecting virus of German origin, that will sometimes ask the user a question and not run the infected file unless the answer is "4711", which is the name of a perfume. This virus will look for COMMAND.COM and infect it unless it is already infected. Infected files grow by 765 bytes. In the most common variant of the virus the questions have been overwritten with garbage. Pretoria (June 16th) Pretoria is a direct-action, .COM infecting virus from South Africa. It overwrites the first 879 bytes of infected files with itself, and stores the original 879 bytes at the end of the file. 
This makes it impossible to fully restore programs shorter than 879 bytes, as their original length is not stored anywhere. When an infected program is executed, the virus searches the entire current directory for .COM files to infect. As it uses a full-depth recursive directory search, this may take considerable time on an XT-class machine. On June 16th the execution of an infected file will cause all entries in the root directory to be changed to 'ZAPPED'. June 16th is the day when the Soweto riots first broke out. The virus uses a simple substitution encryption. Prudents This is a Direct-Action Spanish virus, 1205 bytes long, which infects .EXE files. It is probably written by the same author as the PSQR variant of the Jerusalem virus, as it checks if that virus is present, when it is run. This virus will overwrite the last 32 bytes of any file it infects, possibly destroying the victim. Shake Thake is a primitive 476 byte .COM infecting virus. It may infect the same program over and over, and infected programs may cause a reboot when executed. The name is derived from a string which is found inside the virus: Shake well before use ! South African "Friday 13." This is one of the oldest viruses around, but it is still very rare. It is a "direct action" virus, that will seek out one or more programs to infect, every time an infected program is run. It will only infect .COM files, which grow by 415-544 bytes, depending on the variant in question. The original virus is 419 bytes long. Like the Lehigh virus it can be stopped simply by making .COM files read-only. Most other viruses are not bothered by this, however. A version of this virus, called "Virus-B", where the destructive part has been disabled has been distributed for demonstration purposes. Stupid (Do-Nothing) The "Do-Nothing" or "Stupid" virus is not a well written one. In fact it is so badly written that in many cases it will simply cause the system to "hang", instead of properly infecting it. 
It seems that this virus was created by a lousy programmer, somewhere in Israel. It is not a serious threat. It will only work on machines with at least 640K of memory, because it always tries to hide itself at the same address, starting at 9000:0000. This virus infects .COM files, which grow by 583 bytes. The original infected program distributed by the author contained the string: (c)Stupid 1989 Virushmock! Svir This is an unremarkable 512 byte direct-action .EXE file virus. Its effects (if any) are not yet known. Sylvia This virus is a bit unusual, to say the least. It contains the following message: This program is infected by a HARMLESS Text-Virus V2.1 Send a FUNNY postcard to : Sylvia Verkade, Duinzoom 36b, 3235 CD Rockanje The Netherlands. You might get an ANTIVIRUS program..... It will display this message when an infected program is executed, but if the above text is tampered with, the following message, (which is stored in an encrypted form) will appear instead: FUCK YOU LAMER !!!! system halted...$ Some people have a weird sense of humor... As the text above indicates, the virus originated in the Netherlands. When an infected program is run, the virus will seek out up to 5 .COM files to infect. It will search drive C: and the current drive. The three system files, COMMAND.COM, IBMBIO.COM and IBMDOS.COM are not infected. The virus adds 1301 bytes to the beginning of the files it infects (and also 31 bytes to the end), but does no other damage. The girl mentioned above exists, but she says that she has no idea who the author is. It is very likely that he knows her, though. SysLock The SysLock virus infects .EXE and .COM files. It is a "Direct Action" virus that will search for files to infect when an infected program is executed. The virus will first modify the length of any program it infects, so it becomes a multiple of 16 bytes. Then the virus code, 3551 bytes is appended to the file. 
One unusual "feature" of this virus is that it will search the disk for the string "Microsoft" and change it into "MACROSOFT". The virus will not infect programs if the environment contains SYSLOCK=@. Three other variants of this virus are known. Two are called "Macho", since they both will change the string "Microsoft" into "MACHOSOFT". One is very close to the original virus, the other a bit different. The third variant, "Advent" will activate in December and then play "Oh, Tannenbaum". Taiwan This virus seems to have appeared in Jan '90. It is a direct-action .COM infector, which activates on the 8th day of any month, overwriting the FAT and root directory of drives C: and D: Two variants are known, one is 708 bytes, but the other one is 743. Infected programs sometimes "hang", for some unknown reason. Tenbyte This is a 1554 byte long .COM and .EXE infecting virus that was by accident posted to the V-ALERT electronic mailing list, which is intended for urgent messages regarding virus infections. Just like the "Stupid" virus, it will only work on machines with at least 640K memory. Traceback The "Traceback" virus produces a screen display similar to that produced by the Cascade virus. There are of course differences, since the viruses are totally unrelated. Every file infected with "Traceback" contains the name of the file that infected it. This makes it possible to trace the path of the infection. Another difference is that it is possible to make the characters "jump" back up, by pressing keys on the keyboard, after all the characters on the screen have fallen down. There are two variants known of this virus, but the size is the only significant difference. The original virus is 3066 bytes long, but the variants are 2930 and 3031 bytes long. Vacsina and Yankee Doodle A programmer in Bulgaria has written a number of viruses - 50 different variants or so. Two of the variants, number 5 and 39 "escaped" to the West in 1989. 
One of the features of the viruses in this family is that they contain a version number system, similar to that used in the "Den Zuk" virus. If a virus in the family finds a file infected with an older version of itself, it will remove the infection and re-infect with the new version. A number of the variants play the tune "Yankee Doodle", but the viruses are not to be confused with the original "Yankee Doodle" virus, which is called "Old Yankee" by the F-FCHK program.

This family can be divided into two groups, one consisting of versions numbered below 38, the other of versions 38 and upwards. The first group is identified as "Vacsina" variants by F-FCHK, and the second one as "Yankee Doodle" variants. However, this division is based on differences in the internal structure of the viruses - several of the "Vacsina" viruses also play "Yankee Doodle".

The "Vacsina" viruses seem to have been written originally to infect only .COM files. .EXE files are also infected, but that is done in two steps. First a short piece of code is added to the end of the file. Then a JMP command is added at the front of the file. This code seems to be based on the code used in FORMAT.COM and CHKDSK.COM in some versions of MS-DOS. When executed it will relocate the .EXE file. This makes the .EXE file structurally equivalent to a .COM file, so it can be infected as one. The second group (versions 38 and upwards) infects .EXE files in an "ordinary" way.

Compared to most other viruses, these are fairly harmless. In the first versions a beep (BELL) is heard every time a .COM-type file is successfully infected. As mentioned before, some of them play "Yankee Doodle", sometimes at 5 o'clock, but other variants play the tune when the computer is rebooted by pressing Ctrl-Alt-Del. The latest versions of the viruses contain several advanced features - including self-correcting Hamming code, disabling of debugging tools, and the ability to search for and remove the Ping-Pong and Cascade viruses.
Vcomm

An .EXE infecting virus that came from Poland. It is not very well written, but easy to study because the commented source code was included in the sample that arrived from there. When an infected program is run, it will infect one .EXE file in the current directory. Infected programs are first padded so their length becomes a multiple of 512 bytes. Then the virus adds 637 bytes to the end of the file. It will also install a resident part that will intercept any disk write and change it into a disk read.

Victor

This is a 2442 byte .EXE and .COM virus from the USSR, at least according to the text found inside it:

    Victor V1.0 The Incredible High Performance Virus
    Enhanced versions available soon.
    This program was imported from USSR.
    Thanks to Ivan

Little is yet known about its effects.

Vienna

This virus, also called DOS-62, UNESCO and 648, will only infect .COM files. When an infected file is run, the virus will search for an uninfected file and infect it. One out of eight files infected is destroyed, by overwriting the first few bytes with instructions that will cause a restart when the program is run. Infected files can be easily found because they contain an "impossible" value (62) in the "seconds" field of the time stamp.

Unfortunately the source code to this virus has been published in a book, "Computer Viruses: A High-Tech Disease", so it will probably become very common in the future. The version printed in the book was modified slightly, in order to make it a little less harmful - it would only infect files in the current directory. The virus appends 648 bytes to the files it infects.

One variant of this virus, "Lisbon", has been found in Portugal, but the Ghost virus is also closely related. Several other variants have been reported in Bulgaria. Some of them are so different that they have received a new name, "New Vienna". The Bulgarian variants are similar to the original virus, but the changes include:

    Different length - 435, 367, 354 and 348 bytes.
    Different damage function - formatting of hard disk.
    Critical error handler added.

Virdem

This 1336-byte, direct action .COM-infecting virus was written in 1986, which makes it one of the oldest viruses in existence. It was written by R. Burger, the author of "Computer Viruses: A High-Tech Disease". It will not spread unless modified, because the virus makes it quite clear that the program has been infected. Virdem overwrites the first part of the program and appends itself to the end of the file.

Virus-90

The most interesting fact regarding this virus is that the author of it is known. He uploaded the virus to a number of BBSs, saying that the source code was available for around $20. The virus itself is not very remarkable, a simple .COM infector that adds 857 bytes to any file it infects. The virus will only infect files on drives A: and B:, but it would of course be very easy to "fix" that. An infected program will display the message "Infected!" when it is executed, but otherwise the virus does nothing at all.

A "new and improved" version, Virus-101, was written by the same person. It infects .EXE files as well as .COM files, and is somewhat variable. The author, Patrick Toulme, has made some feeble attempts to make it difficult to disassemble or modify the virus, but this "protection" is of course easily defeated. The virus is fairly harmless; it could be turned into a harmful one, but as it is rather badly written, I doubt anyone will bother. The virus contains one unusual feature, though - it infects COMMAND.COM by overwriting it, in the same manner as the Lehigh virus does, so no change in length is visible.

VP

First reported in April '90, this virus is of the direct-action .COM infecting kind. It contains one unusual feature - at the beginning of the virus a variable number of NOP instructions (0-15 in number) are added. This is probably done in order to confuse "on-the-fly" virus scanners. The virus then appends 909 bytes containing the virus code.
W13

This is a rather primitive .COM infecting virus. Two variants are known, the first one is 534 bytes long, but the second, with some bugs corrected, is only 507 bytes long. The variants are both of the "Direct Action" type and do nothing interesting. They are based on the Vienna virus, but mark infected files by setting the "month" field to 13, instead of setting the "seconds" field to 62. This virus originated in the Soviet Union.

XA1

The XA1 virus overwrites the first 1539 bytes of infected .COM files with itself and stores the original code at the end of the file. On April 1st, a part of the virus will activate - overwriting the boot sector with code that will cause the computer to "hang" on the next boot-up. The virus will also activate on December 21st and stay active until the end of the year. It will then display a Christmas tree, and the text:

    Und er lebt doch noch: Der Tannenbaum!
    Frohe Weihnachten

Zero Bug

The "Zero Bug" will mark infected files in the same way as the Vienna virus, placing 62 in the "seconds" field of the timestamp of the .COM files it infects. Apart from this, the viruses are very dissimilar. This virus will search for COMMAND.COM, using the value of the COMSPEC environment variable to locate the file. Then it will remain resident, hook INT 60 and infect every .COM file run. The virus seems not too well written - containing some unreachable code, but it is unusual in some ways. When it infects a file, it will add 1536 bytes in front of the original code, just like the Agiplan virus.

It also contains one "feature" that will probably be more used in the future - if the virus is active in memory and you look at a directory containing infected files, the virus will make the directory entries appear as they were before the infection. That is, you will not see any increase in file length. This method is also used by some of the latest viruses from Bulgaria.
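The timestamp markers described above for Vienna, W13 and Zero Bug (62 in the "seconds" field, 13 in the "month" field) can be checked directly from the raw time and date words of a FAT directory entry. The following Python is an added example and not part of the F-PROT document; the directory entries it scans are constructed for illustration and the function names are my own.

```python
"""Flag DOS directory timestamps that Vienna-family viruses use as infection
markers: seconds = 62 (Vienna, Zero Bug) or month = 13 (W13).
Added example, not part of the F-PROT document; all entries are constructed."""
from typing import List, NamedTuple, Optional, Tuple

class DosTimestamp(NamedTuple):
    year: int
    month: int
    day: int
    hour: int
    minute: int
    second: int

def decode_dos_timestamp(time_word: int, date_word: int) -> DosTimestamp:
    """Unpack the 16-bit FAT time word (hours in bits 15..11, minutes 10..5,
    seconds/2 in 4..0) and date word (years since 1980 in 15..9, month 8..5,
    day 4..0). Fields are returned raw, so impossible values survive."""
    return DosTimestamp(
        year=1980 + (date_word >> 9),
        month=(date_word >> 5) & 0x0F,
        day=date_word & 0x1F,
        hour=time_word >> 11,
        minute=(time_word >> 5) & 0x3F,
        second=(time_word & 0x1F) * 2,
    )

def infection_marker(ts: DosTimestamp) -> Optional[str]:
    """Name the marker a timestamp carries, or None if it looks legitimate."""
    if ts.second == 62:  # raw field value 31; a real clock never exceeds 58
        return "seconds=62 (Vienna / Zero Bug marker)"
    if ts.month == 13:  # months run 1..12, so 13 is the W13 marker
        return "month=13 (W13 marker)"
    return None

def scan_entries(entries: List[Tuple[str, int, int]]) -> List[Tuple[str, str]]:
    """Return (file name, marker) for each entry whose timestamp is a marker."""
    hits = []
    for name, time_word, date_word in entries:
        marker = infection_marker(decode_dos_timestamp(time_word, date_word))
        if marker:
            hits.append((name, marker))
    return hits

# Constructed directory entries: (name, time word, date word).
SAMPLE_ENTRIES = [
    ("CLEAN.COM", 0x645C, 0x14CF),   # 12:34:56, 1990-06-15: legitimate
    ("INFECT.COM", 0x481F, 0x14CF),  # 09:00:62, 1990-06-15: Vienna marker
    ("W13.COM", 0x51E0, 0x15A1),     # 10:15:00, 1990-13-01: W13 marker
]
```

Running `scan_entries(SAMPLE_ENTRIES)` reports INFECT.COM and W13.COM and leaves CLEAN.COM alone; on a real disk the same check is only a hint, since a marker can be cleared or never set by a variant.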