%%File: VIRS0001.TXT
%%Name/Aliases: Brain, Pakistani, Ashar, Shoe, Shoe_Virus, Shoe_Virus_B, Ashar_B, UIUC, UIUC-B, @BRAIN, Jork, Shoe B
%%Platform: PC/MS-DOS
%%Type: Boot sector.
%%Disk Location: Floppy disk boot sector.
%%Features: Memory resident; TSR.
%%Damage: Corrupts boot sector, Interferes with a running application., Corrupts a data file., Corrupts the file linkages or the FAT.
%%Size: Overlays boot sector, no increase
%%See Also:
%%Notes: This virus only infects the boot sectors of 360 KB floppy disks. It does no malicious damage, but bugs in the virus code can cause loss of data by scrambling data on diskette files or by scrambling the File Allocation Table. It does not tend to spread in a hard disk environment. Diskette volume labels change to "(c) Brain".
%%File: VIRS0002.TXT
%%Name/Aliases: Merritt, Alameda, Yale, Golden Gate, 500 Virus, Mazatlan, Peking, Seoul, SF Virus
%%Platform: PC/MS-DOS
%%Type: Boot sector.
%%Disk Location: Floppy disk boot sector.
%%Features: Memory resident; TSR.
%%Damage: Corrupts boot sector, Corrupts the file linkages or the FAT.
%%Size: Overlays boot sector, no increase
%%See Also:
%%Notes: Track 39 sector 8 is used to save the original boot record, and any file there will be overwritten. Destroys the FAT after some length of time. It spreads when the Ctrl-Alt-Del sequence is used with an uninfected diskette in the boot drive. The Golden Gate variation will reformat drive C: after n infections. Infects Floppies Only. Spreads between floppy disks. Unbootable disks, destroyed files. 80286 systems crash. Compare boot sector of infected disk with a "real" system disk. If different: check track 39, sector 8; if this contains the real boot blocks. Execute a SYS command to reinstall real boot block and system file from a clean disk.
%%File: VIRS0003.TXT
%%Name/Aliases: Friday 13th COM, South African, 512 Virus, COM Virus, Friday The 13th-B, Friday The 13th-C, Miami, Munich, Virus-B, ENET 37
%%Platform: PC/MS-DOS
%%Type: Program.
%%Disk Location: COM application.
%%Features: Direct acting.
%%Damage: Corrupts a program or overlay files.
%%Size: 419, 613 - ENET 37 variant
%%See Also: number of the beast, Compiler.1, Darth Vader
%%Notes: Infects all .COM files except COMMAND.COM, and deletes the host program if run on Friday the 13th. Beast: SCAN 97 still says that "number of the beast" is the 512 virus, also says that Compiler.1 and Darth Vader viruses are also 512 virus (erroneously). Files disappear on Friday the 13th. Text "INFECTED" found near start of virus.
%%File: VIRS0004.TXT
%%Name/Aliases: Lehigh, Lehigh-2, Lehigh-B
%%Platform: PC/MS-DOS
%%Type: Program.
%%Disk Location: COMMAND.COM
%%Features: Memory resident; TSR.
%%Damage: Corrupts a program or overlay files., Corrupts the file linkages or the FAT., Corrupts boot sector
%%Size: Overlays application, no increase, 555 bytes inserted in stack area of COMMAND.COM.
%%See Also:
%%Notes: Spreads between copies of COMMAND.COM. After spreading four or ten times, it overwrites critical parts of a disk with random data. Displaying junk on the screen. Alters the contents and the date of COMMAND.COM. Spread will be detected by any good modification detector.
%%File: VIRS0005.TXT
%%Name/Aliases: Vienna, 648, Lisbon, Vienna-B, Austrian, Dos-62, Unesco, The 648 Virus, The One-in-Eight Virus, 62-B, DOS-68, Vien6, Vienna-B645, 648-B
%%Platform: PC/MS-DOS
%%Type: Program.
%%Disk Location: COM application.
%%Features: Direct acting.
%%Damage: Corrupts a program or overlay files., Deletes or moves files.
%%Size: 648
%%See Also:
%%Notes: The virus infects one .COM file every time it is run. 7/8 of the time it infects the .COM file and 1/8 of the time it inserts a jump to the BIOS initialization routines that reboot the machine.
To mark a file as infected, the virus sets the seconds field of the timestamp to 62 which most utilities (including DIR) skip. Damaged files, file lengths increase. The second-entry of the time stamp of an infected file is set to 62 dec.
%%File: VIRS0006.TXT
%%Name/Aliases: Jerusalem, Jerusalem A, Black Hole, Blackbox, 1808, 1813, Israeli, Hebrew University, Black Friday, Friday 13th, PLO, Russian, Kylie (variant), Scott's Valley, Mule, Slow, Timor
%%Platform: PC/MS-DOS
%%Type: Program.
%%Disk Location: COM application., EXE application., Program overlay files.
%%Features: Memory resident; TSR.
%%Damage: Interferes with a running application., Corrupts a program or overlay files., Deletes or moves files.
%%Size: 1813 Change in size of .COM files, 1808-1823 .EXE files: length mod 16 is 0, Multiple infections of .EXE files are possible
%%See Also:
%%Notes: Spreads between executable files (.COM or .EXE). On Friday the 13th, it erases any file that is executed, and on other days a two line black rectangle will appear at the bottom of the screen. Once this virus installs itself (once an infected COM or EXE file is executed), any other COM or EXE file executed will become infected. Kylie is difficult to spread. Mule variant uses encryption. EXE files too large to run, odd screen behavior and general slowdown, works well on LANs. 1. "MsDos" and "COMMAND.COM" in the Data area of the virus 2. "MsDos" are the last 5 bytes if the infected program is a .COM file.
%%File: VIRS0007.TXT
%%Name/Aliases: Suriv-01, April-1-COM, April 1st, Suriv A, sURIV 1.01
%%Platform: PC/MS-DOS
%%Type: Program.
%%Disk Location: COM application.
%%Features: Memory resident; TSR.
%%Damage: Interferes with a running application., Corrupts a program or overlay files.
%%Size: 897
%%See Also:
%%Notes: Spreads between COM files. On April 1st, 1988, writes the message: "APRIL 1ST HA HA HA HA YOU HAVE A VIRUS" and hangs the system. After that, simply writes a message every time any program is run.
If day is greater than 1st April, only "YOU HAVE A VIRUS !!!" is displayed. Typical text in Virus body (readable with HexDump-utilities): "sURIV 1.01"
%%File: VIRS0008.TXT
%%Name/Aliases: Suriv-03, Suriv03, Suriv 3.00, Suriv B, Jerusalem (B), Israeli #3
%%Platform: PC/MS-DOS
%%Type: Program.
%%Disk Location: COM application., EXE application.
%%Features: Memory resident; TSR.
%%Damage: Interferes with a running application., Corrupts a program or overlay files.
%%Size: 1813 bytes increase in length of .COM files, 1808-1823 bytes increase in length of .EXE files
%%See Also:
%%Notes: The system is infected if function E0h of INT 21h returns value 0300h in the AX-register. .COM files: program length increases by 1813; files are infected only once; COMMAND.COM is not infected. .EXE files: program length increases by 1808 - 1823 bytes, and no identification is used; therefore, .EXE files can be infected more than once. Programs are infected at load time. 30 seconds after the 1st infected program was run, the virus scrolls up 2 Lines in a small window of the screen (left corner 5,5; right corner 16,16). The virus slows down the system by about 10%. Suriv 3.00 compares the system-date with "Friday 13th", but is not able to recognize "Friday 13th", because of a "bug"; if it correctly recognized this date, it would delete any program started on "Friday 13th". Increase in the length of .EXE files. Lines scrolling in a small window. General slowdown of a machine. Typical texts in Virus body (readable with HexDump facilities): "sURIV 3.00"
%%File: VIRS0009.TXT
%%Name/Aliases: Ping Pong, Bouncing Ball, Italian, Bouncing Dot, Vera Cruz, Turin Virus
%%Platform: PC/MS-DOS
%%Type: Boot sector.
%%Disk Location: Floppy disk boot sector., Hard disk boot sector.
%%Features: Memory resident; TSR.
%%Damage: Interferes with a running application., Corrupts boot sector
%%Size: Overlays boot sector, no increase
%%See Also:
%%Notes: Bouncing dot appears on screen.
No other intentional damage. Spreads between disks by infecting the boot sectors. The bootsector contains at the offset 01FCh the word 1357h. Enter TIME 0, then immediately press any key and Enter; if the virus is present, the bouncing dot will be triggered.
%%File: VIRS0010.TXT
%%Name/Aliases: Ping Pong B, Boot, Falling Letters
%%Platform: PC/MS-DOS
%%Type: Boot sector.
%%Disk Location: Floppy disk boot sector., Hard disk boot sector.
%%Features: Memory resident; TSR.
%%Damage: Interferes with a running application., Corrupts boot sector
%%Size: Overlays boot sector, no increase
%%See Also:
%%Notes: Bouncing dot appears on screen. No other intentional damage. Spreads between disks by infecting the boot sectors.
%%File: VIRS0011.TXT
%%Name/Aliases: Stoned, Marijuana, Hawaii, New Zealand, Australian, Hemp, San Diego, Smithsonian, Stoned-B, Stoned-C, Zapper (variant)
%%Platform: PC/MS-DOS
%%Type: Boot sector.
%%Disk Location: Floppy disk boot sector., Hard disk boot sector., Hard disk partition table.
%%Features: Memory resident; TSR.
%%Damage: Interferes with a running application., Corrupts boot sector, Corrupts the file linkages or the FAT.
%%Size: Overlays boot sector, no increase, 440 bytes
%%See Also: Michaelangelo
%%Notes: Spreads between boot sectors of both fixed and floppy disks. May overlay data. Sometimes displays message "Your PC is now Stoned!" when booted from floppy. Affects partition record on hard disk. No intentional damage is done. When Stoned and Michaelangelo both infect a disk, problems occur because they both try to hide the partition table in the same place. 'Your PC is now Stoned!.....LEGALISE MARIJUANA!' in the bootsector at offset 18Ah
%%File: VIRS0012.TXT
%%Name/Aliases: Zero Bug, Agiplan, 1536, Palette, ZBug
%%Platform: PC/MS-DOS
%%Type: Program.
%%Disk Location: COM application.
%%Features: Memory resident; TSR.
%%Damage: Interferes with a running application., Corrupts a program or overlay files.
%%Size: 1536
%%See Also: Dark Avenger
%%Notes: Infects .COM files. All characters "0" (zero) will be exchanged with other characters. Exchange characters are 01h, 2Ah, 5Fh, 3Ch, 5Eh, 3Eh and 30h, in which case the attribute is set to background color (i.e. the character is invisible). This routine uses about 10% of CPU-time (system is slowed down accordingly). The Dark Avenger may be a descendant of this virus. Typical text in Virus body (readable with HexDump-utilities): "ZE", "COMSPEC=C:", "C:\COMMAND.COM". In infected .COM files the "seconds" field of the timestamp is changed to 62 sec (similar to GhostBalls original Vienna viruses).
%%File: VIRS0013.TXT
%%Name/Aliases: Cascade, 1704, 17Y4, 1704 B, 1704 C, Cascade A, Falling Tears, The Second Austrian Virus, Autumn, Blackjack, Falling Leaves, Cunning, Fall, Falling Letters, Herbst, Cascade YAP, YAP, Jo-Jo, Formiche
%%Platform: PC/MS-DOS
%%Type: Program., Encrypted/Stealth The virus actively hides.
%%Disk Location: COM application.
%%Features: Encrypted, Stealth, Direct acting.
%%Damage: Interferes with a running application., Corrupts a program or overlay files.
%%Size: 1704, 1701
%%See Also: 1701
%%Notes: Spreads between COM files. Occasionally causes odd screen behavior (the characters on the screen fall into a heap at the bottom of the screen!). One rare variant can destroy data on hard disks. See also 1701. Two different Cascade variants were called Cascade YAP. can be called YAP as well. Uses variable encryption, not polymorphic (virus-l, v5-097). The characters on the screen fall into a heap at the bottom of the screen!
%%File: VIRS0014.TXT
%%Name/Aliases: 1704-Format, Cascade Format
%%Platform: PC/MS-DOS
%%Type: Program., Encrypted/Stealth The virus actively hides.
%%Disk Location: COM application.
%%Features: Encrypted, Stealth, Direct acting.
%%Damage: Interferes with a running application., Corrupts a program or overlay files., Attempts to format the disk.
%%Size: 1704
%%See Also:
%%Notes: Spreads between COM files. Occasionally causes odd screen behavior (the characters on the screen fall into a heap at the bottom of the screen!). One rare variant can destroy data on hard disks.
%%File: VIRS0015.TXT
%%Name/Aliases: Oropax, Music, Musician
%%Platform: PC/MS-DOS
%%Type: Program.
%%Disk Location: COM application.
%%Features: Memory resident; TSR.
%%Damage: Interferes with a running application., Corrupts a program or overlay files.
%%Size: 2756-2806 Increase is divisible by 51
%%See Also:
%%Notes: Infects .COM files. After 5 minutes, the virus will start to play three melodies repeatedly with a 7 minute interval in between. This can only be stopped with a reset. Typical texts in Virus body (readable with HexDump facilities): "????????COM" and "COMMAND.COM"
%%File: VIRS0016.TXT
%%Name/Aliases: DenZuk, Venezuelan, Search, DenZuc B, Den Zuk, Mardi Bros, Sudah ada vaksin, Denzuko, Ohio, Hacker
%%Platform: PC/MS-DOS
%%Type: Boot sector.
%%Disk Location: Floppy disk boot sectors.
%%Features: Memory resident; TSR above TOM.
%%Damage: Interferes with a running application., Corrupts boot sector
%%Size: Overlays boot sector, no increase, Uses 1 boot sector and 9 sectors on track 40
%%See Also:
%%Notes: Infects floppy disk boot sectors, and displays a purple DEN ZUK graphic on a CGA, EGA or VGA screen when Ctrl-Alt-Del is pressed. F-Prot calls it Mardi Bros (virus-l, v5-072), but viruSafe says it is a different virus. Discovered July 1990 in France, this virus installs itself 7168 bytes above high memory. Infected diskettes have their volume label changed to "Mardi Bros". Boot sector will contain the following message: "Sudah ada vaksin". The label on an infected disk will read: "Y.C.1.E.R.P", where the "." is the F9h character.
%%File: VIRS0017.TXT
%%Name/Aliases: Dbase, DBF virus
%%Platform: PC/MS-DOS
%%Type: Program.
%%Disk Location: COM application.
%%Features: Memory resident; TSR.
%%Damage: Corrupts a data file., Interferes with a running application., Corrupts a program or overlay files., Corrupts the file linkages or the FAT.
%%Size: 1864
%%See Also:
%%Notes: Infects COM files. Registers all new .DBF files in a hidden file c:\BUGS.DAT. When any of those files are written, it reverses the order of adjacent bytes. When any of those files are read, it again reverses the bytes, making the file appear to be OK, unless it is read on an uninfected system or the file name is changed. When a file that is more than 3 months old is accessed, the virus attempts to destroy the FAT and root directory on drives D:, E:, ... Z:. Typical text in Virus body (readable with HexDump-utilities): "c:\bugs.dat"
%%File: VIRS0018.TXT
%%Name/Aliases: Datacrime, 1280, Columbus Day, DATACRIME Ib, Crime
%%Platform: PC/MS-DOS
%%Type: Program., Direct acting. Activates when run.
%%Disk Location: COM application.
%%Features: Encrypted, Direct acting.
%%Damage: Corrupts a program or overlay files., Attempts to format the disk., Corrupts the file linkages or the FAT.
%%Size: 1280
%%See Also:
%%Notes: Spreads between COM files. After October 12th, it displays the message "DATACRIME VIRUS RELEASE: 1 MARCH 1989", and then the first hard disk will be formatted (track 0, all heads). When formatting is finished the speaker will beep (endless loop).
%%File: VIRS0019.TXT
%%Name/Aliases: Datacrime-B, 1168, Columbus Day, Datacrime Ia
%%Platform: PC/MS-DOS
%%Type: Program.
%%Disk Location: COM application.
%%Features: Encrypted, Direct acting.
%%Damage: Corrupts a program or overlay files., Attempts to format the disk., Corrupts the file linkages or the FAT.
%%Size: 1168
%%See Also: Datacrime II
%%Notes: Spreads between COM files.
After October 12th, it displays the message "DATACRIME VIRUS RELEASE: 1 MARCH 1989", and then the first hard disk will be formatted (track 0, all heads). When formatting is finished the speaker will beep (endless loop).
%%File: VIRS0020.TXT
%%Name/Aliases: Datacrime II, 1514, Columbus Day
%%Platform: PC/MS-DOS
%%Type: Program.
%%Disk Location: COM application., EXE application.
%%Features: Encrypted, Direct acting.
%%Damage: Corrupts a program or overlay files., Attempts to format the disk., Corrupts the file linkages or the FAT.
%%Size: 1514
%%See Also: 1168, 1280
%%Notes: Spreads between both COM and EXE files. After October 12th, displays the message "* DATACRIME II VIRUS *", and damages the data on hard disks by attempting to reformat them.
%%File: VIRS0021.TXT
%%Name/Aliases: Datacrime II-B, 1917, Columbus Day, Crime-2B
%%Platform: PC/MS-DOS
%%Type: Program.
%%Disk Location: COM application., EXE application., COMMAND.COM
%%Features: Encrypted, Direct acting.
%%Damage: Corrupts a program or overlay files., Attempts to format the disk.
%%Size: 1917
%%See Also:
%%Notes: Spreads between both COM and EXE files. After October 12th, displays the message "* DATACRIME II VIRUS *", and damages the data on hard disks by attempting to reformat them.
%%File: VIRS0022.TXT
%%Name/Aliases: 405
%%Platform: PC/MS-DOS
%%Type: Program.
%%Disk Location: COM application.
%%Features: Direct acting.
%%Damage: Corrupts a program or overlay files.
%%Size: Overwrites first 405 bytes of a .COM file.
%%See Also:
%%Notes: The virus spreads itself by overwriting the first 405 bytes of a .COM file. One file is infected each time an infected file is executed.
%%File: VIRS0023.TXT
%%Name/Aliases: Fu Manchu, 2086, 2080, Fumanchu
%%Platform: PC/MS-DOS
%%Type: Program.
%%Disk Location: COM application., EXE application., Program overlay files.
%%Features: Memory resident; TSR.
%%Damage: Interferes with a running application., Corrupts a program or overlay files.
%%Size: 2086 Increase of .COM files, 2080-2095 Increase of .EXE files length mod 16 equals 0
%%See Also: Jerusalem, 1813
%%Notes: Infects .COM and .EXE files. The message 'The world will hear from me again! ' is displayed on every warmboot, and inserts insults into the keyboard buffer when the names of certain world leaders are typed at the keyboard. Occasionally causes the system to spontaneously reboot. Deletes certain 4 letter words when typed at the keyboard.
%%File: VIRS0024.TXT
%%Name/Aliases: Ohio, Den-Zuk 2, Den Zuk 2
%%Platform: PC/MS-DOS
%%Type: Boot sector.
%%Disk Location: Floppy disk boot sectors.
%%Features: Memory resident; TSR.
%%Damage: Corrupts boot sector
%%Size: Overlays boot sector, no increase
%%See Also:
%%Notes:
%%File: VIRS0025.TXT
%%Name/Aliases: Icelandic, Disk Eating Virus, Disk Crunching Virus, One In Ten, Saratoga 2
%%Platform: PC/MS-DOS
%%Type: Program.
%%Disk Location: EXE application.
%%Features: Memory resident; TSR.
%%Damage: Interferes with a running application., Corrupts a program or overlay files., Corrupts the file linkages or the FAT.
%%Size: 656-671 Length MOD 16 will always be 0.
%%See Also:
%%Notes: Infects every 10th .EXE file run, and if the current drive is a hard disk larger than 10M bytes, the virus will select one cluster and mark it as bad in the first copy of the FAT. Diskettes and 10M byte disks are not affected. File length increases. Decreasing usable hard disk space. Infected .EXE files end in 18 44 19 5F (hex). System: Byte at 0:37F contains FF (hex)
%%File: VIRS0026.TXT
%%Name/Aliases: Icelandic II, One In Ten, System Virus, 642
%%Platform: PC/MS-DOS
%%Type: Program.
%%Disk Location: EXE application.
%%Features: Memory resident; TSR.
%%Damage: Interferes with a running application., Corrupts a program or overlay files.
%%Size: 632-647 Length MOD 16 will always be 0.
%%See Also:
%%Notes: Every tenth program run is checked, and if it is an uninfected .EXE file it will be infected.
The virus modifies the MCBs in order to hide from detection. This virus is a version of the Icelandic-1 virus, modified so that it does not use INT 21 calls to DOS services. This is done to bypass monitoring programs. EXE Files: Infected files end in 18 44 19 5F (hex). System: Byte at 0:37F contains FF (hex)
%%File: VIRS0027.TXT
%%Name/Aliases: Saratoga, 632, Disk Eating Virus, One In Two
%%Platform: PC/MS-DOS
%%Type: Program.
%%Disk Location: EXE application.
%%Features: Memory resident; TSR.
%%Damage: Interferes with a running application., Corrupts a program or overlay files., Corrupts the file linkages or the FAT.
%%Size: 642 to 657 Length MOD 16 will always be 0.
%%See Also:
%%Notes: Infects every 10th .EXE file run, and if the current drive is a hard disk larger than 10M bytes, the virus will select one cluster and mark it as bad in the first copy of the FAT. Diskettes and 10M byte disks are not affected. Disk space on hard drives shrinking. .EXE files increasing in length. EXE Files: Infected files end in "PooT". System: Byte at 0:37F contains FF (hex)
%%File: VIRS0028.TXT
%%Name/Aliases: Icelandic III, December 24th
%%Platform: PC/MS-DOS
%%Type: Program.
%%Disk Location: EXE application.
%%Features: Memory resident; TSR.
%%Damage: Interferes with a running application., Corrupts a program or overlay files.
%%Size: 848 - 863
%%See Also:
%%Notes: It infects one out of every ten .EXE files run. If an infected file is run on December 24th it will stop any other program run later, displaying the message "Gledileg jol".
%%File: VIRS0029.TXT
%%Name/Aliases: Israeli Boot, Swap
%%Platform: PC/MS-DOS
%%Type: Boot sector.
%%Disk Location: Floppy disk boot sectors.
%%Features: Memory resident; TSR.
%%Damage: Corrupts boot sector
%%Size: Overlays boot sector, no increase
%%See Also:
%%Notes: It infects floppy disk boot sectors and reverses the order of letters typed creating typographical errors.
%%File: VIRS0030.TXT
%%Name/Aliases: Typo, Type Boot
%%Platform: PC/MS-DOS
%%Type: Boot sector.
%%Disk Location: Floppy disk boot sectors., Hard disk boot sectors.
%%Features: Memory resident; TSR.
%%Damage: Corrupts boot sector, Interferes with a running application.
%%Size: Overlays boot sector, no increase
%%See Also:
%%Notes: Infects floppy and hard disk boot sectors. Infects data disks as well as system disks. Attempting to boot with an infected data disk in the drive loads the virus then asks for a system disk. Every 50 printed characters, the virus inserts a typo. Typos in printed output. 80286 and 80386 machines hang when booted with an infected disk. You can detect infected diskettes by running Chkdsk. If you get 1k of bad sectors, that's a good sign of Typo (or Italian virus), as FORMAT marks an entire track (5k on a 360k diskette) as bad if it finds a defect. Treatment consists of simply copying all the files off an infected diskette (using "COPY *.*"; do not use Diskcopy or any image copier), and reformatting the diskette.
%%File: VIRS0031.TXT
%%Name/Aliases: Traceback II, 2930, 2930-B, Traceback II-B
%%Platform: PC/MS-DOS
%%Type: Program.
%%Disk Location: COM application., EXE application.
%%Features: Memory resident; TSR.
%%Damage: Corrupts a program or overlay files.
%%Size: 2930
%%See Also:
%%Notes: This appears to be an earlier version of Traceback. Spreads between .COM and .EXE files. Based on a rather complicated set of criteria, it will sometimes cause the text displayed on the screen to fall to the bottom, and then rise back up. Text falls down the screen.
%%File: VIRS0032.TXT
%%Name/Aliases: Disk Killer, Computer Ogre, Disk Ogre
%%Platform: PC/MS-DOS
%%Type: Boot sector.
%%Disk Location: Floppy disk boot sectors., Hard disk boot sectors.
%%Features: Memory resident; TSR.
%%Damage: Corrupts boot sector, Interferes with a running application., Corrupts a program or overlay files., Corrupts a data file., Encrypts the data on the disk.
%%Size: Overlays boot sector, no increase
%%See Also:
%%Notes: Infects floppy and hard disk boot sectors and after 48 hours of work time, it displays the following message: "Disk Killer -- Version 1.00 by COMPUTER OGRE 04/01/1989 Warning !! Don't turn off the power or remove the diskette while Disk Killer is Processing! PROCESSING". It then encrypts everything on the hard disk. The encryption is reversible. Word at offset 003Eh in the boot sector will contain the value 3CCBh.
%%File: VIRS0033.TXT
%%Name/Aliases: Vacsina, TP04VIR, TP05VIR, TP06VIR, TP16VIR, TP23VIR, TP24VIR, TP25VIR
%%Platform: PC/MS-DOS
%%Type: Program.
%%Disk Location: COM application., EXE application., Program overlay files.
%%Features: Memory resident; TSR.
%%Damage: Interferes with a running application., Corrupts a program or overlay files.
%%Size: 1206 - 1221 Added to a .COM file length mod 16 equals 0, 132+ Added to .EXE file then like a com file.
%%See Also: Yankee Doodle
%%Notes: It infects .COM and .EXE files when they are loaded; old versions of the virus will be replaced by newer ones. System beep when running a program. The string 'VACSINA' in the virus code; the last 4 bytes of an infected file show F4 7A 05 00
%%File: VIRS0034.TXT
%%Name/Aliases: Mix1, MIX1, MIX/1, Mixer1
%%Platform: PC/MS-DOS
%%Type: Program.
%%Disk Location: EXE application.
%%Features: Memory resident; TSR.
%%Damage: Interferes with a running application., Corrupts a program or overlay files.
%%Size: 1618-1634 length mod 16 equals 0
%%See Also:
%%Notes: The output is garbled on parallel and serial connections, after 6th level of infection booting the computer will crash the system (a bug), num-lock is constantly on, a ball will start bouncing on the screen. Garbled data from the serial or parallel ports. Bouncing ball on the screen. "MIX1" are the last 4 bytes of the infected file.
%%File: VIRS0035.TXT
%%Name/Aliases: Macho, MachoSoft, 3555, 3551
%%Platform: PC/MS-DOS
%%Type: Program., Encrypted/Stealth The virus actively hides.
%%Disk Location: COM application., EXE application., COMMAND.COM.
%%Features: Encrypted, Direct acting.
%%Damage: Corrupts a program or overlay files., Corrupts a data file.
%%Size: 3550-3560 bytes are appended on a paragraph boundary
%%See Also:
%%Notes: Spreads between .COM and .EXE files. It scans through data on the hard disk, changing the string "Microsoft" (in any mixture of upper and lower case) to "MACHOSOFT". If the environment variable "VIRUS=OFF" is set, the virus will not infect. Use this as a temporary protection. Microsoft changes to MACHOSOFT. Search for the string: 50,51,56,BE,59,00,B9,26,08,90,D1,E9,8A,E1,8A,C1,33,06,14,00,31,04,46,46,E2,F2,5E,59
%%File: VIRS0036.TXT
%%Name/Aliases: Pentagon
%%Platform: PC/MS-DOS
%%Type: Boot sector.
%%Disk Location: Floppy disk boot sectors.
%%Features: Memory resident; TSR.
%%Damage: Corrupts boot sector
%%Size: Overlays boot sector, no increase
%%See Also:
%%Notes: It infects floppy disk boot sectors, and removes the Brain virus from any disk it finds. The virus can survive a warmboot. It appears that no anti-viral researchers can get this virus to replicate.
%%File: VIRS0037.TXT
%%Name/Aliases: Dark Avenger, Dark Avenger-B, Black Avenger, Diana, Eddie, Rapid Avenger, Apocalypse-2, CB-1530, Milana, MIR, Outland, Ps!ko, Zeleng, Rabid
%%Platform: PC/MS-DOS
%%Type: Program.
%%Disk Location: COM application., EXE application., Program overlay files., COMMAND.COM
%%Features: Memory resident; TSR.
%%Damage: Corrupts a program or overlay files., Overwrites sectors on the Hard Disk.
%%Size: 1800
%%See Also: Zero Bug
%%Notes: Infects every executable file that is opened, .COM and EXE files are corrupted on any read attempt even when VIEWING!!! Every 16th infection, it overwrites a block of the hard disk with a copy of the boot block.
The virus construction kit may have used the Dark Avenger as a basis. This virus may have been based upon the Zero Bug virus. Copies of the virus source code appear to have been passed out to others, resulting in the different variants. The Rabid virus swapped 2 instructions, located in the center of a search string used by a well known scanner. Damaged files with "Eddie lives...somewhere in time" in them. "Eddie lives...somewhere in time" at beginning and "This Program was written in the City of Sofia (C) 1988-89 Dark Avenger" near end of file
%%File: VIRS0038.TXT
%%Name/Aliases: AIDS, Hahaha, Taunt, VGA2CGA
%%Platform: PC/MS-DOS
%%Type: Program.
%%Disk Location: COM application.
%%Features: Direct acting.
%%Damage: Corrupts a program or overlay files.
%%Size: Overlays application, no increase
%%See Also:
%%Notes: It infects .COM files.
%%File: VIRS0039.TXT
%%Name/Aliases: Yankee Doodle, Five O'Clock, TP33VIR, TP34VIR, TP38VIR, TP41VIR, TP42VIR, TP44VIR, TP45VIR, TP46VIR, Yankee Doodle 44, Enigma, Old Yankee
%%Platform: PC/MS-DOS
%%Type: Program.
%%Disk Location: COM application., EXE application.
%%Features: Memory resident; TSR.
%%Damage: Interferes with a running application., Corrupts a program or overlay files.
%%Size: 1961, 1624, 1755, 2772 Yankee Doodle-B
%%See Also: vacsina
%%Notes: One day in about 8 at 5 pm it can play the "Yankee Doodle" tune. This virus also uses hamming codes to check itself and repair itself if someone had modified it. TP44 virus: at 15 seconds before 5 pm it plays the Yankee Doodle tune. Yankee Doodle coming from the computer's speakers. One of the easier viruses to disinfect, lots of software will do it.
%%File: VIRS0040.TXT
%%Name/Aliases: Alabama, Alabama-B
%%Platform: PC/MS-DOS
%%Type: Program., Encrypted/Stealth The virus actively hides.
%%Disk Location: EXE application.
%%Features: Encrypted, Direct acting.
%%Damage: Corrupts the file linkages or the FAT., Interferes with a running application., Corrupts a program or overlay files.
%%Size: 1560
%%See Also:
%%Notes: The Alabama virus is a memory resident, encrypting, .EXE file infector. The virus contains the string, SOFTWARE COPIES PROHIBITED BY INTERNATIONAL LAW. Box 1055 Tuscambia ALABAMA USA. which is displayed after an hour of use on an infected machine. It hooks Ctrl-Alt-Del and fakes a reboot when they are pressed, staying in memory. On Fridays, it does strange things like executing different files from those you selected. The following text on the screen, SOFTWARE COPIES PROHIBITED BY INTERNATIONAL LAW. Box 1055 Tuscambia ALABAMA USA. Executing one file and having a different one start running.
%%File: VIRS0041.TXT
%%Name/Aliases: Ghost
%%Platform: PC/MS-DOS
%%Type: Program.
%%Disk Location: COM application.
%%Features: Direct acting.
%%Damage: Corrupts boot sector, Corrupts a program or overlay files.
%%Size: 2351
%%See Also:
%%Notes: Infects .COM files.
%%File: VIRS0042.TXT
%%Name/Aliases: GhostBalls, Ghost Boot, Ghost COM, Vienna, DOS-62
%%Platform: PC/MS-DOS
%%Type: Program.
%%Disk Location: COM application.
%%Features: Direct acting.
%%Damage: Corrupts boot sector, Interferes with a running application., Corrupts a program or overlay files.
%%Size: 2351
%%See Also:
%%Notes: Variant of Vienna that puts a patched copy of the Ping Pong virus in the boot of drive A. It may infect floppy and hard disk boot sectors, sources differ on this. It contains the following text strings: GhostBalls, Product of Iceland Copyright (c) 1989, 4418 and 5F19. Bouncing ball on screen. COM files: "seconds" field of the timestamp changed to 62, as in the original Vienna virus. Infected files end in a block of 512 zero bytes. The string "GhostBalls, Product of Iceland" in the virus.
%%File: VIRS0043.TXT
%%Name/Aliases: Typo, Fumble, Typo COM, 867, Mistake
%%Platform: PC/MS-DOS
%%Type: Program.
%%Disk Location: COM application., COMMAND.COM.
%%Features: Direct acting.
%%Damage: Interferes with a running application., Corrupts a program or overlay files.
%%Size: 867
%%See Also:
%%Notes: Infects .COM files. The virus replaces the keyboard handler, and if it is in place, it occasionally replaces the key that is typed, with the key immediately to the right. The fumble only activates if you type at better than six characters per second (approximately 60 wpm). If you type at that speed, after not using the keyboard for five seconds, you get a fumble. Typed characters are not what you pressed.
%%File: VIRS0044.TXT
%%Name/Aliases: Sunday, Sunday-B, Sunday-C
%%Platform: PC/MS-DOS
%%Type: Program.
%%Disk Location: COM application., EXE application., Program overlay files.
%%Features: Memory resident; TSR.
%%Damage: Interferes with a running application., Corrupts a program or overlay files.
%%Size: 1636, 1644, 1631, uses INT 21 subfunction FF to check for prior infections
%%See Also: Jerusalem
%%Notes: Infects .OVL, .COM and .EXE files. It is a memory resident virus. It can affect system run-time operations. It appears to be a "Jerusalem" variant, with modifications at the source code level to make this a separate and distinct virus (i.e. not a mutation of Jerusalem). First discovered in Seattle, WA in November 1989. Three variants exist. FAT damage has been reported, but not confirmed. Each of the three variants adds a different amount of bytes to files, it is not yet known which size is for which variant. One variant only is damaging; it activates on Sundays and displays a message. The other two variants have a bug which stops this action, and do not cause FAT damage. Works well on LANs. Activation on Sundays and displays message "Today is Sunday! Who do you work so hard? All work and no play make you a dull boy. C'mon let's go out and have fun!"
then may cause FAT damage Find with standard detection/eradication packages FPROT 2.00, probably earlier versions, most commercial scanners. %%File: VIRS0045.TXT %%Name/Aliases: Do Nothing, Stupid Virus, 640K Virus %%Platform: PC/MS-DOS %%Type: Program., %%Disk Location: COM application. %%Features: Memory resident; TSR. %%Damage: Corrupts a program or overlay files. %%Size: 583 %%See Also: %%Notes: Infects .COM files. The virus copies itself to 9800:100h, which means that only computers with 640KB can be infected. Many programs also load themselves to this area and erase the virus from the memory. %%File: VIRS0046.TXT %%Name/Aliases: Sylvia V2.1,Holland Girl %%Platform: PC/MS-DOS %%Type: Program., %%Disk Location: COM application. %%Features: Memory resident; TSR. %%Damage: Corrupts a program or overlay files. %%Size: 1332 %%See Also: %%Notes: The virus infects only COM-files with less than 30 KB; it does not infect COMMAND.COM, IBMBIO.COM, IBMDOS.COM. 1301 bytes of the virus-code are written in front of and 31 bytes are written behind the original code; files are only infected once, because the virus checks the existence of its signature (808h) at the beginning of the file. When an infected file is started, the virus tries to infect 5 COM-files on default drive. The virus displays the following message : "FUCK YOU LAMER !!!! (CRLF) system halted..." and stops system by jumping into an endless loop. The message is encoded in the program. In this version (V2.1), the message typical for original Sylvia virus ("This program is infected by a HARMLESS ... ") is NOT displayed. After being activated, the virus checks itself by creating a check-sum of the first 144 words. When the check-sum is incorrect (# 46A3h) the damaging part of the virus is activated. "FUCK YOU LAMER !!!! (CRLF) system halted", displayed on screen. Typical texts in Virus body (readable with Hexdump-facilities) : 1. "39 38 39 38 4F 45 4F 52 61 59 1E 56 5D 5A 52 61 62" (encoded text) 2. 
'Text-Virus V2.1' 3. 'Sylvia Verkade' 808h at beginning of file. %%File: VIRS0047.TXT %%Name/Aliases: Amstrad, Pixel, V-847, 847, V-847B, V-852 %%Platform: PC/MS-DOS %%Type: Program., %%Disk Location: COM application. %%Features: Direct acting. %%Damage: Corrupts a program or overlay files. %%Size: 847 %%See Also: %%Notes: Adds code to front of any .COM file in the current directory. The virus contains an advertisement for Amstrad computers. The program prints "Program sick error:Call doctor or buy PIXEL for cure description" with a 50-50 chance after the 5th infection. The virus contains the string "Program sick error:Call doctor or buy PIXEL for cure description". The string "IV" is at offset 3 in the COM file. %%File: VIRS0048.TXT %%Name/Aliases: Devil's Dance, Mexican, 941, 951 %%Platform: PC/MS-DOS %%Type: Program., %%Disk Location: COM application. %%Features: Memory resident; TSR. %%Damage: Interferes with a running application., Corrupts a program or overlay files., Corrupts a data file., Corrupts the file linkages or the FAT., Overwrites sectors on the Hard Disk. %%Size: 941, 951? %%See Also: %%Notes: Infects all .COM files in the current directory multiple times. Pressing Ctrl-Alt-Del displays "DID YOU EVER DANCE WITH THE DEVIL IN THE WEAK MOONLIGHT ? PRAY FOR YOUR DISKS!! The Joker". The virus counts keystrokes. After 2000 it activates and changes the screen colors; after 5000 it destroys the FAT. The file date/time is set to the date/time of the infection (i.e. multiple infected files have the same file date/time). All characters typed will be displayed in a different color on a color card. If ++ is pressed, the following message is displayed: "Have you ever danced with", "the devil under the weak light of the moon? ", "Pray for your disk! The_Joker...", "Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha". Typical text in Virus body, readable with hexdump-utilities: "Drk", "*.com".
If the high bit of the displayed code is stripped, the message displayed at system reset time can be read. .COM files: the first three bytes (jmp) and the last three bytes are identical. The file date/time is set to the date/time of the infection (i.e. multiple infected files have the same file date/time). %%File: VIRS0049.TXT %%Name/Aliases: 4096, Century, Century Virus, 100 Years Virus, Frodo, IDF, Stealth %%Platform: PC/MS-DOS %%Type: Program., Encrypted/Stealth The virus actively hides., %%Disk Location: COM application., EXE application., Program overlay files., COMMAND.COM %%Features: Encrypted, Direct acting. %%Damage: Interferes with a running application., Corrupts a program or overlay files., Corrupts a data file., Corrupts the file linkages or the FAT. %%Size: 4096 bytes increase in length, but hidden from the DIR cmd. %%See Also: %%Notes: It infects both .COM and .EXE applications. It is nearly impossible to detect once it has been installed since it actively hides itself from the scanning packages. Whenever an application such as a scanner accesses an infected file, the virus disinfects it on the fly. DIR will also not show the change in length. virus-l, v5-063: tries to place a new boot sector over the orig. on Sept 21 but the code to do this is garbled, so the computer will hang. v6-084: Frodo can infect certain types of non-executable files. Almost none. The computer will hang at a Get Dos Version call when the date is after 9/22 and before 1/1 of next year. virus-l, v5-063: report that this virus will activate on Sept 21. Compare file lengths with DIR and a Disk editor like Norton utilities. If they differ by 4096 you have the virus. If the date of the file is 20XX (XX being the last 2 digits of the original date) then the file has probably been infected by the 4096 virus. Copying a file to a file with a non-executable extension results in a disinfected file because the virus removes itself when the file is copied by COMMAND.COM.
A Do-it-yourself way: Infect system by running an infected file, ARC/ZIP/LHARC/ZOO all infected .COM and .EXE files, boot from uninfected floppy, and UNARC/UNZIP/LHARC E etc. all files. Pay special attention to disinfection of COMMAND.COM. %%File: VIRS0050.TXT %%Name/Aliases: Chaos %%Platform: PC/MS-DOS %%Type: Boot sector., %%Disk Location: Floppy disk boot sectors., Hard disk boot sectors. %%Features: Memory resident; TSR. %%Damage: Corrupts boot sector, Interferes with a running application., Corrupts a program or overlay files., Corrupts the file linkages or the FAT. %%Size: Overlays boot sector, no increase %%See Also: Brain %%Notes: Derivative of Brain %%File: VIRS0051.TXT %%Name/Aliases: Toothless, W13, W13-A, W13-B %%Platform: PC/MS-DOS %%Type: Program., %%Disk Location: COM application. %%Features: Memory resident; TSR. %%Damage: Corrupts a program or overlay files. %%Size: 534, 507 %%See Also: %%Notes: Infects .COM files. Infected programs are first padded so their length becomes a multiple of 512 bytes, and then the 637 bytes of virus code is added to the end. It then intercepts any disk writes and changes them into disk reads. %%File: VIRS0052.TXT %%Name/Aliases: Vcomm, 637 %%Platform: PC/MS-DOS %%Type: Program., %%Disk Location: EXE application. %%Features: Memory resident; TSR. %%Damage: Corrupts a program or overlay files. %%Size: 637 %%See Also: %%Notes: %%File: VIRS0053.TXT %%Name/Aliases: Perfume, 765, 4711 %%Platform: PC/MS-DOS %%Type: Program., %%Disk Location: COM application., COMMAND.COM. %%Features: Memory resident; TSR. %%Damage: Corrupts a program or overlay files., Interferes with a running application. %%Size: 765 %%See Also: %%Notes: It infects .COM files, and after 80 executions, it demands a password to run the application. The password is 4711 (the name of a perfume). 
A password request for a program that does not need one, or the printing of code on the screen when a program is run, much like using the DOS TYPE command with an executable file. One version contains the following strings: "G-VIRUS V2.0",0Ah,0Dh, "Bitte gebe den G-Virus Code ein : $" 0Ah,0Dh,"Tut mir Leid !",0Ah,0Dh,"$"; (translated 2nd and 3rd strings: "please input G-virus code"; "sorry") Another version has a block of 88(dec) bytes containing 00h. %%File: VIRS0054.TXT %%Name/Aliases: Virus-90 %%Platform: PC/MS-DOS %%Type: Program., %%Disk Location: COM application. %%Features: Memory resident; TSR. %%Damage: Corrupts a program or overlay files. %%Size: 857 %%See Also: %%Notes: %%File: VIRS0055.TXT %%Name/Aliases: Jerusalem-B, Jerusalem-C, Jerusalem-D, Jerusalem-DC, Jerusalem-E, Jerusalem-E2, New Jerusalem, Payday, Skism-1, Anarkia, Anarkia-B, A-204, Arab Star, Mendoza, Park ESS, Puerto %%Platform: PC/MS-DOS %%Type: Program., %%Disk Location: COM application., EXE application., Program overlay files. %%Features: Direct acting. %%Damage: %%Size: 1808 %%See Also: %%Notes: Works well on LANs %%File: VIRS0056.TXT %%Name/Aliases: Traceback, 3066, 3066-B, 3066-B2, Traceback-B, Traceback-B2 %%Platform: PC/MS-DOS %%Type: Program., %%Disk Location: COM application., EXE application. %%Features: Memory resident; TSR. %%Damage: Corrupts a program or overlay files., Interferes with a running application. %%Size: 3066 %%See Also: %%Notes: Spreads between COM and EXE files. Based on a rather complicated set of criteria, it will sometimes cause the text displayed on the screen to fall to the bottom, and then rise back up. One hour after system infection, the characters will fall down the screen. After 1 minute, screen is automatically restored. During damage, INT 09h will be hooked. Characters typed during damage will move "fallen-down" characters back to their start position. Damage repeats every hour. Typical text in Virus body (readable with hex-dump-utilities): 1.
"VG1" in the data area of the virus 2. "VG1" is found at offset of near-jmp- displacement if program is a .COM file. 3. The complete name of the file, which infected the currently loaded file, is in the code. 4. Search the last 16 bytes of a .COM or .EXE files for the hex-string: 58,2B,C6,03,C7,06,50,F3,A4,CB,90,50,E8,E2,03, 8B %%File: VIRS0057.TXT %%Name/Aliases: Peace, MacMag virus, Drew, Brandow, Aldus %%Platform: Macintosh %%Type: Bogus INIT., %%Disk Location: Hypercard stack., System program. %%Features: %%Damage: Corrupts a program or overlay files., Interferes with a running application. %%Size: INIT ID#6 on System %%See Also: %%Notes: First virus on the Macintosh. Displays "Peace on Earth" message on March 2, 1988 and removes itself the next day. Distributed via a HyperCard stack. Its presence causes problems with some programs. Rumored that a writer for the current show "Star Trek: The Next Generation" wrote it and was being accused in court and being sued: this info came out in late 1992 Unexplained program crashes. "Peace on Earth" message on March 2, 1988 INIT number ?? found on system file. VirusDetective search string: "Resource INIT & Size<2000 & WData 494E#37A#86700 ; For finding Peace" SAM search string: Remove the INIT from the System File. %%File: VIRS0058.TXT %%Name/Aliases: nVIR, nVIR A, nVIR B, AIDS, Hpat, MEV#, FLU, Jude, J- nVIR %%Platform: Macintosh %%Type: Patched CODE resource., %%Disk Location: Application programs and Finder., System program. %%Features: %%Damage: Corrupts a program or overlay files., Interferes with a running application. %%Size: nVIR In system ID #0,1,4,5,6,7; In application ID#1,2,3,6,7, CODE In applciation ID#256, INIT In system ID#32, Hpat, MEV#,AIDS,FLU Varations of nVIR resource name in other mutations %%See Also: %%Notes: It infects the System file and applications. nVIR begins spreading to other applications immediately. Whenever a new application is run, it is infected. 
Symptoms include unexplained crashes and problems printing. Works on Atari ST's in MAC emulation mode. Unexplained system crashes, problems printing. There are two Virus Detective search strings, one for applications and one for the System file: "Resource Start & Size<800 & WData 2F3A#F00#C80#B00 ; For finding nVIR, etc. in Appl's/Finder" "Filetype=ZSYS & Resource INIT & Size<800 & WData 2F3A#F00#C80#B00 ; For finding nVIR, etc. (System)" %%File: VIRS0059.TXT %%Name/Aliases: Dukakis %%Platform: Macintosh %%Type: Program., %%Disk Location: Hypercard stack., NEWAPP.STK stack %%Features: Direct acting. %%Damage: Corrupts a program or overlay files., Interferes with a running application. %%Size: %%See Also: %%Notes: Written in HyperTalk on a HyperCard stack called "NEWAPP.STK". Adds itself to Home Card and other stacks. Flashes a message saying, "Dukakis for President in 88, Peace on Earth, and have a nice day." This virus can be eliminated by using the Hypertalk editor and removing the well commented virus code. %%File: VIRS0060.TXT %%Name/Aliases: Scores, NASA %%Platform: Macintosh %%Type: Patched CODE resource., %%Disk Location: Application program., System program. %%Features: %%Damage: Corrupts a program or overlay files., Interferes with a running application. %%Size: INIT ID#6, 10, and 15 on the System, Notepad, Desktop, and Scrapbook files, atpl ID#128 on system, DATA ID#400 on the System, CODE ID# n+1 on applications, n is the first unused CODE resource ID. %%See Also: %%Notes: Infects applications and the system, and attempts to destroy files with creator types: VULT, and ERIC. Causes problems with other programs, including unexplained crashes and printing errors. Changes the icons of the NotePad and Scrapbook files to the blank document icon. Check the icons for the Note Pad and Scrapbook files. They should look like little Macintoshes.
If they both look like blank sheets of paper with turned-down corners, your software may have been infected by Scores. There are two Virus Detective search strings, one for the Finder and Applications, and one for the System file: Resource Start & Size<8000 & WData FD38#FBA#5A3 ; For finding Scores in Appl's/Finder Filetype≠APPL & Resource INIT & Size<1100 & WData FD38#FBA#5A3 ; For finding Scores in System, etc. %%File: VIRS0061.TXT %%Name/Aliases: Sexy Ladies Trojan %%Platform: Macintosh %%Type: Trojan., %%Disk Location: Sexy Ladies application %%Features: %%Damage: Attempts to erase all mounted disks. %%Size: %%See Also: %%Notes: Not a virus, but a Trojan Horse. Given away at 1988 San Francisco MacWorld Expo, erased whatever hard disk or floppy disk it was on when it was launched. An application named Sexy Ladies that erases the disk that contains it. Presence of the Application Sexy Ladies. Delete the application. %%File: VIRS0062.TXT %%Name/Aliases: INIT29 %%Platform: Macintosh %%Type: Bogus INIT., %%Disk Location: Application programs and Finder., Document file., INIT program. %%Features: %%Damage: Corrupts a program or overlay files., Interferes with a running application., Corrupts a data file. %%Size: INIT ID#29 %%See Also: %%Notes: It infects any file with resources, including documents. It damages files with legitimate INIT#29 resources. If you see the following alert whenever you insert a locked floppy, it is a good indication that your system is infected by INIT 29. The disk "xxxxx" needs minor repairs. Do you want to repair it? Also, printing problems and unexplained crashes. If you find an INIT ID=29 on an application or the System file, you may have this virus.
There are two Virus Detective search strings, one for the Finder and Applications, and one for nonapplications: Resource Start & Size<800 & WData 41FA#92E#797 ; For finding INIT29 in Appl's/Finder Filetype≠APPL & Resource INIT & Size<800 & WData 41FA#92E#797 ; For finding INIT29 in non-Appl's Removing the INIT repairs the files. %%File: VIRS0063.TXT %%Name/Aliases: WDEF, WDEF-A, WDEF-B %%Platform: Macintosh %%Type: Bogus resource., WDEF %%Disk Location: Desktop file. %%Features: %%Damage: %%Size: WDEF ID = 0 in Desktop file %%See Also: CDEF %%Notes: WDEF only infects the invisible "Desktop" files used by the Finder. It can spread as soon as a disk is inserted into a machine. An application need not be run to cause infection. Does not infect System 7 and above versions of the operating system due to changes in the O/S. VirusDetective search string: Creator=ERIK & Executables ; For finding executables in the Desktop Find WDEF ID=0 in the Desktop file. Rebuild the Desktop - Hold down Command and Option while inserting the disk. %%File: VIRS0064.TXT %%Name/Aliases: Mosaic Trojan %%Platform: Macintosh %%Type: Trojan., %%Disk Location: Mosaic program %%Features: %%Damage: Corrupts a program or overlay files., Corrupts a data file., Attempts to erase all mounted disks. %%Size: %%See Also: %%Notes: Embedded in a program called 'Mosaic', when launched, it immediately destroys the directories of all available physically unlocked hard and floppy disks, including the one it resides on. The attacked disks are renamed 'Gotcha!'. VirusDetective search string: Filetype=APPL & Resource Start & WData 4E76#84EBA#E30#76702 ; For finding Mosaic/FontFinder Trojans %%File: VIRS0065.TXT %%Name/Aliases: FontFinder Trojan %%Platform: Macintosh %%Type: Trojan., %%Disk Location: FontFinder program %%Features: %%Damage: Corrupts a program or overlay files., Corrupts a data file., Attempts to erase all mounted disks.
%%Size: %%See Also: %%Notes: Trojan found in the Public Domain program called 'FontFinder'. Before Feb. 10, 1990, the application simply displays a list of the fonts and point sizes in the System file. After that date, it immediately destroys the directories of all available physically unlocked hard and floppy disks, including the one it resides on. VirusDetective search string: Filetype=APPL & Resource Start & WData 4E76#84EBA#E30#76702 ; For finding Mosaic/FontFinder Trojans %%File: VIRS0066.TXT %%Name/Aliases: ANTI, ANTI-ANGE, ANTI A, ANTI B %%Platform: Macintosh %%Type: Patched CODE resource., %%Disk Location: Application programs and Finder. %%Features: %%Damage: Interferes with a running application. %%Size: %%See Also: %%Notes: Attacks only application files, and causes some problems with infected applications. VirusDetective search string: Resource Start & Pos -1100 & WData 000FA146#90F#80703 ; For finding ANTI A & B SAM def: Name=ANTI, Resource type=CODE, Resource ID=1, Resource Size=any, Search String=000A317CFFFF000CA033303C0997A146, String Offset=any %%File: VIRS0067.TXT %%Name/Aliases: ZUC, ZUC 1, ZUC 2 %%Platform: Macintosh %%Type: Patched CODE resource., %%Disk Location: Application programs and Finder. %%Features: %%Damage: %%Size: %%See Also: %%Notes: It infects only applications files. Before March 2, 1990 or less than two weeks after an application becomes infected, it only spreads from application to application. After that time, approximately 90 seconds after an infected application is run, the cursor begins to behave unusually whenever the mouse button is held down. The cursor moves diagonally across the screen, changing direction and bouncing like a billiard ball whenever it reaches any of the four sides of the screen. The cursor stops moving when the mouse button is released. Wild shifts in cursor position. 
Changes in the background pattern VirusDetective search string: Filetype=APPL & Resource CODE & ID=1 & WData A746*A038#31E*A033; For finding ZUC.Virus 1&2 SAM def: Name=ZUC A, Resource type=CODE, Resource ID=1, Resource Size=any, Search String=4E56FF74A03641FA04D25290, String Offset=any SAM def: Name=ZUC B, Resource type=CODE, Resource ID=1, Resource Size=any, Search String=7002A2604E752014A0552240, String Offset=any %%File: VIRS0068.TXT %%Name/Aliases: MDEF, MDEF A, Garfield, MDEF B, Top Cat, MDEF C %%Platform: Macintosh %%Type: Bogus resource., MBDF %%Disk Location: System program., Application programs and Finder., Desktop file., Document file. %%Features: %%Damage: Interferes with a running application. %%Size: MDEF ID#0 %%See Also: %%Notes: MDEF infects applications, the System file, other system files, and Finder Desktop files. The System file is infected as soon as an infected application is run. Other applications become infected as soon as they are run on an infected system. MDEF's only purpose is to spread itself, and does not intentionally attempt to do any damage, yet it can be harmful. Odd menu behavior. VirusDetective search string: Resource MDEF & ID=0 & WData 4D44#A6616#64546#6A9AB ; For finding MDEF A & MDEF B SAM def: Name=Garfield, Resource type=MDEF, Resource ID=0, Resource Size=314, Search String=2F3C434F44454267A9A0, String Offset=42 SAM def: Name=GARFIELD-2, Resource type=MDEF, Resource ID=0, Resource Size=532, Search String=2F3C4D4445464267487A, String Offset=304 SAM def: Name=MDEF C, Resource type=MDEF, Resource ID=0, Resource Size=556, Search String=4D4445464267487A005EA9AB, String Offset=448 %%File: VIRS0069.TXT %%Name/Aliases: Frankie %%Platform: Atari %%Type: , %%Disk Location: Applications and the Finder %%Features: %%Damage: %%Size: %%See Also: %%Notes: %%File: VIRS0070.TXT %%Name/Aliases: CDEF %%Platform: Macintosh %%Type: Bogus resource., CDEF %%Disk Location: The Desktop file %%Features: %%Damage: No damage, only replicates. 
%%Size: CDEF ID#1 in Desktop File %%See Also: WDEF %%Notes: It only infects the invisible "Desktop" files used by the Finder. Infection can occur as soon as a disk is inserted into a computer. An application does not have to be run to cause an infection. It does not infect applications, document files, or other system files. The virus does not intentionally try to do any damage, but still causes problems with running applications. Like WDEF, does not infect System 7 (virus-l, v4-223) VirusDetective search string: Creator=ERIK & Executables ; For finding executables in the Desktop Find CDEF ID=1 in the Desktop file. SAM def: Name=CDEF, Resource type=CDEF, Resource ID=1, Resource Size=510, Search String=45463F3C0001487A0046A9AB, String Offset=420 Rebuild the Desktop - Hold down Command and Option while inserting the disk. %%File: VIRS0071.TXT %%Name/Aliases: Steroid Trojan %%Platform: Macintosh %%Type: Trojan., %%Disk Location: Steroid INIT program, INIT program. %%Features: %%Damage: Attempts to erase all mounted disks. %%Size: Steroid INIT inserted in the System Folder. %%See Also: %%Notes: The steroid INIT is claimed to speed up QuickDraw on Macintoshes with 9 inch screens. The INIT has code that checks for dates after June 30, 1989, and is active every year thereafter from July through December. When it is activated, it attempts to erase all mounted drives. All mounted drives are erased. You may be able to save them with a disk editor like SUM or MacTools. Find the Steroid INIT in the System file VirusDetective search string: Resource INIT & Size<1200 & WData FE680C6E#E4EBA#F60 ; For finding Steroid Trojan SAM def: Name=Steroid Trojan, Resource type=INIT, Resource ID=148, Resource Size=1080, Search String=ADE9343C000A4EFAFFF24A78, String Offset=96 Remove the Steroid INIT from the System file. 
%%File: VIRS0072.TXT %%Name/Aliases: Virus Info Trojan %%Platform: Macintosh %%Type: Trojan., %%Disk Location: Virus Info Program %%Features: %%Damage: %%Size: %%See Also: %%Notes: This application has not been sighted outside of the Edmonton, Province of Alberta, Canada area where it was discovered. When activated, destroys the directory structure. VirusDetective search string: Filetype=APPL & dataFork & Size < 10000 & WData A003#24E94 ; For finding Virus Info Trojan %%File: VIRS0073.TXT %%Name/Aliases: Dark Avenger 3, Dark Avenger II, V2000, Die Young, Travel, V2000-B, Eddie 3, v1024, Dark Avenger III %%Platform: PC/MS-DOS %%Type: Program., %%Disk Location: COM application., EXE application., COMMAND.COM. %%Features: Direct acting. %%Damage: Corrupts a program or overlay files., Corrupts a data file., Interferes with a running application. %%Size: 2000 %%See Also: %%Notes: Every 16 executions of an infected file, the virus will overwrite a new random data sector on disk; the last overwritten sector is stored in boot sector. The system hangs up if a program is loaded that contains the string "(c) 1989 by Vesselin Bontchev"; V. Bontchev is a Bulgarian author of anti-virus programs. Hex dump strings in code, Two Strings : 1) "Copy me - I want to travel" (at beginning of virus code) 2) "(c) 1989 by Vesselin Bontchev" (near end of virus code; but V. Bontchev is not the author!)
%%File: VIRS0074.TXT %%Name/Aliases: Turbo 448, @ Virus, Turbo @, Polish 2 %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: %%Size: %%See Also: %%Notes: %%File: VIRS0075.TXT %%Name/Aliases: Tiny virus, Tiny 134, Tiny 138, Tiny 143, Tiny 154, Tiny 156, Tiny 158, Tiny 159, Tiny 160, Tiny 169, Tiny 198, Tiny 133 %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: %%Size: %%See Also: tiny %%Notes: see tiny %%File: VIRS0076.TXT %%Name/Aliases: Polish 217, 217, Polish Stupid %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: %%Size: %%See Also: %%Notes: %%File: VIRS0077.TXT %%Name/Aliases: Kennedy, 333, Dead Kennedy, Danish Tiny, Stigmata, Brenda %%Platform: PC/MS-DOS %%Type: Program., %%Disk Location: COM application. %%Features: Direct acting. %%Damage: Corrupts the file linkages or the FAT. %%Size: 333, 163, 1000 (Stigmata Variant), 256 (Brenda Variant) %%See Also: %%Notes: When an infected file is run, it infects a single .COM file in the current directory. On June 6th, November 18th and November 22nd it displays the message: Kennedy er død - længe leve "The Dead Kennedys" The Brenda variant contains the text: (C) '92, Stingray/VIPER Luv, Brenda %%File: VIRS0078.TXT %%Name/Aliases: Recovery Virus, 382, 382 Recovery Virus %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: %%Size: %%See Also: %%Notes: %%File: VIRS0079.TXT %%Name/Aliases: VFSI, 437 %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: %%Size: %%See Also: %%Notes: %%File: VIRS0080.TXT %%Name/Aliases: RPVS, 453, RPVS-B, TUQ %%Platform: PC/MS-DOS %%Type: Program., %%Disk Location: COM application. %%Features: Direct acting. %%Damage: Corrupts a program or overlay files., Interferes with a running application. %%Size: 453 %%See Also: %%Notes: Whenever an infected application is run, at least one other .COM file in the default directory is infected.
%%File: VIRS0081.TXT %%Name/Aliases: Polish 529, 529 %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: %%Size: %%See Also: %%Notes: %%File: VIRS0082.TXT %%Name/Aliases: VHP2, 623, VHP-623, VHP-627 %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: %%Size: %%See Also: %%Notes: %%File: VIRS0083.TXT %%Name/Aliases: Dot Killer, 944, Point Killer %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: %%Size: %%See Also: %%Notes: %%File: VIRS0084.TXT %%Name/Aliases: Burger, 505, 509, 541, 909090H, CIA, Virdem 792, Virdem 2 %%Platform: PC/MS-DOS %%Type: Program., %%Disk Location: COM application., EXE application. %%Features: Direct acting. %%Damage: %%Size: %%See Also: %%Notes: Not widespread at all %%File: VIRS0085.TXT %%Name/Aliases: 512, 512-A, 512-B, 512-C, 512-D %%Platform: PC/MS-DOS %%Type: Program., %%Disk Location: COM application. %%Features: Memory resident; TSR. %%Damage: %%Size: %%See Also: %%Notes: The virus hides in the first 512 bytes of free space in the last cluster of a .COM file. When RAM-Resident, it hides in the disk buffer space for code in order not to take-up memory. Files do not appear to change in length, because the virus removes itself on the fly when the file is accessed by another program. virus-l, v4-131 says that a variant of the 512 and Doom-II virus can put executable code into video memory. "666" at offset 509. A Do-it-yourself way: Infect system by running an infected file, ARC/ZIP/LHARC/ZOO all infected COM and EXE files, boot from uninfected floppy, and UNARC/UNZIP/LHARC E etc. all files. Pay special attention to disinfection of COMMAND.COM. %%File: VIRS0086.TXT %%Name/Aliases: 646, Vienna C %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: %%Size: %%See Also: %%Notes: %%File: VIRS0087.TXT %%Name/Aliases: Oulu, 1008, Suomi %%Platform: PC/MS-DOS %%Type: Program., %%Disk Location: COM application., EXE application. 
%%Features: Direct acting., Polymorphic %%Damage: %%Size: Polymorphic: each infection different %%See Also: %%Notes: Not very widespread in Finland %%File: VIRS0088.TXT %%Name/Aliases: Fellowship, Better World %%Platform: PC/MS-DOS %%Type: Program., %%Disk Location: EXE application. %%Features: Memory resident; TSR. %%Damage: Corrupts a program or overlay files. %%Size: 1019 %%See Also: %%Notes: The virus contains the text: This message is dedicated to all fellow PC users on Earth Towards A Better Tomorrow And A Better Place To Live In The virus is actually not very friendly %%File: VIRS0089.TXT %%Name/Aliases: Nomenklatura, 1024-B, %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: %%Size: %%See Also: Diamond %%Notes: Diamond is a relative of this virus %%File: VIRS0090.TXT %%Name/Aliases: Prudents Virus, 1210 %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: %%Size: %%See Also: %%Notes: %%File: VIRS0091.TXT %%Name/Aliases: 1226, 1226D, 1226M, V1226, V1226D, V1226DM, (Phoenix related) %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: Polymorphic %%Damage: %%Size: Polymorphic: each infection different %%See Also: %%Notes: %%File: VIRS0092.TXT %%Name/Aliases: 1260, V2P1, Variable, Chameleon, Camouflage, Stealth %%Platform: PC/MS-DOS %%Type: Program., %%Disk Location: COM application., COMMAND.COM. %%Features: Encrypted, Direct acting., Polymorphic %%Damage: Corrupts a program or overlay files., Interferes with a running application. %%Size: 1260, Polymorphic: each infection different %%See Also: Vienna %%Notes: This appears to be related to the Vienna virus. The virus infects any COM file in the current directory. Uses variable encryption techniques The seconds field of the timestamp of any infected program will be 62 seconds. 
%%File: VIRS0093.TXT %%Name/Aliases: 1381 %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: %%Size: %%See Also: %%Notes: %%File: VIRS0094.TXT %%Name/Aliases: Maltese Amoeba, Irish, Grain of Sand %%Platform: PC/MS-DOS %%Type: Program., Memory resident - TSR, %%Disk Location: COM application., EXE application. %%Features: Memory resident; TSR., Polymorphic %%Damage: Overwrites MBR/prints msg on 11/1 & 3/15 %%Size: Variable, due to variable length of encryption header, Polymorphic: each infection different %%See Also: %%Notes: Widespread in Ireland & UK, a dangerous polymorphic multi-partite fast infector (virus-l, v5-006). On Nov 1 or March 15 it replaces MBR of hard drive and displays a message that says something like "Amoeba virus by Hacker Twins...Just wait for Amoeba 2". The message refers to the University of Malta. The author of this virus was probably very aware of (or wrote) the Casino virus, as when it initially infects, it checks for the existence of the Casino, and if it's there, it takes over INT 21 from it (thereby eradicating Casino) and places itself there instead. Signature scans don't work for this virus; an algorithmic check is the best way to locate it. None until activation date, at which point much text (see below) gets printed to the screen and the computer hangs. Not many anti-viral programs as of March 6, 1992. Data Physician Plus! v3.0D %%File: VIRS0095.TXT %%Name/Aliases: Christmas, 1539, Father Christmas, Choinka, Tannenbaum, Christmas Tree, XA1, V1539 %%Platform: PC/MS-DOS %%Type: Program., %%Disk Location: COM application., COMMAND.COM. %%Features: Encrypted, Direct acting. %%Damage: Interferes with a running application., Corrupts boot sector %%Size: 1539 %%See Also: %%Notes: The virus infects .COM files when an infected application is executed. When an infected program is run between December 24th and 31st (any year), the virus displays a full screen image of a Christmas tree and German seasons greetings.
When an infected program is run on April 1st (any year), it drops a code into the boot sectors of floppy A: and B: as well as into the partition table of the hard disk. The old partition sectors are saved but most likely destroyed since running another infected file will save the modified partition table to the same location. On any boot attempt from an infected hard disk or floppy, the text "April April" will be displayed and the PC will hang. "April April" printed at boot time then the machine hangs. A Christmas tree and German seasons greetings printed between 12/24 and 12/31. The virus contains the following German string: "Und er lebt doch noch : Der Tannenbaum !",0Dh, 0Ah,00h, "Frohe Weihnachten ...",0Dh,0Ah,07h, 00h (translated into English: "And he lives: the Christmas tree", "Happy Christmas") %%File: VIRS0096.TXT %%Name/Aliases: Ten Bytes, 1554, 1559, 9800:0000, V-Alert %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: %%Size: %%See Also: %%Notes: %%File: VIRS0097.TXT %%Name/Aliases: 1605 %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: %%Size: %%See Also: %%Notes: %%File: VIRS0098.TXT %%Name/Aliases: Yankee 2, 1624, 1961, Yankee go Home %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: %%Size: %%See Also: %%Notes: %%File: VIRS0099.TXT %%Name/Aliases: PSQR, 1720 %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: %%Size: %%See Also: %%Notes: %%File: VIRS0100.TXT %%Name/Aliases: Eight Tunes, 1971, 8-Tunes %%Platform: PC/MS-DOS %%Type: Program., %%Disk Location: COM application., EXE application. %%Features: Memory resident; TSR. %%Damage: Interferes with a running application., Corrupts a program or overlay files. %%Size: 1971-1986 .COM applications bytes: (length -3) mod 16 = 0., 1971-1986 .EXE applications bytes: (length -3) mod 16 = 0. %%See Also: %%Notes: During load procedure, .COM and .EXE files are infected.
90 days after the infection, after 30 minutes, the virus will play one of eight melodies (random selection). After a short time, the virus will play a melody again. The virus looks for and deactivates "BOMBSQAD.COM", an antivirus tool controlling accesses to disks. The virus looks for "FSP.COM" (Flushot+), an antivirus tool controlling accesses to disks, files etc., and stops the infection if it is found. Your computer is randomly playing short tunes. Typical texts in virus body (readable with HexDump facilities): "COMMAND.COM" in the data area of the virus. .COM files: the bytes 007h,01fh,05fh,05eh,05ah,059h,05bh,058h,02eh,0ffh,02eh,00bh,000h are found 62 bytes before end of file. .EXE files: the bytes 007h,01fh,05fh,05eh,05ah,059h,05bh,058h,02eh,0ffh,02eh,00bh,000h are found 62 bytes before end of file. %%File: VIRS0101.TXT %%Name/Aliases: UScan Virus, V2100, 2100 %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: %%Size: %%See Also: %%Notes: %%File: VIRS0102.TXT %%Name/Aliases: 2131 %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: %%Size: %%See Also: %%Notes: %%File: VIRS0103.TXT %%Name/Aliases: Taiwan, Taiwan 2, Taiwan-B, Taiwan 3, Taiwan 4, 2576 %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: %%Size: %%See Also: %%Notes: %%File: VIRS0104.TXT %%Name/Aliases: Plastique, 3012, HM2, Plastique 1, Plastique 4.51 %%Platform: PC/MS-DOS %%Type: Boot sector., %%Disk Location: COM application., EXE application., Hard disk boot sectors. %%Features: Memory resident; TSR. %%Damage: %%Size: %%See Also: %%Notes: Most variants play a melody; if you press Ctrl-Alt-Del while the melody is being played, it overwrites the beginning of the hard disk.
%%File: VIRS0105.TXT %%Name/Aliases: Itavir, 3880 %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: %%Size: %%See Also: %%Notes: %%File: VIRS0106.TXT %%Name/Aliases: The Basic Virus, 5120, V Basic Virus %%Platform: PC/MS-DOS %%Type: Program., %%Disk Location: COM application., EXE application. %%Features: Direct acting. %%Damage: %%Size: 5120-5135 bytes change in length. Code added at a paragraph boundary. %%See Also: %%Notes: The virus infects programs at run time (it is not memory resident) by searching through the directories recursively starting on paths "C:\", "F:\" as well as the current drive. All .EXE and .COM files it can find are infected. EXE files will be infected if the length as reported by DOS is less than the file length as reported by the EXE header plus one page. COM files will be infected if the file length is less than 60400 bytes. The virus will infect any time it is executed after the 6th of July 1989. However, an infected file will infect before this date, if it has already been executed once. On any date after the 1st of June, 1992, any infected file will terminate with the message "Access denied" (this comes from the virus, not from DOS). After 1/1/92, executed programs terminate with an "Access denied" error. The following texts are contained in the virus: "BASRUN", "BRUN", "IBMBIO.COM", "IBMDOS.COM", "COMMAND.COM", "Access denied" %%File: VIRS0107.TXT %%Name/Aliases: Print Screen, 8920, EB-21, Print Screen 2, PrtSc %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: %%Size: %%See Also: %%Notes: %%File: VIRS0108.TXT %%Name/Aliases: AIDS II, AIDS %%Platform: PC/MS-DOS %%Type: Trojan., %%Disk Location: AIDS Information Introductory Diskette %%Features: %%Damage: Encrypts the file directory.
%%Size: Adds File REM#.EXE 146188 bytes (hidden file), Adds File AIDS.EXE 172562 bytes %%See Also: %%Notes: On Monday, 11th December 1989, several thousand diskettes named "AIDS Information Introductory Diskette Version 2.0" were mailed out containing a program that purported to give you information about AIDS. These diskettes actually contained a trojan that will encrypt the file names on your hard disk after booting your computer about 90 times. If you have installed this program, you should copy any important data files (no executables) and reformat your hard disk. All your file names are encrypted and the disk is full. In the root directory, files named: AIDS.EXE, AUTO.BAT, AUTOEXEC.BAK Two hidden subdirectories called # and ###### The # subdirectory contains a read-only, hidden file called REM#.EXE. The ###### subdirectory contains a hidden subdirectory called ###### The ###### subdirectory contains a hidden subdirectory called ###### The ###### subdirectory also contains a subdirectory called ERRORIN.THE, and five files named ____.__, _._, ___._, _._ and _.__ (where _ is the underline character,  is the space character, and # is ASCII 255). The minimum required to disable the virus is to remove the AUTOEXEC.BAT file that runs the program REM#.EXE and to remove all the hidden directories. This will not ensure removal of the virus. It would be better to back up any needed data files (no applications) and to do a low level format of the hard disk. If the virus has already been activated, you can recover the encrypted file names using the table below in the summary, and then reformat the disk. %%File: VIRS0109.TXT %%Name/Aliases: Aircop %%Platform: PC/MS-DOS %%Type: Boot sector., %%Disk Location: Hard disk boot sectors., Floppy disk boot sectors. %%Features: Memory resident; TSR.
%%Damage: Corrupts boot sector %%Size: %%See Also: %%Notes: From a report in virus-l, v4-220: Causes FPROT 2.01 to hang, while FPROT 1.15 sometimes says it's cured (but it never is). CLEAN 7.9v84 says "Virus cannot be safely removed from boot sector". DOS/SYS says "Not able to SYS to .3L File System". The virus may display Red State, Germ Offensive AIRCOP when booting with an infected disk. %%File: VIRS0110.TXT %%Name/Aliases: Ambulance Car, REDX, Red Cross %%Platform: PC/MS-DOS %%Type: Program., %%Disk Location: COM application., COMMAND.COM. %%Features: Direct acting. %%Damage: Corrupts a program or overlay files., Interferes with a running application. %%Size: 796 to .COM files %%See Also: %%Notes: When an infected application is run, the virus tries to find two .COM file victims which it randomly selects in the current directory or via the PATH variable in the environment. After some number of executions (110b), an ambulance car with a flashing light runs along the bottom of the screen accompanied by siren sounds. A flag is set, so the car will not run again until the next bootup. An ambulance car running along the bottom of the screen accompanied by siren sounds. almost every anti virus program %%File: VIRS0111.TXT %%Name/Aliases: Anthrax, Anthrax PT %%Platform: PC/MS-DOS %%Type: Boot sector., %%Disk Location: COM application., EXE application., Floppy disk boot sector., Hard disk boot sector. %%Features: %%Damage: Trashes the hard disk %%Size: 1024 %%See Also: %%Notes: Infects both boot sectors and files. Trashes hard disks. MS-DOS 6's antivirus routine detects some, but not all infections by Anthrax. %%File: VIRS0112.TXT %%Name/Aliases: Anti Pascal, Anti Pascal 529, Anti Pascal 605, AP 529, AP 605, C 605, V-605 %%Platform: PC/MS-DOS %%Type: Program., %%Disk Location: COM application. %%Features: Direct acting. %%Damage: Deletes or moves files., Interferes with a running application., Corrupts a program or overlay files.
%%Size: 605 %%See Also: %%Notes: May overwrite .BAK and .PAS files if not enough .COM files are available in a directory for it to infect. Infected files begin with "PQVWS". They also contain the string "combakpas???exe" at offset 0x17.0 VIRSCAN string....... BF00018B360C0103F7B95D021E07EA00, scan COM files only. %%File: VIRS0113.TXT %%Name/Aliases: AntiPascal %%Platform: PC/MS-DOS %%Type: Program., %%Disk Location: COM application., COMMAND.COM. %%Features: Memory resident; TSR. %%Damage: %%Size: 605, 529 %%See Also: %%Notes: This virus is supposed to have been written to take revenge against the former employer of the virus author. %%File: VIRS0114.TXT %%Name/Aliases: Armagedon, Armagedon the first, Armagedon the Greek %%Platform: PC/MS-DOS %%Type: Program., %%Disk Location: COM application., COMMAND.COM. %%Features: Memory resident; TSR. %%Damage: %%Size: 1079 %%See Also: %%Notes: If a Hayes modem is installed, the virus dials 081-141, which is the number of the "speaking clock" on the island of Crete. %%File: VIRS0115.TXT %%Name/Aliases: Attention, Attention! %%Platform: PC/MS-DOS %%Type: Program., %%Disk Location: COM application., COMMAND.COM. %%Features: Memory resident; TSR. %%Damage: %%Size: %%See Also: %%Notes: This virus gets its name from the string "ATTENTION" which is near the beginning of infected files. %%File: VIRS0116.TXT %%Name/Aliases: Best Wishes, Best Wishes-B, Best Wishes-970 %%Platform: PC/MS-DOS %%Type: Program., %%Disk Location: COM application., COMMAND.COM. %%Features: Memory resident; TSR. %%Damage: %%Size: 1024, 970 %%See Also: %%Notes: The virus contains the following text: This programm ... With Best Wishes! COMMAND.COM, will not work properly when infected. The variant Best Wishes-970 , or Best Wishes-B is shorter and damages .EXE files trying to infect them. 
%%File: VIRS0117.TXT %%Name/Aliases: Black Monday, Borderline %%Platform: PC/MS-DOS %%Type: Program., %%Disk Location: COM application., EXE application., COMMAND.COM %%Features: Memory resident; TSR. %%Damage: %%Size: 1055, 781 - Borderline variant %%See Also: %%Notes: The virus contains the text, Black Monday 2/3/90 KV KL MAL The variant, Borderline, can only infect .COM files. %%File: VIRS0118.TXT %%Name/Aliases: Blood, Blood 2 %%Platform: PC/MS-DOS %%Type: Program., %%Disk Location: COM application., COMMAND.COM. %%Features: Direct acting. %%Damage: %%Size: 418 %%See Also: %%Notes: Infected programs may occasionally display the following message when they are executed. File infected by BLOOD VIRUS version 1.20 The variant, Blood-2, probably does not exist. %%File: VIRS0119.TXT %%Name/Aliases: Bloody!, Beijing, June 4th %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: Corrupts boot sector %%Size: %%See Also: %%Notes: The Bloody! virus (aka Beijing or June 4th) is a boot sector virus. You cannot get it by downloading files - you must try to boot from an infected diskette. %%File: VIRS0120.TXT %%Name/Aliases: Carioca %%Platform: PC/MS-DOS %%Type: Program., %%Disk Location: COM application., COMMAND.COM. %%Features: Memory resident; TSR.
%%Damage: %%Size: 951 %%See Also: Faust %%Notes: May be related to Faust %%File: VIRS0121.TXT %%Name/Aliases: Casper %%Platform: PC/MS-DOS %%Type: Program., %%Disk Location: %%Features: Encrypted, Direct acting., Polymorphic %%Damage: %%Size: Polymorphic: each infection different %%See Also: %%Notes: Uses variable encryption %%File: VIRS0122.TXT %%Name/Aliases: Christmas in Japan, Xmas in Japan %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: %%Size: %%See Also: %%Notes: %%File: VIRS0123.TXT %%Name/Aliases: Cursy %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: %%Size: %%See Also: %%Notes: %%File: VIRS0124.TXT %%Name/Aliases: Datalock, Datalock 1.00, V920, Datalock 2, Datalock-1043 %%Platform: PC/MS-DOS %%Type: Program., %%Disk Location: COM application., EXE application., Only .COM files > 22999 bytes long %%Features: Memory resident; TSR. %%Damage: Corrupts a program or overlay files. %%Size: 920, 1043 - Datalock-1043 variant %%See Also: %%Notes: It infects all EXE files but COM files must be greater than 22999 bytes long. If a file is opened that matches the selector *.?BF (.DBF files) it will give the message "Too many files open" and prevent access to the file. From a report in virus-l, v4-220: system lock-ups, drop out of application with no messages. Some programs would display the message "overlay not found" prior to dropping to DOS, a .EXE file grew by 920 bytes during first execution and after re-installation. Using debugger, found string "DataLock version 1.0". Datalock 2 variant found in wild in DC area that is buggy (virus-l, v5-092). DATALOCK 2 does NOT contain string "Datalock version 1.0". SCAN 89b and FPROT 2.03a don't find Datalock 2 variant in EXE files, but original datalock signatures are valid and can be used to identify this variant.
For DATALOCK 2: C3 1E A1 2C 00 50 8C D8 48 8E D8 81 2E 03 00 80 00 40 8E D8 %%File: VIRS0125.TXT %%Name/Aliases: Wisconsin, Death to Pascal %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: %%Size: %%See Also: %%Notes: %%File: VIRS0126.TXT %%Name/Aliases: Doom, Doom II, Doom-2B %%Platform: PC/MS-DOS %%Type: Program., Encrypted/Stealth The virus actively hides., %%Disk Location: COM application., EXE application. %%Features: Encrypted, Direct acting. %%Damage: %%Size: 1252 %%See Also: %%Notes: virus-l, v4-131 says that a variant of the 512 and Doom-II virus can put executable code into video memory. The virus code contains the text, DOOM II (c) Dr.Jones, NCU. %%File: VIRS0127.TXT %%Name/Aliases: Durban, Saturday the 14th %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: %%Size: %%See Also: %%Notes: %%File: VIRS0128.TXT %%Name/Aliases: Solano 2000, Dyslexia, Dyslexia 2.00, Dyslexia 2.01 %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: %%Size: %%See Also: %%Notes: %%File: VIRS0129.TXT %%Name/Aliases: Eddie 3, V651 %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: %%Size: %%See Also: %%Notes: %%File: VIRS0130.TXT %%Name/Aliases: EDV %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: %%Size: %%See Also: brain %%Notes: Derivative of Brain, with the eighth bit set, using the ISO 8859-1 character table it will result in the Swedish/Finnish national characters in their major form and in alphabetical order. (virus-l, v5-73). This is just a coincidence, in that the EDV virus is French. %%File: VIRS0131.TXT %%Name/Aliases: Fish, European Fish, Fish 6 %%Platform: PC/MS-DOS %%Type: Program., Encrypted/Stealth The virus actively hides., %%Disk Location: COM application., EXE application., COMMAND.COM. %%Features: Encrypted, Direct acting. %%Damage: Corrupts a program or overlay files., Interferes with a running application., Corrupts a data file.
%%Size: 3584 %%See Also: %%Notes: If (system date>1990) and a second infected .COM file is executed, a message is displayed: "FISH VIRUS #6 - EACH DIFF - BONN 2/90 '~Knzyvo}'" and then the processor stops (HLT instruction). The virus will attempt to infect some data files, corrupting them in the process. This is a variant of the 4096 virus. There is another virus named FISH that is a boot sector virus. (kp 2/26/93) %%File: VIRS0132.TXT %%Name/Aliases: F-Word, Fuck You, F-you %%Platform: PC/MS-DOS %%Type: Program., %%Disk Location: COM application., EXE application - 593 and 635 variants %%Features: Memory resident; TSR. %%Damage: Unknown, not analyzed yet. %%Size: 417, 593, 635 %%See Also: %%Notes: The virus contains the text, Fuck You %%File: VIRS0133.TXT %%Name/Aliases: Swap Boot, Falling Letters Boot %%Platform: PC/MS-DOS %%Type: Boot sector., %%Disk Location: Floppy disk boot sectors. %%Features: Memory resident; TSR. %%Damage: Corrupts boot sector %%Size: Overlays boot sector, no increase %%See Also: %%Notes: The virus overwrites the boot with a loader that loads the rest of the virus stored near the end of track 39. The virus makes letters fall down the screen. %%File: VIRS0134.TXT %%Name/Aliases: Flash, 688, Gyorgy %%Platform: PC/MS-DOS %%Type: Program., Encrypted/Stealth The virus actively hides., %%Disk Location: COM application., EXE application., COMMAND.COM %%Features: Encrypted, Direct acting. %%Damage: Corrupts a program or overlay files., Interferes with a running application. %%Size: 688 %%See Also: %%Notes: The memory resident virus infects applications when they are run. After June 1990, the virus makes the screen flash. This flash can only be seen on MDA, Hercules, and CGA adapters, but not on EGA and VGA cards. The Gyorgy variant contains the text "I LOVE GYÖRGYI". A flashing screen.
%%File: VIRS0135.TXT %%Name/Aliases: Flip, Omicron, Omicron PT %%Platform: PC/MS-DOS %%Type: Boot sector., %%Disk Location: COM application., EXE application., Hard disk boot sector. %%Features: Polymorphic %%Damage: %%Size: 2153 and 2343 strains exist, Polymorphic: each infection different/some strains %%See Also: %%Notes: Multi-partite virus (infects both boot sectors and files). FProt finds Flip on two files of Central Point Anti-Virus: this is a false positive. The 2343 strain (the rarer one) patches COMMAND.COM. On the 2nd day of every month it activates on a system with an EGA or VGA display between 1600 and 1659 and reverses the screen and characters. %%File: VIRS0136.TXT %%Name/Aliases: Form, Form Boot, FORM-Virus, Forms %%Platform: PC/MS-DOS %%Type: Boot sector., %%Disk Location: Floppy disk boot sectors., Hard disk boot sectors. %%Features: Memory resident; TSR. %%Damage: Corrupts a program or overlay files., Deletes or moves files. %%Size: Overlays boot sector, no increase %%See Also: %%Notes: A boot sector virus that randomly destroys files. Dual acting; attempts to infect the hard disk at boot time. Attempts to infect a floppy whenever the floppy is read. Does not infect the Master Boot Record (Partition table), but the boot record of the first logical drive (C:). It also marks a cluster as bad, and stores the rest of the virus there. The command FDISK/MBR is ineffective against FORM because it is not in the MBR (v5-190). Versions of FPROT prior to 2.06a can't remove the virus. The SYS command removes the virus by rewriting the disk's boot sector. It does not remove the part stored in the bad sector, but that part won't hurt anything without the part in the boot sector. The virus makes the keys click and delays key action slightly. The boot sector will contain the following text (amongst others): "The FORM-Virus sends greetings to everyone who's read this text.".
To remove it, boot from a clean disk and rewrite the boot sectors of an infected disk with the SYS command. Repeat for all infected disks. May have been on demo diskette of Clipper product. (virus-l V4-213) %%File: VIRS0137.TXT %%Name/Aliases: Fere Jacques, Fere %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: %%Size: %%See Also: %%Notes: %%File: VIRS0138.TXT %%Name/Aliases: Sorry, G-Virus V1.3 %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: %%Size: %%See Also: %%Notes: %%File: VIRS0139.TXT %%Name/Aliases: Groen, Groen Links, Green Left %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: %%Size: %%See Also: %%Notes: %%File: VIRS0140.TXT %%Name/Aliases: Guppy %%Platform: PC/MS-DOS %%Type: Program., %%Disk Location: COM application. %%Features: Direct acting. %%Damage: Unknown, not analyzed yet. %%Size: %%See Also: %%Notes: Only infects files that start with a JMP instruction. %%File: VIRS0141.TXT %%Name/Aliases: Halloechen, Hello_1a, Hello, Halloechn %%Platform: PC/MS-DOS %%Type: Program., %%Disk Location: COM application., EXE application. %%Features: Memory resident; TSR. %%Damage: Interferes with a running application., Corrupts a data file. %%Size: 2011 %%See Also: %%Notes: The virus slows the system down, and corrupts keyboard-entries (pressing an "A" produces a "B"). Does not infect files older than a month. The virus contains the text strings: "Hallöchen !!!!!!, Here I'm.. ", and " Acrivate Level 1.. " %%File: VIRS0142.TXT %%Name/Aliases: Joshi, Happy Birthday Joshi %%Platform: PC/MS-DOS %%Type: Boot sector., %%Disk Location: Hard disk boot sectors., Floppy disk boot sectors. %%Features: %%Damage: Infects Master Boot Record %%Size: %%See Also: %%Notes: A new variant seems to be able to intercept BIOS calls. Will infect a second physical hard drive if it is present. FDISK/MBR will only clean up the first physical hard drive.
On Jan 5 it will ask you to type "happy birthday joshi" and only after you type it can you continue. May have come from India. The virus exists in the partition table on HD; on floppies it resides in the boot sector and on an additionally formatted track (number 40 or 80, depending on diskette size) %%File: VIRS0143.TXT %%Name/Aliases: Holocaust %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: %%Size: %%See Also: %%Notes: %%File: VIRS0144.TXT %%Name/Aliases: Hymn %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: %%Size: %%See Also: %%Notes: v5-101: The Murphy and Hymn viruses are considered to be from separate families, although they include sections of code from the Dark Avenger (Eddie) virus. %%File: VIRS0145.TXT %%Name/Aliases: Invader, Plastic Boot %%Platform: PC/MS-DOS %%Type: Boot sector., %%Disk Location: COM application., EXE application., Hard disk boot sector., Floppy disk boot sector. %%Features: Memory resident; TSR. %%Damage: Corrupts boot sector, Corrupts a program or overlay files. %%Size: %%See Also: %%Notes: A multipartite virus: infects both files and boot area once the virus has become installed in memory. The V101 virus is a multipartite virus too. %%File: VIRS0146.TXT %%Name/Aliases: Jeff %%Platform: PC/MS-DOS %%Type: Program., %%Disk Location: COM application. %%Features: Direct acting. %%Damage: Corrupts a program or overlay files. %%Size: %%See Also: %%Notes: Non-resident COM infector %%File: VIRS0147.TXT %%Name/Aliases: Joker, Jocker %%Platform: PC/MS-DOS %%Type: Program., %%Disk Location: EXE application., DBF files %%Features: Direct acting. %%Damage: Corrupts a program or overlay files. %%Size: Overlays application, length changes %%See Also: %%Notes: Joker is a non-resident .EXE infector. It may also infect .DBF files. It overwrites the attacked file with the virus code. It was discovered in Poland in 1989. It is a poor replicator, and is probably extinct.
There are many strange strings at the beginning of the file that are printed on the screen. It may cause system hangs. Some of the strings are: "END OF WORKTIME. TURN SYSTEM OFF!", "Water detect in Co-processor.", "I am hungry! Insert HAMBURGER into drive A:" Strange messages. .EXE files change length. File length changes, strange messages delete files %%File: VIRS0148.TXT %%Name/Aliases: JOJO %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: %%Size: %%See Also: %%Notes: %%File: VIRS0149.TXT %%Name/Aliases: July 13th %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: %%Size: %%See Also: %%Notes: %%File: VIRS0150.TXT %%Name/Aliases: June 16th, Pretoria %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: %%Size: %%See Also: %%Notes: %%File: VIRS0151.TXT %%Name/Aliases: Kamikazi %%Platform: PC/MS-DOS %%Type: Program., %%Disk Location: EXE application. %%Features: Direct acting. %%Damage: Corrupts a program or overlay files. %%Size: %%See Also: %%Notes: Rare virus. Overwrites the beginning of an infected file Damages the first four bytes of an infected file %%File: VIRS0152.TXT %%Name/Aliases: Kemerovo %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: %%Size: %%See Also: %%Notes: %%File: VIRS0153.TXT %%Name/Aliases: Keypress %%Platform: PC/MS-DOS %%Type: Program., %%Disk Location: COM application., EXE application. %%Features: Memory resident; TSR. %%Damage: %%Size: 1232-1247 in .COM file., 1472-1487 in .EXE file. 
%%See Also: %%Notes: Every 10 minutes, the virus looks at INT 09h (keyboard interrupt) for 2 seconds; if a keystroke is recognized during this time, it is repeated depending on how long the key is pressed; it thus appears as a "bouncing key" %%File: VIRS0154.TXT %%Name/Aliases: Korea, LBC Boot %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: %%Size: %%See Also: %%Notes: %%File: VIRS0155.TXT %%Name/Aliases: Kukac, Turbo Kukac, Polish 2 %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: %%Size: %%See Also: %%Notes: %%File: VIRS0156.TXT %%Name/Aliases: Leprosy, Leprosy 1.00, Leprosy-B, News Flash %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: %%Size: %%See Also: %%Notes: %%File: VIRS0157.TXT %%Name/Aliases: Liberty, Liberty-B, Liberty-C %%Platform: PC/MS-DOS %%Type: Program., Encrypted/Stealth The virus actively hides., %%Disk Location: COM application., EXE application., Program overlay files. %%Features: Encrypted, Direct acting. %%Damage: Corrupts a program or overlay files., Corrupts boot sector %%Size: 2862 bytes %%See Also: %%Notes: Self-encrypting, not known if destructive. Floppy boot infection occurs rather rarely and is possible on PC XTs only. Scanners don't seem to report an infection when tested against an infected floppy. INT 1CH is used to trigger. When triggered, the virus changes all characters being sent/received via INT 14H, printer via INT 17H and displayed via INT 10H (AH=09 or AH=0AH) to make a string "MAGIC!!" for 512 timer ticks (approx 28 secs). After 10th triggering the virus swaps the upper line of a screen for blinking yellow-on-red sign "M A G I C ! ! !" (won't work on monochromes) then passes control to ROM Basic. PCs without ROM Basic will either hang or reboot. On self-encrypting: only self-encrypts small piece of code used to infect COM files.
Also encrypts first 120 bytes of infected COM file but this is NOT SELF-encrypting %%File: VIRS0158.TXT %%Name/Aliases: Live After Death, V800, V800M %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: %%Size: %%See Also: %%Notes: %%File: VIRS0159.TXT %%Name/Aliases: Lozinsky %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: %%Size: %%See Also: %%Notes: %%File: VIRS0160.TXT %%Name/Aliases: MGTU %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: %%Size: %%See Also: %%Notes: %%File: VIRS0161.TXT %%Name/Aliases: Microbes %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: %%Size: %%See Also: %%Notes: %%File: VIRS0162.TXT %%Name/Aliases: ZeroHunt, Minnow %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: %%Size: %%See Also: %%Notes: v6-084: preserves the file's date, time, attributes, AND file length. Will not be detected by the integrity checking of MSAV or VSafe. %%File: VIRS0163.TXT %%Name/Aliases: Mirror, Flip Clone %%Platform: PC/MS-DOS %%Type: Program., %%Disk Location: EXE application. %%Features: Memory resident; TSR. %%Damage: Interferes with a running application., Corrupts a program or overlay files. %%Size: 925, 933 %%See Also: %%Notes: When the virus is triggered, the screen will flip horizontally character for character. %%File: VIRS0164.TXT %%Name/Aliases: Monxla A, Monxla B, Time Virus, Vienna variant, VHP %%Platform: PC/MS-DOS %%Type: Program., %%Disk Location: COM application., EXE application. %%Features: Memory resident; TSR. %%Damage: %%Size: %%See Also: %%Notes: A virus with a time bomb: on the 13th of any month it damages the files it tries to infect on that day only. It is a Vienna variant; it infects only files in the current directory and in the directories in the path variable.
Also can be identified as Vienna [VHP] virus %%File: VIRS0165.TXT %%Name/Aliases: Whale, Mother Fish, Z The Whale %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: Polymorphic %%Damage: %%Size: Polymorphic: each infection different %%See Also: %%Notes: %%File: VIRS0166.TXT %%Name/Aliases: Murphy-1, Murphy, V1277, April 15, Swami, Exterminator, Demon, Goblin, Patricia, Smack, Stupid Jack, Crackpot-272, Crackpot-1951 %%Platform: PC/MS-DOS %%Type: Program., %%Disk Location: COM application., EXE application. %%Features: Memory resident; TSR. %%Damage: Interferes with a running application. %%Size: 1277 %%See Also: %%Notes: Murphy is a program virus that appends itself to any COM or EXE file larger than 1277 bytes. COM files must be smaller than 64226 bytes, however if a COM file larger than 64003 is infected, it will not run. The virus also locates the original INT 13 handler and unhooks any other routines that have been hooked onto this interrupt and restores the interrupt to the original handler. It infects files on execution and opening. Between 10 and 11 AM, the speaker is turned on and off which produces a clicking noise. See Summary below for comments on some of the abovementioned aliases Between 10 and 11 AM, the speaker is turned on and off which produces a clicking noise. The virus contains the string: "Hello, I'm Murphy. Nice to meet you friend. I'm written since Nov/Dec. Copywrite (c)1989 by Lubo & Ian, Sofia, USM Laboratory." 
%%File: VIRS0167.TXT %%Name/Aliases: Music, Music Bug, Music Boot %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: %%Size: %%See Also: %%Notes: %%File: VIRS0168.TXT %%Name/Aliases: Number 1, Number One %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: %%Size: %%See Also: %%Notes: %%File: VIRS0169.TXT %%Name/Aliases: Ontario %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: Polymorphic %%Damage: %%Size: Polymorphic: each infection different, It toggles one bit only %%See Also: %%Notes: %%File: VIRS0170.TXT %%Name/Aliases: Phoenix, P1 %%Platform: PC/MS-DOS %%Type: Program., Encrypted/Stealth The virus actively hides., %%Disk Location: COM application., COMMAND.COM. %%Features: Memory resident; TSR above TOM., Encrypted, Polymorphic %%Damage: %%Size: 1704 All .COM files but COMMAND.COM, It overlays part of COMMAND.COM, Multiple infections are possible., Polymorphic: each infection different %%See Also: %%Notes: The Phoenix virus is of Bulgarian origin. This virus is one of a family of three (3) viruses which may be referred to as the P1 or Phoenix Family. The Phoenix virus is a memory resident, generic infector of .COM files, and will infect COMMAND.COM. Phoenix infects COMMAND.COM by overwriting part of the binary zero portion of the program, and changing the program's header information. COMMAND.COM will not change in file length. Phoenix is not able to recognize when it has previously infected a file, so it may reinfect .COM files several times. Each infection of a .COM file will result in another 1,704 bytes of viral code being appended to the file. Systems infected with the Phoenix virus will experience problems with executing CHKDSK.COM. Attempts to execute this program with Phoenix memory resident will result in a warm reboot of the system occurring, however the memory resident version of Phoenix will not survive the reboot. 
The Phoenix Virus employs a complex encryption mechanism, and virus scanners which are only able to look for simple hex strings will not be able to detect it. There is no simple hex string in this virus that is common to all infected samples. Also see: PhoenixD, V1701New A warmboot occurs when CHKDSK.COM is run. ViruScan V66+ Scan/D, or delete infected files %%File: VIRS0171.TXT %%Name/Aliases: Paris, France %%Platform: PC/MS-DOS %%Type: Program., %%Disk Location: COM application., EXE application. %%Features: Direct acting. %%Damage: %%Size: %%See Also: %%Notes: %%File: VIRS0172.TXT %%Name/Aliases: Ping Pong-C %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: %%Size: %%See Also: %%Notes: %%File: VIRS0173.TXT %%Name/Aliases: AntiCAD, Plastique-B, Plastique 2, Plastique 5.21, Plastique, Invader, HM2 %%Platform: PC/MS-DOS %%Type: Boot sector., %%Disk Location: COM application., EXE application., COMMAND.COM. , Floppy disk boot sectors., Hard disk boot sectors. %%Features: Memory resident; TSR. %%Damage: %%Size: 2576, 2900, 3004, 3012, 4096 %%See Also: Jerusalem %%Notes: Story on first sighting May 1990 in virus-l, v5-059 plays tunes, infects both boot sectors and executable files. Derived from the Jerusalem virus. Targeted against the AutoCAD program. When ACAD.EXE is run the viruses will activate, overwriting data on floppy disks and hard disks, as well as garbling the contents of the CMOS. 
%%File: VIRS0174.TXT %%Name/Aliases: Polimer, Polimat Tapeworm %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: %%Size: %%See Also: %%Notes: %%File: VIRS0175.TXT %%Name/Aliases: Polish 529 %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: %%Size: %%See Also: %%Notes: %%File: VIRS0176.TXT %%Name/Aliases: Polish 583 %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: %%Size: %%See Also: %%Notes: %%File: VIRS0177.TXT %%Name/Aliases: Polish 961, Stone '90 %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: %%Size: %%See Also: %%Notes: %%File: VIRS0178.TXT %%Name/Aliases: Proud, V1302, Phoenix related %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: Polymorphic %%Damage: %%Size: Polymorphic: each infection different %%See Also: %%Notes: %%File: VIRS0179.TXT %%Name/Aliases: Red Diavolyata %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: %%Size: %%See Also: %%Notes: %%File: VIRS0180.TXT %%Name/Aliases: Shake %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: %%Size: %%See Also: %%Notes: %%File: VIRS0181.TXT %%Name/Aliases: Slow, Slowdown %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: %%Size: %%See Also: %%Notes: %%File: VIRS0182.TXT %%Name/Aliases: Spyer %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: %%Size: %%See Also: %%Notes: %%File: VIRS0183.TXT %%Name/Aliases: Subliminal 1.10 %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: %%Size: %%See Also: %%Notes: %%File: VIRS0184.TXT %%Name/Aliases: Sverdlov %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: %%Size: %%See Also: %%Notes: %%File: VIRS0185.TXT %%Name/Aliases: SVir, SVir-A, SVir-B %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: %%Size: %%See Also: %%Notes: %%File: VIRS0186.TXT %%Name/Aliases: USSR, USSR 516, USSR 600, USSR 707, USSR 711, USSR 948, USSR 1049, USSR 1689, 
USSR 2144, USSR 1594 %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: Polymorphic %%Damage: %%Size: Polymorphic: each infection different, (USSR-1594 only alters one byte) %%See Also: %%Notes: %%File: VIRS0187.TXT %%Name/Aliases: V2P2 %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: Polymorphic %%Damage: %%Size: Polymorphic: each infection different %%See Also: %%Notes: %%File: VIRS0188.TXT %%Name/Aliases: V2P6, Vienna Variant, V2P6 Trash, V2P6Z, Adolph\ %%Platform: PC/MS-DOS %%Type: Program., %%Disk Location: COM application. %%Features: Direct acting., Polymorphic %%Damage: %%Size: Polymorphic: each infection different %%See Also: %%Notes: A polymorphic virus; the decryption routine and infection length vary a lot, so it's hard to locate all infected files. Otherwise, it is a Vienna-related virus, non-resident, and infects only COM files in the current directory and in the directories listed in the PATH. VIRx has reported some false positives for this virus, in older versions of mem.com, popdrop.com, and HP.com. Virx21.zip should have fixed these false positives: reported in virus-l, v5-065. MS-DOS 6's antivirus routine detects some, but not all, infections by V2P6. %%File: VIRS0189.TXT %%Name/Aliases: VHP, VHP-348, VHP-353, VHP-367, VHP-435, Faggot %%Platform: PC/MS-DOS %%Type: Program., %%Disk Location: COM application., EXE application. %%Features: Direct acting. %%Damage: %%Size: %%See Also: %%Notes: File infector. Faggot is somewhat of a virus/trojan: if it's the first infection, it trashes the hard disk, but if it's not the first infection, it just sits there. May be related to VHP. It is probably a hack on the Vienna, but very poorly written.
%%File: VIRS0190.TXT %%Name/Aliases: Victor %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: %%Size: %%See Also: %%Notes: %%File: VIRS0191.TXT %%Name/Aliases: Violator, Violator Strain B %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: %%Size: %%See Also: %%Notes: %%File: VIRS0192.TXT %%Name/Aliases: Voronezh, Voronezh B, Voronezh-1600 %%Platform: PC/MS-DOS %%Type: Program., %%Disk Location: COM application., EXE application. %%Features: Direct acting. %%Damage: Corrupts a program or overlay files. %%Size: %%See Also: %%Notes: Voronezh-1600 places a Far CALL to its body at the EXE file's entry point. This virus does not change the file entry point, as does Leapfrog and Brainy. %%File: VIRS0193.TXT %%Name/Aliases: VP %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: %%Size: %%See Also: %%Notes: %%File: VIRS0194.TXT %%Name/Aliases: Westwood %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: %%Size: %%See Also: %%Notes: %%File: VIRS0195.TXT %%Name/Aliases: Wolfman %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: %%Size: %%See Also: %%Notes: %%File: VIRS0196.TXT %%Name/Aliases: Clone %%Platform: PC/MS-DOS %%Type: , %%Disk Location: %%Features: %%Damage: %%Size: %%See Also: Brain %%Notes: Derivative of Brain %%File: VIRS0197.TXT %%Name/Aliases: Tiny 163, V 163, V-163 %%Platform: PC/MS-DOS %%Type: Program., %%Disk Location: COM application., COMMAND.COM. %%Features: Direct acting. %%Damage: %%Size: 163 Added to .COM files that start with a JMP instruction %%See Also: %%Notes: When an infected file is executed, the virus attempts to infect other .COM files in the local directory. Files increase in length. %%File: VIRS0198.TXT %%Name/Aliases: 3X3SHR %%Platform: PC/MS-DOS %%Type: Trojan., %%Disk Location: 3X3SHR.??? %%Features: %%Damage: Erases the Hard Disk. %%Size: 78848 bytes 3X3SHR file %%See Also: %%Notes: *TROJAN* Time Bomb type trojan wipes the Hard Drive clean.
%%File: VIRS0199.TXT %%Name/Aliases: ANTI-PCB %%Platform: PC/MS-DOS %%Type: Trojan., %%Disk Location: ANTI-PCB.COM %%Features: %%Damage: %%Size: %%See Also: %%Notes: Apparently one RBBS-PC sysop and one PC-BOARD sysop started feuding about which BBS system is better, and in the end the PC-BOARD sysop wrote a trojan and uploaded it to the RBBS SysOp under ANTI-PCB.COM. Of course the RBBS-PC SysOp ran it, and that led to quite a few accusations and a big mess in general. %%File: VIRS0200.TXT %%Name/Aliases: ARC513.EXE, ARC514.COM %%Platform: PC/MS-DOS %%Type: Trojan., %%Disk Location: ARC513.EXE, ARC514.COM %%Features: %%Damage: Corrupts boot sector, Corrupts the file linkages or the FAT. %%Size: %%See Also: %%Notes: ARC513.EXE This hacked version of ARC appears normal, so beware! It will write over track 0 of your [hard] disk upon usage, destroying the disk. ARC514.COM This is totally similar to ARC version 5.13 in that it will overwrite track 0 (FAT Table) of your hard disk. Also, I have yet to see an .EXE version of this program. %%File: VIRS0201.TXT %%Name/Aliases: ARC533 %%Platform: PC/MS-DOS %%Type: Trojan., %%Disk Location: COMMAND.COM, ARC533.EXE %%Features: %%Damage: %%Size: %%See Also: %%Notes: ARC533.EXE This is a new Virus program designed to emulate Sea's ARC program. It infects the COMMAND.COM %%File: VIRS0202.TXT %%Name/Aliases: BACKTALK %%Platform: PC/MS-DOS %%Type: Trojan., %%Disk Location: BACKTALK.??? %%Features: %%Damage: Overwrites sectors on the Hard Disk. %%Size: %%See Also: %%Notes: This program used to be a good PD utility, but someone changed it to be a trojan. Now this program will write/destroy sectors on your [hard] disk drive. Use this with caution if you acquire it, because it's more than likely that you got a bad copy. %%File: VIRS0203.TXT %%Name/Aliases: CDIR %%Platform: PC/MS-DOS %%Type: Trojan., %%Disk Location: CDIR.??? %%Features: %%Damage: Corrupts the file linkages or the FAT.
%%Size: %%See Also: %%Notes: This program is supposed to give you a color directory of files on your disk, but it in fact will scramble your disk's FAT table. %%File: VIRS0204.TXT %%Name/Aliases: D-XREF60.COM %%Platform: PC/MS-DOS %%Type: Trojan., %%Disk Location: D-XREF60.COM %%Features: %%Damage: Corrupts boot sector, Corrupts the file linkages or the FAT. %%Size: %%See Also: %%Notes: A Pascal Utility used for Cross-Referencing, written by the infamous Dorn Stickel. It eats the FAT and BOOT sector after a time period has been met and if the Hard Drive is more than half full. %%File: VIRS0205.TXT %%Name/Aliases: DANCERS, DANCERS.BAS %%Platform: PC/MS-DOS %%Type: Trojan., %%Disk Location: DANCERS.BAS %%Features: %%Damage: Corrupts the file linkages or the FAT. %%Size: %%See Also: %%Notes: This trojan shows some animated dancers in color, and then proceeds to wipe out your [hard] disk's FAT table. There is another perfectly good copy of DANCERS.BAS on BBSs around the country. %%File: VIRS0206.TXT %%Name/Aliases: DISKSCAN, SCANBAD, BADDISK %%Platform: PC/MS-DOS %%Type: Trojan., %%Disk Location: DISKSCAN.EXE, , SCANBAD.EXE, BADDISK.EXE %%Features: %%Damage: Overwrites sectors on the Hard Disk. %%Size: %%See Also: %%Notes: This was a PC-MAGAZINE program to scan a [hard] disk for bad sectors, but then a joker edited it to WRITE bad sectors. Also look for this under other names such as SCANBAD.EXE and BADDISK.EXE. A good original copy is available on SCP Business BBS. %%File: VIRS0207.TXT %%Name/Aliases: DMASTER %%Platform: PC/MS-DOS %%Type: Trojan., %%Disk Location: DMASTER.??? %%Features: %%Damage: Corrupts the file linkages or the FAT. %%Size: %%See Also: %%Notes: This is yet another FAT scrambler. %%File: VIRS0208.TXT %%Name/Aliases: DOSKNOWS %%Platform: PC/MS-DOS %%Type: Trojan., %%Disk Location: DOSKNOWS.EXE %%Features: %%Damage: Corrupts the file linkages or the FAT.
%%Size: 5376 Size of the real DOSKNOWS.EXE %%See Also: %%Notes: Apparently someone wrote a FAT killer and renamed it DOSKNOWS.EXE, so it would be confused with the real, harmless DOSKNOWS system-status utility. %%File: VIRS0209.TXT %%Name/Aliases: DOS-HELP %%Platform: PC/MS-DOS %%Type: Trojan., %%Disk Location: DOS-HELP.??? %%Features: Memory resident; TSR. %%Damage: Attempts to format the disk. %%Size: %%See Also: %%Notes: This trojan, when made memory-resident, is supposed to display a DOS command that the User needs help with. Works fine on a Diskette system but on a HARD DRIVE system tries to format the Hard Disk with every access of DOS-HELP. %%File: VIRS0210.TXT %%Name/Aliases: DPROTECT %%Platform: PC/MS-DOS %%Type: Trojan., %%Disk Location: DPROTECT.??? %%Features: %%Damage: Corrupts the file linkages or the FAT. %%Size: %%See Also: %%Notes: Apparently someone tampered with the original, legitimate version of DPROTECT and turned it into a FAT-table eater. A good version is available on SCP Business BBS. %%File: VIRS0211.TXT %%Name/Aliases: DRAIN2 %%Platform: PC/MS-DOS %%Type: Trojan., %%Disk Location: DRAIN2.??? %%Features: %%Damage: Attempts to format the disk. %%Size: %%See Also: %%Notes: There really is a DRAIN program, but this revised program goes out and does a Low Level Format while it is playing the funny program. %%File: VIRS0212.TXT %%Name/Aliases: DROID %%Platform: PC/MS-DOS %%Type: Trojan., %%Disk Location: DROID.EXE %%Features: %%Damage: %%Size: 54272 Size of DROID.EXE %%See Also: %%Notes: This trojan appears under the guise of a game. You are supposedly an architect that controls futuristic droids in search of relics. In fact, PC-Board sysops, if they run this program from C:\PCBOARD, will find that it copies C:\PCBOARD\PCBOARD.DAT to C:\PCBOARD\HELP\HLPX. %%File: VIRS0213.TXT %%Name/Aliases: DRPTR, WIPEOUT %%Platform: PC/MS-DOS %%Type: Trojan., %%Disk Location: DRPTR.??? %%Features: %%Damage: Deletes or moves files.
%%Size: %%See Also: %%Notes: After running the unsuspected file, the only things left in the root directory are the subdirectories and two of the three DOS System files, along with a 0-byte file named WIPEOUT.YUK. COMMAND.COM was located in a different directory; the file date and CRC had not changed. %%File: VIRS0214.TXT %%Name/Aliases: EGABTR %%Platform: PC/MS-DOS %%Type: Trojan., %%Disk Location: EGABTR.??? %%Features: %%Damage: Deletes or moves files. %%Size: %%See Also: %%Notes: BEWARE! Description says something like "improve your EGA display," but when run, it deletes everything in sight and prints, "Arf! Arf! Got you!" %%File: VIRS0215.TXT %%Name/Aliases: FILES.GBS %%Platform: PC/MS-DOS %%Type: Trojan., %%Disk Location: FILES.GBS %%Features: %%Damage: Bypasses OPUS BBS's security. %%Size: %%See Also: %%Notes: When an OPUS BBS system is installed improperly, this file could spell disaster for the Sysop. It can let a user of any level into the system. Protect yourself. Best to have a sub-directory in each upload area called c:\upload\files.gbs (this is an example only). This would force Opus to rename a file upload of files.gbs and prevent its usage. %%File: VIRS0216.TXT %%Name/Aliases: FLUSHOT4, FLU4TXT %%Platform: PC/MS-DOS %%Type: Trojan., %%Disk Location: FLUSHOT4.ARC %%Features: %%Damage: %%Size: %%See Also: %%Notes: This Trojan was inserted into the FLUSHOT4.ARC and uploaded to many BBS's. FluShot is a protector of your COMMAND.COM. As of 05/14/88, FLUSHOT.ARC (FluShot Plus v1.1) is the current version, not the FLUSHOT4.ARC which is Trojaned. %%File: VIRS0217.TXT %%Name/Aliases: FUTURE %%Platform: PC/MS-DOS %%Type: Trojan., %%Disk Location: FUTURE.??? %%Features: %%Damage: Attempts to erase all mounted disks. %%Size: %%See Also: %%Notes: This "program" starts out with a very nice color picture and then proceeds to tell you that you should be using your computer for better things than games and graphics.
After making that point, it trashes your A: drive, B:, C:, D:, and so on until it has erased all drives. %%File: VIRS0218.TXT %%Name/Aliases: GATEWAY, GATEWAY2 %%Platform: PC/MS-DOS %%Type: Trojan., %%Disk Location: GATEWAY.??? %%Features: %%Damage: Corrupts the file linkages or the FAT. %%Size: %%See Also: %%Notes: Someone tampered with the version 2.0 of the CTTY monitor GATEWAY. What it does is ruin the FAT. %%File: VIRS0219.TXT %%Name/Aliases: GRABBER %%Platform: PC/MS-DOS %%Type: Trojan., %%Disk Location: GRABBER.COM %%Features: Memory resident; TSR. %%Damage: Deletes or moves files. %%Size: 2583 Size of GRABBER.COM %%See Also: %%Notes: This program is supposed to be a SCREEN CAPTURE program that copies the screen to a .COM file to be later run from a DOS command line. As a TSR it will attempt to do a DISK WRITE to your hard drive when you do not want it to. It will wipe out whole Directories when doing a normal DOS command. One sysop who ran it lost all of his ROOT DIR including his SYSTEM files. %%File: VIRS0220.TXT %%Name/Aliases: G-MAN %%Platform: PC/MS-DOS %%Type: Trojan., %%Disk Location: G-MAN.??? %%Features: %%Damage: Corrupts the file linkages or the FAT. %%Size: %%See Also: %%Notes: Another FAT killer. %%File: VIRS0221.TXT %%Name/Aliases: MAP, FAT EATER %%Platform: PC/MS-DOS %%Type: Trojan., %%Disk Location: MAP.??? %%Features: %%Damage: Corrupts the file linkages or the FAT. %%Size: %%See Also: %%Notes: This is another trojan horse written by the infamous "Dorn Stickel." Designed to display what TSR's are in memory and works on FAT and BOOT sector. FAT EATER %%File: VIRS0222.TXT %%Name/Aliases: MATHKIDS, FIXIT %%Platform: PC/MS-DOS %%Type: Trojan., %%Disk Location: FIXIT.ARC %%Features: %%Damage: Cracks/opens a BBS to nonprivileged users. %%Size: %%See Also: %%Notes: This trojan is designed to crack a BBS system. It will attempt to copy the USERS file on a BBS to a file innocently called FIXIT.ARC, which the originator can later call in and download.
Believed to be designed for PCBoard BBS's. %%File: VIRS0223.TXT %%Name/Aliases: NOTROJ %%Platform: PC/MS-DOS %%Type: Trojan., %%Disk Location: NOTROJ.??? %%Features: %%Damage: Corrupts the file linkages or the FAT., Attempts to format the disk. %%Size: %%See Also: %%Notes: All outward appearances indicate that the program is a useful utility used to FIGHT other trojan horses. Actually, it is a time bomb that erases any hard disk FAT table that IT can find on hard drives that are more than 50% full, and at the same time, it warns: "another program is attempting a format, can't abort!" After erasing the FAT(s), NOTROJ then proceeds to start a low level format. Delete the NOTROJ.COM Application. %%File: VIRS0224.TXT %%Name/Aliases: PACKDIR %%Platform: PC/MS-DOS %%Type: Trojan., %%Disk Location: PACKDIR.??? %%Features: %%Damage: Corrupts the file linkages or the FAT. %%Size: %%See Also: %%Notes: This utility is supposed to "pack" (sort and optimize) the files on a [hard] disk, but apparently it scrambles FAT tables. %%File: VIRS0225.TXT %%Name/Aliases: PCW271, PC-WRITE 2.71 %%Platform: PC/MS-DOS %%Type: Trojan., %%Disk Location: PCW271.??? %%Features: %%Damage: Corrupts the file linkages or the FAT. %%Size: 98274 Size of bogus PC-WRITE; normal is 98644 bytes. %%See Also: %%Notes: A modified version of the popular PC-WRITE word processor (v. 2.71) that scrambles FAT tables. The bogus version of PC-WRITE version 2.71 can be identified by its size; it uses 98,274 bytes whereas the good version uses 98,644. %%File: VIRS0226.TXT %%Name/Aliases: PKX35B35, PKB35B35 %%Platform: PC/MS-DOS %%Type: Trojan., %%Disk Location: PKX35B35.ARC, PKB35B35.ARC %%Features: %%Damage: Corrupts the file linkages or the FAT. %%Size: %%See Also: %%Notes: PKX35B35.ARC, PKB35B35.ARC This was supposed to be an update to PKARC file compress utility - which when used *EATS your FATS* and is or at least RUMORED to infect other files so it can spread - possible VIRUS?
%%File: VIRS0227.TXT %%Name/Aliases: PKPAK/PKUNPAK 3.61, PK362, PK363 %%Platform: PC/MS-DOS %%Type: Trojan., %%Disk Location: PK362.EXE, PK363.EXE, PKPAK/PKUNPAK v. 3.61 %%Features: %%Damage: %%Size: %%See Also: %%Notes: PKPAK/PKUNPAK *TROJAN* There is a TAMPERED version of 3.61 that when used interferes with the PC's interrupts. PK362.EXE This is a NON-RELEASED version and is suspected as being a *TROJAN* - not verified. PK363.EXE This is a NON-RELEASED version and is suspected as being a *TROJAN* - not verified. %%File: VIRS0228.TXT %%Name/Aliases: PKFIX361 %%Platform: PC/MS-DOS %%Type: Trojan., %%Disk Location: PKFIX361.EXE %%Features: %%Damage: Attempts to format the disk. %%Size: %%See Also: %%Notes: PKFIX361.EXE *TROJAN* Supposed patch to v3.61 - what it really does is when extracted from the .EXE does a DIRECT access to the DRIVE CONTROLLER and does Low-Level format. Thereby bypassing checking programs. (This would be only XT type disk drive cards. w.j.o.) %%File: VIRS0229.TXT %%Name/Aliases: QUIKRBBS %%Platform: PC/MS-DOS %%Type: Trojan., %%Disk Location: QUIKRBBS.??? %%Features: %%Damage: Corrupts the file linkages or the FAT. %%Size: %%See Also: %%Notes: This Trojan horse advertises that it will install a program to protect your RBBS but it does not. It goes and eats away at the FAT. %%File: VIRS0230.TXT %%Name/Aliases: QUIKREF %%Platform: PC/MS-DOS %%Type: Trojan., %%Disk Location: ARC513.COM %%Features: %%Damage: Cracks/opens a BBS to nonprivileged users. %%Size: %%See Also: %%Notes: This ARChive contains ARC513.COM. Loads RBBS-PC's message file into memory two times faster than normal. What it really does is copy RBBS-PC.DEF into an ASCII file named HISCORES.DAT. %%File: VIRS0231.TXT %%Name/Aliases: RCKVIDEO %%Platform: PC/MS-DOS %%Type: Trojan., %%Disk Location: RCKVIDEO.??? %%Features: %%Damage: Attempts to erase all mounted disks. %%Size: %%See Also: %%Notes: After showing some simple animation of a rock star, the program erases every file it can find.
After about a minute of this, it creates three ascii files that say "You are stupid to download a video about rock stars". %%File: VIRS0232.TXT %%Name/Aliases: SECRET %%Platform: PC/MS-DOS %%Type: Trojan., %%Disk Location: SECRET.??? %%Features: %%Damage: Attempts to format the disk. %%Size: %%See Also: %%Notes: BEWARE!! This may be posted with a note saying it doesn't seem to work, and would someone please try it; when you do, it formats your disks. %%File: VIRS0233.TXT %%Name/Aliases: SIDEWAYS, SIDEWAYS.COM %%Platform: PC/MS-DOS %%Type: Trojan., %%Disk Location: SIDEWAYS.COM %%Features: %%Damage: Corrupts boot sector %%Size: 3 KB SIDEWAYS.COM, 30 KB The legitimate SIDEWAYS.EXE application. %%See Also: %%Notes: Both the trojan and the good version of SIDEWAYS advertise that they can print sideways, but SIDEWAYS.COM trashes a [hard] disk's boot sector instead. %%File: VIRS0234.TXT %%Name/Aliases: STAR, STRIPES %%Platform: PC/MS-DOS %%Type: Trojan., %%Disk Location: STAR.EXE, STRIPES.EXE %%Features: %%Damage: Cracks/opens a BBS to nonprivileged users. %%Size: %%See Also: %%Notes: STAR.EXE Beware RBBS-PC SysOps! This file puts some stars on the screen while copying RBBS-PC.DEF to another name that can be downloaded later! STRIPES.EXE Similar to STAR.EXE, this one draws an American flag (nice touch), while it's busy copying your RBBS-PC.DEF to another file (STRIPES.BQS). %%File: VIRS0235.TXT %%Name/Aliases: SUG %%Platform: PC/MS-DOS %%Type: Trojan., Encrypted/Stealth The virus actively hides., %%Disk Location: SUG.??? %%Features: Encrypted %%Damage: Erases a Floppy Disk %%Size: %%See Also: %%Notes: This program is supposed to unprotect copy protected program disks protected by Softguard Systems, Inc. It trashes the disk and displays: "This destruction constitutes a prima facie evidence of your violation. If you attempt to challenge Softguard Systems Inc..., you will be vigorously counter-sued for copyright infringement and theft of services."
It encrypts the Gotcha message so no Trojan checker can scan for it. %%File: VIRS0236.TXT %%Name/Aliases: TIRED %%Platform: PC/MS-DOS %%Type: Trojan., %%Disk Location: TIRED.??? %%Features: %%Damage: Corrupts the file linkages or the FAT. %%Size: %%See Also: %%Notes: Another scramble the FAT trojan by Dorn W. Stickel. %%File: VIRS0237.TXT %%Name/Aliases: TOPDOS %%Platform: PC/MS-DOS %%Type: Trojan., %%Disk Location: TOPDOS.??? %%Features: %%Damage: Attempts to format the disk. %%Size: %%See Also: %%Notes: This is a simple high level [hard] disk formatter. %%File: VIRS0238.TXT %%Name/Aliases: TSRMAP %%Platform: PC/MS-DOS %%Type: Trojan., %%Disk Location: TSRMAP.??? %%Features: %%Damage: Corrupts boot sector %%Size: %%See Also: %%Notes: TSRMAP *TROJAN* This program does what it's supposed to do: give a map outlining the location (in RAM) of all TSR programs, but it also erases the boot sector of drive "C:". %%File: VIRS0239.TXT %%Name/Aliases: ULTIMATE %%Platform: PC/MS-DOS %%Type: Trojan., %%Disk Location: ULTIMATE.ARC, ULTIMATE.EXE %%Features: %%Damage: Corrupts the file linkages or the FAT. %%Size: 3090 size of ULTIMATE.EXE, 2432 Size of ULTIMATE.ARC %%See Also: %%Notes: Another FAT eater %%File: VIRS0240.TXT %%Name/Aliases: VDIR %%Platform: PC/MS-DOS %%Type: Trojan., %%Disk Location: VDIR.??? %%Features: %%Damage: Attempts to erase all mounted disks. %%Size: %%See Also: %%Notes: This is a disk killer that Jerry Pournelle wrote about in BYTE Magazine. %%File: VIRS0241.TXT %%Name/Aliases: Scrambler, KEYBGR Trojan %%Platform: PC/MS-DOS %%Type: Trojan., %%Disk Location: KEYBGR.COM %%Features: Memory resident; TSR. %%Damage: Interferes with a running application. %%Size: %%See Also: %%Notes: About 60 minutes after the trojan KEYBGR.COM is started a smiley face moves in a random fashion about the screen displacing characters as it moves. The Trojan contains many copies of the string "nothing". 
%%File: VIRS0242.TXT %%Name/Aliases: 12-TRICKS Trojan, Twelve Tricks Trojan, Tricks %%Platform: PC/MS-DOS %%Type: Trojan., %%Disk Location: CORETEST.COM, , Hard disk boot sectors. %%Features: %%Damage: Corrupts the file linkages or the FAT., Attempts to format the disk., Interferes with a running application., Corrupts boot sector %%Size: %%See Also: %%Notes: Contained in "CORETEST.COM", a file that tests the speed of a hard disk. It installs itself in the boot sector of the hard disk. Every time the computer boots, one entry in the FAT will be changed. With a probability of 1/4096, the hard disk will be formatted (Track 0, Head 1, Sector 1, 1 Sector) followed by the message: "SOFTLoK+ V3.0 SOFTGUARD SYSTEMS,INC, 2840 St.Thomas Expwy,suite 201, Santa Clara,CA 95051 (408)970-9420". The following printed on the screen: "SOFTLoK+ V3.0 SOFTGUARD SYSTEMS,INC,2840 St.Thomas Expwy,suite 201, Santa Clara,CA 95051 (408)970-9420" Damaged FATs and directories. All sorts of strange changes to typed or printed characters. Strange things happening when keys are typed. Text within the program CORETEST.COM, readable with HexDump-utilities:"MEMORY$" Text within the boot sector of the hard disk:"SOFTLoK+ V3.0 SOFTGUARD SYSTEMS,INC,2840 St.Thomas Expwy,suite 201, Santa Clara,CA 95051 (408)970-9420" %%File: VIRS0243.TXT %%Name/Aliases: Advent, 2761 %%Platform: PC/MS-DOS %%Type: Program., Encrypted/Stealth The virus actively hides., %%Disk Location: COM application., EXE application., COMMAND.COM. %%Features: Encrypted, Direct acting. %%Damage: Interferes with a running application. %%Size: 2761-2776 Byte