=======================================================================
==                  Computer Virus Catalog Index                     ==
==                     *** 58 MsDos Viruses ***                      ==
=======================================================================
== Status: June 12, 1990 (Format 1.2)                                ==
== Classified:15 MSDOS-Viruses (MSDOSVIR.A89: 62kByte): Nov. 15,1989 ==
==           +17 MSDOS-Viruses (MSDOSVIR.290: 54kByte): Feb. 15,1990 ==
== NEW ==>   +26 MSDOS-Viruses (MSDOSVIR.690: 51kByte): June 20,1990 ==
=======================================================================
== List of MsDos Viruses/Trojans                                =Doc=
== (+ = new in this edition, U = updated entry)                 =---=
==   1) Advent Virus                                            =290=
== + 2) Amstrad Virus (Amstrad Strain)                          =690=
==   3) Autumn Leaves = Herbst = "1704" = Cascade A Virus       =A89=
==   4) Autumn Leaves B = "1701" = Cascade B Virus
==      (Cascade Strain)                                        =A89=
==   5) Bouncing Ball = Italian = Ping Pong = Turin Virus       =A89=
== + 6) Cancer Virus (Amstrad Strain)                           =690=
==   7) Dark Avenger                                            =290=
==   8) DATACRIME Ia = "1168" Virus                             =290=
==   9) DATACRIME Ib = "1280" Virus                             =290=
==  10) dBase Virus                                             =290=
==  11) Denzuk = "Search" = Venezuelan Virus                    =290=
== +12) Devils Dance = "941" Virus                              =690=
==  13) Do Nothing = Stupid = 640k Virus                        =290=
== +14) Form Virus                                              =690=
==  15) "Friday 13th" = South African Virus                     =A89=
==  16) Fu Manchu Virus                                         =290=
==  17) GhostBalls Virus (Icelandic Strain)                     =A89=
==  18) Hello Virus                                             =290=
==  19) Icelandic#1 = DiskCrunching = 1-in-10 Virus
==      (Icelandic Strain)                                      =A89=
==  20) Icelandic#2 Virus (Icelandic Strain)                    =A89=
==  21) Israeli = Jerusalem A Virus (Israeli Strain)            =A89=
== U22) Lehigh Virus                                            =290=
== +23) Lisbon Virus (Vienna Strain)                            =690=
==  24) MachoSoft Virus (Syslock Strain)                        =A89=
==  25) Marijuana = Stoned = New Zealand Virus                  =290=
==  26) Merritt = Alameda A = Yale Virus (Alameda/Yale Strain)  =A89=
==  27) MIX1 = Mixer1 Virus                                     =290=
== +28) Murphy 1 Virus (Murphy Strain)                          =690=
== +29) Murphy 2 Virus (Murphy Strain)                          =690=
==  30) Ogre = Disk Killer 1.00 Virus                           =290=
==  31) Oropax = Music Virus                                    =A89=
==  32) Saratoga Virus (Icelandic Strain)                       =A89=
==  33) SHOE-B v9.0 Virus                                       =A89=
== +34) SUNDAY A Virus (Israeli Strain)                         =690=
== +35) SUNDAY B Virus (Israeli Strain)                         =690=
==  36) SURIV 1.01 Viruses (Israeli Strain)                     =290=
== +37) sURIV 2.01 = April 1st Virus (Israeli Strain)           =690=
== +38) sURIV 3.00 = Israeli #3 Virus (Israeli Strain)          =690=
==  39) Swap = Israeli Boot Virus                               =290=
== +40) Sylvia (V 2.1) = Holland Girl Virus                     =690=
==  41) SYSLOCK Virus (Syslock Strain)                          =789=
== +42) Traceback = "3066" Virus                                =690=
==  43) VACSINA Virus                                           =A89=
==  44) Vienna = Austrian = "648" Virus (Vienna Strain)         =A89=
== +45) Vienna 348 = "348" Virus (Vienna Strain)                =690=
== +46) Vienna 353 = "353" Virus (Vienna Strain)                =690=
== +47) Vienna 367 = "367" Virus (Vienna Strain)                =690=
== +48) Vienna 435 = "435" Virus (Vienna Strain)                =690=
== +49) Vienna 623 = "623" Virus (Vienna Strain)                =690=
== +50) Vienna 627 = "627" Virus (Vienna Strain)                =690=
== +51) V-277 Virus (Amstrad Strain)                            =690=
== +52) V-299 Virus (Amstrad Strain)                            =690=
== +53) V-345 Virus (Amstrad Strain)                            =690=
==  54) Zero Bug = ZBug = Palette Virus                         =290=
== +55) "8-Tunes" = "1971" Virus                                =690=
== +56) "512" Virus                                             =690=
== +57) "4096" = "100 Years" = IDF = Stealth Virus              =690=
== +58) "5120" Virus                                            =690=
==                                                                   ==
== Remark: The following MSDOS-Viruses are presently being examined; ==
==         their classification will be published in the next        ==
==         edition: about 50 Bulgarian Viruses: TPxx, VHPyy,         ==
==         Yankees etc.; AIDS, BRAIN A, DATACRIME II, Pentagon,      ==
==         Perfume, Type/Fumble, Vcomm, W13 A&B = Polish, XA1,       ==
==         Yankee Doodle, "405" Viruses                              ==
=======================================================================

===== Computer Virus Catalog 1.2: "Amstrad" Virus (11-June-1990) ======
Entry.................. "Amstrad" Virus
Alias(es).............. Pixel, V-847 Virus
Strain................. Amstrad Virus Strain
Detected: when......... Fall 1989
          where........ Reported to have been published in PIXEL
                        magazine
Classification......... Program virus, direct action, prefix
Length of Virus........ COM files increase by 847 bytes, but the actual
                        length of the virus is 591 bytes (the rest is
                        garbage).
------------------------ Preconditions --------------------------------
Operating System(s).... MS-DOS
Version/Release........ 2.xx and upward
Computer models........ IBM-PC's and compatibles
-------------------------- Attributes ---------------------------------
Easy identification.... The virus contains the string "Program sick
                        error:Call doctor or buy PIXEL for cure
                        description". The virus recognises an already
                        infected file by checking for the string "IV"
                        at offset 3 of the COM file.
Type of infection...... A program virus that infects all COM files in
                        the current directory by prepending itself to
                        its victim. The virus will not spread very
                        quickly.
Infection trigger...... As it is a direct action virus, it infects only
                        while an infected program is running, but does
                        so whenever one is run.
Media affected......... Any logical drive that is the "current" drive
Interrupts hooked...... ---
Damage................. Denial of access
Damage trigger......... The virus carries an evolution counter that is
                        incremented every time the virus is executed.
                        Once the counter is 5 or more, the virus reads
                        the system timer; if the value is odd, the
                        virus terminates (instead of running the host)
                        with the message quoted above. In effect this
                        is a 50% chance of termination per run.
Particularities........ This is a rare example of a prefix program
                        virus.
Similarities........... V-345, V-299, Cancer Viruses
---------------------------- Agents -----------------------------------
Countermeasures........ Checksumming programs will detect the changes
                        to the files.
- ditto - successful.. V847clr by Vesselin Bontchev will successfully
                        search for and clear the Amstrad, V-345 and
                        V-299 viruses, and find the Cancer virus.
Standard Means......... Believe it or not, write-protecting programs
                        with ATTRIB (+R) will prevent the virus from
                        spreading to them.
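The two facts the entry gives about the Amstrad strain (the "IV" marker at offset 3 and the fixed prefix length, 847 bytes for Amstrad and multiples of 740 for the Cancer variant described next) are enough to write a small triage and cleaning routine. The following is an added example, not part of the catalog and not V847clr; it assumes, as the entries imply but do not state, that the prefix virus leaves the host bytes untouched behind its prefix and that every Cancer generation adds a further 740-byte prefix carrying "IV" at its own offset 3. The sample files are constructed inline.

```python
"""Triage and clean COM files hit by the Amstrad strain (Amstrad / Cancer).

Added example for the catalog entry above; not the catalog's or V847clr's code.
Assumptions (labelled): the original program survives intact after the prefix,
and each Cancer generation is a further 740-byte prefix with "IV" at +3.
"""
import os
import tempfile

MARKER = b"IV"              # self-identification string, offset 3 of the COM file
MARKER_OFFSET = 3
PIXEL_TEXT = b"Program sick error:Call doctor or buy PIXEL for cure description"
PREFIX_LEN = {"amstrad": 847, "cancer": 740}


def has_marker(data: bytes, base: int = 0) -> bool:
    """True if "IV" sits at base+3, i.e. a strain prefix starts at `base`."""
    return data[base + MARKER_OFFSET: base + MARKER_OFFSET + 2] == MARKER


def count_prefixes(data: bytes, prefix_len: int) -> int:
    """Count consecutive marked prefixes of `prefix_len` bytes (Cancer generations)."""
    n = 0
    while (n + 1) * prefix_len <= len(data) and has_marker(data, n * prefix_len):
        n += 1
    return n


def classify(data: bytes):
    """Return (verdict, generations). Amstrad infects once; Cancer re-infects."""
    if not has_marker(data):
        return ("clean", 0)
    if PIXEL_TEXT in data[:PREFIX_LEN["amstrad"]]:
        return ("amstrad", 1)
    gens = count_prefixes(data, PREFIX_LEN["cancer"])
    if gens:
        return ("cancer", gens)
    return ("amstrad-strain marker, unknown variant", 1)


def strip_prefixes(data: bytes, prefix_len: int, generations: int) -> bytes:
    """Recover the host by dropping the prepended virus code (assumption: host intact)."""
    return data[prefix_len * generations:]


def scan_dir(path: str):
    """Classify every *.COM in `path`, like the virus's own directory walk."""
    out = {}
    for name in sorted(os.listdir(path)):
        if name.lower().endswith(".com"):
            with open(os.path.join(path, name), "rb") as fh:
                out[name] = classify(fh.read())
    return out


# ---- constructed samples (not real virus bodies) ---------------------------
HOST = b"\xB8\x00\x4C\xCD\x21" + b"clean host program" * 4   # mov ax,4C00h / int 21h


def _fake_prefix(length: int, text: bytes = b"") -> bytes:
    return (b"\xE9\x00\x00" + MARKER + text).ljust(length, b"\x90")


AMSTRAD_SAMPLE = _fake_prefix(847, PIXEL_TEXT) + HOST
CANCER_SAMPLE = _fake_prefix(740) * 3 + HOST               # three generations


def demo():
    """Write the samples to a temp dir, scan it, and return the verdicts."""
    with tempfile.TemporaryDirectory() as d:
        for name, body in (("CLEAN.COM", HOST), ("PIXEL.COM", AMSTRAD_SAMPLE),
                           ("CANCER.COM", CANCER_SAMPLE)):
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(body)
        return scan_dir(d)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} {verdict}")
```

Stripping is only safe because the strain prepends without touching the host; for an appending or overwriting virus the same arithmetic would destroy the file, which is why the catalog records the infection geometry for each entry.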
----------------------- Acknowledgements ------------------------------
Location............... Bulgarian Academy of Science and Virus Test
                        Center, University of Hamburg
Classification by...... Vesselin Bontchev
Documentation by....... Morton Swimmer
Date................... 11-June-1990
Information source..... ---
======================= End of "Amstrad" Virus ========================

====== Computer Virus Catalog 1.2: "CANCER" Virus (11-June-1990) ======
Entry.................. "CANCER" Virus
Alias(es).............. ---
Strain................. Amstrad Virus Strain
Detected: when......... Fall 1989
          where........ Bulgaria
Classification......... Program virus, direct action, prefix
Length of Virus........ The COM file grows by a multiple of 740 bytes
                        (one 740-byte prefix per infection), although
                        the actual virus is only 228 bytes long!
------------------------ Preconditions --------------------------------
Operating System(s).... MS-DOS
Version/Release........ 2.xx and upward
Computer models........ IBM-PC's and compatibles
-------------------------- Attributes ---------------------------------
Easy identification.... An infected file contains the string "IV" at
                        offset 3 of the COM file. Unlike the other
                        variants of Amstrad, this virus never uses the
                        marker itself (hence the repeated infections).
Type of infection...... A program virus that infects all COM files in
                        the current directory by prepending itself to
                        its victim. The virus will not spread very
                        quickly.
Infection trigger...... As it is a direct action virus, it infects only
                        while an infected program is running, but does
                        so whenever one is run.
Media affected......... Any logical drive that is the "current" drive.
Interrupts hooked...... ---
Damage................. The virus repeatedly infects a file until it is
                        no longer loadable (hence its name).
Damage trigger......... None; its damage is the infection itself and
                        the resulting growth in file length.
Particularities........ ---
Similarities........... Cancer is a variant of Amstrad.
---------------------------- Agents -----------------------------------
Countermeasures........ Checksumming programs will detect the changes
                        to the files.
- ditto - successful.. V847clr will find Cancer as a possible variant
                        of Amstrad, but cannot remove it.
Standard Means......... Believe it or not, write-protecting programs
                        with ATTRIB (+R) will prevent the virus from
                        spreading to them.
----------------------- Acknowledgements ------------------------------
Location............... Bulgarian Academy of Science and University of
                        Hamburg, Virus Test Center
Classification by...... Vesselin Bontchev
Documentation by....... Morton Swimmer
Date................... 11-June-1990
Information source..... ---
======================= End of "CANCER" Virus =========================

=== Computer Virus Catalog 1.2: "Devil's Dance" Virus (5-June-1990) ===
Entry...............: "Devil's Dance"
Alias(es)...........: "Devil", "941 Virus"
Virus Strain........: ---
Virus detected when.: Spring 1990
              where.: Mexico City
Classification......: .COM file: extending, RAM-resident, link virus
Length of Virus.....: .COM files: increased by 941 bytes
--------------------- Preconditions -----------------------------------
Operating System(s).: MS-DOS
Version/Release.....: 2.xx upward
Computer model(s)...: IBM-PC, XT, AT and compatibles
--------------------- Attributes --------------------------------------
Easy Identification.: Typical text in virus body, readable with hexdump
                      utilities: "Drk", "*.com". If the high bit of the
                      displayed code is stripped, the message displayed
                      at system reset time becomes readable.
                      .COM files: the first three bytes (jmp) and the
                      last three bytes are identical. The file
                      date/time is set to the date/time of the
                      infection (i.e. files infected in the same run
                      share one date/time).
Type of infection...: System virus: RAM-resident; the system is taken
                      to be infected if the string "Drk" is found 3
                      bytes before the INT 21h handler address.
                      .COM file: infected by hooking the LOAD function;
                      adds 941 bytes to the end of the file. Only files
                      with extension .COM are infected. A file can be
                      infected more than once. On first execution of
                      the virus, all .COM files in the current
                      directory are infected.
                      .EXE file: no infection.
Infection Trigger...: A .COM file is infected when function 4B00h
                      (LOAD/EXEC) of INT 21h is called.
Interrupts hooked...: INT 21h (functions 4B00h and 49h). INT 09h only
                      for damage.
Damage..............: Permanent damage:
                      1. Every .COM file executed in an infected
                         system is infected.
                      2. After 2,500 keystrokes, a Ctrl+Alt+Del reset
                         overwrites the first sector of hard disk C:.
                      Transient damage:
                      1. All characters typed are displayed in a
                         different colour on a colour card.
                      2. If Ctrl+Alt+Del is pressed, the following
                         message is displayed:
                         "Have you ever danced with"
                         "the devil under the weak light of the moon? "
                         "Pray for your disk! The_Joker..."
                         "Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha".
Damage Trigger......: Keyboard input (characters typed) and the
                      Ctrl+Alt+Del reset.
Particularities.....: - The message "Have you ... Ha Ha" is encrypted
                        (high bit set on every byte).
                      - All files with a .COM extension are infected
                        (i.e. also EXE-format files renamed to .COM).
                      - .COM files with the EXE header ID "MZ" will
                        not run after infection.
                      - The virus uses no self-identification on .COM
                        files; files are infected many times.
                      - Multiply infected .COM files slow the system
                        down on the first execution of the virus in a
                        clean system: a file infected 10 times tries
                        to infect every accessible .COM file 10 times.
                      - All file attributes are cleared and not
                        restored.
                      - Files infected together share one date/time.
                      - Programs longer than 64,337 bytes are not
                        executed correctly after infection.
--------------------- Agents ------------------------------------------
Countermeasures.....: Category 3: NTIDEVIL.EXE (VTC Hamburg)
- ditto - successful: NTIDEVIL.EXE finds and restores infected
                      programs.
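The entry gives three file-level indicators for Devil's Dance: the plain strings "Drk" and "*.com", the message hidden by setting the high bit of every byte, and the jmp at the start of an infected .COM being repeated as its last three bytes. The following is an added example, not part of the catalog and not NTIDEVIL.EXE: it decodes high-bit text and applies the head/tail check to a constructed sample (the real virus body is not reproduced; the hidden message is encoded here from the text the entry quotes).

```python
"""Devil's Dance ("941") indicators on a .COM file.

Added example for the catalog entry above; not the catalog's or NTIDEVIL's code.
The sample is constructed: a fake host, a jmp header, and a 941-byte appended
block holding the plain strings and the high-bit-encoded message.
"""

VIRUS_LEN = 941
PLAIN_STRINGS = (b"Drk", b"*.com")


def strip_high_bit(data: bytes) -> bytes:
    """Clear bit 7 of every byte; the reset-time message is stored this way."""
    return bytes(b & 0x7F for b in data)


def high_bit_ascii_runs(data: bytes, min_len: int = 8):
    """Return runs (>= min_len) of printable ASCII hidden behind a set high bit.

    A printable byte 0x20..0x7E with bit 7 set lies in 0xA0..0xFE; anything else
    ends the current run, so ordinary code and plain text do not match.
    """
    runs, cur = [], bytearray()
    for b in data:
        if 0xA0 <= b <= 0xFE:
            cur.append(b & 0x7F)
        else:
            if len(cur) >= min_len:
                runs.append(bytes(cur))
            cur = bytearray()
    if len(cur) >= min_len:
        runs.append(bytes(cur))
    return runs


def head_tail_match(data: bytes) -> bool:
    """Infected .COM: starts with a near jmp (E9) whose 3 bytes recur at the end."""
    return len(data) >= 6 and data[0] == 0xE9 and data[:3] == data[-3:]


def indicators(data: bytes) -> dict:
    return {
        "jmp_head_tail": head_tail_match(data),
        "plain_strings": all(s in data for s in PLAIN_STRINGS),
        "hidden_text": high_bit_ascii_runs(data),
    }


def looks_infected(data: bytes) -> bool:
    """All three indicators together; the hidden text must mention the devil."""
    ind = indicators(data)
    return (ind["jmp_head_tail"] and ind["plain_strings"]
            and any(b"devil" in t.lower() for t in ind["hidden_text"]))


# ---- constructed sample -----------------------------------------------------
HOST = b"\xB4\x09\xCD\x21\xC3" + b"host" * 10          # mov ah,9 / int 21h / ret
JMP = b"\xE9\x2E\x00"                                   # jmp near, arbitrary offset
MESSAGE = b"Have you ever danced with the devil under the weak light of the moon?"
HIDDEN = bytes(c | 0x80 for c in MESSAGE)               # high-bit "encryption"
_body = b"\x90" * 16 + b"Drk\x00*.com\x00" + HIDDEN
APPENDED = _body.ljust(VIRUS_LEN - 3, b"\x90") + JMP     # ends with the jmp bytes
SAMPLE = JMP + HOST[3:] + APPENDED                       # first 3 host bytes replaced


if __name__ == "__main__":
    print(indicators(SAMPLE))
    print("infected" if looks_infected(SAMPLE) else "clean")
```

The high-bit decoder is the general form of the entry's advice to "strip the high bit" of the hex bytes listed under Standard means; run on a whole file it surfaces any string stored this way, not just the one quoted here.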
Standard means......: Note the .COM file length, file date/time and
                      attributes. Typical text in the virus body:
                      "*.com", "Drk". Search for the hex bytes
                      E4,E1,EE,E3,E5,E4,A0,F7,E8,F4,E8. Do not use
                      Ctrl+Alt+Del if your screen has changed colour;
                      use the power switch or the reset switch to
                      reboot the computer.
--------------------- Acknowledgement ---------------------------------
Location............: Virus Test Center, University Hamburg, FRG
Classification by...: Stefan Tode
Documentation by....: Stefan Tode
Date................: 5-June-1990
===================== End of "Devil's Dance"-Virus ====================

======== Computer Virus Catalog 1.2: "Form" Virus (5-June-1990) =======
Entry.................. "Form" Virus
Alias(es).............. ---
Strain................. ---
Detected: when......... February 1990
          where........ Zürich, Switzerland (reported to be very
                        widespread among the Swiss schools in canton
                        Zug)
Classification......... Boot sector virus
Length of Virus........ Exactly 03F9h bytes (approx. 2 sectors)
------------------------ Preconditions --------------------------------
Operating System(s).... MS-DOS
Version/Release........ Any
Computer models........ IBM-PC and compatibles
-------------------------- Attributes ---------------------------------
Easy identification.... The boot sector contains the following text
                        (among others): "The FORM-Virus sends
                        greetings to everyone who's read this text.".
                        (See also: Damage)
Type of infection...... Direct action: at boot time the virus attempts
                        to infect the hard disk. Indirect: on every
                        read from a floppy, an attempt is made to
                        infect it.
Infection trigger...... Every read, at any time.
Media affected......... Any floppy and the first active partition on a
                        hard disk.
Interrupts hooked...... Int 13h (disk); Int 9h (keyboard) only on the
                        24th of any month.
Damage................. The virus makes the keys click and delays key
                        action slightly.
Particularities........ Economically programmed. It is a rare example
                        of both direct and indirect action in the same
                        virus.
Similarities........... ---
---------------------------- Agents -----------------------------------
Countermeasures........ ---
- ditto - successful.. Most checksumming programs that check the boot
                        sector.
Standard Means......... The text mentioned above will be found in a
                        cluster marked as bad. Disks can usually be
                        disinfected by booting from a write-protected
                        clean boot disk and using the SYS command on
                        any infected disk.
----------------------- Acknowledgements ------------------------------
Location............... Virus Test Center, University of Hamburg, FRG
Classification by...... Morton Swimmer
Documentation by....... Morton Swimmer
Date................... 5-June-1990
Information source..... Ralf Brown's interrupt list.
======================= End of "FORM" Virus ===========================

===== Computer Virus Catalog 1.2: "Lehigh" Virus (30-June-1990) =======
Entry...............: "Lehigh" Virus
Alias(es)...........: ---
Virus strain........: ---
Virus detected when.: November 1987
              where.: Lehigh University (Bethlehem/USA)
Classification......: System virus (COMMAND.COM), RAM-resident
Length of virus.....: 555 bytes
--------------------- Preconditions -----------------------------------
Operating system(s).: MS-DOS
Version/release.....: 2.0 and higher
Computer model(s)...: All MS-DOS machines
--------------------- Attributes --------------------------------------
Easy identification.: Last two bytes of COMMAND.COM = A9h 65h; text
                      found: ":\command.com".
Type of infection...: COMMAND.COM only (the stack space at the end of
                      the file is overwritten); RAM-resident (no check
                      whether RAM is already infected).
Infection trigger...: An uninfected COMMAND.COM in the root directory
                      of a used or current drive (checked via INT 21h).
Storage media affected: Any COMMAND.COM on hard disk or diskette.
Interrupts hooked...: INT 21h; INT 44h (set to the old INT 21h
                      handler).
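Both the Lehigh entry above and the Lisbon entry give exact file-level self-identification rules: Lehigh leaves A9h 65h as the last two bytes of COMMAND.COM, Lisbon leaves "@AIDS" as the last five bytes of an infected .COM and stamps the file time with 62 seconds, a value that only exists because the DOS directory time word stores seconds/2 in five bits (1Fh * 2 = 62, which no normal file ever receives). The following is an added example serving both entries, not part of the catalog and not ANTI!LIS.EXE or any listed anti-virus; it also enumerates which system-seconds values satisfy the Lisbon trigger (seconds AND 58h) = 0, which the entry states but does not quantify. Sample bytes are constructed.

```python
"""Lehigh / Lisbon self-identification checks and the Lisbon trigger arithmetic.

Added example for the two catalog entries; not the catalog's or ANTI!LIS's code.
Samples are constructed; no real virus body is reproduced.
"""

# ---- DOS directory time word: hours bits 11-15, minutes 5-10, seconds/2 0-4 ----
def decode_dos_time(word: int):
    """Unpack a 16-bit FAT time word into (hours, minutes, seconds)."""
    return (word >> 11) & 0x1F, (word >> 5) & 0x3F, (word & 0x1F) * 2


def encode_dos_time(hours: int, minutes: int, seconds: int) -> int:
    """Pack (hours, minutes, seconds) the way DOS does; seconds lose their low bit."""
    return (hours << 11) | (minutes << 5) | ((seconds // 2) & 0x1F)


def stamped_62_seconds(word: int) -> bool:
    """Lisbon/Vienna marker: seconds field 1Fh, i.e. 62 seconds (impossible normally)."""
    return (word & 0x1F) == 0x1F


# ---- tail signatures ---------------------------------------------------------
LISBON_TAIL = b"@AIDS"
LEHIGH_TAIL = bytes([0xA9, 0x65])
LISBON_LEN = 648


def lisbon_verdict(data: bytes, time_word: int) -> str:
    """'infected' (appended, tail @AIDS, 62-second stamp), 'damaged' (first five
    bytes overwritten with @AIDS), 'skipped' (outside the 10..64000-byte window
    the entry gives), else 'clean'."""
    if data.startswith(LISBON_TAIL):
        return "damaged"
    if data.endswith(LISBON_TAIL) and stamped_62_seconds(time_word):
        return "infected"
    if not 10 <= len(data) <= 64000:
        return "skipped"
    return "clean"


def lehigh_command_com_infected(data: bytes) -> bool:
    """Lehigh overwrites COMMAND.COM's trailing stack space; last two bytes A9h 65h."""
    return data.endswith(LEHIGH_TAIL) and b":\\command.com" in data


# ---- trigger arithmetic: (system seconds AND 58h) == 0 -> damage, else infect ----
def damage_seconds():
    """Second values 0..59 (as returned by DOS get-time) on which Lisbon damages
    the selected .COM instead of infecting it."""
    return [s for s in range(60) if (s & 0x58) == 0]


# ---- constructed samples -------------------------------------------------------
HOST = b"\xB8\x00\x4C\xCD\x21" + b"host code " * 8
LISBON_INFECTED = b"\xE9\x00\x00" + HOST[3:] + (b"\x90" * (LISBON_LEN - 5)) + LISBON_TAIL
LISBON_DAMAGED = LISBON_TAIL + HOST[5:]
LISBON_STAMP = encode_dos_time(12, 32, 62)            # 0x641F
COMMAND_COM_INFECTED = b"\x90" * 64 + b":\\command.com\x00" + b"\x90" * 555 + LEHIGH_TAIL

if __name__ == "__main__":
    print(hex(LISBON_STAMP), decode_dos_time(LISBON_STAMP))
    print(lisbon_verdict(LISBON_INFECTED, LISBON_STAMP), lisbon_verdict(LISBON_DAMAGED, 0))
    print(len(damage_seconds()), "of 60 second values trigger damage")
```

The seconds enumeration shows the real odds the entry's "random" selection implies: 16 of the 60 possible second values satisfy (seconds AND 58h) = 0, so roughly one chosen .COM in four is destroyed rather than infected.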
Infection trigger...: A selected .COM file is infected "at random":
                      IF (system seconds AND 58h) <> 0, ELSE it is
                      damaged!
Storage media affected: Current media and media accessed via the
                      DOS PATH.
Interrupts hooked...: ---
Damage..............: A selected .COM file is damaged permanently: its
                      first five bytes are overwritten with "@AIDS".
Damage trigger......: IF (system seconds AND 58h) = 0, ELSE infection!
Particularities.....: The virus ignores the READ-ONLY and HIDDEN
                      attributes.
Similarities........: Differences from Vienna: different trigger byte
                      (7); the five damage bytes are changed.
--------------------- Agents ------------------------------------------
Countermeasures.....: Category 3: ANTI!LIS.EXE (d:) (/f)
Countermeasures successful: My Antivirus ANTI!LIS.EXE looks for
                      infected files on a given drive (d:) and
                      optionally removes the virus (if /f is given).
Standard means......: ---
--------------------- Acknowledgement ---------------------------------
Location............: Virus Test Center, University Hamburg, FRG
Classification by...: Daniel Loeffler
Documentation by....: Daniel Loeffler
Date................: June 5, 1990
Information Source..: ---
===================== End of "Lisbon"-Virus ===========================

===== Computer Virus Catalog 1.2: "Murphy-1" Virus (12-June-1990) =====
Entry.................. "Murphy-1" Virus
Alias(es).............. ---
Strain................. Murphy Virus Strain
Detected: when......... December, 1989
          where........ Sofia, Bulgaria
Classification......... Program virus, indirect action
Length of Virus........ 1277 bytes added to EXE and COM files.
------------------------ Preconditions --------------------------------
Operating System(s).... MS-DOS
Version/Release........ 3.xx and upward
Computer models........ IBM-PC's and compatibles
-------------------------- Attributes ---------------------------------
Easy identification.... The virus contains the string: "Hello, I'm
                        Murphy. Nice to meet you friend. I'm written
                        since Nov/Dec. Copywrite (c)1989 by Lubo & Ian,
                        Sofia, USM Laboratory." See also Damage.
Type of infection...... Murphy is a program virus that appends itself
                        to any COM or EXE file larger than 1277 bytes.
                        COM files must be smaller than 64226 bytes;
                        however, a COM file larger than 64003 bytes
                        will not run once infected. A file is judged
                        to be infected if the distance between the
                        program entry point and the end of the file
                        equals the virus length. The virus also locates
                        the original INT 13h handler, unhooks any other
                        routine that has been hooked onto this
                        interrupt and restores the original handler.
                        Murphy installs itself in memory by modifying
                        the MCB chain. It determines whether it is
                        already resident by calling INT 21h function
                        4B59h: if the carry flag is clear on return,
                        memory is assumed not to be infected.
Infection trigger...... Infects files on execution and on opening.
Media affected......... Any logical drive.
Interrupts hooked...... INT 21h functions 4Bh, 3D00h and 6C00h (BL=0)
                        are used to infect files; INT 24h and INT 13h
                        are captured to mask out errors.
Damage................. The speaker is switched on and off, producing
                        a clicking noise.
Damage trigger......... This happens between 10:00 and 11:00 (AM).
Particularities........ INT 21h function 6C00h is the DOS 4.xx extended
                        open/create function, which makes Murphy-1 one
                        of the first viruses to make use of DOS 4.xx.
                        The virus knocks out the transient part of
                        COMMAND.COM, forcing it to be reloaded and
                        thereby infected.
Similarities........... Much of the code was taken from Eddie-1 / Dark
                        Avenger. This is the precursor of Murphy-2.
---------------------------- Agents -----------------------------------
Countermeasures........ Checksumming programs will detect the virus,
                        but, because the virus infects on open
                        (functions 3D00h/6C00h), running a checksummer
                        while the virus is resident has the side effect
                        of infecting every file it opens, i.e. every
                        file on the disk. F-DLOCK in Fridrik Skulason's
                        F-PROT package prevents files from being
                        infected.
- ditto - successful.. ---
Standard Means.........
                        ---
----------------------- Acknowledgements ------------------------------
Location............... Bulgarian Academy of Science and University of
                        Hamburg, Virus Test Center
Classification by...... Vesselin Bontchev
Documentation by....... Morton Swimmer
Date................... 12-June-1990
Information source..... ---
======================= End of "Murphy 1" Virus =======================

===== Computer Virus Catalog 1.2: "Murphy-2" Virus (12-June-1990) =====
Entry.................. "Murphy-2" Virus
Alias(es).............. ---
Strain................. Murphy Virus Strain
Detected: when......... April, 1990
          where........ Sofia, Bulgaria
Classification......... Program virus, indirect action
Length of Virus........ 1521 bytes added to EXE and COM files.
------------------------ Preconditions --------------------------------
Operating System(s).... MS-DOS
Version/Release........ 3.xx and upward
Computer models........ IBM-PC's and compatibles
-------------------------- Attributes ---------------------------------
Easy identification.... The virus contains the string: "It's me -
                        Murphy. Copywrite (c)1989 by Lubo & Ian, Sofia,
                        USM Laboratory." See also Damage.
Type of infection...... Murphy is a program virus that appends itself
                        to any COM or EXE file larger than 1521 bytes.
                        COM files must be smaller than 63982 bytes. A
                        file is judged to be infected if the distance
                        between the program entry point and the end of
                        the file equals the virus length. The virus
                        also locates the original INT 13h handler,
                        unhooks any other routine that has been hooked
                        onto this interrupt and restores the original
                        handler. Murphy installs itself in memory by
                        modifying the MCB chain. It determines whether
                        it is already resident by calling INT 21h
                        function 4B59h: if the carry flag is clear on
                        return, memory is assumed not to be infected.
Infection trigger...... Infects files on execution and on opening.
Media affected......... Any logical drive.
Interrupts hooked...... INT 21h functions 4Bh, 3D00h and 6C00h (BL=0)
                        are used to infect files; INT 24h and INT 13h
                        are captured to mask out errors.
Damage................. A ball (character 07) bounces over the screen.
Damage trigger......... This happens if the virus is active between
                        10:00 and 11:00 (AM).
Particularities........ INT 21h function 6C00h is the DOS 4.xx extended
                        open/create function, which makes Murphy (1/2)
                        one of the first viruses to make use of DOS
                        4.xx. The virus knocks out the transient part
                        of COMMAND.COM, forcing it to be reloaded and
                        thereby infected.
Similarities........... This virus was derived from Murphy-1. The code
                        has been cleaned up a bit, but the main
                        difference is in the damage. Much of the code
                        was taken from Eddie-1 / Dark Avenger. The
                        bouncing-ball effect looks very much like the
                        Italian virus, but the code shows no
                        similarities.
---------------------------- Agents -----------------------------------
Countermeasures........ Checksumming programs will detect the virus,
                        but, because the virus infects on open, running
                        a checksummer while the virus is resident has
                        the side effect of infecting every file on the
                        disk. F-DLOCK in Fridrik Skulason's F-PROT
                        package prevents files from being infected (it
                        was loaded before the virus was).
- ditto - successful.. ---
Standard Means......... ---
----------------------- Acknowledgements ------------------------------
Location............... Virus Test Center, University of Hamburg
Classification by...... Morton Swimmer. The source listing came from
                        Lubomir Mateev, one of the "authors" of this
                        virus. It was nicely commented in Bulgarian.
Documentation by....... Morton Swimmer
Date................... 12-June-1990
Information source.....
                        ---
======================= End of "Murphy-2" Virus =======================

=== Computer Virus Catalog 1.2: Sunday A&B Viruses (15-June-1990) =====
Entry...............: Sunday A & B Viruses
Alias(es)...........: ---
Virus Strain........: Israeli-Virus
Classification......: Program Virus (extending), RAM-resident
Length of Virus.....: .COM files: length increases by 1636 bytes.
                      .EXE files: length increases by 1638-1647 bytes.
                      .OVL files: length increases by 1638-1647 bytes.
--------------------- Preconditions -----------------------------------
Operating System(s).: MS-DOS, PC-DOS
Version/Release.....: 2.xx upward
Computer model(s)...: IBM-PC, XT, AT and compatibles
--------------------- Attributes --------------------------------------
Easy Identification.: Typical text in virus body (readable with
                      hexdump facilities): "Today is SunDay" (part of
                      the message).
Type of infection...: System: considered infected if function FFh of
                      INT 21h returns the value 0400h in the AX
                      register.
                      Files: the virus infects .COM, .EXE and overlay
                      files. Generally, files are infected only once.
Infection Trigger...: Programs are infected at load time (via the
                      Load/Execute function of MS-DOS).
Interrupts hooked...: INT 21h, INT 08h
Damage..............: Sunday version A: 30 minutes after the FIRST
                      infected program was run, the virus displays
                      this message: "Today is SunDay! Why do you work
                      so hard? All work and no play make you a dull
                      boy! Come on! Let's go out and have some fun!"
                      Sunday version B: once an infected program has
                      been run, every program loaded thereafter is
                      deleted.
Damage Trigger......: Every Sunday, provided the year is not 1989.
Particularities.....: The version of SUNDAY we have named "B" contains
                      version "A", except that the typical message is
                      not displayed on Sunday.
--------------------- Agents ------------------------------------------
Countermeasures.....: The virus is detected by:
                      VIRSUCH 2.15 (D. Hoppenrath)
                      SCAN 3.1 (McAfee)
--------------------- Acknowledgement ---------------------------------
Location............: Virus Test Center, University Hamburg, FRG
Classification by...: Jörg Steindecker
Documentation by....: Jörg Steindecker
Date................: June 15, 1990
Updates by..........: ---
===================== End of Sunday A&B Viruses =======================

======== Computer Virus Catalog 1.2: "SURIV 2.01" (5-June-1990) =======
Entry...............: "SURIV 2.01"
Alias(es)...........: "APRIL 1ST"
Virus Strain........: Jerusalem-Virus
Virus detected when.: ---
              where.: ---
Classification......: Link virus (extending), RAM-resident
Length of Virus.....: .EXE files: program length increases by 1488
                      bytes
--------------------- Preconditions -----------------------------------
Operating System(s).: MS-DOS
Version/Release.....: 2.xx upward
Computer model(s)...: IBM-PC, XT, AT and compatibles
--------------------- Attributes --------------------------------------
Easy Identification.: Typical text in virus body (readable with
                      hexdump utilities): "sURIV 2.01"
Type of infection...: System: RAM-resident.
                      .EXE file: extended via the EXEC function; files
                      are not infected more than once.
                      .COM file: no infection.
Infection Trigger...: When function 4B00h of INT 21h (EXEC) is called.
Interrupts hooked...: INT 1Ch, INT 21h, INT 24h
Damage..............: Permanent damage: ---
                      Transient damage: the virus examines the current
                      date. On every 1st of April, the virus displays
                      the message "APRIL 1ST HA HA HA YOU HAVE A VIRUS"
                      and the computer hangs in an endless loop. In
                      1980, and on every Wednesday after 1 April 1988,
                      the computer hangs in an endless loop at the
                      latest 55 minutes after the system was infected.
Particularities.....: One function (0DEh) used by Novell NetWare 4.0
                      can no longer be used.
--------------------- Agents ------------------------------------------
Countermeasures.....: ---
- ditto - successful: ---
Standard means......: Note the .EXE file length.
Typical text in virus body: "sURIV 2.01" --------------------- Acknowledgement --------------------------------- Location............: Virus Test Center, University Hamburg, FRG Classification by...: Thomas Lippke Documentation by....: Thomas Lippke Date................: 5-June-1990 ===================== End of "SURIV 2.01"-Virus ======================= ==== Computer Virus Catalog 1.2: "Suriv 3.00" Virus (5-June-1990) ===== Entry...............: Suriv 3.00 Alias(es)...........: Jerusalem (B) = Israeli #3 Virus Virus Strain........: Israeli-Virus Classification......: Program Virus (extending), RAM-resident Length of Virus.....: .COM files: length increases by 1813 bytes. .EXE files: length increases by 1808-1823 bytes. (.EXE file length must be a multiple of 16 bytes, as in any .EXE file) --------------------- Preconditions ----------------------------------- Operating System(s).: MS-DOS,PC-DOS Version/Release.....: 2.xx upward Computer model(s)...: IBM-PC, XT, AT and compatibles --------------------- Attributes -------------------------------------- Easy Identification.: Typical texts in Virus body (readable with HexDump facilities): "sURIV 3.00". Type of infection...: System: infected if function E0h of INT 21h returns value 0300h in the AX-register. .Com files: program length increases by 1813; files are infected only once; COMMAND.COM will not be infected. .EXE files: program length increases by 1808 - 1823 bytes, and no identification is used; therefore, .EXE files can be infected more than once. Infection Trigger...: Programs are infected at load time (using the function Load/Execute of MS-DOS). Interrupts hooked...: INT21h, INT08h Damage..............: 1. 30 seconds after the 1st infected program was run, the virus scrolls up 2 Lines in a small window of the screen ( left corner 5,5; right corner 16,16). 2. The virus slows down the system by about 10 %. Damage Trigger......: Every time when the system is infected. Particularities.....: 1. 
The version of the Suriv 3.00 which we have analyzed compares the system-date with "Friday 13th", but is not able to recognize "Friday 13th", because of a "bug"; if it cor- rectly recognized this date, it would delete any program started on "Friday 13th". 2. .EXE files can be infected many times. 3. Novell Netware 4.0 functions, esp. "Print Spooling" (INT21h/E0h), "Set Error Mode" (INT21h/DDh) and "Set Broadcast Mode" (INT21/DEh) cannott be used. --------------------- Agents ----------------------------------------- Countermeasures.....: The virus will be detected by : VIRSUCH 2.15 (D. Hoppenrath) as Israeli #3 F-FCHK 1.08 (F. Skulason) as Israeli/Jerusalem SCAN 3.1 (McAfee) as Jerusalem Ver. B FINDVIRU 6.04 (Solomon) as Suriv 3 Several Antiviruses do not work safely. --------------------- Acknowledgement --------------------------------- Location............: Virus Test Center, University Hamburg, FRG Classification by...: J”rg Steindecker Documentation by....: J”rg Steindecker, Joe Hirst (BCVRC) Date................: 5-June-1990 Updates by..........: --- ===================== End of Suriv 3.00 =============================== ========= Computer Virus Catalog 1.2: "Sylvia 2.1" (5-June-1990) ====== Entry...............: Sylvia V2.1 Alias(es)...........: Holland Girl Virus Virus Strain........: Sylvia Classification......: File Virus (Not RAM-resident), infects COM-files Length of Virus.....: 1332 bytes --------------------- Preconditions ----------------------------------- Operating System(s).: PCDOS/MSDOS Version/Release.....: 2.xx upward Computer model(s)...: IBM-PC, XT, AT and compatibles --------------------- Attributes -------------------------------------- Easy Identification.: Typical texts in Virus body (readable with Hexdump-facilities) : 1. "39 38 39 38 4F 45 4F 52 61 59 1E 56 5D 5A 52 61 62" (encoded text) 2. 'Text-Virus V2.1' 3. 
                      'Sylvia Verkade'
Type of infection...: The virus infects only COM files smaller than 30 KB; it does not infect COMMAND.COM, IBMBIO.COM or IBMDOS.COM. 1301 bytes of virus code are written in front of the original code and 31 bytes behind it; files are infected only once, because the virus checks for its signature (808h) at the beginning of the file.
Infection Trigger...: When an infected file is started, the virus tries to infect 5 COM files on the default drive.
Interrupts hooked...: INT 24h
Damage..............: The virus displays the following message: "FUCK YOU LAMER !!!! (CRLF) system halted..." and stops the system by jumping into an endless loop. The message is stored encoded in the program. In this version (V2.1), the message typical for the original Sylvia virus ("This program is infected by a HARMLESS ...") is NOT displayed.
Damage Trigger......: After being activated, the virus checks itself by computing a checksum over its first 144 words. When the checksum is incorrect (not equal to 46A3h), the damaging part of the virus is activated; in other words, a patched copy of the virus body triggers the payload.
--------------------- Agents ------------------------------------------
Countermeasures.....: The virus will be detected by:
                      VIRSUCH 2.15 (D. Hoppenrath)
                      F-FCHK 1.08 (F. Skulason)
                      SCAN 2.3 & 3.1 (McAfee)
Countermeasures successful: F-FCHK 1.08 successfully disinfects programs
--------------------- Acknowledgement ---------------------------------
Location............: Virus Test Center, University Hamburg, FRG
Classification by...: Jörg Steindecker
Documentation by....: Jörg Steindecker
Date................: 5-June-1990
===================== End of Sylvia V2.1 Virus ========================

===== Computer Virus Catalog 1.2: "Traceback" Virus (5-June-1990) =====
Entry...............: "Traceback" Virus
Alias(es)...........: "3066" Virus
Virus Strain........: Traceback
Virus detected when.: June 1989
              where.: ---
Classification......: Program extending, RAM-resident
Length of Virus.....: .COM and .EXE files increased by 3066 bytes.
--------------------- Preconditions -----------------------------------
Operating System(s).: MS-DOS
Version/Release.....: 2.xx upward
Computer model(s)...: IBM-PC, XT, AT and compatibles
--------------------- Attributes --------------------------------------
Easy Identification.: Typical text in virus body (readable with hex-dump utilities):
                      1. "VG1" in the data area of the virus.
                      2. "VG1" is found at the offset given by the near-jump displacement if the program is a .COM file.
                      3. The complete name of the file which infected the currently loaded file is in the code.
                      4. Search .COM or .EXE files for the hex string 58,2B,C6,03,C7,06,50,F3,A4,CB,90,50,E8,E2,03,8B (the last 16 bytes of an infected program).
Type of infection...: System: infected if the signature string "VG1" is found at a specific location in memory.
                      .COM files: program length increased by 3,066 bytes if infected. Infects files up to 62,218 bytes. The first byte of an infected file is a near jump (E9h,XXh,YYh) to the virus code; the program is infected if the string "VG1" is at offset (viruscode_entry)-03h. .COM files are infected only once.
                      .EXE files: program length increased by 3066 bytes; the string "VG1" is used for identification. .EXE files are infected only once.
Infection Trigger...: Programs are infected the first time the virus is run, and at load time (using the Load/Execute function (4Bh) of MS-DOS).
Interrupts hooked...: INT 21h, INT 1Ch, INT 09h, INT 20h, INT 27h (INT 24h only during infection of a file).
Damage..............: Transient damage: one hour after system infection, the characters fall down the screen. After 1 minute, the screen is automatically restored. During the damage, INT 09h is hooked: characters typed during the damage move the "fallen-down" characters back to their start positions. The damage repeats every hour.
                      Permanent damage: ---
Damage Trigger......: Every time an infected file is run, the system date is checked; apart from diverse conditions before Dec. 28, 1988, the relevant routine checks: IF (system date >= 28th of December 1988) THEN "cascade damage" (same as the Autumn Leaves virus).
Particularities.....: - The virus infects all files which are loaded via INT 21h function 4Bh, including .EXE, .COM and other files such as .APP (GEM) and .OVL.
                      - Some files will not run after infection.
Similarities........: There are some variants of this virus.
--------------------- Agents ------------------------------------------
Countermeasures.....: Category 3: NTI3066.EXE (VTC Hamburg)
Countermeasures successful: NTI3066.EXE is an antivirus that only looks for the Traceback-3066 virus and, if requested, will restore the file.
Standard means......: Check file lengths and search for the strings given above.
--------------------- Acknowledgement ---------------------------------
Location............: Virus Test Center, University Hamburg, FRG
Classification by...: Stefan Tode
Documentation by....: Stefan Tode
Date................: 5-June-1990
Information source..: PC VIRUS LISTING (Joe Hirst)
===================== End of "Traceback" Virus ========================

==== Computer Virus Catalog 1.2: "Vienna 348 Virus" (28-June-1990) ===
Entry...............: "Vienna 348" Virus
Alias(es)...........: ---
Virus strain........: Vienna Virus strain
Virus detected when.: ---
              where.: ---
Classification......: Program virus (extending), direct action
Length of virus.....: 348 bytes
--------------------- Preconditions ----------------------------------
Operating system(s).: MS-DOS
Version/release.....: 2.0 and higher
Computer model(s)...: All MS-DOS machines
--------------------- Attributes -------------------------------------
Easy identification.: Bytes found in virus: EAh,06h,00h,00h,C8h (a far jump to C800:0006, the damage stub described below); text found: "*.COM",00h,"PATH=".
Type of infection...: Self-identification: the time stamp of an infected file is changed: the seconds are set to 62 (= 2 * 1Fh; DOS stores seconds/2 in a five-bit field, so a legitimately written file never shows more than 58 seconds). When an infected file is executed, .COM files in the current directory as well as in the directories of the DOS PATH are extended by appending the viral code; no infection if the file size is < 10 or > 64000 bytes.
Infection trigger...: A selected .COM file is infected "at random": IF (system seconds AND 7) <> 0 THEN infect, ELSE damage!
Storage media affected: Current media and media accessed via the DOS PATH.
Interrupts hooked...: INT 24h, diverted to the virus's own error handler only during virus run time, to suppress error messages sent out by DOS.
Damage..............: A selected .COM file is damaged permanently: its first five bytes are overwritten with a far jump to the hard-disk low-level-format routine (XT only).
Damage trigger......: IF (system seconds AND 7) = 0 THEN damage, ELSE infect!
Particularities.....: The virus ignores the READ-ONLY and HIDDEN attributes; the PATH search is corrected (compare the Vienna 623/627 entries, where it is not).
Similarities........: Dissimilarities to Vienna (648 bytes): code optimized and length decreased; the five damage bytes are changed.
--------------------- Agents -----------------------------------------
Countermeasures.....: ---
Countermeasures successful: ---
Standard means......: Do not execute .COM files whose time stamp shows 62 seconds; restore them from a backup disk.
--------------------- Acknowledgement --------------------------------
Location............: Virus Test Center, University Hamburg, FRG
Classification by...: Uwe Ellermann, Daniel Loeffler
Documentation by....: Daniel Loeffler, Uwe Ellermann
Date................: June 28, 1990
Information Source..: ---
=================== End of "Vienna 348 Virus" ========================

==== Computer Virus Catalog 1.2: "Vienna 353 Virus" (28-June-1990) ===
Entry...............: "Vienna 353" Virus
Alias(es)...........: ---
Virus strain........: Vienna Virus strain
Virus detected when.: ---
              where.: ---
Classification......: Program virus (extending), direct action
Length of virus.....: 353 bytes
--------------------- Preconditions ----------------------------------
Operating system(s).: MS-DOS
Version/release.....: 2.0 and higher
Computer model(s)...: All MS-DOS machines
--------------------- Attributes -------------------------------------
Easy identification.: Bytes found in virus: EAh,06h,00h,00h,C8h (a far jump to C800:0006, the damage stub described below); text found: "*.COM",00h,"PATH=".
Type of infection...: Self-identification: the time stamp of an infected file is changed: the seconds are set to 62 (= 2 * 1Fh). When an infected file is executed, .COM files in the current directory as well as in the directories of the DOS PATH are extended by appending the viral code; no infection if the file size is < 10 or > 64000 bytes.
Infection trigger...: A selected .COM file is infected "at random": IF (system seconds AND 7) <> 0 THEN infect, ELSE damage!
Storage media affected: Current media and media accessed via the DOS PATH.
Interrupts hooked...: INT 24h, diverted to the virus's own error handler only during virus run time, to suppress error messages sent out by DOS.
Damage..............: A selected .COM file is damaged permanently: its first five bytes are overwritten with a far jump to the hard-disk low-level-format routine (XT only).
Damage trigger......: IF (system seconds AND 7) = 0 THEN damage, ELSE infect!
Particularities.....: The virus ignores the READ-ONLY and HIDDEN attributes; the PATH search is corrected (compare the Vienna 623/627 entries, where it is not).
Similarities........: Dissimilarities to Vienna (648 bytes): code optimized and length decreased; the five damage bytes are changed.
--------------------- Agents -----------------------------------------
Countermeasures.....: ---
Countermeasures successful: ---
Standard means......: Do not execute .COM files whose time stamp shows 62 seconds; restore them from a backup disk.
--------------------- Acknowledgement --------------------------------
Location............: Virus Test Center, University Hamburg, FRG
Classification by...: Uwe Ellermann, Daniel Loeffler
Documentation by....: Daniel Loeffler, Uwe Ellermann
Date................: June 28, 1990
Information Source..: ---
=================== End of "Vienna 353 Virus" ========================

==== Computer Virus Catalog 1.2: "Vienna 367 Virus" (28-June-1990) ===
Entry...............: "Vienna 367" Virus
Alias(es)...........: ---
Virus strain........: Vienna Virus strain
Virus detected when.: ---
              where.: ---
Classification......: Program virus (extending), direct action
Length of virus.....: 367 bytes
--------------------- Preconditions ----------------------------------
Operating system(s).: MS-DOS
Version/release.....: 2.0 and higher
Computer model(s)...: All MS-DOS machines
--------------------- Attributes -------------------------------------
Easy identification.: Bytes found in virus: EAh,06h,00h,00h,C8h (a far jump to C800:0006, the damage stub described below); text found: "*.COM",00h,"PATH=".
Type of infection...: Self-identification: the time stamp of an infected file is changed: the seconds are set to 62 (= 2 * 1Fh). When an infected file is executed, .COM files in the current directory as well as in the directories of the DOS PATH are extended by appending the viral code; no infection if the file size is < 10 or > 64000 bytes.
Infection trigger...: A selected .COM file is infected "at random": IF (system seconds AND 7) <> 0 THEN infect, ELSE damage!
Storage media affected: Current media and media accessed via the DOS PATH.
Interrupts hooked...: INT 24h, diverted to the virus's own error handler only during virus run time, to suppress error messages sent out by DOS.
Damage..............: A selected .COM file is damaged permanently: its first five bytes are overwritten with a far jump to the hard-disk low-level-format routine (XT only).
Damage trigger......: IF (system seconds AND 7) = 0 THEN damage, ELSE infect!
Particularities.....: The virus ignores the READ-ONLY and HIDDEN attributes; the PATH search is corrected (compare the Vienna 623/627 entries, where it is not).
Similarities........: Dissimilarities to Vienna (648 bytes): code optimized and length decreased; the five damage bytes are changed.
--------------------- Agents -----------------------------------------
Countermeasures.....: ---
Countermeasures successful: ---
Standard means......: Do not execute .COM files whose time stamp shows 62 seconds; restore them from a backup disk.
--------------------- Acknowledgement --------------------------------
Location............: Virus Test Center, University Hamburg, FRG
Classification by...: Uwe Ellermann, Daniel Loeffler
Documentation by....: Daniel Loeffler, Uwe Ellermann
Date................: June 28, 1990
Information Source..: ---
=================== End of "Vienna 367 Virus" ========================

==== Computer Virus Catalog 1.2: "Vienna 435 Virus" (28-June-1990) ===
Entry...............: "Vienna 435" Virus
Alias(es)...........: ---
Virus strain........: Vienna Virus strain
Virus detected when.: ---
              where.: ---
Classification......: Program virus (extending), direct action
Length of virus.....: 435 bytes
--------------------- Preconditions ----------------------------------
Operating system(s).: MS-DOS
Version/release.....: 2.0 and higher
Computer model(s)...: All MS-DOS machines
--------------------- Attributes -------------------------------------
Easy identification.: Bytes found in virus: EAh,05h,00h,00h,C8h (a far jump to C800:0005, the damage stub described below); text found: "*.COM",00h,"PATH=".
Type of infection...: Self-identification: the time stamp of an infected file is changed: the seconds are set to 62 (= 2 * 1Fh). When an infected file is executed, .COM files in the current directory as well as in the directories of the DOS PATH are extended by appending the viral code; no infection if the file size is < 10 or > 64000 bytes.
Infection trigger...: A selected .COM file is infected "at random": IF (system seconds AND 7) <> 0 THEN infect, ELSE damage!
Storage media affected: Current media and media accessed via the DOS PATH.
Interrupts hooked...: INT 24h, diverted to the virus's own error handler only during virus run time, to suppress error messages sent out by DOS.
Damage..............: A selected .COM file is damaged permanently: its first five bytes are overwritten with a far jump to the hard-disk low-level-format routine (XT only).
Damage trigger......: IF (system seconds AND 7) = 0 THEN damage, ELSE infect!
Particularities.....: The virus ignores the READ-ONLY and HIDDEN attributes; the PATH search is corrected (compare the Vienna 623/627 entries, where it is not).
Similarities........: Dissimilarities to Vienna (648 bytes): code optimized and length decreased; the five damage bytes are changed.
--------------------- Agents -----------------------------------------
Countermeasures.....: ---
Countermeasures successful: ---
Standard means......: Do not execute .COM files whose time stamp shows 62 seconds; restore them from a backup disk.
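The "62 seconds" marker used by all Vienna variants above is a value the DOS directory entry can hold but a normally written file never carries, so it can be checked from a directory listing taken after a clean boot without running anything. The following Python script is an added example, not catalog code: it decodes the 16-bit DOS time and date words of a directory entry, flags the Vienna marker, flags the "year + 100" marker that the "4096" entry later in this catalog describes in the same date word, and decodes the five-byte far-jump stubs listed under Easy identification (EAh, offset, segment) so their targets can be read. The directory entries are constructed here, not read from an infected disk.

```python
"""Decode the DOS directory date/time words that the Vienna variants (seconds
forced to 62) and the "4096" virus (year + 100) use as infection markers, and
decode the five-byte far-jump damage stub.  Added example, not catalog code;
the directory entries below are constructed, not read from a disk."""
import struct

# 32-byte FAT directory entry as DOS 2.x defines it: name (0-10), attribute (11),
# reserved (12-21), write time (22-23), write date (24-25), first cluster (26-27),
# size (28-31).  Time word: 5 bits hour, 6 bits minute, 5 bits seconds/2.
# Date word: 7 bits year-1980, 4 bits month, 5 bits day.
ENTRY_FMT = "<11sB10xHHHI"


def decode_dos_time(word: int):
    """(hour, minute, seconds).  Seconds are stored halved in five bits, so a
    legitimately written file never shows more than 29 * 2 = 58."""
    return (word >> 11) & 0x1F, (word >> 5) & 0x3F, (word & 0x1F) * 2


def decode_dos_date(word: int):
    return 1980 + ((word >> 9) & 0x7F), (word >> 5) & 0x0F, word & 0x1F


def dos_time(hour: int, minute: int, sec_field: int) -> int:
    return (hour << 11) | (minute << 5) | (sec_field & 0x1F)


def dos_date(year: int, month: int, day: int) -> int:
    return ((year - 1980) << 9) | (month << 5) | day


def make_entry(name: str, wtime: int, wdate: int, size: int,
               attr: int = 0x20, cluster: int = 2) -> bytes:
    return struct.pack(ENTRY_FMT, name.ljust(11).encode("ascii"),
                       attr, wtime, wdate, cluster, size)


def check_entry(entry: bytes):
    """Markers found in one 32-byte directory entry."""
    _, _, wtime, wdate, _, _ = struct.unpack(ENTRY_FMT, entry)
    findings = []
    if decode_dos_time(wtime)[2] == 62:          # seconds field == 1Fh: Vienna marker
        findings.append("vienna-seconds-62")
    if decode_dos_date(wdate)[0] - 1980 > 100:   # year field > 100: "4096" sets year + 100
        findings.append("4096-year-plus-100")
    return findings


def scan_directory(blob: bytes):
    """Walk raw 32-byte entries; skip deleted (E5h), volume-label and subdirectory entries."""
    report = {}
    for pos in range(0, len(blob) - 31, 32):
        entry = blob[pos:pos + 32]
        if entry[0] == 0x00:                     # end-of-directory marker
            break
        if entry[0] == 0xE5 or entry[11] & 0x18:
            continue
        hits = check_entry(entry)
        if hits:
            report[entry[:11].decode("ascii")] = hits
    return report


def decode_far_jmp(stub: bytes):
    """(segment, offset) of a JMP FAR ptr16:16 (EAh, offset lo/hi, segment lo/hi), else None."""
    if len(stub) < 5 or stub[0] != 0xEA:
        return None
    off, seg = struct.unpack_from("<HH", stub, 1)
    return seg, off


# Constructed sample directory: a clean file, a Vienna-marked file, a "4096"-marked file.
CLEAN = make_entry("CLEAN   COM", dos_time(12, 30, 29), dos_date(1990, 6, 28), 2048)
VIENNA = make_entry("VICTIM  COM", dos_time(12, 30, 0x1F), dos_date(1990, 6, 28), 2048 + 348)
STEALTH = make_entry("HOST    EXE", dos_time(9, 0, 0), dos_date(1989 + 100, 10, 1), 20480 + 4096)
DIRECTORY = CLEAN + VIENNA + STEALTH + bytes(32)

if __name__ == "__main__":
    print(scan_directory(DIRECTORY))
    for stub in ("EA060000C8", "EA050000C8", "EA000000C8", "EA0B021358"):
        seg, off = decode_far_jmp(bytes.fromhex(stub))
        print(f"{stub}: JMP FAR {seg:04X}:{off:04X}")
```

The four stubs decode to C800:0006, C800:0005, C800:0000 (the Vienna 348/353/367, 435 and 623 damage targets, which the catalog identifies as the XT hard-disk low-level-format routine) and 5813:020B (Vienna 627, "somewhere into RAM"). Take the directory bytes from a system booted from a clean, write-protected floppy: a resident stealth virus such as "4096" alters what Find First/Next returns.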
--------------------- Acknowledgement --------------------------------
Location............: Virus Test Center, University Hamburg, FRG
Classification by...: Uwe Ellermann, Daniel Loeffler
Documentation by....: Daniel Loeffler, Uwe Ellermann
Date................: June 28, 1990
Information Source..: ---
=================== End of "Vienna 435 Virus" ========================

==== Computer Virus Catalog 1.2: "Vienna 623 Virus" (28-June-1990) ===
Entry...............: "Vienna 623" Virus
Alias(es)...........: ---
Virus strain........: Vienna Virus strain
Virus detected when.: ---
              where.: ---
Classification......: Program virus (extending), direct action
Length of virus.....: 623 bytes
--------------------- Preconditions ----------------------------------
Operating system(s).: MS-DOS
Version/release.....: 2.0 and higher
Computer model(s)...: All MS-DOS machines
--------------------- Attributes -------------------------------------
Easy identification.: Bytes found in virus: EAh,00h,00h,00h,C8h (a far jump to C800:0000, the damage stub described below); text found: "*.COM" and "PATH=".
Type of infection...: Self-identification: the time stamp of an infected file is changed: the seconds are set to 62 (= 2 * 1Fh). When an infected file is executed, .COM files in the current directory as well as in the directories of the DOS PATH are extended by appending the viral code; no infection if the file size is < 10 or > 64000 bytes.
Infection trigger...: A selected .COM file is infected "at random": IF (system seconds AND 7) <> 0 THEN infect, ELSE damage!
Storage media affected: Current media and media accessed via the DOS PATH.
Interrupts hooked...: INT 24h, diverted to the virus's own error handler only during virus run time, to suppress error messages sent out by DOS.
Damage..............: A selected .COM file is damaged permanently: its first five bytes are overwritten with a far jump to the hard-disk low-level-format routine (XT only).
Damage trigger......: IF (system seconds AND 7) = 0 THEN damage, ELSE infect!
Particularities.....: The virus ignores the READ-ONLY and HIDDEN attributes; the PATH search is not correct: the first environment entry containing "PATH=" (e.g. xxxPATH=C:\xxx) is taken as the path.
Similarities........: Dissimilarities to Vienna (648 bytes): code optimized and length decreased; the five damage bytes are changed.
--------------------- Agents -----------------------------------------
Countermeasures.....: ---
Countermeasures successful: ---
Standard means......: Do not execute .COM files whose time stamp shows 62 seconds; restore them from a backup disk.
--------------------- Acknowledgement --------------------------------
Location............: Virus Test Center, University Hamburg, FRG
Classification by...: Uwe Ellermann, Daniel Loeffler
Documentation by....: Daniel Loeffler, Uwe Ellermann
Date................: June 28, 1990
Information Source..: ---
=================== End of "Vienna 623 Virus" ========================

==== Computer Virus Catalog 1.2: "Vienna 627 Virus" (28-June-1990) ===
Entry...............: "Vienna 627" Virus
Alias(es)...........: ---
Virus strain........: Vienna Virus strain
Virus detected when.: ---
              where.: ---
Classification......: Program virus (extending), direct action
Length of virus.....: 627 bytes
--------------------- Preconditions ----------------------------------
Operating system(s).: MS-DOS
Version/release.....: 2.0 and higher
Computer model(s)...: All MS-DOS machines
--------------------- Attributes -------------------------------------
Easy identification.: Last five bytes of the file: EAh,0Bh,02h,13h,58h (a far jump to 5813:020B, the damage stub described below); text found: "*.COM" and "PATH=".
Type of infection...: Self-identification: the time stamp of an infected file is changed: the seconds are set to 62 (= 2 * 1Fh). When an infected file is executed, .COM files in the current directory as well as in the directories of the DOS PATH are extended by appending the viral code; no infection if the file size is < 10 or > 64000 bytes.
Infection trigger...: A selected .COM file is infected "at random": IF (system seconds AND 7) <> 0 THEN infect, ELSE damage!
Storage media affected: Current media and media accessed via the DOS PATH.
Interrupts hooked...: ---
Damage..............: A selected .COM file is damaged permanently: its first five bytes are overwritten with a far jump somewhere into RAM (the five bytes listed under Easy identification).
Damage trigger......: IF (system seconds AND 7) = 0 THEN damage, ELSE infect!
Particularities.....: The virus ignores the READ-ONLY and HIDDEN attributes; the PATH search is not correct: the first environment entry containing "PATH=" (e.g. xxxPATH=C:\xxx) is taken as the path.
Similarities........: Dissimilarities to Vienna (648 bytes): code optimized and length decreased; the five damage bytes are changed.
--------------------- Agents -----------------------------------------
Countermeasures.....: ---
Countermeasures successful: ---
Standard means......: Do not execute .COM files whose time stamp shows 62 seconds; restore them from a backup disk.
--------------------- Acknowledgement --------------------------------
Location............: Virus Test Center, University Hamburg, FRG
Classification by...: Uwe Ellermann, Daniel Loeffler
Documentation by....: Daniel Loeffler, Uwe Ellermann
Date................: June 28, 1990
Information Source..: ---
=================== End of "Vienna 627 Virus" ========================

====== Computer Virus Catalog 1.2: "V-277" Virus (11-June-1990) ======
Entry.................. "V-277" Virus
Alias(es).............. "Viki" Virus
Strain................. Amstrad Virus Strain
Detected: when......... Spring 1990
          where........ Bulgaria
Classification......... Program virus, direct action, prefix
Length of Virus........ 277 bytes
------------------------ Preconditions -------------------------------
Operating System(s).... MS-DOS
Version/Release........ 2.xx and upward
Computer models........ IBM-PCs and compatibles
-------------------------- Attributes --------------------------------
Easy identification....
                        The virus identifies an existing infection by checking for the string "UM" at offset 3 in the COM file.
Type of infection...... A program virus that infects all COM files in the current directory by prepending itself to its victim.
Infection trigger...... As it is a direct action virus, it only infects at run time, but will do so at any time.
Media affected......... Any logical drive that is the "current" drive.
Interrupts hooked...... ---
Damage................. Denial of access. It also simulates a RAM parity error. This does not mean, however, that the hardware has been damaged.
Damage trigger......... The virus carries an evolution counter that is increased every time the virus is executed. When the counter is greater than or equal to 5, the virus reads the system timer. If the value is odd, the virus terminates with a parity error. (This is effectively a 50% chance of termination.)
Particularities........ This is a variant of the V-299 virus. It is now vying for recognition as the smallest known virus.
Similarities........... Amstrad, V-345, V-299, Cancer viruses. I don't know why anyone would bother to modify such a stupid virus as the Amstrad.
---------------------------- Agents ----------------------------------
Countermeasures........ Checksumming programs will detect the changes to the files.
- ditto - successful.. ---
Standard Means......... Believe it or not, write-protecting programs with ATTR will prevent the virus from spreading to them (unlike the Vienna variants, it does not override the read-only attribute).
----------------------- Acknowledgements -----------------------------
Location............... Bulgarian Academy of Science and University of Hamburg, Virus Test Center
Classification by...... Morton Swimmer, VTC
Documentation by....... Vesselin Bontchev
Date................... 11-June-1990
Information source..... ---
======================= End of "V-277" Virus =========================

====== Computer Virus Catalog 1.2: "V-299" Virus (11-June-1990) ======
Entry.................. "V-299" Virus
Alias(es)..............
                        ---
Strain................. Amstrad Virus Strain
Detected: when......... Winter 1989
          where........ Bulgaria
Classification......... Program virus, direct action, prefix
Length of Virus........ 299 bytes
------------------------ Preconditions -------------------------------
Operating System(s).... MS-DOS
Version/Release........ 2.xx and upward
Computer models........ IBM-PCs and compatibles
-------------------------- Attributes --------------------------------
Easy identification.... The virus contains the string "Program sick error:Call doctor or buy PIXEL for cure description". The virus identifies an existing infection by checking for the string "IV" at offset 3 in the COM file.
Type of infection...... A program virus that infects all COM files in the current directory by prepending itself to its victim. The virus will not spread very quickly.
Infection trigger...... As it is a direct action virus, it only infects at run time, but will do so at any time.
Media affected......... Any logical drive that is the "current" drive
Interrupts hooked...... ---
Damage................. Denial of access
Damage trigger......... The virus carries an evolution counter that is increased every time the virus is executed. When the counter is greater than or equal to 5, the virus reads the system timer. If the value is odd, the virus terminates with the message described above. (This is effectively a 50% chance of termination.)
Particularities........ This is an optimized variant of the V-345 virus. At the time of its creation it was the smallest known virus.
Similarities........... Amstrad, V-345, Cancer viruses
---------------------------- Agents ----------------------------------
Countermeasures........ Checksumming programs will detect the changes to the files.
- ditto - successful.. V847clr by Vesselin Bontchev will successfully search for and clear the Amstrad, V-345 and V-299 viruses, and find the Cancer virus.
Standard Means.........
                        Believe it or not, write-protecting programs with ATTR will prevent the virus from spreading to them.
----------------------- Acknowledgements -----------------------------
Location............... Bulgarian Academy of Science and University of Hamburg, Virus Test Center
Classification by...... Morton Swimmer
Documentation by....... Vesselin Bontchev
Date................... 11-June-1990
Information source..... ---
======================= End of "V-299" Virus =========================

====== Computer Virus Catalog 1.2: "V-345" Virus (11-June-1990) ======
Entry.................. "V-345" Virus
Alias(es).............. ---
Strain................. Amstrad Virus Strain
Detected: when......... Winter 1989
          where........ Bulgaria
Classification......... Program virus, direct action, prefix
Length of Virus........ 345 bytes
------------------------ Preconditions -------------------------------
Operating System(s).... MS-DOS
Version/Release........ 2.xx and upward
Computer models........ IBM-PCs and compatibles
-------------------------- Attributes --------------------------------
Easy identification.... The virus contains the string "Program sick error:Call doctor or buy PIXEL for cure description". The virus identifies an existing infection by checking for the string "IV" at offset 3 in the COM file.
Type of infection...... A program virus that infects all COM files in the current directory by prepending itself to its victim. The virus will not spread very quickly.
Infection trigger...... As it is a direct action virus, it only infects at run time, but will do so at any time.
Media affected......... Any logical drive that is the "current" drive
Interrupts hooked...... ---
Damage................. Denial of access
Damage trigger......... The virus carries an evolution counter that is increased every time the virus is executed. When the counter is greater than or equal to 5, the virus reads the system timer. If the value is odd, the virus terminates with the message described above.
                        (This is effectively a 50% chance of termination.)
Particularities........ This is an optimized variant of the Amstrad virus.
Similarities........... Amstrad, V-299, Cancer viruses
---------------------------- Agents ----------------------------------
Countermeasures........ Checksumming programs will detect the changes to the files.
- ditto - successful.. V847clr by Vesselin Bontchev will successfully search for and clear the Amstrad, V-345 and V-299 viruses, and find the Cancer virus.
Standard Means......... Believe it or not, write-protecting programs with ATTR will prevent the virus from spreading to them.
----------------------- Acknowledgements -----------------------------
Location............... Bulgarian Academy of Science and University of Hamburg, Virus Test Center
Classification by...... Morton Swimmer
Documentation by....... Vesselin Bontchev
Date................... 11-June-1990
Information source..... ---
======================= End of "V-345" Virus =========================

====== Computer Virus Catalog 1.2: "8-Tunes" Virus (11-June-1990) ====
Entry...............: "8-Tunes" Virus
Alias(es)...........: "1971" Virus
Virus Strain........: ---
Virus detected when.: ---
              where.: ---
Classification......: Link virus (extending), RAM-resident
Length of Virus.....: .COM files: program length increases by 1971-1986 bytes: (length - 3) mod 16 = 0.
                      .EXE files: program length increases by 1971-1986 bytes: (length - 3) mod 16 = 0.
--------------------- Preconditions -----------------------------------
Operating System(s).: MS-DOS
Version/Release.....: 2.xx upward
Computer model(s)...: IBM-PC, XT, AT and compatibles
--------------------- Attributes --------------------------------------
Easy Identification.: Typical text in virus body (readable with hex-dump facilities): "COMMAND.COM" in the data area of the virus; increased file length if the file is infected.
Type of infection...: System: infected if function E00Fh of INT 21h returns the value 4C31h in the AX register.
                      .COM files: program length increases by 1971-1986 bytes; if infected, the bytes 007h,01Fh,05Fh,05Eh,05Ah,059h,05Bh,058h,02Eh,0FFh,02Eh,00Bh,000h are found 62 bytes before the end of the file; a .COM file is infected only once. .COM files are not infected if the file length is < 8177 or > 63296 bytes; the virus is linked to the end of the program.
                      .EXE files: program length increases by 1971-1986 bytes. If infected, the bytes 007h,01Fh,05Fh,05Eh,05Ah,059h,05Bh,058h,02Eh,0FFh,02Eh,00Bh,000h are found 62 bytes before the end of the file; an .EXE file is infected only once. .EXE files are not infected if the file length is < 8177 bytes; the virus is linked to the end of the program.
Infection Trigger...: Programs are infected during the load procedure (Load/Execute function of MS-DOS).
Interrupts hooked...: INT 21h, INT 08h (only if triggered), INT 24h (only while infecting a file)
Damage..............: Transient damage: after 30 minutes, the virus plays one of eight melodies (random selection). After a short time, the virus plays a melody again.
Damage Trigger......: Damage occurs 90 days after the file infection.
Particularities.....: 1. COMMAND.COM is not infected.
                      2. Normally the virus stays resident at the end of available memory; only if memory is fragmented by special software does the virus go resident via DOS function 31h instead.
                      3. One function (0E00Fh) used by Novell Netware 4.0 can no longer be accessed.
                      4. The damage occurs immediately when processing a file with a creation date before 1984.
                      5. During a file infection, the virus looks for "BOMBSQAD.COM", an antivirus tool controlling accesses to disks; if found, the virus deactivates it (tested with BOMBSQAD V. 1.2).
                      6. During a file infection, the virus looks for "FSP.COM" (Flushot+), an antivirus tool controlling accesses to disks, files etc.
                      If found, the virus stops the file infection (tested with FLUSHOT V. 1.4).
--------------------- Acknowledgement ---------------------------------
Location............: Virus Test Center, University Hamburg, FRG
Classification by...: Thomas Lippke, Michael Reinschmiedt
Documentation by....: Michael Reinschmiedt, Thomas Lippke
Date................: 11-JUN-1990
===================== End of "8-TUNES"-Virus ==========================

======== Computer Virus Catalog 1.2: "512" Virus (5-June-1990) ========
Entry...............: "512" Virus
Alias(es)...........: ---
Virus Strain........: ---
Virus detected when.: January 1990
              where.: Bulgaria
Classification......: COM overwriting/extending/resident.
Length of Virus.....: 512 bytes
--------------------- Preconditions -----------------------------------
Operating System(s).: PC/MS-DOS
Version/Release.....:
Computer model(s)...: IBM PC/XT/AT/PS and compatibles
--------------------- Attributes --------------------------------------
Easy Identification.: "666" at offset 509 (visible only when the virus is not resident; see Particularities).
Type of infection...: Executable file infection: overwriting/extending; resident. The first 512 bytes of the file are moved into the free space of the file's last cluster and replaced with the virus code. System infection: RAM-resident; uses disk buffer space for its code in order not to take up memory.
Infection Trigger...: Any file close (INT 21h, service 3Eh) or execute (INT 21h, service 4Bh) on a .COM file.
Storage media affected: Any drive
Interrupts hooked...: INT 21h DOS services; INT 13h and INT 24h while infecting.
Damage..............: ---
Damage Trigger......: ---
Particularities.....: If the virus is in memory, files are read back as uninfected. The directory never shows a size increase, even if the virus is not in memory, because the displaced 512 bytes live in the slack space of the last cluster. Under DOS 3.3, software write protections are bypassed.
Similarities........: ---
--------------------- Agents ------------------------------------------
Countermeasures.....: Monitoring the INT 21h vector.
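The "Easy identification" fields for Traceback ("VG1" three bytes before the near-jump target, plus the fixed 16-byte tail), V-277/V-299/V-345 ("UM" or "IV" at offset 3 of the prefixed file), Vienna 627 (last five bytes), 8-Tunes (13 bytes at 62 bytes before end of file) and "512" ("666" at offset 509) are all fixed byte patterns at a fixed or jump-derived offset in the file image. The following Python scanner is an added example, not catalog code: it implements those rules over raw .COM images and builds constructed sample images that follow the layouts the catalog describes (jump-over-host appending infector, prepending infector, overwriting infector); the sample bytes are filler, not real virus code, and reading "62 bytes before end of file" as "starting at EOF-62" is an assumption.

```python
"""Offline scanner for the file-level "Easy identification" rules quoted in
this catalog.  Added example, not catalog code.  The samples are constructed
from the published layouts; no real virus code is included."""
import struct

TRACEBACK_TAIL = bytes.fromhex("582BC603C70650F3A4CB9050E8E2038B")   # last 16 bytes
EIGHT_TUNES_SIG = bytes.fromhex("071F5F5E5A595B582EFF2E0B00")        # 13 bytes
VIENNA_627_TAIL = bytes.fromhex("EA0B021358")                         # last 5 bytes


def near_jmp_target(data: bytes):
    """File offset a leading near JMP (E9h disp16) lands on, or None.  A .COM image
    is loaded at CS:0100h, so file offset == IP - 100h and the target is 3 + disp."""
    if len(data) < 3 or data[0] != 0xE9:
        return None
    disp = struct.unpack_from("<H", data, 1)[0]
    return (3 + disp) & 0xFFFF


def is_traceback(data: bytes) -> bool:
    """Traceback/"3066": "VG1" at (viruscode_entry - 3) and the listed 16-byte tail."""
    entry = near_jmp_target(data)
    if entry is None or entry < 3 or entry > len(data):
        return False
    return data[entry - 3:entry] == b"VG1" and data.endswith(TRACEBACK_TAIL)


def amstrad_family(data: bytes):
    """The Amstrad-strain prefix viruses mark an infected file at offset 3."""
    mark = data[3:5]
    if mark == b"UM":
        return "V-277"
    if mark == b"IV":
        return "V-299/V-345"
    return None


def is_vienna_627(data: bytes) -> bool:
    return data.endswith(VIENNA_627_TAIL)


def is_eight_tunes(data: bytes) -> bool:
    # Assumption: "found 62 bytes before end of file" means the signature starts at EOF-62.
    start = len(data) - 62
    return start >= 0 and data[start:start + len(EIGHT_TUNES_SIG)] == EIGHT_TUNES_SIG


def is_512(data: bytes) -> bool:
    # "512" leaves the file size unchanged, so only the content check applies, and it
    # must be run with the virus NOT resident (resident, it hides its own bytes).
    return len(data) >= 512 and data[509:512] == b"666"


def scan_com(data: bytes):
    """Names of all rules that hit on one .COM image (a clean file gives [])."""
    hits = []
    if is_traceback(data):
        hits.append("Traceback (3066)")
    fam = amstrad_family(data)
    if fam:
        hits.append(fam)
    if is_vienna_627(data):
        hits.append("Vienna 627")
    if is_eight_tunes(data):
        hits.append("8-Tunes (1971)")
    if is_512(data):
        hits.append("512")
    return hits


# --- constructed samples: layout as the catalog describes, bodies are NOP filler ---
HOST = b"\xB4\x4C\xCD\x21" + b"\x90" * 252          # 256-byte host: mov ah,4Ch / int 21h


def build_traceback_sample(host: bytes = HOST) -> bytes:
    """Appending infector: JMP over the host; "VG1", then 3066 bytes ending in the tail."""
    body = b"VG1" + b"\x90" * (3066 - 3 - len(TRACEBACK_TAIL)) + TRACEBACK_TAIL
    disp = len(host)                  # target 3 + disp == len(host) + 3, i.e. just past "VG1"
    return b"\xE9" + struct.pack("<H", disp) + host[3:] + body


def build_prefix_sample(mark: bytes, host: bytes = HOST) -> bytes:
    """Prepending infector: 277-byte stub carrying its mark at offset 3, then the host."""
    return b"\xEB\x03\x90" + mark + b"\x90" * 272 + host


def build_512_sample(host: bytes = HOST) -> bytes:
    """Overwriting infector: first 512 bytes replaced, "666" at offset 509, size unchanged."""
    padded = host.ljust(1024, b"\x00")
    return b"\xEB\x00" + b"\x90" * 507 + b"666" + padded[512:]


def build_eight_tunes_sample() -> bytes:
    """Appending infector on a host above the 8177-byte minimum; signature at EOF-62."""
    body = b"\x90" * (1971 - 62) + EIGHT_TUNES_SIG + b"\x90" * (62 - len(EIGHT_TUNES_SIG))
    return b"\x90" * 9000 + body


def build_vienna_627_sample(host: bytes = HOST) -> bytes:
    return host + b"\x90" * (627 - 5) + VIENNA_627_TAIL


if __name__ == "__main__":
    for name, img in [("clean", HOST), ("traceback", build_traceback_sample()),
                      ("v-277", build_prefix_sample(b"UM")), ("512", build_512_sample())]:
        print(f"{name:10s} {len(img):6d} bytes -> {scan_com(img)}")
```

These are identification rules, not disinfectors: a hit on the Traceback rule says where the virus entry is (so the saved first three bytes of the host can be looked for), but restoring a file is the job of the tools named under Countermeasures.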
Countermeasures successful: ---
Standard means......: A do-it-yourself way: infect the system by running an infected file; ARC/ZIP/LHARC/ZOO all infected COM and EXE files (with the virus resident, they are read back uninfected); boot from an uninfected floppy; and UNARC/UNZIP/LHARC E etc. all files. Pay special attention to the disinfection of COMMAND.COM.
--------------------- Acknowledgement ---------------------------------
Location............: Weizmann Institute of Science, Rehovot, Israel
Classification by...: Ori Berger
Documentation by....: Yuval Tal (NYYUVAL@WEIZMANN.BITNET), Ori Berger
Date................: 6-March-1990
Information Source..: ---
===================== End of "512" Virus ==============================

======== Computer Virus Catalog 1.2: "4096" Virus (5-June-1990) =======
Entry...............: "4096" Virus
Alias(es)...........: "100 Years" Virus = IDF Virus = Stealth Virus
Virus Strain........: ---
Virus detected when.: October 1989
              where.: Haifa, Israel
Classification......: Program virus (extending), RAM-resident
Length of Virus.....: .COM files: length increased by 4096 bytes.
                      .EXE files: length increased by 4096 bytes.
--------------------- Preconditions -----------------------------------
Operating System(s).: MS-DOS
Version/Release.....: 2.xx upward
Computer model(s)...: IBM-PC, XT, AT and compatibles
--------------------- Attributes --------------------------------------
Easy Identification.: ---
Type of infection...: System: allocates a memory block at the high end of memory. Finds the original address (inside DOS) of the INT 21h handler and the original address (inside the BIOS) of the INT 13h handler, thereby bypassing all active monitors. Inserts a JMP FAR to the virus code inside the original DOS handler.
                      .COM files: program length increased by 4096
                      .EXE files: program length increased by 4096
Infection Trigger...: Programs are infected at load time (using the
                      function Load/Execute of MS-DOS), and whenever a
                      file access is done to a file with the extension
                      .COM or .EXE (Open file AH=3D, Create file AH=3C,
                      File attrib AH=43, File time/date AH=57, etc.).
Interrupts hooked...: INT21h, through a JMP FAR to virus code inside
                      DOS handler; INT01h, during virus installation &
                      execution of DOS's load/execute function (AH=4B);
                      INT13h, INT24h during infection.
Damage..............: The computer usually hangs up.
Damage Trigger......: A Get Dos Version call when the date is after the
                      22nd of September and before 1/1 of next year.
Particularities.....: Infected files have their year set to (year+100)
                      of the uninfected file. If the system is
                      infected, the virus redirects all file accesses so
                      that the virus itself can not be read from the
                      file. Also, find first/next function returns are
                      tampered so that files with (year>100) are reduced
                      by 4096 bytes in size.
--------------------- Agents ------------------------------------------
Countermeasures.....: Cannot be detected while in memory, so no
                      monitor/file change detector can help.
Countermeasures successful:
                      1) A Do-it-yourself way: Infect system by running
                         an infected file, ARC/ZIP/LHARC/ZOO all
                         infected .COM and .EXE files, boot from
                         uninfected floppy, and UNARC/UNZIP/LHARC E etc.
                         all files. Pay special attention to
                         disinfection of COMMAND.COM.
                      2) The JIV AntiVirus Package (by the author of
                         this contribution)
                      3) F. Skulason's F-PROT package.
Standard means......: ---
--------------------- Acknowledgement ---------------------------------
Location............: Weizmann Institute, Israel.
Classification by...: Ori Berger
Documentation by....: Ori Berger
Date................: 26-February-1990
===================== End of "4096" Virus =============================
======== Computer Virus Catalog 1.2: "5120" Virus (5-June-1990) =======
Entry.................. "5120" virus
Alias(es).............. ---
Strain................. ---
Detected: when......... January 1990
          where........ Wuerzburg, West Germany
Classification......... Program virus
Length of Virus........ 5120-5135 for EXE and COM files (virus resides
                        on a paragraph boundary)
------------------------ Preconditions---------------------------------
Operating System(s).... MS-DOS
Version/Release........ 2.00 and upwards
Computer models........ IBM PCs and compatibles
-------------------------- Attributes----------------------------------
Easy identification.... The following texts are contained in the virus:
                        "BASRUN", "BRUN", "IBMBIO.COM", "IBMDOS.COM",
                        "COMMAND.COM", "Access denied"
Type of infection...... Program virus. The virus infects in direct
                        action (i.e. it only infects at run time), by
                        searching recursively through the directories,
                        starting on the paths "C:\" and "F:\" as well
                        as the current drive, for an EXE and a COM file
                        to infect. It will infect all files it can find.
                        EXE files will be infected if the length as
                        reported by DOS is less than the file length as
                        reported by the EXE header plus one page. COM
                        files will be infected if the file length is
                        less than 60400 bytes. The virus turns Ctrl-C
                        checking and verify off while in operation.
Infection trigger...... The virus will infect any time it is executed
                        after the 6th of July 1989. However, an infected
                        file will also infect before this date if it has
                        already been executed once. It doesn't load
                        itself memory resident.
Media affected......... Any logical drive
Interrupts hooked...... ---
Damage................. Any infected file will terminate with the
                        message "Access denied" (this comes from the
                        virus, not from DOS). The file is NOT deleted in
                        any way.
Damage trigger......... Any date after the 1st of June 1992
Particularities........ It seems to be written in an HLL, but I haven't
                        found out which.
Similarities........... ---
---------------------------- Agents------------------------------------
Countermeasures........ ---
- ditto - successful..  Most checksumming programs will find this
                        virus. The program NTI5120 (Virus Test Center)
                        will find and destroy any 5120 virus found.
Standard Means......... Do a string search for any of the strings
                        mentioned above.
----------------------- Acknowledgements-------------------------------
Location............... Virus Test Center, University of Hamburg
Classification by...... Morton Swimmer
Documentation by....... Morton Swimmer
Date................... 5-June-1990
Information source..... ---
======================= End of "5120" Virus ===========================
=======================================================================
== For their outstanding support and continued help, we wish to      ==
== thank David Ferbrache (Edinburgh), Christoph Fischer (Karlsruhe), ==
== Yisrael Radai (Jerusalem), Fridrik Skulason (Reykjavik) and       ==
== Yuval Tal (Rehovot).                                              ==
== Critical and constructive comments as well as additions are       ==
== appreciated. Especially, descriptions of new viruses will be of   ==
== general interest. To receive the Virus Catalog Format, containing ==
== entry descriptions, please contact the above address.             ==
=======================================================================
== The Computer Virus Catalog may be copied free of charge provided  ==
== that the source is properly mentioned at any time and location    ==
== of reference.                                                     ==
=======================================================================
== Editor: Virus Test Center, Faculty for Informatics                ==
==         University of Hamburg                                     ==
==         Schlueterstr. 70, D2000 Hamburg 13, FR Germany            ==
==         Prof. Dr. Klaus Brunnstein, Simone Fischer-Huebner        ==
== Tel: (040) 4123-4158 (KB), -4175 (SFH), -4162(Secr.)              ==
== Email (EAN/BITNET): brunnstein@rz.informatik.uni-hamburg.dbp.de   ==
=======================================================================
== End of MSDOSVIR.690 document                                      ==
== (1.594 Lines, 93 kBytes)                                          ==
=======================================================================
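Added example, not part of the catalog: a small Python scanner that applies the identification marks the "512", "4096" and "5120" entries above give ("666" at offset 509, the (year+100) file date, and the contained text strings), meant to run over file copies taken from a system booted from a clean floppy, since both stealth viruses hide their code from file reads and tamper with directory listings while resident. The FAT directory-entry layout (write date at offset 24, year field = years since 1980) is assumed from the FAT specification, not from the catalog.

```python
"""Identification checks from the "512", "4096" and "5120" catalog entries,
run on raw file bytes plus the FAT write-date word, i.e. offline on copies
taken after a clean boot (both stealth viruses hide while resident)."""
import struct

MARK_512_OFFSET, MARK_512 = 509, b"666"          # "512": text at offset 509
STRINGS_5120 = (b"BASRUN", b"BRUN", b"IBMBIO.COM", b"IBMDOS.COM",
                b"COMMAND.COM", b"Access denied")  # "5120": contained texts
# "4096": infected files carry year+100.  The FAT year field counts years
# since 1980, so a value above 100 is the catalog's "year>100" condition.
YEAR_FIELD_LIMIT = 100
def has_512_marker(data: bytes) -> bool:
    end = MARK_512_OFFSET + len(MARK_512)
    return len(data) >= end and data[MARK_512_OFFSET:end] == MARK_512

def matched_5120_strings(data: bytes) -> list:
    """Strings from the 5120 list that occur anywhere in the file."""
    return [s.decode("ascii") for s in STRINGS_5120 if s in data]

def fat_year_field(date_word: int) -> int:
    """Bits 15..9 of a packed FAT date word (layout assumed from the FAT
    specification, not from the catalog)."""
    return (date_word >> 9) & 0x7F

def has_4096_year_anomaly(date_word: int) -> bool:
    return fat_year_field(date_word) > YEAR_FIELD_LIMIT

def write_date_of(dir_entry: bytes) -> int:
    """Last-write date word at offset 24 of a 32-byte FAT directory entry."""
    return struct.unpack_from("<H", dir_entry, 24)[0]

def scan(data: bytes, date_word: int) -> list:
    """Names of the catalog entries whose identification marks match."""
    hits = []
    if has_512_marker(data):
        hits.append("512")
    if has_4096_year_anomaly(date_word):
        hits.append("4096")
    if matched_5120_strings(data):
        hits.append("5120")
    return hits

# Constructed sample: a 600-byte file carrying the "512" mark, and a
# directory entry dated 11 June 2089 (1989 + 100) as "4096" would stamp it.
SAMPLE_FILE = bytes(509) + b"666" + bytes(88)
SAMPLE_ENTRY = bytearray(32)
struct.pack_into("<H", SAMPLE_ENTRY, 24, (109 << 9) | (6 << 5) | 11)
if __name__ == "__main__":
    print(scan(SAMPLE_FILE, write_date_of(SAMPLE_ENTRY)))  # ['512', '4096']
```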