Vienna
Type: File virus
Creator:
Date Discovered: 1988.04
Place of Origin: Vienna, Austria
Source Language: Assembly
Platform: DOS
File Type(s): .com
Infection Length: 648 bytes
Reported Costs:

Vienna is a DOS .com-infecting virus from the late 1980s. Its source code was published many times, accounting for its hundreds of variants. It was also an extremely simple virus and became a template for more complex and innovative viruses like Ghostballs, Chameleon and (possibly) Zerobug.

Behavior

Vienna is a non-resident, direct-action .com infector. When an infected file is run, the virus searches for .com files on the system and infects one of them. The seconds field of an infected file's timestamp reads "62", an impossible value, which makes infected files easy to find. For one in every six to eight files it tries to infect, Vienna instead destroys the file by overwriting its first five bytes with the hex string "EAF0FF00F0", instructions that cause a warm reboot when the program is run. These files do not actually contain the Vienna virus; they are just corrupted by it.

Creator

The creator of the Vienna virus has never been revealed. Some sources say that the virus was created by a Vienna high school student as an experiment. The first person to detect the virus was Franz Swoboda. Information was leaked that Swoboda received the virus from Ralf Burger, but Burger claimed that he received the virus from Swoboda. Ralf Burger did create a variant that caused the computer to hang rather than reboot.

Variants

Vienna.Choinka

This variant, sometimes also known as Father Christmas, is 1,881 bytes long and possibly comes from Poland. It also contains a Christmas greeting that takes up the greater part of its length.

Vienna.Gympel

This variant likely comes from Slovakia, as it contains text in the Slovak language that says, "Gympel je tycka." (Highschool is a throw-up.) It may sometimes be detected as Vienna.843, or 833.

Iraqui Warrior

This variant contains an error that prevents it from reproducing beyond the first generation. It is 777 bytes long and contains the message:

I come to you from The Ayatollah! (c)1990, VirusMasters
An Iraqui Warrior is in your computer

Vienna.Lisbon

The Lisbon variant was discovered in Portugal. It was likely reassembled to throw off some antivirus programs. When this variant destroys a file, it overwrites the beginning with "@AIDS".

Vienna.Monxla/Interceptor

Monxla and Interceptor (one or both of them may also go by the alias Time) have different effects on the computer depending on the time that they are executed. The Monxla.A subvariant is 939 bytes long, Monxla.B is 535 bytes long and Interceptor is 1,014 bytes long.

Vienna.NewVienna

This variant comes from Bulgaria. It has a shorter infection than the original and has a payload that formats the hard drive.

Vienna.NTKC

This is the largest file-infecting virus currently known. Aside from that, there is nothing really different about it from other Vienna variants.

Vienna.Reboot

This variant overwrites .com files with a program that causes the computer to reboot when the file is run. Such files cannot be cleaned; they need to be deleted and reinstalled.

Vienna.Violator/Arf/Christmas Violator/Baby

These variants were likely coded by the same creator, as they have a great deal of code in common. The 1,055-byte Violator variant contains text that says:

TransMogrified (TM) 1990 by RABID N'tnl Development Corp.
Copyright (C) 1990 RABID !
Activation Date: 08/15/90 - Violator Strain B
(Field Demo Test Version) *NOT TO BE DISTRIBUTED*

While the words "Violator Strain B" may indicate a previous variant, none has yet been found. A later variant weighing in at 5,302 bytes known as Christmas Violator displays a Christmas greeting:

Violator Strain B4 - Written by The RABID Nat'nl Development Corp. RABID would like to take this
opportunity to extend it's sincerest holiday wishes to all Pir8 lamers around the world! If you   
are reading this, then you are lame!!! Anyway, to John McAffe! Have a Merry Christmas and a
virus filled new year. Go ahead! Make our day! Remember! In the festive season, Say NO to
drugs!!! They suck shit! (Bah! We make a virus this large, might as well have something
positive!)

Another variant, Arf, displays the text "Arf, Arf! Got you!" when it activates. Baby, which is about 1,000 bytes long, allows the user to specify the activation date and the text message to display.

Vienna.W13

The Vienna.W13 variant marks infected files with a month number of 13 rather than a seconds value of 62.
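
The markers described on this page (a seconds value of 62, W13's month number of 13, the "EAF0FF00F0" reboot stub and Lisbon's "@AIDS" overwrite) can all be checked mechanically from a FAT directory entry and the first bytes of a file. The following Python sketch is an added example, not part of the original page; the function names, flag labels and sample entries are constructed for illustration.

```python
import struct

REBOOT_STUB = bytes.fromhex("EAF0FF00F0")  # x86: JMP FAR F000:FFF0, the BIOS reset entry
LISBON_STUB = b"@AIDS"                      # overwrite text the page gives for Vienna.Lisbon

def make_dirent(name, ext, hms, ymd):
    """Build a constructed 32-byte FAT12/16 directory entry for the demo."""
    (h, m, s), (y, mo, d) = hms, ymd
    time_w = (h << 11) | (m << 5) | (s // 2)   # seconds are stored in 2-second units
    date_w = ((y - 1980) << 9) | (mo << 5) | d
    return struct.pack("<8s3sB10sHHHI", name.ljust(8).encode(), ext.ljust(3).encode(),
                       0x20, bytes(10), time_w, date_w, 2, 648)

def triage(entry, head):
    """Return Vienna-family indicators for one directory entry plus the file's first bytes."""
    if entry[8:11].upper() != b"COM":
        return []                               # the family only touches .com files
    time_w, date_w = struct.unpack_from("<HH", entry, 22)
    flags = []
    if (time_w & 0x1F) * 2 == 62:               # 5-bit field set to 31: impossible time
        flags.append("seconds-62")
    if (date_w >> 5) & 0x0F == 13:              # 4-bit month field set to 13 (W13)
        flags.append("month-13")
    if head.startswith(REBOOT_STUB):
        flags.append("reboot-stub")
    if head.startswith(LISBON_STUB):
        flags.append("lisbon-stub")
    return flags

def scan(listing):
    """Map file name -> indicators for every flagged (entry, head) pair."""
    hits = {}
    for entry, head in listing:
        flags = triage(entry, head)
        if flags:
            name = entry[0:8].decode("ascii").strip() + "." + entry[8:11].decode("ascii").strip()
            hits[name] = flags
    return hits

# Constructed sample listing: (directory entry, first bytes of the file)
SAMPLE = [
    (make_dirent("CLEAN", "COM", (12, 0, 30), (1989, 5, 1)), b"\xE9\x10\x00\x90\x90"),
    (make_dirent("EDIT", "COM", (12, 0, 62), (1989, 5, 1)), b"\xE9\x10\x00\x90\x90"),
    (make_dirent("DEAD", "COM", (12, 0, 30), (1989, 5, 1)), REBOOT_STUB + b"\x90\x90"),
    (make_dirent("W13", "COM", (12, 0, 30), (1989, 13, 1)), b"\xE9\x10\x00\x90\x90"),
    (make_dirent("NOTES", "TXT", (12, 0, 62), (1989, 5, 1)), b"hello"),
]
if __name__ == "__main__":
    print(scan(SAMPLE))
```

Files flagged only with a stub indicator are the destroyed ones: per the description above they carry no virus body and have to be restored from a clean copy.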

Other Variants

  • Vienna.Ambalama
  • Vienna.Angel
  • Vienna.BboDong
  • Vienna.Bloodspill
  • Vienna.BNB
  • Vienna.Born
  • Vienna.Bua
  • Vienna.BY
  • Vienna.ByteWarrior
  • Vienna.DDrUS
  • Vienna.DearUser
  • Vienna.Dr. Q
  • Vienna.Ender
  • Vienna.Feliz
  • Vienna.Grither
  • Vienna.Gustav
  • Vienna.Hybryd
  • Vienna.IRA
  • Vienna.Kuzmitch
  • Vienna.Norilsk
  • Vienna.Oscar
  • Vienna.Parasite
  • Vienna.Pivi
  • Vienna.Saigon
  • Vienna.SDI
  • Vienna.Sector
  • Vienna.Skate
  • Vienna.SPb
  • Vienna.Sunday
  • Vienna.TheseDays
  • Vienna.Viperize
  • Vienna.Westmont

Effects

The Vienna virus was very simple and became the template for other viruses. Damage done by this virus was probably minimal regardless of how widespread it became, given it had little in the way of a destructive payload. It came installed in vendor software at least once, in a Shimadzu SPD-M6A photo array diode detector.

Other facts

The Vienna virus source code was published in many places, including Ralf Burger's book "Computer Viruses: A High-Tech Disease", giving rise to its many variants.

Vienna became the first virus to be destroyed by an antivirus program. Ralf Burger sent a copy of the virus to Bernt Fix, who managed to neutralize the virus.

Sources

F-Secure Computer Virus Information Pages, Vienna

McAfee Antivirus. Vienna

Virus List, "History of Malware, 1987".

Computer Knowledge, Dr. Solomon: 1986-1987 - The Prologue

Eset.com Vienna

Ralf Burger. Computer Viruses: A High-Tech Disease. 1988 Abacus (United Kingdom). ISBN 1557550433
