VIRUS INFORMATION SUMMARY LIST
February 03, 1990
Copyright (C) 1990 by Merry Hughes
The information in this file is a compilation of information that
I have collected on Ms-Dos Computer Viruses over the past 16 months.
With the number of known viruses increasing, it has become more and
more difficult for one to keep all the information in one's head.
Hopefully this listing will provide some assistance to those who wish
to know more about a particular computer virus....it is not
intended to provide a very detailed technical description, but to
allow the reader to understand what a virus generally does, how it
activates, what it is doing to their system, and most importantly,
how to get rid of it.
The user of this listing needs to keep in mind that the
information provided is up-to-date only to the date of the listing
itself. If the listing is one month old, some items may not be
accurate. Also, with the wide dispersion of researchers and the
various names that the same virus may be known by, some of the
information may not be entirely accurate. Lastly, as new variants
of known viruses are isolated, some of the characteristics of the
variant may be different...
There are four sections to the listing. The first section is
an introduction which explains the format of the information in
the listing and includes the code information used in some fields.
The second section is the actual virus information summary listing.
The third section is a cross-reference of common names for Ms-Dos
computer viruses and indicates what name to use for the virus in the
second section. Lastly, there is a fourth section which is a
revision history of the listing.
Special thanks go to John McAfee for reviewing the listing before
it was distributed, as well as to Jim Goodwin for producing his
original ALLVIRUS.LST last April which inspired this updated listing.
The Virus Information Summary List may be freely distributed by
non-commercial systems and non-profit organizations, as long as the
distribution file is not altered, and no more than a reasonable
cost-of-duplication fee is charged. Any other usage of the listing
requires the approval and authorization of the copyright holder.
If you find an error or omission in the listing, please feel
free to contact me via Excalibur! BBS in Sunnyvale, CA at
1-408-244-0813 (1200/2400/9600 HST), which is FidoNet 1:204/869.
I can also be reached on Homebase/CVIA BBS at 1-408-988-4004 in
Santa Clara, CA as Merry Hughes.
Merry Hughes
------------------------------------------------------------------------
Introduction & Entry Format
Each of the entries in the list consists of several fields.
Below is a brief description of what is indicated in each of the
fields. For fields where codes may appear, the meaning of each
code in indicated.
Virus Name: Field contains one of the more common names for the
virus. The listing is alphabetized based on this
field.
Aliases: Other names that the same virus may be referred to by.
These names are aliases or A.K.A.'s.
Effective Length: The length of the viral code after it has infected
a program or system component. For boot-sector infectors,
the length is indicated as N/A, for not applicable.
Type Code(s): The type codes indicated for a virus indicate general
behavior characteristics. Following the type code(s) is
a brief text description. The type codes used are:
A = Infects all program files (COM & EXE)
B = Boot virus
C = Infects COM files only
D = Infects DOS boot sector on hard disk
E = Infects EXE files only
F = Floppy (360K) only
K = Infects COMMAND.COM
M = Infects Master boot sector on hard disk
N = Non-resident (in memory)
O = Overwriting
P = Parasitic virus
R = Resident (in memory)
T = Manipulation of the File Allocation Table (FAT)
X = Manipulation/Infection of the Partition Table
Detection Method:
This entry indicates how to determine if a program or
system has been infected by the virus. Where the virus
can be detected with a shareware, public domain, or
readily available commercial program, it is indicated.
Programs referenced in the listing are:
F-PROT - Fridrik Skulason's F-Prot detector/disinfector
IBM Scan - IBM's Virus Scanning Program <commercial>
ViruScan - McAfee Associates' ViruScan program
Removal Instructions:
Brief instructions on how to remove the virus. Where
a shareware, public domain, or readily available
commercial program is available which will remove the
virus, it is indicated. Programs referenced in the
listing are:
AntiCrim - Jan Terpstra's AntiCrime program
CleanUp - John McAfee's CleanUp universal virus
disinfector. <commercial product>
Note: CleanUp is only indicated for a virus
if it will disinfect the file, rather than
delete the infected file.
DOS COPY - Use the DOS COPY command to copy files from
infected non-bootable disks to newly formatted,
uninfected disks. Note: do NOT use the
DOS DISKCOPY command on boot sector infected
disks, or the new disk will also be infected!
DOS SYS - Use the DOS SYS command to overwrite the boot
sector on infected hard disks or diskettes.
Be sure you power down the system first, and
boot from a write protected master diskette,
or the SYS command will copy the infected
boot sector.
F-PROT - Fridrik Skulason's F-Prot detector/disinfector
M-1704 - Cascade/Cascade-B disinfector.
M-1704C - Cascade-C disinfector.
M-3066 - Traceback virus disinfector.
M-DAV - use Dark Avenger Disinfector M-DAV and follow
instructions carefully, this virus is
extremely prolific.
M-JRUSLM - Jerusalem B disinfector.
M-VIENNA - Vienna, Vienna B Virus disinfector.
MDisk - MD Boot Virus Disinfector. Be sure to use the
program which corresponds to your DOS release.
Saturday - European generic Jerusalem virus disinfector.
Scan/D - ViruScan run with the /D option.
Scan/D/A - ViruScan run with the /D /A options.
UnVirus - Yuval Rakavy's disinfector for Brain, Jerusalem,
Ping Pong, Ping Pong-B, Typo Boot, Suriv 1.01,
Suriv 2.01, and Suriv 3.00 viruses.
Virus Buster - Yuval Tal's Virus Buster Detector/Disinfector
General Comments:
This field includes other information about the virus,
including but not limited to: historical information,
possible origin, possible damage the virus may cause,
and activation criteria.
------------------------------------------------------------------------
Virus Name: AIDS
Aliases: Hahaha, Taunt, VGA2CGA
Effective Length: N/A
Type Code(s): ONC - Overwriting Non-Resident .COM Infector
Detection Method: ViruScan V40+
Removal Instructions: Scan/D, or delete infected .COM files
General Comments:
The AIDS virus, also known as the Hahaha virus in Europe and
referred to as the Taunt virus by IBM, is a generic .COM and
.EXE file infector. When the virus activates, it displays the
message "Your computer now has AIDS", with AIDS covering
about half of the screen. The system is then halted, and
must be powered down and rebooted to restart it. Since this
virus overwrites the first 13K of the executable program, the
files must be deleted and replaced with clean copies in order
to remove the virus. It is not possible to recover the
overwritten portion of the program.
Note: this is NOT the Aids Info Disk/PC Cyborg Trojan.
Virus Name: Alabama
Aliases:
Effective Length: 1,560 bytes
Type Code(s): PRET - Parasitic Resident .EXE infector
Detection Method: ViruScan V43+, F-Prot
Removal Instructions: CleanUp, F-Prot, or delete infected files
General Comments:
The Alabama virus was first isolated at Hebrew University in
Israel by Ysrael Radai in October, 1989. Its first known
activation was on October 13, 1989. The Alabama virus will
infect .EXE files, increasing their size by 1,560 bytes. It
installs itself memory resident when the first program infected
with the virus is executed, however it doesn't use the normal
TSR function. Instead, this virus hooks Int 9 as well as
IN and OUT commands. When a CTL-ALT-DEL combination is
detected, the virus causes an apparent boot but remains in RAM.
The virus loads itself 30K under the highest memory location
reported by DOS, and does not lower the amount of memory
reported by BIOS or DOS.
After the virus has been memory resident for one hour, the
following message will appear in a flashing box:
"SOFTWARE COPIES PROHIBITED BY INTERNATIONAL LAW..............
Box 1055 Tuscambia ALABAMA USA."
The Alabama virus uses a complex mechanism to determine whether
or not to infect the current file. First, it checks to see if
there is an uninfected file in the current directory, if there
is one it infects it. Only if there are no uninfected files
in the current directory is the program being executed
infected. However, sometimes instead of infecting the
uninfected candidate file, it will instead manipulate the FATs
to exchange the uninfected candidate file with the currently
executed file without renaming it, so the user ends up thinking
he is executing one file when in effect he is actually
executing another one. The end result is that files are
slowly lost on infected systems. This file swapping occurs
when the virus activates on ANY Friday.
Virus Name: Alameda
Aliases: Merritt, Peking, Seoul, Yale
Effective Length: N/A
Type Code(s): BRF - Resident Floppy Boot Sector Infector
Detection Method: ViruScan, F-Prot, IBM Scan
Removal Instructions: MDisk, CleanUp, F-Prot, or DOS SYS
General Comments:
The Alameda virus was first discovered at Merritt college in
Alameda, California in 1987. The original version of this virus
caused no intentional damage, though there is now at least 1
variant of this virus that now causes floppy disks to become
unbootable after a counter has reached its limit (Alameda-C
virus).
The Alameda virus, and its variants, all replicate when the
system is booted with a CTL-ATL-DEL and infect only 5 1/4"
360K diskettes. These viruses do stay in memory thru a warm
reboot, and will infect both system and non-system disks.
System memory can be infected on a warm boot even if Basic is
loaded instead of DOS.
The virus saves the real boot sector at track 39, sector 8,
head 0. The original version of the Alameda virus would only
run on a 8086/8088 machine, though later versions can now run
on 80286 systems.
Virus Name: Amstrad
Aliases:
Effective Length: 847 Bytes
Type Code(s): PNC - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan V51+, F-Prot
Removal Instructions: Scan/D, F-Prot, or erase infected files
General Comments:
The Amstrad virus was first reported in November, 1989, by
Jean Luz of Portugal, however it has been known of in Spain
and Portugal for a year prior to that. The virus is a generic
.COM infector, but is not memory resident nor does it infect
COMMAND.COM.
The virus carries a fake advertisement for the Amstrad computer.
The Amstrad virus appears to cause no other damage to the
system other than replicating and infecting files.
Virus Name: Ashar
Aliases: Shoe_Virus, UIUC Virus
Effective Length: N/A
Type Code(s): BR - Resident Boot Sector Infector
Detection Method: ViruScan V41+, F-Prot
Removal Instructions: MDisk, CleanUp, F-Prot or DOS SYS command
General Comments:
The Ashar virus is a resident boot sector infector which is
a variant of the Brain virus. It differs from the Brain
virus in that it can infect both floppies and hard disk, and
the message in the virus has been modified to be:
"VIRUS_SHOE RECORD, v9.0. Dedicated to the dynamic
memories of millions of virus who are no longer with us
today".
However, the above message is never displayed. The
identification string "ashar" is normally found at offset
04a6 hex in the virus.
A variant of the Ashar virus exists, Ashar-B or Shoe_Virus-B,
which has been modified so that it can no longer infect hard
drives. The v9.0 in the message has also been altered to v9.1.
Virus Name: Brain
Aliases: Pakistani, Pakistani Brain
Effective Length: N/A
Type Code(s): BR - Resident Boot Sector Infector
Detection Method: ViruScan, F-Prot, IBM Scan
Removal Instructions: MDisk, CleanUp, F-Prot, or DOS SYS command
General Comments:
The Pakistani Brain virus originated in Lahore, Pakistan and
infects disk boot sectors by moving the original contents of the
boot sector to another location on the disk, marking those 3
clusters (6 sectors) bad in the FAT, and then writing the virus
code in the disk boot sector.
One sign of a disk having been infected, at least with the
original virus, is that the volume label will will be changed
to "(c) Brain". Another sign is that the label "(c) Brain" can
be found in sector 0 (the boot sector) on an infected disk.
This virus does install itself resident on infected systems,
taking up between 3K and 7K of RAM. The Brain virus is able to
hide from detection by intercepting any interrupt that might
interrogate the boot sector and redirect the read to the original
boot sector located elsewhere on the disk, thus some programs
will be unable to see the virus.
The original Brain virus only infected floppies, however variants
to the virus can now infect hard disks. Also, some variants
have had the "(c) Brain" label removed to make them harder to
detect.
Known variants of the Brain virus include:
Brain-B/Hard Disk Brain/Houston Virus - hard disk version.
Brain-C - Brain-B with the "(c) Brain" label removed.
Clone Virus - Brain-C but restores original boot copyright label.
Clone-B - Clone Virus modified to destroy the FAT after 5/5/92.
Virus Name: Cascade
Aliases: Fall, Falling Letters, 1701, 1704
Effective Length: 1,701 or 1,704 bytes
Type Code(s): PRC - Parasitic Resident Encrypting .COM Infector
Detection Method: ViruScan, F-Prot, IBM Scan
Removal Instructions: M-1704, CleanUp, or F-Prot
General Comments:
Originally, this virus was a trojan horse which was disguised
as a program which was supposed to turn off the number-lock
light when the system was booted. The trojan horse instead
caused all the characters on the screen to fall into a pile
at the bottom of the screen. In late 1987, the trojan horse
was changed by someone into a memory resident .COM virus.
While the original virus had a length of 1,701 bytes and would
infect both true IBM PCs and clones, a variation exists of
this virus which is 3 bytes longer than the original virus
and does not infect true IBM PCs. Both viruses are
functionally identical in all other respects.
Both of the viruses have some fairly unique qualities: Both
use an encryption algorithm to avoid detection and complicate
any attempted analysis of them. The activation mechanisms
are based on a sophisticated randomization algorithm
incorporating machine checks, monitor types, presence or
absence of a clock card, and the time or season of the year.
The viruses will activate on any machine with a CGA or VGA
monitor in the months of September, October, November, or
December in the years 1980 and 1988.
Known variants of the Cascade virus are:
1701-B : Same as 1701, except that it can activate in the
fall of any year.
1704-D : Same as the 1704, except that the IBM selection
has been disabled so that it can infect true IBM
PCs.
Also see: 1704 Format
Virus Name: Cascade-B
Aliases: Blackjack, 1704-B
Effective Length: 1,704 bytes
Type Code(s): PRC - Parasitic Resident Encrypting .COM Infector
Detection Method: ViruScan, F-Prot, IBM Scan
Removal Instructions: M-1704, M-1704C, CleanUp, F-Prot
General Comments:
The Cascade-B virus is similar to the Cascade virus, except
that the cascading display has been replaced with a system
reboot which will occur at random time intervals after the
virus activates.
Other variation(s) which have been documented are:
1704-C : Same as 1704-B except that the virus can activate in
December of any year. (Note: the disinfector for
1704-C is M-1704C.)
Virus Name: Chaos
Aliases:
Effective Length: N/A
Type Code(s): BR - Resident Boot Sector Infector
Detection Method: ViruScan V53+
Removal Instructions: MDisk, CleanUp, or DOS SYS Command
General Comments:
First reported in December, 1989 by James Berry of Kent,
England, the Chaos virus is a memory resident boot sector
infector of floppy and hard disks.
When the Chaos virus infects a boot sector, it overwrites the
original boot sector without copying it to another location
on the disk. Infected boot sectors will contain the
following messages:
"Welcome to the New Dungeon"
"Chaos"
"Letz be cool guys"
The Chaos virus will flag the disk as being full of bad
sectors upon activation, though most of the supposed bad
sectors are still readable. It is unknown what the
activation criteria is.
Virus Name: Dark Avenger
Aliases: Black Avenger
Effective Length: 1,800 bytes
Type Code(s): PRAK - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan V36+, F-Prot
Removal Instructions: M-DAV, CleanUp, F-Prot
General Comments:
Dark Avenger was first isolated in the United States at U C Davis.
It infects .COM, .EXE, and overlay files, including COMMAND.COM.
The virus will install itself into system memory, becoming resident,
and is extremely prolific at infecting any executable files
that are openned for any reason. This includes using the DOS
COPY and XCOPY commands to copy uninfected files, both the source
and the target files will end up being infected. Infected files
will have their lengths increased by 1,800 bytes.
If you are infected with Dark Avenger, shutdown your computer
and reboot from a Write Protected boot diskette for the system,
then carefully use a disinfector, following all instructions.
Be sure to rescan the system for infection once you have finished
disinfecting it.
The Dark Avenger virus contains the words: "The Dark Avenger,
copyright 1988, 1989", as well as the message: "This program
was written in the city of Sofia. Eddie lives.... Somewhere in
Time!".
This virus bears no resemblance or similarity to the Jerusalem
viruses, even though they are similar in size.
Virus Name: Datacrime
Aliases: 1280, Columbus Day
Effective Length: 1,280 bytes
Type Code(s): PNCK - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan, F-Prot, IBM Scan
Removal Instructions: AntiCrim, Scan/D, or F-Prot
General Comments:
The Datacrime virus is a parasitic virus, and is also known as
the 1280 virus. The Datacrime virus is a non-resident
virus, infecting .COM files. The virus was originally
discovered in Europe shortly after its release in March, 1989.
The virus will attach itself to the end of a COM file, increasing
the file's length by 1280 bytes. The first 3 bytes of the host
program are stored off in the virus's code and then replaced by
a branch instruction so that the virus code will be executed
before the host program. In order to propagate, the virus
searches thru directories for .COM files, other than
COMMAND.COM and attaches to any found .COM files (except for
where the 7th letter is a D). Hard drive partitions are
searched before the floppy drives are checked. The virus will
continue to propagate until the date is after October 12 of any
year, then when it is executed it will display a message. The
message is something like:
"DATACRIME VIRUS"
"RELEASED: 1 MARCH 1989".
A low-level format of the hard disk is then done. Most likely
the system will also crash shortly afterwards due to errors in
the virus code.
Unlike the other variants of Datacrime, the original Datacrime
virus does not replicate, or infect files, until after April 1
of any year.
Lastly, if the computer system is using an RLL, SCSI, or PC/AT
type harddisk controller, all variants of the Datacrime virus
are not able to successfully format the hard disk, according
to Jan Terpstra of the Netherlands.
Virus Name: Datacrime II
Aliases: 1514, Columbus Day
Effective Length: 1,514 bytes
Type Code(s): PNAK - Non-Resident Encrypting .COM & .EXE Infector
Detection Method: ViruScan, F-Prot, IBM Scan
Removal Instructions: AntiCrim, Scan/D, or F-Prot
General Comments:
The Datacrime II virus is a variant of the Datacrime virus, the
major characteristic changes are that the effective length of
the virus is 1,514 bytes, and that it can now infect both
.COM and .EXE files. There is also an encryption mechanism
in the Datacrime II virus.
The Datacrime II virus will not format disks on Mondays.
Virus Name: Datacrime IIB
Aliases: 1917, Columbus Day
Effective Length: 1,917 bytes
Type Code(s): PNAK - Non-Resident Encrypting .COM & .EXE Infector
Detection Method: ViruScan V51+, F-Prot
Removal Instructions: AntiCrim, Scan/D, F-Prot
General Comments:
The Datacrime IIB virus is a variant of the Datacrime II virus,
and was isolated by Jan Terpstra of the Netherlands in
November, 1989. This virus, as with Datacrime II, infects
generic .COM & .EXE files, including COMMAND.COM, adding 1,917
bytes to the file length. The virus differs from Datacrime II
in that the encryption method used by the virus to avoid
detection has been changed.
The Datacrime IIB virus will not format disks on Mondays.
Virus Name: Datacrime-B
Aliases: 1168, Columbus Day
Effective Length: 1,168 bytes
Type Code(s): PNE - Parasitic Non-Resident Generic .EXE Infector
Detection Method: ViruScan, F-Prot, IBM Scan
Removal Instructions: AntiCrim, Scan/D, or F-Prot
General Comments:
The Datacrime-B virus is a variant of the Datacrime virus, the
differences being that the effective length of the virus is
1,168 bytes, and instead of infecting .COM files, .EXE files
are infected.
Virus Name: DBASE
Aliases:
Effective Length: 1,864 bytes
Type Code(s): PRC - Parasitic Resident .COM and Overlay Infector
Detection Method: ViruScan V47+, F-Prot
Removal Instructions: Scan/D, or F-Prot
General Comments:
The DBASE virus was discovered by Ross Greenberg of New York.
This virus infects .COM & .OVL files, and will corrupt data in
.DBF files by randomly transposing bytes in any open .DBF file.
It keeps track of which files and bytes were transposed in a
hidden file (BUG.DAT) in the same directory as the .DBF file(s).
The virus restores these bytes if the file is read, so it
appears that nothing is wrong. Once the BUG.DAT file is 90
days old or more, the virus will overwrite the FAT and root
directory on the disk.
After this virus has been detected, if you remove the infected
DBase program and replace it with a clean copy, your DBF files
that were openned during the period that you were infected
will be useless since they are garbled on the disk even
though they would be displayed as expected by the infected
Dbase program.
Virus Name: Den Zuk
Aliases: Search, Venezuelan
Effective Length: N/A
Type Code(s): BRF - Resident Floppy Boot Sector Infector
Detection Method: ViruScan, F-Prot, IBM Scan
Removal Instructions: MDisk, F-Prot, or DOS SYS command
General Comments:
The Den Zuk virus is a memory-resident, boot sector infector of
360K 5 1/4" diskettes. The virus can infect any diskette
in a floppy drive that is accessed, even if the diskette is
not bootable. If an attempt is made to boot the system with an
infected non-system disk, Den Zuk will install itself into
memory even though the boot failed. After the system is booted
with an infected diskette, a purple "DEN ZUK" graphic will appear
after a CTL-ALT-DEL is performed if the system has a CGA, EGA, or
VGA monitor. While the original Den Zuk virus did not cause any
damage to the system, some variants maintain a counter of how
many times the system has been rebooted, and after the counter
reaches its limit, the floppy in the disk drive is reformated.
The counter in these variants of the virus is usually in the
range of 5 to 10.
The following text strings can be found in the viral code on
diskettes which have been infected with the Den Zuk virus:
"Welcome to the
C l u b
--The HackerS--
Hackin'
All The Time
The HackerS"
The diskette volume label of infected diskettes may be changed
to Y.C.1.E.R.P., though this change only occurs if the Den Zuk
virus removed a Pakistani Brain infection before infecting the
diskette with Den Zuk. The Den Zuk virus will also remove
an Ohio virus infection before infecting the diskette with
Den Zuk.
The Den Zuk virus is thought to be written by the same person
or persons as the Ohio virus. The "Y.C.1.E.R.P." string is
found in the Ohio virus, and the viral code is similar in
many respects.
Virus Name: Devil's Dance
Aliases: Mexican
Effective Length: 941 Bytes
Type Code(s): PRCT - Parasitic Resident .COM Infector
Detection Method: ViruScan V52+
Removal Instructions: Scan/D, or delete infected files
General Comments:
The Devil's Dance virus was first isolated in December, 1989,
by Mao Fragosso of Mexico City. The Devil's Dance virus
increases the size of infected .COM files by 941 bytes, and
will infect a file multiple times until the file becomes too
large to fit in available system memory.
Once an infected program has been run, any subsequent warm-
reboot (CTL-ALT-DEL) will result in the following message
being displayed:
"DID YOU EVER DANCE WITH THE DEVIL IN THE WEAK MOONLIGHT?
PRAY FOR YOUR DISKS!!
The Joker"
The Devil's Dance virus is destructive. After the first 2,000
keystrokes, the virus starts changing the colors of any text
displayed on the system monitor. After the first 5,000
keystrokes, the virus erases the first copy of the FAT. At
this point, when the system is rebooted, it will display the
message above and again distroy the first copy of the FAT, then
allow the boot to proceed.
Virus Name: Disk Killer
Aliases: Computer Ogre, Disk Ogre, Ogre
Effective Length: N/A
Type Code(s): BRT - Resident Boot Sector Infector
Detection Method: ViruScan V39+, F-Prot
Removal Instructions: MDisk, CleanUp, F-Prot, or DOS COPY & SYS
General Comments:
The Disk Killer virus is a boot sector infector that spreads by
writing copies of itself to 3 unused block on either a floppy or
hard disk. These blocks will then be marked as bad in the FAT
so that they cannot be overwritten. The boot sector is patched
so that when the system is booted, the virus code will be
executed and it can attempt to infect any new disks exposed to
the system. The virus counts the number of disks it has
infected and does no harm until it has reached a predetermined
limit. When the limit is reached or exceeded and the system is
rebooted, a message is displayed identifying COMPUTER OGRE and
a date of April 1. It then says to leave alone and proceeds to
write full blocks of a single character randomly all over the
disk, effectively trashing it. Once this has occurred, the only
recourse is to reformat the disk. Backup copies of files from
the disk can be restored following the reformat, but if they were
infected as well, all will appear to be fine until the limit
is again reached. It is important to note that when the message
is displayed, if the system is turned off immediately it may
be possible to salvage some files on the disk using various
utility programs as this virus first destroys the boot, FAT,
and directory blocks.
Disk Killer can be removed by using McAfee Associate's MDisk
utility, or the DOS SYS command, to overwrite the boot sector
on hard disk or bootable floppies. On non-system floppies,
files can be copied to non-infected floppies, followed by
reformatting the infected floppies. Be sure to reboot the
system from a write protected master diskette before
attempting to remove the virus first or you will be
reinfected by the virus in memory.
Virus Name: Do-Nothing Virus
Aliases: The Stupid Virus
Effective Length: 608 Bytes
Type Code(s): PRC - Parasitic Resident .COM Infector
Detection Method: ViruScan V49+, F-Prot
Removal Instructions: Scan/D or F-Prot
General Comments:
This virus was first reported by Yuval Tal of Israel in
October, 1989. The virus will infect .COM files, but only the
first one in the current directory, whether it was previously
infected or not. The Do-Nothing virus is also memory
resident, always installing itself to memory address
9800:100h, and can only infect systems with 640K of memory.
The virus does not protect this area of memory in any way,
and other programs which use this area will overwrite it in
memory, removing the program from being memory resident.
The Do-Nothing virus does no apparent damage, nor does it
affect operation of the system in any observable way, thus
its name.
Virus Name: Friday The 13th COM Virus
Aliases: COM Virus, Miami, Munich, South African, 512 Virus
Effective Length: 512 Bytes
Type Code(s): PNC - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan, F-Prot
Removal Instructions: Scan/D, or F-Prot
General Comments:
The original Friday The 13th COM virus first appeared in
South Africa in 1987. Unlike the Jerusalem (Friday The 13th)
viruses, it is not memory resident, nor does it hook any
interrupts. This virus only infects .COM files, but not
COMMAND.COM. On each execution of an infected file, the
virus looks for two other .COM files on the C drive and 1
on the A drive, if found they are infected. This virus is
extremely fast, and the only indication of propagation occuring
is the access light being on for the A drive, if the current
default drive is C. The virus will only infect a .COM file
once. The files, after infection, must be less than 64K in
length.
On every Friday the 13th, if the host program is executed, it
is deleted.
Known variants of the Friday The 13th COM virus are:
Friday The 13th-B: same, except that it will infect every
file in the currect subdirectory or in the system path if
the infected .COM program is in the system path.
Friday The 13th-C: same as Friday The 13th-B, except that the
message "We hope we haven't inconvenienced you" is
displayed whenever the virus activates.
Virus Name: Fu Manchu
Aliases: 2080, 2086
Effective Length: 2,086 (COM files) & 2,080 (EXE files) bytes
Type Code(s): PRA - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan, F-Prot
Removal Instructions: Scan/D, or F-Prot
General Comments:
The Fu Manchu virus attaches itself to the beginning of .COM
files or the end of .EXE files. It appears to be a rewritten
version of the Jerusalem virus, with a possible creation date
of 3/10/88. A marker usually found in this virus is
A marker or id string usually found in this virus is
'sAXrEMHOr'.
One out of sixteen infections will result in a timer being
installed, and after a random amount of time, the message
"The world will hear from me again!" is displayed and
the system reboots. This message will also be displayed on
an infected system after a warm reboot, though the virus doesn't
survive in memory.
After August 1, 1989, the virus will monitor the keyboard buffer,
and will add derogatory comments to the names of various
politicians. These comments go to the keyboard buffer, so
their effect is not limited to the display. The messages within
the virus are encrypted.
Some variants of the Fu Manchu virus can infect overlay, .SYS,
and .BIN files.
This virus is very rare in the United States.
Virus Name: Ghost Boot
Aliases: Ghostballs
Effective Length: N/A
Type Code(s): B - Non-Resident Boot Sector Infector
Detection Method: ViruScan V46+, F-Prot
Removal Instructions: MDisk, CleanUp, F-Prot, or DOS SYS Command
General Comments:
The Ghost viruses (both boot and COM) were discovered at
Icelandic University by Fridrik Skulason. The Ghost Boot
virus infects boot sectors of hard disks and floppies, and is
similar to the Ping Pong virus.
Random file corruption may occur on systems infected with
this virus.
Note: if you have the Ghost Boot virus, more likely than not
you also have the Ghost COM virus. If you disinfect the Boot
Sector to get rid of the Boot virus, unless you also remove
the COM virus, your boot sectors will again have the Ghost
Boot virus.
Virus Name: Ghost COM
Aliases: Ghostballs
Effective Length: 2,351 bytes
Type Code(s): PNC - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan V46+, F-Prot
Removal Instructions: MDisk or DOS SYS and erase infected .COM files,
or CleanUp, F-Prot
General Comments:
The Ghost viruses (both boot and COM) were discovered at
Icelandic University by Fridrik Skulason. The Ghost COM
virus infects generic .COM files, increasing the file size by
2,351 bytes.
Symptoms of this virus are very similar to the Ping Pong
virus, and random file corruption may occur on infected
systems.
The Ghost COM virus is the first known virus that can infect
both files (.COM files in this case) and disk boot sectors.
After the boot sector is infected, it also acts as a virus
(see Ghost BOOT virus).
To remove this virus, turn off the computer and reboot from
a write protected master diskette for the system. Then
use either MDisk or the DOS SYS command to replace the boot
sector on the infected disk. Any infected .COM files must
also be erased and deleted, then replaced with clean copies
from your original distribution diskettes.
Virus Name: Golden Gate
Aliases: Mazatlan, 500 Virus
Effective Length: N/A
Type Code(s): BR - Resident Boot Sector Infector
Detection Method: ViruScan (identifies as Alameda)
Removal Instructions: MDisk, F-Prot, or DOS SYS command
General Comments:
The Golden Gate virus is a modified version of the Alameda virus
which activates when the counter in the virus has determined
that it is infected 500 diskettes. The virus replicates when
a CTL-ALT-DEL is performed, infecting any diskette in the floppy
drive. Upon activation, the C: drive is formatted. The
counter in the virus is reset on each new floppy or hard drive
infected.
Known Variants of this virus are:
Golden Gate-B: same as Golden Gate, except that the counter
has been changed from 500 to 30 infections before
activation, and only diskettes are infected.
Golden Gate-C: same as Golden Gate-B, except that the hard
drive can also be infected. This variant is also known
as the Mazatlan Virus, and is the most dangerous of the
Golden Gate viruses.
Virus Name: Halloechen
Aliases:
Effective Length: ??? Bytes
Type Code(s): P_A - Parasitic .COM &.EXE Infector
Detection Method: ViruScan V57+
Removal Instructions: Scan/D or delete infected files
General Comments:
The Halloechen virus was reported by Christoff Fischer of
the University of Karlsruhe in West Germany. The virus is
reported to be a generic .COM & .EXE infector which is
widespread in West Germany. When infected files are run,
input from the keyboard is garbled. No sample is available,
so it is not possible to determine its length or what else
it might do at this time.
Virus Name: Holland Girl
Aliases: Sylvia
Effective Length: 1,332 Bytes
Type Code(s): PRC - Resident Parasitic .COM Infector
Detection Method: ViruScan V50+, F-Prot
Removal Instructions: F-Prot, or Scan/D
General Comments:
The Holland Girl or Sylvia Virus was first reported by Jan
Terpstra of the Netherlands. This virus is memory resident
and infects only .COM files, increasing their size by 1,332
bytes. The virus apparently does no other damage, and
does not infect COMMAND.COM.
The virus's name is due to the fact that the virus code
contains the name and phone number of a girl named Sylvia
in Holland, along with her address, requesting that post cards
be sent to her. The virus is believed to have been written
by her ex-boyfriend.
Virus Name: Icelandic
Aliases: 656, One In Ten, Disk Crunching Virus
Effective Length: 656 bytes
Type Code(s): PRE - Resident Parasitic .EXE Infector
Detection Method: ViruScan, F-Prot
Removal Instructions: Scan/D, or F-Prot
General Comments:
The Icelandic, or "Disk Crunching Virus", was originally
isolated in Iceland in June 1989. This virus only infects
.EXE files, with infected files growing in length between
656 and 671 bytes. File lengths after infection will always
be a multiple of 16. The virus attaches itself to the end
of the programs it infects, and infected files will always
end with hex '4418,5F19'.
The Icelandic virus will copy itself to the top of free memory
the first time an infected program is executed. Once in high
memory, it hides from memory mapping programs. If a program
later tries to write to this area of memory, the computer will
crash. If the virus finds that some other program has "hooked"
Interrupt 13, it will not proceed to infect programs. If
Interrupt 13 has not been "hooked", it will attempt to infect
every 10th program executed.
On systems with only floppy drives, or 10 MB hard disks, the
virus will not cause any damage. However, on systems with
hard disks larger than 10 MB, the virus will select one unused
FAT entry and mark the entry as a bad sector each time it
infects a program.
Virus Name: Icelandic-II
Aliases: System Virus, One In Ten
Effective Length: 632 Bytes
Type Code(s): PRE - Parasitic Resident .EXE Infector
Detection Method: ViruScan, F-Prot
Removal Instructions: Scan/D, or F-Prot
General Comments:
The Icelandic-II Virus is a modified version of the Icelandic
Virus, and was isolated for the first time in July 1989 in
Iceland. These two viruses are very similar, so only the
changes to this variant are indicated here, refer to Icelandic
for the base virus information.
Each time the Icelandic-II virus infects a program, it will
modify the file's date, thus making it fairly obvious that
the program has been changed. The virus will also remove
the read-only attribute from files, but does not restore it
after infecting the program.
The Icelandic-II virus can infect programs even if the system
is running an anti-viral TSR that monitors interrupt 21, such
as FluShot+.
On hard disks larger than 10 MB, there are no bad sectors
marked in the FAT as there is with the Icelandic virus.
Virus Name: Icelandic-III
Aliases: December 24th
Effective Length: 853 Bytes
Type Code(s): PRE - Parasitic Resident .EXE Infector
Detection Method: ViruScan V57+, F-Prot
Removal Instructions: F-Prot, Scan/D, or delete infected files
General Comments:
The Icelandic-III Virus is a modified version of the Icelandic
Virus, and was isolated for the first time in December 1989 in
Iceland. These two viruses are very similar, so only the
changes to this variant are indicated here, refer to Icelandic
for the base virus information.
The Icelandic-III virus's id string in the last 2 words of the
program is hex '1844,195F', the bytes in each word being
reversed from the id string ending the Icelandic and
Icelandic-II viruses. There are also other minor changes to
the virus from the previous Icelandic viruses, including the
addition of several NOP instructions.
Before the virus will infect a program, it checks to see if the
program has been previously infected with Icelandic or
Icelandic-II, if it has, it does not infect the program.
Files infected with the Icelandic-III virus will have their
length increased by between 848 and 863 bytes.
If an infected program is run on December 24th of any year,
programs subsequently run will be stopped, later displaying
the message "Gledileg jol" ("Merry Christmas" in icelandic)
instead.
Virus Name: Jerusalem
Aliases: PLO, Israeli, Friday 13th, Russian, 1813(COM), 1808(EXE)
Effective Length: 1,813 (COM files) & 1,808 (EXE files) bytes
Type Code(s): PRA - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan, F-Prot, IBM Scan
Removal Instructions: Scan/D/A, Saturday, CleanUp, UnVirus, F-Prot
General Comments:
The Jerusalem Virus was originally isolated at Hebrew
University in Israel in the Fall of 1987. The virus is
memory resident and can survive a warm reboot (CTL-ALT-DEL).
.COM and .EXE files are infected, with .EXE files being
reinfected each time they are executed due to a bug in the
virus.
This virus redirects interrupt 8 and 1/2 hour after execution
of an infected program the system will slow down by a factor
of 10.
On Friday The 13ths, after the virus is installed in memory,
every program executed will be deleted from disk.
The identifier for some strains is "sUMsDos", however,
this identifer is usually not found in the newer variants of
Jerusalem.
Also see: Jerusalem B, New Jerusalem, Payday, Suriv 3.00
Virus Name: Jerusalem B
Aliases:
Effective Length: 1,813 (.COM files) & 1,808 (.EXE files) bytes
Type Code(s): PRA - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan, F-Prot, IBM Scan
Removal Instructions: F-Prot, Saturday, CleanUp, M-JRUSLM, UnVirus
General Comments:
Identical to the Jerusalem virus, except that in some cases
it does not reinfect .EXE files. Jerusalem B is the most
common of all PC viruses, and can infect .SYS and program
overlay files in addition to .COM and .EXE files.
Not all variants of the Jerusalem B virus slow down the
system after an infection has occurred.
Known variants of Jerusalem B are:
Jerusalem-C: Jerusalem B without the timer delay to slow
down the processor.
Jerusalem-D: Jerusalem C which will destroy both copies of
the FAT on any Friday The 13th after 1990.
Jerusalem-E: Jerusalem D but the activation is in 1992.
Also see: Jerusalem, New Jerusalem, Payday, Suriv 3.00
Virus Name: Joker
Aliases:
Effective Length: ??? Bytes
Type Code(s): PNE - Parasitic Non-Resident .EXE Infector
Detection Method: ViruScan V57+
Removal Instructions: Scan/D, or delete infected files
General Comments:
The Joker Virus was isolated in Poland in December, 1989.
This virus is a generic .EXE file infector, and is a poor
replicator (ie. it does not quickly infect other files).
Programs which are infected with the Joker virus will
display bogus error messages and comments. These messages
and comments can be found in the infected files at the
beginning of the viral code. Here are some of the
messages and comments that may be displayed:
"Incorrect DOS version"
"Invalid Volume ID Format failure"
"Please put a new disk into drive A:"
"End of input file"
"END OF WORKTIME. TURN SYSTEM OFF!"
"Divide Overflow"
"Water detect in Co-processor"
"I am hungry! Insert HAMBURGER into drive A:"
"NO SMOKING, PLEASE!"
" Thanks."
"Don't beat me !!"
"Don't drink and drive."
"Another cup of cofee ?"
" OH, YES!"
"Hard Disk head has been destroyed. Can you borow me your one?"
"Missing light magenta ribbon in printer!"
"In case mistake, call GHOST BUSTERS"
"Insert tractor toilet paper into printer."
This virus may also alter .DBF files, adding messages to
them.
Virus Name: Lehigh
Aliases:
Effective Length: N/A
Type Code(s): ORKT - Overwriting Resident COMMAND.COM Infector
Detection Method: ViruScan, F-Prot, IBM Scan
Removal Instructions: MDisk & replace COMMAND.COM with clean copy, or
F-Prot
General Comments:
The Lehigh virus infects only the COMMAND.COM file on both
floppies and hard drives. The infection mechanism is to over-
write the stack space. When a disk which contains an
uninfected copy of COMMAND.COM is accessed, that disk is then
infected. A infection count is kept in each copy of the virus,
and after 4 infections, the virus overwrites the boot sector and
FATs.
A variation of the Lehigh virus, Lehigh-2, exists which
maintains its infection counter in RAM and corrupts the boot
sector and FATs after 10 infections.
Virus Name: Lisbon
Aliases:
Effective Length: 648 bytes
Type Code(s): PNC - Parasitic Non-Resident COM Infector
Detection Method: ViruScan V49+, F-Prot
Removal Instructions: Scan/D, or F-Prot
General Comments:
The Lisbon virus is a strain of the Vienna virus first
isolated by Jean Luz in Portugal in November, 1989. The virus
is very similar to Vienna, except that almost every word in
the virus has been shifted 1-2 bytes in order to avoid virus
identification/detection programs which could identify the
Vienna virus.
1 out of every 8 infected files will have the 1st 5 bytes of
the 1st sector changed to "@AIDS", thus rendering the
program unusable.
Virus Name: MIX/1
Aliases: MIX1
Effective Length: 1,618 Bytes
Type Code(s): PRE - Parasitic Resident .EXE Infector
Detection Method: ViruScan V37+, F-Prot
Removal Instructions: Scan/D, Virus Buster, or F-Prot
General Comments:
The MIX1 Virus was originally isolated on August 22, 1989, on
several BBSs in Israel. This virus is a parasitic memory-
resident .EXE file infector. Once an infected program has been
executed, the virus will take up 2,048 bytes in RAM. Each
.EXE file then executed will grow in length between 1,618 and
1,634 bytes, depending on the original file size. The virus
will not, however, infect files of less than 8K in size.
Infected files can be manually identified by a characteristic
"MIX1" always being the last 4 bytes of an infected file.
Using Debug, if byte 0:33C equals 77h, then the MIX1 virus is
in memory.
This virus will cause garbled output on both serial and
parallel devices, as well as the the num-lock being constantly
on. After the 6th infection, booting the system will crash
the system due to a bug in the code, and a ball will start
bouncing on the system monitor.
There is a variant of this virus which does not have the
problem of system crashs occurring, and will only infect files
that are greater than 16K in length.
Virus Name: New Jerusalem
Aliases:
Effective Length: 1,813 Bytes (.COM) & 1,808 Bytes (.EXE)
Type Code(s): PRA - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan V45+, F-Prot
Removal Instructions: Saturday, CleanUp, F-Prot
General Comments:
New Jerusalem is a variation of the original Jerusalem virus
which has been modified to be undetectable by ViruScan versions
prior to V45 as well as IBM's VIRSCAN product as of October 20,
1989. The virus was first detected when it was uploaded to
several BBSs in Holland beginning on October 14, 1989. It
infects both .EXE and .COM files and activates on any Friday The
13th, deleting infected programs when they are attempted to be
run.
This virus is memory resident, and as with other Jerusalem
viruses, may infect overlay, .SYS, .BIN, and .PIF files.
Also see: Jerusalem, Jerusalem B, Payday, Suriv 3.00
Virus Name: Ohio
Aliases:
Effective Length: N/A
Type Code(s): BF - Resident Floppy Boot Sector Infector
Detection Method: ViruScan, F-Prot
Removal Instructions: MDisk, F-Prot, or DOS SYS Command
General Comments:
The Ohio virus is a memory resident boot sector infector, only
infecting 360K floppy disks. The Ohio virus is similar in
many respects to the Den Zuk virus, and is believed to possibly
be the earlier version of Den Zuk. A diskette infected with
Ohio will be immune to infection by the Pakistani Brain virus.
The following text strings appear in the Ohio virus:
"V I R U S
b y
The Hackers
Y C 1 E R P
D E N Z U K 0
Bandung 40254
Indonesia
(C) 1988, The Hackers Team...."
Virus Name: Oropax
Aliases: Music Virus, Musician
Effective Length: 2,756 - 2,806 bytes, but usually 2,773 bytes
Type Code(s): PRC - Parasitic Resident .COM Infector
Detection Method: ViruScan V53+, F-Prot
Removal Instructions: SCAN /D, F-Prot, or delete infected files
General Comments:
The Oropax virus has had several reports, but no samples of
the virus are available. It is supposed to infect .COM files,
increasing their length by between 2,756 bytes and 2,806 bytes.
Infected files will always have a length divisible by 51. The
virus may become active (on a random basis) five minutes after
infection of a file, playing three different tunes with a
seven minute interval in between.
One variant recently reported in Europe pleays six different
tunes at seven minute intervals.
Virus Name: Payday
Aliases:
Effective Length: 1,808 Bytes (.EXE) & 1,813 Bytes (.COM)
Type Code(s): PRA - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan V51+, F-Prot
Removal Instructions: M-JRUSLM, UnVirus, Saturday, CleanUp, F-Prot
General Comments:
The Payday virus was isolated by Jan Terpstra of the Netherlands
in November, 1989. It is a variant of the Jerusalem B virus,
the major difference being that the activation criteria to
delete files has been changed from every Friday The 13th to
any Friday but Friday The 13ths.
Also see: Jerusalem, Jerusalem B, New Jerusalem, Suriv 3.00
Virus Name: Pentagon
Aliases:
Effective Length: N/A
Type Code(s): BRF - Resident Floppy Boot Sector Infector
Detection Method: ViruScan, F-Prot
Removal Instructions: MDisk, CleanUp, or DOS SYS Command
General Comments:
The Pentagon virus consists of a normal Ms-Dos 3.20 boot
sector where the name 'IBM' has been replaced by 'HAL', along
with two files. The first file has a name of the hex
character 0F9H, and contains the portion of the virus code
which would not fit into the boot sector, as well as the
original boot sector of the infected disk. The second file
is named PENTAGON.TXT and does not appear to be used or contain
any data. The 0F9H file is accessed by its absolute storage
address. Portions of this virus are encrypted.
The Pentagon virus only infects 360K floppies, and will look
for and remove the Brain virus from any disk that it infects.
It is memory resident, occupying 5K of RAM, and can survive
a warm reboot or CTL-ALT-DEL.
Virus Name: Perfume
Aliases: 765, 4711
Effective Length: 765 Bytes
Type Code(s): PNCK - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan V57+, F-Prot
Removal Instructions: F-Prot, or delete infected files
General Comments:
The Perfume virus is of German origin, and has also been
isolated in Poland in December, 1989. This virus infects
.COM files, and will look for COMMAND.COM and infect it if
it isn't already infected. Infected files always grow in
length by 765 bytes.
The virus will sometimes ask the system user a question,
and then not run the infected program unless the system
user types in 4711, the name of a German perfume.
In the most common variant of this virus, however, the
questions have been overwritten with miscellaneous
characters.
Virus Name: Ping Pong
Aliases: Bouncing Ball, Bouncing Dot, Italian, Vera Cruz
Effective Length: N/A
Type Code(s): BRF - Resident Floppy Boot Sector Infector
Detection Method: ViruScan, F-Prot, IBM Scan
Removal Instructions: MDisk, CleanUp, F-Prot, or DOS SYS command
General Comments:
The Ping Pong virus is a boot sector virus which was first
reported in March 1988. The original Ping Pong virus only
infects Floppy Disks.
When the virus activates, which is on a random basis, a
bouncing ball or dot appears on the screen. This display
can only be stoppy thru a system reboot. No other damage
is apparently done.
Virus Name: Ping Pong-B
Aliases: Falling Letters, Boot
Effective Length: N/A
Type Code(s): BR - Resident Boot Sector Infector
Detection Method: ViruScan, F-Prot, IBM Scan
Removal Instructions: CleanUp, MDisk, F-Prot, or DOS SYS Command
General Comments:
The Ping Pong-B virus is a variant of the Ping Pong virus. The
major difference is that Ping Pong-B can infect hard disks as
well as floppies.
Virus Name: Saratoga
Aliases: 642, One In Two
Effective Length: 642 Bytes
Type Code(s): PRE - Resident Parasitic .EXE Infector
Detection Method: ViruScan, F-Prot
Removal Instructions: Scan/D, F-Prot, or delete infected files
General Comments:
The Saratoga Virus was first isolated in California in July 1989.
This virus is very similar to the Icelandic and Icelandic-II
viruses, so the differences from the Icelandic virus only
are indicated here. Please refer back to the description of
the Icelandic virus for the base information.
The Saratoga virus's main difference from the Icelandic virus
is that when it copies itself to memory, it modifies the memory
block so that it appears to belong to the operating system,
thus avoiding anyone reusing the block.
Similar to the Icelandic-II virus, the Saratoga can infect
programs even if the system has installed an anti-viral TSR
which "hooks" interrupt 21, such as FluShot+. Also like
Icelandic-II is that this virus can infect programs which have
been marked Read-Only, though it does not restore the Read-Only
attribute to the file afterwards.
Virus Name: SF Virus
Aliases:
Effective Length: N/A
Type Code(s): BRF - Resident Floppy Boot Sector Infector
Detection Method: ViruScan (identifies as Alameda)
Removal Instructions: MDisk, CleanUp, F-Prot, or DOS SYS command
General Comments:
The SF Virus is a modified version of the Alameda virus
which activates when the counter in the virus has determined
that it is infected 100 diskettes. The virus replicates when
a CTL-ALT-DEL is performed, infecting the disk in the floppy
drive. Upon activation, the diskette in the floppy drive is
reformated. The SF Virus only infects 5 1/4" 360K floppys.
Virus Name: Stoned
Aliases: Hawaii, Marijuana, New Zealand, San Diego, Smithsonian
Effective Length: N/A
Type Code(s): BRX - Resident Boot Sector Infector
Detection Method: ViruScan, CleanUp, F-Prot, IBM Scan
Removal Instructions: CleanUp, MDisk, F-Prod
General Comments:
The Stoned virus was first reported in Wellington, New
Zealand in early 1988. The original virus only infected
360KB 5 1/4" diskettes, doing no overt damage. There are,
however, two known variants which can infect hard disks.
This virus is memory resident following the system being
booted from an infected disk. It will infect any diskette
inserted into the system and accessed.
On one out of every eight system bootup, the virus will
display the message:
"Your computer is now stoned. Legalize Marijuana"
The Stoned virus can be removed from 360KB diskettes by
using either the MDisk, CleanUp, or F-Prot programs. It
can also be removed from diskettes by using the DOS SYS
command.
Known variants of the Stoned Virus are:
Stoned-B : same as Stoned, but can also infect hard disks via
the hard disk's partition table. Infected
systems with RLL controllers will frequently hang.
Stoned-C : same as Stoned, except that the message has been
removed.
For variants Stoned-B and Stoned-C, removal instructions are
the same for diskettes. However, an infected hard disk must
be disinfected by using MDisk with the /P parameter or
CleanUp. The reason for the different hard disk
instructions is due to Stoned infecting the partition
table on the hard disk.
Virus Name: Sunday
Aliases:
Effective Length: 1,636 Bytes
Type Code(s): PRAT - Parasitic Resident .COM, .EXE. & .OV? Infector
Detection Method: ViruScan V49+, F-Prot
Removal Instructions: CleanUp, Scan/D, or F-Prot
General Comments:
The Sunday virus was discovered by many users in the Seattle,
Washington area in November, 1989. This virus activates on
any Sunday, displaying the message:
"Today is Sunday, why do you work so hard?"
The Sunday virus appears to have been derived from the
Jerusalem virus, the viral code being similar in many
respects.
Damage to the file allocation table or FAT has been reported
from a number of infected users.
Virus Name: Suriv 1.01
Aliases: April 1st, Israeli, Suriv01
Effective Length: 897 bytes
Type Code(s): PRC - Parasitic Resident .COM Infector
Detection Method: ViruScan, F-Prot, IBM Scan
Removal Instructions: Scan/D, F-Prot, or UnVirus
General Comments:
The Suriv 1.01 virus is a memory resident .COM infector. It
will activate on April 1st after memory is infected by running
an infected file and then a uninfected .COM file is executed.
On activation, it will display the message:
"APRIL 1ST HA HA HA YOU HAVE A VIRUS".
The system will then lock up, requiring it to be powered off and
then back on.
The text "sURIV 1.01" can be found in the viral code.
Virus Name: Suriv 2.01
Aliases: April 1st-B, Israeli, Suriv02
Effective Length: 1,488 bytes
Type Code(s): PRE - Parasitic Resident .EXE Infector
Detection Method: ViruScan, F-Prot, IBM Scan
Removal Instructions: Scan/D, F-Prot, or UnVirus
General Comments:
The Suriv 2.01 virus is a memory resident .EXE infector. It
will activate on April 1st after memory is infected by running
an infected file, displaying the same message as Suriv 1.01
and locking up the system. The virus will cause a similar
lockup, though no message, 1 hour after an infected .EXE file
is executed on any day on which the system default date of
01-01-80 is used. The virus will only infect the file once.
Virus Name: Suriv 3.00
Aliases: Israeli, Suriv03
Effective Length: 1,813 (COM files) & 1,808 (EXE files) bytes
Type Code(s): PRA - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan, F-Prot
Removal Instructions: Scan/D, F-Prot, or Unvirus
General Comments:
May be a variant of the Jerusalem virus. The string "sUMsDos"
has been changed to "sURIV 3.00". The Suriv 3.00 virus
activates on Friday The 13ths when an infected program is
run or if it is already present in system memory, however
files are not deleted due to a bug in the viral code. Other
Other than on Friday The 13ths, after the virus is memory
resident for 30 seconds, an area of the screen is turned into
a "black window" and a time wasting loop is executed with
each timer interrupt.
As with the Jerusalem B viruses, this virus can also infect
overlay, .SYS, and other executable files besides .EXE and
.COM files, though it does not infect COMMAND.COM itself.
Virus Name: Swap
Aliases: Falling Letters Boot, Israeli Boot
Effective Length: N/A
Type Code(s): BRF - Resident Floppy Boot Sector Infector
Detection Method: ViruScan, F-Prot
Removal Instructions: MDisk, CleanUp, F-Prot, or DOS SYS Command
General Comments:
The Swap Virus, or Israeli Boot Virus, was first reported in
August 1989. This virus is a memory resident boot sector
infector that only infects floppies. The floppy's boot
sector is infected the first time it is accessed. One bad
cluster will be written on track 39, sectors 6 and 7 with the
head unspecified. If track 39, sectors 6 and 7, are not
empty, the virus will not infect the disk. Once the virus
is memory resident, it uses 2K or RAM. The actual length of
the viral code is 740 bytes.
The Swap virus activates after being memory resident for 10
minutes. A cascading effect of letters and characters on the
system monitor is then seen, similar to the cascading effect
of the Cascade and Traceback viruses.
The virus was named the Swap virus because the first isolated
case had the following phrase located at bytes 00B7-00E4 on
track 39, sector 7:
"The Swapping-Virus. (C) June, 1989 by the CIA"
However, this phrase is not found on diskettes which have been
freshly infected by the Swap virus.
A diskette infected with the Swap virus can be easily identified
by looking at the boot sector with a sector editor, such as
Norton Utilities. The error messages which normally occur at
the end of the boot sector will not be there, instead the start
of the virus code is present. The remainder of the viral code
is located on track 39, sectors 6 and 7.
Virus Name: SysLock
Aliases: 3551, 3555
Effective Length: 3,551 Bytes
Type Code(s): PNA - Encrypting Non-Resident .COM & .EXE Infector
Detection Method: ViruScan, F-Prot
Removal Instructions: Scan/D, or F-Prot
General Comments:
The SysLock virus is a parasitic encrypting virus which
infects both .COM and .EXE files, as well as damaging some
datafiles on infected systems. This virus does not install
itself memory resident, but instead searchs through the
.COM and .EXE files and subdirectories on the current disk,
picking one at executable file at random to infect. The
infected file will have its length increased by approximately
3,551 bytes, though it may vary slightly depending on file
infected.
The SysLock virus will damage files by searching for the word
"Microsoft" in any combination of upper and lower case
characters, and when found replace the word with either
"MACROSOFT".
If the SysLock virus finds that an environment variable
"SYSLOCK" exists in the system and has been set to "@" (hex 40),
the virus will not infect any programs or perform string
replacements, but will instead pass control to its host
immediately.
Known variant(s) of SysLock are:
Macho-A : same as the SysLock virus, except that "Microsoft"
is replaced with "MACHOSOFT".
Virus Name: Taiwan
Aliases:
Effective Length: 708 Bytes
Type Code(s): PNC - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan V56+, F-Prot
Removal Instructions: Scan/D, or delete infected files
General Comments:
The Taiwan virus was first isolated in January, 1989 in
Taiwan, R.O.C. This virus is a non-resident generic .COM
infector.
Virus Name: Traceback
Aliases: 3066
Effective Length: 3,066 bytes
Type Code(s): PRA - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan, F-Prot, IBM Scan
Removal Instructions: M-3066, VirClean, F-Prot, or delete infected files
General Comments:
The Traceback virus infects both .COM and .EXE files, adding
3,066 bytes to the length of the file. After an infected
program is executed, it will install itself memory resident
and infect other programs that are openned. Additionally, if
the system date is after December 5, 1988, it will attempt to
infect one additional .COM or .EXE file in the current
directory. If an uninfected file doesn't exist in the current
directory, it will search the entire disk, starting at the
root directory, looking for a candidate. This search
process terminates if it encounters an infected file before
finding a candidate non-infected file.
This virus derives its name from two characteristics. First,
infected files contain the directory path of the file causing
the infection within the viral code, thus is it possible
to "trace back" the infection thru a number of files. Second,
when it succeeds in infected another file, the virus will
attempt to access the on-disk copy of the program that the
copy of the virus in memory was loaded from so that it can
update a counter in the virus. The virus takes over disk
error handling while trying to update the original infected
program, so if it can't infect it, the user will be unaware
that an error occurred.
The primary symptom of the Traceback virus having infected
the system is that if the system date is after December 28,
1988, the memory resident virus will produce a screen display
with a cascading effect similar to the Cascade/1701/1704
virus. The cascading display occurs one hour after system
memory is infected. If a keystroke is entered from the key-
board during this display, a system lockup will occur. After
one minute, the display will restore itself, with the characters
returning to their original positions. This cascade and
restore display are repeated by the virus at one hour
intervals.
Also see: Traceback II
Virus Name: Traceback II
Aliases: 2930
Effective Length: 2,930 Bytes
Type Code(s): PRA - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan V41+, F-Prot
Removal Instructions: Scan/D, F-Prot, or delete infected files.
General Comments:
The Traceback II virus is a variant of the Traceback (3066)
virus. It is believed that Traceback II predates the
Traceback virus, however the Traceback virus was isolated
and reported first. As with the Traceback virus, the
Traceback II virus is memory resident and infects both .COM
& .EXE files.
The comments indicated for the Traceback virus generally
apply to the Traceback II virus, with the exception that the
file length increase is 2,930 bytes instead of 3,066 bytes.
Virus Name: Typo Boot
Aliases: Mistake
Effective Length: N/A
Type Code(s): BR - Resident Boot Sector Infector
Detection Method: ViruScan, F-Prot
Removal Instructions: MDisk, F-Prot, or DOS SYS Command
General Comments:
The Typo Boot virus was first isolated in Israel by Y. Radai
in June, 1989. This virus is a memory resident boot sector
infector, taking up 2K at the upper end of system memory once
it has installed itself memory resident.
The major symptom that will be noticed on systems infected
with the Typo Boot virus is that certain characters in
printouts are always replaced with other phonetically
similar characters. Since the virus also substitutes hebrew
letters for other hebrew letters, the virus was most likely
written by someone in Israel. Digits in numbers may also
be transposed or replaced with other numbers. The substitutions
impact printouts only, the screen display and data in files is
not affected.
The Typo Boot virus is similar structurally to the Ping Pong
virus, and may be a variant of Ping Pong. It can be removed
from a disk by using MDisk, CleanUp, DOS SYS command, or
just about any Ping Pong disinfector.
Virus Name: Typo COM
Aliases: Fumble, 867
Effective Length: 867 Bytes
Type Code(s): PRC - Parasitic Resident .COM Infector
Detection Method: ViruScan V48+, F-Prot
Removal Instructions: Scan/D, F-Prot, or delete infected files
General Comments:
The Typo COM virus is similar to the Typo Boot virus in that
it will garble data that is sent to the parallel port once it
has activated. Unlike the Boot virus, the COM virus infects
generic .COM files. This virus was first reported by Joe
Hirst of Brighton, UK, in November, 1989.
The Typo COM virus only infects .COM files on even-numbered
days.
Virus Name: Vacsina
Aliases:
Effective Length: 1,206 bytes
Type Code(s): PRA - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan, F-Prot
Removal Instructions: Scan/D/A, F-Prot, or delete infected files
General Comments:
The Vacsina virus is approximately 1200 bytes in length and can
be found in the memory control block (MCB) of infected systes.
Vacsina infects both .COM and .EXE files, as well as .SYS and
.BIN files. One sign of a Vacsina infection is that programs
which have been infected may "beep" when executed.
Virus Name: Vcomm
Aliases:
Effective Length: 637 Bytes
Type Code(s): PRE - Parasitic Resident .EXE Infector
Detection Method: F-Prot
Removal Instructions: F-Prot, or delete infected files
General Comments:
The Vcomm virus is of Polish origin, first isolated in
December, 1989. The virus is a .EXE file infector. When an
infected file is run, the virus will attempt to infect one
.EXE file in the current directory.
When Vcomm infects a file, it first pads the file so that the
files length is a multiple of 512 bytes, then it adds its
637 bytes of virus code to the end of the file.
The memory resident portion of the virus intercepts any
disk writes that are attempted, and changes them into disk
reads.
Virus Name: Vienna
Aliases: Austrian, Unesco, DOS-62, DOS-68, 1-in-8, 648
Effective Length: 648 bytes
Type Code(s): PNC - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan, F-Prot
Removal Instructions: M-Vienna, CleanUp, VirClean, F-Prot
General Comments:
The Vienna virus was first isolated in April, 1988, in Moscow at
a UNESCO children's computer summer camp. The virus will infect
1 .COM file whenever a program infected with the virus is run.
1 in every 8 infected programs will perform a system warm reboot
whenever the viral code is executed. Some .COM programs
infected with this virus may not run.
Virus Name: Vienna-B
Aliases: 62-B
Effective Length: 648 bytes
Type Code(s): PNC - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan, F-Prot
Removal Instructions: M-Vienna, CleanUp, VirClean, F-Prot
General Comments:
The Vienna-B virus is a variant of the Vienna virus, the major
difference being that instead of a warm reboot, the program
being executed will be deleted.
Virus Name: Virus-90
Aliases:
Effective Length: 857 bytes
Type Code(s): PRC - Parasitic Resident .COM Infector
Detection Method: ViruScan V53+, F-Prot
Removal Instructions: Scan/D, F-Prot, or delete infected files
General Comments:
The Virus-90 virus was originally distributed in December, 1989
by Patrick Toulme as an "educational tool", with the virus
source also available for sale. In January, 1990, the
author contacted the sites where he had uploaded the virus
requesting that they remove it from their systems, he having
decided a live virus was not a "good idea" for an educational
tool after being contacted by several viral authorities.
Virus Name: Virus101
Aliases:
Effective Length: 2,560 Bytes
Type Code(s): PRAFK - Parasitic Resident Infector
Detection Method: ViruScan V57+
Removal Instructions: Scan/D or delete infected files
General Comments:
The Virus101 is the "big brother" of Virus-90, also written by
Patrick Toulme as an "educational tool" in January 1990.
This virus is memory resident, and employs an encryption scheme
to avoid detection on files. It infects COMMAND.COM, and all
other executable file types. Once it has infected all the
files on a diskette, it will infect the diskette's boot
sector. It only infects floppy diskettes in its current
version.
Virus Name: W13
Aliases:
Effective Length: 534 Bytes
Type Code(s): PNC - Parasitic Non-Resident .COM Infector
Detection Method: F-Prot
Removal Instructions: F-Prot, or delete infected files
General Comments:
The W13 virus is a .COM file infector that doesn't do much
except for infect files. The virus was isolated in December
1989 in Poland.
There are two variants of the W13 virus, one is 534 bytes
in length, and the second is 507 bytes long. The 507 byte
variant has some bugs in the original virus corrected.
Virus Name: Yankee Doodle
Aliases:
Effective Length: 2,885 or 2,899 Bytes
Type Code(s): PRA - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan V42+, F-Prot
Removal Instructions: Scan/D, VirClean, F-Prot, or delete infected files
General Comments:
The Yankee Doodle virus was discovered by Alexander Holy of
the North Atlantic Project in Vienna, Austria, on
September 30, 1989. This virus is a parasitic virus which
infects both .COM and .EXE files, and installs itself
memory resident. After installing itself memory resident, it
will play Yankee Doodle on this system speaker at 17:00.
Infected programs will be increased in length by 2,899 bytes.
Other than being disruptive by playing yankee doodle, this
virus currently does nothing else harmful besides infecting
files. As a side note, the Yankee Doodle Virus will seek out
and modify Ping Pong viruses, changing them so that they self-
destruct after 100 infections.
Virus Name: Zero Bug
Aliases: Palette, 1536
Effective Length: 1,536 bytes
Type Code(s): PRC - Parasitic Resident .COM Infector
Detection Method: Viruscan V38+, F-Prot
Removal Instructions: Scan/D, F-Prot, or delete infected files
General Comments:
The Zero Bug virus was first isolated in the Netherlands by
Jan Terpstra in September, 1989. This virus is a memory
resident .COM file infector. Infected .COM files will
increase in size by 1,536 bytes, however the increase in file
length will not show up when the disk directory is displayed.
The virus's main objective is to infect the copy of
COMMAND.COM indicated by the environment variable COMSPEC.
If COMSPEC doesn't point to anything, the Zero Bug virus will
install itself memory resident using INT 21h.
After the virus has either infected COMMAND.COM or become
memory resident, it will infect all .COM files that are
accessed, including those access by actions such as COPY or
XCOPY. Any .COM file created on an infected system will also
be infected.
If the currently loaded COMMAND.COM is infected, the virus
will hook into the timer interrupt 1Ch, and after a certain
amount of time has past, a smiley face character (ASCII 01)
will appear and eat all the zeros it can find on the screen.
The virus does not delete files or format disks in its present
form.
Virus Name: 405
Aliases:
Effective Length: N/A
Type Code(s): ONC - Overwriting Non-Resident .COM Infector
Detection Method: ViruScan, F-Prot, IBM Scan
Removal Instructions: Scan/D, F-Prot, or delete infected files
General Comments:
The 405 virus is an overwriting virus which infects only .COM
files in the current directory. If the length of the .COM file
was originally less than 405 bytes, the resulting infected file
will have a length of 405 bytes. This virus currently cannot
recognize .COM files that are already infected, so it will
attempt to infect them again. No info on what else this
particular virus does....
Virus Name: 1260
Aliases:
Effective Length: 1,260 Bytes
Type Code(s): PNC - Parasitic Encrypting Non-Resident .COM Infector
Detection Method: ViruScan V57+
Removal Instructions: CleanUp V57+
General Comments:
The 1260 virus was first isolated in January, 1990. This
virus does not install itself resident in memory, but is it
extremely virulent at infecting .COM files. Infected files
will have their length increased by 1,260 bytes, and the
resulting file will be encrypted. The encryption key changes
with each infection which occurs.
The 1260 virus can infect a local area network, including the
file server and all workstations.
Virus Name: 1704 Format
Aliases:
Effective Length: 1,704 Bytes
Type Code(s): PRC - Parasitic Encrypting Resident .COM Infector
Detection Method: ViruScan, F-Prot, IBM Scan
Removal Instructions: M-1704, CleanUp, Scan/D, F-Prot
General Comments:
Like the Cascade Virus, but the disk is formatted when the
virus activates.
Virus Name: 4096
Aliases:
Effective Length: 4,096 Bytes
Type Code(s): PRA - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan V53+, F-Prot
Removal Instructions: Scan/D, F-Prot, or see note below
General Comments:
The 4096 virus was first isolated in January, 1990. This virus
has been classified as the worse virus seen by most experts,
and no one has successfully recovered their system from it.
The 4096 virus infects .COM, .EXE, and Overlay files, adding
4,096 bytes to their length. Once the virus is resident in
system memory, the increase in length will not appear in a
directory listing. Once this virus has installed itself into
memory, it will infect any executable file that is openned,
including if it is openned with the COPY or XCOPY command.
This virus is destructive to both data files and executable
files, as it very slowly crosslinks files on the system's
disk. The crosslinking occurs so slowly that it appears there
is a hardware problem, the virus being almost invisible.
As a side note, if the virus is present in memory and you
attempt to copy infected files, the new copy of the file will
not be infected with the virus. Thus, one way to disinfect
a system is to copy off all the infected files to diskettes
while the virus is active in memory, then power off the system
and reboot from a write protected (uninfected) system disk.
Once rebooted and the virus is not in memory, delete the
infected files and copy back the files from the diskettes.
The above will disinfect the system, if done correctly, but
will still leave the problem of cross-linked files which are
permanently damaged.
-----------------------------------------------------------------------
The following is a cross-reference of common virus names back to
the name they are listed by in the virus information section.
Hopefully, this cross-reference will alleviate some confusion when
different anti-viral software packages refer to different names for
the same virus.
Virus Name Refer To Virus(es) In VirusSum.Txt:
---------------------- -----------------------------------------------
AIDS AIDS
Alabama Alabama
Alameda Alameda
Amstrad Amstrad
April 1st Suriv 1.01
April 1st-B Suriv 2.01
Ashar Ashar
Austrian Vienna
Black Avenger Dark Avenger
Black Friday Jerusalem
Blackjack Cascade-B
Boot Ping Pong-B
Bouncing Ball Ping Pong
Bouncing Dot Ping Pong
Cascade Cascade
Cascade-B Cascade-B
Chaos Chaos
Columbus Day Datacrime, Datacrime II, Datacrime IIB, Datacrime-B
COM Virus Friday The 13th COM Virus
Computer Ogre Disk Killer
Dark Avenger Dark Avenger
Datacrime Datacrime
Datacrime II Datacrime II
Datacrime IIB Datacrime IIB
Datacrime-B Datacrime-B
DBase DBase
December 24th Icelandic-III
Den Zuk Den Zuk
Devil's Dance Devil's Dance
Disk Crunching Virus Icelandic, Saratoga
Disk Killer Disk Killer
Disk Ogre Disk Killer
Do-Nothing Virus Do-Nothing Virus
DOS-62 Vienna
DOS-68 Vienna
Fall Cascade
Falling Letters Cascade, Ping Pong-B
Falling Letters Boot Swap Boot
Friday 13th Jerusalem
Friday 13th COM Virus Friday The 13th COM Virus
Fu Manchu Fu Manchu
Fumble Typo COM
Ghost Boot Ghost Boot
Ghost COM Ghost COM
Ghostballs Ghost Boot, Ghost COM
Golden Gate Golden Gate
Hahaha AIDS
Halloechen Halloechen
Hawaii Stoned
Holland Girl Holland Girl
Icelandic Icelandic
Icelandic-II Icelandic-II
Icelandic-III Icelandic-III
Israeli Jerusalem, Suriv 1.01, Suriv 2.01, Suriv 3.00
Israeli Boot Swap
Italian Ping Pong
Jerusalem Jerusalem
Jerusalem A Jerusalem
Jerusalem B Jerusalem
Jerusalem C Jerusalem
Jerusalem D Jerusalem
Jerusalem E Jerusalem
Joker Joker
Lehigh Lehigh
Lisbon Lisbon
Marijuana Stoned
Mazatlan Golden Gate
Merritt Alameda
Mexican Devil's Dance
Miami Friday The 13th
Mistake Typo Boot
MIX1 MIX1
MIX/1 MIX1
Munich Friday The 13th COM Virus
Music Virus Oropax
Musician Oropax
New Jerusalem New Jerusalem
New Zealand Stoned
Ogre Disk Killer
Ohio Ohio
One In Eight Vienna
One In Ten Icelandic, Icelandic-II
One In Two Saratoga
Oropax Oropax
Pakistani Brain
Pakistani Brain Brain
Palette Zero Bug
Payday Payday
Peking Alameda
Pentagon Pentagon
Perfume Perfume
Ping Pong Ping Pong
Ping Pong-B Ping Pong-B
PLO Jerusalem
Russian Jerusalem
San Diego Stoned
Saratoga Saratoga
Seoul Alameda
SF Virus SF Virus
Shoe_Virus Ashar
Shoe_Virus-B Ashar-B
Smithsonian Stoned
South African Friday The 13th COM Virus
Stoned Stoned
Stupid Virus Do-Nothing
Sunday Sunday
Sylvia Holland Girl
System Virus Icelandic-II
Suriv 1.01 Suriv 1.01
Suriv 2.01 Suriv 2.01
Suriv 3.00 Suriv 3.00
Suriv01 Suriv 1.01
Suriv02 Suriv 2.01
Suriv03 Suriv 3.00
Swap Swap
SysLock Syslock
Taiwan Taiwan
Taunt AIDS
Traceback Traceback
Traceback II Traceback II
Typo Boot Typo Boot
Typo COM Typo COM
UIUC Virus Ashar
UIUC Virus-B Ashar
Unesco Vienna
Vacsina Vacsina
Vcomm Vcomm
Vera Cruz Ping Pong
VGA2CGA AIDS
Vienna Vienna
Vienna-B Vienna-B
Virus-90 Virus-90
Virus101 Virus101
W13 W13
Yale Alameda
Yankee Doodle Yankee Doodle
Zero Bug Zero Bug
62-B Vienna-B
405 405
500 Virus Golden Gate
632 Saratoga
512 Virus Friday The 13th COM Virus
642 Icelandic
648 Vienna
765 Perfume
867 Typo COM
1168 Datacrime-B
1260 1260
1280 Datacrime
1514 Datacrime II
1536 Zero Bug
1701 Cascade
1704 Cascade, Cascade-B
1704 Format 1704 Format
1704-B Cascade B
1808 Jerusalem
1813 Jerusalem
1917 Datacrime IIB
2080 Fu Manchu
2086 Fu Manchu
2930 Traceback II
3066 Traceback
3551 SysLock
3555 SysLock
4096 4096
4711 Perfume
------------------------------------------------------------------------
Virus Information Summary List
Revision History
January 15, 1990 -
First release of listing, which contained 52 of 61 known Ms-Dos
computer viruses. Of the 9 known viruses which were not
completed, they contained very basic information, though no
detailed description, those viruses were:
Chaos Swap
Icelandic Taiwan
Icelandic-II Typo Boot
Ohio 2930
Saratoga
February 03, 1990 -
Second release of listing, which now includes updated information
for the following viruses:
Alabama
Chaos
Den Zuk
Datacrime II, Datacrime IIB
Do-Nothing
Icelandic, Icelandic-II
Ohio
Saratoga
Stoned
Swap
SysLock
Traceback, Traceback II (was 2930 in previous release)
Typo Boot
The following new Ms-Dos computer viruses were added to the
listing:
Halloechen
Icelandic-III
Joker
Perfume
Vcomm
Virus101
W13
1260
------------------------------------------------------------------------
Comments
Post a Comment