Common Viruses List by Stiller Research
(modified by Matthias Kannengiesser - Original Zip
packed)
4096
Aliases: Frodo, 4K, 100 year, Stealth virus, IDF
Synopsis: Resident, stealth infector of .COM, .EXE and overlay files.
Damage: Corrupts files and hangs the PC.
Symptoms: Cross-linked and damaged files.
Details:
This virus damages your files in at least two ways. First, it will accidentally infect
data files causing irreparable damage to those files. Second, it will cross-link files on
your disk, working very slowly so the damage is generally not obvious until an enormous
number of files have been corrupted. This damage is frequently mistaken for hardware
problems. 4096 will set the date of infected files 100 years from the original file date.
This is how it determines that it has already infected these files. Simply doing a
directory listing will not reveal the fact that these dates have changed since only two
digits of the year are normally displayed in a directory listing. All infected files grow
by 4096 bytes but the virus hides these changes by using its stealth capabilities. If you
attempt to read an infected file with 4096 resident in memory, you will see only the
original uninfected file. It also locates the original interrupt 21 hex and 13 hex
addresses in order to bypass resident monitor programs. Programs will be infected when
they are executed or read. You can use 4096's stealth capabilities to make it disinfect
itself by copying executable files to non-executable file names (e.g., COPY Z.EXE Z.XEX).
Do not depend on this, since future variants may not share this property.
1575
Aliases: Green Caterpillar, 1591
Synopsis: Resident infector of .COM and .EXE files
Symptoms: Green caterpillar, slow response to the DIR command and time
stamp changes.
Details:
Two months after it first infects your PC, this virus will produce a crude graphic
of a green caterpillar moving across your screen. It is not known to cause any deliberate
damage to your PC beyond infecting your files. 1575 will infect additional files when you
issue a DIR or COPY command. It was first detected in January of 1991 in Canada.
AirCop
Synopsis: Resident infector of floppy DOS boot
sectors
Damage: Inadvertent damage to some files on diskettes
Symptoms: Messages, damaged files, less total memory and PC hangs
Details:
Aircop infects only DOS boot sectors on diskettes. It saves the original boot sector near
the end of the disk, causing loss of data if this space is in use by a file or directory.
It decreases free memory by 1024 bytes and will at random intervals display the message:
"Red State, Germ Offensive. AIRCOP." or (variant B) simply "This is
Aircop." This virus is fairly buggy and will frequently hang your PC.
Alameda
Aliases: Yale, Merritt
Variants: Golden Gate, SF
Synopsis: Resident infector of floppy DOS boot sectors
Damage: File corruption
Symptoms: Decrease in total memory and possible damaged files
Details:
Alameda was not written to be deliberately destructive. The original version damaged files
when it would relocate the original DOS boot sector to track 39, sector 8 on 360K
diskettes. This would damage any file already using this location. There are now
deliberately destructive variants of this virus known as Golden Gate and SF that will
deliberately format your hard disk after infecting enough diskettes.
AntiCMOS
Aliases: ReadIOSYS, Lixi
Synopsis: Resident DOS boot sector and partition sector virus
Damage: Corruption of CMOS
Symptoms: Less total memory and PC hangs
Details:
AntiCMOS is memory resident and will infect any floppy accessed. Unlike Stoned, it does
not save a copy of the original boot sector. It contains the string "I am Li
Xibin!"
AntiEXE
Aliases: D3
Synopsis: Destructive, resident DOS boot sector and partition sector
virus
Damage: Inadvertent damage to diskette files and deliberate damage to
.EXE files
Symptoms: Damaged files, less total memory and PC hangs
Details:
AntiEXE deliberately damages .EXE files by changing the first byte of the file. Like
Stoned, it will cause damage to any infected floppy that contains more than just a few
files. This virus is memory resident and will infect any floppy accessed. AntiEXE remaps
the disk interrupt (Int 13h) to avoid resident monitoring programs but has no stealth
capabilities.
Appder
Aliases: WM/Appder, WordMacro.Appder, WM/NTTHNTA
Synopsis: Infector of MS Word Documents/Templates
Symptoms: Deletes files
Details:
This virus infects users of MS Word. It infects the global macros (file NORMAL.DOT)
placing macros Appder and AutoClose in this file. Any document opened or saved will become
infected with Appder. Appder also copies the Appder macro to AutoOpen in infected
documents (but not the global template). Appder creates an "NTTHNTA=##" line in
the "[MicroSoft Word]" section in WINWORD.INI. This "##" value is a
counter that is incremented until 20 files have been infected, at which point Appder
deletes a number of files (*.EXE, *.COM, *.TTF, and *.FOT) from the C:\Windows and C:\DOS
directories.
Atom
Aliases: WM/Atom, WordMacro.Atom
Synopsis: Infector of MS Word Documents/Templates
Symptoms: Encrypts documents and deletes files
Details:
This virus infects users of MS Word. It infects the global macros (file NORMAL.DOT). Any
document opened or saved will become infected with Atom. Atom contains the macros Atom,
AutoOpen, FileOpen, and FileSaveAS (there are also German variants of Atom that use the
German names for the macros AutoOpen, FileOpen, and FileSaveAS.) If the system clock shows
13 seconds, Atom will set the document password to ATOM#1. When opening an infected
document on December 13th of any year, Atom will delete all files in the current directory.
Avispa
Synopsis: Destructive, resident infector of .EXE
files
Damage: Random corruption of data read from hard disk
Symptoms: Damaged files and PC hangs
Details:
Avispa infects .EXE files when they are executed. It will (based on a timer-related
trigger) replace data in the DOS disk buffers with its own text (containing references to
Elijah Baley and Republica Argentina). Avispa sets the seconds field of infected files to
zero.
Azusa
Aliases: Hong Kong
Synopsis: Resident infector of floppy DOS boot sectors and hard disk
partition sectors.
Damage: File corruption, failure of serial ports or printer
Symptoms: Damaged files, 1024 fewer bytes total memory, failure of COM1
and LPT1.
Details:
Azusa will infect any diskette upon which you attempt to write and immediately infect any
hard disk. Azusa does not deliberately damage data but because (like Stoned) it does not
understand current diskette formats it will corrupt anything other than a 360K floppy. On
a diskette, this virus will attempt to locate the original DOS boot sector on sector 8 of
track 40. The last track on a 360K diskette is normally track 39. On larger capacity
diskettes, track 40 may be in use by the files, so on these diskettes, Azusa is likely to
cause damage. On hard disks, Azusa does not save the original partition sector at all. The
most common variant of Azusa will disable COM1 and LPT1 after counting 32 boots. This
means that your serial port (e.g., modem or mouse) and printer will suddenly quit working.
Cross-linked files and system hangs are symptoms of some less common versions of Azusa.
BackForm
Aliases: Backformat
Synopsis: Resident infector of .EXE and .COM files
Damage: Random data corruption
Symptoms: Unreadable diskettes
Details:
Backform infects .COM and .EXE files when they are executed. It will infect COMMAND.COM
without increasing its length. Backform modifies the SFT of floppies so that sectors are
written in reverse order when the floppy is formatted.
Bandung
Aliases: WM/Bandung, WordMacro.Bandung, Concept.J, Tedius
Synopsis: Infector of MS Word Documents/Templates
Symptoms: Deletes files on drive C:
Details:
This virus infects users of MS Word. It infects the global macros (file NORMAL.DOT). Any
document opened will become infected with Bandung. After 11 AM on the 20th and later days
of the month, Bandung will delete files on drive C:. Bandung overrides the Tools/Customize
and Tools/Macro menu items. The code to handle these menu items causes error messages but
Bandung will change the "a" characters in the document to "#@".
Bandung contains AutoExec, AutoOpen, FileSave, FileSaveAs, ToolsMacro and ToolsCustomize
macros.
Barrotes
Synopsis: Destructive resident infector of .EXE and
.COM files
Damage: Overwrite the partition sector
Symptoms: Apparent disk failure, PC hangs
Details:
This is a family of memory resident .COM and .EXE infectors. The most common variant
overwrites the partition sector on January 5th. This causes the hard disk to appear to be
unreadable but simply replacing the partition sector will correct the problem.
Bloody!
Synopsis: Resident infector of floppy DOS boot
sectors and hard disk
Aliases: Beijing, June 4th
Damage: File corruption
Symptoms: Damaged files, 2048 fewer bytes total memory and message
Details:
After counting 128 boots, Bloody! will display the message: "Bloody! Jun. 4,
1989". This is the date that Chinese students were killed in a confrontation with the
Chinese Army in Beijing. On hard disks, Bloody! will save the original partition sector in
cylinder zero, track zero, sector six. On floppies, it will overlay part of the directory
with the original boot sector, thereby potentially damaging existing files.
Boom
Aliases: WM/Boom, WordMacro.Boom
Synopsis: Infector of MS Word Documents/Templates
Symptoms: Renames menus used by MS Word
Details:
This virus infects users of German MS Word. It infects on opening documents (using the
AutoOpen macro) and on saving documents (DateiSpeichernUnter). Boom contains an AutoExec
macro that is triggered at time 13:13:13; it renames the menus and displays the text
"Mr. Boombastic and Sir WIXALOT"
Boot-437
Aliases: 437, Bad div
Synopsis: Resident infector of DOS boot sectors
Damage: Floppy file corruption
Symptoms: Damaged files, and fewer bytes total memory
Details:
Boot-437 infects DOS boot sectors on first access. On the hard disk it moves the original
boot sector to sector six of track zero; on floppies it does not save the original boot
sector.
Bootexe
Aliases: BFD-451, BootExe-396/451/Stalker
Synopsis: Resident infector of .EXE files and boot sectors
Damage: File corruption
Symptoms: Damaged files, PC hangs, GPFs, and fewer bytes total memory
Details:
BootEXE is a family of related viruses that infect .EXE files as well as partition sectors
and floppy DOS boot sectors. The virus works by intercepting the BIOS disk interrupt (Int
13h) and infecting files at the sector level. It will infect when a sector begins with the
"MZ" .EXE file signature. It overwrites the .exe file header (essentially
converting the file to a COM type executable) with its own code. There is no change to the
file name or length as a result of this infection. BootExe-451 is the most common variant.
Brain
Aliases: Pakistani-Brain
Variants: Shoe, Ashar, Nipper
Synopsis: Resident, stealth infector of floppy boot sectors
Damage: File corruption
Symptoms: Bad clusters, changes to the volume label
Details:
Brain is one of the oldest known PC viruses (discovered in 1986). The original Brain virus
infected only floppy DOS boot sectors and was not intended to cause any harm. The bulk of
the virus code along with the original boot sector are written to several clusters that
are marked as bad in the FAT. (If you do a CHKDSK, you will see additional bad clusters.)
Brain also changes the volume label to be "(c) Brain". This will show up anytime
you do a "DIR" on an infected diskette. There are now variants of Brain that do
not change the diskette label or change it to something else (e.g., "(c)
Ashar"). Brain is the first stealth virus; if you try to read the infected boot
sector, Brain will return the original boot sector so the PC appears uninfected. There are
now variants of Brain that will also infect the hard disk and occasionally do deliberate
damage. The original Brain virus contained this message:
Welcome to the Dungeon
(c) 1986 Basit & Amjad (pvt) Ltd.
Brain Computer Services
730 NIZAB BLOCK ALLAMA IQBAL TOWN
LAHORE-PAKISTAN
PHONE :430791,442348,280530
Beware of this VIRUS
Contact us for vaccination
Buero
Aliases: WM/Buero, WordMacro.Buero
Synopsis: Infector of MS Word Documents/Templates
Symptoms: Renames IO.SYS to IIO.SYS
Details:
This virus infects users of German MS Word. It infects the global macros (file
NORMAL.DOT). Any document opened will become infected with Buero. Buero will rename the
DOS system file IO.SYS to IIO.SYS preventing the system from booting. Buero also deletes
*.DOC files.
Byway
Aliases: HndV, TheHnd, Dir2.Byway
Synopsis: Resident polymorphic infector of .COM and .EXE files
Symptoms: CHKDSK errors, music and a message
Details:
This is a resident 2048 byte polymorphic virus that infects files using the same technique
used by DIR2. It spreads very quickly. If the virus is not resident in memory, Scandisk or
CHKDSK will show severe errors. Byway creates a hidden system file in the root directory
containing the virus code called: "CHKLIST .MS" where the blank is actually a
hex FF character. This filename is similar to that used by Microsoft Anti-Virus. Depending
upon a generation counter, the virus activates on one day of every month and plays a tune
and then displays:
TRABAJEMOS TODOS POR VENEZUELA !!!'
Cansu
Aliases: Sigalit, V-Sign
Synopsis: Resident DOS boot sector and partition sector virus
Damage: Inadvertent damage to diskette files.
Symptoms: Damaged files, less total memory, "V" shaped graphic
Details:
Cansu will display a "V" shaped ASCII graphic and hang the PC after infecting 64
diskettes. Cansu will cause damage to any infected floppy that contains more than just a
few files. Unlike most other boot sector viruses, Cansu does not save a copy of the
original boot sectors.
CAP
Aliases: WM/Cap, WordMacro.CAP
Synopsis: Infector of MS Word Documents/Templates
Details:
CAP consists of one macro named "CAP" and a variable number of other macros
(e.g., AutoExec, AutoClose, AutoOpen, FileClose, FileOpen, FileSave, FileSaveAs,
FileTemplates, and ToolsMacro) which may or may not be present in any particular
infection. This makes it difficult to determine exactly which macros are part of the
virus. When CAP infects a document, it deletes any macros present in the global template
(NORMAL.DOT) and then copies its own macros to the global template. CAP determines the
names used by the MS Word menus and creates macros to override some of these menu items.
(This creates different macro names in English and non-English versions of MS Word.) CAP
identifies its own set of basic macros by looking for "F%" at the beginning of
each macro's description field. In spite of this precaution, CAP sometimes drags
non-viral macros along with its own macros. CAP removes the Tools/Customize and
Tools/Macro menu items.
Cascade
Aliases: Falling letters, 1701, 1704
Variants: Cascade-Format
Synopsis: Resident infector of .COM files.
Damage: No deliberate damage except for the "Format" variant
Symptoms: System hangs and letters fall from top to bottom of the screen
Details:
There are quite a few known variants of Cascade. They all go resident in memory and infect
programs that are executed. The trigger for the cascading letters effect is complex and
depends upon random numbers, the date and, optionally, the video adapter. The original
Cascade was designed to trigger between October and December 1988. Most Cascade variants
are not designed to be harmful but they will occasionally crash the PC and are known to
damage files with a length of more than 63576 bytes. The Cascade-format variant will
format your disk when it activates in October through December of any year. Most Cascade
variants add either 1701 or 1704 bytes to infected files.
Chinese Fish
Aliases: ChnFish, Fish Boot
Synopsis: Resident stealth DOS boot sector and partition sector virus
Symptoms: Less total memory, message display, frequent hangs and GPFs.
Details:
A run-of-the-mill Stoned style boot sector virus with stealth capability. On activation
the virus displays a message announcing "Hello! I am FISH, please don't kill me.
Congratulate 80th year of the Republic Of China Building"
Clock
Aliases: WM/Clock, WordMacro.Clock
Synopsis: Infector of MS Word Documents/Templates
Symptoms: Time date display
Details:
This virus infects users of German MS Word. It infects the global macros (file
NORMAL.DOT). Clock contains eleven encrypted macros. Any document opened or saved will
become infected with Clock. At certain times Clock will display a box containing the time
and date.
Colors
Aliases: WM/Colors, WordMacro.Color, Colours
Synopsis: Infector of MS Word Documents/Templates
Symptoms: Change in colors used by Windows
Details:
This virus infects users of MS Word. It contains the following encrypted macros:
AutoClose, AutoExec, AutoOpen, FileExit, FileExit, FileNew, FileSaveAs and ToolsMacro. Colors
keeps a counter called "countersu" in the "[windows]" section of the
WIN.INI file. After the counter reaches 300, Colors will alter the "[colors]"
section in the WIN.INI file to set random colors for the windows components. These new
colors appear after Windows is restarted. Colors disables the Tools/Macros command in MS
Word.
Concept
Aliases: WM/Concept, WordMacro.Concept, Prank, Parasite
Synopsis: MS Word Macro virus
Symptoms: Box with "1" AAAXFS and other extra macros
Details:
This is the very first macro-based virus to spread in the wild.
Crazy Boot
Synopsis: Resident stealth DOS boot sector and
partition sector virus
Damage: Corrupted files on floppies
Symptoms: Less total memory, message display
Details:
Yet another Stoned style boot sector virus with stealth capability. This virus will cause
damage to files on floppies. On activation the virus displays a message announcing:
Don't play with the PC !
Otherwise you will get in 'DEEP,DEEP' Trouble !....
Crazy Boot Ver. 1.0
DA'BOYS
Aliases: Da_Boys
Synopsis: Resident infector of DOS boot sectors
Details:
This virus infects DOS boot sectors on both floppies and hard disks. This virus causes
crashes on some PCs but works smoothly on most PCs. It is a single sector virus and does
not save the original DOS boot sector.
Dark Avenger
Aliases: Eddie, Black Avenger
Synopsis: Damaging, resident infector of .COM and .EXE files
Damage: Potential damage to all data
Symptoms: Damaged files, CHKDSK errors
Details:
This Bulgarian virus was written to deliberately cause serious damage to your data. It
will write garbage to random sectors on your disk. The most common variant will write a
random sector after every 16th file it infects. It contains the message "Eddie
lives...somewhere in time!" and "This program was written in the city of
Sofia".
Delwin
Synopsis: Resident stealth infector of .EXE files
and partition sectors
Symptoms: Reduced maximum memory, trembling screen display.
Details:
This memory resident virus infects partition sectors and .EXE files. It will infect any
.EXE files larger than 3072 bytes upon file open and will infect the partition sector
upon execution of an infected file. Delwin marks infected programs by setting the seconds
field of the time stamp to 62. Upon activation Delwin will cause vertical trembling of the
display and it will sometimes deny execution to WIN.COM (actually any WI*.* program).
Diehard
Aliases: Die_Hard, DH2, Die Hard 2
Synopsis: Resident stealth infector of .COM and .EXE files
Symptoms: Screen display and disk errors
Details:
This memory resident virus infects .COM and .EXE files. It will infect any file opened or
executed. It will overwrite .PAS or .ASM files with a small program which would display
D1h, A5h on the screen. It refuses to write to files on certain days and displays the
message "SW Error". It sometimes displays "SW" in big violet sliding
letters at the center of the screen.
Disk Killer
Aliases: Ogre, Computer Ogre
Synopsis: Destructive, resident infector of DOS boot sectors
Damage: Damage to individual files and entire disk
Symptoms: Bad clusters, file damage, message
Details:
Disk Killer will activate about 48 hours after infecting a disk. At this point it will
display a message announcing itself as "Disk Killer" by "Computer
Ogre" and it asks you not to turn off your PC. It then trashes your disk by
encrypting your data using an exclusive-or. Once resident, Disk Killer will immediately
infect any disk that you access by replacing the boot sector and locating the remainder of
the virus code in several clusters that it will mark as bad in the FAT. This will damage
any files that were using these clusters on your disk.
Divina
Aliases: WM/Divina, WordMacro.Divina, Infeczione
Synopsis: Infector of MS Word Documents/Templates
Symptoms: Message box
Details:
This virus infects users of MS Word. It infects the global macros (file NORMAL.DOT). It
contains one encrypted macro (AutoClose). Depending upon the system clock, Divina will
display one of several message boxes with references to: "DIVINA" or
"ROBERTA". The virus also suggests that the hard disk is damaged and that it is doing a
low-level format. (Both statements are untrue.)
Espejo
Aliases: 15_Years, Mongolian
Synopsis: Destructive, resident DOS boot sector and partition sector virus
Damage: Overwrites disk
Symptoms: PC Hangs, keyboard errors
Details:
Yet another virus very similar to Stoned but with destructive activation. It contains code
to change keyboard input and on April 7th, it overwrites disk sectors with the string:
Esto te pasa por programas que a nosotros nos cuesta tanto
trabajo hacer. Que te quede de Expeiencia, Mexico,1994.
EXEbug
Aliases: CMOS virus, Swiss Boot, EXE_Bug
Synopsis: Destructive, resident DOS boot sector and partition sector virus
Damage: Loss of all data on hard disk and data corruption on diskettes
Symptoms: CMOS corruption, damaged files, less total memory and PC hangs
Details:
EXEbug uses stealth techniques to hide its presence. It also changes CMOS so that the A
drive is not present in an attempt to force your PC to boot from your hard drive (where
the partition sector is infected by the virus). This technique fails on most PCs but does
corrupt the CMOS. If the PC is booted from diskette, the hard drive will appear to be
inaccessible since the partition sector does not appear to be valid. EXEbug will cause
damage to any infected floppy that contains more than just a few files. It will infect any
floppy accessed. EXEbug will modify some .EXE files so that when they are executed, they
will overwrite the hard disk.
Flip
Synopsis: Resident stealth infector of partition
sectors and files
Damage: Causes file corruption if "CHKDSK /F" used
Symptoms: Horizontal flip of screen, CHKDSK errors
Details:
On EGA or VGA systems, Flip uses an alternate character set to make the screen appear to
flip horizontally. For the most common variant this occurs on the second day of the month
between four and five PM. Flip attempts to make infected files appear to have their
original length; this causes CHKDSK (and similar programs such as NDD or DISKFIX) to report
errors. If you ask one of these programs to fix the problems that it is reporting (e.g.,
"CHKDSK /F"), it will cause file linkage errors and file corruption. This is
not a problem if you boot from a diskette with a clean copy of DOS before running one of
these programs. Scanners frequently detect this virus in Central Point's Anti-virus
because this product contains an unencrypted fragment of Flip.
Form
Synopsis: Resident infector of DOS boot sectors
Damage: Occasional damage
Symptoms: Clicking sounds from PC
Details:
On the 18th day of any month, Form will cause a clicking sound and slow response to key
presses. Form stores the original boot sector on the last track of the disk damaging any
file which might be using that sector. On floppies, it stores the original boot sector in
a cluster marked as bad in the FAT. The boot sector will contain the text:
"The FORM-Virus sends greetings to everyone who's read this text."
Hellween
Alias: Helloween
Synopsis: Resident infector of .COM and .EXE files.
Symptoms: Display of messages and file growth
Details:
This virus infects .COM and .EXE files upon execution. The most common variant adds 1376
bytes to infected files and displays a message on November 1st.
Helper
Aliases: WM/Helper, WordMacro.Helper
Synopsis: Infector of MS Word Documents/Templates
Symptoms: Encrypts documents
Details:
This virus infects users of MS Word. It contains only one (encrypted) macro, AutoClose. It
infects documents and NORMAL.DOT when a document is closed. On some dates, it sets the
document password to "help".
Hot
Aliases: WM/Hot, WordMacro.Hot
Synopsis: Infector of MS Word Documents/Templates
Symptoms: Deletes documents
Details:
This virus infects users of MS Word 6 only. It contains the encrypted macros: AutoOpen,
DrawBringInFrOut, FileSaveAs, InsertPBreak, and ToolsRepaginat. Hot inserts
"QLHOt=nnnn" (where nnnn is a numeric trigger value) into the WINWORD6.INI file.
Depending upon the current day and the trigger value Hot will delete files.
Hybrid
Aliases: WM/Hybrid, WordMacro.Hybrid
Synopsis: Infector of MS Word Documents/Templates
Details:
This virus infects users of MS Word. It contains three macros: AutoOpen, AutoClose and
FileSaveAs (infecting documents on opening and saving).
Imposter
Aliases: WM/Imposter, WordMacro.Imposter
Synopsis: Infector of MS Word Documents/Templates
Symptoms: Message box
Details:
This virus infects users of MS Word. It infects the global macros (file NORMAL.DOT). Any
document saved will become infected with Imposter. Imposter is contained in macros called
AutoClose and FileSaveAS that execute when a user saves a document. Imposter will display
a message box containing "DMV". Imposter contains code from the Concept virus.
Invader
Aliases: AntiCAD.4096.Mozart
Synopsis: Destructive, resident, infector of programs, DOS boot sectors/partition
sectors.
Damage: Overwrites low tracks on disk
Symptoms: Music or noise from speaker
Details:
Invader installs itself as a resident program in low memory occupying a little over 5000
bytes. The most common variant will start to play music 30 minutes after becoming
resident. If you boot your PC while it is playing music, Invader will overwrite the first
track on your disk. Some variants will do this after a specific number of keystrokes or if
you execute the ACAD program (a computer-aided design program).
J&M
Alias: Jimi, Hasita, Stoned.J&M
Synopsis: Destructive, resident infector of DOS boot sectors on diskettes/partition
sectors
Damage: Overwrites low tracks on the hard disk
Details:
Yet another destructive virus based on Stoned. On November 15th, J&M will overwrite
the low tracks on the hard disk.
Jerusalem
Aliases: 1813, Israeli, Friday 13th, Black Box
Variants: Anarkia, Apocalypse, Barcelona, Captain Trips, Discom, GP1,
Messina, Mule, Nemesis, Payday, Slow, Zerotime
Synopsis: Resident infector of programs and overlays
Damage: Deletes files on activation
Symptoms: Black box appears and PC slows dramatically
Details:
Jerusalem is the most common file-infecting virus according to our reports. A tremendous
number of variants have been created to fool scanners and to change the effects of this
virus. It commonly installs itself as a resident program (TSR) in low memory occupying
slightly less than 2000 bytes. The most common variants will delete any program that you
execute on Friday the 13th. One variant (Payday) will delete programs on any Friday but
the 13th. Some variants (e.g., Clipper, Discom, GP1) will damage uninfected files.
Infected .COM files will grow by 1813 bytes while .EXE files may be infected multiple
times, sometimes overwriting parts of the original program. Jerusalem also damages .COM
files larger than 63,466 bytes. Slow (Zerotime) is an encrypted version of Jerusalem that
causes frequent system hangs.
Johnny
Aliases: WM/Johnny, WordMacro.Johnny, Go Johnny
Synopsis: Infector of MS Word Documents/Templates
Symptoms: Message on status line
Details:
This virus infects users of MS Word. It infects the global template through its AutoOpen
macro. Any document saved (using the virus's FileSave and FileSaveAs macros) will become
infected with Johnny. Johnny will display "Starting AutoSave" on the Word status
line. The virus contains the comment:
Our Devise - A copy of "Go Johnny Go" on every computer !
Joshi
Synopsis: Resident, stealth infector of DOS boot
sectors and partition sectors
Symptoms: Message and decreased total memory
Details:
CHKDSK will report over 6000 fewer bytes total memory when Joshi is resident. Joshi will
use stealth techniques to make partition sectors appear to be uninfected. On January 5,
Joshi will display the message: "Type Happy Birthday Joshi" and wait for you to
type this phrase. There is one variant (Joshi-B) that does not display this message. Joshi
carefully stores the bulk of its code by formatting an additional track at the end of
diskettes. On a 360K diskette, it will create a 41st track (known as track 40) on what
would normally be a 40 track diskette. On hard disks, Joshi stores the original partition
sector in Sector nine of track zero, cylinder zero. This causes problems on a few hard
disks that utilize this sector.
Jumper
Alias: 2K, SillyBop, French Boot, EE
Synopsis: Resident infector of DOS boot sectors on diskettes and
partition sectors
Damage: Occasional file corruption
Details:
A resident infector of DOS boot sectors on floppies and hard disk partition sectors. It
will display the epsilon character (hex EE) on the screen and can cause file corruption on
floppies.
Junkie
Synopsis: Resident infector of boot sectors and
.COM files
Symptoms: 3K less memory, failure to load and growth in .COM files
Details:
Junkie is a Swedish memory resident infector of hard disk partition sectors, floppy DOS
boot sectors and .COM files larger than 5,000 bytes. Junkie will damage EXE type files
that end with the .COM extension. Some infected .COM files will fail to execute (program
too big to fit into memory).
Keypress
Synopsis: Resident infector of .COM and .EXE files
Symptoms: Repeated keys, loss of total memory, file time and date changes
Details:
At intervals (generally 30 minutes), Keypress will repeat any key that you press, giving
the appearance of a stuck key. This effect generally lasts for only two seconds. Keypress
allows DOS to update the time and date stamp of any file that it infects. It will damage
any .COM file larger than 64,032 bytes that it infects. Total memory will be decreased by
approximately 1000 bytes when Keypress is resident.
Laroux
Aliases: ExcelMacro.Laroux, XM/Laroux
Synopsis: MS Excel Macro virus
Details:
This is the very first Excel macro-based virus to spread in the wild. It is still not very
common but we are including it here because we get so many questions regarding it.
Leandro
Synopsis: Resident DOS boot sector and partition
sector virus
Symptoms: Message appears, reduced memory
Details:
Another Stoned-like infector of hard disk partition sectors and floppy boot sectors. It is
very common in South America. It reduces maximum memory by 4K and on October 21 displays:
Leandro and Kelly ! GV-MG-Brazil
You have this virus since mm-dd-yyyy
where mm-dd-yyyy is the date Leandro infected your PC.
Little Red
Aliases: LRed, Red Book, Mao
Synopsis: Stealth resident infector of .COM and .EXE files
Symptoms: Music, system slowdown and crashes
Details:
Infects .COM or .EXE programs on any access. It plays two Chinese tunes; one on Dec. 26th
(Mao's birthday) and one on Sept. 9th (Mao's death). It reduces available memory by
slightly less than 2K. It uses stealth techniques to hide its file changes.
Liberty
Aliases: Mystic
Synopsis: Resident infector of .COM and .EXE files.
Symptoms: Decrease in total system memory
Details:
CHKDSK will report over 8000 fewer bytes total memory with Liberty resident. Liberty is
reported to also infect overlay files and boot sectors. Infected files contain the text
"Liberty" and infected .COM files commonly contain the text "- M Y S T I C -".
Maltese Amoeba
Aliases: Irish, Grain of Sand, Amoeba (mistakenly)
Synopsis: Destructive, polymorphic, resident infector of .COM and .EXE
files
Damage: Overwrites low tracks on disk on November 1 and March 15
Symptoms: Sluggish response to the DIR command, less memory, file time
stamp changes.
Details:
This virus did considerable damage when it first activated in November of 1991 in the UK
(illustrating the danger of depending upon scanners for anti-virus protection). It will
infect files on either a DOS open or a load and execute (it infects any programs read or
executed) but it avoids infecting COMMAND.COM. CHKDSK will report 4096 fewer bytes total
memory if the virus is resident. Maltese Amoeba will refuse to infect if a couple of well
known resident monitor programs or the PSQR virus are present. On Nov 1 or March 15, it
will overwrite low numbered tracks on the hard disk and any diskettes, and hang the PC. On
a subsequent boot, it will greet you with a display of the first four lines of Blake's
"Auguries of Innocence" from the Pickering Manuscripts:
To see a world in a grain of sand
And a heaven in a wild flower,
Hold infinity in the palm of your hand
And eternity in a hour.
The Virus 16/3/91
The damaged partition sector will then contain this text:
AMOEBA virus by the Hacker Twins (C) 1991 This is
nothing, wait for the release of AMOEBA II - The
Universal infector, hidden to any eye but ours!
Dedicated to the University of Malta - the worst
educational system in the universe, and the
destroyer of 5X2 years of human life.
Integrity Master will detect the Maltese Amoeba as
"Irish1" through "Irish6."
Mange_Toute.1099
Aliases: 1099
Synopsis: Resident infector of .COM and .EXE files
Symptoms: Occasional crashes
Damage: File damage
Details:
This is a memory resident infector of .COM or .EXE programs. The body of the virus is
encrypted and contains anti-debug armoring.
Manzon
Synopsis: Polymorphic resident infector of .COM and
.EXE files
Symptoms: Less available memory and obvious file growth
Details:
Manzon is a polymorphic memory resident infector of .COM or .EXE programs. Changes to
infected files are obvious (no stealth at all) as date changes and growth of 1430 to 1500
bytes.
MDMA
Aliases: WM/MDMA, WordMacro.MDMA, StickyKeys
Synopsis: Infector of MS Word Documents/Templates
Symptoms: Message box
Details:
This virus infects users of MS Word. It infects the global macros (file NORMAL.DOT). Any
document saved will become infected with MDMA. MDMA contains only one (encrypted) macro,
AutoClose. On the first day of any month, MDMA will display a message box announcing that
you are infected with "MDMA_DMV. Brought to you by MDMA (Many Delinquent Modern
Anarchists)." At the same time MDMA tries to corrupt the system files. It does this
in different ways depending upon the version of the operating environment. Under Windows,
it replaces the AUTOEXEC.BAT file with commands to delete all directories.
Michelangelo
Synopsis: Destructive, resident infector of boot
sectors on diskettes/partition sectors on HD.
Damage: On March 6, it writes garbage over beginning of the disk
Details:
On March 6, the Michelangelo virus (named after Michelangelo Buonarroti the Italian
Renaissance artist, born March 6, 1475) will destroy all data on infected disks. It will
store the original partition sector in sector seven of cylinder zero, track zero. On
diskettes, Michelangelo will inadvertently damage the directory structure by hiding the
original boot sector in the last sector occupied by the directory. Michelangelo reduces
the amount of total memory on your PC by 2048 bytes.
Microbes
Synopsis: Resident infector of floppy DOS boot
sectors
Symptoms: Hang during attempted boot
Details:
The Microbes virus, developed in India, infects only floppy boot sectors and does not appear
to cause any deliberate damage.
Monkey
Synopsis: Resident, stealth infector of floppy boot
sectors and partition sectors
Symptoms: Inaccessible hard disk after floppy boot, 1K less available
memory
Details:
Monkey is unusual in that it completely replaces the partition sector with its own code.
If you boot from a floppy the hard disk will be inaccessible since there is no valid
partition table in the partition sector. If the virus is resident in memory, it will use
stealth techniques to return the original unmodified partition sector.
MusicBug
Aliases: Music Boot, Music bug
Synopsis: Resident infector of DOS boot sectors and partition sectors
Damage: Inadvertent damage to some disks
Symptoms: Music and clicking sounds, lost clusters, decreased total
memory
Details:
MusicBug generally waits about four months before it starts randomly playing music. When
it infects your PC it will create lost clusters where it locates the bulk of the virus
code. CHKDSK will report the existence of these lost clusters. These clusters will contain
the text "MusicBug v1.06 MacroSoft Corp.". Since MusicBug does not correctly
understand FAT structure, it will corrupt some disks.
Natas
Synopsis: Destructive polymorphic resident stealth
infector of boot sectors and files
Symptoms: Reduced free memory
Damage: Overwrites the hard disk
Details:
Natas (by the author of Satan Bug) infects partition sectors on hard disks, floppy DOS
boot sectors as well as both .COM and .EXE files. Natas uses stealth to hide its presence
but unlike other stealth viruses it will disable the stealth when a known archiver (e.g.,
PKzip) is used. This prevents it from disinfecting itself when someone archives an
infected file. Natas activates (overwriting the hard disk) when it detects a debugger or
with a 1/512 probability when an infected file is executed.
Neuroquila
Aliases: Havoc, Wedding
Synopsis: Highly polymorphic resident stealth infector of boot sectors and
.EXE files
Symptoms: Screen display, occasional crashes.
Details:
This virus infects partition sectors on hard disks, floppy DOS boot sectors and .EXE
files. The original partition sector is encrypted so if the PC is booted from a clean
diskette, the hard disk will not be accessible. On floppies the virus formats an extra
track for its code. The virus uses stealth to hide its changes to the files and boot
sectors. Neuroquila contains code to directly attack several anti-virus products. On
activation, it displays the message:
<HAVOC> by Neurobasher'93/Germany-GRIPPED-BY-FEAR-UNTIL-DEATH-US-DO-PART-
Nightfall
Aliases: N8fall
Synopsis: Highly polymorphic resident stealth infector of .COM and .EXE
files
Damage: Random corruption of files
Symptoms: Screen display, occasional crashes.
Details:
This virus is by the author of Neuroquila and is similar to that virus except it does not
infect boot sectors. Integrity Master detects this virus as Neuroquila in files. On
activation it displays its name as "N 8 F A L L".
Nomenklatura
Synopsis: Destructive resident infector of .COM and
.EXE files
Damage: Severe random corruption of all areas of the disk.
Symptoms: CHKDSK errors, damaged files, less total memory
Details:
Nomenklatura deliberately causes random corruption to your disk. This damage could affect
any location on your disk including the boot sector. It decreases total memory by 1024
bytes and increases the size of all infected files by this amount. This increase is not
concealed.
NOP
Aliases: WM/NOP, WordMacro.NOP
Synopsis: Infector of MS Word Documents/Templates
Details:
NOP infects users of German MS Word. These are very simple viruses containing the macros
DateiSpeichern and AutoOpen. Files (and NORMAL.DOT) are infected when opening a document.
Nov 17
Aliases: November 17
Synopsis: Resident infector of .COM and .EXE files
Damage: Loss of all data on hard disk
Symptoms: Occasional system hangs
Details:
The most common variant of Nov 17 infects any .COM or .EXE program that is executed or
opened. It adds 855 bytes to the end of the program but preserves the original time and
date stamps. On November 17th of any year, the virus will write garbage to the hard disk.
NPad
Aliases: WM/Npad, WordMacro.Npad, Jakarta
Synopsis: Infector of MS Word Documents/Templates
Symptoms: Message "D0EUNPAD94" appears.
Details:
This virus infects users of MS Word. It infects the global macros (file NORMAL.DOT). Any
document opened will become infected with Npad. Npad contains one encrypted macro
"AutoOpen". Once out of twenty-three infections Npad will display the scrolling
text "D0EUNPAD94 v.2.21 (c) Maret 1996, Bandung, Indonesia" in the status line.
NiceDay
Aliases: WM/NiceDay, WordMacro.NiceDay
Synopsis: Infector of MS Word Documents/Templates
Symptoms: Message "Have a Nice Day" appears.
Details:
This virus infects users of MS Word. It is very closely based on Concept. It infects the
global macros (file NORMAL.DOT). Any document opened will become infected with NiceDay.
NiceDay contains four macros: Payload, AutoExit, AutoOpen (stored as Vopen in NORMAL.DOT),
and AutoClose (stored as Vclose in infected files).
NYB
Aliases: B1
Synopsis: Resident, stealth, DOS boot sector and partition sector virus
Damage: Diskette corruption
Symptoms: Reduced total memory, message and system hang
Details:
NYB infects floppy DOS boot sectors and hard disk partition sectors. NYB will hide from
inspection using stealth techniques. NYB contains no messages or destructive payload
although it may cause file damage on floppies.
Ohio
Synopsis: Resident infector of floppy boot sectors
Damage: Inadvertently damages 1.2MB and 3.5 inch diskettes
Symptoms: Reduced total memory, slow disk accesses
Details:
Ohio will only correctly infect 360K diskettes, resulting in damage to all other types of
disks. If Ohio finds the Brain virus present on a diskette, it will remove it and replace
it with itself.
One_Half
Aliases: 1/2, Slovak Bomber
Synopsis: Destructive polymorphic resident stealth infector of partition
sectors and files
Damage: Encryption of disk
Symptoms: PC freezes, reduced available memory and message display
Details:
One_Half infects .COM and .EXE files in addition to hard disk partition sectors. It is
highly polymorphic and some widely used scanners fail to detect all files infected by this
virus. As soon as an infected program is run, the virus will infect the partition sector.
After each boot from an infected partition sector, One_Half encrypts two cylinders
beginning with the back of the disk. When the virus is in memory it decrypts on the fly
but without the virus active in memory the data appears in its encrypted form. When the
virus thinks it has encrypted one half of the disk, it displays: "Dis is one half".
Parity Boot
Synopsis: Resident, stealth, DOS boot sector and
partition sector virus
Damage: Diskette corruption
Symptoms: Reduced total memory, message and system hang
Details:
Another typical boot sector virus. Parity Boot will hide from inspection using stealth
techniques and displays the message "PARITY CHECK" with a subsequent system
hang. Any diskettes accessed with the virus resident in memory will be infected.
Pathogen
Aliases: SMEG
Related: Queeg
Synopsis: Polymorphic, destructive, resident infector of programs
Damage: Random sectors overwritten
Symptoms: Program growth, less available memory, disk corruption, message
display
Details:
Pathogen is spreading rapidly world-wide but most reports are coming from the UK. This
virus claims to use a toolkit called SMEG. Integrity Master identifies Pathogen and Queeg
as SMEG and should identify any other viruses (e.g., QUEEG) which would use the SMEG
tool-kit. Some scanners cannot detect Pathogen. The virus marks infected files by adding
100 years to the file date. On any Monday at 5PM this virus will write garbage to random
sectors on the hard disk and then display this message:
Your hard-disk is being corrupted, courtesy of PATHOGEN!
Programmed in the U.K. (Yes, NOT Bulgaria!) [C] The Black Baron 1993-4
Featuring SMEG v0.1: Simulated Metamorphic Encryption Generator!
'Smoke me a kipper, I`ll be back for breakfast.....'
Unfortunately some of your data won`t!!!!!
Ping Pong
Aliases: Italian, Bouncing Ball, Bouncing Dot
Synopsis: Resident infector of boot sectors and partition sectors.
Symptoms: A bouncing ball appears, reduced total memory
Details:
The bouncing ball effect is triggered randomly a second after the system clock reaches a
multiple of 30 minutes. The ball itself is the ASCII seven character that resembles a
small rhombus. The original Ping Pong virus was discovered in March of 1988 and would only
infect floppy disks. The version that is common today will also infect hard disk partition
sectors. There is also a variant that does not have the bouncing ball effect. The virus
will hide some of its code in an unused cluster that it marks as bad.
Predator
Synopsis: Resident stealth infector of boot sectors
and files.
Symptoms: Unexpected reboots and program crashes.
Details:
This is a family of related viruses. Early Predator variants were simple resident .COM
infectors. The most common variant, Predator.2448, is multipartite and infects hard disk
partition sectors and floppy DOS boot sectors as well as .EXE and .COM files. It uses
stealth to hide its boot sector changes but only hides time/date stamp and length changes
in files.
Quicky
Aliases: Quicksilver
Synopsis: Resident infector of .EXE files
Symptoms: Reduced total memory
Details:
When resident in memory, Quicky infects by adding 1,376 bytes to any .EXE file that is
executed from the hard disk.
Quox
Synopsis: Resident stealth floppy DOS boot sector
and hard disk partition sector virus
Symptoms: Unreadable floppies
Details:
Quox uses stealth to hide its changes to the boot sector. Infected floppies are unreadable
(but will still infect the hard disk if booted from) and may cause DOS to crash.
Rapi
Aliases: WM/Rapi, WordMacro.Rapi
Synopsis: Infector of MS Word Documents/Templates
Symptoms: Message box
Details:
This virus infects users of MS Word. It infects the global macros (file NORMAL.DOT). Any
document opened or saved will become infected with Rapi. Rapi is a modified form of the
Bandung macro virus. Rapi also overrides the MS Word Tools/Customise and Tools/Macro
menus. It displays a message box with the text "@RAPI.KOM" and "Thank you
for joining us!". Rapi has the Bandung payload of replacing "a" with
"#@" in some infected documents. Rapi contains a series of macros beginning
with RP (e.g. RpAe,RpFO,RpFS,RpTC, etc.) as well as AutoOpen but because Rapi tends to
lose some of its macros, we now have a large number of variants, most of which still
replicate.
Ripper
Aliases: Jripper, Jack the Ripper
Synopsis: Destructive stealth resident DOS boot sector and hard disk
partition sector virus
Damage: Slow file and directory corruption
Details:
Ripper uses stealth to hide its changes to the boot sector. The body of Ripper virus is
encrypted. Ripper causes random disk writes to be corrupted. It swaps two words in the
disk write buffer. This type of corruption usually goes unnoticed (until damage is
severe) unless an integrity checker is used.
S-Bug
Aliases: Sbug, Satan-Bug
Variants: FruitFly
Synopsis: Polymorphic, resident infector of .COM and .EXE files
Damage: Some programs are corrupted
Symptoms: Reduced total memory, file growth, and system hangs
Details:
This is a memory resident polymorphic file infector. It reduces available memory by about
9K. S-Bug is very buggy and will hang on many PCs. Many S-bug infected programs will also
hang. S-bug removes the validation codes added to files by McAfee scan and Central Point's
"immunize" function. FruitFly is another (totally different) virus that uses
almost the same polymorphic encryption/decryption code as that used by S-bug. Integrity
Master will identify FruitFly as S-bug.
Sampo
Aliases: 69, Turbo, Wllop
Synopsis: Resident DOS boot sector and hard disk partition sector virus
Symptoms: Reduced maximum memory, message display
Damage: File damage on floppies
Details:
Another Stoned-like boot sector virus. Sampo's payload consists of displaying a box of
text in the upper right hand corner of the screen revealing the name of the virus.
Stealth Boot
Aliases: Stelboo,Stealth_Boot
Variants: Stealth_Boot.A/B/C, AMS
Synopsis: Resident, Stealth, DOS boot sector and partition sector virus
Damage: Inadvertent disk corruption
Symptoms: Message appears, reduced memory
Details:
This has become one of the most common viruses (the B and C variants) in the US. It is
based on virus source code published in a book by a US company. Beyond its ability to
conceal its presence on an infected system, this is a very non-exceptional boot sector
virus similar to Stoned. When resident, it reduces total system memory by four thousand
bytes. While it does not cause damage to the hard disk, we have numerous reports of
corrupted files on infected floppies.
Stoned
Aliases: New Zealand, Marijuana
Variants: Angelina,Bravo,Bunny,Daniela,Dinamo,Donald Duck,Hawaii,LZR
No_Int,Rostov,Sex Revolution,W_Boot
Synopsis: Resident DOS boot sector and partition sector virus
Damage: Inadvertent disk corruption
Symptoms: Message appears, reduced memory
Details:
Stoned (and its variants) is one of the most common viruses. There are countless variants
of the Stoned virus and numerous "new" viruses have been written using
"Stoned" as a base including such viruses as Bloody! and Michelangelo. Stoned
was not intended to do any damage but because it writes the original boot sector into the
area occupied by the directory (head one, track zero, sector three), it will damage most
diskettes. It can infect 360K floppies with no harm unless the diskette contains more than
96 files in the root directory. Other types of diskettes are immediately damaged by
Stoned. On hard disks, it saves the original partition sector to head zero, track zero,
sector seven. Stoned most commonly displays a message along the lines of "Your PC is
now Stoned." There are many variants that contain different messages (e.g.,
"Donald Duck is a lie" and "Sex Revolution") but essentially function
the same way. CHKDSK will report 2048 fewer bytes of total memory with Stoned resident. Some
PCs will occasionally hang.
Sunday
Synopsis: Destructive resident infector of programs
and overlays
Damage: File corruption
Symptoms: Message appearing on Sundays and reduced total memory
Details:
This appears to be a variant of Jerusalem that was modified to display this message on
Sundays: "Today is Sunday! Why do you work so hard? All work and no play make you a
dull boy! Come on! Let's go out and have some fun!"
SVC
Variants: SVC 3.1, SVC 4, SVC 5, SVC 6
Synopsis: Resident infector of .COM and .EXE files and of partition sectors
(SVC 6 only)
Damage: Some programs are corrupted
Symptoms: Reduced total memory, file growth, and system hangs
Details:
These are memory resident file infecting viruses. With the virus resident in memory, any
program executed will become infected. SVC 6, in addition to infecting programs, will
infect the partition sector of your hard disk.
Telecom
Aliases: Spanish Telecom, Telefonica, Campana,
Kampana
Synopsis: Destructive, resident, stealth infector of boot sectors,
partition sectors and .COM files.
Damage: Overwrites hard disks
Symptoms: Message, reduced total memory
Details:
This is a family of three related viruses that were written to protest the Spanish
telephone company. The .COM infecting virus will deposit the partition sector virus onto
your hard disk. The .COM infecting virus is relatively rare but the other system sector
virus has spread rather widely. After 400 boots, it will overwrite your hard disks and
display the message: "VIRUS ANTITELIFONICA." The .COM infecting virus marks
infected files by setting the year of the file's date stamp ahead 100 years.
Tai-Pan
Aliases: Taipan
Variants: Tai-pan.438:Whisper, Tai-Pan.666:Doom2
Synopsis: Resident infector of .EXE files
Symptoms: Reduced available memory and file growth.
Details:
These are simple resident infectors of .EXE files smaller than 64K. Infected files grow by
438 or 666 bytes (no stealth). The 666 byte variant contains messages saying you have an
illegal version of Doom2 and "Say bye-bye HD" but it is not deliberately
destructive.
Tequila
Synopsis: Resident, stealth infector of partition
sectors and .EXE files
Damage: Random corruption of files
Symptoms: Colorful display and reduced total memory
Details:
Tequila was written by two young brothers in Switzerland, who were later arrested for
their efforts. Tequila infects both .EXE files and hard disk partition sectors. As soon as
an infected program is run, the virus will infect the partition sector. It reduces total
memory by approximately 3000 bytes. Tequila will cause file corruption on many systems but
this seems to be a bug rather than deliberate. Four months after infecting the PC, Tequila
will display a crude but colorful character-based Mandelbrot image. Infected files will
grow by 2468 bytes and high sectors of a hard disk will contain some virus code including
this text:
Welcome to T.TEQUILA's latest production.
Contact T.TEQUILA/P.o.Box 543/6312 St'hausen/Switzerland.
Loving thoughts to L.I.N.D.A
BEER and TEQUILA forever !
Tremor
Synopsis: Resident, stealth infector of partition
sectors and .EXE files
Damage: Random corruption of files
Symptoms: File date changes, screen tremor effect, reduced total memory
Details:
Tremor will infect primarily .EXE files (but also COMMAND.COM). Tremor marks files it
infects by adding 100 years to their date. Tremor is highly polymorphic, uses stealth, and
will disable memory resident anti-virus products. Tremor directly disables the resident
virus protection provided by MS DOS 6.0 (Vsafe) and Central Point Anti-virus. Upon
activation, Tremor creates a tremor effect by making the characters on your screen appear
to shake. At this point the PC usually hangs. Tremor waits about three months before it
displays this behavior. Tremor contains the text:
-=> T.R.E.M.O.R was done by NEUROBASHER /
May-June'92, Germany <=-
and also the message:
.MOMENT.OF.TERROR.IS.THE.BEGINNING.OF.LIFE.
On Friday the 14th of May 1993, TREMOR was sent out in an infected
PKUNZIP.EXE together with McAfee's Scan on Channel Videodat (the PRO-7 TV-program received
primarily in Europe) via Astra Satellite, terrestrial broadcast and via cable. Thousands
of people may have downloaded the virus from this broadcast. Since their PC would become
infected when they used the infected PKunzip to extract Scan, this enabled TREMOR to
spread quite widely in very little time.
TWNO
Aliases: WM/TWNO:TW, WordMacro.TWNO:TW, "Taiwan No. 1"
Synopsis: Infector of MS Word Documents/Templates
Symptoms: Deleted files and message boxes
Details:
TWNO was written in Taiwan and infects (exclusively) users of Chinese MS Word. It infects
the global macros (file NORMAL.DOT). It contains only one macro, AutoOpen but it copies
this macro to two others: AutoNew and AutoClose, so a total of three (identical) viral
macros will be found in infected documents. Any document created, opened or saved will
become infected with TWNO. On the 13th of any month, TWNO inserts Chinese text and the
text "NO.1 Macro Virus" into infected documents. On the 25th of any month, TWNO
deletes the files in the \DOS and \Windows directories and displays the message
"MERRY CHRISTMAS". On the 15th, TWNO deletes: AUTOEXEC.BAT, COMMAND.COM,
CONFIG.SYS, IO.SYS, and MSDOS.SYS, making the system unbootable.
Urkel
Aliases: Nwait
Synopsis: Resident, stealth infector of floppy boot sectors and partition
sectors
Symptoms: Inaccessible hard disk, screen display, 2K less available
memory
Details:
Urkel (like Monkey) completely replaces and encrypts the partition sector. If you boot
from a floppy the hard disk will be inaccessible since there is no valid partition table
in the partition sector. Urkel uses stealth techniques to return the original unmodified
boot sector. At midnight Urkel reveals itself by displaying "Urkel".
Vacsina
Variants: The TP##VIR series of viruses, Yankee
Doodle
Synopsis: Resident infector of programs
Symptoms: Beeps and music
Details:
Vacsina has over 50 known variants. Yankee Doodle, TP04VIR, TP06VIR, TP16VIR, and TP23VIR
are among the variants. Early versions of this virus only infected .COM files and sounded
a beep whenever a file was infected. Later versions now infect .EXE files as well as other
executable file types. Some later versions, such as Yankee Doodle, play music. Yankee
Doodle will often play at 5PM or when the PC is booted. An interesting aspect of Vacsina
viruses is that they contain a version number system; if Vacsina detects an earlier
version of itself in a file, it will remove that version and replace it with itself. It's
also remarkable that Vacsina will search out and remove copies of the Ping Pong and
Cascade viruses!
Vienna
Aliases: Austrian, DOS62, UNESCO
Variants: Lisbon, Dr.Q, Parasite, Violator, Viperize, Arf, and many more
Synopsis: Nonresident infector of .COM files
Symptoms: System hangs and unexpected reboots
Details:
Vienna viruses typically add between 600 and 3000 bytes to each infected .COM file although
one variant (C-23693) is one of the largest viruses known. There are an overwhelming
number of Vienna variants since the source code for this virus was printed in a book and
widely distributed. Each time an infected program is executed, the virus will look for an
uninfected program and infect that program before allowing the initial program to execute.
To avoid reinfecting the same program, Vienna marks infected programs by setting the
seconds field of the time stamp to 62. Since the seconds portion of the time stamp is not
displayed by a DOS directory listing, this change usually goes unnoticed. Early Vienna
versions damage (rather than infect) one of every six or eight programs by inserting
instructions to force a reboot. When these programs are executed, the PC will reboot or
hang and the program will never be executed. Since these programs are not infected by the
virus but simply damaged, many people have no way of correcting or detecting this damage.
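The Vienna marker (a seconds field of 62) and the 100-year date marker described under Pathogen, Telecom and Tremor are both stored in the 32-byte FAT directory entry but are not shown by a DOS directory listing. The following added example (not part of the original list) decodes raw directory entries and flags both markers; the function names, the sample entries and the scan year of 1997 are constructed for illustration.

```python
import struct
from typing import NamedTuple

ENTRY_SIZE = 32  # one FAT12/FAT16 directory entry


class Finding(NamedTuple):
    name: str
    stamp: str
    reasons: tuple


def decode_stamp(time_word, date_word):
    """Split the packed FAT time/date words into their fields."""
    hour = time_word >> 11
    minute = (time_word >> 5) & 0x3F
    second = (time_word & 0x1F) * 2      # stored in 2-second units, so 31 -> 62
    year = 1980 + (date_word >> 9)       # 7 bits, 1980..2107
    month = (date_word >> 5) & 0x0F
    day = date_word & 0x1F
    return year, month, day, hour, minute, second


def scan_directory(raw, scan_year):
    """Return entries whose stamps look like infection markers.

    scan_year is the real calendar year at scan time; any file dated
    later than that is treated as a possible "+100 years" marker.
    """
    findings = []
    for off in range(0, len(raw) - ENTRY_SIZE + 1, ENTRY_SIZE):
        name, ext, attr, _, time_word, date_word, _, _ = struct.unpack(
            "<8s3sB10sHHHI", raw[off:off + ENTRY_SIZE])
        if name[0] == 0x00:              # end of directory
            break
        if name[0] == 0xE5 or attr == 0x0F or attr & 0x18:
            continue                     # deleted, long-name, label or subdirectory
        year, month, day, hour, minute, second = decode_stamp(time_word, date_word)
        reasons = []
        if year > scan_year:
            reasons.append(f"year {year} is in the future ({year - 100} + 100?)")
        if second > 58:
            reasons.append(f"seconds field is {second}")
        if reasons:
            label = (name.decode("ascii", "replace").rstrip() + "." +
                     ext.decode("ascii", "replace").rstrip())
            stamp = (f"{year:04d}-{month:02d}-{day:02d} "
                     f"{hour:02d}:{minute:02d}:{second:02d}")
            findings.append(Finding(label, stamp, tuple(reasons)))
    return findings


def make_entry(name, ext, y, m, d, hh, mm, ss, size=1000):
    """Build one directory entry (helper for the constructed sample below)."""
    time_word = (hh << 11) | (mm << 5) | (ss // 2)
    date_word = ((y - 1980) << 9) | (m << 5) | d
    return struct.pack("<8s3sB10sHHHI", name.ljust(8).encode(),
                       ext.ljust(3).encode(), 0x20, b"\0" * 10,
                       time_word, date_word, 2, size)


# Constructed sample directory: one clean file, one with a +100 year date,
# one with seconds = 62, and one deleted entry that must be skipped.
SAMPLE_DIR = (
    make_entry("EDIT", "COM", 1992, 1, 5, 8, 0, 0)
    + make_entry("GAME", "EXE", 2091, 3, 14, 12, 30, 10)
    + make_entry("UTIL", "COM", 1990, 6, 1, 9, 15, 62)
    + b"\xE5" + make_entry("OLD", "EXE", 2090, 1, 1, 0, 0, 0)[1:]
)

if __name__ == "__main__":
    for f in scan_directory(SAMPLE_DIR, scan_year=1997):
        print(f.name, f.stamp, "; ".join(f.reasons))
```

Read the directory sectors from a clean boot: the stealth viruses in this list hide their changes while resident in memory.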
Wazzu
Aliases: WM/Wazzu, WordMacro.Wazzu
Synopsis: Infector of MS Word Documents/Templates
Symptoms: Moved words within documents. The text "wazzu" inserted.
Details:
This virus infects users of MS Word. It infects the global macros (file NORMAL.DOT). Any
document opened will become infected with Wazzu. Wazzu is contained in a macro called
AutoOpen that executes whenever MS Word opens a new document. Wazzu has a dual payload; it
rearranges one to three words within some infected documents and in one of every four
infections it inserts the text "wazzu" into the infected document. Some Wazzu
variants (i.e. Wazzu.C) have omitted this payload. The ShareFun virus is a Wazzu variant
with an unusual payload that tries to spread the virus via MS Mail.
UPDATE:
We have seen variants of Wazzu converted to the Word97 form. These
have been reported in the wild but our tests do not confirm that these are actively
spreading (yet). We do expect to see other Word97 viruses very shortly.
WelcomB
Aliases: Bupt_Boot
Synopsis: Resident infector of floppy boot sectors and partition sectors
Symptoms: Maximum memory reduced
Details:
Yet another Stoned-like boot sector virus. It contains the unencrypted text:
"Welcome to BUPT 9146,Beijing!".
WXYC
Synopsis: Resident infector of DOS boot sectors
Symptoms: Maximum memory reduced by 2K and message display
Damage: Corrupted files on floppy
Details:
Like Form, WXYC infects DOS boot sectors (but not partition sectors). WXYC damages the
directory by writing the original floppy boot sector to part of the floppy's root
directory. At certain times, WXYC displays the message: "WXYC rules this roost!".