Virus Information Update

The Computer Incident Advisory Capability

CIAC Information Bulletin Number B-16: March 1, 1991, 1100 PST

CIAC periodically issues bulletins about specific computer viruses. These bulletins, however, do not cover all the computer viruses that affect the PC-DOS/MS-DOS and Macintosh platforms. The purpose of this bulletin is to identify most of the known viruses for these platforms, and give an overview of the effects of each virus. This bulletin supersedes CIAC Bulletin A-15 issued last year, and includes (at least by name) more than 100 new viruses. As we continue to gather more information, we will add it to future editions of this document.

The following pages of this bulletin contain three tables of information, one for the PC-DOS/MS-DOS platform, one for the Macintosh platform, and one for the names of viruses currently being investigated. There is a two-line entry for each item in each table.

The first line gives the name, transmission vector (explained below), method of infection, and possible damage. The second line gives an overview of the operation of each virus. The fields include:

PC-DOS/MS-DOS users desiring additional information can read the file "Coping with Computer Viruses and Related Problems" by IBM (filename: IBMPAPER.ZIP, available from CIAC). For Macintosh users, the help file built into Disinfectant and the Virus Encyclopedia HyperCard stack are good sources of additional information. All of these and more are available from FELIX, CIAC's bulletin board service.

The FELIX Virus Bulletin Board

FELIX, a bulletin board operated by CIAC, is available to the DOE community and contains all the CIAC bulletins, descriptions of other viruses, and public domain virus detection/protection software. For example, one available file named CIACDB.TXT contains a more detailed version of the tables contained in this bulletin, with details on some viruses in addition to those described in this summary.

As with any software you obtain, you should exercise caution and scan individual software packages before using the software for the first time. All software on FELIX has been scanned for known viruses, but it is advisable to scan it again using the most recent version of a virus scanning tool such as DDI's Virhunt package (available to all DOE sites - contact your operations office for details). Be sure to scan archived applications after they have been extracted from the .ZIP, .ARC, or .SIT archive, as scanning software cannot currently detect a virus within an application until it is in an executable form (.EXE or .COM file).

Access to FELIX at speeds up to 2400 baud may be obtained by using a modem to call (415) 423-4753 or (FTS) 543-4753 (8 bit, no parity, 1 stop bit). High speed access can be obtained at the Lawrence Livermore National Laboratory and the Lawrence Berkeley National Laboratory using 423-9885. Downloadable PC-DOS/MS-DOS files are either text files (.TXT), zip archives (.ZIP) or executables (.COM or .EXE). Text files and executables can be downloaded directly and used. Be sure to use a binary downloading capability such as XMODEM for the executable files. Files in ZIP archives must be extracted after downloading with PKUNZIP (available on FELIX) before they can be used. Macintosh files in SIT archives must be extracted with Stuffit before they can be used. When downloading Macintosh files, be sure to use MacBinary format (such as MacBinary XMODEM) rather than plain binary format, if your terminal emulator allows this.

If you are using a shareware package downloaded from FELIX or any other source, be sure to follow the instructions in the package for compensating the author. The cost is generally minimal ($10 to $50), for some very useful applications.

For additional information or assistance, please contact CIAC

During working hours call CIAC at (415) 422-8193 or (FTS) 532-8193. For non-working hour emergencies, call (415) 422-7222 or (FTS) 532-7222 and ask for CIAC (this is a new emergency number). Send FAX messages to: (415) 423-0913 or (FTS) 543-0913.

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.

About the CIAC Virus Database and Bulletin

This database is compiled and maintained by CIAC, the Computer Incident Advisory Capability. The authors are William J. Orvis and David S. Brown. Information in this bulletin has been gathered from many sources, and we thank them all for their efforts. A partial listing of our sources is given here, and we will correct any omissions in the next release.

Codes Used in the Virus Tables

The following codes are used in the Method of Infection field.

PC-DOS/MS-DOS Viruses:

Macintosh Viruses:

The following codes are used in the Potential Damage field.

The Computer Incident Advisory Capability: Macintosh Computer Viruses

__________________________________________________

NAME(S):  ANTI, ANTI-ANGE, ANTI A, ANTI B

TRANSMISSION VECTOR:  Applications

MODE OF INFECTION CODES:  TYP1, APP

POTENTIAL DAMAGE CODES:  RUN

OVERVIEW:  Attacks only application files, and causes some problems with infected applications.

__________________________________________________

NAME(S):  CDEF

TRANSMISSION VECTOR:  DeskTop files

MODE OF INFECTION CODES:  DTOP

POTENTIAL DAMAGE CODES:  

OVERVIEW:  It only infects the invisible Desktop files used by the Finder. Infection can occur as soon as a disk is inserted into a computer. An application does not have to be run to cause an infection. It does not infect applications, document files, or other system files. The virus does not intentionally try to do any damage, but still causes problems with running applications.

__________________________________________________

NAME(S):  Dukakis

TRANSMISSION VECTOR:  HyperCard Stacks

MODE OF INFECTION CODES:  

POTENTIAL DAMAGE CODES:  PROG, RUN

OVERVIEW:  Written in HyperTalk on a HyperCard stack called "NEWAPP.STK". Adds itself to Home Card and other stacks. Flashes a message saying, "Dukakis for President in 88, Peace on Earth, and have a nice day."

__________________________________________________

NAME(S):  FontFinder Trojan

TRANSMISSION VECTOR:  FontFinder Application

MODE OF INFECTION CODES:  TRJ

POTENTIAL DAMAGE CODES:  PROG, DATA, ERASE

OVERVIEW:  Trojan found in the Public Domain program called 'FontFinder'. Before Feb. 10, 1990, the application simply displays a list of the fonts and point sizes in the System file. After that date, it immediately destroys the directories of all available physically unlocked hard and floppy disks, including the one it resides on.

__________________________________________________

NAME(S):  INIT29

TRANSMISSION VECTOR:  Applications, Document files

MODE OF INFECTION CODES:  TYP1

POTENTIAL DAMAGE CODES:  PROG, RUN, DATA

OVERVIEW:  It infects any file with resources, including documents. It damages files with legitimate INIT#29 resources.

__________________________________________________

NAME(S):  MDEF, MDEF A, Garfield, MDEF B, Top Cat, MDEF C

TRANSMISSION VECTOR:  Applications

MODE OF INFECTION CODES:  APP, SYS, DTOP, DOCS

POTENTIAL DAMAGE CODES:  RUN

OVERVIEW:  MDEF infects applications, the System file, other system files, and Finder Desktop files. The System file is infected as soon as an infected application is run. Other applications become infected as soon as they are run on an infected system. MDEF's only purpose is to spread itself, and it does not intentionally attempt to do any damage, yet it can be harmful.

__________________________________________________

NAME(S):  Mosaic Trojan

TRANSMISSION VECTOR:  Mosaic Application

MODE OF INFECTION CODES:  TRJ

POTENTIAL DAMAGE CODES:  PROG, DATA, ERASE

OVERVIEW:  Embedded in a program called 'Mosaic'. When launched, it immediately destroys the directories of all available physically unlocked hard and floppy disks, including the one it resides on. The attacked disks are renamed 'Gotcha!'.

__________________________________________________

NAME(S):  nVIR, nVIR A, nVIR B, AIDS, Hpat, MEV#, FLU, Jude, J-nVIR

TRANSMISSION VECTOR:  Applications

MODE OF INFECTION CODES:  TYP1, APP, SYS

POTENTIAL DAMAGE CODES:  PROG, RUN

OVERVIEW:  It infects the System file and applications. nVIR begins spreading to other applications immediately. Whenever a new application is run, it is infected. Symptoms include unexplained crashes and problems printing.

__________________________________________________

NAME(S):  Peace, MacMag virus, Drew, Brandow, Aldus

TRANSMISSION VECTOR:  HyperCard Stacks, System files

MODE OF INFECTION CODES:  INIT

POTENTIAL DAMAGE CODES:  PROG, RUN

OVERVIEW:  First virus on the Macintosh. Displays Peace on Earth message on March 2, 1988 and removes itself the next day. Distributed via a HyperCard stack. Its presence causes problems with some programs.

__________________________________________________

NAME(S):  Scores, NASA

TRANSMISSION VECTOR:  Applications

MODE OF INFECTION CODES:  TYP1

POTENTIAL DAMAGE CODES:  PROG, RUN

OVERVIEW:  Infects applications and the system, and attempts to destroy files with creator types VULT and ERIC. Causes problems with other programs, including unexplained crashes and printing errors. Changes the icons of the NotePad and Scrapbook files to the blank document icon.

__________________________________________________

NAME(S):  Sexy Ladies Trojan

TRANSMISSION VECTOR:  Sexy Ladies Application

MODE OF INFECTION CODES:  TRJ

POTENTIAL DAMAGE CODES:  ERASE

OVERVIEW:  Not a virus, but a Trojan Horse. Given away at the 1988 San Francisco MacWorld Expo, it erased whatever hard disk or floppy disk it was on when it was launched.

__________________________________________________

NAME(S):  Steroid Trojan

TRANSMISSION VECTOR:  Steroid INIT 

MODE OF INFECTION CODES:  TRJ

POTENTIAL DAMAGE CODES:  ERASE

OVERVIEW:  The steroid INIT is claimed to speed up QuickDraw on Macintoshes with 9 inch screens. The INIT has code that checks for dates after June 30, 1989, and is active every year thereafter from July through December. When it is activated, it attempts to erase all mounted drives.

__________________________________________________

NAME(S):  Virus Info Trojan

TRANSMISSION VECTOR:  Virus Info Application

MODE OF INFECTION CODES:  TRJ

POTENTIAL DAMAGE CODES:

OVERVIEW:  This application has not been sighted outside of the Edmonton, Province of Alberta, Canada area where it was discovered.

__________________________________________________

NAME(S):  WDEF, WDEF-A, WDEF-B

TRANSMISSION VECTOR:  DeskTop files

MODE OF INFECTION CODES:  TYP1, DTOP

POTENTIAL DAMAGE CODES:

OVERVIEW:  WDEF only infects the invisible Desktop files used by the Finder. It can spread as soon as a disk is inserted into a machine. An application need not be run to cause infection.

__________________________________________________

NAME(S):  ZUC, ZUC 1, ZUC 2

TRANSMISSION VECTOR:  Applications

MODE OF INFECTION CODES:  APP

POTENTIAL DAMAGE CODES:  

OVERVIEW:  It infects only application files. Before March 2, 1990 or less than two weeks after an application becomes infected, it only spreads from application to application. After that time, approximately 90 seconds after an infected application is run, the cursor begins to behave unusually whenever the mouse button is held down. The cursor moves diagonally across the screen, changing direction and bouncing like a billiard ball whenever it reaches any of the four sides of the screen. The cursor stops moving when the mouse button is released.


The Computer Incident Advisory Capability: PC-DOS/MS-DOS Computer Viruses

__________________________________________________

NAME(S):  12-TRICKS Trojan

TRANSMISSION VECTOR:  CORETEST.COM

MODE OF INFECTION CODES:  TRJ

POTENTIAL DAMAGE CODES:  FAT, FMT, RUN, BOOT

OVERVIEW:  Contained in "CORETEST.COM", a file that tests the speed of a hard disk. Every time the computer boots, one entry in the FAT will be changed. With a probability of 1/4096, the hard disk will be formatted (Track 0, Head 1, Sector 1, 1 Sector) followed by the message: "SOFTLoK+ V3.0 SOFTGUARD SYSTEMS,INC, 2840 St.Thomas Expwy,suite 201, Santa Clara,CA 95051 (408)970-9420".

__________________________________________________

NAME(S):  1260, V2P1, Variable, Chameleon, Camouflage, Stealth

TRANSMISSION VECTOR:  COMMAND.COM, .COM applications

MODE OF INFECTION CODES:  COM, CC, ENC

POTENTIAL DAMAGE CODES:  PROG, RUN

OVERVIEW:  This appears to be related to the Vienna virus. The virus infects any COM file in the current directory.

__________________________________________________

NAME(S):  1704-Format, Cascade Format

TRANSMISSION VECTOR:  .COM applications

MODE OF INFECTION CODES:  ENC, RES, COM

POTENTIAL DAMAGE CODES:  RUN, PROG, FMT

OVERVIEW:  Spreads between COM files. Occasionally causes odd screen behavior (the characters on the screen fall into a heap at the bottom of the screen!). One rare variant can destroy data on hard disks.

__________________________________________________

NAME(S):  3X3SHR

TRANSMISSION VECTOR:  3X3SHR Application?

MODE OF INFECTION CODES:  TRJ

POTENTIAL DAMAGE CODES:  ERHD

OVERVIEW:  *TROJAN* Time Bomb type trojan wipes the Hard Drive clean. (Is this an application? .EXE or .COM file?)

__________________________________________________

NAME(S):  405

TRANSMISSION VECTOR:  .COM applications

MODE OF INFECTION CODES:  COM

POTENTIAL DAMAGE CODES:  PROG

OVERVIEW:  The virus spreads itself by overwriting the first 405 bytes of a .COM file. One file is infected each time an infected file is executed.

__________________________________________________

NAME(S):  4096, Century, Century Virus, 100 Years Virus, Frodo, IDF

TRANSMISSION VECTOR:  .COM or .EXE applications

MODE OF INFECTION CODES:  RES, CC, COM, OVR, EXE

POTENTIAL DAMAGE CODES:  RUN, PROG, DATA, FAT

OVERVIEW:  It infects both .COM and .EXE applications. It is nearly impossible to detect once it has been installed since it actively hides itself from the scanning packages. Whenever an application such as a scanner accesses an infected file, the virus disinfects it on the fly.

__________________________________________________

NAME(S):  Advent, 2761

TRANSMISSION VECTOR:  .COM or .EXE applications

MODE OF INFECTION CODES:  COM, EXE, ENC, CC

POTENTIAL DAMAGE CODES:  RUN

OVERVIEW:  Spreads between .COM and .EXE files. Beginning on every "Advent" (the 4th Sunday before Christmas until Christmas Eve), the virus displays after every "Advent Sunday" one more lit candle in a wreath of four, together with the string "Merry Christmas" and plays the melody of the German Christmas song "Oh Tannenbaum". By Christmas all four candles are lit. This happens until the end of December, whenever an infected file is run. If the environment variable "VIRUS=OFF" is set, the virus will not infect.

__________________________________________________

NAME(S):  AIDS, Hahaha, Taunt, VGA2CGA

TRANSMISSION VECTOR:  .COM applications

MODE OF INFECTION CODES:  COM

POTENTIAL DAMAGE CODES:  PROG

OVERVIEW:  It infects .COM files.

__________________________________________________

NAME(S):  AIDS II, AIDS

TRANSMISSION VECTOR:  AIDS Information Introductory Diskette Version 2.0

MODE OF INFECTION CODES:  TRJ

POTENTIAL DAMAGE CODES:  ENDIR

OVERVIEW:  On Monday, 11th December, several thousand diskettes named "AIDS Information Introductory Diskette Version 2.0" were mailed out containing a program that purported to give you information about AIDS. These diskettes actually contained a trojan that will encrypt the file names on your hard disk after booting your computer about 90 times. If you have installed this program, you should copy any important data files (no executables) and reformat your hard disk.

__________________________________________________

NAME(S):  Ambulance Car, REDX

TRANSMISSION VECTOR:  .COM applications

MODE OF INFECTION CODES:  COM, CC

POTENTIAL DAMAGE CODES:  PROG, RUN

OVERVIEW:  When an infected application is run, the virus tries to find two .COM file victims which it randomly selects in the current directory or via the PATH variable in the environment. After some number of executions, an ambulance car runs along the bottom of the screen accompanied by siren sounds.

__________________________________________________

NAME(S):  Amstrad, Pixel, V-277, V-299, V-345, V-847, V-847B, V-852

TRANSMISSION VECTOR:  .COM applications

MODE OF INFECTION CODES:  COM

POTENTIAL DAMAGE CODES:  PROG

OVERVIEW:  Adds code to the front of any .COM file in the current directory. The virus contains an advertisement for Amstrad computers.

__________________________________________________

NAME(S):  Anti Pascal, Anti Pascal 529, Anti Pascal 605, AP 529, AP 605, C 605, V-605

TRANSMISSION VECTOR:  .COM applications

MODE OF INFECTION CODES:  COM

POTENTIAL DAMAGE CODES:  FILES, RUN, PROG

OVERVIEW:  May overwrite .BAK and .PAS files if not enough .COM files are available in a directory for it to infect.

__________________________________________________

NAME(S):  ANTI-PCB

TRANSMISSION VECTOR:  ANTI-PCB.COM Application

MODE OF INFECTION CODES:  TRJ

POTENTIAL DAMAGE CODES:

OVERVIEW:  The story behind this trojan horse is sickening. Apparently one RBBS-PC sysop and one PC-BOARD sysop started feuding about which BBS system is better, and in the end the PC-BOARD sysop wrote a trojan and uploaded it to the RBBS SysOp under ANTI-PCB.COM. Of course the RBBS-PC SysOp ran it, and that led to quite a few accusations and a big mess in general. Let's grow up! Every SysOp has the right to run the type of BBS that they please, and the fact that a SysOp actually wrote a trojan intended for another simply blows my mind.

__________________________________________________

NAME(S):  ARC513.EXE, ARC514.COM

TRANSMISSION VECTOR:  ARC513.EXE, ARC514.COM

MODE OF INFECTION CODES:  TRJ

POTENTIAL DAMAGE CODES:  BOOT, FAT

OVERVIEW:  ARC513.EXE: This hacked version of ARC appears normal, so beware! It will write over track 0 of your [hard] disk upon usage, destroying the disk.

ARC514.COM: This is totally similar to ARC version 5.13 in that it will overwrite track 0 (FAT Table) of your hard disk. Also, I have yet to see an .EXE version of this program.

__________________________________________________

NAME(S):  ARC533

TRANSMISSION VECTOR:  

MODE OF INFECTION CODES:  CC

POTENTIAL DAMAGE CODES:  

OVERVIEW:  This is a new Virus program designed to emulate Sea's ARC program.

__________________________________________________

NAME(S):  BACKTALK

TRANSMISSION VECTOR:  BACKTALK Application

MODE OF INFECTION CODES:  TRJ

POTENTIAL DAMAGE CODES:  WRHD

OVERVIEW:  This program used to be a good PD utility, but someone changed it to be a trojan. Now this program will write/destroy sectors on your [hard] disk drive. Use this with caution if you acquire it, because it's more than likely that you got a bad copy.

__________________________________________________

NAME(S):  Brain, Pakistani, Ashar, Shoe, Shoe_Virus, Shoe_Virus_B, Ashar_B, UIUC, UIUC-B, @BRAIN, Jork, Shoe B

TRANSMISSION VECTOR:  Floppy boot sector

MODE OF INFECTION CODES:  FDB, RES

POTENTIAL DAMAGE CODES:  BOOT, RUN, DATA, FMT

OVERVIEW:  This virus only infects the boot sectors of 360 KB floppy disks. It does no malicious damage, but bugs in the virus code can cause loss of data by scrambling data on diskette files or by scrambling the File Allocation Table. It does not tend to spread in a hard disk environment.

__________________________________________________

NAME(S):  Cascade, 1701, 1704, 17Y4, 1704 B, 1704 C, Cascade A, Cascade B, Falling Tears, The Second Austrian Virus, Autumn, Blackjack, Falling Leaves, Cunning, Fall, Falling Letters, Herbst

TRANSMISSION VECTOR:  .COM applications

MODE OF INFECTION CODES:  ENC, RES, COM

POTENTIAL DAMAGE CODES:  RUN, PROG

OVERVIEW:  Spreads between COM files. Occasionally causes odd screen behavior (the characters on the screen fall into a heap at the bottom of the screen!). One rare variant can destroy data on hard disks.

__________________________________________________

NAME(S):  CDIR

TRANSMISSION VECTOR:  CDIR.COM Application

MODE OF INFECTION CODES:  TRJ

POTENTIAL DAMAGE CODES:  FAT

OVERVIEW:  This program is supposed to give you a color directory of files on your disk, but it in fact will scramble your disk's FAT table.

__________________________________________________

NAME(S):  Chaos

TRANSMISSION VECTOR:  Floppy/hard disk boot sectors

MODE OF INFECTION CODES:  RES, FDB, HDB

POTENTIAL DAMAGE CODES:  BOOT, RUN, PROG, FAT

OVERVIEW:  Derivative of Brain

__________________________________________________

NAME(S):  Christmas, 1539, Father Christmas, Choinka, Tannenbaum, Christmas Tree, XA1, V1539

TRANSMISSION VECTOR:  .COM applications, COMMAND.COM

MODE OF INFECTION CODES:  COM, CC, ENC

POTENTIAL DAMAGE CODES:  RUN, BOOT

OVERVIEW:  The virus infects .COM files when an infected application is executed. When an infected program is run between December 24th and 31st (any year), the virus displays a full screen image of a Christmas tree and German season's greetings. When an infected program is run on April 1st (any year), it drops code into the boot sectors of floppy A: and B: as well as into the partition table of the hard disk. The old partition sectors are saved but most likely destroyed, since running another infected file will save the modified partition table to the same location. On any boot attempt from an infected hard disk or floppy, the text "April April" will be displayed and the PC will hang.

__________________________________________________

NAME(S):  Clone

TRANSMISSION VECTOR:

MODE OF INFECTION CODES:

POTENTIAL DAMAGE CODES:

OVERVIEW:  Derivative of Brain

__________________________________________________

NAME(S):  D-XREF60.COM

TRANSMISSION VECTOR:  D-XREF60.COM Application

MODE OF INFECTION CODES:  TRJ

POTENTIAL DAMAGE CODES:  BOOT, FAT

OVERVIEW:  A Pascal Utility used for Cross-Referencing, written by the infamous Dorn Stickel. It eats the FAT and BOOT sector after a time period has been met and if the Hard Drive is more than half full.

__________________________________________________

NAME(S):  DANCERS, DANCERS.BAS

TRANSMISSION VECTOR:  DANCERS.BAS Application

MODE OF INFECTION CODES:  TRJ

POTENTIAL DAMAGE CODES:  FAT

OVERVIEW:  This trojan shows some animated dancers in color, and then proceeds to wipe out your [hard] disk's FAT table. There is another perfectly good copy of DANCERS.BAS on BBSs around the country.

__________________________________________________

NAME(S):  Dark Avenger, Dark Avenger-B, Black Avenger, Diana, Eddie

TRANSMISSION VECTOR:  .COM or .EXE applications

MODE OF INFECTION CODES:  RES, CC, EXE, COM, OVR

POTENTIAL DAMAGE CODES:  PROG, WRHD

OVERVIEW:  Infects every executable file that is opened.

__________________________________________________

NAME(S):  Dark Avenger 3, Dark Avenger II, V2000, Die Young, Travel, V2000-B, Eddie 3

TRANSMISSION VECTOR:  .COM applications, .EXE applications

MODE OF INFECTION CODES:  EXE, COM, CC

POTENTIAL DAMAGE CODES:  PROG, DATA, RUN

OVERVIEW:  Every 16 executions of an infected file, the virus will overwrite a new random data sector on disk; the last overwritten sector is stored in the boot sector. The system hangs up if a program is loaded that contains the string "(c) 1989 by  Vesselin Bontchev"; V. Bontchev is a Bulgarian author of anti-virus programs.

__________________________________________________

NAME(S):  Datacrime, 1280, Columbus Day, DATACRIME Ib

TRANSMISSION VECTOR:  .COM applications

MODE OF INFECTION CODES:  COM, ENC

POTENTIAL DAMAGE CODES:  PROG, FMT, FAT

OVERVIEW:  Spreads between COM files. After October 12th, it displays the message "DATACRIME VIRUS   RELEASE: 1 MARCH 1989", and then the first hard disk will be formatted (track 0, all heads). When formatting is finished the speaker will beep (endless loop).

__________________________________________________

NAME(S):  Datacrime II, 1514, Columbus Day

TRANSMISSION VECTOR:  .COM or .EXE applications

MODE OF INFECTION CODES:  COM, EXE, ENC

POTENTIAL DAMAGE CODES:  PROG, FMT, FAT

OVERVIEW:  Spreads between both COM and EXE files. After October 12th, displays the message "* DATACRIME II VIRUS *", and damages the data on hard disks by attempting to reformat them.

__________________________________________________

NAME(S):  Datacrime II-B, 1917, Columbus Day

TRANSMISSION VECTOR:  .COM or .EXE applications

MODE OF INFECTION CODES:  ENC, COM, EXE, CC

POTENTIAL DAMAGE CODES:  PROG, FMT

OVERVIEW:  Spreads between both COM and EXE files. After October 12th, displays the message "* DATACRIME II VIRUS *", and damages the data on hard disks by attempting to reformat them.

__________________________________________________

NAME(S):  Datacrime-B, 1168, Columbus Day, Datacrime Ia

TRANSMISSION VECTOR:  .COM applications

MODE OF INFECTION CODES:  COM, ENC

POTENTIAL DAMAGE CODES:  PROG, FMT, FAT

OVERVIEW:  Spreads between COM files. After October 12th, it displays the message "DATACRIME VIRUS   RELEASE: 1 MARCH 1989", and then the first hard disk will be formatted (track 0, all heads). When formatting is finished the speaker will beep (endless loop).

__________________________________________________

NAME(S):  Dbase, DBF virus

TRANSMISSION VECTOR:  .COM applications

MODE OF INFECTION CODES:  RES, COM

POTENTIAL DAMAGE CODES:  DATA, RUN, PROG

OVERVIEW:  Infects COM files. Registers all new .DBF files in a hidden file c:\BUGS.DAT. When any of those files are written, it reverses the order of adjacent bytes. When any of those files are read, it again reverses the bytes, making the file appear to be OK, unless it is read on an uninfected system or the file name is changed.

__________________________________________________

NAME(S):  DenZuk, Venezuelan, Search, DenZuc B

TRANSMISSION VECTOR:  Floppy boot sector

MODE OF INFECTION CODES:  RES, FDB

POTENTIAL DAMAGE CODES:  RUN, BOOT

OVERVIEW:  Infects floppy disk boot sectors, and displays a purple DEN ZUK graphic on a CGA, EGA or VGA screen when Ctrl-Alt-Del is pressed.

__________________________________________________

NAME(S):  Devil's Dance, Mexican

TRANSMISSION VECTOR:  .COM applications

MODE OF INFECTION CODES:  RES, COM

POTENTIAL DAMAGE CODES:  RUN, PROG, DATA, FAT

OVERVIEW:  Infects .COM files.

__________________________________________________

NAME(S):  Disk Killer, Computer Ogre, Disk Ogre

TRANSMISSION VECTOR:  Floppy/hard disk boot sectors

MODE OF INFECTION CODES:  RES, FDB, HDB

POTENTIAL DAMAGE CODES:  BOOT, RUN, PROG, DATA

OVERVIEW:  Infects floppy and hard disk boot sectors and, after 48 hours of work time, encrypts everything on the hard disk. The encryption is reversible.

__________________________________________________

NAME(S):  DISKSCAN, SCANBAD, BADDISK

TRANSMISSION VECTOR:  DISKSCAN.EXE Application

MODE OF INFECTION CODES:  TRJ

POTENTIAL DAMAGE CODES:  WRHD

OVERVIEW:  This was a PC-MAGAZINE program to scan a [hard] disk for bad sectors, but then a joker edited it to WRITE bad sectors. Also look for this under other names such as SCANBAD.EXE and BADDISK.EXE. A good original copy is available on SCP Business BBS.

__________________________________________________

NAME(S):  DMASTER

TRANSMISSION VECTOR:  DMASTER Application

MODE OF INFECTION CODES:  TRJ

POTENTIAL DAMAGE CODES:  FAT

OVERVIEW:  This is yet another FAT scrambler.

__________________________________________________

NAME(S):  Do Nothing, Stupid Virus, 640K Virus

TRANSMISSION VECTOR:  .COM applications

MODE OF INFECTION CODES:  COM, RES

POTENTIAL DAMAGE CODES:  PROG

OVERVIEW:  Infects .COM files. The virus copies itself to 9800:100h, which means that only computers with 640KB can be infected. Many programs also load themselves to this area and erase the virus from the memory.

__________________________________________________

NAME(S):  DOSKNOWS

TRANSMISSION VECTOR:  DOSKNOWS.EXE

MODE OF INFECTION CODES:  TRJ

POTENTIAL DAMAGE CODES:  FAT

OVERVIEW:  Apparently someone wrote a FAT killer and renamed it DOSKNOWS.EXE, so it would be confused with the real, harmless DOSKNOWS system-status utility.

__________________________________________________

NAME(S):  DRAIN2

TRANSMISSION VECTOR:

MODE OF INFECTION CODES:  TRJ

POTENTIAL DAMAGE CODES:  FMT

OVERVIEW:  There really is a DRAIN program, but this revised program goes out and does a Low Level Format while it is playing the funny program.

__________________________________________________

NAME(S):  DROID

TRANSMISSION VECTOR:  DROID.EXE

MODE OF INFECTION CODES:  TRJ

POTENTIAL DAMAGE CODES:  

OVERVIEW:  This trojan appears under the guise of a game. You are supposedly an architect that controls futuristic droids in search of relics. In fact, PC-Board sysops, if they run this program from C:\PCBOARD, will find that it copies C:\PCBOARD\PCBOARD.DAT to C:\PCBOARD\HELP\HLPX.

__________________________________________________

NAME(S):  DRPTR, WIPEOUT

TRANSMISSION VECTOR:  DRPTR.ARC

MODE OF INFECTION CODES:  TRJ

POTENTIAL DAMAGE CODES:  FILES

OVERVIEW:  After running the unsuspected file, the only things left in the root directory are the subdirectories and two of the three DOS System files, along with a 0-byte file named WIPEOUT.YUK. COMMAND.COM was located in a different directory; the file date and CRC had not changed.

__________________________________________________

NAME(S):  EDV

TRANSMISSION VECTOR:  

MODE OF INFECTION CODES:  

POTENTIAL DAMAGE CODES:  

OVERVIEW:  Derivative of Brain

__________________________________________________

NAME(S):  EGABTR

TRANSMISSION VECTOR:  EGABTR Application

MODE OF INFECTION CODES:  TRJ

POTENTIAL DAMAGE CODES:  FILES

OVERVIEW:  BEWARE! Description says something like "improve your EGA display," but when run, it deletes everything in sight and prints, "Arf! Arf! Got you!"

__________________________________________________

NAME(S):  FILES.GBS

TRANSMISSION VECTOR:  FILES.GBS Application

MODE OF INFECTION CODES:  TRJ

POTENTIAL DAMAGE CODES:  

OVERVIEW:  When an OPUS BBS system is installed improperly, this file could spell disaster for the Sysop. It can let a user of any level into the system. Protect yourself. Best to have a sub-directory in each upload area called c:\upload\files.gbs (this is an example only). This would force Opus to rename a file upload of files.gbs and prevent its usage.

__________________________________________________

NAME(S):  Fish, European Fish, Fish 6

TRANSMISSION VECTOR:  COMMAND.COM, .COM applications, .EXE applications

MODE OF INFECTION CODES:  EXE, COM, RES, ENC, CC

POTENTIAL DAMAGE CODES:  PROG, RUN, DATA

OVERVIEW:  If (system date>1990) and a second infected .COM file is 

executed, a message is displayed: FISH VIRUS #6 - EACH DIFF - BONN 2/90 

'~Knzyvo} and then the processor stops (HLT instruction). The virus will 

attempt to infect some data files, corrupting them in the process. This 

is a variant of the 4096 virus.

__________________________________________________

NAME(S):  Flash, 688

TRANSMISSION VECTOR:  .COM applications, .EXE applications

MODE OF INFECTION CODES:  EXE, COM, RES, ENC, CC

POTENTIAL DAMAGE CODES:  PROG, RUN

OVERVIEW:  The memory resident virus infects applications when they are 

run. After June 1990, the virus makes the screen flash. This flash can 

only be seen on MDA, Hercules, and CGA adapters, but not on EGA and VGA 

cards.

__________________________________________________

NAME(S):  FLUSHOT4, FLU4TXT

TRANSMISSION VECTOR:  FLUSHOT4.ARC Archive

MODE OF INFECTION CODES:  TRJ

POTENTIAL DAMAGE CODES:  

OVERVIEW:  This Trojan was inserted into the FLUSHOT4.ARC and uploaded

to many BBS's.  FluShot is a protector of your COMMAND.COM.  As to

date, 05/14/88 FLUSHOT.ARC FluShot Plus v1.1 is the current version,

not the FLUSHOT4.ARC which is Trojaned.

__________________________________________________

NAME(S):  Friday 13th COM, South African, 512 Virus, COM Virus, Friday

The 13th-B, Friday The 13th-C, Miami, Munich, Number of the Beast, 

Virus-B

TRANSMISSION VECTOR:  .COM applications

MODE OF INFECTION CODES:  COM

POTENTIAL DAMAGE CODES:  PROG

OVERVIEW:  Infects all .COM files except COMMAND.COM, and deletes the 

host program if run on Friday the 13th.

__________________________________________________

NAME(S):  Fu Manchu, 2086, 2080, Fumanchu

TRANSMISSION VECTOR:  .COM or .EXE applications

MODE OF INFECTION CODES:  RES, COM, EXE, OVR

POTENTIAL DAMAGE CODES:  RUN, PROG

OVERVIEW:  Infects .COM and .EXE files. The message 'The world will hear 

from me again!  ' is displayed on every warmboot, and the virus inserts insults

into the keyboard buffer when the names of certain world leaders are 

typed at the keyboard. Occasionally causes the system to spontaneously

reboot.

__________________________________________________

NAME(S):  FUTURE

TRANSMISSION VECTOR:  FUTURE.BAS Application

MODE OF INFECTION CODES:  TRJ

POTENTIAL DAMAGE CODES:  ERASE

OVERVIEW:  This "program" starts out with a very nice color picture and

then proceeds to tell you that you should be using your computer for

better things than games and graphics.  After making that point, it

trashes your A: drive, B:, C:, D:, and so on until it has erased all

drives.

__________________________________________________

NAME(S):  G-MAN

TRANSMISSION VECTOR:  G-MAN Application

MODE OF INFECTION CODES:  TRJ

POTENTIAL DAMAGE CODES:  FAT

OVERVIEW:  Another FAT killer.

__________________________________________________

NAME(S):  GATEWAY, GATEWAY2

TRANSMISSION VECTOR:  GATEWAY

MODE OF INFECTION CODES:  TRJ

POTENTIAL DAMAGE CODES:  FAT

OVERVIEW:  Someone tampered with version 2.0 of the CTTY monitor

GATEWAY.  The tampered version ruins the FAT.

__________________________________________________

NAME(S):  Ghost

TRANSMISSION VECTOR:  .COM applications

MODE OF INFECTION CODES:  COM

POTENTIAL DAMAGE CODES:  BOOT, PROG

OVERVIEW:  Infects .COM files.

__________________________________________________

NAME(S):  GhostBalls, Ghost Boot, Ghost COM

TRANSMISSION VECTOR:  .COM applications

MODE OF INFECTION CODES:  RES, COM

POTENTIAL DAMAGE CODES:  BOOT, RUN, PROG

OVERVIEW:  Infects floppy and hard disk boot sectors.

__________________________________________________

NAME(S):  GRABBER

TRANSMISSION VECTOR:  GRABBER.COM Application

MODE OF INFECTION CODES:  TRJ, RES

POTENTIAL DAMAGE CODES:  FILES

OVERVIEW:  This program is supposed to be a SCREEN CAPTURE program that

copies the screen to a .COM file to be later run from a DOS command

line. As a TSR it will attempt to do a DISK WRITE to your hard drive

when you do not want it to.  It will wipe out whole directories when

doing a normal DOS command.  One sysop who ran it lost all of his ROOT

DIR, including his SYSTEM files.

__________________________________________________

NAME(S):  Halloechn, Hello_1a, Hello

TRANSMISSION VECTOR:  .COM applications, .EXE applications

MODE OF INFECTION CODES:  COM, EXE

POTENTIAL DAMAGE CODES:  RUN, DATA

OVERVIEW:  The virus slows the system down, and corrupts keyboard

entries (pressing an "A" produces a "B").

__________________________________________________

NAME(S):  Icelandic, Disk Eating Virus, Disk Crunching Virus, One In 

Ten, Saratoga 2

TRANSMISSION VECTOR:  .EXE applications

MODE OF INFECTION CODES:  RES, EXE

POTENTIAL DAMAGE CODES:  RUN, PROG, FAT

OVERVIEW:  Infects every 10th .EXE file run, and if the current drive is

a hard disk larger than 10M bytes, the virus will select one cluster and

mark it as bad in the first copy of the FAT. Diskettes and 10M byte 

disks are not affected.

__________________________________________________

NAME(S):  Icelandic II, One In Ten, System Virus, 642

TRANSMISSION VECTOR:  .EXE applications

MODE OF INFECTION CODES:  RES, EXE

POTENTIAL DAMAGE CODES:  RUN, PROG

OVERVIEW:  Every tenth program run is checked, and if it is an 

uninfected .EXE file it will be infected. The virus modifies the MCBs in

order to hide from detection. This virus is a version of the Icelandic-1 

virus, modified so that it does not use INT 21 calls to DOS services. 

This is done to bypass monitoring programs.

__________________________________________________

NAME(S):  Icelandic III, December 24th

TRANSMISSION VECTOR:  .EXE applications

MODE OF INFECTION CODES:  RES, EXE

POTENTIAL DAMAGE CODES:  RUN, PROG

OVERVIEW:  It infects one out of every ten .EXE files run. If an 

infected file is run on December 24th it will stop any other program run

later, displaying the message "Gledileg jol".

__________________________________________________

NAME(S):  Israeli Boot, Swap

TRANSMISSION VECTOR:  Floppy boot sector

MODE OF INFECTION CODES:  RES, FDB

POTENTIAL DAMAGE CODES:  BOOT

OVERVIEW:  It infects floppy disk boot sectors and reverses the order of 

letters typed, creating typographical errors.

__________________________________________________

NAME(S):  Jerusalem, Jerusalem A, Black Hole, Blackbox, 1808, 1813, 

Israeli, Hebrew University, Black Friday, Friday 13th, PLO, Russian

TRANSMISSION VECTOR:  .COM or .EXE applications

MODE OF INFECTION CODES:  RES, COM, EXE, OVR

POTENTIAL DAMAGE CODES:  RUN, PROG, FILES

OVERVIEW:  Spreads between executable files (.COM or .EXE).  On Friday 

the 13th, it erases any file that is executed, and on other days a two

line black rectangle will appear at the bottom of the screen. Once this 

virus installs itself (once an infected COM or EXE file is executed), 

any other COM or EXE file executed will become infected. 

__________________________________________________

NAME(S):  Keypress

TRANSMISSION VECTOR:  .COM applications, .EXE applications

MODE OF INFECTION CODES:  COM, EXE

POTENTIAL DAMAGE CODES:  

OVERVIEW:  Every 10 minutes, the virus looks at INT 09h (keyboard 

interrupt) for 2 seconds; if a keystroke is recognized during this time,

it is repeated depending on how long the key is pressed; it thus appears

as a "bouncing key".

__________________________________________________

NAME(S):  Lehigh, Lehigh-2, Lehigh-B

TRANSMISSION VECTOR:  COMMAND.COM

MODE OF INFECTION CODES:  RES, CC

POTENTIAL DAMAGE CODES:  PROG, FAT, BOOT

OVERVIEW:  Spreads between copies of COMMAND.COM.  After spreading four

or ten times, it overwrites critical parts of a disk with random data.

__________________________________________________

NAME(S):  Macho, MachoSoft, 3555, 3551

TRANSMISSION VECTOR:  .COM or .EXE applications

MODE OF INFECTION CODES:  COM, EXE, ENC

POTENTIAL DAMAGE CODES:  PROG, DATA

OVERVIEW:  Spreads between .COM and .EXE files.  It scans through data

on the hard disk, changing the string "Microsoft" (in any mixture of

upper and lower case) to "MACHOSOFT". If the environment variable 

"VIRUS=OFF" is set, the virus will not infect.

__________________________________________________

NAME(S):  MAP, FAT EATER

TRANSMISSION VECTOR:  MAP Application

MODE OF INFECTION CODES:  TRJ

POTENTIAL DAMAGE CODES:  FAT

OVERVIEW:  This is another trojan horse written by the infamous "Dorn 

Stickel." Designed to display what TSR's are in memory, it works on the

FAT and BOOT sector: a FAT eater.

__________________________________________________

NAME(S):  MATHKIDS, FIXIT

TRANSMISSION VECTOR:  MATHKIDS.ARC Archive

MODE OF INFECTION CODES:  TRJ

POTENTIAL DAMAGE CODES:  CBBS

OVERVIEW:  This trojan is designed to crack a BBS system.  It will

attempt to copy the USERS file on a BBS to a file innocently called

FIXIT.ARC, which the originator can later call in and download.  

Believed to be designed for PCBoard BBS's.

__________________________________________________

NAME(S):  Merritt, Alameda, Yale, Golden Gate, 500 Virus, Mazatlan,

Peking, Seoul

TRANSMISSION VECTOR:  Floppy boot sector

MODE OF INFECTION CODES:  RES, FDB

POTENTIAL DAMAGE CODES:  BOOT, FAT

OVERVIEW:  Track 39 sector 8 is used to save the original boot record, 

and any file there will be overwritten. Destroys the FAT after some

length of time. It spreads when the Ctrl-Alt-Del sequence is used with 

an uninfected diskette in the boot drive. The Golden Gate variation will 

reformat drive C: after n infections.  Infects Floppies Only. Spreads

between floppy disks.  

__________________________________________________

NAME(S):  Mirror, Flip Clone 

TRANSMISSION VECTOR:  .EXE applications

MODE OF INFECTION CODES:  EXE, RES

POTENTIAL DAMAGE CODES:  RUN, PROG

OVERVIEW:  When the virus is triggered, the screen will flip 

horizontally character for character.

__________________________________________________

NAME(S):  Mix1, MIX1, MIX/1, Mixer1

TRANSMISSION VECTOR:  .EXE applications

MODE OF INFECTION CODES:  RES, EXE

POTENTIAL DAMAGE CODES:  RUN, PROG

OVERVIEW:  The output is garbled on parallel and serial connections,

after the 6th level of infection booting the computer will crash the system

(a bug), num-lock is constantly on, and a ball will start bouncing on the

screen.

__________________________________________________

NAME(S):  NOTROJ

TRANSMISSION VECTOR:  NOTROJ.COM Application

MODE OF INFECTION CODES:  TRJ

POTENTIAL DAMAGE CODES:  FAT, FMT

OVERVIEW:  All outward appearances indicate that the program is a useful

utility used to FIGHT other trojan horses.  Actually, it is a time bomb

that erases any hard disk FAT table that IT can find on hard drives

that are more than 50% full, and at the same time, it warns: "another

program is attempting a format, can't abort!"  After erasing the FAT(s),

NOTROJ then proceeds to start a low level format. 

__________________________________________________

NAME(S):  Oropax, Music, Musician

TRANSMISSION VECTOR:  .COM applications

MODE OF INFECTION CODES:  RES, COM

POTENTIAL DAMAGE CODES:  RUN, PROG

OVERVIEW:  Infects .COM files and plays musical melodies repeatedly.

__________________________________________________

NAME(S):  PACKDIR

TRANSMISSION VECTOR:  PACKDIR Application

MODE OF INFECTION CODES:  TRJ

POTENTIAL DAMAGE CODES:  FAT

OVERVIEW:  This utility is supposed to "pack" (sort and optimize) the 

files on a [hard] disk, but apparently it scrambles FAT tables. 

(Possibly a bug rather than a deliberate trojan?? w.j.o.)

__________________________________________________

NAME(S):  PCW271, PC-WRITE 2.71

TRANSMISSION VECTOR:  PCW271xx.ARC Archive

MODE OF INFECTION CODES:  TRJ

POTENTIAL DAMAGE CODES:  FAT

OVERVIEW:  A modified version of the popular PC-WRITE word processor (v. 

2.71) that scrambles FAT tables. The bogus version of PC-WRITE version 

2.71 can be identified by its size; it uses 98,274 bytes whereas the good

version uses 98,644. 

__________________________________________________

NAME(S):  Pentagon

TRANSMISSION VECTOR:  Floppy boot sector

MODE OF INFECTION CODES:  FDB, RES

POTENTIAL DAMAGE CODES:  BOOT

OVERVIEW:  It infects floppy disk boot sectors, and removes the Brain 

virus from any disk it finds. The virus can survive a warmboot.

__________________________________________________

NAME(S):  Perfume, 765, 4711

TRANSMISSION VECTOR:  .COM applications

MODE OF INFECTION CODES:  RES, COM, CC

POTENTIAL DAMAGE CODES:  PROG, RUN

OVERVIEW:  It infects .COM files, and after 80 executions, it demands a 

password to run the application. The password is 4711 (the name of a 

perfume).

__________________________________________________

NAME(S):  Ping Pong, Bouncing Ball, Italian, Bouncing Dot, Vera Cruz, 

Turin Virus

TRANSMISSION VECTOR:  Floppy boot sector

MODE OF INFECTION CODES:  RES, FDB, HDB

POTENTIAL DAMAGE CODES:  RUN, BOOT

OVERVIEW:  Bouncing dot appears on screen.  No other intentional damage.

Spreads between disks by infecting the boot sectors.

__________________________________________________

NAME(S):  Ping Pong B, Boot, Falling Letters

TRANSMISSION VECTOR:  Floppy/hard disk boot sectors

MODE OF INFECTION CODES:  RES, FDB, HDB

POTENTIAL DAMAGE CODES:  RUN, BOOT

OVERVIEW:  Bouncing dot appears on screen.  No other intentional damage.  

Spreads between disks by infecting the boot sectors.

__________________________________________________

NAME(S):  PKFIX361

TRANSMISSION VECTOR:  PKFIX361.EXE Application

MODE OF INFECTION CODES:  TRJ

POTENTIAL DAMAGE CODES:  FMT

OVERVIEW:  PKFIX361.EXE  *TROJAN*  Supposed patch to v3.61. What it really

does, when extracted from the .EXE, is a DIRECT access to the DRIVE

CONTROLLER and a Low-Level format, thereby bypassing checking

programs. (This would be only XT type disk drive cards. w.j.o.)

__________________________________________________

NAME(S):  PKPAK/PKUNPAK 3.61, PK362, PK363

TRANSMISSION VECTOR:  PKPAK/PKUNPAK V. 3.61 Applications, PK362.EXE 

Application, PK363.EXE Application

MODE OF INFECTION CODES:  TRJ

POTENTIAL DAMAGE CODES:  

OVERVIEW:  PKPAK/PKUNPAK  *TROJAN*  There is a TAMPERED version of

3.61 that when used interferes with the PC's interrupts.

PK362.EXE  This is a NON-RELEASED version and is suspected as being a 

*TROJAN* - not verified.

PK363.EXE  This is a NON-RELEASED version and is suspected as being a 

*TROJAN* - not verified.

__________________________________________________

NAME(S):  PKX35B35, PKB35B35

TRANSMISSION VECTOR:  PKX35B35.ARC Archive, PKB35B35.ARC Archive

MODE OF INFECTION CODES:  TRJ

POTENTIAL DAMAGE CODES:  FAT

OVERVIEW:  PKX35B35.ARC, PKB35B35.ARC   This was supposed to be an 

update to PKARC file compress utility - which when used *EATS your FATS* 

and is or at least RUMORED to infect other files so it can spread - 

possible VIRUS?

__________________________________________________

NAME(S):  QUIKRBBS

TRANSMISSION VECTOR:  QUIKRBBS.COM Application

MODE OF INFECTION CODES:  TRJ

POTENTIAL DAMAGE CODES:  FAT

OVERVIEW:  This Trojan horse advertises that it will install a

program to protect your RBBS but it does not.  It goes and eats away at

the FAT.

__________________________________________________

NAME(S):  QUIKREF

TRANSMISSION VECTOR:  QUIKREF.ARC Archive

MODE OF INFECTION CODES:  TRJ

POTENTIAL DAMAGE CODES:  CBBS

OVERVIEW:  This ARChive contains ARC513.COM.  Supposedly loads RBBS-PC's message

file into memory two times faster than normal.  What it really does is

copy RBBS-PC.DEF into an ASCII file named HISCORES.DAT.

__________________________________________________

NAME(S):  RCKVIDEO

TRANSMISSION VECTOR:  RCKVIDEO Application

MODE OF INFECTION CODES:  TRJ

POTENTIAL DAMAGE CODES:  ERASE

OVERVIEW:  After showing some simple animation of a rock star, the 

program erases every file it can find.  After about a minute of this, it

creates three ASCII files that say "You are stupid to download a video

about rock stars".

__________________________________________________

NAME(S):  RPVS, 453, RPVS-B, TUQ

TRANSMISSION VECTOR:  .COM applications

MODE OF INFECTION CODES:  COM

POTENTIAL DAMAGE CODES:  PROG, RUN

OVERVIEW:  Whenever an infected application is run, at least one other 

.COM file in the default directory is infected.

__________________________________________________

NAME(S):  Saddam

TRANSMISSION VECTOR:  .COM applications

MODE OF INFECTION CODES:  COM, RES

POTENTIAL DAMAGE CODES:  PROG

OVERVIEW:  This appears to be a variant of the Stupid virus.  On 

every eighth infection, the string: "HEY SADAM"{LF}{CR} "LEAVE QUEIT

BEFORE I COME"  is displayed. The virus copies itself to [0:413]*40h-867h,

which means that only computers with 640KB can be infected. Many

large programs also load themselves to this area and erase the virus 

from the memory, or hang the system.

__________________________________________________

NAME(S):  Saratoga, 632, Disk Eating Virus, One In Two

TRANSMISSION VECTOR:  .EXE applications

MODE OF INFECTION CODES:  RES, EXE

POTENTIAL DAMAGE CODES:  RUN, PROG, FAT

OVERVIEW:  Infects every 10th .EXE file run, and if the current drive is

a hard disk larger than 10M bytes, the virus will select one cluster and

mark it as bad in the first copy of the FAT. Diskettes and 10M byte 

disks are not affected.

__________________________________________________

NAME(S):  Scrambler, KEYBGR Trojan

TRANSMISSION VECTOR:  KEYBGR.COM Application

MODE OF INFECTION CODES:  TRJ

POTENTIAL DAMAGE CODES:  RUN

OVERVIEW:  About 60 minutes after the trojan KEYBGR.COM is started, a

smiley face moves in a random fashion about the screen displacing 

characters as it moves.

__________________________________________________

NAME(S):  SECRET

TRANSMISSION VECTOR:  SECRET.BAS Application

MODE OF INFECTION CODES:  TRJ

POTENTIAL DAMAGE CODES:  FMT

OVERVIEW:  BEWARE!! This may be posted with a note saying it doesn't 

seem to work, and would someone please try it; when you do, it formats

your disks. 

__________________________________________________

NAME(S):  SIDEWAYS, SIDEWAYS.COM

TRANSMISSION VECTOR:  SIDEWAYS.COM Application

MODE OF INFECTION CODES:  TRJ

POTENTIAL DAMAGE CODES:  BOOT

OVERVIEW:  Both the trojan and the good version of SIDEWAYS advertise 

that they can print sideways, but SIDEWAYS.COM trashes a [hard] disk's 

boot sector instead. 

__________________________________________________

NAME(S):  STAR, STRIPES

TRANSMISSION VECTOR:  STAR.EXE Application, STRIPES.EXE Application

MODE OF INFECTION CODES:  TRJ

POTENTIAL DAMAGE CODES:  CBBS

OVERVIEW:  STAR.EXE  Beware RBBS-PC SysOps!  This file puts some

stars on the screen while copying RBBS-PC.DEF to another name that can

be downloaded later!

STRIPES.EXE  Similar to STAR.EXE, this one draws an American flag (nice 

touch), while it's busy copying your RBBS-PC.DEF to another file 

(STRIPES.BQS).

__________________________________________________

NAME(S):  Stoned, Marijuana, Hawaii, New Zealand, Australian, Hemp, San

Diego, Smithsonian, Stoned-B, Stoned-C, Stoned-C

TRANSMISSION VECTOR:  Floppy/hard disk boot sectors

MODE OF INFECTION CODES:  RES, FDB, HDB, HDP

POTENTIAL DAMAGE CODES:  RUN, BOOT, FAT

OVERVIEW:  Spreads between boot sectors of both fixed and floppy disks.

May overlay data.  Sometimes displays message "Your PC is now Stoned!"

when booted from floppy.  Affects partition record on hard disk.  No

intentional damage is done.

__________________________________________________

NAME(S):  SUG

TRANSMISSION VECTOR:  SUG.COM Application

MODE OF INFECTION CODES:  TRJ

POTENTIAL DAMAGE CODES:  ERFD

OVERVIEW:  This program is supposed to unprotect copy protected program

disks protected by Softguard Systems, Inc.  It trashes the disk and

displays:  "This destruction constitutes a prima facie evidence of your

violation.  If you attempt to challenge Softguard Systems Inc..., you

will be vigorously counter-sued for copyright infringement and theft

of services."  It encrypts the Gotcha message so no Trojan checker can

scan for it.

__________________________________________________

NAME(S):  Sunday, Sunday-B, Sunday-C

TRANSMISSION VECTOR:  .COM or .EXE applications

MODE OF INFECTION CODES:  RES, COM, EXE, OVR

POTENTIAL DAMAGE CODES:  RUN, PROG

OVERVIEW:  Infects .COM and .EXE files.

__________________________________________________

NAME(S):  Suriv-01, April-1-COM, April 1st, Suriv A, sURIV 1.01

TRANSMISSION VECTOR:  .COM applications

MODE OF INFECTION CODES:  RES, COM

POTENTIAL DAMAGE CODES:  RUN, PROG

OVERVIEW:  Spreads between COM files.  On April 1st, 1988, writes the 

message: "APRIL 1ST HA HA HA HA YOU HAVE A VIRUS" and hangs the system.  

After that, simply writes a message every time any program is run.

__________________________________________________

NAME(S):  Suriv-02, APRIL-1-EXE, April 1st-B, Suriv02, Suriv 2.01,

Suriv A

TRANSMISSION VECTOR:  .EXE applications

MODE OF INFECTION CODES:  RES, EXE

POTENTIAL DAMAGE CODES:  RUN, PROG

OVERVIEW:  Spreads between .EXE files.  On April 1st, 1988 and later,

writes the message: "APRIL 1ST HA HA HA HA YOU HAVE A VIRUS" and hangs 

the system.

__________________________________________________

NAME(S):  Sylvia, Holland

TRANSMISSION VECTOR:  .COM applications

MODE OF INFECTION CODES:  RES, COM

POTENTIAL DAMAGE CODES:  PROG

OVERVIEW:  Infects .COM files.

__________________________________________________

NAME(S):  Syslock, Macrosoft

TRANSMISSION VECTOR:  .COM or .EXE applications

MODE OF INFECTION CODES:  COM, EXE, ENC

POTENTIAL DAMAGE CODES:  PROG, DATA

OVERVIEW:  Spreads between .COM and .EXE files.  It scans through data

on the hard disk, changing the string "Microsoft" (in any mixture of

upper and lower case) to "MACROSOFT". If the environment variable 

"SYSLOCK=@" is set, the virus will not infect. A variant of Advent.

__________________________________________________

NAME(S):  Tiny 163

TRANSMISSION VECTOR:  .COM applications

MODE OF INFECTION CODES:  COM, CC

POTENTIAL DAMAGE CODES:  

OVERVIEW:  When an infected file is executed, the virus attempts to 

infect other .COM files in the local directory.

__________________________________________________

NAME(S):  TIRED

TRANSMISSION VECTOR:  TIRED Application

MODE OF INFECTION CODES:  TRJ

POTENTIAL DAMAGE CODES:  FAT

OVERVIEW:  Another scramble-the-FAT trojan by Dorn W. Stickel.

__________________________________________________

NAME(S):  Toothless, W13, W13-A, W13-B

TRANSMISSION VECTOR:  .COM applications

MODE OF INFECTION CODES:  RES, COM

POTENTIAL DAMAGE CODES:  PROG

OVERVIEW:  Infects .COM files. Infected programs are first padded so 

their length becomes a multiple of 512 bytes, and then the 637 bytes of 

virus code is added to the end.  It then intercepts any disk writes and 

changes them into disk reads.

__________________________________________________

NAME(S):  TOPDOS

TRANSMISSION VECTOR:  TOPDOS Application

MODE OF INFECTION CODES:  TRJ

POTENTIAL DAMAGE CODES:  FMT

OVERVIEW:  This is a simple high level [hard] disk formatter.

__________________________________________________

NAME(S):  Traceback, 3066, 3066-B, 3066-B2, Traceback-B, Traceback-B2

TRANSMISSION VECTOR:  .COM or .EXE applications

MODE OF INFECTION CODES:  RES, COM, EXE

POTENTIAL DAMAGE CODES:  PROG

OVERVIEW:  Spreads between COM and EXE files.  Based on a rather

complicated set of criteria, it will sometimes cause the text displayed 

on the screen to fall to the bottom, and then rise back up.

__________________________________________________

NAME(S):  Traceback II, 2930, 2930-B, Traceback II-B

TRANSMISSION VECTOR:  .COM or .EXE applications

MODE OF INFECTION CODES:  RES, COM, EXE

POTENTIAL DAMAGE CODES:  PROG

OVERVIEW:  Spreads between .COM and .EXE files. Based on a rather 

complicated set of criteria, it will sometimes cause the text displayed 

on the screen to fall to the bottom, and then rise back up.

__________________________________________________

NAME(S):  TSRMAP

TRANSMISSION VECTOR:  TSRMAP Application

MODE OF INFECTION CODES:  TRJ

POTENTIAL DAMAGE CODES:  BOOT

OVERVIEW:  TSRMAP  *TROJAN*  This program does what it's

supposed to do:  give a map outlining the location (in RAM) of all TSR

programs, but it also erases the boot sector of drive "C:".

__________________________________________________

NAME(S):  Typo, Type Boot

TRANSMISSION VECTOR:  Floppy/hard disk boot sectors

MODE OF INFECTION CODES:  RES, FDB, HDB

POTENTIAL DAMAGE CODES:  BOOT, RUN

OVERVIEW:  Infects floppy and hard disk boot sectors.

__________________________________________________

NAME(S):  Typo, Fumble, Typo COM, 867, Mistake

TRANSMISSION VECTOR:  .COM applications

MODE OF INFECTION CODES:  RES, COM

POTENTIAL DAMAGE CODES:  RUN, PROG

OVERVIEW:  Infects .COM files.

__________________________________________________

NAME(S):  ULTIMATE

TRANSMISSION VECTOR:  ULTIMATE.EXE Application, ULTIMATE.ARC Archive

MODE OF INFECTION CODES:  TRJ

POTENTIAL DAMAGE CODES:  FAT

OVERVIEW:  Another FAT eater

__________________________________________________

NAME(S):  Vacsina, TP04VIR, TP05VIR, TP06VIR, TP16VIR, TP23VIR, TP24VIR,

TP25VIR

TRANSMISSION VECTOR:  .COM or .EXE applications

MODE OF INFECTION CODES:  RES, COM, EXE, OVR

POTENTIAL DAMAGE CODES:  RUN, PROG

OVERVIEW:  It infects .COM and .EXE files when they are loaded; old

versions of the virus will be replaced by newer ones.

__________________________________________________

NAME(S):  VDIR

TRANSMISSION VECTOR:  VDIR.COM Application

MODE OF INFECTION CODES:  TRJ

POTENTIAL DAMAGE CODES:  ERASE

OVERVIEW:  This is a disk killer that Jerry Pournelle wrote about in

BYTE Magazine.

__________________________________________________

NAME(S):  Vienna, 648, Lisbon, Vienna-B, Austrian, Dos-62, Unesco, The 

648 Virus, The One-in-Eight Virus, 62-B, DOS-68, Vien6, Vienna-B645

TRANSMISSION VECTOR:  .COM applications

MODE OF INFECTION CODES:  COM

POTENTIAL DAMAGE CODES:  PROG

OVERVIEW:  The virus infects one .COM file every time it is run. 7/8 of 

the time it infects the .COM file and 1/8 of the time it inserts a jump 

to the BIOS initialization routines that reboot the machine.  To mark a

file as infected, the virus sets the seconds field of the timestamp to

62, which most utilities (including DIR) skip.

__________________________________________________

NAME(S):  Zero Bug, Agiplan, 1536, Palette, ZBug

TRANSMISSION VECTOR:  .COM applications

MODE OF INFECTION CODES:  RES, COM

POTENTIAL DAMAGE CODES:  RUN, PROG

OVERVIEW:  Infects .COM files. All characters "0" (zero) will be 

exchanged with other characters. Exchange characters are 01h, 2Ah, 5Fh, 

3Ch, 5Eh, 3Eh and 30h, in which case the attribute is set to background

color (i.e. the character is invisible). This routine uses about

10% of CPU-time (system is slowed down accordingly).


The Computer Incident Advisory Capability: Virus Descriptions In Process

Suriv-03, Ohio, Yankee Doodle, Alabama, Vcomm, Virus-90, Jerusalem-B, Frankie, Dark Avenger III, Turbo 448, Tiny virus, Polish 217, Kennedy, Recovery Virus, VFSI, Polish 529, VHP2, Dot Killer, Burger, 512, 646, Oulu, Fellowship, Nomenklatura, Prudents Virus, 1226, Anticad, 1381, 1392, Ten Bytes, 1605, Yankee 2, PSQR, Eight Tunes, UScan Virus, 2131, Taiwan, Plastique, Itavir, 4096-B, The Basic Virus, Print Screen, Aircop, Anthrax, Anti-pascal II, Armagedon, Attention!, Best Wishes, Black Monday, Blood, Bloody!, Carioca, Casper, Christmas in Japan, Cursy, Datalock, Wisconsin, Doom, Durban, Solano 2000, Eddie 3, Evil, F-Word Virus, Swap Boot, Flip, Form, Fere Jacques, Sorry, Groen, Guppy, Joshi, Holocaust, Hymn, Invader, Jeff, Joker, JOJO, July 13th, June 16th, Kamikazi, Kemerovo, Korea, Kukac, Leprosy, Liberty, Live After Death, Lozinsky, Mardi Bros, MGTU, Microbes, ZeroHunt, Monxla, Whale, Murphy, Music, Number 1, Ontario, Phoenix, Paris, Ping Pong-C, Plastique-B, Polimer, Polish 529, Polish 583, Polish 961, Proud, Red Diavolyata, Scott's Valley, SF Virus, Shake, Slow, Spyer, Stoned-II, Subliminal 1.10, Sverdlov, SVir, USSR, V2P2, V2P6, V2P6Z, VHP, Victor, Violator, Virdem, Virus101, Voronezh, VP, Westwood, Wolfman


Last Modified September 01, 1995