=======================================================================
==                  Computer Virus Catalog Index                     ==
=======================================================================
==  Status: February 15, 1990 (Format 1.2)                           ==
==  Classified: 15 MSDOS-Viruses (MSDOSVIR.A89): Nov.15,1989         ==
==        ---> +15 MSDOS-Viruses (MSDOSVIR.290): Feb.15,1990 <--     ==
==              24 AMIGA-Viruses (AMIGAVIR.A89): Nov.15,1989         ==
==               6 Atari-Viruses (ATARIVIR.A89): Nov.15,1989         ==
==  Next edition planned: April 1990                                 ==
=======================================================================
==  To minimize problems with network restrictions (some of which    ==
==  limit e-mail to packages of less than 100 kBytes), the list of   ==
==  totally 30 MS-DOS viruses is partitioned, due to the first pub-  ==
==  lication, in 2 partitions (indicated at each entry):             ==
==     October 1989:  Document MSDOSVIR.A89: 1.138 Lines, 62 kBytes  ==
==  +  February 1990: Document MSDOSVIR.290:   928 Lines, 54 kBytes  ==
=======================================================================
==  List of classified MS-DOS Viruses:                         =Doc= ==
==  ----------------------------------                         =   = ==
==  +  1) Advent Virus                                         =290= ==
==     2) Autumn Leaves=Herbst="1704"=Cascade A Virus          =A89= ==
==     3) "1701" = Cascade B = Autumn Leaves B = Herbst B Virus=A89= ==
==     4) Bouncing Ball = Italian = Ping Pong= Turin Virus     =A89= ==
==  +  5) Dark Avenger                                         =290= ==
==  +  6) DATACRIME Ia = "1168" Virus                          =290= ==
==  +  7) DATACRIME Ib = "1280" Virus                          =290= ==
==  +  8) dBase Virus                                          =290= ==
==  +  9) Denzuk = "Search" = Venezuelan Virus                 =290= ==
==  + 10) Do Nothing = Stupid = 640k Virus                     =290= ==
==    11) "Friday 13th" = South African Virus                  =A89= ==
==  + 12) Fu Manchu Virus                                      =290= ==
==    13) GhostBalls Virus                                     =A89= ==
==    14) Icelandic#1 = Disk Crunching = One-in-Ten Virus      =A89= ==
==    15) Icelandic#2 Virus                                    =A89= ==
==    16) Israeli = Jerusalem A Virus                          =A89= ==
==  + 17) Lehigh Virus                                         =290= ==
==    18) MachoSoft Virus                                      =A89= ==
==  + 19) Marijuana = Stoned = New Zealand Virus               =290= ==
==    20) Merritt = Alameda A = Yale Virus                     =A89= ==
==  + 21) MIX1 = Mixer1 Virus                                  =290= ==
==  + 22) Ogre = Disk Killer 1.00 Virus                        =290= ==
==    23) Oropax = Music Virus                                 =A89= ==
==    24) Saratoga Virus                                       =A89= ==
==    25) SHOE-B v9.0 Virus                                    =A89= ==
==  + 26) Swap = Israeli Boot Virus                            =290= ==
==  + 27) SYSLOCK Virus                                        =290= ==
==  + 28) VACSINA #1,#2 Virus                                  =A89= ==
==    29) Vienna = Austrian = "648" Virus                      =A89= ==
==  + 30) Zero Bug = ZBug = Palette Virus                      =290= ==
==                                                                   ==
==  Remark: The following 20 MSDOS-Viruses are presently examined,   ==
==  classification will be published in next edition (April,1989):   ==
==    .) AIDS Virus (!not the Trojan AIDS INFO program!)             ==
==    .) Brain A = Pakistani A-Virus (Pakistani Virus Strain)        ==
==    .) April 1st Virus (EXE/COM variants) (Jerusalem Virus Strain) ==
==    .) DATACRIME II = "1514" Virus (DATACRIME Virus Strain)        ==
==    .) Devils Dance Virus                                          ==
==    .) Hello Virus                                                 ==
==    .) Lisbon Virus (Vienna Virus Strain)                          ==
==    .) Pentagon Virus                                              ==
==    .) Perfume Virus                                               ==
==    .) SURIV 1.01, 2.01, 3.00 Viruses (Jerusalem Virus Strain)     ==
==    .) Traceback = "3066" Virus                                    ==
==    .) Typo = Fumble Virus                                         ==
==    .) Vcomm Virus                                                 ==
==    .) W13 (Variants A,B) = Polish Viruses                         ==
==    .) Yankee Doodle Virus                                         ==
==    .) "405" Virus                                                 ==
==    .) "4096" Virus                                                ==
=======================================================================

====== Computer Virus Catalog 1.2: "Advent" Virus (15-Feb-1990) =======
Entry.................. "Advent" Virus
Alias(es).............. ---
Strain................. Syslock/Macho Virus Strain
Detected: when......... Autumn 1988
          where........ Federal Country of Rheinhessen, FR Germany
Classification......... Program Virus (Link virus)
Length of Virus........ 2761 - 2776 (dec) bytes appended on paragraph
                        boundary
------------------------ Preconditions --------------------------------
Operating System(s).... MS/PC-DOS
Version/Release........ 3.00 and upwards
Computer models........ All IBM PC compatibles.
-------------------------- Attributes ---------------------------------
Easy identification.... Beginning on every "Advent" (the time period
                        beginning at the 4th Sunday before Christmas
                        until Christmas Eve), the virus displays after
                        every "Advent Sunday" one more lit candle in a
                        wreath of four, together with the string "Merry
                        Christmas", and plays the melody of the German
                        Christmas song "Oh Tannenbaum". By Christmas all
                        four candles are lit. This happens until the end
                        of December, when an infected file is run.
Type of infection...... The virus infects both COM and EXE files.
                        EXE files: it checks the checksum in the EXE
                        header for 7CB6h, in which case no infection
                        will occur.
                        COM files: are checked by looking for the string
                        39,28,46,03,03,01 (hex) at offset 10h.
                        The virus is not RAM resident, therefore it will
                        only infect when the host is run. It infects by
                        searching through the directories on the current
                        drive and randomly choosing files and
                        directories to infect or search. It will not
                        infect any other drive. It will infect
                        COMMAND.COM.
Infection trigger...... Virus will infect any time it is run.
Media affected......... All disks that are addressable using standard
                        DOS functions, as long as it is the current
                        drive.
Interrupts hooked...... ---
Damage................. Transient damage: displayed picture, melody
                        (see Easy Identification)
Damage trigger......... Every time the host is run.
Particularities........ The virus checks for the environment variable
                        "VIRUS=OFF", in which case it will not infect.
                        The virus encrypts itself using a variable key.
                        The virus will only do its transient damage
                        after 1-Nov-1988.
Similarities........... Macho/Syslock: much of the code is identical,
                        including the startup code. This means that
                        Advent will be identified as Syslock by many
                        scanning programs. Advent seems to be the
                        precursor to Macho and Syslock (though detected
                        later).
---------------------------- Agents -----------------------------------
Countermeasures........ Use the environment variable described above as
                        a first aid measure only. If your COMMAND.COM is
                        infected, that won't stop the virus much.
                        Resetting the date will only stop the damage,
                        not the infection. Here is one of the few
                        strings that can safely be searched for:
                        50,51,56,BE,59,00,B9,26,08,90,D1,E9,8A,E1,
                        8A,C1,33,06,14,00,31,04,46,46,E2,F2,5E,59;
                        it should be noted, however, that this string
                        will also identify Syslock and Macho. There is
                        no scanning method that will tell the 3 apart.
                        "NTIADVEN" uses a checksum.
- ditto - successful.. For proper treatment, my Anti-Virus "NTIADVEN"
                        is highly recommended (in all humility).
                        Treatment by hand is very tedious and only
                        recommendable for experts.
Standard Means......... Booting from a write-protected disk and
                        restoring all COM and EXE files from the
                        original disks.
----------------------- Acknowledgements ------------------------------
Location............... Virus Test Center, University of Hamburg, FRG
Classification by...... Morton Swimmer
Documentation by....... Morton Swimmer
Date................... December 10, 1989
Information source..... "The Peter Norton Programmer's Guide to the
                        IBM PC" (1985), and members of our group. Also
                        thanks to V-COMM for producing "Sourcer" and
                        making my life easier.
======================= End of "Advent" Virus =========================

=== Computer Virus Catalog 1.2: "Dark Avenger" Virus (15-Feb-1990) ===
Entry...............: Dark Avenger
Alias(es)...........: ---
Virus Strain........: Dark Avenger
Virus detected when.: November 1989
              where.: USA
Classification......: February 1990
Length of Virus.....: about 1800 Bytes
--------------------- Preconditions -----------------------------------
Operating System(s).: DOS
Version/Release.....:
Computer model(s)...: IBM-compatible
--------------------- Attributes --------------------------------------
Easy Identification.: Two texts: "Eddie lives...somewhere in time" at
                      the beginning and "This Program was written in
                      the City of Sofia (C) 1988-89 Dark Avenger" near
                      the end of the file
Type of infection...: Link-virus
                      COM-files: appends to the program and installs a
                      short jump
                      EXE-files: appends to the program at the beginning
                      of the next paragraph
Infection Trigger...: COM and EXE files are corrupted on any read
                      attempt even when VIEWING!!!
Storage media affected: Any Drive
Interrupts hooked...: Int 21 DOS-services
                      Int 27 Terminate and Stay Resident
Damage..............: Overwrites a random sector with bootblock
Damage Trigger......: each 16th infection; counter located in Bootblock
Particularities.....: -
Similarities........: -
--------------------- Agents ------------------------------------------
Countermeasures.....: NONE! All data can be destroyed !!!! There is no
                      way of retrieving lost data. Backups will most
                      probably be destroyed too.
Countermeasures successful: install McAfee's SCANRES.
Standard means......: Good luck! Hopefully the virus did not destroy
                      too many of your programs and data.
--------------------- Acknowledgement ---------------------------------
Location............: VTC Uni Hamburg
Classification by...: Matthias Jaenichen
Documentation by....: Matthias Jaenichen
Date................: 31.01.1990
Information Source..: ---
===================== End of "Dark Avenger" Virus ====================

=== Computer Virus Catalog 1.2: "DATACRIME Ia" Virus (15-Feb-1990) ===
Entry...............: DATACRIME Ia
Alias(es)...........: DATACRIME 1168-Version = "1168 Virus"
Virus Strain........: DATACRIME
Virus detected when.:
              where.:
Classification......: Link-virus (extending), direct action
Length of Virus.....: .COM file: file length increases by 1168 byte
--------------------- Preconditions ----------------------------------
Operating System(s).: MS-DOS
Version/Release.....: 2.xx upward
Computer model(s)...: IBM-PC, XT, AT and compatibles
--------------------- Attributes -------------------------------------
Easy Identification.: ---
Type of infection...: System: no infection.
                      .COM file: Link-virus, increases COM files by 1168
                      Bytes. A .COM file is recognized as being infected
                      if the time entry of the last program modification
                      shows the following particularities: the least
                      significant three bits of the minutes are the same
                      as the seconds. Bits 4,5 of the seconds will be
                      set to zero. For example (H=Hours, M=Minutes,
                      S=Seconds):
                        H H H H H M M M M M M S S S S S
                        ? ? ? ? ? ? ? ? 1 0 1 ? ? ? ? ?
                      will be changed to
                        H H H H H M M M M M M S S S S S
                        ? ? ? ? ? ? ? ? 1 0 1 0 0 1 0 1
                      .EXE file: no infection.
Infection Trigger...: Every time the virus runs it looks for another
                      uninfected .COM file using the DOS functions
                      Findfirst/Findnext in the current directory or any
                      lower directory. If there is no file that can be
                      infected the virus looks at the drives C: D: A: B:
                      (in this order).
Interrupts hooked...: Int 24 (only when infecting a file)
Damage..............: Permanent Damage: the virus shows the message
                      "DATACRIME VIRUS RELEASED: 1 MARCH 1989", then the
                      first hard disk will be formatted (track 0, all
                      heads). When formatting is finished the speaker
                      will beep (endless loop).
Damage Trigger......: if the clock device is October the 13th or later
                      (any year).
Particularities.....: 1. The message "DATACRIME... 1989" is encrypted.
                      2. The virus detects a hard disk if the segment of
                         Int 41 is not zero.
                      3. Because of a mistake in the code the virus will
                         not use its format buffer.
                      4. Because of a missing segment override, Int 24
                         cannot be restored every time.
                      5. If the 7th letter of the program name is a 'D',
                         the program will not be infected (e.g.
                         COMMAND.COM).
Similarities........: The differences between Datacrime Ia and Ib are
                      minimal.
--------------------- Agents -----------------------------------------
Countermeasures.....: ---
- ditto - successful: ---
Standard means......: ---
--------------------- Acknowledgement --------------------------------
Location............: Virus Test Center, University Hamburg, FRG
Classification by...: Michael Reinschmiedt
Documentation by....: Michael Reinschmiedt
Date................: 14-Feb-1990
===================== End of "DATACRIME Ia" Virus ====================

==== Computer Virus Catalog 1.2: DATACRIME Ib Virus (15-Feb-1990) ====
Entry...............: DATACRIME Ib
Alias(es)...........: DATACRIME 1280-Version = "1280" Virus
Virus Strain........: DATACRIME
Virus detected when.: ---
              where.: ---
Classification......: Link-virus (extending), direct action
Length of Virus.....: .COM file: file length increases by 1280 byte
--------------------- Preconditions ----------------------------------
Operating System(s).: MS-DOS
Version/Release.....: 2.xx upward
Computer model(s)...: IBM-PC, XT, AT and compatibles
--------------------- Attributes -------------------------------------
Easy Identification.: ---
Type of infection...: System: no infection.
                      .COM file: Link-virus, increases COM files by 1280
                      Byte. A .COM file is recognized as being infected
                      if the time entry of the last program modification
                      shows the following particularities: the least
                      significant three bits of the minutes are the same
                      as the seconds. Bits 4,5 of the seconds will be
                      set to zero. For example (H=Hours, M=Minutes,
                      S=Seconds):
                        H H H H H M M M M M M S S S S S
                        ? ? ? ? ? ? ? ? 1 0 1 ? ? ? ? ?
                      will be changed to
                        H H H H H M M M M M M S S S S S
                        ? ? ? ? ? ? ? ? 1 0 1 0 0 1 0 1
                      .EXE file: no infection.
Infection Trigger...: Every time the virus runs it looks for one other
                      uninfected .COM file using the DOS functions
                      Findfirst/Findnext in the current directory or any
                      lower directory. If there is no file that can be
                      infected the virus looks at the drives C: D: A: B:
                      (in this order).
Interrupts hooked...: Int 24 (only when infecting a file)
Damage..............: Permanent Damage: the virus shows the message
                      "DATACRIME VIRUS RELEASED: 1 MARCH 1989", then the
                      first hard disk will be formatted (track 0, all
                      heads). If formatting is finished the speaker will
                      beep (endless loop).
Damage Trigger......: if the clock device is October the 13th or later
                      (any year).
Particularities.....: 1. The message "DATACRIME... 1989" is encrypted.
                      2. The virus detects a hard disk if the segment of
                         INT 41 is not zero.
                      3. Because of a mistake in the code the virus will
                         not use its format buffer.
                      4. Because of a missing segment override, INT 24
                         cannot be restored every time.
                      5. If the 7th letter of the program name is a 'D',
                         the program will not be infected (e.g.
                         COMMAND.COM).
Similarities........: The differences between Datacrime Ia and Ib are
                      minimal.
--------------------- Agents -----------------------------------------
Countermeasures.....: ---
- ditto - successful: ---
Standard means......: ---
--------------------- Acknowledgement --------------------------------
Location............: Virus Test Center, University Hamburg, FRG
Classification by...: Michael Reinschmiedt
Documentation by....: Michael Reinschmiedt
Date................: 14-Feb-1990
===================== End of DATACRIME Ib Virus ======================

====== Computer Virus Catalog 1.2: "dBase" Virus (15-Feb-1990) =======
Entry...............: "dBase" Virus
Alias(es)...........: ---
Virus Strain........: ---
Virus detected when.: October 1989
              where.: ---
Classification......: Link-Virus (extending), RAM-resident
Length of Virus.....: .COM files: program length increases by 1864 bytes
--------------------- Preconditions ----------------------------------
Operating System(s).: MS-DOS
Version/Release.....: 2.xx upward
Computer model(s)...: IBM-PC, XT, AT and compatibles
--------------------- Attributes ------------------------------------
Easy Identification.: Typical text in virus body (readable with
                      HexDump utilities): "c:\bugs.dat"
Type of infection...: System: RAM-resident, infected if function FB0AH
                      of INT 21H returns with 0AFBH in the AX register.
                      .COM file: extended by using the EXEC function. A
                      file will only be infected once.
                      .EXE file: no infection.
Infection Trigger...: When function 4B00H of INT 21H (EXEC) is called.
Interrupts hooked...: INT 21H
Damage..............: Permanent Damage:
                      1. Every time a .DBF file is created in an
                         infected system with function 3CH, 5BH or 6CH
                         of INT 21H, the complete filename of the new
                         .DBF file will be inserted in the hidden file
                         "c:\bugs.dat".
                      2. On every write operation to a file registered
                         in "bugs.dat", all neighboring bytes will be
                         interchanged (e.g.: "01 02 03 04" changed to
                         "02 01 04 03").
                      3. On every read operation from a file registered
                         in "bugs.dat", the bytes will be interchanged
                         again, so that no modification is visible.
                      4. If the filename of the .DBF file is modified,
                         so that it does not correspond to the filename
                         registered in "bugs.dat", or read/write
                         operations happen in a non-infected system,
                         the bytes will no longer be modified by the
                         virus and they appear defective.
                      Transient Damage: Every time a new .DBF file is
                      created, the virus examines the age of "bugs.dat".
                      If the difference between the month of creation
                      and the current month is greater than 2, the
                      computer will hang in an endless loop.
Particularities.....: - In case of a program error in the virus, single
                        bytes in the .DBF file could be overwritten
                        incorrectly by write operations!
                      - Programs longer than 63415 bytes are no longer
                        loadable.
Special remark......: The original virus contains code which erases
                      (INT 21) the infected DBF file structure after a
                      certain time; Ross Greenberg, who detected this
                      virus, patched the essential instruction with
                      INT 03 so that the destructive part no longer
                      works; the rest of the code was not changed.
                      Unfortunately, the changed code escaped one virus
                      expert's computer.
--------------------- Agents ------------------------------------------
Countermeasures.....: Category 3: ANTI_DBS.EXE (VTC Hamburg)
- ditto - successful: ANTI_DBS.EXE finds and restores infected programs
                      (only for DBASE).
Standard means......: Notice .COM file length. Typical text in virus
                      body: "c:\bugs.dat", which is also created in the
                      root directory.
--------------------- Acknowledgement --------------------------------
Location............: Virus Test Center, University Hamburg, FRG
Classification by...: Thomas Lippke
Documentation by....: Thomas Lippke
Date................: January 20, 1990
===================== End of "dBase" Virus ===========================

====== Computer Virus Catalog 1.2: "den Zuk" Virus (15-Feb-90) =======
Entry.................. den Zuk (B)
Alias(es).............. Venezuelan, "The Search"
Strain................. den Zuk
Detected: when......... ---
          where........ ---
Classification......... System (Boot) virus, RAM resident
Length of Virus........ 1 boot sector and 9 sectors on track 40
----------------------- Preconditions --------------------------------
Operating System(s).... MS/PC-DOS
Version/Release........
Computer models........ All IBM PC and AT compatibles.
----------------------- Attributes -----------------------------------
Easy identification.... The label on an infected disk will read:
                        "Y.C.1.E.R.P", where the "." is the F9h
                        character.
Type of infection...... System: the virus resides on the boot sector
                        and at track 40, head 0, sectors 1 - 9. If an
                        infected disk is booted, the virus will load
                        itself into the top of memory. From there it
                        will infect any floppy that is written to.
Infection trigger...... Will infect at any time.
Media affected......... Only floppies. The virus does not identify
                        other types of floppies larger than 360kb. This
                        means that, for instance, track 40 of a 1,2kb
                        disk will be overwritten, and data can be lost
                        if these sectors were in use.
Interrupts hooked...... Int 13h, Int 9
Damage................. A graphical "DEN ZUK" will stream in from the
                        sides on CGA and EGA screens. (nice effect!)
Damage trigger......... The graphics will appear on every
                        Ctrl-Alt-Delete (reset).
Particularities........ den Zuk B will replace an occurrence of
                        den Zuk A (Ohio) as well as the Brain strains of
                        viruses. The virus will masquerade as a clean
                        boot sector.
Similarities........... It is a slightly improved version of den Zuk A.
---------------------------- Agents -----------------------------------
Countermeasures........ ---
- ditto - successful.. ---
Standard Means......... Boot from a clean disk and use SYS to overwrite
                        the infected boot sector. It is, however,
                        always better to format the disk.
----------------------- Acknowledgements ------------------------------
Location............... Virus Test Center, University of Hamburg, FRG
Classification by...... Morton Swimmer
Documentation by....... Morton Swimmer
Date................... 15-Feb-1990
Information source..... ---
======================= End of den Zuk (B) Virus =====================

==== Computer Virus Catalog 1.2: "Do Nothing" Virus (15-Feb-1990) ====
Entry...............: The "Do Nothing" Virus
Alias(es)...........: The Stupid Virus, 640K Virus
Virus strain........: ---
Virus detected when.: 22-October-1989
              where.: BBSs in Israel
Classifications.....: COM file infecting virus/extending, resident.
Length of virus.....: Infected files grow by 583 bytes.
--------------------- Preconditions -----------------------------------
Operating system(s).: MS-DOS
Version/release.....: 2.0 or higher
Computer model(s)...: IBM PC, XT, AT and compatibles
--------------------- Attributes --------------------------------------
Identification......: .COM files: The first 3 bytes of the infected
                      files are changed.
Type of infection...: System: The virus copies itself to 9800:100h.
                      This means that only computers with 640KB can be
                      infected. Infects other programs by scanning the
                      directory until it finds a .COM file.
                      .COM files: Extends .COM files. Adds 583 bytes to
                      the end of the file.
                      .EXE files: Not infected.
Infection trigger...: The first .COM file of the current directory is
                      infected whether the file is infected or not.
Interrupts hooked...: 21h, 70h.
Damage..............: None.
Damage trigger......: ---
Particularities.....: 1. Many programs load themselves to this area and
                         erase the virus from memory.
                      2. The virus can work only on 640K systems.
                      3. It changes interrupt 70h to be the same as
                         interrupt 21h. In the virus only interrupt 70h
                         is used and not interrupt 21h.
--------------------- Agents ------------------------------------------
Countermeasures.....: Virus Buster and more commercial Israeli
                      anti-viral software (JIV, Turbo Anti-Virus).
Countermeasures successful: Virus Buster will locate the virus and,
                      upon request, will remove it.
Standard means......: ---
--------------------- Acknowledgement ---------------------------------
Classification by...: Yuval Tal (NYYUVAL@WEIZMANN.BITNET)
Documentation by....: Yuval Tal (NYYUVAL@WEIZMANN.BITNET)
Date................: December 19, 1989
===================== End of "Do Nothing" Virus ======================

===== Computer Virus Catalog 1.2: "Fumanchu-Virus" (15-Feb-1990) ======
Entry...............: "Fumanchu-Virus"
Alias(es)...........:
Virus Strain........: Jerusalem-Virus Strain
Virus detected when.:
              where.:
Classification......: Program-virus (extending), RAM-resident
Length of Virus.....: .COM files: program length increases by 2086 bytes
                      .EXE files: program length increases by 2080 -
                      2095 bytes
--------------------- Preconditions ----------------------------------
Operating System(s).: MS-DOS
Version/Release.....: 2.xx upward
Computer model(s)...: IBM-PC, XT, AT and compatibles
--------------------- Attributes -------------------------------------
Easy Identification.: Typical texts in virus body (readable with
                      HexDump facilities):
                      1. "sAXrEMHOr" and "COMMAND.COM" in the data area
                         of the virus and
                      2. "rEMHOr" are the last 6 bytes if the infected
                         program is a .COM file.
Type of infection...: System: infected if function E1h of INT 21h
                      returns the value 0400h in the AX register.
                      .COM files: program length increases by 2086
                      bytes if it is infected and the last 6 bytes are
                      "rEMHOr" (identification); a .COM file will not
                      be infected more than once.
                      .EXE files: program length increases by 2080 -
                      2095 bytes; if it is infected, the word checksum
                      in the EXE header is "1988"; an EXE file will not
                      be infected more than once.
Infection Trigger...: Programs are infected when loaded (using the
                      function Load/Execute of MS-DOS)
Interrupts hooked...: INT08h, INT09, INT16, INT21 (INT24 only while
                      infecting a file).
Damage..............: Transient Damage:
                      1. The message 'The world will hear from me
                         again! ' is displayed on every warm boot.
                      2. The virus watches the keyboard input and
                         appends slanders about politicians in the
                         keyboard buffer.
Damage Trigger......: Every time the system is infected.
                      Damage 1: always
                      Damage 2: from August 89
Particularities.....: 1. .COM files larger than 63193 bytes are no
                         longer loadable after infection.
                      2. .COM files larger than 63449 bytes are
                         destroyed by overwriting.
                      3. Three functions used by Novell Netware 4.0
                         cannot be used.
                      4. The virus code contains a routine that will
                         automatically reboot the system between 1 and
                         16 hours. This code is never activated due to
                         a programming mistake.
                      5. All strings are encrypted.
--------------------- Agents -----------------------------------------
Countermeasures.....: Category 3: ANTIFUMN.EXE (VTC Hamburg)
Countermeasures successful: ANTIFUMN.EXE is an antivirus that only
                      looks for the Fumanchu Virus and, if requested,
                      will restore the file.
Standard means......: File length increased if a program is infected.
--------------------- Acknowledgement --------------------------------
Location............: Virus Test Center, University Hamburg, FRG
Classification by...: Michael Reinschmiedt
Documentation by....: Michael Reinschmiedt
                      Morton Swimmer
Date................: December 15, 1989
===================== End of "Fumanchu" Virus ========================

====== Computer Virus Catalog 1.2: Lehigh Virus (15-Feb-1990) ========
Entry...............: Lehigh Virus
Alias(es)...........: ---
Virus strain........: ---
Virus detected when.: November 1987
              where.: Lehigh University (Bethlehem/USA)
Classification......: System virus (COMMAND.COM), RAM-resident
Length of virus.....: 555 bytes
--------------------- Preconditions ----------------------------------
Operating system(s).: MS-DOS
Version/release.....: 2.0 and higher
Computer model(s)...: All MS-DOS machines
--------------------- Attributes -------------------------------------
Easy identification.: Last two bytes of COMMAND.COM = A9h 65h,
                      COMMAND.COM grows by 555 bytes.
Type of infection...: COMMAND.COM only (stack space at end of file
                      overwritten); RAM resident (no check if RAM
                      infected before).
Infection trigger...: Uninfected COMMAND.COM in the root directory of
                      used or current drive (checked by INT 21h)
Storage media affected: Any COMMAND.COM on hard disk or diskette.
Interrupts hooked...: INT 21h: AH = 4Bh (load) and AH = 4Eh (find file)
                      INT 44h: Set as old INT 21h
Damage..............: If A: or B: selected (if it is not the current
                      drive), then sectors 1 to 32 are overwritten with
                      garbage read from BIOS and print-text (also from
                      BIOS).
Damage trigger......: Infection counter = 4
Particularities.....: Not hardware-dependent: INT 21h, 26h used only
Similarities........: ---
--------------------- Agents -----------------------------------------
Countermeasures.....: ---
Countermeasures successful: Several antiviruses (McAfee, Solomon,
                      Skulason et al.) successfully detect and eradicate
                      this virus.
Standard means......: ---
--------------------- Acknowledgement --------------------------------
Location............: Virus Test Center, University Hamburg, FRG
Classification by...: Daniel Loeffler (disassembly by Joe Hirst)
Documentation by....: Daniel Loeffler
Date................: December 18, 1989
Information Source..: ---
========================= End of "Lehigh"-Virus ======================

====== Computer Virus Catalog 1.2: Marijuana Virus (15-Feb-1990) =====
Entry...............: Marijuana Virus
Alias(es)...........: Stoned Virus, New Zealand Virus
Classification......: System Virus (= Bootsector virus)
Length of Virus.....: 440 bytes (occupies one sector on storage medium)
                      2 kbyte in RAM
--------------------- Preconditions -----------------------------------
Operating System(s).: MS-DOS
Version/Release.....: 2.xx and upward
Computer model(s)...: IBM-PC/XT/AT
--------------------- Attributes --------------------------------------
Easy Identification.: 'Your PC is now Stoned!.....LEGALISE MARIJUANA!'
                      in the bootsector at offset 18Ah
Type of infection...: Self-identification: The virus regards a disk as
                      infected if the bootsector starts with
                      EA 05 00 C0.
                      The virus installs itself 2 kbyte below the end
                      of available memory, removes that space from DOS,
                      and infects the first hard disk when booting from
                      an infected floppy disk. It captures all read and
                      write calls to drive A:, checks for infection
                      and, if not present, infects the disk. Infection
                      occurs by transferring the original bootsector on
                      a floppy disk to head 1, track 0, sector 3 or on
                      a hard disk to head 0, track 0, sector 7; the
                      original bootsector is replaced with the virus
                      bootsector. When the virus installs itself from a
                      floppy drive and the last three bits of the
                      system clock counter are all zero, the PC beeps
                      and the message 'Your PC is now Stoned!' is
                      printed on the screen.
Infection Trigger...: Infection of drive A: disks at any activity that
                      invokes an int 13h read or write call (e.g. DIR,
                      TYPE)
                      Infection of the hard disk: when booting from an
                      infected floppy disk.
Storage media affected: Infects only disks in drive A: (media type
                      doesn't matter) and the first hard disk
Interrupts hooked...: Int 13h functions 2, 3 (read, write)
Damage..............: Indirect damage through infection:
                      1. Floppy disks: The overwritten sector is usually
                         a part of the root directory, so directory
                         entries may be destroyed.
                      2. Hard disk: Overwrites sector 7. Usually this
                         sector is not used, but in some non-standard
                         cases the hard disk may become inaccessible.
Damage Trigger......: Infection, booting
Particularities.....: Normal formatting will not remove the virus from
                      an infected hard disk
--------------------- Agents ------------------------------------------
Countermeasures.....: Category 3: ANTIMARI.COM (VTC Hamburg)
Countermeasures successful: ANTIMARI.COM deactivates the resident
                      Marijuana-Virus in RAM and restores the bootsector
                      to its correct place
--------------------- Acknowledgement ---------------------------------
Location............: Virus Test Center, University Hamburg, FRG
Classification by...: Rainer Anscheit
Documentation by....: Rainer Anscheit
Date................: Jan. 14, 1990
===================== End of Marijuana-Virus ==========================

======= Computer Virus Catalog 1.2: "MIX1" Virus (15-Feb-1990) =======
Entry...............: MIX1 Virus
Alias(es)...........: Mixer1
Virus strain........: Icelandic Virus
Virus detected when.: August 22, 1989
              where.: BBSs in Israel
Classification......: Program virus (.EXE files) - Extending,
                      RAM-resident.
Length of virus.....: 1. Infected .EXE files enlarged by 1618-1634 bytes
                         (depends on the original file size).
                      2. 2048 bytes in RAM.
--------------------- Preconditions ----------------------------------
Operating system(s).: PC/MS DOS version
Version/Release.....: 2.0 or later.
Computer model(s)...: IBM-PC, XT, AT and compatibles --------------------- Attributes ------------------------------------- Easy Identification.: 1. "MIX1" are the last 4 bytes of the infected file. 2. In DEBUG to check byte 0:33C. If this equals 77h, then the virus is in memory. Type of infection...: System: Infected if byte 0:33C equals 77h. .EXE files: Only files which do not have a signature at their end are infected. File length is increased by 1618 - 1634 bytes. Infection trigger...: When executing/load .EXE files through interrupt 21h service 4bh. Interrupt hooked....: 21h, 14h, 17h, optionally 8,9 (after 6th level of infection). Damage..............: Garbled output on parallel and serial connec- tions, after 6th level of infection boot will crash the system (a bug), num-lock is constantly on, a ball will start boun- cing. Damage trigger......: After executing and infected file is executed Particularities.....: 1. Booting may crash the computer (possibly a bug). 2. Memory allocation is done through direct MCB control. 3. Does not allocate stack, and therefore makes some files unusable. 4. Infects only files which are bigger than 8K. --------------------- Agents ----------------------------------------- Countermeasures.....: Virus Buster and more commercial, Israeli anti viral software (JIV, Turbo Anti-Virus). Countermeasures successful: Virus Buster will locate the virus and upon request, will remove it. Standard means......: Check byte 0:33C (cf: Easy identifications). --------------------- Acknowledgement -------------------------------- Classification by...: Yuval Tal (NYYUVAL@WEIZMANN.BITNET), Ori Berger Documentation by....: Yuval Tal (NYYUVAL@WEIZMANN.BITNET), Ori Berger Date................: December 19, 1989 ===================== End of MIX1 Virus ============================= ====== Computer Virus Catalog 1.2: "Ogre" Virus (15-Feb-1990) ======= Entry.................. Ogre Virus Alias(es).............. Disk Killer 1.00 Strain................. 
                        ---
Detected: when......... ---
          where........ ---
Classification......... Boot sector virus, RAM resident
Length of Virus........ 2560 bytes of code, 5 sectors on disk (+1
                        where original bootsector is saved)
------------------------ Preconditions--------------------------------
Operating System(s).... MS-DOS
Version/Release........ not relevant
Computer models........ IBM-PC/AT and compatibles
-------------------------- Attributes---------------------------------
Easy identification.... Word at offset 003Eh in the boot sector will
                        contain the value 3CCBh.
Type of infection...... System virus: Ogre will infect any boot sector
                        it comes in contact with. On floppies the virus
                        will reserve 5 sectors by marking them as bad.
                        On hard disks the "Special Reserved Sectors"
                        are used, if sufficiently abundant.
Infection trigger...... Any read to a drive will provoke an infection.
Media affected......... Floppies and hard disks
Interrupts hooked...... Int 13 function 2, Int 9, Int 8.
Damage................. It will destroy (encode) the entire disk.
Damage trigger......... The virus has a counter hooked to the timer
                        interrupt. The counter is updated on any
                        infected disk that is found. After about 48
                        hours of work time, damage is done if within
                        that hour a read to disk is done, else the
                        virus must wait another 255 hours.
Particularities........ A disk destroyed (encoded) by Ogre can be
                        restored by an appropriate decoding routine.
Similarities........... ---
----------------------- Agents---------------------------------------
Countermeasures........ FindViru in Dr. Solomon's Toolkit will find
                        Ogre.
   - ditto - successful.. AntiOgre will identify and restore an
                        infected disk. RestOgre will restore a
                        destroyed disk.
Standard Means......... Boot from a clean disk and use the SYS command
----------------------- Acknowledgements-----------------------------
Location............... Virus Test Center, University of Hamburg
Classification by......
                        Morton Swimmer
Documentation by....... Morton Swimmer
Date................... 2-Feb-1990
Information source..... ---
======================= End of "Ogre" Virus ==========================

====== Computer Virus Catalog 1.2: "Swap" Virus (15-Feb-1990) ========
Entry...............: Swap Virus
Alias(es)...........: = Israeli Boot Virus
Virus Strain........: ---
Virus detected when.: June, 1989
              where.: Israel
Classification......: Boot Sector infection, resident in RAM
Length of Virus.....: 1. 740 Byte on storage medium
                      2. 2.048 Byte in RAM
--------------------- Preconditions -----------------------------------
Operating System(s).: MS-DOS
Version/Release.....: versions 2.0 or later
Computer model(s)...: ---
--------------------- Attributes -------------------------------------
Easy Identification.: A) Boot sector:
                         A1) Bytes from $16A in boot sector are:
                             31 C0 CD 13 B8 02 02 B9 06 27 BA 00 01
                             CD 13 9A 00 01 00 20 E9 XX XX
                         A2) First 3 bytes in boot sector are: JMP 0196
                             (that is, the boot sector was loaded to
                             CS:0)
                      B) FAT: track 39 sector 6-7 are marked as bad.
                      C) The message: "The Swapping-Virus. (C) June, by
                         the CIA" located in bytes 02B5-02E4 on track
                         39, sector 7.
Type of infection...: Resident in RAM. A diskette is infected when it
                      is inserted into the drive and ANY command that
                      reads from or writes to the diskette is executed.
Infection Trigger...: Virus starts to work after 10 minutes.
Storage media affected: Infects diskettes; hard disks are NOT infected.
Interrupts hooked...: Int $8 Timer-Tick: responsible for letter-dropping
                      Int $13 Disk Drive: Infects!
Damage..............: Permanent Damage: track 39 sector 6-7 will be
                      marked as bad.
Damage Trigger......: Whenever a diskette is infected.
Particularities.....: A diskette will be infected only if track 39
                      sectors 6-7 are empty.
Similarities........: ---
--------------------- Agents ------------------------------------------
Countermeasures.....: Category 1: .1 Monitoring Files: ---
                                  .2 Monitoring System Vectors: ---
                                  .3 Monitoring System Areas: ---
                      Category 2: Alteration Detection: ---
                      Category 3: Eradication: ---
                      Category 4: Vaccine: ---
                      Category 5: Hardware Methods: ---
                      Category 6: Cryptographic Methods: ---
Countermeasures successful: ---
Standard means......: ---
--------------------- Acknowledgement ---------------------------------
Location............: Weizmann Institute, Rehovot
Classification by...: Yuval Tal
Documentation by....: Yuval Tal
Date................: August 1989
Information Source..:
===================== End of "Swap"-Virus =============================

====== Computer Virus Catalog 1.2: "Syslock" Virus (15-Feb-1990) ======
Entry.................. Syslock
Alias(es).............. ---
Strain................. Advent/Macho/Syslock family
Detected: when......... July 1989 (?)
          where........ USA
Classification......... Program Virus (postfix)
Length of Virus........ 3550-3560 (dec) bytes appended on paragraph
                        boundary
------------------------ Preconditions--------------------------------
Operating System(s).... MS/PC-DOS
Version/Release........ 3.00 and upwards
Computer models........ All IBM PC compatibles.
----------------------- Attributes------------------------------------
Easy identification.... Any string "MICROSOFT" is replaced with
                        "MACROSOFT".
Type of infection...... The virus infects both COM and EXE files.
                        EXE files: the virus checks the checksum in the
                        EXE header for 7CB6h, in which case no
                        infection will occur.
                        COM files: are checked by looking for the
                        string 39,28,46,03,03,01 (hex) at offset 10h.
                        The virus is not RAM resident, therefore it
                        will only infect when the host is run. It
                        infects by searching through the directories
                        on the current drive and randomly choosing
                        files and directories to infect or search.
                        It will not infect any other drive than the
                        current one. It will infect COMMAND.COM.
Infection trigger...... Virus will infect any time it is run.
Media affected......... All disks that are addressable using standard
                        DOS functions.
Interrupts hooked...... ---
Damage................. Will replace any occurrence of "MICROSOFT" with
                        "MACROSOFT". It does this by using the DOS (not
                        BIOS) interrupts 25h and 26h, and searching the
                        disk from beginning to end, sector by sector.
                        It tries 20h sectors at a time, and stores the
                        last sector infected in the file
                        "\DOS\KEYB.PCM", which is marked "system" and
                        "hidden". After reaching the last sector, it
                        will start from the beginning again.
Damage trigger......... Every time the host is run, after 1-Jan-1985.
Particularities........ The virus checks for the environment variable
                        "SYSLOCK=@" (therefore its name), in which case
                        it will not infect. The virus is encrypted
                        using a variable key. The functions of DOS
                        interrupts 25h and 26h have been changed in
                        DOS 4.0.
Similarities........... See Macho virus documentation
----------------------- Agents---------------------------------------
Countermeasures........ Use the environment variable described above
                        as a first aid measure only. Here's one of the
                        few strings that can safely be searched for:
                        50,51,56,BE,59,00,B9,26,08,90,D1,E9,8A,E1,
                        8A,C1,33,06,14,00,31,04,46,46,E2,F2,5E,59
                        This string will however identify Advent and
                        Macho as well.
   - ditto - successful.. For proper treatment, my antivirus "NTISYSL"
                        is highly recommended (in all humility).
                        Treatment by hand is very tedious and only for
                        experts.
Standard Means......... Booting from a write-protected disk and
                        restoring all COM and EXE files from the
                        original disks is the only way.
----------------------- Acknowledgements-----------------------------
Location............... Virus Test Center, University of Hamburg, FRG
Classification by...... Morton Swimmer
Documentation by....... Morton Swimmer
Date...................
                        1-Dec-1989
Information source..... ---
======================= End of "Syslock" Virus =======================

=== Computer Virus Catalog 1.2: Vacsina (1,2) Virus (15-Feb-1990) ====
Entry...............: "Vacsina Virus" (#1/#2)
Alias(es)...........:
Virus Strain........:
Virus detected when.: August 1989
              where.: University of Cologne, FRG
Classification......: Link-virus (extending), RAM-resident
Length of Virus.....: .COM files: program length increases by
                      1206-1221 bytes
                      .EXE files: program length increases by 132 bytes
--------------------- Preconditions ----------------------------------
Operating System(s).: MS-DOS
Version/Release.....: 2.xx upward
Computer model(s)...: IBM-PC, XT, AT and compatibles
--------------------- Attributes -------------------------------------
Easy Identification.: 1. Typical texts in Virus body (readable with
                         HexDump-facilities): "VACSINA" in data area
                         of the virus.
                      2. The length of an infected file is increased.
                      3. The date/time of the last program modification
                         is different between an infected program and
                         its original version.
Type of infection...: System: infected if the segment:offset of INT31h
                      points to 0539h:7fxxh.
                      .COM files: with a program length of 1207-62866
                      bytes will be infected if the first instruction
                      is a JMP_DISP_16 (Opcode E9) and the program
                      length increases by 1206-1221 bytes. The last 4
                      bytes are 0F4h,07Ah,005h,000h (identification);
                      therefore, a .COM file will not be infected more
                      than once.
                      .EXE files: with a program length up to 64946
                      bytes will not be infected, but converted into
                      COM-format and the program length increases by
                      132 bytes. The virus adds code to the EXE-file
                      that is able to relocate the file while loading
                      it. If a converted EXE-file is started again in
                      an infected system, it will be infected like a
                      COM-file.
Infection Trigger...: Programs are infected when they are run (using
                      the function Load/Execute of MS-DOS).
Interrupts hooked...: INT21h, INT24h (only while infecting a file).
                      INT31 (identification that system is infected)
Damage..............: Transient damage: every time a file is infected,
                      the loudspeaker will beep.
Damage Trigger......: ---
Particularities.....: The date/time of the last program modification
                      will not be restored.
--------------------- Agents -----------------------------------------
Countermeasures.....: Category 3: ANTIVACS.EXE (VTC Hamburg)
   - ditto - successful: ANTIVACS.EXE is an antivirus that specifically
                      looks for the VACSINA virus and, if requested,
                      will restore the file.
Standard means......: ---
--------------------- Acknowledgement --------------------------------
Location............: Virus Test Center, University Hamburg, FRG
Classification by...: Michael Reinschmiedt
Documentation by....: Michael Reinschmiedt
Date................: January 3, 1990
===================== End of "VACSINA" (#1,#2) Virus =================

===== Computer Virus Catalog 1.2: "Zero Bug" Virus (15-Feb-1990) =====
Entry...............: "Zero Bug"
Alias(es)...........: "ZBug","Palette"
Virus Strain........:
Virus detected when.: October 1989
              where.:
Classification......: Link-Virus (extending), RAM-resident
Length of Virus.....: .COM-Files increased by 1536 bytes
                      in RAM: 1792 bytes + environment
--------------------- Preconditions ----------------------------------
Operating System(s).: MS-DOS
Version/Release.....: 2.xx upward
Computer model(s)...: IBM-PC, XT, AT and compatibles
--------------------- Attributes -------------------------------------
Easy Identification.: Typical text in Virus body (readable with
                      HexDump-utilities): "ZE","COMSPEC=C:",
                      "C:\COMMAND.COM".
                      .COM files: "seconds" field of the timestamp
                      changed to 62 sec (similar to the GhostBalls and
                      original Vienna viruses).
Type of infection...: System: RAM-resident, infected if string "ZE" is
                      found at offset 0103h (INT 60h).
                      .COM file: extended by using CREATE-function.
                      Adds 1536 bytes to the beginning of the file; a
                      file will not be infected more than once.
                      .EXE File: no infection.
Infection Trigger...: When function 3C00h (CREATE) and 4000h (WRITE) of
                      INT 21h are called (e.g. if you use "COPY *.COM",
                      then every destination-file will be infected).
Interrupts hooked...: INT 60h, INT 21h, INT 1Ch
Damage..............: Permanent Damage:
                      1. Every time a .COM file is created in an
                         infected system with function 3Ch of INT 21h,
                         the file will be infected.
                      Transient Damage:
                      1. If INT 1Ch is hooked, every 14 sec INT 21h will
                         be set to the viruscode (programs which hooked
                         INT 21h will be unhooked and hang).
                      2. All characters "0" (zero) will be exchanged
                         with other characters. Exchange characters are
                         01h, 2Ah, 5Fh, 3Ch, 5Eh, 3Eh and 30h, in which
                         case the attribute is set to background color
                         (i.e. the character is invisible). This
                         routine uses about 10% of CPU-time (system is
                         slowed down accordingly).
                      3. Modifies the filelength in the Disk Transfer
                         Area (DTA): files do not appear as infected.
                         The length of the files with seconds field of
                         timestamp set to 62 sec will be modified in
                         DTA accordingly:
                         filelength := filelength - viruslength.
Damage Trigger......: Only if "C:\COMMAND.COM" is infected, INT 1Ch is
                      hooked and damage is done. After 240 reboots of
                      system, the first damage occurs. The next damage
                      occurs after every fifth reboot.
Particularities.....: In case of MS-DOS error in 2.xx, system can hang
                      by infection of "C:\COMMAND.COM". Programs longer
                      than 63728 bytes are not executed correctly after
                      infection.
--------------------- Agents -----------------------------------------
Countermeasures.....: Category 3: ANTI_ZBG.EXE (VTC Hamburg)
   - ditto - successful: ANTI_ZBG.EXE finds and restores infected
                      programs.
             unsuccessful: Programs which check only the filelength of
                      infected files in an infected system may fail.
Standard means......: Notice .COM file length.
--------------------- Acknowledgement --------------------------------
Location............: Virus Test Center, University Hamburg, FRG
Classification by...: Stefan Tode
Documentation by....: Stefan Tode
Date................: January 20, 1990
===================== End of "Zero Bug"-Virus ========================

=======================================================================
== For their outstanding support and continued help, we wish to      ==
== thank David Ferbrache (Edinburgh), Christoph Fischer (Karlsruhe), ==
== Yisrael Radai (Jerusalem), Fridrik Skulason (Rejkjavik) and       ==
== Yuval Tal (Rehovot).                                              ==
== Critical and constructive comments as well as additions are       ==
== appreciated. Especially, descriptions of new viruses will be of   ==
== general interest. To receive the Virus Catalog Format, containing ==
== entry descriptions, please contact the above address.             ==
=======================================================================
== The Computer Virus Catalog may be copied free of charges provided ==
== that the source is properly mentioned at any time and location    ==
== of reference.                                                     ==
=======================================================================
== Editor: Virus Test Center, Faculty for Informatics                ==
==         University of Hamburg                                     ==
==         Schlueterstr. 70, D2000 Hamburg 13, FR Germany            ==
==         Prof. Dr. Klaus Brunnstein, Simone Fischer-Huebner        ==
==         Tel: (040) 4123-4158 (KB), -4715 (SFH), -4162(Secr.)      ==
== Email (EAN/BITNET): brunnstein@rz.informatik.uni-hamburg.dbp.de   ==
=======================================================================
=======================================================================
== End of MSDOSVIR.290 document                                      ==
== (1.127 Lines, 65 kBytes)                                          ==
=======================================================================
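The "Easy Identification" fields of the MIX1, Ogre, Swap, Syslock and Vacsina entries above give byte-level marks that can be checked on a file or boot-sector image without booting the suspect disk. The following Python is an added example, not part of the catalog: it applies exactly those published marks to raw images; the function and constant names are my own, and the sample images are constructed filler bytes carrying only the marks.

```python
"""Catalog 'Easy Identification' checks for offline disk and file images.

Added example, not part of the Computer Virus Catalog. Only the byte-level
marks the entries publish (MIX1, Vacsina, Syslock/Advent/Macho, Ogre, Swap)
are applied; the RAM checks (0:33C, "ZE" at 0103h) need a live system.
"""

# Syslock search string from the catalog (also matches Advent and Macho).
SYSLOCK_STRING = bytes.fromhex(
    "50 51 56 BE 59 00 B9 26 08 90 D1 E9 8A E1 "
    "8A C1 33 06 14 00 31 04 46 46 E2 F2 5E 59")
VACSINA_TAIL = bytes([0xF4, 0x7A, 0x05, 0x00])  # last 4 bytes, infected .COM
MIX1_TAIL = b"MIX1"                              # last 4 bytes, infected .EXE
# Swap: bytes from $16A of the boot sector; None stands for the XX bytes.
SWAP_PATTERN = [0x31, 0xC0, 0xCD, 0x13, 0xB8, 0x02, 0x02, 0xB9, 0x06, 0x27,
                0xBA, 0x00, 0x01, 0xCD, 0x13, 0x9A, 0x00, 0x01, 0x00, 0x20,
                0xE9, None, None]

def scan_program(data: bytes, name: str) -> list:
    """Return catalog names whose program-file marks appear in data."""
    hits = []
    ext = name.lower().rsplit(".", 1)[-1]
    if ext == "exe" and data.endswith(MIX1_TAIL):
        hits.append("MIX1")
    # Vacsina: infected .COM starts with JMP (E9) and ends with the tail.
    if ext == "com" and data[:1] == b"\xE9" and data.endswith(VACSINA_TAIL):
        hits.append("Vacsina")
    if SYSLOCK_STRING in data:
        hits.append("Syslock/Advent/Macho")
    return hits

def _matches_at(data: bytes, offset: int, pattern: list) -> bool:
    chunk = data[offset:offset + len(pattern)]
    return len(chunk) == len(pattern) and all(
        p is None or p == b for p, b in zip(pattern, chunk))

def scan_boot_sector(sector: bytes) -> list:
    """Return catalog names whose boot-sector marks appear in sector."""
    hits = []
    # Ogre: word at offset 003Eh equals 3CCBh (stored little-endian).
    if int.from_bytes(sector[0x3E:0x40], "little") == 0x3CCB:
        hits.append("Ogre")
    # Swap: JMP 0196 at offset 0 (E9 rel16, counted from offset 3) plus
    # the pattern at $16A.
    target = None
    if len(sector) >= 3 and sector[:1] == b"\xE9":
        disp = int.from_bytes(sector[1:3], "little", signed=True)
        target = (3 + disp) & 0xFFFF
    if target == 0x0196 and _matches_at(sector, 0x16A, SWAP_PATTERN):
        hits.append("Swap")
    return hits

# Constructed samples (filler bytes carrying only the marks, no virus code).
OGRE_SECTOR = bytearray(512)
OGRE_SECTOR[0x3E:0x40] = (0x3CCB).to_bytes(2, "little")
SWAP_SECTOR = bytearray(512)
SWAP_SECTOR[0:3] = b"\xE9\x93\x01"  # JMP 0196 when loaded at CS:0
for i, p in enumerate(SWAP_PATTERN):
    SWAP_SECTOR[0x16A + i] = 0x90 if p is None else p
VACSINA_COM = b"\xE9\x00\x00" + bytes(1300) + VACSINA_TAIL
```

A hit from these checks only says the published mark is present; the catalog's own advice still applies, that is, boot from a clean write-protected disk before repairing anything.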