Archive   : MSDOSVIR.ZIP
Filename : MSDOSVIR.792

 
=======================================================================
== Computer Virus Catalog Index ==
== *** 119 MsDos Viruses *** ==
== *** 5 MsDos Trojans *** ==
=======================================================================
== Status: July 25, 1992 (Format 1.2) ==
== Classified: 15 MSDOS-Viruses (MSDOSVIR.A89: 62kByte): Nov. 15,1989 ==
== +17 MSDOS-Viruses (MSDOSVIR.290: 54kByte): Feb. 15,1990 ==
== +24 MSDOS-Viruses (MSDOSVIR.690: 51kByte): June 20,1990 ==
== + 7 MSDOS-Viruses ==
== + 2 MSDOS Trojans (MSDOSVIR.790: 28kByte): July 20,1990 ==
== + 9 MSDOS-Viruses ==
== + 1 MSDOS Trojan (MSDOSVIR.291: 43kByte): Feb. 14,1991 ==
== +12 MSDOS-Viruses (MSDOSVIR.791: 71kByte): July 15,1991 ==
== + 1 MSDOS Trojan ==
== +15 MSDOS-Viruses (MSDOSVIR.192: 64kByte): Jan. 31,1992 ==
== =NEW=> +20 MSDOS-Viruses (MSDOSVIR.792: 88kByte): July 25,1992 ==
== =NEW=> + 1 MSDOS-Trojan ==
=======================================================================
== MsDos:119 Viruses and 5 Trojans in Computer Virus Catalog: =Doc=
== ---------------------------------------------------------- =---=
== 1) Advent Virus (Syslock Strain)=290=
== 2) AIDS = AIDS Info Disk = PC Cyborg Trojan =291=
== + 3) Akuku = Akuku.completely = Russian-A (Akuku Strain)=792=
== 4) Ambulance Car = REDX Virus =790=
== 5) Amilia Virus (Murphy Strain)=192=
== + 6) (Maltese) Amoeba=Family-N=Irish=Grain of Sand Virus =792=
== 7) Amstrad Virus (Amstrad Strain)=690=
== + 8) Anthrax Virus =792=
== 9) AntiCAD-4096 = Invader Virus (Jerusalem/AntiCAD Strain)=192=
== 10) Anti Pascal = AP-605 = V605 Virus (Anti-Pascal Strain)=690=
== +11) Armagedon (the Greek) = Greek Virus =792=
== 12) Autumn Leaves=Herbst=1704=Cascade A Virus(Cascade Strain)=A89=
== 13) Autumn Leaves B= "1701"=Cascade B Virus (Cascade Strain)=A89=
== 14) AZUSA Virus =791=
== +15) BFD = BootEXE.452 = Sector Eleven Virus (BootEXE Strain)=792=
== 16) Bouncing Ball = Italian = Ping Pong= Turin Virus =A89=
== 17) Cancer Virus (Amstrad Strain)=690=
== 18) Dark Avenger Virus (Dark Avenger Strain)=290=
== 19) Dark Avenger 3 Virus (Dark Avenger Strain)=291=
== 20) DATACRIME Ia = "1168" Virus (Datacrime Strain)=290=
== 21) DATACRIME Ib = "1280" Virus (Datacrime Strain)=290=
== 22) dBase Virus =290=
== 23) Dedicated Virus (MtE-related)=192=
== 24) Den Zuk = "Search" = Venezuelan Virus (Den Zuk Strain)=290=
== 25) Devils Dance = "941" Virus =690=
== 26) Do Nothing = Stupid = 640k Virus =290=
== 27) Empire A/B Virus (Stoned Strain)=791=
== 28) FEXE 1.0 Virus (FichV Strain)=291=
== 29) FichV 2.0 Virus (FichV Strain)=291=
== 30) FichV 2.1 = 903 Virus (FichV Strain)=291=
== 31) Fingers = 08/15 Virus =791=
== 32) Fish 6 Virus (4096 = FroDo Strain)=291=
== 33) Flash = 688 Virus =790=
== 34) Form Virus =690=
== 35) Friday 13th = South African Virus (Friday 13th Strain)=A89=
== 36) Fu Manchu Virus (Israeli Strain)=290=
== 37) GhostBalls Virus (Icelandic Strain)=A89=
== 38) Green Caterpillar =791=
== +39) Groove = MtE_0_90.Groove Virus (MtE related)=792=
== 40) G&H = DemoVirus G&H =791=
== 41) Hafenstrasse VCS 1.0 Virus (Hafenstrasse Strain)=192=
== +42) Hafenstrasse-2/-1641/e=Red-X-EXE (Hafenstrasse Strain =792=
== AND Ambulance Strain) ==
== +43) Hafenstrasse-3/-1191 (Hafenstrasse Strain)=792=
== +44) Halloween Virus =792=
== 45) Headcrash = 1067 Virus =791=
== 46) Hello Virus =291=
== 47) Icelandic#1=DiskCrunching=1-in-10 Virus(Icelandic Strain)=A89=
== 48) Icelandic#2 Virus (Icelandic Strain)=A89=
== 49) Israeli = Jerusalem A Virus (Israeli Strain)=A89=
== +50) Joshi = Joshua Virus =792=
== 51) Lehigh Virus =290=
== +52) Leningrad-543=SOV1=SOV/USSR/C-543=Paniker (Leningrad Str)=792=
== 53) Lisbon Virus (Vienna Strain)=690=
== 54) LoveChild Trojan (LoveChild Strain)=791=
== 55) LoveChild Virus (LoveChild Strain)=791=
== 56) Keypress Virus =291=
== 57) MachoSoft Virus (Syslock Strain)=A89=
== 58) Marijuana = Stoned = New Zealand Virus (Stoned Strain)=290=
== 59) Merritt = Alameda A = Yale Virus (Alameda/Yale Strain)=A89=
== 60) Michelangelo Virus =192=
== 61) Mirror = Flip Clone Virus =291=
== 62) MIX1 = Mixer1 Virus =290=
== +63) Mummy 1.2 = Jerusalem.Mummy1_2 Virus (Jerusalem/MummyStr)=792=
== 64) Murphy 1 Virus (Murphy Strain)=690=
== 65) Murphy 2 Virus (Murphy Strain)=690=
== 66) Nomenklatura Virus =791=
== 67) Number of the Beasts = 512 Virus (512 Strain)=690=
== 68) Ogre = Disk Killer 1.00 Virus =290=
== 69) Oropax = Music Virus =A89=
== +70) P-Check Virus =792=
== +71) Peach Virus =792=
== 72) PERFUME ="4711" = 765 Virus =790=
== 73) Plovdiv 1.3 Virus (Plovdic Strain)=192=
== 74) RPVS = TUQ = 453 Virus =791=
== 75) Sadam = Saddam Virus =291=
== 76) Saratoga Virus (Icelandic Strain)=A89=
== 77) Scrambler = KEYBGR Trojan =790=
== 78) Semtex = Screen Trasher Virus =291=
== +79) Seventh Son = Seventh_Son.284 Virus =792=
== +80) Silly Willy Trojan (Silly Willy Strain)=792=
== +81) Silly Willy Virus/Trojan Dropper (Silly Willy Strain)=792=
== 82) SHOE-B v9.0 Virus (Brain=Pakistani Strain)=A89=
== 83) SUNDAY A Virus (Israeli Strain) =690=
== 84) SUNDAY B Virus (Israeli Strain) =690=
== 85) SURIV 1.01 Viruses (Israeli Strain) =290=
== 86) sURIV 2.01 = April 1st Virus (Israeli Strain) =690=
== 87) sURIV 3.00 = Israeli #3 Virus (Israeli Strain) =690=
== 88) Swap = Israeli Boot Virus =290=
== 89) Sverdlov = Hymn of USSR Virus =192=
== 90) Sylvia (V 2.1) = Holland Girl Virus =690=

== 91) SYSLOCK Virus (Syslock Strain)=789=
== 92) Tequila Virus =791=
== 93) Thursday-12 Virus =791=
== 94) Tiny = V613 Virus =790=
== 95) Traceback = "3066" Virus (Traceback Strain)=690=
== 96) VACSINA Virus (TP Strain)=A89=
== 97) VCS 1.0 = Virus Construction Set = VDV Virus (VCS Strain)=791=
== +98) VCS 1.0 MANTA = VCS.Manta Virus (VCS Strain)=792=
== +99) VCS 1.1a Virus (VCS Strain)=792=
== +100) VCS 1.3 = VCS.RUF Virus (VCS Strain)=792=
== 101) VDV-853 Virus =192=
== 102) Vienna = Austrian = "648" Virus (Vienna Strain)=A89=
== 103) Vienna 348 = "348" Virus (Vienna Strain)=690=
== 104) Vienna 353 = "353" Virus (Vienna Strain)=690=
== 105) Vienna 367 = "367" Virus (Vienna Strain)=690=
== 106) Vienna 435 = "435" Virus (Vienna Strain)=690=
== 107) Vienna 623 = "623" Virus (Vienna Strain)=690=
== 108) Vienna 627 = "627" Virus (Vienna Strain)=690=
== 109) Violetta Virus =192=
== 110) V-277 Virus (Amstrad Strain)=690=
== 111) V-299 Virus (Amstrad Strain)=690=
== 112) V-345 Virus (Amstrad Strain)=690=
== 113) XA1 = V1539 Virus =790=
== +114) XREH-4016 = CHREN-4016 Virus (XPEH strain)=792=
== 115) Zero Bug = ZBug = Palette Virus =290=
== 116) ZeroHunt-415 = Minnow Virus (ZeroHunt Strain)=192=
== 117) ZeroHunt-411 = Minnow-1 Virus (ZeroHunt Strain)=192=
== 118) "8-Tunes" = 1971 Virus =690=
== 119) "12-Tricks" Trojan =790=
== 120) 512 Virus (512 Strain)=690=
== 121) 982 (=Klaeren) Virus =791=
== 122) 1260 Virus =291=
== 123) 4096 = 4K = "100 Years" = IDF = Stealth Virus (4K Strain)=690=
== 124) 5120 Virus =690=
== ==
== Remark: with next edition (fall 1992), a machine readable form ==
== of the Computer Virus Catalog will be available; in dBase III, ==
== a program will be available (free of charge) to assist in ==
== retrieving entries in the Virus description database directly. ==
== Moreover, the format 1.2 will be updated to recent developments, ==
== such as multipartite, polymorphic and tunnelling methods. Naming ==
== conventions will be adapted to the Standard CARO naming scheme, ==
== a specification of which is available from VTC's FTP server. The ==
== editors welcome any suggestion for further improvement. ==
=======================================================================

======== Computer Virus Catalog 1.2: Akuku Virus (25-July-1992) ======
Entry...............: Akuku virus
Standard CARO name..: Akuku.completely
Alias(es)...........: Russian-A
Virus Strain........: Akuku virus strain
Virus detected when.: ---
where.: ---
Classification......: Program (COM,EXE) virus, direct action; the virus
body stays memory-resident, but only the song
payload is active (see Particularities 4)
Length of Virus.....: 1. Length in RAM: 1108 bytes
2. Length in program: 1111-1114 bytes
--------------------- Preconditions -----------------------------------
Operating System(s).: MS-DOS, PC-DOS
Version/Release.....: version 2.xx and higher
Computer model(s)...: IBM-PC, XT, AT and compatibles
--------------------- Attributes --------------------------------------
Easy Identification.: Virus contains string "Sorry, I'm completely dead."
Seconds field in file's time set to 62.
Type of infection...: Installs its body memory-resident when an infected
program is run (see Particularities 4). Infects both .EXE and .COM
files, including COMMAND.COM, by appending
itself to end of file. EXE files are increased
by 1114 (45Ah) bytes, COM files by 1111 (457h)
bytes, but this amount may increase by up to
15 (0Fh) bytes as padding for paragraph align-
ment.
Infection Trigger...: Upon running infected file, disk must have 3000
(BB8h) bytes of free space. EXE files must be
larger than 1000 (3E8h) bytes; COM files must
be larger than 1000 (3E8h), but smaller than
64000 (FA00h) bytes.
Self Identification.: On disk, virus checks if seconds field of file
is set to 62.
Damage..............: Transient damage: virus will display message
"Sorry, I'm completely dead.". Virus installs
payload in memory, which plays a song.
Permanent damage: ---
Damage Trigger......: Trigger for damage is the current time at infection
time. If the minutes field is one of
32, 33, 34 or 35, the virus displays "Sorry,
I'm completely dead.", installs the song and
plays it every 14 seconds.
Particularities.....: 1. The file date and time will not be altered
in the disk directory, except for the seconds,
which will be set to 62.
2. The drive to be infected is selected according
to this rule: if the current time's seconds
field is 0, drive A: is selected; if it is >0 but <=22,
the current drive is selected; if it is
>22, C: is selected.
3. Virus will search the whole current directory
for files to infect, as well as the first
level of all of its subdirectories. It will
infect the first 3 files found. The default
drive is reset to the correct drive afterwards.
4. Virus installs the whole virus body in memory,
although only the song is active.
Similarities........: Very similar to Akuku.3 and Cop-Mpl viruses.
All Akuku viruses try to infect three files
in directory of current disk, but differ on
what happens if they cannot be found.
The identification by 62 seconds field is similar
to Vienna viruses.
--------------------- Agents ------------------------------------------
Countermeasures.....: F-Prot, Anti-Virus Toolkit, ViruScan
Countermeasures successful: F-Prot, Anti-Virus Toolkit
Standard means......: ---
--------------------- Acknowledgement ---------------------------------
Location............: Virus Test Center, University Hamburg, Germany
Classification by...: Christopher G. Street (guest from Brown University)
Documentation by....: Christopher G. Street (guest from Brown University)
Date................: June 14, 1992
Information Source..: Original virus code
===================== End of Akuku Virus ==============================
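The 62-second marker and the infection filter described in the Akuku entry, as an added example for this catalog page (not VTC code). A FAT directory time word packs hours<<11 | minutes<<5 | seconds/2, so the five-bit seconds field can legitimately hold only 0..29; the value 31 decodes to 62 seconds, which no clock produces, and DIR (which prints hh:mm) never shows it. The directory listing at the bottom is constructed test data; the drive-selection and size rules are taken from the entry.

```python
"""Akuku-style on-disk marker and infection filter.

Added example for this catalog page (not VTC code). The time word layout,
hours<<11 | minutes<<5 | seconds//2, is the standard FAT directory format;
the directory listing at the bottom is constructed test data.
"""
from __future__ import annotations
from dataclasses import dataclass

MARKER_SECONDS = 62    # Akuku (and Vienna) set the seconds field to 62
MIN_FREE_SPACE = 3000  # 0BB8h bytes of free disk space required
MIN_FILE_SIZE = 1000   # 3E8h: EXE and COM files must be larger than this
MAX_COM_SIZE = 64000   # 0FA00h: COM files must be smaller than this


def decode_dos_time(word: int) -> tuple[int, int, int]:
    """Split a 16-bit FAT time word into (hour, minute, seconds).

    The low five bits hold seconds/2, so a real clock yields 0..29 (0..58 s).
    The raw value 31 decodes to 62 seconds, which never occurs naturally;
    DIR prints only hh:mm, so the flag is invisible to the user.
    """
    return (word >> 11) & 0x1F, (word >> 5) & 0x3F, (word & 0x1F) * 2


def encode_dos_time(hour: int, minute: int, seconds: int) -> int:
    return (hour << 11) | (minute << 5) | ((seconds // 2) & 0x1F)


def has_akuku_marker(time_word: int) -> bool:
    return decode_dos_time(time_word)[2] == MARKER_SECONDS


def is_infection_candidate(name: str, size: int, free_space: int) -> bool:
    """Size and free-space filter from 'Infection Trigger' above."""
    if free_space < MIN_FREE_SPACE:
        return False
    upper = name.upper()
    if upper.endswith(".EXE"):
        return size > MIN_FILE_SIZE
    if upper.endswith(".COM"):
        return MIN_FILE_SIZE < size < MAX_COM_SIZE
    return False


def target_drive(current_seconds: int, current_drive: str) -> str:
    """Drive selection rule from 'Particularities' item 2."""
    if current_seconds == 0:
        return "A:"
    return current_drive if current_seconds <= 22 else "C:"


@dataclass
class DirEntry:
    name: str
    size: int
    time_word: int


def scan_directory(entries: list[DirEntry], free_space: int) -> tuple[list[str], list[str]]:
    """Return (marked, candidates): names already carrying the 62-second
    marker, and unmarked names that pass Akuku's infection filter."""
    marked = [e.name for e in entries if has_akuku_marker(e.time_word)]
    candidates = [e.name for e in entries
                  if not has_akuku_marker(e.time_word)
                  and is_infection_candidate(e.name, e.size, free_space)]
    return marked, candidates


# Constructed directory listing, not real samples.
SAMPLE_DIR = [
    DirEntry("COMMAND.COM", 47845, encode_dos_time(12, 0, 62)),  # marked
    DirEntry("EDIT.COM", 413, encode_dos_time(9, 15, 30)),       # too small
    DirEntry("BIG.COM", 65000, encode_dos_time(9, 15, 30)),      # too large for COM
    DirEntry("GAME.EXE", 20480, encode_dos_time(18, 45, 10)),    # candidate
    DirEntry("README.TXT", 2048, encode_dos_time(18, 45, 10)),   # not executable
]

if __name__ == "__main__":
    marked, candidates = scan_directory(SAMPLE_DIR, free_space=100_000)
    print("marked:", marked, "candidates:", candidates)
```

The same decoder flags Vienna-family infections, since the entry notes the 62-second convention is shared; a file whose seconds field decodes to 60 or 62 is worth a look regardless of which strain is suspected.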

======= Computer Virus Catalog 1.2: Amoeba Virus (25-July-1992) ======
Entry...............: (Maltese) Amoeba Virus
Standard CARO name..: Amoeba
Alias(es)...........: Family-N, Irish, Grain of Sand Virus
Virus Strain........: ---
Virus detected when.: November 1st, 1991 (upon first triggered damage)
where.: UK
Classification......: Program (COM,EXE) infector, variable encryption,
memory resident
Length of Virus.....: 1) Length on media: 2 kByte
2) Length in memory: 2 kByte
--------------------- Preconditions ----------------------------------
Operating System(s).: MS-DOS
Version/Release.....: 2.xx upward
Computer model(s)...: IBM - PCs, XT, AT, upward and compatibles
--------------------- Attributes -------------------------------------
Easy Identification.: 1) Enlarged file size: using DIR, compare actual
file size with original file size.
2) Reduction of available memory by 2k Bytes,
using CHKDSK.
3) Unencrypted text (AMOEBA) in partition sector.
Type of infection...: Upon executing an infected file, the virus makes
itself memory resident in highest available
2 kByte. Thereafter, upon reading or executing
a non-infected file this will be infected.
Self-identification: Virus checks whether it is already in
memory (using a Set Date call with an invalid
date); moreover, it checks whether
some antivirus programs (Ross Greenberg's
FluShot+ or Virex-PC) or the PSQR virus are in
memory. If any of these are found, the virus does
not infect any program. There are unconfirmed
reports that this virus checks for and deactivates
the Murphy virus.
Infection Trigger...: Any DOS read or load/execute operation.
Media affected......: Any hard disk and floppy disk.
Interrupts hooked...: INT 24
Crypto method.......: Decryption uses variations of several patterns
of instructions, differing for COM and EXE
files.
Polymorphic method..: ---
Damage..............: Permanent damage: upon trigger condition, it will
overwrite low tracks of a hard disk and any
diskette, accompanied by a flashing display,
and subsequently hang-up the system. In the
overwritten partition sector, the following
encrypted text (from Pickering Manuscripts:
Blake's Auguries of Innocence, first 4 lines)
can be found:
"To see a world in grain of sand
And a heaven in wild flower,
Hold infinity in the palm of your hand
And eternity in a hour."
The Virus 16/3/91
When an infected system is booted, this text
is displayed and the system hangs.
Moreover, partition sector contains also un-
encrypted texts: "AMOEBA", and the message
that University of Malta "destroyed 5X2
years of human life".
Transient damage: ---
Damage Trigger......: November 1st and March 15th, any year.
Similarities........: En/Decryption method similar to V2PX.
Particularities.....: 1) Virus replaces critical error handler INT 24;
if virus tries to infect a write-protected
diskette, the prompt "Abort, Retry, Fail" is
suppressed.
2) There is speculation that the unencrypted text
may refer to the unhappy fate of 2
students of the University of Malta, having left
after 5 years.
--------------------- Agents -----------------------------------------
Countermeasures.....: McAfee Scan, Skulason F-PROT, Solomon FINDVIRU
and some others
Standard means......: Boot from clean system and delete infected files.
--------------------- Acknowledgement --------------------------------
Location............: Virus Test Center, University Hamburg, Germany
Classification by...: Klaus Brunnstein
Documentation by....: Virus Bulletin (Dec.91), Stiller's Virus Report
(see: Virus-L Vol.5 Issue 30: Feb.14, 1992)
Date................: 15-February-1992
===================== End of (Maltese) Amoeba Virus ==================

====== Computer Virus Catalog 1.2: Anthrax Virus (25-July-1992) ======
Entry...............: ANTHRAX Virus
Standard CARO Name..: Anthrax Virus
Alias(es)...........: ---
Virus Strain........: ---
Virus detected when.: July 1990
where.: Netherlands
Classification......: Program virus: COM, EXE and partition record
(MBR) infector, memory-resident
Length of Virus.....: 1040-1096 Bytes
--------------------- Preconditions ----------------------------------
Operating System(s).: MS-DOS
Version/Release.....:
Computer model(s)...: IBM-PC, XT, AT and upwards, and compatibles
--------------------- Attributes -------------------------------------
Easy Identification.: The following strings can be found in virus body:
"(c) Damage Inc", "1990", "ANTHRAX"
Type of infection...: Virus infects COM, EXE and partition record
(MBR). After execution of virus' code, it
immediately infects MBR but does NOT stay
resident. A second copy of the virus is
stored in the last 3 sectors of the hard disk,
thus overwriting any data stored there.
After having been started from the MBR, virus
becomes memory-resident until it has infected
one file. It infects a file in the lowest
branch of the current directory.
Anthrax does NOT infect the Bootrecord of a
floppy or hard disk.
Infection Trigger...: Execution of infected program.
Storage media affected: Floppies and hard disks.
Interrupts hooked...: INT 13h, INT 1Ah, INT 20h, INT 21h, INT 24h
Damage..............: Transient damage: ---
Permanent damage: virus overwrites the last 3 sectors
of the hard disk (with its 2nd copy).
Damage Trigger......: ---
Particularities.....: Virus V2100 installs ANTHRAX in the MBR, if
it finds the second copy of ANTHRAX in
last 3 sectors of the hard disk.
Similarities........: ---
--------------------- Agents -----------------------------------------
Countermeasures.....: F-PROT, SCAN, FindViru
Standard means......: It is very important to clean the last 3 sectors
of the hard disk.
--------------------- Acknowledgement --------------------------------
Location............: Virus Test Center, University Hamburg, Germany
Classification by...: Matthias Jaenichen
Documentation by....: Andrzej Kadlof, Virus Information Bank (Poland)
Date................: 14-July-1992
Information Source..: Reverse engineering of virus code
====================== End of ANTHRAX Virus ==========================

===== Computer Virus Catalog 1.2: Armagedon Virus (26-July-1992) =====
Entry...............: Armagedon Virus
Standard CARO Name..: Armagedon Virus
Alias(es)...........: Greek Virus
Virus Strain........: ---
Virus detected when.: May 1990
where.: Greece
Classification......: Program/Link (COM) virus
Length of Virus.....: 1079 Bytes
--------------------- Preconditions ----------------------------------
Operating System(s).: MSDOS
Version/Release.....:
Computer model(s)...: IBM-PC, XT, AT and upwards, and compatibles
--------------------- Attributes -------------------------------------
Easy Identification.: Text in virus body: "Armagedon the GREEK"
Type of infection...: Infects COM files only (INT 21h function 4Bh)
by prepending the virus to the COM file.
Infection Trigger...: Load and execute file via subfunction 4Bh of INT 21h
Storage media affected: diskettes, hard disk
Interrupts hooked...: Int 21h DOS-Services:
- function 4Bh changed for infection;
- function E0h, returns DADAh;
- function E1h, returns the Int21h-Segment;
Int08h Timer-Interrupt: Damage-routine added.
Damage..............: Virus sends a string to all 4 COM ports. This
string advises any connected Hayes-compatible modem to
drop the line and to dial "081141".
In Greece, this is the time announcement
number in Iraklion. Any other device connected
to a COM port would receive the string
"+++aTh0m0s7=35dp081,,,,141"
Damage Trigger......: If time is between 05:00 and 06:00 hours (am)
Similarities........: ---
--------------------- Agents -----------------------------------------
Counterm. successful: McAfee Scan, Skulason F-PROT, Solomon FindViru
Standard means......: Deleting the first 1079 bytes will disinfect the
program.
--------------------- Acknowledgement --------------------------------
Location............: Virus Test Center, University Hamburg, Germany
Classification by...: Matthias Jaenichen, VTC Hamburg
Documentation by....: Yuval Tal, Weizmann-Institute, Rehovot, Israel
Date................: June 26, 1990
Information Source..: Yuval Tal
===================== End of Armagedon Virus =========================

========= Computer Virus Catalog 1.2: BFD Virus (25-July-1992) =======
Entry...............: BFD Virus
Standard CARO Name..: BootEXE.452 Virus
Alias(es)...........: BootEXE-452 = Sector Eleven Virus
Virus Strain........: BootEXE Virus Strain
Virus detected when.: July 7, 1992
where.: U.S.
Classification......: Multipartite (=Program & System) Virus: Resident
EXE file (converts EXE format to COM format),
diskette boot and system boot infector
Length of Virus.....: System infection: 1 sector on infected disks
File infection: 1C3h bytes (but files do
NOT grow in length)
--------------------- Preconditions -----------------------------------
Operating System(s).: PC-DOS
Version/Release.....: Any?
Computer model(s)...: Any?
--------------------- Attributes --------------------------------------
Easy Identification.: Infected EXE files begin with EB 39 rather than
with "MZ".
Self Identification.: 1) If virus is active in memory, INT13 with F0
in AH returns 19 in AH.
2) Infected files do not begin with "MZ".
3) Infected disks/diskettes contain virus in
boot records (compares).
Type of infection...: Any file that begins with "MZ", contains fewer
than 0x80 512-byte pages, has not too many
relocation items in the table, has FFFF in
the Max Req Para field, and a header size
of 0x20 paragraphs. Any diskette read from,
and the first partition on the first hard
disk, if it starts on a head other than zero.
Infection Trigger...: Any INT13 that reads the first sector of the file.
Storage media affected: Any diskette can be infected, but only 360K 5.25"
diskettes will boot properly. Any hard disk.
Interrupts hooked...: INT13 only.
Damage..............: No apparent intentional damage
Damage Trigger......: ---
Particularities.....: An unusual infection method; the virus installs
itself in unused EXE header space when the
start of the EXE file is read via INT13.
Similarities........: ---
--------------------- Agents -----------------------------------------
Countermeasures.....: Not stealthed, so scanners with a signature, and
modification detectors, should have no trouble.
INT21-based monitors won't notice it.
Countermeasures successful: ?
Standard means......: Infected files can be made to work again by
changing the first two bytes back to "MZ"
(zeroing out the virus code in the unused
header space is also a good idea).
--------------------- Acknowledgement --------------------------------
Location............: IBM High Integrity Computing Laboratory, USA
Classification by...: David Chess
Documentation by....: David Chess
Date................: 9-July-1992
Information Source..: Analysis of original virus
===================== End of BFD Virus ===============================

======== Computer Virus Catalog 1.2: Groove Virus (25-July-1992) ======
Entry...............: Groove Virus
Standard CARO Name..: MtE_0_90.Groove Virus
Alias(es)...........: ---
Virus Strain........: MtE-based
Virus detected when.: June 1992
where.: USA
Classification......: Polymorphic, memory-resident program (COM and
EXE, appending) virus
Length of Virus.....: 1. In RAM: 140 paragraphs;
2. On file: variable, due to MtE.
--------------------- Preconditions -----------------------------------
Operating System(s).: MS/PC DOS
Version/Release.....: 3.0+ ???
Computer model(s)...: All 80x86-based PCs
--------------------- Attributes --------------------------------------
Easy Identification.: Infected programs stop running as expected, if at all.
Self Identification.: In memory: AX=0FBA0h, INT 21h -> AX = 0ABFh
if resident.
On files: EXE header checksum = 0FBAh
COM 5th byte = 0BAh, 6th byte = 0Fh
Type of infection...: COM & EXE programs (not based on extension)
Infection Trigger...: Execution using INT 21h function 4B.
Storage media affected: All (diskettes, hard disk)
Interrupts hooked...: INT 21h, INT 24h
Damage..............: Transient damage: the following message is
displayed either after 12:30 a.m., based
on the tick count returned by INT 1Ah
on systems with an RTC, or every time
a file is infected:
"Dont wory, you are not alone at this hour...
This Virus is NOT dedicated to Sara
its dedicated to her Groove
(...Thats my name)
This virus is only a test virus therefore
be ready for my Next Test .."
This message is not readable in most mutations
due to encryption.
Permanent damage:
Virus will delete the following files upon
activation: C:\NAV_._NO
C:\NOVIRCVR.CTS
C:\NOVIPERF.DAT
C:\CPAV\CHKLIST.CPS
C:\TOOLKIT\FILES.LST
C:\UNTOUCH\UT.UT1
C:\UNTOUCH\UT.UT2
Damage Trigger......: Execution of an infected file
Particularities.....: Virus does not check file extension to determine
its type, but rather checks for "MZ" or "ZM"
at the start of a file and assumes EXE-type
if a match is found; otherwise, it infects
as a COM-type file.
Infected files will not run properly.
Similarities........: ---
--------------------- Agents -----------------------------------------
Countermeasures.....: CatchMtE 1.0, VDSFSCAN 2.10, VDS 2.10, Gobbler-II
Countermeasures successful: Same as above, but all antivirals that can
detect MtE-based viruses 100% of the time
should be effective.
Standard means......: Delete infected files and restore clean copies.
--------------------- Acknowledgement --------------------------------
Location............: Baltimore, MD, U.S.A.
Classification by...: Tarkan Yetiser, VDS Advanced Research Group
Documentation by....: Tarkan Yetiser
Date................: 29-June-1992
Information Source..: ---
===================== End of Groove Virus ============================
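The on-disk checks from two of the entries above, BFD/BootEXE.452 and Groove, share one MZ header parser, so they are shown in a single added example (not VTC, IBM or VDS code). For BFD it applies the infection filter from 'Type of infection', recognises the EB 39 marker, and performs the 'Standard means' repair (restore "MZ", zero the unused header space); for Groove it tests the header checksum word 0FBAh and the COM bytes 0BAh/0Fh, deciding EXE vs COM by signature rather than extension as the virus does. Header offsets are the standard DOS MZ layout. The executables are constructed, and the bytes written into the header to mimic a BFD infection are NOP filler, not virus code; the repair assumes, as infection into unused header space implies, that the other header fields and the relocation table are intact.

```python
"""MZ header checks for two entries above: BFD/BootEXE.452 (infection
filter, EB 39 marker, header-space repair) and Groove (checksum marker).

Added example, not VTC, IBM or VDS code. Offsets are the standard DOS MZ
header layout; the executables are constructed, and the bytes written into
the header to mimic a BFD infection are NOP filler, not virus code.
"""
import struct

MZ_FORMAT = "<2s" + "H" * 13      # signature plus 13 words: file offsets 0x00..0x1B
MZ_FIELDS = ("sig", "last_page", "pages", "relocs", "hdr_paras", "min_alloc",
             "max_alloc", "ss", "sp", "checksum", "ip", "cs", "reloc_off", "overlay")
BFD_MARKER = b"\xEB\x39"          # JMP SHORT into the header replaces "MZ"
BFD_BODY_LEN = 0x1C3              # bytes the virus needs in unused header space
GROOVE_EXE_CHECKSUM = 0x0FBA      # header checksum word set by Groove
GROOVE_COM_BYTES = b"\xBA\x0F"    # COM: 5th byte 0BAh, 6th byte 0Fh


def parse_mz(data: bytes) -> dict:
    """Decode the fixed part of an MZ header (first 0x1C bytes)."""
    if len(data) < 0x1C:
        raise ValueError("too short for an MZ header")
    return dict(zip(MZ_FIELDS, struct.unpack_from(MZ_FORMAT, data, 0)))


def unused_header_span(h: dict) -> tuple:
    """[start, end) of header bytes after the relocation table."""
    return h["reloc_off"] + 4 * h["relocs"], h["hdr_paras"] * 16


def bfd_eligible(data: bytes) -> bool:
    """'Type of infection': MZ signature, fewer than 0x80 pages, FFFF max
    alloc, 0x20-paragraph header, and a relocation table short enough to
    leave room for the virus body."""
    h = parse_mz(data)
    if h["sig"] != b"MZ" or h["pages"] >= 0x80:
        return False
    if h["max_alloc"] != 0xFFFF or h["hdr_paras"] != 0x20:
        return False
    start, end = unused_header_span(h)
    return end - start >= BFD_BODY_LEN


def bfd_infected(data: bytes) -> bool:
    """'Easy Identification': file starts with EB 39 instead of MZ."""
    return data[:2] == BFD_MARKER


def bfd_repair(data: bytes) -> bytes:
    """'Standard means': restore "MZ" and zero the unused header space.
    Assumes the remaining header fields and the relocation table were left
    intact, which is what infection-in-unused-space implies."""
    if not bfd_infected(data):
        return data
    buf = bytearray(data)
    buf[0:2] = b"MZ"
    start, end = unused_header_span(parse_mz(bytes(buf)))
    buf[start:end] = bytes(end - start)
    return bytes(buf)


def groove_marked(data: bytes) -> bool:
    """Groove's on-file self-identification; like the virus, decide EXE vs
    COM by the MZ/ZM signature, not by the extension."""
    if data[:2] in (b"MZ", b"ZM"):
        return parse_mz(data)["checksum"] == GROOVE_EXE_CHECKSUM
    return len(data) >= 6 and data[4:6] == GROOVE_COM_BYTES


def make_exe(relocs: int = 2, checksum: int = 0) -> bytes:
    """Constructed, well-formed MZ image: 512-byte header plus three 512-byte
    pages of RET filler (pages=4 counts the header page)."""
    header = struct.pack(MZ_FORMAT, b"MZ", 0, 4, relocs, 0x20, 0, 0xFFFF,
                         0x0100, 0x0200, checksum, 0, 0, 0x1E, 0)
    header += b"\x00\x00" + bytes(4 * relocs)         # pad to 0x1E, then reloc table
    return header.ljust(0x200, b"\x00") + b"\xC3" * (3 * 512)


def simulate_bfd(data: bytes) -> bytes:
    """Stand-in for the infection: EB 39 at offset 0, NOPs in the unused header."""
    buf = bytearray(data)
    start, end = unused_header_span(parse_mz(data))
    buf[0:2] = BFD_MARKER
    buf[start:end] = b"\x90" * (end - start)
    return bytes(buf)


if __name__ == "__main__":
    clean = make_exe()
    infected = simulate_bfd(clean)
    print("eligible:", bfd_eligible(clean), "infected:", bfd_infected(infected),
          "repaired ok:", bfd_repair(infected) == clean,
          "groove:", groove_marked(make_exe(checksum=GROOVE_EXE_CHECKSUM)))
```

Because BFD leaves the file length and every header word except the signature untouched, an integrity checker that hashes whole files catches it while one that only compares lengths does not; the entry's remark that INT 21h monitors miss it follows from the virus hooking INT 13h alone.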

== Computer Virus Catalog 1.2: Hafenstrasse-2 Virus (25-July-1992) ==
Entry...............: Hafenstrasse-2 Virus
Standard CARO name..: Hafenstrasse.1641
Alias(es)...........: Hafenstrasse.e, Red-X-Exe
Virus Strain........: Both Hafenstrasse & Ambulance (Red-X) strains
Virus detected when.: June 92
where.: Hamburg
Classification......: Direct action EXE- and COM-infector
Length of Virus.....: 1637-1652 Bytes appended to files
--------------------- Preconditions ----------------------------------
Operating System(s).: MS-DOS
Version/Release.....: DOS 2.x and above
Computer model(s)...: IBM PC, XT, AT and higher, and compatibles
--------------------- Attributes -------------------------------------
Easy Identification.: Noticeably longer disk access when an
infected program is started.
Search string.......: String 3D 00 10 73 1B FE 84 D9 04 06 E8 can be
found at about 600 bytes offset from the end.
Type of infection...: EXE files: standard ways of infecting EXE files.
COM files: virus acts as a trojan dropper,
releasing the Ambulance (Red X) virus.
Infection Trigger...: Starting an infected file: virus will search
for 1 EXE- and 1 COM-file in path to infect.
Storage media affected: Only files in subdirectories included in the
path are infected.
Interrupts hooked...: ---
Damage..............: Permanent damage: system may hang when nearly
all files are infected (see Particularities)
Transient damage: on COM-files, virus will cause
an ambulance car to cross the screen.
Damage Trigger......: On COM files: first time on 6th, then every 8th
execution of virus (infection counter).
Particularities.....: 1) First virus to drop a virus from another
virus strain (Ambulance car=Red X).
2) Virus will check if the INT 26 vector points
to an address with a segment above $1000; in
this case, it will not activate (trying to
evade some resident monitors, e.g. FluShot).
3) If the files in the PATH are (almost) all
infected, the system may hang, because it
keeps searching for files to infect and
uses a random function to decide whether
to infect a not yet infected file.
4) No exact check is done to recognize COM and
EXE files.
5) File date and time is not altered.
Similarities........: Hafenstrasse variants, Ambulance car variants
(both virus strains use very similar ways to
search for a file, to infect; they may come
from related authors).
--------------------- Agents -----------------------------------------
Countermeasures successful: F-PROT 2.04a, Antivir from H&B-EDV
Standard means......: Delete and replace infected files.
--------------------- Acknowledgement --------------------------------
Location............: Virus Test Center, University Hamburg, Germany
Classification by...: Toralv Dirro
Documentation by....: Toralv Dirro
Date................: 07-July-1992
Information Source..: Original virus analysis
===================== End of Hafenstrasse-2 Virus ====================

=== Computer Virus Catalog 1.2: Hafenstrasse-3 Virus (25-July-1992) ==
Entry...............: Hafenstrasse-3 Virus
Standard CARO name..: Hafenstrasse.1191
Alias(es)...........: ---
Virus Strain........: Hafenstrasse virus strain
Virus detected when.: July 1992
where.: Hamburg
Classification......: Direct action EXE-infector
Length of Virus.....: 1187-1202 Bytes appended to files
--------------------- Preconditions -----------------------------------
Operating System(s).: IBM PC & Compatibles
Version/Release.....: DOS 2.x and above
Computer model(s)...: IBM PC, XT, AT and higher, and compatibles
--------------------- Attributes --------------------------------------
Easy Identification.: ---
Scan signature......: String: 3d 00 10 73 14 fe 84 03 01 e8 28 02 e8
1f 00 may be found at an offset of about
1150 bytes from the end of the file.
Type of infection...: Virus uses standard methods of infecting EXE
files searched for in the current path.
Infection Trigger...: Upon starting an infected program, virus
searches for an EXE file.
Storage media affected: Only files in subdirectories included in
path are affected.
Interrupts hooked...: ---
Damage..............: Permanent damage: ---
Transient damage: the first time an infected
program is started, virus will display an
ambulance car crossing the screen until it
reaches the right border, where it will
crash against a wall displaying texts
"BOOM" and "no more RedX !!!"
Damage Trigger......: The first time an infected program is started.
Particularities.....: 1) This virus does not infect COM files with an
Ambulance car dropper, as the previously
found Hafenstrasse-2 does. Instead, this
variant contains a modified ambulance car
routine.
2) The vector of INT 26 is tested, whether it
points to a segment above $1000 or not.
3) As in all (known) Hafenstrasse viruses, file
date and time are not changed on infection.
Similarities........: Hafenstrasse variants, Ambulance (RedX) variants.
--------------------- Agents -----------------------------------------
Countermeasures.....: ---
Countermeasures successful: F-PROT 2.04a
Standard means......: Delete and replace infected files.
--------------------- Acknowledgement --------------------------------
Location............: Virus Test Center, University Hamburg, Germany
Classification by...: Toralv Dirro
Documentation by....: Toralv Dirro
Date................: 21-July-92
Information Source..: Original virus analysis.
===================== End of Hafenstrasse-3 Virus ====================
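The two Hafenstrasse entries above give a search string together with an approximate distance from the end of the file, which is how a scanner uses them for an appending virus: look only in the window where the body must sit, not over the whole file. The following is an added example, not VTC code. The strings and offsets are those printed in the entries; the window width, the sample host and the filler standing in for the virus body are constructions of this example. Both strings open with 3D 00 10 73 xx, which is CMP AX,1000h followed by JNB, the INT 26 segment test described under Particularities of both variants.

```python
"""Tail-anchored signature scan for the two Hafenstrasse variants above.

Added example, not VTC code. The search strings and approximate offsets
from end of file are those given in the two entries; the window width and
the sample files are constructions of this example. Both strings start with
3D 00 10 73 xx, i.e. CMP AX,1000h / JNB, the INT 26 segment test described
under Particularities, which is why they sit at the same place in each body.
"""
from __future__ import annotations

SIGNATURES = {
    # CARO name: (search string, approximate distance from end of file)
    "Hafenstrasse.1641": (bytes.fromhex("3D 00 10 73 1B FE 84 D9 04 06 E8"), 600),
    "Hafenstrasse.1191": (bytes.fromhex("3D 00 10 73 14 FE 84 03 01 E8 28 02 E8 1F 00"), 1150),
}
APPENDED_LEN = {"Hafenstrasse.1641": 1641, "Hafenstrasse.1191": 1191}
WINDOW = 256   # tolerance around the approximate offset (assumption of this example)


def scan_tail(data: bytes, window: int = WINDOW) -> dict[str, int]:
    """Return {name: distance_from_end} for each signature found inside its
    expected window; a match elsewhere in the file is deliberately ignored,
    which keeps false positives down on files that merely contain the bytes."""
    hits = {}
    for name, (sig, from_end) in SIGNATURES.items():
        lo = max(0, len(data) - from_end - window)
        hi = min(len(data), len(data) - from_end + window + len(sig))
        pos = data.find(sig, lo, hi)
        if pos != -1:
            hits[name] = len(data) - pos
    return hits


def make_infected(name: str, host: bytes) -> bytes:
    """Constructed sample: host plus an appended block of NOP filler the size
    of the virus, with the signature placed at the catalog's offset from end."""
    sig, from_end = SIGNATURES[name]
    tail = bytearray(b"\x90" * APPENDED_LEN[name])
    at = len(tail) - from_end
    tail[at:at + len(sig)] = sig
    return host + bytes(tail)


HOST = b"\xC3" * 3000   # constructed host program (RET filler)

if __name__ == "__main__":
    for name in SIGNATURES:
        print(name, scan_tail(make_infected(name, HOST)))
    print("clean:", scan_tail(HOST))
```

The entries say "about" 600 and 1150 bytes because the appended length varies by up to 15 bytes with paragraph alignment; the window absorbs that. Since neither variant changes the file date or time, the length growth and this scan are the practical detections, not a timestamp check.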

===== Computer Virus Catalog 1.2: Halloween Virus (25-July-1992) =====
Entry...............: Halloween Virus
Standard CARO Name..: Halloween Virus
Alias(es)...........: ---
Virus Strain........: ---
Virus detected when.: December 1991
where.: British Columbia, Canada
Classification......: Program virus (COM&EXE infector, including
COMMAND.COM), non-resident
Length of Virus.....: Infected file length: 10,000 bytes (exactly)
--------------------- Preconditions ----------------------------------
Operating System(s).: PC/MS-DOS
Version/Release.....: Any?
Computer model(s)...: Any IBM PC and compatibles?
--------------------- Attributes -------------------------------------
Easy Identification.: 1) Significant file growth: 10 kByte (exactly).
2) Text "Happy HalloweenU" appears near start
of infected programs.
Type of infection...: Virus infects COM & EXE programs in the current
directory only, but only files with length
>= 10,000 (2710h) bytes will be infected.
Infection is done by prepending the virus to
the EXE or COM file to be infected. Date
and time of the infected file will match the
original's; however, the file's position
in the directory may change.
Infection Trigger...: Execution of infected program.
Storage media affected: All
Interrupts hooked...: ---
Damage..............: Permanent/transient damage: On October 31
(Halloween), infected files will be
truncated to 666 bytes and the message
"All Gone Happy Halloween"
will appear.
Damage Trigger......: October 31 (Halloween), any year since 1992.
Particularities.....: 1) The search for uninfected files proceeds
from the top directory, and each executable file
is inspected for previous infection and length.
2) During infection, virus holds original code
in a temporary file. Moreover, it traps the
original file's return code for use when the
virus terminates (possibly for tunneling).
Similarities........: ---
--------------------- Agents -----------------------------------------
Countermeasures.....: McAfee Scan, Skulason F-PROT, Solomon FindViru
Countermeasures successful:
Standard means......: On identification, virus may be removed from most
programs (both COM & EXE) by simply stripping
off the first 10k bytes.
--------------------- Acknowledgement --------------------------------
Location............: Orlando/Florida, USA
Virus Test Center, University Hamburg, Germany
Classification by...: Padgett Patterson (USA), Klaus Brunnstein (VTC)
Documentation by....: Klaus Brunnstein (VTC)
Date................: 15-July-1992
Information Source..: Padgett Patterson's report on Halloween virus
===================== End of Halloween Virus =========================
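
The removal advice in the entry above (strip the first 10k bytes, which
works because the virus prepends itself) can be automated. The Python
script below is an added example written for this catalog page; it is
not code from the VTC, from Padgett Patterson's report or from the virus.
It applies the two "Easy Identification" checks (10,000-byte growth and
the "Happy Halloween" text near the start), strips the prepended body and
puts back the original timestamp, as the virus itself preserved it. The
infected sample is constructed in memory: a dummy victim behind a fake
10,000-byte body that carries only the marker text.

```python
# Added example (not from the catalog, the VTC or the virus): disinfector
# for a prepending file virus with the properties the Halloween entry lists.
import os

VIRUS_LEN = 10_000            # prepended body: exactly 2710h bytes per the catalog
MARKER = b"Happy Halloween"   # text reported "near start" of infected programs
MIN_VICTIM = 10_000           # the virus only infects files >= 10,000 bytes


def looks_infected(data: bytes) -> bool:
    """Apply the catalog's easy-identification checks to a file image.

    An infected file is the 10,000-byte body followed by a victim that was
    itself at least 10,000 bytes long, so anything shorter than 20,000
    bytes cannot be a Halloween-infected program.
    """
    if len(data) < VIRUS_LEN + MIN_VICTIM:
        return False
    return MARKER in data[:VIRUS_LEN]


def disinfect_bytes(data: bytes) -> bytes:
    """Return the original program: everything after the prepended body."""
    if not looks_infected(data):
        raise ValueError("no Halloween marker in the first 10,000 bytes")
    return data[VIRUS_LEN:]


def disinfect_file(path: str) -> int:
    """Disinfect in place; returns the number of bytes removed.

    The virus keeps the victim's date/time, so the restored file should
    keep it too; os.utime() puts the timestamp back after rewriting.
    """
    st = os.stat(path)
    with open(path, "rb") as fh:
        data = fh.read()
    clean = disinfect_bytes(data)
    with open(path, "wb") as fh:
        fh.write(clean)
    os.utime(path, (st.st_atime, st.st_mtime))
    return len(data) - len(clean)


def make_sample_infected(victim: bytes) -> bytes:
    """Constructed test data: a fake 10,000-byte body carrying the marker.

    This is NOT the virus; it is filler of the right length so that the
    disinfector can be exercised offline.
    """
    body = b"\x90" * 64 + MARKER + b"U"          # marker near the start, as listed
    body += b"\x00" * (VIRUS_LEN - len(body))
    return body + victim


if __name__ == "__main__":
    import tempfile
    victim = bytes(range(256)) * 47                # 12,032-byte dummy "program"
    with tempfile.NamedTemporaryFile(suffix=".COM", delete=False) as tmp:
        tmp.write(make_sample_infected(victim))
    removed = disinfect_file(tmp.name)
    with open(tmp.name, "rb") as fh:
        assert fh.read() == victim
    os.unlink(tmp.name)
    print(f"removed {removed} bytes")
```

Run it only on copies and only after booting from a clean diskette; a
file that carries the marker but is shorter than 20,000 bytes is not an
infection by this virus and is deliberately refused.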

======= Computer Virus Catalog 1.2: Joshi Virus (25-July-1992) =======
Entry...............: Joshi Virus
Alias(es)...........: Joshua Virus
Virus Strain........: ----
Virus detected when.: ?
where.: India, Germany
Classification......: Master Bootsector and Bootsector Virus,
memory resident, stealth
Length of Virus.....: 4 KByte
--------------------- Preconditions ----------------------------------
Operating System(s).: MS-DOS
Version/Release.....: any
Computer model(s)...: IBM - PC, XT, AT, upward and compatibles
--------------------- Attributes -------------------------------------
Easy Identification.: CHKDSK will report 6KB memory less than
installed.
On hard disks, the Master Bootsector contains
EB 1F 90 as first Bytes; at end of sector 3
and beginning of sector 4 on track 0, string
"Type Happy Birthday Joshi" can be found.
Type of infection...: Hard disk: Master Bootsector will be infected;
the original Master-Bootsector will be saved
in sector 9. The virus resides on track 0,
sectors 1-8.
Floppy-Disk: Bootsector will be infected; the
original Bootsector will be saved in sector 9
of an additional track (40/80). Virus resides
on track 40/80 in sectors 2 to 6. On 720 kB
diskettes, the virus will overwrite original
data on track 40.
Infection Trigger...: Actions: Read, write, verify track 0/sector 1
Storage Media affected: Any hard disk, any floppy
Infection targets:..: Hard disk Master Bootrecord; Floppy Bootrecord
Interrupts hooked...: INT 8, INT 9, INT 13h, INT 21h
Interrupts used.....: INT 8, INT 9, INT 10H, INT 13h, INT 19h
Damage..............: Permanent damage: on 720 kByte floppies, the
original data on track 40 will be overwritten
during infection.
Transient damage: virus displays message
"Type Happy Birthday Joshi".
Damage Trigger......: On January 5th, a DOS call (INT 21h) of any
of the following functions
- 48h (memory allocation)
- 49h (free allocated memory block)
- 4Ah (resize allocated memory block)
- 2Ah (get date)
- 2Bh (set date)
- 2Ch (get time)
- 2Dh (set time)
Particularities.....: 1) Joshi prevents being overwritten by the
STONED-virus
2) With Hercules graphic cards, problems may
occur as JOSHI does not save Hercules screen
memory.
--------------------- Agents -----------------------------------------
Countermeasures.....: According to their documentation, many antivirus
products claim to recognise and eradicate this virus.
-ditto- successful..: Tested: Dr.Solomon's Toolkit 4.15,
Fridrik Skulason's F-PROT 2.04a,
H&B-EDV Antivir-IV 4.03 and McAfee Scan93.
Standard means......: 1) Reboot from clean bootdisk.
2) Use SYS-Command to reinstall BOOT sector on
floppies.
3) Use FDISK /MBR to reinstall Master-BOOT
sector on Harddisk (MS-DOS 5.0 only).
--------------------- Acknowledgement --------------------------------
Location............: Virus Test Center Hamburg, Univ Hamburg, Germany
Classification by...: Torsten Dargers, Ulf Heinemann
Documentation by....: Torsten Dargers, Ulf Heinemann
Date................: 26-June-1992
===================== End of JOSHI Virus =============================
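
The on-disk geometry given above (virus in track 0 sectors 1-8, original
Master Bootsector parked in sector 9, text string spanning the end of
sector 3 and the start of sector 4) is enough to triage a raw disk image
offline and to recover the original MBR without FDISK /MBR, which only
exists from MS-DOS 5.0 on. The script below is an added example, not VTC
or virus code. It assumes a raw image of head 0, cylinder 0 in which
track 0 sector n starts at byte (n-1)*512, and it uses the 55AAh boot
signature of the parked sector as a plausibility check; that check is an
assumption of the example, not something the catalog states. The image it
runs on is constructed.

```python
# Added example (not from the catalog, the VTC or the virus): triage of a
# raw disk image for the Joshi indicators and recovery of the parked MBR.
SECTOR = 512
JOSHI_ENTRY = b"\xEB\x1F\x90"                 # first bytes of an infected MBR
JOSHI_TEXT = b"Type Happy Birthday Joshi"     # spans end of sector 3 / start of 4
SAVED_MBR_SECTOR = 9                          # original MBR is parked here
BOOT_SIGNATURE = b"\x55\xAA"                  # assumption: sanity check only


def track0_sector(image: bytes, n: int) -> bytes:
    """Track 0, head 0, sector n (1-based CHS numbering) of a raw image."""
    start = (n - 1) * SECTOR
    return image[start:start + SECTOR]


def joshi_indicators(image: bytes) -> dict:
    """Evaluate the two on-disk indicators the catalog entry lists."""
    mbr = track0_sector(image, 1)
    span = track0_sector(image, 3) + track0_sector(image, 4)
    return {
        "entry_bytes": mbr[:3] == JOSHI_ENTRY,
        "text": JOSHI_TEXT in span,
    }


def restore_mbr(image: bytes) -> bytes:
    """Copy the original MBR from sector 9 back over sector 1.

    Refuses to act unless both indicators match and the parked sector
    carries a 55AAh signature, so that a wrong geometry guess does not
    overwrite the MBR with garbage. Returns a new image; the virus body in
    sectors 2-8 stays on disk but is never executed once the MBR is clean.
    """
    ind = joshi_indicators(image)
    if not all(ind.values()):
        raise ValueError(f"Joshi indicators not all present: {ind}")
    saved = track0_sector(image, SAVED_MBR_SECTOR)
    if len(saved) != SECTOR or saved[-2:] != BOOT_SIGNATURE:
        raise ValueError("sector 9 does not look like a boot record")
    return saved + image[SECTOR:]


def build_sample_image(sectors_per_track: int = 17):
    """Constructed image: infected track 0 plus the original MBR it hides."""
    original_mbr = (b"\xFA\x33\xC0" + b"\x00" * 443        # dummy boot code
                    + b"\x80\x01" + b"\x00" * 62            # dummy partition table
                    + BOOT_SIGNATURE)
    assert len(original_mbr) == SECTOR
    track = [bytearray(SECTOR) for _ in range(sectors_per_track)]
    track[0][:3] = JOSHI_ENTRY                     # infected MBR in sector 1
    track[0][-2:] = BOOT_SIGNATURE
    split = 10                                     # text split across sectors 3/4
    track[2][-split:] = JOSHI_TEXT[:split]
    track[3][:len(JOSHI_TEXT) - split] = JOSHI_TEXT[split:]
    track[8][:] = original_mbr                     # parked original, sector 9
    return b"".join(track), original_mbr
```

On a live machine the same recovery has to be done after booting from a
clean, write-protected diskette; with the virus resident, INT 13h reads of
track 0 sector 1 are redirected and the indicators are hidden (stealth).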

==== Computer Virus Catalog 1.2: Leningrad.543 Virus (25-07-1992) ====
Entry...............: Leningrad.543 Virus
Standard CARO name..: Leningrad.543
Alias(es)...........: Sov1, Sov-543, USSR-543, C-543, PANIKER
Virus Strain........: Leningrad virus strain
Virus detected when.: Mid 1990
where.: Leningrad (St.Petersburg), Russia (ex USSR)
Classification......: Non-resident program (COM) infector
Length of Virus.....: COM files increased by 543 bytes
--------------------- Preconditions ----------------------------------
Operating System(s).: MS-DOS
Version/Release.....: 2.xx upward
Computer model(s)...: IBM-PC, XT, AT and compatibles
--------------------- Attributes -------------------------------------
Easy Identification.: Infected files contain strings "*.COM", "PATH="
and "That could be a crash, crash, crash !".
Type of infection...: Virus searches path and current directory. It
infects using standard DOS INT 21h calls.
Infection Trigger...: Any start of an infected file.
Storage media affected: Hard disk, any floppy disk
Interrupts hooked...: ---
Damage..............: Transient damage: upon starting an infected
program on a Friday 13th, the virus displays
"That could be a crash, crash, crash !"
Permanent damage: infected files may grow beyond
64 KB, so they cannot be started afterwards.
Damage Trigger......: Any Friday 13th.
Particularities.....: ---
Similarities........: Leningrad.600 = Sov2 virus
--------------------- Agents ------------------------------------------
Countermeasures successful:McAfee Scan,Skulason F-PROT,Solomon FINDVIRU
Standard means......: Delete infected COM files, copy uninfected
versions from original write protected disk.
--------------------- Acknowledgement ---------------------------------
Location............: Virus Test Center, University Hamburg, Germany
Classification by...: Torsten Dargers
Documentation by....: Dr. Eldar Musaev, Leningrad, Russia
Date................: 07-July-1992
Information Source..: ----
===================== End of Leningrad-543 Virus =====================

===== Computer Virus Catalog 1.2: Mummy 1.2 Virus (25-July-1992) =====
Entry...............: Mummy 1.2 Virus
Standard CARO Name..: Jerusalem.Mummy.1_2 Virus
Alias(es)...........: ---
Virus Strain........: Jerusalem Virus strain, Mummy substrain
Virus detected when.: Spring 1992
where.: Germany
Classification......: Program (EXE) virus (appending), memory resident
Length of Virus.....: Appends 1399-1414 bytes
--------------------- Preconditions -----------------------------------
Operating System(s).: MS-DOS
Version/Release.....: All versions above 2
Computer model(s)...: PC and all compatibles
--------------------- Attributes --------------------------------------
Easy Identification.: File growth; no plain text in files visible.
Virus self-identification: EXE header checksum
(file offset 12h) contains 0C0Bh.
Type of infection...: All files starting with "MZ" (normal EXE header)
that are executed or opened will be infected
provided there is enough space left on volume.
Infection Trigger...: Load & Execute or Open of a file containing "MZ"
as first two bytes.
Storage media affected: All (diskettes, hard disks)
Interrupts hooked...: INT 24 (hooked); INT 21 and 26 (used)
Damage..............: Transient damage: there is an encrypted text in
the virus that is decrypted when the virus
goes memory resident. This text is never
displayed!
Memory dump (typical text!):
0D 0A 20 04 20 4D 75 6D .. . Mum
6D 79 20 56 65 72 73 69 my Versi
6F 6E 20 31 3E 32 20 04 on 1.2 .
20 0D 0A 0A 4B 61 6F 68 ...Kaoh
73 69 75 6E 67 20 53 65 siung Se
6E 69 6F 72 20 53 63 68 nior Sch
6F 6F 6C 0D 0A 0A 54 7A ool...Tz
65 6E 67 20 4A 61 75 20 eng Jau
4D 69 6E 67 20 70 72 65 Ming pre
73 65 6E 74 73 0D 0A 0A sents...
53 65 72 69 65 73 20 4E Series N
75 6D 62 65 72 20 3D 20 umber =
5B 78 78 78 78 78 5D 0D [xxxxx].
0A 24 .$
Permanent damage: virus contains a counter
(16bit) being decremented upon every loading
or opening of an infected file; this counter
is reset to zero every time an OEM call to
DOS is made (INT 21 AH=FFh and AL<>FFh) (this
function is used by several programs).
Upon each attempted infection, this counter is
checked for having reached zero; if so, the
current logical drive is overwritten with
the virus code and memory garbage. 99 sectors
are overwritten starting with the boot sector
(logical sector 0). This activity destroys
the boot sector, FAT 1 and FAT 2, and the
root directory as well as some data.
Damage Trigger......: If trigger counter becomes zero.
Particularities.....: Trigger counter is forced to zero if DOS INT 21h,
AH=FFh is invoked (see Damage), e.g. by specific
programs or another virus. New infections inherit
the trigger counter of the infecting file.
Similarities........: Jerusalem/Mummy virus strain
--------------------- Agents ------------------------------------------
Countermeasures.....: McAfee Scan, Skulason F-PROT, Solomon FindViru
Removal not recommended, might not work on special
EXE files!
Standard means......: Replace infected file with uninfected original.
--------------------- Acknowledgement --------------------------------
Location............: Micro-BIT Virus Center, Univ Karlsruhe, Germany
Classification by...: Christoph Fischer (Klaus Brunnstein, VTC)
Documentation by....: Christoph Fischer
Date................: April-1992
Information Source..: ---
===================== End of Mummy 1.2 Virus =========================

====== Computer Virus Catalog 1.2: P-Check Virus (25-July-1992) ======
Entry...............: P-Check Virus
Alias(es)...........: ---
Virus Strain........: ---
Virus detected when.: April 1992
where.:
Classification......: System (bootsector/partition table (MBR)) virus,
stealth
Length of Virus.....: Length on medium: 512 Bytes (=1 sector)
--------------------- Preconditions -----------------------------------
Operating System(s).: MS-DOS
Version/Release.....:
Computer model(s)...: IBM PC and compatibles
--------------------- Attributes --------------------------------------
Easy Identification.: Memory decreased by 1 kByte after infection;
no plain text in bootsector or MBR, like
"Non system disk..." or "Bad partition....".
Type of infection...: Boot sectors and partition table of media.
Infection Trigger...: Booting from an infected disk will infect the
hard disk; from this time, all read accesses
to the boot sector of any physical drive will
infect the medium in this drive.
Storage media affected: All media: Floppy disk, hard disk.
Interrupts hooked...: INT 09, INT 13.
Damage..............: Transient/Permanent damage:
Some built-in mechanism simulates a parity error
message on the screen after 1 hour of opera-
tion plus an additional hour for each infec-
tion: the more infections, the longer till
the parity check display.
The parity error simulation switches to 40 x 25
mode, displays 'PARITY CHECK' and then halts
the processor.
Virus constantly garbles the INT01&INT03 entries,
so that debug will not work; this is not tied
to a trigger.
Damage Trigger......: The internal timer tick (not the CMOS clock) is
used for timing. Trigger= 1+n hours after
boot up (n=number of infections since booting)
Particularities.....: ---
Similarities........: ---
--------------------- Agents ------------------------------------------
Countermeasures.....: Up-to-date antiviral products.
Removal: SYS on floppies; FDISK /MBR (DOS 5.0)
Standard means......:
--------------------- Acknowledgement --------------------------------
Location............: Micro-BIT Virus Center, Univ Karlsruhe, Germany
Classification by...: Christoph Fischer (Klaus Brunnstein, VTC)
Documentation by....: Christoph Fischer
Date................: April-1992
Information Source..: ---
===================== End of P-Check Virus ===========================

======== Computer Virus Catalog 1.2: Peach Virus (25-July-1992) ======
Entry...............: Peach Virus
Standard CARO Name..: Peach Virus
Alias(es)...........: ---
Virus Strain........: ---
Virus detected when.:
where.:
Classification......: Program (COM&EXE) Virus (appending), resident
Length of Virus.....: On media: 887 Bytes.
--------------------- Preconditions ----------------------------------
Operating System(s).: MS-DOS
Version/Release.....: 2.00 and above
Computer model(s)...:
--------------------- Attributes -------------------------------------
Easy Identification.: The following text can be found in infected files:
"Roy XuatroNo 2 Peach GardenMeyer Rd. Spore 1543"
Self Identification.: In memory: at position 0040:00fc, the string
"Roy" can be found.
In file: in the EXE header, the IP field will con-
tain 01fch at position 14h; in COM file, virus
compares the COM startup code it inserts.
Type of infection...: Virus infects COM and EXE files. It identifies
EXE files by looking for "Z" at position 1.
Virus goes memory-resident.
Infection Trigger...: Load and Execute (INT 21h function 4B00h)
Storage media affected: Anything that can be addressed using DOS calls
(floppy diskettes, hard disks)
Interrupts hooked...: Int 21h, Int 23h and Int 24h (Control-C and
Critical Error Handler) during infection.
Damage..............: Transient Damage: ---
Permanent Damage: if file "chklist.cps" (crea-
ted by Central Point AntiVirus) is found,
this file is deleted.
Damage Trigger......: If file "chklist.cps" is found.
Particularities.....: ---
Similarities........: ---
--------------------- Agents -----------------------------------------
Countermeasures.....: Skulason F-PROT 2.02, Solomon FindViru 3.5
Standard means......: ---
--------------------- Acknowledgement --------------------------------
Location............: Virus Test Center, University Hamburg, Germany
S&S International (Deutschland)
Classification by...: Morton Swimmer
Documentation by....: Morton Swimmer
Date................: 7-July-1992
Information Source..: Original virus
===================== End of Peach Virus =============================
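
Both the Mummy 1.2 and the Peach entries above recognise an already
infected EXE file by a word in the MZ header: Mummy stores 0C0Bh in the
checksum field at offset 12h, Peach stores 01FCh in the initial-IP field
at offset 14h. Peach also decides "this is an EXE" by looking only at the
'Z' in position 1. The Python below is an added example (not VTC, S&S or
virus code) that decodes the fixed part of the MZ header, reports those
two self-identification markers, and contrasts Peach's one-byte test with
Mummy's check of the full "MZ" magic. The headers it runs on are
constructed with otherwise plausible values for a small EXE.

```python
# Added example (not from the catalog, the VTC or the viruses): MZ header
# decoding for the self-identification markers of Mummy 1.2 and Peach.
import struct

# Fixed part of the DOS MZ header: 'MZ' magic followed by 13 little-endian words.
MZ_HEADER = struct.Struct("<2s13H")
MZ_FIELDS = ("magic", "e_cblp", "e_cp", "e_crlc", "e_cparhdr", "e_minalloc",
             "e_maxalloc", "e_ss", "e_sp", "e_csum", "e_ip", "e_cs",
             "e_lfarlc", "e_ovno")

MUMMY_CSUM = 0x0C0B   # Mummy 1.2: checksum word at file offset 12h
PEACH_IP = 0x01FC     # Peach: initial IP word at file offset 14h


def parse_mz(data: bytes):
    """Decode the fixed MZ header, or return None if the file is too short."""
    if len(data) < MZ_HEADER.size:
        return None
    return dict(zip(MZ_FIELDS, MZ_HEADER.unpack_from(data, 0)))


def self_id_markers(data: bytes) -> list:
    """Report which catalog self-ID markers an EXE header carries.

    The markers are what the viruses use to avoid double infection. A
    legitimate EXE can carry the same word by chance, so a hit is a triage
    signal for closer inspection, not an identification.
    """
    hdr = parse_mz(data)
    if hdr is None or hdr["magic"] not in (b"MZ", b"ZM"):
        return []
    hits = []
    if hdr["e_csum"] == MUMMY_CSUM:
        hits.append("Mummy 1.2 (e_csum == 0C0Bh)")
    if hdr["e_ip"] == PEACH_IP:
        hits.append("Peach (e_ip == 01FCh)")
    return hits


def peach_treats_as_exe(data: bytes) -> bool:
    """Peach's test: only byte 1 is compared with 'Z'."""
    return len(data) >= 2 and data[1:2] == b"Z"


def mummy_treats_as_exe(data: bytes) -> bool:
    """Mummy's test: the two-byte magic 'MZ'."""
    return data[:2] == b"MZ"


def build_header(magic: bytes = b"MZ", csum: int = 0, ip: int = 0) -> bytes:
    """Constructed header: plausible values for a small EXE, marker words injected."""
    return MZ_HEADER.pack(magic, 0x0090, 0x0003, 0x0000, 0x0004, 0x0000, 0xFFFF,
                          0x0000, 0x00B8, csum, ip, 0x0000, 0x0040, 0x0000)
```

Because the words are little-endian, a hex dump of a Mummy-marked file
shows the bytes 0B 0C at offset 12h and a Peach-marked file shows FC 01 at
offset 14h. Peach's one-byte test means a file beginning "ZM" (which DOS
also accepts as an EXE) is handled by Peach as a COM file, while any file
whose second byte happens to be 'Z' is handled as an EXE.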

===== Computer Virus Catalog 1.2: Seventh Son Virus (25-07-1992) =====
Entry...............: Seventh Son Virus
Standard CARO name..: Seventh_Son.284 Virus
Alias(es)...........: Seventh Son-284 Virus
Virus Strain........: Seventh Son virus strain
Virus detected when.: October 1991
where.: Eastern Europe
Classification......: File (COM) virus
Length of Virus.....: 284 Bytes
--------------------- Preconditions -----------------------------------
Operating System(s).: DOS
Version/Release.....:
Computer model(s)...: IBM compatibles
--------------------- Attributes --------------------------------------
Easy Identification.: The displayed text "Seventh son of a seventh son"
can be found in infected programs.
Type of infection...: Infects only COM files
Infection Trigger...: Execution of an infected program.
Storage media affected: Infects any diskette and hard disks
Interrupts hooked...: ---
Damage..............: Permanent damage: ---
Transient damage: displays the text
"Seventh son of a seventh son"
Damage Trigger......: Permanent damage: ---
Transient damage: executing an infected program
Particularities.....: ---
Similarities........: Seventh Son variants (.332, .350)
--------------------- Agents -----------------------------------------
Countermeasures.....: McAfee Scan,Skulason F-PROT,Solomon FINDVIRU
Standard means......: Delete infected files and replace with un-
infected originals or backups.
--------------------- Acknowledgement --------------------------------
Location............: Virus Test Center, University Hamburg, Germany
Classification by...: Michaela Schroeder, Peter Liem, Doerte Hachfeld,
Holger Prescher
Documentation by....: Holger Prescher, Doerte Hachfeld, Peter Liem,
Michaela Schroeder
Date................: 20-July-1992
Information Source..: Reverse-Engineering of virus code
===================== End of Seventh Son Virus =======================

===== Computer Virus Catalog 1.2: Silly Willy Trojan (25-07-1992) ====
Entry...............: Silly Willy Trojan
Standard CARO Name..: Silly_Willy Trojan
Alias(es)...........: ---
Virus Strain........: Silly Willy (Trojan/Virus) Strain
Virus detected when.: March 92
where.: Munich, Germany
Classification......: Trojan
Length of Virus.....: 803 Bytes
--------------------- Preconditions ----------------------------------
Operating System(s).: IBM PC & Compatibles
Version/Release.....: DOS 2.x and above
Computer model(s)...: IBM PC, XT, AT and upwards, and compatibles
--------------------- Attributes -------------------------------------
Easy Identification.: ---
Scan signature......: The string 0e 1f b0 49 be 11 00 b9 24 03 2b ce
28 04 can be found at the beginning of a
trojanized file.
Type of infection...: ---
Infection Trigger...: ---
Storage media affected: Any floppy diskette, hard disk
Interrupts hooked...: ---
Damage..............: Transient/Permanent damage: The trojan displays
a face, announcing that it is Silly Willy and
is currently formatting the hard disk. In
fact, it writes a hidden file, so that the
user observes some hard disk activity. The
hidden file has a length between 154,622 and
459,952 bytes and contains the text
"The User of This Computer Is Stupid!".
After some time, another message will appear:
"ERROR: o SYSTEM found!
No Files on drive C:
Insert SYSTEM diskette in drive A:
and push a key!"
After pushing a key, the first 9 sectors on
the first five tracks will be overwritten
with the text
"The User of This Computer Is Stupid!"
Then, the system hangs.
Damage Trigger......: Starting a trojanized EXE-file
Particularities.....: Silly Willy Trojan is dropped by Silly Willy
Virus which overwrites EXE files with trojan.
Similarities........: ---
--------------------- Agents -----------------------------------------
Countermeasures.....: Solomon FindViru 4.23, Antivir from H&B-EDV
Standard means......: Delete/replace trojanized files with clean ones.
--------------------- Acknowledgement --------------------------------
Location............: Virus Test Center, University Hamburg, Germany
Siemens Nixdorf AG (SNI), Munich
Classification by...: Toralv Dirro (VTC), Ralph Dombach (SNI)
Documentation by....: Toralv Dirro
Date................: 16-July-92
Information Source..: Original virus analysis
===================== End of Silly Willy Trojan ======================

===== Computer Virus Catalog 1.2: Silly Willy Virus (25-07-1992) =====
Entry...............: Silly Willy Virus
Standard CARO Name..: Silly_Willy Virus
Alias(es)...........: ---
Virus Strain........: Silly Willy (Trojan/Virus) Strain
Virus detected when.: March 91
where.: Munich, Germany
Classification......: Direct action COM-infector, Trojan dropper (EXE)
Length of Virus.....: Length in COM-files: 2261-2314 bytes
--------------------- Preconditions -----------------------------------
Operating System(s).: IBM PC & Compatibles
Version/Release.....: DOS 2.x and above
Computer model(s)...: IBM PC, XT, AT and upward, and compatibles
--------------------- Attributes --------------------------------------
Easy Identification.: Increased file size; unusual long loading time.
Scan signature......: The string : BE 15 00 8B 1A B9 D0 08 81 E9 can be
found at about 2300 bytes offset from the end
of an infected file.
Type of infection...: COM-files will be searched via FindFirst,FindNext,
starting with root directory, and in sub-
directories, if no uninfected files are found
in the root.
EXE-files will be overwritten with Silly Willy
Trojan (see separate Virus Catalog entry).
Infection Trigger...: Starting an infected file; virus will search
for one COM-file to infect and for one EXE-
file to trojanize.
Storage media affected: Only files on drive C: will be affected.
Interrupts hooked...: ---
Damage..............: Transient damage: ---
Permanent damage: EXE-files are overwritten
with Silly Willy Trojan (see separate Virus
Catalog entry).
Damage Trigger......: Start of an infected program
Particularities.....: 1) The virus uses polymorphic methods to hide
from detection in COM-files. At offset 0,
16 Bytes are inserted in COM-files; these
can hold 16 different values of code. The
virus merges two 8 byte strings, and each
string has four different values; moreover,
a random number of bytes is inserted, too.
Due to a very simple decryption algorithm
(XOR) and some unencrypted code, the poly-
morphic routine is rather ineffective.
2) Date and time of infected programs will not
be changed.
3) Only COM-files with a length between 1087
and 58,932 bytes will be infected.
4) No exact match to recognize EXE and COM
files is performed.
Similarities........: ---
--------------------- Agents -----------------------------------------
Countermeasures.....: Checksums, etc.
Countermeasures successful: Solomon FindViru 4.23, H&B-EDV AntiVir
Standard means......: Delete and replace infected files.
--------------------- Acknowledgement --------------------------------
Location............: Siemens Nixdorf AG (SNI), Munich, Germany
Virus Test Center, University Hamburg, Germany
Classification by...: Ralph Dombach (SNI), Toralv Dirro (VTC)
Documentation by....: Toralv Dirro
Date................: 16-July-1992
Information Source..: Original virus analysis
===================== End of SILLY WILLY Virus =======================

=== Computer Virus Catalog 1.2: VCS V1.0 Manta Virus (25-July-1992) ==
Entry................. VCS V1.0 Manta Virus
Standard CARO Name.... VCS.Manta Virus
Alias(es)............. ---
Strain................ VCS Virus Strain
Detected: when........ Summer 1992
where....... Bulletin Board, Hamburg, Germany
Classification........ Clone of VCS V1.0 Virus
Program Virus, direct action; overwriting
AUTOEXEC and CONFIG.SYS; encrypted.
Length of Virus....... Increase of file length: 1077 bytes
---------------------- Preconditions ---------------------------------
Operating System(s)... MS/PC-DOS
Computer models....... All IBM PC compatibles with an 80186 or later
CPU (opcode 68h is undefined on 8086/8088,
see Particularities)
---------------------- Attributes ------------------------------------
Easy identification... Same as VCS V1.0 virus:
Files containing C350h at offset 03h regarded
as infected (self identification)
Search string at offset 00h:
E8 14 00 8A A4 2F 05 8D BC 20 01 B9 0F 04 89 FE
Type of infection..... Same as VCS V1.0 virus
Infection trigger..... Same as VCS V1.0 virus
Interrupts hooked..... ---
Damage................ Same as VCS V1.0 virus:
Permanent damage: when triggered, the files
'C:\AUTOEXEC.BAT' and 'C:\CONFIG.SYS' will
be overwritten with 512 bytes of text.
Transient Damage: when AUTOEXEC and CONFIG.SYS
have been overwritten, a text which was
chosen by whoever generated the virus
(see: Particularities:Generating the virus)
may be displayed.
Damage trigger........ Same as VCS V1.0 virus
Particularities....... Same as VCS V1.0 virus
Particularities/Generating this virus: VCS V1.0 Manta was generated
with the VCS V1.0 (see catalog entry VCS V1.0).
In addition to the characteristics of VCS V1.0,
the following text will be displayed until
a key is pressed:
"RAM Parity Error at 0F67:1B2C"
"(C)ontinue (S)hut off NMI (R)eboot ".
The files C:\AUTOEXEC.BAT and C:\CONFIG.SYS will
be overwritten with this text, as well as with
the following text referring to popular jokes
about some people which drive a special Opel
car type called "Manta". The text is:
"Ein Mantafahrer haelt an einer Ampel. Neben ihm
haelt ein Porsche. Beide kurbeln die Scheiben
runter, und der Porschefahrer fragt: 'Was hat
vier Beine und ist unheimlich bloed?'
Mantafahrer: 'Keine Ahnung'
Porschefahrer: 'Du und deine Freundin'
An der naechsten Ampel haelt ein Golf neben dem
Manta. Mantafahrer: 'Was hat vier Beine und ist
unheimlich doof ?' Golffahrer: 'Keine Ahnung'
Mantafahrer: 'Meine Freundin und ich'."
Translation:
"A Manta driver stops at a traffic light.
A Porsche stops beside him. Both wind down
their windows and the Porsche driver asks:
'What has four legs and is incredibly stupid?'
Manta driver: 'No idea.'
Porsche driver: 'You and your girlfriend.'
At the next traffic light, a Golf stops beside
the Manta. Manta driver: 'What has four legs
and is incredibly stupid?'
Golf driver: 'No idea.'
Manta driver: 'My girlfriend and me.'"
Moreover, VCS V1.0 Manta uses opcode 68h (push
constant on stack) which is not defined on
8088 processors; so, virus will not work on
such systems.
Similarities........... ---
---------------------- Agents ----------------------------------------
Countermeasures....... Searchstring at offset 00h of virus:
E8 14 00 8A A4 2F 05 8D BC 20 01 B9 0F 04 89 FE
- ditto - successful. Actual versions of McAfee Scan, Skulason
F-PROT, Solomon FindViru.
Tode's NTI-VCS.EXE is an antivirus that
only looks for VCS virus, and if requested
will restore the file.
Standard Means........ Notice file length. Use ReadOnly attribute.
---------------------- Acknowledgements ------------------------------
Location.............. Virus Test Center, University Hamburg, Germany
Classification by..... Stefan Tode
Documentation by...... Stefan Tode and Matthias Jaenichen
Date.................. 15-July-1992
Information source.... ---
====================== End of VCS V1.0 Manta Virus ===================

===== Computer Virus Catalog 1.2: VCS V1.1a Virus (21-July-1992) ======
Entry................. VCS V1.1a Virus
Alias(es)............. Virus-Construction-Set V1.1a
Strain................ VCS Virus Strain
Detected: when........ JAN 1992
where....... Bulletin Board, Hamburg, Germany
Classification........ Clone of VCS V1.0 Virus
Program Virus, direct action; overwriting,
AUTOEXEC.BAT and CONFIG.SYS; encrypted.
Length of Virus....... Increased File Length: 1077 bytes
---------------------- Preconditions ---------------------------------
Operating System(s)... MS/PC-DOS
Computer models....... All IBM PC compatibles with an 80186 or later
CPU (opcode 68h, see VCS V1.0 Manta entry).
---------------------- Attributes ------------------------------------
Easy identification... Files containing C390h at offset 03h regarded
as infected (self identification).
Scan signature........ Searchstring at offset 00h (same as VCS V1.0):
E8 14 00 8A A4 2F 05 8D BC 20 01 B9 0F 04 89 FE
same as VCS V1.0
Type of infection..... same as VCS V1.0
Infection trigger..... same as VCS V1.0
Interrupts hooked..... ---
Damage................ same as VCS V1.0
Particularities....... same as VCS V1.0
Particularities/Generating: as VCS V1.0; generated by the Virus
Construction Set Version 1.0 (only the version
string differs, see DisSimilarities).
DisSimilarities....... Virus is similar to VCS V1.0 virus and uses the
same code, except the self identification
routine. Only the version number is changed, so
the following string can be found in VCS V1.1a:
"Virus Construction Set V1.1a"
---------------------- Agents ----------------------------------------
Countermeasures....... Searchstring at offset 00h of virus:
E8 14 00 8A A4 2F 05 8D BC 20 01 B9 0F 04 89 FE
- ditto - successful. Skulason's F-PROT V2.04 detects as VCS variant.
McAfee's Scan version 93 as Manta
Tode's NTI-VCS.EXE is an antivirus that
only looks for VCS viruses, and if requested
will restore the file.
Standard Means........ Notice file length. Use ReadOnly attribute.
---------------------- Acknowledgements ------------------------------
Location.............. Virus Test Center, University Hamburg, Germany
Classification by..... Stefan Tode
Documentation by...... Stefan Tode
Date.................. 21-July-1992
Information source.... ---
====================== End of VCS V1.1a Virus ========================

===== Computer Virus Catalog 1.2: VCS V1.3 Virus (25-July-1992) ======
Entry................. VCS V1.3 Virus
Standard CARO Name.... VCS.RUF
Alias(es)............. Virus-Construction-Set V1.3 Virus=VCS1.3.RUF
Strain................ VCS Virus Strain
Detected: when........ March 1992
where....... Bulletin Board, Hamburg, Germany
Classification........ Clone of VCS V1.0 Virus;
Program Virus, direct action; overwriting
AUTOEXEC and CONFIG.SYS; encrypted.
Length of Virus....... Increase of file length: 1077 bytes
---------------------- Preconditions ---------------------------------
Operating System(s)... MS/PC-DOS
Computer models....... IBM PC compatibles with an 80186 or later CPU
(opcode 68h, see VCS V1.0 Manta entry).
---------------------- Attributes ------------------------------------
Easy identification... Files containing C350h at offset 03h regarded
as infected (self identification)
Search string at offset 00h:
E8 14 00 8A 9C 2F 05 8D BC 20 01 B9 0F 04 89 FE
Type of infection..... same as VCS V1.0
Infection trigger..... same as VCS V1.0
Interrupts hooked..... ---
Damage................ same as VCS V1.0
Particularities....... same as VCS V1.0
Particularities/Generating
VCS1.3 = VCS.RUF is a virus which was generated
by the Virus Construction Set V1.3.
The text buffer in the damage routine contains
the strings "Deutsche Bundespost" (= German
Post Office) and "Telekom". The block graphic
displayed consists of a telephone icon and
the German Telekom's slogan
"RUF DOCH MAL AN" (= "Why don't you call").
Similarities........... 1) Virus is similar to VCS 1.0 virus and uses
the same code, except for the encrypt-
ion routine.
2) VCS 1.3 is a patched version of VCS 1.0.
It was created by someone who calls
himself "Hanswurst".
3) The textstrings of VCS.EXE are also
patched. The following strings can be
found in the VCS.EXE:
"(C) 1991 by VDV, 1992 by Hanswurst"
"Virus Construction Set V1.3, gepatcht"
" von Hanswurst 1992"
---------------------- Agents ----------------------------------------
Countermeasures....... Searchstring at offset 00h of virus:
E8 14 00 8A 9C 2F 05 8D BC 20 01 B9 0F 04 89 FE
- ditto - successful. Tode's NTI-VCS.EXE is an antivirus that only
looks for VCS viruses, and if requested will
restore the file.
- ditto - unsuccessful. Presently, no AV product identifies VCS V1.3.
Standard Means........ Notice file length. Use ReadOnly attribute.
---------------------- Acknowledgements ------------------------------
Location.............. Virus Test Center, University Hamburg, Germany
Classification by..... Stefan Tode
Documentation by...... Stefan Tode
Date.................. 21-July-1992
Information source.... ---
====================== End of VCS V1.3 Virus =========================
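
Several entries in this file give fixed byte strings rather than only a
behavioural description: the VCS family (search string "at offset 00h of
virus", self-identification word at file offset 03h), the Silly Willy
Trojan (string at the beginning of a trojanized file) and the Silly Willy
Virus (string about 2300 bytes before the end of an infected file). The
scanner below is an added example, not VTC, NTI-VCS or vendor code; it
collects those strings from the entries above with the anchoring each
entry gives and runs them over constructed sample files. Two assumptions
are labelled in the code: the VCS self-ID word is read as an x86
little-endian word (bytes 50 C3 or 90 C3 on disk), and when a COM file
starts with a near JMP the jump target is reported for the analyst, which
the catalog does not describe.

```python
# Added example (not from the catalog, the VTC or any vendor): offset-anchored
# signature scan using the byte strings the VCS and Silly Willy entries give.
from typing import NamedTuple


class Signature(NamedTuple):
    name: str
    pattern: bytes
    where: str      # "start": file offset 0; "tail": last ~2400 bytes; "body": anywhere


SIGNATURES = [
    Signature("VCS V1.0 / Manta / V1.1a",
              bytes.fromhex("E8 14 00 8A A4 2F 05 8D BC 20 01 B9 0F 04 89 FE"), "body"),
    Signature("VCS V1.3 (VCS.RUF)",
              bytes.fromhex("E8 14 00 8A 9C 2F 05 8D BC 20 01 B9 0F 04 89 FE"), "body"),
    Signature("Silly Willy Trojan",
              bytes.fromhex("0E 1F B0 49 BE 11 00 B9 24 03 2B CE 28 04"), "start"),
    Signature("Silly Willy Virus",
              bytes.fromhex("BE 15 00 8B 1A B9 D0 08 81 E9"), "tail"),
]
TAIL_WINDOW = 2400   # "about 2300 bytes offset from the end", with some slack

# Self-identification word at file offset 03h. Assumption: read as an x86
# little-endian word, i.e. the bytes 50 C3 (or 90 C3) appear on disk.
VCS_SELF_ID = {0xC350: "VCS V1.0 / Manta / V1.3", 0xC390: "VCS V1.1a"}


def com_jump_target(data: bytes):
    """If a COM image starts with a near JMP (E9 rel16), return the file
    offset it lands on (the 100h load offset cancels out). Reported for
    the analyst only; the catalog does not describe this layout."""
    if len(data) >= 3 and data[0] == 0xE9:
        rel = int.from_bytes(data[1:3], "little", signed=True)
        return (3 + rel) & 0xFFFF
    return None


def scan(data: bytes) -> list:
    """Return the names of all signatures matching at their anchored place."""
    hits = []
    for sig in SIGNATURES:
        if sig.where == "start":
            found = data.startswith(sig.pattern)
        elif sig.where == "tail":
            found = sig.pattern in data[-TAIL_WINDOW:]
        else:
            found = sig.pattern in data
        if found:
            hits.append(sig.name)
    if len(data) >= 5:
        word = int.from_bytes(data[3:5], "little")
        if word in VCS_SELF_ID:
            hits.append(f"self-ID word {word:04X}h at offset 3 ({VCS_SELF_ID[word]})")
    return hits


def build_samples() -> dict:
    """Constructed files: filler plus the catalog strings at the stated places."""
    vcs_body = SIGNATURES[0].pattern + b"\x00" * 1061          # 1077 bytes, as listed
    vcs_com = b"\xE9\x10\x00" + b"\x50\xC3" + b"\x90" * 14 + vcs_body
    sw_trojan = SIGNATURES[2].pattern + b"\xCC" * 789          # 803 bytes, as listed
    sw_virus = b"\xC3" + b"\x90" * (3000 - 1 - 2300) + SIGNATURES[3].pattern
    sw_virus += b"\x90" * (3000 - len(sw_virus))               # signature 2300 from end
    clean = b"MZ" + bytes(range(256)) * 8
    return {"vcs_com": vcs_com, "sw_trojan": sw_trojan,
            "sw_virus": sw_virus, "clean": clean}
```

Note that the trojan string begins 0E 1F (PUSH CS / POP DS) rather than
"MZ": the overwritten .EXE no longer has an EXE header, and DOS, which
decides by the header and not by the extension, loads it as a flat COM
image, which is why the trojanized file runs at all. The VCS V1.3 string
differs from the V1.0 string in a single byte (9C instead of A4), which
is consistent with the entry's statement that only the encryption routine
was patched and explains why products matching the V1.0 string missed it.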

======== Computer Virus Catalog 1.2: XREH Virus (25-July-1992) =======
Entry...............: XPEH-4016 Virus (in Cyrillic letters) =
CHREN-4016 Virus (in Latin letters)
Alias(es)...........: ---
Virus Strain........: XREH Virus Strain
Virus detected when.: ?
where.: Russia
Classification......: Program (COM & EXE) Virus, memory-resident
Length of Virus.....: 1. Length on media: 4016 bytes (appended)
2. Length in memory: 3872 bytes.
--------------------- Preconditions -----------------------------------
Operating System(s).: MS-DOS
Version/Release.....: DOS 2.x and above
Computer model(s)...: IBM & Compatibles
--------------------- Attributes --------------------------------------
Easy Identification.: Total memory size decreased by 4032 bytes, disk
access slows down, when virus is active.
Scan signature......: The following bytes can be found at the INT-21-
entrypoint: 80 FC 4E 74 12 80 FC 4F 74 0D 2E 3A
Type of infection...: a) COM-files : The virus appends itself to the
end of the file, changing the first
32 Bytes of the victim (restored later).
b) EXE-Files : Virus uses standard ways of
infecting EXE-files.
Infection Trigger...: Execution of COM & EXE files, when month > March
and year > 1991.
Usage of INT 21h, AH=4Eh/4Fh (FindFirst/FindNext),
when month > March and year > 1991 (for
details see Particularities).
Storage media affected: Files on all accessible media are affected.
Interrupts hooked...: INT 21, functions: AH=4E (FindFirst),
AH=4F (FindNext), AH=4B (Load&Execute)
INT 1C (Timer),
INT 01 (Trace) and INT 03 are hooked temporarily
(For details see Particularities)
Damage..............: Files with the Extension ". ", ".LEX", ".TXT",
".BAK" can be garbled, during September-December
of any year above 1991.
Damage Trigger......: System-date (see Damage).
Particularities.....: The virus hooks INT 21h, AH=4Eh/4Fh for infecting
files and encrypting files (damage!), as well
as for subtracting its own length from the
reported size of COM/EXE files whose file time
has a seconds field of 30 (stealth). The file
time is set to 30 seconds when a file has been
infected or garbled.
This routine garbles files in months >= September
of any year above 1991, and infects COM and EXE
files in months >= March of any year above 1991,
using a 1:4 random routine to determine whether
to be active.
The virus uses the EXE-signature (MZ/ZM) to
recognize EXE-files.
COM files will only be infected when their size
is >=288 and <=61,815 bytes. As the maximum
size of COM-files seems not to have been
adjusted when a new version of the virus was
written (there are shorter versions!), COM-
files can get bigger than 65k and won't run.
If the date is >=September and >1991, ". ",
".LEX", ".TXT", ".BAK" files can be garbled by
XORing up to 64k of them with the Cyrillic
letters XPEH (hex: 95 80 85 8D).
INT 1C (Timer) is used to check whether the
entry of INT 1 and INT 3 (Trace/Breakpoint)
is an IRET instruction; if not, the entrypoint
is overwritten with a CALL FAR into the virus.
There the virus determines from where the INT
has been called, and whether it was an INT 1 or
INT 3. After that it decides whether only the
Trace flag is cleared, or whether the system
should be hung.
The virus copies itself to the top of RAM,
decreasing the total amount of memory by 4032
bytes.
When the virus installs itself into memory, it
uses a kind of tracer to find the original
INT 21 entry (the decision is made via the
segment: if it is below 200, the virus assumes
that the original INT 21 entry has been reached).
While running, the virus constantly decrypts and
re-encrypts parts of itself to hinder
disassembly, making analysis very difficult.
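Added triage helpers for the entry above (example code, not part of the catalog or the Virus Test Center's tools): the INT-21 entry signature as a scan pattern, the 30-second file-time marker the entry describes, and reversal of the XPEH XOR damage. The key alignment (4-byte key repeating from file offset 0) is an assumption, as the entry does not state it.

```python
# Added triage helpers for the XREH/XPEH-4016 entry (example code, not
# from the catalog): signature scan, file-time marker check, XOR recovery.

# Bytes the entry lists at the INT 21 entry point of an infected system;
# they decode to CMP AH,4Eh / JZ / CMP AH,4Fh / JZ, i.e. the FindFirst/
# FindNext dispatch of the hooked handler.
INT21_SIGNATURE = bytes.fromhex("80FC4E741280FC4F740D2E3A")

# The Cyrillic letters "XPEH" with the byte values given in the entry.
XPEH_KEY = bytes.fromhex("9580858D")

MAX_GARBLE = 64 * 1024      # the damage routine touches at most 64k


def find_signature(image: bytes) -> int:
    """Offset of the scan signature in a memory dump or file image, -1 if absent."""
    return image.find(INT21_SIGNATURE)


def dos_time_seconds(dos_time: int) -> int:
    """Seconds field of a 16-bit FAT/DOS time word (bits 0-4 hold seconds/2)."""
    return (dos_time & 0x1F) * 2


def has_infection_marker(dos_time: int) -> bool:
    """True when the file time carries the 30-second value the virus sets."""
    return dos_time_seconds(dos_time) == 30


def ungarble(data: bytes) -> bytes:
    """Undo the damage routine on a .TXT/.LEX/.BAK file image.

    XOR is its own inverse, so applying the key again restores the text.
    Assumption (not stated in the entry): the 4-byte key repeats from
    offset 0, and only the first 64k were touched.
    """
    n = min(len(data), MAX_GARBLE)
    head = bytes(b ^ XPEH_KEY[i % len(XPEH_KEY)] for i, b in enumerate(data[:n]))
    return head + data[n:]


# Constructed sample: a short text garbled the way the entry describes.
SAMPLE_TEXT = b"Report for Q3, 1992.\r\n"
GARBLED_SAMPLE = ungarble(SAMPLE_TEXT)   # same operation, other direction

if __name__ == "__main__":
    print(ungarble(GARBLED_SAMPLE))       # -> b'Report for Q3, 1992.\r\n'
    print(has_infection_marker(0x5C0F))   # -> True (seconds field = 30)
```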
Similarities........: XREH variants
--------------------- Agents -----------------------------------------
Countermeasures.....: F-PROT 2.02D in Quick-scan recognises the virus as
a new variant of Cascade.
Countermeasures successful: The Antiviral Package v. 4.6 from Kaspersky
(Moscow) recognizes and removes the virus.
Standard means......: Delete and replace infected files.
--------------------- Acknowledgement --------------------------------
Location............: Virus Test Center, University Hamburg, Germany
Classification by...: Toralv Dirro
Documentation by....: Toralv Dirro
Date................: 05-May-1992
Information Source..: Original virus analysis
===================== End of XREH Virus ==============================

======================================================================
== Critical and constructive comments as well as additions are ==
== appreciated. Descriptions of new viruses are appreaciated. ==
======================================================================
== The Computer Virus Catalog may be copied free of charges provided =
== that the source is properly mentioned at any time and location ==
== of reference. ==
======================================================================
== Editor: Virus Test Center, Faculty for Informatics ==
== University of Hamburg ==
== Vogt-Koelln-Str.30, D2000 Hamburg 54, FR Germany ==
== Prof. Dr. Klaus Brunnstein, Vesselin Bontchev, ==
== Dr.Simone Fischer-Huebner, Wolf-Dieter Jahn ==
== Tel: (+40) 54715-406 (KB), -225 (Bo/Ja), -405(Secr.) ==
== Fax: (+40) 54 715 - 226 ==
== Email (EAN/BITNET): [email protected] ==
== [email protected] ==
== FTP site: ftp.informatik.uni-hamburg.de ==
== Address: 134.100.4.42 ==
== login anonymous; password: your-email-address; ==
== directory: pub/virus/texts/catalog ==
======================================================================
== End of MSDOSVIR.792 document ==
== (1,487 Lines, 88 kBytes) ==
======================================================================



3 Responses to "Category : Recently Uploaded Files / Archive : MSDOSVIR.ZIP / Filename : MSDOSVIR.792"

  1. Very nice! Thank you for this wonderful archive. I wonder why I found it only now. Long live the BBS file archives!

  2. This is so awesome! 😀 It’d be cool if you could download an entire archive of this at once, though.

  3. But one thing that puzzles me is the “mtswslnkmcjklsdlsbdmMICROSOFT” string. There is an article about it here. It is definitely worth a read: http://www.os2museum.com/wp/mtswslnk/