Archive   : MSDOSVIR.ZIP
Filename : MSDOSVIR.A89
========================================================================
== Computer Virus Catalog (Version 1.2) ==
========================================================================
== Status: October 31, 1989 ==
== Classified: 15 MSDOS-Viruses (MSDOSVIR.A89: this document) ==
== 24 AMIGA-Viruses (AMIGAVIR.A89) ==
== 6 Atari-Viruses (ATARIVIR.A89) ==
========================================================================
== This document contains the classifications of the following viruses: ==
== (=+=: additions to / =U=: updates of the last edition: July 31, 1989) ==
== ==
== 1) Autumn Leaves=Herbst="1704"=Cascade A Virus ==
== 2) "1701" = Cascade B Virus ==
== 3) Bouncing Ball = Italian = Ping Pong= Turin Virus =U=
== 4) "Friday 13th" = South African Virus =+=
== 5) GhostBalls Virus ==
== 6) Icelandic#1 = Disk Crunching = One-in-Ten Virus =U=
== 7) Icelandic#2 Virus =+=
== 8) Israeli = Jerusalem A Virus =U=
== 9) MachoSoft Virus =+=
== 10) Merritt = Alameda A = Yale Virus ==
== 11) Oropax = Music Virus ==
== 12) Saratoga Virus =+=
== 13) SHOE-B v9.0 Virus ==
== 14) VACSINA Virus =+=
== 15) Vienna = Austrian = "648" Virus =U=
========================================================================
== Remark: The following 13 MS-DOS-Viruses are presently being classified ==
== and will be published in the next edition (December 31, 1989): ==
== .) Brain A = Pakistani A-Virus (Pakistani Virus Strain) ==
== .) Datacrime I = 1168 Virus (Datacrime Virus Strain) ==
== .) Datacrime II = 1280 Virus (Datacrime Virus Strain) ==
== .) Den Zuk Virus (Venezuela/Search Virus Strain) ==
== .) Lehigh Virus ==
== .) FuManchu Virus (Israeli Virus Strain) ==
== .) NewZeeland= Marijuana= Stoned Virus (NewZealand Virus Strain) ==
== .) Pentagon Virus ==
== .) SURIV 1.01,2.01,3.00 Viruses (Israeli Virus Strain) ==
== .) Traceback Virus ==
== .) 405 Virus ==
========================================================================

========================================================================
== The Computer Virus Catalog may be copied free of charges provided ==
== that the source is properly mentioned at any time and location ==
== of reference. ==
== ==
== Editor: Virus Test Center, Faculty for Informatics ==
== University of Hamburg ==
== Schlueterstr. 70, D2000 Hamburg 13, FR Germany ==
== Prof. Dr. Klaus Brunnstein, Simone Fischer-Huebner ==
== Tel: (040) 4123-4158 (KB), -4715 (SFH), -4162(Secr.) ==
== Email (EAN/BITNET): [email protected] ==
========================================================================
== For essential updates (marked "U="), we wish to thank D.Ferbrache,==
== Y.Radai and F.Skulason for their continued help and support. New ==
== Catalog entries (MARKED "=+=") have been added by Ch.Fischer, ==
== University of Karlsruhe (VACSINA) and F.Skulason; thank you. ==
========================================================================
== Critical and constructive comments as well as additions are ==
== appreciated. Especially, descriptions of recently detected viruses ==
== will be of general interest. To receive the Virus Catalog Format, ==
== please contact the above address. ==
========================================================================


===== Computer Virus Catalog 1.2: Autumn Virus (July 15, 1989) =========
Entry...............: Autumn (Leaves) Virus
Alias(es)...........: Blackjack =1704- =Herbst(laub)= Cascade A-Virus
Virus Strain........: Cascade- = Autumn- =Herbst-Virus
Virus detected when.: September 1988
where.: University of Konstanz, FRG
Classification......: Program Virus (extending .COM), RAM resident
Length of Virus.....: .COM file length increases by 1704 bytes
--------------------- Preconditions ------------------------------------
Operating System(s).: MS-DOS
Version/Release.....: 2.xx upward
Computer model(s)...: IBM-PC, XT, AT and compatibles
--------------------- Attributes ---------------------------------------
Easy Identification.: ---
Type of infection...: System: infected if INT 21h, function 4Bh, subfunction
FFh, can be called without error and returns 55AAh in
the DI register.
.COM file: Program virus, increases COM files by
1704 Byte. A .COM file is infected if the
first instruction is a three byte jump with
DISP16 = (filelength minus viruslength).
.EXE file: no infection.
Infection Trigger...: Infects all files that are loaded via the function
4Bh and subfunction 00h of the interrupt 21h
(MS-DOS uses this function to start any program)
Interrupts hooked...: Int21h, Int28h (only if Clockdevice Year = 1980),
Int1Ch (only if damage is triggered)
Damage..............: Transient Damage: Modifies screen by making the
characters on the screen "fall down" on the screen
in connection with clicking noises.
Damage Trigger......: IF function GetDate returns with
1. ( year=1988 AND month>= 10 ) OR
2. ( year=1980 AND
2.1. clock is changed by user to year=1988
month>=10 OR
2.2. clock is changed by user to year>1988 )
AND a random number generator activates damage.
Particularities.....: 1. If the system is _not_ infected, the invocation
of an infected program produces errors (a system
crash is possible).
2. COM files up to a length of 63800 bytes will
be infected, but files with a length of more
than 63576 bytes are not loadable after
infection.
3. The virus body is encrypted with a key that
depends on the .COM file length.
4. The distinction between .EXE and .COM files is
made by testing the "magic number" (MZ) in the
.EXE header, not by the file name.
--------------------- Agents -------------------------------------------
Countermeasures.....: Category 3: ANTIHBST.EXE (VTC Hamburg)
Countermeasures successful: ANTIHBST.EXE is an antivirus that only looks
for the HERBST-virus and, if requested, will
restore the file.
Standard means......: ---
--------------------- Acknowledgement ----------------------------------
Location............: Virus Test Center, University Hamburg, FRG
Classification by...: Michael Reinschmiedt
Documentation by....: Michael Reinschmiedt
Morton Swimmer
Date................: July 15, 1989
===================== End of Autumn-Virus ==============================


===== Computer Virus Catalog 1.2: 1701-Virus (July 30, 1989 ) ==========
Entry...............: 1701-Virus
Alias(es)...........: =Cascade B-Virus
Virus Strain........: Cascade =Autumn =Herbst(laub)-Virus
Virus detected when.:
where.:
Classification......: Program Virus (extending .COM), RAM resident
Length of Virus.....: .COM file length increases by 1701 bytes
--------------------- Preconditions -----------------------------------
Operating System(s).: MS-DOS
Version/Release.....: 2.xx upward
Computer model(s)...: IBM-PC, XT, AT and compatibles
--------------------- Attributes -------------------------------------
Easy Identification.: ---
Type of infection...: System: infected if INT 21h, function 4Bh, subfunction
FFh, can be called without error and returns 55AAh in
the DI register.
.COM file: Program virus: increases COM files by
1701 Byte; a .COM file is infected if the
first instruction is a three byte jump with
DISP16 = (filelength minus viruslength).
.EXE file: no infection.
Infection Trigger...: Infects all files that are loaded via the function
4Bh and subfunction 00h of the interrupt 21h
(MS-DOS uses this function to start any program)
Interrupts hooked...: Int21h, Int28h (only if Clockdevice Year = 1980),
Int1Ch (only if damage is triggered)
Damage..............: Transient Damage: Modifies the screen by making the
characters on the screen "fall down" on the screen
in connection with clicking noises.
Damage Trigger......: IF function GetDate returns with
1. ( year=1988 AND month>=10 ) OR
2. ( year=1980 AND
2.1 clock is changed by user to year=1988,
month>=10 OR
2.2 clock is changed by user to year>1988 )
AND a random number generator activates damage.
Similarities........: The 1701-Virus is a patch of the Autumn Virus
(=1704-Virus), with the following changes:
1) The Filelength will increase by 1701 Bytes.
2) The analysis of the BIOS-Copyright string is
not active.
3) COM-Files up to a length of 63803 will be
infected.
Particularities.....: 1. If the system is _not_ infected, the invocation
of an infected program produces errors (a system
crash is possible).
2. COM files up to a length of 63803 bytes will be
infected, but files with a length of more than
63576 bytes are not loadable after infection.
3. The virus body is encrypted with a key that
depends on the .COM file length.
4. The distinction between .EXE and .COM files is
made by testing the "magic number" (MZ) in the
.EXE header, not by the file name.
--------------------- Agents ------------------------------------------
Countermeasures.....: Category 3: ANTI1701.EXE (VTC Hamburg)
Countermeasures successful: ANTI1701.EXE is an antivirus that only looks
for the 1701-Virus and, if requested, will restore
the file.
Standard means......: ---
--------------------- Acknowledgement ---------------------------------
Location............: Virus Test Center, University Hamburg, FRG
Classification by...: Michael Reinschmiedt
Documentation by....: Michael Reinschmiedt
Morton Swimmer
Date................: July 30, 1989
===================== End of 1701-Virus ================================


===== Computer Virus Catalog 1.2: Bouncing-Ball (September 10, 1989) ===

Entry.................. Bouncing-Ball Virus
Alias(es).............. Italian = Ping Pong = Turin-Virus
Strain................. ---
Detected: when......... March 1988
where........ University of Turin, Italy
Classification......... Bootsector/resident; loads to high-memory.
Length of Virus........ Length on disk: 2 Sectors of 512 Bytes
length plus original bootsector = 3 Sectors.
Length in RAM: 1024 Byte.

----------------------- Preconditions-----------------------------------

Operating System(s).... MS-DOS
Version/Release........ ---
Computer models........ IBM-PC, XT, AT and compatible

----------------------- Attributes--------------------------------------

Easy identification.... 1. The boot sector contains the word 1357h at
offset 01FCh. This is the marker by which the
virus recognizes an already infected disk.
2. Enter TIME 0, then immediately press any
key and Enter; if the virus is present, the
bouncing dot will be triggered
(-> Damage Trigger).

Type of infection...... Infects disk media as follows:
1. Determines whether infection is possible
2. Saves the original boot sector
3. Copies the virus's first sector to the
boot sector
4. Copies the virus's second sector to the
first free cluster
5. Marks that cluster as bad
6. Loads and jumps to the original boot sector.
Infection trigger...... Every disk that is _read_ using the BIOS
function 13h will be infected. (As all read
and write operations use this interrupt,
any disk operation can lead to infection.)
Media affected......... Infects floppy disks as well as hard disks.
The media must fulfill the following criteria:
1. 512 bytes per sector (standard)
2. There must be one free cluster
3. A cluster must be at least 2 sectors long.
For hard disks: The master boot block (which
contains disk and partition data) must conform
to the standard.
Interrupts hooked...... BIOS Int 13h

Damage................. Permanent: the boot block is overwritten
Transient: A small rhombus (IBM character set:
07h) moves like a "bouncing ball" (or
ping pong ball) over the screen.
Damage trigger......... Triggered randomly after a disk access within
1 second after the system clock reaches a
multiple of 30 minutes (e.g., 00:00, 00:30,
01:00, etc.).

Particularities........ 1. The virus loads itself to high memory and
reduces the memory available to the operating
system by modifying a BIOS variable.
2. The virus cannot always tell whether a hard
disk is non-standard (in which case it should
terminate). Should the virus try to infect a
non-standard disk, data on it may be destroyed.
Similarities........... ---

-------------------------- Agents---------------------------------------

Countermeasures........ Infected system disks can be cleaned by using
the DOS program "SYS.COM". (You must boot from
a clean disk.) The "bad" cluster will, however,
remain.
Countermeasures successful ---
Standard Means......... The DOS program "CHKDSK.COM" shows clusters
that contain bad sectors.

----------------------- Acknowledgements -------------------------------

Location............... Virus Test Center, University Hamburg, FRG
Classification by...... Michael Reinschmiedt
Documentation by....... Michael Reinschmiedt
Date................... July 30, 1989
Updated by............. Y.Radai, Hebrew University, August 31, 1989
Information source..... ---

================= End of Bouncing Ball-Virus ==========================


===== Computer Virus Catalog 1.2: "GhostBalls" Virus (Nov 2, 1989) ======

Entry...............: "GhostBalls"
Alias(es)...........: Ghost
Virus Strain........: Vienna (Dos-62)
Virus detected when.: Oct. '89
where.: Iceland
Classification......: .COM file infecting virus/Extending/Direct/Non-Resident
Length of Virus.....: 2351 bytes added to file

--------------------- Preconditions ------------------------------------
Operating System(s).: MS-DOS
Version/Release.....: 2.0 or higher
Computer model(s)...: IBM PC,XT,AT and compatibles

--------------------- Attributes ---------------------------------------
Easy Identification.: .COM files: "seconds" field of the timestamp
changed to 62, as in the original Vienna virus.
Infected files end in a block of 512 zero bytes.
Type of infection...: Extends .COM files. Adds 2351 bytes to the end
of the file and places a JMP instruction at the
beginning.
When an infected program is run, it will search for
a program to infect, and also try to place a modified
copy of the Ping-Pong virus on the boot sector in
drive A.
The virus will remove the Read-Only attribute from
programs in order to infect them. The attribute is
restored afterwards.
Infection Trigger...: One .COM file in the current directory with the
"seconds" field not equal to 62 will be infected
each time an infected program is run.
Storage media affected: Boot sectors on diskettes.
Interrupts hooked...:
Damage..............: .COM files and boot sectors modified. No permanent
damage.
Damage Trigger......:
Particularities.....: The destruction of 1 program in 8 in the original
Vienna virus has been disabled. The Ping-Pong
copy placed on drive A: has been modified in two ways:
It will work on a '286 machine but has been patched
so it will not infect other diskettes. Virus contains
the text string:

"GhostBalls, Product of Iceland"
Similarities........:

--------------------- Agents -------------------------------------------
Countermeasures.....: Any program that identifies the Vienna virus by
using signatures should be able to find infected files.
VIRSCAN (46) will identify infected files.
F-FCHK (by the author of this article) will
identify infected files and remove the infection.
Countermeasures successful:
Standard means......:

--------------------- Acknowledgement ----------------------------------
Location............: University of Iceland/Computing Services
Classification by...: Fridrik Skulason ([email protected])
Documentation by....: Fridrik Skulason
Date................: November 2, 1989
Information Source..:
========================= End of GhostBalls =============================


===== Computer Virus Catalog 1.2: Icelandic#1 Virus (Sept 20, 1989)====
Entry...............: "Icelandic virus" (Version #1)
Alias(es)...........: Disk-eating virus
Virus Strain........: Icelandic Virus
Virus detected when.: Mid-June '89
where.: Iceland
Classification......: .EXE file infecting virus/Extending/Resident
Length of Virus.....: 1. 656-671 bytes added to file
2. 2048 bytes in RAM
--------------------- Preconditions ------------------------------------
Operating System(s).: MS-DOS
Version/Release.....: 2.0 or higher
Computer model(s)...: IBM PC,XT,AT and compatibles
--------------------- Attributes ---------------------------------------
Easy Identification.: .EXE Files: Infected files end in 18 44 19 5F (hex).
System: Byte at 0:37F contains FF (hex)
Type of infection...: Extends .EXE files. Adds 656-671 bytes to the end
of the file. Length MOD 16 will always be 0.
Stays resident in RAM, hooks INT 21 and infects
other programs when they are executed via function
4B. It will remove the Read-Only attribute if
necessary, but the attribute is not restored. .COM
files are not infected.
Infection Trigger...: Every tenth program run is checked. If it is an
uninfected .EXE file it will be infected.
Storage media affected: ---
Interrupts hooked...: INT 21
Damage..............: If the current drive is a hard disk larger than
10M bytes, the virus will select one cluster and
mark it as bad in the first copy of the FAT.
Diskettes and 10M byte disks are not affected.
Damage Trigger......: The damage is done whenever a file is infected.
Particularities.....: The virus modifies the MCBs in order to hide
from detection. It will not activate if the INT 13
vector points anywhere other than segment 0070h or
F000h (i.e. if some resident program has already
hooked INT 13) when an infected program is run.
Similarities........: ---
--------------------- Agents -------------------------------------------
Countermeasures.....: All programs which check for .EXE file length
changes will detect infections.
Any virus prevention program that changes INT 13
will prevent the activation of the virus.
F-SYSCHK (by the author of this article) will
detect the system infection.
F-FCHK (by the author of this article) will
identify infected files.
Countermeasures successful: F-SYSCHK, F-FCHK (from F.Skulason's
ANTIVIRUS package)
Standard means......: Use DEBUG to check the byte at 0:37F.
Running any program which stays resident and
modifies INT 13 (like PRINT) will prevent the
virus from being activated.
--------------------- Acknowledgement ----------------------------------
Location............: University of Iceland/Computing Services
Classification by...: Fridrik Skulason ([email protected])
Documentation by....: Fridrik Skulason
Date................: July 8, 1989
Information Source..:
===================== End of Icelandic#1-Virus =========================


===== Computer Virus Catalog 1.2: Icelandic#2 Virus (Sept. 20, 1989)======
Entry...............: "Icelandic virus" (Version #2)
Alias(es)...........:
Virus Strain........: Icelandic Virus
Virus detected when.: July 20 1989
where.: Iceland
Classification......: .EXE file infecting virus/Extending/Resident
Length of Virus.....: 1. 632-647 bytes added to file
2. 2048 bytes in RAM
--------------------- Preconditions ------------------------------------
Operating System(s).: MS-DOS
Version/Release.....: 2.0 or higher
Computer model(s)...: IBM PC,XT,AT and compatibles
--------------------- Attributes ---------------------------------------
Easy Identification.: .EXE Files: Infected files end in 18 44 19 5F (hex).
System: Byte at 0:37F contains FF (hex)
Type of infection...: Extends .EXE files. Adds 632-647 bytes to the end
of the file. Stays resident in RAM, hooks INT 21 and
infects other programs when they are executed via
function 4B. It will remove the Read-Only attribute if
necessary, but it is not restored.
.COM files are not infected.
Infection Trigger...: Every tenth program run is checked. If it is an
uninfected .EXE file it will be infected.
Storage media affected: ---
Interrupts hooked...: INT 21
Damage..............: none
Damage Trigger......:
Particularities.....: The virus modifies the MCBs in order to hide from
detection. The INT 13 checking in the Icelandic-1
has been removed. The virus uses the name of the
file to determine if it is an .EXE file, but not
the true type, as determined by the first 2 bytes.
The virus assumes the program reserves all available
memory (FFFF paragraphs needed). Programs that do not
will cause a system crash when infected and run.
This virus is a version of the Icelandic-1 virus,
modified so that it does not use INT 21 calls to
DOS services. This is done to bypass monitoring
programs.
Similarities........:
--------------------- Agents -------------------------------------------
Countermeasures.....: All programs which check for .EXE file length
changes will detect infections.
Countermeasures successful:
Detection of infection:
F-FCHK (from F.Skulason's F-PROT package)
VIRUSCAN
Prevention of infection: F-FCHK
Removal: F-FCHK
Standard means......: Use DEBUG to check the byte at 0:37F.
--------------------- Acknowledgement ----------------------------------
Location............: University of Iceland/Computing Services
Classification by...: Fridrik Skulason ([email protected])
Documentation by....: Fridrik Skulason
Date................: Sept 20, 1989
Information Source..:
===================== End of Icelandic#2-Virus =========================


===== Computer Virus Catalog 1.2: Israeli-Virus (July 15, 1989) ========

Entry...............: Israeli-Virus
Alias(es)...........: Jerusalem (A) ="Friday 13th" Virus
Virus Strain........: Israeli-Virus
Virus detected when.: December 1987
where.: Hebrew University, Jerusalem, Israel
Classification......: Program Virus (extending), RAM-resident
overwriting under certain conditions.
Length of Virus.....: .COM files: length increases by 1813 bytes.
.EXE files: length increases by 1808-1823 bytes.
(.EXE file length must be a multiple of
16 bytes, as in any .EXE file)

--------------------- Preconditions ------------------------------------

Operating System(s).: MS-DOS
Version/Release.....: 2.xx upward
Computer model(s)...: IBM-PC, XT, AT and compatibles

--------------------- Attributes ---------------------------------------

Easy Identification.: Typical texts in Virus body (readable
with HexDump-facilities):
1. "MsDos" and "COMMAND.COM" in the Data area
of the virus and
2. "MsDos" are the last 5 bytes if the infected
program is a .COM file.

Type of infection...: System: infected if function E0h of INT 21h
returns value 0300h in the AX-register.
.Com files: program length increases by 1813
bytes if it is infected and the last 5
bytes are "MsDos" (identification). .COM
files are infected only once; COMMAND.COM
will not be infected.
.EXE files: program length increases by 1808
- 1823 bytes, and no identification is
used; therefore, .EXE files can be
infected more than once.
The virus uses the file length in the EXE
header to decide where to copy itself;
if this field contains a value smaller
than the actual length of the file,
then the virus will *overwrite* the file
instead of extending it!

Infection Trigger...: Programs are infected at load time (using the
function Load/Execute of MS-DOS).

Interrupts hooked...: INT21h, INT08h

Damage..............: Permanent Damage: On every "Friday the 13th",
every loaded program is deleted.
Transient Damage: On every other day, after 30
minutes a loop is bound into the
operating system, which slows the
system; At this moment, a 12-by-12
region of the screen is scrolled up by
two lines, leaving a black 2-by-12
rectangle on the screen.

Damage Trigger......: Every time the system is infected, one of the two
damage routines is activated, depending on the date.

Particularities.....: 1. .COM files larger than 63,466 bytes are no
longer loadable after infection.
2. .COM files larger than 63,723 bytes are
destroyed by overwriting.
3. .EXE files can be infected many times.
4. Three functions used by Novell Netware 4.0
can't be used.

--------------------- Agents -------------------------------------------

Countermeasures.....: Category 3: ANTIIS#1.EXE (VTC Hamburg)
Remark: 1) The well-known UnVirus (developed at
Hebrew University) safely detects and
disinfects this virus (plus 5 more).
2) Several antiviruses do not work safely,
e.g. M-JRUSLM (McAfee) destroys 10%
of the .EXE files during disinfection.

Countermeasures successful: ANTIIS#1.EXE is an antivirus that only
looks for the Israeli Virus and, if requested,
will restore the file.


Standard means......: ---

--------------------- Acknowledgement ----------------------------------

Location............: Virus Test Center, University Hamburg, FRG
Classification by...: Thomas Lippke, Michael Reinschmiedt
Documentation by....: Michael Reinschmiedt, Thomas Lippke
Morton Swimmer
Date................: July 15, 1989
Updates by..........: Y.Radai, Hebrew University, August 31, 1989

===================== End of Israeli-Virus ============================


======= Computer Virus Catalog 1.2: MachoSoft-Virus (1-Nov-89) =======

Entry.................. Macho (=MachoSoft) Virus
Alias(es).............. ---
Strain................. ---

Detected: when......... September 1989
where........ Wilhelmshaven, West Germany

Classification......... Program Virus (Link virus)
Length of Virus........ 3550-3560 (dec) bytes appended on
paragraph boundary

------------------------ Preconditions---------------------------------

Operating System(s).... MS/PC-DOS
Version/Release........ 3.00 and upwards
Computer models........ All IBM PC compatibles.

-------------------------- Attributes---------------------------------

Easy identification.... Any string "Microsoft" is replaced with
"Machosoft" on the hard disk.

Type of infection...... The virus infects both COM and EXE files.
In the case of EXE files, it checks the
checksum in the EXE header for 7CB6h, in
which case no infection will occur. COM
files are checked by looking for the
string 39,28,46,03,03,01 (hex) at offset
10h. The virus is not RAM resident,
therefore it will only infect when the
host is run. It infects by searching
through the directories on the current
drive and randomly choosing files and
directories to infect or search. It will
not infect any other drive. It will infect
COMMAND.COM.

Infection trigger...... None, it will infect any time it is run.

Media affected......... All disks that are addressable using
standard DOS functions.

Interrupts hooked...... ---

Damage................. Will replace any occurrence of "MicroSoft"
with "Machosoft". It does this by using
the DOS (not BIOS) interrupts 25h and 26h,
and searching the disk from beginning to
end, sector by sector. It tries 20h
sectors at a time, and stores the last
sector processed in the file
"\IBMNETIO.SYS", which is marked "system"
and "hidden". After reaching the last sector,
it will start from the beginning again.

Damage trigger......... Every time the host is run.

Particularities........ The virus checks for the environment
variable "VIRUS=OFF", in which case it
will not infect. The virus is encrypted
using a variable key.
The virus will only do damage after January 1,
1985.
The virus has some trouble searching the
directories. Most of the effort goes into
infecting the beginning of the disk. Macho
may not even reach the end of the disk on
larger systems.
As the programmer was otherwise very
professional in his programming, we may
see a version with a better directory
searching algorithm soon.
I've been told that DOS interrupts 25h and
26h are no longer supported by Microsoft
in DOS 4.0. This would obviously have its
consequences.

Similarities........... ---

---------------------------- Agents-----------------------------------

Countermeasures........ Use the environment variable described
above as a first-aid measure only. If your
COMMAND.COM is infected, that won't stop
the virus much. Resetting the date will
only stop the damage, not the infection.
Here's one of the few strings that can
safely be searched for:
50,51,56,BE,59,00,B9,26,08,90,D1,E9,8A,E1,
8A,C1,33,06,14,00,31,04,46,46,E2,F2,5E,59

- ditto - successful... For proper treatment, my Anti-Virus
"NTIMACHO" is highly recommended (in all
humility). Treatment by hand is very
tedious and only for experts.

Standard Means......... Booting from a write-protected disk and
restoring all COM and EXE files from the
original disks is the only way.

----------------------- Acknowledgements------------------------------

Location............... Virus Test Center, University of Hamburg, FRG
Classification by...... Morton Swimmer
Documentation by....... Morton Swimmer
Date................... 1-Nov-1989
Information source..... "The Peter Norton Programmer's Guide to
the IBM PC" (1985), and the members of our
group.
======================= End of MachoSoft-Virus =======================


===== Computer Virus Catalog 1.2: Merritt Virus (June 5, 1989) =========
Entry...............: Merritt
Alias(es)...........: =Yale =Alameda (A) -Virus
Virus Strain........: Merritt/Alameda-Strain
Virus detected when.: November 24, 1988
where: University of New Brunswick, Fredericton, CANADA
First detection: Merritt College, California, 1987
Classification......: System Virus (= BootSector-Virus)
Length of Virus.....: 512 Bytes
--------------------- Preconditions ------------------------------------
Operating System(s).: MS-DOS
Version/Release.....:
Computer Models.....: IBM PCs and Compatibles (not ATs=80286).
--------------------- Typical Attributes -------------------------------
Easy Identification.: No characteristic text (in code, Vol-labels etc).
Type of infection...: Boots when infected disk is inserted and system
is booted. Installs itself in high memory, removes
that memory from DOS. Installs itself as the
Warm-start (CTRL+ALT+DEL) interrupt handler
(actually the keyboard handler); spreads by
CTRL+ALT+DEL interrupt handler. Moves "real" boot
sector to track 39, sector 8. Does not infect
.COM or .EXE files.
Damage..............: Permanent Damage: moves the boot block to track 39,
sector 8 (if there was a file there, it is corrupted).
This sector is not marked as bad, so a file may
overwrite the real boot block and the disk may
become "NOT bootable". It will count to 39 and
then blast the FAT ('0'). It counts a certain
keystroke (there is also code for decrementing the
count by another keystroke).
Particularities.....: Hangs-up 80286-systems.
Similarities........: With other members of Merritt/Alameda-strain.
--------------------- Agents -------------------------------------------
Tested vaccines.....: Michael MacDonald's own vaccine, which identifies
the virus and overwrites the boot block.
Vaccines successful.: Michael MacDonald's own vaccine.
Standard means......: Compare boot sector of infected disk with a
"real" system disk. If different: check track 39,
sector 8; if this contains the real boot block,
execute a SYS command to reinstall real boot block
and system files.
--------------------- Classification -----------------------------------
Location............: School of Computer Science,
University of New Brunswick
Classification by...: Michael J. MacDonald
Documentation by....: Michael J. MacDonald, Software Specialist
University of New Brunswick, P.O.Box 4400
Fredericton, New Brunswick, CANADA E3B 5A3
BITNET: [email protected]
Date of Entry.......: June 5, 1989
Information Source..: ---
===================== End of Merritt Virus =============================


===== Computer Virus Catalog 1.2: OROPAX-Virus (July 15, 1989) =========
Entry...............: OROPAX Virus
Alias(es)...........: Music Virus
Virus Strain........: ---
Virus detected when.: February 1989
Classification......: Program Virus (extending), Direct Action,
RAM-resident
Length of Virus.....: COM files: length increased by 2756-2806 bytes,
always divisible by 51.
--------------------- Preconditions ------------------------------------
Operating System(s).: MS-DOS
Version/Release.....: 2.xx upward
Computer model(s)...: IBM-PC, XT, AT and compatibles
--------------------- Attributes ---------------------------------------
Easy Identification.: Typical texts in Virus body (readable with HexDump
facilities): "????????COM" and "COMMAND.COM"
Type of infection...: System: RAM-resident, infected if function 33E0h
of interrupt 21h returns 33E0h in AX-register.
.COM File: extending by using FindFirst/FindNext-
function in the home directory until a COM File
is encountered with a different Attribute than
N or A. Files are only infected once.
The following .COM-files will not be infected:
- COMMAND.COM,
- COM files with length divisible by 51,
- COM file with an attribute other than N or A,
- COM files longer than 61980 Bytes.
.EXE File: no infection.
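Added example (not part of the catalog and not code from the VTC): a Python model of the OROPAX infection decision described above, run over a constructed directory listing. The catalog gives the exclusion list, the 2756-2806 byte growth and the "divisible by 51" self-identification; the model assumes a 2756-byte body padded up to the next multiple of 51, which reproduces the stated range. The DOS attribute bit values are the standard ones; the file names and sizes are made up. Because the virus treats any COM file whose length is divisible by 51 as already infected, the same rule yields a crude inoculation: pad a clean COM file to the next multiple of 51 (this changes the file, so integrity checkers must be re-baselined, and it protects against OROPAX only).

```python
"""OROPAX infection-decision model (added example, not code from the catalog)."""

OROPAX_BODY = 2756        # smallest stated increase; assumed to be the body length
OROPAX_MODULUS = 51       # infected files always have length % 51 == 0
OROPAX_MAX_LEN = 61980    # longer COM files are skipped (catalog)

# Standard DOS directory attribute bits.
ATTR_READONLY = 0x01
ATTR_HIDDEN = 0x02
ATTR_SYSTEM = 0x04
ATTR_ARCHIVE = 0x20
ALLOWED_ATTRS = {0x00, ATTR_ARCHIVE}   # "N" (no bits set) or "A" (archive only)


def infected_length(original_length: int) -> int:
    """Length after infection: body appended, then padded to a multiple of 51 (assumed)."""
    n = original_length + OROPAX_BODY
    return -(-n // OROPAX_MODULUS) * OROPAX_MODULUS   # ceiling to multiple of 51


def would_infect(name: str, length: int, attrs: int) -> bool:
    """Apply the catalog's exclusion list to one directory entry."""
    upper = name.upper()
    if upper == "COMMAND.COM" or not upper.endswith(".COM"):
        return False
    if length % OROPAX_MODULUS == 0:       # looks infected already (or is accidentally immune)
        return False
    if attrs not in ALLOWED_ATTRS:         # read-only, hidden or system: skipped
        return False
    if length > OROPAX_MAX_LEN:
        return False
    return True


def immunised_length(length: int) -> int:
    """Smallest length >= length that OROPAX would mistake for an infected file."""
    return -(-length // OROPAX_MODULUS) * OROPAX_MODULUS


def scan_directory(entries):
    """entries: iterable of (name, length, attrs); returns the names OROPAX would hit."""
    return [name for name, length, attrs in entries if would_infect(name, length, attrs)]


# Constructed sample directory listing (not real files).
SAMPLE_DIR = [
    ("COMMAND.COM", 25307, ATTR_ARCHIVE),   # always skipped
    ("EDIT.COM",    1000,  ATTR_ARCHIVE),   # candidate
    ("FOO.COM",     1020,  ATTR_ARCHIVE),   # 1020 = 20 * 51 -> treated as infected
    ("BAR.COM",     5000,  ATTR_READONLY),  # read-only: skipped
    ("BIG.COM",     62000, ATTR_ARCHIVE),   # above 61980: skipped
    ("PROG.EXE",    4096,  ATTR_ARCHIVE),   # EXE files are never infected
]

if __name__ == "__main__":
    print("would be infected:", scan_directory(SAMPLE_DIR))
    print("EDIT.COM after infection:", infected_length(1000),
          "bytes (+%d)" % (infected_length(1000) - 1000))
    print("pad EDIT.COM to", immunised_length(1000), "bytes to inoculate it")
```

The resident check (INT 21h with AX=33E0h answering 33E0h) cannot be issued from a modern process; on a real DOS system it would be a three-line DEBUG or assembler stub, which is why only the file-level decision is modelled here.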
Infection Trigger...: A call to one of the following INT 21h functions:
39h, 3Ah, 3Ch, 3D01h, 41h, 43h, 46h, 13h, 16h or 17h;
these functions are also used by the internal
(resident) DOS commands, e.g. MD, RD, DEL, REN
and COPY.
Interrupts hooked...: INT08h, INT20h, INT21h, INT27h
Damage..............: Transient damage: after 5 minutes the virus starts
to play three melodies repeatedly, with a 7 minute
pause in between. This can only be stopped with a
reset. OROPAX earplugs and earcaps can be used to
avoid "music overload".
Damage Trigger......: Using a random number generator, the virus decides
whether to become active.
--------------------- Agents -------------------------------------------
Countermeasures.....: Category 3: ANTIORO.EXE (VTC Hamburg)
Countermeasures successful: ANTIORO.EXE finds and restores infected
programs (only for OROPAX).
Standard means......: Watch .COM file lengths (an infected file has grown
by 2756-2806 bytes to a length divisible by 51).
--------------------- Acknowledgement ----------------------------------
Location............: Virus Test Center, University Hamburg, FRG
Classification by...: Thomas Lippke
Documentation/Translation: Morton Swimmer
Date................: July 15, 1989
===================== End of OROPAX-Virus ==============================


== Computer Virus Catalog 1.2: South African Friday 13. (Sept.20,1989)==
Entry...............: "South African Friday the 13th" virus
Alias(es)...........: Miami, Munich
Virus Strain........:
Virus detected when.: 1987
where.: South Africa
Classification......: .COM file infecting virus/Extending/Direct
Length of Virus.....: 419 bytes
--------------------- Preconditions ------------------------------------
Operating System(s).: MS-DOS
Version/Release.....: 2.0 or higher
Computer model(s)...: IBM PC,XT,AT and compatibles
--------------------- Attributes ---------------------------------------
Easy Identification.: Text "INFECTED" found near start of virus.
Type of infection...: Virus adds itself to end of file and places a
three-byte jump at the beginning.
Infection Trigger...: When an infected file is run, it will infect every
.COM file in the current directory, with the excep-
tion of COMMAND.COM.
Storage media affected:
Interrupts hooked...: ---
Damage..............: Every infected file run on a Friday the 13th will
be deleted.
Damage Trigger......: Current date, as reported by DOS.
Particularities.....: ----
Similarities........: The effect is similar to that of other, unrelated
viruses. VIRUS-B is a modified variant of this
virus.
--------------------- Agents -------------------------------------------
Countermeasures.....: All programs which check for .COM file length
changes will detect infections.
Simply making all .COM files read-only is effective
against this virus.
Countermeasures successful:
Detection of infection:
F-FCHK (from F.Skulason's F-PROT package)
VIRUSCAN
Removal: F-FCHK
Standard means......: Write-protect every .COM file with "attrib +r *.COM".
--------------------- Acknowledgement ----------------------------------
Location............: University of Iceland/Computing Services
Classification by...: Fridrik Skulason ([email protected])
Documentation by....: Fridrik Skulason
Date................: Sept 20, 1989
Information Source..: ---
===================== End of South-African virus =======================


===== Computer Virus Catalog 1.2: Saratoga Virus (Sept. 20, 1989)======
Entry...............: "Saratoga virus"
Alias(es)...........:
Virus Strain........: Icelandic Virus
Virus detected when.: July '89
where.: Saratoga (California)
Classification......: .EXE file infecting virus/Extending/Resident
Length of Virus.....: 1. 642-657 bytes added to file
2. 2048 bytes in RAM
--------------------- Preconditions ------------------------------------
Operating System(s).: MS-DOS
Version/Release.....: 2.0 or higher
Computer model(s)...: IBM PC,XT,AT and compatibles
--------------------- Attributes ---------------------------------------
Easy Identification.: .EXE Files: Infected files end in "PooT".
System: Byte at 0:37F contains FF (hex)

Type of infection...: Extends .EXE files. Adds 642-657 bytes to the end
of the file. Stays resident in RAM, hooks INT 21 and
infects other programs when they are executed via
function 4B. It will remove the Read-Only attribute if
necessary, but it is not restored.
.COM files are not infected.
Infection Trigger...: One out of every two programs run is checked. If it is
an uninfected .EXE file it will be infected.
Storage media affected: ---
Interrupts hooked...: INT 21
Damage..............: If the current drive is a hard disk larger than
10M bytes, the virus will select one cluster and
mark it as bad in the first copy of the FAT.
Diskettes and 10M byte disks are not affected.
Damage Trigger......: The damage is done whenever a file is infected.
Particularities.....: The virus modifies the MCBs (memory control blocks)
in order to hide from detection. The INT 13h check
of the original (Icelandic-1) version has been removed.
The virus decides from the file name whether a file
is an .EXE file, not from the true type as given by
the first two bytes (the "MZ" signature).
The virus assumes the program reserves all available
memory (maximum allocation of FFFFh paragraphs in
the EXE header). Programs that do not will cause a
system crash when infected and run.
Similarities........: This virus is just a minor variant of Icelandic-1.
--------------------- Agents -------------------------------------------
Countermeasures.....: All programs which check for .EXE file length
changes will detect infections.
Countermeasures successful:
Detection of infection:
F-FCHK (from F.Skulason's F-PROT package)
VIRUSCAN
Removal: F-FCHK
Standard means......:
--------------------- Acknowledgement ----------------------------------
Location............: University of Iceland/Computing Services
Classification by...: Fridrik Skulason ([email protected])
Documentation by....: Fridrik Skulason
Date................: Sept 20, 1989
Information Source..: ---
======================= End of Saratoga Virus =========================


===== Computer Virus Catalog 1.2: SHOE-B v9.0 (July 10, 1989) ==========
Entry.................. SHOE-B v9.0
Alias(es).............. ---
Strain................. Brain/Pakistani
Detected: when......... November 1988
where........ Houston University
Classification......... System (Boot sector) virus
Length of Virus........ approx. 3k (not all is actually used)
------------------------ Preconditions----------------------------------
Operating System(s).... MS-DOS
Version/Release........ Should work with all versions
Computer models........ IBM-PC's and compatibles
-------------------------- Attributes-----------------------------------
Easy identification.... The volume label of the infected disk will
read: "(c) Brain"
Type of infection...... The virus installs itself in high memory after
booting with an infected disk. It captures all
read and write calls to the disk, checks for
infection and, if not yet present, infects the
disk. Infection occurs by flagging five blocks
as bad, copying itself and the original boot
sector into those five blocks, and replacing the
boot sector with its own. The virus identifies
itself by checking the boot sector for the
word 1234h at position 0004h in the boot sector.
Infection trigger...... Counter: will attempt to infect initially
after 31 read/write calls, subsequently after
every fourth call.
Media affected......... Only floppy disks; Hard disks not infected.
Interrupts hooked...... Int 13h functions 2,3 (read,write).
Damage................. Destroys five blocks (as well as the boot
sector) upon infection, otherwise nothing.
Damage trigger......... ---
Particularities........ The virus watches for attempts to read the boot
sector and returns the original boot sector instead.
While the virus is resident it can therefore not be
identified with utilities such as PC-TOOLS or
NORTON UTILITIES; the disk must be examined after
booting from a clean, write-protected disk.
An infected boot sector contains the following
typical text: "Welcome to the Dungeon
(c) 1986 Basit & Amjads (pvt) Ltd
VIRUS_SHOE RECORD v9.0 Dedicated to the dynamic
memories of millions of virus who are no longer
with us today - Thanks GOODNESS!! BEWARE OF THE
er..VIRUS: \this program is catching program
follows after these messeges..... $#%$!! ";
this text is never displayed.
Similarities........... Similar to all viruses of Pakistani/Brain strain.
----------------------- Agents -----------------------------------------
Countermeasures........ ----
Countermeasures successful ---
Standard Means......... The DOS command "SYS n:" (where n is the drive
of the infected disk) will disinfect the disk
IF AND ONLY IF you have booted from a clean disk.
You will have to use utilities such as PC-TOOLS
to recover the "bad" sectors.
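Added example (not part of the catalog and not code from the VTC or from the University of Iceland): offline triage of a FAT12 image for the two FAT-level traces described in the Saratoga and SHOE-B entries. Saratoga marks one cluster bad in the first copy of the FAT only, so comparing the two FAT copies exposes it; SHOE-B flags five blocks as bad, writes the word 1234h at offset 0004h of the boot sector and carries the "(c) Brain" label; Saratoga-infected EXE files end in "PooT". Assumptions: a standard BIOS Parameter Block in the boot sector (so the FAT layout can be read from it), 512-byte sectors, and an image taken after a clean boot (while Brain is resident it hands back the original boot sector, so an image made on the infected machine will look clean). The disk image is constructed in memory, not taken from a real infected disk.

```python
"""FAT12 triage for Saratoga / SHOE-B traces (added example, constructed image)."""
import struct

BAD12 = 0xFF7          # FAT12 "bad cluster" marker
BRAIN_MARK_OFFSET = 4  # catalog: word 1234h at position 0004h of the boot sector


def bpb(boot: bytes) -> dict:
    """Read the fields of the BIOS Parameter Block needed to locate the FATs."""
    bps, spc, reserved, nfats = struct.unpack_from("<HBHB", boot, 11)
    sectors_per_fat = struct.unpack_from("<H", boot, 22)[0]
    return {"bps": bps, "spc": spc, "reserved": reserved, "nfats": nfats, "spf": sectors_per_fat}


def fat12_entry(fat: bytes, cluster: int) -> int:
    off = cluster + cluster // 2                      # 12-bit entries, 1.5 bytes each
    word = fat[off] | (fat[off + 1] << 8)
    return word >> 4 if cluster & 1 else word & 0xFFF


def fat12_set(fat: bytearray, cluster: int, value: int) -> None:
    off = cluster + cluster // 2
    word = fat[off] | (fat[off + 1] << 8)
    word = (word & 0x000F) | (value << 4) if cluster & 1 else (word & 0xF000) | value
    fat[off], fat[off + 1] = word & 0xFF, word >> 8


def fat_copies(image: bytes):
    """Slice every FAT copy out of the image using the BPB."""
    p = bpb(image[:512])
    size, start = p["spf"] * p["bps"], p["reserved"] * p["bps"]
    return [image[start + i * size: start + (i + 1) * size] for i in range(p["nfats"])]


def bad_clusters(fat: bytes, total_clusters: int):
    return [c for c in range(2, total_clusters + 2) if fat12_entry(fat, c) == BAD12]


def fat_copy_mismatch(image: bytes, total_clusters: int):
    """Clusters bad in FAT #1 but not in FAT #2: Saratoga only touches the first copy."""
    fats = fat_copies(image)
    if len(fats) < 2:
        return []
    return sorted(set(bad_clusters(fats[0], total_clusters)) - set(bad_clusters(fats[1], total_clusters)))


def brain_boot_indicators(boot: bytes) -> dict:
    mark = struct.unpack_from("<H", boot, BRAIN_MARK_OFFSET)[0]
    return {"word_1234h": mark == 0x1234, "label_text": b"(c) Brain" in boot}


def saratoga_exe_trailer(data: bytes) -> bool:
    """Catalog: Saratoga-infected .EXE files end in "PooT"."""
    return data[-4:] == b"PooT"


def build_image(bad_in_both=(), bad_in_first_only=(), brain=False) -> bytes:
    """Constructed FAT12 image: boot sector + two one-sector FATs, no data area."""
    boot = bytearray(512)
    boot[0:3] = b"\xEB\x3C\x90"
    struct.pack_into("<HBHB", boot, 11, 512, 1, 1, 2)     # bps, spc, reserved, nfats
    struct.pack_into("<H", boot, 22, 1)                   # sectors per FAT
    if brain:
        struct.pack_into("<H", boot, BRAIN_MARK_OFFSET, 0x1234)
        boot[0x100:0x109] = b"(c) Brain"
    fat1, fat2 = bytearray(512), bytearray(512)
    for fat in (fat1, fat2):
        fat[0:3] = b"\xF0\xFF\xFF"                        # media descriptor entries 0 and 1
    for c in bad_in_both:
        fat12_set(fat1, c, BAD12)
        fat12_set(fat2, c, BAD12)
    for c in bad_in_first_only:
        fat12_set(fat1, c, BAD12)
    return bytes(boot + fat1 + fat2)


if __name__ == "__main__":
    saratoga_like = build_image(bad_in_first_only=(17,))
    brain_like = build_image(bad_in_both=(10, 11, 12, 13, 14), brain=True)
    print("bad in FAT#1 only:", fat_copy_mismatch(saratoga_like, 64))
    print("bad clusters:", bad_clusters(fat_copies(brain_like)[0], 64),
          brain_boot_indicators(brain_like[:512]))
```

On a real disk, clusters marked bad in both FAT copies may of course be genuine media defects; the Brain signature in the boot sector, or a count of five fresh "bad" blocks on a floppy that formatted cleanly, is what distinguishes the virus.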
----------------------- Acknowledgements--------------------------------
Location............... VTC Hamburg, FRG
Classification by...... Morton Swimmer
Documentation by....... Morton Swimmer
Date................... June 29, 1989
Information source..... PC VIRUS LISTING (Jim Goodwin)
======================= End of SHOE-B v9.0 Virus =======================


===== Computer virus catalog: VACSINA Rev. 2 (Nov. 14, 1989) ========
Entry.................. VACSINA virus
Alias(es).............. ---
Strain................. ---
Detected: when......... Early August 1989
where........ University of Cologne, West-Germany
Classification......... File virus/resident, with update facility
Length of virus........ length added to a COM-type file: 1206-1221 bytes;
length added to an EXE-type file: 132 bytes (loader),
then as for a COM-type file

----------------------- Preconditions-----------------------------------

Operating System(s).... MS-DOS
Version/Release........ ---
Computer models........ IBM-PC, XT, AT, PS/2 and compatibles

----------------------- Attributes--------------------------------------

Easy identification.... The string 'VACSINA' in the virus code;
the last 4 bytes of an infected file are
F4 7A 05 00;
memory location 0000:00C5 contains 7F 39 05
when VACSINA is resident.
The bytes 05 00 at the end of the file and
the 05 at memory location 0000:00C7 are the
version number of VACSINA (see below).

Type of infection...... VACSINA installs a TSR that traps INT 21H
function 4BH (load & execute). Every file
that is loaded via this function will be
infected (provided some constraints are met,
see below).
VACSINA checks the version number (current is
0005) and will remove earlier versions of itself
and substitute the newer virus code!

Infection trigger...... Executing an uninfected file after an infected
file was used.

Media affected......... Any file loadable via INT 21H function 4BH
that either starts with E9H (jump) or 'MZ'
(EXE header). This includes COM, EXE, OVL and
APP (GEM) files.
Files with a leading E9H must be bigger than
1206 and smaller than 62867 bytes.
Files with an EXE header must not be bigger
than 64947 bytes for the 132-byte loader attachment;
after that they have to meet the constraints
of an E9H-headed file.

Interrupts hooked...... INT 21H (function 4BH), INT 24H
The INT 31H vector table entry (0000:00C4-00C7)
is used as the VACSINA-present flag.

Damage................. After a successful infection of a COM-type file
a beep (DOS BELL) is issued.
NO OTHER PAYLOAD!
This looks like test code for the infection
mechanism.

Damage trigger......... The beep is triggered when a COM-Type file is
successfully infected.

Particularities........ Probably a test version that escaped prematurely:
there is no payload, there is the beep when
infecting another file, and some code sections
are incomplete.
The virus opens a file 'VACSINA' and closes it
after a while, never writing to or reading from it.
The return codes of the open and close operations
are ignored.
The word for vaccine is written with two Cs in
all languages that use Latin letters except
Norwegian (they write vaksine).
The virus has an update facility and will replace
old versions with new versions of itself!
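Added example (not part of the catalog and not code from the Micro-BIT Virus Center): a Python model of the VACSINA file-level indicators and of its version-update decision as given in this entry. Taken from the catalog: the trailer F4 7A 05 00 with the last word being the version (0005h), the E9H/'MZ' candidate test, the size limits, the 132-byte loader for EXE files, and the resident marker 7F 39 05 at 0000:00C5, which lies inside the INT 31H vector entry (0000:00C4-00C7). Assumptions: the trailer is two fixed bytes followed by a little-endian 16-bit version, the updater compares that word against its own version, and the EXE size test applies to the file length plus the 132-byte loader. The loader attachment itself is not modelled, and all sample files are constructed.

```python
"""VACSINA indicators and update decision (added example, constructed samples)."""
import struct

VACSINA_TRAILER_MAGIC = b"\xF4\x7A"      # bytes preceding the version word at EOF
VACSINA_CURRENT_VERSION = 5              # catalog: current version is 0005
LOADER_BYTES = 132                       # attached to EXE files before COM-style infection
COM_MIN, COM_MAX = 1206, 62867           # exclusive bounds for E9H-headed files
EXE_MAX = 64947                          # inclusive bound for MZ files before the loader


def vacsina_version(data: bytes):
    """Return the VACSINA version word if the trailer is present, else None."""
    if len(data) < 4 or data[-4:-2] != VACSINA_TRAILER_MAGIC:
        return None
    return struct.unpack("<H", data[-2:])[0]


def is_candidate(data: bytes) -> bool:
    """Would a resident VACSINA consider this loadable image for infection?"""
    n = len(data)
    if data[:1] == b"\xE9":
        return COM_MIN < n < COM_MAX
    if data[:2] == b"MZ":
        # Assumption: the loader is attached first, then the COM-style bounds apply.
        return n <= EXE_MAX and COM_MIN < n + LOADER_BYTES < COM_MAX
    return False


def classify(data: bytes, resident_version: int = VACSINA_CURRENT_VERSION) -> str:
    """Decide what the resident virus would do with this file."""
    version = vacsina_version(data)
    if version is None:
        return "infect" if is_candidate(data) else "skip"
    if version < resident_version:
        return "update"      # older copy removed and replaced by the newer code
    return "leave"           # same or newer version: already infected


def memory_flag_present(low_memory: bytes) -> bool:
    """Check the INT 31H vector (0000:00C4-00C7) for the resident marker 7F 39 05.

    `low_memory` is the first 256 bytes of real-mode memory as captured by some
    memory dump tool; the last byte of the marker is the version number.
    """
    return low_memory[0xC5:0xC8] == b"\x7F\x39\x05"


# Constructed samples (not real infected files).
CLEAN_COM = b"\xE9\x00\x00" + b"\x90" * 2000              # jmp + NOP sled
INFECTED_V5 = CLEAN_COM + b"X" * 1200 + b"\xF4\x7A\x05\x00"
INFECTED_V3 = CLEAN_COM + b"X" * 1200 + b"\xF4\x7A\x03\x00"
TINY_COM = b"\xE9\x00\x00" + b"\x90" * 100                 # below the 1206-byte limit
CLEAN_EXE = b"MZ" + b"\x00" * 3000

if __name__ == "__main__":
    for label, blob in [("clean COM", CLEAN_COM), ("infected v5", INFECTED_V5),
                        ("infected v3", INFECTED_V3), ("tiny COM", TINY_COM),
                        ("clean EXE", CLEAN_EXE)]:
        print("%-12s version=%-5s -> %s" % (label, vacsina_version(blob), classify(blob)))
```

The update path is the part worth noting for a cleaner: a file carrying an older trailer is rewritten by the virus itself, so file lengths and checksums of already-infected programs change again when a newer VACSINA becomes resident.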

Similarities........... ---

-------------------------- Agents---------------------------------------

Countermeasures........ ANTI-VD of the MVC (University of Karlsruhe)
detects and removes the virus from any file.
EXE-headers are reconstructed!

Countermeasures successful ---
Standard Means......... The DEL command after booting from a clean
systemdisk.

----------------------- Acknowledgements -------------------------------

Location............... Micro-BIT Virus Center University of Karlsruhe
West-Germany
Classification by...... C. Fischer, T. Boerstler, R. Stober
Documentation by....... C. Fischer, T. Boerstler, R. Stober
Date................... Nov. 13, 1989
Information source..... The update feature was first discovered by
David M. Chess, Yorktown Heights
================= END OF VACSINA VIRUS =================================


===== Computer Virus Catalog 1.2: Vienna Virus (October 31, 1989) ======

Entry...............: Vienna Virus
Alias(es)...........: "648 Virus", Austrian Virus
Classification......: Program Virus (Extending), Direct Action
Length of Virus.....: 648 Bytes

--------------------- Preconditions ------------------------------------
Operating System(s).: PC-DOS, MS-DOS
Version/Release.....: 2.xx and upward
Computer model(s)...: IBM-PC XT AT

--------------------- Attributes ---------------------------------------
Type of infection...: Self-identification: the seconds field of the
time stamp of an infected file is set to 62 (dec).
Infects .COM files (with length between 10 and
64,000 bytes) in the current directory of the
current drive and in all directories that are
accessible via the PATH definition.
Virus code is appended at the end of the file.

Infection Trigger...: Execution of an infected file.

Storage media affected: Hard and Floppy disks.

Damage..............: The first five bytes of the selected file are
overwritten with a long (far) jump to the BIOS
initialisation routine, so that running the
file restarts the machine instead of the program.

Damage Trigger......: If (seconds of the system time AND 7) equals 0,
i.e. for 8 of the 60 possible seconds values
(0, 8, 16, ..., 56).

Particularities.....: For infection, the virus selects a suitable
file and, depending on the value of the damage
trigger, either infects that file or overwrites
its first five bytes. The attributes, time and
date stamp of an infected file remain unchanged
except for the seconds field. The READ-ONLY
and HIDDEN attributes do not protect against
infection.
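Added example (not part of the catalog and not code from the VTC or from the University of Iceland): a Python scanner for the static indicators of the two direct-action COM appenders in this document, Vienna (this entry) and the "South African Friday the 13th" virus (entry above). Taken from the catalog: both append themselves to the .COM file and place a jump at its start; Vienna adds 648 bytes, infects files of 10-64,000 bytes, sets the seconds field of the time stamp to 62 and fires its payload when (seconds AND 7) is 0; the South African virus adds 419 bytes and has the text "INFECTED" near the start of its body. Assumptions: the entry jump is a near JMP (E9 rel16) whose target is the first byte of the appended body, and file times are packed 16-bit DOS directory times (seconds/2 in bits 0-4, which is why 62 is representable). The sample files are constructed; their appended bodies are NOP padding, not virus code, and unlike a real appender they do not save the overwritten entry bytes.

```python
"""Vienna / South African COM-appender indicators (added example, constructed samples)."""
import struct

VIENNA_LEN = 648
SA_LEN = 419
VIENNA_MIN, VIENNA_MAX = 10, 64_000


def dos_time_seconds(dos_time: int) -> int:
    """Seconds encoded in a packed DOS time word (bits 0-4 hold seconds/2)."""
    return (dos_time & 0x1F) * 2


def jmp_target(data: bytes):
    """Target file offset of a near JMP at offset 0, or None if there is none."""
    if len(data) < 3 or data[0] != 0xE9:
        return None
    rel = struct.unpack("<H", data[1:3])[0]
    return (3 + rel) & 0xFFFF                 # rel16 is relative to the next instruction


def vienna_indicators(data: bytes, dos_time: int) -> dict:
    body = len(data) - VIENNA_LEN             # where a 648-byte appended body would start
    return {
        "seconds_62": dos_time_seconds(dos_time) == 62,
        "jump_to_tail": body >= 0 and jmp_target(data) == body,
        "in_target_range": VIENNA_MIN <= body <= VIENNA_MAX,
    }


def south_african_indicators(data: bytes) -> dict:
    body = len(data) - SA_LEN
    return {
        "jump_to_tail": body >= 0 and jmp_target(data) == body,
        "infected_text": body >= 0 and b"INFECTED" in data[body:body + 64],
    }


def vienna_damage_trigger(seconds: int) -> bool:
    """Catalog: the payload fires when (7 AND seconds of the system time) == 0."""
    return (seconds & 7) == 0


def make_infected(original: bytes, virus_len: int, marker: bytes = b"") -> bytes:
    """Constructed sample: entry redirected to a body of virus_len bytes appended at EOF."""
    body = marker + b"\x90" * (virus_len - len(marker))
    patched = b"\xE9" + struct.pack("<H", len(original) - 3) + original[3:]
    return patched + body


CLEAN = b"\xB4\x4C\xCD\x21" + b"\x90" * 500            # mov ah,4Ch / int 21h + padding
VIENNA_SAMPLE = make_infected(CLEAN, VIENNA_LEN)
SA_SAMPLE = make_infected(CLEAN, SA_LEN, b"\xEB\x08INFECTED")
VIENNA_TIME = (12 << 11) | (30 << 5) | 31              # 12:30, seconds field 31 -> 62 s
CLEAN_TIME = (12 << 11) | (30 << 5) | 15               # 12:30:30

if __name__ == "__main__":
    print("vienna sample :", vienna_indicators(VIENNA_SAMPLE, VIENNA_TIME))
    print("s.a. sample   :", south_african_indicators(SA_SAMPLE))
    print("clean file    :", vienna_indicators(CLEAN, CLEAN_TIME))
    print("vienna payload seconds:", [s for s in range(60) if vienna_damage_trigger(s)])
```

The seconds value 62 is the cheap check: a normal DOS program never writes it, so a directory listing tool that decodes the raw time word finds Vienna without opening the file. The length and jump checks are what an integrity checker of the kind mentioned under "Countermeasures" for the South African virus relies on, and they also catch files whose time stamp was later touched.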

--------------------- Agents: ------------------------------------------
Countermeasures.....: ----
Countermeasures successful: ---

Standard Means......: ----

--------------------- Acknowledgements: --------------------------------
Location............: Virus Test Center. University Hamburg, FRG
Classification by...: Rainer Anscheit (July 4, 1989)
Documentation by....: Rainer Anscheit (July 4,1989)
Updated by..........: Klaus Brunnstein
Date................: October 31, 1989
===================== End of Vienna Virus ==============================


========================================================================
== End of MSDOSVIR.A89 document ==
== (1.138 Lines, 6.271 Words, 62 kBytes) ==
========================================================================



3 Responses to "MSDOSVIR.A89" (archive MSDOSVIR.ZIP)

1. Very nice! Thank you for this wonderful archive. I wonder why I found it only now. Long live the BBS file archives!

2. This is so awesome! 😀 It'd be cool if you could download an entire archive of this at once, though.

3. But one thing that puzzles me is the "mtswslnkmcjklsdlsbdmMICROSOFT" string. There is an article about it here. It is definitely worth a read: http://www.os2museum.com/wp/mtswslnk/