
b-16.ciac-mac-dos-virus-catalog

Posted Sep 23, 1999


tags | virus
SHA-256 | 3ed761826cbbf30fbcbe0cbb9e4b2f33a9386f4de4d41239a25e796bf63af946

________________________________________________________________________
THE COMPUTER INCIDENT ADVISORY CAPABILITY
___ __ __ _ ___
/ | / \ /
\___ __|__ /___\ \___

INFORMATION BULLETIN
________________________________________________________________________

Virus Information Update

March 1, 1991, 1100 PST Number B-16

CIAC periodically issues bulletins about specific computer viruses.
These bulletins, however, do not cover all the computer viruses that
affect the PC-DOS/MS-DOS and Macintosh platforms. The purpose of this
bulletin is to identify most of the known viruses for these platforms,
and give an overview of the effects of each virus. This bulletin
supersedes CIAC Bulletin A-15 issued last year, and includes (at least
by name) more than 100 new viruses. As we continue to gather more
information, we will add it to future editions of this document.

The following pages of this bulletin contain three tables of
information, one for the PC-DOS/MS-DOS platform, one for the Macintosh
platform, and one for the names of viruses currently being investigated.
There is a two-line entry for each item in each table.

The first line gives the name, transmission vector (explained below),
method of infection, and possible damage. The second line gives an
overview of the operation of each virus. The fields include:

* The name field gives the different names by which the virus is
known, including different names for the same virus, and the names of
any nearly identical variants (clones).

* The transmission vector field describes the vehicle by which the
virus is transferred to a different machine. In most cases, this is an
executable application, though there are cases where documents or
invisible system files can transmit the virus.

* The method of infection field describes where and how the virus
inserts or attaches itself to a new machine.

* The potential damage field describes the damage that the virus may
do. (In most cases, damage caused by viruses appears to be
unintentional, i.e., most viruses do not appear to be programmed to
cause damage.)

* Finally, the overview field contains general comments describing
the virus and its effects.

PC-DOS/MS-DOS users desiring additional information can read the file
"Coping with Computer Viruses and Related Problems" by IBM (filename:
IBMPAPER.ZIP available from CIAC). For Macintosh users, the help file
built into Disinfectant and the Virus Encyclopedia HyperCard stack are
good sources of additional information. All of these and more are
available from FELIX, CIAC's bulletin board service.
__________________________________
The FELIX Virus Bulletin Board

FELIX, a bulletin board operated by CIAC, is available to the DOE
community and contains all the CIAC bulletins, descriptions of other
viruses, and public domain virus detection/protection software. For
example, one available file named CIACDB.TXT contains a more detailed
version of the tables contained in this bulletin, with details on some
viruses in addition to those described in this summary.

As with any software you obtain, you should exercise caution and scan
individual software packages before using the software for the first
time. All software on FELIX has been scanned for known viruses, but it
is advisable to scan it again using the most recent version of a virus
scanning tool such as DDI's Virhunt package (available to all DOE sites
- contact your operations office for details). Be sure to scan archived
applications after they have been extracted from the .ZIP, .ARC, or .SIT
archive, as scanning software cannot currently detect a virus within an
application until it is in an executable form (.EXE or .COM file).

Access to FELIX at speeds up to 2400 baud may be obtained by using a
modem to call (415) 423-4753 or (FTS) 543-4753 (8 bit, no parity, 1 stop
bit). High speed access can be obtained at the Lawrence Livermore
National Laboratory, and the Lawrence Berkeley National Laboratory using
423-9885. Downloadable PC-DOS/MS-DOS files are either text files (.TXT),
zip archives (.ZIP) or executables (.COM or .EXE). Text files and
executables can be downloaded directly and used. Be sure to use a binary
downloading capability such as XMODEM for the executable files. Files in
ZIP archives must be extracted after downloading with PKUNZIP (available
on FELIX) before they can be used. Macintosh files in SIT archives must
be extracted with Stuffit before they can be used. When downloading
Macintosh files, be sure to use MacBinary format (such as MacBinary
XMODEM) rather than plain binary format, if your terminal emulator
allows this.

If you are using a shareware package downloaded from FELIX or any other
source, be sure to follow the instructions in the package for
compensating the author. The cost is generally minimal ($10 to $50), for
some very useful applications.

For additional information or assistance, please contact CIAC

William Orvis
(415) 422-8649 or (FTS) 532-8649

During working hours call CIAC at (415) 422-8193 or
(FTS) 532-8193. For non-working hour emergencies, call
(415) 422-7222 or (FTS) 532-7222 and ask for CIAC
******(this is a new emergency number)******.

Send FAX messages to: (415) 423-0913 or (FTS) 543-0913

This document was prepared as an account of work sponsored by an agency
of the United States Government. Neither the United States Government
nor the University of California nor any of their employees, makes any
warranty, express or implied, or assumes any legal liability or
responsibility for the accuracy, completeness, or usefulness of any
information, apparatus, product, or process disclosed, or represents
that its use would not infringe privately owned rights. Reference herein
to any specific commercial products, process, or service by trade name,
trademark, manufacturer, or otherwise, does not necessarily constitute
or imply its endorsement, recommendation or favoring by the United
States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government or the University of California,
and shall not be used for advertising or product endorsement purposes.
__________________________________
About the CIAC Virus Database and Bulletin

This database is compiled and maintained by CIAC, the Computer Incident
Advisory Capability. The authors are William J. Orvis and David S.
Brown. Information in this bulletin has been gathered from many
sources, and we thank them all for their efforts. A partial listing of
our sources is given here, and we will correct any omissions in the next
release.

AIDS Technical Info, By Dr Alan Solomon, Barry Nielson and Simon
Meldrum.
David Chess - IBM.
Computer Virus Catalog, by Dr. Klaus Brunnstein, and Simone Fischer-
Huebner, Virus Test Center, Faculty for Informatics, University of
Hamburg
The Dirty Dozen -- An Uploaded Trojan/Virus Program Alert List, compiled
by Tom Sirianni of FidoNet 105 Node 301.
Disinfectant, by John Norstad, Academic Computing and Network Services,
Northwestern University.
Joe Hirst, British Computer Virus Research Centre.
Bill Kenny - Digital Dispatch Inc.
John McAfee - McAfee Associates
Jim Molini - Johnson Spacecraft Center
Mike Odawa - Simple Software
VIRUS-L - The virus news service moderated by Ken van Wyk.

__________________________________
Codes Used in the Virus Tables

The following codes are used in the Method of Infection field.

PC-DOS/MS-DOS Viruses
EXE Infects .EXE files.
COM Infects .COM files.
OVR Infects program overlay files.
CC Infects COMMAND.COM.
HDB Infects hard disk boot sectors.
HDP Infects hard disk partition tables.
FDB Infects floppy disk boot sectors.
RES Memory resident. The virus goes memory resident and infects disks
when they are inserted or programs when they are run.
ENC Encrypted. The virus code encrypts itself to make it difficult to
scan for.
TRJ A Trojan horse, not a virus.
WRM A Worm, not a virus.

Macintosh Viruses
TYP1 Adds viral code as a new code segment, and patches the jump table
to point to the new segment. For example, when an application is infected
with nVIR, the virus attaches a CODE 256 resource to the end of the
application and changes the CODE 0 resource (the jump table) to jump to
and execute the CODE 256 resource before executing the application.
Most Macintosh viruses (today) are of this type, for example: Scores,
nVIR, INIT29.
TYP2 Adds its viral code to the end of the main code segment, and
patches the jump table to point to the new viral code.
TYP3 Adds its viral code to the end of the main code segment, and
patches the first program instruction to jump or return jump to the new
viral code. It does not patch the jump table.
TYP4 Adds its viral code to the end of the main code segment, and
patches the first program instruction to jump or return jump to the new
viral code. This is a variant of type 3, except that it has a bug.
Instead of adding its code to and patching the first instruction in
the main code segment, it makes the incorrect assumption that the main
code segment is some constant k. ANTI is a type 4 virus with k=1.
INIT Adds viral code as an INIT resource on the system file.
APP Infects applications and the Finder.
SYS Infects the system file.
DTOP Infects the Desktop file.
DOCS Infects document files.

The following codes are used in the Potential Damage field.

BOOT Overwrites or corrupts a disk's boot sector.
PROG Corrupts a program or overlay files.
FMT Attempts to format the disk.
RUN Interferes with a running application.
DATA Corrupts a data file.
FAT Corrupts the file linkages or the file allocation table (FAT).
ERASE Attempts to erase all mounted disks.
__________________________________
DISTRIBUTION*

No change from previous bulletin.

* - Provided to CIAC by the Department of Energy; for changes, please
contact your operations office.

CIAC BULLETINS ISSUED

SUN 386i authentication bypass vulnerability
nVIR virus alert
/dev/mem vulnerability
tftp/rwalld vulnerability
"Little Black Box" (Jerusalem) virus alert
restore/dump vulnerability
rcp/rdist vulnerability
Internet trojan horse alert
NCSA Telnet vulnerability
Columbus Day (DataCrime) virus alert
Columbus Day (DataCrime) virus alert (follow-up notice)
Internet hacker alert (notice A-1)
HEPnet/SPAN network worm alert (notice A-2)
HEPnet/SPAN network worm alert (follow-up, notice A-3)
HEPnet/SPAN network worm alert (follow-up, notice A-4)
rcp vulnerability (second vulnerability, notice A-5)
Trojan horse in Norton Utilities (notice A-6)
UNICOS vulnerability (limited distribution, notice A-7)
UNICOS problem (limited distribution, notice A-8)
WDEF virus alert (notice A-9)
PC CYBORG (AIDS) trojan horse alert (notice A-10)
Problem in the Texas Instruments D3 Process Control System (notice A-11)
DECnet hacker attack alert (notice A-12)
Vulnerability in DECODE alias (notice A-13)
Additional information on the vulnerability in the UNIX DECODE alias
(notice A-14)
Virus information update (notice A-15)
Vulnerability in SUN sendmail program (notice A-16)
Eradicating WDEF using Disinfectant 1.5 or 1.6 (notice A-17)
Notice of availability of patch for SmarTerm 240 (notice A-18)
UNIX Internet Attack Advisory (notice A-19)
The Twelve Tricks Trojan Horse (notice A-20)
Additional information on Current UNIX Internet Attacks (notice A-21)
Logon Messages and Hacker/Cracker Attacks (notice A-22)
New Internet Attacks (notice A-23)
Password Problems with Unisys U5000 /etc/passwd (notice A-24)
The MDEF or Garfield Virus on Macintosh Computers (notice A-25)
A New Macintosh Trojan Horse Threat--STEROID (notice A-26)
The Disk Killer (Ogre) Virus on MS DOS Computers (notice A-27)
The Stoned (Marijuana or New Zealand) Virus on MS DOS Computers
(notice A-28)
The 4096 (4k, Stealth, IDF, etc.) Virus on MS DOS
Computers (notice A-29)
Apollo Domain/OS suid_exec Problem (notice A-30)
DECnet (Wollongong) Hacker Activity (notice A-31)
SunView/SunTools selection_svc Vulnerability (notice A-32)
Virus Propagation in Novell and Other Networks (notice A-33)
End of FY90 Update (notice A-34)
Security Problems on the NeXT Operating System (notice B-1)
Unix Security Problem with Silicon Graphics Mail (notice B-2)
Threat to Computers on ESnet (notice B-3)
VMS Security Problem with ANALYZE/PROCESS_DUMP (notice B-4)
HP-UX Trusted Systems 6.5 or 7.0, Authorization Problem (notice B-5)
Additional VMS/DECnet Attacks (notice B-6)
BITNET Worm (notice B-7)
Detection/Eradication Procedures for VMSCRTL Trojan Horse (notice B-8)
Update on Internet Activity (notice B-9)
Patch for TOCCON in SunOS 4.1 and 4.1.1 Available (notice B-10)
OpenWindows 2.0 selection_svc Vulnerability (notice B-11)
GAME2 MODULE "Worm" on BITNET (notice B-12)
UNIX Security Problem with /bin/mail in SunOS (notice B-13)
Additional Information about UNIX Security Problem with /bin/mail in
SunOS (notice B-14)
Network Intrusions through TCP/IP and DECnet Vulnerability
Gateways (notice B-15)
Virus information update (notice B-16)


**************************************************
The Computer Incident Advisory Capability: Macintosh Computer Viruses
__________________________________________________
NAME(S): ANTI, ANTI-ANGE, ANTI A, ANTI B
TRANSMISSION VECTOR: Applications
MODE OF INFECTION CODES: TYP1, APP
POTENTIAL DAMAGE CODES: RUN
OVERVIEW: Attacks only application files, and causes some problems with
infected applications.
__________________________________________________
NAME(S): CDEF
TRANSMISSION VECTOR: DeskTop files
MODE OF INFECTION CODES: DTOP
POTENTIAL DAMAGE CODES:
OVERVIEW: It only infects the invisible Desktop files used by the
Finder. Infection can occur as soon as a disk is inserted into a
computer. An application does not have to be run to cause an infection.
It does not infect applications, document files, or other system files.
The virus does not intentionally try to do any damage, but still causes
problems with running applications.
__________________________________________________
NAME(S): Dukakis
TRANSMISSION VECTOR: HyperCard Stacks
MODE OF INFECTION CODES:
POTENTIAL DAMAGE CODES: PROG, RUN
OVERVIEW: Written in HyperTalk on a HyperCard stack called
"NEWAPP.STK". Adds itself to Home Card and other stacks. Flashes a
message saying, "Dukakis for President in 88, Peace on Earth, and have a
nice day."
__________________________________________________
NAME(S): FontFinder Trojan
TRANSMISSION VECTOR: FontFinder Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: PROG, DATA, ERASE
OVERVIEW: Trojan found in the Public Domain program called
'FontFinder'. Before Feb. 10, 1990, the application simply displays a
list of the fonts and point sizes in the System file. After that date,
it immediately destroys the directories of all available physically
unlocked hard and floppy disks, including the one it resides on.
__________________________________________________
NAME(S): INIT29
TRANSMISSION VECTOR: Applications, Document files
MODE OF INFECTION CODES: TYP1
POTENTIAL DAMAGE CODES: PROG, RUN, DATA
OVERVIEW: It infects any file with resources, including documents. It
damages files with legitimate INIT#29 resources.
__________________________________________________
NAME(S): MDEF, MDEF A, Garfield, MDEF B, Top Cat, MDEF C
TRANSMISSION VECTOR: Applications
MODE OF INFECTION CODES: APP, SYS, DTOP, DOCS
POTENTIAL DAMAGE CODES: RUN
OVERVIEW: MDEF infects applications, the System file, other system
files, and Finder Desktop files. The System file is infected as soon as
an infected application is run. Other applications become infected as
soon as they are run on an infected system. MDEF's only purpose is to
spread itself, and does not intentionally attempt to do any damage, yet
it can be harmful.
__________________________________________________
NAME(S): Mosaic Trojan
TRANSMISSION VECTOR: Mosaic Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: PROG, DATA, ERASE
OVERVIEW: Imbedded in a program called 'Mosaic', when launched, it
immediately destroys the directories of all available physically
unlocked hard and floppy disks, including the one it resides on. The
attacked disks are renamed 'Gotcha!'.
__________________________________________________
NAME(S): nVIR, nVIR A, nVIR B, AIDS, Hpat, MEV#, FLU, Jude, J-nVIR
TRANSMISSION VECTOR: Applications
MODE OF INFECTION CODES: TYP1, APP, SYS
POTENTIAL DAMAGE CODES: PROG, RUN
OVERVIEW: It infects the System file and applications. nVIR begins
spreading to other applications immediately. Whenever a new application
is run, it is infected. Symptoms include unexplained crashes and
problems printing.
__________________________________________________
NAME(S): Peace, MacMag virus, Drew, Brandow, Aldus
TRANSMISSION VECTOR: HyperCard Stacks, System files
MODE OF INFECTION CODES: INIT
POTENTIAL DAMAGE CODES: PROG, RUN
OVERVIEW: First virus on the Macintosh. Displays Peace on Earth
message on March 2, 1988 and removes itself the next day. Distributed
via a HyperCard stack. Its presence causes problems with some programs.
__________________________________________________
NAME(S): Scores, NASA
TRANSMISSION VECTOR: Applications
MODE OF INFECTION CODES: TYP1
POTENTIAL DAMAGE CODES: PROG, RUN
OVERVIEW: Infects applications and the system, and attempts to destroy
files with creator types: VULT, and ERIC. Causes problems with other
programs, including unexplained crashes and printing errors. Changes the
icons of the NotePad and Scrapbook files to the blank document icon.
__________________________________________________
NAME(S): Sexy Ladies Trojan
TRANSMISSION VECTOR: Sexy Ladies Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: ERASE
OVERVIEW: Not a virus, but a Trojan Horse. Given away at 1988 San
Francisco MacWorld Expo, erased whatever hard disk or floppy disk it was
on when it was launched.
__________________________________________________
NAME(S): Steroid Trojan
TRANSMISSION VECTOR: Steroid INIT
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: ERASE
OVERVIEW: The steroid INIT is claimed to speed up QuickDraw on
Macintoshes with 9 inch screens. The INIT has code that checks for dates
after June 30, 1989, and is active every year thereafter from July
through December. When it is activated, it attempts to erase all
mounted drives.
__________________________________________________
NAME(S): Virus Info Trojan
TRANSMISSION VECTOR: Virus Info Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES:
OVERVIEW: This application has not been sighted outside of the
Edmonton, Province of Alberta, Canada area where it was discovered.
__________________________________________________
NAME(S): WDEF, WDEF-A, WDEF-B
TRANSMISSION VECTOR: DeskTop files
MODE OF INFECTION CODES: TYP1, DTOP
POTENTIAL DAMAGE CODES:
OVERVIEW: WDEF only infects the invisible Desktop files used by the
Finder. It can spread as soon as a disk is inserted into a machine. An
application need not be run to cause infection.
__________________________________________________
NAME(S): ZUC, ZUC 1, ZUC 2
TRANSMISSION VECTOR: Applications
MODE OF INFECTION CODES: APP
POTENTIAL DAMAGE CODES:
OVERVIEW: It infects only application files. Before March 2, 1990 or
less than two weeks after an application becomes infected, it only
spreads from application to application. After that time, approximately
90 seconds after an infected application is run, the cursor begins to
behave unusually whenever the mouse button is held down. The cursor
moves diagonally across the screen, changing direction and bouncing like
a billiard ball whenever it reaches any of the four sides of the screen.
The cursor stops moving when the mouse button is released.

**************************************************
The Computer Incident Advisory Capability: PC-DOS/MS-DOS Computer Viruses

__________________________________________________
NAME(S): 12-TRICKS Trojan
TRANSMISSION VECTOR: CORETEST.COM
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: FAT, FMT, RUN, BOOT
OVERVIEW: Contained in "CORETEST.COM", a file that tests the speed of a
hard disk. Every time the computer boots, one entry in the FAT will be
changed. With a probability of 1/4096, the hard disk will be formatted
(Track 0, Head 1, Sector 1, 1 Sector) followed by the message: "SOFTLoK+
V3.0 SOFTGUARD SYSTEMS,INC, 2840 St.Thomas Expwy,suite 201, Santa
Clara,CA 95051 (408)970-9420".
__________________________________________________
NAME(S): 1260, V2P1, Variable, Chameleon, Camouflage, Stealth
TRANSMISSION VECTOR: COMMAND.COM, .COM applications
MODE OF INFECTION CODES: COM, CC, ENC
POTENTIAL DAMAGE CODES: PROG, RUN
OVERVIEW: This appears to be related to the Vienna virus. The virus
infects any COM file in the current directory.
__________________________________________________
NAME(S): 1704-Format, Cascade Format
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: ENC, RES, COM
POTENTIAL DAMAGE CODES: RUN, PROG, FMT
OVERVIEW: Spreads between COM files. Occasionally causes odd screen
behavior (the characters on the screen fall into a heap at the bottom of
the screen!). One rare variant can destroy data on hard disks.
__________________________________________________
NAME(S): 3X3SHR
TRANSMISSION VECTOR: 3X3SHR Application?
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: ERHD
OVERVIEW: *TROJAN* Time Bomb type trojan wipes the Hard
Drive clean. (Is this an application? .EXE or .COM file?)
__________________________________________________
NAME(S): 405
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: COM
POTENTIAL DAMAGE CODES: PROG
OVERVIEW: The virus spreads itself by overwriting the first 405 bytes
of a .COM file. One file is infected each time an infected file is
executed.
__________________________________________________
NAME(S): 4096, Century, Century Virus, 100 Years Virus, Frodo, IDF
TRANSMISSION VECTOR: .COM or .EXE applications
MODE OF INFECTION CODES: RES, CC, COM, OVR, EXE
POTENTIAL DAMAGE CODES: RUN, PROG, DATA, FAT
OVERVIEW: It infects both .COM and .EXE applications. It is nearly
impossible to detect once it has been installed since it actively hides
itself from the scanning packages. Whenever an application such as a
scanner accesses an infected file, the virus disinfects it on the fly.
__________________________________________________
NAME(S): Advent, 2761
TRANSMISSION VECTOR: .COM or .EXE applications
MODE OF INFECTION CODES: COM, EXE, ENC, CC
POTENTIAL DAMAGE CODES: RUN
OVERVIEW: Spreads between .COM and .EXE files. Beginning on every
"Advent" (the 4th Sunday before Christmas until Christmas eve), the virus
displays after every "Advent Sunday" one more lit candle in a wreath of
four, together with the string "Merry Christmas" and plays the melody
of the German Christmas song "Oh Tannenbaum". By Christmas all four
candles are lit. This happens until the end of December, whenever an
infected file is run. If the environment variable "VIRUS=OFF" is set,
the virus will not infect.
__________________________________________________
NAME(S): AIDS, Hahaha, Taunt, VGA2CGA
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: COM
POTENTIAL DAMAGE CODES: PROG
OVERVIEW: It infects .COM files.
__________________________________________________
NAME(S): AIDS II, AIDS
TRANSMISSION VECTOR: AIDS Information Introductory Diskette Version 2.0
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: ENDIR
OVERVIEW: On Monday, 11th December, several thousand diskettes named
"AIDS Information Introductory Diskette Version 2.0" were mailed out
containing a program that purported to give you information about AIDS.
These diskettes actually contained a trojan that will encrypt the file
names on your hard disk after booting your computer about 90 times. If
you have installed this program, you should copy any important data
files (no executables) and reformat your hard disk.
__________________________________________________
NAME(S): Ambulance Car, REDX
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: COM, CC
POTENTIAL DAMAGE CODES: PROG, RUN
OVERVIEW: When an infected application is run, the virus tries to find
two .COM file victims which it randomly selects in the current directory
or via the PATH variable in the environment. After some number of
executions, an ambulance car runs along the bottom of the screen
accompanied by siren sounds.
__________________________________________________
NAME(S): Amstrad, Pixel, V-277, V-299, V-345, V-847, V-847B, V-852
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: COM
POTENTIAL DAMAGE CODES: PROG
OVERVIEW: Adds code to front of any .COM file in the current directory.
The virus contains an advertisement for Amstrad computers.
__________________________________________________
NAME(S): Anti Pascal, Anti Pascal 529, Anti Pascal 605, AP 529, AP 605,
C 605, V-605
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: COM
POTENTIAL DAMAGE CODES: FILES, RUN, PROG
OVERVIEW: May overwrite .BAK and .PAS files if not enough .COM files
are available in a directory for it to infect.
__________________________________________________
NAME(S): ANTI-PCB
TRANSMISSION VECTOR: ANTI-PCB.COM Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES:
OVERVIEW: The story behind this trojan horse is sickening. Apparently
one RBBS-PC sysop and one PC-BOARD sysop started feuding about which BBS
system is better, and in the end the PC-BOARD sysop wrote a trojan and
uploaded it to the rbbs SysOp under ANTI-PCB.COM. Of course the RBBS-PC
SysOp ran it, and that led to quite a few accusations and a big mess in
general. Let's grow up! Every SysOp has the right to run the type of
BBS that they please, and the fact that a SysOp actually wrote a trojan
intended for another simply blows my mind.
__________________________________________________
NAME(S): ARC513.EXE, ARC514.COM
TRANSMISSION VECTOR: ARC513.EXE, ARC514.COM
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: BOOT, FAT
OVERVIEW: ARC513.EXE This hacked version of ARC appears normal,
so beware! It will write over track 0 of your [hard] disk upon usage,
destroying the disk.

ARC514.COM This is totally similar to ARC version 5.13 in that it
will overwrite track 0 (FAT Table) of your hard disk. Also, I have yet
to see an .EXE version of this program.

__________________________________________________
NAME(S): ARC533
TRANSMISSION VECTOR:
MODE OF INFECTION CODES: CC
POTENTIAL DAMAGE CODES:
OVERVIEW: This is a new Virus program designed to emulate Sea's ARC
program.
__________________________________________________
NAME(S): BACKTALK
TRANSMISSION VECTOR: BACKTALK Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: WRHD
OVERVIEW: This program used to be a good PD utility, but someone
changed it to be trojan. Now this program will write/destroy sectors on
your [hard] disk drive. Use this with caution if you acquire it,
because it's more than likely that you got a bad copy.
__________________________________________________
NAME(S): Brain, Pakistani, Ashar, Shoe, Shoe_Virus, Shoe_Virus_B,
Ashar_B, UIUC, UIUC-B, @BRAIN, Jork, Shoe B
TRANSMISSION VECTOR: Floppy boot sector
MODE OF INFECTION CODES: FDB, RES
POTENTIAL DAMAGE CODES: BOOT, RUN, DATA, FMT
OVERVIEW: This virus only infects the boot sectors of 360 KB
floppy disks. It does no malicious damage, but bugs in the virus code
can cause loss of data by scrambling data on diskette files or by
scrambling the File Allocation Table. It does not tend to spread in a
hard disk environment.

__________________________________________________
NAME(S): Cascade, 1701, 1704, 17Y4, 1704 B, 1704 C, Cascade A, Cascade
B, Falling Tears, The Second Austrian Virus, Autumn, Blackjack, Falling
Leaves, Cunning, Fall, Falling Letters, Herbst
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: ENC, RES, COM
POTENTIAL DAMAGE CODES: RUN, PROG
OVERVIEW: Spreads between COM files. Occasionally causes odd screen
behavior (the characters on the screen fall into a heap at the bottom of
the screen!). One rare variant can destroy data on hard disks.
__________________________________________________
NAME(S): CDIR
TRANSMISSION VECTOR: CDIR.COM Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: FAT
OVERVIEW: This program is supposed to give you a color directory of
files on your disk, but it in fact will scramble your disk's FAT table.
__________________________________________________
NAME(S): Chaos
TRANSMISSION VECTOR: Floppy/hard disk boot sectors
MODE OF INFECTION CODES: RES, FDB, HDB
POTENTIAL DAMAGE CODES: BOOT, RUN, PROG, FAT
OVERVIEW: Derivative of Brain
__________________________________________________
NAME(S): Christmas, 1539, Father Christmas, Choinka, Tannenbaum,
Christmas Tree, XA1, V1539
TRANSMISSION VECTOR: .COM applications, COMMAND.COM
MODE OF INFECTION CODES: COM, CC, ENC
POTENTIAL DAMAGE CODES: RUN, BOOT
OVERVIEW: The virus infects .COM files when an infected application is
executed. When an infected program is run between December 24th and 31st
(any year), the virus displays a full screen image of a Christmas tree
and German season's greetings. When an infected program is run on April
1st (any year), it drops a code into the boot sectors of floppy A: and
B: as well as into the partition table of the hard disk. The old
partition sectors are saved but most likely destroyed since running
another infected file will save the modified partition table to the
same location. On any boot attempt from an infected hard disk or floppy,
the text "April April" will be displayed and the PC will hang.
__________________________________________________
NAME(S): Clone
TRANSMISSION VECTOR:
MODE OF INFECTION CODES:
POTENTIAL DAMAGE CODES:
OVERVIEW: Derivative of Brain
__________________________________________________
NAME(S): D-XREF60.COM
TRANSMISSION VECTOR: D-XREF60.COM Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: BOOT, FAT
OVERVIEW: A Pascal Utility used for Cross-Referencing, written by the
infamous Dorn Stickel. It eats the FAT and BOOT sector after a time
period has been met and if the Hard Drive is more than half full.
__________________________________________________
NAME(S): DANCERS, DANCERS.BAS
TRANSMISSION VECTOR: DANCERS.BAS Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: FAT
OVERVIEW: This trojan shows some animated dancers in color, and then
proceeds to wipe out your [hard] disk's FAT table. There is another
perfectly good copy of DANCERS.BAS on BBSs around the country.
__________________________________________________
NAME(S): Dark Avenger, Dark Avenger-B, Black Avenger, Diana, Eddie
TRANSMISSION VECTOR: .COM or .EXE applications
MODE OF INFECTION CODES: RES, CC, EXE, COM, OVR
POTENTIAL DAMAGE CODES: PROG, WRHD
OVERVIEW: Infects every executable file that is opened.
__________________________________________________
NAME(S): Dark Avenger 3, Dark Avenger II, V2000, Die Young, Travel,
V2000-B, Eddie 3
TRANSMISSION VECTOR: .COM applications, .EXE applications
MODE OF INFECTION CODES: EXE, COM, CC
POTENTIAL DAMAGE CODES: PROG, DATA, RUN
OVERVIEW: Every 16 executions of an infected file, the virus will
overwrite a new random data sector on disk; the last overwritten sector
is stored in the boot sector. The system hangs up if a program is loaded
that contains the string "(c) 1989 by Vesselin Bontchev"; V. Bontchev is
a Bulgarian author of anti-virus programs.
__________________________________________________
NAME(S): Datacrime, 1280, Columbus Day, DATACRIME Ib
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: COM, ENC
POTENTIAL DAMAGE CODES: PROG, FMT, FAT
OVERVIEW: Spreads between COM files. After October 12th, it displays
the message "DATACRIME VIRUS RELEASE: 1 MARCH 1989", and then the
first hard disk will be formatted (track 0, all heads). When formatting
is finished the speaker will beep (endless loop).
__________________________________________________
NAME(S): Datacrime II, 1514, Columbus Day
TRANSMISSION VECTOR: .COM or .EXE applications
MODE OF INFECTION CODES: COM, EXE, ENC
POTENTIAL DAMAGE CODES: PROG, FMT, FAT
OVERVIEW: Spreads between both COM and EXE files. After October 12th,
displays the message "* DATACRIME II VIRUS *", and damages the data on
hard disks by attempting to reformat them.
__________________________________________________
NAME(S): Datacrime II-B, 1917, Columbus Day
TRANSMISSION VECTOR: .COM or .EXE applications
MODE OF INFECTION CODES: ENC, COM, EXE, CC
POTENTIAL DAMAGE CODES: PROG, FMT
OVERVIEW: Spreads between both COM and EXE files. After October 12th,
displays the message "* DATACRIME II VIRUS *", and damages the data on
hard disks by attempting to reformat them.
__________________________________________________
NAME(S): Datacrime-B, 1168, Columbus Day, Datacrime Ia
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: COM, ENC
POTENTIAL DAMAGE CODES: PROG, FMT, FAT
OVERVIEW: Spreads between COM files. After October 12th, it displays
the message "DATACRIME VIRUS RELEASE: 1 MARCH 1989", and then the
first hard disk will be formatted (track 0, all heads). When formatting
is finished the speaker will beep (endless loop).
__________________________________________________
NAME(S): Dbase, DBF virus
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: RES, COM
POTENTIAL DAMAGE CODES: DATA, RUN, PROG
OVERVIEW: Infects COM files. Registers all new .DBF files in a hidden
file c:\BUGS.DAT. When any of those files are written, it reverses the
order of adjacent bytes. When any of those files are read, it again
reverses the bytes, making the file appear to be OK, unless it is read
on an uninfected system or the file name is changed.
__________________________________________________
NAME(S): DenZuk, Venezuelan, Search, DenZuc B
TRANSMISSION VECTOR: Floppy boot sector
MODE OF INFECTION CODES: RES, FDB
POTENTIAL DAMAGE CODES: RUN, BOOT
OVERVIEW: Infects floppy disk boot sectors, and displays a purple DEN
ZUK graphic on a CGA, EGA or VGA screen when Ctrl-Alt-Del is pressed.
__________________________________________________
NAME(S): Devil's Dance, Mexican
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: RES, COM
POTENTIAL DAMAGE CODES: RUN, PROG, DATA, FAT
OVERVIEW: Infects .COM files.
__________________________________________________
NAME(S): Disk Killer, Computer Ogre, Disk Ogre
TRANSMISSION VECTOR: Floppy/hard disk boot sectors
MODE OF INFECTION CODES: RES, FDB, HDB
POTENTIAL DAMAGE CODES: BOOT, RUN, PROG, DATA
OVERVIEW: Infects floppy and hard disk boot sectors and after 48 hours
of work time, it encrypts everything on the hard disk. The encryption is
reversible.
__________________________________________________
NAME(S): DISKSCAN, SCANBAD, BADDISK
TRANSMISSION VECTOR: DISKSCAN.EXE Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: WRHD
OVERVIEW: This was a PC-MAGAZINE program to scan a [hard] disk for bad
sectors, but then a joker edited it to WRITE bad sectors. Also look for
this under other names such as SCANBAD.EXE and BADDISK.EXE. A good
original copy is available on SCP Business BBS.
__________________________________________________
NAME(S): DMASTER
TRANSMISSION VECTOR: DMASTER Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: FAT
OVERVIEW: This is yet another FAT scrambler.
__________________________________________________
NAME(S): Do Nothing, Stupid Virus, 640K Virus
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: COM, RES
POTENTIAL DAMAGE CODES: PROG
OVERVIEW: Infects .COM files. The virus copies itself to 9800:100h,
which means that only computers with 640KB can be infected. Many
programs also load themselves to this area and erase the virus from the
memory.
__________________________________________________
NAME(S): DOSKNOWS
TRANSMISSION VECTOR: DOSKNOWS.EXE
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: FAT
OVERVIEW: Apparently someone wrote a FAT killer and renamed it
DOSKNOWS.EXE, so it would be confused with the real, harmless DOSKNOWS
system-status utility.
__________________________________________________
NAME(S): DRAIN2
TRANSMISSION VECTOR:
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: FMT
OVERVIEW: There really is a DRAIN program, but this revised program goes
out and does a Low Level Format while it is playing the funny program.
__________________________________________________
NAME(S): DROID
TRANSMISSION VECTOR: DROID.EXE
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES:
OVERVIEW: This trojan appears under the guise of a game. You are
supposedly an architect that controls futuristic droids in search of
relics. In fact, PC-Board sysops, if they run this program from
C:\PCBOARD, will find that it copies C:\PCBOARD\PCBOARD.DAT to
C:\PCBOARD\HELP\HLPX.
__________________________________________________
NAME(S): DRPTR, WIPEOUT
TRANSMISSION VECTOR: DRPTR.ARC
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: FILES
OVERVIEW: After running the unsuspected file, the only things left in the
root directory are the subdirectories and two of the three DOS System
files, along with a 0-byte file named WIPEOUT.YUK. COMMAND.COM was
located in a different directory; the file date and CRC had not changed.
__________________________________________________
NAME(S): EDV
TRANSMISSION VECTOR:
MODE OF INFECTION CODES:
POTENTIAL DAMAGE CODES:
OVERVIEW: Derivative of Brain
__________________________________________________
NAME(S): EGABTR
TRANSMISSION VECTOR: EGABTR Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: FILES
OVERVIEW: BEWARE! Description says something like "improve your EGA
display," but when run, it deletes everything in sight and prints, "Arf!
Arf! Got you!"
__________________________________________________
NAME(S): FILES.GBS
TRANSMISSION VECTOR: FILES.GBS Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES:
OVERVIEW: When an OPUS BBS system is installed improperly, this file
could spell disaster for the Sysop. It can let a user of any level into
the system. Protect yourself. Best to have a sub-directory in each
upload area called c:\upload\files.gbs (this is an example only). This
would force Opus to rename a file upload of files.gbs and prevent its
usage.
__________________________________________________
NAME(S): Fish, European Fish, Fish 6
TRANSMISSION VECTOR: COMMAND.COM, .COM applications, .EXE applications
MODE OF INFECTION CODES: EXE, COM, RES, ENC, CC
POTENTIAL DAMAGE CODES: PROG, RUN, DATA
OVERVIEW: If (system date>1990) and a second infected .COM file is
executed, a message is displayed: FISH VIRUS #6 - EACH DIFF - BONN 2/90
'~Knzyvo} and then the processor stops (HLT instruction). The virus will
attempt to infect some data files, corrupting them in the process. This
is a variant of the 4096 virus.
__________________________________________________
NAME(S): Flash, 688
TRANSMISSION VECTOR: .COM applications, .EXE applications
MODE OF INFECTION CODES: EXE, COM, RES, ENC, CC
POTENTIAL DAMAGE CODES: PROG, RUN
OVERVIEW: The memory resident virus infects applications when they are
run. After June 1990, the virus makes the screen flash. This flash can
only be seen on MDA, Hercules, and CGA adapters, but not on EGA and VGA
cards.
__________________________________________________
NAME(S): FLUSHOT4, FLU4TXT
TRANSMISSION VECTOR: FLUSHOT4.ARC Archive
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES:
OVERVIEW: This Trojan was inserted into FLUSHOT4.ARC and uploaded
to many BBS's. FluShot is a protector of your COMMAND.COM. As of
05/14/88, FLUSHOT.ARC (FluShot Plus v1.1) is the current version,
not FLUSHOT4.ARC, which is Trojaned.
__________________________________________________
NAME(S): Friday 13th COM, South African, 512 Virus, COM Virus, Friday
The 13th-B, Friday The 13th-C, Miami, Munich, Number of the Beast,
Virus-B
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: COM
POTENTIAL DAMAGE CODES: PROG
OVERVIEW: Infects all .COM files except COMMAND.COM, and deletes the
host program if run on Friday the 13th.
__________________________________________________
NAME(S): Fu Manchu, 2086, 2080, Fumanchu
TRANSMISSION VECTOR: .COM or .EXE applications
MODE OF INFECTION CODES: RES, COM, EXE, OVR
POTENTIAL DAMAGE CODES: RUN, PROG
OVERVIEW: Infects .COM and .EXE files. The message 'The world will hear
from me again! ' is displayed on every warm boot, and the virus inserts
insults into the keyboard buffer when the names of certain world leaders
are typed at the keyboard. Occasionally causes the system to
spontaneously reboot.
__________________________________________________
NAME(S): FUTURE
TRANSMISSION VECTOR: FUTURE.BAS Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: ERASE
OVERVIEW: This "program" starts out with a very nice color picture and
then proceeds to tell you that you should be using your computer for
better things than games and graphics. After making that point, it
trashes your A: drive, B:, C:, D:, and so on until it has erased all
drives.
__________________________________________________
NAME(S): G-MAN
TRANSMISSION VECTOR: G-MAN Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: FAT
OVERVIEW: Another FAT killer.
__________________________________________________
NAME(S): GATEWAY, GATEWAY2
TRANSMISSION VECTOR: GATEWAY
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: FAT
OVERVIEW: Someone tampered with the version 2.0 of the CTTY monitor
GATEWAY. What it does is ruin the FAT.
__________________________________________________
NAME(S): Ghost
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: COM
POTENTIAL DAMAGE CODES: BOOT, PROG
OVERVIEW: Infects .COM files.
__________________________________________________
NAME(S): GhostBalls, Ghost Boot, Ghost COM
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: RES, COM
POTENTIAL DAMAGE CODES: BOOT, RUN, PROG
OVERVIEW: Infects floppy and hard disk boot sectors.
__________________________________________________
NAME(S): GRABBER
TRANSMISSION VECTOR: GRABBER.COM Application
MODE OF INFECTION CODES: TRJ, RES
POTENTIAL DAMAGE CODES: FILES
OVERVIEW: This program is supposed to be a SCREEN CAPTURE program that
copies the screen to a .COM file to be later run from a DOS command
line. As a TSR it will attempt to do a DISK WRITE to your hard drive
when you do not want it to. It will wipe out whole Directories when
doing a normal DOS command. One sysop who ran it lost all of his ROOT
DIR including his SYSTEM files.
__________________________________________________
NAME(S): Halloechn, Hello_1a, Hello
TRANSMISSION VECTOR: .COM applications, .EXE applications
MODE OF INFECTION CODES: COM, EXE
POTENTIAL DAMAGE CODES: RUN, DATA
OVERVIEW: The virus slows the system down, and corrupts keyboard
entries (pressing an "A" produces a "B").
__________________________________________________
NAME(S): Icelandic, Disk Eating Virus, Disk Crunching Virus, One In
Ten, Saratoga 2
TRANSMISSION VECTOR: .EXE applications
MODE OF INFECTION CODES: RES, EXE
POTENTIAL DAMAGE CODES: RUN, PROG, FAT
OVERVIEW: Infects every 10th .EXE file run, and if the current drive is
a hard disk larger than 10M bytes, the virus will select one cluster and
mark it as bad in the first copy of the FAT. Diskettes and 10M byte
disks are not affected.
__________________________________________________
NAME(S): Icelandic II, One In Ten, System Virus, 642
TRANSMISSION VECTOR: .EXE applications
MODE OF INFECTION CODES: RES, EXE
POTENTIAL DAMAGE CODES: RUN, PROG
OVERVIEW: Every tenth program run is checked, and if it is an
uninfected .EXE file it will be infected. The virus modifies the MCBs in
order to hide from detection. This virus is a version of the Icelandic-1
virus, modified so that it does not use INT 21 calls to DOS services.
This is done to bypass monitoring programs.
__________________________________________________
NAME(S): Icelandic III, December 24th
TRANSMISSION VECTOR: .EXE applications
MODE OF INFECTION CODES: RES, EXE
POTENTIAL DAMAGE CODES: RUN, PROG
OVERVIEW: It infects one out of every ten .EXE files run. If an
infected file is run on December 24th it will stop any other program run
later, displaying the message "Gledileg jol".
__________________________________________________
NAME(S): Israeli Boot, Swap
TRANSMISSION VECTOR: Floppy boot sector
MODE OF INFECTION CODES: RES, FDB
POTENTIAL DAMAGE CODES: BOOT
OVERVIEW: It infects floppy disk boot sectors and reverses the order of
letters typed creating typographical errors.
__________________________________________________
NAME(S): Jerusalem, Jerusalem A, Black Hole, Blackbox, 1808, 1813,
Israeli, Hebrew University, Black Friday, Friday 13th, PLO, Russian
TRANSMISSION VECTOR: .COM or .EXE applications
MODE OF INFECTION CODES: RES, COM, EXE, OVR
POTENTIAL DAMAGE CODES: RUN, PROG, FILES
OVERVIEW: Spreads between executable files (.COM or .EXE). On Friday
the 13th, it erases any file that is executed, and on other days a two
line black rectangle will appear at the bottom of the screen. Once this
virus installs itself (once an infected COM or EXE file is executed),
any other COM or EXE file executed will become infected.
__________________________________________________
NAME(S): Keypress
TRANSMISSION VECTOR: .COM applications, .EXE applications
MODE OF INFECTION CODES: COM, EXE
POTENTIAL DAMAGE CODES:
OVERVIEW: Every 10 minutes, the virus looks at INT 09h (keyboard
interrupt) for 2 seconds; if a keystroke is recognized during this time,
it is repeated depending on how long the key is pressed; it thus appears
as a "bouncing key".
__________________________________________________
NAME(S): Lehigh, Lehigh-2, Lehigh-B
TRANSMISSION VECTOR: COMMAND.COM
MODE OF INFECTION CODES: RES, CC
POTENTIAL DAMAGE CODES: PROG, FAT, BOOT
OVERVIEW: Spreads between copies of COMMAND.COM. After spreading four
or ten times, it overwrites critical parts of a disk with random data.
__________________________________________________
NAME(S): Macho, MachoSoft, 3555, 3551
TRANSMISSION VECTOR: .COM or .EXE applications
MODE OF INFECTION CODES: COM, EXE, ENC
POTENTIAL DAMAGE CODES: PROG, DATA
OVERVIEW: Spreads between .COM and .EXE files. It scans through data
on the hard disk, changing the string "Microsoft" (in any mixture of
upper and lower case) to "MACHOSOFT". If the environment variable
"VIRUS=OFF" is set, the virus will not infect.
__________________________________________________
NAME(S): MAP, FAT EATER
TRANSMISSION VECTOR: MAP Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: FAT
OVERVIEW: This is another trojan horse written by the infamous "Dorn
Stickel." It is designed to display which TSRs are in memory, and works
on the FAT and BOOT sector: a FAT eater.
__________________________________________________
NAME(S): MATHKIDS, FIXIT
TRANSMISSION VECTOR: MATHKIDS.ARC Archive
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: CBBS
OVERVIEW: This trojan is designed to crack a BBS system. It will
attempt to copy the USERS file on a BBS to a file innocently called
FIXIT.ARC, which the originator can later call in and download.
Believed to be designed for PCBoard BBS's.
__________________________________________________
NAME(S): Merritt, Alameda, Yale, Golden Gate, 500 Virus, Mazatlan,
Peking, Seoul
TRANSMISSION VECTOR: Floppy boot sector
MODE OF INFECTION CODES: RES, FDB
POTENTIAL DAMAGE CODES: BOOT, FAT
OVERVIEW: Track 39 sector 8 is used to save the original boot record,
and any file there will be overwritten. Destroys the FAT after some
length of time. It spreads when the Ctrl-Alt-Del sequence is used with
an uninfected diskette in the boot drive. The Golden Gate variation will
reformat drive C: after n infections. Infects Floppies Only. Spreads
between floppy disks.
__________________________________________________
NAME(S): Mirror, Flip Clone
TRANSMISSION VECTOR: .EXE applications
MODE OF INFECTION CODES: EXE, RES
POTENTIAL DAMAGE CODES: RUN, PROG
OVERVIEW: When the virus is triggered, the screen will flip
horizontally character for character.
__________________________________________________
NAME(S): Mix1, MIX1, MIX/1, Mixer1
TRANSMISSION VECTOR: .EXE applications
MODE OF INFECTION CODES: RES, EXE
POTENTIAL DAMAGE CODES: RUN, PROG
OVERVIEW: The output is garbled on parallel and serial connections;
after the 6th level of infection, booting the computer will crash the
system (a bug); num-lock is constantly on; and a ball will start
bouncing on the screen.
__________________________________________________
NAME(S): NOTROJ
TRANSMISSION VECTOR: NOTROJ.COM Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: FAT, FMT
OVERVIEW: All outward appearances indicate that the program is a useful
utility used to FIGHT other trojan horses. Actually, it is a time bomb
that erases any hard disk FAT table that IT can find on hard drives
that are more than 50% full, and at the same time, it warns: "another
program is attempting a format, can't abort!" After erasing the FAT(s),
NOTROJ then proceeds to start a low level format.
__________________________________________________
NAME(S): Oropax, Music, Musician
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: RES, COM
POTENTIAL DAMAGE CODES: RUN, PROG
OVERVIEW: Infects .COM files and plays musical melodies repeatedly.
__________________________________________________
NAME(S): PACKDIR
TRANSMISSION VECTOR: PACKDIR Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: FAT
OVERVIEW: This utility is supposed to "pack" (sort and optimize) the
files on a [hard] disk, but apparently it scrambles FAT tables.
(Possibly a bug rather than a deliberate trojan?? w.j.o.)
__________________________________________________
NAME(S): PCW271, PC-WRITE 2.71
TRANSMISSION VECTOR: PCW271xx.ARC Archive
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: FAT
OVERVIEW: A modified version of the popular PC-WRITE word processor (v.
2.71) that scrambles FAT tables. The bogus version of PC-WRITE version
2.71 can be identified by its size; it uses 98,274 bytes whereas the good
version uses 98,644.
__________________________________________________
NAME(S): Pentagon
TRANSMISSION VECTOR: Floppy boot sector
MODE OF INFECTION CODES: FDB, RES
POTENTIAL DAMAGE CODES: BOOT
OVERVIEW: It infects floppy disk boot sectors, and removes the Brain
virus from any disk it finds. The virus can survive a warmboot.
__________________________________________________
NAME(S): Perfume, 765, 4711
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: RES, COM, CC
POTENTIAL DAMAGE CODES: PROG, RUN
OVERVIEW: It infects .COM files, and after 80 executions, it demands a
password to run the application. The password is 4711 (the name of a
perfume).
__________________________________________________
NAME(S): Ping Pong, Bouncing Ball, Italian, Bouncing Dot, Vera Cruz,
Turin Virus
TRANSMISSION VECTOR: Floppy boot sector
MODE OF INFECTION CODES: RES, FDB, HDB
POTENTIAL DAMAGE CODES: RUN, BOOT
OVERVIEW: Bouncing dot appears on screen. No other intentional damage.
Spreads between disks by infecting the boot sectors.
__________________________________________________
NAME(S): Ping Pong B, Boot, Falling Letters
TRANSMISSION VECTOR: Floppy/hard disk boot sectors
MODE OF INFECTION CODES: RES, FDB, HDB
POTENTIAL DAMAGE CODES: RUN, BOOT
OVERVIEW: Bouncing dot appears on screen. No other intentional damage.
Spreads between disks by infecting the boot sectors.
__________________________________________________
NAME(S): PKFIX361
TRANSMISSION VECTOR: PKFIX361.EXE Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: FMT
OVERVIEW: PKFIX361.EXE *TROJAN* Supposed patch to v3.61. What it really
does, when extracted from the .EXE, is DIRECT access to the DRIVE
CONTROLLER to perform a Low-Level format, thereby bypassing checking
programs. (This would be only XT type disk drive cards. w.j.o.)
__________________________________________________
NAME(S): PKPAK/PKUNPAK 3.61, PK362, PK363
TRANSMISSION VECTOR: PKPAK/PKUNPAK V. 3.61 Applications, PK362.EXE
Application, PK363.EXE Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES:
OVERVIEW: PKPAK/PKUNPAK *TROJAN* There is a TAMPERED version of
3.61 that, when used, interferes with the PC's interrupts.
PK362.EXE This is a NON-RELEASED version and is suspected as being a
*TROJAN* - not verified.
PK363.EXE This is a NON-RELEASED version and is suspected as being a
*TROJAN* - not verified.
__________________________________________________
NAME(S): PKX35B35, PKB35B35
TRANSMISSION VECTOR: PKX35B35.ARC Archive, PKB35B35.ARC Archive
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: FAT
OVERVIEW: PKX35B35.ARC, PKB35B35.ARC This was supposed to be an
update to the PKARC file compression utility, which when used *EATS your
FATS* and does, or at least is RUMORED to, infect other files so it can
spread - possible VIRUS?
__________________________________________________
NAME(S): QUIKRBBS
TRANSMISSION VECTOR: QUIKRBBS.COM Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: FAT
OVERVIEW: This Trojan horse advertises that it will install a
program to protect your RBBS but it does not. It goes and eats away at
the FAT.
__________________________________________________
NAME(S): QUIKREF
TRANSMISSION VECTOR: QUIKREF.ARC Archive
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: CBBS
OVERVIEW: This ARChive contains ARC513.COM. Loads RBBS-PC's message
file into memory two times faster than normal. What it really does is
copy RBBS-PC.DEF into an ASCII file named HISCORES.DAT.
__________________________________________________
NAME(S): RCKVIDEO
TRANSMISSION VECTOR: RCKVIDEO Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: ERASE
OVERVIEW: After showing some simple animation of a rock star, the
program erases every file it can find. After about a minute of this, it
creates three ascii files that say "You are stupid to download a video
about rock stars".
__________________________________________________
NAME(S): RPVS, 453, RPVS-B, TUQ
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: COM
POTENTIAL DAMAGE CODES: PROG, RUN
OVERVIEW: Whenever an infected application is run, at least one other
.COM file in the default directory is infected.
__________________________________________________
NAME(S): Saddam
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: COM, RES
POTENTIAL DAMAGE CODES: PROG
OVERVIEW: This appears to be a variant of the Stupid virus. On
every eighth infection, the string: "HEY SADAM"{LF}{CR} "LEAVE QUEIT
BEFORE I COME" is displayed. The virus copies itself to
[0:413]*40h-867h, which means that only computers with 640KB can be
infected. Many large programs also load themselves to this area and
erase the virus from the memory, or hang the system.
__________________________________________________
NAME(S): Saratoga, 632, Disk Eating Virus, One In Two
TRANSMISSION VECTOR: .EXE applications
MODE OF INFECTION CODES: RES, EXE
POTENTIAL DAMAGE CODES: RUN, PROG, FAT
OVERVIEW: Infects every 10th .EXE file run, and if the current drive is
a hard disk larger than 10M bytes, the virus will select one cluster and
mark it as bad in the first copy of the FAT. Diskettes and 10M byte
disks are not affected.
__________________________________________________
NAME(S): Scrambler, KEYBGR Trojan
TRANSMISSION VECTOR: KEYBGR.COM Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: RUN
OVERVIEW: About 60 minutes after the trojan KEYBGR.COM is started, a
smiley face moves in a random fashion about the screen displacing
characters as it moves.
__________________________________________________
NAME(S): SECRET
TRANSMISSION VECTOR: SECRET.BAS Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: FMT
OVERVIEW: BEWARE!! This may be posted with a note saying it doesn't
seem to work, and would someone please try it; when you do, it formats
your disks.
__________________________________________________
NAME(S): SIDEWAYS, SIDEWAYS.COM
TRANSMISSION VECTOR: SIDEWAYS.COM Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: BOOT
OVERVIEW: Both the trojan and the good version of SIDEWAYS advertise
that they can print sideways, but SIDEWAYS.COM trashes a [hard] disk's
boot sector instead.
__________________________________________________
NAME(S): STAR, STRIPES
TRANSMISSION VECTOR: STAR.EXE Application, STRIPES.EXE Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: CBBS
OVERVIEW: STAR.EXE Beware RBBS-PC SysOps! This file puts some
stars on the screen while copying RBBS-PC.DEF to another name that can
be downloaded later!

STRIPES.EXE Similar to STAR.EXE, this one draws an American flag (nice
touch), while it's busy copying your RBBS-PC.DEF to another file
(STRIPES.BQS).
__________________________________________________
NAME(S): Stoned, Marijuana, Hawaii, New Zealand, Australian, Hemp, San
Diego, Smithsonian, Stoned-B, Stoned-C, Stoned-C
TRANSMISSION VECTOR: Floppy/hard disk boot sectors
MODE OF INFECTION CODES: RES, FDB, HDB, HDP
POTENTIAL DAMAGE CODES: RUN, BOOT, FAT
OVERVIEW: Spreads between boot sectors of both fixed and floppy disks.
May overlay data. Sometimes displays message "Your PC is now Stoned!"
when booted from floppy. Affects partition record on hard disk. No
intentional damage is done.
__________________________________________________
NAME(S): SUG
TRANSMISSION VECTOR: SUG.COM Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: ERFD
OVERVIEW: This program is supposed to unprotect copy protected program
disks protected by Softguard Systems, Inc. It trashes the disk and
displays: "This destruction constitutes a prima facie evidence of your
violation. If you attempt to challenge Softguard Systems Inc..., you
will be vigorously counter-sued for copyright infringement and theft
of services." It encrypts the Gotcha message so no Trojan checker can
scan for it.
__________________________________________________
NAME(S): Sunday, Sunday-B, Sunday-C
TRANSMISSION VECTOR: .COM or .EXE applications
MODE OF INFECTION CODES: RES, COM, EXE, OVR
POTENTIAL DAMAGE CODES: RUN, PROG
OVERVIEW: Infects .COM and .EXE files.
__________________________________________________
NAME(S): Suriv-01, April-1-COM, April 1st, Suriv A, sURIV 1.01
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: RES, COM
POTENTIAL DAMAGE CODES: RUN, PROG
OVERVIEW: Spreads between COM files. On April 1st, 1988, writes the
message: "APRIL 1ST HA HA HA HA YOU HAVE A VIRUS" and hangs the system.
After that, simply writes a message every time any program is run.
__________________________________________________
NAME(S): Suriv-02, APRIL-1-EXE, April 1st-B, Suriv02, Suriv 2.01,
Suriv A
TRANSMISSION VECTOR: .EXE applications
MODE OF INFECTION CODES: RES, EXE
POTENTIAL DAMAGE CODES: RUN, PROG
OVERVIEW: Spreads between .EXE files. On April 1st, 1988 and later,
writes the message: "APRIL 1ST HA HA HA HA YOU HAVE A VIRUS" and hangs
the system.
__________________________________________________
NAME(S): Sylvia, Holland
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: RES, COM
POTENTIAL DAMAGE CODES: PROG
OVERVIEW: Infects .COM files.
__________________________________________________
NAME(S): Syslock, Macrosoft
TRANSMISSION VECTOR: .COM or .EXE applications
MODE OF INFECTION CODES: COM, EXE, ENC
POTENTIAL DAMAGE CODES: PROG, DATA
OVERVIEW: Spreads between .COM and .EXE files. It scans through data
on the hard disk, changing the string "Microsoft" (in any mixture of
upper and lower case) to "MACROSOFT". If the environment variable
"SYSLOCK=@" is set, the virus will not infect. A variant of Advent.
__________________________________________________
NAME(S): Tiny 163
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: COM, CC
POTENTIAL DAMAGE CODES:
OVERVIEW: When an infected file is executed, the virus attempts to
infect other .COM files in the local directory.
__________________________________________________
NAME(S): TIRED
TRANSMISSION VECTOR: TIRED Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: FAT
OVERVIEW: Another scramble-the-FAT trojan by Dorn W. Stickel.
__________________________________________________
NAME(S): Toothless, W13, W13-A, W13-B
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: RES, COM
POTENTIAL DAMAGE CODES: PROG
OVERVIEW: Infects .COM files. Infected programs are first padded so
their length becomes a multiple of 512 bytes, and then the 637 bytes of
virus code is added to the end. It then intercepts any disk writes and
changes them into disk reads.
__________________________________________________
NAME(S): TOPDOS
TRANSMISSION VECTOR: TOPDOS Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: FMT
OVERVIEW: This is a simple high level [hard] disk formatter.
__________________________________________________
NAME(S): Traceback, 3066, 3066-B, 3066-B2, Traceback-B, Traceback-B2
TRANSMISSION VECTOR: .COM or .EXE applications
MODE OF INFECTION CODES: RES, COM, EXE
POTENTIAL DAMAGE CODES: PROG
OVERVIEW: Spreads between COM and EXE files. Based on a rather
complicated set of criteria, it will sometimes cause the text displayed
on the screen to fall to the bottom, and then rise back up.
__________________________________________________
NAME(S): Traceback II, 2930, 2930-B, Traceback II-B
TRANSMISSION VECTOR: .COM or .EXE applications
MODE OF INFECTION CODES: RES, COM, EXE
POTENTIAL DAMAGE CODES: PROG
OVERVIEW: Spreads between .COM and .EXE files. Based on a rather
complicated set of criteria, it will sometimes cause the text displayed
on the screen to fall to the bottom, and then rise back up.
__________________________________________________
NAME(S): TSRMAP
TRANSMISSION VECTOR: TSRMAP Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: BOOT
OVERVIEW: TSRMAP *TROJAN* This program does what it's
supposed to do: give a map outlining the location (in RAM) of all TSR
programs, but it also erases the boot sector of drive "C:".
__________________________________________________
NAME(S): Typo, Type Boot
TRANSMISSION VECTOR: Floppy/hard disk boot sectors
MODE OF INFECTION CODES: RES, FDB, HDB
POTENTIAL DAMAGE CODES: BOOT, RUN
OVERVIEW: Infects floppy and hard disk boot sectors.
__________________________________________________
NAME(S): Typo, Fumble, Typo COM, 867, Mistake
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: RES, COM
POTENTIAL DAMAGE CODES: RUN, PROG
OVERVIEW: Infects .COM files.
__________________________________________________
NAME(S): ULTIMATE
TRANSMISSION VECTOR: ULTIMATE.EXE Application, ULTIMATE.ARC Archive
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: FAT
OVERVIEW: Another FAT eater.
__________________________________________________
NAME(S): Vacsina, TP04VIR, TP05VIR, TP06VIR, TP16VIR, TP23VIR, TP24VIR,
TP25VIR
TRANSMISSION VECTOR: .COM or .EXE applications
MODE OF INFECTION CODES: RES, COM, EXE, OVR
POTENTIAL DAMAGE CODES: RUN, PROG
OVERVIEW: It infects .COM and .EXE files when they are loaded, old
versions of the virus will be replaced by newer ones.
__________________________________________________
NAME(S): VDIR
TRANSMISSION VECTOR: VDIR.COM Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: ERASE
OVERVIEW: This is a disk killer that Jerry Pournelle wrote about in
BYTE Magazine.
__________________________________________________
NAME(S): Vienna, 648, Lisbon, Vienna-B, Austrian, Dos-62, Unesco, The
648 Virus, The One-in-Eight Virus, 62-B, DOS-68, Vien6, Vienna-B645
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: COM
POTENTIAL DAMAGE CODES: PROG
OVERVIEW: The virus infects one .COM file every time it is run. 7/8 of
the time it infects the .COM file and 1/8 of the time it inserts a jump
to the BIOS initialization routines that reboot the machine. To mark a
file as infected, the virus sets the seconds field of the timestamp to
62 which most utilities (including DIR) skip.
__________________________________________________
NAME(S): Zero Bug, Agiplan, 1536, Palette, ZBug
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: RES, COM
POTENTIAL DAMAGE CODES: RUN, PROG
OVERVIEW: Infects .COM files. All characters "0" (zero) will be
exchanged with other characters. Exchange characters are 01h, 2Ah, 5Fh,
3Ch, 5Eh, 3Eh and 30h, in which case the attribute is set to background
color (i.e. the character is invisible). This routine uses about
10% of CPU-time (system is slowed down accordingly).

**************************************************
The Computer Incident Advisory Capability: Virus Descriptions In Process

____________________________________________________________
Suriv-03, Ohio, Yankee Doodle, Alabama, Vcomm, Virus-90, Jerusalem-B,
Frankie, Dark Avenger III, Turbo 448, Tiny virus, Polish 217, Kennedy,
Recovery Virus, VFSI, Polish 529, VHP2, Dot Killer, Burger, 512, 646,
Oulu, Fellowship, Nomenklatura, Prudents Virus, 1226, Anticad, 1381,
1392, Ten Bytes, 1605, Yankee 2, PSQR, Eight Tunes, UScan Virus, 2131,
Taiwan, Plastique, Itavir, 4096-B, The Basic Virus, Print Screen,
Aircop, Anthrax, Anti-pascal II, Armagedon, Attention!, Best Wishes,
Black Monday, Blood, Bloody!, Carioca, Casper, Christmas in Japan,
Cursy, Datalock, Wisconsin, Doom, Durban, Solano 2000, Eddie 3, Evil,
F-Word Virus, Swap Boot, Flip, Form, Frere Jacques, Sorry, Groen, Guppy,
Joshi, Holocaust, Hymn, Invader, Jeff, Joker, JOJO, July 13th, June
16th, Kamikazi, Kemerovo, Korea, Kukac, Leprosy, Liberty, Live After
Death, Lozinsky, Mardi Bros, MGTU, Microbes, ZeroHunt, Monxla, Whale,
Murphy, Music, Number 1, Ontario, Phoenix, Paris, Ping Pong-C,
Plastique-B, Polimer, Polish 529, Polish 583, Polish 961, Proud, Red
Diavolyata, Scott's Valley, SF Virus, Shake, Slow, Spyer, Stoned-II,
Subliminal 1.10, Sverdlov, SVir, USSR, V2P2, V2P6, V2P6Z, VHP, Victor,
Violator, Virdem, Virus101, Voronezh, VP, Westwood, Wolfman

