________________________________________________________________________
                 THE COMPUTER INCIDENT ADVISORY CAPABILITY
                           INFORMATION BULLETIN
________________________________________________________________________

Virus Information Update
March 1, 1991, 1100 PST
Number B-16

CIAC periodically issues bulletins about specific computer viruses. These bulletins, however, do not cover all the computer viruses that affect the PC-DOS/MS-DOS and Macintosh platforms. The purpose of this bulletin is to identify most of the known viruses for these platforms, and give an overview of the effects of each virus. This bulletin supersedes CIAC Bulletin A-15 issued last year, and includes (at least by name) more than 100 new viruses. As we continue to gather more information, we will add it to future editions of this document.

The following pages of this bulletin contain three tables of information, one for the PC-DOS/MS-DOS platform, one for the Macintosh platform, and one for the names of viruses currently being investigated. There is a two-line entry for each item in each table. The first line gives the name, transmission vector (explained below), method of infection, and possible damage. The second line gives an overview of the operation of each virus. The fields include:

* The name field gives the different names by which the virus is known, including different names for the same virus, and the names of any nearly identical variants (clones).

* The transmission vector field describes the vehicle by which the virus is transferred to a different machine. In most cases, this is an executable application, though there are cases where documents or invisible system files can transmit the virus.

* The method of infection field describes where and how the virus inserts or attaches itself to a new machine.

* The potential damage field describes the damage that the virus may do.
  (In most cases, damage caused by viruses appears to be unintentional, i.e., most viruses do not appear to be programmed to cause damage.)

* Finally, the overview field contains general comments describing the virus and its effects.

PC-DOS/MS-DOS users desiring additional information can read the file "Coping with Computer Viruses and Related Problems" by IBM (filename: IBMPAPER.ZIP, available from CIAC). For Macintosh users, the help file built into Disinfectant and the Virus Encyclopedia HyperCard stack are good sources of additional information. All of these and more are available from FELIX, CIAC's bulletin board service.

__________________________________
The FELIX Virus Bulletin Board

FELIX, a bulletin board operated by CIAC, is available to the DOE community and contains all the CIAC bulletins, descriptions of other viruses, and public domain virus detection/protection software. For example, one available file named CIACDB.TXT contains a more detailed version of the tables contained in this bulletin, with details on some viruses in addition to those described in this summary.

As with any software you obtain, you should exercise caution and scan individual software packages before using the software for the first time. All software on FELIX has been scanned for known viruses, but it is advisable to scan it again using the most recent version of a virus scanning tool such as DDI's Virhunt package (available to all DOE sites - contact your operations office for details). Be sure to scan archived applications after they have been extracted from the .ZIP, .ARC, or .SIT archive, as scanning software cannot currently detect a virus within an application until it is in an executable form (.EXE or .COM file).

Access to FELIX at speeds up to 2400 baud may be obtained by using a modem to call (415) 423-4753 or (FTS) 543-4753 (8 bit, no parity, 1 stop bit).
High speed access can be obtained at the Lawrence Livermore National Laboratory and the Lawrence Berkeley National Laboratory using 423-9885.

Downloadable PC-DOS/MS-DOS files are either text files (.TXT), zip archives (.ZIP) or executables (.COM or .EXE). Text files and executables can be downloaded directly and used. Be sure to use a binary downloading capability such as XMODEM for the executable files. Files in ZIP archives must be extracted after downloading with PKUNZIP (available on FELIX) before they can be used. Macintosh files in SIT archives must be extracted with Stuffit before they can be used. When downloading Macintosh files, be sure to use MacBinary format (such as MacBinary XMODEM) rather than plain binary format, if your terminal emulator allows this.

If you are using a shareware package downloaded from FELIX or any other source, be sure to follow the instructions in the package for compensating the author. The cost is generally minimal ($10 to $50) for some very useful applications.

For additional information or assistance, please contact CIAC:
    William Orvis
    (415) 422-8649 or (FTS) 532-8649

During working hours call CIAC at (415) 422-8193 or (FTS) 532-8193.
For non-working hour emergencies, call (415) 422-7222 or (FTS) 532-7222 and ask for CIAC ******(this is a new emergency number)******.
Send FAX messages to: (415) 423-0913 or (FTS) 543-0913

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights.
Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.

__________________________________
About the CIAC Virus Database and Bulletin

This database is compiled and maintained by CIAC, the Computer Incident Advisory Capability. The authors are William J. Orvis and David S. Brown. Information in this bulletin has been gathered from many sources, and we thank them all for their efforts. A partial listing of our sources is given here, and we will correct any omissions in the next release.

AIDS Technical Info, by Dr Alan Solomon, Barry Nielson and Simon Meldrum.
David Chess - IBM.
Computer Virus Catalog, by Dr. Klaus Brunnstein and Simone Fischer-Huebner, Virus Test Center, Faculty for Informatics, University of Hamburg.
The Dirty Dozen -- An Uploaded Trojan/Virus Program Alert List, compiled by Tom Sirianni of FidoNet 105 Node 301.
Disinfectant, by John Norstad, Academic Computing and Network Services, Northwestern University.
Joe Hirst, British Computer Virus Research Centre.
Bill Kenny - Digital Dispatch Inc.
John McAfee - McAfee Associates.
Jim Molini - Johnson Spacecraft Center.
Mike Odawa - Simple Software.
VIRUS-L - The virus news service moderated by Ken van Wyk.

__________________________________
Codes Used in the Virus Tables

The following codes are used in the Method of Infection field.

PC-DOS/MS-DOS Viruses

EXE    Infects .EXE files.
COM    Infects .COM files.
OVR    Infects program overlay files.
CC     Infects COMMAND.COM.
HDB    Infects hard disk boot sectors.
HDP    Infects hard disk partition tables.
FDB    Infects floppy disk boot sectors.
RES    Memory resident. The virus goes memory resident and infects disks when they are inserted or programs when they are run.
ENC    Encrypted. The virus code encrypts itself to make it difficult to scan for.
TRJ    A Trojan horse, not a virus.
WRM    A Worm, not a virus.

Macintosh Viruses

TYP1   Adds viral code as a new code segment, and patches the jump table to point to the new segment. For example, when an application is infected with nVIR, the virus attaches a CODE 256 resource to the end of the application and changes the CODE 0 resource (the jump table) to jump to and execute the CODE 256 resource before executing the application. Most Macintosh viruses (today) are of this type, for example Scores, nVIR and INIT29.
TYP2   Adds its viral code to the end of the main code segment, and patches the jump table to point to the new viral code.
TYP3   Adds its viral code to the end of the main code segment, and patches the first program instruction to jump or return jump to the new viral code. These viruses do not patch the jump table.
TYP4   Adds its viral code to the end of the main code segment, and patches the first program instruction to jump or return jump to the new viral code. This is a variant of type 3, except that these viruses have a bug. Instead of adding their code to, and patching the first instruction in, the main code segment, they make the incorrect assumption that the main code segment is some constant k. ANTI is a type 4 virus with k=1.
INIT   Adds viral code as an INIT resource in the System file.
APP    Infects Applications and the Finder.
SYS    Infects the System file.
DTOP   Infects the Desktop file.
DOCS   Infects document files.

The following codes are used in the Potential Damage field.

BOOT   Overwrites or corrupts a disk's boot sector.
PROG   Corrupts a program or overlay files.
FMT    Attempts to format the disk.
RUN    Interferes with a running application.
DATA   Corrupts a data file.
FAT    Corrupts the file linkages or the file allocation table (FAT).
ERASE  Attempts to erase all mounted disks.

__________________________________
DISTRIBUTION*

No change from previous bulletin.

* - Provided to CIAC by the Department of Energy; for changes, please contact your operations office.

CIAC BULLETINS ISSUED

SUN 386i authentication bypass vulnerability
nVIR virus alert
/dev/mem vulnerability
tftp/rwalld vulnerability
"Little Black Box" (Jerusalem) virus alert
restore/dump vulnerability
rcp/rdist vulnerability
Internet trojan horse alert
NCSA Telnet vulnerability
Columbus Day (DataCrime) virus alert
Columbus Day (DataCrime) virus alert (follow-up notice)
Internet hacker alert (notice A-1)
HEPnet/SPAN network worm alert (notice A-2)
HEPnet/SPAN network worm alert (follow-up, notice A-3)
HEPnet/SPAN network worm alert (follow-up, notice A-4)
rcp vulnerability (second vulnerability, notice A-5)
Trojan horse in Norton Utilities (notice A-6)
UNICOS vulnerability (limited distribution, notice A-7)
UNICOS problem (limited distribution, notice A-8)
WDEF virus alert (notice A-9)
PC CYBORG (AIDS) trojan horse alert (notice A-10)
Problem in the Texas Instruments D3 Process Control System (notice A-11)
DECnet hacker attack alert (notice A-12)
Vulnerability in DECODE alias (notice A-13)
Additional information on the vulnerability in the UNIX DECODE alias (notice A-14)
Virus information update (notice A-15)
Vulnerability in SUN sendmail program (notice A-16)
Eradicating WDEF using Disinfectant 1.5 or 1.6 (notice A-17)
Notice of availability of patch for SmarTerm 240 (notice A-18)
UNIX Internet Attack Advisory (notice A-19)
The Twelve Tricks Trojan Horse (notice A-20)
Additional information on Current UNIX Internet Attacks (notice A-21)
Logon Messages and Hacker/Cracker Attacks (notice A-22)
New Internet Attacks (notice A-23)
Password Problems with Unisys U5000 /etc/passwd (notice A-24)
The MDEF or Garfield Virus on Macintosh Computers (notice A-25)
A New Macintosh Trojan Horse Threat--STEROID (notice A-26)
The Disk Killer (Ogre) Virus on MS DOS Computers (notice A-27)
The Stoned (Marijuana or New Zealand) Virus on MS DOS Computers (notice A-28)
The 4096 (4k, Stealth, IDF, etc.) Virus on MS DOS Computers (notice A-29)
Apollo Domain/OS suid_exec Problem (notice A-30)
DECnet (Wollongong) Hacker Activity (notice A-31)
SunView/SunTools selection_svc Vulnerability (notice A-32)
Virus Propagation in Novell and Other Networks (notice A-33)
End of FY90 Update (notice A-34)
Security Problems on the NeXT Operating System (notice B-1)
Unix Security Problem with Silicon Graphics Mail (notice B-2)
Threat to Computers on ESnet (notice B-3)
VMS Security Problem with ANALYZE/PROCESS_DUMP (notice B-4)
HP-UX Trusted Systems 6.5 or 7.0, Authorization Problem (notice B-5)
Additional VMS/DECnet Attacks (notice B-6)
BITNET Worm (notice B-7)
Detection/Eradication Procedures for VMSCRTL Trojan Horse (notice B-8)
Update on Internet Activity (notice B-9)
Patch for TOCCON in SunOS 4.1 and 4.1.1 Available (notice B-10)
OpenWindows 2.0 selection_svc Vulnerability (notice B-11)
GAME2 MODULE RWormS on BITNET (notice B-12)
UNIX Security Problem with /bin/mail in SunOS (notice B-13)
Additional Information about UNIX Security Problem with /bin/mail in SunOS (notice B-14)
Network Intrusions through TCP/IP and DECnet Vulnerability Gateways (notice B-15)
Virus information update (notice B-16)

**************************************************
The Computer Incident Advisory Capability: Macintosh Computer Viruses

__________________________________________________
NAME(S): ANTI, ANTI-ANGE, ANTI A, ANTI B
TRANSMISSION VECTOR: Applications
MODE OF INFECTION CODES: TYP1, APP
POTENTIAL DAMAGE CODES: RUN
OVERVIEW: Attacks only application files, and causes some problems with infected applications.
__________________________________________________
NAME(S): CDEF
TRANSMISSION VECTOR: DeskTop files
MODE OF INFECTION CODES: DTOP
POTENTIAL DAMAGE CODES:
OVERVIEW: It only infects the invisible Desktop files used by the Finder. Infection can occur as soon as a disk is inserted into a computer. An application does not have to be run to cause an infection. It does not infect applications, document files, or other system files. The virus does not intentionally try to do any damage, but still causes problems with running applications.
__________________________________________________
NAME(S): Dukakis
TRANSMISSION VECTOR: HyperCard Stacks
MODE OF INFECTION CODES:
POTENTIAL DAMAGE CODES: PROG, RUN
OVERVIEW: Written in HyperTalk on a HyperCard stack called "NEWAPP.STK". Adds itself to the Home Card and other stacks. Flashes a message saying, "Dukakis for President in 88, Peace on Earth, and have a nice day."
__________________________________________________
NAME(S): FontFinder Trojan
TRANSMISSION VECTOR: FontFinder Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: PROG, DATA, ERASE
OVERVIEW: Trojan found in the Public Domain program called 'FontFinder'. Before Feb. 10, 1990, the application simply displays a list of the fonts and point sizes in the System file. After that date, it immediately destroys the directories of all available physically unlocked hard and floppy disks, including the one it resides on.
__________________________________________________
NAME(S): INIT29
TRANSMISSION VECTOR: Applications, Document files
MODE OF INFECTION CODES: TYP1
POTENTIAL DAMAGE CODES: PROG, RUN, DATA
OVERVIEW: It infects any file with resources, including documents. It damages files with legitimate INIT#29 resources.
__________________________________________________
NAME(S): MDEF, MDEF A, Garfield, MDEF B, Top Cat, MDEF C
TRANSMISSION VECTOR: Applications
MODE OF INFECTION CODES: APP, SYS, DTOP, DOCS
POTENTIAL DAMAGE CODES: RUN
OVERVIEW: MDEF infects applications, the System file, other system files, and Finder Desktop files. The System file is infected as soon as an infected application is run. Other applications become infected as soon as they are run on an infected system. MDEF's only purpose is to spread itself, and it does not intentionally attempt to do any damage, yet it can be harmful.
__________________________________________________
NAME(S): Mosaic Trojan
TRANSMISSION VECTOR: Mosaic Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: PROG, DATA, ERASE
OVERVIEW: Embedded in a program called 'Mosaic'. When launched, it immediately destroys the directories of all available physically unlocked hard and floppy disks, including the one it resides on. The attacked disks are renamed 'Gotcha!'.
__________________________________________________
NAME(S): nVIR, nVIR A, nVIR B, AIDS, Hpat, MEV#, FLU, Jude, J-nVIR
TRANSMISSION VECTOR: Applications
MODE OF INFECTION CODES: TYP1, APP, SYS
POTENTIAL DAMAGE CODES: PROG, RUN
OVERVIEW: It infects the System file and applications. nVIR begins spreading to other applications immediately. Whenever a new application is run, it is infected. Symptoms include unexplained crashes and problems printing.
__________________________________________________
NAME(S): Peace, MacMag virus, Drew, Brandow, Aldus
TRANSMISSION VECTOR: HyperCard Stacks, System files
MODE OF INFECTION CODES: INIT
POTENTIAL DAMAGE CODES: PROG, RUN
OVERVIEW: First virus on the Macintosh. Displays a Peace on Earth message on March 2, 1988 and removes itself the next day. Distributed via a HyperCard stack. Its presence causes problems with some programs.
__________________________________________________
NAME(S): Scores, NASA
TRANSMISSION VECTOR: Applications
MODE OF INFECTION CODES: TYP1
POTENTIAL DAMAGE CODES: PROG, RUN
OVERVIEW: Infects applications and the System, and attempts to destroy files with creator types VULT and ERIC. Causes problems with other programs, including unexplained crashes and printing errors. Changes the icons of the NotePad and Scrapbook files to the blank document icon.
__________________________________________________
NAME(S): Sexy Ladies Trojan
TRANSMISSION VECTOR: Sexy Ladies Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: ERASE
OVERVIEW: Not a virus, but a Trojan Horse. Given away at the 1988 San Francisco MacWorld Expo, it erased whatever hard disk or floppy disk it was on when it was launched.
__________________________________________________
NAME(S): Steroid Trojan
TRANSMISSION VECTOR: Steroid INIT
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: ERASE
OVERVIEW: The Steroid INIT is claimed to speed up QuickDraw on Macintoshes with 9 inch screens. The INIT has code that checks for dates after June 30, 1989, and is active every year thereafter from July through December. When it is activated, it attempts to erase all mounted drives.
__________________________________________________
NAME(S): Virus Info Trojan
TRANSMISSION VECTOR: Virus Info Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES:
OVERVIEW: This application has not been sighted outside of the Edmonton, Province of Alberta, Canada area where it was discovered.
__________________________________________________
NAME(S): WDEF, WDEF-A, WDEF-B
TRANSMISSION VECTOR: DeskTop files
MODE OF INFECTION CODES: TYP1, DTOP
POTENTIAL DAMAGE CODES:
OVERVIEW: WDEF only infects the invisible Desktop files used by the Finder. It can spread as soon as a disk is inserted into a machine. An application need not be run to cause infection.
__________________________________________________
NAME(S): ZUC, ZUC 1, ZUC 2
TRANSMISSION VECTOR: Applications
MODE OF INFECTION CODES: APP
POTENTIAL DAMAGE CODES:
OVERVIEW: It infects only application files. Before March 2, 1990, or less than two weeks after an application becomes infected, it only spreads from application to application. After that time, approximately 90 seconds after an infected application is run, the cursor begins to behave unusually whenever the mouse button is held down. The cursor moves diagonally across the screen, changing direction and bouncing like a billiard ball whenever it reaches any of the four sides of the screen. The cursor stops moving when the mouse button is released.

**************************************************
The Computer Incident Advisory Capability: PC-DOS/MS-DOS Computer Viruses

__________________________________________________
NAME(S): 12-TRICKS Trojan
TRANSMISSION VECTOR: CORETEST.COM
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: FAT, FMT, RUN, BOOT
OVERVIEW: Contained in "CORETEST.COM", a file that tests the speed of a hard disk. Every time the computer boots, one entry in the FAT will be changed. With a probability of 1/4096, the hard disk will be formatted (Track 0, Head 1, Sector 1, 1 Sector) followed by the message: "SOFTLoK+ V3.0 SOFTGUARD SYSTEMS,INC, 2840 St.Thomas Expwy,suite 201, Santa Clara,CA 95051 (408)970-9420".
__________________________________________________
NAME(S): 1260, V2P1, Variable, Chameleon, Camouflage, Stealth
TRANSMISSION VECTOR: COMMAND.COM, .COM applications
MODE OF INFECTION CODES: COM, CC, ENC
POTENTIAL DAMAGE CODES: PROG, RUN
OVERVIEW: This appears to be related to the Vienna virus. The virus infects any COM file in the current directory.
__________________________________________________
NAME(S): 1704-Format, Cascade Format
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: ENC, RES, COM
POTENTIAL DAMAGE CODES: RUN, PROG, FMT
OVERVIEW: Spreads between COM files. Occasionally causes odd screen behavior (the characters on the screen fall into a heap at the bottom of the screen!). One rare variant can destroy data on hard disks.
__________________________________________________
NAME(S): 3X3SHR
TRANSMISSION VECTOR: 3X3SHR Application?
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: ERHD
OVERVIEW: *TROJAN* Time Bomb type trojan wipes the Hard Drive clean. (Is this an application? .EXE or .COM file?)
__________________________________________________
NAME(S): 405
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: COM
POTENTIAL DAMAGE CODES: PROG
OVERVIEW: The virus spreads itself by overwriting the first 405 bytes of a .COM file. One file is infected each time an infected file is executed.
__________________________________________________
NAME(S): 4096, Century, Century Virus, 100 Years Virus, Frodo, IDF
TRANSMISSION VECTOR: .COM or .EXE applications
MODE OF INFECTION CODES: RES, CC, COM, OVR, EXE
POTENTIAL DAMAGE CODES: RUN, PROG, DATA, FAT
OVERVIEW: It infects both .COM and .EXE applications. It is nearly impossible to detect once it has been installed, since it actively hides itself from the scanning packages. Whenever an application such as a scanner accesses an infected file, the virus disinfects it on the fly.
__________________________________________________
NAME(S): Advent, 2761
TRANSMISSION VECTOR: .COM or .EXE applications
MODE OF INFECTION CODES: COM, EXE, ENC, CC
POTENTIAL DAMAGE CODES: RUN
OVERVIEW: Spreads between .COM and .EXE files.
Beginning on every "Advent" (the 4th Sunday before Christmas until Christmas Eve), the virus displays after every "Advent Sunday" one more lit candle in a wreath of four, together with the string "Merry Christmas", and plays the melody of the German Christmas song "Oh Tannenbaum". By Christmas all four candles are lit. This happens until the end of December, whenever an infected file is run. If the environment variable "VIRUS=OFF" is set, the virus will not infect.
__________________________________________________
NAME(S): AIDS, Hahaha, Taunt, VGA2CGA
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: COM
POTENTIAL DAMAGE CODES: PROG
OVERVIEW: It infects .COM files.
__________________________________________________
NAME(S): AIDS II, AIDS
TRANSMISSION VECTOR: AIDS Information Introductory Diskette Version 2.0
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: ENDIR
OVERVIEW: On Monday, 11th December, several thousand diskettes named "AIDS Information Introductory Diskette Version 2.0" were mailed out containing a program that purported to give you information about AIDS. These diskettes actually contained a trojan that will encrypt the file names on your hard disk after booting your computer about 90 times. If you have installed this program, you should copy any important data files (no executables) and reformat your hard disk.
__________________________________________________
NAME(S): Ambulance Car, REDX
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: COM, CC
POTENTIAL DAMAGE CODES: PROG, RUN
OVERVIEW: When an infected application is run, the virus tries to find two .COM file victims, which it randomly selects in the current directory or via the PATH variable in the environment. After some number of executions, an ambulance car runs along the bottom of the screen accompanied by siren sounds.
__________________________________________________
NAME(S): Amstrad, Pixel, V-277, V-299, V-345, V-847, V-847B, V-852
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: COM
POTENTIAL DAMAGE CODES: PROG
OVERVIEW: Adds code to the front of any .COM file in the current directory. The virus contains an advertisement for Amstrad computers.
__________________________________________________
NAME(S): Anti Pascal, Anti Pascal 529, Anti Pascal 605, AP 529, AP 605, C 605, V-605
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: COM
POTENTIAL DAMAGE CODES: FILES, RUN, PROG
OVERVIEW: May overwrite .BAK and .PAS files if not enough .COM files are available in a directory for it to infect.
__________________________________________________
NAME(S): ANTI-PCB
TRANSMISSION VECTOR: ANTI-PCB.COM Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES:
OVERVIEW: The story behind this trojan horse is sickening. Apparently one RBBS-PC sysop and one PC-BOARD sysop started feuding about which BBS system is better, and in the end the PC-BOARD sysop wrote a trojan and uploaded it to the RBBS SysOp under ANTI-PCB.COM. Of course the RBBS-PC SysOp ran it, and that led to quite a few accusations and a big mess in general. Let's grow up! Every SysOp has the right to run the type of BBS that they please, and the fact that a SysOp actually wrote a trojan intended for another simply blows my mind.
__________________________________________________
NAME(S): ARC513.EXE, ARC514.COM
TRANSMISSION VECTOR: ARC513.EXE, ARC514.COM
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: BOOT, FAT
OVERVIEW: ARC513.EXE: This hacked version of ARC appears normal, so beware! It will write over track 0 of your [hard] disk upon usage, destroying the disk. ARC514.COM: This is totally similar to ARC version 5.13 in that it will overwrite track 0 (FAT Table) of your hard disk. Also, I have yet to see an .EXE version of this program.
__________________________________________________
NAME(S): ARC533
TRANSMISSION VECTOR:
MODE OF INFECTION CODES: CC
POTENTIAL DAMAGE CODES:
OVERVIEW: This is a new Virus program designed to emulate SEA's ARC program.
__________________________________________________
NAME(S): BACKTALK
TRANSMISSION VECTOR: BACKTALK Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: WRHD
OVERVIEW: This program used to be a good PD utility, but someone changed it to be a trojan. Now this program will write/destroy sectors on your [hard] disk drive. Use this with caution if you acquire it, because it's more than likely that you got a bad copy.
__________________________________________________
NAME(S): Brain, Pakistani, Ashar, Shoe, Shoe_Virus, Shoe_Virus_B, Ashar_B, UIUC, UIUC-B, @BRAIN, Jork, Shoe B
TRANSMISSION VECTOR: Floppy boot sector
MODE OF INFECTION CODES: FDB, RES
POTENTIAL DAMAGE CODES: BOOT, RUN, DATA, FMT
OVERVIEW: This virus only infects the boot sectors of 360 KB floppy disks. It does no malicious damage, but bugs in the virus code can cause loss of data by scrambling data on diskette files or by scrambling the File Allocation Table. It does not tend to spread in a hard disk environment.
__________________________________________________
NAME(S): Cascade, 1701, 1704, 17Y4, 1704 B, 1704 C, Cascade A, Cascade B, Falling Tears, The Second Austrian Virus, Autumn, Blackjack, Falling Leaves, Cunning, Fall, Falling Letters, Herbst
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: ENC, RES, COM
POTENTIAL DAMAGE CODES: RUN, PROG
OVERVIEW: Spreads between COM files. Occasionally causes odd screen behavior (the characters on the screen fall into a heap at the bottom of the screen!). One rare variant can destroy data on hard disks.
__________________________________________________
NAME(S): CDIR
TRANSMISSION VECTOR: CDIR.COM Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: FAT
OVERVIEW: This program is supposed to give you a color directory of files on your disk, but it in fact will scramble your disk's FAT table.
__________________________________________________
NAME(S): Chaos
TRANSMISSION VECTOR: Floppy/hard disk boot sectors
MODE OF INFECTION CODES: RES, FDB, HDB
POTENTIAL DAMAGE CODES: BOOT, RUN, PROG, FAT
OVERVIEW: Derivative of Brain.
__________________________________________________
NAME(S): Christmas, 1539, Father Christmas, Choinka, Tannenbaum, Christmas Tree, XA1, V1539
TRANSMISSION VECTOR: .COM applications, COMMAND.COM
MODE OF INFECTION CODES: COM, CC, ENC
POTENTIAL DAMAGE CODES: RUN, BOOT
OVERVIEW: The virus infects .COM files when an infected application is executed. When an infected program is run between December 24th and 31st (any year), the virus displays a full screen image of a Christmas tree and German seasons greetings. When an infected program is run on April 1st (any year), it drops a code into the boot sectors of floppy A: and B: as well as into the partition table of the hard disk. The old partition sectors are saved, but most likely destroyed, since running another infected file will save the modified partition table to the same location. On any boot attempt from an infected hard disk or floppy, the text "April April" will be displayed and the PC will hang.
__________________________________________________
NAME(S): Clone
TRANSMISSION VECTOR:
MODE OF INFECTION CODES:
POTENTIAL DAMAGE CODES:
OVERVIEW: Derivative of Brain.
__________________________________________________
NAME(S): D-XREF60.COM
TRANSMISSION VECTOR: D-XREF60.COM Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: BOOT, FAT
OVERVIEW: A Pascal Utility used for Cross-Referencing, written by the infamous Dorn Stickel.
It eats the FAT and BOOT sector after a time period has been met and if the Hard Drive is more than half full.
__________________________________________________
NAME(S): DANCERS, DANCERS.BAS
TRANSMISSION VECTOR: DANCERS.BAS Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: FAT
OVERVIEW: This trojan shows some animated dancers in color, and then proceeds to wipe out your [hard] disk's FAT table. There is another perfectly good copy of DANCERS.BAS on BBSs around the country.
__________________________________________________
NAME(S): Dark Avenger, Dark Avenger-B, Black Avenger, Diana, Eddie
TRANSMISSION VECTOR: .COM or .EXE applications
MODE OF INFECTION CODES: RES, CC, EXE, COM, OVR
POTENTIAL DAMAGE CODES: PROG, WRHD
OVERVIEW: Infects every executable file that is opened.
__________________________________________________
NAME(S): Dark Avenger 3, Dark Avenger II, V2000, Die Young, Travel, V2000-B, Eddie 3
TRANSMISSION VECTOR: .COM applications, .EXE applications
MODE OF INFECTION CODES: EXE, COM, CC
POTENTIAL DAMAGE CODES: PROG, DATA, RUN
OVERVIEW: Every 16 executions of an infected file, the virus will overwrite a new random data sector on disk; the last overwritten sector is stored in the boot sector. The system hangs if a program is loaded that contains the string "(c) 1989 by Vesselin Bontchev"; V. Bontchev is a Bulgarian author of anti-virus programs.
__________________________________________________
NAME(S): Datacrime, 1280, Columbus Day, DATACRIME Ib
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: COM, ENC
POTENTIAL DAMAGE CODES: PROG, FMT, FAT
OVERVIEW: Spreads between COM files. After October 12th, it displays the message "DATACRIME VIRUS RELEASE: 1 MARCH 1989", and then the first hard disk will be formatted (track 0, all heads). When formatting is finished the speaker will beep (endless loop).
__________________________________________________
NAME(S): Datacrime II, 1514, Columbus Day
TRANSMISSION VECTOR: .COM or .EXE applications
MODE OF INFECTION CODES: COM, EXE, ENC
POTENTIAL DAMAGE CODES: PROG, FMT, FAT
OVERVIEW: Spreads between both COM and EXE files. After October 12th, displays the message "* DATACRIME II VIRUS *", and damages the data on hard disks by attempting to reformat them.
__________________________________________________
NAME(S): Datacrime II-B, 1917, Columbus Day
TRANSMISSION VECTOR: .COM or .EXE applications
MODE OF INFECTION CODES: ENC, COM, EXE, CC
POTENTIAL DAMAGE CODES: PROG, FMT
OVERVIEW: Spreads between both COM and EXE files. After October 12th, displays the message "* DATACRIME II VIRUS *", and damages the data on hard disks by attempting to reformat them.
__________________________________________________
NAME(S): Datacrime-B, 1168, Columbus Day, Datacrime Ia
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: COM, ENC
POTENTIAL DAMAGE CODES: PROG, FMT, FAT
OVERVIEW: Spreads between COM files. After October 12th, it displays the message "DATACRIME VIRUS RELEASE: 1 MARCH 1989", and then the first hard disk will be formatted (track 0, all heads). When formatting is finished the speaker will beep (endless loop).
__________________________________________________
NAME(S): Dbase, DBF virus
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: RES, COM
POTENTIAL DAMAGE CODES: DATA, RUN, PROG
OVERVIEW: Infects COM files. Registers all new .DBF files in a hidden file c:\BUGS.DAT. When any of those files are written, it reverses the order of adjacent bytes. When any of those files are read, it again reverses the bytes, making the file appear to be OK, unless it is read on an uninfected system or the file name is changed.
__________________________________________________
NAME(S): DenZuk, Venezuelan, Search, DenZuc B
TRANSMISSION VECTOR: Floppy boot sector
MODE OF INFECTION CODES: RES, FDB
POTENTIAL DAMAGE CODES: RUN, BOOT
OVERVIEW: Infects floppy disk boot sectors, and displays a purple DEN ZUK graphic on a CGA, EGA or VGA screen when Ctrl-Alt-Del is pressed.
__________________________________________________
NAME(S): Devil's Dance, Mexican
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: RES, COM
POTENTIAL DAMAGE CODES: RUN, PROG, DATA, FAT
OVERVIEW: Infects .COM files.
__________________________________________________
NAME(S): Disk Killer, Computer Ogre, Disk Ogre
TRANSMISSION VECTOR: Floppy/hard disk boot sectors
MODE OF INFECTION CODES: RES, FDB, HDB
POTENTIAL DAMAGE CODES: BOOT, RUN, PROG, DATA
OVERVIEW: Infects floppy and hard disk boot sectors and, after 48 hours of work time, it encrypts everything on the hard disk. The encryption is reversible.
__________________________________________________
NAME(S): DISKSCAN, SCANBAD, BADDISK
TRANSMISSION VECTOR: DISKSCAN.EXE Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: WRHD
OVERVIEW: This was a PC-MAGAZINE program to scan a [hard] disk for bad sectors, but then a joker edited it to WRITE bad sectors. Also look for this under other names such as SCANBAD.EXE and BADDISK.EXE. A good original copy is available on SCP Business BBS.
__________________________________________________
NAME(S): DMASTER
TRANSMISSION VECTOR: DMASTER Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: FAT
OVERVIEW: This is yet another FAT scrambler.
__________________________________________________
NAME(S): Do Nothing, Stupid Virus, 640K Virus
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: COM, RES
POTENTIAL DAMAGE CODES: PROG
OVERVIEW: Infects .COM files. The virus copies itself to 9800:100h, which means that only computers with 640KB can be infected.
Many programs also load themselves to this area and erase the virus from memory.
__________________________________________________
NAME(S): DOSKNOWS
TRANSMISSION VECTOR: DOSKNOWS.EXE
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: FAT
OVERVIEW: Apparently someone wrote a FAT killer and renamed it DOSKNOWS.EXE, so it would be confused with the real, harmless DOSKNOWS system-status utility.
__________________________________________________
NAME(S): DRAIN2
TRANSMISSION VECTOR:
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: FMT
OVERVIEW: There really is a DRAIN program, but this revised program does a low-level format while it is playing the funny program.
__________________________________________________
NAME(S): DROID
TRANSMISSION VECTOR: DROID.EXE
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES:
OVERVIEW: This trojan appears under the guise of a game. You are supposedly an architect that controls futuristic droids in search of relics. In fact, PC-Board sysops, if they run this program from C:\PCBOARD, will find that it copies C:\PCBOARD\PCBOARD.DAT to C:\PCBOARD\HELP\HLPX.
__________________________________________________
NAME(S): DRPTR, WIPEOUT
TRANSMISSION VECTOR: DRPTR.ARC
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: FILES
OVERVIEW: After running the unsuspected file, the only things left in the root directory are the subdirectories and two of the three DOS system files, along with a 0-byte file named WIPEOUT.YUK. COMMAND.COM was located in a different directory; the file date and CRC had not changed.
__________________________________________________
NAME(S): EDV
TRANSMISSION VECTOR:
MODE OF INFECTION CODES:
POTENTIAL DAMAGE CODES:
OVERVIEW: Derivative of Brain.
__________________________________________________
NAME(S): EGABTR
TRANSMISSION VECTOR: EGABTR Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: FILES
OVERVIEW: BEWARE!
Description says something like "improve your EGA display," but when run, it deletes everything in sight and prints, "Arf! Arf! Got you!"
__________________________________________________
NAME(S): FILES.GBS
TRANSMISSION VECTOR: FILES.GBS Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES:
OVERVIEW: When an OPUS BBS system is installed improperly, this file could spell disaster for the Sysop. It can let a user of any level into the system. Protect yourself. Best to have a sub-directory in each upload area called c:\upload\files.gbs (this is an example only). This would force Opus to rename a file upload of files.gbs and prevent its usage.
__________________________________________________
NAME(S): Fish, European Fish, Fish 6
TRANSMISSION VECTOR: COMMAND.COM, .COM applications, .EXE applications
MODE OF INFECTION CODES: EXE, COM, RES, ENC, CC
POTENTIAL DAMAGE CODES: PROG, RUN, DATA
OVERVIEW: If (system date > 1990) and a second infected .COM file is executed, a message is displayed: FISH VIRUS #6 - EACH DIFF - BONN 2/90 '~Knzyvo} and then the processor stops (HLT instruction). The virus will attempt to infect some data files, corrupting them in the process. This is a variant of the 4096 virus.
__________________________________________________
NAME(S): Flash, 688
TRANSMISSION VECTOR: .COM applications, .EXE applications
MODE OF INFECTION CODES: EXE, COM, RES, ENC, CC
POTENTIAL DAMAGE CODES: PROG, RUN
OVERVIEW: The memory-resident virus infects applications when they are run. After June 1990, the virus makes the screen flash. This flash can only be seen on MDA, Hercules, and CGA adapters, but not on EGA and VGA cards.
__________________________________________________
NAME(S): FLUSHOT4, FLU4TXT
TRANSMISSION VECTOR: FLUSHOT4.ARC Archive
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES:
OVERVIEW: This Trojan was inserted into FLUSHOT4.ARC and uploaded to many BBSs. FluShot is a protector of your COMMAND.COM.
As of 05/14/88, FLUSHOT.ARC (FluShot Plus v1.1) is the current version, not FLUSHOT4.ARC, which is trojaned.
__________________________________________________
NAME(S): Friday 13th COM, South African, 512 Virus, COM Virus, Friday The 13th-B, Friday The 13th-C, Miami, Munich, Number of the Beast, Virus-B
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: COM
POTENTIAL DAMAGE CODES: PROG
OVERVIEW: Infects all .COM files except COMMAND.COM, and deletes the host program if run on Friday the 13th.
__________________________________________________
NAME(S): Fu Manchu, 2086, 2080, Fumanchu
TRANSMISSION VECTOR: .COM or .EXE applications
MODE OF INFECTION CODES: RES, COM, EXE, OVR
POTENTIAL DAMAGE CODES: RUN, PROG
OVERVIEW: Infects .COM and .EXE files. The message 'The world will hear from me again!' is displayed on every warmboot, and it inserts insults into the keyboard buffer when the names of certain world leaders are typed at the keyboard. Occasionally causes the system to spontaneously reboot.
__________________________________________________
NAME(S): FUTURE
TRANSMISSION VECTOR: FUTURE.BAS Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: ERASE
OVERVIEW: This "program" starts out with a very nice color picture and then proceeds to tell you that you should be using your computer for better things than games and graphics. After making that point, it trashes your A: drive, B:, C:, D:, and so on until it has erased all drives.
__________________________________________________
NAME(S): G-MAN
TRANSMISSION VECTOR: G-MAN Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: FAT
OVERVIEW: Another FAT killer.
__________________________________________________
NAME(S): GATEWAY, GATEWAY2
TRANSMISSION VECTOR: GATEWAY
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: FAT
OVERVIEW: Someone tampered with version 2.0 of the CTTY monitor GATEWAY. What it does is ruin the FAT.
__________________________________________________
NAME(S): Ghost
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: COM
POTENTIAL DAMAGE CODES: BOOT, PROG
OVERVIEW: Infects .COM files.
__________________________________________________
NAME(S): GhostBalls, Ghost Boot, Ghost COM
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: RES, COM
POTENTIAL DAMAGE CODES: BOOT, RUN, PROG
OVERVIEW: Infects floppy and hard disk boot sectors.
__________________________________________________
NAME(S): GRABBER
TRANSMISSION VECTOR: GRABBER.COM Application
MODE OF INFECTION CODES: TRJ, RES
POTENTIAL DAMAGE CODES: FILES
OVERVIEW: This program is supposed to be a SCREEN CAPTURE program that copies the screen to a .COM file to be later run from a DOS command line. As a TSR it will attempt to do a DISK WRITE to your hard drive when you do not want it to. It will wipe out whole directories when doing a normal DOS command. One sysop who ran it lost all of his ROOT DIR including his SYSTEM files.
__________________________________________________
NAME(S): Halloechn, Hello_1a, Hello
TRANSMISSION VECTOR: .COM applications, .EXE applications
MODE OF INFECTION CODES: COM, EXE
POTENTIAL DAMAGE CODES: RUN, DATA
OVERVIEW: The virus slows the system down, and corrupts keyboard entries (pressing an "A" produces a "B").
__________________________________________________
NAME(S): Icelandic, Disk Eating Virus, Disk Crunching Virus, One In Ten, Saratoga 2
TRANSMISSION VECTOR: .EXE applications
MODE OF INFECTION CODES: RES, EXE
POTENTIAL DAMAGE CODES: RUN, PROG, FAT
OVERVIEW: Infects every 10th .EXE file run, and if the current drive is a hard disk larger than 10M bytes, the virus will select one cluster and mark it as bad in the first copy of the FAT. Diskettes and 10M byte disks are not affected.
__________________________________________________
NAME(S): Icelandic II, One In Ten, System Virus, 642
TRANSMISSION VECTOR: .EXE applications
MODE OF INFECTION CODES: RES, EXE
POTENTIAL DAMAGE CODES: RUN, PROG
OVERVIEW: Every tenth program run is checked, and if it is an uninfected .EXE file it will be infected. The virus modifies the MCBs in order to hide from detection. This virus is a version of the Icelandic-1 virus, modified so that it does not use INT 21 calls to DOS services. This is done to bypass monitoring programs.
__________________________________________________
NAME(S): Icelandic III, December 24th
TRANSMISSION VECTOR: .EXE applications
MODE OF INFECTION CODES: RES, EXE
POTENTIAL DAMAGE CODES: RUN, PROG
OVERVIEW: It infects one out of every ten .EXE files run. If an infected file is run on December 24th it will stop any other program run later, displaying the message "Gledileg jol".
__________________________________________________
NAME(S): Israeli Boot, Swap
TRANSMISSION VECTOR: Floppy boot sector
MODE OF INFECTION CODES: RES, FDB
POTENTIAL DAMAGE CODES: BOOT
OVERVIEW: It infects floppy disk boot sectors and reverses the order of letters typed, creating typographical errors.
__________________________________________________
NAME(S): Jerusalem, Jerusalem A, Black Hole, Blackbox, 1808, 1813, Israeli, Hebrew University, Black Friday, Friday 13th, PLO, Russian
TRANSMISSION VECTOR: .COM or .EXE applications
MODE OF INFECTION CODES: RES, COM, EXE, OVR
POTENTIAL DAMAGE CODES: RUN, PROG, FILES
OVERVIEW: Spreads between executable files (.COM or .EXE). On Friday the 13th, it erases any file that is executed, and on other days a two-line black rectangle will appear at the bottom of the screen. Once this virus installs itself (once an infected COM or EXE file is executed), any other COM or EXE file executed will become infected.
__________________________________________________
NAME(S): Keypress
TRANSMISSION VECTOR: .COM applications, .EXE applications
MODE OF INFECTION CODES: COM, EXE
POTENTIAL DAMAGE CODES:
OVERVIEW: Every 10 minutes, the virus looks at INT 09h (keyboard interrupt) for 2 seconds; if a keystroke is recognized during this time, it is repeated depending on how long the key is pressed; it thus appears as a "bouncing key".
__________________________________________________
NAME(S): Lehigh, Lehigh-2, Lehigh-B
TRANSMISSION VECTOR: COMMAND.COM
MODE OF INFECTION CODES: RES, CC
POTENTIAL DAMAGE CODES: PROG, FAT, BOOT
OVERVIEW: Spreads between copies of COMMAND.COM. After spreading four or ten times, it overwrites critical parts of a disk with random data.
__________________________________________________
NAME(S): Macho, MachoSoft, 3555, 3551
TRANSMISSION VECTOR: .COM or .EXE applications
MODE OF INFECTION CODES: COM, EXE, ENC
POTENTIAL DAMAGE CODES: PROG, DATA
OVERVIEW: Spreads between .COM and .EXE files. It scans through data on the hard disk, changing the string "Microsoft" (in any mixture of upper and lower case) to "MACHOSOFT". If the environment variable "VIRUS=OFF" is set, the virus will not infect.
__________________________________________________
NAME(S): MAP, FAT EATER
TRANSMISSION VECTOR: MAP Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: FAT
OVERVIEW: This is another trojan horse written by the infamous "Dorn Stickel." Designed to display what TSRs are in memory, but it works on the FAT and BOOT sector.
__________________________________________________
NAME(S): MATHKIDS, FIXIT
TRANSMISSION VECTOR: MATHKIDS.ARC Archive
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: CBBS
OVERVIEW: This trojan is designed to crack a BBS system. It will attempt to copy the USERS file on a BBS to a file innocently called FIXIT.ARC, which the originator can later call in and download. Believed to be designed for PCBoard BBSs.
__________________________________________________
NAME(S): Merritt, Alameda, Yale, Golden Gate, 500 Virus, Mazatlan, Peking, Seoul
TRANSMISSION VECTOR: Floppy boot sector
MODE OF INFECTION CODES: RES, FDB
POTENTIAL DAMAGE CODES: BOOT, FAT
OVERVIEW: Track 39 sector 8 is used to save the original boot record, and any file there will be overwritten. Destroys the FAT after some length of time. It spreads when the Ctrl-Alt-Del sequence is used with an uninfected diskette in the boot drive. The Golden Gate variation will reformat drive C: after n infections. Infects floppies only. Spreads between floppy disks.
__________________________________________________
NAME(S): Mirror, Flip Clone
TRANSMISSION VECTOR: .EXE applications
MODE OF INFECTION CODES: EXE, RES
POTENTIAL DAMAGE CODES: RUN, PROG
OVERVIEW: When the virus is triggered, the screen will flip horizontally character for character.
__________________________________________________
NAME(S): Mix1, MIX1, MIX/1, Mixer1
TRANSMISSION VECTOR: .EXE applications
MODE OF INFECTION CODES: RES, EXE
POTENTIAL DAMAGE CODES: RUN, PROG
OVERVIEW: The output is garbled on parallel and serial connections; after the 6th level of infection, booting the computer will crash the system (a bug); num-lock is constantly on; a ball will start bouncing on the screen.
__________________________________________________
NAME(S): NOTROJ
TRANSMISSION VECTOR: NOTROJ.COM Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: FAT, FMT
OVERVIEW: All outward appearances indicate that the program is a useful utility used to FIGHT other trojan horses. Actually, it is a time bomb that erases any hard disk FAT table that IT can find on hard drives that are more than 50% full, and at the same time, it warns: "another program is attempting a format, can't abort!" After erasing the FAT(s), NOTROJ then proceeds to start a low-level format.
__________________________________________________
NAME(S): Oropax, Music, Musician
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: RES, COM
POTENTIAL DAMAGE CODES: RUN, PROG
OVERVIEW: Infects .COM files and plays musical melodies repeatedly.
__________________________________________________
NAME(S): PACKDIR
TRANSMISSION VECTOR: PACKDIR Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: FAT
OVERVIEW: This utility is supposed to "pack" (sort and optimize) the files on a [hard] disk, but apparently it scrambles FAT tables. (Possibly a bug rather than a deliberate trojan?? w.j.o.)
__________________________________________________
NAME(S): PCW271, PC-WRITE 2.71
TRANSMISSION VECTOR: PCW271xx.ARC Archive
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: FAT
OVERVIEW: A modified version of the popular PC-WRITE word processor (v. 2.71) that scrambles FAT tables. The bogus version of PC-WRITE version 2.71 can be identified by its size; it uses 98,274 bytes whereas the good version uses 98,644.
__________________________________________________
NAME(S): Pentagon
TRANSMISSION VECTOR: Floppy boot sector
MODE OF INFECTION CODES: FDB, RES
POTENTIAL DAMAGE CODES: BOOT
OVERVIEW: It infects floppy disk boot sectors, and removes the Brain virus from any disk it finds. The virus can survive a warmboot.
__________________________________________________
NAME(S): Perfume, 765, 4711
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: RES, COM, CC
POTENTIAL DAMAGE CODES: PROG, RUN
OVERVIEW: It infects .COM files, and after 80 executions, it demands a password to run the application. The password is 4711 (the name of a perfume).
__________________________________________________
NAME(S): Ping Pong, Bouncing Ball, Italian, Bouncing Dot, Vera Cruz, Turin Virus
TRANSMISSION VECTOR: Floppy boot sector
MODE OF INFECTION CODES: RES, FDB, HDB
POTENTIAL DAMAGE CODES: RUN, BOOT
OVERVIEW: Bouncing dot appears on screen. No other intentional damage.
Spreads between disks by infecting the boot sectors.
__________________________________________________
NAME(S): Ping Pong B, Boot, Falling Letters
TRANSMISSION VECTOR: Floppy/hard disk boot sectors
MODE OF INFECTION CODES: RES, FDB, HDB
POTENTIAL DAMAGE CODES: RUN, BOOT
OVERVIEW: Bouncing dot appears on screen. No other intentional damage. Spreads between disks by infecting the boot sectors.
__________________________________________________
NAME(S): PKFIX361
TRANSMISSION VECTOR: PKFIX361.EXE Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: FMT
OVERVIEW: PKFIX361.EXE *TROJAN* Supposed patch to v3.61; what it really does, when extracted from the .EXE, is DIRECT access to the DRIVE CONTROLLER to do a low-level format, thereby bypassing checking programs. (This would be only XT type disk drive cards. w.j.o.)
__________________________________________________
NAME(S): PKPAK/PKUNPAK 3.61, PK362, PK363
TRANSMISSION VECTOR: PKPAK/PKUNPAK V. 3.61 Applications, PK362.EXE Application, PK363.EXE Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES:
OVERVIEW: PKPAK/PKUNPAK *TROJAN* There is a TAMPERED version of 3.61 that, when used, interferes with the PC's interrupts. PK362.EXE This is a NON-RELEASED version and is suspected as being a *TROJAN* - not verified. PK363.EXE This is a NON-RELEASED version and is suspected as being a *TROJAN* - not verified.
__________________________________________________
NAME(S): PKX35B35, PKB35B35
TRANSMISSION VECTOR: PKX35B35.ARC Archive, PKB35B35.ARC Archive
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: FAT
OVERVIEW: PKX35B35.ARC, PKB35B35.ARC This was supposed to be an update to the PKARC file compress utility, which when used *EATS your FATS* and is, or at least is RUMORED to be, able to infect other files so it can spread - possible VIRUS?
__________________________________________________
NAME(S): QUIKRBBS
TRANSMISSION VECTOR: QUIKRBBS.COM Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: FAT
OVERVIEW: This Trojan horse advertises that it will install a program to protect your RBBS, but it does not. It goes and eats away at the FAT.
__________________________________________________
NAME(S): QUIKREF
TRANSMISSION VECTOR: QUIKREF.ARC Archive
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: CBBS
OVERVIEW: This ARChive contains ARC513.COM. It claims to load RBBS-PC's message file into memory two times faster than normal. What it really does is copy RBBS-PC.DEF into an ASCII file named HISCORES.DAT.
__________________________________________________
NAME(S): RCKVIDEO
TRANSMISSION VECTOR: RCKVIDEO Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: ERASE
OVERVIEW: After showing some simple animation of a rock star, the program erases every file it can find. After about a minute of this, it creates three ASCII files that say "You are stupid to download a video about rock stars".
__________________________________________________
NAME(S): RPVS, 453, RPVS-B, TUQ
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: COM
POTENTIAL DAMAGE CODES: PROG, RUN
OVERVIEW: Whenever an infected application is run, at least one other .COM file in the default directory is infected.
__________________________________________________
NAME(S): Saddam
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: COM, RES
POTENTIAL DAMAGE CODES: PROG
OVERVIEW: This appears to be a variant of the Stupid virus. On every eighth infection, the string: "HEY SADAM"{LF}{CR} "LEAVE QUEIT BEFORE I COME" is displayed. The virus copies itself to [0:413]*40h-867h, which means that only computers with 640KB can be infected. Many large programs also load themselves to this area and erase the virus from memory, or hang the system.
__________________________________________________
NAME(S): Saratoga, 632, Disk Eating Virus, One In Two
TRANSMISSION VECTOR: .EXE applications
MODE OF INFECTION CODES: RES, EXE
POTENTIAL DAMAGE CODES: RUN, PROG, FAT
OVERVIEW: Infects every 10th .EXE file run, and if the current drive is a hard disk larger than 10M bytes, the virus will select one cluster and mark it as bad in the first copy of the FAT. Diskettes and 10M byte disks are not affected.
__________________________________________________
NAME(S): Scrambler, KEYBGR Trojan
TRANSMISSION VECTOR: KEYBGR.COM Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: RUN
OVERVIEW: About 60 minutes after the trojan KEYBGR.COM is started, a smiley face moves in a random fashion about the screen, displacing characters as it moves.
__________________________________________________
NAME(S): SECRET
TRANSMISSION VECTOR: SECRET.BAS Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: FMT
OVERVIEW: BEWARE!! This may be posted with a note saying it doesn't seem to work, and would someone please try it; when you do, it formats your disks.
__________________________________________________
NAME(S): SIDEWAYS, SIDEWAYS.COM
TRANSMISSION VECTOR: SIDEWAYS.COM Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: BOOT
OVERVIEW: Both the trojan and the good version of SIDEWAYS advertise that they can print sideways, but SIDEWAYS.COM trashes a [hard] disk's boot sector instead.
__________________________________________________
NAME(S): STAR, STRIPES
TRANSMISSION VECTOR: STAR.EXE Application, STRIPES.EXE Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: CBBS
OVERVIEW: STAR.EXE Beware RBBS-PC SysOps! This file puts some stars on the screen while copying RBBS-PC.DEF to another name that can be downloaded later! STRIPES.EXE Similar to STAR.EXE, this one draws an American flag (nice touch), while it's busy copying your RBBS-PC.DEF to another file (STRIPES.BQS).
__________________________________________________
NAME(S): Stoned, Marijuana, Hawaii, New Zealand, Australian, Hemp, San Diego, Smithsonian, Stoned-B, Stoned-C, Stoned-C
TRANSMISSION VECTOR: Floppy/hard disk boot sectors
MODE OF INFECTION CODES: RES, FDB, HDB, HDP
POTENTIAL DAMAGE CODES: RUN, BOOT, FAT
OVERVIEW: Spreads between boot sectors of both fixed and floppy disks. May overlay data. Sometimes displays the message "Your PC is now Stoned!" when booted from floppy. Affects the partition record on the hard disk. No intentional damage is done.
__________________________________________________
NAME(S): SUG
TRANSMISSION VECTOR: SUG.COM Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: ERFD
OVERVIEW: This program is supposed to unprotect copy-protected program disks protected by Softguard Systems, Inc. It trashes the disk and displays: "This destruction constitutes a prima facie evidence of your violation. If you attempt to challenge Softguard Systems Inc..., you will be vigorously counter-sued for copyright infringement and theft of services." It encrypts the Gotcha message so no Trojan checker can scan for it.
__________________________________________________
NAME(S): Sunday, Sunday-B, Sunday-C
TRANSMISSION VECTOR: .COM or .EXE applications
MODE OF INFECTION CODES: RES, COM, EXE, OVR
POTENTIAL DAMAGE CODES: RUN, PROG
OVERVIEW: Infects .COM and .EXE files.
__________________________________________________
NAME(S): Suriv-01, April-1-COM, April 1st, Suriv A, sURIV 1.01
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: RES, COM
POTENTIAL DAMAGE CODES: RUN, PROG
OVERVIEW: Spreads between COM files. On April 1st, 1988, writes the message: "APRIL 1ST HA HA HA HA YOU HAVE A VIRUS" and hangs the system. After that, simply writes a message every time any program is run.
__________________________________________________
NAME(S): Suriv-02, APRIL-1-EXE, April 1st-B, Suriv02, Suriv 2.01, Suriv A
TRANSMISSION VECTOR: .EXE applications
MODE OF INFECTION CODES: RES, EXE
POTENTIAL DAMAGE CODES: RUN, PROG
OVERVIEW: Spreads between .EXE files. On April 1st, 1988 and later, writes the message: "APRIL 1ST HA HA HA HA YOU HAVE A VIRUS" and hangs the system.
__________________________________________________
NAME(S): Sylvia, Holland
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: RES, COM
POTENTIAL DAMAGE CODES: PROG
OVERVIEW: Infects .COM files.
__________________________________________________
NAME(S): Syslock, Macrosoft
TRANSMISSION VECTOR: .COM or .EXE applications
MODE OF INFECTION CODES: COM, EXE, ENC
POTENTIAL DAMAGE CODES: PROG, DATA
OVERVIEW: Spreads between .COM and .EXE files. It scans through data on the hard disk, changing the string "Microsoft" (in any mixture of upper and lower case) to "MACROSOFT". If the environment variable "SYSLOCK=@" is set, the virus will not infect. A variant of Advent.
__________________________________________________
NAME(S): Tiny 163
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: COM, CC
POTENTIAL DAMAGE CODES:
OVERVIEW: When an infected file is executed, the virus attempts to infect other .COM files in the local directory.
__________________________________________________
NAME(S): TIRED
TRANSMISSION VECTOR: TIRED Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: FAT
OVERVIEW: Another scramble-the-FAT trojan by Dorn W. Stickel.
__________________________________________________
NAME(S): Toothless, W13, W13-A, W13-B
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: RES, COM
POTENTIAL DAMAGE CODES: PROG
OVERVIEW: Infects .COM files. Infected programs are first padded so their length becomes a multiple of 512 bytes, and then the 637 bytes of virus code are added to the end. It then intercepts any disk writes and changes them into disk reads.
__________________________________________________
NAME(S): TOPDOS
TRANSMISSION VECTOR: TOPDOS Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: FMT
OVERVIEW: This is a simple high-level [hard] disk formatter.
__________________________________________________
NAME(S): Traceback, 3066, 3066-B, 3066-B2, Traceback-B, Traceback-B2
TRANSMISSION VECTOR: .COM or .EXE applications
MODE OF INFECTION CODES: RES, COM, EXE
POTENTIAL DAMAGE CODES: PROG
OVERVIEW: Spreads between COM and EXE files. Based on a rather complicated set of criteria, it will sometimes cause the text displayed on the screen to fall to the bottom, and then rise back up.
__________________________________________________
NAME(S): Traceback II, 2930, 2930-B, Traceback II-B
TRANSMISSION VECTOR: .COM or .EXE applications
MODE OF INFECTION CODES: RES, COM, EXE
POTENTIAL DAMAGE CODES: PROG
OVERVIEW: Spreads between .COM and .EXE files. Based on a rather complicated set of criteria, it will sometimes cause the text displayed on the screen to fall to the bottom, and then rise back up.
__________________________________________________
NAME(S): TSRMAP
TRANSMISSION VECTOR: TSRMAP Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: BOOT
OVERVIEW: TSRMAP *TROJAN* This program does what it's supposed to do: give a map outlining the location (in RAM) of all TSR programs, but it also erases the boot sector of drive "C:".
__________________________________________________
NAME(S): Typo, Type Boot
TRANSMISSION VECTOR: Floppy/hard disk boot sectors
MODE OF INFECTION CODES: RES, FDB, HDB
POTENTIAL DAMAGE CODES: BOOT, RUN
OVERVIEW: Infects floppy and hard disk boot sectors.
__________________________________________________
NAME(S): Typo, Fumble, Typo COM, 867, Mistake
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: RES, COM
POTENTIAL DAMAGE CODES: RUN, PROG
OVERVIEW: Infects .COM files.
__________________________________________________
NAME(S): ULTIMATE
TRANSMISSION VECTOR: ULTIMATE.EXE Application, ULTIMATE.ARC Archive
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: FAT
OVERVIEW: Another FAT eater.
__________________________________________________
NAME(S): Vacsina, TP04VIR, TP05VIR, TP06VIR, TP16VIR, TP23VIR, TP24VIR, TP25VIR
TRANSMISSION VECTOR: .COM or .EXE applications
MODE OF INFECTION CODES: RES, COM, EXE, OVR
POTENTIAL DAMAGE CODES: RUN, PROG
OVERVIEW: It infects .COM and .EXE files when they are loaded; old versions of the virus will be replaced by newer ones.
__________________________________________________
NAME(S): VDIR
TRANSMISSION VECTOR: VDIR.COM Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: ERASE
OVERVIEW: This is a disk killer that Jerry Pournelle wrote about in BYTE Magazine.
__________________________________________________
NAME(S): Vienna, 648, Lisbon, Vienna-B, Austrian, Dos-62, Unesco, The 648 Virus, The One-in-Eight Virus, 62-B, DOS-68, Vien6, Vienna-B645
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: COM
POTENTIAL DAMAGE CODES: PROG
OVERVIEW: The virus infects one .COM file every time it is run. 7/8 of the time it infects the .COM file and 1/8 of the time it inserts a jump to the BIOS initialization routines that reboot the machine. To mark a file as infected, the virus sets the seconds field of the timestamp to 62, which most utilities (including DIR) skip.
__________________________________________________
NAME(S): Zero Bug, Agiplan, 1536, Palette, ZBug
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: RES, COM
POTENTIAL DAMAGE CODES: RUN, PROG
OVERVIEW: Infects .COM files. All characters "0" (zero) will be exchanged with other characters. Exchange characters are 01h, 2Ah, 5Fh, 3Ch, 5Eh, 3Eh and 30h, in which case the attribute is set to background color (i.e. the character is invisible). This routine uses about 10% of CPU time (the system is slowed down accordingly).
**************************************************
The Computer Incident Advisory Capability: Virus Descriptions In Process
____________________________________________________________
Suriv-03, Ohio, Yankee Doodle, Alabama, Vcomm, Virus-90, Jerusalem-B, Frankie, Dark Avenger III, Turbo 448, Tiny virus, Polish 217, Kennedy, Recovery Virus, VFSI, Polish 529, VHP2, Dot Killer, Burger, 512, 646, Oulu, Fellowship, Nomenklatura, Prudents Virus, 1226, Anticad, 1381, 1392, Ten Bytes, 1605, Yankee 2, PSQR, Eight Tunes, UScan Virus, 2131, Taiwan, Plastique, Itavir, 4096-B, The Basic Virus, Print Screen, Aircop, Anthrax, Anti-pascal II, Armagedon, Attention!, Best Wishes, Black Monday, Blood, Bloody!, Carioca, Casper, Christmas in Japan, Cursy, Datalock, Wisconsin, Doom, Durban, Solano 2000, Eddie 3, Evil, F-Word Virus, Swap Boot, Flip, Form, Frere Jacques, Sorry, Groen, Guppy, Joshi, Holocaust, Hymn, Invader, Jeff, Joker, JOJO, July 13th, June 16th, Kamikazi, Kemerovo, Korea, Kukac, Leprosy, Liberty, Live After Death, Lozinsky, Mardi Bros, MGTU, Microbes, ZeroHunt, Monxla, Whale, Murphy, Music, Number 1, Ontario, Phoenix, Paris, Ping Pong-C, Plastique-B, Polimer, Polish 529, Polish 583, Polish 961, Proud, Red Diavolyata, Scott's Valley, SF Virus, Shake, Slow, Spyer, Stoned-II, Subliminal 1.10, Sverdlov, SVir, USSR, V2P2, V2P6, V2P6Z, VHP, Victor, Violator, Virdem, Virus101, Voronezh, VP, Westwood, Wolfman