VIRUS INFORMATION SUMMARY LIST August 10, 1990 Copyright (C) 1990 by Patricia M. Hoffman. All Rights Reserved. This document contains the compiled information from a continuing research effort by the author into the identification, detection and removal of MS-DOS Computer Viruses. Hopefully, this listing will provide some assistance to those who wish to know more about a particular computer virus. It is not intended to provide a very detailed technical description, but to allow the reader to understand what a virus generally does, how it activates, what it is doing to their system, and most importantly, how to get rid of it. The user of this listing needs to keep in mind that the information provided is up-to-date only to the date of the listing itself. If the listing is one month old, some items may not be accurate. Also, with the wide dispersion of researchers and the various names that the same virus may be known by, some of the information may not be entirely accurate. Lastly, as new variants of known viruses are isolated, some of the characteristics of the variant may be different. There are five sections to the listing. The first section is an introduction which explains the format of the information in the listing and includes the code information used in some fields. The second section is the actual virus information listing. The third section is a cross-reference of common names for MS-DOS computer viruses and indicates what name to use for the virus in the second section. The fourth section, added with the July 1990 release and in the works for many months, is a chart showing relationships between various viruses and variants. Lastly, there is a fifth section which is a revision history of the listing. Anti-Viral products mentioned in the listing are either commonly available shareware or public domain programs, or they are commercial products which have been submitted for evaluation and review by the product's author with "no strings attached". All Anti-Viral products are reviewed at the most recent release level available to the author. In some cases, this may not be the most recent release. All testing is done against the author's virus collection, results using a different collection of viruses and variants may differ. Special thanks go to John McAfee for reviewing the listing before it is distributed, as well Padgett Peterson of Orlando, Florida who volunteered several hours of his time to assist in formatting the listing and breaking out additional information. The Virus Information Summary List may be freely distributed by non-commercial systems and non-profit organizations, as long as the distribution file is not altered, and no more than a reasonable cost-of-duplication fee is charged. CompuServe, Genie, and the SIMTEL20 archives are also expressly permitted to carry this file for distribution purposes. The Virus Information Summary List may not be used in a business, corporation, organization, government, or agency environment without a negotiated site license. While this document may be referenced in the documentation for some anti-viral products, the document is not to be construed as being included in any site license not negotiated with the author, Patricia M. Hoffman. Licensing information for the Virus Information Summary List can be requested from the author via US Mail from the address below: Patricia M. Hoffman 1556 Halford Avenue, #127 Santa Clara, CA 95051 I can also be reached through my Bulletin Board System, Excalibur! BBS, at 1-408-244-0813. Future versions of this listing may also be obtained thru Excalibur!. Patricia M. Hoffman ------------------------------------------------------------------------------- Virus Information Summary List Introduction & Entry Format Each of the entries in the list consists of several fields. Below is a brief description of what is indicated in each of the fields. For fields where codes may appear, the meaning of each code in indicated. Virus Name: Field contains one of the more common names for the virus. The listing is alphabetized based on this field. Aliases: Other names that the same virus may be referred to by. These names are aliases or A.K.A.'s. V Status: This field contains one of the following values which indicate how common the virus is in the public domain. Common: The virus is one of the most common viruses reported to various groups which gather virus infection statistics. Most of these groups are in the United States. Where a virus has had many reports from a specific geographic area, the V Status field will contain "Common - xxxxxxxxx" where xxxxxxxxx is an indicator of geographic location. Endangered: The "Endangered" classification of viruses are viruses that are very uncommon and were fairly recently discovered or isolated. Due to some characteristics of these viruses, it is highly unlikely that they will ever become a widespread problem. It doesn't mean that they don't exist, just that the probability of someone getting these viruses is fairly low. Extinct: The "Extinct" classification is for viruses which at one time may have been widespread (ie. they are not a research virus which was never released into the public domain), but have not had a reported infection in at least one year. "Extinct" viruses will also include "viruses" which were submitted which actually don't replicate due to a flaw in their viral code, but if the flaw were corrected they might be successful. It is still possible that someone could become infected with one of these viruses, but the probability is extremely low. Myth: "Myth" viruses are viruses which have been discussed among various groups for some time (in excess of one year), but are not known to actually exist as either a public domain or research virus. Probably the best case of a "Myth" virus is the Nichols Virus. Rare: "Rare" viruses are viruses which were recently (within the last year) isolated but which do not appear to be widespread. These viruses, as a general rule, will be viruses which have characteristics that would make them a possible future problem. "Rare" viruses have a higher probability of someone becoming infected than Endangered or Extinct viruses, but are much less likely to be found than a "Common" virus. Research: A "Research" virus is a virus which was originally received by at least one anti-viral researcher directly from its source or author. These viruses are not known to have been released into the public domain, so they are highly unlikely to be detected on computer systems other than researchers. Rumored: The "Rumored" virus classification are for viruses which the author has received information about, but that no sample of the virus has been made available for analysis. Any viruses in this classification should be considered with a grain of salt, they may not actually exist. Unknown: The "Unknown" classification is for those viruses where the original submission of the virus to anti-viral researchers is suspect for any number of reasons, or that there is very little information known about the origin of the virus. New: The "New" category is for viruses which were recently received by the author but cannot at the present time be researched in depth. Instead of leaving these viruses out of the listing all together, they will be listed but with a "New" status. Discovery: First recorded discovery date. Origin: Author/country of origin Symptoms: Changes to system that may be noticed by users: messages, growth in files, TSRs/ Resident TOM (change in CHKDSK return), BSC - boot sector change (may require cold boot from known-good protected floppy to find), corruption of system or files, frequent re-boots, slowdowns. Origin: Either credited or assumed to be in country of discovery. Eff Length: The length of the viral code after it has infected a program or system component. For boot-sector infectors, the length is indicated as N/A, for not applicable. Type Code: The type codes indicated for a virus indicate general behavior characteristics. Following the type code(s) is a brief text description. The type codes used are: A = Infects all program files (COM & EXE) B = Boot virus C = Infects COM files only D = Infects DOS boot sector on hard disk E = Infects EXE files only F = Floppy (360K) only K = Infects COMMAND.COM M = Infects Master boot sector on hard disk N = Non-resident (in memory) O = Overwriting virus P = Parasitic virus R = Resident (in memory) (below 640k - segment A000) a - in unused portion of allocated memory (does not change free memory, such as virus resident in CLI stack space or unused system memory) Example: LeHigh f - in free (user) memory below TOM (does not prevent overwritting) Example: Icelandic h - in high memory but below TOM (Resides in high system memory, right below TOM. Memory is allocated so it won't be accidently overwritten.) Example: Flash s - in low (system/TSR) memory (reduces free memory, typically uses a normal Int 21/Int 28 TSR) Example: Jerusalem t - above TOM but below 640k (moves Int 12 return) (Reduces total memory size and free memory) Example: Pakistani Brain (above 640k) b - in BIOS/Video/Shadow RAM area (segment A000 - FFFF) e - in extended/expanded memory (above 1 Meg) S = Spawning virus T = Manipulation of the File Allocation Table (FAT) X = Manipulation/Infection of the Partition Table Detection Method: This entry indicates how to determine if a program or system has been infected by the virus. Where the virus can be detected with a shareware, public domain, or readily available commercial program, it is indicated. Programs referenced in the listing are: F-PROT - Fridrik Skulason's F-Prot detector/disinfector IBM Scan - IBM's Virus Scanning Program Pro-Scan - McAfee Associates' Pro-Scan Program VirexPC - MicroCom's VirexPC Program ViruScan - McAfee Associates' ViruScan Program Removal Instructions: Brief instructions on how to remove the virus. Where a shareware, public domain, or readily available commercial program is available which will remove the virus, it is indicated. Programs referenced in the listing are: AntiCrim - Jan Terpstra's AntiCrime program CleanUp - John McAfee's CleanUp universal virus disinfector. Note: CleanUp is only indicated for a virus if it will disinfect the file, rather than delete the infected file. DOS COPY - Use the DOS COPY command to copy files from infected non-bootable disks to newly formatted, uninfected disks. Note: do NOT use the DOS DISKCOPY command on boot sector infected disks, or the new disk will also be infected! DOS SYS - Use the DOS SYS command to overwrite the boot sector on infected hard disks or diskettes. Be sure you power down the system first, and boot from a write protected master diskette, or the SYS command will copy the infected boot sector. F-PROT - Fridrik Skulason's F-Prot detector/disinfector, Version 1.07. M-1704 - Cascade/Cascade-B disinfector. M-1704C - Cascade-C disinfector. M-3066 - Traceback virus disinfector. M-DAV - use Dark Avenger Disinfector M-DAV and follow instructions carefully, this virus is extremely prolific. M-JRUSLM - Jerusalem B disinfector. M-VIENNA - Vienna, Vienna B Virus disinfector. MDisk - MD Boot Virus Disinfector. Be sure to use the program which corresponds to your DOS release. Pro-Scan - Pro-Scan Virus Identifier/Disinfector . Saturday - European generic Jerusalem virus disinfector. Scan/D - ViruScan run with the /D option. Scan/D/A - ViruScan run with the /D /A options. UnVirus - Yuval Rakavy's disinfector for Brain, Jerusalem, Ping Pong, Ping Pong-B, Typo Boot, Suriv 1.01, Suriv 2.01, and Suriv 3.00 viruses. VirexPC - MicroCom's VirexPC Detector/Disinfector Note: VirexPC is only indicated if it will actually disinfect the virus, not just delete the infected file. Virus Buster - Yuval Tal's Virus Buster Detector/Disinfector General Comments: This field includes other information about the virus, including but not limited to: historical information, possible origin, possible damage the virus may cause, and activation criteria. ------------------------------------------------------------------------------- Virus Information Summary List MS-DOS Virus Information Virus Name: 382 Recovery Virus Aliases: 382 V Status: Rare Discovery: July, 1990 Symptoms: first 382 bytes of .COM files overwritten, system hangs, spurious characters on system display, disk drive spinning Origin: Taiwan Eff Length: N/A Type Code: ONAK - Overwriting Non-Resident .COM & .EXE Infector Detection Method: ViruScan V66+ Removal Instructions: Scan/D delete infected files General Comments: The 382 Recovery Virus was isolated in July 1990 in Taiwan. It is a non-resident generic infector of .COM and .EXE files, including COMMAND.COM. Each time a program infected with the 382 Recovery Virus is executed, the virus will check the current directory for a .COM files that has not been infected with the virus. If it finds an uninfected .COM file, it will infect it. If the original file was less than 382 bytes in length, the infected file will now be 382 bytes in length. Files which were originally greater than 382 bytes in length will not show any increase in length. Infected files always have the first 382 bytes of the file overwritten to contain the virus's code. Once all .COM files in the current directory are infected, the next time an infected .COM file is executed the virus will rename all .EXE files to .COM files. These renamed files, however, may or may not later become infected. Symptoms of the 382 Recovery Virus being present on a file are that the program will not execute properly. In some cases, the program will hang upon execution requiring the system to be rebooted. In other cases, spurious characters will appear on the system display and the program will not run. Lastly, the system may do nothing but leave the disk drive spinning, requiring the system to be powered off and rebooted. Since the first 382 bytes of infected files have been overwritten, the infected files cannot be recovered. The original 382 bytes of the file are permanently lost. Infected files should be deleted or erased and replaced with backup copies known to be free of infection. Virus Name: 405 Aliases: V Status: Extinct Discovery: 1987 Symptoms: .COM files fail to run, first 405 bytes of .COM files overwritten Origin: Austria or Germany Eff Length: N/A Type Code: ONC - Overwriting Non-Resident .COM Infector Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan 1.4+, VirexPC 1.1+ Removal Instructions: Scan/D, F-Prot, or delete infected files General Comments: The 405 virus is an overwriting virus which infects only .COM files in the current directory. If the length of the .COM file was originally less than 405 bytes, the resulting infected file will have a length of 405 bytes. This virus currently cannot recognize .COM files that are already infected, so it will attempt to infect them again. The 405 Virus doesn't carry an activation date, and doesn't do anything but replicate in the current directory. However, since it overwrites the first 405 bytes of .COM files, infected files are not recoverable except by replacing them from uninfected backups or master distribution disks. Virus Name: 512 Aliases: 512-A, Number of the Beast Virus, Stealth Virus V Status: Rare Discovery: November, 1989 Origin: Bulgaria Symptoms: Program crashes, system hangs, .COM file growth, TSR. Eff Length: 512 Bytes Type Code: PRCK - Parasitic Resident .COM Infector Detection Method: ViruScan V58+, Pro-Scan 1.4+, VirexPC 1.1+ Removal Instructions: CleanUp V58+, Pro-Scan 1.4+ General Comments: The 512 virus is not the same as the Original Friday The 13th COM virus. The 512 virus was originally isolated in Bulgaria in January, 1990, by Vesselin Bontchev. It infects .COM files, including COMMAND.COM, installing itself memory resident when the first infected program is run. After becoming memory resident, any .COM file openned for any reason will become infected if its uninfected length is at least 512 bytes. Systems infected with the 512 virus will experience program crashes due to unexpected errors, as well as system hangs. This virus also will destroy some file linkages when it infects files. The virus's alias of "Number of the Beast" Virus is because the author of the virus used a signature of text 666 near the end of the virus to determine if the file is already infected. Since 512 adds its viral code to the end of infected files, it is easy to verify that a file is infected by the 512 virus by checking for this signature. Known variant(s) of the 512 Virus are: 512-B : Similar to the 512 Variant, except that the DOS version check in the original virus has been omitted. The author's signature of '666' has been omitted. 512-C : Similar to the 512-B Variant, minor code changes. 512-D : Similar to the 512-C Variant, except that the virus no longer checks to see if a file has the System Attribute on it before infecting it. Author's signature is the hex string BE10 located at the end of infected files. Virus Name: 1008 Aliases: V Status: Rare Discovery: June, 1990 Symptoms: COMMAND.COM growth, Internal Stack Error and System Halt on Boot Origin: Eff Length: 1,008 Bytes Type Code: PRK - Parasitic Resident COMMAND.COM Infector Detection Method: ViruScan V64+ Removal Instructions: Scan/D, or delete infected files General Comments: The 1008 Virus was discovered in June, 1990. It is a memory resident COMMAND.COM infector. It does not infect other .COM files. The first time a program infected with the 1008 virus is executed, the virus will install itself memory resident. COMMAND.COM is also infected at this time, resulting in its length increasing by 1,008 Bytes. The increase in file size of COMMAND.COM cannot be seen by doing a directory listing if the virus is present in memory. Booting a system with an infected copy of COMMAND.COM may result in an internal stack error, and the system being halted. This effect was noted on the author's test machine which is a 640K XT-clone running Microsoft MS-DOS Version 3.30. Virus Name: 1210 Aliases: Prudents Virus V Status: Rare Discovery: December, 1989 Symptoms: .EXE growth, disk write failure, TSR Origin: Spain Eff Length: 1,210 Bytes Type Code: PRE - Parasitic Resident .EXE Infector Detection Method: ViruScan V61+, Pro-Scan 1.4+ Removal Instructions: Scan/D, or delete infected files General Comments: The 1210, or Prudents Virus, was first isolated in Barcelona, Spain, in December 1989. The 1210 is a memory resident virus, infecting .EXE files when they are executed. This virus activates between May 1st and May 4th of any year, causing disk writes to be changed to disk verifies, so writes to the disk never occur between these dates. Virus Name: 1226 Aliases: V1226 V Status: Rare Discovery: July 1990 Symptoms: .COM growth, decrease in system and free memory, system hangs, spurious characters displayed in place of program executing, disk drive spinning Origin: Bulgaria Eff Length: 1,226 Bytes Type Code: PRhC - Parasitic Resident .COM Infector Detection Method: ViruScan V66+ Removal Instructions: Scan/D, or delete infected files General Comments: The 1226 Virus was isolated in Bulgaria in July 1990 by Vesselin Bontchev. This virus is a memory resident generic .COM infector, though it does not infect COMMAND.COM. The 1226 Virus is a self- encrypting virus, and simple search string algorithms will not work to detect its presence on a system. The first time a program infected with the 1226 virus is executed, the virus will install itself memory resident, reserving 8,192 bytes of memory at the top of free memory. Interrupt 2A will be hooked. Once 1226 is memory resident, the virus will attempt to infect any .COM file that is executed that is at least 1,226 bytes in length before infection. The virus is rather "buggy" and the infection process is not always entirely successful. Successfully infected files will increase in length by 1,226 bytes. This virus will infect .COM files multiple times, it is unable to determine that the file is already infected. Each time the file is infected it will grow in length by another 1,226 bytes. Eventually, the .COM files will grow too large to fit into memory. Systems infected with the 1226 virus may experience unexpected system hangs when attempting to execute programs. Another affect is that instead of a program executing, a line or two of spurious characters will appear on the system display. Lastly, infected systems will always indicate that they have 8,192 less bytes of total system and free memory available than is actually on the machine. There are two later versions of this virus, 1226D and 1226M, which are much better replicators than the original 1226 virus. These two variants are documented as 1226D in this document due to their different characteristics. Also see: 1226D Virus Name: 1226D Aliases: V1226D V Status: Rare Discovery: July 1990 Symptoms: .COM growth, decrease in system and free memory Origin: Bulgaria Eff Length: 1,226 Bytes Type Code: PRhC - Parasitic Resident .COM Infector Detection Method: ViruScan V66+ Removal Instructions: Scan/D, or delete infected files General Comments: The 1226D Virus was isolated in Bulgaria in July 1990 by Vesselin Bontchev. This virus is a memory resident generic .COM infector, though it does not infect COMMAND.COM. The 1226D Virus is a self- encrypting virus, and simple search string algorithms will not work to detect its presence on a system. The 1226D Virus is based on the 1226 Virus, and has had several bugs in the 1226 Virus fixed. It is a much better replicator, infecting successfully on file opens as well as when .COM files are executed. The first time a program infected with the 1226 virus is executed, the virus will install itself memory resident, reserving 8,192 bytes of memory at the top of free memory. Total system and free memory are decreased by 8,192 bytes. Interrupt 2A will be hooked. Once 1226 is memory resident, the virus will attempt to infect any .COM file that is executed that is at least 1,226 bytes in length before infection. Infected files will increase in length by 1,226 bytes. As with the original 1226 Virus, a .COM file may be infected multiple times by the 1226D Virus as the virus is unable to determine that the file was previously infected. Each infection will result in another 1,226 bytes being added to the infected file's length. Eventually, the .COM files will grow too large to fit into memory. In addition to infecting .COM files when they are executed, the 1226D Virus will infect .COM files with a length of at least 1,226 bytes when they are openned for any reason. The simple act of copying a .COM file with the virus memory resident will result in both the source and target files being infected. Unlike the 1226 Virus, systems infected with the 1226D virus will not experience the system hangs or spurious characters symptomatic of the 1226 virus. Infected system will still indicate that they have 8,192 bytes less of total system memory than is installed on the machine. Known variant(s) of 1226D are: 1226M/V1226M : Similar to the 1226D virus, except that files are not infected on file open, only when they are executed. Also see: 1226 Virus Name: 1253 Aliases: AntiCad, V-1 V Status: New Discovey: August, 1990 Symptoms: TSR; BSC; COMMAND.COM & .COM file growth; partition table change Origin: Austria Eff Length: 1,253 Bytes Type Code: PRstBCKX - Parasitic Resident .COM & Partition Table Infector Detection Method: ViruScan V66+ Removal Instructions: Scan/D plus MDisk/P General Comments: The 1253 Virus was submitted in August 1990. It is believed to have originated in (or at least to have been first isolated in) Austria. 1253 is a generic infector of .COM files, including COMMAND.COM. It also infects the boot sector of diskettes and the partition table of hard disks. The first time a program infected with the 1253 Virus is executed, the virus will install itself memory resident as a low system memory TSR. The TSR will be 2,128 bytes in length, hooking interrupts 08, 13, 21, and 60. Total system memory will remain unchanged, and free memory will decrease by 2,128 bytes. At this time, the partition table of the system's hard disk is infected with the 1253 virus. If the infected program was executed from a diskette, the diskette's boot sector will also be infected. Each time a .COM file is executed with the virus resident in memory, the .COM file will be infected if it hasn't previously been infected. The 1253 Virus appends its viral code to the end of the .COM file, and then changes the first few bytes of the program to be a jump to the appended code. Infected files increase in length by 1,253 bytes, and the virus makes no attempt to hide the increase when the directory is displayed. Infected files will also have their fourth thru sixth bytes set to "V-1" (hex 562D31). Any diskettes which are accessed while the virus is present in memory will have their boot sector infected with this virus. Newly formatted diskettes, likewise, will be infected immediately. The 1253 virus is destructive when it activates. The author of this listing was able to get it to activate by setting the system date to December 24 and then executing an infected program on drive A:. The virus promptly went and overwrote the entire diskette in drive A: with a pattern of 9 sectors of what appears to be a program fragment. Once the virus has started to overwrite a diskette, the only way to stop the disk activity is to power off the system. The virus in the partition table and/or diskette boot sector is of special note. When the system is booted from the hard disk or diskette with the virus in the partition table or boot sector, the virus will install itself memory resident. At this time, the virus resides above the top of system memory but below the 640K DOS boundary. The change in total system memory and available free memory will be 77,840 bytes. It can be seen with the CHKDSK command. At this time, any .COM program executed will be infected with the 1253 virus, even though no programs on the hard disk may contain this virus before the system boot occurred. One effect of this virus, once the system has been booted from an infected hard drive or floppy is that the FORMAT command may result in unexpected disk activity to inactive drives. For example, on the author's system, when formatting a diskette in drive A: with the current drive being drive C:, there was always disk activity to drive B:. Disinfecting the 1253 virus required that besides disinfecting or deleting infected .COM programs, the hard disks partition table and the boot sector of any diskettes exposed to the infected system must be disinfected. The virus can be removed safely from the partition table and diskette boot sectors by using MDisk with the /P option after powering off the system and rebooting from a write-protected uninfected boot diskette. If the partition table and diskette boot sectors are not disinfected, the system will promptly experience reinfection of .COM files with the virus following a system boot from the hard disk or diskette. Disinfecting the partition table and boot sectors, when done properly, will also result in the system's full memory again being available. It is unknown if there are other activation dates for this virus, or if it will overwrite the hard disk if an infected program is executed on December 24 from the hard disk. Virus Name: 1260 Aliases: V Status: Research Discovey: January, 1990 Symptoms: .COM file growth Origin: Minnesota, USA Eff Length: 1,260 Bytes Type Code: PNC - Parasitic Encrypting Non-Resident .COM Infector Detection Method: ViruScan V57+, IBM Scan, Pro-Scan 1.4+ Removal Instructions: CleanUp V57+, Pro-Scan 1.4+ General Comments: The 1260 virus was first isolated in January, 1990. This virus does not install itself resident in memory, but is it extremely virulent at infecting .COM files. Infected files will have their length increased by 1,260 bytes, and the resulting file will be encrypted. The encryption key changes with each infection which occurs. The 1260 virus is derived from the original Vienna Virus, though it is highly modified. The 1260 virus can infect a local area network, including the file server and all workstations. Virus Name: 1381 Virus Aliases: V Status: Rare Discovery: June, 1990 Symptoms: .EXE growth Origin: Eff Length: 1,381 Bytes Type Code: PNE - Parasitic Non-Resident .EXE Infector Detection Method: ViruScan V64+ Removal Instructions: Scan/D, or Delete infected files General Comments: The 1381 Virus was isolated in June, 1990. It is a non-resident generic .EXE infector. Each time a program infected with the 1381 Virus is executed, the virus will attempt to infect one other .EXE file on the current drive. An .EXE file will only be infected if it is greater than 1,300 bytes in length before infection. After infection, files will have increased in length by between 1,381 and 1,389 bytes. The virus can be found at the end of infected files. Infected files will also contain the following text strings: "INTERNAL ERROR 02CH. PLEASE CONTACT YOUR HARDWARE MANUFACTURER IMMEDIATELY ! DO NOT FORGET TO REPORT THE ERROR CODE !" It is currently unknown what the 1381 Virus does, or what prompts it to display the above message. Virus Name: 1392 Aliases: Amoeba Virus V Status: Rare Discovery: March, 1990 Symptoms: TSR, .COM & .EXE growth, dates modified Origin: Indonesia Eff Length: 1,392 Bytes Type Code: PRA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V61+, VirexPC 1.1+ Removal Instructions: Scan/D, or delete infected files General Comments: The 1392, or Amoeba, Virus was first isolated in Indonesia in March 1990. The 1392 virus is a memory resident virus that infects .COM and .EXE files, including COMMAND.COM. As files are infected, their creation/modification date is changed to the date the files were infected. This virus does not appear to cause any destructive damage. The following message appears in the virus, which is where its alias of Amoeba was derived from: "SMA KHETAPUNK - Nouvel Band A.M.O.E.B.A" Virus Name: 1554 Aliases: Ten Bytes, 1559, 9800:0000 Virus, V-Alert V Status: Rare Discovery: February, 1990 Symptoms: .COM & .EXE growth, TSR, linkage corruption, system hang Origin: Eff Length: 1,554 Bytes Type Code: PRfAK - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V58+, IBM Scan, Pro-Scan 1.4+, VirexPC 1.1+ Removal Instructions: Scan/D General Comments: The 1554 virus was accidently sent out over the VALERT-L network on February 13, 1990 to approximately 600 subscribers. When a program is executed that is infected with the 1554 virus, the virus installs itself memory resident. It will then proceed to infect .COM over 1000 bytes in length and .EXE files over 1024 bytes in length, including COMMAND.COM, increasing their length after infection by 1,554 to 1,569 bytes. The 1554 virus activates in September, October, November, or December of any year. Upon activation, any files which are written will be missing the first ten bytes. At the end of these files, ten bytes of miscellaneous characters will appear. In effect, both programs and data files will be corrupted. If the 1554 Virus is executed on a system with less than 640K of system memory, the virus will hang the system. Virus Name: 1704 Format Aliases: V Status: Rare Discovery: January, 1989 Symptoms: TSR, Falling letters, .COM growth, formatted disk Origin: Eff Length: 1,704 Bytes Type Code: PRC - Parasitic Encrypting Resident .COM Infector Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC Removal Instructions: M-1704, CleanUp, Scan/D, F-Prot, VirexPC, Pro-Scan 1.4+ General Comments: Like the Cascade Virus, but the disk is formatted when the virus activates. Activation occurs during the months of October, November, and December of any year except 1993. Virus Name: 1720 Aliases: PSQR Virus V Status: Rare Discovery: March, 1990 Symptoms : TSR, .COM & .EXE growth, partition table damage on activation, programs on diskette deleted on Friday The 13ths Origin: Spain Eff Length: 1,720 Bytes Type Code: PRsA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V61+, VirexPC 1.1+ Removal Instructions: Scan /D, or delete infected files General Comments: The 1720, or PSQR Virus, is a variant of the Jerusalem Virus which was first isolated in Barcelona, Spain, in March 1990. This virus, infects .COM and .EXE files, though unlike Jerusalem, it does not infect Overlay files. COMMAND.COM will also not be infected. The first time an infected file is executed, the virus will install itself memory resident, and then infect each executable file as it is run. On Friday The 13ths, the 1720 Virus will activate the first time an infected program is executed. When the program is executed, it will be deleted from disk. More damaging, however, is that the 1720 virus will check to see if the system has a hard disk drive. If a hard disk drive is present, the virus will overwrite the boot sector and partition table resulting in all data on the hard disk becoming unavailable. The system will also appear to hang. Virus Name: 4096 Aliases: Century Virus, IDF Virus, Stealth Virus, 100 Years Virus V Status: Common Discovery: January, 1990 Symptoms: .COM, .EXE, & overlay file growth; TSR hides growth; crosslinks Origin: Israel Eff Length: 4,096 Bytes Type Code: PRsA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V53+, F-Prot, IBM Scan, Pro-Scan, VirexPC 1.1+ Removal Instructions: CleanUp V62+, Pro-Scan 1.4+, F-Prot, or see note below General Comments: The 4096 virus was first isolated in January, 1990. This virus is considered a "Phase II" virus in that it is almost invisible to the system user. The 4096 virus infects .COM, .EXE, and Overlay files, adding 4,096 bytes to their length. Once the virus is resident in system memory, the increase in length will not appear in a directory listing. Once this virus has installed itself into memory, it will infect any executable file that is opened, including if it is opened with the COPY or XCOPY command. This virus is destructive to both data files and executable files, as it very slowly crosslinks files on the system's disk. The crosslinking occurs so slowly that it appears there is a hardware problem, the virus being almost invisible. The crosslinking of files is the result of the virus manipulating the FATs, changing the number of available sectors, as well as the user issuing CHKDSK/F commands which will think that the files have lost sectors or crosslinking if the virus is in memory. As a side note, if the virus is present in memory and you attempt to copy infected files, the new copy of the file will not be infected with the virus if the new copy does not have an executable file extension. Thus, one way to disinfect a system is to copy off all the infected files to diskettes with a non-executable file extension (ie. don't use .EXE, .COM, .SYS, etc) while the virus is active in memory, then power off the system and reboot from a write protected (uninfected) system disk. Once rebooted and the virus is not in memory, delete the infected files and copy back the files from the diskettes to the original executable file names and extensions. The above will disinfect the system, if done correctly, but will still leave the problem of cross-linked files which are permanently damaged. On or after September 22 of any year, the 4096 virus will hang infected systems. This appears to be a "bug" in the virus in that it goes into a time consuming loop. The 4096 virus also contains a boot-sector within its code, however, it is never written out to the disk's boot sector. Moving this boot sector to the boot sector of a diskette and rebooting the system will result in the message "FRODO LIVES" being displayed. September 22 is Bilbo and Frodo Baggin's birthday in the Lord Of The Rings trilogy. Known variant(s) of the 4096 virus include: 4096-B : Similar to the 4096 virus, the main change is that the encryption mechanism has been changed in order to avoid detection. Virus Name: 5120 Aliases: VBasic Virus, Basic Virus V Status: Rare Discovery: May, 1990 Origin: West Germany Symptoms: .COM & .EXE growth, file corruption, unexpected disk activity Eff Length: 5,120 Bytes Type Code: PNAK - Parasitic Non-Resident .COM & .EXE Infector Detection Method: ViruScan V63+, Pro-Scan 1.4+ Removal Instructions: Scan/D, Pro-Scan 1.4+, or Delete infected files General Comments: The 5120 Virus was first isolated in May, 1990. It is a non- resident generic file infector, infecting .COM and .EXE files, including COMMAND.COM. This virus is was written in Turbo Basic. When an infected file is executed, the 5120 virus will infect one .COM and one .EXE file on the current drive and directory, followed by attempting to infect one randomly selected .COM or .EXE file in each directory on the system's C: drive. Infected .COM files increase in length by 5,120 bytes. .EXE files infected by the 5120 Virus will increase in length by between 5,120 and 5,135 bytes. Unlike most of the MS-DOS viruses, the 5120 Virus does not intercept disk write errors when attempting to infect programs. Thus, infected systems may notice disk write error messages when no access should be occurring for a drive, such as the C: hard disk partition. Data files may become corrupted on infected systems, as well as crosslinking of files may occur. The following text strings can be found in files infected with the 5120 virus. These strings will appear near the end of the file: "BASRUN" "BRUN" "IBMBIO.COM" "IBMDOS.COM" "COMMAND.COM" "Access denied" There is one variant of the 5120 Virus which does not contain the above strings, but behaves in a very similar manner. Virus Name: AIDS Aliases: Hahaha, Taunt, VGA2CGA V Status: Endangered Discovery: 1989 Symptoms: Message, .COM file corruption Origin: Eff Length: N/A Type Code: ONC - Overwriting Non-Resident .COM Infector Detection Method: ViruScan V40+, Pro-Scan, VirexPC 1.1+ Removal Instructions: Scan/D, or delete infected .COM files General Comments: The AIDS virus, also known as the Hahaha virus in Europe and referred to as the Taunt virus by IBM, is a generic .COM and .EXE file infector. When the virus activates, it displays the message "Your computer now has AIDS", with AIDS covering about half of the screen. The system is then halted, and must be powered down and rebooted to restart it. Since this virus overwrites the first 13K of the executable program, the files must be deleted and replaced with clean copies in order to remove the virus. It is not possible to recover the overwritten portion of the program. Note: this is NOT the Aids Info Disk/PC Cyborg Trojan. Virus Name: Aids II Virus Aliases: Companion Virus V Status: Endangered Discovery: April, 1990 Symptoms: Creates .COM files, melody, message Origin: Eff Length: 8,064 Bytes Type Code: SNA - Spawning Non-Resident .COM & .EXE Infector Detection Method: ViruScan V62+, Pro-Scan 1.4+ Removal Instructions: Scan/D, or delete corresponding .COM files General Comments: The Aids II Virus, or Companion Virus, was isolated for the first time in April 1990. Unlike other generic file infectors, the Aids II Virus is the first known virus to employ what could be termed a "corresponding file technique" of infection so that the original target .EXE file is never changed. The virus takes advantage of the DOS feature where if a program exists in both .COM and .EXE form, the .COM file will be executed. The Aids II Virus does not directly infect .EXE files, instead it stores a copy of the virus in a corresponding .COM file which will be executed when the user trys to execute one of his .COM files. The .EXE file, and the .COM file containing the viral code will both have the same base file name. The method of infection is as follows: when an "infected" program is executed, since a corresponding .COM file exists, the .COM file containing the viral code is executed. The virus first locates an uninfected .EXE file in the current directory and creates a corresponding (or companion) .COM file with the viral code. These .COM files will always be 8,064 Bytes in length with a file date/time of the date/time of infection. The .EXE file is not altered at all. After creating the new .COM file, the virus then plays a melody and displays the following message, the "*" indicated below actually being ansi heart characters: "Your computer is infected with ... * Aids Virus II * - Signed WOP & PGT of DutchCrack -" The Aids II Virus then spawns to the .EXE file that was attempting to be executed, and the program runs without problem. After completion of the program, control returns to the Aids II Virus. The melody is played again with the following message displayed: "Getting used to me? Next time, use a Condom ....." Since the original .EXE file remains unaltered, CRC checking programs cannot detect this virus having infected a system. One way to manually remove the Aids II Virus is to check the disk for programs which have both a .EXE and a .COM file, with the .COM file having a length of 8,064 bytes. The .COM files thus identified should be erased. The displayed text strings do not appear in the viral code. Virus Name: AirCop Aliases: V Status: New Discovery: July, 1990 Isolated: Washington, USA Symptoms: BSC; System Halt; Message; decrease in system and free memory Origin: Taiwan Eff Length: N/A Type Code: FR - Resident Floppy Boot Sector Infector Detection Method: ViruScan V66+ Removal Instructions: MDisk or DOS SYS command General Comments: The AirCop Virus was discovered in the State of Washington in the United States in July, 1990. Some early infections of this virus, however, have been traced back to Taiwan, and Taiwan is probably where it originated. AirCop is a boot sector infector, and it will only infect 360K 5.25" floppy diskettes. When a system is booted from a diskette which is infected with the AirCop virus, the virus will install itself memory resident. The AirCop Virus installs itself memory resident at the top of high system memory. The system memory size and available free memory will decrease by 1,024 bytes when the AirCop virus is memory resident. AirCop hooks interrupt 13. Once AirCop is memory resident, any non-write protected diskettes which are then accessed will have their boot sector infected with the AirCop virus. AirCop will copy the original disk boot sector to sector 719 (Side 1, Cyl 39, Sector 9 on a normal 360K 5.25" diskette) and then replace the boot sector at sector 0 with a copy of the virus. If a boot sector of a diskette infected with the AirCop virus is viewed, it will be missing almost all of the messages which normally appear in a normal boot sector. The only message remaining will be: "Non-system..." This will be located just before the end of the boot sector. The AirCop Virus will do one of two things on infected systems, depending on how compatible the system's software and hardware is with the virus. On most systems, the virus will display the following message at random intervals: "Red State, Germ Offensive. AIRCOP." On other systems, the virus being present will result in the system receiving a Stack Overflow Error and the system being halted. In this case, you must power off the system in order to be able to reboot. AirCop currently does not infect hard disk boot sectors or partition tables. AirCop can be removed from infected diskettes by first powering off the system and rebooting from a known clean write protected DOS master diskette. The DOS SYS command should then be used to replace the infected diskette's boot sector. Alternately, MDisk can be used following the power-down and reboot. Virus Name: Alabama Aliases: V Status: Rare Discovery: October, 1989 Symptoms: .EXE growth, Resident (see text), message, FAT corruption Origin: Israel Eff Length: 1,560 bytes Type Code: PRfET - Parasitic Resident .EXE infector Detection Method: ViruScan V43+, F-Prot, IBM Scan, Pro-Scan Removal Instructions: CleanUp, F-Prot, Pro-Scan 1.4+, delete infected files General Comments: The Alabama virus was first isolated at Hebrew University in Israel by Ysrael Radai in October, 1989. Its first known activation was on October 13, 1989. The Alabama virus will infect .EXE files, increasing their size by 1,560 bytes. It installs itself memory resident when the first program infected with the virus is executed, however it doesn't use the normal TSR function. Instead, this virus hooks Int 9 as well as IN and OUT commands. When a CTL-ALT-DEL combination is detected, the virus causes an apparent boot but remains in RAM. The virus loads itself 30K under the highest memory location reported by DOS, and does not lower the amount of memory reported by BIOS or DOS. After the virus has been memory resident for one hour, the following message will appear in a flashing box: "SOFTWARE COPIES PROHIBITED BY INTERNATIONAL LAW.............. Box 1055 Tuscambia ALABAMA USA." The Alabama virus uses a complex mechanism to determine whether or not to infect the current file. First, it checks to see if there is an uninfected file in the current directory, if there is one it infects it. Only if there are no uninfected files in the current directory is the program being executed infected. However, sometimes instead of infecting the uninfected candidate file, it will instead manipulate the FATs to exchange the uninfected candidate file with the currently executed file without renaming it, so the user ends up thinking he is executing one file when in effect he is actually executing another one. The end result is that files are slowly lost on infected systems. This file swapping occurs when the virus activates on ANY Friday. Virus Name: Alameda Aliases: Merritt, Peking, Seoul, Yale V Status: Rare Discovery: 1987 Symptoms: Floppy boot failures, Resident-TOM, BSC Origin: California, USA Eff Length: N/A Type Code: RtF - Resident Floppy Boot Sector Infector Detection Method: ViruScan, F-Prot, IBM Scan Removal Instructions: MDisk, CleanUp, F-Prot, or DOS SYS General Comments: The Alameda virus was first discovered at Merritt college in Alameda, California in 1987. The original version of this virus caused no intentional damage, though there is now at least 1 variant of this virus that now causes floppy disks to become unbootable after a counter has reached its limit (Alameda-C virus). The Alameda virus, and its variants, all replicate when the system is booted with a CTL-ATL-DEL and infect only 5 1/4" 360K diskettes. These viruses do stay in memory thru a warm reboot, and will infect both system and non-system disks. System memory can be infected on a warm boot even if Basic is loaded instead of DOS. The virus saves the real boot sector at track 39, sector 8, head 0. The original version of the Alameda virus would only run on a 8086/8088 machine, though later versions can now run on 80286 systems. Also see: Golden Gate, SF Virus Virus Name: Ambulance Car Virus Aliases: RedX V Status: Rare Discovery: June, 1990 Symptoms: .COM growth, graphic display & sound Origin: West Germany Eff Length: 796 Bytes Type Code: PNC - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V64+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Ambulance Car Virus was isolated in West Germany in June, 1990. This virus is a non-resident .COM infector. When a program infected with the Ambulance Car Virus is executed, the virus will attempt to infect one .COM file. The .COM file to be infected will be located on the C: drive. This virus only infects one .COM file in any directory, and never the first .COM file in the directory. It avoids infecting COMMAND.COM as that file is normally the first .COM file in the root directory. On a random basis, when an infected file is executed it will have the affect of a graphics display of an ASCII block drawing of an ambulance moving across the bottom of the system display. This graphics display will be accompanied with the sound of a siren played on the system's speaker. Both of these effects only occur on systems with a graphics capable display adapter. Virus Name: Amstrad Aliases: V Status: Rare Discovery: November, 1989 Symptoms: .COM growth, message Origin: Portugal Eff Length: 847 Bytes Type Code: PNC - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V51+, F-Prot, IBM Scan, Pro-Scan, VirexPC 1.1+ Removal Instructions: Scan/D, F-Prot, Pro-Scan 1.4+, or erase infected files General Comments: The Amstrad virus was first reported in November, 1989, by Jean Luz of Portugal, however it has been known of in Spain and Portugal for a year prior to that. The virus is a generic .COM infector, but is not memory resident nor does it infect COMMAND.COM. The virus carries a fake advertisement for the Amstrad computer. The Amstrad virus appears to cause no other damage to the system other than replicating and infecting files. Known variants of the Amstrad Virus are: Pixel/V-345 - Similar to the Amstrad virus described above, except that the virus is 345 Bytes in length, can now infect COMMAND.COM, and contains the message: "=!= Program sick error:Call doctor or by PIXEL for cure description". This message is not displayed. The Pixel virus was originally distributed in Greece by Pixel magazine. The Pixel Virus can only infect programs in the current directory. Origin: Greece V-277 - Similar to the Pixel/V-345 virus described above, except that the virus is now 277 Bytes in length, and does not contain any message text. The original message text has been replaced with code to produce a parity error approximately 50% of the time when an infected program is executed. Origin: Bulgaria V-299 - Similar to Pixel, except that the length of the virus is 299 Bytes. Origin: Bulgaria V-847 - Similar to Pixel, except that the length of the virus is 847 Bytes. Origin: Bulgaria V-847B - Similar to V-847, except that the message in the virus is now in Spanish and is: "=!= En tu PC hay un virus RV1, y esta es su quinta generacion". This variant was originally distributed by a magazine in Spain in file NOCARGAR.COM. Origin: Spain Virus Name: Anthrax Aliases: V Status: Rare Discovery: July, 1990 Symptoms: .COM & .EXE growth Origin: Eastern Europe Isolated: Netherlands Eff Length: 1040 - 1232 Bytes Type Code: PRAKX - Parasitic Resident .COM, .EXE, & Partition Table Infector Detection Method: ViruScan V66+ Removal Instructions: Scan/D + MDisk/P General Comments: The Anthrax Virus was isolated in July 1990 in the Netherlands after it was uploaded onto several BBSes in a trojan anti-viral program, USCAN.ZIP. It is the second virus to be found in a copy of UScan during July 1990, the first virus being V2100. Anthrax is a memory resident generic infector of .COM and .EXE files, including COMMAND.COM. The first time a program infected with the Anthrax virus is executed on the system's hard disk, the virus will infect the hard disk's partition table. At this time, it will also install itself memory resident. Anthrax does not start to infect files immediately. Instead it will sit in memory watching what is occurring on the system. After some pre-defined event occurs, it will then infect one .COM or .EXE file each time an infected program is executed. It appears that the pre-determined event is related to the number of keystrokes that occur on the system's keyboard. Programs are selected for infection by the virus by infecting the C: drive first, working its way thru the directory structure of the drive. Programs infected with Anthrax will increase in length by at least 1,040 bytes. On the author's test system, the largest increase in length experienced was 1,232 bytes. The following text strings can be found in files infected with the Anthrax virus: "(c)Damage, Inc." "ANTHRAX" It is not known if Anthrax carries any destructive capabilities or trigger/activation dates. Since Anthrax infects the hard disk partition tables, infected systems must have the partition table disinfected or rebuilt in order to remove the virus. This disinfection can be done with either a low- level format or use of the MDisk/P program for the correct DOS version after powering off and rebooting from a write-protected boot diskette for the system. Any .COM or .EXE files infected with Anthrax must also be disinfected or erased. Virus Name: Anti-Pascal Aliases: Anti-Pascal 605 Virus, AP-605, C-605, V605 V Status: Rare Discovery: June, 1990 Symptoms: .COM growth, .BAK and .PAS file corruption Origin: Bulgaria Isolated: Sofia, Bulgaria Eff Length: 605 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V66+ Removal Instructions: Scan/D, or delete infected files General Comments: The Anti-Pascal Virus, V605 or C-605, was isolated in Sofia, Bulgaria in June 1990 by Vesselin Bontchev. Originally, it was thought that the Anti-Pascal virus was from the USSR or Poland, but it has since been determined to have been a research virus written in Bulgaria over one year before it was isolated. The author was not aware that it had "escaped" until July, 1990. The Anti-Pascal Virus is a generic .COM file infector, including COMMAND.COM. While this virus is not memory resident, when it is in the process of infecting files, interrupt 21 will be hooked. When a program infected with the Anti-Pascal virus is executed, the virus will attempt to infect two other .COM files on the current drive or on drive D: which are between 605 and 64,930 bytes in length. These files must not have the read only attribute set. If an uninfected .COM file meeting the virus's selection criteria is found, the first 605 bytes of the program is overwritten with the viral code. The original 605 bytes of the program is then appended to the end of the infected file. Infected files will have increased in length by 605 bytes, and they will also begin with the text string "PQVWS" as well as contain the string "COMBAKPAS???EXE" at offset 0x17. Infected files will also have had their file date/time stamps in the directory updated to the date/time that the infection occurred. If the Anti-Pascal Virus cannot find two .COM files to infect, it will check the current drive and directory for .BAK and .PAS files. If these files exist, they will be overwritten with the virus's code. If the overwritten files were .PAS files, the system's user has now lost some of their Pascal source code. After overwriting .BAK and .PAS files, the virus will attempt to rename them to .COM files, or .EXE files if a .COM file already exists. This rename does not work due to a bug in the virus. Known variant(s) of the Anti-Pascal Virus are: AP-529 : Similar to the 605 byte Anti-Pascal Virus, the major differences are that AP-529 will only infect .COM files over 2,048 bytes in length. Infected files increase in length by 529 bytes. Additionally, instead of overwriting the .BAK and .PAS files, one .BAK and .PAS file will be deleted if there are no uninfected .COM files with a length of at least 2,048 bytes on the current drive. .COM files on the C: drive root directory may also be infected by AP-529 when it is executed from the A: or B: drive. This variant should be considered a "Research Virus", it is not believed to have been publicly released. Also see: Anti-Pascal II Virus Name: Anti-Pascal II Aliases: Anti-Pascal 400, AP-400 V Status: Research Discovery: June, 1990 Symptoms: .COM growth; .BAK, .BAT and .PAS file deletion, boot sector alteration on hard disk Origin: Bulgaria Isolated: Sofia, Bulgaria Eff Length: 400 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V66+ Removal Instructions: Scan/D, or delete infected files General Comments: The Anti-Pascal II Virus, or AP-400, was isolated in Sofia, Bulgaria in June 1990 by Vesselin Bontchev. It is one of five viruses/variants in the Anti-Pascal family. Two of the earlier variants, Anti-Pascal/AP-605 and AP-529, are documented under the name "Anti-Pascal". The variants listed under Anti-Pascal II have been separated due to some of their characteristics differing from the 605 byte and 529 byte viruses. The Anti-Pascal II Virus is a generic .COM file infector, including COMMAND.COM. While this virus is not memory resident, when it is in the process of infecting files, interrupt 21 will be hooked. The first time a program infected with the Anti-Pascal II virus is executed on a system, the virus will attempt to infect one (1) .COM file in the root directory of each drive accessible on the system. Files are only infected if their length is at least 2,048 bytes, and the resulting infected file will be less than 64K in length. Since COMMAND.COM is usually the first .COM file on a drive, it will immediately become infected. One additional .COM file will also be infected on the current drive. The mechanism used to infect the file is to write the virus's code to the end of the file. A jump is used to execute the virus's code before the original program is executed. Infected files do not have their date/time stamps in the directory updated to the system date and time when the infection occurred. If the Anti-Pascal Virus cannot find a .COM file to infect on a given drive, or two .COM files to infect on the current drive, it will check for the existance of .BAK, .PAS, or .BAT files. If found, these files will be deleted. These deletions only occur in root directories and on the current drive's current directory. Since each root directory (as well as the current directory) will typically not have all of its .COM files infected at the same time, the deletes will occur on different drives and directories at different times. Symptoms of infection of the Anti-Pascal II Virus include file length increases of 400 bytes, unexpected disk access to drives other than the current drive, and disappearing .BAK, .PAS, and .BAT files. One other symptom of an Anti-Pascal II infection is that the hard disk's boot sector will be slightly altered by the virus. Anti-viral programs which CRC-check the boot sector will indicate that a boot sector infection may have occurred. The boot sector alteration does not contain a live virus, but will throw the system user off into thinking their problem is from a boot sector virus instead of a file infector. The Anti-Pascal II Virus and its variants indicated below are not believed to have been publicly released. As such, they have been classified as "Research Viruses". Known variant(s) of the Anti-Pascal II Virus are: AP-440 : Very similar to the 400 byte version of the Anti-Pascal II Virus, the major characteristic change is that this variant has a length of 440 bytes. This variant is an intermediary between AP-480 and the 400 byte version documented above. AP-480 : Similar to the Anti-Pascal II virus, this variant is an earlier version which is 480 bytes in length. It does not delete .BAT files, but only .BAK and .PAS. This variant is the earliest variant of the Anti-Pascal II grouping. Also see: Anti-Pascal Virus Name: Armagedon Aliases: Armagedon The First, Armagedon The Greek V Status: Rare Discovery: June, 1990 Symptoms: text string intermittently sent to COM ports Origin: Athens, Greece Eff Length: 1,079 Bytes Type Code: PRC - Parasitic Resident .COM Infector Detection Method: ViruScan V64+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Armagedon virus was isolated on June 2, 1990, by George Spiliotis of Athens, Greece. Armagedon is a memory resident virus which infects .COM files, increasing their length by 1,079 bytes. The first time an infected program is executed on a system, the virus installs itself memory resident, hooking interrupts 8 and 21. Any .COM files which are later executed are then infected by the resident virus. Infected systems will experience the text string "Armagedon the GREEK" being sent to COM ports 1 - 4 at time intervals. Between 5:00 and 7:00, the virus will attempt to use the system's COM ports to make a phone call to Local Time Information in Crete, Greece. If a connection is made, the phone line will remain open until the user notices that the phone line is in use. (Needless to say, this doesn't work if the system is located outside of Greece as dialing codes are considerably different between countries.) This virus otherwise is not destructive. Virus Name: Ashar Aliases: Shoe_Virus, UIUC Virus V Status: Common Discovery: Symptoms: BSC, Resident TOM Origin: Eff Length: N/A Type Code: BRt - Resident Boot Sector Infector Detection Method: ViruScan V41+, F-Prot, IBM Scan, Pro-Scan 1.4+ Removal Instructions: MDisk, CleanUp, Pro-Scan 1.4+, F-Prot or DOS SYS command General Comments: The Ashar virus is a resident boot sector infector which is a variant of the Brain virus. It differs from the Brain virus in that it can infect both floppies and hard disk, and the message in the virus has been modified to be: "VIRUS_SHOE RECORD, v9.0. Dedicated to the dynamic memories of millions of virus who are no longer with us today". However, the above message is never displayed. The identification string "ashar" is normally found at offset 04a6 hex in the virus. A variant of the Ashar virus exists, Ashar-B or Shoe_Virus-B, which has been modified so that it can no longer infect hard drives. The v9.0 in the message has also been altered to v9.1. Also see: Brain Virus Name: Brain Aliases: Pakistani, Pakistani Brain V Status: Common Discovery: 1986 Symptoms: Extended boot time, Volume label change, Resident TOM, Three contiguous bad sectors (floppy only), BSC Origin: Pakistan Eff Length: N/A Type Code: BRt - Resident Boot Sector Infector Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan Removal Instructions: MDisk, CleanUp, F-Prot, Pro-Scan, or DOS SYS command General Comments: The Pakistani Brain virus originated in Lahore, Pakistan and infects disk boot sectors by moving the original contents of the boot sector to another location on the disk, marking those 3 clusters (6 sectors) bad in the FAT, and then writing the virus code in the disk boot sector. One sign of a disk having been infected, at least with the original virus, is that the volume label will will be changed to "(c) Brain". Another sign is that the label "(c) Brain" can be found in sector 0 (the boot sector) on an infected disk. This virus does install itself resident on infected systems, taking up between 3K and 7K of RAM. The Brain virus is able to hide from detection by intercepting any interrupt that might interrogate the boot sector and redirecting the read to the original boot sector located elsewhere on the disk, thus some programs will be unable to see the virus. The original Brain virus only infected floppies, however variants to the virus can now infect hard disks. Also, some variants have had the "(c) Brain" label removed to make them harder to detect. Known variants of the Brain virus include: Brain-B/Hard Disk Brain/Houston Virus - hard disk version. Brain-C - Brain-B with the "(c) Brain" label removed. Clone Virus - Brain-C but restores original boot copyright label. Clone-B - Clone Virus modified to destroy the FAT after 5/5/92. Also see: Ashar Virus Name: Cascade Aliases: Fall, Falling Letters, 1701, 1704 V Status: Common Discovery: October, 1987 Symptoms: TSR, Falling letters, .COM file growth Origin: Germany Eff Length: 1,701 or 1,704 bytes Type Code: PRsC - Parasitic Resident Encrypting .COM Infector Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC Removal Instructions: M-1704, CleanUp, F-Prot, Pro-Scan 1.4+, or VirexPC General Comments: Originally, this virus was a trojan horse which was disguised as a program which was supposed to turn off the number-lock light when the system was booted. The trojan horse instead caused all the characters on the screen to fall into a pile at the bottom of the screen. In late 1987, the trojan horse was changed by someone into a memory resident .COM virus. While the original virus had a length of 1,701 bytes and would infect both true IBM PCs and clones, a variation exists of this virus which is 3 bytes longer than the original virus and does not infect true IBM PCs. Both viruses are functionally identical in all other respects. Both of the viruses have some fairly unique qualities: Both use an encryption algorithm to avoid detection and complicate any attempted analysis of them. The activation mechanisms are based on a sophisticated randomization algorithm incorporating machine checks, monitor types, presence or absence of a clock card, and the time or season of the year. The viruses will activate on any machine with a CGA or VGA monitor in the months of September, October, November, or December in the years 1980 and 1988. Known variants of the Cascade virus are: 1701-B : Same as 1701, except that it can activate in the fall of any year. 1704-D : Same as the 1704, except that the IBM selection has been disabled so that it can infect true IBM PCs. Cunning: Based on the Cascade virus, a major change to the virus is that it now plays music. Also see: 1704 Format Virus Name: Cascade-B Aliases: Blackjack, 1704-B V Status: Common Discovery: Symptoms: .COM file growth, TSR, random reboots Origin: Germany Eff Length: 1,704 bytes Type Code: PRsC - Parasitic Resident Encrypting .COM Infector Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC Removal Instructions: M-1704, M-1704C, CleanUp, F-Prot, Pro-Scan 1.4+, VirexPC General Comments: The Cascade-B virus is similar to the Cascade virus, except that the cascading display has been replaced with a system reboot which will occur at random time intervals after the virus activates. Other variation(s) which have been documented are: 1704-C : Same as 1704-B except that the virus can activate in December of any year. (Note: the disinfector for 1704-C is M-1704C.) Virus Name: Chaos Aliases: V Status: Rare Discovery: December, 1989 Symptoms: Message, TSR, Bad sectors, BSC Origin: England Eff Length: N/A Type Code: BR - Resident Boot Sector Infector Detection Method: ViruScan V53+ Removal Instructions: MDisk, CleanUp, or DOS SYS Command General Comments: First reported in December, 1989 by James Berry of Kent, England, the Chaos virus is a memory resident boot sector infector of floppy and hard disks. When the Chaos virus infects a boot sector, it overwrites the original boot sector without copying it to another location on the disk. Infected boot sectors will contain the following messages: "Welcome to the New Dungeon" "Chaos" "Letz be cool guys" The Chaos virus will flag the disk as being full of bad sectors upon activation, though most of the supposed bad sectors are still readable. It is unknown what the activation criteria is. Virus Name: Christmas Virus Aliases: XA1, 1539 V Status: Endangered Discovery: March, 1990 Symptoms: .COM file growth, display, Partition table destruction Origin: Germany Eff Length: 1,539 Bytes Type Code: PNCX - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V61+, VirexPC Removal Instructions: Scan/D or delete infected files General Comments: The Christmas Tree, or XA1, Virus was first isolated in March 1990 by Christoff Fischer of West Germany. This virus is an encrypting virus which will only infect .COM files. On April 1st of any year, the Christmas Tree virus will activate, destroying the partition table of infected hard disks the first time an infected program is executed. During the period from December 24 until January 1st of any year, when an infected program is executed, the virus will display a full screen picture of a christmas tree. Virus Name: Dark Avenger Aliases: Black Avenger, Eddie, Diana V Status: Common Discovery: September, 1989 Symptoms: TSR; .COM, .EXE, .SYS file growth; File/Disk Corruption Origin: Bulgaria Isolated: Davis, California, USA Eff Length: 1,800 bytes Type Code: PRsAK - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V36+, F-Prot, IBM Scan, Pro-Scan Removal Instructions: M-DAV, CleanUp, Pro-Scan 1.4+, F-Prot General Comments: Dark Avenger was first isolated in the United States at the University of California at Davis. It infects .COM, .EXE, and overlay files, including COMMAND.COM. The virus will install itself into system memory, becoming resident, and is extremely prolific at infecting any executable files that are openned for any reason. This includes using the DOS COPY and XCOPY commands to copy uninfected files, both the source and the target files will end up being infected. Infected files will have their lengths increased by 1,800 bytes. The Dark Avenger Virus does perform malicious damage. The virus maintains a counter in the disk's boot sector. After each sixteenth file is infected, the virus will randomly overwrite a sector on the disk with a copy of the disk's boot sector. If the randomly selected sector is a portion of a program or datafile, the program or datafile will be corrupted. Programs and datafiles which have been corrupted by a sector being overwritten are permanently damaged and cannot be repaired since the original sector is lost. If you are infected with Dark Avenger, shutdown your computer and reboot from a Write Protected boot diskette for the system, then carefully use a disinfector, following all instructions. Be sure to rescan the system for infection once you have finished disinfecting it. The Dark Avenger virus contains the words: "The Dark Avenger, copyright 1988, 1989", as well as the message: "This program was written in the city of Sofia. Eddie lives.... Somewhere in Time!". This virus bears no resemblance or similarity to the Jerusalem viruses, even though they are similar in size. Also see: V2000, V1024, V651 Virus Name: Datacrime Aliases: 1168, Columbus Day V Status: Extinct Discovery: April, 1989 Symptoms: .COM file growth, floppy disk access; formats hard disk, message any day from Oct 13 to Dec 31. Origin: Holland Eff Length: 1,168 bytes Type Code: PNC - Parasitic Non-Resident .COM Infector Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC Removal Instructions: AntiCrim, Scan/D, Pro-Scan 1.4+, VirexPC, or F-Prot General Comments: The Datacrime virus is a parasitic virus, and is also known as the 1168 virus. The Datacrime virus is a non-resident virus, infecting .COM files. The virus was originally discovered in Europe shortly after its release in March, 1989. The virus will attach itself to the end of a .COM file, increasing the file's length by 1168 bytes. The first 5 bytes of the host program are stored off in the virus's code and then replaced by a branch instruction so that the virus code will be executed before the host program. In order to propagate, the virus searches thru directories for .COM files, other than COMMAND.COM and attaches to any found .COM files (except for where the 7th letter is a D). Hard drive partitions are searched before the floppy drives are checked. The virus will continue to propagate until the date is after October 12 of any year, then when it is executed it will display a message. The de-crypted message is something like: "DATACRIME VIRUS" "RELEASED: 1 MARCH 1989". Note: only this ASCII message is encrypted in this version. A low-level format of the hard disk is then done. Errors in the code will make .COM file infection appear random and will often make the system crash following infection. Unlike the other variants of Datacrime, the original Datacrime virus does not replicate, or infect files, until after April 1 of any year. Lastly, if the computer system is using an RLL, SCSI, or PC/AT type hard disk controller, all variants of the Datacrime virus are not able to successfully format the hard disk, according to Jan Terpstra of the Netherlands. Also see: Datacrime II, Datacrime IIB, Datacrime-B Virus Name: Datacrime II Aliases: 1514, Columbus Day V Status: Endangered Discovered: September, 1989 Symptoms: .EXE & .COM file growth, formats disk Origin: Netherlands Eff Length: 1,514 bytes Type Code: PNAK - Non-Resident Encrypting .COM & .EXE Infector Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC Removal Instructions: AntiCrim, Scan/D, Pro-Scan 1.4+, VirexPC, or F-Prot General Comments: The Datacrime II virus is a variant of the Datacrime virus, the major characteristic changes are that the effective length of the virus is 1,514 bytes, and that it can now infect both .COM and .EXE files, including COMMAND.COM. There is also an encryption mechanism in the Datacrime II virus. The Datacrime II virus will not format disks on Mondays. Also see: Datacrime, Datacrime IIB, Datacrime-B Virus Name: Datacrime IIB Aliases: 1917, Columbus Day V Status: Endangered Discovered: November, 1989 Symptoms: .EXE & .COM growth, formats disk, floppy disk access. Origin: Netherlands Eff Length: 1,917 bytes Type Code: PNAK - Non-Resident Encrypting .COM & .EXE Infector Detection Method: ViruScan V51+, F-Prot, IBM Scan, Pro-Scan, VirexPC Removal Instructions: AntiCrim, Scan/D, F-Prot, VirexPC General Comments: The Datacrime IIB virus is a variant of the Datacrime II virus, and was isolated by Jan Terpstra of the Netherlands in November, 1989. This virus, as with Datacrime II, infects generic .COM & .EXE files, including COMMAND.COM, adding 1,917 bytes to the file length. The virus differs from Datacrime II in that the encryption method used by the virus to avoid detection has been changed. The Datacrime IIB virus will not format disks on Mondays. Also see: Datacrime, Datacrime II, Datacrime-B Virus Name: Datacrime-B Aliases: 1280, Columbus Day V Status: Extinct Discovered: April, 1989 Symptoms: .EXE file growth, formats MFM/RLL hard drives, odd floppy disk access. Origin: Netherlands Eff Length: 1,280 bytes Type Code: PNE - Parasitic Non-Resident Generic .EXE Infector Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC Removal Instructions: AntiCrim, Scan/D, VirexPC, Pro-Scan 1.4+, or F-Prot General Comments: The Datacrime-B virus is a variant of the Datacrime virus, the differences being that the effective length of the virus is 1,280 bytes, and instead of infecting .COM files, .EXE files are infected. Also see: Datacrime, Datacrime II, Datacrime II-B Virus Name: dBASE Aliases: DBF Virus V Status: Endangered Discovered: September, 1988 Symptoms: .COM & .OVL file growth, corrupt .DBF files, TSR, FAT and root directory overwritten Origin: New York, USA Eff Length: 1,864 bytes Type Code: PRC - Parasitic Resident .COM and Overlay Infector Detection Method: ViruScan V47+, F-Prot, IBM Scan, Pro-Scan, VirexPC Removal Instructions: Scan/D, Pro-Scan 1.4+, or F-Prot General Comments: The dBASE virus was discovered by Ross Greenberg of New York. This virus infects .COM & .OVL files, and will corrupt data in .DBF files by randomly transposing bytes in any open .DBF file. It keeps track of which files and bytes were transposed in a hidden file (BUG.DAT) in the same directory as the .DBF file(s). The virus restores these bytes if the file is read, so it appears that nothing is wrong. Once the BUG.DAT file is 90 days old or more, the virus will overwrite the FAT and root directory on the disk. After this virus has been detected, if you remove the infected dBASE program and replace it with a clean copy, your DBF files that were openned during the period that you were infected will be useless since they are garbled on the disk even though they would be displayed as expected by the infected dBASE program. Virus Name: Den Zuk Aliases: Search, Venezuelan V Status: Common Discovered: September, 1988 Symptoms: Message, floppy format, TSR, BSC Origin: Indonesia Eff Length: N/A Type Code: RtF - Resident Floppy Boot Sector Infector Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC Removal Instructions: MDisk, CleanUp, F-Prot, Pro-Scan 1.4+, or DOS SYS command General Comments: The Den Zuk virus is a memory-resident, boot sector infector of 360K 5 1/4" diskettes. The virus can infect any diskette in a floppy drive that is accessed, even if the diskette is not bootable. If an attempt is made to boot the system with an infected non-system disk, Den Zuk will install itself into memory even though the boot failed. After the system is booted with an infected diskette, a purple "DEN ZUK" graphic will appear after a CTL-ALT-DEL is performed if the system has a CGA, EGA, or VGA monitor. While the original Den Zuk virus did not cause any damage to the system, some variants maintain a counter of how many times the system has been rebooted, and after the counter reaches its limit, the floppy in the disk drive is reformatted. The counter in these variants of the virus is usually in the range of 5 to 10. The following text strings can be found in the viral code on diskettes which have been infected with the Den Zuk virus: "Welcome to the C l u b --The HackerS-- Hackin' All The Time The HackerS" The diskette volume label of infected diskettes may be changed to Y.C.1.E.R.P., though this change only occurs if the Den Zuk virus removed a Pakistani Brain infection before infecting the diskette with Den Zuk. The Den Zuk virus will also remove an Ohio virus infection before infecting the diskette with Den Zuk. The Den Zuk virus is thought to be written by the same person or persons as the Ohio virus. The "Y.C.1.E.R.P." string is found in the Ohio virus, and the viral code is similar in many respects. Also see: Ohio Virus Name: Devil's Dance Aliases: Mexican V Status: Rare Discovered: December, 1989 Symptoms: Message, .COM growth, FAT corruption, TSR Origin: Mexico Eff Length: 941 Bytes Type Code: PRCT - Parasitic Resident .COM Infector Detection Method: ViruScan V52+, IBM Scan, Pro-Scan, VirexPC Removal Instructions: Scan/D, Pro-Scan 1.4+, or delete infected files General Comments: The Devil's Dance virus was first isolated in December, 1989, by Mao Fragoso of Mexico City. The Devil's Dance virus increases the size of infected .COM files by 941 bytes, and will infect a file multiple times until the file becomes too large to fit in available system memory. Once an infected program has been run, any subsequent warm- reboot (CTL-ALT-DEL) will result in the following message being displayed: "DID YOU EVER DANCE WITH THE DEVIL IN THE WEAK MOONLIGHT? PRAY FOR YOUR DISKS!! The Joker" The Devil's Dance virus is destructive. After the first 2,000 keystrokes, the virus starts changing the colors of any text displayed on the system monitor. After the first 5,000 keystrokes, the virus erases the first copy of the FAT. At this point, when the system is rebooted, it will display the message above and again destroy the first copy of the FAT, then allow the boot to proceed. Virus Name: Disk Killer Aliases: Computer Ogre, Disk Ogre, Ogre V Status: Common Discovered: April, 1989 Symptoms: Bad blocks, message, BSC, TSR, encryption of disk Origin: Taiwan Isolated: Milpitas, California, USA Eff Length: N/A Type Code: BRtT - Resident Boot Sector Infector Detection Method: ViruScan V39+, F-Prot, IBM Scan, Pro-Scan, VirexPC Removal Instructions: MDisk, CleanUp, Pro-Scan 1.4+, F-Prot, or DOS COPY & SYS General Comments: The Disk Killer virus is a boot sector infector that spreads by writing copies of itself to 3 blocks on either a floppy or hard disk. The virus does not care if these blocks are in use by another program or are part of a file. These blocks will then be marked as bad in the FAT so that they cannot be overwritten. The boot sector is patched so that when the system is booted, the virus code will be executed and it can attempt to infect any new disks exposed to the system. The virus keeps track of the elasped disk usage time since initial infection, and does no harm until it has reached a predetermined limit. The predetermined limit is approximately 48 hours. (On most systems, Disk Killer will reach its limit within 1 - 6 weeks of its initial hard disk infection.) When the limit is reached or exceeded and the system is rebooted, a message is displayed identifying COMPUTER OGRE and a date of April 1. It then says to leave alone and proceeds to encrypt the disk by alternately XORing sectors with 0AAAAh and 05555h, effectively destroying the information on the disk. The only recourse after Disk Killer has activated and encrypted the entire disk is to reformat. The message text that is displayed upon activation, and can be found in the viral code is: "Disk Killer -- Version 1.00 by COMPUTER OGRE 04/01/89 Warning!! Don't turn off the power or remove the diskette while Disk Killer is Processing! PROCESSING Now you can turn off the power. I wish you Luck!" It is important to note that when the message is displayed, if the system is turned off immediately it may be possible to salvage some files on the disk using various utility programs as this virus first destroys the boot, FAT, and directory blocks. Disk Killer can be removed by using McAfee Associate's MDisk or CleanUp utility, or the DOS SYS command, to overwrite the boot sector on hard disks or bootable floppies. On non-system floppies, files can be copied to non-infected floppies, followed by reformat- ting the infected floppies. Be sure to reboot the system from a write protected master diskette before attempting to remove the virus first or you will be reinfected by the virus in memory. Note: Disk Killer may have damaged one or more files on the disk when it wrote a portion of its viral code to 3 blocks on the disk. Once the boot sector has been disinfected as indicated above, these corrupted files cannot reinfect the system, however they should be replaced with backup copies since the 3 blocks were overwritten. Note: Do not use the DOS DiskCopy program to backup infected diskettes as the new backup diskettes will contain the virus as well. Virus Name: Do-Nothing Virus Aliases: The Stupid Virus V Status: Rare Discovered: October, 1989 Symptoms: .COM file growth, TSR (see text) Origin: Israel Eff Length: 608 Bytes Type Code: PRfC - Parasitic Resident .COM Infector Detection Method: ViruScan V49+, F-Prot, Pro-Scan, VirexPC Removal Instructions: Scan/D, Pro-Scan 1.4+, or F-Prot General Comments: This virus was first reported by Yuval Tal of Israel in October, 1989. The virus will infect .COM files, but only the first one in the current directory, whether it was previously infected or not. The Do-Nothing virus is also memory resident, always installing itself to memory address 9800:100h, and can only infect systems with 640K of memory. The virus does not protect this area of memory in any way, and other programs which use this area will overwrite it in memory, removing the program from being memory resident. The Do-Nothing virus does no apparent damage, nor does it affect operation of the system in any observable way, thus its name. Virus Name: EDV Aliases: Stealth Virus V Status: Rare Discovered: January, 1990 Symptoms: BSC, TSR, unusual crashes Origin: Eff Length: N/A Type Code: BRX - Resident Boot Sector/Partition Table Infector Detection Method: ViruScan V58+, IBM Scan, Pro-Scan 1.4+ Removal Instructions: MDisk/P, or Pro-Scan 1.4+ General Comments: The EDV virus first identified in January, 1990. This virus infects the boot sector of floppy diskettes, as well as the boot sector and partition table of hard disks. After a system is booted from an infected diskette or hard disk, the virus makes itself memory resident. The EDV virus will cause some programs to crash, as well as destroying some data. The following identification string appears at the very end of the boot sector on infected floppy disks: "MSDOS Vers. E.D.V." Virus Name: Eight Tunes Aliases: 1971 V Status: Rare Discovered: April, 1990 Symptoms: file growth, music, decrease in available memory Origin: West Germany Eff Length: 1,971 Bytes Type Code: PRsA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V62+, Pro-Scan 1.4+, VirexPC Removal Instructions: Scan/D, or delete infected files General Comments: The Eight Tunes, or 1971, Virus was originally isolated in April 1990 by Fridrik Skulason of Iceland. This virus is a memory resident generic file infector of .COM, .EXE, and overlay files. The virus will not infect COMMAND.COM, or .COM files which are smaller than 8K. After the virus is memory resident, programs are infected as they are executed. Infected files will increase in length by between 1,971 - 1,985 bytes. Available memory will decrease by 1,984 bytes when the virus is present. This virus does not cause system damage, however it is disruptive. When the virus is memory resident, it will play 8 German folk songs at random intervals thirty minutes after the virus becomes memory resident. Virus Name: Fellowship Aliases: 1022 V Status: New Discovered: July, 1990 Symptoms: TSR, .COM & .EXE file growth Origin: West Germany Eff Length: 1,022 Bytes Type Code: PRsE - Parasitic Resident .EXE Infector Detection Method: ViruScan V66+ Removal Instructions: Scan/D, or delete infected files General Comments: The Fellowship or 1022 Virus was isolated in Australia in July 1990. Fellowship is a memory resident generic infector of .EXE files. It does not infect .COM or overlay files. The first time a program infected with the Fellowship Virus is executed, the virus will install itself memory resident as a 2,048 byte TSR in low system memory. Available free memory will be decreased by a corresponding 2,048 bytes. Interrupt 21 will also now be controlled by the virus. After the virus is memory resident, the virus will infect .EXE files when they are executed. Infected .EXE files will increase in size by between 1,019 and 1,027 bytes. The virus's code will be located at the end of infected files. Infected files will contain the following text strings very close to the end of the file: "This message is dedicated to all fellow PC users on Earth Toward A Better Tomorrow And a better Place To Live In" "03/03/90 KV KL MAL" Virus Name: Fish Virus Aliases: European Fish Viruses, Fish 6, Stealth Virus V Status: Rare Discovered: May 1990 Symptoms: .COM & .EXE growth, monitor/display flickering, system memory decrease Origin: West Germany Eff Length: 3,584 Bytes Type Code: PRsAK - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V63+, Pro-Scan 1.4+, VirexPC Removal Instructions: Scan/D, CleanUp V66+, Pro-Scan 1.4+, or delete infected files General Comments: The Fish Virus was isolated in May 1990. At the time of isolation, it was reported to be widespread in Europe, and it is thought to have originated in West Germany. It is a generic resident .COM and .EXE infector, and will infect COMMAND.COM. This virus will remain memory resident thru a warm reboot, or Ctrl-Alt-Del. The virus is encrypted, though infected programs can be found by searching for the text string "FISH FI" appearing near the end of the program. The "FISH FI" string may later disappear from the program. The first time a program infected with the Fish Virus is executed, the virus will go memory resident, installing itself into the low available free memory. If interrupt 13 has not been hooked by another program, it will hook interrupt 13. If it can hook interrupt 13, it will take up 8,192 bytes in memory. If the virus cannot hook interrupt 13 because another program is already using it, it will be 4,096 bytes in memory. When interrupt 13 is not hooked, and the virus is memory resident, the virus will cause a random warm reboot, thus allowing it to infect COMMAND.COM and hook interrupt 13. Warm reboots do not appear to randomly occur after interrupt 13 has been hooked. After the virus is memory resident, all .COM and .EXE programs which are openned for any reason will be infected. Infected programs increase in length by 3,584 bytes. The increase in program size cannot be seen by listing the disk directory if the virus is in memory. Also, if a CHKDSK command is run on an infected system, it will detect file allocation errors on infected files. If CHKDSK is run with the /F option, it will result in lost clusters and cross-linking of files. The virus slows down video writes, and flickering of the monitor display can be noticed on an infected system. Anti-viral programs which perform CRC checking cannot detect the infection of the program by the Fish Virus if the virus is memory resident. This virus can also bypass software write protect mechanisms used to protect a hard drive. The Fish Virus is a modified version of the 4096 Virus, though it is more sophisticated in that it constantly re-encrypts itself in system memory. Viewing system memory with the virus resident will show that the names of several fish are present. It is unknown what the Fish virus does when it activates, though it does appear to check to determine if the year of the system time is 1991. Virus Name: Flash Aliases: V Status: Rare Discovered: July 1990 Symptoms: .COM & .EXE growth, decrease in available free memory Origin: Eff Length: 688 Bytes Type Code: PRfA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V64+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Flash Virus was discovered in July 1990 in West Germany. Flash is a memory resident generic file infector, and will infect .COM and .EXE files, but not COMMAND.COM. The first time a program infected with the Flash Virus is executed, the virus will install itself memory resident. 976 bytes will be allocated in high memory, and available free memory will decrease by a corresponding 976 bytes. A mapping of memory will also indicate that when Flash is resident in memory, interrupts 00, 23, 24, 30, ED, F5, and FB are now in free memory. Total system memory reported by DOS, as well as low memory used by the operating system and TSRs will not have changed. Once Flash is memory resident, each time a .COM or .EXE program is executed it is a candidate for infection. An uninfected .EXE program will always be infected upon execution. Uninfected .COM files are only infected if they are greater than approximately 500 bytes in length. Infected files will always increase in length by 688 bytes. Virus Name: Flip Aliases: V Status: New Discovered: July 1990 Symptoms: .COM & .EXE growth, decrease in system and free memory, boot sector and partition table altered, file allocation errors Origin: West Germany Eff Length: 2,343 Bytes Type Code: PRhA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V66+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Flip Virus was discovered in West Germany in July 1990. It is a generic file infector, and will infect .COM, .EXE, and overlay files. This virus will also infect COMMAND.COM, as well as alter the partition table and boot sector of hard disks. The first time a program infected with the Flip Virus is executed, it installs itself memory resident in high memory. System memory as reported by the CHKDSK command as well as free memory will have decreased by 3,064 bytes. At this time, the copy of COMMAND.COM located in the C: drive root directory will be infected, though no file length change will be apparent with the virus in memory. The system's hard disk partition table and boot sector will also be slightly modified. If the infected program was executed from a floppy, COMMAND.COM on the floppy will be infected, though the size change will be noticeable. After Flip becomes memory resident, any .COM or .EXE files executed will become infected. Infected programs will show a file length increase of 2,343 bytes. If a program is executed which uses an overlay file, the overlay file will also become infected. Systems infected Flip may experience file allocation errors resulting in file linkage errors. Some data files may become corrupted. Virus Name: FORM-Virus Aliases: Form, Form Boot V Status: Rare Discovered: June 1990 Symptoms: BSC Origin: Switzerland Eff Length: N/A Type Code: BR - Resident Boot Sector Infector Detection Method: ViruScan V64+ Removal Instructions: MDisk, or DOS SYS command General Comments: The Form, or Form Boot, Virus is a memory resident infector of floppy and hard disk boot sectors. It was originally isolated in Switzerland. When a system is first booted with a diskette infected with the Form Boot virus, the virus will infect system memory as well as seek out and infect the system's hard disk. The floppy boot may or may not be successful, on the author's test system, a boot from floppy diskette infected with Form Boot never succeeded, instead the system would hang. It should be noted that the virus was received by the author of this document as a binary file, and it may have been damaged in some way. The following text message is contained in the Form Boot virus binary code as received by the author of this document: "The FORM-Virus sends greetings to everyone who's reading this text.FORM doesn't destroy data! Don't panic! Fuckings go to Corinne." These messages, however, may not appear in all cases. For example, I did not find these messages anywhere on a hard disk infected with Form Boot. This virus can be removed with the same technique as used with many boot sector infectors. First, power off the system and then boot from a known clean write-protected boot diskette. The DOS SYS command can then be used to recreate the boot sector. Alternately, MDisk from McAfee Associates may be used to recreate the boot sector. Virus Name: Frere Jacques Aliases: Frere Virus V Status: Rare Discovered: May 1990 Symptoms: .COM & .EXE growth, available memory decreases, system hangs, music (Frere Jacques) on Fridays Origin: California, USA Eff Length: 1,808 Bytes Type Code: PRA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V63+, Pro-Scan 1.4+ Removal Instructions: Scan/D, Pro-Scan 1.4+, or Delete infected files General Comments: The Frere Jacques Virus was isolated in May, 1990. It is a memory resident generic file infector, infecting .COM, .EXE, and Overlay files. It does not infect COMMAND.COM. This virus is based on the Jerusalem B Virus. The first time an infected program is executed, the virus will install itself memory resident in low available free memory. The memory resident virus occupies 2,064 bytes, and attaches itself to interrupt 21. After becoming memory resident, Frere Jacques will infect any program which is then executed. Infected programs will increase in size by between 1,808 bytes and 1,819 bytes, though .COM files always increase in size by 1,813 bytes. Systems infected with Frere Jacques will experience a decrease in available free memory, as well as executable files increasing in size. System hangs will also intermittently occur when the virus attempts to infect programs, thus resulting in the possible loss of system data. On Fridays, the Frere Jacques virus activates, and will play the tune Frere Jacques on the system speaker. Also see: Jerusalem B Virus Name: Friday The 13th COM Virus Aliases: COM Virus, Miami, Munich, South African, 512 Virus V Status: Endangered Discovered: November, 1987 Symptoms: .COM growth, floppy disk access, file deletion Origin: Republic of South Africa Eff Length: 512 Bytes Type Code: PNC - Parasitic Non-Resident .COM Infector Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan Removal Instructions: Scan/D, Pro-Scan 1.4+, or F-Prot General Comments: The original Friday The 13th COM virus first appeared in South Africa in 1987. Unlike the Jerusalem (Friday The 13th) viruses, it is not memory resident, nor does it hook any interrupts. This virus only infects .COM files, but not COMMAND.COM. On each execution of an infected file, the virus looks for two other .COM files on the C drive and 1 on the A drive, if found they are infected. This virus is extremely fast, and the only indication of propagation occurring is the access light being on for the A drive, if the current default drive is C. The virus will only infect a .COM file once. The files, after infection, must be less than 64K in length. On every Friday the 13th, if the host program is executed, it is deleted. Known variants of the Friday The 13th COM virus are: Friday The 13th-B: same, except that it will infect every file in the current subdirectory or in the system path if the infected .COM program is in the system path. Friday The 13th-C: same as Friday The 13th-B, except that the message "We hope we haven't inconvenienced you" is displayed whenever the virus activates. Author's note: All samples of this virus that are available were created by reassembling a disassembly of this virus. These viruses may not actually exist "in the wild". Virus Name: Fu Manchu Aliases: 2080, 2086 V Status: Rare Discovered: March, 1988 Symptoms: .SYS, .BIN, .COM & .EXE growth, messages Origin: Eff Length: 2,086 (COM files) & 2,080 (EXE files) bytes Type Code: PRsA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC Removal Instructions: Scan/D, F-Prot, Pro-Scan 1.4+, VirexPC General Comments: The Fu Manchu virus attaches itself to the beginning of .COM files or the end of .EXE files. This virus will infect any executable program, including overlay, .SYS, and .BIN files as well. It appears to be a rewritten version of the Jerusalem virus, with a possible creation date of 3/10/88. A marker or id string usually found in this virus is 'sAXrEMHOr', though the virus only uses the 'rEMHOr' portion of the string to identify infected files. One out of sixteen infections will result in a timer being installed, and after a random amount of time, the message "The world will hear from me again!" is displayed and the system reboots. This message will also be displayed on an infected system after a warm reboot, though the virus doesn't survive in memory. After August 1, 1989, the virus will monitor the keyboard buffer, and will add derogatory comments to the names of various politicians. These comments go to the keyboard buffer, so their effect is not limited to the display. The messages within the virus are encrypted. This virus is very rare in the United States. Also see: Jerusalem B, Taiwan 3 Virus Name: Ghostballs Aliases: Ghost Boot, Ghost COM V Status: Rare Discovered: October, 1989 Symptoms: moving graphic display, .COM file growth, file corruption, BSC. Origin: Iceland Eff Length: 2,351 bytes Type Code: PNCB - Parasitic Non-Resident .COM & Boot Sector Infector Detection Method: ViruScan V46+, F-Prot, IBM Scan, Pro-Scan, VirexPC Removal Instructions: MDisk or DOS SYS and erase infected .COM files, or CleanUp, F-Prot, Pro-Scan 1.4+, VirexPC General Comments: The Ghostball virus (Ghost Boot and Ghost COM) were discovered in October, 1989 by Fridrik Skulason of Iceland. The Ghostballs Virus virus infects generic .COM files, increasing the file size by 2,351 bytes. It also alters the disk boot sector, replacing it with viral code similar to the Ping Pong virus. This altered boot sector, however, will not replicate. Symptoms of this virus are very similar to the Ping Pong virus, and random file corruption may occur on infected systems. The Ghostballs virus was the first known virus that could infect both files (.COM files in this case) and disk boot sectors. After the boot sector is infected, the system experiences the bouncing ball effect of the Ping Pong virus. If the boot sector is overwritten to remove the boot viral infection, it will again become corrupted the next time an infected .COM file is executed. The Ghostballs Virus is based on the code of two other viruses. The .COM infector portion consists of a modified version of the Vienna virus. The boot sector portion of the virus is based on the Ping Pong virus. To remove this virus, turn off the computer and reboot from a write protected master diskette for the system. Then use either MDisk or the DOS SYS command to replace the boot sector on the infected disk. Any infected .COM files must also be erased and deleted, then replaced with clean copies from your original distribution diskettes. Virus Name: Golden Gate Aliases: Mazatlan, 500 Virus V Status: Extinct Discovered: 1988 Symptoms: BSC, disk format, Resident TOM Origin: California, USA Eff Length: N/A Type Code: BRt - Resident Boot Sector Infector Detection Method: ViruScan (identifies as Alameda) Removal Instructions: MDisk, F-Prot, or DOS SYS command General Comments: The Golden Gate virus is a modified version of the Alameda virus which activates when the counter in the virus has determined that it is infected 500 diskettes. The virus replicates when a CTL-ALT-DEL is performed, infecting any diskette in the floppy drive. Upon activation, the C: drive is formatted. The counter in the virus is reset on each new floppy or hard drive infected. Known Variants of this virus are: Golden Gate-B: same as Golden Gate, except that the counter has been changed from 500 to 30 infections before activation, and only diskettes are infected. Golden Gate-C: same as Golden Gate-B, except that the hard drive can also be infected. This variant is also known as the Mazatlan Virus, and is the most dangerous of the Golden Gate viruses. Also see: Alameda Virus Name: Halloechen Aliases: V Status: Rare Discovered: October, 1989 Symptoms: TSR, .COM & .EXE growth, garbled keyboard input. Origin: West Germany Eff Length: 2,011 Bytes Type Code: PRsA - Resident Parasitic .COM &.EXE Infector Detection Method: ViruScan V57+, Pro-Scan 1.4+, VirexPC Removal Instructions: Scan/D or delete infected files General Comments: The Halloechen virus was reported by Christoff Fischer of the University of Karlsruhe in West Germany. The virus is a memory resident generic .COM & .EXE file infector which is reported to be widespread in West Germany. The Halloechen virus installs itself memory resident when the first infected program is executed. Thereafter, the virus will infect any .EXE or .COM file which is run unless the resulting infected file would be greater than 64K in size, or the file's date falls within the system date's current month and year. Once a file has been determined to be a candidate for infection, and is less than approximately 62K in size as well as having a date outside of the current month and year, it is infected. In the process of infecting the file, the files size is first increased so that it is a multiple of 16 (ends on a paragraph boundary), then the 2,011 bytes of viral code are added. When infected files are run, input from the keyboard is garbled. Virus Name: Holland Girl Aliases: Sylvia V Status: Rare Discovered: December, 1989 Symptoms: .COM growth, TSR Origin: Netherlands Eff Length: 1,332 Bytes Type Code: PRsC - Resident Parasitic .COM Infector Detection Method: ViruScan V50+, F-Prot, IBM Scan, Pro-Scan, VirexPC Removal Instructions: F-Prot, Pro-Scan 1.4+, or Scan/D General Comments: The Holland Girl or Sylvia Virus was first reported by Jan Terpstra of the Netherlands. This virus is memory resident and infects only .COM files, increasing their size by 1,332 bytes. The virus apparently does no other damage, and does not infect COMMAND.COM. The virus's name is due to the fact that the virus code contains the name and phone number of a girl named Sylvia in Holland, along with her address, requesting that post cards be sent to her. The virus is believed to have been written by her ex-boyfriend. Virus Name: Icelandic Aliases: 656, One In Ten, Disk Crunching Virus V Status: Extinct Discovered: June, 1989 Symptoms: .EXE growth, Resident TOM, bad sectors, FAT corruption Origin: Iceland Eff Length: 656 bytes Type Code: PRfE - Resident Parasitic .EXE Infector Detection Method: ViruScan, F-Prot, Pro-Scan, VirexPC Removal Instructions: Scan/D, Pro-Scan 1.4+, or F-Prot General Comments: The Icelandic, or "Disk Crunching Virus", was originally isolated in Iceland in June 1989. This virus only infects .EXE files, with infected files growing in length between 656 and 671 bytes. File lengths after infection will always be a multiple of 16. The virus attaches itself to the end of the programs it infects, and infected files will always end with hex '4418,5F19'. The Icelandic virus will copy itself to the top of free memory the first time an infected program is executed. Once in high memory, it hides from memory mapping programs. If a program later tries to write to this area of memory, the computer will crash. If the virus finds that some other program has "hooked" Interrupt 13, it will not proceed to infect programs. If Interrupt 13 has not been "hooked", it will attempt to infect every 10th program executed. On systems with only floppy drives, or 10 MB hard disks, the virus will not cause any damage. However, on systems with hard disks larger than 10 MB, the virus will select one unused FAT entry and mark the entry as a bad sector each time it infects a program. Also see: Icelandic-II, Icelandic-III, Mix/1, Saratoga Virus Name: Icelandic-II Aliases: System Virus, One In Ten V Status: Extinct Discovered: July, 1989 Symptoms: .EXE growth, Resident TOM, FAT corruption date changes, loss of Read-Only Origin: Iceland Eff Length: 632 Bytes Type Code: PRfE - Parasitic Resident .EXE Infector Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC Removal Instructions: Scan/D, Pro-Scan 1.4+, or F-Prot General Comments: The Icelandic-II Virus is a modified version of the Icelandic Virus, and was isolated for the first time in July 1989 in Iceland. These two viruses are very similar, so only the changes to this variant are indicated here, refer to Icelandic for the base virus information. Each time the Icelandic-II virus infects a program, it will modify the file's date, thus making it fairly obvious that the program has been changed. The virus will also remove the read-only attribute from files, but does not restore it after infecting the program. The Icelandic-II virus can infect programs even if the system is running an anti-viral TSR that monitors interrupt 21, such as FluShot+. On hard disks larger than 10 MB, there are no bad sectors marked in the FAT as there is with the Icelandic virus. Also see: Icelandic, Icelandic-III, Mix/1, Saratoga Virus Name: Icelandic-III Aliases: December 24th V Status: Rare Discovered: December, 1989 Symptoms: .EXE growth, Resident TOM, bad sectors, FAT corruption, Dec 24 message. Origin: Iceland Eff Length: 853 Bytes Type Code: PRfE - Parasitic Resident .EXE Infector Detection Method: ViruScan V57+, F-Prot, IBM Scan, Pro-Scan, VirexPC Removal Instructions: F-Prot, Scan/D, Pro-Scan 1.4+, or delete infected files General Comments: The Icelandic-III Virus is a modified version of the Icelandic Virus, and was isolated for the first time in December 1989 in Iceland. These two viruses are very similar, so only the changes to this variant are indicated here, refer to Icelandic for the base virus information. The Icelandic-III virus's id string in the last 2 words of the program is hex '1844,195F', the bytes in each word being reversed from the id string ending the Icelandic and Icelandic-II viruses. There are also other minor changes to the virus from the previous Icelandic viruses, including the addition of several NOP instructions. Before the virus will infect a program, it checks to see if the program has been previously infected with Icelandic or Icelandic-II, if it has, it does not infect the program. Files infected with the Icelandic-III virus will have their length increased by between 848 and 863 bytes. If an infected program is run on December 24th of any year, programs subsequently run will be stopped, later displaying the message "Gledileg jol" ("Merry Christmas" in Icelandic) instead. Also see: Icelandic, Icelandic-II, Mix/1, Saratoga Virus Name: Itavir Aliases: 3880 V Status: Endangered Discovered: March, 1990 Symptoms: .EXE growth, .OMMAND.COM file, Boot sector corruption Origin: Italy Eff Length: 3,880 Bytes Type Code: PNE - Parasitic Non-Resident .EXE Infector Detection Method: ViruScan V60+, Pro-Scan 1.4+ Removal Instructions: Scan/D, or delete infected files General Comments: The Itavir virus was isolated in March 1990 by a group of students at the Milan Politechnic in Milan, Italy. The Itavir virus is a non-resident generic .EXE Infector. Infected files will increase in length by 3,880 bytes. Infected systems, besides having files which have increased in length, will usually have a file with the name .OMMAND.COM somewhere on the disk. The first character of this file name is an unprintable character. The .OMMAND.COM file contains the pure virus code and is used for appending to files as they are infected. The Itavir virus activates at some time periood after the system has been running for more than 24 hours. When it activates, the boot sector is corrupted, rendering the system unbootable. The virus also displays a message in Italian and writes ansi values from 0 thru 255 to all available I/O ports, thus confusing any attached peripheral devices. Some monitors may show a flickering effect when this occurs, while some VGA monitors may actually "hiss". Virus Name: Jerusalem Aliases: PLO, Israeli, Friday 13th, Russian, 1813(COM), 1808(EXE) V Status: Common Discovered: October, 1987 Symptoms: TSR, .EXE & .COM growth, system slowdown, deleted files on Friday 13th, "Black WIndow" Origin: Israel Eff Length: 1,813 (COM files) & 1,808 (EXE files) bytes Type Code: PRsA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC 1.1+ Removal Instructions: Scan/D/A, Saturday, CleanUp, UnVirus, F-Prot, VirexPC 1.1+, Pro-Scan 1.4+ General Comments: The Jerusalem Virus was originally isolated at Hebrew University in Israel in the Fall of 1987. The virus is memory resident and can survive a warm reboot (CTL-ALT-DEL). .COM and .EXE files are infected, with .EXE files being reinfected each time they are executed due to a bug in the virus. This virus redirects interrupt 8, and 1/2 hour after execution of an infected program the system will slow down by a factor of 10. Additionally, some Jerusalem Virus variants will have a "Black Window" or "Black Box" appear on the lower left side of the screen which will scroll up the screen as the screen scrolls. On Friday The 13ths, after the virus is installed in memory, every program executed will be deleted from disk. The identifier for some strains is "sUMsDos", however, this identifier is usually not found in the newer variants of Jerusalem. The Jerusalem Virus is thought to have been based on the Suriv 3.00 Virus, though the Suriv 3.00 Virus was isolated after the Jerusalem Virus. Also see: Jerusalem B, New Jerusalem, Payday, Suriv 3.00 Virus Name: Jerusalem B Aliases: Arab Star, Black Box, Black Window, Hebrew University V Status: Common Discovered: January, 1988 Symptoms: TSR, .EXE & .COM growth, system slowdown, deleted files on Friday 13th, "Black WIndow" Origin: Israel Eff Length: 1,813 (.COM files) & 1,808 (.EXE files) bytes Type Code: PRsA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC 1.1+ Removal Instructions: F-Prot, Saturday, CleanUp, M-JRUSLM, UnVirus, VirexPC 1.1+, Pro-Scan 1.4+ General Comments: Identical to the Jerusalem virus, except that in some cases it does not reinfect .EXE files. Jerusalem B is the most common of all PC viruses, and can infect .SYS and program overlay files in addition to .COM and .EXE files. Not all variants of the Jerusalem B virus slow down the system after an infection has occurred. Known variants of Jerusalem B are: A-204 : Jerusalem B with the sUMsDos text string changed to *A-204*, and a couple of instructions changed in order to avoid detection. This variant will slow down the system after being memory resident for 30 minutes, as well as having a black box appear at that time. Origin: Delft, The Netherlands Anarkia : Jerusalem B with the timer delay set to slow down the system to a greater degree, though this effect doesn't show until a much longer time has elasped. No Black Box is never displayed. The sUMsDos id-string has been changed to ANARKIA. Lastly, the virus's activation date has been changed to Tuesday The 13ths, instead of Friday The 13ths. Origin: Spain Anarkia-B : Similar to Anarkia, with the exception that the virus now activates on any October 12th instead of on Tuesday The 13ths. Jerusalem-C: Jerusalem B without the timer delay to slow down the processor. Jerusalem-D: Jerusalem C which will destroy both copies of the FAT on any Friday The 13th after 1990. Jerusalem-E: Jerusalem D but the activation is in 1992. Mendoza : Based on the Jerusalem B virus, this variant does not reinfect .EXE files. It is also missing the black box effect. Mendoza activates in the second half of the year (July - December), at which time any day will have a 10% chance of having all programs executed deleted. Origin: Argentina Puerto : Isolated in June, 1990 in Puerto Rico, this variant is very similar to the Mendoza variant, the virus contains the sUMsDos id-string. .EXE files may be infected multiple times. Spanish JB : Similar to Jerusalem, it reinfects .EXE files. The increased file size on .COM files is always 1,808 bytes. On .EXE files, the increased file size may be either 1,808 or 1,813, with reinfections always adding 1,808 bytes to the already infected file. N