Virus Name: Lep-0736 Virus Type: File Infector Virus (infects .COM & .EXE files.) Virus Length: No change PC Vectors Hooked: None Executing Procedure: 1) Searches for uninfected .COM and .EXE files in the current directory and infects them (4 at a time). 2) It then outputs to the screen:"Program too big to fit in memory" Damage: Overwrites the original files, so the length of the files won't increase. Detecting Method: 1) Check for the erroneous screen message "Program too big to fit in memory." Note: 1) Doesn't stay resident in memory. 2) LEP-0736 doesn't hook INT 24h when infecting files. Error message occurs if there is an I/O error (such as write protect).
Virus Name: Lct-762 Virus Type: File Infector Virus (infects .COM files) Virus Length: 762 Bytes
PC Vectors Hooked: None Executing Procedure: 1) Finds and infects all uninfected .COM files in the current directory. Damage: None Detecting Method: Infected files will increase by 762 Bytes. Note: 1) Doesn't stay resident in memory. 2) LCT-762 doesn't hook INT 24h when infecting files. An error message occurs if there is an I/O error (such as write.)
Virus Name: Lep-562 Virus Type: File Infector Virus (infects .COM & .EXE files) Virus Length: No change
PC Vectors Hooked: None Executing Procedure: 1) Searches for uninfected .COM and .EXE files in the current directory and infects them (4 at a time). 2) It then outputs to the screen: "Program too big to fit in memory." Damage: Overwrite the original files, so the length of the files won't increase. Detecting Method: 1) Check whether the message: "Program too big to fit in memory" occurs on the screen. Note: 1) Doesn't stay resident in memory. 2) LEP-562 doesn't hook INT 24h when infecting files. Error message occurs if there is an I/O error (such as write protect).
Virus Name: Les Virus Type: File Infector Virus (infects .EXE files) Virus Length: 358 Bytes
PC Vectors Hooked: None Executing Procedure: 1) Infects all uninfected .EXE files in the current directory. Damage: None Detecting Method: Infected files will increase by 358 Bytes.
Note: 1) Doesn't stay resident in memory. 2) LES doesn't hook INT 24h when infecting files. Error message occurs if there is an I/O error (such as write protect).
Virus Name: Ib-Demonic Virus Type: File Infector Virus (infects .COM files) Virus Length: No change PC Vectors Hooked: None Executing Procedure: 1) Infects all uninfected .COM files in the current directory. 2) When the file is executed this screen message will appear: "EXEC FAILURE" 3) It will check the system data. If it is Tuesday, then the virus will rename "C:command.com" to "command.c0m" ("c" "zero" "m"). 4) It will then show this screen message: "Error reading drive C:\ ... BillMeTuesday Damage: 1) Renames "command.com" to "command.c0m", so the disk can't start machine. 2) Overwrites original files, so the length of the files won't increase. Note: 1) Doesn't stay resident in memory. 2) IB-Demonic doesn't hook INT 24h when infecting files. Error message occurs if there is an I/O error (such as write protect).
Virus Name: LEP-FVHS Virus Type: File Infector Virus (infects .COM & .EXE files) Virus Length: NO change.
PC Vectors Hooked: None Executing Procedure: 1) Shows the message: "allocating memory..... Please wait..... Hard time accessing memory, please turn off all RAM resident programs and press>>Enter<< to continu...." 2) The virus searches for an .EXE or .COM file in the current directory. 3) It checks whether it has been infected by LEP-FVHS. If "Yes", it continues to look for an uninfected .EXE or .COM file. 4) It then infects any four .EXE & .COM files at a time in the current directory. 5) Shows the message:"Program too big to fit in memory." Damage: Overwrites original files, so the length of infected files won't increase. Note: 1) Doesn't stay resident in memory. 2) LEP-FVHS doesn't hook INT 24h when infecting files. An error message occurs if there is an I/O error (such as write protect).
Virus Name: LYCEE Virus Type: Memory Resident, File Infector Virus (infects .COM & .EXE files). Virus Length: 1788 Bytes (COM & EXE) PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h, INT 8h, INT 9h Executing Procedure: 1) Checks whether it resides in memory. If not, it hooks INT 21h, INT 8h and INT 9h, installs itself as memory resident, and then executes the host program. 2) If the virus already resides in memory, it will proceed to execute the host program directly. Infecting Procedure: 1) The virus Infects files by AH=4B in INT 21h. When an uninfected progran is executed, it will get infected. 2) Lycee will hook INT 24h before infecting files to ignore I/O errors. Damage: If you haven't pressed any key for a few minutes, a small window will appear on the screen until you press a key. Detecting Method: 1) Infected files increase by 1788 Bytes. Note: 1) The Lycee virus hooks INT 24h when infecting files. It omits I/O errors (such as write protect). Remarks: The virus does timing by INT 8h.
Virus Name: Leech Virus Type: Highest Memory Resident, File Infector Virus (infects .COM files). Virus Length: 1024 Bytes (COM) PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h Executing Procedure: 1) The virus checks if it is memory resident. If it isn't, it loads itself into memory by hooking INT 21h. 2) It then executes the original file. 3a) Once in resident memory it will infect any uninfected file that is executed. 3b) It doesn't infect .EXE files. Damage: None. Detecting Method: 1) Infected files increase by 1024 Bytes. Note: 1) The Leech virus hooks INT 24h when infecting files. It omits I/O errors (such as write protect).
Virus Name: Little_Brother Virus Type: Memory Resident, File Infector Virus (Companion Virus). Virus Length: 250 Bytes (EXE) PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h Executing Procedure: 1) The virus checks if it is memory resident. If it isn't, it loads itself into memory by hooking INT 21h. 2) It then executes the original file. 3a) Once in resident memory it will infect any uninfected file that is executed. 3b) It doesn't infect .COM files. Damage: When an uninfected file is executed, the virus will create a .COM file with the same name as the .EXE file (example: If you run "AAA.EXE", "AAA.COM" will be created by Little_Brother). Detecting Method: 1) Infected files increase by 250 Bytes. Note: 1) The Little_Brother virus hooks INT 24h when infecting files. It omits I/O errors (such as write protect).
Virus Name: Lehigh Other names: None Virus Type: Parasitic Virus (infects COMMAND.COM only) Virus Length: 555 bytes Executing Procedure: 1) The virus checks if it is memory resident. If it isn't, it loads itself into memory by hooking INT 21h. 2) It makes sure COMMAND.COM is infected, and then executes the original file. 3) Once in resident memory it will infect any uninfected file that is executed. Damage: 1) Infects the disk's .COMMAND.COM file and increases it by 555 bytes. 2) After the infection counter passes four, the current disk will be trashed.
Virus Name: Lct Virus Type: Parasitic Virus Virus Length: Infected COM files sizes increase by 599 Bytes . PC Vectors Hooked: None Executing Procedure: 1) Searches for and infects all uninfected .COM files in the current directory. Damage: 1) If the system date is Dec. 25, only the virus portion of infected files will execute. Detecting Method: 1) Detectable if the lengths of files increase by 599 Bytes. Remarks: 1) Not memory resident. 2) When infecting files, the virus does not hook INT 24h. And the error information appears when I/O errors occur.
Virus Name: Lanc Virus Type: EXE File infector Virus Length: 7376 Executing Procedure: 1) Searches for an uninfected EXE file in the current directory. 2) Then it creates a new COM file with the same file name as the original EXE file. This new COM file is the virus. Damage: None Note: 1) Does not stay in memory. 2) You will see an error message when writing because INT 24h has not been hanged. 3) This virus is written with an advanced language. Detecting Method: Check whether the file length is 7376 bytes.
Virus Name: Lv Virus Type: COM File infector Executing Procedure: 1) Checks whether it has remained resident in memory. If not, it will reside in high memory. 2) Then it hooks INT 21h, and infects COMMAND.COM. 3) It then returns to the original routine. Vectors hooked: 1) Hooks INT 21H (AH=4Bh) to infect files. 2) First, it will hang INT 24h to prevent divulging its trace when writing. If the program to be executed is an uninfected COM file, the virus proceeds to infect it. Damage: It will overwrite original files with virus code. Original files are destroyed.
Virus Name: Lip-286 Virus Type: COM File infector Virus Length: 286 bytes Executing Procedure: 1) Searches for an uninfected COM file in the current directory and infects it. 2) It can infect two or three files at a time. Damage: 1) There is a counter in the virus procedure (Every infected file has a different flag). The counter decreases by 1 every time the virus infects a file. When the counter is equal to zero, it will destroy all data on the hard disk. Note: 1) Does not stay in memory. 2) You will see an error message when writing because INT 24h has not been hanged. Detecting Method: Infected file sizes increase by 286 bytes.
Virus Name: L1 Virus Type: COM File infector Virus Length: 140 bytes Executing Procedure: 1) Checks whether it has stayed resident in memory. If not, it will stay resident in high memory. 2) Then it hooks INT 21h and goes back to the original routine. Vectors hooked: 1) Hooks INT 21H(AH=4Bh) to infect files. 2) If the program to be executed is an uninfected COM file, the virus proceeds to infect it. Damage: None Note: You will see an error message when writing because INT 24h has not been hanged. Detecting Method: Infected file sizes increase by 140 bytes.
Virus Name: Leper Virus Type: COM & EXE File infector Executing Procedure: 1) Searches for uninfected COM files in the current directory and infects them (Infects four files at a time). Damage: It will overwrite original files with virus code. Original files are destroyed. Note: 1) It does not stay resident in memory. 2) You will see an error message when writing because INT 24h has not been hanged.
Virus Name: Lz2 Virus Type: EXE File infector Virus Length: 3000-8000 bytes Executing Procedure: 1) Searches for an uninfected COM file in the current directory and infects it (Infects only one file at a time). 2) It does this by creating a new COM file with the same name as the EXE file. This new COM file is the virus. Its length is 3000-8000 bytes. Damage: None Note: 1) It does not stay resident in memory. 2) You will see an error message when writing because INT 24h has not been hanged. 3) The procedure at the beginning of virus is encrypted in LZEXE mode. PCSCAN cannot scan this virus.
Virus Name: Los-693 Virus Type: COM File infector Virus Length: 693 bytes Executing Procedure: 1) Checks whether it has stayed resident in memory. If not, it will stay resident in high memory. 2) Then it hooks INT 21h and goes back to the original routine. Vectors hooked: 1) Hooks INT 21H (AH=4Bh) to infect files. 2) First, it will hang INT 24h to prevent divulging its trace when writing. 3) If the program to be executed is an uninfected COM file, the virus proceeds to infect it. Damage: 1) The virus has a flag (Initial value is zero). The value will increase by 1 every time the virus infects a file. 2) When the value of the flag is larger than 223, it will hook INT 08h. A minute later, characters on the screen fall down. Then, the virus halts system. Detecting Method: Infected file sizes increase by 693 bytes.
Virus Name: Little Virus Type: COM File infector Virus Length: 665 bytes Executing Procedure: 1) Searches for an uninfected COM file in the current directory, then infects it (It infects only one file at a time). Damage: None Note: 1) It does not stay resident in memory. 2) You will see an error message when writing because INT 24h has not been hanged. Detecting Method: Infected file sizes increase by 665 bytes.
Virus Name: Lpt-Off Virus Type: COM File infector Virus Length: 256 bytes Executing Procedure: 1) Checks whether it has stayed resident in memory. If not, it will stay resident in high memory. 2) Then it hooks INT 21h and goes back to the original routine. Vectors hooked: 1) Hooks INT 21H(AH=4Bh) to infect files. 2) If the program to be executed is an uninfected COM file, the virus proceeds to infect it. Damage: None Note: You will see an error message when writing because INT 24h has not been hanged. Detecting Method: Infected file sizes increase by 256 bytes.
Virus Name: L-933 Virus Type: COM File infector Virus Length: 933-950 bytes Executing Procedure: 1) Searches for an uninfected COM file in the current directory and infects it (Infects only one file at a time). 2) If the system date is March 8, the virus destroys all data on the hard disk. 2) If it is September 1, the virus deletes itself. Damage: The virus will sometimes destroy all data on the hard disk. Note: 1) It does not stay resident in memory. 2) You will see an error message when writing because INT 24h has not been hanged. Detecting Method: Infected file sizes increase by 933-950 bytes.
Virus Name: Love-Child-2710 Virus Type: COM File infector Virus Length: 2710 bytes Executing Procedure: 1) Checks whether current date is one of the following dates: November 5, February 22, June 23, August 24, or October 6, or that the system is not DOS 3.3. 2) If any of these conditions are met, it destroys the Partition and parts of the FAT. 3) If conditions are not met, virus checks whether it has stayed resident in memory. If not, it will stay resident in high memory. Then it hooks INT 13h and goes back to original routine. Vectors hooked: 1) Hooks INT 13H to infect files. 2) First, it will hang INT 24h to prevent divulging its trace when writing. 3) If the program to be executed is an uninfected COM file, the virus proceeds to infect it. Damage: Sometimes destroys the Partition and parts of the FAT. Detecting Method: Infected file sizes increase by 2710 bytes.
Virus Type: File Virus
Virus Length: 1465 bytes
Virus Infect Type: n/a
Trigger Condition: Year < 1994, Date = Sept. 9, Dec. 26
Virus Re-infect: n/a
Virus Memory Type: High Memory Resident
Place of Origin:
Int Vector Hooked: INT 1C,21,24
Infection Procedure:
The virus first decrypts a part of its code and then executes it which turns out to be a "Get DOS Version" function. The virus uses this function because it directly controls DOS' resources. Then it encrypts this part again. Then it modifies Allocated Memory and it allocates 2048 bytes in the High memory Area. It is now ready to transfer the virus code into the High Memory Area with a size of 1465 bytes. In the high memory area, the virus hooks INT 1C, 21 and 24. After doing this, the virus opens the file being executed at that time and checks if it is a .COM file; if it is, then it checks if it is already infected; if not, then it will try to infect it. After that procedure, it will change the attribute of the file "C:\COMMAND.COM" from "read-only" and "system" to "archive".
Virus Type : File Virus
Other Name :
Virus Length :
Place of Origin :
Virus Memory Type : High Memory type
Int. Vectors Hooked : Int 21
Loads itself from 11B0:0110 to 9DEE:0110h, with 2858 bytes. Then it encrypts the data from 11B0:[0115] with CX value = 3Ch. In this, "LIBERTY" can be found but after encrypting it the data in that address will become "Me BC.". The virus then encrypts the message again from 11B0:0113h to 114C:0100h and produces :
"- M Y S T I C - COPYRIGHT (c) 1989-2000, by SsAsMsUsEsL"
After it is loaded in the high memory, it waits for an EXE or COM file to be executed to infect it.
Virus Type: Polymorphic, File Type
Virus Length: 1,224-1,253 bytes
Virus Infect Type: .EXE files
Virus Memory Type: Non-memory resident
Int Vector Hooked: INT 24H
The virus only infects .EXE files. It increases an infected file's size by 1,224-1,253 bytes. The virus infects the host file by attaching itself at the end of the file. As a polymorphic virus, it first decrypts its program using XOR 1410H to each encrypted word. Then it hooks to INT 24H to disable the disk write error display when it is infecting its host file. Then it checks the current disk directory and searches for .EXE files. After finding a file it changes its attribute to archive. Then it checks for the current time. If it is between 7th-60th minute of an hour, and between 30th-60th second of a minute, then the virus will just close the file and not infect. Any time beyond that, the virus will infect every .EXE file in all the subdirectories of the current drive. The virus is not memory resident. It will be only activated upon loading and executing an infected file. It will be noticeable when the virus infects .EXE files in the current drive because it takes a long time, depending on the number of .EXE files in the current drive, to load a file.
Damage:
It slows down the loading of executable files.
Symptom:
Increases the host's file size by 1,224-1,253 bytes. Very slow loading of executable files.
Virus Memory Type : Non resident type
Encrypts data from 114C:[SI+BP],XOR to 49h producing a message that reads:
"TBDRV SP" "The Rise and Fall of ThunderByte-1994-Australia" "You will Never Trust Anti-Virus Software Again!!" "[LEMMING] ver .99" "TBAVTBSCANNAVVSAFEFPROT" "COMcomEXEexe"
Then it gets the dos variable and it points to
"[LEMMING] ver .99"
When the virus is loaded and a user tries to execute some EXE and/or COM files, a write-protect error will appear when the disk is write protected.