VCL9

Virus Name: Vcl9

Virus Type: File Infector Virus (infects .EXE & .COM files)

Virus Length: No change

PC Vectors Hooked: None

Executing Procedure:
1) Searches for .COM or .EXE files in the current directory.
2) It checks whether the first file found has been infected by VCL9. If it has, it continues looking for any uninfected .COM or .EXE file.
3) It then infects only two files at a time.

Damage: Overwrites original files. The length of infected files won't increase.

Note:
1) Doesn't stay resident in memory.
2) VCL9 doesn't hook INT 24h when infecting files. Error message occurs if there is an I/O error (such as write protect).


V-Sign

Virus Name: V-sign

Alias Name: Cansu, Sigalet, Sigalit

Virus Type: Boot Virus

Virus Length: N/A

Description: This virus infects floppy boot sectors.

Interrupt vectors hooked: INT 13h.

Infection method:
1) When an infected disk is booted, the virus loads itself in memory.
2) While loaded, it infects any accessed disk.

Detecting method:
1) The DOS CHKDSK program will show a "total bytes memory" decrease of 2 KB.

Damage: After infecting 64 disks, the virus displays a large V and hangs the machine.


V2P6

Virus Name: V2P6

Alias Name:

Virus Type: File Virus

Virus Length: 1,946 to 2,111 bytes

Description: This virus infectes *.COM files.

When an infected file is executed, the virus will infect the first *.COM file in the same directory that is not already infected. Infected files will experience a file length increase of 1,946 to 2,111 bytes in length with the virus being located at the end of the file.


VCL-2-B

Virus Name: Vcl-2-B

Virus Type: File Infector Virus (infects .COM files)

Virus Length: 663 Bytes(COM)

PC Vectors Hooked: None

Executing Procedure:
1) Searches for a .COM file in the current directory.
2) Once it locates a file it checks whether it has been infected by VCL-2. If it has, it continues to look for any uninfected .COM file.
3) It will infect only two files at a time.

Damage: None

Detecting Method:
1)Infected files will increase by 663 Bytes.

Note:
1) Doesn't stay resident in memory.
2) VCL-2 doesn't hook INT 24h when infecting files. Error message occurs if there is an I/O error (such as write protect).


VDV-853

Virus Name: Vdv-853

Virus Type: File Infector Virus (infects .COM files)

Virus Length: 853 Bytes(COM)

PC Vectors Hooked: None

Executing Procedure:
1) Checks whether system date is between the 24th and 26th of December. If it is, the virus will delete all files in the current directory, then create a file with 273 bytes and show the message:"Frhliche Weihnachten wnscht der Verband Deutscher Virenliebhaber Ach ja, und dann wnschen wir auch noch viel Spab beim Suchen nach den Daten von der Festplatte! Hello - Copyright S&S International, 1990".
2a) If it isn't, then it will search for a .COM file in the current directory.
2b) Once it locates a file, it checks whether it has been infected by VDV-853. If it has, continue to look for an uninfected .COM file.
2c) It will infect only four files at a time.

Damage:
1) If the system date is between the 24th and 26th of the December, the virus will delete all files in current directory.

Detecting Method:
1)Infected files will increase by 853 Bytes.

Note:
1) Doesn't stay resident in memory.
2) VDV-853 doesn't hook INT 24h when infecting files. Error message occurs if there is an I/O error (such as write protect).
3) Virus pattern is the same as "SON_OF_VSC_2."


Virus 9

Virus Name: Virus9

Virus Type: File Infector Virus (infects .COM files)

Virus Length: 256 Bytes(COM)

PC Vectors Hooked: None

Executing Procedure:
1) Searches for a .COM file in the current directory.
2) It infects all uninfected files until all files in the current and the "mother" directory have been infected.

Damage: None

Detecting Method: Infected files will increase by 256 Bytes.

Note:
1) Doesn't stay resident in memory.
2) Virus9 doesn't hook INT 24h when infecting files. Error message occurs if there is an I/O error (such as write protect). 3) Infected files will not be further damaged or infected.


Vienna 11

Virus Name: VIENNA-11

Virus Type: File Infector Virus (infects .COM files)

Virus Length: 943 Bytes(COM)

PC Vectors Hooked: None

Executing Procedure:
1) Checks whether the system's clock seconds are equal to SECOND=.0004, If "yes," then the following message will appear on the screen: "Sorry this computer is no longer operational due to an outbreak of Bush is hero, Have a Nice day. . . "
2) Next it will check as to whether the time is equal to TIME = 7:45 on March 24th. If "yes," then the following message will appear on the screen:"VIPERizer, Strain B (c) 1992, Stin gray/VIPER Happy Valentines Day !" It then destroys all the data on all of the disks ( including the hard disk).
3) If "no," it searches for a .COM file in the current directory.
4) Checks whether it has been infected by Vienna-11. If "yes," it continues to look for an uninfected .COM file.
5) Then it infects only one file at a time. Afterwards, it executes the original file.

Damage: Destroys all of the data on all of the disks.

Detecting Method: Infected files will increase by 943 Bytes.

Note:
1) Doesn't stay resident in memory.
2) Vienna-11 doesn't hook INT 24h when infecting files. An error message occurs if there is an I/O error (such as write protect).


Voronezh-2

Virus Name: VORONEZH-2

Virus Type: Highest Memory Resident, File Infector Virus (infects .COM & .EXE files).

Virus Length: 1600 Bytes (COM & EXE)

PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h

Infecting Procedure:
1) The virus checks whether it is already loaded resident in memory. If not, it then loads itself into resident memory by hooking INT 21h.
2) It then executes the original file.
3) With itself loaded into resident memory it will infect any uninfected file that is executed.

Damage: None.

Detecting Method: Infected files increase by 1600 Bytes.

Note: The Voronezh-2 virus hooks INT 24h when infecting files. It omits I/O errors (such as write protect).


Vacsina-V16h

Virus Name: Vacsina V16h

Other names: Virus 1339

Virus Type: Parasitic Virus, RAM resident

Virus Length: Approx. 1339 bytes

Executing Procedure:
1) The virus checks whether it is already loaded resident in memory. If not, it then loads itself into resident memory by hooking INT 21h.
2) It then executes the original file.
3) With itself loaded into resident memory, it will infect any uninfected file that is executed.

Damage: The virus modifies the Ping-Pong virus in memory. The virus changes two bytes, jumps, and adds one subroutine. It is interesting that the Ping-Pong virus is ready to change in this way. After 255 reboots, the infected disk is deactivated in memory returning original interrupt vector to 13h with the value of 0:413h. The virus proceeds to play the "Yankee Doodle" song.

Note: Loads itself resident in memory. An error message occurs if there is an I/O error (such as write protect).


VVF34

Virus Name: VVF34

Other names: None

Virus Type: File Infector Virus

Virus Length:.EXE 1614-1624 bytes and .COM 1614 bytes.

Executing Procedure:
1) The virus checks whether it is already loaded resident in memory. If not, it then loads itself into resident memory by hooking INT 21h.
2) It then executes the original file.
3) With itself loaded into resident memory, it will infect any uninfected file that is executed.

Damage: The virus hooks 1Ch. After the virus has resided in memory for 5 minutes and 15 files have been infected, the virus will proceed to draw a portrait in the center of the screen. The virus will also hook the interrupt 9h (keyboard interrupt). The virus will then display the following message when the user presses any key: "Bu, Bu, Bu..."

Detecting Method: Increases infected file size by 1614/1624 bytes

Note: Loads itself resident in memory. An error message occurs if there is an I/O error (such as write protect).


Violator

Virus Name: Violator

Other names: Violator Strain B, Violator BT

Virus Type: File Infector Virus

Virus Length: .COM 1055 bytes

Executing Procedure:
1) The virus checks whether it is already loaded resident in memory. If not, it then loads itself into resident memory by hooking INT 21h.
2) It then executes the original file.
3a) With itself loaded into resident memory it will infect any uninfected file that is executed.
3b) It doesn't infect .EXE files.

Damage:
1) Infected .COM files increase by 1055 bytes.
2) If the system date is after Aug 15, 1990, virus will format the first cylinder of current drive.

Note:
1) Loads itself resident in memory. An error message occurs if there is an I/O error (such as write protect).


Virus-90

Virus Name: Virus-90

Other names: None

Virus Type: File Infector Virus

Virus Length: .COM 857 bytes

Executing Procedure:
1) The virus checks whether it is already loaded resident in memory. If not, it then loads itself into resident memory by hooking INT 21h.
2) It then executes the original file.
3a) With itself loaded into resident memory it will infect any uninfected file that is executed.
3b) It doesn't infect .EXE files.

Damage: Infected .COM files increase by 857 bytes.

Detecting Method Virus displays: "Infected" when a file is infected.

Note:
1) Loads itself resident in memory. An error message occurs if there is an I/O error (such as write protect).


Vienna

Virus Name: Vienna

Other Names: 648, PC Boot, Austrian virus

Virus Type: Parasitic Virus

Virus Length: 648 bytes

Symptoms: Increases infected file sizes by 648 bytes and files containing string "*.COM" and "PATH=". Destroyed programs will cause the computer to reboot while in operation.

Damage: With a 1 in 7 chance, the virus will not infect other files. The virus writes the instruction JMP F000:FFF0 (computer reboot) at the start of such a program. Original content is destroyed, length of file is not changed, and destroyed programs contain a virus flag.


V2000

Virus Name: V2000

Other Names: 21 century virus

Virus Type: Parasitic Virus

Virus Length: 2000 bytes

Symptoms:
1) Increases infected .COM and .EXE file sizes by 2000 bytes.
2) Decreases size of free RAM memory by 4KB.
3) Infected files contain the following strings: "(C) 1989 by Vesselin Bontchev".

Damage: No damage.


VCL-2

Virus Name: Vcl-2

Virus Type: Parasitic Virus.

Virus Length: Infected COM file sizes increase by 663 bytes (Does not infect EXE files).

PC Vectors Hooked: None

Executing Procedure:
1) Searches for a COM file in the current directory.
2) Checks if the file is infected. If it is, continues to search.
3) If an uninfected file is found, it proceeds to infect it (infects only two files each time).

Damage: None.

Detecting Method: Detectable if the files increase by 663 bytes

Note:
1) Not memory resident.
2) When infecting files, the virus does not hook INT 24h. Error message will appear when I/O errors occur.


V-66

Virus Name: V-66

Virus Type: File infector (*.*)

Virus Length: 66 bytes

Executing Procedure:
1) Infects all files on current directory.
2) Method: changes all files' attributes, making them writable.
3) Proceeds to overwrite first 66 bytes of each file with virus code.

Damage: It will overwrite original files with virus code. Original files are destroyed.

Detecting Method: Date and time of infected files changed.


VCL-408

Virus Name: Vcl408

Virus Type: Overwrites, EXE & COM File infector

Virus Length: 408 bytes

Executing Procedure:
1) Searches for one uninfected COM or EXE file on each directory and infects it.
2) Virus records whether initial infection is successful or not. Subsequent record will overwrite original. Last record is record of last infection. Virus checks this record before terminating. If record fails, virus halts system.

Damage:
1) Files destroyed after becoming infected.
2) Halts system on occasion.

Note:
1) Date and time of infected files do not change.
2) Length of infected files does not change unless the length of original files is less than 408. If so, the length of infected files becomes 408 bytes.


V-550

Virus Name: V-550

Virus Type: Memory Resident, EXE File infector

Virus Length: 550 bytes

Executing Procedure:
1) Checks whether it has not stayed resident in memory, and whether the block of memory of the current program during execution is the last MCB.
2) If so, it will move itself to high memory, then hook INT21h and go back to the original routine.

Vectors hooked:
1)Hook INT 21 to check whether it has stayed resident in memory.
2)Hook INT 21 to check whether the program to be executed is an uninfected EXE file. If it is, infect it.

Damage: None

Detecting Method:
1)Date and time of infected files changed.
2)Infected files will increase by about 550 bytes.
3)The total memory decreased 39 pares after virus has stayed resident in memory.


Version

Virus Name: Version

Virus Type: Memory resident, COM File infector

Virus Length: 708 bytes

Executing Procedure:
1) First, It will decode its first 3 bytes.
2) Then it will check whether it has stayed resident in memory. If it has, it will go back to the original routine directly. Otherwise, it will stay resident in high memory, then hook INT21h and go back to the original routine.

Vectors hooked:
1)Hook INT 21h(AH=30h) to make the result of getting DOS Version is not right.
2)Hook INT 21h(AX=4203h) to verify that memory has been infected by returning AX=6969h.
3)Hook INT 21h(AX=4B00h)to infect COM files.

Damage: The call of getting DOS Version could not run correctly.

Note: This virus can not run correctly. That means it is just a half finished product.

Detecting Method:
1)Date and time of infected files changed.
2)Infected files will increase by 705 bytes.


Versikee-1326

Virus Name: Versikee-1326

Virus Type: EXE File infector

Virus Length: 1326 bytes

Executing Procedure:
1) Searches for an uninfected EXE file and infects it (It infects only one file once a time). It searches the root directory and all of its subdirectories.  
2) If there is an infectable file, it will check system time. If the current second is a multiple of 8, it destroys the first 5 bytes of the file. Otherwise, it infects it.
3) At last, it goes back to the original routine.

Damage: Sometimes the first 5 bytes of files are destroyed.

Note: Date and time of infected files do not change.

Detecting Method: Length of infected files would increase. The algorithm is: First, add original length to let it became a multiple of 16, and then increase it by 1326 bytes.


Vengence-A

Virus Name: Vengence-A

Other Name: Vengence-194

Virus Type: *.C* File infector

Virus Length: 194 bytes

Executing Procedure: It will infect all *.C* files on current directory. The method of infection is: Overwrite files's first 194 bytes by virus code. So if the original file is less than 194 bytes, it will be 194 bytes after being infected. Otherwise, size of file does not change.

Damage: It will overwrite first 194 bytes of original files by virus code. So original files are destroyed.

Detecting Method:
1)Date and time of infected files changed.
2)There is text at the end of infected files. The text is:
"Vengence-A virus. Lastest release from Swedish Virus Association. Released: 7th of May 1992. Happy hacking and greetings to all Virus writers..."


Vengence-B

Virus Name: Vengence-B

Other Name: Vengence-252

Virus Type: *.C* (Mainly COM) File infector

Virus Length: 252 bytes

Executing Procedure: It will infect first *.C* file on current directory. The method of infection is: Overwrite file's first 252 bytes by virus code. So if original file is less than 252 bytes, it will be 252 bytes after been infected. Otherwise, size of it does not change.

Damage: It will overwrite first 252 bytes of original files by virus code. So original files are destroyed.

Note: Date and time of infected files do not change.

Detecting Method: There text at the end of infected files. The text is:
"Vengence-B virus. Lastest release from Swedish Virus Association. Released: 8th of May 1992. Satan will come and rule his world and his people!"


Vengence-C

Virus Name: Vengence-C

Other Name: Vengence-390

Virus Type: *.C* (Mainly COM) File infector

Virus Length: 390 bytes

Executing Procedure: It will infect first *.C* file on current directory. The method of infection is: Overwrite file's first 390 bytes by virus code. So if original file is less than 390 bytes, it will be 390 bytes after been infected. Otherwise, size of it does not change.

Damage: It will overwrite first 390 bytes of original files by virus code. So the original files are destroyed.

Note:
1)Date and time of infected files do not change.
2)When the virus is executed, it will check if there is virus scanning software like F-LOCK, F-POPUP, F-FCHK, F-DLOCK, ThunderByte, TBSCANX. If any of these softwares is found, stop executing.

Detecting Method: There is text at the end of infected files. The text is:
"Vengence-C virus. Lastest release from Swedish Virus Association. Released: 8th of May 1992. Satan will come and rule his world and his people!"


Vengence-D

Virus Name: Vengence-D

Other Name: Vengence-435

Virus Type: *.C* (Mainly COM) File infector

Virus Length: 435 bytes

Executing Procedure: First, it will check whether current time is 12:00(AM). if it is, display a message and then increase system time by an hour. The message is:
"Vengence-D virus. Lastest release from Swedish Virus Association. Released: 8th of May 1992. Satan will come and rule his world and his people!"
Then it will infect first *.C* file on current directory. The method of infection is: Overwrite file's first 435 bytes by virus code. So if original file is less than 435 bytes, it will be 435 bytes after been infected. Otherwise, size of it does not change.

Damage: It will overwrite first 435 bytes of original files by virus code. So original files are destroyed.

Note:
1)Date and time of infected files do not change.
2)When the virus is executed, it will check whether there is virus scanning software like F-LOCK, F-POPUP, F-FCHK, F-DLOCK, ThunderByte, TBSCANX . If any of these is found, it will stop executing.

Detecting Method: The text listed above is at the end of infected files.


Vengence-F

Virus Name: Vengence-F

Other Name: Vengence-656

Virus Type: *.C* (Mainly COM) File infector

Virus Length: 656 bytes

Executing Procedure: First, it will check whether current time is 12:00(AM). if it is, display a message and then increase system time by an hour. The message is:
"Vengence-F virus. Debugging session unlimited."
Then it will infect the first *.C* file on the current directory and all its parent directories. The method of infection is: Move first 656 bytes of original file to the end, then write virus code into first 656 bytes. Then attach "SVC" to the end of it.

Damage: Infected programs cannot be executed.

Note:
1)Date and time of infected files do not change.
2)When the virus is executed, it will check :
(1)whether it is being traced by Debug. If it is, halt system.
(2)whether there is virus scanning software like F-LOCK, F-POPUP, F-FCHK, F-DLOCK, ThunderByte, TBSCANX. If any of these softwares is found, stop executing.

Detecting Method:
1)The text listed above is at the back of infected files.
2) There is a message at the back of infected files. The message is "SVC".
3)Infected files will increase by 656 bytes.

Cleaning Method: First, omit first 656 bytes from infected files, then omit "SVC" from the end.  If length of current file is larger than 656 bytes, move latest 656 bytes to the beginning.


V-500

Virus Name: V500

Virus Type: Memory Resident(OS), COM File infector

Virus Length: 500 bytes

Executing Procedure: Virus checks whether the DOS Version is 3.3. If not, goes back to original routine directly. Otherwise, it will stay resident in memory (OS area). Then, when an interrupt among INT 00h to INT 0CH is called, the system will call INT 86h automatically to infect COM files executed (Length must be between 200h bytes and F600h) and goes back to the original routine. A file can be infected many times. The method of infection is: First, move first 500 bytes of original file to the end. Then write virus code into first 500 bytes of the file.

Vectors hooked:
1) Hook INT 21H(AH=4Bh) to infect files.
2) It will check whether the program to be executed is a COM file. If it is, the virus proceeds to infect it.

Damage: None

Note: Date and time of infected files do not change.

Detecting Method: Infected file sizes increase by 500 bytes.


Variety

Virus Name: Variety

Virus Type: COM File infector

Virus Length: 625 bytes

Executing Procedure:
1) The virus decodes first.
2) Then it infects a COM file on the current directory (It only infects one file at a time).
3) The method of infection is: Encode the virus code, then attach it to the end of the original file.

Damage: None

Note:
1) If DOS Version is not above 2.0, it will not infect any files.
2) Time and date of infected files do not change.

Detecting Method: Infected file sizes increase by 625 bytes.


V-388

Virus Name: V-388

Virus Type: COM File infector

Virus Length: 394 bytes

Executing Procedure:
1) Checks whether it has stayed resident in memory. If not, it will stay resident in high memory.
2) Then it hooks INT 21h and goes back to original routine.

Vectors hooked:
1) Hooks INT 21H(AH=4Bh) to infect files.
2) First, it will hang INT 24h to prevent divulging its trace when writing. If the program to be executed is an uninfected COM file, and this program ends with INT 21(AH=4Ch), the virus proceeds to infect it.

Damage: None

Detecting Method: Infected file sizes increase by 394 bytes.


Vinchuca

Virus Type: File Type Virus

Virus Length: Encrypted code size is 912 bytes

Virus Memory Type: High Memory

INT Vectors Hooked: Int 21, Int 27

Place of Origin:

Infection Procedure:

Loads itself to high memory. Loads approximately 1328 bytes in memory. Infects *.COM files. Copies virus code to host program. Code size added is 912 bytes. Loads the virus first before running the host program. While in memory, COM files opened will be infected. Virus code is transferred to the allocated memory space using Int 21 (4A). Executes actual virus code immediately upon meeting the requirements. The virus is TSR, using Int 27. Basically, the virus reacts by transferring its code to high memory before actually attaching it to the code itself.

Symptom:

May display:

"Saludos para Satanic Brain y Patoruzi"
"Virus Vinchaca v.1,0 1993"
"Creado por Murdock."
"Buenos Aires, Argentina"
"Su PC tiene mal chagas....jajaja...."

which appears in the virus code.

Detection method:

Decrypt virus code before detection. Look for the above strings.

Note:

The virus code contains Int 13 (16) which tests for the disk change information.

 


V-BCIV-1

Other Name: VIENREBO

Virus Type: File Type Virus

Virus Length: Approximately 648 bytes

Virus Re-infect: Does not re-infect, infected file size is consistent. If the file is already corrupted it skips, and looks for another COM file.

Virus Memory Type: Non Resident, Direct Infector

INT Vectors Hooked: Int 21

Place of Origin:

Infection Procedure:

Directly infects *.COM files if source virus file is executed. Copies virus code to host program. Adding approximately 648 bytes. Loads the virus first before running the host program.

The virus first task is to get and set DTA for transfer purposes. The virus then searches for *.COM files within the directory using Int 21 (4E & 4F). If the search is successful, the virus gets the file's attribute using Int 21 (43). It changes its attribute to enable itself to write on it, (especially for the COMMAND.COM). It takes note of the file time and date using Int 21 (51) so that when it accomplishes its task of altering the code, it can save it using the original file time and date. This therefore deceives the user that the file was never been changed.

Every time an infected file is executed, one COM file is infected within the same directory.

Damage:

Increase in file size. Adds approximately 648 bytes. Corrupts COMMAND.COM, making it unusable. Other COM files run normally.

Symptom:

Delay in program execution due to virus activity.

 


VLamiX

Virus Type: File Type Virus

Virus Length: Approximately 1062 bytes

Virus Memory Type: High Memory

INT Vectors Hooked: Int 21, Int 10

Place of Origin:

Infection Procedure:

Loads itself to high memory. Loads approximately 1,136 bytes in memory. Infects *.EXE files. Copies virus code to host program, adding approximately 1091-1106 bytes. Loads the virus first before running the host program. While in memory, EXE files opened will be infected.

Virus code is decrypted. The virus reacts ordinarily by allocating space in memory before infecting files. Nothing extraordinary happens. It just attaches its code to the host program.

Symptom:

May display:

"Smartc*.cps chklist*"
"-=* Die-lamer *=-"
"chklist ???"
"chklist.cps"
"Vlamix-1"

which appears in the decrypted code.

Detection method:

Decrypt virus code before detection. Look for the above strings.

 


Vacsina_2

Other Name: VACSINA

Place of Origin:

Virus Type: File Type Virus

Virus Length:

Virus Re-infect: Does not reinfect

Virus Memory Type: MCB Type

INT Vectors Hooked: Int 21

Infection Procedure:

Loads itself to high memory. Loads 1216 bytes in memory. Infects *.COM and *.EXE files. Copies virus code to host program. Loads first the virus before running the host program. While in memory, files opened will be infected.

Virus tries to create a new segment address for it to run its code. This one is used primarily to switch between the host program and the virus itself. Using Int 21, Function 50. What it does basically is to tell the operating system that the TSR code is the primary process rather than the interrupted process of the program. This creates an initial execution rather than executing the original code first. In this way, the virus is able to run, then it can copy itself to the host using Int 21, functions 35 and 25. The copying process is finalized when the virus code sets the DTA. In this effect the virus can stick to the host program and run in the future.

 


Vampiro.A

Virus Type: File Type Virus

Virus Length:

Virus Memory Type: High Memory

INT Vectors Hooked: Int 21

Place of Origin:

Infection method:

Gets system date and time. It executes virus code if the current month is earlier than June, or the time is earlier than 10 pm. If so, it runs the virus directly.

Damage:

The virus infects files in the subdirectory. If trigger date and time are not satisfied, it displays:

"Zarathustra & Drako les comunican que llego la hora de ir a
dormir. Shh! Vampiro Virus."

Notes:

Non-resident virus. Does not use memory allocation. Runs directly. Virus infects *.COM files not in the root directory. It opens and searches sub-directories where it looks for *.COM files to infect. It attaches itself to the host program.

Symptom:

Some word strings can be found in the code:

"Zarathustra & Drako les comunican que llego la hora de ir a dormir. Shh!
Vampiro Virus."
"Command.com all xray, memory allocation error."
"Cannot uninstall xray, it has not been installed."
"???????????"