X-1-B

Virus Name: X-1-B

Virus Type: File Infector Virus (infects .EXE files)

Virus Length: 555 Bytes(EXE)

PC Vectors Hooked: None

Executing Procedure:
1) If it is March 5, it displays the message: "ICE-9 Present In Association with.. The ARcV [X-1] Michelangelo activates. . --", then the system halts.
2) Otherwise, it searches for and infects one uninfected .EXE file in the current directory.
3) Then it executes the original file.

Detecting Method: Infected files will increase by 555 Bytes.

Note:
1) Doesn't stay resident in memory.
2) X-1 doesn't hook INT 24h when infecting files. An error message occurs if there is an I/O error (such as write protect).


XPEH

Virus Name: XPEH

Alias Name: 4-B, Yankee Doodle.XPEH.4928, Micropox

Virus Type: File Virus

Virus Length: 4,016 bytes

Description: This virus infects *.COM and *.EXE files.

Interrupt vectors hooked: INT 1Ch, INT 21h.

Infection method:
1) When an infected file runs, the virus loads itself in memory.
2) While loaded, it infects any accessed, executable files.
3) The DOS CHKDSK program will show a "total bytes memory" decrease of 4032 bytes.
4) Infected files increase by 4016 bytes.

Damage: Under analysis.


XQR

Virus Name: XQR

Virus Type: Partition table Infector and File Infector Virus.

Virus Length: Not Applicable

PC Vectors Hooked: INT 21h, INT 24h, INT 13h, INT 8h.

Executing Procedure:
1) The Virus decreases the total system memory by 4K Bytes when the system is booted from an infected disk.
2) The virus loads itself into the last 4K Bytes of resident memory.
3) It then hooks INT 13h.
4) When the computer is turned on normally and the system date is May 4th, this will appear on the screen: " XQR: Wherever, I love you Forever and ever! The beautiful memory for ours in that summer time has been recorded in Computer history . Bon voyage, My dear XQR! "
5) It continues to infect any executed program.

Damage: When it is Sunday, the virus will change the setting of the keyboard.

Detecting Method:
1) Check if the keyboard is normal.
2)When system start from hard disk, the virus will hook INT 21h by INT 13h.
3) If somebody tries to read sector #1, the virus shows the original values.
4) When somebody tries to overwrite "XQR" in the hard disk, it omits the calling.
5) When INT 21h is called, it hooks it again.

Note: XQR hooks INT 24h when infecting files. It omits I/O errors (such as write protect).


XQR-B

Virus Name: XQR-B

Virus Type: File Infector Virus (infects .COM & .EXE files) and Partition Table Infector

Virus Length: No change.

PC Vectors Hooked: INT 21h, INT 24h, INT 13h , INT 8h.

Executing Procedure:
1) When you execute the infected file, it will infect sector #1
2) It then checks whether it has loaded itself resident in memory. If  not, it loads itself resident in memory by hooking INT 21h, INT 8h and INT 13h,.
3) If the system date is May 4th, then this message appears on the screen:" XQR: Wherever, I love you Forever and ever! The beautiful memory for ours in that summer time has been recorded in Computer history . Bon voyage, My dear XQR! " 5) It then infects every uninfected file that is executed.

Damage: When it is Sunday, the virus will change the setting of the keyboard.

Detecting Method: Check whether the keyboard is normal.

Note:
1) XQR hooks INT 24h when infecting files. It omits I/O errors (such as write protect).


X-3B

Virus Name: X-3b

Virus Type: COM & EXE File infector

Virus Length: 1060 bytes

Executing Procedure:
1) Checks whether it has stayed resident in memory. If not, it will stay resident in high memory.
2) Then it hooks INT 21h and goes back to the original routine.

Vectors hooked:
1) Hooks INT 21H(AH=4Bh) to infect files.
2) If the program to be executed is an uninfected COM or EXE file, the virus proceeds to infect it.

Damage: None

Detecting Method: Infected file sizes increase by 1060 bytes.


Xoana

Virus Name: Xoana

Virus Type: EXE File infector

Virus Length: 1670 bytes

Executing Procedure:
1) Checks whether it has stayed resident in memory. If not, it will stay resident in high memory.
2) Then it hooks INT 21h and goes back to the original routine.

Vectors hooked:
1) Hooks INT 21H(AH=4Bh) to infect files.
2) If the program to be executed is an uninfected EXE file, the virus proceeds to infect it.

Damage: None

Note: You will see an error message when writing because INT 24h has not been hanged.

Detecting Method: Infected file sizes increase by 1670 bytes.


Xpeh.4928

Other Name: YANKXPEH

Virus Type: File Type Virus

Virus Length: Approximately, 4768 bytes.

INT Vectors Hooked: Int 21

Place of Origin:

Run Directly: Loads virus code to high memory.

Infection Procedure:

Loads itself to high memory. Allocates 4944 bytes in memory. Moves 4768 bytes to memory. Infects *.COM and *.EXE files. Copies virus code to host program. Loads the virus first before running the host program.

 


Xuxa.1984.C

Other Name: XUXA1984

Virus Type: File Type Virus

Virus Length: Approximately 1984 bytes

Virus Memory Type: High Memory

INT Vectors Hooked: Int 21

Place of Origin:

Infection Procedure:

Loads itself to high memory, allocating 4016 bytes (using MEM.EXE). After loading itself resident in memory, the virus infects *.COM and *.EXE files executed. It adds 1984 bytes to the host program but if the virus is resident in memory, the file increase is not seen when the user types DIR. The virus subtracts 1984 bytes to the displayed file size.

The virus does not do anything special. It only replicates when a file is executed while the virus is memory resident. Any file executed afterwards will be infected.

Damage:

Free high memory space decreases by approximately 4016 bytes. Infected file size increase by 1984 bytes.

Symptom:

Delay in program execution.