Virus Name: J-Infect Virus Type: Memory Resident, File Infector Virus (.COM and .EXE files) Virus Length: 12080 bytes PC Vectors Hooked: INT 21h Executing Procedure: 1) This is similar to the "JERUSALEM" virus in that it infects the same kinds of files. Detection Method: Infected file length will increase by 10280 bytes.
Virus Type : File Virus Virus Length : 2000 bytes Trigger Condition :Year must be 1992 up, Day must be Friday Virus Reinfect Type :doesn't reinfect Virus Memory Type : MCB Type Int. Vectors Hooked : Int 21h Infection Procedure: The virus obviously is a softmice type, having to encrypt CS:[SI] or 114C:[11E] to 114C:[7AD] by XOR it to 0Eh, then encrypt CS:[SI] again but this time it's from 115C:[EB] to 115C:[159], XOR it from 1Eh, IEh increments by 1, it loops until 6Fh. Then it saves the ES which is 114C to 4 different locations. Then it adds 10h to 114Ch and saves it in CS:[0115] by adding what is stored in it and also in CS:[0111]. Then it replaces the data stored in DS:SI to ES:DI which are the same. No replacement were made. Then it modifies the allocated memory, BX=9Bh and ES=114Ch. Gets interrupt vector hooking Int. 21, then sets it. Gets Date having to check if the year is 1992 up and the day is Friday; next, it frees allocated memory then gets child process; lastly, it terminates and stays resident. In memory, the virus infects any COM and/or EXE files. Doesn't load itself when the virus is already in memory.
Virus Name: Jerusalem Aliases: Israeli, Jerusalem.1808.Standard, 1808, Israeli, 1813 Jeru-3-3, Jerusalem.1808.Critical. Virus Type: File Infector (.COM and .EXE files) Virus Length: 1,808 to 1,822 bytes Interrupt vectors hooked: INT 21h, INT 08h Infection method: When an infected file runs, the virus loads itself in memory and infects any file that executes, except the .COMMAND.COM file. The virus increases the size of .EXE files by 1,808-1,822 bytes on the first infection and 1,808 bytes with each reinfection. Infected .COM files increase by 1813 bytes. Damage: On a Friday the 13th, after the virus has been resident for 30 minutes, it deletes files that are executed. On other days, the virus slows down the system 30 minutes after each infection. It also wipes out an area of the screen, although nothing is displayed. A bug in the virus can cause .EXE files to be infected repeatedly until they become too large to execute.
Virus Type : File Virus Virus Length : 1456 bytes Virus Reinfect Type : doesn't reinfect Virus Memory Type : MCB Type Int. Vectors Hooked : Int 21h, Int 8h
Infection Procedure: 1) Modifies the allocated memory, BX=5Eh and ES=114Ch then gets the interrupt vector, hooking int 21h, sets it and get interrupt vector, this time hooking int 8h then sets it. 2) It gets the date and checks whether the date is January 1; if date is January 1 it moves a value of 0h to DS:[0003]; if not, just compare it immediately to DS:[0003]. 3) It gives back the address 114ch to ES then gets the data stored in ES:[2C] placed in ES. Then it frees allocated memory, ES=1043 paragraph address of the start of the memory block. Lastly, it gets child's return code and terminate and stay resident.
Virus Type : File Virus Virus Length : 2160 bytes Virus Reinfect Type :doesn't reinfect Virus Memory Type : MCB Type Int. Vectors Hooked : Int 21h Infection Procedure: It sets a new date for the system but the specified date is an incorrect value. Then it modifies the allocated memory BX=80h and ES=114Ch.
Virus Type : File Virus Virus Infect Type : MBR Infection Procedure: It first moves 21CDh in DS:[FE], 14EBh in DS:[100] and 17h in DS:[11E]. Then it loads/executes a program having the control block = 114C:11E and ASCIIZ command line = 114C:0. Upon doing this, the execution is unsuccessful. Then it writes character in teletype mode having 1Eh as the graphics mode, page 1. Displaying : "Beware the Jabberwock, my son!" "The jaws that bite, the claw that catch!" "And hast thou slain the Jabberwock!" "Come to my arms, my beamish boy!" Then it loops with FFFFh as the value of CX, just a delay. Then performs these codes: MOV GS,DX CLI CLD IN AL,64 TEST AL,04 JNZ D840 D840: SMSW AX TEST AL,01 JZ D84F CLI MOV AL,FE OUT 64,AL After performing these codes the machine performs a warm boot. Symptom : A message can be seen in address = 114C:0239h : "JABBERW OCKY (.) the first Romanian Political Virussian Dhohoho$ Released Date 12-22-1990"
Virus Name: Jumper Aliases: 2kb Virus Type: File Infector (.COM and .EXE files, including .COMMAND.COM) Virus Length: 2,048 bytes When an infected file is first executed in a clean system, the virus will load itself into memory. Total memory will have decreased by 8,336 bytes. Once the virus is memory resident, it will infect .COM and .EXE files as they are executed. Infected files will have a file length increase of 2,048 bytes. The date and time information on infected files will not change. The text string "BIOS" is located in infected programs.
Virus Name: Junkie.A-1 Aliases: Junkie Virus Type: File Infector (.COM and .EXE files) Virus Length: N/A Interrupt vectors hooked: INT 1Ch and INT 21h Infection method: The first time an infected file runs, the virus overwrites the hard disk's master boot record. When the system rebooted (or when it is booted from an infected diskette), the virus loads itself in memory. While loaded, the virus infects any .COM file that executes and any accessed diskettes. The DOS CHKDSK program will show a "total bytes memory" decrease of 3,072 bytes. Infected file length increases by just over 1,000 bytes. Damage: None known
Virus Name: JOANNA Aliases: None Virus Type: File Infector Virus Length: 986 bytes Executing Procedure: 1) If, after checking, the virus finds that it is not already loaded resident in memory, it loads itself by hooking INT 21h. 2) It then executes the original file. 3) Once it's loaded into resident memory it will infect any uninfected file that is executed. Damage: Virus displays the message "I love you Joanna, Apache...." Detection Method: Increases infected files size by 986 bytes. Note: Loads itself resident in memory. An error message appears if an I/O error (such as write protect) occurs.
Virus Name: JUMP4JOY Aliases: None Virus Type: File Infector (.COM files) Virus Length: 1273 bytes Executing Procedure: 1) If, after checking, the virus finds that it is not already loaded resident in memory, it loads itself by hooking INT 21h. 2) It then executes the original file. 3) Once it's loaded into resident memory it will infect any uninfected .COM file that is executed. Damage: None Detection Method: Increases infected file size by 1273 bytes. Note: Loads itself as resident in memory. An error message appears if an I/O error (such as write protect) occurs.
Virus Name: Joshi Aliases: Happy Birthday Joshi Virus Type: File Infector Virus Length: N/A Executing Procedure: 1) If, after checking, the virus finds that it is not already loaded resident in memory, it loads itself by hooking INT 21h. 2) It then executes the original file. 3) Once it's loaded into resident memory it will infect any uninfected file that is executed. Damage: Joshi infects every executable file. Detection Method: The Joshi virus originated in India in June of 1990. It is a very popular virus in India. Joshi remains resident in the boot sector or in the FAT area. Every January 5, the virus displays the message "Type Happy Birthday Joshi." All will return to normal if the user types this message. System memory decreases by 6KB when the virus is resident. Note: Loads itself resident in memory. An error message appears if an I/O error (such as write protect) occurs.
Virus Name: Joker3 Virus Type: Parasitic Virus (infects .COM files) Virus Length: 1084 bytes. PC Vectors Hooked: INT 21h Executing Procedure: 1) If, after checking, the virus finds that it is not already loaded resident in memory, it loads itself by hooking INT 21h and then executes the host program. 2) If it already resides in memory, it executes the host program directly. Infecting Procedure: The virus infects files by hooking INT 21h. When INT 21h is executed, all .COM files in the current directory will be infected. When infecting files, the virus does not hook INT 24h so an error message will appear when I/O errors occur. Damage: None Detection Method: Infected file length increases by 1084 bytes.
Virus Name: James Virus Type: File Infector (.COM files) Virus Length: 356 bytes Executing Procedure: James checks to see whether it is resident in memory. If it is not, the virus stays resident in high memory, then hooks INT 21h and goes back to the original routine. Vectors Hooked: Hooks INT 21H (AH=4Bh) to infect files. First, it hangs INT 24h to prevent divulging its trace when writing, then checks to see whether the program to be executed is an uninfected .COM file. If it is, virus proceeds to infect it. Finally, James restores INT 24h. Damage: None Detection Method: Infected file size increases by 356 bytes.
Virus Name: Junkie Virus Type: Memory-Resident Multipartite Virus Length: 512 bytes Interrupt Vectors Hooked: INT 21h Infection Process: Once a virus-infected program is run, the virus installs itself in memory as a terminate-and-stay-resident program. On the system area of the hard disk, the virus copies two, 512-byte sectors of code into the first track of the hard disk. The virus then modifies the existing master boot record of the hard disk to read the extra sectors and execute them upon boot-up. Damage: Junkie adds approximately 1,024 bytes of virus code to the end of the infected file. Note: The Junkie virus can be detected by VIRUSCAN's /EXT switch with the following string: "26 81 34 ?? 46 46 E2 F7."
Virus Name: July 4, Stupid 1 Virus Type: File Infector (.COM files) Virus Length: 743 bytes Executing Procedure: 1) If the word at address 0000:01FEh is FFFFh, the virus will not infect any file. 2) When it does infect files, it will infect all uninfected .COM files on the current directory. If the number of infections is less than 2, it will go on to infect .COM files on the upper directory until more than 2 files are infected or until it has reached the root directory. If the current date is July 4 and current time is either 0:00am, 1:00am, 2:00am, 3:00am, 4:00am, or 5:00am, the virus will destroy data on the current diskette. Detection Method: 1) The date and time of infected files are changed. 2) The byte at 0003h of infected .COM file is 1Ah. 3) Infected .COM files displays one of the following messages: "Abort, Retry, Ignore, Fail?" , "Fail on INT 24" (2) - "Impotence error reading users disk" (0) - "Program too big to fit in memory" (1) - "Cannot load .COMMAND, system halted" (3) - "Joker!" and "*.com."
Virus Name: Jeff Virus Type: File Infector (.COM files) Virus Length: 815-820 bytes Executing Procedure: Jess searches for an uninfected .COM file on current directory, then infects it. It only infects one file each time. Damage: None Notes: 1) Does not stay in memory. 2) You will see an error message when writing because INT 24h has not been hanged. Detection Method: Infected file size increases by 815-820 bytes.
Virus Type : File Virus
Other Name :
Virus Length :
Virus Infect Type : EXE &COM files
Trigger Condition : June 12
Place of Origin :
Virus Memory Type : MCB Type
Int. Vectors Hooked : Int 21h
Infection Procedure:
The virus is a TSR program. After the virus is executed it immediately loads itself into the memory, where it waits for an EXE and/or COM files to infect except COMMAND.COM. It adds approximately 2660 bytes or more. The infected file, when executed, runs normally. But a special date, June 12 of any year, displays a message and plays a tune (i.e., tune of the Philippine National Anthem). After playing the tune the system resumes normal operation. When infecting on June 12, the same message will be seen and same tune can be heard.
Damage :
When infecting a file and/or executing an infected file this message can be seen:
"June 12 - the Independence Day of the Philippines"
The Philippine flag can be seen here with the official color
"MABUHAY ANG PILIPINAS" "Dedicated to Manong Eddie"
At the same time the Philippine National Anthem can be heard.
The tune can't be stop even pressing Ctrl+Break or Ctrl+C.
Note :
The virus makes a smart move by hooking Int 1 and 3 to fool the one debugging it.
Virus Infect Type : COM files
including COMMAND.COM
Trigger Condition :
Int. Vectors Hooked : Int 21h & 1Ch
First it encrypts the data from address 114C:[2CCF] to 114C:[30B6] by XORing it to D818h, forming a message:
"Dr White - Sweden 1994" "VS" "Junkie Virus - Written in Malmo M01D"
Then it hooks interrupt 1Ch and 21h and infects the master boot record, reading one sector in drive C. When the infected file is executed, the virus first infects COMMAN.COM. After rebooting the system, the virus infects COM files. A virus message can be seen at the end of the file. Approximately 1030 bytes are added to infected files.
Diskettes accessed in an infected system will automatically get infected.