Virus Name: Deiced
Virus Type: File Infector, Highest Memory Resident (.COM files only)
Virus Length: 2333 bytes
PC Vectors Hooked: INT 21h, INT 24h
Executing Process: Checks whether the virus is already resident in high memory. If it isn't, it loads itself into the highest memory by hooking INT 21h. Next, it checks whether COMMAND.COM has been infected; if it hasn't, the virus infects it. Deiced then checks the system date and, if it is the 15th of January, April or August, damages all files on the system disk.
INT 21h: The virus infects a .COM file on the AX=4B00h (execute program) call if the file has not already been infected. When the "DIR" command is executed, the virus looks for all uninfected files in the directory and infects them. Deiced hooks INT 24h to hide itself while infecting.
Damage: If the system date is the 15th of January, April or August, the virus damages all files on the system disk.
Detection Method: Infected files increase in size by 2333 bytes.

Computer Virus Encyclopedia Version 1.1 Copyright 1995 Trend Micro Devices, Inc.

Behavior Monitoring

Monitoring for the abnormal behavior of viruses within a computer environment is usually accomplished by installing a program resident in memory. This program is a TSR (terminate-and-stay-resident) program for one reason: it must monitor the requests that pass through the interrupt table. A virus behaves differently from most applications, and this abnormal behavior is called "virus activity." Virus activity might be a request to write to a boot sector, opening an executable program for writing, or placing itself resident in memory. Based on certain common actions of viruses, a set of rules can be established for discerning between virus activity and normal application activity.

Rule-based monitoring is a very effective way to detect both known and unknown viruses. It makes it possible to stop the infection of a file before the virus has a chance to damage it. Consequently, rule-based virus traps have a great advantage: they can prevent any kind of malicious program from damaging your system. This includes:
Viruses (both known and unknown)
Trojan Horses
Logic Bombs

A minor disadvantage of rule-based virus traps lies in their inability to identify the virus. The trap can prevent the virus from damaging your system, but it cannot identify the virus by name. For identification, only a virus scanner will work.

Integrity Checking

Integrity checking, or checksumming, depends on the ability to continually monitor and check the status of executables for any changes. You must initially compute a checksum of all the executables while they are clean and update the checksum database every time the system is changed or software is added. An example might be: imagine that you just purchased a new car. Unfortunately, your brother also likes your car, and he sometimes takes your keys without your knowledge and goes for a drive. When you ask your brother if he has used the car, he denies it. But how can you check whether your car has been used or not? Simple. Just check the distance your car has travelled by looking at the odometer. Each time you finish using your car, you write down the current odometer reading ("000942", for example). The next time you get into the car, you check the odometer again. If the reading isn't "000942," you know that someone has been driving your car. This is exactly what integrity checking does: it records the status of every application file on your hard drive and later checks that status again to see whether changes have been made. If the status has changed, the integrity checker tells you that you have a virus.

The main drawback of integrity checkers is that they don't prevent the action. Checking the status of a file doesn't prevent a virus from infecting it. Integrity checkers only operate after the fact; they tell you what happened when it's already too late to take action. In addition, integrity checkers cannot identify what caused the status change. Any change, even one made by a program that modifies itself during installation, will cause the typical integrity checker to set off an alarm. Integrity checkers used alone cannot provide effective virus protection.

Scanning

Virus scanning relies on a virus pattern for detecting and locating viruses. The virus pattern is a unique piece of code that identifies the virus; it's the "fingerprint" for that particular virus. When a new virus appears on the scene, its pattern is extracted from the original host program, analysed and recorded. The scanning program then opens each program and scans down its code, comparing the contents of every executable file with a bank of virus patterns. If a match is found, the file is declared to be infected. If no match is found, the file is concluded to be uninfected. Quality scanners check both file areas and the boot sector.

One difficulty with virus scanners is that if a new virus that hasn't yet been analysed infects your computer, the scanner has no way of detecting it. Thus, if a file is infected with a new virus that isn't in the virus pattern bank, the scanner won't be able to detect it. Asking a scanner to find unknown viruses would be like handing someone a telephone book and asking, "Can you find all the criminals in this phone book?" Without specific names, it's an impossible task. Scanning, therefore, is a great method for finding known viruses in files.

Some scanners on the market today compromise on one point or another. For example, many scanners have a "turbo mode" which scans faster because it only scans the beginning and ending sections of files. Unfortunately, this also gives you a false sense of security, because many viruses today insert themselves into the middle of a host file. Scanning in turbo mode is like trying to find a name in the phone book by looking only at "A" and "Z" while skipping "B" through "Y"!
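As an added example (not part of the Trend Micro encyclopedia), the following Python sketches both the integrity checker and the pattern scanner described above, including a "turbo mode" that only examines the start and end of a file and therefore misses a mid-file insertion. The pattern bank, the sample files and the splice performed in `demo()` are all constructed for illustration; the two marker strings are the ones quoted in the Dark_Avenger and DIE LAMER entries on this page, and a real scanner would use binary code patterns rather than text.

```python
import hashlib
import os
import shutil
import tempfile

# Constructed pattern bank: virus name -> a string this page says appears in
# infected files. A real bank holds many binary code patterns, not text.
PATTERN_BANK = {
    "Dark_Avenger": b"Eddie lives...somewhere in time!",
    "DIE_LAMER": b"-=*@DIE_LAMER@*=-",
}


def fingerprint(path):
    """What an integrity checker records per file: its size and a strong hash."""
    with open(path, "rb") as f:
        data = f.read()
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}


def build_baseline(paths):
    """Write down the 'odometer reading' for every executable while it is clean."""
    return {path: fingerprint(path) for path in paths}


def check_integrity(baseline):
    """Re-read every baselined file and report what changed.

    The size delta is reported because most entries on this page give
    'infected files increase by N bytes' as the detection method.
    """
    changes = {}
    for path, old in baseline.items():
        if not os.path.exists(path):
            changes[path] = {"status": "missing"}
            continue
        new = fingerprint(path)
        if new != old:
            changes[path] = {"status": "modified",
                             "size_delta": new["size"] - old["size"]}
    return changes


def scan_bytes(data, patterns=PATTERN_BANK, turbo_window=None):
    """Return the sorted names of every pattern found in data.

    turbo_window=N emulates the 'turbo mode' the text warns about: only the
    first and last N bytes are examined, so a pattern sitting in the middle
    of a host file is never seen.
    """
    if turbo_window is None:
        regions = [data]
    else:
        regions = [data[:turbo_window], data[-turbo_window:]]
    return sorted(name for name, sig in patterns.items()
                  if any(sig in region for region in regions))


def scan_file(path, **kwargs):
    with open(path, "rb") as f:
        return scan_bytes(f.read(), **kwargs)


def demo():
    """Constructed scenario: baseline two files, then splice a marker string
    into the middle of one of them (plain data, not a virus) and compare what
    integrity checking, a full scan and a turbo scan each report."""
    workdir = tempfile.mkdtemp()
    try:
        clean = os.path.join(workdir, "CLEAN.COM")
        host = os.path.join(workdir, "HOST.COM")
        with open(clean, "wb") as f:
            f.write(b"\x90" * 300)          # constructed filler bytes
        with open(host, "wb") as f:
            f.write(b"\x90" * 400)
        baseline = build_baseline([clean, host])

        # Modify HOST.COM by inserting the 32-byte marker at its midpoint.
        with open(host, "rb") as f:
            body = f.read()
        with open(host, "wb") as f:
            f.write(body[:200] + PATTERN_BANK["Dark_Avenger"] + body[200:])

        changes = check_integrity(baseline)
        return {
            "changed_files": sorted(os.path.basename(p) for p in changes),
            "size_delta": changes[host]["size_delta"],
            "full_scan": scan_file(host),
            "turbo_scan": scan_file(host, turbo_window=64),
            "clean_scan": scan_file(clean),
        }
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the integrity checker flagging HOST.COM with a 32-byte growth, the full scan naming the pattern, and the turbo scan reporting nothing because the marker lies outside the first and last 64 bytes.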
Virus Name: Dark_Avenger
Alias: Eddie
Virus Type: File Infector (.COM and .EXE files)
Virus Length: 1,800 bytes
Interrupt Vectors Hooked: INT 21h
Infection Method: When an infected file runs, the virus loads itself into memory. While loaded, it infects executable files as they are accessed. Infected files increase in size by 1,800 bytes.
Damage: The virus reads the disk's boot sector and keeps a count there of the programs executed from the disk. After every 16 programs, it overwrites a random cluster on the disk with part of its own code.
Infected files contain these strings: "Eddie lives...somewhere in time! Diana P." and "This program was written in the city of Sofia (C) 1988-89 Dark Avenger."

Virus Name: DataLock
Alias: Datalock.920.A, V920
Virus Type: File Infector (.COM and .EXE files)
Virus Length: 920 bytes
Interrupt Vectors Hooked: INT 21h
Infection Process: When an infected file runs, the virus loads itself into memory. While loaded, it infects any file that executes. Infected files increase in size by 920 bytes.
Damage: After August 1990, the virus won't allow files with the extension .?BF to be opened. When an attempt is made, it displays the erroneous error message "Too many files open."

Virus Name: Denzuko
Alias: Den Zuk
Virus Type: Boot Virus
Virus Length: N/A
Infection Method: When the system attempts to boot from an infected diskette, the virus loads itself into memory, even if the boot fails. While loaded, the virus attempts to infect any accessed diskette.
Damage: When is pressed, the message "Den Zuk" is displayed and the system seems to reboot. However, the virus remains in memory. Because the virus was designed for 360 KB diskettes, it unintentionally destroys data on 3.5 inch or 1.2 MB diskettes.

Virus Name: Die_Hard_2
Alias: DH2
Virus Type: File Infector (.COM and .EXE files)
Virus Length: 4,000 bytes
Interrupt Vectors Hooked: INT 21h
Infection Method: When an infected file runs, the virus loads itself into memory. While loaded, it infects executable files as they are accessed. Infected files increase in size by 4,000 bytes.
Damage: Under analysis.

Virus Name: Dir
Alias: DIR
Virus Type: File Infector
Virus Length: 691 bytes
Description: See Dir-2

Virus Name: Dir-2
Alias: Dir-II, Creeping Death
Virus Type: File Infector (.COM and .EXE files)
Virus Length: 1,024 bytes
PC Vectors Hooked: None
Executing Process:
1) When the virus loads itself resident in memory, it changes the directory structure data so that certain executable files are linked to it. The result is that when you execute a file that the DIR2-910 virus has linked to, the virus is also executed. At this point it can begin to infect other files.
2) The virus stays resident in memory but doesn't hook any interrupts. It uses another function to infect files. It infects .COM and .EXE files when they are opened "READ & WRITE".
Damage: When all the .COM and .EXE files on a disk have been infected, it will not be possible to execute any files from the disk.
Detection Method: Check the disk with CHKDSK.EXE. If some files are cross-linked to the same position, they are infected.
Notes: DIR2-910 doesn't hook INT 24h when infecting files. It omits I/O errors (such as write protect).

Virus Name: Disk_Killer
Alias: Ogre
Virus Type: Boot Virus
Virus Length: N/A
Description: This virus infects boot sectors.
Infection Method: When the system is booted from an infected disk, the virus loads itself into memory.
Damage: After the computer has been on for 48 hours, the virus displays the message below and then encrypts all the data on the hard disk:
"Disk Killer -- Version 1.00 by COMPUTER OGRE 04/01/1989 Warning!! Don't turn off the power or remove the diskette while Disk Killer is processing. Processing. Now you can turn off the power. I wish you luck."

Virus Name: Dutch
Virus Type: File Infector (.COM files)
Virus Length: 358 bytes
PC Vectors Hooked: None
Executing Process:
1) Dutch searches for a .COM file in the current directory. If the file has already been infected by Dutch, the virus continues looking for an uninfected .COM file. It infects only one file at a time.
Damage: None
Detection Method: Infected files increase in size by 358 bytes.
Notes:
1) Doesn't stay resident in memory.
2) Dutch doesn't hook INT 24h when infecting files. An error message appears if an I/O error (such as write protect) occurs.

Virus Name: Define-1
Virus Type: File Infector (.EXE and .COM files)
Virus Length: No change
PC Vectors Hooked: None
Executing Process:
1) Searches for an .EXE or .COM file in the current directory. If the file found has already been infected by Define-1, it continues to look for another uninfected .COM or .EXE file. It infects only one file at a time.
Damage: Define-1 overwrites the original file, so the file length won't increase.
Notes:
1) Doesn't stay resident in memory.
2) Define-1 doesn't hook INT 24h when infecting files. An error message appears if an I/O error (such as write protect) occurs.

Virus Name: Dismember
Virus Type: File Infector (.COM files)
Virus Length: 288 bytes
PC Vectors Hooked: None
Executing Process:
1) Searches for a .COM file in the current directory. If the file it finds has already been infected by Dismember, it continues to search for uninfected .COM files. When it finds them, it proceeds to infect all .COM files in the directory.
2) Finally, it executes the file originally called.
Damage: None
Detection Method: Infected files increase in size by 288 bytes.
Notes:
1) Doesn't stay resident in memory.
2) Dismember doesn't hook INT 24h when infecting files. An error message appears if an I/O error (such as write protect) occurs.

Virus Name: Druid
Virus Type: File Infector (.COM files)
Virus Length: No change
PC Vectors Hooked: None
Executing Process: Druid searches the current directory for .COM files that haven't already been infected. It then infects all .COM files in the directory.
Damage: Druid overwrites the original file, so the length of an infected file won't change.
Notes:
1) Doesn't stay resident in memory.
2) Druid doesn't hook INT 24h when infecting files. An error message appears if an I/O error (such as write protect) occurs.

Virus Name: Diogenes
Virus Type: File Infector (.COM files)
Virus Length: 946 bytes
PC Vectors Hooked: None
Executing Process:
1) If the system date is the 31st of a month, Diogenes damages all files on the hard disk, then displays the following message on the screen: "DIOGENES 2.0 has visited your hard drive....... This has been another fine product of the Lehigh Valley...Watch (out) for future 'upgrades'.. ... The world's deceit has raped my soul. We melt the plastic people down, then we melt their plastic town."
2) If the system date is not the 31st, Diogenes searches for a .COM file in the current directory.
3) Once it locates an uninfected .COM file, the virus infects it. It infects only one file at a time.
Damage: If the system date is the 31st, it damages all files on the hard disk.
Detection Method: Infected files increase in size by 946 bytes.
Notes:
1) Doesn't stay resident in memory.
2) Diogenes doesn't hook INT 24h when infecting files. An error message appears if an I/O error (such as write protect) occurs.

Virus Name: DEST1
Virus Type: File Infector (.COM files)
Virus Length: 323 bytes
PC Vectors Hooked: INT 24h
Executing Process:
1) Dest1 searches for a .COM file in the current directory. If the file it finds has already been infected by Dest1, it continues to look for an uninfected .COM file.
2) It then infects any uninfected .COM files it finds, one file at a time.
3) Finally, it executes the original file.
Damage: None
Detection Method: Infected files increase in size by 323 bytes.
Notes:
1) Doesn't stay resident in memory.
2) Dest1 hooks INT 24h when infecting files. It omits I/O errors (such as write protect).

Virus Name: DEST2
Virus Type: File Infector (.COM files)
Virus Length: 478 bytes
PC Vectors Hooked: INT 24h
Executing Process:
1) Dest2 searches for a .COM file in the current directory.
2) If the file it finds has already been infected by Dest2, the virus continues to look for an uninfected .COM file and, when it finds one, infects it.
3) Finally, Dest2 executes the original file.
Damage: If kill-flag=-1, the virus deletes a file.
Detection Method: Infected files increase in size by 478 bytes.
Notes:
1) Doesn't stay resident in memory.
2) Dest2 hooks INT 24h when infecting files. It omits I/O errors (such as write protect).

Virus Name: DROPPER-4
Virus Type: File Infector (.COM and .EXE files)
Virus Length: 1125 bytes
PC Vectors Hooked: INT 24h
Executing Process:
1) The virus searches for a .COM or .EXE file in the current directory. If the file found has already been infected by Dropper-4, the virus continues to look for an uninfected .COM or .EXE file.
2) It then infects the .COM and .EXE files in the current directory, two at a time.
3) Finally, it executes the original file.
Damage: None
Detection Method: Infected files increase in size by 1125 bytes.
Notes:
1) Doesn't stay resident in memory.
2) Dropper-4 hooks INT 24h when infecting files. It omits I/O errors (such as write protect).

Virus Name: D-TINY
Virus Type: Memory Resident, File Infector (.COM files)
Virus Length: 126 bytes
PC Vectors Hooked: INT 21h
Infecting Process:
1) If it isn't already resident in memory, D-Tiny loads itself by hooking INT 21h.
2) It then executes the original file.
3) Once resident in memory, it infects any uninfected .COM file that is executed. It doesn't infect .EXE files.
Damage: None
Detection Method: Infected .COM files increase in size by 126 bytes.
Notes: D-TINY doesn't hook INT 24h when infecting files. An error message appears if an I/O error (such as write protect) occurs.

Virus Name: Dame
Virus Type: Memory Resident, File Infector (Mutation Engine)
Virus Length: None.
PC Vectors Hooked: INT 21h (AX=4B00h, execute program), INT 24h
Executing Process:
1) The virus checks whether it is already resident in memory and, if it isn't, loads itself by hooking INT 21h.
2) It then executes the original file.
3) Once resident in memory, it infects any uninfected file that is executed.
4) After infecting files, it checks the system time. If the time is between 00:00h and 00:30h, the following message appears: "Don't worry, you are not alone at this hour.... This Virus is NOT dedicated to Sara.. its dedicated to her Groove (...That's my name).. This Virus is only a test therefore .. be ready for my Next Test...".
Damage: None.
Detection Method: None.
Notes:
1) The Dame virus hooks INT 24h when infecting files. It omits I/O errors (such as write protect).
2) The virus encodes itself before it infects files. The encoding method depends on the time, so it differs in every file.

Virus Name: Dropper
Virus Type: Trojan
Virus Length: 3103 bytes
PC Vectors Hooked: None
Damage: Deletes all files on disks.
Detection Method: Check for files that are 3103 bytes long.
Notes:
1) Doesn't stay resident in memory.
2) Doesn't infect any files, the partition sector or the boot sector.
3) Dropper doesn't hook INT 24h while destroying files. An error message appears if an I/O error (such as write protect) occurs.

Virus Name: Daisy
Virus Type: File Infector (.EXE files)
Virus Length: No change.
PC Vectors Hooked: None
Executing Process:
1) Daisy displays a smiley face along with the message "Hi, I'm Crazy Daisy!... I'll format your HARD DISK! ... Say goodbye to your files!"
2) The virus then searches for an .EXE file on the A:\ drive.
3) When Daisy finds an uninfected .EXE file, it infects it, and continues this process until all .EXE files on the A:\ drive are infected.
4) Once all .EXE files are infected, the system halts.
Damage:
1) When all of the .EXE files on the A:\ drive are infected, the system halts.
2) Overwrites original files, so the length of infected files won't increase.
3) When an infected file is executed, it randomly displays one of the following messages: "1. Pretty day today - isn't it? 2. Don't worry - sing a song! 3. Life isn't easy! 4. Don't halt your computer! -Let's be friends!"
Detection Method: None.
Notes:
1) Doesn't stay resident in memory.
2) Daisy doesn't hook INT 24h when infecting files. It omits I/O errors (such as write protect).

Virus Name: DIR2-910
Virus Type: File Infector (.COM and .EXE files)
Virus Length: 1024 bytes
PC Vectors Hooked: None
Executing Process:
1) When the virus loads itself resident in memory, it changes the directory structure data so that certain executable files are linked to it. The result is that when you execute a file that the DIR2-910 virus has linked to, the virus is also executed. At this point it can begin to infect other files.
2) The virus stays resident in memory but doesn't hook any interrupts. It uses another function to infect files. It infects .COM and .EXE files when they are opened "READ & WRITE".
Damage: When all the .COM and .EXE files on a disk have been infected, it will not be possible to execute any files from the disk.
Detection Method: Check the disk with CHKDSK.EXE. If some files are cross-linked to the same position, those files are infected.
Notes: DIR2-910 doesn't hook INT 24h when infecting files. It omits I/O errors (such as write protect).

Virus Name: Devil's Dance
Other names: Virus 941
Virus Type: File Infector Virus
Virus Length: 941 bytes
PC Vectors Hooked: INT 21h
Executing Process:
1) The virus checks whether it is already resident in memory. If not, it loads itself into resident memory by hooking INT 21h.
2) It then executes the original file.
3) Once resident in memory, it infects any uninfected file that is executed.
Damage: The Devil's Dance virus monitors INT 9 (keyboard). A cursor-manipulation routine is activated once 5 keys other than "Alt" have been pressed. Furthermore, if the "Alt" key is not pressed, the cursor attributes in video RAM are changed after any other key is pressed. The new attributes are: 09h (bright blue), 0Ah (bright green), 0Bh (bright cyan), 0Ch (bright red), 0Dh (bright violet), 0Eh (bright yellow). If the above five keys are not pressed, the virus does not manifest itself. If "Del" is pressed, the virus displays characters in white and shows the following message: "Have you ever danced with the devil under the weak light of the moon?.... Pray for your disk...The Joker HAHAHAHAHAHAHAHAHAHA." Finally, the virus tests whether keys have been pressed 2500 times. If so, it overwrites the disk partition table of the first hard disk and crashes the system.
Notes: Loads itself resident in memory. An error message appears if an I/O error (such as write protect) occurs.

Virus Name: DAMAGE-B
Other names: None
Virus Type: Parasitic Virus
Virus Length: 1110 bytes
Executing Process:
1) The virus checks whether it is already resident in memory. If not, it loads itself into resident memory by hooking INT 21h.
2) It then executes the original file.
3) Once resident in memory, it infects any uninfected file that is executed.
Damage: The virus checks the system date. If it is a Tuesday, it formats the hard disk.
Detection Method: Infected files increase in size by 1110 bytes.
Notes: Loads itself resident in memory. An error message appears if an I/O error (such as write protect) occurs.

Virus Name: Datacrime
Other names: 1168, Columbus Day
Virus Type: File Infector Virus
Virus Length: 1168 bytes
Executing Process:
1) The virus checks whether it is already resident in memory. If not, it loads itself into resident memory by hooking INT 21h.
2) It then executes the original file.
3) Once resident in memory, it infects any uninfected file that is executed.
4) It doesn't infect .EXE files.
Damage: The virus low-level formats your hard disk after October 12th.
Detection Method: The virus infects all .COM files between April 1st and October 12th. After October 12th, it displays the following message: "DATACRIME VIRUS Released:1 March 1989." and then low-level formats your hard disk.
Notes: Loads itself resident in memory. An error message appears if an I/O error (such as write protect) occurs.

Virus Name: Datacrime II
Other names: None
Virus Type: File Infector Virus
Virus Length: Increases .COM and .EXE files by 1514 bytes.
Damage: The virus low-level formats cylinder 0 of your hard disk after October 12th.
Detection Method: Between October 12th and 31st, excluding Mondays, the virus displays the following message: "DATACRIME-2 VIRUS." It then low-level formats cylinder 0 of the hard disk, after which the system hangs.

Virus Name: Datacrime II b
Other names: None
Virus Type: File Infector Virus
Virus Length: 1460 bytes
Damage: The virus low-level formats cylinder 0 of your hard disk after October 12th.
Detection Method: Between October 12th and 31st, excluding Mondays, the virus displays the following message: "DATACRIME-2 VIRUS". It then low-level formats cylinder 0 of the hard disk, after which the system halts.

Virus Name: Drop
Virus Type: Parasitic Virus
Virus Length: Infected .EXE file sizes increase by 1130-1155 bytes and .COM files increase by 1131 bytes.
PC Vectors Hooked: INT 21h
Executing Process:
1) Checks whether it is resident in memory. If not, it hooks INT 21h, installs itself in the highest memory and then executes the host program. (If it already resides in the highest memory, the host program is executed directly.)
2) It then checks the system date. If the date is the sixth day of the month, it hooks INT 21h so that the characters on the screen drop and the system hangs when any program is executed.
Infecting Process:
1) The virus infects files through the AH=4Bh function of INT 21h: uninfected files are infected when they are executed.
2) Drop does not hook INT 24h before infecting files. An error message appears if an I/O error (such as write protect) occurs.
Damage: Refer to Executing Process 2).
Detection Method: Detectable if file lengths increase by 1130-1155 bytes.

Virus Name: Dos7
Virus Type: Parasitic Virus
Virus Length: Infected .COM file sizes increase by 342 bytes (does not infect .EXE files).
PC Vectors Hooked: None
Executing Process:
1) Searches for a .COM file in the current directory.
2) Checks whether the file is infected. If it is, it continues to search.
3) If an uninfected file is found, the virus infects it (it infects only one file each time).
Damage: None
Detection Method: Detectable if file lengths increase by 342 bytes.
Remarks:
1) Not memory resident.
2) When infecting files, the virus does not hook INT 24h. An error message appears if an I/O error (such as write protect) occurs.

Virus Name: Dooms-715
Virus Type: Parasitic Virus
Virus Length: Infected .COM file sizes increase by 715 bytes (does not infect .EXE files).
PC Vectors Hooked: None
Executing Process:
1) Searches for a .COM file in the root directory.
2) Checks whether the file is infected. If it is, it continues to search.
3) If an uninfected file is found, it infects it (it infects only one file each time).
Damage: None
Detection Method: Detectable if file lengths increase by 715 bytes.
Remarks:
1) Not memory resident.
2) When infecting files, the virus does not hook INT 24h. An error message appears if an I/O error (such as write protect) occurs.

Virus Name: Dir-522
Virus Type: Parasitic Virus
Virus Length: Infected .COM file sizes increase by 1268 bytes (does not infect .EXE files).
PC Vectors Hooked: INT 21h and INT 24h
Executing Process:
1) Checks whether it is resident in memory. If not, it hooks INT 21h, implants itself in memory and then executes the host program.
2) If it already resides in memory, the host program is executed directly.
Infecting Process:
1) The virus infects files through the "dir" command. When "dir" is executed, the virus searches for an uninfected file and infects it.
2) Before infecting files, the virus hooks INT 24h in order to ignore I/O errors.
Damage: None
Detection Method: Detectable if file lengths increase by 522 bytes.

Virus Name: Dwi
Virus Type: Parasitic Virus
Virus Length: Infected .EXE file sizes increase by 1050-1070 bytes (does not infect .COM files).
PC Vectors Hooked: INT 21h and INT 24h
Executing Process:
1) Checks whether it is resident in memory. If not, it hooks INT 21h, installs itself as memory resident and then executes the host program.
2) If it already resides in memory, it executes the host program directly.
Infecting Process:
1) The virus infects files through the AH=4Bh function of INT 21h. When an uninfected program is executed, it becomes infected.
2) Before infecting, the virus hooks INT 24h first in order to ignore I/O errors.
Damage: None
Detection Method: Detectable if file sizes increase by 1050-1070 bytes.

Virus Name: Dennis (has at least two variants)
Virus Type: Parasitic Virus
PC Vectors Hooked: INT 21h
Executing Process:
1) Checks whether it is resident in memory. If not, it hooks INT 21h, installs itself as memory resident and then executes the host program.
2) If it already resides in memory, it executes the host program directly.
Infecting Process:
1) The virus infects files through the AH=4Bh function of INT 21h. When an uninfected program is executed, it becomes infected.
2) When infecting files, Dennis does not hook INT 24h. An error message appears when an I/O error occurs.
Damage: None

Virus Name: Dm-330
Virus Type: Memory Resident, .COM File Infector
Virus Length: 330 bytes
Executing Process: The virus first decodes itself, then checks whether it is already resident in memory. If not, it moves itself to the absolute addresses 0000:0208h through 0000:0351h, hooks INT 21h and returns to the original routine.
Vectors Hooked:
1) Hooks INT 5Fh, pointing it at the address of the original INT 21h handler.
2) Hooks INT 21h to infect files. The virus is triggered when the system calls INT 21h to execute a program (AH=4Bh), change a file's attributes (AH=43h), rename a file (AH=56h) or open a file (AH=3Dh). It checks whether the program concerned is an uninfected .COM file and, if so, infects it.
Damage: None
Notes:
1) The virus stays in the interrupt vector area. This causes conflicts between the virus routine and the interrupt vectors at addresses 0000:0208h through 0000:0351h.
2) The date and time of infected files do not change.

Virus Name: Dosvir
Virus Type: TROJAN
Virus Length: 3004 bytes
Executing Process: The virus creates a batch file and then executes it, so this trojan behaves just like a batch file. The content of the batch file is as follows:
CLS
echo Cracked by Cracking Kr .e 20 2
echo Loading game. .Please Wait....
c:
CD\
DEL autoexec.bat
DEL *.exe
DEL *.com
DEL *.exe
DEL *.com
DEL *.sys
ATTRIB..-r ibmbio.com
ATTRIB..-r ibmdos.com
ATTRIB..-r ibmbio.sys
ATTRIB..-r ibmdos.sys
DEL ibmbio.com
DEL ibmdos.com
DEL ibmbio.sys
DEL ibmdos.sys
CD\bbs
DEL *.exe
DEL *.com
CD\dos
DEL *.exe
DEL *.com
d:
CD\
DEL autoexec.bat
DEL *.exe
DEL *.com
CD\dos
DEL *.exe
DEL *.com
CD\bbs
DEL *.exe
DEL *.com
CLS

Virus Name: Deranged
Virus Type: .EXE File Infector
Virus Length: 419 bytes
Executing Process: Searches for all uninfected .EXE files in the current directory and then infects them.
Damage: None
Notes:
1) Because the virus code is not well written, the system halts when an infected file is executed.
2) Does not stay in memory.
3) An error message appears on write errors because INT 24h has not been hooked.
Detection Method: Infected file sizes increase by 419 bytes.

Virus Name: Darkend
Virus Type: .EXE File Infector
Virus Length: 1188 bytes
Executing Process: Checks whether it is already resident in memory. If not, it installs itself resident in high memory, hooks INT 21h and returns to the original routine. The virus then checks whether the current date is October 15. If it is, the virus destroys all data on the hard disk.
Vectors Hooked: Hooks INT 21h (AH=4Bh) to infect files. If the program to be executed is an uninfected .EXE file, the virus infects it directly.
Damage: The virus sometimes destroys all data on the hard disk.
Detection Method: Infected file sizes increase by 1188 bytes.

Virus Name: Decide-2
Virus Type: .COM File Infector
Virus Length: 1335 bytes
Executing Process: Searches for an uninfected .COM file in the current directory and then infects it (it infects each file only once). Whether or not it has infected a file, it then checks whether the current month is September or October and the current day is between 3 and 18. If so, the virus displays the following: "As the good times of DECIDE will be remembered, I started to make a new virus. You are not facing the dark tombs of "Morgoth". Humble regards to :Pazuzu, Kingu, Absu Mummu Tiamat, Baxaxaxa Baxaxaxa, Yog Sothoth Iak Sakkath, Kutulu, Humwawa Xaztur, Hubbur Shub Niggurath Also my lovely regards go to Stephanie, the only one who makes my heart beat stronger. Want to make love with a Moribid Angel? Glenn greets ya. Press a key to start the program..."
Damage: None
Notes:
1) Does not remain in memory.
2) An error message appears on write errors because INT 24h has not been hooked.
Detection Method: Infected file sizes increase by 1335 bytes.

Virus Name: Dima
Virus Type: .COM & .EXE File Infector
Virus Length: 1024 bytes
Executing Process: Searches for all uninfected .COM and .EXE files in all directories and infects them.
Vectors Hooked: Hooks INT 24h so that write errors do not reveal its presence.
Detection Method: Infected file sizes increase by 1024 bytes.

Virus Name: Digger
Virus Type: .COM & .EXE File Infector
Virus Length: 1472-1482 bytes
Executing Process: Searches for an uninfected .COM or .EXE file in the current directory and then infects it (it infects each file only once).
Damage: None
Notes:
1) Does not stay in memory.
2) An error message appears on write errors because INT 24h has not been hooked.
Detection Method: Infected file sizes increase by 1472-1482 bytes.

Virus Name: DIE LAMER
Virus Type: Resident at the top of the MCB (Memory Control Block).
Virus Length: 1,136 bytes
Interrupt Vectors Hooked: INT 21h.
Infection Process: This virus spreads when an infected program is executed. When a DIE LAMER infected program is executed, it first checks whether it is already resident in memory by testing whether address 0:4f2h contains the value 3232h. If it is already in memory, it executes the infected program. If it is not in memory, it performs the following functions:
Damage: Loss of some data stored on the floppy diskette.
Symptoms: Garbage on the floppy disk. Increased file sizes. Screen displays "-=*@DIE_LAMER@*=-."
Notes: The method used by the virus is very dangerous: if an anti-virus program catches this virus in memory and displays the message "found '-=*@DIE_LAMER@*=-' in memory", the virus will only write garbage to the floppy diskette, but the virus program could easily be modified to execute more destructive routines (such as formatting the hard disk).
Virus Name: Data-Rape-2.0
Virus Type: .COM & .EXE File infector
Virus Length: 1875-1890 bytes
Executing Process: The virus checks whether it is already resident in memory. If not, it stays resident in high memory, hooks INT 21h and returns to the original routine.
Vectors hooked: Hooks INT 21H (AH=4Bh) to infect files. If the program to be executed is an uninfected .COM or .EXE file, the virus infects it.
Damage: None
Detection Method: Infected file sizes increase by 1875-1890 bytes.
Virus Name: Dennis-2
Virus Type: .COM & .EXE File infector
Virus Length: 897 bytes
Executing Process: The virus checks whether it is already resident in memory. If not, it stays resident in high memory, hooks INT 21h and returns to the original routine.
Vectors hooked: Hooks INT 21H (AH=4Bh) to infect files. If the program to be executed is an uninfected .COM or .EXE file, the virus infects it.
Damage: None
Detection Method: Infected file sizes increase by 897 bytes.
Virus Type: Polymorphic, File Type
Virus Length: 1,710-1,713 bytes
Virus Infect Type: .COM and .EXE files
Virus Re-infect: No
Virus Memory Type: High memory resident
Place of Origin:
Int Vector Hooked: INT 21H
Infection Procedure:
The virus infects .COM and .EXE files, increasing an infected file's size by 1,710 bytes for a .COM file and 1,713 bytes for an .EXE file. It infects the host file by attaching itself at the end of the file. The virus becomes memory resident when an infected file is loaded and executed; once resident, it can infect executable files when they are opened. The virus uses a complex decryption method. After decryption, it allocates 1,776 bytes in high memory and copies its program there to stay resident. It then hooks INT 21H by changing the vector to point to its program in high memory at 9F92:017A, and uses this interrupt to attach itself to the host file. Before attaching to the host file, the virus encrypts its code again and then writes itself to the host file. During infection, the virus checks the current day of the month. If it is the 13th, it checks a second condition by decrypting and comparing data from its data area; that condition is possibly known only to the author of the virus. If both conditions are satisfied, it executes its payload: overwriting the Master Boot Sector of drive C:\ with its own program and replacing the original Interrupt Vector Table with its own table. As a result, the system hangs during bootup. The date and time attributes of the host file are not changed by infection.
Damage:
Corrupts the Master Boot Sector and Interrupt Vector Table.
Symptom:
Hangs up the system during bootup. Increases the file size by 1,710 for .COM files and 1,713 for .EXE files.
Other Name:
Virus Length: 1163 bytes
Original Name: DELTA
Trigger Condition: November 4
Virus Re-infect: no
Discovery Date: February 1996
Place of Origin: Brazil
Infection Procedure:
As a polymorphic virus, it first decrypts its main program by XORing each byte with C0H. It infects its host by attaching itself to the end of the file, adding 1,163 bytes to the infected file. It then copies its program into high memory at 9F69:0000 and jumps there. It hooks INT 21H by pointing the vector to 9F69:01C5. The virus becomes memory resident when an infected file is loaded and executed; once resident, it attaches itself to an executable file when that file is loaded through service 4BH of the hooked INT 21H. During infection the virus checks whether the current month is November and the day is 4. If so, the virus resets the drive C:\ BIOS configuration, changes the boot sequence to search drive C:\ first on bootup, and then waits 30 seconds before performing a warm boot. The payload is indicated by the display of these strings:
"Good bytes from (DEL)ta Virus!!!" " Reset in 30 seconds. "
Afterwards the hard disk is disabled, as if it already had a corrupted partition table. When it infects an executable file, it also makes a second infection of COMMAND.COM on drive A:\, corrupting it and preventing proper bootup. The effect of the payload is easily undone by reconfiguring the hard disk in the BIOS and replacing the infected COMMAND.COM with a clean copy, since the virus does not write to the MBR. Besides the string displayed when the payload executes, another text string can be seen inside the virus code:
"Brazil - 02/96"
Damage:
Resets the hard disk BIOS configuration. Corrupts COMMAND.COM.
Symptom:
Increases the infected file by 1163 bytes.
Virus Type: Polymorphic, Boot/File type
Virus Length: 2048 bytes
Discovery Date:
Int Vector Hooked: INT 13H, INT 21H, INT 1CH
Infection Procedure: Infecting the Master Boot Sector:
The virus primarily infects the Master Boot Sector of drive C:\. As a polymorphic virus, it first decrypts 1,714 bytes of its code by XORing with 9B. It then reads the boot sector of drive C:\ into its program and saves a copy of this sector to head 0, cylinder 0, sector 2 of drive C:\. It then makes two byte outputs to port 70H, whose purpose is unknown because no hardware port reference was available. The virus writes a copy of its program, occupying 4 sectors, to head 0, cylinder 0, sector 3 of drive C:\. Finally, the virus modifies the first 46 bytes of the boot sector held in its program and writes it back to the boot sector of drive C:\.
Infecting Executable Files:
Once the virus has infected the boot sector of drive C:\, it becomes memory resident at system bootup. At bootup it first allocates space in high memory starting at 9E70:0000. It then reads its program, which occupies 4 sectors, from the infected drive C:\ starting at sector 3, cylinder 0, head 0 into its allocated space in high memory (9E70:0100). From there it hooks INT 13H and INT 21H to point to its program in high memory, which enables the virus to attach itself to any .COM or .EXE file that is loaded and executed. After hooking the interrupts, it retrieves the original boot sector from head 0, cylinder 0, sector 2 of drive C:\ to resume normal bootup. At this point the virus is memory resident and can infect executable files when they are loaded, executed or copied. It first searches for COMMAND.COM to infect. The virus infects a file by attaching itself at the end of the host file. However, the attachment is often incomplete and sometimes just corrupts the program, so the size added to an infected file is not definite. No trigger or payload exists.
Damage:
Corrupts executable files.
Symptom:
Slows down file loading and execution time.
Virus Length: 2,406-2,409 bytes
Int Vector Hooked: INT 21H, INT 24H
Infection Procedure:
The virus infects .COM and .EXE files, increasing an infected file's size by 2,406 bytes for a .COM file and 2,409 bytes for an .EXE file. It infects the host file by attaching itself at the end of the file. The virus becomes memory resident when an infected .COM or .EXE file is loaded and executed. As a polymorphic virus, it first decrypts its code, then allocates space in high memory starting at 9E80:0000 and copies its code there to stay resident. Once resident, it hooks INT 21H by pointing the vector to its program in high memory at 9E80:01BC, and uses service 4BH of this interrupt to attach itself to files as they are loaded and executed. During infection it first hooks INT 24H (Critical Error Handler) to suppress the error display on a host file write error, so the infection is not obvious. It then searches for COMMAND.COM in the root directory of the current drive and infects it if it is not already infected; after the next bootup from the same drive, the virus therefore becomes resident immediately and infects the executable files that are loaded into memory. Finally, it infects the file currently loaded in memory. The virus sometimes cannot attach itself completely to its host file and then merely corrupts it. There is no payload or trigger.
Damage:
Corrupts COMMAND.COM and executable files, which can cause the system to hang.
Symptom:
Increases the host's file size by 2,409 bytes for .COM file and 2,406 bytes for .EXE file.
Virus Length: 3,547 bytes
Virus Infect Type: .COM and .EXE file
Int Vector Hooked: INT 21H, INT 13H, INT 1CH
Infection Procedure:
The virus infects both .EXE and .COM files. It infects its host file by attaching itself at the end of the file, increasing an infected file's size by 3,547 bytes. The virus becomes memory resident when an infected file is loaded and executed. As a polymorphic virus, it first decrypts 3,422 bytes of its code, then allocates 5,120 bytes in high memory starting at 9EB0:0000. From there it hooks INT 21H by pointing the vector to its program in high memory. It uses service 4BH of the interrupt to attach itself to files as they are loaded and executed. It also intercepts services 4EH and 4FH (find first/find next) to hide the actual increase in file size of infected files once the virus is memory resident, so the infection goes unnoticed. Once the virus has attached itself to the host file, it encrypts its code again and writes it out to the new file. No payload or trigger was seen; the virus only replicates itself to .COM and .EXE files.
Symptom:
Increases the size of the infected file by 3,547 bytes.
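Every entry above closes with the same practical detection clue: an appending file infector makes its host grow by a fixed, known number of bytes. The following integrity checker is an added example (it is not part of the encyclopedia and not a Trend Micro tool) that turns that clue into a check: it records the size and SHA-256 of every .COM/.EXE file under a directory, then reports any file whose contents changed and matches the size delta against the lengths the entries above give. The KNOWN_DELTAS table holds only lengths and names taken from this page; the directory layout, file names and file contents in demo() are constructed stand-ins.

```python
import hashlib
import tempfile
from pathlib import Path

# Size increases taken from the "Detection Method" / "Symptom" fields above,
# as inclusive (low, high) ranges. Only entries the page names are listed.
KNOWN_DELTAS = {
    "Darkend": (1188, 1188),
    "Decide-2": (1335, 1335),
    "Dima": (1024, 1024),
    "Digger": (1472, 1482),
    "DIE LAMER": (1136, 1136),
    "Data-Rape-2.0": (1875, 1890),
    "Dennis-2": (897, 897),
    "DELTA": (1163, 1163),
}

EXECUTABLE_SUFFIXES = {".com", ".exe"}


def sha256_of(path):
    """Hash a file in chunks so large executables do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record size and SHA-256 of every .COM/.EXE below root (recursively)."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES:
            rel = str(p.relative_to(root))
            baseline[rel] = {"size": p.stat().st_size, "sha256": sha256_of(p)}
    return baseline


def check_against_baseline(root, baseline):
    """Compare the tree under root with a stored baseline.

    Returns a list of findings. A modified file carries its size delta and the
    names of entries above whose documented growth matches that delta; the
    hash comparison catches changes that leave the size unchanged as well.
    """
    findings = []
    current = build_baseline(root)
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            findings.append({"file": rel, "status": "missing"})
            continue
        if new["sha256"] == old["sha256"]:
            continue
        delta = new["size"] - old["size"]
        matches = [name for name, (lo, hi) in KNOWN_DELTAS.items() if lo <= delta <= hi]
        findings.append({"file": rel, "status": "modified", "delta": delta, "matches": matches})
    for rel in sorted(current.keys() - baseline.keys()):
        findings.append({"file": rel, "status": "new"})
    return findings


def demo():
    """Constructed scenario: baseline a small tree, then one host grows by 1188 bytes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Stand-in executables; the bytes are arbitrary, not real programs.
        (root / "COMMAND.COM").write_bytes(b"\xb8\x00\x4c\xcd\x21" * 40)
        (root / "TOOLS").mkdir()
        (root / "TOOLS" / "EDIT.EXE").write_bytes(b"MZ" + bytes(500))
        (root / "README.TXT").write_bytes(b"not an executable, ignored by the checker")
        baseline = build_baseline(root)
        # Simulate an appending infector: 1188 bytes added to the end of one host.
        with open(root / "TOOLS" / "EDIT.EXE", "ab") as f:
            f.write(b"\x90" * 1188)
        return check_against_baseline(root, baseline)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The baseline must be taken while the system is known clean and the check must run from a clean boot (for example a write-protected boot diskette), because a resident virus such as the 3,547-byte entry above intercepts the INT 21H find-first/find-next services and reports the original sizes to any program that asks while it is in memory.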