Virus Name: Banana Virus Type: .COM File Infector Virus Virus Length: No change PC Vectors Hooked: None Infection Process: 1) Searches for and infects all uninfected .COM files in the current directory. Damage: Overwrites original file, so the length of infected file won't increase. Notes: 1) Doesn't stay resident in memory. 2) Banana doesn't hook INT 24h when infecting files. An error message appears if an I/O error (such as write protect) occurs.
Virus Name: Butterfly Alias Name: Butterflies Virus Type: File Virus Virus Length: 302 bytes Description: This virus infects .COM files. When an infected file is executed, the virus will infect all the .COM files located in the same directory. Infected files will increase in size by 302 bytes, with the virus being located at the end of the infected file. Infected files will not have their date and time records altered. The following text string is located in the virus: "Goddamn Butterflies"
Virus Name: Burger Virus Type: File Infector Virus (.COM files) Virus Length: No change PC Vectors Hooked: None Infection Process: 1) Searches for a .COM file in current directory. 2) Checks whether it has been infected by Burger. If it has, the virus continues to look for an uninfected .COM file. Only one file at a time is infected. 3) Damages all data on current disk if no .COM file is infected. Damage: 1) Burger overwrites the original file, so the length of infected file won't increase. 2) Damages all data on the current disk if no .COM file is infected. Notes: 1) Doesn't remain resident in memory. 2) Burger doesn't hook INT 24h when infecting files. An error message appears if an I/O error (such as write protect) occurs.
Virus Name: Bloodlust Virus Type: .COM File Infector Virus Virus Length: No change PC Vectors Hooked: None Infection Process: 1) Searches for a .COM file in the current directory. 2) Once it locates a .COM file it checks to see whether it has been infected by Bloodlust. If it has, it continues to look for uninfected files. 3) Once it locates an uninfected file it infects it and continues doing this until all .COM files are infected. Damage: Bloodlust overwrites the original file, so that the length of the infected file won't increase. Notes: 1) Doesn't stay resident in memory. 2) Bloodlust doesn't hook INT 24h when infecting files. An error message appears if an I/O error (such as write protect) occurs.
Virus Name: Brothers-2 Virus Type: .COM File Infector Virus Virus Length: 693 bytes (.COM) PC Vectors Hooked: None Infection Process: 1) Brothers-2 checks to see whether the system date is between the 11th and 25th of November or December. If it is, the messages "Brotherhood... I am seeking my brothers "DEICIDE" and "MORGOTH" are displayed, then the virus executes the original file. 2) If the date does not fall between the 11th and 25th of November or December, then Brothers-2 searches for a .COM file in the current directory. 3) Once it locates a file it checks to see whether it has been infected by Brothers-2. If it has, Brothers-2 continues to look for any uninfected .COM file. 4) If the second word of the .COM file is "0xADDE", the virus displays the message "Found my brother "MORGOTH"!!!. ", then executes the original file. 5) If the second word of the .COM file is "0x0D90", the virus displays the message "Found my brother "DEIGOTH"!!!. " then executes the original file. 6) If the second word is neither of these, then it will infect .COM files one at a time and then execute the original file. Damage: None Detection Method: Infected file size will increase by 693 bytes. Notes: 1) Doesn't stay resident in memory. 2) Brothers-2 doesn't hook INT 24h when infecting files. An error message appears if an I/O error (such as write protect) occurs.
Virus Name: BAMESTRA Virus Type: .EXE File Infector Virus Virus Length: 530 bytes PC Vectors Hooked: INT 24h Infection Process: 1) The virus searches for an .EXE file in the current directory. 2) It checks to see whether the file has been infected by Bamestra. If it has, the virus continues to look for an uninfected .EXE file. 3) It then infects any .EXE file in the current directory, two at a time. 4) Finally, it executes the original file. Damage: None Detection Method: Infected file size will increase by 530 bytes. Notes: 1) Doesn't stay resident in memory. 2) Bamestra hooks INT 24h when infecting files. It omits I/O errors (such as write protect).
Virus Name: BUBBLES-2 Virus Type: File Infector Virus (.COM and .EXE files) Virus Length: 927 bytes (.COM and .EXE) PC Vectors Hooked: INT 24h Infection Process: 1) The virus searches for an .EXE or .COM file in the current directory and checks to see whether it has been infected by Bubbles-2. If it has, the virus continues to look for an uninfected .EXE or .COM file. 2) It then infects all .EXE and .COM files in the current directory. 3) If the system date coincides with the 13th of the month and the year is 1993 or later, the message "Bubbles 2 : Its back and better then ever Is it me or does that Make no sense at all? [IVP]" is displayed on screen. Damage: Infected files can't be executed. Detection Method: Infected file size will increase by 927 bytes. Notes: 1) Doesn't stay resident in memory. 2) Bubbles-2 hooks INT 24h when infecting files. It omits I/O errors (such as write protect).
Virus Name: BURGER_560-8 Virus Type: File Infector Virus (.COM files) Virus Length: No change PC Vectors Hooked: None Infection Process: 1) Searches for a .COM file in A: and checks to see whether it has been infected by Burger_560-8. If it has, the virus continues to look for an uninfected .COM file. 2) It then infects uninfected files one at a time. 3) If no .COM file is infected, it will look for an .EXE file in A:. 4) It finally renames the .EXE file to .COM, then it infects the .COM file. Damage: Overwrites the original file, so that the length of infected file won't increase. Detection Method: Changes an .EXE file into a .COM file. Notes: 1) Doesn't stay resident in memory. 2) Burger_560-8 doesn't hook INT 24h when infecting files. An error message appears if an I/O error (such as write protect) occurs.
Virus Name: BOYS Virus Type: File Infector Virus (.COM files) Virus Length: 500 bytes PC Vectors Hooked: None Infection Process: 1) It searches for an .EXE file and changes its attributes to "SYSTEM". 2) Boys searches for a .COM file in the current directory, then checks to see whether it has been infected by Boys. If it has, Boys continues to look for an uninfected .COM file. 3) It infects uninfected files one at a time, and changes the attribute to "READ-ONLY". 4) Finally, it executes the original file. Damage: None. Detection Method: Infected file size will increase by 500 bytes. Notes: 1) Doesn't stay resident in memory. 2) Boys doesn't hook INT 24h when infecting files. An error message appears if an I/O error (such as write protect) occurs.
Virus Name: BOOJUM Virus Type: Highest Memory Resident, File Infector Virus (.EXE files) Virus Length: 340 bytes PC Vectors Hooked: INT 21h Infection Process: 1) The virus checks to see whether it is already loaded resident in memory. If it isn't, it loads itself into memory (highest memory) by hooking INT 21h. 2) Next, it executes the original file. 3) Once it's loaded into memory it will infect any uninfected file that is executed. (It doesn't infect .COM files.) Damage: None Detection Method: Infected .EXE file size increases by 340 bytes. Notes: The BOOJUM virus doesn't hook INT 24h when infecting files. An error message appears if an I/O error (such as write protect) occurs.
Virus Name: BIT-ADDICT Virus Type: Memory Resident, File Infector Virus (.COM files) Virus Length: 477 bytes PC Vectors Hooked: INT 21h Infection Process: 1) The virus checks to see whether it is already loaded resident in memory. If it isn't, it loads itself by hooking INT 21h. 2) Next, it executes the original file. 3) Once it's loaded into resident memory it will infect any uninfected file that is executed. (It doesn't infect .EXE files.) Damage: When the virus infects 100 files, it will destroy all data on the hard disk, then display the message "BIT ADDICTMZ> .... The Bit Addict says: You have a good tasting hard disk, it was delicious !!!" Detection Method: Infected file size increases by 477 bytes. Notes: The Bit-Addict virus doesn't hook INT 24h when infecting files. An error message appears if an I/O error (such as write protect) occurs.
Virus Name: BRAIN2 Virus Type: Memory Resident, File Infector Virus (.COM and .EXE files) Virus Length: 1935 bytes PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h, INT 1Ch Infection Process: 1) If the system date is November 17 or February 6, the virus will display some messages and play music. 2) The virus then checks to see whether it is already loaded resident in memory. If it isn't, it loads itself by hooking INT 21h. 3) It then executes the original file. 4) If the system date is the 1st day of February, July, September or December, Brain2 will display a flash square by hooking INT 1Ch. 5) Once it's loaded into resident memory it will infect any uninfected file that is executed. Damage: None. Detection Method: Infected file size increases by 1935 bytes. Notes: The Brain2 virus hooks INT 24h when infecting files. It omits I/O errors (such as write protect).
Virus Name: B3 Virus Type: Memory Resident, File Infector Virus (.COM files) Virus Length: 483 bytes PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h Infection Process: 1) If the system date is June 26, the B3 virus will destroy all data on the hard disk. On other dates, the virus checks to see whether it is already loaded resident in memory and, if it's not, loads itself by hooking INT 21h. 2) Next, B3 executes the original file. 3) Once it's loaded into resident memory it will infect any uninfected file that is executed. (It doesn't infect .EXE files.) Damage: If the system date is June 26, the virus will destroy all data on the hard disk. Detection Method: Infected file size increases by 483 bytes. Notes: The B3 virus hooks INT 24h when infecting files. It omits I/O errors (such as write protect).
Virus Name: Bob Virus Type: File Infector Virus (.COM files) Virus Length: 1117 bytes PC Vectors Hooked: INT 8h Infection Process: 1) Searches for a .COM file in the current directory. 2) It checks to see whether the file has been infected by Bob. If it has, Bob continues to look for uninfected .COM files. It infects three files at a time. 3) If the system date is September 7, the virus hooks INT 8h and, after about 5 minutes, a message like the following appears on screen: "1 Bob Ross lives! 2 Bob Ross is watching! 3 Maybe he lives here....." and so on. Damage: On September 7, a message appears on the screen. Detection Method: Infected file size increases by 1117 bytes. Notes: 1) Doesn't stay resident in memory. 2) Bob doesn't hook INT 24h when infecting files. It omits I/O errors (such as write protect).
Virus Name: BFD Virus Type: Boot sector Infector and File Infector Virus Virus Length: No change PC Vectors Hooked: INT 13h, INT 24h. Infection Process: 1) BFD loads itself in the last 4K bytes of resident memory by hooking INT 13h. When you turn on the computer the resident memory virus infects the boot sector and files when "READING and WRITING" uninfected disks or programs. Damage: The BFD virus decreases total system memory by 2K bytes when the system is booted from an infected disk. It overwrites original files, so the length of infected files won't increase. Detection Method: None. Notes: 1) BFD hooks INT 24h when infecting files or Boot Sector. It omits I/O errors (such as write protect).
Virus Name: BFD-B Virus Type: File Infector Virus and Boot Sector Infector (multi-partite) Virus Length: No change. PC Vectors Hooked: INT 13h, INT 24h Infection Process: 1) When you execute the file, BFD-B will check to see whether the Boot Sector of the hard disk has been infected. If it hasn't, it will infect the boot sector. 2) If the virus finds that it is not already resident in memory, it loads itself by hooking INT 21h and INT 13h. Once it's in resident memory it will infect boot sectors and files while "READING and WRITING" uninfected disks or programs. Damage: Overwrites original files, so the length of infected files won't increase. Detection Method: None. Notes: BFD hooks INT 24h when infecting files or boot sector. It omits I/O errors (such as write protect).
Virus Name: BOGUS Virus Type: Partition table Infector and File Infector Virus Virus Length: No change. PC Vectors Hooked: INT 21h, INT 24h, INT 13h. Infection Process: 1) The virus loads itself into the last 4K bytes of resident memory and then hooks INT 13h. 2) It continues to infect any executed program. Damage: The BOGUS virus decreases the total system memory by 4K bytes, when the system is booted from an infected disk. When the number of infected files exceeds 2710, BOGUS destroys all the data on the hard disk. Detection Method: Check to see whether the file head is INT 13h (AX=90 or 91). Notes: 1) BOGUS hooks INT 24h when infecting files. It omits I/O errors (such as write protect). 2) If the computer is booted from a diskette, you will not be able to view the hard drive.
Virus Name: BOGUS-B Virus Type: File Infector Virus (.COM and .EXE files) and Partition Table Infector Virus Length: No change PC Vectors Hooked: INT 21h, INT 24h, INT 13h Infection Process: 1) When you execute a file infected with the Bogus-B virus, it will check to see whether Sector #1 has been infected. If it hasn't, BOGUS-B will go ahead and infect sector #1. 2) Next, it checks to see whether it is loaded resident in memory. If it isn't, it loads itself by hooking INT 21h and INT 13h, and then executes the original file. 3) Once it's resident in memory, the BOGUS-B virus can infect any executable programs. Damage: When the number of infected files exceeds 2710h, BOGUS-B destroys all data on the hard disk. Detection Method: Check to see if the file head is INT 13h (AX=90 or 91). If it is: 1) Check whether it hooks INT 21h. a) When the system starts, 21_flag is set to 3. b) Check whether INT 21h is called by another program; if "yes", 21_flag is decreased by 1. c) When 21_flag=0, BOGUS hooks INT 21h to infect other files. 2) Check whether a read of sector #1 is requested; if "yes", the original data of sector #1 is shown. 3) Check whether AX=90 or 91; if "yes", the real interrupt is executed. Notes: BOGUS hooks INT 24h when infecting files. It omits I/O errors (such as write protect).
Virus Name: BKMonday Other Names: Virus 1055 Virus Type: File Infector Virus Virus Length: 1055 bytes PC Vectors Hooked: Int 21 Damage: Formats first 240 cylinders of the first hard drive. Detection Method: Overwrites the original file in order to hide changes to the file after infection. Notes: Loads itself resident in memory. An error message appears if an I/O error (such as write protect) occurs.
Virus Name: Bulgarian Virus Other Names: Virus 1800, Sofia virus, Dark Avenger Virus Type: Parasitic Virus and Boot Strap Sector Virus Virus Length: Approx. 1800 bytes PC Vectors Hooked: Int 21 Infection Process: 1) The virus checks to see whether it is already loaded resident in memory. If it's not, it loads itself by hooking INT 21h. 2) Bulgarian Virus then executes the original file. 3) Once it's loaded into resident memory Bulgarian Virus will infect any uninfected file that is executed. Damage: Virus reads boot sector of the disk, and (offset 10, OEM decimal version) marks the number of programs which were executed from the disk MOD 16. If it is zero (after every 16 programs!!), it overwrites a random cluster on the disk with part of its own code. The cluster number is then stored in boot sector at the position offset 8 (OEM main version). Modified boot sector is then written back onto the disk. Detection Method: Infected file size increases by 1800 bytes. Notes: 1) Loads itself resident in memory. 2) Bulgarian Virus doesn't hook INT 24h when infecting files. An error message appears if an I/O error (such as write protect) occurs.
Virus Name: Bur-560h Virus Type: Parasitic Virus (.COM files affected) Virus Length: No change PC Vectors Hooked: None Infection Process: 1) The virus searches for .COM files through the current path. 2) The virus checks to see whether the file is infected. If the file has been infected, the virus continues to search till an uninfected file is found and then infects it. (It infects only one file each time.) Damage: The virus infects the files by covering up the original files, so the lengths of the files do not increase and the functions of the original files can not be executed. Remarks: 1) Non memory resident. 2) When infecting files, the virus does not hook INT 24h. An error message appears if an I/O error (such as write protect) occurs.
Virus Name: Benoit Virus Type: Parasitic Virus Virus Length: 1183 bytes (Does not infect .EXE files) PC Vectors Hooked: INT 21h Infection Process: 1) Benoit checks to see whether it resides in memory. If it's not there, the virus hooks INT 21h and resides in high memory and then runs the host program. 2) If the virus already resides in memory, Benoit will execute the host programs directly. Benoit infects the file by "AH=4B" in INT 21h. When an uninfected file is executed, it will be infected (does not infect .COM files). When infecting files, the virus does not hook INT 24h. Error information will appear when I/O errors occur. Damage: None Detection method: Infected file size increases by 1183 bytes.
Virus Name: Bljec-1 Virus Type: .COM File infector Virus Length: 301 bytes Infection Process: If the current month is September, Bljec-1 will format the first 16 sectors of the current disk, then infect all .COM files in the current directory. Damage: Formats the first 16 sectors of the current disk if the current month is September. Notes: Date and time of infected files do not change. Detection Method: Infected file size increases by 301 bytes.
Virus Name: Bow Virus Type: .EXE and .COM File infector Virus Length: 5856 bytes Infection Process: The Bow virus checks to see whether it is resident in memory. If not, it will stay resident in high memory. Next, it hooks INT 21h and goes back to the original routine. Vectors hooked: Hooks INT 21H (AH=4Bh) to infect files. If the program to be executed is an uninfected .COM or .EXE file, the virus proceeds to infect it. Damage: None Notes: 1) You will see an error message when writing because INT 24h has not been hooked. 2) This virus is written with an advanced language. Detection Method: Infected file size increases by 5856 bytes.
Virus Name: Brother-300 Virus Type: .EXE File infector Virus Length: 300 bytes Infection Process: First, it determines whether it has stayed resident in memory. If not, it will stay resident in high memory. Next, it will hook INT 21h and go back to the original routine. Vectors hooked: Hooks INT 21H (AH=4Bh) to infect files. First, it hooks INT 24h so that it leaves no trace when writing. If the program to be executed is an uninfected .EXE file, the virus creates a new .COM file with the same name as the .EXE file. This new .COM file is the virus. Damage: None Detection Method: Infected file size increases by 300 bytes.
Virus Name: Bert Virus Type: .COM and .EXE File infector Virus Length: 2294 bytes Infection Process: First, Bert determines whether it has stayed resident in memory. If it's not there, it will stay resident in high memory. Next, it hooks INT 21h and goes back to the original routine. Vectors hooked: Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed is an uninfected .COM or .EXE file, the virus proceeds to infect it. Damage: None Detection Method: Infected file size increases by 2294 bytes.
Virus Name: BLOODY_WARRIOR Virus Type: Resident at the top of the MCB (memory control block) Virus Length: 1344 bytes in the file and 2768 bytes in memory PC Vectors Hooked: Infection Process: Virus infects .EXE files and .COM files smaller than EA60h bytes. It will not infect the following files: "SCAN", "STOP", "SHIELD", "CLEAN", "CV", "DEBUG", "TD." This virus can spread only by executing an infected program. Damage: BLOODY_WARRIOR destroys disk sectors 1 through 256. It progressively writes garbage to the current disk from sectors 1 to 256 when it is the fourth day or later in the month of July. Detection Method: Length of the infected file increases by 1344 bytes. Symptoms: When a BLOODY_WARRIOR infected program is executed it will be: 1. Resident at the top of system memory but below the 640k DOS boundary. The available free memory will be decreased by 2768 bytes. 2. Interrupt 21h will be hooked. When the BLOODY_WARRIOR virus is memory resident, in order to infect the files the virus will control the following functions: - loading and executing (AX=4B00h) - opening (AH=3Dh) - get and set file attribute (AH=43h) - rename a file (AH = 56h) It will infect .COM files of less than EA60h bytes and .EXE files when they are executed, opened, when getting file attributes, or when renaming files. Infected programs will increase in size by 1344 bytes, with the virus being located at the end of the file. If file header is "SCAN", "STOP", "SHIELD", "CLEAN", "CV", "DEBUG", or "TD" the virus will not infect them but will instead restore int 21h to the original interrupt vector so these files will not be able to detect the virus. 3. This virus will only activate in July, on the 4th or later. It will write garbage to the current disk from sectors 1 to 256. The garbage data includes the message: "Hello, world! I am the Bloody Warrior. Nice to meet you. What about this virus ? Funny ? There is no hope for you. This virus was released in Milan 1993." 
Notes: There is a possibility of detection when using DOS commands.
Virus Name: Bung-1422 Virus Type: .COM File infector Virus Length: 1442 bytes Infection Process: Bung-1422 first checks to see whether it has stayed resident in memory. If it hasn't, it will stay resident in high memory. Then it hooks INT 21h and goes back to the original routine. If the current date is September 20, Bung-1422 displays the message: "Jonhan Bonhn - September 20 1980 - L E D Z E P P E L I N -" Vectors hooked: Hooks INT 21H (AH=4Bh). First, it hooks INT 24h so that it leaves no trace when writing. If the program to be executed is an uninfected .COM file, the virus infects it directly. If the program to be executed is an .EXE file, the virus will search for an uninfected .COM file and infect this .COM file. Finally, the virus restores INT 24h. Damage: None Detection Method: Infected file size increases by 1422 bytes.
Virus Name: Beer Virus Type: File infector Virus Length: Infection Process: Virus checks to see whether it is already resident in memory. If it isn't, it will stay resident in high memory, then hook INT 21h and go back to the original routine. Vectors hooked: Hooks INT 21H (AH=4Bh) to infect files. First, it hooks INT 24h so that it leaves no trace when writing. If the program to be executed is an uninfected file, the virus proceeds to infect it. Damage: None Notes: This virus has at least three variants.
Virus Name: Basedrop Virus Type: .EXE file infector Virus Length: Infection Process: 1) There is a 25% chance that the virus will search for an uninfected .EXE file in the current directory, then infect it. (It infects only one file at a time.) 2) There is a 25% chance that the virus will search for an uninfected .EXE file in the current directory, then infect it and then display a message asking the user to input the word "SLOVAKIA." The virus will wait until the user inputs this word, then terminate. 3) There is a 50% chance that the virus program will not infect files. Damage: None
Virus Name: BURG1150
Virus Type: File type
Virus Length: 1,150 bytes
Virus Infect Type: .EXE files
Trigger Condition: 14th minute
Virus Re-infect: No
Virus Memory Type: High Memory Resident
Place of Origin:
Int Vector Hooked: INT 21H, INT 22H, INT 23H, INT 24H
Infection Procedure:
The virus only infects .EXE files. It adds 1,150 bytes to an infected file. It encrypts the host's SS, SP, IP, and CS registers in its header and saves them somewhere in the virus program so that it will be difficult for anti-virus programs to clean them. It copies its program into high memory at 9FAA:0000. Then it hooks interrupt 21H by pointing it to its program in high memory at 9FAA:0058, so that it can infect .EXE programs as they are loaded and executed. During infection it checks the current time. If it is the 14th minute of the hour, it dumps the string "Burglar/H" to the text-mode screen (B800:0000) with the blinking attribute. Another text string that can be seen inside the viral code is "AT THE GRAVE OF GRANDMA". It also hooks the Ctrl-C handler, INT 23H, and points it to 9FAA:016D. Upon pressing Ctrl-C, it tries to infect COMMAND.COM in the current drive. It also hooks the critical error handler, INT 24, in order to hide the file infection whenever there's a virus write error to the host (if the disk is write protected).
Symptom:
Increase by 1,159 bytes in the host's file length.
Virus Name: BYWAY-A
Virus Type: Polymorphic type
Virus Length: 3,216 bytes
Virus Infect Type: .COM, .EXE files, MBR
Virus Memory Type: Memory resident, MCB type
Int Vector Hooked: INT 21H
The virus is an encrypting type and can infect both .COM and .EXE files. It corrupts the Master Boot Sector. It hooks INT 21H such that it cannot be seen in the interrupt vector table, but hooks to their routines directly. It infects the host by corrupting the file and sometimes overwriting its viral code to the host and erasing the host's program. It allocates its program in the low memory with the DOS resident programs. Once resident it infects a file when it is loaded, executed or copied. Most of the time an infected file will not display the change in its size, time and date attributes once it is infected. Once infected the files cannot be overwritten by its own or other programs, and cannot be deleted directly unless the subdirectory where it is located is deleted. Encrypted trigger dates were seen but the payload is unknown. The following are the trigger dates:
JAN 4     JUL 16
FEB 6     AUG 18
MAR 8     SEP 20
APR 10    OCT 22
MAY 12    NOV 24
JUN 14    DEC 26
On these dates, the virus will not overwrite the Master Boot Sector which will render the current drive unbootable. Decrypted text string can be seen in the viral code:
"<by:Wai-Chan,Aug94,UCV>"
Variant:
Like BYWAY-A, on the trigger dates, the virus will not overwrite the Master Boot Sector which will render the current drive unbootable. The decrypted viral code contains the following text strings:
"The-HndV" "By:W.Chan-N"
Damage:
Corrupts the Master Boot Sector.
Infected files cannot be overwritten or deleted in their current directories.
Virus Length: 1855 bytes
Virus Infect Type: .COM files
Virus Memory Type: Non-memory resident
Int Vector Hooked:
The virus first searches for COMMAND.COM in drive C. If the search fails the virus program just terminates. If the file is present it checks if its first byte is a jump instruction (E9H). If it is, it infects it, and if it's not, the virus program just terminates leaving no harm to the file. Thus, the virus infects an infected COMMAND.COM first. After attaching itself to the file the virus is executed every time the system boots up. It checks whether the current month is June. If it is, then it searches and infects .COM files in drive A.
Detection method: Increase in .EXE file size by 2051 bytes.
Virus Name: BADS3428
Virus Type: Parasitic, File Type
Virus Length: 3,434 bytes
Original Name: BAD SECTOR 1.2
Virus Memory Type: High memory resident
Int Vector Hooked: INT 8H, INT 16H, INT 26H, INT 21H, INT 25H
The virus only infects .COM files. It increases an infected file's size by 3,434 bytes. The virus infects the host file by attaching itself at the end of the file. The virus becomes memory resident upon loading and executing an infected file. While memory resident it can corrupt other .COM files on the disk when a file is opened or copied, and sometimes causes a memory allocation error. It can also hide the change in the size of infected files when resident. The virus replicates its code in high memory at 9EC0:0000 and stays resident there. It hooks INT 21 and changes its vector to point to its program in high memory at 9EC0:002A. It uses this interrupt to attach itself to the host program. It also hooks other interrupts such as INT 8H (9EC0:0876), INT 16H (9EC0:08A5), INT 25H (9EC0:0FBC), and INT 26H (9EC0:0FC6), but no payload is seen. The virus just replicates itself and corrupts existing .COM files. The following text strings can be seen inside the virus code:
"Bad Sectors 1.2" "COMEXE"
Damage: Corrupts executable files.
Detection method: Increases the host file size by 3,434 bytes.
Virus Type: File Virus Type, Soft Mice
Other Name: Major BBS
Virus Length: 1642-1644 bytes
Virus Infect Type: EXE files only
Int Vector Hooked: INT 21, INT 8
This virus will first decrypt 1595 bytes of its virus code. Then it will check whether the executed file is already infected; if it is not, it will copy its encrypted code to it. Then it will copy its 1644 bytes of code to high memory but will allocate 30384 bytes in memory. Then it will get the DOS Re-entrancy Flag, which DOS looks up if an INT 21 is used. It will then hook INT 21 and INT 8 and then it will just terminate.
Damage: There is no evident damage this virus can do but will decrypt this message:
"The Major BBS Virus" "created by Major tomTugger"
Detection method: This virus will prompt a write protect error when you are trying to execute a read command like in opening a file.
Virus Name: BARR1310
Other Name:
Virus Length: 1310 bytes
Virus Infect Type: .COM & .EXE files
Trigger Condition: January 5
Int Vector Hooked: INT 1CH, INT 21H
The virus is a file type virus that infects both .COM and .EXE files. It adds 1303 bytes to an infected file. It copies its program to the high memory at 9F9C:0100; thus, overlapping with the video adapter memory. It hooks to INT 21H by changing its vector to point to its program at 9F9C:017B. This will allow the virus to infect loading and executing files. Once it becomes resident in the memory it checks the date. If it is January 5, it will change the interrupt vector of INT 1CH to point to its program in the high memory at 9F9C:049F. Then it overwrites the MBR of drive C; thus, destroying its partition. Since INT 1CH is a clock tick interrupt, the program it is pointing to is executed 18.2 times per second. The program at this interrupt displays: "Virus BARROTES pro OSoft" on a blue background, and four vertical, flickering bars across the screen. At this point the user can still use the machine if they can tolerate the eye straining bars.
Destroys drive C: MBR and partition table. Corrupts video display.