Virus Name: Vcl9 Virus Type: File Infector Virus (infects .EXE & .COM files) Virus Length: No change
PC Vectors Hooked: None Executing Procedure: 1) Searches for .COM or .EXE files in the current directory. 2) It checks whether the first file found has been infected by VCL9. If it has, it continues looking for any uninfected .COM or .EXE file. 3) It then infects only two files at a time. Damage: Overwrites original files. The length of infected files won't increase. Note: 1) Doesn't stay resident in memory. 2) VCL9 doesn't hook INT 24h when infecting files. Error message occurs if there is an I/O error (such as write protect).
Virus Name: V-sign Alias Name: Cansu, Sigalet, Sigalit Virus Type: Boot Virus Virus Length: N/A Description: This virus infects floppy boot sectors. Interrupt vectors hooked: INT 13h. Infection method: 1) When an infected disk is booted, the virus loads itself in memory. 2) While loaded, it infects any accessed disk. Detecting method: 1) The DOS CHKDSK program will show a "total bytes memory" decrease of 2 KB. Damage: After infecting 64 disks, the virus displays a large V and hangs the machine.
Virus Name: V2P6 Alias Name: Virus Type: File Virus Virus Length: 1,946 to 2,111 bytes Description: This virus infectes *.COM files. When an infected file is executed, the virus will infect the first *.COM file in the same directory that is not already infected. Infected files will experience a file length increase of 1,946 to 2,111 bytes in length with the virus being located at the end of the file.
Virus Name: Vcl-2-B Virus Type: File Infector Virus (infects .COM files) Virus Length: 663 Bytes(COM)
PC Vectors Hooked: None Executing Procedure: 1) Searches for a .COM file in the current directory. 2) Once it locates a file it checks whether it has been infected by VCL-2. If it has, it continues to look for any uninfected .COM file. 3) It will infect only two files at a time. Damage: None Detecting Method: 1)Infected files will increase by 663 Bytes.
Note: 1) Doesn't stay resident in memory. 2) VCL-2 doesn't hook INT 24h when infecting files. Error message occurs if there is an I/O error (such as write protect).
Virus Name: Vdv-853 Virus Type: File Infector Virus (infects .COM files) Virus Length: 853 Bytes(COM)
PC Vectors Hooked: None Executing Procedure: 1) Checks whether system date is between the 24th and 26th of December. If it is, the virus will delete all files in the current directory, then create a file with 273 bytes and show the message:"Frhliche Weihnachten wnscht der Verband Deutscher Virenliebhaber Ach ja, und dann wnschen wir auch noch viel Spab beim Suchen nach den Daten von der Festplatte! Hello - Copyright S&S International, 1990". 2a) If it isn't, then it will search for a .COM file in the current directory. 2b) Once it locates a file, it checks whether it has been infected by VDV-853. If it has, continue to look for an uninfected .COM file. 2c) It will infect only four files at a time. Damage: 1) If the system date is between the 24th and 26th of the December, the virus will delete all files in current directory. Detecting Method: 1)Infected files will increase by 853 Bytes.
Note: 1) Doesn't stay resident in memory. 2) VDV-853 doesn't hook INT 24h when infecting files. Error message occurs if there is an I/O error (such as write protect). 3) Virus pattern is the same as "SON_OF_VSC_2."
Virus Name: Virus9 Virus Type: File Infector Virus (infects .COM files) Virus Length: 256 Bytes(COM) PC Vectors Hooked: None Executing Procedure: 1) Searches for a .COM file in the current directory. 2) It infects all uninfected files until all files in the current and the "mother" directory have been infected. Damage: None Detecting Method: Infected files will increase by 256 Bytes.
Note: 1) Doesn't stay resident in memory. 2) Virus9 doesn't hook INT 24h when infecting files. Error message occurs if there is an I/O error (such as write protect). 3) Infected files will not be further damaged or infected.
Virus Name: VIENNA-11 Virus Type: File Infector Virus (infects .COM files) Virus Length: 943 Bytes(COM) PC Vectors Hooked: None Executing Procedure: 1) Checks whether the system's clock seconds are equal to SECOND=.0004, If "yes," then the following message will appear on the screen: "Sorry this computer is no longer operational due to an outbreak of Bush is hero, Have a Nice day. . . " 2) Next it will check as to whether the time is equal to TIME = 7:45 on March 24th. If "yes," then the following message will appear on the screen:"VIPERizer, Strain B (c) 1992, Stin gray/VIPER Happy Valentines Day !" It then destroys all the data on all of the disks ( including the hard disk). 3) If "no," it searches for a .COM file in the current directory. 4) Checks whether it has been infected by Vienna-11. If "yes," it continues to look for an uninfected .COM file. 5) Then it infects only one file at a time. Afterwards, it executes the original file. Damage: Destroys all of the data on all of the disks. Detecting Method: Infected files will increase by 943 Bytes.
Note: 1) Doesn't stay resident in memory. 2) Vienna-11 doesn't hook INT 24h when infecting files. An error message occurs if there is an I/O error (such as write protect).
Virus Name: VORONEZH-2 Virus Type: Highest Memory Resident, File Infector Virus (infects .COM & .EXE files). Virus Length: 1600 Bytes (COM & EXE) PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h Infecting Procedure: 1) The virus checks whether it is already loaded resident in memory. If not, it then loads itself into resident memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded into resident memory it will infect any uninfected file that is executed. Damage: None. Detecting Method: Infected files increase by 1600 Bytes. Note: The Voronezh-2 virus hooks INT 24h when infecting files. It omits I/O errors (such as write protect).
Virus Name: Vacsina V16h Other names: Virus 1339 Virus Type: Parasitic Virus, RAM resident Virus Length: Approx. 1339 bytes Executing Procedure: 1) The virus checks whether it is already loaded resident in memory. If not, it then loads itself into resident memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded into resident memory, it will infect any uninfected file that is executed. Damage: The virus modifies the Ping-Pong virus in memory. The virus changes two bytes, jumps, and adds one subroutine. It is interesting that the Ping-Pong virus is ready to change in this way. After 255 reboots, the infected disk is deactivated in memory returning original interrupt vector to 13h with the value of 0:413h. The virus proceeds to play the "Yankee Doodle" song. Note: Loads itself resident in memory. An error message occurs if there is an I/O error (such as write protect).
Virus Name: VVF34 Other names: None Virus Type: File Infector Virus Virus Length:.EXE 1614-1624 bytes and .COM 1614 bytes. Executing Procedure: 1) The virus checks whether it is already loaded resident in memory. If not, it then loads itself into resident memory by hooking INT 21h. 2) It then executes the original file. 3) With itself loaded into resident memory, it will infect any uninfected file that is executed. Damage: The virus hooks 1Ch. After the virus has resided in memory for 5 minutes and 15 files have been infected, the virus will proceed to draw a portrait in the center of the screen. The virus will also hook the interrupt 9h (keyboard interrupt). The virus will then display the following message when the user presses any key: "Bu, Bu, Bu..." Detecting Method: Increases infected file size by 1614/1624 bytes Note: Loads itself resident in memory. An error message occurs if there is an I/O error (such as write protect).
Virus Name: Violator Other names: Violator Strain B, Violator BT Virus Type: File Infector Virus Virus Length: .COM 1055 bytes Executing Procedure: 1) The virus checks whether it is already loaded resident in memory. If not, it then loads itself into resident memory by hooking INT 21h. 2) It then executes the original file. 3a) With itself loaded into resident memory it will infect any uninfected file that is executed. 3b) It doesn't infect .EXE files. Damage: 1) Infected .COM files increase by 1055 bytes. 2) If the system date is after Aug 15, 1990, virus will format the first cylinder of current drive. Note: 1) Loads itself resident in memory. An error message occurs if there is an I/O error (such as write protect).
Virus Name: Virus-90 Other names: None Virus Type: File Infector Virus Virus Length: .COM 857 bytes Executing Procedure: 1) The virus checks whether it is already loaded resident in memory. If not, it then loads itself into resident memory by hooking INT 21h. 2) It then executes the original file. 3a) With itself loaded into resident memory it will infect any uninfected file that is executed. 3b) It doesn't infect .EXE files. Damage: Infected .COM files increase by 857 bytes. Detecting Method Virus displays: "Infected" when a file is infected. Note: 1) Loads itself resident in memory. An error message occurs if there is an I/O error (such as write protect).
Virus Name: Vienna Other Names: 648, PC Boot, Austrian virus Virus Type: Parasitic Virus Virus Length: 648 bytes Symptoms: Increases infected file sizes by 648 bytes and files containing string "*.COM" and "PATH=". Destroyed programs will cause the computer to reboot while in operation. Damage: With a 1 in 7 chance, the virus will not infect other files. The virus writes the instruction JMP F000:FFF0 (computer reboot) at the start of such a program. Original content is destroyed, length of file is not changed, and destroyed programs contain a virus flag.
Virus Name: V2000 Other Names: 21 century virus Virus Type: Parasitic Virus Virus Length: 2000 bytes Symptoms: 1) Increases infected .COM and .EXE file sizes by 2000 bytes. 2) Decreases size of free RAM memory by 4KB. 3) Infected files contain the following strings: "(C) 1989 by Vesselin Bontchev". Damage: No damage.
Virus Name: Vcl-2 Virus Type: Parasitic Virus. Virus Length: Infected COM file sizes increase by 663 bytes (Does not infect EXE files). PC Vectors Hooked: None Executing Procedure: 1) Searches for a COM file in the current directory. 2) Checks if the file is infected. If it is, continues to search. 3) If an uninfected file is found, it proceeds to infect it (infects only two files each time). Damage: None. Detecting Method: Detectable if the files increase by 663 bytes Note: 1) Not memory resident. 2) When infecting files, the virus does not hook INT 24h. Error message will appear when I/O errors occur.
Virus Name: V-66 Virus Type: File infector (*.*) Virus Length: 66 bytes Executing Procedure: 1) Infects all files on current directory. 2) Method: changes all files' attributes, making them writable. 3) Proceeds to overwrite first 66 bytes of each file with virus code. Damage: It will overwrite original files with virus code. Original files are destroyed. Detecting Method: Date and time of infected files changed.
Virus Name: Vcl408 Virus Type: Overwrites, EXE & COM File infector Virus Length: 408 bytes Executing Procedure: 1) Searches for one uninfected COM or EXE file on each directory and infects it. 2) Virus records whether initial infection is successful or not. Subsequent record will overwrite original. Last record is record of last infection. Virus checks this record before terminating. If record fails, virus halts system. Damage: 1) Files destroyed after becoming infected. 2) Halts system on occasion. Note: 1) Date and time of infected files do not change. 2) Length of infected files does not change unless the length of original files is less than 408. If so, the length of infected files becomes 408 bytes.
Virus Name: V-550 Virus Type: Memory Resident, EXE File infector Virus Length: 550 bytes Executing Procedure: 1) Checks whether it has not stayed resident in memory, and whether the block of memory of the current program during execution is the last MCB. 2) If so, it will move itself to high memory, then hook INT21h and go back to the original routine. Vectors hooked: 1)Hook INT 21 to check whether it has stayed resident in memory. 2)Hook INT 21 to check whether the program to be executed is an uninfected EXE file. If it is, infect it. Damage: None Detecting Method: 1)Date and time of infected files changed. 2)Infected files will increase by about 550 bytes. 3)The total memory decreased 39 pares after virus has stayed resident in memory.
Virus Name: Version Virus Type: Memory resident, COM File infector Virus Length: 708 bytes Executing Procedure: 1) First, It will decode its first 3 bytes. 2) Then it will check whether it has stayed resident in memory. If it has, it will go back to the original routine directly. Otherwise, it will stay resident in high memory, then hook INT21h and go back to the original routine. Vectors hooked: 1)Hook INT 21h(AH=30h) to make the result of getting DOS Version is not right. 2)Hook INT 21h(AX=4203h) to verify that memory has been infected by returning AX=6969h. 3)Hook INT 21h(AX=4B00h)to infect COM files. Damage: The call of getting DOS Version could not run correctly. Note: This virus can not run correctly. That means it is just a half finished product. Detecting Method: 1)Date and time of infected files changed. 2)Infected files will increase by 705 bytes.
Virus Name: Versikee-1326 Virus Type: EXE File infector Virus Length: 1326 bytes Executing Procedure: 1) Searches for an uninfected EXE file and infects it (It infects only one file once a time). It searches the root directory and all of its subdirectories. 2) If there is an infectable file, it will check system time. If the current second is a multiple of 8, it destroys the first 5 bytes of the file. Otherwise, it infects it. 3) At last, it goes back to the original routine. Damage: Sometimes the first 5 bytes of files are destroyed. Note: Date and time of infected files do not change. Detecting Method: Length of infected files would increase. The algorithm is: First, add original length to let it became a multiple of 16, and then increase it by 1326 bytes.
Virus Name: Vengence-A Other Name: Vengence-194 Virus Type: *.C* File infector Virus Length: 194 bytes Executing Procedure: It will infect all *.C* files on current directory. The method of infection is: Overwrite files's first 194 bytes by virus code. So if the original file is less than 194 bytes, it will be 194 bytes after being infected. Otherwise, size of file does not change. Damage: It will overwrite first 194 bytes of original files by virus code. So original files are destroyed. Detecting Method: 1)Date and time of infected files changed. 2)There is text at the end of infected files. The text is: "Vengence-A virus. Lastest release from Swedish Virus Association. Released: 7th of May 1992. Happy hacking and greetings to all Virus writers..."
Virus Name: Vengence-B Other Name: Vengence-252 Virus Type: *.C* (Mainly COM) File infector Virus Length: 252 bytes Executing Procedure: It will infect first *.C* file on current directory. The method of infection is: Overwrite file's first 252 bytes by virus code. So if original file is less than 252 bytes, it will be 252 bytes after been infected. Otherwise, size of it does not change. Damage: It will overwrite first 252 bytes of original files by virus code. So original files are destroyed. Note: Date and time of infected files do not change. Detecting Method: There text at the end of infected files. The text is: "Vengence-B virus. Lastest release from Swedish Virus Association. Released: 8th of May 1992. Satan will come and rule his world and his people!"
Virus Name: Vengence-C Other Name: Vengence-390 Virus Type: *.C* (Mainly COM) File infector Virus Length: 390 bytes Executing Procedure: It will infect first *.C* file on current directory. The method of infection is: Overwrite file's first 390 bytes by virus code. So if original file is less than 390 bytes, it will be 390 bytes after been infected. Otherwise, size of it does not change. Damage: It will overwrite first 390 bytes of original files by virus code. So the original files are destroyed. Note: 1)Date and time of infected files do not change. 2)When the virus is executed, it will check if there is virus scanning software like F-LOCK, F-POPUP, F-FCHK, F-DLOCK, ThunderByte, TBSCANX. If any of these softwares is found, stop executing. Detecting Method: There is text at the end of infected files. The text is: "Vengence-C virus. Lastest release from Swedish Virus Association. Released: 8th of May 1992. Satan will come and rule his world and his people!"
Virus Name: Vengence-D Other Name: Vengence-435 Virus Type: *.C* (Mainly COM) File infector Virus Length: 435 bytes Executing Procedure: First, it will check whether current time is 12:00(AM). if it is, display a message and then increase system time by an hour. The message is: "Vengence-D virus. Lastest release from Swedish Virus Association. Released: 8th of May 1992. Satan will come and rule his world and his people!" Then it will infect first *.C* file on current directory. The method of infection is: Overwrite file's first 435 bytes by virus code. So if original file is less than 435 bytes, it will be 435 bytes after been infected. Otherwise, size of it does not change. Damage: It will overwrite first 435 bytes of original files by virus code. So original files are destroyed. Note: 1)Date and time of infected files do not change. 2)When the virus is executed, it will check whether there is virus scanning software like F-LOCK, F-POPUP, F-FCHK, F-DLOCK, ThunderByte, TBSCANX . If any of these is found, it will stop executing. Detecting Method: The text listed above is at the end of infected files.
Virus Name: Vengence-F Other Name: Vengence-656 Virus Type: *.C* (Mainly COM) File infector Virus Length: 656 bytes Executing Procedure: First, it will check whether current time is 12:00(AM). if it is, display a message and then increase system time by an hour. The message is: "Vengence-F virus. Debugging session unlimited." Then it will infect the first *.C* file on the current directory and all its parent directories. The method of infection is: Move first 656 bytes of original file to the end, then write virus code into first 656 bytes. Then attach "SVC" to the end of it. Damage: Infected programs cannot be executed. Note: 1)Date and time of infected files do not change. 2)When the virus is executed, it will check : (1)whether it is being traced by Debug. If it is, halt system. (2)whether there is virus scanning software like F-LOCK, F-POPUP, F-FCHK, F-DLOCK, ThunderByte, TBSCANX. If any of these softwares is found, stop executing. Detecting Method: 1)The text listed above is at the back of infected files. 2) There is a message at the back of infected files. The message is "SVC". 3)Infected files will increase by 656 bytes. Cleaning Method: First, omit first 656 bytes from infected files, then omit "SVC" from the end. If length of current file is larger than 656 bytes, move latest 656 bytes to the beginning.
Virus Name: V500 Virus Type: Memory Resident(OS), COM File infector Virus Length: 500 bytes Executing Procedure: Virus checks whether the DOS Version is 3.3. If not, goes back to original routine directly. Otherwise, it will stay resident in memory (OS area). Then, when an interrupt among INT 00h to INT 0CH is called, the system will call INT 86h automatically to infect COM files executed (Length must be between 200h bytes and F600h) and goes back to the original routine. A file can be infected many times. The method of infection is: First, move first 500 bytes of original file to the end. Then write virus code into first 500 bytes of the file. Vectors hooked: 1) Hook INT 21H(AH=4Bh) to infect files. 2) It will check whether the program to be executed is a COM file. If it is, the virus proceeds to infect it. Damage: None Note: Date and time of infected files do not change. Detecting Method: Infected file sizes increase by 500 bytes.
Virus Name: Variety Virus Type: COM File infector Virus Length: 625 bytes Executing Procedure: 1) The virus decodes first. 2) Then it infects a COM file on the current directory (It only infects one file at a time). 3) The method of infection is: Encode the virus code, then attach it to the end of the original file. Damage: None Note: 1) If DOS Version is not above 2.0, it will not infect any files. 2) Time and date of infected files do not change. Detecting Method: Infected file sizes increase by 625 bytes.
Virus Name: V-388 Virus Type: COM File infector Virus Length: 394 bytes Executing Procedure: 1) Checks whether it has stayed resident in memory. If not, it will stay resident in high memory. 2) Then it hooks INT 21h and goes back to original routine. Vectors hooked: 1) Hooks INT 21H(AH=4Bh) to infect files. 2) First, it will hang INT 24h to prevent divulging its trace when writing. If the program to be executed is an uninfected COM file, and this program ends with INT 21(AH=4Ch), the virus proceeds to infect it. Damage: None Detecting Method: Infected file sizes increase by 394 bytes.
Virus Type: File Type Virus
Virus Length: Encrypted code size is 912 bytes
Virus Memory Type: High Memory
INT Vectors Hooked: Int 21, Int 27
Place of Origin:
Infection Procedure:
Loads itself to high memory. Loads approximately 1328 bytes in memory. Infects *.COM files. Copies virus code to host program. Code size added is 912 bytes. Loads the virus first before running the host program. While in memory, COM files opened will be infected. Virus code is transferred to the allocated memory space using Int 21 (4A). Executes actual virus code immediately upon meeting the requirements. The virus is TSR, using Int 27. Basically, the virus reacts by transferring its code to high memory before actually attaching it to the code itself.
Symptom:
May display:
"Saludos para Satanic Brain y Patoruzi" "Virus Vinchaca v.1,0 1993" "Creado por Murdock." "Buenos Aires, Argentina" "Su PC tiene mal chagas....jajaja...." which appears in the virus code.
Detection method:
Decrypt virus code before detection. Look for the above strings.
Note:
The virus code contains Int 13 (16) which tests for the disk change information.
Other Name: VIENREBO
Virus Length: Approximately 648 bytes
Virus Re-infect: Does not re-infect, infected file size is consistent. If the file is already corrupted it skips, and looks for another COM file.
Virus Memory Type: Non Resident, Direct Infector
INT Vectors Hooked: Int 21
Directly infects *.COM files if source virus file is executed. Copies virus code to host program. Adding approximately 648 bytes. Loads the virus first before running the host program.
The virus first task is to get and set DTA for transfer purposes. The virus then searches for *.COM files within the directory using Int 21 (4E & 4F). If the search is successful, the virus gets the file's attribute using Int 21 (43). It changes its attribute to enable itself to write on it, (especially for the COMMAND.COM). It takes note of the file time and date using Int 21 (51) so that when it accomplishes its task of altering the code, it can save it using the original file time and date. This therefore deceives the user that the file was never been changed.
Every time an infected file is executed, one COM file is infected within the same directory.
Damage:
Increase in file size. Adds approximately 648 bytes. Corrupts COMMAND.COM, making it unusable. Other COM files run normally.
Delay in program execution due to virus activity.
Virus Length: Approximately 1062 bytes
INT Vectors Hooked: Int 21, Int 10
Loads itself to high memory. Loads approximately 1,136 bytes in memory. Infects *.EXE files. Copies virus code to host program, adding approximately 1091-1106 bytes. Loads the virus first before running the host program. While in memory, EXE files opened will be infected.
Virus code is decrypted. The virus reacts ordinarily by allocating space in memory before infecting files. Nothing extraordinary happens. It just attaches its code to the host program.
"Smartc*.cps chklist*" "-=* Die-lamer *=-" "chklist ???" "chklist.cps" "Vlamix-1"
which appears in the decrypted code.
Other Name: VACSINA
Virus Length:
Virus Re-infect: Does not reinfect
Virus Memory Type: MCB Type
Loads itself to high memory. Loads 1216 bytes in memory. Infects *.COM and *.EXE files. Copies virus code to host program. Loads first the virus before running the host program. While in memory, files opened will be infected.
Virus tries to create a new segment address for it to run its code. This one is used primarily to switch between the host program and the virus itself. Using Int 21, Function 50. What it does basically is to tell the operating system that the TSR code is the primary process rather than the interrupted process of the program. This creates an initial execution rather than executing the original code first. In this way, the virus is able to run, then it can copy itself to the host using Int 21, functions 35 and 25. The copying process is finalized when the virus code sets the DTA. In this effect the virus can stick to the host program and run in the future.
Infection method:
Gets system date and time. It executes virus code if the current month is earlier than June, or the time is earlier than 10 pm. If so, it runs the virus directly.
The virus infects files in the subdirectory. If trigger date and time are not satisfied, it displays:
"Zarathustra & Drako les comunican que llego la hora de ir a dormir. Shh! Vampiro Virus."
Notes:
Non-resident virus. Does not use memory allocation. Runs directly. Virus infects *.COM files not in the root directory. It opens and searches sub-directories where it looks for *.COM files to infect. It attaches itself to the host program.
Some word strings can be found in the code:
"Zarathustra & Drako les comunican que llego la hora de ir a dormir. Shh! Vampiro Virus." "Command.com all xray, memory allocation error." "Cannot uninstall xray, it has not been installed." "???????????"