Virus Name: Cheesy Virus Type: File Infector Virus (.EXE files) Virus Length: 381 bytes PC Vectors Hooked: None Executing Process: 1) Searches for an .EXE file in the current directory and, when it locates one, checks to see whether it has been infected by CHEESY. 2) If the file is already infected, it continues to look for an uninfected .EXE file. 3) It then proceeds to infect all uninfected .EXE files in the directory. 4) Once a file is executed the system halts. Damage: System halt Detection Method: Infected file will increase in size by 381 bytes. Notes: 1) Doesn't stay resident in memory. 2) CHEESY doesn't hook INT 24h when infecting files. An error message appears if an I/O error (such as write protect) occurs.
Virus Name: Cascade Alias Name: Black Jack, Falling Virus Type: File Virus Virus Length: 1,701 or 1,704 bytes Description: This virus infects .COM files. When an infected file is executed, the virus installs itself into memory. Once the virus is memory resident, it will cause the characters on the screen to fall to the bottom of the screen.
Virus Name: Connie Alias Name: None Virus Type: File Virus Virus Length: 1,761 bytes Description: This virus infects .COM files, including COMMAND.COM. When an infected file is executed, the virus installs itself into memory. Total available memory will have decreased by 3,520 bytes. Once the virus is memory resident, it will infect .COM files when they are executed, opened, or copied. Infected files will increase in size by 1,761 bytes, with the virus being located at the end of the infected file. Date and time information of infected files will not be altered. The following text string can be found in the virus: "This is Written by Dark Slayer in Keelung TAIWAN P:\COMMAND.COM"
Virus Name: Como-B Virus Type: File Infector Virus (.EXE files) Virus Length: 2020 bytes PC Vectors Hooked: None Executing Process: 1) Searches for an .EXE file in the current directory and, once it locates one, it checks to see whether it has been infected by COMO-B. If the file is already infected, the virus continues to look for any uninfected .EXE file. 2) COMO-B infects uninfected files only one file at a time. 3) When a total of three files has been infected, a screen message appears: "This is the ...COMO-LAKE .. virus(rel . 1 1).........I'm a non-destructive virus developed to study the worldwide diffusion rate. I was released in September 1990 by a software group resident near Como lake (north Italy) .....Don't worry about your data on disk. My activity is limited only .. to auto-transferring into other program files. Perhaps you've got .. many files infected. Press a key to execute the prompt." Damage: None Detection Method: Infected files will increase in size by 2020 bytes. Notes: 1) Doesn't stay resident in memory. 2) COMO doesn't hook INT 24h when infecting files. An error message appears if an I/O error (such as write protect) occurs.
Virus Name: Casper Virus Type: File Infector Virus (.COM files) Virus Length: 1200 bytes PC Vectors Hooked: None Executing Process: 1) If the system date is April 1, Casper formats the current disk. If the date is not April 1, then it searches for a .COM file in the current directory. 2) Once it locates a file it checks to see whether it has been infected by FCB. If the file is already infected, Casper continues to look for any uninfected .COM file. 3) It will infect one file at a time, then execute the original file. Damage: If the system date is April 1, Casper formats the current disk. Detection Method: Infected file will increase in size by 1200 bytes. Notes: 1) Doesn't stay resident in memory. 2) Casper doesn't hook INT 24h when infecting files. An error message appears if an I/O error (such as write protect) occurs.
Virus Name: CYBER101 Virus Type: File Infector Virus (infects .COM & .EXE files) Virus Length: 946 bytes (COM & .EXE) PC Vectors Hooked: INT 24h Executing Process: 1) The virus finds any .COM or .EXE file in the current directory and checks to see whether it has been infected by Cyber101. If it has, the virus continues to look for an uninfected .COM and .EXE file. 2) It then infects any .COM or .EXE files in the current directory, two at a time. 3) Finally, it executes the original file. Damage: None Detection Method: Infected files will increase in size by 946 bytes. Notes: 1) Doesn't stay resident in memory. 2) Cyber101 hooks INT 24h when infecting files. It omits I/O errors (such as write protect).
Virus Name: CYBER Virus Type: File Infector Virus (.COM and .EXE files) Virus Length: 1092 bytes PC Vectors Hooked: INT 24h Executing Process: 1) The virus searches for an .EXE or .COM file in the current directory, then checks to see whether it has been infected by Cyber. If the file is infected, the virus continues to look for an uninfected .COM or .EXE file. 2) It then infects any .COM or .EXE file in the current directory, two at a time. 3) Finally, it executes the original file. Damage: None Detection Method: Infected files will increase in size by 1092 bytes. Notes: 1) Doesn't stay resident in memory. 2) Cyber hooks INT 24h when infecting files. It omits I/O errors (such as write protect).
Virus Name: CRUMBLE Virus Type: File Infector Virus (.COM and .EXE files) Virus Length: 778 bytes PC Vectors Hooked: INT 24h Executing Process: 1) The virus searches for an .EXE or .COM file in the current directory, then checks to see whether it has been infected by Crumble. If the file is already infected, the virus continues to look for an uninfected .EXE or .COM file. 2) It then infects any .EXE and .COM files in the current directory, two files at a time. 3) Finally, it checks the system date. If it is a Friday, the message "falling letter" occurs on screen, after which a letter on the screen falls every 5 seconds. Damage: If it is a Friday, the system will run "falling letter". Detection Method: Infected files will increase in size by 778 bytes. Notes: 1) Doesn't stay resident in memory. 2) Crumble hooks INT 24h when infecting files. It omits I/O errors (such as write protect).
Virus Name: COL_MAC Virus Type: File Infector Virus (.COM and .EXE files) Virus Length: 1022 bytes PC Vectors Hooked: INT 24h Executing Process: 1) The virus searches for an .EXE or .COM file in the current directory, then checks to see whether it has been infected by COL_MAC. If the found file is already infected, the virus continues to look for an uninfected .EXE or .COM file. 2) Next, it infects any two .EXE and .COM files in the current directory. 3) Finally, it displays random letters on the screen until the user presses the ENTER key. Damage: None Detection Method: Infected files will increase in size by 1022 bytes. Notes: 1) Doesn't stay resident in memory. 2) COL_MAC hooks INT 24h when infecting files. It omits I/O errors (such as write protect).
Virus Name: CYBERTECH Virus Type: File Infector Virus (.COM files) Virus Length: 1076 bytes PC Vectors Hooked: INT 24h Executing Process: 1) It checks whether the system date is earlier than 1993. If it is, then the virus searches for a .COM file in the current directory and checks to see whether the file has already been infected by Cybertech. If the found file is already infected, it continues to look for an uninfected .COM file. 2) It next infects all .COM files in the current directory, one at a time. 3) If the system date is not earlier than 1993, the following message appears on the screen: "The previous year you have been infected by a virus without knowing or removing it. To be gentle to you I decided to remove myself from your system . I suggest you better buy ViruScan of McAfee to ensure youself complete security of your precious data. Next time you could be infected with a malevolent virus. May I say goodbye to you for now... CyberTech Virus-Strain A (c) 1992 John Tardy of Trident". It finally restores the current file as before. Damage: None Detection Method: Infected files will increase in size by 1076 bytes. Notes: 1) Doesn't stay resident in memory. 2) Cybertech hooks INT 24h when infecting files. It omits I/O errors (such as write protect).
Virus Name: CRAZY Virus Type: Boot Strap Sector Virus Virus Length: 4006 bytes PC Vectors Hooked: None Executing Process: This virus infects no file, partition or boot sector. When it is executed, it will create 50 subdirectories in every directory. Damage: None Detection Method: None. Notes: 1) Doesn't stay resident in memory. 2) Crazy doesn't hook INT 24h when infecting files. An error message appears if an I/O error (such as write protect) occurs.
Virus Name: CVIRUS Virus Type: File Infector Virus (.COM and .EXE files) Virus Length: No change. PC Vectors Hooked: None Executing Process: 1) The virus searches for an .EXE or .COM file larger than 10K in the current directory. It checks the found file to see whether it has been infected by Cvirus. If the file is already infected, the virus continues to look for an uninfected .EXE or .COM file. 2) Next, it infects all .EXE and .COM files in the current directory, one at a time. 3) It then executes the original file. 4) If it infects no file at this time, the virus will destroy the boot sector and FAT table of the hard disk. Damage: Destroys boot sector and FAT table of hard disk. Detection Method: None. Notes: 1) Doesn't stay resident in memory. 2) Cvirus doesn't hook INT 24h when infecting files. An error message appears if an I/O error (such as write protect) occurs. 3) Infected files can't be executed.
Virus Name: CSL-2 Virus Type: Highest Memory Resident, File Infector Virus (.COM files) Virus Length: 709 bytes PC Vectors Hooked: INT 21h (AX=4B00h) (execute program) Infecting Process: 1) The virus checks to see whether it is already loaded as resident in memory. If it is not, it loads itself by hooking INT 21h. 2) It then executes the original file. 3) Once it's loaded into resident memory CSL-2 will infect any uninfected file that is executed. It doesn't infect .EXE files. Damage: None. Detection Method: Infected files will increase in size by 709 bytes. Notes: The CSL-2 virus doesn't hook INT 24h when infecting files. An error message appears if an I/O error (such as write protect) occurs.
Virus Name: CMDR Virus Type: Memory Resident, File Infector Virus (.COM files) Virus Length: 4096 bytes PC Vectors Hooked: INT 21h (AX=4B00h) (execute program) Infecting Process: 1) The virus checks to see whether it is already loaded resident in memory. If it's not, it then loads itself by hooking INT 21h. 2) Next, the virus executes the original file. 3) Once it's loaded into resident memory it will infect any uninfected file that is executed. It doesn't infect .EXE files. Damage: None. Detection Method: Infected files will increase in size by 4096 bytes. Notes: The CMDR virus doesn't hook INT 24h when infecting files. An error message appears if an I/O error (such as write protect) occurs.
Virus Name: CK Virus Type: Memory Resident, File Infector Virus (.COM and .EXE files). Virus Length: 1163 bytes PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h, INT 13h Infecting Process: 1) The virus checks to see whether it is already loaded resident in memory. If it is not, it loads itself by hooking INT 21h. 2) It then executes the original file. 3) Once it's loaded into resident memory it will infect any uninfected file that is executed. Damage: Some time after the virus hooks INT 13h, system will make a sound. Detection Method: Infected files will increase in size by 1163 bytes. Notes: The CK virus hooks INT 24h when infecting files. It omits I/O errors (such as write protect).
Virus Name: CASTEGGI Virus Type: Highest Memory Resident, File Infector Virus (.COM and .EXE files). Virus Length: 2881 bytes PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h, INT 1Ch Infecting Process: 1) The virus checks to see whether it is already loaded resident in memory. If it isn't, it loads itself by hooking INT 21h and then executes the original file. 2) Once it's loaded into resident memory it will infect any uninfected file that is executed. Damage: When it is the 11th day of the month or later, the virus will count time by hooking INT 1Ch. About 6 minutes later, the screen image will be destroyed. Detection Method: Infected file will increase in size by 2881 bytes. Notes: The Casteggi virus hooks INT 24h when infecting files. It omits I/O errors (such as write protect).
Virus Name: CANNA615 Virus Type: Highest Memory Resident, File Infector Virus (.COM and .EXE files). Virus Length: 1568 bytes PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h Infecting Process: 1) The virus checks to see whether it is already resident in memory. If it's not, it loads itself by hooking INT 21h. 2) If the system date is a Friday, and the system time shows zero seconds, the message "LEGALIZE CANNA615" appears on the screen along with a picture of a hemp leaf. 3) Next, the virus executes the original file. 4) Once it's loaded into resident memory it will infect any uninfected file that is executed. Damage: None. Detection Method: Infected files will increase in size by 1568 bytes. Notes: The Canna615 virus hooks INT 24h when infecting files. It omits I/O errors (such as write protect).
Virus Name: Civilwar Virus Type: Highest Memory Resident, File Infector Virus (.COM files) Virus Length: 599 bytes PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h Executing Process: 1) The virus checks to see whether it is already resident in memory. If it isn't, it loads itself into highest memory by hooking INT 21h. 2) It then executes the original file. 3) Once it's loaded into resident memory it will infect any uninfected file that is executed. It doesn't infect .EXE files. Damage: None. Detection Method: Infected file will increase in size by 599 bytes. Notes: The Civilwar virus hooks INT 24h when infecting files. It omits I/O errors (such as write protect).
Virus Name: Civil510 Virus Type: Highest Memory Resident, File Infector Virus (.COM files) Virus Length: 2080 bytes PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h Executing Process: 1) The Civil510 virus checks to see whether it is already resident in memory. If it isn't, it loads itself by hooking INT 21h. 2) It then executes the original file. 3) Once it's loaded into resident memory it will infect any uninfected file that is executed. It doesn't infect .EXE files. Damage: None. Detection Method: Infected files increase in size by 2080 bytes. Notes: The Civil510 virus hooks INT 24h when infecting files. It omits I/O errors (such as write protect).
Virus Name: Cmoskill Virus Type: Trojan Virus Length: 29 bytes PC Vectors Hooked: None Damage: Deletes all the "CMOS" data. Detection Method: None. Notes: 1) Doesn't stay resident in memory. 2) Doesn't infect any files or partition or boot sector.
Virus Name: Cannabis Virus Type: Floppy Boot Infector Virus Length: None. PC Vectors Hooked: INT 13h Executing Process: 1) When the system is booted from an infected disk, there will be a 1K bytes decrease in total system memory. 2) It then hooks INT 13h so that, when you switch on the computer, the disk will be infected by hooking INT 13h. Damage: None. Detection Method: Decreases total memory size by 1K bytes. Notes: 1) Cannabis doesn't hook INT 24h when infecting files. It omits I/O errors (such as write protect).
Virus Name: Cannabis-B Virus Type: File Infector Virus Length: None. PC Vectors Hooked: None Executing Process: When you execute the infected file, it will write a boot virus: "Cannabis" to the boot sector of the A: drive. Damage: When you execute the file, it will write the boot virus "Cannabis" to the boot sector of the A: drive. Detection Method: None Notes: Cannabis doesn't hook INT 24h when infecting files. It omits I/O errors (such as write protect).
Virus Name: Christmas Other Names: Virus 600, Xmas In Japan, Japanese Christmas Virus Type: File Infector Virus (.COM files) Virus Length: 600 bytes Damage: On December 25th, when an infected .COM file is executed, the following message will be displayed: "A Merry christmas to you" or "Jingo Bell, jingo bell, jingo all the way." Detection Method: The COMMAND.COM file increases in size by 600 bytes and infected .COM files increase in size by 600 bytes.
Virus Name: Como Virus Type: File Infector Virus (.EXE files) Virus Length: .EXE 2020/2030 bytes PC Vectors Hooked: None. Executing Process: Como searches for an .EXE file in the current directory. If the found file has been infected, the virus continues to search. If an uninfected file is found, there is a 50 percent chance that it will be infected. Infecting Process: 1) The virus infects files by AH=4B in INT 21h. When an uninfected program is run, it will get infected. 2) Before infecting files, the virus hooks INT 24h so that I/O errors are ignored. 3) Whenever a total of three files becomes infected, the virus will display the following message on the screen: "This is the.COMO-LAKE virus (rel . 1.1).......... I'm a non-destructive virus developed to study the worldwide diffusion rate. I was released in September 1990 by a software group resident near Como lake (north Italy).....Don't worry about your data on disk. My activity is limited only to auto-transferring into another program file. Perhaps you've got many files infected. It's your task to find and delete them, best wishes. Press a key to excute the prompt." Damage: None. Detection Method: File length increases by 2020/2030 bytes. Notes: 1) Non-memory resident. 2) Before infecting files, the virus hooks INT 24h in order to omit I/O error messages.
Virus Name: Comp-3351 Virus Type: Parasitic Virus Virus Length: 3351 bytes Executing Process: Comp-3351 searches for an .EXE file in the current directory. It then creates a .COM file (hidden file). The file is the virus itself and its length is 3351 bytes. Damage: None Detection Method: Length of the file is 3351 bytes. Remarks: 1) Non-memory resident. 2) The virus file has been compressed and cannot be recognized before being decompressed (similar to PKLITE).
Virus Name: Compan-83 Virus Type: Parasitic Virus. Virus Length: 83 bytes PC Vectors Hooked: INT 21h Executing Process: 1) Checks to determine whether it resides in memory. If it doesn't, it hooks INT 21h and implants itself in memory, then executes the host program. 2) If it already resides in memory, the program will be executed directly. Infecting Process: 1) The virus infects files by AH=4B in INT 21h. When an infected .EXE file is executed, the virus will create an 83-byte .COM file. The content of the .COM file is the virus itself (hidden file). 2) When infecting files, the virus does not hook INT 24h. An error message appears if an I/O error (such as write protect) occurs. Damage: None Detection Method: Detectable if the file length is 83 bytes.
Virus Name: Chipshit Virus Type: Parasitic Virus Virus Length: 877 bytes PC Vectors Hooked: None Executing Process: 1) When the system date is later than February 11, 1993, the virus displays the message "Hej! Tu wirus chipshit! Co........" on screen. 2) When system date falls before Feb. 11, 1993, the virus a) searches for a .COM file in the current directory. b) Checks to see whether the file is infected and, if it is, continues to search. c) When it finds an uninfected file, it proceeds to infect it (infects only one file at a time). Damage: None Detection Method: Detectable if file length increases by 877 bytes. Remarks: 1) Non-memory resident. 2) When infecting files, the virus does not hook INT 24h. An error message appears if an I/O error (such as write protect) occurs.
Virus Name: Carbuncl Virus Type: Parasitic Virus Virus Length: 622 bytes PC Vectors Hooked: None Executing Process: 1) There is an 84% chance that the virus will search for an .EXE file in the current directory, rename it *.CRP, and then create a *.BAT file with the following contents:
@ECHO OFF
CARBUNCL
RENAME JEXE.CRP JEXE.EXE
JEXE.EXE
RENAME JEXE.EXE JEXE.CRP
CARBBUNCL
(JEXE.EXE is the infected file, and CARBUNCL is the virus.) It will then repeat the above procedure until all .EXE files are infected. 2) There is a 16% chance that the virus will infect five (5) .CRP files. Damage: None Detection Method: Detectable if the lengths of files increase by 877 bytes. Remarks: 1) Non-memory resident. 2) When infecting files, the virus does not hook INT 24h. An error message appears if an I/O error (such as write protect) occurs.
Virus Name: Comsysexe (there are several variants) Virus Type: Parasitic Virus (infects .EXE, .COM and .SYS files) PC Vectors Hooked: INT 21h Executing Process: Comsysexe checks to see if it resides in memory. If it doesn't, the virus hooks INT 21h, installs itself and then executes the host program. If it already resides in memory, Comsysexe proceeds to execute the host program directly. Infecting Process: 1) The virus infects files through AH=4B in INT 21h. When an uninfected program is executed, it becomes infected (infects .EXE, .COM or .SYS files). 2) When infecting files, Comsysexe does not hook INT 24h. An error message appears if an I/O error (such as write protect) occurs. Damage: None
Virus Name: Cruncher Virus Type: Parasitic Virus PC Vectors Hooked: INT 21h and INT 24h Executing Process: 1) If the virus finds that it isn't resident in memory, it hooks INT 21h, installs itself, and then executes the host program. 2) If it already resides in memory, Cruncher proceeds to execute the host program directly. Infecting Process: The virus infects files by AH=4B in INT 21h. When an uninfected program is executed, it becomes infected. Before infecting files, the virus will hook INT 24h first so that I/O errors are ignored. Damage: None
Virus Name: Cls Virus Type: Memory Resident, File infector (.COM and .EXE files) Virus Length: 835 bytes Executing Process: If Cls finds that it is not resident in memory, it will move itself to high memory (taking 70 paragraphs). Next, it will hook INT 21h, INT 08h, INT 13h and then go back to the original routine. Vectors hooked: INT 21h: 1) Cls hooks INT 21h to see if it is resident in memory. 2) It hooks INT 21h to infect files. The virus is triggered when the system calls INT 21h to execute a program (AH=4Bh). Cls will check to see whether the program to be executed is an uninfected .COM file between 129 bytes and 64512 bytes in size. If it is, the virus proceeds to infect it. INT 08h: Cls hooks INT 08h (timer interrupt, executed every 1/18 second). Every time this interrupt is executed, the value of a counter increases by 1. When the counter value reaches 65520 (about an hour later), Cls clears the screen. It has no effect on monochrome monitors because the clearing method is to write 00 into the addresses from B800:0000h to B800:0FA0h. INT 13h: Cls hooks INT 13h. This hook assists the virus when writing. Damage: It will clear the color screen once an hour. Notes: Date and time of infected files do not change. Detection Method: Infected files will increase in size by 853 bytes.
Virus Name: Cas-927 Virus Type: Memory Resident (High Memory), .COM File Infector Virus Length: 3+927 bytes Executing Process: The virus will decode first, then check to see whether it is resident in memory. If it's not, it will stay resident in high memory, then hook INT 21h, INT 1Ch, INT 28h and go back to the original routine. Vectors hooked: INT 21h: 1) Cas-927 hooks INT 21h in order to see whether it is resident in memory. 2) It hooks INT 21h (AX=4B00h) to infect files. If the program to be executed is an uninfected .COM file not larger than 63500 bytes, Cas-927 infects it. INT 28h: Cas-927 hooks INT 28h to see if the current month is an even numbered month, if the current day is a Sunday, Tuesday, Thursday, or Saturday, and if the current time is 11:11:11. If all these conditions are satisfied, it will set a damage_flag used by INT 1Ch later. INT 1Ch: Cas-927 hooks INT 1Ch to cooperate with INT 28h. When the damage_flag is set, it will change all capital characters on screen to lowercase characters. Damage: None Notes: 1) This virus stays resident in high memory (taking 7A paragraphs). 2) Infected files will increase in size by 855 bytes. 3) Date and time of infected files do not change.
Virus Name: Cfsk Virus Type: Memory Resident (MCB), File Infector (.COM files) Virus Length: 5+918 bytes Executing Process: The virus will decode first, then check whether it is resident in memory. If it is not, it stays resident in high memory, then hooks INT 21h and goes back to the original routine. Vectors hooked: 1) Cfsk hooks INT 21h to determine if it is resident in memory. 2) The virus hooks INT 21h (AH=4Bh) to infect files. If the program to be executed is an uninfected .COM file of between 25 and 63500 bytes, Cfsk infects it. Damage: None Notes: 1) This virus stays resident in memory (MCB) taking 6A paragraphs. 2) Infected files will increase by 918 bytes. 3) Date and time of infected files do not change.
Virus Name: Commy Virus Type: File Infector (.COM files) Virus Length: 998 bytes Executing Process: The virus first decodes, then looks at the system clock. If the minute is less than 10, and the current DOS version is later than 3.0, Commy will search for a .COM program of between 4567 bytes and 64520 bytes, and infect it. It infects only one file at a time. Then the virus goes back to the original routine. The search path is the path set by the current PATH. In addition, when this virus infects a program, it encodes its time to verify that this file is infected. Damage: None
Detection Method: Infected files will increase in size by 998 bytes.
Notes: 1) The dates of infected files do not change. 2) The time of infected files is changed because the original time is encoded.
Virus Name: Comspec Virus Type: File Infector Virus Length: 3424 bytes Executing Process: Comspec will execute COMMAND.COM to create six (6) copies of the virus file by using six file names in the C:\DOS directory (the copies are saved in the current directory). If there is no C:\DOS directory, it will create a file named "COMSPEC". Damage: It overwrites six files if executed in the C:\DOS directory. Detection Method: Length of infected files is 3424 bytes.
Virus Name: Crazy-I15 Virus Type: Memory Resident (HiMem), .COM File infector Virus Length: 1402 bytes Executing Process: Crazy-I15 first checks to see whether it resides in memory. If it doesn't, it will stay resident in high memory, then hook INT 21h and go back to the original routine. Vectors hooked: Hooks INT 21h (AH=4Bh) to infect files. First, it will hook INT 24h to avoid revealing its presence when writing, then checks to see whether the program to be executed is an uninfected .COM file. If it is, the virus proceeds to infect it. Finally, Crazy-I15 restores INT 24h. Damage: None Detection Method: Infected files increase in size by 1402 bytes.
Virus Name: Cossiga Virus Type: File infector (.EXE files) Executing Process: Searches for an uninfected .EXE file in the current directory, and then infects it. (It only infects one file at a time.) Regardless of whether it has infected files or not, it will check the current date. If the date falls after October 17, 1991, Cossiga displays the message: "COSSIGA ?! NO GRAZZIE ! By Amissi dee Panoce (c) 1991" Damage: It overwrites original files with virus code, destroying them. Notes: 1) Does not stay in memory. 2) You will see an error message when writing because INT 24h has not been hooked.
Virus Name: Cuban Virus Type: File Infector (.COM files) Virus Length: 1501 bytes Executing Process: Cuban checks to see whether it is resident in memory. If it isn't, it will stay resident in high memory, then hook INT 21h and go back to the original routine. If the current calendar day is the 30th of any month, the virus proceeds to destroy all data on the hard disk. Vectors hooked: Hooks INT 21h (AH=4Bh) to infect files. First, it will hook INT 24h to avoid revealing its presence when writing. If a program to be executed is an uninfected .COM file, the virus infects it directly. If the program to be executed is an .EXE file, it will search for an uninfected .COM file and infect it. Finally, the virus restores INT 24h. Damage: Virus will sometimes destroy all data on the hard drive. Detection Method: Infected files increase in size by 1501 bytes.
Virus Name: Cccp Virus Type: File Infector (.COM files) Virus Length: 510 bytes Executing Process: Searches for an uninfected .COM file in the current directory, then infects it. It can infect two or three files at a time. Damage: There is a flag (value from 0 to 25) in the virus procedure (each infected file has a different flag). When an infected file with a flag of 25 is executed, it will destroy all data on the hard drive. Detection Method: Infected file size increases by 510 bytes. Notes: 1) Does not stay in memory. 2) You will see an error message when writing because INT 24h has not been hooked.
Virus Name: Crepate Virus Type: Memory Block Resident, Infects .COM files of between 400 and 62000 bytes and .EXE files smaller than 589824 bytes. Virus Length: 2910 bytes on file and 4K bytes in memory Interrupt Vectors Hooked: INT 21h Infection Process: Every infected file becomes 2910 bytes longer, with the virus code at the end and some kind of a header created by the virus. The second group of bytes, indicating the time that the file was created, is set to 31 (1Fh). In every subsequent file infection, the virus resets the system memory from address 0:413 to 280h (640 K). Damage: Virus formats hard disk. Symptoms: Loss of data stored in last 7 sectors of diskette; loss of data stored in last cylinder+1, first side, first 7 sectors; increased file size. To detect the virus in the boot sector one can look for: - a byte with a value of FFh in the offset 4 in floppy disks. - a word with a value of 2128h in the offset 4 in hard disks. Furthermore, at the end of each infected file, the text string "Crepa (C) bye R.T." can be found. This text can be easily modified. The DOS Chkdsk command, when the virus is resident, reveals a 4K bytes decrease in available memory. Notes: This virus doesn't infect files named with "*AN.???" or "*LD.???"
Virus Name: Cv4 Virus Type: File Infector (.COM) Virus Length: 321 bytes Executing Process: Virus displays the message "This file infected with.COMVIRUS 1.0." Cv4 then searches for an uninfected .COM file in the current directory and proceeds to infect it. (Infects only one file at a time.) Damage: None Notes: 1) It does not stay resident in memory. 2) You will see an error message when writing because INT 24h has not been hooked. Detection Method: 1) Infected file size increases by 321 bytes. 2) Virus displays above message when infected file is executed.
Virus Name: Copyr-Ug Virus Type: File Infector (.COM and .EXE) Virus Length: 766 bytes Executing Process: Checks whether it is resident in memory. If it isn't, it will stay resident in high memory, then hook INT 21h and go back to the original routine. Vectors hooked: Cv4 hooks INT 21h (AH=4Bh) to infect files. If the program to be executed is an uninfected .COM or .EXE file, the virus proceeds to infect it. Damage: None Notes: You will see an error message when writing because INT 24h has not been hooked. Detection Method: Infected file size increases by 766 bytes.
Virus Name: Chuang Virus Type: File Infector (.COM and .EXE) Virus Length: 970 bytes Executing Process: The Chuang virus searches for an uninfected .COM file in the current directory, then infects it (infects only one file at a time). Regardless of whether it has infected a file or not, it will check the current system calendar. If it is the 13th or later of any month, and the current time is 22:00 or later, the virus destroys all data on the hard disk. Damage: Chuang will sometimes destroy all data on the hard disk. Notes: 1) It does not stay resident in memory. 2) You will see an error message when writing because INT 24h has not been hooked. Detection Method: Infected files increase in size by 970 bytes.
Virus Name: Clint Virus Type: File Infector (.COM and .EXE) Executing Process: The Clint virus searches for uninfected .COM or .EXE files in the current directory and infects them four files at a time. The virus then displays the message "memory allocation error !" Damage: It will overwrite original files with virus code so that they are destroyed. Notes: 1) It does not stay resident in memory. 2) You will see an error message when writing because INT 24h has not been hooked. Detection Method: Infected files display the above message when executed.
Virus Type: Boot, File Type
Virus Length: 6656 bytes
Original Name: CIVIL DEFENSE
Virus Infect Type: .COM and .EXE files
Virus Re-infect: no
Virus Memory Type: Non-memory resident
Place of Origin:
Infection Procedure:
The virus primarily infects the Master Boot Sector of drive C:\. It first reads the boot sector of drive C:\ and the following sector (head 0, cylinder 0, sector 2) into its program. Then it reads 1 sector from head 0, cylinder 87, sector 65 of drive C:\. The virus sets this up by copying other data from the original boot record, and then writes it to the boot sector of drive C:\, replacing the original one. Then it copies its 6,656-byte program (13 sectors) to sector 66, cylinder 87, head 0 of drive C:\. During the analysis, the virus was seen to infect the virus program file CIV6672.EXE by opening it, copying its own header to the file, moving the file pointer to the end of the host file (CIV6672.EXE), and then performing INT 40H (Write to file) with the size to write equal to 0 (CX=0000). Thus, it just corrupts the virus program file. It was not seen how the infected boot sector loads its program from sector 66, cylinder 87, head 0 of drive C:\, which may be the reason why the infected boot sector doesn't infect loaded and executed files. No interrupt hook, no memory allocation to make it resident, and no trigger were seen. As verified with DOS CHKDSK, there was no change in the memory allocation after loading the virus program CIV6672.EXE. It was therefore concluded only that the virus infects the boot sector when the virus program file is run directly; it is not known how the virus replicates itself into other executable files that would infect the Master Boot Sector of drive C:\ when loaded and executed.
Symptom:
Slows down the file loading and execution time.
Virus Type: Polymorphic, File Type
Virus Length: 3,333 bytes
Virus Infect Type: .EXE files
Virus Memory Type: Memory resident, MCB type
Int Vector Hooked: INT 21H
The virus only infects .EXE files. It infects the host file by attaching itself to the end of the file. As a polymorphic virus, it first decrypts its code, using a complicated decryption routine. The virus then allocates 4,128 bytes in low memory starting at 1806:0000 and copies its 3,333-byte program there to stay resident. From there it hooks INT 21H by pointing the vector to its program in low memory at 1816:0BAB. It uses this interrupt to attach itself to .EXE files as they are loaded and executed. Once activated by loading and executing an infected file, the virus checks the current month and day. If the date is August 10, the virus infects. Aside from infecting .EXE files, it also searches for AUTOEXEC.BAT on drive C:\ and appends the following:
@Echo Virus "EL MOSTRO CORDOBES"
@Echo No tema por sus datos. Que pase un buen
@Echo.
@Pause
Thus, when the system boots from drive C:\, the text string above is displayed and the system pauses until a key is pressed. The same string can be seen inside the viral code. Sometimes the virus cannot attach to .EXE files completely, so the increase in the size of the host file after infection is indefinite and the virus cannot become memory resident. The corrupted files will not finish loading and will display "Error in EXE file."
Damage:
Corrupts .EXE files.
Will add the above text to the AUTOEXEC.BAT file in drive C:\.
Virus Length: 1,527 bytes
Virus Infect Type: .EXE and .COM file
Virus Re-infect: No
Discovery Date: 1992
Virus Memory Type: High memory resident
Place of Origin: Chile
The virus infects both .EXE and .COM files. It infects its host file by attaching itself to the end of the file. It increases an infected file's size by 1,527 bytes. The virus becomes memory resident when an infected file is loaded and executed. As a polymorphic virus it first decrypts its code. Then it allocates 1,984 bytes in high memory starting at 9F84:0000. It hooks INT 21H by pointing the vector to its program in high memory at 9F84:0258 so that it can attach itself to .EXE and .COM files as they are opened for loading. Before infecting a loading executable file, it first deletes the CHKLIST.CPS file, which is an anti-virus file, if it exists. Then it infects the COMMAND.COM on drive C:\ by attaching itself to the file. After infecting C:\COMMAND.COM, it finally infects the loading executable file. During infection, the virus checks the current month, day, and hour. If the current date is September 11 or December 28, it then checks the current hour. The following hours of the day will trigger the payload:
0th hour (12:00 am)
1st hour (1:00 am)
4th hour (4:00 am)
6th hour (6:00 am)
7th hour (7:00 am)
10th hour (10:00 am)
11th hour (11:00 am)
13th hour (1:00 pm)
16th hour (4:00 pm)
18th hour (6:00 pm)
19th hour (7:00 pm)
21st hour (9:00 pm)
The payload deletes the first file entry in the current directory until it deletes the currently loaded file. Even though the currently loaded file that activated the virus has been deleted, the virus remains memory resident and continues its payload. The deletion occurs every time an executable file is loaded, given that the virus is already memory resident. Not all .COM files are infected by the virus. Only those that have large file sizes will be infected. As checked with DOS CHKDSK, the virus occupies 1,792 bytes of memory, decreasing the available memory by that size. The following text strings can be seen within the virus code:
"CPW fue becho en Chile en 1992," "VIVA CHILE MIERDA!"
Virus Type: Polymorphic
Virus Length: 2010 bytes
Int Vector Hooked:
The virus is polymorphic. It first decrypts its decryptor using 63 bytes of data in its viral code. Each byte, as stored in the AX register, is decrypted using SHL AX,1 and is added to the BP register. The final result stored in BP after 63 decryptions will be the decryptor. Then the virus decrypts its 2,010-byte code using XOR AX,BP, where AX contains a word of the encrypted virus code. Neither how it allocates memory to make itself memory resident nor any interrupt hook was seen. There is also no infect trigger.
Virus Type: Parasitic, File Type
Virus Length: 3,072-3,091 bytes
Trigger Condition: Sunday
Discovery Date: 1991
Place of Origin: Changsha China
Int Vector Hooked: INT 8H, INT 13H, INT 21H
The virus infects both .COM and .EXE files. It increases an infected file's size by 3,072 bytes for .COM and 3,091 bytes for .EXE. It infects its host by attaching itself to the end of the file. The virus places its memory-resident code in low memory after the DOS resident programs. The virus code becomes memory resident when an infected file is loaded, executed, or copied. While resident in memory it infects executable files when they are loaded, executed, or copied. It hooks INT 21H by pointing the vector to its program in low memory at 17F8:01C0; this hook enables the virus to attach itself to the host. It also hooks INT 8H (changed to 17F8:02E1) and INT 13H (changed to 17F8:0BED), but the payload was not seen. In its INT 21H hook it gets the current date, and if the current day is Sunday, it loads itself and infects all the executable files in the current directory. Files infected on that day have their date and time attributes set to 1-1-94 and 1:15a; they are also corrupted and will not run properly. On days other than Sunday the virus just replicates itself to the file. As checked with DOS CHKDSK.EXE, the memory occupied by the virus is 3,344 bytes. The following text strings can be seen inside the virus code:
"Auto-Copy Deluxe R3.00" "(C) Copyright 1991. Mr YaQi. Changsha China" "No one can Beyond me!"
Corrupts COM and EXE files.
Increases the host's file size by 3,072-3,091 bytes. Sets the time and date attributes to 1-1-94, 1:15a.
Virus Length: 1,241-1,247 bytes
Original Name: CHAOS
Int Vector Hooked: INT 21H, INT 13H, INT 24H
The virus infects both .COM and .EXE files. It can become memory resident when an infected file is loaded and executed. It increases the size of an infected file by 1,241 bytes for .COM files and 1,247 bytes for .EXE files. Upon activation the virus stays resident in low memory, after the DOS resident programs. It hooks INT 21H by pointing the vector to its program in low memory at 1808:020E so that it can attach to executing files using the 4BH service of the interrupt. It also hooks INT 24H (Critical Error Handler) to disable the error message display during a host file write error. After the virus has loaded itself into memory it first checks the current date. If it is September 13 the payload will be executed. The following trigger dates were also seen:
Every 9th day of 1997
Every 10th day of 1998
Every 11th day of 1999
... and so on
The following formula describes how to determine the trigger day for the current year:
Trigger Day = (Current Year - 1988)
On the trigger date, the payload executed by the virus just hangs the system after infecting the file being loaded and executed, and then clears the screen and displays:
"I see, I come, I conquer...Trojan horse - CHAOS v2.0 by Faust".
The virus occupies 1,840 bytes of memory as checked using DOS CHKDSK.
Hangs up the system.
Increases an infected file by 1,241 for .COM and 1,247 for .EXE
Virus Length: 544 bytes
Virus Infect Type: .COM files
The virus only infects .COM files. It increases an infected file's size by 544 bytes. The virus infects the host file by attaching itself to the end of the file. As a polymorphic virus, it first decrypts its 544-byte code by XORing each byte with 6AH. Then the virus allocates 1200 bytes in high memory (9FB4:0000) and copies its code there to stay resident. Then it hooks INT 21H by changing the vector to point to its program in high memory (9FB4:00B9). The virus becomes memory resident when an infected file is loaded and executed. Once resident, it infects other .COM files when they are loaded and executed, because its altered service 4BH of INT 21H first attaches the virus code to the host file before giving control to the host. It also sets the date attribute of the infected file to 01-01-94.
Damage: None
Symptom: Increases the host's file size by 544 bytes.
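The file-size increases given as detection methods in the entries above can be checked against a size baseline taken before infection. The following is an added example, not part of the original listing: the function names, the length-only labels for entries whose name is missing on the page, and the sample snapshots are constructed for illustration.

```python
import os
from datetime import date, datetime

# Size increases (bytes) stated in the entries above -> (label, extensions).
# Entries whose name did not survive on the page are labelled by length only.
GROWTH = {
    321: ("Cv4", {".COM"}),
    766: ("Copyr-Ug", {".COM", ".EXE"}),
    970: ("Chuang", {".COM", ".EXE"}),
    1241: ("CHAOS", {".COM"}),
    1247: ("CHAOS", {".EXE"}),
    544: ("544-byte entry", {".COM"}),
    1527: ("1,527-byte entry", {".COM", ".EXE"}),
    3072: ("3,072-3,091-byte entry", {".COM"}),
    3091: ("3,072-3,091-byte entry", {".EXE"}),
}
STAMP = date(1994, 1, 1)  # date two entries say is set on infected files

def snapshot(directory):
    """Map upper-cased file name -> (size, modification date) for one directory."""
    snap = {}
    for entry in os.scandir(directory):
        if entry.is_file():
            st = entry.stat()
            snap[entry.name.upper()] = (st.st_size, datetime.fromtimestamp(st.st_mtime).date())
    return snap

def compare(baseline, current):
    """Return (name, delta, label, stamp_hit) for executables that grew."""
    findings = []
    for name, (size, mdate) in sorted(current.items()):
        ext = os.path.splitext(name)[1]
        delta = size - baseline.get(name, (size,))[0]
        if delta <= 0 or ext not in (".COM", ".EXE"):
            continue
        # A listed length only counts if the entry says it infects this file type.
        label, exts = GROWTH.get(delta, ("unlisted growth", {ext}))
        if ext not in exts:
            label = "unlisted growth"
        findings.append((name, delta, label, mdate == STAMP))
    return findings

# Constructed sample snapshots (not real measurements).
BEFORE = {"EDIT.COM": (413, date(1991, 4, 9)), "FORMAT.COM": (22717, date(1991, 4, 9)),
          "CHKDSK.EXE": (16200, date(1991, 4, 9)), "MEM.EXE": (39818, date(1991, 4, 9))}
AFTER = {"EDIT.COM": (957, date(1994, 1, 1)), "FORMAT.COM": (22717, date(1991, 4, 9)),
         "CHKDSK.EXE": (17447, date(1991, 4, 9)), "MEM.EXE": (40139, date(1991, 4, 9))}
if __name__ == "__main__":
    for row in compare(BEFORE, AFTER):
        print(row)
```

Any growth of an executable is reported; a match against a listed length only narrows the candidates, since unrelated changes can produce the same delta.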