Alien 1

Virus Name: Alien-1

Virus Type: File Infector Virus (infects .COM and .EXE files)

Virus Length: 571 bytes (COM and EXE)

PC Vectors Hooked: INT 21h

Executing Procedure: Checks to see whether it is already resident in high memory. If it's not, it loads itself into resident memory (highest memory) by hooking INT 21h, then executes the originally called file. If it finds it is already resident in high memory, it directly executes the originally called file.

Damage: None

Characteristics:

1) The virus infects files by hooking INT 21h (AX=4B); when an uninfected file is executed, that file will be infected.

2) Alien-1 doesn't hook INT 24h when infecting files. Error messages appear if an I/O error such as write protect occurs.

Detection Method: Infected files will increase in size by 571 bytes.

 


Avispa

Virus Name: AVISPA-D

Virus Type: Polymorphic type

Virus Length: 2051 bytes

Virus Infect Type: .EXE files

Virus Re-infect: No

Virus Memory Type: Memory Resident, MCB type

Place of Origin:

Int Vector Hooked: INT 21H

Infection Procedure:

The virus infects .EXE files by attaching its code to the end of the host file, adding 2051 bytes to the infected file. Since the virus is polymorphic, its program is stored encrypted and is decrypted by applying XOR E491H to each byte. After decryption, the string "Virus Avispa-Buenos Aires-Noviembre 1993" is visible in the data area of the virus program. The virus then allocates 2304 bytes (144 paragraphs) of memory after the resident part of COMMAND.COM to make itself resident. Next it hooks INT 21H by changing the vector to point to its own code at 17F8:030A, and infects other .EXE programs as they are loaded and executed. It also attempts to open and infect the files XCOPY.EXE, MEM.EXE, SETVER.EXE, and EMM386.EXE in C:\DOS, if they exist.

Symptom:

Increase in .EXE file size by 2051 bytes.


Alien 3

Virus Name: Alien-3

Virus Type: File Infector Virus (infects .COM and .EXE files)

Virus Length: 625 bytes (COM and EXE)

PC Vectors Hooked: INT 21h

Executing Procedure:

1) The virus checks to see whether it has been loaded resident in high memory. If it is not already loaded, it loads itself into resident memory (highest memory portion) by hooking INT 21h.

2) Next, the virus will check the system time. If the number of minutes passed in the hour is between 33 and 60, it will display parentheses characters (" ") on the screen.

3) After infection, it will execute the original file.

Damage: None

Characteristics:

1) The virus infects files by hooking INT 21h (AX=4B); when an uninfected file is executed, that file will be infected.

2) Alien-3 doesn't hook INT 24h when infecting files. An error message appears if an I/O error such as write protect occurs.

Detection Method: Infected files will increase by 625 bytes.


Alameda

Virus Name: Alameda

Alias Name: Alemeda

Virus Type: Boot Virus

Virus Length: N/A

Description: This virus infects boot sectors.

When the system is booted from a disk infected by the virus, the virus will install itself as memory resident.

Once the virus is memory resident, all unprotected 5-1/4" 360 diskettes will be infected when it activates through a warm boot (CTRL-ALT-DEL). The virus remains in memory after a warm boot.


Ambulance

Virus Name: Ambulance

Alias Name: Ambulance Car, RedX

Virus Type: File Virus

Virus Length: 796 bytes

Description: This virus infects .COM files.

When an infected file is executed, the virus will attempt to infect one .COM file.

Symptoms include the display of a moving ambulance at the bottom of the screen, as well as the sound of a siren.


AntiEXE

Virus Name: AntiEXE

Alias Name: D3, NewBug, CMOS4

Virus Type: Boot Virus

Virus Length: N/A

Description: This virus infects boot sectors.

When the system is booted from a disk infected by the virus, the virus will install itself as memory resident. Total available memory will have decreased by 1,024 bytes. The virus will also overwrite the Master Boot Sector with a copy of itself.

Once the virus is memory resident, it will infect all unprotected diskettes.


Austr_Parasite

Virus Name: Austr_Parasite

Alias Name: Aussie Parasite

Virus Type: File Virus

Virus Length: 292 bytes

Description: This virus infects .COM files, including COMMAND.COM.

When an infected file is executed, the virus installs itself into memory. The total available memory will have decreased by 320 bytes.

Once the virus is memory resident, all executing .COM files will be infected. Infected files will increase in size by 292 bytes, with the virus located at the end of the infected file. Date and time records for infected files will not be altered.

Symptoms include system hang.

The text string "Australian Parasite" is visible in the virus.



Anna

Virus Name: Anna

Virus Type: File Infector Virus (infects .COM files)

Virus Length: 742 bytes (COM)

PC Vectors Hooked: None

Executing Procedure:

1) Searches for a .COM file in the current directory.

2) Once it locates a file it checks to see whether it has been infected by ANNA. If it has, the virus continues to look for any uninfected .COM files. It will infect only one file at a time.

3) If no uninfected file is found in the current directory, it will continue looking in another directory.

4) The virus will then check the system date. If it is December, then the message "Yole from the ARcV................" will appear on the screen.

Damage: None

Detection Method:

1) Infected files will increase in size by 742 bytes.

2) If it is December, the message "Yole from the ARcV........." will appear on screen.


Notes:

1) Doesn't remain resident in memory.
2) ANNA doesn't hook INT 24h when infecting files. An error message appears if an I/O error such as write protect occurs.


Arcv-Fri

Virus Name: Arcv-Fri

Virus Type: File Infector Virus (infects .COM files)

Virus Length: 839 bytes (COM)

PC Vectors Hooked: None

Executing Procedure:

1) Arcv-Fri checks the system date. If it is April 12th, it searches for a .COM file in the current directory, then damages it.

2) If the date is other than April 12, it searches for a .COM file in the current directory and checks to see whether it has been infected by ARCV-FRI. If the file is infected, the virus continues to look for any uninfected .COM file. It infects only one file at a time.

3) Finally, it executes the original file.

Damage: If the system date is April 12, it searches for a .COM file in the current directory, then damages it.

Detection Method:

1) Infected files will increase in size by 839 bytes.

Notes:
1) ARCV-FRI doesn't remain resident in memory.
2) It doesn't hook INT 24h when infecting files. An error message appears if an I/O error such as write protect occurs.


Agent B

Virus Name: Agent-B

Virus Type: File Infector Virus (infects .EXE and .COM files)

Virus Length: 763 bytes (COM and EXE)

PC Vectors Hooked: INT 24h

Executing Procedure:
1) Searches for a .COM file in the current directory.
2) Once it locates a file, it checks to see whether it has been infected by Agent-B. If it finds the file is infected, it continues to look for any uninfected .COM file.
3) It will infect only two files at a time.

Damage: None

Detection Method: Infected files will increase in size by 763 bytes.

Notes:
1) Doesn't stay resident in memory.
2) Agent-B hooks INT 24h when infecting files. It ignores I/O errors such as write protect.


Arcv-670

Virus Name: Arcv-670

Virus Type: File Infector Virus (infects .COM files)

Virus Length: 670 bytes (COM)

PC Vectors Hooked: None

Executing Procedure:
1) Searches for a .COM file in the current directory.
2) Once it locates a file it checks to see whether it has been infected by ARCV-670. If the file is infected, it continues to look for any uninfected .COM file. It will infect only one file at a time.
3) Finally, the virus checks the system date and, if the date is between December 20 and 25, and the year is later than 1992, it displays the message "Happy Xmas from the ARCV", and the system halts.

Damage: If the system date falls between December 20 and 25 and the year is later than 1992, "Happy Xmas from the ARCV" appears on screen and then the system halts.

Detection Method: Infected files will increase in size by 670 bytes.


Notes:
1) Doesn't stay resident in memory.
2) ARCV-670 doesn't hook INT 24h when infecting files. An error message appears if there is an I/O error (such as write protect).


Acme

Virus Name: Acme

Virus Type: File Infector Virus (Companion Virus)

Virus Length: 932 bytes

PC Vectors Hooked: None

Executing Procedure:
1) Checks whether the current system time falls between 16:00h and 24:00h, in which case a sound is emitted and the system halts.
2) If system time falls outside of this window, the virus searches for an .EXE file in the current directory.
3) It will then create a 923-byte "hidden & read-only" .COM file with the .EXE file's name.

Damage: If the system time falls between 16:00h and 24:00h, a sound is made, then the system halts.

Detection Method: Check for "hidden" .COM files with a size of 923 bytes.

Notes:
1) Doesn't remain resident in memory.
2) ACME doesn't hook INT 24h when infecting files. An error message appears in case of an I/O error such as write protect.


Abraxas

Virus Name: ABRAXAS

Virus Type: File Infector Virus (infects .COM and .EXE files)

Virus Length: 546 bytes (COM and EXE)

PC Vectors Hooked: INT 24h

Executing Procedure:
1) The virus searches for an .EXE or .COM file in the current directory and checks to see whether it has been infected by Abraxas. If the file is infected, the virus continues to look for an uninfected .EXE or .COM file.
2) Next, it infects all .EXE and .COM files in the current directory.
3) Finally, it executes the original file.

Damage: None

Detection Method: Infected files will increase by 546 Bytes.

Notes:
1) Abraxas doesn't stay resident in memory.
2) It hooks INT 24h when infecting files. It ignores I/O errors such as write protect.


Air Cop

Virus Name: AIR-COP

Virus Type: Boot Infector

Virus Length: None

PC Vectors Hooked: None

Executing Procedure:
When you execute the program, AIR-COP writes the virus to the boot sector of A:.

Damage: Overwrites boot sector of A:.

Detection Method: None.


Arka

Virus Name: ARKA

Virus Type: Memory Resident, File Infector Virus (infects .COM files).

Virus Length: 1905 bytes (COM)

PC Vectors Hooked: INT 21h (AX=4B00h) (execute program)

Infection Procedure:
1) The virus checks to see whether it is already loaded as resident in memory. If it is not, it loads itself into resident memory by hooking INT 21h.
2) It then executes the original file.
3) Now loaded into resident memory, it will infect any executed file that is not already infected with the ARKA virus.

Damage: None.

Detection Method: Infected .COM files increase in size by 1905 bytes.


Aids 552

Virus Name: AIDS552

Virus Type: Highest Memory Resident, File Infector Virus (infects .EXE files)

Virus Length: 552 bytes (EXE)

PC Vectors Hooked: INT 21h

Infection Procedure:
1) The virus checks to see whether it is already loaded into resident memory. If it is not, it loads itself into memory (highest memory) by hooking INT 21h.
2) It then executes the original file.
3) AIDS552 infects when the command "DEGUG FILE_NAME.EXE" is executed. It does not infect .COM files.

Damage: None

Detection Method: Infected .EXE file size increases by 552 bytes.

Notes: The AIDS552 virus doesn't hook INT 24h when infecting files. An error message appears if an I/O error (such as write protect) occurs.


Amilia

Virus Name: AMILIA

Virus Type: Memory Resident, File Infector Virus (infects .COM and .EXE files).

Virus Length: 1614 bytes (COM and EXE)

PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h

Infection Procedure:
1) The virus checks to see whether it is already loaded as resident in memory. If it is not, it loads itself by hooking INT 21h.
2) It then executes the original file.
3) Once it's in resident memory, it will infect any uninfected file that is executed.

Damage:

1) If it is Sunday, the message "Amilia I virii - [NUKE] 1991 By Rock Steady/NUKE" is displayed on the screen, after which the system halts.
2) If it is between 16:00h and 17:00h, a smiling face appears on the screen.

Detection Method:
1) Infected files increase in size by 1614 bytes.
2) A smiling face appears on screen.

Notes: The Amilia virus hooks INT 24h when infecting files. It ignores I/O errors (such as write protect).


Antiprnt

Virus Name: ANTIPRNT

Virus Type: Highest Memory Resident, File Infector Virus (infects .EXE files)

Virus Length: 593 bytes (EXE)

PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h

Infection Procedure:
1) The virus checks to see whether it is already loaded resident in memory. If it is not, it loads itself into resident memory (highest memory) by hooking INT 21h.
2) Next, the virus executes the original file.
3) Once it's loaded into resident memory it will infect any uninfected file that is executed.

Damage: If the DOS Version is later than 3.0, and "PRINTER" is installed, then the virus will destroy data on the current disk.

Detection Method: Infected files increase in size by 593 bytes.

Notes: The ANTIPRNT virus hooks INT 24h when infecting files. It ignores I/O errors (such as write protect).


ABC

Virus Name: ABC

Virus Type: Highest Memory Resident, File Infector Virus (infects .EXE files)

Virus Length: 2912 bytes (EXE)

PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h, INT 1Ch, INT 16h

Infecting Procedure:
1) The virus checks to see whether it is already loaded resident in memory. If it isn't, it then loads itself as resident in memory (highest memory) by hooking INT 21h, INT 1Ch, INT 16h.
2) It then executes the original file.
3) Once it's loaded into resident memory it will infect any uninfected file that is executed. It doesn't infect COM files and EXE files with a length shorter than 20K.

Damage: When the system date falls on the 14th of the month, and the virus has been in memory for 55 minutes, it will destroy the data on the hard disk.

Detection Method: Infected files increase in size by 2912 bytes.

Notes: The ABC virus hooks INT 24h when infecting files. It ignores I/O errors (such as write protect).


ARCV-9

Virus Name: ARCV-9

Virus Type: Highest Memory Resident, File Infector Virus (infects .COM files)

Virus Length: 771 bytes (COM)

PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h

Executing Procedure:
1) The virus checks to see whether it is already loaded resident in memory. If it's not, it loads itself by hooking INT 21h.
2) It then executes the original file.
3) Once it's loaded into resident memory it will infect any uninfected file that is executed. It doesn't infect .EXE files.

Damage: None.

Detection Method: Infected files increase in size by 771 bytes.

Notes: The ARCV-9 virus hooks INT 24h when infecting files. It ignores I/O errors (such as write protect).


August 16th

Virus Name: August-16th

Other Names: Iron Maiden

Virus Type: Parasitic Virus (infects .COM files)

Virus Length: 636 bytes

PC Vectors Hooked: Int 21

Executing Procedure:
1) The virus checks to see whether it has already infected the first two .COM files in the current directory. If it hasn't, it will proceed to infect them.
2) If it finds the files are already infected, it checks the current directory on the C:\ drive to see whether it has two .COM files.
3) If the virus finds them, it will proceed to infect them.
4) Finally, the original file is executed.

Damage:
1) August 16th overwrites the original file to hide changes to the file's date and time in the directory listing.
2) It adds two text strings "*.com AA", "=!=IRON MAIDEN" to infected files.

Detection Method:

1) .COM file growth
2) Unexpected access to C:\ drive

Notes: August 16th doesn't hook INT 24h when infecting files. An error message appears if an I/O error (such as write protect) occurs.


Autumn

Virus Name: Autumn

Other Names: Virus 1701, Cascade-B

Virus Type: Parasitic Virus, RAM resident

Virus Length: 1701 bytes

PC Vectors Hooked: Int 21

Executing Procedure:
1) The virus checks to see whether it is already loaded resident in memory. If it isn't, it loads itself by hooking INT 21h.
2) Next, it executes the original file.
3) Once it's loaded into resident memory it will infect any uninfected file that is executed.

Damage: The Autumn virus causes characters to "fall down" the screen (Video-RAM modification). This does not happen frequently at the beginning but, as time goes by, the frequency of both the "fall down" and sound effects will increase. Semigraphic characters do not fall. Characters cannot fall over different video attributes. It doesn't work on monochrome monitors. The virus sometimes causes the computer to crash.

Detection Methods: Infected files increase in size by 1701 bytes.

Notes: Loads itself resident in memory. An error message appears if an I/O error (such as write protect) occurs.


Aragorn

Virus Name: ARAGORN

Other Names: None

Virus Type: Boot Strap Sector Virus

Damage: None

Detection Method: Only the floppy diskette in drive A: will be infected.


April 1st

Virus Name: April 1st

Other Names: None

Virus Type: File Infector Virus

Virus Length: 1488 bytes

Executing Procedure:
1) The virus checks to see whether it is already loaded resident in memory. If it is not, it loads itself by hooking INT 21h.
2) Next, it executes the original file.
3) Once it's loaded into resident memory it will infect any uninfected file that is executed.

Damage: On April 1, the virus displays the message "APRIL 1ST HA HA HA YOU HAVE A VIRUS." After displaying the message, the virus halts the system.

Detection Method: April 1st increases the size of .EXE files by 1488 bytes. Infected files contain the string "SURIV." Check to see if the file named "BUG.DAT" exists hidden in the C:\ directory.

Notes: Loads itself as resident in memory. An error message appears if an I/O error (such as write protect) occurs.


Allerbmu

Virus Name: Allerbmu

Virus Type: Parasitic Virus

Virus Length: Infected .COM file size increases by 359 bytes. It does not infect .EXE files.

PC Vectors Hooked: None

Executing Procedure:
1) Allerbmu searches for a .COM file in the current directory.
2) When it finds one, it finds out whether the file is infected. If it is, the virus continues to search.
3) When an uninfected file is found, the virus will proceed to infect it. (The virus infects only one file at a time).
4) Allerbmu checks the system date regardless of whether an uninfected .COM file is found. When the day is Monday, the virus destroys all the files on the hard disk, and then displays the message "+ ALLERBMU NORI + (c) 1991........................."

Damage: When the day is Monday, the virus destroys all the files on the hard disk, and then displays the message "+ ALLERBMU NORI + (c) 1991........................."

Detection Method: .COM file size increases by 359 bytes.

Remarks:
1) Non-memory resident.
2) When infecting files, the virus does not hook INT 24h. An error message will appear when I/O errors occur.


ARCV-2

Virus Name: Arcv-2

Virus Type: Parasitic Virus

Virus Length: Infected .EXE file sizes increase by 693 bytes (Does not infect COM files).

PC Vectors Hooked: INT 24h

Executing Procedure:
1) Searches for an .EXE file in the current directory.
2) Checks to see whether the file is infected. If it is, the virus continues to search.
3) If it finds an uninfected file, the virus will proceed to infect it (infects only one file at a time).
4) Regardless of whether an uninfected EXE file is found or not, the virus will check the system date. When the date is April or the sixth of any month, the virus will display "Help .. Help .. I'm Sinking ........" on the screen.

Damage: None

Detection Method: Infected .EXE files increase in size by 693 bytes (Arcv-2 does not infect .COM files).

Remarks:
1) The infection was badly written. Most of the infected files cannot be executed normally (also, the virus is not able to infect and damage).
2) Arcv-2 is non-memory resident.
3) When infecting files, the virus does not hook INT 24h. An error message will appear when I/O errors occur.


Atomic-2A

Virus Name: Atomic-2a

Virus Type: Parasitic Virus

Virus Length: Infected .COM file size increases by 350 bytes (does not infect .EXE files)

PC Vectors Hooked: None

Executing Procedure:
1) Atomic-2a searches for a .COM file in the current directory and, when it finds one, checks to see whether the file is infected. If it is, Atomic-2a continues to search until an uninfected file is found and then infects it. It infects only one file at a time.

Damage: None

Detection Method: Detectable if file lengths increase by 350 bytes.

Remarks:
1) Atomic-2A is non-memory resident.
2) When infecting files, the virus does not hook INT 24h. An error message will appear when I/O errors occur.


Atomic-1B

Virus Name: Atomic-1B

Virus Type: Parasitic Virus

Virus Length: The length of infected .COM files does not increase (does not infect .EXE files).

PC Vectors Hooked: None

Executing Procedure:
1) When the system date is the 1st of the month, the virus will display "The Atomic Dustbin--YOUR PHUCKED !" and hang the system.
2) When the system date is the 26th, the message "The Atomic Dustbin 1B -- This is almost the second step !" will be displayed and the virus will hang the system.
3) When the system date is neither the 1st nor the 26th of the month, the virus searches all .COM files in the current directory and checks to see whether each is infected. If it is, Atomic-1B continues to search. If an uninfected file is found, the virus proceeds to infect it (it infects only two files at a time). After infecting, Atomic-1B displays "Program execution terminated."

Damage: None

Detection Method: Detectable if the string "Program execution terminated" is displayed when a program is executed.

Remarks:

1) Atomic-1B is non-memory resident.
2) When infecting files, the virus does not hook INT 24h. An error message will appear when I/O errors occur.


Atomic-1A

Virus Name: Atomic-1A

Virus Type: Parasitic Virus

Virus Length: The length of the infected .COM files does not increase. (Does not infect .EXE files.)

PC Vectors Hooked: None

Executing Procedure:
1) When the system date is the 25th of the month, the virus displays the string "The Atomic Dustbin 1A -- This is almost the first step !" and hangs the system.
2) When the system date is other than the 25th, Atomic-1A searches for a .COM file in the current directory and checks to see whether the file is infected. If it is, the virus continues to search and, if it finds an uninfected file, the virus will proceed to infect it (infects only two files at a time). After infecting, Atomic-1A displays the string "Bad command or file name."

Damage: None

Detection Method: Detectable if the string "bad command or file name" is displayed when a file is executed.

Remarks:
1) Atomic-1A is non-memory resident.
2) When infecting files, the virus does not hook INT 24h. An error message will appear when I/O errors occur.


Arusiek

Virus Name: Arusiek

Virus Type: Parasitic Virus

Virus Length: Infected .EXE and .COM files increase in size by 817 bytes.

PC Vectors Hooked: INT 21h and INT 24h

Executing Procedure:
1) Arusiek checks to see whether it already resides in the memory. If it doesn't, it hooks INT 21h and implants itself in memory, and then executes the host program.
2) If it already resides in memory, the host program will be executed directly.

Infection Procedure:
1) Infects files by hooking AH=4B in INT 21h. Uninfected files will be infected when they are executed.
2) Before infecting files, the virus will hook INT 24h so that I/O errors are ignored.

Damage: None

Detection Method: File length increases by 817 bytes.


Atas-3

Virus Name: Atas-3

Virus Type: Parasitic Virus

Virus Length: 1268 bytes

PC Vectors Hooked: INT 21h and INT 24h

Executing Procedure:
1) Checks to see whether it already resides in memory. If it doesn't, the virus hooks INT 21h and implants itself in memory, and then executes the host program.
2) If it already resides in memory, it will execute the host program directly.

Infection Procedure:
1) Infects files by hooking AH=4B in INT 21h. Uninfected files will be infected upon execution.
2) Before infecting files, the virus will hook INT 24h so that I/O errors will be ignored.

Damage: None

Detection Method: File length increases by 1268 bytes.


ARCV-570

Virus Name: Arcv-570

Virus Type: Parasitic Virus

Virus Length: Infected .EXE file length increases by 570-585 bytes. (Does not infect .COM files.)

PC Vectors Hooked: None

Executing Procedure:
1) Searches for an .EXE file in the current directory and checks to see whether the file is infected. If it is, Arcv-570 continues to search until it finds an uninfected file, which it then infects (infects only one file at a time).

Damage: None

Detection Method: File length increases by 570-585 bytes.

Remarks:
1) Arcv-570 is non-memory resident.
2) When infecting files, it does not hook INT 24h. An error message appears when I/O errors occur.


Atas-3215

Virus Name: Atas-3215

Virus Type: Parasitic Virus

Virus Length: About 3215 bytes (there are several variants)

PC Vectors Hooked: INT 21h

Executing Procedure: (The virus only infects files in DOS 3.3)
1) Atas-3215 checks to see whether it already resides in memory. If it doesn't, the virus hooks INT 21h and implants itself in memory, then proceeds to execute the original program.
2) If it already resides in the memory, Atas-3215 executes the host program directly.

Infection Procedure: Infects files through AH=4B in INT 21h. Uninfected files will be infected upon execution.


Andromda

Virus Name: Andromda

Virus Type: Parasitic Virus

Virus Length: Infected .COM files increase by 1140 bytes (does not infect .EXE files).

PC Vectors Hooked: None

Executing Procedure:
1) Searches for a .COM file in the current directory.
2) It checks to see whether the file is infected. If it is, Andromda continues to search until it finds an uninfected file, then infects it (infects only two files at a time).

Damage: None

Detection Method: File length increases by 1140 bytes.

Remarks:
1) Andromda is non-memory resident.
2) When infecting files, the virus does not hook INT 24h. An error message will appear when I/O errors occur.


Atas-400

Virus Name: Atas-400

Virus Type: .COM file infector

Virus Length: 400 bytes

Vectors Hooked: INT 24h

Executing Procedure: The virus decodes itself first, then hooks INT 24h to avoid revealing its presence when writing, then changes the head of it. After that, Atas-400 searches the current directory for a file to infect. (The file must be an uninfected .COM file larger than 255 bytes and smaller than 64256 bytes.) Finally, Atas-400 checks the system time. If the current second is less than 03, a message such as "I like to travel ..." appears on screen. Atas-400 then restores INT 24h and goes back to the original routine.

Damage: None

Notes:
1) Only infects one file at a time.
2) Changes date and time of infected files.
3) Disables the handling of critical errors.


Angarsk

Virus Name: Angarsk

Virus Type: .COM File infector

Virus Length: 238 bytes

Executing Procedure: Searches the current drive or all its parent directories for uninfected .COM files smaller than 32768 bytes and infects them.

Damage: None

Detection Method:
1) Date and time of infected files changed.
2) Infected file length increases by about 238 bytes.


Ash

Virus Name: Ash

Virus Type: .COM file infector

Virus Length: 4+276 bytes

Executing Procedure: Ash infects all infectable .COM files in the current directory. (It won't infect the same file twice, and won't infect files larger than 64768 bytes.) If it finds fewer than two infected files, it will search for and infect infectable files in the parent directory.

Damage: None

Notes: Date and time of infected files are changed.

Detection Method: Infected file lengths will increase by 280 bytes.


Athens

Virus Name: Athens

Virus Type: Memory Resident (HiMem), infects .COM and .EXE files.

Virus Length: 1463 bytes

Executing Procedure: The virus decodes itself first, then checks to see whether it is already resident in memory. If it is not, it installs itself resident in high memory, then hooks INT 21h and goes back to the original routine.

Vectors hooked:
1) Hooks INT 21h to determine whether it has stayed resident in memory.
2) Hooks INT 21h(AX=4B00h) to infect files. If the program to be executed is an uninfected .EXE or .COM (other than COMMAND.COM) file, Athens infects it.
3) Hooks INT 21h (AX=4Eh,4Fh,11h,12h) to determine whether the current program has been infected. If it has, Athens changes the file length and date data in DTA to their original readings so that you can't detect the changes in the infected file's length and date.

Damage: None

Notes:
1) Athens stays resident in high memory. (It will take DFh pairs.)
2) Infected file size increases by 1463 bytes. You can't detect this increase while Athens is in current memory.
3) The date and time of infected files are changed. You can't see the changes while Athens is in current memory.


Arriba

Virus Name: Arriba

Virus Type: Memory Resident, Infects .COM and .EXE files

Virus Length: 1590 bytes

Executing Procedure: Checks to see whether it is already resident in memory. If it is, it goes directly back to the original routine. Otherwise, it moves itself into high memory, then hooks INT 21h and checks the current date. If the date is November 20, Arriba hooks INT 08h and goes back to the original routine.

Vectors hooked:
1) Arriba hooks INT 08h to display a message and then halt the system.
2) It hooks INT 21h (AX=4B00) to determine whether the program being executed has been infected. If it has not, Arriba will infect it in different ways, depending on file type. If it is a .COM file, Arriba writes virus code onto the beginning of the original file, and attaches 2 bytes of identification code to the end of the file to mark that this file has been infected. If it is an .EXE file, Arriba appends virus code to the end of the original code, then changes the head of the file and attaches identification code to the end.

Damage: Halts the system when INT 08h is called.

Notes:
1) The date and time of infected files do not change.
2) The method the virus uses to move code is special. First, it tests to see whether the address A0000h is writeable. If it isn't, Arriba continues to move 1000 bytes of this area to a lower address until it finds a writeable address. Then it moves virus code into this area. You won't see any changes in the MEM program because Arriba does not change the size of memory blocks. This method may damage the virus code, and even halt the system.

Detection Method: Infected files will increase by 1590 bytes.


AST-976

Virus Name: Ast-976

Virus Type: Memory Resident, Infects .COM files.

Virus Length: 976 bytes

Executing Procedure: The virus first decodes itself, then checks to see whether it is already resident in memory. If it isn't, it installs itself resident in high memory, then hooks INT 21h and infects all .COM files in the current directory. (It does not reinfect the same file.) Finally, Ast-976 checks the system clock. If it is 17 minutes after the hour, the virus makes a slight change in PARTITION so that the system can't boot up correctly.

Vectors hooked:
1) Hooks INT 21h to determine whether it has stayed resident in memory.
2) Hooks INT 21 (AX=4B00h) to infect files. If the program to be executed is an uninfected .COM file, Ast-976 infects it.

Damage: When the virus activates, the screen first flashes once. Then some PARTITION data are changed. The change is made by XORing every fourth byte of the four PARTITION records with 55. (The PARTITION table contains four PARTITION records.)

Notes: Date and time of infected files are unchanged.

Detection Method: Infected file size increases by 976 bytes.


AST-1010

Virus Name: Ast-1010

Virus Type: Memory Resident, Infects .COM and .EXE files.

Virus Length: 1010 bytes

Executing Procedure: Ast-1010 first decodes, then checks to see whether it has stayed resident in memory. If it hasn't, it stays in high memory, then hooks INT 21h and infects all .COM and .EXE files on the current directory. (It does not reinfect the same file.) Finally, Ast-1010 checks the system date. If it is the 16th day of the month, the virus makes a slight change in the PARTITION so that the system can't boot up correctly.

Vectors hooked:
1) Ast-1010 hooks INT 21h to determine whether it has stayed resident in memory.
2) It hooks INT 21h (AX=4B00h) to infect files. If the program to be executed is an uninfected .COM or .EXE file, Ast-1010 infects it.

Damage: When the virus breaks out, the screen will flash once. Next, the PARTITION data are changed. This is achieved by XORing every fourth byte of the four partition records with 55. (The partition table contains four partition records.)

Notes:
1) Date and time of infected files do not change.
2) Ast-1010 uses the same method as the AST-976 virus for determining whether it has stayed resident in memory. Therefore, these two viruses can't both reside in memory at the same time.

Detection Method: Infected file size increases by 1010 bytes.


Akuku-649

Virus Name: Akuku-649

Virus Type: Infects .COM files.

Virus Length: 649 bytes

Executing Procedure: Akuku-649 searches for all uninfected .COM files on the current directory (it won't infect the same file twice) and then proceeds to infect them. Regardless of whether or not it has infected files, the virus checks to see if it is 1995 or later, the current month is July or later, it is the 7th day of the month or later, and if the current time is later than 15:00h. If all these conditions are met, Akuku-649 displays the message "A kuku frajerze."

Damage: None

Notes:
1) Akuku-649 does not stay in memory.
2) Before infecting files, it hooks INT 24h so that write errors do not reveal its presence.

Detection Method: Infected file size increases by 649 bytes.


Abraxas-3

Virus Name: Abraxas-3

Virus Type: Infects .EXE files.

Virus Length: 1200 bytes

Executing Procedure: First, Abraxas-3 plays the song "Do Re Mi Fa So La Ti Do Re......" Then it displays the message "abraxas" in large font size. Next, it searches the current directory for an uninfected .EXE file. When it finds one, it proceeds to infect it. (Abraxas-3 only infects one file at a time.)

Damage: It overwrites original files with virus code.

Detection Method: Infected file length is 1200 bytes.


Animus

Virus Name: Animus

Virus Type: Infects .COM and .EXE files.

Virus Length: 7360 or 7392 bytes

Executing Procedure: Animus searches for an uninfected .COM or .EXE file on the current directory, and when it finds one, infects it. It can infect two or three files at a time.

Damage: None

Notes:
1) Does not stay in memory.
2) You will see an error message when a write error occurs, because INT 24h has not been hooked.
3) This virus is written in a high-level language.

Detection Method: Infected file size increases by 7360 or 7392 bytes.


Arcv-7

Virus Name: Arcv-7

Virus Type: Infects .EXE files.

Virus Length: 541 bytes

Executing Procedure: Arcv-7 searches for an uninfected .EXE file on the current directory and infects it. (It infects only one file at a time.)

Damage: None

Notes:
1) Because the virus infection program is not written well, the system will halt when an infected program is executed.
2) It does not stay resident in memory.
3) You will see an error message when a write error occurs, because INT 24h has not been hooked.

Detection Method: Infected file size increases by 541 bytes.


Arcv-6

Virus Name: Arcv-6

Virus Type: Infects .COM files.

Virus Length: 335 bytes

Executing Procedure: Virus searches for an uninfected .COM file on the current directory, then infects it. (It infects only one file at a time.)

Damage: None

Notes:
1) It does not stay resident in memory.
2) You will see an error message when a write error occurs, because INT 24h has not been hooked.

Detection Method: Infected file size increases by 335 bytes.


Arcv-5

Virus Name: Arcv-5

Virus Type: .COM file infector

Virus Length: 475 bytes

Executing Procedure: Arcv-5 searches the current directory for an uninfected .COM file, then infects it. (It infects only one file at a time.)

Damage: None

Notes:
1) It does not stay resident in memory.
2) You will see an error message when a write error occurs, because INT 24h has not been hooked.

Detection Method: Infected file size increases by 475 bytes.


Ash-B

Virus Name: Ash-B

Virus Type: COM File infector

Virus Length: 280 bytes

Executing Procedure: Ash-B searches for all uninfected .COM files on the current directory, then infects them.

Damage: None

Notes:
1) It does not stay resident in memory.
2) You will see an error message when a write error occurs, because INT 24h has not been hooked.

Detection Method: Infected file size increases by 280 bytes.


Arcv-3A

Virus Name: Arcv-3a

Virus Type: .COM File infector

Virus Length: 657 bytes

Executing Procedure: The virus searches for all uninfected .COM files on the current directory, then infects them. Next, it checks the current calendar month. If it is February, the virus displays the message "I've just Found a Virus.. Oops..
Sorry I'm the virus...Well let me introduce myself..
I am ARCV-3 Virus, by Apache Warrior...
Long Live The ARCV and What's an Hard ECU?..
Vote Yes to the Best Vote ARCV..."

Damage: None

Notes:
1) It does not stay resident in memory.
2) You will see an error message when a write error occurs, because INT 24h has not been hooked.

Detection Method: Infected file size increases by 657 bytes.


Anti-DAF

Virus Name: Anti-Daf

Virus Type: .COM file infector

Virus Length: 561 bytes

Executing Procedure: Anti-Daf searches for an uninfected .COM file on the current directory, then infects it. (It infects only one file at a time.) Then it checks the system calendar. If the current month is November, and the current day is Monday, the virus displays a message, and then destroys all data on the hard disk. The Anti-Daf message is:
"The Anti-DAF virus.. DAF-TRUCKSE indhoven..
Hugo vd Goeslaan 1..postbus 90063..6500 PREindhoven,
The Netherlands. .. DAF sucks.....
(c) 1992 Dark Helmet & The Virus Research Centre."

Damage: The virus can destroy all data on the hard disk.

Notes:
1) It does not stay resident in memory.
2) You will see an error message when a write error occurs, because INT 24h has not been hooked.

Detection Method: Infected file size increases by 561 bytes.


April 998

Virus Name: April 998

Virus Type: A memory-resident virus that infects .EXE files greater than 10h.

Virus Length: 998 bytes on file and 1104 bytes in memory

Interrupt Vectors Hooked: INT 21h.

Infection Process: This virus is spread by executing an infected program. When an April 998-infected program is executed, it will check to see if it is already resident in memory. If it is, it will execute the infected program. The April 998 virus stays resident at the top of the MCB (memory control block) but below the DOS 640k boundary.

Damage: The virus writes garbage to the C: drive from relative sector 0 to sector FEh when the system date is April of any year.

Symptoms: The available free memory will decrease by 1104 bytes.

Notes:
This virus doesn't infect files named "SCAN*", "CLEA*", "VIRS*", "F-PR*" or "CPAV*".


Ancient


Virus Name: Ancient

Virus Type: .COM file infector

Virus Length: 783 bytes

Executing Process: The virus searches for an uninfected .COM file on the current directory, then infects it. (It infects only one file at a time.) The screen will then clear or will display the '*' character in various colors until a key is pressed. At that time, a strange sound is emitted for approximately 5 minutes. Next, the virus will return to the original program.

Damage: None

Notes:
1) It does not stay resident in memory.
2) You will see an error message when a write error occurs, because INT 24h has not been hooked.
3) Infected files can be reinfected.

Detection Method: Infected file size increases by 783 bytes.


Adolf-Hitler


Virus Name: Adolf-Hitler

Virus Type: .COM file infector

Virus Length: 475 bytes

Executing Procedure: Adolf-Hitler checks to see whether it has stayed resident in memory. If not, it will stay in high memory. Next, it hooks INT 21h and goes back to the original routine.

Vectors hooked: It hooks INT 21H (AH=4Bh) to infect files. First, it hooks INT 24h so that write errors do not reveal its presence. If the program to be executed is an uninfected .COM file, the virus proceeds to infect it.

Damage: None

Detection Method: Infected file size increases by 475 bytes.


Atte-629


Virus Name: Atte-629

Virus Type: .COM file infector

Virus Length: 629 bytes

Executing Procedure: The Atte-629 virus searches for an uninfected .COM file on the current directory, then infects it. (It infects only one file at a time.)

Damage: None

Notes:
1) It does not stay resident in memory.
2) You will see an error message when a write error occurs, because INT 24h has not been hooked.

Detection Method: Infected file size increases by 629 bytes.


A&A

Virus Name: A&A

Virus Type: .COM file infector

Virus Length: 506 bytes

Executing Procedure: The A&A virus checks to see whether it has stayed resident in memory. If it hasn't, it will stay resident in high memory. Next, it hooks INT 21h and goes back to the original routine.

Vectors hooked: Hooks INT 21H (AH=4Bh) to infect files. It first hooks INT 24h so that write errors do not reveal its presence. If the program to be executed is an uninfected .COM file, the virus proceeds to infect it.

Damage: None

Detection Method: Infected file size increases by 506 bytes.


Atas-3321

Virus Name: Atas-3321

Virus Type: .COM file infector

Virus Length: 3321 bytes

Executing Procedure: The Atas-3321 virus checks to see whether it has stayed resident in memory. If it hasn't, it will stay resident in high memory. Next, it hooks INT 21h and goes back to the original routine. (The virus can only execute its program on DOS 3.3.)

Vectors hooked: Hooks INT 21H (AH=4Bh) to infect files. First, it hooks INT 24h so that write errors do not reveal its presence. If the program to be executed is an uninfected .COM file, the virus proceeds to infect it.

Damage: None

Detection Method: Infected file size increases by 3321 bytes.


Arcv-718

Virus Name: Arcv-718

Virus Type: .COM and .EXE file infector

Virus Length: 718 bytes

Executing Procedure: The virus checks to see whether it has stayed resident in memory. If it hasn't, it will stay resident in high memory. Next, it hooks INT 21h and goes back to the original routine. It will check to see whether the current date is between January 1 and 7. If it is, the virus will display the following message and proceed to hang the system:
"Hello Dr Sol
&
Fido
Lurve U lots
.... "

Vectors hooked: Hooks INT 21H (AH=4Bh) to infect files. If the program to be executed is an uninfected .COM or .EXE file, the virus proceeds to infect it.

Damage: The virus will sometimes halt the system.

Detection Method: Infected file size increases by 718 bytes.


Alpha743


Virus Name: Alpha743

Virus Type: .COM file infector

Virus Length: 743 bytes

Executing Procedure: The virus searches for an uninfected .COM file on the current directory, then infects it. (It infects only one file at a time.) Regardless of whether it has infected a file or not, it will check the current date. If it is 1993 or later, the month is March or later, and it is the 5th of the month, the virus will display the message:
"Your PC has ALPHA virus.
Brought to you by the ARCV
Made in ENGLAND."

Damage: None

Notes:
1) It does not stay resident in memory.
2) You will see an error message when a write error occurs, because INT 24h has not been hooked.

Detection Method: Infected file size increases by 743 bytes.


Arianna

Virus Name: ARIANNA

Virus Type: Multi-partite virus

1. High memory resident file infector. The ARIANNA virus will only infect .EXE files which are between 1771H and 69999H bytes long.
2. Partition sector infector. This virus overwrites the last 9 sectors of the hard drive.

Virus Length: Virus length in .EXE files is 3426 bytes and 3586 bytes in memory.

Interrupt Vectors Hooked: INT 21h.

Infection Process: This virus spreads by executing an infected program or by starting a computer with an infected partition. When a file infected with the ARIANNA virus is executed, the virus checks whether it is already resident in memory by calling INT 2Fh (AX=FE01h) and testing whether the value returned in AX is 0. If the virus is already in memory, it will execute the infected program. Virus code remains resident in high memory.

Damage: Decreases available memory.

Symptoms: While the ARIANNA virus is resident in memory, you cannot alter the hard disk partition sector, so the partition sector cannot be cleaned. To clean the ARIANNA virus from the system, boot the computer from a clean bootable system diskette and overwrite the infected partition sector with the No.9.

Notes: Virus code remains resident in high memory.

Detection Method: Infected file size increases by 3426 bytes.


Alfon

Virus Name: ALFO1344

Virus Type: File type

Virus Length: 1344-1426 bytes

Virus Infect Type: .COM and .EXE files

Virus Re-infect: No

Virus Memory Type: Memory resident, MCB type

Place of Origin:

Int Vector Hooked: INT 21H

Infection Procedure:

The virus infects both .COM and .EXE files. It infects .COM files by moving the host program lower and attaching the whole virus program at the beginning of the file. For .EXE files it does the opposite, attaching its program at the end of the host program in the usual way. After infection, the host program's file size increases by 1344 bytes for .EXE files and by 1426 bytes for .COM files. The virus first detects whether a file is already infected. If it is, it leaves the file alone. If it isn't, it infects it by allocating memory after the resident part of COMMAND.COM and copying its program to that location. It then hooks INT 21H by changing its vector to point to its program at 17F8:01CF. When service 4BH of the interrupt is executed, it attaches its program through INT 3H, which holds the original vector of INT 21H. After attaching its program to the host, it returns to its memory-resident program at 17F7:0000 to infect other files as they are loaded and executed.

Symptom:

Increase in file size by 1344 bytes (for .EXE) and 1426 bytes (for .COM).


Ant4096B

Virus Name: ANT4096B

Virus Type: File type

Virus Length: 4096 bytes

Original Name: INVADER

Virus Infect Type: .COM and .EXE files

Virus Re-infect: No

Virus Memory Type: Memory resident, MCB type

Place of Origin:

Int Vector Hooked: INT 21H, INT 8H, INT 9H, INT 13H

Infection Procedure:

The virus infects both .COM and .EXE files. It infects .COM files by moving the host program lower and attaching the whole virus program at the beginning of the file. For .EXE files it does the opposite, attaching its program at the end of the host program in the usual way. The host program's file size increases by 4096 bytes after infection. The virus program allocates 320 paragraphs (5120 bytes) in the low part of the memory, after the resident part of COMMAND.COM, specifically at 17F8:0000. It decrypts 424 bytes of its program using XOR 46H. After decryption, the string "by Invader, Feng Chiu U., Warning: Don't run ACAD.EXE" is visible in the data area of the virus program. Then it hooks INT 21H by changing its vector to 1808:05DF, INT 08H to 1808:01F9, INT 09H to 1808:02B8, and INT 13H to 1808:0435. No payload was seen in the interrupt hooks; they serve only to infect files as they are loaded and executed.

Symptom:

Increases the file size by 4096 bytes.
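
A defender's check for the marker described in the ANT4096B entry, as an added example that is not part of the original catalogue: it searches a file image for the quoted string both in the clear and under a single-byte XOR. It assumes "XOR 46H" is a one-byte key and that the string is stored exactly as quoted; trying all 256 keys goes beyond the single key the entry names, and the sample data is constructed.

```python
"""Locate the ANT4096B marker string in a file image, plain or XOR-encoded."""
from typing import List, NamedTuple

# Marker text as quoted in the entry above; assumed to be stored byte-for-byte in ASCII.
MARKER = b"by Invader, Feng Chiu U., Warning: Don't run ACAD.EXE"
DOCUMENTED_KEY = 0x46  # "XOR 46H" from the entry, assumed to be a single-byte key


class Hit(NamedTuple):
    offset: int  # position of the marker in the scanned data
    key: int     # XOR key under which it matched (0 = stored in the clear)


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a one-byte key using a 256-entry translation table."""
    return data.translate(bytes(b ^ key for b in range(256)))


def find_marker(data: bytes, marker: bytes = MARKER, keys=range(256)) -> List[Hit]:
    """Return every place the marker occurs under any of the given one-byte keys."""
    hits = []
    for key in keys:
        needle = xor_bytes(marker, key)
        pos = data.find(needle)
        while pos != -1:
            hits.append(Hit(pos, key))
            pos = data.find(needle, pos + 1)
    return sorted(hits)


def classify(data: bytes) -> str:
    """Summarise the scan result for one file image."""
    hits = find_marker(data)
    if not hits:
        return "clean: marker not found under any single-byte XOR key"
    if any(h.key == DOCUMENTED_KEY for h in hits):
        return "match: marker present, encoded with the documented key 46h"
    if any(h.key == 0 for h in hits):
        return "match: marker present in the clear (decrypted image or memory dump)"
    return "suspicious: marker present under an undocumented key"


# Constructed samples (not a real virus body): filler bytes around the encoded marker.
SAMPLE_ENCODED = b"\x90" * 64 + xor_bytes(MARKER, DOCUMENTED_KEY) + b"\x00" * 32
SAMPLE_CLEAN = b"MZ" + b"\x00" * 200

if __name__ == "__main__":
    for name, blob in (("encoded", SAMPLE_ENCODED), ("clean", SAMPLE_CLEAN)):
        print(name, "->", classify(blob), find_marker(blob))
```

A string match of this kind complements the size-increase symptom; neither is conclusive on its own.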