Enola

Virus Name: ENOLA

Virus Type: Memory Resident, File Infector (.COM and .EXE files)

Virus Length: 1865--1875 bytes

PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h, INT 8h

Infecting Process:
1) The virus checks whether it is already loaded resident in memory. If it isn't, it loads itself by hooking INT 21h.
2) Next, it executes the original file.
3) Once it's loaded into resident memory it will infect any uninfected file that is executed.

Damage: When the virus has stayed resident for 140 minutes and INT 21h has been called more than 72 times, all data on the hard disk will be destroyed.

Detection Method: Infected files increase in size in size by 1865-1875 bytes.

Notes: The Enola virus hooks INT 24h when infecting files. It omits I/O errors (such as write protect).


Elvis

Virus Name: Elvis

Virus Type: File Infector (.COM files)

Virus Length: 1250 bytes

PC Vectors Hooked: INT 8h

Executing Process:
1) The Elvis virus searches for a .COM file in the current directory. If the file it finds has already been infected, it continues to look for other uninfected .COM files and infects all of them, three files at a time.
2) Finally, it hooks INT 8h and executes the original file.

Damage: About eight (8) minutes after the virus is executed, one of these messages appears on the screen: 1) "Elvis lives! 2) ELVIS is watching! 3) Don maybe he lives here!.....," and so on.

Detection Method: Infected files will increase in size by 1250 bytes.

Notes:
1) Doesn't stay resident in memory.
2) Elvis doesn't hook INT 24h when infecting files. It omits I/O errors (such as write protect).


EDV

Virus Name: EDV

Alias: Cursy

Virus Type: Boot Sector Virus

Virus Length: N/A

When the system is booted from an infected disk, the virus installs itself into memory.

Once resident in memory, the virus infects floppy disks accessed. It moves the original boot sector, replacing it with a copy of itself.

After infecting six disks,  EDV will disable the keyboard and corrupt all disks in the system. Finally, the message "That rings a bell, no? From Cursy" is displayed on the screen:

Detection Methods: The string "MSDOS Vers. E.D.V." can be found in infected boot sectors.


Exebug

Virus Name: Exebug

Aliases: Swiss Boot, CMOS killer

Virus Type: Boot Sector Virus

Virus Length: N/A

Interrupt Vectors Hooked: INT 13h.

Infection method: When the system is booted from an Exebug-infected diskette, Exebug installs itself as resident at the top of system memory but below the 640K DOS boundary, moving interrupt 12's return. Total system and available free memory will have decreased by 1,024 bytes. At this time, the virus will infect the system hard disk's master boot sector.

Damage: Master boot sector corruption; decrease in total system and available free memory; inability to access drive C: after diskette boot.


Ear

Virus Name: EAR

Virus Type: File Infector (.COM and .EXE files)

Virus Length: 1024 bytes

PC Vectors Hooked: None

Executing Process:
1) The virus searches for an uninfected .EXE or .COM file in the current directory.
2) When the virus finds them, it continues to infect all .COM and .EXE files in the current and parent directories until they have all been infected.
3) EAR then checks the system date. If it is the 1st day of any month, the virus displays the message:

" PHALON/SKISM 1992 [Ear-6] Alert! Where is the Auditory Canal located? 1. External Ear 2. Middle Ear 3. Inner Ear ",

then waits for your choice.

4) If you press "1" or "3", the message "Wow, you know your ears! Please resume work."  appears and then the virus executes the original file.
5) If you press "2" the message "You obviously know nothing about ears. Try again after some study."  appears. Then the program ends without executing the original file.

Damage: If  it is the 1st day of any month, a message will appear on the screen.

Detection Method: Infected files will increase in size by 1024 bytes.

Notes:
1) Doesn't stay resident in memory.
2) EAR doesn't hook INT 24h when infecting files. It omits I/O errors (such as write protect).


Ell

Virus Name: ELL

Other names: None

Virus Type: File Infector (.COM and .EXE files)

Virus Length: .EXE files, 1237-1246 bytes;.COM files, 1237 bytes

Executing Process:
1) If the ELL virus finds that it is not already loaded resident in memory it loads itself by hooking INT 21h.
2) It then executes the original file.
3) Once it's loaded into resident memory it will infect any uninfected file that is executed.

Damage: None

Detection Method: Increases infected file size by 1237/1246 bytes.

Notes:
Loads itself as memory resident. An error message appears if there is an I/O error (such as write protect).


Ein-Volk

Virus Name: Ein-Volk

Virus Type: Parasitic Virus (infects .COM files)

Virus Length: 482 bytes

PC Vectors Hooked: None

Executing Process:
Searches for uninfected .COM files in the current directory and, when it finds one, proceeds to infect it. It continues until all .COM files in the directory are infected.

Damage: None

Detection Method: Files infected increase in size by 482 bytes.

Remarks:
1) Non memory resident.
2) When infecting files, the virus does not hook INT 24h. An error message appears if an I/O error (such as write protect) occurs.


Eagl-7705

Virus Name: Eagl-7705

Virus Type: Parasitic Virus

Virus Length: 7705 bytes

Executing Process:
1)  Eagl-7705 searches for an .EXE file in the current directory and, when it finds one, creates a 7705-byte .COM file. The content of the .COM file is the encrypted virus itself.
2) The virus repeats the procedure until all .EXE files in the current directory are infected.

Damage: None

Detection Method: File length increases by 7705 bytes.

Notes:
Non memory resident.


Eno-2430

Virus Name: Eno-2430

Virus Type: Parasitic Virus (infects .COM and .EXE files)

Virus Length: 2430- 2445 bytes

PC Vectors Hooked: INT 21h and INT24h

Executing Process:
1) If Eno-2430 finds that it doesn't already reside in memory, it hooks INT 21h and installs itself, then executes the host program.
2) If it already resides in memory, it executes the host program directly.

Infecting Process:
1) The virus infects files through AH=4B in INT 21h. When an uninfected program is executed, it becomes infected.
2) Before infecting files, Eno-2430 will hook INT 24h first so that I/O errors are ignored.

Damage: The virus has a counter. After infecting a file, it subtracts 1 from the counter. When the counter value is 0, the virus will destroy all the data on hard disk.

Detection Method: Infected files increase in size by 2430-2445 bytes.


Exper-755

Virus Name: Exper-755

Virus Type: Parasitic Virus (infects .EXE files)

Virus Length: 755 bytes

PC Vectors Hooked: INT 24h

Executing Process:
1) Exper-755 searches for uninfected .EXE files in the current directory and, once it finds one, proceeds to infect it. Exper-755 continues this process until all .EXE files in the directory are infected.

Damage: None

Detection Method: Infected file size increases by 755 bytes.

Remarks:
1) Non memory resident.
2) Before infecting, the virus hooks INT 24h so that I/O errors are ignored.


Encroach-2

Virus Name: Encroach 2

Virus Type: Parasitic Virus (infects .COM files)

PC Vectors Hooked: INT 24h

Executing Process:
1) Encroach-2 searches for an uninfected .COM file in the current directory.
2) When it finds one, it proceeds to infect the file (infects only one file each time).

Damage: None

Remarks:
1) Non memory resident.
2) Before infecting, the virus will hook INT 24h so that I/O errors are ignored.


Encroach

Virus Name: Encroach

Virus Type: Parasitic Virus (infects .COM files)

PC Vectors Hooked: INT 24h

Executing Process:
1) Encroach searches for an uninfected .COM file in the current directory.
2) If it finds an uninfected file, it infects it (infects one file each time).

Damage: None

Remarks:
1) Non memory resident.
2) Before infecting, the virus will first hook INT 24h so that I/O errors are ignored.


Enet-613

Virus Name: Enet-613

Virus Type: File Infector (.COM files)

Virus Length: 613-628 bytes

Executing Process:
1) Enet-613 infects all .COM files on the current directory. (It will not reinfect the same file.)
2) If the current system date is a Sunday, the virus displays a message and waits until the user presses a key, then changes the word at address 4000:0013h of RAM to 0200h, and calls INT 19h to reboot the system.

Damage: None

Notes:
1) Date and time of infected files do not change.
2) Infected files will increase in size by between 613 and 628 bytes.


Ekoterror

Virus Name: Ekoterror

Virus Type: Memory Resident (infects High Memory, .COM files and Partition)

Virus Length: 2048 bytes

Executing Process:
1) When an infected program executed, Ekoterror will write virus code into Partition. It will not check to see whether Partition has already been infected when it invades because this would cause data in Partition to be lost after infected programs are executed.
2) If the virus invades the system when booting up from hard disk, it will hook INT 08h, INT 13h, and call INT 08h to check to see whether DOS has been loaded. If DOS is loaded, Ekoterror will hook INT 21h.

Vectors hooked:
It hooks INT 08h to determine whether DOS is loaded. If it is, the virus hooks INT 21h.
It hooks INT 13h to determine whether the Partition sector being loaded. If it is, the virus will deliver back or change the original Partition data.
It hooks INT 21h to infect .COM files during file reading or writing.

Damage: Partition is destroyed.

Notes:
1) If the virus has invaded Partition and if the system was booted up from a floppy disk, you won't be able to load or save data on hard disk (because the data in Partition has been changed).
2) If the DOS Version is not suitable, or the code of INT 08h does not comform with the DOS loading process, the virus can't hook INT 21 and cannot infect any files.

Cleaning Method: Boot the system up from an uninfected diskette and use a program (like Debug) that can read or write to hard disk to write the original Partition data back.


Evilgen

Virus Name: Evilgen

Virus Type: File Infector (.COM and .EXE files)

Virus Length: 955 bytes (Version 1.1), 963 bytes (Version 2.0)

Executing Process:
1) If Evilgen finds that it is not resident in memory, it will stay resident in high memory.
2) Next, it hooks INT 21h, INT 09h and goes back to the original routine.
3) If the system calender indicates that the current date is the 24th of any month, and if the Delete key is pushed down, the virus will be triggered.

Vectors hooked:
Evilgen hooks INT 21H(AX=4B00h) to infect files. If the program to be executed is an uninfected .EXE or .COM file, the virus proceeds to infect it.
Evilgen hooks INT 09h to determine whether the Delete key is being pushed down.

Damage:  Evilgen selects a sector, then formats it from head 0, track 0 to head 0, track 20h on C:\ drive. The virus will sometimes destroy the C:\ drive.

Notes:
1) The date and time of infected files do not change.
2) While memory is infected, typing "Dir" does not reveal changes in file length.

Detection Method:
1) Total system memory decreases.
2) COMMAND.COM on the root directory on the C:\ drive has been infected if BX=9051h (BX is a return value when INT 21h(AX=7BCDh) is called).
3) The pointers of INT 21h and INT 09h are the same.
4) Infected files increase in size by 955 bytes (Version 1.1) or 963 bytes (Version 2.0). Changes in file size are apparent only when memory has not been infected.


ED

Virus Name: Ed

Virus Type: File Infector (.COM and .EXE files)

Virus Length: 775-785 bytes

Executing Process:
1) If Ed determines that it is not resident in memory, it will stay resident in high memory.
2) Next, the virus hooks INT 21h and goes back to the original routine.

Vectors Hooked: It hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to ensure that its trace is not divulged during writing. If the program to be executed is an uninfected .COM or .EXE file, the virus proceeds to infect it.

Damage: There is a flag in the virus procedure and every infected file has a different flag. The flag decreases by one (1) each time the virus infects a new file. When the flag is equal to zero, Ed destroys all data on the hard disk.

Detection Method: Infected files increase in size by 775-785 bytes.


Egg

Virus Name: Egg

Virus Type: File Infector (.EXE files)

Virus Length: 1000-1005 bytes

Executing Process:
If Egg finds that it is not resident in memory, it will stay resident in high memory, then hook INT 21h and go back to the original routine.

Vectors Hooked: Egg hooks INT 21h (AH=4Bh) to infect files. First, it hangs INT 24h so that its trace isn't divulged during writing. If the program to be executed is an uninfected .EXE file, the virus proceeds to infect it.

Damage: None

Detection Method: Infected files increase in size by 1000-1005 bytes.


Exper-416

Virus Name: Exper-416

Virus Type: File Infector (.COM files)

Virus Length: 416 bytes

Executing Process:
The Exper-416 virus searches for all uninfected .COM files on current directory, and infects those it finds.

Damage: None

Notes:
1) It does not stay resident in memory.
2) You will see an error message when writing because INT 24h has not been hanged.

Detection Method: Infected files increase in size by 416 bytes.


Explode

Virus Name: Explode

Virus Type: File Infector (.COM files)

Executing Process:
Explode searches for all uninfected .COM files on current directory and infects those it finds. Regardless of whether it has infected a file or not, it will check the system calendar and, if the current month is April or May, the virus will display the message "Your hard drive is about to explode!" Explode then destroys all data the on hard disk. If the system calendar indicates a month other than April or May, the message "Program too big to fit in memory." appears on the screen.

Damage:
1) It sometimes destroys all data on the hard disk.
2) It overwrites original files with virus code so that they are destroyed.

Notes:
1) It does not stay resident in memory.
2) You will see an error message when writing because INT 24h has not been hanged.


End-Of

Virus Name: End-Of

Virus Type: File Infector (.COM files)

Virus Length: 783 bytes

Executing Process: If Endo-Of finds that it is not resident in memory, it will stay resident in high memory, then hook INT 21h and go back to the original routine.

Vectors Hooked: End-Of hooks INT 21H(AH=3Bh) to infect files. When it accesses other directories, all uninfected .COM files on the original directory will be infected.

Damage: None

Notes: You will see an error message when writing because INT 24h has not been hanged.

Detection Method: Infected files increase in size by 783 bytes.


Ecu

Virus Name: Ecu

Virus Type: File Infector (.EXE files)

Virus Length: 711 bytes

Executing Process: If the Ecu virus finds that it is not resident in memory, it will stay resident in high memory, then hook INT 21h and go back to the original routine. (It can only execute its program in DOS 3.3.)

Vectors Hooked: Ecu hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h so that it doesn't divulge its trace when writing. If the program to be executed is an uninfected .EXE file, the virus infects it.

Damage: Most infected files cannot be executed.

Detection Method: Infected files increase in size by 711 bytes.