Virus Name: Alien-1
Virus Type: File Infector Virus (infects .COM and .EXE files)
Virus Length: 571 bytes (COM and EXE)
PC Vectors Hooked: INT 21h
Executing Procedure: Checks to see if it is already resident in high memory. If it's not, it loads itself into resident memory (highest memory) by hooking INT 21h, then executes the originally called file. If it finds it is already resident in high memory, it directly executes the originally called file.
Damage: None
Characteristics:
1) The virus infects files by hooking INT 21h (AX=4B). When an uninfected file is executed, that file will be infected.
2) Alien-1 doesn't hook INT 24h when infecting files. Error messages appear if an I/O error such as write protect occurs.
Detection Method: Infected files will increase in size by 571 bytes.
Virus Name: AVISPA-D
Virus Type: Polymorphic type
Virus Length: 2051 bytes
Virus Infect Type: .EXE files
Virus Re-infect: No
Virus Memory Type: Memory Resident, MCB type
Place of Origin:
Int Vector Hooked: INT 21H
Infection Procedure:
The virus infects .EXE files by appending its code to the end of the host file, adding 2051 bytes to the infected file. Because the virus is polymorphic, its body is stored encrypted and is decrypted by applying XOR E491H to each byte. After decryption, the string "Virus Avispa-Buenos Aires-Noviembre 1993" is visible in the data area of the virus program. The virus then allocates 2304 bytes (144 paragraphs) of memory after the resident part of COMMAND.COM to make itself resident. It hooks INT 21H by changing the vector to point to its code at 17F8:030A, and infects other .EXE programs as they are loaded and executed. It also attempts to open and infect the files XCOPY.EXE, MEM.EXE, SETVER.EXE, and EMM386.EXE in C:\DOS, if they exist.
Symptom:
Increase in .EXE file size by 2051 bytes.
Virus Name: Alien-3
Virus Type: File Infector Virus (infects .COM and .EXE files)
Virus Length: 625 bytes (COM and EXE)
PC Vectors Hooked: INT 21h
Executing Procedure:
1) The virus checks to see whether it has been loaded resident in high memory. If it is not already loaded, it loads itself into resident memory (highest memory portion) by hooking INT 21h.
2) Next, the virus will check the system time. If the number of minutes past the hour is between 33 and 60, it will display parentheses characters (" ") on the screen.
3) After infection, it will execute the original file.
Damage: None
Characteristics:
2) Alien-3 doesn't hook INT 24h when infecting files. An error message appears if an I/O error such as write protect occurs.
Detection Method: Infected files will increase by 625 bytes.
Virus Name: Alameda
Alias Name: Alemeda
Virus Type: Boot Virus
Virus Length: N/A
Description: This virus infects boot sectors. When the system is booted from a disk infected by the virus, the virus will install itself as memory resident. Once the virus is memory resident, all unprotected 5-1/4" 360 diskettes will be infected when it activates through a warm boot (CTRL-ALT-DEL). The virus remains in memory after a warm boot.
Virus Name: Ambulance
Alias Name: Ambulance Car, RedX
Virus Type: File Virus
Virus Length: 796 bytes
Description: This virus infects .COM files. When an infected file is executed, the virus will attempt to infect one .COM file. Symptoms include the display of a moving ambulance at the bottom of the screen, as well as the sound of a siren.
Virus Name: AntiEXE
Alias Name: D3, NewBug, CMOS4
Virus Type: Boot Virus
Virus Length: N/A
Description: This virus infects boot sectors. When the system is booted from a disk infected by the virus, the virus will install itself as memory resident. Total available memory will have decreased by 1,024 bytes. The virus will also overwrite the Master Boot Sector with a copy of itself. Once the virus is memory resident, it will infect all unprotected diskettes.
Virus Name: Austr_Parasite
Alias Name: Aussie Parasite
Virus Type: File Virus
Virus Length: 292 bytes
Description: This virus infects .COM files, including COMMAND.COM. When an infected file is executed, the virus installs itself into memory. The total available memory will have decreased by 320 bytes. Once the virus is memory resident, all executing .COM files will be infected. Infected files will increase in size by 292 bytes, with the virus located at the end of the infected file. Date and time records for infected files will not be altered. Symptoms include system hang. The text string "Australian Parasite" is visible in the virus.
Virus Name: Anna
Virus Type: File Infector Virus (infects .COM files)
Virus Length: 742 bytes (COM)
PC Vectors Hooked: None
Executing Procedure:
1) Searches for a .COM file in the current directory.
2) Once it locates a file, it checks to see whether it has been infected by ANNA. If it has, the virus continues to look for any uninfected .COM files. It will infect only one file at a time.
3) If no uninfected file is found in the current directory, it will continue looking in another directory.
4) The virus will then check the system date. If it is December, the message "Yole from the ARcV................" will appear on the screen.
Damage: None
Detection Method:
1) Infected files will increase in size by 742 bytes.
2) If it is December, the message "Yole from the ARcV........." will appear on screen.
Notes:
1) Doesn't remain resident in memory.
2) ANNA doesn't hook INT 24h when infecting files. An error message appears if an I/O error such as write protect occurs.
Virus Name: Arcv-Fri
Virus Type: File Infector Virus (infects .COM files)
Virus Length: 839 bytes (COM)
PC Vectors Hooked: None
Executing Procedure:
1) Arcv-Fri checks the system date. If it is April 12th, it searches for a .COM file in the current directory, then damages it.
2) If the date is other than April 12, it searches for a .COM file in the current directory and checks to see whether it has been infected by ARCV-FRI. If the file is infected, the virus continues to look for any uninfected .COM file. It infects only one file at a time.
3) Finally, it executes the original file.
Damage: If the system date is April 12, it searches for a .COM file in the current directory, then damages it.
Detection Method:
1) Infected files will increase in size by 839 bytes.
Notes:
1) ARCV-FRI doesn't remain resident in memory.
2) It doesn't hook INT 24h when infecting files. An error message appears if an I/O error such as write protect occurs.
Virus Name: Agent-B
Virus Type: File Infector Virus (infects .EXE and .COM files)
Virus Length: 763 bytes (COM and EXE)
PC Vectors Hooked: INT 24h
Executing Procedure:
1) Searches for a .COM file in the current directory.
2) Once it locates a file, it checks to see whether it has been infected by Agent-B. If it finds the file is infected, it continues to look for any uninfected .COM file.
3) It will infect only two files at a time.
Damage: None
Detection Method: Infected files will increase in size by 763 bytes.
Notes:
1) Doesn't stay resident in memory.
2) Agent hooks INT 24h when infecting files. Omits I/O errors such as write protect.
Virus Name: Arcv-670
Virus Type: File Infector Virus (infects .COM files)
Virus Length: 670 bytes (COM)
PC Vectors Hooked: None
Executing Procedure:
1) Searches for a .COM file in the current directory.
2) Once it locates a file, it checks to see whether it has been infected by ARCV-670. If the file is infected, it continues to look for any uninfected .COM file. It will infect only one file at a time.
3) Finally, the virus checks the system date and, if the date is between December 20 and 25, and the year is later than 1992, it displays the message "Happy Xmas from the ARCV", and the system halts.
Damage: If the system date falls between December 20 and 25 and the year is later than 1992, "Happy Xmas from the ARCV" appears on screen and then the system halts.
Detection Method: Infected files will increase in size by 670 bytes.
Notes:
1) Doesn't stay resident in memory.
2) ARCV-670 doesn't hook INT 24h when infecting files. An error message occurs if there is an I/O error (such as write protect).
Virus Name: Acme
Virus Type: File Infector Virus (Companion Virus)
Virus Length: 932 bytes
PC Vectors Hooked: None
Executing Procedure:
1) Checks whether the current system time falls between 16:00h and 24:00h, in which case a sound is emitted and the system halts.
2) If the system time falls outside of this window, the virus searches for an .EXE file in the current directory.
3) It will then create a 923-byte "hidden & read-only" .COM file with the .EXE file's name.
Damage: If the system time falls between 16:00h and 24:00h, a sound is made, then the system halts.
Detection Method: Check for "hidden" .COM files with a size of 923 bytes.
Notes:
1) Doesn't remain resident in memory.
2) ACME doesn't hook INT 24h when infecting files. An error message appears in case of an I/O error such as write protect.
Virus Name: ABRAXAS
Virus Type: File Infector Virus (infects .COM and .EXE files)
Virus Length: 546 bytes (COM and EXE)
PC Vectors Hooked: INT 24h
Executing Procedure:
1) The virus searches for an .EXE or .COM file in the current directory and checks to see whether it has been infected by Abraxas. If the file is infected, the virus continues to look for an uninfected .EXE or .COM file.
2) Next, it infects all .EXE and .COM files in the current directory.
3) Finally, it executes the original file.
Damage: None
Detection Method: Infected files will increase by 546 bytes.
Notes:
1) Abraxas doesn't stay resident in memory.
2) It hooks INT 24h when infecting files. Omits I/O errors such as write protect.
Virus Name: AIR-COP
Virus Type: Boot Infector
Virus Length: None
PC Vectors Hooked: None
Executing Procedure: When you execute the program, AIR-COP writes the virus to the boot sector of A:.
Damage: Overwrites boot sector of A:.
Detection Method: None.
Virus Name: ARKA
Virus Type: Memory Resident, File Infector Virus (infects .COM files).
Virus Length: 1905 bytes (COM)
PC Vectors Hooked: INT 21h (AX=4B00h) (execute program)
Infection Procedure:
1) The virus checks to see whether it is already loaded as resident in memory. If it is not, it loads itself into resident memory by hooking INT 21h.
2) It then executes the original file.
3) Now loaded into resident memory, it will infect any executed file that is not already infected with the ARKA virus.
Damage: None.
Detection Method: Infected .COM files increase in size by 1905 bytes.
Virus Name: AIDS552
Virus Type: Highest Memory Resident, File Infector Virus (infects .EXE files)
Virus Length: 552 bytes (EXE)
PC Vectors Hooked: INT 21h
Infection Procedure:
1) The virus checks to see whether it is already loaded into resident memory. If it is not, it loads itself into memory (highest memory) by hooking INT 21h.
2) It then executes the original file.
3) AIDS552 infects when the command "DEBUG FILE_NAME.EXE" is executed. It does not infect .COM files.
Damage: None
Detection Method: Infected .EXE file size increases by 552 bytes.
Notes: The AIDS552 virus doesn't hook INT 24h when infecting files. An error message appears if an I/O error (such as write protect) occurs.
Virus Name: AMILIA
Virus Type: Memory Resident, File Infector Virus (infects .COM and .EXE files).
Virus Length: 1614 bytes (COM and EXE)
PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h
Infection Procedure:
1) The virus checks to see whether it is already loaded as resident in memory. If it is not, it loads itself by hooking INT 21h.
2) It then executes the original file.
3) Once it's in resident memory, it will infect any uninfected file that is executed.
Damage:
1) If it is Sunday, the message "Amilia I virii - [NUKE] 1991 By Rock Steady/NUKE" is displayed on the screen, after which the system halts.
2) If it is between 16:00h and 17:00h, a smiling face appears on the screen.
Detection Method:
1) Infected files increase in size by 1614 bytes.
2) A smiling face appears on screen.
Notes: The Amilia virus hooks INT 24h when infecting files. It omits I/O errors (such as write protect).
Virus Name: ANTIPRNT
Virus Type: Highest Memory Resident, File Infector Virus (infects .EXE files)
Virus Length: 593 bytes (EXE)
PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h
Infection Procedure:
1) The virus checks to see whether it is already loaded resident in memory. If it is not, it loads itself into resident memory (highest memory) by hooking INT 21h.
2) Next, the virus executes the original file.
3) Once it's loaded into resident memory it will infect any uninfected file that is executed.
Damage: If the DOS Version is later than 3.0, and "PRINTER" is installed, then the virus will destroy data on the current disk.
Detection Method: Infected files increase in size by 593 bytes.
Notes: The ANTIPRNT virus hooks INT 24h when infecting files. It omits I/O errors (such as write protect).
Virus Name: ABC
Virus Type: Highest Memory Resident, File Infector Virus (infects .EXE files)
Virus Length: 2912 bytes (EXE)
PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h, INT 1Ch, INT 16h
Infecting Procedure:
1) The virus checks to see whether it is already loaded resident in memory. If it isn't, it then loads itself as resident in memory (highest memory) by hooking INT 21h, INT 1Ch, INT 16h.
2) It then executes the original file.
3) Once it's loaded into resident memory it will infect any uninfected file that is executed. It doesn't infect COM files and EXE files with a length shorter than 20K.
Damage: When the system date falls on the 14th of the month, and the virus has been in memory for 55 minutes, it will destroy the data on the hard disk.
Detection Method: Infected files increase in size by 2912 bytes.
Notes: The ABC virus hooks INT 24h when infecting files. It omits I/O errors (such as write protect).
Virus Name: ARCV-9
Virus Type: Highest Memory Resident, File Infector Virus (infects .COM files)
Virus Length: 771 bytes (COM)
PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h
Executing Procedure:
1) The virus checks to see whether it is already loaded resident in memory. If it's not, it loads itself by hooking INT 21h.
2) It then executes the original file.
3) Once it's loaded into resident memory it will infect any uninfected file that is executed. It doesn't infect .EXE files.
Damage: None.
Detection Method: Infected files increase in size by 771 bytes.
Notes: The ARCV-9 virus hooks INT 24h when infecting files. It omits I/O errors (such as write protect).
Virus Name: August-16th
Other Names: Iron maiden
Virus Type: Parasitic Virus (infects .COM files)
Virus Length: 636 bytes
PC Vectors Hooked: Int 21
Executing Procedure:
1) The virus checks to see whether it has already infected the first two .COM files in the current directory. If it hasn't, it will proceed to infect them.
2) If it finds the files are already infected, it checks the current directory on the C: drive to see whether it has two .COM files.
3) If the virus finds them, it will proceed to infect them.
4) Finally, the original file is executed.
Damage:
1) August 16th overwrites the original file to hide changes to the file's date and time in the directory listing.
2) It adds two text strings "*.com AA", "=!=IRON MAIDEN" to infected files.
Detection Method:
1) .COM file growth
2) Unexpected access to the C: drive
Notes: August 16th doesn't hook INT 24h when infecting files. An error message appears if an I/O error (such as write protect) occurs.
Virus Name: Autumn
Other Names: Virus 1701, Cascade-B
Virus Type: Parasitic Virus, RAM resident
Virus Length: 1701 bytes
PC Vectors Hooked: Int 21
Executing Procedure:
1) The virus checks to see whether it is already loaded resident in memory. If it isn't, it loads itself by hooking INT 21h.
2) Next, it executes the original file.
3) Once it's loaded into resident memory it will infect any uninfected file that is executed.
Damage: The Autumn virus causes characters to "fall down" the screen (Video-RAM modification). This does not happen frequently at the beginning but, as time goes by, the frequency of both the "fall down" and sound effects will increase. Semigraphic characters do not fall. Characters cannot fall over different video attributes. It doesn't work on monochrome monitors. The virus sometimes causes the computer to crash.
Detection Methods: Infected files increase in size by 1701 bytes.
Notes: Loads itself resident in memory. An error message appears if an I/O error (such as write protect) occurs.
Virus Name: ARAGORN
Other Names: None
Virus Type: Boot Strap Sector Virus
Damage: None
Detection Method: Only the floppy diskette in drive A: will be infected.
Virus Name: April 1st
Other Names: None
Virus Type: File Infector Virus
Virus Length: 1488 bytes
Executing Procedure:
1) The virus checks to see whether it is already loaded resident in memory. If it is not, it loads itself by hooking INT 21h.
2) Next, it executes the original file.
3) Once it's loaded into resident memory it will infect any uninfected file that is executed.
Damage: On April 1, the virus displays the message "APRIL 1ST HA HA HA YOU HAVE A VIRUS." After displaying the message, the virus halts the system.
Detection Method: April 1st increases the size of .EXE files by 1488 bytes. Infected files contain the string "SURIV." Check to see if the file named "BUG.DAT" exists hidden in the C:\ directory.
Notes: Loads itself as resident in memory. An error message appears if an I/O error (such as write protect) occurs.
Virus Name: Allerbmu
Virus Type: Parasitic Virus
Virus Length: Infected .COM file size increases by 359 bytes. It does not infect .EXE files.
PC Vectors Hooked: None
Executing Procedure:
1) Allerbmu searches for a .COM file in the current directory.
2) When it finds one, it finds out whether the file is infected. If it is, the virus continues to search.
3) When an uninfected file is found, the virus will proceed to infect it. (The virus infects only one file at a time.)
4) Allerbmu checks the system date regardless of whether an uninfected .COM file is found. When the date is Monday, the virus destroys all the files on hard disk, and then displays the message "+ ALLERBMU NORI + (c) 1991........................."
Damage: When the date is Monday, the virus destroys all the files on hard disk, and then displays the message "+ ALLERBMU NORI + (c) 1991........................."
Detection Method: .COM file size increases by 359 bytes.
Remarks:
1) Non-memory resident.
2) When infecting files, the virus does not hook INT 24h. An error message will appear when I/O errors occur.
Virus Name: Arcv-2
Virus Type: Parasitic Virus
Virus Length: Infected .EXE file sizes increase by 693 bytes (does not infect .COM files).
PC Vectors Hooked: INT 24h
Executing Procedure:
1) Searches for an .EXE file in the current directory.
2) Checks to see whether the file is infected. If it is, the virus continues to search.
3) If it finds an uninfected file, the virus will proceed to infect it (infects only one file at a time).
4) Regardless of whether an uninfected .EXE file is found or not, the virus will check the system date. When the date is April or the sixth of any month, the virus will display "Help .. Help .. I'm Sinking ........" on the screen.
Damage: None
Detection Method: Infected .EXE files increase in size by 693 bytes (Arcv-2 does not infect .COM files).
Remarks:
1) The infection was badly written. Most of the infected files cannot be executed normally (also, the virus is not able to infect and damage).
2) Arcv-2 is non-memory resident.
3) When infecting files, the virus does not hook INT 24h. An error message will appear when I/O errors occur.
Virus Name: Atomic-2a
Virus Type: Parasitic Virus
Virus Length: Infected .COM file size increases by 350 bytes (does not infect .EXE files)
PC Vectors Hooked: None
Executing Procedure:
1) Atomic-2a searches for a .COM file in the current directory and, when it finds one, checks to see whether the file is infected. If it is, Atomic-2a continues to search until an uninfected file is found and then infects it. It infects only one file at a time.
Damage: None
Detection Method: Detectable if file lengths increase by 350 bytes.
Remarks:
1) Atomic-2A is non-memory resident.
2) When infecting files, the virus does not hook INT 24h. An error message will appear when I/O errors occur.
Virus Name: Atomic-1B
Virus Type: Parasitic Virus
Virus Length: The length of infected .COM files does not increase (does not infect .EXE files).
PC Vectors Hooked: None
Executing Procedure:
1) When the system date is the 1st of the month, the virus will display "The Atomic Dustbin--YOUR PHUCKED !" and hang the system.
2) When the system date is the 26th, the message "The Atomic Dustbin 1B -- This is almost the second step !" will be displayed and the virus will hang the system.
3) When the system date is neither the 1st nor the 26th of the month:
i) The virus proceeds to search for all .COM files in the current directory and checks to see if each is infected. If it is, Atomic-1B continues to search. If an uninfected file is found, the virus proceeds to infect it (it infects only two files at a time). After infecting, Atomic-1B displays "Program execution terminated."
Damage: None
Detection Method: Detectable if the string "Program execution terminated" is displayed when a program is executed.
Remarks:
1) Atomic-1B is non-memory resident.
2) When infecting files, the virus does not hook INT 24h. An error message will appear when I/O errors occur.
Virus Name: Atomic-1A
Virus Type: Parasitic Virus
Virus Length: The length of the infected .COM files does not increase. (Does not infect .EXE files.)
PC Vectors Hooked: None
Executing Procedure:
1) When the system date is the 25th of the month, the virus displays the string "The Atomic Dustbin 1A -- This is almost the first step !" and hangs the system.
2) When the system date is other than the 25th, Atomic-1A searches for a .COM file in the current directory and checks to see whether the file is infected. If it is, the virus continues to search and, if it finds an uninfected file, the virus will proceed to infect it (infects only two files at a time). After infecting, Atomic-1A displays the string "Bad command or file name."
Damage: None
Detection Method: Detectable if the string "bad command or file name" is displayed when a file is executed.
Remarks:
1) Atomic-1A is non-memory resident.
2) When infecting files, the virus does not hook INT 24h. An error message will appear when I/O errors occur.
Virus Name: Arusiek
Virus Type: Parasitic Virus
Virus Length: Infected .EXE and .COM files increase in size by 817 bytes.
PC Vectors Hooked: INT 21h and INT 24h
Executing Procedure:
1) Arusiek checks to see whether it already resides in memory. If it doesn't, it hooks INT 21h and implants itself in memory, and then executes the host program.
2) If it already resides in memory, the host program will be executed directly.
Infection Procedure:
1) Infects files by hooking AH=4B in INT 21h. Uninfected files will be infected when they are executed.
2) Before infecting files, the virus will hook INT 24h so that I/O errors are ignored.
Damage: None
Detection Method: File length increases by 817 bytes.
Virus Name: Atas-3
Virus Type: Parasitic Virus
Virus Length: 1268 bytes
PC Vectors Hooked: INT 21h and INT 24h
Executing Procedure:
1) Checks to see whether it resides in memory. If it doesn't, the virus hooks INT 21h and implants itself in memory, and then executes the host program.
2) If it already resides in memory, it will execute the host program directly.
Infection Procedure:
1) Infects files by AH=4B in INT 21h. Uninfected files will be infected upon execution.
2) Before infecting files, the virus will hook INT 24h so that I/O errors will be ignored.
Damage: None
Detection Method: File length increases by 1268 bytes.
Virus Name: Arcv-570
Virus Type: Parasitic Virus
Virus Length: Infected .EXE file length increases by 570-585 bytes. (Does not infect .COM files.)
PC Vectors Hooked: None
Executing Procedure:
1) Searches for an .EXE file in the current directory and checks to see whether the file is infected. If it is, Arcv-570 continues to search until it finds an uninfected file, which it then infects (infects only one file at a time).
Damage: None
Detection Method: File length increases by 570-585 bytes.
Remarks:
1) Arcv-570 is non-memory resident.
2) When infecting files, it does not hook INT 24h. An error message appears when I/O errors occur.
Virus Name: Atas-3215
Virus Type: Parasitic Virus
Virus Length: About 3215 bytes (there are several variants)
PC Vectors Hooked: INT 21h
Executing Procedure: (The virus only infects files in DOS 3.3)
1) Atas-3215 checks to see whether it already resides in memory. If it doesn't, the virus hooks INT 21h and implants itself in memory, then proceeds to execute the original program.
2) If it already resides in memory, Atas-3215 executes the host program directly.
Infection Procedure: Infects files through AH=4B in INT 21h. Uninfected files will be infected upon execution.
Virus Name: Andromda
Virus Type: Parasitic Virus
Virus Length: Infected .COM files increase by 1140 bytes (does not infect .EXE files).
PC Vectors Hooked: None
Executing Procedure:
1) Searches for a .COM file in the current directory.
2) It checks to see whether the file is infected. If it is, Andromda continues to search until it finds an uninfected file, then infects it (infects only two files at a time).
Damage: None
Detection Method: File length increases by 1140 bytes.
Remarks:
1) Andromda is non-memory resident.
2) When infecting files, the virus does not hook INT 24h. An error message will appear when I/O errors occur.
Virus Name: Atas-400
Virus Type: .COM file infector
Virus Length: 400 bytes
Vectors Hooked: INT 24h
Executing Procedure: The virus decodes first, then hooks INT 24h to avoid revealing its presence when writing, then changes the head of it. After that, Atas-400 searches for a file to infect in the current directory. (The file must be an uninfected .COM file larger than 255 bytes and smaller than 64256 bytes.) Finally, Atas-400 checks the system time. If the current second is less than 03, a message such as "I like to travel ..." appears on screen. Atas-400 then restores INT 24h and goes back to the original routine.
Damage: None
Notes:
1) Only infects one file at a time.
2) Changes date and time of infected files.
3) Disables the handling of critical errors.
Virus Name: Angarsk
Virus Type: .COM file infector
Virus Length: 238 bytes
Executing Procedure: Searches the current drive or all its parent directories for uninfected .COM files smaller than 32768 bytes and infects them.
Damage: None
Detection Method:
1) Date and time of infected files are changed.
2) Infected file length increases by about 238 bytes.
Virus Name: Ash
Virus Type: .COM file infector
Virus Length: 4+276 bytes
Executing Procedure: Ash infects all infectable .COM files in the current directory. (It won't infect the same file twice, and won't infect files larger than 64768 bytes.) If it finds fewer than two infected files, it will search for and infect infectable files in the parent directory.
Damage: None
Notes: Date and time of infected files are changed.
Detection Method: Infected file lengths will increase by 280 bytes.
Virus Name: Athens
Virus Type: Memory Resident (HiMem), infects .COM and .EXE files.
Virus Length: 1463 bytes
Executing Procedure: The virus decodes first, then checks to see whether it has stayed resident in memory. If it has not, it will remain resident in high memory, then hook INT 21h and go back to the original routine.
Vectors hooked:
1) Hooks INT 21h to determine whether it has stayed resident in memory.
2) Hooks INT 21h (AX=4B00h) to infect files. If the program to be executed is an uninfected .EXE or .COM (other than COMMAND.COM) file, Athens infects it.
3) Hooks INT 21h (AX=4Eh,4Fh,11h,12h) to determine whether the current program has been infected. If it has, Athens changes the file length and date data in the DTA to their original readings so that you can't detect the changes in the infected file's length and date.
Damage: None
Notes:
1) Athens stays resident in high memory. (It will take DFh pairs.)
2) Infected file size increases by 1463 bytes. You can't detect this increase while Athens is in current memory.
3) The date and time of infected files are changed. You can't see the changes while Athens is in current memory.
Virus Name: Arriba
Virus Type: Memory Resident, infects .COM and .EXE files
Virus Length: 1590 bytes
Executing Procedure: Checks to see if it has stayed resident in memory. If it has, it will go directly back to the original routine. Otherwise, it moves itself into high memory, then hooks INT 21h and checks the current date. If the date is November 20, Arriba hooks INT 08h and goes back to the original routine.
Vectors hooked: Arriba hooks INT 08h to display a message and then halts the system. It hooks INT 21h (AX=4B00) to determine whether the program being executed has been infected. If it has not, Arriba will infect it in different ways, depending on file type. If it is a .COM file, Arriba writes virus code onto the beginning of the original file, and attaches 2 bytes of identification code to the end of the file to verify that this file has been infected. If it is an .EXE file, Arriba appends virus code to the end of the original code, then changes the head of the file and attaches identification code to the end.
Damage: Halts the system when INT 08h is called.
Notes:
1) The date and time of infected files do not change.
2) The method the virus uses to move code is special. First, it tests to see whether the address A0000h is writeable. If it isn't, Arriba continues to move 1000 bytes of this area to a lower address until it finds a writeable address. Then it moves virus code into this area. You won't see any changes in the MEM program because Arriba does not change the size of memory blocks. This method may damage the virus code, and even halt the system.
Detection Method: Infected files will increase by 1590 bytes.
Virus Name: Ast-976
Virus Type: Memory Resident, infects .COM files.
Virus Length: 976 bytes
Executing Procedure: The virus first decodes, then checks to see whether it has stayed resident in memory. If it hasn't, it remains resident in high memory, then hooks INT 21h and infects all .COM files in the current directory. (It does not reinfect the same file.) Finally, Ast-976 checks the system clock. If it is 17 minutes after the hour, the virus makes a slight change in PARTITION so that the system can't boot up correctly.
Vectors hooked:
1) Hooks INT 21h to determine whether it has stayed resident in memory.
2) Hooks INT 21h (AX=4B00h) to infect files. If the program to be executed is an uninfected .COM file, Ast-976 infects it.
Damage: When the virus breaks out, the screen first flashes once. Then some PARTITION data are changed. The change is made by XORing every fourth byte of the four PARTITION records with 55. (The PARTITION table contains four PARTITION records.)
Notes: Date and time of infected files are unchanged.
Detection Method: Infected file size increases by 976 bytes.
Virus Name: Ast-1010
Virus Type: Memory Resident, infects .COM and .EXE files.
Virus Length: 1010 bytes
Executing Procedure: Ast-1010 first decodes, then checks to see whether it has stayed resident in memory. If it hasn't, it stays in high memory, then hooks INT 21h and infects all .COM and .EXE files in the current directory. (It does not reinfect the same file.) Finally, Ast-1010 checks the system date. If it is the 16th day of the month, the virus makes a slight change in the PARTITION so that the system can't boot up correctly.
Vectors hooked:
1) Ast-1010 hooks INT 21h to determine whether it has stayed resident in memory.
2) It hooks INT 21h (AX=4B00h) to infect files. If the program to be executed is an uninfected .COM or .EXE file, Ast-1010 infects it.
Damage: When the virus breaks out, the screen will flash once. Next, PARTITION data are changed. This is achieved by XORing every fourth byte of the four partition records with 55. (The partition table contains four partition records.)
Notes:
1) Date and time of infected files do not change.
2) Ast-1010 uses the same method as the AST-976 virus for determining whether it has stayed resident in memory. Therefore, these two viruses can't both reside in memory at the same time.
Detection Method: Infected file size increases by 1010 bytes.
Virus Name: Akuku-649 Virus Type: Infects .COM files. Virus Length: 649 bytes Executing Procedure: Akuku-649 searches for all uninfected .COM files in the current directory (it won't infect the same file twice) and then proceeds to infect them. Regardless of whether or not it has infected files, the virus checks to see if it is 1995 or later, the current month is July or later, it is the 7th day of the month or later, and if the current time is later than 15:00h. If all these conditions are met, Akuku-649 displays the message "A kuku frajerze." Damage: None Notes: 1) Akuku-649 does not stay in memory. 2) Before infecting files, it hooks INT 24h so that it doesn't divulge its trace when writing. Detection Method: Infected file size increases by 649 bytes.
Virus Name: Abraxas-3 Virus Type: Infects .EXE files. Virus Length: 1200 bytes Executing Procedure: First, Abraxas-3 plays the song "Do Re Mi Fa So La Ti Do Re......" Then it displays the message "abraxas" in a large font. Next, it searches the current directory for an uninfected .EXE file. When it finds one, it proceeds to infect it. (Abraxas-3 only infects one file at a time.) Damage: It overwrites original files with virus code. Detection Method: Infected file length is 1200 bytes.
Virus Name: Animus Virus Type: Infects .COM and .EXE files. Virus Length: 7360 or 7392 bytes Executing Procedure: Animus searches for an uninfected .COM or .EXE file in the current directory, and when it finds one, infects it. It can infect two or three files at a time. Damage: None Notes: 1) Does not stay in memory. 2) You will see an error message when writing because INT 24h has not been hooked. 3) This virus is written in a high-level language. Detection Method: Infected file size increases by 7360 or 7392 bytes.
Virus Name: Arcv-7 Virus Type: Infects .EXE files. Virus Length: 541 bytes Executing Procedure: Arcv-7 searches for an uninfected .EXE file in the current directory and infects it. (It infects only one file at a time.) Damage: None Notes: 1) Because the virus infection program is not written well, the system will halt when an infected program is executed. 2) It does not stay resident in memory. 3) You will see an error message when writing because INT 24h has not been hooked. Detection Method: Infected file size increases by 541 bytes.
Virus Name: Arcv-6 Virus Type: Infects .COM files. Virus Length: 335 bytes Executing Procedure: The virus searches for an uninfected .COM file in the current directory, then infects it. (It infects only one file at a time.) Damage: None Notes: 1) It does not stay resident in memory. 2) You will see an error message when writing because INT 24h has not been hooked. Detection Method: Infected file size increases by 335 bytes.
Virus Name: Arcv-5 Virus Type: .COM file infector Virus Length: 475 bytes Executing Procedure: Arcv-5 searches the current directory for an uninfected .COM file, then infects it. (It infects only one file at a time.) Damage: None Notes: 1) It does not stay resident in memory. 2) You will see an error message when writing because INT 24h has not been hooked. Detection Method: Infected file size increases by 475 bytes.
Virus Name: Ash-B Virus Type: .COM file infector Virus Length: 280 bytes Executing Procedure: Ash-B searches for all uninfected .COM files in the current directory, then infects them. Damage: None Notes: 1) It does not stay resident in memory. 2) You will see an error message when writing because INT 24h has not been hooked. Detection Method: Infected file size increases by 280 bytes.
Virus Name: Arcv-3a Virus Type: .COM file infector Virus Length: 657 bytes Executing Procedure: The virus searches for all uninfected .COM files in the current directory, then infects them. Next it checks the current calendar month. If it is February, the virus displays the message "I've just Found a Virus.. Oops.. Sorry I'm the virus...Well let me introduce myself.. I am ARCV-3 Virus, by Apache Warrior... Long Live The ARCV and What's an Hard ECU?.. Vote Yes to the Best Vote ARCV..." Damage: None Notes: 1) It does not stay resident in memory. 2) You will see an error message when writing because INT 24h has not been hooked. Detection Method: Infected file size increases by 657 bytes.
Virus Name: Anti-Daf Virus Type: .COM file infector Virus Length: 561 bytes Executing Procedure: Anti-Daf searches for an uninfected .COM file in the current directory, then infects it. (It infects only one file at a time.) Then it checks the system calendar. If the current month is November, and the current day is Monday, the virus displays a message, and then destroys all data on the hard disk. The Anti-Daf message is: "The Anti-DAF virus.. DAF-TRUCKSE indhoven.. Hugo vd Goeslaan 1..postbus 90063..6500 PREindhoven, The Netherlands. .. DAF sucks..... (c) 1992 Dark Helmet & The Virus Research Centre." Damage: The virus can destroy all data on the hard disk. Notes: 1) It does not stay resident in memory. 2) You will see an error message when writing because INT 24h has not been hooked. Detection Method: Infected file size increases by 561 bytes.
Virus Name: April 998 Virus Type: A memory-resident virus that infects .EXE files greater than 10h. Virus Length: 998 bytes on file and 1104 bytes in memory Interrupt Vectors Hooked: INT 21h. Infection Process: This virus is spread by executing an infected program. When an April 998-infected program is executed, it will check to see if it is already resident in memory. If it is, it will execute the infected program. The April 998 virus stays resident at the top of the MCB (memory control block) but below the DOS 640k boundary. Damage: The virus writes garbage to the C: drive from relative sector 0 to sector FEh when the system date is April of any year. Symptoms: The available free memory will decrease by 1104 bytes. Notes: This virus doesn't infect files named "SCAN*", "CLEA*", "VIRS*", "F-PR*" or "CPAV*."
Virus Name: Ancient Virus Type: .COM file infector Virus Length: 783 bytes Executing Process: The virus searches for an uninfected .COM file in the current directory, then infects it. (It infects only one file at a time.) The screen will then clear or will display the '*' character in various colors until a key is pressed. At that time, a strange sound will be emitted for approximately 5 minutes. Next, the virus will return to the original program. Damage: None Notes: 1) It does not stay resident in memory. 2) You will see an error message when writing because INT 24h has not been hooked. 3) Infected files can be reinfected. Detection Method: Infected file size increases by 783 bytes.
Virus Name: Adolf-Hitler Virus Type: .COM file infector Virus Length: 475 bytes Executing Procedure: Adolf-Hitler checks to see whether it has stayed resident in memory. If not, it will stay in high memory. Next, it hooks INT 21h and goes back to the original routine. Vectors hooked: It hooks INT 21h (AH=4Bh) to infect files. First, it hooks INT 24h so that it doesn't divulge its trace when writing. If the program to be executed is an uninfected .COM file, the virus proceeds to infect it. Damage: None Detection Method: Infected file size increases by 475 bytes.
Virus Name: Atte-629 Virus Type: .COM file infector Virus Length: 629 bytes Executing Procedure: The Atte-629 virus searches for an uninfected .COM file in the current directory, then infects it. (It infects only one file at a time.) Damage: None Notes: 1) It does not stay resident in memory. 2) You will see an error message when writing because INT 24h has not been hooked. Detection Method: Infected file size increases by 629 bytes.
Virus Name: A&A Virus Type: .COM file infector Virus Length: 506 bytes Executing Procedure: The A&A virus checks to see whether it has stayed resident in memory. If it hasn't, it will stay resident in high memory. Next, it hooks INT 21h and goes back to the original routine. Vectors hooked: Hooks INT 21h (AH=4Bh) to infect files. It first hooks INT 24h so that it doesn't divulge its trace when writing. If the program to be executed is an uninfected .COM file, the virus proceeds to infect it. Damage: None Detection Method: Infected file size increases by 506 bytes.
Virus Name: Atas-3321 Virus Type: .COM file infector Virus Length: 3321 bytes Executing Procedure: The Atas-3321 virus checks to see whether it has stayed resident in memory. If it hasn't, it will stay resident in high memory. Next, it hooks INT 21h and goes back to the original routine. (The virus can only execute its program on DOS 3.3.) Vectors hooked: Hooks INT 21h (AH=4Bh) to infect files. First, it hooks INT 24h so that it doesn't divulge its trace when writing. If the program to be executed is an uninfected .COM file, the virus proceeds to infect it. Damage: None Detection Method: Infected file size increases by 3321 bytes.
Virus Name: Arcv-718 Virus Type: .COM and .EXE file infector Virus Length: 718 bytes Executing Procedure: The virus checks to see whether it has stayed resident in memory. If it hasn't, it will stay resident in high memory. Next, it hooks INT 21h and goes back to the original routine. It will check to see whether the current date is between January 1 and 7. If it is, the virus will display the following message and proceed to hang the system: "Hello Dr Sol & Fido Lurve U lots .... " Vectors hooked: Hooks INT 21h (AH=4Bh) to infect files. If the program to be executed is an uninfected .COM or .EXE file, the virus proceeds to infect it. Damage: The virus will sometimes halt the system. Detection Method: Infected file size increases by 718 bytes.
Virus Name: Alpha743 Virus Type: .COM file infector Virus Length: 743 bytes Executing Procedure: The virus searches for an uninfected .COM file in the current directory, then infects it. (Infects only one file at a time.) Regardless of whether it has infected a file or not, it will check the current date. If it is 1993 or later, the month is March or later, and it is the 5th of the month, the virus will display the message: "Your PC has ALPHA virus. Brought to you by the ARCV Made in ENGLAND." Damage: None Notes: 1) It does not stay resident in memory. 2) You will see an error message when writing because INT 24h has not been hooked. Detection Method: Infected file size increases by 743 bytes.
Virus Name: ARIANNA Virus Type: Multi-partite virus 1. High memory resident file infector. The ARIANNA virus will only infect .EXE files which are between 1771H and 69999H bytes long. 2. Partition sector infector. This virus overwrites the last 9 sectors of the hard drive. Virus Length: Virus length in .EXE files is 3426 bytes and 3586 bytes in memory. Interrupt Vectors Hooked: INT 21h. Infection Process: This virus spreads by executing an infected program or starting a computer with an infected partition. When a file infected with the ARIANNA virus is executed, the virus will check to see if it is already resident in memory by checking whether the return value of AX is equal to 0 after INT 2Fh (AX=FE01h). If the virus is already in memory it will execute the infected program. Virus code remains resident in high memory. Damage: Decreases available memory. Symptoms: While the ARIANNA virus is resident in memory you cannot alter the HD partition to cause any damage to the partition sector by cleaning it. The way to clean the ARIANNA virus from the system is to boot up the computer with a clean bootable system diskette and overwrite the infected partition sector with the No.9. Notes: Virus code remains resident in high memory.
Detection Method: Infected file size increases by 3426 bytes.
Virus Name: ALFO1344
Virus Type: File type
Virus Length: 1344-1426 bytes
Virus Infect Type: .COM and .EXE files
Virus Memory Type: Memory resident, MCB type
The virus infects both .COM and .EXE files. It infects .COM files by moving the host program lower and attaching the whole virus program at the beginning of the file. In contrast, .EXE files are infected in the normal way, with the virus program attached at the end of the host program. After infection, the host program's file size increases by 1344 bytes for .EXE files and by 1426 bytes for .COM files. The virus first detects if a file is already infected. If it is, it leaves the file alone. If it isn't, it infects it by allocating memory after the resident part of COMMAND.COM and copying its program to that location. It then hooks INT 21H by changing its vector to its program at 17F8:01CF. When INT 21H service 4BH is executed, it attaches its program through the interrupt services of INT 3H, which holds the original vector of INT 21H. After attaching its program to the host, it returns to its memory-resident program at 17F7:0000 to infect other loading and executing files.
Increase in file size by 1344 bytes (for .EXE) and 1426 bytes (for .COM).
Virus Name: ANT4096B
Virus Length: 4096 bytes
Original Name: INVADER
Int Vector Hooked: INT 21H, INT 8H, INT 9H, INT 13H
The virus infects both .COM and .EXE files. It infects .COM files by moving the host program lower and attaching the whole virus program at the beginning of the file. In contrast, .EXE files are infected in the normal way, with the virus program attached at the end of the host program. The host program's file size increases by 4096 bytes after infection. The virus program allocates 320 paragraphs (5120 bytes) in the low part of the memory, after the resident part of COMMAND.COM, specifically at 17F8:0000. It decrypts 424 bytes of its program using XOR 46H. After decryption, the string "by Invader, Feng Chiu U., Warning: Don't run ACAD.EXE" can be seen in the data area of the virus program. Then it hooks INT 21H by changing its vector to 1808:05DF, INT 08H to 1808:01F9, INT 09H to 1808:02B8, and INT 13H to 1808:0435. No payload was seen in the interrupt hooks; they only infect files as they are loaded and executed.
Increases the file size by 4096 bytes.