101

Virus Name: 101

Virus Type: File Infector Virus

Virus Length: 2560 bytes

Executing Procedure: When all the files (COM and EXE) have been infected in the current drive, the virus will check the system date to determine whether it is a multiple of 9 (for example 9th, 18th, 27th). If "yes," all the text on the screen will be confused and down-shifted. If not the virus will modify the Boot Sector and continue to infect another drive.

Damage: All the files (COM and EXE) will be infected and increased by 2560 Bytes. Infected file contains the string "VIRUS 101".


1339

Virus Name: 1339

Other Names: Vacsina virus

Virus Type: Parasitic Virus

Virus Length: 1339 bytes

Symptoms: Increases infected .COM file sizes by 1339 bytes, .EXE files by 1471 bytes. Infected files contain the word "VACSINA". Decreases the size of free RAM memory.

Damage: No damage, no manipulation.

Note: First the virus tests to determine if it is already in memory (it uses interrupt vector 31h for this purpose). If it is not in memory yet, it installs itself before the infected program (using MCB modification, it allocates 1344 bytes). After installation the virus monitors DOS EXEC function and infects all uninfected programs. This virus is one of a group of viruses which cooperates with each other. This group has every virus of its own level, a virus can remove some other Vacsina with lower level 10h. It can remove viruses with level less than 10h. To spread, a Vacsina virus uses direct interrupt 21h.


1701/1704

Virus Name: 1701/1704

Other Names: Raindrop virus

Virus Type: Parasitic Virus

Virus Length: 1701/1704 bytes

Symptoms: Increases infected .COM file sizes by 1701/1704 bytes when the system date is between October and December, 1988. Five minutes after installation, virus will scan all the characters on screen and down-shift one by one as if it were raining.

Damage: No damage. System will halt after virus is activated.


1800

Virus Name: 1800

Other Names: Bulgarian virus, Sofia virus, Dark Avenger

Virus Type: Parasitic Virus

Virus Length: cca 1800 bytes

Symptoms: Increases infected file sizes by cca 1800 bytes (in the case of EXE files it performs paragraph alignment). Decreases the size of free RAM memory. Infected files contain the following strings: "Eddie lives...somewhere in time!", "Diana P." a "This program was written in the city of Sofia (C) 1988-89 Dark Avenger".

Damage: Virus reads the boot sector of the disk, and (offset 10, OEM decimal version) marks the number of programs in it which are run from the given disk MOD 16. If it is zero (after every 16 programs!!), it overwrites random cluster on the disk with part of its own code. The cluster number is then stored in the boot sector at the position at offset 8 (OEM main version). Modifies boot sector, then writes back on the disk.


163

Virus Name: 163

Virus Type: COM File infector

Virus Length: 163 bytes

Executing Procedure: It will infect first uninfected COM file on current directory. If there are no COM files on the current directory or it has infected one, go back to original routine.

Damage: None

Note:

The method of infection is:
(1) Move the first 163 bytes of original file to the end.
(2) Write virus codes into its first 163 bytes so that the original file is destroyed if it is less than 163 bytes.
2) Does not infect same file again.
3) Date and time of infected files do not change.

Detection Method:

1) Infected files will increase by 163 bytes.
2) Check for the presence of "*.COM" in the 19Dh byte of a file.


17690

Virus Name: 17690

Virus Type: EXE File infector

Virus Length: 17690 bytes

Executing Procedure:
1) There is a 10% chance that the virus will infect a file. The method of infection is: Virus searches for an EXE file on diskette A. Next, it renames this file and creates a new COM file with the same name as the original EXE file. This new COM file is the virus.
2) When the virus does not infect files, it will execute the program that has been renamed. The user will not see any unusual manifestation.

Damage: None

Detecting Method: Infected file size increases by 17690 bytes.


1720

Virus Name: 1720

Virus Type: COM File infector

Virus Length: 1723 bytes

Executing Procedure: Virus checks to see whether it is resident in memory. If not, it will stay resident in high memory. Next, it hooks INT 21h and goes back to the original routine.

Vectors hooked: Hooks INT 21H(AH=4Bh) to infect files. First, it will hang INT 24h to prevent divulging its trace when writing. If the program to be executed is an uninfected COM file, the virus proceeds to infect it.

Damage: None

Detection Method: The infected file size increases by 1723 bytes.


17-768

Virus Name: 17-768

Virus Type: Virus Infects .COM and .EXE files shorter than 59920 bytes. Memory resident.

Virus Length: 768 (300h) bytes on File and . 800 (320h) bytes in memory.

Interrupt Vectors Hooked: INT 09h and 21h.

Infection Process: This virus is a variant of the November-17th virus.
If the system date is equal to 17 November, and the value of [40:46E] is not the same as the virus backup value of [40:46E] when the virus resident, it will destroy the current disk beginning from sector 1 to sector 8. The first time a program infected with November 17th is executed, the virus will install itself as memory resident at the top of system memory but below the 640K DOS boundary.

Damage: Virus destroys sectors 1 through 8 in the current disk. By progressive action, the virus will insert garbage into these sectors when the date is the November 17.

Symptoms: File size increase of 855 bytes. Available free memory decreases by 896 bytes.

Note: The November 17th virus was received in January, 1992. Its origin or point of original isolation was originally unknown, but it has since been reported as being widespread in Rome, Italy in December 1991. November 17th is a memory resident infector of .COM and .EXE programs, including COMMAND.COM.


1241


Virus Name: 1241

Virus Type: COM & EXE File infector

Virus Length: 1560-1570 bytes

Executing Procedure: Virus checks to see whether current calendar date is later than November 13, 1990 . If it is, the virus displays the following message: "St Cruz, Dili, 1991 Nov 12. Lusitania Expresso, Freedom for East Timor !", then reboots system. Otherwise, it will check to see whether it has stayed resident in memory. If not, it will stay resident in high memory. Then it hooks INT 21h and goes back to original routine.

Vectors hooked: Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed is an uninfected .COM or .EXE file, the virus proceeds to infect it.

Damage: None

Detection Method: Infected file size increases by 1560-1570 bytes.


104


Virus Name: 104

Virus Type: COM File infector

Virus Length: 400 bytes

Executing Procedure: Checks to see if it has stayed resident in memory. If not, it will stay resident in high memory. Then it hooks INT 21h and goes back to the original routine.

Vectors hooked: Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed is an uninfected COM file, the virus proceeds to infect it.

Damage: None

Note: You will see an error message when writing because INT 24h has not been changed.

Detection Method: Infected file size increases by 400 bytes.