USSR

Virus Name: USSR

Other Names: 570, 8-17-88, 2:08a

Virus Type: Parasitic Virus

Virus Length: 570 bytes

Symptom:
1) Infects .EXE files. Increases file size by 570 to 585 (570+15) bytes. (The next multiple of 16 of the original file size plus 570).
2) The date and time in the file's directory entry is set to 8-17-88 and 2:08a.

Damage: Writes one sector to the boot sector of the C drive, then halts the system.


Ultrasik-1967

Virus Name: Ultrasik-1967

Virus Type: EXE File infector

Virus Length: 1967 bytes

Executing Procedure: Search for an uninfected EXE file and infect it. The search path is from current directory to all subdirectories, then to the root directory and all its subdirectories. Next, it returns to the original routine. If it can't infect a file, it halts the system (The original plan is to format the C drive, but if it can't, it halts the system with an imbedded instruction).

Damage: None

Note: Date and time of infected files do not change.

Detecting Method:
1) Length of infected files are increased.
2) The algorithm is: First, increase original length to make it become a multiple of 16. Then increase it by 1967 bytes.


Uruk-Hai

Virus Name: Uruk-Hai

Virus Type: COM File infector

Virus Length: 394 bytes

Executing Procedure:
1) Checks whether it has stayed resident in memory. If not, it will stay resident in high memory.
2) Then it hooks INT 21h and goes back to the original routine.

Vectors hooked:
1) Hooks INT 21H(AH=4Bh) to infect files. First, it will hang INT 24h to prevent divulging its trace when writing.
2) If the program to be executed is an uninfected COM file, the virus proceeds to infect it.

Damage: None

Detecting Method: Infected file sizes increase by 394 bytes.


Unsnared

Virus Type: File Type Virus

Virus Length: Approximately 814 bytes

Virus Memory Type: High Memory

INT Vectors Hooked: Int 21

Place of Origin:

Infection Procedure:

Loads itself to high memory. Allocates 1024 bytes (9FC0:0000) in memory. Moves approximately 814 bytes (032EH) in high memory. Infects *.EXE files. Copies virus code to host program, adding approximately 814 (032EH) bytes. Loads the virus first before running the host program. While in memory, EXE files opened will be infected.

The virus reacts ordinarily by allocating space in memory before infecting files. Nothing extraordinary happens. It just attaches its code to the host program after it is loaded from memory.

Damage:

Memory free space decreases. Increase in file size.