FCB

Virus Name: Fcb

Virus Type: File Infector Virus (.EXE and .COM files)

Virus Length: No change

PC Vectors Hooked: None

Executing Procedure:
1) Fcb searches for an uninfected.COM file in the current directory and, when it finds one, infects it. (It will infect only one file at a time.)
2) The virus continues to search and infect uninfected .COM files.
3) Next, it searches for an .EXE file in the current directory and, when it finds one, infects it. (It will infect only one file at a time.)
4) The virus continues to search and infect uninfected .EXE files.

Damage: 1) Overwrites original file so that the length of infected file won't change.

Notes:
1) Doesn't stay resident in memory. 2) FCB doesn't hook INT 24h when infecting files. Error message occurs if there is an I/O error (such as write protect).


F3

Virus Name: F3

Virus Type: Memory Resident, File Infector Virus (.COM and .EXE files).

Virus Length: 50406 bytes

PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h

Infecting Procedure:
1) If F3 finds that it is not already loaded resident in memory, it loads itself (into highest memory) by hooking INT 21h.
2) If the system date is April 1st, two lines of code will appear on the screen.
3) F3 next executes the original file.
4) Once it's loaded into resident memory it will infect any uninfected file that is executed.

Damage: None.

Detection Method: Infected files increase by 50406 bytes.

Notes: The F3 virus hooks INT 24h when infecting files. It omits I/O errors (such as write protect).


Form.A

Virus Name: Form.A

Aliases: FORM, Form, Form 18, Generic

Virus Type: Boot Sector Virus

Virus Length: N/A

Interrupt vectors hooked: INT 13h, INT 09h.

Infection method: When the system is booted from an infected diskette, Form.A infects the DOS boot sector and loads itself in memory. While loaded, it infects any accessed, non-protected disks. The DOS CHKDSK program will indicate 653,312 bytes of free memory.

Damage: On the 18th day of any month, the virus will emit a clicking sound whenever keys are pressed. The system may hang when a read error occurs, and parts of the original boot sector may be overwritten, making the partition unbootable.


Frodo.Frodo.A

Virus Name: Frodo.Frodo.A

Aliases: 4096, IDF, 4096-1, Frodo, 100 Year

Virus Type: File Infector Virus (.COM and .EXE files)
 
Virus Length: 4,096 bytes

Interrupt vectors hooked: INT 21h, INT 13h.

Infection method: When an infected file runs, Frodo.Frodo.A loads itself in memory. While loaded, it infects accessed, executable files. The virus increases the size of infected files by 4096 bytes.

Damage: After September 21, the virus tries to modify the boot sector to display "FRODO LIVES." However, the virus code is corrupted, so instead of modifying the system areas, it crashes the system.

Notes: While the virus is in memory, it hides the increase in infected file size.


Fire

Virus Name: Fire

Virus Type: Trojan Horse Virus

Virus Length: 4304 bytes

PC Vectors Hooked: INT 24h

Damage: Destroys all data on all disks if drives are ready, then emits a sound.

Detection Method: Infected file size increases by 4304 bytes.

Notes:
1) Doesn't stay resident in memory.
2) Doesn't infect any files, partition or boot sector.
3) Fire hooks INT 24h when destroying data so that I/O errors (such as write protect) are omitted.


Flip

Virus Name: FLIP

Virus Type: Multi-partite Virus (Infects all programs being used, either .EXE or .COM., when the .COM file's original length <= 63,046 (F646h) bytes.

Virus Length: 2672 bytes

Interrupt Vectors Hooked: INT 21h

Infection Process: Variable

1. Infection of a clean system by an infected program.

When an infected program is executed in a clean system, the virus copies itself in the last side of the last cylinder, from the 5th last sector to the 1st last sector. The virus will reduce the DOS boot sector at offset 0x13h (number of logical sectors) by 6. Finally, Flip writes the virus body to the partition sector.

2. Infection through an infected disk.

If a PC is booted from an infected disk, the infection will completely spread. The boot code, previously overwritten by the virus on the disk partition sector, reads the main core of the virus from the last 5 sectors to the last 1 sector. It loads as a TSR in RAM, occupying 3 Kb of the higher part of system memory. Once installed as a TSR, Flip takes control of Int 1Ch (Timer Interrupt) to verify, with a frequency of 18.2 times per second, if the DOS COMMAND.COM is loaded. If DOS is present, the virus restores the timer and takes control of Int 21h.

Damage: Loss of data stored in the 6th last to 1st last sectors of the disk.

Symptoms: Virus turns screen display upside down (rotates 180 degrees). File sizes increase by 2153 bytes

Notes: To avoid detection by anti-virus programs when it is modifying the partition sector that hooks int 01h, the Flip virus turns
on a single step flag to get the original entry of DOS hooked on INT 13h. The virus then moves itself to the top of the MCB (memory control block),
where it decreases available memory by 2672 (A70h) bytes. It hooks Int 21h with the same method it uses for INT 13h, and then runs the original program.


Flip-B

Virus Name: Flip-B

Virus Type: File and Partition Table Infector Virus

Virus Length: 2153 bytes

PC Vectors Hooked: INT 21h, INT 24h, INT 1Ch

Executing Procedure:
1) When you execute a file infected by Flip-B, the virus checks to see whether Sector #1 on the hard drive is infected. If it is not, Flip-B infects it.
2) If the virus fnds that it is not already resident in memory, it loads itself by hooking INT 21h and INT 1Ch.
3) It infects files when they are executed.

Damage: You may not be able to boot up the machine from the hard disk.

Detection Method: Infected files increase in size by 2153 bytes.

INT 1Ch: Detects whether INT 21h is constantly hooked by another program.

Notes: Flip-B hooks INT 24h when infecting files, omitting I/O errors such as write protect.


Friday the 13th

Virus Name: Friday the 13th

Aliases: Virus 1813, Israelian, Jerusalem

Virus Type: File Infector Virus

Virus Length: Approimately 1813 bytes

PC Vectors Hooked: Int 21

Executing Procedure:
1) If the virus finds that it is not already resident in memory it loads itself by hooking INT 21h.
2) It then executes the original file.
3) Once it's loaded into resident memory it infects any uninfected file that is executed.

Damage: In the year 1987, the virus did no damage. However, on Friday the 13th each year (except 1987) the virus deletes every program executed. On all other days (except in 1987), the virus spreads. About half an hour after the virus is loaded in memory, it scrolls up by two lines a small window with coordinates (5, 5), (16, 16) and slows down computer speed. Delay loop repeats 18.5 times per second.

Detection Method: Increases the infected file length by 1813 bytes.

Notes: Loads itself as resident in memory. An error message appears if an I/O error (such as write protect) occurs.


Fam-1

Virus Name: FAM1

Aliases: None

Virus Type: File Infector Virus

Virus Length: 1063 bytes

Executing Procedure:
1) If FAM1 finds that it is not already resident in memory, it loads itself by hooking INT 21h.
2) It then executes the original file.
3) Once it's loaded into resident memory it infects any uninfected file that is executed.

Damage: None.

Detection Method: Increases infected file size by 1036 bytes. This occurs only with the MONO display card.

Notes:
1) Resident in memory.
2) An error message appears if an I/O error (such as write protect) occurs.


Findm-608

Virus Name: Findm-608

Virus Type: Parasitic Virus (.COM files)

Virus Length: 608-623 bytes

PC Vectors Hooked: None

Executing Procedure:
Findm-608 searches for uninfected .COM files in the current directory and infects those it finds.

Damage: None

Detection Method: Infected files increase in size by 608-623 bytes.

Notes:
1) The virus was badly writtten so most of the infected files can not be executed normally.
2) Non memory resident.
3) When infecting files, the virus does not hook INT 24h. An error message appears when I/O errors occur.


Findm-695

Virus Name: Findm-695

Virus Type: Parasitic Virus (infects .COM files)

Virus Length: 695-710 bytes

PC Vectors Hooked: None

Executing Procedure:
Searches the current directory for uninfected .COM files and infects those it finds.

Damage: None

Detection Method: Infected files increase in size by 695-710 bytes.

Notes:
1)The infecting part of the virus was badly written so most of the infected files can not be executed normally.
2) Non memory resident.
3) When infecting files, the virus does not hook INT 24h.  An error message will appear when I/O errors occur.


FR-1013

Virus Name: FR-1013

Virus Type: Parasitic Virus (infects .COM and .EXE files)

Virus Length: 1013 - 1028 bytes

PC Vectors Hooked: INT 21h

Executing Procedure:
1) If FR-1013 finds that it does not already reside in memory, it hooks INT 21h, installs itself as memory resident and then executes the host program.
2) If FR-1013 finds that it already resides in memory, it executes the host program directly.

Infecting Procedure:
The virus infects files through AH=4B in INT 21h. When an uninfected program is executed, it becomes infected.

Damage: None

Detection Method: Detectable if the files increase by 1013-1028 bytes.

Notes:
The virus does not hook INT 24h. An error message appears when I/O errors occur.


Fattable

Virus Name: Fattable

Virus Type: Parasitic Virus

Virus Length: 6542 bytes

PC Vectors Hooked: None

Executing Procedure:
1) Fattable searches for a '*.*' file in the current directory and then creates a file of the same name to overwrite the original. The new file is 15 bytes long, and contains "FAT TABLE ERROR."(text file). The virus continues to search and infect until all the files in the current directory are overwritten.

Notes:

1) Non memory resident.

2) The virus does not hook INT 24h when infecting files. An error message appears when I/O errors occur
.


Fri-13D

Virus Name: Fri-13-D

Virus Type: File Infector (.COM files)

Virus Length: 416 bytes

Executing Procedure: When an infected program is executed,  Fri-13D infects all .COM files but the COMMAND.COM file on the current directory (it will not reinfect the same file). If the current system date is a Friday the 13th, the .COM files delete themselves and then go back to the original routine.

Damage: An infected program will delete itself when you run it on a Friday coincident with the 13th day of the month.

Detection Method:
1) Date and time of infected files are changed.
2) Infected files will increase in size by 416-431 bytes.


Filler

Virus Name: Filler

Virus Type: File Infector

Executing Procedure:
While it is being executed, Filler writes some rubbish into some sectors on A diskette. It does no other damage.

Damage: Destroys some sectors on A disk (from 0 side, 28 track, 1 sector, damages 8 sectors).


Flower

Virus Name: Flower

Virus Type: File Infector (.EXE files)

Virus Length: 883 bytes

Executing Procedure:
Flower first decodes its encoded section.
2) If the current date is November 11, Flower destroys the original program and goes back to run the original routine.
3) On other dates, it searches for the first uninfected program on the current directory and infects it.
4) It next searches for the first uninfected program on a root subdirectory and infects the one it finds, then goes back to run the original routine.

Damage: When the virus breaks out, it will attach a little procedure to the original procedure to display a message (An English poem whose title is "FLOWER"). Then it destroys the original procedure by overwriting its front data.

Notes:
Date of infected files does not change but its time changes because the virus encoses the time to verify that this file is infected.


FVHS

Virus Name: Fvhs

Virus Type: File Infector (.COM and .EXE  files)

Executing Procedure:
Infects all uninfected .COM and .EXE files on current and parent directories. It can infect three files at a time.

Damage: It overwrites the original files with virus code.

Notes:
1) Does not stay resident in memory.
2) An error message will appear when you write because INT 24h has not been hanged.


Freddy

Virus Name: Freddy

Virus Type: File Infector (.COM and .EXE  files)

Virus Length: 1870-1880 bytes

Executing Procedure:
1) If, after checking, Freddy finds that it is not already resident in memory, it will stay resident in high memory, then hook INT 21h and go back to  the original routine.

Vectors Hooked: INT 21H(AH=4Bh) to infect files. If the program to be executed is an uninfected .COM or .EXE file, Freddy proceeds to infect it. It sometimes searches concurrently for other uninfected files to infect.

Damage: None

Notes: You will see an error message when writing because INT 24h has not been hanged.

Detection Method: Infected file size increases by 1870 to 1880 bytes.


Fame

Virus Name: Fame

Virus Type: File Infector (.EXE files)
 
Virus Length: 896 bytes

Executing Procedure:
If, after checking, Fame finds that it is not resident in memory, it will stay resident in high memory, then hook INT 21h and go back to the original routine.

Vectors Hooked: Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to prevent divulging its trace when writing. If the program to be executed is an uninfected .EXE file, Fame proceeds to infect it.

Damage: None

Detection Method: Infected file size increases by 896 bytes.


Fax Free

Virus Name: FAXFREE

Virus Type: Infects .COM and .EXE files between 32 and 131,072 bytes long on the Partition record.

Virus Length: 3 Kb

Interrupt Vectors Hooked: INT 21h

Infection Process:
This virus can spread when you execute an infected program or boot the system with an infected disk. There are several methods of infection.

When an infected program is executed in a clean system, the virus first
removes the contents of the original partition sector of the hard disk to
the last sector of the last side of the last cylinder. Then the virus
copies itself in the last side of the last cylinder, beginning from the 9th
last sector to the 6th last sector. These sectors are not marked as "bad
sectors" and get overwritten by the virus.

Damage: Hangs the system. Infected files will increase in length by 2048 bytes.

Symptoms: When the virus wants to replace the original partition sector, it needs
to decrypt some data which, after decryption, display the text string "PISello tenere
fuori dalla portata dei bambini. PaxTibiQuiLegis.FaxFree!!"

Notes: This virus doesn't infect files named as :

"*AN.???" , "*OT.???" or "*ND.???"

If the system date is between the 25th and 30th of April, the virus will hang
the system.

The virus uses a smart technique to avoid anti-virus Detection programs.
When modifying the partition sector that is hooking int 01h, it will turn
on a single step flag to get the original entry of DOS hooked. The virus
then moves itself to the top of the MCB (Memory Control Block), and
there decreases available memory by 3Kb. Fianlly, it hooks Int 13h and
Int 21h and then run the original program.



Fish 1100

Virus Name: Fish-1100

Virus Type: File Infector (.COM files)

Virus Length: 1100 bytes

Executing Procedure: If, after checking, the virus finds that it is not resident in memory, it will stay resident in high memory, then hook INT 21h and go back to the original routine.

Vectors Hooked: Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to prevent divulging its trace when writing. If the program to be executed is an uninfected .COM file, the virus proceeds to infect it.

Damage: None

Detection Method: Infected file size increases by 1100 bytes.


Fish 2420

Virus Name: Fish-2420

Virus Type: File Infector (.COM files)

Virus Length: 2420 bytes

Executing Procedure: If, after checking, the virus finds that it is not resident in memory, it will stay resident in high memory, then hook INT 21h and go back to the original routine.

Vectors hooked: Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to prevent divulging its trace when writing. If the program to be executed is an uninfected .COM file, the virus proceeds to infect it.

Damage: None

Detection Method: Infected file size increases by 2420 bytes.


Flagyll

Virus Name: Flagyll

Virus Type: File Infector (.EXE files)

Executing Procedure: If, upon checking, the virus finds that it is not resident in memory, it will stay resident in high memory, then hook INT 21h and go back to the original routine.

Vectors hooked: Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed is an uninfected .EXE file, the virus proceeds to infect it.

Damage: It will overwrite original files with a virus code.

Notes: You will see an error message when writing because INT 24h has not been hanged.


Finnish-357

Virus Name: Finnish-357

Virus Type: File Infector (.COM  files)

Virus Length: 709 bytes

Executing Procedure: If, after checking, the virus finds that it is not resident in memory, it will stay resident in high memory, then hook INT 21h.If the COMMAND.COM file that booted up the system has not been infected, Finnish-357 infects it and then goes back to the original routine.

Vectors Hooked: Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed is an uninfected .COM file, the virus proceeds to infect it.

Detection Method: Infected file size increases by 709 bytes.


Fob


Virus Name: Fob

Virus Type: File Infector (.COM files)

Virus Length: 1750-1950 bytes

Executing Procedure: Fob searches for an uninfected .COM file on current directory, then infects it (infects only one file at a time). There is a 50% chance that virus will display a message asking the user to input the word "SLOVAKIA." The virus program will wait until the user inputs this word and then terminates the program.

Damage: None

Notes:
1) It does not stay resident in memory.
2) You will see an error message when writing because INT 24h has not been hanged.

Detection Method: Infected files will ask the user to input words like "SLOVAKIA", and does not end until user has done so.

 


Freddy.2.1

Virus Type : File Virus

Other Name :

Virus Length :

Place of Origin :

Int. Vectors Hooked : Int 21h

Infection Procedure:

The virus encrypts a data to 11D2:0059h to 937h reading : "COMMAND.COM *.COM *.EXE Freddy KRueGer 2.1 Hi Fridrik!", thus copying data from 11D2:0059 to 114D:0 to 13FFh, hooking interrupt 21. The virus infects Command.com, COM and EXE files. When the virus is loaded it hangs because it searches for the host to infect it. Infecting the host, it destroys the file.

 

 


Fich-1

Virus Type : File Virus

Other Name :

Virus Length :

Virus Infect Type : COM files

including COMMAND.COM

Place of Origin :

Virus Memory Type : MCB Type

Int. Vectors Hooked : Int 21h

Infection Procedure:

The virus is a TSR program. After the virus is executed it immediately infects COMMAND.COM. Then it waits for another file to be executed to infect it. This virus only infects COM files. When one uninfected file is executed another COM file will be infected. Also, the virus doesn't re-infect infected files. Before the virus loads itself to memory, it checks first whether the virus is already in the memory.

Note :

The virus makes a smart move by hooking int 1 and 3 to fool the one debugging it.