Twin Peak

Virus Name: Twin-Peak

Virus Type: File Infector Virus (infects .COM files)

Virus Length: No change

PC Vectors Hooked: None

Executing Procedure:
1) Search for a .COM file in the current directory.
2) Check to see whether it has been infected by TWIN-PEAK. If it has, continue to look for any uninfected .COM file.
3) It infects only one file at a time.

Damage: Overwrites original file, so the length of an infected file won't increase.

Note:
1) Doesn't stay resident in memory.
2) TWIN-PEAK doesn't hook INT 24h when infecting files.
3) Error message occurs if there is an I/O error (such as write protect).


Telecom

Virus Name: Telecom

Alias Name: Telefonica

Virus Type: File Virus

Virus Length: 3,700 bytes

Description: This virus infects *.COM files

When an infected file is executed, the virus installs itself into memory. Total available memory will have decreased by 3,984 bytes.

Once the virus is memory resident, it will infect *.COM files that are larger than 1,000 bytes when they are executed. Infected files will increase in size by 3,700 bytes. Date and time information of infected files will be altered with 100 being added to the year.


Tequila

Virus Name: Tequila

Alias Name: Stealth

Virus Type: File Virus

Virus Length: 2,468 bytes

Description: This virus infects *.EXE files as well as boot sectors.

Interrupt vectors hooked: INT 13h, INT 21h.

Infection method: The first time an infected file runs, the virus infects the master boot record. When the system is booted from the infected hard disk, the virus loads itself in memory. While loaded, it infects any .EXE file that executes. The DOS CHKDSK program will show a "total bytes memory" decrease of 3,072 bytes. Infected .EXE files increase by 2,468 bytes. The virus won't infect files starting with "V" or "SC."

Damage: Several months after the initial infection, the virus becomes active. Each month afterward, if an infected program is run on the same day of the first infection, a graphic and this message will be displayed.

Welcome to T.TEQUILA'S latest production.
Contact T.TEQUILA/P.o.Box 543/6312
St'hausen/Switzerland
Loving thoughts to L.I.N.D.A
BEER and TEQUILA forever !

Note: The virus hides the infected partition record and increases the size of infected files.


Traveller

Virus Name: Traveller

Alias Name: Bupt

Virus Type: File Virus

Virus Length: 1,220 to 1,237 bytes

Description: This virus infects *.COM and *.EXE files as well as COMMAND.COM.

When an infected file is executed, the virus installs itself into memory. Total available memory will have decreased by 1,840 bytes.

Once the virus is memory resident, it will infect *.COM and *.EXE files when they are executed. This virus will also infect when the DIR command is used. Infected files will increase in size by 1,220 to 1,237 bytes, with the virus located at the end of the infected file. Date and time information of infected files will not be altered.

The following text string can be found in the virus:
"Traveller (C) BUPT 1991.4"
"Don't panic I'm harmless <<---!!!!!!!" "*.* COMEXE"


Trivial

Virus Name: Trivial

Alias Name: Minimal, Mini-45

Virus Type: File Virus

Virus Length: 45 bytes

Description: This virus infects *.COM files as well as COMMAND.COM.

When an infected file is executed, the virus will infect all *.COM files in the same directory. The first 45 bytes of infected files will be overwritten by the virus. The date and time information of infected files will be updated to the time of infection.

All infected files will be permanently corrupted.


Torm 263

Virus Name: Torm-263

Virus Type: File Infector Virus (infects .COM files)

Virus Length: 263 Bytes(COM)


PC Vectors Hooked: None

Executing Procedure:
1) Searches for a .COM file in the current directory.
2) It then checks whether it has been infected by TORM-263. If it has, it continues to look for any uninfected .COM files.
3) It then infects all uninfected files in the directory.
4) Finally, it executes the original file.

Damage: None

Detecting Method: Infected files will increase by 263 Bytes.

Note:
1) Doesn't stay resident in memory.
2) TORM-263 doesn't hook INT 24h when infecting files.
3) Error message occurs if there is an I/O error (such as write protect).


Timid

Virus Name: Timid

Virus Type: File Infector Virus (infects .COM files)

Virus Length: 306 Bytes(COM)

PC Vectors Hooked: None

Executing Procedure:
1) Searches for a .COM file in the current directory.
2) Once it locates a file, it checks whether it has been infected by Timid. If it has, it continues to search for an uninfected .COM file.
3) It then infects one file at a time and displays the infected file name on the screen.
4) Once the file is executed, the system will halt.

Damage: Damages original files.

Detecting Method:
1) Infected files will increase by 306 Bytes.
2) Other file names are shown on the screen.

Note:
1) Doesn't stay resident in memory.
2) Timid doesn't hook INT 24h when infecting files.
3) Error message occurs if there is an I/O error (such as write protect).


Trash

Virus Name: TRASH

Other names: None

Virus Type: Boot Strap Sector Virus

Virus Length: 1241 bytes.

Damage: Virus will overwrite the Partition Table.

Detecting Method: The virus will not infect any files. It will display the following message: "Warning!!! This program will zero (DESTROY) the master boot record of your first hard disk. The purpose of this is to test the antivirus software, so be sure you have installed your favorite protecting program before running this one! It's almost certain that it will fail to protect you anyway. Press any key to abort, or press Ctrl-Alt-Right Shift- F5 to proceed at your own risk." Virus will proceed to overwrite the Partition Table if user presses "Ctrl-Alt-Right Shift- F5."


Taiwan

Virus Name: Taiwan

Other names: None

Virus Type: File Infector Virus

Virus Length: .EXE 1300-1503 bytes

Executing Procedure:
1) The virus checks if it is resident in memory. If not, it loads itself into resident memory by hooking INT 21h.
2) It then executes the original file.
3) Once loaded into resident memory, it will infect any uninfected file that is executed.

Damage: This virus has several variants. While some variants have no damage routine, some will slow down the system performance and variants of the Mummy virus will have a Random Number counter. When the counter reaches zero, the virus will overwrite the first part of the hard disk and cause severe data loss.

Detecting Method: Increases infected file size by 1300-1503 bytes. The virus occasionally hangs the system when the virus is resident in memory. Encrypted text strings inside the virus code appear as follows: "Mummy Version x.xxx", "Kaohsiung Senior School", "Tzeng Jau Ming presents", "Series Number=[xxxxx]."

Note:
1) Loads itself resident in memory. An error message occurs if there is an I/O error (such as write protect).


Tiny-143

Virus Name: Tiny-143

Virus Type: Memory Resident (OS), COM File infector

Virus Length: 143 bytes

Executing Procedure:
1) Checks whether it is in resident memory. If not, it will copy itself to absolute address 0060:0000h.
2) Then it hooks INT21h and goes back to the original routine.

Vectors hooked:
1) Hooks INT 21H(AH=4Bh) to infect files.
2) If the program to be executed is an uninfected COM file, the virus proceeds to infect it.

Damage: None

Detecting Method:
1) Date and time of infected files are changed.
2) Infected file sizes increase by 143 bytes.


Tiny-124

Virus Name: Tiny-124

Virus Type: Memory Resident(OS), COM File infector

Virus Length: 124 bytes

Executing Procedure:
1) Checks if it is in resident memory. If not, the virus copies itself to absolute address 0050:0103h.
2) Then it hooks INT21h and goes back to the original routine.

Vectors hooked:
1) Hooks INT 21H(AX=4B00h) to infect files.
2) If the program to be executed is an uninfected COM file and its first byte is not E9h, the virus proceeds to infect it.

Damage: EXE files are destroyed because the head of the file is subsequently damaged.

Note: Some interrupts cannot run correctly because the virus resides in the interrupt vector area.

Detecting Method:
1) Date and time of infected files are changed.
2) Infected file sizes increase by 124 bytes.


Troi-2

Virus Name: Troi2

Virus Type: Memory Resident(OS), EXE File infector

Virus Length: 512 bytes

Executing Procedure: Checks whether the current date is before 5/1/1992. If it is, it returns to the original routine directly. Otherwise, it checks whether it is residing in memory. If not, the virus copies itself to absolute address 0000:0200h (the interrupt vector area), hooks INT 21h and goes back to the original routine.

Vectors hooked:
1) Hooks INT 21h to check whether it is residing in memory.
2) Hooks INT 21H (AH=4Bh) to infect files. If the program to be executed is an uninfected EXE file, the virus proceeds to infect it.

Damage: None

Note: Date and time of infected files do not change.

Detecting Method: Infected file sizes increase by 512 bytes.


Tver

Virus Name: Tver

Virus Type: Memory Resident(OS), COM File infector

Virus Length: 308 bytes

Executing Procedure:
1) Checks whether it is residing in memory.
2) If not, the virus copies itself to absolute address 0000:0200h (the area of interrupt vectors), hooks INT 21h and goes back to the original routine.

Vectors hooked:
1) Hooks INT 21h to check whether it is residing in memory.
2) Hooks INT 21H (AH=4Bh) to infect files. If the program to be executed is an uninfected COM file and its first byte is E9h, the virus proceeds to infect it.

Damage: None

Note: Many infected files' first byte is E9h. In most cases, the virus corrects each file's first byte if it is not E9h.

Detecting Method:
1) Date and time of infected files are changed.
2) Infected file sizes increase by 308 bytes.


T-1000

Virus Name: T-1000

Virus Type: COM File infector

Virus Length: 128 bytes

Executing Procedure:
1) It first decodes the latter half of its own code, then infects all COM files in the current directory.
2) The method of infection is: it gets the system time and encodes it with its original procedure, then overwrites the file's first 128 bytes with virus code. If the file is shorter than 128 bytes, it will be 128 bytes after being infected. Otherwise, its size does not change.

Damage: It will overwrite the first 127 bytes of original files with virus code, so the original files are destroyed.

Detecting Method: Date and time of infected files changed.


The Silence of the Lamb!

Virus Name: The Silence Of The Lamb!

Virus Type: Memory resident, COM File infector

Virus Length: 555 bytes

Executing Procedure:
1) Checks whether it is still in the last memory block.
2) If not, it will stay resident in high memory and return to the original routine.
3) The method of infection is: First, encode first 200h bytes of original file and attach them and decoded codes to the end of the file. Then encode virus code and write them into first 200h bytes of the file.

Vectors hooked:
1) Hooks INT 21H(AH=4Bh) to infect files.
2) First, it hooks INT 24h to avoid revealing itself when writing, then checks whether the program to be executed is an uninfected COM file (length between 0400h and FA00h bytes). If it is, the virus infects it. Finally, the virus restores INT 24h.

Damage: None

Note: Date and time of infected files do not change.

Detecting Method:
1) Call INT21h (AH=2Dh,CH=FFh,DH=FFh) to return value AH. If AH=00h, memory has been infected. If AH=FFh, memory has not been infected.
2) If word at address 0002 of COM file is 5944h, memory has been infected.
After the virus code has decoded, there is text in the address from 01E6h to 01EFh. The text is "The Silence Of The Lamb!$".
3) Total memory decreases by 1568 bytes.


Terminal

Virus Name: Terminal

Virus Type: EXE & COM File infector

Virus Length:

Executing Procedure: Virus searches for an uninfected EXE file in the current directory of drive C, then infects it.

Damage: It will overwrite original files with a virus code. Original files are destroyed.

Note:
1) Does not stay in memory.
2) You will see an error message when writing because INT 24h has not been hooked.
3) This virus is written in a high-level language.
4) This virus is encrypted by a program like PKLITE. Although it has a pattern, we cannot scan it.


Triple Shot

Virus Name: Triple-shot

Virus Type: EXE File infector

Virus Length: 6610

Executing Procedure:
1) Searches for an uninfected EXE file in the current directory and creates a new hidden COM file with the same name as the EXE file.
2) This new COM file is the virus. Its length is 6610 bytes.

Damage: None

Note:
1) Does not stay in memory.
2) You will see an error message when writing because INT 24h has not been hooked.

Detecting Method: Checks whether the file's length is 6610 bytes.


Thule

Virus Name: THULE

Virus Type: Virus infects .COM files shorter than 61,054 bytes. Virus is memory resident.

Virus Length: 309 bytes in infected COM files and 68 bytes in memory.

Interrupt Vectors Hooked: INT 21h.

Infection Process:
1) This virus will move virus code to 0:200h-0:243h and hook int 21h in order to delete a file named "THULE.COM."
2) When DOS changes the current directory, it will try to open "THULE.COM" in the current directory. When found, this file will be deleted.

Damage: The file named "THULE.COM" will be deleted.

Symptoms: Increased file sizes. A file is deleted.


Topa 1.20

Virus Name: TOPA 1.20

Virus Type: Virus infects .COM files between 2712 and 60000 bytes. Infects .EXE files between 5424 and 524288 bytes. Virus is memory resident.

Virus Length: EXE files: 2456 - 2471 bytes and COM files: 2456 bytes. 5536 bytes in memory.

Interrupt Vectors Hooked: INT 1Ch and INT 21h.

Infection Process:
1) When a TOPA_1.2 infected program is executed, it will check to see if AX= 4290h in INT 21 and return AX = 9047 to indicate it is already resident in memory.
2) If it is in memory, it will execute the infected program. If it is not in memory, it will perform the following functions:
 A) It will change its memory allocation strategy to low memory's last fit, then stay resident at the MCB (memory control block). The available free memory will have decreased by 5536 (15A0H) bytes.
 B) Once the TOPA_1.2 virus is memory resident, it will hook int 1Ch and int 21h in order to infect files.

Damage: Decreased available memory.

Symptoms: Increased file sizes.


Topo

Virus Name: TOPO

Virus Type: Virus infects .EXE files shorter than 524288 bytes. Virus is memory resident.

Virus Length: EXE files: 1536 - 1552 bytes and 3616 bytes in memory.

Interrupt Vectors Hooked: INT 21h.

Infection Process: This virus is spread by executing an infected program. When a TOPO infected program is executed, first it will hook INT 3 then use this interrupt to deceive the virus body. The virus will then check to see if it is already resident in memory by checking to see if address 0:3feh contains the value 0011h. If the virus is already in memory, it will execute the infected program. The virus will not include file names such as "*AN.EXE" and "*LD.EXE", with '*' being a wild card.

Damage: Virus destroys diskette parameter (00:525h - 0:52Ch) and displays the following message: "R(etry), I(gnore), F(ail), or A(bort) ?"

Symptoms: Increased file sizes and the inability to read certain files. Decreased available memory.

Note: If the system date is the 25th or 26th of any month, the above message will be displayed.


TU-482

Virus Name: Tu-482

Virus Type: COM File infector

Virus Length: 482 bytes

Executing Procedure:
1) Checks whether it has stayed resident in memory. If not, it will stay resident in high memory.
2) Then it hooks INT 21h and goes back to the original routine.

Vectors hooked:
1) Hooks INT 21H(AH=4Bh) to infect files.
2) If the program to be executed is an uninfected COM file, the virus proceeds to infect it.

Damage: None

Note:
1) You will see an error message when writing because INT 24h has not been hooked.
2) When virus is executed, it will jump to the end of the program. It will then jump back to the beginning making it difficult to locate.

Detecting Method: Infected file sizes increase by 482 bytes.


Timemark

Virus Name: Timemark

Virus Type: EXE File infector

Virus Length: 1060-1080 bytes

Executing Procedure:
1) Checks whether it has stayed resident in memory. If not, it will stay resident in high memory.
2) Then it hooks INT 21h and goes back to the original routine.

Vectors hooked:
1) Hooks INT 21H(AH=4Bh) to infect files.
2) If the program to be executed is an uninfected EXE file, the virus proceeds to infect it.

Damage: None

Detecting Method: Infected file sizes increase by 1060-1080 bytes.


T-1000-B

Virus Name: T-1000-B

Virus Type: COM File infector

Virus Length:

Executing Procedure:
1) Virus searches for all uninfected COM files on current directory, then infects them (Infects only one file at a time).

Damage: It will overwrite original files with virus code. Original files are destroyed.

Note:
1) It does not stay resident in memory.
2) You will see an error message when writing because INT 24h has not been hooked.


Toys

Virus Name: Toys

Virus Type: COM & EXE File infector

Virus Length: 773 bytes

Executing Procedure:
1) Searches for uninfected COM files in the current directory, then infects them (Infects two files at a time).

Damage: None

Note:
1) It does not stay resident in memory.
2) You will see an error message when writing because INT 24h has not been hooked.

Detecting Method: Infected file sizes increase by 773 bytes.


Tankard

Virus Name: Tankard

Virus Type: COM File infector

Virus Length: 493 bytes

Executing Procedure:
1) Checks whether it has stayed resident in memory. If not, it will stay resident in high memory.
2) Then it hooks INT 21h and goes back to the original routine.

Vectors hooked:
1) Hooks INT 21H (AH=4Bh) to infect files.
2) First, it hooks INT 24h to avoid revealing itself when writing. If the program to be executed is an uninfected COM file, the virus proceeds to infect it.

Damage: None

Detecting Method: Infected file sizes increase by 493 bytes.


Trident

Virus Name: Trident

Virus Type: COM & EXE File infector

Virus Length: 2385-2395 bytes

Executing Procedure:
1) Checks whether it has stayed resident in memory. If not, it will stay resident in high memory.
2) Then it hooks INT 21h and goes back to the original routine.

Vectors hooked:
1) Hooks INT 21H(AH=4Bh) to infect files.
2) First, it hooks INT 24h to avoid revealing itself when writing.
3) Then when you type the "Dir" command (like DIR H*.*), the virus infects all uninfected COM & EXE files accessed through the "Dir" command.

Damage: None

Detecting Method: Infected file sizes increase by 2385-2395 bytes.


Tp39vir

Other Name: YANK-39

Virus Type: File Type Virus

Virus Length: Approximately, 2768 bytes.

Virus Memory Type:

INT Vectors Hooked: Int 21

Trigger: Triggers if time is 5:00 pm of any day. Plays a part of the song "Jack and Jill."

Run Directly: Loads virus code to high memory.

Infection Procedure:

Loads itself to high memory. Allocates 2896 bytes in memory. Moves 2768 bytes to memory. Infects *.COM and *.EXE files. Copies virus code to host program. Loads the virus first before running the host program.


Tanpro.5241

Virus Name: TANPRO

Virus Type: File Type Virus

Virus Length: Approximately 524 bytes

Virus Memory Type: High Memory

INT Vectors Hooked: Int 21, Int 27

Place of Origin:

Infection Procedure:

Uses TSR, Int 27. Allocates 3104 bytes (using MEM) of memory. Creates a hidden un-named file within the root directory with a size of 10000 bytes. Within the code is the string "This file is infected..." Executes this program, deletes it afterwards, then calls Int 27 to remain in memory for further infection of other files. Infects *.COM and *.EXE files. Copies virus code to host program, adding approximately 524 bytes. Loads the virus first before running the host program.

The virus, when resident in memory, will infect any executed *.COM and *.EXE files. It does not do anything special. It just replicates when it is resident in memory. Infects a file only if it is executed.

Damage:

Free memory decreases by approximately 3104 bytes. Increases file size. Adds approximately 524 bytes.

Symptom:

Delay in program execution due to virus activity.
Text string: "(c) tanpro'94" appears within the virus code.

Detection method:

Locate mentioned text string.


Tecla

Virus Name: BARR1303

Virus Type: Polymorphic type

Other Name: TECLA

Virus Length: 2051 bytes

Virus Infect Type: .COM and .EXE files

Trigger Condition: September 23

Virus Re-infect: No

Virus Memory Type: High Memory Resident

Place of Origin:

Int Vector Hooked: INT 16H, INT 21H, INT 24H

Infection Procedure:

The virus is a polymorphic type and infects both .COM and .EXE files. It adds 1303 bytes to an infected file. It first decrypts its code, which is attached to the host, using SUB 75H to each byte. It can be seen from the decrypted data area of the virus code string "SSta Tecla(MAD1)" which gives another name to the virus. It copies its program (1033 bytes) to the high memory, 9F9A:0100; thus, overlaps the video adapter memory. Once resident in the memory it checks if the date is September 23. If it is, then it activates its payload by hooking to INT 16H (change to vector 9F9A:017C) and changes the keyboard ASCII table. It increments all the unextended keyboard input by 1 ASCII character. Thus, a keyboard input of "A" will display "B", or an input of "." will display "/", and so on. Without the trigger date it still hooks to INT 21H by changing its vector to its program in the high memory 9F9A:016C to infect every loading and executing program. It also hooks to INT 24H and changes its vector to 9F9A:0107 which is seen to give no payload.

Damage:

Changes unextended keyboard input to an increment of 1 ASCII character.


Teraz.2717

Virus Type: File Type Virus

Virus Length: Approximately 2717 bytes

Virus Re-infect: Does not re-infect, infected file size is consistent

Virus Memory Type: Non Resident

INT Vectors Hooked: Int 21

Place of Origin:

Infection Procedure:

Directly infects *.COM and *.EXE files. Copies virus code to host program, adding approximately 2717 bytes. Loads the virus first before running the host program.

The virus, when executed, infects any executed *.COM and *.EXE files. It does not do anything special. It just replicates when it is resident in memory. Infects a file only if it is executed.

Damage:

Increase in file size. Adds approximately 2717 bytes.

Symptom:

Delay in program execution due to virus activity.


Three_Tunes

Virus Type:

Virus Length: Approximately 1784 bytes

Virus Re-infect: Does not re-infect, infected file size is consistent

Virus Memory Type: High Memory

INT Vectors Hooked: Int 21, Int 1C

Place of Origin:

Infection Procedure:

Loads itself to high memory. Allocates 2304 bytes (9F70:0000) of memory. Infects *.EXE files. Copies virus code to host program, adding approximately 1784 bytes. Loads the virus first before running the host program.

The virus, when resident in memory, will infect any executed *.EXE files. It does not do anything special. It just replicates when it is resident in memory. Infects a file only if it is executed.

Damage:

Free memory decreases by approximately 2304 bytes. Increase in file size. Adds approximately 1784 bytes.

Virus checks first if the current month is June using Int 21 (2A). If it is, it triggers the virus code; otherwise, it just exits the program. Then, the virus checks for the system time using Int 21 (2C). It has a special formula which it uses to specify which payload should be executed. There are 4 possible payloads which will be discussed later. But first, the formula:

Int 21 (2C):
Significant register CX,
Adds CH to CL and returns the sum to CL (Add CL,CH)
uses the AND boolean between CL,03 (And CL,03)
clears CH to 00 (XOR CH,CH)
compares CL to 4 possibilities (CMP CL,+03)

The virus uses this procedure to get 00, 01, 02 or 03 as the value of CL. Each value corresponds to a certain tune (03 doesn't have a tune to play). When the infected file is run, a specific tune is played depending on the time and the result of manipulating it. There are three tunes in total. Whichever tune is played, infection remains the same, even if it plays nothing.

Symptom:

Delay in program execution due to virus activity. Plays various tunes.


Trakia.1070

[TRAKIA.1070]

Virus Type: File Type Virus

Virus Length: Approximately 1076-1084 bytes

Virus Infect Type: Mutation Virus

Virus Memory Type: High Memory

INT Vectors Hooked: Int 21

Place of Origin:

Infection Procedure:

Loads itself to high memory. Allocates 1360 bytes (9FAB:0000) in memory. Moves 1357 (054DH) bytes to high memory. Infects *.COM and *.EXE files. Copies virus code to host program, adding approximately 1076 - 1084 bytes. Loads the virus first before running the host program.

This virus is a mutation virus. When an infected file is executed, it will search for *.COM and *.EXE files using Int 21 (4E & 4F), and will infect when DTA is set. It only infects files within the current directory.

Damage:

Free memory decreases. Increase in file size. Adds approximately 1076-1084 bytes.

Symptom:

Delay in program execution due to file search.

Text string: "Files Only (No symbols) .SYM - Load symbol file only. No extension - Load program & symbols" appears within the virus code.


Tremor-1

Virus Type: File Type Virus

Virus Length:

Virus Memory Type: High Memory

Place of Origin:

INT Vectors Hooked: Int 21, Int 15, Int 2F

Trigger Condition:

Checks if date is above April 13, or if the year is above or equal to 1993. If so it executes the virus code directly.

Infection Procedure:

Loads itself to high memory. Loads approximately 4272-4288 bytes in memory. Infects *.EXE files. Copies virus code to host program, adding approximately 4003 bytes. Loads the virus first before running the host program. While in memory, EXE files opened will be infected.

Virus checks for system date and time, after virus code is decrypted. The code then checks for the DOS version with the reason unknown. It continues by getting the process ID of the program, to enable itself to set the kind of allocation strategy it wants to do, Int 21 (58). After this, the virus checks for extended memory, Int 21 (43). If all needed requirements are set, it begins to modify memory allocation, Int 21 (4A). The virus code is then transferred to high memory, at a size approximately 4003 bytes. When in memory, the virus now sets the DTA to which it will copy its code.

Symptom:

Displays: "-=> T.R.E.M.O.R was done by NEUROBASHER
/May-June '92, Germany <=-
-MOMENT-OF-TERROR-IS-THE-BEGINNING-OF-LIFE-"

However, infected file runs normally. Increase in file size, and occupies memory space.

Detection method:

Decrypt virus code before detection.


Troj.1463

Virus Type:

Virus Length: Approximately 1463 bytes

Virus Memory Type: High Memory

INT Vectors Hooked: Int 21

Place of Origin:

Infection Procedure:

Loads itself to high memory after decryption. Allocates 3536 bytes (9F23:0100) in memory. Moves 1463 (05B7H) bytes to high memory. Does not actually infect files; instead it loads itself resident in high memory and disrupts the execution of files (see Damage below).

Damage:

When a source virus file is executed and the virus code is loaded in memory, two payloads can be detected.

1. COM files:

When *.COM files are executed while the virus is in memory, those files will not run.

2. EXE files:

When *.EXE files are executed while the virus is in memory, those files will not run, as happens with COM files. But this will only happen once. The second execution of an EXE file will result in the same display, but this time COMMAND.COM becomes invalid. The system becomes useless afterwards.

Note:

Executing a COM file will not suspend itself. But when an EXE file is executed after a COM file has been executed, the system will then suspend.

Symptom:

Text string: "Trojector II, (c) Armagedon Utilities, Athens 1992" appears within the decrypted code.


Troj.1561

Virus Type:

Virus Length: Approximately 1561 bytes

Virus Memory Type: High Memory

INT Vectors Hooked: Int 21

Place of Origin:

Infection Procedure:

Loads itself to high memory after decryption. Allocates 3744 bytes (9F16:0100) in memory. Moves 1561 (0619H) bytes to high memory. Does not actually infect any file, but the file executed will not run.

Damage:

While virus is resident in memory, files executed will not run.

Symptom:

Text string: "Trojector ]I[, (c) Armagedon Utilities, Athe@" appears within the decrypted code.


Tai-Pan.438.A

Virus Type: File Type Virus

Virus Length: Size of approximately 438 bytes.

Virus Memory Type: High Memory

INT Vectors Hooked: Int 21

Place of Origin:

Infection Procedure:

Loads itself to high memory. Loads approximately 512 bytes in memory. Infects *.EXE files. Copies virus code to host program, adding approximately 438 (01B6H) bytes. Loads the virus first before running the host program. While in memory, EXE files opened will be infected. The virus reacts ordinarily by allocating space in memory before infecting files, using Int 21 (48). Nothing extraordinary happens. It just attaches its code to the host program after it is loaded from memory.

Symptom: Free memory decreases. Increase in file size.

May display:

"[Whisper Presenterar Tai-Pan]"
which appears in the virus code.

Detection method: Look for the said display strings, and detect from there.


Tai-Pan.666

Virus Type: File Type Virus

Virus Length: Size of approximately 666 bytes.

Virus Memory Type: High Memory

INT Vectors Hooked: Int 21

Place of Origin:

Infection Procedure:

Loads itself to high memory. Loads approximately 710 bytes in memory. Infects *.EXE files. Copies virus code to host program, adding approximately 666 (029AH) bytes. Loads the virus first before running the host program. While in memory, EXE files opened will be infected. The virus reacts ordinarily by allocating space in memory before infecting files, using Int 21 (48). Nothing extraordinary happens. It just attaches its code to the host program after it is loaded from memory.

Symptom: Free memory decreases. Increase in file size.

May display:

"DOOM2,EXE. Illegal DOOM II signature"
"Your version of DOOM2.EXE matches the illegal RAZOR release of DOOM2"
"Say bye-bye HD"
"The programmer of DOOM II DEATH is in no way affiliated with ID Software."
"ID Software is in no way affiliated with DOOM II DEATH."

which appears in the virus code.

Detection method: Look for the said display strings, and detect from there.
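
The string-based detection described in the Traveller, Tanpro, Tecla and Tai-Pan entries, together with the offset-2 word check from The Silence of the Lamb! entry, written out as an added Python example that is not part of the original catalogue. It assumes the Tecla marker is stored with 75h added to each byte (the inverse of the SUB 75H the entry describes) and that "address 0002" means file offset 2; the function names and the sample buffer are constructed for illustration.

```python
import sys
from typing import List, Tuple

# (entry name, marker text quoted on this page, per-byte SUB key of the decryptor)
# Key 0 means the entry presents the text as readable in the file as-is.
MARKERS = [
    ("Traveller", b"Traveller (C) BUPT 1991.4", 0x00),
    ("Tanpro", b"(c) tanpro'94", 0x00),
    ("Tai-Pan.438.A", b"[Whisper Presenterar Tai-Pan]", 0x00),
    # Assumption: the decryptor does SUB byte,75h, so the stored byte is plain+75h.
    ("Tecla", b"SSta Tecla(MAD1)", 0x75),
]

# Word value the Silence Of The Lamb! entry gives for address 0002 of a COM file.
LAMB_WORD = 0x5944


def as_stored(plain: bytes, key: int) -> bytes:
    """Return the bytes as they would sit on disk before `SUB byte, key` runs."""
    return bytes((b + key) & 0xFF for b in plain)


def find_all(data: bytes, needle: bytes) -> List[int]:
    """Every offset at which needle occurs in data (overlaps included)."""
    offsets, pos = [], data.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(needle, pos + 1)
    return offsets


def scan(data: bytes) -> List[Tuple[str, int, str]]:
    """Return (entry, offset, form) hits, ordered by offset.

    form is "clear" for a readable marker (also what a memory image of a
    decrypted body would show) or "sub-75h" for the encoded on-disk form.
    """
    hits = []
    for name, plain, key in MARKERS:
        for off in find_all(data, plain):
            hits.append((name, off, "clear"))
        if key:
            for off in find_all(data, as_stored(plain, key)):
                hits.append((name, off, "sub-%02Xh" % key))
    return sorted(hits, key=lambda h: h[1])


def lamb_word(data: bytes) -> bool:
    """True if the little-endian word at file offset 2 equals 5944h.

    A two-byte match is weak evidence on its own; treat it as a reason to
    look closer, not as a verdict.
    """
    return len(data) >= 4 and int.from_bytes(data[2:4], "little") == LAMB_WORD


def build_sample() -> bytes:
    """Constructed test buffer (not a real sample): markers embedded in filler."""
    header = bytes([0xE9, 0x10, 0x44, 0x59]) + b"\x90" * 9      # 13 bytes
    return header + as_stored(b"SSta Tecla(MAD1)", 0x75) + b"pad" + b"(c) tanpro'94"


if __name__ == "__main__":
    targets = sys.argv[1:]
    if not targets:
        print(scan(build_sample()), lamb_word(build_sample()))
    for path in targets:
        with open(path, "rb") as fh:
            blob = fh.read()
        for name, off, form in scan(blob):
            print("%s: %s marker (%s) at offset %#x" % (path, name, form, off))
        if path.lower().endswith(".com") and lamb_word(blob):
            print("%s: word 5944h at offset 2" % path)
```

Strings the entries describe as encrypted without giving the method (Taiwan, Troj.1463, Troj.1561) are left out, since a plain search of the file would not find them.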