Grunt 2

Virus Name: Grunt2

Virus Type: File Infector Virus (.COM files)

Virus Length: 427 bytes

PC Vectors Hooked: None

Executing Procedure:
1) Searches for an uninfected .COM file in the current directory and, when it finds one, infects it. It will infect only one file at a time.
2) If, upon checking, Grunt2 finds that the system date is September 3 and later than 1993, it will delete a file on the current disk and then display the screen message "S[GRUNT-2] -=> Agent Orange '92 ."<=- Rock of the Marne Sir!.......".

Damage: If system date is September 3 and later than 1993, the virus will delete a file from the current disk.

Detection Method: Infected file size increases by 427 bytes.


Notes:
1) It doesn't stay resident in memory.
2) GRUNT2 doesn't hook INT 24h when infecting files. An error message appears when I/O errors (such as write protect) occur.


Generic_408

Virus Name: Generic_408

Aliases: NYB, B1

Virus Type: Boot Sector Virus

Virus Length: N/A

Infection Procedure:
When the system is booted from an infected diskette, the virus infects the master boot record and loads itself into memory. While loaded, it infects any accessed, unprotected disks.

Damage: None known.


Generic_437

Virus Name: Generic_437

Aliases: Boot-437

Virus Type: Boot Sector Virus

This virus will only infect hard drives when you attempt to boot from an infected diskette. Once the virus has infected the hard drive, all unprotected floppies you use in the machine will be infected.

Unlike most other boot sector viruses (except Form), Boot-437 infects the DOS boot sector on hard drives instead of the Master Boot Record.


GreenCat

Virus Name: GreenCat

Aliases: Green Caterpillar, Green_Caterpillar.1575.A, Find, 1591, 1575

Virus Type: File Virus (.COM and .EXE files)

Virus Length: 1,991 to 2,005 bytes

Interrupt Vectors Hooked: INT 21h

Infection method: When an infected file runs, the virus loads itself in memory.

Damage: After a specified time period has elapsed, the execution of an infected file causes a green caterpillar to run across the screen, excreting the screen contents as it goes. There is no permanent damage.


Galileo

Virus Name: GALILEO

Virus Type: File Infector (.COM and .EXE files)

Virus Length: 760 bytes

Vectors Hooked: INT 24h

Executing Procedure:
1) If the system date is a Monday, Galileo will damage all files on the hard disk.
2) It searches for uninfected .COM and .EXE files in current directory and infects all of them.

Damage: If it is Monday, the virus will damage all files on the hard disk.

Detection Method: Infected file size increases by 760 bytes.

Notes:
1) Doesn't stay resident in memory.
2) Galileo hooks INT 24h when infecting files, thereby omitting I/O errors (such as write protect).


Gotcha

Virus Name: GOTCHA

Virus Type: Highest Memory Resident, File Infector Virus (.COM and .EXE files).

Virus Length: 906 bytes

Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h

Infecting Procedure:
1) If, after checking, GOTCHA finds it is not resident in memory, it loads itself (into highest memory) by hooking INT 21h.
2) It then executes the original file.
3) Once it's loaded into resident memory it infects any uninfected file that is executed. It also infects when you rename a file, set file attributes, search for a matching file or delete a file.

Damage: None.

Detection Method: Infected file size increases by 906 bytes.

Notes: The GOTCHA virus hooks INT 24h when infecting files, thus omitting I/O errors (such as write protect).


Gotcha-2

Virus Name: GOTCHA-2

Virus Type: Highest Memory Resident, File Infector Virus (.COM and .EXE files)

Virus Length: 627 bytes (.COM), 527 bytes (.EXE)

Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h

Infecting Procedure:
1) If, after checking, GOTCHA finds it is not resident in memory, it loads itself (into highest memory) by hooking INT 21h.
2) It next executes the original file.
3) Once it's loaded into resident memory it will infect any uninfected file that is executed. Before it infects a file, it will check the file name.

Damage: None.

Detection Method: Infected .COM file size increases by 627 bytes and .EXE file size increases by 527 bytes.

Notes: The GOTCHA-2 virus hooks INT 24h and closes the "control_break" function when infecting files. It omits I/O errors (such as write protect).


Geoff

Virus Name: Geoff

Virus Type: Trojan Horse

Virus Length: 5952 bytes

Vectors Hooked: INT 24h

Executing Procedure:
1) Doesn't infect any file or partition or boot sector.
2) It begins by displaying the message "Search And Destroy Loading v1.0 Bringing The Best And Latest Warex....... Press [ENTER] to Start The Game."
3) It then destroys all data on all disks if the drives are ready.
4) Next, it displays the message " Hey Geoff You know what happened a few days ago? Some friend asked me to get rid of you,........ P.S. I have nothing personal against you! You just FUCKED with the Cold Brother and I had to take you down, again."

Damage: Destroys all data on all disks if the drives are ready.

Detection Method: Infected files will be 5952 bytes longer.

Notes:
1) Doesn't stay resident in memory.
2) Geoff hooks INT 24h when destroying files. It omits I/O errors (such as write protect).


Ghost-A

Virus Name: GHOST-A

Aliases: None

Virus Type: File Infector Virus

Virus Length: 330 bytes

Executing Procedure:
1) If, after checking, Ghost-A finds it is not resident in memory, it loads itself (into highest memory) by hooking INT 21h.
2) Next, it executes the original file.
3) Once loaded into resident memory it will infect any uninfected file that is executed.

Damage: The executed file will be deleted after the virus is resident in memory and the system date is a Friday. Then the virus halts the system.

Detection Method: It increases infected file size by 330 bytes.

Notes: Ghost-A loads itself as resident in memory. An error message appears when I/O errors (such as write protect) occur.


Gp 1

Virus Name: Gp1

Virus Type: Network Specific Virus

Virus Length: In .EXE files, 1557 bytes; in .COM files, 1845 bytes

Executing Procedure:
1) If, after checking, Gp-1 finds it is not resident in memory, it loads itself (into highest memory) by hooking INT 21h.
2) It next executes the original file.
3) Once it's loaded into resident memory it will infect any uninfected file that is executed.

Symptoms: If the virus is active in memory and if the first character on the command line is any letter other than "i", the virus removes itself from the operating memory (this will work only if the virus is the last TSR to change interrupt vector 21h) and displays the message "GP1 Removed from memory."

Damage: None. Gp1 is the only known LAN virus. This unique virus is a modification of the Jerusalem virus and was created for one special purpose: to penetrate Novell security features and spread inside the network. The virus does not contain any manipulation (if we do not count the monitoring of Novell LOGIN and the attempts to break the Novell security features).


Grunt-529

Virus Name: Grunt-529

Virus Type: Parasitic Virus (infects .COM files)

Virus Length: 529 bytes

PC Vectors Hooked: None

Executing Procedure:
1) Searches for an uninfected .COM file in the current directory and if it finds one, infects it. (Grunt-529 infects only one file each time.)
2) Regardless of whether an uninfected .COM file is found or not, if the system date is a Friday and later than 1993, the virus displays the message "Nothing like the smell of napalm in the morning!"

Damage: None

Detection Method: Detectable if file lengths increase by 529 bytes.

Notes:
1) Non memory resident.
2) When infecting files, the virus does not hook INT 24h. An error message appears when I/O errors occur.


Grog-31

Virus Name: Grog31

Virus Type: Parasitic Virus (infects .COM files)

Virus Length: 1200 bytes

PC Vectors Hooked: INT 21h and INT 24h

Executing Procedure:
1) If, after checking, Grog-31 finds it is not resident in memory, it loads itself by hooking INT 21h and executes the host program.
2) If it already resides in memory, the virus executes the host program directly, then, if the COMMAND.COM file on the boot is not infected, Grog-31 infects it and then executes the host program.

Infection Mechanism: Grog-31 infects files through AH=4B in INT 21h. When an uninfected program is executed, it becomes infected. Before infecting files, the virus hooks INT 24h first so that I/O errors are ignored.

Damage: None

Detection Method: Infected files increase in size by 1200 bytes.


Grunt-3

Virus Name: Grunt-3

Virus Type: File Infector (.COM files)

Virus Length: 473 bytes

Executing Procedure: Grunt-1 first decodes its later half section, then looks for an uninfected .COM or .EXE file on the current directory and all parent directories. If the system date is a Friday during 1993 or a later year, it will display the message "This is a hot LZ ... Eradicating the Enemy!" Otherwise, Grunt-3 infects the uninfected file. (It infects only one file a time.)

Damage: None

Notes:
1) The virus does not stay resident in memory.
2) The date and time of infected files do not change.

Detection Method: Infected file size will increase by 473 bytes.


Gorlovka

Virus Name: Gorlovka

Virus Type: Memory Resident, File Infector (.COM and .EXE files)

Vectors Hooked: Hooks INT 21H(AH=4Bh)

Executing Procedure:
If Gorlovka finds that it already resides in memory, it displays the message "Tracing mode has been destroyed." Otherwise, it will stay resident in high memory, hook INT 21h and then display the message "Tracing mode has been destroyed."

First, it hooks INT 24h to prevent divulging its trace when writing, then checks whether the program to be executed is an uninfected .COM or .EXE file. If it is, the virus proceeds to infect it. Finally, the virus restores INT 24h.

Damage: It will overwrite original files with virus code.

Detection Method: When an infected file is executed, it will display the above message.


Gomb

Virus Name: Gomb

Virus Type: File Infector (.COM files)

Virus Length: 4093 bytes

Executing Procedure: If Gomb finds that it is not already resident in memory, it will stay resident in high memory. Then it hooks INT 21h and goes back to the original routine.

Vectors hooked: Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed is an uninfected .COM file, Gomb infects it.

Damage: None

Detection Method: Infected file size increases by 4093 bytes.


Ghost Player

Virus Name: GHOST PLAYER

Virus Type: Memory Block Resident (Infects .EXE files)

Virus Length: 1200 bytes

Interrupt Vectors Hooked: INT 21h

Infection Process: This virus is spread when an infected program is executed. If the DOS version is greater than 3 and the serial number of the default disk equals zero, GHOST PLAYER will execute the program. Otherwise it stays resident at the top of the MCB (memory control block) but below the DOS 640k boundary. The available free memory will decrease by 1200 (4B0H) bytes.

Damage: It decreases available free memory.

Symptoms: If a random value is equal to FF00, the virus displays the message " ! y Bumpy~ (R) Ghost Player" and the screen shakes up and down.

Notes: GHOST PLAYER doesn't infect files named:

"TB*.???", "F-*.???", "CP*.???", "NA*.???", "SC*.???", "CL*.???" or "V*.???".




Gold Bug

Virus Name: GOLD-BUG

Virus Type: SBERaRbReX - Spawning Color Video Resident and Extended HMA, Memory Resident Boot-Sector and Master-Sector Infector

Virus Length: 1,024 bytes

Interrupt Vectors Hooked: INT 21h, INT 13h

Infection Process: GOLD-BUG is a memory-resident, multipartite, polymorphic, stealthing, boot-sector spawning, anti-antivirus virus that works with DOS 5 and DOS 6 in the HIMEM.SYS memory. When an .EXE program infected with GOLD-BUG is run, it determines if it is running on an 80186 or better. If it isn't, it will terminate and not install. If it is on an 80186 or better, it will copy itself to the partition table of the hard disk and remain resident in the HMA (High Memory Area) if the HMA is available (i.e., DOS=HIGH in the CONFIG.SYS file, or else no infection will occur). The old partition table is moved to sector 14 and the remainder of the virus code is copied to sector 13. The virus then executes the spawned associated file, if it is present. INT 13 and INT 2F (but not INT 21) are hooked at this time. The spawning feature of this virus is not active now.

Damage: The GOLD-BUG virus also has an extensive anti-antivirus routine. It writes to the disk using the original BIOS INT 13 and not the INT 13 chain that these types of programs have hooked into. It hooks into the bottom of the interrupt chain rather than changing and hooking interrupts. If the GOLD-BUG virus is resident in memory, any attempts to run most virus scanners will be aborted. GOLD-BUG stops any large .EXE file (greater than 64k) with the last two letters in the range "AN" to "AZ". It will stop SCAN.EXE, CLEAN.EXE, NETSCAN.EXE, CPAV.EXE, MSAV.EXE, TNTAV.EXE, etc. The SCAN program will either be deleted or an execution error will return. Also, GOLD-BUG will cause a CMOS checksum failure to occur the next time the system boots. GOLD-BUG also erases "CHKLIST.???" created by CPAV.EXE and MSAV.EXE. Programs that do an internal checksum on themselves will not detect any changes.

Symptoms: CMOS checksum failure. Creates files with no extension. The modem answers on the 7th ring. Most virus scanners fail to run or are deleted. And CHKLIST.??? files are deleted.

Notes: The GOLD-BUG virus is also polymorphic. Each .EXE file it creates has only 2 bytes that remain constant. It can mutate into 128 different decryption patterns. It uses a double decryption technique that involves INT 3, making it very difficult to decrypt using a debugger. The assembly code allows for 512 different front-end decrypters. Each of these can mutate 128 different ways.


Gold


Virus Name: Gold

Virus Type: File Infector (.COM and .EXE files)

Virus Length: 612 bytes

Executing Procedure: If Gold finds that it is not already resident in memory, it will stay resident in high memory, then hook INT 21h and return to the original routine.

Vectors Hooked: Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed is an uninfected .COM or .EXE file, Gold proceeds to infect it. After it has infected the file, there is a 50% chance that the virus will return to the original routine. Otherwise, the virus will display random characters and end without executing the original routine.

Damage: None

Notes: You will see an error message when writing because INT 24h has not been hooked.

Detection Method: Infected file size increases by 612 bytes.


Ginger.2774

Virus Type : File Virus

Other Name :

Virus Length :

Place of Origin :

Virus Memory Type : OS Memory Type

after rebooting=High Mem.

Int. Vectors Hooked : Int 21h, 13h

Infection Procedure:

The virus is an OS type, hooking int 13 and 21h. The virus infects the boot record first, so when the machine is reset, the virus will be loaded in the high memory. From there it will infect. It allocates 4096 bytes in the memory. The problem is whenever the virus is executed and the machine is reset, after rebooting, the keyboard doesn't work due to the use of Int 15h. Because of this no infection will occur.