Lep-0736

Virus Name: Lep-0736

Virus Type: File Infector Virus (infects .COM & .EXE files.)

Virus Length: No change

PC Vectors Hooked: None

Executing Procedure:
1) Searches for uninfected .COM and .EXE files in the current directory and infects them (4 at a time).
2) It then outputs to the screen:"Program too big to fit in memory"

Damage: Overwrites the original files, so the length of the files won't increase.

Detecting Method:
1) Check for the erroneous screen message "Program too big to fit in memory."

Note:
1) Doesn't stay resident in memory.
2) LEP-0736 doesn't hook INT 24h when infecting files. Error message occurs if there is an I/O error (such as write protect).


Lct 762

Virus Name: Lct-762

Virus Type: File Infector Virus (infects .COM files)

Virus Length: 762 Bytes

PC Vectors Hooked: None

Executing Procedure:
1) Finds and infects all uninfected .COM files in the current directory.

Damage: None

Detecting Method: Infected files will increase by 762 Bytes.

Note:
1) Doesn't stay resident in memory.
2) LCT-762 doesn't hook INT 24h when infecting files. An error message occurs if there is an I/O error (such as write.)


Lep 562

Virus Name: Lep-562

Virus Type: File Infector Virus (infects .COM & .EXE files)

Virus Length: No change

PC Vectors Hooked: None

Executing Procedure:
1) Searches for uninfected .COM and .EXE files in the current directory and infects them (4 at a time).
2) It then outputs to the screen: "Program too big to fit in memory."

Damage: Overwrite the original files, so the length of the files won't increase.

Detecting Method:
1) Check whether the message: "Program too big to fit in memory" occurs on the screen.

Note:
1) Doesn't stay resident in memory.
2) LEP-562 doesn't hook INT 24h when infecting files. Error message occurs if there is an I/O error (such as write protect).


Les

Virus Name: Les

Virus Type: File Infector Virus (infects .EXE files)

Virus Length: 358 Bytes

PC Vectors Hooked: None

Executing Procedure:
1) Infects all uninfected .EXE files in the current directory.

Damage: None

Detecting Method: Infected files will increase by 358 Bytes.

Note:
1) Doesn't stay resident in memory.
2) LES doesn't hook INT 24h when infecting files. Error message occurs if there is an I/O error (such as write protect).


LB-Demonic

Virus Name: Ib-Demonic

Virus Type: File Infector Virus (infects .COM files)

Virus Length: No change

PC Vectors Hooked: None

Executing Procedure:
1) Infects all uninfected .COM files in the current directory.
2) When the file is executed this screen message will appear: "EXEC FAILURE"
3) It will check the system data. If it is Tuesday, then the virus will rename "C:command.com" to "command.c0m" ("c" "zero" "m").
4) It will then show this screen message: "Error reading drive C:\ ... BillMeTuesday

Damage:
1) Renames "command.com" to "command.c0m", so the disk can't start machine.
2) Overwrites original files, so the length of the files won't increase.

Note:
1) Doesn't stay resident in memory.
2) IB-Demonic doesn't hook INT 24h when infecting files. Error message occurs if there is an I/O error (such as write protect).


Lep-FVHS

Virus Name: LEP-FVHS

Virus Type: File Infector Virus (infects .COM & .EXE files)

Virus Length: NO change.

PC Vectors Hooked: None

Executing Procedure:
1) Shows the message: "allocating memory..... Please wait..... Hard time accessing memory, please turn off all RAM resident programs and press>>Enter<< to continu...." 2) The virus searches for an .EXE or .COM file in the current directory. 3) It checks whether it has been infected by LEP-FVHS. If "Yes", it continues to look for an uninfected .EXE or .COM file. 4) It then infects any four .EXE & .COM files at a time in the current directory. 5) Shows the message:"Program too big to fit in memory.
"
Damage: Overwrites original files, so the length of infected files won't increase.

Note:
1) Doesn't stay resident in memory.
2) LEP-FVHS doesn't hook INT 24h when infecting files. An error message occurs if there is an I/O error (such as write protect).


Lycee

Virus Name: LYCEE

Virus Type: Memory Resident, File Infector Virus (infects .COM & .EXE files).

Virus Length: 1788 Bytes (COM & EXE)

PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h, INT 8h, INT 9h

Executing Procedure:
1) Checks whether it resides in memory. If not, it hooks INT 21h, INT 8h and INT 9h, installs itself as memory resident, and then executes the host program.
2) If the virus already resides in memory, it will proceed to execute the host program directly.

Infecting Procedure:
1) The virus Infects files by AH=4B in INT 21h. When an uninfected progran is executed, it will get infected.
2) Lycee will hook INT 24h before infecting files to ignore I/O errors.

Damage: If you haven't pressed any key for a few minutes, a small window will appear on the screen until you press a key.

Detecting Method:
1) Infected files increase by 1788 Bytes.

Note:
1) The Lycee virus hooks INT 24h when infecting files. It omits I/O errors (such as write protect).

Remarks: The virus does timing by INT 8h.


Leech

Virus Name: Leech

Virus Type: Highest Memory Resident, File Infector Virus (infects .COM files).

Virus Length: 1024 Bytes (COM)

PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h

Executing Procedure:
1) The virus checks if it is memory resident. If it isn't, it loads itself into memory by hooking INT 21h.
2) It then executes the original file.
3a) Once in resident memory it will infect any uninfected file that is executed.
3b) It doesn't infect .EXE files.

Damage: None.

Detecting Method:
1) Infected files increase by 1024 Bytes.

Note:
1) The Leech virus hooks INT 24h when infecting files. It omits I/O errors (such as write protect).


Little Brother

Virus Name: Little_Brother

Virus Type: Memory Resident, File Infector Virus (Companion Virus).

Virus Length: 250 Bytes (EXE)

PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h

Executing Procedure:
1) The virus checks if it is memory resident. If it isn't, it loads itself into memory by hooking INT 21h.
2) It then executes the original file.
3a) Once in resident memory it will infect any uninfected file that is executed.
3b) It doesn't infect .COM files.

Damage: When an uninfected file is executed, the virus will create a .COM file with the same name as the .EXE file        (example: If you run "AAA.EXE", "AAA.COM" will be created by Little_Brother).

Detecting Method:
1) Infected files increase by 250 Bytes.

Note:
1) The Little_Brother virus hooks INT 24h when infecting files. It omits I/O errors (such as write protect).


Lehigh

Virus Name: Lehigh

Other names: None

Virus Type: Parasitic Virus (infects COMMAND.COM only)

Virus Length: 555 bytes

Executing Procedure:
1) The virus checks if it is memory resident. If it isn't, it loads itself into memory by hooking INT 21h.
2) It makes sure COMMAND.COM is infected, and then executes the original file.
3) Once in resident memory it will infect any uninfected file that is executed.

Damage:
1) Infects the disk's .COMMAND.COM file and increases it by 555 bytes.
2) After the infection counter passes four,  the current disk will be trashed.


LCT

Virus Name: Lct

Virus Type: Parasitic Virus

Virus Length: Infected COM files sizes increase by 599 Bytes .

PC Vectors Hooked: None

Executing Procedure:
1) Searches for and infects all uninfected .COM files in the current directory.

Damage:
1) If the system date is Dec. 25, only the virus portion of infected files will execute.

Detecting Method:
1) Detectable if the lengths of files increase by 599 Bytes.

Remarks:
1) Not memory resident.
2) When infecting files, the virus does not hook INT 24h. And the error information appears when I/O errors occur.


Lanc

Virus Name: Lanc

Virus Type: EXE File infector

Virus Length: 7376

Executing Procedure:
1) Searches for an uninfected EXE file in the current directory.
2) Then it creates a new COM file with the same file name as the original EXE file. This new COM file is the virus.

Damage: None

Note:
1) Does not stay in memory.
2) You will see an error message when writing because INT 24h has not been hanged.
3) This virus is written with an advanced language.

Detecting Method: Check whether the file length is 7376 bytes.


LV

Virus Name: Lv

Virus Type: COM File infector

Executing Procedure:
1) Checks whether it has remained resident in memory. If not, it will reside in high memory.
2) Then it hooks INT 21h, and infects COMMAND.COM.
3) It then returns to the original routine.

Vectors hooked:
1) Hooks INT 21H (AH=4Bh) to infect files.
2) First, it will hang INT 24h to prevent divulging its trace when writing. If the program to be executed is an uninfected COM file, the virus proceeds to infect it.

Damage: It will overwrite original files with virus code. Original files are destroyed.


Lip-286

Virus Name: Lip-286

Virus Type: COM File infector

Virus Length: 286 bytes

Executing Procedure:
1) Searches for an uninfected COM file in the current directory and infects it.
2) It can infect two or three files at a time.

Damage:
1) There is a counter in the virus procedure (Every infected file has a different flag). The counter decreases by 1 every time the virus infects a file. When the counter is equal to zero, it will destroy all data on the hard disk.

Note:
1) Does not stay in memory.
2) You will see an error message when writing because INT 24h has not been hanged.

Detecting Method: Infected file sizes increase by 286 bytes.


L1

Virus Name: L1

Virus Type: COM File infector

Virus Length: 140 bytes

Executing Procedure:
1) Checks whether it has stayed resident in memory. If not, it will stay resident in high memory.
2) Then it hooks INT 21h and goes back to the original routine.

Vectors hooked:
1) Hooks INT 21H(AH=4Bh) to infect files.
2) If the program to be executed is an uninfected COM file, the virus proceeds to infect it.

Damage: None

Note: You will see an error message when writing because INT 24h has not been hanged.

Detecting Method: Infected file sizes increase by 140 bytes.


Leper

Virus Name: Leper

Virus Type: COM & EXE File infector

Executing Procedure:
1) Searches for uninfected COM files in the current directory and infects them (Infects four files at a time).

Damage: It will overwrite original files with virus code. Original files are destroyed.

Note:
1) It does not stay resident in memory.
2) You will see an error message when writing because INT 24h has not been hanged.


LZ2

Virus Name: Lz2

Virus Type: EXE File infector

Virus Length: 3000-8000 bytes

Executing Procedure:
1) Searches for an uninfected COM file in the current directory and infects it (Infects only one file at a time).
2) It does this by creating a new COM file with the same name as the EXE file. This new COM file is the virus. Its length is 3000-8000 bytes.

Damage: None

Note:
1) It does not stay resident in memory.
2) You will see an error message when writing because INT 24h has not been hanged.
3) The procedure at the beginning of virus is encrypted in LZEXE mode. PCSCAN cannot scan this virus.


Los-693

Virus Name: Los-693

Virus Type: COM File infector

Virus Length: 693 bytes

Executing Procedure:
1) Checks whether it has stayed resident in memory. If not, it will stay resident in high memory.
2) Then it hooks INT 21h and goes back to the original routine.

Vectors hooked:
1) Hooks INT 21H (AH=4Bh) to infect files.
2) First, it will hang INT 24h to prevent divulging its trace when writing.
3) If the program to be executed is an uninfected COM file, the virus proceeds to infect it.

Damage:
1) The virus has a flag (Initial value is zero). The value will increase by 1 every time the virus infects a file.
2) When the value of the flag is larger than 223, it will hook INT 08h. A minute later, characters on the screen fall down. Then, the virus halts system.

Detecting Method: Infected file sizes increase by 693 bytes.


Little

Virus Name: Little

Virus Type: COM File infector

Virus Length: 665 bytes

Executing Procedure:
1) Searches for an uninfected COM file in the current directory, then infects it (It infects only one file at a time).

Damage: None

Note:
1) It does not stay resident in memory.
2) You will see an error message when writing because INT 24h has not been hanged.

Detecting Method: Infected file sizes increase by 665 bytes.


Lpt-Off

Virus Name: Lpt-Off

Virus Type: COM File infector

Virus Length: 256 bytes

Executing Procedure:
1) Checks whether it has stayed resident in memory. If not, it will stay resident in high memory.
2) Then it hooks INT 21h and goes back to the original routine.

Vectors hooked:
1) Hooks INT 21H(AH=4Bh) to infect files.
2) If the program to be executed is an uninfected COM file, the virus proceeds to infect it.

Damage: None

Note: You will see an error message when writing because INT 24h has not been hanged.

Detecting Method: Infected file sizes increase by 256 bytes.


L-933

Virus Name: L-933

Virus Type: COM File infector

Virus Length: 933-950 bytes

Executing Procedure:
1) Searches for an uninfected COM file in the current directory and infects it (Infects only one file at a time).
2) If the system date is March 8, the virus destroys all data on the hard disk.
2) If it is September 1, the virus deletes itself.

Damage: The virus will sometimes destroy all data on the hard disk.

Note:
1) It does not stay resident in memory.
2) You will see an error message when writing because INT 24h has not been hanged.

Detecting Method: Infected file sizes increase by 933-950 bytes.


Love-Child-2710

Virus Name: Love-Child-2710

Virus Type: COM File infector

Virus Length: 2710 bytes

Executing Procedure:
1) Checks whether current date is one of the following dates: November 5, February 22, June 23, August 24, or October 6, or that the system is not DOS 3.3.
2) If any of these conditions are met, it destroys the Partition and parts of the FAT.
3) If conditions are not met, virus checks whether it has stayed resident in memory. If not, it will stay resident in high memory. Then it hooks INT 13h and goes back to original routine.

Vectors hooked:
1) Hooks INT 13H to infect files.
2) First, it will hang INT 24h to prevent divulging its trace when writing.
3) If the program to be executed is an uninfected COM file, the virus proceeds to infect it.

Damage: Sometimes destroys the Partition and parts of the FAT.

Detecting Method: Infected file sizes increase by 2710 bytes.


Little-Red

Virus Type: File Virus

Virus Length: 1465 bytes

Virus Infect Type: n/a

Trigger Condition: Year < 1994, Date = Sept. 9, Dec. 26

Virus Re-infect: n/a

Virus Memory Type: High Memory Resident

Place of Origin:

Int Vector Hooked: INT 1C,21,24

Infection Procedure:

The virus first decrypts a part of its code and then executes it which turns out to be a "Get DOS Version" function. The virus uses this function because it directly controls DOS' resources. Then it encrypts this part again. Then it modifies Allocated Memory and it allocates 2048 bytes in the High memory Area. It is now ready to transfer the virus code into the High Memory Area with a size of 1465 bytes. In the high memory area, the virus hooks INT 1C, 21 and 24. After doing this, the virus opens the file being executed at that time and checks if it is a .COM file; if it is, then it checks if it is already infected; if not, then it will try to infect it. After that procedure, it will change the attribute of the file "C:\COMMAND.COM" from "read-only" and "system" to "archive".

 


Liberty.2857.A

Virus Type : File Virus

Other Name :

Virus Length :

Place of Origin :

Virus Memory Type : High Memory type

Int. Vectors Hooked : Int 21

Infection Procedure:

Loads itself from 11B0:0110 to 9DEE:0110h, with 2858 bytes. Then it encrypts the data from 11B0:[0115] with CX value = 3Ch. In this, "LIBERTY" can be found but after encrypting it the data in that address will become "Me BC.". The virus then encrypts the message again from 11B0:0113h to 114C:0100h and produces :

"- M Y S T I C - COPYRIGHT (c) 1989-2000, by SsAsMsUsEsL"

After it is loaded in the high memory, it waits for an EXE or COM file to be executed to infect it.

 


Leon.1217

Virus Type: Polymorphic, File Type

Virus Length: 1,224-1,253 bytes

Virus Infect Type: .EXE files

Virus Memory Type: Non-memory resident

Place of Origin:

Int Vector Hooked: INT 24H

Infection Procedure:

The virus only infects .EXE files. It increases an infected file's size by 1,224-1,253 bytes. The virus infects the host file by attaching itself at the end of the file. As a polymorphic virus, it first decrypts its program using XOR 1410H to each encrypted word. Then it hooks to INT 24H to disable the disk write error display when it is infecting its host file. Then it checks the current disk directory and searches for .EXE files. After finding a file it changes its attribute to archive. Then it checks for the current time. If it is between 7th-60th minute of an hour, and between 30th-60th second of a minute, then the virus will just close the file and not infect. Any time beyond that, the virus will infect every .EXE file in all the subdirectories of the current drive. The virus is not memory resident. It will be only activated upon loading and executing an infected file. It will be noticeable when the virus infects .EXE files in the current drive because it takes a long time, depending on the number of .EXE files in the current drive, to load a file.

Damage:

It slows down the loading of executable files.

Symptom:

Increases the host's file size by 1,224-1,253 bytes. Very slow loading of executable files.

 


Lemming.2160

Virus Type : File Virus

Place of Origin :

Virus Memory Type : Non resident type

Int. Vectors Hooked : Int 21

Infection Procedure:

Encrypts data from 114C:[SI+BP],XOR to 49h producing a message that reads:

"TBDRV SP"
"The Rise and Fall of ThunderByte-1994-Australia"
"You will Never Trust Anti-Virus Software Again!!"
"[LEMMING] ver .99"
"TBAVTBSCANNAVVSAFEFPROT"
"COMcomEXEexe"

Then it gets the dos variable and it points to

"[LEMMING] ver .99"

When the virus is loaded and a user tries to execute some EXE and/or COM files, a write-protect error will appear when the disk is write protected.