Virus Name: Twin-Peak Virus Type: File Infector Virus (infects .COM files) Virus Length: No change PC Vectors Hooked: None Executing Procedure: 1) Search for a .COM file in the current directory. 2) Check to see whether it has been infected by TWIN-PEAK. If it has, continue to look for any uninfected .COM file. 3) It infects only one file at at time. Damage: Overwrites original file, so the length of an infected file won't increase. Note: 1) Doesn't stay resident in memory. 2) TWIN-PEAK doesn't hook INT 24h when infecting files. 3) Error message occurs if there is an I/O error (such as write protect).
Virus Name: Telecom Alias Name: Telefonica Virus Type: File Virus Virus Length: 3,700 bytes Description: This virus infects *.COM files When an infected file is executed, the virus installs itself into memory. Total available memory will have decreased by 3,984 bytes. Once the virus is memory resident, it will infect *.COM files that are larger than 1,000 bytes when they are executed. Infected files will increase in size by 3,700 bytes. Date and time information of infected files will be altered with 100 being added to the year.
Virus Name: Tequila Alias Name: Stealth Virus Type: File Virus Virus Length: 2,468 bytes Description: This virus infects *.EXE files as well as boot sectors. Interrupt vectors hooked: INT 13h, INT 21h. Infection method: The first time an infected file runs, the virus infects the master boot record. When the system is booted from the infected hard disk, the virus loads itself in memory. While loaded, it infects any .EXE file that executes. The DOS CHKDSK program will show a "total bytes memory" decrease of 3,072 bytes. Infected .EXE files increase by 2,468 bytes. The virus won't infect files starting with "V" or "SC." Damage: Several months after the initial infection, the virus becomes active. Each month afterward, if an infected program is run on the same day of the first infection, a graphic and this message will be displayed. Welcome to T.TEQUILA'S latest production. Contact T.TEQUILA/P.o.Box 543/6312 St'hausen/Switzerland Loving thoughts to L.I.N.D.A BEER and TEQUILA forever ! Note: The virus hides the infected partition record and increases the size of infected files.
Virus Name: Traveller Alias Name: Bupt Virus Type: File Virus Virus Length: 1,220 to 1,237 bytes Description: This virus infectes *.COM and *.EXE files as well as COMMAND.COM. When an infected file is executed, the virus installs itself into memory. Total available memory will have decreased by 1,840 bytes. Once the virus is memory resident, it will infect *.COM and *.EXE files when they are executed. This virus will also infect when the DIR command is used. Infected files will increase in size by 1,220 to 1,237 bytes, with the virus located at the end of the infected file. Date and time information of infected files will not be altered. The following text string can be found in the virus: "Traveller (C) BUPT 1991.4" "Don't panic I'm harmless <<---!!!!!!!" "*.* COMEXE"
Virus Name: Trivial Alias Name: Minimal, Mini-45 Virus Type: File Virus Virus Length: 45 bytes Description: This virus infectes *.COM files as well as COMMAND.COM. When an infected file is executed, the virus will infect all *.COM files in the same directory. The first 45 bytes of infected files will be overwritten by the virus. The date and time information of infected files will be updated to the time of infection. All infected files will be permanently corrupted.
Virus Name: Torm-263 Virus Type: File Infector Virus (infects .COM files) Virus Length: 263 Bytes(COM) PC Vectors Hooked: None Executing Procedure: 1) Searches for a .COM file in the current directory. 2) It then checks whether it has been infected by TORM-263. If it has, it continues to look for any uninfected .COM files. 3) It then infects all uninfected files in the dircetory. 4) Finally, it executes the original file. Damage: None Detecting Method: Infected files will increase by 263 Bytes.
Note: 1) Doesn't stay resident in memory. 2) TORM-263 doesn't hook INT 24h when infecting files. 3) Error message occurs if there is an I/O error (such as write protect).
Virus Name: Timid Virus Type: File Infector Virus (infects .COM files) Virus Length: 306 Bytes(COM)
PC Vectors Hooked: None Executing Procedure: 1) Searches for a .COM file in the current directory. 2) Once it locates a file, it checks whether it has been infected by Timid. If it has, it continues to search for an uninfected .COM file. 3) It then infects one file at a time and displays the infected file name on the screen. 4) Once the file is executed, the system will halt. Damage: Damages original files. Detecting Method: 1) Infected files will increase by 306 Bytes. 2) Other file names are shown on the screen. Note: 1) Doesn't stay resident in memory. 2) Timid doesn't hook INT 24h when infecting files. 3) Error message occurs if there is an I/O error of (such as write protect).
Virus Name: TRASH Other names: None Virus Type: Boot Strap Sector Virus Virus Length: 1241 bytes. Damage: Virus will overwrite the Partition Table. Detecting Method: The virus will not infect any files. It will display the following message: "Warning!!! This program will zero (DESTROY) the master boot record of your first hard disk. The purpose of this is to test the antivirus software, so be sure you have installed your favorite protecting program before running this one! It's almost certain that it will fail to protect you anyway. Press any key to abort, or press Ctrl-Alt-Right Shift- F5 to proceed at your own risk." Virus will proceed to overwrite the Partition Table if user presses "Ctrl-Alt-Right Shift- F5."
Virus Name: Taiwan Other names: None Virus Type: File Infector Virus Virus Length: .EXE 1300-1503 bytes Executing Procedure: 1) The virus checks if it is resident in memory. If not, it loads itself into resident memory by hooking INT 21h. 2) It then executes the original file. 3) Once loaded into resident memory, it will infect any uninfected file that is executed. Damage: This virus has several variants. While some variants have no damage routine, some will slow down the system performance and variants of the Mummy virus will have a Random Number counter. When the counter reaches zero, the virus will overwrite the first part of the hard disk and cause severe data loss. Detecting Method: Increases infected file size by 1300-1503 bytes. The virus occasionally hangs the system when the virus is resident in memory . Encrypted text strings inside the virus code appear as follows: "Mummy Version x.xxx", "Kaohsiung Senior School", "Tzeng Jau Ming presents", "Series Number=[xxxxx]." Note: 1) Loads itself resident in memory. An error message occurs if there is an I/O error (such as write protect).
Virus Name: Tiny-143 Virus Type: Memory Resident (OS), COM File infector Virus Length: 143 bytes Executing Procedure: 1) Checks whether it is in resident memory. If not, it will copy itself to absolute address 0060:0000h. 2) Then it hooks INT21h and goes back to the original routine. Vectors hooked: 1) Hooks INT 21H(AH=4Bh) to infect files. 2) If the program to be executed is an uninfected COM file, the virus proceeds to infect it. Damage: None Detecting Method: 1)Date and time of infected files are changed. 2)Infected file sizes increase by 143 bytes.
Virus Name: Tiny-124 Virus Type: Memory Resident(OS), COM File infector Virus Length: 124 bytes Executing Procedure: 1) Checks if it is in resident memory. If not, the virus copies itself to absolute address 0050:0103h. 2) Then it hooks INT21h and goes back to the original routine. Vectors hooked: 1) Hooks INT 21H(AX=4B00h) to infect files. 2) If the program to be executed is an uninfected COM file and its first byte is not E9h, the virus proceeds to infect it. Damage: EXE files are destroyed because of the subsequent head damaged. Note: Some interrupts cannot run correctly because the virus has stayed resident in vector area. Detecting Method: 1)Date and time of infected files changed. 2)Infected file sizes increase by 124 bytes.
Virus Name: Troi2 Virus Type: Memory Resident(OS), EXE File infector Virus Length: 512 bytes Executing Procedure: Checks whether the current date is before 5/1/1992. If it is, it returns to the original routine directly. Otherwise, checks whether it is residing in memory. If not, the virus copies itself to absolute address 0000:0200h (The area of interrupts vectors), hooks INT 21h and goes back to the original routine. Vectors hooked: 1)Hooks INT 21h to check whether it is residing in memory. 2)Hooks INT 21H (AH=4Bh) to infect files. If the program to be executed is an uninfected EXE file, the virus proceeds to infect it. Damage: None Note: Date and time of infected files do not change. Detecting Method: Infected file sizes increase by 512 bytes.
Virus Name: Tver Virus Type: Memory Resident(OS), COM File infector Virus Length: 308 bytes Executing Procedure: 1) Checks whether it is residing in memory. 2) If not, the virus copies itself to absolute address 0000:0200h (the area of interrupt vectors), hooks INT 21h and goes back to the original routine. Vectors hooked: 1)Hooks INT 21h to check whether it is residing in memory. 2)Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed is an uninfected COM file and its first byte is E9h, virus proceeds to infect it. Damage: None Note: Many infected files' first byte is E9h. In most cases, the virus corrects each file's first byte if it is not E9h. Detecting Method: 1)Date and time of infected files changed. 2)Infected file sizes increase by 308 bytes.
Virus Name: T-1000 Virus Type: COM File infector Virus Length: 128 bytes Executing Procedure: 1) It will decode its later half section first, then infect all COM files on current directory. 2) The method of infection is: Get system time and encode it with its original procedure, then overwrite its first 128 bytes by virus code. If it is less than 128 bytes, it will be 128 bytes after being infected. Otherwise, its size does not change. Damage: It will overwrite first 127 bytes of original files by virus code. So original files are destroyed. Detecting Method: Date and time of infected files changed.
Virus Name: The Silence Of The Lamb! Virus Type: Memory resident, COM File infector Virus Length: 555 bytes Executing Procedure: 1) Checks whether it is still in the last memory block. 2) If not, it will stay resident in high memory and return to the original routine. 3) The method of infection is: First, encode first 200h bytes of original file and attach them and decoded codes to the end of the file. Then encode virus code and write them into first 200h bytes of the file. Vectors hooked: 1) Hooks INT 21H(AH=4Bh) to infect files. 2) Firsts, it will hang INT 24h to prevent divulging its trace when writing, then check whether the program to be executed is an uninfected COM file (Length is between 0400h and FA00h bytes). If it is, infect it. Finally, the virus restores INT 24h. Damage: None Note: Date and time of infected files do not change. Detecting Method: 1) Call INT21h (AH=2Dh,CH=FFh,DH=FFh) to return value AH. If AH=00h, memory has been infected. If AH=FFh, memory has not been infected. 2) If word at address 0002 of COM file is 5944h, memory has been infected. After the virus code has decoded, there is text in the address from 01E6h to 01EFh. The text is "The Silence Of The Lamb!$". 3) Total memory decreases by 1568 bytes.
Virus Name: Terminal Virus Type: EXE & COM File infector Virus Length: Executing Procedure: Virus searches for an uninfected EXE file on current directory from diskette C, then infects it. Damage: It will overwrite original files with a virus code. Original files are destroyed. Note: 1) Does not stay in memory. 2) You will see an error message when writing because INT 24h has not been hanged. 3) This virus is written with an advanced language. 4) This virus is encrypted by a program like PKLITE. Although it has a pattern, we cannot scan it.
Virus Name: Triple-shot Virus Type: EXE File infector Virus Length: 6610 Executing Procedure: 1) Searches for an uninfected EXE file in the current directory and creates a new hidden COM file with the same name as the EXE file. 2) This new COM file is the virus. Its length is 6610 bytes. Damage: None Note: 1) Does not stay in memory. 2) You will see an error message when writing because INT 24h has not been hanged. Detecting Method: Checks whether the file's length is 6610 bytes.
Virus Name: THULE Virus Type: Virus infects .COM files shorter than 61,054 bytes. Virus is memory resident. Virus Length: Virus infects COM files 309 bytes and 68 bytes in memory. Interrupt Vectors Hooked: INT 21h. Infection Process: 1) This virus will move virus code to 0:200h-0:243h and hook int 21h in order to delete a file named "THULE.COM." 2) When DOS changes the current directory , it will try to open "THULE.COM" in the current directory. When found, this file will be deleted. Damage: The file named "THULE.COM" will be deleted. Symptoms: Increased file sizes. A file is deleted.
Virus Name: TOPA 1.20 Virus Type: Virus infects .COM files between 2712 and 60000 bytes. Infects .EXE files between 5424 and 524288 bytes. Virus is memory resident. Virus Length: EXE files: 2456 - 2471 bytes and COM files: 2456 bytes. 5536 bytes in memory. Interrupt Vectors Hooked: INT 1Ch and INT 21h. Infection Process: 1) When a TOPA_1.2 infected program is executed, it will check to see if AX= 4290h in INT 21 and return AX = 9047 to indicate it is already resident in memory. 2) If it is in memory, it will execute the infected program. If it is not in memory, it will perform the following functions: A) It will change its memory allocation strategy to low memory's last fit, then stay resident at the MCB (memory control block).The available free memory will have decreased by 5536 (15A0H) bytes. B) Once the TOPA_1.2 virus is memory resident, it will hook int 1Ch and int 21h in order to infect files. Damage: Decreased available memory. Symptoms: Increased file sizes.
Virus Name: TOPO Virus Type: Virus infects .EXE files shorter than 524288 bytes. Virus is memory resident. Virus Length: EXE files: 1536 - 1552 bytes and 3616 bytes in memory. Interrupt Vectors Hooked: INT 21h. Infection Process: This virus is spread by executing an infected program. When a TOPO infected program is executed, first it will hook INT 3 then use this interrupt to deceive the virus body. The virus will then check to see if it is already resident in memory by checking to see if address 0:3feh contains the value 0011h. If the virus is already in memory it will execute the infected program. The virus will not include files names such as: "*AN.EXE" , "*LD.EXE" with '*' being a wild card. Damage: Virus destroys diskette parameter (00:525h - 0:52Ch) and displays the following message: "R(etry), I(gnore), F(ail), or A(bort) ?" Symptoms: Increased file sizes and the inability to read certain files. Decreased available memory. Note: If the system date is equal to the 25 or 26 of any month, the above message will manifest.
Virus Name: Tu-482 Virus Type: COM File infector Virus Length: 482 bytes Executing Procedure: 1) Checks whether it has stayed resident in memory. If not, it will stay resident in high memory. 2) Then it hooks INT 21h and goes back to the original routine. Vectors hooked: 1) Hooks INT 21H(AH=4Bh) to infect files. 2) If the program to be executed is an uninfected COM file, the virus proceeds to infect it. Damage: None Note: 1) You will see an error message when writing because INT 24h has not been hanged. 2) When virus is executed, it will jump to the end of the program. It will then jump back to the beginning making it difficult to locate. Detecting Method: Infected file sizes increase by 482 bytes.
Virus Name: Timemark Virus Type: EXE File infector Virus Length: 1060-1080 bytes Executing Procedure: 1) Checks whether it has stayed resident in memory. If not, it will stay resident in high memory. 2) Then it hooks INT 21h and goes back to the original routine. Vectors hooked: 1) Hooks INT 21H(AH=4Bh) to infect files. 2) If the program to be executed is an uninfected EXE file, the virus proceeds to infect it. Damage: None Detecting Method: Infected file sizes increase by 1060-1080 bytes.
Virus Name: T-1000-B Virus Type: COM File infector Virus Length: Executing Procedure: 1) Virus searches for all uninfected COM files on current directory, then infects them (Infects only one file at a time). Damage: It will overwrite original files with virus code. Original files are destroyed. Note: 1) It does not stay resident in memory. 2) You will see an error message when writing because INT 24h has not been hanged.
Virus Name: Toys Virus Type: COM & EXE File infector Virus Length: 773 bytes Executing Procedure: 1) Searches for uninfected COM files in the current directory, then infects them (Infects two files at a time). Damage: None Note: 1) It does not stay resident in memory. 2) You will see an error message when writing because INT 24h has not been hanged. Detecting Method: Infected file sizes increase by 773 bytes.
Virus Name: Tankard Virus Type: COM File infector Virus Length: 493 bytes Executing Procedure: 1) Checks whether it has stayed resident in memory. If not, it will stay resident in high memory. 2) Then it hooks INT 21h and goes back to the original routine. Vectors hooked: 1) Hooks INT 21H (AH=4Bh) to infect files. 2) First, it will hang INT 24h to prevent divulging its trace when writing. If the program to be executed is an uninfected COM file, the virus proceeds to infect it. Damage: None Detecting Method: Infected file sizes increase by 493 bytes.
Virus Name: Trident Virus Type: COM & EXE File infector Virus Length: 2385-2395 bytes Executing Procedure: 1) Checks whether it has stayed resident in memory. If not, it will stay resident in high memory. 2) Then it hooks INT 21h and goes back to the original routine. Vectors hooked: 1) Hooks INT 21H(AH=4Bh) to infect files. 2) First, it will hang INT 24h to prevent divulging its trace when writing. 3) Then when you type the "Dir" command (like DIR H*.*), the virus infects all uninfected COM & EXE files accessed through the "Dir" command. Damage: None Detecting Method: Infected file sizes increase by 2385-2395 bytes.
Other Name: YANK-39
Virus Type: File Type Virus
Virus Length: Approximately, 2768 bytes.
Virus Memory Type:
INT Vectors Hooked: Int 21
Trigger: Triggers if time is 5:00 pm of any day. Plays a part of the song: "Jack and Jill."
Run Directly: Loads virus code to high memory.
Infection Procedure:
Loads itself to high memory. Allocates 2896 bytes in memory. Moves 2768 bytes to memory. Infects *.COM and *.EXE files. Copies virus code to host program. Loads the virus first before running the host program.
Virus Name: TANPRO
Virus Length: Approximately 524 bytes
Virus Memory Type: High Memory
INT Vectors Hooked: Int 21, Int 27
Place of Origin:
Uses TSR, Int 27. Allocates 3104 bytes (using MEM) of memory. Creates a hidden un-named file within the root directory with a size of 10000 bytes. Within the code is the string "This file is infected..." Executes this program, deletes it afterwards then calls Int 27, to retain its possession in memory for further infection of other files. Infects *.COM and *.EXE files. Copies virus code to host program. Adding approximately 524 bytes. Loads the virus first before running the host program.
The virus when resident in memory, will infect any executed *.COM and *.EXE files. It does not do anything special. It just replicates when it is resident in memory. Infects file only if it is executed.
Damage:
Free memory decreases by approximately 3104 bytes. Increases file size. Adds approximately 524 bytes.
Symptom:
Delay in program execution due to virus activity. Text string: "(c) tanpro'94" appears within the virus code.
Detection method:
Locate mentioned text string.
Virus Name: BARR1303
Virus Type: Polymorphic type
Other Name: TECLA
Virus Length: 2051 bytes
Virus Infect Type: .COM and .EXE files
Trigger Condition: September 23
Virus Re-infect: No
Virus Memory Type: High Memory Resident
Int Vector Hooked: INT 16H, INT 21H, INT 24H
The virus is a polymorphic type and infects both .COM and .EXE files. It adds 1303 bytes to an infected file. It first decrypts its code, which is attached to the host, using SUB 75H to each byte. It can be seen from the decrypted data area of the virus code string "SSta Tecla(MAD1)" which gives another name to the virus. It copies its program (1033 bytes) to the high memory, 9F9A:0100; thus, overlaps the video adapter memory. Once resident in the memory it checks if the date is September 23. If it is, then it activates its payload by hooking to INT 16H (change to vector 9F9A:017C) and changes the keyboard ASCII table. It increments all the unextended keyboard input by 1 ASCII character. Thus, a keyboard input of "A" will display "B", or an input of "." will display "/", and so on. Without the trigger date it still hooks to INT 21H by changing its vector to its program in the high memory 9F9A:016C to infect every loading and executing program. It also hooks to INT 24H and changes its vector to 9F9A:0107 which is seen to give no payload.
Changes unextended keyboard input to an increment of 1 ASCII character.
Virus Length: Approximately 2717 bytes
Virus Re-infect: Does not re-infect, infected file size is consistent
Virus Memory Type: Non Resident
Directly infects *.COM and *.EXE files. Copies virus code to host program. Adding approximately 2717 bytes. Loads first the virus before running the host program.
The virus, when executed, infects any executed *.COM and *.EXE files. It does not do anything special. It just replicates when it is resident in memory. Infects a file only if it is executed.
Increase in file size. Adds approximately 2717 bytes.
Delay in program execution due to virus activity.
Virus Type:
Virus Length: Approximately 1784 bytes
INT Vectors Hooked: Int 21, Int 1C
Loads itself to high memory. Allocates 2304 bytes (9F70:0000) of memory. Infects *.EXE files. Copies virus code to host program, adding approximately 1784 bytes. Loads first the virus before running the host program.
The virus when resident in memory, will infect any executed *.EXE files. It does not do anything special. It just replicates when it is resident in memory. Infects file only if it is executed.
Free memory decreases by approximately 2304 bytes. Increase in file size. Adds approximately 1784 bytes.
Virus checks first if the current month is June using Int 21 (2A). If it is, it triggers the virus code; otherwise, it just exits the program. Then, the virus checks for the system time using Int 21 (2C). It has a special formula which it uses to specify which payload should be executed. There are 4 possible payloads which will be discussed later. But first, the formula:
Int 21 (2C): Significant register CX, Adds CH to CL and returns the sum to CL (Add CL,CH) uses the AND boolean between CL,03 (And CL,03) clears CH to 00 (XOR CH,CH) compares Cl to 4 possibilities (CMP CL,+03)
The virus uses this procedure to get 00, 01, 02, 03 as values for CL. Each value corresponds to a certain tune. (03 doesn't have a tune to play) When the infected file is run a specific tune depending on the time and the result after manipulating the time, a specific tune is played. A total of three tunes are played. whatever tune is played, infection remains the same, even if it plays nothing.
Delay in program execution due to virus activity. Plays various tunes.
[TRAKIA.1070]
Virus Length: Approximately 1076-1084 bytes
Virus Infect Type: Mutation Virus
Loads itself to high memory. Allocates 1360 bytes (9FAB:0000) in memory. Moves 1357 (054DH) bytes to high memory. Infects *.COM and *.EXE files. Copies virus code to host program, adding approximately 1076 - 1084 bytes. Loads the virus first before running the host program.
This virus is a mutation virus. When an infected file is executed, it will search for *.COM and *.EXE files using Int 21 (4E & 4F), and will infect when DTA is set. It only infects files within the current directory.
Free memory decreases. Increase in file size. Adds approximately 1076-1084 bytes.
Delay in program execution due to file search.
Text string: "Files Only (No symbols) .SYM - Load symbol file only. No extension - Load program & symbols" appears within the virus code.
Virus Length:
INT Vectors Hooked: Int 21, Int 15, Int 2F
Trigger Condition:
Checks if date is above April 13, or if the year is above or equal to 1993. If so it executes the virus code directly.
Loads itself to high memory. Loads approximately 4272-4288 bytes in memory. Infects *.EXE files. Copies virus code to host program, adding approximately 4003 bytes. Loads the virus first before running the host program. While in memory, EXE files opened will be infected.
Virus checks for system date and time, after virus code is decrypted. The code then checks for the DOS version with the reason unknown. It continues by getting the process ID of the program, to enable itself to set the kind of allocation strategy it wants to do, Int 21 (58). After this, the virus checks for extended memory, Int 21 (43). If all needed requirements are set, it begins to modify memory allocation, Int 21 (4A). The virus code is then transferred to high memory, at a size approximately 4003 bytes. When in memory, the virus now sets the DTA to which it will copy its code.
Displays: "-=> T.R.E.M.O.R was done by NEUROBASHER /May-June '92, Germany <=- -MOMENT-OF-TERROR-IS-THE-BEGINNING-OF-LIFE-"
However, infected file runs normally. Increase in file size, and occupies memory space.
Decrypt virus code before detection.
Virus Length: Approximately 1463 bytes
Loads itself to high memory after decryption. Allocates 3536 bytes (9F23:0100) in memory. Moves 1463 (05B7H) bytes to high memory. Does not actually infect files, what it does is load itself resident in high memory and messes up the execution of files. (see Damage below)
When a source virus file is executed and the virus code is loaded in memory, two payloads can be detected.
1. COM files:
When *.COM files are executed while the virus is in memory, those files will not run.
2. EXE files:
When *.EXE files are executed while the virus is in memory, those files will not run, like what happens with COM files. But this will only happen once. The second execution of an EXE file will result to a same display, but this time the COMMAND.COM becomes invalid. System becomes useless afterwards.
Note:
Executing a COM file will not suspend itself. But when an EXE file is executed after a COM file has been executed, the system will then suspend.
Text string: "Trojector II, (c) Armagedon Utilities, Athens 1992" appears within the decrypted code.
Virus Length: Approximately 1561 bytes
Loads itself to high memory after decryption. Allocates 3744 bytes (9F16:0100) in memory. Moves 1561 (0619H) bytes to high memory. Does not actually infect any file, but the file executed will not run.
While virus is resident in memory, files executed will not run.
Text string: "Trojector ]I[, (c) Armagedon Utilities, Athe@" appears within the decrypted code.
Virus Length: Size of approximately 438 bytes.
Loads itself to high memory. Loads approximately 512 bytes in memory. Infects *.EXE files. Copies virus code to host program. Adding approximately 438 (01B6H) bytes. Loads the virus first before running the host program. While in memory, EXE files opened will be infected. The virus reacts ordinarily by allocating space in memory before infecting files, using Int 21 (48). Nothing extraordinary happens. It just attaches its code to the host program after it is loaded from memory.
Symptom: Free memory decreases. Increase in file size.
May display:
"[Whisper Presenterar Tai-Pan]" which appears in the virus code.
Detection method: Look for the said display strings, and detect from there.
Virus Length: Size of approximately 666 bytes.
Loads itself to high memory. Loads approximately 710 bytes in memory. Infects *.EXE files. Copies virus code to host program, adding approximately 666 (029AH) bytes. Loads the virus first before running the host program. While in memory, EXE files opened will be infected. The virus reacts ordinarily by allocating space in memory before infecting files, using Int 21 (48). Nothing extraordinary happens. It just attaches its code to the host program after it is loaded from memory.
"DOOM2,EXE. Illegal DOOM II signature" "Your version of DOOM2.EXE matches the illegal RAZOR release of DOOM2" "Say bye-bye HD" "The programmer of DOOM II DEATH is in no way affiliated with ID Software." "ID Software is in no way affiliated with DOOM II DEATH."
which appears in the virus code.