Virus Name: USSR Other Names: 570, 8-17-88, 2:08a Virus Type: Parasitic Virus Virus Length: 570 bytes Symptom: 1) Infects .EXE files. Increases file size by 570 to 585 (570+15) bytes. (The next multiple of 16 of the original file size plus 570). 2) The date and time in the file's directory entry is set to 8-17-88 and 2:08a. Damage: Writes one sector to the boot sector of the C drive, then halts the system.
Virus Name: Ultrasik-1967 Virus Type: EXE File infector Virus Length: 1967 bytes Executing Procedure: Search for an uninfected EXE file and infect it. The search path is from current directory to all subdirectories, then to the root directory and all its subdirectories. Next, it returns to the original routine. If it can't infect a file, it halts the system (The original plan is to format the C drive, but if it can't, it halts the system with an imbedded instruction). Damage: None Note: Date and time of infected files do not change. Detecting Method: 1) Length of infected files are increased. 2) The algorithm is: First, increase original length to make it become a multiple of 16. Then increase it by 1967 bytes.
Virus Name: Uruk-Hai Virus Type: COM File infector Virus Length: 394 bytes Executing Procedure: 1) Checks whether it has stayed resident in memory. If not, it will stay resident in high memory. 2) Then it hooks INT 21h and goes back to the original routine. Vectors hooked: 1) Hooks INT 21H(AH=4Bh) to infect files. First, it will hang INT 24h to prevent divulging its trace when writing. 2) If the program to be executed is an uninfected COM file, the virus proceeds to infect it. Damage: None Detecting Method: Infected file sizes increase by 394 bytes.
Virus Type: File Type Virus
Virus Length: Approximately 814 bytes
Virus Memory Type: High Memory
INT Vectors Hooked: Int 21
Place of Origin:
Infection Procedure:
Loads itself to high memory. Allocates 1024 bytes (9FC0:0000) in memory. Moves approximately 814 bytes (032EH) in high memory. Infects *.EXE files. Copies virus code to host program, adding approximately 814 (032EH) bytes. Loads the virus first before running the host program. While in memory, EXE files opened will be infected.
The virus reacts ordinarily by allocating space in memory before infecting files. Nothing extraordinary happens. It just attaches its code to the host program after it is loaded from memory.
Damage:
Memory free space decreases. Increase in file size.