Virus Name: 2570 Virus Type: File Infector Virus (infects .COM files only) Virus Length: 2570 bytes PC Vectors Hooked: None Executing Procedure: Searches for a .COM file in the current directory. Checks first to see if a file has been previously infected by 2570. If it has, the virus continues to look for an uninfected .COM file. It infects only one .COM file at a time. At infection, messages such following will appear on the infected computer screen:
a) Cycle sluts from hell.. b) Virus Mania IV.. c) 2 Live Crew is fucking cool.. d) Like Commentator I, HIP-HOP sucks.. e) Dr. Ruth is a first-class lady!.. f) Don't be a wimp, Be dead!.. and so on.
Then the originally called program will be executed. Damage: None Detecting Method: Infected files will increase by 2570 Bytes. Note: Doesn't stay resident in memory. 2570 doesn't hook INT 24h when infecting files. An error message appears if there is an I/O error (such as write protect.)
Virus Name: 205 Virus Type: File Infector Virus (infects .COM files) Virus Length: 205 bytes(.COM)
PC Vectors Hooked: None Executing Procedure:
1) Searches for a .COM file in the current directory.
2) When it locates a .COM file it checks to see if the file has been previously infected by 205. If the file has been infected, it continues to look for an uninfected .COM file.
3) It then proceeds to infect all the .COM files in the directory.
4) Finally, it executes the originally called file. Damage: None Detecting Method: Infected files will increase by 205 Bytes. Note: 1) Doesn't stay resident in memory. 2) 205 doesn't hook INT 24h when infecting files. An error message appears if an I/O error (such as write protect) occurs.
Virus Name: 2136 Virus Type: Highest Memory Resident, File Infector Virus (infects .COM and .EXE files). Virus Length: 2136 bytes (.COM and .EXE) PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h Infecting Procedure:
1) The virus checks to see whether it is already loaded resident in memory. If it isn't, it loads itself into resident memory by hooking INT 21h.
2) It then executes the original file.
3) After loading itself into resident memory it will infect any uninfected file that is executed. Damage: None. Detection Method: Infected file size increases by 2136 bytes. Note: The 2136 virus hooks INT 24h when infecting files. It omits I/O errors (such as write protect).
Virus Name: 2343 Other Names: Flip virus Virus Type: Multi-partite Virus Virus Length: 2343 bytes Symptoms: Increases infected .COM and .EXE file sizes by 2343 bytes and decreases the size of free RAM memory by 2864 bytes. The new DOS function 0FE01h is implemented and, when the virus is active in memory, it returns 01FEh in AX. Word 028h in DPT sector contains the value 0FE01h. Flip virus has the same virus flag as the viruses 648, 1560 (ALABAMA) and 512; it sets the number of seconds in the file's time stamp to the nonsense value of 62. Infected files contain the string: "OMICRON by PsychoBlast". Damage: Under certain conditions the virus "flips" the screen. If the damage routine is active, the virus contains bit reversed of screen font 8*14 and monitors the interrupt 10h. When video mode is changed to mode 2 or 3, the special routine for interrupt 1Ch is activated. All other video modes are interrupt vector 1Ch set to IRET instruction. For video modes 2 and 3, the video start address is set to 1000h. The memory at segment 0BA00h is used as video memory rather than 0B800h. On every call of interrupt, 1Ch (18.2 times per second) virus copies 500 words (characters and their attributes) from memory segment 0B800h into memory segment 0BA00h with inversion of rows and columns.
Virus Name: 2881 Other Names: Yankee Doodle virus Virus Type: Parasitic Virus Virus Length: 2881 bytes Symptoms: Increases infected file size by approximately 2881 bytes and decreases the size of free RAM memory. Infected .COM files display 7A4Fh and 2Ch as their end words (flagf for other viruses, for example: for Vacsina virus). Virus will play "Yankee Doodle" when some conditions are met (see damage). Damage: Ping-Pong virus modification: it modifies the Ping-Pong virus in memory. It changes two bytes, one jump and adds one subroutine. It is very interesting that Ping-Pong virus is ready for this change. After this reboot (it writes this count to all disks) and after 255 reboots, the Ping-Pong virus immediately deactivates into the memory (it returns original interrupt vector 13h and the value of 0:413h). Subsequently, "Yankee Doodle" is played.
Virus Name: 2928 Other Names: Yankee Doodle virus Virus Type: Parasitic Virus Virus Length: 2928 bytes Symptoms: Increases infected file size by approximately 2928 bytes and decreases the size of free RAM memory. Infected .COM files display 7A4Fh and 29h as their end words (flagf for other viruses, for example: for Vacsina virus). Virus will play "Yankee Doodle" when some conditions are met (see damage). Damage: Ping-Pong virus modification: it modifies Ping-Pong virus in memory. It changes two bytes, one jump and adds one subroutine. (It's interesting that Ping-Pong virus is ready for this change.) After this reboot (it writes this count to all disks), and after 255 reboots, the Ping-Pong virus immediately deactivates into memory (it returns original interrupt vector 13h and the value of 0:413h). Subsequently, "Yankee Doodle" is played. Special features: It seems that this virus is an older version of the 2881 virus. It is also one of a large virus group. With its level 29h it is one of the previous releases of the same virus. It has the same mechamism, causes the same damage (except that virus 2881 doesn't play the melody every day, so it cannot be detected as early). The code of virus 2881 is optimized, so the new version is shorter (about 47 bytes).
Virus Name: 203 Virus Type: COM File infector Virus Length: 203 bytes Executing Procedure: Virus searches for an uninfected .COM file on the current directory, then infects it. (It infects only one file at a time.) Damage: None Note:
1) It does not stay resident in memory. 2) You will see an error message when writing because INT 24h has not been hanged. Detecting Method: Infected file size increases by 203 bytes.
Virus Name: 2560 Virus Type: .COM and .EXE File Infector Virus Length: 2560 bytes Executing Procedure: Virus checks to see whether it has stayed resident in memory. If it hasn't, it will stay resident in high memory. Then it hooks INT 21h and goes back to the original routine.
Vectors hooked: Hooks INT 21H(AH=4Bh) to infect files. First, it will hang INT 24h to prevent divulging its trace when writing. If the program to be executed is an uninfected .COM or .EXE file, the virus proceeds to infect it. Damage: None Detection Method: Infected file size increases by 2560 bytes.