Simple

Virus Name: Simple

Virus Type: File Infector Virus (infects .COM files only.)

Virus Length: No change

PC Vectors Hooked: None

Executing Procedure:
Infects all COM files in the current directory, and no file is infected twice.

Damage: Overwrites the original files, so the length of the original files won't increase.

Note:
Doesn't stay resident in memory.
SIMPLE doesn't hook INT 24h when infecting files. Error message occurs if there is an I/O error present (such as write protect).


Slayer

Virus Name: Slayer

Alias Name: 5120, Vbasic

Virus Type: File Virus

Virus Length: 5,120 bytes

Description: This virus infectes *.COM and *.EXE files.

When an infected file is executed, the virus will infect all *.COM and *.EXE files located in the same directory. Infected files will increase in size from 5,120 to 5,135 bytes with the virus located at the end of the file. Date and time information of infected files will not be altered.


Stealth_Boot.C

Virus Name: Stealth_Boot.C

Alias Name: Amse, Nops, STELBOO, STB

Virus Type: Boot Virus

Virus Length: N/A

Description: This virus infects boot sectors.

Interrupt vectors hooked: INT 13h.

Infection method: When the system is booted from an infected diskette, the virus loads itself into memory and infects the master boot record. While loaded, it infects any accessed, non-protected diskettes. The DOS CHKDSK program will show a "total bytes memory" decrease of 4,000 bytes.

Damage: No intentional damage.
Note: If you attempt to examine the infected hard disk sectors while the virus is in memory, it will return a zero-filled buffer.


Stoned

Virus Name: Stoned

Alias Name: Marijuana, New Zealand, Stoned.Standard.A

Virus Type: Boot Virus

Virus Length: N/A

Description: This virus infects boot sectors

Interrupt vectors hooked: INT 13h.

Infection method: When the system is booted from an infected floppy, the virus loads itself intto memory and infects the hard disk. While loaded, it infects any accessed diskettes. The DOS CHKDSK program will show a "total bytes memory" decrease of 2,048 bytes.

Damage: No intentional damage. Displays the text string:

"Your PC is now Stoned!"


Stoned.Azusa

Virus Name: Stoned.Azusa

Alias Name: Azusa, Hong Kong

Virus Type: Boot Virus

Virus Length: N/A

Description: This virus infects boot sectors.

Interrupt vectors hooked: INT 13h.

Infection method: When a system is booted from an infected disk, the virus loads itself into memory. While loaded, it attempts to infect any accessed disks. Unlike most boot sector viruses, it does not preserve a copy of the original master boot record. Instead it overwrites it and takes over its functions. The DOS CHKDSK program will show a "total bytes memory" decrease of 1,024 bytes.

Damage: After a specified number of reboots, the virus temporarily disables the serial and parallel ports.


Spanz

Virus Name: Spanz

Virus Type: File Infector Virus (infects .COM files)

Virus Length: 639 Bytes

PC Vectors Hooked: None

Executing Procedure:
1) Searches for and infects one uninfected .COM file in the current directory.
Damage: None

Detecting Method: Infected files will increase by 639 Bytes.

Note:
1) Doesn't stay resident in memory.
2) Spanz doesn't hook INT 24h when infecting files. Error message occurs if there is an I/O error (such as write protect).


Small 115

Virus Name: Small115

Virus Type: File Infector Virus (infects .COM files)

Virus Length: 115 Bytes

PC Vectors Hooked: None

Executing Procedure:
1) Searches for a .COM file in the current directory.
2) It then checks whether it has been infected by Small115. If it has, it continues to look for any uninfected .COM file.
3) It eventually infects all the .COM files in the directory.

Damage: Infected files won't be able to execute.

Detecting Method: Infected files will increase by 115 Bytes.

Note:
1) Doesn't stay resident in memory.
2) Small115 doesn't hook INT 24h when infecting files. Error message occurs if there is an I/O error of (such as write protect).


Shirley

Virus Name: SHIRLEY

Virus Type: Memory Resident, File Infector Virus (infects .EXE files).

Virus Length: 4110 Bytes (EXE)

PC Vectors Hooked: INT 21h

Infecting Procedure:
1) The virus checks whether it is already loaded resident in memory. If not, it then loads itself into resident memory (highest memory) by hooking INT 21h.
2) It then executes the original file.
3) Once in resident memory it will infect any uninfected file that is executed.
4) It doesn't infect .COM files.

Damage: None

Detecting Method: Infected EXE files increase by 4110 Bytes.

Note: The Shirley virus doesn't hook INT 24h when infecting files. An error message occurs if there is an I/O error (such as write protect).


SBC-1

Virus Name: SBC-1

Virus Type: Highest Memory Resident, File Infector Virus (infects .COM files).

Virus Length: No change

PC Vectors Hooked: INT 21h (AX=4B00h) (execute program)

Infecting Procedure:
1) The virus checks whether it is already loaded resident in memory. If not, it then loads itself into resident memory (highest memory) by hooking INT 21h.
2) It then checks whether the "COMMAND.COM" file has been infected. If not, it infects the file.
3) It then executes the original file.
4) Once loaded into resident memory it will infect any uninfected file that is executed.
5) It doesn't infect .EXE files.

Damage: Overwrites original files, so infected file sizes won't increase.

Detecting Method: None

Note: The SBC-1 doesn't hook INT 24h when infecting files. An error message occurs if there is an I/O error (such as write protect).


Sandwich

Virus Name: SANDWICH

Virus Type: Highest Memory Resident, File Infector Virus (infects .COM files).

Virus Length: 1172 Bytes (COM)

PC Vectors Hooked: INT 21h (AX=4B00h) (execute program)

Infecting Procedure:
1) The virus checks if it is in resident memory. If not, it then loads itself into resident memory by hooking INT 21h.
2) It then executes the original file.
3) With itself loaded into resident memory it will infect any uninfected file that is executed.
4) It doesn't infect .EXE files.

Damage: None.

Detecting Method: Infected files increase by 1172 Bytes.

Note: The Sandwich virus doesn't hook INT 24h when infecting files. An error message occurs if there is an I/O error (such as write protect).


Secto

Virus Name: Secto

Virus Type: Trojan

Virus Length: 487 Bytes

PC Vectors Hooked: None

Damage: Destroys data on the boot sector of "A:\".

Detecting Method: None.

Note:
1) Doesn't stay resident in memory.
2) Doesn't infect any files or partition.
3) Doesn't hook INT 24h when destroying, An error message occurs if there are I/O errors (such as write protect).


Son of PSMPC

Virus Name: SON_OF_PSMPC

Virus Type: Virus Generator

Virus Length: 17741 Bytes.

PC Vectors Hooked: None

Executing Procedure:
1) This is a "virus generator." When you execute "PC-MPC A.CFG B.CFG...," then "A.ASM B.ASM..." are generated. These will be viruses after compiling and linking.

Detecting Method: None.

Note:
1) Doesn't stay resident in memory.
2) SON_OF_PSMPC doesn't hook INT 24h when infecting files. It omits I/O errors (such as write protect).
3) These generated files can have different functions such as encoding or infecting the "COMMAND.COM" file.


Sunday

Virus Name: Sunday

Other names: None

Virus Type: Boot Strap Sector Virus (Memory Resident)

Virus Length: 1636 bytes.

Damage: On Sunday, the virus will prevent computer use.

Detecting Method: On Sunday, the virus will display the following message: "Today is Sunday! Why do you work so hard? All work and no play makes you a dull boy! Come on! Let's go out and have some fun!"


Scythe-2d

Virus Name: Scythe-2d

Virus Type: Boot

PC Vectors Hooked: INT 13h

Executing procedure:
1) Modifies memory size, decreasing the real memory size by 1K.
2) Installs itself in resident memory in the last 1K of the memory.
3) Hook INT 13h.
4) Returns the control to DOS and the system boots normally. (Note: If booting the system with a floppy disk, the virus will first check whether the hard disk is infected. If not, the virus will infect it.)

Damage: None

Note: The content of INT 13h: checks if the contents of the boot sector or the partition table of the hard disk is requested. If so, the virus will return the uninfected original contents.


Smal-122B

Virus Name: Smal-122b

Virus Type: Memory Resident(OS), COM & EXE File infector

Virus Length: 122 bytes

Executing Procedure:
Checks whether it resides in memory. If not, the virus copies itself to absolute address 0000:0103h. Then it hooks INT21h and goes back to the original routine.

Vectors hooked: Hooks INT 21h (AX=4B00h) to infect files. If the program to be executed is an uninfected COM or EXE file and its first byte is not E9h, the virus proceeds to infect it.

Damage: EXE files are destroyed because of the subsequent head damaged.

Note: Some interrupts cannot run correctly because the virus has stayed resident in vector area.

Detecting Method:
1) Date and time of infected files changed.
2) Infected file sizes increase by 122 bytes.


Smal-124

Virus Name: Smal-124

Virus Type: Memory Resident(OS), COM File infector

Virus Length: 124 bytes

Executing Procedure:
Checks whether it is residing in memory. If not, it copies itself to absolute address 0050:0103h. Then it hooks INT21h and goes back to the original routine.

Vectors hooked:
Hooks INT 21H(AX=4B00h) to infect files. If the program to be executed is an uninfected COM file, the virus proceeds to infect it.

Damage: None

Note: Some interrupts cannot run correctly because the virus has stayed resident in vector area.

Detecting Method:
1)Date and time of infected files changed.
2)Infected file sizes increase by 124 bytes.


Sun Devil

Virus Name: Sundevil

Virus Type: COM File infector

Virus Length: 691 bytes

Executing Procedure: Checks if the date is MAY 8. If it is, it destroys the first sector (Boot sector) on the current diskette. Then it displays a message and repeats calling INT 05h. The message is:
"There is no America.
There is no Demoracy.
There is only IBM, ITT, and AT&T.

This virus is dedicated to all that have been busted for computer-hacking activities.

The SunDevil Virus (C) 1993 by Crypt Keepr
[SUNDEVIL] "
Otherwise, the virus copies itself to absolute address 9000:0000h then hooks INT21h and returns to the original routine.

Vectors hooked: Hooks INT 21h (AH=3D,3E,56, AX=4300,4B00,4B01) to infect files. If the program to be executed is an uninfected COM file, the virus proceeds to infect it.

Damage: Destroys the boot sector of the current diskette if the current date is MAY 8.

Note: Date and time of infected files do not change.

Detecting Method:
1) Infected file sizes increase by 691 bytes.
2) Above message will manifest when you use the "Type" command.


Skew-469

Virus Name: Skew-469

Virus Type: Memory Resident(OS), EXE File infector

Virus Length: 469 bytes

Executing Procedure: Checks whether it resides in memory. If not, copies itself to absolute address 0000:0200h, then hooks INT21h and goes back to the original routine.

Vectors hooked:
1) Hooks INT 21h (AX=4B00h or AH=3Dh) to infect files. First, hangs INT 24h to prevent divulging its trace when writing. Then checks whether the program to be executed is an uninfected EXE file. If it is, proceeds to infect it. Finally, restores INT 24h.
2) Hooks INT 1Ch. Increases value of an address by 1 overtime this interrupt called. After the value equals FFFFh, it writes the current value to the video card, making the screen move up and down or from side to side.

Damage: Causes the screen to move up and down or from side to side.

Detecting Method:
1) Date and time of infected files change.
2) Infected file sizes increase by 469-469+15 bytes.


Seneca

Virus Name: Seneca

Virus Type: EXE File infector

Virus Length: 392 bytes

Executing Procedure: It will get the system date & time. There are three conditions for infection:
(1)Current year is not larger than 1980 and current minute is less than 30, or current year is larger than 1980 and current day is not November 25:
It will infect all EXE files on current and parent directories.
(2)Current year is not larger than 1980 and current minute is not less 30:
It will display a message as:"You shouldn't use your computer so much, its bad for you and your computer." Then it destroys the current diskette.
(3)current year is larger than 1980 and current day is November 25:
It will display a message as:
"HEY EVERYONE!!!"
"Its Seneca's B-Day ! Let's Party!"
Then it destroys the current diskette.
The method of destroying a diskette for (2) & (3) is: Write some data into the first 255 sectors of diskette. This effectively destroys lots of important data on the diskette.

Damage: In condition (1), infected files are destroyed because their first 392 bytes overwritten. In condition (2) & (3), the damage is listed above.

Note: Date and time of infected files do not change.

Detecting Method: You can see messages listed above by using "TYPE" on an infected file.


Story-A

Virus Name: Story-A

Virus Type: COM File infector

Virus Length: 1117 bytes

Executing Procedure: Searches from the root directory to all subdirectories to find 3 uninfected COM (Except COMMAND.COM) files, and then infects them (It does not infect same file twice). Next, it holds the order of every infected file. Then it checks if the number of current infected files is larger than 7, or if the current date is July 9. If either of these two conditions is met, the virus will be triggered.

Vectors hooked: Hooks INT 08H to accumulate system time.

Symptoms: Does not execute infection procedure, stays resident in memory, then hooks INT 08h. 290 seconds later, a message displays in inverse mode repeatedly in 22-second cycles.

Note: Date and time of infected files do not change.

Detecting Method:
1) Memory:
a) Total system memory decreases.
b) Virus might be triggered if first 4 bytes of segment (Before free memory) are FFh,26h,04h,01h.
2) File:
a) Infected file sizes increase by 1117 bytes.
b) First 4 bytes of infection are FFh,26h,04h,01h.


Story-B

Virus Name: Story-B

Virus Type: COM File infector

Virus Length: 1168 bytes

Executing Procedure: Searches from the root directory to all subdirectories to find 3 uninfected COM (Except COMMAND.COM) files, and then infects them (It does not infect the same file twice). Next, it holds the order of infected files. Then it checks if the number of current infected files is larger than 7, or whether the current month is December. If either of these two conditions is met, the virus will be triggered.

Vectors hooked: Hooks INT 08H to accumulate system time.

Symptoms: Does not execute infection procedure, stays resident in memory, then hooks INT 08h. 290 seconds later, a message displays in inverse mode repeatedly in 22-second cycles.

Note: Date and time of infected files do not change.

Detecting Method:
1) Memory:
a) Total system memory decreases.
b) Virus might be triggered if first 4 bytes of segment (Before free memory) are FFh,26h,04h,01h.
2) File:
a) Infected file sizes increase by 1168 bytes.
b) First 4 bytes of infection are FFh,26h,04h,01h.


Suicide

Virus Name: Suicide

Virus Type: COM & EXE File infector

Virus Length: 2048 bytes

Executing Procedure:
1) Searches for uninfected COM or EXE files in the current directory, then infects them.
2) It can infect four files at a time.

Damage: None

Note:
1) Does not stay in memory.
2) You will see an error message when writing because INT 24h has not been hanged.

Detecting Method: Infected file sizes increase by 2048 bytes.


Star Dot

Virus Name: STARDOT

Virus Type: Virus infects .EXE files. File Infector Virus.

Virus Length: 592 - 608 bytes on file.

Interrupt Vectors Hooked: INT21h.

Infection Process: Virus only infects .EXE programs when they are executed. There will be a file length increase of 592 - 608 bytes with the virus located at the end of the file. When the virus infects another clean program, it adds a counter and writes the value and virus body into a clean program, so the virus will get the day of the week and compare with the lowest 3 bits of the counter. If the value is equal, it will randomly destroy the current disk sector 8 times. If the counter value is equal to 63 (3Fh), it will send the random data to system I/O port (from 380h to 3DFh).

Damage: Virus destroys current disk sector and sends random data to system I/O port.

Symptoms: Lost disk data and increased file sizes.


Stunning Blow

Virus Name: STUNNING BLOW

Virus Type: Virus infects .EXE files but not the following headed names: "TB","F-","CP","NA","SC","CL","V." Virus is memory resident.

Virus Length: 1237 bytes on file and 1392 bytes in memory.

Interrupt Vectors Hooked: INT 21h.

Infection Process: This virus will activate on the 4, 8, 12, 16, 20, 24, and 28 of each month
after the initial delay period of one month. Upon activation the virus will:

(1) Hook interrupt 08h, counter = FFD0h

(2) Decrease the counter by 18.2 every second, and

(3) When the counter reaches zero it will start to play music on the speaker.
This virus also activates when a random seed = -1, and it will display the following message:

" Stunning Blow (R) Ghost Player Italy."

Damage: Virus deletes "*.CPS" files.

Symptoms: Loss of some files named as "*.CPS" and increased file sizes. Decreased available memory.


Sunrise

Virus Name: SUNRISE

Virus Type: Virus infects .EXE files. File Infector Virus.

Virus Length: 1033 bytes on file and 80 bytes in memory after activation.

Interrupt Vectors Hooked: INT 21h

Infection Process: From the root directory of the current disk, virus searches for the last subdirectory then changes to that subdirectory and all subsequent last subdirectories. The virus then searches to infect an "*.EXE" that has not been infected. It then checks the disk serial number. If the number is equal to zero and one memory word is equal to 2Dh, it will display the following message:

"* Sun Rise * EpidemicWare G.I.P.Po oct-93."

Interrupt 08h will be hooked:
If the month when the executed file was infected is not equal to the current
month, the virus will hook int 08h, which will:

(i) Be resident at the top of memory but below the 640k boundary.

(ii) Decrease available memory by 80 bytes.

(iii) Assign a value BDD8h to a counter and decrease the counter by 18.2
every second. When the counter reaches zero the screen will blank
and the original screen contents will then scroll up. After this
you can continue as normal.

(iv) Assign a value 1518h to the counter and repeat step (ii), (iii) (iv).

Damage: Virus hooks int 8h and at certain intervals the screen goes blank and scrolls up.

Symptoms: Increased file sizes. Decreased available memory.


Small 178

Virus Name: Small-178

Virus Type: COM File infector

Virus Length: 178 bytes

Executing Procedure:
1) Virus checks whether it has stayed resident in memory. If not, it will stay resident in high memory.
2) Then it hooks INT 21h and goes back to the original routine.

Vectors hooked:
1) Hooks INT 21H(AH=4Bh)to infect files.
2) If the program to be executed is an uninfected COM file, the virus proceeds to infect it.

Damage: None

Note: You will see an error message when writing because INT 24h has not been hanged.

Detecting Method: Infected file sizes increase by 178 bytes.


Shiny-Happy

Virus Name: Shiny-Happy

Virus Type: EXE File infector

Virus Length: 921 bytes

Executing Procedure:
1) Checks whether it has stayed resident in memory. If not, it will stay resident in high memory.
2) Then it hooks INT 21h and goes back to the original routine.

Vectors hooked:
1) Hooks INT 21H(AH=4Bh) to infect files.
2) If the program to be executed is an uninfected EXE file, the virus proceeds to infect it.

Damage: None

Detecting Method: Infected file sizes increase by 921 bytes.


Sucker

Virus Name: Sucker

Virus Type: EXE File infector

Virus Length: 572 bytes

Executing Procedure:
1) Virus checks whether it has stayed resident in memory. If not, it will stay resident in high memory.
2) Then it hooks INT 21h and goes back to the original routine.

Vectors hooked:
1) Hooks INT 21H(AH=4Bh) to infect files.
2) If the program to be executed is an uninfected EXE file, the virus proceeds to infect it.

Damage: None

Note:
1) You will see an error message when writing because INT 24h has not been hanged.
2) This virus can be cleared with Soft-Mice. This virus will make a mistake in clearing SUCKER.CO.

Detecting Method: Infected file sizes increase by 572 bytes.


Semtex

Virus Name: Semtex

Virus Type: COM File infector

Virus Length: 1000 bytes

Executing Procedure:
1) Checks whether it has stayed resident in memory. If not, it will stay resident in high memory.
2) Then it hooks INT 21h and INT 8h and goes back to the original routine.

Vectors hooked:
1) Hooks INT 21H(AH=4Bh) to infect files.
2) If the program to be executed is an uninfected COM file, the virus proceeds to infect it.

Damage: None

Note:
1) You will see an error message when writing because INT 24h has not been hanged.
2) The sentence at the beginning of infected file is:
MOV BP,XXXX
JMP BP

Detecting Method: Infected file sizes increase by 1000 bytes.


Sergant

Virus Name: Sergant

Virus Type: COM File infector

Virus Length: 108 bytes

Executing Procedure:
1) Checks whether it has stayed resident in memory. If not, it will stay resident in high memory then hook INT 21h and go back to the original routine.

Vectors hooked:
1) Hooks INT 21H(AH=4Bh) to infect files.
2) If the program to be executed is an uninfected COM file, it proceeds to infect it.

Damage: None

Note: You will see an error message when writing because INT 24h has not been hanged.

Detecting Method: Infected file sizes increase by 108 bytes.


Seacat

Virus Name: Seacat

Virus Type: COM File infector

Virus Length: 1600 bytes

Executing Procedure:
1) Searches for an uninfected COM file in the current directory, then infects it (Infects only one file at a time).

Damage: None

Note:
1) It does not stay resident in memory.
2) You will see an error message when writing because INT 24h has not been hanged.

Detecting Method: Infected file sizes increase by 1600 bytes.


Soupy

Virus Name: Soupy

Virus Type: COM File infector

Virus Length: 1072 bytes

Executing Procedure:
1) Virus searches for an uninfected COM file on current directory, then infects it (Infects only one file at a time).

Damage: None

Note:
1) It does not stay resident in memory.
2) You will see an error message when writing because INT 24h has not been hanged.

Detecting Method: Infected file sizes increase by 1072 bytes.


Small-Exe

Virus Name: Small-Exe

Virus Type: EXE File infector

Virus Length: 349 bytes

Executing Procedure:
1) Search for an uninfected EXE file in the current directory, then infect it (Infects only one file at a time).
2) After infection, halt system.

Damage: Virus will halt system every time it infects a file.

Note:
1) It does not stay resident in memory.
2) You will see an error message when writing because INT 24h has not been hanged.

Detecting Method: Infected file sizes increase by 349 bytes.


Scribble

Virus Name: Scribble

Virus Type: COM & EXE File infector

Virus Length:

Executing Procedure: Searches for all uninfected COM & EXE files in the current directory, then infects them.

Damage: It will overwrite original files with virus code. Original files are destroyed.

Note:
1) It does not stay resident in memory.
2) You will see an error message when writing because INT 24h has not been hanged.


Simple 1992

Virus Name: Simple-1992

Virus Type: COM File infector

Virus Length: 424 bytes

Executing Procedure:
1)  Searches for all uninfected COM files in the current directory and infects them (will infect COMMAND.COM).

Damage: None

Note:
1) It does not stay resident in memory.
2) You will see an error message when writing because INT 24h has not been hanged.

Detecting Method: Infected file sizes increase by 424 bytes.


Schrunch

Virus Name: Schrunch

Virus Type: COM File infector

Virus Length: 420 bytes

Executing Procedure:
1) Displays the following message: "S C H R U N C H E M U P T I M E."
2) Searches for all uninfected COM files in the current directory, then proceeds to infect them.

Damage: None

Note:
1) It does not stay resident in memory.
2) You will see an error message when writing because INT 24h has not been hanged.

Detecting Method:
1) Infected file sizes increase by 420 bytes.
2) Virus will display above message when a file is executed.


Seneca-A

Virus Name: Seneca-A

Virus Type: EXE File infector

Executing Procedure:
1) Searches for all uninfected EXE files in the current directory, then infects them.
2) It will check whether the current date is November 25.
3) If it is, the virus displays the following message and destroys all of the data on the hard diskette:
"Its Seneca's B_DAY
let's party !!!"

Damage: Will sometimes destroy all of the data on the hard diskette.

Note:
1) It does not stay resident in memory.
2) You will see an error message when writing because INT 24h has not been hanged.


Seneca-B

Virus Name: SENECA-B

Virus Type: File infector

Executing Procedure:
1) Virus searches for all (*.*) uninfected files on current directory, then infects them.
2) It will check whether the current date is November 25.
3) If it is, the virus displays the following message and destroys all of the data on the hard diskette:
"Its Seneca's B_DAY
let's party !!!"

Damage: Virus will sometimes destroy all data on hard diskette.

Note:
1) It does not stay resident in memory.
2) You will see an error message when writing because INT 24h has not been hanged.


Silver-3D

Virus Name: Silver-3d

Virus Type: COM & EXE File infector

Executing Procedure:
1) Searches for an uninfected COM or EXE file on current directory, then infects it.
2) It will infect four files at a time.
3) It then displays the following message: "Program too big to fit in memory."

Damage:
1) It will overwrite original files with virus code. Original files are destroyed.
2) If it cannot find an uninfected file, it will display "PLO VIRUS RESEARCH TEAM" in enlarged font.
3) It then halts system.

Detecting Method:
1) The length of infected COM files is 8101 bytes.
2) Executed infected files will display the following message: "Program too big to fit in memory" or "PLO VIRUS RESEARCH TEAM."


Silly-Willy

Virus Name: Silly-Willy

Virus Type: COM & EXE File infector

Executing Procedure:
1) When executing an infected COM program, it will infect files only when the current year is between 1988 and 1992. When infecting files, it will search for all uninfected COM and EXE files in the current directory, then infects them. It will infect only one COM file and EXE file at a time.
2) Executing an infected EXE program will not infect other files. At this time, a smiling face is displayed on the screen. Furthermore, when any key is depressed, the following message will be displayed:
"Hello ! I'm Silly-Willy .
Now, I'm formating your HARDDISK.........."
(It does not really format hard disk). If there is a diskette in drive A, all data on this diskette will be destroyed and the virus will proceed to hang the system.

Damage: It will sometimes destroy all data in drive A and halt system.


Stupid 1

Virus Name: Stupid 1, July 4

Virus Type: COM File infector

Virus Length: 743 bytes

Executing Procedure:
1) If the word at address 0000:01FEh is FFFFh, virus will not infect any file.
2) When the virus infects files, it will infect all uninfected COM files on the current directory. If the number of infected files is less than 2, it will go on infecting all COM files on upper directory until the number is larger then 2 or it has reached the root directory. It will check if the current date is July 4 and that the current time is either 0:00am, 1:00am, 2:00am, 3:00am, 4:00am, or 5:00am. If any of these times are met, the virus will proceed to destroy data on the current diskette.

Detecting Method:
1) Date and time of infected files changed.
2) Byte at 0003h of infected COM file is 1Ah.
3) Infected COM file displays the following message:
"Abort, Retry, Ignore, Fail?" , "Fail on INT 24"
(2) - "Impotence error reading users disk"
(0) - "Program too big to fit in memory"
(1) - "Cannot load COMMAND, system halted"
(3)"Joker!" and "*.com."
4) Virus will display the above message when executing an infected file.


Src-377

Virus Name: Src-377

Virus Type: COM File infector

Virus Length: 377 bytes

Executing Procedure: Virus searches for all uninfected COM files on all directories, and proceeds to infect them.

Damage:
1) When the hard disk divides into more than one partition, and the system is booted up from second partition (D drive), all data on this drive will be destroyed.

Note:
1) Does not stay in memory.
2) You will see an error message when writing because INT 24h has not been hanged.

Detecting Method: Infected file sizes increase by 377 bytes.


Squisher

Virus Name: Squisher

Virus Type: COM File infector

Executing Procedure:
1) This virus checks whether it has stayed resident in memory. If not, it will stay resident in high memory.
2) Then it hooks INT 21h, and checks whether COMMAND.COM has been infected.
3) If it is uninfected, the virus infects it and goes back to the original routine.

Vectors hooked: Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed is an uninfected COM file, the virus proceeds to infect it.

Damage: It will overwrite original files with a virus code. Original files are destroyed.


Signs

Virus Name: Signs

Virus Type: COM File infector

Virus Length: 720 bytes

Executing Procedure:
1) Checks whether it has stayed resident in memory. If not, it will stay resident in high memory.
2) Then it hooks INT 21h and goes back to the original routine.
3) It will check whether it is Friday. If it is, the screen will roll up once per minute.

Vectors hooked:
1) Hooks INT 21H(AH=4Bh) to infect files.
2) First, it will hang INT 24h to prevent divulging its trace when writing.
3) If the program to be executed is an uninfected COM file, the virus proceeds to infect it.

Damage: None

Detecting Method: Infected file sizes increase by 720 bytes.


Shield

Virus Name: Shield

Virus Type: COM File infector

Virus Length: 172 bytes

Executing Procedure:
1) Checks whether it has stayed resident in memory. If not, it will stay resident in high memory.
2) Then it hooks INT 21h and goes back to the original routine.

Vectors hooked:
1) Hooks INT 21H(AH=4Bh) to infect files.
2) If the program to be executed is an uninfected COM file, the virus proceeds to infect it.

Damage: None

Note:
1) You will see an error message when writing because INT 24h has not been hanged.
2) The function of the infected program is different from the original. Infected files have no ability to infect other files, but they can display a message when the current month is February. The message is the following:
"I greet you user .
I am COM-CHILD, son of The Breeder Virus.
Look out for the RENAME-PROBLEM !"

Detecting Method: Infected file sizes increase by 172 bytes.


Screaming_Fist

Other Name: SFIST696

Virus Type: File Type Virus

Virus Length: Approximately 675 bytes (moves 696 bytes to memory)

Virus Memory Type: High Memory

INT Vectors Hooked: Int 21

Place of Origin:

Infection Procedure:

Loads itself to high memory. Loads approximately 2,048 (9F80:0000) bytes in memory. Infects *.COM and *.EXE files. Copies virus code to host program, adding approximately 696 (02B8H) bytes. Loads first the virus before running the host program. While in memory, opened COM and EXE files are infected.

Virus code is decrypted. The virus reacts ordinarily by allocating space in the memory before infecting files. Nothing extraordinary happens. It just attaches its code to the host program after it is loaded from memory.

Symptom:

Free memory decreases. Increase in file size. May display:

"Screaming Fist IIV"

which appears in the decrypted code.

Actual recognizable string: "C:\COMMAND>COM.Screaming Fist IIV"

Detection method:

Decrypt virus code before detection. Check for the above strings.

 


Sibylle.853

Virus Type: File Type Virus

Virus Length: Approximately 867 bytes

Virus Memory Type: High Memory

Place of Origin:

INT Vectors Hooked: Int 21, Int 2F

Trigger Condition:

Activates only if the millionth of a second is less than 32. If not, then it just exits the code without loading itself to memory.

Infection Procedure:

Loads itself to high memory. Allocates 928 bytes (using MEM) of memory. Moves 904 (01C4H x 2) bytes to high memory. Infects *.EXE files. Copies virus code to host program, adding approximately 867 bytes. Loads first the virus before running the host program.

The virus when resident in memory, will infect any executed *.EXE files. It does not do anything special. It just replicates when it is resident in memory. Infects file only if it is executed.

Damage:

Free memory decreases by approximately 928 bytes. Using MEM.EXE 928 bytes will be used by MSDOS (tricky). Increase in file size. Adds approximately 867 bytes.

Symptom:

Delay in program execution due to virus activity.

Detection method:

Locate virus text strings.

 


Sleepwalker

Virus Type: File Type Virus

Virus Length: At the range between 1268-1282

Virus Memory Type: High Memory

INT Vectors Hooked: Int 21, Int 1C

Place of Origin:

Infection Procedure:

Loads itself to high memory. Loads approximately 1552 bytes in memory. Infects *.COM files. Copies virus code to host program. Loads the virus first before running the host program. While in memory, COM files opened will be infected.

Virus code is transferred to the allocated memory space using Int 21 (4A). The setting of allocation space is determined by checking memory from high to low using Int 21 (5801). The virus also uses the Int 1c handler to take note of the timer tick, possibly using it for some payload. Basically, the virus reacts by transferring its code to high memory before actually attaching it to the code itself. The virus calls string "STAC," but it is uncertain if the other strings are displayed.

Symptom:

May display:

"STAC"
"Sleepwalker. (c) Optus 1993."

which appears in the virus code.

Detection method:

Look for the above string.

 


Svc-1-s

Virus Type: File Type Virus

Virus Length: Approximately 3103 bytes

Virus Memory Type: High Memory

INT Vectors Hooked: Int 21

Place of Origin:

Infection Procedure:

Loads itself to high memory, allocating 3120 bytes (using MEM). Moves 3104 (0C20H) bytes to high memory. Infects *.COM and *.EXE files. Copies virus code to host program, adding approximately 3103 bytes. Loads the virus first before running the host program.

The virus, when resident in memory, infects any executed *.COM and *.EXE files. It does not do anything special. It just replicates when it is resident in memory. Infects file only if it is executed.

While the virus is resident in memory, increase in the size of the infected file will not be visible.

Damage:

Free memory decreases by approximately 3120 bytes. Increase in file size. Adds approximately 3103 bytes.

Symptom:

Delay in program execution due to virus activity.

Text string: "(c) 1990 by SVC, Vers. 5.0" appears within the virus code.

Detection method:

Check for the above text string.

 


Sarampo.b

Origin :

Eff Length : 1371 bytes

Type Code :

Virus Status:

Symptoms :

Increase in the size of infected COM and EXE files by 1371 bytes and decrease in available memory by 1664 bytes. Executing programs may slow down due to the infection procedure of the virus.

General Comments:

The SARAMPO Virus, on first infection will allocate 1664 bytes in memory and will transfer its code to the High Memory Area. It will also hook INT 21 and INT 24. It will also rebuild the carrier program while it is in memory so it can still run the host program.

This virus will infect all opened, executed and copied COM and EXE files. It will also change the file's time to 1:13pm.

SARAMPO will display some garbage on your screen if the system date is April 25, December 25 or October 12 and the virus is already resident for about 2 minutes.

This text is found in the virus code:

"Do you like this Screen Saver ? I hope so."
"Created by Sarampo virus"


S_bug.A

Alias:

Origin :

Eff Length : 3500-5500 bytes

Type Code : Polymorphic Virus

Virus Status:

Symptoms :

Increase in the size of infected COM and EXE files by 3500-5500 bytes and decrease in available memory by 10272 bytes. Executing programs may slow down due to the infection procedure of the virus.

General Comments:

This virus is a very complex and highly polymorphic virus. It will first decrypt 3504 bytes of its virus code and then allocate 10 kbytes of memory. It will then be resident in the High Memory Area. It will also hook INT 21h with infection triggers with services 3D, 4B and 6C.

Files infected by the virus are more likely to have file sizes as this virus randomly assigns codes for decryption of the real virus code which is 3504 bytes. File sizes may be from 3500 bytes to 5500 bytes. All COM and EXE files that are opened, executed or copied, will be infected if the following condition is satisfied COMSPEC=COMMAND.COM. This condition is also the trigger of the virus if it is resident or not.

This message is found in the virus code:

"Satan Bug Virus - Little Loc"

 


Smeg.Pathogen

Alias: SMEG v0.1

Origin : United Kingdom

Eff Length : 4432-4447 bytes

Type Code :

Symptoms :

Increase in file size of EXE and COM programs with a size of 4432-4447 bytes and decrease of 7872 in available memory.

General Comments:

On the first infection, this virus will first allocate 7872 bytes in the High Memory Area and then transfer 3700 bytes of its code to that area. It will then hook INT 21, INT 13, INT 20 and will make INT 3 as INT 21.

Pathogen is very complex and it is a polymorphic type of virus. This virus will infect COM and EXE files that are opened, executed and copied. It will also display a "Memory allocation Error" when an infected file attempts to be memory resident.

The danger Pathogen brings is that when the system date is Monday and the time is 5:00 - 5:59 PM then it will write zeroes to sectors of the hard disk randomly, thus destroying some, if not all, of the data in your hard drive. It will also trash or reset the BIOS of the computer.

This message will also be shown on the screen:

"Your hard-disk is being corrupted, courtesy of PATHOGEN!"
"Programmed in the U.K. (Yes, NOT Bulgaria) (c) The Black Baron 1993-4"
"Featuring SMEG v0.1 : Simulated Metamorphic Encryption Generator"
" 'Smoke me a kipper, I'll be back for breakfast.....!"
"Unfortunately some of your data won`t!!!!!"

 


Sayha

Trigger Condition:

Virus Type: File Type Virus

Virus Length:

Virus Re-infect: Does not reinfect

Virus Memory Type: High Memory

INT Vectors Hooked: Int 21

Place of Origin:

Infection Procedure:

Loads itself to high memory. Loads approximately 9040 bytes in high memory. Infects *.COM and *.EXE files by attaching itself to the host program. Moves virus code by batches, copying its code 2 bytes at a time in different locations.

Damage:

Increases file size. Occupies space in high memory.

Symptom:

Delay in program execution.

 


Scitzo

Virus Type: File Type Virus

Virus Length: Size of approximately 1329 bytes.

Virus Memory Type: High Memory

INT Vectors Hooked: Int 21

Place of Origin:

Infection Procedure:

Loads itself to high memory. Allocates 1360 bytes (using MEM) in memory. Moves 1329 (0531H) bytes to high memory. Infects *.COM and *.EXE files. Copies virus code to host program. Adding approximately 1329 bytes. Loads the virus first before running the host program.

The virus when resident in memory, will infect any executed *.COM and *.EXE files. It does not do anything special. It just replicates when it is resident in memory. Infects file only if it is executed.

Damage:

Free memory decreases. Increase in file size. Adds approximately 1329 bytes.

Symptom:

Delay in program execution due to virus activity.

Detection method:

Locate virus text strings.