Virus Name: Fcb Virus Type: File Infector Virus (.EXE and .COM files) Virus Length: No change PC Vectors Hooked: None Executing Procedure: 1) Fcb searches for an uninfected.COM file in the current directory and, when it finds one, infects it. (It will infect only one file at a time.) 2) The virus continues to search and infect uninfected .COM files. 3) Next, it searches for an .EXE file in the current directory and, when it finds one, infects it. (It will infect only one file at a time.) 4) The virus continues to search and infect uninfected .EXE files. Damage: 1) Overwrites original file so that the length of infected file won't change. Notes: 1) Doesn't stay resident in memory. 2) FCB doesn't hook INT 24h when infecting files. Error message occurs if there is an I/O error (such as write protect).
Virus Name: F3 Virus Type: Memory Resident, File Infector Virus (.COM and .EXE files). Virus Length: 50406 bytes PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h Infecting Procedure: 1) If F3 finds that it is not already loaded resident in memory, it loads itself (into highest memory) by hooking INT 21h. 2) If the system date is April 1st, two lines of code will appear on the screen. 3) F3 next executes the original file. 4) Once it's loaded into resident memory it will infect any uninfected file that is executed. Damage: None. Detection Method: Infected files increase by 50406 bytes. Notes: The F3 virus hooks INT 24h when infecting files. It omits I/O errors (such as write protect).
Virus Name: Form.A Aliases: FORM, Form, Form 18, Generic Virus Type: Boot Sector Virus Virus Length: N/A Interrupt vectors hooked: INT 13h, INT 09h. Infection method: When the system is booted from an infected diskette, Form.A infects the DOS boot sector and loads itself in memory. While loaded, it infects any accessed, non-protected disks. The DOS CHKDSK program will indicate 653,312 bytes of free memory. Damage: On the 18th day of any month, the virus will emit a clicking sound whenever keys are pressed. The system may hang when a read error occurs, and parts of the original boot sector may be overwritten, making the partition unbootable.
Virus Name: Frodo.Frodo.A Aliases: 4096, IDF, 4096-1, Frodo, 100 Year Virus Type: File Infector Virus (.COM and .EXE files) Virus Length: 4,096 bytes Interrupt vectors hooked: INT 21h, INT 13h. Infection method: When an infected file runs, Frodo.Frodo.A loads itself in memory. While loaded, it infects accessed, executable files. The virus increases the size of infected files by 4096 bytes. Damage: After September 21, the virus tries to modify the boot sector to display "FRODO LIVES." However, the virus code is corrupted, so instead of modifying the system areas, it crashes the system. Notes: While the virus is in memory, it hides the increase in infected file size.
Virus Name: Fire Virus Type: Trojan Horse Virus Virus Length: 4304 bytes PC Vectors Hooked: INT 24h
Damage: Destroys all data on all disks if drives are ready, then emits a sound. Detection Method: Infected file size increases by 4304 bytes. Notes: 1) Doesn't stay resident in memory. 2) Doesn't infect any files, partition or boot sector. 3) Fire hooks INT 24h when destroying data so that I/O errors (such as write protect) are omitted.
Virus Name: FLIP Virus Type: Multi-partite Virus (Infects all programs being used, either .EXE or .COM., when the .COM file's original length <= 63,046 (F646h) bytes. Virus Length: 2672 bytes Interrupt Vectors Hooked: INT 21h Infection Process: Variable 1. Infection of a clean system by an infected program. When an infected program is executed in a clean system, the virus copies itself in the last side of the last cylinder, from the 5th last sector to the 1st last sector. The virus will reduce the DOS boot sector at offset 0x13h (number of logical sectors) by 6. Finally, Flip writes the virus body to the partition sector. 2. Infection through an infected disk. If a PC is booted from an infected disk, the infection will completely spread. The boot code, previously overwritten by the virus on the disk partition sector, reads the main core of the virus from the last 5 sectors to the last 1 sector. It loads as a TSR in RAM, occupying 3 Kb of the higher part of system memory. Once installed as a TSR, Flip takes control of Int 1Ch (Timer Interrupt) to verify, with a frequency of 18.2 times per second, if the DOS COMMAND.COM is loaded. If DOS is present, the virus restores the timer and takes control of Int 21h. Damage: Loss of data stored in the 6th last to 1st last sectors of the disk. Symptoms: Virus turns screen display upside down (rotates 180 degrees). File sizes increase by 2153 bytes Notes: To avoid detection by anti-virus programs when it is modifying the partition sector that hooks int 01h, the Flip virus turns on a single step flag to get the original entry of DOS hooked on INT 13h. The virus then moves itself to the top of the MCB (memory control block), where it decreases available memory by 2672 (A70h) bytes. It hooks Int 21h with the same method it uses for INT 13h, and then runs the original program.
Virus Name: Flip-B Virus Type: File and Partition Table Infector Virus Virus Length: 2153 bytes PC Vectors Hooked: INT 21h, INT 24h, INT 1Ch Executing Procedure: 1) When you execute a file infected by Flip-B, the virus checks to see whether Sector #1 on the hard drive is infected. If it is not, Flip-B infects it. 2) If the virus fnds that it is not already resident in memory, it loads itself by hooking INT 21h and INT 1Ch. 3) It infects files when they are executed. Damage: You may not be able to boot up the machine from the hard disk. Detection Method: Infected files increase in size by 2153 bytes. INT 1Ch: Detects whether INT 21h is constantly hooked by another program. Notes: Flip-B hooks INT 24h when infecting files, omitting I/O errors such as write protect.
Virus Name: Friday the 13th Aliases: Virus 1813, Israelian, Jerusalem Virus Type: File Infector Virus Virus Length: Approimately 1813 bytes PC Vectors Hooked: Int 21 Executing Procedure: 1) If the virus finds that it is not already resident in memory it loads itself by hooking INT 21h. 2) It then executes the original file. 3) Once it's loaded into resident memory it infects any uninfected file that is executed. Damage: In the year 1987, the virus did no damage. However, on Friday the 13th each year (except 1987) the virus deletes every program executed. On all other days (except in 1987), the virus spreads. About half an hour after the virus is loaded in memory, it scrolls up by two lines a small window with coordinates (5, 5), (16, 16) and slows down computer speed. Delay loop repeats 18.5 times per second. Detection Method: Increases the infected file length by 1813 bytes. Notes: Loads itself as resident in memory. An error message appears if an I/O error (such as write protect) occurs.
Virus Name: FAM1 Aliases: None Virus Type: File Infector Virus Virus Length: 1063 bytes Executing Procedure: 1) If FAM1 finds that it is not already resident in memory, it loads itself by hooking INT 21h. 2) It then executes the original file. 3) Once it's loaded into resident memory it infects any uninfected file that is executed. Damage: None. Detection Method: Increases infected file size by 1036 bytes. This occurs only with the MONO display card. Notes: 1) Resident in memory. 2) An error message appears if an I/O error (such as write protect) occurs.
Virus Name: Findm-608 Virus Type: Parasitic Virus (.COM files) Virus Length: 608-623 bytes PC Vectors Hooked: None Executing Procedure: Findm-608 searches for uninfected .COM files in the current directory and infects those it finds. Damage: None Detection Method: Infected files increase in size by 608-623 bytes. Notes: 1) The virus was badly writtten so most of the infected files can not be executed normally. 2) Non memory resident. 3) When infecting files, the virus does not hook INT 24h. An error message appears when I/O errors occur.
Virus Name: Findm-695 Virus Type: Parasitic Virus (infects .COM files) Virus Length: 695-710 bytes PC Vectors Hooked: None Executing Procedure: Searches the current directory for uninfected .COM files and infects those it finds. Damage: None Detection Method: Infected files increase in size by 695-710 bytes. Notes: 1)The infecting part of the virus was badly written so most of the infected files can not be executed normally. 2) Non memory resident. 3) When infecting files, the virus does not hook INT 24h. An error message will appear when I/O errors occur.
Virus Name: FR-1013 Virus Type: Parasitic Virus (infects .COM and .EXE files) Virus Length: 1013 - 1028 bytes PC Vectors Hooked: INT 21h Executing Procedure: 1) If FR-1013 finds that it does not already reside in memory, it hooks INT 21h, installs itself as memory resident and then executes the host program. 2) If FR-1013 finds that it already resides in memory, it executes the host program directly. Infecting Procedure: The virus infects files through AH=4B in INT 21h. When an uninfected program is executed, it becomes infected. Damage: None Detection Method: Detectable if the files increase by 1013-1028 bytes. Notes: The virus does not hook INT 24h. An error message appears when I/O errors occur.
Virus Name: Fattable Virus Type: Parasitic Virus Virus Length: 6542 bytes PC Vectors Hooked: None Executing Procedure: 1) Fattable searches for a '*.*' file in the current directory and then creates a file of the same name to overwrite the original. The new file is 15 bytes long, and contains "FAT TABLE ERROR."(text file). The virus continues to search and infect until all the files in the current directory are overwritten. Notes:
1) Non memory resident.
2) The virus does not hook INT 24h when infecting files. An error message appears when I/O errors occur .
Virus Name: Fri-13-D Virus Type: File Infector (.COM files) Virus Length: 416 bytes Executing Procedure: When an infected program is executed, Fri-13D infects all .COM files but the COMMAND.COM file on the current directory (it will not reinfect the same file). If the current system date is a Friday the 13th, the .COM files delete themselves and then go back to the original routine. Damage: An infected program will delete itself when you run it on a Friday coincident with the 13th day of the month. Detection Method: 1) Date and time of infected files are changed. 2) Infected files will increase in size by 416-431 bytes.
Virus Name: Filler Virus Type: File Infector Executing Procedure: While it is being executed, Filler writes some rubbish into some sectors on A diskette. It does no other damage. Damage: Destroys some sectors on A disk (from 0 side, 28 track, 1 sector, damages 8 sectors).
Virus Name: Flower Virus Type: File Infector (.EXE files) Virus Length: 883 bytes Executing Procedure: Flower first decodes its encoded section. 2) If the current date is November 11, Flower destroys the original program and goes back to run the original routine. 3) On other dates, it searches for the first uninfected program on the current directory and infects it. 4) It next searches for the first uninfected program on a root subdirectory and infects the one it finds, then goes back to run the original routine. Damage: When the virus breaks out, it will attach a little procedure to the original procedure to display a message (An English poem whose title is "FLOWER"). Then it destroys the original procedure by overwriting its front data. Notes: Date of infected files does not change but its time changes because the virus encoses the time to verify that this file is infected.
Virus Name: Fvhs Virus Type: File Infector (.COM and .EXE files) Executing Procedure: Infects all uninfected .COM and .EXE files on current and parent directories. It can infect three files at a time. Damage: It overwrites the original files with virus code. Notes: 1) Does not stay resident in memory. 2) An error message will appear when you write because INT 24h has not been hanged.
Virus Name: Freddy Virus Type: File Infector (.COM and .EXE files) Virus Length: 1870-1880 bytes Executing Procedure: 1) If, after checking, Freddy finds that it is not already resident in memory, it will stay resident in high memory, then hook INT 21h and go back to the original routine. Vectors Hooked: INT 21H(AH=4Bh) to infect files. If the program to be executed is an uninfected .COM or .EXE file, Freddy proceeds to infect it. It sometimes searches concurrently for other uninfected files to infect. Damage: None Notes: You will see an error message when writing because INT 24h has not been hanged. Detection Method: Infected file size increases by 1870 to 1880 bytes.
Virus Name: Fame Virus Type: File Infector (.EXE files) Virus Length: 896 bytes Executing Procedure: If, after checking, Fame finds that it is not resident in memory, it will stay resident in high memory, then hook INT 21h and go back to the original routine. Vectors Hooked: Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to prevent divulging its trace when writing. If the program to be executed is an uninfected .EXE file, Fame proceeds to infect it. Damage: None Detection Method: Infected file size increases by 896 bytes.
Virus Name: FAXFREE Virus Type: Infects .COM and .EXE files between 32 and 131,072 bytes long on the Partition record. Virus Length: 3 Kb Interrupt Vectors Hooked: INT 21h Infection Process: This virus can spread when you execute an infected program or boot the system with an infected disk. There are several methods of infection. When an infected program is executed in a clean system, the virus first removes the contents of the original partition sector of the hard disk to the last sector of the last side of the last cylinder. Then the virus copies itself in the last side of the last cylinder, beginning from the 9th last sector to the 6th last sector. These sectors are not marked as "bad sectors" and get overwritten by the virus. Damage: Hangs the system. Infected files will increase in length by 2048 bytes. Symptoms: When the virus wants to replace the original partition sector, it needs to decrypt some data which, after decryption, display the text string "PISello tenere fuori dalla portata dei bambini. PaxTibiQuiLegis.FaxFree!!" Notes: This virus doesn't infect files named as : "*AN.???" , "*OT.???" or "*ND.???" If the system date is between the 25th and 30th of April, the virus will hang the system. The virus uses a smart technique to avoid anti-virus Detection programs. When modifying the partition sector that is hooking int 01h, it will turn on a single step flag to get the original entry of DOS hooked. The virus then moves itself to the top of the MCB (Memory Control Block), and there decreases available memory by 3Kb. Fianlly, it hooks Int 13h and Int 21h and then run the original program.
Virus Name: Fish-1100 Virus Type: File Infector (.COM files) Virus Length: 1100 bytes Executing Procedure: If, after checking, the virus finds that it is not resident in memory, it will stay resident in high memory, then hook INT 21h and go back to the original routine. Vectors Hooked: Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to prevent divulging its trace when writing. If the program to be executed is an uninfected .COM file, the virus proceeds to infect it. Damage: None Detection Method: Infected file size increases by 1100 bytes.
Virus Name: Fish-2420 Virus Type: File Infector (.COM files) Virus Length: 2420 bytes Executing Procedure: If, after checking, the virus finds that it is not resident in memory, it will stay resident in high memory, then hook INT 21h and go back to the original routine. Vectors hooked: Hooks INT 21H(AH=4Bh) to infect files. First, it hangs INT 24h to prevent divulging its trace when writing. If the program to be executed is an uninfected .COM file, the virus proceeds to infect it. Damage: None Detection Method: Infected file size increases by 2420 bytes.
Virus Name: Flagyll Virus Type: File Infector (.EXE files) Executing Procedure: If, upon checking, the virus finds that it is not resident in memory, it will stay resident in high memory, then hook INT 21h and go back to the original routine. Vectors hooked: Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed is an uninfected .EXE file, the virus proceeds to infect it. Damage: It will overwrite original files with a virus code. Notes: You will see an error message when writing because INT 24h has not been hanged.
Virus Name: Finnish-357 Virus Type: File Infector (.COM files) Virus Length: 709 bytes Executing Procedure: If, after checking, the virus finds that it is not resident in memory, it will stay resident in high memory, then hook INT 21h.If the COMMAND.COM file that booted up the system has not been infected, Finnish-357 infects it and then goes back to the original routine. Vectors Hooked: Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed is an uninfected .COM file, the virus proceeds to infect it. Detection Method: Infected file size increases by 709 bytes.
Virus Name: Fob Virus Type: File Infector (.COM files) Virus Length: 1750-1950 bytes Executing Procedure: Fob searches for an uninfected .COM file on current directory, then infects it (infects only one file at a time). There is a 50% chance that virus will display a message asking the user to input the word "SLOVAKIA." The virus program will wait until the user inputs this word and then terminates the program. Damage: None Notes: 1) It does not stay resident in memory. 2) You will see an error message when writing because INT 24h has not been hanged. Detection Method: Infected files will ask the user to input words like "SLOVAKIA", and does not end until user has done so.
Virus Type : File Virus
Other Name :
Virus Length :
Place of Origin :
Int. Vectors Hooked : Int 21h
Infection Procedure:
The virus encrypts a data to 11D2:0059h to 937h reading : "COMMAND.COM *.COM *.EXE Freddy KRueGer 2.1 Hi Fridrik!", thus copying data from 11D2:0059 to 114D:0 to 13FFh, hooking interrupt 21. The virus infects Command.com, COM and EXE files. When the virus is loaded it hangs because it searches for the host to infect it. Infecting the host, it destroys the file.
Virus Infect Type : COM files
including COMMAND.COM
Virus Memory Type : MCB Type
The virus is a TSR program. After the virus is executed it immediately infects COMMAND.COM. Then it waits for another file to be executed to infect it. This virus only infects COM files. When one uninfected file is executed another COM file will be infected. Also, the virus doesn't re-infect infected files. Before the virus loads itself to memory, it checks first whether the virus is already in the memory.
Note :
The virus makes a smart move by hooking int 1 and 3 to fool the one debugging it.