Virus Name: 101 Virus Type: File Infector Virus Virus Length: 2560 bytes Executing Procedure: When all the files (COM and EXE) have been infected in the current drive, the virus will check the system date to determine whether it is a multiple of 9 (for example 9th, 18th, 27th). If "yes," all the text on the screen will be confused and down-shifted. If not the virus will modify the Boot Sector and continue to infect another drive. Damage: All the files (COM and EXE) will be infected and increased by 2560 Bytes. Infected file contains the string "VIRUS 101".
Virus Name: 1339 Other Names: Vacsina virus Virus Type: Parasitic Virus Virus Length: 1339 bytes Symptoms: Increases infected .COM file sizes by 1339 bytes, .EXE files by 1471 bytes. Infected files contain the word "VACSINA". Decreases the size of free RAM memory. Damage: No damage, no manipulation. Note: First the virus tests to determine if it is already in memory (it uses interrupt vector 31h for this purpose). If it is not in memory yet, it installs itself before the infected program (using MCB modification, it allocates 1344 bytes). After installation the virus monitors DOS EXEC function and infects all uninfected programs. This virus is one of a group of viruses which cooperates with each other. This group has every virus of its own level, a virus can remove some other Vacsina with lower level 10h. It can remove viruses with level less than 10h. To spread, a Vacsina virus uses direct interrupt 21h.
Virus Name: 1701/1704 Other Names: Raindrop virus Virus Type: Parasitic Virus Virus Length: 1701/1704 bytes Symptoms: Increases infected .COM file sizes by 1701/1704 bytes when the system date is between October and December, 1988. Five minutes after installation, virus will scan all the characters on screen and down-shift one by one as if it were raining. Damage: No damage. System will halt after virus is activated.
Virus Name: 1800 Other Names: Bulgarian virus, Sofia virus, Dark Avenger Virus Type: Parasitic Virus Virus Length: cca 1800 bytes Symptoms: Increases infected file sizes by cca 1800 bytes (in the case of EXE files it performs paragraph alignment). Decreases the size of free RAM memory. Infected files contain the following strings: "Eddie lives...somewhere in time!", "Diana P." a "This program was written in the city of Sofia (C) 1988-89 Dark Avenger". Damage: Virus reads the boot sector of the disk, and (offset 10, OEM decimal version) marks the number of programs in it which are run from the given disk MOD 16. If it is zero (after every 16 programs!!), it overwrites random cluster on the disk with part of its own code. The cluster number is then stored in the boot sector at the position at offset 8 (OEM main version). Modifies boot sector, then writes back on the disk.
Virus Name: 163 Virus Type: COM File infector Virus Length: 163 bytes Executing Procedure: It will infect first uninfected COM file on current directory. If there are no COM files on the current directory or it has infected one, go back to original routine. Damage: None Note:
The method of infection is: (1) Move the first 163 bytes of original file to the end. (2) Write virus codes into its first 163 bytes so that the original file is destroyed if it is less than 163 bytes. 2) Does not infect same file again. 3) Date and time of infected files do not change. Detection Method:
1) Infected files will increase by 163 bytes. 2) Check for the presence of "*.COM" in the 19Dh byte of a file.
Virus Name: 17690 Virus Type: EXE File infector Virus Length: 17690 bytes Executing Procedure: 1) There is a 10% chance that the virus will infect a file. The method of infection is: Virus searches for an EXE file on diskette A. Next, it renames this file and creates a new COM file with the same name as the original EXE file. This new COM file is the virus. 2) When the virus does not infect files, it will execute the program that has been renamed. The user will not see any unusual manifestation. Damage: None Detecting Method: Infected file size increases by 17690 bytes.
Virus Name: 1720 Virus Type: COM File infector Virus Length: 1723 bytes Executing Procedure: Virus checks to see whether it is resident in memory. If not, it will stay resident in high memory. Next, it hooks INT 21h and goes back to the original routine. Vectors hooked: Hooks INT 21H(AH=4Bh) to infect files. First, it will hang INT 24h to prevent divulging its trace when writing. If the program to be executed is an uninfected COM file, the virus proceeds to infect it. Damage: None Detection Method: The infected file size increases by 1723 bytes.
Virus Name: 17-768 Virus Type: Virus Infects .COM and .EXE files shorter than 59920 bytes. Memory resident. Virus Length: 768 (300h) bytes on File and . 800 (320h) bytes in memory. Interrupt Vectors Hooked: INT 09h and 21h. Infection Process: This virus is a variant of the November-17th virus. If the system date is equal to 17 November, and the value of [40:46E] is not the same as the virus backup value of [40:46E] when the virus resident, it will destroy the current disk beginning from sector 1 to sector 8. The first time a program infected with November 17th is executed, the virus will install itself as memory resident at the top of system memory but below the 640K DOS boundary. Damage: Virus destroys sectors 1 through 8 in the current disk. By progressive action, the virus will insert garbage into these sectors when the date is the November 17. Symptoms: File size increase of 855 bytes. Available free memory decreases by 896 bytes. Note: The November 17th virus was received in January, 1992. Its origin or point of original isolation was originally unknown, but it has since been reported as being widespread in Rome, Italy in December 1991. November 17th is a memory resident infector of .COM and .EXE programs, including COMMAND.COM.
Virus Name: 1241 Virus Type: COM & EXE File infector Virus Length: 1560-1570 bytes Executing Procedure: Virus checks to see whether current calendar date is later than November 13, 1990 . If it is, the virus displays the following message: "St Cruz, Dili, 1991 Nov 12. Lusitania Expresso, Freedom for East Timor !", then reboots system. Otherwise, it will check to see whether it has stayed resident in memory. If not, it will stay resident in high memory. Then it hooks INT 21h and goes back to original routine. Vectors hooked: Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed is an uninfected .COM or .EXE file, the virus proceeds to infect it. Damage: None Detection Method: Infected file size increases by 1560-1570 bytes.
Virus Name: 104 Virus Type: COM File infector Virus Length: 400 bytes Executing Procedure: Checks to see if it has stayed resident in memory. If not, it will stay resident in high memory. Then it hooks INT 21h and goes back to the original routine. Vectors hooked: Hooks INT 21H(AH=4Bh) to infect files. If the program to be executed is an uninfected COM file, the virus proceeds to infect it. Damage: None Note: You will see an error message when writing because INT 24h has not been changed. Detection Method: Infected file size increases by 400 bytes.