       A description of PC viruses and their symptoms - Jan. '90

This document lists the viruses recognized by F-PROT at the time of writing.
Since new viruses are continually appearing, this document will never be
completely up to date.  A short description of the viruses follows, but
it is far from complete.

As described in VIRDOC.TXT, there are two different types of viruses.
The list of known Boot Sector Viruses (BSV) now includes:

                 Alameda (Yale)
                 Brain
                 Den Zuk/Ohio
                 Disk Killer (Ogre)
                 E.D.V.
                 New-Zealand (Stoned)
                 Pentagon
                 Ping-Pong/Typo
                 Swap (Fallboot)

Then we have the following program viruses:

                 1260
                 405
                 4096
                 Agiplan
                 Alabama
                 Amstrad/Pixel
                 April 1.
                 Cascade
                 Dark Avenger (Eddie)
                 DataCrime
                 DataCrime II/DataCrime II-B
                 dBase
                 December 24th
                 Devil's Dance
                 Eddie II
                 Fumble
                 Fu Manchu
                 Ghost
                 Hallöchen
                 Icelandic/Icelandic II/Saratoga
                 Jerusalem/New Jerusalem/Century/Sunday
                 Lehigh
                 MIX1
                 Number of the Beast
                 Old Yankee
                 Oropax
                 Perfume
                 South African "Friday 13."
                 Stupid (Do-Nothing)
                 Sylvia
                 SysLock/Macho/Advent
                 Taiwan
                 Traceback/2930
                 Vacsina and Yankee Doodle
                 Valert
                 Vcomm
                 Vienna/Lisbon/New Vienna
                 Virus-90
                 W13
                 Zero Bug (Palette)

My description of some of the viruses is very short, simply because I
have not examined them in detail.

A few additional viruses have been reported, but are not recognized by
the F-PROT package.  They are:

AIDS and several other related Pascal viruses.  These viruses are very
        rare and not a serious threat.  They overwrite the programs they
        infect, which makes them far too obvious to spread.  The AIDS
        virus is not to be confused with the AIDS Trojan, which is
        totally unrelated.

Nichols and Missouri. Two boot sector viruses that I have not been able
        to obtain a copy of yet.  As a matter of fact, it is not even
        certain that they exist at all.  F-DRIVER should be able to stop them,
        but I will update F-DISINF to recognize them as soon as possible.

Screen. A program virus that has been reported, but I have not yet been
        able to obtain a sample of it.

It must be noted here that F-PROT will provide some protection against
viruses not yet written.  The programs in the package will not, however,
be able to remove a virus they do not recognize.

Now, let's have a look at the viruses mentioned above.


                        Alameda (Yale)

One of the oldest viruses around.  It was first found in California in April
'87.  It replaces the original boot sector with itself and stores the original
boot sector on track 39, head 0, sector 8.  This sector is generally not
used unless the diskette is almost full.

The first version of the virus contained a POP CS instruction, which
only exists on 8088 and 8086 machines.  This was "fixed" later, so the
virus worked correctly on '286 and '386 machines.

Since this virus is so old, several variants have been reported.  Some of
them are reported to format the hard disk, when they have infected a
predetermined number of diskettes.

All variants of the Alameda virus replicate only when Ctrl-Alt-Del is
pressed.

Alameda was probably written on an old IBM PC, by a rather lousy programmer,
using the A86 assembler.


                                Brain

This is the oldest PC virus known, first detected in January '86. Several
variants of this virus are known, but most of them are fairly harmless.  This
virus is rather large and most of it is located in sectors that are marked as
"bad" in the FAT.

Before this virus infects diskettes, it looks for a "signature".  This
makes it possible to "inoculate" against it, just by putting the
signature in the correct place in the boot sector.  F-INOC does just that.

The Brain virus tries to hide from detection by hooking INT 13.  When an
attempt is made to read an infected boot sector, Brain will show you the
original boot sector instead.  This means that if you look at the boot
sector using F-BOOT or any similar program while the virus is active in
memory, everything will look normal.

The major effect of this virus is a (fairly harmless) change of the
volume label.  It usually becomes

                        (c) Brain

but one variant of the virus changes the text into

                        (c) ashar

One of the most interesting details regarding the Brain virus is the
following text, which appears inside it:

        Welcome to the Dungeon
        (c) 1986 Basit & Amjad (pvt) Ltd.
        BRAIN COMPUTER SERVICES
        730 NIZAB BLOCK ALLAMA IQBAL TOWN
        LAHORE-PAKISTAN
        PHONE :430791,443248,280530.
        Beware of this VIRUS....
        Contact us for vaccination............  $#@%$@!!

In another version of the virus, the text looks like this:

        Welcome to the Dungeon
        (c) 1986  Brain & Amjads (pvt) Ltd.
        VIRUS_SHOE RECORD v9.0
        Dedicated to the dynamic memories
        of millions of virus who are no longer with us today -
        Thanks GOODNESS!!
        BEWARE OF THE er..VIRUS :This program is catching
        program follows after these messeges.....  $#@%$@!!

These messages have led to considerable speculation regarding the
possible author(s) of the virus.

One harmful variant has been reported, which will attack on May 5. 1992.


                             Den Zuk

This virus seems to have been originally written as an anti-virus,
designed to seek out and destroy copies of the Brain virus.  If it finds a
Brain-infected diskette, it will remove the infection, and replace it
with a copy of itself.  This virus hides on track 40 on diskettes, but
normally 360K diskettes only have tracks numbered 0 to 39.  This virus
does not infect 1.2M or 3.5" diskettes correctly, but will destroy data
on them.  The volume label "(c) Brain" on an infected diskette would be
changed to "YC1ERP".  A mysterious string, but with a simple
explanation.  YC1ERP is the call sign of a Radio Amateur in Indonesia
who is suspected of being the author of "Den Zuk" and "Ohio".

On a computer infected with this virus, pressing Ctrl-Alt-Del will not
result in a simple reboot.  Instead the text "DEN ZUK" will appear on the
screen for a fraction of a second.  Then the computer will appear to
reboot, but the virus will remain in memory.

Pressing Ctrl-Alt-F5 will produce a "true" reboot.

The Ohio virus is presumably an older version of this virus and seems to
be written by the same person.  Den Zuk will also remove the "Ohio" virus
if it is found.


                            Disk Killer

A recent, rather nasty virus that seems to have originated in the U.S.
It contains an infection counter that is incremented each time a new
diskette is infected.  When a certain number of infections is reached, the
following message will be displayed:

Disk Killer -- Version 1.00 by COMPUTER OGRE 04/01/1989

Warning !!

Don't turn off the power or remove the diskette while Disk Killer is Processing!

PROCESSING

I hope you will never see this message - it sure means trouble, namely
that the virus has started to encrypt all the data on the hard disk (using a
simple XOR method).  When it has finished, it will display this message: 

Now you can turn off the power

I wish you luck !

If you see this message, start looking for a recovery program.  You can
of course reformat the disk and restore everything from a backup, but
that is not necessary: the virus only encrypts the data on the disk, it
does not destroy anything, so the data can be recovered.
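As an added example (Python, not part of this document or of the F-PROT
package), here is why an XOR-only "encryption" is recoverable without a
backup, and how the key can be found from known plaintext.  The cipher
model, a single repeating 16-bit word XORed over every sector, is an
assumption made for the demonstration; the text does not give Disk
Killer's actual keystream.  The disk image is constructed.  On a DOS hard
disk the first FAT sector begins with the media descriptor F8 FF FF and
the boot sector ends with the signature 55 AA, so a few ciphertext bytes
at those positions reveal the key, and a disagreement between the two
tells you the model does not fit.

```python
"""
Added example, not from the original document or F-PROT: recovering a disk
that has only been XORed with a repeating 16-bit key (an assumed model, not
Disk Killer's actual method).  The disk image below is constructed.
"""
import random

SECTOR = 512


def xor_keystream(data, key):
    """XOR data with the little-endian 16-bit key repeated; its own inverse."""
    k = key.to_bytes(2, "little")
    return bytes(b ^ k[i & 1] for i, b in enumerate(data))


def recover_key(cipher, known, offset):
    """Recover the 16-bit key from known plaintext bytes at `offset`.  Every
    known byte votes for its key byte (even offsets -> low byte, odd -> high);
    a disagreement means the repeating-XOR model does not fit this disk."""
    votes = [set(), set()]
    for i, p in enumerate(known):
        votes[(offset + i) & 1].add(cipher[offset + i] ^ p)
    if len(votes[0]) != 1 or len(votes[1]) != 1:
        raise ValueError("known plaintext inconsistent with a repeating 16-bit XOR key")
    return int.from_bytes(bytes([votes[0].pop(), votes[1].pop()]), "little")


def build_disk_image(seed=1989):
    """Constructed 4-sector 'hard disk': boot sector, one FAT sector, two data sectors."""
    rng = random.Random(seed)
    boot = bytes(rng.getrandbits(8) for _ in range(510)) + b"\x55\xaa"   # ends with 55 AA
    fat = b"\xf8\xff\xff" + bytes(SECTOR - 3)                             # F8 = fixed disk
    data = (b"Accounts payable, Q4 1989 ... (constructed file contents)\n" * 20)[:SECTOR]
    data2 = bytes(rng.getrandbits(8) for _ in range(SECTOR))
    return boot + fat + data + data2


def recover_disk(cipher_image):
    """Derive the key from the FAT sector, cross-check it against the boot
    signature, and return (key, decrypted image)."""
    key = recover_key(cipher_image[SECTOR:2 * SECTOR], b"\xf8\xff\xff", 0)
    check = recover_key(cipher_image[:SECTOR], b"\x55\xaa", 510)
    if key != check:
        raise ValueError("FAT and boot sector disagree on the key: not one repeating key")
    return key, xor_keystream(cipher_image, key)


if __name__ == "__main__":
    original = build_disk_image()
    scrambled = xor_keystream(original, 0xBEEF)        # what the virus leaves behind
    key, restored = recover_disk(scrambled)
    print(f"recovered key {key:#06x}, image restored: {restored == original}")
```

The same known-plaintext idea works for any position whose content is fixed
by the file system (FAT media descriptor, boot signature, the end-of-chain
markers in the FAT), which is why an XOR that does not destroy data is a
nuisance rather than a disaster.  If the two recovered keys differ, the
keystream is not a single repeating word and a different model is needed.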

Like many other viruses, Disk Killer hides in sectors it marks as "bad"
in the FAT.  The infection/replication mechanism is very similar to that
used by other boot sector viruses - despite some early reports that this
virus was somehow more advanced than the rest.  On a hard disk, the virus
will hide in the sectors just before the boot record.


                                 E.D.V.

Most boot sector viruses hide by lowering the amount of RAM visible to the
operating system and hiding in the free space they create.  E.D.V. is
different.  It searches for free RAM, starting at E800 and searching
downwards.  It is also unusual in one other way - on every timer tick it
will check whether ES or DS point to it, which may be the case if a
virus-scanning program like F-SYSCHK is running.  In that case a HLT
instruction is executed, which halts the computer.

Aside from this, the virus is fairly conventional.  It marks infected
diskettes with an "EV" at the end of the boot sector and stores the
original boot sector code in the last sector of the last track on 360K
diskettes, just like the Yale virus.

One encrypted text string is stored inside the virus code:

                    That rings a bell,no ? from Cursy


                            New Zealand (Stoned)

Some boot sector viruses, like Den Zuk, can only infect diskettes, but
others, like New Zealand, can also infect hard disks, where the virus
replaces the Partition Boot Record instead of the Boot Sector.

A computer infected with this virus will sometimes display the following
message when it starts.

                     Your computer is now stoned.

This virus seems to have been designed to be harmless, but due to a
mistake, it did not quite work out that way.  On an infected diskette, the
original boot sector is stored on track 0, head 1, sector 3.  This is the
last sector of the root directory on a 360K diskette, so this will work
unless the root directory contains more than 96 files, which is rather
unlikely.  Overwriting this sector on a 1.2M diskette is, however, much
more likely to cause damage.
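The arithmetic behind the last paragraph, and behind the hiding places
given above for Alameda (track 39, head 0, sector 8) and E.D.V. (last
sector of the last track), worked out as an added example (Python, not
part of this document or of the F-PROT package).  It uses the standard
DOS FAT12 layout of 360K and 1.2M diskettes and reports which on-disk
structure a given track/head/sector address falls in; the addresses are
the ones stated in the text, and Den Zuk's track 40 is included to show
that it lies outside the 360K geometry.

```python
"""
Added example, not part of the original document or the F-PROT package:
where the hiding places named in the text land on a DOS diskette.
Geometries and FAT12 layouts are the standard DOS values for 360K and
1.2M 5.25" diskettes (boot sector, two FAT copies, root directory, data).
"""
from dataclasses import dataclass

SECTOR_BYTES = 512
DIR_ENTRY_BYTES = 32
ENTRIES_PER_SECTOR = SECTOR_BYTES // DIR_ENTRY_BYTES   # 16


@dataclass(frozen=True)
class Geometry:
    name: str
    tracks: int          # cylinders, numbered from 0
    heads: int           # numbered from 0
    spt: int             # sectors per track, numbered from 1 on disk
    fat_sectors: int     # sectors per FAT copy
    root_entries: int    # root directory capacity


# Standard DOS BPB values for the two 5.25" formats.
FLOPPY_360K = Geometry("360K", 40, 2, 9, 2, 112)
FLOPPY_1200K = Geometry("1.2M", 80, 2, 15, 7, 224)


def chs_to_lba(geo, track, head, sector):
    """Linear sector number of a track/head/sector address, or ValueError if
    the address does not exist on this format (Den Zuk's track 40 on 360K)."""
    if not (0 <= track < geo.tracks and 0 <= head < geo.heads
            and 1 <= sector <= geo.spt):
        raise ValueError(f"{track}/{head}/{sector} is outside a {geo.name} diskette")
    return (track * geo.heads + head) * geo.spt + (sector - 1)


def layout(geo):
    """First and last linear sector of each FAT12 region on the diskette."""
    fat_first = 1                                   # sector 0 is the boot sector
    root_first = fat_first + 2 * geo.fat_sectors    # DOS keeps two FAT copies
    root_sectors = geo.root_entries * DIR_ENTRY_BYTES // SECTOR_BYTES
    data_first = root_first + root_sectors
    last = geo.tracks * geo.heads * geo.spt - 1
    return {
        "boot sector": (0, 0),
        "FAT": (fat_first, root_first - 1),
        "root directory": (root_first, data_first - 1),
        "data area": (data_first, last),
    }


def describe(geo, track, head, sector):
    """Return (region, lba, entries): the region the address hits and, for the
    root directory, the range of directory entries held by that sector."""
    lba = chs_to_lba(geo, track, head, sector)
    for region, (first, last) in layout(geo).items():
        if first <= lba <= last:
            entries = None
            if region == "root directory":
                first_entry = (lba - first) * ENTRIES_PER_SECTOR
                entries = (first_entry, first_entry + ENTRIES_PER_SECTOR - 1)
            return region, lba, entries
    raise AssertionError("every sector belongs to exactly one region")


if __name__ == "__main__":
    cases = [
        ("Alameda", FLOPPY_360K, (39, 0, 8)),
        ("New Zealand on 360K", FLOPPY_360K, (0, 1, 3)),
        ("New Zealand on 1.2M", FLOPPY_1200K, (0, 1, 3)),
        ("E.D.V.", FLOPPY_360K, (39, 1, 9)),
        ("Den Zuk", FLOPPY_360K, (40, 0, 1)),
    ]
    for name, geo, chs in cases:
        try:
            region, lba, entries = describe(geo, *chs)
        except ValueError as err:
            print(f"{name}: {err}")
            continue
        where = f", directory entries {entries[0]}-{entries[1]}" if entries else ""
        print(f"{name}: {geo.name} track/head/sector {chs} = sector {lba}, {region}{where}")
```

On a 360K diskette the New Zealand hiding place is sector 11, the seventh
and last root directory sector, holding entries 96-111; it is unused until
the directory has more than 96 entries, which is exactly the condition the
text states.  On a 1.2M diskette the same address is sector 17, the third
of fourteen root directory sectors, holding entries 32-47, so damage starts
as soon as the diskette holds more than 32 files.  Alameda's and E.D.V.'s
hiding places both fall in the data area at the very end of the diskette,
and track 40 does not exist in the 360K geometry at all.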


                             Pentagon

This virus does not work, so it will not be described here.  It originated
in the Philippines and was sent to the US and UK from there.


                             Ping-Pong

The Ping-Pong virus (also called "Bouncing Ball" or "Italian") is probably
the most common and best known boot sector virus.  This virus was first found
in Italy in March 1988, but now it is known all over the world.

An infected diskette will contain 1K in "bad clusters".

When this virus activates, a small "ball" starts bouncing around the
screen, but in most cases no serious damage occurs.

There is one small bug in the virus code, which causes a crash on '286
machines (and also V20, '386 and '486).  The reason is that the author
used the "MOV CS,AX" instruction, which only exists on '88 and '86
processors.  However, this has recently been "fixed".

One variant of this virus ("Typo") appeared in Israel.  There the effect of
the virus has been drastically changed.  Instead of displaying a bouncing
ball, the virus introduces typing errors in all text going out to the
printer.


                               Swap

The Swap virus does not really swap anything, so the name is a bit
misleading.  This boot virus from Israel is unusual in that it does not
store the original boot sector anywhere, but instead it just overwrites
the original boot sector with a short piece of code to load the rest of
the virus, which is stored on one of the last sectors on track 39.  A
similar method is used by the Alameda virus.

When this virus activates it is said to produce a display of falling
letters on the screen - similar to the Cascade virus, but I have not
seen this effect yet.


Now the program viruses.....
                    

                                    1260

This virus is based on the Vienna virus, but the author has made considerable
modifications to it.  The most significant change is that the virus is now
encrypted.  As the name indicates, the virus adds 1260 bytes to the files it
infects. The first 39 bytes contain a simple decryption routine, similar
to the one used by the Cascade virus. There is one important difference,
however.  A variable number of short (1- or 2-byte) instructions is added
between the decoding instructions.  The extra instructions do not affect the
operation of the virus - they are only placed there in an attempt to prevent
virus scanners from using identification strings.  This makes it a little
harder to detect the virus, but F-FCHK is nevertheless able to do it.
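A toy model of the technique described above, as an added example
(Python, not the 1260 virus's code and not the method used by F-FCHK): a
simple XOR decryptor is assembled from real 8086 opcodes, with one to
three do-nothing instructions inserted after every real instruction, the
way the text describes.  A contiguous search string for the decryptor then
fails on every generated copy, while a scanner that knows the pool of junk
instructions and skips them between the real ones still matches, and a
small emulator shows that the junk does not change what the decryptor
does.  The decryptor, key, junk pool and payload are all assumptions made
for the demonstration; the payload is a constructed stand-in for the
encrypted virus body.

```python
"""
Added example, not from the original document or F-PROT: a toy model of the
1260 technique.  A simple XOR decryptor built from real 8086 opcodes gets
1..3 do-nothing instructions after every real one; a contiguous search string
then fails, a junk-aware scanner still matches, and a small emulator shows the
junk changes nothing.  Decryptor, key, junk pool and payload are assumptions.
"""
import random
import struct

# Junk leaving AX, DI, CX and memory alone: NOP, CLC, STC, CLD, CMC, XCHG AX,AX
JUNK = (b"\x90", b"\xf8", b"\xf9", b"\xfc", b"\xf5", b"\x87\xc0")
# Contiguous string a naive scanner might use: XOR [DI],AX / INC DI / INC DI / LOOP
FIXED_SIGNATURE = b"\x31\x05\x47\x47\xe2"
# Junk-tolerant pattern: bytes match exactly, an int n skips n operand bytes,
# and any run of JUNK instructions may sit between tokens.
DECRYPTOR_PATTERN = [b"\xb8", 2, b"\xbf", 2, b"\xb9", 2, b"\x31\x05", b"\x47", b"\x47", b"\xe2", 1]
MOV_REG = {0xB8: "ax", 0xBF: "di", 0xB9: "cx"}     # MOV reg, imm16 opcodes
PAYLOAD = b"CONSTRUCTED SAMPLE BODY 0123456789"    # even-length stand-in body

def xor_words(data, key):
    """XOR every little-endian 16-bit word of data with key (self-inverse)."""
    out = bytearray(data)
    for i in range(0, len(out), 2):
        w = (out[i] | out[i + 1] << 8) ^ key
        out[i], out[i + 1] = w & 0xFF, w >> 8
    return bytes(out)

def build_sample(rng, payload, key, max_junk):
    """Return (image, decryptor_len): decryptor + XOR-encrypted payload, with
    1..max_junk junk instructions after each real instruction (0 = none)."""
    def junk():
        return b"".join(rng.choice(JUNK) for _ in range(rng.randint(1, max_junk) if max_junk else 0))
    out = bytearray(struct.pack("<BH", 0xB8, key) + junk())            # MOV AX, key
    di_at = len(out)
    out += struct.pack("<BH", 0xBF, 0) + junk()                        # MOV DI, start (patched below)
    out += struct.pack("<BH", 0xB9, len(payload) // 2) + junk()        # MOV CX, word count
    loop_top = len(out)
    for ins in (b"\x31\x05", b"\x47", b"\x47"):                        # XOR [DI],AX / INC DI / INC DI
        out += ins + junk()
    out += bytes([0xE2, (loop_top - len(out) - 2) & 0xFF])             # LOOP loop_top
    struct.pack_into("<H", out, di_at + 1, len(out))                   # encrypted body follows LOOP
    return bytes(out) + xor_words(payload, key), len(out)

def emulate(image, stop_ip):
    """Run the decryptor at offset 0 of image (a bytearray at address 0) until IP == stop_ip."""
    r, ip = {"ax": 0, "di": 0, "cx": 0}, 0
    while ip != stop_ip:
        op = image[ip]
        if op in MOV_REG:                                  # MOV reg, imm16
            r[MOV_REG[op]] = image[ip + 1] | image[ip + 2] << 8
            ip += 3
        elif op == 0x31 and image[ip + 1] == 0x05:         # XOR [DI], AX
            di = r["di"]
            w = (image[di] | image[di + 1] << 8) ^ r["ax"]
            image[di], image[di + 1] = w & 0xFF, w >> 8
            ip += 2
        elif op == 0x47:                                   # INC DI
            r["di"] = (r["di"] + 1) & 0xFFFF
            ip += 1
        elif op == 0xE2:                                   # LOOP rel8
            r["cx"] = (r["cx"] - 1) & 0xFFFF
            disp = image[ip + 1] - 256 if image[ip + 1] >= 128 else image[ip + 1]
            ip += 2 + (disp if r["cx"] else 0)
        elif op in (0x90, 0xF8, 0xF9, 0xFC, 0xF5):         # one-byte junk
            ip += 1
        elif op == 0x87 and image[ip + 1] == 0xC0:         # XCHG AX,AX
            ip += 2
        else:
            raise ValueError(f"unexpected opcode {op:#04x} at offset {ip}")
    return bytes(image[stop_ip:])

def skip_junk(code, pos):
    """Advance pos past any run of JUNK instructions."""
    step = next((len(j) for j in JUNK if code.startswith(j, pos)), 0)
    return skip_junk(code, pos + step) if step else pos

def match_at(code, pos, pattern):
    for tok in pattern:
        if isinstance(tok, int):      # operand bytes: never junk-skip here, since an
            pos += tok                # immediate may happen to look like a junk opcode
            continue
        pos = skip_junk(code, pos)
        if not code.startswith(tok, pos):
            return False
        pos += len(tok)
    return pos <= len(code)

def scan(code, pattern):
    return any(match_at(code, i, pattern) for i in range(len(code)))

def demo(seed=1990, key=0x1234):
    """Build one plain and one junked sample; report (plain, junked) results per method."""
    rng = random.Random(seed)
    plain, plain_len = build_sample(rng, PAYLOAD, key, max_junk=0)
    poly, poly_len = build_sample(rng, PAYLOAD, key, max_junk=3)
    return {
        "fixed_string_finds": (FIXED_SIGNATURE in plain, FIXED_SIGNATURE in poly),
        "junk_aware_finds": (scan(plain, DECRYPTOR_PATTERN), scan(poly, DECRYPTOR_PATTERN)),
        "decrypts_correctly": (emulate(bytearray(plain), plain_len) == PAYLOAD,
                               emulate(bytearray(poly), poly_len) == PAYLOAD),
    }
```

The point of the operand wildcards is that the scanner must not try to
skip junk inside an immediate: a key or offset byte can happen to equal a
junk opcode, and skipping it would throw the match off.  The same caution
applies to any pattern that allows variable filler between fixed bytes.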


                                     405

Unlike most other program viruses, this one will not increase the length
of infected programs, unless they are shorter than 405 bytes.  It will
overwrite the first 405 bytes of the files it infects.  Since this destroys
many programs, this virus is easily found, and therefore not a serious
threat.  The "405" virus will only infect .COM files, but it is unable to
recognize a file it has already infected.


                                     4096

The 4096 virus infects both .EXE and .COM files.  It is very advanced in
some ways, being able to hide the infection by using a method similar to
that used by the "Zero Bug" virus.  If the virus is active in memory and
you look at the directory, the virus will show you the original length of
any infected program. 

The length of infected files increases by 4096 bytes. This virus is also
known as "IDF" (Israeli Defense Forces).


                                     Agiplan

This virus has only been reported once. The person who reported it published
a search string, but has not responded to requests for a sample of the virus.
The report said that the Agiplan virus added 1536 bytes to the front of .COM
file, just like the "Zero Bug" virus.  The two viruses may be related, but it
is not certain.  Since I do not have a sample of the virus, I do not guarantee
that the programs will be able to stop it or remove it, but they should
be able to find it.

If you ever find a program reported by F-FCHK to be infected with AGIPLAN, I
would appreciate a copy of it.


                                     Alabama

This virus was first reported in Israel, but a text string inside it says:

    SOFTWARE COPIES PROHIBITED BY INTERNATIONAL LAW..............
    Box 1055 Tuscambia ALABAMA USA.

This message will also appear in a box on the screen one hour after an
infected program is run.

Like a few other viruses this one cannot be removed from memory by
pressing Ctrl-Alt-Del.  It will simply fake a "reboot" and remain in RAM.

Alabama will only infect .EXE files, increasing their size by 1560 bytes.

Unlike most other resident viruses, it will not automatically infect
every new program executed.  When a program is run, Alabama will instead
search for some other program to infect - probably so the program being
executed will get the blame....

Occasionally it will do something odd.  It will search for a file to
infect as described above, and execute it instead of the file the user was
planning to execute.  A bit weird ...!


                                Amstrad/Pixel

This virus is rather interesting.  It is a direct-action virus, that will add
847 bytes to the front of any .COM file it finds in the current directory.
The virus code itself is only around 334 bytes, which makes this one of the
shortest PC viruses known today.  The rest contains zeros and an advertisement
for Amstrad computers, which is occasionally displayed.  Until the virus
reaches the 5th generation, no effects are visible, but in generation 5
or later there is a 50% chance that the message will appear.  It has been
reported that this virus was also published in a magazine named "Pixel" in
the form of a BASIC program that would create an infected program when run.
This program contained a different message:

     "Program sick error: Call doctor or buy PIXEL for cure description"

Two other variants of this virus are now known, both from Bulgaria. The
major difference is in the length - 345 and 299 bytes.


                                April 1.

Here we actually have not one virus, but two different viruses, probably
written by the same author, somewhere in Israel.  One of them infects .EXE
files, the other .COM files.  The two viruses have the same effect, however.
On April 1st an infected computer will display the following message:

                 APRIL 1ST HA HA HA YOU HAVE A VIRUS.

The .COM virus is 897 bytes long, but the .EXE virus is a bit longer,
1488 bytes.

Those two viruses were later combined into one, called SURIV 3, which
evolved into the Jerusalem virus.


                                Cascade

The Cascade virus, also known as 1701 or 1704, is probably one of the
most common viruses around.  The problem is just that it is often not
detected, because it produces no obvious effects.  In the original
version, the virus contained code that was set to "go off" between
Oct 1. and Dec 31. 1988, shortly after an infected program is run.
The effect is actually quite amusing - the characters on the screen fall
down and end in a heap at the bottom.

There is a bug in some versions of the virus - it seems that the author
intended the virus to infect all computers, except those from IBM.
However, it did not work as planned - the virus would also infect "true"
IBM machines.

There is one variant of this virus, reported as 17Y4, which is almost
identical to the most common 1704 variant.  One byte has been changed,
probably due to a random "mutation".  This, however, has resulted in a
"bug" in the virus.  Another mutated variant is also known - it infects
the same file over and over.


                                  Dark Avenger

This virus contains two interesting text strings:

                     "Eddie lives...somewhere in time"
and

   "This program was written in the city of Sofia (C) 1988-89 Dark Avenger"

"Eddie" is probably the skeleton mascot of the heavy metal band "Iron Maiden".
Since the first reports of the virus came from Bulgaria, the second statement
is probably true.

Apart from this, there is only one thing unusual about this virus.  It
remains resident, like many other viruses, but it will not only infect a
program when it is run, but also when the program file is read.  This
means that a harmless program that opened each .EXE and .COM file in
turn, for example to check them for infection, could easily cause an
"epidemic".

The virus will infect .EXE and .COM files, adding 1800 bytes to the
length.  COMMAND.COM will be one of the first programs to become
infected.

When an infected program is run, there is a 1-in-16 chance that the virus
will trash a random disk sector. 

One 2000 byte variant is known. It is also from Bulgaria, probably
written by the same author as the original one.  It has been improved a
bit - you won't see an increase in file length when you issue a DIR
command.

Inside the virus one finds the string:

                      Copy me - I want to travel

The virus author also included the following string in the virus:

                 Copyright (C) 1989 by Vesselin Bontchev

Vesselin Bontchev, however, is a Bulgarian author of anti-virus programs,
and has nothing to do with the creation of the virus.  The reason this
message appears is that the virus searches for it in every program
executed, and halts the computer when it is found.


                                   DataCrime

The DataCrime virus was probably written in W. Germany or the Netherlands.
It caused much panic around Oct. 13th 1989 when it was set to go off.  Any
infected program run on Oct. 13 or later in the year would format the
first nine tracks of the hard disk and display the message

                 DATACRIME VIRUS RELEASED: 1 MARCH 1989

Since this virus is currently very rare, it is not a serious threat, but
it could become a problem in the future.

The two variants of this virus, 1280 and 1168, were practically equivalent,
but another virus, called "DataCrime II", also exists.  It infects .EXE and
.COM files, whereas the original "DataCrime" could only infect .COM files.
DataCrime II is also a bit larger, 1514 bytes long, and more complicated
than the original virus.  The latest variant, called DataCrime II-B, is
very similar to DataCrime II, but is only 1480 bytes long.


                               dBase

The dBase virus is very rare, but rather curious.  It is clearly intended
to garble dBase files, or rather any file with a name that ends in .DBF.

If the virus is active in memory when a program writes to a .DBF file, it
will garble all the outgoing data.  However, when the data is read back
later, the virus will correct the garbled data.

There is just one problem.  If the virus is detected and removed, the data
will be useless because the virus will not be present to "de-garble"
it when it is read back.

There is a more harmful side to this virus.  If an attempt is made to
write to a .DBF file that is more than three months old, the virus will
try to destroy the FAT and root directory on drives D:, E: .... Z:.
There is a bug in the code, however, so the destruction will be rather
unpredictable.

The dBase virus will only infect .COM files, increasing their size by
1864 bytes.


                                December 24th

This virus was discovered in Iceland on Dec. 24th 1989.  Several computers
refused to run any programs at all on that date, but simply displayed the
message "Gleðileg jól" ("Merry Christmas") instead.  The virus is a variant
of the Icelandic-2 virus, but with several minor corrections and modifications.

One out of every ten programs run is checked to see if it is a non-infected
.EXE file. If so, the virus adds 848-863 bytes to the file.


                                 Devil's Dance

A simple .COM infector reported to have originated in Spain or Mexico. It
adds 951 bytes to the end of any file it infects.


                                  Eddie II

A fairly harmless virus from Bulgaria - called "Eddie II" because it
contains the string "Eddie lives".  This string is similar to the string
contained in the "Dark Avenger" virus.  Eddie II can infect .EXE files
as well as .COM files, but unlike most other .EXE infecting viruses, it
does not pad them so their length becomes a multiple of 16 bytes before
they are infected.  Infected files are marked with a value of 62 in the
"seconds" field of the timestamp, which makes them immune to infection by
Vienna or Zero Bug.  Infected files grow by 651 bytes, but this increase
will not be seen if a "DIR" command is given, because the virus intercepts
the "find-first" and "find-next" functions, and if the "seconds" field
contains 62, the virus will decrement the file length by 651.  Apart
from this the virus does nothing of interest.
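The timestamp marker and the directory stealth described above, as an
added example (Python, not part of this document or of the F-PROT
package).  DOS packs a file's time into 16 bits: hours (5 bits), minutes
(6 bits) and seconds divided by two (5 bits), so a stored value of 31
decodes to 62 seconds, a time that cannot occur and that DIR never shows
because it prints only hours and minutes.  The code builds a few
constructed directory entries in the real 32-byte FAT format, marks one
the way Eddie II does, shows what a find-first/find-next listing looks
like while the virus is resident, and runs the check a clean-booted
system can make: any seconds field decoding to 60 or more is a marker,
not a time.

```python
"""
Added example, not from the original document or F-PROT: the "62 seconds"
infection marker in the DOS directory time field (used, per the text, by
Eddie II, Vienna and Zero Bug), the directory stealth built on it, and a
clean-boot check that spots it.  The directory entries are constructed.
"""
import struct

EDDIE2_GROWTH = 651                   # bytes Eddie II adds, per the text
MARKER_SECONDS = 62                   # stored as 31 in the 5-bit seconds/2 field
# FAT directory entry: name(8) ext(3) attr(1) reserved(10) time(2) date(2) cluster(2) size(4)
DIR_ENTRY = struct.Struct("<8s3sB10sHHHI")


def pack_dos_time(hour, minute, second):
    """DOS 16-bit time: hhhhh mmmmmm sssss, with seconds stored halved."""
    return (hour << 11) | (minute << 5) | (second // 2)


def unpack_dos_time(word):
    return (word >> 11) & 0x1F, (word >> 5) & 0x3F, (word & 0x1F) * 2


def mark_infected(time_word):
    """Set the seconds field to 62; hours and minutes, all that DIR shows, are unchanged."""
    return (time_word & ~0x1F) | (MARKER_SECONDS // 2)


def is_marked(time_word):
    return unpack_dos_time(time_word)[2] == MARKER_SECONDS


def make_entry(name, ext, size, time_word, date_word=0x1361):   # 0x1361 = 1989-11-01
    """Constructed 32-byte directory entry with the archive attribute set."""
    return DIR_ENTRY.pack(name.ljust(8).encode(), ext.ljust(3).encode(),
                          0x20, b"\0" * 10, time_word, date_word, 2, size)


def parse_directory(raw):
    """Yield (filename, size, time_word) for each used entry in a directory sector."""
    for off in range(0, len(raw) - DIR_ENTRY.size + 1, DIR_ENTRY.size):
        name, ext, _attr, _res, t, _date, _cluster, size = DIR_ENTRY.unpack_from(raw, off)
        if name[0] in (0x00, 0xE5):                      # never used / deleted
            continue
        yield f"{name.decode().rstrip()}.{ext.decode().rstrip()}", size, t


def stealth_listing(entries):
    """What find-first/find-next return while Eddie II is resident: marked
    files are reported 651 bytes shorter than they really are."""
    return [(n, s - EDDIE2_GROWTH if is_marked(t) else s) for n, s, t in entries]


def suspicious_entries(entries):
    """Clean-boot check: a time field decoding to 60 seconds or more is not a
    real time, so it is a marker left by a virus (or by a tool imitating one)."""
    return [n for n, s, t in entries if unpack_dos_time(t)[2] >= 60]


SAMPLE_DIRECTORY = (                  # constructed directory sector fragment
    make_entry("CLEAN", "COM", 1000, pack_dos_time(12, 34, 56))
    + make_entry("HELLO", "EXE", 5000 + EDDIE2_GROWTH, mark_infected(pack_dos_time(8, 15, 0)))
    + make_entry("TOOL", "COM", 2048, pack_dos_time(9, 0, 30))
)

if __name__ == "__main__":
    entries = list(parse_directory(SAMPLE_DIRECTORY))
    print("real sizes:     ", [(n, s) for n, s, t in entries])
    print("with virus live:", stealth_listing(entries))
    print("marked entries: ", suspicious_entries(entries))
```

The marker is what lets a resident virus recognize its own victims with a
single directory-entry field, and it is also what gives a clean-booted
scanner an easy handle: the listing a resident Eddie II returns is exactly
651 bytes short for every marked file, so comparing sizes from a clean boot
against the infected system's DIR output exposes the stealth as well.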


                                  Fu Manchu

The author of the Fu Manchu virus seems to have intended to write one of
the most humorous viruses around.  He started with the Jerusalem virus,
removed the harmful part of it and added several new features:

The virus will censor the text the user types, deleting two four letter
words.

It will also take action if the user types "Thatcher", "Reagan", "Botha",
or "Waldheim".  In those cases it will add comments to the text.

When Ctrl-Alt-Del is pressed, the virus will display the message

                 The world will hear from me again!

In other respects the virus is similar to the Jerusalem virus.  It will
infect both .EXE and .COM files, making them grow by about 2086 bytes.

 
                                   Fumble
 
The "Fumble" virus is a small, memory resident .COM infecting virus that
will generate typing errors, every now and then.  That is, if you press
the "R" key for example, it will occasionally insert another letter like
"E" in the text instead.  The only unusual feature of this virus is that it
will only infect programs on odd-numbered days.

Infected .COM files grow by 867 bytes.


                                   GhostBalls

This virus was written in Iceland and first discovered there in October
1989.  It contains the following text strings:

                   GhostBalls, Product of Iceland
                   Copyright (c) 1989, 4418 and 5F19

It will infect .COM files, making them grow in size by 2351 bytes.
Basically it is just the Vienna virus - the variant in the book by Ralf
Burger to be specific, with an extra twist.  When an infected program is
run, the virus will search for other programs to infect, but also try to
place a modified copy of the Ping-Pong virus on the diskette in drive A,
provided it is a 360K diskette.  This Ping-Pong variant has been changed,
so that it is not infectious, but it will also work on a '286 machine.


                               Hallöchen

This is a .COM and .EXE infector, probably written in W. Germany.  It
contains two text strings:

                     Hallöchen !!!!!!, Here I'm..

                         Acrivate Level 1..

This virus is a bit unusual in some ways - for example it will not infect
"old" files.  If the value of the "month" or "year" fields in the
timestamp is different from the current date, the file will not be
infected.

The virus does not modify the file's date when it infects a file,
and like most other viruses it is easily able to defeat the read-only
attribute.  It will only infect files larger than 5000 bytes, increasing
their length by 2011 bytes.


                               Icelandic

This virus was first found in Iceland in June '89.  It only infects files
with names ending in .EXE.  When an infected program is run, it will hide
in memory by directly manipulating the Memory Control Blocks.  Programs
that watch out for any program "going TSR" will therefore not be able
to catch it.

This virus will mark one cluster on the hard disk as bad, every time it
infects a file.

A minor variant of this virus was later found in Saratoga, and a radically
modified version appeared in Iceland in July '89.  This new version
(Icelandic-2) does not use INT 21 calls like the original, but instead
makes direct JMPs into the operating system.  This means that many
protection programs will be unable to catch it.  Icelandic-1 is 642 bytes
long, Saratoga is 632 bytes, but Icelandic-2 adds 661 bytes to any file it
infects.  Actually the file may grow a bit more, because all three viruses
first pad the file so its length becomes a multiple of 16 bytes.


                      Jerusalem (Israeli "Friday 13.")

The Jerusalem virus is one of the oldest and most common viruses around.
As a result there are numerous variants of it.  It will infect both .EXE
and .COM files, but the first version of the virus contained a bug,
causing it to infect .EXE files over and over, until they became too
large for the computer.  Needless to say, this has been fixed in later
releases, including one called "New Jerusalem".  Infected files grow by
1808 bytes or so.

The original Jerusalem virus would activate on every Friday the 13th,
deleting programs run on that day.  30 minutes after an infected program is
run, the virus will also cause a general slowdown of the computer and make a
part of the screen scroll up two lines.  This has been disabled in some
variants of the virus, which makes them much harder to detect.

The first variant of the virus (sURIV 3.00) produced the side-effects
described above 30 seconds after an infected program was run. 

One variant, "Century" will become active on Jan 1. 2000.  It will try to
delete everything that can be deleted and then display the message

                        Welcome to the 21st Century

The programmer does not seem to have known that the 21st century does not
start until a year later.

The "Sunday" virus is another variant of the Jerusalem virus.  Instead of
activating on Friday the 13th, it will activate if the current day of the
week is Sunday and display the message:

                Today is SunDay! Why do you work so hard?
                All work and no play make you a dull boy!
                Come on! Let's go out and have some fun!

Apart from this the viruses are very similar.


                                Lehigh

The Lehigh virus is rather unusual in that it only infects one program,
COMMAND.COM.  It does not increase the size of the program, because it
overwrites the stack space.  This virus is rather badly written - it can
be defeated by simply making COMMAND.COM read-only.  It is, however, very
destructive.  "Lehigh" contains an infection counter and when it has reached
a specific number of infections it will trash the disk.  This means that the
virus never got a chance to spread much outside Lehigh University.


                                  MIX1

MIX1 was probably written in Israel, but it is derived from the Icelandic
virus. There are two versions known, MIX1 and MIX1-B, practically identical.
MIX1 displays a bouncing ball on the screen, and garbles all output going
to the printer.  It will also disable the NumLock key. MIX1 is larger than
the Icelandic virus - 1618 or 1636 bytes, depending on the version.  

One unusual "feature" of MIX1 is that it will only infect files 8192 bytes
long or larger.


                         Number of the Beast

Like quite a few other viruses, this one was first reported in Bulgaria.
It is 512 bytes long, but the length of infected files does not appear
to increase.  This is because the virus overwrites the first 512 bytes of
the programs it infects with itself, and stores the original 512 bytes
in the unused space after the end of the file.  This is possible because
DOS allocates file space in "clusters", which are usually 1024 or 2048
bytes long.

In addition, if a program attempts to read from an infected file, while
the virus is active in memory, the read operation will be intercepted and
instead of finding the virus, the original code will be read instead.

This means that the virus will be able to fool any checksum program, as
well as any virus-scanning program, if it is active in memory when the
program is run.  It does not matter how sophisticated the checksum
algorithm is - if the virus is active in memory, no infected program
can be detected.  A check for this virus is therefore only meaningful
after booting from a clean, write-protected system diskette.  F-DRIVER
will, however, stop the virus.

At the end of the virus code, the string "666" appears - hence the name.


                              Old Yankee

There is some confusion regarding the various "Yankee Doodle" viruses.
They all originated in Bulgaria and play the tune "Yankee Doodle", but their
structure is different.  This is the first one.  It only infects .EXE files, 
increasing their length by 1961 bytes.  When an infected program is run,
the virus will search for a non-infected file.  When it has been
infected, the virus plays the melody, before the original program is
executed.  At the very end of the virus, the word "motherfucker" appears.


                                Oropax

This virus probably originated in W. Germany.  It is not very harmful -
when it activates it will just repeatedly play three melodies. The virus
infects .COM files, other than COMMAND.COM.  Infected files grow by
2756-2806 bytes, becoming a multiple of 51 bytes in length.  This virus
stays resident in memory, but it will not infect other programs when they
are executed.  Instead it will search for a file to infect when files are
created or deleted, a subdirectory is created or the access mode of a
file is changed.  A few other functions may also trigger an infection.

The virus uses a random number generator to decide when to become active,
and if it does, it will start playing 5 minutes after an infected program
is run.

                             Perfume

A .COM infecting virus of German origin, that will sometimes ask the user a
question and not run the infected file unless the answer is "4711", which
is the name of a perfume.  This virus will look for COMMAND.COM and infect it
unless it is already infected.  Infected files grow by 765 bytes.  In the
most common variant of the virus the questions have been overwritten with
garbage.


                      South African "Friday 13."

This is one of the oldest viruses around, but it is still very rare.  It
is a "direct action" virus, that will seek out one or more programs to
infect, every time an infected program is run.  It will only infect .COM
files, which grow by 415-544 bytes, depending on the variant in question.
The original virus is 419 bytes long.  Like the Lehigh virus it can be
stopped simply by making .COM files read-only.  Most other viruses are not
bothered by this, however.


                           Stupid (Do-Nothing)

The "Do-Nothing" or "Stupid" virus is not a well written one.  In fact it
is so badly written that in many cases it will simply cause the system to
"hang", instead of properly infecting it.  It seems that this virus was
created by a lousy programmer, somewhere in Israel.  It is not a serious
threat.  It will only work on machines with at least 640K of memory,
because it always tries to hide itself at the same address, starting at
9000:0000.  This virus infects .COM files, which grow by 583 bytes.  The
original infected program distributed by the author contained the string:

                        (c)Stupid 1989 Virushmock!


                               Sylvia

This virus is a bit unusual, to say the least.  It contains the following
message:

              This
                 program
                        is
                          infected
                                  by
                                    a
                                     HARMLESS
                                             Text-Virus V2.1

             Send a FUNNY postcard to : Sylvia Verkade,
                                        Duinzoom 36b,
                                        3235 CD Rockanje
                                        The Netherlands.

             You might get an ANTIVIRUS program.....

It will display this message when an infected program is executed, but if
the above text is tampered with, the following message, (which is stored in
an encrypted form) will appear instead:

                     FUCK YOU LAMER !!!!

                     system halted...$

Some people have a weird sense of humor...

As the text above indicates, the virus originated in the Netherlands.
When an infected program is run, the virus will seek out up to 5 .COM files
to infect.  It will search drive C: and the current drive.  The three system
files, COMMAND.COM, IBMBIO.COM and IBMDOS.COM are not infected.  The virus
adds 1301 bytes to the beginning of the files it infects (and also 31 bytes
to the end), but does no other damage.  The girl mentioned above exists,
but she says that she has no idea who the author is.  It is very likely that
he knows her, though.


                               SysLock

The SysLock virus infects .EXE and .COM files.  It is a "Direct Action"
virus that will search for files to infect when an infected program is
executed.  The virus will first modify the length of any program it
infects, so that it becomes a multiple of 16 bytes.  Then the virus code,
3551 bytes, is appended to the file.

One unusual "feature" of this virus is that it will search the disk for
the string "Microsoft" and change it into "MACROSOFT". The virus will not
infect programs if the environment contains SYSLOCK=@.

Three other variants of this virus are known.  Two are called "Macho",
since they both will change the string "Microsoft" into "MACHOSOFT".  One
is very close to the original virus, the other a bit different.  The third
variant, "Advent" will activate in December and then play "Oh, Tannenbaum".


                                 Taiwan

This virus seems to have appeared in Jan '90. It is a direct-action .COM
infector, that adds 708 bytes to the front of any file it infects, but it
also adds 395 bytes to the end.  This virus often destroys the files it
infects, making infected programs "hang" when run, so it is easily
detected.


                                Traceback

The "Traceback" virus produces a screen display similar to that produced
by the Cascade virus.

There are of course differences, since the viruses are totally unrelated.
Every file infected with "Traceback" contains the name of the file that
infected it.  This makes it possible to trace the path of the infection.

Another difference is that it is possible to make the characters "jump"
back up, by pressing keys on the keyboard, after all the characters on
the screen have fallen down.

There are two variants known of this virus, but the size is the only
significant difference.  The original virus is 3066 bytes long, but the
variants are 2930 and 3031 bytes long.


                        Vacsina and Yankee Doodle

A programmer in Bulgaria has written a number of viruses - 50 different
variants or so. Two of the variants, number 5 and 39, "escaped" to the
West in 1989.  One of the features of the viruses in this family is that they
contain a version number system, similar to that used in the "Den Zuk"
virus. If a virus in the family finds a file infected with an older version
of itself, it will remove the infection and re-infect with the new version.

A number of the variants play the tune "Yankee Doodle", but the viruses
are not to be confused with the original "Yankee Doodle" virus, which is
called "Old Yankee" by the F-FCHK program.

This family can be divided into two groups, one consisting of versions
numbered below 38 and the other of versions 38 and upwards.  The first
group is identified as "Vacsina" variants by F-FCHK, and the second one
as "Yankee Doodle" variants.  However, this division is based on
differences in the internal structure of the viruses - several of the
"Vacsina" viruses also play "Yankee Doodle".

The "Vacsina" viruses seem to have been written originally to infect only
.COM files.  .EXE files are also infected, but that is done in two steps.  
First a short piece of code is added to the end of the file. Then a JMP
command is added at the front of the file.  This code seems to be based on
the code used in FORMAT.COM and CHKDSK.COM in some versions of MS-DOS.
When executed it will relocate the .EXE file.  This makes the .EXE file
structurally equivalent to a .COM file, so it can be infected as one.

The second group (versions 38 and upwards) infects .EXE files in an
"ordinary" way.

Compared to most other viruses, these are fairly harmless. In the first
versions a beep (BELL) is heard, every time a .COM-type file is successfully
infected.  As mentioned before, some of them play "Yankee Doodle", sometimes
at 5 o'clock, but other variants play the tune when the computer is rebooted
by pressing Ctrl-Alt-Del. 

The latest versions of the viruses contain several advanced features -
including self-correcting Hamming code, disabling of debugging tools, and
the ability to search for and remove the Ping-Pong and Cascade viruses.


                                      Valert

This is a 1554 byte long .COM and .EXE infecting virus that was by
accident posted to the V-ALERT electronic mailing list, which is intended
for urgent messages regarding virus infections.  Just like the "Stupid"
virus, it will only work on machines with at least 640K memory.


                                      Vcomm

An .EXE infecting virus that came from Poland.  It is not very well written, but
easy to study because the commented source code was included in the sample
that arrived from there.  When an infected program is run, it will infect one
.EXE file in the current directory.  Infected programs are first padded so
their length becomes a multiple of 512 bytes.  Then the virus adds 637 bytes
to the end of the file.  It will also install a resident part that will
intercept any disk write and change it into a disk read.
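
The growth rules given for SysLock ("multiple of 16, then 3551 bytes"),
Vcomm ("multiple of 512, then 637 bytes") and Oropax ("2756-2806 bytes,
ending up a multiple of 51") can be turned into a quick length triage.  The
following is example code added to this description, not part of F-PROT: the
constants are the figures quoted above, and the functions are mine.  A
pad-then-append rule means the infected length minus the appended size must
be non-negative and divisible by the alignment; with the original length
known, the Oropax rule gives both a divisibility test and a growth window.

```python
# Growth rules as stated in this document: pad the original to a multiple of
# `align` bytes, then append `added` bytes of virus code.
PAD_THEN_APPEND = {
    "SysLock": (16, 3551),
    "Vcomm": (512, 637),
}

# Oropax, per the document: infected files grow by 2756-2806 bytes and end up
# a multiple of 51 bytes long.
OROPAX_GROWTH = (2756, 2806)
OROPAX_ALIGN = 51


def infected_length(original, align, added):
    """Length of a file after padding to a multiple of `align` and appending `added`."""
    padded = -(-original // align) * align   # round up to the alignment
    return padded + added


def oropax_consistent(original, observed):
    """True if `observed` could be an Oropax-infected copy of a file of `original` bytes."""
    low, high = OROPAX_GROWTH
    return observed % OROPAX_ALIGN == 0 and low <= observed - original <= high


def consistent_with(observed):
    """Triage: which of the growth rules could have produced an observed length?

    Pad-then-append implies (observed - added) is non-negative and divisible
    by align.  With no original length available, the Oropax test weakens to
    the 'multiple of 51' property plus the minimum growth."""
    hits = []
    for name, (align, added) in PAD_THEN_APPEND.items():
        if observed > added and (observed - added) % align == 0:
            hits.append(name)
    if observed % OROPAX_ALIGN == 0 and observed > OROPAX_GROWTH[1]:
        hits.append("Oropax")
    return hits


if __name__ == "__main__":
    # Constructed original lengths, not real programs.
    for original in (1000, 1024, 2000):
        for name, (align, added) in PAD_THEN_APPEND.items():
            grown = infected_length(original, align, added)
            print(name, original, "->", grown, consistent_with(grown))
```

A hit from consistent_with() is only a reason to look closer; a length that
happens to satisfy one of these congruences is common, and a file whose
length fails them is not cleared either.  Comparing against a recorded
original length, as in oropax_consistent(), is the stronger check.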


                                     Vienna

This virus, also called DOS-62, UNESCO and 648 will only infect .COM files.
When an infected file is run, the virus will search for an uninfected file
and infect it.  One out of eight files infected is destroyed, by overwriting
the first few bytes with instructions that will cause a restart when the
program is run.

Infected files can be easily found because they contain an "impossible"
value (62) in the "seconds" field of the time stamp.

Unfortunately the source code to this virus has been published in a book:
"Computer viruses: A High-Tech Disease", so it will probably become very
common in the future.  This version was modified slightly, in order to
make it a little less harmful - it would only infect files in the current
directory.

The virus appends 648 bytes to the files it infects.

One variant of this virus, "Lisbon", has been found in Portugal, but the
Ghost virus is also closely related.  Several other variants have been
reported in Bulgaria. Some of them are so different that they have received
a new name, "New Vienna".  The Bulgarian variants are similar to the original
virus, but the changes include:

        Different length - 435,367,354 and 348 bytes.
        Different damage function - formatting of hard disk.
        Critical error handler added.


                                    Virus-90

The most interesting fact regarding this virus is that the author of it
is known. He uploaded the virus to a number of BBS, saying that the
source code was available for around $20. The virus itself is not very
remarkable, a simple .COM infector that adds 857 bytes to any file it
infects. The virus will only infect files on drive A: and B: but it
would of course be very easy to "fix" that. An infected program will
display the message "Infected!" when it is executed, but otherwise the
virus does nothing at all.

A "new and improved" version, Virus-101, was written by the same person.
I have only received a preliminary copy, which does not work, but when
I receive a fully functioning one, I will update the programs to detect
and remove it, just like any other virus.


                                      W13

This is a rather primitive .COM infecting virus. Two variants are known,
the first one is 534 bytes long, but the second, with some bugs corrected,
is only 507 bytes long. The variants are both of the "Direct Action" type and
do nothing interesting. 


                                  Zero Bug

The "Zero Bug" will mark infected files in the same way as the Vienna
virus, placing 62 in the "seconds" field of the timestamp of the .COM
files it infects.  Apart from this, the viruses are very dissimilar.
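
The "62 in the seconds field" marker used by both Vienna and Zero Bug is
easy to test for because of how DOS packs a file time into 16 bits: five bits
of hour, six of minute and five of seconds divided by two, so any field value
above 29 decodes to 60 or 62 seconds, which no legitimate timestamp has.  The
following is example code added to this description, not part of F-PROT; the
directory entries are constructed for the demonstration and the function
names are mine.  It generalises slightly beyond the text by flagging the
60-second value as well as 62.

```python
DOS_SECONDS_MASK = 0x1F   # bits 4-0: seconds / 2
VALID_SECONDS_MAX = 29    # 29 * 2 = 58 is the largest legitimate value
MARK_62 = 31              # field value that decodes to 62 seconds


def pack_dos_time(hour, minute, second):
    """Pack a wall-clock time into the 16-bit DOS directory time field:
    bits 15-11 hour, bits 10-5 minute, bits 4-0 seconds/2."""
    if not (0 <= hour < 24 and 0 <= minute < 60 and 0 <= second < 60):
        raise ValueError("not a valid wall-clock time")
    return (hour << 11) | (minute << 5) | (second // 2)


def unpack_dos_time(packed):
    """Return (hour, minute, seconds) from a packed DOS time field."""
    return (packed >> 11) & 0x1F, (packed >> 5) & 0x3F, (packed & DOS_SECONDS_MASK) * 2


def has_impossible_seconds(packed):
    """True when the seconds field decodes to 60 or 62, values that normal
    file operations never produce (field values 30 and 31)."""
    return (packed & DOS_SECONDS_MASK) > VALID_SECONDS_MAX


def find_marked_com_files(entries):
    """Scan (name, packed_time) directory entries and return the .COM files
    whose seconds field is impossible, in directory order."""
    return [name for name, t in entries
            if name.upper().endswith(".COM") and has_impossible_seconds(t)]


# Constructed directory entries for the demonstration.  GAME.COM and
# NOTES.TXT carry the 62-second marker; NOTES.TXT is not a .COM file.
SAMPLE_ENTRIES = [
    ("COMMAND.COM", pack_dos_time(12, 0, 0)),
    ("GAME.COM", (pack_dos_time(9, 30, 0) & ~DOS_SECONDS_MASK) | MARK_62),
    ("NOTES.TXT", (pack_dos_time(8, 15, 0) & ~DOS_SECONDS_MASK) | MARK_62),
    ("EDIT.COM", pack_dos_time(17, 5, 44)),
]


if __name__ == "__main__":
    for name, t in SAMPLE_ENTRIES:
        print(name, unpack_dos_time(t), "MARKED" if has_impossible_seconds(t) else "")
    print(find_marked_com_files(SAMPLE_ENTRIES))
```

Two cautions when using this on a real directory: a resident virus that
filters directory listings may hand back the original timestamp along with
the original length, so the scan should be run from a clean boot; and a file
that carries the marker is only suspect, since nothing stops other software
from writing an odd seconds value.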

This virus will search for COMMAND.COM, using the value of the COMSPEC
environment variable to locate the file.  Then it will remain resident,
hook INT 60 and infect every .COM file run.

The virus seems not too well written - containing some unreachable code,
but it is unusual in some ways.

When it infects a file, it will add 1536 bytes in front of the original code,
just like the Agiplan virus.  It also contains one "feature" that will
probably be more used in the future - if the virus is active in memory and
you look at a directory containing infected files, the virus will make
the directory entries appear as they were before the infection. That is,
you will not see any increase in file length. This method is also used by 
some of the latest viruses from Bulgaria.

