       A description of PC viruses and their symptoms - June '91
		
This document lists the file viruses recognized by F-PROT at the time of
writing.  Since new viruses are continually appearing, this document will
never be completely up to date.  A short description of the viruses follows,
but it is far from complete.

The .EXE and .COM infecting viruses known by F-PROT are:

                 10 past 3               
                 217
                 268-plus
                 382 --> Burger
                 405 --> Burger
                 417 --> F-word
                 440
                 483
                 492
                 512 --> Number of the beast
                 516
                 600 --> Voronezh
                 696
                 699
                 707
                 800
                 905
                 948
                 1024 --> Diamond
                 1024PrScr
                 1028 --> Eddie
                 1049 --> Yankee
                 1067 --> Ambulance
                 1075 --> DBF blank
                 1226 --> Phoenix
                 1260 --> V2P1
                 1392 --> Amoeba
                 1575
                 1600
                 2144
                 2930 --> Traceback
                 4096 --> Frodo
                 5120
                 8-tunes
                 A-204 --> Jerusalem
                 Advent --> Syslock
                 Agiplan
                 AIDS
                 AIDS-2
                 Alabama
                 Ambulance
                 Amoeba
                 Amstrad --> Pixel
                 Anarkia --> Jerusalem
                 AntiCAD --> Plastique
                 AntiPascal
                 AntiPascal-2
                 Apocalypse --> Jerusalem
                 Apocalypse-2 --> Eddie
                 April 1st
                 Arf --> Vienna
                 Armagedon
                 Australian 403
                 Attention
                 Backtime
                 Bad Boy
                 Bandit --> Old Yankee
                 Bebe
                 Best Wishes
                 Black Monday
                 Bljec
                 Blood
                 Boys
                 Bulgarian Tiny
                 Burger
                 Cancer --> Amstrad
                 CARA
                 Carfield --> Jerusalem
                 Carioca
                 Casper --> 1260
                 Cascade
                 Casino
                 Century --> Jerusalem
                 Choinka --> Vienna
                 Christmas in Japan
                 Christmas Violator --> Vienna
                 Cinderella
                 Cookie --> Syslock
                 Crew-2480
                 Damage --> Diamond
                 Dark Avenger --> Eddie
                 Dark Lord --> Terror
                 DataCrime
                 DataCrime II
                 Datalock
                 David --> Diamond
                 dBASE
                 DBF blank
                 December 24th
                 Demon
                 Destructor
                 Devil's Dance
                 Diabolik --> Murphy
                 Diamond
                 DIR
                 Discom --> Jerusalem
                 Do-Nothing --> Stupid
                 Doom2
                 Doteater
                 Durban
                 Dutch-555
                 Dyslexia --> Solano
                 Eddie
                 Eddie II
                 Enigma --> Old Yankee
                 Erasmus --> Murphy
                 ETC
                 Evil --> Phoenix
                 Father Christmas --> Vienna
                 Faust
                 Fellowship
                 Fichv
                 Finger --> Murphy
                 Fish 6 --> Frodo
                 Flash
                 Flip 
                 Formiche --> Cascade
                 Frere --> Jerusalem
                 Frodo
                 Frog
                 Fuck You --> F-word
                 Fumble
                 Fu Manchu
                 G-virus
                 Gergana
                 GhostBalls
                 Goblin --> Murphy
                 Greemlin --> Diamond
                 Grither --> Vienna
                 Groen Links --> Jerusalem
                 Guppy
                 Guru --> Murphy
                 Hallchen
                 Happy --> VFSI
                 Hero
                 HIV --> Murphy
                 Holland Girl --> Sylvia
                 Horse 
                 Hybryd --> Vienna
                 Hymn --> Eddie
                 Icelandic
                 Icelandic II
                 IDF --> Frodo
                 Incom
                 Internal
                 Invader --> Plastique
                 Iraqui Warrior --> Vienna
                 Itavir
                 Jeff
                 Jerusalem
                 Jo-Jo --> Cascade
                 Joker
                 Joker-01
                 July 13th
                 Kemerovo
                 Kennedy
                 Keypress
                 Kiev
                 Klaeren
                 Kylie --> Jerusalem
                 Lehigh
                 Leprosy
                 Liberty
                 Lisbon --> Vienna
                 Little Pieces
                 Lozinsky
                 Lucifer --> Diamond
                 Macho --> Syslock
                 Magnitogorsk
                 Mendoza --> Jerusalem
                 MG
                 MGTU
                 Micro-128
                 Minimal
                 Minnow --> Zero Hunt
                 MIR --> Eddie
                 Mirror
                 MIX1
                 MLTI
                 Monxla --> Vienna
                 Mother Fish --> Whale
                 Murphy
                 Mystic --> Liberty
                 Naughty Hacker --> Horse
                 New Jerusalem --> Jerusalem
                 New Vienna --> Vienna
                 Nina
                 Nomenklatura
                 Number of the Beast
                 Old Yankee
                 Oropax
                 Palette --> Zero Bug
                 Paris
                 Parity
                 Payday --> Jerusalem
                 PcVrsDs
                 Perfume --> G-virus
                 Pest --> Murphy
                 Phantom
                 Phenome --> Jerusalem
                 Phoenix
                 Piter
                 Pixel 
                 Plague --> Leprosy
                 Plastique
                 Polimer
                 Pretoria
                 Proud
                 Prudents
                 PSQR (1720) --> Jerusalem
                 Puerto --> Jerusalem
                 Raubkopi
                 Saddam --> Stupid
                 Saratoga --> Icelandic
                 Scottish Murphy --> Superhack
                 Scott's Valley --> Slow
                 September 18th
                 Shake
                 Slow
                 Solano
                 South African "Friday 13."
                 Sparse
                 Spyer --> Faust
                 Staf
                 Striker #1
                 Stupid
                 Subliminal --> Solano
                 Sunday --> Jerusalem
                 Suomi
                 Superhack
                 SVC
                 Sverdlov
                 Svir
                 Swiss-143
                 Sylvia
                 SysLock
                 Taiwan
                 Tenbyte
                 Tequila
                 Terror
                 Testvirus
                 Time --> Vienna
                 Tiny --> Kennedy
                 Tiny Family --> Bulgarian Tiny
                 Traceback
                 TUQ
                 Turbo Kukac
                 USSR-311
                 V-1 --> see BOOTVIR.TXT for description
                 V2P1
                 V2P2 --> V2P1
                 V2P6 --> V2P1
                 V2P6Z --> V2P1
                 Vacsina 
                 Vcomm
                 Victor
                 Vienna
                 Violator --> Vienna
                 Virdem
                 Virus-90
                 Virus-101 --> Virus-90
                 Virus-B --> South African
                 Voronezh
                 VP
                 W13
                 Warrior
                 Westwood --> Jerusalem
                 Whale
                 Wisconsin
                 Wolfman
                 XA1
                 Yankee Doodle --> Vacsina
                 Yaunch
                 Yukon
                 Zeleng --> Eddie
                 Zero Bug 
                 Zero Hunt
                 ZK-900

In addition there may be some recently discovered viruses, which have not
yet become available to the author.

It must be noted here, that F-PROT will provide some protection against
viruses not yet written.  The programs in the package will generally not
be able to remove unknown viruses, unless they are (very minor) variants
of known viruses.

Now, let's have a look at the viruses mentioned above.  In some cases
the descriptions are very short, perhaps only a couple of lines.  This
indicates a new virus, which has not yet been fully dissected.  In those
cases the effects of the virus may be only partially known.  The
description will be expanded as better information becomes available.


                              10 past 3

A 748 byte .COM-virus, which has not been analyzed yet.

                                 217

This is a small, not very interesting virus from Poland, which only
infects .COM files.


                                 268

A small virus, with an interesting encryption algorithm, and a strange
twist: when it is run it will infect all programs in the current
directory, but the length of the first one increases by 268 bytes, the
next one by 269 bytes, then 270 and so on.

                  
                                  440

A 440 byte, direct-action .COM infecting virus. Awaiting analysis.


                                  483

This virus appears not to work, as it will corrupt all programs it
infects.  This corruption does not appear to be intentional, and may be
corrected in a later release.


                                  492

This virus from eastern Europe would not be remarkable, if it was not for
the fact that it will not work on the 8088 or 8086 processor.  The reason
is the use of an instruction (PUSH-immediate) which only exists on
later-generation processors.  The virus only infects COM files.


                                  516

This simple, Russian COM virus is interesting in one way - it is the
first virus which does not modify the beginning of the programs it
infects.  The virus code is located at the end of infected programs, but
the jump to the virus is inside the program, not at the beginning, as is
usual.


                                  696

This is a simple direct-action Russian COM virus, which has not been
analyzed yet.


                                  699

This virus adds 699 bytes to the files it infects, but in addition it may
add several "garbage" bytes.  As a result disinfected files will often not
be of exactly the same length as the original file.


                                  707

This is a Russian, 707 byte COM virus, which is awaiting analysis.


                                  905

This Russian virus has not been analyzed fully, but it appears to change
the font on EGA/VGA displays when it activates.


                                  948
 
This Russian virus seems related to the Yankee virus, or at least it is
identified as "Yankee" by F-DRIVER, although F-FCHK will identify and
remove it correctly.  It infects EXE and COM files, including
COMMAND.COM, which is infected by overwriting, and should be replaced if
infected.  


                               1024PrScr

A 1024 byte virus, which will occasionally produce a "Print Screen"
effect.


                                  1575

This virus is awaiting analysis.  It is also known as 'Greencat', but I
have not yet seen why.

                                  1600

According to reports from Bulgaria, the author of this virus is the same
as the one who wrote the Nina virus, and inside the 1600 virus the
following message can be found:

        Dear Nina, you make me write this virus; Happy new year!

The 1600 virus infects .EXE and .COM files, increasing their length by
1600 bytes, but COMMAND.COM is overwritten.  At least some versions of
COMMAND.COM will not work if infected, and infected COMMAND.COM files
should be replaced, not disinfected.


                                 2144

This Russian virus appears to be related to the Voronezh virus - perhaps
having the same author. It is an encrypted COM and EXE infector, which
has not been fully analyzed yet, but is reported to have an effect
similar to that of the Sverdlov virus.

                                    
                                    5120

This is one of the largest viruses known, 5120 bytes.  It will infect
both .COM and .EXE files, selecting one file of each type to infect,
when an infected program is run.  Parts of the virus seem to have been
written in a high-level language, probably compiled BASIC, but the
initialization code is written in assembly language.


                                     800

One of the Bulgarian viruses - 800 bytes long.  It bears some resemblance
to the Dark Avenger.  It seems to overwrite directories, but has not been
fully dissected yet. 


                                   8-tunes

Just as most other "music" viruses, this one is from Germany. It infects
.COM files as well as .EXE files.  When it activates it will play one out
of 8 different tunes.  The length of the virus code is 1971 bytes.


                                     Agiplan

This virus was first reported in the German AGIPLAN company, but then it
disappeared for nearly two years, until a sample appeared in South
Africa.  Structurally the virus is similar to the Zero Bug virus, as both
add 1536 bytes to the beginning of the programs they infect.  The virus
will not have any serious effects until it has been active on an infected
machine for several months, but then it will start corrupting writes.


                                   AIDS

This is a long virus, over 12K, written in Pascal, which overwrites the
files it infects.  It is therefore easily detected, and not a serious
threat.

                                   AIDS-2

This is a "companion" virus, in the form of a .COM file, which will
locate a .EXE file and create a corresponding .COM file, exploiting the
fact that DOS will first execute the .COM file, containing the virus.
The virus will then later execute the .EXE file.
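
The companion technique leaves a visible trace: a .COM and a .EXE file
with the same base name in one directory.  The following Python sketch is
an added example, not part of the original document or of F-PROT; the
function names, the sample file names and the "COM is newer" heuristic are
assumptions made for illustration.

```python
import os
import tempfile
from collections import defaultdict


def find_companion_pairs(root):
    """List every .COM file that shadows a same-named .EXE under root.

    DOS runs NAME.COM in preference to NAME.EXE, so such a pair deserves a
    look.  A pair is only a hint: some legitimate packages ship both.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        by_stem = defaultdict(dict)
        for fname in filenames:
            stem, ext = os.path.splitext(fname)
            if ext.upper() in (".COM", ".EXE"):
                # DOS names are case-insensitive, so compare in upper case.
                by_stem[stem.upper()][ext.upper()] = os.path.join(dirpath, fname)
        for stem in sorted(by_stem):
            found = by_stem[stem]
            if len(found) < 2:
                continue
            com, exe = found[".COM"], found[".EXE"]
            findings.append({
                "com": com,
                "exe": exe,
                "com_size": os.path.getsize(com),
                # Assumption: a companion is created after its host, so a
                # .COM newer than the .EXE strengthens the suspicion.
                "com_newer": os.path.getmtime(com) > os.path.getmtime(exe),
            })
    return findings


def build_sample_tree(root):
    """Create a constructed sample directory (filler bytes only)."""
    layout = {
        "EDIT.EXE": (b"\0" * 512, 650000000),   # host program, older
        "edit.com": (b"\0" * 64, 675000000),    # same base name, newer
        "FORMAT.COM": (b"\0" * 128, 650000000),  # lone .COM, not a pair
        "TOOL.EXE": (b"\0" * 256, 650000000),    # lone .EXE, not a pair
    }
    for fname, (content, mtime) in layout.items():
        path = os.path.join(root, fname)
        with open(path, "wb") as handle:
            handle.write(content)
        os.utime(path, (mtime, mtime))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as sample:
        build_sample_tree(sample)
        for hit in find_companion_pairs(sample):
            print("%s shadows %s (COM newer: %s)" % (
                os.path.basename(hit["com"]),
                os.path.basename(hit["exe"]),
                hit["com_newer"]))
```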


                                     Alabama

This virus was first reported in Israel, but a text string inside it says:

    SOFTWARE COPIES PROHIBITED BY INTERNATIONAL LAW..............
    Box 1055 Tuscambia ALABAMA USA.

This message will also appear in a box on the screen one hour after an
infected program is run.

Like a few other viruses this one cannot be removed from memory by
pressing Ctrl-Alt-Del.  It will simply fake a "reboot" and remain in RAM.

Alabama will only infect .EXE files, increasing their size by 1560 bytes.

Unlike most other resident viruses, it will not automatically infect
every new program executed.  When a program is run, Alabama will instead
search for some other program to infect - probably so the program being
executed will get the blame.  It will only be infected if no uninfected 
file is found in the current directory.

Every Friday the virus will do something odd.  It searches for a file to
infect as described above, and executes it instead of the file the user was
planning to execute.  A bit weird ...!

One variant of this virus, Alabama-B is also known.  It has been
distributed in the form of a modified SDIR.COM file, but normally Alabama
will not infect .COM files.


                                 Ambulance

As the name indicates, the ambulance virus displays an ambulance on the
screen.  It is a 796 byte .COM infecting virus.  A related virus, 1067
bytes long, is also known, but it has not been analyzed yet.


                                   Amoeba

This is a 1392 byte .EXE and .COM infecting virus, but little is yet
known about it.  It overwrites the first 1089 bytes of .COM files, placing
the original code at the end and then it appends another 303 bytes.
The name of the virus is derived from the following text found inside it.

                    SMA KHETAPUNK - Nouvel Band A.M.O.E.B.A

The virus was first reported in Indonesia.


                              AntiPascal

Two viruses, probably from Bulgaria, 605 and 529 bytes long, designed to
corrupt .PAS and .BAK files.  They are said to have been written as a
revenge against a former employer of the virus author.   The viruses are
added to the front of infected programs.


                              AntiPascal-2

A group of three viruses, 400, 440 and 480 bytes long, which are similar
to the AntiPascal viruses, but somewhat different structurally - for
example they add the virus code to the end of the programs they infect,
rather than the beginning.


                                April 1.

Here we actually have not one virus, but two different viruses, probably
written by the same author, somewhere in Israel.  One of them infects .EXE
files, the other .COM files.  The two viruses have the same effect, however.
On April 1st an infected computer will display the following message:

                 APRIL 1ST HA HA HA YOU HAVE A VIRUS.

The .COM virus is 897 bytes long, but the .EXE virus is a bit longer,
1488 bytes.

Those two viruses were later combined into one, called SURIV 3, which
evolved into the Jerusalem virus.


                               Armagedon

This virus originated in Greece.  It is 1079 bytes long and infects .COM
files, other than COMMAND.COM, by adding itself in front of the original
program.
This virus has an interesting effect if a Hayes compatible modem is
installed in the computer, including dialing the number 081-141.  This is
the number of the "speaking clock" on the island of Crete.


                              Attention

This 394 byte Russian virus gets its name from the string "ATTENTION"
which is written near the beginning of infected files.  Like most of the
other recent Eastern Europe viruses it has not been analyzed yet.


                              Australian 403

An overwriting 403 byte virus of no particular interest.  Reported to
have originated in Australia.  Infected programs must be deleted.


                               Backtime

A 528 byte .COM virus. Awaiting analysis.


                                Bad boy

A 1000 or 1001 byte virus, which contains the following text:

           Make me better!
           The Bad Boy virus, Version 2.0, Copyright (C) 1991.

The virus has not been fully analysed yet.


                                 Bebe

This Russian virus contains the following pieces of text:

	 VIRUS!      Skagi "bebe"    Fig Tebe !

A translation is not yet available.   This is a 1004 byte virus, which
only infects COM files.


                              Best Wishes

A 1024 byte .COM infecting virus, containing the text

                  This programm ... With Best Wishes!

The virus has not been analyzed yet, but many programs, including
COMMAND.COM, will not work properly when infected.


                              Black Monday

The name of this virus is derived from a text string found inside it:

                     Black Monday 2/3/90 KV KL MAL

This is a 1055 byte virus, which will infect .EXE and .COM files.  It is
not possible to restore infected .EXE files, as the virus may overwrite
some bytes at the end of the file.


                                Bljec

This is a family of 7 small, non-interesting viruses, which add 231-369
bytes in front of any .COM files they infect.


                                Blood

A very simple 418 byte non-resident virus from Natal in South-Africa.  It
was written by a student, who claims to have no knowledge of how it
"escaped". This virus, just like Kennedy, will only infect .COM files
starting with a JMP statement (E9).  Infected programs may occasionally
display the following message when they are executed.

                  File infected by BLOOD VIRUS version 1.20

Reports of a Blood-2 virus are based on a misunderstanding.


                               Boys

A 500-byte virus which only infects .COM files.  When it finds no more
.COM files to infect, it will start deleting .EXE files.


                            Bulgarian Tiny

This family of viruses currently contains the smallest viruses known -
198, 167, 160, 159, 158, 156, 154, 143, 138, 134 and 133 bytes long.  They
do nothing of particular interest, but appear to be written in an
attempt to write the smallest virus possible.


                                Burger

This virus was written by R. Burger, author of the Virdem virus.  It is
a 560 byte destructive/overwriting virus.  As the infection causes the
destruction of the "host" the virus is easily found, and is therefore not
a serious threat.  The "405" virus is closely related, but it is unable
to recognize a file already infected.  One variant '382' was reported in
Taiwan, but it has been modified somewhat.


                                 CARA

A 1025 byte virus, which is one of the many viruses which have not been
fully analysed yet.


                                Carioca

This is a 951 byte .COM virus, which has not been analyzed yet.  It
appears to be related to a 1181 byte virus, known as 'Faust', which is
also able to infect .EXE files. This latter variant is also known as
'Chaos', as it contains the following (encrypted) text:

              CHAOS!!! Another Masterpiece of Faust...


                                Cascade

The Cascade virus, also known as 1701 or 1704, is probably one of the
most common viruses around.  The problem is just that it is often not
detected, because it produces no obvious effects.  In the original
version, the virus contained code that was set to "go off" between
Oct 1. and Dec 31. 1988, shortly after an infected program is run.
The effect is actually quite amusing - the characters on the screen fall
down and end in a heap on the bottom.  

There is a bug in some versions of the virus - it seems that the author
intended the virus to infect all computers, except those from IBM.
However, it did not work as planned - the virus would also infect "true"
IBM machines.

There is one variant of this virus, reported as 17Y4, which is almost
identical to the most common 1704 variant.  One byte has been changed,
probably due to a random "mutation".  This, however, has resulted in a
"bug" in the virus.  Another mutated variant is also known - it infects
the same file over and over.  In the "YAP" variant, somebody has switched
two instructions in the decryption routine - which does not affect the
operation of the virus, and seems to be done to prevent detection by some
particular scanner.  The Jo-Jo virus is basically a patched, non-encrypted
variant of the Cascade virus.  It is reported to have originated in
Barcelona or Israel.  It contains a check for the IBM copyright message at
address F000:E008, just like Cascade.  The virus contains two text
strings:

                       Welcome to the JOJO virus.

                       Fuck the system (c) - 1990

One other variant is also known - it is much longer than the others, over
6000 bytes.  This variant, known as 'Formiche' has not been analysed yet.


                                   Casino

A 2330 byte virus from Malta.  The virus is highly destructive, and may
trash the FAT.  Before doing so, however, it will offer the user the
chance to play a game - if he wins, the virus will restore the FAT.


                               Christmas in Japan

This is a 600 byte virus from Japan, reported to activate on Dec. 25.
It only infects .COM files, but has not been fully analyzed yet.


                                 Cinderella

A 390 byte virus, which can be found at the beginning of COM files.  Not
analysed yet.


                                  Crew-2480

This virus is not a serious threat on most systems, as it only spreads if
the year is set to 1988.  It was found in Finland, and has not yet been
reported elsewhere.  It only infects .COM files, and as the name
indicates, it is 2480 bytes long.


                                   DataCrime

The DataCrime virus was probably written in W. Germany or the Netherlands.
It caused much panic around Oct. 13th 1989 when it was set to go off.  Any
infected program run on Oct. 13 or later in the year would format the
first nine tracks of the hard disk and display the message

                 DATACRIME VIRUS RELEASED: 1 MARCH 1989

Since this virus is currently very rare, it is not a serious threat, but
it could become a problem in the future.

The two variants of this virus, 1280 and 1168 are practically equivalent,
but another virus, called "DataCrime II" exists as well.  It infects .EXE
and .COM files, but the original "DataCrime" could only infect .COM files.
DataCrime 2 is also a bit larger, 1514 bytes long and more complicated
than the original virus.  The latest variant, called DataCrime II-B is
very similar to DataCrime II, but is only 1480 bytes long.


                             Datalock

A new, 920 byte virus, which has not been fully analyzed yet.  It will
infect .EXE files, but only some .COM files including COMMAND.COM.


                               dBASE

The dBase virus is very rare, but rather curious.  It is clearly intended
to garble dBase files, or rather any file with a name that ends in .DBF.

If the virus is active in memory when a program writes to a .DBF file, it
will garble all the outgoing data.  However, when the data is read back
later, the virus will correct the garbled data.

There is just one problem.  If the virus is detected and removed, the data
will be useless because the virus will not be present to "de-garble"
it when it is read back.

There is a more harmful side to this virus.  If an attempt is made to
write to a .DBF file that is more than three months old, the virus will
try to destroy the FAT and root directory on drives D:, E: ....  Z:
There is a bug in the code, however, so the destruction will be rather
unpredictable.

The dBase virus will only infect .COM files, increasing their size by
1864 bytes.


                              DBF blank

This Russian virus does not seem to work on the 8088 IBM-PC I use for testing
viruses - infected programs simply hang the machine.  The virus seems to
be able to infect EXE and COM files, but has not been fully analyzed yet.
It is reported to interfere with operations on dBASE .DBF files,
resulting in corruption of data.


                                December 24th

This virus was discovered in Iceland on Dec. 24th 1989. Several computers
refused to run any programs at all on that date, but simply displayed the
message "Gledileg jol" ("Merry Christmas") instead.  The virus is a variant
of the Icelandic-2 virus, but with several minor corrections and modifications.

One out of every ten programs run is checked to see if it is a non-infected
.EXE file. If so, the virus adds 848-863 bytes to the file.


                                  Deicide

A primitive 666 byte overwriting virus. When it activates, it wipes out the
first 80 sectors on drive C:. The virus contains the following text:

        DEICIDE!
        Glenn (666) says : BYE BYE HARDDISK!!
        Next time be carufull with illegal stuff.

        This experimental virus was written by Glenn Benton to see
        if I can make a virus while learning machinecode for 2,5 months.
        (C) 10-23-1990 by Glenn. I keep on going making virusses.


                                   Demon

A primitive 272 byte overwriting virus written by the person calling
himself "Cracker Jack".


                                  Destructor

The name of this virus is derived from the following string which is
stored inside it:

                       DESTRUCTOR  V4.00  (c) 1990 by ATA

This is a 1150 byte virus, which infects COM as well as EXE files.


                                 Devil's Dance

A .COM infector reported to have originated in Spain or Mexico. It adds
951 bytes to the end of any file it infects.  It will infect the same file
over and over until it becomes too large to fit in memory.  The virus traps
INT 9 (the keyboard interrupt) and when CTRL-ALT-DEL is pressed it will
display the message:

        DID YOU EVER DANCE WITH THE DEVIL IN THE WEAK MOONLIGHT ?
                         PRAY FOR YOUR DISKS!!
                               The Joker

The virus also monitors any keystrokes, activating when 2000 are reached.
It will then change the colors of any text displayed on the screen.  When
5000 keystrokes are reached the virus will trash the first copy of the
FAT.

                                Diamond

This is a 1024 byte virus from Bulgaria, which has been reported as
bearing some resemblance to the "Eddie" virus, possibly written by the
"Dark Avenger" as well. The virus makes some effort to disable any
debugger program used to monitor it, but does not seem to do anything of
particular interest. Several variants are known, including Greemlin, David,
Lucifer, Damage and Damage-2.


                                     DIR

This Bulgarian virus will infect files when the DIR command is given,
hence the name.  It is 691 bytes long, and will only infect .COM files.
No destructive code has been found in the virus.


                                   Doom2

A very badly written 1252 byte virus, which usually hangs after infecting
a program. The virus is encrypted, and contains the following message:

                           DOOM II (c) Dr.Jones, NCU.

A slightly different variant is also known, called Doom-2B.


                                   Doteater

A rather primitive 944 byte virus, probably written in Poland.  It infects
only .COM files, and when it activates it will remove all dots (.) from
the screen.


                             Durban (Saturday the 14th)

This virus infects both .EXE and .COM files.  It first adds 1-16 bytes to
the length of the files it infects, so they end on a paragraph boundary.
Then 669 additional bytes, containing the virus itself, are written to the
end.

Durban is a resident virus, using a method similar to that used by Jerusalem
to check if it is already installed.

On any Saturday the 14th, the first 100 logical sectors of drive C, then B,
then A are overwritten with rubbish.


                                 Dutch 555

As the name implies, this is a 555 byte virus, which infects EXE and COM
files.  Awaiting analysis.


                                  Eddie

This virus contains two interesting text strings:

                     "Eddie lives...somewhere in time"
and

   "This program was written in the city of Sofia (C) 1988-89 Dark Avenger"

"Eddie" is probably the skeleton mascot of the heavy metal band "Iron Maiden".
This was the first virus reported to have originated in Bulgaria, but
it was soon followed by many others.

There is only one thing unusual about this virus.  It remains resident,
just as many other viruses, but it will not only infect a program when it
is run, but also when the program file is read.  This means that a harmless
program that opened each .EXE and .COM file in turn, for example to check
them for infection, could easily cause an "epidemic".

The virus will infect .EXE and .COM files, adding 1800 bytes to the
length.  COMMAND.COM will be one of the first programs to become infected.

When an infected program is run, there is a 1-in-16 chance that the virus
will trash a random disk sector. 

One 2000 byte variant is known. It is also from Bulgaria, probably
written by the same author as the original one.  It has been improved a
bit - you won't see an increase in file length when you issue a DIR
command.  A third variant, also by "Dark Avenger" is 2100 bytes long.
It is possible that a 1028 byte variant is the earliest version of the
virus, but this is not certain.

Inside the virus one finds the following string:

                      Copy me - I want to travel
or, in some versions
                      Only the Good die young...

The virus author also included the following string in the virus:

                 Copyright (C) 1989 by Vesselin Bontchev

Vesselin Bontchev, however, is a Bulgarian author of anti-virus programs,
and has nothing to do with the creation of the virus.  The reason
this message appears is that the virus searches for it in every program
executed, and halts the computer when it is found.

The author of the virus - Dark Avenger - has distributed the source to
the virus, and several new viruses have now been derived from it,
including Apocalypse-2, Hymn, MIR and Zeleng.


                                  Eddie II

A fairly harmless virus from Bulgaria - called "Eddie II" because it
contains the string "Eddie lives". This string is similar to the string
contained in the original "Eddie" virus.  Eddie II can infect .EXE files
as well as .COM files, but unlike most other .EXE infecting viruses, it
does not pad them so their length becomes a multiple of 16 bytes, before
they are infected.  Infected files are marked with a value of 62 in the
"seconds" field of the timestamp, which makes them immune to infection by
Vienna or Zero Bug.  Infected files grow by 651 bytes, but this increase
will not be seen if a "DIR" command is given, because the virus intercepts
the "find-first" and "find-next" functions, and if the "seconds" field
contains 62, the virus will decrement the file length by 651.  Apart
from this the virus does nothing of interest.
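
An added example (not part of the original document or of F-PROT): a check
that reads raw FAT directory entries from a disk image on a clean system,
flags .COM/.EXE files carrying the 62-second mark, and shows the length a DIR
command would report with the virus resident.  The standard 32-byte directory
entry layout, the function names and the sample data are assumptions; since
the text says the same mark protects files from Vienna and Zero Bug, a hit
shows a marked file, not which virus marked it.

```python
import struct

EDDIE2_GROWTH = 651    # growth in bytes, from the description above
MARKER_SECONDS = 62    # out-of-range seconds value used as the infection mark

def make_entry(name, ext, hh, mm, ss, size, attr=0x20):
    """Build a 32-byte FAT directory entry (used only for the constructed sample)."""
    dos_time = (hh << 11) | (mm << 5) | (ss // 2)
    return struct.pack("<8s3sB10xHHHI", name.ljust(8).encode(),
                       ext.ljust(3).encode(), attr, dos_time, 0x1621, 2, size)

def scan_directory(data):
    """Return entries for .COM/.EXE files whose timestamp carries the marker."""
    findings = []
    for off in range(0, len(data) - 31, 32):
        raw = data[off:off + 32]
        if raw[0] == 0x00:                  # end of directory
            break
        name, ext, attr, dos_time, _date, _clus, size = struct.unpack(
            "<8s3sB10xHHHI", raw)
        if raw[0] == 0xE5 or attr & 0x18:   # deleted, volume label or subdirectory
            continue
        ext = ext.decode("ascii", "replace").strip()
        seconds = (dos_time & 0x1F) * 2     # DOS stores seconds / 2 in 5 bits
        if ext in ("COM", "EXE") and seconds == MARKER_SECONDS:
            findings.append({
                "file": name.decode("ascii", "replace").strip() + "." + ext,
                "true_size": size,
                # what DIR would report with the virus resident, per the text
                "size_shown_if_resident": size - EDDIE2_GROWTH,
            })
    return findings

# Constructed sample directory: one marked file, one clean file, one deleted entry.
SAMPLE = (make_entry("GAME", "COM", 12, 30, 62, 5651)
          + make_entry("EDIT", "EXE", 9, 15, 10, 20480)
          + b"\xE5" + make_entry("OLD", "COM", 1, 2, 62, 900)[1:]
          + bytes(32))

if __name__ == "__main__":
    for finding in scan_directory(SAMPLE):
        print(finding)
```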


                                  ETC

A simple 700 byte virus containing the text:

      E.T.C. VIRUS, Version 3.0, Copyright (c) 1989 by E.T.C. Co.

It seems to have no interesting effects.


                                 F-word

This is a simple 417 byte virus from Eastern Europe.  The only text
message inside the virus is the words "Fuck You".  The virus has not
been fully analyzed yet.

 
                               Fellowship

The name of this virus is derived from the following text, which can be
found inside it:

                        This message is dedicated to
                        all fellow PC users on Earth
                        Towards A Better Tomorrow
                        And A Better Place To Live In

The virus is actually not very friendly - it attaches itself to the end of
.EXE files, but may overwrite the last 20 bytes or so of the original
file.  The virus itself is 1019 bytes long.  It may cause further damage,
but it has not yet been analyzed.


                                Fichv

This 903 byte encrypted virus contains the text 

                      ***FICHV 2.1 vous a eu*****.....

When it activates it will overwrite the first 6 sectors of track 0,
head 1 of the current drive.


                                Flash

This virus probably originated in Germany. It adds 688 bytes to any .COM
or .EXE file it infects.  The virus is still awaiting full analysis.


                                 Flip

The Flip virus is 2343 bytes long, and infects both .EXE and .COM files
as well as boot sectors of hard disks.  When the virus activates on a
computer with an EGA or VGA display adapter, it will "flip" the screen
horizontally and switch to a special character set, which reverses each
character.  This effect only happens on the second day of each month,
between 16:00 and 16:59.  The method used to infect boot sectors is
similar to that used by the V-1 virus, except the Flip virus will only
infect hard disks, not diskettes. One variant is known, but it is only
2153 bytes long.


                            Frodo (4096, IDF)

The Frodo virus infects both .EXE and .COM files.  It is very advanced in
some ways, being able to hide the infection by using a method similar to
that used by the "Zero Bug" virus.  If the virus is active in memory and
you look at the directory, the virus will show you the original length of
any infected program.  The virus seems to be able to cause damage to data,
as files may become crosslinked when it is active.

It activates on Sept. 22, when it may attempt to place a Trojan on boot
sectors.  This Trojan will display the message "FRODO LIVES" in large
letters on the screen, surrounded by a moving pattern.  The code to write
the Trojan to the disk seems to be garbled in all known versions of the
virus and will probably "hang" the computer.

The length of infected files increases by 4096 bytes, but a variant "Fish 6",
3584 bytes long, was recently reported.  The effects of this variant are
not known yet.


                                    Frog

A 1500 byte virus which has not been analysed yet.  It infects files when
the DIR command is given and contains the (encrypted) text:

 AIDS R.2A - Welcome to Frog's Alley !, (c) STPII Laboratory - Jan 1990..


                                  Fu Manchu

The author of the Fu Manchu virus seems to have intended to write one of
the most humorous viruses around.  He started with the Jerusalem virus,
removed the harmful part of it and added several new features:

The virus will censor the text the user types, deleting two four letter
words.

It will also take action if the user types "Thatcher", "Reagan", "Botha",
or "Waldheim".  In those cases it will add comments to the text.

When Ctrl-Alt-Del is pressed, the virus will display the message

                 The world will hear from me again!

In other respects the virus is similar to the Jerusalem virus.  It will
infect both .EXE and .COM files, making them grow by about 2086 bytes.

 
                                   Fumble
 
The "Fumble" virus is a small, memory resident .COM infecting virus that
will generate typing errors, every now and then.  That is, if you press
the "R" key for example, it will occasionally insert another letter like
"E" in the text instead.  The only unusual feature of this virus is that it
will only infect programs on odd-numbered days.

Infected .COM files grow by 867 bytes.


                                G-virus

A .COM infecting virus of German origin, that will sometimes ask the user a
question and not run the infected file unless the answer is "4711", which
is the name of a perfume.  This virus will look for COMMAND.COM and infect it
unless it is already infected.  Infected files grow by 765 bytes.  In the
most common variant of the virus the questions have been overwritten with
garbage.  An earlier variant, 731 bytes long is also known.


                                Gergana

A simple 182 byte non-resident virus of no particular interest.  It is
not able to infect programs smaller than itself, and will destroy them.


                               GhostBalls

This virus was written in Iceland and first discovered there in October
1989.  It contains the following text strings:

                   GhostBalls, Product of Iceland
                   Copyright (c) 1989, 4418 and 5F19

It will infect .COM files, making them grow in size by 2351 bytes.
Basically it is just the Vienna virus - the variant in the book by Ralf
Burger to be specific, with an extra twist.  When an infected program is
run, the virus will search for other programs to infect, but also try to
place a modified copy of the Ping-Pong virus on the diskette in drive A,
provided it is a 360K diskette.  This Ping-Pong variant has been changed,
so that it is not infectious, but it will also work on a '286 machine.
This modified boot sector is not a virus, but F-DISINF will remove it.


                                 Guppy

This is a simple, 152 byte virus, which only infects .COM files, and may
infect the same file over and over.  Like the Kennedy virus, it will only
infect files starting with a JMP.


                               Hallchen

This is a .COM and .EXE infector, probably written in W-Germany. It
contains two text strings:

                     Hallchen !!!!!!, Here I'm..

                         Acrivate Level 1..

This virus is a bit unusual in some ways - for example it will not infect
"old" files.  If the value of the "month" or "year" fields in the
timestamp is different from the current date, the file will not be
infected.

The virus does not modify the creation date when it infects a file,
and like most other viruses it is easily able to defeat the read-only
attribute.  It will only infect files larger than 5000 bytes, increasing
their length by 2011 bytes.

The major effect is reported to be garbling of keyboard input.


                                Hero

A primitive 506 byte virus, which is not a serious threat: infected
programs are corrupted because of an error and are therefore not able to
replicate.  This might be corrected in a later version, though.


                           Horse (Naughty Hacker)

This is a family of 8 viruses from Bulgaria, reported to be written by
a person named Martin Harizanov.  The viruses can be divided into two
groups, the first containing variants 1, 2, 2B and 7 and the second
containing variants 3, 4, 5 and 6.  The viruses have not been analysed fully,
but do not appear to be particularly interesting.


                               Icelandic

This virus was first found in Iceland in June '89.  It only infects files
with names ending in .EXE.  When an infected program is run, it will hide
in memory by directly manipulating the Memory Control Blocks.  Programs
that watch out for any program "going TSR" will therefore not be able
to catch it.  

This virus will mark one cluster on the hard disk as bad, every time it
infects a file.

A minor variant of this virus was later found in Saratoga, and a radically
modified version appeared in Iceland in July '89.  This new version
(Icelandic-2) does not use INT 21 calls like the original, but instead
makes direct JMPs into the operating system.  This means that many
protection programs will be unable to catch it.  Icelandic-1 is 656 bytes
long, Saratoga is 642 bytes but Icelandic-2 adds 632 bytes to any file it
infects.  Actually the file may grow a bit more because all the viruses
will first pad the file so the length becomes a multiple of 16 bytes.


                              Incom

This is a 648 byte encrypted virus, which contains the string "INCOM".
Not yet analysed.


                             Internal

A 1381 byte .EXE-infecting virus, which may occasionally garble the
screen and display a fake error message.


                              Itavir

This is a fairly long, 3880 byte, Italian EXE file infector.  The virus
is reported to activate after the system has been left running for at
least 24 hours.  It will then corrupt the boot sector, write out a message
in Italian, and start writing random values to all I/O ports.  This is
reported to cause a "hissing" sound from some VGA monitors.


                              Jeff

This virus may be related to the 'Klaeren' virus - at least it contains
the same "bug", which prevents it from successfully infecting any file
larger than around 4000 bytes.  Otherwise this 812 byte virus is not
remarkable in any way.
