4096
Aliases: Frodo, 4K, 100 year, Stealth virus, IDF
Synopsis: Resident, stealth infector of .COM, .EXE and overlay files.
Damage: Corrupts files and hangs the PC.
Symptoms: Cross-linked and damaged files.
Details:
This virus damages your files in at least two ways. First, it will accidentally infect data files causing irreparable damage to those files. Second, it will cross-link files on your disk, working very slowly so the damage is generally not obvious until an enormous number of files have been corrupted. This damage is frequently mistaken for hardware problems. 4096 will set the date of infected files 100 years from the original file date. This is how it determines that it has already infected these files. Simply doing a directory listing will not reveal the fact that these dates have changed since only two digits of the year are normally displayed in a directory listing. All infected files grow by 4096 bytes but the virus hides these changes by using its stealth capabilities. If you attempt to read an infected file with 4096 resident in memory, you will see only the original uninfected file. It also locates the original interrupt 21 hex and 13 hex addresses in order to bypass resident monitor programs. Programs will be infected when they are executed or read. You can use 4096's stealth capabilities to make it disinfect itself by copying executable files to non-executable file names (e.g., COPY Z.EXE Z.XEX). Do not depend on this, since future variants may not share this property.
1575
Aliases: Green Caterpillar, 1591
Synopsis: Resident infector of .COM and .EXE files
Symptoms: Green caterpillar, slow response to the DIR command and time stamp changes.
Details:
Two months after it first infects your PC, this virus will produce a crude graphic of a green caterpillar moving across your screen. It is not known to cause any deliberate damage to your PC beyond infecting your files. 1575 will infect additional files when you issue a DIR or COPY command. It was first detected in January of 1991 in Canada.
AirCop
Synopsis: Resident infector of floppy DOS boot sectors
Damage: Inadvertent damage to some files on diskettes
Symptoms: Messages, damaged files, less total memory and PC hangs
Details:
Aircop infects only DOS boot sectors on diskettes. It saves the original boot sector near the end of the disk, causing loss of data if this space is in use by a file or directory. It decreases free memory by 1024 bytes and will at random intervals display the message: "Red State, Germ Offensive. AIRCOP." or (variant B) simply "This is Aircop." This virus is fairly buggy and will frequently hang your PC.
Alameda
Aliases: Yale, Merritt
Variants: Golden Gate, SF
Synopsis: Resident infector of floppy DOS boot sectors
Damage: File corruption
Symptoms: Decrease in total memory and possible damaged files
Details:
Alameda was not written to be deliberately destructive. The original version damaged files when it would relocate the original DOS boot sector to track 39, sector 8 on 360K diskettes. This would damage any file already using this location. There are now deliberately destructive variants of this virus known as Golden Gate and SF that will deliberately format your hard disk after infecting enough diskettes.
AntiCMOS
Aliases: ReadIOSYS, Lixi
Synopsis: Resident DOS boot sector and partition sector virus
Damage: Corruption of CMOS
Symptoms: Less total memory and PC hangs
Details:
AntiCMOS is memory resident and will infect any floppy accessed. Unlike Stoned, it does not save a copy of the original boot sector. It contains the string "I am Li Xibin!"
AntiEXE
Aliases: D3
Synopsis: Destructive, resident DOS boot sector and partition sector virus
Damage: Inadvertent damage to diskette files and deliberate damage to .EXE files
Symptoms: Damaged files, less total memory and PC hangs
Details:
AntiEXE deliberately damages .EXE files by changing the first byte of the file. Like Stoned, it will cause damage to any infected floppy that contains more than just a few files. This virus is memory resident and will infect any floppy accessed. AntiEXE remaps the disk interrupt (Int 13h) to avoid resident monitoring programs but has no stealth capabilities.
Appder
Aliases: WM/Appder, WordMacro.Appder, WM/NTTHNTA
Synopsis: Infector of MS Word Documents/Templates
Symptoms: Deletes files
Details:
This virus infects users of MS Word. It infects the global macros (file NORMAL.DOT), placing macros Appder and AutoClose in this file. Any document opened or saved will become infected with Appder. Appder also copies the Appder macro to AutoOpen in infected documents (but not the global template). Appder creates an "NTTHNTA=##" line in the "[MicroSoft Word]" section in WINWORD.INI. This "##" value is a counter that is incremented until 20 files have been infected, at which point Appder deletes a number of files (*.EXE, *.COM, *.TTF, and *.FOT) from the C:\Windows and C:\DOS directories.
Atom
Aliases: WM/Atom, WordMacro.Atom
Synopsis: Infector of MS Word Documents/Templates
Symptoms: Encrypts documents and deletes files
Details:
This virus infects users of MS Word. It infects the global macros (file NORMAL.DOT). Any document opened or saved will become infected with Atom. Atom contains the macros Atom, AutoOpen, FileOpen, and FileSaveAS (there are also German variants of Atom that use the German names for the macros AutoOpen, FileOpen, and FileSaveAS). If the system clock shows 13 seconds, Atom will set the document password to ATOM#1. When opening an infected document on December 13th of any year, Atom will delete all files in the current directory.
Avispa
Synopsis: Destructive, resident infector of .EXE files
Damage: Random corruption of data read from hard disk
Symptoms: Damaged files and PC hangs
Details:
Avispa infects .EXE files when they are executed. It will (based on a timer-related trigger) replace data in the DOS disk buffers with its own text (containing references to Elijah Baley and Republica Argentina). Avispa sets the seconds field of infected files to zero.
Azusa
Aliases: Hong Kong
Synopsis: Resident infector of floppy DOS boot sectors and hard disk partition sectors.
Damage: File corruption, failure of serial ports or printer
Symptoms: Damaged files, 1024 fewer bytes total memory, failure of COM1 and LPT1.
Details:
Azusa will infect any diskette upon which you attempt to write and immediately infect any hard disk. Azusa does not deliberately damage data but because (like Stoned) it does not understand current diskette formats it will corrupt anything other than a 360K floppy. On a diskette, this virus will attempt to locate the original DOS boot sector on sector 8 of track 40. The last track on a 360K diskette is normally track 39. On larger capacity diskettes, track 40 may be in use by files, so on these diskettes, Azusa is likely to cause damage. On hard disks, Azusa does not save the original partition sector at all. The most common variant of Azusa will disable COM1 and LPT1 after counting 32 boots. This means that your serial port (e.g., modem or mouse) and printer will suddenly quit working. Cross-linked files and system hangs are symptoms of some less common versions of Azusa.
BackForm
Aliases: Backformat
Synopsis: Resident infector of .EXE and .COM files
Damage: Random data corruption
Symptoms: Unreadable diskettes
Details:
Backform infects .COM and .EXE files when they are executed. It will infect COMMAND.COM without increasing its length. Backform modifies the SFT of floppies so that sectors are written in reverse order when the floppy is formatted.
Bandung
Aliases: WM/Bandung, WordMacro.Bandung, Concept.J, Tedius
Synopsis: Infector of MS Word Documents/Templates
Symptoms: Deletes files on drive C:
Details:
This virus infects users of MS Word. It infects the global macros (file NORMAL.DOT). Any document opened will become infected with Bandung. After 11 AM on the 20th and later days of the month, Bandung will delete files on drive C:. Bandung overrides the Tools/Customize and Tools/Macro menu items. The code to handle these menu items causes error messages but Bandung will change the "a" characters in the document to "#@". Bandung contains AutoExec, AutoOpen, FileSave, FileSaveAs, ToolsMacro and ToolsCustomize macros.
Barrotes
Synopsis: Destructive resident infector of .EXE and .COM files
Damage: Overwrite the partition sector
Symptoms: Apparent disk failure, PC hangs
Details:
This is a family of memory resident .COM and .EXE infectors. The most common variant overwrites the partition sector on January 5th. This causes the hard disk to appear to be unreadable but simply replacing the partition sector will correct the problem.
Bloody!
Synopsis: Resident infector of floppy DOS boot sectors and hard disk
Aliases: Beijing, June 4th
Damage: File corruption
Symptoms: Damaged files, 2048 fewer bytes total memory and message
Details:
After counting 128 boots, Bloody! will display the message: "Bloody! Jun. 4, 1989". This is the date that Chinese students were killed in a confrontation with the Chinese Army in Beijing. On hard disks, Bloody! will save the original partition sector in cylinder zero, track zero, sector six. On floppies, it will overlay part of the directory with the original boot sector, thereby potentially damaging existing files.
Boom
Aliases: WM/Boom, WordMacro.Boom
Synopsis: Infector of MS Word Documents/Templates
Symptoms: Renames menus used by MS Word
Details:
This virus infects users of German MS Word. It infects on opening documents (using the AutoOpen macro) and on saving documents (DateiSpeichernUnter). Boom contains an AutoExec macro that is triggered at time 13:13:13; it renames the menus and displays the text "Mr. Boombastic and Sir WIXALOT".
Boot-437
Aliases: 437, Bad div
Synopsis: Resident infector of DOS boot sectors
Damage: Floppy file corruption
Symptoms: Damaged files, and fewer bytes total memory
Details:
Boot-437 infects DOS boot sectors on first access. On the hard disk it moves the original boot sector to sector six of track zero; on floppies it does not save the original boot sector.
Bootexe
Aliases: BFD-451, BootExe-396/451/Stalker
Synopsis: Resident infector of .EXE files and boot sectors
Damage: File corruption
Symptoms: Damaged files, PC hangs, GPFs, and fewer bytes total memory
Details:
BootEXE is a family of related viruses that infect .EXE files as well as partition sectors and floppy DOS boot sectors. The virus works by intercepting the BIOS disk interrupt (Int 13h) and infecting files at the sector level. It will infect when a sector begins with the "MZ" .EXE file signature. It overwrites the .EXE file header (essentially converting the file to a COM type executable) with its own code. There is no change to the file name or length as a result of this infection. BootExe-451 is the most common variant.
Brain
Aliases: Pakistani-Brain
Variants: Shoe, Ashar, Nipper
Synopsis: Resident, stealth infector of floppy boot sectors
Damage: File corruption
Symptoms: Bad clusters, changes to the volume label
Details:
Brain is one of the oldest known PC viruses (discovered in 1986). The original Brain virus infected only floppy DOS boot sectors and was not intended to cause any harm. The bulk of the virus code along with the original boot sector are written to several clusters that are marked as bad in the FAT. (If you do a CHKDSK, you will see additional bad clusters.) Brain also changes the volume label to be "(c) Brain". This will show up anytime you do a "DIR" on an infected diskette. There are now variants of Brain that do not change the diskette label or change it to something else (e.g., "(c) Ashar"). Brain is the first stealth virus; if you try to read the infected boot sector, Brain will return the original boot sector so the PC appears uninfected. There are now variants of Brain that will also infect the hard disk and occasionally do deliberate damage. The original Brain virus contained this message:
Welcome to the Dungeon
(c) 1986 Basit & Amjad (pvt) Ltd.
Brain Computer Services
730 NIZAB BLOCK ALLAMA IQBAL TOWN
LAHORE-PAKISTAN
PHONE :430791,442348,280530
Beware of this VIRUS
Contact us for vaccination
Buero
Aliases: WM/Buero, WordMacro.Buero
Synopsis: Infector of MS Word Documents/Templates
Symptoms: Renames IO.SYS to IIO.SYS
Details:
This virus infects users of German MS Word. It infects the global macros (file NORMAL.DOT). Any document opened will become infected with Buero. Buero will rename the DOS system file IO.SYS to IIO.SYS preventing the system from booting. Buero also deletes *.DOC files.
Byway
Aliases: HndV, TheHnd, Dir2.Byway
Synopsis: Resident polymorphic infector of .COM and .EXE files
Symptoms: CHKDSK errors, music and a message
Details:
This is a resident 2048 byte polymorphic virus that infects files using the same technique used by DIR2. It spreads very quickly. If the virus is not resident in memory, Scandisk or CHKDSK will show severe errors. Byway creates a hidden system file in the root directory containing the virus code, called "CHKLIST .MS", where the blank is actually a hex FF character. This filename is similar to that used by Microsoft Anti-Virus. Depending upon a generation counter, the virus activates on one day of every month and plays a tune and then displays:
TRABAJEMOS TODOS POR VENEZUELA !!!'
Cansu
Aliases: Sigalit, V-Sign
Synopsis: Resident DOS boot sector and partition sector virus
Damage: Inadvertent damage to diskette files.
Symptoms: Damaged files, less total memory, "V" shaped graphic
Details:
Cansu will display a "V" shaped ASCII graphic and hang the PC after infecting 64 diskettes. Cansu will cause damage to any infected floppy that contains more than just a few files. Unlike most other boot sector viruses, Cansu does not save a copy of the original boot sectors.
CAP
Aliases: WM/Cap, WordMacro.CAP
Synopsis: Infector of MS Word Documents/Templates
Details:
CAP consists of one macro named "CAP" and a variable number of other macros (e.g., AutoExec, AutoClose, AutoOpen, FileClose, FileOpen, FileSave, FileSaveAs, FileTemplates, and ToolsMacro) which may or may not be present in any particular infection. This makes it difficult to determine exactly which macros are part of the virus. When CAP infects a document, it deletes any macros present in the global template (NORMAL.DOT) and then copies its own macros to the global template. CAP determines the names used by the MS Word menus and creates macros to override some of these menu items. (This creates different macro names in English and non-English versions of MS Word.) CAP identifies its own set of basic macros by looking for "F%" at the beginning of each macro's description field. In spite of this precaution, CAP sometimes drags non-viral macros along with its own macros. CAP removes the Tools/Customize and Tools/Macro menu items.
Cascade
Aliases: Falling letters, 1701, 1704
Variants: Cascade-Format
Synopsis: Resident infector of .COM files.
Damage: No deliberate damage except for the "Format" variant
Symptoms: System hangs and letters fall from top to bottom of the screen
Details:
There are quite a few known variants of Cascade. They all go resident in memory and infect programs that are executed. The trigger for the cascading letters effect is complex and depends upon random numbers, the date and, optionally, the video adapter. The original Cascade was designed to trigger between October and December 1988. Most Cascade variants are not designed to be harmful but they will occasionally crash the PC and are known to damage files with a length of more than 63576 bytes. The Cascade-format variant will format your disk when it activates in October through December of any year. Most Cascade variants add either 1701 or 1704 bytes to infected files.
Chinese Fish
Aliases: ChnFish, Fish Boot
Synopsis: Resident stealth DOS boot sector and partition sector virus
Symptoms: Less total memory, message display, frequent hangs and GPFs.
Details:
A run-of-the-mill Stoned style boot sector virus with stealth capability. On activation the virus displays a message announcing "Hello! I am FISH, please don't kill me. Congratulate 80th year of the Republic Of China Building"
Clock
Aliases: WM/Clock, WordMacro.Clock
Synopsis: Infector of MS Word Documents/Templates
Symptoms: Time date display
Details:
This virus infects users of German MS Word. It infects the global macros (file NORMAL.DOT). Clock contains eleven encrypted macros. Any document opened or saved will become infected with Clock. At certain times Clock will display a box containing the time and date.
Colors
Aliases: WM/Colors, WordMacro.Color, Colours
Synopsis: Infector of MS Word Documents/Templates
Symptoms: Change in colors used by Windows
Details:
This virus infects users of MS Word. It contains the following encrypted macros: AutoClose, AutoExec, AutoOpen, FileExit, FileExit, FileNew, FileSaveAs and ToolsMacro. Colors keeps a counter called "countersu" in the "[windows]" section of the WIN.INI file. After the counter reaches 300, Colors will alter the "[colors]" section in the WIN.INI file to set random colors for the windows components. These new colors appear after Windows is restarted. Colors disables the Tools/Macros command in MS Word.
Concept
Aliases: WM/Concept, WordMacro.Concept, Prank, Parasite
Synopsis: MS Word Macro virus
Symptoms: Box with "1" AAAXFS and other extra macros
Details:
This is the very first macro based virus to spread in the wild.
Crazy Boot
Synopsis: Resident stealth DOS boot sector and partition sector virus
Damage: Corrupted files on floppies
Symptoms: Less total memory, message display
Details:
Yet another Stoned style boot sector virus with stealth capability. This virus will cause damage to files on floppies. On activation the virus displays a message announcing:
Don't play with the PC !
Otherwise you will get in 'DEEP,DEEP' Trouble !....
Crazy Boot Ver. 1.0
DA'BOYS
Aliases: Da_Boys
Synopsis: Resident infector of DOS boot sectors
Details:
This virus infects DOS boot sectors on both floppies and hard disks. This virus causes crashes on some PCs but works smoothly on most PCs. It is a single sector virus and does not save the original DOS boot sector.
Dark Avenger
Aliases: Eddie, Black Avenger
Synopsis: Damaging, resident infector of .COM and .EXE files
Damage: Potential damage to all data
Symptoms: Damaged files, CHKDSK errors
Details:
This Bulgarian virus was written to deliberately cause serious damage to your data. It will write garbage to random sectors on your disk. The most common variant will write a random sector after every 16th file it infects. It contains the message "Eddie lives...somewhere in time!" and "This program was written in the city of Sofia".
Delwin
Synopsis: Resident stealth infector of .EXE files and partition sectors
Symptoms: Reduced maximum memory, trembling screen display.
Details:
This memory resident virus infects partition sectors and .EXE files. It will infect any .EXE files larger than 3072 bytes upon file open and will infect the partition sector upon execution of an infected file. Delwin marks infected programs by setting the seconds field of the time stamp to 62. Upon activation Delwin will cause vertical trembling of the display and it will sometimes deny execution to WIN.COM (actually any WI*.* program).
Diehard
Aliases: Die_Hard, DH2, Die Hard 2
Synopsis: Resident stealth infector of .COM and .EXE files
Symptoms: Screen display and disk errors
Details:
This memory resident virus infects .COM and .EXE files. It will infect any file opened or executed. It will overwrite .PAS or .ASM files with a small program which would display D1h, A5h on the screen. It refuses to write to files on certain days and displays the message "SW Error". It sometimes displays "SW" in big violet sliding letters at the center of the screen.
Disk Killer
Aliases: Ogre, Computer Ogre
Synopsis: Destructive, resident infector of DOS boot sectors
Damage: Damage to individual files and entire disk
Symptoms: Bad clusters, file damage, message
Details:
Disk Killer will activate about 48 hours after infecting a disk. At this point it will display a message announcing itself as "Disk Killer" by "Computer Ogre" and it asks you not to turn off your PC. It then trashes your disk by encrypting your data using an exclusive-or. Once resident, Disk Killer will immediately infect any disk that you access by replacing the boot sector and locating the remainder of the virus code in several clusters that it will mark as bad in the FAT. This will damage any files that were using these clusters on your disk.
Divina
Aliases: WM/Divina, WordMacro.Divina, Infeczione
Synopsis: Infector of MS Word Documents/Templates
Symptoms: Message box
Details:
This virus infects users of MS Word. It infects the global macros (file NORMAL.DOT). It contains one encrypted macro (AutoClose). Depending upon the system clock, Divina will display one of several message boxes with references to "DIVINA" or "ROBERTA". The virus also suggests that the hard disk is damaged and doing a low level format. (Both statements are untrue.)
Espejo
Aliases: 15_Years, Mongolian
Synopsis: Destructive, resident DOS boot sector and partition sector virus
Damage: Overwrites disk
Symptoms: PC Hangs, keyboard errors
Details:
Yet another virus very similar to Stoned but with destructive activation. It contains code to change keyboard input and on April 7th, it overwrites disk sectors with the string:
Esto te pasa por programas que a nosotros nos cuesta tanto
trabajo hacer. Que te quede de Expeiencia, Mexico,1994.
EXEbug
Aliases: CMOS virus, Swiss Boot, EXE_Bug
Synopsis: Destructive, resident DOS boot sector and partition sector virus
Damage: Loss of all data on hard disk and data corruption on diskettes
Symptoms: CMOS corruption, damaged files, less total memory and PC hangs
Details:
EXEbug uses stealth techniques to hide its presence. It also changes CMOS so that the A drive is not present in an attempt to force your PC to boot from your hard drive (where the partition sector is infected by the virus). This technique fails on most PCs but does corrupt the CMOS. If the PC is booted from diskette, the hard drive will appear to be inaccessible since the partition sector does not appear to be valid. EXEbug will cause damage to any infected floppy that contains more than just a few files. It will infect any floppy accessed. EXEbug will modify some .EXE files so that when they are executed, they will overwrite the hard disk.
Flip
Synopsis: Resident stealth infector of partition sectors and files
Damage: Causes file corruption if "CHKDSK /F" used
Symptoms: Horizontal flip of screen, CHKDSK errors
Details:
On EGA or VGA systems, Flip uses an alternate character set to make the screen appear to flip horizontally. For the most common variant this occurs on the second day of the month between four and five PM. Flip attempts to make infected files appear to have their original length; this causes CHKDSK (and similar programs such as NDD or DISKFIX) to report errors. If you ask one of these programs to fix the problems that it is reporting (e.g., "CHKDSK /F"), it will cause file linkage errors and file corruption. This is not a problem if you boot from a diskette with a clean copy of DOS before running one of these programs. Scanners frequently detect this virus in Central Point's Anti-virus because this product contains an unencrypted fragment of Flip.
Form
Synopsis: Resident infector of DOS boot sectors
Damage: Occasional damage
Symptoms: Clicking sounds from PC
Details:
On the 18th day of any month, Form will cause a clicking sound and slow response to key presses. Form stores the original boot sector on the last track of the disk damaging any file which might be using that sector. On floppies, it stores the original boot sector in a cluster marked as bad in the FAT. The boot sector will contain the text:
"The FORM-Virus sends greetings to everyone who's read this text."
Hellween
Alias: Helloween
Synopsis: Resident infector of .COM and .EXE files.
Symptoms: Display of messages and file growth
Details:
This virus infects .COM and .EXE files upon execution. The most common variant adds 1376 bytes to infected files and displays a message on November 1st.
Helper
Aliases: WM/Helper, WordMacro.Helper
Synopsis: Infector of MS Word Documents/Templates
Symptoms: Encrypts documents
Details:
This virus infects users of MS Word. It contains only one macro (encrypted) AutoClose. It infects documents and NORMAL.DOT when a document is closed. On some dates, it sets the document password to "help".
Hot
Aliases: WM/Hot, WordMacro.Hot
Synopsis: Infector of MS Word Documents/Templates
Symptoms: Deletes documents
Details:
This virus infects users of MS Word 6 only. It contains the encrypted macros: AutoOpen, DrawBrubgUbFrIytm, FileSaveAs, InsertPBreak, and ToolsRepaginat. Hot inserts "QLHOt=nnnn" (where nnnn is a numeric trigger value) into the WINWORD6.INI file. Depending upon the current day and the trigger value, Hot will delete files.
Hybrid
Aliases: WM/Hybrid, WordMacro.Hybrid
Synopsis: Infector of MS Word Documents/Templates
Details:
This virus infects users of MS Word. It contains three macros: AutoOpen, AutoClose and FileSaveAs (infecting documents on opening and saving).
Imposter
Aliases: WM/Imposter, WordMacro.Imposter
Synopsis: Infector of MS Word Documents/Templates
Symptoms: Message box
Details:
This virus infects users of MS Word. It infects the global macros (file NORMAL.DOT). Any document saved will become infected with Imposter. Imposter is contained in macros called AutoClose and FileSaveAS that execute when a user saves a document. Imposter will display a message box containing "DMV". Imposter contains code from the Concept virus.
Invader
Aliases: AntiCAD.4096.Mozart
Synopsis: Destructive, resident, infector of programs, DOS boot sectors and partition sectors.
Damage: Overwrites low tracks on disk
Symptoms: Music or noise from speaker
Details:
Invader installs itself as a resident program in low memory occupying a little over 5000 bytes. The most common variant will start to play music 30 minutes after becoming resident. If you boot your PC while it is playing music, Invader will overwrite the first track on your disk. Some variants will do this after a specific number of keystrokes or if you execute the ACAD program (a computer-aided design program).
J&M
Alias: Jimi, Hasita, Stoned.J&M
Synopsis: Destructive, resident infector of DOS boot sectors on diskettes and partition sectors
Damage: Overwrites low tracks on the hard disk
Details:
Yet another destructive virus based on Stoned. On November 15th, J&M will overwrite the low tracks on the hard disk.
Jerusalem
Aliases: 1813, Israeli, Friday 13th, Black Box
Variants: Anarkia, Apocalypse, Barcelona, Captain Trips, Discom, GP1, Messina, Mule, Nemesis, Payday, Slow, Zerotime
Synopsis: Resident infector of programs and overlays
Damage: Deletes files on activation
Symptoms: Black box appears and PC slows dramatically
Details:
Jerusalem is the most common file-infecting virus according to our reports. A tremendous number of variants have been created to fool scanners and to change the effects of this virus. It commonly installs itself as a resident program (TSR) in low memory occupying slightly less than 2000 bytes. The most common variants will delete any program that you execute on Friday the 13th. One variant (Payday) will delete programs on any Friday but the 13th. Some variants (e.g., Clipper, Discom, GP1) will damage uninfected files. Infected .COM files will grow by 1813 bytes while .EXE files may be infected multiple times, sometimes overwriting parts of the original program. Jerusalem also damages .COM files larger than 63,466 bytes. Slow (Zerotime) is an encrypted version of Jerusalem that causes frequent system hangs.
Johnny
Aliases: WM/Johnny, WordMacro.Johnny, Go Johnny
Synopsis: Infector of MS Word Documents/Templates
Symptoms: Message on status line
Details:
This virus infects users of MS Word. It infects the global template through its AutoOpen macro. Any document saved (using the virus FileSave and FileSaveAs macros) will become infected with Johnny. Johnny will display "Starting AutoSave" on the Word status line. The virus contains the comment:
Our Devise - A copy of "Go Johnny Go" on every computer !
Joshi
Synopsis: Resident, stealth infector of DOS boot sectors and partition sectors
Symptoms: Message and decreased total memory
Details:
CHKDSK will report over 6000 fewer bytes total memory when Joshi is resident. Joshi will use stealth techniques to make partition sectors appear to be uninfected. On January 5, Joshi will display the message: "Type Happy Birthday Joshi" and wait for you to type this phrase. There is one variant (Joshi-B) that does not display this message. Joshi carefully stores the bulk of its code by formatting an additional track at the end of diskettes. On a 360K diskette, it will create a 41st track (known as track 40) on what would normally be a 40 track diskette. On hard disks, Joshi stores the original partition sector in sector nine of track zero, cylinder zero. This causes problems on a few hard disks that utilize this sector.
Jumper
Alias: 2K, SillyBop, French Boot, EE
Synopsis: Resident infector of DOS boot sectors on diskettes and partition sectors
Damage: Occasional file corruption
Details:
A resident infector of DOS boot sectors on floppies and hard disk partition sectors. It will display the epsilon character (hex EE) on the screen and can cause file corruption on floppies.
Junkie
Synopsis: Resident infector of boot sectors and .COM files
Symptoms: 3K less memory, failure to load and growth in .COM files
Details:
Junkie is a Swedish memory resident infector of hard disk partition sectors, floppy DOS boot sectors and .COM files larger than 5,000 bytes. Junkie will damage EXE type files that end with the .COM extension. Some infected .COM files will fail to execute (program too big to fit into memory).
Keypress
Synopsis: Resident infector of .COM and .EXE files
Symptoms: Repeated keys, loss of total memory, file time and date changes
Details:
At intervals (generally 30 minutes), Keypress will repeat any key that you press, giving the appearance of a stuck key. This effect generally lasts for only two seconds. Keypress allows DOS to update the time and date stamp of any file that it infects. It will damage any .COM file larger than 64,032 bytes that it infects. Total memory will be decreased by approximately 1000 bytes when Keypress is resident.
Laroux
Aliases: ExcelMacro.Laroux, XM/Laroux
Synopsis: MS Excel Macro virus
Details:
This is the very first Excel macro based virus to spread in the wild. It is still not very common but we are including it here because we get so many questions regarding it.
Leandro
Synopsis: Resident DOS boot sector and partition sector virus
Symptoms: Message appears, reduced memory
Details:
Another Stoned-like infector of hard disk partition sectors and floppy boot sectors. It is very common in South America. It reduces maximum memory by 4K and on October 21 displays:
Leandro and Kelly ! GV-MG-Brazil
You have this virus since mm-dd-yyyy
where mm-dd-yyyy is the date Leandro infected your PC.
Little Red
Aliases: LRed, Red Book, Mao
Synopsis: Stealth resident infector of .COM and .EXE files
Symptoms: Music, system slowdown and crashes
Details:
Infects .COM or .EXE programs on any access. It plays two Chinese tunes; one on Dec. 26th (Mao's birthday) and one on Sept. 9th (Mao's death). It reduces available memory by slightly less than 2K. It uses stealth techniques to hide its file changes.
Liberty
Aliases: Mystic
Synopsis: Resident infector of .COM and .EXE files.
Symptoms: Decrease in total system memory
Details:
CHKDSK will report over 8000 fewer bytes total memory with Liberty resident. Liberty is reported to also infect overlay files and boot sectors. Infected files contain the text "Liberty" and infected .COM files commonly contain the text "- M Y S T I C -".
Maltese Amoeba
Aliases: Irish, Grain of Sand, Amoeba (mistakenly)
Synopsis: Destructive, polymorphic, resident infector of .COM and .EXE files
Damage: Overwrites low tracks on disk on November 1 and March 15
Symptoms: Sluggish response to the DIR command, less total memory, and file time stamp changes.
Details:
This virus did considerable damage when it first activated in November of 1991 in the UK (illustrating the danger of depending upon scanners for anti-virus protection). It will infect files on either a DOS open or a load and execute (it infects any programs read or executed) but it avoids infecting COMMAND.COM. CHKDSK will report 4096 fewer bytes total memory if the virus is resident. Maltese Amoeba will refuse to infect if a couple of well-known resident monitor programs or the PSQR virus are present. On Nov 1 or March 15, it will overwrite low-numbered tracks on the hard disk and any diskettes, and hang the PC. On a subsequent boot, it will greet you with a display of the first four lines of Blake's "Auguries of Innocence" from the Pickering Manuscripts:
To see a world in a grain of sand
And a heaven in a wild flower,
Hold infinity in the palm of your hand
And eternity in a hour.
The Virus 16/3/91
The damaged partition sector will then contain this text:
AMOEBA virus by the Hacker Twins (C) 1991 This is
nothing, wait for the release of AMOEBA II - The
Universal infector, hidden to any eye but ours!
Dedicated to the University of Malta - the worst
educational system in the universe, and the
destroyer of 5X2 years of human life.
Integrity Master will detect the Maltese Amoeba as "Irish1" through "Irish6."
Mange_Toute.1099
Aliases: 1099
Synopsis: Resident infector of .COM and .EXE files
Symptoms: Occasional crashes
Damage: File damage
Details:
This is a memory resident infector of .COM or .EXE programs. The body of the virus is encrypted and contains anti-debug armoring.
Manzon
Synopsis: Polymorphic resident infector of .COM and .EXE files
Symptoms: Less available memory and obvious file growth
Details:
Manzon is a polymorphic memory resident infector of .COM or .EXE programs. Changes to infected files are obvious (no stealth at all) as date changes and growth of 1430 to 1500 bytes.
MDMA
Aliases: WM/MDMA, WordMacro.MDMA, StickyKeys
Synopsis: Infector of MS Word Documents/Templates
Symptoms: Message box
Details:
This virus infects users of MS Word. It infects the global macros (file NORMAL.DOT). Any document saved will become infected with MDMA. MDMA contains only one macro (encrypted) AutoClose. On the first day of any month, MDMA will display a message box announcing that you are infected with "MDMA_DMV. Brought to you by MDMA (Many Delinquent Modern Anarchists)." At the same time MDMA tries to corrupt the system files. It does this in different ways depending upon the version of the operating environment. Under Windows, it replaces the AUTOEXEC.BAT file with commands to delete all directories.
Michelangelo
Synopsis: Destructive, resident infector of boot sectors on diskettes and partition sectors on hard disks.
Damage: On March 6, it writes garbage over the beginning of the disk
Details:
On March 6, the Michelangelo virus (named after Michelangelo Buonarroti the Italian Renaissance artist, born March 6, 1475) will destroy all data on infected disks. It will store the original partition sector in sector seven of cylinder zero, track zero. On diskettes, Michelangelo will inadvertently damage the directory structure by hiding the original boot sector in the last sector occupied by the directory. Michelangelo reduces the amount of total memory on your PC by 2048 bytes.
Microbes
Synopsis: Resident infector of floppy DOS boot sectors
Symptoms: Hang during attempted boot
Details:
The Microbes virus developed in India infects only floppy boot sectors and does not appear to cause any deliberate damage.
Monkey
Synopsis: Resident, stealth infector of floppy boot sectors and partition sectors
Symptoms: Inaccessible hard disk after floppy boot, 1K less available memory
Details:
Monkey is unusual in that it completely replaces the partition sector with its own code. If you boot from a floppy the hard disk will be inaccessible since there is no valid partition table in the partition sector. If the virus is resident in memory, it will use stealth techniques to return the original unmodified partition sector.
MusicBug
Aliases: Music Boot, Music bug
Synopsis: Resident infector of DOS boot sectors and partition sectors
Damage: Inadvertent damage to some disks
Symptoms: Music and clicking sounds, lost clusters, decreased total memory
Details:
MusicBug generally waits about four months before it starts randomly playing music. When it infects your PC it will create lost clusters where it locates the bulk of the virus code. CHKDSK will report the existence of these lost clusters. These clusters will contain the text "MusicBug v1.06 MacroSoft Corp.". Since MusicBug does not correctly understand FAT structure, it will corrupt some disks.
Natas
Synopsis: Destructive polymorphic resident stealth infector of boot sectors and files
Symptoms: Reduced free memory
Damage: Overwrites the hard disk
Details:
Natas (by the author of Satan Bug) infects partition sectors on hard disks, floppy DOS boot sectors as well as both .COM and .EXE files. Natas uses stealth to hide its presence but unlike other stealth viruses it will disable the stealth when a known archiver (e.g., PKzip) is used. This prevents it from disinfecting itself when someone archives an infected file. Natas activates (overwriting the hard disk) when it detects a debugger or with a 1/512 probability when an infected file is executed.
Neuroquila
Aliases: Havoc, Wedding
Synopsis: Highly polymorphic resident stealth infector of boot sectors and .EXE files
Symptoms: Screen display, occasional crashes.
Details:
This virus infects partition sectors on hard disks, floppy DOS boot sectors and .EXE files. The original partition sector is encrypted so if the PC is booted from a clean diskette, the hard disk will not be accessible. On floppies the virus formats an extra track for its code. The virus uses stealth to hide its changes to the files and boot sectors. Neuroquila contains code to directly attack several anti-virus products. On activation, it displays the message:
<HAVOC> by Neurobasher'93/Germany-GRIPPED-BY-FEAR-UNTIL-DEATH-US-DO-PART-
Nightfall
Aliases: N8fall
Synopsis: Highly polymorphic resident stealth infector of .COM and .EXE files
Damage: Random corruption of files
Symptoms: Screen display, occasional crashes.
Details:
This virus is by the author of Neuroquila and is similar to that virus except it does not infect boot sectors. Integrity Master detects this virus as Neuroquila in files. On activation it displays its name as "N 8 F A L L"
Nomenklatura
Synopsis: Destructive resident infector of .COM and .EXE files
Damage: Severe random corruption of all areas of the disk.
Symptoms: CHKDSK errors, damaged files, less total memory
Details:
Nomenklatura deliberately causes random corruption to your disk. This damage could affect any location on your disk including the boot sector. It decreases total memory by 1024 bytes and increases the size of all infected files by this amount. This increase is not concealed.
NOP
Aliases: WM/NOP, WordMacro.NOP
Synopsis: Infector of MS Word Documents/Templates
Details:
NOP infects users of German MS Word. These are very simple viruses containing the macros DateiSpeichern and AutoOpen. Files (and NORMAL.DOT) are infected when opening a document.
Nov 17
Aliases: November 17
Synopsis: Resident infector of .COM and .EXE files
Damage: Loss of all data on hard disk
Symptoms: Occasional system hangs
Details:
The most common variant of Nov 17 infects any .COM or .EXE program that is executed or opened. It adds 855 bytes to the end of the program but preserves the original time and date stamps. On November 17th of any year, the virus will write garbage to the hard disk.
NPad
Aliases: WM/Npad, WordMacro.Npad, Jakarta
Synopsis: Infector of MS Word Documents/Templates
Symptoms: Message "D0EUNPAD94" appears.
Details:
This virus infects users of MS Word. It infects the global macros (file NORMAL.DOT). Any document opened will become infected with Npad. Npad contains one encrypted macro "AutoOpen". Once out of twenty-three infections Npad will display the scrolling text "D0EUNPAD94 v.2.21 (c) Maret 1996, Bandung, Indonesia" in the status line.
NiceDay
Aliases: WM/NiceDay, WordMacro.NiceDay
Synopsis: Infector of MS Word Documents/Templates
Symptoms: Message "Have a Nice Day" appears.
Details:
This virus infects users of MS Word. It is very closely based on Concept. It infects the global macros (file NORMAL.DOT). Any document opened will become infected with NiceDay. NiceDay contains four macros: Payload, AutoExit, AutoOpen (stored as Vopen in NORMAL.DOT), and AutoClose (stored as Vclose in infected files).
Nuclear
Aliases: WM/ShareTheFun, WordMacro.Nuclear
Synopsis: Infector of MS Word Documents/Templates
Symptoms: Text inserted about French Nuclear testing
Details:
See our report on Nuclear, which is part of our report on Concept.
NYB
Aliases: B1
Synopsis: Resident, stealth, DOS boot sector and partition sector virus
Damage: Diskette corruption
Symptoms: Reduced total memory, message and system hang
Details:
NYB infects floppy DOS boot sectors and hard disk partition sectors. NYB will hide from inspection using stealth techniques. NYB contains no messages or destructive payload, although it may cause file damage on floppies.
Ohio
Synopsis: Resident infector of floppy boot sectors
Damage: Inadvertently damages 1.2 MB and 3.5 inch diskettes
Symptoms: Reduced total memory, slow disk accesses
Details:
Ohio will only correctly infect 360K diskettes, resulting in damage to all other types of disks. If Ohio finds the Brain virus present on a diskette, it will remove it and replace it with itself.
One_Half
Aliases: 1/2, Slovak Bomber
Synopsis: Destructive polymorphic resident stealth infector of partition sectors and files
Damage: Encryption of disk
Symptoms: PC freezes, reduced available memory and message display
Details:
One_Half infects .COM and .EXE files in addition to hard disk partition sectors. It is highly polymorphic and some widely used scanners fail to detect all files infected by this virus. As soon as an infected program is run, the virus will infect the partition sector. After each boot from an infected partition sector, One_Half encrypts two cylinders beginning with the back of the disk. When the virus is in memory it decrypts on the fly, but without the virus active in memory the data appears in its encrypted form. When the virus thinks it has encrypted one half of the disk, it displays: "Dis is one half".
Parity Boot
Synopsis: Resident, stealth, DOS boot sector and partition sector virus
Damage: Diskette corruption
Symptoms: Reduced total memory, message and system hang
Details:
Another typical boot sector virus. Parity Boot will hide from inspection using stealth techniques and displays the message "PARITY CHECK" with a subsequent system hang. Any diskettes accessed with the virus resident in memory will be infected.
Pathogen
Aliases: SMEG
Related: Queeg
Synopsis: Polymorphic, destructive, resident infector of programs
Damage: Random sectors overwritten
Symptoms: Program growth, less available memory, disk corruption, message display
Details:
Pathogen is spreading rapidly world-wide but most reports are coming from the UK. This virus claims to use a toolkit called SMEG. Integrity Master identifies Pathogen and Queeg as SMEG and should identify any other viruses (e.g., QUEEG) which would use the SMEG tool-kit. Some scanners cannot detect Pathogen. The virus marks infected files by adding 100 years to the file date. On any Monday at 5PM this virus will write garbage to random sectors on the hard disk and then display this message:
Your hard-disk is being corrupted, courtesy of PATHOGEN!
Programmed in the U.K. (Yes, NOT Bulgaria!) [C] The Black Baron 1993-4
Featuring SMEG v0.1: Simulated Metamorphic Encryption Generator!
'Smoke me a kipper, I`ll be back for breakfast.....'
Unfortunately some of your data won`t!!!!!
Ping Pong
Aliases: Italian, Bouncing Ball, Bouncing Dot
Synopsis: Resident infector of boot sectors and partition sectors.
Symptoms: A bouncing ball appears, reduced total memory
Details:
The bouncing ball effect is triggered randomly a second after the system clock reaches a multiple of 30 minutes. The ball itself is the ASCII seven character that resembles a small rhombus. The original Ping Pong virus was discovered in March of 1988 and would only infect floppy disks. The version that is common today will also infect hard disk partition sectors. There is also a variant that does not have the bouncing ball effect. The virus will hide some of its code in an unused cluster that it marks as bad.
Predator
Synopsis: Resident stealth infector of boot sectors and files.
Symptoms: Unexpected reboots and program crashes.
Details:
This is a family of related viruses. Early Predator variants were simple resident .COM infectors. The most common variant, Predator.2448, is multipartite and infects hard disk partition sectors and floppy DOS boot sectors as well as .EXE and .COM files. It uses stealth to hide its boot sector changes but only hides time/date stamp and length changes in files.
Quicky
Aliases: Quicksilver
Synopsis: Resident infector of .EXE files
Symptoms: Reduced total memory
Details:
When resident in memory, Quicky infects by adding 1,376 bytes to any .EXE file that is executed from the hard disk.
Quox
Synopsis: Resident stealth floppy DOS boot sector and hard disk partition sector virus
Symptoms: Unreadable floppies
Details:
Quox uses stealth to hide its changes to the boot sector. Infected floppies are unreadable (but will still infect the hard disk if booted from) and may cause DOS to crash.
Rapi
Aliases: WM/Rapi, WordMacro.Rapi
Synopsis: Infector of MS Word Documents/Templates
Symptoms: Message box
Details:
This virus infects users of MS Word. It infects the global macros (file NORMAL.DOT). Any document opened or saved will become infected with Rapi. Rapi is a modified form of another Word macro virus. Rapi also overrides the MS Word Tools/Customise and Tools/Macro menus. It displays a message box with the text "@RAPI.KOM" and "Thank you for joining us!". Rapi has the Bandung payload of replacing "a" with "#@" in some infected documents. Rapi contains a series of macros beginning with RP (e.g. RpAe, RpFO, RpFS, RpTC, etc.) as well as AutoOpen, but because Rapi tends to lose some of its macros, we now have a large number of variants, most of which still replicate.
Ripper
Aliases: Jripper, Jack the Ripper
Synopsis: Destructive stealth resident DOS boot sector and hard disk partition sector virus
Damage: Slow file and directory corruption
Details:
Ripper uses stealth to hide its changes to the boot sector. The body of the Ripper virus is encrypted. Ripper causes random disk writes to be corrupted. It swaps two words in the disk write buffer. This type of corruption usually goes unnoticed (until damage is severe) unless an integrity checker is used.
S-Bug
Aliases: Sbug, Satan-Bug
Variants: FruitFly
Synopsis: Polymorphic, resident infector of .COM and .EXE files
Damage: Some programs are corrupted
Symptoms: Reduced total memory, file growth, and system hangs
Details:
This is a memory resident polymorphic file infector. It reduces available memory by about 9K. S-Bug is very buggy and will hang on many PCs. Many S-bug infected programs will also hang. S-bug removes the validation codes added to files by McAfee scan and Central Point's "immunize" function. FruitFly is another (totally different) virus that uses almost the same polymorphic encryption/decryption code as that used by S-bug. Integrity Master will identify FruitFly as S-bug.
Sampo
Aliases: 69, Turbo, Wllop
Synopsis: Resident DOS boot sector and hard disk partition sector virus
Symptoms: Reduced maximum memory, message display
Damage: File damage on floppies
Details:
Another Stoned-like boot sector virus. Sampo's payload consists of displaying a box of text in the upper right hand corner of the screen revealing the name of the virus.
ShareFun
Aliases: WM/ShareTheFun, WordMacro.ShareFun
Synopsis: Infector of MS Word Documents/Templates
Details:
See our full report on this virus.
Stealth Boot
Aliases: Stelboo, Stealth_Boot
Variants: Stealth_Boot.A/B/C, AMS
Synopsis: Resident, Stealth, DOS boot sector and partition sector virus
Damage: Inadvertent disk corruption
Symptoms: Message appears, reduced memory
Details:
This has become one of the most common viruses (the B and C variants) in the US. It is based on virus source code published in a book by a US company. Beyond its ability to conceal its presence on an infected system, this is a very non-exceptional boot sector virus similar to Stoned. When resident, it reduces total system memory by four thousand bytes. While it does not cause damage to the hard disk, we have numerous reports of corrupted files on infected floppies.
Stoned
Aliases: New Zealand, Marijuana
Variants: Angelina,Bravo,Bunny,Daniela,Dinamo,Donald Duck,Hawaii,LZR No_Int,Rostov,Sex Revolution,W_Boot
Synopsis: Resident DOS boot sector and partition sector virus
Damage: Inadvertent disk corruption
Symptoms: Message appears, reduced memory
Details:
Stoned (and its variants) is one of the most common viruses. There are countless variants of the Stoned virus and numerous "new" viruses have been written using "Stoned" as a base, including such viruses as Bloody! and Michelangelo. Stoned was not intended to do any damage, but because it writes the original boot sector into the area occupied by the directory (head one, track zero, sector three), it will damage most diskettes. It can infect 360K floppies with no harm unless the diskette contains more than 96 files in the root directory. Other types of diskettes are immediately damaged by Stoned. On hard disks, it saves the original partition sector to head zero, track zero, sector seven. Stoned most commonly displays a message along the lines of "Your PC is now Stoned." There are many variants that contain different messages (e.g., "Donald Duck is a lie" and "Sex Revolution") but essentially function the same way. CHKDSK will report 2048 fewer bytes of total memory with Stoned resident. Some PCs will occasionally hang.
Sunday
Synopsis: Destructive resident infector of programs and overlays
Damage: File corruption
Symptoms: Message appearing on Sundays and reduced total memory
Details:
This appears to be a variant of Jerusalem that was modified to display this message on Sundays: "Today is Sunday! Why do you work so hard? All work and no play make you a dull boy! Come on! Let's go out and have some fun!"
SVC
Variants: SVC 3.1, SVC 4, SVC 5, SVC 6
Synopsis: Resident infector of .COM and .EXE files and of partition sectors (SVC 6 only)
Damage: Some programs are corrupted
Symptoms: Reduced total memory, file growth, and system hangs
Details:
These are memory resident file infecting viruses. With the virus resident in memory, any program executed will become infected. SVC 6, in addition to infecting programs, will infect the partition sector of your hard disk.
Telecom
Aliases: Spanish Telecom, Telefonica, Campana, Kampana
Synopsis: Destructive, resident, stealth infector of boot sectors, partition sectors and .COM files.
Damage: Overwrites hard disks
Symptoms: Message, reduced total memory
Details:
This is a family of three related viruses that were written to protest the Spanish telephone company. The .COM infecting virus will deposit the partition sector virus onto your hard disk. The .COM infecting virus is relatively rare but the other system sector virus has spread rather widely. After 400 boots, it will overwrite your hard disks and display the message: "VIRUS ANTITELIFONICA." The .COM infecting virus marks infected files by setting the year of the file's date stamp ahead 100 years.
Tai-Pan
Aliases: Taipan
Variants: Tai-pan.438:Whisper, Tai-Pan.666:Doom2
Synopsis: Resident infector of .EXE files
Symptoms: Reduced available memory and file growth.
Details:
These are simple resident infectors of .EXE files smaller than 64K. Infected files grow by 438 or 666 bytes (no stealth). The 666 byte variant contains messages saying you have an illegal version of Doom2 and "Say bye-bye HD" but it is not deliberately destructive.
Tequila
Synopsis: Resident, stealth infector of partition sectors and .EXE files
Damage: Random corruption of files
Symptoms: Colorful display and reduced total memory
Details:
Tequila was written by two young brothers in Switzerland, who were later arrested for their efforts. Tequila infects both .EXE files and hard disk partition sectors. As soon as an infected program is run, the virus will infect the partition sector. It reduces total memory by approximately 3000 bytes. Tequila will cause file corruption on many systems but this seems to be a bug rather than deliberate. Four months after infecting the PC, Tequila will display a crude but colorful character-based Mandelbrot image. Infected files will grow by 2468 bytes and high sectors of a hard disk will contain some virus code including this text:
Welcome to T.TEQUILA's latest production.
Contact T.TEQUILA/P.o.Box 543/6312 St'hausen/Switzerland.
Loving thoughts to L.I.N.D.A
BEER and TEQUILA forever !
Tremor
Synopsis: Resident, stealth infector of partition sectors and .EXE files
Damage: Random corruption of files
Symptoms: File date changes, screen tremor effect, reduced total memory
Details:
Tremor will infect primarily .EXE files (but also COMMAND.COM). Tremor marks files it infects by adding 100 years to their date. Tremor is highly polymorphic, uses stealth, and will disable memory resident anti-virus products. Tremor directly disables the resident virus protection provided by MS DOS 6.0 (Vsafe) and Central Point Anti-virus. Upon activation, Tremor creates a tremor effect by making the characters on your screen appear to shake. At this point the PC usually hangs. Tremor waits about three months before it displays this behavior. Tremor contains the text:
-=> T.R.E.M.O.R was done by NEUROBASHER /
May-June'92, Germany <=-
and also the message:
.MOMENT.OF.TERROR.IS.THE.BEGINNING.OF.LIFE.
Friday 14th of May 1993 TREMOR was sent out in an infected PKUNZIP.EXE together with McAfee's Scan on Channel Videodat (the PRO-7 TV-program received primarily in Europe) via Astra Satellite, terrestrial broadcast and via cable. Thousands of people may have downloaded the virus from this broadcast. Since their PC would become infected when they used the infected PKunzip to extract Scan, this enabled TREMOR to spread quite widely in very little time.
TWNO
Aliases: WM/TWNO:TW, WordMacro.TWNO:TW, "Taiwan No. 1"
Synopsis: Infector of MS Word Documents/Templates
Symptoms: Deleted files and message boxes
Details:
TWNO was written in Taiwan and infects (exclusively) users of Chinese MS Word. It infects the global macros (file NORMAL.DOT). It contains only one macro, AutoOpen, but it copies this macro to two others, AutoNew and AutoClose, so a total of three (identical) viral macros will be found in infected documents. Any document created, opened or saved will become infected with TWNO. On the 13th of any month, TWNO inserts Chinese text and the text "NO.1 Macro Virus" into infected documents. On the 25th of any month, TWNO deletes the files in the \DOS and \Windows directories and displays the message "MERRY CHRISTMAS". On the 15th, TWNO deletes AUTOEXEC.BAT, COMMAND.COM, CONFIG.SYS, IO.SYS, and MSDOS.SYS, making the system unbootable.
Urkel
Aliases: Nwait
Synopsis: Resident, stealth infector of floppy boot sectors and partition sectors
Symptoms: Inaccessible hard disk, screen display, 2K less available memory
Details:
Urkel (like Monkey) completely replaces and encrypts the partition sector. If you boot from a floppy the hard disk will be inaccessible since there is no valid partition table in the partition sector. Urkel uses stealth techniques to return the original unmodified boot sector. At midnight Urkel reveals itself by displaying "Urkel".
Vacsina
Variants: The TP##VIR series of viruses, Yankee Doodle
Synopsis: Resident infector of programs
Symptoms: Beeps and music
Details:
Vacsina has over 50 known variants. Yankee Doodle, TP04VIR, TP06VIR, TP16VIR, and TP23VIR are among the variants. Early versions of this virus only infected .COM files and sounded a beep whenever a file was infected. Later versions now infect .EXE files as well as other executable file types. Some later versions, such as Yankee Doodle, play music. Yankee Doodle will often play at 5PM or when the PC is booted. An interesting aspect of Vacsina viruses is that they contain a version number system; if Vacsina detects an earlier version of itself in a file, it will remove that version and replace it with itself. It's also remarkable that Vacsina will also search out and remove copies of the Ping Pong and Cascade viruses!
Vienna
Aliases: Austrian, DOS62, UNESCO
Variants: Lisbon, Dr.Q, Parasite, Violator, Viperize, Arf, and many more
Synopsis: Nonresident infector of .COM files
Symptoms: System hangs and unexpected reboots
Details:
Vienna viruses typically add between 600 and 3000 bytes to each infected .COM file, although one variant (C-23693) is one of the largest viruses known. There are an overwhelming number of Vienna variants since the source code for this virus was printed in a book and widely distributed. Each time an infected program is executed, the virus will look for an uninfected program and infect that program before allowing the initial program to execute. To avoid reinfecting the same program, Vienna marks infected programs by setting the seconds field of the time stamp to 62. Since the seconds portion of the time stamp is not displayed by a DOS directory listing, this change usually goes unnoticed. Early Vienna versions damage (rather than infect) one of every six or eight programs by inserting instructions to force a reboot. When these programs are executed, the PC will reboot or hang and the program will never be executed. Since these programs are not infected by the virus but simply damaged, many people have no way of correcting or detecting this damage.
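The timestamp markers described in the Vienna, Pathogen, Telecom and Tremor entries (seconds set to 62, or the file date moved ahead 100 years) are invisible in a DIR listing but visible in the raw 32-byte FAT directory entries. The following is an added example, not code from this catalogue or from Integrity Master: it decodes directory entries from a constructed sample buffer and flags both markers. The function names, the sample entries and the "year 2080 or later" threshold are assumptions made for the illustration.

```python
import struct

ENTRY_SIZE = 32
ENTRY_FMT = "<8s3sB10sHHHI"   # name, ext, attr, reserved, time, date, cluster, size
ATTR_VOLUME_ID = 0x08          # also set in long-file-name entries (attr 0x0F)


def make_entry(name, ext, year, month, day, hour, minute, sec_field, size):
    """Build a constructed FAT directory entry (sample data for this example)."""
    time_word = (hour << 11) | (minute << 5) | sec_field      # seconds stored / 2
    date_word = ((year - 1980) << 9) | (month << 5) | day     # year stored - 1980
    return struct.pack(ENTRY_FMT, name.ljust(8).encode("ascii"),
                       ext.ljust(3).encode("ascii"), 0x20, b"\x00" * 10,
                       time_word, date_word, 2, size)


def parse_entries(raw):
    """Yield decoded entries, skipping deleted, label and LFN slots."""
    for off in range(0, len(raw) - ENTRY_SIZE + 1, ENTRY_SIZE):
        chunk = raw[off:off + ENTRY_SIZE]
        if chunk[0] == 0x00:          # end-of-directory marker
            break
        if chunk[0] == 0xE5:          # deleted entry
            continue
        name, ext, attr, _, t, d, _cluster, size = struct.unpack(ENTRY_FMT, chunk)
        if attr & ATTR_VOLUME_ID:
            continue
        base = name.decode("ascii", "replace").rstrip()
        suffix = ext.decode("ascii", "replace").rstrip()
        yield {
            "file": f"{base}.{suffix}" if suffix else base,
            "year": 1980 + (d >> 9),
            "seconds": (t & 0x1F) * 2,   # 5-bit field, 2-second resolution
            "size": size,
        }


def scan(raw, year_threshold=2080):
    """Return [(filename, [markers])] for entries carrying a timestamp marker.

    Assumption: a genuine DOS-era date (1980 onward) plus 100 years lands at
    2080 or later, so any year at or past the threshold is reported.
    """
    hits = []
    for entry in parse_entries(raw):
        markers = []
        if entry["seconds"] == 62:              # not a valid clock value
            markers.append("seconds-62")
        if entry["year"] >= year_threshold:
            markers.append("year+100")
        if markers:
            hits.append((entry["file"], markers))
    return hits


# Constructed sample directory: two clean files, one entry with the seconds
# field set to 62, one dated 100 years ahead, one deleted slot, end marker.
_deleted = b"\xE5" + make_entry("OLD", "COM", 2091, 1, 1, 0, 0, 31, 900)[1:]
SAMPLE_DIR = b"".join([
    make_entry("COMMAND", "COM", 1991, 4, 9, 5, 0, 0, 47845),
    make_entry("GAME", "COM", 1990, 6, 1, 12, 30, 31, 9216),
    make_entry("EDIT", "EXE", 2092, 3, 10, 9, 15, 4, 61440),
    make_entry("README", "TXT", 1992, 3, 10, 9, 15, 4, 1200),
    _deleted,
    b"\x00" * ENTRY_SIZE,
])

if __name__ == "__main__":
    for filename, markers in scan(SAMPLE_DIR):
        print(filename, ", ".join(markers))
```

Run this against directory sectors read from a disk image or after booting from a clean write-protected diskette, since a resident stealth virus can hide date and length changes from anything that reads through DOS.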
W_Boot
Aliases: Wboot
Synopsis: Resident infector of floppy boot sectors and partition sectors
Symptoms: Maximum memory reduced
Details:
Yet another Stoned-like boot sector virus.
Wazzu
Aliases: WM/Wazzu, WordMacro.Wazzu
Synopsis: Infector of MS Word Documents/Templates
Symptoms: Moved words within documents. The text "wazzu" inserted.
Details:
This virus infects users of MS Word. It infects the global macros (file NORMAL.DOT). Any document opened will become infected with Wazzu. Wazzu is contained in a macro called AutoOpen that executes whenever MS Word opens a new document. Wazzu has a dual payload: it rearranges one to three words within some infected documents, and in one of every four infections it inserts the text "wazzu" into the infected document. Some Wazzu variants (i.e. Wazzu.C) have omitted this payload. There is also a Wazzu variant with an unusual payload that tries to spread the virus via MS Mail.
UPDATE:
We have seen variants of Wazzu converted to the Word97 form. These have been reported in the wild but our tests do not confirm that these are actively spreading (yet). We do expect to see other Word97 viruses very shortly.
WelcomB
Aliases: Bupt_Boot
Synopsis: Resident infector of floppy boot sectors and partition sectors
Symptoms: Maximum memory reduced
Details:
Yet another Stoned-like boot sector virus. It contains the unencrypted text: "Welcome to BUPT 9146,Beijing!".
WXYC
Synopsis: Resident infector of DOS boot sectors
Symptoms: Maximum memory reduced by 2K and message display
Damage: Corrupted files on floppy
Details:
Like Form, WXYC infects DOS boot sectors (but not partition sectors). WXYC damages the directory by writing the original floppy boot sector to part of the floppy's root directory. At certain times, WXYC displays the message: "WXYC rules this roost!".