💾 Archived View for spam.works › mirrors › textfiles › virus › allvirus.vir captured on 2023-11-04 at 15:59:28.
PC VIRUS LISTING
By Jim Goodwin

This document is copyrighted, 1989, by Jim Goodwin. It may be freely distributed provided no changes, additions or deletions are made, and providing this copyright notice accompanies all copies.

I would like to thank John McAfee and the entire HomeBase users group for providing the raw materials for this document.

It is difficult to name, identify and classify PC viruses. Everyone who first discovers a virus will name it and describe what they think of it. In most cases, the virus is not new and has been named and described dozens of times before. None of the names and few of the descriptions will match. While I'm writing this, for example, I feel certain that someone, somewhere has just been infected by the Jerusalem virus and they are telling their co-workers and friends about it as if it were newborn - and for them perhaps it is. It will be impossible to verify the strain and variety of the infection, however, unless we can get a living sample of the virus to analyze and compare with other strains of this same virus. So problem number one is filtering the reports of infection and collecting samples that can be placed under the knife.

Problem number two is - where do you draw the line between an original virus and a true variation of the virus? The original Brain virus, for example, could only infect a floppy diskette. Do the varieties of the Brain that can infect hard disks (but in every other respect are identical) deserve to be called new viruses, or are they still the Brain? What about further modifications that destroy data? Is this now a new virus? What if someone extracts a segment of the Brain code and uses it as a basis for a new virus? What if nothing changes but the embedded text data, so that the virus is in every way functionally identical, but the volume label changes to "SMURF" instead of BRAIN? All of these modifications to the Brain have been discovered and logged. How do we deal with them?

I choose to deal with these modifications in the simplest way I know. If the virus differs in any way from the original (assuming that the "original" can in fact be identified), then I log it as a new strain. This relieves me from having to make decisions. Those of you who see the world differently can merely take this listing and lump together all of the different strains that you like. That way we'll all be happy.

This will be, by the way, my last virus document. I have worked double time for the past eighteen months helping John McAfee and his Homebase folks and, while I have thoroughly enjoyed myself, I have finally burned out. It has been great fun and I've learned a lot, and hopefully some of my works, like the product review with Sankary and Marsh, will end up being somehow useful to the world. But now I have the irresistible urge to go fishing, and, perhaps afterwards, to contemplate my navel for a few years. In between times I intend to write a book on the craziness in this industry and about the unique personalities I've had the pleasure to work with in the Virus Marine Corps. It's been quite an adventure. Thank you all.

Jim Goodwin
From the Homebase BBS 408 988 4004

THE VIRUSES

I have arranged these viruses so that similar varieties are described in the sequence in which they appeared within the virus sub-group (to the best of my knowledge). Not everyone agrees with my groupings. Many people believe, for instance, that the Golden Gate-C (Mazatlan Virus) is a distinctly original virus and is not a variation of the Alameda. I think differently and have endeavored to show how the Golden Gate evolved from the Alameda, through each precursor virus. I cannot prove, of course, that the sequence of appearances is the correct sequence, and in many cases I have had to guess. If anyone wishes to re-order these viruses, I will not be offended.

I have not included any of the specific application trojans in this list. There has been a lot of discussion about the Lotus 123 and DBASE "viruses", for example. These are not replicating programs and I do not classify them as viruses. I had originally intended a separate list to include these non-replicating trojans, but time caught up with me.

1. ALAMEDA VIRUS (Also called: Yale; Merritt; Pecking; Seoul)
This is a boot sector infector. First discovered at Merritt College in California (1987). The original version caused no intentional damage. It replicates at boot time (<ctrl>-<alt>-<del>) and infects only 5 1/4" 360KB floppies. It saves the real boot sector at track 39, sector 8, head 0. It contains a count of the number of times it has infected other diskettes, although the count is referenced for write only and is not used as part of an activation algorithm. The virus remains resident at all times after it is booted, even if no floppy is booted and BASIC is loaded. It contains a rare POP CS instruction that makes it incapable of infecting 286 systems.

2. ALAMEDA-B (Also called Sacramento Virus)
This is the original Alameda virus with the POP CS removed. Relocation is accomplished through a long jump instruction. All other characteristics are identical. This version runs OK on a 286.

3. ALAMEDA-C
This is the Alameda-B virus modified to disable the boot function after 100 infections. The counter in the original Alameda virus has been re-activated and is interrogated at each bootup. When it reaches 100 the virus disconnects from the original boot sector (control is no longer passed) and the diskette will no longer boot. At infection time, the counter is zeroed on the host diskette.

4. SF VIRUS
This is the Alameda-C modified to format the boot diskette when the counter runs out.

5. GOLDEN GATE VIRUS (Also called The 500 Virus)
This is the SF virus modified to format the C drive when the counter runs out. The activation occurs after 500 infections, instead of 100 infections. Note that in all three of these strains, the counter is zeroed on the host diskette at infection time. Thus, the activation period of this virus will on average stretch into many years. No corruption will occur until 500 new diskettes have been infected from within a given machine. Since infection can only occur when the system is booted with a new diskette, infection is not frequent with this virus. I expect that the overwhelming majority of infections will never activate; the IBM PC will have long since been supplanted by another architecture in most environments.

6. GOLDEN GATE-B
This is the Golden Gate virus with the activation delay reset to 30 infections. This virus should activate within a couple of years in most environments.

7. GOLDEN GATE-C (Also called the Mazatlan Virus)
This is the Golden Gate virus that is able to infect a hard disk. It is a nasty virus, since it has more of an opportunity to do damage than previous versions. Prior versions were limited, since systems with hard disks are only infrequently booted from floppy, and booting from the hard disk overwrote earlier versions.

8. GOLDEN GATE-D
This virus is identical to number 7, except the counter has been disabled (similar to the original Alameda).

9. THE BRAIN (Also called Pakistani Brain; Basit Virus)
This virus originated in January 1986 in Lahore, Pakistan. It is the only virus yet discovered that includes the valid names, address and phone numbers of the original perpetrators. The Brain is a boot sector infector, approximately 3K in length, that infects 5 1/4" floppies. It cannot infect hard disks. It will infect a diskette whenever the diskette is referenced. For example, a Directory command, executing a program from the diskette, copying a file from or to the diskette or any other access will cause the infection to occur. The virus stores the original boot sector, and six extension sectors containing the main body of the virus, in available sectors which are then flagged as bad sectors. The virus is able to hide from detection by intercepting any interrupt that might interrogate the boot sector and re-directing the read to the original boot sector. Thus, programs like the Norton Utilities will be unable to see the virus. Infected diskettes are noticeable by "@BRAIN" displayed in the volume label.

10. BRAIN-B (Also called Brain-HD; the Hard Disk Brain; Houston Virus)
This virus is identical in every respect to the original Brain, with the single exception that it can infect the C drive.

11. BRAIN-C
This is the Brain-B with the volume label code removed. The volume label of infected diskettes does not change with this virus. This virus was difficult to detect since it does nothing overt in the system.

12. CLONE VIRUS
This is the Brain-C that saves the original boot copyright label and restores it to the infected boot. The Basit & Amjad original Brain messages have been replaced with non-printable garbage that looks like instructions if viewed through Norton or another utility. Even if the system is booted from a clean diskette, it is virtually impossible to tell, by visual inspection, whether the hard disk is infected.

13. SHOE_VIRUS (Also called UIUC Virus)
This is the Brain-B virus modified to include the message "VIRUS_SHOE RECORD, v9.0. Dedicated to the dynamic memories of millions of virus who are no longer with us today". The message is never displayed.

14. SHOE_VIRUS-B
This is the Shoe_Virus modified so that it can no longer infect hard disks. The v9.0 has been changed to v9.1.

15. CLONE-B
This is the Clone virus modified to corrupt the FAT when it is booted after May 5, 1992. There are no other apparent modifications.

16. DOS-62 (Also called the UNESCO Virus)
This virus is a COM infector. It was first discovered in Moscow in April 1988. It was first publicized in August 1988 when it cropped up at a children's computer summer camp run by UNESCO. When a program infected by this virus is executed, it infects one other COM file in the system. On a random basis, infected programs will perform a system re-boot when they are executed.

17. 62-B
This virus is similar to DOS-62 except the re-boot is replaced by deleting the executed program.

18. FRIDAY THE 13th (Also called COM Virus; 512 Virus)
This virus is a non-resident COM infector that first appeared in South Africa in 1987. At each execution of an infected program the virus seeks out two other COM files on the C drive and one COM file on the A drive and infects them. The virus is extremely fast and the only indication of infection occurring is the access light on the A drive (if the current drive is C). The virus will only infect a file once. On every Friday the 13th the virus deletes the host program if it is executed on that day (similar to the Jerusalem).

19. FRIDAY 13th-B
This virus is identical to the original except that it infects every file in the current subdirectory. The only way this virus can spread beyond the current subdirectory is if an infected program ends up in the system PATH. Then every COM file in the currently selected subdirectory will get infected.

20. FRIDAY 13th-C
This is the 13th-B with a message added: "We hope we haven't inconvenienced you" is displayed whenever the virus activates.

21. JERUSALEM (Also called Israeli; Friday the 13th; PLO)
This virus is a memory resident COM and EXE infector. It was first discovered at the Hebrew University in Jerusalem in the fall of 1987. It contains a flaw which makes it re-infect EXE files over and over until the files become too big to fit into memory. The virus re-directs interrupt 8 (among others), and one-half hour after an infected program loads, the new timer interrupt introduces a delay which slows down the processor by a factor of about 10. On every Friday the 13th, the virus deletes every program executed during the day.

22. JERUSALEM-B
This virus is identical to the Jerusalem except it is able to successfully identify pre-existing infections in EXE files and will only infect them once.

23. JERUSALEM-C (Also called the New Jerusalem)
This virus is identical to Jerusalem-B except that the timer interrupt delay code has been bypassed. This virus is virtually invisible until it activates.

24. BLACK HOLE (Also called the Russian Virus)
This is the Jerusalem-C with odd text and additional code that is never referenced. A new interrupt 8 routine is added to the non-referenced area, along with a number of interrupt 21 calls which appear meaningless. The additional text includes "ANTIVIRUS". It appears that this virus is a modified version of some previous variety of the Jerusalem which we have not yet seen.

25. JERUSALEM-D
This is the Jerusalem-C that destroys both copies of the FAT on any Friday the 13th after 1990. The code that originally deleted executed programs has been overwritten with the FAT-destroying code.

26. JERUSALEM-E
This is identical to the D variety except the activation is any Friday the 13th after 1992.

27. CENTURY VIRUS (Also called the Oregon Virus)
This is similar to the Jerusalem-C except the activation date is January 1, 2000. When the virus activates, it erases both FATs on all connected drives and then begins writing zeroes to every sector on every attached device. If allowed to continue to completion, it displays the message "Welcome to the 21st Century".

28. CENTURY-B
This virus is similar to the original Century virus with the following exception: it waits for BACKUP.COM to be executed and then garbles all program writes. After BACKUP terminates, the output functions return to normal.

29. 1701 (Also called Cascade; Falling Tears)
This virus evolved from a trojan horse disguised as a utility to automatically turn off the num-lock light at system boot. The trojan horse caused the characters on the screen to fall to the bottom of the screen on systems with CGA monitors. In late 1977 this trojan horse was turned into a memory resident COM virus. It gets its name from the size increase of infected COM files - 1701 bytes. The virus has some unique qualities:
- It uses an encryption algorithm to avoid detection and complicate any attempted analysis.
- It contains a sophisticated activation algorithm that is based on randomizations, machine type, monitor type, presence or absence of clock cards, and time of year.
- It was designed to infect only IBM clones. True IBM systems would be spared.
The virus has a bug that causes the machine selection algorithm to fail. The virus activates on any machine with a CGA or VGA monitor, in the months of September, October, November or December in the year 1980 or 1988 (systems without clock cards will often have a date set to 1980).

30. 1701-B
This virus is identical to the 1701 except that it activates in the fall of any year.

31. 1704 (Also called Cascade; Falling Tears)
I would prefer to classify this virus as a variety of the 1701, but it has been universally referred to as a separate virus, so I will go along with the crowd on this one. It is functionally identical to the 1701 except that the IBM selection bug has been repaired. The new virus is three bytes longer. In every other respect it is the same.

32. 1704-B
This virus is identical to the 1704, except the cascade display has been replaced with a system re-boot when the virus activates. The activation uses the same interrupt 8 randomization algorithm, so the reboot will occur at a random time interval after executing an infected program on or after the activation date.

33. 1704-C
This virus is the same as the 1704-B, except the activation date has been changed to occur in December of any year.

34. 1704-D
This virus is the same as the 1704, except the IBM selection has been disabled (the virus infects true IBM PCs).

35. LEHIGH
This is a COMMAND.COM infector that first surfaced at Lehigh University in late 1987. It is the most widely known virus, the most discussed and the most analyzed of all the viruses, so I won't waste any more time on it.

36. SEARCH (Also called Den Zuk; Venezuelan)
This is a boot sector infector that infects 360KB 5 1/4" floppies. It infects through any access to the host diskette. It can survive a warm reboot. It will infect data (non-system) diskettes, which in turn can pass on the infection if an accidental attempt to boot from the data disk occurs. It has a bug which causes it to incorrectly attempt to infect 3.5" diskettes. This will overwrite the diskette's FAT and cause a read (or write) failure. It cannot infect a hard disk, and will not attempt to do so. If an infected system is rebooted from the hard disk, the virus will de-activate. This is not the case with rebooting from a clean floppy - which will become infected. The virus causes CGA, EGA and VGA screens to display a purple "DEN ZUK" graphic after a <ctrl>-<alt>-<del>. It causes no damage.

37. SEARCH-HD
This virus is identical to the Search virus, except it's able to infect hard disks.

38. SEARCH-B
This virus is identical to the Search virus, but unsuccessful modifications have been made to fix the 3.5" diskette problem. The 3.5" infection still fails, plus unsuccessful attempts to infect the hard disk will occur, which result in system failure on some systems.

39. SYS VIRUS
This virus is really a modification of the Search-HD virus. The display code has been replaced (no display occurs on reboot) by code that disables the SYS program. The SYS program itself is not modified, but any attempt to execute SYS will result in the program not being loaded. Instead, multiple reads to the source and target drives will occur (to simulate the SYS activity). The normal SYS message output is displayed by the virus at the appropriate time. This virus will successfully avoid being removed by SYS. The virus does no damage.

40. SYS-B
This is similar to the SYS virus, but it performs a hard disk format on any Friday the 13th after 1990. This virus and its precursor both still contain the 3.5" bug, so they are easily detected on systems using 3.5" drives. They are difficult to detect on other systems.

41. SYS-C
Similar to the SYS virus, but performs random reboots beginning 2 hours after power-on or initial boot.

42. 648 VIRUS (Also called the Austrian Virus)
This is a COM infector that increases the size of the infected file by 648 bytes. It was first reported in London in the fall of 1988. It is not a memory resident virus. It infects the next uninfected COM file in the current directory (similar to the original Friday 13th). It does no overt damage.

43. 648-B
This is similar to the 648, but it causes infrequent errors in the infected COM file so that the file will not execute. Approximately one file in ten will be corrupted.

44. STONED (Also called New Zealand Virus)
This is a boot sector infector that infects 360KB 5 1/4" floppies. It was first reported in Wellington, New Zealand in early 1988. It displays "Your computer is now stoned. Legalize Marijuana" every 8th bootup. No overt damage. Unable to infect hard disks.

45. STONED-B
Variation of Stoned. Has been changed to be able to infect hard disks. The hard disk is infected as soon as an infected floppy is booted. No intentional damage done, except systems with RLL controllers will frequently hang.

46. STONED-C
This is the Stoned-B virus that no longer displays the "Stoned" message. This virus is difficult to detect.

47. VERA CRUZ (Also called Bouncing Ball; Italian Virus)
This is a boot sector virus that was first reported in March 1988. It is a floppy-only infector. When this virus activates (randomly) a bouncing dot appears on the screen and can only be removed through reboot. No other damage is done.

48. VERA CRUZ-B
This is a variation of the Vera Cruz that is able to infect hard disks.
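The scanner below is an added example and not part of Goodwin's listing. It reads a 360KB FAT12 floppy image and reports the three footprints the Alameda and Brain entries describe: a copy of the real boot sector parked at track 39, sector 8, head 0; clusters flagged bad in the FAT to hide virus sectors; and an "@BRAIN" volume label. The layout constants are the standard 360KB FAT12 format (assumed, not stated on the page), and the "infected-looking" image is constructed in the code purely as a test input.

```python
# Added example (not from Goodwin's listing): forensic checks on a 360KB FAT12 image.
SECTOR, HEADS, SPT, TRACKS = 512, 2, 9, 40        # 360KB: 40 tracks x 2 heads x 9 sectors
RESERVED, FATS, FAT_SECTORS, ROOT_ENTRIES = 1, 2, 2, 112   # standard 360KB FAT12 layout
BAD_CLUSTER = 0xFF7                                # FAT12 "bad cluster" marker

def chs_to_offset(track, head, sector):
    """Byte offset of a track/head/sector address (sectors are numbered from 1)."""
    return ((track * HEADS + head) * SPT + (sector - 1)) * SECTOR

def fat12_entries(fat):
    """Unpack the packed 12-bit entries of a FAT12 table into a list of ints."""
    out = []
    for n in range(len(fat) * 2 // 3):
        i = n * 3 // 2
        word = fat[i] | (fat[i + 1] << 8)
        out.append(word >> 4 if n & 1 else word & 0xFFF)
    return out

def set_fat12(img, n, value):
    """Write one 12-bit entry into the first FAT (used only to build the sample)."""
    i = RESERVED * SECTOR + n * 3 // 2
    word = img[i] | (img[i + 1] << 8)
    word = (word & 0x000F) | (value << 4) if n & 1 else (word & 0xF000) | value
    img[i], img[i + 1] = word & 0xFF, word >> 8

def scan_floppy(img):
    """Return the indicator strings found on a 360KB image (empty list: none found)."""
    found = []
    stash = chs_to_offset(39, 0, 8)               # where Alameda saves the real boot sector
    sec = img[stash:stash + SECTOR]
    if sec[0] in (0xEB, 0xE9) and sec[510:512] == b"\x55\xAA":   # JMP ... 55 AA: a boot sector
        found.append("boot sector copy at track 39/head 0/sector 8")
    fat = img[RESERVED * SECTOR:(RESERVED + FAT_SECTORS) * SECTOR]
    bad = [n for n, v in enumerate(fat12_entries(fat)) if n >= 2 and v == BAD_CLUSTER]
    if bad:              # Brain hides its sectors this way; genuine media defects look the same
        found.append("clusters flagged bad: %s" % bad)
    root = (RESERVED + FATS * FAT_SECTORS) * SECTOR
    for k in range(ROOT_ENTRIES):
        e = img[root + 32 * k:root + 32 * (k + 1)]
        if e[0] not in (0x00, 0xE5) and e[11] & 0x08 and b"BRAIN" in e[:11].upper():
            found.append("volume label %s" % e[:11].decode("ascii", "replace").strip())
    return found

def clean_image():
    """Constructed blank 360KB image: boot signature, FAT12 media byte, empty root dir."""
    img = bytearray(TRACKS * HEADS * SPT * SECTOR)
    img[0:3], img[510:512] = b"\xEB\x3C\x90", b"\x55\xAA"
    img[RESERVED * SECTOR:RESERVED * SECTOR + 3] = b"\xFD\xFF\xFF"
    return img

def brain_style_image():
    """Constructed sample carrying all three traces (only the footprint, no virus code)."""
    img = clean_image()
    stash = chs_to_offset(39, 0, 8)
    img[stash:stash + SECTOR] = img[0:SECTOR]
    for n in (100, 101, 102):                      # three clusters marked "bad"
        set_fat12(img, n, BAD_CLUSTER)
    root = (RESERVED + FATS * FAT_SECTORS) * SECTOR
    img[root:root + 12] = b"@BRAIN     " + b"\x08"   # name + volume-label attribute
    return img
```

A clean image yields an empty list; each indicator is a lead to confirm against a known-good copy of the boot sector, since a legitimately worn diskette also carries bad clusters.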