Please find enclosed a list of known viruses in the UK prepared by Joe Hirst of the BCVRC, he is happy that it be distributed as widely as possible. Of great interest is the new Fu Manchu variant of the Israeli virus, a virus with a slightly embarassing manipulation task! Ps. Joe doesn't have a mail box to date but I will relay any requests, comments or information you pass on. D.Ferbrache European co-ordinator Comp.Virus IMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM; : Joe Hirst British Computer Virus Research Centre : : 12 Guildford Street, Brighton, East Sussex, BN1 3LS, England : : Telephone: Domestic 0273-26105, International +44-273-26105 : : : : List of known PC viruses : : : : This list is intended to give enough information to identify a virus : : or a variant form of a virus. It is not intended by itself to supply : : enough information for a programmer to deal with a virus. If any virus : : is found which does not exactly match any of the following descriptions : : the Centre requests that a copy of the virus be sent to us, or to a : : local researcher known to be in contact with us. : HMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM< 1. 405 Parasitic virus - overwriting Type description: Virus occurs overwriting the first 405 bytes of a COM file. The virus will attempt to infect one COM file on a different disk to the current one. If the length of the file to be infected is less than 405 bytes, the length will be increased to 405. Due to mistakes in the code it is not able to infect other than in the current directory, nor is it able to recognise an infected file. ----------- 2. Brain Boot virus - floppy only Type description: This virus consists of a boot sector and three clusters (6 sectors) marked as bad in the FAT. The first of these sectors contains the original boot sector, and the rest contain the rest of the virus. It only infects 360K floppies, and it occupies 7K of memory. It creates a label on an infected disk of ' (c) Brain '. There are a number of unused character strings which can be used to identify it: Offset 0010H: ' Welcome to the Dungeon ' ' (c) 1986 Basit & Amjad (pvt) Lt' 'd. BRAIN COMPUTER SERVICES..730 NI' 'ZAM BLOCK ALLAMA IQBAL TOWN LAHOR' 'E-PAKISTAN..PHONE :430791,443248,280530. ' ' Beware of this VIRUS.....Contact us for vaccin' 'ation............... $#@%$@!! ' Offset 0202H '(c) 1986 Basit & Amjads (pvt) Ltd ' Offset 0355H ' (c) 1986 Basit & Amjads (pvt) Ltd' Offset 04A6H ' (c) Brain $' Variations: All the variations we have so far seen have only involved changes to these character strings. (1) Offset 0010H: 'Welcome to the Dungeon (c) 1986 D.C.L', 17H, '&' ' Amjads (pvt) Ltd VIRUS_SHOE RECORD v9.0 ' 'Dedicated to the dynamic memories of millions of' ' virus who are no longer with us today - Thanks ' 'GOODNESS!! BEWARE OF THE er..VIRUS : \thi' 's program is catching program follows after' ' these messeges..... $#@%$@!! ' Offset 0202H '(c) 1986 Brain & Amjads (pvt) Ltd ' Offset 0355H ' (c) 1986 Brain & Amjads (pvt) Ltd' Offset 04A6H ' (c) ashar $' (2) As variation 1 except 'D.C.L' is changed to 'Brain' in string at offset 0010H (3) As variation 2 except 'Brain' is changed to 'Jork ' in string at offset 0202H ----------- 3. Cascade - AKA 1701, 1704 Parasitic virus - resident Type description: The virus occurs attached to the end of a COM file. COM files increase in length by 1701 bytes. The first three bytes of the program are stored in the virus, and replaced by a branch to the beginning of the virus. The virus is encrypted (apart from the first 35 bytes) using an algorithm that includes the length of the host program, so every sample looks different. It becomes memory-resident when the first infected program is run, and it will then infect every COM file run (even if the file has an EXE extension). If the system date is between October and December 1988 the cascade display will be activated at random intervals. The virus tests the BIOS for the string 'COPR. IBM', and will not infect if it finds this - however there are errors in the code which prevent it from working. Because recognition depends on the length of the virus, it will infect programs already infected by variants with different lengths. Variations: (1) COM files increase in length by 1704 bytes. The only differences are the removal of a conditional jump (which would never have been taken), and some necessary segment overrides on the BIOS tests missing in the previous version. There is still a mistake preventing an IBM machine from being recognised. ----------- 4. Datacrime - AKA 1168 Parasitic virus - non-resident Type description: The virus occurs attached to the end of a COM file. COM files increase in length by 1168 bytes. The first three bytes of the program are stored in the virus, and replaced by a branch to the beginning of the virus. The virus will search through full directory structure of the disks (in the order C, D, A, B) for a COM file other than COMMAND.COM. It will also ignore any COM file if the 7th letter of the name is a D. If the date is after 12 October (any year) it will display the message: 'DATACRIME VIRUS' 'RELEASED: 1 MARCH 1989' and do a low level format on track zero, all heads, of the hard disk. Due to mistakes in the code the system is almost certain to crash the first time the critical error handler is invoked after the virus terminates. ----------- 5. Dbase [report only - no sample] Parasitic virus - resident Type description: Infects COM and EXE files. Transposes random bytes of any open .DBF file, keeping a record of which bytes in a hidden file (BUG.DAT) in the same directory. The virus restores these bytes if the file is read. If the BUG.DAT file is 90 days old or more the FAT and root directory are overwritten. ----------- 6. Den Zuk - AKA Search [report only - no sample] Boot virus - floppy only Type description: Graphics display of 'DEN ZUK', together with the AT&T logo, slides in from the sides of the screen on bootup. After five such bootups the disk is trashed - no details of how. ----------- 7. Fu Manchu Parasitic virus - resident Type description: The virus occurs attached to the beginning of a COM file, or the end of an EXE file. It is a rewritten version of the Jerusalem virus, and most of what is said for that virus applies here with the following changes: a. The code to delete programs, slow down the machine, and display the black 'window' has been removed, as has the dead area at the end of the virus and some sections of unused code. b. The marker is now 'rEMHOr' (six bytes), and the preceeding 'sU' is now 'sAX' (Sax Rohmer - creator of Fu Manchu). c. COM files now increase in length by 2086 bytes & EXE files 2080 bytes. EXE files are now only infected once. d. One in sixteen times on infection a timer is installed which runs for a random number of half-hours (maximum 7.5 hours). At the end of this time the message 'The world will hear from me again!' is displayed in the centre of the screen and the machine reboots. This message is also displayed every time Ctrl-Alt-Del is pressed on an infected machine, but the virus does not survive the reboot. e. There is further code which activates on or after the first of August 1989. This monitors the keyboard buffer, and makes derogatory additions to the names of politicians (Thatcher, Reagan, Botha & Waldheim), censors out two four-letter words, and to 'Fu Manchu ' adds 'virus 3/10/88 - latest in the new fun line!' All these additions go into the keyboard buffer, so their effect is not restricted to the VDU. All messages are encryted. ----------- 8. Italian - AKA Pingpong Boot virus - DOS boot sector Type description: This virus consists of a boot sector and 1 cluster (2 sectors used) marked as bad in the first copy of the FAT. The first of these sectors contains the rest of the virus, and the second contains the original boot sector. It infects all disks which have at least two sectors per cluster, and it occupies 2K of memory. It displays a single character 'bouncing ball' which interacts with some characters on the screen. It will not run on an 80286 or an 80386 machine. ----------- 9. Jerusalem - AKA 1813, Friday the 13th, PLO, Israeli Parasitic virus - resident Type description: The virus occurs attached to the beginning of a COM file, or the end of an EXE file. A COM file also has the five-byte 'marker' attached to the end. This marker is usually (but not always) 'MsDos', and is preceeded in the virus by 'sU'. COM files increase in length by 1813 bytes. EXE files usually increase by 1808 bytes, but the displacement at which to write the virus is taken from the length in the EXE header and not the actual length. This means that part or all of this 1808 bytes may be overwritten on the end of the host program. It becomes memory-resident when the first infected program is run, and it will then infect every program run except COMMAND.COM. COM files are infected once only, EXE files are re-infected each time they are run. After the system has been infected for thirty minutes an area of the screen from row 5 column 5 to row 16 column 16 is scrolled up two lines creating a black two line 'window'. From this point a time-wasting loop is executed with each timer interrupt. If the system was infected with a system date of Friday the thirteenth, every program run will be deleted instead. This will continue irrespective of the system date until the machine is rebooted. The end of the virus, from offset 0600H, is rubbish and will vary from sample to sample. Variations: (1) [report only - no sample] This is almost certainly an earlier variant. The string 'sUMsDos' in the type version is 'sURIV 3.00' in this version, the 30 minute delay is here 30 seconds, and there is a bug in the program delete. (2) [report only - no sample] This is probably the first version. Only COM files are infected, and the target date is 1st April. When target date is reached, the trojan element is triggered the first time an uninfected file is infected by the memory-resident virus. This produces the message 'APRIL 1ST HA HA HA YOU HAVE A VIRUS', and the machine locks. Identifying string is 'sURIV 1.01'. (3) [report only - no sample] As variation 2, but only infects EXE files. Trojan is triggered first time an infected file is run on 1st April. Additionally, machine locks one hour after infection if default date of 1-1-80 is used. Virus infects file only once. Identifying string is 'sURIV 2.01'. ----------- 10. Lehigh [report only - no sample] Parasitic virus - overwriting Type description: Infects only COMMAND.COM, where it overwrites the stack space. If a disk which contains an uninfected copy of COMMAND.COM is accessed, that copy is also infected. A count of infections is kept within each copy of the virus, and when this count reaches 4 every disk (including hard disks) currently in the computer is trashed by overwriting the initial tracks (boot sector & FAT). Infection changes the date and time of the infected file. If a floppy with an uninfected COMMAND.COM is write- protected, there will be a 'WRITE PROTECT ERROR' message from DOS. ----------- 11. New Zealand - AKA Stoned, Marijuana Boot virus - master boot sector Type description: This virus consists of a boot sector only. It infects all disks, and it occupies 1K of memory. The original boot sector is held in track zero, head one, sector three on a floppy disk, and track zero head zero, sector two on a hard disk. The boot sector contains two character strings: 'Your PC is now Stoned!' & 'LEGALISE MARIJUANA!'. The first of these is only displayed one in eight times when booting from an infected floppy, the second is unreferenced. Variations: (1) Much of the code has been reorganised. The only significant change is that the original boot sector is stored at track zero, head zero, sector seven on a hard disk. The second string is not transfered when infecting a hard disk. ----------- 12. Oropax - AKA Music virus [report only - no sample] Parasitic virus - resident Type description: Infects COM files, length increases by 2756-2806 bytes, so that total length is divisible by 51. Becomes active (randomly) five minutes after infection, playing three different tunes with a seven minute interval. ----------- 13. Pentagon Boot virus - floppy only Type description: Virus is possibly an honorary term, at least for this sample, as all attempts to run it have so far failed. The following describes what would happen if it did work (as future samples might). This virus consists of a boot sector and two files. The boot sector is a normal PCDOS 3.20 boot sector with three changes: 1. The OEM name 'IBM' has been changed to 'HAL'. 2. The first part of the virus code overwrites 036H to 0C5H. 3. 100H-122H has been overwritten by a character string. The name of the first file is the hex character 0F9H. This file contains the rest of the virus code followed by the original boot sector. The name of the second file is PENTAGON.TXT. This file does not appear to be used in any way or contain any meaningful data. Both files are created without the aid of DOS, and the first file is accessed by its stored absolute location. Four different sections of the virus are separately encrypted: 1. 004AH - 004BH, key 0ABCDH - load decryption key 2. 0059H - 00C4H, key 0FCH - rest of virus code in boot sector. 3. 0791H - 07DFH, key 0AAH - the file name and copyright message. 4. 0800H - 09FFH, key 0FCH - the original boot sector. The virus will survive a warm boot (Ctrl-Alt-Del). It only infects 360K floppies, and it will look for and remove Brain from any disk that it infects. It occupies 5K in memory. ----------- 14. Vienna - AKA 648, Austrian, Unesco Parasitic virus - non-resident Type description: The virus occurs attached to the end of a COM file. COM files increase in length by 648 bytes. The first three bytes of the program are stored in the virus, and replaced by a branch to the beginning of the virus. The virus looks for, and infects, one COM file - either in the current directory or in one of the directories on the PATH. One in eight files 'infected' does not get a copy of the virus. Instead the first five bytes of the program are replaced by a far jump to the BIOS initialization routine. Variations: (1) This is the version published in Ralf Burger's book 'Computer Viruses: A High-Tech Disease'. An error has been introduced which disables the virus's ability to search through the PATH, and the far jump has been replaced by five spaces. ----------- 15. Yale - AKA Alameda, Merritt Boot virus - floppy only Type description: This virus consists of a boot sector only. It infects floppies in the A-drive only and it occupies 1K of memory. The original boot sector is held in track thirty-nine, head zero, sector eight. It hooks into INT 9, and only infects when Ctrl-Alt-Del is pressed. It will not run on an 80286 or an 80386 machine, although it will infect on such a machine. It has been assembled using A86. It contains code to format track thirty-nine, head zero, but this has been disabled. -----------