Common Viruses: F to M
_________________________________________________________________

FLIP
Synopsis: Resident stealth infector of partition sectors and files
Damage: Causes file corruption if "CHKDSK /F" used
Symptoms: Horizontal flip of screen, CHKDSK errors
Details: On EGA or VGA systems, Flip uses an alternate character set to make the screen appear to flip horizontally. For the most common variant this occurs on the second day of the month between four and five PM. Flip attempts to make intercepted files appear to have their original length; this causes CHKDSK (and similar programs such as NDD or DISKFIX) to report errors. If you ask one of these programs to fix the problems that it is reporting (e.g., "CHKDSK /F"), it will cause file linkage errors and file corruption. This is not a problem if you boot from a diskette with a clean copy of DOS before running one of these programs. Scanners frequently detect this virus in Central Point's Anti-virus because this product contains an unencrypted fragment of Flip.

FORM
Synopsis: Resident infector of boot sectors
Damage: Occasional damage
Symptoms: Clicking sounds from PC
Details: On the 18th day of any month, Form will cause a clicking sound and slow response to key presses. Form stores the original boot sector on the last sector of the diskette, damaging any file which might be using that sector. The boot sector will contain the text: "The FORM-Virus sends greetings to everyone who's read this text."

INVADER
Aliases: AntiCAD
Synopsis: Destructive, resident infector of programs, DOS boot sectors and partition sectors.
Damage: Overwrites low tracks on disk
Symptoms: Music or noise from speaker
Details: Invader installs itself as a resident program in low memory occupying a little over 5000 bytes. The most common variant will start to play music 30 minutes after becoming resident. If you boot your PC while it is playing music, Invader will overwrite the first track on your disk.
Some variants will do this after a specific number of keystrokes or if you execute the ACAD program (a computer-aided design program).

JERUSALEM
Aliases: 1813, Israeli, Friday 13th, Black Box
Variants: Anarkia, Apocalypse, Barcelona, Captain Trips, Discom, GP1, Messina, Mule, Nemesis, Payday, Slow, Zerotime
Synopsis: Resident infector of programs and overlays
Damage: Deletes files on activation
Symptoms: Black box appears and PC slows dramatically
Details: Jerusalem is the most common file-infecting virus according to our reports. A tremendous number of variants have been created to fool scanners and to change the effects of this virus. It commonly installs itself as a resident program (TSR) in low memory occupying slightly less than 2000 bytes. The most common variants will delete any program that you execute on Friday the 13th. One variant (Payday) will delete programs on any Friday but the 13th. Some variants (e.g., Clipper, Discom, GP1) will damage uninfected files. Infected .COM files will grow by 1813 bytes while .EXE files may be infected multiple times, sometimes overwriting parts of the original program. Jerusalem also damages .COM files larger than 63,466 bytes. Slow (Zerotime) is an encrypted version of Jerusalem that causes frequent system hangs.

JOSHI
Synopsis: Resident, stealth infector of DOS boot sectors and partition sectors
Symptoms: Message and decreased total memory
Details: CHKDSK will report over 6000 fewer bytes total memory when Joshi is resident. Joshi will use stealth techniques to make partition sectors appear to be uninfected. On January 5, Joshi will display the message: "Type Happy Birthday Joshi" and wait for you to type this phrase. There is one variant (Joshi-B) that does not display this message. Joshi carefully stores the bulk of its code by formatting an additional track at the end of diskettes. On a 360K diskette, it will create a 41st track (known as track 40) on what would normally be a 40 track diskette.
On hard disks, Joshi stores the original partition sector in sector nine of track zero, cylinder zero. This causes problems on a few hard disks that utilize this sector.

KEYPRESS
Synopsis: Resident infector of .COM and .EXE files
Symptoms: Repeated keys, loss of total memory, file time and date changes
Details: At intervals (generally 30 minutes), Keypress will repeat any key that you press, giving the appearance of a stuck key. This effect generally lasts for only two seconds. Keypress allows DOS to update the time and date stamp of any file that it infects. It will damage any .COM file larger than 64,032 bytes that it infects. Total memory will be decreased by approximately 1000 bytes when Keypress is resident.

LIBERTY
Aliases: Mystic
Synopsis: Resident infector of .COM and .EXE files.
Symptoms: Decrease in total system memory
Details: CHKDSK will report over 8000 fewer bytes total memory with Liberty resident. Liberty is reported to also infect overlay files and boot sectors. Infected files contain the text "Liberty" and infected .COM files commonly contain the text "- M Y S T I C -".

MALTESE AMOEBA
Aliases: Irish, Grain of Sand, Amoeba (mistakenly)
Synopsis: Destructive, polymorphic, resident infector of .COM and .EXE files
Damage: Overwrites low tracks on disk on November 1 and March 15
Symptoms: Sluggish response to the DIR command, less total memory, and file time stamp changes.
Details: This virus did considerable damage when it first activated in November of 1991 in the UK (illustrating the danger of depending upon scanners for anti-virus protection). It will infect files on either a DOS open or a load and execute (it infects any programs read or executed) but it avoids infecting COMMAND.COM. CHKDSK will report 4096 fewer bytes total memory if the virus is resident. Maltese Amoeba will refuse to infect if a couple of well known resident monitor programs or the PSQR virus are present.
On Nov 1 or March 15, it will overwrite low numbered tracks on the hard disk and any diskettes, and hang the PC. On a subsequent boot, it will greet you with a display of the first four lines of Blake's "Auguries of Innocence" from the Pickering Manuscripts:

    To see a world in a grain of sand
    And a heaven in a wild flower,
    Hold infinity in the palm of your hand
    And eternity in a hour.
    The Virus 16/3/91

The damaged partition sector will then contain this text:

    AMOEBA virus by the Hacker Twins (C) 1991 This is nothing, wait for the release of AMOEBA II - The Universal infector, hidden to any eye but ours! Dedicated to the University of Malta - the worst educational system in the universe, and the destroyer of 5X2 years of human life.

Integrity Master will detect the Maltese Amoeba as "Irish1" through "Irish6."

MICHELANGELO
Synopsis: Destructive, resident infector of boot sectors on diskettes and partition sectors on hard disks.
Damage: On March 6, it writes garbage over all data on disk
Details: On March 6, the Michelangelo virus (named after Michelangelo Buonarroti, the Italian Renaissance artist, born March 6, 1475) will destroy all data on infected disks. It will store the original partition sector in sector seven of cylinder zero, track zero. On diskettes, Michelangelo will inadvertently damage the directory structure by hiding the original boot sector in the last sector occupied by the directory. Michelangelo reduces the amount of total memory on your PC by 2048 bytes.

MICROBES
Synopsis: Resident infector of floppy DOS boot sectors
Symptoms: Hang during attempted boot
Details: The Microbes virus, developed in India, infects only floppy boot sectors and does not appear to cause any deliberate damage.

MONKEY
Synopsis: Resident, stealth infector of floppy boot sectors and partition sectors
Symptoms: Inaccessible hard disk after floppy boot, 1K less available memory
Details: Monkey is unusual in that it completely replaces the partition sector with its own code.
If you boot from a floppy the hard disk will be inaccessible since there is no valid partition table in the partition sector. If the virus is resident in memory, it will use stealth techniques to return the original unmodified partition sector.

MUSICBUG
Aliases: Music Boot, Music bug
Synopsis: Resident infector of DOS boot sectors and partition sectors
Damage: Inadvertent damage to some disks
Symptoms: Music and clicking sounds, lost clusters, decreased total memory
Details: MusicBug generally waits about four months before it starts randomly playing music. When it infects your PC it will create lost clusters where it locates the bulk of the virus code. CHKDSK will report the existence of these lost clusters. These clusters will contain the text "MusicBug v1.06 MacroSoft Corp.". Since MusicBug does not correctly understand FAT structure, it will corrupt some disks.
_________________________________________________________________

Write to Stiller Research: 74777.3004@compuserve.com

Copyright © 1995 Stiller Research. Document Last Modified 6/09/95.