Common Viruses: A to E
_________________________________________________________________

4096
Aliases: Frodo, 4K, 100 year, Stealth virus, IDF
Synopsis: Resident, stealth infector of .COM, .EXE and overlay files.
Damage: Corrupts files and hangs the PC.
Symptoms: Cross-linked and damaged files.
Details: This virus damages your files in at least two ways. First, it will accidentally infect data files, causing irreparable damage to those files. Second, it will cross-link files on your disk, working very slowly so the damage is generally not obvious until an enormous number of files have been corrupted. This damage is frequently mistaken for hardware problems. 4096 sets the date of infected files 100 years from the original file date; this is how it determines that it has already infected a file. Simply doing a directory listing will not reveal that these dates have changed, since only two digits of the year are normally displayed in a directory listing. All infected files grow by 4096 bytes, but the virus hides these changes by using its stealth capabilities. If you attempt to read an infected file with 4096 resident in memory, you will see only the original, uninfected file. It also locates the original interrupt 21 hex and 13 hex addresses in order to bypass resident monitor programs. Programs will be infected when they are executed or read. You can use 4096's stealth capabilities to make it disinfect itself by copying executable files to non-executable file names (e.g., COPY Z.EXE Z.XEX). Do not depend on this, since future variants may not share this property.

1575
Aliases: Green Caterpillar, 1591
Synopsis: Resident infector of .COM and .EXE files
Symptoms: Green caterpillar, slow response to the DIR command and time stamp changes.
Details: Two months after this virus first infects your PC, it will produce a crude graphic of a green caterpillar moving across your screen. It is not known to cause any deliberate damage to your PC beyond infecting your files. 1575 will infect additional files when you issue a DIR or COPY command. It was first detected in January of 1991 in Canada.

AIRCOP
Synopsis: Resident infector of floppy DOS boot sectors
Damage: Inadvertent damage to some files on diskettes
Symptoms: Messages, damaged files, less total memory and PC hangs
Details: Aircop infects only DOS boot sectors on diskettes. It saves the original boot sector near the end of the disk, causing loss of data if this space is in use by a file or directory. It decreases free memory by 1024 bytes and will at random intervals display the message "Red State, Germ Offensive. AIRCOP." or (variant B) simply "This is Aircop." This virus is fairly buggy and will frequently hang your PC.

ALAMEDA
Aliases: Yale, Merritt
Variants: Golden Gate, SF
Synopsis: Resident infector of floppy DOS boot sectors
Damage: File corruption
Symptoms: Decrease in total memory and possible damaged files
Details: Alameda was not written to be deliberately destructive. The original version damaged files when it relocated the original DOS boot sector to track 39, sector 8 on 360K diskettes; this would damage any file already using this location. There are now deliberately destructive variants of this virus, known as Golden Gate and SF, that will format your hard disk after infecting enough diskettes.

ANTIEXE
Aliases: D3
Synopsis: Destructive, resident DOS boot sector and partition sector virus
Damage: Inadvertent damage to diskette files and deliberate damage to .EXE files
Symptoms: Damaged files, less total memory and PC hangs
Details: AntiEXE deliberately damages .EXE files by changing the first byte of the file. Like Stoned, it will cause damage to any infected floppy that contains more than just a few files. This virus is memory resident and will infect any floppy accessed. AntiEXE remaps the disk interrupt (Int 13h) to avoid resident monitoring programs but has no stealth capabilities.

AZUSA
Aliases: Hong Kong
Synopsis: Resident infector of floppy DOS boot sectors and hard disk partition sectors.
Damage: File corruption, failure of serial ports or printer
Symptoms: Damaged files, 1024 fewer bytes total memory, failure of COM1 and LPT1.
Details: Azusa will infect any diskette to which you attempt to write and will immediately infect any hard disk. Azusa does not deliberately damage data, but because (like Stoned) it does not understand current diskette formats, it will corrupt anything other than a 360K floppy. On a diskette, this virus attempts to place the original DOS boot sector on sector 8 of track 40. The last track on a 360K diskette is normally track 39. On larger capacity diskettes, track 40 may be in use by files, so on these diskettes Azusa is likely to cause damage. On hard disks, Azusa does not save the original partition sector at all. The most common variant of Azusa will disable COM1 and LPT1 after counting 32 boots. This means that your serial port (e.g., modem or mouse) and printer will suddenly quit working. Cross-linked files and system hangs are symptoms of some less common versions of Azusa.

BLOODY!
Aliases: Beijing, June 4th
Synopsis: Resident infector of floppy DOS boot sectors and hard disks
Damage: File corruption
Symptoms: Damaged files, 2048 fewer bytes total memory and message
Details: After counting 128 boots, Bloody! will display the message "Bloody! Jun. 4, 1989". This is the date on which Chinese students were killed in a confrontation with the Chinese Army in Beijing. On hard disks, Bloody! saves the original partition sector in cylinder zero, track zero, sector six. On floppies, it overlays part of the directory with the original boot sector, thereby potentially damaging existing files.
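The 4096 entry above notes that infected files are dated 100 years ahead of their original date and that DIR's two-digit year hides the change. As an added example (not part of the Stiller Research page), this Python decodes raw FAT directory date words and flags entries dated far in the future; the file names and dates in SAMPLE are constructed, not taken from any real infection.

```python
"""Added example (not from the Stiller Research page): decode FAT directory date
words and flag entries dated far in the future, the marker 4096 leaves when it
adds 100 years to an infected file's date (a two-digit DIR listing hides it)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

def decode_fat_date(word: int) -> Optional[date]:
    """Decode a 16-bit FAT date word (7-bit years since 1980, 4-bit month, 5-bit day); None if invalid."""
    year = 1980 + ((word >> 9) & 0x7F)
    month = (word >> 5) & 0x0F
    day = word & 0x1F
    try:
        return date(year, month, day)
    except ValueError:  # zeroed or corrupt entries have month/day 0
        return None

def encode_fat_date(d: date) -> int:
    """Inverse of decode_fat_date; used only to build the constructed sample below."""
    return ((d.year - 1980) << 9) | (d.month << 5) | d.day

def dir_style(d: date) -> str:
    """Render a date the way DOS DIR does: MM-DD-YY, so 2091 and 1991 both read '91'."""
    return f"{d.month:02d}-{d.day:02d}-{d.year % 100:02d}"

@dataclass
class DirEntry:
    name: str      # 8.3 file name
    fat_date: int  # raw FAT date word from the directory entry

def future_dated(entries: list[DirEntry], today: date, min_years_ahead: int = 50) -> list[tuple[str, str]]:
    """Return (name, ISO date) for entries dated at least min_years_ahead years past today."""
    flagged = []
    for e in entries:
        d = decode_fat_date(e.fat_date)
        if d is not None and d.year - today.year >= min_years_ahead:
            flagged.append((e.name, d.isoformat()))
    return flagged

# Constructed sample directory with hypothetical names; EDIT.COM carries the 100-year shift.
SAMPLE = [
    DirEntry("COMMAND.COM", encode_fat_date(date(1991, 4, 9))),
    DirEntry("EDIT.COM", encode_fat_date(date(2091, 4, 9))),
    DirEntry("README.TXT", encode_fat_date(date(1994, 11, 2))),
]

def check_sample() -> list[tuple[str, str]]:
    """Scan the sample as of the page's 1995 date; returns [('EDIT.COM', '2091-04-09')]."""
    return future_dated(SAMPLE, date(1995, 6, 9))
```

Both .COM entries render as 04-09-91 through dir_style, which is exactly why the raw date word, not the listing, has to be inspected.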
BRAIN
Aliases: Pakistani-Brain
Variants: Shoe, Ashar, Nipper
Synopsis: Resident, stealth infector of floppy boot sectors
Damage: File corruption
Symptoms: Bad clusters, changes to the volume label
Details: Brain is one of the oldest known PC viruses (discovered in 1986). The original Brain virus infected only floppy DOS boot sectors and was not intended to cause any harm. The bulk of the virus code, along with the original boot sector, is written to several clusters that are marked as bad in the FAT. (If you run CHKDSK, you will see additional bad clusters.) Brain also changes the volume label to "(c) Brain". This will show up any time you do a DIR on an infected diskette. There are now variants of Brain that do not change the diskette label or change it to something else (e.g., "(c) Ashar"). Brain is the first stealth virus: if you try to read the infected boot sector, Brain returns the original boot sector so the PC appears uninfected. There are now variants of Brain that will also infect the hard disk and occasionally do deliberate damage. The original Brain virus contained this message:

Welcome to the Dungeon
(c) 1986 Basit & Amjad (pvt) Ltd.
Brain Computer Services
730 NIZAB BLOCK ALLAMA IQBAL TOWN
LAHORE-PAKISTAN
PHONE :430791,442348,280530
Beware of this VIRUS
Contact us for vaccination

CANSU
Aliases: Sigalit, V-Sign
Synopsis: Resident DOS boot sector and partition sector virus
Damage: Inadvertent damage to diskette files.
Symptoms: Damaged files, less total memory, "V" shaped graphic
Details: Cansu will display a "V" shaped ASCII graphic and hang the PC after infecting 64 diskettes. Cansu will cause damage to any infected floppy that contains more than just a few files. Unlike most other boot sector viruses, Cansu does not save a copy of the original boot sectors.

CASCADE
Aliases: Falling letters, 1701, 1704
Variants: Cascade-Format
Synopsis: Resident infector of .COM files.
Damage: No deliberate damage except for the "Format" variant
Symptoms: System hangs and letters fall from top to bottom of the screen
Details: There are quite a few known variants of Cascade. They all go resident in memory and infect programs that are executed. The trigger for the cascading letters effect is complex and depends upon random numbers, the date and, optionally, the video adapter. The original Cascade was designed to trigger between October and December 1988. Most Cascade variants are not designed to be harmful, but they will occasionally crash the PC and are known to damage files with a length of more than 63576 bytes. The Cascade-Format variant will format your disk when it activates in October through December of any year. Most Cascade variants add either 1701 or 1704 bytes to infected files.

DARK AVENGER
Aliases: Eddie, Black Avenger
Synopsis: Damaging, resident infector of .COM and .EXE files
Damage: Potential damage to all data
Symptoms: Damaged files, CHKDSK errors
Details: This Bulgarian virus was written to deliberately cause serious damage to your data. It will write garbage to random sectors on your disk. The most common variant writes a random sector after every 16th file it infects. It contains the messages "Eddie lives...somewhere in time!" and "This program was written in the city of Sofia".

DISK KILLER
Aliases: Ogre, Computer Ogre
Synopsis: Destructive, resident infector of DOS boot sectors
Damage: Damage to individual files and entire disk
Symptoms: Bad clusters, file damage, message
Details: Disk Killer will activate about 48 hours after infecting a disk. At this point it will display a message announcing itself as "Disk Killer" by "Computer Ogre" and ask you not to turn off your PC. It then trashes your disk by encrypting your data using an exclusive-or. Once resident, Disk Killer will immediately infect any disk that you access by replacing the boot sector and locating the remainder of the virus code in several clusters that it marks as bad in the FAT. This will damage any files that were using these clusters on your disk.

EXEBUG
Aliases: CMOS virus, Swiss Boot
Synopsis: Destructive, resident DOS boot sector and partition sector virus
Damage: Loss of all data on hard disk and data corruption on diskettes
Symptoms: CMOS corruption, damaged files, less total memory and PC hangs
Details: EXEbug uses stealth techniques to hide its presence. It also changes CMOS so that the A drive is not present, in an attempt to force your PC to boot from your hard drive (where the partition sector is infected by the virus). This technique fails on most PCs but does corrupt the CMOS. If the PC is booted from diskette, the hard drive will appear to be inaccessible, since the partition sector does not appear to be valid. EXEbug will cause damage to any infected floppy that contains more than just a few files. It will infect any floppy accessed. EXEbug will modify some .EXE files so that when they are executed, they will overwrite the hard disk.

_________________________________________________________________
Write to Stiller Research: 74777.3004@compuserve.com
Copyright © 1995 Stiller Research. Document Last Modified 6/09/95.