info/mirror-textfiles.com
1
0
Fork 0
mirror of https://github.com/opsxcq/mirror-textfiles.com.git synced 2025-08-08 12:56:57 +02:00
Code Issues Releases Wiki Activity

update

Browse Source
This commit is contained in:
OPSXCQ
2018-03-16 11:16:46 -03:00
parent b0b4ae6434
commit 88a2076a38
223 changed files with 55648 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

115
textfiles.com/virus/NCSA/ncsa009.txt Normal file
View File

@@ -0,0 +1,115 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> 1704 Format <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Synonyms: Blackjack, 1704, Falling Letters.
Date of Origin: September, 1988.
Place of Origin: Germany.
Host Machine: PC compatibles.
Host Files: Remains resident. Infects COM files.
Increase in Size of Infected Files: 1704 bytes.
Nature of Damage: Affects system run-time
operation. Corrupts program or overlay files. Formats or erases
all/part of the hard disk upon activation.
Detected by: Scanv56+, F-Prot, IBM Scan, Pro
-Scan.
Removed by: CleanUp, M-1704, Scan/D, F-Prot.
Derived from: 1701 (Cascade) virus.
Scan Code: Uses self-encryption. FA 8B EC E8
00 00 5B 81 EB 31 01 2E F6 87 2A 01 01 74 0F 8D B7 4D 01 BC
85 06 31 34 31 24 46 4C 75 F8.
The code for the 1704 virus is identical to the 1701 except for a
single instruction. The only differences are the removal of a
conditional jump from the 1701 (which would never have been taken), and
some necessary segment overrides on the BIOS tests missing in the
previous version. The virus was designed to not infect micros
manufactured by IBM, but errors in coding enable it to infect any PC,
regardless of origin. The virus tests the BIOS for the string "COPR.
IBM", and contains code to not infect if it finds this - however there
are errors in the code which prevent it from working.
As with the 1701, the 1704 can recognize if it has previously
infected a file. However, because recognition depends on the length of
the virus, it will infect programs already infected by variants with
different lengths. (1701 will infect COM files infected with 1704, and
vice versa.)
The encryption of this virus is different in each instance of the
virus, being dependent on the size of the host file.
The hard disk is formatted when the virus activates.
This virus has been termed "Blackjack", which is a pun on the German
name "17+4" of a popular card game.
Blackjack infects only COM-files which are at least 3 bytes long, and
it does so only once for any given file. It overwrites the first three
bytes with a JMP to the beginning of the viral code, which is appended to
the file. The 2 byte address of this JMP instruction is probably the
reason why only COM files are susceptible to infection. Blackjack
retains the file's time stamp. It even infects read-only files; on
write-protected floppy disks, it attempts writing 5 times per file, thus
revealing its activity.
In the infected file, the viral code is cryptographically encoded,
using a simple Vigenere code depending on the length of the file; only
the instructions for decoding the encrypted part of the code are in plain
machine-language. This is obviously intended as a impediment against
disassembling. Hence, every copy of the virus looks different
(depending on the length of the file).
On invocation of an infected program, Blackjack installs itself in
RAM (if no copy is already installed), then replaces the JMP instruction
with its former contents and resumes normal program operation.
The storage map shows that Blackjack has tinkered with the free
storage pointer-chain to hide the fact that it has hooked interrupt 21.
Hence, only a minor part of Blackjack is visible in the storage map.
In every year, from October to December, Blackjack will interfere
with CGA or EGA operated screens, moving randomly chosen characters
down, like falling leaves in autumn. After a while, you'll have a big
heap of characters at the bottom of your screen, and as you cannot see
anymore what the computer is trying to display, you'll probably have to
restart the system. This behaviour has been predicted by two people, who
have disassembled Blackjack, and has later been observed on many
EGA-equipped ATs.<Note: Contributions to this section by Otto Stolz.>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

50
textfiles.com/virus/NCSA/ncsa010.txt Normal file
View File

@@ -0,0 +1,50 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> 1720 Virus <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Synonyms: PSQR Virus
Date of Origin: March, 1990.
Place of Origin: Barcelona, Spain.
Host Machine: PC compatibles.
Host Files: COM, EXE, and overlay files.
Becomes memory resident.
Increase in Size of Infected Files: n/a.
Detected by: Scanv61+
Removed by: Scan/D, or delete the infected files.
Derived from: Jerusalem.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

52
textfiles.com/virus/NCSA/ncsa011.txt Normal file
View File

@@ -0,0 +1,52 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> 2930 <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Synonyms: Traceback II
Host Machine: PC compatibles.
Host Files: Remains resident. Infects COM, EXE
files.
Increase in Size of Infected Files: 2930 bytes.
Nature of Damage: Corrupts program or overlay files.
Detected by: Scanv41+, F-Prot, IBM Scan, Pro-Scan.
Removed by: CleanUp, Scan/D, F-Prot, or delete infected files.
Derived from: may be original. See 3066/Traceback.
Traceback II may be the predecessor of the Traceback (3066) virus,
though the latter was discovered first. They are similar in function,
but produce differences in the size of infected files.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

84
textfiles.com/virus/NCSA/ncsa012.txt Normal file
View File

@@ -0,0 +1,84 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> 3066 <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Synonyms: Traceback.
Host Machine: PC compatibles.
Host Files: Remains resident. Infects COM, EXE files.
OnScreen Symptoms: Cascading display one hour after activation, lasting
one minute, followed by restoration of screen to condition prior to
cascade.
Increase in Size of Infected Files: 3066 bytes.
Nature of Damage: Corrupts COM and EXE files.
Detected by: Scanv56+, F-Prot, IBM Scan, Pro-Scan.
Removed by: M-3066, VirClean, F-Prot, or delete any infected files.
Derived from: Traceback II/2930.
Scan Code: E8 71 06 E8 28 06 B4 19 CD 21 89 B4 51 01 81 84 51 01 84 08 8C
8C 53 01. You can also search at 108H for 89 B4 51 01 81 84 51 01 84 08.
After an infected program is run, Traceback becomes memory resident,
infecting every COM or EXE that is run. Additionally, if the system date
is after December 5, 1988, it will attempt to infect one additional COM
or EXE file in the current directory. If no uninfected file are available
in the current directory, it searches the entire disk, starting at the
root directory, looking for a victim. This search terminates if it
encounters an infected file before finding a candidate non-infected
file.
This virus derives its name from two characteristics:
* Infected files contain the directory path of the file causing the
infection within the viral code. Consequently, it is possible to
"trace back" the infection through a number of files.
* When Traceback succeeds in infecting a program, it attempts to
update a counter in the program from which Traceback was
activated in that session. Because Traceback takes over disk error
handling while trying to update the original infected program, the
user will be unaware that an error occurred if Traceback can't
update its counter.
The primary symptom of the Traceback virus having infected the
system is that it will produce a screen display with a cascading effect
similar to the Cascade/1701/1704 virus. The cascading display occurs one
hour after system memory is infected, and lasts one minute, after which
the display is restored. Any keystroke during this interval will hang up
the system. The cascade/restore sequence is repeated at one hour
intervals. See also 2930.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

63
textfiles.com/virus/NCSA/ncsa013.txt Normal file
View File

@@ -0,0 +1,63 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> 3551 Virus <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Synonyms: Syslock, 3555
Host Machine: PC compatibles.
Host Files: Encrypting, non-resident. Infects COM, EXE files.
Increase in Size of Infected Files: 3551-3555 bytes.
Nature of Damage: Corrupts COM and EXE files. May corrupt data files.
Detected by: Scanv56+, F-Prot, Pro-Scan.
Removed by: CleanUp, Scan/D, or F-Prot.
Scan Code: Uses self-encryption.
When an infected program is run, SysLock searchs through the COM and
EXE files and subdirectories on the current disk, picking one executable
file at random to infect. The infected file will have its length
increased by about 3,551 bytes.
The SysLock virus will damage files by searching for the word
"Microsoft" in any combination of upper and lower case characters, and
when found replace the word with either "MACROSOFT". If it finds an
environment variable of "SYSLOCK" has been set to "@" (hex 40), the virus
will not infect any programs or perform string replacements, but will
instead pass control to its host immediately. The author may have used
this during the creation of the virus.
One known variant is called Macho-A. It is identical to the SysLock
virus, except that "Microsoft" is replaced with "MACHOSOFT".
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

44
textfiles.com/virus/NCSA/ncsa014.txt Normal file
View File

@@ -0,0 +1,44 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> 3555 <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Host Machine: PC compatibles.
Host Files: COMMAND.COM, COM files.
Increase in Size of Infected Files: 3555 bytes.
Scan Code: encrypted.
It does not appear to be memory resident, and infects COM files at
the time that an infected program is loaded. It does not appear to be
memory resident. It sometimes causes the message -"Error Writing to
Device AUX1" to occur at the time an infected program is executed.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

82
textfiles.com/virus/NCSA/ncsa015.txt Normal file
View File

@@ -0,0 +1,82 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> 4096 virus <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Synonyms: Century Virus, IDF Virus, Stealth Virus, 100 Years Virus
Date of Origin: January, 1990.
Host Machine: PC compatibles.
Increase in Size of Infected Files: 4096 bytes.
Nature of Damage: Remains resident. Infects COMMAND.COM, COM, EXE,
overlay files.
Detected by: Scanv53+, F-Prot, IBM Scan, Pro-Scan.
Removed by: CleanUp, Scan/D, F-Prot. See below.
This virus is one of the most brutal ever developed, and no one seems
to successfully recover from it. It infects COM, EXE, and overlay files,
adding 4,096 bytes to their length. Once the virus is resident in memory,
the increase in length will not appear in a directory listing, and it
will infect any executable file that is opened, including those opened
with the COPY or XCOPY command.
Through FAT manipulation, the virus destroys files through a slow
crosslinking process that would seem to be a hardware problem.
If the virus is present in memory and you attempt to copy infected
files, the new copy of the file will not be infected if the extension is
neither COM nor EXE. Thus, one way to disinfect a system is as follows:
* copy all the infected files to diskettes with a non-executable file
extension. For instance, you might COPY *.EXE *.E and COPY
*.COM *.C.
* Shut the system off. Reboot from an uninfected and write-protected
disk.
* Delete any infected files and restore the backed up files to the
original executable file names and extensions. (COPY *.C *.COM; COPY
*.E *.EXE)
This procedure will not save any cross-linked files, however.
Some notes:
* Systems infected with this virus may hang after September 22 of any
year, due to a bug. This is the birthday of Bilbo and Frodo Baggin, in
the Lord of the Rings.
* The virus contains an unused boot sector, which if copied to the boot
sector of a diskette, will produce the message "FRODO LIVES".
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

67
textfiles.com/virus/NCSA/ncsa016.txt Normal file
View File

@@ -0,0 +1,67 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> AIDS <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Synonyms: VGA2CGA, Taunt, Hahaha.
Host Machine: PC compatibles.
Host Files: COM files.
OnScreen Symptoms: When activated, displays "Your computer now has
AIDS". The word "AIDS" covers about half the screen. Following display
of this message, the system halts and must be rebooted..
Increase in Size of Infected Files: n/a.
Nature of Damage: Overwrites first 13K of infected programs. Not memory-
resident.
Detected by: Scanv40+, Pro-Scan.
Removed by: CleanUp, or Scan/D, or delete infected .COM files.
The AIDS virus was first reported attached to a program called
VGA2CGA. It is known as "Hahaha" in Europe, and IBM refers to it as the
"Taunt" virus. When it activates, it displays the message "Your computer
now has AIDS". After the message display, the system is halted. You will
need to turn it off and reboot to restart it.
The only protection against the AIDs virus is full backups of your
.COM files. Written in Turbo C, it copies itself over the first 13K bytes
of a .COM file. The original function of the .COM program is lost, and
any other .COM files locatable by the program are also overwritten in
this manner. It evidently has a minimum size which it will not infect,
but it also totally loses all the data at the beginning of the programs.
Recovery of a damage program is not possible.
This virus should not be confused with the AIDS Information Disk
Trojan. See also the Lisbon virus.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

65
textfiles.com/virus/NCSA/ncsa017.txt Normal file
View File

@@ -0,0 +1,65 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> AIDS II Virus <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Synonyms: Companion Virus
Date of Origin: April, 1990.
Place of Origin: The Netherlands?
Host Machine: PC compatibles.
Host Files: non-resident. Infects COM and EXE files.
OnScreen Symptoms: See messages below. Also a melody is played.
Increase in Size of Infected Files: 8,064 bytes.
Nature of Damage: none.
Detected by: on-screen message.
Removed by: delete COM files created by the virus. They will bear the
date and time of infection.
This virus does not infect files, but rather creates a 8,064 byte COM
file of the same name as an existing EXE file. When a user enters the
first name of the EXE file, the COM file runs, a melody is played, and
the COM file displays the message: "Your computer is infected with...
(heart character) Aids Virus II. - Signed WOP & PGT of DutchCrack - ".
The COM file then "spawns" the EXE file's process -- permits the normal,
uninfected EXE to run, after which control is returned to the COM file.
At this time, the melody is played again, and the message displayed is
"Getting used to me? Next time, use a condom..."
The virus is significant in that it "infects" a file without touching
it at all, and thus escapes detection by CRC examination programs.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

77
textfiles.com/virus/NCSA/ncsa018.txt Normal file
View File

@@ -0,0 +1,77 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Alabama Virus <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Date of Origin: October 13, 1989.
Place of Origin: Israel.
Host Machine: PC compatibles.
Host Files: Remains resident. Infects EXE files.
OnScreen Symptoms: One hour after activation, the virus displays this
message in a flashing box:
"SOFTWARE COPIES PROHIBITED BY INTERNATIONAL LAW
Box 1055 Tuscambia ALABAMA USA."
Increase in Size of Infected Files: 1560 bytes.
Nature of Damage: Affects system run-time operation. Corrupts program or
overlay files. Directly or indirectly corrupts file linkage.
Detected by: Scanv43+, F-Prot, IBM Scan, Pro-Scan.
Removed by: CleanUp, F-Prot, or delete infected files.
This virus was isolated by Ysrael Radai at Hebrew University. It
manipulates the file allocation table and swaps file names so that files
are slowly lost.
The Alabama virus will infect .EXE files, increasing their size by
1,560 bytes. It moves into memory when any EXE containing the virus is
executied. Unlike most other memory-resident viruses, the Alabama does
not use the normal TSR function, but rather hooks interrupt 9 as well as
IN and OUT commands. Upon detecting a Control-Alt-Delete, the virus
generates what appears to be a warm boot, but remains in memroy. The
virus loads to the top 30K of memory, unlike other memory-resident
programs, and does not reduce the available memory reported by DOS.
The Alabama virus uses a complex procedure during infection. It will
first infect an EXE in the current directory, providing there is one
which is uninfected. If all EXEs in the current directory are infected,
then the Alabama virus will infect the program being executed --
provided the system date is not Friday. On Fridays, the Alabama virus
will swap entries in the FAT so that when the user attempts to execute an
uninfected file, an infected file executes instead. Over time, files
will be lost through this process.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

115
textfiles.com/virus/NCSA/ncsa019.txt Normal file
View File

@@ -0,0 +1,115 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Alameda Virus <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Synonyms: Yale, Merritt, Peking, Seoul virus.
Date of Origin: Spring, 1987.
Place of Origin: Merritt College, Alameda, California.
Host Machine: PC compatibles. Does not run on 80286.
Host Files: Remains resident. Infects floppy disk boot sector.
Increase in Size of Infected Files: n/a.
Nature of Damage: Resident. Corrupts or overwrites floppy boot sector.
Detected by: Scanv56+, F-Prot, IBM Scan.
Removed by: CleanUp, MDisk, F-Prot, or DOS SYS command..
Scan Code: BB 40 00 8E DB A1 13 00 F7 E3 2D E0 07 8E C0 0E 1F 81 FF 56 34
75 04 FF 0E F8 7D. You can also search at offset 00EH for A1 13 00 F7 E3
2D E0 07.
History: First discovered at Merritt college in California in the Spring
of 1987. In February, 1988, it popped up at Alameda College, where it
received large publicity. In October, 1988, it surfaced at Yale
University, where it became known as the Yale virus. The original
version caused no intentional damage.
The original Alameda would only run on an 8088/8086, and was
presumably assembled using A86 on such a machine. Because it does not
infect hard disks, we may presume that the author's machine did not have
one. The original version would not run on an 80286 or an 80386 machine,
although it will infect on such a machine. Later versions of the virus
can run on an 80286.
Description of Operation: The Alameda virus spends its life in the boot
sector of 5.25" 360K floppy disks. When the machine boots from an
infected 360K floppy, the Alameda becomes memory resident, occupying 1K
of memory. It infects 360K floppies in the A: drive only. Pressing
Ctrl-Alt-Del activates the virus, rather than removing it from memory.
At this point, it looks for a floppy in drive A: to infect. It will
infect any 360K disk in that drive, whether or not it is a bootable disk.
The original boot sector is held in track thirty-nine, head zero,
sector eight. It does not map this sector bad in the FAT (unlike the
Brain) and should that area be used by a file, the virus will die. It
apparently uses head 0, sector 8 and not head 1 sector 9 because this is
common to both single sided and double sided formats and common to both
8-sectored and 9-sectored formats (both the old 160K single sided and
later 180K single sided formats).
Alameda redirects the keyboard interrupt (INT 09H) to look for
Ctrl-Alt-Del sequences. When it detects Ctrl-Alt-Del, it will attempt to
infect any floppy it finds in drive A:.
The virus is not malevolent. It contains code to format track
thirty-nine, head zero, but this has been disabled. It also contains a
count of the number of times it has infected other diskettes, although it
is referenced for write only and is not used as part of an activation
algorithm. The virus remains resident at all times after it is booted,
even if the user removes the floppy from a machine having no bootable
hard disk, and reboots with Ctrl-Alt-Del. When Ctrl-Alt-Del is pressed
from inside Cassette Basic, it activates and infects the floppy from
which the user is attempting to boot.
Alameda contains no anti-detection mechanisms as does the Brain
virus.
The Alameda contains a rare POP CS instruction that is not understood
by 80286 systems, and hangs the system up. The POP CS command is used to
pass control to itself in upper memory. When such a machine hangs, the
virus has already installed itself in high RAM and hooked the keyboard
interrupt, so that the infection can spread if a warm boot is then
performed.<Note: In fact, the way the virus is most often discovered is
that a 286 won't boot from an infected disk.>
Removal: Alameda can not only live through an Ctrl-Alt-Del reboot
command, but this is its only means of reproduction to other floppy
diskettes. The only way to remove it from an infected system is to turn
the machine off and reboot with an uninfected copy of DOS. The Norton
utilities can be used to identify infected diskettes by looking at the
boot sector and the DOS SYS utility can be used to remove it <197> unlike
the Brain.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

42
textfiles.com/virus/NCSA/ncsa020.txt Normal file
View File

@@ -0,0 +1,42 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Alameda-B <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Synonyms: Sacramento Virus, Yale C
Host Machine: PC compatibles.
Derived from: Alameda
This is the original Alameda Virus that has the POP CS removed.
Relocation is accomplished through a long jump instruction. All other
characteristics are identical. This version, unlike the original
Alameda, runs on a 286.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

42
textfiles.com/virus/NCSA/ncsa021.txt Normal file
View File

@@ -0,0 +1,42 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Alameda-C <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Host Machine: PC compatibles.
Derived from: Alameda-B
This is the Alameda-B virus that has been modified to disable the
boot function after 100 infections. The counter in the original Alameda
virus has been re-activated and is interrogated at each bootup. When it
reaches 100, the virus disconnects from the original boot sector
(control is no longer passed) and the diskette will no longer boot. At
infection time, the counter is zeroed on the host diskette.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

54
textfiles.com/virus/NCSA/ncsa022.txt Normal file
View File

@@ -0,0 +1,54 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Amstrad Virus <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Date of Origin: Reported in November, 1989 by Jean Luz, an NCSA member.
Known for about one year prior to that in Spain and Portugal.
Place of Origin: Spain and Portugal
Host Machine: PC compatibles.
Host Files: COM files other than COMMAND.COM. Not memory resident.
OnScreen Symptoms: Displays a fake advertisement for the Amstrad
computer.
Increase in Size of Infected Files: 847 bytes.
Nature of Damage: May corrupt program or overlay files.
Detected by: Scanv51+, F-Prot, IBM Scan, Pro-Scan.
Removed by: CleanUp, Scan/D, F-Prot, or simply erase the infected files.
This virus appears to cause no damage beyond replication, which may
occasionally damage a COM file.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

44
textfiles.com/virus/NCSA/ncsa023.txt Normal file
View File

@@ -0,0 +1,44 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Anarkia <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Host Machine: PC compatibles.
Host Files: COM and EXE files.
Increase in Size of Infected Files: n/a.
Nature of Damage: Progressively slows CPU operations -- a bit at first,
more over time during the session.
Derived from: Jerusalem B.
Scan Code: "ANARKIA" replaces "sUMsDos" of the Jerusalem B.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

43
textfiles.com/virus/NCSA/ncsa024.txt Normal file
View File

@@ -0,0 +1,43 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Apple Virus <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Date of Origin: Fall, 1989.
Host Machine: Macintosh.
The Apple virus is a "RESET" instruction followed by a "NOP"
instruction. The unusual sequence of statements (normally one would put
the "NOP" before the "RESET") makes it a surprisingly hard to detect and
disassemble. To propagate, the user must use Apple's Resource Editor
(ResEdit) to cut and paste this virus into every program that they want
it to infect. The virus seems to be more a tool for virus planters than
something that will be causing widespread damage directly.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

44
textfiles.com/virus/NCSA/ncsa025.txt Normal file
View File

@@ -0,0 +1,44 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> April 1st-B <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Host Machine: PC compatibles.
Host Files: EXE files.
Scan Code: 2E A3 17 00 BB 17 00 0E 1F B4 DE CD 21 B4 2A CD 21 81 FA 01 04
74 22 81 F9 BC 07 75 06 E8 C5 04.
An .EXE-infecting version of .COM which will display the
characteristic message on execution of any infected .EXE file on April
1st, with associated lockup. A similar lockup will occur 1 hour after
infection of memory on any day on which the default date 1-1-80 is used.
See sURiV.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

58
textfiles.com/virus/NCSA/ncsa026.txt Normal file
View File

@@ -0,0 +1,58 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Ashar Virus <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Synonyms: Shoe_Virus, UIUC Virus
Host Machine: PC compatibles.
Host Files: Infects floppy disk boot sector. Remains resident.
Increase in Size of Infected Files: n/a.
Nature of Damage: Resident. Corrupts or overwrites boot sector.
Detected by: Scanv41+, F-Prot, IBM Scan.
Removed by: CleanUp, MDisk, F-Prot, or the DOS SYS command.
Derived from: Brain
Scan Code: "ashar", found at offset 04A6 hex in the virus.
Modifies the Brain virus message to read:
VIRUS_SHOE RECORD, v9.0. Dedicated to the dynamic memories of millions
of virus who are no longer with us today
This message is never displayed.
Unlike the Brain, this virus can infect both floppies and hard disks.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

56
textfiles.com/virus/NCSA/ncsa027.txt Normal file
View File

@@ -0,0 +1,56 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Ashar-B Virus <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Synonyms: Shoe_Virus-B
Host Machine: PC compatibles.
Host Files: Infects floppy disk boot sector. Cannot infect hard disks.
Remains resident.
OnScreen Symptoms: none.
Increase in Size of Infected Files: n/a.
Nature of Damage: Resident. Corrupts or overwrites boot sector.
Detected by: Scanv41+, F-Prot, IBM Scan.
Removed by: CleanUp, MDisk, F-Prot, or the DOS SYS command.
Derived from: Ashar
Scan Code: "ashar", found at offset 04A6 hex in the virus.
Modifies the Ashar virus message, changing "v9.0" to "v9.1" This
message is never displayed. Unlike the original Ashar virus, this
version can only infect floppies.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

53
textfiles.com/virus/NCSA/ncsa028.txt Normal file
View File

@@ -0,0 +1,53 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Austrian Virus And Variants <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Synonyms: 648 Virus.
Date of Origin: Fall, 1988.
Place of Origin: London, England.
Host Machine: PC compatibles.
Host Files: COM files.
Increase in Size of Infected Files: 648 bytes.
Scan Code: FC 8B F2 81 C6 0A 00 BF 00 01 B9 03 00 F3 A4 8B F2 B4 30 CD 21
3C 00 75 03 E9 C7 01.
This is a COM infector that increases the size of the infected file
by 648 bytes without changing date/time or attributes. Intentional
damage: one infected file in eight (at random) is changed in such a way
that the program will not run. No known unintentional damage. It is not
a memory resident virus. It infects the next uninfected COM file in the
current directory (similar to the original Friday 13th).
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

39
textfiles.com/virus/NCSA/ncsa029.txt Normal file
View File

@@ -0,0 +1,39 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Austrian-B <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Synonyms: 648-B.
Host Machine: PC compatibles.
This is similar to the original, but it causes infrequent errors in
the infected COM file so that the file will not execute. Approximately
one file in ten will be corrupted.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

47
textfiles.com/virus/NCSA/ncsa030.txt Normal file
View File

@@ -0,0 +1,47 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Black Hole <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Synonyms: the Russian Virus.
Host Machine: PC compatibles.
Derived from: Jerusalem-C
This virus is the Jerusalem-C that has odd text and additional code
that is never referenced. A new interrupt eight routine is added to the
non-referenced area and a number of interrupt 21 calls which appear
meaningless. The additional text includes "ANTIVIRUS". It appears that
this virus is a modified version of the Jerusalem-C/New Jerusalem.
Note that because of the difference in EGA and CGA int 10 usage,
Jerusalem A has been observed with the blackhole effect noted on an EGA
screen.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

134
textfiles.com/virus/NCSA/ncsa031.txt Normal file
View File

@@ -0,0 +1,134 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Brain Virus <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Synonyms: Pakistani, Pakistani Brain, Basit Virus.
Date of Origin: January, 1986.
Place of Origin: Lahore Pakistan.
Host Machine: PC compatibles.
Host Files: Remains resident. Infects floppy disk boot sector.
OnScreen Symptoms: None. Use DIR to find a volume label on an infected
floppy: "(c) Brain". Using a sector editor, you should be able to find
"(c) Brain" in sector 0, as well.
Increase in Size of Infected Files: n/a.
Nature of Damage: Resident, taking 3-7K of RAM. Corrupts or overwrites
boot sector.
Detected by: Scanv56+, F-Prot, IBM Scan, Pro-Scan.
Removed by: CleanUp, MDisk, F-Prot, or DOS SYS command.
Derived from: This virus appears to be "an original."
Scan Code: 8C C8 8E D8 8E D0 BC 00 F0 FB A0 06 7C A2 09 7C 8B 0E 07 7C 89
0E 0A 7C E8 57 00. You can also search at 15EH for 8B 0E 07 7C 89 0E 0A 7C
E8 57.
This virus originated in January, 1986, in Lahore Pakistan, but the
first noticeable infection problems did not surface until 1988<Note: In
the spring of 1988, for instance, 100 machines at The Providence
Journal-Bulletin were infected with it.>.
The Brain is unusual in that it includes the valid names, address and
phone numbers of the original perpetrators. It was written by two
brothers running a computer store in Lahore Pakistan. According to some
sources, Basit Farooq Alvi (one of the brothers) wrote the virus so that
it would infect machines running bootleg copies of a program he was
selling for physicians. The original Brain put a copyright notice in the
directory of floppy disks, but did no other damage to floppy disks, and
would not infect hard disks.
This virus consists of a boot sector and three clusters (6 sectors)
marked as bad in the FAT. The first of these sectors contains the
original boot sector, and the rest contain the rest of the virus. It
only infects 360K floppies, and it occupies 7K of memory.
The original Brain will infect a diskette whenever the diskette is
referenced. For example, a DIR command, executing a program from the
diskette, copying a file from or to the diskette or any other access will
cause the infection to occur. The virus stores the original boot sector,
and six extension sectors, containing the main body of the virus, in
available sectors which are then flagged as bad sectors. Diskettes have
3K of bad sectors (possibly more, if there are genuinely bad sectors, as
well.)
The Brain causes no known intentional damage. However, it can slow
diskette access a bit, and may cause time-outs, which can make some
diskette drives unusable.
Any attempts to examine the boot sector are likely to be intercepted
by the Brain when it is memory resident, redirecting the "view" to the
relocated boot sector. Thus, programs like the Norton Utilities will be
unable to "see" the virus.
There are a number of unused character strings which can be used to
identify it:
Offset 0010H:
Welcome to the Dungeon
(c) 1986 Basit & Amjad (pvt) Lt
d. BRAIN COMPUTER SERVICES..730 NI
ZAM BLOCK ALLAMA IQBAL TOWN LAHOR
E-PAKISTAN..PHONE :430791,443248,280530.
Beware of this VIRUS.....Contact us for vaccin
ation............... $#@%
Offset 0202H:
(c) 1986 Basit & Amjads (pvt) Ltd
Offset 0355H:
(c) 1986 Basit & Amjads (pvt) Ltd
Offset 04A6H:
(c) Brain $
Infected diskettes are noticeable by "@BRAIN" or "(c) BRAIN"
displayed in the volume label. Derivations can infect hard disks, and
some have had the "(c) Brain" label removed, to make detection more
difficult.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

49
textfiles.com/virus/NCSA/ncsa032.txt Normal file
View File

@@ -0,0 +1,49 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Brain-B <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Synonyms: Brain-HD, the Hard Disk Brain, Houston Virus.
Host Machine: PC compatibles.
OnScreen Symptoms: none.
Nature of Damage: Resident, taking 3-7K of RAM. Corrupts or overwrites
boot sector.
Detected by: Scanv56+, F-Prot, IBM Scan.
Removed by: CleanUp, MDisk, F-Prot, or DOS SYS command.
Derived from: original Brain virus.
This virus is identical in every respect to the original Brain, with
the single exception that it can infect the C drive.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

48
textfiles.com/virus/NCSA/ncsa033.txt Normal file
View File

@@ -0,0 +1,48 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Brain-C <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Host Machine: PC compatibles.
OnScreen Symptoms: none.
Nature of Damage: Resident, taking 3-7K of RAM. Corrupts or overwrites
boot sector.
Detected by: Scanv56+, F-Prot, IBM Scan.
Removed by: CleanUp, MDisk, F-Prot, or DOS SYS command.
Derived from: Brain-B.
This virus is the Brain-B that has the volume label code removed. The
volume label of infected diskettes does not change with this virus. This
virus is difficult to detect since it does nothing overt in the system.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

111
textfiles.com/virus/NCSA/ncsa034.txt Normal file
View File

@@ -0,0 +1,111 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Cascade Virus <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Synonyms: 1701, Falling Letters, Falling Tears, Fall virus, Autumn
Leaves.
Date of Origin: late 1987.
Place of Origin: Switzerland?
Host Machine: The 1701 version will infect both true IBM PC's and PC
compatibles; the 1704 version will only affect PC compatibles. This is
the only difference between the two versions.
Host Files: Remains resident. Infects COM files. Uses self-encryption.
OnScreen Symptoms: If the system month is between September and
December, and the system year is either 1980 or 1988, and the monitor is
either CGA or VGA, the cascade display will be activated at random
intervals.
Increase in Size of Infected Files: 1701 or 1704 bytes (two different
versions).
Nature of Damage: Affects system run-time operation. Corrupts program or
overlay files.
Detected by: Scanv56+, F-Prot, IBM Scan, Pro-Scan.
Removed by: M-1704, CleanUp, or F-Prot. You may also follow the
instructions for removing the Jerusalem virus.
Derived from: A NumLock utility Trojan horse.
Scan Code: Uses self-encryption. FA 8B EC E8 00 00 5B 81 EB 31 01 2E F6
87 2A 01 01 74 0F 8D B7 4D 01 BC 82 06 31 34 31 24 46 4C 75 F8. You can
also search at offset 01BH for 31 34 31 24 46 4C 75 F8.
This virus was adapted from a Trojan utility which was claimed to
turn of the Num Lock light and mode. The Trojan caused characters on CGA
screens to "fall" to the bottom of the screen. In late 1987 this Trojan
was turned into a memory resident COM virus, and reported by Rudolf
Rindler of Switzerland.
Two version of the virus exist.
* The 1701 version increases the size of COM files by 1,701 bytes, and
infect both machines containing an IBM copyright notice in the ROM
and clones.
* The 1704 version increases the size of COM files by 1,704 bytes, and
infects only clones.
The virus occurs attached to the end of a COM file. The first three
bytes of the program are stored in the virus, and replaced by a branch to
the beginning of the virus. It becomes memory-resident when the first
infected program is run, and it will then infect every COM file run (even
if the file has an EXE extension).
The virus is unique in several ways:
* The virus is encrypted (apart from the first 35 bytes) using an
algorithm that includes the length of the host program, so every
sample looks different.
* The mechanics of its activation are complex, being based on
randomizations, machine types, monitor type, presence or absence of
clock cards, and time of year. The virus activates on any machine
with a CGA or VGA monitor, in the months of September, October,
November or December, in the year 1980 or 1988 (systems without clock
cards will often have a date set to 1980).
* Occasionally, 1701 triggers a "hailstorm". The characters on the
screen behave as if the were pinned to the screen, and someone is
removing the pins one at a time <197> it looks a bit like a hailstorm,
and has appropriate sound effects. In fact, it is a purely
audio-visual effect - nothing is happening to your data. But over
-reaction at this point -- turning the machine off -- may result in
lost clusters and file damage.
To remove the virus, either run M-1704 or follow the instructions
offered for the Jerusalem virus.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

76
textfiles.com/virus/NCSA/ncsa035.txt Normal file
View File

@@ -0,0 +1,76 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Cascade-B <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Synonyms: 1704-B, 1701-B, Blackjack virus
Host Machine: PC compatibles.
Host Files: Remains resident. Infects COM files.
OnScreen Symptoms: There is no cascade display on the screen for this
version. The system will reboot at random intervals after activation.
Increase in Size of Infected Files: 1701 bytes (will infect both PCs and
compatibles) or 1704 bytes (will infect only PC compatibles).
Nature of Damage: Affects system run-time operation. Corrupts program or
overlay files.
Detected by: Scanv56+, F-Prot, IBM Scan, Pro-Scan.
Removed by: M-1704, M-1704C, CleanUp, or F-Prot. You may also follow the
instructions for removing the Jerusalem virus.
Derived from: Cascade.
Scan Code: Uses self-encryption. FA 8B EC E8 00 00 5B 81 EB 31 01 2E F6
87 2A 01 01 74 0F 8D B7 4D 01 BC 85 06 31 34 31 24 46 4C 75 F8. You can
also search at offset 01BH for 31 34 31 24 46 4C 77 F8.
This virus is identical to the Cascade except for these two changes:
* it activates in the fall of any year;
* the cascading display has been replaced with a system re-boot when
the virus activates.
The activation uses the same interrupt 8 randomization algorithm, so
the reboot will occur at a random time interval after executing an
infected program on or after the activation date.
This virus has the ability to infect a file more than once. Cleanup
works well at removing the virus, even from files infected multiple
times (Cleanup will have to be run the same number of times that the file
is infected). Be warned though, if you find a file has been infected more
than once, remove the virus and delete the file, as files infected more
than once will hang your computer. Files infected only once by this virus
seem to run OK after removing the virus.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

49
textfiles.com/virus/NCSA/ncsa036.txt Normal file
View File

@@ -0,0 +1,49 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Cascade-C <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Synonyms: 1704-C
Host Machine: PC compatibles. True IBM PCs won't be infected.
Host Files: COM files.
Increase in Size of Infected Files: 1704 bytes.
Removed by: M-1704C.
Derived from: Cascade-B
Scan Code: F6 87 2A 01 01 74 0F 8D B7 4D 01 BC or F6 87 2A 01 01 74 0F 8D
B7 4D 01 BC 85 06 31 34 31 24 46 4C 77 F8.
This virus is the same as the Cascade-B/1704-B, except the
activation date has been changed to occur in December of any year.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

42
textfiles.com/virus/NCSA/ncsa037.txt Normal file
View File

@@ -0,0 +1,42 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Cascade-D <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Synonyms: 1704-D
Host Machine: PC compatibles.
Derived from: Cascade
Scan Code: F6 87 2A 01 01 74 0F 8D B7 4D 01 BC.
This virus is the same as the Cascade/1704, except that it is able to
infect machines with an IBM copyright notice in the ROM.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

41
textfiles.com/virus/NCSA/ncsa038.txt Normal file
View File

@@ -0,0 +1,41 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Century Virus <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Synonyms: the Oregon Virus.
Host Machine: PC compatibles.
This is similar to the Jerusalem-C except the activation date is
January 1, 2000. When the virus activates, it erases both FATs on all
connected drives and then begins writing zeroes to every sector on every
attached device. If allowed to continue to completion, it displays the
message - " Welcome to the 21st Century".
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

40
textfiles.com/virus/NCSA/ncsa039.txt Normal file
View File

@@ -0,0 +1,40 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Century-B <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Host Machine: PC compatibles.
Derived from: Century virus.
This virus is similar to the original Century virus with the
following exception: It waits for BACKUP.COM to be executed and then
garbles all program writes. After BACKUP terminates, the output
functions return to normal.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

57
textfiles.com/virus/NCSA/ncsa040.txt Normal file
View File

@@ -0,0 +1,57 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Chaos <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Date of Origin: First reported by James Berry in December, 1989.
Place of Origin: Possibly Kent, England
Host Machine: PC compatibles.
Host Files: hard disk and floppy disk boot sectors.
OnScreen Symptoms: None. Infected boot sectors will contain these
messages: "Welcome to the New Dungeon", "Chaos", and "Letz be cool
guys".
Increase in Size of Infected Files: n/a
Nature of Damage: Remains resident. Corrupts or overwrites boot sector,
affects system run-time operation, corrupts data files, formats or
erases all/part of disk.
Detected by: Scanv53+.
Removed by: MDisk, Cleanup, or the DOS SYS command.
Chaos overwrites the boot sector, and flags the disk as being full of
bad sectors upon activation, though these bad sectors are still
readable. The activation criteria are unknown.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

51
textfiles.com/virus/NCSA/ncsa041.txt Normal file
View File

@@ -0,0 +1,51 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Christmas Card <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Date of Origin: December, 1987.
Host Machine: IBM E-mail system.
This virus circulated a Christmas greeting throughout IBM's
worldwide E-mail system in December, 1987. The virus overloaded the
network, forcing IBM to shut it down temporarily.<Note: Knight-Ridder
News Service, "For Many Users, `Viruses' are Nothing New" reprinted in
The Washington Post, November 28, 1988, p. F25.> The virus was sent by
a West German law student to friends through a local European academic
research network. The virus told the receiver's computer to display the
greeting, then quietly send the virus and message to everyone on the
recipient's regular electronic mailing list. It turned out that someone
on the list had special, restricted access to IBM's E-mail network of
several thousand computers in 145 countries. IBM has since modified
their system to make repetition improbable.<Note: Philip J. Hilts,
"Computers Face Epidemic of `Information Diseases'; Malicious
Programmers Spread Destructive Bits of Bogus Instructions Across the
World" The Washington Post, May 8, 1988, p. A3.>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

60
textfiles.com/virus/NCSA/ncsa042.txt Normal file
View File

@@ -0,0 +1,60 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Christmas Tree Virus <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Synonyms: XA1, 1539 virus
Date of Origin: March, 1990.
Place of Origin: West Germany.
Host Machine: PC compatibles.
Host Files: COM files. Non-resident.
OnScreen Symptoms: Between 12/24 and 1/1 will display a Christmas tree
on the screen.
Increase in Size of Infected Files: 1,539 bytes.
Nature of Damage: On April 1, running an infected program will destroy
the hard disk partition table.
Detected by: Scan v61+.
Removed by: Scan/D, or delete the infected files.
Derived from: apparently an original.
Discovered by Christoff Fischer, this virus displays the Christmas
tree on the screen when the system date is between December 24 and
January 1 and an infected program is executed. On April 1, it destroys
the partition table of the hard disk.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

39
textfiles.com/virus/NCSA/ncsa043.txt Normal file
View File

@@ -0,0 +1,39 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Chroma <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Date of Origin: October, 1989.
Host Machine: PC compatibles.
Chroma appears to display a face and talk. While doing so, it places
itself throughout the hard disk and marks the sectors as unmovable
during de-fragmentation.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

50
textfiles.com/virus/NCSA/ncsa044.txt Normal file
View File

@@ -0,0 +1,50 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Clone Virus <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Host Machine: PC compatibles.
Host Files: boot sector infector.
OnScreen Symptoms: none.
Increase in Size of Infected Files: n/a
Nature of Damage: destroys the FAT after May 5, 1992.
Derived from: Brain-C
This virus is the Brain-C that saves the original boot copyright
label and restores it to the infected boot. The Basit & [A]mjad original
Brain messages have been replaced with non-printable garbage that looks
like instructions if viewed through Norton or another utility. Even if
the system is booted from a clean diskette, it is virtually impossible to
tell, by visual inspection, whether the hard disk is infected.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

39
textfiles.com/virus/NCSA/ncsa045.txt Normal file
View File

@@ -0,0 +1,39 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Clone-B <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Host Machine: PC compatibles.
Derived from: Clone virus.
This is the Clone virus that has been revised to corrupt the FAT when
when your machine is booted after May 5, 1992. There are no other
apparent modifications.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

124
textfiles.com/virus/NCSA/ncsa046.txt Normal file
View File

@@ -0,0 +1,124 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Dark Avenger <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Synonyms: Black Avenger
Date of Origin: September, 1989.
Place of Origin: Sofia, Bulgaria. First isolated at U.C. Davis.
Host Machine: PC compatibles.
Host Files: Remains resident. Infects COMMAND.COM, EXE, COM, overlay
files.
Increase in Size of Infected Files: 1800 bytes.
Nature of Damage: Affects system run-time operation. Corrupts program or
overlay files. Directly or indirectly corrupts file linkage.
Detected by: Scanv36+, F-Prot, IBM Scan, Pro-Scan.
Removed by: M_DAV, CleanUp, F-Prot.
The Dark Avenger originated in Sofia, Bulgaria, and was probably
imported to the U.S. in September, 1989 by some visiting math professors
at U.C. Davis. It was first reported by Randy Dean at the U.C. Davis
bookstore.
It not only infects generic COM and EXE files, but will also infect
COMMAND.COM. Only files larger than 1,774 bytes will be infected<Note:
Most of the technical information in this section was provided by Daniel
Kalchev, of Bulgaria>. Once in COMMAND.COM, the virus will even
replicate through the DOS COPY and XCOPY commands, with both the source
and destination files being infected in the COPY process. The virus has
been named the Dark Avenger because this code appears within the virus.
The virus contains the words <197> "The Dark Avenger, copyright 1988,
1989" and the message <197> "This program was written in the city of
Sofia. Eddie lives.... Somewhere in Time!"
The Dark Avenger increases the length of infected COM files by 1,800
bytes. EXE files are rounded up to the next "paragraph", and the virus
is appended.
The Dark Avenger stays resident in memory (via manipulation of
memory control blocks) and infects files via many DOS functions (such as
open, close, exec). For this reason, a file may become infected not only
when it is executed but even when viewed with PC Tools, when located with
some "FileFind" program, or when copied with COPY or XCOPY. During copy
commands, both source and target files become infected.
When the Dark Avenger loads into memory, it begins by destroying the
resident portion of COMMAND.COM, which causes reloading of the transient
portion. At this time, the virus has already hooked the necessary
interrupt and COMMAND.COM is infected first.
Although it stays resident, the Dark Avenger can't be detected by
many programs such as MAPMEM, MI, SMAP, and others. This is because when
a such a program is executed, the virus finds the program's own memory
control block (MCB) and changes it in a way that it looks like the last
of the chain of the MCBs (originally the MCB points to the next MCB in
which virus is located). This hint is especially designed to deceive
programs such as MAPMEM.
In addition, in the boot sector, two variables are maintained (at
offset 0x08 and 0x0A). The latter is a counter to 15 (initialized to
major version of current PC/MS-DOS). It is incremented each time an
infected program is executed. When the counter reaches 16, the number
from the first variable is used to select a random disk sector, which is
then overwritten by the virus. If this sector is used by a file, the file
is destroyed. Should the directory sector be selected and overwritten,
the results are most unpleasant.
When the Dark Avenger installs itself, it scans the ROMs of
additional controllers to find the address of the INT 0x13 handler (the
virus knows how it begins and looks for its own first bytes). After that,
it directly calls this address. As a result, it can't be detected by a
program waiting for INT 0x13. The Dark Avenger uses INT 0x26 for this,
and is detected by many antivirus programs (such as ANTI4US) with this
interrupt. The virus affects functions of PC/MS-DOS such as "SetVector"
and "Terminate And Stay Resident".
If anti-virus software attempts to set some of the virus's vital
interrupts via "SetVector", the Dark Avenger will prohibit this. If the
anti-virus software directly changes the vector table, when the software
terminates (via "Terminate And Stay Resident"), the virus restores its
vectors.
As an extremely infectious virus, treat it cautiously. Power down
the system with the on/off switch. Re-boot from a write-protected system
master diskette. Run SCAN or some other scanner to determine the extent
of infection. The virus could conceivably be widespread. A disinfector
(M_DAV), written by Morgan Schweers, is available on the National
Computer Security Association's BBS that can remove this virus.<Note:
The board number is 202 364-1304.> Be sure to re-scan the disk after you
think you are finished with disinfection.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

107
textfiles.com/virus/NCSA/ncsa047.txt Normal file
View File

@@ -0,0 +1,107 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Datacrime <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Synonyms: 1280 virus, Columbus Day, October 12th, October 13th, Friday
13th, Munich Virus, Miami Virus
Date of Origin: March, 1989.
Place of Origin: Europe.
Host Machine: PC compatibles.
Host Files: non-resident. Infects COM files.
OnScreen Symptoms: No screen symptoms during propagation. After October
12 of any year, it will display the message "DATACRIME VIRUS RELEASED 1
MARCH 1989".
Increase in Size of Infected Files: 1280 bytes.
Nature of Damage: Corrupts program or overlay files. Formats or erases
all/part of disk.
Detected by: Scanv56+, F-Prot, IBM Scan, Pro-Scan.
Removed by: AntiCrim, Scan/D, F-Prot, or CleanUp.
Scan Code: 00 56 8D B4 30 05 CD 21 or 8B 36 01 01 83 EE 03 8B C6 3D 00 00
75 03 E9 02 01. Uses self-encryption. You can also search at offset 000H
for 2E 8B 36 01 01 83 EE 03 8B C6.
The 1280 version of Datacrime is the earliest version, followed by
the 1168 version. Both versions infect COM files, preserving the COM
file's date and time. This virus saves the first three bytes of its host
to a "save area" inside the virus shell, replacing them with a branch to
the beginning of the virus. It appends the shell to the end of the .COM
file on a paragraph boundary. The resulting file apparently must not
exceed 64K <197> the stack is at the top of the 64K file, where the shell
resides. The stack must have room for virus use. It is not
memory-resident.
All versions of Datacrime activate after October 12th (hence the
name October 12). In 1989 <197> its year of release <197> the day after
October 12 was Friday the 13th (hence that name). Turning off your
computer on that day will not provide any protection against it. The
first time an infected program is run on or after Oct. 13, the virus will
search through hard drive partitions (C:, then D:, etc.), then the
directories of the A: and B: drives (in that order) for an uninfected COM
file other than COMMAND.COM. It will ignore any COM file with a D as the
seventh letter of its name (as in COMMAND.COM). It will then display the
message: "Datacrime virus released 1 March 1989" and do a low-level
format of cylinder 0 of the hard disk.
Due to mistakes in the code, the system is almost certain to crash if
the DOS critical error handler is called (caused by a disk missing from a
drive, for example). If the computer has an ESDI, RLL, or SCSI
controller, the virus may be unsuccessful in formatting the hard disk.
The effect of this formatting is to wipe out the FAT (file allocation
table) and the root directory, making the disk unreadable, except by
special utilities.
Detection:
* The original version of the Datacrime will not infect files until
after April 1st of the year (April Fool's Day).
* The virus, depending on its variant, appends itself to .COM files
(except for COMMAND.COM), increasing the .COM file by either 1168 or
1280 bytes. In addition, the Datacrime II variant can infect .EXE
files, increasing their size by 1514 bytes.
* The 1168 byte version contains the hex string EB00B40ECD21B4.
* The 1280 byte version contains the hex string 00568DB43005CD21. In
this version, you can also look for this ten-byte hex pattern:
2E8B36010183EE038BC6. Note: the text message is encrypted, so it can't
be identified by a text string search or a disk utility.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

60
textfiles.com/virus/NCSA/ncsa048.txt Normal file
View File

@@ -0,0 +1,60 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Datacrime-B <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Synonyms: 1168 virus.
Host Machine: PC compatibles.
Host Files: EXE files.
Increase in Size of Infected Files: 1168 bytes.
Nature of Damage: Corrupts program or overlay files. Formats or erases
all/part of disk.
Detected by: Scanv56+, F-Prot, IBM Scan.
Removed by: CleanUp, AntiCrim, Scan/D, or F-Prot.
Derived from: Datacrime (1280).
Scan Code: EB 00 B4 0E CD 21 B4 or 8B 36 01 01 83 EE 03 8B C6 3D 00 00 75
03 E9 FE 00. Uses self-encryption.
This is the second version of the Datacrime virus. Differences
between this version and the original Datacrime:
* EXE files are infected, COM files are not.
* Files grow by 1168 bytes, rather than 1280 bytes.
See the discussion of 1280/Datacrime above for major facts.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

64
textfiles.com/virus/NCSA/ncsa049.txt Normal file
View File

@@ -0,0 +1,64 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Datacrime II (1514 variant) <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Synonyms: 1514 virus, Columbus Day.
Host Machine: PC compatibles.
Host Files: COM (including COMMAND.COM) and EXE files.
Increase in Size of Infected Files: 1514 bytes.
Nature of Damage: Corrupts program or overlay files. Formats part of
hard disk on any date up to and including October 12, of any year, except
Sunday.
Detected by: Scanv56+, F-Prot, IBM Scan, Pro-Scan.
Removed by: CleanUp, AntiCrim, Scan/D, or F-Prot.
Derived from: Datacrime.
Scan Code: Uses self-encryption. 5E 81 EE 03 01 83 FE 00 74 2A 2E 8A 94.
You can also search at offset 022H for 2E 8A 07 2E C6 05 22 32 C2 D0.
The major differences between this version and its predecessor:
* the virus will add 1,514 bytes to infected files;
* both COM and EXE files are infected;
* the virus now uses self-encryption.
* the virus will not format disks on Mondays.
See the discussion of 1184 below.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

58
textfiles.com/virus/NCSA/ncsa050.txt Normal file
View File

@@ -0,0 +1,58 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Datacrime II (1184 variant) <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Synonyms: 1184 virus.
Host Machine: PC compatibles.
Host Files: COM files.
OnScreen Symptoms: none.
Increase in Size of Infected Files: 1184 bytes.
Nature of Damage: Corrupts program or overlay files. Formats or erases
all/part of disk.
Detected by: Scanv56+, F-Prot, IBM Scan, Pro-Scan.
Removed by: CleanUp, AntiCrim, Scan/D, F-Prot.
Derived from: DataCrime.
This version is encrypted, so the hex pattern is not visible, but the
program can be detected by looking for COM files that are increased in
size by 1184 bytes.
Datacrime 2 can be detected by running a good debugger and
single-stepping to find the end of the encryption routine (10 or 20
instructions with obvious XOR's and a branch condition in front).
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

63
textfiles.com/virus/NCSA/ncsa051.txt Normal file
View File

@@ -0,0 +1,63 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Datacrime II-B <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Synonyms: 1917 virus, Columbus Day
Date of Origin: November, 1989.
Place of Origin: Europe. Isolated by Jan Terpstra of the Netherlands.
Host Machine: PC compatibles.
Host Files: Non resident. Infects COMMAND.COM, EXE, COM files.
OnScreen Symptoms: none.
Increase in Size of Infected Files: 1917 bytes.
Nature of Damage: Corrupts program or overlay files. Also formats or
erases part/all of the disk.
Detected by: Scanv51+, F-Prot.
Removed by: CleanUp, AntiCrim, Scan/D, F-Prot.
Derived from: Datacrime II.
Scan Code: encrypted.
Differences between this virus and the Datacrime II virus:
* Files increase in length by 1,917 bytes, rather than 1,184 bytes.
* The encryption method used by the virus to escape detection is
different.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

70
textfiles.com/virus/NCSA/ncsa052.txt Normal file
View File

@@ -0,0 +1,70 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> dBASE Virus <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Synonyms: DBF virus
Place of Origin: New York.
Host Machine: PC compatibles.
Host Files: Remains resident. Infects COM files and overlay files. May
infect EXE files.
Increase in Size of Infected Files: 1864 bytes.
Nature of Damage: Corrupts DBF files. Affects system run-time operation.
Corrupts program or overlay files.
Detected by: Scanv47+, F-Prot, IBM Scan, Pro-Scan.
Removed by: CleanUp, Scan/D, or F-Prot.
Discovered by Ross Greenburg of New York, this is a memory resident
.COM/.OVL virus, which attempts to infect the dBASE program. When an
infected application is executed, the virus installs in memory, looking
for an open operation on .DBF files. Any writes to this file have two
bytes transposed at random. The virus keeps track of which files and
bytes have been altered using a file called BUG.DAT in the same directory
as the .DBF files. Reads of data are corrected by the resident portion of
the virus, thus data appear correct. However, when BUG.DAT is 90 days
old, the virus overwrites/nulls the root directory and FAT structures.
If the DBF file can be recovered, it will be recovered with non-obvious
errors.
After this virus has been detected, if you remove the infected DBase
program and replace it with a clean copy, your DBF files that were opened
during the period that you were infected will be useless since they are
garbled on the disk even though they would be displayed as expected by
the infected Dbase program. To avoid file damage, keep multiple backups,
and keep hard copy of your transactions. Running a program such as
Deskview will permit you to look in your dBASE directory for BUG.DAT
during dBASE operations.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

117
textfiles.com/virus/NCSA/ncsa053.txt Normal file
View File

@@ -0,0 +1,117 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Den Zuk <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Synonyms: Venezuelan, The Search.
Place of Origin: Indonesia?
Host Machine: PC compatibles.
Host Files: Remains resident. Infects floppy disk boot sector.
OnScreen Symptoms: a purple "DEN ZUK" graphic will appear after a
CTRL-ALT-DEL is performed if the system has a CGA, EGA, or VGA monitor
and an infected floppy in drive A:. The rather pretty graphic slides in
from the sides of the screen.
Increase in Size of Infected Files: n/a.
Nature of Damage: Affects system run-time operation. Corrupts or
overwrites boot sector of 360K floppies. The original causes no
intentional damage. Some variations may reformat a floppy disk after a
counter reaches a value of 5 to 10 (depending on the version.)
Detected by: Scanv56+, F-Prot, IBM Scan, Pro-Scan.
Removed by: MDisk, F-Prot, or the DOS SYS command.
Derived from: Ohio virus
Scan Code: FA 8C C8 8E D8 8E D0 BC 00 F0 FB B8 78 7C 50 C3. You can also
search at 03EH for BB 90 7C 53 C3 B9 B0 7C 51 C3.
Den Zuk (translation: "The Search") was written as an anti-virus
virus. Its target: Brain infections. When this virus finds a
Brain-infected diskette, it removes Brain and puts a copy of itself in
place. It also looks for old versions of itself and "upgrades" them if
necessary. The virus resides on track 40 on diskettes (normally 360K
diskettes only have tracks numbered 0-39), and thus takes up no usable
space.
The virus was designed as a boot sector infector that infects 360KB 5
1/4" floppies. It infects through any access to the host diskette. It can
survive a warm reboot. It will infect data (non-system) diskettes, which
in turn can pass on the infection if an accidental attempt to boot from
the data disk occurs.
Den Zuk has a bug which causes it to attempt to infect 3.5"
diskettes. This will overwrite the diskette's FAT and cause a read (or
write) failure. It cannot infect a hard disk, and will not attempt to do
so. If an infected system is rebooted from the hard disk, the virus will
de-activate. This is not the case with rebooting from a clean floppy -
which will become infected.
Den Zuk demonstrates what can (and will) go wrong with
anti-virus-viruses. The programmer did not anticipate 1.2M or 3.5"
diskettes. When the virus infects a disk of that type, it will destroy
data. Also, several "hacked" versions of this virus have been reported:
* One variant will disable the SYS command and destroy all data on
drive C: on (Friday) September 13, 1991.
* Another variant uses a counter which keeps track of how many times
the system has been rebooted. When the limit is reached (usually 5 to
10 reboots), the drive A: floppy is reformatted.
You may find the following text strings on infected disks:
Welcome to the
C l u b
<197>The HackerS<197>
Hackin'
All The Time
The HackerS
If the virus has successfully removed the Brain, the volume label of
infected diskettes may be changed to "Y.C.1.E.R.P.". The Den Zuk virus
will also remove an Ohio virus infection before infecting the diskette
with Den Zuk, presumably because the Ohio is the first draft and a bit
cruder than Den Zuk.
The Den Zuk virus was probably written by the same person as the Ohio
virus: the "Y.C.1.E.R.P." string is found in the Ohio virus, and the
viral code is similar in many respects.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

70
textfiles.com/virus/NCSA/ncsa054.txt Normal file
View File

@@ -0,0 +1,70 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Devil's Dance <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Synonyms: Mexican virus
Date of Origin: December, 1989.
Place of Origin: Reported by Mau Fragoso of Mexico City.
Host Machine: PC compatibles.
Host Files: Remains resident, infects COM files.
OnScreen Symptoms: After a warm reboot, you will see the message "DID YOU
EVER DANCE WITH THE DEVIL IN THE WEAK MOONLIGHT? PRAY FOR YOUR DISKS!!
The Joker" Also, after your first 2,000 keystrokes, screen colors will
begin to change.
Increase in Size of Infected Files: 941 bytes.
Nature of Damage: Corrupts data files, program or overlay files, affects
system run-time operation, corrupts file linkage.
Detected by: Scanv52+.
Removed by: CleanUp, Scan/D, or delete infected files.
This virus will infect a file multiple times until the file becomes
too large to fit in available memory. Once an infected program has been
run, any subsequent warm boot (CTRL-ALT-DEL) will result in the message
noted above.
The Devil's Dance virus is destructive.
* After the first 2,000 keystrokes, the virus starts changing the
colors of text displayed on the monitor.
* After the first 5,000 keystrokes, the virus erases the first copy of
the FAT. At this point, whenever the system is rebooted, it will
display the message above, destroy the first copy of the FAT, then
proceed with the boot process.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

101
textfiles.com/virus/NCSA/ncsa055.txt Normal file
View File

@@ -0,0 +1,101 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Disk Killer <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Synonyms: Ogre, Disk Ogre, Computer Ogre.
Date of Origin: Spring, 1989.
Host Machine: PC compatibles.
Host Files: Remains resident. Infects both floppy and hard disk boot
sectors.
Increase in Size of Infected Files: n/a.
Nature of Damage: Corrupts or overwrites boot sector. Affects system
run-time operation. Corrupts program or overlay files. Corrupts data
files. Formats or erases all/part of disk.
Detected by: Scanv39+, F-Prot, IBM Scan, Pro-Scan.
Removed by: MDISK, CleanUp, F-Prot, or DOS COPY and SYS commands.
The Disk Killer is a boot sector virus that infects both hard disks
and floppies.
The first organization to report this virus was Birchwood systems in
San Jose in early Summer, 1989. Additional reports were received from
Washington, Oklahoma, Minnesota and Arizona. It was finally isolated at
Wedge Systems in Milpitas, California. Disk Killer was isolated on
September 26, 1989.
The virus spreads by writing copies of itself to three unused
clusters on either a floppy or hard disk, marking them as "bad" in the
FAT to prevent overwriting. The boot sector is modified to execute the
virus code during the boot, permitting it to infect any new disks exposed
to the system.
The virus counts the number of disks it has infected and does no harm
until it has reached a predetermined limit. When the limit is reached or
exceeded and the system is rebooted, this message is displayed:
"Disk Killer <197> Version 1.00 by COMPUTER OGRE. Don't turn off the
power or remove the diskettes while Disk Killer is processing! ...
PROCESSING ... Now you can turn off the power. I wish you luck."
During "processing", it writes clusters of a single character
randomly all over the disk, effectively trashing it.
Note that when the message is displayed, if the system is turned off
immediately it may be possible to salvage some files on the disk using
various utility programs, as this virus first destroys the boot sector,
FATs, and root directory.
The internal messages do not appear in sector zero, but are stored in
sector 152 on floppy disks and an as yet undetermined location on hard
disks. This had always added to the confusion over the virus because
message remnants were sometimes discovered in the middle of executable
files, and it was assumed that the virus was a COM or EXE infector.
If your boot sector does not contain the standard DOS error messages,
then immediately power down and clean out the boot. Infected boot
sectors begin with FAEB. You can check boot sectors with a tool such as
Norton's NU. If the DOS messages are not there (non-system disk; etc.),
then the system is infected. MDISK will remove the virus.
Disk Killer can be removed by using MDisk, or the DOS SYS command, to
overwrite the boot sector on your hard disk or bootable floppies. On
non-system floppies, files can be copied to non-infected floppies,
followed by reformatting the infected floppies. Be sure to turn the
system off, then reboot the system from a write-protected master
diskette before attempting to remove the virus, or you will be
reinfected by the virus in memory.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

73
textfiles.com/virus/NCSA/ncsa056.txt Normal file
View File

@@ -0,0 +1,73 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Do Nothing Virus <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Synonyms: Stupid virus
Date of Origin: October, 1989.
Place of Origin: Israel.
Host Machine: PC compatibles.
Host Files: Resident. Infects COM files.
Increase in Size of Infected Files: 608 bytes.
Nature of Damage: Corrupts program files. Does no apparent damage.
Detected by: Scanv49+, F-Prot, Pro-Scan.
Removed by: CleanUp, Scan/D, or F-Prot.
This virus was first reported in October, 1989 by Uval Tal in Israel.
It infects the first COM file in the current directory, and will
re-infect it again and again. It infects no other files, and causes no
other damage.
It has been called the "stupid" virus because it is so ineffectual
compared to other viruses. For instance:
* It always installs in memory in the same location, at address
9800:100H
* Any program which attempts to use this memory location destroys the
memory-resident copy of the virus.
* It can only infect systems with 640K of memory.
* It can not reach across directories.
* It cannot determine if the file it is infecting has previously been
infected.
* It does no apparent damage to anything but the first COM file in a
directory.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

54
textfiles.com/virus/NCSA/ncsa057.txt Normal file
View File

@@ -0,0 +1,54 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> EDV <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Date of Origin: January, 1990.
Host Machine: PC compatibles.
Host Files: Remains resident. Infects boot sector of both floppies and
hard disks, and infects hard disk partition tables.
Increase in Size of Infected Files: n/a
Nature of Damage: Corrupts or overwrites boot sector. Affects system
run-time operation.
Detected by: Scanv58+, IBM Scan.
Removed by: MDisk/P.
Scan Code: "MSDOS Vers. E.D.V." appears at the end of the boot sector on
infected floppies.
The EDV virus was first reported by David Chess at IBM. It is a boot
sector and partition table virus. Troublesome, it causes program crashes
and some data destruction.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

52
textfiles.com/virus/NCSA/ncsa058.txt Normal file
View File

@@ -0,0 +1,52 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Eight Tunes Virus <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Synonyms: 1971 virus
Date of Origin: January, 1990.
Place of Origin: Germany.
Host Machine: PC compatibles.
Host Files: Remains resident. Infects COM and EXE files.
OnScreen Symptoms: Plays one of eight German folk songs on the speaker.
Increase in Size of Infected Files: 1,975 bytes increase (about).
Nature of Damage: Corrupts COM and EXE files. Affects system run-time
operation. Contains no destructive code.
Detected by: Scanv62+.
Scan Code:
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

46
textfiles.com/virus/NCSA/ncsa060.txt Normal file
View File

@@ -0,0 +1,46 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Friday 13th-B <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Host Machine: PC compatibles.
Host Files: COM files.
Nature of Damage: Corrupts COM files.
Derived from: Friday 13th.
This virus is identical to the original except that it infects every
file in the current subdirectory. It will also infect every COM file in
the system path if the infected COM program is in the path. The only way
this virus can spread beyond the current subdirectory is if an infected
program ends up in the system PATH. Then every COM file in the currently
selected subdirectory will get infected.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

44
textfiles.com/virus/NCSA/ncsa061.txt Normal file
View File

@@ -0,0 +1,44 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Friday 13th-C <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Host Machine: PC compatibles.
OnScreen Symptoms: The message "We hope we haven't inconvenienced you"
appears upon activation.
Nature of Damage: Corrupts COM files.
Derived from: Friday 13th-B.
This is the Friday the 13th-B except a message has been added that
displays - "We hope we haven't inconvenienced you" appears whenever
the virus activates.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

92
textfiles.com/virus/NCSA/ncsa062.txt Normal file
View File

@@ -0,0 +1,92 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Fu Manchu <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Synonyms: 2080, 2086
Date of Origin: March 10, 1988.
Place of Origin: written by Sax Rohmer.
Host Machine: PC compatibles.
Host Files: Remains resident. Infects COM, EXE, overlay files.
OnScreen Symptoms: You may see the message "You will hear from me again!"
Increase in Size of Infected Files: 2086 bytes for COM files, 2080 bytes
for EXE files.
Nature of Damage: Affects system run-time operation. Corrupts COM and
EXE files. Some versions corrupt overlay, SYS, and BIN files.
Detected by: Scanv56+, F-Prot, IBM Scan, Pro-Scan.
Removed by: CleanUp, Scan/D, or F-Prot.
Derived from: Jerusalem.
Scan Code: encrypted. You may be able to find the marker "sAXrEMHOr" in
infected files. You can also search at offset 1EEH for FC B4 E1 CD 21 80
FC E1 73 16.
The virus occurs attached to the beginning of a COM file, or the end
of an EXE file. It is a rewritten ("improved") version of the Jerusalem
virus, and most of what is said for that virus applies here with the
following changes:
* The code to delete programs, slow down the machine, and display the
black window has been removed, as has the dead area at the end of the
virus and some sections of unused code.
* The marker is now 'rEMHOr' (six bytes), and the preceeding 'sU' is
now 'sAX' (Sax Rohmer - creator of Fu Manchu).
* COM files now increase in length by 2086 bytes & EXE files 2080
bytes. EXE files are now only infected once.
* One in sixteen times on infection a timer is installed which runs for
a random number of half-hours (maximum 7.5 hours). At the end of this
time the message "The world will hear from me again!" is displayed in
the center of the screen and the machine reboots. This message is
also displayed every time Ctrl-Alt-Del is pressed on an infected
machine, but the virus does not survive the reboot.
* There is further code which activates on or after the first of August
1989. This monitors the keyboard buffer, and makes derogatory
additions to the names of politicians (Thatcher, Reagan, Botha &
Waldheim), censors out two four-letter words, and to "Fu Manchu" adds
"virus 3/10/88 - latest in the new fun line!" All these additions go
into the keyboard buffer, so their effect is not restricted to the
monitor. All messages are encrypted.
Some versions of this virus can infect overlay, SYS, and BIN files.
It is still rare in the U.S.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

61
textfiles.com/virus/NCSA/ncsa063.txt Normal file
View File

@@ -0,0 +1,61 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Ghost Virus (boot version) <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Synonyms: Ghostballs
Date of Origin: September, 1989.
Place of Origin: Iceland.
Host Machine: PC compatibles.
Host Files: hard disk and floppy disk boot sectors.
Increase in Size of Infected Files: n/a.
Nature of Damage: Corrupts or overwrites boot sector.
Detected by: Scanv46+, F-Prot.
Removed by: CleanUp, MDisk, F-Prot, or use the DOS SYS command.
This virus was discovered in September, 1989 by Fridrik Skulason at
Icelandic University. The virus infects the boot sectors of hard disks
and floppies. The virus replaces the boot sector of infected systems
with a boot virus similar to Ping Pong. Random file corruption by this
virus has been reported.
The Ghost Boot virus is usually discovered along with the Ghost COM
virus. If you disinfect the boot sector to get rid of the Boot virus,
unless you also remove the COM virus, your boot sectors will again have
the Ghost Boot virus. It appears that the two viruses assist in the
propagation of each other.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

67
textfiles.com/virus/NCSA/ncsa064.txt Normal file
View File

@@ -0,0 +1,67 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Ghost Virus (COM version) <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Synonyms: Ghostballs.
Date of Origin: September, 1989.
Place of Origin: Iceland.
Host Machine: PC compatibles.
Host Files: COM files.
Increase in Size of Infected Files: 2351 bytes.
Nature of Damage: Corrupts or overwrites boot sector; corrupts COM
files.
Detected by: Scanv46+, F-Prot, IBM Scan, Pro-Scan.
Removed by: MDisk or DOS SYS command (accompanied by erasing infected
COM files), or use CleanUp or F-Prot.
The Ghost viruses (both boot and COM) were discovered at Icelandic
University by Fridrik Skulason. The Ghost COM virus infects generic COM
files, increasing the file size by 2,351 bytes.
Symptoms of this virus are very similar to the Ping Pong virus, and
random file corruption may occur on infected systems.
The Ghost COM virus may be the first virus to infect both files (COM
files in this case) and boot sectors. After the boot sector is infected,
it also acts as a virus (see Ghost BOOT virus).
To remove this virus, turn off the computer and reboot from a
write-protected disk. Then use MDisk, NDD, or the DOS SYS command to
replace the boot sector on the infected disk. Any infected .COM files
must also be replaced with clean copies.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

60
textfiles.com/virus/NCSA/ncsa065.txt Normal file
View File

@@ -0,0 +1,60 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Golden Gate Virus <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Synonyms: the 500 Virus, Mazatlan.
Host Machine: PC compatibles.
Host Files: boot sector.
Increase in Size of Infected Files: n/a
Nature of Damage: Infects boot sector of floppies, may eventually
reformat the hard disk.
Detected by: ScanV60+. (Identifies it as the Alameda).
Removed by: MDisk, F-Prot, or the DOS SYS command.
Derived from: Alameda.
This is the Alameda or SF Virus that has been modified to format the
C: drive when the counter runs out. The activation occurs after 500
infections, instead of 100 infections. Note that in all three of these
strains, the counter is zeroed on the host diskette at infection time.
Thus, the activation period on this virus will on the average stretch
into many years. No corruption will occur until 500 new diskettes have
been infected from within a given machine. Since the infection can only
occur when the system is booted with a new diskette, infection is not
frequent with this virus. The majority of infections will probably never
activate. The IBM PC will have long since been supplanted by another
architecture in most environments.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

45
textfiles.com/virus/NCSA/ncsa066.txt Normal file
View File

@@ -0,0 +1,45 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Golden Gate-B <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Host Machine: PC compatibles.
Host Files: infects the boot sector of floppy disks.
Increase in Size of Infected Files: n/a.
Nature of Damage: May only infect floppies. May do no other damage.
Derived from: Golden Gate virus.
This virus is the Golden Gate virus that has had the activation delay
reset to 30 infections. This virus should activate within a couple of
years in most environments.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

50
textfiles.com/virus/NCSA/ncsa067.txt Normal file
View File

@@ -0,0 +1,50 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Golden Gate-C <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Synonyms: Mazatlan virus.
Host Machine: PC compatibles.
Host Files: boot sector of floppies and hard disk.
Increase in Size of Infected Files: n/a.
Nature of Damage: infects both floppies and hard disks. May reformat
hard disks.
Derived from: Golden Gate-B virus.
This virus is the Golden Gate virus that is able to infect a hard
disk. It is a nasty virus, since it has more of an opportunity to do
damage than previous versions. Prior versions were limited since systems
with hard disks are only infrequently booted from floppy and booting
from the hard disk overwrote earlier versions.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

38
textfiles.com/virus/NCSA/ncsa068.txt Normal file
View File

@@ -0,0 +1,38 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Golden Gate-D <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Host Machine: PC compatibles.
Derived from: Golden Gate-C.
This virus is identical to Golden Gate-C, except the counter has been
disabled (similar to original Alameda).
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

54
textfiles.com/virus/NCSA/ncsa069.txt Normal file
View File

@@ -0,0 +1,54 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Halloechen Virus <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Place of Origin: West Germany
Host Machine: PC compatibles.
Host Files: COM and EXE files. Memory resident.
OnScreen Symptoms: keyboard input will appear garbled.
Increase in Size of Infected Files: 2,011 bytes.
Detected by: Scanv57+.
Removed by: delete infected files or run Scan/D.
First reported by Christoff Fischer of the University of Karlsruhe,
West Germany. It is now widespread in West Germany.
When an infected program is run, Halloechen installs in memory. From
memory, it infects any EXE or COM which is run, providing the program is
less than about 62K in size, and has a file date outside the current
system date's month. During the infection, the file's size is increased
to a multiple of 16, then the 2,011 bytes of virus code are added to it.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

57
textfiles.com/virus/NCSA/ncsa070.txt Normal file
View File

@@ -0,0 +1,57 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Holland Girl <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Synonyms: 1332 virus, Sylvia.
Place of Origin: the Netherlands.
Host Machine: PC compatibles.
Host Files: COM files. Remains resident.
Increase in Size of Infected Files: 1332 bytes.
Nature of Damage: Corrupts program or overlay files.
Detected by: Scanv50+, F-Prot, IBM Scan, Pro-Scan.
Removed by: CleanUp, F-Prot, or Scan/D.
This virus was first reported by Jan Terpstra in the Netherlands. It
infects COM files (but not COMMAND.COM), increasing their size by 1332
bytes.
It contains the name, address, and phone number of a Dutch woman
named Sylvia, and requests that post cards be sent to her. It may have
been written by an ex-boyfriend.
Potential damage from this virus is not yet known.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

82
textfiles.com/virus/NCSA/ncsa071.txt Normal file
View File

@@ -0,0 +1,82 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Icelandic 1 <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Synonyms: Saratoga 1, Icelandic, One in Ten, Disk Crunching Virus.
Date of Origin: June, 1989.
Place of Origin: Iceland.
Host Machine: PC compatibles.
Host Files: Remains resident. Infects EXE files.
Increase in Size of Infected Files: 642 bytes. A variant adds 656 bytes.
Another grows by 671 bytes. File lengths after infection are divisible
by 16.
Nature of Damage: Affects system run-time operation. Corrupts program
files.
Detected by: Scanv56+, F-Prot, Pro-Scan.
Removed by: CleanUp, Scan/D, or F-Prot.
Scan Code: Infected files always end with 44 18 5F 19. You can also
search at offset 0C6H for 2E C6 06 87 02 0A 90 50 53 51.
The Icelandic virus was first detected in June, 1989, disassembled a
week later, and the disassembly was made available around the beginning
of July. The basic Icelandic virus is a resident EXE-file infector that
infects every second EXE file executed, and sometimes will mark a free
cluster on a hard disk as bad (the "damage" routine).
The Icelandic virus will copy itself to the top of free memory the
first time an infected program is executed. Once in high memory, it hides
from memory mapping programs. If a program later tries to write to this
area of memory, the computer will crash. If the virus finds that some
other program has "hooked" Interrupt 13, it will not proceed to infect
programs. If Interrupt 13 has not been "hooked", it will attempt to
infect every 10th program executed.
The virus attaches itself to the end of the programs it infects, and
infected files will always end with "4418,5F19"H.
On systems with 12-bit FATs (floppy drives or 10 MB hard disks), the
virus will not cause any damage. However, on systems with 16-bit FATs
(hard disks larger than 10 MB), the virus will select one unused FAT
entry and mark the entry as a bad sector each time it infects a program.
It is likely that as of this writing, the virus has not been detected
outside of Iceland. Several variants are known, including Saratoga 2,
Icelandic Virus Version 2, and MIX1. See also the table.<Note: Prepared
by Y. Radai, Hebrew University of Jerusalem.><$&3 Icelandic>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

73
textfiles.com/virus/NCSA/ncsa072.txt Normal file
View File

@@ -0,0 +1,73 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Icelandic Virus Version 2 <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Synonyms: System Virus, One in Ten virus
Date of Origin: July, 1989.
Place of Origin: Iceland.
Host Machine: PC compatibles.
Host Files: Remains resident. Infects EXE files.
Increase in Size of Infected Files: 632 or 661 bytes.
Nature of Damage: Affects system run-time operation. Corrupts program or
overlay files.
Detected by: Scanv56+, F-Prot, IBM Scan, Pro-Scan.
Removed by: CleanUp, Scan/D, or F-Prot.
Derived from: Icelandic virus.
Scan Code: You can search at offset 0B8H for 2E C6 06 79 02 02 90 50 53
51.
This version of the Icelandic virus differs from the Icelandic in
that it bypasses INT21 and doesn't have the code to mark a cluster bad.
It doesn't have the INT13 check that the second version does.
Each time the Icelandic-II virus infects a program, it will modify
the file's date, thus making it fairly obvious that the program has been
changed. The virus will also remove the read-only attribute from files,
but does not restore it after infecting the program.
The Icelandic-II virus can infect programs even if the system is
running an anti-viral TSR that monitors interrupt 21, such as FluShot+.
On hard disks larger than 10 MB, there are no bad sectors marked in
the FAT as there is with the Icelandic virus.
Although this version has been called version 2, it may actually have
been the first released draft, and the Icelandic 1 may be the second.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

69
textfiles.com/virus/NCSA/ncsa073.txt Normal file
View File

@@ -0,0 +1,69 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Icelandic Virus Version 3 <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Synonyms: December 24th virus
Date of Origin: December, 1989.
Place of Origin: Iceland.
Host Machine: PC compatibles.
Host Files: Remains resident. Infects EXE files.
OnScreen Symptoms: The message "Gledelig jol" may appear on December 24.
Increase in Size of Infected Files: 843, 853, or 863 bytes.
Nature of Damage: Affects system run-time operation. Corrupts program
files.
Detected by: Scanv57+, F-Prot, IBM Scan, Pro-Scan.
Removed by: CleanUp, Scan/D, or F-Prot, or delete infected files.
Derived from: Icelandic virus.
Scan Code: May be identified by the last four bytes of an infected
program, "1844,195F"H -- a reversal of the ID of Icelandic I and II. You
can also search at offset 106H for 2E C6 06 6F 02 0A 90 50 53 51.
The Icelandic-III virus is very similar to the Icelandic Virus, from
which it was adapted. There are minor changes including the addition of
several NOP instructions.
This virus will not infect any program previously infected by
Icelandic or Icelandic-II.
If an infected program is run on December 24th of any year, programs
subsequently run will be stopped, later displaying the message "Gledileg
jol" ("Merry Christmas" in Icelandic) instead.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

41
textfiles.com/virus/NCSA/ncsa074.txt Normal file
View File

@@ -0,0 +1,41 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> IRQ Ver 41.0 Virus <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Host Machine: PC compatibles.
The IRQ virus attacks the file C:dir as well as the first executable
file that it finds listed in your startup-sequence files. It is to your
advantage to check all your disks startup files and the first executable
file referenced once infected with the IRQ virus.
KV (KillVirus) will detect the IRQ Ver 41.0 virus in an executable file
and remove the virus from the file.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

87
textfiles.com/virus/NCSA/ncsa075.txt Normal file
View File

@@ -0,0 +1,87 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Italian Virus <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Synonyms: Bouncing Ball, Vera Cruz, Ping-Pong, Bouncing Dot, Missouri
virus.
Date of Origin: March, 1988.
Host Machine: PC compatibles. Original version won't infect 80286 or
80386 computers or hard disks.
Host Files: Remains resident. Infects boot sector on any disk with at
least two sectors per cluster.
OnScreen Symptoms: A bouncing ball or dot may appear on the screen upon
activation.
Increase in Size of Infected Files: n/a.
Nature of Damage: Affects system run-time operation. Corrupts or
overwrites boot sector. Does no apparent damage.
Detected by: Scanv56+, F-Prot, IBM Scan.
Removed by: CleanUp, MDisk, F-Prot, or DOS SYS command.
Scan Code: 8E D8 A1 13 04 2D 02 00 A3 13 04 B1 06 D3 E0 2D C0 07 8E C0 BE
00 7C 8B FE B9 00. You can also search at offset 07CH for C7 06 4C 00 D0
7C 8C 0E 4E 00.
Description of Operation: This is a boot sector virus. Some forms infect
only floppies, others will also infect the boot sector of hard disks.
This virus consists of a boot sector and 1 cluster (2 sectors used)
marked as bad in the first copy of the FAT. The first of these sectors
contains the rest of the virus, and the second contains the original boot
sector. It infects all disks which have at least two sectors per
cluster, and it occupies 2K of memory.
When this virus activates (randomly) a bouncing dot/bouncing diamond
(ASCII 4) /bouncing smiley face (ASCII 2)<Note: Depends on the strain
which is running. There are at least three strains.> appears on the
screen and can only be removed through reboot. The virus can be triggered
by a disk access, should one occur during a one second window that occurs
about every half hour. When triggered, the dot bounces off the edges of
the screen, and passes through any text, with replacement after it.
Sometime, this doesn't work properly, the bouncing character interacts
with the characters on the screen, and screen displays are messed up.
Infected diskettes have 1K in bad sectors, infected hard disks have 2K
(and other numbers of bad sectors are possible). No known intentional
damage. Unintentional damage - the two copies of the FAT are left
different; DOS might not like this. Attempts to infect diskettes slows
them down, and some computers won't read floppies, due to time-outs. No
other damage is done.
Recovery: Recover by powering down the system, and then using a
write-protected DOS disk to boot. Use the SYS command from the floppy to
attempt to re-create a good boot sector. Alternatively, use the program
MD.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

71
textfiles.com/virus/NCSA/ncsa076.txt Normal file
View File

@@ -0,0 +1,71 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Italian-B <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Synonyms: Bouncing Ball, Vera Cruz, Ping-Pong-B, Bouncing Dot.
Host Machine: PC compatibles.
Host Files: Remains resident. Infects floppy and hard disk boot sectors.
(The original infected only floppy disks).
Increase in Size of Infected Files: n/a.
Nature of Damage: Affects system run-time operation. Corrupts program or
overlay files.
Detected by: Scanv56+, F-Prot, IBM Scan, Pro-Scan.
Removed by: CleanUp, MDisk, F-Prot, or DOS SYS command.
Derived from: Italian.
This is a variation of Italian that is able to infect hard disks.
Some of the characteristics are:
* Fairly long time before activation (a number of minutes at least)
* It displays a ball character, not the Diamond Character
* Once activated, the ball bounces around the screen until the system
is shut off.
* Formatted system & non-system disks are infected and have the one bad
spot created by the virus.
* When a user attempts to format the hard disk, format scans the disk OK
and then reports that track 0 is bad.
* Formatted system floppy disks tend to lock up the PC on boot, and warm
reboot doesn't work.
* The main problem is re-infection and spreading to other machines.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

58
textfiles.com/virus/NCSA/ncsa077.txt Normal file
View File

@@ -0,0 +1,58 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> ItaVir <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Synonyms: 3880 virus
Date of Origin: March, 1990.
Place of Origin: Milan, Italy.
Host Machine: PC compatibles.
Host Files: EXE files. Non-resident.
Increase in Size of Infected Files: 3,880 bytes
Detected by: Scan v.60+.
Removed by: Scan/D, or delete whatever is infected.
Recognition of this virus is straightforward. EXE files will grow in
length by 3,880 bytes, and a file named ?OMMAND.COM (where ? is a non-
printing character) will be found on the disk. This file contains the
virus, and is used as a source of the code during infection.
Itavir won't activate until it has been in the system for 24 hours or
more. Upon activation, it corrupts the boot sector, so that the system
will not boot after power down. A message (in Italian) is displayed, and
ASCII codes 0-255 are sent to all ports. Some monitors will flicker or
(if VGA) will hiss when this occurs.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

170
textfiles.com/virus/NCSA/ncsa078.txt Normal file
View File

@@ -0,0 +1,170 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Jerusalem Virus <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Synonyms: Israeli, Friday the 13th, Black Hole, Black Box, PLO, 1808
(EXE), 1813 (COM), sUMsDos, Russian.
Date of Origin: December 24, 1987 (date first detected in Israel).
Place of Origin: Israel.
Host Machine: PC compatibles.
Host Files: Remains resident. Infects COM, EXE, overlay files.
Increase in Size of Infected Files: 1808 bytes for EXE files (usually),
1813 bytes for COM files.
Nature of Damage: Affects system run-time operation. Corrupts program or
overlay files.
Detected by: Scanv56+, F-Prot, IBM Scan, Pro-Scan.
Removed by: CleanUp, UNVIRUS, IMMUNE, M-J, Scan/D/A, Saturday, F-Prot.
Derived from: Suriv03
Scan Code: 8E D0 BC 00 07 50 B8 C5 00 50 CB FC 06 2E 8C 06 31 00 2E 8C 06
39 00 2E 8C 06 3D 00 2E 8C 06 41 00 8C C0. You can also search at offset
095H for FC B4 E0 CD 21 80 FC E0 73 16.
History: The Jerusalem virus was first discovered at the Hebrew
University in Jerusalem on December 24, 1987, and reported to the virus
research community by Y. Radai of the Hebrew University of Jerusalem. My
personal suspicion is that the virus was written by a Palestinian, or
other enemy of Israel, and planted within Israel. Israel was declared an
independent state on May 14, 1948. Friday, May 13, 1988 would have been
40 years in which Palestine was no longer sovereign. Although it was
detected in late 1987, it contained code to prevent it from going off
until May 13, 1988. Other viruses set to go off on Friday the 13th are
likely copy-cats, whose authors simply thought that Friday the 13th was
unlucky, wanted a trigger date, and thought this would do fine.
Operation: This virus is a memory resident infector. Any "clean
program" run after an infected program is run will become infected. Both
COM and EXE files are infected. The virus occurs attached to the
beginning of a COM file, or the end of an EXE file. A COM file also has
the five-byte marker attached to the end. This marker is usually (but
not always) "MsDos", and is preceeded in the virus by "sU". "sUMsDos" is
not usually found in newer varieties of this virus. COM files increase
in length by 1813 bytes. EXE files usually increase by 1808 bytes, but
the displacement at which to write the virus is taken from the length in
the EXE header and not the actual length. This means that part or all of
this 1808 bytes may be overwritten on the end of the host program.
It becomes memory-resident when the first infected program is run,
and it will then infect every program run except COMMAND.COM. COM files
are infected once only, EXE files are re-infected each time they are run.
Interrupt 8 is redirected. After the system has been infected for
thirty minutes (by running an infected program), an area of the screen
from row 5 column 5 to row 16 column 16 is scrolled up two lines creating
a black two line "window". From this point a time-wasting loop is
executed with each timer interrupt, slowing the system down by a factor
of 10.
If the system was infected with a system date of Friday the
thirteenth, every program run will be deleted instead. This will
continue irrespective of the system date until the machine is rebooted.
The end of the virus, from offset 0600H, is rubbish and will vary from
sample to sample.
Jerusalem contains a flaw which makes it re-infect EXE (but not COM)
files over and over (up to five times or until the file becomes too big
to fit into memory, whichever comes first.)
The names 1808 and 1813 come from the fact that files grow by 1808 or
1813 bytes, without changing their date and time or read/write/hidden
attributes. COMMAND.COM does not grow, to help it avoid detection. In
fact, it seems likely that the disk version of COMMAND.COM is not
modified, but that the in-memory copy of COMMAND.COM is modified when an
infected program is run.
The virus causes some intentional damage:
* there is code in the virus for deleting each program that you run on
every Friday 13th. On January 13 (Friday), 1989, this virus made a
shambles of hundreds of PC-compatibles in Britain<Note: Jonathan
Randal, "Friday the 13th is Unlucky for British Computer Users;
Software Virus Disrupts IBM PC Programs" The Washington Post,
January 14, 1989, p. D10.>
* The virus re-directs interrupt 8 (among others) and one-half hour
after an infected program loads, the new timer interrupt introduces a
delay which slows down the processor by a factor of 10. (see figure).
It is difficult to estimate the total dollar value of damage done by
this virus to date. In just one case, reported in the Israeli newspaper
Maariv, it destroyed $15,000 worth of software and two disks in which
7,000 hours of work had been invested.<Note: Reported by Jonathan
Randal, "Friday the 13th is Unlucky for British Computer Users; Software
Virus Disrupts IBM PC Programs" The Washington Post, January 14, 1989,
p. D10.>
Disinfection can be a complex process. UNVIRUS will easily
eradicate this virus and 5-6 others as well. IMMUNE will prevent further
infection.
Alternatively, shareware programs written by Dave Chamber and
distributed through bulletin boards under the name M-J may be used. M-J
removes the virus from hard disks; M-JFA removes the virus from floppy
disks that are inserted into the system's A drive; M-JFB removes the
virus from floppy disks that are inserted into the system's B
drive.<Note: The M-J disinfector is successful in removing the Jerusalem
virus in virtually all instances. However, it will destroy, on the
average, one EXE file in ten during the disinfection attempt. It will not
harm COM files. It is recommended that every infected program be
executed after the disinfection process. Programs that have been
disabled during the disinfection process will not execute.>
Alternatively, here is the process for removal:
* power down the system.
* Boot from a write-protected, clean system master diskette.
* Delete all of the infected programs as indicated by VIRUSCAN.
* Replace the programs from original write-protected program
distribution diskettes.
* Do not execute any program from the infected hard disk until the
disinfection process is complete.
* After cleaning all hard drives in the infected system, all floppies
that have come into contact with the system should be SCANned and
disinfected in the same manner.
Another means of detection: using PCtools or another text search
utility, search for the ASCII string "sUMsDos". This string is present
in all copies of this particular virus strain.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

59
textfiles.com/virus/NCSA/ncsa079.txt Normal file
View File

@@ -0,0 +1,59 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Jerusalem-B <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Synonyms: Arab Star, Black Box, Black Window, Hebrew University
Host Machine: PC compatibles.
Host Files: Remains resident. Infects SYS, COM, EXE, overlay files.
Increase in Size of Infected Files: 1808 bytes (EXE files), 1813 bytes
(COM files). Sometimes does not re-infect EXE files.
Nature of Damage: Affects system run-time operation. Corrupts program
files.
Detected by: Scanv56+, F-Prot, IBM Scan.
Removed by: CleanUp, F-Prot, Saturday, M-Jruslm, UnVirus.
Derived from: Jerusalem virus.
This virus is identical to the Jerusalem except:
* it is sometimes able to successfully identify pre-existing
infections in EXE files and may only infect them once.
* It may not slow the system after infection.
It is easily the most common of all PC viruses. It can infect SYS,
COM, EXE, and overlay files.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

66
textfiles.com/virus/NCSA/ncsa080.txt Normal file
View File

@@ -0,0 +1,66 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Jerusalem-C <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Synonyms: the New Jerusalem.
Date of Origin: October 14, 1989.
Place of Origin: first reported in the Netherlands by Fidonet SYSOPS Jan
Terpstra and Ernst Raedecker. May have originated elsewhere in Europe.
Host Machine: PC compatibles.
Host Files: Remains resident. Infects COM, EXE, SYS, BIN, PIF, overlay
files.
Increase in Size of Infected Files: 1808 bytes (EXE), 1813 bytes (COM).
Nature of Damage: Affects system run-time operation. Corrupts program or
overlay files.
Detected by: Scanv45+, F-Prot.
Removed by: CleanUp, Saturday, F-Prot.
Derived from: Jerusalem-B.
This virus seems to be a special version designed to elude virus
detectors, including McAfee's Scan versions prior to 45 and IBM's
VIRSCAN of October 20, 1989 and earlier.
This virus is identical to Jerusalem-B except that the timer
interrupt delay code has been bypassed. That is, it will not slow your
computer when it has activated. This virus is virtually invisible until
it activates. It infects both .EXE and .COM files and activates on any
Friday the 13th, deleting infected programs when you attempt to run
them. This virus is memory resident, and as with the other Jerusalem
viruses, may infect overlay, .SYS, .BIN, and .PIF files.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

39
textfiles.com/virus/NCSA/ncsa081.txt Normal file
View File

@@ -0,0 +1,39 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Jerusalem-D <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Host Machine: PC compatibles.
Derived from: Jerusalem-C.
This is the Jerusalem-C that destroys both versions of the FAT on any
Friday the 13th after 1990. The code that originally deleted executed
programs has been overwritten with the FAT destructive code.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

38
textfiles.com/virus/NCSA/ncsa082.txt Normal file
View File

@@ -0,0 +1,38 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Jerusalem-E <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Host Machine: PC compatibles.
Derived from: Jerusalem-D.
This is identical to the Jerusalem-D variety except the activation
is any Friday the 13th after 1992.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

97
textfiles.com/virus/NCSA/ncsa083.txt Normal file
View File

@@ -0,0 +1,97 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Joker <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Synonyms: Jocker
Date of Origin: December, 1989.
Place of Origin: Poland.
Host Machine: PC compatibles.
Host Files: Non resident. Infects EXE files.
OnScreen Symptoms: Infected programs display bogus error messages.
Nature of Damage: Damages program files.
Detected by: Scanv57+, Pro-Scan.
Removed by: CleanUp, Scan/D, or delete infected files.
The Joker was isolated in Poland in December, 1989. This virus is a
generic .EXE file infector, and is a poor replicator (ie. it does not
quickly infect other files).<Note: Note that reports are mixed on this
virus. Some claim that it is resident, and infects COM and COMMAND.COM,
but not EXE files.>
Infected programs will display bogus error messages and comments,
which cam be found in the infected files at the beginning of the viral
code. Some of the messages and comments include:
Incorrect DOS version
Invalid Volume ID Format failure
Please put a new disk into drive A:
End of input file
END OF WORKTIME. TURN SYSTEM OFF!
Divide Overflow
Water detect in Co-processor
I am hungry! Insert HAMBURGER into drive A:
NO SMOKING, PLEASE!
Thanks.
Don't beat me !!
Don't drink and drive.
Another cup of cofee ?
OH, YES!
Hard Disk head has been destroyed. Can you borrow me your one?
Missing light magenta ribbon in printer!
In case mistake, call GHOST BUSTERS
Insert tractor toilet paper into printer.
This virus may also alter .DBF files, adding messages to them.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

55
textfiles.com/virus/NCSA/ncsa084.txt Normal file
View File

@@ -0,0 +1,55 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Jork Virus <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Host Machine: PC compatibles.
Host Files: Remains resident. Infects floppy disk boot sector.
Increase in Size of Infected Files: n/a.
Nature of Damage: Corrupts or overwrites boot sector.
Derived from: Shoe_virus (Ashar).
This virus is exactly the same as the Shoe_virus (Ashar) in
operation. It was patched to replace offset 0202H, which reads as
follows in the Shoe virus:
(c) 1986 Brain & Amjads (pvt) Ltd
with
(c) 1986 Jork & Amjads (pvt) Ltd
Another patch the author made to the Shoe_virus was to reduce the
identifying text at offset 0010H to "Welcome to the Dungeon (c) 1986
Brain".
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

51
textfiles.com/virus/NCSA/ncsa085.txt Normal file
View File

@@ -0,0 +1,51 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> June 16th Virus <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Synonyms: Pretoria virus
Date of Origin: April, 1990
Place of Origin: South Africa.
Host Machine: PC compatibles.
Host Files: COM files including COMMAND.COM. Non-resident.
OnScreen Symptoms: A large hard disk may slow down during infection.
Increase in Size of Infected Files: 879 bytes.
Nature of Damage: Infects all COM files on the hard disk when an infected
program is first run. Erases all entries in root directory on any June
16. All FAT entries are replaced with tye word "ZAPPED".
Scan Code: encrypted.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

52
textfiles.com/virus/NCSA/ncsa086.txt Normal file
View File

@@ -0,0 +1,52 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Kennedy Virus <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Synonyms: Dead Kennedy
Date of Origin: April, 1990
Host Machine: PC compatibles.
Host Files: COM files other than COMMAND.COM
Increase in Size of Infected Files: 333 bytes.
Nature of Damage: not destructive.
Removed by: delete any infected files.
Scan Code: In the virus, you can find the following text strings:
"\command.com" and "The Dead Kennedys".
This virus activates on three dates: June 6, November 18, and
November 22. November 22 is the date of the assassination of John F.
Kennedy.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

49
textfiles.com/virus/NCSA/ncsa087.txt Normal file
View File

@@ -0,0 +1,49 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Korea Virus <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Synonyms: LBC boot.
Date of Origin: March, 1990
Place of Origin: Seoul, Korea.
Host Machine: PC compatibles.
Host Files: boot sectors of 360K floppies. Memory resident.
Increase in Size of Infected Files: n/a.
Detected by: Scanv61+.
Removed by: M-Disk, or DOS SYS command.
In its current version, this virus does nothing but spread.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

133
textfiles.com/virus/NCSA/ncsa088.txt Normal file
View File

@@ -0,0 +1,133 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Lehigh <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Date of Origin: late 1987.
Place of Origin: Lehigh University, Pennsylvania.
Host Machine: PC compatibles.
Host Files: Remains resident. Infects COMMAND.COM.
Increase in Size of Infected Files: overwrites files.
Nature of Damage: Corrupts program or overlay files. Overwrites the FAT
and boot sector after infecting four floppies.
Detected by: Scanv56+, F-Prot, IBM Scan, Pro-Scan.
Removed by: CleanUp, or use MDisk and replace COMMAND.COM with a clean
copy, or use F-Prot.
Scan Code: 50 53 80 FC 4B 74 08 80 FC 4E 74 03 E9 77 01 8B DA 80 7F 01 3A
75 05 8A 07 EB 07. You can also search at offset 01CH for B4 19 CD 44 04
61 1E 51 52 57.
History: This is a COMMAND.COM infector that first surfaced at Lehigh
University in late 1987. It is one of the best known of viruses, and
widely discussed and analyzed.
Description of Operation: Infects only COMMAND.COM, where it overwrites
the stack space. If a disk which contains an uninfected copy of
COMMAND.COM is accessed, that copy is also infected. A count of
infections is kept within each copy of the virus, and when this count
reaches 4, every disk (including hard disks) currently in the computer
is trashed by overwriting the initial tracks (boot sector & FAT).
Infection changes the date and time of the infected file. If a floppy
with an uninfected COMMAND.COM is write-protected, there will be a
"WRITE PROTECT ERROR" message from DOS.
I have reprinted below the warning that Kenneth van Wyk distributed
on this virus.
"WARNING: MS-DOS COMMAND.COM "virus" program will
reformat your disks!!
"Last week, some of our student consultants discovered a virus
program that's been spreading rapidly throughout Lehigh University. I
thought I'd take a few minutes and warn as many of you as possible
about this program since it has the chance of spreading much farther
than just our University. We have no idea where the virus started, but
some users have told me that other universities have recently had
similar problems.
"The virus: the virus itself is contained within the stack space of
COMMAND.COM. When a PC is booted from an infected disk, all a
user need do to spread the virus is to access another disk via TYPE,
COPY, DIR, etc. If the other disk contains COMMAND.COM, the virus
code is copied to the other disk. Then, a counter is incremented on the
parent. When this counter reaches a value of 4, any and every disk in
the PC is erased thoroughly. The boot tracks are nulled, as are the FAT
tables, etc. All Norton's horses couldn't put it back together again... :-)
This affects both floppy and hard disks. Meanwhile, the four children
that were created go on to tell four friends, and then they tell four
friends, and so on, and so on.
"Detection: while this virus appears to be very well written, the
author did leave behind a couple footprints. First, the write date of the
COMMAND.COM changes. Second, if there's a write protect tab on an
uninfected disk, you will get a WRITE PROTECT ERROR... So, boot up
from a suspected virus'd disk and access a write protected disk - if an
error comes up, then you're sure. Note that the length of
COMMAND.COM does not get altered.
"I urge anyone who comes in contact with publicly accessible disks
to periodically check their own disks. Also, exercise safe computing -
always wear a write protect tab.
"This is not a joke. A large percentage of our public site disks has
been gonged by this virus in the last couple days."<Note: Kenneth R. van
Wyk, User Services Senior Consultant, Lehigh University Computing
Center, (215)-758-4988>
The Lehigh original virus has been sporadically reported at dozens
of installations outside of the university for over a year. It is not a
particulary successful replicator <197> probably because of the
extremely short activation fuse - and it is difficult to detect and
report because there are few symptoms prior to activation. But there
should certainly be no surprise that it's in the public domain.
John McAfee has written: "The belief that viruses can be contained by
early counter-action is belied by the Lehigh University experience. I
have spoken to a number of individuals at the University who belived
that the virus had somehow been contained because "no copies of the
virus were distributed to outside organizations". This assumed, of
course, that the original virus writer gave up after being foiled at
Lehigh and did not insert the virus at any other location, and that all
copies of the virus at Lehigh had indeed been accounted for. The first
issue rests solely in the hands of the perpetrator and is beyond any
containment controls. The second issue relies on an error-free
containment process - allowing no possibility for overlooking, losing or
mistaking an infected diskette. In any case, the Lehigh virus was by no
means contained. I received a copy, as did virtually every virus
researcher, in mid-1988, and infection reports issued throughout the
year from universities, corporations and individual computer users."
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

54
textfiles.com/virus/NCSA/ncsa089.txt Normal file
View File

@@ -0,0 +1,54 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Lehigh-2 <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Host Machine: PC compatibles.
Host Files: Remains resident. Infects COMMAND.COM only.
Increase in Size of Infected Files: overwrites files.
Nature of Damage: Corrupts program or overlay files. Overwrites the FAT
and boot sector after infecting four floppies.
Detected by: Scanv56+, F-Prot, IBM Scan, Pro-Scan.
Removed by: CleanUp, or use MDisk and replace COMMAND.COM with a clean
copy, or use F-Prot.
Derived from: Lehigh virus.
Scan Code: 50 53 80 FC 4B 74 08 80 FC 4E 74 03 E9 77 01 8B DA 80 7F 01 3A
75 05 8A 07 EB 07.
A version of the Lehigh virus modified to retain its infection
counter in RAM. After 10 infections, it corrupts the boot sector and
FATs.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

60
textfiles.com/virus/NCSA/ncsa090.txt Normal file
View File

@@ -0,0 +1,60 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Lisbon virus <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Date of Origin: November, 1989.
Place of Origin: Lisbon, Portugal.
Host Machine: PC compatibles.
Host Files: COM files.
Increase in Size of Infected Files: 648 bytes.
Nature of Damage: Corrupts one out of eight COM programs by overwriting.
Detected by: Scanv49+, F-Prot, IBM Scan, Pro-Scan.
Removed by: CleanUp, Scan/D, or F-Prot.
Derived from: Vienna
This virus was discovered by Jean Luz, an NCSA member in Lisbon,
Portugal, in November, 1989. It infects COM files and increases the size
of infected programs by 648 bytes. It destroys 1 out of 8 infected
programs by overwriting "@AIDS" on top of the first five bytes of the
infected program.
The virus is very similar to Vienna, except that almost every word in
the virus has been shifted 1-2 bytes in order to avoid virus
identification/detection programs which could identify the Vienna
virus.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

69
textfiles.com/virus/NCSA/ncsa091.txt Normal file
View File

@@ -0,0 +1,69 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> LodeRunner <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Synonyms: Load Runner, Apple II GS Virus
Date of Origin: July, 1989.
Place of Origin: France.
Host Machine: Apple II GS.
Host Files: Boot block virus
Increase in Size of Infected Files: n/a
Nature of Damage: Erases boot blocks of disk in slot 5, drive 1. No
files are damaged.
The damage done by this virus is minimal --it destroys only the boot
blocks of a 3.5" disk (5.25" disks and hard disks seem to be immune),
leaving all the files and directories intact (it can, however, render
some copy-protected games unusable). LOAD RUNNER has a finite life-span
built in -- at the same time it starts damaging, it also stops
propagating, and being a boot block virus, it destroys copies of itself
when it destroys the boot blocks.
Virus copies itself to $E1/BC00 thru $E1/BFFF. Virus resides in the
boot blocks of a 3.5" disk. Copies itself to $E1/BC00 when disk is
booted. Copies itself to disk in slot 5, drive 1 when
CONTROL-APPLE-RESET is pressed. Propagation routine gains control by
patching undocumented system vector in Memory Manager. Original boot
blocks are not saved --virus contains code to emulate standard boot
process. Infects disks in slot 5, drive 1 only. Infection of disks
occurs when CONTROL-APPLE-RESET is pressed. Infection of host machine
occurs when an infected disk is booted.
Triggered by any date between Oct. 1 and Dec. 31 inclusive, of any
year. Damage occurs when an infected disk is booted. If damage occurs,
further infection will not occur. (Note that the damage process wipes
the virus off of the infected disk.)
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

75
textfiles.com/virus/NCSA/ncsa092.txt Normal file
View File

@@ -0,0 +1,75 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> MacMag <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Synonyms: Peace virus.
Date of Origin: February, 1988.
Place of Origin: Montreal, Canada.
Host Machine: Macintosh.
MacMag may hold the record for the virus that achieved the greatest
notoriety in the shortest period of time. Thousands of machines were
infected in less than a month! A Macintosh virus, it was planted by
Richard Brandow, publisher of MacMag, a Canadian Macintosh magazine.
The message it displayed was "Richard Brandow, publisher of MacMag, and
its entire staff would like to take the opportunity to convey their
universal message of peace to all Macintosh users around the world." The
"universal message of peace" flashed on the screens of thousands of
Macintosh owners on March 2, 1988, did no other damage, then erased its
own instructions.
The author, Drew Davidson, "thought we'd release it and it would be
kind of neat."<Note: Philip Elmer-DeWitt, "Invasion of the Data
Snatchers!", Time Magazine, September 26, 1988, p. 62 ff.>
This was probably the first virus to find its way into commercial
software. Richard Brandow, a collaborator with Davidson and publisher
of a Canadian computer magazine, distributed the virus with game
software called "Mr. Potato Head" at a February, 1988 meeting of the
Montreal Macintosh users group. Marc Canter, who was speaking at the
meeting, worked for MacroMind Inc. of Chicago, a firm doing consulting
work for Aldus. He brought the game home, tried it on his Mac, then began
to review software to be shipped to Aldus. The virus infected the disk
sent to Seattle, which was reproduced. About 3,000<Note: Knight-Ridder
new service, "For Many Users, `Viruses' are Nothing New" reprinted in
The Washington Post, November 28, 1988, p. F25.> to 5,000<Note: George
Tibbits "New Computer `Virus' Giving Software Firms a Headache" The
Washington Post, March 17, 1988, p. C11.> copies of an infected Aldus
Freehandteaching disk were made with a disk duplicating machine, then
shipped to computer stores around the country. Aldus recalled all of the
copies.
MacMag can be ignored. If there is still a copy left, it will destroy
itself after displaying its message. Nevertheless, it can be detected
and killed with Disinfectant.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

38
textfiles.com/virus/NCSA/ncsa093.txt Normal file
View File

@@ -0,0 +1,38 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Madonna <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Place of Origin: Brazil.
Host Machine: PC compatibles.
While Madonna sings in your video, you lose your disk. Reported in
Brazil.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

38
textfiles.com/virus/NCSA/ncsa094.txt Normal file
View File

@@ -0,0 +1,38 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Mailson <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Place of Origin: Brazil.
Host Machine: PC compatibles.
Produces an inversion of characters on the screen and and printer.
Named after a Brazilian politician.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

130
textfiles.com/virus/NCSA/ncsa095.txt Normal file
View File

@@ -0,0 +1,130 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> MIX1 <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Synonyms: MIX/1
Date of Origin: First reported on August 22, 1989.
Place of Origin: First detected in Israel. May have been written
elsewhere.
Host Machine: PC compatibles.
Host Files: Remains resident. Infects EXE files larger than 8K only in
one version, 16K in another version.
OnScreen Symptoms: You will see a bouncing ball after a crash, which will
occur after the sixth infection. (A variant will not crash the system.)
Increase in Size of Infected Files: 1618 bytes.
Nature of Damage: Affects system run-time operation. Corrupts program or
overlay files.
Detected by: Scanv37+, F-Prot, IBM Scan, Pro-Scan.
Removed by: CleanUp, Scan/D, Virus Buster, or F-Prot.
Derived from: Icelandic-1.
Scan Code: "MIX1" will be the last four bytes of any infected EXE.
MIX1 is a variant of the Icelandic-1 virus, like the Saratoga. The
Icelandic virus was first detected in June, 1989, disassembled a week
later, and the disassembly was made available around the beginning of
July. The MIX1 virus appeared on several BBSs in Israel on August 22, and
may have been written in any country, and then sent via modem to Israeli
boards.
The virus is put at the end of the .EXE file and the header is changed
to point to the virus. Infected files can be manually identified by a
characteristic "MIX1" always being the last 4 bytes of an infected file.
Using Debug, if byte 0:33C equals 77h, then the MIX1 virus is in memory.
EXE file execution through interrupt 21h service 4bh triggers the virus.
The infected .EXE files grow by 1618-1634 bytes, depending on its
original size. It will not infect files smaller than 8K. Once an infected
program is run, the virus occupies 2,048 bytes of memory.
Some peculiarities include:
* All output through vectors 14h and 17h -- the serial and parallel
ports -- is garbled.
* The NumLock key/light stays on.
* After the 6th infection, booting may crash the computer due to a bug,
and a bouncing ball may appear on the monitor.
* Memory allocation is done through direct MCB control.
* It does not allocate stack space, and therefore makes some files
unusable.
* It infects only files which are bigger than 16K, which makes
disassembly very hard.<Note: Portions of the description contributed
by Yuval Tal.>
The modifications to Icelandic I appear to be intended to fool virus
detection programs. The changes include replacing instructions with
other equivalent ones. For example,
XOR AX,AX
has been replaced with:
MOV AX,0000
and
MOV ES,AX
has been replaced with:
PUSH AX
POP ES
Also, NOP instructions have been inserted in several places,
including inside the identification strings used by VIRUSCAN and most
other similar programs. This seems to be a response by virus writers to
anti-virus programs that look for infection by using identification
strings. This method has been used in the '286 variant of the Ping-Pong
virus.
Apart from these changes, parts of the virus are almost identical to
other variants of the Icelandic virus. In the installation part, the
code to check INT 13 has been removed (as in Saratoga and Icelandic-2).
In a variant, the infection routine has been modified to infect every
file (instead of every tenth program run), and to not infect a program
unless it is at least 16K long. A variant of the virus will not crash the
system.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

85
textfiles.com/virus/NCSA/ncsa096.txt Normal file
View File

@@ -0,0 +1,85 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> New Zealand Virus <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Synonyms: Stoned Virus, Australian Virus, Hawaii, Marijuana, San Diego
virus, Smithsonian virus.
Date of Origin: early 1988.
Place of Origin: Wellington, New Zealand.
Host Machine: PC compatibles.
Host Files: Remains resident. Infects boot sector of 360K floppy disk.
OnScreen Symptoms: The screen will sometimes display "Your PC is now
stoned!"
Increase in Size of Infected Files: n/a.
Nature of Damage: Affects system run-time operation. Corrupts or
overwrites boot sector. Directly or indirectly corrupts file linkage.
Detected by: Scanv56+, CleanUp, F-Prot, IBM Scan, Pro-Scan.
Removed by: CleanUp, MDisk, F-Prot.
Scan Code: 1E 50 80 FC 02 72 17 80 FC 04 73 12 0A D2 75 0E 33 C0 8E D8 A0
3F 04 A8 01 75 03 E8 07 00. You can also search at offset 045H for B8 01
02 0E 07 BB 00 02 B9 01.
History: This virus was first reported in Wellington, New Zealand in
early 1988.
Description of Operation: This virus consists of a boot sector only. It
infects any disk inserted in a drive after it becomes activated during a
boot, and it occupies 1K of memory. The original boot sector is held in
track zero, head one, sector three on a floppy disk, and track zero, head
zero, sector two on a hard disk. The boot sector contains two character
strings: "Your PC is now Stoned!" and "LEGALISE MARIJUANA!". The first
of these messages is only displayed one in eight times when booting from
an infected floppy, the second is unreferenced. In some variations, the
message is displayed on every 32nd boot.
In the original version of this virus, only 360 KB 5 1/4" floppies
were infected. While the original version was unable to infect a hard
disk, other versions (such as New Zealand B) are capable of doing so.
The virus can (unintentionally) trash 1.2 Mb floppies if they have
more than 32 files, and trashes about 5% of hard disks.<Note: Dr. Alan
Solomon. "The Information Center - PC Security", 1989.>
Removal: The Stoned virus can be removed from 360KB diskettes by using
either the MDisk, CleanUp, or F-Prot programs. It can also be removed
from diskettes by using the DOS SYS command. Be sure to power down your
system and reboot from a clean, write-protected floppy prior to
attempting disinfection.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

71
textfiles.com/virus/NCSA/ncsa097.txt Normal file
View File

@@ -0,0 +1,71 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> New Zealand-B <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Synonyms: Stoned-B.
Host Machine: PC compatibles.
Host Files: Remains resident. Infects boot sector of floppy disk and
partition table of hard disk.
OnScreen Symptoms: The screen will sometimes display "Your PC is now
stoned!"
Increase in Size of Infected Files: n/a.
Nature of Damage: Affects system run-time operation. Corrupts or
overwrites boot sector. Directly or indirectly corrupts file linkage.
Detected by: Scanv56+, CleanUp, F-Prot, IBM Scan, Pro-Scan.
Removed by: CleanUp, MDisk, F-Prot.
Derived from: New Zealand.
Scan Code: You can search at offset 043H for B8 01 02 0E 07 BB 00 02 33
C9.
This is a variation of New Zealand. Much of the code has been
reorganized. The only significant change in function, however, is that
the original boot sector is stored at track zero, head zero, sector seven
on a hard disk. The second string ("Legalise Marijuana!") is not
transferred when infecting a hard disk. The virus occupies space in the
hard disk's partition table.
The hard disk is infected as soon as an infected floppy is booted. No
intentional damage is done by New Zealand-B, except systems with RLL
controllers will frequently hang.
Removal instructions are the same as for the original New Zealand
virus for diskettes. However, an infected hard disk must be disinfected
by using MDisk with the /P parameter, with CleanUp, or NDD, because the
partition table has been infected.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

59
textfiles.com/virus/NCSA/ncsa098.txt Normal file
View File

@@ -0,0 +1,59 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> New Zealand-C <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Synonyms: Stoned-C.
Host Machine: PC compatibles.
Host Files: Remains resident. Infects boot sector of floppy disk and
partition table of hard disk.
OnScreen Symptoms: The screen will not display any message.
Increase in Size of Infected Files: n/a.
Nature of Damage: Affects system run-time operation. Corrupts or
overwrites boot sector. Directly or indirectly corrupts file linkage.
Detected by: Scanv56+, CleanUp, F-Prot, IBM Scan, Pro-Scan.
Removed by: CleanUp, MDisk, F-Prot.
Derived from: New Zealand-B
This is the Stoned-B virus that no longer displays the "Stoned"
message. This virus is difficult to detect.
Removal instructions are the same as for the original New Zealand
virus for diskettes. However, an infected hard disk must be disinfected
by using MDisk with the /P parameter or CleanUp, because the partition
table has been infected.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

53
textfiles.com/virus/NCSA/ncsa099.txt Normal file
View File

@@ -0,0 +1,53 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> New Zealand-D <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Host Machine: PC compatibles.
Host Files: Remains resident. Infects boot sector of 360K, 1.2M, and
1.44M disk.
OnScreen Symptoms: The screen will sometimes display "Your PC is now
stoned!"
Increase in Size of Infected Files: n/a.
Nature of Damage: Affects system run-time operation. Corrupts or
overwrites boot sector. Directly or indirectly corrupts file linkage.
Detected by: Scanv56+, CleanUp, F-Prot, IBM Scan, Pro-Scan.
Removed by: CleanUp, MDisk, F-Prot.
Derived from: New Zealand (original)
Scan Code: 1E 50 80 FC 02 72 17 80 FC 04 73 12 0A D2 75 0E 33 C0 8E D8 A0
3F 04 A8 01 75 03 E8 07 00.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

87
textfiles.com/virus/NCSA/ncsa100.txt Normal file
View File

@@ -0,0 +1,87 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> nVIR <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Host Machine: Macintosh.
nVIR is a Macintosh virus that has now led to numerous strains,
including MEV#, AIDS, nFLU, and nVIR A and B.
When you run an application infected with nVIR A or B on a clean
system, the infection spreads from the application to the system file.
After rebooting, the infection in turn spreads from the system to other
applications, as they are run. The effect can be devastating (see
sidebar).
At first, nVIR A and B only replicate. When the system file is first
infected, a counter is initialized to 1000. The counter is decremented
by 1 each time the system is booted, and it is decremented by 2 each time
an infected application is run.
When the counter reaches 0, nVIR A will sometimes either say "Don't
Panic" (if MacinTalk is installed in the system folder) or beep (if
MacinTalk is not installed in the system folder). This will happen on a
system boot with a probability of 1/16. It will also happen when an
infected application is launched with a probability of 31/256. In
addition, when an infected application is launched, nVIR A may say
"Don't Panic" twice or beep twice, with a probability of 1/256.
When the counter reaches 0, nVIR B will sometimes beep. nVIR B does
not call MacinTalk. The beep will happen on a system boot with a
probability of 1/8. A single beep will happen when an infected
application is launched with a probability of 15/64. A double beep will
happen when an infected application is launched with a probability of
1/64.
It is possible for nVIR A and nVIR B to mate and sexually reproduce,
resulting in new viruses combining parts of their parents.
For example, if a system is infected with nVIR A, and if an
application infected with nVIR B is run on that system, part of the nVIR
B infection in the application is replaced by part of the nVIR A
infection from the system. The result contains part from each of its
parents, and behaves like nVIR A.
Similarly, if a system is infected with nVIR B, and if an application
infected with nVIR A is run on that system, part of the nVIR A infection
in the application is replaced by part of the nVIR B infection from the
system. The result is very similar to its sibling described in the
previous paragraph, except that it has the opposite "sex" - each part is
from the opposite parent. It behaves like nVIR B.
These offspring are new viruses. If they are taken to a clean system
they will infect that system, which will in turn infect other
applications. The descendents are identical to the original offspring.
Incestual matings of these children with each other and with their
parents produce results that contain various combinations of parts from
their parents.<Note: This material prepared by John Norstad, Academic
Computing and Network Services.>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

82
textfiles.com/virus/NCSA/ncsa101.txt Normal file
View File

@@ -0,0 +1,82 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Ohio <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Date of Origin: May, 1989.
Place of Origin: First reported at Ohio State University. May have
originated in Indonesia.
Host Machine: PC compatibles.
Host Files: Remains resident. Infects 360K floppy boot sector.
Increase in Size of Infected Files: n/a.
Nature of Damage: Corrupts or overwrites boot sector.
Detected by: Scanv56+, F-Prot, IBM Scan, Pro-Scan.
Removed by: MDisk, F-Prot, or DOS SYS command.
Derived from: May be an original. Den Zuk may have been derived from it.
Scan Code: see below.
The Ohio virus is a boot sector virus first discovered at Ohio State
University by Terry Reeves in May, 1989. It only infects 360K floppies.
It will infect any new diskette as soon as the diskette is accessed
(COPY, DIR, DEL, program load, etc.), similar to the Brain. The virus
will freeze the system if a <<Ctrl>><<Alt>><<Del>> is pressed and a cold
boot is then required. When the virus activates, the first copy of the
FAT becomes corrupted. No other symptoms have been reported.
The Ohio virus is similar in many respects to the Den Zuk virus, and
may be an early version of Den Zuk. A diskette infected with Ohio will be
immune to infection by the Pakistani Brain virus.
The following text strings appear in the Ohio virus:
V I R U S
b y
The Hackers
Y C 1 E R P
D E N Z U K 0
Bandung 40254
Indonesia
(C) 1988, The Hackers Team....
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

64
textfiles.com/virus/NCSA/ncsa102.txt Normal file
View File

@@ -0,0 +1,64 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Oropax Virus <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Synonyms: Music virus, Musician virus.
Date of Origin: December, 1989.
Host Machine: PC compatibles.
Host Files: Remains resident; infects COM files.
Increase in Size of Infected Files: length increases by 2756-2806 bytes,
so that total length is evenly divisible by 51. Most common length
increase is 2,773 bytes.
Nature of Damage: Affects system run-time operation; corrupts program
files.
Detected by: Scanv53+, F-Prot, IBM Scan, Pro-Scan.
Removed by: CleanUp, SCAN/D, F-Prot, or delete infected files.
A memory resident virus infecting COM files. When an infected
application is executed, the virus installs in memory trapping the DOS
21h interrupt. Thereafter, when a program attempts to create a
subdirectory, remove a subdirectory, create a file, open a file, delete
a file, get/set file attributes, rename a file, delete a file (with FCB),
create file (with FCB) or rename a file (with FCB), one COM file is
infected in the home directory. COMMAND.COM, COM files with length
divisible by 51, COM files with an attribute other than normal or
archive, or COM files with a length of 61980 bytes will not be infected.
The virus seems to activate randomly after infecting a file. If
activated, five minutes after infection it will play 3 or 6 melodies
(depending on version) repeatedly with a 7 minute interval in between
each.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

84
textfiles.com/virus/NCSA/ncsa103.txt Normal file
View File

@@ -0,0 +1,84 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Palette Virus <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Synonyms: Zero Bug virus, 1536 virus
Date of Origin: September, 1989.
Place of Origin: The Netherlands
Host Machine: PC compatibles.
Host Files: COM files. Memory resident.
Increase in Size of Infected Files: 1536 bytes.
Detected by: Scanv38+, F-Prot.
Removed by: Scan/D, F-Prot, or delete the infected files.
Scan Code: EB 2B 90 5A 45 CD 60 2E C6 06 25 06 01 90 2E 80 3E 26 06 00 8D
3E 08 06 0E 07 75 5E 2E C6 06 26 06 05 90.
This virus infects .COM files, causing them to grow by 1536 bytes,
but its main mission is to infect the copy of COMMAND.COM that is pointed
to by the environment variable COMSPEC. If COMSPEC does not point to
anything useful, the virus will install itself as a resident extension,
taking over INT 21h.
From the moment the virus has infected COMMAND.COM or has installed
itself as a TSR, the virus will intercept DOS INT 21h, function calls 11h
(find first file), 12h (find next file), 57 (get/set file date & time),
3Eh (close file), 40h (write to file or device) and 3Ch (create file).
All COM files that are accessed via function calls 3Ch, 3Eh and 40h
(by DOS itself or from any other program) will be infected by the virus.
This includes actions like COPY and XCOPY. Any COM file you create by
yourself via a compiler, linker, DEBUG or EXE2BIN will also be infected.
The extra 1536 bytes in infected files will not show up when you
display a directory of your disk. The virus intercepts DOS function
calls Find First, Find Next and Get/Set file date & time. If a COM file
found by these DOS functions has been infected by the virus, the
information in the DTA (Disk Transfer Area) will be changed to show the
actual filesize minus 1536 bytes. DIR and most full-screen file
utilities (Like Norton and PCTOOLS) will be fooled by this trick. This
makes it very hard to detect the virus by simply checking the size of COM
files, because infected files will show up with their ORIGINAL size!
If (and only if) the currently loaded COMMAND.COM is infected, the
virus will also hook the timer interrupt 1Ch. After a while a smiley face
(ASCII character 01) will move over your screen and "eat" all zeroes it
can find. Hence the name "Zero Bug" for this virus. The virus does not
format disks or erase files.
The virus seems not to be spread very widely and may be rather new.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

53
textfiles.com/virus/NCSA/ncsa104.txt Normal file
View File

@@ -0,0 +1,53 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Payday Virus <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Date of Origin: November, 1989.
Place of Origin: First isolated in the Netherlands.
Host Machine: PC compatibles.
Host Files: Remains resident; infects COM, EXE files.
Increase in Size of Infected Files: 1808 bytes (EXE files) and 1813 bytes
(COM files).
Nature of Damage: Corrupts program or overlay files.
Detected by: Scanv51+, F-Prot.
Removed by: CleanUp, M-JRUSLM, UnVirus, Saturday, F-Prot.
Derived from: Jerusalem-B.
This virus provides a simple change in the Jerusalem B, activating on
any Friday except Friday the 13th, hence the name "Payday".
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

64
textfiles.com/virus/NCSA/ncsa105.txt Normal file
View File

@@ -0,0 +1,64 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Pentagon Virus <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Place of Origin: Washington, D.C.
Host Machine: PC compatibles.
Host Files: Resident. 360K floppy disk boot sector.
Increase in Size of Infected Files: n/a.
Nature of Damage: Corrupts or overwrites boot sector.
Detected by: Scanv56+, F-Prot.
Removed by: MDisk, CleanUp, or DOS SYS command.
Scan Code: You can search at offset 03EH for 8E D8 FB BD 44 7C 81 76 06.
The Pentagon virus consists of:
* a normal MS-DOS 3.20 boot sector where the name "IBM" has been
replaced by "HAL".
* A file with the name of the hex character 0F9H. This file contains the
portion of the virus code which would not fit into the boot sector, as
well as the original boot sector of the infected disk. This file is
addressed by its absolute address, rather than name.
* A file named PENTAGON.TXT that does not appear to be used or contain
any data. Portions of this virus are encrypted.
The Pentagon virus will look for and remove the Brain virus from any
disk that it infects. It is memory resident, occupying 5K of RAM, and can
survive a warm reboot.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

54
textfiles.com/virus/NCSA/ncsa106.txt Normal file
View File

@@ -0,0 +1,54 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Perfume Virus <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Synonyms: 765, 4711
Date of Origin: December, 1989 or earlier.
Place of Origin: Poland or Germany.
Host Machine: PC compatibles.
Host Files: Non-resident. Infects COM files including COMMAND.COM
Increase in Size of Infected Files: 765 bytes.
Detected by: Scanv57+, F-Prot, IBM Scan, Pro-Scan.
Removed by: F-Prot or delete infected files.
Derived from: Jerusalem
The virus may ask you a question, and not infect should you answer
the question with "4711", the name of a German perfume. In the most
common version of this virus, however, the questions have been
overwritten with meaningless characters.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

64
textfiles.com/virus/NCSA/ncsa107.txt Normal file
View File

@@ -0,0 +1,64 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Saratoga Virus <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Synonyms: 642, One in Two
Date of Origin: July, 1989
Place of Origin: Calfornia
Host Machine: PC compatibles.
Host Files: Memory resident. Infects EXE files.
Increase in Size of Infected Files: 642 bytes.
Detected by: Scanv56+, F-Prot, IBM Scan.
Removed by: CleanUp, Scan/D, F-Prot, or delete infected files.
Derived from: Icelandic II?
This virus appears to be derived from the Icelandic-II viruses.
Modifications include:
* When Saratoga copies itself to memory, it modifies the memory block
so that it appears to belong to the operating system, thus preventing
reuse of the block.
* Like Icelandic-II, this virus can infect programs which have been
marked Read-Only, though it does not restore the Read-Only attribute
to the file afterwards.
Similar to the Icelandic-II virus, the Saratoga can infect programs
even if the system has installed an anti-viral TSR which "hooks"
interrupt 21, such as FluShot+.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

53
textfiles.com/virus/NCSA/ncsa108.txt Normal file
View File

@@ -0,0 +1,53 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> Saturday the 14th virus <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Synonyms: Durban
Date of Origin: March, 1990
Place of Origin: Durban, South Africa.
Host Machine: PC compatibles.
Host Files: COM (but not COMMAND.COM), EXE, and overlay files. Remains
resident.
Increase in Size of Infected Files: 669-685 bytes.
Nature of Damage: Overwrites the first 100 sectors of A:, B:, and C:,
destroying the boot sector, partition table, and FATs.
Detected by: Scan v61+.
Removed by: Scan/D, or delete whatever is infected.
Activates on any Saturday the 14th.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

52
textfiles.com/virus/NCSA/ncsa109.txt Normal file
View File

@@ -0,0 +1,52 @@
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<20> VIRUS REPORT <20>
<20> SF Virus <20>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Date of Origin: April, 1989.
Place of Origin: California
Host Machine: PC compatibles.
Host Files: Memory resident. Infects floppy disk boot sector.
Increase in Size of Infected Files: n/a
Detected by: Scanv56+ (identifies it as the Alameda).
Removed by: CleanUp, MDisk, F-Prot, or use the DOS SYS command.
Derived from: Alameda
A modification of the Alameda, the SF Virus activates when the
counter indicates it has infected 100 diskettes. The virus replicates
with each warm boot, infecting and reformatting any 360K disk in the
floppy drive.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD> This document was adapted from the book "Computer Viruses", <20>
<EFBFBD> which is copyright and distributed by the National Computer <20>
<EFBFBD> Security Association. It contains information compiled from <20>
<EFBFBD> many sources. To the best of our knowledge, all information <20>
<EFBFBD> presented here is accurate. <20>
<EFBFBD> <20>
<EFBFBD> Please send any updates or corrections to the NCSA, Suite 309, <20>
<EFBFBD> 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS <20>
<EFBFBD> and upload the information: (202) 364-1304. Or call us voice at <20>
<EFBFBD> (202) 364-8252. This version was produced May 22, 1990. <20>
<EFBFBD> <20>
<EFBFBD> The NCSA is a non-profit organization dedicated to improving <20>
<EFBFBD> computer security. Membership in the association is just $45 per <20>
<EFBFBD> year. Copies of the book "Computer Viruses", which provides <20>
<EFBFBD> detailed information on over 145 viruses, can be obtained from <20>
<EFBFBD> the NCSA. Member price: $44; non-member price: $55. <20>
<EFBFBD> <20>
<EFBFBD> The document is copyright (c) 1990 NCSA. <20>
<EFBFBD> <20>
<EFBFBD> This document may be distributed in any format, providing <20>
<EFBFBD> this message is not removed or altered. <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253

Some files were not shown because too many files have changed in this diff Show More