 Virus Name:  Vienna
 Aliases:     Austrian, Unesco, DOS-62, DOS-68, 1-in-8, 648
 V Status:    Common
 Discovered:  April, 1988
 Symptoms:    .COM growth; system reboots; system hangs
 Origin:      Austria
 Eff Length:  648 bytes
 Type Code:   PNCK - Parasitic Non-Resident .COM Infector
 Detection Method:  ViruScan, F-Prot, IBM Scan, VirexPC, AVTK, NAV, Novi,
                    CPAV, Sweep, UTScan, Gobbler2, VBuster, AllSafe, Trend,
                    ViruSafe, Iris, VNet, Panda, VET, Detect+, IBMAV,
                    Vi-Spy, NShld, LProt, CPAV/N, Sweep/N
 Removal Instructions:  CleanUp, F-Prot, VirexPC, NAV, or
                        delete infected files
 General Comments:
       The Vienna virus was first isolated in April, 1988, in Moscow at a
       UNESCO children's computer summer camp.  The Vienna virus is a
       non-resident, direct action infector of .COM programs, including
       COMMAND.COM.

       When a program infected with the Vienna virus is executed, the
       virus will select a .COM program in the current directory which has
       not previously been modified by the virus.  Usually, the Vienna
       virus will infect this file and set the seconds in the file's time
       in the disk directory to 62.  Infected programs will have a file
       length increase of 648 bytes with the virus being located at the
       end of the infected program.

       One out of every six programs which Vienna selects will not be
       actively infected by the virus.  Instead, the first five bytes of
       the selected .COM program will be changed to the hex character
       string "EAF0FF00F0", and the seconds field in the file time will be
       set to 62.  When these programs are later executed, a system warm
       boot may occur.  Since these corrupted programs do not actually
       contain the Vienna virus, and most anti-viral programs cannot
       detect them, systems which have been infected by Vienna will
       continue to experience unexpected reboots until all of the
       corrupted .COM programs have been replaced with clean copies.

       Some programs will hang upon execution after they have been
       infected by the Vienna virus.

       The Vienna virus was written by a high school student in Vienna,
       Austria as an experiment.  Its large number of variants, as well as
       other viruses which are in part based on Vienna code, can be
       attributed to its source code having been published many times.

       Due to the large number of variants, Vienna infections may not
       exhibit exactly the symptoms indicated above.
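
       The check below is an added example, not part of the original VSUM
       entry or of any scanner it names.  It decodes raw FAT directory
       entries to recover the seconds field (stored as seconds/2 in the low
       five bits of the time word, so 62 is the out-of-range value 31) and
       tests the first five bytes of each .COM file for the overwrites this
       entry describes, using the marker values listed for the variants
       further down.  The directory bytes, file names and file contents are
       constructed samples, and the function names are illustrative.

```python
import struct

# 32-byte FAT directory entry: name, ext, attr, 10 reserved, time, date, cluster, size
ENTRY = struct.Struct("<8s3sB10xHHHI")

# Seconds values this entry lists as infection markers, and which strain sets them.
MARKER_SECONDS = {
    62: "Vienna and several variants",
    60: "Twer-1000",
    58: "Vienna-CDM.A",
    56: "Vienna-Yam 92",
    32: "Vienna-Refresh",
    22: "Cracky",
}

# First-five-byte overwrites described in this entry.
REBOOT_STUB = bytes.fromhex("EAF0FF00F0")  # decodes as JMP FAR F000:FFF0, the PC reset entry point
SPACE_STUB = b"\x20" * 5                   # Vienna-648E


def parse_dir_entry(raw):
    """Decode one 32-byte FAT directory entry; return None if it is not a file."""
    if len(raw) != 32:
        raise ValueError("FAT directory entries are exactly 32 bytes")
    name, ext, attr, time_word, _date, _cluster, size = ENTRY.unpack(raw)
    if name[0] in (0x00, 0xE5):   # never used / deleted
        return None
    if attr & 0x18:               # volume label or directory (long-name slots set 0x08 too)
        return None
    return {
        "name": name.decode("ascii", "replace").rstrip(),
        "ext": ext.decode("ascii", "replace").rstrip(),
        "seconds": (time_word & 0x1F) * 2,   # 5-bit field counts 2-second units
        "size": size,
    }


def check_file(entry, head):
    """Return (severity, reason) findings for one file; head is its first bytes."""
    findings = []
    if entry is None or entry["ext"].upper() != "COM":
        return findings
    if head[:5] == REBOOT_STUB:
        findings.append(("high", "starts with EAF0FF00F0: corrupted, replace with a clean copy"))
    elif head[:5] == SPACE_STUB:
        findings.append(("high", "starts with five 0x20 bytes: Vienna-648E alteration"))
    secs = entry["seconds"]
    if secs in MARKER_SECONDS:
        # A running clock never yields more than 58 seconds, so 60 and 62 are
        # strong evidence; the other markers are ordinary values and need corroboration.
        severity = "high" if secs > 58 else "low"
        findings.append((severity, f"seconds field is {secs} ({MARKER_SECONDS[secs]})"))
    return findings


def scan_directory(dir_bytes, heads):
    """Walk a raw directory region; heads maps 'NAME.EXT' to each file's first bytes."""
    report = {}
    for off in range(0, len(dir_bytes) - 31, 32):
        raw = dir_bytes[off:off + 32]
        if raw[0] == 0x00:        # end-of-directory marker
            break
        entry = parse_dir_entry(raw)
        if entry is None:
            continue
        fullname = f"{entry['name']}.{entry['ext']}"
        found = check_file(entry, heads.get(fullname, b""))
        if found:
            report[fullname] = found
    return report


def make_entry(name, ext, hour, minute, sec_field, size, attr=0x20):
    """Build a constructed directory entry; sec_field is the raw 5-bit value."""
    time_word = (hour << 11) | (minute << 5) | sec_field
    return ENTRY.pack(name.ljust(8).encode(), ext.ljust(3).encode(),
                      attr, time_word, 0x1A21, 2, size)


# Constructed sample directory and file heads (not taken from any real disk).
SAMPLE_DIR = b"".join([
    make_entry("EDIT", "COM", 12, 0, 31, 2048 + 648),  # seconds 62
    make_entry("FORMAT", "COM", 9, 30, 31, 11616),     # seconds 62 and reboot stub
    make_entry("MORE", "COM", 9, 30, 11, 2618),        # seconds 22, a legal clock value
    make_entry("README", "TXT", 9, 30, 31, 100),       # not a .COM file
    make_entry("CHKDSK", "COM", 9, 30, 5, 9850),       # unmarked
])
SAMPLE_HEADS = {
    "EDIT.COM": b"\xe9\x00\x08\x90\x90",
    "FORMAT.COM": REBOOT_STUB,
    "MORE.COM": b"\xb4\x09\xba\x10\x01",
    "CHKDSK.COM": b"\xe9\x50\x01\x00\x00",
}

if __name__ == "__main__":
    for fname, found in scan_directory(SAMPLE_DIR, SAMPLE_HEADS).items():
        for severity, reason in found:
            print(f"{fname:12} [{severity}] {reason}")
```

       According to this entry, Dr Q-1028 leaves the file's date and time
       unchanged, so the seconds test does not cover it.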

       Known variant(s) of Vienna are:
       Cracky: Submitted in June, 1992, Cracky is a 546 byte variant of
             the Vienna virus which will only replicate on 8088 based
             systems.  On 286 and higher based systems, execution of an
             infected program will result in a system hang, or the text
             "Cracky !" being displayed in the upper left hand corner of
             the screen and a system hang when the next program, command,
             or .BAT file is executed.  On XT based systems, Cracky will
             infect one .COM file each time an infected program is
             executed.  Infected programs will have a file length increase
             of 546 bytes with the virus being located at the end of the
             infected file.  The seconds field in the file time in the
             DOS disk directory entry will have been set to 22, the virus'
             infection marker.  The display of the text "Cracky !" may
             also occur on 286 and higher systems, along with the system
             hang.  The following text strings can be found within the
             viral code in all infected files:
             "Cracky !"
             "*.com"
             Origin:  Unknown  June, 1992
       DOS 625: DOS 625 is a 625 byte variant of the Vienna virus.  It
             contains the text strings "????????COM", "PATH=", and "om OM".
             It is similar in behavior to the original Vienna virus, though
             it does not do anything besides replicate.
             Origin: Unknown  February, 1992
       Dr Q:   Dr Q is a 1,161 byte variant of the Vienna virus.  It
             contains the text string "(C) DOCTOR QUMAK" within the viral
             code in all infected programs.
             Origin: Unknown  November, 1991
       Dr Q-1028:   Dr Q-1028 is a 1,028 byte variant of the Dr Q
             virus described above.  It contains the text string
             "(C) DOCTOR QUMAK" within the viral code in all infected
             programs, as well as the following encrypted text strings:
             "Hello world from my virus !"
             "Infecks"
             "stuff that should be here"
             This variant infects one .COM program in the current directory
             each time an infected program is executed.  Infected programs
             will increase in size by 1,028 bytes and have no change in the
             file's date and time in the DOS disk directory listing.
             Occasionally, execution of an infected program will result
             in the display of the "Hello world from my virus !" message.
             Origin: Unknown  September, 1992
       Genny-648: Genny-648 is a 648 byte variant of the Vienna virus.
             It either infects or trojanizes one .COM program each time
             an infected program is executed.  Infected programs will
             have a file length increase of 648 bytes with the virus
             being located at the end of the infected file.  Trojanized
             programs will be altered so that they reboot the system when
             they are executed, the first five bytes having been altered.
             Like the original Vienna, this variant sets the seconds in
             the file's timestamp to 62 to indicate infection.
             Origin: Unknown  March, 1992
       Kuzmitch: Kuzmitch is a 1,064 byte variant of the Vienna virus.
             It will infect one .COM file in the current directory, but
             not COMMAND.COM, each time an infected program is executed.
             Infected files will have a file length increase of 1,064 -
             1,222 bytes with the virus being located at the end of the
             infected file.  It is unknown if it does anything besides
             replicate.
             Origin: Unknown  February, 1992
       New Generation: New Generation is a 1,054 byte variant of the
             Vienna virus.  It will infect one .COM file in the current
             directory, including COMMAND.COM, each time an infected
             program is executed.  Infected files will have a file length
             increase of 1,054 bytes with the virus being located at the
             end of the infected file.  On every 20th generation of the
             virus, it will display the following message on the system
             monitor:
             "         New Generation Virus 1.0 by NET CRASHER,
              a PROUD member in Hyper.  This message appears in a generation
              that is devided by 20. Please don't remove this virus, it
                       was created for research purposes only.
                                                              Get a Life!"
             The above message is encrypted within the viral code, as are
             the following two additional text strings:
             "*.com PATH="
             "?????????COM"
             Infected files will have the seconds field in the file time
             in the DOS disk directory set to 62.
             Origin: Israel  October, 1992
       Twer-1000: Twer-1000 is a 1,000 byte variant of the Vienna virus.
             It will infect one .COM file in the current directory each
             time an infected program is executed.  Infected files will have
             a file length increase of 1,000 bytes with the virus being
             located at the end of the infected file.  The file's date and
             time in the DOS disk directory listing will appear to be
             unaltered, but the seconds field has actually been changed to
             "60".  The following text strings can be found within the
             viral code in all Twer-1000 infected programs:
             "Twer 1991"
             "*.COM"
             "PATH="
             "????????COM"
             Origin: Unknown  December, 1992
       Vienna 822: Vienna 822 is similar to Vienna-B 645 in behavior.
                   This variant will infect .COM programs, including
                   COMMAND.COM, increasing their length by 822 bytes.
                   It does not perform either a warm reboot or delete
                   executed programs.
                   Origin: Europe  May, 1991
       Vienna-415: Vienna-415 is a 415 byte variant of the Vienna
                   virus which infects .COM programs located in the C:
                   drive root directory.  It adds 415 bytes to the .COM
                   programs it infects, including COMMAND.COM.  It sets
                   the seconds in the file's time in the DOS disk directory
                   to 62 to indicate the file is infected.
                   Origin:  Unknown  August, 1992
       Vienna-618: Vienna-618 is a 618 byte variant of the Vienna
                   virus.  It adds 618 bytes to the .COM programs it
                   infects, including COMMAND.COM.  It sets the seconds
                   in the file's time in the DOS disk directory to 62
                   to indicate the file is infected.  Once all the
                   programs in the current directory have become infected,
                   execution of an infected program will result in a
                   system hang.
                   Origin:  Unknown  April, 1992
       Vienna-621: Vienna-621 is functionally similar to the Vienna-618
                   virus.  It adds 621 bytes to the .COM programs,
                   including COMMAND.COM, which it infects.  Like
                   Vienna-618, it sets the seconds in the file's time to
                   62 to indicate infection.
                   Origin:  Unknown  April, 1992
       Vienna-634 Reboot: Vienna-634 Reboot is a 634 byte variant of
                   the Vienna virus described above.  It infects one .COM
                   file, including COMMAND.COM, each time an infected
                   program is executed.  Approximately 25% of the time
                   when an infected program is executed, a program will
                   be altered instead of infected.  The alteration will
                   result in the system being rebooted the next time the
                   program is executed.
                   Origin:  Europe  November, 1991.
       Vienna-645: Similar to the Vienna-B 645 variant, this variant
                   adds 645 bytes to the .COM programs it infects.  It does
                   not trojanize some programs to perform a warm reboot.
                   It contains the text strings "*.COM", "PATH=", and
                   "????????COM".
                   Origin:  Unknown  April, 1992.
       Vienna-648E: Based on the original Vienna virus, this variant
                   adds 648 bytes to the .COM programs it infects.  It
                   alters some .COM files, rather than infecting them, by
                   overwriting the first five bytes with hex 20 characters.
                   The seconds field in the file time will be set to 62 on
                   all trojanized and infected programs.  It contains the
                   text strings "*.COM", "PATH=", and "????????COM".
                   Origin:  Unknown  October, 1992.
       Vienna-656: Vienna-656 is a 656 byte variant of the Vienna virus.
                   When an infected program is executed, it will infect one
                   .COM file in the current directory, as well as accessing
                   the C: drive.  It doesn't infect anything on the C:
                   drive, but may crosslink the C: drive's file allocation
                   table.
                   Origin:  Europe  November, 1991.
       Vienna-712: Vienna-712 is a 712 byte variant of the Vienna
                   virus.  This variant will occasionally trojanize a
                   program instead of infecting it.  When these trojanized
                   programs are executed, a warm system reboot will
                   occur.
                   Origin:  Unknown  April, 1992.
       Vienna-716: Vienna-716 is a 716 byte variant of the Vienna virus.
                   Execution of programs infected with this variant may
                   result in "Divide overflow" errors occurring, or possible
                   system hangs.
                   Origin:  Europe  November, 1991.
       Vienna-726: Vienna-726 is a 726 byte variant of the Vienna virus.
                   Like Vienna, it infects one .COM file in the current
                   directory each time an infected program is executed.
                   Approximately 50% of the time when an infected program
                   is executed, a warm reboot will occur following a long
                   disk access.  The following text strings can be found
                   in infected files:
                   ".COM"
                   "(c) Copyright IBM Corp 1981, 1987 Licensed Material"
                   "- Program Property of IBM"
                   Origin: Europe  November, 1991
       Vienna-726B: Similar to Vienna-726, this variant has six bytes
                    which differ.
                    Origin: Europe  November, 1991
       Vienna-943: Based on the Vienna virus, this variant adds 943
                   bytes to the .COM programs it infects.  Like Vienna, it
                   infects one .COM program each time an infected program
                   is executed, locating the virus at the end of the
                   infected program.  The following text strings can be
                   found in the viral code: "PATH=", "????????COM", and
                   "*.COM".  System hangs frequently occur when infected
                   programs are executed.  The following message may also
                   occasionally be displayed:
                   "Have a NICE day...r is no longer operational due to an
                    outbreak of".
                   Origin:  Unknown  March, 1992.
       Vien6: Similar to Vienna, except that the warm reboot has been
              removed.  Effective length of the virus is still 648 bytes.
              After 7 files have become infected on the current drive, the
              virus will then start infecting .COM files on drive C:.
       Vienna-B: Similar to Vienna, except that instead of a warm reboot,
                 the program being executed will be deleted.
       Vienna-B 645: Similar to the Vienna-B variant, this variant's
                     effective length is 645 bytes.  It does not perform
                     either a warm reboot or delete executed programs.  It
                     does, however, infect COMMAND.COM.
                     Origin: United States
       Vienna-Beta Boys: Received from Sweden in August, 1992, this
              variant of Vienna adds 679 bytes to the .COM programs it
              infects, including COMMAND.COM, and sets the seconds field
              in the file time to 62.  The following text strings can be
              found in all infected programs:
              "-+[BetaBoys]+-"
              "*.COM"
              "PATH="
              "????????COM"
              Beta Boys activates when an infected program is executed in
              February of any year, overwriting the beginning of drives
              C:, D:, and E:.
              Origin:  Sweden  August, 1992
       Vienna-Beta Boys 730: Received from Sweden in October, 1992,
              this variant of Vienna adds 730 bytes to the .COM programs it
              infects, including COMMAND.COM, and sets the seconds field
              in the file time to 62.  The following text strings can be
              found in all infected programs:
              "BetaBoys Present:  Memo v2.0 /MaZ"
              "*.COM"
              "PATH="
              "????????COM"
              Origin:  Sweden  October, 1992
       Vienna-CDM.A: Received from Poland in December, 1992, this
              variant of Vienna adds 642 bytes to the .COM programs it
              infects, including COMMAND.COM, and sets the seconds field
              in the file time to 58.  The following text strings can be
              found in all infected programs:
              "*.COM"
              "PATH="
              "COULD DO MORE ...."
              "????????COM"
              "YOU COULD D"
              Vienna-CDM.A only replicates when the system date is set to
              January 1st through May 5th of any year.  It doesn't appear to
              do anything besides replicate.
              Origin:  Poland  December, 1992
       Vienna-CDM.B: Based on the Vienna-CDM.A variant, this is a minor
              variant.
              Origin:  Poland  December, 1992
       Vienna-CDM.C: Based on the Vienna-CDM.A variant, this is a minor
              variant.
              Origin:  Poland  December, 1992
       Vienna-Nag: Received in August, 1992, Vienna-Nag is a 648
              byte variant of the Vienna virus.  Like the original, it
              adds 648 bytes to the .COM programs it infects, including
              COMMAND.COM.  It also sets the seconds field in the file
              time to 62.  It contains the following text strings:
              "*.COM"
              "PATH="
              "????????COM"
              Origin:  Unknown  August, 1992
       Vienna-Refresh: Received in October, 1992, Vienna-Refresh is a
              648 byte variant of the Vienna virus.  Like the original, it
              adds 648 bytes to the .COM programs it infects, including
              COMMAND.COM.  It sets the seconds field in the file time to
              32.  It contains the following text strings:
              "*.COM"
              "PATH="
              "????????COM"
              Origin:  Unknown  October, 1992
       Vienna-Yam 92: Received in October, 1992, Vienna-Yam 92 adds 849
              bytes to the .COM programs it infects, including COMMAND.COM,
              and sets the seconds field in the file time to 56.  The
              following text strings can be found in all infected programs:
              'Matthew Stolarski - "A Loser in deep trouble...."'
              "Matthew Stolarski is a born loser..."
              "Let's kill him!!!!"
              "YAM '92.  Remember that name."
              "*.COM"
              "PATH="
              "????????COM"
              Origin:  United States  October, 1992
       Wien: Functionally similar to Vienna in all details, this minor
             variant which was discovered in 1990 had been altered to
             avoid detection.
             Origin: Poland

       See:   1260   Arf   Ghostballs   Grither   Lisbon   Mexican Mud
              Parasite   Rattle   Sicilian Mob   TSoft   VHP   VHP2
              Violator   W13   Incom   Viperize

HyperText VSUM Copyright (c) 1990-93 by Patricia M. Hoffman (408)988-3773
                                     Vienna                                    
 
 Virus Name:  Vienna
 Aliases:     Austrian, Unesco, DOS-62, DOS-68, 1-in-8, 648
 V Status:    Common
 Discovered:  April, 1988
 Symptoms:    .COM growth; system reboots; system hangs
 Origin:      Austria
 Eff Length:  648 bytes
 Type Code:   PNCK - Parasitic Non-Resident .COM Infector
 Detection Method:  ViruScan, F-Prot, IBM Scan, VirexPC, AVTK, NAV, Novi,
                    CPAV, Sweep, UTScan, Gobbler2, VBuster, AllSafe, Trend,
                    ViruSafe, Iris, VNet, Panda, VET, Detect+, IBMAV,
                    Vi-Spy, NShld, LProt, CPAV/N, Sweep/N
 Removal Instructions:  CleanUp, F-Prot, VirexPC, NAV, or
                        delete infected files
 General Comments:
       The Vienna virus was first isolated in April, 1988, in Moscow at a
       UNESCO children's computer summer camp.  The Vienna virus is a
       non-resident, direct action infector of .COM programs, including
       COMMAND.COM.

       When a program infected with the Vienna virus is executed, the
       virus will select a .COM program in the current directory which as
       previously not been modified by the virus.  Usually, the Vienna
       virus will infect this file and set the seconds in the file's time
       in the disk directory to 62.  Infected programs will have a file
       length increase of 648 bytes with the virus being located at the
       end of the infected program.

       One out of every six programs which Vienna selects will not be
       actively infected by the virus.  Instead, the first five bytes of
       the selected .COM program will be changed to the hex character
       string "EAF0FF00F0", and the seconds field in the file time will be
       set to 62.  When these programs are later executed, a system warm
       boot may occur.  Since these corrupted programs do not actually
       contain the Vienna virus, and most anti-viral programs cannot
       detect them, systems which have been infected by Vienna will
       continue to experience unexpected reboots until all of the
       corrupted .COM programs have been replaced with clean copies.

       Some programs will hang upon execution after they have been
       infected by the Vienna virus.

       The Vienna virus was written by a high school student in Vienna
       Austria as an experiment.  Its large number of variants, as well as
       other viruses which are in part based on Vienna code, can be
       accounted for as its source code has been published many times.

       Due to the large number of variants, Vienna infections may not
       exhibit exactly the symptoms indicated above.

       Known variant(s) of Vienna are:
       Cracky: Submitted in June, 1992, Cracky is a 546 byte variant of
             the Vienna virus which will only replicate on 8088 based
             systems.  On 286 and higher based systems, execution of an
             infected program will result in a system hang, or the text

HyperText VSUM Copyright (c) 1990-93 by Patricia M. Hoffman (408)988-3773
Vienna (continued...)
 
             "Cracky !" being displayed in the upper left hand corner of
             the screen and a system hang when the next program, command,
             or .BAT file is executed.  On XT based systems, Cracky will
             infect one .COM file each time an infected program is
             executed.  Infected programs will have a file length increase
             of 546 bytes with the virus being located at the end of the
             infected file.  The seconds field in the file time in the
             DOS disk directory entry will have been set to 22, the virus'
             infection marker.  The display of the text "Cracky !" may
             also occur on 286 and higher systems, along with the system
             hang.  The following text strings can be found within the
             viral code in all infected files:
             "Cracky !"
             "*.com"
             Origin:  Unknown  June, 1992
       DOS 625: DOS 625 is a 625 byte variant of the Vienna virus.  It
             contains the text strings "????????COM", "PATH=", and "om OM".
             It is similar in behavior to the original Vienna virus, though
             it does not do anything besides replicate.
             Origin: Unknown  February, 1992
       Dr Q:   Dr Q is a 1,161 byte variant of the Vienna virus.  It
             contains the text string "(C) DOCTOR QUMAK" within the viral
             code in all infected programs.
             Origin: Unknown  November, 1991
       Dr Q-1028:   Dr Q-1028 is a 1,028 byte variant of the Dr Q
             virus described above.  It contains the text string
             "(C) DOCTOR QUMAK" within the viral code in all infected
             programs, as well as the following encrypted text strings:
             "Hello world from my virus !"
             "Infecks"
             "stuff that should be here"
             This variant infects one .COM program in the current directory
             each time an infected program is executed.  Infected programs
             will increase in size by 1,028 bytes and have no change in the
             file's date and time in the DOS disk directory listing.
             Occassionally, execution of an infected program will result
             in the display of the "Hello world from my virus !" message.
             Origin: Unknown  September, 1992
       Genny-648: Genny-648 is a 648 byte variant of the Vienna virus.
             It either infects or trojanizes one .COM program each time
             an infected program is executed.  Infected programs will
             have a file length increase of 648 bytes with the virus
             being located at the end of the infected file.  Trojanized
             programs will be altered so that they reboot the system when
             they are executed, the first five bytes having been altered.
             Like the original Vienna, this variant sets the seconds in
             the file's timestamp to 62 to indicate infection.
             Origin: Unknown  March, 1992
       Kuzmitch: Kuzmitch is a 1,064 byte variant of the Vienna virus.
             It will infect one .COM file in the current directory, but
             not COMMAND.COM, each time an infected program is executed.
             Infected files will have a file length increase of 1,064 -
             1,222 bytes with the virus being located at the end of the
             infected file.  It is unknown if it does anything besides
             replicate.

HyperText VSUM Copyright (c) 1990-93 by Patricia M. Hoffman (408)988-3773
Vienna (continued...)
 
             Origin: Unknown  February, 1992
       New Generation: New Generation is a 1,054 byte variant of the
             Vienna virus.  It will infect one .COM file in the current
             directory, including COMMAND.COM, each time an infected
             program is executed.  Infected files will have a file length
             increase of 1,054 bytes with the virus being located at the
             end of the infected file.  On every 20th generation of the
             virus, it will display the following message on the system
             monitor:
             "         New Generation Virus 1.0 by NET CRASHER,
              a PROUD member in Hyper.  This message appears in a generation
              that is devided by 20. Please don't remove this virus, it
                       was created for research purposes only.
                                                              Get a Life!"
             The above message is encrypted within the viral code, as are
             the following two additional text strings:
             "*.com PATH="
             "?????????COM"
             Infected files will have the seconds field in the file time
             in the DOS disk directory set to 62.
             Origin: Israel  October, 1992
       Twer-1000: Twer-1000 is a 1,000 byte variant of the Vienna virus.
             It will infect one .COM file in the current directory each
             time an infected program is executed.  Infected files will have
             a file length increase of 1,000 bytes with the virus being
             located at the end of the infected file.  The file's date and
             time in the DOS disk directory listing will appear to be
             unaltered, but the seconds field has actually been changed to
             "60".  The following text strings can be found within the
             viral code in all Twer-1000 infected programs:
             "Twer 1991"
             "*.COM"
             "PATH="
             "????????COM"
             Origin: Unknown  December, 1992
       Vienna 822: Vienna 822 is similar to Vienna-B 645 in behavior.
                   This variant will infect .COM programs, including
                   COMMAND.COM, increasing their length by 822 bytes.
                   It does not perform either a warm reboot or delete
                   executed programs.
                   Origin: Europe  May, 1991
       Vienna-415: Vienna-415 is a 415 byte variant of the Vienna
                   virus which infects .COM programs located in the C:
                   drive root directory.  It adds 415 bytes to the .COM
                   programs it infects, including COMMAND.COM.  It sets
                   the seconds in the file's time in the DOS disk directory
                   to 62 to indicate the file is infected.
                   Origin:  Unknown  August, 1992
       Vienna-618: Vienna-618 is a 618 byte variant of the Vienna
                   virus.  It adds 618 bytes to the .COM programs it
                   infects, including COMMAND.COM.  It sets the seconds
                   in the file's time in the DOS disk directory to 62
                   to indicate the file is infected.  Once all the
                   programs in the current directory have become infected,
                   execution of an infected program will result in a

HyperText VSUM Copyright (c) 1990-93 by Patricia M. Hoffman (408)988-3773
Vienna (continued...)
 
                   system hang.
                   Origin:  Unknown  April, 1992
       Vienna-621: Vienna-621 is functionally similar to the Vienna-618
                   virus.  It adds 621 bytes to the .COM programs,
                   including COMMAND.COM, which it infects.  Like
                   Vienna-618, it sets the seconds in the file's time to
                   62 to indicate infection.
                   Origin:  Unknown  April, 1992
       Vienna-634 Reboot: Vienna-634 Reboot is a 634 byte variant of
                   the Vienna virus described above.  It infects one .COM
                   file, including COMMAND.COM, each time an infected
                   program is executed.  Approximately 25% of the time
                   when an infected program is executed, a program will
                   be altered instead of infected.  The alteration will
                   result in the system being rebooted the next time the
                   program is executed.
                   Origin:  Europe  November, 1991.
       Vienna-645: Similar to the Vienna-B 645 variant, this variant
                   adds 645 bytes to the .COM programs it infects.  It does
                   not trojanize some programs to perform a warm reboot.
                   It contains the text strings "*.COM", "PATH=", and
                   "????????COM".
                   Origin:  Unknown  April, 1992.
       Vienna-648E: Based on the original Vienna virus, this variant
                   adds 648 bytes to the .COM programs it infects.  It
                   alters some .COM files, rather then infecting them, by
                   overwriting the first five bytes with hex 20 characters.
                   The seconds field in the file time will be set to 62 on
                   all trojanized and infected programs.  It contains the
                   text strings "*.COM", "PATH=", and "????????COM".
                   Origin:  Unknown  October, 1992.
       Vienna-656: Vienna-656 is a 656 byte variant of the Vienna virus.
                   When an infected program is executed, it will infect one
                   .COM file in the current directory, as well as accessing
                   the C: drive.  It doesn't infect anything on the C:
                   drive, but may crosslink the C: drive's file allocation
                   table.
                   Origin:  Europe  November, 1991.
       Vienna-712: Vienna-712 is a 712 byte variant of the Vienna
                   virus.  This variant will occasionally trojanize a
                   program instead of infecting it.  When these trojanized
                   programs are executed, a warm system reboot will
                   occur.
                   Origin:  Unknown  April, 1992.
       Vienna-716: Vienna-716 is a 716 byte variant of the Vienna virus.
                   Execution of programs infected with this variant may
                   result in "Divide overflow" errors occurring, or possible
                   system hangs.
                   Origin:  Europe  November, 1991.
       Vienna-726: Vienna-726 is a 726 byte variant of the Vienna virus.
                   Like Vienna, it infects one .COM file in the current
                   directory each time an infected program is executed.
                   Approximately 50% of the time when an infected program
                   is executed, a warm reboot will occur following a long
                   disk access.  The following text strings can be found
                   in infected files:
                   ".COM"
                   "(c) Copyright IBM Corp 1981, 1987 Licensed Material"
                   "- Program Property of IBM"
                   Origin: Europe  November, 1991
       Vienna-726B: Similar to Vienna-726, this variant has six bytes
                    which differ.
                    Origin: Europe  November, 1991
       Vienna-943: Based on the Vienna virus, this variant adds 943
                   bytes to the .COM programs it infects.  Like Vienna, it
                   infects one .COM program each time an infected program
                   is executed, locating the virus at the end of the
                   infected program.  The following text strings can be
                   found in the viral code: "PATH=", "????????COM", and
                   "*.COM".  System hangs frequently occur when infected
                   programs are executed.  The following message may also
                   be occasionally displayed:
                   "Have a NICE day...r is no longer operational due to an
                    outbreak of".
                   Origin:  Unknown  March, 1992.
       Vien6: Similar to Vienna, except that the warm reboot has been
              removed.  Effective length of the virus is still 648 bytes.
              After 7 files have become infected on the current drive, the
              virus will then start infecting .COM files on drive C:.
       Vienna-B: Similar to Vienna, except that instead of a warm reboot,
                 the program being executed will be deleted.
       Vienna-B 645: Similar to the Vienna-B variant, this variant's
                     effective length is 645 bytes.  It does not perform
                     either a warm reboot or delete executed programs.  It
                     does, however, infect COMMAND.COM.
                     Origin: United States
       Vienna-Beta Boys: Received from Sweden in August, 1992, this
              variant of Vienna adds 679 bytes to the .COM programs it
              infects, including COMMAND.COM, and sets the seconds field
              in the file time to 62.  The following text strings can be
              found in all infected programs:
              "-+[BetaBoys]+-"
              "*.COM"
              "PATH="
              "????????COM"
              Beta Boys activates when an infected program is executed in
              February of any year, overwriting the beginning of drives
              C:, D:, and E:.
              Origin:  Sweden  August, 1992
       Vienna-Beta Boys 730: Received from Sweden in October, 1992,
              this variant of Vienna adds 730 bytes to the .COM programs it
              infects, including COMMAND.COM, and sets the seconds field
              in the file time to 62.  The following text strings can be
              found in all infected programs:
              "BetaBoys Present:  Memo v2.0 /MaZ"
              "*.COM"
              "PATH="
              "????????COM"
              Origin:  Sweden  October, 1992
       Vienna-CDM.A: Received from Poland in December, 1992, this
              variant of Vienna adds 642 bytes to the .COM programs it
              infects, including COMMAND.COM, and sets the seconds field
              in the file time to 58.  The following text strings can be
              found in all infected programs:
              "*.COM"
              "PATH="
              "COULD DO MORE ...."
              "????????COM"
              "YOU COULD D"
              Vienna-CDM.A only replicates when the system date is set to
              January 1st thru May 5th of any year.  It doesn't appear to
              do anything besides replicate.
              Origin:  Poland  December, 1992
       Vienna-CDM.B: Based on the Vienna-CDM.A variant, this is a minor
              variant.
              Origin:  Poland  December, 1992
       Vienna-CDM.C: Based on the Vienna-CDM.A variant, this is a minor
              variant.
              Origin:  Poland  December, 1992
       Vienna-Nag: Received in August, 1992, Vienna-Nag is a 648
              byte variant of the Vienna virus.  Like the original, it
              adds 648 bytes to the .COM programs it infects, including
              COMMAND.COM.  It also sets the seconds field in the file
              time to 62.  It contains the following text strings:
              "*.COM"
              "PATH="
              "????????COM"
              Origin:  Unknown  August, 1992
       Vienna-Refresh: Received in October, 1992, Vienna-Refresh is a
              648 byte variant of the Vienna virus.  Like the original, it
              adds 648 bytes to the .COM programs it infects, including
              COMMAND.COM.  It sets the seconds field in the file time to
              32.  It contains the following text strings:
              "*.COM"
              "PATH="
              "????????COM"
              Origin:  Unknown  October, 1992
       Vienna-Yam 92: Received in October, 1992, Vienna-Yam 92 adds 849
              bytes to the .COM programs it infects, including COMMAND.COM,
              and sets the seconds field in the file time to 56.  The
              following text strings can be found in all infected programs:
              'Matthew Stolarski - "A Loser in deep trouble...."'
              "Matthew Stolarski is a born loser..."
              "Let's kill him!!!!"
              "YAM '92.  Remember that name."
              "*.COM"
              "PATH="
              "????????COM"
              Origin:  United States  October, 1992
       Wien: Functionally similar to Vienna in all details, this minor
             variant which was discovered in 1990 had been altered to
             avoid detection.
             Origin: Poland

       See:   1260   Arf   Ghostballs   Grither   Lisbon   Mexican Mud
              Parasite   Rattle   Sicilian Mob   TSoft   VHP   VHP2
              Violator   W13   Incom   Viperize

HyperText VSUM Copyright (c) 1990-93 by Patricia M. Hoffman (408)988-3773
                                      1008                                     
 
 Virus Name:  1008
 Aliases:     Suomi, Oulu
 V Status:    Rare
 Discovery:   June, 1990
 Symptoms:    COMMAND.COM growth; internal stack errors; system halt on
              boot
 Origin:      Helsinki, Finland
 Eff Length:  1,008 Bytes
 Type Code:   PRCK - Parasitic Resident COM Infector
 Detection Method:  ViruScan, F-Prot, NAV, IBM Scan, AVTK, Novi, Sweep,
                    VirexPC, CPAV, Gobbler2, VBuster, AllSafe, ViruSafe,
                    UTScan, Trend, Iris, VNet, Panda, Detect+, IBMAV,
                    Vi-Spy, NShld, LProt, CPAV/N, Sweep/N
 Removal Instructions:  F-Prot, NAV, or delete infected files

 General Comments:
       The 1008 virus was discovered in June, 1990 by Petteri Jarvinen of
       Helsinki, Finland.  It is a memory resident .COM infector, and will
       infect COMMAND.COM.  This virus is also sometimes referred to as
       the Suomi virus.

       The first time a program infected with the 1008 virus is executed,
       the virus will install itself memory resident.  COMMAND.COM is also
       infected at this time, resulting in its length increasing by 1,008
       Bytes.  The increase in file size of COMMAND.COM cannot be seen by
       doing a directory listing if the virus is present in memory.

       Booting a system with an infected copy of COMMAND.COM may result
       in an internal stack error, and the system being halted.  This
       effect was noted on the author's test machine which is a 640K
       XT-clone running Microsoft MS-DOS Version 3.30.

       After the virus is memory resident, it will infect any .COM file
       which is executed, adding 1,008 bytes to the file length.  The file
       length increase cannot be seen by doing a directory listing if the
       virus is present in memory.

HyperText VSUM Copyright (c) 1990-93 by Patricia M. Hoffman (408)988-3773
                                   Fellowship                                  
 
 Virus Name:  Fellowship
 Aliases:     1022, Better World, Fellow
 V Status:    Rare
 Discovered:  July, 1990
 Isolated:    Australia
 Symptoms:    TSR; .COM & .EXE file growth
 Origin:      Malaysia
 Eff Length:  1,019 - 1,027 Bytes
 Type Code:   PRsE - Parasitic Resident .EXE Infector
 Detection Method:  ViruScan, F-Prot, NAV, IBM Scan, AVTK, Novi, Sweep,
                    CPAV, UTScan, VirexPC, Gobbler2, VBuster, AllSafe,
                    ViruSafe, UTScan, Trend, Iris, VNet, Panda, VET,
                    Detect+, IBMAV, DrVirus, Vi-Spy,
                    NShld, LProt, CPAV/N, Sweep/N
 Removal Instructions:  CleanUp, F-Prot, NAV, or delete infected files

 General Comments:
       The Fellowship or 1022 virus was isolated in Australia in July 1990.
       Fellowship is a memory resident generic infector of .EXE files.  It
       does not infect .COM or overlay files.

       The first time a program infected with the Fellowship virus is
       executed, the virus will install itself memory resident as a 2,048
       byte TSR in low system memory.  Available free memory will be
       decreased by a corresponding 2,048 bytes.  Interrupt 21 will also
       now be controlled by the virus.

       After the virus is memory resident, the virus will infect .EXE files
       when they are executed.  Infected .EXE files will increase in size
       by between 1,019 and 1,027 bytes.  The virus's code will be located
       at the end of infected files.

       Infected files will contain the following text strings very close to
       the end of the file:

             "This message is dedicated to
              all fellow PC users on Earth
              Toward A Better Tomorrow
              And A Better Place To Live In"

             "03/03/90 KV KL MAL"

       This virus is believed to have originated in Kuala Lumpur, Malaysia.

       Known variant(s) of Fellowship are:
       Fellowship-B: Based on the Fellowship virus described above,
               this variant adds 1,019 to 1,034 bytes to the .EXE files
               it infects.  The virus will be located at the end of the
               program, and the file's date and time in the DOS disk
               directory listing will have been updated to the current
               system date and time when infection occurred.  The text
               strings found in the original virus also occur in this
               variant.
               Origin:  Malaysia  December, 1992.


HyperText VSUM Copyright (c) 1990-93 by Patricia M. Hoffman (408)988-3773
                                      1575                                     
 
 Virus Name:  1575
 Aliases:     1577, 1591, Green Caterpillar
 V Status:    Common
 Discovery:   January, 1991
 Symptoms:    .COM & .EXE growth; decrease in total system & available
              memory; sluggishness of DIR commands; file date/time changes,
              "green caterpillar" appears on display
 Origin:      Taiwan
 Isolated:    Ontario, Canada
 Eff Length:  1,575 Bytes
 Type Code:   PRfAk - Parasitic Resident .COM & .EXE Infector
 Detection Method:  ViruScan, IBM Scan, AVTK, F-Prot, NAV, CPAV, Novi, Iris,
                    Sweep, UTScan, VirexPC, Gobbler2, VBuster, AllSafe, VET,
                    ViruSafe, Trend, VNet, Panda, Detect+, IBMAV, DrVirus,
                    Vi-Spy, LProt, CPAV/N, Sweep/N
 Removal Instructions:  CleanUp, or delete infected files

 General Comments:
       The 1575 virus was first isolated in Ontario, Canada, in January,
       1991. This virus has been widely reported, and is believed to be
       from the Far East, probably Taiwan.  It is a memory resident
       infector of .COM and .EXE files, and will infect COMMAND.COM.

       When the first program infected with the 1575 virus is executed, the
       virus will install itself memory resident in 1,760 to 1,840 bytes at
       the top of system memory, but below the 640K DOS boundary.  This
       memory is not reserved, and may be overwritten later by another
       program.  Interrupt 21 will be hooked by the virus.  COMMAND.COM on
       the system C: drive root directory will also be infected at this
       time.

       Once the 1575 virus is memory resident, it will infect one .COM and
       one .EXE program on the current drive whenever a DOS DIR or COPY
       command is executed.  This virus does not spread when programs are
       executed.

       Infected files will have their file date and time in the DOS
       directory updated to the system date and time when the infection
       occurred. Their file lengths will also show an increase of between
       1,577 and 1,591 bytes.  This virus will be located at the end of
       infected files.

       Some variants of this virus will have a green caterpillar appear on
       the system display, similar to the original Centipede game creature.

       Known variant(s) of 1575 are:
       1575-B: This variant is functionally similar to the 1575 virus
               described above.  The major difference is that this variant
               reserves the memory it occupies at the top of system memory,
               though the interrupt 12 return is not moved.
       1575-C: Similar to the 1575-B, this variant will infect files as
               they are executed in addition to when a DOS DIR or COPY
               command is issued.  System may hang when this variant
               infects COMMAND.COM.
       1575-D: Execution of an infected program will result in the C:
               drive COMMAND.COM program becoming infected.  Later booting
               the system from the C: drive will result in the virus
               becoming memory resident, with programs being infected when
               they are copied (both source and target), or when a DIR
               command is issued.  This variant is also known as Green
               Caterpillar due to the graphic caterpillar which sometimes
               will appear and eat all the characters from the system
               display.
       1575-E: Execution of an infected program will result in the C:
               drive COMMAND.COM program becoming infected.  The virus will
               then become memory resident the next time an infected program
               is executed.  Its size at the top of system memory but below
               the 640K DOS boundary is 1,840 bytes, hooking interrupt 21.
               1575-E infects .COM and .EXE programs when a DOS DIR command
               is executed, or a program is executed.  Infected programs
               increase in size by 1,575 - 1,591 bytes with the virus being
               located at the end of the file.  The file's date and time in
               the DOS disk directory listing will have been updated to the
               system date and time when infection occurred.  This variant
               has been altered to avoid detection by some anti-viral
               programs.
               Origin:  Australia  October, 1992.

HyperText VSUM Copyright (c) 1990-93 by Patricia M. Hoffman (408)988-3773
                                   Skism 1992                                  
 
 Virus Name:  Skism 1992
 Aliases:     1992B
 V Status:    Viron
 Discovered:  January, 1992
 Symptoms:    .EXE program corruption
 Origin:      United States
 Eff Length:  1,992 Bytes
 Type Code:   ONE - Overwriting Non-Resident .EXE Infector
 Detection Method:  ViruScan, CPAV, Trend, Iris, Panda, Novi 1.15a+, IBMAV,
                    Detect+, AVTK 6.00+, Sweep 2.43a+, UTScan 25.10+,
                    F-Prot 2.07+, NShld, LProt, CPAV/N, Sweep/N
 Removal Instructions:  Delete infected files

 General Comments:
       The Skism 1992 virus was isolated in the United States in January,
       1992.  This virus is a non-resident overwriting virus which infects
       .EXE programs.

       When a program infected with Skism 1992 is executed, this virus
       will look for an uninfected .EXE program to infect in the second
       subdirectory from the current drive's root directory.  If an
       uninfected .EXE program is not found, the virus will continue
       reading down through the drive's directory structure looking for
       an uninfected .EXE program.  Once an uninfected .EXE program is
       located, Skism 1992 will infect it, overwriting the first 1,992
       bytes of the host file.  There will be no change to the file's
       length unless it was originally smaller than 1,992 bytes, in
       which case it will become 1,992 bytes in length.  The file's
       date and time will not be altered.

       Once Skism 1992 has completed infecting a file, it will return
       the user to the DOS prompt.  The program the user was attempting
       to execute will not function.

       Skism 1992 contains the following text strings which are encrypted
       within the viral code:

               "The man who brought you"
               "622, Skism One, Captain"
               "Trips, and Sub-Zero now"
               "shanks you again,  with"
               "his latest..."
               "Skism 1992 - Virus"
               "Get a late pass!"
               "* *.EXE"
               "????????EXE"

       It is unknown if Skism 1992 does anything besides replicate,
       corrupting the files it infects.

       Known variant(s) of Skism 1992 are:
       Skism 1992-B: Functionally equivalent to the original virus,
                     this variant's encryption has been slightly
                     modified.
                     Origin:  United States  April, 1992.
       Skism-808: Based on the Skism 1992 virus, this virus infects
                  one .EXE file in the current directory when an infected
                  program is executed only if more than two subdirectories
                  are present on the current drive.  Infected files will
                  have the first 808 bytes overwritten.  The viral code
                  contains the following encrypted text strings which are
                  not visible in infected files:
                  "Skism Rythem Stack Virus-808."
                  "Smart Kids Into Sick Methods"
                  "Dont alter this code into your own strain, faggit."
                  "HR/SSS NYCity, this is the fifth of many, many more...."
                  "You sissys....."
                  "* *.EXE *.*"
                  "????????EXE"
                  On the last Friday of any month, the virus will attempt
                  to destroy all files in the current directory.
                  Origin:  United States  May, 1992.

HyperText VSUM Copyright (c) 1990-93 by Patricia M. Hoffman (408)988-3773
                                      2623                                     
 
 Virus Name:  2623
 Aliases:   
 V Status:    Rare
 Discovery:   May, 1992
 Symptoms:    .EXE file growth; decrease in total system & available free
              memory
 Origin:      Unknown
 Eff Length:  2,623 - 2,633 Bytes
 Type Code:   PRhE - Parasitic Resident .EXE Infector
 Detection Method:  ViruScan, F-Prot, Novi 1.15a+, Sweep, AVTK 6.00+,
                    IBMAV, NShld, Sweep/N
 Removal Instructions:  Delete infected files

 General Comments:
       The 2623 virus was received in May, 1992.  Its origin and point of
       isolation are unknown.  The 2623 virus is a memory resident infector
       of .EXE programs.

       The first time a program infected with the 2623 virus is executed,
       this virus will install itself memory resident at the top of system
       memory but below the 640K DOS boundary.  Total system and available
       free memory, as indicated by the DOS CHKDSK program, will have
       decreased by 2,864 bytes.  Interrupts 21, 22, and 2F will be hooked
       by the virus.  Interrupt 12's return will not have been moved.  Also
       at this time, the 2623 virus will infect a randomly selected .EXE
       program located in the current directory.

       Once the 2623 virus is memory resident, it will intermittently
       infect one .EXE program located in the current directory when any
       program is executed.  Programs infected with the 2623 virus will
       have a file length increase of 2,623 to 2,633 bytes with the virus
       being located at the end of the infected file.  The program's
       date and time in the DOS disk directory listing will not have been
       altered.  There are no text strings visible within the viral code
       in 2623 infected programs.

       It is unknown what the 2623 virus does besides replicate.

HyperText VSUM Copyright (c) 1990-93 by Patricia M. Hoffman (408)988-3773
                                   Traceback                                   
 
 Virus Name:  Traceback
 Aliases:     3066, TB
 V Status:    Extinct
 Discovered:  October, 1988
 Symptoms:    .COM & .EXE growth; TSR; graphic display 1 hour after boot
 Origin:
 Eff Length:  3,066 bytes
 Type Code:   PRsA - Parasitic Resident .COM & .EXE Infector
 Detection Method:  ViruScan, F-Prot, IBM Scan, VirexPC, AVTK, NAV, Novi,
                    CPAV, Sweep, UTScan, Gobbler2, VBuster, AllSafe, IBMAV,
                    ViruSafe, Trend, Iris, VNet, Panda, VET, Detect+,
                    DrVirus, Vi-Spy, NShld, LProt, CPAV/N, Sweep/N
 Removal Instructions:  F-Prot, VirexPC, NAV, CleanUp, or delete infected
                        files
 General Comments:
       The Traceback virus infects both .COM and .EXE files, adding 3,066
       bytes to the length of the file.  After an infected program is
       executed, it will install itself memory resident and infect other
       programs that are opened.  Additionally, if the system date is
       after December 5, 1988, it will attempt to infect one additional
       .COM or .EXE file in the current directory.  If an uninfected file
       doesn't exist in the current directory, it will search the entire
       disk, starting at the root directory, looking for a candidate.
       This search process terminates if it encounters an infected file
       before finding a candidate non-infected file.

       This virus derives its name from two characteristics.  First,
       infected files contain the directory path of the file causing the
       infection within the viral code, thus it is possible to "trace
       back" the infection through a number of files.  Second, when it
       succeeds in infecting another file, the virus will attempt to access
       the on-disk copy of the program that the copy of the virus in
       memory was loaded from so that it can update a counter in the
       virus.  The virus takes over disk error handling while trying to
       update the original infected program, so if it can't infect it, the
       user will be unaware that an error occurred.

       The primary symptom of the Traceback virus having infected the
       system is that if the system date is after December 28, 1988, the
       memory resident virus will produce a screen display with a
       cascading effect similar to the Cascade (1701/1704) virus.  The
       cascading display occurs one hour after system memory is infected.
       If a keystroke is entered from the keyboard during this display,
       a system lockup will occur.  After one minute, the display will
       restore itself, with the characters returning to their original
       positions.  This cascade and restore display are repeated by the
       virus at one hour intervals.

       Known variant(s) of Traceback are:
       Traceback-B: Similar to the Traceback virus, the major differences
                    are that Traceback-B will infect COMMAND.COM and there
                    is no cascading display effect after the virus has
                    been resident for one hour.  Infected files will
                    also not contain the name of the file from which the
                    virus originally became memory resident, but instead
                    the name of the current file.  A text string:
                    "MICRODIC MSG" can be found in files infected with
                    Traceback-B.  If the system is booted from a diskette
                    whose copy of COMMAND.COM is infected, attempting to
                    execute any program will result in a memory allocation
                    error and the system being halted.
                    Origin: Spain, March 1990.
       Traceback-B2: Similar to Traceback-B, this variant has the
                     cascading display effect after the virus has been
                     resident in memory for one (1) hour.  The text string
                     " XPO DAD    " replaces the "MICRODIS MSG" text
                     string in Traceback-B.
                     Origin: Spain, May 1990.

       See:   Spanish   Traceback 3029   Traceback II

HyperText VSUM Copyright (c) 1990-93 by Patricia M. Hoffman (408)988-3773
                                  Darth Vader                                  
 
 Virus Name:  Darth Vader
 Aliases:     Darth-1, Darth-2, Darth-3, Darth-4, Darth-5
 V Status:    Research
 Discovery:   May, 1991
 Symptoms:    .COM programs corruption
 Origin:      Bulgaria
 Eff Length:  200 - 345 Bytes
 Type Code:   ORCK - Overwriting Resident .COM Infector
 Detection Method:  ViruScan, AVTK, F-Prot, Novi, Sweep, UTScan, CPAV, VNet,
                    VirexPC, Gobbler2, VBuster, AllSafe, ViruSafe, Trend,
                    NAV 2.1+, Panda, VET, Detect+, IBMAV, Vi-Spy,
                    NShld, LProt, CPAV/N, Sweep/N
 Removal Instructions:  Delete infected files

 General Comments:
       The Darth Vader viruses were received in May, 1991 from Bulgaria.
       Darth Vader is actually a family of four viruses which are very
       similar.  All of these viruses are memory resident overwriting
       viruses which only infect .COM programs when they are copied.

       When a program infected with a Darth Vader virus is executed,
       Darth Vader will install itself memory resident.  Later, as .COM
       programs are copied, the target .COM program may become infected.
       Depending on the particular Darth Vader virus, the target program
       may have either the beginning of the program overwritten, or an
       area of hex 00 characters overwritten by the virus.  There will be
       no increase in file size in the disk directory, and the program's
       date and time will not be altered.

       Darth Vader viruses do not perform any malicious damage, though
       infected programs are usually damaged and will not execute
       properly.

       Known variant(s) of Darth Vader are:
       Darth-1: The first Darth Vader virus submitted, Darth-1 is
                270 bytes in length.  It overwrites the first 270 bytes
                of .COM files when they are copied with the virus
                memory resident.  Darth-1 will not infect COMMAND.COM.
                The following text string can be found in the first 270
                bytes of infected programs: "COMMCOMDarth Vad".
       Darth-2: Darth-2 is a 345 byte variant of Darth-1.  Unlike
                Darth-1, it overwrites 345 bytes of hex 00 characters
                in copied .COM programs.  Infected programs will contain
                the text string: "COMDarth Vader".  Darth-2 and later
                variants will infect COMMAND.COM.
       Darth-3: Darth-3 is similar to Darth-2, but it is 255 bytes in
                length.  When Darth-3 infects programs, it overwrites 255
                bytes of hex 00 characters.  Infected programs will contain
                the text string: "Darth Vader".
       Darth-4: Darth-4 is a shorter version of Darth-4, it is 200
                bytes in length and does not contain any text strings.
       Darth-5: Darth-5 is very similar to Darth-4.  Like Darth-4, it
                is 200 bytes in length and does not contain any text
                strings.  Darth-5 only infects .COM files when they are
                copied if the original file contained at least 200
                bytes of hex 00 characters.

HyperText VSUM Copyright (c) 1990-93 by Patricia M. Hoffman (408)988-3773
                                  Seventh Son                                  
 
 Virus Name:  Seventh Son
 Aliases:     7th Son, Seventh Son-284, Seventh Son-350
 V Status:    Rare
 Discovered:  October, 1991
 Isolated:    The Netherlands
 Symptoms:    .COM file growth
 Origin:      Eastern Europe
 Eff Length:  284 or 350 Bytes, depending on variant
 Type Code:   PNCK - Parasitic Non-Resident .COM Infector
 Detection Method:  ViruScan, VirexPC, CPAV, Novi, IBM Scan, Sweep,
                    F-Prot, VBuster, Iris, VNet, Panda, UTScan, VET, IBMAV,
                    Vi-Spy, NShld, CPAV/N, Sweep/N
 Removal Instructions:  Delete infected files

 General Comments:
       The Seventh Son virus is actually two viruses with similar
       behavior, which were isolated in the Netherlands in October, 1991.
       They are believed to have actually originated in Eastern Europe.
       The Seventh Son viruses are direct action infectors of .COM
       programs, including COMMAND.COM.

       When a program infected with a Seventh Son virus is executed, the
       Seventh Son virus will search the current drive and directory for
       uninfected .COM files to infect.  Each uninfected .COM file
       encountered will be infected with the virus.  Infected .COM
       programs will increase in size by either 284 or 350 bytes, depending
       on which of the Seventh Son viruses has infected the system.
       There will be no change in the file's date and time in the DOS
       disk directory.  The following text strings can be found within
       infected programs:

               "Seventh son of a seventh son"
               "*.COM"

       Seventh Son does not appear to do anything besides replicate.

       Known variant(s) of Seventh Son are:    
       Seventh Son-284: Seventh Son-284 is a 284 byte version of this
                        virus.
       Seventh Son-332: Seventh Son-332 is a 332 byte virus based on
                        the Seventh Son virus.  It infects all .COM programs
                        in the current directory when an infected program is
                        executed.  Infected programs will have a file length
                        increase of 332 bytes with the virus being located
                        at the end of the file.  The program's date and time
                        in the DOS disk directory listing will not be
                        altered.  The text strings found in the original
                        Seventh Son viruses are also found in this variant.
                        Origin:  The Netherlands  December, 1992.
       Seventh Son-350: Seventh Son-350 is a 350 byte version of this
                        virus.
       Seventh Son-Kernel: Seventh Son-Kernel, or Kernel, is a 610
                        byte virus based on the Seventh Son virus.  This
                        virus becomes memory resident at the top of system
                        memory but below the 640K DOS boundary when the
                        first infected program is executed, decreasing
                        total system and available free memory by 8,448
                        bytes.  It hooks interrupt 21.  Once resident, it
                        will infect .COM programs when they are executed.
                        Infected programs will have a file length
                        increase of 610 to 624 bytes with the virus
                        being located at the end of the file.  There will
                        be no change to the file's date and time in the
                        DOS disk directory listing.  One text string can
                        be found within the viral code in all infected
                        files:
                        "KERNEL"
                        Origin:  Unknown  July, 1992.


                                      981
 
 Virus Name:  981
 Aliases:     Joe's Demise
 V Status:    Rare
 Discovery:   May, 1992
 Symptoms:    .COM & .EXE file growth; decrease in total system and
              available free memory
 Origin:      Unknown
 Eff Length:  981 - 1,932 Bytes
 Type Code:   PRhA - Parasitic Resident .COM & .EXE Infector
 Detection Method:  ViruScan, AVTK, Sweep, VBuster, VNet, VET, Panda,
                    F-Prot, UTScan, Novi 1.15a+, CPAV 1.4+, IBMAV, Vi-Spy,
                    NShld, Sweep/N, LProt 1.53S+
 Removal Instructions:  Delete infected files

 General Comments:
       The 981 virus was discovered in the United States in May, 1992.  Its
       origin is unknown.  This virus is a memory resident infector of
       .COM and .EXE files, but not COMMAND.COM.

       When the first 981 infected program is executed, the 981 virus will
       install itself memory resident at the top of system memory but
       below the 640K DOS boundary.  Interrupt 12's return will not be
       moved.  Total system and available free memory, as indicated by the
       DOS CHKDSK program, will have decreased by 1,952 bytes.  Interrupts
       21 and 22 will be hooked by the virus in memory.

       Once memory resident, the 981 virus will infect .COM and .EXE
       programs when they are executed or opened for any reason.  .COM
       files increase in size by 981 bytes, though if the file was
       originally smaller than 981 bytes, they will become 1,934 bytes in
       length.  .EXE files increase in size by 1,015 to 1,025 bytes.  In
       both cases the virus will be located at the end of the program.
       This virus will sometimes reinfect previously infected programs,
       adding an additional 981 bytes to the file.  The infected program's
       date and time in the DOS disk directory listing will not be
       altered.

       One text string can be found in all 981 infected programs:

               "This program requires MS-DOS 3.00 or later"

       It is unknown what the 981 virus may do besides replicate.

       Known variant(s) of 981 are:
       Joe's Demise: Functionally similar to the original virus, this
                     variant has 11 bytes which differ.
                     Origin:  Unknown  June, 1992.


                                  African 109
 
 Virus Name:  African 109
 Aliases:     109
 V Status:    Rare
 Discovery:   January, 1992
 Symptoms:    .COM file growth; file date/time change
 Origin:      Republic of South Africa
 Eff Length:  109 Bytes
 Type Code:   PNCK - Parasitic Non-Resident .COM Infector
 Detection Method:  ViruScan, Novi, F-Prot, Sweep, Trend, AVTK, VNet, Iris,
                    CPAV, NAV 2.1+, VBuster, Panda, UTScan, VET, IBMAV,
                    Vi-Spy, NShld, LProt, CPAV/N, Sweep/N
 Removal Instructions:  Delete infected files

 General Comments:
       The African 109 virus was isolated in January, 1992 in the
       Republic of South Africa by Oliver Steudler and Peter Stoffberg
       of the Virus Resource Centre.  African 109 is a non-resident,
       direct action infector of .COM files, including COMMAND.COM.

       When a program infected with African 109 is executed, the African
       109 virus will infect all previously uninfected .COM files in the
       current directory.  If COMMAND.COM happens to be in this directory,
       it will be infected as well.

       Programs infected with African 109 will have a file length increase
       of 109 bytes.  The virus will be located at the beginning of the
       infected file.  The file's date and time in the DOS disk directory
       will have been updated to the current system date and time when
       infection occurred.  One text string can be found in the viral code
       in infected files:

               "*.COM"

       African 109 doesn't do anything besides replicate.


                                    AIDS II
 
 Virus Name:  AIDS II
 Aliases:     Companion Virus
 V Status:    Endangered
 Discovery:   April, 1990
 Symptoms:    Creates .COM files; melody; message
 Origin:    
 Eff Length:  8,064 Bytes
 Type Code:   SNA - Spawning Non-Resident .COM & .EXE Infector
 Detection Method:  ViruScan, NAV, F-Prot, AVTK, CPAV, Sweep, UTScan,
                    VBuster, VirexPC, AllSafe, ViruSafe, IBM Scan, Trend,
                    VNet, Panda, VET, Detect+, IBMAV, Vi-Spy,
                    NShld, LProt, CPAV/N, Sweep/N
 Removal Instructions:  Delete corresponding .COM files

 General Comments:
       The AIDS II virus, or Companion virus, was isolated for the first
       time in April 1990.  Unlike other generic file infectors, the AIDS
       II virus is the first known virus to employ what could be called a
       "corresponding file technique" of infection so that the original
       target .EXE file is never changed.  The virus takes advantage of the
       DOS feature where if a program exists in both .COM and .EXE form,
       the .COM file will be executed.

       The AIDS II virus does not actually infect .EXE files, instead it
       stores a copy of the virus in a corresponding .COM file which will
       be executed when the user tries to execute one of his .EXE files.
       The .EXE file and the .COM file will both have the same base file
       name.

       The method of infection is as follows:  when an "infected" program
       is executed, since a corresponding .COM file exists, the .COM file
       containing the viral code is executed.  The virus first locates an
       uninfected .EXE file in the current directory and creates a
       corresponding (or companion) .COM file with the viral code.  These
       .COM files will always be 8,064 Bytes in length with a file
       date/time of the date/time of infection.  The .EXE file is not
       altered at all.  After creating the new .COM file, the virus then
       plays a melody and displays the following message:

                 "Your computer is infected with ...

                            Aids Virus II 

                  - Signed WOP & PGT of DutchCrack -"

       The AIDS II virus then spawns the .EXE file that the user was
       attempting to execute, and the program runs without problem.  After
       completion of the program, control returns to the AIDS II virus.  The
       melody is played again with the following message displayed:

                        "Getting used to me?

                    Next time, use a Condom ....."

       Since the original .EXE file remains unaltered, CRC checking
       programs cannot detect this virus having infected a system.

       One way to manually remove the AIDS II virus is to check the disk
       for programs which have both an .EXE and a .COM file, with the .COM
       file having a length of 8,064 bytes.  The .COM files thus identified
       should be erased.
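
       The manual check described above can be scripted.  The Python below
       is an added example, not part of the original VSUM entry; it also
       goes beyond the entry by listing same-name .COM/.EXE pairs of any
       length, flagging those that match 8,064 bytes.  The function names
       and the sample file tree are constructed for illustration.

```python
"""Find companion .COM files next to .EXE programs (AIDS II manual check)."""
import os
import tempfile

AIDS_II_COM_LENGTH = 8064  # companion .COM length stated in the entry


def find_companions(root, suspect_length=AIDS_II_COM_LENGTH):
    """Return a sorted list of (com_path, exe_path, size, matches_length).

    A pair is reported whenever a directory holds NAME.COM and NAME.EXE,
    because DOS runs the .COM first.  matches_length is True when the
    .COM is exactly suspect_length bytes, the AIDS II indicator.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        # DOS names are case-insensitive: index by upper-cased base name.
        by_ext = {".COM": {}, ".EXE": {}}
        for name in files:
            base, ext = os.path.splitext(name)
            ext = ext.upper()
            if ext in by_ext:
                by_ext[ext][base.upper()] = os.path.join(dirpath, name)
        for base, com_path in by_ext[".COM"].items():
            exe_path = by_ext[".EXE"].get(base)
            if exe_path is None:
                continue  # a lone .COM is not a companion
            size = os.path.getsize(com_path)
            findings.append((com_path, exe_path, size, size == suspect_length))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample data: zero-filled files, no viral code."""
    layout = {
        "GAMES/CHESS.EXE": 20000,
        "GAMES/CHESS.COM": 8064,   # same base name, suspect length
        "GAMES/EDIT.COM": 8064,    # suspect length but no matching .EXE
        "UTIL/Format.exe": 15000,
        "UTIL/FORMAT.COM": 4096,   # same-name pair with a different length
    }
    for rel, size in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\x00" * size)


def demo():
    """Scan the constructed tree; return (relative .COM path, flagged)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return [
            (os.path.relpath(com, root).replace(os.sep, "/"), flagged)
            for com, _exe, _size, flagged in find_companions(root)
        ]


if __name__ == "__main__":
    for rel, flagged in demo():
        print(("SUSPECT  " if flagged else "pair     ") + rel)
```

       Pairs that are listed but not flagged still deserve a look, since
       the .COM file in such a pair is the one DOS will run.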

       The displayed text strings do not appear in the viral code.


                                     AirCop
 
 Virus Name:  AirCop
 Aliases:
 V Status:    Common
 Discovery:   July, 1990
 Isolated:    Washington, United States
 Symptoms:    BSC; system halt; message; decrease in system and free
              memory
 Origin:      Taiwan
 Eff Length:  N/A
 Type Code:   FR - Resident Floppy Boot Sector Infector
 Detection Method:  ViruScan, IBM Scan, VirexPC, F-Prot, NAV, Novi, Sweep,
                    CPAV, AVTK, UTScan, Gobbler2, VBuster, AllSafe, IBMAV,
                    ViruSafe, Trend, Iris, VNet, Panda, VET, Detect+,
                    DrVirus, Vi-Spy
 Removal Instructions:  CleanUp, MDisk, or DOS SYS command

 General Comments:
       The AirCop virus was discovered in the State of Washington in the
       United States in July, 1990.  Some early infections of this virus,
       however, have been traced back to Taiwan, and Taiwan is probably
       where it originated.  AirCop is a boot sector infector, and it will
       only infect 360K 5.25" floppy diskettes.

       When a system is booted from a diskette which is infected with the
       AirCop virus, the virus will install itself memory resident at the
       top of high system memory.  The system memory size and available
       free memory will decrease by 1,024 bytes when the AirCop virus is
       memory resident.  AirCop hooks interrupt 13.

       Once AirCop is memory resident, any non-write protected diskettes
       which are then accessed will have their boot sector infected with
       the AirCop virus.  AirCop will copy the original disk boot sector to
       sector 719 (Side 1, Cyl 39, Sector 9 on a normal 360K 5.25"
       diskette) and then replace the boot sector at sector 0 with a copy
       of the virus.  If a boot sector of a diskette infected with the
       AirCop virus is viewed, it will be missing almost all of the
       messages which normally appear in a normal boot sector.  The only
       message remaining will be:

               "Non-system..."

       This will be located just before the end of the boot sector.

       The AirCop virus will do one of two things on infected systems,
       depending on how compatible the system's software and hardware is
       with the virus.  On most systems, the virus will display the
       following message at random intervals:

               "Red State, Germ Offensive.
                AIRCOP."

       On other systems, the virus being present will result in the system
       receiving a Stack Overflow Error and the system being halted.  In
       this case, you must power off the system in order to be able to
       reboot.

       AirCop currently does not infect hard disk boot sectors or partition
       tables.

       AirCop can be removed from infected diskettes by first powering off
       the system and rebooting from a known clean, write-protected DOS
       master diskette.  The DOS SYS command should then be used to replace
       the infected diskette's boot sector.  Alternately, MDisk can be used
       following the power-down and reboot.

       Known variant(s) of AirCop are:
       AirCop-B: Submitted in May, 1991 from the United States, AirCop-B is
                 a variant of the original AirCop virus.  Like the original
                 virus, it only infects floppy disk boot sectors.  The
                 Stack Overflow Error and system halt which occurred on
                 some systems no longer occur with this variant.  AirCop-B
                 activates during the month of September, and booting from
                 an infected floppy will result in a flashing, scrolling
                 display of the message:

                         "This is Aircop"

                 The boot will then proceed.  AirCop-B has also been
                 altered to avoid detection by anti-viral utilities.
                 Utilities which can detect AirCop may not be able to
                 detect this variant.


                                    Alameda
 
 Virus Name:  Alameda
 Aliases:     Mazatlan, Merritt, Peking, Seoul, Yale
 V Status:    Common
 Discovery:   1987
 Symptoms:    Floppy boot failures; resident-TOM; BSC
 Origin:      California, United States
 Eff Length:  N/A
 Type Code:   RtF - Resident Floppy Boot Sector Infector
 Detection Method:  ViruScan, F-Prot, IBM Scan, AVTK, NAV, Novi, Sweep, VET,
                    CPAV, UTScan, VirexPC, Gobbler2, VBuster, AllSafe, VNet,
                    ViruSafe, Trend, Iris, Panda, Detect+, IBMAV, DrVirus,
                    Vi-Spy
 Removal Instructions:  MDisk, CleanUp, F-Prot, NAV, or DOS SYS

 General Comments:
       The Alameda virus was first discovered at Merritt College in
       Alameda, California in 1987.  The original version of this virus
       caused no intentional damage, though there is now at least one
       variant of this virus that causes floppy disks to become
       unbootable after a counter has reached its limit (Alameda-C virus).

       The Alameda virus, and its variants, all replicate when the system
       is booted with a CTL-ALT-DEL and infect only 5-1/4" 360K diskettes.
       These viruses do stay in memory through a warm reboot, and will
       infect both system and non-system disks.  System memory can be
       infected on a warm boot even if BASIC is loaded instead of DOS.

       The virus saves the real boot sector at track 39, sector 8, head 0.
       The original version of the Alameda virus would only run on a
       8086/8088 machine, though later versions can now run on 80286
       systems.

       Known variant(s) of Alameda are:
       Alameda 1.2M: Isolated in the United States in April, 1992,
                    this variant of Alameda is able to infect 1.2M
                    5.25 inch diskettes in addition to 360K 5.25 inch
                    diskettes.  The virus will hang computers using
                    other than an 8088 processor when the system is
                    booted from an infected diskette.  This virus is
                    memory resident, allocating 1,024 bytes of memory
                    at the top of system memory but below the 640K DOS
                    boundary.  Interrupt 12's return will have been
                    moved.  It only infects diskettes in the A: drive
                    when the user performs a CTL-ALT-DEL key combination.
                    Origin:  United States  April, 1992.
       Golden Gate: The Alameda virus with a modification so that it
                    activates when the counter in the virus has determined
                    that it has infected 500 diskettes.  Upon activation,
                    the C: drive is formatted.  The counter in the virus
                    is reset on each new diskette or hard drive infection.
                    Origin:  California, United States  1988
       Golden Gate-B: Same as Golden Gate, except that the counter has
                      changed from 500 to 30 infections before activation,
                      and only diskettes are infected.
       Golden Gate-C: Same as Golden Gate-B, except that the hard disk
                      can also be infected.  This variant is also known as
                      the Mazatlan virus, and is the most dangerous of the
                      Alameda family.
       SF Virus: A modified version of the Alameda virus which
                 activates when the counter in the virus has determined
                 that it has infected 100 diskettes.  Upon activation, the
                 diskette in the floppy drive is reformatted.  The SF
                 virus only infects 5-1/4" diskettes.
                 Origin:  California, United States  December, 1987


                                     V2000
 
 Virus Name:  V2000
 Aliases:     Dark Avenger II, Stealth Virus, Travel Virus, Eddie 2000,
              Apocalypse II
 V Status:    Rare
 Discovered:  1989
 Symptoms:    TSR; .COM, .EXE, .OV? growth (see text); crashes;
              cross-linked files following CHKDSK.
 Origin:      Bulgaria
 Eff Length:  2,000 Bytes
 Type Code:   PRA - Parasitic Resident .COM & .EXE Infector
 Detection Method:  ViruScan, AVTK, NAV, IBM Scan, F-Prot, Novi, CPAV, Iris,
                    Sweep, UTScan, VirexPC, Gobbler2, VBuster, AllSafe, VET,
                    ViruSafe, Trend, VNet, Panda, Detect+, IBMAV, DrVirus,
                    Vi-Spy, NShld, LProt, CPAV/N, Sweep/N
 Removal Instructions:  NAV, or delete infected files

 General Comments:
       The V2000, or Dark Avenger II, virus is a memory resident generic
       file infector.  The first isolated samples of this virus were
       received from Bulgaria, where it was isolated by Daniel Kalchev and
       Niki Spahiev.

       V2000 will infect .COM, .EXE, and Overlay files, as well as
       COMMAND.COM.  When the first infected file is executed, the virus
       installs itself memory resident, and then infects COMMAND.COM if
       it has not already been infected.  Then, when an executable file is
       opened for any reason, it is infected if it hasn't been previously
       infected.

       Increased file lengths will not be shown if the V2000 virus is
       present in memory when a DIR command is issued.  Issuing a CHKDSK
       /F command on infected systems may result in cross-linking of files
       since the directory information may not appear to match the entries
       in the file allocation table (FAT).

       Systems infected with the V2000 virus will experience unexpected
       system crashes, resulting in lost data.  Some systems may also
       become unbootable due to the modification of COMMAND.COM or the
       hidden system files.

       One of the following two text strings will appear in the viral code
       in infected files, thus accounting for the alias of Travel virus
       used in Bulgaria:

              "Zopy me - I want to travel"
              "Copy me - I want to travel"

       There are reports from Bulgaria that the V2000 virus looks for
       programs written by Vesselin Bontchev and hangs the system if an
       attempt is made to execute them.  This would explain the presence
       of the following copyright notice within the viral code:

              "(c) 1989 by Vesselin Bontchev"

       Known variant(s) of V2000 are:
       V2000-B: (Die Young) Similar to the V2000 virus, the main
                difference is that the text string "Zopy me - I want to
                travel" is now "Only the Good die young..." or "Mnly the
                Good die young..." and the encryption used by the virus is
                different.  This variant is actually the original virus,
                predating V2000.
       Apocalypse II: Apocalypse II was received from Europe in May,
                      1991.  It is similar to V2000 and V2000-B, the
                      major change being that it no longer crashes
                      the system, and the text string "Zopy me - I want
                      to travel" is now "Apocalypse II begin!!".  This
                      variant also modifies the boot sector, but not with
                      an infectious copy of the virus.

       See:   Dark Avenger   V651   V1024


                                      Ash
 
 Virus Name:  Ash
 Aliases:   
 V Status:    Rare
 Discovery:   July, 1992
 Symptoms:    .COM file growth; file date/time changes
 Origin:      Unknown
 Eff Length:  280 Bytes
 Type Code:   PNCK - Parasitic Non-Resident .COM Infector
 Detection Method:  AVTK, Sweep, VNet, ViruScan, Panda, VET, F-Prot, IBMAV,
                    Novi 1.15a+, CPAV 1.4+, VBuster 3.93+, UTScan 25.10+,
                    Vi-Spy, NAV 2.1.4+, NShld, Sweep/N
 Removal Instructions:  Delete infected files

 General Comments:
       The Ash virus was submitted in July, 1992.  Ash is a non-resident,
       direct action infector of .COM programs, including COMMAND.COM.
       Its origin or point of isolation is unknown.

       When a program infected with the Ash virus is executed, the Ash
       virus will infect all of the .COM programs located in the current
       directory.  Infected programs will have a file length increase
       of 280 bytes with the virus being located at the end of the
       infected file.  The program's date and time in the DOS disk
       directory listing will have been updated to the current system
       date and time when infection occurred.  One text string is visible
       within the Ash viral code in infected programs:

               "*.COM"

       Ash doesn't do anything besides replicate.

       See:   Green Joker