ANTIVIRUS LIST
1. Adolph
Aliases: Adolf Hitler
Infection length: 475 bytes
Area of infection: COMMAND.COM files, .COM files
Likelihood: Rare
Region reported: Unknown
Characteristics: Encrypted, polymorphic
Target platform: DOS
Trigger date: None
Description:
Adolf is a virus that changes the infected program’s time and date stamp to the date and time of infection. The infection code contains the string:
Adolf Hitler
2. Alabama
Aliases: Ala
Infection length: 1560 bytes
Area of infection: .EXE files
Likelihood: Rare
Region reported: Israel, U.S.A.
Characteristics: Memory resident, encrypted, triggered event
Target platform: DOS
Trigger date: None
Description:
Alabama is a memory-resident virus. One hour after it becomes active in memory, Alabama displays the following message:
SOFTWARE COPIES PROHIBITED BY LAW...
Special routines enable Alabama to survive a warm boot (Ctrl+Alt+Del). To remove Alabama from memory completely, you must cold-boot (power off or use the Reset button).
3. Ambulance
Aliases: Ambulance Car, RedX, Red Cross
Infection length: 796 bytes
Area of infection: COMMAND.COM files, .COM files
Likelihood: Rare
Region reported: Europe
Characteristics: Direct infection
Target platform: DOS
Trigger date: None
Description:
Ambulance is a virus that displays a moving ambulance and plays a siren sound when it activates.
4. AOL4Free Trojan Horse
Aliases: None
Infection Length: Trojan Horse
Area of Infection: Trojan Horse
Likelihood: Common
Region Reported: America Online e-mail
Characteristics: Trojan Horse
Target Platform: DOS, Windows 3.1, Windows 95
Trigger Date: Immediate
Description:
This trojan horse program should not be confused with the AOL4Free virus hoax message, which was distributed under the same name in the same timeframe (March 1997).
The AOL4Free trojan horse program was first reported as being distributed through America Online e-mail in early March 1997. Attached to the e-mail message is the archive file named AOL4FREE.COM, which is actually converted from a batch file using the DOS utility BAT2EXEC version 1.5. This utility is commonly used for converting large batch files to enhance speed.
This trojan horse first searches for the DOS program DELTREE.EXE in various directories, and then uses DELTREE.EXE to delete all files from your C drive. After deleting your files, it produces the DOS error message "Bad Command or file name" and continuously displays an obscene message. AOL4FREE can't delete your files if it is unable to find DELTREE.EXE, but the obscene message will always display.
This works on both DOS and Windows 95 environments as long as DELTREE.EXE is present and accessible.
For more information see: http://ciac.llnl.gov/ciac/bulletins/h-47a.shtml
5. AntiCMOS
Aliases: Lenart
Infection length: 512 bytes
Area of infection: Floppy boot sectors, master boot records
Likelihood: Common
Region reported: Europe, Hong Kong, U.S.A.
Characteristics: Wild, memory resident
Target platform: DOS
Trigger date: None
Description:
AntiCMOS is a simple virus that infects master boot records (MBRs) and DOS boot sectors (DBSs). AntiCMOS spreads only when you attempt to boot a system from an infected floppy disk. There is little difference between the .A and .B strains of AntiCMOS. Other than the triggered event, they are identical.
During the start of the boot process, AntiCMOS first reduces the total amount of conventional memory by 2K (CHKDSK reports 653,312 on infected systems), loads itself into memory, redirects the BIOS Disk I/O Services Interrupt 13h, and returns control to the system for further processing of the boot strap.
With AntiCMOS now active in memory, all disk reads of exactly one sector using the BIOS Disk I/O services are filtered out. Upon request of such a service, AntiCMOS first checks to see if the trigger requirements of its payload have been met.
AntiCMOS.A
If the trigger conditions hold true, AntiCMOS.A makes modifications to the system’s CMOS data. (A bug within the program all but guarantees the trigger routine will never be executed.) However, if the trigger condition is not met, the MBR (when dealing with the hard drives) or the DBS (when dealing with floppy disks) is read into memory, infected, and then written back to the drive.
AntiCMOS.B
If the trigger conditions hold true, AntiCMOS.B generates sounds from the PC speaker. (A bug within the program all but guarantees the trigger routine will never be executed.) However, if the trigger condition is not met, the MBR (when dealing with the hard drives) or the DBS (when dealing with floppy disks) is read into memory, infected, and then written back to the drive.
6. Arianna.3375
Aliases:
Infection length: 3,375 bytes
Area of infection: .EXE files, master boot record
Likelihood: Common
Region reported: USA, UK, Italy
Characteristics: Wild, memory-resident, encrypting, multipartite, stealthing
Target platform: DOS
Trigger date: None
Description:
The Arianna.3375 virus is an encrypted memory-resident virus which infects both .EXE files and the master boot record (MBR) of the hard drive. When infection of the master boot record occurs, the virus stores a copy of the original MBR at the physical location:
The last cylinder of the first partition - 1
The last side of the first partition
The last sector of the first partition - 9
Due to this virus’s stealthing (the ability to hide itself from the user), any attempt to read an infected area while the virus is active in memory will result in only the clean version of the area being displayed and not the virus infected area.
One other interesting aspect of this virus is the following text that appears within the encrypted body of the virus:
Coded in BARI ThanX to DOS UNDOCUMENTED See you for a new virus release. Bye
7. Anthrax
Aliases: None
Infection length: 1024 bytes (files) and 512 bytes (MBR)
Area of infection: .COM files, .EXE files, floppy boot sectors, master boot records
Likelihood: Rare
Region reported: Bulgaria
Characteristics: Multipartite, memory resident
Target platform: DOS
Trigger date: None
Description:
Anthrax is a virus that writes its viral code to the last few sectors of the hard drive. Any data stored there is overwritten and destroyed.
Infected host programs contain the following encrypted text strings:
Anthrax
(c) Damage Inc.
8. Avalon
Aliases:
Infection length: 814 bytes
Area of infection: .COM, .EXE files
Likelihood: Rare
Region reported: Unknown
Characteristics: Wild, memory-resident, trigger
Target platform: DOS
Trigger date: Any 31st of the month after the year 1992
Description:
This virus is a simple memory-resident .COM and .EXE file infector with only one special attribute. On the 31st of any month after the year 1992, the virus’s destructive payload will trigger by first overwriting the first physical sector of the first hard drive (80h) with garbage data, making the drive unbootable and inaccessible to DOS. Next, the words AVALON por Osoft are displayed in a light blue color in the upper right hand corner of the display screen.
9. Baby New Year Virus Hoax
Aliases: None
Infection length: Hoax
Area of infection: Hoax
Likelihood: Hoax
Region reported: E-Mail
Characteristics: Hoax
Target platform: Hoax
Trigger date: Hoax
Description:
This "virus" does not exist.
"Baby New Year" is not a virus; it is a complete hoax. The "virus" does not exist. There is currently no virus that has the characteristics ascribed to "Baby New Year." It is a sham, meant only to panic new or inexperienced computer users.
The message includes the following "warning":
IMPORTANT!!! YOUR COMPUTER IS PROBABLY INFECTED WITH A VIRUS. IN TURN, YOU HAVE SPREAD THIS VIRUS TO FRIENDS, FAMILY, AND CO-WORKERS JUST BY SENDING THEM EMAIL.
PLEASE READ AND PASS ON TO ANYONE TO WHOM YOU HAVE SENT EMAIL SINCE SEPTEMBER 11.
----------------------------------------------------------------
The latest run of the Center for Internet Security's most advanced virus detection software has revealed a new security threat, Baby New Year Virus, which, by CIS estimates, has already infected up to 42 million computers worldwide. If you have received any email since September 11, your computer has most likely already been infected. The BNY virus apparently originated in Washington State on or around September 7th of this year. It made its initial appearance at the Internet's central server on September 11 through an email message.
Simply by passing through, the email message infected the server, which in turn passed the virus on to every message that it has sent since September 11. Low estimates on the number of infected messages hover around 460 million.
The lifecycle of the virus will prove to be one of the most devastating since the Michaelangelo scare. It begins by attaching itself to email files. If your computer is infected, the virus will then attach itself to word processing documents, spreadsheets, and virtually anything else that may in turn be opened on other computers. After infecting a computer, the virus will lay dormant until 11:59 and 30 seconds pm on Dec 31 of this year. At that point, it will reset the year on your computer's internal clock to 1999. Half a minute later, the year on your clock will flip to 2000 rather than 1998 - unleashing the wrath of the millenium bug two years early.
So how does this affect you? The millenium bug is a great example of how programmers let seemingly minor issues slip through the cracks. Computers keep track of the year only in double digit intervals - 97, 98, 99 - rather than 1997, 1998, 1999. The problem is that "19" is the default for the first two digits. As a result, at the dawn of the new millenium, the year on computers worldwide will switch to 00 and your computer, and your bank's computer, and the IRS, and everyone else will think it's 1900! Difficulties will run the gamut from a personal computer freezing no longer allowing installations or document editing to the interest rates controlled by Wall Street giants plummeting to 1900's rates. Luckily, an antidote to this potentially devastating virus has been written.
You can disinfect your computer directly from the web at http://www.geocities.com/SiliconValley/Bay/7466. You can also email babynewyear@geocities.com to receive the latest update.
It is CRUCIAL that you send this email to EVERYONE you have sent mail to since September 11. This bug can be squashed ONLY if everyone who has received email from the infected server is notified and downloads the antidote. Everyone the initial infectants sent mail to must then be notified, and everyone THEY sent mail to, etc., etc. This is the only BENEFICIAL chain letter you will ever receive. Recipients will be thanking you come January 1. We promise.
GeoCities worked swiftly with the Symantec AntiVirus Research Center on this issue. They issued the following statement regarding this hoax:
--------------------------------------------------------------------------------
Dear Internet Community Members,
GeoCities guidelines have been carefully crafted to promote the free flowing exchange of ideas about your interests, activities and hobbies and at the same time maintain standards consistent with the Online community and the societies of the world at large.
In this case, our former community member whose homepage was at http://www.geocities.com/SiliconValley/Bay/7466 was involved in spreading malicious e-mail about a Baby New Year Virus. Fortunately, the virus turned out to be a hoax but the effects felt because of this mass e-mail were not.
GeoCities acted swiftly when alerted of this situation. After a thorough investigation was completed, we promptly removed the member's homepage, which was being used as part of this virus hoax, as well as their GeoCities e-mail account to prevent further such abuse.
10. BackDoor.G
Aliases: Backdoor.Trojan
Area of Infection: \Windows directory
Likelihood: Rare
Trigger Dates: None
Description
This trojan works in a similar manner to other backdoor trojans.
The trojan is distributed as a single executable, the installer.
When the installer is run, it does the following:
Drops an executable loader program in the \Windows directory.
Drops a server DLL in the \Windows\System directory.
Modifies either WIN.INI or the Registry so that the loader will be executed when the system boots up.
When the loader is run, it loads the server into memory. Once the server is in memory, it can allow unauthorized access to the user's computer. A client program can then be run from a remote location to make use of this access.
The researchers at SARC have determined that there is very little risk associated with this trojan. In order for an intruder to gain unauthorized access to a user's computer, the intruder must know that the server has been loaded and is running properly.
The researchers at SARC have analyzed two variants of BackDoor.G. Norton AntiVirus currently provides protection against the first variant. Only one sample of the second variant has been submitted to SARC. Protection against the second variant will be available in the June 3 virus definitions update. However, if you believe that your system has already been attacked, please submit any suspicious files.
#1
installer: DATA2.EXE
loader: TINURAK.EXE
server: WATCHING.DLL
Adds a value named KERNEL16 to the registry key:
HKLM/Software/Microsoft/Windows/CurrentVersion/RunServices
#2
installer: WINDOW.EXE
loader: NODLL.EXE
server: LMDRKI_33.DLL
Adds a line "run=nodll" to WIN.INI.
Both versions of BackDoor.G listen on the following 3 ports:
1243
6711
6776
12. Be My Valentine
Hoax Name: Be My Valentine
Region Reported: Email
Description
The following message has been sent out by email. It is a hoax. This "virus" does not exist.
The hoax message includes the following "warning":
Warning on February 14, 2000 you may
receive an email called, "Be My Valentine"...
do not open it, it contains a deadly virus...
it will erase your windows along with many
other program files. Pass this on as soon
as you can to get the WORD out!!!!....this
was reported on the CBS morning news
January 7, 2000.
13. BAT911.Worm
BAT911.Worm is an Internet worm that uses .bat files to search through a range of IP addresses of known ISPs to find an accessible computer. If an accessible computer shares its C drive, it copies its files onto the other computer.
Also known as: BAT.Chode.Worm, Chode, Foreskin, BAT911, 911 Worm, W95.Firkin, Worm.Firkin, BAT/Firkin.Worm
Category: Worm
Infection length: Several batch files and .pif files
Virus definitions: April 1, 2000
Threat assessment:
Damage: HIGH
Distribution: MEDIUM
Wildness: LOW
Wild
Number of infections: 0-50
Number of sites: 2
Geographic distribution: Low
Threat containment: Medium
Removal: Medium
Damage
Payload:
Triggers event: 19th of the month
Deletes files: From C:\Windows, C:\Windows\System, C:\Windows\Command, C:\
Modifies files: Autoexec.bat to call 911 using the computer modem
Degrades performance: Performs continuous IP searching in the background
Distribution
Shared drives: Copies its files onto an unprotected shared drive
Target of infection: Windows 9x system with an unprotected shared drive that connects to certain ISPs
Technical description
BAT.Chode.Worm uses several .bat files and some system programs to spread itself through an Internet connection. It searches through a range of IP addresses of known ISPs to find an accessible computer. If an accessible computer has a shared drive that is not password protected, the worm checks for the presence of the file C:\Windows\Win.com. If this file exists, it assumes the shared drive is the C drive of the other computer. It then copies its files onto the other computer in the C:\Progra~1\chode directory.
The main batch file assumes it is running from C:\Progra~1\Chode directory. When launched, it searches for an accessible subnet on several ISPs:
att.net (ATT Worldnet)
bellsouth.net (BellSouth Net)
level3.net (Level3 Net)
aol.com (America Online)
mindspring.com (Mindspring)
earthlink.net (Earthlink)
air.on.ca (Air.Internet in Canada)
psi.net (PSInet)
Note: Connecting to one of these ISPs does not make your computer vulnerable to this worm. Your computer is vulnerable to this worm (and other intrusions) if your computer's shared resources are not properly protected. This worm can only spread to a computer that has a shared drive without password protection for write-access.
Once the worm finds an accessible subnet, it searches for an accessible shared drive. If there is no accessible shared drive in the subnet, it repeats the subnet search.
Once the worm finds an accessible shared drive, it checks to see if the drive is the C drive. If so, it maps the shared drive.
After mapping the drive, it makes sure that it hasn't infected this mapped drive. While performing the check, it also searches and removes VBS.Network, a worm that uses VBS script. Then, it verifies the writability of the drive and copies its files to the other computer.
While copying its files to the other computer, it does the following:
Adds a call to a batch file that dials 911 using the computer modem into the C:\Autoexec.bat. This modification is done one out of five times.
Adds Ashield.pif into the Program Startup of the infected machine. This PIF file hides the worm when it is launched.
Adds Netstat.pif into the Program Startup of the infected machine. This PIF file hides the netstat utility that it uses.
Adds Winsock.vbs into the Program Startup of the infected machine. This VBS carries its payload.
Logs the infection in the file C:\Program files\Chode\Chode.txt of the source computer.
The worm also uses a freeware utility to hide its activity. The freeware utility is a win32 program that the worm names Ashield.exe. Norton AntiVirus does not detect this utility.
Payload
Winsock.vbs is launched when Windows starts on an infected computer. On the 19th of the month, this VBS script deletes files from the following directories:
C:\windows
C:\windows\system
C:\windows\command
C:\
Then, it displays two message boxes:
You Have Been Infected By Chode
You may now turn this piece of sh*t off!
Removal
Delete the C:\Program Files\Chode or C:\Program Files\Foreskin directory
Delete C:\Windows\Start menu\Programs\Startup\Ashield.pif
Delete C:\Windows\Start menu\Programs\Startup\Netstat.pif
Delete C:\Windows\Start menu\Programs\Startup\Winsock.vbs
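Neither write-up ships any detection code. The Python script below is an added example (not code from SARC, Symantec or the original write-ups) that turns the host indicators named in the BackDoor.G entry above (the KERNEL16 value under RunServices, the run=nodll line in WIN.INI and the three listening ports) and in the BAT911/BAT.Chode entry (the Startup-folder files and the Chode/Foreskin drop directories) into one offline check. It assumes the four artefacts have already been collected from the suspect machine and are fed in as plain data; the HostSnapshot type, the function names and the sample values embedded in the script are constructed for illustration and do not come from the write-ups.

```python
"""Offline indicator check for the BackDoor.G and BAT.Chode (BAT911) write-ups.

Added example, not code from the original write-ups.  The inputs are
constructed stand-ins for four artefacts collected from a suspect host:
the text of WIN.INI, the values under the RunServices registry key, the
file names in the Startup folder, and the set of listening TCP ports.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Indicators quoted from the write-ups.
BACKDOOR_G_RUNSERVICES_VALUE = "KERNEL16"      # variant #1: value added under RunServices
BACKDOOR_G_WININI_RUN = "nodll"                 # variant #2: "run=nodll" line in WIN.INI
BACKDOOR_G_PORTS = {1243, 6711, 6776}           # both variants listen on these ports
CHODE_STARTUP_FILES = {"ashield.pif", "netstat.pif", "winsock.vbs"}
CHODE_DIRS = {"c:\\program files\\chode", "c:\\program files\\foreskin"}


@dataclass
class HostSnapshot:
    """Artefacts gathered from one host (collection itself is out of scope here)."""
    win_ini: str                      # raw text of WIN.INI
    run_services: dict[str, str]      # value name -> data under ...\CurrentVersion\RunServices
    startup_files: list[str]          # file names found in the Startup folder
    listening_ports: set[int]         # TCP ports in LISTEN state (e.g. from netstat -an)
    directories: list[str] = field(default_factory=list)  # directories that exist on C:


def win_ini_run_entries(text: str) -> list[str]:
    """Return the programs named by run= lines in the [windows] section of WIN.INI."""
    entries: list[str] = []
    in_windows = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_windows = line[1:-1].strip().lower() == "windows"
            continue
        if in_windows and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "run":
                # run= may list several programs separated by spaces or commas
                entries.extend(value.replace(",", " ").split())
    return entries


def check_host(snap: HostSnapshot) -> list[str]:
    """Return human-readable findings; an empty list means no indicator matched."""
    findings: list[str] = []

    # BackDoor.G variant #1: KERNEL16 value under RunServices
    if BACKDOOR_G_RUNSERVICES_VALUE.lower() in {k.lower() for k in snap.run_services}:
        findings.append("BackDoor.G #1: RunServices value KERNEL16 present")

    # BackDoor.G variant #2: run=nodll in WIN.INI (compare on the bare program name)
    for prog in win_ini_run_entries(snap.win_ini):
        base = prog.rsplit("\\", 1)[-1].lower()
        if base.endswith(".exe"):
            base = base[:-4]
        if base == BACKDOOR_G_WININI_RUN:
            findings.append(f"BackDoor.G #2: WIN.INI run= launches {prog}")

    # Both BackDoor.G variants: the three listening ports
    hit = snap.listening_ports & BACKDOOR_G_PORTS
    if hit:
        findings.append(f"BackDoor.G: listening on port(s) {sorted(hit)}")

    # BAT.Chode: Startup-folder files and drop directories named in the write-up
    for name in snap.startup_files:
        if name.lower() in CHODE_STARTUP_FILES:
            findings.append(f"BAT.Chode: Startup folder contains {name}")
    for directory in snap.directories:
        if directory.lower().rstrip("\\") in CHODE_DIRS:
            findings.append(f"BAT.Chode: directory {directory} exists")
    return findings


# Constructed sample inputs (not captured from a real machine).
INFECTED_SAMPLE = HostSnapshot(
    win_ini="[windows]\nload=\nrun=nodll\n\n[Desktop]\nWallpaper=(None)\n",
    run_services={"KERNEL16": "C:\\WINDOWS\\TINURAK.EXE"},
    startup_files=["Ashield.pif", "Winsock.vbs", "Notepad.lnk"],
    listening_ports={139, 6711},
    directories=["C:\\Program Files\\Chode\\"],
)
CLEAN_SAMPLE = HostSnapshot(
    win_ini="[windows]\nload=\nrun=\n",
    run_services={"SystemTray": "SysTray.Exe"},
    startup_files=["Notepad.lnk"],
    listening_ports={139},
)


def main() -> None:
    for label, snap in (("infected sample", INFECTED_SAMPLE), ("clean sample", CLEAN_SAMPLE)):
        findings = check_host(snap)
        print(f"{label}: {len(findings)} finding(s)")
        for item in findings:
            print("  -", item)


if __name__ == "__main__":
    main()
```

On a real machine you would fill a HostSnapshot from the copied WIN.INI, a registry export of the RunServices key, a directory listing of the Startup folder and the output of netstat. A match is a lead for manual confirmation rather than proof of infection: any program can bind those three ports, and the file names can be reused by unrelated software.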
14. Burglar.1150.A
Aliases: GranGrave.1150, GranGrave
Infection length: 1,150 bytes
Area of infection: .EXE files
Likelihood: Common
Region reported: New Zealand, Hong Kong, Norway, USA, UK, Iceland, Sweden, Finland, Poland, Czech Republic, Taiwan, Netherlands, South Africa
Characteristics: Wild, memory-resident, encrypting, stealthing
Target platform: DOS
Trigger date: The 14th minute of any hour of any day
Description
Burglar.1150 is an encrypted memory-resident virus which only infects .EXE files that do not contain a V or an S in the file name.
Besides infecting files when they are accessed or executed, Burglar will look for files to infect whenever a file attribute change function is performed on a file (such as those done with ATTRIB), and whenever a get free disk space function (called during the DIR command, among others) is used.
Due to the virus’s stealthing routines, the file size increase caused by virus infection is not visible while the virus is active in memory.
An interesting item to note is that while the virus is infecting and when the system timer’s minute value matches 14, Burglar will display in the upper right hand corner of the screen the following white text:
Burglar/H
Also, contained within the body of the virus in unencrypted format is the following text:
AT THE GRAVE OF GRANDMA
and in encrypted format, the text below is stored within the body of the virus:
CLHWTBF-WCTK
Burglar/H*.*
15. Blue Mountain Virus Hoax
VirusName: Blue Mountain Hoax
Aliases: None
Infection Length: Hoax
Area of Infection: Hoax
Likelihood: Hoax
Region Reported: Internet
Characteristics: Hoax
Target Platform: Hoax
Target Date: Hoax
Description:
The rumours circulating that Blue Mountain electronic greeting cards contain a virus are a hoax. It is a sham, meant only to panic new or inexperienced computer users.
The hoax email message includes a "warning" similar to the following:
"Just received a call from family. A friend of theirs opened a card from Blue Mountain Cards and system crashed. Do not open Blue Mountain Cards until further notice. Virus has infiltrated their system..pass it on....."
There are now several variations of this message circulating on the Internet. There is no way that bluemountain.com can spread a virus. The Blue Mountain electronic greeting cards are merely web pages with graphical images that are viewed with your browser; as anti-virus researchers have known for years, computer viruses cannot be distributed in graphical images. Furthermore, when a user receives a Blue Mountain greeting notification in e-mail, there is also no way the user can get a virus; these e-mail messages contain strictly text messages and cannot contain a virus. When you send or receive cards from this site, you do not actually download to your computer any files that may contain a virus.
Please ignore any messages regarding this "hoax" and do not pass on any messages regarding it. Passing on messages about this hoax serves only to further propagate it.
16. California IBM
Hoax Name: California IBM
Region Reported: Email
Description
The following message has been sent out by email. It is a hoax. This "virus" does not exist.
The hoax message includes the following "warning":
Another new virus has been discovered.
It arrives in an e-mail titled
"California IBM". Microsoft has
announced that it is very bad, worse
than "Love Letter". There is no
remedy or cure. It will consume all
the information in the hard
drive, and will destroy Netscape
Navigator and Microsoft Internet
Explorer. Do not open anything with
this title, and pass this message on
to your e-mail contacts. Right now
not many people know about this, so
please pass it on as quickly as
possible.
Thank you.
17. Chill
Aliases: Chill Touch
Infection length: 544 bytes
Area of infection: Command, .COM files
Likelihood: Common
Region reported: USA, Australia
Characteristics: Wild, memory-resident, encrypting
Target platform: DOS
Trigger date: None
Description:
Chill is a common .COM-infecting virus that contains a destructive routine designed to format parts of the first physical hard drive (80h); however, this routine never seems to execute. Upon execution of an infected file, the virus loads itself into memory and stays there.
This virus will spread to other files when any of the following attempts are made:
Load/Execute a file (run)
Open a file
Change the attributes of a file
Rename a file.
Contained within the body of the virus is the following text in encrypted format:
[CHiLL TOUCH] You cannot touch these phantoms
18. ChinaTalk
Aliases: None
Infection length: Trojan horse
Area of infection: Trojan horse system extension
Likelihood: Common (System 6.0.x only)
Region reported: Unknown
Characteristics: Wild, trojan horse
Target platform: Macintosh
Trigger date: None
Description:
ChinaTalk is a trojan horse system extension. Masquerading as a female voice sound driver that is MacInTalk-compatible (MacInTalk is a software-based speech synthesizer), ChinaTalk is actually a system extension that erases directories on hard disks.
19. Civil_Defence.6672
Aliases: Civil.mp.6672.a, Cvil_Defense, Shifter, Datos, PL
Infection length: 7,168 bytes in master boot record / 6,672 bytes in .EXE files
Area of infection: Master boot record, .EXE files
Likelihood: Common
Region reported: USA, Poland, Czech Republic
Characteristics: Wild, memory-resident, multipartite, encrypting, stealthing
Target platform: DOS
Trigger date: ???
Description:
Upon execution of an infected file, the Civil_Defence.6672 virus will first infect the master boot record (writing its code from physical position cylinder 0 side 0 sector 2 to physical position cylinder 0 side 0 sector 15) and then remove itself from the infected file that is being run. Once this is done, the virus waits for the next system reset before becoming active in memory.
Because this virus uses stealthing routines, infected areas cannot be viewed while the virus is active in memory. When a disk editing program is used, the system will report that 129 sectors cannot be found.
Civil_Defence.6672 virus contains the following encrypted text:
MS-DOS version
Pissed off
Kick any key
CDV 3.B (Civil Defence Virus)
PREFOR.COM
(c) 1993 Modified by Civilizator
Civil Defence Virus ( CDV ver 3.B ) (c) 1992
20. Concept.Fr.B
Aliases: French Concept
Infection length: Four macros
Area of infection: Microsoft Word documents
Likelihood: Common
Region reported: North America, Europe
Characteristics: Wild, macro
Target platform: Macro
Trigger date: None
Description:
Concept.Fr.B is a macro virus that originated in France, shortly after WM.Concept.A, the first macro virus, appeared. This is a version of WM.Concept modified to work with French-language versions of Microsoft Word. It is functionally identical to the original WM.Concept.A virus.
21. CellSaver Virus Hoax
Aliases: None
Infection Length: Hoax
Area of Infection: Hoax
Likelihood: Hoax
Region Reported: Email
Characteristics: Hoax
Description:
The following message has been sent out by email. It is a hoax. This "virus" does not exist.
The hoax message includes the following "warning":
If you receive any CELCOM Screen Saver. Pls. do
not install it!!!!!! This screensaver is very
cool. It shows a NOKIA handphone, with time
messages.
After it is activated, the PC cannot boot up at
all. It goes very slow. It destroys your hard
disk. The filename is CELLSAVER.EXE
Please ignore any messages regarding this "hoax" and do not pass on any messages regarding it. Passing on messages about this hoax serves only to further propagate it.
Write-up by: Motoaki Yamamura
August 26, 1999
22. Crazy_Boot
Aliases: None
Infection length: 1536 bytes
Area of infection: Floppy boot sectors, master boot records
Likelihood: Common
Region reported: U.S.A., Europe, Japan
Characteristics: Wild, memory resident, stealthing, triggered event
Target platform: DOS
Trigger date: None
Description:
Crazy_Boot is a virus that causes no intentional, permanent damage. However, if the host computer is booted from an infected floppy disk, Crazy_Boot makes it appear that all physical hard drives have been lost. Crazy_Boot spreads to unprotected disks easily. It spreads only on diskettes, not by file distribution.
Crazy_Boot resides in memory. It infects the master boot records of all physical hard disks and infects the boot sectors of floppy disks. If Crazy_Boot is in memory, any access to the boot record is rerouted to a copy of the original boot sector.
When Crazy_Boot infects a hard drive, it makes a copy of the partition table (an important part of the system area), writes the copy of the partition table at a decimal offset of 256 (100 hexadecimal), and deletes the original partition table. To read the partition information (and see the drive), Crazy_Boot must be active in memory. If users boot from a virus-free floppy disk to avoid Crazy_Boot, all physical hard drives are inaccessible by normal means. In addition, Crazy_Boot writes portions of its viral code to cylinder 0, side 0, sectors 4 and 5.
After 8,995 disk reads, the following text string is printed to the screen:
Dont PLAY with the PC! Otherwise you will get in DEEP,DEEP trouble. Crazy Boot Ver. 1.0
23. Cri-Cri
Aliases: None
Infection length: 4616 bytes
Area of infection: .COM files, .EXE Files
Likelihood: Common
Region reported: U.S.A.
Characteristics: Wild, memory resident, stealthing, encrypted, polymorphic, triggered event
Target platform: DOS
Trigger date: June 4th
Description:
Cri-Cri is a polymorphic virus that infects several files at a time, and can rapidly infect most of the executables on a user’s disk. The virus does not, however, infect files with the letter "V" or files with digits 0 to 9 in their filenames. Cri-Cri becomes resident and begins infecting other files when an infected file is run. The virus searches the directories on the user’s disk to find files to infect, and also infects files as they are executed.
On June 4th, Cri-Cri locks up the user’s system and prints the following message:
"Cri-Cri" ViRuS by Griyo96 ...Tried, tested, not approved.
No damage is done when the system locks up. The lock-up is caused by an endless loop in the viral code.
Apparently, due to a bug in the virus, .EXE files are also frequently mangled beyond repair by Cri-Cri. Mangled hosts are not infectious, and code is random garbage that cannot be detected.
Cri-Cri was first discovered in the U.S. in October 1996.
24. Cruel.A
Aliases: Cruel, Cruel (mp)
Area of Infection: Master Boot Record and Floppy Boot Sectors
Likelihood: Common
Region Reported: Hungary
Characteristics: Wild, Memory Resident
Technical Notes:
This virus infects the master boot records of hard drives and the boot sectors of floppy disks. When a system is booted from an infected floppy disk, the virus loads itself into memory and infects the master boot record of the hard drive. After booting up from an infected hard drive, the virus infects floppy disks that are accessed by the system. It does not display any messages. It hooks interrupt 13h to infect floppy disk boot sectors.
Payload:
The virus will reset the CMOS on an infected system. The settings will be erased.
Repair Notes:
To repair an infected system, boot to a clean DOS floppy disk. Then, run Norton AntiVirus to scan and repair the master boot record. Also, scan all floppy disks for infection.
Norton AntiVirus users can protect themselves from this virus by downloading the current virus definitions either through LiveUpdate or from the following webpage:
http://www.symantec.com/avcenter/download.html
Write-up by: Wason Han
August 5, 1999
25. CS.Galadriel Virus
Aliases: None
Known Variants: None
Infection Length: 1576 bytes
Area of Infection: Corel Script (.CSC) Files
Likelihood: Rare
Region Reported: None
Characteristics: Corel Script, Corel Draw
Description:
CS.Galadriel is a Corel Script virus.
When an infected script is run, CS.Galadriel checks to see if the current date is June 6th, with the intent of displaying a dialog box on that date containing the message:
Ai! laurië lantar lassi súrinen!.
Yéni únótime ve rámar aldaron,
yéni ve linte yuldar vánier
mi oromardi lisse-miruvóreva
Andúne pella Vardo tellumar
nu luini yassen tintilar i eleni
ómaryo airetári-lirinen.
....
The date check is flawed, however, so it is unlikely that this will be seen.
Regardless of the date, Galadriel will scan the current directory (the directory containing the infected script) for uninfected scripts, and will attempt to write itself to the beginning of the first script it finds.
Galadriel will unintentionally insert "garbage" characters into the script it is trying to infect. As a result, it is unlikely that a newly infected script will be able to spread the virus itself, or even run, without editing the script and removing the "garbage" characters first.
An infected script can be repaired using the Corel Script Editor or any application capable of editing text files. To repair a script, delete the viral code at the beginning of the file, delete any "garbage" characters, and save the file.
Write-up by: Peter Pak
Updated: May 14, 1999
26. Cuartango Office97 Exploit
Aliases: ODBCJT32.DLL Driver Exploit, Jet 3.5 Exploit
Infection Length: N/A
Area of Infection: Office 97/2000 documents, spreadsheets, databases
Likelihood: Rare
Region Reported: None
Characteristics: Ability to secretly run malicious code
Target Platform: Office 97/2000 on Windows 95/98/NT/2000
Description:
A new exploit, discovered by Juan Carlos G. Cuartango, utilizes Office data files such as Excel spreadsheets and Word documents to embed malicious code which can be run unknowingly by the user.
The details of the vulnerability and a fix from Microsoft have now been released at
http://www.microsoft.com/security/bulletins/ms99-030.asp
The exploit can run shell commands, and can therefore perform essentially any action on your computer. In Excel spreadsheets, the commands are activated as soon as the user opens the spreadsheet; they are not contained in macros but in the normal cells of the spreadsheet, so the user does not receive the macro warning dialog box.
Verifying and upgrading the version of 'ODBCJT32.DLL' supplied with Office 97 resolves this vulnerability. If the version of your Jet Driver (ODBCJT32.DLL) is 3.5.xxx, then you are affected (to check the version, right-click on 'ODBCJT32.DLL', select 'Properties', then 'Version'). Customers may upgrade their .DLL by visiting
http://officeupdate.microsoft.com/articles/mdac_typ.htm
This vulnerability has been reported alongside a previously known vulnerability involving Excel spreadsheets posted to a website. An Excel spreadsheet may be posted to the web and launched on the user's computer without prompting the user with the appropriate notification. The .XLS file may be placed in a hidden .HTML frame, further obscuring the presence of potentially malicious code. However, this additional vulnerability may also be resolved by selecting "Confirm open after download" (double-click 'My Computer', select 'View', '(Folder) Options', 'File Types' and 'Edit...') for all file types associated with Excel (XL?).
Currently, there are no known reports of either vulnerability being exploited in a malicious manner. We encourage our users to update the vulnerable .DLL to prevent the execution of potentially malicious code.
Write-up by: Eric Chien
July 30, 1999
Updated: August 20, 1999
27. Dark Avenger
Aliases: Amilia, Black Avenger, Boroda, Eddie, Eddie-1, Diana, Rabid Avenger, VAN Soft, PS!KO, Evil Men, Dark Quest
Infection length: 1,800 bytes
Area of infection: .COM files, .EXE files
Likelihood: Common
Region reported: Europe, U.S.A., Australia
Characteristics: Wild, memory resident
Target platform: DOS
Trigger date: None
Description:
Dark Avenger is a virus that, after every 16 file infections, overwrites a random sector on the hard disk, destroying any program or data residing there.
The virus contains the following text:
Eddie lives...somewhere in time!
This program was written in the city of Sofia
(C) 1988-89 Dark Avenger
28. Desperado
Aliases:
Infection length: 2,403 bytes
Area of infection: COMMAND.COM, .COM, .EXE files
Likelihood: Common
Region reported: USA, Sweden
Characteristics: Wild, memory-resident, encrypting, polymorphic
Target platform: DOS
Trigger date: None
Description:
The Desperado virus is an advanced memory-resident virus that will not only infect .COM and .EXE files greater than 5000 bytes, but will also target the file COMMAND.COM.
Due to this virus’s polymorphic code (code that enables the virus code to change itself each time it spreads), infected files will not be infected exactly in the same way; however, they will have the same size.
During the infection process this virus will check the filename of the file being infected to ensure that it does not contain any of the following ASCII strings (the ASCII strings below are contained within the virus body in encrypted format):
SCAN
CLEA
VSHI
TOOL
MSAV
CPAV
VSAF
F-PR
VIRS
TBAV
TBSC
TBCL
TBUT
-V
UTSC
UT
This virus also contains code that will delete
the file CHKLIST.MS should it be found.
Also among the encrypted text mentioned above, the following text can be found:
Desperado Virus - Written in Malmo F02E
As a final note, this virus will not function if the DOS version in use is 3.x or lower.
29. DeepThroat.Trojan
DeepThroat.Trojan has no visual indicators of infection. When executed, this Trojan horse modifies the system registry to enable itself to run as a service. When installed on a Microsoft Windows system, it lets others gain full access to the system through a network connection.
Also known as: Backdoor.deepthroat.b
Category: Trojan horse
Infection length: Approximately 200 Kbytes (size may vary)
Virus definitions: May 15, 2000
Threat assessment:
Damage: Low
Distribution: Low
Wildness: Low
Wild:
Number of infections: 0-49
Number of sites: 0-2
Geographic distribution: Low
Threat containment: Easy
Removal: Moderate
30. Disk_Killer
Aliases: Computer Ogre, Disk Ogre, Ogre
Infection length: 512 bytes
Area of infection: Boot sectors
Likelihood: Common
Region reported: U.S.A., United Kingdom, Russia, Sweden
Characteristics: Wild, memory resident, triggered event
Target platform: DOS
Trigger date: None
Description:
Disk_Killer is a virus that quietly resides on the hard drive for 48 hours of disk usage and then encrypts the entire hard drive, using an XOR routine with a randomly changing byte value. All data is irrevocably lost if Disk_Killer is allowed to finish.
The virus displays the following text upon activation:
Disk Killer -- Version 1.00 by COMPUTER OGRE 04/01/1989
Warning !!
Dont turn off the power or remove the diskette
while Disk Killer is Processing!
PROCESSING
The virus displays the following text upon completion:
Now you can turn off the power. I wish you luck!
31. DonaldD.Trojan
Area of Infection: Microsoft Windows 9x and NT
Region Reported: US
Characteristics: Backdoor Trojan Horse
Detected on: Sept 28, 1999
Description:
DonaldD.Trojan is similar to BackOrifice.Trojan. When installed on a Microsoft Windows system, this backdoor trojan horse program allows others to gain full access to the system through a network connection. It consists of two pieces: a server and a client application. Both applications are capable of running under Windows 95, 98, and NT 4.0. The client application, running on one machine, may be used to monitor and control a second machine running the server application.
The port number through which the client controls the server is configurable. However, as long as the port is blocked by a firewall, this trojan horse will not be able to infiltrate the server. It does not matter whether the TCP or SPX protocol is implemented. There have not been any reports of this program being able to break through a firewall.
Technical Notes
The server application may be configured with several different options.
The networking protocol may be TCP or SPX. Any port number between 1 and 65535 may be selected for communication. The default port number for TCP is 23476, and an additional default port is 23477. For SPX, it is 0x9014 and an additional default port is 0x9015.
A password may be specified to limit the access on a server. However, there is a bug with version 1.52 of the trojan. In the client GUI, the password typed in is initially hashed using MD5 and is converted to a 32-byte string which is the hex representation. Then the result is sent to the server. For the command-line version of the client, the password is sent without using any type of encryption. Thus, if a user sets the password of the server using the command-line client, he cannot re-access it by using the GUI client with the same password.
Here are some of the bugs found in version 1.52 of this trojan. When the client attempts to play a WAV file to the server, and the client does not specify a filename in this field, the client program will crash. The same situation occurs when the client user forgets to specify the pathname for the server upgrade command.
The following is a list of commands the client program may send to the server program:
Create and delete directories
Copy, delete, rename, upload and download files
View, terminate, set priorities for processes
Suspend and resume threads
Execute programs
Create and delete registry keys
Set registry values
Modify system date and time
Perform a shutdown, log-off, restart, and power-off
Obtain a list of windows opened
Get a snapshot of the whole screen or just of a specific window
Send messages to a specific window
Modify CMOS (however, this only works in Windows 95/98 for now)
Look at the contents of the buffer where the keyboard input is stored
Re-map and disable keys on the keyboard
Simulate certain keystrokes (only works in Windows 95/98)
Open and close the CD-ROM tray
Turn the monitor on and off
Send message boxes with a few sets of buttons to choose from
Play wave (WAV) files
Chat with other people
Obtain CMOS and screensaver passwords
Query a list of shared resources
Repair Notes
Windows 9x Systems with NAV Installed
Reboot the machine to a clean DOS boot or Windows Startup floppy disk. Go to the \WINDOWS\SYSTEM directory on the drive where Windows is installed. Delete the file NAV detected as the DonaldD.Trojan. Remove the floppy disk and restart the system. Edit the Windows registry using REGEDIT.EXE. Go to the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\
Delete the folder named VMLDR.
Windows NT Systems with NAV Installed
Note the names of all the files NAV detects as the DonaldD.Trojan.
Edit the Windows registry using REGEDIT.EXE. You need to have Administrator access. Go to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
On the right side of the window, look for the registry value with BootExecute in its Name field. Right-click on BootExecute and select Modify. Here, you will see some hexadecimal numbers and some ASCII text beside them. Look for bootexec. To its left, where the hexadecimal numbers are, you will see the following bytes: 00 62 6F 6F 74 65 78 65 63. Highlight these bytes and press the backspace key to erase them. Make sure that you erase NO MORE and NO LESS than these bytes. Click OK. Scroll down the window and you will find two registry values with Pdata0 and Pdata1 as their name fields; they are right next to each other. Right-click on each of them and select Delete. This should delete the entries from all ControlSet registry keys (i.e., ControlSet01, ControlSet02, etc.). Then restart the system. Once Windows has started, open the Command Prompt from the Start/Programs... menu and delete the file NAV detected as the DonaldD.Trojan. Check the registry again to make sure the trojan did not reinstall itself.
Windows 9x Systems without NAV Installed
If you do not have an antivirus product that detects this trojan, you must do the following. Reboot the system to a clean DOS boot or Windows Startup floppy disk. Go to the \WINDOWS\SYSTEM directory on the drive where Windows is installed. Delete the following files: PNPMGR.PCI, OLEPROC.EXE, VMLDR.VXD.
Remove the floppy disk and restart the system. Go to the following Windows 9x registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\
Delete the folder named VMLDR.
Restart the machine again, look at the registry, and make sure that the trojan did not re-install itself.
Windows NT Systems without NAV Installed
If you do not have an anti-virus product that detects this trojan, you must delete the files manually. Edit the Windows registry using REGEDIT.EXE. You need to have Administrator access. Go to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
On the right side of the window, look for the registry value with BootExecute in its Name field. Right-click on BootExecute and select Modify. Here, you will see some hexadecimal numbers and some ASCII text beside them. Look for bootexec. To its left, where the hexadecimal numbers are, you will see the following bytes: 00 62 6F 6F 74 65 78 65 63. Highlight these bytes and press the backspace key to erase them. Make sure that you erase NO MORE and NO LESS than these bytes. Click OK. Scroll down the window and you will find two registry values with Pdata0 and Pdata1 as their name fields; they are right next to each other. Right-click on each of them and select Delete. This should delete the entries from all ControlSet registry keys (i.e., ControlSet01, ControlSet02, etc.). Then restart the system. Once Windows has started, open the Command Prompt from the Start/Programs... menu and delete the following files in the \WINNT\SYSTEM32 directory: BOOTEXEC.EXE, PMSS.EXE, and OLEPROC.EXE. Restart the system, and check the registry again to make sure the trojan did not reinstall itself. Contact your administrator to check whether the trojan horse program was installed with Administrator access.
Norton Anti-Virus users can protect themselves from this virus by downloading the current virus definitions either through LiveUpdate or from the following webpage:
http://www.symantec.com/avcenter/download.html
Write-up by: Cary Ng
September 28, 1999
32. Dr Watson
Virus Name: Dr Watson
Aliases: Dr.Watson, Dr W, DrWatson.1503, Dr W.1503
Infection Length: 1503
Likelihood: rare
Target Platform: COM Files
Description:
It infects DOS .COM files. The Dr Watson virus can spread through intranets, the Internet, or other e-mail. This virus has never been encountered by our customers. It is 1503 bytes long. This virus installs itself as a memory-resident program. This virus does not contain a destructive payload. It is not encrypted in any way. It does not exhibit multipartite behavior; in other words, it is incapable of infecting floppy disk or hard drive boot records. The virus does not try to actively conceal itself. This virus infects files in a manner that makes disinfection impossible.
Additional Comments:
The virus creates a file called C:\DRWATSON.COM and adds the line "@drwatson" to C:\AUTOEXEC.BAT. It may display the message "Tracing mode has been destroyed." Please also note that Windows does have a tool called Dr Watson (DRWATSON.EXE), which is usually located in the WINDOWS directory. The virus probably uses this file name to confuse the user and make this file (C:\DRWATSON.COM) less suspicious.
33. Dzino
Detected as: Dzino
Aliases:
Area of Infection: .COM Files
Characteristics:
No additional information.
Norton AntiVirus users can protect themselves from this virus by downloading the current virus definitions either through LiveUpdate or from the following webpage:
http://www.symantec.com/avcenter/download.html
34. Emperor
Aliases: None
Known Variants: None
Infection Length: 5826
Area of Infection: DOS, COM and EXE files
Likelihood: Rare
Characteristics: Memory resident, polymorphic, encrypted, multi-partite, floppy infector, stealth, trigger
Description:
The Emperor virus carries a payload that displays the following message when triggered:
EMPEROR
I will grind my hatred upon the loved ones.
Despair will be brought upon the hoping childs of happiness. Wherever there is joy the hordes of the eclipse will pollute sadness and hate under the reign of fear.
While this message is on the screen, the virus starts writing data to the hard drive beginning at the first sector (Master Boot Record). Data that is overwritten by the virus is not recoverable. After overwriting the hard drive, the virus alters code in the Flash BIOS. This is an attempt to kill the Flash BIOS in the same manner as the W95.CIH virus.
Once the MBR is infected, the virus must be running in order to access the hard drive. The same also applies to infected floppy disks. An infected floppy cannot be read from or written to by a clean system. The data on the hard drive and floppy are still intact. If the virus finds specific bytes present in the MBR during infection, it will zero out the CMOS RAM. If this happens, the current CMOS settings are lost.
If the payload has not been triggered, restoring the infected MBR with a clean one can repair the hard drive. Similarly, restoring the infected boot record with a clean one can repair floppy disks. After restoring the MBR and boot record, the data can be accessed. The infected files still need to be repaired.
An infected hard drive may not always boot up even to a clean boot floppy. In this case, the MBR has been corrupted beyond the PC's ability to recognize the hard drive. To fix this problem, you can boot to an early version of DOS, like 3.x. Then, you can use disk utility programs to repair the hard drive.
Write-up by: Wason Han
May 26, 1999
35. Edwin
Infection Length: 512 bytes
Area of Infection: Floppy MBR
Likelihood: Common
Region Reported: US
Characteristics: Resident, Wild, Boot
Technical Notes:
This is a boot virus that goes resident by hooking interrupt 13h. It infects the boot records of the floppy disk and the hard disk. Upon booting from an infected floppy disk, the virus displays the following message:
Non-system disk or disk error.
Payload:
After infecting approximately 63 times, the virus displays the string "JB" and halts the system.
Norton AntiVirus users can protect themselves from this virus by downloading the current virus definitions either through LiveUpdate or from the following webpage:
http://www.symantec.com/avcenter/download.html
Write-up by: David A. Le
August 2, 1999
36. EVIL THE CAT Virus Hoax
Aliases: None
Known Variants: Hoax
Infection Length: Hoax
Area of Infection: Hoax
Likelihood: Hoax
Region Reported: Email
Characteristics: Hoax
Description:
This information is a hoax and should be ignored.
Sample of hoax message:
ANNOUNCED YESTERDAY BY IBM: If you receive an email with a file called "EVIL THE CAT" do not open the file. The file Contains the "EVIL THE CAT" virus. IBM reports that... "this is a very dangerous virus, much worse than "Melissa" and there is NO remedy for it at this time. Some very sick, geeky individual has succeeded in using the reformat function from Norton Utilities using it to completely erase all documents on the hard drive. It has been designed to work with Netscape Navigator and Microsoft Internet Explorer. It destroys Macintosh and IBM Compatible computers. This is a new, very malicious virus and not many people know about it at this time. Please pass this warning to everyone in your address book and share it with all your online friends ASAP so that the Destruction it can cause may be minimized."
Please ignore any messages regarding this "hoax" and do not pass on any messages regarding it. Passing on messages about this hoax serves only to further propagate it.
Write-up by: Motoaki Yamamura
July 19, 1999
37. Exe_Bug.A
Aliases: CMOS Killer, Hooker, Int_0B, CMOS-1
Infection length: 512 bytes
Area of infection: Master boot record, floppy boot sector
Likelihood: Common
Region reported: USA, UK, Belgium, Hungary, Iceland, France, Portugal, Sweden, Mexico, Ireland, Germany, South Africa
Characteristics: Wild, memory-resident, size stealth, read stealth
Target platform: DOS
Trigger date: None
Description:
The EXE_Bug.A virus is a mildly complicated virus that infects the master boot record of hard drives and the floppy boot sector. It uses several advanced techniques to both spread itself and hide itself from the user. To spread, this virus modifies the system's CMOS drive values, making the system look as if it does not have any floppy drives.
Due to the size of this virus within the master boot record, when a system is booted without this virus in memory any attempt to access the hard drive will result in the following error message:
Invalid drive specification
During infection a copy of the original master boot record is stored at physical location cylinder 0 side 0 sector 17.
38. Exe_Bug.C
Aliases: CMOS Killer, Hooker, Int_0B, CMOS-1
Infection length: 512 bytes
Area of infection: Master boot record, floppy boot sector
Likelihood: Common
Region reported: Norway, USA, South Africa
Characteristics: Wild, memory-resident, trigger, size stealth, read stealth
Target platform: DOS
Trigger date: Any day in March
Description:
The EXE_Bug.C virus is a mildly complicated virus that infects the master boot record of hard drives and the floppy boot sector. It uses several advanced techniques to both spread itself and hide itself from the user. To spread, the virus modifies the system's CMOS drive values, making the system look as if it does not have any floppy drives.
Due to the size of this virus within the master boot record, when a system is booted without this virus in memory any attempt to access the hard drive will result in the following error message:
Invalid drive specification
During infection a copy of the original master boot record is stored at physical location cylinder 0, side 0, sector 17. Upon activation of the trigger, 11 sectors of the hard drive are overwritten with garbage.
39. Exe_Bug.Hooker
Aliases: CMOS Killer, Hooker, Int_0B, CMOS-1
Infection length: 512 bytes
Area of infection: Master boot record, floppy boot sector
Likelihood: Common
Region reported: Finland, USA, South Africa
Characteristics: Wild, memory-resident, size stealth, read stealth
Target platform: DOS
Trigger date: None
Description:
The EXE_Bug.Hooker virus is a mildly complicated virus that infects the master boot record of hard drives and the floppy boot sector. This virus uses advanced techniques to both spread itself and hide itself from the user. To help it spread, this virus modifies the system's CMOS drive values, making the system look as if it does not have any floppy drives.
An interesting characteristic of this virus is that it will trojanize some .EXE files and turn them into droppers of this virus. The trojanized .EXE files will then display the text "HOOKER" to the screen.
During infection a copy of the original master boot record is stored at physical location cylinder 0 side 0 sector 17.
40. Easy.200 (1)
Detected as: Easy.200 (1)
Aliases:
Area of Infection: .COM Files
Characteristics: Memory Resident
No additional information.
Norton AntiVirus users can protect themselves from this virus by downloading the current virus definitions either through LiveUpdate or from the following webpage
Damage
Payload: Modifies registry keys
Releases confidential information: Dial-up passwords and system information
Compromises security settings: Unauthorized users may have access to your system
Distribution
Target of infection: Microsoft Windows 9x and NT Machines
Technical description:
This Trojan horse opens a large number of ports for listening. It can be used to allow unauthorized access to your computer.
The file name of the attachment might vary. When executed, the Trojan horse sets the path and file name of the attachment (usually c:\windows\temp\filename.exe) as the "SystemDLL32" value in the following registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Removal:
Scan your computer with Norton AntiVirus.
Restart your computer in MS-DOS mode.
Delete any files detected by Norton AntiVirus as DeepThroat.Trojan.
Restart the system.
Edit the Windows registry using Regedit.exe.
Go to the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
On the right side of the window, look for the registry entry with SystemDLL32 as its name field. Right-click SystemDLL32 and click Delete.
Restart the machine again, look at the registry, and make sure that the Trojan horse did not reinstall itself.
Write-up by: Edric Ta
Updated: May 17, 2000
Virus Name: GAP Email Tracking Hoax
Aliases: None
Known Variants: Hoax
Infection Length: Hoax
Area of Infection: Hoax
Likelihood: Hoax
Region Reported: Email
Characteristics: Hoax
Description:
This information is a hoax and should be ignored.
Sample of hoax message:
Abercrombie & Fitch have recently merged to form the largest hottie outfitter company in the world! In an effort to remain at pace with this giant, the GAP has introduced a new email tracking system to determine who has the most loyal followers. This email is a beta test of the new clothing line and GAP has generously offered to compensate those who participate in the testing process. For each person you send this e-mail to, you will be given a pair of cargo pants. For every person they give it to, you will be given an additional Hawaiian print T-shirt, for every person they send it to, you will receive a fisherman's hat!
GAP will tally all the emails produced under your name over a two week period and then email you with more instructions.
This beta test is only for Microsoft Windows users because the email tracking device that contacts GAP is embedded into the code of Windows 95 and 98. If you wish to speed up the "clothes receiving process" then you can email the GAP's P.R. rep for a free list of email addresses to try, at...."gollygap@yahoo.com"
(this was forwarded to me, it's not me saying this...)
I know you guys hate forwards, but I started this a month ago because I was naked and couldn't get a date. A week ago, I got an email from the GAP asking me for my address. I gave it to them yesterday and I got a box load of merchandise in the mail from the GAP!!!!! It really works! I wanted you to get a piece of the action, you won't regret it!
Please ignore any messages regarding this "hoax" and do not pass on any messages regarding it. Passing on messages about this hoax serves only to further propagate it.
Write-up by: Motoaki Yamamura
June 21, 1999
43. Ghost
Aliases: Ghost.exe
Infection length: Hoax
Area of infection: Hoax
Likelihood: Hoax
Region reported: Worldwide
Characteristics: Hoax
Target platform: Hoax
Trigger date: Hoax
Description:
Ghost is not a virus. It is a hoax. The "virus" does not exist.
The Ghost screen saver program was originally distributed as a freeware product. When activated, the display window shows a Halloween setting with ghosts flying around. If activated on any Friday the 13th, the title screen changes and the ghosts fly around the entire screen, beyond the boundaries of the display window.
Word spread that this program was a virus or trojan horse, probably as a result of the program’s change in behavior on Friday the 13th. The Symantec AntiVirus Research Center (SARC) has analyzed, in exacting detail, the original files in question and determined that the program is innocent of all accusations. It is neither a trojan horse nor a virus.
Please ignore any messages regarding this "virus" and do not pass on any messages regarding it. Passing on messages about this hoax serves only to further propagate it.
44. Hoax Name: Gift from Microsoft
Aliases: Hoax
Infection Length: Hoax
Area of Infection: Hoax
Likelihood: Hoax
Region Reported: Email
Characteristics: Hoax
Target Platform: Hoax
Target Date: Hoax
Description:
The following message has been sent out by email. It is a hoax. This "virus" does not exist.
The hoax message includes the following "warning":
There is a deadly virus out there! It is called : "Gift from Microsoft" or something like that! DO NOT OPEN!!! It will do Major damage! I am telling you this from first hand account!
Please ignore any messages regarding this "hoax" and do not pass on any messages regarding it. Passing on messages about this hoax serves only to further propagate it.
Write-up by: Patrick Martin
Dec 28, 1999
45. Giggle.Trojan
Detected as: Giggle.Trojan
Infection Length: 536,739 bytes
Likelihood: Rare
Detected on: March 17, 2000
Characteristics: Trojan, WinBatch
Norton AntiVirus users can protect themselves from this trojan by downloading the current virus definitions either through LiveUpdate or from the Download Virus Definition Updates page.
Description:
Giggle.Trojan is a Trojan horse, which means that unlike a virus, it cannot spread on its own. It's a malicious program that displays messages and deletes files.
When the program is executed, it searches to see if the file Wbdbs32i.dll already exists on your computer. If not, it drops this file into the same directory and displays the following series of message boxes:
First message:
Spectacular Displays Present - The Giggle Box
Close all applications BEFORE clicking OK
Second message:
The Giggle Box
Are you ready to laugh?
Third message:
The Giggle Box
Was it good for you too?
In the background, the Trojan horse deletes files that have the .doc or .xls extensions from the My Documents folder. It also deletes all files in the following directories:
C:\Lotus\Work\123
C:\Lotus\Work\123w
C:\Lotus\Work\Wordpro
C:\Notes\Data
C:\Lotus\Notes\Data
Write-up by: Motoaki Yamamura
March 17, 2000
46. Ginger
Aliases: Bad Seed, Gingerbread, Gingerbread Man
Infection length: 2774 bytes
Area of infection: .COM files, .EXE files, master boot records
Likelihood: Common
Region reported: Australia, U.S.A.
Characteristics: Wild, multipartite, memory resident, stealthing
Target platform: DOS
Trigger date: None
Description:
Ginger is a memory-resident virus. Although Ginger is introduced into memory by infected files, infected host files do not infect other files. Host files serve only to drop the virus to the master boot record (MBR) of the hard drive. Once the system is booted from an infected MBR, the virus becomes memory resident again and begins infecting host files when open, close, or copy commands are executed. Because the virus installs itself into low memory, CHKDSK or MEM reports the normal amount of memory available.
The virus body is stored, unencrypted, on side 0, track 0, sector 2 of the hard drive. Ginger stealths the infected MBR if it is in memory. If the MBR is accessed with the virus in memory, a clean MBR is displayed. Infected files grow by 2,774 bytes, but the change in size is stealthed if the virus is in memory.
The following text strings can be found in the virus body on side 0, track 0, sector 2 of the hard drive:
PTT (You cant catch the Gingerbread Man!) Bad Seed - Made in OZ!
47. Good Times
Aliases: Email
Infection length: Hoax
Area of infection: Hoax
Likelihood: Hoax
Region reported: Worldwide
Characteristics: Hoax
Target platform: Hoax
Trigger date: Hoax
Description:
This "virus" does not exist.
Good Times is not a virus; it is a complete hoax. There is currently no virus that has the characteristics ascribed to Good Times. The e-mail Good Times "warning" was written by a couple of pranksters on America Online (AOL) sometime in 1994. Since then, it has traveled the Internet electronic mail system, spreading fear wherever it crops up. The message is just convincing enough that people spread the news to all of their friends. Needless to say, it has propagated itself well over the years.
Several times a year, our AV Research Center receives calls or e-mail regarding the Good Times "virus." Reports crop up most often around the major holidays when e-mail and letter mail usage is highest.
Please ignore any messages regarding this "virus" and do not pass on any messages regarding it. Passing on messages about this hoax serves only to further propagate it.
48. Green_Caterpillar
Aliases: 1575, 1577, 1591, Find
Infection length: 1575 bytes
Area of infection: .COM files, .EXE files
Likelihood: Common
Region reported: Canada, Europe, U.S.A., India, Mexico, Australia, Japan
Characteristics: Wild, memory resident, triggered event
Target platform: DOS
Trigger date: None
Description:
Green_Caterpillar is a virus that infects one command (.COM) and one executable (.EXE) file on the current drive every time a DIR or COPY command is executed. As a result, those commands take much longer than normal to run.
Green_Caterpillar also produces an animated caterpillar that munches text on the screen, similar to the Centipede arcade game.
49. Guts to Say Jesus Hoax
Virus Name: Guts to Say Jesus Hoax
Aliases: RETURNED OR UNABLE TO DELIVER
Region: EMail
Description:
This information is a hoax and should be ignored.
Sample of hoax message:
WARNING
If you receive an email titled "It Takes Guts to Say 'Jesus'", DO NOT OPEN IT. It will erase everything on your hard drive. This information was announced on 21 April by IBM stating that this is a very dangerous virus, much worse than "Melissa", and that there is NO remedy for it this time.
Some very sick individual has succeeded in using the reformat function from Norton Utilities causing it to completely erase all documents on the hard drive. It has been designed to work with Netscape Navigator and Microsoft Internet Explorer. It destroys Macintosh and IBM compatible computers. This is a new, very malicious virus and not many people know about it.
Pass this warning along to EVERYONE in your address book and please share it with all your online friends ASAP so that this threat may be stopped.
Please practice cautionary measures and tell anyone that may have access to your computer. Forward this warning to everyone that might access the Internet.
Sample of hoax message:
VIRUS WARNING !!!!!!!
If you receive an email titled "It Takes Guts to Say 'Jesus'" DO NOT open it. It will erase everything on your hard drive. Forward this letter out to as many people as you can. This is a new, very malicious virus and not many people know about it. This information was announced yesterday morning from IBM; please share it with everyone that might access the internet. Once again, pass this along to EVERYONE in your address book so that this may be stopped. Also, do not open or even look at any mail that says "RETURNED OR UNABLE TO DELIVER." This virus will attach itself to your computer components and render them useless. Immediately delete any mail items that say this. AOL has said that this is a very dangerous virus and that there is NO remedy for it at this time. Please practice cautionary measures and forward this to all your online friends ASAP.
Sample of hoax message:
If you receive an email titled "It Takes Guts to Say 'Jesus'" DO NOT OPEN IT. It will erase everything on your hard drive. This information was announced yesterday morning from IBM; AOL states that this is a very dangerous virus, much worse than "Melissa", and that there is NO remedy for it at this time. Some very sick individual has succeeded in using the re-format function from Norton Utilities causing it to completely erase all documents on the hard drive. It has been designed to work with Netscape Navigator and Microsoft Internet Explorer. It destroys Macintosh and IBM compatible computers. This is a new, very malicious virus and not many people know about it. Pass this warning along to EVERYONE in your address book and please share it with all your online friends ASAP so that this threat may be stopped. Please practice cautionary measures and tell anyone that may have access to your computer. Forward this warning to everyone that might access the internet.
Please ignore any messages regarding this "hoax" and do not pass on any messages regarding it. Passing on messages about this hoax serves only to further propagate it.
Write-up by: Motoaki Yamamura
May 6, 1999
50.Hacky Birthday Virus Hoax
Aliases: none
Infection Length: Hoax
Likelihood: Hoax
Region Reported: EMail
Characteristics: Hoax
Target Platform: Hoax
Target Date: Hoax
Description:
This "virus" does not exist.
"Hacky Birthday" is not a virus; it is a complete hoax. There is currently no virus that has the characteristics ascribed to "Hacky Birthday." It is a sham, meant only to panic new or inexperienced computer users. The hoax has been seen in multiple languages, including English and Spanish.
The message includes the following "warning:"
PLEASE SEND THIS MESSAGE URGENTLY BEFORE JULY-31-98!!
G.I.S.V.I. - UBA Net
ATTENTION TO ALL INTERNET & E-MAIL USERS
====================================================
Ref: VIRUS "HACKY BIRTHDAY!"
============================
This message is being distributed by the Investigation Group for Viruses from the Buenos Aires University.
There has been a trojan (trojan = virus that is executed by certain conditions) sent to 3 principal suppliers of e-mail and Internet in our country.
All e-mail that has been sent through these suppliers have been infected with this trojan to all of those computers that have access to these suppliers.
This virus, luckily, still hasn't activated yet and will do so this July 31, '98. This date seems to be the birthday of a well-known Argentine hacker who has entered illegally into government institutions, banks, Internet suppliers whose nickname was found in the virus program with the phrase: "Hacky Birthday"!
Having a very complex programming technique it isn't possible to be detected with any known antivirus. The following antivirus programs (and without effective eliminative results): ThunderByte, Scan, Norton Antivirus, MSAV, F-Prot, and the Panda Antivirus.
If the virus were to become activated on the date indicated, it would transmit to an Internet address not identified (maybe that of the virus' author) the login, password, DNS addresses and telephone access to Internet that resides within the infected computer, destroying previously the FAT (File Allocation Table) Primary and Secondary of the hard disk, leaving it paralyzed and without possibilities of recovery.
So in the meanwhile, due to the closeness of the date indicated in which the virus will activate itself, and until the Investigation Group for Viruses from the Buenos Aires University finds a way to eliminate the offensive virus, OUR RECOMMENDATION IS TO LEAVE THE COMPUTERS TURNED OFF ON JULY 31, '98, TO PREVENT THIS TROJAN FROM ACTIVATING ITSELF.
Unfortunately this virus has its own countdown that starts once infected in the computer, which means that IT DOESN'T WORK IF YOU CHANGE THE DATE OF THE COMPUTER TO ESCAPE FROM IT ACTIVATING ITSELF.
Please ignore any messages regarding this "virus" and do not pass on any messages regarding it. Passing on messages about this hoax serves only to further propagate it.
51.Halloween Virus Hoax
Infection Length: Hoax
Area of Infection: Hoax
Likelihood: Hoax
Region Reported: Email
Characteristics: Hoax
Target Platform: Hoax
Target Date: Hoax
Description:
The following message has been sent out by email. It is a hoax. This "virus" does not exist.
The hoax message includes the following "warning":
A friend of mine recently received a file "Trickor1.exe". When he opened the file, a Halloween cartoon greeting appeared and asked "trick or treat". He thought it was cute until he found out the trick was really on him! This is a very dangerous virus. His entire harddrive was wiped out and could not be re-formatted. Unfortunately he had access to a network and the entire network was also wiped out! The virus then attached an unknown remote server line to his company's network and phone lines. All of these lines were immediately clogged up as the unknown server used their phonelines to make out-of-country calls and call various pornlines. This could happen on a regular home modem, or a company server. The amount of charges that could be applied to your line depends on the number of lines and size of your company's server. This little email greeting could cost you or your company lots of money and time, so please be on the lookout!! I checked into it and it has a few alternate names. It can be known as (could be in .exe or .zip format):
Trickor1.exe
Trickortreat.exe
Hallogreeting.exe
happyhalloween.exe
H20.exe
TorT.exe
Please be on the lookout for any of these files attached to emails. There could be various subjects on the email title but an example is: Trick or Treat, you make the call. There usually isn't any content in the body of the email, but there could be.
Pass this along to everyone you know!!!
Please ignore any messages regarding this "hoax" and do not pass on any messages regarding it. Passing on messages about this hoax serves only to further propagate it.
Write-up by: Motoaki Yamamura
Oct 29, 1999
52.Happy New Year Virus Hoax
Aliases: Hoax
Infection Length: Hoax
Area of Infection: Hoax
Likelihood: Hoax
Region Reported: Email
Characteristics: Hoax
Target Platform: Hoax
Target Date: Hoax
Description:
The following message has been sent out by email. It is a hoax. This "virus" does not exist.
The hoax message includes the following "warning":
Warning on December 31, 1999 you may receive an email called, Happy New Year...do not open it, it contains a deadly virus...it will erase windows from your computer along with many other program files.
Pass this on as soon as you can to get the WORD out!!!
This is not a hoax....this was reported on CNN on Tuesday the 2nd November 1999!
Please ignore any messages regarding this "hoax" and do not pass on any messages regarding it. Passing on messages about this hoax serves only to further propagate it.
Write-up by: Motoaki Yamamura
Nov 18, 1999
53.Happy99.Worm
When executed, the infected program opens a window entitled "Happy New Year 1999 !!" and shows a fireworks display to disguise its installation. This worm sends itself to other users when the infected computer is online.
Also known as: Trojan.Happy99, I-Worm.Happy, W32.Ska, Happy00
Category: Worm
Infection length: 10,000 bytes
Virus definitions: January 28, 1999
Threat assessment:
Damage: LOW
Distribution: HIGH
Wild: HIGH
Wild
Number of infections: More than 1000
Number of sites: More than 10
Geographic distribution: High
Threat containment: High
Removal: Medium
Damage
Payload: The worm sends itself to other users when the infected system sends email or posts to a newsgroup.
Payload Trigger: Online connection allows the worm to propagate.
Large scale emailing: The happy99.exe file is attached as a separate email sent in conjunction with an outgoing email.
Modifies files: WSOCK32.DLL
Distribution
Name of attachment: Happy99.exe, Happy00.exe
Size of attachment: 10,000 bytes
Technical description
HAPPY99.EXE is a worm program, not a virus. This program has reportedly been received through email spamming and USENET newsgroup posting. The file is usually named HAPPY99.EXE and appears as an attachment to an email or article.
When executed, the program opens a window entitled "Happy New Year 1999 !!" and shows a fireworks display to disguise its other actions. The program copies itself as SKA.EXE and extracts a DLL that it carries as SKA.DLL into the WINDOWS\SYSTEM directory. It also modifies WSOCK32.DLL in WINDOWS\SYSTEM directory and copies the original WSOCK32.DLL into WSOCK32.SKA.
WSOCK32.DLL handles internet connectivity in Windows 95 and 98. The modification to WSOCK32.DLL allows the worm routine to be triggered when a connect or send activity is detected. When such online activity occurs, the modified code loads the worm's SKA.DLL. This SKA.DLL creates a new email or a new article with UUENCODED HAPPY99.EXE inserted into the email or article. It then sends this email or posts this article.
If WSOCK32.DLL is in use when the worm tries to modify it (i.e., the user is online), the worm adds the registry entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce=SKA.EXE
The registry entry loads the worm the next time Windows starts.
Removal:
A Happy99.Worm removal tool is available for download.
Manual removal:
All file renaming and deletions can be performed via Windows Explorer.
1. Delete WINDOWS\SYSTEM\SKA.EXE.
2. Delete WINDOWS\SYSTEM\SKA.DLL.
3. In the WINDOWS\SYSTEM\ directory, rename WSOCK32.DLL to WSOCK32.BAK.
4. In the WINDOWS\SYSTEM\ directory, rename WSOCK32.SKA to WSOCK32.DLL.
5. Delete the downloaded file, usually named HAPPY99.EXE.
Windows prevents you from doing steps 3 and 4 above if the machine is still connected to the Internet, because the file WINDOWS\SYSTEM\WSOCK32.DLL is in use whenever the machine is connected to the Internet (through dial-up or LAN connection).
If you are using a dial-up connection (e.g., America Online), do the following:
1. Terminate the Internet connection.
2. Delete WINDOWS\SYSTEM\SKA.EXE.
3. Delete WINDOWS\SYSTEM\SKA.DLL.
4. In the WINDOWS\SYSTEM\ directory, rename WSOCK32.DLL to WSOCK32.BAK.
5. In the WINDOWS\SYSTEM\ directory, rename WSOCK32.SKA to WSOCK32.DLL.
6. Delete the downloaded file, usually named HAPPY99.EXE.
If you are connected to the Internet through a LAN (e.g., in the office or via cable modem), do the following:
1. On the Windows taskbar, click Start > Shut Down > Restart in DOS mode.
2. At the DOS prompt, type CD \windows\system.
3. Type RENAME WSOCK32.DLL WSOCK32.BAK.
4. Type RENAME WSOCK32.SKA WSOCK32.DLL.
5. Type DEL SKA.EXE.
6. Type DEL SKA.DLL.
Write-up by: Raul K. Elnitiarta
Updated: Jan 18, 2000
54.HD Trojan
Aliases: Happy Days Trojan
Infection length: Trojan
Area of infection: Trojan
Likelihood: Rare
Region reported: America Online e-mail
Characteristics: Trojan, wild
Target platform: DOS
Trigger date: None
Description:
HD Trojan is a trojan horse program that was first reported as being distributed through America Online electronic mail (approximately February 1, 1996). The accompanying mail text suggested that it was a utility to streamline and improve the performance of PCs. The file included in the distribution was a compressed file named HAPPYDAY.ZIP (4,701 bytes). This compressed archive contained several individual programs and text files.
Filenames and sizes of the files in the compressed archive are listed below:
INSTALL.EXE (3,232 bytes)
NECUSER3.TYE (113 bytes)
README.TXT (401 bytes)
RUNMENOW.COM (1,926 bytes)
The README.TXT file contains the following text:
Hello, you are running Happy Days (R).
version 2.0
This program is a miracle b/c of its
size and its effectiveness. Run any
day, any time, and it increases your
productivity on the computer. Now we
all know how unproductive our sessions
at the computer can be, and this nifty
program will cure them all. Have a
Happy Day! with Happy Days (R) v2.0.
RUN the file RUNMENOW.COM in DOS only!!
If the RUNMENOW.COM file is executed, the following message is displayed:
This program is this ultimate in home entertainment.
55.Help Poor Dog Virus Hoax
VirusName: Help Poor Dog Virus Hoax
Aliases: Win A Holiday
Infection Length: Hoax
Area of Infection: Hoax
Likelihood: Hoax
Region Reported: Email
Characteristics: Hoax
Target Platform: Hoax
Target Date: Hoax
Description:
This information is a hoax and should be ignored.
Sample of hoax message:
FYI. Be careful when opening new messages.
Subject: NEW VIRUS - THIS IS SERIOUS
Please take note ......
If you receive an e-mail titled "PLEASE HELP POOR DOG.Win A Holiday"
DO NOT OPEN IT ! ! ! It will erase everything on your hard drive. Forward this letter out to as many people as you can. This is a new, very malicious virus and not many people know about it. This information was announced yesterday morning from Microsoft, please share it with everyone who might access the Internet.
Please ignore any messages regarding this "hoax" and do not pass on any messages regarding it. Passing on messages about this hoax serves only to further propagate it.
Write-up by: Motoaki Yamamura
Updated: May 5, 1999
56.Hitler Virus Hoax
VirusName: Hitler Virus Hoax
Aliases: None
Infection Length: Hoax
Area of Infection: Hoax
Likelihood: Hoax
Region Reported: Email
Characteristics: Hoax
Target Platform: Hoax
Target Date: Hoax
Description:
This information is a hoax and should be ignored.
Sample of hoax message:
Heads up everybody. It appears that the Hitler virus is on the loose.
The Hitler virus doesn't crash your system or wipe out your hard drive. No, it takes over your computer and sets out to conquer the world -- starting with you! Yes, the Hitler virus is designed to bend you to its aims. It will use your PC as a power base to enslave you and put you to work duplicating the Hitler virus on your neighbor's PC. The Hitler virus will not harm you until you are no longer necessary to its goals. Your life will be a living hell once your PC is infected. Your PC will first access the Hitler virus web site and download a gigabyte of support files. You say you don't have a gigabyte of free space? Hah! You'll be marching down to the store to buy a new hard drive! Once the gigabyte of support files are downloaded, your PC will be playing a lot of militaristic music and it will be shouting orders at you. And if you try to leave the house against orders, your PC will phone the police and have you arrested. I bet you're thinking that you will never become the stooge of your PC. Hah again! The Hitler virus is unprincipled in the extreme. It will grab your bank balance and your nest egg and every other asset it can lay its electronic hands on. When your PC shows you what it's got and what it can do to you, you'll march. Yeah, you'll march and you'll follow and your PC will lead. You think the Michelangelo virus was bad? What did the Michelangelo virus ever do to you? Sure it downloaded all that pornography from the same sex newsgroup. But the Hitler virus is _mean_ and I do mean _mean_.
I hope your PC isn't infected. Because the only way to remove the Hitler virus is to bomb your house into rubble...
Please ignore any messages regarding this "hoax" and do not pass on any messages regarding it. Passing on messages about this hoax serves only to further propagate it.
Write-up by: Motoaki Yamamura
April 26, 1999
57.HLL.Termite.5000
VirusName: HLL.Termite.5000
Aliases: None
Infection Length: 5000 bytes
Area of Infection: Files with COM or EXE extensions
Likelihood: Common
Region Reported: USA
Characteristics: Improved overwriter, encrypts original host
Target Platform: DOS
Target Date: Random
Description:
Termite is a 5000-byte improved overwriting virus written in a high-level language. The virus moves the first 5000 bytes of the original host to the end of the infected program and encrypts them. It places the virus code at the top of the program, overwriting the original bytes.
The virus is a direct action infector (not memory resident) with a fairly standard infection scheme. When run, it first decrypts the virus code, then searches for files to infect in the current directory. If no suitable files are found, it searches other directories on the hard disk. When a suitable candidate for infection is found, it renames that file to a new file with a different extension (usually some random characters). The virus code is copied byte for byte from the infected program instead of being re-encrypted, so the encryption does little to fool any antivirus program. The original 5000 bytes are encrypted and then placed at the end of the newly infected host.
The encryption scheme is fairly simple, but it quite easily renders the file inoperable and unrepairable. The virus generates the initial key it will use from the time/date stamp of the host file. The virus does not save this key anywhere, but instead recreates it each time the original host bytes need to be decrypted. If the time/date stamp is changed at all after infection, the key is lost forever. If this happens, the original host will not run after the virus executes, and you will not be able to repair the file.
The virus has a randomly triggering payload that can erase the data from your hard disk. The payload can trigger only when the virus is run from an infected host, not from the pure first-generation virus. After the payload triggers it prints the message "Oops! I've got such terrible munchies. TERMiTE v1.0 RAiD[SLAM]". The virus also deletes the following files every time that it runs: anti-vir.dat, chklist.ms, chklist.cps, vs.vsn, ivb.ntz.
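An added illustration (not the page's or the virus author's code) of why a changed time/date stamp leaves the host unrecoverable: the key exists only as a function of the file's stamp, so any tool that touches the file before repair destroys the only copy. The key derivation, one-byte XOR, and sample host below are constructed stand-ins for Termite's undisclosed scheme.

```python
import os
import tempfile
from pathlib import Path

HOST_PREFIX_LEN = 5000  # Termite moves the host's first 5000 bytes to the end


def key_from_timestamp(path: Path) -> int:
    """Hypothetical stand-in for Termite's derivation (not the real one): the
    only input is the file's time/date stamp, so the key is never stored."""
    mtime = int(os.stat(path).st_mtime)
    return (mtime & 0xFF) or 0x5A  # assumption: one-byte key, never zero


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def model_infection(path: Path, virus_body: bytes) -> None:
    """File layout the write-up describes: 5000 bytes of virus code over the
    top of the host, then the rest of the host, then the encrypted prefix.
    The host's original stamp is kept, since that is where the key comes from."""
    st = os.stat(path)
    original = path.read_bytes()
    key = key_from_timestamp(path)
    prefix, rest = original[:HOST_PREFIX_LEN], original[HOST_PREFIX_LEN:]
    body = virus_body.ljust(HOST_PREFIX_LEN, b"\x90")[:HOST_PREFIX_LEN]
    path.write_bytes(body + rest + xor_bytes(prefix, key))
    os.utime(path, (st.st_atime, st.st_mtime))


def repair(path: Path, original_len: int) -> bytes:
    """What a repair routine must do: recompute the key from the *current*
    stamp and move the decrypted prefix back to the front."""
    data = path.read_bytes()
    key = key_from_timestamp(path)
    prefix_len = min(HOST_PREFIX_LEN, original_len)
    rest = data[HOST_PREFIX_LEN:len(data) - prefix_len]
    return xor_bytes(data[len(data) - prefix_len:], key) + rest


def demo() -> tuple:
    """Returns (repaired while stamp intact, repaired after the stamp changed)."""
    with tempfile.TemporaryDirectory() as tmp:
        host = Path(tmp) / "HOST.COM"
        original = bytes(range(256)) * 30                # constructed 7680-byte host
        host.write_bytes(original)
        os.utime(host, (1_000_000_000, 1_000_000_000))   # constructed stamp
        model_infection(host, b"TOY MODEL, NOT TERMITE CODE")
        intact = repair(host, len(original)) == original
        # Any tool that touches the file (a backup, a copy, an engine that
        # rewrites it) changes the stamp, and with it the only copy of the key.
        os.utime(host, (1_000_000_100, 1_000_000_100))
        after_touch = repair(host, len(original)) == original
        return intact, after_touch
```

The practical lesson for handling a Termite-infected file is to preserve its stamp (copy with timestamps intact) before any repair attempt.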
Write-up by: Christopher Formulak
Date of write-up: December 16, 1998
58.HTML.Enel.3787
VirusName: HTML.Enel.3787
Aliases: None
Infection Length: 3787 bytes
Area of Infection: Files with HTM, HTML, or HTT extensions
Likelihood: Rare
Region Reported: None
Characteristics: Prepends VBScript code to HTML files
Target Platform: Windows with Internet Explorer 4.0 or greater
Target Date: None
Description:
The HTML.Enel.3787 virus is a VBScript virus that can infect HTML files. The virus requires Internet Explorer 4.0 or greater. The virus targets any file with an HTM, HTML, or HTT extension in the C:\WINDOWS\WEB, C:\InetPub\wwwroot, and C:\MyDocu~1 (usually My Documents) directories.
One can contract this virus by browsing a webpage via the Internet; however, with default Internet Explorer security settings, one must first approve a pop-up Security Alert. The virus first disables your Internet Zone security settings by changing the registry keys:
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1201
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1201
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1201
in both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER. Default security settings will never run the code which changes the above registry keys from a remote webpage. However, using an Internet Explorer buffer overflow exploit, the code is assumed to be on the local machine, giving the user the option of running the malicious code via the pop-up Security Alert. Approving this Security Alert then turns off future ActiveX object warnings and allows the virus to run malicious VBScript in remote webpages that infect local HTML files.
The virus checks to see if the files have been infected already before attempting infection. If the files have not yet been infected, the virus makes a temporary copy of the host file. The virus then overwrites the host file with viral code. After overwriting the host file, the virus then appends the original host data from the temporary file. This successfully prepends the viral code. The temporary file is then deleted.
Payload effects include the status bar being changed to "HTML.Worm v0.2 /1nternal" and, with a 1/15 chance, redirection to the author's webpage.
Norton AntiVirus users can protect themselves from the HTML.Enel.3787 virus by downloading the current virus definitions either through LiveUpdate or from the following web page:
http://www.symantec.com/avcenter/download.html
Write-up by: Eric Chien
Date of write-up: December 4, 1998
59.HTML.Prepend
VirusName: HTML.Prepend
Aliases: HTML.Internal
Infection Length: 1670 bytes
Area of Infection: Files with HTM or HTML extensions
Likelihood: Rare
Region Reported: None
Characteristics: Prepends VBScript code to HTML files
Target Platform: Windows with VBScript capable browser
Target Date: None
Description:
The HTML.Prepend virus is a Windows script virus that replicates by prepending Visual Basic Script to other HTML files. This virus is not the first HTML virus, but the third known HTML virus, all of which are written by the same author.
In order for the virus to infect, it requires Internet Explorer 4.0 or greater or another Visual Basic Script capable browser. The virus targets any file with an HTM or HTML extension in the current or parent directories.
Please note that you cannot get infected with this virus by browsing an infected web page via the Internet. The infected file must be viewed locally. This requires one to download or save an infected HTML file onto the local machine and then load that infected file into a Visual Basic Script capable browser with the appropriate security settings disabled. The virus will only infect 1 in 6 times and only infects files on the local machine. Internet Explorer 4.0 with default settings will prompt one with a Security Alert before allowing the virus to infect. The virus will not infect if it is in the root directory.
When opening a locally infected HTML file with a Visual Basic Script capable browser, the virus code is executed. A check is made to verify that the file is a local HTML file (URL begins with file://). The infection will then only continue with a 1 in 6 probability.
The virus attempts to infect each file in the same or parent directories that have the extension HTM or HTML (case-insensitive). The virus checks to see if the files have been infected already. If the files have not yet been infected, the virus makes a temporary copy of the host file. The virus then overwrites the host file with viral code. After overwriting the host file, the virus then appends the original host data from the temporary file. This successfully prepends the viral code. The temporary file is then deleted.
Finally, the status bar on the browser will be set to "HTML.Prepend /1nternal".
Norton AntiVirus users can protect themselves from the HTML.Prepend virus by downloading the current virus definitions either through LiveUpdate or from the following web page:
http://www.symantec.com/avcenter/download.html
Write-up by: Eric Chien
Date of write-up: November 9, 1998
60.Independence Day
VirusName: Independence Day
Aliases: None
Infection Length: 5303 bytes
Area of Infection: HyperCard stacks
Likelihood: Rare
Region Reported: Worldwide Web
Characteristics: N/A
Target Platform: Macintosh, PowerMac
Target Date: None
Description:
This virus replicates successfully between HyperCard stacks, but the malignant portion (which attempts to delete lines of code from stack scripts) does not function as intended.
Write-up by: Lee Gummerman
Date of write-up: October 29, 1998
61.INFILTER Virus Hoax
VirusName: INFILTER Virus Hoax
Aliases: none
Known Variants: Hoax
Infection Length: Hoax
Area of Infection: Hoax
Likelihood: Hoax
Region Reported: email
Keys: Hoax
Description:
This information is a hoax and should be ignored.
Sample of hoax message:
NEW E-MAIL VIRUS DISCOVERED!!! BE VERY CAREFUL!!!
Caution:
Last Thursday night Novell, in partnership with Symantec, identified the most destructive e-mail virus known! It first began attacking NetWare systems, but its creators managed to port it to the Windows platform, where it gained a high destructive power!
The messages were sent to thousands of Indian Internet users who, after reading the e-mail, had all of their computer equipment compromised. The speed with which the virus attacks is tremendous. If you happen to receive an e-mail with the subject NICE DAY, GOOD MORNING, NEW LINUX VERSION or HELP, do not open it! It will destroy your entire hard disk and compromise all of your equipment!!!
Novell, Microsoft, IBM and Symantec recommend caution with any strange message. It is possible that other messages, with other subjects, contain the virus. So be very careful! Andrade & Associados Ltda., a computer company in Salvador, has already located two possible attacks by this new virus in Bahia. So be very careful with any strange message!!!
Warn as many people as possible before the virus spreads! It can compromise all of your equipment!
Send this message to everyone you know who uses the Internet!
It is not yet certain how the virus attacks. Nicknamed INFILTER, it is known to begin by attacking files essential for running software, and after that it attacks your entire hard disk!!! Be very careful!!!
Symantec has made information about INFILTER available on its site. For now it is developing basic, but not complete, protection!!! So stay alert and warn everyone!!!
Never open e-mails with these subjects: NICE DAY, GOOD MORNING, NEW LINUX VERSION or HELP!!! The effect can be devastating!!!
Please ignore any messages regarding this "hoax" and do not pass on any messages regarding it. Passing on messages about this hoax serves only to further propagate it.
Write-up by: Motoaki Yamamura
Updated: May 24, 1999
62.Information on "W95.Roma" False Positive
SARC has learned that the 9/21/99 virus definition update for Norton AntiVirus detects some shareware programs as infected with the "W95.Roma" virus. The Symantec AntiVirus Research Center has confirmed this is a false positive.
A new virus definition update for Norton AntiVirus dated 9/22/1999 has been posted. This definition set corrects the false positive. The new virus definition set can be obtained by using the LiveUpdate feature in Norton AntiVirus or by downloading it from the following web site.
http://www.symantec.com/avcenter/download.html
We apologize for any inconvenience this may have caused.
Updated: September 24, 1999
64.Information on Back Orifice and NetBus
The following document provides a detailed technical explanation of the Back Orifice tool. There is another existing tool called NetBus which has capabilities similar to Back Orifice. However, NetBus Pro version 2.1 has been redesigned such that it is not hidden by default. This allows the program to be used as a legitimate remote control tool, although unscrupulous users might still attempt to use it for illegitimate purposes. The currently available definitions of Norton AntiVirus detect both Back Orifice and NetBus. To download these definitions, please go to:
http://www.symantec.com/avcenter/download.html
Back Orifice Overview
Back Orifice is a tool consisting of two main pieces, a client application and a server application. The client application, running on one machine, can be used to monitor and control a second machine running the server application. The operations that the client application can perform on the target machine (i.e., the machine running the server application) include the following:
Execute any application on the target machine.
Log keystrokes from the target machine.
Restart the target machine.
Lock up the target machine.
View the contents of any file on the target machine.
Transfer files to and from the target machine.
Display the screen saver password of the current user of the target machine. The creators of Back Orifice also claim to be able to display "cached passwords" for the current user, but no other passwords were displayed during our analysis.
Technical Details
Server application installation
In order for Back Orifice to work, the server application must be installed on the target machine. This involves executing the server application on the target machine. The server application is a single executable file with a size just over 122 kilobytes. The application creates a copy of itself in the Windows system directory and adds a value containing its filename to the Windows registry under the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
The specific registry value which points to the server application is configurable (see the section below on configuration). As a result, the server application starts whenever Windows starts, and thus is always active. The application does not appear in the Windows task list.
Target machine requirements
The target machine must be running either Windows 95 or Windows 98. The server application will not run on Windows NT. The target machine must have TCP/IP network capabilities.
Communication
The client application communicates with the server application over TCP/IP, using encrypted UDP packets.
Configuration of the server application
The server application can be configured with the following parameters:
Its installed filename
The communication port
The name of the value it will add to the registry
A password for encrypting the client/server packets used for communication
A custom plugin DLL to run with the server application
Default configuration
By default, if the server application has not been otherwise configured, the installed filename is " .exe" (i.e., a space followed by ".exe"), the communication port is 31337, the registry value name is empty (i.e., the default registry value entry is used), and no password is used (although the communication is still encrypted).
Is Back Orifice a Threat?
Potentially, the tool can be used by an unscrupulous user (i.e., the attacker) to compromise the security of a computer running Windows 95 or Windows 98, for example, to steal secret documents, destroy data, etc. However, the following obstacles limit the threat:
The server application must be installed on the target machine. This requires the user of the machine to either deliberately install this application or be tricked into doing so.
The attacker must know the IP address of the target machine. Although the attacker can use the client application to perform a search through a range of IP addresses, this is infeasible if the attacker cannot narrow the range to a small subset, because there are four billion possible IP addresses.
A firewall between the target machine and the attacker makes it virtually impossible for the attacker to communicate with the target machine. Most corporations have firewalls in place.
By following safe computing practices, for example, not downloading or running applications from unknown sources, users can protect themselves from the potential threat.
Write-up by: Motoaki Yamamura
June, 1999
65.Information on PWSteal.Trojan
Description
PWSteal.Trojan is a trojan which attempts to steal login names and passwords. These passwords are often sent to an anonymous email address.
Norton AntiVirus definitions dated 12/27/1999
incorrectly identified some Shockwave programs as containing PWSteal.Trojan.
This false positive has been corrected in the latest definitions.
Norton AntiVirus users can protect themselves from this trojan and correct the false positive by downloading the current virus definitions, either through LiveUpdate or from the Download Virus Definition Updates page.
66.INIT 17
Aliases: None
Infection length: N/A
Area of infection: Applications, System
files
Likelihood: Common
Region reported: Unknown
Characteristics: Wild
Target platform: Macintosh
Trigger date: October 31
Description:
INIT 17 is a virus discovered in Canada in April
1993. The virus is designed to “trigger” (become active) the first time
users restart their machines on or after October 31, 1993. At that time,
a message is displayed in a window entitled “From the depths of Cyberspace.”
After showing this message once on an infected Macintosh, the virus does
not display it again.
INIT 17 infects the System file and application files.
Although not intended to be destructive, INIT 17 contains errors in its viral code that may cause crashes, especially on older 68000-based Macintosh computers, such as the Plus, SE, and Classic.
67.Irina
Aliases: none
Infection length: Hoax
Area of infection: Hoax
Likelihood: Hoax
Region reported: Worldwide
Characteristics: Hoax
Target platform: Hoax
Trigger date: Hoax
Description:
This "virus" does not exist.
In September 1996, Penguin Books published a press release announcing the launch of an interactive novel called Irina. Various parts of this press release led some readers to believe that a new virus was spreading over the Internet and World Wide Web.
Penguin Books published a second press release soon after, but the word had already spread beyond recall.
Please ignore any messages regarding this "virus"
and do not pass on any messages regarding it. Passing on messages about
this hoax serves only to further propagate it.
68.Irok.Trojan.Worm
Irok.Trojan.Worm is a malicious worm that spreads
itself using Microsoft Outlook email and Internet Relay Chat (IRC). The
worm is sent as an email attachment. The message contains the following
text:
Subject: I thought you might like to see this
and the body of the email message
I thought you might like this.
I got it from paramount pictures website.
It's a startrek screen saver.
Category: Virus, Trojan horse, Worm
Infection length: 10001 Bytes
Virus definitions: March 27, 2000
Threat assessment:
Damage: High
Distribution: High
Wild: High
Wild
Number of infections: More than 1000
Number of sites: More than 10
Geographic distribution: High
Threat containment: High
Removal: Medium
Damage
Payload: Modifies executable files and corrupts
them.
Payload trigger: Email attachment Irok.exe is
executed.
Large scale emailing: List of up to 60 locations,
using MS Outlook.
Modifies files: Prepends itself to executable
files.
Degrades performance: Corrupts executable files,
such as Norton AntiVirus scanners, so that they no longer function properly.
Causes system instability: System might not be
able to restart.
Distribution
Subject of email: I thought you might like this
Name of attachment: Irok.exe
Size of attachment: 10001 Bytes
Target of infection: .Exe and .com files
Shared drives: Shared network drives and partitioned
drives
Technical description:
When Irok.exe is run, a black screen appears. Press Esc or the Spacebar to quit the application. It prepends itself to executable files and has been known to corrupt its host.
In the background, the worm copies itself to the C:\Windows\System directory and drops the Irokrun.vbs file into C:\Windows\StartMenu\Startup. The Irokrun.vbs script uses Microsoft Outlook to send the same email to the first 60 entries in the user's address book.
The third file to be dropped into an infected computer is called Winrde.dll in C:\Windows\System. From this point on, all executable files are infected and won't run properly.
When the computer is restarted, Irokrun.vbs is executed
on computers that have the Windows Scripting Host installed. Windows 98 users are
vulnerable to this by default, while Windows 95 users would need to have the Scripting Host
installed. The Irokrun.vbs script uses Microsoft Outlook to send the same
email to the first 60 entries in the user's address book, attaching Irok.exe
from the C:\Windows\System directory.
Removal:
The infectious files Irok.exe, Irokrun.vbs, and Winrde.dll should be deleted. Users should also delete all files detected as Irok.Trojan.Worm(G1) and Irok.Trojan.Worm(G2).
Irok has been reported to infect systems so that they will not restart. In this case, users need to restore the system from backup.
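The write-up says Irok prepends itself to .EXE and .COM files and that the hosts are sometimes corrupted. As an added example (not part of the original write-up), the following Python shows how a prepended worm body is stripped to recover the host, and why the body must be verified by hash before anything is stripped. The worm body, the host files and the file names are constructed stand-ins; the real 10001-byte Irok body and its hash are not given on the page, so the hash constant is an assumption.

```python
"""Added example, not part of the original write-up: restoring the host
program behind a prepending worm.  A prepender writes its own body in
front of the host, so the host is the file minus the first body_len bytes.
The worm body, hosts and file names below are constructed stand-ins; the
real Irok body and its hash are not given on the page."""
import hashlib

SAMPLE_BODY = (bytes(range(256)) * 40)[:10001]      # constructed, 10001 bytes
SAMPLE_BODY_SHA256 = hashlib.sha256(SAMPLE_BODY).hexdigest()
SAMPLE_HOST = b'MZ' + b'\x90' * 200 + b'original program\x00'  # constructed .EXE
INFECTED = SAMPLE_BODY + SAMPLE_HOST

def strip_prepended_body(data, body_len, body_sha256):
    """Return the bytes following the worm body if `data` starts with the
    known body (checked by length and SHA-256), otherwise None.  The hash
    check matters: stripping a fixed number of bytes from a file that is
    not actually infected would destroy it."""
    if len(data) <= body_len:
        return None
    if hashlib.sha256(data[:body_len]).hexdigest() != body_sha256:
        return None
    return data[body_len:]

def looks_like_exe(data):
    """Cheap sanity check for a DOS/Windows .EXE: the 'MZ' header."""
    return data[:2] == b'MZ'

def classify(name, data, body_len=len(SAMPLE_BODY), body_sha256=SAMPLE_BODY_SHA256):
    """Classify one file and return (status, cleaned_bytes_or_None):
    'not-infected'  -- known body not found at the start of the file
    'restored'      -- body stripped, host passes the .EXE sanity check
    'damaged'       -- body found but what follows is not a valid host;
                       the write-up says Irok is known to corrupt its host,
                       so such files must come back from backup."""
    host = strip_prepended_body(data, body_len, body_sha256)
    if host is None:
        return 'not-infected', data
    if name.lower().endswith('.exe') and not looks_like_exe(host):
        return 'damaged', None
    return 'restored', host

def clean_file_set(files, body_len=len(SAMPLE_BODY), body_sha256=SAMPLE_BODY_SHA256):
    """Run classify() over a {name: bytes} mapping; returns {name: status}."""
    return {name: classify(name, data, body_len, body_sha256)[0]
            for name, data in files.items()}

if __name__ == '__main__':
    sample = {                                   # constructed file set
        'CALC.EXE': INFECTED,
        'NOTEPAD.EXE': SAMPLE_HOST,
        'BROKEN.EXE': SAMPLE_BODY + b'\x00' * 64,
    }
    for name, status in clean_file_set(sample).items():
        print(f'{name}: {status}')
```

The .COM case gets no header check because a .COM file has none; for those, the hash match on the prefix is the only evidence, which is one more reason to prefer restoring from backup when one exists.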
Norton AntiVirus users can protect themselves from this virus by downloading the current virus definitions either through LiveUpdate or from the following Web site:
http://www.symantec.com/avcenter/download.html
Write-up by: Edric Ta
Updated: April 17, 2000
69.Istanbul.1349
Aliases:
Infection length: 1,349 to 1,357 bytes
Area of infection: .COM, .EXE files
Likelihood: Common
Region reported: UK, Poland
Characteristics: Wild, memory-resident,
trigger
Target platform: DOS
Trigger date: December 21, 2000
Description:
The Istanbul virus is a rather simple .COM and .EXE file infector with one interesting characteristic. When the virus goes to infect a file and the system date matches the trigger date (December 21, 2000): if the file is not already infected, the virus does not spread to it; if the file is already infected, the virus first issues a system beep via the PC speaker and then removes itself from the infected file.
When viewed with a hex editor, infected files contain the following text:
P.u.P Anti-Virus?? Written in the city of Istanbul (c)1993
Installed
70.J&M
Aliases: Jimi, Jimmy, Ha, Hasita
Infection length: 512 bytes
Area of infection: Master boot record,
floppy boot sector
Likelihood: Common
Region reported: Hong Kong, Slovakia, Norway,
USA, Israel, Hungary, Iceland, Romania, UK, Sweden, Finland, Poland, Czech
Republic, Japan
Characteristics: Wild, memory-resident,
encrypting, trigger
Target platform: DOS
Trigger date: November 15 (any year)
Description:
The J&M virus is a moderately complex virus that infects the master boot record of hard disks and the boot sector of floppy disks. Besides having a destructive payload routine, this virus uses encryption in an attempt to hide its own code.
When the payload activates on November 15, the virus enters an infinite loop and formats the first track of the first hard drive.
On hard disks, the virus stores a copy of the original master boot record at physical location cylinder 0, side 0, sector 6. On floppy disks, the original boot sector is stored at cylinder 0, side 1, sector 14.
71.Jan1st20.exe Virus Hoax
Aliases: None
Area of Infection: Hoax
Likelihood: Common
Region Reported: Europe, Africa
Characteristics: Hoax
Description
The following message has been sent out by email. It is a hoax. This "virus" does not exist.
Attached to this hoax message is a joke program, which vertically flips the image on your computer screen when executed. The attached file is called JAN1ST20.EXE and is 4,128 bytes in length. The file's PKZIP CRC-32 value is 0x6bc4c900.
The hoax message includes the following "warning":
Guys if u get this mail and your eyes are all
funny Thats cause u are infected with the Year
2000 Virus!!!! BE AFRAID!!! BE VERY AFRAID!!!
Please ignore any messages regarding this "hoax" and do not pass on any messages regarding it. Passing on messages about this hoax serves only to further propagate it.
Write-up by: Eric Chien
August 26, 1999
72.JavaApp.BeanHive
VirusName: JavaApp.BeanHive
Aliases: BeanHive
Area of Infection: Java applets, Java applications
Likelihood: Rare
Target Platform: All platforms that support Java
Target Date: None
Description:
The BeanHive virus was discovered on Jan 8, 1999
and is the second known Java virus ever developed. While this virus attempts
to use a number of interesting new technologies to spread itself, it functions
incorrectly under many circumstances and is not likely to constitute a
threat to users. This paper describes the intended functionality of the
BeanHive virus.
This virus was designed to infect both Java applets and Java applications. Java applets are Java programs that can be posted on World Wide Web sites and run during ordinary web surfing. Java applications are stand-alone programs written in Java, typically run on desktop PCs. Because Java applications are used infrequently, the rest of this paper limits its discussion to the virus and its effects on Java applets.
When a user follows a link to a web site that contains one or more Java applets, these applets are downloaded to the surfer's computer and executed by the Java virtual machine inside a sandbox. The sandbox lets the applet run while protecting the user's computer from any accidental or malicious activity by the applet. Specifically, it prevents applets from accessing local files, the Registry and other components of the user's computer. These security features have made Java one of the safest ways to get interactive content over the web.
While the Java sandbox affords great security to users, it also prevents Java applets from performing many useful tasks. For instance, if someone wanted to build a Java applet that legitimately searched the files on the user's computer, this applet would immediately be terminated for violating the sandbox's security policy. The designers of Java recognized that many useful applets would be difficult to build under this security model and decided to allow the protection to be loosened.
If specifically designed to do so, a Java applet can make a request of the Java virtual machine for greater access to the system, for instance access to the local files on the computer. When it makes such a request, the user's web browser informs the user and lets them either grant or deny it. The BeanHive virus uses this technique to obtain access to the user's local files; this is the first distinguishing characteristic of the virus. The first Java virus, Strange Brew, attempted to infect files on the user's computer without properly requesting access and consequently failed to work in the Java virtual machine as an applet.
The BeanHive virus is also noteworthy because it is one of the few viruses that has its logic distributed across many files. In contrast, most computer viruses are entirely self-contained; when they infect a new file, all of the virus's replication logic is copied from the old file into the new file. The virus author placed seven of the nine files that comprise this virus in an archive file (called either BeanHive.JAR or BeanHive.CAB; the JAR file is used with Netscape Navigator, the CAB file with Internet Explorer).
A user can catch this virus by surfing to a designated web page on the virus author's web-site; when the user reaches this page, the entire JAR (or CAB) file, which contains seven of the virus modules, is automatically downloaded to the user's computer. The virus' main Java component (called BeanHiveFrame.class) then runs on the user's computer within the Java virtual machine. This component first makes a request to obtain access to the local system (as described above). If the user decides to disallow this action, the virus will fail to work and will immediately be terminated. However, if the user decides to grant access to the virus, it continues to run. It is important to note that if the user grants access to the virus, they are essentially granting access to any and all Java programs written by the virus author! (For more information on this, you can search the world wide web for Java code signing.)
After obtaining access, the virus will pop-up a standard dialog box and allow the user to choose a Java file which they would like to infect with the virus. Clearly, this main Java module was intended as a demonstration; most viruses do not allow users to select which files are to be infected. Furthermore, this main Java module is only used to deliver the virus to the user's computer. It is never used again by the virus. In anti-virus lingo, this main Java module is called a virus dropper because it "drops" the virus onto the host computer and is not used during subsequent infections.
After the user selects a file to infect, the virus will employ four additional Java modules contained in the JAR (or CAB) file to infect the suspect file. The first module (called e89a763c.class) contains the main virus infection routine. It contains logic to examine a target Java program and determine whether or not it is suitable for infection by the virus. If this module determines that the selected Java file is appropriate for infection, it calls upon three other Java modules ( c8f67b45.class, dc98e742.class and be93a29f.class) to infect the target Java program. Each of these three files work together to insert the eighth component of the BeanHive virus into the target Java file. At this point, the target Java program has been modified to contain a small subset of the virus' logic. The virus also updates the target Java program so that when the user runs it, the virus logic will execute first, followed by the program's original logic.
If and when the user runs the just-infected Java program, the virus immediately takes control. The virus code in the infected file contains very simple logic: it only attempts to locate the ninth and final component of the virus (a file called BeanHive.class) and run it. The virus author has dubbed this ninth viral component the Queen. This file is not contained in the BeanHive.JAR (or BeanHive.CAB) archive and is nowhere to be found on the user's computer the first time the virus runs. The virus first attempts to locate this file on the user's system and consequently fails. Next, the virus attempts to locate and download this file over the World Wide Web.
If the infected Java program finds the BeanHive.class file, it immediately downloads and runs it. The BeanHive.class module contains the logic to search the user's current directory for additional Java files to infect. It will attempt to find and infect up to three Java program files before returning control to the host program. This BeanHive.class module employs the same four virus modules used during the original infection: e89a763c.class, c8f67b45.class, dc98e742.class and be93a29f.class. Once again, the BeanHive.class module will call upon these four modules to insert the eighth component of the infection into subsequent Java program files. If these subsequent infections are to spread, they again require both the BeanHive.class component and all components contained in the BeanHive.JAR (BeanHive.CAB) file to be present on the user's computer. If an infected Java file is sent by itself to another computer, or if the other eight components of the BeanHive virus are deleted from the computer, the infected file will be wholly unable to spread on its own.
During extensive testing at the Symantec AntiVirus Research Center, Symantec researchers were unable to make this virus work properly. It contains numerous bugs, which prevent it from properly spreading. Consequently, we do not consider this virus a threat to corporate or home users. Nevertheless, users should not experiment with this virus as it can cause damage to Java files and potentially open other security holes.
New virus definitions for Norton AntiVirus that support detection of this virus will be posted on Jan 28, 1999.
Write-up by: Carey Nachenberg
January 22, 1999
74.Jerusalem.1244
Aliases: 1244
Infection length: 1,244 bytes
Area of infection: Command, .COM, .EXE
files
Likelihood: Common
Region reported: UK, Italy, USA
Characteristics: Wild, memory-resident
Target platform: DOS
Trigger date: None
Description:
The Jerusalem.1244 virus is a rather simple .COM and .EXE file infecting virus that will also infect the Command.com file; it does not, however, specifically target Command.com for infection.
75.Jerusalem.1808
Aliases: 1813, Arab Star, Friday 13th,
Hebrew University, Israeli, PLO, Russian
Infection length: 1808 bytes (.EXE files),
1813 bytes (.COM files)
Area of infection: .COM files, .EXE files
Likelihood: Common
Region reported: Eastern Asia, Europe,
U.S.A., Peru, Japan
Characteristics: Wild, memory resident,
triggered event
Target platform: DOS
Trigger date: Every Friday the 13th
Description:
Jerusalem.1808 is a virus that becomes active
every Friday the 13th. Once active, Jerusalem.1808 deletes any program
run on that day. Thirty minutes after the first deletion, the computer
slows down and the screen scrolls up two lines.
76.Jerusalem.Zero_Time.Aust
Aliases: Slow
Infection length: 1,721 bytes in .COM files
and 1,716 bytes in .EXE files
Area of infection: .COM, .EXE files
Likelihood: Common
Region reported: UK, Portugal, Australia,
USA, Japan
Characteristics: Wild, memory-resident,
encrypting
Target platform: DOS
Trigger date: None
Description:
The Jerusalem.Zero_Time.Aust virus is a simple memory-resident .COM and .EXE infecting virus. Besides using encryption within the body of the virus, it does nothing more than replicate.
77.John Kennedy Jr Trojan Hoax
Hoax Name: John Kennedy Jr Trojan
Infection Length: Hoax
Area of Infection: Hoax
Likelihood: Hoax
Region Reported: Hoax
Characteristics: Hoax
Target Platform: Hoax
Target Date: Hoax
Description
The following message has been sent out by email. It is a hoax. This "virus" does not exist.
The hoax message includes the following "warning":
DEAR COLLEAGUES ......
ATTENTION!!!!
BE VERY CAREFUL!!!!
A SCREEN SAVER ENTITLED...
"JOHN KENNEDY JR'S LAPTOP" IS CIRCULATING ON THE INTERNET. DO NOT OPEN IT
UNDER ANY CIRCUMSTANCES.
WHEN YOU OPEN THIS FILE, YOUR DESKTOP
LOOKS LIKE AN AQUARIUM. AT THAT MOMENT,
A
VERY DANGEROUS TROJAN IS BEING
INSTALLED SO THAT
ON 01/01/2000 YOUR COMPUTER WILL BE
COMPLETELY
FORMATTED.
DO NOT OPEN THIS FILE UNDER ANY CIRCUMSTANCES!!!!!!!!!
Please ignore any messages regarding this "hoax" and do not pass on any messages regarding it. Passing on messages about this hoax serves only to further propagate it.
Write-up by: Motoaki Yamamura
Dec 20, 1999
78.Join the Crew
Aliases: Hoax
Infection length: Hoax
Area of infection: Hoax
Likelihood: Hoax
Region reported: Online
Characteristics: Hoax
Target platform: Hoax
Trigger date: Hoax
Description:
Join the Crew is not a virus. It is a hoax. The
"virus" does not exist. There is currently no virus that has the characteristics
ascribed to "Join the Crew." It is a sham, meant only to panic new or inexperienced
computer users.
The hoax message includes the following "warning" seen in multiple forms:
Form 1
If you ever get an e-mail titled "JOIN THE CREW", do not open it because it will wipe everything on your hard disk. This is the newest virus not many people know about it. So e-mail it to everyone you know!!!!!!
Form 2
Please do not open up any mail that has this title. It will erase your whole hard drive. This is a new e-mail virus and not a lot of people know about it, just let everyone know, so they won't be a victim. Please forward this e-mail to your friends!!! Remember the title: JOIN THE CREW
Form 3
We have just had notice of an E:Mail virus doing the rounds. Apparently the virus is so new most virus checkers do not recognise it. If you receive an E:Mail titled 'JOIN THE CREW' do not open it as it will:
1. Delete your hard-disk
2. Delete your E:Mail directories
3. The nastiest part is that before deleting
your E:Mail directories it copies the message/virus and forwards it to
everyone on your directory
If your techies haven't already warned you it
might be worth letting your colleagues know.
Form 4
VIRUS WARNING !!!!!!!
If you receive an email titled "JOIN THE CREW" DO NOT open it. It will erase everything on your hard drive. Forward this letter out to as many people as you can. This is a new, very
malicious virus and not many people know about it. This information was announced yesterday morning from IBM; please share it with everyone that might access the internet. Once again, pass this along to EVERYONE in your address book so that this may be stopped. Also, do not open or even look at any mail that says "RETURNED OR UNABLE TO DELIVER." This virus will attach itself to your computer components and render them useless. Immediately delete any mail items that say this. AOL has said that this is a very dangerous virus and that there is NO remedy for it at this time. Please practice cautionary measures and forward this to all your online friends ASAP.
Form 5
VIRUS ALERT!!!!! VERY IMPORTANT !!!!
if you receive an e-mail titled..JOIN THE CREW/for
PENPALS, DO NOT open it! It will erase EVERYTHING on your hard drive!
Send this letter out to as many people as you
can. This is a new virus and not many people know about it!
This information was received this morning by
IBM, Please share it with anyone that might access the internet!!
PENPAL appears to be a friendly letter asking you if you are interested in a penpal, but by the time you read this letter it is TOO late.
The Trojan horse virus will have already infected the boot sector of your hard drive, destroying all the data present. It is a self-replicating virus, and once the message is read it will AUTOMATICALLY forward itself to anyone whose e-mail address is present in your box! This virus will destroy your hard drive and whose mail is in your box and whose mail is in their box and so on and on!
So delete any message titled PENPAL or JOIN THE
CREW. This virus can do major DAMAGE to worldwide networks!
PLEASE PASS THIS ALONG TO ALL YOUR FRIENDS AND
PEOPLE IN YOUR MAILBOXES.
AOL HAS SAID THIS IS A VERY DANGEROUS VIRUS AND
THERE IS NO REMEDY FOR THIS.
FORWARD IT TO ALL YOUR ON-LINE FRIENDS A.S.A.P.!
Please ignore any messages regarding this "virus" and do not pass on any messages regarding it. Passing on messages about this hoax serves only to further propagate it
79.Joke.Doh
Detected as: Joke.Doh
Aliases: Joke.Small, NE_Small.Joke
Likelihood: Common
Characteristics: Joke
Description
This program is NOT a virus and will not perform any malicious actions on your computer. This program is a "joke program." Joke programs attempt to display something humorous or pretend to perform a malicious action.
When run, this program will display the message:
Windows has detected that you may suffer
from having a small penis.
Is this correct?
The message box shows "Yes" and "No" buttons; however, the user is forced to click "Yes".
After clicking "Yes", a black window with the text
SMALL PENIS ALERT
is displayed. To close this window, click on the close window button (the "X") in the upper right hand corner.
The Symantec AntiVirus Research Center (SARC)
has decided not to detect Joke Programs due to overwhelming customer requests.
Such programs are NOT malicious and detecting them only leads to unnecessary
alerting of the computer user. Detecting non-malicious programs such as
joke programs can cause users to believe they have run or received a dangerous
program when in fact they have not. SARC recommends deleting such programs.
Write-up by: Eric C. Chien
Nov 5, 1999
80.Joke.Idioma
Detected as: Joke.Idioma
Likelihood: Common
Characteristics: Joke
Description
This program is NOT a virus and will not perform malicious actions on your computer. This program is a "joke program." Joke programs attempt to display something humorous or pretend to perform a malicious action.
The Symantec AntiVirus Research Center (SARC)
has decided not to detect Joke Programs due to overwhelming customer requests.
Such programs are NOT malicious and detecting them only leads to unnecessary
alerting of the computer user. Detecting non-malicious programs such as
joke programs can cause users to believe they have run or received a dangerous
program when in fact they have not. SARC recommends simply deleting such
programs.
Write-up by: Eric C. Chien
Nov 5, 1999
81.Joker
Aliases: Joke, Jocker, Wabik
Infection length: 11,000 bytes
Area of infection: .EXE files
Likelihood: Rare
Region reported: Poland
Characteristics: Encrypting
Target platform: DOS
Trigger date: None
Description:
Joker is an overwriting file infector.
When it infects a file, Joker overwrites the original program with its own
code instead of preserving the original contents. Because the original code
is destroyed, an infected file cannot be repaired; it must be deleted and
replaced from a clean copy. Joker randomly displays joke error messages.
Sample messages displayed are:
You have water in your co-processor
Hard drive has been destroyed
82.Joshi
Aliases: Happy Birthday Joshi, Stealth
Virus
Infection length: 512 bytes
Area of infection: Floppy boot sectors,
master boot records
Likelihood: Common
Region reported: U.S.A., India, Africa,
Europe, South America, Australia, Japan, Taiwan
Characteristics: Wild, memory resident,
encrypting, triggered event
Target platform: DOS
Trigger date: January 5
Description:
Joshi is a virus that displays the following
message if the infected computer is booted on January 5 of any year:
type Happy Birthday Joshi
It then halts the computer. The system continues
normally if the user responds appropriately and enters the following:
Happy Birthday Joshi
If not, the system hangs. Joshi can survive a
warm boot (Ctrl+Alt+Del). To clear the virus from memory, the user must
shut the system down (power off) or use the Reset button. Joshi stores
infectious code to side 0, track 0, sectors 2 through 6. The original master
boot record is copied to side 0, track 0, sector 9.
83.Jumper
Aliases: 2kb, EE, French Boot, Neuville,
Sillybob, Touche
Infection length: 512 bytes
Area of infection: Floppy boot sectors,
master boot records
Likelihood: Common
Region reported: Europe, U.S.A., South
America, Japan
Characteristics: Wild, memory resident
Target platform: DOS
Trigger date: None
Description:
Jumper is a fairly generic master boot record
and floppy boot sector infector. It becomes resident, but does not destroy
anything intentionally. Jumper is highly prolific in Europe.
84.Junkie
Aliases: Junkie-1027
Infection length: 1039 bytes
Area of infection: .COM files, floppy boot
sectors, master boot records
Likelihood: Common
Region reported: Worldwide
Characteristics: Wild, multipartite, memory
resident, encrypting
Target platform: DOS
Trigger date: None
Description:
Junkie is a virus that infects .COM files, the
DOS boot sector on floppies, and the master boot record (MBR) on the first
physical hard disk (drive 80h, the C: drive). The file form of Junkie does
not become memory-resident. It simply checks the MBR or floppy boot sector
for infection. If the sector is not infected, the virus infects the drive
and returns control to the infected host file. The file form of the virus
also contains code to target and remove the anti-virus TSR (VSafe), shipped
with MS-DOS 6.x, from memory. The virus code is two sectors in length and
reserves 3K of memory. Thus, on a 640k machine, MEM would report 637K and
CHKDSK would report 652,288 bytes of free memory.
The virus body is stored and encrypted on 2 sectors, starting at side 0, cylinder 0, sector 4 of the hard drive.
When the system is booted from an infected drive, Junkie loads into the top of memory and decrypts itself. From memory the virus infects .COM files as they are executed or loaded. It contains code to bypass virus monitoring software.
Infected files grow by a variable length just over 1K. Since Junkie has neither intermediate nor advanced stealth capability, file growth is clearly visible. File times and dates are not changed.
Junkie contains two messages, which are encrypted along with the virus body and thus not visible in files or disk sectors.
They are, however, visible in memory:
Dr White - Sweden 1994
Junkie Virus - Written in Malmo
The virus decryptor is not polymorphic. It does contain four variable data bytes, forming two 16-bit words: one is the offset at which decryption starts, the other is the decryption key.
85.K2PS.EXE Trojan
VirusName: K2PS.EXE Trojan
Aliases: Trojan Horse, TX-500
Infection Length: 7680 bytes
Region Reported: Japan
Characteristics: Trojan, Steals Password
Description:
K2PS.EXE is a Trojan Horse that was distributed
as an email attachment named "K2PS.EXE" to users of Fujitsu's
InfoWeb Internet service in Japan. The email claimed that a new virus
called TX-500 had recently been discovered, that the attachment was an antivirus
program to eradicate it, and that users should run it on
their systems. The attachment was not an antivirus program of any sort.
K2PS.EXE is a malicious Trojan Horse program designed to steal the computer's dial-up
networking password information and secretly send it to an email account
in Japan. Once the creator of this trojan has received this information,
it is possible to take over the user's Internet account, access the user's
email, run up the Internet access bill and even change the password of
the Internet account. If you received and executed this
file, it is important to change the passwords of all the dial-up networking
accounts on your computer.
More Information:
1) K2PS.EXE is a 32-bit Windows executable designed to work under Windows 95/98. It will not work under Windows NT because of the specific API it uses to retrieve the password information.
2) When the file is executed, it will copy itself to the "WINDOWS\SYSTEM" directory.
3) The following registry key is modified so that the K2PS.EXE program executes automatically every time Windows starts: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
4) When Windows is re-launched, the K2PS.EXE program will automatically execute and a hidden file called K2PS.CFG will be created in the \WINDOWS\SYSTEM directory.
5) If you are connected to the Internet, the trojan automatically connects to an email server in Brazil and tries to send the dial-up information from the computer, including login name and password. The mail-sending script is not visible as plain text inside the executable because it has been obfuscated with a simple rotate-right ("ROR") transformation.
6) The information is sent to a "free mail" email user account in Japan with the email address of "back@trynet.co.jp", so it is difficult to trace the owner of the email account.
Manual Removal of the Trojan:
If you have not executed K2PS.EXE, simply delete the file. If you have executed it, follow these steps to clean up your system.
1) Delete the K2PS.EXE attachment from wherever it was saved.
2) Delete the copy of K2PS.EXE from the \WINDOWS\SYSTEM directory.
3) Delete a hidden file called K2PS.CFG from \WINDOWS\SYSTEM directory. You will have to change the "hidden" attribute to delete the file by using a command such as "attrib -hr k2ps.cfg".
4) Use regedit.exe to delete the following value under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run: K2ps.tasks (data: C:\WINDOWS\SYSTEM\K2PS.EXE)
5) Lastly and most importantly, change your password for all of the dialup network accounts you have registered on your computer. If you do not know how to change your password for the dialup network accounts, you should contact the support center of your Internet provider.
Norton AntiVirus users can protect themselves from this trojan by downloading the current virus definitions either through LiveUpdate or from the following web page: http://www.symantec.com/avcenter/download.html
Write-up by: Motoaki Yamamura
Updated: May 12, 1999
86. Kampana
Aliases: Anti-Tel, Campana, Drug, Holo, Holocaust, Holokausto, Kampana Boot, Spanish Telecom, Spanish Trojan, Telecom, Telecom PT1, Telefonica, Telephonica
Infection length: 512 bytes
Area of infection: Floppy boot sectors, master boot records
Likelihood: Common
Region reported: U.S.A., Europe, Russia, Japan
Characteristics: Wild, memory resident, stealthing, polymorphic, encrypting, triggered event
Target platform: DOS
Trigger date: None
Description:
Kampana is a boot virus that infects the DOS boot sector of floppy disks and the master boot record (MBR) of the first hard drive (80h). The boot virus code is two sectors in length and reserves 1K of memory by modifying the available-memory word at 40:13. Thus, on a 640K machine, CHKDSK would report 654,336 bytes of free memory.
On the hard drive, the second virus sector and the original MBR are stored on physical sectors six and seven of the infected drive. On floppy disks, the virus stores the second virus sector and the original DOS boot sector in the last two sectors of the root directory. Unlike Stoned, Kampana very methodically calculates the correct sectors for floppy disks ranging from 160K to 1.44 MB. If Kampana is active in memory, the virus sectors and the original MBR sector are all stealthed on the hard drive. Floppy disk sectors are not stealthed.
Kampana is often classified as multipartite, meaning that it infects both program files and boot sectors. However, this is not strictly correct. Kampana is a stealth boot virus that does not infect files, but it is dropped by a file virus. For example, the file virus strain Kampana.3700 infects .COM files and drops the Kampana boot sector virus. The Kampana boot virus, in turn, does not infect .COM files, as true multipartite viruses do. Moreover, the Kampana file virus is not at all common, while the Kampana boot sector virus is very common.
Each time an infected hard drive is booted, a counter is incremented. When the counter reaches 401, the virus triggers. The virus then overwrites all sectors on the first and second hard disks with garbage. As each head on each drive is overwritten, the following message (encrypted on the disk and in memory) is displayed:
Campana Anti-TELEFONICA (Barcelona)
The original Kampana file virus contains more encrypted text that credits a Grupo Holokausto in Barcelona, Spain with programming the virus, and gives a date of 23-8-90 along with a copyright notice. A message in the virus also demands lower phone rates and more service.
Kampana.3445 has three known strains:
Kampana.3445 - Drops the Kampana boot virus.
Kampana.3770 - Uses polymorphic technology and drops the Kampana boot virus.
Kampana.3784 - Drops the Kampana boot virus.
87. Kaos4.697
Aliases:
Infection length: 697 bytes
Area of infection: .COM, .EXE files
Likelihood: Common
Region reported: USA, Poland, South Africa
Characteristics: Wild
Target platform: DOS
Trigger date: None
Description:
Upon execution of an infected file, the virus searches out and infects the first uninfected .COM file and the first uninfected .EXE file that it finds in the current working directory. If the virus does not find an uninfected .EXE or .COM file in the current working directory, it searches the directories listed in the system's PATH= statement for such a file to infect.
Infected files contain the following ASCII strings:
KAOS4 / Köhntark
88. Karnivali.1971
Aliases:
Infection length: 512 bytes in DOS boot sector / 2,002 bytes in .EXE files
Area of infection: Hard disk boot record, .EXE files
Likelihood: Common
Region reported: UK, USA
Characteristics: Wild, memory-resident, multipartite
Target platform: DOS
Trigger date: None
Description:
The Karnivali.1971 virus is a simple multipartite virus that infects both the hard disk boot record and .EXE files. It uses an undocumented system call in an attempt to bypass the CPAV antivirus program, and does nothing more than replicate.
Because it has no stealth code, infected files are easy to spot using the DIR command: the increase in file size is noticeable, and the file's date/time stamp is changed to the current system date/time.
90. Kill98.Trojan
This trojan has been distributed in illegal copies of Windows 98. The trojan is disguised as INSTALAR.EXE and has a file size of 5,682 bytes. Once the trojan is activated, it copies itself to C:\KEYB.EXE. The trojan then copies C:\Windows\Command\KEYB.COM to SORT.COM. The next time the machine is rebooted, the trojan makes another copy of itself as C:\Windows\Command\KEYB.EXE. It then redirects any call to KEYB.COM to use SORT.COM instead, and uses a Spanish keyboard map.
Also known as: Trojan.Kill_Inst98, Trojan Horse
Category: TROJAN
Infection length: 5682 Bytes
Virus definitions: January 6, 2000
Threat assessment:
Damage: LOW
Distribution: LOW
Wild: LOW
Wild
Number of infections: 1
Number of sites: 1
Geographical distribution: 1
Threat containment: High
Removal: Easy
Damage
Payload: Once the computer clock rolls over to the year 2000, the trojan calls a routine to delete all files from the infected computer's C drive.
Deletes files: All files on computer's C drive.
Distribution
Name of attachment: INSTALAR.EXE
Size of attachment: 5682 bytes
Target of infection: Computer's C drive
Removal:
Infected users should delete all files detected as "Kill98.Trojan" and rename:
C:\Windows\Command\SORT.COM
to its original file name of
C:\Windows\Command\KEYB.COM
Write-up by: Andy Cianciotto
Dec 31, 1999
91. Let's Watch TV
Hoax Name: Let's Watch TV
Aliases: None
Region Reported: Email
Description
The following message has been sent out by email. It is a hoax. This "virus" does not exist.
The hoax message includes the following "warning":
OFFICIAL IBM VIRUS WARNING.
PASS THIS ON TO ANYONE YOU HAVE AN E-MAIL ADDRESS FOR.
***** THIS IS NO JOKE - PAY ATTENTION: ********
If you receive an email titled "Lets watch TV" DO NOT OPEN IT. It will erase everything on your hard drive. This information was announced yesterday morning from IBM; AOL states that "KALI" is a very dangerous virus, much worse than "Melissa," and that there is NO remedy for it at this time. Some very sick individual has succeeded in using the reformat function from Norton Utilities causing it to completely erase all documents on the hard drive. It has been designed to work with Netscape Navigator and Microsoft Internet Explorer. It destroys Macintosh and IBM compatible computers. This is a new, very malicious virus and not many people know about it. Pass this warning along to EVERYONE in your address book and please share it with all your online friends ASAP so that this threat may be stopped. Please practice cautionary measures and tell anyone that may have access to your computer.
Forward this warning to everyone that might access the Internet.
Please ignore any messages regarding this "hoax" and do not pass on any messages regarding it. Passing on messages about this hoax serves only to further propagate it.
Write-up by: Patrick Martin
Feb 8, 2000
92. Liberty.2857.A
Aliases: Mystic, Magic
Infection length: 2,865 bytes to 2,873 bytes
Area of infection: .COM, .EXE files
Likelihood: Common
Region reported: USA, Colombia
Characteristics: Wild, memory-resident
Target platform: DOS
Trigger date: None
Description:
This virus is a simple memory-resident .COM and .EXE file infector that does nothing more than replicate. Because it has no stealth code, infected files are easy to spot using the DIR command: the increase in file size is noticeable, and the file's date/time stamp is changed to the current system date/time.
Contained within the virus body is the following encrypted text (this text is never displayed):
Liberty
- M Y S T I C -
COPYRIGHT © 1989-2000, by SsAsMsUsEsL
92. Little_Red.1465
Aliases: Red Book, Mao
Infection length: 1,465 bytes
Area of infection: COMMAND.COM, .COM, .EXE files
Likelihood: Common
Region reported: USA, UK, Iceland, India, Poland, Japan, Germany, South Africa
Characteristics: Wild, memory-resident, encryption, size stealthing, trigger
Target platform: DOS
Trigger date: Any December 16th or September 9th after the year 1994
Description:
The Little_Red virus is a .COM and .EXE file infector that specifically targets the COMMAND.COM file and encrypts itself when storing its code within a file. While the virus is active in memory, it spreads to other files whenever a file is executed or a DIR command is issued. In the case of the DIR command, all the files in the current working directory become infected.
To hide itself from the user, the virus uses size stealthing whenever the DIR command is issued.
On December 16th or September 9th of any year later than 1994, the virus triggers at a random time and plays a song.
93. Londhouse Virus Hoax
Aliases: AltaVista
Infection Length: Hoax
Likelihood: Hoax
Region Reported: EMail
Characteristics: Hoax
Target Platform: Hoax
Target Date: Hoax
Description:
This "virus" does not exist.
The "Londhouse" virus is a complete hoax. The "virus" does not exist. There is currently no virus that has the characteristics ascribed to "Londhouse." It is a sham, meant only to panic new or inexperienced computer users.
The message includes the following "warning:"
I've just got news which are very important if you use Altavista search engine. The computers which control Altavistas files has got virus infection. The virus has got the name "Londhouse" and it's very dangerous. So don't use the Altavista because it's a very big possibility that you get virus infection to your own computer. You have to understand how big risk this is to everybody who use the internet. Please, warn your friends about this risk.
Today interfax news by editor Jhon Karlson.
Internationale interfax office: [[address and numbers removed]]
Please ignore any messages regarding this "virus" and do not pass on any messages regarding it. Passing on messages about this hoax serves only to further propagate it.
94. Lump of Coal Virus Hoax
Aliases: None
Known Variants: Hoax
Infection Length: Hoax
Area of Infection: Hoax
Likelihood: Hoax
Region Reported: Email
Characteristics: Hoax
Description:
The following message has been sent out by email. It is a hoax. This "virus" does not exist.
The hoax message includes the following "warning":
Warning on December 25, 1999 you may receive an email called, Lump of Coal...Don't open it, it contains a deadly virus...it will erase Windows along with many other program files. Pass this on as soon as you can to get the WORD out!!! This is not a hoax....this was reported on the CBS morning news August 20,1999.
Please ignore any messages regarding this "hoax" and do not pass on any messages regarding it. Passing on messages about this hoax serves only to further propagate it.
Write-up by: Motoaki Yamamura
Sept 7, 1999
95. L'amour.3420
Detected as: L'amour.3420
Aliases:
Area of Infection: .EXE Files
Characteristics: Memory Resident, Encrypting, Polymorphic
No additional information.
96. Lamer_Surprize (Gen1)
Detected as: Lamer_Surprize (Gen1)
Aliases:
Area of Infection: .EXE Files
Characteristics: Memory Resident, Encrypting, Polymorphic
No additional information.
97. Lazarus.1457 (2)
Detected as: Lazarus.1457 (2)
Aliases:
Area of Infection: .COM Files, .EXE Files
Characteristics: Memory Resident
No additional information.
98. Leonard.1179
Detected as: Leonard.1179
Aliases:
Area of Infection: .COM Files, .EXE Files
Characteristics: Memory Resident, Encrypting, Wild
This virus loads itself into memory and appends its code to .COM and .EXE files as they are executed. It contains the text "(c) Leonard. Constanta, Romania".
99. Leprosy.6820 (2)
Detected as: Leprosy.6820 (2)
Aliases:
Area of Infection: .COM Files, .EXE Files, .SYS Files
Characteristics:
No additional information.
100. MacMag
Aliases: Aldus, Brandow, Drew, Peace
Infection length: N/A
Area of infection: System files
Likelihood: Common
Region reported: Unknown
Characteristics: Wild, HyperCard
Target platform: Macintosh
Trigger date: None
Description:
MacMag is a rare virus that originated in a HyperCard stack. It displays a message of universal peace when triggered, and after displaying the message, the virus deletes itself. Discovered in December 1987 in a HyperCard stack called "New Apple Products," MacMag infects System files only. Although MacMag is apparently not designed to be malicious, infected systems can display a variety of problems. Infection spreads either from the original HyperCard stack ("New Apple Products") or from contact with an infected system.
101. Melissa
March 26, 1999
Information and Protection for W97M.Mailissa.A released.
Full detection and repair is available for the W97M.Mailissa.A (W97M.Melissa.A) virus. Norton AntiVirus users can receive this protection through LiveUpdate, or by visiting the Symantec AntiVirus Research Center (SARC) download page.
March 29, 1999
X97M.Papa.A.Intended
A new Excel macro worm called X97M.Papa.A.Intended was posted in an Internet newsgroup; it was intended to deliver a payload similar to that of W97M.Melissa.A. Analysis of the worm determined that it is non-functional. SARC has created detection and repair for X97M.Papa.A.Intended and has also implemented variant detection for this worm. This is especially important because, although this worm is non-functional, a functional version may be released in the future.
W97M.Ping.A
Another macro virus was found in the Internet newsgroup today. This virus has no similarities to W97M.Melissa.A or X97M.Papa.A.Intended other than having been found in the same Internet newsgroup on the same day. SARC has created detection and repair for W97M.Ping.A and has also implemented variant detection for this virus.
W97M.Melissa.A
SARC has renamed the W97M.Mailissa.A virus to W97M.Melissa.A to conform with AV naming standards.
SARC has posted new virus definitions for all antivirus products supported by Symantec.
Norton AntiVirus product line
Norton AntiVirus for Macintosh product line
Symantec AntiVirus for Macintosh product line
LanDesk Virus Protection product line
Symantec-IBM AntiVirus product line
The latest virus definitions, posted on March 30, 1999, support detection and repair of all these new viruses. The new virus definitions can be downloaded via LiveUpdate or obtained from the Symantec AntiVirus Research Center (SARC) download page.
April 9, 1999
W97M.Melissa.Intended
A new variant of W97M.Melissa was discovered. Variants of this kind are unable to infect, but can still execute their payload of sending out 50 e-mails. You can detect and repair these variants with the new virus definitions posted on April 8, 1999.
Norton AntiVirus Command Line Scanner
The Symantec AntiVirus Research Center is providing a free Command Line Scanner to detect and repair the W97M.Melissa.A, X97M.Papa.A, and W97M.Ping.A viruses. It is available from the SARC download page.
Symantec AntiVirus Research Center (SARC)
SARC is the industry's largest dedicated team of virus experts. With offices located in the United States, Japan, Australia, and the Netherlands, the sun never sets on SARC. The center's mission is to provide swift, global responses to computer virus threats, proactively research and develop technologies that eliminate such threats, and educate the public on safe computing practices. As new computer viruses appear, SARC develops identification and detection for these viruses, and provides either a repair or delete operation, thus keeping users protected against the latest virus threats.
102. Matrix Virus Hoax
Aliases: Hoax
Infection Length: Hoax
Area of Infection: Hoax
Likelihood: Hoax
Region Reported: Email
Characteristics: Hoax
Description:
The following message has been sent out by email. It is a hoax. This "virus" does not exist.
The hoax message includes the following "warning":
VIRUS ALERT
Read On This Maybe Another Hit !!
Virus name: MATRIX_99.MTX triggered on every PC on the 4th Sep starting this year. DELETE immediately if u rec'd an e-mail that looks like this:
Subject: "Believe The Unbelievable - Win a Nokia handphone 8110i"
Content: as follows.
A Nokia 8110i Matrix model is yours if your are THE ONE. How to be THE ONE? You are 3 steps away from being THE ONE.
First - Click on this site http://www.matrix.com
Secondly - Answer 5 simple questions
Thirdly - Wait n See, we will send a notification email if you are THE ONE.
-------------------------------------------------
HOW THE VIRUS WORK
Once you open the email above, it will infect your Boot Sector Memory and lay low in there while infecting any EXE and INI files you open scan. It will first download itself to your window 95 system register so that each time you load your PC, this virus will be upload again to your Memory Boot Sector. It will infect your files by coding itself into your files which will make your files an extra 124bytes larger than it suppose to be. It also using 'STEALTH' technic to hide from any resent virus utilities. On every FRIDAY, the virus will decode into smaller fractions and encode again to a new virus coding. Therefore it's hard to know what coding was this virus actually use, hence creating an anti-virus for this one is a bit IMPOSSIBLE.
DESTRUCTIVE LOAD
On every 4th Sept starting this year, exactly at 12am, each virus in every effected files in your PC will decode into smaller fraction and it will combine all together and encode again into 1 single virus and program itself into a file name 'Matrix.mtx'. Each individual virus is 124bytes in size, therefore it will only infected a max of 20 files making the original virus 'Matrix.mtx' is a 2480bytes in size. This file is actually the original virus which in unknown to anyone until 4th Sept 1999. Therefore, not until 4th Sept 1999, there is no cure for this virus. Once Matric.mtx created, the virus will start by disfunctioning your mouse and keyboard driver. It will delete your system files and it will delete all partitions you have created. Making your PC unbootable and in another word your harddisk will no longer exist. The only CURE you have later is by formating your harddisk. It can never infect thru CD-ROM and FLOPPY DISK. What is the MATRIX? , is a big question which we will only know on the 4th Sept 1999.
Please ignore any messages regarding this "hoax" and do not pass on any messages regarding it. Passing on messages about this hoax serves only to further propagate it.
Write-up by: Motoaki Yamamura
August 31, 1999
103. MOBILE PHONE Virus Hoax
Name: MOBILE PHONE Virus Hoax
Aliases: none
Known Variants: Hoax
Infection Length: Hoax
Area of Infection: Hoax
Likelihood: Hoax
Region Reported: email
Keys: Hoax
Description
This information is a hoax and should be ignored.
Sample of hoax message:
Dear all mobile phone's owners,
ATTENTION!!!
NOW THERE IS A VIRUS ON MOBILE PHONE SYSTEM..
All mobile phone in DIGITAL system can be infected by this virus..If you receive a phone call and your phone display "UNAVAILABLE" on the screen (for most of digital mobile phones with a function to display in-coming call telephone number), DON'T ANSWER THE CALL. END THE CALL IMMEDIATELY!!!BECAUSE IF YOU ANSWER THE CALL, YOUR PHONE WILL BE INFECTED BY THIS VIRUS.. This virus will erase all IMIE and IMSI information from both your phone and your SIM card which will make your phone unable to connect with the telephone network. You will have to buy a new phone.
This information has been confirmed by both Motorola and Nokia..
For more information, please visit Motorola or Nokia web sites: http://www.mot.com or http://www.nokia.com
There are over 3 million mobile phone being infected by this virus in USA now. You can also check this news in CNN web site: http://www.cnn.com..
Please forward this information to all your friends who have digital mobile phones..
Please ignore any messages regarding this "hoax" and do not pass on any messages regarding it. Passing on messages about this hoax serves only to further propagate it.
Write-up by: Motoaki Yamamura
Updated: May 18, 1999
104. Millennium Time Bomb
VirusName: Millennium Time Bomb
Aliases: Year 2000, Y2K, Millennium Bug
Infection Length: Hoax
Likelihood: Hoax
Region Reported: Email
Target Platform: Hoax
Target Date: Hoax
Symantec firmly believes that the Year 2000 issue is very serious, but it has nothing to do with computer viruses or the hoax message provided below. The message outlined below is overstated and inflammatory regarding Year 2000 issues. This hoax alert was posted specifically to counter the virus warning included in the body of the message and is not meant to imply that Symantec doesn't support fixing potential Year 2000 problems.
Description:
Millennium Time Bomb is not a virus. It is a hoax. The "virus" does not exist. There is currently no virus that has the characteristics ascribed to Millennium Time Bomb.
The hoax message includes the following "warning":
We've got a problem. It may be the BIGGEST PROBLEM the modern world has ever faced. After January 1, 2000, most of the world's mainframe computers will either SHUT DOWN or begin spewing out BAD DATA, along with most of the world's desktop PCs. Millions of pre-programmed computer chips will begin to shut down the systems they automatically control. This will create a NIGHTMARE for every area of life in every region of the industrialized world. It's called the Year 2000 (Y2K) problem, or the Millennium Bug, or the Millennium Time Bomb. It's a date-code TIME-BOMB VIRUS built into embedded chips over 30 years ago by programmers saving memory, and now UNALTERABLY set to go off January 1, 2000.
Think what would happen if the following areas go down and stay down for months or even years: BANKS; RAILROADS; AIRLINES; POWER GRID; TELEPHONE LINES; MILITARY COMMUNICATIONS; FINANCIAL MARKETS. Consider Social Security, Medicare and Welfare. If they go down it will affect millions of people. Yet these programs are at risk.
Is it REALLY possible that this could happen? It's FAR MORE than merely possible. One of America's senior mainframe computer programmers believes that SERIOUS DISRUPTIONS are very likely, and WARNS programmers that it may soon be TIME TO QUIT their big city jobs and head for safer places. If the exodus of programmers begins, there will be NO SOLUTION for the Y2K problem by 2000.
Months before January 1, 2000, the world's stock markets will have CRASHED. Who would leave their money in the bank if the bank's computer is not 2000 compliant, and therefore not reliable? A worldwide RUN ON BANKS will create havoc in the investment markets. People who have placed their retirement hopes in stocks and mutual funds will see their DREAMS VANISH. If the banking system closes down because their mainframe computers have shut down, how reliable will stocks and mutual funds be? How will you ever get paid? How will your employer get paid? How will governments get paid?
Our first response when hearing about this problem is DENIAL. Most people will stay in denial, including the business managers of companies whose responsibility it is to get the problem fixed. Everyone in authority will DENY that time has run out to get the problem fixed, right up until December 31, 1999. They are PAID to deny this. The facts are that it CANNOT be fixed, and the Time-Bomb Virus will bite us. The debate now is how hard, and what you are to do about it.
The Y2K problem is the most important problem ever faced by Western civilization, yet it is not taken seriously. Why? Because people do not want to consider the consequences of a COLLAPSE of the social division of labor, which is the basis of our wealth. In the cities, it's the basis of our VERY LIVES. The social division of labor depends on the existence of a payment system, or money, and money is computerized. If computers become untrustworthy, there will be a worldwide RUN on banks NEVER SEEN BEFORE. Not even during the Great Depression.
DON'T COUNT on governments to save the day. Their worldwide strategy is to talk the problem to death, form committees, and send out PR sheets that they make it--without any evidence.
Anyone who says that Y2K is not a big problem needs to understand just how many systems are at risk. That is the purpose of a COMPREHENSIVE REPORT now available to be sent to you. Not to bury you in information, but to give you a sense of the MAGNITUDE of the problem. The domino effect of a computer-driven breakdown in supply delivery systems, through failure of the electronic means of payment, will be HUGE. You will need to evaluate your own personal vulnerability and make serious decisions, including the hardest one of all--to assess your geographic situation such that it may require relocation to a safer area.
This report will save you HOURS of searching the Internet, and WEEKS of compiling all the information into an equivalent document that is as comprehensive and organized. It covers ALL ASPECTS of the Y2K problem and what to do NOW to protect yourself and your family. The cost is just $10, plus $3 for shipping. For your copy, send $13 cash, check or money order to:
[address deleted]
Your report will be sent to you by first-class mail. Take action now--TIME IS RUNNING OUT.
Please ignore any messages regarding this "virus" and do not pass on any messages regarding it. Passing on messages about this hoax serves only to further propagate it.
105. Mirea.1788
Aliases: Lyceum.1778, Ly
Infection length: 1,788 bytes
Area of infection: COMMAND.COM, .COM, .EXE files
Likelihood: Common
Region reported: Israel, Russia, Peru
Characteristics: Wild, memory-resident, trigger, size stealth
Target platform: DOS
Trigger date: 30 minutes of no keyboard activity
Description:
Mirea.1778 is a memory-resident virus that infects .COM and .EXE files as they are executed (run), opened, or have their file attributes changed. It uses size stealthing to hide itself: after a file has been infected, the change in file size is not visible to the user when a DIR command is issued. The virus also checks the name of each file it is about to infect and does not infect files whose names start with the characters AI.
Once the virus is active in memory, it waits for a period of 30 minutes with no keyboard activity. At the end of the inactivity period it displays unreadable text in a box with white borders and a red background, centered on the screen. The box disappears after the next keystroke.
106. Music_Bug
Aliases: Music Boot
Infection length: 512 bytes
Area of infection: Boot sectors
Likelihood: Common
Region reported: U.S.A.
Characteristics: Wild, memory resident, triggered event
Target platform: DOS
Trigger date: Four months after infection
Description:
Music_Bug is a virus that lies dormant for four months after infection. During this dormancy period, it still infects floppy disks. After four months, Music_Bug activates and plays a random tune when a floppy disk is accessed.
The infected areas contain the following text:
MusicBug v1.06 MacroSoft Corp. -- Made in Taiwan --
107. Mosaic
Aliases: None
Infection length: Trojan horse
Area of infection: Trojan horse application
Likelihood: Common
Region reported: Unknown
Characteristics: Wild, trojan horse
Target platform: Macintosh
Trigger date: None
Description:
Mosaic is a trojan horse that can destroy the directory structure of any disks mounted while it is run.
Mosaic is a non-infectious, self-contained application program that claims to paint pictures but instead destroys the directory of any disks mounted when it is opened.
108. Mr. D
Aliases: None
Infection length: 1,441 bytes
Area of infection: .COM files, .EXE files
Likelihood: Common
Region reported: Unknown
Characteristics: Wild, memory resident
Target platform: DOS
Trigger date: None
Description:
Mr. D is a virus that changes the infected program's time and date stamp to the date and time of infection. Mr. D does little more than replicate itself. The following text can be found within the viral code:
Mr. D
109. NASTYFRIEND99 Virus Hoax
VirusName: NASTYFRIEND99 Virus Hoax
Aliases: none
Known Variants: Hoax
Infection Length: Hoax
Area of Infection: Hoax
Likelihood: Hoax
Region Reported: Email
Keys: Hoax
Description:
This information is a hoax and should be ignored.
Sample of hoax message:
Well, just another virus warning... Better be safe than sorrie.
C Copyrighted By the WinTerGaL
ATTENTION VIRUS NASTYFRIEND99
There is a new virus which will be infecting computers on may 15.
This virus will take all your email contacts and icq contacts and sent to those contacts.
Please forward this email to everyone you know and do not open any email with the subject "HI MY FRIEND!!!"
Please ignore any messages regarding this "hoax" and do not pass on any messages regarding it. Passing on messages about this hoax serves only to further propagate it.
Write-up by: Motoaki Yamamura
Updated: May 10, 1999
110 Neuroquila
Aliases: Havoc, Wedding
Infection length: 4644 bytes
Area of infection: .EXE files, master boot
records, floppy boot sectors
Likelihood: Common
Region reported: UK. U.S.A.
Characteristics: Wild, multipartite, memory
resident, full stealthing, encrypting, polymorphic, triggered event
Target platform: DOS
Trigger date: Three months or more after
infection
Description:
Neuroquila is an extremely infectious, highly
polymorphic virus. After hooking Interrupt 13 and Interrupt 21, it becomes
resident in High Memory Areas (HMA). The polymorphic routine used is based
on the current system date and time.
Infected host files drop the virus to the master boot record (MBR) and become memory resident, hooking Interrupt 13. Neuroquila encrypts the original MBR, partition table, and its own viral code, storing them on the first physical drive on side 0, track 0, sectors 7 through 16. To read the real partition (and see the drive), the Neuroquila must be active in memory. If the user boots from a virus-free floppy disk, thus avoiding the virus, the hard drive is not accessible by normal means. In addition, Neuroquila encrypts the hard drive boot sector, although it does not move it. The MBR, boot sector, and infected host files are fully stealthed when the virus is active in memory.
Host file infection size increases according to the following formula:
infection size = 4675 - ((file_size + 4) mod 32)
Therefore, the resulting increase in host size is between 4644 and 4675 bytes. Three months or more after infection, and after some disk usage, Neuroquila displays the following text:
by Neurobasher Germany '93/Germany -GRIPPED-BY-FEAR-UNTIL-DEATH-US-DO-PART-
Neuroquila specifically targets the ThunderByte anti-virus package. If it determines that the disk monitoring features are enabled, it attempts to disable them. It even goes so far as to alter some of the inoculation information stored by ThunderByte. In addition, the virus contains references to Central Point Anti-Virus integrity files.
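Added here as a worked example, not code from the encyclopedia entry: a short Python routine that evaluates the Neuroquila infection-size formula above, confirms the stated 4644 to 4675 byte range, and derives a consequence the entry does not spell out, namely that every host infected by this routine ends up with a size congruent to 31 mod 32, which a scanner can use as a cheap (and on its own inconclusive) pre-filter. The function names are my own; the only input is the formula as printed.

```python
# Added example (not from the virus encyclopedia): size arithmetic for the
# Neuroquila host-file infection, derived from the formula given in the entry:
#     infection size = 4675 - ((file_size + 4) mod 32)

INFECTION_MIN = 4644
INFECTION_MAX = 4675


def neuroquila_infection_size(file_size):
    """Number of bytes Neuroquila appends to a host file of the given size."""
    if file_size < 0:
        raise ValueError("file size must be non-negative")
    return 4675 - ((file_size + 4) % 32)


def infected_size(file_size):
    """Size of the host after infection."""
    return file_size + neuroquila_infection_size(file_size)


def infection_size_range():
    """Min and max growth across all 32 residues of (file_size + 4) mod 32.
    Confirms the range the entry states: (4644, 4675)."""
    sizes = [neuroquila_infection_size(n) for n in range(32)]
    return min(sizes), max(sizes)


def size_consistent_with_neuroquila(observed_size):
    """Triage heuristic derived from the formula. Writing file_size + 4 = 32q + r,
    the infected size is (32q + r - 4) + 4675 - r = 32q + 4671, and 4671 mod 32
    is 31. So every host infected by this routine has a size congruent to
    31 mod 32. A size that fails this test cannot have come from this routine;
    one that passes is only a weak hint (one clean file in 32 has that residue
    too) and needs a real scan."""
    return observed_size % 32 == 31


def candidate_original_sizes(observed_size):
    """All original host sizes that would grow to observed_size under the
    formula (useful when reconciling a file's size against a backup)."""
    low = max(0, observed_size - INFECTION_MAX)
    high = observed_size - INFECTION_MIN
    return [s for s in range(low, high + 1) if infected_size(s) == observed_size]


if __name__ == "__main__":
    print("growth range:", infection_size_range())
    print("1000-byte host becomes", infected_size(1000), "bytes")
    print("5663 passes residue test:", size_consistent_with_neuroquila(5663))
```

Because the appended size cancels the residue of (file_size + 4) mod 32, the padding aligns every infected host to the same residue class; that is the whole reason the growth varies between 4644 and 4675 bytes rather than being a constant.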
111 Nomenklatura
Aliases: 1024-B, Nomen
Infection length: 1,024 bytes
Area of infection: .COM, .EXE files
Likelihood: Common
Region reported: UK, Finland
Characteristics: Wild, memory-resident
Target platform: DOS
Trigger date: None
Description:
The Nomenklatura virus is a simple memory-resident, .COM and .EXE infecting virus that intentionally causes damage (the corruption of data) by making modifications to the File Allocation Table (FAT).
Contained within the body of this virus is the following text:
Nomenklatura
112 Norman Virus Hoax
Hoax Name: Norman Virus Hoax
Aliases: None
Infection Length: Hoax
Area of Infection: Hoax
Likelihood: Hoax
Region Reported: Germany, Email
Characteristics: Hoax, Norman AntiVirus
Description:
The following hoax is being distributed via e-mail. Attached to the letter is a non-malicious program: a known clean client for the Distributed.Net project. The attached file is NOT an update for the program Norman AntiVirus, as stated in the letter.
In addition, a group known as Norman AntiVirus Research Center does not exist. The letter is a spoof on Norton AntiVirus and the Symantec AntiVirus Research Center. More information on the Distributed.Net project may be found at http://www.distributed.net.
Please do not forward this letter, as this will only propagate the hoax. In addition, Symantec does NOT recommend running the attached file in accordance with safe computing practices. Symantec will not send non-requested attachments. Legitimate copies of the Distributed.Net program may be found on Distributed.Net's website and copies of Symantec software may always be found at http://www.symantec.com.
Sample of the 'hoax' message:
From: Norman AntiVirus Cop. [mailto:norton@mhs.ch]
Sent: Saturday, 24 July 1999 21:47
To: Internet users
Subject: Use Norman Antivirus free for 365 days!!
Dear Internet user,
With this e-mail and the attached file you have the opportunity to use NormanAntivirus with the latest virus updates free of charge for one year. You may also forward this file, but only together with the complete e-mail!
This special version checks whether an older version is already installed and, in that case, copies only the new updates.
Every week the NARC researchers examine more than 150 potential viruses that they find on the Internet or that users from all over the world send to them. On average about half of them turn out to be more or less dangerous viruses, roughly ten percent of which were previously unknown. Within 48 hours at most, every suspicious file is analyzed and identified, and the submitter receives instructions on how to fight the intruder.
Norman has been engaged in researching and combating computer viruses since the mid-1980s and founded the first Norman AntiVirus Research Center (NARC) in the USA in 1989. Today the research laboratory employs more than 30 staff and has an annual budget of more than four million dollars.
Norman has made it its mission, with NARC branches in the USA, Australia, Japan and the Netherlands, to track down, analyze and document known and new viruses around the clock and worldwide, and to provide the corresponding countermeasures. Norman immediately incorporates the technologies and new virus definitions developed in the process into Norman AntiVirus, thereby making them available worldwide to the more than 17 million users of Norman AntiVirus software today.
System requirements
Windows NT 4.0 Workstation, Windows 95/98
IBM PC or 100% compatible
Windows NT 4.0: 16 MB RAM (32 MB RAM recommended)
Windows 95/98: 8 MB RAM (16 MB recommended)
24 MB free hard disk space
CD-ROM drive
Isolates infected files
With the quarantine function, files infected with a virus can be safely isolated. These files can then be stored either locally or centrally on a "quarantine" server without being able to cause further damage. The user or system administrator can then forward these files to the NARC for closer examination.
Direct support from the Norman AntiVirus Research Center (NARC)
If a virus has been detected that cannot be neutralized, or a file is suspected of having been infected by a virus, the file can simply be submitted to the NARC. If the NARC determines that it is a new, unknown virus, the NARC staff will create a new virus definition and immediately send it back to the submitter so that this virus can be successfully combated.
Micro virus definitions
With these new kinds of virus definitions, only the latest virus information is transferred via UpdateNow. It is not necessary to download the complete virus definitions every time. This saves time and communication costs. These virus definitions are available weekly.
Protection against malicious program code
Norman AntiVirus now also protects against malicious ActiveX, Java applets and Trojan horses.
Always current virus definitions with UpdateNow
Offers the fastest and easiest way to keep virus definitions up to date. For this, the latest virus definitions and program updates are downloaded over the Internet free of charge for 1 year and installed automatically. With an average of 10-15 new viruses per day, current virus definitions are of crucial importance for protecting the computer.
Heuristic Bloodhound technology
Detects a new, unknown virus with the help of a technology based on heuristics. Bloodhound, a form of artificial intelligence, is a revolutionary method that is not based on traditional virus definitions but analyzes the entire structure, the instructions and other information of the file. On the basis of this analysis, Norman AntiVirus then identifies files that, according to the information obtained, most likely contain a virus.
Support for the most important compression formats
In addition to zip files, further compression standards are now supported: MIME/UU, HTTP, LHA/LZH, ARJ, CAB, PKLite, LZEXE.
Protection against macro viruses
The fastest-growing number of new viruses today are macro viruses. Through modern communication such as e-mail, they spread worldwide very quickly. Norman AntiVirus 5.0 successfully protects the computer against macro viruses.
AutoProtect directly in the background
AutoProtect automatically protects the computer in the background against virus infection. All files that can contain viruses are checked. These include files attached to e-mails, files downloaded from the Internet, files from network drives, etc ...
Please ignore any messages regarding this "hoax" and do not pass on any messages regarding it. Passing on messages about this hoax serves only to further propagate it.
Write-up by: Eric Chien
August 5th, 1999
113 Norton anti-virus v5 Hoax
VirusName: Norton anti-virus v5
Aliases: navsupp
Infection Length: Hoax
Area of Infection: Hoax
Likelihood: Hoax
Region Reported: newsgroup (alt.comp.virus)
Characteristics: Hoax
Target Platform: Hoax
Target Date: Hoax
On January 3, 1999, the following information was posted to the alt.comp.virus newsgroup on the Internet. This information is a hoax and should be ignored.
There is a problem with the version of Norton anti-virus v5 available for download from the Symantec site, when purchasing on-line you receive an electronic license certificate, this is then used to release the anti-virus program from the ziplock elc container,
With some .elc files this does not happen correctly and the scanner gets damaged, although it will still seem to work o.k. the scanner will not detect virus such as back orifice, cookie, cap and satan, For more information e-mail navsupp@yahoo.com our temporary e-mail technical support service (its just while we upgrade our servers) and state your name and when you purchased the product on-line.
Please ignore any messages regarding this "hoax" and do not pass on any messages regarding it. Passing on messages about this hoax serves only to further propagate it.
Write-up by: Motoaki Yamamura
Date of write-up: January 5, 1999
114 November_17th.800.A
Aliases: Jan1, Int83.800, BigMouse, November, 800
Infection length: 800 bytes
Area of infection: .COM, .EXE files
Likelihood: Common
Region reported: USA, Hungary, Italy
Characteristics: Wild, memory-resident, trigger
Target platform: DOS
Trigger date: November 17 through November 30 of any year
Description:
The November_17th.800.A virus is a rather simple .COM and .EXE file infector that infects files as they are executed, opened, or have their file attributes changed. This virus contains a routine that prevents it from infecting any file named SCAN or CLEAN, system files, and .COM files larger than 60,000 bytes.
When the virus activates, it will overwrite the first 8 sectors of the current drive. Contained within the body of this virus is the following text:
SCAN
CLEAN
COMEXE
115 NVP Trojan
Aliases: New Look
Infection length: Trojan horse
Area of infection: System file
Likelihood: Common
Region reported: Unknown
Characteristics: Wild, trojan horse
Target platform: Macintosh
Trigger date: None
Description:
NVP Trojan is a trojan horse virus discovered in December 1994. NVP Trojan modifies the System file so that, when text is typed, vowels (a, e, i, o, and u) do not appear.
NVP Trojan was first encountered masquerading as a program called “New Look,” which lets users redesign their display. Under System 7, NVP Trojan modifies the System file so that, after the next restart, users cannot type vowels. Except for this mischievous behavior, existing files are not damaged. Under System 6, the System file is modified, but typing is not affected.
116 nVIR
Aliases: None
Infection length: N/A
Area of infection: System, Finder, applications
Likelihood: Common
Region reported: Unknown
Characteristics: Wild
Target platform: Macintosh
Trigger date: None
Description:
nVIR is probably the most prolific and highly infectious of all Macintosh viruses. nVIR has two basic strains, A and B, and nine known variants (clones). It first appeared in Europe in 1987.
When nVIR finds its way into a Macintosh computer through an infected application, it normally infects the System file first. Once the computer is infected, nVIR becomes memory-resident every time the computer starts up, infecting any applications it comes in contact with.
To announce its presence, after every eight to sixteen restarts (or after four to eight infected application launches), nVIR causes the system to beep. At least one known strain of nVIR can use the MacinTalk sound driver (MacinTalk is a software-based speech synthesizer) and, instead of beeping, speak the words “Don't panic.”
117 NYB
Aliases: B1
Infection length: 512 bytes
Area of infection: Floppy boot sectors, master boot records
Likelihood: Common
Region reported: Hong Kong, U.S.A., Europe, Russia, South America, India, Canada, Japan, South Africa
Characteristics: Wild, memory resident, stealthing
Target platform: DOS
Trigger date: None
Description:
NYB is a simple virus that infects master boot records (MBRs) and DOS boot sectors (DBSs). NYB spreads to a system only when there is an attempt to boot the system from an infected floppy disk.
During the boot process, NYB loads the MBR into memory and checks for infection. After determining that the MBR is not infected, NYB stores the non-infected MBR at cylinder 0, side 0, sector 17 on the hard disk. NYB then places its virus code into the MBR and writes the infected MBR back to the hard drive at cylinder 0, side 0, sector 1.
Once the boot process is complete and the NYB virus is active in memory, the virus displays its stealthing capabilities by redirecting any disk reads of the infected MBR or DBS to their clean counterpart. (On floppy disks, the original DBS is stored in the last sector of the root directory.)
NYB is highly prolific.
118 One_Half
Aliases: Dis, Free Love, One_half, One Half.3544
Infection length: 3544 bytes (files) and 512 bytes (MBR)
Area of infection: .COM files, master boot records
Likelihood: Common
Region reported: Europe, U.S.A., India, Mexico, Hong Kong, Israel, South Africa, South America, Taiwan
Characteristics: Wild, multipartite, memory resident, stealthing, encrypting, polymorphic, triggered event
Target platform: DOS
Trigger date: None
Description:
One_Half is an advanced multipartite virus. It infects the master boot record (MBR) on the first physical hard disk (drive 80h, the C: drive) and .EXE and .COM files. One_Half uses stealth techniques to hide the MBR infection and polymorphic techniques to make file detection and removal difficult to impossible. When the virus is in memory, a clean copy of the MBR is displayed and the infection size is hidden when files are listed.
The MBR infection routine is rather generic. After initial infection, One_Half uses the last eight sectors of side 0, track 0 to store its additional infection code and a clean copy of the MBR and partition table. A major concern is that One_Half slowly encrypts any hard drive that it infects. When an infected hard drive is cold booted, One_Half encrypts two cylinders at the end of the hard drive with an XOR routine and a random key (it does not encrypt the diagnostic cylinder). Each successive cold boot from the hard drive results in two more cylinders becoming encrypted. These encrypted cylinders are available to the user only as long as One_Half remains in memory. When it has encrypted approximately one-half of the hard drive, One_Half displays the following message:
Dis is one half.
Press any key to continue...
One_Half poses a significant problem for anti-virus programs that use generic repair or inoculation techniques. Although a generic repair successfully removes One_Half from an infected MBR, all data in the encrypted areas is lost. For example, running FDISK /MBR removes the virus, but all data in the encrypted area of the drive is lost.
One_Half only infects files with a .COM or .EXE extension. During the file infection routine, One_Half first scans the filename for text strings relating to anti-virus software. If it finds SCAN, CLEAN, FINDVIRU, GUARD, NOD, VSAFE, or MSAV in the filename, it does not infect. If infection is successful, One_Half inserts portions of itself at random points within the host file and appends the bulk of the encrypted infectious code.
One_Half appears to be generally compatible with most versions of DOS and Windows 3.1. Some Windows configurations do not load when One_Half is in memory.
119 Ontario
Aliases: 1024 SBC, SBC, Ontario_II, 1024
Infection length: 512 bytes, 1024 bytes (depending on strain)
Area of infection: .COM files, .EXE files
Likelihood: Common
Region reported: Canada, U.S.A., Australia
Characteristics: Wild, memory resident, encrypting, polymorphic
Target platform: DOS
Trigger date: None
Description:
Ontario is a virus that uses encryption to hinder detection and removal (it toggles a bit in the decryption routine). Infection size of .EXE files is between 512 and 1024 bytes.
Ontario.1024 is identical to Ontario.512, except that stealthing techniques are added. Printing problems have been reported when this virus is in memory.
120 O97M.Tristate
Aliases: O97M.Triplicate
Infection Length: one VBA5 module (and one AutoShape in MS PowerPoint)
Area of Infection: MS Word 97, MS Excel 97, MS PowerPoint 97 files
Likelihood: Common
Region Reported: US
Characteristics: Macro
Description:
Creating a macro virus that can cross-infect different MS Office 97 applications (MS Word, MS Excel, MS Access, or MS PowerPoint) is becoming trendy among virus writers. Fortunately, most of these viruses never go in the wild. O97M.Tristate is another MS Office 97 macro virus of this type that has been found in the wild. Symantec AntiVirus Research Center has recently received a report of an O97M.Tristate infection through our Scan & Deliver system.
O97M.Tristate infects MS Word 97 documents, MS Excel 97 spreadsheets, and MS PowerPoint slides. The infection routine in each MS Office application is triggered differently, as described in detail in the following paragraphs.
From an infected MS Word 97 document:
Similar to W97M.Class, the virus does not add a new Visual Basic for Applications (VBA) module but inserts its viral code into the default VBA module "ThisDocument". The following viral routine is activated upon closing an infected MS Word document:
Crossing to MS Excel:
If there is no "BOOK1. " file in the MS Excel startup directory (usually XLSTART), it turns off MS Excel macro virus protection (can be found in Tools-Option-General). Then, it creates a viral workbook "BOOK1. " in the MS Excel startup directory.
Crossing to MS PowerPoint:
If there is no "Triplicate" module in the "Blank Presentation.POT" PowerPoint template (usually in the TEMPLATES directory), it turns off MS PowerPoint macro virus protection (can be found in Tools-Option-General). Then, it adds a viral module "Triplicate" into "Blank Presentation.POT" and a basic AutoShape object that covers the entire slide. The viral module is "linked" to the AutoShape object.
Re-infecting the MS Word document being closed, if necessary:
If "ThisDocument" of the document being closed does not match what the virus expects, the virus replaces the content of the "ThisDocument" module with its viral code. Thus, the user's VBA code in the "ThisDocument" module will be replaced by the viral code.
From an infected MS Excel 97 spreadsheet:
The virus does not add a new Visual Basic for Applications (VBA) module but inserts its viral code into the default VBA module "ThisWorkbook". The following viral routine is activated when the infected workbook is deactivated (as when editing another workbook or opening a new one):
Crossing to MS Word:
If there is no "BOOK1. " file in the MS Excel startup directory (usually XLSTART), it turns off MS Excel and MS PowerPoint macro virus protection (can be found in Tools-Option-General). Then, the virus replaces the content of the MS Word Normal Template's (usually NORMAL.DOT) "ThisDocument" with its viral code. Thus, the user's VBA code in the Normal Template's "ThisDocument" module will be replaced by the viral code.
Crossing to MS PowerPoint:
If there is no "BOOK1. " file in the MS Excel startup directory (usually XLSTART), and there is no "Triplicate" module in the "Blank Presentation.POT" PowerPoint template (usually in the TEMPLATES directory), it adds a viral module "Triplicate" into "Blank Presentation.POT" and a basic AutoShape object that covers the entire slide. The viral module is "linked" to the AutoShape object.
Re-infecting the MS Excel spreadsheet being closed, if necessary:
If "ThisWorkbook" of the active spreadsheet does not match what the virus expects, the virus inserts its viral code into the "ThisWorkbook" module.
From an infected MS PowerPoint 97 presentation:
In an MS PowerPoint slide, the virus adds a new Visual Basic for Applications (VBA) module named "Triplicate". With a 1/7 chance, the following viral routine is activated when an infected slide is clicked in slide show view:
Crossing to MS Word:
If there is no "BOOK1. " file in the MS Excel startup directory (usually XLSTART), it turns off MS Excel and MS PowerPoint macro virus protection (can be found in Tools-Option-General). Then, the virus replaces the content of the MS Word Normal Template's (usually NORMAL.DOT) "ThisDocument" with its viral code. Thus, the user's VBA code in the Normal Template's "ThisDocument" module will be replaced by the viral code.
Crossing to MS Excel:
If there is no "BOOK1. " file in the MS Excel startup directory (usually XLSTART), it turns off MS Excel macro virus protection (can be found in Tools-Option-General). Then, it creates a viral workbook "BOOK1. " in the MS Excel startup directory.
Re-infecting the MS PowerPoint template if necessary:
If there is no "BOOK1. " file in the MS Excel startup directory (usually XLSTART), and there is no "Triplicate" module in the "Blank Presentation.POT" PowerPoint template (usually in the TEMPLATES directory), it adds a viral module "Triplicate" into "Blank Presentation.POT" and a basic AutoShape object that covers the entire slide. The viral module is "linked" to the AutoShape object.
In MS PowerPoint, the virus does not directly infect a PowerPoint slide. It simply infects the "Blank Presentation.POT" template. Once the template is infected, every new PowerPoint slide that is based on this "Blank Presentation" template has the viral module and AutoShape in it.
Infected MS Word Document Repair Notes:
In an infected MS Word document or template, the virus has already replaced any previously written VBA code in the "ThisDocument" module. Although Norton AntiVirus (NAV)'s repair removes the viral code from the "ThisDocument" module, it is not possible to restore the overwritten VBA code.
MS PowerPoint Blank Presentation Template File:
You also need to scan and repair "Blank Presentation.POT". This file is usually in the TEMPLATES directory of Microsoft Office. You may need to turn on ALL-FILE scanning in the NAV Options.
Norton AntiVirus users can protect themselves from this virus by downloading the current virus definitions either through LiveUpdate or from the following webpage:
121 O97M.Shiver.A
VirusName: O97M.Shiver.A
Aliases: W97M/X97M.Shiver.A
Known Variants: A, B
Infection Length: one to two VBA5 modules
Area of Infection: Microsoft Word and Excel documents
Likelihood: rare
Region Reported: none
Keys: Macro
Description:
The basic set of modules is:
Module1
Macro1
Sentry
It contains several sub-functions to intercept the MS Word and MS Excel menus:
AutoOpen
AutoExec
AutoExit
ToolsMacro
ToolsOptions
FileTemplates
ViewVBCode
Auto_Open
Auto_Close
The infection mechanism is rather similar to O97M.Teocatl. AutoOpen performs the infection in MS Word, while Auto_Open performs the infection in MS Excel. The other sub-functions simply intercept the MS Word and MS Excel menus without doing anything. The cross-infection routine works as described below.
While exiting from MS Word, the virus checks whether MS Excel is running. If MS Excel is not running, it minimizes MS Word, deletes PERSONAL.XLS from the XLSTART directory, and loads MS Excel in a minimized state. This is quite noticeable on slower systems, since both MS Word and MS Excel are shown in the taskbar while the virus does its cross-infection routine. The virus then creates a Macro1 module in a new PERSONAL.XLS.
Similarly, while closing an infected MS Excel file, it checks whether MS Word is running, loads MS Word in a minimized state, and creates Module1 in NORMAL.DOT.
Payload:
One of the variants randomly modifies the MS Word command bar caption or creates and loads a text file named SISTER.DLL. In MS Excel it adds a comment to a randomly selected range of cells.
Write-up by: Raul K. Elnitiarta
September 3, 1998
122 O97M.Teocatl
VirusName: O97M.Teocatl
Aliases: StrangeDays
Known Variants: A
Infection Length: 1 VBA5 Module
Area of Infection: Microsoft Word and Excel documents
Likelihood: rare
Region Reported: None
Keys: Macro
Description:
The basic set of VBA5 modules is:
StrangeDays
It contains several sub-functions to intercept the MS Word and MS Excel menus:
AutoClose
AutoOpen
AutoExit
ToolsMacro
ToolsOptions
FileTemplates
ViewVBCode
Auto_Open
AutoClose and AutoExit do the infection in MS Word, while Auto_Open does the infection in MS Excel. The others simply intercept the MS Word and MS Excel menus without doing anything. The infection routine works as follows:
While closing an infected MS Word document, the virus deletes PERSONAL.XLS from MS Excel 97's XLSTART directory. Then, it creates an infected PERSONAL.XLS in the XLSTART directory. The virus infects MS Word Global Template and document on closing a document or exiting from MS Word.
The infection in MS Excel is pretty obvious since PERSONAL.XLS is not hidden. After launching MS Excel, a user can see PERSONAL.XLS being opened. Opening any Excel spreadsheet will trigger the infection routine. This time, the virus deletes existing NORMAL.DOT from MSOFFICE\TEMPLATE directory. Then, it creates an infected NORMAL.DOT in TEMPLATE directory.
Since both MS Word and MS Excel use VBA5 in MS Office 97, this virus is able to use one VBA5 module to infect both MS Word 97 and MS Excel 97 files.
Payload:
On the 26th of the month, it deletes all files from the current directory and displays a message box, "Strange Days by Reptile/29A":
Strange days have found us
Strange days have tracked us down
They're going to destroy...
Write-up by: Raul K. Elnitiarta
June 14, 1998
123 Pandemic Computer Virus Hoax
VirusName: Pandemic Computer Virus Hoax
Aliases: None
Infection Length: Hoax
Area of Infection: Hoax
Likelihood: Hoax
Region Reported: Email
Characteristics: Hoax
Target Platform: Hoax
Target Date: Hoax
Description:
This information is a hoax and should be ignored.
Sample of hoax message:
Pandemic Computer Virus Discovered
(A ZDNet Exclusive)
April 4 Cupertino, CA
Yesterday, the anti-virus programming group at Symantec, the Cupertino California-based maker of the Norton brand of anti-virus software, announced the discovery of a unique computer virus which, though extremely widespread, has managed to elude detection for more than three years.
Most computer viruses clandestinely reproduce on a host computer or computer network, and then destroy data or cause performance irregularities. According to Symantec's anti-virus experts, this previously unknown breed of virus, christened "Microshaft" by its creator, wreaks havoc by mimicking the Microsoft Windows 95 and Windows 98 operating systems. News of the virus has rocked the computer industry in Silicon Valley. Emergency meetings of top executives and programmers were convened yesterday at leading industry firms here and around the world. Since most personal computers are pre-installed with the Windows operating system, it is possible that tens of millions of computers have been infected. "The genius of the virus' creators is truly amazing," said a visibly exhausted Chuck Wagner, senior programmer in charge of the anti-virus lab at Symantec. "This is the first virus ever found "in the wild" which is capable of mimicking all the major functions of an operating system, and that's why nobody caught it until now. It's extremely sophisticated, and almost impossible to pin down. But if you've experienced crashes, disk errors and data loss, or have had problems installing new hardware devices, you've probably got it."
It seems that in August of 1995 a security breach of unprecedented gravity occurred at the Redmond, Washington-based Microsoft Corporation. As the debut version of Windows 95 was being prepared for public release, Microshaft virus was grafted onto the top-secret shared network files of the popular Microsoft Windows 95 operating system, probably by a person or persons working inside the company.
By encoding itself in the kernel-the all-but-indecipherable crux of the Windows 95 and Windows 98 operating systems-the prevaricating virus has outfoxed technical analysts at Microsoft, and other leading software development firms and computer manufacturers, for more than forty months. The source of Windows 95's infamous unreliability, previously thought to be the fault of Microsoft's lack of strict programming standards, is now believed to be none other than the Microshaft virus.
The virus was reported to Symantec's elite cadre of anti-virus experts by Guillermo Puertas, a computer programmer in San Diego, California. In a telephone interview, Mr. Puertas-a self-described "amateur computer virologist"-said that he might never have suspected the existence of the Microshaft virus, had he not installed a second operating system, Linux, on his computer.
With Linux -- a Unix clone downloadable for free over the Internet-Mr. Puertas noticed that his system was suddenly free of the crashes and other performance flaws which had been plaguing his Windows programs. When he subjected the computer to a barrage of customized tests, Mr. Puertas discovered "incontrovertible" evidence that the portion of his hard drive allocated to Windows was infected by a "viropsys", or operating system-mimicking virus. Mr. Puertas claims that "the Microshaft virus...can also mimic some common programs like Internet Explorer and [Microsoft] Word...You think you're word processing or browsing the Internet, but in fact you're playing right into its hands. Every time you run a program, open a file or install a new application, you're feeding it more raw data, which increases the likelihood of reduced performance, hardware conflicts and crashes leading to loss of crucial data."
According to Mr. Puertas, since the virus has insinuated itself into the kernel of the Windows operating system, it might be extremely difficult, if not impossible, to eliminate the virus without destroying the functionality of Windows altogether. "It's like inoperable cancer," he said. "You can't remove the cancer without killing the patient."
Mr. Puertas speculated that the virus has managed to elude detection until now because of the extreme secrecy surrounding the Windows 95/98 kernel, the entire contents of which is known to few (if any) Microsoft programmers other than Microsoft Chairman Bill Gates. "Basically," says Puertas, "Microsoft's Windows programmers have been kept in the dark about each others' work, in order to protect proprietary source code. Some disgruntled programmer must have slipped the virus in through a crack", thus allowing it to lodge in the heart of the Windows operating system. Ralph Lederer, a legal consultant on intellectual property law in the computer industry and a business partner of Mr. Puertas, said that "because what appears on the user's screen as Internet Explorer is very likely a clever front for the virus, Microsoft's claim that Internet Explorer cannot be removed from Windows 98 without crippling Windows' functionality might actually have some truth to it."
In the past year, litigators in the Federal Government's anti-trust case against Microsoft have contested the company's claim that its Internet Explorer web browser is an integral part of the Windows operating system. "It's ironic, but the Microshaft virus could be a godsend for Bill Gates," noted Mr. Lederer. Asked what measures might be taken to neutralize the virus, Mr. Wagner said that Symantec's anti-virus unit would be working around the clock with top Microsoft programmers to develop commercial software capable of detecting and disabling the virus. "For the moment, we're going to have to live with it," he said with a sigh. "And somehow we've already managed do so for three and a half years. In any case, pretty soon users will have the option to upgrade to Windows 2000, which should be virus-free."
In a related story, on Monday Microsoft announced a bid to acquire a controlling share of Symantec, whose stock has gained seventeen points since the offer. Meanwhile, Microsoft stock has taken a five-percent plunge on news of the virus, but most market analysts and fund managers are sitting tight. According to several Wall Street sources, the Symantec deal, plus the expected stampede of computer users desperate to upgrade to a virus-free Windows 2000, will ensure better-than-expected profits for Microsoft during the next fiscal year.
At a Redmond press conference last evening, a Microsoft spokesman said that although company programmers had been unaware of the virus' existence, emergency measures were being taken to rectify the problem. When asked whether Microsoft would reveal its Windows operating system code so that programmers around the world could help root out the virus, he answered "That's not gonna happen", and declined to answer any further questions.
Please ignore any messages regarding this "hoax"
and do not pass on any messages regarding it. Passing on messages about
this hoax serves only to further propagate it.
124 Parity_Boot
Aliases: Generic-1
Infection length: 512 bytes
Area of infection: Floppy boot sectors,
master boot records
Likelihood: Common
Region reported: Europe, U.S.A., South
America, India, Japan, South Africa
Characteristics: Wild, memory resident,
stealthing
Target platform: DOS
Trigger date: None
Description:
Parity_Boot is a virus that checks every hour
to see if it has infected a floppy disk. If it has not infected a floppy
disk in that time, it prints the following message to the screen and hangs
the computer:
PARITY CHECK
The original master boot record (MBR) is copied
to side 0, track 0, sector 14. On 5¼-inch, 360K floppy disks, the
boot sector is copied to logical sector 11 and on 5¼-inch, 1.2 MB
floppy disks, the boot sector is moved to logical sector 28.
Parity_Boot can survive a warm boot (Ctrl+Alt+Del). To clear Parity_Boot virus from memory, you must shut the system down (power off) or use the Reset button.
125 Penpal Greetings
Aliases: E-mail, Good Times.Penpal_Greetings
Infection length: Hoax
Area of infection: Hoax
Likelihood: Hoax
Region reported: Worldwide
Characteristics: Hoax
Target platform: Hoax
Trigger date: Hoax
Description:
Penpal Greetings is not a virus. It is a hoax.
The virus does not exist. There is currently no virus that has the characteristics
ascribed to Penpal Greetings.
The e-mail message describing the virus is similar to the original Good Times virus e-mail hoax. It could even be described as a virus hoax strain.
The Penpal Greetings hoax message includes one of the following warnings:
Form 1
This is a warning for all internet users - there is a dangerous virus propagating across the internet through an e-mail message entitled "PENPAL GREETINGS!" DO NOT DOWNLOAD ANY MESSAGE ENTITLED "PENPAL GREETINGS!"
This message appears to be a friendly letter asking you if you are interested in a penpal, but by the time you read this letter, it is too late. The "trojan horse" virus will have already infected the boot sector of your hard drive, destroying all of the data present. It is a self-replicating virus, and once the message is read, it will AUTOMATICALLY forward itself to anyone whose e-mail address is present in YOUR mailbox!
Form 2
VIRUS ALERT!!!!! VERY IMPORTANT !!!!
If you receive an e-mail titled ..JOIN THE CREW/for PENPALS, DO NOT open it! It will erase EVERYTHING on your hard drive!
Send this letter out to as many people as you can. This is a new virus and not many people know about it!
This information was received this morning by IBM. Please share it with anyone that might access the internet!!
PENPAL appears to be a friendly letter asking you if you are interested in a penpal, but by the time you read this letter it is TOO late.
The Trojan horse virus will have already infected the boot sector of your hard drive, destroying all the data present. It is a self-replicating virus, and once the message is read it will AUTOMATICALLY forward itself to anyone whose e-mail address is present in your box! This virus will destroy your hard drive and whose mail is in your box and whose mail is in their box and so on and on!
So delete any message titled PENPAL or JOIN THE CREW. This virus can do major DAMAGE to worldwide networks!
PLEASE PASS THIS ALONG TO ALL YOUR FRIENDS AND PEOPLE IN YOUR MAILBOXES.
AOL HAS SAID THIS IS A VERY DANGEROUS VIRUS AND THERE IS NO REMEDY FOR THIS.
FORWARD IT TO ALL YOUR ON-LINE FRIENDS A.S.A.P.!
Please ignore any messages regarding this "virus" and do not pass on any messages regarding it. Passing on messages about this hoax serves only to further propagate it.
126 QRry
Aliases: Essex, Quarry, Query
Infection length: 512 bytes
Area of infection: Floppy boot sectors,
master boot records
Likelihood: Uncommon
Region reported: U.S.A., South America
Characteristics: Wild, memory resident,
triggered event
Target platform: DOS
Trigger date: December of every year
Description:
QRry is a rather generic virus that infects master
boot records (MBRs) and floppy boot sectors. QRry does, however, carry
a destructive payload. In December of every year, QRry triggers and overwrites
portions of the current drive of the infected computer.
The virus contains the following string:
QRry
127 Perrin.exe Virus Hoax
Virus Name: Perrin.exe Virus Hoax
Aliases: None
Known Variants: Hoax
Infection Length: Hoax
Area of Infection: Hoax
Likelihood: Hoax
Region Reported: Email
Characteristics: Hoax
Description:
This information is a hoax and should be ignored.
Sample of hoax message:
Si reciben un mail titulado "up-grade internet2" NO LO ABRAN, ya que contiene un ejecutable con un ícono muy gracioso; el ejecutable se llama PERRIN.EXE. Este virus borrará toda la información del disco duro, y de alguna manera se refugia en la memoria de la computadora, por lo que cada vez que carguen información en el disco duro, este lo borrará de nuevo, dejando prácticamente inservible la computadora. Esta información fue publicada ayer en la página Web de la CNN. Se ha dicho que este virus es muy peligroso y que aún no existe antivirus para él. Reenvíen este mensaje a toda la gente que puedan, ya que si bien es cierto no puede ser detenido, al menos que salga perjudicada la menor cantidad de gente posible.
English Translation:
If you receive an e-mail titled "up-grade internet2", DO NOT OPEN IT, because it contains an executable with a very funny icon; the executable is called PERRIN.EXE. This virus will erase all the information on the hard disk, and somehow hides in the computer's memory, so that every time you load information onto the hard disk it erases it again, leaving the computer practically useless. This information was published yesterday on CNN's Web page. It has been said that this virus is very dangerous and that there is still no antivirus for it. Forward this message to as many people as you can, because even though it cannot be stopped, at least as few people as possible will be harmed.
Please ignore any messages regarding this "hoax"
and do not pass on any messages regarding it. Passing on messages about
this hoax serves only to further propagate it.
Write-up by:Motoaki Yamamura
June 21, 1999
128 Quandary
Aliases: Parity_Boot.Enc, Newboot
Infection length: 512 bytes
Area of infection: Master boot record,
floppy boot sector
Likelihood: Common
Region reported: New Zealand, UK, Iceland,
USA, Sweden, Finland, Poland, Canada, Japan, Germany
Characteristics: Wild, memory-resident,
encrypting, read stealth
Target platform: DOS
Trigger date: None
Description:
The Quandary virus is a simple master boot record, floppy boot sector infecting virus that uses two common techniques to hide itself. First, the body of the virus is encrypted. Second, the virus tries to hide itself using a technique called stealthing, which causes the system to point to a clean copy of the infected area rather than the infected area itself (you would see this activity when you try to view the hard drive with a disk editing program while the virus is active in memory).
On infected hard drives a copy of the original master boot record is stored at physical location cylinder 0 side 0 sector 15.
129 Quiver
Aliases: Qvr, LP
Infection length: 512 bytes
Area of infection: Hard disk boot record,
floppy boot sector
Likelihood: Common
Region reported: Colombia, Finland
Characteristics: Wild, memory-resident,
read stealth
Target platform: DOS
Trigger date: None
Description:
The Quiver virus is a simple hard disk boot record, floppy boot sector infecting virus with one annoying feature: while the virus is active in memory, random garbage is displayed on the screen with each issued command.
Besides the above-mentioned trickery on the screen, this virus tries to hide itself using a technique called stealthing, which causes the system to point to a clean copy of the infected area rather than the infected area itself (you would see this activity when you try to view the hard drive with a disk editing program while the virus is active in memory).
On infected hard drives a copy of the original boot sector is stored at physical location cylinder 0 side 0 sector 5.
130 Phantom Menace Hoax
Aliases: None
Known Variants: Hoax
Infection Length: Hoax
Area of Infection: Hoax
Likelihood: Hoax
Region Reported: Email
Characteristics: Hoax
Description:
The following message has been sent out by email.
It is a hoax. This "virus" does not exist.
The hoax message includes the following "warning":
Existe la posibilidad de que recibas un mail con el Subject: The Phantom Menace, que es el nombre de la pelicula de el Episodio I. Por favor NO ABRAS ese mail, ya que es uno de los virus mas poderosos conocidos hasta hoy. Apenas tiene 3 dias rondando en la red, pero segun Microsoft este virus generara perdidas de hasta 100 mil millones de dolares antes de que exista una vacuna. Es un virus gusano, que se mete en los hoyos de los programas de Microsoft a traves de la red. Manda esta informacion a todos tus conocidos por favor.
English Translation:
You may receive an e-mail with the Subject: The Phantom Menace, the name of the Episode I movie. Please DO NOT OPEN this e-mail, because it is one of the most powerful viruses known to date. This virus has only been on the Web for 3 days, but Microsoft has said it will cause losses of around 100 billion dollars before any antivirus can repair it. This is a worm, which inserts itself into the holes of Microsoft programs through the Web. Please send this information to everyone you know.
Please ignore any messages regarding this "hoax"
and do not pass on any messages regarding it. Passing on messages about
this hoax serves only to further propagate it.
131 Quox
Aliases: Stealth 2
Infection length: 512 bytes
Area of infection: Floppy boot sectors,
master boot records
Likelihood: Common
Region reported: U.S.A., Europe, Japan
Characteristics: Wild, memory resident,
stealthing
Target platform: DOS
Trigger date: None
Description:
Quox is a fairly generic virus that infects master
boot records (MBRs) and floppy boot sectors. Quox becomes resident, but
does not destroy anything intentionally. When resident, Quox attempts to
infect any disk accessed.
132 PictureNote.Trojan
Virus Name: PictureNote.Trojan
Aliases: Trojan Horse, Backdoor.Note, Picture.exe,
URLSnoop
Likelihood: Common
Region Reported: USA
Characteristics: Trojan Horse
Description:
PictureNote.Trojan is a malicious program, commonly identified and referred to as a trojan horse program. Note that PictureNote.Trojan does not have the capability to spread like a virus. The program has been sent anonymously to many Internet users by e-mail. This Trojan (Picture.exe) was reported in late December 1998. The file attached to the e-mail was usually named PICTURE.EXE.
When PICTURE.EXE is executed, it copies itself into the WINDOWS directory as NOTE.EXE. It also modifies the file WIN.INI in the WINDOWS directory, changing the "run" parameter to execute NOTE.EXE. When Windows is restarted, NOTE.EXE is executed automatically and begins to search the computer for America Online user information, which can be e-mailed automatically to a specific e-mail address. Hence, this trojan may steal your America Online password information.
Norton AntiVirus users can protect themselves
from this trojan horse by downloading the current virus definitions either
through LiveUpdate or from the following webpage:
http://www.symantec.com/avcenter/download.html
Please note that definitions released on Jan 8, 1999 will detect this trojan as "Trojan Horse" and will not be able to find "PictureNote.Trojan" name in the NAV's virus list feature. New Definitions posted after Jan 14, 1999 will detect this trojan as PictureNote.Trojan and the name will also appear in the virus list.
133 Ravage (b)
Aliases: Dodgy, Ravage
Infection Length: 1024
Area of Infection: Floppy MBR
Likelihood: Common
Region Reported: US
Characteristics: MBR, Resident, RP&muRphy
Description:
Ravage is a stealth boot virus. The virus is
memory resident and resides in two sectors. Ravage will infect the MBR
of a hard drive and the boot sector of a floppy diskette. The virus stores
the original MBR and additional viral code at sector 14, head 0, track
1 on a hard drive. On a floppy diskette, the information is stored on the
last sectors of the diskette.
When infecting the hard drive, the virus attempts
to bypass BIOS anti-virus protection by modifying the CMOS and sending
the letter 'Y' to the keyboard buffer.
Payload:
While in memory, if any program with a filename matching 'RAV*' is executed, there is a 1 in 256 chance the virus will display the message:
RAVage is wiping data! RP&muRphy
The virus then begins erasing sectors of the
hard drive. If one is currently in Windows, this action does not occur
until exiting Windows. This payload routine is also triggered three months
after infecting the disk.
In addition, the virus deletes the file SYSTEM\IOSUBSYS\HSFLOP.PDR. This file should be replaced with a known clean backup.
Write-up by:Eric Chien
August 16, 1999
134 Ping_Pong
Aliases: Bouncing-Ball, Italian, Vera Cruz,
Mistake, Typo, Turin
Infection length: 512 bytes
Area of infection: Boot sectors
Likelihood: Common
Region reported: U.S.A., United Kingdom,
France
Characteristics: Wild, memory resident
Target platform: DOS
Trigger date: None
Description:
Ping_Pong is a virus that randomly activates and sends a Pong-like white ball bouncing around the screen of the infected computer. Ping_Pong works only on 8086 and 8088 CPU types.
Ping_Pong has two known strains:
Ping_Pong.Standard
Infects hard drives and floppy disks.
Ping_Pong.Typo
Introduces a variety of typographical errors
on all documents sent to the printer. No messages or graphics are displayed.
135 Red Alert
Aliases: none
Infection length: Hoax
Area of infection: Hoax
Likelihood: Hoax
Region reported: Online
Characteristics: Hoax
Target platform: Hoax
Trigger date: Hoax
Description:
This "virus" does not exist.
In November of 1996, a false warning was posted to several sites on the Internet that the Microsoft home page was distributing a virus. The creator of the message quoted a well known anti-virus developer, Mikko Hypponen of Data Fellows, to lend credibility to the false claims.
The following statement was issued by Mikko Hypponen:
This is a warning on a nasty hoax that has been
distributed on several mailing lists and in usenet news. The hoax message
is falsely attributed to me (Mikko.Hypponen@datafellows.com).
This false warning urges people to stay off Microsoft's
home page and not to use Microsoft Internet Explorer, because the 'Microsoft
home page is possibly infected by a virus'. This is nonsense.
If you have seen this warning, please pass on this message, and please do not redistribute the original warning any more.
Please ignore any messages regarding this "virus"
and do not pass on any messages regarding it. Passing on messages about
this hoax serves only to further propagate it.
136 PrettyPark.Worm
This worm program behaves similarly to Happy99
Worm. It was originally spread by email spamming from a French email address.
The first report of this worm was submitted through our exclusive Scan
& Deliver system on May 28, 1999 from France. When the attached program
file, PrettyPark.exe, is executed, it may display the 3D pipe screen saver.
Also known as: Trojan Horse, W32.PrettyPark, Trojan.PSW.CHV, CHV, W32/Pretty.worm.unp
Category: Worm
Infection length: 37,376 bytes
Virus definitions: June 4, 1999
Threat assessment:
Damage: Low
Distribution: High
Wild: High
Wild
Number of infections: More than 1000
Number of sites: More than 10
Geographic distribution: High
Threat containment: Medium
Removal: Easy
Damage
Payload:
Releases confidential information: Dial-up Passwords,
System Information, ICQ Information
Compromises security settings: Allows remote
receipt, creation, deletion, and execution of files.
Distribution
Subject of email: C:\CoolProgs\Pretty Park.exe
Name of Attachment: PrettyPark.EXE
Size of Attachment: 37,376 bytes
Target of infection: Windows Registry
Technical description
Once the worm program is executed, it tries to email itself automatically every 30 minutes (or 30 minutes after it is loaded) to email addresses registered in your Internet address book.
It also tries to connect to an IRC server and join a specific IRC channel. The worm sends information to IRC every 30 seconds to keep itself connected, and to retrieve any commands from the IRC channel.
Via IRC, the author or distributor of the worm can obtain system information, including the computer name, product name, product identifier, product key, registered owner, registered organization, system root path, version, version number, ICQ identification numbers, ICQ nicknames, victim's email address, and Dial Up Networking username and passwords. In addition, being connected to IRC opens a security hole in which the client can potentially be used to receive and execute files.
It creates a file called files32.vxd in the Windows\System directory and modifies the following registry entry value from "%1" %* to files32.vxd "%1" %* without your knowledge:
HKEY_LOCAL_MACHINE\Software\Classes\
exefile\shell\open\command
Automatic removal instructions:
Download PrettyPark.Worm removal tool
Description of the PrettyPark.Worm removal tool
Manual removal instructions:
On the Windows taskbar, click Start > Run.
Type REGEDIT, then click OK.
Modify the following Registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\
Classes\exefile\shell\open\command
and change
files32.vxd "%1" %*
to
"%1" %*
For clarity, these seven characters are the following:
double quote, percent sign, the numeral one, double quote, space, percent
sign, and asterisk. Don't forget the space.
Delete the PrettyPark.exe file.
Restart your computer.
Using Windows Explorer delete the \Windows\System\Files32.vxd
file.
Write-up by: Raul K. Elnitiarta & Eric Chien
June 1, 1999
Updated: February 28, 2000
137 Reizfaktor
Aliases: W97M.Reizfaktor, Reizfaktor (inf), Reizfaktor
(bat)
Area of Infection: C drive
Likelihood: Rare
Characteristics: Macro, Trojan, Windows
Description:
Reizfaktor is a trojan horse consisting of three
parts - a word macro, a Windows Autoplay file and a batch file.
The Word document carrying Reizfaktor contains a Document_Open macro that installs AUTORUN.INF and AUTOEXEK.BAT in the root directory of the C drive. After the installation, the macro deletes its original code and replaces it with an AutoOpen macro containing only a comment.
AUTORUN.INF contains a single instruction for running AUTOEXEK.BAT. The next time Windows is started, Autoplay will be enabled for the C drive, and remain enabled until Windows is restarted without AUTORUN.INF present.
Upon opening the C drive, AUTOEXEK.BAT uses DELTREE
to delete the root directory, and displays the following message in a console
window:
Updating! This May Take A While...
Please Wait...
The results of the DELTREE operation are saved
in C:\Reizfaktor.txt
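PictureNote (above) persists through the run= line of WIN.INI, and Reizfaktor through an AUTORUN.INF dropped in the root of C:, which makes Autoplay run AUTOEXEK.BAT when the drive is opened. As an added example that is not part of the original write-ups, the Python below parses both files with the standard-library configparser and reports every program they would start. The two sample files are constructed to match the descriptions above, and the wording of the findings is mine, not Symantec's.

```python
import configparser

# Constructed samples (not captured from an infected system) matching the write-ups:
# PictureNote's NOTE.EXE on the run= line, Reizfaktor's AUTOEXEK.BAT in AUTORUN.INF.
WIN_INI_SAMPLE = """[windows]
load=
run=C:\\WINDOWS\\NOTE.EXE
NullPort=None

[Desktop]
Wallpaper=(None)
"""

AUTORUN_INF_SAMPLE = """[autorun]
open=AUTOEXEK.BAT
icon=AUTOEXEK.BAT,0
"""


def _parse_ini(text):
    # Windows .ini files are case-insensitive and tolerate duplicates; no %-interpolation.
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.read_string(text)
    return cp


def _section(cp, wanted):
    # section names are case-sensitive in configparser but not in Windows
    for name in cp.sections():
        if name.lower() == wanted.lower():
            return cp[name]
    return None


def win_ini_autostarts(text):
    """Programs named on the load= and run= lines of [windows]; Windows 3.x/9x
    starts each of them at every Windows start, which is how PictureNote launches NOTE.EXE."""
    sec = _section(_parse_ini(text), "windows")
    found = []
    if sec is not None:
        for opt in ("load", "run"):
            value = sec.get(opt, fallback="") or ""
            # several programs may be listed, separated by spaces or commas
            for prog in value.replace(",", " ").split():
                found.append((opt, prog))
    return found


def autorun_inf_commands(text):
    """Commands Autoplay would run from [autorun] when the drive is opened."""
    sec = _section(_parse_ini(text), "autorun")
    found = []
    if sec is not None:
        for opt in ("open", "shellexecute"):
            value = (sec.get(opt, fallback="") or "").strip()
            if value:
                found.append((opt, value))
    return found


def findings(win_ini_text, autorun_inf_text, fixed_drive=True):
    """Human-readable list of every autostart the two files would cause."""
    out = []
    for opt, prog in win_ini_autostarts(win_ini_text):
        out.append(f"WIN.INI [windows] {opt}= starts {prog} at every Windows start; verify the file")
    for opt, cmd in autorun_inf_commands(autorun_inf_text):
        where = "a fixed drive (unusual: review it)" if fixed_drive else "removable media"
        out.append(f"AUTORUN.INF {opt}= runs {cmd} when the drive is opened on {where}")
    return out


if __name__ == "__main__":
    for line in findings(WIN_INI_SAMPLE, AUTORUN_INF_SAMPLE):
        print(line)
```

An AUTORUN.INF in the root of a hard drive is reported regardless of what it runs, because on a fixed drive the file has no normal reason to exist; on removable media only the command itself tells you anything.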
Norton AntiVirus users can protect themselves from this trojan by downloading the current virus definitions either through LiveUpdate or from the following web page:
http://www.symantec.com/avcenter/download.html
Write-up by:Peter Pak
June 2, 1999
138 Promail.Trojan
Virus Name: Promail.Trojan
Aliases: None
Infection Length: 583,168 bytes
Area of Infection: Does not infect. This is a
Trojan Horse.
Likelihood: Common
Region Reported: None
Characteristics: Steals POP account Username
and Password
Target Platform: Windows
Trigger Date: None
Description:
The Promail.Trojan is a Trojan Horse. The Promail.Trojan
is a full function POP client which allows you to obtain your email from
your designated POP server(s). However, in addition to the documented functions,
the program also sends your account information including your password
to an anonymous email address.
The program Promail has been widely distributed on freeware and shareware repositories. The file is generally distributed as a zip file named proml121.zip. This program is touted as a completely free POP client that provides many standard email client functions. This zip file uncompresses into the file promail.exe. This is the executable that provides POP client services. These POP client services include the ability to retrieve mail from multiple POP servers.
Each time one configures new POP account information in the client, the client creates a file called promail.pml in the Promail program directory. This is a zero byte file. The next time Promail is started and mail is checked, Promail verifies the existence of the promail.pml file. If this file exists, in addition to checking for mail, Promail sends all POP account information (including the password) of each account setup with Promail to an anonymous email address. The host administrators have been contacted about this email account.
This type of data export may compromise your system. This data export will allow the author or anyone with access to the anonymous email address mailbox to check, delete, and read your POP mail.
To fix this threat, one should discontinue the use of Promail. Promail should be uninstalled or all Promail files should be deleted.
Norton AntiVirus users can protect themselves from this trojan horse by downloading the current virus definitions either through LiveUpdate or from the following webpage:
http://www.symantec.com/avcenter/download.html
Write-up by:Eric Chien
March 22nd, 1999
139 Reverse.948
Aliases: Red Spider, Reverse.A, Reverse.B
Infection length: 964 bytes
Area of infection: .COM, .EXE files
Likelihood: Common
Region reported: Poland, South Africa
Characteristics: Wild, memory-resident
Target platform: DOS
Trigger date: None
Description:
The Reverse.948 virus is a simple memory-resident, .COM and .EXE file infecting virus that does nothing more than replicate. It contains code to ensure that it does not infect the file command.com.
Located within the body of the virus is the following text (this text is stored in an encrypted format):
Red Spider Virus created by Garfield from Zielona Gora in Feb 1993
moc.dnammocexe.niamcn
140 Predator.2448
Aliases: 2448
Infection length: 3,072 bytes in master
boot record / 2,448 bytes in files
Area of infection: Master boot record,
COMMAND.COM, .COM, .EXE files
Likelihood: Common
Region reported: USA, Iceland, Sweden,
Canada
Characteristics: Wild, memory-resident,
encrypting, size stealth, read stealth, multipartite
Target platform: DOS
Trigger date: None
Description:
The Predator.2448 virus is a fairly complicated virus, which uses encrypting and stealthing techniques to hide itself. Upon execution of an infected file, this virus writes itself to the master boot record of the hard drive and then begins to infect files as they are executed. Contained within the body of the virus is the following encrypted text:
Predator virus #2 © 1993 Priest - Phalcon/Skism
Systems infected with this virus will report a loss of 6k in total conventional memory.
On infected hard drives a copy of the original master boot record is stored at physical location cylinder 0 side 0 sector 02 in encrypted format.
This virus corrupts floppy disks after it infects them, making them unreadable by DOS when the virus is not active in memory.
141 RingZero.Trojan
Aliases: RingZero.gen Trojan
Likelihood: Uncommon
Characteristics: Packed by Petite
Description
This trojan runs as a hidden process on the target system. It sends and retrieves data over an Internet connection. There are three versions of this trojan horse.
One version, ITS.EXE, will copy itself to the \WINDOWS\SYSTEM directory when executed for the first time on a system. It also drops a RING0.VXD file in the same directory. ITS.EXE is executed upon the next startup of Windows. At this time, it creates another file to hold its data: ITS.DAT. It appears to try to reach two hosts - MEMBERS.ZOOM.COM and PHZFORUM.VIRTUALAVE.NET. The program contains strings that attempt to send mail to an address at PAGER.MIRABILIS.COM through the mail server at WWW.MIRCOSOFT.COM.
Another version, PST.EXE, installs itself in the same manner as ITS.EXE. It also inserts RING0.VXD, and creates ITS.DAT. This version appears to try to connect to WWW.RUSFTPSEARCH.NET.
TELNET23.EXE is yet another version that appears to steal Windows cached passwords. It contains strings in order to reach PHZ.FAITHWEB.COM and send e-mails.
These applications can be packed within other host programs. When a user runs the host program, these trojan applications are installed on the system.
The RingZero trojan hides its process by registering itself as a Windows service. Thus, it is not visible in the Windows task manager. It also hides its entry in the Windows registry. If the trojan is not running, the startup call in the registry is visible.
Repair Notes
If RingZero.Trojan is detected on your system, restart the system in DOS mode or boot to a clean DOS boot floppy. Delete the detected files from the \WINDOWS\SYSTEM directory. Delete the ITS.DAT and RING0.VXD files from the same directory. Then, restart Windows and run the REGEDIT.EXE utility. Go to the following registry key:
\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
\CurrentVersion\Run
Delete the following values if they are present:
DK32 support PST "pst.exe"
DK32 support ITS "its.exe"
Description of EPS II "telnet23.exe"
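The PrettyPark removal steps and the RingZero repair notes above both come down to inspecting two registry locations: the exefile open command (which PrettyPark prefixes with files32.vxd so that it runs before every .exe) and the CurrentVersion\Run key (where RingZero's pst.exe, its.exe and telnet23.exe are started). As an added example that is not part of the original write-ups, the Python below parses a REGEDIT export of those keys, reports a hijacked exefile command, lists Run values that name the files the write-ups mention, and emits the .reg fragment that restores the default launcher. The sample export is constructed, and the parser covers only the string-value subset of the .reg format.

```python
import re

EXEFILE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
CLEAN_EXEFILE = '"%1" %*'   # the seven characters the removal steps describe
# File names the PrettyPark and RingZero write-ups give for the dropped components.
KNOWN_BAD_NAMES = ("files32.vxd", "prettypark.exe", "its.exe", "pst.exe", "telnet23.exe")

# Constructed REGEDIT4 export (not a capture): a PrettyPark-style exefile hijack and
# two RingZero-style Run values next to a legitimate one.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="files32.vxd \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"DK32 support ITS"="its.exe"
"Description of EPS II"="telnet23.exe"
'''

# @="..." for the default value, "name"="..." otherwise; backslash escapes inside the quotes
_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # .reg string data escapes backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """{key: {value_name: data}} for the string-value subset of .reg syntax;
    the default value is stored under the empty name."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(2))
            keys[current][name] = _unescape(m.group(3))
    return keys


def _lookup(keys, wanted):
    # registry key names are case-insensitive
    for key, values in keys.items():
        if key.lower() == wanted.lower():
            return values
    return {}


def check_exefile(keys):
    """(hijacked, current_value). Anything placed in front of "%1" %* runs with
    every .exe the user launches, which is how PrettyPark keeps files32.vxd alive."""
    current = _lookup(keys, EXEFILE_KEY).get("", CLEAN_EXEFILE)
    return current.strip() != CLEAN_EXEFILE, current


def suspicious_run_values(keys, bad_names=KNOWN_BAD_NAMES):
    """Run values whose command names one of the known dropped files."""
    return [(name, data) for name, data in _lookup(keys, RUN_KEY).items()
            if any(bad in data.lower() for bad in bad_names)]


def exefile_fix_reg():
    """A .reg fragment that restores the default launcher; import it with REGEDIT
    (or make the same change by hand as the removal steps describe)."""
    return 'REGEDIT4\n\n[' + EXEFILE_KEY + ']\n@="\\"%1\\" %*"\n'


if __name__ == "__main__":
    hives = parse_reg(SAMPLE_REG)
    hijacked, value = check_exefile(hives)
    print("exefile command:", repr(value), "HIJACKED" if hijacked else "clean")
    for name, data in suspicious_run_values(hives):
        print("suspicious Run value:", repr(name), "->", data)
    print(exefile_fix_reg())
```

Importing the fix fragment while the hijack is active works because REGEDIT is not an .exe association lookup; the same is true of the manual edit in the removal steps. Delete the dropped files only after the command value is clean, otherwise every .exe launch fails until it is repaired.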
Norton AntiVirus users can protect themselves from this virus by downloading the current virus definitions either through LiveUpdate or from the following webpage:
http://www.symantec.com/avcenter/download.html
Write-up by: Wason Han
Oct 28, 1999
142 Ripper
Aliases: Jack Ripper
Infection length: 512 bytes
Area of infection: Floppy boot sectors,
master boot records
Likelihood: Common
Region reported: Europe, Australia/New
Zealand, Hong Kong, Taiwan, Canada, Japan, South Africa
Characteristics: Wild, memory resident,
stealthing
Target platform: DOS
Trigger date: Random
Description:
Ripper is a virus that randomly corrupts disk
writes when active in memory. Approximately 1 in every 1,000 disk writes
is affected, making the information written invalid.
The virus contains two encrypted strings. One
is a profane message. The other reads as follows:
(C)1992 Jack Ripper
143 Russian New Year Exploit
Virus Name: Russian New Year Exploit
Aliases: RNY
Infection Length: None
Area of Infection: None
Likelihood: Rare
Region Reported: None
Characteristics: Exploit
Description:
A network security firm announced the Russian
New Year Exploit in early January 1999. However, the exploits were well
known prior to the announcement in January. This exploit is actually two
different security risks combined together. Computer systems can be configured
or patched to prevent both security holes.
When viewing a Microsoft Excel spreadsheet (locally or remotely) using Internet Explorer or Netscape Navigator (prior to version 4.5), Microsoft Excel is launched automatically. One would expect a confirmation dialog box; however, neither browser displays one before launching Microsoft Excel. This allows one to unknowingly open Microsoft Excel spreadsheets, which can contain macro viruses or other malicious code.
To enable your system to prompt whenever viewing any Microsoft Excel spreadsheets via Internet Explorer or Netscape Navigator, double-click on the My Computer icon. Select View | Options or View | Folder Options depending on your operating system version. Next, select the File Types tab. Scroll down the "Registered file types" window until you see Microsoft Excel. For each entry, select Edit and verify "Confirm open after download" is selected. This should be done for each Excel type, which consists of all files with the XL? extension. This same security risk occurs with Microsoft Word files. It is recommended the same procedure is done with all Microsoft Word file types.
The second security risk is the availability of CALL statements in Microsoft Excel spreadsheets. CALL statements allow one to reference functionality in system DLLs. This allows one to perform potentially malicious tasks on your computer system when you open a Microsoft Excel spreadsheet. CALL statements can be included in macro sheets as well as in spreadsheet cells as a formula. Prior to the announcement of the Russian New Year exploit, Microsoft released a patch to disable the CALL functionality that can be found at http://officeupdate.microsoft.com/downloadDetails/xl97cfp.htm
A network security firm combined these two exploits and dubbed them the Russian New Year exploit since, one could potentially direct a computer user to a website with a Microsoft Excel spreadsheet that contained malicious CALL statements. The computer user would not be warned before their computer system automatically launched Microsoft Excel and executed the malicious CALL statements.
Enterprises should also work with their firewall vendors to explore specific solutions to enable any network filtering of Microsoft Excel spreadsheets via HTTP.
There are no currently known Microsoft Excel spreadsheets that take advantage of this exploit. Any future threats using this technique will be easily handled by Norton AntiVirus.
Write-up by:Eric Chien
January 6, 1999
Norton AntiVirus definitions dated 12/27/1999 incorrectly identified the free computer game "Santa's Cows", which was produced by Crystal Sky Productions, as being infected with the trojan horse PWSteal.Trojan.
This game is not infected with this trojan horse. This false positive has been corrected in the latest virus definitions.
This game is available as either SantasCows-PC.exe (Windows 95/98 version), SantasCows-W2K.exe (Windows NT/2000 version), or SantasCows-Mac.hqx (Macintosh version).
To keep from getting an infection warning from Norton AntiVirus, SARC recommends users update their virus definitions via LiveUpdate.
145 Russian_Flag
Aliases: Slydell, Ekater, Antiexe.C
Infection length: 512 bytes
Area of infection: Master boot record,
floppy boot sector
Likelihood: Common
Region reported: USA, UK, Netherlands,
Japan, South Africa
Characteristics: Wild, memory-resident,
trigger
Target platform: DOS
Trigger date: Any August 19th
Description:
The Russian_Flag virus is a simple master boot record, floppy boot sector infecting virus that tries to hide itself using a technique called stealthing, which causes the system to point to a clean copy of the infected area rather than the infected area itself (you would see this activity when you try to view the hard drive with a disk editing program while the virus is active in memory). Upon activation of the virus's payload, a Russian flag is displayed on the screen and the system waits for a key to be pressed before the boot process continues.
On infected hard drives, a copy of the original boot sector is stored at physical location cylinder 0 side 0 sector 9.
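The boot-sector write-ups above (Parity_Boot, Quandary, Quiver, Predator.2448 and Russian_Flag) each give the track-0 sector where the virus parks the original master boot record. As an added example that is not part of the original list, the Python below turns those locations into a recovery check on a raw disk image: it reads each known backup slot, accepts only a sector that carries the 0x55AA signature and a sane partition table, and requires that its partition table match the one in sector 0 (the infector keeps the table so the disk still boots). The disk geometry and the sample image are assumptions, not captures; Predator.2448's copy is stored encrypted, so a plain comparison will not find it.

```python
import struct

SECTOR = 512

# Where the write-ups above say each virus parks the original MBR: (cylinder, head, sector).
# Predator.2448 stores its copy encrypted, so this plain comparison will not match it.
KNOWN_BACKUPS = {
    "Parity_Boot": (0, 0, 14),
    "Quandary": (0, 0, 15),
    "Quiver": (0, 0, 5),
    "Russian_Flag": (0, 0, 9),
    "Predator.2448": (0, 0, 2),
}


def chs_to_lba(cyl, head, sector, heads=16, spt=63):
    """CHS (1-based sector) to 0-based LBA. The geometry is an assumption,
    but every slot above is on cylinder 0 head 0, where only sector - 1 matters."""
    return (cyl * heads + head) * spt + (sector - 1)


def read_sector(image, lba):
    return bytes(image[lba * SECTOR:(lba + 1) * SECTOR])


def partition_table(sector):
    return sector[446:510]


def looks_like_mbr(sector):
    """Boot signature present and the four partition entries are sane."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xaa":
        return False
    used = active = 0
    for i in range(4):
        entry = sector[446 + 16 * i:462 + 16 * i]
        boot_flag, ptype = entry[0], entry[4]
        if boot_flag not in (0x00, 0x80):
            return False
        if ptype != 0:
            used += 1
            if boot_flag == 0x80:
                active += 1
    return used >= 1 and active <= 1


def find_original_mbr(image, backups=KNOWN_BACKUPS):
    """(virus name, lba) for each known slot holding a plausible MBR whose partition
    table matches sector 0's and whose bootstrap differs from it."""
    current = read_sector(image, 0)
    hits = []
    for name, chs in backups.items():
        lba = chs_to_lba(*chs)
        candidate = read_sector(image, lba)
        if (looks_like_mbr(candidate) and candidate != current
                and partition_table(candidate) == partition_table(current)):
            hits.append((name, lba))
    return hits


def restore_mbr(image, lba):
    """Copy the backup sector over sector 0 and return the repaired image."""
    repaired = bytearray(image)
    repaired[0:SECTOR] = read_sector(image, lba)
    return bytes(repaired)


def build_sample_image(backup_sector=14):
    """Constructed 63-sector image (no real virus code): sector 0 carries a fake viral
    bootstrap and the original MBR sits at track 0 sector `backup_sector`."""
    ptable = bytearray(64)
    # one active FAT16 partition: flag, CHS start, type, CHS end, LBA start, sector count
    ptable[0:16] = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06,
                               b"\xfe\x3f\x0f", 63, 1000000)
    original = b"\xeb\x3c" + b"ORIGINAL-BOOTSTRAP".ljust(444, b"\x90") + bytes(ptable) + b"\x55\xaa"
    infected = b"\xfa\x33" + b"VIRAL-BOOTSTRAP".ljust(444, b"\x00") + bytes(ptable) + b"\x55\xaa"
    image = bytearray(63 * SECTOR)
    image[0:SECTOR] = infected
    lba = chs_to_lba(0, 0, backup_sector)
    image[lba * SECTOR:(lba + 1) * SECTOR] = original
    return bytes(image), original


if __name__ == "__main__":
    image, original = build_sample_image()
    for name, lba in find_original_mbr(image):
        print(f"{name}: original MBR found at LBA {lba}")
        print("restored sector 0 matches original:", read_sector(restore_mbr(image, lba), 0) == original)
```

Run the check against an image taken while booted from clean media; with the virus resident, its read stealthing hands back the backup copy for sector 0 and the comparison sees nothing.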
146 Sampo
Aliases: Turbo, Wllop, Sanpo
Infection Length: 512 bytes
Area of Infection: Boot sectors
Likelihood: Common
Characteristics: Wild, Memory Resident
Description:
The Sampo virus is capable of infecting the MBR of a hard drive or the boot record of a floppy disk. When a boot record infected with this virus is loaded, the virus replicates to other boot sectors by using INT 13. When a user initiates a soft-boot (Ctrl+Alt+Del), the virus intercepts the reboot and performs its own imitation of a computer restarting. The purpose of this action is to enable the virus to remain in memory while giving the user the impression of a successful reboot.
On the 30th of November, the virus prints out the following text on the screen:
S A M P O
Project X
Copyright (c) 1991 by the
SAMPO X-Team. All rights reserved.
University of the East
Manila
Norton AntiVirus users can protect themselves from this virus by downloading the current virus definitions either through LiveUpdate or from the following webpage:
http://www.symantec.com/avcenter/download.html
Write-up by: Cary Ng
August 5, 1999
147 Sarampo.1371
Aliases: None
Infection length: 1,371 bytes
Area of infection: Command, .COM, .EXE
files
Likelihood: Common
Region reported: UK, Portugal, USA
Characteristics: Wild, memory-resident,
trigger
Target platform: DOS
Trigger date: Any April 25th, October 25th or December 25th
Description:
The Sarampo.1371 virus is a rather simple .COM and .EXE file infecting virus which infects files as they are executed. It specifically targets the C:\COMMAND.COM file.
When the virus loads itself into memory, it performs a date check to look for a system date setting that matches any one of this virus’s trigger dates. Should the system date match one of the trigger dates, the screen fills with random garbage and displays the following text:
Do you like this Screen Saver ? I hope so.
Created by Sarampo virus.
Since this virus does not use any stealthing techniques, infected files are easily spotted: the file size changes and the time stamp is set to 1:13 pm.
Contained within the body of the virus is the following text:
c:\command.com
Do you like this Screen Saver? I hope so
Created by Sarampo virus
MZ
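The write-up gives two observable indicators for a non-stealth file infector like this one: fixed marker strings in the file body and a time stamp forced to 1:13 pm. The following is an added example (not part of the original write-up or of any vendor's scanner) that checks both indicators over constructed sample files; the marker strings come from the entry above, the sample file contents and the 1999 date are constructed for the demonstration, and the check is deliberately conservative, flagging a file only when both indicators agree.

```python
import os
import tempfile
import time
from datetime import datetime

# Marker strings the write-up reports inside the Sarampo.1371 body.
SARAMPO_STRINGS = [
    b"c:\\command.com",
    b"Do you like this Screen Saver? I hope so",
    b"Created by Sarampo virus",
]


def has_sarampo_strings(data: bytes) -> bool:
    """True if every reported marker string is present (case-insensitive)."""
    lower = data.lower()
    return all(s.lower() in lower for s in SARAMPO_STRINGS)


def timestamp_is_1313(path: str) -> bool:
    """True if the file's modification time reads 13:13 (1:13 pm local time)."""
    mtime = datetime.fromtimestamp(os.path.getmtime(path))
    return mtime.hour == 13 and mtime.minute == 13


def scan_file(path: str) -> dict:
    """Combine both indicators; 'suspect' is set only when they agree."""
    with open(path, "rb") as f:
        data = f.read()
    strings = has_sarampo_strings(data)
    stamp = timestamp_is_1313(path)
    return {"path": path, "strings": strings, "timestamp": stamp,
            "suspect": strings and stamp}


def build_samples(directory: str) -> tuple:
    """Constructed sample files (not real malware): one carrying the
    indicators described in the write-up, one clean DOS exit stub."""
    suspect = os.path.join(directory, "SUSPECT.COM")
    clean = os.path.join(directory, "CLEAN.COM")
    with open(suspect, "wb") as f:
        f.write(b"\xeb\x10"
                + b"c:\\command.com\x00"
                + b"Do you like this Screen Saver? I hope so\r\n"
                + b"Created by Sarampo virus\r\n"
                + b"MZ")
    with open(clean, "wb") as f:
        f.write(b"\xb4\x4c\xcd\x21")  # mov ah,4Ch / int 21h: minimal exit stub
    # Constructed time stamp: 5 Aug 1999, 13:13:00 local time.
    t = time.mktime((1999, 8, 5, 13, 13, 0, 0, 0, -1))
    os.utime(suspect, (t, t))
    return suspect, clean


def demo() -> list:
    """Scan both constructed samples; returns [True, False]."""
    with tempfile.TemporaryDirectory() as d:
        suspect, clean = build_samples(d)
        return [scan_file(suspect)["suspect"], scan_file(clean)["suspect"]]


if __name__ == "__main__":
    print(demo())
```

Requiring both indicators keeps false positives down: a legitimate file can happen to carry a 13:13 time stamp, and a text file quoting this write-up contains the strings, but only an infected executable should show both.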
148. Sandman Hoax
Aliases: Hoax
Infection Length: Hoax
Area of Infection: Hoax
Likelihood: Hoax
Region Reported: Email
Characteristics: Hoax
Description:
The following message has been sent out by email. It is a hoax. This "virus" does not exist.
The hoax message includes the following "warning":
Beware! if someone named asks you to
check out his page. DO NOT! It is at
www.geocities.com/vienna/6318 This
page hacks into your C:\drive.DO NOT GO THERE...
FOWARD THIS MAIL TO EVERYONE YOU KNOW.
Please ignore any messages regarding this "hoax" and do not pass on any messages regarding it. Passing on messages about this hoax serves only to further propagate it.
Write-up by: Motoaki Yamamura
Nov 5, 1999
149. Satria.A
Aliases: July 4th, ILove
Infection length: 512 bytes
Area of infection: Master boot record, floppy boot sector
Likelihood: Common
Region reported: USA, Germany
Characteristics: Wild, memory-resident, trigger
Target platform: DOS
Trigger date: Any July 4th
Description:
The Satria.A virus is a simple master boot record and floppy boot sector infecting virus which, apart from its graphical payload, does nothing more than replicate. When the system is booted on any July 4th, this virus displays on the screen a graphical letter L (in green), a flashing heart-shaped picture (in red), and a graphical letter U (in green).
Located within the body of this virus is the text (this text is never displayed):
(SAT)
My Honey B’day
Satria
During infection a copy of the original master boot record is stored at physical location cylinder 0 side 0 sector 8. On floppy disks, a copy of the original boot sector is stored within the last sector of the root directory (this will cause data loss on full floppy disks).