20A05.TXT - Description file for 20A05.DEF

Technical Support, SYMANTEC/Peter Norton Product Group
June 4, 1992

********************************NOTE**************************************
* THE DEFINITION FILE 20A05.DEF IS IDENTICAL TO 20404.DEF WITH THE       *
* EXCEPTION OF THE WONDER-2 VIRUS, WHICH HAS BEEN REMOVED FOR FURTHER    *
* INVESTIGATION.                                                         *
**************************************************************************

OVERVIEW

Form (aka Form Boot, FORM-18)
    This is a repairable boot sector infector of floppies and hard
    disks. The system speaker may produce clicking sounds on the 24th
    of each month.

Vienna (aka MONXLA, Austrian, Unesco, DOS-62, DOS-68, 1-in-8, 648)
    This is a repairable common infector of .COM files. Infected files
    will grow by 650 (648) bytes and may have a timestamp with a
    seconds field of 62. Every few instances, instead of infecting
    other files, it destroys files by overwriting the first 6
    characters with an instruction to reboot the machine. A large
    number of variants exist because the source code for this virus is
    published.

I-B (aka BadGuy, BadGuy 2, Crackpot, Demon, or Exterminator)
    These are a family of .COM file infectors. Program files which have
    grown approximately 200 to 250 bytes will activate Mondays or
    Tuesdays to show messages on screen. The Demon (272) and
    Exterminator (451) variants will overwrite hard disks!

R-10 (aka DataRape-10, Rape-10)
    This is a repairable memory resident .COM file infector. Infected
    files will grow approximately 500 bytes in length and memory
    resources will be consumed. When activated, this virus destroys the
    system hard disk.

R-11
    Similar to R-10, including associated aliases. .COM file growth is
    closer to 750 (747) bytes.

Troi
    This is a repairable memory resident infector of .COM files.
    Infected files grow 300 (322) bytes. File output and keyboard input
    may be lost.

African 109
    This is a .COM file infector. Infected files would grow 100 (109)
    bytes.

Barcelona
    This is a memory resident infector of .COM files.
    Infected files will grow 1800 (1792) bytes.

Caz
    This is a memory resident infector of .COM and .EXE files. Infected
    files will grow 1200 (1204) bytes, COMMAND.COM being a favored
    target. Infected systems will hide the size increase. Large
    infected programs may hang. System memory as reported by CHKDSK
    will be reduced by 2,048 bytes. Finally, CHKDSK will show many of
    the infected files as having file allocation errors.

Creeper (aka Tormentor)
    This is a memory resident infector of .COM files. Infected files
    will grow 500 (475) bytes. Total system memory as shown by CHKDSK
    will be lowered by 1024 bytes.

CSL (aka MicroElephant, CSL-Beta, CSL-V4, CSL-V5)
    This is a memory resident infector of .COM files. Infected files
    will grow 450 (457) bytes. The false message "Bad Command or file
    name" may appear when executing large .EXE files.

Darth Vader (aka Darth-1, Darth-2, Darth-3)
    This is a destroyer/infector of .COM files. The first approximately
    300 (270, 345, 255) bytes of the infected file are overwritten by
    the virus.

DM-400
    This is a memory resident infector of .COM files. Infected files
    grow 400 bytes. Execution of programs from write-protected
    diskettes once this virus becomes resident will result in the
    diskette drive spinning forever. Users of CGA monitors may find the
    "snow" effect occurring on their screens.

Dodo (aka Dodo-Pig)
    This is a memory resident infector of .COM files. Infected files
    grow 400 (408) bytes.

Hafen Strass (aka Hafen)
    This is an infector of .EXE files. Infected files will grow 800
    (809) bytes. This virus will create hidden files containing the
    following text: Hafenstaße bleibt!

Jerk (aka Talentless Jerk, SuperHacker, 1077, Jerk-B)
    This is an infector of .COM and .EXE files. Infected files grow
    1100 (1077) bytes. The hard disk will be accessed whether the
    infected program is executed from the hard disk or floppy drive. A
    message displaying a name may appear (note aka line above).

Jerusalem 11-30 (aka JERU1130, 1130)
    This is a memory resident infector of .COM and .EXE files. Infected
    files grow 2000 bytes. On November 30, "1130" will appear on the
    screen in reverse video.

Kalah
    This is a memory resident infector of .COM files. Infected files
    grow 400 (390) bytes.

Keypress
    This is a repairable memory resident infector of .COM and .EXE
    files. Infected .COM files would grow about 1250 bytes. Infected
    .EXE files would grow about 1500 bytes. When activated, single
    keystrokes may be interpreted as multiple occurrences of the same
    keystroke. This is a revision of a previously available definition.
    The new definition can detect and repair more versions of this
    virus.

Macedonia
    This is a memory resident infector of .COM files. Infected files
    will grow 400 bytes.

Manola
    This is a memory resident infector of .COM files favoring
    FORMAT.COM and KEYB.COM in C:\DOS. Infected files grow 950 (957)
    bytes. Maximum system memory as shown by CHKDSK will be decreased
    nearly 1K bytes.

Micro128 (aka Tiny-128)
    This is a memory resident infector of .COM files. Infected files
    will grow 150 (128) bytes.

Mini-45 (aka Minimal, Short-45, Mini-35, Mini-44, Mini-46, Mini-97, Mini-99)
    This is a destroyer/infector of .COM files which should only exist
    in research locations. The first 45 bytes of all .COM files in the
    present directory are overwritten by the virus.

Mirror
    This is a memory resident infector of .EXE files. Infected files
    will grow 950 bytes. Maximum system memory as shown by CHKDSK will
    be decreased nearly 1K bytes. The virus will occasionally mess up
    the video image by translating it to be a mirror image.

Mosquito
    This is a memory resident infector of .EXE files. In an attempt to
    hide from virus detection software, it does not infect programs
    with "scan" in their names. Infected files will grow 1050 bytes. As
    infected files are executed, total system memory is slowly usurped
    by the virus.

MPS-3.1, MPS-3.2
    This is an infector of .COM files.
    Infected files will grow 650 bytes. File access will be slowed as
    the virus tries to infect all programs on the disk.

MSTU
    This is an infector of .COM and .EXE files. Infected files will
    grow 550 bytes.

Multi (aka Multi-123)
    This is a memory resident virus infecting all .COM files in the
    directory. Infected files will grow 100 (123) bytes per iteration.
    System infection is characterized by long waits per disk access as
    the virus infects the whole directory. The virus does not look for
    previous copies of itself and will continue to attach multiple
    copies of itself to infected files.

Parasite, Parasite-2, Parasite-2B
    These are .COM file infectors. The system may print a message and
    may occasionally reboot by itself. Files infected by this virus
    would grow approximately 1000 (1132, 901, 903) bytes.

Phantom
    This is a memory resident infector of .COM files. Infected files
    will grow 2300 (2274) bytes. Maximum system memory as shown by
    CHKDSK will be decreased nearly 3K bytes. A message may appear on
    the computer starting with "HI ROOKIE! ..." Finally, the virus may
    shift column 0 on the video display to be the center of the screen.

Platinum
    This is a memory resident infector of .EXE files. Infected files
    will grow 1500 bytes. Maximum system memory as shown by CHKDSK will
    be decreased nearly 2K bytes.

Plovdiv 1.1, Plovdiv 1.3, Plovdiv x.x
    This is a family of memory resident infectors of .COM files.
    Infected files will grow 800 bytes but the virus will hide this
    fact if it is resident in memory.

    This is a memory resident infector of .COM files. Infected files
    will grow 400 bytes.

Pregnant
    This is a repairable memory resident infector of .COM files.
    Infected files grow 1200 (1199) bytes. However, when activated in
    memory, the file size increase is altered to show the original
    size. This virus will reduce the maximum system memory as shown by
    CHKDSK by 2048 bytes.

Relzfu (aka 233, FakeVirx)
    This is an infector of .COM files.
    Infected files will grow 250 (233) bytes. If COMMAND.COM is
    infected, it may print the message: "Specified COMMAND search
    directory bad".

Scream (aka Fist, Screaming Fist, Scream 2)
    This is a memory resident infector of .COM and .EXE files. Infected
    .COM files will have grown approximately 700 (711) bytes,
    COMMAND.COM being a favored target. Infected .EXE files may grow by
    up to 1200 bytes. Total system memory as reported by CHKDSK will be
    reduced by 2,048 bytes.

Shadow (aka ShadowByte, Shadow-2)
    This is an infector of .COM files. Infected files will grow 700
    bytes.

Striker #1 (aka Striker, QD335)
    This is an infector of .COM files. Infected files will grow 450
    (461) bytes.

Thimble
    This is a memory resident infector of .COM files. Infected files
    grow anywhere from 1K to 2K bytes.

Tokyo
    This is an infector of .EXE files. Infected files will grow 1250
    bytes. The system may experience occasional hangs.

USSR 311 (aka V-311, USSR-311, Com2Con)
    This is an infector of .COM files. Infected files grow 300 (311)
    bytes. COMMAND.COM may randomly be renamed to COMMAND.CON. All
    infected files will have a timestamp of 11:19:32 and certain file
    attributes are reset.

V801
    This is an infector of .COM and .EXE files. Infected files will
    grow 800 (801) bytes. When activated, the system may suddenly hang.

Were Here
    This is an infector of .COM files. Infected files will grow 850
    bytes. The message "We're Here" may be presented on the display
    when an infected file is executed.

Additionally, the name of the virus previously called PNG-001 has been
changed to New-Unknown.

(Note: File size growth is given in approximate numbers. If a number is
enclosed in parentheses, that number would be the growth of one of the
more common variants. As it is too easy for a virus writer to alter
this number without changing the virus significantly, do not depend on
the more precise number. It is provided for your confidence should you
encounter it, which we hope never happens.)