21A01.TXT - Description file for 21A01.DEF
AntiVirus Lab, SYMANTEC/Peter Norton Product Group
November 1, 1992

******************************************************************

Instructions for loading virus definitions, using Norton AntiVirus 2.1:

1) Run Virus Clinic by typing NAV at the DOS prompt.
2) If you are in DOS, press to accept the Welcome screen.
3) Select "Cancel," or press to bypass the "Scan Drives" screen.
4) Select the "Definitions" menu.
5) Select "Load from File..."
6) If the name of the drive and directory to which you loaded the definition file does not appear on the "Directory:" line, change to the proper drive and directory name and press. The name of the definition file should appear in the "Files" window.
7) Select the definition file, select "OK," and press.
8) After the definitions have loaded, press to exit from the "Load Definition File Results" screen.
9) Select "Exit" from the "Scan" menu.
10) Reboot your computer to activate the new definitions.

********************************************************************************

Reboot Patcher

Reboot Patcher appears to be a virus written in a high level language. It is an overwriting infector of COM and EXE files. The infection criteria also look for ARC and ZIP filetypes. The virus will search all subdirectories on the present drive as well as D:, B:, and A:. The virus does not appear to do anything other than propagate.

Cascade 1621

Cascade 1621 is an encrypted version of the classic Cascade virus. It is a memory resident infector of COM files. Infected files can be repaired by NAV. This virus intercepts INT 21h, function 4Bh, and infects on execution. On the 25th of each month, the virus will display the classic Cascade symptoms and drop letters on the screen to the bottom of the screen. At this time, the virus will also have intercepted INT 28h and 1Ch. The virus does not spread if the DOS level is less than 2.0.

V439

V439 is a memory resident infector of COM files.
The virus intercepts INT 21h. To check if it has already infected the system, it checks whether INT 21h is pointing at the value E8. Thus, this virus may not spread in combination with certain other viruses. The virus places itself near the high memory mark (640K). Files are infected on both file open and execution. During the process of infection, the virus will intercept the DOS error interrupt so you won't be aware that it has tried and failed to infect write-protected media. The virus does not appear to do anything but spread. Infected files can be repaired by NAV.

Shhs

Shhs has the potential to wipe out diskettes and disk drives! If the virus cannot find a suitable candidate file to infect, it will overwrite the first 35 sectors of the current drive. (The virus will also reset the keyboard typematic rate, but that will seem insignificant next to the damage it will have done.) Normally, Shhs is a direct action overwriting infector of COM and EXE files. On each execution, it will try to infect 3 EXE files in the current working directory. If it cannot, it will try to infect 3 COM files. Infected files are converted so that they always print

    program too big to fit in memory

even the smallest files. Files do not grow in size unless they were smaller than 585 bytes before infection, in which case they will grow to 585 bytes. As an overwriting virus, any infected file must be deleted.

Mini-42

This is someone's attempt at writing the shortest virus. The virus will try to infect every COM file in the current directory by overwriting the first 42 bytes with the viral code. If no COM files can be found, the virus still attempts to infect but with invalid file pointers. As an overwriting virus, any infected file must be deleted, which is plentiful damage since that may likely be every COM file on your system.

FUNE-921

FUNE-921 is a memory resident infector of COMs and EXEs. The memory resident portion loads itself near the top of memory (640K).
If the DOS level is less than 2.0, this virus will cause a machine crash. Interrupts 8, 21h, and 24h are intercepted. 21h is intercepted to propagate. Files are infected on file open and on execution. Files must be between 100 and 64279 bytes in order to be infected. 24h is intercepted to prevent users from seeing error messages should an attempt be made to infect write-protected media. And 8 is intercepted to count up to FFFFh clock ticks. After 65535 clock ticks (approximately 1 hr), the machine will play the funeral march or death march.

Prime

Prime is a direct action, encrypting, prepending infector of COM files. The actual infection parameter is all files that fit the pattern "*.C*". So, it also has the capability of destroying any other files that happen to have a filetype starting with C. The first 580 bytes of the original file are encrypted and attached to the end of the file. Those bytes are replaced by the encrypted viral code. On the first of the month, some text will show up on the screen and the screen will be rotated to the left. Because of the encryption, files that are infected must be deleted.

Leprosy A (aka PPT)

Leprosy A is an overwriting direct action infector of COM and EXE files. Claims are made within the viral code that it was written at CU-Boulder. It tries to infect all COMs and EXEs in the current directory and will convert all EXE files to COM format (wipe out the EXE header but maintain the EXE name). After infection of other files has occurred, it prints the message

    Program too big to fit in memory

References to Irving Berlin's music are visible in the viral code.

Les2, Les2-B

Les2 is a direct action infector of EXE files (actually, of any file that starts with the letter M: EXE files start with MZ, M is the instruction PUSH AX in a COM file, and any text file may start with the letter M). File size growth will be approximately 360 bytes. Infected files can be repaired by NAV.
Viral code contains the text:

    (c) 1992 Tormentor / Demoralized Youth
    Rather first in hell, than second in heaven

Does not appear to do anything other than propagate.

Quake

Quake is a memory resident infector of COM and EXE files. When an infected file is executed, it will attempt to infect all COM and EXE files in the current directory. Infected files will grow approximately 960 bytes. With the virus in memory, the screen may appear to shake. After the screen shaking occurs, characters on the screen will be shifted to the left by some number of bytes, causing the DOS prompt to appear as if starting on the previous line. Quake intercepts INT 3, the breakpoint interrupt, and generally makes the virus very difficult to trace. The virus contains the signature of PHALCON/SKISM, which also appears on a number of other viruses. Because of similarities between viruses from this same source, this definition may call out some of the other viruses by these same authors.

Dossound Joke Program

As the name implies, this is not a virus. However, it prints the following message on the screen when executed:

    Super Virus Ver 1.0 By Pest inc. @88
    Hi glad you could provide a disk for my comfort
    you already have infected this machine and like aids
    I am terminate and stay resident until popup time
    Please do not press andy key during Virus Attack
    to do so will destroy all fat_tables on your hard_disk
    as you have noticed the hard disk is active so be extra
    carefull how you treat the machine and data
    you have been warned !!!!

Just reboot the machine and delete the program.

Pif-Paf

Pif-Paf is a memory resident infector of COM and EXE files. Files are infected when executed. Infected files grow approximately 760 bytes and can be repaired by NAV. The virus does not appear to do anything except propagate.

Little Brother (307), Little Brother (299)

These Little Brother viruses are memory resident companion viruses. These companion viruses create COM files where EXE files exist.
Created files are of the size 307 or 300 bytes. When resident, the contents of the files are located in low memory. All that is needed to clean a system that is infected with these viruses is to delete the files called out as being infected. No damage is done to EXE files. The viruses intercept INT 21h to propagate and for use in self-identification. INT 24h is intercepted to hide errors during the infection process. Infections occur on execution and only require that the filetype be EXE. Thus an EXE type file with its name changed to COM will not be infected! Little Brother (299) checks for itself in memory by issuing an INT 21h, AX=DEDE. This may cause an incompatibility in Novell environments. Infected systems may find that the ESC and BackSpace keys no longer function.

Vienna-744

Vienna-744 is a direct action infector of COM files. On each execution, one COM file in the current directory is infected. Infected files grow by approximately 750 (744) bytes. Timestamps on the files do not change. Files with the ReadOnly attribute set can still be infected.

Yankee (2971)

Yankee (2971) is a memory resident infector of COM and EXE files. Files are infected upon execution. Infected files will grow approximately 2975 (2971) bytes. The memory resident portion of the virus is approximately 3.2K and resides just below the 640K mark. The virus uses INT 21h, function C603h, to identify itself and thus may cause an incompatibility in Novell networks. This virus hooks a number of interrupts (9, 1Ch, 21h, and 28h) but is buggy and thus will cause system hangs, divide overflows, and garbage to be displayed on the screen.

Yankee (3840)

Yankee (3840) is an encrypting memory resident infector of COM and EXE files. Files are infected on execution, though there is code in the virus body to do find first and find next functions. Infected files will grow approximately 3850 (3840) bytes.
The memory resident portion of the virus is approximately 4K and resides just below the 640K mark. These files cannot be recovered and must be retrieved from trusted backups.

********************************************************************************

The following is text taken from the October 2.0 update files. These viruses have now been included in the November 2.1 definition set:

    Groove memory detection
    Pogue memory detection

The October update includes memory detection signatures for Groove and Pogue. These are two of the first viruses to use the Mutation Engine. As such, you must use NAV 2.1 to detect infected files on disk. However, with the memory detection signatures in place, you will be notified if you have a problem. Infected files cannot be repaired.

Groove

Groove is a memory resident infector of COM and EXE files. Infections occur when a program is executed (DOS Interrupt 21, function 4B). Infections to EXE files are based on whether an MZ or ZM is present in the first two bytes. Otherwise, a file is infected assuming it is a COM file. No check of the actual extension is ever made. Groove tries to determine if it is memory resident by issuing FBA0 to INT 21 and checking the return value. This may conflict with certain configurations, as function FB is reserved by Microsoft for OEM use. Apart from this conflict, the Groove virus is poorly written and will likely cause all infected programs to crash. Thus the capability of spread is not great, as you will be alarmed by the fact that many programs will no longer function. Groove reserves approximately 5K out of DOS' memory. Groove is unique through its intention. It is the first virus to have been designed to attack anti-virus software.
Code present in the virus will delete the following files, whether they are set as read-only or not:

    C:\NAV_._NO
    C:\NOVIRCVR.CTS
    C:\NOVIPERF.DAT
    C:\CPAV\CHKLIST.CPS
    C:\TOOLKIT\FILES.LST
    C:\UNTOUCH\UT.UT1
    C:\UNTOUCH\UT.UT2
    C:\VS.VS

Based on the existence of a real-time clock, which most PCs have, the following message will be displayed at about 12:30am:

    This Virus is NOT dedicated to Sara
    its dedicated to her Groove (...Thats my name)
    This Virus is only a test Virus
    therefor be ready for my Next Test ..

Without the real-time clock, the message is displayed upon each new infection.

Pogue

Pogue infects files on execute and close. Pogue will not function properly on Novell networks, as it uses Novell's INT 21 function DA to look for itself in memory. It requires that the system be of DOS version 3 or greater, supposedly to fool some anti-virus programs into thinking the program is a natural file. The Pogue virus does not seem to contain system destructive code. However, on May 1 all day, or each day before 7am, the system will generate noises from the speaker.

Como Lake

Como Lake is a non-resident infector of EXE files. File size growth ranges somewhere near 2020 bytes. It appears not to have any nasty intentions except to spread. Although a repair is provided, the repair may not always function correctly.

Stoned (Whit)

This is yet another form of the Stoned boot sector infectors. Whit intercepts INT 13 (disk/diskette I/O) and, on each call to INT 13, will check the system timer. At random times, an intercepted command to read the disk or diskette will result in a single byte being XOR'ed before the buffer is returned to the system, yielding unpredictable or inconsequential results. This virus steals 2K of conventional RAM.

Geek

Geek is a resident infector of EXE and COM files of approximately 450 bytes. Files are infected on execution. The virus loads itself into the interrupt vector table and thus may be incompatible with certain hardware and software combinations.
By doing so, it may also seem to you that all the upper set of interrupts have changed. If an infected file is executed on the 29th of any month, a random sector of data will be overwritten.

PS-MPC.644

PS-MPC.644 is the first virus to be seen that obviously comes from a virus creation package known as PS-MPC. This is a self-encrypting virus which infects EXEs and COMs when an infected file is run. The encryption key will change with each iteration. If no files can be infected in the present directory, it will attempt to change directories to the parent directory. However, COMMAND.COM will be avoided. The read-only attribute has no effect. Files grow by 644 bytes, thus its name. If the day of the week is Friday, the first three sectors of the hard disk are overwritten with garbage.

Boojum

Boojum is a repairable memory resident infector of EXE files. A small number of files having a 2 in the high byte of the "minimum paragraphs required" field of the EXE header will not be infected. File size and date are changed. The file size growth is approximately 350 bytes.

(Note: File size growth is given in approximate numbers. If a number is enclosed in parentheses, that number would be the growth of one of the more common variants. As it is too easy for a virus writer to alter this number without changing the virus significantly, do not depend on the more precise number. It is provided for your confidence should you encounter it, which we hope never happens.)
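Two of the behaviours above can be checked from a modern host with nothing more than a directory listing and a header parser: the Little Brother companion pattern (a COM file created beside an EXE of the same base name, 307 or 300 bytes in size) and the EXE header details that Groove and Boojum key on (Groove treats a file as EXE only when its first two bytes are MZ or ZM, ignoring the extension; Boojum skips EXEs whose "minimum paragraphs required" field has 2 in its high byte). The following Python script is an added example and is not part of the original Symantec notes or of NAV; the e_* field names are the conventional names for the MZ header fields, and the sample files it scans are constructed in a temporary directory so it runs offline.

```python
"""Triage a directory of DOS executables for the patterns described above.

Added example (not Symantec/NAV code). Sample files are constructed, not real samples.
"""
import os
import struct
import tempfile

# Companion file sizes quoted in the Little Brother notes above.
COMPANION_SIZES = {307, 300}

MZ_FIELD_NAMES = ("e_cblp", "e_cp", "e_crlc", "e_cparhdr", "e_minalloc", "e_maxalloc",
                  "e_ss", "e_sp", "e_csum", "e_ip", "e_cs", "e_lfarlc", "e_ovno")


def classify_by_signature(data: bytes) -> str:
    """Groove's rule: EXE if the first two bytes are MZ or ZM, otherwise assume COM.
    The file extension is never consulted, which is why a scanner must check both."""
    return "EXE" if data[:2] in (b"MZ", b"ZM") else "COM"


def parse_mz_header(data: bytes) -> dict:
    """Parse the fixed 28-byte DOS MZ header: signature plus 13 little-endian words."""
    if len(data) < 28 or data[:2] not in (b"MZ", b"ZM"):
        raise ValueError("not an MZ executable")
    hdr = dict(zip(MZ_FIELD_NAMES, struct.unpack_from("<13H", data, 2)))
    hdr["signature"] = data[:2].decode("ascii")
    # e_minalloc sits at header offset 0x0A; Boojum tests its high byte for the value 2.
    hdr["minalloc_high_byte"] = hdr["e_minalloc"] >> 8
    return hdr


def find_companions(directory: str) -> list:
    """Flag COM files that sit beside an EXE with the same base name (companion pattern).
    size_match is True when the COM file has one of the sizes given in the notes."""
    by_stem = {}
    for name in os.listdir(directory):
        stem, ext = os.path.splitext(name)
        by_stem.setdefault(stem.upper(), {})[ext.upper()] = name
    findings = []
    for stem, exts in sorted(by_stem.items()):
        if ".EXE" in exts and ".COM" in exts:
            size = os.path.getsize(os.path.join(directory, exts[".COM"]))
            findings.append({"stem": stem, "com": exts[".COM"], "size": size,
                             "size_match": size in COMPANION_SIZES})
    return findings


def scan(directory: str) -> dict:
    """Combine the companion check with per-file signature and header inspection."""
    report = {"companions": find_companions(directory), "headers": {}}
    for name in sorted(os.listdir(directory)):
        with open(os.path.join(directory, name), "rb") as f:
            data = f.read()
        kind = classify_by_signature(data)
        entry = {"by_signature": kind,
                 "by_extension": os.path.splitext(name)[1].upper().lstrip(".")}
        if kind == "EXE":
            entry["header"] = parse_mz_header(data)
        report["headers"][name] = entry
    return report


def build_sample_dir() -> str:
    """Construct sample files (hypothetical content) in a fresh temporary directory."""
    d = tempfile.mkdtemp(prefix="dosscan_")
    # Ordinary MZ executable, e_minalloc = 0x0010.
    mz = b"MZ" + struct.pack("<13H", 0x90, 3, 0, 4, 0x0010, 0xFFFF, 0, 0x80, 0, 0, 0, 0x1C, 0)
    with open(os.path.join(d, "EDIT.EXE"), "wb") as f:
        f.write(mz + b"\x00" * 100)
    # A 307-byte COM file beside it: the size a Little Brother companion would have.
    with open(os.path.join(d, "EDIT.COM"), "wb") as f:
        f.write(b"\x90" * 307)
    # ZM-signed executable whose e_minalloc high byte is 2 (0x0200): the case Boojum skips.
    zm = b"ZM" + struct.pack("<13H", 0x90, 3, 0, 4, 0x0200, 0xFFFF, 0, 0x80, 0, 0, 0, 0x1C, 0)
    with open(os.path.join(d, "ZMHDR.EXE"), "wb") as f:
        f.write(zm + b"\x00" * 100)
    # Plain COM program with no EXE partner: mov ah,4Ch / int 21h (DOS exit).
    with open(os.path.join(d, "HELLO.COM"), "wb") as f:
        f.write(b"\xB4\x4C\xCD\x21")
    return d


if __name__ == "__main__":
    result = scan(build_sample_dir())
    for c in result["companions"]:
        print("companion: %s (%d bytes, size match: %s)" % (c["com"], c["size"], c["size_match"]))
    for name, entry in result["headers"].items():
        print(name, entry["by_extension"], "->", entry["by_signature"],
              entry.get("header", {}).get("signature", ""))
```

The companion finding is only a lead, not proof of infection: legitimate packages do ship an EXE and a COM with the same base name, so the size match against the notes is what raises it to "look at this file". The signature-based classification mirrors why the notes warn that Groove never checks the extension: a scanner that trusts the extension alone will parse a renamed file with the wrong rules.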