1.
Kiryanov
Boot Viruses
This is a benign memory resident boot virus. It hooks INT 13h, and writes itself to the boot sector of hard drive and boot sectors of floppy diskettes being accessed. On the 25th day of each month, the virus displays the following message: TSCU RGF Kiryanov Niklaus'99 (c)In_sAnE The virus also...
2.
Stoned Family
Boot Viruses
"Stoned" family. At midnight, this virus displays the following message: IT'S MID NIGH Stoned.Military In November, this virus tries to format hard drive sectors. Stoned.Million This virus does not save the original floppy Boot sector and types "Non-System disk" while booting from an infected...
3.
Animals family
File Viruses, DOS
These are benign memory resident polymorphic parasitic viruses. They do not install themselves memory resident if TBAV anti-virus TSR drivers are installed. The viruses hook INT 8 and 21h, and write themselves to the end of COM and EXE files that are executed. The viruses do not infect files if the...
4.
Brackets.1367
File Viruses, DOS
This is a benign memory resident parasitic virus. It hooks INT 21h, and writes itself to the end of .COM and .EXE files that are accessed by FindFirst/Next FCB DOS functions (DIR command). On Sundays, the virus also hooks INT 1Ch to play a tune, but this code has a bug, and the virus halts the...
5.
DirDropper Family
File Viruses, DOS
These are dangerous, non-memory resident parasitic viruses. They search for .COM files (except COMMAND.COM) and write themselves to their beginnings. They search for other executable files also, and replace them with a copy of the DIR_II virus. In October, these viruses erase disk sectors and halt...
6.
Elvira family
File Viruses, DOS
These are relatively harmless, non-memory resident parasitic viruses. They search for .COM files in the current directory, then write themselves to the end of the file. The viruses replicate themselves only in October and November. In December, they disinfect host files and display the following...
7.
FaxFree Family
File Viruses, DOS
These are dangerous memory resident parasitic encrypted viruses. They hook INT 21h, and write themselves to the end of EXE-files (except SCAN.EXE and VSHIELD.EXE) that are executed. FaxFree.1536 On the 25th and 26th of every month, "FaxFree.1536" erases part of the DOS data. In some cases, it...
8.
Frodo
File Viruses, DOS
This is a memory-resident stealth virus, 4096 (1000h) bytes long. It infects files upon execution or closing. Contamination of data-files is also possible. The virus completes its copy in such a way that the size of an infected file will grow exactly by 4096 bytes (see "Eddie.2000"). In infected...
9.
Jasio.666
File Viruses, DOS
Jasio.666 is a relatively harmless memory resident parasitic virus. It hooks INT 21h, and depending on its internal counter, searches for .COM-files, then writes itself to the end of the file. On the 13th and 25th of any month, the virus also hooks INT 9 (keyboard), and "eats" the SPACE key. The...
10.
Jerusalem family
File Viruses, DOS
Jerusalem family. This virus hooks INT 9, 16h, and 21h. Upon a 'warm' reboot (Alt-Ctrl-Del), according to the current time, the virus decrypts (XOR AFh) and displays the following text: The world will hear from me again! Depending on the date, it corrects the text entered from a keyboard. If a user...
11.
Koder.1024
File Viruses, DOS
This is a dangerous memory resident partly encrypted parasitic virus. It hooks INT 21h, and writes itself to the end of EXE files that are executed. While opening an infected file, or while accessing to an infected file with FindFirst/Next DOS functions, the virus decreases the file length....
12.
MS.748
File Viruses, DOS
This is a very dangerous non-memory resident parasitic virus. It searches for .COM files, and writes itself to the end of the files. On Saturday at 5 a.m., it overwrites .EXE files with a little program that erases random sectors of the hard drive, and displays randomly selected letters. The...
13.
Maca.1000
File Viruses, DOS
This is a relatively harmless memory resident parasitic virus. It hooks INT 21h, and writes itself to the end of COM and EXE files that are executed. While installing a memory resident, the virus infects the C:\COMMAND.COM file. During even months (February, April, etc.) on the 4th, 8th, and 12th,...
14.
Markiz Family
File Viruses, DOS
These are dangerous memory resident encrypted parasitic viruses. They trace and hook INT 21h, then they infect COM and EXE files. The viruses contain the text strings: "Markiz.1972": MARKIZ-4/³1995 [note displayed in HTML version) "Markiz.2620": [-DEDiCA+ED-Ï0-MARKiZ-] Markiz.1972 This virus uses a...
15.
Murphy Family
File Viruses, DOS
"Murphy" family. This is a dangerous memory resident virus. It hooks INT 8 and 21h, and infects COM, EXE and OVL files that are executed. Some time after activation, the virus "launches" several balls of different colors randomly moving around the screen (the effect is similar to the ball movement...
16.
Olga.4448
File Viruses, DOS
This is a very dangerous memory resident parasitic virus. It hooks INT 21h, and writes itself to the beginning of COM files when their attributes are modified (some utilities, including anti-viruses, do this while processing files). In October, the virus erases sectors on the current drive...
17.
Puppets.960
File Viruses, DOS
This is a relatively harmless memory resident parasitic virus. It hooks INT 9, 10h, and 21h, and writes itself to the end of COM- and EXE-files that are executed or opened. When Alt-Ctrl-Del is pressed (warm rebooting), the virus tries to stay memory resident. It displays the following: Phoenix ROM...
18.
Sova.4060
File Viruses, DOS
It is a dangerous memory resident encrypted parasitic virus. It hooks INT 21h and writes itself to the end of COM and EXE files that are accessed. On January, 29th and October, 25th the virus destroys the directory entries that contain the WIN string. The virus contains the text strings:...
19.
Ugrad.1145
File Viruses, DOS
This is a benign memory resident parasitic virus. It hooks INT 21h, and writes itself to the end of COM and EXE files that are executed or created and then closed (copied, restored from backup or archives). On the weekend, the virus also hooks INT 8, and in time, disables the keyboard and video...
20.
Weekend.866
File Viruses, DOS
This is a benign non-memory resident parasitic virus. It searches for COM files, then writes itself to the end of the file. On Saturdays and Sundays, the virus displays a message in Russian ("Weekend is for rest"), and halts the computer.
21.
I-Worm.FireBurn
Internet Worms
This is Internet worm spreading as VBS file attached to email messages. To send infected messages the worm uses MS Outlook. The worm also is able to send its copies to IRC channels by affecting mIRC client. When the worm file is activated (by double click on attached file in infected messages, or...
22.
I-Worm.Trood
Internet Worms
This is Internet worm that spreads attached to e-mails. The worm itself is a Windows application (EXE file) about 10K in length. The worm is able to infect Win9x/ME systems only. When the worm is activated (executed by a user from a attached file), it installs itself to the system and displays a...
23.
Macro.Excel.Emperor
Macro Viruses (Word, Excel, Access, PowerPoint, Amipro and Visio)
These viruses infect Excel sheets. They contain one macro (module) with the name "Emperor" that contains five functions: "Emperor.a": Aut
pen, keyplus, check_file, write_virus, run_virus. "Emperor.b": Auto_Close, CheckFile, WriteVirus, ScreenTool, MenuDelete. Upon opening (closing), the infected...
24.
Macro.Excel.SW
Macro Viruses (Word, Excel, Access, PowerPoint, Amipro and Visio)
This virus infects Excel sheets. It contains three functions in one module "sw": Autpen, Auto_Close, no. While loading an infected document, Excel executes the auto function "auto_open", and the virus takes control. The virus "auto_open" function redirects its "no" function as activated upon...
25.
Macro.Excel.Uedasun
Macro Viruses (Word, Excel, Access, PowerPoint, Amipro and Visio)
This is an Excel macro-virus containing eight procedures in the module "A-TDK": Save, auto_open, scan, Status, DO_EVERYTHING, DO_SOMETHING, nexts, and check. The virus infects workbooks upon workbook opening or activating any of its sheets. The infection procedure creates an infected workbook with...
26.
Macro.Excel97.SW
Macro Viruses (Word, Excel, Access, PowerPoint, Amipro and Visio)
This Excel macro virus is related to "Macro.Excel.Laroux". It intercepts a sheet's activation routine, and infects Excel worksheets. It contains three macros in the module "sw": Autpen, no, Auto_Close. The virus deletes all menu items, shortcut menus and hot key used to view macros or related to...
27.
Macro.Word.Emperor
Macro Viruses (Word, Excel, Access, PowerPoint, Amipro and Visio)
These are encrypted Chinese macro-viruses that replicate themselves only under the Chinese Word version. Emperor.a This virus contains five macros: AutoOpen, Emperor, VirusMessage, FileTemplates, ToolsMacro (stealth). Upon opening an infected document (AutoOpen), the virus infects all current Word...
28.
Macro.Word.Giggle
Macro Viruses (Word, Excel, Access, PowerPoint, Amipro and Visio)
This is an encrypted macro-virus containing three macros: AutoOpen, FileSaveAs, OhYes. It replicates itself when documents are opened or saved with a new name. It identifies itself in documents according to the document variable "Giggle=OhMyGod". On each day except Tuesday, the virus, depending on...
29.
Macro.Word.Katty
Macro Viruses (Word, Excel, Access, PowerPoint, Amipro and Visio)
This is a very dangerous macro-virus containing only one macro AutoOpen and infecting the global macro area upon opening an infected document. It writes itself to other documents when they are being opened. On May 11th, it displays the following message: Happy Birthday My Dear Katty! I Love You! On...
30.
Macro.Word.Veneno
Macro Viruses (Word, Excel, Access, PowerPoint, Amipro and Visio)
This is an encrypted Word macro-virus containing 12 macros: Veneno, Travel1, Travel2, AutoExec, AutoOpen, Trinitron, ArchivoAbrir, ArchivoSalir, InsertVeneno, ArchivoImprimir, ArchivoGuardarComo, and ArchivoImprimirPredeter. The virus infects the global macros area (NORMAL.DOT) upon the opening of...
31.
Macro.Word.Waverley
Macro Viruses (Word, Excel, Access, PowerPoint, Amipro and Visio)
This virus contains only one macro, AutoClose, and infects files upon closing. It then checks the system date and time and starting from October, if the seconds are 45 or more, the virus appends the following to the end of a document: We are citizens of Australia. We are youth of Victoria. We are...
32.
Oeur.3072
Multipartite (File and Boot) Viruses
This is a dangerous memory resident multipartite virus. Upon loading from an infected file, it hits the hard-drive MBR, and upon installation in a system memory, it hooks INT 13h, 21h, and F5h. Upon loading from an infected MBR, it also hooks INT 1Ch, which summons an installation routine when DOS...
33.
Win32.HLLW.Showgame
NewExe Viruses
This is a very dangerous memory resident Win32 virus worm. It doesn't infect files; but spreads "as-is" - as a 70K Win32 application that can be found in three files: in the Windows system directory with WINDOWS.EXE name in the Windows directory with WINXYZ.EXE name on an A: drive with SHOWGAME.EXE...
34.
Win32.Halen
NewExe Viruses
This is a benign non-memory resident parasitic polymorphic Win32 virus. It searches for PE EXE and SCR files in Windows, the Windows system and current directories, then writes itself to the end of the file. On Saturdays at 19:00 Greenich Mean Time(GMT), the virus displays a message box, and then...
35.
Trojan.Win32.Filecoder
Trojan horses
Filecoder is a trojan program that renames and encrypts files into subdirectories of local and network drives. It is written in Delphi and compressed by the UPX utility. The compressed size is 137 KB; the uncompressed size is 353 KB. This virus program is sent via e-mail, proclaiming...
Kiryanov
Boot Viruses
This is a benign memory resident boot virus. It hooks INT 13h, and writes itself to the boot sector of hard drive and boot sectors of floppy diskettes being accessed. On the 25th day of each month, the virus displays the following message: TSCU RGF Kiryanov Niklaus'99 (c)In_sAnE The virus also...
2.
Stoned Family
Boot Viruses
"Stoned" family. At midnight, this virus displays the following message: IT'S MID NIGH Stoned.Military In November, this virus tries to format hard drive sectors. Stoned.Million This virus does not save the original floppy Boot sector and types "Non-System disk" while booting from an infected...
3.
Animals family
File Viruses, DOS
These are benign memory resident polymorphic parasitic viruses. They do not install themselves memory resident if TBAV anti-virus TSR drivers are installed. The viruses hook INT 8 and 21h, and write themselves to the end of COM and EXE files that are executed. The viruses do not infect files if the...
4.
Brackets.1367
File Viruses, DOS
This is a benign memory resident parasitic virus. It hooks INT 21h, and writes itself to the end of .COM and .EXE files that are accessed by FindFirst/Next FCB DOS functions (DIR command). On Sundays, the virus also hooks INT 1Ch to play a tune, but this code has a bug, and the virus halts the...
5.
DirDropper Family
File Viruses, DOS
These are dangerous, non-memory resident parasitic viruses. They search for .COM files (except COMMAND.COM) and write themselves to their beginnings. They search for other executable files also, and replace them with a copy of the DIR_II virus. In October, these viruses erase disk sectors and halt...
6.
Elvira family
File Viruses, DOS
These are relatively harmless, non-memory resident parasitic viruses. They search for .COM files in the current directory, then write themselves to the end of the file. The viruses replicate themselves only in October and November. In December, they disinfect host files and display the following...
7.
FaxFree Family
File Viruses, DOS
These are dangerous memory resident parasitic encrypted viruses. They hook INT 21h, and write themselves to the end of EXE-files (except SCAN.EXE and VSHIELD.EXE) that are executed. FaxFree.1536 On the 25th and 26th of every month, "FaxFree.1536" erases part of the DOS data. In some cases, it...
8.
Frodo
File Viruses, DOS
This is a memory-resident stealth virus, 4096 (1000h) bytes long. It infects files upon execution or closing. Contamination of data-files is also possible. The virus completes its copy in such a way that the size of an infected file will grow exactly by 4096 bytes (see "Eddie.2000"). In infected...
9.
Jasio.666
File Viruses, DOS
Jasio.666 is a relatively harmless memory resident parasitic virus. It hooks INT 21h, and depending on its internal counter, searches for .COM-files, then writes itself to the end of the file. On the 13th and 25th of any month, the virus also hooks INT 9 (keyboard), and "eats" the SPACE key. The...
10.
Jerusalem family
File Viruses, DOS
Jerusalem family. This virus hooks INT 9, 16h, and 21h. Upon a 'warm' reboot (Alt-Ctrl-Del), according to the current time, the virus decrypts (XOR AFh) and displays the following text: The world will hear from me again! Depending on the date, it corrects the text entered from a keyboard. If a user...
11.
Koder.1024
File Viruses, DOS
This is a dangerous memory resident partly encrypted parasitic virus. It hooks INT 21h, and writes itself to the end of EXE files that are executed. While opening an infected file, or while accessing to an infected file with FindFirst/Next DOS functions, the virus decreases the file length....
12.
MS.748
File Viruses, DOS
This is a very dangerous non-memory resident parasitic virus. It searches for .COM files, and writes itself to the end of the files. On Saturday at 5 a.m., it overwrites .EXE files with a little program that erases random sectors of the hard drive, and displays randomly selected letters. The...
13.
Maca.1000
File Viruses, DOS
This is a relatively harmless memory resident parasitic virus. It hooks INT 21h, and writes itself to the end of COM and EXE files that are executed. While installing a memory resident, the virus infects the C:\COMMAND.COM file. During even months (February, April, etc.) on the 4th, 8th, and 12th,...
14.
Markiz Family
File Viruses, DOS
These are dangerous memory resident encrypted parasitic viruses. They trace and hook INT 21h, then they infect COM and EXE files. The viruses contain the text strings: "Markiz.1972": MARKIZ-4/³1995 [note displayed in HTML version) "Markiz.2620": [-DEDiCA+ED-Ï0-MARKiZ-] Markiz.1972 This virus uses a...
15.
Murphy Family
File Viruses, DOS
"Murphy" family. This is a dangerous memory resident virus. It hooks INT 8 and 21h, and infects COM, EXE and OVL files that are executed. Some time after activation, the virus "launches" several balls of different colors randomly moving around the screen (the effect is similar to the ball movement...
16.
Olga.4448
File Viruses, DOS
This is a very dangerous memory resident parasitic virus. It hooks INT 21h, and writes itself to the beginning of COM files when their attributes are modified (some utilities, including anti-viruses, do this while processing files). In October, the virus erases sectors on the current drive...
17.
Puppets.960
File Viruses, DOS
This is a relatively harmless memory resident parasitic virus. It hooks INT 9, 10h, and 21h, and writes itself to the end of COM- and EXE-files that are executed or opened. When Alt-Ctrl-Del is pressed (warm rebooting), the virus tries to stay memory resident. It displays the following: Phoenix ROM...
18.
Sova.4060
File Viruses, DOS
It is a dangerous memory resident encrypted parasitic virus. It hooks INT 21h and writes itself to the end of COM and EXE files that are accessed. On January, 29th and October, 25th the virus destroys the directory entries that contain the WIN string. The virus contains the text strings:...
19.
Ugrad.1145
File Viruses, DOS
This is a benign memory resident parasitic virus. It hooks INT 21h, and writes itself to the end of COM and EXE files that are executed or created and then closed (copied, restored from backup or archives). On the weekend, the virus also hooks INT 8, and in time, disables the keyboard and video...
20.
Weekend.866
File Viruses, DOS
This is a benign non-memory resident parasitic virus. It searches for COM files, then writes itself to the end of the file. On Saturdays and Sundays, the virus displays a message in Russian ("Weekend is for rest"), and halts the computer.
21.
I-Worm.FireBurn
Internet Worms
This is Internet worm spreading as VBS file attached to email messages. To send infected messages the worm uses MS Outlook. The worm also is able to send its copies to IRC channels by affecting mIRC client. When the worm file is activated (by double click on attached file in infected messages, or...
22.
I-Worm.Trood
Internet Worms
This is Internet worm that spreads attached to e-mails. The worm itself is a Windows application (EXE file) about 10K in length. The worm is able to infect Win9x/ME systems only. When the worm is activated (executed by a user from a attached file), it installs itself to the system and displays a...
23.
Macro.Excel.Emperor
Macro Viruses (Word, Excel, Access, PowerPoint, Amipro and Visio)
These viruses infect Excel sheets. They contain one macro (module) with the name "Emperor" that contains five functions: "Emperor.a": Aut
pen, keyplus, check_file, write_virus, run_virus. "Emperor.b": Auto_Close, CheckFile, WriteVirus, ScreenTool, MenuDelete. Upon opening (closing), the infected...24.
Macro.Excel.SW
Macro Viruses (Word, Excel, Access, PowerPoint, Amipro and Visio)
This virus infects Excel sheets. It contains three functions in one module "sw": Aut
pen, Auto_Close, no. While loading an infected document, Excel executes the auto function "auto_open", and the virus takes control. The virus "auto_open" function redirects its "no" function as activated upon...25.
Macro.Excel.Uedasun
Macro Viruses (Word, Excel, Access, PowerPoint, Amipro and Visio)
This is an Excel macro-virus containing eight procedures in the module "A-TDK": Save, auto_open, scan, Status, DO_EVERYTHING, DO_SOMETHING, nexts, and check. The virus infects workbooks upon workbook opening or activating any of its sheets. The infection procedure creates an infected workbook with...
26.
Macro.Excel97.SW
Macro Viruses (Word, Excel, Access, PowerPoint, Amipro and Visio)
This Excel macro virus is related to "Macro.Excel.Laroux". It intercepts a sheet's activation routine, and infects Excel worksheets. It contains three macros in the module "sw": Aut
pen, no, Auto_Close. The virus deletes all menu items, shortcut menus and hot key used to view macros or related to...27.
Macro.Word.Emperor
Macro Viruses (Word, Excel, Access, PowerPoint, Amipro and Visio)
These are encrypted Chinese macro-viruses that replicate themselves only under the Chinese Word version. Emperor.a This virus contains five macros: AutoOpen, Emperor, VirusMessage, FileTemplates, ToolsMacro (stealth). Upon opening an infected document (AutoOpen), the virus infects all current Word...
28.
Macro.Word.Giggle
Macro Viruses (Word, Excel, Access, PowerPoint, Amipro and Visio)
This is an encrypted macro-virus containing three macros: AutoOpen, FileSaveAs, OhYes. It replicates itself when documents are opened or saved with a new name. It identifies itself in documents according to the document variable "Giggle=OhMyGod". On each day except Tuesday, the virus, depending on...
29.
Macro.Word.Katty
Macro Viruses (Word, Excel, Access, PowerPoint, Amipro and Visio)
This is a very dangerous macro-virus containing only one macro AutoOpen and infecting the global macro area upon opening an infected document. It writes itself to other documents when they are being opened. On May 11th, it displays the following message: Happy Birthday My Dear Katty! I Love You! On...
30.
Macro.Word.Veneno
Macro Viruses (Word, Excel, Access, PowerPoint, Amipro and Visio)
This is an encrypted Word macro-virus containing 12 macros: Veneno, Travel1, Travel2, AutoExec, AutoOpen, Trinitron, ArchivoAbrir, ArchivoSalir, InsertVeneno, ArchivoImprimir, ArchivoGuardarComo, and ArchivoImprimirPredeter. The virus infects the global macros area (NORMAL.DOT) upon the opening of...
31.
Macro.Word.Waverley
Macro Viruses (Word, Excel, Access, PowerPoint, Amipro and Visio)
This virus contains only one macro, AutoClose, and infects files upon closing. It then checks the system date and time and starting from October, if the seconds are 45 or more, the virus appends the following to the end of a document: We are citizens of Australia. We are youth of Victoria. We are...
32.
Oeur.3072
Multipartite (File and Boot) Viruses
This is a dangerous memory resident multipartite virus. Upon loading from an infected file, it hits the hard-drive MBR, and upon installation in a system memory, it hooks INT 13h, 21h, and F5h. Upon loading from an infected MBR, it also hooks INT 1Ch, which summons an installation routine when DOS...
33.
Win32.HLLW.Showgame
NewExe Viruses
This is a very dangerous memory resident Win32 virus worm. It doesn't infect files; but spreads "as-is" - as a 70K Win32 application that can be found in three files: in the Windows system directory with WINDOWS.EXE name in the Windows directory with WINXYZ.EXE name on an A: drive with SHOWGAME.EXE...
34.
Win32.Halen
NewExe Viruses
This is a benign non-memory resident parasitic polymorphic Win32 virus. It searches for PE EXE and SCR files in Windows, the Windows system and current directories, then writes itself to the end of the file. On Saturdays at 19:00 Greenich Mean Time(GMT), the virus displays a message box, and then...
35.
Trojan.Win32.Filecoder
Trojan horses
Filecoder is a trojan program that renames and encrypts files into subdirectories of local and network drives. It is written in Delphi and compressed by the UPX utility. The compressed size is 137 KB; the uncompressed size is 353 KB. This virus program is sent via e-mail, proclaiming...
