frisk@rhi.hi.is (Fridrik Skulason) (01/03/90)
Several new PC viruses have appeared recently. This short note
contains a preliminary description of some of them, including the new
viruses in the package from Poland.
I have updated my anti-virus programs to detect, stop and remove the
viruses listed below (as well as the other 40 PC viruses known), and
unless somebody sends me a new virus today, I will start sending the
programs out tomorrow or the day after that.
The Amstrad virus.
This virus is rather interesting. It is a direct-action virus, that
will add 847 bytes to the front of any .COM file it finds in the
current directory. The virus is very primitive, because the virus
code is only around 334 bytes long, which makes this the shortest PC
virus known today. The rest contains zeros and the string:
"Hello, John Mcafee,please uprade me.Bests regards,Jean Luz."
One note: I feel the name "Amstrad" is totally inappropriate, since
the virus seems to have nothing to do with Amstrad computers
whatsoever.
The Payday virus
This is not a new virus, just a YAVJV (Yet Another Variant of the Jerusalem
Virus). It seems to be very close (or perhaps identical) to Jerusalem-B.
Musician
One of the viruses from Poland. As reported earlier, it is the same virus as
the "Oropax" virus reported several months ago in W-Germany.
Perfume (alias 765 or "4711")
A .COM infecting virus of German origin, that will sometimes ask the
user a question and not run the infected file unless the answer is
"4711", which is the name of a perfume. This virus will look for
COMMAND.COM and infect it unless it is already infected. Infected
files grow by 765 bytes. In the most common variant of the virus, the
questions have been overwritten with garbage.
W13
This is a rather primitive .COM infecting virus. Two variants are
known, the first one is 534 bytes long, but the second (with some bugs
corrected) is only 507 bytes long. The virus is of the "Direct
Action" type and does nothing interesting.
Vcomm
An .EXE infecting virus that came from Poland. It is not very well
written, but easy to study, since the commented source code was
included. When an infected program is run, it will infect one .EXE
file in the current directory. Infected programs are first padded so
their length becomes a multiple of 512 bytes. Then the virus adds 637
bytes to the end of the file. It will also install a resident part
that will intercept any disk write and change it into a disk read.
December 24th
An Icelandic variant of the Icelandic-2 virus. It will infect one out
of every ten .EXE files run. Infected files grow by 848-863 bytes. If
an infected file is run on December 24th it will stop any other
program run later, displaying the message "Gledileg jol" ("Merry
Christmas") instead. The virus also contains a number of minor changes
and extra NOP instructions.
frisk@rhi.hi.is (Fridrik Skulason) (01/31/91)
Well, folks - we now have around 400 PC viruses - currently we get on the average one new virus per day, and the rate is increasing...maybe we will have 1000 before the end of the year. Anyhow - for users of F-PROT 1.14 - please add the following encrypted signatures to the SIGN.TXT, to provide detection of the viruses I have received since Jan 15th.
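Added example, not part of the original posts and not F-PROT code: a size-growth triage that compares a recorded baseline of clean file sizes against current sizes, using the growth figures given in the 01/03/90 post. It assumes the stated W13 lengths equal the file growth and that Vcomm adds no padding to a file already a multiple of 512 bytes; all file names and sizes are constructed.

```python
import os

def vcomm_size(clean):
    """Vcomm: pad the host to a multiple of 512 bytes, then append 637.
    Assumption: an already aligned file receives no padding."""
    return -(-clean // 512) * 512 + 637

# (family, extension, test over clean size c and current size n)
RULES = [
    ("Amstrad", ".COM", lambda c, n: n - c == 847),
    ("Perfume", ".COM", lambda c, n: n - c == 765),
    # Assumption: the two W13 variant lengths are also the growth.
    ("W13", ".COM", lambda c, n: n - c in (534, 507)),
    ("Vcomm", ".EXE", lambda c, n: n == vcomm_size(c)),
    ("December 24th", ".EXE", lambda c, n: 848 <= n - c <= 863),
]

def match_growth(name, clean, current):
    """Return every family whose documented growth fits this size change."""
    ext = os.path.splitext(name)[1].upper()
    return [fam for fam, e, fits in RULES if e == ext and fits(clean, current)]

def triage(baseline, current):
    """Map each changed file to candidate families, or flag it as unexplained."""
    report = {}
    for name, clean in baseline.items():
        now = current.get(name)
        if now is None or now == clean:
            continue  # missing or unchanged: nothing to classify
        report[name] = match_growth(name, clean, now) or ["unexplained change"]
    return report

# Constructed sample data: sizes recorded when clean, and sizes seen now.
SAMPLE_BASELINE = {"EDIT.COM": 4000, "CALC.EXE": 10000, "GAME.EXE": 20480,
                   "NOTE.COM": 1200, "TOOL.EXE": 9000}
SAMPLE_CURRENT = {"EDIT.COM": 4765, "CALC.EXE": 10877, "GAME.EXE": 21117,
                  "NOTE.COM": 1200, "TOOL.EXE": 9850}

if __name__ == "__main__":
    for name, families in sorted(triage(SAMPLE_BASELINE, SAMPLE_CURRENT).items()):
        print(name, "->", ", ".join(families))
```

A size match is only a lead for closer inspection: a 300-byte .EXE padded to 512 and extended by 637 grows by 849 bytes, which also falls inside the December 24th range, so both families are returned for it.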