Alan_J_Roberts@Sun.COM (11/16/89)
The following list was put together by John McAfee. The naming conventions follow the ViruScan conventions. Many thanks to David Chess for the concept for the list's format.

VIRUS CHARACTERISTICS LIST
Copyright 1989, McAfee Associates
408 988 3832

The following list outlines the critical characteristics of the known IBM PC and compatible viruses. Comments and suggestions welcomed.

==========================================================================
Infects Fixed Disk Partition Table----------+
Infects Fixed Disk Boot Sector------------+ |
Infects Floppy Diskette Boot------------+ | |
Infects Overlay Files-----------------+ | | |
Infects EXE Files-------------------+ | | | |
Infects COM files-----------------+ | | | | |
Infects COMMAND.COM-------------+ | | | | | |
Virus Remains Resident--------+ | | | | | | |
Virus Uses Self-Encryption--+ | | | | | | | |
                            | | | | | | | | |   Increase in
                            | | | | | | | | |   Infected
                            | | | | | | | | |   Program's
                            | | | | | | | | |   Size
                            | | | | | | | | |   |
Virus                       V V V V V V V V V   V           Damage
--------------------------------------------------------------------------
Do-Nothing                  . . . x . . . . .   608         p
Sunday                      . x . x x x . . .   1636        O,P
Lisbon                      . . . x . . . . .   648         P
Typo/Fumble                 . x . x . . . . .   867         O,P
Dbase                       . x . x . . . . .   1864        D,O,P
Ghost Boot Version          . x . . . . x x .   N/A         B,O
Ghost COM Version           . . . x . . . . .   2351        B,P
New Jerusalem               . x . x x x . . .   1808        O,P
Alabama                     . x . . x . . . .   1560        O,P,L
Yankee Doodle               . x . x x . . . .   2885        O,P
2930                        . x . x x . . . .   2930        P
Ashar                       . x . . . . x . .   N/A         B
AIDS                        . . . x . . . . .   Overwrites Program
Disk Killer                 . x . . . . x x .   N/A         B,O,P,D,F
1536/Zero Bug               . x . x . . . . .   1536        O,P
MIX1                        . x . . x . . . .   1618        O,P
Dark Avenger                . x x x x x . . .   1800        O,P,L
3551/Syslock                x . . x x . . . .   3551        P,D
VACSINA                     . x . x x x . . .   1206        O,P
Ohio                        . x . . . . x . .   N/A         B
Typo (Boot Virus)           . x . . . . x x .   N/A         O,B
Swap/Israeli Boot           . x . . . . x . .   N/A         B
1514/Datacrime II           x . . x x . . . .   1514        P,F
Icelandic II                . x . . x . . . .   661         O,P
Pentagon                    . . . . . . x . .   N/A         B
3066/Traceback              . x . x x . . . .   3066        P
1168/Datacrime-B            x . . x . . . . .   1168        P,F
Icelandic                   . x . . x . . . .   642         O,P
Saratoga                    . x . . x . . . .   632         O,P
405                         . . . x . . . . .   Overwrites Program
1704 Format                 x x . x . . . . .   1704        O,P,F
Fu Manchu                   . x . x x x . . .   2086        O,P
1280/Datacrime              x . . x . . . . .   1280        P,F
1701/Cascade                x x . x . . . . .   1701        O,P
1704/CASCADE-B              x x . x . . . . .   1704        O,P
Stoned/Marijuana            . x . . . . x . x   N/A         O,B,L
1704/CASCADE                x x . x . . . . .   1704        O,P
Ping Pong-B                 . x . . . . x x .   N/A         O,B
Den Zuk                     . x . . . . x . .   N/A         O,B
Ping Pong                   . x . . . . x . .   N/A         O,B
Vienna-B                    . . . x . . . . .   648         P
Lehigh                      . x x . . . . . .   Overwrites  P,F
Vienna/648                  . . . x . . . . .   648         P
Jerusalem-B                 . x . x x x . . .   1808        O,P
Yale/Alameda                . x . . . . x . .   N/A         B
Friday 13th COM Virus       . . . x . . . . .   512         P
Jerusalem                   . x . x x x . . .   1808        O,P
SURIV03                     . x . x x x . . .               O,P
SURIV02                     . x . . x . . . .   1488        O,P
SURIV01                     . x . x . . . . .   897         O,P
Pakistani Brain             . x . . . . x . .   N/A         B

Legend:

Damage Fields -
  B - Corrupts or overwrites Boot Sector
  O - Affects system run-time operation
  P - Corrupts program or overlay files
  D - Corrupts data files
  F - Formats or erases all/part of disk
  L - Directly or indirectly corrupts file linkage

Size Increase - The length, in bytes, by which an infected program or overlay file will increase

Characteristics -
  x - Yes
  . - No

CHESS@YKTVMV.BITNET (David.M..Chess) (11/20/89)
Quite welcome for the format, and thanks for the acknowledgement! A few small notes/questions:

- I notice the "Missouri" and "Nichols" viruses aren't listed. Did they turn out not to really exist, or to be viruses that are known under some other name?

- For completeness, you might want to include the 1704-C, as well as the 1701, 1704, 1704-B and 1704-format? (The 1704-C has the same in-clear section as the 1704-format, but doesn't have the disk-formatting code.) I know you have a sample! *8)

- Suspect you didn't mean to mark "Self-Encryption" for the 1168 and 1280 viruses? They don't do it in the same sense that the DataCrime II, the Syslock, or the 17xx series do; the only thing that's "encrypted" in the 1168/1280 is the logo string, and that's just stored XORed with hex 55. That's not the -interesting- kind of self-garbling: the kind that makes the invariant part of the virus smaller.

Nice list!

DC

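Added illustration, not part of the original thread: the distinction the post above draws between a string stored XORed with one fixed value (hex 55) and self-encryption that shrinks the invariant part a scan string can rely on. It generalizes to an assumed one-byte per-copy key model; STUB, BODY, LOGO and the keys 0x3C and 0xA7 are constructed placeholders, not bytes from any real sample.

```python
# Added illustration: every byte string here is a constructed placeholder.
FIXED_KEY = 0x55                    # the fixed XOR value named in the post
STUB = b"\x90" * 8                  # stand-in for code that must stay in clear
BODY = bytes(range(64))             # stand-in for the rest of the code
LOGO = b"CONSTRUCTED LOGO STRING"   # placeholder, not the real logo text


def xor(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key."""
    return bytes(b ^ key for b in data)


def fixed_key_copy() -> bytes:
    """Code in clear; only the logo is stored XORed with one fixed key."""
    return STUB + BODY + xor(LOGO, FIXED_KEY)


def per_copy_key_copy(key: int) -> bytes:
    """Assumed model: clear stub, stored key byte, body and logo XORed with it."""
    return STUB + bytes([key]) + xor(BODY + LOGO, key)


def invariant_offsets(copies: list[bytes]) -> list[int]:
    """Offsets where all copies hold the same byte (usable in a scan string)."""
    n = min(len(c) for c in copies)
    return [i for i in range(n) if len({c[i] for c in copies}) == 1]


def summarize() -> dict:
    fixed = [fixed_key_copy(), fixed_key_copy()]
    varying = [per_copy_key_copy(0x3C), per_copy_key_copy(0xA7)]
    return {
        "fixed_total": len(fixed[0]),
        "fixed_invariant": len(invariant_offsets(fixed)),
        "varying_total": len(varying[0]),
        "varying_invariant": len(invariant_offsets(varying)),
        # The XORed logo is itself constant, so it still works as a scan string.
        "xored_logo_is_scan_string": all(xor(LOGO, FIXED_KEY) in c for c in fixed),
    }


if __name__ == "__main__":
    print(summarize())
```

With a fixed key every byte of both copies matches, so nothing is hidden from a signature scanner; with a per-copy key only the clear stub stays invariant.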
frisk@rhi.hi.is (Fridrik Skulason) (11/22/89)
A few comments:

- since the boot part of the ghost virus does not spread, it can not properly be called a virus, so I do not think it should be included.

- The Pentagon virus does not work. Why include it?

- Why not include Agiplan, Oropax, Missouri, Macho and Nichols?

- Do-nothing Remains resident

- 1168/1280 do not use self-encryption.

Apart from this it's a good list.

-frisk

nyenhuis@idca.tds.PHILIPS.nl (G. Nijenhuis) (11/23/89)
CHESS@YKTVMV.BITNET (David.M..Chess) writes:
>Quite welcome for the format, and thanks for the acknowledgement!
>
>Nice list!

Was there a complete Virus list posted to this group? If so, I missed it. We had some troubles with the net news over here and missed a lot. I am very interested in this list, so would somebody please be so kind to send it (or post it) to me?

Many thanks in advance.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
# Gerrit Nijenhuis              Internet : nyenhuis@idca.tds.PHILIPS.nl     #
# Philips TDS, Dept. SSP        UUCP     : ...!mcvax!philapd!nyenhuis       #
# Apeldoorn, The Netherlands    Phone    : +31 55 433327                    #