[comp.virus] List of PC viruses

RADAI1%HBUNOS.BITNET@VMA.CC.CMU.EDU (Y. Radai) (10/02/89)

  On May 16 I submitted a list of 20 PC viruses to VIRUS-L.  Since
then, the Terrible Twenty have become the Threatening Thirty (Plus
Two).  Here's the list updated to the present (well, actually, only
to yesterday; at the current rate there'll probably be at least five
more today :-) ).

                        PC-DOS/MS-DOS Viruses
                        =====================

                                No. of                     First
    Names                       Strains  Type              Appearance
    -----                       -------  ----              ----------
 1. Brain, Pakistani, Ashar           8  Boot sector 7K F    Jan? 86
 2. Merritt, Alameda, Yale            8  Boot sector 1K F    Apr? 87
 3. South African, Friday 13th        2  COM D                ?   87
 4. Lehigh                            2  COMMAND.COM RO 0    Nov  87
 5. Vienna, Austrian, Dos-62, Unesco  3  COM D 648           Dec? 87
 6. Israeli, Friday-13, Jerusalem    12  COM/EXE R 1813/1808 Dec  87
 7. April-1-Com, Suriv-1              1  COM R 897           Jan  88
 8. April-1-Exe, Suriv-2              1  EXE R 1488          Jan  88
 9. Ping-Pong, Bouncing-Ball, Italian 3  Boot sector 2K      Mar  88
10. Marijuana, Stoned, New Zealand,   2  Boot sector 1K;    Early 88
                           Australian    partition record on hard disk
11. Nichols                           1  Boot sector         Apr  88
12. Missouri                          1  Boot sector        May 88 (89?)
13. Agiplan                           1  COM R 1536          Jul  88
14. Cascade, Autumn, Blackjack        6  COM R 1701/1704    Sep 88 (87?)
15. Oropax, Music                     1  COM RD 2756 to 2806 Feb  89
16. DenZuk, Venezuelan, Search        6  Boot sector 7K F   Early 89?
17. Dbase                             1  COM/EXE R           Mar? 89
18. DataCrime                         2  COM D 1168/1280     Mar  89
19. 405                               1  COM DO 405          Apr? 89
20. Screen                            1  COM R               May? 89
21. FuManchu                          1  COM/EXE R 2086/2080 May? 89
22. Ohio                              1  Boot sector         May  89
23. Icelandic, Saratoga               3  EXE R 656/642/632   Jun? 89
24. Typo                              1  Boot sector 2K      Jun  89
25. Traceback                         1  COM/EXE RD 3066     Jun  89
26. Disk Killer                       1  Boot sector         Jun? 89
27. Swap                              1  Boot sector 2K      Jul  89
28. DataCrime II                      1  COM/EXE D 1514      Jul  89
29. Vacsina                           1  COM/EXE R 1206      Aug  89
30. Mix1                              1  EXE R 1618          Aug  89
31. Syslock, 3555                     1  COM D 3555          Sep  89
32. Dark Avenger                      1  COM/EXE 1800        Sep  89
                                     --
Total no. of strains                 77

Summary by type:
    Boot = 11, COM = 10, EXE = 3, COM/EXE = 7, COMMAND.COM = 1.
Among file viruses,
    Resident = 12, Direct = 6, Resident-Direct = 2.

Notes:
  1. In the "Type" column, "COM" or "EXE" indicates the type of files
infected.  "R" stands for "resident", meaning that when an infected
program is run the virus makes itself RAM-resident (hooking one or
more interrupts); usually such a virus infects subsequently executed
programs of the appropriate type, e.g. COM files.  "D" stands for
"direct", meaning that it searches the disk for an uninfected file and
infects it; normally such a virus does not stay resident.  (However,
it is possible for a virus to be both resident and direct in this
sense.)  "O" indicates that the virus overwrites the beginning of the
file instead of appending or prepending itself to it.  The number(s)
after the "R" or "D" indicate the number of bytes by which the virus
extends files which it infects (however, in the case of EXE files, the
total size of the file after infection will get rounded up to the next
multiple of 16 if it is not already such a multiple).  The number
after the "O" is the number of bytes overwritten.  In the case of a
boot-sector virus, the number of the form "nK" indicates the amount of
RAM which the virus occupies.  "F" means that the virus infects only
diskettes.
  2. I include only those viruses which have spread publicly, as
opposed to localized test viruses (of which there may be hundreds).
(The "Pentagon virus" is deliberately excluded since as far as I know
it has not spread publicly; in fact, in the form it was received in
the UK, it cannot spread at all.)
  3. By definition of "virus", this list does not include
non-replicating software.
  4. Questionable cases:
(a) I suspect that the "Lotus 123 virus" and the "Cookie virus"
reported recently in VIRUS-L may not be true viruses, and I have therefore
decided not to include them, at least for the time being.
(b) Although I have included the Dbase and Screen viruses reported by
Ross Greenberg, no one else currently on VIRUS-L seems to have
encountered them.  Jim Goodwin claimed that Dbase does not replicate and
hence is not a virus, though it's possible that Jim and Ross were
talking about two different things.
(c) In May 88 I read about a "retro-virus" which infects 3 specific
programs and is capable of reinfecting files after apparently being
eradicated.  Does anyone have any further info on this virus?
(d) I have heard of spreadsheet viruses which occasionally change a
value by a small amount, but I have not included them in the table.
Further info would be appreciated.

  We frequently find new viruses which have evidently been created by
using an existing virus as a starting point and then modifying it.
When should the new creature be considered a new virus and when should
it be considered as merely a new strain of the same virus?  The
criterion I have tried to follow (though I probably haven't been entirely
consistent) is as follows:
  If the "damage" part of the virus has been qualitatively altered, or
if a virus has been altered to infect additional files (e.g. EXE files
where the original infected only COM files), then I classify it as a
separate virus.  (E.g. although FuManchu, Typo, DataCrime-2, and Mix1
are based on Israeli-Friday13, Ping-Pong, DataCrime-1 and Icelandic-1,
resp., I consider these as separate viruses.)
  If code has been altered, but only by something minor, such as
changing a target date or the number of infections required to trigger
the damage, or if the alteration seems to be merely an attempt on
the author's part to *improve* the code of an existing virus without
adding new features, then I regard it as a different strain of the
same virus.
  If the only difference is that only strings (e.g. messages or volume
labels) have been modified, then I do not consider it as even a
separate strain.

  Corrections and additions to this list are welcome.  (I'm
particularly curious about those questionable dates.)  Please send your
corrections directly to me; I'll post an updated version of this table
from time to time.

  I have received suggestions to include additional info in the table,
such as the symptoms and damage caused by each virus, what types of
disks it infects, etc.  While I agree that such information would be
very useful, it is beyond the intended scope of this table, both
because of the difficulty of describing this information in such a short
space and because the answers often depend on the particular strain
of the virus.  This would make the table much more complicated than it
was intended to be.  Those interested in further information on the
viruses listed here will eventually find it in various catalogs under
preparation, e.g. one by David Ferbrache and another by the Virus Test
Center at the Univ. of Hamburg (these include non-PC viruses as well).

  Acknowledgments: I have drawn on information provided by many
people.  Postings in VIRUS-L are too numerous to mention individual
names, but among those who have corresponded with me personally, I
would like to thank Dave Ferbrache, Dr. Alan Solomon, Joe Hirst, Prof.
Klaus Brunnstein, Fridrik Skulason, John McAfee, Bernd Fix, Otto
Stolz, and David Chess.

                                           Y. Radai
                                           Hebrew Univ. of Jerusalem
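
Added example (not part of the original post): a decoder for the "Type" notation defined in Note 1, used to check whether an observed growth in a file's size matches a length listed in the table, including the EXE rounding to a multiple of 16. Assumptions: only a subset of rows is copied in, the function names are hypothetical, and each slash-separated length is tried against every file type the entry lists, since the post does not say which length belongs to which.

```python
# Entries copied from the table's Type column (a subset of the 32 rows).
TABLE = {
    "Vienna": "COM D 648",
    "Israeli": "COM/EXE R 1813/1808",
    "Cascade": "COM R 1701/1704",
    "Oropax": "COM RD 2756 to 2806",
    "405": "COM DO 405",
    "Icelandic": "EXE R 656/642/632",
    "Dark Avenger": "COM/EXE 1800",
    "Brain": "Boot sector 7K F",
}

def parse_type(entry):
    """Decode one Type-column entry using the notation of Note 1."""
    parts = entry.split()
    if parts[0] == "Boot":
        ram = [p for p in parts if p.endswith("K") and p[:-1].isdigit()]
        return {"kind": "boot", "ram_kb": int(ram[0][:-1]) if ram else None,
                "diskettes_only": parts[-1] == "F"}
    flags = parts[1] if len(parts) > 1 and set(parts[1]) <= set("RDO") else ""
    rest = parts[2:] if flags else parts[1:]
    if "to" in rest:                       # "2756 to 2806": a range of lengths
        lengths = [(int(rest[0]), int(rest[2]))]
    else:                                  # "1813/1808": alternative lengths
        lengths = [(int(n), int(n)) for n in "".join(rest).split("/") if n]
    return {"kind": "file", "targets": parts[0].split("/"),
            "resident": "R" in flags, "direct": "D" in flags,
            "overwrites": "O" in flags, "lengths": lengths}

def expected_size(before, n, ext):
    """Size after infection; EXE totals round up to a multiple of 16 (Note 1)."""
    total = before + n
    return -(-total // 16) * 16 if ext == "EXE" else total

def candidates(ext, before, after):
    """Names whose listed length explains a file growing from before to after."""
    hits = []
    for name, entry in TABLE.items():
        info = parse_type(entry)
        # Overwriting viruses do not extend the file, so growth says nothing.
        if info["kind"] != "file" or ext not in info["targets"] or info["overwrites"]:
            continue
        if any(expected_size(before, n, ext) == after
               for lo, hi in info["lengths"] for n in range(lo, hi + 1)):
            hits.append(name)
    return sorted(hits)

if __name__ == "__main__":
    print(candidates("EXE", 20000, 21808))
```

For the EXE case printed above, two entries match: the rounding to a multiple of 16 makes lengths 1800 and 1808 indistinguishable by size alone, so a size match narrows the candidates but does not identify the virus.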