RADAI1%HBUNOS.BITNET@VMA.CC.CMU.EDU (Y. Radai) (10/02/89)
On May 16 I submitted a list of 20 PC viruses to VIRUS-L. Since then, the Terrible Twenty have become the Threatening Thirty (Plus Two). Here's the list updated to the present (well, actually, only to yesterday; at the current rate there'll probably be at least five more today :-) ).

                         PC-DOS/MS-DOS Viruses
                         =====================

                                   No. of                         First
    Names                         Strains  Type                 Appearance
    -----                         -------  ----                 ----------
 1. Brain, Pakistani, Ashar            8   Boot sector 7K F     Jan? 86
 2. Merritt, Alameda, Yale             8   Boot sector 1K F     Apr? 87
 3. South African, Friday 13th         2   COM D                ? 87
 4. Lehigh                             2   COMMAND.COM RO 0     Nov 87
 5. Vienna, Austrian, Dos-62, Unesco   3   COM D 648            Dec? 87
 6. Israeli, Friday-13, Jerusalem     12   COM/EXE R 1813/1808  Dec 87
 7. April-1-Com, Suriv-1               1   COM R 897            Jan 88
 8. April-1-Exe, Suriv-2               1   EXE R 1488           Jan 88
 9. Ping-Pong, Bouncing-Ball, Italian  3   Boot sector 2K       Mar 88
10. Marijuana, Stoned, New Zealand,    2   Boot sector 1K;      Early 88
    Australian                             partition record on hard disk
11. Nichols                            1   Boot sector          Apr 88
12. Missouri                           1   Boot sector          May 88 (89?)
13. Agiplan                            1   COM R 1536           Jul 88
14. Cascade, Autumn, Blackjack         6   COM R 1701/1704      Sep 88 (87?)
15. Oropax, Music                      1   COM RD 2756 to 2806  Feb 89
16. DenZuk, Venezuelan, Search         6   Boot sector 7K F     Early 89?
17. Dbase                              1   COM/EXE R            Mar? 89
18. DataCrime                          2   COM D 1168/1280      Mar 89
19. 405                                1   COM DO 405           Apr? 89
20. Screen                             1   COM R                May? 89
21. FuManchu                           1   COM/EXE R 2086/2080  May? 89
22. Ohio                               1   Boot sector          May 89
23. Icelandic, Saratoga                3   EXE R 656/642/632    Jun? 89
24. Typo                               1   Boot sector 2K       Jun 89
25. Traceback                          1   COM/EXE RD 3066      Jun 89
26. Disk Killer                        1   Boot sector          Jun? 89
27. Swap                               1   Boot sector 2K       Jul 89
28. DataCrime II                       1   COM/EXE D 1514       Jul 89
29. Vacsina                            1   COM/EXE R 1206       Aug 89
30. Mix1                               1   EXE R 1618           Aug 89
31. Syslock, 3555                      1   COM D 3555           Sep 89
32. Dark Avenger                       1   COM/EXE 1800         Sep 89
                                      --
    Total no. of strains              77

Summary by type: Boot = 11, COM = 10, EXE = 3, COM/EXE = 7, COMMAND.COM = 1.
Among file viruses, Resident = 12, Direct = 6, Resident-Direct = 2.

Notes:

1. In the "Type" column, "COM" or "EXE" indicates the type of files infected. "R" stands for "resident", meaning that when an infected program is run the virus makes itself RAM-resident (hooking one or more interrupts); usually such a virus infects subsequently executed programs of the appropriate type, e.g. COM files. "D" stands for "direct", meaning that it searches the disk for an uninfected file and infects it; normally such a virus does not stay resident. (However, it is possible for a virus to be both resident and direct in this sense.) "O" indicates that the virus overwrites the beginning of the file instead of appending or prepending itself to it. The number(s) after the "R" or "D" indicate the number of bytes by which the virus extends files which it infects (however, in the case of EXE files, the total size of the file after infection will get rounded up to the next multiple of 16 if it is not already such a multiple). The number after the "O" is the number of bytes overwritten. In the case of a boot-sector virus, the number of the form "nK" indicates the amount of RAM which the virus occupies. "F" means that the virus infects only diskettes.

2. I include only those viruses which have spread publicly, as opposed to localized test viruses (of which there may be hundreds). (The "Pentagon virus" is deliberately excluded since as far as I know it has not spread publicly; in fact, in the form it was received in the UK, it cannot spread at all.)

3. By definition of "virus", this list does not include non-replicating software.

4. Questionable cases:

   (a) I suspect that the "Lotus 123 virus" and the "Cookie virus" reported recently in VIRUS-L may not be true viruses, and I have therefore decided not to include them, at least for the time being.

   (b) Although I have included the Dbase and Screen viruses reported by Ross Greenberg, no one else currently on VIRUS-L seems to have encountered them. Jim Goodwin claimed that Dbase does not replicate and hence is not a virus, though it's possible that Jim and Ross were talking about two different things.

   (c) In May 88 I read about a "retro-virus" which infects 3 specific programs and is capable of reinfecting files after apparently being eradicated. Does anyone have any further info on this virus?

   (d) I have heard of spreadsheet viruses which occasionally change a value by a small amount, but I have not included them in the table. Further info would be appreciated.

We frequently find new viruses which have evidently been created by using an existing virus as a starting point and then modifying it. When should the new creature be considered a new virus and when should it be considered as merely a new strain of the same virus? The criterion I have tried to follow (though I probably haven't been entirely consistent) is as follows:

If the "damage" part of the virus has been qualitatively altered, or if a virus has been altered to infect additional files (e.g. EXE files where the original infected only COM files), then I classify it as a separate virus. (E.g. although FuManchu, Typo, DataCrime-2, and Mix1 are based on Israeli-Friday13, Ping-Pong, DataCrime-1 and Icelandic-1, resp., I consider these as separate viruses.)

If code has been altered, but only by something minor, such as changing a target date or the number of infections required to trigger the damage, or if the alteration seems to be merely an attempt on the author's part to *improve* the code of an existing virus without adding new features, then I regard it as a different strain of the same virus.

If the only difference is that only strings (e.g. messages or volume labels) have been modified, then I do not consider it as even a separate strain.

Corrections and additions to this list are welcome. (I'm particularly curious about those questionable dates.) Please send your corrections directly to me; I'll post an updated version of this table from time to time.

I have received suggestions to include additional info in the table, such as the symptoms and damage caused by each virus, what types of disks it infects, etc. While I agree that such information would be very useful, it is beyond the intended scope of this table, both because of the difficulty of describing this information in such a short space and because the answers often depend on the particular strain of the virus. This would make the table much more complicated than it was intended to be. Those interested in further information on the viruses listed here will eventually find it in various catalogs under preparation, e.g. one by David Ferbrache and another by the Virus Test Center at the Univ. of Hamburg (these include non-PC viruses as well).

Acknowledgments: I have drawn on information provided by many people. Postings in VIRUS-L are too numerous to mention individual names, but among those who have corresponded with me personally, I would like to thank Dave Ferbrache, Dr. Alan Solomon, Joe Hirst, Prof. Klaus Brunnstein, Fridrik Skulason, John McAfee, Bernd Fix, Otto Stolz, and David Chess.

                                     Y. Radai
                                     Hebrew Univ. of Jerusalem