036/109 24 Sep 89 15:00:00
From: Samson Luk
To: All
Subj: Viruses Pattern Update
Attr:
------------------------------------------------
Following is a list of KNOWN viruses affecting IBM PCs and compatibles,
including XTs, ATs and PS/2. The hexadecimal pattern can be used to detect
the presence of the virus by using any pattern searching software such as
Norton Utilities.

Additions to the table this time are Datacrime II and a new variant of
Icelandic (listed last time as Saratoga with (1) and (2) in reverse order).
There is also a new "REPORTED" section added at the end of this message, in
which most of the viruses listed are not yet disassembled.

- Seen and disassembled viruses

Name             Aliases /             Type  Offset  Hexadecimal Pattern
                 Infective Length

405              0                     POC   00AH    26 A2 49 02 26 A2 4B 02 26 A2
Brain            Pakistani             BF    15EH    8B 0E 07 7C 89 0E 0A 7C E8 57
Cascade (1)      Fall,1701,1704        PRC   01BH    31 34 31 24 46 4C 75 F8
Cascade (2)      1704                  PRC   01BH    31 34 31 24 46 4C 77 F8
Datacrime        1280 or 1168          PNC   000H    2E 8B 36 01 01 83 EE 03 8B C6
Datacrime II     1514                  PNA   022H    2E 8A 07 2E C6 05 22 32 C2 D0
Den Zuk          Search                BF    03EH    BB 90 7C 53 C3 B9 B0 7C 51 C3
Fu Manchu        2086(COM),            PRA   1EEH    FC B4 E1 CD 21 80 FC E1 73 16
                 2080(EXE)
Icelandic (1)    Saratoga,656          PRE   0C6H    2E C6 06 87 02 0A 90 50 53 51
Icelandic (2)    Saratoga,642          PRE   0B8H    2E C6 06 79 02 02 90 50 53 51
Icelandic (3)    Saratoga,632          PRE   106H    2E C6 06 6F 02 0A 90 50 53 51
Italian          Pingpong              BD    07CH    C7 06 4C 00 D0 7C 8C 0E 4E 00
Jerusalem        PLO, Israeli,         PRA   095H    FC B4 E0 CD 21 80 FC E0 73 16
                 Friday 13th
                 1813(COM),
                 1808(EXE)
Lehigh           0                     PRO   01CH    B4 19 CD 44 04 61 1E 51 52 57
New Zealand (1)  Stoned,               BM    045H    B8 01 02 0E 07 BB 00 02 B9 01
New Zealand (2)  Marijuana             BM    043H    B8 01 02 0E 07 BB 00 02 33 C9
Pentagon                               BF    03EH    8E D8 FB BD 44 7C 81 76 06
Suriv 1.01       Israeli, 897          PRC   30AH    81 F9 C4 07 72 1B 81 FA 01 04
Suriv 2.01       Israeli, 1488         PRE   05EH    81 F9 C4 07 72 28 81 FA 01 04
Suriv 3.00       Israeli,              PRA   099H    FC B4 E0 CD 21 80 FC E0 73 16
                 1813(COM)
                 1808(EXE)
Traceback        3066                  PRA   108H    89 B4 51 01 81 84 51 01 84 08
Vienna (1)       Austrian, 648         PNC   005H    8B F2 83 C6 0A 90 BF 00 01 B9
Vienna (2)       Unesco 648            PNC   005H    8B F2 81 C6 0A 00 BF 00 01 B9
Yale             Alameda,              BF    00EH    A1 13 00 F7 E3 2D E0 07
                 Merritt

- Description for new additions:

Datacrime II - Virus is encrypted. Infects a COM or EXE file each time an
               infected program is run. Will infect COMMAND.COM. Formats
               part of hard disk on any date up to and including 12 October
               (any year) except on Sunday.

Icelandic    - Memory resident copy infects one in ten (or one in two for
               the Saratoga variant) EXE files executed. Date and time are
               changed. Clusters are flagged as bad on hard disk. There is
               a variant which does not flag clusters.

- Reported only

Name       Aliases       Type  Description

2730                     B
Agiplan                  PRC   Infective length 1536, attaches to beginning
                               of COM file.
Dbase                    PRA   Transposes random bytes in dBase files
                               (.DBF). Trashes disk after 90 days.
Missouri                 ?
Mistake                  ?     Exchanges letters for phonetically similar
                               ones (i.e. 'C' and 'K') while they are being
                               output to the printer.
Nichols                  B
Oropax     Music virus   PRC   Infected files increase by between 2756 &
                               2806 bytes. Total length becomes divisible
                               by 51. Plays three different tunes with a
                               seven minute interval.
Screen                   PRC   Infects all COM files in current directory,
                               including any already infected, before going
                               resident. Every few minutes it transposes
                               two digits in any block of four on the
                               screen.
Swap                     BF    Does not infect until ten minutes after
                               boot. One bad cluster on track 39, sector
                               6 & 7 (head unspecified). Uses 2K of RAM.

Type Code:

A = Infects all program files (COM & EXE)
B = Boot virus
C = Infects COM files only
D = Infects DOS boot sector on hard disk
E = Infects EXE files only
F = Floppy (360K) only
M = Infects Master boot sector on hard disk
N = Non-resident (in memory)
O = Overwriting
P = Parasitic virus
R = Resident (in memory)

--- FD 2.00
 * Origin: TAIC OPUS - HONG KONG, WOCing through the Blazer at 19.2K (3:700/1)
SEEN-BY: 1/2 3 5 28/6 105/3 4 10 15 16 21 42 68 103 300 301 306 469 496
SEEN-BY: 105/502 622 124/4115 138/108 152/17 204/557 869 280/16 343/6
SEEN-BY: 700/1
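
The pattern search described in the message, as an added example (not part of the original message): it parses four rows copied from the table, expands each Type code with the legend, and searches a buffer for every pattern. The function names, the "|"-separated row layout and the sample buffer are constructed here, and reading "Offset" as the pattern's position inside the virus code or boot sector is an assumption, since the message does not define it.

```python
import re

# Type-code legend as given in the message.
TYPE_CODES = {
    "A": "infects COM & EXE", "B": "boot virus", "C": "COM only",
    "D": "DOS boot sector on hard disk", "E": "EXE only",
    "F": "floppy (360K) only", "M": "master boot sector on hard disk",
    "N": "non-resident", "O": "overwriting", "P": "parasitic", "R": "resident",
}

# Four rows copied from the table: name | type | offset | pattern.
TABLE = """\
Brain           | BF  | 15EH | 8B 0E 07 7C 89 0E 0A 7C E8 57
Cascade (1)     | PRC | 01BH | 31 34 31 24 46 4C 75 F8
Cascade (2)     | PRC | 01BH | 31 34 31 24 46 4C 77 F8
New Zealand (1) | BM  | 045H | B8 01 02 0E 07 BB 00 02 B9 01
"""

def parse_table(text):
    """Turn 'name | type | offsetH | hex bytes' rows into signature dicts."""
    sigs = []
    for line in text.splitlines():
        name, tcode, off, pat = (f.strip() for f in line.split("|"))
        if not re.fullmatch(r"[0-9A-F]+H", off):
            raise ValueError(f"bad offset in row: {line!r}")
        sigs.append({"name": name,
                     "traits": [TYPE_CODES[c] for c in tcode],
                     "offset": int(off[:-1], 16),
                     "pattern": bytes.fromhex(pat)})
    return sigs

def scan(data, sigs):
    """Return (name, found_at, at_listed_offset) for every occurrence.
    at_listed_offset is only meaningful when data is the boot sector or
    virus body itself (assumed meaning of the Offset column)."""
    hits = []
    for s in sigs:
        pos = data.find(s["pattern"])
        while pos != -1:
            hits.append((s["name"], pos, pos == s["offset"]))
            pos = data.find(s["pattern"], pos + 1)
    return hits

def make_sample():
    """Constructed 512-byte buffer: zero-filled, Brain pattern placed at 15EH."""
    buf = bytearray(512)
    buf[0x15E:0x15E + 10] = bytes.fromhex("8B 0E 07 7C 89 0E 0A 7C E8 57")
    return bytes(buf)

if __name__ == "__main__":
    for hit in scan(make_sample(), parse_table(TABLE)):
        print(hit)
```

Cascade (1) and Cascade (2) differ in a single byte (75 versus 77), so both rows are needed to tell the variants apart.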