PS-MPC Virus
Virus Name: PS-MPC
Aliases: see Viruses listed below
V Status: Rare
Discovery: August, 1992
Symptoms: Varies depending on virus present
Origin: United States
Eff Length: Varies depending on virus present
Type Code: PONAK - Parasitic & Overwriting Non-Resident Program Infector
Detection Method: F-Prot, AVTK, Sweep, IBMAV, ViruScan, NAV,
NAVDX, VAlert, PCScan, ChAV,
Sweep/N, AVTK/N, NShld, NAV/N, NProt, IBMAV/N, Innoc,
LProt
Removal Instructions: Delete infected files
General Comments:
PS-MPC is a virus code generation program developed by Phalcon/Skism
during the summer of 1992. It appears to be their response to the
VCL virus generator from Nowhere Man of Nuke.
The viruses listed below are viruses which were submitted that
appear to have been originally generated, at least in part, with
the PS-MPC generator.
The 644 and Walkabout viruses below have been found in the
wild in the United States and Canada.
Known viruses which were created with PS-MPC are:
7% Solution: Received in October, 1993, this virus is a 599 byte
memory resident infector of .COM and .EXE programs,
including COMMAND.COM. It becomes memory resident at the
top of system memory but below the 640K DOS boundary when
the first infected program is executed, hooking interrupt
21. Total system and available free memory, as indicated
by the DOS CHKDSK program, will have decreased by 2,048
bytes. Once resident, it infects .COM and .EXE programs
when they are executed. Infected programs will have a file
length increase of 599 bytes with the virus being located
at the end of the file. The following text string is
encrypted within the viral code:
"The 7% Solution"
The 7% Solution virus may corrupt system CMOS.
Origin: Unknown October, 1993.
7% Solution 2.0: Received in February, 1994, this virus is a 672
byte memory resident infector of .COM and .EXE programs,
including COMMAND.COM. It becomes memory resident at the
top of system memory but below the 640K DOS boundary when
the first infected program is executed, hooking interrupt
21. Total system and available free memory, as indicated by
the DOS CHKDSK program, will have decreased by 2,048 bytes.
Once resident, it infects .COM and .EXE programs when they
are executed. Infected programs will have a file length
increase of 672 bytes with the virus being located at the
end of the file. The following text string is encrypted
within the viral code:
"The 7% Solution 2.0"
This virus may corrupt system CMOS, resulting in all devices
and the system date/time being uninstalled, disabled, or
reset to a default value.
Origin: Sweden February, 1994.
7% Solution 3.0: Received in December, 1993, this virus is a 918
byte memory resident infector of .COM and .EXE programs,
including COMMAND.COM. It becomes memory resident at the
top of system memory but below the 640K DOS boundary when
the first infected program is executed, hooking interrupts
01 and 03. Total system and available free memory, as
indicated by the DOS CHKDSK program, will have decreased by
1,024 bytes. Once resident, it infects .COM and .EXE
programs when they are executed. Infected programs will
have a file length increase of 918 bytes with the virus
being located at the end of the file, though the file length
increase will be hidden when the virus is memory resident.
The following text strings are encrypted within the viral
code:
"The root directory of the current drive has"
"been destroyed by the 7% Solution 3.0 virus"
Origin: Unknown December, 1993.
203: The 203 virus was received in October, 1992. Its origin is
unknown. The 203 virus is a non-resident, direct action
infector of .COM programs, including COMMAND.COM. When a
program infected with the 203 virus is executed, this virus will
infect one .COM program in the current directory. Infected
programs will have a file length increase of 203 bytes with the
virus being located at the end of the file. The program's date
and time in the DOS disk directory listing will not be altered.
One text string is visible within the viral code:
"*.com"
The 203 virus doesn't do anything besides replicate.
Origin: Unknown October, 1992.
644: The 644 virus was received in September, 1992. It is
a non-resident, direct action infector of .COM and .EXE
files, but not COMMAND.COM. Execution of an infected program
will result in all .COM and .EXE programs other than COMMAND.COM
located in the current directory becoming infected. Programs
infected with the 644 virus will have a file length increase of
644 bytes with the virus being located at the end of the file.
The file's date and time in the DOS disk directory listing will
not be altered. The following text string is encrypted within
the viral code: "*.exe *.com"
Origin: United States September, 1992.
696: The 696 virus was received in November, 1992. It is
a non-resident, direct action infector of .COM and .EXE files,
including COMMAND.COM. Execution of an infected program will
result in three .EXE or .COM programs located in the current
directory becoming infected, with preference to .EXE files.
Programs infected with the 696 virus will have a file length
increase of 696 bytes with the virus being located at the end of
the file. The file's date and time in the DOS disk directory
listing will not be altered. The following text strings are
encrypted within the viral code:
"c:\autoexec.com"
"*.exe *.com"
Origin: United States November, 1992.
Abraxas: Received in September, 1992, Abraxas is a 546 byte
non-resident direct action infector of .COM and .EXE
programs, including COMMAND.COM. It infects one program
in the current directory each time an infected program
is executed, with a preference for .EXE programs. Infected
programs will have a file length increase of 546 bytes with
the virus being located at the end of the file. Abraxas
will not always recognize a previously infected program,
and reinfect the file. When this occurs, it adds an
additional 546 bytes. The program's date and time in the
DOS disk directory listing will not be altered. The
following text strings are encrypted within infected
programs:
"*.exe *.com"
"[Z10] Abraxas"
Infected programs will not function properly, returning
the user to the DOS prompt when executed. Boot failures
will occur once COMMAND.COM has become infected.
Origin: United States September, 1992.
Abraxas-1520: Received in October, 1993, Abraxas-1520 is a 1,520
byte non-resident direct action infector of .COM programs,
but not COMMAND.COM. It infects up to four .COM programs
in the current directory each time an infected program
is executed. Infected programs will have a file length
increase of 1,520 bytes with the virus being located at the
end of the file. The program's date and time in the
DOS disk directory listing will not be altered. The
following text strings are visible within infected programs:
"Ich bin ein Geschenk von dem Teufel"
".. *.com \"
Systems infected with the Abraxas-1520 virus may experience
system hangs when infected programs are executed.
Origin: Unknown October, 1993.
Alien-1: Received in February, 1993, Alien-1 is a 571 byte
memory resident infector of .COM and .EXE programs,
including COMMAND.COM. It becomes memory resident at the
top of system memory but below the 640K DOS boundary when
the first infected program is executed, hooking interrupt
21. Total system and available free memory, as indicated
by the DOS CHKDSK program, will have decreased by 1,216
bytes. Once resident, it infects .COM and .EXE programs
when they are executed. Infected programs will have a file
length increase of 571 bytes with the virus being located
at the end of the file. The following text string is
encrypted within the viral code:
"ALiEN 1 Leviathan =VC"
Origin: Unknown February, 1993.
Alien-3: Received in February, 1993, Alien-3 is a 625 byte
memory resident infector of .COM and .EXE programs,
including COMMAND.COM. It becomes memory resident at the
top of system memory but below the 640K DOS boundary when
the first infected program is executed, hooking interrupt
21. Total system and available free memory, as indicated
by the DOS CHKDSK program, will have decreased by 1,328
bytes. Once resident, it infects .COM and .EXE programs
when they are executed. Infected programs will have a file
length increase of 625 bytes with the virus being located
at the end of the file. The following text string is
encrypted within the viral code:
"ALiEN 3 - Demon Spawn Leviathan =VC"
Origin: Unknown February, 1993.
Anathema: Received in November, 1992, Anathema is a 588 byte
memory resident infector of .COM and .EXE programs,
including COMMAND.COM. It becomes memory resident at the
top of system memory but below the 640K DOS boundary when
the first infected program is executed, moving interrupt
12's return. Total system and available free memory, as
indicated by the DOS CHKDSK program, will have decreased by
2,048 bytes. Interrupt 21 will be hooked by Anathema in
memory. Once resident, it infects .COM and .EXE programs
when they are executed. Infected programs will have a file
length increase of 588 bytes with the virus being located
at the end of the file. The following text string is
encrypted within the viral code:
"[ANATHEMA] THE STRANGER"
Infected systems may experience corruption of file
allocation table 1, including file allocation errors and
cross-linking of programs and data files. Boot failures
will also occur once the boot copy of COMMAND.COM becomes
infected.
Origin: United States November, 1992.
Armana-564: Received in September, 1993, Armana-564 is a 564 byte
non-resident direct action infector of .COM and .EXE
programs. It infects two .EXE files in the current
directory each time an infected program is executed. Once
all of the .EXE files in the current directory have become
infected, it will infect two .COM files in the current
directory. Infected programs will have a file length
increase of 564 bytes with the virus being located at the
end of the file. The program's date and time in the DOS
disk directory listing will not be altered. The following
text strings are encrypted within the Armana-564 viral
code:
"[MPC]"
"rx3"
"*.exe *.com"
Once all of the .EXE files, and four non-COMMAND.COM .COM
files have been infected in the current directory, a system
hang will occur when an infected program is executed.
Origin: Unknown September, 1993.
Bamestra 1: Received in June, 1993, Bamestra 1 is a 530 byte
non-resident direct action infector of .EXE programs. It
infects two .EXE files in the current directory each time
an infected program is executed. Infected programs will
have a file length increase of 530 bytes with the virus
being located at the end of the file. The program's date
and time in the DOS disk directory listing will not be
altered. The following text strings are encrypted within
the Bamestra viral code:
"[MPC] [Bamestra] Frans Veldman"
"*.exe"
Origin: Unknown June, 1993.
Bamestra 2: Received in June, 1993, Bamestra 2 is a 535 byte
minor variant of Bamestra 1.
Origin: Unknown June, 1993.
Bamestra 3: Received in June, 1993, Bamestra 3 is a 531 byte
minor variant of Bamestra 1.
Origin: Unknown June, 1993.
Bamestra 4: Received in June, 1993, Bamestra 4 is a 536 byte
minor variant of Bamestra 1.
Origin: Unknown June, 1993.
Bamestra 5: Received in June, 1993, Bamestra 5 is a very minor
variant of Bamestra 2.
Origin: Unknown June, 1993.
Bamestra 6: Received in June, 1993, Bamestra 6 is a very minor
variant of Bamestra 1, adding 530 bytes to the files it
infects.
Origin: Unknown June, 1993.
Bamestra 7: Received in June, 1993, Bamestra 7 is a 529 byte
minor variant of Bamestra 1.
Origin: Unknown June, 1993.
Bamestra 8: Received in June, 1993, Bamestra 8 is a 534 byte
minor variant of Bamestra 1.
Origin: Unknown June, 1993.
Bamestra 9: Received in June, 1993, Bamestra 9 is a very minor
variant of Bamestra 1, adding 530 bytes to the files it
infects.
Origin: Unknown June, 1993.
Bamestra 10: Received in June, 1993, Bamestra 10 is a minor
variant of Bamestra 1, adding 530 bytes to the files it
infects.
Origin: Unknown June, 1993.
Birthday: Received in July, 1993, Birthday is a 1,104 byte
non-resident direct action infector of .EXE programs. It
infects one .EXE file on the C: and B: drives each time
an infected program is executed. Infected programs will
have a file length increase of 1,104 bytes with the virus
being located at the end of the file. The program's date
and time in the DOS disk directory listing will not be
altered. The following text strings are encrypted within
the viral code in all Birthday infected programs:
"This is the birthday of the great one."
"There will be no computer usage today."
"This is the second release of the weak virii, It is weak
virii version % *.EXE .."
If the B: drive does not contain a diskette, a system hang
will occur when the virus attempts to infect a file there.
Origin: Unknown July, 1993.
Cheesy: Received in January, 1993, Cheesy is a 381 byte
non-resident direct action infector of .EXE programs. It
infects one .EXE file in the current directory each time
an infected program is executed. Infected programs will
have a file length increase of 381 bytes with the virus
being located at the end of the file. The program's date
and time in the DOS disk directory listing will not be
altered. The following text strings are visible within the
viral code in all Cheesy infected programs:
"[MPC] Dark Angel of PHALCON/SKISM"
"[DemoEXE] for 40Hex"
"*.exe"
Origin: United States January, 1993.
Chuang Tzu: Received in January, 1993, Chuang Tzu is a 970 byte
non-resident direct action infector of .COM and .EXE
programs, but not COMMAND.COM. It infects two .EXE or .COM
programs in the current directory each time an infected
program is executed. Infected programs will have a file
length increase of 970 bytes with the virus being located
at the end of the file. The program's date and time in the
DOS disk directory listing will not be altered. The
following text strings are encrypted within the Chuang Tzu
viral code in infected programs:
"No one has lived longer than a dead child,
and Methusula died young."
"Heaven and Earth are as old as I,
and ten thousand things are one."
"-- Chuang Tzu, 300 B.C."
"[MPC]
Origin: Unknown January, 1993.
Cinco de Mayo: Received in February 1993, Cinco de Mayo is an
885 byte non-resident direct action infector of .COM
programs, but not COMMAND.COM. It infects three .COM
programs in the current directory each time an infected
program is executed. Infected programs will have a file
length increase of 885 bytes with the virus being located
at the end of the file. The program's date and time in the
DOS disk directory listing will not be altered. The
following text strings are encrypted within the Cinco de
Mayo viral code in infected programs:
"** Cinco de Mayo **"
"No trabajas hoy."
"[MPC] [VCL] [Cinco de Mayo]"
"Danzig Tanks to Dark Angel and Nowhere Man for their
excellent Virus creation programs! more to follow"
"*.exe *.com .. US"
Origin: Unknown February, 1993.
Cinco EXE: Similar to the Cinco de Mayo virus described above,
this virus is a version which infects three .EXE programs
when an infected program is executed. Its size, location,
and file date effect are the same as the original virus.
The following text strings are encrypted within the viral
code:
"**Cinco de Mayo**"
"No trabajas hoy."
"Bebe mas cerveza!!"
"[MPC] [VCL] [Cinco de Mayo]"
"Danzig Thanks to Dark Angel and Nowhere Man for their
excellent Virus creation programs! more to follow"
"*.exe *.com .. US"
Origin: Unknown July, 1993.
Clint: Received in November, 1992, Clint is a 1,076 byte
memory resident infector of .COM and .EXE programs,
including COMMAND.COM. It becomes memory resident at the
top of system memory but below the 640K DOS boundary when
the first infected program is executed, moving interrupt
12's return. Total system and available free memory, as
indicated by the DOS CHKDSK program, will have decreased by
3,072 bytes. Interrupt 21 will be hooked by Clint in
memory. Once resident, it infects .COM and .EXE programs
when they are executed. Infected programs will have a file
length increase of 1,076 bytes with the virus being located
at the end of the file. The following text string is
encrypted within the viral code:
"[CLINT] (c) Copyright 1992 THE STRANGER"
"THIS VIRUS PROUDLY MADE IN THE USA!"
Origin: United States November, 1992.
Crumble: Received in August, 1992, Crumble is a 778 byte
non-resident direct action infector of .COM and .EXE
programs, including COMMAND.COM. It infects two programs
in the current directory each time an infected program
is executed. Infected programs will have a file length
increase of 778 bytes with the virus being located at
the end of the file. The program's date and time in the
DOS disk directory listing will not be altered. The
following text strings are encrypted within infected
programs:
"*.exe *.com"
"[MPC]"
"[CrumblKouch] Kouch"
Origin: United States August, 1992.
DataDeath: Received in July, 1993, DataDeath is a 1,060 byte
non-resident direct action infector of .COM and .EXE
programs, including COMMAND.COM. It infects four or five
programs in the current directory each time an infected
program is executed, with preference for .EXE programs.
Infected programs will have a file length increase of 1,060
bytes with the virus being located at the end of the file.
The program's date and time in the DOS disk directory will
not be altered. The following text strings are encrypted
within infected programs:
"Hello I am Absolute Sector of DataDeath"
"I am in your computer now... I have magic"
"powers..."
"DataDeath - Taking The World By Storm!!!"
"Now your hard disk will pay for your stupidity!"
"Hi to: Aristotle, Apocalypse, Vengeance, and YOU!"
"Love You Joslyn"
"HACKERS, VIRUSES, AND ANARCHY FOREVER..."
"-Absolute Sector (DataDeath)"
"Your hard drive has now felt my magic lightning"
"PS-MPC produced (with modifications of course!)"
"*.exe *.com"
Origin: Unknown July, 1993.
Death 2: Received in September, 1992, Death 2 is a 671 byte
non-resident direct action infector of .COM and .EXE
programs, but not COMMAND.COM. It infects one program
in the current directory each time an infected program
is executed, with preference to .EXE files. Infected
programs will have a file length increase of 671 bytes with
the virus being located at the end of the file. The
program's date and time in the DOS disk directory listing
will not be altered. The following text strings are
encrypted within infected programs:
"*.exe *.com"
"[MPC] The Virus Of Death 2"
"The Happy Hacker"
Origin: United States September, 1992.
Eclypse: Received in November, 1992, Eclypse is a 641 byte
non-resident direct action infector of .COM and .EXE
programs, including COMMAND.COM. It infects one program
in the current directory each time an infected program
is executed, with preference to .EXE files. Infected
programs will have a file length increase of 641 bytes with
the virus being located at the end of the file. The
program's date and time in the DOS disk directory listing
will not be altered. The following text strings are
encrypted within infected programs:
"[MPC] [Eclypse] Abraxas"
"*.exe *.com"
Origin: United States November, 1992.
Grease: Received in June, 1993, Grease is an 856 byte
non-resident direct action infector of .COM and .EXE
programs, including COMMAND.COM. It infects five .EXE or
.COM programs in the current directory each time an
infected program is executed. Infected programs will have
a file length increase of 856 bytes with the virus being
located at the end of the file. The program's date and
time in the DOS disk directory listing will not be altered.
The following text strings are encrypted within the Grease
viral code in infected programs:
"You have been hit with the Grease Man virus."
"Listen to him on 92.3 or 94.1 FM in the NYC listening
area from 6-10PM"
"Monday-Friday. Give him a call at 1-800-544-9294 and
tell him the good news!"
"Ohhh Schweet ahhh!"
System hangs frequently occur when infected programs are
executed.
Origin: United States June, 1993.
Groovy: Received in August, 1993, Groovy is a 466 byte non-
resident direct action infector of .EXE programs. It
infects two .EXE files in the current directory each time
an infected program is executed. Infected programs will
have a file length increase of 466 bytes with the virus
being located at the end of the file. The program's date
and time in the DOS disk directory listing will not be
altered. The following text string is visible within the
viral code in all Groovy infected programs:
"GRooVYGRooVYGRooVYGRooVYGRooVYGRooVY stupid biquts *.exe"
Origin: Unknown August, 1993.
Helmet 1.0: Received in July, 1993, Helmet 1.0 is a 412 byte
non-resident direct action infector of .COM programs, but
not COMMAND.COM. It infects one program in the current
directory each time an infected program is executed.
Infected programs will have a file length increase of 412
bytes with the virus being located at the end of the file.
The program's date and time in the DOS disk directory
will not be altered. The following text strings are
encrypted within infected programs:
"[MPC] [HELMET 1.0] Basher IV"
"*.com US"
Origin: Unknown July, 1993.
Hiccup: Received in March, 1993, Hiccup is a 533 byte memory
resident infector of .COM programs, including COMMAND.COM.
It becomes memory resident at the top of system memory but
below the 640K DOS boundary when the first infected program
is executed, hooking interrupt 21. Total system and
available free memory, as indicated by the DOS CHKDSK
program, will have decreased by 2,048 bytes. Once resident,
it infects .COM programs when they are executed. Infected
programs will have a file length increase of 533 bytes with
the virus being located at the end of the file. The
following text strings are encrypted within the viral code:
"[N.I.T is a waste of money!]"
"[Created at the National Institute of Technology]"
"[Hiccup]"
""May the world fear the hiccup! Created Feb.1993"
Origin: Unknown March, 1993.
Iron Hoof 1: Received in July, 1993, Iron Hoof 1 is a 459 byte
non-resident direct action infector of .EXE programs. It
infects three .EXE programs in the current or higher level
directory each time an infected program is executed.
Infected programs will have a file length increase of 459
bytes with the virus being located at the end of the file.
The program's date and time in the DOS disk directory
will not be altered. The following text strings are
visible within the viral code in infected programs:
"[Iron Hoof] Nameless One -- ANARKICK SYSTEMS"
"*.exe .."
Origin: Unknown July, 1993.
Iron Hoof 2: Received in July, 1993, Iron Hoof 2 is a 462 byte
non-resident direct action infector of .EXE programs. It
infects three .EXE programs in the current or higher level
directory each time an infected program is executed.
Infected programs will have a file length increase of 462
bytes with the virus being located at the end of the file.
The program's date and time in the DOS disk directory
will not be altered. The following text strings are
visible within the viral code in infected programs:
"[Iron Hoof v2] Nameless One -- ANARKICK SYSTEMS"
"*.exe .."
Origin: Unknown July, 1993.
Kersplat: Received in October, 1992, Kersplat is a 670 byte
memory resident infector of .COM and .EXE programs,
including COMMAND.COM. It becomes memory resident at the
top of system memory but below the 640K DOS boundary when
the first infected program is executed. Total system and
available free memory, as indicated by the DOS CHKDSK
program, will have decreased by 2,048 bytes. Interrupt 21
will be hooked by Kersplat in memory. Once resident, it
infects .COM and .EXE programs when they are executed.
Infected programs will have a file length increase of 670
bytes with the virus being located at the end of the file.
The following text string is encrypted within the viral
code:
"[KERSPLAT] THE STRANGER"
Origin: United States October, 1992.
Love Bink: Received in January, 1994, Love Bink is a 557 byte
memory resident infector of .COM programs, including
COMMAND.COM. It becomes memory resident at the top of
system memory but below the 640K DOS boundary when the first
infected program is executed. Total system and available
free memory, as indicated by the DOS CHKDSK program, will
have decreased by 1,184 bytes. Interrupt 21 will be hooked
by the virus in memory. Once resident, it infects .COM
programs when they are executed. Infected programs will
have a file length increase of 557 bytes with the virus
being located at the end of the file. The following text
strings are encrypted within the viral code:
"Today The Love Of Binky Started...
Your Computer Shall Celebrate!"
"[MPC] Binky Love Z-Boy"
Love Bink overwrites the system hard disk on November 24th
of any year.
Origin: Unknown January, 1994.
Math Test: Received in June, 1993, Math Test is a 1,136 byte
memory resident infector of .COM and .EXE programs,
including COMMAND.COM. It becomes memory resident at the
top of system memory but below the 640K DOS boundary when
the first infected program is executed, hooking interrupt
21. Total system and available free memory, as indicated by
the DOS CHKDSK program, will have decreased by 2,384 bytes.
Once resident, it infects .COM and .EXE programs when they
are executed. Infected programs will have a file length
increase of 1,163 bytes with the virus being located at the
end of the file. Math Test activates between 9:00 and 10:00
in the morning, at which time it may display the following
message requiring the user to respond when a program is
executed:
"It's time for a math test courtesy of YAM!
And the question is...
What is 00 + 00 ="
If the user types "00", then the program the user was
attempting to execute will run. If anything else is typed,
the following message is displayed, and the user is returned
to the DOS prompt:
"WRONG!!!! TRY AGAIN!"
The text strings from the above messages are encrypted
within the viral code, as is the following additional text
string:
"Admiral Bailey [MATH TEST VIRUS]"
Origin: United States June, 1993.
McWhale: Received in October, 1992, McWhale is a 1,125 byte
non-resident infector of .COM and .EXE programs, but not
COMMAND.COM. It infects two .EXE or .COM programs each
time an infected program is executed, with preference for
.EXE files. Infected files will have a file length increase
of 1,125 bytes with the virus being located at the end of
the file. The program's date and time in the DOS disk
directory listing will not be altered. Approximately 40%
of the time when an infected program is executed, the
following message will be displayed in the middle of the
system display, scrolling from right to left on one line:
"Beware!!!..............................
Anti-Virus.....Man.....John.....McAfee.....wrote.....the
WHALE.....virus!!..............................
HONEST!!!................"
Occassionally, the virus will follow this display with the
additional text:
"- (c) 1992 Abraxas Warez........"
The above text message is encrypted within the viral code,
as is the following text strings:
" ABRAXAS -"
"[MPC] [McAfee' Whale] [pAgE]"
"*.exe *.com .. US"
Unexpected system hangs may also occur on infected systems.
Origin: United States October, 1992.
McWhale-1022: Received in March, 1993, McWhale-1022 is a 1,022
byte non-resident infector of .COM and .EXE programs, but
not COMMAND.COM. It infects two .EXE or .COM programs each
time an infected program is executed, with preference for
.EXE files. Infected files will have a file length increase
of 1,022 bytes with the virus being located at the end of
the file. The program's date and time in the DOS disk
directory listing will not be altered. Approximately 40%
of the time when an infected program is executed, the
following message will be display in a scrolling, diagonal
formation on the system display:
"by McWhale - (c) 1992 McAfee Warez."
"McAfee, wrote the WHALE...."
"...and Solient Green is people"
Occassionally, the virus will also this the following
message:
"System reports appear"
The above text messages is encrypted within the viral code,
as is the following text string:
"*.exe *.com .. US"
Origin: Unknown March, 1993.
Mimic-Den Zuk: Received in September, 1992, Mimic-Den Zuk is
a 4,893 byte virus which infects two .COM programs each
time an infected program is executed. Infected programs
will have a file length increase of 4,893 bytes with
the virus being located at the end of the file. The
program's date and time in the DOS disk directory listing
will not be altered. Several text strings are encrypted
within the viral code, and are not visible in infected
.COM programs. Some of these strings are:
"DENZ-SIMCOM"
"This program requires DOS version 2.0 or later"
"DOS version 2.x -"
"Program is the wrong length"
"check for virus infection"
On Fridays, Mimic-Den Zuk activates. At this time,
execution of an infected .COM program will result in some
of the .EXE programs in the current directory being
overwritten by a trojan. This trojan will display a
"Den Zuk" logo on the system display when it is executed,
and then return the user to the DOS prompt. The virus
overwrites the first 4,243 bytes of trojanized .EXE
programs.
Origin: United States September, 1992.
Mimic-Jerusalem: Received in September, 1992, Mimic-Jerusalem
is a 2,832 byte infector of .COM and .EXE programs, but
not COMMAND.COM. It will infect either all .EXE or all
.COM programs in the current directory when an infected
program is executed. Infected programs will have a
file length increase of 2,832 bytes with the virus being
located at the end of the file. .EXE programs may be
reinfected, adding an additional 2,832 bytes. There will
be no change to the file's date and time in the DOS disk
directory listing. Mimic-Jerusalem is an encrypted virus.
Several text strings occur within the viral code, though
they will only be visible in some trojanized .EXE programs:
"JERU-SIM.COM V1.02"
"Written by URN KOUCH"
"Copyright (c) URN KOUCH 1992."
"This program requires DOS version 2.0 or later"
"DOS version 2.x -"
Mimic-Jerusalem activates on Fridays. Upon activation,
execution of an infected program will result in some of
the .EXE programs in the current directory being trojanized.
The virus will overwrite the beginning of the .EXE file with
a small program which mimics the behaviour of the Jerusalem
virus.
Origin: United States September, 1992.
Napolean Complex: Received in December, 1992, Napolean Complex
is a 729 byte non-resident direct action infector of .COM
programs, including COMMAND.COM. It infects three programs
in the current directory each time an infected program
is executed, with preference for .EXE files. Infected
programs will have a file length increase of 729 bytes with
the virus being located at the end of the file. The
program's date and time in the DOS disk directory listing
will not be altered. The following text strings are
encrypted within infected programs:
"LMluvsSI"
"Dynamite cums in small packages!"
"[NAPOLEAN COMPLEX v1.0] Nameless One -- ANARKICK SYSTEMS"
"*.exe *.com .."
System hangs will sometimes occur when infected programs
are executed, as well as the virus will sometimes write a
portion of its viral code to the system display.
Origin: Unknown December, 1992.
Nirvana: Received in September, 1993, Nirvana is an 835 byte
non-resident direct action infector of .EXE programs. It
infects all of the .EXE files in the current directory and
the C: drive root directory when an infected program
is executed. Infected programs will have a file length
increase of 835 bytes with the virus being located at the
end of the file. The program's date and time in the DOS
disk directory listing will not be altered. The following
text strings are encrypted within infected programs:
"YOU ARE DEAD. YOUR COMPUTER IS NOW EXPERIENCING NIRVANA"
"IT IS DELETING ALL EXECUTABLE FILES FROM YOUR HARD DRIVE"
"This is version &% of Nirvana released in 1993"
"*.EXE *.EXE .."
Origin: Unknown September, 1993.
No God: Received in February, 1994, No God is an 728 byte
non-resident direct action infector of .COM and .EXE
programs. It infects five .EXE or .COM files in the current
directory when an infected program is executed. Infected
programs will have a file length increase of 728 bytes with
the virus being located at the end of the file. The
program's date and time in the DOS disk directory listing
will not be altered. The following text strings are
encrypted within the viral code:
"[NOGOD]"
"*.exe *.com .."
"God is fake, He wouldn't let this happen."
Origin: Unknown February, 1994.
No Wednesday: Received in September, 1992, No Wednesday is a
520 byte non-resident direct action infector of .COM
programs, but not COMMAND.COM. It infects one program
in the current directory each time an infected program
is executed. Infected programs will have a file length
increase of 520 bytes with the virus being located at
the end of the file. The program's date and time in the
DOS disk directory listing will not be altered. The
following text strings are encrypted within infected
programs:
"*.com"
"[MPC] [No Wednesday]"
"* by Goethe *"
"for [AKL/4269]"
"File not found."
No Wednesday activates on any Wednesday, at which time
execution of an infected program will result in the fake
error message "File not found." and the user being returned
to the DOS prompt. The programs will run normally on any
other day of the week.
Origin: United States September, 1992.
Page: Received in November, 1992, Page is a 570 byte non-resident
direct action infector of .COM and .EXE programs, including
COMMAND.COM. When a infected program is executed, it will
infect all of the .EXE programs located in the current
directory. If the .EXE programs were previously infected,
it will instead infect all of the .COM programs in the
current directory. Infected programs will have a file
length increase of 570 bytes with the virus being located at
the end of the file. The program's date and time in the DOS
disk directory listing will not be altered. The following
text strings are visible within the viral code in infected
programs:
"C:\AUTOEXEC.COM"
"*.exe *.com \ [pAgE]"
Origin: United States November, 1992.
Page-B: Received in May, 1993, Page-B is a 780 byte non-resident
direct action infector of .COM programs, including
COMMAND.COM. When a infected program is executed, it will
infect the first .COM file located in the current directory,
regardless of whether it was previously infected. Each
infection of Page-B on the file will have added 780 bytes to
the file's length. The virus will be located at the end of
the file. The program's date and time in the DOS disk
directory listing will not be altered. The following text
strings are visible within the viral code in infected
programs:
"by-->>pAgE<<--(C)1992 TuRN-THE-pAgE"
"Ancient Sages"
"Is one of pAgEs"
"*.COM"
"????????COM"
The Page-B virus will sometimes display the following text
in a diagonal scroll using multi-colored letters:
"Ancient Sages Is one of pAgEs"
Origin: Unknown May, 1993.
PS-MPC.150.B: Received in January, 1995, PS-MPC.150.B is a 150
byte non-resident direct action infector of .COM files,
including COMMAND.COM. It infects all of the .COM files
in the current directory when an infected program is
executed. Infected files increase in size by 150 bytes with
the virus being located at the end of the file. The
program's date and time in the DOS disk directory listing
will have been updated to the current system date and time
when infection occurred, while the seconds field in the
file date time will be set to "12". The following text
string can be found in all infected files:
"*.com"
Origin: Unknown January, 1995.
PS-MPC.753: Received in January, 1997, PS-MPC.753 is a 753 byte
non-resident direct action infector of .COM and .EXE files,
including COMMAND.COM. It infects up to three .EXE or .COM
files in the current directory when an infected program is
executed. Infected files increase in size by 753 bytes with
the virus being located at the end of the file. The
program's date and time in the DOS disk directory listing
will not be altered. The following text strings are
encrypted within the viral code:
"[ASStral Zeuss] MUJA DIB ASStral Zeuss sucks DICK...Goodbye
HD!"
"Tim Andrews talks to rocks"
"Revenge is sweet assholes"
"*.exe *.com .."
Origin: Unknown January, 1997.
PS-MPC.Asstral: Received in January, 1995, PS-MPC.Asstral is a 753
byte non-resident direct action infector of .EXE files. It
infects three .EXE files in the current directory when an
infected program is executed. Infected files increase in
size by 753 bytes with the virus being located at the end of
the file. The program's date and time in the DOS disk
directory listing will not be altered. The following text
strings are encrypted within the viral code:
"[ASStral Zeuss] MUJA DIB ASStral Zeuss sucks DICK...Goodbye
HD!"
"Tim Andrews talks to rocks"
"Revenge is sweet assholes"
"*.exe *.com .."
Origin: Unknown January, 1995.
PS-MPC.DeathBoy: Received in December, 1994, PS-MPC.DeathBoy is a
893 byte non-resident direct action infector of .COM and
.EXE programs, including COMMAND.COM. When an infected
program is executed, the virus will infect one .COM and one
.EXE program located in the current directory. A system hang
will then occur. Programs infected with this virus will have
a file length increase of 893 bytes with the virus being
located at the end of the file. The program's date and time
in the DOS disk directory listing will not appear to be
altered, though the seconds field will be set to "58". The
following text strings are encrypted within the viral code:
"1994 virus=DeathBoy was here"
"*.COM *.EXE PATH="
"TINYPROG says, "Patched program!""
Execution of an infected program also results in the
system date being set to December 10, 1994. System hangs
do not occur once all of the .COM and .EXE files in the
current directory have become infected.
Origin: Unknown December, 1994.
PS-MPC.Fred: Received in May, 1995, PS-MPC.Fred is a 720 byte
non-resident direct action infector of .COM and .EXE files.
It infects three .EXE or .COM files in the current directory
when an infected program is executed. Infected files
increase in size by 720 bytes with the virus being located
at the end of the file. The program's date and time in the
DOS disk directory listing will not be altered. The
following text strings are encrypted within the viral code:
"In fond memory of Fred:We'll miss you..."
"*.exe *.com .."
Origin: Unknown May, 1995.
PS-MPC.Greetings: Received in July, 1994, this virus is a 1,118
byte memory resident infector of .COM and .EXE programs,
including COMMAND.COM. Its size in memory is 2,288 bytes,
hooking interrupts 08, 09, and 21. Once resident, it infects
.COM and .EXE programs when they are executed. Infected
programs will have a file length increase of 1,118 bytes with
the virus being located at the end of the file. The
following text strings are encrypted within the viral code:
"Admiral Bailey [YAM]"
"***[ Just wanna say Wa'Sup to: ]"
"The Carmel Massive"
"The Jamaican Posse and"
"Mad Cobra. Keep the FLEX alive!"
"By-The-Way John call this one "Greetings"."
Origin: United States July, 1994.
PS-MPC.Mom: Received in July, 1994, PS-MPC.Mom is a 974 byte
non-resident direct action infector of .COM and .EXE
programs, including COMMAND.COM. When an infected program
is executed, the virus will infect all of the .EXE programs
located in the current directory. If all of the .EXE
programs were previously infected, the virus will proceed
to infect all of the .COM programs in the directory.
Infected programs will have a file length increase of 974
bytes with the virus being located at the end of the file.
The program's date and time in the DOS disk directory
listing will not be altered. The following text strings are
encrypted within the viral code:
"MoM#\/# () #\/#"
"You are hereby notified that your system has just
encountered"
"a very unusuall disk error."
"This error can be very fatal!!!"
"Please check your system for any further errors."
"DOS EXCEPTION ERROR #13"
"*.com *.exe .."
Origin: Unknown July, 1994.
PS-MPC.Powermen.717: Received in July, 1994, PS-MPC.Powermen.717
is a 717 byte non-resident direct action infector of .COM
and .EXE programs, including COMMAND.COM. When an infected
program is executed, the virus will infect up to five .EXE
programs located in the current directory. If all of the
.EXE programs were previously infected, the virus will
proceed to infect up to five .COM programs in the directory.
Infected programs will have a file length increase of 717
bytes with the virus being located at the end of the file.
The program's date and time in the DOS disk directory
listing will not be altered. The following text strings are
encrypted within the viral code:
"[MPC] [PowerMEN] PowerMEN"
"*.exe *.com .."
System hangs may occur when an infected program is executed
and all of the .EXE programs in the current directory were
previously infected by the virus.
Origin: Unknown July, 1994.
PS-MPC.Projekt.897: Received in May, 1995, PS-MPC.Projekt.897 is
an 897 byte non-resident direct action infector of .COM and
.EXE files. It infects three .EXE or .COM files in the
current directory when an infected program is executed.
Infected files increase in size by 897 bytes with the virus
being located at the end of the file. The program's date
and time in the DOS disk directory listing will not be
altered. The following text strings are encrypted within
the viral code:
"If you can be a half-wit, so can I!"
"*.exe *.com .. US"
Origin: Unknown May, 1995.
PS-MPC.Projekt.918: Received in May, 1995, PS-MPC.Projekt.918 is
a 918 byte non-resident direct action infector of .COM and
.EXE files. It infects three .EXE or .COM files in the
current directory when an infected program is executed.
Infected files increase in size by 918 bytes with the virus
being located at the end of the file. The program's date
and time in the DOS disk directory listing will not be
altered. The following text strings are encrypted within
the viral code:
"[ProjeKt X]"
"*.exe *.com .. "
Origin: Unknown May, 1995.
PS-MPC.Snort: Received in May, 1995, PS-MPC.Snort is a memory
resident infector of .COM files, including COMMAND.COM.
It becomes memory resident at the top of system memory but
below the 640K DOS boundary, not moving interrupt 12's
return. Total system and available free memory, as
indicated by the DOS CHKDSK program, will have decreased
by 3,072 bytes. Interrupt 21 will be hooked by the virus
in memory. Once memory resident, this virus infects .COM
files when they are executed. Infected programs will have
a file length increase of 405 bytes with the virus being
located at the end of the file. The program's date and
time in the DOS disk directory listing will not be altered.
The following text strings are encrypted within the viral
code:
"MRMSNORT MRMSNORT"
"MRMSNORT-VIRUS-EASTGERMANY"
It is unknown what this virus may do besides replicate.
Origin: Germany May, 1995.
PS-MPC.Walt.311: Received in July, 1994, PS-MPC.Walt.311 is a 311
byte non-resident direct action infector of .COM programs.
It infects one .COM file in the current directory when
an infected program is executed. Infected programs will
have a file length increase of 311 bytes with the virus
being located at the end of the file. The program's date
and time in the DOS disk directory listing will not be
altered. The following text strings are visible within
the PS-MPC.Walt.311 viral code:
"[MPC]"
"[SHY_KOO]"
"[Walt Whittman]"
"*.com"
Origin: Unknown July, 1994.
PSMPC-331: Received in September, 1993, PSMPC-331 is a 331 byte
non-resident direct action infector of .COM programs. It
infects multiple .COM files in the current directory when
an infected program is executed. Infected programs will
have a file length increase of 331 bytes with the virus
being located at the end of the file. The program's date
and time in the DOS disk directory listing will not be
altered. The following text strings are visible within
the PSMPC-331 viral code:
"[MPC]"
"*.com"
Origin: Unknown September, 1993.
PSMPC-338: Received in September, 1993, PSMPC-338 is a 338 byte
non-resident direct action infector of .COM programs. It
infects one .COM file in the current directory when
an infected program is executed. Infected programs will
have a file length increase of 338 bytes with the virus
being located at the end of the file. The program's date
and time in the DOS disk directory listing will not be
altered. The following text strings are encrypted within
the PSMPC-338 viral code:
"[MPC]"
"*.com"
This virus will only infect the first four .COM files in a
directory.
Origin: Unknown September, 1993.
PSMPC-339: Received in September, 1993, PSMPC-339 is a 339 byte
non-resident direct action infector of .COM programs. It
infects one .COM file in the current directory when
an infected program is executed. Infected programs will
have a file length increase of 339 bytes with the virus
being located at the end of the file. The program's date
and time in the DOS disk directory listing will not be
altered. The following text strings are encrypted within
the PSMPC-339 viral code:
"[MPC]"
"*.com"
System hangs may occur when infected programs are executed.
Origin: Unknown September, 1993.
PSMPC-344: Received in September, 1993, PSMPC-344 is a 344 byte
non-resident direct action infector of .COM programs. It
infects one .COM file in the current directory when
an infected program is executed. Infected programs will
have a file length increase of 344 bytes with the virus
being located at the end of the file. The program's date
and time in the DOS disk directory listing will not be
altered. The following text strings are encrypted within
the PSMPC-344 viral code:
"[MPC]"
"*.com"
System hangs may occur when infected programs are executed.
Origin: Unknown September, 1993.
PSMPC-347: Received in September, 1993, PSMPC-347 is a 347 byte
non-resident direct action infector of .COM programs. It
infects one .COM file in the current directory when
an infected program is executed. Infected programs will
have a file length increase of 347 bytes with the virus
being located at the end of the file. The program's date
and time in the DOS disk directory listing will not be
altered. The following text strings are encrypted within
the PSMPC-347 viral code:
"[MPC]"
"*.com"
System hangs may occur when infected programs are executed.
Origin: Unknown September, 1993.
PSMPC-351: Received in September, 1993, PSMPC-351 is a 351 byte
non-resident direct action infector of .COM programs. It
infects one .COM file in the current directory when
an infected program is executed. Infected programs will
have a file length increase of 351 bytes with the virus
being located at the end of the file. The program's date
and time in the DOS disk directory listing will not be
altered. The following text strings are encrypted within
the PSMPC-351 viral code:
"[MPC]"
"*.com"
System hangs may occur when infected programs are executed.
Origin: Unknown September, 1993.
PSMPC-352: Received in September, 1993, PSMPC-352 is a 352 byte
non-resident direct action infector of .COM programs. It
infects one .COM file in the current directory when
an infected program is executed. Infected programs will
have a file length increase of 352 bytes with the virus
being located at the end of the file. The program's date
and time in the DOS disk directory listing will not be
altered. The following text strings are encrypted within
the PSMPC-352 viral code:
"[MPC]"
"*.com"
System hangs may occur when infected programs are executed.
Origin: Unknown September, 1993.
PSMPC-353: Received in September, 1993, PSMPC-353 is a 353 byte
non-resident direct action infector of .COM programs. It
infects one .COM file in the current directory when
an infected program is executed. Infected programs will
have a file length increase of 353 bytes with the virus
being located at the end of the file. The program's date
and time in the DOS disk directory listing will not be
altered. The following text strings are encrypted within
the PSMPC-353 viral code:
"[MPC]"
"*.com"
System hangs may occur when infected programs are executed.
Origin: Unknown September, 1993.
PSMPC-478: Received in September, 1993, PSMPC-478 is a 478 byte
non-resident direct action infector of .EXE and .COM
programs. It infects two .EXE or .COM files in the current
directory when an infected program is executed. Infected
programs will have a file length increase of 478 bytes with
the virus being located at the end of the file. The
program's date and time in the DOS disk directory listing
will not be altered. The following text strings are
visible within the PSMPC-478 viral code:
"[MPC]"
"*.exe *.com"
System hangs may occur when infected programs are executed.
Origin: Unknown September, 1993.
PSMPC-573: Received in September, 1993, PSMPC-573 is a 573 byte
non-resident direct action infector of .EXE and .COM
programs. It infects two .EXE or .COM files in the current
directory when an infected program is executed. Infected
programs will have a file length increase of 573 bytes with
the virus being located at the end of the file. The
program's date and time in the DOS disk directory listing
will not be altered. The following text strings are
encrypted within the PSMPC-573 viral code:
"[MPC]"
"*.exe *.com"
Approximately 30 seconds to 1 minute after an infected
program is executed, the virus will attempt to write to
device "PRN" (the system printer). If the device isn't
available, a system hang may occur.
Origin: Unknown September, 1993.
PSMPC-598: Received in September, 1993, PSMPC-598 is a 598 byte
non-resident direct action infector of .EXE and .COM
programs. It infects all of the .EXE or .COM files in the
current directory when an infected program is executed.
Infected programs will have a file length increase of 598
bytes with the virus being located at the end of the file.
The program's date and time in the DOS disk directory
listing will not be altered. The following text strings
are encrypted within the PSMPC-598 viral code:
"[MPC]"
"*.exe *.com"
Origin: Unknown September, 1993.
PSMPC-603: Received in September, 1993, PSMPC-603 is a 603 byte
non-resident direct action infector of .EXE and .COM
programs. It infects all of the .EXE or .COM files in the
current directory when an infected program is executed.
Infected programs will have a file length increase of 603
bytes with the virus being located at the end of the file.
The program's date and time in the DOS disk directory
listing will not be altered. The following text strings
are encrypted within the PSMPC-603 viral code:
"[MPC]"
"*.exe *.com"
System hangs accompanied by loud buzzing on the system
speaker may occur when infected programs are executed.
Origin: Unknown September, 1993.
PSMPC-611: Received in September, 1993, PSMPC-611 is a 611 byte
non-resident direct action infector of .EXE and .COM
programs. It infects all of the .EXE or .COM files in the
current directory when an infected program is executed.
Infected programs will have a file length increase of 611
bytes with the virus being located at the end of the file.
The program's date and time in the DOS disk directory
listing will not be altered. The following text strings
are encrypted within the PSMPC-611 viral code:
"[MPC]"
"*.exe *.com"
Origin: Unknown September, 1993.
Pussy: Received in September, 1993, Pussy is a 493 byte memory
resident companion virus which infects .EXE programs by
creating a corresponding .COM file. It becomes memory
resident at the top of system memory but below the 640K
DOS boundary when the first infected program is executed.
Total system and available free memory, as indicated by the
DOS CHKDSK program, will have decreased by 4,096 bytes.
Interrupt 21 will be hooked by Pussy in memory. Once
resident, it infects .EXE programs when they are executed by
creating a .COM file with the same base file name. This
.COM file will be 493 bytes in length with the current
system date and time when infection occurred. It contains
the Pussy viral code. The Pussy virus may corrupt the
system hard disk file allocation table (FAT) when infected
programs are executed.
Origin: Unknown September, 1993.
Quadratic-986: Received in August, 1993, Quadratic-986 is a 986
byte non-resident virus. When an infected program is
executed, it will the copy of COMMAND.COM indicated by the
COMSPEC environmental variable. The virus will sometimes
overwrite 983 bytes of the hex 00 area within COMMAND.COM,
at other times it will increase the file length by 986
bytes with the viral code being located at the end of the
file. The program's date and time in the DOS disk
directory will have the seconds field set to "62". The
following text strings are visible within the viral code:
"Quadratic Equation"
"SD93"
System hangs, and thus boot failures, frequently occur
when infected programs are executed.
Origin: Unknown August, 1993.
Scarey: Received in February, 1993, Scarey is a 739 byte memory
resident infector of .COM and .EXE programs, including
COMMAND.COM. It becomes memory resident at the top of
system memory but below the 640K DOS boundary when the
first infected program is executed. Total system and
available free memory, as indicated by the DOS CHKDSK
program, will have decreased by 1,552 bytes. Interrupt 21
will be hooked by Scarey in memory. Once resident, it
infects .COM and .EXE programs when they are executed.
Infected programs will have a file length increase of 739
bytes with the virus being located at the end of the file.
Scarey contains code to emit a buzzing noise on the system
speaker while performing a read of the system hard disk.
Origin: Unknown February, 1993.
Schrunch: Received in November, 1992, Schrunch is a 458 byte
non-resident direct action infector of .COM programs,
including COMMAND.COM. It infects one program in the
current directory each time an infected program is executed.
Infected programs will have a file length increase of 458
bytes with the virus being located at the end of the file.
The program's date and time in the DOS disk directory
listing will not be altered. The following text strings
are encrypted within infected programs:
"[ZEB (C) 1992] [SCHRUNCH[ Abraxas 2]"
"*.com"
On VGA systems, executing an infected program will result
in the system display being placed in 50 line mode, and
beeping may occur. On non-VGA systems, garbled characters
may appear on the display.
Origin: United States November, 1992.
Silent Killer: Received in January, 1994, Silent Killer is a
397 byte memory resident infector of .COM, including
COMMAND.COM. It becomes memory resident at the top of system
memory but below the 640K DOS boundary when the first
infected program is executed, hooking interrupt 21. Total
system and available free memory, as indicated by the
DOS CHKDSK program, will have decreased by 448 bytes. Once
resident, it infects .COM programs when they are executed.
Infected programs will have a file length increase of 397
bytes with the virus being located at the end of the file.
The following text string is visible within the viral code in
all Silent Killer infected programs:
"[ZRK] Silent Killer Z-Rock"
Origin: Unknown January, 1994.
Skeleton: Received in November, 1992, Skeleton is a 556 byte
non-resident direct action infector of .COM and .EXE
programs, including COMMAND.COM. It infects three programs
in the current directory each time an infected program
is executed, with preference to .EXE files. Infected
programs will have a file length increase of 556 bytes with
the virus being located at the end of the file. The
program's date and time in the DOS disk directory listing
will not be altered. The following text strings are
encrypted within infected programs:
"[MPC] [Skeleton] Deke"
"*.exe *.com"
System hangs may occur once the virus has run out of
non-infected programs to infect.
Origin: Germany November, 1992.
Sucker: Received in April, 1993, Sucker is a 572 byte memory
resident infector of .COM and .EXE programs, including
COMMAND.COM. It becomes memory resident at the top of system
memory but below the 640K DOS boundary when the first
infected program is executed. Total system and available
free memory, as indicated by the DOS CHKDSK program, will
have decreased by 2,048 bytes. Interrupt 21 will be hooked
by Sucker in memory. Once resident, it infects .COM and
.EXE programs when they are executed. Infected programs
will have a file length increase of 572 bytes with the virus
being located at the end of the file. The following text
string is encrypted within the viral code:
"[MPC] Sucker (C) 1993"
Origin: Unknown April, 1993.
Sunday Death: Received in November, 1992, Sunday Death is a
644 byte non-resident direct action infector of .COM and
.EXE programs, including COMMAND.COM. It infects all .COM
and .EXE programs in the current directory when an infected
program is executed. Infected programs will have a file
length increase of 644 bytes with the virus being located at
the end of the file. The program's date and time in the DOS
disk directory listing will not be altered. The following
text strings are encrypted within infected programs:
"[BCA]"
"Sunday Death -- 1992 (c)BCA"
"Raven"
"*.exe *.com"
On Sundays, execution of an infected program will result
in a system hang occurring.
Origin: United States November, 1992.
T-Rex: Received in September, 1993, T-Rex is a 410 byte memory
resident infector of .COM programs, including COMMAND.COM.
It becomes memory resident at the top of system memory but
below the 640K DOS boundary when the first infected program
is executed. Total system and available free memory, as
indicated by the DOS CHKDSK program, will have decreased by
approximately .5K. Interrupt 21 will be hooked by T-Rex
Once resident, it infects .COM programs when they are
executed. Infected programs will have a file length
increase of 410 bytes with the virus being located at the
end of the file. The following text string is visible in
the viral code in all T-Rex infected programs:
"[MPC] T-REX subcon"
Infected programs will frequently hang the system when they
are executed, and boot failures will occur once the boot
copy of COMMAND.COM becomes infected. Some infected
programs will simply return the user to the DOS prompt.
Origin: Unknown September, 1993.
Test 441: Received in December, 1992, Test 441 is a 441 byte
non-resident direct action infector of .EXE programs. It
infects three .EXE programs each time an infected program
is executed. Once all of the .EXE programs in the current
directory have become infected, it will move upward in the
directory structure. Infected programs will have a file
length increase of 441 bytes with the virus being located
at the end of the file. The program's date and time in the
DOS disk directory listing will not be altered. The
following text strings can be found within the viral code
in all infected programs as the virus is not encrypted:
"[MPC] [Test] Sam Hain"
"*.exe .."
Origin: United States December, 1992.
Tim 3: Received in June, 1993, Tim 3 is a 301 byte non-resident
direct action infector of .COM programs. It infects one
.COM file in the current directory each time an infected
program is executed. Infected programs will have a file
length increase of 301 bytes with the virus being located
at the end of the file. The program's date and time in
the DOS disk directory listing will not be altered. The
following text strings are visible within the virus:
"[MPC] [TIM] Abraxas"
"*.com"
Origin: Unknown June, 1993.
Tim 4: Received in June, 1993, Tim 4 is a 515 byte non-resident
direct action infector of .COM & .EXE programs. It
infects one .EXE or .COM file in the current directory
each time an infected program is executed. Infected
programs will have a file length increase of 515 bytes
with the virus being located at the end of the file. The
program's date and time in the DOS disk directory listing
will not be altered. The following text strings are
visible within the virus:
"[MPC] [TIM] Abraxas"
"*.exe *.com"
Origin: Unknown June, 1993.
Tim 5: Received in June, 1993, Tim 5 is a 401 byte non-resident
direct action infector of .COM programs. It infects one
.COM file in the current directory each time an infected
program is executed. Infected programs will have a file
length increase of 401 bytes with the virus being located
at the end of the file. The program's date and time in
the DOS disk directory listing will not be altered. The
following text strings are encrypted within the virus:
"[MPC] [TIM] Abraxas"
"*.com"
Origin: Unknown June, 1993.
Tongue: Received in November, 1992, Tongue is a 597 byte
non-resident direct action infector of .COM and .EXE
programs, including COMMAND.COM. It infects three programs
in the current directory each time an infected program
is executed, with preference to .EXE files. Infected
programs will have a file length increase of 597 bytes with
the virus being located at the end of the file. The
program's date and time in the DOS disk directory listing
will not be altered. The following text string is visible
within the viral code in all infected programs:
"*.exe *.com"
Origin: United States November, 1992.
Toys: Received in November, 1992, Toys is a 773 byte non-resident
direct action infector of .COM and .EXE programs, including
COMMAND.COM. It infects two .COM or .EXE programs in the
current directory when an infected program is executed, with
preference given to .EXE files. Infected programs will have
a file length increase of 773 bytes with the virus being
located at the end of the file. The program's date and time
in the DOS disk directory listing will not be altered. The
following text strings are encrypted within infected
programs:
"All my toys are broken"
"And so am I inside."
"The carnival has closed"
"Years ago..."
"[VCL/MPC]"
"*.exe *.com"
Origin: United States November, 1992.
Walkabout: Received in October, 1992, Walkabout is a 573 byte
memory resident infector of .COM and .EXE programs,
including COMMAND.COM. It becomes memory resident at the
top of system memory but below the 640K DOS boundary when
the first infected program is executed. Total system and
available free memory, as indicated by the DOS CHKDSK
program, will have decreased by 2,048 bytes. Interrupt 21
will be hooked by Walkabout in memory. Once resident, it
infects .COM and .EXE programs when they are executed.
Infected programs will have a file length increase of 573
bytes with the virus being located at the end of the file.
The following text string is encrypted within the viral
code:
"[WALKABOUT TSR VER 1.0] THE STRANGER"
Origin: United States October, 1992.
War Dork: Received in June, 1993, War Dork is a 553 byte
non-resident direct action infector of .EXE programs.
It infects three programs in the current directory each
time an infected program is executed. Infected programs
will have a file length increase of 553 bytes with the
virus being located at the end of the file. The program's
date and time in the DOS disk directory listing will not
be altered. The following text strings are encrypted
within infected programs:
"[MPC] War Dork A rombus"
"*.exe .."
Origin: Unknown June, 1993.
Warez D00d: Received in December, 1992, Warez D00d is a 1,803
byte non-resident direct action infector of .COM, .EXE,
and .OVR programs, including COMMAND.COM. It infects all
candidate programs in the current directory when an infected
program is executed. Infected programs will have a file
length increase of 1,803 bytes with the virus being
located at the end of the file. The program's date and time
in the DOS disk directory listing will not be altered. The
following text strings are encrypted within infected
programs:
"HEY!!! Blow ME, WaReZ FAGGOT"
"You got sorta lucky!!!"
"I am afraid that I am going to have to smash your
WaReZ, d00d!!!"
"Go ahead! Call the police and tell them"
"[NuKe]"
"paid you a visit!"
"*.exe *.ovr *.com"
Virus will occassionally display the following message in
graphics, and corrupt some .EXE programs located in the
current directory:
"DONT'T YOU KNOW THAT PIRACY IS ILLEGAL
I am afraid that I am going to have to smash your
Warez, d00d!!!
Go ahead! Call the police and tell them [NuKe] paid
you a visit!"
Origin: Unknown December, 1992.
Who Cares: Received in June, 1993, Who Cares is an 181 byte
non-resident direct action infector of .COM programs,
including COMMAND.COM. It infects all of the .COM programs
in the current directory when an infected program is
executed. Infected programs will have a file length
increase of 181 bytes, unless they were originally smaller
than 165 bytes, in which case their length will become 346
bytes. The virus will be located at the beginning of the
file. The program's date and time in the DOS disk directory
listing will have been updated to the current system date
and time when infection occurred. The following text string
can be found within the viral code in all infected programs:
"*.com"
Origin: Unknown June, 1993.
Z10: Received in September, 1992, Z10 is a 704 byte non-resident
direct action infector of .COM and .EXE programs, but not
COMMAND.COM. It infects two programs in the current
directory each time an infected program is executed, with
preference given to .EXE files. Infected programs will have
a file length increase of 704 bytes with the virus being
located at the end of the file. The program's date and time
in the DOS disk directory listing will not be altered. The
following text strings are encrypted within infected
programs:
"*.exe *.com"
"[PF] [Z_10] Paul Ferguson"
Origin: United States September, 1992.
Zeppelin: Received in September, 1992, Zeppelin is a 1,508 byte
non-resident direct action infector of .COM and .EXE
programs, including COMMAND.COM. It infects five programs
in the current directory each time an infected program is
executed, with preference given to .EXE files. Infected
programs will have a file length increase of 1,508 bytes
with the virus being located at the end of the file. .COM
programs may be reinfected by the virus, adding an
additional 1,508 bytes with each reinfection. The program's
date and time in the DOS disk directory listing will not be
altered. The following text strings are encrypted within
infected programs:
"*.exe *.com"
"Ripped this Motherfucker off"
"SHIT!!! Wont work...."
"[pAgE] [SwanSong] Gandolph"
The Zeppelin virus will activate when it infects .EXE
programs. After infecting five .EXE programs, the screen
will be cleared and a color graphic of a zeppelin will
appear, accompanied by tones being emitted on the system
speaker. On mono systems, the graphic may appear as a
series of screens of various characters. When the program
infects .COM files, a system hang usually follows.
Origin: United States September, 1992.
See: ARCV-n G2 Joshua Shock Therapy Warez-1341