Taiwan Virus
Virus Name: Taiwan
Aliases: Taiwan 2, Taiwan-B, Doom I, Doom I-B
V Status: Endangered
Discovered: January, 1990
Symptoms: .COM growth; 8th day of any month corrupts boot, FAT,
& Master boot sectors
Origin: Taiwan
Eff Length: 743 Bytes
Type Code: PNCK - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan, F-Prot, NAV, AVTK, Sweep, IBMAV,
NAVDX, VAlert, PCScan, ChAV,
NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N,
NAV/N, IBMAV/N
Removal Instructions: F-Prot, NAV, or delete infected files
General Comments:
The Taiwan virus was first isolated in January, 1990 in Taiwan,
R.O.C. This virus infects .COM files, including COMMAND.COM, and
does not install itself into system memory.
Each time a program infected with the Taiwan virus is executed, the
virus will attempt to infect up to three .COM files. The virus does
not begin with the current default directory; instead, it starts
its search for candidate files in the C: drive root directory. Once
an uninfected .COM file is located, the virus infects the file by
copying the viral code to the first 743 bytes of the file; the
original first 743 bytes of the file are relocated to the end of
the .COM file. A bug exists in this virus: if the uninfected .COM
file is less than 743 bytes in length, the resulting infected .COM
file will always be 1,486 bytes in length. This effect is due to
the virus not checking whether it read fewer than 743 bytes of the
original file before infecting it.
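The layout arithmetic above, worked through from the analyst's side as an added example (not part of the original entry and not a tested disinfector): it reverses the relocation described in this paragraph and flags the 1,486-byte case, where the original length cannot be recovered from the file alone. The function names, the 0xCC filler standing in for the viral code, and the zero padding after a short read are assumptions made for illustration.

```python
VIRUS_LEN = 743  # "Eff Length" given in this entry


def constructed_sample(host: bytes) -> bytes:
    """Build a stand-in file with the layout described above.

    The 743 leading bytes are 0xCC filler, not viral code. Assumption:
    after a short read the relocated buffer is padded with zero bytes;
    the entry does not say what the unused part of the buffer holds.
    """
    relocated = host[:VIRUS_LEN].ljust(VIRUS_LEN, b"\x00")
    return b"\xCC" * VIRUS_LEN + host[VIRUS_LEN:] + relocated


def restore_layout(infected: bytes):
    """Undo the relocation: move the last 743 bytes back to the front.

    Returns (restored_bytes, length_is_exact). A file of exactly 1,486
    bytes came from a host of 743 bytes or fewer, so the restored image
    may carry trailing bytes that were never part of the program.
    """
    if len(infected) < 2 * VIRUS_LEN:
        raise ValueError("shorter than 1,486 bytes: not this layout")
    tail = infected[-VIRUS_LEN:]              # original first 743 bytes
    middle = infected[VIRUS_LEN:-VIRUS_LEN]   # untouched remainder of host
    length_is_exact = len(infected) != 2 * VIRUS_LEN
    return tail + middle, length_is_exact


if __name__ == "__main__":
    long_host = bytes(range(256)) * 4         # constructed 1,024-byte host
    short_host = b"\x90" * 100                # constructed 100-byte host
    for name, host in (("long", long_host), ("short", short_host)):
        sample = constructed_sample(host)
        restored, exact = restore_layout(sample)
        print(name, len(host), "->", len(sample), "->", len(restored),
              "exact length" if exact else "length uncertain")
```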
The Taiwan virus is destructive. On the 8th day of any month, when
an infected program is run, the virus will perform an absolute disk
write for 160 sectors starting at logical sector 0 on the C: and D:
drives. In effect, this logical write will result in the FATs and
root directory being overwritten.
Known variant(s) of Taiwan are:
Doom I: A variant of Taiwan that falls between Taiwan-B and
Taiwan. Doom I adds 752 bytes to infected files with no
change in the file's date and time in the DOS disk
directory. Doom I will infect four .COM files on the C:
drive when an infected program is executed. It does not
reset the current drive and directory after infecting the
files, so if the user was not using the C: drive as the
current drive, they may notice the change. Due to
a bug in the virus, when Doom I infects programs smaller
than 752 bytes, the infected program's length will become
1,488 bytes.
Doom I-B: Doom I-B is a later version of the Taiwan virus, and
increases the size of infected files by 677 bytes. It
will infect three .COM files located on the C: drive
when an infected program is executed. The current drive
and directory will be properly reset to the drive and
directory the user was currently located in once the
infection process is complete. Unlike other variants of
Taiwan, this variant will not infect programs smaller
than itself.
Taiwan-B: Apparently an earlier version of the Taiwan virus. This
variant will hang the system when infected files are
executed, though only after it has infected another file
using the selection mechanism indicated for the Taiwan
virus.