Trident Virus
Virus Name: Trident
Aliases: See below
V Status: New
Discovered: October, 1993
Symptoms: .COM and/or .EXE growth;
possible decrease in total system and available free memory
Origin: The Netherlands
Eff Length: Depends on Virus Present
Type Code: PNRAK - Parasitic Resident or Non-Resident Program Infectors
Detection Method: ViruScan, IBMAV, F-Prot, AVTK, Sweep, PCScan,
NAV, NAVDX, VAlert, ChAV,
NProt, NShld, Sweep/N, AVTK/N, IBMAV/N, Innoc, NAV/N
Removal Instructions: Delete infected files
General Comments:
The Trident entry represents a group of viruses which were written
by members of the Trident virus writing group in The Netherlands.
These viruses are .COM and/or .EXE file infectors, and may or may
not be memory resident. At least one of the viruses in this group,
Trident 90210, is a memory resident stealth virus.
The viruses which are members of the Trident family are:
Trident 90210: Received in October, 1993, Trident 90210 is also
known as the 90210 BH virus. It is a memory resident fast
infector of .COM programs, including COMMAND.COM. Trident
90210 installs itself memory resident at the top of system
memory but below the 640K DOS boundary, hooking interrupts 1C
and 21. Total system and available free memory, as indicated
by the DOS CHKDSK program, will have decreased by 896 bytes.
Once resident, it infects .COM programs when they are executed
or opened. Infected programs have a file length increase of
647 bytes, though the file length increase will be hidden when
the virus is memory resident. The virus is located at the end
of the file. The program's date and time in the DOS disk
directory listing will not be altered. The following text
strings are visible within the viral code:
"[90210 BH]"
"John Tardy / TridenT"
The DOS CHKDSK program will indicate file allocation errors on
all infected programs when the virus is memory resident.
Origin: The Netherlands, October, 1993.
Trident.439: Received in July, 1994, Trident.439 is a non-resident
direct action infector of .COM programs, but not COMMAND.COM.
It infects one .COM program in the current directory when an
infected program is executed. It does not infect programs
located on the A: diskette drive. Programs infected with
Trident.439 will have a file length increase of 439 bytes with
the virus being located at the end of the file. The program's
date and time in the DOS disk directory listing will not be
altered. The following text strings are encrypted within the
viral code:
"[NoLimit2] ohn Tardy / Trident CAVAGUCO4DVSTB"
"*.CoM"
This variant limits itself to infecting only the first five
.COM files in any directory.
Origin: The Netherlands, July, 1994.
Trident-444: Received in October, 1993, and also known as the
Servant virus, Trident-444 is a non-resident, direct action
infector of .COM programs, including COMMAND.COM. It
infects one .COM program in the current directory when an
infected program is executed. It does not infect programs
located on the A: diskette drive. Programs infected with
Trident-444 will have a file length increase of 444 bytes with
the virus being located at the end of the file. The program's
date and time in the DOS disk directory listing will not be
altered. The following text strings are encrypted within the
viral code:
"CAVAGUCO4DVSTB"
"*.CoM"
"John Tardy / TridenT"
Some programs will not function properly once they become
infected with this virus.
Origin: The Netherlands, October, 1993.
Trident.454: Received in July, 1994, Trident.454 is a non-resident
direct action infector of .COM programs, but not COMMAND.COM.
It infects one .COM program in the current directory when an
infected program is executed. It does not infect programs
located on the A: diskette drive. Programs infected with
Trident.454 will have a file length increase of 454 bytes with
the virus being located at the end of the file. The program's
date and time in the DOS disk directory listing will not be
altered. The following text strings are encrypted within the
viral code:
"[NoLimit2] ohn Tardy / Trident CAVAGUCO4DVSTB"
"*.CoM"
This variant limits itself to infecting only the first five
.COM files in any directory.
Origin: The Netherlands, July, 1994.
Trident-611: Received in October, 1993, Trident-611 is also
known as the Bugfix 1.1 virus. It is a memory resident
infector of .COM programs, including COMMAND.COM. Trident-611
installs itself memory resident at the top of system memory
but below the 640K DOS boundary, hooking interrupts 1C and 21.
Total system and available free memory, as indicated by the
DOS CHKDSK program, will have decreased by 624 bytes. Once
resident, it infects .COM programs when they are executed.
Infected programs have a file length increase of 611 bytes
with the virus being located at the end of the file. The
program's date and time in the DOS disk directory listing
will not be altered. The following text strings are visible
within the viral code:
"[TridenT]"
"{V1.1 Bugfix}"
"OROiOgOhOaOrOdO OZOwOiOeOnOeOnObOeOrOgO OmOaOdOeO OtOhOeO
ODOUOTOCOHO-O5O5O5O OVOiOrOuOsO!O!O!O"
It is unknown what Trident-611 does besides replicate.
Origin: The Netherlands, October, 1993.
Trident.647: Received in January, 1996, Trident.647 is a memory
resident fast infector of .COM programs, including
COMMAND.COM. Trident.647 installs itself memory resident at
the top of system memory but below the 640K DOS boundary,
hooking interrupt 21. Available free memory, as indicated by
the DOS CHKDSK program from DOS 5.0, will have decreased by
880 bytes. Once resident, it infects .COM programs when they
are executed or opened, but not when copied. Infected
programs have a file length increase of 647 bytes, though the
file length increase will be hidden when the virus is memory
resident. The virus is located at the end of the file. The
program's date and time in the DOS disk directory listing will
not appear to be altered, though the seconds field will be set
to "62". The following text strings are visible within the
viral code:
"Mad Satan."
"By [Mad Satan] V4.02"
Origin: Unknown, January, 1996.
Trident.914: Received in July, 1994, Trident.914 is a memory
resident fast infector of .COM programs, including
COMMAND.COM. Trident.914 installs itself memory resident at
the top of system memory but below the 640K DOS boundary,
hooking interrupts 1C and 21. Total system and available free
memory, as indicated by the DOS CHKDSK program, will have
decreased by 2,080 bytes. Once resident, it infects .COM
programs when they are executed, copied, or opened. Infected
programs have a file length increase of 914 bytes, though the
file length increase will be hidden when the virus is memory
resident. The virus is located at the end of the file. The
program's date and time in the DOS disk directory listing will
not appear to be altered, though the seconds field will be set
to "62". The following text strings are encrypted within the
viral code:
"[ John Tardy / Trident ]"
"Trapped in a spell of the Necromonicon"
The DOS CHKDSK program will indicate file allocation errors on
all infected programs when the virus is memory resident.
Origin: Unknown, July, 1994.
See: Darkray Flue
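
Added example (not part of the original entry): the "62" seconds value reported for Trident.647 and Trident.914 is not shown by the DOS DIR command, which prints only hours and minutes, but it can be read from the raw FAT directory entry, where the low five bits of the time word store seconds divided by two. The Python sketch below scans constructed sample entries for .COM files carrying that value; the file names, sizes and times are made up for illustration, and a hit is only a heuristic to be confirmed with one of the scanners listed above.

```python
import struct

ENTRY_SIZE = 32                      # size of one FAT directory entry
ATTR_VOLUME_OR_DIR = 0x08 | 0x10     # volume label or subdirectory

def dos_time(raw):
    """Decode a 16-bit DOS time word into (hour, minute, second)."""
    return raw >> 11, (raw >> 5) & 0x3F, (raw & 0x1F) * 2

def suspicious_com_entries(directory):
    """Return (name, size, 'hh:mm:ss') for .COM entries whose seconds read 62."""
    hits = []
    for off in range(0, len(directory) - ENTRY_SIZE + 1, ENTRY_SIZE):
        entry = directory[off:off + ENTRY_SIZE]
        if entry[0] == 0x00:         # first byte 0 marks the end of the directory
            break
        if entry[0] == 0xE5 or entry[11] & ATTR_VOLUME_OR_DIR:
            continue                 # deleted entry, label or subdirectory
        name = entry[0:8].decode("ascii", "replace").rstrip()
        ext = entry[8:11].decode("ascii", "replace").rstrip()
        (time_word,) = struct.unpack_from("<H", entry, 22)
        (size,) = struct.unpack_from("<I", entry, 28)
        h, m, s = dos_time(time_word)
        if ext == "COM" and s == 62:
            hits.append((f"{name}.{ext}", size, f"{h:02d}:{m:02d}:{s:02d}"))
    return hits

def make_entry(name, ext, hour, minute, sec_field, size):
    """Build a constructed 32-byte directory entry (demo data only)."""
    entry = bytearray(ENTRY_SIZE)
    entry[0:8] = name.ljust(8).encode("ascii")
    entry[8:11] = ext.ljust(3).encode("ascii")
    entry[11] = 0x20                 # archive attribute
    struct.pack_into("<H", entry, 22, (hour << 11) | (minute << 5) | sec_field)
    struct.pack_into("<I", entry, 28, size)
    return bytes(entry)

# Constructed sample directory: one .COM entry has seconds field 31 ("62").
SAMPLE_DIR = b"".join([
    make_entry("COMMAND", "COM", 5, 0, 0, 47845),
    make_entry("EDIT", "COM", 12, 30, 31, 1327),
    make_entry("README", "TXT", 9, 15, 31, 200),   # not a .COM file, ignored
    make_entry("FORMAT", "COM", 5, 0, 29, 32911),  # 58 seconds, a valid time
]) + bytes(ENTRY_SIZE)

if __name__ == "__main__":
    for hit in suspicious_com_entries(SAMPLE_DIR):
        print(hit)
```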