Yankee Doodle Virus
Virus Name: Yankee Doodle
Aliases: TP44VIR, Five O'clock Virus
V Status: Common
Discovered: September, 1989
Isolated: Vienna, Austria
Symptoms: .COM & .EXE growth; melody @ 5 p.m.
Origin: Bulgaria
Eff Length: 2,885 or 2,899 Bytes
Type Code: PRsA - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan, F-Prot, AVTK, NAV, Sweep, IBMAV, NAVDX,
VAlert, PCScan, ChAV, NShld, LProt, Sweep/N, Innoc,
NProt, AVTK/N, NAV/N, IBMAV/N
Removal Instructions: F-Prot, NAV, or delete infected files
General Comments:
The Yankee Doodle virus was isolated by Alexander Holy of the North
Atlantic Project in Vienna, Austria, on September 30, 1989. It was
also isolated in Bulgaria shortly thereafter, where it is known as
TP44VIR.
This virus is a parasitic virus which infects both .COM and .EXE
files, and installs itself memory resident. After installing
itself memory resident, it will play Yankee Doodle on the system
speaker at 17:00. Infected programs will be increased in length by
2,899 bytes.
Other than being disruptive by playing Yankee Doodle, this virus
currently does nothing else harmful besides infecting files.
As a side note, some variants of the Yankee Doodle virus will seek
out and modify Ping Pong viruses, changing them so that they
self-destruct after 100 infections.
Known variant(s) of Yankee Doodle are:
TP33VIR: This variant disables interrupts 1 and 3, thus
interfering with the use of debuggers to isolate it. The
behavior of the virus has also been changed so that
infected programs will play Yankee Doodle at 5 PM. The
second to the last byte in infected files is the virus'
"version number"; in the case of TP33VIR, it is 21h
(decimal 33).
TP34VIR: Similar to TP33VIR, except that this variant is memory
resident, and infects programs as they are executed. The
second to the last byte in infected files is 22h.
TP38VIR: Similar to TP34VIR, except that .COM and .EXE files are
handled in a different way, and this variant will
disinfect itself if it is loaded with CodeView active in
memory. The second to the last byte in infected files is
26h. TP38VIR was first isolated in Bulgaria in July 1988,
and is the oldest virus known in Bulgaria.
TP41VIR: Similar to TP38VIR, except the second to the last byte
in infected files is 29h.
TP42VIR: This variant of Vacsina tests to determine if the system
is infected with the Ping Pong virus, and if it is, will
attempt to disable the Ping Pong virus by modifying it.
The second to the last byte in infected files is now 2Ah.
TP44VIR: Similar to TP42VIR, the second to the last byte of
infected files is 2Ch.
TP45VIR: Similar to TP44VIR, the second to the last byte of
infected files is 2Dh.
TP46VIR: Similar to TP45VIR, except that this variant can detect
and kill the Cascade (1701) virus. The second to the last
byte of infected files is now 2Eh.
Yankee Doodle-1905: Based on the TP44VIR variant listed above,
this variant decreases total system and available free
memory by 30,464 bytes when it is resident. It hooks
interrupts 1C and 21. When resident, it will infect .COM
and .EXE programs, including COMMAND.COM, when they are
executed. Infected programs will have a file length
increase of 1,905 to 1,924 bytes with the virus being
located at the end of the file. The text string "Zak!" can
be found near the end of all infected files.
Origin: Unknown July, 1992.
Yankee Doodle.2167: A variant of the Yankee Doodle virus, this
variant's size in memory is 2,192 bytes, hooking interrupts
08, 09, 10, and 21. When resident, it will infect .COM,
.EXE, and overlay files, including COMMAND.COM, when they
are executed. Infected programs will have a file length
increase of 2,167 to 2,181 bytes with the virus being
located at the end of the file. The file's date and time
in the DOS disk directory listing will not be altered. The
following text string can be found within the viral code:
"Zuh&"
Origin: Unknown February, 1995.
Yankee Doodle-2189: Based on the TP44VIR variant listed above,
this variant decreases total system and available free
memory by 2,192 bytes when it is resident. It hooks
interrupts 1C and 21. When resident, it will infect .COM
and .EXE programs, including COMMAND.COM, when they are
executed or opened for any reason. Infected programs will
have a file length increase of 2,189 to 2,204 bytes with the
virus being located at the end of the file. The file's date
and time in the DOS disk directory listing will have been
altered so that the file date month and year are set to
"4-31".
Origin: Unknown August, 1993.
Yankee Doodle.2433: Received in July, 1995, this variant's size
in memory is 2,560 bytes, hooking interrupts 1C and 21. It
infects .COM and .EXE programs, including COMMAND.COM, when
they are executed. Infected programs will have a file
length increase of 2,433 to 2,448 bytes with the virus being
located at the end of the file. The file's date and time
in the DOS disk directory listing will not be altered. The
following text strings are visible within the viral code:
"TEST.EXE"
"AIDSTEST.EXE TEST"
Origin: Unknown July, 1995.
Yankee Doodle-2505: Based on the TP44VIR variant listed above,
this variant decreases total system and available free
memory by 5,408 bytes when it is resident. It hooks
interrupts 1C and 21. When resident, it will infect .COM
and .EXE programs, including COMMAND.COM, when they are
executed. Infected programs will have a file length
increase of 2,505 to 2,524 bytes with the virus being
located at the end of the file. The file's date and time
in the DOS disk directory listing will not be altered.
Origin: Unknown October, 1992.
Yankee Doodle.2561: Based on the TP44VIR variant listed above,
this variant decreases total system and available free
memory by 2,688 bytes when it is resident. It hooks
interrupts 1C and 21. When resident, it will infect .COM
and .EXE programs, including COMMAND.COM, when they are
executed. Infected programs will have a file length
increase of 2,561 to 2,575 bytes with the virus being
located at the end of the file. The file's date and time
in the DOS disk directory listing will not be altered.
Origin: Unknown July, 1995.
Yankee Doodle.2895: Received in July, 1995, this is a 2,895 byte
variant of the Yankee Doodle virus described above. It
becomes memory resident as a low system memory TSR of 5,760
bytes, hooking interrupts 1C and 21. Once resident, it
infects .COM and .EXE files, but not COMMAND.COM, when they
are executed or opened. Infected files will have a file
length increase of 2,895 bytes with the virus being located
at the end of the file. The program's date and time in the
DOS disk directory listing will not appear to be altered,
though the seconds field will have been set to "62". The
following text strings are encrypted within the viral code:
"WARLOCK"
"COMMAND.COM EXE"
Origin: Unknown July, 1995.
Yankee Doodle-2973: Based on the TP44VIR variant listed above,
this variant decreases total system and available free
memory by 3,232 bytes when it is resident. It hooks
interrupts 09, 13, and 21. When resident, it will infect
.COM and .EXE programs, including COMMAND.COM, when they are
executed. Infected programs will have a file length
increase of 2,973 to 2,986 bytes with the virus being
located at the end of the file. The file's date and time
in the DOS disk directory listing will not be altered.
Origin: Unknown October, 1992.
Yankee Doodle-B: Very similar to the Yankee Doodle virus, except
the length of the viral code is 2,772 bytes.
Yankee Doodle.Warlock: A variant of the Yankee Doodle virus, this
variant may corrupt .DBF programs when it attempts to infect
them. Its size in memory is 3,648 bytes, directly hooking
interrupts so that no interrupts will be mapped to the virus
in memory. When resident, it will infect .COM, .EXE, .DBF,
and overlay files, but not COMMAND.COM, when they are
executed or opened for any reason. Infected programs will
have a file length increase of 1,817 to 1,832 bytes with the
virus being located at the end of the file. The file's date
and time in the DOS disk directory listing will not be
altered. The following text strings are encrypted within
the viral code:
"Revenge of WARLOCK!"
"COMMAND.COM EXE OVL DBF"
Origin: Unknown May, 1994.
YD Logon-D: Received in April, 1992, YD Logon-D is a 3,045 to
3,060 byte variant of the TP44VIR variant described above.
Its size in memory is 3,312 bytes, hooking interrupts 1C and
21. It infects .COM and .EXE programs when they are
executed. Infected programs will contain the text strings
"LOGON.EXE" and "bbuG".
Origin: Unknown May, 1992.
YD Logon-E: Based on YD Logon-D, this is a minor variant, also
adding 3,045 to 3,060 bytes to the .COM & .EXE programs it
infects. Text strings found in this variant are "LOGIN.EXE"
and "bb".
Origin: Unknown May, 1992.
YD Logon-X: Another TP44VIR variant, YD Logon-X is a 2,968 to
2,987 byte variant which infects .COM and .EXE programs
when they are executed. It may corrupt programs and
overlay files as well. Its size in memory is 3,232 bytes,
hooking interrupts 09, 1C, 21, and 28.
Origin: Unknown June, 1992.
YD Logon-2967: Another TP44VIR variant, YD Logon-2967 is a 2,967
to 2,986 byte variant which infects .COM and .EXE programs
when they are executed. Infected .COM programs increase in
size by 2,973 to 2,986 bytes while .EXE programs increase in
size by 2,967 to 2,981 bytes. Its size in memory is 3,232
bytes, hooking interrupts 09, 1C, 21, and 28. It contains
the following unencrypted text string:
"LOGIN.EXE"
Origin: Unknown September, 1993.
See: Vacsina
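Added example, not part of the VSUM entry and not code from any scanner it lists: a Python triage routine that checks a file image and its DOS directory timestamp for the variant markers given above (the second-to-last "version number" byte, the unencrypted strings, the seconds field of "62" and the "4-31" date). The function names and the sample bytes are constructed for this illustration.

```python
# Added triage helper for the Yankee Doodle / TP-series indicators listed above.
# Constructed for this entry; not code from VSUM or from any antivirus product.
# Second-to-last byte of an infected file -> TP version name (from the variant list).
TP_VERSION_BYTES = {
    0x21: "TP33VIR", 0x22: "TP34VIR", 0x26: "TP38VIR", 0x29: "TP41VIR",
    0x2A: "TP42VIR", 0x2C: "TP44VIR", 0x2D: "TP45VIR", 0x2E: "TP46VIR",
}
# Unencrypted marker strings the entry lists; the encrypted ones ("WARLOCK",
# "Revenge of WARLOCK!") cannot be found by a plain byte search.
PLAINTEXT_MARKERS = {
    b"Zak!": "Yankee Doodle-1905", b"Zuh&": "Yankee Doodle.2167",
    b"LOGON.EXE": "YD Logon-D", b"LOGIN.EXE": "YD Logon-E / YD Logon-2967",
}
def decode_dos_timestamp(dos_time, dos_date):
    """Unpack 16-bit FAT time/date words into (year, month, day, hour, minute, second)."""
    second = (dos_time & 0x1F) * 2   # 5-bit field at 2-second resolution: raw 31 -> "62"
    minute = (dos_time >> 5) & 0x3F
    hour = dos_time >> 11
    day = dos_date & 0x1F
    month = (dos_date >> 5) & 0x0F
    year = 1980 + (dos_date >> 9)
    return year, month, day, hour, minute, second

def timestamp_anomalies(dos_time, dos_date):
    """Flag the directory-entry markers the entry describes (seconds 62, date 4-31)."""
    _, month, day, _, _, second = decode_dos_timestamp(dos_time, dos_date)
    findings = []
    if second == 62:
        findings.append("seconds field 62 (Yankee Doodle.2895 marker)")
    if month == 4 and day == 31:
        findings.append('date "4-31" (Yankee Doodle-2189 marker)')
    return findings

def scan_image(data, dos_time=0, dos_date=0):
    """Return indicator strings for one .COM/.EXE image plus its directory timestamp."""
    findings = []
    if len(data) >= 2 and data[-2] in TP_VERSION_BYTES:
        findings.append(f"version byte {data[-2]:02X}h -> {TP_VERSION_BYTES[data[-2]]}")
    tail = data[-4096:]  # the virus body is appended, so its strings sit near the end
    for marker, name in PLAINTEXT_MARKERS.items():
        if marker in tail:
            findings.append(f"string {marker!r} -> {name}")
    findings.extend(timestamp_anomalies(dos_time, dos_date))
    return findings

# Constructed sample: a tiny .COM host padded to TP44VIR size, ending in 2Ch (the
# TP44VIR version byte) plus one final byte, stamped 17:00 with raw seconds 31.
SAMPLE_INFECTED = b"\xE9\x00\x00" + b"\x90" * 2897 + b"\x2C\x00"
SAMPLE_TIME = (17 << 11) | 31
SAMPLE_DATE = ((1995 - 1980) << 9) | (7 << 5) | 15  # 1995-07-15
```

A version-byte match on its own is weak evidence, since every file has some byte in that position; the per-variant file-length growth given in the entry is the corroborating check.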