YB.Old Scribe Virus
Virus Name: YB.Old Scribe
Aliases:
V Status: New
Discovered: February, 1994
Symptoms: .COM file growth; programs fail to function properly;
screen cleared on mono systems; write protect errors
Origin: Sweden
Eff Length: 8,588 Bytes
Type Code: PNCK - Parasitic Non-Resident .COM Infector
Detection Method: F-Prot, AVTK, IBMAV, ViruScan, Sweep, NAVDX, VAlert,
NAV, PCScan, ChAV,
AVTK/N, Sweep/N, IBMAV/N, NShld, NAV/N, LProt, Innoc 4.0+
Removal Instructions: Delete infected files
General Comments:
The YB.Old Scribe virus was submitted in February, 1994. It appears
to be from Sweden. This virus is a non-resident, direct action
infector of .COM programs, including COMMAND.COM.
When a program infected with the YB.Old Scribe virus is executed,
this virus will infect all of the .COM programs located in the
current directory. The user will then be returned to the DOS
prompt.
Programs infected with the YB.Old Scribe virus will have a file
length increase of 8,588 bytes with the virus being located at the
end of the file. The program's date and time in the DOS disk
directory listing will not be altered. The following text strings
are visible within the viral code in all infected programs:
"(c) MicroSoft 1994"
"Old Scribe by Nostradamus [NuKE''94]*.?OM"
"?????????OM?"
Needless to say, Microsoft Corporation is not connected with the
creation of this virus.
Known variant(s) of YB.Old Scribe are:
YB.299: Like the YB virus described above, YB.299 infects all of
the .COM programs in the current directory when an infected
program is executed. Infected programs will have a file
length increase of 299 bytes with the virus being located at
the end of the file. The program's date and time in the
DOS disk directory listing will not be altered. The following
text strings are visible within the viral code:
"INSERT YOUR NAME HERE *.?OM"
"?????????OM?"
Origin: Unknown July, 1995.
YB.299.B: Similar to the YB.299 variant, this variant is
functionally similar. Four bytes differ from the YB.299
variant.
Origin: Unknown January, 1996.
YB.316: Like the YB virus described above, YB.316 infects all of
the .COM programs in the current directory when an infected
program is executed. Infected programs will have a file
length increase of 316 bytes with the virus being located at
the end of the file. The program's date and time in the
DOS disk directory listing will not be altered. The following
text strings are visible within the viral code:
"Silent Runner by Nostradamus [NuKE'94]*.?OM"
"?????????OM?"
Origin: Unknown January, 1995.
YB.325: Like the YB virus described above, YB.325 infects all of
the .COM programs in the current directory when an infected
program is executed. Infected programs will have a file
length increase of 325 bytes with the virus being located at
the end of the file. The program's date and time in the
DOS disk directory listing will not be altered. The following
text strings are visible within the viral code:
"AV Funkware Evaluation League of [NuKE'94]*.c?m"
"????????C?M?"
Infected programs will not function properly, returning the
user to the DOS prompt.
Origin: Unknown January, 1996.
YB.425: Like the YB virus described above, YB.425 infects all of
the .COM programs in the current directory when an infected
program is executed. Infected programs will have a file
length increase of 425 bytes with the virus being located at
the end of the file. The program's date and time in the
DOS disk directory listing will not be altered. The following
text strings are visible within the viral code:
"YB-1 & Handsome Dick Manitoba / K”hntark*.COM"
"????????COM?"
Origin: Unknown January, 1996.
YB.426.B: Like the YB virus described above, YB.426.B infects
all of the .COM programs in the current directory when an
infected program is executed. Infected programs will have a
file length increase of 426 bytes with the virus being
located at the end of the file. The program's date and time
in the DOS disk directory listing will not be altered. The
following text strings are visible within the viral code:
"*.COM"
"????????COM?"
Origin: Unknown January, 1996.
YB.466: Like the YB virus described above, YB.466 infects all of
the .COM programs in the current directory when an infected
program is executed. Infected programs will have a file
length increase of 466 bytes with the virus being located at
the end of the file. The program's date and time in the
DOS disk directory listing will not be altered. The following
text strings are visible within the viral code:
"YB-1 & Handsome Dick Manitoba / K”hntark*.COM"
"????????COM?"
Origin: Sweden July, 1994.
YB.647: Like the YB virus described above, YB.647 infects all of
the .COM programs in the current directory when an infected
program is executed. Infected programs will have a file
length increase of 647 bytes with the virus being located at
the end of the file. The program's date and time in the
DOS disk directory listing will not be altered. The following
text strings are visible within the viral code:
"YB-2 / K”hntark*.COM"
"????????COM?"
Origin: Sweden July, 1994.