I-B Virus
Virus Name: I-B
Aliases: Milan
V Status: Viron
Discovered: May, 1991
Symptoms: .COM program corruption; system hangs; hard disk corruption;
message; file date/time change
Origin: Italy
Eff Length: 265, 272, or 451 Bytes
Type Code: ONCK - Overwriting Non-Resident .COM Infector
Detection Method: ViruScan, F-Prot, Sweep, AVTK, ChAV,
NAV, IBMAV, NAVDX, VAlert, PCScan,
NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N,
NAV/N, IBMAV/N
Removal Instructions: Delete infected files
General Comments:
The I-B virus is actually a group of three viruses which were
received from Europe in May, 1991. These viruses originated in
Italy, and are very closely related. All of them are non-resident
overwriting viruses which infect .COM files, including COMMAND.COM.

When an I-B virus is executed, it will infect all .COM programs in
the current directory. Programs which have been infected will
have the beginning of the program overwritten with the viral code.
The number of bytes overwritten will vary, depending on which
variant is present. Infected programs may also have their date
and time in the disk directory updated to the system date and time
when infection occurred. See below for specifics of each variant.

I-B viruses activate based on the day of the week. If all of the
.COM programs in the current directory are infected, and the
day of the week is the day being checked for by the virus, they
activate. Two of the variants will overwrite the first 160 sectors
of the C: drive; the third variant will just hang the system.
Known variant(s) of I-B are:
BadGuy: BadGuy is a 265 byte variant of I-B. It overwrites the
first 265 bytes of infected .COM programs. Infected
programs will have their file date and time in the disk
directory updated to the system date and time of infection.
BadGuy activates on Mondays, when it will hang the system.
Text strings found in programs infected with the BadGuy
variant of I-B are:
"BadGuy Virus (c) by Cracker Jack 1991 (IVRL)"
"Italian Virus Research Laboratory (C) 1990,1991"
"IVRL Head Quarter, Milan Italy"
"*.COM"
BadGuy 2: BadGuy 2, or Crackpot 208, is a 208 byte variant
of I-B. It is a bug-fix version of BadGuy in which the bug
that causes the system hang when BadGuy activates has been
fixed. BadGuy 2 infects all .COM files in
the current directory when an infected program is executed,
overwriting the first 208 bytes. The infected files' date
and time in the disk directory will be updated to the
system date and time of infection. On Mondays, BadGuy 2
activates and will display the following message whenever
an infected program is executed:
"New BadGuy Virus - (c) by Cracker Jack 1991
IVRL Head Quarter Milan Italy"
This message cannot be found in infected programs as it
is encrypted.
Origin: Italy, August 1991
Demon: Demon is a 272 byte variant of I-B, and is the most
advanced of the known variants in this family. It overwrites
the first 272 bytes of infected .COM programs. Infected
programs will have no change to their date and time in the
DOS disk directory. Demon activates on Tuesday, at which
time it will display the following message and overwrite
the first 160 sectors of the system hard disk:
"Error eating drive C:"
Other text strings which can be found in programs infected
with Demon are:
"Demonhyak Viri X.X (c) by Cracker Jack 1991 (IVRL)"
"*.COM"
Demon-B: Demon-B is a minor variant of the Demon variant of
I-B. It has five bytes which differ from the original
Demon variant.
Demon-C: Demon-C is a 263 byte variant of I-B, and is based on the
Demon virus. It overwrites the first 263 bytes of all .COM
programs in the current directory when an infected program
is executed. Demon-C contains the following text strings
within its viral code:
"*.COM"
"Error reading drive C:"
"BillMeTuesday!"
"EXEC failure"
"\COMMAND.C0M"
"\COMMAND.COM"
Origin: Unknown October, 1992.
Exterminator: Exterminator is a 451 byte variant of I-B, and
appears to be the earliest variant in this family.
Exterminator overwrites the first 451 bytes of infected
files. Infected programs will have their file date and time
updated to the system date and time when infection occurred.
Exterminator activates on Mondays, when it will display the
following message and overwrite the first 160 sectors of the
C: drive:
"Exterminator Virus 1.0 (c) by Cracker Jack 1991 (IVRL)
No panic...this is a Harmless Virus..."
Other text strings which can be found in infected programs
are:
"Exterminator 1.0 - (c) by Cracker Jack 1991 (IVRL)"
"Italian Virus Research Laboratory (C) 1990,1991"
"Message to Virus Researchers:
Non rompetemi le palle o mi arrabbio...
non so se sono stato abbastanza chiaro....."
Origin: Italy May, 1991.
Milan.Verbatim: Milan.Verbatim is a 289 byte variant of the I-B
virus described above. It overwrites the first 289 bytes of
infected files. The infected file's date and time in the DOS
disk directory listing will not be altered. The following
text strings can be found in infected programs:
"*.COM"
"Verbatim Corporation, Sunnyvale, California U.S.A. Bad
command or file name"
Verbatim Corporation is not connected with the writing or
release of this virus.
Origin: Unknown January, 1995.
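
A scan built from the strings and overwrite lengths listed above, as an added example that is not part of the original entry: because I-B overwrites the start of each .COM file, a marker only counts when it lies inside the variant's overwritten region. BadGuy 2 is left out because its message is encrypted in infected files; the function names are illustrative and the sample files are constructed and contain no viral code.

```python
import os
import tempfile

# variant -> (bytes overwritten at file start, marker strings quoted in this entry)
# BadGuy 2 is omitted: the entry says its message is encrypted in infected files.
VARIANTS = {
    "BadGuy": (265, [b"BadGuy Virus (c) by Cracker Jack 1991 (IVRL)"]),
    "Demon": (272, [b"Error eating drive C:"]),
    "Demon-C": (263, [b"BillMeTuesday!", b"\\COMMAND.C0M"]),
    "Exterminator": (451, [b"Exterminator 1.0 - (c) by Cracker Jack 1991 (IVRL)"]),
    "Milan.Verbatim": (289, [b"Verbatim Corporation, Sunnyvale, California U.S.A."]),
}
MAX_LEN = max(length for length, _ in VARIANTS.values())

def classify(head: bytes):
    """Return the variant whose marker lies inside its overwritten region, else None."""
    for name, (length, markers) in VARIANTS.items():
        region = head[:length]
        if any(m in region for m in markers):
            return name
    return None

def scan_dir(path: str) -> dict:
    """Map each .COM file in path (non-recursive) to a variant name or None."""
    results = {}
    for entry in sorted(os.listdir(path)):
        full = os.path.join(path, entry)
        if entry.upper().endswith(".COM") and os.path.isfile(full):
            with open(full, "rb") as fh:
                results[entry] = classify(fh.read(MAX_LEN))
    return results

def demo() -> dict:
    """Constructed samples: marker text padded with filler bytes, no viral code."""
    marker = VARIANTS["Exterminator"][1][0]
    samples = {
        "CLEAN.COM": b"\x90" * 600,
        "HIT.COM": (b"\x00" * 100 + marker).ljust(451, b"\x00") + b"\x90" * 200,
        # Marker far past the overwritten region, e.g. a program that merely quotes it.
        "LATE.COM": b"\x90" * 2000 + marker,
    }
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        return scan_dir(d)

if __name__ == "__main__":
    print(demo())
```

A hit means the original program bytes in that region are gone, which is why the entry's removal instruction is to delete infected files.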