IVP Virus
Virus Name: IVP
Aliases: Bubbles
V Status: Rare
Discovered: December, 1992
Symptoms: .COM & .EXE file growth; message
Origin: United States
Eff Length: 684 Bytes
Type Code: PNA - Parasitic Non-Resident .COM & .EXE Infector
Detection Method: F-Prot, ViruScan, AVTK, Sweep, IBMAV, NAV,
NAVDX, VAlert, PCScan,
NShld, Sweep/N, AVTK/N, IBMAV/N, NAV/N, NProt
Removal Instructions: Delete infected files
General Comments:
The IVP virus generation program was submitted in December, 1992,
along with the Bubbles virus, which was generated by the program.
IVP is not a virus, but a generator of non-resident direct action
viruses which can infect .COM and/or .EXE files, as well as
possibly COMMAND.COM. While the program was intended to also be
able to generate overwriting viruses, that function does not
produce working code. The IVP program can produce encrypted
viruses, with a random number of NOP instructions placed in two
areas of the decryption routine in an attempt to elude simple
search string scanning techniques. The NOPs aren't a real problem,
and it is very simple to generate a generic detection string for
viruses created with IVP. The information below is for the Bubbles
virus which was received with the IVP program. It may not match
copies of the Bubbles virus which are regenerated with the program.
The Bubbles virus is a non-resident, direct action infector
of .COM and .EXE programs, but not COMMAND.COM. It infects all
of the .COM and .EXE programs located in the current directory
when an infected program is executed. It also contains some code
to move up one directory in the disk directory structure. Programs
infected with the Bubbles virus will have a file length increase of
684 bytes with the virus being located at the end of the file. The
program's date and time in the DOS disk directory structure will
not be altered. The following text strings are encrypted within
the viral code:
"Bubbles Virus"
"Admiral Bailey"
"[IVP]"
"*.com *.exe .."
The first three of these text strings will be displayed by the
virus when an infected program is executed. Bubbles doesn't do
anything besides display its message and replicate to other files.
Known virus(es) created with IVP are:
Crystal: Received in June, 1993, Crystal is a 699 byte virus
which appears to have been created with the IVP program.
Crystal is a non-resident, direct action infector of .COM
and .EXE programs, including COMMAND.COM. It infects one to
many .COM and .EXE programs located in the current directory
when an infected program is executed. Infected programs will
have a file length increase of 699 bytes with the virus being
located at the end of the file. The program's date and time
in the DOS disk directory listing will not be altered. The
virus attempts to display the message indicated below when an
infected program is executed, however it usually display
jumbled characters accompanied by beeping on most systems:
"CrystalSoso ManLove is for suckers"
"[IVP]"
The above text is encrypted within the viral code, as is the
following additional text string:
"*.com *.exe .."
Origin: Oklahoma, USA June 1993.
IVP Example 1: Received in July, 1993, IVP Example 1 is a 351
byte virus which was created with the IVP program. It is a
non-resident, direct action infector of .COM programs, but not
COMMAND.COM. It infects all of the .COM programs located in
the current directory when an infected program is executed.
Infected programs will have a file length increase of 351
bytes with the virus being located at the end of the file.
The program's date and time in the DOS disk directory listing
will not be altered. The virus displays the message
"Test Tim" with beeping on the system speaker. The following
text strings are visible within the viral code in all infected
programs:
"Test"
"Tim"
"[IVP]"
"*.com .."
Origin: Unknown July 1993.
IVP Example 2: Received in July, 1993, IVP Example 2 is a 544
byte virus which was created with the IVP program. It is a
non-resident, direct action infector of .EXE programs. It
infects all of the .EXE programs located in the current
directory when an infected program is executed. Infected
programs will have a file length increase of 544 bytes with
the virus being located at the end of the file. The program's
date and time in the DOS disk directory listing will not be
altered. The virus displays the message "Test Tim [IVP".
The following text strings are encrypted within the viral
code in all infected programs:
"Test"
"Tim"
"*.exe .."
"Disk full!"
Origin: Unknown July 1993.
IVP.365: Received in May, 1995, IVP.365 is a 365 byte overwriting
virus. It infects all of the .COM and .EXE files located in
the current directory when an infected program is executed.
Infected files will have the first 365 bytes overwritten by
the viral code. The file's date and time in the DOS disk
directory listing will have been changed to "08-03-0107 12:16a"
or "08-03-0107 12:16a". The following text strings are
encrypted within the viral code and are displayed on the
system monitor when an infected program is executed:
"DJ Conner - But, I Want To Be A Witch!
MuTaTiON INTERRUPT
[NOVEMBER 1994]
But: I want to be a Witch! - DJ Conner-"
Origin: Unknown May, 1995.
IVP.811: Received in May, 1995, IVP.811 is a 811 byte parasitic
virus. It infects all of the .COM and .EXE files located in
the current directory when an infected program is executed.
Infected files will have a file length increase of 811 bytes
with the virus being located at the end of the file. The
file's date and time in the DOS disk directory listing will
not be altered. The following text strings are encrypted
within the viral code:
"Skanky Soso ManBlow me you skanky bitch!"
"You got enough mold in that pussy to make bread!"
"*.com *.exe .."
Infected programs will not function properly, usually
displaying characters from memory on the system display,
accompanied by beeping.
Origin: Unknown May, 1995.
IVP.Angry Samoans: Received in July, 1994, IVP.Angry Samoans is a
668 byte virus which was created with the IVP program. It is
a non-resident, direct action infector of .EXE files. It
infects all of the .EXE programs located in the current
directory when an infected program is executed. Infected files
will have a file length increase of 668 bytes with the virus
being located at the end of the file. The program's date and
time in the DOS disk directory listing will not be altered.
The following text strings are visible within the viral code:
"tHE aNGrY SaMoANs !!!"
"RiverBoTToM"
"*.exe .."
Origin: Unknown July 1994.
IVP.April Showers: Received in June, 1994, IVP.April Showers is a
1,676 byte virus which was created with the IVP program. It is
a non-resident, direct action infector of .COM and .EXE files,
including COMMAND.COM. It infects all of the .EXE programs
located in the current directory when an infected program is
executed. If all of the .EXE programs were previously
infected, it will proceed to infect all of the .COM files in
the current directory. Infected programs will have a file
length increase of 1,676 bytes with the virus being located at
the end of the file. The program's date and time in the DOS
disk directory listing will not be altered. The virus attempts
to display a message, though it usually results in the display
of characters from memory. The following text strings are
encrypted within the viral code:
"Virii Production by a MoM Personell"
"Virus: April-Showers"
"Type: Appends *.Com *.Exe"
"Created: 03-08-1994"
"Effect: Destroys data"
"Size: Enlarges files by 1.6k"
Origin: Unknown June 1994.
IVP.Darlene: Received in May, 1995, IVP.Darlene is a 632 byte
parasitic virus which appears to have been created with the
IVP program. It infects all of the .COM and .EXE files in
the current directory, but not COMMAND.COM, when an infected
program is executed, as well as displaying the following
message:
"Darlene Conner - Basketball Anyone?
MuTaTiON INTERRUPT
[NOVEMBER 1994]"
Infected files will have a file length increase of 632 bytes
with the virus being located at the end of the file. The
program's date and time in the DOS disk directory listing
will not be altered. The text strings from the message
displayed by the virus are visible within the viral code as
is the following additional text string:
"*.com *.exe ..".
Origin: Unknown May, 1995.
IVP.DNA: Received in May, 1995, IVP.DNA is a 701 byte parasitic
virus which appears to have been created with the IVP program.
It infects all of the .COM and .EXE files in the current
directory, including COMMAND.COM, when an infected program is
executed. The following text strings are visible within the
viral code, and the first may be displayed as a message:
"DNA.V1Genetically altering Cyberspace..."
"*.com *.exe .."
Infected files will have a file length increase of 701 bytes
with the virus being located at the end of the file. The
program's date and time in the DOS disk directory listing
will not be altered.
Origin: Unknown May, 1995.
IVP.Executor.A: Received in May, 1995, IVP.Executor.A is a 429
byte parasitic virus which appears to have been created with
the IVP program. It infects all of the .EXE files in the
current directory when an infected program is executed, as
well as displaying the following message:
"Executor A Edition
Italian Viral Labs
[IVLK]"
Infected files will have a file length increase of 429 bytes
with the virus being located at the end of the file. The
program's date and time in the DOS disk directory listing
will not be altered. The text strings from the message
displayed by the virus are visible within the viral code as
is the following additional text string:
"*.exe".
Origin: Italy May, 1995.
IVP.Executor.B: Received in May, 1995, IVP.Executor.B is a 473
byte parasitic virus which appears to have been created with
the IVP program. It infects all of the .EXE files in the
current directory when an infected program is executed, as
well as displaying the following message:
"Executor B Edition
Italian Viral Labs
[IVLK]"
Infected files will have a file length increase of 473 bytes
with the virus being located at the end of the file. The
program's date and time in the DOS disk directory listing
will not be altered. The text strings from the message
displayed by the virus are visible within the viral code as
is the following additional text string:
"*.exe".
Origin: Italy May, 1995.
IVP.Executor.C: Received in May, 1995, IVP.Executor.C is a 507
byte parasitic virus which appears to have been created with
the IVP program. It infects all of the .EXE files in the
current directory when an infected program is executed, as
well as displaying the following message:
"Executor C Edition
Italian Viral Labs
[IVLK]"
Infected files will have a file length increase of 507 bytes
with the virus being located at the end of the file. The
program's date and time in the DOS disk directory listing
will not be altered. The text strings from the message
displayed by the virus are visible within the viral code as
is the following additional text string:
"*.exe".
Origin: Italy May, 1995.
IVP.Executor.D: Received in May, 1995, IVP.Executor.D is a 583
byte parasitic virus which appears to have been created with
the IVP program. It infects all of the .EXE files in the
current directory when an infected program is executed, as
well as displaying the following message:
"Executor D Edition
Italian Viral Labs
[IVLK]"
Infected files will have a file length increase of 583 bytes
with the virus being located at the end of the file. The
program's date and time in the DOS disk directory listing
will not be altered. The text strings from the message
displayed by the virus are encrypted within the viral code as
is the following additional text string:
"*.exe".
Origin: Italy May, 1995.
IVP.Executor.E: Received in May, 1995, IVP.Executor.E is a 460
byte parasitic virus which appears to have been created with
the IVP program. It infects all of the .EXE files in the
current directory when an infected program is executed, as
well as displaying the following message:
"Executor Delux Edition
Italian Viral Labs
[IVP]"
Infected files will have a file length increase of 460 bytes
with the virus being located at the end of the file. The
program's date and time in the DOS disk directory listing
will not be altered. The text strings from the message
displayed by the virus are visible within the viral code as
is the following additional text string:
"*.exe".
Origin: Italy May, 1995.
IVP.Hot Zone: Received in May, 1996, this is a 652 byte virus
which appears to have been created with the IVP program. It
infects all of the .EXE files in the current directory when
an infected program is executed. Infected programs will have
a file length increase of 652 bytes with the virus being
located at the end of the file. The program's date and time
in the DOS disk directory listing will not be altered. The
following text strings are visible within the viral code:
"HOT ZONE 4ceMpIrE-X"
"somehing is growing inside!"
"And your not going to like it!"
"[IVP]"
The last three text strings above are displayed by the virus
as a message, accompanied by a shooting sound being emitted on
the system speaker.
Origin: Unknown May, 1996.
IVP.Infesto.A: Received in May, 1995, IVP.Infesto.A is a 522
byte parasitic virus which appears to have been created with
the IVP program. It infects all of the .COM and .EXE files in
the current directory when an infected program is executed,
as well as displaying the following message:
"Infesto A Edition
Italian Viral Labs
[IVP]"
Infected files will have a file length increase of 522 bytes
with the virus being located at the end of the file. The
program's date and time in the DOS disk directory listing
will not be altered. The text strings from the message
displayed by the virus are visible within the viral code as
is the following additional text string:
"*.com *.exe".
This virus also infects COMMAND.COM.
Origin: Italy May, 1995.
IVP.Infesto.B: Received in May, 1995, IVP.Infesto.B is a 561
byte parasitic virus which appears to have been created with
the IVP program. It infects all of the .COM and .EXE files in
the current directory when an infected program is executed,
as well as displaying the following message:
"Infesto B Edition
Italian Viral Labs
[IVP]"
Infected files will have a file length increase of 561 bytes
with the virus being located at the end of the file. The
program's date and time in the DOS disk directory listing
will not be altered. The text strings from the message
displayed by the virus are visible within the viral code as
is the following additional text string:
"*.com *.exe ..".
This virus also infects COMMAND.COM.
Origin: Italy May, 1995.
IVP.Infesto.C: Received in May, 1995, IVP.Infesto.C is a 604
byte parasitic virus which appears to have been created with
the IVP program. It infects all of the .COM and .EXE files in
the current directory when an infected program is executed,
as well as displaying the following message:
"Infesto C Edition
Italian Viral Labs
[IVP]"
Infected files will have a file length increase of 604 bytes
with the virus being located at the end of the file. The
program's date and time in the DOS disk directory listing
will not be altered. The text strings from the message
displayed by the virus are visible within the viral code as
is the following additional text string:
"*.com *.exe ..".
This virus also infects COMMAND.COM.
Origin: Italy May, 1995.
IVP.Infesto.D: Received in May, 1995, IVP.Infesto.D is a 679
byte parasitic virus which appears to have been created with
the IVP program. It infects all of the .COM and .EXE files in
the current directory when an infected program is executed,
as well as displaying the following message:
"Infesto D Edition
Italian Viral Labs
[IVP]"
Infected files will have a file length increase of 679 bytes
with the virus being located at the end of the file. The
program's date and time in the DOS disk directory listing
will not be altered. The text strings from the message
displayed by the virus are encrypted within the viral code as
is the following additional text string:
"*.com *.exe ..".
This virus also infects COMMAND.COM.
Origin: Italy May, 1995.
IVP.Infesto.E: Received in May, 1995, IVP.Infesto.E is a 697
byte parasitic virus which appears to have been created with
the IVP program. It infects all of the .COM and .EXE files in
the current directory when an infected program is executed,
as well as displaying the following message:
"Infesto DeLuxe Edition
Italian Viral Labs
[IVP]"
Infected files will have a file length increase of 697 bytes
with the virus being located at the end of the file. The
program's date and time in the DOS disk directory listing
will not be altered. The text strings from the message
displayed by the virus are encrypted within the viral code as
is the following additional text string:
"*.com *.exe ..".
This virus does not infect COMMAND.COM.
Origin: Italy May, 1995.
IVP.Roseanne: Received in May, 1995, IVP.Roseanne is a 719
byte parasitic virus which appears to have been created with
the IVP program. It infects all of the .COM and .EXE files in
the current directory when an infected program is executed,
as well as displaying the following message:
"Roseanne Conner - Ya! Fuck You Too...
MuTaTiON INTERRUPT
[NOVEMBER 1994]"
Infected files will have a file length increase of 719 bytes
with the virus being located at the end of the file. The
program's date and time in the DOS disk directory listing
will not be altered. The text strings from the message
displayed by the virus are encrypted within the viral code as
is the following additional text string:
"*.com *.exe ..".
This virus does not infect COMMAND.COM.
Origin: Unknown May, 1995.
IVP.Taselhoff: Received in April, 1994, IVP.Taselhoff is a 375
byte virus which was created with the IVP program. It is a
non-resident, direct action infector of .COM programs,
including COMMAND.COM. It infects all of the .COM programs
located in the current directory when an infected program is
executed. Infected programs will have a file length increase
of 375 bytes with the virus being located at the end of the
file. The program's date and time in the DOS disk directory
listing will not be altered. The virus attempts to display
a message with beeping on the system speaker, though it usually
results in the display of characters from memory. The
following text strings are visible within the viral code in all
infected programs:
"Eddie has returned on tour (1993)"
"Author : Taselhoff"
"Fuck you arsehole c:\command.con *.com"
This virus will also create a file "COMMAND.CON" in the C:
drive root directory. This file will be 21 bytes in length
and will contain the following text string:
"c:\command.con *.com"
Origin: Unknown April 1994.
IVP-Ozzy: Received in January, 1994, IVP-Ozzy is a 426 byte virus
which appears to have been created with the IVP program.
IVP-Ozzy is a non-resident, direct action infector of .COM
programs, including COMMAND.COM. It infects all of the .COM
located in the current directory when an infected program is
executed. Infected programs will have a file length increase
of 426 bytes with the virus being located at the end of the
file. The program's date and time in the DOS disk directory
listing will not be altered. The following text string is
encrypted within the IVP-Ozzy viral code:
"*^ OZZY ^*^ -- Yeew duh-meE iTs ReeEl!! [kR]*.com"
Origin: Unknown January 1994.
IVP.Walky: Received in July, 1994, IVP.Walky is a 324 byte virus
which appears to have been created with the IVP program.
IVP.Walky is a non-resident, direct action infector of .COM
programs, but not COMMAND.COM. It infects all of the .COM
located in the current directory when an infected program is
executed. Infected programs will have a file length increase
of 324 bytes with the virus being located at the end of the
file. The program's date and time in the DOS disk directory
listing will not be altered. The following text strings are
visible within the viral code in all infected programs:
"Walky Virus Replicom Edition"
"Italian Viral Labs"
"[IVLK]"
"*.com"
Execution of infected programs may result in the first three
text strings indicated above being displayed as a message on
the system display.
Origin: Italy July 1994.
IVP-S2DD: Received in May, 1993, IVP-S2DD is a 763 byte virus
which appears to have been created with the IVP program.
IVP-S2DD is a non-resident, direct action infector of .COM
and .EXE programs, including COMMAND.COM. It infects all of
the .COM and .EXE programs located in the current directory
when an infected program is executed. Infected programs will
have a file length increase of 763 bytes with the virus being
located at the end of the file. The program's date and time
in the DOS disk directory listing will not be altered. The
IVP-S2DD virus will display the following message, along with
three beeps on the system speaker, when an infected program
is executed:
"Enjoy The Most Advanced Virus Known To Man!!!!!"
"[IVP]"
At this time, the virus may also trash the first few cylinders
of the system hard disk. The above text is encrypted within
the viral code, as are the following additional text strings"
"Slut2Death Dealer"
"*.com *.exe .."
Origin: Unknown May 1993.
IVP-Tuesday: Received in June, 1993, IVP-Tuesday is an 822 byte
virus which appears to have been created with the IVP
program. IVP-Tuesday is a non-resident, direct action
infector of .COM and .EXE programs, including COMMAND.COM. It
infects all of the .COM and .EXE programs located in the
current directory when an infected program is executed.
Infected programs will have a file length increase of 822
bytes with the virus being located at the end of the file.
The file's date and time in the DOS disk directory listing
will not be altered. The virus attempts to display the
message indicated below when an infected program is executed,
however it usually display jumbled characters on most systems:
"GOOD BYE RUBY TUESDAY, WHO COULD HANG A FAX ON YOU?"
"[IVP]"
The above text is encrypted within the viral code, as are the
following additional text strings:
"Tuesday Jesus"
"*JESUS* MAKER OF FINE VIRII
MEMBER OF JDIV (JESUS DIED IN VAIN)"
"*.com *.exe .."
Origin: Unknown June 1993.
Kubla Kahn: Received in January, 1994, Kubla Kahn is a 644 byte
virus which was created with the IVP program. It is a
non-resident, direct action infector of .COM and .EXE programs,
but not COMMAND.COM. It infects all of the .COM and .EXE
programs located in the current directory when an infected
program is executed. Infected programs will have a file length
increase of 644 bytes with the virus being located at the end
of the file. The program's date and time in the DOS disk
directory listing will not be altered. The virus displays
characters from memory, accompanied by beeping on the system
speaker, when some infected programs are executed. Other
programs will return the user to the DOS prompt, or receive
the message "Error in EXE file. The following text string
is encrypted within the viral code in all infected programs:
"*.com *.exe .."
Origin: Unknown January 1994.
SiloDeath: Received in April, 1993, SiloDeath is a 734 byte virus
which appears to have been created with the IVP program.
SiloDeath is a non-resident, direct action infector of .COM
and .EXE programs, including COMMAND.COM. It infects several
.COM and .EXE programs located in the current directory when
an infected program is executed. Infected programs will have
a file length increase of 734 bytes with the virus being
located at the end of the file. The program's date and time
in the DOS disk directory listing will not be altered. The
SiloDeath virus will attempt to display the following message,
followed by a system hang, when an infected program is
executed:
"Legalize Today-Get High Tonight"
"[IVP]"
At this time, the virus may also trash the first few cylinders
of the system hard disk. Besides the above text, the
following text strings can be found within the viral code in
SiloDeath infected programs:
"SiloDeath Dealer"
"*.com *.exe .."
Origin: Unknown April 1993.
Sleeper: Received in June, 1993, Sleeper is a 1,017 byte virus
which appears to have been created with the IVP program.
Sleeper is a non-resident, direct action infector of .COM
and .EXE programs, including COMMAND.COM. It infects all of
the .COM and .EXE programs located in the current directory
when an infected program is executed. Infected programs will
have a file length increase of 1,017 bytes with the virus
being located at the end of the file. The file's date and
time in the DOS disk directory listing will not be altered.
The following text is encrypted within the viral code:
"Sleeper"
"Dark Lord"
"I Just Fucked Your Hard Drive Over!!"
"Yet Another Victim Of The Sleeper!!"
"It is Amazing What a Student Of The Dark Avenger Can Do!!"
"Made In The City Of Sofia. Another Fine DOOM Product!!!"
"Amy Sucks My Dick Twice A Day!!"
"Erv Is a Pimp!"
"Stay Tuned Untill The Next Release By DOOM!!"
"Bye Bye!!"
"[DOOM]"
"*.com *.exe .."
Origin: Unknown June 1993.
Swank: Received in February, 1993, Swank is a 789 byte virus
which appears to have been created with the IVP program.
Swank is a non-resident, direct action infector of .COM and
.EXE programs, including COMMAND.COM. It infects all of the
.COM and .EXE programs located in the current directory when
an infected program is executed. Infected programs will have
a file length increase of 789 bytes with the virus being
located at the end of the file. The program's date and time
in the DOS disk directory listing will not be altered. The
Swank virus will attempt to display the following message,
followed by a system hang, when an infected program is
executed:
"Slut3Death Dealer"
"Enjoy The Most Advanced Virus Known To Man!!!!!"
"[IVP]"
The message is encrypted within the viral code, as is the
following additional text string:
"*.com *.exe .."
Origin: Unknown February 1993.
Yeah: Received in August, 1993, Yeah is a 663 byte virus which
appears to have been created with the IVP program. Yeah is
a non-resident, direct action infector of .COM and .EXE
programs, including COMMAND.COM. It infects all of the .COM
and .EXE programs located in the current directory when an
infected program is executed. Infected programs will have
a file length increase of 663 bytes with the virus being
located at the end of the file. The program's date and time
in the DOS disk directory listing will not be altered. The
Yeah virus will display the following message when an infected
program is executed:
"POOP"
"YEAH RIGHT"
"[IVP]"
The message is encrypted within the viral code, as is the
following additional text string:
"*.com *.exe .."
Programs infected with Yeah may not function properly.
Origin: Unknown August 1993.
See: Wild Thing 2