PS-MPC Virus


 Virus Name:  PS-MPC 
 Aliases:     see Viruses listed below 
 V Status:    Rare 
 Discovery:   August, 1992 
 Symptoms:    Varies depending on virus present 
 Origin:      United States 
 Eff Length:  Varies depending on virus present 
 Type Code:   PONAK - Parasitic & Overwriting Non-Resident Program Infector 
 Detection Method:  F-Prot, AVTK, Sweep, IBMAV, ViruScan, NAV, 
                    NAVDX, VAlert, PCScan, ChAV, 
                    Sweep/N, AVTK/N, NShld, NAV/N, NProt, IBMAV/N, Innoc, 
                    LProt 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       PS-MPC is a virus code generation program developed by Phalcon/Skism 
       during the summer of 1992.  It appears to be their response to the 
       VCL virus generator from Nowhere Man of Nuke.
 
       The viruses listed below are submitted viruses which appear to have
       been originally generated, at least in part, with the PS-MPC
       generator.
 
       The 644 and Walkabout viruses below have been found in the 
       wild in the United States and Canada. 
 
       Known viruses which were created with PS-MPC are: 
       7% Solution: Received in October, 1993, this virus is a 599 byte 
                 memory resident infector of .COM and .EXE programs, 
                 including COMMAND.COM.  It becomes memory resident at the 
                 top of system memory but below the 640K DOS boundary when 
                 the first infected program is executed, hooking interrupt 
                 21.  Total system and available free memory, as indicated 
                 by the DOS CHKDSK program, will have decreased by 2,048 
                 bytes.  Once resident, it infects .COM and .EXE programs 
                 when they are executed.  Infected programs will have a file 
                 length increase of 599 bytes with the virus being located 
                 at the end of the file.  The following text string is 
                 encrypted within the viral code: 
                 "The 7% Solution" 
                 The 7% Solution virus may corrupt system CMOS. 
                 Origin:  Unknown  October, 1993. 
       7% Solution 2.0: Received in February, 1994, this virus is a 672 
                 byte memory resident infector of .COM and .EXE programs, 
                 including COMMAND.COM.  It becomes memory resident at the 
                 top of system memory but below the 640K DOS boundary when 
                 the first infected program is executed, hooking interrupt 
                 21.  Total system and available free memory, as indicated by 
                 the DOS CHKDSK program, will have decreased by 2,048 bytes. 
                 Once resident, it infects .COM and .EXE programs when they 
                 are executed.  Infected programs will have a file length 
                 increase of 672 bytes with the virus being located at the 
                 end of the file.  The following text string is encrypted 
                 within the viral code: 
                 "The 7% Solution 2.0" 
                 This virus may corrupt system CMOS, resulting in all devices 
                 and the system date/time being uninstalled, disabled, or 
                 reset to a default value. 
                 Origin:  Sweden  February, 1994. 
       7% Solution 3.0: Received in December, 1993, this virus is a 918 
                 byte memory resident infector of .COM and .EXE programs, 
                 including COMMAND.COM.  It becomes memory resident at the 
                 top of system memory but below the 640K DOS boundary when 
                 the first infected program is executed, hooking interrupts 
                 01 and 03.  Total system and available free memory, as 
                 indicated by the DOS CHKDSK program, will have decreased by 
                 1,024 bytes.  Once resident, it infects .COM and .EXE 
                 programs when they are executed.  Infected programs will 
                 have a file length increase of 918 bytes with the virus 
                 being located at the end of the file, though the file length 
                 increase will be hidden when the virus is memory resident. 
                 The following text strings are encrypted within the viral 
                 code: 
                 "The root directory of the current drive has" 
                 "been destroyed by the 7% Solution 3.0 virus" 
                 Origin:  Unknown  December, 1993. 
       203: The 203 virus was received in October, 1992.  Its origin is 
            unknown.  The 203 virus is a non-resident, direct action 
            infector of .COM programs, including COMMAND.COM.  When a 
            program infected with the 203 virus is executed, this virus will 
            infect one .COM program in the current directory.  Infected 
            programs will have a file length increase of 203 bytes with the 
            virus being located at the end of the file.  The program's date 
            and time in the DOS disk directory listing will not be altered. 
            One text string is visible within the viral code: 
            "*.com" 
            The 203 virus doesn't do anything besides replicate. 
            Origin:  Unknown  October, 1992. 
       644: The 644 virus was received in September, 1992.  It is 
            a non-resident, direct action infector of .COM and .EXE 
            files, but not COMMAND.COM.  Execution of an infected program 
            will result in all .COM and .EXE programs other than COMMAND.COM 
            located in the current directory becoming infected. Programs 
            infected with the 644 virus will have a file length increase of 
            644 bytes with the virus being located at the end of the file. 
            The file's date and time in the DOS disk directory listing will 
            not be altered.  The following text string is encrypted within 
            the viral code:   "*.exe *.com" 
            Origin:  United States  September, 1992. 
       696: The 696 virus was received in November, 1992.  It is 
            a non-resident, direct action infector of .COM and .EXE files, 
            including COMMAND.COM.  Execution of an infected program will 
            result in three .EXE or .COM programs located in the current 
            directory becoming infected, with preference to .EXE files. 
            Programs infected with the 696 virus will have a file length 
            increase of 696 bytes with the virus being located at the end of 
            the file.  The file's date and time in the DOS disk directory 
            listing will not be altered.  The following text strings are 
            encrypted within the viral code: 
            "c:\autoexec.com" 
            "*.exe *.com" 
            Origin:  United States  November, 1992. 
       Abraxas: Received in September, 1992, Abraxas is a 546 byte 
                non-resident direct action infector of .COM and .EXE 
                programs, including COMMAND.COM.  It infects one program 
                in the current directory each time an infected program 
                is executed, with a preference for .EXE programs.  Infected 
                programs will have a file length increase of 546 bytes with 
                the virus being located at the end of the file.  Abraxas 
                 will not always recognize a previously infected program,
                 and will then reinfect the file.  When this occurs, it adds an
                additional 546 bytes.  The program's date and time in the 
                DOS disk directory listing will not be altered.  The 
                following text strings are encrypted within infected 
                programs: 
                "*.exe *.com" 
                "[Z10] Abraxas" 
                Infected programs will not function properly, returning 
                the user to the DOS prompt when executed.  Boot failures 
                will occur once COMMAND.COM has become infected. 
                Origin:  United States  September, 1992. 
       Abraxas-1520: Received in October, 1993, Abraxas-1520 is a 1,520 
                byte non-resident direct action infector of .COM programs, 
                but not COMMAND.COM.  It infects up to four .COM programs 
                in the current directory each time an infected program 
                is executed.  Infected programs will have a file length 
                increase of 1,520 bytes with the virus being located at the 
                end of the file.  The program's date and time in the 
                DOS disk directory listing will not be altered.  The 
                following text strings are visible within infected programs: 
                "Ich bin ein Geschenk von dem Teufel" 
                ".. *.com \" 
                Systems infected with the Abraxas-1520 virus may experience 
                system hangs when infected programs are executed. 
                Origin:  Unknown  October, 1993. 
       Alien-1: Received in February, 1993, Alien-1 is a 571 byte 
                 memory resident infector of .COM and .EXE programs, 
                 including COMMAND.COM.  It becomes memory resident at the 
                 top of system memory but below the 640K DOS boundary when 
                 the first infected program is executed, hooking interrupt 
                 21.  Total system and available free memory, as indicated 
                 by the DOS CHKDSK program, will have decreased by 1,216 
                 bytes.  Once resident, it infects .COM and .EXE programs 
                 when they are executed.  Infected programs will have a file 
                 length increase of 571 bytes with the virus being located 
                 at the end of the file.  The following text string is 
                 encrypted within the viral code: 
                 "ALiEN 1 Leviathan =VC" 
                 Origin:  Unknown  February, 1993. 
       Alien-3: Received in February, 1993, Alien-3 is a 625 byte 
                 memory resident infector of .COM and .EXE programs, 
                 including COMMAND.COM.  It becomes memory resident at the 
                 top of system memory but below the 640K DOS boundary when 
                 the first infected program is executed, hooking interrupt 
                 21.  Total system and available free memory, as indicated 
                 by the DOS CHKDSK program, will have decreased by 1,328 
                 bytes.  Once resident, it infects .COM and .EXE programs 
                 when they are executed.  Infected programs will have a file 
                 length increase of 625 bytes with the virus being located 
                 at the end of the file.  The following text string is 
                 encrypted within the viral code: 
                 "ALiEN 3 - Demon Spawn Leviathan =VC" 
                 Origin:  Unknown  February, 1993. 
       Anathema: Received in November, 1992, Anathema is a 588 byte 
                 memory resident infector of .COM and .EXE programs, 
                 including COMMAND.COM.  It becomes memory resident at the 
                 top of system memory but below the 640K DOS boundary when 
                 the first infected program is executed, moving interrupt 
                 12's return.  Total system and available free memory, as 
                 indicated by the DOS CHKDSK program, will have decreased by 
                 2,048 bytes.  Interrupt 21 will be hooked by Anathema in 
                 memory.  Once resident, it infects .COM and .EXE programs 
                 when they are executed.  Infected programs will have a file 
                 length increase of 588 bytes with the virus being located 
                 at the end of the file.  The following text string is 
                 encrypted within the viral code: 
                 "[ANATHEMA] THE STRANGER" 
                 Infected systems may experience corruption of file 
                 allocation table 1, including file allocation errors and 
                 cross-linking of programs and data files.  Boot failures 
                 will also occur once the boot copy of COMMAND.COM becomes 
                 infected. 
                 Origin:  United States  November, 1992. 
       Armana-564: Received in September, 1993, Armana-564 is a 564 byte 
                 non-resident direct action infector of .COM and .EXE 
                 programs.  It infects two .EXE files in the current 
                 directory each time an infected program is executed.  Once 
                 all of the .EXE files in the current directory have become 
                 infected, it will infect two .COM files in the current 
                 directory.  Infected programs will have a file length 
                 increase of 564 bytes with the virus being located at the 
                 end of the file.  The program's date and time in the DOS 
                 disk directory listing will not be altered.  The following 
                 text strings are encrypted within the Armana-564 viral 
                 code: 
                 "[MPC]" 
                 "rx3" 
                 "*.exe *.com" 
                  Once all of the .EXE files and four non-COMMAND.COM .COM
                  files in the current directory have been infected, a system
                  hang will occur when an infected program is executed.
                 Origin:  Unknown  September, 1993. 
       Bamestra 1: Received in June, 1993, Bamestra 1 is a 530 byte 
                 non-resident direct action infector of .EXE programs.  It 
                 infects two .EXE files in the current directory each time 
                 an infected program is executed.  Infected programs will 
                 have a file length increase of 530 bytes with the virus 
                 being located at the end of the file.  The program's date 
                 and time in the DOS disk directory listing will not be 
                 altered.  The following text strings are encrypted within 
                 the Bamestra viral code: 
                 "[MPC] [Bamestra] Frans Veldman" 
                 "*.exe" 
                 Origin:  Unknown  June, 1993. 
       Bamestra 2: Received in June, 1993, Bamestra 2 is a 535 byte 
                 minor variant of Bamestra 1. 
                 Origin:  Unknown  June, 1993. 
       Bamestra 3: Received in June, 1993, Bamestra 3 is a 531 byte 
                 minor variant of Bamestra 1. 
                 Origin:  Unknown  June, 1993. 
       Bamestra 4: Received in June, 1993, Bamestra 4 is a 536 byte 
                 minor variant of Bamestra 1. 
                 Origin:  Unknown  June, 1993. 
       Bamestra 5: Received in June, 1993, Bamestra 5 is a very minor 
                 variant of Bamestra 2. 
                 Origin:  Unknown  June, 1993. 
       Bamestra 6: Received in June, 1993, Bamestra 6 is a very minor 
                 variant of Bamestra 1, adding 530 bytes to the files it 
                 infects. 
                 Origin:  Unknown  June, 1993. 
       Bamestra 7: Received in June, 1993, Bamestra 7 is a 529 byte 
                 minor variant of Bamestra 1. 
                 Origin:  Unknown  June, 1993. 
       Bamestra 8: Received in June, 1993, Bamestra 8 is a 534 byte 
                 minor variant of Bamestra 1. 
                 Origin:  Unknown  June, 1993. 
       Bamestra 9: Received in June, 1993, Bamestra 9 is a very minor 
                 variant of Bamestra 1, adding 530 bytes to the files it 
                 infects. 
                 Origin:  Unknown  June, 1993. 
       Bamestra 10: Received in June, 1993, Bamestra 10 is a minor 
                 variant of Bamestra 1, adding 530 bytes to the files it 
                 infects. 
                 Origin:  Unknown  June, 1993. 
       Birthday: Received in July, 1993, Birthday is a 1,104 byte 
                 non-resident direct action infector of .EXE programs.  It 
                 infects one .EXE file on the C: and B: drives each time 
                 an infected program is executed.  Infected programs will 
                 have a file length increase of 1,104 bytes with the virus 
                 being located at the end of the file.  The program's date 
                 and time in the DOS disk directory listing will not be 
                 altered.  The following text strings are encrypted within 
                 the viral code in all Birthday infected programs: 
                 "This is the birthday of the great one." 
                 "There will be no computer usage today." 
                 "This is the second release of the weak virii, It is weak 
                  virii version %	 *.EXE .." 
                 If the B: drive does not contain a diskette, a system hang 
                 will occur when the virus attempts to infect a file there. 
                 Origin:  Unknown  July, 1993. 
       Cheesy: Received in January, 1993, Cheesy is a 381 byte 
                 non-resident direct action infector of .EXE programs.  It 
                 infects one .EXE file in the current directory each time 
                 an infected program is executed.  Infected programs will 
                 have a file length increase of 381 bytes with the virus 
                 being located at the end of the file.  The program's date 
                 and time in the DOS disk directory listing will not be 
                 altered.  The following text strings are visible within the 
                 viral code in all Cheesy infected programs: 
                 "[MPC] Dark Angel of PHALCON/SKISM" 
                 "[DemoEXE] for 40Hex" 
                 "*.exe" 
                 Origin:  United States  January, 1993. 
       Chuang Tzu: Received in January, 1993, Chuang Tzu is a 970 byte 
                 non-resident direct action infector of .COM and .EXE 
                 programs, but not COMMAND.COM.  It infects two .EXE or .COM 
                 programs in the current directory each time an infected 
                 program is executed.  Infected programs will have a file 
                 length increase of 970 bytes with the virus being located 
                 at the end of the file.  The program's date and time in the 
                 DOS disk directory listing will not be altered.  The 
                 following text strings are encrypted within the Chuang Tzu 
                 viral code in infected programs: 
                 "No one has lived longer than a dead child, 
                  and Methusula died young." 
                 "Heaven and Earth are as old as I, 
                  and ten thousand things are one." 
                 "-- Chuang Tzu, 300 B.C." 
                  "[MPC]"
                 Origin:  Unknown  January, 1993. 
       Cinco de Mayo: Received in February, 1993, Cinco de Mayo is an
                 885 byte non-resident direct action infector of .COM 
                 programs, but not COMMAND.COM.  It infects three .COM 
                 programs in the current directory each time an infected 
                 program is executed.  Infected programs will have a file 
                 length increase of 885 bytes with the virus being located 
                 at the end of the file.  The program's date and time in the 
                 DOS disk directory listing will not be altered.  The 
                 following text strings are encrypted within the Cinco de 
                 Mayo viral code in infected programs: 
                 "** Cinco de Mayo **" 
                 "No trabajas hoy." 
                 "[MPC] [VCL] [Cinco de Mayo]" 
                 "Danzig Tanks to Dark Angel and Nowhere Man for their 
                  excellent Virus creation programs! more to follow" 
                 "*.exe *.com .. US" 
                 Origin:  Unknown  February, 1993. 
       Cinco EXE: Similar to the Cinco de Mayo virus described above, 
                 this virus is a version which infects three .EXE programs 
                 when an infected program is executed.  Its size, location, 
                 and file date effect are the same as the original virus. 
                 The following text strings are encrypted within the viral 
                 code: 
                 "**Cinco de Mayo**" 
                 "No trabajas hoy." 
                 "Bebe mas cerveza!!" 
                 "[MPC] [VCL] [Cinco de Mayo]" 
                 "Danzig Thanks to Dark Angel and Nowhere Man for their 
                  excellent Virus creation programs! more to follow" 
                 "*.exe *.com .. US" 
                 Origin:  Unknown  July, 1993. 
       Clint: Received in November, 1992, Clint is a 1,076 byte 
                 memory resident infector of .COM and .EXE programs, 
                 including COMMAND.COM.  It becomes memory resident at the 
                 top of system memory but below the 640K DOS boundary when 
                 the first infected program is executed, moving interrupt 
                 12's return.  Total system and available free memory, as 
                 indicated by the DOS CHKDSK program, will have decreased by 
                 3,072 bytes.  Interrupt 21 will be hooked by Clint in 
                 memory.  Once resident, it infects .COM and .EXE programs 
                 when they are executed.  Infected programs will have a file 
                 length increase of 1,076 bytes with the virus being located 
                  at the end of the file.  The following text strings are
                  encrypted within the viral code:
                 "[CLINT]   (c) Copyright 1992 THE STRANGER" 
                 "THIS VIRUS PROUDLY MADE IN THE USA!" 
                 Origin:  United States  November, 1992. 
       Crumble: Received in August, 1992, Crumble is a 778 byte 
                non-resident direct action infector of .COM and .EXE 
                programs, including COMMAND.COM.  It infects two programs 
                in the current directory each time an infected program 
                is executed.  Infected programs will have a file length 
                increase of 778 bytes with the virus being located at 
                the end of the file.  The program's date and time in the 
                DOS disk directory listing will not be altered.  The 
                following text strings are encrypted within infected 
                programs: 
                "*.exe *.com" 
                "[MPC]" 
                "[CrumblKouch] Kouch" 
                Origin:  United States  August, 1992. 
       DataDeath: Received in July, 1993, DataDeath is a 1,060 byte 
                non-resident direct action infector of .COM and .EXE 
                programs, including COMMAND.COM.  It infects four or five 
                programs in the current directory each time an infected 
                program is executed, with preference for .EXE programs. 
                Infected programs will have a file length increase of 1,060 
                bytes with the virus being located at the end of the file. 
                The program's date and time in the DOS disk directory will 
                not be altered.  The following text strings are encrypted 
                within infected programs: 
                "Hello I am Absolute Sector of DataDeath" 
                "I am in your computer now... I have magic" 
                "powers..." 
                "DataDeath - Taking The World By Storm!!!" 
                "Now your hard disk will pay for your stupidity!" 
                "Hi to: Aristotle, Apocalypse, Vengeance, and YOU!" 
                "Love You Joslyn" 
                "HACKERS, VIRUSES, AND ANARCHY FOREVER..." 
                "-Absolute Sector (DataDeath)" 
                "Your hard drive has now felt my magic lightning" 
                "PS-MPC produced (with modifications of course!)" 
                "*.exe *.com" 
                Origin:  Unknown  July, 1993. 
       Death 2: Received in September, 1992, Death 2 is a 671 byte 
                non-resident direct action infector of .COM and .EXE 
                programs, but not COMMAND.COM.  It infects one program 
                in the current directory each time an infected program 
                is executed, with preference to .EXE files.  Infected 
                programs will have a file length increase of 671 bytes with 
                the virus being located at the end of the file.  The 
                program's date and time in the DOS disk directory listing 
                will not be altered.  The following text strings are 
                encrypted within infected programs: 
                "*.exe *.com" 
                "[MPC] The Virus Of Death 2" 
                "The Happy Hacker" 
                Origin:  United States  September, 1992. 
       Eclypse: Received in November, 1992, Eclypse is a 641 byte 
                non-resident direct action infector of .COM and .EXE 
                programs, including COMMAND.COM.  It infects one program 
                in the current directory each time an infected program 
                is executed, with preference to .EXE files.  Infected 
                programs will have a file length increase of 641 bytes with 
                the virus being located at the end of the file.  The 
                program's date and time in the DOS disk directory listing 
                will not be altered.  The following text strings are 
                encrypted within infected programs: 
                "[MPC] [Eclypse] Abraxas" 
                "*.exe *.com" 
                Origin:  United States  November, 1992. 
       Grease: Received in June, 1993, Grease is an 856 byte 
                 non-resident direct action infector of .COM and .EXE 
                 programs, including COMMAND.COM.  It infects five .EXE or 
                 .COM programs in the current directory each time an 
                 infected program is executed.  Infected programs will have 
                 a file length increase of 856 bytes with the virus being 
                 located at the end of the file.  The program's date and 
                 time in the DOS disk directory listing will not be altered. 
                 The following text strings are encrypted within the Grease 
                 viral code in infected programs: 
                 "You have been hit with the Grease Man virus." 
                 "Listen to him on 92.3 or 94.1 FM in the NYC listening 
                  area from 6-10PM" 
                 "Monday-Friday.  Give him a call at 1-800-544-9294 and 
                  tell him the good news!" 
                 "Ohhh Schweet ahhh!" 
                 System hangs frequently occur when infected programs are 
                 executed. 
                 Origin:  United States  June, 1993. 
       Groovy: Received in August, 1993, Groovy is a 466 byte
                  non-resident direct action infector of .EXE programs.  It
                 infects two .EXE files in the current directory each time 
                 an infected program is executed.  Infected programs will 
                 have a file length increase of 466 bytes with the virus 
                 being located at the end of the file.  The program's date 
                 and time in the DOS disk directory listing will not be 
                 altered.  The following text string is visible within the 
                 viral code in all Groovy infected programs: 
                 "GRooVYGRooVYGRooVYGRooVYGRooVYGRooVY stupid biquts *.exe" 
                 Origin:  Unknown  August, 1993. 
       Helmet 1.0: Received in July, 1993, Helmet 1.0 is a 412 byte 
                non-resident direct action infector of .COM programs, but 
                not COMMAND.COM.  It infects one program in the current 
                directory each time an infected program is executed. 
                Infected programs will have a file length increase of 412 
                bytes with the virus being located at the end of the file. 
                The program's date and time in the DOS disk directory 
                will not be altered.  The following text strings are 
                encrypted within infected programs: 
                "[MPC] [HELMET 1.0] Basher IV" 
                "*.com US" 
                Origin:  Unknown  July, 1993. 
       Hiccup: Received in March, 1993, Hiccup is a 533 byte memory 
                resident infector of .COM programs, including COMMAND.COM. 
                It becomes memory resident at the top of system memory but 
                below the 640K DOS boundary when the first infected program 
                is executed, hooking interrupt 21.  Total system and 
                available free memory, as indicated by the DOS CHKDSK 
                program, will have decreased by 2,048 bytes.  Once resident, 
                it infects .COM programs when they are executed.  Infected 
                programs will have a file length increase of 533 bytes with 
                the virus being located at the end of the file.  The 
                following text strings are encrypted within the viral code: 
                "[N.I.T is a waste of money!]" 
                "[Created at the National Institute of Technology]" 
                "[Hiccup]" 
                 "May the world fear the hiccup! Created Feb.1993"
                 Origin:  Unknown  March, 1993.
       Iron Hoof 1: Received in July, 1993, Iron Hoof 1 is a 459 byte 
                non-resident direct action infector of .EXE programs.  It 
                infects three .EXE programs in the current or higher level 
                directory each time an infected program is executed. 
                Infected programs will have a file length increase of 459 
                bytes with the virus being located at the end of the file. 
                The program's date and time in the DOS disk directory 
                will not be altered.  The following text strings are 
                visible within the viral code in infected programs: 
                "[Iron Hoof] Nameless One -- ANARKICK SYSTEMS" 
                "*.exe .." 
                Origin:  Unknown  July, 1993. 
       Iron Hoof 2: Received in July, 1993, Iron Hoof 2 is a 462 byte 
                non-resident direct action infector of .EXE programs.  It 
                infects three .EXE programs in the current or higher level 
                directory each time an infected program is executed. 
                Infected programs will have a file length increase of 462 
                bytes with the virus being located at the end of the file. 
                The program's date and time in the DOS disk directory 
                will not be altered.  The following text strings are 
                visible within the viral code in infected programs: 
                "[Iron Hoof v2] Nameless One -- ANARKICK SYSTEMS" 
                "*.exe .." 
                Origin:  Unknown  July, 1993. 
       Kersplat: Received in October, 1992, Kersplat is a 670 byte 
                 memory resident infector of .COM and .EXE programs, 
                 including COMMAND.COM.  It becomes memory resident at the 
                 top of system memory but below the 640K DOS boundary when 
                 the first infected program is executed.  Total system and 
                 available free memory, as indicated by the DOS CHKDSK 
                 program, will have decreased by 2,048 bytes.  Interrupt 21 
                 will be hooked by Kersplat in memory.  Once resident, it 
                 infects .COM and .EXE programs when they are executed. 
                 Infected programs will have a file length increase of 670 
                 bytes with the virus being located at the end of the file. 
                 The following text string is encrypted within the viral 
                 code: 
                 "[KERSPLAT] THE STRANGER" 
                 Origin:  United States  October, 1992. 
       Love Bink: Received in January, 1994, Love Bink is a 557 byte 
                 memory resident infector of .COM programs, including 
                 COMMAND.COM.  It becomes memory resident at the top of 
                 system memory but below the 640K DOS boundary when the first 
                 infected program is executed.  Total system and available 
                 free memory, as indicated by the DOS CHKDSK program, will 
                 have decreased by 1,184 bytes.  Interrupt 21 will be hooked 
                 by the virus in memory.  Once resident, it infects .COM 
                 programs when they are executed.  Infected programs will 
                 have a file length increase of 557 bytes with the virus 
                 being located at the end of the file.  The following text 
                 strings are encrypted within the viral code: 
                 "Today The Love Of Binky Started... 
                  Your Computer Shall Celebrate!" 
                 "[MPC] Binky Love Z-Boy" 
                 Love Bink overwrites the system hard disk on November 24th 
                 of any year. 
                 Origin:  Unknown  January, 1994. 
       Math Test: Received in June, 1993, Math Test is a 1,136 byte 
                memory resident infector of .COM and .EXE programs, 
                including COMMAND.COM.  It becomes memory resident at the 
                top of system memory but below the 640K DOS boundary when 
                the first infected program is executed, hooking interrupt 
                21.  Total system and available free memory, as indicated by 
                the DOS CHKDSK program, will have decreased by 2,384 bytes. 
                Once resident, it infects .COM and .EXE programs when they 
                are executed.  Infected programs will have a file length 
                increase of 1,163 bytes with the virus being located at the 
                end of the file.  Math Test activates between 9:00 and 10:00 
                in the morning, at which time it may display the following 
                message requiring the user to respond when a program is 
                executed: 
                "It's time for a math test courtesy of YAM! 
                 And the question is... 
                 What is 00 + 00 =" 
                If the user types "00", then the program the user was 
                attempting to execute will run.  If anything else is typed, 
                the following message is displayed, and the user is returned 
                to the DOS prompt: 
                "WRONG!!!! TRY AGAIN!" 
                The text strings from the above messages are encrypted 
                within the viral code, as is the following additional text 
                string: 
                "Admiral Bailey [MATH TEST VIRUS]" 
                 Origin:  United States  June, 1993.
       McWhale: Received in October, 1992, McWhale is a 1,125 byte 
                non-resident infector of .COM and .EXE programs, but not 
                COMMAND.COM.  It infects two .EXE or .COM programs each 
                time an infected program is executed, with preference for 
                .EXE files.  Infected files will have a file length increase 
                of 1,125 bytes with the virus being located at the end of 
                the file.  The program's date and time in the DOS disk 
                directory listing will not be altered.  Approximately 40% 
                of the time when an infected program is executed, the 
                following message will be displayed in the middle of the 
                system display, scrolling from right to left on one line: 
                "Beware!!!.............................. 
                 Anti-Virus.....Man.....John.....McAfee.....wrote.....the 
                 WHALE.....virus!!.............................. 
                 HONEST!!!................" 
                 Occasionally, the virus will follow this display with the
                 additional text:
                 "- (c) 1992 Abraxas Warez........"
                 The above text message is encrypted within the viral code,
                 as are the following text strings:
                " ABRAXAS -" 
                "[MPC] [McAfee' Whale] [pAgE]" 
                "*.exe *.com .. US" 
                Unexpected system hangs may also occur on infected systems. 
                Origin:  United States  October, 1992. 
       McWhale-1022: Received in March, 1993, McWhale-1022 is a 1,022 
                byte non-resident infector of .COM and .EXE programs, but 
                not COMMAND.COM.  It infects two .EXE or .COM programs each 
                time an infected program is executed, with preference for 
                .EXE files.  Infected files will have a file length increase 
                of 1,022 bytes with the virus being located at the end of 
                the file.  The program's date and time in the DOS disk 
                directory listing will not be altered.  Approximately 40% 
                of the time when an infected program is executed, the 
                 following message will be displayed in a scrolling, diagonal
                formation on the system display: 
                "by McWhale - (c) 1992 McAfee Warez." 
                "McAfee, wrote the WHALE...." 
                "...and Solient Green is people" 
                 Occasionally, the virus will also display the following
                 message:
                 "System reports appear"
                 The above text messages are encrypted within the viral code,
                 as is the following text string:
                "*.exe *.com .. US" 
                Origin:  Unknown  March, 1993. 
       Mimic-Den Zuk: Received in September, 1992, Mimic-Den Zuk is 
                a 4,893 byte virus which infects two .COM programs each 
                time an infected program is executed.  Infected programs 
                will have a file length increase of 4,893 bytes with 
                the virus being located at the end of the file.  The 
                program's date and time in the DOS disk directory listing 
                will not be altered.  Several text strings are encrypted 
                within the viral code, and are not visible in infected 
                .COM programs.  Some of these strings are: 
                "DENZ-SIMCOM" 
                "This program requires DOS version 2.0 or later" 
                "DOS version 2.x -" 
                "Program is the wrong length" 
                "check for virus infection" 
                On Fridays, Mimic-Den Zuk activates.  At this time, 
                execution of an infected .COM program will result in some 
                of the .EXE programs in the current directory being 
                overwritten by a trojan.  This trojan will display a 
                "Den Zuk" logo on the system display when it is executed, 
                and then return the user to the DOS prompt.  The virus 
                overwrites the first 4,243 bytes of trojanized .EXE 
                programs. 
                Origin:  United States  September, 1992. 
       Mimic-Jerusalem: Received in September, 1992, Mimic-Jerusalem 
                is a 2,832 byte infector of .COM and .EXE programs, but 
                not COMMAND.COM.  It will infect either all .EXE or all 
                .COM programs in the current directory when an infected 
                program is executed.  Infected programs will have a 
                file length increase of 2,832 bytes with the virus being 
                located at the end of the file.  .EXE programs may be 
                reinfected, adding an additional 2,832 bytes.  There will 
                be no change to the file's date and time in the DOS disk 
                directory listing.  Mimic-Jerusalem is an encrypted virus. 
                Several text strings occur within the viral code, though 
                they will only be visible in some trojanized .EXE programs: 
                "JERU-SIM.COM V1.02" 
                "Written by URN KOUCH" 
                "Copyright (c) URN KOUCH 1992." 
                "This program requires DOS version 2.0 or later" 
                "DOS version 2.x -" 
                Mimic-Jerusalem activates on Fridays.  Upon activation, 
                execution of an infected program will result in some of 
                the .EXE programs in the current directory being trojanized. 
                The virus will overwrite the beginning of the .EXE file with 
                a small program which mimics the behaviour of the Jerusalem 
                virus. 
                Origin:  United States  September, 1992. 
       Napolean Complex: Received in December, 1992, Napolean Complex 
                is a 729 byte non-resident direct action infector of .COM 
                programs, including COMMAND.COM.  It infects three programs 
                in the current directory each time an infected program 
                is executed, with preference for .EXE files.  Infected 
                programs will have a file length increase of 729 bytes with 
                the virus being located at the end of the file.  The 
                program's date and time in the DOS disk directory listing 
                will not be altered.  The following text strings are 
                encrypted within infected programs: 
                "LMluvsSI" 
                "Dynamite cums in small packages!" 
                "[NAPOLEAN COMPLEX v1.0] Nameless One -- ANARKICK SYSTEMS" 
                "*.exe *.com .." 
                 System hangs will sometimes occur when infected programs
                 are executed, and the virus will sometimes write a
                 portion of its viral code to the system display.
                Origin:  Unknown  December, 1992. 
       Nirvana: Received in September, 1993, Nirvana is an 835 byte 
                non-resident direct action infector of .EXE programs.  It 
                infects all of the .EXE files in the current directory and 
                the C: drive root directory when an infected program 
                is executed.  Infected programs will have a file length 
                increase of 835 bytes with the virus being located at the 
                end of the file.  The program's date and time in the DOS 
                disk directory listing will not be altered.  The following 
                text strings are encrypted within infected programs: 
                "YOU ARE DEAD. YOUR COMPUTER IS NOW EXPERIENCING NIRVANA" 
                "IT IS DELETING ALL EXECUTABLE FILES FROM YOUR HARD DRIVE" 
                "This is version &% of Nirvana released in 1993" 
                "*.EXE *.EXE .." 
                Origin:  Unknown  September, 1993. 
       No God: Received in February, 1994, No God is a 728 byte
                 non-resident direct action infector of .COM and .EXE
                programs.  It infects five .EXE or .COM files in the current 
                directory when an infected program is executed.  Infected 
                programs will have a file length increase of 728 bytes with 
                the virus being located at the end of the file.  The 
                program's date and time in the DOS disk directory listing 
                will not be altered.  The following text strings are 
                encrypted within the viral code: 
                "[NOGOD]" 
                "*.exe *.com .." 
                "God is fake, He wouldn't let this happen." 
                Origin:  Unknown  February, 1994. 
       No Wednesday: Received in September, 1992, No Wednesday is a 
                520 byte non-resident direct action infector of .COM 
                programs, but not COMMAND.COM.  It infects one program 
                in the current directory each time an infected program 
                is executed.  Infected programs will have a file length 
                increase of 520 bytes with the virus being located at 
                the end of the file.  The program's date and time in the 
                DOS disk directory listing will not be altered.  The 
                following text strings are encrypted within infected 
                programs: 
                "*.com" 
                "[MPC] [No Wednesday]" 
                "* by Goethe *" 
                "for [AKL/4269]" 
                "File not found." 
                No Wednesday activates on any Wednesday, at which time 
                execution of an infected program will result in the fake 
                error message "File not found." and the user being returned 
                to the DOS prompt.  The programs will run normally on any 
                other day of the week. 
                Origin:  United States  September, 1992. 
       Page: Received in November, 1992, Page is a 570 byte non-resident 
                direct action infector of .COM and .EXE programs, including 
                 COMMAND.COM.  When an infected program is executed, it will
                infect all of the .EXE programs located in the current 
                directory.  If the .EXE programs were previously infected, 
                it will instead infect all of the .COM programs in the 
                current directory.  Infected programs will have a file 
                length increase of 570 bytes with the virus being located at 
                the end of the file.  The program's date and time in the DOS 
                disk directory listing will not be altered.  The following 
                text strings are visible within the viral code in infected 
                programs: 
                "C:\AUTOEXEC.COM" 
                "*.exe *.com \ [pAgE]" 
                Origin:  United States  November, 1992. 
       Page-B: Received in May, 1993, Page-B is a 780 byte non-resident 
                direct action infector of .COM programs, including 
                 COMMAND.COM.  When an infected program is executed, it will
                 infect the first .COM file located in the current directory,
                 regardless of whether it was previously infected.  Each
                 infection by Page-B adds 780 bytes to the file's length.  The
                 virus will be located at the end of
                the file.  The program's date and time in the DOS disk 
                directory listing will not be altered.  The following text 
                strings are visible within the viral code in infected 
                programs: 
                "by-->>pAgE<<--(C)1992 TuRN-THE-pAgE" 
                "Ancient Sages" 
                "Is one of pAgEs" 
                "*.COM" 
                "????????COM" 
                The Page-B virus will sometimes display the following text 
                in a diagonal scroll using multi-colored letters: 
                "Ancient Sages          Is one of pAgEs" 
                Origin:  Unknown  May, 1993. 
       PS-MPC.150.B: Received in January, 1995, PS-MPC.150.B is a 150 
                byte non-resident direct action infector of .COM files, 
                including COMMAND.COM.  It infects all of the .COM files 
                in the current directory when an infected program is 
                executed.  Infected files increase in size by 150 bytes with 
                the virus being located at the end of the file.  The 
                program's date and time in the DOS disk directory listing 
                will have been updated to the current system date and time 
                 when infection occurred, while the seconds field in the
                 file's date and time will be set to "12".  The following text
                string can be found in all infected files: 
                "*.com" 
                Origin:  Unknown  January, 1995. 
       PS-MPC.753: Received in January, 1997, PS-MPC.753 is a 753 byte 
                non-resident direct action infector of .COM and .EXE files, 
                including COMMAND.COM.  It infects up to three .EXE or .COM 
                files in the current directory when an infected program is 
                executed.  Infected files increase in size by 753 bytes with 
                the virus being located at the end of the file.  The 
                program's date and time in the DOS disk directory listing 
                will not be altered.  The following text strings are 
                encrypted within the viral code: 
                "[ASStral Zeuss] MUJA DIB ASStral Zeuss sucks DICK...Goodbye 
                 HD!" 
                "Tim Andrews talks to rocks" 
                "Revenge is sweet assholes" 
                "*.exe *.com .." 
                Origin:  Unknown  January, 1997. 
       PS-MPC.Asstral: Received in January, 1995, PS-MPC.Asstral is a 753 
                byte non-resident direct action infector of .EXE files.  It 
                infects three .EXE files in the current directory when an 
                infected program is executed.  Infected files increase in 
                size by 753 bytes with the virus being located at the end of 
                the file.  The program's date and time in the DOS disk 
                directory listing will not be altered.  The following text 
                strings are encrypted within the viral code: 
                "[ASStral Zeuss] MUJA DIB ASStral Zeuss sucks DICK...Goodbye 
                 HD!" 
                "Tim Andrews talks to rocks" 
                "Revenge is sweet assholes" 
                "*.exe *.com .." 
                Origin:  Unknown  January, 1995. 
       PS-MPC.DeathBoy: Received in December, 1994, PS-MPC.DeathBoy is a 
                 893 byte non-resident direct action infector of .COM and 
                 .EXE programs, including COMMAND.COM.  When an infected 
                 program is executed, the virus will infect one .COM and one 
                 .EXE program located in the current directory.  A system hang 
                 will then occur.  Programs infected with this virus will have 
                 a file length increase of 893 bytes with the virus being 
                 located at the end of the file.  The program's date and time 
                 in the DOS disk directory listing will not appear to be 
                 altered, though the seconds field will be set to "58".  The 
                 following text strings are encrypted within the viral code: 
                 "1994 virus=DeathBoy was here" 
                 "*.COM *.EXE PATH=" 
                 "TINYPROG says, "Patched program!"" 
                 Execution of an infected program also results in the 
                 system date being set to December 10, 1994.  System hangs 
                 do not occur once all of the .COM and .EXE files in the 
                 current directory have become infected. 
                 Origin:  Unknown  December, 1994. 
       PS-MPC.Fred: Received in May, 1995, PS-MPC.Fred is a 720 byte 
                non-resident direct action infector of .COM and .EXE files. 
                It infects three .EXE or .COM files in the current directory 
                when an infected program is executed.  Infected files 
                increase in size by 720 bytes with the virus being located 
                at the end of the file.  The program's date and time in the 
                DOS disk directory listing will not be altered.  The 
                following text strings are encrypted within the viral code: 
                "In fond memory of Fred:We'll miss you..." 
                "*.exe *.com .." 
                Origin:  Unknown  May, 1995. 
       PS-MPC.Greetings: Received in July, 1994, this virus is a 1,118 
                byte memory resident infector of .COM and .EXE programs, 
                 including COMMAND.COM.  It occupies 2,288 bytes in memory and
                 hooks interrupts 08, 09, and 21.  Once resident, it infects
                .COM and .EXE programs when they are executed.  Infected 
                programs will have a file length increase of 1,118 bytes with 
                the virus being located at the end of the file.  The 
                following text strings are encrypted within the viral code: 
                "Admiral Bailey [YAM]" 
                "***[ Just wanna say Wa'Sup to: ]" 
                "The Carmel Massive" 
                "The Jamaican Posse and" 
                "Mad Cobra. Keep the FLEX alive!" 
                "By-The-Way John call this one "Greetings"." 
                Origin:  United States  July, 1994. 
       PS-MPC.Mom: Received in July, 1994, PS-MPC.Mom is a 974 byte 
                 non-resident direct action infector of .COM and .EXE 
                 programs, including COMMAND.COM.  When an infected program 
                 is executed, the virus will infect all of the .EXE programs 
                 located in the current directory.  If all of the .EXE 
                 programs were previously infected, the virus will proceed 
                 to infect all of the .COM programs in the directory. 
                 Infected programs will have a file length increase of 974 
                 bytes with the virus being located at the end of the file. 
                 The program's date and time in the DOS disk directory 
                 listing will not be altered.  The following text strings are 
                 encrypted within the viral code: 
                 "MoM#\/# () #\/#" 
                 "You are hereby notified that your system has just 
                  encountered" 
                 "a very unusuall disk error." 
                 "This error can be very fatal!!!" 
                 "Please check your system for any further errors." 
                 "DOS EXCEPTION ERROR #13" 
                 "*.com *.exe .." 
                 Origin:  Unknown  July, 1994. 
       PS-MPC.Powermen.717: Received in July, 1994, PS-MPC.Powermen.717 
                 is a 717 byte non-resident direct action infector of .COM 
                 and .EXE programs, including COMMAND.COM.  When an infected 
                 program is executed, the virus will infect up to five .EXE 
                 programs located in the current directory.  If all of the 
                 .EXE programs were previously infected, the virus will 
                 proceed to infect up to five .COM programs in the directory. 
                 Infected programs will have a file length increase of 717 
                 bytes with the virus being located at the end of the file. 
                 The program's date and time in the DOS disk directory 
                 listing will not be altered.  The following text strings are 
                 encrypted within the viral code: 
                 "[MPC] [PowerMEN] PowerMEN" 
                 "*.exe *.com .." 
                 System hangs may occur when an infected program is executed 
                 and all of the .EXE programs in the current directory were 
                 previously infected by the virus. 
                 Origin:  Unknown  July, 1994. 
       PS-MPC.Projekt.897: Received in May, 1995, PS-MPC.Projekt.897 is 
                an 897 byte non-resident direct action infector of .COM and 
                .EXE files.  It infects three .EXE or .COM files in the 
                current directory when an infected program is executed. 
                Infected files increase in size by 897 bytes with the virus 
                being located at the end of the file.  The program's date 
                and time in the DOS disk directory listing will not be 
                altered.  The following text strings are encrypted within 
                the viral code: 
                "If you can be a half-wit, so can I!" 
                "*.exe *.com .. US" 
                Origin:  Unknown  May, 1995. 
       PS-MPC.Projekt.918: Received in May, 1995, PS-MPC.Projekt.918 is 
                a 918 byte non-resident direct action infector of .COM and 
                .EXE files.  It infects three .EXE or .COM files in the 
                current directory when an infected program is executed. 
                Infected files increase in size by 918 bytes with the virus 
                being located at the end of the file.  The program's date 
                and time in the DOS disk directory listing will not be 
                altered.  The following text strings are encrypted within 
                the viral code: 
                "[ProjeKt X]" 
                "*.exe *.com .. " 
                Origin:  Unknown  May, 1995. 
       PS-MPC.Snort: Received in May, 1995, PS-MPC.Snort is a memory 
                 resident infector of .COM files, including COMMAND.COM. 
                 It becomes memory resident at the top of system memory but 
                 below the 640K DOS boundary, not moving interrupt 12's 
                 return.  Total system and available free memory, as 
                 indicated by the DOS CHKDSK program, will have decreased 
                 by 3,072 bytes.  Interrupt 21 will be hooked by the virus 
                 in memory.  Once memory resident, this virus infects .COM 
                 files when they are executed.  Infected programs will have 
                 a file length increase of 405 bytes with the virus being 
                 located at the end of the file.  The program's date and 
                 time in the DOS disk directory listing will not be altered. 
                 The following text strings are encrypted within the viral 
                 code: 
                 "MRMSNORT MRMSNORT" 
                 "MRMSNORT-VIRUS-EASTGERMANY" 
                 It is unknown what this virus may do besides replicate. 
                 Origin:  Germany  May, 1995. 
       PS-MPC.Walt.311: Received in July, 1994, PS-MPC.Walt.311 is a 311 
                 byte non-resident direct action infector of .COM programs. 
                 It infects one .COM file in the current directory when 
                 an infected program is executed.  Infected programs will 
                 have a file length increase of 311 bytes with the virus 
                 being located at the end of the file.  The program's date 
                 and time in the DOS disk directory listing will not be 
                 altered.  The following text strings are visible within 
                 the PS-MPC.Walt.311 viral code: 
                 "[MPC]" 
                 "[SHY_KOO]" 
                 "[Walt Whittman]" 
                 "*.com" 
                 Origin:  Unknown  July, 1994. 
       PSMPC-331: Received in September, 1993, PSMPC-331 is a 331 byte 
                 non-resident direct action infector of .COM programs.  It 
                 infects multiple .COM files in the current directory when 
                 an infected program is executed.  Infected programs will 
                 have a file length increase of 331 bytes with the virus 
                 being located at the end of the file.  The program's date 
                 and time in the DOS disk directory listing will not be 
                 altered.  The following text strings are visible within 
                 the PSMPC-331 viral code: 
                 "[MPC]" 
                 "*.com" 
                 Origin:  Unknown  September, 1993. 
       PSMPC-338: Received in September, 1993, PSMPC-338 is a 338 byte 
                 non-resident direct action infector of .COM programs.  It 
                 infects one .COM file in the current directory when 
                 an infected program is executed.  Infected programs will 
                 have a file length increase of 338 bytes with the virus 
                 being located at the end of the file.  The program's date 
                 and time in the DOS disk directory listing will not be 
                 altered.  The following text strings are encrypted within 
                 the PSMPC-338 viral code: 
                 "[MPC]" 
                 "*.com" 
                 This virus will only infect the first four .COM files in a 
                 directory. 
                 Origin:  Unknown  September, 1993. 
       PSMPC-339: Received in September, 1993, PSMPC-339 is a 339 byte 
                 non-resident direct action infector of .COM programs.  It 
                 infects one .COM file in the current directory when 
                 an infected program is executed.  Infected programs will 
                 have a file length increase of 339 bytes with the virus 
                 being located at the end of the file.  The program's date 
                 and time in the DOS disk directory listing will not be 
                 altered.  The following text strings are encrypted within 
                 the PSMPC-339 viral code: 
                 "[MPC]" 
                 "*.com" 
                 System hangs may occur when infected programs are executed. 
                 Origin:  Unknown  September, 1993. 
       PSMPC-344: Received in September, 1993, PSMPC-344 is a 344 byte 
                 non-resident direct action infector of .COM programs.  It 
                 infects one .COM file in the current directory when 
                 an infected program is executed.  Infected programs will 
                 have a file length increase of 344 bytes with the virus 
                 being located at the end of the file.  The program's date 
                 and time in the DOS disk directory listing will not be 
                 altered.  The following text strings are encrypted within 
                 the PSMPC-344 viral code: 
                 "[MPC]" 
                 "*.com" 
                 System hangs may occur when infected programs are executed. 
                 Origin:  Unknown  September, 1993. 
       PSMPC-347: Received in September, 1993, PSMPC-347 is a 347 byte 
                 non-resident direct action infector of .COM programs.  It 
                 infects one .COM file in the current directory when 
                 an infected program is executed.  Infected programs will 
                 have a file length increase of 347 bytes with the virus 
                 being located at the end of the file.  The program's date 
                 and time in the DOS disk directory listing will not be 
                 altered.  The following text strings are encrypted within 
                 the PSMPC-347 viral code: 
                 "[MPC]" 
                 "*.com" 
                 System hangs may occur when infected programs are executed. 
                 Origin:  Unknown  September, 1993. 
       PSMPC-351: Received in September, 1993, PSMPC-351 is a 351 byte 
                 non-resident direct action infector of .COM programs.  It 
                 infects one .COM file in the current directory when 
                 an infected program is executed.  Infected programs will 
                 have a file length increase of 351 bytes with the virus 
                 being located at the end of the file.  The program's date 
                 and time in the DOS disk directory listing will not be 
                 altered.  The following text strings are encrypted within 
                 the PSMPC-351 viral code: 
                 "[MPC]" 
                 "*.com" 
                 System hangs may occur when infected programs are executed. 
                 Origin:  Unknown  September, 1993. 
       PSMPC-352: Received in September, 1993, PSMPC-352 is a 352 byte 
                 non-resident direct action infector of .COM programs.  It 
                 infects one .COM file in the current directory when 
                 an infected program is executed.  Infected programs will 
                 have a file length increase of 352 bytes with the virus 
                 being located at the end of the file.  The program's date 
                 and time in the DOS disk directory listing will not be 
                 altered.  The following text strings are encrypted within 
                 the PSMPC-352 viral code: 
                 "[MPC]" 
                 "*.com" 
                 System hangs may occur when infected programs are executed. 
                 Origin:  Unknown  September, 1993. 
       PSMPC-353: Received in September, 1993, PSMPC-353 is a 353 byte 
                 non-resident direct action infector of .COM programs.  It 
                 infects one .COM file in the current directory when 
                 an infected program is executed.  Infected programs will 
                 have a file length increase of 353 bytes with the virus 
                 being located at the end of the file.  The program's date 
                 and time in the DOS disk directory listing will not be 
                 altered.  The following text strings are encrypted within 
                 the PSMPC-353 viral code: 
                 "[MPC]" 
                 "*.com" 
                 System hangs may occur when infected programs are executed. 
                 Origin:  Unknown  September, 1993. 
       PSMPC-478: Received in September, 1993, PSMPC-478 is a 478 byte 
                 non-resident direct action infector of .EXE and .COM 
                 programs.  It infects two .EXE or .COM files in the current 
                 directory when an infected program is executed.  Infected 
                 programs will have a file length increase of 478 bytes with 
                 the virus being located at the end of the file.  The 
                 program's date and time in the DOS disk directory listing 
                 will not be altered.  The following text strings are 
                 visible within the PSMPC-478 viral code: 
                 "[MPC]" 
                 "*.exe *.com" 
                 System hangs may occur when infected programs are executed. 
                 Origin:  Unknown  September, 1993. 
       PSMPC-573: Received in September, 1993, PSMPC-573 is a 573 byte 
                 non-resident direct action infector of .EXE and .COM 
                 programs.  It infects two .EXE or .COM files in the current 
                 directory when an infected program is executed.  Infected 
                 programs will have a file length increase of 573 bytes with 
                 the virus being located at the end of the file.  The 
                 program's date and time in the DOS disk directory listing 
                 will not be altered.  The following text strings are 
                 encrypted within the PSMPC-573 viral code: 
                 "[MPC]" 
                 "*.exe *.com" 
                 Approximately 30 seconds to 1 minute after an infected 
                 program is executed, the virus will attempt to write to 
                 device "PRN" (the system printer).  If the device isn't 
                 available, a system hang may occur. 
                 Origin:  Unknown  September, 1993. 
       PSMPC-598: Received in September, 1993, PSMPC-598 is a 598 byte 
                 non-resident direct action infector of .EXE and .COM 
                 programs.  It infects all of the .EXE or .COM files in the 
                 current directory when an infected program is executed. 
                 Infected programs will have a file length increase of 598 
                 bytes with the virus being located at the end of the file. 
                 The program's date and time in the DOS disk directory 
                 listing will not be altered.  The following text strings 
                 are encrypted within the PSMPC-598 viral code: 
                 "[MPC]" 
                 "*.exe *.com" 
                 Origin:  Unknown  September, 1993. 
       PSMPC-603: Received in September, 1993, PSMPC-603 is a 603 byte 
                 non-resident direct action infector of .EXE and .COM 
                 programs.  It infects all of the .EXE or .COM files in the 
                 current directory when an infected program is executed. 
                 Infected programs will have a file length increase of 603 
                 bytes with the virus being located at the end of the file. 
                 The program's date and time in the DOS disk directory 
                 listing will not be altered.  The following text strings 
                 are encrypted within the PSMPC-603 viral code: 
                 "[MPC]" 
                 "*.exe *.com" 
                 System hangs accompanied by loud buzzing on the system 
                 speaker may occur when infected programs are executed. 
                 Origin:  Unknown  September, 1993. 
       PSMPC-611: Received in September, 1993, PSMPC-611 is a 611 byte 
                 non-resident direct action infector of .EXE and .COM 
                 programs.  It infects all of the .EXE or .COM files in the 
                 current directory when an infected program is executed. 
                 Infected programs will have a file length increase of 611 
                 bytes with the virus being located at the end of the file. 
                 The program's date and time in the DOS disk directory 
                 listing will not be altered.  The following text strings 
                 are encrypted within the PSMPC-611 viral code: 
                 "[MPC]" 
                 "*.exe *.com" 
                 Origin:  Unknown  September, 1993. 
       Pussy: Received in September, 1993, Pussy is a 493 byte memory 
                 resident companion virus which infects .EXE programs by 
                 creating a corresponding .COM file.  It becomes memory 
                 resident at the top of system memory but below the 640K 
                 DOS boundary when the first infected program is executed. 
                 Total system and available free memory, as indicated by the 
                 DOS CHKDSK program, will have decreased by 4,096 bytes. 
                 Interrupt 21 will be hooked by Pussy in memory.  Once 
                 resident, it infects .EXE programs when they are executed by 
                 creating a .COM file with the same base file name.  This 
                 .COM file will be 493 bytes in length with the current 
                 system date and time when infection occurred.  It contains 
                 the Pussy viral code.  The Pussy virus may corrupt the 
                 system hard disk file allocation table (FAT) when infected 
                 programs are executed. 
                 Origin:  Unknown  September, 1993. 
       Quadratic-986: Received in August, 1993, Quadratic-986 is a 986 
                 byte non-resident virus.  When an infected program is 
                  executed, it will infect the copy of COMMAND.COM indicated by
                  the COMSPEC environment variable.  The virus will sometimes
                  overwrite 983 bytes of the hex 00 area within COMMAND.COM;
                  at other times it will increase the file length by 986
                 bytes with the viral code being located at the end of the 
                 file.  The program's date and time in the DOS disk 
                 directory will have the seconds field set to "62".  The 
                 following text strings are visible within the viral code: 
                 "Quadratic Equation" 
                 "SD93" 
                 System hangs, and thus boot failures, frequently occur 
                 when infected programs are executed. 
                 Origin:  Unknown  August, 1993. 
       Scarey: Received in February, 1993, Scarey is a 739 byte memory 
                 resident infector of .COM and .EXE programs, including 
                 COMMAND.COM.  It becomes memory resident at the top of 
                 system memory but below the 640K DOS boundary when the 
                 first infected program is executed.  Total system and 
                 available free memory, as indicated by the DOS CHKDSK 
                 program, will have decreased by 1,552 bytes.  Interrupt 21 
                 will be hooked by Scarey in memory.  Once resident, it 
                 infects .COM and .EXE programs when they are executed. 
                 Infected programs will have a file length increase of 739 
                 bytes with the virus being located at the end of the file. 
                 Scarey contains code to emit a buzzing noise on the system 
                 speaker while performing a read of the system hard disk. 
                 Origin:  Unknown  February, 1993. 
       Schrunch: Received in November, 1992, Schrunch is a 458 byte 
                non-resident direct action infector of .COM programs, 
                including COMMAND.COM.  It infects one program in the 
                current directory each time an infected program is executed. 
                Infected programs will have a file length increase of 458 
                bytes with the virus being located at the end of the file. 
                The program's date and time in the DOS disk directory 
                listing will not be altered.  The following text strings 
                are encrypted within infected programs: 
                "[ZEB (C) 1992] [SCHRUNCH[ Abraxas 2]" 
                "*.com" 
                On VGA systems, executing an infected program will result 
                in the system display being placed in 50 line mode, and 
                beeping may occur.  On non-VGA systems, garbled characters 
                may appear on the display. 
                Origin:  United States  November, 1992. 
       Silent Killer: Received in January, 1994, Silent Killer is a 
                 397 byte memory resident infector of .COM programs, including
                 COMMAND.COM.  It becomes memory resident at the top of system
                memory but below the 640K DOS boundary when the first 
                infected program is executed, hooking interrupt 21.  Total 
                system and available free memory, as indicated by the 
                DOS CHKDSK program, will have decreased by 448 bytes.  Once 
                resident, it infects .COM programs when they are executed. 
                Infected programs will have a file length increase of 397 
                bytes with the virus being located at the end of the file. 
                The following text string is visible within the viral code in 
                all Silent Killer infected programs: 
                "[ZRK] Silent Killer Z-Rock" 
                 Origin:  Unknown  January, 1994. 
       Skeleton: Received in November, 1992, Skeleton is a 556 byte 
                non-resident direct action infector of .COM and .EXE 
                programs, including COMMAND.COM.  It infects three programs 
                in the current directory each time an infected program 
                is executed, with preference to .EXE files.  Infected 
                programs will have a file length increase of 556 bytes with 
                the virus being located at the end of the file.  The 
                program's date and time in the DOS disk directory listing 
                will not be altered.  The following text strings are 
                encrypted within infected programs: 
                "[MPC] [Skeleton] Deke" 
                "*.exe *.com" 
                System hangs may occur once the virus has run out of 
                non-infected programs to infect. 
                Origin:  Germany  November, 1992. 
       Sucker: Received in April, 1993, Sucker is a 572 byte memory 
               resident infector of .COM and .EXE programs, including 
               COMMAND.COM.  It becomes memory resident at the top of system 
               memory but below the 640K DOS boundary when the first 
               infected program is executed.  Total system and available 
               free memory, as indicated by the DOS CHKDSK program, will 
               have decreased by 2,048 bytes.  Interrupt 21 will be hooked 
               by Sucker in memory.  Once resident, it infects .COM and 
               .EXE programs when they are executed.  Infected programs 
               will have a file length increase of 572 bytes with the virus 
               being located at the end of the file.  The following text 
               string is encrypted within the viral code: 
               "[MPC] Sucker (C) 1993" 
               Origin:  Unknown  April, 1993. 
       Sunday Death: Received in November, 1992, Sunday Death is a 
                644 byte non-resident direct action infector of .COM and 
                .EXE programs, including COMMAND.COM.  It infects all .COM 
                and .EXE programs in the current directory when an infected 
                program is executed.  Infected programs will have a file 
                length increase of 644 bytes with the virus being located at 
                the end of the file.  The program's date and time in the DOS 
                disk directory listing will not be altered.  The following 
                text strings are encrypted within infected programs: 
                "[BCA]" 
                "Sunday Death -- 1992 (c)BCA" 
                "Raven" 
                "*.exe *.com" 
                On Sundays, execution of an infected program will result 
                in a system hang occurring. 
                Origin:  United States  November, 1992. 
       T-Rex: Received in September, 1993, T-Rex is a 410 byte memory 
                 resident infector of .COM programs, including COMMAND.COM. 
                 It becomes memory resident at the top of system memory but 
                 below the 640K DOS boundary when the first infected program 
                 is executed.  Total system and available free memory, as 
                 indicated by the DOS CHKDSK program, will have decreased by 
                  approximately .5K.  Interrupt 21 will be hooked by T-Rex.
                 Once resident, it infects .COM programs when they are 
                 executed.  Infected programs will have a file length 
                 increase of 410 bytes with the virus being located at the 
                 end of the file.  The following text string is visible in 
                 the viral code in all T-Rex infected programs: 
                 "[MPC] T-REX subcon" 
                 Infected programs will frequently hang the system when they 
                 are executed, and boot failures will occur once the boot 
                 copy of COMMAND.COM becomes infected.  Some infected 
                 programs will simply return the user to the DOS prompt. 
                 Origin:  Unknown  September, 1993. 
       Test 441: Received in December, 1992, Test 441 is a 441 byte 
                non-resident direct action infector of .EXE programs.  It 
                infects three .EXE programs each time an infected program 
                is executed.  Once all of the .EXE programs in the current 
                directory have become infected, it will move upward in the 
                directory structure.  Infected programs will have a file 
                length increase of 441 bytes with the virus being located 
                at the end of the file.  The program's date and time in the 
                DOS disk directory listing will not be altered.  The 
                following text strings can be found within the viral code 
                in all infected programs as the virus is not encrypted: 
                "[MPC] [Test] Sam Hain" 
                "*.exe .." 
                Origin:  United States  December, 1992. 
       Tim 3: Received in June, 1993, Tim 3 is a 301 byte non-resident 
                 direct action infector of .COM programs.  It infects one 
                 .COM file in the current directory each time an infected 
                 program is executed.  Infected programs will have a file 
                 length increase of 301 bytes with the virus being located 
                 at the end of the file.  The program's date and time in 
                 the DOS disk directory listing will not be altered.  The 
                 following text strings are visible within the virus: 
                 "[MPC] [TIM] Abraxas" 
                 "*.com" 
                 Origin:  Unknown  June, 1993. 
       Tim 4: Received in June, 1993, Tim 4 is a 515 byte non-resident 
                 direct action infector of .COM & .EXE programs.  It 
                 infects one .EXE or .COM file in the current directory 
                 each time an infected program is executed.  Infected 
                 programs will have a file length increase of 515 bytes 
                 with the virus being located at the end of the file.  The 
                 program's date and time in the DOS disk directory listing 
                 will not be altered.  The following text strings are 
                 visible within the virus: 
                 "[MPC] [TIM] Abraxas" 
                 "*.exe *.com" 
                 Origin:  Unknown  June, 1993. 
       Tim 5: Received in June, 1993, Tim 5 is a 401 byte non-resident 
                 direct action infector of .COM programs.  It infects one 
                 .COM file in the current directory each time an infected 
                 program is executed.  Infected programs will have a file 
                 length increase of 401 bytes with the virus being located 
                 at the end of the file.  The program's date and time in 
                 the DOS disk directory listing will not be altered.  The 
                 following text strings are encrypted within the virus: 
                 "[MPC] [TIM] Abraxas" 
                 "*.com" 
                 Origin:  Unknown  June, 1993. 
       Tongue: Received in November, 1992, Tongue is a 597 byte 
                non-resident direct action infector of .COM and .EXE 
                programs, including COMMAND.COM.  It infects three programs 
                in the current directory each time an infected program 
                is executed, with preference to .EXE files.  Infected 
                programs will have a file length increase of 597 bytes with 
                the virus being located at the end of the file.  The 
                program's date and time in the DOS disk directory listing 
                will not be altered.  The following text string is visible 
                within the viral code in all infected programs: 
                "*.exe *.com" 
                Origin:  United States  November, 1992. 
       Toys: Received in November, 1992, Toys is a 773 byte non-resident 
                direct action infector of .COM and .EXE programs, including 
                COMMAND.COM.  It infects two .COM or .EXE programs in the 
                current directory when an infected program is executed, with 
                preference given to .EXE files.  Infected programs will have 
                a file length increase of 773 bytes with the virus being 
                located at the end of the file.  The program's date and time 
                in the DOS disk directory listing will not be altered.  The 
                following text strings are encrypted within infected 
                programs: 
                "All my toys are broken" 
                "And so am I inside." 
                "The carnival has closed" 
                "Years ago..." 
                "[VCL/MPC]" 
                "*.exe *.com" 
                Origin:  United States  November, 1992. 
       Walkabout: Received in October, 1992, Walkabout is a 573 byte 
                 memory resident infector of .COM and .EXE programs, 
                 including COMMAND.COM.  It becomes memory resident at the 
                 top of system memory but below the 640K DOS boundary when 
                 the first infected program is executed.  Total system and 
                 available free memory, as indicated by the DOS CHKDSK 
                 program, will have decreased by 2,048 bytes.  Interrupt 21 
                 will be hooked by Walkabout in memory.  Once resident, it 
                 infects .COM and .EXE programs when they are executed. 
                 Infected programs will have a file length increase of 573 
                 bytes with the virus being located at the end of the file. 
                 The following text string is encrypted within the viral 
                 code: 
                 "[WALKABOUT TSR VER 1.0] THE STRANGER" 
                 Origin:  United States  October, 1992. 
       War Dork: Received in June, 1993, War Dork is a 553 byte 
                 non-resident direct action infector of .EXE programs. 
                 It infects three programs in the current directory each 
                 time an infected program is executed.  Infected programs 
                 will have a file length increase of 553 bytes with the 
                 virus being located at the end of the file.  The program's 
                 date and time in the DOS disk directory listing will not 
                 be altered.  The following text strings are encrypted 
                 within infected programs: 
                 "[MPC] War Dork A rombus" 
                 "*.exe .." 
                 Origin:  Unknown  June, 1993. 
       Warez D00d: Received in December, 1992, Warez D00d is a 1,803 
                byte non-resident direct action infector of .COM, .EXE, 
                and .OVR programs, including COMMAND.COM.  It infects all 
                candidate programs in the current directory when an infected 
                program is executed.  Infected programs will have a file 
                length increase of 1,803 bytes with the virus being 
                located at the end of the file.  The program's date and time 
                in the DOS disk directory listing will not be altered.  The 
                following text strings are encrypted within infected 
                programs: 
                "HEY!!! Blow ME, WaReZ FAGGOT" 
                "You got sorta lucky!!!" 
                "I am afraid that I am going to have to smash your 
                 WaReZ, d00d!!!" 
                "Go ahead! Call the police and tell them" 
                "[NuKe]" 
                "paid you a visit!" 
                "*.exe *.ovr *.com" 
                 The virus will occasionally display the following message in
                graphics, and corrupt some .EXE programs located in the 
                current directory: 
                "DONT'T YOU KNOW THAT PIRACY IS ILLEGAL 
                 I am afraid that I am going to have to smash your 
                 Warez, d00d!!! 
                 Go ahead! Call the police and tell them [NuKe] paid 
                 you a visit!" 
                Origin:  Unknown  December, 1992. 
       Who Cares: Received in June, 1993, Who Cares is a 181 byte
                non-resident direct action infector of .COM programs, 
                including COMMAND.COM.  It infects all of the .COM programs 
                in the current directory when an infected program is 
                executed.  Infected programs will have a file length 
                increase of 181 bytes, unless they were originally smaller 
                than 165 bytes, in which case their length will become 346 
                bytes.  The virus will be located at the beginning of the 
                file.  The program's date and time in the DOS disk directory 
                listing will have been updated to the current system date 
                and time when infection occurred.  The following text string 
                can be found within the viral code in all infected programs: 
                "*.com" 
                Origin:  Unknown  June, 1993. 
       Z10: Received in September, 1992, Z10 is a 704 byte non-resident 
                direct action infector of .COM and .EXE programs, but not 
                COMMAND.COM.  It infects two programs in the current 
                directory each time an infected program is executed, with 
                preference given to .EXE files.  Infected programs will have 
                a file length increase of 704 bytes with the virus being 
                located at the end of the file.  The program's date and time 
                in the DOS disk directory listing will not be altered.  The 
                following text strings are encrypted within infected 
                programs: 
                "*.exe *.com" 
                "[PF] [Z_10] Paul Ferguson" 
                Origin:  United States  September, 1992. 
       Zeppelin: Received in September, 1992, Zeppelin is a 1,508 byte 
                non-resident direct action infector of .COM and .EXE 
                programs, including COMMAND.COM.  It infects five programs 
                in the current directory each time an infected program is 
                executed, with preference given to .EXE files.  Infected 
                programs will have a file length increase of 1,508 bytes 
                with the virus being located at the end of the file.  .COM 
                programs may be reinfected by the virus, adding an 
                additional 1,508 bytes with each reinfection.  The program's 
                date and time in the DOS disk directory listing will not be 
                altered.  The following text strings are encrypted within 
                infected programs: 
                "*.exe *.com" 
                "Ripped this Motherfucker off" 
                "SHIT!!! Wont work...." 
                "[pAgE] [SwanSong] Gandolph" 
                The Zeppelin virus will activate when it infects .EXE 
                programs.  After infecting five .EXE programs, the screen 
                will be cleared and a color graphic of a zeppelin will 
                appear, accompanied by tones being emitted on the system 
                speaker.  On mono systems, the graphic may appear as a 
                series of screens of various characters. When the program 
                infects .COM files, a system hang usually follows. 
                Origin:  United States  September, 1992. 
 
       See:  ARCV-n   G2   Joshua   Shock Therapy   Warez-1341 
