Slayer Family Virus
Virus Name: Slayer Family
Aliases: Brain Slayer, Slayer, Yankee Doodle Dropper, VBasic 2
V Status: Common
Discovered: March, 1991
Symptoms: .COM & .EXE growth; long disk accesses; disk directory
altered; disk accesses to unexpected drives
Origin: United States
Eff Length: 5,120 Bytes
Type Code: PNA - Resident Non-Parasitic .COM & .EXE Infector
Detection Method: ViruScan, AVTK, F-Prot, NAV, Sweep, IBMAV,
NAVDX, VAlert, PCScan, ChAV,
NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, NAV/N,
Removal Instructions: Delete infected files
The Slayer Family of Viruses was discovered in March, 1991. This
group of viruses currently consists of five known variants which
were submitted from different locations at approximately the same
time. All of the variants are non-resident direct action infectors
of .COM and .EXE files. They do not infect COMMAND.COM.
Below is a generic description of the viruses in this family.
Specifics for each variant are listed under "Known variants" at the
end of this entry. In some cases, the only difference between the
variants is a few bytes.
When a program infected with a Slayer Family virus is executed, it
will infect all .COM and .EXE programs in the current directory on
the current drive. Additionally, depending on the variant, it may
infect some programs on other drives as well.
Programs infected with a Slayer Family virus will increase in size
between 5,120 and 5,135 bytes with the virus being located at the
end of the infected file. The program's date and time in the disk
directory will not be altered.
Symptoms of Slayer Family viruses include long disk accesses when
attempting to execute an infected program, and possibly disk
accesses to unexpected drives. The order of the disk directory on
infected systems may also be altered so that .COM programs appear
first in the directory.
At least one member of this family, Slayer-E or Yankee Doodle
Dropper, carries the Yankee Doodle virus which it will later
release on infected systems. This Yankee Doodle is the TP45VIR
Members of the Slayer Family are:
Slayer-A: Slayer-A will infect up to nine programs in a directory,
other than the root directory, on the system C: drive in
addition to programs on the current drive when an
infected program is executed.
Slayer-B: Similar to Slayer-A, this variant will infect programs
located in the C: drive root directory in addition to
those located on the current drive and directory.
Slayer-C: Similar to Slayer-A and Slayer-B, Slayer-C will infect
all programs located on the current drive and all
programs located on the C: drive. The following text
strings can be found in samples of Slayer-C:
"KEYB*.COM KEYB*.EXE BASRUN BRUN COBRUN NET$OS *.COM"
"IBMDOS.COM COMMAND.COM *.* .. \ .. *.EXE"
Slayer-D: Slayer-D is similar to Slayer-C, the major difference
being that while it accesses the C: drive when an
infected program is executed, it will not infect any
programs on the C: drive unless the infected program was
being executed from C:. The text strings indicated for
Slayer-C also occur for this variant.
Slayer-E: Slayer-E is also known as the Yankee Doodle Dropper.
When an infected program is executed, it will infect all
the programs on the current drive and directory, and then
infect a few programs on the C: drive. After some period
of time has elapsed since the original infection, this
variant will release the Yankee Doodle virus onto the
system, resulting in an active Yankee Doodle infection.
If the system user successfully removes Yankee Doodle,
but doesn't remove the Slayer-E infection, Yankee Doodle
will promptly reinfect the system from the Slayer-E
infected programs which remain. This variant is known to
be in the public domain.