Virus Name: Violator
Aliases: Vienna.Violator, Violator Strain B
V Status: Endangered
Discovered: August, 1990
Isolated: United States
Symptoms: .COM growth; "Sector not found" error on drive B:; formats
Eff Length: 1,055 Bytes
Type Code: PNCK - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan, NAV, AVTK, F-Prot, Sweep, ChAV,
IBMAV, NAVDX, VAlert, PCScan,
NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N,
Removal Instructions: Delete infected files
The Violator virus was submitted in August, 1990 by an anonymous
user of Homebase BBS. While originally isolated in the United
States, this virus is originally from Canada. This virus is a
non-resident parasitic virus which infects .COM files, including
When a program infected with the Violator virus is executed, what
happens depends on what the system date is set to. If the date is
prior to August 15, 1990, the virus will infect one .COM file
located in the current directory, adding 1,055 bytes to the
program. If the date is August 15, 1990 or after, the virus will
not infect any files, but will format the first track of the disk
Symptoms of an infection of the Violator virus include unexpected
attempts to access drive B:. If there is no diskette in drive B:,
or the diskette in drive B: is write-protected, a Sector not found
error will result.
The following message appears in the viral code located in infected
"TransMogrified (TM) 1990 by
RABID N'tnl Development Corp
Copyright (c) 1990 RABID!
Activation Date: 08/15/90
- Violator Strain B -
! (Field Demo Test Version) !
! * NOT TO BE DISTRIBUTED * !"
Known variant(s) of Violator are:
Baby: Baby is a 1,000 byte variant of Violator, its origin is
unknown. Baby infects one .COM file in the current directory
each time an infected program is executed. Infected programs
will have a file length increase of 1,000 bytes with the virus
being located at the end of the file. The program's date and
time in the DOS disk directory listing will appear to be
unaltered, however the seconds field will have been set to
"60". The following text strings are visible within the viral
code in all Baby infected programs:
"by by baby"
It is unknown what Baby may do besides replicate.
Origin: Unknown June, 1993.
Violator B1: Based on the Violator BT variant, this variant is 716
bytes in length. The major change is that Violator B1
activates on September 4, October 4, November 4, and
December 4. On these dates, when an infected program
is executed it will reformat track 0 of all drives.
The only text strings found in this variant are:
Violator B2: Violator B2 is a 1,000 byte variant of Violator, and
is also related to the Arf virus which appears to have
also been written by the same group. Violator B2 will
activate on October 31 and December 31 when the year
is 1990 or later. At that time, it will wipe out the
C: drive by overwriting the first 700h sectors with
random bytes. This variant contains the text strings:
"*.COM" "Arf Arf! Got you!" "????????COM" "-- RABID
'90" "down or DIE!" "--- RABID '90" Violator B2
infects one or two .COM programs each time an
infected program is executed, along with displaying
the message: "Arf Arf Got you! -- RABID '90"
Violator B2-969: Violator B2-969 is a 969 byte variant of the
Violator B2 virus indicated above. It contains the
text strings: "*.COM" "????????.COM" and
"Violator B2 (C) '90 RABID Nat'nl Development Corp."
Violator B3: Violator B3 is a 843 byte variant of Violator. Like
the other Violators, it infects a .COM file each time
an infected program is executed. Unlike the other
violators, it will also affect the C: drive,
overwriting the boot sector and file allocation table
immediately in some circumstances. Damage caused by
Violator B3 can be fixed with Norton Disk Doctor.
Violator B3 should activate on December 25, at which
time it will attempt to format the current drive.
Text strings found in Violator B3 are: "Violator
Strain B3 - RABID Nat'nl Development Corp. " "*. COM"
Violator BT: Very similar to the Violator virus described above,
this variant will replicate after August 15, 1990. It
includes the same text strings as indicated above for
Violator.707: Violator.707 is a 707 byte variant of Violator.
It infects a .COM file each time an infected program is
executed. Infected files will have a file length increase
of 707 bytes with the virus being located at the end of
the file. The seconds field of the file time in the DOS
disk directory will have been set to "62". The following
text strings are visible within the viral code:
"DDrUS (C) - 1990"
Origin: Unknown July, 1994.
Violator-C: Violator-C is a 821 byte variant of Violator. Like
the other Violators, it infects a .COM file each time
an infected program is executed. Infected files will
have a file length increase of 821 bytes with the virus
being located at the end of the file. The seconds field
of the file time in the DOS disk directory will have been
set to "56". The following text strings are contained
within the viral code, unencrypted:
"Violator Strain C -
(C) 1991 RABID Int'nl Development Corp."
"Violator strikes again..."
Violator-C activates in October thru November of any
year, at which time execution of an infected program
will result in the overwriting of the beginning of the
system hard disk, and the following message being
displayed: "Violator strikes again...".
Origin: Canada October, 1992.
See: Arf Vienna Violator B4 Violite