I-B Virus


 Virus Name:  I-B 
 Aliases:     Milan 
 V Status:    Viron 
 Discovered:  May, 1991 
 Symptoms:    .COM program corruption; system hangs; hard disk corruption; 
              message; file date/time change 
 Origin:      Italy 
 Eff Length:  265, 272, or 451 Bytes 
 Type Code:   ONCK - Overwriting Non-Resident .COM Infector 
 Detection Method:  ViruScan, F-Prot, Sweep, AVTK, ChAV, 
                    NAV, IBMAV, NAVDX, VAlert, PCScan, 
                    NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, 
                    NAV/N, IBMAV/N 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The I-B virus is actually a group of three viruses which were 
       received from Europe in May, 1991.  These viruses originated in 
       Italy, and are very closely related.  All of them are non-resident 
       overwriting viruses which infect .COM files, including COMMAND.COM. 
 
       When an I-B virus is executed, it will infect all .COM programs in 
       the current directory.  Programs which have been infected will 
       have the beginning of the program overwritten with the viral code. 
       The number of bytes overwritten will vary, depending on which 
       variant is present.  Infected programs may also have their date 
       and time in the disk directory updated to the system date and time 
       when infection occurred.  See below for specifics of each variant. 
 
       I-B viruses activate based on the day of the week.  If all of the 
       .COM programs in the current directory are infected, and the 
       day of the week is the day being checked for by the virus, they 
       activate.  Two of the variants will overwrite the first 160 sectors 
       of the C: drive; the third variant will just hang the system. 
 
       Known variant(s) of I-B are: 
       BadGuy: BadGuy is a 265 byte variant of I-B.  It overwrites the 
               first 265 bytes of infected .COM programs.  Infected 
               programs will have their file date and time in the disk 
               directory updated to the system date and time of infection. 
               BadGuy activates on Mondays, when it will hang the system. 
               Text strings found in programs infected with the BadGuy 
               variant of I-B are: 
               "BadGuy Virus (c) by Cracker Jack 1991 (IVRL)" 
               "Italian Virus Research Laboratory (C) 1990,1991" 
               "IVRL Head Quarter, Milan Italy" 
               "*.COM" 
       BadGuy 2: The BadGuy 2, or Crackpot 208, virus is a 208 byte variant 
               of I-B.  It is essentially a bug-fix version of BadGuy: the 
               bug which results in a system hang when BadGuy activates 
               has been fixed.  BadGuy 2 infects all .COM files in 
               the current directory when an infected program is executed, 
               overwriting the first 208 bytes.  The infected files' date 
               and time in the disk directory will be updated to the 
               system date and time of infection.  On Mondays, BadGuy 2 
               activates and will display the following message whenever 
               an infected program is executed: 
               "New BadGuy Virus - (c) by Cracker Jack 1991 
                IVRL Head Quarter Milan Italy" 
               This message cannot be found in infected programs as it 
               is encrypted. 
               Origin:  Italy, August 1991 
       Demon: Demon is a 272 byte variant of I-B, and is the most 
               advanced of the known variants in this family.  It overwrites 
               the first 272 bytes of infected .COM programs.  Infected 
               programs will have no change to their date and time in the 
               DOS disk directory.  Demon activates on Tuesday, at which 
               time it will display the following message and overwrite 
               the first 160 sectors of the system hard disk: 
               "Error eating drive C:" 
               Other text strings which can be found in programs infected 
               with Demon are: 
               "Demonhyak Viri X.X (c) by Cracker Jack 1991 (IVRL)" 
               "*.COM" 
       Demon-B: Demon-B is a minor variant of the Demon variant of 
               I-B.  It has five bytes which differ from the original 
               Demon variant. 
       Demon-C: Demon-C is a 263 byte variant of I-B, and is based on the 
               Demon virus.  It overwrites the first 263 bytes of all .COM 
               programs in the current directory when an infected program 
               is executed.  Demon-C contains the following text strings 
               within its viral code: 
               "*.COM" 
               "Error reading drive C:" 
               "BillMeTuesday!" 
               "EXEC failure" 
               "\COMMAND.C0M" 
               "\COMMAND.COM" 
               Origin:  Unknown  October, 1992. 
       Exterminator: Exterminator is a 451 byte variant of I-B, and 
               appears to be the earliest variant in this family. 
               Exterminator overwrites the first 451 bytes of infected 
               files.  Infected programs will have their file date and time 
               updated to the system date and time when infection occurred. 
               Exterminator activates on Mondays, when it will display the 
               following message and overwrite the first 160 sectors of the 
               C: drive: 
               "Exterminator Virus 1.0 (c) by Cracker Jack 1991 (IVRL) 
                No panic...this is a Harmless Virus..." 
               Other text strings which can be found in infected programs 
               are: 
               "Exterminator 1.0 - (c) by Cracker Jack 1991 (IVRL)" 
               "Italian Virus Research Laboratory (C) 1990,1991" 
               "Message to Virus Researchers: 
                Non rompetemi le palle o mi arrabbio... 
                non so se sono stato abbastanza chiaro....." 
               Origin:  Italy  May, 1991. 
       Milan.Verbatim: Milan.Verbatim is a 289 byte variant of the I-B 
               virus described above.  It overwrites the first 289 bytes of 
               infected files.  The infected file's date and time in the DOS 
               disk directory listing will not be altered.  The following 
               text strings can be found in infected programs: 
               "*.COM" 
               "Verbatim Corporation, Sunnyvale, California U.S.A. Bad 
                command or file name" 
               Verbatim Corporation is not connected with the writing or 
               release of this virus. 
               Origin:  Unknown  January, 1995. 
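
A triage check built from the variant details above, as an added example (not part of the original entry or of any listed scanner): it looks for each variant's distinctive text string inside the number of bytes that variant overwrites at the start of a .COM file. It assumes the strings sit in plaintext within that overwritten region; the function names and sample files are constructed for illustration.

```python
import tempfile
from pathlib import Path

# variant: (bytes overwritten at file start, distinctive plaintext marker), from the entry.
# Left out: BadGuy 2 (its message is encrypted), Demon-B (no strings listed), and
# generic strings such as "*.COM" or "EXEC failure" that clean DOS programs also contain.
SIGNATURES = {
    "BadGuy": (265, b"BadGuy Virus (c) by Cracker Jack 1991 (IVRL)"),
    "Demon": (272, b"Demonhyak Viri"),  # prefix only; "X.X" may stand for a version
    "Demon-C": (263, b"BillMeTuesday!"),
    "Exterminator": (451, b"Exterminator 1.0 - (c) by Cracker Jack 1991 (IVRL)"),
    "Milan.Verbatim": (289, b"Verbatim Corporation, Sunnyvale, California U.S.A."),
}
MAX_LEN = max(length for length, _ in SIGNATURES.values())


def scan_head(head: bytes) -> list:
    """Return variants whose marker lies inside the region that variant overwrites."""
    return [name for name, (length, marker) in SIGNATURES.items()
            if marker in head[:length]]


def scan_directory(directory) -> dict:
    """Scan every .COM file in one directory; only the file head is read."""
    hits, total = {}, 0
    for path in sorted(Path(directory).iterdir()):
        if path.is_file() and path.suffix.upper() == ".COM":
            total += 1
            with path.open("rb") as fh:
                found = scan_head(fh.read(MAX_LEN))
            if found:
                hits[path.name] = found
    # The entry says activation requires every .COM in the directory to be infected.
    return {"hits": hits, "all_com_flagged": total > 0 and len(hits) == total}


def demo() -> dict:
    """Run the scan over constructed sample files (no real virus code involved)."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = b"\xe9\x10\x00" + b"EXEC failure\r\n" + b"\x90" * 600
        marked = (b"\x90" * 40 + b"BillMeTuesday!").ljust(263, b"\x00") + b"\x90" * 300
        late = b"\x90" * 500 + b"BillMeTuesday!"  # marker beyond the overwritten head
        for name, data in (("CLEAN.COM", clean), ("GAME.COM", marked), ("LATE.COM", late)):
            (Path(tmp) / name).write_bytes(data)
        return scan_directory(tmp)
```

A hit is a lead for review rather than a verdict: the markers are short strings, and because these are overwriting infectors a confirmed file has to be deleted and restored from a clean copy.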
