Putting Viruses Under the Scope

A compendium of computer viruses reported in June 1997; based on information from the Information Technology Promotion Agency, Japan (IPA)
Compiled by Tina Lieu

Angelina
The Angelina virus resides in the boot sector of an infected disk. When an infected disk is accessed, the virus moves to memory and monitors disk access, waiting to infect other disks. This virus only replicates itself; it manifests no symptoms.

Anti-CMOS
The Anti-CMOS virus resides in the boot sector of an infected disk. When the infected disk is accessed by an IBM-compatible, the virus moves to memory and monitors disk access, waiting to infect other disks. When the virus infects a system disk other than that of an IBM-compatible operating system, the disk will not start up. When the infection is on a data disk, the disk will "run wild."

Anti TELEFONICA
This boot sector infection virus is activated the 400th time the system is started up. It fills the greater part of the computer's hard disk with meaningless garbage, then crashes the system.

B1
The B1 virus resides in the boot sector of an infected disk. When an infected disk is accessed, the virus moves to memory and monitors disk access, waiting to infect other disks. When the virus resides in a sector of a disk, the contents of the infected disk will appear to be the same as before the infection (i.e., no new files or deletions). This is a "stealth-type" virus that spreads itself to other disks but shows no overt symptoms.

Beijing
This virus resides in the boot sector of an infected disk. When an infected disk is accessed, the virus moves to memory and monitors disk access, waiting to infect other disks. This virus does not show any symptoms, although when it infects a disk, it sometimes corrupts the disk contents.

Cascade (1701)
The Cascade virus infects .com files and, depending on the system date, causes text on the screen to "tumble down" in a cascade. When the virus appears on an IBM compatible running a domestic (Japanese) version of MS-DOS, it will "run wild."

D3
This virus rests in the boot sector of an infected disk. When an infected disk is accessed by an IBM compatible, the virus moves to memory and monitors disk access, waiting to infect other disks. When the virus infects a non-IBM-compatible system disk, the disk will not start up. If an .exe file is run while the virus is in memory, it may cause the system to "run wild."

DApm-2
This virus infects MS-DOS .com files, increasing the file size by 600 bytes. If the file is bigger than 30,720 bytes, the infected file will become corrupted, and on December 25th, the message "A merry christmas to you!" will appear.

ExcelMacro/Laroux
This is a macro virus that infects English Microsoft Excel (MS Excel) documents. When an infected MS Excel document is opened, a file called PERSONAL.XLS is created in the XLSTART directory, and a virus macro called Laroux is registered in this file. When the user subsequently launches Excel, the program reads PERSONAL.XLS and runs the Laroux macro. This causes the Laroux macro virus to be added to the Excel document in use, infecting the file. This virus can also infect Japanese MS Excel documents, although it will not show any symptoms.

Form
This virus infects the boot sector of hard disks and floppy disks. On the 24th of every month, it produces a clicking noise over the system's speakers.

Genesis
This virus infects .com files. When an infected file is launched, other .com files on the disk will be infected. This virus only infects; it does not show any symptoms.

J&M
This virus resides in a disk's boot sector. When an infected disk is accessed, the virus moves to memory and monitors disk access, waiting to infect other disks. Every year on April 15, the hard disk of an infected system crashes on startup.

Jerusalem
The Jerusalem virus infects .exe and .com files. It causes the system to slow down, or causes square boxes to appear on the screen. On a Friday the 13th, an active infected file will be deleted, but because of a bug a reinfection occurs.

Lixi
This virus resides in the boot sector of an infected disk. When an infected disk is accessed, the virus moves to memory and monitors disk access, waiting to infect other disks. When an infected data disk is opened, the disk "runs wild."

MBDF
This virus infects Macintosh system files and applications. In System 7.0.1, selecting a menu command item will cause the system to crash.

Monkey
The Monkey virus resides in the boot sector of an infected disk. When an infected IBM compatible disk is accessed, the virus moves to memory and monitors disk access, waiting to infect other disks. When the virus infects a non-IBM-compatible disk, the disk will not start up.

Nops
This virus resides in the boot sector of an infected disk. When an infected disk is accessed, the virus moves to memory and monitors disk access, waiting to infect other disks. This "stealth virus" does not show any overt symptoms, but each time an infected disk is checked, the disk contents will appear to be what they were prior to the infection.

Parity-BOOT
This virus resides in the boot sector of an infected disk. When an infected disk is accessed, the virus moves to memory and monitors disk access, waiting to infect other disks. While the user is typing, the virus compares its saved counter against the system clock; when they match, the screen display is corrupted and the computer freezes.

Repper
This virus resides in the boot sector of an infected disk. When an infected disk is accessed, the virus moves to memory and monitors disk access, waiting to infect other disks. On rare occasions, when an infected disk is copied, the copied data is corrupted. As a result, programs will sometimes "run wild." Also while the virus resides in a sector of a disk, the contents of the infected disk will appear to be what they were prior to the infection. This is another "stealth-type" virus.

Russian Flag
The Russian Flag virus rests in the boot sector of an infected disk. When an infected disk is accessed, the virus moves to memory and monitors disk access, waiting to infect other disks. Every year on August 19th, when the system is booted from an infected disk, a picture of the Russian flag will appear onscreen, and the computer will freeze.

Sampo
This virus rests in the boot sector of an infected disk. When an infected disk is accessed, the virus moves to memory and monitors disk access, waiting to infect other disks. Every year on November 30, when an infected disk is accessed, symptoms will appear after two hours and the message "SAMPO Project X Copyright (c) 1991...." will appear in the upper right of the screen.

Spirit
The Spirit virus resides in the boot sector of an infected disk. When an infected disk is accessed, the virus moves to memory and monitors disk access, waiting to infect other disks. This is a "stealth virus" that does not show overt symptoms, but each time an infected disk is checked, the disk contents will appear to be what they were prior to the infection.

Stoned
The Stoned virus infects the DOS boot sector. There are several versions. With early versions, the message "Your computer is now stoned" will appear. Sometimes, the virus will corrupt floppy disks or crash a hard disk.

Wonka
This virus resides in the boot sector of an infected disk. When an infected disk is accessed, the virus moves to memory and monitors disk access, waiting to infect other disks. This virus just infects the disk without showing any symptoms.

WordMacro/Appder
This macro virus is spread through Microsoft Word (MS Word) documents. When an infected MS Word document is loaded, that copy of the MS Word application becomes infected; all subsequent files and documents created or edited by the infected application will also become infected. When an infected MS Word file is opened for the 20th time, the files listed below will be deleted. (With the Japanese version of MS Word, the symptoms will occur but the infection will not be spread.)
Deleted files:
C:\DOC\*.exe
C:\DOC\*.com
C:\Windows\*.exe
C:\Windows\SYSTEM\*.ttf
C:\Windows\SYSTEM\*.fot

WordMacro/Bandung
This macro virus is spread through Microsoft Word (MS Word). When an infected MS Word document is loaded, that copy of the MS Word application becomes infected; all subsequent files and documents created or edited using the infected application also become infected. Following an infection, after 11 am on the 20th of each month, the following symptoms appear when MS Word is launched. The message "Reading menu... Please wait!" appears on the status bar, and the files in the directories listed below on drive C will all be deleted, while a file called PESAN.TXT will be created in the root of drive C. This virus does not infect or show any symptoms with the Japanese version of MS Word.
Directories from which all files are deleted:
Windows
Winword
Winword6

WordMacro/Cap
This macro virus is spread through Microsoft Word (MS Word). When an infected MS Word document is loaded, that copy of the MS Word application becomes infected; all subsequent files and documents created or edited using the infected application also become infected. When an infected MS Word file is opened, all macros created and currently or previously used on the system will be deleted. Further, the menu choice Macro will disappear. This virus will infect and exhibit its symptoms in the Japanese version of MS Word.

WordMacro/Colors
This macro virus is spread through Microsoft Word (MS Word). When an infected MS Word document is loaded, that copy of the MS Word application becomes infected; all subsequent files and documents created or edited using the infected application also become infected. After a file is infected, the format of the document will no longer be displayed on the template list every 300th time the document is opened or closed. On Windows 3.1, the window color setting is also ruined, and the Windows display turns a different color. The Japanese version of MS Word will display these symptoms, but it will not become infected.

WordMacro/Date
This macro virus is spread through Microsoft Word (MS Word). When an infected MS Word document is loaded, that copy of the MS Word application becomes infected; all subsequent files and documents created or edited using the infected application also become infected. When an infected MS Word application is used to open an MS Word document, the virus symptoms appear. The Auto Close for a standard template file or document will be erased. The Japanese version of MS Word will show the symptoms, but it will not pass on the infection.

WordMacro/Divinia
This macro virus is spread through Microsoft Word (MS Word). When an infected MS Word document is loaded, that copy of the MS Word application becomes infected; all subsequent files and documents created or edited using the infected application also become infected. The virus symptoms appear only when a document is closed at 17 minutes past the hour. "ROBERTA TI AMO!" ("Roberta, I love you!") appears in a message box, followed by "Questo computer non * ben preotetto contro i virus... A presto!" ("This computer is not protected well against a virus... See you later!") Files will show these symptoms in the Japanese version of MS Word, but the infection will not be passed on.

WordMacro/Goldfish
This macro virus is spread through Microsoft Word (MS Word). When an infected MS Word document is loaded, that copy of the MS Word application becomes infected; all subsequent files and documents created or edited using the infected application also become infected. When an infected MS Word document is opened or closed, there is a 1 in 500 chance that the virus symptoms will occur. A dialog box with "I am the GoldFish, I am hungry, feed me." will appear. Unless the user enters one of the proper responses (see below), the dialog box will not disappear and the file cannot be closed. Files will show these symptoms in the Japanese version of MS Word, but the infection will not be passed on.
Proper responses:
fishfood
worms
worm
pryme
core

WordMacro/MDMA
This macro virus is spread through Microsoft Word (MS Word). When an infected MS Word document is loaded, that copy of the MS Word application becomes infected; all subsequent files and documents created or edited using the infected application also become infected. When an infected MS Word application is used to create or edit an MS Word document, the document becomes infected. An infected MS Word file causes the following symptoms when it is closed on the 1st of the month. The files below are deleted, and the Windows 95 registry file (the data file that records the computer operating environment) is changed. Because of this, user-made settings are changed, and sometimes the network cannot be used. This virus shows its symptoms in Japanese MS Word, but the infection will not be passed on.
Deleted files:
C:\shmk (no extension)
C:\Windows\*.hlp
C:\Windows\SYSTEM\*.cpl

WordMacro/Niceday
This macro virus is spread through Microsoft Word (MS Word). When an infected MS Word document is loaded, that copy of the MS Word application becomes infected; all subsequent files and documents created or edited using the infected application also become infected. When an infected MS Word application is used to create or edit an MS Word document, the document becomes infected. When the user quits an infected MS Word file, the dialog box "Have a Nice Day!" will appear. Files will show these symptoms in the Japanese version of MS Word, but the infection will not be passed on.

WordMacro/Npad
This macro virus is spread through Microsoft Word (MS Word). When an infected MS Word document is loaded, that copy of the MS Word application becomes infected; all subsequent files and documents created or edited using the infected application also become infected. When an infected file is opened for the 23rd time, the message shown below will scroll across the status bar from left to right. The Japanese version of MS Word will show these symptoms but will not spread the infection.
"DOEUNPAD94. v.2. 21. (c) Maret 1996, Bandung, Indonesia"

WordMacro/Rapi
This macro virus is spread through Microsoft Word (MS Word). When an infected MS Word document is loaded, that copy of the MS Word application becomes infected; all subsequent files and documents created or edited using the infected application also become infected. When an infected MS Word application is launched, a file called BACALAH.TXT is created in the root directory of drive C. This file records the date and time the application was launched and various messages. Later, when an infected MS Word file is opened, a message box announcing "Thanks for joining us!" will appear. Also, selecting Macro or Customize from the Tool menu of MS Word will cause a message box to appear that says "Fail on step 29296." This virus will not infect or show any symptoms in the Japanese version of MS Word.

WordMacro/Wazzu
This virus is spread through Microsoft's Word (MS Word). When the English version of MS Word reads an infected MS Word document, the application becomes infected and in turn will infect any files it then creates or edits. When an infected file is opened, there is about a 20% chance that it will swap the position of some words three times. There is also about a 25% chance that the word "Wazzu" will be inserted randomly into the document. Japanese versions of MS Word do not become infected or show these symptoms. There are variations of this virus that do not exhibit these same symptoms.

Yankee Doodle
The Yankee Doodle virus infects .exe and .com files. When a file is infected, at 5 PM the system will play "Yankee Doodle." IBM compatibles will show the symptoms. NEC PC98 compatibles will become infected, but will not show the symptoms.

Yonyu
This virus resides in the boot sector of an infected disk. When an infected IBM compatible disk is accessed, the virus moves to memory and monitors disk access, waiting to infect other disks. Sometimes, the files on an infected floppy disk will be corrupted. When disks other than those of IBM compatibles are infected, the disk may become inaccessible.

Calendar-based virus symptom appearances
It is best to catch a virus and remove it before any symptoms appear. The popular anti-virus programs on the market will catch and remove almost all known viruses. If you have questions on how to remove a virus, contact the IPA for information.
Virus               Activated
Argentina           every year on May 25, June 20, July 8, and August 17
DApm-12             every year on August 31
DApm-2              every year on December 25
DH2                 on the 3rd, 11th, 15th or 28th if the day falls on a Tuesday
Flare Jack          on the 13th of every month or on Friday
Flip (2153)         on the 2nd of every month
Form                on the 24th of each month
J&M                 every year on April 15
Russian Flag        every year on August 19
SAMPO               every year on November 30
Sunday              on Sundays
WordMacro/Bandung   every month after the 20th
WordMacro/Boom      from March through December
WordMacro/Helper    on the 10th of every month
WordMacro/MDMA      on the 1st of every month