ShitMan.44
Thursday, January 31st, 2008
ShitMan.441
It is a memory-resident parasitic virus that is not dangerous. It hooks INT 21h and writes itself to the beginning of .COM files that are accessed. It displays the string:
SHIT MAN
Shish.1142
It is a dangerous memory-resident parasitic virus. It hooks INT 9 and INT 21h and writes itself to the end of EXE files that are executed. Depending on the system month (before/after June), the virus stores the original EXE data in a different form, and it restores that data to its original values also depending on the system date. As a result, infected files work correctly only during the half of the year (before/after June) in which they were infected, and halt the system during the other half of the year. When the user presses Alt-Ctrl-Del, the virus displays the message:
WARNING!
SYSTEM REPORT:
If your system does not work properly,
change the month of the current system date.
Error code #
The virus also contains the text:
[SHISH. Version 2.00]
Shirley Family
These are harmless memory-resident viruses. They hook INT 21h and write themselves to the end of .EXE files that are executed. “Shirley.4096” contains the texts:
IWANTSHIRLEY
Marty McFly lives somewhere in time (Doc Brown)kFuck for Eddie!!There is only
one place to spend nice holidaysall CASAL BORSETTIin Italy… Fuck for John
McAfeeand all the other Vrs-Killers…We have a right to live
!!!!!!!!Greetings to the 1704… you were the first Virus, that infected my
System! Greetings to Jerusalem-B…You were the Second! But now its my turn.
Hope You have fun with the Shirley-Virus !!!!!!—————-Dies ist die
Geschichte einer Dreiecksbeziehung,könnte mann
sagen-A.C,L.C.und,natürlich,CHRISTINE. Aber sie sollten wissen,dass Christine
zuerst kam. Sie war Arnies erste Liebe, und obwohl ich nicht meine Hand dafür
ins Feuer legen moechte(denn mit 22 kann der Mensch sich ja noch
irren),möchte ich doch sagen,dass Christine seine einzige wahre Liebe gewesen
ist. Deshalb ist diese Liebesgeschichte für mich eine Tragödie
“Shirley.4096” contains the text:
VIVALDI
Shire Family
These are relatively harmless non-memory-resident parasitic viruses. They search for .COM files in the current directory and infect them. “Shire.143 and 155” write themselves to the beginning of the file, whereas the other viruses in the family write their code to the end of the file. “Shire.155, 210, 220, and 300” are encrypted viruses.
On Thursdays, “Shire.149” displays a message (see the strings below) and “Shire.300” manifests itself with a video effect.
The viruses contain the following text strings:
“Shire.117”: *.com +TIME+
“Shire.143”: *.?Om
“Shire.149”: *.COM *LAVA*
“Shire.155”: *.CoM MrTiny
“Shire.199”: *.CTL
“Shire.210”: -Kiss-*.cOm
“Shire.220”: -Purple-*.cOm
“Shire.253”: *.com +TIME+ +Chemical Clock+
“Shire.300”: *EFIL*.COM
Shiny Family
These are memory-resident parasitic viruses that are not dangerous. They hook INT 1, 3 and 9, then trace INT 21h and patch the first byte of the DOS part of the INT 21h handler with the CCh opcode (an INT 3 call). When COM and EXE files are executed, these viruses write themselves to the end of those files. Sometimes they change the letters on the screen:
from    to
----------
:-)     :-(
:=)     :=(
;)      ;(
|)      |(
These viruses contain the text:
Shiny Happy Virus by Hellraiser and Dark Angel of Phalcon/Skism
Shine.640
It is a non-memory-resident encrypted parasitic virus that is not dangerous. It searches for EXE files and writes itself to the end of the file. It contains/displays the text strings:
Eternal love, is like heaven,
sometimes like eternal rain,
sadness, deep inside pain !
[Shine Away] .oO 1995 by CoKe Oo.
Made in Luxembourg 1995
Shin
It is a memory-resident encrypted boot virus that is not dangerous. It hooks INT 8 and INT 13h and writes itself into the MBR of the hard drive and into floppy boot sectors. It contains a routine for infecting executable files, but that routine never receives control. INT 8 is used to disable debugging. The virus displays the message:
[DarkElf]v2.0 Shin
Shimmer Family
These are dangerous memory-resident multipartite viruses. They infect the boot sectors of floppy disks and create BAT and EXE worms with the virus body inside. To install their TSR copies, the viruses use the HMA and video memory.
The method of infecting BAT files is the same as that used by the “Winstart” virus. The “Shimmer” virus creates the WINSTART.BAT file in the C:\WINDOWS directory and writes itself there. When an infected WINSTART.BAT is executed, the virus creates the INSTALL.EXE file and executes it. INSTALL.EXE contains the virus installer; its code hooks INT 2Fh and INT 40h and overwrites the boot sectors of floppy disks that are accessed with the virus code.
When loading from an infected floppy, the virus hooks INT 1Ah, waits for DOS to load, hooks INT 21h, and creates the C:\WINDOWS\WINSTART.BAT worm during the first call to INT 21h. The virus then disables its infection routine.
The viruses have bugs and may halt the system. “Shimmer.b” outputs the string “ATM0L0S0=1O1” to the COM port. The viruses contain the text strings:
“Shimmer.a”
:yt
@echo.PKX>install.exe
@copy/b install.exe+%0.bat>nul
@install.exe
c:\windows\winstart.bat
New Shimmer
“Shimmer.b”
:y~ATM0L0S0=1O1
@ECHO PKX>INSTALL.EXE
@COPY/B INSTALL.EXE+%0.BAT>NUL
@INSTALL.EXE
C:\WINDOWS\WINSTART.BAT
Shifter.983
This virus infects .OBJ files that are destined to be linked into COM files. It inserts itself into an OBJ file so that, once the file has been linked into a COM executable, the result contains the virus at the beginning of the file. When that file is executed, the virus receives control, hooks INT 21h and installs itself memory resident.
The virus intercepts three INT 21h functions: FEADh for the “Are you here?” call, DEADh for restoring the host program and 3Eh (Close) for file infection. When a file is closed, the virus checks the file name extension (using the undocumented System File Tables). If the extension is OBJ, the virus starts infection.
The virus reads the first three bytes of each object record in the file, from the first record to the last. These three bytes contain the record type and length. The virus checks the record type, and if it is a Module End Record (type 8Ah), an External Names Definition Record (type 8Ch) or a Logical Data Record (type A0h or A2h), the infection procedure calls the corresponding routine. Otherwise the virus seeks to the next record.
For a Data Record (type A0h or A2h), the virus alters the data offset by adding its length in COM files (983 bytes) to it. The virus then calculates a new checksum for the record and updates the checksum field as well as the data offset field of the object record. As a result, every data record has a new data offset after infection, and all binary data in these records will be placed 983 bytes further down on linking. In this way the virus forces the linker to shift the contents of the COM file down by 983 bytes, freeing space at the beginning of the file for the virus code.
“Shifter” pays particular attention to the first Data Record of the OBJ file. If its data offset is equal to 0100h (which is normal for an OBJ file that is to be linked into a COM file), the virus continues infection. If the offset is not 0100h (i.e. the OBJ file looks like an object file for an executable that is not in COM format), the virus does not infect the file and returns control to the host INT 21h handler.
Incidentally, the data offset of the first data record of an infected OBJ file is 04D7h (0100h+983, that is, offset 0100h plus the virus length in COM files). This is not equal to 0100h, so the virus does not infect such files. As a result, OBJ files are not infected twice by “Shifter”.
If the type of the next record is 8Ah (Module End Record), the virus reads this record into its internal buffer and writes a new Data Record in place of the original Module End Record. This new Data Record contains the virus body with data offset 0100h, so on linking that record will be placed at the beginning of the file. The virus also calculates the checksum of this record and stores it at the end of the record. It then writes the original Module End Record at the end of the OBJ file.
If, during infection, the type of the next record is 8Ch (External Names Definition Record), the virus checks the system timer (the word at address 0000:046C). If the two low bits of that word are zero, the virus calls its trigger routine. That routine shifts the screen and displays the message:
Shifting Objective .OBJ Virus (c) 1993 by Stormbringer
Kudos for The Nightmare for his ideas and coolness.
Greets go out to Phalcon/Skism, Urnst Kouch, Mark Ludwig, NuKE,
and everyone else in the community.
The virus then waits for a keystroke and returns control to the infection routine.
“Shifter” increases file sizes by different amounts on infection. The virus code in a linked COM file is 983 bytes, so an executable file grows by 983 bytes if it is linked from an infected OBJ file instead of a clean one. The OBJ files themselves, however, grow by 990 bytes on infection, because the virus writes into the OBJ file not only its binary data (983 bytes) but also the record type, length, segment index, data offset and checksum fields (1+2+1+2+1=7 bytes).
“Shifter” infects files that will be compiled into files of COM format. However, an OBJ file has no flag that indicates the format of the destination executable file, so in some cases the virus infects OBJ files that can only be compiled into multi-segment EXE files. The first Data Record of an OBJ file for an EXE program can contain 0100h in its data offset field, just as that of an OBJ file for a COM program does. When such an EXE file is executed, the system hangs.
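A defender-side check for the record layout described above, added here as an example and not taken from the original description: it walks the records of an OBJ image and reports the two traits the text gives for an infected file (first data offset 04D7h, and a 983-byte data record at 0100h directly before the Module End Record). The function names and sample images are constructed for illustration, zero bytes stand in for all code, and the 1-or-2-byte segment index and the acceptance of a zero checksum byte are assumptions about the OBJ record format rather than statements from the page.

```python
import struct

VIRUS_LEN = 983                      # virus length in COM files, per the description
COM_ORG = 0x0100                     # first data offset of a COM-bound OBJ
THEADR, MODEND, DATA_TYPES = 0x80, 0x8A, (0xA0, 0xA2)

def make_record(rtype, payload):
    """Build one record: type, 16-bit length (payload + checksum), payload, checksum."""
    head = struct.pack("<BH", rtype, len(payload) + 1) + payload
    return head + bytes([-sum(head) & 0xFF])     # record bytes sum to 0 mod 256

def parse_records(blob):
    """Split an OBJ image into (type, payload) pairs, validating length and checksum."""
    recs, pos = [], 0
    while pos + 3 <= len(blob):
        rtype, rlen = struct.unpack_from("<BH", blob, pos)
        rec = blob[pos:pos + 3 + rlen]
        if rlen < 1 or len(rec) != 3 + rlen:
            raise ValueError(f"truncated record at offset {pos}")
        if rec[-1] != 0 and sum(rec) & 0xFF:     # assumption: zero byte = "not computed"
            raise ValueError(f"bad checksum at offset {pos}")
        recs.append((rtype, rec[3:-1]))
        pos += len(rec)
    return recs

def data_fields(payload):
    """Return (data offset, data length) of a Data Record; segment index is 1 or 2 bytes."""
    skip = 2 if payload[0] & 0x80 else 1
    return struct.unpack_from("<H", payload, skip)[0], len(payload) - skip - 2

def shifter_indicators(blob):
    """List the layout traits described for an infected OBJ that are present in blob."""
    recs = parse_records(blob)
    data = [(i,) + data_fields(p) for i, (t, p) in enumerate(recs)
            if t in DATA_TYPES and len(p) >= 4]
    hits = []
    if data and data[0][1] == COM_ORG + VIRUS_LEN:
        hits.append("first data record at 04D7h")
    tail = (len(recs) - 2, COM_ORG, VIRUS_LEN)   # Data Record just before Module End
    if recs and recs[-1][0] == MODEND and data and data[-1] == tail:
        hits.append("983-byte data record at 0100h before Module End")
    return hits

# Constructed samples: record layout only, zero bytes stand in for all code.
def ledata(offset, size):
    return make_record(0xA0, struct.pack("<BH", 1, offset) + bytes(size))

HEADER, END = make_record(THEADR, b"\x04demo"), make_record(MODEND, b"\x00")
CLEAN = HEADER + ledata(COM_ORG, 64) + END
INFECTED_SHAPE = HEADER + ledata(COM_ORG + VIRUS_LEN, 64) + ledata(COM_ORG, VIRUS_LEN) + END
```

The two constructed images differ in size by exactly the 990 bytes the description gives for OBJ growth.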
The other versions of this virus (“Shifter.758,760”) do not manifest themselves; they contain the text strings:
Shifting Objective Virus 3.0 (c) 1994 Stormbringer [Phalcon/Skism]
Kudos go to The Nightmare!
Shift.2004
It is a dangerous memory-resident parasitic virus. It hooks INT 16h and INT 21h and intercepts the DOS calls Open and FindFirst ASCII. On these calls the virus searches for COM and EXE files other than COMMAND.COM, then writes itself to the end of the file.
The virus has bugs and may corrupt files while infecting them. Depending on its counters, the virus disables the Shift keys or displays the message:
Your computer is infected by SHIFT VIRUS
This virus is dedicated to PCC,
and was written by an PCC student.
ALEX
The virus also contains the string:
COMMANDCOMEXE
Shengli.1024
It is a memory-resident parasitic virus that is not dangerous. It writes itself to the end of .COM and .EXE files. When an infected file is executed, the virus hooks INT 21h, infects the C:\COMMAND.COM file, returns control to the host program and then infects files that are executed. On September 16th it displays the message and halts the computer:
Happy birthday to you
-SHENGLI OIL FIELD TXC
Shel.983
It is a harmless memory-resident encrypted parasitic virus. It hooks INT 21h and intercepts the DOS calls Execute and ChangeDir. When such calls are performed, the virus searches for COM and EXE files, then writes itself to the end of the file. The virus does not infect the files AI*.*, WP*.*, HI*.*, DO*.*, or KR*.*.
The virus contains the internal text string:
(?) Shel,NSTU,1994,v3.1
*.exe *.com
Sh
Shaware.502
It is a harmless memory-resident parasitic virus. It hooks INT 21h and writes itself to the end of COM files that are executed or opened. It contains the text string:
This virus is Shaware!
Shark.1283
This is a dangerous memory-resident parasitic virus. It hooks INT 21h and writes itself to the end of EXE files that are executed. It traces INT 13h. Depending on the virus generation number, it erases randomly selected hard drive sectors. On February 17th it displays the message:
The Tiny Shark II was hereallHappy Birthday Maria!
Then it erases the C: drive sectors. The virus contains the text strings:
Made in Italy
Prince&NPG
Billy Idol
I will kiss Maria’s lips…
Shark.1027
This is a dangerous memory-resident parasitic virus. It hooks INT 21h and writes itself to the end of EXE files that are executed. Depending on the virus generation number, it erases randomly selected hard drive sectors. On February 17th it displays the message:
The Tiny Shark virus was hereall(C) Stefano Toria 1993 Rome
Then it erases the C: drive sectors. The virus contains the text strings:
Made in Italy
Prince&NPG
Billy Idol