Prevent Online Threats

Archive for January, 2008

Shanghai_II.4077

Tuesday, January 29th, 2008

Details
Shanghai_II.4077

It is a very dangerous memory resident parasitic virus. It hooks INT 21h and writes itself to the end of COM and EXE files that are executed. On GetDiskSpace DOS calls (INT 21h, AH=36h) the virus searches for files and infects them. The virus also looks for the files C:\COMMAND.COM and C:\DOS\COMMAND.COM and infects them. The virus checks file names and does not infect files whose names end with the following strings:
K3 PC 50 SM TM EA
FRAG COPY HINA V200 CDEX PLUS PROX CPAV ETUP TTTT IVER
MAIN INIT 0001 OUND S4GW WAR2 RIAN PC43 KE3D ORUN \WPS

On the 13th of March, June, September and December the virus erases the hard drive sectors and displays the message:
Shanghai No.1 2.0 PRO
Super Virus , designed by Microvirus , 09-13-1996 !

Shanghai.848

Tuesday, January 29th, 2008

Details
Shanghai.848

It is a dangerous memory resident parasitic virus. It hooks INT 21h and intercepts the DOS functions 36h and 3Bh. On these calls the virus searches for .COM files and writes itself to the end of the file. On December 20th it displays the message:
ShangHai Railway Institute
[high ASCII chars, not properly displayable]

and erases the hard drive sectors. It also contains the text string:
*.COM

Shame.1455

Tuesday, January 29th, 2008

Details
Shame.1455

It is a dangerous nonmemory resident encrypted parasitic virus. It searches for EXE files and writes itself to the end of the file. It deletes the TBSCAN.EXE, ANTI-VIR.DAT, CHKLIST.MS, CHKLIST.CPS, IVB.NTZ files. In some cases it erases the disk sectors and reboots the computer. The virus displays the messages:
Shame on you!
Where did I come from?
Dedicated to the people of Chung-Li, Tiawan.
I feel safe, don’t you?
Dope!
Tiwanese rise to the top while looking down at the empty bottomall
Wait for the departure of you life…
God loves you!
Ur virux protexion sux.
It’s a Shame.

Shaman.251

Monday, January 28th, 2008

Details
Shaman.251

This is a harmless nonmemory resident parasitic virus. It searches for .COM files in the current directory and writes itself to the beginning of each file. The body of the virus contains the number of the generation of the virus. If this number is greater than 6, the virus displays the string:
DemoVirus v1.0 Copyright (c) 20.8.1991 by Shaman

Shaker.409

Monday, January 28th, 2008

Details
Shaker.409

This is a benign memory resident parasitic infector. It hooks INT 21h, and infects COM files that are executed. On Fridays, it also hooks INT 1Ch, and from 11:00 until 11:20, 'shakes' the screen.

Shaker.373

Monday, January 28th, 2008

Details
Shaker.373

This is a relatively harmless memory resident parasitic infector. It copies itself into the interrupt vector table, and hooks INT 1Ch and 21h. Then it infects COM or EXE files that are executed. Sometimes it 'shakes' the screen.

Shake

Monday, January 28th, 2008

Details
Shake

This is a very dangerous memory resident parasitic virus. It hooks INT 21h. On GetDiskSpace DOS calls (INT 21h, AH=36h) the virus searches for .COM files in the current directory, then writes itself to the end of the file. In infected files it sets the seconds field of the file time to 60. The virus hooks INT 24h and does not restore it. When an infected program is executed, the virus displays, with a probability of 1/16:
Shake well before use

Shadowbyte.635

Monday, January 28th, 2008

Details
Shadowbyte.635

This is a very dangerous non-memory resident parasitic virus. It scans the subdirectory tree, and writes itself to the end of COM files. In July, it formats A: and C: drives, and displays the following message:
Shadowbyte Lives!
It then emits a sound on the speaker like a “dying” hard disk.

Shadow Family

Monday, January 28th, 2008

Details
Shadow Family

These are very dangerous memory resident parasitic encrypted viruses. They hook INT 21h and write themselves to the end of COM and EXE files that are executed or loaded as overlays. “Shadow.1702” also intercepts the FindFirst/FindNext DOS calls (DIR command), and infects the files that are listed.
The viruses (except “Shadow.1702”) have an error in the infection routine, and as a result the infected COM files are not recoverable. These viruses also overwrite the ‘*BBS*.*’ files. “Shadow.1702” writes a trojan program there; that program “clears” the screen by using VGA tricks and halts the PC.
The viruses contain the text strings:
“Shadow.1185,1200”: [Shadow] NecroSoft Enterprises-a division of BCA
Greets to SKISM
“Shadow.1702”: [Shadow-B/2] NecroSoft Enterprises - a division of BCA
Greets to SKISM

SH.2062

Sunday, January 27th, 2008

Details
SH.2062

It is a very dangerous memory resident parasitic virus. It hooks INT 8, 9, 13h, 21h and writes itself to the end of COM and EXE files that are executed.
While infecting a file the virus gets the system date, adds a random value (0-15 days) to this date and saves the result as a trigger date. On the trigger date the virus runs its effects: it manifests itself by some video effect, beeps on INT 21h calls, disables writing to disks via INT 13h depending on its random counter (which may corrupt the data on disks), and changes the keyboard flags and the data in the keyboard buffer.
The virus contains the ID-string:
SH

SG_Bomber family

Sunday, January 27th, 2008

Details
SG_Bomber family

These are harmless nonmemory resident encrypted parasitic viruses. They search for COM files, then write themselves to the end of the file. While infecting a file, the viruses write several blocks of code that pass control to the virus code. The first block passes control to the second one, the second jumps to the third, and so on, up to ten jumps. The same technique is used by the “Bomber” parasitic virus.
These viruses contain the text strings:
(c) Copyright by Beast.
(c) Stealth Group Bishkek.
(c) Stealth Group World Wide.
Infection by Beast. v0.91
Stealth Group World Wide.
[Bomber v1.0] by Beast. Stealth Group World Wide.

Sfrust.632

Sunday, January 27th, 2008

Details
Sfrust.632

It is a very dangerous nonmemory resident parasitic virus. It searches for .COM files and writes itself to the end of the file. Sometimes it erases the FAT and displays:
Sfrustrowany student v.1.1 RevSoft K-ce.

Sformat.699

Sunday, January 27th, 2008

Details
Sformat.699

This is a very dangerous memory resident parasitic virus. It hooks INT 21h, and writes itself to the end of .COM files that are executed. The virus contains a lot of bugs, so it can halt a computer while installing itself memory resident. On Fridays, it formats the hard drive. It contains the text:
Sofia - Slow-Format/M 1992

Sesc.448

Sunday, January 27th, 2008

Details
Sesc.448

It is not a dangerous memory resident parasitic virus. It hooks INT 21h and writes itself to the end of COM files that are executed. The end of each infected file contains the ID-word “SESC”.

Serbu family

Sunday, January 27th, 2008

Details
Serbu family

These are not dangerous memory resident encrypted parasitic viruses. They use several levels of anti-debugging tricks in the installation routine as well as in the interrupt handlers. They write themselves to the end of COM and EXE files that are executed or opened, as well as to the end of .GIF and .JPG files (!!).
When an infected file is executed, the virus decrypts itself by using INT 1 and INT 3 hooks, then allocates a block of DOS memory, copies itself there, traces INT 21h and INT 2Fh and hooks them. To hook INT 2Fh the virus patches the DOS kernel.
Depending on the system date the viruses display the rectangle:
XXXXXXXX
XXXXXXXX

“Serbu.3493” displays the text:
.. A_C_O: Dirgantara Jaya ..

The viruses also contain the text strings:
“Serbu.3493”: R-SERBU-1 (c)09-16H Emhaka
“Serbu.3493”: -SERBU-

