Prevent Online Threats

Archive for February, 2008

Star.486

Sunday, February 24th, 2008

It is a harmless memory-resident parasitic virus. It copies itself into video RAM at address BB00:0000, copies its INT 21h handler into the DOS data area at address 0600:0000, hooks INT 21h, and writes itself to the end of COM files that are executed. It contains the text string:
STAR5

StalkerX Constructor

Sunday, February 24th, 2008

StalkerX is a virus constructor that generates simple NewEXE (Windows) viruses. The viruses are named after the text that is included in the distribution package:
Create your own Windows
virus! This is a EASY
to use Windows Virus
creation kit.
Written By Stalker X

These viruses search for NewEXE files, and write themselves to the end of the file. Depending on their “generation” these viruses fill the screen with random data.

Stahlpla.750

Sunday, February 24th, 2008

It is a not dangerous non-memory-resident parasitic virus. It searches for .COM files in the current directory and writes itself to the beginning of the file. It also searches for the file STAHLPLA.TTE and, if that file exists, displays (German for "I am here!"):
Ich bin da!

Staf.2083

Sunday, February 24th, 2008

It is a not dangerous non-memory-resident parasitic virus. It searches for .COM files and writes itself to the beginning of the file. While infecting a file the virus displays the messages:
Virus Demo Ver.: 1.1 - Handle with care!
By STAF (Tel.: (819) 595-0787)
Generation #
This program has been infected by:
VIRUS ERROR # - Aborting process.
Needs DOS version 2.0 and above.
Infecting:
Press any key to execute original program...
I have infected all your files in the current directory!
Have a nice day!

SSTR.717

Sunday, February 24th, 2008

It is a dangerous non-memory-resident encrypted parasitic virus. It searches for COM files in the current directory and writes itself to the end of the file. When the system year is 1997 the virus corrupts the host file (apparently an attempt to disinfect it that fails). It contains the text strings:
*.COM
(C) by SSTR

SSR.736

Sunday, February 24th, 2008

This is a not dangerous non-memory-resident encrypted parasitic virus. It searches for COM files and writes itself to the end of the file.
When the system year is 1994 or later, the virus disinfects the host file instead.
The virus contains the text string:
(C) by Stainless Steel TechRat

SSR.1945.a

Saturday, February 23rd, 2008

This is a not dangerous non-memory-resident encrypted parasitic virus. It searches for COM files and writes itself to the end of the file.
If the system date is 8th or 9th May 1995, the virus displays messages in Russian and plays a tune.
The virus contains the text strings:
AntiFashist
by Stainless Steel Rat
S.S.R.S.S.R.S.S.R.S.S.R.S.S.R.S.S.R.S.S.R.S.S.R.S.S.R.S.S.R.S.S.R.

SSR.18364

Saturday, February 23rd, 2008

This is a very dangerous memory-resident parasitic polymorphic virus. While installing itself in memory the virus also encrypts its TSR code. It writes itself to the end of COM and EXE files that are accessed.
The virus is very complex. Infected files grow by exactly 18364 bytes, but the actual virus code is about 11K of assembler instructions (the length of its TSR code: the total length minus the length of the polymorphic decryption loops). The virus uses a number of polymorphic, anti-debugging and stealth tricks, and as a result it tends to hang the system rather than infect files. Moreover, in some cases it corrupts files instead of infecting them.
Installation
The virus is encrypted with three different polymorphic engines, so there are three decryption loops: the body is encrypted three times, the innermost decryption loop is itself encrypted by the two outer engines, the second loop is encrypted by the first, and only the first (outermost) decryption loop is stored in clear in infected files. While decrypting, these engines use various anti-debugging tricks as well as large amounts of junk instructions, subroutines and branches.
When the actual virus code receives control, it performs one more decryption pass: most of the virus body is encrypted with its own internal (fourth, overall) encryption routine. That routine is quite complex. It decrypts the virus using an INT 1 (single-step trace) trick: the virus points INT 1 at the decryption routine, sets the trap flag, and executes a dummy loop. On each iteration (i.e. on each INT 1 invocation) the decryption routine receives control and decrypts one byte of the virus code.
The decryptor does not use a fixed instruction; for each byte it picks one from a list (SUB, ADD, XOR, ROL), so successive bytes of the virus code are encrypted with different operations. The index of the next operation is computed by an algorithm driven by a key, the inverse of the algorithm used when the virus encrypts its code: while infecting, the virus takes a random key byte, stores it in the code of the decryption routine, and encrypts. While decrypting it starts from the same initial key value, so the sequence of decryption operations matches the sequence of encryption operations.
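The keyed, trace-driven decryption described above, as an added example that is not code from the virus or from the original description: a Python model in which a simulated INT 1 handler decrypts exactly one byte per single-step, choosing SUB, ADD, XOR or ROL for each byte from a key-seeded sequence, while the infector side stores the key and applies the inverse operations. The key schedule (an 8-bit LCG) and the way the operand is derived from it are assumptions; the page gives only the properties of the real algorithm, not the algorithm itself.

```python
# Added example (not the virus's code): a model of the SSR.18364-style keyed
# decryptor in which an INT 1 handler decrypts ONE byte per trace step,
# choosing SUB/ADD/XOR/ROL per byte from a key-driven sequence.
# The key-schedule function is an assumption; the page does not give the
# real algorithm, only that it is keyed and reversible.

DECRYPT_OPS = ("SUB", "ADD", "XOR", "ROL")   # the decryptor's instruction menu


def _rol8(b: int, n: int) -> int:
    n &= 7
    return ((b << n) | (b >> (8 - n))) & 0xFF


def _ror8(b: int, n: int) -> int:
    n &= 7
    return ((b >> n) | (b << (8 - n))) & 0xFF


def _next_state(state: int) -> int:
    # Assumed key schedule: a full-period 8-bit LCG seeded with the key byte
    # stored in the decryptor. Any deterministic key-seeded sequence would do.
    return (state * 5 + 0x3B) & 0xFF


def op_schedule(key: int, length: int):
    """Yield (op, operand) pairs; byte i is processed with the i-th pair."""
    state = key & 0xFF
    for _ in range(length):
        state = _next_state(state)
        yield DECRYPT_OPS[state & 3], (state >> 2) | 1   # operand never 0


def keyed_decrypt_byte(op: str, c: int, k: int) -> int:
    """What the INT 1 handler does to one ciphertext byte."""
    if op == "SUB":
        return (c - k) & 0xFF
    if op == "ADD":
        return (c + k) & 0xFF
    if op == "XOR":
        return c ^ (k & 0xFF)
    return _rol8(c, k)          # ROL


def keyed_encrypt_byte(op: str, p: int, k: int) -> int:
    """Inverse of the decryptor's op, so that keyed_decrypt_byte undoes it."""
    if op == "SUB":
        return (p + k) & 0xFF   # decryptor will SUB
    if op == "ADD":
        return (p - k) & 0xFF   # decryptor will ADD
    if op == "XOR":
        return p ^ (k & 0xFF)
    return _ror8(p, k)          # decryptor will ROL


def encrypt_body(plain: bytes, key: int) -> bytes:
    """Infector side: the same key drives the same op sequence, inverted."""
    return bytes(keyed_encrypt_byte(op, b, k)
                 for b, (op, k) in zip(plain, op_schedule(key, len(plain))))


class TraceStepDecryptor:
    """Models the INT 1 handler: each single-step trap decrypts one byte."""

    def __init__(self, cipher: bytes, key: int):
        self.buf = bytearray(cipher)
        self.sched = op_schedule(key, len(cipher))
        self.pos = 0

    def int1_handler(self) -> bool:
        """Invoked once per traced instruction. Returns False when done."""
        if self.pos >= len(self.buf):
            return False
        op, k = next(self.sched)
        self.buf[self.pos] = keyed_decrypt_byte(op, self.buf[self.pos], k)
        self.pos += 1
        return True


def decrypt_by_tracing(cipher: bytes, key: int) -> bytes:
    """The 'dummy loop': it holds no decryption logic, only the trap's side effects."""
    dec = TraceStepDecryptor(cipher, key)
    while True:
        # Each iteration stands for one traced instruction of the dummy loop;
        # the CPU's trap flag would invoke int1_handler() before the next one.
        if not dec.int1_handler():
            break
    return bytes(dec.buf)


if __name__ == "__main__":
    body = b"Hi Hacker! Welcome to Hell"   # a string the page reports in the virus body
    key = 0x5A                            # the random key byte stored in the decryptor
    print(decrypt_by_tracing(encrypt_body(body, key), key))
```

The point for a scanner or emulator: the decryptor contains no loop that touches the ciphertext, so a static pattern for an XOR loop matches nothing, and an emulator has to implement the trap flag faithfully, invoking the INT 1 handler after every instruction of the dummy loop, before it ever sees plaintext. With the key used for encryption, `decrypt_by_tracing` returns the body unchanged; with any other key the operation sequence diverges from the first byte and the result is garbage.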
Control then passes to the installation routine. First, the virus checks its ID word at address 0000:0198 (in the interrupt vector table). If that word contains DEADh, the virus is already resident and the installation routine is skipped. While installing, the virus takes the INT 1, 13h and 2Fh vectors, traces INT 2Fh to obtain its original address, then obtains the original INT 13h address via an undocumented INT 2Fh call; then it "cuts" a block out of system memory by patching the MCB chain and copies itself there.
To hook INT 21h the virus reads and saves the first two bytes of the INT 21h handler, overwrites them with an INT ACh call (CD AC) and hooks INT ACh (i.e. the patched INT 21h). The virus also hooks INT 1Ch (timer) and points INT ABh at its code, using that call to pass control to the infection routine while infecting files.
   Original INT 21h              Virus
       handler
   +---------+              +---------+ <----+
   |CDh ACh  |----+         |....     |      | encrypted
   |....     |    |         |INT AB   |<---+ |
   |....     |    |         |infection|    | |
   |....     |    |         |....     |    | |
   |....     |    |         |stealth  |    | |
   |         |    |         |....     |    | <----+
   |         |    +-------->|INT AC   |    |
   |         |              |....     |    |
   |         |              |CDh ABh  |----+
   |         |              |....     |
   +---------+              +---------+

Then, to hide its code in memory, the virus erases the memory area its code occupied while it was installing itself resident. As a result no decrypted virus code remains in memory: the TSR copy is encrypted, and most of the original code is erased. Then the virus restores the code of the host program and returns control to it.
INT 21h handler
When the patched INT 21h handler transfers control to the virus handler, the virus restores the patch and reads the number of the called function. It intercepts five DOS functions: 4B00h (Execute), 43h (Get/Set File Attributes), 3Dh (Open), and 4Eh and 4Fh (FindFirst/FindNext, ASCIZ). On the file-access calls the virus runs the infection routine; on FindFirst/FindNext calls it reduces the reported length of infected files (stealth routine).
For these calls the virus decrypts its main infection and stealth routine, executes it via an INT ABh call, re-encrypts it, and returns control to the original INT 21h handler.
To re-apply the patch to the INT 21h code once execution has passed through it, the virus temporarily hooks INT 2Ah, waits for any INT 2Ah call, then patches the original INT 21h handler again and releases INT 2Ah.
The virus also intercepts several other INT 21h functions that serve as "installation checks" for different viruses and anti-virus software, and it also checks file names and extensions; see "Trigger Routines".
Infecting
When a file is executed, opened, or its attributes are accessed, the virus calls the infection routine. First it checks the file name extension and infects only *.COM and *.EXE files. Then it opens the file and checks its date and time stamp to avoid infecting it twice (see below), reads the file header, determines the internal file format (by the MZ signature), then encrypts itself with its internal encryption routine and with the three polymorphic engines (one engine after another) and writes the result to the end of the file.
Then the virus modifies the file header. In an EXE header it changes the initial CS, IP, SS and SP values and the module length field. In COM files it overwrites the start of the file with a jump to the virus (E9 xxxx). It then saves and overwrites the data at offset 0040h in COM files, and at offset 200h from the EXE header in EXE files; I see no reason for this corruption other than to prevent disinfection by CRC scanners that can restore files. Then the virus closes the file and leaves the infection routine.
The virus also tries to handle COM files that begin with a JMP NEAR or CALL NEAR instruction (E9h, E8h) by writing the jump to the virus at the destination of that jump or call, but this fails, and it writes the jump to the virus at the beginning of the file instead.
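The EXE header changes just described, as an added example rather than code from the page: a Python parser for the MZ header fields an appending infector must rewrite (CS:IP, SS:SP and the e_cp/e_cblp module length) and a heuristic that flags the resulting shape, an entry point that is not at the start of the load module and is followed by only a short tail of code. The two executables are constructed for the example; the 18364-byte tail is a stand-in of INT 3 bytes, not virus code, and the function names (`parse_mz`, `appended_entry`, `build_exe`) are this example's own.

```python
# Added example (not the virus's or any AV product's code): a check for the
# EXE-header rewrite an appending infector performs. The samples below are
# constructed for the example; the "infected" one has a dummy INT 3 tail.
import struct

MZ_HEADER = struct.Struct("<2sHHHHHHHHHHHHH")   # first 28 bytes of an MZ header


def parse_mz(data: bytes) -> dict:
    """Return the header fields an appending infector must touch."""
    (sig, cblp, cp, crlc, cparhdr, minalloc, maxalloc,
     ss, sp, csum, ip, cs, lfarlc, ovno) = MZ_HEADER.unpack_from(data, 0)
    if sig != b"MZ":
        raise ValueError("not an MZ executable")
    # e_cp = number of 512-byte pages, e_cblp = bytes used in the last page
    image_size = (cp - 1) * 512 + cblp if cblp else cp * 512
    return {
        "header_bytes": cparhdr * 16,
        "image_size": image_size,                       # the "module length"
        "entry_offset": cparhdr * 16 + cs * 16 + ip,    # file offset of CS:IP
        "stack_offset": cparhdr * 16 + ss * 16 + sp,    # file offset of SS:SP
        "cs": cs, "ip": ip, "ss": ss, "sp": sp,
    }


def appended_entry(data: bytes, max_tail: int = 20000) -> bool:
    """Heuristic: entry point not at the start of the load module and only a
    short run of code after it, the shape left by code appended to the file
    and made the new entry point (18364 bytes in the case of SSR.18364)."""
    h = parse_mz(data)
    after_entry = h["image_size"] - h["entry_offset"]
    return (h["entry_offset"] > h["header_bytes"]    # not the first byte of the module
            and 0 < after_entry <= max_tail)         # little code after the entry


def build_exe(code: bytes, cs: int, ip: int, ss: int, sp: int) -> bytes:
    """Construct a minimal MZ file (32-byte header + code) for the example."""
    header_paras = 2
    total = header_paras * 16 + len(code)
    cblp = total % 512
    cp = (total + 511) // 512
    hdr = MZ_HEADER.pack(b"MZ", cblp, cp, 0, header_paras, 0, 0xFFFF,
                         ss, sp, 0, ip, cs, 0x1C, 0)
    return hdr.ljust(header_paras * 16, b"\0") + code


# Constructed host: "mov ah,4Ch / int 21h" padded with NOPs to 1024 bytes.
HOST_CODE = bytes([0xB4, 0x4C, 0xCD, 0x21]).ljust(1024, b"\x90")
CLEAN_EXE = build_exe(HOST_CODE, cs=0, ip=0, ss=0x40, sp=0x100)

# Constructed "infected" layout: a 18364-byte stand-in tail appended, CS:IP
# pointing at its first byte and SS:SP moved into it, as the text describes.
DUMMY_TAIL = b"\xCC" * 18364
INFECTED_EXE = build_exe(HOST_CODE + DUMMY_TAIL, cs=0x40, ip=0, ss=0x478, sp=0x200)


if __name__ == "__main__":
    for name, exe in (("clean", CLEAN_EXE), ("infected", INFECTED_EXE)):
        h = parse_mz(exe)
        print(name, h["image_size"], h["entry_offset"], appended_entry(exe))
```

This is a heuristic, not a signature: a clean program whose entry point is not the first byte of its load module and whose image is under `max_tail` bytes will be flagged too, so use it to select files for closer inspection. Note also that the virus's FindFirst/FindNext stealth hides the 18364-byte growth from a DOS-level scanner while the virus is resident, so the check is only meaningful after a clean boot.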
Infecting PKLited Files
The virus pays special attention to files (both COM and EXE) compressed with the PKLITE utility: it writes its encrypted code to the end of the file by the method described above, but places the jump to the virus in the middle of the file.
The virus patches the standard PKLITE unpacking stub so that, when such a file is executed, control goes to the stub's termination routine, which normally displays the message:
Not enough memory
and returns to DOS. The virus overwrites the code of that routine with the jump-to-virus instruction, so executing such a file transfers control to the virus code. Once resident, the virus restores the code of the PKLITE unpacking routine and passes control to it, so patched and infected PKLITE files do not display the error message but unpack and run the host program.
Features
While infecting, the virus also hooks INT 24h to suppress the standard DOS critical-error message, temporarily restores INT 13h to its original value, and reads and later restores the file's attributes and date/time stamp.
When the virus opens a file for infection it uses one more unusual trick to fool anti-virus monitors and hide its activity. Before the open it temporarily hooks INT 2Ah, saves the first byte of the file name extension and replaces it with zero, then issues an Open (read/write) call. So the virus opens not "Filename.Ext" but "Filename.0xt", where '0' is a zero byte (00h), and anti-virus monitors ignore such a call. While DOS processes the call, its kernel issues an undocumented INT 2Ah call; the virus intercepts it, restores the file name, releases INT 2Ah and returns control to the DOS kernel, which then opens "Filename.Ext".
The virus distinguishes infected from uninfected files by their date and time stamp. While infecting it sets the stamp so that the seconds field equals the month number multiplied by two (for example 22.05.96 12:00:10). Before infecting, it checks for that stamp and skips files that already carry it.
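The date/time infection marker, as an added example (not the virus's or an anti-virus product's code): Python routines to decode and encode the packed DOS date and time words, test for the "seconds = 2 * month" marker, and sweep a directory listing. The listing and the file names in it are constructed for the example.

```python
# Added example (not the virus's code): decode DOS FAT date/time words and
# test for the SSR.18364 infection marker, seconds == 2 * month. DOS stores
# seconds with 2-second resolution (bits 0-4 hold seconds/2), so every value
# the marker can take (2..24) is representable. The listing is constructed.
from datetime import datetime


def decode_dos_datetime(date_word: int, time_word: int) -> datetime:
    """FAT date: bits 15-9 year-1980, 8-5 month, 4-0 day.
    FAT time: bits 15-11 hour, 10-5 minute, 4-0 seconds/2."""
    year = 1980 + (date_word >> 9)
    month = (date_word >> 5) & 0x0F
    day = date_word & 0x1F
    hour = time_word >> 11
    minute = (time_word >> 5) & 0x3F
    second = (time_word & 0x1F) * 2
    return datetime(year, month, day, hour, minute, second)


def encode_dos_datetime(dt: datetime) -> tuple:
    """Inverse of decode_dos_datetime; odd seconds are truncated like DOS does."""
    date_word = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    time_word = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return date_word, time_word


def has_ssr_marker(date_word: int, time_word: int) -> bool:
    """SSR.18364 sets seconds = 2 * month and skips files that carry it."""
    dt = decode_dos_datetime(date_word, time_word)
    return dt.second == 2 * dt.month


def suspicious_entries(listing) -> list:
    """Names of COM/EXE entries whose stamps carry the marker.
    `listing` is an iterable of (name, date_word, time_word)."""
    return [name for name, d, t in listing
            if name.upper().endswith((".COM", ".EXE")) and has_ssr_marker(d, t)]


# Constructed directory listing for the example (names are made up).
SAMPLE_DIR = [
    ("EDIT.COM", *encode_dos_datetime(datetime(1996, 5, 22, 12, 0, 10))),  # May: 2*5 = 10 s
    ("README.TXT", *encode_dos_datetime(datetime(1996, 5, 22, 12, 0, 10))),  # not a target type
    ("KEYB.COM", *encode_dos_datetime(datetime(1994, 9, 30, 6, 22, 0))),     # clean stamp
    ("GAME.EXE", *encode_dos_datetime(datetime(1997, 12, 1, 23, 59, 24))),   # Dec: 2*12 = 24 s
]


if __name__ == "__main__":
    for name, d, t in SAMPLE_DIR:
        print(name, decode_dos_datetime(d, t), has_ssr_marker(d, t))
    print(suspicious_entries(SAMPLE_DIR))
```

The seconds field has 30 possible values, so roughly one clean COM or EXE file in thirty carries the marker by coincidence; a hit means the file is worth scanning, not that it is infected. The same decode logic applies to any infector that uses the seconds field as a "do not reinfect" flag, a common choice because most DOS directory listers never display seconds.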
Trigger Routines
There are several trigger routines in the virus code. In its INT 21h hook the virus also checks for extra DOS function numbers:
FFh - installation check of the FLU-SHOT anti-virus monitor and of the "Jerusalem.Sunday", "Tumen" and "Hero" viruses,
ABCDh - installation check of the "PME.Burglar" virus,
4B53h - installation check of the "Horse" and "OneHalf" viruses,
CCCCh - unknown,
DEADh - installation check of several different viruses.
When the virus sees any of these functions it calls a trigger routine that displays a message and announces itself with a sound effect; on a 386 the sound resembles a police siren. The message is:
!!! ALARM WARNING DANGER APPROACHING !!!
Hacker-fucker TSR shit or Any Virus Detected !!!
!!! ALARM WARNING DANGER APPROACHING !!!
Hacker-fucker TSR shit or Any Virus Detected !!!
Anyone who wants to fuck Revenge is Naivnij Man
With best wishes & thanks to DialogScn
Emulation engine will have problems with this ZHOM
In future versions we will add :
1. Protected Mode Decryptor [VMME]
2. Adinf table Hacker-cracker
3. Destroy Files/Disks/CMOS/Printer/CDROM
4. Disk encryption and other BUGs,GLUKs & SHITs !
Dis is only BEGIN… Win95 & her lamers must die!
Searching… SEEK & DESTROY
There can be only one …
When the infection routine closes a file, the virus checks an internal counter that is incremented on every INT 1Ch call, and depending on its value calls the second trigger routine. That routine displays a message, waits for the ESC key, then clears the screen, overwrites a randomly selected sector of drive C: and halts the PC.
Depending on the same counter the virus also "shakes" the screen.
If the virus detects that the code of its INT 21h handler is being traced, it displays a message in Russian, corrupts the CMOS checksum field and halts the PC.
While infecting a file the virus checks the file name and does not infect files matching:
DR*.* (DRWEB)
AI*.* (AIDSTEST)
AD*.* (ADINF)
CO*.* (COMMAND.COM)
HI*.* (HIEW)
AV*.* (AVP)
WI*.* (WIN)
KE*.* (KEY* ?)
US*.* ?
GD*.* ?

When a file named "?ID*.*" (AIDSTEST) is executed, the virus displays a message in Russian and halts the computer.
The virus also checks the extension of files searched for with the FindFirst/FindNext DOS functions, and deletes files with the extensions:
PAR PIF ICO WEB ??? PAS BAS AVB FRQ
and then forces the Find function to return the string "shit !" in Cyrillic encoding instead of the file name.
The virus also contains many other text strings, placed near the routines they refer to. At the top of the virus code there is the string:
Hi Hacker! Welcome to Hell
The installation routine contains the text:
Move over, I said move over
Hey, hey, hey, clear the way
There’s no escape from my authority - I tell you -
Infection routine contains:
Gimme the prize, just gimme the prize
The code that writes the encrypted virus code to the files begins with the string:
Save me,save me
When processing the EXE header there is the text:
Don’t lose your header
The FindFirst/Next stealth routine is finished with:
I’m the invisible man
When the virus deletes the files:
Now you DiE !
When processing PKLITEd files:
Crazy Little Thing Called PkLite
The virus also contains the strings:
Give me your WEBs, let me squeeze them in my hands,
Your puny scaners,
Your so-called heuristics analyzers,
I’ll eat them whole before I’m done,
The battle’s fought and the game is won,
I am the one the only one,
I am the god of kingdom come,
- THERE CAN BE ONLY ONE -
I’M GOING SLIGHTLY MAD
Just very slightly mad !
All dead…
THIS IS OF STAINLESS STEEL RAT
Revenge virus v 1.02 released at 22.04.96
Copyright (c) 1996-97 2 Rats Techno Soft
Written by
Stainless Steel Rat
StealthedMetamorphicCrazyForcedSynthesatedRandom
MegaLayerEncryptionProgressionMutationEngineGenerator
S.S.R.
BUGS INSIDE
The polymorphic engines used by the virus contain the texts:
RandomEncryptionSynthezator n S.S.R. 1996-97
THE STAINLESS STEEL RAT MUTATION ENGINE v 1.21 beta
___(c) S.S.R. 1996-97___
Metamorphic Mutation Engine v 2.00 (C) Stainless Steel Rat 1996-97
It’s C00LEST Engine

SSR.18273

Saturday, February 23rd, 2008

The description of this variant is identical to that of SSR.18364 above; the only difference is that infected files grow by exactly 18273 bytes rather than 18364. The installation, INT 21h handler, infection, PKLITE handling, feature, trigger-routine and text-string details given for SSR.18364 apply unchanged to SSR.18273.

SSH Family

Saturday, February 23rd, 2008

These are not dangerous memory-resident parasitic viruses. They hook INT 5, 8, 16h, 17h, 21h and 24h, and on some DOS calls (INT 21h with AH=0Dh, 15h, 16h, 22h, 28h, 3Ch, 68h, 5Ah, 40h) they search for .COM files in the current directory and write themselves to the beginning of the file. While infecting a file, these viruses copy themselves and then the file body to a newly created .SSH file, delete the original file and rename the already infected .SSH file back to the original name. The viruses check keyboard input for the string "My sister is SSH", run an internal counter, and depending on these and some other conditions manifest themselves by a video effect (on a Hercules card) and by disabling printer output and the PrintScreen function.

SRX.2304

Saturday, February 23rd, 2008

It is a very dangerous memory-resident parasitic virus. It hooks INT 21h and, when files are created or executed, searches for .COM and .EXE files and writes itself to the end of the file. The virus has bugs and corrupts some files while infecting them. While infecting, it also deletes the anti-virus data files CHKLIST.CPS and CHKLIST.MS.
On December 2nd it erases hard drive sectors, then decrypts and displays the message:
25 WAYS TO PREVENT A VIRUS ATTACK...
No.2 ALWAYS USE CONDOMS !!
No.25 SELL YOUR COMPUTER !

When installing itself memory resident from an infected EXE file, the virus does not return control to the host program but displays the standard DOS error message "Bad command or file name" and returns to DOS. As a result infected EXE files work only if the virus is already active in system memory.
The virus contains the ID-string:
SRX

Srp Family

Saturday, February 23rd, 2008

These are not dangerous non-memory-resident parasitic viruses. They search for .EXE files and write themselves to the end of the file. "Srp.2248" beeps after each file it infects. While executing and infecting, "Srp.2306" displays the messages:
This is SRP !!! (c)Copyright 1993,1994 Y&Y corp. Moscow
Successfully

Squeaker.1091

Friday, February 22nd, 2008

It is a not dangerous memory-resident parasitic virus. It hooks INT 1Ch and 21h and writes itself to the end of COM, EXE and OVL files that are loaded into memory. In some cases it "squeaks" through the PC speaker.

Squawk.852

Friday, February 22nd, 2008

It is a not dangerous memory-resident parasitic virus. It hooks INT 21h and writes itself to the end of COM and EXE files that are executed. It beeps through the PC speaker and contains the text:
Nguyen Van Cuong - Saigon IBM comppany.

Squatter.9742

Friday, February 22nd, 2008

This is a dangerous memory-resident parasitic, highly polymorphic stealth virus. It hooks INT 21h and writes itself to the end of COM and EXE files that are accessed. Depending on its counters, the virus also infects the file "C:\DOS\KEYB.COM" if it exists. It does not infect the anti-virus programs SCAN, TBAV and F-PROT. It also deletes the anti-virus data files ANTI-VIR.DAT and CHKLIST.MS.
Because of bugs in the polymorphic engine the virus often fails to decrypt itself and halts the computer. On May 24th it displays the messages:
Squattering your system has become by hobbie :)
-SQUATTER v1.2- Coded by The Mental Driller/29A
This virus also contains the text:
[MeDriPolEn v0.1]

