Prevent Online Threats

Archive for March, 2008

Tout.27

Saturday, March 29th, 2008

Details
Tout.275

These are harmless, non-memory-resident, encrypted parasitic viruses. They search for COM files in the current directory and write themselves to the end of each file found. The viruses do not manifest themselves in any way. They contain the text strings:
<1994> f4ax
A tout le monde, a tout les amis
je vous aime, je dois partirall

Tourist.187

Saturday, March 29th, 2008

Details
Tourist.1871

This is a dangerous non-memory-resident parasitic virus. It searches for COM files and writes itself to the end of the file. The virus traces the file code and writes a JMP_Virus instruction into the middle of the file. The virus has bugs and may corrupt files and halt the system. On June 9th the virus displays the message:
Do not be afraid , I will do no hurt with you . I am a lonely TOURIST , I
come here only because today is the birthday of my dear LITTLE WIND , on
this lovely day I am glad to say ‘ HAPPY BIRTHDAY ‘ to all the people with
my heart . and I want also to say: Thank you very much!
ABOUT ME:
1. Have been in 85.1.
2. Now in Chen du.
3. Some of my classmates: Hu wen shen, Liu lei ji, Wang bo, Wang tao, etc.

TotalTrash.216

Saturday, March 29th, 2008

Details
TotalTrash.2169

These are harmless memory-resident parasitic stealth viruses. They hook INT 21h and write themselves to the end of EXE files. The viruses do not infect files in the “standard” virus way (on execution, opening or closing); they do so only when a file is accessed by one of several file compression or backup utilities, such as PKZIP, LZEXE, LHA, RAR, ARJ, ZIP and so on (see the text string below). In this way the viruses hide themselves: files are infected only inside archives and backups, or when they are packed. To detect them, an anti-virus must be able to scan inside packed files and archives. Moreover, when an infected file is decompressed or extracted from an archive while the virus is active in the system, the viruses run their stealth routines and the file looks clean.
The viruses contain the text strings below; the last one is the list of utilities that trigger the virus to infect files:
[Total Trash] by Sepultura.
Immortal Riot/Genesis - Punishing Your Machine in ‘96
PK LL UC LZE LHA RAR ARJ ZIP TEL XCO BAC QMO MSBA CPBA
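The page's point is that this family can only be caught by looking inside archives. As an added example (not from the page or any anti-virus product), here is a Python scanner that opens a ZIP in memory, checks every member for the TotalTrash text strings quoted above, and descends into nested ZIPs; the size and depth limits and the sample archive are constructed assumptions of this example.

```python
import io
import zipfile

# Two of the text strings the page attributes to TotalTrash.2169 (ASCII only).
SIGNATURES = [
    b"[Total Trash] by Sepultura.",
    b"PK LL UC LZE LHA RAR ARJ ZIP TEL XCO BAC QMO MSBA CPBA",
]

def scan_bytes(data):
    """Return the signature strings found in one file body."""
    return [s.decode("ascii") for s in SIGNATURES if s in data]

def scan_archive(archive_bytes, max_member=16 * 1024 * 1024, depth=2, prefix=""):
    """Scan every member of a ZIP, descending into nested ZIPs up to `depth` levels.

    Returns {member_path: [matched signatures]}. The member size cap and the
    recursion depth are assumptions of this example that bound decompression cost.
    """
    hits = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > max_member:
                continue
            data = zf.read(info)
            path = prefix + info.filename
            found = scan_bytes(data)
            if found:
                hits[path] = found
            # A ZIP stored inside the ZIP is scanned the same way.
            if depth > 0 and zipfile.is_zipfile(io.BytesIO(data)):
                hits.update(scan_archive(data, max_member, depth - 1, path + "/"))
    return hits

def build_sample_archive():
    """Constructed test archive: one clean EXE, one carrying a signature, one nested ZIP."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("TOOLS.EXE", b"MZ" + b"\x00" * 62 + b"host code " + SIGNATURES[1])
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("CLEAN.EXE", b"MZ" + b"\x00" * 62 + b"clean program body")
        zf.writestr("BACKUP.EXE", b"MZ" + b"\x00" * 62 + b"host code " + SIGNATURES[0])
        zf.writestr("OLD.ZIP", inner.getvalue())
    return outer.getvalue()

if __name__ == "__main__":
    for path, sigs in scan_archive(build_sample_archive()).items():
        print(path, sigs)
```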

TotalChaos

Friday, March 28th, 2008

Details
TotalChaos.a

This is a memory-resident boot virus. It infects the boot sectors of floppy disks as well as the hard drive MBR. The virus is encrypted and uses stealth routines. It is very dangerous: when run under a debugger, it erases data on the hard drive. To read and write hard drive sectors, the virus uses direct calls to the hard drive controller instead of INT 13h calls.
The virus hooks INT 13h and INT 76h. The INT 13h hook is used to detect a debugger (see above), and the INT 76h hook runs the stealth and infection routines.
The virus contains the following text strings:
TOT4L CHAOS - ABS0LUTE FREEDOM
666
=[T2/IR]=

Torpin

Friday, March 28th, 2008

Details
Torpino

This is a not dangerous memory-resident parasitic polymorphic virus. It is large (about 11 KB of assembler code) and is encrypted with twelve encryption loops. The virus writes itself to the end of DOS COM and EXE files, except COMMAND.COM.
To install its TSR copy, the virus patches the memory control blocks and as a result reserves for its TSR copy a block of system memory that lies outside the DOS memory blocks. When the virus is run from an infected WIN.COM or KEYB.COM (which stays in DOS memory until the next reboot), it uses another method: it installs itself as part of the infected program and ignores the DOS memory tables.
To complete the installation the virus hooks INT 9 (keyboard), INT 1Ch (timer) and INT 21h (DOS functions), and then infects COM and EXE files that are accessed (executed, opened, closed, searched, etc.). Before returning control to the host file the virus infects three disk files:
C:\WINDOWS\COMMAND\KEYB.COM
C:\DOS\KEYB.COM
C:\KEYB.COM

The virus uses several tricks to disable or bypass anti-virus scanners. While installing itself memory-resident it scans system memory for the TBAV and SCAN anti-virus devices and disables their routines. The virus does not infect several anti-virus programs: VIRSTOP2, VIRSTOP, F-PROT, SCAN, TBAV, NAV. It also deletes the anti-virus data files CHKLIST.MS and ANTI-VIR.DAT.
When the virus runs for the first time in the system, it creates the file KEYB.SYS in one of the directories C:\WINDOWS or C:\DOS, or in the root directory of drive C:. The virus writes the following text lines there:
Do not modify this file!
keyboard=1,0,x
keyboard=1,0,x
keyboard=1,0,x
keyboard=1,0,x
keyboard=1,0,x

where ‘x’ is an ASCII character; it is variable and depends on the virus generation. This data in the KEYB.SYS file is followed by a counter that is increased each time an infected program starts; the virus uses this file only to store this counter.
Depending on this counter the virus activates its trigger routines. Starting from the 1000th execution it enables the INT 9 and INT 1Ch handlers, which randomly select and run one of several routines that display messages, change strings on the screen, change the keyboard buffer, etc.
Starting from the 800th execution the virus, depending on the system random counter, appends to the C:\AUTOEXEC.BAT file instructions that display one of the messages:
Your keyboard has expired its evaluation period!
Please, register to Microsoft(c) Corporation.
Found hardware error on video card (code 23001):
Please, move your monitor and reboot the PC.
Found error: ah ah ah ahall eh eh eh eh…….
uh uh uh uh…. Dr.SCSI & Mr.IDE
Your Hard Disk is boring to live…
Youthanasia will start now… (formatting C:)
Found Boot error: replace the TORPINO Card
and reboot the system immediately !
This message is a property of F-PROT Antivirus:
Please, contact Fridrick for more info…

The virus checks an additional file, C:\TORPASS.DAT, and seems to use it as a kind of self-protection. If the first four bytes of data in this file contain the drive C: serial number, the virus disables several of its trigger and infection subroutines. If the fifth byte is not zero, the virus beeps each time it infects a file.
The virus contains the text strings below, some of which are used in its effects:
TORPINO
You are a Torpiner
C O N G R A T U L A T I O N S !
Your PC is my new house !
I’m not a destroyer…
I’m the incredible Virus…
–> T O R P I N O (c) <–
Turn on Sound Blaster Speakers !
We Thank Very Much The F-PROT Antivirus For The Contribution
To The Spread Of This Virus… Have A Good Time !
By The Virus TORPINO (C) Ver. 2.0, Copyright(C) 1997 By DR.SCSI And Mr. IDE.
Total Rows Code: 3474, Coded In ITALY, Around MATERA, In July-December 1997.
Direct Support: Our Heads; Dave Mustaine; Billy (A Programmer Dog!).
Indirect Support: The Great Dark Avenger; N.R.L.G Team; Peter Norton
(Smack !); Our WorkStation: Two 486; The Obscure Author Of Tentacle.

Tormentor.42

Friday, March 28th, 2008

Details
Tormentor.425

These are memory-resident viruses. They hook INT 1Ch and 21h and write themselves to the beginning of COM files that are executed. The viruses search for the text “TORMENTOR!” on the screen, and if this text is present, they manifest themselves:
“Tormentor.425” beeps
“Tormentor.475,476,478,482” corrupt several disk sectors

Torero.142

Friday, March 28th, 2008

Details
Torero.1427

These are dangerous memory-resident parasitic viruses. They hook INT 13h and 21h and write themselves to the end of .COM files that are opened.
To recognize already infected files the viruses set the 7th bit of the file attributes (this bit means “shareable” for network) and check that bit before infecting files. The viruses do not save the original bytes of the COM file header in their code, but write them to the reserved fields of the file’s directory entry. Both of these methods may corrupt the files while they are copied or accessed.
If the viruses cannot get the original COM header bytes from the directory entry to restore the host program, they display the message and return to DOS:
This program requires Microsoft Windows.

The viruses also contain the text strings:
[Torero Ç:-) by Mister Sandman/29A]
;)
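Both infection markers described for Torero live in the FAT directory entry rather than in the file body, so a volume-level check can find them without reading the files. As an added example (not from the page or any anti-virus product), this Python code walks a raw FAT12/16 directory region and flags entries whose attribute byte has bit 7 set or whose reserved bytes are non-zero; it assumes the page's "7th bit" is 0x80 and that a clean volume keeps the reserved bytes zero, and the sample entries are constructed.

```python
import struct

ATTR_BIT7 = 0x80          # the page's "7th bit", taken here as bit 7 (0x80); assumption
RESERVED = slice(12, 22)  # 10 reserved bytes of the classic 32-byte FAT12/16 entry

def make_entry(name, ext, attr, reserved=b"\x00" * 10, size=0):
    """Build a constructed 32-byte FAT directory entry (time, date and cluster zeroed)."""
    assert len(reserved) == 10
    return (name.ljust(8)[:8].encode("ascii") + ext.ljust(3)[:3].encode("ascii")
            + bytes([attr]) + reserved + struct.pack("<HHHI", 0, 0, 0, size))

def inspect_entry(entry):
    """Report the two markers the page describes for a single directory entry."""
    if len(entry) != 32:
        raise ValueError("directory entry must be 32 bytes")
    name = entry[:8].decode("ascii", "replace").rstrip()
    ext = entry[8:11].decode("ascii", "replace").rstrip()
    attr = entry[11]
    reserved = entry[RESERVED]
    findings = []
    if attr & ATTR_BIT7:
        findings.append("attribute bit 7 (network 'shareable') set")
    if any(reserved):
        findings.append("reserved bytes non-zero: " + reserved.hex())
    return {"name": f"{name}.{ext}" if ext else name, "attr": attr, "findings": findings}

def scan_directory(raw):
    """Walk a raw directory region and return the entries that carry any marker."""
    flagged = []
    for off in range(0, len(raw) - 31, 32):
        entry = raw[off:off + 32]
        if entry[0] == 0x00:   # free entry: no used entries follow
            break
        if entry[0] == 0xE5:   # deleted entry
            continue
        report = inspect_entry(entry)
        if report["findings"]:
            flagged.append(report)
    return flagged

# Constructed sample: a clean COMMAND.COM and a COM file whose entry looks like the
# page's description (bit 7 set, three original header bytes parked in the reserved field).
SAMPLE_DIR = (
    make_entry("COMMAND", "COM", 0x20, size=4096)
    + make_entry("GAME", "COM", 0x20 | ATTR_BIT7, b"\xe9\x10\x00" + b"\x00" * 7, size=2048)
    + b"\x00" * 32
)

if __name__ == "__main__":
    for report in scan_directory(SAMPLE_DIR):
        print(report["name"], report["findings"])
```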

Topa.252

Friday, March 28th, 2008

Details
Topa.2520

This is a dangerous memory-resident parasitic encrypted virus. It hooks INT 1Ch and 21h and writes itself to the end of COM and EXE files that are executed or opened. It deletes the CHKLIST.MS file. While infecting a file it checks the file name and does not infect files from the list:
COMMAND
SCAN
CLEAN
VSHIELD
4DOS
NDOS
F-PROT
VIRSTOP
F-TEST
TBAV
TBSCAN
TBSETUP
TBGENSIG
TBCLEAN
TBUTIL
VPCSCAN
VIREX
MSAV
While installing itself memory-resident, in some cases this virus displays:
TOPA 2.01 is active.
The virus writes the following string to BAT, DOC, TXT and some other files with “text” extensions:
REM Chi non lecca la Figa il Signore lo castiga.
The virus also contains the text string:
dummy fcb

Topa.247

Friday, March 28th, 2008

Details
Topa.2476

This is a dangerous memory-resident parasitic encrypted virus. It hooks INT 1Ch and 21h and writes itself to the end of COM and EXE files that are executed or opened. It deletes the CHKLIST.MS file. While infecting a file it checks the file name and does not infect files from the list:
COMMAND
SCAN
CLEAN
VSHIELD
4DOS
NDOS
F-PROT
VIRSTOP
F-TEST
TBAV
TBSCAN
TBSETUP
TBGENSIG
TBCLEAN
TBUTIL
VPCSCAN
VIREX
MSAV
The virus writes the following string to BAT, DOC, TXT and some other files with “text” extensions:
REM Chi non lecca la Figa il Signore lo castiga.
The virus also contains the text string:
dummy fcb

Topa.245

Thursday, March 27th, 2008

Details
Topa.2456

This is a dangerous memory-resident parasitic encrypted virus. It hooks INT 1Ch and 21h and writes itself to the end of COM and EXE files that are executed or opened. It deletes the CHKLIST.MS file. While infecting a file it checks the file name and does not infect files from the list:
COMMAND
SCAN
CLEAN
VSHIELD
4DOS
NDOS
F-PROT
VIRSTOP
F-TEST
TBAV
TBSCAN
TBSETUP
TBGENSIG
TBCLEAN
TBUTIL
VPCSCAN
VIREX
MSAV
The virus writes the following string to BAT, DOC, TXT and some other files with “text” extensions:
REM Chi non lecca la Figa il Signore lo castiga.
The virus also contains the text strings:
dummy fcb
TOPA 1.20 by Steve Cracker

Tony.33

Thursday, March 27th, 2008

Details
Tony.338

This is a very dangerous memory-resident parasitic virus. It copies itself into the Interrupt Table, hooks INT 21h and infects COM files that are executed or loaded into memory. While infecting a file it writes itself into an area of zero bytes in that file (if such an area is present). Under some conditions it can infect files incorrectly; such files are not recoverable and halt the system on execution. The virus contains the text string:
Tony

Ton

Thursday, March 27th, 2008

Details
Tony

This is a harmless memory-resident disk boot infector. It hooks INT 13h and writes itself into the boot sector of the disk; the old boot sector is saved into the last sector of the disk. This virus contains the text “Tony”.

Tongji.153

Thursday, March 27th, 2008

Details
Tongji.1535

This is a not dangerous memory-resident encrypted parasitic virus; it hooks INT 21h. On file access and on the GetDiskSpace DOS call the virus searches for .EXE files and writes itself to their end. On April 29 the virus displays the message:
Tongji University!

Tomato.215

Thursday, March 27th, 2008

Details
Tomato.2156

This is a not dangerous memory-resident parasitic virus. It is encrypted in EXE files. When executed it hooks INT 9, 13h and 28h. Through the INT 9 hook the virus manifests itself, through INT 13h it increases its internal counters, and through INT 28h it runs its infection routine. On INT 28h calls, depending on its internal counters, the virus searches for .COM or .EXE files or for the COMMAND.COM file, then writes itself to the end of the file. When Alt-Ctrl-Del is pressed, the virus displays one of the messages:
Praise the tomato!
God save the tomato
Big tomato is watching you
Big Tomato says:
Fighting for peace
is like fucking for virginity
TOMATO says:
the pope suffers from AIDS
Big Tomato says:
NO MERCY
have you ever danced with the devil
under the red light of a big tomato ?
pray for your disks . . .
Call McAfee (408) 988-3832
if you experience problems with this new virus
from Tomato Systems Inc all.

The virus also contains the text strings:
TOMATO!!!!
\VIRUS
\DOS
*.EXE
*.COM
COMMAND.COM
tomato.tmp

Tomala

Thursday, March 27th, 2008

Details
Tomalak

This is a very dangerous memory-resident stealth boot virus. It hooks INT 13h and writes itself to the MBR of the hard drive and the boot sectors of floppy disks. Starting from generation 100 the virus erases floppy disk sectors. The virus contains the encrypted text string:
TOMALAK

