Prevent Online Threats

Archive for March, 2008

Tokyo Family

Wednesday, March 26th, 2008

These are harmless non-memory-resident viruses. They search for .EXE files and write themselves to the end of the file. They contain the text string:
I am the virus x.

Todor.1993

Wednesday, March 26th, 2008

When an infected program is executed, control passes to the virus code. Most of the virus body is encrypted, so the virus first decrypts itself. The method is simple and is built on the most popular virus encryption instruction, XOR: the decryption routine XORs each successive word (2 bytes) of the virus body with a key, and the key is rotated (ROR) before the next word is processed.
The virus then sets a new Disk Transfer Address, hooks the INT 24h vector (the DOS critical error handler) and begins infecting. The first file it goes after is the one named by the environment string "COMSPEC=", which in most cases points to COMMAND.COM, so COMMAND.COM is infected. The virus then searches the current directory, first for EXE files and then for COM files, and tries to infect them; it does not infect a file twice. The search is the standard one, using the DOS FindFirst/FindNext functions with ASCIZ file names (INT 21h, AH=4Eh/4Fh). It stops searching after the 8th file found and infects only 5 of them, so the infected set is COMMAND.COM plus 5 of the first 8 files of the current directory.
The Features
Hooking INT 24h (the critical error handler) for the duration of its run is not the only thing the virus does to avoid DOS error messages when writing to files on a write-protected disk. Before searching for files to infect, it also tries to create and delete a temporary file in the selected directory; if that creation fails, the virus treats the disk as write-protected and does not infect any files on it.
While infecting, the virus saves, clears and restores the file attributes. For 'good virus tone' it would also need to save and restore the file date and time, and it does, but it alters the seconds field of the file time: the infector sets the seconds to 22. While searching for files it checks this value and does not infect files whose time shows 22 seconds. This looks like a good indicator of infected files, but the standard DOS DIR command shows every piece of file information except the seconds, and none of the other DOS utilities I have shows them either; only the Microsoft Windows File Manager displays the full, true time:
todor.exe … x:xx:22pm

The virus checks the file header before infection. If the header contains the string "(C)Todor" at offset 32, the virus skips the file and does not infect it. But infected files do not contain that string. What is this? The author's protection against his own creation? The infector also does not infect files that contain the string "LZ9" at offset 28 in the header, i.e. all files compressed by the LZEXE packer.
The virus also checks the file length during infection. For an EXE file, the file length must equal the length of the EXE load module as calculated from the EXE header fields, so the virus does not infect EXE files that carry internal overlay code or data. For a COM file it checks that the length is greater than 11000 bytes.
The infector then saves and modifies the beginning of the file. In an EXE file it changes the header fields holding the initial CS, IP, SS and SP values, so that the new entry point lands in the virus code. Into a COM file it writes several assembler instructions that pass control to the virus body when the infected file is executed: MOV SI,offset Virus / PUSH SI / RET. These are ordinary instructions, but the 10-byte opcode sequence is chosen from 8 different variants, of which only 5 bytes are constant.
Another feature is the virus's destructive payload. The virus checks the system date, and in every month from August onward (inclusive) and on every day from the 15th onward (inclusive) it encrypts a randomly selected logical sector of the current logical drive. The encryption algorithm is not difficult, but the probability that the chosen sector is a FAT sector or a root directory sector is very high. This makes the virus very dangerous, because encrypting a single sector can destroy a lot of information. Owners of large logical disks (>32M) need not worry, however: the virus uses the old INT 25h / INT 26h calling convention for absolute disk reads and writes, which addresses sectors with a 16-bit number, so it can only damage disks smaller than 32M.
The virus also contains these text strings, in encrypted form:
*.exe *.com COMSPEC=(C)TodorLZ9
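The file checks described in this section, reimplemented in Python as scanner heuristics. This is an added example, not code from the page or from the virus. It models the EXE header tests ("(C)Todor" at offset 32, "LZ9" at offset 28, file length equal to the load-module length computed from the e_cblp and e_cp header fields), the COM length test, the seconds==22 marker in the DOS packed time word, the extension-only COM/EXE classification (the bug noted further down the page) beside the signature-based one, and a pattern match on the MOV SI / PUSH SI / RET entry stub. The sample files are constructed; VIRUS_LEN, the 64K bound for the COM check and the exact stub layout are assumptions.

```python
"""Todor.1993's pre-infection checks, reimplemented as scanner heuristics (added example).
Sample files are constructed; VIRUS_LEN, COM_MAX_IMAGE and the stub layout are assumptions."""
import struct

VIRUS_LEN = 1993        # assumed: the variant number is taken as the appended length
COM_MIN_HOST = 11000    # the virus only infects COM files larger than this
COM_MAX_IMAGE = 0xFEFE  # assumed bound: image + 256-byte PSP + initial stack word within 64K

def exe_module_length(data):
    """Load-module size from the MZ header: e_cblp (bytes used in the last
    512-byte page, 0 meaning a full page) and e_cp (number of pages)."""
    e_cblp, e_cp = struct.unpack_from("<HH", data, 2)
    return e_cp * 512 if e_cblp == 0 else (e_cp - 1) * 512 + e_cblp

def todor_exe_verdict(data):
    """Why the virus would skip an EXE target, or 'candidate' if it would infect it."""
    if len(data) < 64:
        return "skip: header too short"
    if data[32:40] == b"(C)Todor":
        return "skip: (C)Todor marker at offset 32"
    if data[28:31] == b"LZ9":
        return "skip: LZEXE-packed (LZ9 at offset 28)"
    if exe_module_length(data) != len(data):
        return "skip: length differs from load module (internal overlay)"
    return "candidate"

def todor_com_verdict(data, virus_check_only=False):
    """The virus's own COM test is just len > 11000; unless virus_check_only is
    set, the 64K bound the virus meant to apply but never reaches is added."""
    if len(data) <= COM_MIN_HOST:
        return "skip: host not larger than 11000 bytes"
    if not virus_check_only and len(data) + VIRUS_LEN > COM_MAX_IMAGE:
        return "skip: infected image would not fit in a 64K segment"
    return "candidate"

def virus_classification(name):
    """What the virus decides, from the extension alone."""
    return "EXE" if name.lower().endswith(".exe") else "COM"

def format_classification(data):
    """What the DOS loader decides: an 'MZ' or 'ZM' signature means EXE."""
    return "EXE" if data[:2] in (b"MZ", b"ZM") else "COM"

def dos_time_seconds(t):
    """DOS packed time word hhhhhmmmmmmsssss stores seconds halved."""
    return (t & 0x1F) * 2

def mark_dos_time(t):
    """Set the seconds field to 22 as the infector does (22 // 2 == 11)."""
    return (t & ~0x1F) | 11

def has_todor_mark(t):
    return dos_time_seconds(t) == 22

def com_entry_stub_target(data):
    """Assumed stub shape: MOV SI,imm16 (BE lo hi), later PUSH SI (56), later
    RET (C3), all within the first 10 bytes with filler between, and the
    target inside the loaded image (a COM file is loaded at offset 100h).
    Returns the target offset, or None when the head does not match."""
    head = data[:10]
    i = head.find(0xBE)
    if i < 0 or i + 3 > len(head):
        return None
    target = int.from_bytes(head[i + 1:i + 3], "little")
    j = head.find(0x56, i + 3)
    if j < 0 or head.find(0xC3, j + 1) < 0:
        return None
    if not 0x100 <= target < 0x100 + len(data):
        return None
    return target

def make_exe(total_len, module_len=None, patches=()):
    """Constructed MZ file whose header describes module_len bytes."""
    module_len = total_len if module_len is None else module_len
    buf = bytearray(total_len)
    buf[:2] = b"MZ"
    struct.pack_into("<HH", buf, 2, module_len % 512, (module_len + 511) // 512)
    for off, val in patches:
        buf[off:off + len(val)] = val
    return bytes(buf)

# Constructed samples
CLEAN_EXE = make_exe(96)
OVERLAY_EXE = make_exe(160, module_len=96)            # 64 bytes of overlay after the module
LZEXE_EXE = make_exe(96, patches=[(28, b"LZ91")])
MARKED_EXE = make_exe(96, patches=[(32, b"(C)Todor")])
PLAIN_COM = b"\xe9\x00\x00" + bytes(11100)            # JMP, then filler
HUGE_COM = bytes(64000)
INFECTED_COM = bytes([0xBE, 0x34, 0x2C, 0x90, 0x56, 0xF8, 0xC3]) + bytes(12000)

if __name__ == "__main__":
    for name, f in [("clean", CLEAN_EXE), ("overlay", OVERLAY_EXE),
                    ("lzexe", LZEXE_EXE), ("marked", MARKED_EXE)]:
        print(name, "->", todor_exe_verdict(f))
    print("huge COM, virus's check:", todor_com_verdict(HUGE_COM, virus_check_only=True))
    print("huge COM, correct check:", todor_com_verdict(HUGE_COM))
    print("PLAIN_COM named setup.exe:", virus_classification("setup.exe"),
          "vs", format_classification(PLAIN_COM))
    print("stub target:", hex(com_entry_stub_target(INFECTED_COM)))
```

The seconds marker is the cheapest triage signal on a FAT volume, since DIR hides it: a directory walk that compares the packed time word's low five bits against 11 finds every file the virus has touched without opening it, and the header checks then confirm or rule out the overlay and LZEXE cases the virus itself refuses.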

The Self Encryption Routine
The virus uses a simple en/decryption method: each successive word of the virus body is XORed with the key, and the key is then rotated (ROL/ROR) by one bit. The algorithm is ordinary, but the assembler instructions that implement it are not, because the infector generates a polymorphic self-encryption routine. That routine can be divided into three blocks of code: the PUSH block, the register loading block and the encryption block.
The PUSH block pushes seven machine registers onto the stack: PUSH AX, BX, CX, DX, DI, DS, ES. These seven PUSH instructions (seven opcode bytes) are interspersed, in random order, with 'dummy' instructions such as NOP, CLC, STD and so on. The virus must POP these registers in reverse order before returning control to the host program, and it does so by rearranging the POP instructions inside the virus code after decryption.
The register loading block loads the virus base offset into SI and copies the CS register into ES and DS. These instructions are variable too and can appear in several forms. One of these forms contains a bug, discussed below.
The opcodes of the encryption block are variable as well: the key register is chosen from DX or BX, and the decryption instructions can be randomly rearranged.
All told, the number of variants of the decryption routine (not counting the possible keys) is about 2.3×10^15.
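The word cipher described above, as an added example in Python (not code from the original page or from the virus): each 16-bit word of the body is XORed with the key, which is then rotated right by one bit, so the same routine both encrypts and decrypts. The rotation direction (ROR), the little-endian word layout, the constructed body and the key 0x1357 are assumptions. The second function shows why such a routine hides nothing from a scanner: because the key schedule does not depend on the data, any known word of plaintext (the strings listed in the entry are natural candidates) gives back one key word, and rotating it left by its word index recovers the initial key.

```python
"""Model of the XOR/ROR word cipher used by the Todor.1993 decryptor (added example)."""

def ror16(x, n=1):
    """Rotate a 16-bit value right by n bits (the ROR step of the key schedule)."""
    n %= 16
    return ((x >> n) | (x << (16 - n))) & 0xFFFF

def rol16(x, n=1):
    """Rotate left, used to undo n ROR steps."""
    return ror16(x, 16 - (n % 16))

def keystream(key, length):
    """Word i of the stream is the key after i ROR steps; words are emitted
    little-endian, as an 8086 XOR [SI],reg would apply them. An odd trailing
    byte (the real body is 1993 bytes) takes the low byte of the next word."""
    out = bytearray()
    k = key & 0xFFFF
    for _ in range((length + 1) // 2):
        out += k.to_bytes(2, "little")
        k = ror16(k)
    return bytes(out[:length])

def xor_rot(data, key):
    """Encrypt or decrypt; XOR with a data-independent stream is its own inverse."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

def recover_key(ciphertext, known):
    """Known-plaintext attack: for every offset the fragment could sit at, take
    the first word-aligned pair of bytes inside it, XOR cipher and plain words
    to get key word k_w, rotate left w times to get the initial key, and keep
    only keys that really decrypt the fragment at that offset."""
    if len(known) < 3:
        raise ValueError("need at least 3 known bytes to guarantee an aligned pair")
    found = set()
    for j in range(len(ciphertext) - len(known) + 1):
        e = j if j % 2 == 0 else j + 1          # first even offset inside the window
        w = e // 2
        c_word = int.from_bytes(ciphertext[e:e + 2], "little")
        p_word = int.from_bytes(known[e - j:e - j + 2], "little")
        key = rol16(c_word ^ p_word, w)
        if xor_rot(ciphertext, key)[j:j + len(known)] == known:
            found.add(key)
    return found

# Constructed stand-in for the virus body: a few opcode bytes, the strings the
# entry lists, and filler; odd length like the real 1993-byte body. Key is assumed.
KEY = 0x1357
BODY = (b"\x8b\xf0\x56\xc3\x90"
        + b"*.exe *.com COMSPEC=(C)TodorLZ9"
        + bytes(range(41)))
CIPHERTEXT = xor_rot(BODY, KEY)

if __name__ == "__main__":
    print("strings hidden:", b"COMSPEC=" not in CIPHERTEXT)
    print("decrypts back:", xor_rot(CIPHERTEXT, KEY) == BODY)
    print("key from 'COMSPEC=':", [hex(k) for k in recover_key(CIPHERTEXT, b"COMSPEC=")])
```

Because a 16-bit rotation returns to its start after 16 steps, the key stream repeats every 32 bytes; a scanner that knows any 32 consecutive bytes of the decrypted body needs no key at all, and the 2.3×10^15 decryptor variants change nothing about that, since they only reorder the instructions that apply the same stream.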

Bugs
Practically every program contains bugs. A virus is a program, so it can contain bugs too. I found several algorithmic and programming errors while analysing the virus code.
The first striking bug is in the COM infection algorithm. The virus checks the COM file length before appending itself, but it does so incorrectly, so the length of an infected COM file can exceed 64K, and running such a file can hang the computer. The virus code does contain instructions that check this condition, but they are never called! It looks as if the virus source contains an error: the code and its label are present, but the label is never jumped to.
The second bug is in the generation of the decryption routine. One variant of the routine contains a superfluous POP instruction, so a file infected with it hangs on execution. This incorrect routine is generated with probability 1/6, so roughly every 6th infected file will hang the system.
Other bugs appear in other viruses as well; these are the 'standard virus errors'. One of them is the incorrect detection of COM and EXE files: before infection the virus examines only the file name extension, not the internal file format ('MZ' or 'ZM' at the beginning of an EXE file). As a result, COM files with an .EXE extension are infected as EXE, and EXE files with a .COM extension are infected as COM. Such files hang immediately when the host program receives control.
The last error I found during analysis is the order of writes to the infected file. The virus modifies the beginning of the file first and only then appends the decryption routine and encrypted code. If a write error occurs during this procedure, the file is irreparably destroyed. A 'good' virus appends its body first and only then modifies the beginning of the file.
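The write-ordering point, as an added Python simulation (not code from the page or from the virus): a tiny fault-injecting "disk" that stops accepting bytes after a budget, an infector that writes the 10-byte entry stub and the appendix (saved original head plus body) in either order, and a disinfector that restores the host from the saved copy when it is present. The host bytes, the single fixed stub variant, the body stand-in and the disinfector are constructed for the demo.

```python
"""Simulation of the infector's write order with an injected write error (added example).
Host bytes, the fixed stub variant and the disinfector are constructed for the demo."""

STUB = 10                        # the entry: a 10-byte stub in COM files
VIRUS_BODY = bytes([0x90]) * 40  # stand-in for the decryptor and encrypted body

def make_stub(host_len):
    """One fixed variant of MOV SI,imm16 / PUSH SI / RET, NOP-padded to 10 bytes;
    the target is the body, which follows the saved 10-byte host head."""
    target = 0x100 + host_len + STUB
    return bytes([0xBE]) + target.to_bytes(2, "little") + bytes([0x56, 0xC3]) + b"\x90" * 5

def is_stub(head):
    return len(head) >= 5 and head[0] == 0xBE and 0x56 in head[3:] and 0xC3 in head[3:]

class Disk:
    """Byte store that accepts at most `budget` bytes before failing, writing
    the part that fits first (a write error mid-operation, as on a full disk)."""
    def __init__(self, data, budget=None):
        self.data = bytearray(data)
        self.budget = budget
    def write(self, off, chunk):
        if self.budget is not None and len(chunk) > self.budget:
            chunk, self.budget = chunk[:self.budget], 0
            self.data[off:off + len(chunk)] = chunk
            raise OSError("simulated write error")
        if self.budget is not None:
            self.budget -= len(chunk)
        self.data[off:off + len(chunk)] = chunk

def infect(host, header_first, budget=None):
    """Append the appendix (saved original head + body) and patch the head,
    in the order Todor uses (header_first=True) or the safe order."""
    disk = Disk(host, budget)
    stub = make_stub(len(host))
    appendix = host[:STUB] + VIRUS_BODY
    try:
        if header_first:
            disk.write(0, stub)
            disk.write(len(host), appendix)
        else:
            disk.write(len(host), appendix)
            disk.write(0, stub)
    except OSError:
        pass                     # INT 24h is hooked, so the user sees no error
    return bytes(disk.data)

def recover(damaged, host_len):
    """Disinfector that knows the layout: restore the head from the saved copy
    if it is complete; otherwise the head is either untouched (truncate) or
    overwritten with no copy to restore from (unrecoverable, None)."""
    saved = damaged[host_len:host_len + STUB]
    if len(saved) == STUB:
        return saved + damaged[STUB:host_len]
    if is_stub(damaged[:STUB]):
        return None
    return damaged[:host_len]

HOST = b"\xb4\x4c\xcd\x21" + b"host program data " * 3   # constructed 58-byte COM host

def run_scenario(header_first, budget=None):
    return recover(infect(HOST, header_first, budget), len(HOST))

if __name__ == "__main__":
    for budget in (None, 12, 4):
        print("budget", budget,
              "header-first recovered:", run_scenario(True, budget) == HOST,
              "append-first recovered:", run_scenario(False, budget) == HOST)
```

With no fault both orders produce the same infected file, so the difference only shows under failure: a budget of 12 lets the header-first infector finish the stub and then die two bytes into the appendix, leaving a file whose original head exists nowhere, while the append-first order under the same budget has already put the saved head on disk and is restored cleanly. The same rule applies to any tool that rewrites executables in place: write the new data, then the pointer to it.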

Today.477

Wednesday, March 26th, 2008

This is a not dangerous memory-resident parasitic virus. It hooks INT 21h and writes itself to the end of .COM files that are executed or opened. On the 13th and 31st of May and December the virus displays the message below and returns to DOS:
TODAY IS SOMETHING REALLY SPECIAL. LET YOUR PC REST IN PEACE

Tobacco.1148

Wednesday, March 26th, 2008

This is a not dangerous non-memory-resident, partly encrypted parasitic virus. It searches for .COM files (except COMMAND.COM) in the current directory and in C:\DOS, then writes itself to the end of the file. Depending on the system timer, the virus disables the disk access system functions and displays the message:
WELCOME SMOKING! (c)Copyright 1994.6 * Made in HEFEI INSTITUDE OF TOBACCO *

TNSE family

Wednesday, March 26th, 2008

These are memory-resident encrypted parasitic viruses. They copy themselves into the Interrupt Vector Table, hook INT 21h and then write themselves to the end of COM files that are executed.
TNSE.Eat.381
This is a very dangerous virus. Under pure DOS it corrupts files while infecting them; it replicates correctly only when a memory manager such as QEMM or Windows is running. The virus contains the text:
Signature:[EAT SPiCE & Die] by TNSe/LT

TNSE.Faen.450
This is a dangerous virus: under some conditions (under a debugger? when being cleaned by a heuristic cleaner?) it tries to overwrite the boot sector of drive A: with a program that displays the following on booting:
NO ROM BASIC

The virus fails to do this, because its code contains an INT 21h call where INT 13h was intended. The virus then reboots the computer.
The virus also contains the text:
[(FY) FAEN V1.0 BY TNSe / DC]

Tmtm.441

Wednesday, March 26th, 2008

This is a not dangerous non-memory-resident parasitic virus. It searches for .COM files and writes itself to the end of the file. Sometimes it displays:
Two Minutes to Midnight
[1258] by ICE-9
This virus was precision built in England.

TME.643

Tuesday, March 25th, 2008

This is a harmless non-memory-resident polymorphic worm. When executed, it creates the file TME.COM and writes itself to it. When executed from TME.COM, the worm overwrites that file (renewing its polymorphic code). It contains the string:
TME.COM

TMC

Tuesday, March 25th, 2008

This is a harmless memory-resident, partly encrypted parasitic virus. It hooks INT 21h and writes itself to the end of COM and EXE files that are accessed. It infects files on floppy disks only. The virus checks file names and does not infect files matching: NO*.*, WE*.*, TB*.*, AV*.*, F-*.*, SC*.*, CL*.*, CO*.*, WI*.*, KR*.*.
The virus uses an uncommon polymorphic engine: each time it installs itself into memory, it shuffles blocks of its code and data and inserts random data. It also changes the data offsets in its assembler instructions, its constants and so on. As a result the virus is not fully encrypted, yet it has no constant code, and even its length changes.
Once installed in memory the virus does not change its code any more, so all the copies it produces share one set of instructions. After a reboot the virus installs itself into memory again, generates a new set of instructions and infects files with this new set.
The virus contains the text:
* TMC 1.0 by Ender *
Welcome to the Tiny Mutation Compiler!
Dis is level 6*9.
Greetings to virus makers: Dark Avenger, Vyvojar, SVL, Hell Angel
Personal greetings: K. K., Dark Punisher

Titanium.844

Tuesday, March 25th, 2008

This is a harmless non-memory-resident encrypted parasitic virus. It searches for COM files and writes itself to the beginning of the file. It contains the text strings:
*.com
`rbase’ - Titanium

Tiso.940

Tuesday, March 25th, 2008

This is a harmless memory-resident multipartite virus, encrypted in files. It infects COM files only. When an infected file is executed, it infects the MBR of the hard drive. When booted from an infected disk, it hooks INT 08h, waits for DOS to load and then hooks INT 21h. It writes itself to the end of files that are executed.
The virus is stealth with respect to access to the infected hard drive: it hooks INT 13h for that purpose.
Sometimes this virus decrypts and displays:
Nech zije Jozef Tiso, prvy slovensky prezident !

Tiso.846

Tuesday, March 25th, 2008

This is a harmless memory-resident multipartite virus, encrypted in files. It infects COM files only. When an infected file is executed, it infects the MBR of the hard drive. When booted from an infected disk, it hooks INT 08h, waits for DOS to load and then hooks INT 21h. It writes itself to the end of files that are executed.
Sometimes this virus decrypts and displays:
Nech zije Jozef Tiso, prvy slovensky prezident !

Tiso.1279

Tuesday, March 25th, 2008

This is a harmless memory-resident multipartite virus, encrypted in files. It infects both COM and EXE files. When an infected file is executed, it infects the MBR of the hard drive. When booted from an infected disk, it hooks INT 08h, waits for DOS to load and then hooks INT 21h. It writes itself to the end of files that are executed.
The virus is stealth with respect to access to the infected hard drive: it hooks INT 13h for that purpose.
Sometimes this virus decrypts and displays:
Nech zije Jozef Tiso, prvy slovensky prezident !

Tired.1740

Monday, March 24th, 2008

This is a dangerous memory-resident parasitic virus. It hooks INT 21h and writes itself to the end of COM, EXE and OVL files that are executed. Sometimes the virus decrypts and displays the message:
I think you’re tired to the bone. You’d better go home

Tip.554

Monday, March 24th, 2008

This is a harmless memory-resident parasitic virus. It hooks INT 21h, and on the DOS calls Execute, Delete and Create/Remove/Change Directory it searches for .COM files (except COMMAND.COM) and writes itself to the end of the file. The virus contains the text strings:
Virus program message from TIP to YSJ
*.COM COMMAND

Tiny family

Monday, March 24th, 2008

These are memory-resident parasitic viruses. They copy themselves into the DOS data area at address 0000:0600 or 0000:0500, depending on the virus version, hook INT 21h and write themselves to the end of COM files that are executed or loaded as overlays.
When AV.EXE or a SCAN.* file is executed, "Tiny.330" deletes it and displays:
This scan program can't find me
I'm a GHOST in your machine!!

"Tiny.340" writes itself into the zero-byte area inside COM files, so the file length does not grow.
"Tiny.Fred" contains the string "Fred". This virus infects .EXE files as well as .COM; as a result those files are corrupted and halt the computer on execution. Sometimes this virus formats disk sectors.

