Prevent Online Threats

Archive for May, 2008

VD.568

Thursday, May 29th, 2008

Details
VD.568

It is a non-dangerous, non-memory-resident, encrypted parasitic virus. It searches for .COM files and writes itself to the end of the file. It contains the ID-word “VD”. Depending on the length of the infected file, it displays the message:
[2J [10;25H [5;33m— Be careful VIRUS !! —

VD.1664

Thursday, May 29th, 2008

Details
VD.1664

It is a dangerous memory resident parasitic virus. It hooks INT 21h and writes itself to the end of .EXE files that are executed. The virus has a bug and corrupts small files while infecting them; these corrupted files halt the system. The virus writes the ID-word “VD” to memory at the address 0000:0467.

VCS Family

Thursday, May 29th, 2008

Details
VCS Family

These are dangerous, non-memory resident encrypted parasitic viruses. They search for .COM files in the subdirectory tree of the current drive, and write themselves to the end of the file. These viruses contain the following text:
c:\autoexec.bat c:\config.sys

and overwrite the files C:\AUTOEXEC.BAT and C:\CONFIG.SYS with the following text:
“VCS.Manta”:
RAM Parity Error at 0F67:1B2C
(C)ontinue (S)hut off NMI (R)eboot
Mantafahrer hält an einer Ampel. Neben ihm hält ein Porsche. Beide kurbeln
die Scheiben runter und der Porschefahrer fragt:
“Was hat vier Beine und ist unheimlich blöd ?”
Mantafahrer: “Keine Ahnung”
Porschefahrer: “Du und deine Freundin”
An der nächsten Ampel haelt ein Golf neben dem Manta.
Mantafahrer: “Was hat vier Beine und ist unheimlich doof ?”
Golffahrer: “Keine Ahnung”
Mantafahrer: “Meine Freundin und ich”

“VCS.Ruf” (it displays this message also):
[ASCII-art banner with the text “Deutsche Bundespost” and “Telekom”]

“VCS.Paranoimia” (it also displays this message):
You have just been infected with the Paranoimia Virus!!!
If you have gotten this, then the odds are that you pirated
software you shouldn’t haveall
Might as well press < Ctrl >-< Alt >-< Del > now…

“VCS.Manta” also displays:
RAM Parity Error at 0F67:1B2C
(C)ontinue (S)hut off NMI (R)eboot

VCOMM family

Wednesday, May 28th, 2008

Details
VCOMM family

These are dangerous, non-memory resident viruses. When an infected file is executed, they search for files in the current directory and infect no more than one EXE file. While infecting a file, they pad the file length to a block boundary (512 bytes), write themselves to the end of the file, and add one entry to the relocation table in the EXE header. The viruses copy into video RAM (segment address BFFEh) a small memory-resident program that disables writing to the disk.

VCode Family

Wednesday, May 28th, 2008

Details
VCode Family

VCode.1633
It is a harmless memory resident parasitic virus. It hooks INT 9 and INT 21h and writes itself to the end of EXE files that are accessed. While installing itself in memory, the virus opens the CONFIG.SYS file, searches for the “SHELL” and “COMSPEC=” strings and infects the command interpreter. When the Alt-Ctrl-Del keys are pressed, it scans the Environment area and also infects the command interpreter. The virus contains the strings:
COMMAND.COM
SHELL
Program made in UV januar 93
CONFIG.SYS
COMSPEC=

VCode.1886,2540
These are dangerous non-memory resident parasitic viruses. They search for .EXE files and write themselves to the end of the file. Depending on the current date, they erase disk sectors. They contain the text strings:
“VCode.1886”: .93 all………[[[ S C A N N E R ]]]
“VCode.2540”: COMMAND.COM X:\CONFIG.SYS

VCode.2246,2262
These are not dangerous memory resident parasitic viruses. They hook INT 21h and write themselves to the end of COM and EXE files that are accessed. While installing themselves in memory, they open the CONFIG.SYS file, search for the “SHELL” string and infect the command interpreter. Depending on their internal counters, these viruses hook INT 8 (timer) and sometimes change the keyboard flags.

VCM.493

Wednesday, May 28th, 2008

Details
VCM.493

It is a dangerous nonmemory resident parasitic virus. It searches for .COM files and writes itself to the end of the file. Depending on the system timer it erases the disk sectors. It contains the text string:
V.C.M

VCG

Wednesday, May 28th, 2008

Details
VCG

It is a family of DOS parasitic polymorphic viruses based on the so-called “VCG” polymorphic engine. Several versions of the virus are known: all of them are non-memory resident, search for and infect COM files in the current directory, and write themselves to the end or to the top of the file depending on the virus version. One of the versions also writes the text “BELKA” to the header of infected files. The viruses have bugs and often corrupt files while infecting them and/or halt the computer.
The viruses use a quite complex polymorphic engine that rebuilds the virus code each time the infection procedure is activated. In different infected files, different assembler instructions or even sets of instructions are used to perform the same operations. The engine also shuffles blocks of virus code, inserts junk instructions, etc. The virus also changes data offsets in its assembler instructions, constants and so on. As a result, the virus is not encrypted, but it has no constant parts of code, and even the length of the virus changes.

VCC.571

Wednesday, May 28th, 2008

Details
VCC.571

The viruses that were written with the VCC (Virus Creation Centre) virus constructor are relatively harmless, parasitic, non-memory resident and encrypted. They search for .COM files, and write themselves to the end of the file. The viruses contain the following text strings:
DEBUGGING IS VERY ILLEGAL (NOT!)
I-EAS Virus Creation Centre v0.19ß
[IE-VCC v0.19ß]

The virus displays the following messages:
Your System DNA is mutating!
sPeCiEs A Virus pANdEMiC
[sA] [HH]

VCC.408

Wednesday, May 28th, 2008

Details
VCC.408

The viruses that were written with the VCC (Virus Creation Centre) virus constructor are relatively harmless, parasitic, non-memory resident and encrypted. They search for .COM files, and write themselves to the end of the file. The viruses contain the following text strings:
DEBUGGING IS VERY ILLEGAL (NOT!)
I-EAS Virus Creation Centre v0.19ß
[IE-VCC v0.19ß]

The virus displays the following messages:
IT IS THEM!!!!!!!
Hope you like ants!
THEM! A Virus Thespian
[TA] [TP]

VBScript.777

Tuesday, May 27th, 2008

Details
VBScript.777

This is a very dangerous parasitic virus written in the Windows Script language. When an infected script takes control, the virus searches for other scripts (.VBS files) and infects them in the current and Windows directories, then in these Windows directories:
\Profiles\All Users\Desktop
\Profiles\Administrator\Desktop
\Desktop

While infecting, the virus shifts the file contents down and writes its code to the beginning of the file. As a result, the original contents of affected files are not damaged. The virus detects already infected scripts by the “'VBSv777” identification string that is placed at the top of the virus code.
On the 2nd of each month, if the virus is activated between 9:00 and 10:00, it searches for all .DOC and .TXT files on the C: and D: drives and overwrites them with the picture:
_ _
|_| |_|
| | /^^^\ | |
_| |_ (| %o% |) _| |_
| | | | _ (_—_) _ | | | |_
| | | | |’ | _| |_ | `| | | | |
| | / \ | |
\ / / /(. .)\ \ \ /
\ / / / | . | \ \ \ /
\ \/ / ||Y|| \ \/ /
\__/ || || \__/
() ()
|| ||
ooO Ooo

Greetings From CTRL-ALT-DEL /CB + AVM
- http://www.codebreakers.org -

The virus then displays the MessageBox:
Greetings From CTRL-ALT-DEL /CB + AVM
- http://www.codebreakers.org -

VBS.TripleSix

Tuesday, May 27th, 2008

Details
VBS.TripleSix

This is a worm written in the Visual Basic Script language (VBS). The worm spreads via e-mail and IRC (Internet Relay Chat) channels.
When executed, the worm script displays the message:
Does your name add up to 666?
This handy little tool will tell you what your name adds up to in ASCII
characters (without including spaces and without converting numbers to
ASCII). It is just for fun, it does not mean you are going to go to hell
if you get a 666. You should probably read the bible if you are concerned
about that.

Then it asks the user for names and computes the sum of the ASCII codes of the characters in the entered text:
Does your name add up to 666?
Enter your name. Also try names from your family and friends. And if you
want something interesting try BILL GATES 3 (Bill’s real name is Bill
Gates the third) and HOLY BIBLE. Press Cancel or Ok without entering any
name to exit.

When empty text is entered, the worm proceeds to its spreading routine. First, this routine creates a zipped archive containing the worm itself. To create the archive, the worm uses the “pkzip” utility, which is stored inside the worm's body in a text-based encrypted format and is decrypted before being executed. The worm then places the created archive in the Windows directory under the name “666TEST.ZIP”.
Another file that the worm creates is “REGSVR.VBS” in the Windows system folder. The worm modifies the system registry to execute this script on every Windows startup.
When executed, this script enumerates all disk drives on the computer and checks the following folders on them:
\MIRC
\MIRC32
\PIRCH
\PIRCH98

If a checked folder or its subfolders contain the executable file of MIRC or PIRCH (popular IRC clients), the worm creates a script for the IRC client found that sends the 666TEST.ZIP file, with the worm inside, to everyone who joins the IRC channel.
It also checks the system date and, on the fifth of every month, changes the desktop wallpaper to a tiled cartoon picture of a sad face.
Finally, the worm attempts to spread via e-mail using MS Outlook in the same way as the “Melissa” macro virus does. The infected message contains the attached “666TEST.ZIP” archive with the worm script inside. The message subject is “666 test”, and the body is “> Does your name add up to 666 in ASCII characters? Are you going to go to hell?”.
The worm does not spread from the same computer twice. To prevent duplicate spreading, it creates a key in the system registry:
“HKEY_LOCAL_MACHINE\Software\MIRC/OUTLOOK/PIRCH.VanHouten\” = “True”

VBS.Sling

Tuesday, May 27th, 2008

Details
VBS.Sling

The virus is written in Visual Basic Script (VBS). The body of the virus is approximately 2.5KB.
On launching, the virus searches for files with the extensions .vbs and .vbe on all accessible disks and infects them.
If the date is 16th June or 16th July, the virus deletes both itself and all similar files from the system.

VBS.Redlof

Tuesday, May 27th, 2008

Details
VBS.Redlof.a

VBS.Redlof is written in Visual Basic Script (VBS) and encrypted as VBE (Visual Basic encoded script). On first being run, it creates a file with its executable code in the Windows system directory under the name Kernel.dll.
The virus also creates files under the name kjwall.gif in the System32 and Web directories. The virus also copies itself to all directories on other disks of the infected computer as folder.htt, a file which configures images and folders in MS Explorer.
Replication of the virus
The infected file folder.htt gains control and copies itself to all directories when viewed or opened using MS Explorer. If a directory already contains folder.htt, the directory will not be infected.
The virus writes itself into all HTM files in the Windows\web directory and by doing so gains control over the following files when they are opened: iejit.htm, offline.htm, related.htm, tip.htm, folder.htm, wum.htm.

VBS.Rabbit

Tuesday, May 27th, 2008

Details
VBS.Rabbit.c

This is a virus written in the Windows Script language, and it is the first known virus of this type, appearing in October 1998. This virus is quite simple: just over 10 commands. It just searches for other script files in the current directory and overwrites them.
It uses the File System Object (FSO) to locate and infect files. Because of this method of infection, it is also able to infect JS (JavaScript) files as well as VBS files.
This virus has a minor bug: when it is executed by a browser, the virus infects all files in the browser’s cache and copies them to the computer’s Desktop (since the browser’s default directory is the Desktop). When this happens, the computer’s Desktop becomes filled with the icons of the infected scripts (the virus replicates like a rabbit, which explains the basis for its name, “Rabbit”).
On the 15th of any month, the virus creates a URL file with the name “CB.URL” or “The CodeBreakers.URL” (depending on the virus version), and writes the URL reference there: “http://www.codebreakers.org”. The major virus versions then also run a browser with this URL. While this is occurring, the virus also displays the following Message Box:
VBSv v2.0
by Lord Natas/CodeBreakers
The virus also contains the comments:
VBSv Version 2.0 by Lord Natas/CodeBreakers
First Windows Scripting Virus

VBS.Rabbit

Tuesday, May 27th, 2008

Details
VBS.Rabbit.b

This is a virus written in the Windows Script language, and it is the first known virus of this type, appearing in October 1998. This virus is quite simple: just over 10 commands. It just searches for other script files in the current directory and overwrites them.
The virus does this by using DOS shell “find-and-copy-over” commands, overwriting all *.VBS (Visual Basic Script) files in the current directory.
This virus has a minor bug: when it is executed by a browser, the virus infects all files in the browser’s cache and copies them to the computer’s Desktop (since the browser’s default directory is the Desktop). When this happens, the computer’s Desktop becomes filled with the icons of the infected scripts (the virus replicates like a rabbit, which explains the basis for its name, “Rabbit”).
On the 15th of any month, the virus creates a URL file with the name “CB.URL” or “The CodeBreakers.URL” (depending on the virus version), and writes the URL reference there: “http://www.codebreakers.org”. The major virus versions then also run a browser with this URL. While this is occurring, the virus also displays the following Message Box:
VBSv v1.1
by Lord Natas/CodeBreakers
The virus also contains the comments:
VBSv Version 1.1 by Lord Natas/CodeBreakers
First Windows Scripting Virus

