Prevent Online Threats

Archive for July, 2008

Win95.Luna.2636

Thursday, July 31st, 2008

Details
Win95.Luna.2636

This is a dangerous memory resident polymorphic parasitic Windows virus. It replicates under Win95/98 only, and infects PE EXE files (Windows executables) that are opened or executed. While infecting, the virus increases the size of the last file section and writes itself there. The virus does not infect the following anti-virus files:
AV*.*, DR*.*, F-*.*, AN*.*, CE*.*, PI*.*, TB*.*.

The virus contains the following text string:
Win9x.Luna Coded by Bumblebee

To stay memory resident, the virus allocates a block of Windows memory, copies itself there, and stays as a part of the Windows kernel. To gain control, the virus scans the KERNEL32.DLL exported functions and hooks the CreateFileA calls. As a result, the virus gains control when files are opened and executed.
The virus has bugs and in some cases corrupts files while infecting them. On the 15th of odd months (January, March, May, ..., November) the virus changes the case of letters in all opened files: it converts lowercase <-> uppercase. Upon the next file opening, the virus converts the letters back, and so on.

Win95.Lud family

Thursday, July 31st, 2008

Details
Win95.Lud family

This virus looks for a “cave” between the first and second file sections and writes itself there (see the “Win95.CIH” virus). If there is not enough space in this cave, the virus does not infect the file. As a result of this infection method, the virus does not increase the size of files while infecting them.
The virus contains the text string:
HILLARY

Lud.Jez
This virus infects files in one of the standard ways: it creates a new section at the end of the file and writes itself there. This section is named “.jezzy”. The virus also contains the text:
The Jezebel Virus

Lud.Jadis, Lud.Yel
These viruses use a more sophisticated method: while infecting a file they scan it for the executable section, move all other sections down to allocate a “cave” of the necessary size, write themselves there and fix the parameters of all modified sections: size, offset in file, etc. The viruses also pay special attention to sections that contain relocation tables and export and import data tables, and fix all necessary fields in them.
“Lud.Jadis” also scans for PE EXE files in the subdirectory tree, not only in the current directory. It contains a bug: it corrupts the Import Address Table. This virus contains the text string:
Your computer has eaten my turkish delight! - Jadis, Queen of Charn.

Win95.Lorez.1766

Thursday, July 31st, 2008

Details
Win95.Lorez.1766.a

This virus infects Windows95 PE EXE files (Portable Executable) and the KERNEL32.DLL system file. The infection method is similar to “Win95.Yurn”: “Win95.Lorez” writes itself to the end of the file and, in the case of executable files, modifies the entry point address; in KERNEL32.DLL it hooks the GetFileAttributesA public routine.
The virus has bugs and may corrupt files and halt the system while infecting. The virus contains the text strings:
* [LoRez] v1 by Virogen [NoP] *
\KERNEL32.dll
GetTickCount GetWindowsDirectoryA SetFileAttributesA CreateFileA
SetFilePointer ReadFile WriteFile CloseHandle GetSystemDirectoryA
CopyFileA GetFileTime SetFileTime ExitProcess GetFileAttributesA

Win95.Lizard.1967

Thursday, July 31st, 2008

Details
Win95.Lizard.1967

It is a very dangerous Win95/DOS virus. It infects DOS EXE files and creates VxD (Win95) droppers, and is encrypted in DOS EXE files. Depending on the system timer, the virus erases EXE files instead of infecting them. The virus was named after the text string found inside the virus code:
Lizard by Reptile

When an infected DOS EXE file is executed, the virus creates its dropper in one of Windows directories:
c:\windows\system\iosubsys\lizard.vxd
c:\win95\system\iosubsys\lizard.vxd
c:\windows.000\system\iosubsys\lizard.vxd

If there are no such directories, the virus returns to the host program without any harm to the system. Otherwise Windows95 gets a virus dropper: a VxD (EXE LE) file in the auto-run directory SYSTEM\IOSUBSYS.
When Windows is loading, it runs all VxD drivers from its auto-run directories. As a result the virus takes control and installs itself into the system (memory resident). It hooks the Interrupt 21h V86 chain and intercepts five calls: Execute, Create, Open, Close and FindFirst. On any of these calls the virus searches for DOS EXE files in the current directory and writes itself to the end of the file.

Win95.K32.1012

Thursday, July 31st, 2008

Details
Win95.K32.1012

This is a benign memory resident parasitic virus. It infects the Windows95 system memory, and writes itself to the end of PE EXE files. On February 19th, it displays the following MessageBox:
nIgr0_lives_here!!!!
Virus K32 por nIgr0 all “Hazlo o no lo hagas pero no lo intentes”

When an infected file is executed, the virus scans the KERNEL32.DLL data, obtains the addresses of the Windows functions it needs (CreateFile, SetFilePointer, ReadFile, WriteFile, CloseHandle, CreateProcessA, GetModuleHandleA, and GetProcAddress), copies itself into unused data in the Windows kernel and hooks the CreateProcess function. To hook this function, the virus patches the Windows kernel with a Jmp_Virus instruction. While infecting a file, the virus increases the size of its last file section and writes itself there.

Win95.Julus.1890

Thursday, July 31st, 2008

Details
Win95.Julus.1890

It is a harmless memory resident parasitic Windows virus. It infects Win32 PE EXE files. When an infected program runs, the virus installs itself into Windows memory as a VxD driver, hooks the IFS API (file access chain), and infects .EXE files that are opened or executed. To switch its code from application level (Ring3) to the kernel (Ring0), the virus directly accesses protected mode memory descriptors.
The known version of this virus is a test one. It infects only files with a specific name: GOAT*.EXE. No other files are infected. This version has bugs and often halts the computer when the virus installs itself memory resident.
The virus contains the text string:
Manowar v.1.0 - a ring 0 virus
written by Lord Julus (c) 1999

Win95.Jacky.1440

Wednesday, July 30th, 2008

Details
Win95.Jacky.1440

It is a harmless non-memory resident parasitic Win95/NT virus 1440 bytes in length. When executed, the virus scans the Win95/NT kernel and gets the undocumented addresses of the system file access functions (see the list below). It then searches for NewEXE Portable Executable (Win95 and NT) files and writes itself to the end of the file. The virus aligns the file length to the section alignment, so the file length grows by more than 1440 bytes on infection.
This is the first known Win95/NT parasitic virus that does not add a new section to the file: while infecting a file the virus writes itself to the end of the file, increases the size of the last section in the file, and modifies the characteristics of this section. So only the entry point address and the size and characteristics of the last section are modified in infected files.
This is also the first Win95/NT infector known to me that worked on my test computer (Windows95) without any problem. I did not try it under NT.
The virus contains encrypted strings; some of these strings are the names of system functions that are used during infection:
KERNEL32 GetModuleHandleA GetProcAddress
*.EXE
CreateFileA CreateFileMappingA CloseHandle UnmapViewOfFile
MapViewOfFile FindFirstFileA FindNextFileA FindClose
SetFileAttributesA SetFilePointer SetEndOfFile SetFileTime
To My d34d fRi3nD c4b4n4s..
A Win/NT/95 ViRuS v1.00.
By: j4cKy Qw3rTy / 29A.
jqw3rty@cryogen.com
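The infection pattern described above (entry point moved into an enlarged last section whose characteristics were changed to make it executable) is a classic static heuristic for defenders. The following is an added example, not code from the original post: a minimal PE32 header parser that flags an entry point inside a last section that is both writable and executable. The two-section sample it checks is constructed inline and carries no real code.

```python
import struct

# Section characteristic flags from the PE specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(pe: bytes):
    """Return (entry_point_rva, sections) for a PE32 image; sections are
    (name, virtual_address, size, characteristics) tuples in file order."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]                 # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", pe, pe_off + 6)[0]             # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, pe_off + 20)[0]        # SizeOfOptionalHeader
    entry_rva = struct.unpack_from("<I", pe, pe_off + 24 + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        off = pe_off + 24 + opt_size + 40 * i                      # section table entry
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize, _ = struct.unpack_from("<4I", pe, off + 8)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append((name, va, max(vsize, rawsize), chars))
    return entry_rva, sections


def check_last_section(pe: bytes) -> dict:
    """Flag an entry point that lies inside a writable, executable last section."""
    entry_rva, sections = parse_pe(pe)
    name, va, size, chars = sections[-1]
    in_last = va <= entry_rva < va + size
    executable = bool(chars & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE))
    writable = bool(chars & IMAGE_SCN_MEM_WRITE)
    return {"last_section": name, "entry_in_last": in_last,
            "suspicious": in_last and executable and writable}


def build_sample(entry_rva: int, last_chars: int) -> bytes:
    """Constructed two-section PE32 header (headers only, no code) for testing."""
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", entry_rva) + b"\0" * 204
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x102)
    def sec(name, va, size, chars):
        return struct.pack("<8sIIIIIIHHI", name, size, va, size, 0, 0, 0, 0, 0, chars)
    text = sec(b".text", 0x1000, 0x1000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | 0x40000000)
    data = sec(b".data", 0x2000, 0x1600, last_chars)
    mz = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    return mz + b"PE\0\0" + coff + opt + text + data


if __name__ == "__main__":
    clean = build_sample(0x1200, 0xC0000040)   # entry in .text, .data is read/write only
    hit = build_sample(0x3000, 0xE0000060)     # entry moved into .data, now code+exec+write
    print(check_last_section(clean), check_last_section(hit))
```

Legitimate packers also place the entry point in a late section, so treat a hit as a reason to look closer rather than a verdict.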

Win95.Invir.7051

Wednesday, July 30th, 2008

Details
Win95.Invir.7051

This is a relatively harmless memory resident parasitic polymorphic Win9x virus. The virus uses Win9x-specific calls, and infected files cannot run under WinNT, which displays its standard application error message.
When the virus code gains control under Win9x, it switches from application level to the Windows kernel (Ring3 -> Ring0), hooks the file access functions (IFS API) and infects PE EXE files that are opened or renamed, or whose attributes are read or set.
While infecting a file, the virus encrypts its code and writes it to the end of the last file section. The virus also writes two blocks of code and data to the end of the “code” and “data” sections. The virus entry routine is written to the end of the “code” section, and the end of the “data” section holds the data used by the virus’ polymorphic decryption loop. This separation of the main (encrypted) virus code, the entry routine and the decryptor’s data is done to make detection and disinfection routines more difficult.
The virus’ polymorphic engine uses one more trick. To build a polymorphic decryption routine, it generates Assembler-like source code and then “compiles” it to binary executable code. It seems the virus’ author used this method to make it easy to improve the polymorphic engine in the future.
The virus does not manifest itself in any way. It contains the following text strings:
You can not find what you can not see.
Invirsible by Bhunji (Shadow VX)

Win95.Iced.2112

Wednesday, July 30th, 2008

Details
Win95.Iced.2112

This is a benign non memory-resident Win95/98 encrypted parasitic virus. It infects Windows PE EXE files and writes itself to the end of the file. While infecting, it increases the size of the last file section, writes its body there and modifies the necessary PE header fields.
When an infected program starts, the virus takes control and runs its infection routine. To get access to Windows functions, the virus scans the Windows kernel exported functions by the standard method used by Windows viruses. It then searches for EXE files in the current, Windows and Windows system directories and infects the first four uninfected PE EXE files in each directory.
On June 6th this virus displays the message box:
[Win32.Paradise v1.00]
Late at night i found myself again
wondering and watching TV
I can’t believe what’s on the screen
something that i wouldn’t like to see
Many rare species will perish soon
and we’ll be short on food
Why do we have to be so selfish
we have to change our attitude
I know that i am not
the only one that’s worried
Why don’t we all
wake up, and and realize
Like the birds in the sky
we are flying so high
without making anykind of sacrifice
We’ve got so little time
to undo this crime
or we’ll lose our paradise
It seems to me that there’s no sense at all
nobody cares, it’s always the same
Mother nature’s crying out in pain
I know we are the ones to blame
It also contains the text string:
Paradise [ Stratovarius ] Copyright (c) 1999 by Billy Belcebu/iKX

Win95.Iced.1617

Wednesday, July 30th, 2008

Details
Win95.Iced.1617

This is a benign non memory-resident Win95/98 encrypted parasitic virus. It infects Windows PE EXE files and writes itself to the end of the file. While infecting, it increases the size of the last file section, writes its body there and modifies the necessary PE header fields.
When an infected program starts, the virus takes control and runs its infection routine. To get access to Windows functions, the virus scans the Windows kernel exported functions by the standard method used by Windows viruses. It then searches for EXE files in the current, Windows and Windows system directories and infects the first four uninfected PE EXE files in each directory.
This is an encrypted virus. It searches for anti-virus data files and deletes them: ANTI-VIR.DAT, CHKLIST.DAT, CHKLIST.TAV, CHKLIST.MS, CHKLIST.CPS, AVP.CRC, IVB.NTZ, SMARTCHK.MS, SMARTCHK.CPS. It contains the “copyright” text:
[Iced Earth by Billy Belcebu/DDT]

Win95.Iced.1412

Wednesday, July 30th, 2008

Details
Win95.Iced.1412

This is a benign non memory-resident Win95/98 encrypted parasitic virus. It infects Windows PE EXE files and writes itself to the end of the file. While infecting, it increases the size of the last file section, writes its body there and modifies the necessary PE header fields.
When an infected program starts, the virus takes control and runs its infection routine. To get access to Windows functions, the virus scans the Windows kernel exported functions by the standard method used by Windows viruses. It then searches for EXE files in the current, Windows and Windows system directories and infects the first four uninfected PE EXE files in each directory.
This virus does not manifest itself in any way. It contains the text:
[Win32.Aztec v1.00]
Copyright (c) 1999 by Billy Belcebu/iKX

Win95.HPS.5124

Wednesday, July 30th, 2008

Details
Win95.HPS.5124

This 5124-byte virus (aka Hanta) is a Windows95/98 infector that installs itself into the Windows kernel, hooks system events and then infects Portable Executable (PE) files that are accessed. The virus was named after its “copyright” string, which is visible in the decrypted virus code:
< Hantavirus Pulmonary Syndrome (HPS) Virus BioCoded by GriYo / 29A >

While infecting a file the virus increases the size of the last section, encrypts its code with its polymorphic engine, writes the encrypted result to the end of the file into the last section and modifies the entry point address. The size of the polymorphic decryption loop is variable, so the size of infected files grows by a variable amount.
The virus is slow polymorphic, which means the polymorphic decryption loop code is not changed each time the virus infects a file. Moreover, the same infected file produces the same polymorphic code while infecting further files, and all files infected before a reboot have the same decryption routine. Only the next “generation” of the virus produces a polymorphic loop that differs from the “parent” copy.
When an infected file is executed, the polymorphic decryption routine takes control, restores the virus code to its original form and jumps to the installation routine. The virus then scans the Windows kernel code to locate the KERNEL32.DLL image, looks for the export table there and gets the VxDCall routine address from it. The virus then uses this address to call disk access and other routines when needed.
The virus then installs itself into the Windows kernel: it allocates a block of memory by using undocumented Win32 VxD services provided by VMM (PageReserve and PageCommit), copies itself there, scans for the VxDCall handler in the KERNEL32 code and patches it with the address of its own handler. As a result the virus installs itself into the shared memory area and hooks VxDCall.
To prevent General Protection faults while scanning Windows memory for the KERNEL32.DLL image (which can occur when the virus accesses a part of memory that is not available to applications), the virus protects itself with Structured Exception Handling (SEH). This also serves as an anti-debugging trick.
The virus detects its already installed copy by an Are-You-Here? call: a GetDate VxDCall with registers ESI=’HPS!’ and EDI=’TSR?’; the installed copy returns ‘YES!’ in the ESI register.
The virus VxDCall handler monitors VWIN32_Int21Dispatch calls only and passes through any other calls. There are nine functions intercepted: GetDate, Open ReadOnly, Open WriteOnly, FindFirst/Next with LongNames, Rename with LongName, Create/Open with LongName. On file access calls (open, rename) the virus compares the file name extension with EXE, SRC and SYS and infects such files if they are not infected yet. After infecting a file the virus deletes the anti-virus data files ANTI-VIR.DAT, CHKLIST.MS, AVP.CRC and IVB.NTZ, if they exist.
On FindFirst/Next calls the virus “decreases” the reported length of infected files. This is the virus’ stealth ability: the length increase on infection is not visible to Windows utilities. However, the virus does not intercept old-style DOS FindFirst/Next calls, so the new length of an infected file is visible to good old DOS tools, including the DOS command DIR.
The virus has a video trigger routine. When the virus installs itself into Windows memory, it gets the system date. If it is installing on a Saturday, it then affects any uncompressed BMP files: the virus flips the contents of the BMP image so it is displayed from right to left. The virus marks flipped images with a DEADBABEh stamp and does not flip them twice back to the original state.

Win95.Harry

Tuesday, July 29th, 2008

Details
Win95.Harry.a

It is a dangerous memory resident (VxD driver) parasitic virus. It infects NewEXE PE files (Win95). When an infected file is executed, the virus scans the Win95 kernel for free space (in the VMM driver), copies itself there and hooks the IFS API. Because of this installation algorithm the virus often halts the computer.
When NewEXE files are opened, the virus infects them. While infecting, the virus writes itself to the end of the file and modifies the NewEXE header to take control when the infected file is executed.
While installing memory resident, the virus also changes the mouse cursor image (loads an image of a syringe). To do that the virus creates the C:\SYRINGE.CUR file and registers it in the system as the cursor image.
The virus contains the text strings:
Fuck Harry by Quantum / VLAD
\Control Panel\Cursors
Arrow

Win95.Gara.917

Tuesday, July 29th, 2008

Details
Win95.Gara.917

This is a dangerous Windows9x memory resident parasitic virus. It writes itself to the end of Windows executable files (“Portable Executable”, PE EXE files). When an infected program is executed, it gets control and installs itself into Windows memory: by using a trick it jumps from application level to the Windows kernel, hooks the Windows file access functions (IFS API) and stays in system memory as a VxD driver.
The virus intercepts file opening, filters PE EXE files and infects them. While infecting, it increases the size of the last file section, writes its code there and modifies the necessary PE header fields.
It contains the “copyright” strings:
[Garaipena by Billy Belcebu/DDT]
On the 31st of a month the virus tries to overwrite a block of system memory (the VxD drivers area). On some systems this halts the computer, on others Windows displays a driver error, and on some the virus erases video memory data.

Win95.Frone.864

Tuesday, July 29th, 2008

Details
Win95.Frone.864

This is a relatively harmless, memory resident parasitic Win9x virus that remains in Win9x memory, hooks IFS API (system-file operations), and infects PE EXE files (Win32 applications) that are being opened.
While infecting, the virus writes itself to the end of the file. In some cases the file length does not grow, if the file has overlay data at the end. The infection routine has a bug, and because of it some files cannot be correctly disinfected.
Depending on random conditions, the virus, upon file opening, erases a randomly selected sector on the C: drive; the erased sector begins with the text “Fr1, 13”.
