Prevent Online Threats

Archive for October, 2008

HA.31

Wednesday, October 29th, 2008

Details
HA.311

This is a not dangerous, non-memory-resident parasitic virus. It searches for .COM files and writes itself to the end of each file. Depending on the system timer, it displays the word “HA”.

Ha!.138

Wednesday, October 29th, 2008

Details
Ha!.1383

It is a not dangerous, memory-resident, encrypted parasitic virus. It hooks INT 21h and writes itself to the end of COM and EXE files that are executed. The virus contains the text string:
ha! version A

Every 8th day it also hooks INT 16h (keyboard) and swaps the symbols ‘!’ and Space as they are entered. Every 16th day it hooks INT 9 and, when the Alt-Ctrl-Del keys are pressed, displays:

version A

H8.117

Wednesday, October 29th, 2008

Details
H8.1171

These are harmless memory-resident parasitic viruses. They hook INT 20h and 21h and write themselves to the beginning of COM files that are accessed. The viruses check file names and do not infect some programs, nor the COMMAND.COM file. They detect these files by using the string:
xtf-ndivskavcommand

The viruses also contain the text strings:
“H8.1173”: [H8YourNMEs] SÉpùL_ürÆ
“H8.1176”: > Joan 1.0 < by KiKo NoMo

Girl.227

Tuesday, October 28th, 2008

Details
Girl.2273

It’s a dangerous memory-resident virus. It infects only the files pointed to by the ‘COMSPEC=’ string. The virus checks the file format to choose between COM and EXE infection. It contains a list of file names and erases the files on this list:
users.bbsfiles.bbs
ly-girl.lzh srcr301.arj wolf-1.arj arwlf.lzh arj205.exe

After infection the virus displays “Runtime error 213 at 2BA7:0387.” and hangs the computer.

Gipro.50

Tuesday, October 28th, 2008

Details
Gipro.504

It’s a harmless non-memory-resident parasitic virus. It searches for EXE files and writes itself to the end of them. It contains the internal text string:
-=_ G.I.Pro.V. _=-

Gippo.90

Tuesday, October 28th, 2008

Details
Gippo.901

These are not dangerous encrypted parasitic viruses. They are not memory resident (except “Gippo.1039,1234”); they search for .EXE files and write themselves to the end of the file.
One month after infection these viruses display a message and leave a small memory-resident trigger routine that hooks INT 08h and “quakes” the screen. The message is displayed when the TSR trigger routine is installed. See also “Gippo.1242,1249”.
“Gippo.1039,1234” hook INT 08h and 21h and write themselves to the end of EXE files that are executed or opened.
“Gippo” viruses display:
“Gippo.901”: Fit of hysteria offered by G.I.P.Po.
“Gippo.944”: Wake up SUCKER! Gratuitous alarm by G.I.P.Po
“Gippo.1000”: Earth is quaking! Public*Domain GIPPo MCMXCIII
“Gippo.1030.a”: * SunRise * EpidemicWare G.I.P.Po. oct-93
“Gippo.1030.b”: SUNRISE * (C)opyItself 93 GIPPo
“Gippo.1039”: ! ? Bumpy~ (R) Ghost Player
“Gippo.1050”: CACOPHONY * EpidemicWare 93 G.I.P.Po.
“Gippo.1234”: Stunning Blow (R) Ghost Player Italy
“Gippo.1242”: AntiHeuristic GIPPO EpidemicWare
“Gippo.1249”: AntiHeuristic GIPPO EpidemicWare (I)

They also contain the internal texts:
“Gippo.901”: JumpingJack *.e?e \ *.* smartc*.cps
“Gippo.944”: cacophony *.e?e \ *.* smartc*.cps
“Gippo.1000”: Earthquake *.exe \ *.* smartchk.cps
“Gippo.1030.a,b”: sunrise *.exe \ *.* smartc*.cp?
“Gippo.1050”: Cacofonia *.EXE \ *.* smartchk.cp?
“Gippo.1242”: HAMMER *.exe \ *.*
“Gippo.1249”: HAMMER *.exe \ *.*

Gippo.1242,1249
This virus manifests itself by a video effect.

Ginger Famil

Tuesday, October 28th, 2008

Details
Ginger Family

These are harmless memory-resident stealth multipartite viruses. When an infected file is executed, the viruses infect the MBR sector of the hard drive. While infecting, the viruses change only the physical address of the Active Boot Sector (from which DOS is loaded): they set this address to 0/0/2 (cylinder/head/sector) and write their code and data to that sector and the sectors that follow. As a result the viruses change only three bytes in the MBR. When loading from an infected sector, the viruses hook INT 13h and 21h and write themselves to the end of COM and EXE files that are accessed. The viruses contain the following text strings, several of which are used when the viruses infect files:
“Ginger.2774,2782”:
You can’t catch the Gingerbread Man!!
Bad Seed - Made in OZ
COMSPEC= \COMMAND.COM
CHKDSK MEM
10/23/92

“Ginger.Orsam.2624”:
Orsam - Made in OZ
You can’t catch the Gingerbread Man!!
COMMAND
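
The MBR change described for the Ginger family (the active partition's start address rewritten to 0/0/2) can be checked offline on a saved copy of sector 0. The following is an added example, not code from the original page; the function names and the sample sectors are constructed for illustration, and it assumes a classic 512-byte MBR with the partition table at offset 1BEh.

```python
import struct

PT_OFFSET, ENTRY_SIZE = 0x1BE, 16   # classic MBR partition table location

def parse_mbr(sector):
    """Decode the four partition entries of a 512-byte MBR image."""
    if len(sector) != 512 or sector[510:512] != b"\x55\xaa":
        raise ValueError("not a 512-byte MBR with 55 AA signature")
    entries = []
    for i in range(4):
        raw = sector[PT_OFFSET + i * ENTRY_SIZE: PT_OFFSET + (i + 1) * ENTRY_SIZE]
        status, head, sec_cyl, cyl_lo, ptype = struct.unpack_from("<5B", raw, 0)
        (lba_start,) = struct.unpack_from("<I", raw, 8)
        # Start CHS is three bytes: head, sector (bits 0-5) + cylinder high bits, cylinder low.
        cylinder = ((sec_cyl & 0xC0) << 2) | cyl_lo
        entries.append({"index": i, "active": status == 0x80, "type": ptype,
                        "chs": (cylinder, head, sec_cyl & 0x3F),
                        "lba_start": lba_start})
    return entries

def suspicious_boot_pointer(sector):
    """Report active entries whose start CHS is 0/0/2, the sector right after the MBR."""
    findings = []
    for e in parse_mbr(sector):
        if e["active"] and e["type"] != 0xEE and e["chs"] == (0, 0, 2):
            # CHS 0/0/2 is LBA 1 on any geometry; an untouched LBA field that
            # says otherwise shows only the three CHS bytes were changed.
            findings.append({"index": e["index"], "chs": e["chs"],
                             "lba_start": e["lba_start"],
                             "lba_mismatch": e["lba_start"] != 1})
    return findings

def build_mbr(head, sec_cyl, cyl_lo, lba_start=63):
    """Constructed sample: one active FAT16 entry with the given start CHS bytes."""
    sector = bytearray(512)
    sector[PT_OFFSET:PT_OFFSET + ENTRY_SIZE] = struct.pack(
        "<BBBBBBBBII", 0x80, head, sec_cyl, cyl_lo, 0x06, 0x0F, 0x3F, 0x63,
        lba_start, 100000)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)

if __name__ == "__main__":
    print(suspicious_boot_pointer(build_mbr(1, 1, 0)))   # typical DOS start 0/1/1
    print(suspicious_boot_pointer(build_mbr(0, 2, 0)))   # start patched to 0/0/2
```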

Gimon.225

Tuesday, October 28th, 2008

Details
Gimon.2256

It is a not dangerous memory-resident parasitic virus. When an infected file is executed, it installs itself into the system so that it is activated each time DOS boots up. To do that the virus creates its dropper file (pure virus code) in the root of the C: drive and “registers” it in the C:\CONFIG.SYS file with an “install=” instruction. The name of the virus dropper file has four randomly selected letters, for example: AOCJ.ICG, APCF.KCG, etc. The virus then installs itself memory resident.
When the virus dropper runs, it does not install the virus into system memory but just creates the C:\GBMONKEY.COM file and registers it in the C:\WINSTART.BAT file. The virus dropper then exits to DOS.
While installing itself memory resident, the virus hooks INT 21h and intercepts the file searching functions. The virus then infects COM, EXE and SYS files that are accessed by these functions. While infecting files the virus writes itself to the end of the file and modifies the file header. The virus also tries to infect OBJ files, but fails because of bugs.
On October 10th the infected SYS files display the following message and halt the computer:
Gibraltar Monkey!
(A)bort, (R)etry, (I)gnore?

On March 8th the virus overwrites all accessed GIF files with an image of the Gibraltar flag.
The virus also contains the text string:
[Gibraltar Monkey, by Mister Sandman]

Gigi.128

Tuesday, October 28th, 2008

Details
Gigi.1283

These are dangerous memory-resident encrypted parasitic viruses. They hook INT 21h and write themselves to the end of .COM files that are executed. The viruses do not infect the files VSAFE.COM, COMMAND.COM and WIN.COM. They have bugs and install themselves two or more times in system memory; as a result, after some time the system halts.
The viruses contain the text strings:
SUCKER
.COM VSAFE COMMAND WIN

“Gigi.1449” contains the texts:
Gigi Euristicu’ v1.0 * RoMaNiA
Only COM infector but a new generation is comeing all
Copyright [C] 1996-97 Elecktronick RAT & Pink Phanter
Special thanks to GikuABS (Ps!ko)
Who’s General Failure and what’s he doing on your HD ?

Gift.55

Monday, October 27th, 2008

Details
Gift.553

These are not dangerous memory-resident parasitic viruses. “Gift.724” is encrypted. They hook INT 21h and write themselves to the beginning of COM files that are searched. While installing themselves memory resident, the viruses allocate a 64Kb block of DOS memory, which may decrease system performance.
The most interesting feature of these viruses is their structure: it follows the standard binary format of ZIP archives. The beginning of the virus code is very similar to a ZIP header, and a block of data similar to the ZIP “end-of-archive” data is written to the end of infected files. Despite this, when infected files are run, this data is executed as a sequence of legal assembler instructions that pass control to the main virus code. As a result, the infected files can not only be executed as DOS programs but can also be accessed as ZIP archives. These “archives” contain just one file named “SMF_Gift.com”. When “extracted”, this file is the same as the original contents of the infected file.
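
The dual COM/ZIP structure described above gives a simple triage check: a file with a .COM name that also parses as a ZIP archive. The following is an added example, not code from the original page; the function names and sample files are constructed for illustration, and it generalises slightly by also flagging .COM files that are valid ZIP archives with other member names.

```python
import io
import zipfile

LOCAL_HEADER = b"PK\x03\x04"      # signature that opens a ZIP local file header
GIFT_MEMBER = "SMF_Gift.com"      # member name given in the description above

def classify_com(name, data):
    """Classify a file by whether its .COM image also parses as a ZIP archive."""
    if not name.lower().endswith(".com"):
        return "not-a-com-file"
    if not data.startswith(LOCAL_HEADER):
        return "plain"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.namelist()
    except zipfile.BadZipFile:
        # ZIP-like first bytes but no usable end-of-archive record.
        return "zip-like-header"
    return "gift-layout" if members == [GIFT_MEMBER] else "zip-polyglot"

def make_zip(member, payload):
    """Constructed sample: an ordinary stored ZIP holding one member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member, payload)
    return buf.getvalue()

if __name__ == "__main__":
    samples = {
        "EDIT.COM": b"\xb4\x4c\xcd\x21",                          # tiny ordinary COM stub
        "GAME.COM": make_zip(GIFT_MEMBER, b"\xb4\x4c\xcd\x21"),   # layout from the text
        "TOOL.COM": make_zip("readme.txt", b"hello"),             # other ZIP under a .COM name
        "ODD.COM": LOCAL_HEADER + b"\x90" * 64,                   # header bytes only
    }
    for fname, blob in samples.items():
        print(fname, classify_com(fname, blob))
```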

Gidra.46

Monday, October 27th, 2008

Details
Gidra.469

These are harmless non-memory-resident parasitic viruses. They search for .COM files and write themselves to the end of them. They contain the internal text string:
I’m GIDRA v1.6 : Life is Good, But Good Life Better Yet.

GI.276

Monday, October 27th, 2008

Details
GI.2765

It’s a not dangerous memory-resident encrypted parasitic virus. It hooks INT 08h and 21h and writes itself to the beginning of COM files (except COMMAND.COM) that are executed. It contains the internal string “COMMAND.COM” and the ID string “GI”. Five hours after installing itself memory resident, it manifests itself by one of two video effects.

Ghostball.2351

Monday, October 27th, 2008

Details
Ghostball.2351.a

It is a not dangerous non-memory-resident virus that infects, in the standard way, .COM files in the current directory and in the directories listed in PATH. It writes a small program into the boot sectors of disks. This program hooks INT 8 and starts a bouncing ball (see the “Ping-Pong” virus) but doesn’t infect any files or sectors. This virus contains the text “GhostBalls, Product of Iceland Copyright (c) 1989, 4418 and 5F19”.

Ghost_2.500

Monday, October 27th, 2008

Details
Ghost_2.5000

This is a very dangerous memory resident encrypted parasitic stealth-virus. It hooks INT 21h and 25h, and writes itself to the beginning of COM- and EXE-files that are executed, opened or closed. If the resulting COM-file length is out of segment (64K), the virus converts the file to EXE format.
While installing its TSR copy, if there is no free system memory, the virus displays the following message, and exits to DOS:
Swap file creation error at 0FAD:2DEC.
Program aborted.

The virus contains code that overwrites .PAS- and .CPP-files with the following text:
There is nothing in the world that I ever wanted more than to never feel
breaking apart all my programs again. The spiderman is always hungry

but this code is never executed.
In January, the virus corrupts the data on the hard drive, and then displays the following message (there may be any random digit instead of “000000000”), and “drops snow” on the screen:
Happy New Year !
Ghost 1.0 is terminating its work now. Please waitall
Write down this number : 0000000000 and pray for your data rescue.

The virus also contains the internal text strings:
COMMAND.COM
.COM.EXE.PAS.CPP
I feel so tired.
The way the rain comes down how it`s how I feel inside.
I`ve been living so long with my pictures of you
Remembering you standing quiet in the rain

Ghost.144

Monday, October 27th, 2008

Details
Ghost.1447

It is a dangerous memory-resident virus. It infects COM and EXE files when they are executed or opened. Before infection the infector appends a random number of NOP (90h) instructions to the file:
+-----------+
|File       |
+-----------+
|90h 90h all|
+-----------+
|Virus      |
+-----------+

The infector works only under DOS 3.30 because it uses some undocumented system areas and addresses of DOS 3.30: the virus copies one part of its code into a system buffer (I don’t understand why). It contains the text “MINSK GHOST,1991” and hooks INT 1Ah, 21h.

