Post by lilhack on Mar 13, 2007 18:37:23 GMT -5
Virus Information Summary List
Introduction & Entry Format
Each of the entries in the list consists of several fields.
Below is a brief description of what is indicated in each of the
fields. For fields where codes may appear, the meaning of each
code is indicated.
Virus Name: Field contains one of the more common names for the
virus. The listing is alphabetized based on this
field.
Aliases: Other names that the same virus may be referred to by.
These names are aliases or A.K.A.'s.
V Status: This field contains one of the following values which indicate
how common the virus is in the public domain.
Common: The virus is one of the most common viruses reported to
various groups which gather virus infection statistics.
Most of these groups are in the United States. Where a
virus has had many reports from a specific geographic area,
the V Status field will contain "Common - xxxxxxxxx" where
xxxxxxxxx is an indicator of geographic location.
Endangered: The "Endangered" classification of viruses are
viruses that are very uncommon and were fairly recently
discovered or isolated. Due to some characteristics of
these viruses, it is highly unlikely that they will ever
become a widespread problem. It doesn't mean that they
don't exist, just that the probability of someone getting
these viruses is fairly low.
Extinct: The "Extinct" classification is for viruses which at
one time may have been widespread (i.e. they are not a
research virus which was never released into the public
domain), but have not had a reported infection in at least
one year. "Extinct" viruses will also include "viruses"
which were submitted which actually don't replicate due to
a flaw in their viral code, but if the flaw were corrected
they might be successful. It is still possible that someone
could become infected with one of these viruses, but the
probability is extremely low.
Myth: "Myth" viruses are viruses which have been discussed among
various groups for some time (in excess of one year), but are
not known to actually exist as either a public domain or
research virus. Probably the best case of a "Myth" virus
is the Nichols Virus.
Rare: "Rare" viruses are viruses which were recently (within the
last year) isolated but which do not appear to be widespread.
These viruses, as a general rule, will be viruses which
have characteristics that would make them a possible
future problem. "Rare" viruses have a higher probability
of someone becoming infected than Endangered or Extinct
viruses, but are much less likely to be found than a
"Common" virus.
Research: A "Research" virus is a virus which was originally
received by at least one anti-viral researcher directly
from its source or author. These viruses are not known
to have been released into the public domain, so they are
highly unlikely to be detected on computer systems other
than researchers'.
Rumored: The "Rumored" virus classification is for viruses
which the author has received information about, but that
no sample of the virus has been made available for analysis.
Any viruses in this classification should be considered with
a grain of salt; they may not actually exist.
Unknown: The "Unknown" classification is for those viruses where
the original submission of the virus to anti-viral researchers
is suspect for any number of reasons, or that there is
very little information known about the origin of the
virus.
New: The "New" category is for viruses which were recently
received by the author but cannot at the present time be
researched in depth. Instead of leaving these viruses out
of the listing altogether, they will be listed but with
a "New" status.
Discovery: First recorded discovery date.
Origin: Author/country of origin
Symptoms: Changes to system that may be noticed by users: messages,
growth in files, TSRs/ Resident TOM (change in CHKDSK
return), BSC - boot sector change (may require cold boot
from known-good protected floppy to find), corruption of
system or files, frequent re-boots, slowdowns.
Origin: Either credited or assumed to be in country of discovery.
Eff Length: The length of the viral code after it has infected
a program or system component. For boot-sector infectors,
the length is indicated as N/A, for not applicable.
Type Code: The type codes indicated for a virus indicate general
behavior characteristics. Following the type code(s) is
a brief text description. The type codes used are:
    A = Infects all program files (COM & EXE)
    B = Boot virus
    C = Infects COM files only
    D = Infects DOS boot sector on hard disk
    E = Infects EXE files only
    F = Floppy (360K) only
    K = Infects COMMAND.COM
    M = Infects Master boot sector on hard disk
    N = Non-resident (in memory)
    O = Overwriting virus
    P = Parasitic virus
    R = Resident (in memory)
        (below 640k - segment A000)
        a - in unused portion of allocated memory
            (does not change free memory, such as virus resident
            in CLI stack space or unused system memory)
            Example: LeHigh
        f - in free (user) memory below TOM
            (does not prevent overwriting)
            Example: Icelandic
        h - in high memory but below TOM
            (Resides in high system memory, right below TOM.
            Memory is allocated so it won't be accidentally
            overwritten.)
            Example: Flash
        s - in low (system/TSR) memory
            (reduces free memory, typically uses a normal
            Int 21/Int 28 TSR)
            Example: Jerusalem
        t - above TOM but below 640k (moves Int 12 return)
            (Reduces total memory size and free memory)
            Example: Pakistani Brain
        (above 640k)
        b - in BIOS/Video/Shadow RAM area (segment A000 - FFFF)
        e - in extended/expanded memory (above 1 Meg)
    S = Spawning or companion file virus
        (This type of virus creates another file on the disk which
        contains the actual viral code. Example: Aids II)
    T = Manipulation of the File Allocation Table (FAT)
    X = Manipulation/Infection of the Partition Table
Detection Method:
This entry indicates how to determine if a program or
system has been infected by the virus. Where the virus
can be detected with a shareware, public domain, or
readily available commercial program, it is indicated.
Note that a "+" after the anti-viral product's version number
indicates that versions of the product from the indicated version
forward are applicable.
Programs referenced in the listing are:
AVTK - Dr. Solomon's Anti-Virus Toolkit <commercial>
F-PROT - Fridrik Skulason's F-Prot detector/disinfector
IBM Scan - IBM's Virus Scanning Program <commercial>
Pro-Scan - McAfee Associates' Pro-Scan Program <commercial>
VirexPC - MicroCom's VirexPC Program <commercial>
VirHunt - Digital Dispatch Inc's VirHunt Program <commercial>
ViruScan - McAfee Associates' ViruScan Program
ViruScan/X - McAfee Associates' ViruScan Program with /X switch
Removal Instructions:
Brief instructions on how to remove the virus. Where
a shareware, public domain, or readily available
commercial program is available which will remove the
virus, it is indicated. Programs referenced in the
listing are:
AntiCrim - Jan Terpstra's AntiCrime program
CleanUp - John McAfee's CleanUp universal virus
disinfector.
Note: CleanUp is only indicated for a virus
if it will disinfect the file, rather than
delete the infected file.
DOS COPY - Use the DOS COPY command to copy files from
infected non-bootable disks to newly formatted,
uninfected disks. Note: do NOT use the
DOS DISKCOPY command on boot sector infected
disks, or the new disk will also be infected!
DOS SYS - Use the DOS SYS command to overwrite the boot
sector on infected hard disks or diskettes.
Be sure you power down the system first, and
boot from a write protected master diskette,
or the SYS command will copy the infected
boot sector.
F-PROT - Fridrik Skulason's F-Prot detector/disinfector,
Version 1.07.
M-3066 - Traceback virus disinfector.
MDisk - MD Boot Virus Disinfector. Be sure to use the
program which corresponds to your DOS release.
Pro-Scan - Pro-Scan Virus Identifier/Disinfector <Commercial>.
Saturday - European generic Jerusalem virus disinfector.
Scan/D - ViruScan run with the /D option.
Scan/D/A - ViruScan run with the /D /A options.
Scan/D/X - ViruScan run with the /D /X options.
UnVirus - Yuval Rakavy's disinfector for Brain, Jerusalem,
Ping Pong, Ping Pong-B, Typo Boot, Suriv 1.01,
Suriv 2.01, and Suriv 3.00 viruses.
VirexPC - MicroCom's VirexPC Detector/Disinfector
Note: VirexPC is only indicated if it will actually
disinfect the virus, not just delete the infected
file.
VirHunt - Digital Dispatch Inc's VirHunt Detector/Disinfector
Note: VirHunt is only indicated if it will actually
disinfect the virus on all major variants.
Virus Buster - Yuval Tal's Virus Buster Detector/Disinfector
General Comments:
This field includes other information about the virus,
including but not limited to: historical information,
possible origin, possible damage the virus may cause,
and activation criteria.
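
As an added example (not part of the original post or of the listing it quotes), the Type Code legend above can be turned into a small decoder for reading entries. The concatenated form of the code string (for instance "PRsA"), the rule that a lowercase residency letter directly follows "R", and the R/N consistency check are assumptions; the function names are hypothetical.

```python
# Added example: decode the "Type Code" field using the legend in this post.
# Assumption: codes are concatenated without separators (e.g. "PRsA") and a
# lowercase residency letter directly follows "R".
FLAGS = {
    "A": "Infects all program files (COM & EXE)",
    "B": "Boot virus",
    "C": "Infects COM files only",
    "D": "Infects DOS boot sector on hard disk",
    "E": "Infects EXE files only",
    "F": "Floppy (360K) only",
    "K": "Infects COMMAND.COM",
    "M": "Infects Master boot sector on hard disk",
    "N": "Non-resident (in memory)",
    "O": "Overwriting virus",
    "P": "Parasitic virus",
    "R": "Resident (in memory)",
    "S": "Spawning or companion file virus",
    "T": "Manipulation of the File Allocation Table (FAT)",
    "X": "Manipulation/Infection of the Partition Table",
}
# Lowercase letters qualify "R". They collide with flags once upper-cased
# (a/A, b/B, e/E, f/F, s/S, t/T), so the field must be read case-sensitively.
RESIDENCY = {
    "a": "in unused portion of allocated memory",
    "f": "in free (user) memory below TOM",
    "h": "in high memory but below TOM",
    "s": "in low (system/TSR) memory",
    "t": "above TOM but below 640k (moves Int 12 return)",
    "b": "in BIOS/Video/Shadow RAM area (segment A000 - FFFF)",
    "e": "in extended/expanded memory (above 1 Meg)",
}

def decode_type_code(code):
    """Return (flags, residency) for a type-code string."""
    flags, residency, prev = [], None, ""
    for ch in code.strip():
        if ch in FLAGS and ch not in flags:
            flags.append(ch)
        elif ch in RESIDENCY and prev == "R" and residency is None:
            residency = ch
        else:
            raise ValueError(f"unexpected {ch!r} in type code {code!r}")
        prev = ch
    # Assumption: an entry cannot be both resident and non-resident.
    if "R" in flags and "N" in flags:
        raise ValueError(f"{code!r} is marked both R and N")
    return flags, residency

def describe(code):
    """Return the legend text for each flag, with residency attached to R."""
    flags, residency = decode_type_code(code)
    parts = [FLAGS[f] for f in flags]
    if residency:
        parts[flags.index("R")] += ": " + RESIDENCY[residency]
    return parts
```

Upper-casing the field before lookup would turn the constructed sample "PRsA" into "PRSA", which decodes as a spawning virus with no residency information instead of a resident virus in low memory.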