THE KNOWN VIRUSES

ON ATARI TOS COMPUTERS

AND THEIR SYMPTOMS

by Richard Karsmakers

 

 

This page contains a full systematic description of all viruses that are recognised by the "Ultimate Virus Killer 2000". The latest version of the virus killer can be found at the UVK 2000 Support Site

 

Name: Official name of the virus. When several different versions of one virus exist, their difference is indicated by one additional character - "A" for the earliest or most widely spread version, "B" for the next, etc.

Type: Virus classification to which is belongs.

Discovery date: The date when the virus was earliest reported to be seen. If the discoverer is known, his/her name is added between brackets.

Virus can copy to drive(s): This indicates to which drives the virus can copy itself. "Current drive" implies that the virus copies to the floppy drive that is currently in use, or even to hard disk if the below "Can copy to hard disk" is "yes."

Virus attaches itself to: Here it is mentioned which system vector(s) the virus attaches itself to.

Disks can be immunized against it: Informs of whether a virus can or cannot be immunized against. In the latter case, it is indicated how. The format of the immunization method is: Offset (hexadecimal), Byte/Word/Longword, and the hexadecimal value expected at that offset.

Disks can be immunized with UVK: Indicates whether or not a particular virus’ immunization was capable of being including in the "Ultimate Virus Killer" advanced disk immunization method.

What can happen: Lists the effect that the virus is programmed to cause to occur, i.e. what the destruction routine is all about.

When does that happen: Specifies when the above will happen (ahem), i.e. what the trigger routine is all about.

Reset-proof: Tells you whether or not the virus can survive a warm reset.

Can copy to hard disk: Tells you...er...well...this is pretty obvious, actually.

Remarks: All other things worth mentioning are summed up here.

 

I’d like to apologise for possible rude language in this section. Some viruses have rather profane names and/or display rather rude messages on the screen. These have all been supplied for reference only. I didn’t get off on it.

 

BOOTSECTOR VIRUSES

 

Virus #1

 

Name: Signum/BPL Virus A.

Type: Memory-resident bootsector virus.

Discovery date: November 22nd 1987 (Klaus Seligmann).

Virus can copy to drive(s): A or B (current drive).

Virus attaches itself to: Hdv_bpb vector.

Disks can be immunized against it: Yes (0.W $6038).

Immunizable with UVK: Yes.

What can happen: Not known.

When does that happen: When key is found on other disks (this has never been found - yet).

Reset-proof: No.

Can copy to hard disk: No.

Remark: This is the most widely spread virus; an approximate estimate brings it to at least 1.5 million copies worldwide! It is also known as the Emil 1A Virus and Key Virus.

 

Virus #2

 

Name: Mad Virus A.

Type: Memory-resident bootsector virus.

Discovery date: March 26th 1988 (Eerk Hofmeester).

Virus can copy to drive(s): A or B (current drive).

Virus attaches itself to: Hdv_rw vector.

Disks can be immunized against it: Yes (0.B $60).

Immunizable with UVK: Yes.

What can happen: Fools around with screen or bleeps with the sound chip.

When does that happen: After it makes five copies of itself, and then at every disk access.

Reset-proof: No.

Can copy to hard disk: No.

Remark: A relatively harmless virus, therefore also sometimes referred to as FUN Virus. This is improper, however, as there already is a virus sometimes called Fun Virus, too (the Merlin Mad Virus, #60). For more remarks on the Mad Virus, see Mad Virus B (#49). Weirdly, the Mad Virus is also known as Emil 2A Virus.

 

Virus #3

 

Name: Signum/BPL Virus B.

Discovery date: Summer 1988 (Anton Raves).

Symptoms: Disk on which the virus is present is unreadable due to a damaged BPB.

Remark: This is no true actual virus, but a virus that was corrupted while active in the system. For more info see the Signum/BPL Virus A.

 

Virus #4

 

Name: ACA Virus.

Type: Reset-proof memory-resident bootsector virus.

Discovery date: June 29th 1988 (Little Joe).

Virus can copy to drive(s): Boot device.

Virus attaches itself to: Undocumented reset-resistant.

Disks can be immunized against it: Yes (0.B $60 or 4.W $4143)

Immunizable with UVK: Yes.

What can happen: Track 0 is cleared (BPB, bootsector and FAT). Data is then irretrievably lost.

When does that happen: After it has made 10 copies of itself. This is done each time you press reset.

Reset-proof: Yes.

Can copy to hard disk: No.

Remark: This virus is made by the ACA crew (ACA stands for Anti Copyright Association) from Sweden. In April 1990 it became known that this ACA crew had also made a virus killer (with a lot of neat graphics and a scroller in the lower border). This killer could allegedly also spread viruses when you pressed a certain key combination! In a 1988 issue of the German "ST Magazin" an interview with ACA was published, in which they stated to have written (but not spread) even worse viruses. Crazily, there was even one claimed to be able to write on write-protected disks. This is nonsense.

 

Virus #5

 

Name: Freeze Virus.

Type: Memory-resident bootsector virus.

Discovery date: July 12th 1988 (Carsten Frischkorn).

Virus can copy to drive(s): A or B (current drive).

Virus attaches itself to: Hdv_rw vector; also installs MFP interrupt.

Disks can be immunized against it: Yes (0.B $60).

Immunizable with UVK: Yes.

What can happen: The system slows down more and more, until it freezes to a halt.

When does that happen: Right from the beginning on, increasing at every access of logical sector 11 (where a disk’s root directory is located).

Reset-proof: No.

Can copy to hard disk: No.

 

Virus #6

 

Name: Screen Virus.

Type: Memory-resident bootsector virus.

Discovery date: July 12th 1988 (Carsten Frischkorn).

Virus can copy to drive(s): A.

Virus attaches itself to: Hdv_bpb vector; 200 Hz System Clock vector; Etv_critic vector.

Disks can be immunized against it: Yes (executable).

Immunizable with UVK: Yes.

What can happen: Screen is blackened.

When does that happen: 54 minutes after virus installation.

Reset-proof: No.

Can copy to hard disk: No.

Remark: Only works on ROMs dated 02.06.1986 (i.e. German TOS version 1.00).

 

Virus #7

 

Name: C’T Virus.

Type: Reset-proof memory-resident bootsector virus.

Discovery date: Summer 1988 (Wim Nottroth).

Virus can copy to drive(s): Any (including hard disk).

Virus attaches itself to: Undocumented reset-resistant.

Disks can be immunized against it: Yes (executable).

Immunizable with UVK: Yes.

What can happen: Deletes FAT of floppy- and hard disk (all data irretrievably lost).

When does that happen: If date stamp is 1987.

Reset-proof: Yes.

Can copy to hard disk: Yes.

Remark: This virus was featured in a German magazine called "Computer & Technik." The authors claimed they had ‘found it’ on one of their disks. A listing was included, so that people could reproduce and adapt the virus with ease. It writes the message "ARRRGGGHHH Diskvirus hat wieder zugeschlagen" on the screen when it is activated. Due to the fact that it forgets to check whether or not the device is higher than "B," it can also copy itself to hard disk (which will most likely cause permanent damage).

 

Virus #8

 

Name: Maulwurf I Virus B (English TOS version).

Type: Reset-proof memory-resident bootsector virus.

Discovery date: September 3rd 1988 (Joerg Kruse).

Virus can copy to drive(s): A of B (current drive).

Virus attaches itself to: Reset vector, Hdv_bpb vector and VBL vector (this virus operates out of the VBL!).

Disks can be immunized against it: Yes (0.W $601C or 2.W $001C, and must be executable).

Immunizable with UVK: Yes.

What can happen: Message on screen "Maulwurf I - SSG (Subversive Software Group)" and computer locks up.

When does that happen: If original Hdv_bpb vector is re-installed, or when someone changes the Hz200 counter.

Reset-proof: Yes.

Can copy to hard disk: No.

Remark: This virus was made by the Subversive Software Group in Germany. It is also called Caterpillar Virus, its name in English.

 

Virus #9

 

Name: Bayrische Hacker Post (BHP) Virus.

Type: Memory-resident bootsector virus.

Discovery date: September 10th 1988 (Henrik Alt).

Virus can copy to drive(s): A or B (current drive).

Virus attaches itself to: Hdv_bpb vector.

Disks can be immunized against it: Yes (ANY value on 0.W).

Immunizable with UVK: Yes.

What can happen: Nothing. It only copies itself.

When does that happen: Never (how could it?).

Reset-proof: No.

Can copy to hard disk: No.

Remark: Thought to have been made by the Bayrische Hacker Post. This is a small computer user’s group in Germany that also publishes a small club magazine. In that magazine, the virus was said to be reset-proof, and that it would ‘write through the write-protect notch’ (haha!). None if this is true. It checks disk write-protection, however, in a way that only works successfully on TOS version 1.00.

 

Virus #10

 

Name: Lab-Virus.

Type: Memory-resident bootsector virus.

Discovery date: September 10th 1988 (Henrik Alt).

Virus can copy to drive(s): A or B (current drive).

Virus attaches itself to: Hdv_bpb vector.

Disks can be immunized against it: No.

What can happen: Screen is made entirely black.

When does that happen: After copying itself 10 times.

Reset-proof: No.

Can copy to hard disk: No.

Remark: Checks the write-protect status address in an illegal way, and will therefore not work correctly on any TOS version above 1.04. This virus seems to be an adapted version of the BHP Virus.

 

Virus #11

 

Name: FAT Virus.

Type: Reset-proof memory-resident bootsector call virus.

Discovery date: May 1st 1988 (Stephen E. Schneider).

Virus can copy to drive(s): A.

Virus attaches itself to: Hdv_bpb and reset vector.

Disks can be immunized against it: Yes (executable).

Immunizable with UVK: Yes.

What can happen: Random memory accesses, resulting in blots appearing on the screen and current program running crashing.

When does that happen: After three hours, and then at the first time address $114 is changed from its original value (this is the MFP Interrupt 5 vector).

Reset-proof: Yes.

Can copy to hard disk: No.

Remark: Only works on 02-06-1986 ROMs (German TOS 1.00). It uses time delays to make it more difficult to detect. This virus spreads easily and rapidly. It is bigger than just one bootsector and also uses the last FAT sector to write itself on. It is probably made in Switzerland, and is also called Swiss Virus or Blot Virus.

 

Virus #12

 

Name: Ghost Virus A.

Type: Reset-proof memory-resident bootsector virus.

Discovery date: November 20th 1988 (Carmen Brunner).

Virus can copy to drive(s): A or B (current drive).

Virus attaches itself to: Hdv_bpb and resvector; it is also non-

documented reset-resistant.

Disks can be immunized against it: No.

What can happen: Mouse Y directions are inverted.

When does that happen: After copying itself 10 times.

Reset-proof: Yes.

Can copy to hard disk: No.

Remark: England. It is very widely spread (England, Holland, Sweden and West Germany in particular). It is also known as the Mouse Virus or Inversion Virus.

 

Virus #13

 

Name: 5th Generation Virus.

Type: Memory-resident bootsector virus.

Discovery date: December 6th 1988.

Virus can copy to drive(s): A.

Virus attaches itself to: Trap #13 vector.

Disks can be immunized against it: Yes (executable).

Immunizable with UVK: Yes.

What can happen: Writes trash in the first 34 sectors of a disk, lethally corrupting the bootsector, FAT, and directory.

When does that happen: When the virus has reached its fifth generation.

Reset-proof: No.

Can copy to hard disk: No.

 

Virus #14

 

Name: OLI Virus.

Type: Reset-proof memory-resident bootsector virus.

Discovery date: December 10th 1988.

Virus can copy to drive(s): Boot device.

Virus attaches itself to: Hdv_rw and trap #14 vector; also non-documented reset-resistant.

Disks can be immunized against it: No.

What can happen: The text "OLI-VIRUS installed ." appears on the screen. Then, it starts slowing down the ST by hooking itself on an interrupt vector. In certain cases, it can also corrupt disk data.

When does that happen: After having made 20 copies of itself.

Reset-proof: Yes.

Can copy to hard disk: No.

 

Virus #15

 

Name: Maulwurf I Virus A (German TOS version).

Discovery date: January 1st 1989.

Symptoms and remark: See virus #8. Only three branch addresses are different, so as to work on German instead of English TOS.

 

Virus #16

 

Name: Kobold #2 Virus A.

Type: Reset-proof memory-resident bootsector virus.

Discovery date: January 2nd 1989.

Virus can copy to drive(s): A (?).

Virus attaches itself to: Hdv_bpb and resvector; Vbl_queue; also undocumented reset-resistant.

Disks can be immunized against it: No.

Immunizable with UVK: No.

What can happen: The mouse UP and LEFT directions will be slightly distorted, resulting in the user slowly moving the device off the desk.

When does that happen: Whenever XBIOS functions are called.

Reset-proof: Yes.

Can copy to hard disk: No.

Remark: This was the toughest virus so far. Not many statements can be made about it with certainty. It installs itself in memory on booting, and only after ANOTHER reset will it install the vectors mentioned above. Then, it will also print the text "KOBOLD#2 AKTIV!" (This leads to the belief that the virus is German).

Confusingly, there is also a "Kobold AntiVirus." This is a "virus free" disk that can be created by the German fast file copy program "Kobold" of the company Kaktus Gbr, and no true Antivirus. It has nothing to do with the Kobold Virus.

 

Virus #17

 

Name: Mad Virus C.

Discovery date: January 1989 (Frits Couwenberg).

Symptoms: See virus #2.

Remark: Some of the last screen fiddle/sound routines in this virus have been corrupted by alien code. It will therefore crash when these routines are executed.

 

Virus #18

 

Name: Mutant Anti-Virus #1 A.

Discovery date: January 28th 1989.

Symptoms: Copies itself to other disks (except when they’re executable). Some of the latter half of its code is corrupted by alien code, however, and may/will result in a system crash.

Remark: Read further for more info about anti-viruses.

 

Virus #19

 

Name: Goblin Virus.

Type: Reset-proof memory-resident bootsector virus.

Discovery date: April 3rd 1989 (Clive Duberley).

Virus can copy to drive(s): A or B (drive used by disk access call).

Virus attaches itself to: Hdv_bpb and resvector; also non-documented reset- resistant.

Disks can be immunized against it: Yes (1A2.L $27182818).

Immunizable with UVK: Yes.

What can happen: It puts the message "The Green Goblins Strike Again" on the screen; it can also mess up the display.

When does that happen: The message appears after 128 copies of itself have been made; messing up of the display happens after 16 copies of itself have been made.

Reset-proof: Yes.

Can copy to hard disk: No.

Remark: Probably made in England.

 

Virus #20

 

Name: Mutant Anti-Virus #1 B.

Discovery Date: March 6th 1989 (Thomas Gathen).

Symptoms: System crashes, mainly. This is just a gigantically corrupted Anti-Virus #1, and really can’t do anything decent. Most probably doesn’t even multiply...

 

Virus #21

 

Name: Counter Virus.

Type: Memory-resident bootsector virus.

Discovery Date: May 1989.

Virus can copy to drive(s): A or B (current drive).

Virus attaches itself to: ?

Disks can be immunized against it: ?

Immunizable with UVK: ?

What can happen: Nothing.

When does that happen: Never (would it?).

Reset-proof: No.

Can copy to hard disk: No.

Symptoms: This virus keeps a generation counter, but doesn’t do anything more.

 

Virus #22

 

Name: Help Virus.

Type: Memory-resident bootsector virus.

Discovery date: September 1988.

Virus can copy to drive(s): None.

Virus attaches itself to: ?

Disks can be immunized against it: ?

Immunizable with UVK: ?

What can happen: Screen is filled with bombs.

When does that happen: At booting.

Reset-proof: No.

Can copy to hard disk: No.

Remark: No real virus, because it actually cannot multiply without external help. Since it resides in the bootsector, since another virus killer classified it as a ‘virus’ and since it does something a computer user would not like, it is still listed here as a ‘virus’.

 

Virus #23

 

Name: Exception Virus.

Type: Reset-proof memory-resident bootsector virus.

Discovery date: September 1988.

Virus can copy to drive(s): A or B (current drive).

Virus attaches itself to: Hdv_bpb vector, undocumented reset-resistant.

Disks can be immunized against it: No.

What can happen: System crashes due to random values written to random memory locations.

When does that happen: About 22 minutes after a vbl routine is installed, which happens after accessing a non-write protected disk in drive A or B.

Reset-proof: Yes.

Can copy to hard disk: No.

Remark: Does not work when Hdv_bpb points at an address below hexadecimal address $FFFF (generally this is the case when a hard disk driver is installed). It was previously also known as Random Virus, and it only works on TOS versions 1.00 and 1.02.

 

Virus #24

 

Name: Gauweiler Virus.

Type: Reset-proof memory-resident bootsector virus.

Discovery date: July 12th 1989 (Harald Wend).

Virus can copy to drive(s): A or B (current drive).

Virus attaches itself to: Hdv_bpb; undocumented reset-resistant.

Disks can be immunized against it: No.

What can happen: Writes "AIDS?" on the screen and zeroes track 1 of a floppy disk (irretrievably destroying bootsector, FAT, and directory).

When does that happen: After the first reset after booting it.

Reset-proof: Yes.

Can copy to hard disk: No.

Remark: Version 3.0 of this virus (version number contained in boot code) is supposed to have been programmed on July 7th 1988 (also contained in boot code). So it was almost exactly one year old by the time it was discovered...

 

Virus #25

 

Name: Evil Virus.

Type: Reset-proof memory-resident bootsector virus.

Discovery date: May 23rd 1989 (Jeremy Hughes).

Virus can copy to drive(s): A or B (current drive).

Virus attaches itself to: Resvector and Hdv_bpb.

Disks can be immunized against it: Yes (0.L $60380666).

Immunizable with UVK: No.

What can happen: Screen colours inverted.

When does that happen: After 100 copies of itself have been made.

Reset-proof: Yes.

Can copy to hard disk: No.

Remarks: Contains the text " EVIL ! - A Gift from Old Nick". It was written in England. Obviously, the author acquired a copy of an earlier version of the "Ultimate Virus Killer" - he made sure the virus was recognised as an Atari system disk! Very cleverly done, by using the recognition bytes somewhere in the virus code. I am glad to say that we were at least one step ahead of this guy!

This virus is very often found in Scandinavian countries.

 

Virus #26

 

Name: P.M.S. Virus.

Type: Reset-proof memory-resident bootsector virus.

Discovery date: May 20th 1989 (Chris Dudley).

Virus can copy to drive(s): A.

Virus attaches itself to: XBIOS trap vector and reset vector.

Disks can be immunized against it: Yes (1B4.L $2A2A2A20).

Immunizable with UVK: Yes.

What can happen: Text "*** The Pirate Trap ***, * Youre being watched *, *** (C) P.M.S. 1987 ***" (sic) appears on the screen.

When does that happen: At each 50th copy of itself that is made.

Reset-proof: Yes.

Can copy to hard disk: No.

Remark: Contains a copyright message for 1987 (!). This virus might thus be very old (might in theory pre-date the Signum Virus) and it is a miracle that is had slipped through the attention of all virus killers until 1989. It is thought to have been made by a software vendor to prevent people from copying software in his shop. Due to obvious reasons, it is also called Pirate Trap Virus.

This virus patched the XBIOS vector in such an effective way that, once the virus is in memory, it even patches bootsector reads to hide its presence. It copies itself at each use of Floprd (XBIOS 8)!

 

Virus #27

 

Name: Ghost Virus B.

Discovery date: June 15th 1989 (R. de Groen).

Symptoms: See Virus #12 (Ghost Virus). This virus has a few damaged bytes and will therefore crash easily.

 

Virus #28

 

Name: Arnold/Rambo Virus.

Type: Memory-resident bootsector virus.

Discovery date: November 1989.

Virus can copy to drive(s): A or B (current drive).

Virus attaches itself to: Hdv_bpb vector.

Disks can be immunized against it: Yes (0.B $60).

Immunizable with UVK: Yes.

What can happen: Nothing.

When does that happen: After five copies were made.

Reset-proof: No.

Can copy to hard disk: No.

Remark: This virus seems to have been designed to have precisely the same effects as the Mad Virus, but due to a wrong branch and a non-working counter this does not work.

 

Virus #29

 

Name: Monitor Virus.

Type: Reset-proof memory-resident bootsector virus.

Discovery date: November 1989.

Virus can copy to drive(s): A or B.

Virus attaches itself to: ?

Disks can be immunized against it: ?

What can happen: Random lines are put on the screen.

When does that happen: ?

Reset-proof: Yes.

Can copy to hard disk: No.

Symptoms: Some random lines are put on the screen, which are probably meant to hint at a damaged monitor. Of course, this virus doesn’t harm the monitor at all.

 

Virus #30

 

Name: Anti-ACA Virus.

Type: Memory-resident bootsector virus.

Discovery date: December 28th 1989.

Virus can copy to drive(s): A or B (current drive).

Virus attaches itself to: GEMDOS trap vector.

Disks can be immunized against it: Yes (0.W $601C).

Immunizable with UVK: No.

What can happen: Text "GREETINGS TO ACA, THE FIRST GROUP TO BE GREETED IN A VIRUS! (AND THEY ARE THE GUYS WHO MADE THE 1ST ST VIRUS" on screen, followed by the computer crashing.

When does that happen: After four copies of itself are made.

Reset-proof: No.

Can copy to hard disk: No.

Remarks: Someone calling himself The Lazy Lion wrote this virus in Norway (as were viruses #31-36!). Actually, unlike this virus claims, the first virus on the ST was not that of the ACA (but who cares).

All these viruses patch the GEMDOS trap vector, and will get active and/or copy themselves at any Fopen or Fsfirst GEMDOS call. Quite unlogical for a bootsector virus.

 

Virus #31

 

Name: Chopin Virus.

Type: Memory-resident bootsector virus.

Discovery date: December 28th 1989.

Virus can copy to drive(s): A.

Virus attaches itself to: GEMDOS trap vector.

Disks can be immunized against it: No.

What can happen: Music of Chopin’s Death March starts playing endlessly and system freezes to a halt. At each music end, it also prints the message "FUCK! YOU’VE GOT A VIRUS!" on the screen.

When does that happen: After 26 copies of itself are made.

Reset-proof: No.

Can copy to hard disk: No.

 

Virus #32

 

Name: Cookie Monster Virus A.

Type: Memory-resident bootsector virus.

Discovery date: December 28th 1989.

Virus can copy to drive(s): A.

Virus attaches itself to: GEMDOS trap vector.

Disks can be immunized against it: No.

What can happen: Writes "YOU KNOW WHAT? I WANT A COOKIE!" on the screen, and then waits for the user to type COOKIE. After having done this, it will enable the user to continue whatever he was doing.

When does that happen: After 30 copies of itself are made, then after each 20th copy.

Reset-proof: No.

Can copy to hard disk: No.

 

Virus #33

 

Name: Cookie Monster Virus B.

Type: Reset-proof memory-resident bootsector virus.

Discovery date: December 28th 1989.

Virus can copy to drive(s): A.

Virus attaches itself to: GEMDOS trap vector and resvector.

Disks can be immunized against it: No.

What can happen: See virus #32.

When does that happen: See virus #32.

Reset-proof: Yes.

Can copy to hard disk: No.

Remark: The only difference with virus #32 is that it is reset-proof.

 

Virus #34

 

Name: Puke Virus A.

Type: Memory-resident bootsector virus.

Discovery date: December 28th 1989.

Virus can copy to drive(s): A or B (current drive).

Virus attaches itself to: GEMDOS trap vector.

Disks can be immunized against it: Yes (0.W $601C).

Immunizable with UVK: No.

What can happen: First file deleted from current floppy drive.

When does that happen: After five copies of itself are made.

Reset-proof: No.

Can copy to hard disk: No.

Remark: The boot code also includes the address of a well-known member of the Atari society, who was supposed to be blackmailed using this virus (needless to say this person did not write this virus).

 

Virus #35

 

Name: Puke Virus B.

Type: Memory-resident bootsector virus.

Discovery date: December 28th 1989.

Virus can copy to drive(s): A or B (current drive).

Virus attaches itself to: XBIOS trap vector.

Disks can be immunized against it: Yes (19E.L $70756B65).

Immunizable with UVK: Yes.

What can happen: Track 1 gets the memory contents of $78000 (screen memory on half meg machines) written on it (irretrievably corrupting bootsector, FAT and directory sectors).

When does that happen: After having made five copies of itself, and then after each second copy.

Reset-proof: No.

Can copy to hard disk: No.

Remark: See virus #34. The immunization code is actually the word "puke," which can be seen in immunized bootsectors. So there’s the explanation for the occurrence of that nasty word there, Mary Whitehouse!

 

Virus #36

 

Name: Upside Down Virus.

Type: Memory-resident bootsector virus.

Discovery date: December 28th 1989.

Virus can copy to drive(s): A or B (current drive).

Virus attaches itself to: GEMDOS trap vector.

Disks can be immunized against it: Yes (0.W $601C).

Immunizable with UVK: No.

What can happen: Screen turns upside down.

When does that happen: After four copies of itself are made, and then after each second copy.

Reset-proof: No.

Can copy to hard disk: No.

Remark: Due to a bug, it seems to write only non-executable copies of itself?

 

Virus #37

 

Name: Mutant Anti-Virus #4.

Discovery date: Autumn 1989.

Symptoms: As this is an anti-virus with almost 50% of its code destroyed, it probably only crashes the system on boot-up.

 

Virus #38

 

Name: G-DATA Virus.

Type: Memory-resident bootsector virus.

Discovery date: May 5th 1990.

Virus can copy to drive(s): A or B (current drive).

Virus attaches itself to: Hdv_bpb vector.

Disks can be immunized against it: Yes (0.B $60).

Immunizable with UVK: Yes.

What can happen: Nothing.

Reset-proof: No.

Can copy to hard disk: No.

Remark: This virus was not written by G-Data (which is a German company that also used to do a virus killer), but owes its name to the fact that it contains the message "ANTI-VIREN KIT 3KEIN VIRUS IM BOOTSECTOR" (sic) (translation: "ANTI-VIREN KIT 3NO VIRUS IN THE BOOTSECTOR"), suggesting that it is a disk immunized by the G-Data virus killer (which, of course, it isn’t). It’s based on the Exception Virus. It’s also called G-DATA Laxy Virus.

 

Virus #39

 

Name: Media Change Virus.

Type: Reset-proof memory-resident bootsector viruses.

Discovery date: October 27th 1989.

Virus can copy to drive(s): All boot devices.

Virus attaches itself to: Mediach (Media Change) vector, and undocumented reset-resistant.

Disks can be immunized against it: Yes (executable).

Immunizable with UVK: Yes.

What can happen: Text turns to screen colour.

When does that happen: Every fifth copy.

Reset-proof: Yes.

Can copy to hard disk: Yes.

Remark: Since it does not check for drives higher than B, and since it uses the BIOS Rwabs call, it can also copy to hard disk when you have booted from that!

 

Virus #40

 

Name: Ghost Virus C.

Discovery date: March 9th 1990.

Remark: A version of the original Ghost Virus in which three bytes have been corrupted, causing the branch to be (non-fatally) misled and the mouse reversion routine to malfunction. It copies without any problems, though, and is indeed reset-proof.

 

Virus #41

 

Name: Bat Virus.

Type: Non-executable reset-proof memory-resident bootsector call virus.

Discovery date: March 17th 1990 (George Woodside).

Virus can copy to drive(s): Current drive.

Virus attaches itself to: Hdv_bpb vector, timer vectors, reset vector. It’s also undocumented reset-resistant.

Disks can be immunized against it: No.

What can happen: Last sectors of directory can be destroyed if the directory is very long. The mouse pointer will turn into a Batman logo.

When does that happen: The directory bit can happen each time it copies itself; the mouse pointer will change after one hour.

Reset-proof: Yes.

Can copy to hard disk: ?

Remark: Written by some kid for a French journalist, at least allegedly. He’s an author who has e.g. written articles about viruses, and he has probably done this virus to check how fast they can multiply and to check how good virus killers are. Previously, this virus was considered to be 100% safe by all virus killers, as the bootsector was not executable - yet it was a bootsector virus anyway. Really a very ingenious virus.

 

Virus #42

 

Name: Grim Reaper Virus.

Type: Memory-resident bootsector virus.

Discovery date: May 9th 1990 (John).

Virus can copy to drive(s): Drive A only.

Virus attaches itself to: Hdv_bpb vector.

Disks can be immunized against it: Yes (0.W $6A38, 3A.W $41FA).

Immunizable with UVK: No.

What can happen: De-installs itself, screws up the screen, prints garbage on the screen and writes to contents of memory at $78000 (screen address on half megabyte machines) to the first 20 sectors of a disk, lethally corrupting bootsector, FAT and directory.

When does that happen: After 47 copies of itself are made.

Reset-proof: No.

Can copy to hard disk: No.

Remark: A nasty one, this virus. Its installation structure is identical with George Woodside’s anti-virus "VKill Guard". The bootsector also contains the text " -= The Jumper strikes again =- Pirates, the grim reaper draws near ".

 

Virus #43

 

Name: Megacunt V2.0 virus.

Type: Memory-resident bootsector virus.

Discovery date: December 1989 (Dave Moss).

Virus can copy to drive(s): Current drive (floppy only), and only to immunized disks.

Virus attaches itself to: Hdv_bpb vector.

Disks can be immunized against it: No.

What can happen: Acid-colours will be on the background screen colour, done by the level 4 interrupt.

When does that happen: After 20 copies of itself are made.

Reset-proof: No.

Can copy to hard disk: No.

Remark: Written by a chap calling himself Genital Grinder of Alcoholica, and only copies to immunized disks (!crikey!). Several other versions of this virus are believed to exist, but none have been sighted.

 

Virus #44

 

Name: Horror Virus.

Type: Non-executable reset-proof memory-resident bootsector call virus.

Discovery date: August 23rd 1990.

Virus can copy to drive(s): Drive A.

Virus attaches itself to: Hdv_bpb vector, timer C vector. Also undocumented reset-resistant.

Disks can be immunized against it: No.

What can happen: Screen will switch colours, sound will be heard.

When does that happen: At a certain time after copying itself five times.

Reset-proof: Yes.

Can copy to hard disk: No.

Remark: Written by Gunstick of ULM from Luxemburg, for test purposes. He did this early spring 1990. It has never been spread, but he gave it to me ‘just in case’. Previously, this virus was considered to be 100% safe by all virus killers, as the bootsector is not executable - yet it is a bootsector virus (see Batman Virus).

 

Virus #45

 

Name: DJA Virus.

Type: Memory-resident bootsector virus.

Discovery date: Summer 1990.

Virus can copy to drive(s): Current drive.

Virus attaches itself to: Hdv_bpb vector.

Disks can be immunized against it: Yes (0.W $6038).

Immunizable with UVK: Yes.

What can happen: Message will be displayed on screen ("Du ar smetted av DJA viruset Generatio....[generation number]") and system will lock up. This text means "You are infected by the DJA virus generation x".

When does that happen: After a fourth disk is found with the virus on it (or any disk starting with $6038 - including immunized ones!).

Reset-proof: No.

Can copy to hard disk: Yes.

Remark: Written in Scandinavia, as the text it prints means "You are infected by the DJA virus" in a Scandinavian language). A good thing is that it does not copy to immunized disks - but unfortunately these immunized disks do trigger the ‘destruction’ routine, too!

 

Virus #46

 

Name: TOI Virus.

Type: Reset-proof memory-resident bootsector virus.

Discovery date: November 10th 1990 (George Woodside).

Virus can copy to drive(s): Current drive.

Virus attaches itself to: Hdv_bpb and resvector; it is also non-documented reset-resistant.

Disks can be immunized against it: No.

What can happen: Inverts the vertical mouse movements (just like the Ghost Virus, which is its pre-virus). After that, it also toggles the bits of a random memory location (this leads to unpredictable crashes and small things going wrong).

When does that happen: After five copies of itself have been made.

Reset-proof: Yes.

Can copy to hard disk: No.

Remark: An adapted version of the Ghost Virus. The name comes from the TOI programming group in Denver, Colorado, USA, who are reported to be responsible for this one.

 

Virus #47

 

Name: Flying Chimp Virus.

Type: Memory-resident bootsector virus.

Discovery date: December 15th 1990 (Les Neidig).

Virus can copy to drive(s): Drive A.

Virus attaches itself to: Hdv_bpb vector.

Disks can be immunized against it: No.

What can happen: Message will be displayed on screen ("Zapped by Waldo the Flying Chimp!").

When does that happen: After it has multiplied itself five times, or when it has had 20 bootsector accesses.

Reset-proof: No.

Can copy to hard disk: No.

Remark: Thought to have been written in the USA. Also known as the Waldo Virus.

 

Virus #48

 

Name: Reset Virus.

Type: Memory-resident bootsector virus.

Discovery date: Summer 1988 (Volker Söhnitz).

Virus can copy to drive(s): ?

Virus attaches itself to: Hdv_bpb, Hdv_rw and Hdv_mediach vectors.

Disks can be immunized against it: No.

What can happen: It writes a message "Ihr Rechner hat Aids" (German for "Your computer has AIDS") on the screen and then freezes it.

When does that happen: Three hours after booting.

Reset-proof: No.

Can copy to hard disk: No.

Remark: Strangely enough, this virus will not copy itself if you have a cartridge installed with the word "Dent" at cartridge memory address $FA0066. Odd.

 

Virus #49

 

Name: MAD Virus B.

Discovery date: December 1987 (Volker Söhnitz).

Symptoms: See virus #2.

Remark: Published in a magazine called "Atari Spezial" (German), and therefore also known under the name Atari Spezial Virus. This is the original MAD Virus, which is exactly the same as MAD Virus A (which was spread the most) except for the offset of most code. It was written by J. Schuppener, and it was published towards the end of the year 1987 in the above mentioned magazine. The magazine now seems to be defunct, but the publisher used to be CAV-GmbH.

 

Virus #50

 

Name: Ghost Virus D.

Discovery date: February 17th 1990.

Symptoms: See virus #12 (Ghost Virus). This virus has a few damaged bytes and will not work properly - may even crash.

 

Virus #51

 

Name: Ghost Virus E.

Discovery date: April 1991.

Symptoms: Principally it’s the same as the Ghost Virus (#12), but the symptoms are different. It does something with the vertical blank queue and leaves the mouse alone. Unfortunately the precise symptoms are unknown as the copies of this virus that were found were both damaged.

 

Virus #52

 

Name: Ghost Virus F.

Discovery date: April 1991.

Symptoms: See virus #12 (Ghost Virus), Unfortunately, there is some corrupted code in the virus copy routine so that it can cause a disk to be corrupted (the bootsector can be written wrongly, not corrupting the actual data but making it inaccessible).

 

Virus #53

 

Name: Megaguru & Argo 2 Virus.

Type: Memory-resident bootsector virus.

Discovery date: June 22nd 1991 (Paolo Munarin).

Virus can copy to drive(s): A or B (current drive).

Virus attaches itself to: Hdv_bpb vector.

Disks can be immunized against it: No.

What can happen: At booting, writes the text "* MEGAGURU & ARGO 2 001 * ANTEPRIME ATARI E AMIGA PRESENTANO :" on the screen. When things go ‘wrong’ the screen inverts and a bleep sounds.

When does that happen: At each disk with an executable bootsector that is accessed - with the exception of disks that have the virus itself on them.

Reset-proof: No.

Can copy to hard disk: No.

Remark: This virus is from Italy. It was found on a disk that contained a text file from a hacker called Megaguru, who (quote) "would like to swap Amiga and ST software". Even his phone number was on it.

 

Virus #54

 

Name: Ghost Virus G.

Discovery date: June 1991 (Kai Holst).

Symptoms: See virus #12 (Ghost Virus). This seems to be an adapted version of the Ghost Virus, and the pre-virus to most recent versions of mutant Ghost Virus (of which there are rather an absurd lot).

 

Virus #55

 

Name: Finland Virus.

Type: Memory-resident reset-proof bootsector virus.

Discovery date: Early July 1991 (Steffen Fischer).

Virus can copy to drive(s): A.

Virus attaches itself to: Hdv_bpb vector, resvector. Also undocumented reset-resistant.

Disks can be immunized against it: Yes (executable).

Immunizable with UVK: Yes.

What can happen: Fiddling with the screen colours (this comes down to the green and white colours of the desktop being reversed when in colour mode).

When does that happen: After it has done each 12th copy of itself. The virus only copies to non-executable disks, or executable disks that have viral symptoms (i.e. other viruses and itself) or that have the word ‘Boot’ contained at hexadecimal offset $82 (any disk ‘protected’ by the boot program of the German PD virus killer "Sagrotan" has the word ‘Boot’ at this offset!).

Reset-proof: Yes.

Can copy to hard disk: No.

Remark: This virus was coded by a chap called Toubab, on August 30th 1990. It got sent to me by two people almost at the same time after the virus was almost one year old! Both occurrences, however, were in Scandinavia (disks from Finland and Norway) so this leads me to believe it was written in Scandinavia. It was a real pain in the posterior, as it started with a longword ‘00000000’ value, that lead the "Ultimate Virus Killer" to not finding it suspect!

 

Virus #56

 

Name: Ghost Virus H.

Discovery date: August 5th 1991 (Harald Uenzelmann).

Symptoms: See virus #12 (Ghost Virus). This is principally exactly the same as the standard Ghost Virus, but someone apparently found it necessary to change the initial Branch into BLS instead of BRA - which has the same result when executed but which effectively caused it not to be recognised.

 

Virus #57

 

Name: Signum Virus C.

Discovery date: September 25th 1991 (Darren Laidler).

Symptoms: See virus #1 (Signum Virus A). This is exactly the same with regard to symptoms and the way it works. The only reason why it is basically different is that someone (probably someone in England) optimised it a bit, and some machine code instructions have been replaced by others.

 

Virus #58

 

Name: Joe Virus.

Type: Memory-resident bootsector virus.

Discovery date: November 25th 1991 (ACN).

Virus can copy to drive(s): Current floppy drive (A or B).

Virus attaches itself to: Hdv_bpb vector.

Disks can be immunized against it: Yes (0.W $4E71).

Immunizable with UVK: No.

What can happen: When it finds itself with a specific value in the fourth and fifth byte, it will execute itself again, probably cluttering up the system.

When does that happen: When it finds itself again, and then every second time.

Reset-proof: No.

Can copy to hard disk: No.

Remark: As this virus has no particular characteristics, it was called Joe Virus as I was listening to Jimi Hendrix’ "Hey Joe" when I disassembled it. It is also called Cannibal Virus, probably due to it causing crashes when encountering itself.

 

Virus #59

 

Name: Directory Waster Virus.

Type: Reset-proof memory-resident bootsector virus.

Discovery date: Unknown (Michael Schussler).

Virus can copy to drive(s): Current floppy drive (A or B).

Virus attaches itself to: Hdv_bpb vector, resvector; also undocumented reset-resistant.

Disks can be immunized against it: No.

What can happen: First twenty tracks of your disk get destroyed (both side 0 and side 1!).

When does that happen: After each twentieth copy it made of itself.

Reset-proof: Yes.

Can copy to hard disk: No.

Remark: The name is quite improper, as it destroys about 25% of a disk and not just the directory. Initially, this virus only installs itself on the standard reset vector. After the first reset, it bends the hdv_bpb vector and becomes reset-resistant in the undocumented way.

 

Virus #60

 

Name: Merlin’s Mad Virus.

Type: Memory-resident bootsector virus.

Discovery date: Unknown (Mike Mee).

Virus can copy to drive(s): Not at all.

Virus attaches itself to: Nowhere.

Disks can be immunized against it: No need to immunize.

Immunizable with UVK: Not applicable.

What can happen: See the Mad Virus - it does the same things with the screen and/or makes a sound.

When does that happen: When booting with a disk containing this ‘virus’.

Reset-proof: Not applicable (i.e. "no").

Can copy to hard disk: Not applicable.

Remark: This is no virus at all, but it has been classified as one here as Mike Mee sent it to me, who classified it as a virus in his "Professional Virus Killer" program. It was written by Merlin the Welsh Wizard, and it’s TOTALLY HARMLESS. It can not copy itself, and only fiddles around with the screen in the same fashion as the Mad Virus after which it is called.

 

Virus #61

 

Name: Wolf Virus.

Type: Memory-resident bootsector virus.

Discovery date: February 4th 1991 (Carsten Frischkorn).

Virus can copy to drive(s): Current floppy drive (A or B).

Virus attaches itself to: BIOS vector.

Disks can be immunized against it: Yes (0.W $EB34).

Immunizable with UVK: No.

What can happen: RAM memory amount it halved (this does not imply you actually lose RAM, it just means that it makes the computer think it has less RAM).

When does that happen: After the eighth generation is found.

Reset-proof: No.

Can copy to hard disk: No.

Remark: A rather nasty virus. For starters, it starts off with the bytes you’d normally find on an MS-DOS disk, i.e. all virus killers think it’s an MS-DOS bootsector. Second, it fools the user by putting the message "Kein Virus im bootsector!" on the screen at booting. This is the boot message of the virus-free bootsector of the German virus killer "Sagrotan." It de-installs itself after three infections (i.e. your computer will think you’ve got 1/8th of your actual amount of RAM memory by then).

 

Virus #62

 

Name: Ghost Virus I.

Discovery date: October 5th 1991 (Frank Jonkers).

Symptoms: See virus #12 (Ghost Virus), Unfortunately, there is some corrupted code in the virus copy routine so that it can cause a disk to be corrupted (the bootsector can be written wrongly, not corrupting the actual data but making it inaccessible).

 

Virus #63

 

Name: Menace Virus.

Type: Reset-proof memory-resident bootsector call virus.

Discovery date: Spring 1992 (David of H-Street).

Virus can copy to drive(s): Current floppy drive (A or B).

Virus attaches itself to: XBIOS vector, Hdv_bpb vector and interrupt level 4 interrupt; also undocumented reset-resistant.

Disks can be immunized against it: No.

What can happen: Overwrites the bootsector of your floppy disk with a message in an Elfish language (from J.R.R. Tolkien’s "Lord of the Rings" books).

When does that happen: After having made ten copies of itself.

Reset-proof: Yes.

Can copy to hard disk: No.

Remark: This virus uses two sectors on disk, sector 1 and 10. It’s rather cleverly written and thought to come from Malta. Several versions are believed to exist.

 

Virus #64

 

Name: Ashton Nirvana Virus.

Type: Reset-proof memory-resident bootsector virus.

Discovery date: Spring 1992 (David of H-Street).

Virus can copy to drive(s): Current floppy drive (A or B).

Virus attaches itself to: Hdv_bpb vector; also undocumented reset-resistant.

Disks can be immunized against it: No.

What can happen: Random sectors will be read from the current drive (including hard disk!) and written back with the word "ASHTON" in it. This obviously corrupts your media, at one sector per Hdv_bpb use.

When does that happen: Each time a floppy/hard disk is read from or written to.

Reset-proof: Yes.

Can copy to hard disk: No. But it can damage data contained on it!

Remark: Perhaps this virus was written by the same person as the Menace Virus. It’s a nasty one as it can corrupt hard disks as well!

 

Virus #65

 

Name: Lietuva Virus.

Type: Reset-proof memory-resident bootsector virus.

Discovery date: Spring 1992 (Paragraph Headquarters).

Virus can copy to drive(s): Current floppy drive (A or B).

Virus attaches itself to: Vbl queue, resetvector; also undocumented reset-resistant.

Disks can be immunized against it: No.

What can happen: Bootsector will be zeroed.

When does that happen: After the first eight copies of itself are made, and every six copies afterwards. A copy is made every time a disk’s bootsector is read/written.

Reset-proof: Yes.

Can copy to hard disk: No.

Remark: Written by someone in the former USSR who now lives in Lithuania. It does not bend any actual system variables, which makes it rather revolutionary.

 

Virus #66

 

Name: Signum Virus D

Discovery date: March 25th 1992 (Volker Söhnitz)

Remark: This is an optimised version of the original Signum A Virus, which is also somewhat smaller in size. It is no longer immunizable with the standard Signum Virus immunization (0.W $6038) but instead requires to be immunized with 2.W $07C4. This effectively makes it impossible to immunize against it with the "Ultimate Virus Killer"...

 

Virus #67

 

Name: Zorro Virus A.

Type: Reset-proof memory-resident bootsector virus.

Discovery date: June 1992 (P. van Zanten)

Virus can copy to drive(s): Current floppy drive (A or B).

Virus attaches itself to: Hdv_rw, Hdv_bpb, resvector and also undocumented reset-resistant.

Disks can be immunized against it: No.

What can happen: System will lock itself.

When does that happen: After a specific number of copies are made.

Reset-proof: Yes.

Can copy to hard disk: No.

Remark: A very complex virus that evaded virus killers previously by being recognised as an MS-DOS bootsector. It’s heavily coded and installs itself in memory in a very complex way. On top of that it seems capable of installing differently coded versions of itself so that per definition each copy of this virus differs from all other copies of it. This was apparently written as an anti-virus. The author is Dutch.

 

Virus #68

 

Name: Zoch Virus.

Type: Memory-resident bootsector virus.

Discovery date: December 1992.

Virus can copy to drive(s): Current floppy drive (A or B).

Virus attaches itself to: Hdv_bpb.

Disks can be immunized against it: Yes (0.L $5A4F4348, "ZOCH").

Immunizable with UVK: No.

What can happen: Text on screen ("The Night Force Virus Breaker by Zoch"), and copies itself.

When does that happen: Text appears on installation. It copies itself to all disks it is not on already.

Reset-proof: No.

Can copy to hard disk: No.

Remark: To all intent and purpose this virus was written as an anti-virus. Unfortunately it copies itself across all bootsectors it finds with the exception of ones it finds itself on. This means that it will destroy any previous program in the bootsector, whether needed or another virus!

 

Virus #69

 

Name: Macumba 3.3 Virus.

Type: Reset-proof memory-resident bootsector virus.

Discovery date: February 1993 (Chris Brookes).

Virus can copy to drive(s): Current floppy drive (A or B).

Virus attaches itself to: Hdv_bpb, undocumented reset-resistant.

Disks can be immunized against it: No.

What can happen: The system freezes totally and abruptly.

When does that happen: After 42 copies have been made of itself.

Reset-proof: Yes.

Can copy to hard disk: No.

Remark: This virus also codes itself and also fakes to be an MS-DOS disk (just like the Zorro Virus). Quite naughty. Macumba (like Zorro) was conceived as an anti-virus. The author is Dutch.

 

Virus #70

 

Name: Zorro Virus B.

Discovery date: February 17th 1993 (Kenneth Elofsson)

Remark: Virtually identical to Zorro Virus A, so refer to information given there. Only a few bytes have been changed.

 

Virus #71

 

Name: Beilstein Virus.

Type: Reset-proof memory-resident bootsector call virus.

Discovery date: March 16th 1993 (Volker Söhnitz).

Virus can copy to drive(s): Current floppy drive (A or B).

Virus attaches itself to: Hdv_bpb, Vbl_queue, Hdv_rw, Hdv_boot, GEMDOS, XBIOS, regularly reset-resistant and undocumented reset-resistant.

Disks can be immunized against it: No.

What can happen, and when: 1) It can delete specific files when ‘MDISK’, ‘FCOPYIII’, ‘FCOPY3??’, ‘DISKUS’, ‘DISKDEMO’, ‘TED_???’ and ‘G_COPY’, 2) It can clear partition "C" of your hard disk when the virus in memory discovers that you are trying to trace it (trace bit set, for example in a debugger), 3) It can create garbage on your screen, 4) Keyboard, mouse and joystick can be disabled, 5) Mouse movements can be inverted (like with the Ghost Virus), 6) Printer output can be corrupted, 7) Modem output can be corrupted, 8) A bomb error can be created, 9) The system can be frozen until you enter the password "Apokalypse", 10) Memory can be cleared, followed by a reset, 11) The first hundred sectors of a floppy disk can be cleared, and 12) It can delete a folder. These are quite an amount of things that can go wrong!

Reset-proof: Yes.

Can copy to hard disk: No.

Remarks: This virus also encodes itself and also fakes to be an MS-DOS disk (just like the Zorro Virus). On top of that it uses an ingenious system where bits of its code are swapped around and where different bootsector offsets are used to make things extra difficult. Even when not yet encoded, there are at least 10 different versions that this virus can generate of itself. With encoding added, over 650,000 versions of this virus can exist. But that’s not everything: The bootsector that was on the disk before it got infected (e.g. a virus free disk) is stored somewhere else and executed after the virus installs itself. This means that a potential "this is a virus free disk" message previously present in the bootsector will still appear even after the disk has been infected! It is a very complex virus that, apart from the bootsector, uses four other sectors on disk that are marked BAD in the FAT to make sure they’re not overwritten. The use of these four extra sectors enable the virus to be bigger (hence the many different destruction routines) and also allow it to buffer the original bootsector previously present on the disk. The last naughty bit about this virus is that, when it bends system variables, it supplies regular XBRA ID codes of popular harmless applications to itself (for example HABO, VREP, VIRA, CB2K, SBTS and WINZ). The "Ultimate Virus Killer" correctly recognises it anyway.

This was without a doubt the nastiest virus so far. It was written by a student from Beilstein, a town in South Germany (hence its name). Officially, it has only been supplied to specific virus killer programmers.

 

Virus #72

 

Name: Temporary Madness Virus.

Type: Reset-proof memory-resident bootsector virus.

Discovery date: March 16th 1993 (Volker Söhnitz).

Virus can copy to drive(s): Current floppy drive (A or B).

Virus attaches itself to: Hdv_bpb, undocumented reset-resistant.

Disks can be immunized against it: No.

What can happen, and when: Every 65536 vertical blanks (on colour that means about every 22 minutes) the mouse movement is inverted for about 10 seconds.

Reset-proof: Yes.

Can copy to hard disk: No.

Remark: In Germany, this virus is also known as the Mouse Coordinate Virus.

 

Virus #73

 

Name: Darkness Virus (Nightmare of Brooklyn #2 ‘Darkness’).

Type: Reset-proof memory-resident bootsector virus.

Discovery date: July 17th 1993 (Piotr Kowalczyk).

Virus can copy to drive(s): Current floppy drive (A or B).

Virus attaches itself to: Hdv_bpb, undocumented reset-resistant, resvector, vbl_queue.

Disks can be immunized against it: No.

What can happen: It can write garbage on the first 9 sectors of a random track between 1 and 79. The first of those sectors will then contain the text "Nightmare of Brooklyn #2 ‘Darkness’". Additionally, the virus can make the screen black.

When does that happen: The disk track garbage writing happens every other 8 copies that it writes of itself. The screen blackening happens every 32768 vertical blanks (i.e. after about 11 minutes on colour monitors, about 7.5 minutes on monochrome).

Reset-proof: Yes.

Can copy to hard disk: No.

Remark: First discovered in Poland. This virus uses an intricate encoding method that, like other recent viruses, allows it to create hundreds of differently recognisable versions of itself.

 

Virus #74

 

Name: Small Virus.

Type: Memory-resident bootsector virus.

Discovery date: Autumn 1993 (Chris Brookes).

Virus can copy to drive(s): Current floppy drive (A or B).

Virus attaches itself to: Hdv_bpb.

Disks can be immunized against it: No.

What can happen: Nothing harmful actually. It has no destruction- or a trigger routine.

When does that happen: Never.

Reset-proof: No.

Can copy to hard disk: No.

Remark: Named after the fact that it is very small, less than half the bootsector size. Only copies itself. Nothing else.

 

Virus #75

 

Name: Ghost Virus J.

Type: Reset-proof memory-resident bootsector virus.

Discovery date: Autumn 1993 (ORQ Computer Group).

Virus can copy to drive(s): Current floppy drive (A or B).

Virus attaches itself to: Hdv_bpb and resvector; it is also non-

documented reset-resistant.

Disks can be immunized against it: No.

What can happen: Most likely nothing. It is changed (or has mutated) so that it manipulates a wrong memory value. The mouse pointer Y direction is NOT inverted.

When does that happen: After copying itself 10 times.

Reset-proof: Yes.

Can copy to hard disk: No.

Remark: It is almost identical to Ghost Virus A, much more than the other variations. It was discovered in Australia, and also known as Silent Virus.

 

Virus #76

 

Name: Zorro Virus C.

Type: Reset-proof memory-resident bootsector virus.

Discovery date: November 2nd 1993 (Piotr Kowalczyk)

Virus can copy to drive(s): Current floppy drive (A or B).

Virus attaches itself to: Hdv_rw, Hdv_bpb, resvector and also undocumented reset-resistant.

Disks can be immunized against it: No.

What can happen: System will lock itself.

When does that happen: After a specific number of copies have been made.

Reset-proof: Yes.

Can copy to hard disk: No.

Remark: Although it does almost exactly the same as Zorro Virus A, it is much more different from it than Zorro Virus B. For starters all its individual routines are interchanged, causing the unencoded virus start to be quite different too. It also installs itself on a different location in memory. This virus may have been made in Poland. It also goes by the name of Wredniak (which is Polish for "Nasty").

 

Virus #77

 

Name: Lucky Lady 1.02 Virus.

Type: Memory-resident bootsector virus.

Discovery date: February 1994.

Virus can copy to drive(s): Floppy drive A only.

Virus attaches itself to: Hdv_bpb and vbl queue.

Disks can be immunized against it: No.

What can happen: A message ("Lucky Lady rules forever!") is printed on the screen continuously, locking your system. A reset is the only way out.

When does that happen: After about an hour (on monochrome 70 Hz) or an hour and fifteen minutes (colour 50 Hz).

Reset-proof: No.

Can copy to hard disk: No.

Remark: Coded by a female programmer who goes by the name of Lucky Lady of Sector MP Inc. from Ljubljana, Slovenia (in former Yugoslavia). She had initiated some sort of bizarre ‘war’, and had vowed to write many more viruses to test both her talent at writing them and my talents at killing them. She sent her latest creations to me by registered mail without specification of the sender. Nothing much more was known about her, other than that she studied at Ljubljana University. This virus is actually prettily clumsily written, and used to get a VPF of 220% because it used three separate instances of "rwabs," among other things.

 

Virus #78

 

Name: Lucky Lady 4.12 Virus.

Type: Reset-proof memory-resident bootsector call virus.

Discovery date: March 1994.

Virus can copy to drive(s): Floppy drive A only.

Virus attaches itself to: Hdv_bpb, resvector, vbl_queue.

Disks can be immunized against it: No.

What can happen: 1) It puts message "Lucky Lady forbids you to load the UVK!" on screen, then erases "UVK_x_x.PRG" files from current drive when you try to load the "Ultimate Virus Killer" 2) Mouse cursor is changed from TOS arrow to Lucky Lady’s logo (LL) 3) Screws up the screen 4) Logical clusters 351 & 352 are overwritten and marked as ‘bad’ in the FAT (Every cluster entry after 351 is thus a "floating entry" if there was a file (data lost) present before on a disk).

When does that happen: Message and "Ultimate Virus Killer" file erasing happens every time you want to load the "Ultimate Virus Killer". Mouse cursor is changed after approximately 35 minutes on monochrome (this takes a bit longer on colour). Clusters 351 & 352 on a floppy disk are lost during cloning i.e. during every drive A access.

Reset-proof: Yes.

Can copy to hard disk: No.

Remark: Like Lucky Lady 1.02, this virus was written by a girl from Slovenia as part of her bizarre ‘war’ (see previous virus remarks). It’s not called Lucky Lady B and the other one Lucky Lady A because the viruses are totally different despite their similar name. This virus is much more complex and also a lot more dangerous. It seems only to work on English versions of TOS 1.00, where the file name of the file currently being loaded is at a specific location.

 

Virus #79

 

Name: Anaconda Virus A.

Type: Reset-proof memory-resident bootsector virus.

Discovery date: February 1994.

Virus can copy to drive(s): Current floppy drive (A or B).

Virus attaches itself to: Hdv_bpb, resvector and also undocumented reset-resistant.

Disks can be immunized against it: No.

What can happen: The virus seems to be designed to print a message on the screen, "MAUI viens de vous niquer" (this means something like "MAUI has just made fun of you", only in rather more explicit French J ). However, there is reason to believe it will in fact get fed a bogus text address and will thus print garbage on the screen instead.

When does that happen: After 10 successful copies are made of itself, and after that every 5 copies.

Reset-proof: Yes.

Can copy to hard disk: No.

Remark: Virus is located at $140, but after the first reset it relocates to phystop-$8200. It is believed to have been written by the Replicants, a cracking group from France, but this is in no way certain. The text seems to indicate a French origin anyway.

 

Virus #80

 

Name: Lucky Lady Virus 1.03.

Type: Reset-proof memory-resident bootsector virus.

Discovery date: April 1994.

Virus can copy to drive(s): A.

Virus attaches itself to: Hdv_bpb, undocumented reset-resistant, resvector, vbl_queue.

Disks can be immunized against it: No.

What can happen: The message "Lucky Lady’s your empress" appears on screen after which your system locks up.

When does that happen: Virus activates itself after approximately 80-110 seconds; the system will lock itself somewhere after between 45 and 65 minutes.

Reset-proof: Yes.

Can copy to hard disk: No.

Remark: Like the other viruses of a similar name, this was written by a Slovenian girl calling herself Lucky Lady. It cleverly disguises itself as an "ST Format Cover Disk" - the virus is a personal revenge against "ST Format" writer Clive Parker (who once slagged off virus authors) - and it is Falcon-compatible.

 

Virus #81

 

Name: Anaconda Virus B.

Type: Reset-proof memory-resident bootsector virus.

Discovery date: Spring 1994.

Virus can copy to drive(s): Current floppy drive (A or B).

Virus attaches itself to: Hdv_bpb, resvector and also undocumented reset-resistant.

Disks can be immunized against it: No.

What can happen: The virus prints the text "AKO-PADS" on the screen. Also, the virus will corrupt the disks it copies itself to.

When does that happen: After 10 successful copies are made of itself, and after that after every 5 copies.

Reset-proof: Yes.

Can copy to hard disk: No.

Remark: This is either an adapted version of Anaconda A, or the other way around. There is no way to prove either. The virus is also known as Ako Pads Virus.

 

Virus #82

 

Name: Pashley Virus.

Type: Memory-resident bootsector virus.

Discovery date: December 4th 1993.

Virus can copy to drive(s): Current floppy drive (A or B).

Virus attaches itself to: Hdv_bpb.

Disks can be immunized against it: Yes (executable).

Immunizable with UVK: Yes.

What can happen: Screen flashing red.

When does that happen: The flashing happens each time when you boot with an infected disk in the boot drive.

Reset-proof: No.

Can copy to hard disk: No.

Remark: Contains the texts "VIRUS KILLED BY S.C.PASHLEY" and "ENGLAND" which are never printed on the screen. Hence the virus name. Virus bootsectors are actually left alone by the supposed anti-virus, as they are normally executable. Maybe this virus was written by S.C.Pashley, but not likely. It is not an anti-virus because it copies itself to other disks and does nothing against viruses as such - which makes it a virus in my book.

 

Virus #83

 

Name: Gotcha Xeno Virus.

Type: Reset-proof memory-resident bootsector virus.

Discovery date: July 4th 1994 (Pawel Parys).

Virus can copy to drive(s): Current floppy drive (A or B).

Virus attaches itself to: Hdv_bpb, resvector and also undocumented reset-resistant.

Disks can be immunized against it: Yes ($1E.L $263C0000).

Immunizable with UVK: No.

What can happen: The virus will write garbage, headed by the text "GOTCHA!" on random tracks (1-64) and sectors (0-7), thus damaging data.

When does that happen: After 10 successful copies are made of itself, and after that after every 5 copies.

Reset-proof: Yes.

Can copy to hard disk: No.

Remark: It is unclear whether this is actually the pre-virus of Anaconda, or perhaps just another virus developed from it. Some of its characteristics (such as the fact that it fully works and that it can principally be immunized against) warrant classifying it as a separate virus.

The reason that it can not be immunized against by the "Ultimate Virus Killer" despite location $1E not being occupied by any other bits of the immunization scheme is that, officially (i.e. according to Atari’s standards), bootsector programs should not start prior to offset $3A. To rule out possible problems, I decided to avoid it altogether.

 

Virus #84

 

Name: UVD Virus.

Type: Potentially reset-proof memory-resident bootsector virus.

Discovery date: October 1994.

Virus can copy to drive(s): Current floppy drive (A or B).

Virus attaches itself to: Hdv_bpb or hdv_mediach.

Disks can be immunized against it: No.

What can happen: The screen will display a text. Depending on its configuration it can lock up the system afterwards.

When does that happen: After about 45 (monochrome 70 Hz) to 65 (colour 50 Hz) minutes.

Reset-proof: Depends on its configuration.

Can copy to hard disk: No.

Remark: This is a series of viruses that can be created by the "Ultimate Virus Designer," a program written by the Slovenian Stonewashing Organisation. It claims almost 200 different versions of this can be made, depending on various configurable parameters such as "offset", "reset-proof yes/no", "hide behind MS-DOS header yes/no", "location in memory", "attach to hdv_bpb or hdv_mediach" as well as two different ‘destruction’ routines or ‘no’ destruction routine. All these versions can be recognised by the "Ultimate Virus Killer."

 

Virus #85

 

Name: Tiny Virus.

Type: Memory-resident bootsector virus.

Discovery date: September 1994.

Virus can copy to drive(s): Floppy drive A only.

Virus attaches itself to: Hdv_bpb and vbl_queue

Disks can be immunized against it: No.

What can happen: Nothing. This virus just copies itself.

When does that happen: Well...never.

Reset-proof: No.

Can copy to hard disk: No.

Remark: This was the smallest virus so far, occupying only 34% of a bootsector. It was written by Lucky Lady.

 

Virus #86

 

Name: Kobold #2 Virus B.

Type: Memory-resident reset-proof bootsector virus.

Discovery date: October 10th 1994 (Dejan Orehek).

Virus can copy to drive(s): A (?).

Virus attaches itself to: Hdv_bpb and resvector, vbl_queue; also undocumented reset-resistant.

Disks can be immunized against it: No.

What can happen: The message "I LOVE JADRANKA" appears on the screen.

When does that happen: Upon installation.

Reset-proof: Yes.

Can copy to hard disk: No.

Remark: This is an adapted version of the Kobold #2 Virus, which was henceforth known as Kobold #2 Virus A. The destruction routine was removed so all this virus does it copy itself and display that message at start-up. The text message is encoded within the virus with a hexadecimal decoding value of $21111968, which would lead to thinking that November 21st 1968 is the birth date of either the author of Kobold #2 Virus B or this mysterious recipient of his affection, Jadranka.

This virus is probably of Balkan origin, and might date back to 1991.

 

Virus #87

 

Name: Signum Virus E.

Discovery date: September 19th 1994 (Mike Holmes).

Remark: This is a corrupt version of the original, with a different branch offset and faulty start-up code, most likely leading to a system crash upon installation. It cannot multiply effectively.

 

Virus #88

 

Name: Macumba 5.2 Virus.

Type: Memory-resident reset-proof bootsector virus.

Discovery date: August 1994.

Virus can copy to drive(s): A or B (current drive).

Virus attaches itself to: Hdv_bpb and undocumented reset-resistant.

Disks can be immunized against it: Yes (executable or 0.L $EB909047).

Immunizable with UVK: Yes.

What can happen: This is not exactly known. Probably a crash?

When does that happen: Probably not too long after a reset.

Reset-proof: Yes.

Can copy to harddisk: No.

Remark: To my shock, I ran across a collection of Macumba Virus installation and recognition files, leading to the following conclusions. First of all, it’s written by someone from the Netherlands. Second, there seem to be at least 19 different versions of virus (0.9, 0.9a, 1.0, 2.0, 3.0, 3.1 TT, 3.2 TT, 3.3 TT, 3.4 TT, 3.5 TT, 3.6 TT, 3.7 TT, 3.8 TT, 3.9 TT, 4.0 TT, 4.0b TT, 5.0 Falcon and 5.2 Falcon). It seems we are dealing with some TT compatible and Falcon compatible viruses here. Viruses 0.9, 0.9a and 1.0 have bugs in them, so might not work/multiply properly.

I am trying hard to get my hands on the versions that are not yet recognised by the "Ultimate Virus Killer" (i.e. all of them with the exception of 3.3 TT and 5.2 Falcon).

 

Virus #89

 

Name: Vaccin-Gillus Virus.

Type: Memory-resident reset-proof bootsector virus.

Discovery date: August 18th 1994 (Mike Holmes).

Virus can copy to drive(s): Current floppy drive (A or B).

Virus attaches itself to: Hdv_bpb, resvector, and undocumented reset-resistant.

Disks can be immunized against it: No.

What can happen: Prints the text "VACCIN-GILLUS" on the screen whilst showing wobbly colour thingy bars.

When does that happen: At booting with an infected disk.

Reset-proof: Yes.

Can copy to hard disk: No.

Remark: This was probably supposed to be an anti-virus, or at least to look like one. It copies itself right across any other bootsector, however, and does not work against any other viruses.

 

Virus #90

 

Name: Valkyrie Virus.

Type: Memory-resident reset-proof (?) bootsector’n’link call virus.

Discovery date: Late 1994.

Virus can copy to drive(s): Current drive (A, B or C). Can also copy via LAN or MIDI networks.

Virus attaches itself to: Xbios and vbl_queue.

Disks can be immunized against it: No.

Immunizable with UVK: No.

What can happen: A variety of things. The part of this particular version that was found will cause the Kobold #2 Virus to be found on a disk upon reading the bootsector, and the Lucky Lady 1.03 Virus to be written when writing to the bootsector.

When does that happen: During bootsector access.

Resetproof: Not known.

Can copy to harddisk: The virus as a whole can, but this particular segment only affects floppy disk drives.

Remark: This virus has not been properly encountered. The UVK does not recognise it on disk but only recognises the segment that attaches itself to the XBIOS vector, when the virus is already in memory.

 

Virus #91

 

Name: Goblin Virus B.

Discovery date: May 1995.

Remark: See Goblin Virus A (#19). The only thing changed about this version if the initial branch code, now preceded by a longword zero, with an adapted BRA. This virus, together with the next two, was sent in one batch by someone anonymous who probably made these variations himself. They all had in common that only the branch commands have been modified, effectively disabling them from recognition by the "Ultimate Virus Killer" until then.

 

Virus #92

 

Name: Tiny Virus B.

Discovery date: May 1995.

Remark: See Tiny Virus A (#85) and Goblin Virus B (#91). The branch was changed to a NOP followed by the regular branch, adapted.

 

Virus #93

 

Name: Darkness Virus B (Nightmare of Brooklyn #2 ‘Darkness’).

Discovery date: May 1995.

Remark: See Darkness Virus A (#73) and Goblin Virus B (#91). The branch was changed to BPL.

 

Virus #94

 

Name: Pharaoh Virus.

Type: Memory-resident reset-proof bootsector call virus.

Discovery date: Spring 1996.

Virus can copy to drive(s): Current floppy drive (A or B).

Virus attaches itself to: Hdv_bpb, resvector and undocumented reset-resistant.

Disks can be immunized against it: Yes, though it is not known exactly how.

Immunizable with UVK: Very likely. It copies to none of the immunized disks I tried to have it infect.

What can happen: Noise is made, as well as a high frequency sound.

When does that happen: After five copies have been made.

Resetproof: Yes.

Can copy to harddisk: No.

Remark: A particularly devious virus, which uses two 32-bit random values to double-encrypt itself. It can also start at 13 different locations in the bootsector, and the initial instruction can be one of 2048 different ones. This results in a total of (2^32) * (2^32) * 13 * 2048 different versions that it can make of itself (when multiplied that’s 4.9112611*10^23...). It is also MS-DOS mimicking.

It was sent to me anonymously, with an Arnhem (Netherlands) postmark. The virus is Falcon-compatible but does not copy to high density disks. As it fiddles around with BPB FAT values, programs such as "FCopy", "Mutil" and "Knife ST" may/will fail to operate properly on infected disks because they may find the manipulated BPB values hard to swallow.

It is also known as "The Curse Virus" or "Klatwa Virus" (this is Polish for "Curse," and was used to make it appear as if it was written in Poland).

Disks once infected with the "Pharaoh Virus" will never be completely regular because of the virus having rearranged various values in FAT and BPB. Copy all files you need to retain off them, then perform a soft or hard format, and copy the files back.

 

Virus #95

 

Name: Carpe Diem Virus.

Type: Memory-resident reset-proof bootsector virus originating from a Trojan Horse.

Discovery date: Spring 1996.

Virus can copy to drive(s): Current floppy drive (A or B).

Virus attaches itself to: Hdv_bpb, resvector, vbl and undocumented reset-resistant.

Disks can be immunized against it: No.

Immunizable with UVK: No.

What can happen: The text "BO[BJOF" appears at the top left of the screen. Your computer can crash.

When does that happen: The text is displayed 2048 vertical blanks after system start-up (on a 50 Hz colour monitor that would be after about 40 seconds). The crash can (and will) happen any time after that.

Resetproof: Yes.

Can copy to harddisk: Yes, but only in a file form ("~.PRG", see below).

Remark: This virus has an interesting history. It originally came in a ZIP archive called "CARPDIEM.ZIP." It contained a file called "CARPDIEM.PRG" (normally 91,750 bytes in size) and a small text file with the contents "Sease the day, and run this great falcon enhanced game!!" (sic). Upon running this ‘game’, nothing would appear to happen (though a quick eye would see the text "Ruth Marcs Development Inc. (Dedicated to the memory of Lucky Lady)" flicking on and off the top of the screen). The ‘game’ wouldn’t run, and the desktop would be displayed again. The virus, however, would have installed itself in memory and on the current floppy disk, and would have written the "~.PRG" file (see below) in C:\AUTO\. Useless, the "CARPDIEM.ZIP" file and related items would be thrown away. So this virus actually arose from what is commonly known as a "Trojan Horse." Even if you’d get rid of all virus occurrences on floppy disks, the "~.PRG" file would reinstall it on floppy every time you reboot. Likewise, the floppy version of the virus would reinstall the "~.PRG" file! So it is quite impossible to let the "Ultimate Virus Killer" on its own completely get rid of the virus for you.

HOW TO PROPERLY GET RID OF THE "CARPE DIEM VIRUS".

You have to remember that, on an infected system, there are a potential number of three copies of the virus: One on your floppy disk, one in the hard drive C:\AUTO\ folder and one in memory. These are the steps:

  1. First you have to reboot without a disk, or with a disk that is guaranteed to be virus free. Turn your system off for half a minute. This will get rid of two of the possible three copies of the virus in your system (in memory and on floppy). Make sure the floppy disk is write-protected.
  2. Turn your computer back on. Press [CONTROL] during the booting process. This way - at least with the Atari hard disk driver - the hard disk will be installed and accessible, but the programs in the \AUTO\ folder will *not* be executed. If you have another hard disk driver installed, simply try to bypass hard disk installation altogether (pressing [CONTROL], [LEFT SHIFT] and [ALTERNATE] simultaneously usually ought to do the job) and install the hard disk driver from floppy. This, too, will not install any of the \AUTO\ folder programs. If you have a Claus Brod hard disk driver installed, all you need to do is simply boot off another partition, like D:.
  3. Now you have to get rid of a file called "~.PRG" in the \AUTO\ folder of hard disk partition C:. It can’t be located anywhere else. Unfortunately, the file is hidden. That means you can’t delete it until you can see it, and you can’t normally see it. There are probably quite a few ways to delete it:

  1. With "GfA Basic". Go into "direct mode," "chdrive" to drive C and "chdir" to the \AUTO\ folder. Now, with "files," you can display the full directory, including hidden files. You can now use the "kill" command to delete "~.prg".
  2. With the alternative file selector "Selectric." Turn the "display hidden" option on, and simply delete the file from "Selectric" itself. "Selectric" can be started from the desktop, without needing to start it from the AUTO folder. You might have to switch to a higher resolution first, though.
  3. In the absence of the two options mentioned above, you can use any command line interpreter (such as "COMMAND.PRG"). These may not allow you to delete the file, but this is no problem. Using the "ren" command you can rename the file, for example to "file.xxx." This will not remove the file from the \AUTO\ folder, but will render it completely harmless - after all, only programs with the "prg" extension are executed when the \AUTO\ folder is invoked.

  1. Now, with a clean and uninfected system, you can get rid of all occurrences of the virus on all your floppies with the "Ultimate Virus Killer".

IMPORTANT: The floppy-based version of the "Carpe Diem Virus" is recognised without further ado. To recognise the tiny (1024-byte) "~.PRG" file from the link virus check (both the "CARPDIEM.PRG" mother file and the "~.PRG" file are recognised, regardless of what name they might currently have) you have to set the lowest limit of the link virus check to 1 Kb (this will cause only files below 1 Kb not to be scanned). By default, this value is set to 3 Kb, which would cause the "~.PRG" file to be skipped. The lowest link virus check limit can be altered by means of the "UVK.CNF" file (see the appropriate manual section). A line containing ".001" (without the quotes) added at the end of the file (using a text editor, for example) will do the job.

Watch out: On the Toad Computers CD-ROM "Bird of Prey" you should not use the file CARPDIEM.PRG in the folder TOAD/NEWSTUFF!

 

Virus #96

 

Name: Mad Virus D.

Discovery date: Autumn 1996.

Remark: See Mad Virus A (#2). This virus version could be written by a "Bootsector Re-Installer" utility (by Tronic of Effect, alias of John Cove). The difference is that it is located at an extra offset of $1C bytes from the beginning of the bootsector.

 

Virus #97

 

Name: Kobold #2 Virus C.

Discovery date: Autumn 1996.

Remark: See Kobold #2 Virus A (#16). This virus version could be written by a "Bootsector Re-Installer" utility (by Tronic of Effect, alias of John Cove). The difference is that it is located at an extra offset of $1C bytes from the beginning of the bootsector.

 

Virus #98

 

Name: Signum Virus F.

Discovery date: Autumn 1996.

Remark: See Signum Virus A (#1). This virus version could be written by a "Bootsector Re-Installer" utility (by Tronic of Effect, alias of John Cove). The difference is that it is located at an extra offset of $1C bytes from the beginning of the bootsector.

 

Virus #99

 

Name: Ghost Virus K.

Discovery date: Early autumn 1997.

Remark: A corrupted version of the Ghost Virus J, as far as can be seen. Might additionally crash your computer besides causing the mouse movements to be altered (also see Ghost Virus A).

 

Virus #100

 

Name: Signum Virus G.

Discovery date: Winter 1997.

Remark: A corrupted version of the Signum Virus E. Might crash an infected system (also see Signum Virus A).

 

Virus #101 - 109

 

Name: These are various older and newer versions of the Macumba Virus.

 

LINK VIRUSES

 

Virus #1

 

Name: Milzbrand.

Type: Non-resident non-overwriting link virus.

Discovery date: Spring 1988 (Wim Nottroth).

Symptoms: When the date stamp is set to 1987, it clears track 0 of your floppy disk, destroying all FAT data and filling the bootsector with a message "Dies ist ein Virus!" ("This is a virus!"). Symptoms can vary because the virus was offered as a, fully documented, type-in-listing (!) in the German magazine "Computer & Technik" and the reader could easily adapt the routines himself.

Remark: This virus was written by Eckhard Krabel, who lives in Berlin, Germany. It’s also called Anthrax Virus (which is English for the original name in German).

 

Virus #2

 

Name: Virus Construction Set Part II.

Type: Non-resident non-overwriting link virus.

Discovery date: September 4th 1988 (Frank Lemmen).

Symptoms: These vary from the message "You have ten seconds to find out how to prevent a reset" (after which a countdown follows and a reset) to routines that can be written by the user himself - the "Virus Construction Set" is a program with which the user can create his own viruses! Symptoms are therefore without limit.

Remark: The "Virus Construction Set Part II" was published by GFE R. Becker KG, Bad Soden am Taunus, West Germany. It used to be for sale, but isn’t any more.

 

Virus #3

 

Name: Uluru.

Type: Memory-resident non-overwriting link virus.

Discovery date: November 1988.

Symptoms: Installs itself in memory but is not reset-resistant. It infects every programme that will be started once an infected programme has caused it to be installed, and only does this on drive A or B, and on files that are at least 10,000 bytes in size. After a certain time, it writes a dummy text file on disk when infecting a file. This text file contains the sentence ";-) As MAD Zimmermann will be watching you )-;".

Remark: Also called Mad Zimmermann Virus, for obvious reasons.

 

Virus #4

 

Name: Garfield & Papa.

Type: Memory-resistant reset-proof non-overwriting link virus.

Discovery date: November 1988.

Symptoms: This is a reset-proof virus that installs itself in memory when an infected program is loaded. After that, every other program that is loaded into memory is infected. It can be recognised by a flashing pixel in the left top corner of the screen and the message "Garfield and Papa was here", preceded by a bleep sound.

Remark: Probably only works on one megabyte machines (or higher) since it uses the absolute hexadecimal screen address $F8000.

 

Virus #5

 

Name: Crash.

Type: Memory-resident reset-proof non-overwriting link virus.

Discovery Date: March 20th 1989 (Claus-Peter Moeller).

Symptoms: A reset-proof virus that also installs itself in your system and then infects every program you load in afterwards. Is only active on the current drive, but can copy itself into any folder. It’s the only link virus that can even infect files that have been immunized with the "Ultimate Virus Killer," i.e. files with read-only status.

Remark: Probably programmed in Switzerland.

 

ANTI-VIRUSES

 

Anti-virus #1

 

Name: AntiVirus.

Remark: There are sixteen different versions of this AntiVirus, which were all written by Helmut Neunkirchen. The following table includes them all. They are all recognised by the "Ultimate Virus Killer", and the English versions of 5.1 can be written using the ‘REPAIR DISK’ option. The texts vary slightly and are not specified here. None of them copy to hard disk, and none of them are reset-proof.

Discovery date: August 8th 1988.

Written on May 3rd 1988.

Symptoms: On system boot-up, a message appears on your screen: "This Anti-virus beeps and flashes if the actual bootsector is executable then that might be a virus! Remove this Anti-virus by reset!" It multiplies itself to other, non-executable floppy disks.

Remark: This was a simple translation job by yours truly.

Written on August 21st 1988.

Written on September 21st 1988.

Remark: Also recognises an IBM-compatible disk, on which it then does not copy itself.

Written on September 21st 1988.

Remark: A version of 4.2 that does not copy itself to other disks.

Written on October 18th 1988.

Remark: There are German and English versions of this AntiVirus.

Written on October 18th 1988.

Remark: A version of 4.5 that does not copy itself to other disks.

Written on December 5th 1988.

Remark: Uses XBRA structures, completely reprogrammed.

Written on May 12th 1989.

Remark: This was a version released by mistake, and actually older than 4.10.

Written on May 19th 1989.

Remark: Calls itself ‘VirusLähmer’.

Written on June 24th 1989.

Remark: A version of 4.10 that does not copy itself to other disks.

Written on April 23rd 1990.

Remark: There are cloning and non-cloning versions of this AntiVirus, each in a German and an English version. It recognises mutation, and recognises disks that are immunized using the "Ultimate Virus Killer."

If someone has remarks or suggestions about this AntiVirus, they are invited to write to Helmut at Bönnersdyk 63, D-47803, Krefeld, Germany. Email address: hn@pool.informatik.rwth-aachen.de.

 

Anti-virus #2

 

Name: Anti-Virus #2.

Discovery date: September 10th 1988.

Symptoms: On system boot-up, a message appears on your screen at the top line: "ANTI-VIRUS." It multiplies itself to other non-executable disks, except when it’s already present on them. When an executable bootsector is found, it inverts all colours and bleeps.

 

Anti-virus #3

 

Name: Anti-Virus User V1.4.

Discovery date: May 30th 1989 (Carmen Brunner).

Symptoms: Installs itself in memory and warns you when it finds certain disks: RED = Virus 1 (Signum Virus), PURPLE = Virus 2 (Mad Virus), BLUE = Bootsector, WHITE = Nothing. It multiplies itself to WHITE disks on drive A only. Its virus recognition is very bad, and many other disks are also suspected of being RED or PURPLE - including perfectly harmless ones.

Remark: Written by someone called Le Fele.

 

Anti-virus #4

 

Name: Anti-Virus #4.

Discovery date: June 28th 1989 (Wim Maarse).

Symptoms: This anti-virus is reset-proof. It probably only works on German Blitter TOS (TOS 1.02 version from 22.04.87), since it uses an absolute ROM jump address to the Get_BPB routine of that TOS. It copies to other disks.

 

Anti-virus #5

 

Name: Terminator V1.0.

Discovery date: March 1990.

Symptoms: Does not copy itself, and is reset-proof. Automatically checks disks for executable bootsectors, and checks memory for resident programs.

Remark: Written by Claus-Georg Frein for a commercial copy program called "Turbobooster."

 

Anti-virus #6

 

Name: Pashley Anti-Virus.

Discovery date: January 18th 1990 (Terry Simmons).

Symptoms: Copies itself to other disks, and will flash the screen and beep when an executable bootsector is found.

Remark: Written by Simeon Pashley.

 

Anti-virus #7

 

Name: Powell Anti-Virus.

Discovery date: July 30th 1989 (George Woodside).

Symptoms: Does not copy itself to other disks. Will bleep and flash the screen when an executable bootsector is found.

Remark: Written by virus killer programmer Mark S. Powell.

 

Anti-virus #8

 

Name: The Killer V2.0.

Discovery date: March 18th 1990 (George Woodside).

Symptoms: Does not copy itself. Outputs messages in French when an executable bootsector is found.

Remark: Written by Emmanuel Collignon/Omikron France.

 

Anti-virus #9

 

Name: VKill Guard.

Discovery date: May 14th 1990.

Symptoms: Does not copy itself, yet installs itself in memory and flashes and beeps when executable bootsectors are found. Its sign-on message is ‘This Guard remains active until reset. If it detects an executable bootsector, it will beep and flash the screen.’

Remark: Written by George Woodside for his program "VKill".

 

Anti-virus #10

 

Name: New Order Anti-Virus 1.02.

Discovery date: May 22nd 1990 (Glenn Robison).

Symptoms: Prints message and locks up the computer when a virus is found to bend a vector. It checks the following vectors: Hdv_init, Hdv_bpb, Hdv_rw, Hdv_boot, Hdv_mediach, BIOS and XBIOS.

 

Anti-virus #11

 

Name: Floppyshop Anti-Virus.

Disovery date: April 29th 1990 (Kevin Brown).

Symptoms: Beeps and flashes the screen when an executable bootsector is found that doesn’t contain itself. Doesn’t multiply.

 

Anti-virus #12

 

Name: Protector II Anti-Virus.

Remark: No further information available.

 

Anti-virus #13

 

Name: Incoder Anti-Virus.

Discovery date: July 1990.

Symptoms: Checks the bootsector for the occurrence of the Hdv_bpb address ($472). Checks if Hdv_bpb points at $FCxxxx or not (will therefore imply something is wrong when you work on an STE, ST Book, Falcon, or when you use a hard disk). If things are wrong, it colours the screen and locks the system. If things are OK it will print "The Incoders - safe boot" and flash one colour.

 

Anti-virus #14

 

Name: Auntie-Virus.

Discovery date: Summer 1990 (David Heiland).

Symptoms: Same as anti-virus #1. Only the texts have been changed.

Remark: Probably made in England.

 

Anti-virus #15

 

Name: Shadow Anti-Virus.

Discovery date: July 1990.

Symptoms: Checks the system for reset-resistant programs in memory on boot-up. Not resident, does not copy itself.

Remark: Written by the Shadow of the Dynamic Duo, England.

 

Anti-virus #16

 

Name: Fury Anti-Virus.

Discovery date: August 24th 1990.

Symptoms: Same as anti-virus #13, of which it is an adapted version.

Remark: Made by Fabrice Odéro, a.k.a. Fury of Legacy.

 

Anti-virus #17

 

Name: Unicorn Anti-Virus-Reset Anti-Virus.

Discovery date: December 11th 1990.

Symptoms: It is a resident program that will clear all reset vectors upon reset.

Remark: Probably written in Holland.

 

Anti-virus #18

 

Name: Zarko Berberski Anti-Virus.

Discovery date: Unknown (Mike Mee).

Symptoms: There are two different versions of this. One copies itself and one doesn’t. They both have the additional ability to wait ‘x’ seconds until the hard disk has finished booting.

Remark: Written by Zarko Berberski from Yugoslavia in a time when it was still called Yugoslavia.

 

Anti-virus #19

 

Name: Odie Anti-Virus.

Discovery date: Unknown (Mike Mee).

Symptoms: Puts a picture of Odie (dog character in "Garfield" cartoons) on the screen. Is resident, and checks for executable disks. It will copy itself on non-executable disks, and it will warn when it finds an executable disk that does not have itself on it (the screen is turned red).

Remark: Uses the XBRA protocol.

 

Anti-virus #20

 

Name: TDT 4.0 Antighost.

Discovery date: June 1992.

Symptoms: Is a resident anti-virus that copies itself across a bootsector that it finds the Ghost Virus on.

Remark: Written by Altair in France.

 

Anti-virus #21

 

Name: Caledonia Exorcist 2.0.

Discovery date: December 1992.

Symptoms: At start-up it will put the message "Caledonia Exorcist 2.0" on the screen. Whenever an executable bootsector is found during it being resident in memory, it will warn you. At any time you can press ALT-HELP to have this anti-virus install itself on the current disk. It will not copy itself without you wanting it to.

Remark: Written for/by the Caledonia PD library. The copy routine crashes on my system. Not to be confused with some virus free disks of the same name made by some French hackers.

 

Anti-virus #22

 

Name: Agrajag Boot 2.

Discovery date: July 1993.

Symptoms: At start-up it will put the message "AGRABOOT 2" on the screen. Whenever an executable bootsector is found while it is present in memory, the screen will flash. It will flash RED when such a bootsector is suspicious. Upon starting it will also find reset-proof programs and the like. It will not copy itself to any other disks of its own accord.

Remark: Written by Michael James from Glasgow, autumn 1992. Quite a good anti-virus actually.

 

Anti-virus #23

 

Name: STAX Boot Saver 5.0

Discovery date: July 1997.

Symptoms: At start-up it will put the message ‘STAX Boot Saver 5.0’ on the screen. If it finds the reset vector bent (whether by a virus or another reset-resistant program) it displays the message ‘*** VIRUS FOUND ***’, else it displays the message ‘*** NO VIRUS ***’. It will not copy itself to other disks, indeed is not even resident in memory itself.

Remark: This anti-virus version dates August 29th 1992.

 

VIRUSES KNOWN TO EXIST BUT NOT RECOGNISED BECAUSE NOT ENCOUNTERED YET

 

Unknown virus #1-#17: Macumba Virus

 

Several different versions of the Macumba Virus (Cf.) exist, none of which have been spotted so far and can therefore not be recognised yet. The following versions are thought to exist but cannot yet be recognised: 0.9, 0.9a, 1.0, 2.0, 3.0, 3.1 TT, 3.2 TT, 3.4 TT, 3.5 TT, 3.6 TT, 3.7 TT, 3.8 TT, 3.9 TT, 4.0 TT, 4.0b TT and 5.0 Falcon.

 

Unknown virus #18: Valkyrie Virus

 

This is an especially dangerous hybrid kind of bootsector/link virus that spreads to hard disk files, floppy disk bootsectors and, via LAN or MIDI networks, even to other systems connected. It hides itself effectively, and there are a few versions of it that have varying destruction routine symptoms. The common denominator was that, on January 8th (birthday of its programmer, Lucky Lady from Slovenia), the screen would clear and the message "I will never love again!" would appear on the screen. A system infected with the Valkyrie Virus will have a partition C volume name with "VLKY" encoded in it; files infected with it have "VLKY" as last longword value.