Virus, Spyware and Worm

Macro viruses have become common since the mid-1990s. Most of these viruses are written in the scripting languages for Microsoft programs such as Word and Excel and spread throughout Microsoft Office by infecting documents and spreadsheets. Since Word and Excel were also available for Mac OS, most could also spread to Macintosh computers. Although most of these viruses did not have the ability to send infected e-mail, those viruses which did take advantage of the Microsoft Outlook COM interface.

Cavity viruses can infect files without increasing their sizes or damaging the files. They accomplish this by overwriting unused areas of executable files. For example, the CIH virus, or Chernobyl Virus, infects Portable Executable files. Because those files have many empty gaps, the virus, which was 1 KB in length, did not add to the size of the file.

AGI-Plan was a memory resident DOS file infector first isolated at the Agiplan software company in Germany. Because of CARO standards that dictate that viruses should not be named after companies, AGI-Plan's technical name is Month 4-6. This name also violates CARO standards, but a more minor rule involving syntax. AGI-Plan is related to the Zero Bug virus, as both it and AGI-Plan prepend 1,536 bytes to files they infect.

AGI-Plan is not initially damaging until several months after the initial infection, hence its name. After activation, AGI-Plan will begin to corrupt write operations, which results in slow, difficult-to-notice damage overtime.

AGI-Plan is notable for reappearing in South Africa in what appeared to be an intentional re-release several years after. AGI-Plan never succeeded in spreading significantly beyond the isolated incidents in Germany and South Africa.

A computer virus is a computer program that can copy itself and infect a computer. The term "virus" is also commonly but erroneously used to refer to other types of malware, including but not limited to adware and spyware programs that do not have the reproductive ability. A true virus can spread from one computer to another (in some form of executable code) when its host is taken to the target computer; for instance because a user sent it over a network or the Internet, or carried it on a removable medium such as a floppy disk, CD, DVD, or USB driv.
Viruses can increase their chances of spreading to other computers by infecting files on a network file system or a file system that is accessed by another computer

Polymorphic code was the first technique that posed a serious threat to virus scanners. Just like regular encrypted viruses, a polymorphic virus infects files with an encrypted copy of itself, which is decoded by a decryption module. In the case of polymorphic viruses, however, this decryption module is also modified on each infection. A well-written polymorphic virus therefore has no parts which remain identical between infections, making it very difficult to detect directly using signatures. Antivirus software can detect it by decrypting the viruses using an emulator, or by statistical pattern analysis of the encrypted virus body. To enable polymorphic code, the virus has to have a polymorphic engine (also called mutating engine or mutation engine) somewhere in its encrypted body. See Polymorphic code for technical detail on how such engines operate

Actifed is interesting that G2 is a computer virus creation tool written by Dark Angel of the Phalcon/Skism organisation. This organization also wrote the "Phalcon-Skism Mass Produced Code Generator" [PS-MPC] which was used in the creation of Abraxas and numerous other viruses.

G2 generates compact, easily modified, fully commented, source code of .COM and .EXE infectors. It also supports the creation of resident and non-resident encrypted and non-encrypted viruses. The PS-MPC has similar use.

AGENA is a memory resident, file infecting computer virus which infects .COM and .EXE files, including command.com. It was discovered in Spain in September, 1992. Upon infection, Agena becomes memory resident at the top of system memory but below the 640K DOS boundary. Once it is memory resident, Agena infects .COM and .EXE files as they are executed. Infected programs will have a file length increase of 723 to 738 bytes with the virus being located at the end of the file. An infected file's date and time in the DOS disk directory listing are not altered. Total system and available free memory, as indicated by the DOS CHKDSK program, will have decreased by 1,296 bytes. Interrupts 20 and 21 are hooked by the virus. It is unknown what Agena may do besides replicate. No text strings are visible within the viral code in infected programs.

Alabama is a computer virus, discovered October 1989 on the campus of Hebrew University in Jerusalem.
Alabama is a fairly standard file infector outside its odd behaviour of deciding what files to infect. When an infected file is executed, Alabama goes memory resident. Whenever a .EXE file is executed from this point on, Alabama will search out for another file to infect. This is probably intended to place blame on the file that is being executed instead of the virus itself. Files infected by Alabama increase in size by 1,560 bytes.
Payload
On Fridays, Alabama will begin to modify the File Allocation Table in an odd way. Instead of searching for a file to infect, Alabama searches for a file to cross-reference. The virus modifies the FAT entry so that when the user executes one file, another will appear. For instance, on a machine where Alabama is resident, executing PROGRAM1.EXE on a Friday may cause the virus to search for another program and find PROGRAM2.EXE. Alabama will then modify the FAT so that whenever PROGRAM1.EXE is executed, PROGRAM2.EXE displays instead. This certainly can result in confusion, and may result in programs being lost or incorrectly deleted.
Variants
There is one known variant of Alabama. Alabama.B was distributed as a modified SDIR.COM. SDIR.COM was a program created to replace the DOS DIR command. Like the original Alabama, the "B" variant does not infect .COM files. The modified SDIR.COM is simply used as a dropper.

Infection
Alcon is a standard boot sector virus that spreads via floppies. Instead of the MBR, it infects the DBR, making some antivirus programs miss it.
Symptoms
Alcon contains no notable symptoms beyond one extremely damaging one, which is overwriting random information. Assuming that the overwrites are subtle, this may result in significant compounding data overtime, as Alcon is a slow damager.

Alcon contains the text "R.SY".
Aliases and variants
Alcon's most common alias is RSY, based on inclusions in the virus code. Other aliases include Kendesm, Ken&Desmond, and Ether. It is unknown where these names are derived from.

This virus is unrelated to W32/Alcon.

Acme is a computer virus which infects EXE files. Each time an infected file is executed, Acme may infect an EXE in the current directory by creating a hidden 247 byte long read-only COM file with the same base name. (In DOS, if the file extension is not specified, and two files with the same base name exist, one with .COM and one with .EXE, the .COM file will always be executed first.) Acme is a variant of Clonewar, a spawning virus. Acme is also perhaps a descendant of the small single-step infector Zeno, which is not to be confused with the Zeno programming language.

Abraxas-infected files will become 1,171 bytes in length contain Abraxas' viral code. The file's date and time in the DOS disk directory listing will be set to the system date and time when infection occurred. The following text strings can be found within the viral code in all Abraxas infected programs:

"*.exe c:\dos\dosshell.com .. MS-DOS (c)1992"

"->>ABRAXAS-5<<--"

"...For he is not of this day"

"...Nor he of this mind"

Execution of infected programs will also result in the display of a graphic "ABRAXAS" on the system display, accompanied by an ascending scale being played on the system speaker.
Abraxas was created with the PS-MPC virus creation tool, which can be used to create similar, easily detected viruses, which are usually encrypted as well.

ABC, discovered in October 1992.After infection, total system memory, as measured by the DOS CHKDSK program, will not be altered, but available free memory will have decreased by approximately 8,960 bytes. Altered, but not infected, COM or EXE files will have 4 to 30 bytes added to their length. Infected EXE files (COM files are never infected) have a file length increase of 2,952 to 2,972 bytes, and ABC is located at the end of the infected EXE. An altered/infected file's date and time in the DOS disk directory listing may have been updated to the current system date and time when the file was altered/infected.
No text strings are visible within the viral code in infected EXE files, but the following text strings are encrypted within the initial copy of the ABC virus:
ABC_FFEA
Minsk 8.01.92
ABC
ABC causes keystrokes on the compromised machine to be repeated. It seems double-letter combinations trigger this behavior, e.g. "book" becomes "boook [sic]". System hangs may also occur when some programs are executed, a likely side effect of ABC-induced corruption.
The ABC virus is not to be confused with the ABC keylogger trojan, written in 2004 by Jan ten Hove.

Elk Cloner is one of the first known microcomputer viruses that spread "in the wild," i.e., outside the computer system or lab in which it was written. It was written around 1982 by a 15-year-old high school student named Rich Skrenta for Apple II systems.
Development
Elk Cloner was created in 1982 by Rich Skrenta, a 15-year-old high school student. Skrenta was already distrusted by his friends because, in sharing computer games and software, he would often alter the floppy disks to shut down or display taunting on-screen messages. Because his friends no longer trusted his disks, Skrenta thought of methods to alter floppy disks without physically touching them. During a winter break from the Mt. Lebanon High School in Pennsylvania, United States, Skrenta discovered how to launch the messages automatically on his Apple II computer. He developed what is now known as a boot sector virus, and began circulating it in early 1982 among high school friends and a local computer club. 25 years later in 2007, Skrenta called it "some dumb little practical joke."
Distribution
According to contemporary reports, the virus was rather contagious, successfully infecting the floppies of most people Skrenta knew, and upsetting many of them.
Part of the "success," of course, was that people were not at all wary of the potential problem, nor were virus scanners or cleaners available. The virus could still be removed, but it required an elaborate manual effort.

Bomber (also known as CommanderBomber) is a DOS polymorphic computer virus known for its technique of "patchy infection". Contrary to the usual method of infecting executables (which is to append virus body to the executable and to change the entry point), it inserts several fragments ("patches") of its code in random places inside the file. These fragments transfer control to each other using various mechanisms.

AntiCMOS is a boot virus. Its first discovery was at Lenart, Slovenia, which led to its alias of Lenart. It was isolated in Hong Kong several times at the beginning of 1994, but did not become common until it spread to North America in the Spring of 1995. AntiCMOS is a fairly standard boot virus, and is primarily notable for being one of the few DOS viruses to remain in the wild as of 2005.

AntiCMOS is so named because it has the intended effect of erasing all CMOS information. This does not occur because of a bug in the virus code. This is true of all AntiCMOS variants that have appeared in the wild. The payload date of December 1993 and the obsolete nature of these variants makes it very unlikely that AntiCMOS's payload will ever be a threat.

The Anna Kournikova computer virus was a computer virus authored by Dutch programmer Jan de Wit on Feb 11, 2001. It was designed to trick email users into opening a mail message purportedly containing a picture of tennis player Anna Kournikova, while actually hiding a malicious program. If set off, the program plunders the address book of the Microsoft Outlook e-mail program and attempts to send itself to all the people listed there. The Kournikova virus tempts users with the message: "Hi: Check This!", with what appears to be a picture file labelled "AnnaKournikova.jpg.vbs".The worm arrives in an email with the subject line "Here you have, ;0)" and an attached file called AnnaKournikova.jpg.vbs. When launched under Microsoft Windows the file does not display a picture of Anna Kournikova but launches a viral Visual Basic Script that forwards itself to everybody in the Microsoft Outlook address book of the victim.

The virus was created using a simple and widely available Visual Basic Worm Generator program developed by an Argentinian programmer called “[K]Alamar”. While similar to the ILOVEYOU virus that struck a year earlier, in 2000, the Anna Kournikova virus did not corrupt data on the infected computer
De Wit turned himself in to authorities in the town of Sneek located in the northern province of Friesland in the Netherlands. "By the time he understood what the virus did, he had conferred with his parents and decided to turn himself in to the police," Apparently, the author created the virus in a matter of hours. "The young man had downloaded a program on Sunday, February 11, from the Internet and later the same day, around 3:00 p.m., set the virus loose in a newsgroup." De Wit was charged with spreading data into a computer network with the intention of causing damage.On September 21, 2001, he was sentenced to one hundred and fifty hours community service.

It has been reported that the efforts of another virus writer working undercover for the FBI, David L. Smith, led to the identification of Jan de Wit and that the FBI passed the information to authorities in the Netherlands.De Wit turned himself in to the police in his hometown Sneek on February 14, 2001, a few days after the virus was released.

Reportedly, and resembling the cases of other computer virus writers, only a few days later the mayor of Sneek made a tentative job offer to De Wit, quoting his programming skills.

De Wit was tried in Leeuwarden and was charged with spreading data into a computer network with the intention of causing damage, a crime that carried a maximum sentence of four years in prison and a fine of 100,000 guilders (US$41,300).

The lawyers for Jan de Wit called for the dismissal of charges against him, arguing that the worm caused minimal damage. The FBI submitted evidence to the Dutch court and suggested that US$166,000 in damages was caused by the worm. De Wit admitted he created the worm using a virus creation toolkit but told the court when he posted the virus to a newsgroup he did it "without thinking and without overseeing the consequences". He denied any intent to cause damage. De Wit has been sentenced to 150 hours community service or 75 days in jail

Byte Bandit is a computer virus created for the Commodore Amiga. It appeared in January 1988. It is a boot sector virus. It was created by SCA.

It was one of the most feared Amiga viruses until the infamous Lamer Exterminator because not only did it spread from system to system automatically, it was also destructive.

Byte Bandit made no attempt to disguise itself as modern viruses, trojans, and worms do. While it naturally over-wrote the bootblock, it also hooked into the system, remaining reset-resident and causing system data corruption and system failures. The virus increments a copy counter every time it writes itself to a disk, which is in the text string "Virus by Byte Bandit in 9.87. Number of copys:" which also gives a date of September 1987 for the creation, as well as the assumed name of the programmer.

Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows software and Dictionary attacks on administrator passwords to co-opt machines and link them into a virtual computer that can be commanded remotely by its authors. Conficker has since spread rapidly into what is now believed to be the largest computer worm infection since the 2003 SQL Slammer, with more than seven million government, business and home computers in over 200 countries now under its control. The worm has been unusually difficult to counter because of its combined use of many advanced malware techniques.
Operation
Although almost all of the advanced malware techniques used by Conficker have seen past use or are well known to researchers, the worm's combined use of so many has made it unusually difficult to eradicate.The worm's unknown authors are also believed to be tracking anti-malware efforts from network operators and law enforcement and have regularly released new variants to close the worm's own vulnerabilities.

Five variants of the Conficker worm are known and have been dubbed Conficker A, B, C, D and E. They were discovered 21 November 2008, 29 December 2008, 20 February 2009, 4 March 2009 and 7 April 2009, respectively.The Conficker Working Group uses namings of A, B, B++, C, and E for the same variants respectively. This means that (CWG) B++ -> (MSFT) C and (CWG) C -> (MSFT) D.
Initial infection
Variants A, B, C and E exploit a vulnerability in the Server Service on Windows computers, in which an already-infected source computer uses a specially-crafted RPC request to force a buffer overflow and execute shellcode on the target computer. On the source computer, the worm runs an HTTP server on a port between 1024 and 10000; the target shellcode connects back to this HTTP server to download a copy of the worm in DLL form, which it then attaches to svchost.exe.Variants B and later may attach instead to a running services.exe or Windows Explorer process.
Variants B and C can remotely execute copies of themselves through the ADMIN$ share on computers visible over NetBIOS. If the share is password-protected, a dictionary attack is attempted, potentially generating large amounts of network traffic and tripping user account lockout policies.
Variants B and C place a copy of their DLL form on any attached removable media (such as USB flash drives), from which they can then infect new hosts through the Windows AutoRun mechanism.
To start itself at system boot, the worm saves a copy of its DLL form to a random filename in the Windows system folder, then adds registry keys to have svchost.exe invoke that DLL as an invisible network service

Dark Avenger was a pseudonym of a computer virus writer from Sofia, Bulgaria. He gained considerable popularity during the early 1990s, as some of his viruses spread not only nationwide, but across Europe as well, even reaching the United States
Dark Avenger's viruses
Dark Avenger's first virus appeared in early 1989 and contained the string "This program was written in the city of Sofia (C) 1988-89 Dark Avenger". Thus, this first virus is usually referred to as "Dark Avenger", eponymous to its author. It was very infectious: Opening or just copying a file was sufficient to start an infection. Additionally, the virus also destroyed data, by overwriting a random sector of the disk at every 16th run of a program, filling space with files containing the string "Eddie lives... somewhere in time!"--possibly a reference to Iron Maiden's album, "Somewhere in Time". Due to its highly-infectious nature, the virus spread world-wide, reaching Western Europe, the USSR, the United States, and even East Asia. It even received moderate mention in the New York Times and Washington Post.

This virus was soon followed by others, each employing a new clever trick. Dark Avenger is believed to have authored the following viruses: Dark Avenger, V2000 (two variants), V2100 (two variants), 651, Diamond (two variants), Nomenklatura, 512 (six variants), 800, 1226, Proud, Evil, Phoenix, Anthrax, Leech. As a major means for spreading the source code of his viruses, Dark Avenger used the then popular bulletin board systems. In its variants, the virus also contained the following strings:

"Zopy (sic) me - I want to travel"
"Only the Good die young..."
"Copyright (C) 1989 by Vesselin Bontchev"
In technical terms, the most prominent feature of some of Dark Avenger's viruses was their polymorphic engine, the Mutation Engine (MtE); MtE could be linked to the plain virus in order to generate polymorphic decryptors. Dark Avenger did not, however, invent polymorphism itself, since this had already been predicted by Fred Cohen, and later put into practice by Mark Washburn in his 1260 virus, in 1990. It wasn't until a year or more later that Dark Avenger's viruses began to employ polymorphic code.

Dark Avenger made frequent attacks on Bulgarian anti-virus researcher Vesselin Bontchev. Such is the case with the viruses V2000 and V2100, which claim to be written by Vesselin Bontchev, in an attempt to cause defamation. This "conflict" between the two has led many to believe that Bontchev and Dark Avenger were intentionally "promoting" each other, or that they might even be the same person.

Dark Avenger's actions were not treated as a crime at that time in Bulgaria, since there was no law for information protection

The Fun.Exe virus is of the w32.Assarm family of computer viruses. According to Symantec it registers itself as a windows system process then periodically sends mail with spreading attachments as a response to any unopened emails in outlook express. This virus first appeared in early 2008 and is now recognized by most anti virus programs.
Infection
The virus will install multiple copies of itself throughout the system. It makes itself hard to remove by installing many different copies with different names in different locations. The running copy is a system process and will restart if it is closed manually. It adds itself to auto run information so that it executes multiple copies on startup. The copies monitor each other and will restore each other if one is deleted. This makes deleting from windows nearly impossible.

Known file names used by the virus are Fun.exe, DC.exe, Other.exe, SVIQ.exe, win.exe, and WinSit.exe.

The file icon is made to look like the icon for a folder, inviting the user to open the folder when actually they are running the program thus starting the initial infection. However the graphic icon for the folder is poorly ripped from windows service icons and can be distinguished by subtle visual differences, predominantly white below the black outline of the folder which on the real folder icon is dithered to transparent space. This visual difference is especially noticeable in safe mode when graphic operating capacity is in 256 color mode instead of 24 bit color mode.

The files show a creation date of 6-23-2008 and show an original name of Olalatheworld.exe and an internal name of Olalatheworld. The files are 124,928 bytes in size. These characteristics can help distinguish the infected files, which is important because some of the names used by the file are names of legitimate windows files and therefore care must be taken not to accidentally remove a vital windows file.

Creeper was an experimental self-replicating program written by Bob Thomas at BBN Technologies in 1971.Creeper used the ARPANET to infect DEC PDP-10 computers running the TENEX operating system. Creeper gained access via the ARPANET and copied itself to the remote system where the message, "I'm the creeper, catch me if you can!" was displayed. The Reaper program was created to delete Creeper.
A program called "Elk Cloner" was the first computer virus to appear "in the wild" — that is, outside the single computer or lab where it was created.[14] Written in 1981 by Richard Skrenta, it attached itself to the Apple DOS 3.3 operating system and spread via floppy disk.[14][15] This virus, created as a practical joke when Skrenta was still in high school, was injected in a game on a floppy disk. On its 50th use the Elk Cloner virus would be activated, infecting the computer and displaying a short poem beginning "Elk Cloner: The program with a personality."

Nonresident viruses can be thought of as consisting of a finder module and a replication module. The finder module is responsible for finding new files to infect. For each new executable file the finder module encounters, it calls the replication module to infect that file

©Brain (the industry standard name being Brain) is, in its first incarnation written in January 1986, considered to be the first computer virus for MS-DOS. It infects the boot sector of storage media formatted with the DOS File Allocation Table (FAT) file system.
©Brain affects the IBM PC computer by replacing the boot sector of a floppy disk with a copy of the virus. The real boot sector is moved to another sector and marked as bad. Infected disks usually have five kilobytes of bad sectors. The disk label is changed to ©Brain, and the following text can be seen in infected boot sectors:

Welcome to the Dungeon © 1986 Brain & Amjads (pvt) Ltd VIRUS_SHOE RECORD V9.0 Dedicated to the dynamic memories of millions of viruses who are no longer with us today - Thanks GOODNESS!! BEWARE OF THE er..VIRUS : this program is catching program follows after these messages....$#@%$@!!

Form was a boot sector virus isolated in Switzerland in the summer of 1990 which became very common worldwide. The origin of Form is widely listed as Switzerland, but this may be an assumption based on its isolation locale. The only notable characteristics of Form are that it infects the boot sector instead of the Master Boot Record (MBR) and the clicking noises associated with some infections. Infections under Form can result in severe data damage if operating system characteristics are not identical to those Form assumes.

It is notable for arguably being the most common virus in the world for a period during the early 1990s.
Infection
Form infects the boot sector. When a computer is booted from an infected sector, Form goes resident, hooks the interrupt vector table, and runs the original boot sector which it's hidden in an area it flags as defective. It will subsequently infect any media inserted into the machine
Symptoms
Form has a range of symptoms, most of which will not be evident in all infections.

Form's most famous side effect is a clicking noise produced by typing on the keyboard on the 18th of every month. However, this payload very rarely appears on modern computers, as it will not execute if a keyboard driver is installed.
Form consumes 2KB of memory, and the DOS MEM command will report that this memory is unavailable. This appears on all infections.
On floppy disks, 1 KB (2 bad sectors) will be reported. This appears in all infections.
The Form data sector contains the text "The FORM-Virus sends greetings to everyone who's reading this text. FORM doesn't destroy data! Don't panic! Fuckings go to Corinne." Additionally, some versions of Form have had this text removed.
Form makes the assumption that the active partition is a DOS FAT partition. If this is not true, such as under Windows NT, Form will overwrite in a way that may result in irreversible data loss.
Prevalence
Form was listed as spreading by the WildList from the first ever version of the WildList in July 1993 until January 2006.

As with most boot viruses, a Form infection is a rare find in modern times. Since the advent of Windows, boot viruses have become increasingly uncommon, including Form. Generally, Form infections are due to the use of floppy disks infected during the original pandemic that have since been taken out of storage.
Variants
Form has a number of variants. The widely documented versions are as follows.

Form.A is a common variant of the original, where the clicking payload occurs every day, as opposed to just the 18th.
Form.B is a minor variant of the original, with the clicking payload set for the 18th of each month instead of the 24th. It was a rare find in the field during the mid1990s, but has since become obsolete.
Form.C is a virtually undocumented, trivial variant of the original. It is suggested that Form.C is another minor variant of Form, except only activates in May. Like Form.B, it was documented as being discovered rarely in the wild during the mid-1990s.
Form.D is the most common version of Form besides the original. Some reports indicate that it affects the partition table in some way. It was a somewhat common in 1997 and 1998.
FormII is an undocumented variant.
Form-Canada is an undocumented variant

AIDS II is a companion computer virus, which infects COM files. It was first discovered in April 1990, and is a variant of AIDS. Unlike other generic file infectors, AIDS II was the first known virus to employ what could be called a "corresponding file technique" of infection so that the original target EXE file is never changed. The virus takes advantage of the DOS feature where if a file exists in both COM and EXE form, the COM file is executed. When an "infected" file is executed, since a corresponding COM file exists, the COM file containing the viral code is executed. The virus first locates an uninfected EXE file in the current directory and creates a corresponding (or companion) COM file with the viral code. These COM files will always be 8,064 bytes in length with a file date/time of the date/time of infection. After creating the new COM file, the virus then plays a melody and displays the following message.
AIDS II then spawns to the EXE file that was attempting to be executed in the first place, and the program runs without problem. After completion of the program, control returns to the virus. The melody is played again with the following message displayed

"Getting used to me?
Next time, use a Condom ....."
Since the original EXE file remains unaltered, CRC programs cannot detect this virus having infected a system. One way to manually remove AIDS II is to check the disk for programs which have both a .EXE and .COM file, with the COM file having a length of 8,064 bytes. The COM files thus identified should be erased.

According to Symantec, AIDS II may play a melody and display the following string

"Your computer is infected with AIDS VIRUS II"
The displayed text strings do not appear in the viral code.

The AIDS II virus is not to be confused with the AIDS trojan or the AIDS computer virus.

The Cascade virus was a resident computer virus written in assembler, that was widespread in the 1980s and early 1990s. It infected COM files and had the effect of making text on the screen fall down and form a heap in the bottom of the screen. It was notable for using an encryption algorithm to avoid being detected.

It first appeared on the MS-DOS system in the late 1980s.

Cabir (also known as EPOC.cabir and Symbian/Cabir) is the name of a computer worm developed in 2004 that is designed to infect mobile phones running Symbian OS. It is believed to be the first computer worm that can infect mobile phones. When a phone is infected with Cabir, the message "Caribe" is displayed on the phone's display, and is displayed every time the phone is turned on. The worm then attempts to spread to other phones in the area using wireless Bluetooth signals.

The worm was not sent out into the wild, but sent directly to anti-virus firms, who believe Cabir in its current state is harmless. However, it does prove that mobile phones are also at risk from virus writers. Experts also believe that the worm was developed by a group who call themselves 29A, a group of international hackers, as a "proof of concept" worm in order to catch world attention. It failed to infect any of its targets.

The worm can attack and replicate on Bluetooth enabled Series 60 phones. The worm tries to send itself to all Bluetooth enabled devices that support the "Object Push Profile", which can also be non-Symbian phones, desktop computers or even printers. Symantec reports that the worm spreads as a .SIS file installed in the Apps directory. Cabir does not spread if the user does not accept the file-transfer or does not agree with the installation, though some older phones would keep on displaying popups, as Cabire re-sent itself, rendering the UI useless until yes is clicked. F-Secure reports that some phones, at least, warn the user about an unverified supplier.[1] So, like many other worms, this sample also needs a good portion of social engineering to reach its goal.

While the worm is considered harmless because it replicates but does not perform any other activity, it will result in shortened battery life on portable devices due to constant scanning for other Bluetooth enabled devices.

Mabir, a variant of Cabir, is capable of spreading not only via Bluetooth but also via MMS. By sending out copies of itself as a .sis file over cellular networks, it can affect even users who are outside the 10m range of Bluetooth

Ambulance is a file infecting computer virus and it does not become memory resident. It will only infect one .COM file in any given directory, but will not infect the first one. This means there must be at least two .COM files in the directory for it to spread.

Sometimes when an infected file is executed, an ASCII ambulance can be seen moving across the bottom part of the screen. A siren sound is also played from the systems speaker.

Ambulance is not a destructive virus; it simply spreads itself around and shows off its payload once in a while.

The Ping-Pong virus (also called Boot, Bouncing Ball, Bouncing Dot, Italian, Italian-A or VeraCruz) is a boot sector virus discovered on March 1, 1988 at the University of Turin in Italy. It was likely the most common and best known boot sector virus until outnumbered by the Stoned virus.
Replication method
Computers could be contaminated by it via infected diskette, showing up as a 1 KB bad cluster (the last one on the disk, used by the virus to store the original boot sector) to most disk checking programs. Due to being labelled as bad cluster, MS-DOS will avoid overwriting it. It infects disks on every active drive and will even infect non-bootable partitions on the hard disk. Upon infection, the virus becomes memory resident
Effect
The virus would become active if a disk access is made exactly on the half hour and start to show a small "ball" bouncing around the screen in both text mode (the ASCII bullet character "•") and graphical mode. No serious damage is occurred by the virus except on '286 machines (and also V20, '386 and '486), which would sometimes crash during the ball's appearance on the screen. The cause of this crash is the "MOV CS,AX" instruction, which only exists on '88 and '86 processors. For this reason, users of machines at risk were advised to save their work and reboot, since this is the only way to temporarily get rid of the virus.

The original Ping Pong virus (Ping-Pong.A) only infects floppy disks. Later variants of this virus such as Ping-Pong.B and Ping-Pong.C also infect the hard disk boot sector as well. Whilst the virus is active, one cannot replace the boot sector—it either prevents writing to it or it immediately re-infects it.

Ping-Pong.A is extinct but the hard-disk variants can still appear.

Ada is a memory resident (stays in the memory of the computer it infects after the program it infect executes) virus that infects files. The Ada virus mainly targets .COM files, specifically COMMAND.COM.

Infected programs will have 2,600 bytes additional data inserted at the beginning of the file,and the file itself will contain the text strings:

COMMAND.COM
PCCILLIN.COM
PCCILLIN.IMG
HATI-HATI !! ADA VIRUS DISINI !!Delete
Computers infected with the Ada virus will often have a slow clicking sound emitting from their speakers; this clicking may sometimes change in pitch.Computers infected also may show a "Disk Full" error even if the disk still has space on it.

While infected with the Ada virus, system memory measured by the DOS CHKDSK decreases by 21,296 bytes to 21,312 bytes. The virus will reside in the memory after an infected file is run and will infect any other .COM files executed on the computer. It will also hijack interrupts 08, 13 and 21.
There is only one way to infect a computer with the Ada virus; by executing an infected file. The infected file may come from a variety of sources: floppy disks, files downloaded from the Internet, and infected networks

One possibility on Windows Me, Windows XP, Windows Vista and Windows 7 is a tool known as System Restore, which restores the registry and critical system files to a previous checkpoint. Often a virus will cause a system to hang, and a subsequent hard reboot will render a system restore point from the same day corrupt. Restore points from previous days should work provided the virus is not designed to corrupt the restore files or also exists in previous restore points. Some viruses, however, disable System Restore and other important tools such as Task Manager and Command Prompt. An example of a virus that does this is CiaDoor. However, many such viruses can be removed by rebooting the computer, entering Windows safe mode, and then using system tools.

On the Windows operating system, Bad Sectors 1.2 is a boot virus that infects users computers mainly by email. However, it may also infect a computer if the user visits certain web sites
An obvious symptom of the Bad Sectors 1.2 virus is a buggy and lengthy startup. The computer then begins a lengthy scan for "possible bad or inactive sectors" during a particular boot. During this scan the system hangs and must be restarted. However, the scan will continue to be run until it is impossible for the user to access their system.

The only possibility of getting around this glitch is to boot in safe mode and cancel the scan.

Users browsing the system32 program files will discover corrupted files and programs created by the virus. The virus adds meaningless and random number strings such as: "B84F5319052758433" that slows down the infected system. Also, a dialog box appears that says "SYSTEM ERROR" whenever a user attempts to delete these files.

The infected computer must be rebooted in safe mode and all corrupted files deleted. Then, the user must perform a System Restore in order to remove the virus.

CIH, also known as Chernobyl or Spacefiller, is a Microsoft Windows computer virus written by Chen Ing Hau (陳盈豪, pinyin: Chén Yíngháo) of Taiwan. It is one of the most damaging viruses, overwriting critical information on infected system drives, and more importantly, in some cases corrupting the system BIOS.

The name "Chernobyl Virus" was coined some time after the virus was already well-known as CIH, and refers to the complete coincidence of the payload trigger date in some variants of the virus (actually the virus creation date in 1998, to trigger exactly a year later) and the Chernobyl accident, which happened in the Ukrainian SSR on April 26, 1986.
CIH spreads under the Portable Executable file format under Windows 95, Windows 98, and Windows ME. CIH does not spread under Windows NT, Windows 2000, Windows XP, Windows Vista, or Windows 7. CIH infects Portable Executable files by splitting the bulk of its code into small slivers inserted into the inter-section gaps commonly seen in PE files, and writing a small re-assembly routine and table of its own code segments' locations into unused space in the tail of the PE header. This earned CIH another name, "Spacefiller". The size of the virus is around 1 kilobyte, but due to its novel multiple-cavity infection method, infected files do not grow at all. It uses methods of jumping from processor ring 3 to 0 to hook system calls.

The payload, which is considered extremely dangerous, first involves the virus overwriting the first megabyte (1024KB) of the hard drive with zeroes, beginning at sector 0. This deletes the contents of the partition table, and may cause the machine to hang.

The second payload tries to write to the Flash BIOS. Due to what may be an unintended feature of this code, BIOSes that can be successfully written to by the virus have critical boot-time code replaced with junk. This routine only works on some machines. Much emphasis has been put on machines with motherboards based on the Intel 430TX chipset, but by far the most important variable in CIH's success in writing to a machine's BIOS is the type of Flash ROM chip in the machine. Different Flash ROM chips (or chip families) have different write-enable routines specific to those chips. CIH makes no attempt to test for the Flash ROM type in its victim machines, and has only one write-enable sequence.

For the first payload, any information that the virus has overwritten with zeros is lost. If the first partition is FAT32, and over about one gigabyte, all that will get overwritten is the MBR, the partition table, the boot sector of the first partition and the first copy of the FAT of the first partition. The MBR and boot sector can simply be replaced with copies of the standard versions, the partition table can be rebuilt by scanning over the entire drive and the first copy of the FAT can be restored from the second copy. This means a complete recovery with no loss of user data can be performed automatically by a tool like Fix CIH.

If the first partition is not FAT32 or is smaller than 1GB the bulk of user data on that partition will still be intact but without the root directory and FAT it will be difficult to find it especially if there is significant fragmentation.

If the second payload executes successfully, the computer will not start at all. A technician is required to reprogram or replace the Flash BIOS chip, as most systems that CIH can affect predate BIOS restoration features.
CIH v1.2/CIH.1103
This variant is the most common one and activates on April 26. It contains the string: CIH v1.2 TTIT.
CIH v1.3/CIH.1010A and CIH1010.B
This variant also activates on June 26. It contains the string: CIH v1.3 TTIT
CIH v1.4/CIH.1019
This variant acts on the 26th of any month. It is still in the wild, although it is not that common. It contains the string CIH v1.4 TATUNG
CIH.1049
This variant activates on August 2 instead of April 26.

Arcv.670 send you this text: "Happy Xmas from The ARCV"

Conficker B & C: NetBIOS
Exploits MS08-067 vulnerability in Server service
Dictionary attack on ADMIN$ shares
Removable media
Creates DLL-based AutoRun trojan on attached removable drives