Virus Name: 1984 (TaLoN)
     Notes: COM EXE LOW INF
Signatures: TBAV -  33 C0 8E D8 BE ?2 FF 34 FF 74 02 C7 04
          F-Prot -  33 C0 8E D8 BE ?? ?? FF 34 FF 74 02 C7 04
            Scan -  33 C0 8E D8 BE ?? FF 34 FF 74 02 C7 04

[ ] F-Prot 2.10  [M] TBAV 6.08  [ ] SCAN 9.20 V109

None of the above scanners detect this Virus as of yet.
If you add the above signatures to your scanner, it will be detected.

1984 from TaLoN ... probably the world's sneakiest virus to date.
TBAV tags it in "high heuristic" mode ... NOTHING else finds it.

This virus got a write-up in the latest PC Week ... it's being spread in a hack
of SCANV109.  You only need to run the hacked SCAN once and you're history ...
it hits every susceptible file on your HD in just one pass!

It can hit COM/EXE/BIN/OVL/SYS files, the MBR, and 360kB floppy boot sectors.

It has directory/file/partition stealth.

It uses unique virus technology (so far) in that it infects files on CLOSE!
(This is why it beats anti-virus TSRs ... they all look for infection on
OPEN.)

Infected files are forward-dated by 100 years.

You don't even have to RUN a 1984-infected file to activate the virus ... it
will activate on MOVE and COPY, on READ (even with a simple text reader like
Vern Buerg's LIST or Norton Commander's internal viewer) and it even activates
on DELETE!  (If you delete an infected file without ever running it, the virus
will bite you in the butt on the way out!)

If you PKLite or un-PKLite an infected file it will often bite you.

By: Rod Fewster
----------------------------------------------------------------------------

Note: In our tests we find it infecting all of the above, though we did not run
the tests on the MBR and 360kB floppy boot sectors yet.  This virus is
tricky with the stealth technology it uses. It will disinfect on the fly, so
one minute one file will be infected and the next it will not but another will
be. File size changes are not present while the virus is memory resident, but
if you look when the virus is out of memory you will see a 1979 byte change on
infected files.  When the virus first goes memory resident it will look for and
demand C:\DOS\COMMAND.COM and infect this file, though it may disinfect it
later and infect the command.com file in the root directory of the disk.

The signature above worked on all samples of infected files tested here. This
virus is not done being researched, but the signature is here so that you can
stop something that may have started in your computer already.

Michael Paris (Cris)
--------------------------------------------------------------------------

Virus Name: Firefly Virus
     Notes: COM EXE LOW INF
Signatures: TBAV - BB ?2 B9 10 01 81 37 ?2 81 77 02 ?2 83 C3 04 E2 F2
          F-Prot - BB ?? ?? B9 10 01 81 37 ?? ?? 81 77 02 ?? ?? 83 C3 04 E2 F2
            Scan - BB ?? B9 10 01 81 37 ?? 81 77 02 ?? 83 C3 04 E2 F2

[ ] F-Prot 2.10  [ ] TBAV 6.08  [ ] SCAN 9.20 V109

None of the above scanners can detect this virus. If you add the above
signatures to your scanner it will be detected.

The FIREFLY virus is a memory resident COM file infector.  Its most
noticeable feature is the ever-changing keyboard LEDs that appear when
the virus is resident in memory.

Upon execution the virus allocates approximately 4k of memory and hooks
interrupts 21h, 1Ch, and 24h.  The old DOS interrupt 21h is moved to
interrupts 1h and 3h to be used in the virus to handle replication.

Interrupt 21
============
If this interrupt is called, the virus checks to see if an open, execute,
or attribute call is being made.  If not, the registers are restored and
the old int 21h is called and everything appears as normal.  If one of
these functions is being performed, the virus checks to see if it is
a COM file that is being looked at.  If it is, the virus infects the
file.  The virus also checks the filename passed to the interrupt to see
if an anti-virus program is being accessed.  If it is, the virus deletes
the executable.
---

Butterfly virus 'Crusades'.  -DeathBoy KoASP

These are Resident Com infectors. When a file infected with the Adams virus
is run it will infect other .Com files in the current directory. After the
virus infects a number of .Com files (this is a different number depending
on the virus), it will go memory resident.

While the virus was in memory I could not get it to infect another file
without running it (though it was resident). When infected files are run
they do replicate.  Each file infected will change size depending on which
one is run, Gomez 1648 Bytes, Pugsley 1792 Bytes, Cousin It 1680 Bytes, etc.

This collection does warrant further research, but this is released so you
can detect this 'weird family' and know a bit about them.

Michael Paris (Cris)
---------------------------------------------------------------------------

These signatures come from Cris
Computer Research & Information Service
(708) 863-5285

* These signatures have passed all testing and worked on all
  files that were infected and tested.

REMEMBER F-prot will only allow 10 user sigs at a time, TBAV will allow
over 1000.
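
How a scanner applies wildcard byte signatures like the F-Prot-format ones listed in this bulletin, as an added example that is not part of the original bulletin or any scanner's own code. It assumes each "??" stands for exactly one arbitrary byte; the function names and the sample buffer are constructed for illustration.

```python
import re

# F-Prot-format signatures copied from the bulletin above.
SIGNATURES = {
    "1984 (TaLoN)": "33 C0 8E D8 BE ?? ?? FF 34 FF 74 02 C7 04",
    "Firefly": "BB ?? ?? B9 10 01 81 37 ?? ?? 81 77 02 ?? ?? 83 C3 04 E2 F2",
}

def compile_signature(sig: str) -> "re.Pattern[bytes]":
    """Compile 'HH HH ?? ...' to a bytes regex (assumption: '??' = any one byte)."""
    parts = []
    for tok in sig.split():
        if tok == "??":
            parts.append(b".")
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            parts.append(b"\\x%02x" % int(tok, 16))
        else:
            raise ValueError(f"unsupported signature token: {tok!r}")
    # DOTALL so a wildcard also matches byte 0x0A.
    return re.compile(b"".join(parts), re.DOTALL)

COMPILED = {name: compile_signature(sig) for name, sig in SIGNATURES.items()}

def scan_bytes(data: bytes) -> list:
    """Return a sorted list of (offset, signature name) for every match."""
    hits = []
    for name, pattern in COMPILED.items():
        hits.extend((m.start(), name) for m in pattern.finditer(data))
    return sorted(hits)

def scan_file(path: str) -> list:
    """Scan one file; DOS-era executables are small enough to read whole."""
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())

# Constructed buffer, not a real sample: filler plus the fixed bytes of the
# 1984 signature with two arbitrary bytes in the wildcard positions.
SAMPLE = (b"\x90" * 16 + bytes.fromhex("33C08ED8BE") + b"\x0a\x34"
          + bytes.fromhex("FF34FF7402C704") + b"\x00" * 8)

if __name__ == "__main__":
    for offset, name in scan_bytes(SAMPLE):
        print(f"offset {offset:#06x}: {name}")
```

Because the bulletin reports that 1984 disinfects files on the fly while it is memory resident, a scan like this is only meaningful on files read with the virus out of memory.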
