Virus Database

Viking Family

Description Viking Family

These are the memory resident parasitic viruses. They hook INT 21h and write themselves to the end of COM and EXE files. While infecting a file the viruses convert EXE files to COM format (see "Vaccina" viruses). These viruses also contain the word:
Viking

Viking.700
It is a harmless virus. It infects the files that are executed. The versions of that virus contain the strings:
"Viking.700": Viking1 In
"Viking.700.b": Viking3 In

Viking.1000
It is not a dangerous virus. It infects the files that are executed. The virus infects the COMMAND.COM file when the first infected file is executed. This virus contains the texts:
To Nataly from Viking
In

Sometimes it also hooks INT 10h and on displaying via INT 10h it converts uppercase letters to lowercase ones, and lowercase to uppercase. While infecting a file and depending on the system timer it plays a tune.
Viking.1000.b,c,1400
These are dangerous viruses. "Viking.1400" is an encrypted one. These viruses infect the files that are executed or opened, they also search for the files and infect them on DOS calls that access to the files. They infect the COMMAND.COM file when the first infected file is executed. While infecting a file these viruses try to set INT 13h handler to its original address in DOS area, but in lot of cases the viruses fail and DOS halts. The viruses contain the text strings:
"Viking.1000.b": *.COM *.EXE Viking4 In
"Viking.1000.c": *.COM *.EXE Viking5
"Viking.1400": *.COM *.EXE Viking7

Viking.1600,2000
These are not dangerous memory resident parasitic encrypted viruses. They trace and hook INT 21h, then they write themselves to the end of COM and EXE files that are executed, opened or renamed. They search (by using the string "*.COM *.EXE") for the files and infect them on DOS calls OpenFCB and GetDiskSpace.
While infecting an EXE file "Viking.2000" checks the file length. If the length of EXE is more than 64K, the virus infects it by manipulation with EXE header fields, those files stay of EXE format after infection. If the file length is lesser than 64K, the virus converts the file to COM format (see "Vaccina" method).
These viruses contain the strings:
"Viking.1600":
CLEAVACCFMAPDIR2BDS.VSHIVIRS

"Viking.2000":
-V.EACADAIDSANTIBDS.BUSTCLEADBLSDIR2DOCT
EMM3F-PRFATCFLUSFMAPNC.ENCMAPROTQAPLSCAN
SMARSTACTESTTLINVACCVIRSVSHIWIN.

and check the file name for these strings before infection. If the first four letters of file name present in that string, the virus does not infects that file. As a result, the files CLEA*.*, VACC*.* FMAP*.*, DIR2*.*, BDS.*, VSHI*.*, VIRS*.* are not infected by "Viking.1600". "Viking.2000" does not infect the files -V.E*, ACAD*.* e.t.c.
Some generations of "Viking.1600" display the message:
On 1 Mar. 1992 I met NATALY, and she changed my life!
The 365th copy of is dedicated to our first anniversary

Depending on the number of its generation "Viking.2000" hooks INT 8 (timer) and displays either the random data, or the message "Viking". This virus contains the string:
String carrier space! Available for messages! No more viruses!
LOOKING FOR WORK! Address available in LCV_BAS!

Viking.Mixtura
It is a harmless memory resident parasitic virus. It hooks INT 21h and writes itself to the end of COM and EXE files that are executed. It contains the text strings:
Crypted Here->
ViKing-Mixtura,CopyLeft (L) 1993 by ViKing.
ViKing is The Real King of Viruses' Kingdom.

Check other viruses! Be aware! Use Antiviral Software

Brothers.2045

Description Brothers.2045

This is a harmless memory resident virus which hooks INT 21h and infects in a standard way COM- and EXE-files. It contains the texts: "Brothers in arm.Copyright (C) 1990. V 1.0", ":*.EXE".

Brr

Description Brr

It is a very dangerous memory resident stealth boot virus. It writes itself to the MBR of the hard drive and boot sectors of floppy disks. The virus infects in correct way only 360K floppy disks and corrupts data on other types of floppy disks.
While loading from infected disk it copies itself to the Interrupt Vectors Table and hooks INT 9, 13h. Depending on the system timer the virus displays the message:
Brrall!

By hooking INT 9 the virus intercepts warm reboot (Alt-Ctrl-Del) and tries to infect floppy disk, if it is in drive.

Home