Virus Database

Win16.Apparition.a

Description Win16.Apparition.a

This is a memory resident parasitic (polymorphic?) Windows EXE files infector, 87438 bytes of length, written in Borland's Object Pascal for Windows. The virus installs itself into the system and periodically searches for EXE files and writes itself to the beginning of files.
The virus has a very unusual structure. The main part (about 60K) is the virus code (virus routines and Pascal runtime library), text strings, icon and other data used by the virus while installing and spreading. The next block (3.5K) contains a packed (with LZ method) MS Word template - Word macro virus. The third block (21K) contains packed (by LZ) virus source code (!!!). After unpacking, that 46K source helped a lot to complete virus analysis. And the last block (3K) contains resources file that is used when the virus runs Borland Pascal compiler (see below).
While infecting a file the virus moves the file down by 87438 bytes and then writes its code to the beginning of the file. To return control to the host file, the virus creates a temporary file, writes to this file clean host file code and executes it. This way to spread is usual for DOS viruses written in high level languages - Pascal or C.
The virus also scans the files for
DEC BP
DEC BP

assembler instruction (4D4Dh) while infecting them, and replaces this code with INT 83h call (CD83h). When active, the virus hooks INT 83h. The only code in virus INT 83h handler decreases BP register by two - the same as DEC BP, DEC BP commands do. I do not know what is the reason to do that, but patched in this way files will work under infected system only.
Before infecting the virus checks the file header and infects only EXE file that have NE (Windows) or PE (Windows95) internal format, so the virus infects both NewEXE Windows and Windows95 executable files. Under Windows 3.11 this virus works without any side effect, but I didn't try to run it under Windows95.
Installation
When an infected file runs, the virus allocates blocks of system memory and reads its code from infected file to these blocks (to use these data while infecting other files). It then drops to the Windows startup directory the 87438 bytes VIDACCEL.EXE file containing virus code and then registers this file in Windows WIN.INI file in [windows] section as "load by default" application - the string "load=VIDACCEL.EXE" appears, or "VIDACCEL.EXE" is appended to the end of "load=" string. As a result, Windows will load and execute the infected VIDACCEL.EXE on the next startup.
To stay "memory resident" the virus creates a hidden window that dispatches system events including timer calls and runs standard messages dispatching loop. On timer calls the virus, depending on its internal flags, searches for EXE files in subdirectory trees on all disks and infects them. To do all that the virus uses standard Pascal library calls only - no system programming at all.
In details, when the virus installs itself into the system, the Pascal runtime library creates and registers a window class (by system calls REGISTERCLASS, CREATEWINDOW and SHOWWINDOW) and sets HIDDEN parameter for this window. The virus then sets new Windows system timer (SETTIMER call), sets timer delay to 10 seconds and registers a handler (wmTimer) that gets control on timer events. To stay in memory the virus initializes the main messages dispatching loop (GETMESSAGE, TRANSLATEMESSAGE, DISPATCHMESSAGE) and stays within this loop up to termination request (wmClose) when Windows exits.
Timer Handler
When the virus timer handler gets control (once per 10 seconds), it launches its four routines in sequence - one routine is executed per one timer event. The first routine maps drives - it accesses all disks from C: till Z: and stores write-able ones. To do that the virus creates temporary file WR.TST on a disk and deletes it. If this operation failed, the virus does not access files on this disk.
The second routine scans the directory tree on selected disk and searches for files. When an EXE file is found, the virus checks its length and date. If the file length is less than 300K and above than 16384 bytes, and the file date is not equal to 1234h (Feb 7, 1990), the virus saves the file name to infect it when infection routine (fourth one) will get control.
While searching files the virus pays special attention for several file names - OWINDOWS.TPW, BPC.EXE and NORMAL.DOT. If Pascal for Windows files are found (OWINDOWS.TPW and BPC.EXE), the virus stores their paths to use in its mutation engine (see below). When NORMAL.DOT file is found, the virus overwrites it with a silly Word macro virus that contains three macros: FileOpen, AutoOpen and WWUpdated. The first macro infects Word documents on opening, the second macro installs virus on Word startup, the last one is virus ID-macro.
Mutation
The third routine that is called by timer handler is the virus mutation engine. I could not make the virus to complete that routine, but it seems that the virus attempts to modify and recompile its source code! I never seen such way of polymorphism. The virus is not encrypted, but it attempts to rebuild itself, and that would be not possible to detect that virus by using a mask - in different samples there will be different offsets and pointers to data and code, and different version of Borland Pascal compiler will "mix" that code too.
To do that the virus unpacks and writes to disk its source code, processes it and inserts junk(?) do-nothing Pascal instructions into the text. The virus gets junk commands from strings:
Begin if then Repeat Until or True Until True End
While And False do While False do
Procedure Word Boolean Real Char integer string pointer wri
= <> > < and or xor

Then the virus creates temporary resources and PIF files (MAIN.RES and TMP~~TMP.PIF) and runs Borland Pascal compiler (by using PIF). As a result there is TMP$XTMP.EXE file containing virus code. The virus then appends to that file packed Word macro virus, compresses (LZ-method) and appends new source file, as well as last block with resources file (see virus structure above).
The result of this mutation engine is an EXE file with similar (but not the same) executable code and data, as well as with similar packed source code inside. The virus then renames the file to VIDACCEL.EXE (virus dropper) and moves it to Windows startup directory.
WIN.INI Section and Trigger Routines
While installing the virus creates a section in WIN.INI file, the name of section is [The Apparition]. This section describes several virus parameters. The virus creates, reads and modifies following parameters:
"Running NOW=" - "Yes" means that the virus is already active. When infected file is executed for next time, the virus checks that parameter and does not re-infect the system. While installing itself into the system, the virus sets it to "Yes", while exiting - to "No".
"BootInfected=" - "1" means that the VIDACCEL.EXE file is already dropped, and the virus will not re-drop it.
"DieMonth=" and "DieDay=" - they point to the trigger date. On this date the virus will search for all files (except WIN386.SWP and 386SPART.PAR) on all disks and delete them. The virus inits these strings while infecting the system - it sets them to current date increased by month.
"AtomID=" and "IDAtom=" parameters are used to perform system calls.
Following parameters are accessed by virus only for reading, that means that these strings may be entered only by user:
"Die=" - this parameter locks the trigger routine.
"NoRun=" - if this parameter is set to "1", the virus will not infect the system.
"NoInfect=" - if this parameter is set to "1", the virus will not infect the files.
"ShowDotsOn=1", "ShowDialog=666", "Logging=YES" - debug parameters.
If "Logging" is set, the virus creates the WINAPP.LOG file in Windows directory and writes following strings to there:
Started. - when run
Loaded OK. - allocating memory and reading virus code done
InfectBoot = start - before dropping VIDACCEL.EXE
InfectBoot = done - after dropping VIDACCEL.EXE
Running application - before running host file
Application finished - after running host file
Terminate requested - when corresponding button is pressed, if
Paused virus windows is visible (see below)
Resumed
Remove from memory requested
!!! Destruction requested !!!
Executing PIF : - while executing Borland Pascal via PIF
PM Failed : No compiler - while executing mutation engine
PM started
PM is using temp dir
PM Failed : Out of diskspace
PM Failed : 1st compile failed
1st compile OK.
PM Failed : Source file too big
PM : Compression started, bytes
PM : Compression completed,
PM : Constants updated
PM : 2nd compile failed
PM : I/O Error
PM : Linked OK

When "ShowDotsOn" is set, the virus displays MessageBoxes (header/message) to ask user about operation:
!!! VIRUS WARNING !!!
Do you really want to run program infected by virus ?
!!! WARNING !!!
Overwrite NORMAL.DOT, confirmed ?
!!! THE APPARITION WARNING !!!
Infect [filename] Confirmed ?

When "ShowDialog" is set to "666", the virus makes its window visible, and it appears on the screen:
+--------------------------------+
ƒ - ƒ THE APPARITION ƒ * ƒ
+--------------------------------ƒ
ƒ File Help ƒ
+--------------------------------ƒ
ƒ The Apparition for Windows ƒ
ƒ UltraGluk ALL-IN-ONE ƒ
ƒ ƒ
ƒ Status : ƒ
ƒ Last : ƒ
ƒ Total : ƒ
ƒ ƒ
ƒ +------------+ +-----------+ ƒ
ƒ ƒ Terminate ƒ ƒ Pause ƒ ƒ
ƒ +------------+ +-----------+ ƒ
ƒ +---------------------------+ ƒ
ƒ ƒ !!! DESTRUCT !!! ƒ ƒ
ƒ +---------------------------+ ƒ
+--------------------------------+

"File" menu contains four items:
"Check" - the virus displays the MessageBox:
Double FUCK!!!
Press CTRL+ALT+DEL Twice to Install Printer!!!

"Infect" - the virus runs file browser to select the file. If the virus is infecting some other file, it displays:
Error!
Infection engine is busy.

If the file is already infected, the virus displays:
You MAZDAI!
File is already infected, I WANNA new file to infect!

Both "Remove" and "Teminate" (mistyping in virus code) remove virus from the system. In case of "Remove" the virus also displays the MessageBox:
WINAPP
About to remove from memory, confirmed?

"Help" menu contains one item - "About". When pressed, the virus displays MessageBox with the text inside:
About The Apparition
Win-Apparition
Written by Lord Asd
Last modified : 25 Dec '96
This beta version of The Apparition was tested only
under Win 3.10 and may work incorrectly under
other Win versions and OS/2 Warp

"Status :" string is followed with a string that indicates current virus status:
Completing taskall
Wait...
Locked.
Upgraded OK.
Paused by operator.
Mapping drives...
Scanning tree (Level x)...
Spreading...
Idle.
PM : Loading...
PM : Unpack...
PM : Mutation...
PM : 1st compile
PM : FAILURE
PM : Compression...
PM : Updating...
PM : 2nd compile
PM : Linking...

"Last :" string is followed with latest infected file name. "Total :" string contains the number of files that were processed while scanning disk tree.
On "Terminate" button the virus removes itself from memory. On "Pause" button the virus paused its timer handler and replaces "Pause" button with "Resume". On "DESTRUCT" button the virus displays two MessageBoxes:
WARNING
Are you sure you want to delete all files from your disks?
!!! DANGER !!!
Destroy all data on all available devices, confirmed?

and then erases all files on all disks.
The virus also displays other MessageBoxes and contains more text strings. MessageBoxes are:
Warning
Destruction locked.
System error
System stack failure, error code 0xC6 at 0004:2F16
Error
Unexpected disk operation failure, error code 0x0x
Error
Out of memory.
Error
Unknown disk error.
!!! VIRUS WARNING !!!
This program is infected by The Apparition for Windows and will not start.

Text strings are:
APPARITION _PSEUDO_ICON MAIN_MENU ABOUTDLG UNTITLED WINAPP
COMMDLG KERNEL KERNEL GDI USER KEYBOARD KERNEL USER KEYBOARD
WINAPP.EXE
All files *.* Executable files (*.EXE) *.EXE Infect file EXE
ApparitionInstalled
hInstance=
*** PERMUTATION START HERE ***
*** PERMUTATION STOP HERE ***
Function Begin End
TMP$XTMP.T01 TMP$XTMP.T02 TMP$XTMP.EXE MAIN.RES
!!! CODE SIZE !!!
VSize=
cs_const=
!!! DECOMPRESSED SRC SIZE !!!
XSrcSize=
xss_const=
!!! COMPRESSED SRC SIZE !!!
CSrcSize=
css_const=
ApparitionInstalled
AboutDlg
Apparition
ApparitionInstalled
THE APPARITION
Running
THE APPARITION
KERNEL USER GDI KRNL386 KRNL286
MICROSOFT PIFEX
WINDOWS 286 3.0
WINDOWS 386 3.0
Portions Copyright (c) 1983,92 Borland
OW1 OW2
TurboWindow Error code = %d. Continue?
Application Error
(Inactive %s)
TPWinCrt
Runtime error 000 at 0000:0000.
Main_Menu Apparition THE APPARITION Times New Roman Terminate
Apparition Last None Pause Total
!!! DESTRUCT !!! Initializing... Status

Text added: Jan-06-1997

Check other viruses! Be aware! Use Antiviral Software

Riot multipartite

Description Riot multipartite

These are harmless memory resident multipartite viruses. On execution of infected file they hit MBR of hard drive. On loading from infected disk they hook INT 13h, then they hook INT 21h and write themselves at the end of COM-files are executed. They contain the internal text string:
(c) Metal Militia/Immortal Riot

Riot.278.a

Description Riot.278.a

Riot.278, 279, 282, 392, and Tower.411
These are harmless memory resident parasitic viruses. Upon being executed, they copy themselves into a interrupt vector table, and hook INT 21h. They write themselves to the end of executed or closed files. "Riot.393" also infects files that are opened or renamed. "Riot.282" infects COM files only; "Riot.278 and 392" infect both COM and EXE. These viruses contain text strings:
"Riot.279,281,282": EXTASY! (c) Metal Militia / Immortal Riot
"Riot.392": RAVAGE! (c) Metal Militia / Immortal Riot

"Riot.Tower.411" displays:
Tower Virus (c)1994
Thiss vihruws riten bi a prawducked af thee waauren woulds skoul distriks.

Riot.355
This is a memory resident overwriting virus. It hooks INT 21h, and overwrites all files that are executed. It contans/displays the strings:
Marked-X
Will we ever learn to talk with eachother?
(c) Metal Militia/Immortal Riot
In any country, prison is where society sends it's
failures, but in this country society itself is faily
Bad command or filename

Riot.426 and 428
These are dangerous non-memory resident parasitic viruses. They search for COM files of the current directory, and write themselves to the end of the file. In some cases, they display the message "ARBEIT MACHT FREI!" or erase disk sector. The viruses also contain the text string:
The Unforgiven / Immortal Riot Sweden 01/10/93

Riot.723, 724, F ace, RedMercury, Stioxyl, and Uniq
These are dangerous non-memory resident encrypted parasitic viruses. They search for COM files, and write themselves to the end of the file. They overwrite a DOSKEYB.COM file with a Trojan program, delete the files, and erase the disk sectors. The viruses contain the text strings:
"Riot.723 and 724":
ImmortalRiot [BAD ATTITUDE!]
(c) '94 The Unforgiven/Immortal Riot
dos doskeyb.com
"Riot.Face":
Faces of Death - (c) 1994 The Unforgiven/Immortal Riot
DOSEDIT.COM
c:doskeyb.com
Materialism - the religion of today, ain't it sad?
"Riot.Stioxyl":
[Stioxyl] (c) '94 The Unforgiven/Immortal Riot
DOSEDIT.COM
"Riot.RedMercury":
I hereby annex this sector as the property of IR!
Red Mercury (c) '94 The Unforgiven/Immortal Riot
*IR.COM
c:doskeyb.com c:autoexec.bat c:config.sys c:command.com
"Riot.Uniq":
[UNiQ](c) 1994 Metal MilitiaImmortal Riot, Sweden
c:doskeyb.com

Riot.789
This is a dangerous non-memory resident virus. By using the masks "*.COM and *.EXE", it searches for .COM and .EXE files on the C: drive, and overwrites them. It creates the C:INFERNAL.IR file to where it writes the message: Infernal Demand! (c) Metal Militia / Immortal Riot Your misery is our pleasure! Your nightmare is our dream! Your hell is our paradise! Your lost is our demand! Your cry is our laugh! And your fate is ours!
Riot.1203
This is a benign non-memory resident encrypted parasitic virus. It searches for .COM files of the directory tree, and writes itself to the end of the file. In some cases, it leaves a memory resident program, which hooks INT 8 and displays:
Another year passed by
Another tear the willows crys
to change the world we ever try
to make a difference before we die
[PSYCHOSIS] Greets, Phalcon/Skism.
(c) 93/94 The Unforgiven / Immortal Riot

It also contains the string:
\ Merry Xmas and a happy new year // Sweden - Snowing Again

Riot.Aladdin
This is a dangerous non-memory resident encrypted parasitic virus. It searches for .COM files and writes itself to the end of the file. It erases CMOS, disk sectors, and displays the following messages:
DEBUGGING IS VERY ILLEGAL (NOT!)
I am an assasin, I want to and shall kill you!
I also hate Aladdin and will also kill it!
I will eliminate you with the touch of just one finger
Look at my revenge! Crying wont help you!
I am a dangerous virus, I live! I am created by:
The [HACKING HELL] !!!!
Fear me! I am more powerfull than GOD!
Aladdin Killer #1
Hacking Hell
I-EAS Virus Creation Centre v0.19ƒÒ
[AK] [HH] [IE-VCC v0.19ƒÒ]
XXX-Rated

Riot.BadReligion
These are dangerous non-memory resident encrypted parasitic viruses. They search for COM files and write themselves to the end of the file. Depending on the system time, they erase the disk sectors. They contain the text strings:
[Bad Religion] (c) 1994 The Unforgiven/Immortal Riot
DOSEDIT.COM *.com

Riot.Caffeine.366
This is a dangerous non-memory resident encrypted parasitic virus. It searches for .COM files, and writes itself to the end of the file. Depending on the system time, it leaves a memory resident program that hooks INT 21h and erases the files that are executed. The virus contains the text string:
[Caffeine] (c) 1994 The Unforgiven/Immortal Riot*.com

Riot.CarpeDiem
This is a dangerous non-memory resident encrypted parasitic virus. It searches for .COM files, and writes itself to the end of the file. Depending on the system timer, it erases the MBR of the hard drive and displays the following message:
CARPE DIEM! (c) '93 - Raver/Immortal Riot

It also contains the text string:
Sweden 16/11/93*.com

Riot.CarpeDiem.1012 and 1033
These are benign memory resident encrypted parasitic viruses. They hook INT 21h, and write themselves to the end of COM files that are executed or closed. They contain/display the text strings:
CARPE DIEM! - SIEZE THE DAY!
(c) '95 The Unforgiven/Immortal Riot
Kudos to Raver, Conzouler & King_Dan! Program infected!

Riot.CarpeDiem_II
These are benign memory resident encrypted parasitic viruses. They hooks INT 8, 9, 21h, and write themselves to the end of COM files that are executed or closed. When an infected file is opened, the viruses disinfect it. The viruses displays the following messages:
"Carpediem_II.1299,1305": CARPE_DIEM_II - FLOATING THROUGH THE VOID!
"Carpediem_II.1336": HERMANNI BLOWS FRISK'S LITTLE DICK BLUE!
"Carpediem_II.1409,1415": CALL 0910-14000 for a CURE!
This virus was written by The Unforgiven/Immortal Riot

They also contain the text strings:
"Carpediem_II.1299,1305": SVW: The Unforgiven/Immortal Riot
Fuck Corporate Life!
"Carpediem_II.1336": AND YOU ARE IT! [DeathRider]
"Carpediem_II.1409,1415": Fuck you Ratman!
It's some version of CARPE DIEM_II!

Riot.Coke.535
This is a benign non-memory resident parasitic virus. It searches for .EXE files, and writes itself to the end of the file. It contains bugs, and replicates only from files about 340K in length. On the 1st of any month, it displays:
Love to LISA :)

It also contains the strings:
Cocaine [CoKe](c) Metal Militia/Immortal Riot
Cocaine's running thrue your vainsIt seems you have become an addict
*IR.EXE

Riot.Conjurer and Riot.Immortal
These are benign non-memory resident parasitic viruses. They search for .COM files, and write themselves to the end of the file. The viruses display the following messages:
"Riot.Conjurer.270": CoNJuReR.BSC!
"Riot.Conjurer.300": CoNJuReR.300!
"Riot.Conjurer.433": Ajax is kampioen, Ajax blijft kampioen,
er is nog geen club die daar iets aan kan doen!
CoNJuReR.AJAX Rulez! [iMMoRTaL EAS]
Ajax won UEFA-Cup 1995!!!
"Riot.Conjurer.Tng": Diz mezzie iz printed by:
CoNJuReR.TNG (The Next Generation!)
"Riot.Conjurer.VCC.269": Test Virus #1 Hacking Hell
I-EAS Virus Creation Centre v0.19ƒÒ
[T1] [HH] [IE-VCC v0.19ƒÒ]
"Riot.Conjurer.VCC.408": DEBUGGING IS VERY ILLEGAL (NOT!)
Test Virus #2 Hacking Hell
I-EAS Virus Creation Centre v0.19ƒÒ
[T2] [HH] [IE-VCC v0.19ƒÒ]
"Riot.Conjurer.VCC.586": DEBUGGING IS VERY ILLEGAL (NOT!)
Test Virus #3 Hacking Hell
I-EAS Virus Creation Centre v0.19ƒÒ
[T3] [HH] [IE-VCC v0.19ƒÒ]
"Riot.Immortal.265": iMMoRTaL.263!!
"Riot.Immortal.353": iMMoRTaL.358!!
"Riot.Immortal.377": iMMoRTaL.377 {{Encrypted!!}
"Riot.Immortal.510": iMMoRTaL.510 {{Encrypted!!}
"Riot.Immortal.550": iMMoRTaL.550!!

Riot.DDeath
This is a harmless memory resident encrypted parasitic virus. It hooks INT 21h, and writes itself to the end of COM and EXE files that are executed or closed. It contains the text string:
Digital Death - v0.90ƒÁ (c) '94 Raver/Immortal Riot

Riot.Digital
This is a dangerous memory resident encrypted parasitic virus. It hooks INT 21h, and writes itself to the end of COM files that are executed or opened. Depending on the system date and time, it beeps through a PC speaker or erases CMOS. It contains the text string:
Digital Pollution (c) '94 Raver/Immortal Riot

Riot.Doom
This is a benign non-memory resident encrypted parasitic virus. It searches for EXE files, and writes itself to the end of the file. It occupies some of the system memory after execution, but does not hook system interrupts. It contains the string:
DOOM! (c) '93 Raver/Immortal Riot

Riot.Enemy.757
This is a dangerous memory resident virus. It hooks INT 21h, and infects the files that are executed. While executing a Filename.Ext file, the virus creates Filename.Exe files, and writes itself into it. As a result, .EXE files are overwritten, and .COM files are completed with companion .EXE files. This virus contains the texts:
Unknown Enemy
(c) Metal Militia/Immortal Riot
I'm hurt, machineguns firing behind my back
Never had no chance, no way to do a attack
Thisone sure is the last time i guess
Heading for a private deathrow, nothing less
Blood, quickly pumping out from the vound in the vain
Damn, this moment makes you sort of go insane
Close my eyes, had much left to see
Was my fault, but did they have to do it, gee?
Promise me, this hit you will remember
Take one of them down before winter comes in december
Why that month? Well, i like it very much
Fresh, cool air, wonders of the snow to touch
The world is wonderful, what else to say?
Just remember this shit, cause it happends every day

Riot.Eternity
These are non-memory resident parasitic encrypted viruses. They search for EXE files, and write themselves to their end. "Riot.Eternity.562 and 565" are harmless viruses, "Riot.Eternity.600", depending on the system timer, erases disk sectors. They contain the following texts:
"Riot.Eternity.562 and 565": [ETERNITY!] (c) '93 The Unforgiven/Immortal Riot
"Riot.Eternity.599,600": Eternity_II (c) '94 The Unforgiven/Immortal Riot..

Riot.Evil
This is a harmless memory resident parasitic virus. It hooks INT 21h, and writes itself to the end of COM files that are executed. It contains the following texts:
Our past is our future!
[INVISIBLE EVIL!] (c) Metal Militia/Immortal Riot
Dedicated to all the victims..
Greets to B-real!/IR
It's like this and like that and like thisena
It's like that and like this and like thatena
It's like this..
Love to Lisa!
All i ever wanted..
All i ever asked for..

Riot.Evil.811
This is a very dangerous variant of the "Riot.Evil" virus. On the 31st of any month, it erases the disk sectors. It contains the following texts:
!BIOHAZARD!U Found ME!
BIOHAZARD VIRUS - INV. EVIL ALTER - THE Wƒ"ƒƒ$ƒÜL!
HEY HEY TO ALL A/V LAMERS!! HA!
Greets to B-real!/IR
Well, The Wƒ"ƒƒz is back, and he has an attitude!
Quit reading the code, yes, this is a fucking virus!
Catch me, Dare ya!
The Wƒ"ƒƒ$ƒÜL!!!!
Are you done yet???
Fuck this, Later C:!!!

Riot.Fire.473
This is a benign non-memory resident parasitic virus. It searches for .COM files, and writes itself to the end of the file. This virus contains/displays the following messages:
Fight Fire With Fireall
*.COM
Soon to fill our lungs the hot winds of death
The gods are laughing, so take your last breath
Immortal Riot..Death Greets me warm..

Riot.Hybris
This is a benign memory resident encrypted stealth virus. It hooks INT 21h, and writes itself to the end of COM files that are executed or closed. While opening an infected file, the virus disinfects it. The virus may hook INT 8, 9, or 16h, and runs itself with a video effect, and displays the following messages:
THIS PROGRAM IS (C) 1995 IMMORTAL RIOT
[HYBRiS] (c) '95 =TU/IR=

Riot.Insine.1026
This is a dangerous memory resident parasitic virus. It hooks INT 21h, and writes itself into the middle or beginning of COM files that are executed or closed. Depending on the system timer, it erases the disk sectors and displays:
Insane Reality..
The Unforgiven / IR..

Riot.Maria
This is a dangerous non-memory resident parasitic virus. It searches for .COM files of the directory tree, and writes itself to the end of the file. On the 2nd of every month, it erases the disk sectors. In some cases, it leaves a memory resident program that hooks INT 8 and displays:
Maria K lives..
Somewhere in my heart..
Somewhere in Sweden..
I might be insane..
But the society to blame..
The Unforgiven / Immortal Riot

Riot.Marked.354
This is a dangerous memory resident overwriting virus. It hooks INT 21h, and overwrites the files that are executed. It contains/displays the texts:
Marked-X Will we ever learn to talk with eachother?
(c) Metal Militia/Immortal Riot
In any country, prison is where society sends it's
failures, but in this country society itself is faily
Bad command or filename

Riot.Mega
This is a benign non-memory resident encrypted parasitic virus. It searches for .COM files, and writes itself to the end of the file. It contains/displays the messages:
DEBUGGING IS VERY ILLEGAL (NOT!)
You computher is now infected with:
MEGA-DESTRUCTION
The Conjurers....
Mega Destruct Hacking Hell
I-EAS Virus Creation Centre v0.19ƒÒ [MD] [HH] [IE-VCC v0.19ƒÒ]

Riot.Moonlite.458
This is a dangerous non-memory resident parasitic encrypted virus. It searches for .COM files, and writes itself to the end of the file. On Mondays, it leaves a memory resident program that hooks INT 21h and deletes the files that are executed; this program also hooks INT 9, and reboots a computer when the DEL key is pressed. This virus contains/displays the following messages:
Metallic Moonlite
(c) Metal Militia/Immortal Riot
Greetings to The Unforgiven/IR
Bad command or filename

Riot.Multi
These are dangerous memory resident parasitic viruses. They hook INT 21h, and write themselves to the end of COM files that are executed. On the 1st of any month, they erase the disk sectors. They contain the text strings:
COPY ME, SO I CAN TRAVEL!!!!!
Why am i so fly? ;)
Mmm.. Mmm.. Mmm..
For the smell of it!!!!!
MULTIMULTIMULTIMULTI
MULTI-FLU v1.0
(c) 1994 Metal Militia
Immortal Riot
Sweden
All viruswriters worldwide
ƒ"are to be gratulated!!!!!
FLUFLUFLUFLU
Written during SUMMERTIME!!!!!
Happy happy! Joy joy!
Winterkvist is.
a looser!!!!!
Greetings to the rest
of IMMORTAL RIOT
This is property of IR

Riot.Multiplex
These are dangerous non-memory resident parasitic viruses. They search for .COM files, and write themselves to the end of the file. On the 5th of each month, they erase the C: disk sectors. They contain the text strings:
MULTiPLEX (c) 1994 Metal Militia
Immortal Riot, Sweden
Somewhere, somehow, always :)
*.com ImRio

Riot.Overdoze
These are harmless memory resident parasitic viruses. They hook INT 21h, and write themselves to the end of COM files that are executed. They contain the text string:
[Overdoze] (c) 1994 The Unforgiven/Immortal Riot

Riot.Psychosis.1195
This is a benign memory resident encrypted parasitic virus. It searches for .COM files and writes itself to the end of the file. It contains the text string:
\ Merry Xmas and a happy new year // Sweden - Snowing Again

Sometimes it leaves a memory resident program that hooks INT 8 and displays:
Another year passed by
Another tear the willows cry
to change the world we ever try
to make a difference before we die
[PSYCHOSIS] Greets, Phalcon/Skism.
(c) 93/94 The Unforgiven / Immortal Riot

Riot.Radiation
This is a benign non-memory resident encrypted parasitic virus. It searches for EXE files, and writes itself to the end of the file. It deletes the CHKLIST.MS file. Depending on system date, it displays the following messages:
[RADIATION] .oO 1995 by CoKe Oo.
Your hate is my love,
your lie is my truth!
But love can be hate,
and truth can be a lie!

The also virus contains the text strings:
CHKLIST.MS
Made in Luxembourg 1995
To MANDY, the greatest girl I know !
Thanks to Metal Militia

Riot.Salamander
These are harmless memory resident encrypted parasitic viruses. They hook INT 21h, and write themselves to the end of COM files that are executed or closed. While opening an infected file, the viruses disinfect it. The viruses contain the text strings:
"Salamander.888": [- Salamander Four -] (c) by Blonde/IR 1995
"Salamander.940": [- Salamander Four -] (c) by Blonde in 1994

Riot.Sturm
These are dangerous non-memory resident encrypted parasitic viruses. They search for EXE files, and write themselves to the end of the file. Depending on the system date, they erase the disk sectors. They contain the text string:
[Stƒ#rm und Drang!] (c) '94 The Unforgiven/Immortal Riot*.EXE

Riot.sUMsDos.472
This is a dangerous memory resident parasitic virus. It hooks INT 1Ch and 21h, and writes itself to the beginning of COM files that are executed. It checks the screen buffer for the "sUMsDos" string, and erases disk sectors if such a string is found.
Riot.TTT
These are dangerous ("TTT.840" is benign) non-memory resident encrypted parasitic viruses. They search for COM or EXE files (depending on the virus version), and write themselves to the end of the file. Depending on the system date, "TTT.712 and 1063" erase the disk sectors. They contain/display the text strings:
"Riot.TTT.712":
The Tea, Toasts, and Titties virus 1.00EXE
You are screwed by a swedish virogen!
This virus is freeware, feel free to distribute!

"Riot.TTT.840":
This virus is a direct-action infector of .com files that will search for files
to infect in the current, DOS and in any directories below this. If it find an
un-infected comfile it will be infected, though it will still work as before. The virus
is freeware, and you are allowed and even encouraged to copy it and send it to your friends.
The Tea, Toasts and Titties virus v1.00Made in Sweden 1994

"Riot.TTT.1063":
This is The Tea, Toasts, and Titties virus v1.1. It is very destructive
and will spread to some of your com files. Please distribute as much as
you want. Any damage caused by this virus is appreciated. Beware [TTTT]
Live now and don't die courious!
Legalize everything!
Fucking is nice - don't die vir(o)gen!
Bad Religion! - Alah ƒÕlskar dig.. nƒÕr du ƒÕr dƒèd!
Stoppa rasismen, krossa facismen!
och dďd ąt politikerna!!
Raseri.. ANARKI! Och! ƒÕlska mig.. la-la-la.. bara MIG!.. !!

Home