Virus Database

CyberTech Family

Description CyberTech Family

These are harmless nonmemory resident (CyberTech.647,914,1313 are memory resident ones) parasitic encrypted viruses. They search for COM files, then write themselves to the end of the file. If the file name is COMMAND.COM some of these viruses insert themselves to the file end without increasing the file length (see also "Lehigh" virus).
"CyberTech.222,647" are not encrypted ones.
"CyberTech.439,444,454" contain the text string: "CAVAGUCO4DVSTB" and do not infect the files with names which begins from two letters from that string (CA*.*, all , 4D*.*, VS*.*, TB*.*). These viruses also contain the text strings:
"CyberTech.439": [NoLimit] John Tardy / Trident
"CyberTech.444": John Tardy / TridenT
"CyberTech.454": [NoLimit2] John Tardy / Trident

"CyberTech.501" contains the text strings:
I scream, you scream, we both scream for an ice-cream!
[TridenT]
John Tardy

"CyberTech.552" contains the text strings:
Mourners of a dying world
Too late to reconcile
Into Everlasting Fire
Can't you see it's Satan's world
TRIDENT
John Tardy

"CyberTech.503" displays:
RTL4
Joop van den Ende Produkties BV
Marco Daas (Casting Assistent)
Postbus 397
1430 AJ AALSMEER
van Cleeffkade 15
1413 BA AALSMEER
The Netherlands
Wedden dat... je een virus hebt?

"CyberTech.647" contains the text strings:
[90210 BH]
John Tardy / Triden

"CyberTech.Caco.664,668" contain the text strings:
(C) 1992 John Tardy / Trident
Satan spawn, the Caco-Daemon - Mor(T)alities Death

In 1993 "CyberTech.1076,1078", or in 1994 "CyberTech.1066,1215,1228" removed themselves from the host file and displayed:
The previous year you have been infected by a virus
without knowing or removing it. To be gentle to you
I decided to remove myself from your system. I suggest
you better buy ViruScan of McAfee to ensure yourself
complete security of your precious data. Next time you
could be infected with a malevolent virus.
May I say goodbye to you for now....
CyberTech Virus - Strain A
(C) 1992 John Tardy of Trident

CyberTech.914,1313
These are memory resident viruses. They hook INT 21h and write themselves to the end of COM files that are accessed. "CyberTech.914" also hooks INT 1Ch and forces system timer to decrease its counter instead of increasing. These viruses contain the text strings:
"CyberTech.914": | Trapped in a spell of the Necromonicon |
"CyberTech.1313": [ "Thunderdome" virus by John Tardy / TridenT ]
Created in Holland, released near Bolzano/Italy.
This virus is made to test the spreading rate of viruses in Italy. It is not
ment to be destructive, however, some programs might not work anymore,
because of CRC-checking. I am sorry if I accidentally corrupted one of your
programs, but HEY! That is how life is, eh? Try to get our virus collection!
and try TPE, or DMU (another one, more compact and also very complex!).
Greetings go to all other virus writers!

Check other viruses! Be aware! Use Antiviral Software

BAT.Combat.717

Description BAT.Combat.717

This is a nonmemory resident harmless BAT virus. When executed, it searches for .BAT files in the current and parent directories, then in directories C: , C:DOS, C:WINDOWS, then writes itself to the beginning of the file.
The virus uses "binary" method - its code may be executed in both BAT and COM format (see "Batman" virus). By using this trick the virus realizes two branches of its algorithm and may access DOS functions (INT 21h). To run itself as COM file the virus creates a temporary C:COMBAT.COM file and copies itself to there.
The virus contains the texts:
* ComBat *
Rajaat / Genesis
ComBat.TMP

BAT.CopyToC

Description BAT.CopyToC

These script viruses are written in BAT, and copy themselves to directories on the C: drive.
BAT.CopyToC.a
This virus is 552 bytes in size. When launched for the first time, the virus creates a file named 1.sys in the Windows directory. It then copies itself to the C: root directory as AllTheBat.bat.
The virus registers this file in the system registry to ensure that the file is automatically launched each time the system is started.
[HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun]
"AllTheBat"="c:\AllTheBat.bat"
It creates an additional file named C:AllTheBat.reg to enable it to do this.
On subsequent launches, the virus will rename all files in the current directory. It also adds the extension .bat to the name of every file. The virus attempts to copy itself to the A: drive as A: eadme.txt.bat.
BAT.CopyToC.b
This virus is 1262 bytes in size. The virus attempts to copy itself to the C: drive under the following names:
c:Gunslinger.bat
c:progra~1msnmes~1Gunslinger.bat
c:progra~1msnmes~11043data.bat
c:progra~1window~1Gunslinger.bat
c:progra~1window~1skinsdata.bat
c:progra~1window~1Visual~1user.bat
c:progra~1internGunslinger.bat
c:progra~1internpluginsdata.bat
c:progra~1internsignupuser.bat
c:progra~1internw2kcpu.bat
Payload
The virus deletes EXE files in the C:progra~1 and C:Windows directories.
BAT.CopyToC.c
This virus is 825 bytes in size. The virus copies itself into other files on the C: drive.
New files which contain a copy of the virus will have the following names:
c:Autorun.exe.bat
c:windows askman.exe.bat
c:windowsNotepad.exe.bat
c:windowssystem32xcopy.exe.bat
c:windowsystem32systray.exe.bat
Payload
The virus disables the mouse and the keyboard by launching C:Windows undll32 with the appropriate commands.
It deletes .sys files from the Windows system directory and creates text files in the C: root directory.
The C:Readme.txt file contains the following text string:
Now you are f*ck
The C:Virus Info.txt file contains the following text string:
Poop Smells

Home