Classification

Category :

Malware

Type :

Virus

Aliases :

Vacsina, Vacsina Loader, VacsnalLoadr

Summary

A programmer in Bulgaria, known as T.P., has written a number of viruses, 50 or so different variants. Two of them, numbers 5 and 39, "escaped" to the West in 1989. One feature of the viruses in this family is a version-numbering system, similar to the one used in the "Denzuko" virus: if a virus in the family finds a file infected with an older version of itself, it removes the old infection and re-infects the file with the new version.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Variant:Yankee

Yankee_Doodle, Doodle

A number of the variants play the tune "Yankee Doodle", but these viruses are not to be confused with the original "Yankee Doodle" virus, which is referred to as "Old Yankee" in this description.

The earliest variants seem to have been written to infect only .COM files. .EXE files are also infected, but in two steps. First a short piece of code is appended to the end of the file, then a JMP to it is placed at the front of the file. This code seems to be based on the loader code used in FORMAT.COM and CHKDSK.COM in some versions of MS-DOS; when executed, it relocates the .EXE image itself. The result is a file that is structurally a .COM file, so it can then be infected as one.

F-Secure anti-virus products identify files that Vacsina has converted to COM format in this way as "Vacsina Loader". Files of this kind do not contain the virus and cannot spread it; they are reported because they are no longer in their original condition.

Variants in the second group (versions 38 and upwards) infect .EXE files in the "ordinary" way, without the conversion step.
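Whether a file carries a real MZ header or has been reduced to a COM-format image with a stub appended and a JMP at the front can be checked structurally. The Python below is an added example, not F-Secure's detection logic and not code from the virus: it parses the DOS MZ header, follows a leading near JMP in a COM-format image, and classifies the image by layout rather than by extension. The sample images and the dummy stub are constructed here, since the page gives none of the real loader's bytes; the `stub_max` window is likewise an assumption.

```python
"""Structural check for DOS .COM/.EXE images.

Added example (not F-Secure's detection logic and not code from the
virus itself). It implements the generic layout check described above:
a loader or infector stub sits at the end of a COM-format image and is
reached through a near JMP (E9 rel16) at offset 0. The exact bytes of
the Vacsina stub are not given on the page, so the samples below are
constructed, not real infections.
"""
import struct
from typing import Optional

COM_LOAD_OFFSET = 0x100   # .COM images load at CS:0100h, right after the PSP
NEAR_JMP = 0xE9           # JMP rel16 opcode


def parse_mz_header(data: bytes) -> Optional[dict]:
    """Return the interesting fields of a DOS MZ header, or None if absent."""
    if len(data) < 0x1C or data[:2] not in (b"MZ", b"ZM"):
        return None
    (e_cblp, e_cp, e_crlc, e_cparhdr, _minalloc, _maxalloc,
     e_ss, e_sp, _csum, e_ip, e_cs, _lfarlc, _ovno) = struct.unpack_from("<13H", data, 2)
    # e_cblp == 0 means the last 512-byte page is full.
    load_size = (e_cp - 1) * 512 + (e_cblp or 512) if e_cp else 0
    return {
        "header_bytes": e_cparhdr * 16,
        "load_module_size": load_size,
        "entry_cs_ip": (e_cs, e_ip),
        "initial_ss_sp": (e_ss, e_sp),
        "reloc_count": e_crlc,
    }


def leading_jmp_target(data: bytes) -> Optional[int]:
    """File offset a leading near JMP lands on, or None if there is no such JMP.

    The displacement is relative to the instruction after the 3-byte JMP,
    so IP = 0103h + rel16 (mod 64K); subtracting the 0100h load offset
    gives the file offset.
    """
    if len(data) < 3 or data[0] != NEAR_JMP:
        return None
    rel = struct.unpack_from("<H", data, 1)[0]
    ip = (COM_LOAD_OFFSET + 3 + rel) & 0xFFFF
    return ip - COM_LOAD_OFFSET if ip >= COM_LOAD_OFFSET else None


def classify(data: bytes, stub_max: int = 4096) -> str:
    """Classify an executable image by structure, not by file extension.

    'mz-exe'       valid MZ header whose load module fits in the file
    'com-appended' no MZ header, entry JMP lands within the last `stub_max`
                   bytes: the appended-stub layout described in the text
    'com-plain'    anything else
    """
    hdr = parse_mz_header(data)
    if hdr and hdr["header_bytes"] >= 0x20 and hdr["load_module_size"] <= len(data):
        return "mz-exe"
    tgt = leading_jmp_target(data)
    if tgt is not None and tgt < len(data) and len(data) - tgt <= stub_max:
        return "com-appended"
    return "com-plain"


def build_appended_sample(original: bytes, stub: bytes) -> bytes:
    """Constructed sample: lay out a COM image the way an appending stub does.

    The first three bytes are replaced by a JMP to the appended stub. (A real
    loader or infector also keeps those bytes so it can restore them and run
    the host; that part is omitted here.)
    """
    stub_off = len(original)             # 3 JMP bytes + original[3:] == len(original)
    rel = stub_off - 3                   # target IP minus (0100h + 3)
    return bytes([NEAR_JMP]) + struct.pack("<H", rel & 0xFFFF) + original[3:] + stub


# --- constructed samples (not real files) -----------------------------------
PLAIN_COM = b"\xB8\x00\x4C\xCD\x21"          # mov ax,4C00h / int 21h: minimal clean .COM
HOST_COM = PLAIN_COM * 20                    # 100-byte host
DUMMY_STUB = b"\x90" * 40 + b"\xCD\x20"      # 42-byte placeholder stub, NOPs then INT 20h
APPENDED_COM = build_appended_sample(HOST_COM, DUMMY_STUB)

# 64-byte MZ image: 32-byte header (e_cparhdr=2), one page of 64 bytes
MZ_EXE = struct.pack("<2s13H", b"MZ", 64, 1, 0, 2, 0, 0xFFFF, 0, 0x100, 0, 0, 0, 0x1C, 0)
MZ_EXE += b"\x00" * (32 - len(MZ_EXE)) + PLAIN_COM.ljust(32, b"\x00")


if __name__ == "__main__":
    for name, img in (("PLAIN_COM", PLAIN_COM), ("APPENDED_COM", APPENDED_COM), ("MZ_EXE", MZ_EXE)):
        print(f"{name:13s} {len(img):4d} bytes  jmp->{leading_jmp_target(img)}  {classify(img)}")
```

A file named `.EXE` that classifies as `com-appended` is exactly the "not in its original condition" state the text describes for the Vacsina Loader detection: the MZ header is gone and a stub at the end does the relocation at run time. Note the caveat that many small, legitimate .COM programs also begin with a JMP into their own code, so the layout check is triage for files whose extension and structure disagree, not a detection on its own.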

Compared to most other viruses, these are fairly harmless. In the first versions a beep (BELL) is heard every time a .COM-type file is successfully infected. As mentioned above, some variants play "Yankee Doodle", sometimes at 5 o'clock; other variants play the tune when the computer is rebooted with Ctrl-Alt-Del.

The latest versions contain several advanced features, including self-correcting Hamming code, disabling of debugging tools, and the ability to search for and remove the Ping-Pong and Cascade viruses. None of them contain destructive code.

Variant:Yankee-1150, Yankee-1202

These viruses appear to be modified versions of one of the Yankee variants, but they are quite short compared to the other members of the family.

Variant:Rybka

This variant does not appear to be able to determine whether a program is already infected: it infects the same file over and over, increasing its size by 1344 bytes each time.

Variant:Penza

Only 700 bytes long.

Variant:Login

The Yankee_Doodle.TP-44.Login variant also captures Novell NetWare user passwords at login time.