A programmer in Bulgaria, known as T.P. has written a number of viruses - 50 different variants or so. Two of the variants, number 5 and 39 "escaped" to the West in 1989. One of the features of virus in this family is that they contain a version number system, similar to that used in the "Denzuko" virus. If a virus in the family finds a file infected with an older version of itself, it will remove the infection and re-infect with the new version.
Disinfection & Removal
A number of the variants play the tune "Yankee Doodle", but the viruses are not to be confused with the original "Yankee Doodle" virus, which is called "Old Yankee" by this program.
The earliest variants seem to have been written originally to infect only .COM files. .EXE files are also infected, but that is done in two steps. First a short piece of code is added to the end of the file. Then a JMP command is added at the front of the file. This code seems to be based on the code used in FORMAT.COM and CHKDSK.COM in some versions of MS-DOS. When executed it will relocate the .EXE file. This makes the .EXE file structurally equivalent to a .COM file, so it can be infected as one.
F-Secure anti-virus products identify files that Vacsina has changed to COM files as "Vacsina Loader". This kind of files do not contain a virus and they cannot spread the virus. They are reported because they are not in their original condition any more.
Variants in the second group (versions 38 and upwards) infect .EXE files in a "ordinary" way.
Compared to most other viruses, these are fairly harmless. In the first versions a beep (BELL) is heard, every time a .COM-type file is successfully infected. As mentioned before, some of them play "Yankee Doodle", sometimes at 5 o'clock, but other variants play the tune when the computer is rebooted by pressing Ctrl-Alt-Del.
The latest versions of the viruses contain several advanced features - including self-correcting Hamming code, disabling of debugging tools, and the ability to search for and remove the Ping-Pong and Cascade viruses. None of them contain destructive code.
These viruses appear to be modified versions of one of the Yankee variants, but they are quite short, compared to the other members of the family.
This variant does not appear able to determine if a program is already infected. It will infect the same file over and over, increasing its size by 1344 bytes each time.
Only 700 bytes long.
Yankee_Doodle.TP-44.Login virus also captures Novell Netware user passwords at login time.