A number of the variants play the tune "Yankee Doodle", but the viruses
are not to be confused with the original "Yankee Doodle" virus, which is
called "Old Yankee" by this program.
The earliest variants seem to have been written originally to infect only
.COM files. .EXE files are also infected, but that is done in two steps.
First a short piece of code is added to the end of the file. Then a JMP
instruction is added at the front of the file. This code seems to be based on
the code used in FORMAT.COM and CHKDSK.COM in some versions of MS-DOS.
When executed it will relocate the .EXE file. This makes the .EXE file
structurally equivalent to a .COM file, so it can be infected as one.
F-Secure anti-virus products identify files that Vacsina has
changed to COM files as "Vacsina Loader". Files of this kind do not
contain a virus and they cannot spread the virus. They are reported
because they are not in their original condition any more.
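As an added illustration (not F-Secure's detection logic and not code from
the original page), the sketch below flags a file with an .EXE name that no
longer has an MZ header and instead starts with a JMP into its own tail, the
structure described above. The 0xE9 near-JMP encoding and the 512-byte tail
window are assumptions; the samples are constructed placeholder bytes.

```python
import struct

MZ_SIGNATURES = (b"MZ", b"ZM")  # valid DOS .EXE header signatures
NEAR_JMP = 0xE9                 # 8086 JMP rel16 opcode (assumed encoding)
TAIL_WINDOW = 512               # assumed bound for the "short" appended code


def jmp_target(data):
    """File offset reached by a leading JMP rel16, or None if absent."""
    if len(data) < 3 or data[0] != NEAR_JMP:
        return None
    (rel16,) = struct.unpack_from("<H", data, 1)
    # The displacement is relative to the next instruction and wraps at
    # 64 KiB, which is also the size limit of a .COM-structured image.
    return (3 + rel16) & 0xFFFF


def classify(name, data, tail_window=TAIL_WINDOW):
    """Return 'exe', 'com-like-exe' or 'other' for a file name and bytes."""
    if not name.upper().endswith(".EXE"):
        return "other"
    if data[:2] in MZ_SIGNATURES:
        return "exe"
    target = jmp_target(data)
    if target is not None and len(data) - tail_window <= target < len(data):
        # No MZ header, and the entry point jumps into the file's tail.
        return "com-like-exe"
    return "other"


def build_samples():
    """Constructed sample files: placeholder bytes, not real programs."""
    body, stub = bytes(1000), b"\x90" * 64
    to_tail = bytes([NEAR_JMP]) + struct.pack("<H", len(body))  # lands on stub
    to_head = bytes([NEAR_JMP]) + struct.pack("<H", 10)         # lands in body
    return {
        "NORMAL.EXE": b"MZ" + bytes(510),
        "CHANGED.EXE": to_tail + body + stub,
        "ODD.EXE": to_head + body + stub,
        "TOOL.COM": to_tail + body + stub,
    }


if __name__ == "__main__":
    for name, data in build_samples().items():
        print(name, classify(name, data))
```

A hit only means the file is no longer a well-formed .EXE; as noted above,
such a file does not by itself contain the virus.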
Variants in the second group (versions 38 and upwards) infect .EXE files in
an "ordinary" way.
Compared to most other viruses, these are fairly harmless. In the first
versions a beep (BELL) is heard every time a .COM-type file is successfully
infected. As mentioned before, some of them play "Yankee Doodle", sometimes
at 5 o'clock, but other variants play the tune when the computer is rebooted
by pressing Ctrl-Alt-Del.
The latest versions of the viruses contain several advanced features -
including self-correcting Hamming code, disabling of debugging tools, and
the ability to search for and remove the Ping-Pong and Cascade viruses.
None of them contain destructive code.
These viruses appear to be modified versions of one of the Yankee variants,
but they are quite short, compared to the other members of the family.
This variant does not appear able to determine if a program is already
infected. It will infect the same file over and over, increasing its size
by 1344 bytes each time.
Only 700 bytes long.
The Yankee_Doodle.TP-44.Login virus also captures Novell NetWare user
passwords at login time.