When an infected file is run, Vienna will search for an uninfected file
and infect it. One out of eight files infected is destroyed, by overwriting
the first few bytes with instructions that will cause a restart when the
program is run.
Infected files can be easily found because they contain an "impossible"
value (62) in the "seconds" field of the time stamp.
Unfortunately the source code to this virus has been published in a book:
"Computer viruses: A High-Tech Disease", which has resulted in multiple
variants of the virus. This version was modified slightly, in order to
make it a little less harmful - it would only infect files in the current
directory, but this has been "fixed" in some of the variants.
This variant was found in Portugal. It has clearly been modified and
reassembled - probably in order to fool signature-type anti-virus programs.
This virus overwrites the beginning of the programs it destroys with
"@AIDS".
This is a group of variants from Bulgaria, which are similar to the
original virus, but the changes include:
Different length - shorter than the original
Different damage function - formatting of hard disk.
Critical error handler added.
Variant: Arf, Christmas Violator, Violator, Baby
This is a group of several viruses, which have much code in common, and
might be written by the same author. One of the variants is 1055 bytes
long and contains the following text strings:
TransMogrified (TM) 1990 by RABID N'tnl Development Corp.
Copyright (C) 1990 RABID !
Activation Date: 08/15/90 - Violator Strain B
(Field Demo Test Version) *NOT TO BE DISTRIBUTED*
The text seems to indicate the existence of another version, which has
not yet been reported anywhere. A later variant is much longer, 5302
bytes. As it contains a Christmas "greeting", it has been named
"Christmas Violator". The third virus in this subgroup has
been named "Arf", as it will display the text "Arf, Arf! Got you!",
when it activates. This variant, as well as the 1000 byte Baby variant
seem to have been created with a tool that allows the user to specify the
activation date and the text message to display.
This 1881 byte variant was discovered in Poland. Most of the extra length
is devoted to a Christmas greeting.
Monxla is 939 bytes long, and has different effects, depending on the
exact time when it activates. The Monxla-B variant is related, but is
only 535 bytes long. Interceptor is 1014 bytes, and appears related to
Monxla, but has been modified quite a bit.
This 777 byte variant contains a fatal error, which will prevent it from
replicating beyond the first generation. Inside it the following text may
be found:
I come to you from The Ayatollah! (c)1990, VirusMasters
An Iraqui Warrior is in your computer
The Washburn variants (V2P1, V2P2 and V2P6) are described elsewhere,
but other encrypted variants exist, including Hybryd, a 1306 byte variant,
which contains an IBM copyright message, Kuzmitch, a variable-length
virus with a base length of 801 bytes, and Dr. Q. which is 1028 or 1161
bytes long.
This is the largest variant of Vienna, and currently the largest virus
known. Despite this it does not appear to be particularly interesting.
These variants have not been fully analyzed yet, but they do not seem
particularly interesting.
See Swedish Boys
This variant activates by overwriting COM files with a short program
that reboots the machine. Such trojanised files do not contain any
virus code, but F-Secure anti-virus products are able to detect
them as 'Destroyed by Vienna.Reboot'. Such programs cannot be cleaned,
they have to be deleted and reinstalled.
It is possible for a user to have his own program to reboot the
machine. F-Secure anti-virus products might flag it as destroyed,
because the code to reboot the machine is identical.
The easiest way to get rid of this problem is to use DEBUG to create
a new reboot program which is not identical to the trojans that Vienna.Reboot
creates. To do this, type the following commands at the DOS prompt:
debug
a
jmp f000:fff0
<empty line, just hit ENTER>
rcx
5
n reboot.com
w
q
This will create REBOOT.COM, which will reboot the machine.
Note: Do not execute reboot programs like this before you have
flushed your disk cache (with SMARTDRV /C or equivalent).