Threat Description

Vienna

Details

Aliases: Vienna, DOS-62, Unesco
Category: Malware
Type:
Platform: W32

Summary



When an infected file is run, Vienna will search for an uninfected file and infect it. One out of eight files infected is destroyed, by overwriting the first few bytes with instructions that will cause a restart when the program is run.

Infected files can be easily found because they contain an "impossible" value (62) in the "seconds" field of the time stamp.
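The 62-second marker is the 16-bit FAT time word with all five "seconds/2" bits set (31 x 2 = 62). The following added example (not part of the F-Secure description) decodes that word from raw 32-byte FAT directory entries and lists files carrying the marker; the directory entries and file names are constructed for the demo.

```python
import struct

def decode_dos_time(word: int) -> tuple:
    # FAT packs a timestamp into 16 bits: bits 15-11 hours, 10-5 minutes,
    # 4-0 seconds/2. A raw value of 31 in the low bits decodes to 62 seconds,
    # which no legitimate DOS write ever produces.
    hours = (word >> 11) & 0x1F
    minutes = (word >> 5) & 0x3F
    seconds = (word & 0x1F) * 2
    return hours, minutes, seconds

def parse_dir_entry(entry: bytes) -> dict:
    # Only the fields of the 32-byte FAT directory entry needed here:
    # name/ext at 0-10, last-write time at 22-23, date at 24-25, size at 28-31.
    if len(entry) != 32:
        raise ValueError("FAT directory entries are exactly 32 bytes")
    name = entry[0:8].decode("ascii").rstrip()
    ext = entry[8:11].decode("ascii").rstrip()
    wtime, wdate, size = struct.unpack_from("<HH2xI", entry, 22)
    return {"name": f"{name}.{ext}" if ext else name,
            "time": decode_dos_time(wtime), "size": size}

def is_vienna_marked(entry: bytes) -> bool:
    # The marker is the impossible 62 in the seconds field.
    return parse_dir_entry(entry)["time"][2] == 62

def find_marked(entries) -> list:
    return [parse_dir_entry(e)["name"] for e in entries if is_vienna_marked(e)]

def make_entry(name, ext, hours, minutes, seconds, size) -> bytes:
    # Build a constructed directory entry for the demo (date fixed to 1990-01-01).
    tword = (hours << 11) | (minutes << 5) | (seconds // 2)
    dword = ((1990 - 1980) << 9) | (1 << 5) | 1
    e = bytearray(32)
    e[0:8] = name.ljust(8).encode("ascii")
    e[8:11] = ext.ljust(3).encode("ascii")
    e[11] = 0x20  # archive attribute
    struct.pack_into("<HH2xI", e, 22, tword, dword, size)
    return bytes(e)

# Constructed sample directory: one clean file and one carrying the marker.
SAMPLE_ENTRIES = [
    make_entry("COMMAND", "COM", 12, 30, 10, 47845),
    make_entry("GAME", "COM", 9, 5, 62, 13648),
]

if __name__ == "__main__":
    print("Files with the 62-second marker:", find_marked(SAMPLE_ENTRIES))
```

Modern filesystem drivers normalise or clamp the seconds field, so the check only works on raw directory entries (a disk image or a FAT volume read sector by sector), not on timestamps returned by a host operating system.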

Unfortunately the source code to this virus has been published in a book: "Computer viruses: A High-Tech Disease", which has resulted in multiple variants of the virus. This version was modified slightly, in order to make it a little less harmful - it would only infect files in the current directory, but this has been "fixed" in some of the variants.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You may also refer to General Removal Instructions for a general guide on alternative disinfection actions.



Technical Details




Variant: Lisbon

This variant was found in Portugal. It has clearly been modified and reassembled - probably in order to fool signature-type anti-virus programs. This virus overwrites the beginning of the programs it destroys with "@AIDS".


Variant: New Vienna

This is a group of variants from Bulgaria, which are similar to the original virus, but the changes include:

  Different length - shorter than the original
  Different damage function - formatting of hard disk.
  Critical error handler added.

Variant: Arf, Christmas Violator, Violator, Baby

This is a group of several viruses, which have much code in common, and might be written by the same author. One of the variants is 1055 bytes long and contains the following text strings:

  TransMogrified (TM) 1990 by RABID N'tnl Development Corp.
  Copyright (C) 1990 RABID !
  Activation Date: 08/15/90 - Violator Strain B
  (Field Demo Test Version) *NOT TO BE DISTRIBUTED*

The text seems to indicate the existence of another version, which has not yet been reported anywhere. A later variant is much longer, 5302 bytes. As it contains a Christmas "greeting", it has been named "Christmas Violator". The third virus in this subgroup has been named "Arf", as it displays the text "Arf, Arf! Got you!" when it activates. This variant, as well as the 1000-byte Baby variant, seems to have been created with a tool that allows the user to specify the activation date and the text message to display.


Variant: Father Christmas

Choinka

This 1881 byte variant was discovered in Poland. Most of the extra length is devoted to a Christmas greeting.


Variant: Monxla, Interceptor

Time

Monxla is 939 bytes long, and has different effects, depending on the exact time when it activates. The Monxla-B variant is related, but is only 535 bytes long. Interceptor is 1014 bytes, and appears related to Monxla, but has been modified quite a bit.


Variant: Iraqui Warrior

This 777 byte variant contains a fatal error, which will prevent it from replicating beyond the first generation. Inside it the following text may be found:

  I come to you from The Ayatollah! (c)1990, VirusMasters
  An Iraqui Warrior is in your computer

Variant: Hybryd, Kuzmitch, Dr. Q.

The Washburn variants (V2P1, V2P2 and V2P6) are described elsewhere, but other encrypted variants exist, including Hybryd, a 1306-byte variant that contains an IBM copyright message; Kuzmitch, a variable-length virus with a base length of 801 bytes; and Dr. Q., which is 1028 or 1161 bytes long.


Variant: NTKC

C-23693

This is the largest variant of Vienna, and currently the largest virus known. Despite this it does not appear to be particularly interesting.


Variant: Grither, Parasite, Viperize

These variants have not been fully analyzed yet, but they do not seem particularly interesting.


Variant: Betaboys

See Swedish Boys


Variant: Vienna.Reboot

This variant activates by overwriting COM files with a short program that reboots the machine. Such trojanised files do not contain any virus code, but F-Secure anti-virus products are able to detect them as 'Destroyed by Vienna.Reboot'. Such programs cannot be cleaned; they have to be deleted and reinstalled.

It is possible for a user to have his own program to reboot the machine. F-Secure anti-virus products might flag it as destroyed, because the code to reboot the machine is identical.

The easiest way to get rid of this problem is to use DEBUG to create a new reboot program which is not identical to the trojans Vienna.Reboot creates. To do this, enter the following commands at the DOS prompt:

  debug
  a
  jmp f000:fff0
  <empty line, just hit ENTER>
  rcx
  5
  n reboot.com
  w
  q

This will create REBOOT.COM, which will reboot the machine.

Note: Do not execute reboot programs like this before you have flushed your disk cache (with SMARTDRV /C or equivalent).
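The DEBUG session above assembles a single direct far jump to the BIOS reset vector, which is why "rcx" is set to 5: the instruction is one opcode byte plus a 16-bit offset and a 16-bit segment. The following added example (not F-Secure's code) builds that same five-byte REBOOT.COM programmatically and decodes the first instruction of COM files to recognise files that are nothing but a jump to F000:FFF0; the sample files are constructed, and the example makes no assumption about the exact bytes Vienna.Reboot writes, which the description does not give.

```python
import struct

RESET_VECTOR = (0xF000, 0xFFF0)  # segment:offset of the BIOS reset entry point

def assemble_far_jmp(segment: int, offset: int) -> bytes:
    # Opcode EAh followed by little-endian offset, then little-endian segment:
    # exactly the five bytes DEBUG emits for "jmp f000:fff0" (hence "rcx" = 5).
    return b"\xEA" + struct.pack("<HH", offset, segment)

def decode_far_jmp(data: bytes):
    # Return (segment, offset) if the code begins with a direct far jump,
    # otherwise None.
    if len(data) < 5 or data[0] != 0xEA:
        return None
    offset, segment = struct.unpack_from("<HH", data, 1)
    return segment, offset

def jumps_to_reset_vector(data: bytes) -> bool:
    # A COM file whose first instruction is a far jump to F000:FFF0 does
    # nothing but restart the machine when run.
    return decode_far_jmp(data) == RESET_VECTOR

def build_reboot_com() -> bytes:
    # The same image the DEBUG script writes to REBOOT.COM.
    return assemble_far_jmp(*RESET_VECTOR)

def triage(files: dict) -> list:
    # Names of files that are pure reboot stubs.
    return [name for name, data in files.items() if jumps_to_reset_vector(data)]

# Constructed samples: the five-byte reboot program and an ordinary COM
# start (a short jump over an embedded string, a common layout).
SAMPLE_FILES = {
    "REBOOT.COM": build_reboot_com(),
    "HELLO.COM": b"\xEB\x10" + b"Hello, world!$\x00\x00",
}

if __name__ == "__main__":
    print("REBOOT.COM bytes:", build_reboot_com().hex(" "))
    print("Reboot stubs found:", triage(SAMPLE_FILES))
```

The bytes are EA F0 FF 00 F0; comparing a suspect COM file's head against this decoder tells you whether it can do anything other than restart the machine, which is the situation the "Destroyed by Vienna.Reboot" detection describes.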





