Summary

When an infected file is run, Vienna will search for an uninfected file and infect it. One out of eight files infected is destroyed, by overwriting the first few bytes with instructions that will cause a restart when the program is run.

Infected files can be easily found because they contain an "impossible" value (62) in the "seconds" field of the time stamp.

Unfortunately the source code to this virus has been published in a book: "Computer viruses: A High-Tech Disease", which has resulted in multiple variants of the virus. This version was modified slightly, in order to make it a little less harmful - it would only infect files in the current directory, but this has been "fixed" in some of the variants.

Additional Details

VARIANT:

Lisbon

This variant was found in Portugal. It has clearly been modified and reassembled - probably in order to fool signature-type anti-virus programs. This virus overwrites the beginning of the programs it destroys with "@AIDS".

VARIANT:

New Vienna

This is a group of variants from Bulgaria, which are similar to the original virus, but the changes include:

        Different length - shorter than the original
        Different damage function - formatting of hard disk.
        Critical error handler added.

VARIANT:

Arf, Christmas Violator, Violator, Baby

This is a group of several viruses, which have much code in common, and might be written by the same author. One of the variants is 1055 bytes long and contains the following text strings:

        TransMogrified (TM) 1990 by RABID N'tnl Development Corp.
        Copyright (C) 1990 RABID !
        Activation Date: 08/15/90 - Violator Strain B
        (Field Demo Test Version) *NOT TO BE DISTRIBUTED*

The text seems to indicate the existence of another version, which has not yet been reported anywhere. A later variant is much longer, 5302 bytes. As it contains a Christmas "greeting", it has been named "Christmas Violator". The third virus in this subgroup has been named "Arf", as it will display the text "Arf, Arf! Got you!", when it activates. This variant, as well as the 1000 byte Baby variant seem to have been created with a tool that allows the user to specify the activation date and the text message to display.

VARIANT:	Father Christmas
ALIAS:	Choinka

This 1881 byte variant was discovered in Poland. Most of the extra length is devoted to a Christmas greeting.

VARIANT:	Monxla, Interceptor
ALIAS:	Time

Monxla is 939 bytes long, and has different effects, depending on the exact time when it activates. The Monxla-B variant is related, but is only 535 bytes long. Interceptor is 1014 bytes, and appears related to Monxla, but has been modified quite a bit.

VARIANT:

Iraqui Warrior

This 777 byte variant contains a fatal error, which will prevent it from replicating beyond the first generation. Inside it the following text may be found:

        I come to you from The Ayatollah! (c)1990, VirusMasters
        An Iraqui Warrior is in your computer

VARIANT:

Hybryd, Kuzmitch, Dr. Q.

The Washburn variants (V2P1, V2P2 and V2P6) are described elsewhere, but other encrypted variants exist, including Hybryd, a 1306 byte variant, which contains an IBM copyright message, Kuzmitch, a variable-length virus with a base length of 801 bytes, and Dr. Q. which is 1028 or 1161 bytes long.

VARIANT:	NTKC
ALIAS:	C-23693

This is the largest variant of Vienna, and currently the largest virus known. Despite this it does not appear to be particularly interesting.

VARIANT:

Grither, Parasite, Viperize

These variants have not been fully analyzed yet, but they do not seem particularly interesting.

VARIANT:

Betaboys

See Swedish Boys

VARIANT:

Vienna.Reboot