When an infected file is run, Vienna will search for an uninfected file and infect it. One out of eight files infected is destroyed, by overwriting the first few bytes with instructions that will cause a restart when the program is run.
Infected files can be easily found because they contain an "impossible" value (62) in the "seconds" field of the time stamp.
Unfortunately the source code to this virus has been published in a book: "Computer viruses: A High-Tech Disease", which has resulted in multiple variants of the virus. This version was modified slightly, in order to make it a little less harmful - it would only infect files in the current directory, but this has been "fixed" in some of the variants.
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
NOTE If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note You need administrative rights to change the settings.
This variant was found in Portugal. It has clearly been modified and reassembled - probably in order to fool signature-type anti-virus programs. This virus overwrites the beginning of the programs it destroys with "@AIDS".
This is a group of variants from Bulgaria, which are similar to the original virus, but the changes include:
Different length - shorter than the original Different damage function - formatting of hard disk. Critical error handler added.
Variant:Arf, Christmas Violator, Violator, Baby
This is a group of several viruses, which have much code in common, and might be written by the same author. One of the variants is 1055 bytes long and contains the following text strings:
TransMogrified (TM) 1990 by RABID N'tnl Development Corp. Copyright (C) 1990 RABID ! Activation Date: 08/15/90 - Violator Strain B (Field Demo Test Version) *NOT TO BE DISTRIBUTED*
The text seems to indicate the existence of another version, which has not yet been reported anywhere. A later variant is much longer, 5302 bytes. As it contains a Christmas "greeting", it has been named "Christmas Violator". The third virus in this subgroup has been named "Arf", as it will display the text "Arf, Arf! Got you!", when it activates. This variant, as well as the 1000 byte Baby variant seem to have been created with a tool that allows the user to specify the activation date and the text message to display.
This 1881 byte variant was discovered in Poland. Most of the extra length is devoted to a Christmas greeting.
Monxla is 939 bytes long, and has different effects, depending on the exact time when it activates. The Monxla-B variant is related, but is only 535 bytes long. Interceptor is 1014 bytes, and appears related to Monxla, but has been modified quite a bit.
This 777 byte variant contains a fatal error, which will prevent it from replicating beyond the first generation. Inside it the following text may be found:
I come to you from The Ayatollah! (c)1990, VirusMasters An Iraqui Warrior is in your computer
Variant:Hybryd, Kuzmitch, Dr. Q.
The Washburn variants (V2P1, V2P2 and V2P6) are described elsewhere, but other encrypted variants exist, including Hybryd, a 1306 byte variant, which contains an IBM copyright message, Kuzmitch, a variable-length virus with a base length of 801 bytes, and Dr. Q. which is 1028 or 1161 bytes long.
This is the largest variant of Vienna, and currently the largest virus known. Despite this it does not appear to be particularly interesting.
Variant:Grither, Parasite, Viperize
These variants have not been fully analyzed yet, but they do not seem particularly interesting.
See Swedish Boys
This variant activates by overwriting COM files with a short program that reboots the machine. Such trojanised files do not contain any virus code, but F-Secure anti-virus products are able to detect them as 'Destroyed by Vienna.Reboot'. Such programs cannot be cleaned, they have to be deleted and reinstalled.
It is possible for a user to have his own program to reboot the machine. F-Secure anti-virus products might flag it as destroyed, because the code to reboot the machine is identical.
Easiest way to get rid of this problem is to use DEBUG to create a new reboot program which is not identical to the trojans Vienna.Reboot creates. To do this, write the following commands from DOS prompt:
debug a jmp f000:fff0 [empty line, just hit ENTER] rcx 5 n reboot.com w q
This will create REBOOT.COM, which will reboot the machine.
Note: Do not execute reboot programs like this before you have flushed your disk cache (with SMARTDRV /C or equivelant).