There are 9 variants in 5 versions, represented by the following:
Except for Leo.293, these variants might not infect a file on every run, and the timestamp of an infected file is changed to the time of infection.
When the virus is run, it infects every DOS executable in the current directory.
Files infected by this variant may experience abnormal program runtime.
Leo.301, 328, 331 and 332
These variants infect one DOS executable on each run.
Programs infected by Leo.301 or 332 may malfunction and fail to run properly.
This variant is the only version that infects EXE files. It targets files used by Windows and infects one file on each run by overwriting the beginning of the file. No change in file size can be observed, but the timestamp changes.
Leo.1965, 3948 and 3949
These variants infect one DOS executable on each run. When a directory contains only goat files and the virus, running the virus may hang the system.
The virus does not infect files in C:\DOS, meaning that if the virus is located in this directory, running it would do nothing to the files.
Some files infected by Leo.1965 may malfunction.
Leo.293, 301, 328, 331, 332 and 333
These variants do not manifest themselves in any way.
This variant deactivates on April 13th; on this day the virus does not spread (i.e. no new infections).
Leo.3948 and 3949
When an infected program is run on December 31st, the virus displays the ASCII text with some green asterisks:
And also the message:
Hallo, I've got a virus for you.. Today is the 31 of December, because I want to congratulate with a Happy New Year... Today is a holiday and I want a pair of COM files... :) You have a holiday and you'll have many presents tommorow. I would like to join at this tradition Could you take me a present as a file, please... I'll be glad! Thank you for all, good bye.. Santa Leo...
And then it returns to DOS after a keypress.
This family has 9 variants in total:
Leo.293 contains the internal text string:
- Virus "Leo", created in 1997 -
Leo.301 contains the internal text string:
Leo.328 and 331 contain the internal text string and 3 NOP opcodes:
Leo.332 contains the internal text string:
--== The Leo ==--
Leo.3948 and 3949 contain the internal text strings and the filename of the infected file:
LLEO3949.CO0 ????????COM COM *.* *.com