FANDOM


Vienna is a DOS .com-infecting virus based on Christmas from the late 1980's. Its source code was published many times, accounting for its hundreds of variants.

Payload

Vienna is a non-resident, direct-action .com infector. When a file infected with the virus is run, it searches for .com files on the system and infects one of them. The seconds on the infected file's timestamp will read "62", an impossible value, making them easy to find. One of six to eight of the files will be destroyed when Vienna tries to infect them by overwriting the first five bytes with the hex character string "EAF0FF00F0", instructions that will cause a warm reboot when the program is run. These files will not actually contain the Vienna virus, they are just corrupted by it.

Creator

The creator of the Vienna virus has never been revealed. Some sources say that the virus was created by a Vienna high school student as an experiment. The first person to detect the virus was Franz Swoboda. Information was leaked that Swoboda received the virus from Ralf Burger, but Burger claimed that he received the virus from Swoboda. Ralf Burger did create a variant that caused the computer to hang rather than a reboot.

Variants

Vienna.Choinka

This variant, sometimes also known as Father Christmas is 1,881 bytes long and possibly comes from Poland. It also contains a Christmas greeting that takes up a greater part of its length.

Vienna.Gympel

This variant likely comes from Slovakia, as it contains text in the Slovak language that says, "Gympel je tycka." (Highschool is a throw-up.) It may sometimes be detected as Vienna.843, or 833.

Iraqui Warrior

This variant is 777 bytes long and contains the message:

  I come to you from The Ayatollah! (c)1990, VirusMasters
  An Iraqui Warrior is in your computer

This variant contains an error that prevents it from reproducing beyond the first generation.

Vienna.Lisbon

The Lisbon variant was discovered in Portugal. It was likely reassembled to throw off some antivirus programs. When this variant destroys a file, it overwrites the beginning with "@AIDS".

Vienna.Monxla/Interceptor

Monxla and Interceptor (one or both of them may also go by the alias Time) have different effects on the computer depending on the time that they are executed. The Monxla.A subvariant is 939 bytes long, Monxla.B is 535 bytes long and Interceptor is 1,014.

Vienna.NewVienna

This variant comes from Bulgaria. It has a shorter infection than the original and has a payload that formats the hard drive.

Vienna.NTKC

This is the largest file-infecting virus currently known. Aside from that, there is nothing really different about it from other Vienna variants.

Vienna.Reboot

This variant overwrites .com files with a program that causes the computer to reboot when the file is run. Such files cannot be cleaned, they need to be deleted and reinstalled.

Vienna.Violator/Arf/Christmas Violator/Baby

These variants are likely coded the same creator, as they have a great deal of code in common. The 1,055-byte Violator variant contains text that says:

  TransMogrified (TM) 1990 by RABID N'tnl Development Corp.
  Copyright (C) 1990 RABID !
  Activation Date: 08/15/90 - Violator Strain B
  (Field Demo Test Version) *NOT TO BE DISTRIBUTED*

While the words "Violator Strain B" may indicate a previous variant, none has yet been found. A later variant weighing in at 5,302 bytes known as Christmas Violator displays a Christmas greeting:

  Violator Strain B4 - Written by The RABID Nat'nl Development Corp. RABID would like to take this
  opportunity to extend it's sincerest holiday wishes to all Pir8 lamers around the world! If you   
  are reading this, then you are lame!!! Anyway, to John McAffe! Have a Merry Christmas and a
  virus filled new year. Go ahead! Make our day! Remember! In the festive season, Say NO to
  drugs!!! They suck ****! (Bah! We make a virus this large, might as well have something
  positive!)

Another variant, Arf, displays the text "Arf, Arf! Got you!", when it activates. Baby, which is about 1,000 bytes long, allows the user to specify the activation date and the text message to display.

Vienna.W13

The Vienna.W13 variant marks infected files with a month number of 13 rather than a seconds value of 62.

Other Variants

  • Vienna.Ambalama
  • Vienna.Angel
  • Vienna.BboDong
  • Vienna.Bloodspill
  • Vienna.BNB
  • Vienna.Born
  • Vienna.Bua
  • Vienna.BY
  • Vienna.ByteWarrior
  • Vienna.DDrUS
  • Vienna.DearUser
  • Vienna.Dr. Q
  • Vienna.Ender
  • Vienna.Feliz
  • Vienna.Grither
  • Vienna.Gustav
  • Vienna.Hybryd
  • Vienna.IRA
  • Vienna.Kuzmitch
  • Vienna.Norilsk
  • Vienna.Oscar
  • Vienna.Parasite
  • Vienna.Pivi
  • Vienna.Saigon
  • Vienna.SDI
  • Vienna.Sector
  • Vienna.Skate
  • Vienna.SPb
  • Vienna.Sunday
  • Vienna.TheseDays
  • Vienna.Viperize
  • Vienna.Westmont

Other Facts

The Vienna virus source code was published in many places, including Ralf Burger's book "Computer viruses: A High-Tech Disease", giving rise to its many variants.

Vienna became the first virus to be destroyed by an antivirus program. Rolf Burger sent a copy of the virus to Bernt Fix, who managed to neutralize the virus.

Sources

F-Secure ComputerVirus Information Pages, Vienna

McAfee Antivirus. Vienna

Virus List, "History of Malware, 1987".

Computer Knowledge, Dr. Solomon: 1986-1987 - The Prologue

Eset.com Vienna

Ralf Burger. Computer Viruses: A High-Tech Disease. 1988 Abacus (United Kingdom). ISBN 1557550433

Media

Virus.DOS01:27

Virus.DOS.Vienna

Vienna by danooct1

Ad blocker interference detected!


Wikia is a free-to-use site that makes money from advertising. We have a modified experience for viewers using ad blockers

Wikia is not accessible if you’ve made further modifications. Remove the custom ad blocker rule(s) and the page will load as expected.