/-----------------------------\
| Xine - issue #4 - Phile 006 |
\-----------------------------/

┌──────────────────────────────────────┐
│ The history of Grog and his viruses  │
│                                      │
│          Written by Dandler          │
└──────────────────────────────────────┘

The virus-writer Grog appeared on the Padanian and Italian virus scene in
1992 and was especially active in 1993, but not later. In spite of his
short activity, by the end of 1993 Grog had already produced more than 50
viruses. To this day the identity of this virus-writer is unknown, and it
seems that he did not write any other viruses afterwards, at least not
under the name "Grog".

All his viruses were sent directly to a few antivirus researchers, maybe by
Grog himself, by being uploaded in infected files, which were noted as
such, to a Fidonet Bbs in Milan, in Lombardy, Padania, named "Euforia Bbs".
None of Grog's viruses has ever been found in the wild or in virus-traders'
collections, so it is supposed that the Bbs was the only way his viruses
were distributed.

To be exact, there is one known case of a Grog virus in the wild: an
infection by the virus Grog 3.1 in the United States sometime in 1996. It
is not known how wide the infection was, but it probably originated from a
copy of the virus that was downloaded from the Internet. It is very
unlikely that it was spread by the virus-writer, since it took place
geographically very far away and also 3 years after the virus was actually
written and distributed to the antivirus researchers.

The main peculiarity of many of Grog's viruses is the presence in their
body, sometimes displayed as a payload and sometimes not, of humorous
phrases from the Peanuts comics, taken from the attempts of Snoopy, Charlie
Brown's dog, to write a popular novel, which always turned out to be very
funny failures. Virus names are also often taken from the world of Snoopy's
novels, and this made a small revolution in its field.
In fact, while antivirus researchers were used to finding magniloquent
names like "Dark Avenger", these viruses with their funny phrases soon
gained popularity.

Before reviewing Grog's viruses I would like to express my regret at the
disappearance of this Padanian or Italian virus-writer, one of the most
promising and prolific ones. I hope the reason he stopped was a high salary
or a pretty girlfriend.

Now let's see Grog's viruses in alphabetical order:

- Aver torto (translation: to be wrong)
  Year 1993. Com infector.

- Bruchetto (translation: little caterpillar)
  Year 1993. Com infector. It inserts itself in the body of the file in an
  area containing null bytes or characters.

- Char2grog
  Year 1993. Com infector. It contains a payload that changes the system
  font in text mode, replacing the character " " with the word "Grog".

- Danzerino (translation: dancer)
  Year 1993. Com infector.

- Delirious
  Year 1993. It infects only the file "\command.com" on the C and A drives.

- Dieta (translation: diet)
  Year 1993. Exe infector.

- E-riluttanza (translation: E-reluctance)
  Year 1992. Com infector.

- Enmity v1.0
  Year 1993. Exe infector. Infects files by overwriting the Exe header but
  keeps the program working.

- Enmity v2.0
  Year 1993. Exe infector, Tsr. Infects files by overwriting the Exe header
  but keeps the program working.

- Enmity v2.1
  Year 1993. Exe infector, Encrypted. Infects files by overwriting the Exe
  header but keeps the program working.

- Gonfievele (translation: swimmingly)
  Year 1993. Com+Exe infector, Tsr. Uses 80286+ instructions.

- Grog v1.0
  Year 1992. Com infector, a bit Polymorphic.

- Grog v2.0
  Year 1992. Com infector, a bit Polymorphic.

- Grog v3.0
  Year 1993. Com infector, Encrypted, Tsr. It has a payload that replaces
  the string "Microsoft" in memory with the string "Grog*Soft".

- Grog v3.1
  Year 1993. Com infector, Encrypted, Tsr. It has a payload that replaces
  the string "Microsoft" in memory with the string "Grog*Soft".

- Grog v4.0
  Year 1993.
  Com+Exe infector, Encrypted, Tsr. It uses various retro structures. It
  tunnels Int 21h using a very interesting and complex tracing routine (at
  the time it was the first virus to use such tracing).

- Grog v5.0
  Year 1993. The most advanced of the Grog family. Com+Exe infector,
  Encrypted, Tsr. It uses many retro structures. It tunnels Int 21h with an
  even more intelligent and complex tracing routine (at the time it was the
  first virus to use such tracing).

- Helen
  Year 1993. Com+Exe infector, Tsr. Based on a Diamond source. It has the
  same graphic payload as Diamond (available in AvpVE).

- Hophophop
  Year 1993. Com infector. It inserts itself in the file's body in an area
  with constant bytes. It writes to floppies directly using Int 40h.

- Ildono (translation: thegift)
  Year 1993. Com infector, Overwriting, partially Encrypted. It has a
  graphic payload in 320x200 at 256 colors (available in AvpVE).

- Il cuoco (translation: the cook)
  Year 1993. Exe infector, Tsr.

- Il mostro (translation: the monster)
  Year 1993. Com infector.

- Inferno (translation: hell)
  Year 1993. Boot infector. Maybe based on a Stoned source.

- Iraquiwarriorg
  Year 1993. Com infector. Based on a Vienna source.

- Joe Anthro (translation: Joe Cave)
  Year 1993. Com infector.

- Joelesquimese (translation: JoeEskimo)
  Year 1993. Com infector, Polymorphic.

- Joemetafora (translation: Joemetaphor)
  Year 1993. Com infector, Companion.

- Latraviata
  Year 1993. Com infector.

- Lor
  Year 1993. Com+Exe infector.

- Mi ami (translation: you love me)
  Year 1993. Com infector, Encrypted.

- Mila
  Year 1992. Com+Exe infector, Overwriting. It has a payload that
  advertises a radio programme of the time named "Mila by night", broadcast
  by Radio Deejay from Milan.

- Miscuglio (translation: mixture)
  Year 1993. Com infector, Tsr.
  The included text reveals that the name "Grog" comes from the graphic
  adventure "Monkey Island", where grog was a drink disgusting to every
  human except the pirates on the island.

- Mope
  Year 1993. Com infector, Tsr.

- Mormorio (translation: whispering)
  Year 1992. Com infector, Overwriting.

- Napoleone (translation: Napoleon)
  Year 1993. Exe infector, a bit Polymorphic.

- Nocciola (translation: Hazel-nut)
  Year 1993. Com infector. In Padania the virus name is the name of the
  Walt Disney sorceress who is Goofy's friend.

- Noncemale (translation: notsobad)
  Year 1993. Com infector. Probably based on a Vienna source.

- Grog.Crackers.Inc
  Year 1993. Com infector. The virus was able to execute a graphic effect
  when an infected file was about to be cleaned by some old versions of
  TBClean from the TBAV antivirus.

- Grog.Crackers.Nta
  Year 1993. Com infector. The virus was able to execute a graphic effect
  when an infected file was about to be cleaned by some old versions of
  TBClean from the TBAV antivirus.

- Grog.Crackers.Public_enemy
  Year 1993. Com infector. The virus was able to execute a graphic effect
  when an infected file was about to be cleaned by some old versions of
  TBClean from the TBAV antivirus.

- Grog.Crackers.Razor
  Year 1993. Com infector. The virus was able to execute a graphic effect
  when an infected file was about to be cleaned by some old versions of
  TBClean from the TBAV antivirus.

- Grog.Crackers.The_dream_team
  Year 1993. Com infector. The virus was able to execute a graphic effect
  when an infected file was about to be cleaned by some old versions of
  TBClean from the TBAV antivirus.

- Grog.Crackers.Wild_cards
  Year 1993. Com infector. The virus was able to execute a graphic effect
  when an infected file was about to be cleaned by some old versions of
  TBClean from the TBAV antivirus.

- Gsav v1.0
  Year 1993. Com infector.
  Full virus name: "Grog*Soft Antivirus v1.0".
  Once it has infected a file, the virus runs an integrity check on the
  host each time the host is executed. If the file has been changed, for
  example by infection with another virus, it notifies the user of what
  happened and offers the opportunity to restore the file as it was before
  the second infection.

- Gsav v1.1
  Year 1993. Com+Exe infector.
  Full virus name: "Grog*Soft Antivirus v1.1".
  Once it has infected a file, the virus runs an integrity check on the
  host each time the host is executed. If the file has been changed, for
  example by infection with another virus, it notifies the user of what
  happened and offers the opportunity to restore the file as it was before
  the second infection.

- Outwit-c
  Year 1993. Com infector, Encrypted. It has a graphic payload in 320x200
  at 256 colors.

- Outwit-e
  Year 1993. Exe infector, Encrypted. It has a graphic payload in 320x200
  at 256 colors.

- Ovile (translation: sheep-fold)
  Year 1993. Com+Exe infector, Tsr. Based on a Murphy source.

- Sciagura (translation: misfortune)
  Year 1993. Boot infector. Probably based on a Stoned source.

- Sempre (translation: always)
  Year 1993. Com infector, Overwriting. Writes to floppies using Int 40h.

- Stakka Bo (Stakka Bo was the name of a pop music group of the time)
  Year 1993. Boot infector.

- Sway
  Year 1993. Exe infector. It has a Tsr payload that uses the keyboard
  LEDs.

- Trofeodigolf (translation: trophyofgolf)
  Year 1993. Com infector. It has a payload that slowly overwrites .dl
  files. Dl is a format for graphic animations developed in Milan.

- Trumpery
  Year 1993. Com infector, Overwriting. It has a payload which tries to
  call some random numbers in the Milan area via modem.

- Villino (translation: small country-house)
  Year 1993. Com infector.

─ End of file ─