%%File: VIRS0205.TXT
%%Name/Aliases: BUTTHEAD, BUA-2263, Big Caibua, Vienna.Bua
%%Platform: PC/MS-DOS
%%Type: Program.
%%Disk Location: COM application.
%%Features: Direct acting, Encrypted
%%Damage: Deletes or moves files., Corrupts hard disk boot sector
%%Size: 2263-2296
%%See Also:
%%Notes:
This is a relatively unsophisticated virus, of a kind that doesn't normally spread very well in the wild. However, this virus did spread rapidly via an infected 'SCREEN SAVER', namely 'COOLSAVER.COM'.

It is a non-resident infector of *.COM files in the current directory and on the PATH (COMMAND.COM is excluded).

If the date is May 5, 1995 or after, and the time is between 3pm and 7pm, it will display its distinctive phallic screen effect. Also at these times, it will check an internal counter, and if the value in the counter is high enough, it will execute various damage routines. These damage routines include the creation of directories named "Caibua", "FUCK YOU", "EAT SHIT" and "BITE ME!", the erasing of the first file in the current directory on the default drive, and damaging the data on the C: drive by overwriting the system boot record, FATs, and other system areas.

The following signature may be put into a file called ADDENDA.LST in the IBMAV directory to enable IBMAV to detect this virus:

51BE01018B1481C2F7058BF2FC90E88908 %s the Bua-2263 %s (COM. Mismatches=01.)

Text in file: "NGiK"

It was also discovered on the CRS Online BBS in Canada, in the file BESTSSVR.ZIP. A virus scanner is available at CRS in file area 1: XCAIBUA.ZIP.

The BESTSSVR.ZIP file, when uncompressed, yields the program COOLSAVR.COM. The program claims to be a screensaver, but when run it creates the "Big Caibua!" virus, which only infects files ending in ".COM". The free program XCAIBUA.ZIP locates infected files and renames them so that they can be deleted. Infected .COM files cannot be recovered.

More information can be found in the June 1995 issue of VB.