Virus Name: Made-255 Virus Type: File Infector Virus (infects .COM files.) Virus Length: 255 Bytes PC Vectors Hooked: None Executing Procedure: 1) Searches for uninfected .COM files in the current directory and infects them. 2) Infects only one file at a time. Damage: None Detecting Method: Infected files will increase by 255 Bytes.
Note: 1) After the infected file is executed, the system will halt. 2) Doesn't stay resident in memory. 3) MADE-255 doesn't hook INT 24h when infecting files. Error message occurs if there is an I/O error (such as write protect).
Virus Name: MacGyver Virus Type: File Virus Virus Length: 2,824 bytes Description: This virus infects .EXE files Infection method: 1) When the infected program is executed, the MacGyver virus will install itself as a low system memory TSR of 3,072 bytes. When the MacGyver virus is memory resident, it will infect .EXE programs when they are executed or opened. The following text string is visible within the MacGyver viral code in all infected programs: "SCANVIR.SHW" Damage: It may cause frequent system hangs when .EXE programs are executed. Note: 1) The DOS CHKDSK program will indicate file allocation errors on all infected files when the virus is memory resident.
Virus Name: Metal_Militia Alias Name: MMIR, Immortal Riot Virus Type: File Virus Virus Length: 282 bytes Description: This virus infects .COM files as well as COMMAND.COM. When an infected file is executed, the virus installs itself into memory. Total available memory will have decreased by 3,072 bytes. Once the virus is memory resident, it will infect .COM files when they are executed. Infected files will increase in size by 1,054-5 bytes, with the virus located at the beginning of the files. Date and time information of infected files will not be altered. The following text string can be found in the virus: "Senseless Desctruction..." "Protecting what we are joining together to take on the world.." "METAL MiLiTiA [iMMORTAL RIOT] SVW"
Virus Name: Michelangelo Virus Type: Boot Virus Virus Length: N/A Description: This virus infects disk boot sectors. When the system is booted from a disk infected with the Michelangelo virus, the virus will install itself into memory. Total available memory will have decreased by 2,048 bytes. Once the virus is memory resident, it will infect diskette boot sectors on access. The virus will move the original boot sector and replace it with a copy of the virus. This virus activates on March 6. It will format the hard disk, overwriting all existing data.
Virus Name: Monkey Alias Name: Stoned.Empire.Monkey.B, Monkey 2 Virus Type: Boot Virus Virus Length: N/A Description: This virus infects boot sectors Infection method: 1) When the system is booted with an infected diskette, the virus loads itself in memory. While loaded, it infects any accessed, non-protected disks. 2) The DOS CHKDSK program will show a "total bytes memory" decrease of 1,024 bytes. Monkey-1 is one of the few viruses that can successfully infect floppies while Microsoft Windows is running. Damage: The virus encrypts the partition table of the master boot record. If you attempt to boot from a clean floppy, the disk will be inaccessible because the partition table has been moved. Note: If you attempt to examine the master boot record while the virus is in memory, it will display the original, uninfected version. Caution: Do not use FDISK /MBR to clean this virus.
Virus Name: MSWord_Concept Virus Type: File Virus Description: This virus infects MSWORD documents. When an infected document is opened, the virus goes resident by adding some macros to your WORD environment. Once the virus is active, all documents saved using the "Save As..." command will be infected. Symptoms include only being able to save files to the template directory.
Virus Name: Mummy Virus Type: File Virus Virus Length: 1,300 - 1,503 bytes Description: This virus infects *.EXE files Executing Procedure: 1) The virus checks if it is memory resident. If it isn't, it loads itself into memory by hooking INT 21h. 2) It then executes the original file. 3) Once in resident memory, it will infect any uninfected file that is executed. Damage: This virus has several variants. While some variants have no damage routine, some will slow down system performance, and some variants of the Mummy virus have a random number counter. When the counter reaches zero, the virus will overwrite the first part of the hard disk and cause severe data loss. Detecting Method: Increases infected file size by 1,300-1,503 bytes. The virus occasionally hangs the system when it is resident in memory. Encrypted text strings appear inside the virus code as follows: "Mummy Version x.xxx", "Kaohsiung Senior School", "Tzeng Jau Ming presents", "Series Number=[xxxxx]." Note: 1) Loads itself resident in memory. An error message occurs if there is an I/O error (such as write protect).
Virus Name: Minimite Virus Type: File Infector Virus (infects .COM files) Virus Length: 183 Bytes PC Vectors Hooked: None Executing Procedure: 1) Finds all uninfected .COM files in the current directory and infects them. Damage: None Detecting Method: Infected files will increase by 183 Bytes. Note: 1) Doesn't stay resident in memory. 2) Minimite doesn't hook INT 24h when infecting files. Error message occurs if there is an I/O error (such as write protect).
Virus Name: Mini-2 Virus Type: File Infector Virus (infects .COM files) Virus Length: No change PC Vectors Hooked: None Executing Procedure: 1) Finds all uninfected .COM files in the current directory and infects them.
Damage: Overwrites original files, so the length of infected files won't increase.
Note: 1) Doesn't stay resident in memory. 2) MINI-2 doesn't hook INT 24h when infecting files. Error message occurs if there is an I/O error (such as write protect).
Virus Name: Mini-212/300 Virus Type: File Infector Virus (infects .COM files) Virus Length: 212 or 300 Bytes (COM)
PC Vectors Hooked: None Executing Procedure: 1) Searches for an uninfected .COM file in the current directory beginning with files starting with the letter "A" and randomly selecting files through the letter "Z" and infects it. 2) It only infects one file at a time. Damage: None Detecting Method: 1) Infected files will increase by 212 or 300 Bytes.
Note: 1) Doesn't stay resident in memory. 2) MINI-212/300 doesn't hook INT 24h when infecting files. Error message occurs if there is an I/O error (such as write protect).
Virus Name: Mindless Virus Type: File Infector Virus (infects .COM files) Virus Length: No change PC Vectors Hooked: None Executing Procedure: 1) If it is Sunday, the virus damages all files on the hard disk. 2) Otherwise it infects all *.C* files in the current directory.
Damage: 1) If the system date is Sunday, it damages all the files on the hard disk. 2) Overwrites original files, so the length of infected files won't increase. Detecting Method: None. Note: 1) Doesn't stay resident in memory. 2) Mindless doesn't hook INT 24h when infecting files. Error message occurs if there is an I/O error (such as write protect).
Virus Name: MPC-1 Virus Type: File Infector Virus (infects .COM & .EXE files) Virus Length: 641 Bytes (COM & EXE) PC Vectors Hooked: INT 24h Executing Procedure: 1) Searches for all uninfected .EXE and .COM files in the current directory and infects them. 2) It then runs the original file. Damage: None Detecting Method: 1) Infected files will increase by 641 Bytes.
Note: 1) Doesn't stay resident in memory. 2) MPC-1 hooks INT 24h when infecting files. It suppresses I/O error messages (such as write protect).
Virus Name: MONXLA Virus Type: File Infector Virus (infects .COM files) Virus Length: 939 Bytes(COM) PC Vectors Hooked: None Executing Procedure: 1) The virus searches for a .COM file in the current directory. 2) If the system date is the 13th, it destroys the file. 3) Otherwise, it infects any one .COM file in the current directory. 4) Finally it executes the original file. Damage: If the system date is the 13th, it destroys a .COM file. Detecting Method: Infected files will increase by 939 Bytes. Note: 1) Doesn't stay resident in memory. 2) MONXLA doesn't hook INT 24h when infecting files. An error message occurs if there is an I/O error (such as write protect).
Virus Name: MORE-649 Virus Type: Memory Resident, File Infector Virus (infects .COM files). Virus Length: 649 Bytes (COM) PC Vectors Hooked: INT 21h (AX=4B00h) (execute program) Infecting Procedure: 1) The virus checks if it is memory resident. If it isn't, it loads itself into memory by hooking INT 21h. 2) It then executes the original file. 3a) Once in resident memory, it will infect any uninfected file that is executed. 3b) It doesn't infect .EXE files or files with a dated year larger than 1999. 4) When the virus detects a file that has a YEAR date larger than 1999, the message appears: "OH NO NOT MORE ARCV". Damage: None. Detecting Method: 1) Infected .COM files increase by 649 Bytes.
Virus Name: MAGNUM Virus Type: Memory Resident, File Infector Virus (infects .COM & .EXE files). Virus Length: 2560 Bytes (COM & EXE) PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h, INT 8h Infecting Procedure: 1) The virus checks if it is memory resident. If it isn't, it loads itself into memory by hooking INT 21h. 2) It then executes the original file. 3) Once in resident memory, it will infect any uninfected file that is executed. Damage: None. Detecting Method: Infected files increase by 2560 Bytes. Note: 1) The Magnum virus hooks INT 24h when infecting files. It suppresses I/O error messages (such as write protect). 2) The virus only runs under DOS 3.3.
Virus Name: MSK Virus Type: Trojan Virus Length: 272 Bytes PC Vectors Hooked: None Damage: Destroys all data on the hard disk. Detecting Method: Check whether there are files with 272 Bytes.
Note: 1) Doesn't stay resident in memory. 2) Doesn't infect any files or partition or boot sector.
Virus Name: Medical Virus Type: File Infector Virus (infects .COM files) Virus Length: 189 Bytes (COM) PC Vectors Hooked: None Executing Procedure: 1) Searches for an uninfected .COM file in the current directory and infects it. 2) It infects only one file at a time. Damage: None. Detecting Method: Infected files will increase by 189 Bytes.
Note: 1) Doesn't stay resident in memory. 2) Medical doesn't hook INT 24h when infecting files. It omits I/O errors (such as write protect).
Virus Name: Multi-2 Virus Type: Partition Table Infector and File Infector Virus (infects .COM & .EXE files) Virus Length: Not Applicable
PC Vectors Hooked: INT 21h, INT 24h, INT 1Ch, INT 13h. Executing Procedure: 1) The virus will decrease the total system memory by 3K Bytes when the system is booted from an infected disk. 2) It then checks whether it is loaded in resident memory. If not, it will load to the last 3K bytes of resident memory by hooking INT 21h and INT 1Ch. 3) It infects files when they are executed. Damage: None. Detecting Method: Infected files increase by 927-1000 Bytes. Note: Multi-2 hooks INT 24h when infecting files. It suppresses I/O error messages (such as write protect).
Virus Name: Multi-2-B Virus Type: File Infector Virus (infects .COM & .EXE files) and Partition Table Infector Virus Length: 927 Bytes (COM), about 1000 Bytes (EXE) PC Vectors Hooked: INT 21h, INT 24h, INT 1Ch, INT 13h. Executing Procedure: 1) When you execute a file, it will infect sector #1 if not already infected. 2a) Next it checks whether it has loaded itself in resident memory. If not, it infects sector #1 then exits. 2b) If it has, it executes the original program. Damage: None. Detecting Method: Infected files increase by 927-1000 Bytes. Note: 1) Multi-2 hooks INT 24h when infecting files. It suppresses I/O error messages (such as write protect).
Virus Name: Mixer 1A Other names: Virus 1618 Virus Type: File Infector Virus Virus Length: Approx. 1618 bytes PC Vectors Hooked: INT 21h Executing Procedure: 1) The virus checks if it is memory resident. If it isn't, it loads itself into memory by hooking INT 21h. 2) It then executes the original file. 3) Once in resident memory, it will infect any uninfected file that is executed. Damage: The main damage routine of this virus scrambles characters sent to the serial or parallel port using BIOS functions. All bytes sent to the port are translated using the virus' own table. 50 minutes after the virus is installed into memory, keyboard definition is activated. From this time on, CapsLock will be set to OFF, and NumLock will be set to ON. The virus will test to see whether the "Del", "Ctrl", or "Alt" keys were pressed simultaneously. If this is the case, the virus will suppress the "Alt" command and activate a routine for screen manipulation. However, the virus will call it in the wrong manner. In text mode, the virus changes all attributes of the video page 0. It will add 1 to all attributes and after 256 the virus will reset itself. 60 minutes after the virus is installed in memory, it will display a bouncing ball similar to the one seen in the Ping-Pong virus. The ball is marked "o" and its movement is controlled by the BIOS (interrupt 10h). Note: 1) An error message occurs if there is an I/O error (such as write protect).
Virus Name: MALAISE Other names: None Virus Type: File Infector Virus Virus Length: 1335/1365 bytes. Executing Procedure: 1) The virus checks if it is memory resident. If it isn't, it loads itself into memory by hooking INT 21h. 2) It then executes the original file. 3) Once in resident memory, it will infect any uninfected file that is executed. Damage: None. Detecting Method: Increases infected file size by 1335-1365 bytes. Note: 1) An error message occurs if there is an I/O error (such as write protect).
Virus Name: Marauder Other names: None Virus Type: File Infector Virus Virus Length: Increases .COM file by 860 bytes. Executing Procedure: 1) Searches for an uninfected .COM file in the current directory and infects it. 2) It then executes the original file. Damage: The Marauder virus will overwrite your files on every February 2nd with the string "=[Marauder] 1992 Hellraiser - Phalcon/Skism."
Virus Name: Mi-Nazi Virus Type: Parasitic Virus. Virus Length: Infected COM file sizes increase by 1084 bytes (Does not infect EXE files). PC Vectors Hooked: INT 21h Executing Procedure: 1) Searches for one uninfected .COM file in the current directory and infects it.
Damage: The part for virus infection was badly written. The infected files cannot be executed normally (Furthermore, the virus is not able to infect and damage). Remarks: 1) The virus infects files by INT 21h. When INT 21h is executed, all the COM files in the current directory will be infected. 2) When infecting files, the virus does not hook INT 24h. Error messages will appear when I/O errors occur.
Virus Name: Madden Virus Type: EXE File infector Virus Length: 1988 bytes Executing Procedure: 1) Searches all directories starting with the current directory for one uninfected .EXE file to infect. 2) It then goes back to the original routine. 3) If there is not an infectable file, it will issue a strange sound that is stopped only by a system reboot. Damage: None Note: Date and time of infected files do not change. Detecting Method: 1) Length of infected files increases. 2) The algorithm is: the original length is first padded up to a multiple of 16, and then increased by 1988 bytes.
Virus Name: Madden-B Virus Type: EXE File infector Virus Length: 1440 bytes Executing Procedure: 1) Searches all directories starting with the current directory for one uninfected .EXE file to infect. 2) It then goes back to the original routine. 3) If there is not an infectable file, it will emit a sound from high to low, from low to high, and so on until the system is rebooted. Damage: None Note: Date and time of infected files do not change. Detecting Method: 1) Length of infected files increases. 2) The algorithm is: the original length is first padded up to a multiple of 16, and then increased by 1440 bytes.
Virus Name: Ms-Dos3.0 Virus Type: COM File infector Virus Length: 953 bytes Executing Procedure: 1) Checks whether it is resident in memory. If not, it will stay resident in high memory. 2) Then it hooks INT 21h and returns to the original routine. Vectors hooked: Hooks INT 21h (AH=3Dh, AX=4B00h) to infect files. If the program to be executed or opened is an uninfected COM file (except COMMAND.COM) and its length is not larger than FB00h, the virus proceeds to infect it. The method of infection is: write a total of 35Dh bytes (1Ch bytes are its head, first 3B9h bytes of file) to the end of file, then overwrite its first 3B9h bytes with virus code. If the program to be executed or opened is an uninfected EXE file and its length is not larger than 4000h, the virus infects it. The method of infection is: after filling the remaining bytes of a segment, it will attach a total of 3F1h bytes (virus code (3B9h) + data in the original file (1Ch) + head of file (1Ch)) to the end of file, then change the pointer in the head to the virus procedure. Damage: None Note: 1) Date and time of infected files do not change. 2) Stealth type virus: restores infected file information when the virus is in system memory. Detecting Method: 1) Memory: a) Total system memory decreases by 7A0h bytes. b) Memory might be infected if AX=9051h (AX is a return value when INT 21h (AH=B3h) is called). 2) File: a) Infected COM file sizes increase by 500 bytes. b) Infected EXE file sizes increase by 1009-1024 bytes. c) Use DEBUG to load an infected file.
Virus Name: Msj Virus Type: EXE & COM File infector Virus Length: 15395 bytes Executing Procedure: 1) Searches for an uninfected EXE file in the current directory from disk A, B or C, then proceeds to infect it. 2) It only infects one file at a time. Damage: None Note: 1) Does not stay in memory. 2) You will see an error message when writing because INT 24h has not been hooked. 3) This virus is written in a high-level language. Detecting Method: Infected file sizes increase by 15395 bytes.
Virus Name: Minsk-Gh Virus Type: EXE & COM File infector Virus Length: 1450-1490 bytes Executing Procedure: 1) Checks whether it is memory resident. If not, it will stay resident in high memory. 2) Then it hooks INT 21h and goes back to the original routine. Vectors hooked: 1) Hooks INT 21h (AH=4Bh) to infect files. 2) First, it will hook INT 24h so that write errors do not reveal its presence. If the program to be executed is an uninfected COM or EXE file, the virus proceeds to infect it. Damage: None Note: This virus cannot run on DOS 5.0. Detecting Method: Infected file sizes increase by 1450-1490 bytes.
Virus Name: Mini-207 Virus Type: COM File infector Virus Length: 207 bytes Executing Procedure: 1) Searches for all uninfected COM files in the current directory, then infects them. Note: 1) Does not stay in memory. 2) You will see an error message when writing because INT 24h has not been hooked. Damage: It will overwrite original files with virus code. Original files are destroyed.
Virus Name: March-25th Virus Type: Virus infects .EXE and .COM files. The MARCH-25H virus will infect .COM and .EXE files which are shorter than 196608 Bytes in length. Virus Length: 1056 Bytes. Interrupt Vectors Hooked: INT 21h. Infection Process: 1) This virus is spread by executing an infected program. 2) When a MARCH-25H infected program is executed, it will check to see if it is already resident in memory by checking to see if address 0:212h contains the value F100h. If it is already in memory it will execute the infected program. 3) The virus stays resident at the top of the MCB (memory control block) but below the DOS 640k boundary. The available free memory will have decreased by 1056 (420h) bytes. It will infect .EXE and .COM programs when they are executed from hard disk. Damage: Destroys the hard disk. Infected files will have a file length increase of 1025 - 1040 (401h - 410h) bytes with the virus located at the end of the file. Symptoms: Virus causes data on C drive to be lost. Note: If the system date is March 25 of any year, virus will proceed to write garbage to: "C drive sector 0 - 6 , cylinder 0 , head 0 C drive sector 1 - 7 , cylinder 1 , head 0 C drive sector 1 - 7 , cylinder 2 , head 0."
Virus Name: MINOSSE Virus Type: EXE files only: MBR Virus Length: 5772 bytes Interrupt Vectors Hooked: INT 21h Infection Process: 1) MINOSSE is a polymorphic virus which prevents the Debug.exe program from tracing this virus. When a MINOSSE infected program is executed, it will: 1. Hook INT 8xh - INT 9xh (x: any number): First, it will hook INT 8xh - 9xh, and then it will run this interrupt to get into the virus entry and decrypt the virus body. 2. Stay resident at the top of the MCB (memory control block) but below the 640k DOS boundary. Damage: Virus will hang the system when System date is greater than June and the day is the 25th. Infected programs will have a file length increase of 3075 bytes with the virus located at the end of the file. The available free memory will have decreased by 5772 bytes. Symptoms: 1) Decreased available memory. 2) The virus will display the following message, "Minose 1V5 (c) 93 WilliWonka." Note: This virus is polymorphic and also a very smart virus. It is not easy to detect by scan programs because its code changes and scanners can't pattern match. It is also not easy to find using the interrupt vectors because it recovers INT 21h to the original vector.
Virus Name: MOMBASA Virus Type: Virus infects .COM files. Virus Length: 3584 bytes. Interrupt Vectors Hooked: INT 21h and 08h. Infection Process: 1) MOMBASA is a polymorphic virus and uses INT 01h and INT 03h to prevent tracing this virus. 2) When a MOMBASA infected program is executed, it will: Stay resident at the top of the MCB (memory control block) but below the 640k DOS boundary. The available free memory will decrease by 3584 bytes. It will hook INT 08h to detect if INT 21h is changed by another program. If the INT 21h vector is changed, the virus will change its vector to the new INT 21h vector and will hook its vector to INT 21h again. It will infect .COM programs and try to infect C:\COMMAND.COM when they are executed. When MOMBASA is memory resident it will hide the file size change because the virus recovers the original file length. When creating a directory, removing a directory, or selecting a default drive such as A: or B:, the virus writes some data to the disk/diskette, but without success. Damage: Screen slowly fades until completely blank. The system then proceeds to hang. The virus destroys the boot sector and FAT of the hard drive. Infected programs will have a file length increase of 3568 bytes with the virus located at the end of the file. Symptoms: Displays the following message, "I'm gonna die...Attack radical...Mombosa virus (MM 92')."
Virus Name: Math-Test Virus Type: COM & EXE File infector Virus Length: 1136 bytes Executing Procedure: 1) Checks whether it has stayed resident in memory. If not, it will stay resident in high memory. 2) Then it hooks INT 21h and goes back to the original routine. Vectors hooked: 1) Hooks INT 21h (AH=4Bh) to infect files. 2) If the program to be executed is an uninfected COM or EXE file, the virus proceeds to infect it. Damage: None Note: You will see an error message when writing because INT 24h has not been hooked. Detecting Method: Infected file sizes increase by 1136 bytes.
Virus Name: Manola Virus Type: COM File infector Virus Length: 831 bytes Executing Procedure: 1) If the current day is 7, the virus displays the following message and reboots the system: "The Atomic Dustbin 2B - I'm Here To Stay". 2) Otherwise, it searches for and infects one uninfected COM file in the current directory. Damage: Virus will sometimes reboot the system. Note: 1) It does not stay resident in memory. 2) You will see an error message when writing because INT 24h has not been hooked. Detecting Method: Infected file sizes increase by 831 bytes.
Virus Name: Mog Virus Type: COM File infector Virus Length: 328 bytes Executing Procedure: 1) Searches for all uninfected COM files in the current directory and infects them. 2) It will then display the following message: " Maccabi Yafo !!!!!" 3) If the current day is February 25, it will then halt the system. Damage: The virus will sometimes halt the system. Note: 1) It does not stay resident in memory. 2) You will see an error message when writing because INT 24h has not been hooked. Detecting Method: Infected file sizes increase by 328 bytes.
Virus Name: Md-354 Virus Type: COM File infector Virus Length: 354 bytes Executing Procedure: 1) Searches for an uninfected COM file in the current directory and infects it (It only infects one file at a time). Damage: None Note: 1) Does not stay in memory. 2) You will see an error message when writing because INT 24h has not been hooked. Detecting Method: Infected files increase by 354 bytes.
Virus Name: Mini-195 Virus Type: COM File infector Virus Length: 195 or 218 bytes Executing Procedure: Searches for an uninfected #*.COM file ("#" indicates a character from 'A' to 'Z', like A*.COM, F*.COM, X*.COM) in the current directory and proceeds to infect it. Damage: None Note: 1) Does not stay in memory. 2) You will see an error message when writing because INT 24h has not been hooked. Detecting Method: Infected file sizes increase by 195 or 218 bytes.
Virus Name: Mr-Vir Virus Type: COM File infector Virus Length: 508 bytes Executing Procedure: 1) Searches for an uninfected COM file in the current directory and infects it (It infects only one file at a time). Damage: None Note: 1) It does not stay resident in memory. 2) You will see an error message when writing because INT 24h has not been hooked. Detecting Method: Infected file sizes increase by 508 bytes.
Virus Name: Magnitogorski-3 Virus Type: COM & EXE File infector Virus Length: 3000 bytes Executing Procedure: 1) Checks whether it has stayed resident in memory. If not, it will stay resident in high memory. 2) Then it hooks INT 21h and goes back to the original routine. Vectors hooked: 1) Hooks INT 21h (AH=4Bh) to infect files. 2) First, it will hook INT 24h so that write errors do not reveal its presence. If the program to be executed is an uninfected COM or EXE file, the virus proceeds to infect it. Damage: None Detecting Method: Infected file sizes increase by 3000 bytes.
Virus Type : File Virus Virus Length : 1648 bytes Virus Memory Type : MCB Type Int. Vectors Hooked : Int 21h Infection Procedure: The virus first encrypts the data found in address 1152:049Eh up to 1152:04E5h and forms "PC Virus Mummy Ver. 2.1.Kaohsiung Senior School Tzeng Jau Ming presents" then saves the address of ES to CS:[494],[458],[442],[446],[44A], then it adds 10h to the address of ES and stores it to CS:[400] and [45C]. It then moves the original header of the program to be ready for execution, modifies the allocated memory, and gets the interrupt vector. Then it saves the value of ES and BX to addresses CS:[044C] and CS:[044E] respectively. Executes child program. Damage : Detection method: Check for the following message: "PC Virus Mummy Ver 2.1 Kaohsiung Senior School Tzeng Jan Ming presents"
Virus Type: File Virus Virus Length: 2803 bytes Virus Infect Type: EXE only Virus Memory Type: MCB Memory Resident Int Vector Hooked: INT 1, 21 Infection Procedure: This virus first moves its code to the memory location nearest the MCB chain and then makes it memory resident. Afterwards it will give the control to where the code was transferred and then calls the function "Get DOS Version No." Then it will Hook INT 1 and INT 21. After this it will modify the Memory Block and will allocate 3072 bytes. Note: This virus hooks INT 1--a Single Step Interrupt which is used by debuggers like DEBUG and LDR.
Virus Type: File Virus Type, Soft Mice Other Name: AMOEBA Virus Length: 3589 bytes Trigger Condition: Nov. 1, Mar. 15 Virus Re-infect: Virus Memory Type: High Memory Resident Place of Origin: MALTA Int Vector Hooked: INT 21 Infection Procedure: First, this virus will decrypt 1184 bytes of its virus code and then it will check if the executed file is .EXE or .COM. If the checked file is not yet infected then it will infect it. Then it will allocate 4096 bytes in the high memory area and will transfer 3589 bytes of its virus code to the High Memory Area. Then it will hook INT 21. After these operations it will give back the control to the carrier program. Damage: If the system date is November 1 or March 15 then the virus will format the hard disk by overwriting the first 4 sectors of every track with garbage thus destroying the boot sector and the File Allocation Table. It will also make the hard disk a Non-DOS partition disk. It will also format the floppy disk (if present). The virus will also display garbage and random screen colors. This message can be found in the virus code: "AMOEBA virus by the Hacker Twins (c) 1991" "This is nothing, wait for the release of" "AMOEBA II-the universal infector hidden to" "any eye but ours!" "Dedicated to the University of Malta-the worst" "educational system in the universe and destroyer" "of 5x2 years of human life" This message will appear on the screen after the virus has trashed the hard disk: "To see a world in a grain of sand, And a heaven in a wild flower Hold Infinity in the palm of your hand And Eternity in an hour." THE VIRUS 16/3/91
Virus Type: File Virus Type Virus Infect Type: .EXE files only
Virus Memory Type: High Memory Resident
Place of Origin:
Int Vector Hooked: INT 08, INT 09, INT 21
Infection Procedure:
The virus will first copy its code to the address 0054:0000, then perform a series of IN and OUT operations on port 21h, and then hook INT 8, 9, and 21. Next it checks whether the carrier file is an EXE file. If it is, the virus infects it by moving the first 198 bytes of the original code to the end of the file and placing the virus code at the beginning.
Virus Type: File Virus Type, Soft Mice
Virus Length: 1712 Bytes
Virus Infect Type: .COM files
Int Vector Hooked: INT 21
First, the virus will decrypt 1417 bytes of its code and then it will allocate 1728 bytes in the High Memory Area. Then it will transfer its code to the High Memory Area with a size of 1712 bytes. It will next hook INT 21. After doing this procedure it will return control to the carrier program.
The virus code contains text strings naming programs and DOS utilities, which it compares with the file to be infected as a stealth technique to avoid detection.
Other Name: WERBE
Virus Length: 1533 bytes
Original Name: WERBE
Place of Origin: Germany
Int Vector Hooked:
This virus will first decrypt 1412 bytes of its virus code. Then it will get the DTA address and then will set it. Then it will check the current drive and then overwrite the boot sector of the hard disk.
Damage:
Upon loading the virus it will overwrite all the boot sectors of all fixed drives thus destroying all local hard disks. This message can be found in the virus code:
"Ups, all Disks from" "C: to Z: Trashed!" "Sorry about that!" "to all Military Inventors its time to give us the Tachyonator!" "MediaMarkt WerbeVirus '94 (c)" "MediaMarkt Germany The Wizard"
Note:
After destroying the hard disk the virus will perform the code:
17AC:0575 JMP 0575
This process performs an endless loop.
Alias:
Origin :
Eff Length : 1788 bytes
Type Code : File Virus; .COM files only
Symptoms :
COM files will increase by 1788 bytes, and there will be a decrease of 2368 bytes in the available memory. Execution of running programs will slow down.
General Comments:
The MIRE1788 virus first allocates 2368 bytes of memory and then transfers its virus code, 1788 bytes in size, to the High Memory Area. It then checks whether the day of the month is 13, and hooks INT 8, INT 9 and INT 21. This allows the virus to infect other .COM files.
If the day of the month is 13, the virus has been resident and the keyboard has not been pressed for 30 minutes, the virus will display a red dialog box at the center of the screen with ASCII text written on it and the only characters readable are the numbers 16 and a set of numbers 133-20-60.
It also hides an infected file when a DIR at the command prompt is executed so as to hide the increase in the size of the infected file.