Made 255

Virus Name: Made-255

Virus Type: File Infector Virus (infects .COM files.)

Virus Length: 255 Bytes

PC Vectors Hooked: None

Executing Procedure:
1) Searches for uninfected .COM files in the current directory and infects them.
2) Infects only one file at a time.

Damage: None

Detecting Method: Infected files will increase by 255 Bytes.

Note:
1) After the infected file is executed, the system will halt.
2) Doesn't stay resident in memory.
3) MADE-255 doesn't hook INT 24h when infecting files. Error message occurs if there is an I/O error (such as write protect).


MacGyver 255

Virus Name: MacGyver

Virus Type: File Virus

Virus Length: 2,824 bytes

Description: This virus infects .EXE files

Infection method:
1) When the infected program is executed, the MacGyver virus will install itself as a low system memory TSR of 3,072 bytes. When the MacGyver virus is memory resident, it will infect .EXE programs when they are executed or opened. The following text string is visible within the MacGyver viral code in all infected programs:

"SCANVIR.SHW"

Damage: It may cause frequent system hangs when .EXE programs are executed.

Note:
1) The DOS CHKDSK program will indicate file allocation errors on all infected files when the virus is memory resident.


Metal_Militia

Virus Name: Metal_Militia

Alias Name: MMIR, Immortal Riot

Virus Type: File Virus

Virus Length: 282 bytes

Description: This virus infects .COM files as well as COMMAND.COM.

When an infected file is executed, the virus installs itself into memory. Total available memory will have decreased by 3,072 bytes.

Once the virus is memory resident, it will infect .COM files when they are executed. Infected files will increase in size by 1,054-5 bytes, with the virus located at the beginning of the files. Date and time information of infected files will not be altered.

The following text string can be found in the virus:

"Senseless Desctruction..."
"Protecting what we are joining together to take on the world.."
"METAL MiLiTiA [iMMORTAL RIOT] SVW"


Michelangelo

Virus Name: Michelangelo

Virus Type: Boot Virus

Virus Length: N/A

Description: This virus infects disk boot sectors.

When the system is booted from a disk infected with the Michelangelo virus, the virus will install itself into memory. Total available memory will have decreased by 2,048 bytes.

Once the virus is memory resident, it will infect diskette boot sectors on access. The virus will move the original boot sector and replace it with a copy of the virus.

This virus activates on March 6. It will format the hard disk, overwriting all existing data.


Monkey

Virus Name: Monkey

Alias Name: Stoned.Empire.Monkey.B, Monkey 2

Virus Type: Boot Virus

Virus Length: N/A

Description: This virus infects boot sectors

Infection method:
1) When the system is booted with an infected diskette, the virus loads itself in memory. While loaded, it infects any accessed, non-protected disks.
2) The DOS CHKDSK program will show a "total bytes memory" decrease of 1,024 bytes. Monkey-1 is one of the few viruses that can successfully infect floppies while Microsoft Windows is running.

Damage: The virus encrypts the partition table of the master boot record. If you attempt to boot from a clean floppy, the disk will be inaccessible because the partition table has been moved.

Note: If you attempt to examine the master boot record while the virus is in memory, it will display the original, uninfected version.

Caution: Do not use FDISK /MBR to clean this virus.


MSWord_Concept

Virus Name: MSWord_Concept

Virus Type: File Virus

Description: This virus infects MSWORD documents.

When an infected document is opened, the virus goes resident by adding some macros to your WORD environment.

Once the virus is active, all documents saved using the "Save As..." command will be infected.

Symptoms include only being able to save files to the template directory.


Mummy

Virus Name: Mummy

Virus Type: File Virus

Virus Length: 1,300 - 1,503 bytes

Description: This virus infects *.EXE files

Executing Procedure:
1) The virus checks if it is memory resident. If it isn't, it loads itself into memory by hooking INT 21h.
2) It then executes the original file.
3) Once in resident memory, it will infect any uninfected file that is executed.

Damage: This virus has several variants. While some variants have no damage routine, some slow down system performance, and variants of the Mummy virus have a random number counter. When the counter reaches zero, the virus overwrites the first part of the hard disk and causes severe data loss.

Detecting Method: Increases infected file size by 1,300-1,503 bytes. The virus occasionally hangs the system when it is resident in memory. Encrypted text strings appear inside the virus code as follows:

"Mummy Version x.xxx",
"Kaohsiung Senior School",
"Tzeng Jau Ming presents",
"Series Number=[xxxxx]."

Note:
1) Loads itself resident in memory. An error message occurs if there is an I/O error (such as write protect).


Minimite

Virus Name: Minimite

Virus Type: File Infector Virus (infects .COM files)

Virus Length: 183 Bytes

PC Vectors Hooked: None

Executing Procedure:
1) Finds all uninfected .COM files in the current directory and infects them.

Damage: None

Detecting Method: Infected files will increase by 183 Bytes.

Note:
1) Doesn't stay resident in memory.
2) Minimite doesn't hook INT 24h when infecting files. Error message occurs if there is an I/O error (such as write protect).


Mini 2

Virus Name: Mini-2

Virus Type: File Infector Virus (infects .COM files)

Virus Length: No change

PC Vectors Hooked: None

Executing Procedure:
1) Finds all uninfected .COM files in the current directory and infects them.

Damage: Overwrites original files, so the length of infected files won't increase.

Note:
1) Doesn't stay resident in memory.
2) MINI-2 doesn't hook INT 24h when infecting files. Error message occurs if there is an I/O error (such as write protect).


Mini 212/300

Virus Name: Mini-212/300

Virus Type: File Infector Virus (infects .COM files)

Virus Length: 212 or 300 Bytes(COM)

PC Vectors Hooked: None

Executing Procedure:
1) Searches for an uninfected .COM file in the current directory beginning with files starting with the letter "A" and randomly selecting files through the letter "Z" and infects it.
2) It only infects one file at a time.

Damage: None

Detecting Method:
1) Infected files will increase by 212 or 300 Bytes.

Note:
1) Doesn't stay resident in memory.
2) MINI-212/300 doesn't hook INT 24h when infecting files. Error message occurs if there is an I/O error (such as write protect).


Mindless

Virus Name: Mindless

Virus Type: File Infector Virus (infects .COM files)

Virus Length: No change

PC Vectors Hooked: None

Executing Procedure:
1) If it is Sunday, the virus damages all files on the hard disk.
2) Otherwise it infects all *.C* files in the current directory.

Damage:
1) If the system date is Sunday, it damages all the files on the hard disk.
2) Overwrites original files, so the length of infected files won't increase.

Detecting Method: None.

Note:
1) Doesn't stay resident in memory.
2) Mindless doesn't hook INT 24h when infecting files. Error message occurs if there is an I/O error (such as write protect).


MPC-1

Virus Name: MPC-1

Virus Type: File Infector Virus (infects .COM & .EXE files)

Virus Length: 641 Bytes(COM & EXE)

PC Vectors Hooked: INT 24h

Executing Procedure:
1) Searches for all uninfected .EXE and .COM files in the current directory and infects them.
2) It then runs the original file.

Damage: None

Detecting Method:
1) Infected files will increase by 641 Bytes.

Note:
1) Doesn't stay resident in memory.
2) MPC-1 hooks INT 24h when infecting files. It omits I/O errors (such as write protect).


Monxla

Virus Name: MONXLA

Virus Type: File Infector Virus (infects .COM files)

Virus Length: 939 Bytes(COM)

PC Vectors Hooked: None

Executing Procedure:
1) The virus searches for a .COM file in the current directory.
2) If the system date is the 13th, it destroys the file.
3) Otherwise, it infects any one .COM file in the current directory.
4) Finally it executes the original file.

Damage: If the system date is the 13th, it destroys a .COM file.

Detecting Method: Infected files will increase by 939 Bytes.

Note:
1) Doesn't stay resident in memory.
2) MONXLA doesn't hook INT 24h when infecting files. An error message occurs if there is an I/O error (such as write protect).


More-649

Virus Name: MORE-649

Virus Type: Memory Resident, File Infector Virus (infects .COM files).

Virus Length: 649 Bytes (COM)

PC Vectors Hooked: INT 21h (AX=4B00h) (execute program)

Infecting Procedure:
1) The virus checks if it is memory resident. If it isn't, it loads itself into memory by hooking INT 21h.
2) It then executes the original file.
3a) Once in resident memory, it will infect any uninfected file that is executed.
3b) It doesn't infect .EXE files or files with a date year larger than 1999.
4) When the virus detects a file that has a YEAR date larger than 1999, the following message appears: "OH NO NOT MORE ARCV".

Damage: None.

Detecting Method:
1) Infected .COM files increase by 649 Bytes.


Magnum

Virus Name: MAGNUM

Virus Type: Memory Resident, File Infector Virus (infects .COM & .EXE files).

Virus Length: 2560 Bytes (COM & EXE)

PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h, INT 8h

Infecting Procedure:
1) The virus checks if it is memory resident. If it isn't, it loads itself into memory by hooking INT 21h.
2) It then executes the original file.
3) Once in resident memory, it will infect any uninfected file that is executed.

Damage: None.

Detecting Method: Infected files increase by 2560 Bytes.

Note:
1) The Magnum virus hooks INT 24h when infecting files. It omits I/O errors (such as write protect).
2) The virus only runs under DOS 3.3


MSK

Virus Name: MSK

Virus Type: Trojan

Virus Length: 272 Bytes

PC Vectors Hooked: None

Damage: Destroys all data on the hard disk.

Detecting Method: Check whether there are files with 272 Bytes.

Note:
1) Doesn't stay resident in memory.
2) Doesn't infect any files or partition or boot sector.


Medical

Virus Name: Medical

Virus Type: File Infector Virus (infects .COM files)

Virus Length: 189 Bytes(COM)

PC Vectors Hooked: None

Executing Procedure:
1) Searches for an uninfected .COM file in the current directory and infects it.
2) It infects only one file at a time.

Damage: None.

Detecting Method: Infected files will increase by 189 Bytes.

Note:
1) Doesn't stay resident in memory.
2) Medical doesn't hook INT 24h when infecting files. It omits I/O errors (such as write protect).


Multi-2

Virus Name: Multi-2

Virus Type: Partition Table Infector and File Infector Virus (infects .COM & .EXE files)

Virus Length: Not Applicable

PC Vectors Hooked: INT 21h, INT 24h, INT 1Ch, INT 13h.

Executing Procedure:
1) The Virus will decrease the total system memory by 3K Bytes when the system is booted from an infected disk.
2) It then checks whether it is loaded in resident memory. If not, it will load to the last 3K bytes of resident memory by hooking INT 21h and INT 1Ch.
3) It infects files when they are executed.

Damage: None.

Detecting Method: Infected files increase by 927-1000 Bytes.

Note: Multi-2 hooks INT 24h when infecting files. It omits I/O errors (such as write protect).


Multi-2B

Virus Name: Multi-2-B

Virus Type: File Infector Virus (infects .COM & .EXE files) and Partition Table Infector

Virus Length: 927 Bytes(COM), about 1000 Bytes(EXE)

PC Vectors Hooked: INT 21h, INT 24h, INT 1Ch , INT 13h.

Executing Procedure:
1) When you execute a file, it will infect sector #1 if not already infected.
2a) Next it checks whether it has loaded itself in resident memory. If not, it infects sector #1 then exits.
2b) If it has, it executes the original program.

Damage: None.

Detecting Method: Infected files increase by 927-1000 Bytes.

Note:
1) Multi-2 hooks INT 24h when infecting files. It omits I/O errors (such as write protect).


Mixer 1A

Virus Name: Mixer 1A

Other names: Virus 1618

Virus Type: File Infector Virus

Virus Length: Approx. 1618 bytes

PC Vectors Hooked: Int 21

Executing Procedure:
1) The virus checks if it is memory resident. If it isn't, it loads itself into memory by hooking INT 21h.
2) It then executes the original file.
3) Once in resident memory, it will infect any uninfected file that is executed.

Damage: The mixture of characters sent to the serial or parallel port using BIOS functions is the main damage routine of this virus. All bytes sent to the port are translated using the virus' own table.

50 minutes after the virus is installed into memory, keyboard definition is activated. From this time on, CapsLock will be set to OFF, and Numlock will be set to ON. The virus will test to see whether the "Del", "Ctrl", or "Alt" were simultaneously depressed. If this is the case, the virus will suppress the "Alt" command and activate a routine for screen manipulation. However, the virus will call it in the wrong manner.

In text mode, the virus changes all attributes of the video page 0. It will add 1 to all attributes and after 256 the virus will reset itself. 60 minutes after the virus is installed in memory, it will display a bouncing ball similar to the one seen in the Ping-Pong virus. The ball is marked "o" and its movement is controlled by the BIOS (interrupt 10h).

Note:
1) An error message occurs if there is an I/O error (such as write protect).


Malaise

Virus Name: MALAISE

Other names: None

Virus Type: File Infector Virus

Virus Length: 1335/1365 bytes.

Executing Procedure:
1) The virus checks if it is memory resident. If it isn't, it loads itself into memory by hooking INT 21h.
2) It then executes the original file.
3) Once in resident memory, it will infect any uninfected file that is executed.

Damage: None.

Detecting Method: Increases infected file size by 1335-1365 bytes.

Note:
1) An error message occurs if there is an I/O error (such as write protect).


Marauder

Virus Name: Marauder

Other names: None

Virus Type: File Infector Virus

Virus Length: Increases .COM file by 860 bytes.

Executing Procedure:
1) Searches for an uninfected .COM file in the current directory and infects it.
2) It then executes the original file.

Damage: The Marauder virus will overwrite your files on every February 2nd with the string "=[Marauder] 1992 Hellraiser - Phalcon/Skism."


Mi-Nazi

Virus Name: Mi-Nazi

Virus Type: Parasitic Virus.

Virus Length: Infected COM file sizes increase by 1084 bytes (Does not infect EXE files).

PC Vectors Hooked: INT 21h

Executing Procedure:
1) Searches for one uninfected .COM file in the current directory and infects it.

Damage: The infection routine was badly written. The infected files cannot be executed normally (furthermore, the virus is not able to infect and damage).

Remarks:
1) The virus infects files by INT 21h. When INT 21h is executed, all the COM files in the current directory will be infected.
2) When infecting files, the virus does not hook INT 24h. Error messages will appear when I/O errors occur.


Madden

Virus Name: Madden

Virus Type: EXE File infector

Virus Length: 1988 bytes

Executing Procedure:
1) Searches all directories starting with the current directory for one uninfected .EXE file to infect.
2) It then goes back to the original routine.
3) If there is not an infectable file, it will issue a strange sound that is stopped only by a system reboot.

Damage: None

Note: Date and time of infected files do not change.

Detecting Method:
1) The length of infected files increases.
2) The algorithm is: the original length is first padded up to a multiple of 16, and then increased by 1988 bytes.


Madden-B

Virus Name: Madden-B

Virus Type: EXE File infector

Virus Length: 1440 bytes

Executing Procedure:
1) Searches all directories starting with the current directory for one uninfected .EXE file to infect.
2) It then goes back to the original routine.
3) If there is not an infectable file, it will emit a sound from high to low, from low to high, and so on until the system is rebooted.

Damage: None

Note: Date and time of infected files do not change.

Detecting Method:
1) The length of infected files increases.
2) The algorithm is: the original length is first padded up to a multiple of 16, and then increased by 1440 bytes.


MS DOS 3.0

Virus Name: Ms-Dos3.0

Virus Type: COM File infector

Virus Length: 953 bytes

Executing Procedure:
1) Checks whether it is resident in memory. If not, it will stay resident in high memory.
2) Then it hooks INT 21h and returns to the original routine.

Vectors hooked: Hooks INT 21H (AH=3Dh,AX=4B00h) to infect files.
If the program to be executed or opened is an uninfected COM file (Except COMMAND.COM) and its length is not larger than FB00h, the virus proceeds to infect it. The method of infection is: write a total of 35Dh bytes (1Ch bytes are its head, first 3B9h bytes of file) to the end of file, then overwrite its first 3B9h bytes with virus code.
If the program to be executed or opened is an uninfected EXE file and its length is not larger than 4000h, the virus infects it. The method of infection is: after filling the left bytes of a segment, it will attach a total of 3F1h bytes (virus codes(3B9h)+data in the original file(1Ch)+head of file(1Ch)) to the end of file, then change the pointer in the head to the virus procedure.

Damage: None

Note:
1) Date and time of infected files do not change.
2) Stealth type virus: restores infected file information when the virus is in system memory.

Detecting Method:
1) Memory:
a) Total system memory decreases by 7A0h bytes.
b) Memory might be infected if AX=9051h (AX is a return value when INT 21h(AH=B3h) called).
2) File:
a) Infected COM file sizes increase by 500 bytes.
b) Infected EXE file sizes increase by 1009-1024 bytes.
c) Use DEBUG to load an infected file.


MSJ

Virus Name: Msj

Virus Type: EXE & COM File infector

Virus Length: 15395 bytes

Executing Procedure:
1) Searches for an uninfected EXE file in the current directory from disk A, B or C, then proceeds to infect it.
2) It only infects one file at a time.

Damage: None

Note:
1) Does not stay in memory.
2) You will see an error message when writing because INT 24h has not been hooked.
3) This virus is written in a high-level language.

Detecting Method: Infected file sizes increase by 15395 bytes.


Minsk-GH

Virus Name: Minsk-Gh

Virus Type: EXE & COM File infector

Virus Length: 1450-1490 bytes

Executing Procedure:
1) Checks whether it is memory resident. If not, it will stay resident in high memory.
2) Then it hooks INT 21h and goes back to the original routine.

Vectors hooked:
1) Hooks INT 21H (AH=4Bh) to infect files.
2) First, it will hook INT 24h to avoid revealing its presence when writing. If the program to be executed is an uninfected COM or EXE file, the virus proceeds to infect it.

Damage: None

Note: This virus cannot run on DOS 5.0.

Detecting Method: Infected file sizes increase by 1450-1490 bytes.


Mini-207

Virus Name: Mini-207

Virus Type: COM File infector

Virus Length: 207 bytes

Executing Procedure:
1) Searches for all uninfected COM files in the current directory, then infects them.

Note:
1) Does not stay in memory.
2) You will see an error message when writing because INT 24h has not been hooked.

Damage: It will overwrite original files with virus code. Original files are destroyed.


March 25th

Virus Name: March-25th

Virus Type: Virus infects .EXE and .COM files. The MARCH-25H virus will infect .COM and .EXE files which are shorter than 196608 Bytes in length.

Virus Length: 1056 Bytes.

Interrupt Vectors Hooked: INT 21h.

Infection Process:
1) This virus is spread by executing an infected program.
2) When a MARCH-25H infected program is executed, it will check to see if it is already resident in memory by checking to see if address 0:212h contains the value F100h. If it is already in memory it will execute the infected program.
3) The virus stays resident at the top of the MCB (memory control block) but below the DOS 640k boundary. The available free memory will have decreased by 1056 (420H) bytes. It will infect .EXE and .COM programs when they are executed from hard disk.

Damage: Destroys the hard disk. Infected files will have a file length increase of 1025 - 1040 (401h - 410h) bytes with the virus located at the end of the file.

Symptoms: Virus causes data on C drive to be lost.

Note: If the system date is March 25 of any year, virus will proceed to write garbage to:
"C drive sector 0 - 6 , cylinder 0 , head 0
C drive sector 1 - 7 , cylinder 1 , head 0
C drive sector 1 - 7 , cylinder 2 , head 0."


Minosse

Virus Name: MINOSSE

Virus Type: EXE files only: MBR

Virus Length: 5772 bytes

Interrupt Vectors Hooked: INT 21h

Infection Process:
1) MINOSSE is a polymorphic virus which prevents the Debug.exe program from tracing this virus.

When a MINOSSE infected program is executed, it will:

1. Hook int 8xh - int 9xh (x: any number). First, it will hook int 8xh - 9xh, and then it will run this interrupt to get into the virus entry and decrypt the virus body.

2. Stay resident at the top of the MCB (memory control block) but below the 640k DOS boundary.

Damage: The virus will hang the system when the system date is later than June and the day is the 25th. Infected programs will have a file length increase of 3075 bytes with the virus located at the end of the file. The available free memory will have decreased by 5772 bytes.

Symptoms:
1) Decreased available memory.
2) The virus will display the following message, "Minose 1V5 (c) 93 WilliWonka."

Note: This virus is polymorphic and also a very smart virus. It is not easy to detect by scan programs because its code changes and scanners can't pattern match. It is also not easy to find using the interrupt vectors because it recovers int 21h to the original vector.


Mombasa

Virus Name: MOMBASA

Virus Type: Virus infects .COM files.

Virus Length: 3584 bytes.

Interrupt Vectors Hooked: INT 21h and 08h.

Infection Process:
1) MOMBASA is a polymorphic virus and uses INT 01h and INT 03h to prevent tracing this virus.
2) When a MOMBASA infected program is executed, it will:

Stay resident at the top of MCB (memory control block) but below the 640k DOS boundary. The available free memory will decrease by 3584 bytes.

It will hook int 08h to detect if int 21h is changed by another program. If the INT 21h vector is changed, the virus will change its vector to the new INT 21h vector and will hook its vector to int 21h again.

It will infect .COM programs and try to infect C:\COMMAND.COM when they are executed. When MOMBASA is memory resident it will hide the file size change because the virus recovers the original file length. When creating a directory, removing a directory, or selecting a default drive such as A: or B:, the virus writes some data to the disk/diskette, but without success.

Damage: Screen slowly fades until completely blank. The system then proceeds to hang. The virus destroys the boot sector and FAT of the hard drive. Infected programs will have a file length increase of 3568 bytes with the virus located at the end of the file.

Symptoms: Displays the following message, "I'm gonna die...Attack radical...Mombosa virus (MM 92')."


Math-Test

Virus Name: Math-Test

Virus Type: COM & EXE File infector

Virus Length: 1136 bytes

Executing Procedure:
1) Checks whether it has stayed resident in memory. If not, it will stay resident in high memory.
2) Then it hooks INT 21h and goes back to the original routine.

Vectors hooked:
1) Hooks INT 21H(AH=4Bh) to infect files.
2) If the program to be executed is an uninfected COM or EXE file, the virus proceeds to infect it.

Damage: None

Note: You will see an error message when writing because INT 24h has not been hooked.

Detecting Method: Infected file sizes increase by 1136 bytes.


Manola

Virus Name: Manola

Virus Type: COM File infector

Virus Length: 831 bytes

Executing Procedure:
1) If the current day is 7, the virus displays the following message and reboots the system: "The Atomic Dustbin 2B - I'm Here To Stay".
2) Otherwise, it searches for and infects one uninfected COM file in the current directory.

Damage: Virus will sometimes reboot the system.

Note:
1) It does not stay resident in memory.
2) You will see an error message when writing because INT 24h has not been hooked.

Detecting Method: Infected file sizes increase by 831 bytes.


Mog

Virus Name: Mog

Virus Type: COM File infector

Virus Length: 328 bytes

Executing Procedure:
1) Searches for all uninfected COM files in the current directory and infects them.
2) It will then display the following message: " Maccabi Yafo !!!!!"
3) If the current day is February 25, it will then halt the system.

Damage: The virus will sometimes halt the system.

Note:
1) It does not stay resident in memory.
2) You will see an error message when writing because INT 24h has not been hooked.

Detecting Method: Infected file sizes increase by 328 bytes.


Md-354

Virus Name: Md-354

Virus Type: COM File infector

Virus Length: 354 bytes

Executing Procedure:
1) Searches for an uninfected COM file in the current directory and infects it (It only infects one file at a time).

Damage: None

Note:
1) Does not stay in memory.
2) You will see an error message when writing because INT 24h has not been hooked.

Detecting Method: Infected files increase by 354 bytes.


Mini-195

Virus Name: Mini-195

Virus Type: COM File infector

Virus Length: 195 or 218 bytes

Executing Procedure: Searches for an uninfected #*.COM file ("#" indicates a character from 'A' to 'Z', like A*.com, F*.COM, X*.COM) in the current directory and proceeds to infect it.

Damage: None

Note:
1) Does not stay in memory.
2) You will see an error message when writing because INT 24h has not been hooked.

Detecting Method: Infected file sizes increase by 195 or 218 bytes.


Mr-Vir

Virus Name: Mr-Vir

Virus Type: COM File infector

Virus Length: 508 bytes

Executing Procedure:
1) Searches for an uninfected COM file in the current directory and infects it (It infects only one file at a time).

Damage: None

Note:
1) It does not stay resident in memory.
2) You will see an error message when writing because INT 24h has not been hooked.

Detecting Method: Infected file sizes increase by 508 bytes.


Magnitogorski-3

Virus Name: Magnitogorski-3

Virus Type: COM & EXE File infector

Virus Length: 3000 bytes

Executing Procedure:
1) Checks whether it has stayed resident in memory. If not, it will stay resident in high memory.
2) Then it hooks INT 21h and goes back to the original routine.

Vectors hooked:
1) Hooks INT 21H(AH=4Bh) to infect files.
2) First, it will hook INT 24h to avoid revealing its presence when writing. If the program to be executed is an uninfected COM or EXE file, the virus proceeds to infect it.

Damage: None

Detecting Method: Infected file sizes increase by 3000 bytes.


Mummy-2

Virus Type: File Virus

Virus Length: 1648 bytes

Virus Memory Type: MCB Type

Int. Vectors Hooked: Int 21h

Infection Procedure:

The virus first encrypts the data found in address 1152:049Eh up to 1152:04E5h and forms "PC Virus Mummy Ver. 2.1.Kaohsiung Senior School Tzeng Jau Ming presents", then saves the address of ES to CS:[494],[458],[442],[446],[44A]. It then adds 10h to the address of ES and stores it to CS:[400] and [45C]. It then moves the original header of the program to be ready for execution, modifies the allocated memory, and gets the interrupt vector. Then it saves the values of ES and BX to addresses CS:[044C] and CS:[044E] respectively. Finally, it executes the child program.

Damage :

Detection method: Check for the following message:

"PC Virus Mummy Ver 2.1 Kaohsiung Senior School Tzeng Jan Ming presents"


MacGyver.2803.A

Virus Type: File Virus

Virus Length: 2803 bytes

Virus Infect Type: EXE only

Virus Memory Type: MCB Memory Resident

Int Vector Hooked: INT 1, 21

Infection Procedure:

This virus first moves its code to the memory location nearest the MCB chain and then makes it memory resident. Afterwards it gives control to where the code was transferred and then calls the function "Get DOS Version No." It then hooks INT 1 and INT 21. After this it modifies the Memory Block and allocates 3072 bytes.

Note:

This virus hooks INT 1, the single-step interrupt, which is used by debuggers like DEBUG and LDR.

 


Maltese.Amoeba

Virus Type: File Virus Type, Soft Mice

Other Name: AMOEBA

Virus Length: 3589 bytes

Trigger Condition: Nov. 1, Mar. 15

Virus Re-infect:

Virus Memory Type: High Memory Resident

Place of Origin: MALTA

Int Vector Hooked: INT 21

Infection Procedure:

First, this virus will decrypt 1184 bytes of its virus code and then it will check if the executed file is .EXE or .COM. If the checked file is not yet infected then it will infect it. Then it will allocate 4096 bytes in the high memory area and will transfer 3589 bytes of its virus code to the high memory area. Then it will hook INT 21. After these operations it will give control back to the carrier program.

Damage:

If the system date is November 1 or March 15 then the virus will format the hard disk by overwriting the first 4 sectors of every track with garbage, thus destroying the boot sector and the File Allocation Table. It will also make the hard disk a Non-DOS partition disk. It will also format the floppy disk (if present).

The virus will also display garbage and random screen colors. This message can be found in the virus code:

"AMOEBA virus by the Hacker Twins (c) 1991"
"This is nothing, wait for the release of"
"AMOEBA II-the universal infector hidden to"
"any eye but ours!"
"Dedicated to the University of Malta-the worst"
"educational system in the universe and destroyer"
"of 5x2 years of human life"

This message will appear on the screen after the virus has trashed the hard disk:

"To see a world in a grain of sand,
And a heaven in a wild flower
Hold Infinity in the palm of your hand
And Eternity in an hour."

THE VIRUS 16/3/91


Mange-Tout.1099

Virus Type: File Virus Type

Virus Infect Type: .EXE files only

Virus Memory Type: High Memory Resident

Place of Origin:

Int Vector Hooked: INT 08, INT 09, INT 21

Infection Procedure:

The virus will first copy its code to the address 0054:0000, then it will do a series of ins and outs at port 21h, and then it will hook INT 8, 9, and 21. Then it will check whether the carrier file is an EXE file. If it is, then it will infect it by transferring the first 198 bytes of the original code to the end of the file and transferring the virus code to the beginning.

 


Manzon

Virus Type: File Virus Type, Soft Mice

Virus Length: 1712 Bytes

Virus Infect Type: .COM files

Virus Memory Type: High Memory Resident

Place of Origin:

Int Vector Hooked: INT 21

Infection Procedure:

First, the virus will decrypt 1417 bytes of its code and then it will allocate 1728 bytes in the High Memory Area. Then it will transfer its code to the High Memory Area with a size of 1712 bytes. It will next hook INT 21. After doing this procedure it will return control to the carrier program.

The virus code contains text strings naming programs and DOS utilities, which it compares with the file to be infected as a stealth technique to avoid detection.

 


Markt

Virus Type: File Virus Type, Soft Mice

Other Name: WERBE

Virus Length: 1533 bytes

Original Name: WERBE

Place of Origin: Germany

Int Vector Hooked:

Infection Procedure:

This virus will first decrypt 1412 bytes of its virus code. Then it will get the DTA address and then will set it. Then it will check the current drive and then overwrite the boot sector of the hard disk.

Damage:

Upon loading, the virus will overwrite the boot sectors of all fixed drives, thus destroying all local hard disks. This message can be found in the virus code:

"Ups, all Disks from"
"C: to Z: Trashed!"
"Sorry about that!"
"to all Military Inventors its time to give us the Tachyonator!"
"MediaMarkt WerbeVirus '94 (c)"
"MediaMarkt Germany The Wizard"

Note:

After destroying the hard disk the virus will execute the following code:

17AC:0575 JMP 0575

This process performs an endless loop.

 


Mirea.1788

Alias:

Origin :

Eff Length : 1788 bytes

Type Code : File Virus; .COM files only

Symptoms :

COM files will increase by 1788 bytes, and there will be a decrease of 2368 bytes in the available memory. Execution of running programs will slow down.

General Comments:

The MIRE1788 virus first allocates memory with a size of 2368 bytes and then transfers its virus code to the High Memory Area with a size of 1788 bytes. It then checks whether the day of the month is 13, and then hooks INT 8, INT 9 and INT 21. This allows the virus to infect other .COM files.

If the day of the month is 13, the virus has been resident and the keyboard has not been pressed for 30 minutes, the virus will display a red dialog box at the center of the screen with ASCII text written on it; the only readable characters are the number 16 and the set of numbers 133-20-60.

It also hides an infected file when a DIR at the command prompt is executed so as to hide the increase in the size of the infected file.