informis
/
textfiles
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
textfiles/virus/malmsey.txt

76 lines
4.0 KiB
Plaintext
Raw Permalink Blame History

Virus Name: Malmsey
Aliases:
V Status: Rare
Discovered: October, 1992
Symptoms: .COM files overwritten; programs fail to function properly;
file date/time changes
Origin: Canada
Eff Length: 495 Bytes
Type Code: ONCK - Overwriting Non-Resident .COM Infector
Detection Method: Novi 1.15a+, F-Prot, VNet, Viruscan V99+, VBuster,
Sweep 2.43a+, IBMAV, AVTK 6.04+, NShld V99+, Sweep/N
Removal Instructions: Delete infected files
General Comments:
The Malmsey virus was received in October, 1992, and was written
by a person using the name Lucifer Messiah. Malmsey is from
Canada. This virus is a non-resident, direct action overwriting
virus which infects .COM programs, including COMMAND.COM. A
later version of the virus, Malmsey 2 described below, is a
parasitic, non-resident, direct action .EXE infector.
When a program infected with the Malmsey virus is executed, the
Malmsey virus will infect one .COM program located in the current
directory, overwriting the first 495 bytes of the host file. The
programs date and time in the DOS disk directory listing will have
been updated to the current system date and time when infection
occurred. The following text strings can be found in all Malmsey
infected programs:
"*.COM"
"[Malmsey Habitat v. 1.3]"
"Warmest Regards to RABID"
"from -- ANARKICK SYSTEMS!"
Malmsey doesn't appear to do anything besides replicate, though
infected programs will be permanently corrupted.
Known variant(s) of Malmsey are:
Malmsey 2: A later version of the Malmsey virus, this variant
infects one .EXE program each time an infected program
is executed. Infected programs will have a file length
increase of 1,703 to 1,717 bytes with the virus being
located at the end of the file. The Malmsey 2 virus
will occassionally reinfect previously infected
programs, adding an additional 1,712 bytes with each
reinfection. The file's date and time in the DOS disk
directory listing will not be altered. The following
text strings can be found in the viral code in Malmsey 2
infected programs:
"Malmsey Habitat v. 2.0"
"Lucifer Messiah -- ANARKICK SYSTEMS 07-18-"
"Hap Birthday !"
Origin: Canada October, 1992.
Malmsey 3 Beta: A later version of the Malmsey 2 virus, this
variant is a memory resident infector of .COM and .EXE
programs, including COMMAND.COM. It becomes memory
resident at the top of system memory but below the 640K
DOS boundary, hooking interrupts 3 and 21. Total system
and available free memory, as indicated by the DOS CHKDSK
program, will have decreased by 2,048 bytes. Once memory
resident, Malmsey 3 Beta infects .COM and .EXE programs
when executed. Infected programs will have a file length
increase of 806 bytes with the virus being located at the
end of the file. The file's date and time in the DOS disk
directory listing will not be altered. The following
following message may be displayed by the virus when an
infected program is executed:
"Gotcha!
[MALMSEY HABITAT v3.<2E>]
Lucifer Messiah -- ANARKICK SYSTEMS"
These text strings are encrypted within the viral code.
Origin: Canada March, 1993.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Reference in New Issue View Git Blame Copy Permalink