QMU Virus


 Virus Name:  QMU 
 Aliases:     QQ-1513 
 V Status:    Rare 
 Discovery:   November, 1991 
 Symptoms:    .COM file growth; master boot sector altered; file date/time 
              changes; TSR or decrease in total system memory 
 Origin:      Unknown 
 Eff Length:  1,513 Bytes 
 Type Code:   PRsCKX - Parasitic Resident .COM & Master Boot Sector Infector 
 Detection Method:  ViruScan, AVTK, Sweep, F-Prot, ChAV, 
                    IBMAV, NAV, NAVDX, VAlert, PCScan, 
                    NShld, Sweep/N, Innoc, NProt, AVTK/N, NAV/N, 
                    LProt, IBMAV/N 
 Removal Instructions:  Delete infected files, MDisk /P 
 
 General Comments: 
       The QMU virus was submitted in November, 1991.  QMU is a memory 
       resident infector of the hard disk master boot sector (partition 
       table) as well as .COM programs, including COMMAND.COM.  Its origin 
       is unknown. 
 
       When the first QMU infected program is executed on a system, QMU 
       will become memory resident as a low system memory TSR of 2,080 
       bytes.  The TSR will have hooked interrupts 13 and 21.  At this 
       time, QMU will also infect the hard disk master boot sector, moving 
       the original master boot sector to side 0, cylinder 0, 
       sector 2, and writing a full copy of the virus starting in sector 
       3. 
 
       If the system is later booted from the infected hard disk, the virus 
       will become memory resident at the top of system memory but below 
       the 640K DOS boundary.  Total system and available free memory, as 
       indicated by the DOS CHKDSK program, will have decreased by 5,120 
       bytes.  Interrupts 13 and 21 will be hooked.  Interrupt 12's return 
       will have been moved. 
 
       Once QMU is memory resident, it will infect .COM programs when 
       they are executed.  Infected programs will have a file length 
       increase of 1,513 bytes.  The virus will be located at the end 
       of infected files.  The infected program's date and time in the 
       DOS disk directory will have been updated to the current system 
       date and time when infection occurred.  Text strings found in 
       infected files include the boot sector error messages normally 
       found in the boot sector, along with the following string: 
 
               "Bad command or file name" 
 
       It is unknown what QMU does besides replicate. 
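
The boot-sector layout described above (original master boot sector relocated to side 0, cylinder 0, sector 2, virus body starting in sector 3) can be checked offline against a raw disk image. The following is an added example, not part of the original entry: the function names, the three-sector span derived from the 1,513-byte length, and the sample images are assumptions constructed for illustration. Other software also stores data on track 0, so a hit means the disk needs review, not that QMU is confirmed.

```python
import struct

SECTOR = 512
VIRUS_LEN = 1513                          # effective length given in the entry
VIRUS_SECTORS = -(-VIRUS_LEN // SECTOR)   # rounded up: 3 sectors (assumption)

def looks_like_mbr(sector: bytes) -> bool:
    """True if a sector has the 0x55AA signature and a plausible partition table."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xaa":
        return False
    entries = [sector[446 + 16 * i: 462 + 16 * i] for i in range(4)]
    flags_ok = all(e[0] in (0x00, 0x80) for e in entries)  # boot indicator byte
    in_use = any(e[4] != 0 for e in entries)               # partition type byte
    return flags_ok and in_use

def check_track0(image: bytes) -> dict:
    """Inspect the start of a raw disk image; CHS 0/0/n corresponds to LBA n-1."""
    def sec(n: int) -> bytes:
        return image[(n - 1) * SECTOR: n * SECTOR]
    relocated = looks_like_mbr(sec(2))     # an MBR copy where none belongs
    body = b"".join(sec(n) for n in range(3, 3 + VIRUS_SECTORS))
    body_used = any(body)                  # non-zero data in sectors 3 onward
    return {
        "sector2_looks_like_mbr": relocated,
        "sectors3_on_nonzero": body_used,
        "review": relocated and body_used,
    }

def sample_mbr() -> bytes:
    """Constructed sample: empty boot code area, one active partition entry."""
    entry = bytes([0x80, 1, 1, 0, 0x06, 15, 17, 99]) + struct.pack("<II", 17, 83215)
    return bytes(446) + entry + bytes(48) + b"\x55\xaa"

# Constructed images: CLEAN has an unused track 0; SUSPECT only mimics the layout
# from the entry with filler bytes and contains no virus code.
CLEAN = sample_mbr() + bytes(SECTOR * 16)
SUSPECT = (sample_mbr() + sample_mbr()
           + b"\x90" * (VIRUS_SECTORS * SECTOR) + bytes(SECTOR * 12))

if __name__ == "__main__":
    for name, img in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(name, check_track0(img))
```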
