Tumen Virus
Virus Name: Tumen
Aliases: Tumen V.5
V Status: Rare
Discovered: May, 1991
Symptoms: .COM file growth; decrease in total system and available
memory; music and graphics; file date/time changes
Origin: USSR
Eff Length: 1,663 bytes
Type Code: PRhCK - Parasitic Resident .COM Infector
Detection Method: ViruScan, F-Prot, Sweep, AVTK, NAV, IBMAV, ChAV,
NAVDX, VAlert, PCScan, NShld, LProt, Sweep/N, Innoc,
NProt, AVTK/N, NAV/N, IBMAV/N
Removal Instructions: Delete infected files
General Comments:
The Tumen, or Tumen V.5, virus was received from Europe in May,
1991. This virus originated in the USSR. It is a memory resident
infector of .COM programs, including COMMAND.COM.
When the first Tumen-infected program is executed, the virus
will install itself memory resident at the top of system memory
but below the 640K DOS boundary. Total system and available free
memory, as measured by the DOS CHKDSK program, will have decreased
by 4,096 bytes. Interrupts 09 and 21 will be hooked by the virus.
Once Tumen is memory resident, it will infect .COM programs
as they are executed. If COMMAND.COM is executed, it will become
infected. Infected .COM programs will have a file length increase
of 1,663 bytes with the virus being located at the end of the
file. The program's date and time in the disk directory will also
have been updated to the system date and time when infection
occurred.
The following text strings appear in the Tumen virus:
"Full moon tonight... The time of Wolfbacks... U...U...U...
This is only demonstration version, but you hear some howl."
"(C) Copyright MMA Company
All rights reserved. USSR Tumen 1990-v0.5
This program was created in Tumen by group of
three Wolfbacks at April,1990
General System_&_Files affecting effects by Max
Main consultant -- Tall Lazy Micle
General Music_&_Video harmless effects by Alex
BACKWOLFS OF THE WORLD, UNITE!!"
The first set of text strings appears near the beginning of the
viral code, with the remainder located at the end of the
viral code.
Tumen contains code which should produce graphic and musical
effects when activated by some keyboard event.
Known variant(s) of Tumen are:
Tumen V1.2: Submitted in January, 1992, Tumen V1.2 is a later
version of the Tumen virus described above. Infected
programs will have a file length increase of 1,255
bytes with the virus being located at the end of the
file. The program's date and time in the DOS disk
directory listing will have been altered to the
current system date and time when infection occurred.
Origin: Unknown January, 1992.
Tumen V1.3: Submitted in December, 1992, Tumen V1.3 is a later
version of the Tumen virus described above. Infected
programs will have a file length increase of 1,242
bytes with the virus being located at the end of the
file. The program's date and time in the DOS disk
directory listing will have been altered to the
current system date and time when infection occurred.
The following text string can be found within the viral
code in all Tumen V1.3 infected programs:
"Tumen.,v1.3"
Origin: Unknown December, 1992.
Tumen V2.0: Received in May, 1992, Tumen V2.0 is a later
version of both Tumen and Tumen V1.2. In addition
to the behavior of the original virus, this variant
will modify the C: drive boot sector when it is present.
It adds 1,092 bytes to the .COM programs it infects.
The following text strings can be found in all infected
programs:
"Be carefull... Hackers time tonight...
This present was created in Tumen in 1990.
v 2.0. (c) Max Soft corporation
Hackers of the work, Unite!"
Systems infected with Tumen V2.0 may experience system
hangs when infected programs are executed.
Origin: USSR May, 1992.
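
The text strings and file length increases listed above can be combined into a simple triage check for .COM files. The following is an added example, not part of the original entry and not code from any of the listed scanners. It assumes the strings are stored unencrypted as plain ASCII exactly as printed here, and that the viral code occupies exactly the last "Eff Length" bytes of an infected file; the function names and sample data are constructed for illustration.

```python
# Fragments and effective lengths are taken from this entry. Tumen V1.2 is
# omitted because the entry lists no text string for it (only 1,255 bytes).
SIGNATURES = {
    "Tumen":      (1663, [b"The time of Wolfbacks", b"USSR Tumen 1990-v0.5"]),
    "Tumen V1.3": (1242, [b"Tumen.,v1.3"]),
    "Tumen V2.0": (1092, [b"Hackers time tonight", b"Max Soft corporation"]),
}


def classify(image: bytes):
    """Return (variant, verdict) or None.

    verdict is "appended" when every fragment lies inside the last eff_len
    bytes of the file (where the entry says the virus is located), and
    "strings-only" when the fragments occur elsewhere, e.g. in a text file
    that merely quotes them.
    """
    weak = None
    for name, (eff_len, fragments) in SIGNATURES.items():
        if not all(f in image for f in fragments):
            continue
        tail_start = len(image) - eff_len
        if tail_start > 0 and all(image.find(f, tail_start) >= 0 for f in fragments):
            return name, "appended"
        weak = weak or (name, "strings-only")
    return weak


def make_sample(eff_len, fragments, host=b"\x90" * 300 + b"\xc3"):
    """Constructed test data: a dummy host followed by a zero-filled tail of
    eff_len bytes holding only the text fragments (no viral code)."""
    tail = bytearray(eff_len)
    pos = 16
    for f in fragments:
        tail[pos:pos + len(f)] = f
        pos += len(f) + 8
    return host + bytes(tail)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, classify(fh.read()))
```

A "strings-only" result deserves a manual look rather than deletion, since documents such as this entry contain the same strings.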