Maaike Virus

Virus Name: Maaike Aliases: Maaike.164 V Status: Rare Discovered: April, 1994 Symptoms: .EXE files disappear from directory; .EXE files overwritten; Error messages Origin: Unknown Eff Length: 164 Bytes (Overwriting) Type Code: ORsE - Overwriting Resident .EXE Infector Detection Method: ViruScan, IBMAV, AVTK, Sweep, F-Prot, NAV, NAVDX, VAlert, PCScan, NShld, Sweep/N, AVTK/N, IBMAV/N, NProt, NAV/N Removal Instructions: Delete infected files General Comments: The Maaike virus was submitted in April, 1994. The sample submitted was from The Netherlands, though the following month a variant was received from a public domain infection in Canada. Its origin is unknown. Maaike is a memory resident overwriting virus which destroys .EXE programs and interfers with system operation. When the first Maaike infected program is executed, this virus will install itself memory resident as a low system memory TSR, hooking interrupt 21. The system user will then be returned to the DOS prompt. Once the Maaike virus is memory resident, execution of an .EXE program will result in the virus replacing the .EXE program with a 164 byte copy of itself. The 164 byte file of viral code will have the same name as the original .EXE file, with the current system date and time. The hidden attribute will be set, thus the .EXE file will appear to have been deleted. No text strings are visible within the viral code. Execution of .COM programs with the Maaike virus memory resident will result in the following message being displayed: "Bad Command or file name" The .COM files are unaltered, and will function if the virus is not memory resident. Other error messages may also occur when .COM and .EXE programs are executed with the virus memory resident, primarily of the "Write fault error writing device AUX" or write protect errors when attempting to execute .EXE programs from write protected diskettes. Known variant(s) of Maaike are: Maaike.250: A 250 byte variant of the Maaike virus described above, this variant contains the following encrypted text string: "Maaike I Love You !" Isolated: Canada May, 1994 Maaike.757: Received in August, 1994, Maaike.757 is a 757 byte variant of the Maaike virus described above. Its low system memory TSR is approximately 1,024 bytes, hooking interrupts 21 and 22. Once resident, execution of an .EXE program will result in the virus replacing the program with a copy of itself. This "copy" will be 757 bytes in size, and have the hidden attribute set in the DOS disk directory. The file's date and time will be the current system date and time when infection occurred. The following text strings are visible within the viral code: "Unknown Enemy(c) Metal Militia/Immortal Riot" "I'm hurt, machineguns firing behind my back" "Never had no chance, no way to do a attack" "This one sure is the last time i guess" "Heading for a private deathrow, nothing less" "Blood, quickly pumping out from the vound in the vain" "Damn, this moment makes you sort of go insane" "Close my eyes, had much left to see" "Was my fault, but did they have to do it, gee?" "Promise me, this hit you will remember" "Take one of them down before winter comes in december" "Why that month?Well, i like it very much" "Fresh, cool air, wonders of the snow to touch" "The world is wonderful, what else to say?" "Just remember this shit, cause it happends every day" With the Maaike.757 virus memory resident, all programs will fail to function properly. Origin: Unknown August, 1994