MacGyver Virus
Virus Name: MacGyver
Aliases: MacGyver.2824
V Status: Rare
Discovered: September, 1993
Symptoms: .EXE file growth; TSR; DOS CHKDSK file allocation errors;
System hangs
Origin: Taiwan
Eff Length: 2,824 Bytes
Type Code: PRsE - Parasitic Resident .EXE Infector
Detection Method: F-Prot, ViruScan, AVTK, Sweep, NAV, IBMAV, NAVDX, VAlert,
PCScan, ChAV, LProt, NShld, Sweep/N, NAV/N, AVTK/N, IBMAV/N, Innoc
Removal Instructions: Delete infected files
General Comments:
The MacGyver virus was submitted in September, 1993. It is from
Taiwan. This virus is a memory resident stealth virus which
infects .EXE programs.
When the first MacGyver infected program is executed, the MacGyver
virus will install itself memory resident as a low system memory
TSR of 3,072 bytes. Interrupt 21 will be hooked by the virus in
memory.
Once the MacGyver virus is memory resident, it will infect .EXE
programs when they are executed or opened. Infected programs will
have a file length increase of 2,824 bytes with the virus being
located at the end of the file. The file length increase, however,
will be hidden by the virus when MacGyver is memory resident. The
program's date and time in the DOS disk directory listing will not
be altered. The following text string is visible within the MacGyver
viral code in all infected programs:
"SCANVIR.SHW"
The following text string is encrypted within the viral code, thus
it is not visible within infected programs:
"SCAN ZTEST EXEGOD MACGYVER V1.0 Written by JOEY in
Keelung. TAIWAN"
Systems infected with the MacGyver virus may experience frequent
system hangs when .EXE programs are executed. Additionally, the
DOS CHKDSK program will indicate file allocation errors on all
infected files when the virus is memory resident.
Known variant(s) of MacGyver are:
MacGyver 2.2: MacGyver 2.2 is a 3,160 byte variant of the
MacGyver virus described above. Its memory resident
TSR is 3,648 bytes, hooking interrupt 21. It infects
.COM and .EXE programs, including COMMAND.COM, when they
are executed or opened. It does not infect programs on
copy. Programs infected with the MacGyver 2.2 variant
will have a file length increase of 3,160 bytes, though
this file length increase will be hidden when the virus
is memory resident. No text strings are visible within
the viral code, and the file date & time in the DOS
disk directory listing will not be altered.
Origin: Taiwan February, 1994.
MacGyver.2803.B: Received in May, 1995, MacGyver.2803.B is a
variant of the MacGyver virus described above. Its size
in memory is 3,120 bytes, hooking interrupt 21. It
infects .EXE files when they are executed or opened. The
following text strings are visible within the viral code
in infected programs:
"- Mad Satan - -Mad Satan -"
"EMMXXXX"
This variant hides the file length increase while the
virus is memory resident. It also changes the decades
field in the file date in the DOS disk directory listing
to "2".
Origin: Unknown May, 1995.
MacGyver.2803.D: Received in January, 1996, this is another
2,803 byte variant. Its size in memory is 3,056 bytes,
hooking interrupt 21, though most memory mapping programs
will not map interrupt 21 to the virus in memory. Once
resident, it infects .EXE files when they are executed
or copied. Infected files will have a file length
increase of 2,803 bytes with the virus being located at
the end of the file. The file's date and time in the
DOS disk directory listing will not be altered. System
hangs frequently occur when .EXE files are executed, or
if the system user attempts to execute a program on the
A: drive.
Origin: Unknown January, 1996.
MacGyver.2803.E: Received in January, 1996, this is another
2,803 byte variant. Its size in memory is 3,056 bytes,
hooking interrupt 21, though most memory mapping programs
will not map interrupt 21 to the virus in memory. Once
resident, it infects .EXE files when they are executed,
opened, copied, or a DOS DIR command is issued.
Infected files will have a file length increase of 2,803
bytes with the virus being located at the end of the
file, though the file length increase will be hidden
when the virus is memory resident. The file's date and
time in the DOS disk directory listing will not be
altered. System hangs frequently occur when .EXE files
are executed, or if the system user attempts to execute
a program on the A: drive. The following text strings
are visible within the viral code:
"- Mad Satan - - Mad Satan -"
"EMMXXXX"
The DOS CHKDSK program will indicate file allocation
errors on all infected programs when this variant is
memory resident.
Origin: Unknown January, 1996.
MacGyver.2824.B: Received in May, 1995, MacGyver.2824.B is a
variant of the MacGyver virus described above. Its size
in memory is also 3,072 bytes, hooking interrupt 21. It
infects .EXE files when they are executed or opened. The
following text strings are visible within the viral code
in infected programs:
"* Satan Virus * MAD !! Another Masterpiece of Satan"
"(c) Copyright 1993 Written by Mad Satan..."
"Ver 2.02"
"command.com"
This variant hides the file length increase while the
virus is memory resident.
Origin: Unknown May, 1995.
MacGyver.4112: Received in January, 1996, MacGyver.4112 is a
variant of the MacGyver virus described above. It
infects .COM and .EXE files when they are executed,
opened, or copied. Infected files will have a file
length increase of 4,112 bytes with the virus being
located at the end of the file. The file length increase,
as well as the virus's presence in the file, will be hidden
by the virus when it is memory resident, as this virus can
disinfect programs as they are read into memory. No
text strings are visible within the viral code.
Origin: Unknown January, 1996.
MacGyver.4643: Received in January, 1996, MacGyver.4643 is a
variant of the MacGyver virus described above. It
infects .COM and .EXE files when they are executed,
opened, or copied. Infected files will have a file
length increase of 4,643 bytes with the virus being
located at the end of the file. The file length increase,
as well as the virus's presence in the file, will be hidden
by the virus when it is memory resident, as this virus can
disinfect programs as they are read into memory. The
following text strings are visible within the viral code:
"U M M M M M M M M M M+ 3 * . MacGyver 3 . * 3 3 Hi!"
"I am MacGyver 3 3 Written by 3 3 .. :) .."
"3 3 in .. :) , Taiwan."
"3 3 Don't Worry,I just 3 3 a Virus. Ha..Ha..."
"3 T M M M M M M M M M M+"
Origin: Unknown January, 1996.
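
The visible text strings quoted in this entry can be used for a first-pass triage of a file image. The sketch below is an added example, not part of the original entry or of any scanner it names. It assumes the strings sit inside the appended virus body at the end of the file (which the entry states for most variants), and the function names, search window and sample data are hypothetical.

```python
# Added example: triage a file image for the visible text strings listed above.
TAIL = 4643  # assumption: search window = largest file-length increase in this entry

# (string, variants the entry lists it for, distinctive?)
# "Mad Satan" is a substring shared by the strings quoted for three variants.
INDICATORS = [
    (b"SCANVIR.SHW", "MacGyver", True),
    (b"Mad Satan", "MacGyver.2803.B/.2803.E/.2824.B", True),
    (b"Another Masterpiece of Satan", "MacGyver.2824.B", True),
    # Common in clean software: EMMXXXX0 is the EMS driver's device name,
    # and many programs reference command.com.
    (b"EMMXXXX", "MacGyver.2803.B/.2803.E", False),
    (b"command.com", "MacGyver.2824.B", False),
]

def triage(data: bytes) -> dict:
    """Classify a file image by the visible strings found in its tail."""
    tail = data[-TAIL:]  # assumption: the virus body is appended at the end
    hits = [(s.decode(), v, d) for s, v, d in INDICATORS if s in tail]
    variants = sorted({v for _, v, d in hits if d})
    if variants:
        verdict = "suspect"
    elif hits:
        verdict = "inconclusive"  # only strings that clean programs also contain
    else:
        verdict = "no visible strings"  # not a clean result: some variants show none
    return {"verdict": verdict, "variants": variants,
            "strings": [s for s, _, _ in hits]}

def triage_file(path: str) -> dict:
    """Read a file from disk and triage its contents."""
    with open(path, "rb") as fh:
        return triage(fh.read())

# Constructed samples (not real infected files)
SAMPLE_SUSPECT = b"MZ" + bytes(6000) + b"SCANVIR.SHW" + bytes(2000)
SAMPLE_EMS_ONLY = b"MZ" + bytes(500) + b"EMMXXXX0" + bytes(100)
SAMPLE_HEAD_ONLY = b"SCANVIR.SHW" + bytes(10000)  # string outside the tail window

if __name__ == "__main__":
    for name, blob in [("suspect", SAMPLE_SUSPECT),
                       ("ems-only", SAMPLE_EMS_ONLY),
                       ("head-only", SAMPLE_HEAD_ONLY)]:
        print(name, triage(blob))
```

Because the resident virus hides the length increase, and MacGyver.4112 and MacGyver.4643 disinfect programs as they are read, such a check is only meaningful on files read from a clean boot. MacGyver 2.2 and MacGyver.4112 show no visible strings, so "no visible strings" does not clear a file.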