Magic Virus


 Virus Name:  Magic 
 Aliases:     Magic.254.A 
 V Status:    New 
 Discovered:  May, 1995 
 Symptoms:    .COM file growth; decrease in available free memory; 
              file date/time seconds = "62" 
 Origin:      Unknown 
 Eff Length:  254 Bytes 
 Type Code:   PRhCK - Parasitic Resident .COM Infector 
 Detection Method:  F-Prot, AVTK, VAlert, NAV, NAVDX, Sweep, ViruScan, 
                    IBMAV, PCScan, ChAV, 
                    AVTK/N, Sweep/N, NShld, NAV/N, IBMAV/N, Innoc 4.0+ 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Magic, or Magic.254.A, virus was received in July, 1995.  Its 
       origin or point of isolation is unknown.  Magic is a memory resident 
       infector of .COM files, including COMMAND.COM. 
 
       When the first Magic infected program is executed, this virus will 
       install itself memory resident at the top of system memory but below 
       the 640K DOS boundary, not moving interrupt 12's return.  Available 
       free memory, as indicated by the DOS CHKDSK program from DOS 5.0, 
       will have decreased by 256 bytes.  Interrupt 21 will be hooked by 
       the virus in memory. 
 
       Once the Magic virus is memory resident, it will infect .COM files 
       when they are executed.  Infected .COM files will have a file length 
       increase of 254 bytes with the virus being located at the end of the 
       file.  The file's date and time in the DOS disk directory listing 
       will not appear to be altered, though the seconds field will have 
       been set to "62".  The following text strings can be found within the 
       viral code in all Magic infected files: 
 
           "Kuv‹ú3" 
           "COuf" 
 
       Known variant(s) of the Magic virus are: 
       Magic.239: Received in July, 1995, Magic.239 is a 239 byte 
            variant of the Magic virus described above.  It becomes 
            memory resident in allocated system memory, hooking interrupt 
            21.  Available free memory, as indicated by the DOS CHKDSK 
            program from DOS 5.0, will not be altered.  Once resident, it 
            infects .COM files, including COMMAND.COM, when they are 
            executed.  Infected files will have a file length increase of 
            239 bytes with the virus being located at the end of the 
            file.  The program's date and time in the DOS disk directory 
            listing will not appear to be altered, though the seconds field 
            will have been set to "62".  It contains the same text strings 
            as the original virus. 
            Origin:  Unknown  July, 1995. 
       Magic.254.B: Received in May, 1995, Magic.254.B is a minor 
            variant of the Magic virus described above, and is functionally 
            similar.  It contains the same text strings as the original 
            virus. 
            Origin:  Unknown  May, 1995. 
       Magic.254.C: Received in July, 1995, Magic.254.C is a minor 
            variant of the Magic virus described above.  Its size in memmory 
            is 240 bytes, hooking interrupt 21.  It adds 254 bytes to the 
            .COM files it infects.  Magic.254.C contains the same text 
            strings as the original virus. 
            Origin:  Unknown  July, 1995.

Show viruses from discovered during that infect .

Main Page