Malaga Virus
Virus Name: Malaga
Aliases:
V Status: Rare
Discovered: February, 1992
Symptoms: .COM & .EXE growth; boot sector altered; decrease in total
system & available free memory; boot failure on diskettes
Origin: Unknown
Eff Length: 2,612 - 2,626 Bytes
Type Code: PRshAB - Parasitic Resident .COM, .EXE, & Boot Sector Infector
Detection Method: ViruScan, F-Prot, Sweep, AVTK, ChAV,
NAV, IBMAV, NAVDX, VAlert, PCScan,
NShld, Sweep/N, LProt, Innoc, NProt, IBMAV/N,
AVTK/N, NAV/N
Removal Instructions: Delete infected files
General Comments:
The Malaga virus was received in February, 1992. Its origin is
unknown. Malaga is a memory resident infector of .COM and .EXE
programs, as well as the boot sector of diskettes and hard disks.
It does not infect COMMAND.COM. It is a stealth virus in that
it employs a technique similar to the Brain virus to hide the
boot sector infection when the virus is memory resident.

The first time a program infected with the Malaga virus is executed,
the Malaga virus will install itself memory resident as a low
system memory TSR of 5,168 bytes, hooking interrupts 08, 13, and
21. At this time, it will also infect the boot sector of the
current drive, and the first .EXE program in the current directory.
Later, when the user boots from an infected diskette, the boot
will fail, but the Malaga virus will infect the DOS boot sector of
the hard disk boot drive. Booting from the hard disk
will then result in the virus becoming memory resident at the top
of system memory but below the 640K DOS boundary. Total system and
available free memory, as indicated by the DOS CHKDSK program, will
have decreased by 4,096 bytes.

Once the Malaga virus is memory resident, it will infect one .EXE or
.COM program each time the system user executes any program or
a DOS DIR command is issued. (Infection of programs when a DIR
command is performed only occurs when the virus becomes memory
resident from a file infection, or is resident as a low system
memory TSR.) In the case of program execution, it will also infect
the program the user is currently executing if it was not previously
infected.

Programs infected with the Malaga virus will have a file length
increase of 2,612 to 2,626 bytes, with the virus located at the
end of the program. The file's date and time in the DOS disk
directory listing will not be altered. The following text strings
can be found within the viral code in all infected programs:
"*.EXE *.COM COMMAND.COM"
"MSDOS4.0"

In the case of the infection of boot sectors, the original boot
sector and a copy of the Malaga virus code will be written to the
disk starting at sector 0 of the last available side or track of
the disk. The original boot sector will precede the copy of the
viral code.

Since Malaga is a stealth virus with regard to the boot sector
infection, if you check your system with anti-viral utilities and
find it on files, you need to power off the system and check the
system again after booting from an uninfected, write-protected
system diskette. Otherwise, the boot sector infection may be
missed, and you will promptly become reinfected.

It is unknown if Malaga does anything besides replicate.

Known variant(s) of Malaga are:
Inofensivo: Based on the Malaga virus described above, Inofensivo
is a 2,661 byte variant. Its size in memory is 5,184
bytes, hooking interrupts 08, 13, and 21. Once memory
resident, it infects .COM and .EXE programs when they are
executed, as well as one program each time a DOS DIR
command is issued. Infected files increase in size by
2,661 to 2,674 bytes in length with the virus being located
at the end of the file. The program's date and time in the
DOS disk directory listing will not be altered. The
following text strings can be found within the viral code
in all Inofensivo infected programs:
"*.EXE *.COM COMMAND.COM"
"inofensivo...."
"MSDOS4.0"
Origin: Unknown April, 1993.

Malaga-B: Functionally similar to the original virus, this is
a minor variant which has nineteen bytes which differ
from the original.
Origin: Unknown February, 1992.
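
The text strings and file growth figures listed above for Malaga and
Inofensivo can be turned into a simple check of the end of a .COM or
.EXE file. The following is an added example, not part of the original
entry or of any listed scanner; the function names are hypothetical, and
it assumes the gaps shown as spaces in the quoted strings may be any
single byte on disk.

```python
import re
from typing import Iterable, Iterator, Optional, Tuple

# Largest file growth listed in the entry (Inofensivo: 2,674 bytes). The virus
# body is at the end of the file, so only this tail is searched.
MAX_GROWTH = 2674

# Strings quoted in the entry. Assumption: the gaps printed as spaces may be
# any single byte on disk (for example NUL), so one arbitrary byte is allowed.
FILESPEC = re.compile(rb"\*\.EXE.\*\.COM.COMMAND\.COM", re.DOTALL)
OEM_NAME = b"MSDOS4.0"
INOFENSIVO = b"inofensivo...."


def classify_tail(data: bytes) -> Optional[str]:
    """Return 'Inofensivo', 'Malaga' or None for the bytes of a .COM/.EXE file."""
    tail = data[-MAX_GROWTH:]
    # Require both common strings together to reduce false positives.
    if not (FILESPEC.search(tail) and OEM_NAME in tail):
        return None
    return "Inofensivo" if INOFENSIVO in tail else "Malaga"


def scan_paths(paths: Iterable[str]) -> Iterator[Tuple[str, str]]:
    """Yield (path, verdict) for each file whose tail carries the strings."""
    for path in paths:
        with open(path, "rb") as fh:
            verdict = classify_tail(fh.read())
        if verdict:
            yield path, verdict


def constructed_sample(marker: bytes = b"", host_size: int = 4000) -> bytes:
    """Constructed test bytes (filler plus the quoted strings), not viral code."""
    strings = b"*.EXE\x00*.COM\x00COMMAND.COM\x00" + marker + b"MSDOS4.0"
    return b"\x90" * host_size + strings + b"\x00" * 64


if __name__ == "__main__":
    print(classify_tail(constructed_sample()))                   # Malaga
    print(classify_tail(constructed_sample(b"inofensivo....")))  # Inofensivo
    print(classify_tail(b"MZ" + b"\x00" * 5000))                 # None
```

This covers file infections only; the boot sector check described in
the entry still has to be made after a clean boot. No attempt is made
to tell Malaga-B from the original.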