Malmsey Virus
Virus Name: Malmsey
Aliases:
V Status: Rare
Discovered: October, 1992
Symptoms: .COM files overwritten; programs fail to function properly;
file date/time changes
Origin: Canada
Eff Length: 495 Bytes
Type Code: ONCK - Overwriting Non-Resident .COM Infector
Detection Method: F-Prot, Viruscan, Sweep, IBMAV, NAV,
AVTK, NAVDX, VAlert, PCScan, ChAV,
NShld, Sweep/N, NAV/N, NProt, AVTK/N, IBMAV/N, Innoc,
LProt
Removal Instructions: Delete infected files
General Comments:
The Malmsey virus was received in October, 1992, and was written
by a person using the name Lucifer Messiah. Malmsey is from
Canada. This virus is a non-resident, direct action overwriting
virus which infects .COM programs, including COMMAND.COM. A
later version of the virus, Malmsey 2 described below, is a
parasitic, non-resident, direct action .EXE infector.
When a program infected with the Malmsey virus is executed, the
Malmsey virus will infect one .COM program located in the current
directory, overwriting the first 495 bytes of the host file. The
program's date and time in the DOS disk directory listing will have
been updated to the current system date and time when infection
occurred. The following text strings can be found in all Malmsey
infected programs:
"*.COM"
"[Malmsey Habitat v. 1.3]"
"Warmest Regards to RABID"
"from -- ANARKICK SYSTEMS!"
Malmsey doesn't appear to do anything besides replicate, though
infected programs will be permanently corrupted.
Known variant(s) of Malmsey are:
Malmsey 2: A later version of the Malmsey virus, this variant
infects one .EXE program each time an infected program
is executed. Infected programs will have a file length
increase of 1,703 to 1,717 bytes with the virus being
located at the end of the file. The Malmsey 2 virus
will occasionally reinfect previously infected
programs, adding an additional 1,712 bytes with each
reinfection. The file's date and time in the DOS disk
directory listing will not be altered. The following
text strings can be found in the viral code in Malmsey 2
infected programs:
"Malmsey Habitat v. 2.0"
"Lucifer Messiah -- ANARKICK SYSTEMS 07-18-"
"Hap Birthday !"
Origin: Canada October, 1992.
Malmsey 3 Beta: A later version of the Malmsey 2 virus, this
variant is a memory resident infector of .COM and .EXE
programs, including COMMAND.COM. It becomes memory
resident at the top of system memory but below the 640K
DOS boundary, hooking interrupts 3 and 21. Total system
and available free memory, as indicated by the DOS CHKDSK
program, will have decreased by 2,048 bytes. Once memory
resident, Malmsey 3 Beta infects .COM and .EXE programs
when executed. Infected programs will have a file length
increase of 806 bytes with the virus being located at the
end of the file. The file's date and time in the DOS disk
directory listing will not be altered. The following
message may be displayed by the virus when an
infected program is executed:
"Gotcha!
[MALMSEY HABITAT v3.ß]
Lucifer Messiah -- ANARKICK SYSTEMS"
These text strings are encrypted within the viral code.
Origin: Canada March, 1993.
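The text strings listed above for Malmsey and Malmsey 2 can serve as a simple triage check over a directory of DOS programs. The following is an added example, not part of the original entry: the function names and sample file names are hypothetical, the sample buffers are constructed and hold only the marker strings, and it assumes the Malmsey strings lie within the 495 overwritten bytes. Malmsey 3 Beta is not covered because its strings are encrypted.

```python
from pathlib import Path

HEAD_LEN = 495  # Malmsey overwrites the first 495 bytes of a .COM host
MALMSEY = (b"*.COM", b"[Malmsey Habitat v. 1.3]",
           b"Warmest Regards to RABID", b"from -- ANARKICK SYSTEMS!")
MALMSEY_2 = (b"Malmsey Habitat v. 2.0",
             b"Lucifer Messiah -- ANARKICK SYSTEMS 07-18-", b"Hap Birthday !")

def classify(name, data):
    """Return (variant, copies) when the entry's strings match, else None."""
    ext = Path(name).suffix.upper()
    # Assumption: the strings sit inside the 495-byte overwritten region.
    if ext == ".COM" and all(s in data[:HEAD_LEN] for s in MALMSEY):
        return ("Malmsey", 1)
    if ext == ".EXE" and all(s in data for s in MALMSEY_2):
        # Each reinfection appends another copy, so count the banner string.
        return ("Malmsey 2", data.count(MALMSEY_2[0]))
    # Malmsey 3 Beta encrypts its strings, so it is out of scope here.
    return None

def scan_tree(root):
    """Classify every .COM/.EXE file under root; return {path: (variant, copies)}."""
    hits = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.upper() in (".COM", ".EXE"):
            verdict = classify(p.name, p.read_bytes())
            if verdict:
                hits[str(p)] = verdict
    return hits

def constructed_samples():
    """Constructed buffers carrying only the marker strings, no viral code."""
    head = b"\x90".join(MALMSEY).ljust(HEAD_LEN, b"\x00")
    tail = b"\x00".join(MALMSEY_2).ljust(1712, b"\x00")
    return {
        "GAME.COM": head + b"\xc3" * 100,              # overwritten host
        "CLEAN.COM": b"\xc3" * 600,                    # no strings
        "NOTES.COM": b"\x00" * HEAD_LEN + head,        # strings past offset 495
        "TOOL.EXE": b"MZ" + b"\x00" * 512 + tail * 2,  # infected, then reinfected
        "VSUM.TXT": head + tail,                       # description text, not a program
    }

if __name__ == "__main__":
    for name, data in constructed_samples().items():
        print(f"{name:10} {classify(name, data)}")
```

A copy count above 1 for Malmsey 2 corresponds to the reinfection behaviour described in the entry; a match on either variant means the file should be deleted and restored from a clean copy, as the removal instructions state.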