Manola Virus
Virus Name: Manola
Aliases: Manuel
V Status: Rare
Discovered: January, 1992
Symptoms: .COM file growth; decrease in total system & available free
memory
Origin: Spain
Eff Length: 957 Bytes
Type Code: PRhC - Parasitic Resident .COM Infector
Detection Method: ViruScan, F-Prot, Sweep, AVTK, NAV, IBMAV,
NAVDX, VAlert, PCScan,
NShld, Sweep/N, NProt, AVTK/N, NAV/N, IBMAV/N
Removal Instructions: Delete infected files
General Comments:
The Manola virus was received in January, 1992 from Spain. It is
a memory resident infector of .COM programs, but not COMMAND.COM.
The first time a program infected with the Manola virus is executed,
the Manola virus will install itself memory resident at the top of
system memory but below the 640K DOS boundary. Interrupt 12's
return will not have been moved. Total system and available free
memory, as indicated by the DOS CHKDSK program, will have decreased
by 976 bytes. Interrupt 21 will be hooked by the Manola virus in
memory.
At the time of becoming memory resident, the Manola virus will
check to see if the following two files have been previously
infected, and will infect them if they are not infected:
C:\DOS\FORMAT.COM
C:\DOS\KEYB.COM
Once the Manola virus is memory resident, it will infect .COM
programs other than COMMAND.COM when they are opened or executed.
Infected .COM programs will have a file length increase of 957 bytes.
The virus will be located at the end of the infected program. The
file's date and time in the DOS disk directory listing will not have
been altered.
The following text strings can be found within the viral code in
all Manola infected programs:
"COMMAND.COM"
"Soy un Manuel Virus de tipo C"
"C:\DOS\FORMAT.COM C:\DOS\KEYB.COM"
"KEYBOARD.SYS"
It is unknown if Manola does anything besides replicate.
Known variant(s) of Manola are:
Manuel.995: Received in January, 1995, Manuel.995 is based on the
Manola virus described above. Its size in memory is 1,024
bytes, hooking interrupt 21. Manuel.995 infects .COM files,
but not COMMAND.COM, when they are executed or opened. It
will also infect the copy of CHKDSK.COM in the C:\SYS directory,
and KEYB.COM located in the C:\DOS directory when the first
infected program is executed if they were not previously
infected. Programs infected with this variant will have a file
length increase of 995 bytes with the virus being located at
the end of the file. The program's date and time in the DOS
disk directory listing will not be altered. The following text
strings are visible within the viral code:
"C:\SYS\CHKDSK.COM C:\DOS\KEYB.COM"
"COMMAND.COM"
"Manuel Virus: to repare HD, Rotate rigth the sector (not the
bytes)"
"number 2, head 0, of tracks 0 to length of this message"
Origin: Unknown January, 1995.
Manuel.B: Received in December, 1994, Manuel.B is based on the
Manola virus described above. Its size in memory is 2,560
bytes, hooking interrupt 21. Manuel.B infects .COM files,
but not COMMAND.COM, when they are executed or opened. It
will also infect the copies of FORMAT.COM and KEYB.COM located
in the C:\DOS directory when the first infected program is
executed if they were not previously infected. Programs
infected with this variant will have a file length increase of
2,482 bytes with the virus being located at the end of the
file. The program's date and time in the DOS disk directory
listing will not be altered. The following text strings are
visible within the viral code:
"C:\DOS\FORMAT.COM C:\DOS\KEYB.COM"
"COMMAND.COM"
"*.com"
"Soy un Manuel Virus de tipo B"
Origin: Spain December, 1994.