Marbas Virus


 Virus Name:  Marbas 
 Aliases:     Marbas.1303 
 V Status:    New 
 Discovered:  January, 1996 
 Symptoms:    .COM file growth; file date/time changes 
 Origin:      Unknown 
 Eff Length:  1,303 Bytes 
 Type Code:   PNCK - Parasitic Non-Resident .COM Infector 
 Detection Method: NAV, NAVDX, IBMAV, AVTK, ViruScan, F-Prot, PCScan, ChAV, 
                   NAV/N, IBMAV/N, NProt, AVTK/N, NShld, NProt, Innoc 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Marbas or Marbas.1303 virus was received in January, 1996.  Its 
       origin or point of isolation is unknown.  Marbas is a non-resident, 
       direct action infector of .COM files, including COMMAND.COM. 
 
       When a program infected with the Marbas virus is executed, this 
       virus will infect all of the .COM files located in the current 
       directory.  Infected programs will have a file length increase of 
       1,303 bytes with the virus being located at the end of the file. 
       The program's date and time in the DOS disk directory listing will 
       have been updated to the current system date and time when infection 
       occurred.  The following text strings are encrypted within the 
       Marbas viral code: 
 
           "[PolyMorphisM ]" 
           "[Marbas]" 
           "[Put Satanachia]" 
           "[-Satan's Fire-]" 
           "*.com *.* .." 
           "[ Pride ][ Avarice ][ Lechery ][ Anger ][ Gluttony ][ Envey ][ 
             Sloth ]" 
           "[So on his nightmare, through the evening fog, Flits the squat 
            fiend o'er fen, lake, and bog; Seeks some love-wildered maid 
            with sleep oppressed, Alights, and grinning sits upon her 
            breast... Back o'er her pillow sinks her blushing head, Her 
            snow-white limbs hang helpless from the bed; While with quick 
            sighs and suffocative breath Her interrupted heart pulse swims 
            in death.]" 
           "????????COM" 
 
       Known variant(s) of Marbas are: 
       Marbas.1313: Also received in January, 1996, this is a 1,313 
           byte variant of the Marbas virus described above.  It infects 
           all of the .COM files in the current directory when an infected 
           program is executed, adding 1,313 bytes to the file's length. 
           The viral code will be located at the end of the file and the 
           program's date and time in the DOS disk directory listing will 
           have been updated to the current system date and time when 
           infection occurred.  This variant contains the same encrypted 
           text strings as the original virus. 
           Origin:  Unknown  January, 1996.

Show viruses from discovered during that infect .

Main Page