Marzia Virus


 Virus Name:  Marzia 
 Aliases: 
 V Status:    Rare 
 Discovered:  July, 1993 
 Symptoms:    .COM & .EXE growth; MBR (partition table) altered; 
              decrease in total system & available free memory; 
              file date/time seconds = "62"; 
              system hard disk corruption; DOS CHKDSK file allocation errors 
 Origin:      Pisa, Italy 
 Eff Length:  2,048 Bytes 
 Type Code:   PRhAKX - Parasitic Resident .COM, .EXE, & MBR Infector 
 Detection Method:  F-Prot, ViruScan, Sweep, AVTK, IBMAV, NAV, 
                    NAVDX, VAlert, PCScan, ChAV, 
                    NShld, Sweep/N, AVTK/N, NProt, IBMAV/N, NAV/N, LProt, 
                    Innoc 4.0+ 
 Removal Instructions:  Delete infected files and repair MBR 
 
 General Comments: 
       The Marzia virus was isolated in Pisa, Italy in July, 1993.  Marzia 
       is a memory resident, stealth, multi-partite virus which infects 
       .COM and .EXE programs, including COMMAND.COM, as well as the system 
       hard disk master boot record (partition table sector). 
 
       When the first Marzia infected program is executed, the Marzia virus 
       will become memory resident at the top of system memory but below 
       the 640K DOS boundary, hooking interrupt 21.  Total system and 
       available free memory, as indicated by the DOS CHKDSK program, will 
       have decreased by 3,072 bytes.  Interrupt 12's return will not be 
       moved.  Also at this time, the virus will infect the system hard 
       disk's master boot record (partition table sector) if it was not 
       previously infected. 
 
       Once the Marzia virus is memory resident, it will infect .COM and 
       .EXE programs, including COMMAND.COM, when they are executed. 
       Infected programs will have a file length increase of 2,048 bytes, 
       though the file length increase will be hidden when the virus is 
       memory resident.  The virus is located at the end of infected files. 
       The program's date and time in the DOS disk directory listing will 
       not appear to be altered, though the seconds field will have been 
       set to "62".  The following text strings can be found within the 
       viral code in all infected programs: 
 
               "MARZIA" 
               "MARZIA3" 
 
       The Marzia virus does not infect very small .EXE files. 
 
       This virus contains destructive code which may overwrite the 
       system hard disk's master boot record approximately 2 hours after 
       becoming memory resident.  When the virus is memory resident, 
       users of infected systems may notice that the DOS CHKDSK program 
       will indicate file allocation errors on all infected files. 
 
       Known variant(s) of Marzia are: 
       Marzia.J: Received in January, 1995, Marzia.J is a 2,048 byte 
             variant.  The following text string can be found at the end 
             of all infected files" 
             "WW        " 
             The spaces in the text string are hex 00 characters.  System 
             hangs may occur when programs are executed. 
             Origin:  Unknown  January, 1995. 
       Marzia.K: Received in January, 1995, Marzia.K is another 
             minor 2,048 byte variant.  It appears to have been altered 
             to avoid detection by some anti-viral programs. 
             Origin:  Unknown  January, 1995. 
       Narzia.L: Received in January, 1995, Marzia.L is another 
             minor variant.  It contains the following text string: 
             "SZ VIRUS" 
             Origin:  Unknown  January, 1995. 
       Marzia.N: Received in January, 1995, Marzia.N is a 2,048 byte 
             variant.  It contains the following text strings: 
             "DV" 
             "DVv1.00a3" 
             Origin:  Unknown  January, 1995. 
       Marzia.P: Received in May, 1995, Marzia.P is another 2,048 byte 
             variant.  It contains the following text strings: 
             "GDA VIRUS" 
             Origin:  Unknown  May, 1995.

Show viruses from discovered during that infect .

Main Page