Mayberry Virus
Virus Name: Mayberry
Aliases:
V Status: Rare
Discovered: May, 1994
Symptoms: .COM & .EXE file growth; DOS CHKDSK file allocation errors;
decrease in total system & available free memory
Origin: Sweden
Eff Length: 402 - 828 Bytes, depending on virus present
Type Code: PNRhtAK - Parasitic Non-Resident or Resident
.COM and/or .EXE Infectors
Detection Method: F-Prot, ViruScan, IBMAV, AVTK, Sweep, NAV, NAVDX,
VAlert, PCScan, ChAV,
NShld, Sweep/N, IBMAV/N, AVTK/N, NProt, Innoc, NAV/N,
LProt
Removal Instructions: Delete infected files
General Comments:
The Mayberry virus is actually a group of eleven viruses received
from Sweden in May, 1994. The viruses within this group or family,
with the exception of one, refer to characters in the 1960's
television program "The Andy Griffith Show". The exception virus
refers to the character Jethro, which is not from this television
program.
Some of the Mayberry viruses are non-resident, direct action
infectors of programs, either .COM, .EXE, or both, while others
are memory resident program infectors. Two of the viruses in the
family are fast infecting size stealthing viruses.
Below is a brief description of the Mayberry viruses. These viruses
don't appear to do anything besides replicate.
Known member(s) of the Mayberry family are:
Mayberry.402: Mayberry.402 is a 402 byte non-resident, direct
action infector of .COM programs, including COMMAND.COM. It
infects up to two .COM programs each time an infected program
is executed. Infected programs will have a file length
increase of 402 bytes with the virus being located at the
end of the file. The program's date and time in the DOS
disk directory listing will not be altered. The following
text strings are visible within the viral code:
"[BW] Velmalou (c) by HypoDermic!! Part of the Mayberry
Family!!!"
"*.COM .."
Origin: Sweden May, 1994.
Mayberry.409: Mayberry.409 is a 409 byte memory resident infector
.COM programs, but not COMMAND.COM. It installs itself memory
resident at the top of system memory but below the 640K DOS
boundary, hooking interrupt 21. Total system and available
free memory, as indicated by the DOS CHKDSK program, will have
decreased by 1,024 bytes. Once resident, it infects .COM
programs when they are executed. Infected programs will have
a file length increase of 409 bytes with the virus being
located at the end of the file. The program's date and time
in the DOS disk directory listing will not be altered. The
following text string is visible within the viral code:
"[BW] OPY (c) by HypoDermic!! Part of the Mayberry
Family!!!"
Origin: Sweden May, 1994.
Mayberry.475: Mayberry.475 is a 475 byte non-resident, direct
action infector of .COM programs, including COMMAND.COM. It
infects up to three .COM programs each time an infected
program is executed. Infected programs will have a file
length increase of 475 bytes with the virus being located at
the end of the file. The program's date and time in the DOS
disk directory listing will not be altered. The following
text strings are encrypted within the viral code:
"[BW] Jethro (c) by HypoDermic! Part of the Mayberry
Family! (Huh!"
"*.COM .."
Origin: Sweden May, 1994.
Mayberry.496: Mayberry.496 is a 496 byte non-resident, direct
action infector of .COM programs, including COMMAND.COM. It
infects one .COM program each time an infected program is
executed. Infected programs will have a file length increase
of 496 bytes with the virus being located at the end of the
file. The program's date and time in the DOS disk directory
listing will not be altered. The following text strings are
encrypted within the viral code:
"[BW] Barney (c) by HypoDermic!! Part of the Mayberry
Family!!!"
"*.COM .."
Origin: Sweden May, 1994.
Mayberry.502: Mayberry.502 is a 502 byte non-resident, direct
action infector of .EXE programs. It infects two .EXE
programs each time an infected program is executed. Infected
programs will have a file length increase of 502 bytes with
the virus being located at the end of the file. The program's
date and time in the DOS disk directory listing will not be
altered. The following text strings are encrypted within the
viral code:
"[BW] Floyd (c) by HypoDermic!! Part of the Mayberry
Family!!!"
"*.EXE"
Origin: Sweden May, 1994.
Mayberry.609: Mayberry.609 is a 609 byte memory resident infector
.COM and .EXE programs, but not COMMAND.COM. It installs
itself memory resident at the top of system memory but below
the 640K DOS boundary, hooking interrupts 21 and 24. Total
system and available free memory, as indicated by the
DOS CHKDSK program, will have decreased by 1,024 bytes. Once
resident, it infects .COM and .EXE programs when they are
executed. Infected programs will have a file length increase
of 609 bytes with the virus being located at the end of the
file. The program's date and time in the DOS disk directory
listing will not be altered. The following text string is
visible within the viral code:
"[BW] ANDY (c) by HypoDermic!! Part of the Mayberry
Family!!!"
Origin: Sweden May, 1994.
Mayberry.687: Mayberry.687 is a 687 byte non-resident, direct
action infector of .COM and .EXE programs, but not
COMMAND.COM. It infects one .COM or .EXE program each time an
infected program is executed. Infected programs will have a
file length increase of 687 bytes with the virus being located
at the end of the file. The program's date and time in the
DOS disk directory listing will not be altered. The following
text strings are visible within the viral code:
"[BW] GoMer (c) by HypoDermic!! Part of the Mayberry
Family!!!"
"*.*"
Origin: Sweden May, 1994.
Mayberry.732: Mayberry.732 is a 732 byte non-resident, direct
action infector of .COM and .EXE programs, including
COMMAND.COM. It infects up to three .COM or .EXE programs
each time an infected program is executed. Infected programs
will have a file length increase of 732 bytes with the virus
being located at the end of the file. The program's date and
time in the DOS disk directory listing will not be altered.
The following text strings are visible within the viral code:
"[BW] AuntB (c) by HypoDermic!! Part of the Mayberry
Family!!!"
"*.*"
Origin: Sweden May, 1994.
Mayberry.747: Mayberry.747 is a 747 byte non-resident, direct
action infector of .COM and .EXE programs, including
COMMAND.COM. It infects all of the .COM or .EXE programs
in the current directory when an infected program is executed.
Infected programs will have a file length increase of 747
bytes with the virus being located at the end of the file.
The program's date and time in the DOS disk directory listing
will not be altered. The following text strings are encrypted
within the viral code:
"[BW] Otis (c) by HypoDermic!! Part of the Mayberry
Family!!"
"*.* .."
Origin: Sweden May, 1994.
Mayberry.758: Mayberry.758 is a 758 byte memory resident stealth
infector .COM and .EXE programs, but not COMMAND.COM. It
installs itself memory resident at the top of system memory
but below the 640K DOS boundary, hooking interrupt 21, and
moving interrupt 12's return. Total system and available free
memory, as indicated by the DOS CHKDSK program, will have
decreased by 1,024 bytes. Once resident, it infects .COM and
.EXE programs when they are executed or opened, but not on
copy. Infected programs will have a file length increase
of 758 bytes with the virus being located at the end of the
file, though the file length increase will be hidden when the
virus is memory resident. The program's date and time in the
DOS disk directory listing will not appear to be altered,
though the seconds field will have been set to "08". The
following text string is visible within the viral code:
"[BW] Miss Crump (c) by HypoDermic!! Part of the Mayberry
Family!!!"
Origin: Sweden May, 1994.
Mayberry.828: Mayberry.828 is a 828 byte memory resident stealth
infector .COM and .EXE programs, but not COMMAND.COM. It
installs itself memory resident at the top of system memory
but below the 640K DOS boundary, hooking interrupt 21. Total
system and available free memory, as indicated by the
DOS CHKDSK program, will have decreased by 2,048 bytes.
Once resident, it infects .COM and .EXE programs when they are
executed. Infected programs will have a file length increase
of 828 bytes with the virus being located at the end of the
file, though the file length increase will be hidden when the
virus is memory resident. The program's date and time in the
DOS disk directory listing will not appear to be altered,
though the seconds field will have been set to "44". The
following text strings are encrypted within the viral code:
"[BW] Goober (c) by HypoDermic!! Part of the Mayberry
Family!!!"
Systems infected with Mayberry.828 may experience the
DOS CHKDSK program detecting file allocation errors on all
infected files when the virus is memory resident.
Origin: Sweden May, 1994.
Mayberry.Dementia: Mayberry.Dementia is a 1,027 byte non-resident,
direct action infector of .COM and .EXE programs, including
COMMAND.COM. It infects one .COM or .EXE program each time an
infected program is executed. Infected programs will have a
file length increase of 1,027 bytes with the virus being
located at the end of the file. The program's date and time
in the DOS disk directory listing will not be altered. The
following text strings are encrypted within the viral code:
"[BW] [DP/4] Dementia Praecox MnemoniX '94"
"*.*"
Origin: Sweden July, 1994.