Mirage Virus

Virus Name: Mirage Aliases: V Status: New Discovered: January, 1995 Symptoms: .COM & .EXE growth; TSR; DOS CHKDSK file allocation errors; file date/time seconds = "62" Origin: Unknown Eff Length: 1,331 - 1,359 Bytes Type Code: PRsAK - Parasitic Resident .COM & .EXE Infector Detection Method: F-Prot, NAV, AVTK, Sweep, NAVDX, PCScan, ViruScan, IBMAV, ChAV, NProt, Sweep/N, NAV/N, IBMAV/N, NShld, AVTK/N, Innoc Removal Instructions: Delete infected files General Comments: The Mirage virus was received in January, 1995. Its origin or point of isolation is unknown. Mirage is a memory resident semi- stealth virus which infects .COM and .EXE files, including COMMAND.COM. When the first Mirage infected program is executed, this virus will install itself memory resident as a low system memory TSR of 1,548 bytes. Interrupt 21 will be hooked by the virus in memory. Once the Mirage virus is memory resident, it will infect .COM and .EXE files, including COMMAND.COM, when they are executed. Infected .COM files will have a file length increase of 1,331 bytes with the virus being located at the beginning of the file. Infected .EXE files will have a file length increase of 1,331 to 1,359 bytes with the virus being located at the end of the file. The file length increase will be hidden on all infected files when the virus is memory resident. The program's date and time in the DOS disk directory listing will not appear to be altered, though the seconds field will have been set to "62". The following text strings are visible within the viral code in all Mirage infected programs: "Mirage" "\COMMAND.COM" If the Mirage virus is memory resident, the DOS CHKDSK program will indicate file allocation errors on all infected files. It is unknown what the Mirage virus does besides replicate.