Mithrandir Virus


 Virus Name:  Mithrandir 
 Aliases:     Mithrandir I 
 V Status:    Rare 
 Discovered:  September, 1993 
 Symptoms:    .COM file growth; 
              decrease in total system & available free memory 
 Origin:      Sweden 
 Eff Length:  694 Bytes 
 Type Code:   PRhCK - Parasitic Resident .COM Infector 
 Detection Method:  F-Prot, ViruScan, AVTK, IBMAV, Sweep, 
                    NAV, NAVDX, VAlert, PCScan, 
                    NShld, AVTK/N, NProt, Sweep/N, IBMAV/N, NAV/N 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Mithrandir, or Mithrandir I, virus was submitted in September, 
       1993, and is from Sweden.  Mithrandir is a memory resident infector 
       of .COM programs, including COMMAND.COM.  A variant was also 
       received at the same time, Mithrandir III-B, which is a companion 
       or spawning virus. 
 
       When the first Mithrandir infected program is executed, the 
       Mithrandir virus will install itself memory resident at the top of 
       system memory but below the 640K DOS boundary, not moving interrupt 
       12's return.  Total system and available free memory, as indicated 
       by the DOS CHKDSK program, will have decreased by 1,952 bytes. 
       Interrupt 21 will be hooked by the virus in memory. 
 
       Once the Mithrandir virus is memory resident, it will infect .COM 
       programs larger than approximately 2K in size when they are 
       executed.  Infected programs will have a file length increase of 
       694 bytes with the virus being located in the middle of the file.  The 
       program's date and time in the DOS disk directory listing will not 
       be altered.  The following text strings are visible within the 
       viral code in all Mithrandir infected programs: 
 
               "Mithrandir" 
               "DeMoRaLiZeD YoUtH" 
 
       Known variant(s) of Mithrandir are: 
       Mithrandir III-B: Received in September, 1993, Mithrandir III-B 
                 is a later version of the Mithrandir virus described above, 
                  as well as the LockUp virus described in another entry. 
                 Mithrandir III-B's size in memory is 1,472 bytes, hooking 
                 interrupt 21.  Once resident, it infects .EXE files by 
                 creating a corresponding or companion .COM file with the 
                 same base file name when an .EXE file is executed.  This 
                 companion file is 450 bytes in size and contains the actual 
                 Mithrandir III-B viral code.  Its file date and time in the 
                 DOS disk directory will be 3-24-23 2:17:40am, and the hidden 
                 attribute will be set.  The following text string is visible 
                 within the viral code: 
                 "Mithrandir III" 
                 Origin:  Sweden  September, 1993.                
 
       See:   LockUp 
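
The companion-file traits listed for Mithrandir III-B (hidden attribute, 450-byte size, fixed directory timestamp, same base name as an .EXE) can be checked against raw FAT directory entries taken from a disk image. The Python sketch below is an added example, not part of the original entry; it assumes the standard 32-byte FAT directory entry layout, reads the two-digit year 23 as 2023, and uses hypothetical function names and a constructed sample directory.

```python
import struct

HIDDEN = 0x02            # FAT attribute bit for "hidden"
COMPANION_SIZE = 450     # companion .COM size given in the entry
# "3-24-23 2:17:40am" from the entry; year 23 read as 2023 (assumption)
COMPANION_STAMP = (2023, 3, 24, 2, 17, 40)

def parse_dir(raw):
    """Decode 32-byte FAT directory entries (files only) into dicts."""
    entries = []
    for off in range(0, len(raw) - 31, 32):
        rec = raw[off:off + 32]
        if rec[0] == 0x00:                      # end-of-directory marker
            break
        if rec[0] == 0xE5 or rec[11] & 0x18:    # deleted, label/long-name, or subdir
            continue
        time, date, _cluster, size = struct.unpack_from("<HHHI", rec, 22)
        stamp = (1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
                 time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)
        entries.append({"base": rec[0:8].decode("ascii", "replace").rstrip(),
                        "ext": rec[8:11].decode("ascii", "replace").rstrip(),
                        "attr": rec[11], "size": size, "stamp": stamp})
    return entries

def find_companions(entries):
    """List (base, indicators) for .COM files sharing a base name with an .EXE."""
    exe_bases = {e["base"] for e in entries if e["ext"] == "EXE"}
    hits = []
    for e in entries:
        if e["ext"] != "COM" or e["base"] not in exe_bases:
            continue
        checks = {"hidden": e["attr"] & HIDDEN,
                  "size-450": e["size"] == COMPANION_SIZE,
                  "timestamp": e["stamp"] == COMPANION_STAMP}
        why = [name for name, hit in checks.items() if hit]
        if why:
            hits.append((e["base"], why))
    return hits

def make_entry(base, ext, attr, time, date, size):
    """Build one constructed directory entry for the sample below."""
    return (base.ljust(8).encode() + ext.ljust(3).encode() + bytes([attr])
            + bytes(10) + struct.pack("<HHHI", time, date, 2, size))

# Constructed sample directory (not taken from a real disk image).
SAMPLE = (make_entry("EDIT", "EXE", 0x20, 0x6000, 0x1B21, 41000)
          + make_entry("EDIT", "COM", 0x22, 0x1234, 0x5678, 450)
          + make_entry("FORMAT", "COM", 0x20, 0x6000, 0x1B21, 22000)
          + bytes(32))
```

With the year read as 2023, the listed timestamp corresponds to a packed FAT time word of 0x1234 and date word of 0x5678.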
