MMIR Virus


 Virus Name:  MMIR 
 Aliases:     MMIR.Extasy 
 V Status:    Rare 
 Discovered:  April, 1994 
 Symptoms:    .COM file growth; system hangs 
 Origin:      Sweden 
 Eff Length:  282 Bytes 
 Type Code:   PRCK - Parasitic Resident .COM Infector 
 Detection Method:  ViruScan, F-Prot, Sweep, IBMAV, AVTK, 
                    NAVDX, VAlert, NAV, PCScan, ChAV, 
                    NProt, AVTK/N, Sweep/N, NShld, IBMAV/N, NAV/N, LProt, 
                    Innoc 4.0+ 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The MMIR or MMIR.Extasy virus was submitted in April, 1994, and is 
       from Sweden.  It is a memory resident infector of .COM programs, 
       including COMMAND.COM. 
 
       When the first MMIR infected program is executed, this virus will 
       become memory resident in a hole in allocated system memory, generally 
       a buffer area at 0000.  Once memory resident, it will infect .COM 
       programs when they are executed. 
 
       Programs infected with the MMIR virus will have a file length increase 
       of 282 bytes with the virus being located at the end of the file.  The 
       file's date and time in the DOS disk directory listing will not be 
       altered.  The following text string is visible within the viral code 
       in all infected programs: 
 
               "EXTASY! (c) Metal Militia / Immortal Riot" 
 
       System hangs frequently occur when programs are executed. 
 
       Known variant(s) of MMIR are: 
       MMIR.411: Received in July, 1995, MMIR.411 is a memory resident 
            infector of .COM and .EXE files, including COMMAND.COM.  It 
            becomes memory resident in allocated system memory, hooking 
            interrupt 21.  Once resident, it infects programs when they are 
            executed.  Infected programs will have a file length increase of 
            411 bytes with the virus being located at the end of the file. 
            The program's date and time in the DOS disk directory listing 
            will not be altered.  The following text strings are visible 
            within the viral code in all infected files: 
            "Tower Virus (c)1994" 
            "Thiss vihruws riten bi a prawducked af thee waauren woulds 
             skoul distriks." 
             Origin:  Unknown  July, 1995. 
       MMIR.Invisible Evil: Based on the MMIR virus, this 769 byte 
            variant infects .COM files, and is a size stealthing virus. 
            It becomes memory resident at the top of system memory but below 
            the 640K DOS boundary, not moving interrupt 12's return.  Total 
            system and available free memory, as indicated by the DOS CHKDSK 
            program, will have decreased by 1,600 bytes.  Interrupt 21 will 
            be hooked by the virus in memory.  Once memory resident, it 
            will infect .COM files, including COMMAND.COM, when they are 
            executed.  Infected programs will have a file length increase of 
            769 bytes, though the file length increase will be hidden when 
            the virus is memory resident.  The file's date and time in the 
            DOS disk directory listing will appear to be unaltered, though 
            the seconds field will have been set to "02".  The following text 
            strings are visible within the viral code: 
            "Our past is our future! ‹î" 
            "[INVISIBLE EVIL!] (c) Metal Militia/Immortal Riot" 
            "Dedicated to all the victims.." 
            "Greets to B-real!/IR" 
            "It's like this and like that and like thisena" 
            "It's like that and like this and like thatena" 
            "It's like this.. &" 
            "Love to Lisa!" 
            "All i ever wanted.." 
            "All i ever asked for.." 
            When this virus is memory resident, non-infected .COM files will 
            appear to have decreased in size by 769 bytes while infected 
            files will have no change in file size. 
            Origin:  Sweden  May, 1994. 
       MMIR.Moonlite: Based on the MMIR virus described above, this is a 
            458 byte variant.  It becomes memory resident as a low system 
            memory TSR, hooking interrupts 09 and 21.  When an infected 
            program is executed, the virus will check to see if all of the 
            .COM files in the current directory are infected.  If they aren't, 
            it will infect them.  If they are, it will delete the .COM 
            program the user was attempting to execute.  Infected programs 
            increase in size by 458 bytes with the virus being located at the 
            end of the file.  The program's date and time in the DOS disk 
            directory listing will not appear to be altered, but the seconds 
            field will have been set to "42".  The following text strings are 
            encrypted within the viral code: 
            "Metallic Moonlite(c) Metalic Militia/Immortal Riot" 
            "Greetings to The Unforgiven/IR" 
            "Bad command or filename" 
            "*.com" 
            In addition to deleting .COM files, the virus will delete any 
            .EXE programs executed when the virus is memory resident. 
            Origin:  Sweden  May, 1994. 
       MMIR.Moonlite.417: Based on the MMIR virus described above, this 
            is a 417 byte variant.  It is a non-resident, direct action 
            infector of .COM files, including COMMAND.COM.  When an infected 
            program is executed, the virus will infect all of the previously 
            uninfected .COM files in the current directory.  It may then 
            display the following message: 
            "This is a dummy phile for the Spiritual Bruces virus 1.00!" 
            Infected programs increase in size by 417 bytes with the virus 
            being located at the end of the file.  The program's date and 
            time in the DOS disk directory listing will not appear to be 
            altered, but the seconds field will have been set to "42".  The 
            following text strings are encrypted within the viral code: 
            "This is a dummy phile for the Spiritual Bruces virus 1.00!" 
            "Copyright (c) 1994 Pottie Rottie and The Mcaffe Assosiations! 
             The source code to this will __never__ be released ha-ha!" 
            "Spiritual Bruces!Caro - will time really heal my inner wounds? 
             Don't run this program the 17:ten of October any year!" 
             "*.com" 
             "????????COM" 
             "ARRESTED DEVELOPMENT, The Netherlands, Europe +31.PRI.VATE" 
            Origin:  The Netherlands  May, 1995. 
       MMIR.Moonlite.465: Based on the MMIR virus described above, this 
            is a 465 byte variant.  It is a non-resident, direct action 
            infector of .COM files, including COMMAND.COM.  When an infected 
            program is executed, the virus will infect all of the previously 
            uninfected .COM files in the current directory.  Infected 
            programs increase in size by 465 bytes with the virus being 
            located at the end of the file.  The program's date and time in 
            the DOS disk directory listing will not appear to be altered, 
            but the seconds field will have been set to "42".  The following 
            text strings are encrypted within the viral code: 
            "Metallic Moonlite (c) Metal Militia/Immortal RiotGreetings 
             to The Unforgiven/IR" 
            "Bad command or filename" 
            "*.com" 
            Origin:  Sweden  May, 1995. 
       MMIR.Ravage: Based on the MMIR virus described above, this 392 
            byte variant also infects .EXE files.  It uses the same technique 
            to become memory resident.  Once resident, it infects .COM and 
            .EXE files, including COMMAND.COM, when they are executed or 
            opened.  Infected programs increase in size by 392 bytes with 
            the virus being located at the end of the file.  The program's 
            date and time in the DOS disk directory listing will not be 
            altered.  The following text string is visible within all 
            infected files: 
            "RAVAGE! (c) Metal Militia / Immortal Riot" 
            Origin:  Sweden  April, 1994. 
       MMIR.Ravage.393: Based on the MMIR virus described above, this 393 
            byte variant also infects .EXE files.  It uses the same technique 
            to become memory resident.  Once resident, it infects .COM and 
            .EXE files, including COMMAND.COM, when they are executed. 
            Infected programs increase in size by 393 bytes with the virus 
            being located at the end of the file.  The program's date and 
            time in the DOS disk directory listing will not be altered. 
            The following text string is visible within all infected files: 
            "RAVAGE! (c) Metal Militia / Immortal Riot" 
            Origin:  Sweden  January, 1996. 
 
       See:   Uniq

Show viruses from discovered during that infect .

Main Page