Monxla B Virus

Virus Name: Monxla B Aliases: Time B, Vienna 535 V Status: Rare Discovered: January, 1991 Symptoms: .COM growth; file corruption Origin: Hungary Eff Length: 535 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan, AVTK, F-Prot, NAV, Sweep, IBMAV, NAVDX, VAlert, PCScan, ChAV, NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, NAV/N, IBMAV/N Removal Instructions: Delete infected files General Comments: The Monxla B virus was isolated in January, 1991 in Hungary. This virus is a non-resident direct action infector of .COM files, including COMMAND.COM. Monxla B is a variant of the Vienna virus. When a program infected with Monxla B is executed, the virus will check the seconds portion of the system time. Depending on the value found, either one .COM program in the current directory will be infected, or one .COM program in the current directory will be corrupted. If the seconds portion of the system time is equal 0 or a multiple of 8, one .COM program in the current directory, or on the system path, will be corrupted by the first five characters of the selected .COM program being changed to the hex string: 004D004F4D, or " M OM" in text. Corrupted programs will not have a file length increase. Later execution of these corrupted programs will usually result in the system being hung, requiring a reboot. If the seconds portion of the system time was not 0 or a multiple of 8, a .COM program in the current directory will be infected with Monxla B. If no programs exist in the current directory which are neither corrupted or infected, the virus will follow the system path to find a candidate program to infect. Infected .COM programs will increase in length by 535 bytes, the virus will be located at the end of infected programs. The virus will also have changed the seconds in the file time in the disk directory to 58 so that the virus can later tell that the file is infected. See: Monxla Vienna