Mordor.1110 Virus


 Virus Name:  Mordor.1110 
 Aliases:     Mordor, Paola.1110 
 V Status:    Rare 
 Discovered:  February, 1994 
 Symptoms:    .COM file growth; Master Boot Record on hard disk altered; 
              decrease in total system & available free memory; message; 
              system hard disk corruption; disables VSAFE & VWATCH; 
              installed TSRs and/or drivers may no longer function; 
              SCSI drives and other SCSI devices may be disabled; 
              possible interference with video display 
 Origin:      Unknown 
 Eff Length:  1,110 Bytes 
 Type Code:   PRshC - Parasitic Resident .COM & MBR Infector 
 Detection Method:  F-Prot, AVTK, IBMAV, Sweep, ViruScan, 
                    NAV, NAVDX, VAlert, PCScan, ChAV, 
                    AVTK/N, NProt, Sweep/N, IBMAV/N, NShld, NAV/N, Innoc 
 Removal Instructions:  Delete infected files and replace MBR 
 
 General Comments: 
       The Mordor.1110 virus was received in February, 1994.  Its origin 
       is unknown.  Mordor.1110 is a memory resident infector of the 
       system hard disk master boot record (the sector containing the 
       hard disk partition table) and .COM programs other than COMMAND.COM. 
       It is destructive when it activates. 
 
       When the first Mordor.1110 infected program is executed, this virus 
       will install itself memory resident as a low system memory TSR of 
       1,440 bytes, hooking interrupt 21.  Also at this time, the virus 
       will infect the system hard disk master boot record sector if it was 
       not previously infected.  Later, booting from the infected system 
       hard disk will result in the virus becoming memory resident at the 
       top of system memory but below the 640K DOS boundary. 
 
       Once the Mordor.1110 virus is memory resident, it will infect .COM 
       programs other than COMMAND.COM when they are executed.  Infected 
       programs will have a file length increase of 1,110 bytes.  The 
       virus encrypts the host program, as well as the viral code, so its 
       relative position within the file isn't important to a normal system 
       user.  The file's date and time in the DOS disk directory listing 
       will not be altered.  The following text strings are encrypted within 
       infected programs: 
 
               "Virus MORDOR v1.0" 
               "Escrito por AZRAEL" 
               "Un Anillo para gobernarlos a todos." 
               "Un Anillo para en contrarlos" 
               "un Anillo para atraerlos a todos y atarlos en las tinieblas" 
               "en la Tierra de Mordor donde se extienden las sombras" 
               "dedicado a PAOLA HASBANI" 
               "Saludos A MURDOCK, MALVINAS, PatoruzU, KOHNTARK y 
                FIRECRAKER" 
 
       This virus may impact the operation of the system.  It contains 
       code to disable the VSAFE and VWATCH anti-viral programs, and may 
       also render disabled or useless some installed device drivers or 
       memory resident programs.  It also may disable SCSI devices, such as 
       hard disks, due to it overwriting their driver in memory.  Video 
       display output may also be impacted by the virus. 
 
       Mordor.1110 has a two-part activation mechanism, though the first 
       event does not need to occur for the destructive second activation 
       event to occur.  On March 31st of any year, the virus will display 
       the message contained in the text strings above.  On any day in 
       April, the virus will overwrite the first 18 cylinders (tracks 0 - 17) 
       of the system hard disk with characters from system memory. 
 
       Known variant(s) of Mordor.1110 are: 
       Mordor.538: Received in July, 1994, Mordor.538 is a memory 
                   resident infector of .COM programs, but not COMMAND.COM. 
                   Its memory resident TSR is 864 bytes, hooking interrupts 
                   21 and DA.  Once resident, it infects .COM programs when 
                   they are executed.  Infected programs will have a file 
                   length increase of 538 bytes with the virus being located 
                   at the beginning of the file.  The program's date and time 
                   in the DOS disk directory listing will not be altered.  No 
                   text strings are visible within the viral code in infected 
                   files. 
                   Origin:  Unknown  July, 1994. 
       Mordor.1104: Received in February, 1995, Mordor.1104 is a 1,104 
                   byte variant of the Mordor.1110 virus described above. 
                   Its size in memory is 1,424 bytes, hooking interrupts 21 
                   and DA.  It infects the system hard disk master boot 
                   record as well as .COM files other than COMMAND.COM when 
                   they are executed.  Infected .COM files will have a file 
                   length increase of 1,104 bytes.  The file's date and time 
                   in the DOS disk directory listing will not be altered. 
                   The following text strings are encrypted within the viral 
                   code: 
                   "Virus MORDOR v1.0" 
                   "Escrito por AZRAEL" 
                   "Un Anillo para gobernarlos a todos." 
                   "Un Anillo para encontrarios," 
                   "un Anillo para atracrios a todos y atarios en las 
                    tinieblas" 
                   "en la Tierra de Mordor donde se extienden las sombras" 
                   "dedicado a PAOLA HASBANI" 
                   "Saludos a MURDOCK, MALVINAS, PatoruzU, KOHNTARK y 
                    FIRECRACKER" 
                   Infected systems may fail to boot from the system hard 
                   disk once the system hard disk master boot sector has 
                   been infected by the virus. 
                   Origin:  Unknown  February, 1995. 
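
The file-level symptoms described above (a fixed growth of 1,110, 1,104 or 538 bytes, an unchanged directory date and time, COMMAND.COM left alone) and the altered master boot record can be checked against a known-good baseline. The following Python is an added example, not part of the original entry; the manifest format, the names `suspects` and `mbr_altered`, and all sample data are assumptions.

```python
import hashlib
from collections import namedtuple

# Per-file growth stated in the entry, mapped to the variant it indicates.
GROWTH = {1110: "Mordor.1110", 1104: "Mordor.1104", 538: "Mordor.538"}

# One directory record: size in bytes, timestamp as an opaque integer (assumed format).
Entry = namedtuple("Entry", "size mtime")

def suspects(baseline, current):
    """Map path -> variant for .COM files that grew by a listed length
    while their directory timestamp stayed the same."""
    hits = {}
    for path, now in current.items():
        name = path.upper().replace("\\", "/").rsplit("/", 1)[-1]
        # The entry says COMMAND.COM is never infected, so it is skipped.
        if not name.endswith(".COM") or name == "COMMAND.COM":
            continue
        before = baseline.get(path)
        if before is None:
            continue  # no known-good record to compare against
        variant = GROWTH.get(now.size - before.size)
        if variant and now.mtime == before.mtime:
            hits[path] = variant
    return hits

def mbr_altered(baseline_sha256, sector0):
    """True when the 512-byte sector 0 image no longer matches the baseline."""
    if len(sector0) != 512:
        raise ValueError("expected one 512-byte sector")
    return hashlib.sha256(sector0).hexdigest() != baseline_sha256

# Constructed sample manifests (paths, sizes and timestamps are made up).
SAMPLE_BASELINE = {
    r"C:\DOS\EDIT.COM": Entry(413, 100),
    r"C:\DOS\FORMAT.COM": Entry(22974, 200),
    r"C:\COMMAND.COM": Entry(54645, 300),
    r"C:\UTIL\TOOL.COM": Entry(5000, 400),
}
SAMPLE_CURRENT = {
    r"C:\DOS\EDIT.COM": Entry(1523, 100),     # +1,110, same timestamp
    r"C:\DOS\FORMAT.COM": Entry(23512, 200),  # +538, same timestamp
    r"C:\COMMAND.COM": Entry(55755, 300),     # skipped by name
    r"C:\UTIL\TOOL.COM": Entry(6104, 450),    # +1,104 but timestamp changed
}
SAMPLE_MBR = bytes(510) + b"\x55\xaa"         # constructed sector image

if __name__ == "__main__":
    print(suspects(SAMPLE_BASELINE, SAMPLE_CURRENT))
```

A hit is a lead for scanning with one of the detection products listed above, not proof of infection.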
