Mosca Virus


 Virus Name:  Mosca 
 Aliases:     Mosca.849 
 V Status:    New 
 Discovered:  January, 1996 
 Symptoms:    .COM file growth; decrease available free memory; 
              system hangs; file date/time seconds = "60" 
 Origin:      Unknown 
 Eff Length:  849 Bytes 
 Type Code:   PRhCK - Parasitic Resident .COM Infector 
 Detection Method:  AVTK, IBMAV, ViruScan, PCScan, NAV, NAVDX, ChAV, 
                    Innoc, AVTK/N, IBMAV/N, NShld, NAV/N 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Mosca virus was received in January, 1996.  Its origin or point 
       of isolation is unknown.  Mosca is a memory resident size stealthing 
       infector of .COM files, including COMMAND.COM.  System hangs 
       frequently occur on infected systems. 
 
       When the first Mosca infected program is executed, this virus will 
       install itself memory resident at the top of system memory but 
       below the 640K DOS boundary, not moving interrupt 12's return. 
       Available free memory will have decreased by approximately 860 
       bytes.  Interrupt 21 will be hooked by the virus in memory. 
 
       Once the Mosca virus is memory resident, it will infect .COM files, 
       including COMMAND.COM, when they are executed.  Infected .COM files 
       will have a file length increase of 849 bytes with the virus being 
       located at the end of the file.  The file length increase will not 
       be apparent in the DOS disk directory listing when this virus is 
       memory resident.  The program's date and time in the DOS disk 
       directory listing will not appear to be altered, though the seconds 
       field will have been set to "60".  The following text strings 
       are encrypted within the viral code: 
 
           "Mosca v1.0" 
           "por WM  [DAN]" 
 
       System hangs frequently occur when programs are executed with the 
       virus memory resident. 
 
       Known variant(s) of Mosca are: 
       Mosca.1278: Also received in January, 1996, this is a 1,278 
           byte variant of the Mosca virus described above.  Its size in 
           memory is approximately 1,280 bytes, hooking interrupt 21. 
           It adds 1,278 bytes to the .COM files it infects, though this 
           file length increase will be hidden when the virus is memory 
           resident.  The virus will be located at the end of the file. 
           The program's date and time in the DOS disk directory listing 
           will not appear to be altered, though the seconds field will 
           have been set to "60".  The following text strings are 
           encrypted within the viral code: 
           "Mosca v2.0" 
           "por WM  [DAN]" 
           System hangs frequently occur on infected systems. 
           Origin:  Unknown  January, 1996. 
       Mosca.1372: Also received in January, 1996, this is a 1,372 
           byte variant of the Mosca virus described above.  Its size in 
           memory is approximately 1,376 bytes, hooking interrupt 21. 
           It adds 1,376 bytes to the .COM files it infects, though this 
           file length increase will be hidden when the virus is memory 
           resident.  The virus will be located at the end of the file. 
           The program's date and time in the DOS disk directory listing 
           will not appear to be altered, though the seconds field will 
           have been set to "60".  The following text strings are 
           encrypted within the viral code: 
           "Mosca v2.1" 
           "por WM  [DAN]" 
           System hangs frequently occur on infected systems.  The DOS 
           CHKDSK program will indicate file allocation errors on all 
           infected files when this virus is memory resident. 
           Origin:  Unknown  January, 1996.

Show viruses from discovered during that infect .

Main Page