Mr. D Virus


 Virus Name:  Mr. D 
 Aliases:    
 V Status:    Rare 
 Discovered:  July, 1993 
 Symptoms:    .EXE file growth; file date/time changes; 
              decrease in total system & available free memory 
 Origin:      Unknown, but possibly Poland 
 Eff Length:  1,536 - 1,550 Bytes 
 Type Code:   PRhE - Parasitic Resident .EXE Infector 
 Detection Method:  AVTK, F-Prot, Sweep, ViruScan, IBMAV, 
                    NAV, NAVDX, VAlert, PCScan, ChAV, 
                    Sweep/N, NShld, NProt, AVTK/N, IBMAV/N, Innoc, NAV/N 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Mr. D virus was submitted in July, 1993.  Its origin is unknown, 
       but it could possibly be from Poland as it appears to be a later 
       version of the Mr. G virus.  Mr. D is a memory resident infector of 
       .EXE programs. 
 
       When the first Mr. D infected program is executed, the Mr. D virus 
       will install itself memory resident at the top of system memory but 
       below the 640K DOS boundary, not moving interrupt 12's return.  Total 
       system and available free memory, as indicated by the DOS CHKDSK 
       program, will have decreased by 1,552 bytes.  Interrupts 21 and 2F 
       will be hooked by Mr. D in memory. 
 
       Once the Mr. D virus is memory resident, it will infect .EXE 
       programs when they are executed.  Infected programs will have a file 
       length increase of 1,536 to 1,550 bytes with the virus being 
       located at the end of the file.  The program's date and time in the 
       DOS disk directory listing will have been updated to the current 
       system date and time when infection occurred.  The following text 
       string is visible within the viral code in all Mr. D infected 
       programs: 
 
               "Mr. D" 
 
       See:   Mr. G

Show viruses from discovered during that infect .

Main Page